WeirdAAL (AWS Attack Library)

Download this presentation
https://www.slideshare.net/chrisgates

WeirdAAL
(AWS Attack Library)
Chris Gates, Ken Johnson

whoami
Chris Gates - Sr. Security Engineer - Uber
Twitter: @carnal0wnage
Blog: carnal0wnage.attackresearch.com
Talks: slideshare.net/chrisgates

whoami
Ken Johnson - AppSec - GitHub
Twitter: @cktricky
Talks: slideshare.net/KenJohnson61/

We’ve been talking about this...
LasCon 2014 - DevOops, I did it Again
https://www.youtube.com/watch?v=i8SnLXwlBWM

… and talking...
DevOpsDays DC 2015
https://vimeo.com/137691444

...and talking some more...
DevOops Redux - AppSec USA 2016
https://bit.ly/2qYe29y

… still going...
RSA Conference 2017
https://bit.ly/2HOZ0N4

OKAY, WE GET IT ALREADY! (do you, though?)
DevOops Redux - CERN 2017 &
InsomniaHack 2017
https://cds.cern.ch/record/2256987

So what has happened during this time?
2014 - Code Spaces

… le sigh (horrorshow is right)
2015 - Systema Software

… surely its getting better? Nope
2017 - Deep Root Analytics / America?

This is why we drink
2018 - MBM Company, Tesla

So what did we decide to do about it?

WeirdAAL
● WeirdAAL (AWS Attack Library)
● https://github.com/carnal0wnage/
weirdAAL
● Python3
● Relies heavily on boto3 library

WeirdAAL
Two Goals:
1. Answer what can I do with this AWS Keypair [blackbox]
1. Be a repository of useful functions (offensive & defensive) to
interact with AWS services.

WeirdAAL
Prior work
1. CG’s aws_interrogate (vaporware)
2. https://github.com/dagrz/aws_pwn & his medium posts
3. https://github.com/bchew/dynamodump
4. https://github.com/ThreatResponse/aws_ir
5. https://github.com/nccgroup/Scout2

Setup / Usage / Boto3
● Supports boto3 and aws credentials format
○ Using boto3 allows us to natively support STS tokens
○ Put your creds in .env folder in WeirdAAL home

Setup / Usage / Boto3
● Targets
○ Passes a -t (target) value to track your work
○ Can have multiple AWS keys in a target
● Modules
○ Modules passed via -m to do various tasks
○ python3 weirdAAL.py -m dynamodb_list_tables -t demo
○ Coverage for many services but not all (so far)
■ EC2, Lambda, s3, dynamodb, iam, etc
● Built in proxy support via boto3

What Can I Do With This AWS Key Pair?
AWS offers no easy way (blackbox)
If you have IAM you can look at running services manually or check billing.
Tedious & No Fun
(135 services in boto3 1.7.4)

Our solution, ask every service if we have permission to use it (recon_all)

Recon_all demo

Recon_all demo (recap)
Hit up every AWS service we can ask a **generic** question to
** required no args or specifics about that account
Log to DB for use later and automation
Todo: Evasion? Timing? Does anyone look or care?

Recon_all demo (gotchas)
● Root keys that have invalid billing info give you:
“SubscriptionRequiredException” or “OptInRequired” boto3 errors
● Root keys that are in good standing give you everything available :-/

In previous talks, we discussed
monitoring. Now we show you
how to burn all that to the
ground.

Starting with SNS…
List topics

List subscribers to a
topic

Or… just delete the
Topic. Now nobody
knows what you’re
doing :-)

Config service has rules.
You’ll see why cloudtrail
is important

We can list the config rules of course (for every region):

But what about deleting rules? Yeah, we’ve got that too :-)

Or just delete the whole recording altogether - BEFORE

Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...

Now, delete it :-)

Welp, no more Config alerts… or Config at all, really

IAM_Pwn
Found a key with IAM/Root?
Let’s automate the takeover / make
backdoor accounts

IAM_Pwn demo

IAM_Pwn demo - List users

IAM_Pwn demo - User details IAM console

IAM_Pwn demo - delete MFA device

IAM_Pwn demo - change console password

IAM_Pwn demo - create access/secret key

IAM_Pwn demo - delete access/secret key

IAM_Pwn demo - make backdoor account

IAM_Pwn (recap)
Deleted 2FA
Add console user / add new keys
Backdoor admin user
Hack all the thingz

IAM_Pwn (story time)
Made backdoor account in pentest, proved lack of logging and policy
enforcement

Logging / IR

Lambda -
list_functions

Lambda - get_function

Thankfully, lambda serverless arch and KMS means no more creds in code right?

Nope :-)

Lambda
http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code

It’s cool I have cloudtrail configured….

Stop Cloudtrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594)
Identify existing CloudTrail trails

Stop Cloudtrail logging
Use TrailARN to stop CloudTrail with stop_logging function

Delete Cloudtrail Trail
Use TrailARN to stop CloudTrail with delete_trail function

Delete Cloudtrail Trail

EC2 get_console_screenshot

EC2 get_console_output

EC2 get_console_output_all

EC2 & Lucidcharts

Just plain mean…. ec2_stop_instances

Useful Functions &
Libs
Grew tired of stackoverflowing
everything
Ideally, grab useful functions and
throw together quick python script
to knock out your task
Uses libs for actions that need more
control/finesse/data passed

Useful Functions &
Libs
Used WeirdAAL at work to get public EC2 instances quickly so we can do
external pentesting
-impossible to know given the large range of AWS IP space

Useful Functions & Libs
Pydoc friendly (work in progress)

Contact Info
Chris Gates
Slides
Twitter: @carnal0wnage https://www.slideshare.net/chrisgates
Ken Johnson
Code:
Twitter: @cktricky
https://github.com/carnal0wnage/weirdAAL

WeirdAAL (AWS Attack Library)

More Related Content

What's hot

Similar to WeirdAAL (AWS Attack Library)

More from Chris Gates

Recently uploaded

WeirdAAL (AWS Attack Library)