
AWS security - NULL meet chennai


At the end of this presentation, the audience will be aware of the following topics.

1. Introduction to AWS
2. Accessing the AWS console via the CLI.
3. Launching and logging into an EC2 instance
4. Creating an S3 bucket and uploading an image.
5. Security misconfigurations in S3 bucket.
6. Subdomain takeover via S3 bucket.
7. Hardcoded AWS credentials in github.
8. Asana AWS credentials leak using a pixel flood attack.
9. Murder in the cloud - the Code Spaces hack.



1. AWS Security
   n|u - The Open Security Community, Chennai Meet
   Presenter: Vinoth Kumar
   Date: 18/03/2017

2. About Me
   Application security engineer @ Freshdesk
   Blogger @ http://www.tutorgeeks.net
   Email: vinothpkumar333@gmail.com
   https://null.co.in/profile/294-vinothpkumar

3. What is AWS
   Amazon Web Services (AWS) is a “secure” cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.
   Getting started with AWS: create an account and start playing with their services - https://aws.amazon.com/free/
   A valid credit card is required for account creation.

4. AWS Services
   Amazon Elastic Compute Cloud - EC2
   Amazon Simple Storage Service - S3
   Amazon Relational Database Service - RDS
   Amazon CloudFront - CDN

5. Why AWS
   No need for your own infrastructure capability - cost saved.
   No need for more employee resources - cost saved.
   Helps in obtaining industry certifications like ISO 27001 with ease - less tension :)

6. Accessing AWS using the CLI
   The AWS Command Line Interface is a unified tool to manage your AWS services.
     pip install awscli
     cd <path_to_awscli>
     python setup.py install
     aws configure
       AWS Access Key ID: <---------------------->
       AWS Secret Access Key: <---------------------->
       Default region name [us-west-2]: us-west-2
       Default output format [None]: json
   https://aws.amazon.com/cli/

7. AWS S3 - The Internet’s hard drive is down
   The AWS S3 service was down on Feb 28th. What exactly happened?
   Human error - 2 main servers supporting S3 operation were accidentally deleted.
   The S3 outage affected other AWS services like ELB, IoT, etc., which depend on S3.

8. EC2 Instance IP disclosure
   1. Send a GET request to example.com.
   2. Change the HTTP version from 1.1 to 1.0.
   3. Remove the Host header (HTTP 1.0 doesn’t require a Host header. Source: The Web Application Hacker’s Handbook).
   4. Add a traversal attack (GET /..) and forward the request.
   5. Observe the IP being disclosed in the Location header.
9. S3 Bucket Misconfiguration
   Bucket: “bucketname.s3-ap-southeast-1.amazonaws.com”
   Vulnerability: “Write access to any AWS Authenticated user”
     Vinoth:~ aws s3 mv malicious.bat s3://bucketname
     move: ./malicious.bat to s3://bucketname/malicious.exe
   The issue has been reported and it is fixed:
     Vinoth:~ vinoth$ aws s3 mv demo.txt s3://bucketname
     move failed: ./demo.txt to s3://bucketname/demo.txt
     An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
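The grant behind this slide is an ACL entry for the predefined AuthenticatedUsers group, which any AWS account holder can satisfy. The following audit script is an added example (not from the slides or the presenter); it inspects an ACL document in the shape `boto3`'s `get_bucket_acl()` returns and flags grants to the AllUsers and AuthenticatedUsers groups, rating write-type permissions highest. The sample ACL is constructed to mirror the slide's bucket; `fetch_bucket_acl` and `make_private` are thin wrappers over real S3 API calls and need credentials.

```python
"""Audit an S3 bucket ACL for grants to the global AllUsers / AuthenticatedUsers groups.

Added example, not from the presentation. The audit logic works on the dict
that boto3's get_bucket_acl() returns; SAMPLE_ACL below is constructed.
"""
from typing import Dict, List

# Predefined S3 group URIs (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let an arbitrary principal change bucket contents or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return every grant that gives one of the global groups any permission.

    A grant to AuthenticatedUsers is effectively public: any AWS account can sign
    the request. WRITE on a bucket allows PutObject, which is what the slide shows.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are specific principals
        uri = grantee.get("URI", "")
        if uri not in (ALL_USERS, AUTHENTICATED_USERS):
            continue  # LogDelivery and other groups are out of scope here
        perm = grant.get("Permission", "")
        findings.append({
            "group": uri.rsplit("/", 1)[-1],
            "permission": perm,
            "severity": "high" if perm in WRITE_LIKE else "medium",
        })
    return findings


def fetch_bucket_acl(bucket: str) -> Dict:
    """Fetch a live ACL (needs credentials with s3:GetBucketAcl on the bucket)."""
    import boto3  # imported lazily so the audit logic runs without boto3 installed
    return boto3.client("s3").get_bucket_acl(Bucket=bucket)


def make_private(bucket: str) -> None:
    """Remediation: reset the ACL to the canned 'private' ACL (owner-only access)."""
    import boto3
    boto3.client("s3").put_bucket_acl(Bucket=bucket, ACL="private")


# Constructed sample mirroring the slide: the owner has full control and the
# AuthenticatedUsers group has WRITE, so any AWS account can upload objects.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for finding in risky_grants(SAMPLE_ACL):
        print(f"[{finding['severity']}] {finding['group']} has {finding['permission']}")
```

To run it against a real account, replace `SAMPLE_ACL` with `fetch_bucket_acl("bucketname")`; the same grants are visible from the CLI with `aws s3api get-bucket-acl --bucket bucketname`. Note that a bucket can also be writable through a bucket policy rather than its ACL, so an ACL audit alone is not a complete check.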
10. S3 Bucket - Subdomain takeover
   Enumerate the subdomains. It’s not so difficult to hit this command:
     knockpy example.com
   Keep an eye out for the following error messages while viewing the subdomains: “No such bucket” / “Bucket doesn’t exist”.
   Investigate the subdomain with dig / nslookup:
     subdomain.example.com CNAME “bucketname.s3.amazonaws.com”
   Create the above bucket in your AWS account and host your subdomain takeover page.
   Now “subdomain.example.com” will show your hosted page.
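From the defender's side the condition to catch is a CNAME that still points at an S3 hostname after the bucket has been deleted. The script below is an added example, not part of the slides: it extracts the bucket name from the S3 hostname shapes (`bucket.s3.amazonaws.com`, `bucket.s3-<region>.amazonaws.com`, `bucket.s3.<region>.amazonaws.com` and the `s3-website` endpoints) and classifies each record as `ok` or `dangling`. The DNS records and the set of existing buckets are constructed so the check runs offline; `live_bucket_exists` is the network version, which treats S3's 404 (the “No such bucket” case on the slide) as dangling.

```python
"""Flag CNAME records that alias a subdomain to an S3 bucket that no longer exists.

Added example, not from the presentation. SAMPLE_RECORDS and EXISTING_BUCKETS
are constructed; the bucket-existence check is injectable so the logic runs offline.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Bucket hostname shapes S3 uses, including the static-website endpoints.
S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])\."
    r"s3(?:-website)?(?:[.\-][a-z0-9\-]+)?\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def bucket_from_cname(target: str) -> Optional[str]:
    """Return the bucket name if the CNAME target is an S3 hostname, else None."""
    m = S3_HOST.match(target.strip())
    return m.group("bucket") if m else None


def find_dangling(records: List[Tuple[str, str]],
                  bucket_exists: Callable[[str], bool]) -> List[Dict[str, str]]:
    """Classify every S3-aliased record; non-S3 targets are skipped."""
    findings = []
    for name, target in records:
        bucket = bucket_from_cname(target)
        if bucket is None:
            continue
        status = "ok" if bucket_exists(bucket) else "dangling"
        findings.append({"subdomain": name, "bucket": bucket, "status": status})
    return findings


def live_bucket_exists(bucket: str) -> bool:
    """Unauthenticated check against the global S3 endpoint (network required).

    S3 answers 404 for a bucket name nobody owns; 200, 301 (wrong region) and
    403 (exists, private) all mean some account owns the name.
    """
    from urllib import error, request
    req = request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        request.urlopen(req, timeout=10)
        return True
    except error.HTTPError as e:
        return e.code != 404


# Constructed zone data: one healthy alias, one alias to a deleted bucket, one non-S3 CNAME.
SAMPLE_RECORDS = [
    ("static.example.com", "static-assets-prod.s3.amazonaws.com"),
    ("old.example.com", "old-site-2015.s3-website-us-east-1.amazonaws.com"),
    ("blog.example.com", "ghs.googlehosted.com"),
]
EXISTING_BUCKETS = {"static-assets-prod"}  # constructed stand-in for live lookups

if __name__ == "__main__":
    for f in find_dangling(SAMPLE_RECORDS, EXISTING_BUCKETS.__contains__):
        print(f"{f['subdomain']:25} -> {f['bucket']:25} {f['status']}")
```

For a live run, feed the zone's CNAME records and pass `live_bucket_exists` as the checker; the remediation for a `dangling` result is to delete the record or recreate the bucket in the owning account before anyone else can.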
11. Asana - AWS key disclosure
   Uploaded a 65000x65000 pixel image as the profile picture.
   The S3 bucket couldn’t accommodate the huge image.
   An error message was shown along with the AWS Access Key and Secret Key.
   Bounty awarded: 500 USD
   https://molico.tomahock.com/lottapixel-my-first-500-bounty-d3e678da1861#.88buoaod6

12. AWS Keys Exposed
   Developers mistakenly hardcode their AWS credentials and push them to GitHub.
   https://gitleaks.com/search?q=AWS
13. Murder in the cloud
   Code Spaces’ AWS root credentials were hacked.
   The attacker asked for a ransom; Code Spaces refused.
   The attacker got frustrated and deleted their AWS account.
   Unfortunately, their backup data was also stored in that AWS account.
   Code Spaces was shut down completely, with no means of retrieving the data.
   Key takeaway: have an offsite backup.
   http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html

14. Resources for Learning AWS Security
   https://aws.amazon.com/blogs/security/ - Official AWS security blog.
   http://flaws.cloud - CTF challenge to learn AWS security.
   https://www.slideshare.net/search/slideshow?searchfrom=header&q=AWS+Security
