
Attacking AWS: the full cyber kill chain


While periodic security assessments of the local network are common practice, it is rare to find a company that puts the same effort into testing the security of its cloud. We have to understand what new threats and risks appeared with the cloud and how we should change our approach to testing cloud security.

The goal of my presentation is to show how a security assessment of cloud infrastructure differs from testing environments built on a classic architecture. I'll demonstrate a hypothetical attack on a company that is fully deployed in the AWS environment. I'm going to show the whole kill chain, starting with cloud-applicable reconnaissance techniques. Then I'll attack a Jenkins server hosted on an EC2 instance to access its metadata. Using the assigned role, I'll access another AWS service to escalate privileges to administrator, and then show how to hide fingerprints in the CloudTrail service. Finally, I'll demonstrate various techniques for silently exfiltrating data from an AWS environment and for setting up persistent access, and describe other potential cloud-specific threats, e.g. cryptojacking.

The presentation shows the practical aspects of attacking cloud services, and each step of the kill chain is presented as a live demo. Using the presented attacks as examples, I'll show how to use the AWS exploitation framework Pacu and other handy scripts.

Published in: Services


  1. Attacking AWS: the full cyber kill chain. Pawel Rzepa
  2. www.securing.biz #whoami • Senior Security Consultant: pentesting, cloud security assessment • Blog: https://medium.com/@rzepsky • Twitter: @Rzepsky
  3. (image only)
  4. (image only) source: https://redlock.io/blog/cryptojacking-tesla
  5. (image only) source: https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
  6. (image only)
  7. (image only)
  8. Somewhere on the other end of the Internet...
  9. Domainanalytics.online intro. Demo: https://vimeo.com/334855817
  10. Identify the IP owner. Public AWS IP ranges: https://amzn.to/2EbvP0J, or use the AWS EC2 reachability test: https://bit.ly/30274Ag
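The slide's first recon step, checking whether a target IP sits in a published AWS range, as an added example (not code from the deck). It parses the JSON that AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json; the handful of prefixes embedded below are a constructed excerpt in that file's format so the check runs offline, and `fetch_ranges()` pulls the live file when you want the real answer.

```python
"""Is this IP owned by AWS, and which service/region? (added example)"""
import ipaddress
import json
from typing import List, NamedTuple, Union
from urllib.request import urlopen

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed excerpt in the layout of the real file (which has thousands of entries).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2019-05-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "EC2"},
    ],
})

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Match(NamedTuple):
    network: Network
    region: str
    service: str


def load_ranges(text: str) -> List[Match]:
    """Flatten both the IPv4 and the IPv6 prefix lists into Match records."""
    doc = json.loads(text)
    ranges = [Match(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
              for p in doc.get("prefixes", [])]
    ranges += [Match(ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"])
               for p in doc.get("ipv6_prefixes", [])]
    return ranges


def fetch_ranges(timeout: int = 10) -> List[Match]:
    """Download the live file (needs network; the offline demo does not call it)."""
    with urlopen(IP_RANGES_URL, timeout=timeout) as resp:
        return load_ranges(resp.read().decode())


def lookup(ip: str, ranges: List[Match]) -> List[Match]:
    """All prefixes containing ip. The AMAZON entry is a superset of the
    service-specific ones, so an EC2 match is what tells you the host is an
    EC2 instance rather than, say, an S3 or CloudFront endpoint."""
    addr = ipaddress.ip_address(ip)
    return [m for m in ranges
            if m.network.version == addr.version and addr in m.network]


def is_aws(ip: str, ranges: List[Match]) -> bool:
    return bool(lookup(ip, ranges))


def describe(ip: str, ranges: List[Match]) -> str:
    """One-line summary for the recon notes."""
    matches = lookup(ip, ranges)
    if not matches:
        return f"{ip}: not in the published AWS ranges"
    services = ",".join(sorted({m.service for m in matches}))
    regions = ",".join(sorted({m.region for m in matches}))
    return f"{ip}: AWS {services} ({regions})"


if __name__ == "__main__":
    offline = load_ranges(SAMPLE_IP_RANGES)
    for target in ("52.95.110.17", "3.5.141.9", "2600:1f14::1", "8.8.8.8"):
        print(describe(target, offline))
```

The file changes often (AWS publishes a new syncToken each time), so re-fetch it per engagement rather than caching a copy; and remember that a match only proves the address is Amazon-owned, not that it belongs to your target, since the same ranges serve every other customer in that region.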
  11. (image only)
  12. Exploiting SSRF. Demo: https://vimeo.com/334856068
  13. Oops... other services are also available! Demo: https://vimeo.com/334856278
  14. What is metadata? • Data about your instance • Served on a link-local address, reachable only from the instance itself; any request the instance can be made to send (e.g. via SSRF) reaches it • May include the temporary access keys of the Instance Profile: http://169.254.169.254/latest/meta-data/ http://169.254.169.254/latest/meta-data/iam/security-credentials/
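The SSRF from slides 12 to 14, as an added example that is not code from the deck: `fetch_vulnerable()` is the pattern behind the demo (the server fetches whatever URL the user supplies, so the link-local metadata address is reachable), and `check_target()` / `fetch_hardened()` are one application-side fix that resolves the host, rejects every non-public answer and then connects to the address it checked. The function names, the fake DNS table and the example hostnames are assumptions. Since this deck was given, AWS has also added IMDSv2 (a session token obtained with a PUT request, and a default hop limit of 1), which stops this simple GET-based SSRF on the instance side; the code below is the application side of the same problem.

```python
"""SSRF to instance metadata: the vulnerable fetcher and a hardened one (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlparse
from urllib.request import Request, urlopen

IMDS = "http://169.254.169.254/latest/meta-data/"


def fetch_vulnerable(url: str, timeout: int = 3) -> bytes:
    """Classic SSRF: whatever URL the user submits is fetched as-is, so
    ?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
    hands the instance profile's keys to the attacker."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


class BlockedTarget(ValueError):
    """Raised when a URL points at something the server must not fetch."""


Resolver = Callable[[str], List[str]]


def resolve_all(host: str) -> List[str]:
    """Every A/AAAA record, so a name with one public and one link-local answer
    is still caught. getaddrinfo also normalises forms urlparse passes through
    untouched, such as the decimal 2852039166 for 169.254.169.254."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr) -> bool:
    # ::ffff:169.254.169.254 is an IPv6 literal wrapping a v4 link-local address
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_target(url: str, resolver: Resolver = resolve_all) -> List[str]:
    """Validate scheme and host; return the resolved addresses, all of them public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedTarget(f"unsupported URL: {url}")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal address, no DNS needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise BlockedTarget(f"{host} does not resolve")
    for a in addrs:
        if not _is_public(ipaddress.ip_address(a)):
            raise BlockedTarget(f"{host} resolves to non-public address {a}")
    return addrs


def fetch_hardened(url: str, resolver: Resolver = resolve_all, timeout: int = 3) -> bytes:
    """Check first, then connect to the checked IP with the Host header preserved,
    so a DNS answer that changes between check and connect (rebinding) cannot
    redirect the request. Shown for plain http; for https you need a client that
    can pin the address while keeping SNI and certificate hostname verification."""
    addrs = check_target(url, resolver)
    parts = urlparse(url)
    if parts.scheme != "http":
        raise BlockedTarget("pinning shown for http only")
    ip = addrs[0]
    netloc = f"[{ip}]" if ":" in ip else ip
    if parts.port:
        netloc += f":{parts.port}"
    pinned = parts._replace(netloc=netloc).geturl()
    req = Request(pinned, headers={"Host": parts.hostname})
    with urlopen(req, timeout=timeout) as resp:   # NB: follows redirects, see note below
        return resp.read()


# Constructed stand-in for DNS so the checks can run offline (assumed names).
FAKE_DNS: Dict[str, List[str]] = {
    "api.example.net": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.34", "169.254.169.254"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def is_blocked(url: str, resolver: Resolver = fake_resolver) -> bool:
    """True if the hardened path would refuse the URL."""
    try:
        check_target(url, resolver)
        return False
    except BlockedTarget:
        return True
```

Two things the block deliberately leaves to you: `urlopen` follows HTTP redirects, so a public host answering `302 Location: http://169.254.169.254/...` would still be followed unless you disable redirects or re-run `check_target()` on every hop; and the validation is only worth something if no other code path (image proxies, webhooks, PDF renderers) fetches URLs without it.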
  15. (image only)
  16. (image only)
  17. Pacu intro. Demo: https://vimeo.com/334856214
  18. (image only)
  19. Enumerate permissions. You need the following permissions to list your own permissions: iam:ListAttachedUserPolicies, iam:GetUserPolicy (for a role: iam:ListAttachedRolePolicies, iam:GetRolePolicy) ... little chance of finding them in an Instance Profile :/
  20. Bruteforce permissions (every denied call still lands in CloudTrail with errorCode AccessDenied, so this is noisy)
  21. Enumerate, enumerate, enumerate! Pacu (Domain Analytics:ec2_pivot) > run ec2__enum (...) Pacu (Domain Analytics:ec2_pivot) > data EC2 (...)
  22. There's a stopped instance (i-08d6cf0eaf210a552) with instance-profile/admin attached! What can we find out there?
  23. (image only)
  24. Privilege escalation. Demo: https://vimeo.com/334856098
  25. #cloud-boothook
  26. User Data
  27. Staying under the radar
  28. CloudTrail: a trail created in the console applies to all regions by default
  29. CloudTrail: ways to hide your fingerprints
  30. Persist access • Bind shell in User Data with a backdoor rule in the Security Group • Lambda backdoor that creates an IAM user when a specific CloudWatch Event occurs • Add extra keys to an existing user
  31. Without monitoring it's hard to detect a 2nd key pair... even for a legitimate administrator :O Demo: https://vimeo.com/334856167
  32. Let's switch perspective to the blue team
  33. Analysing what went wrong • Vulnerable, publicly available web application • "Test" instance with admin permissions (possible privilege escalation) • No monitoring of sensitive actions (e.g. Instance Profile keys used outside the instance, CloudTrail settings modified, additional keys created, etc.) • Improperly configured CloudTrail (no log file encryption, no copy of the logs in a bucket owned by a different AWS account) and Security Groups
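The monitoring gap from slide 33 (and the tampering and persistence tricks of slides 29 to 31), as an added example that is not code from the deck: a small detector run over CloudTrail records that flags instance-profile keys used from somewhere other than the instance, trail tampering, and new access keys. The records, account number, IP addresses and rule names are constructed; the instance id and the `admin` role match the deck's scenario.

```python
"""Detect the three things slide 33 says nobody was watching (added example)."""
import json
from typing import Any, Dict, List, NamedTuple

# Events that weaken or disable the trail (the 'hide your fingerprints' slide).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Where each instance's API traffic actually comes from: its public IP, or the
# EIP of its NAT gateway. Constructed.
KNOWN_INSTANCE_IPS = {"i-08d6cf0eaf210a552": "203.0.113.7"}

ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/admin/i-08d6cf0eaf210a552"

# Constructed records in CloudTrail's JSON layout (the "Records" array of one log file).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},          # from the instance: fine
    {"eventTime": "2019-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedRolePolicies", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},          # same keys, attacker IP
    {"eventTime": "2019-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2019-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"userName": "deploy"}},
    {"eventTime": "2019-05-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},  # benign
]})


class Finding(NamedTuple):
    rule: str
    event_name: str
    source_ip: str
    detail: str


def instance_id_from_session(record: Dict[str, Any]) -> str:
    """Keys taken from an instance profile show up as an AssumedRole session whose
    session name is the instance id: .../assumed-role/<role>/i-xxxx."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return ""
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else ""


def check_record(record: Dict[str, Any], known_ips: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    name = record.get("eventName", "")
    src = record.get("sourceIPAddress", "")
    ident = record.get("userIdentity", {})
    params = record.get("requestParameters") or {}

    instance_id = instance_id_from_session(record)
    # Calls AWS services make on the instance's behalf carry a service name, not an IP.
    if instance_id and not src.endswith(".amazonaws.com") and src != "AWS Internal":
        expected = known_ips.get(instance_id)
        if src != expected:
            findings.append(Finding("instance_creds_outside_instance", name, src,
                f"{instance_id} keys used from {src}, expected {expected or 'unknown'}"))
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        findings.append(Finding("cloudtrail_tampering", name, src,
                                f"trail {params.get('name', '?')}"))
    if name == "CreateAccessKey":   # a 2nd key pair is quiet unless you alert on every one
        target = params.get("userName") or ident.get("userName", "(self)")
        findings.append(Finding("new_access_key", name, src,
                                f"key created for {target} by {ident.get('arn', '?')}"))
    return findings


def scan(log_text: str, known_ips: Dict[str, str] = KNOWN_INSTANCE_IPS) -> List[Finding]:
    findings: List[Finding] = []
    for record in json.loads(log_text).get("Records", []):
        findings.extend(check_record(record, known_ips))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.event_name} from {f.source_ip}: {f.detail}")
```

The first rule is the one that catches this kill chain earliest, at the moment the stolen keys are used from the attacker's machine, which is also the case GuardDuty's instance-credential-exfiltration findings cover; keep `KNOWN_INSTANCE_IPS` fed from your inventory rather than hand-maintained, or every NAT gateway change becomes a false positive. The third rule flags legitimate key rotations too; that is intentional, since the slide's point is that a second key pair is invisible unless every `CreateAccessKey` gets looked at.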
  34. Cloud security assessment: architecture review • Are there any extra, undocumented resources? • Is the system architecture free from design flaws?
  35. Cloud security assessment: configuration review • Are all cloud services configured in compliance with best practices?
  36. Cloud security assessment: pentesting sensitive services • Are your applications free from vulnerabilities like RCE/SSRF/XXE etc.? • Is the serverless code secure (e.g. free from "event injections")?
  37. Cloud security assessment: verifying monitoring processes • Do you monitor sensitive actions? • Do you have a defined incident response procedure?
  38. Cloud security assessment in practice • Vulnerable, publicly available web application • "Test" instance with admin permissions (possible privilege escalation) • No monitoring of sensitive actions (e.g. Instance Profile keys used outside the instance, CloudTrail settings modified, additional keys created, etc.) • Improperly configured CloudTrail (no log file encryption, no copy of the logs in a bucket owned by a different AWS account) and Security Groups
  39. "Through 2022, at least 95% of cloud security failures will be the customer's fault" (Gartner, source: https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/)
  40. Extras • CloudGoat: https://bit.ly/2TKxczt • CloudGoat walkthrough: https://bit.ly/2u4QYXO • Pacu: https://bit.ly/2SYJKyX • KrkAnalytica CTF: https://bit.ly/2ZFF9Gh • 7-Step Guide to SecuRing your AWS Kingdom: https://bit.ly/2EN7yAs • CloudMapper: https://bit.ly/2NV6zSY • Prowler: https://bit.ly/2kxy879
  41. Do you have any questions? Could you give me any feedback? If so, contact me at: pawel.rzepa@securing.pl
