Successfully reported this slideshow.
Your SlideShare is downloading. ×

Attacking AWS: the full cyber kill chain

Oct. 01, 2019
3 likes 2,839 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Building&Hacking modern iOS apps
Building&Hacking modern iOS apps
Loading in …3
×

Check these out next

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
Hunting for the secrets in a cloud forest
SecuRing
Testing iOS apps without jailbreak in 2018
SecuRing
Security and Privacy on the Web in 2015
Francois Marier
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
Security and Privacy on the Web in 2016
Francois Marier
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Matt Raible
Rails security: above and beyond the defaults
Matias Korhonen
1 of 51 Ad

Attacking AWS: the full cyber kill chain

Oct. 01, 2019
3 likes 2,839 views

Download to read offline

Software

While it is quite common practice to do periodic security assessments of your local network, it is really rare to find a company who puts the same effort for testing the security in their cloud. We have to understand what new threats and risks appeared with the cloud and how should we change our attitude to testing cloud security. The goal of my presentation is to show how security assessment of cloud infrastructure it is different from testing environments in classic architecture. I'll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I’m going to show the whole kill chain starting from presenting cloud-applicable reconnaissance techniques. Then I’ll attack the web application server hosted on EC2 instance to access its metadata. Using the assigned role, I’ll access another AWS EC2 instance to escalate privileges to the administrator and then present how to hide fingerprints in CloudTrail service. Finally, I’ll demonstrate various techniques of silent exfiltrating data from AWS environment, setting up persistent access and describe another potential, cloud-specific threats, e.g. cryptojacking or ransomware in the cloud. The presentation shows practical aspects of attacking cloud services and each step of the kill chain will be presented in a form of an interactive, live demo. On the examples of presented attacks, I’ll show how to use AWS exploitation framework Pacu and other handy scripts.

While it is quite common practice to do periodic security assessments of your local network, it is really rare to find a company who puts the same effort for testing the security in their cloud. We have to understand what new threats and risks appeared with the cloud and how should we change our attitude to testing cloud security. The goal of my presentation is to show how security assessment of cloud infrastructure it is different from testing environments in classic architecture. I'll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I’m going to show the whole kill chain starting from presenting cloud-applicable reconnaissance techniques. Then I’ll attack the web application server hosted on EC2 instance to access its metadata. Using the assigned role, I’ll access another AWS EC2 instance to escalate privileges to the administrator and then present how to hide fingerprints in CloudTrail service. Finally, I’ll demonstrate various techniques of silent exfiltrating data from AWS environment, setting up persistent access and describe another potential, cloud-specific threats, e.g. cryptojacking or ransomware in the cloud. The presentation shows practical aspects of attacking cloud services and each step of the kill chain will be presented in a form of an interactive, live demo. On the examples of presented attacks, I’ll show how to use AWS exploitation framework Pacu and other handy scripts.

Software
License: CC Attribution-NonCommercial-ShareAlike License
Advertisement

Recommended

Building&Hacking modern iOS apps
SecuRing
2k views
67 slides
Building & Hacking Modern iOS Apps
SecuRing
634 views
66 slides
Abusing & Securing XPC in macOS apps
SecuRing
2.1k views
50 slides
REST API Pentester's perspective
SecuRing
4.7k views
72 slides
Serverless security: attack & defense
SecuRing
1.2k views
63 slides
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
582 views
58 slides
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PROIDEA
82 views
52 slides
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
215 views
49 slides
Advertisement

More Related Content

Slideshows for you (20)

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
289 views
Hunting for the secrets in a cloud forest
SecuRing
664 views
Testing iOS apps without jailbreak in 2018
SecuRing
3.8k views
Security and Privacy on the Web in 2015
Francois Marier
2.9k views
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
2.6k views
Security and Privacy on the Web in 2016
Francois Marier
670 views
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Matt Raible
178 views
Rails security: above and beyond the defaults
Matias Korhonen
435 views
Wi-Fi Hotspot Attacks
Greg Foss
10.3k views
Web & Cloud Security in the real world
Madhu Akula
1.5k views
How secure are webinar platforms?
SecuRing
120 views
Avoiding damage, shame and regrets data protection for mobile client-server a...
Stanfy
7.1k views
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
405 views
Integrity protection for third-party JavaScript
Francois Marier
4.3k views
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
1.5k views
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
5.2k views
CMS Hacking Tricks - DerbyCon 4 - 2014
Greg Foss
2.5k views
Secure your web app presentation
Frans Lytzen
165 views
Lares from LOW to PWNED
Chris Gates
6.4k views
My tryst with sourcecode review
Anant Shrivastava
2.6k views
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
289 views
54 slides
Hunting for the secrets in a cloud forest
SecuRing
664 views
54 slides
Testing iOS apps without jailbreak in 2018
SecuRing
3.8k views
73 slides
Security and Privacy on the Web in 2015
Francois Marier
2.9k views
105 slides
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
2.6k views
155 slides
Security and Privacy on the Web in 2016
Francois Marier
670 views
116 slides

Similar to Attacking AWS: the full cyber kill chain (20)

[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
186 views
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
Ken Johnson
647 views
Core strategies to develop defense in depth in AWS
Shane Peden
294 views
Avoiding Friendly Fire in AWS
DebHawk
77 views
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
Amazon Web Services
2.7k views
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...
Amazon Web Services
382 views
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
Garth Boyd
348 views
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
Amazon Web Services
10.9k views
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Matt Raible
92 views
Bsidesnova- Pentesting Methodology - Making bits less complicated
Octavio Paguaga
235 views
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
Amazon Web Services
2.8k views
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Matt Raible
139 views
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Toni de la Fuente
646 views
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
VMware Tanzu
210 views
It's 10pm, Do You Know Where Your Access Keys Are?
Ken Johnson
280 views
AWS Leeds Meetup - How do you manage secure access to AWS in an ever-increasi...
Andrew Backhouse
176 views
AWS re:Invent 2019
Maksim Djackov
75 views
Security in serverless world
Yan Cui
3.5k views
AWS Cyber Security Best Practices
DoiT International
1.1k views
AWS Security Strategy
Teri Radichel
1.5k views
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
186 views
28 slides
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
Ken Johnson
647 views
148 slides
Core strategies to develop defense in depth in AWS
Shane Peden
294 views
13 slides
Avoiding Friendly Fire in AWS
DebHawk
77 views
36 slides
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
Amazon Web Services
2.7k views
83 slides
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...
Amazon Web Services
382 views
24 slides
Advertisement

More from SecuRing (20)

Developer in a digital crosshair, 2022 edition - Oh My H@ck!
SecuRing
128 views
Developer in a digital crosshair, 2022 edition - No cON Name
SecuRing
83 views
Is persistency on serverless even possible?!
SecuRing
248 views
What happens on your Mac, stays on Apple’s iCloud?!
SecuRing
134 views
0-Day Up Your Sleeve - Attacking macOS Environments
SecuRing
1.3k views
Developer in a digital crosshair, 2022 edition
SecuRing
121 views
20+ Ways To Bypass Your Macos Privacy Mechanisms
SecuRing
901 views
Let's get evil - threat modeling at scale
SecuRing
363 views
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
SecuRing
990 views
Budowanie i hakowanie nowoczesnych aplikacji iOS
SecuRing
263 views
We need t go deeper - Testing inception apps.
SecuRing
1.1k views
Artificial Intelligence – a buzzword, new era of IT or new threats?
SecuRing
358 views
Czy S w PSD2 znaczy Secure?
SecuRing
290 views
Testowanie bezpieczeństwa chmury na przykładzie AWS.
SecuRing
346 views
Internet banking applications' security
SecuRing
1.2k views
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
SecuRing
1.5k views
Jailbreak - dylematy hazardzisty w pentestach aplikacji iOS
SecuRing
1.8k views
A 2018 practical guide to hacking RFID/NFC
SecuRing
16.3k views
Hunting for the secrets in a cloud forest
SecuRing
250 views
“Emacsem przez Sendmaila” czyli 5 prawdziwych scenariuszy APT wykorzystującyc...
SecuRing
1.2k views
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
SecuRing
128 views
113 slides
Developer in a digital crosshair, 2022 edition - No cON Name
SecuRing
83 views
111 slides
Is persistency on serverless even possible?!
SecuRing
248 views
101 slides
What happens on your Mac, stays on Apple’s iCloud?!
SecuRing
134 views
61 slides
0-Day Up Your Sleeve - Attacking macOS Environments
SecuRing
1.3k views
58 slides
Developer in a digital crosshair, 2022 edition
SecuRing
121 views
106 slides

Recently uploaded (20)

Vector gradiente discreto en imágenes
franciscoreales
0 views
webdesign.ppt
SharaafNazeer
0 views
Presentation.pptx
AyushmanTiwari11
3 views
Quarter-2-CH-1.ppt
TanTan622589
0 views
FLIPPED CLASSROOM AND EDU PODCAST-1.pptx
NayanaS48
9 views
SQA.ppt
Dr.Saranya K.G
1 view
Cpp Study Jam
MuhammadHaseeb53015
0 views
Masako Katsura Age 7.pdf
News Recoder
4 views
Re-engineering Technology to break barriers with Business
XPDays
8 views
GRID TECH..pptx
ANANT SONI
0 views
Robotics technical Presentation
klepsydratechnologie
4 views
DSAPresentation (11810976).pptx
ShivamSingh634514
3 views
EHS Portal
ASK EHS Engineering & Consultants
11 views
12682076.ppt
priyanshugautam46
0 views
HCL Workload Automation - Automate Anything, Run Anywhere
HCL Software
5 views
NDC Security 2023
rouanw
3 views
GEOSERVER - DOWNLOAD AND INSTALLATION STEP BY STEP TUTORIAL
Sohail Akbar Goheer
0 views
Unit4_Managing Contracts.ppt
KGSCSEPSGCT
3 views
DRHA KPLIFE BOOTCAMP.pptx
Kinetic Potential
13 views
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Applitools
688 views
Vector gradiente discreto en imágenes
franciscoreales
0 views
1 slide
webdesign.ppt
SharaafNazeer
0 views
28 slides
Presentation.pptx
AyushmanTiwari11
3 views
10 slides
Quarter-2-CH-1.ppt
TanTan622589
0 views
64 slides
FLIPPED CLASSROOM AND EDU PODCAST-1.pptx
NayanaS48
9 views
19 slides
SQA.ppt
Dr.Saranya K.G
1 view
50 slides
Advertisement

Attacking AWS: the full cyber kill chain

  1. 1. Attacking AWS: the full cyber kill chain Pawel Rzepa (pawel.rzepa@securing.pl)
  2. 2. IDS SIEM DLP Firewall - Is it safe? - F@#ck it, deploy! Cloud environment
  3. 3. www.securing.biz source: https://github.blog/2019-08-19-github-token-scanning-one-billion-tokens-identified-and-five-new-partners/
  4. 4. www.securing.biz source: https://technodrone.blogspot.com/2019/03/the-anatomy-of-aws-key-leak-to-public.html Commit including AWS keys Amazon notifies about the leak First attempt to use leaked keys 0 55 sec 122 sec
  5. 5. www.securing.biz #whoami • Senior Security Consultant in - Pentesting - Cloud security assessment • Blog: https://medium.com/@rzepsky • Twitter: @Rzepsky
  6. 6. The story www.securing.biz
  7. 7. www.securing.biz
  8. 8. www.securing.biz
  9. 9. www.securing.biz source: https://media.images.yourquote.in/post/large/0/0/12/20/x95x3598.jpg
  10. 10. www.securing.biz
  11. 11. What is metadata? • Data about your instance • It's a link-local address, accessible ONLY from your instance! • May include access keys to Instance Profile: www.securing.biz http://169.254.169.254/latest/meta-data/iam/security-credentials/ http://169.254.169.254/latest/meta-data/
  12. 12. Dark side of the story www.securing.biz
  13. 13. www.securing.biz Somewhere in the other end of the Internet...
  14. 14. Demo: https://vimeo.com/363518570 www.securing.biz Domainanalytics.org - intro
  15. 15. Identify the IP owner www.securing.biz Public AWS IP ranges: https://amzn.to/2EbvP0J Or use AWS EC2 reachability test: https://bit.ly/30274Ag
  16. 16. Demo: https://vimeo.com/363519636 www.securing.biz Exploiting SSRF to get metadata
  17. 17. www.securing.biz port 80 from 0.0.0.0/0 ec2_role SSRF
  18. 18. The real story… www.securing.biz Source: https://bit.ly/2mhhvRb
  19. 19. www.securing.biz
  20. 20. Demo: https://vimeo.com/334856214 www.securing.biz Pacu intro
  21. 21. Bruteforce permissions www.securing.biz
  22. 22. Enumerate, enumerate, enumerate! Pacu (Domain Analytics:ec2_pivot) > run ec2__enum (...) Pacu (Domain Analytics:ec2_pivot) > data EC2 (...) VS www.securing.biz
  23. 23. There's a stopped instance (i-08d6cf0eaf210a552) with instance-profile/admin attached! www.securing.biz What can we find out there?
  24. 24. www.securing.biz port 80 from 0.0.0.0/0 ec2_role admin SSRF
  25. 25. www.securing.biz Modified User Data
  26. 26. www.securing.biz Port 80 from 0.0.0.0/0 SSRF admin User Data reverse shell getting administrator access ec2_role
  27. 27. Demo: https://vimeo.com/334856098 www.securing.biz Privilege escalation
  28. 28. Staying under the hoodStaying under the hood
  29. 29. CloudTrail by default monitors all regions
  30. 30. CloudTrail: ways to hide your fingerprints
  31. 31. www.securing.biz Disrupt monitoring services
  32. 32. www.securing.biz Minimize monitoring services
  33. 33. www.securing.biz Minimize monitoring services
  34. 34. Persist access • Bind shell in User Data with backdoor in Security Groups • Lambda backdoor which creates IAM user when specific CloudWatch Event occurs • Backdoor via cross-account Trust Policy • Add extra keys to existing user www.securing.biz
  35. 35. www.securing.biz Without monitoring it’s hard to detect a 2nd key pair… even for legit administrator ! Demo: https://vimeo.com/334856167
  36. 36. www.securing.biz The real story… Source: https://bit.ly/30qQo5c
  37. 37. Let's switch perspective to the blue team www.securing.biz
  38. 38. www.securing.biz Mitigation: dynamically lock role’s credentials More: https://bit.ly/2HFJYtk
  39. 39. www.securing.biz Mitigation: separate access to logs AWS Organizations
  40. 40. www.securing.biz Mitigation: follow the AWS CIS Foundations Benchmark Source: https://bit.ly/2lP8fnb
  41. 41. Mitigation: aggregate security events www.securing.biz Source: https://bit.ly/2kPhYtp
  42. 42. How to detect all security issues? www.securing.biz
  43. 43. • Are there any extra, undocumented resources? • Is the system architecture free from design flaws? Cloud security assessment: architecture review www.securing.biz
  44. 44. Cloud security assessment: configuration review • Are all cloud services configured in compliance with best practices? www.securing.biz
  45. 45. • Are your applications free from vulnerabilities like RCE/SSRF/XXE etc.? • Is the Serverless code secure (e.g. free from "event injections")? Cloud security assessment: pentesting sensitive services www.securing.biz
  46. 46. • Do you monitor sensitive actions? • Do you have defined incident response procedure? Cloud security assessment: verifying monitoring processes www.securing.biz
  47. 47. Audit your cloud infrastructure Harden it. Repeat. www.securing.biz
  48. 48. 7-Step Guide to SecuRing your AWS Kingdom www.securing.biz https://bit.ly/2EN7yAs
  49. 49. KrkAnalytica CTF www.securing.biz https://bit.ly/2ZFF9Gh
  50. 50. If so, contact me on: pawel.rzepa@securing.pl Do you have any questions? Could you give me any feedback?

×