Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Step by step AWS Cloud Hacking

andresriancho
September 25, 2020
Technology
0
610

Step by step AWS Cloud Hacking

andresriancho

September 25, 2020
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.8k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
11k
Threat Modelling
andresriancho
0
1.2k
Automated Security Analysis AWS Clouds
andresriancho
1
3.1k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
220
Galería de Fallos en Unicornios
andresriancho
1
170
Esoteric Web Application Vulnerabilities
andresriancho
0
860
String Compare Timing Attacks
andresriancho
0
520
Timing Attacks
andresriancho
1
260

Other Decks in Technology

See All in Technology
ずっと昔に Star をつけたはずの 思い出せない GitHub リポジトリを見つけたい!
rokuosan
0
150
バクラクのドキュメント解析技術と実データにおける課題 / layerx-ccc-winter-2024
shimacos
2
1.1k
【re:Invent 2024 アプデ】 Prompt Routing の紹介
champ
0
150
DevOps視点でAWS re:invent2024の新サービス・アプデを振り返ってみた
oshanqq
0
180
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
360
ガバメントクラウドのセキュリティ対策事例について
fujisawaryohei
0
560
KnowledgeBaseDocuments APIでベクトルインデックス管理を自動化する
iidaxs
1
270
TSKaigi 2024 の登壇から広がったコミュニティ活動について
tsukuha
0
160
普通のエンジニアがLaravelコアチームメンバーになるまで
avosalmon
0
110
レンジャーシステムズ | 会社紹介(採用ピッチ)
rssytems
0
200
Qiita埋め込み用スライド
naoki_0531
0
5.1k
サイボウズフロントエンドエキスパートチームについて / FrontendExpert Team
cybozuinsideout
PRO
5
38k

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
133
9k
A designer walks into a library…
pauljervisheath
204
24k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
520
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
66k
Docker and Python
trallard
42
3.1k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
28
900
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Making Projects Easy
brettharned
116
5.9k
The Invisible Side of Design
smashingmag
298
50k

Transcript

  1. Ekoparty 2020 Andrés Riancho

  2. 2

  3. 3

  4. None

  5. 5

  6. need credentials • • • 6

  7. 7

  8. IAM permissions 8

  9. 9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}

  10. 10

  11. 11 from urllib.request import urlopen from flask import request @app.route('/ssrf')

    def handler(): url = request.args.get('url') return urlopen(url).read()

  12. Instance metadata and S3 compromise

  13. 13

  14. None

  15. two ways to enumerate permissions IAM service In most cases

    this will fail brute-force 15

  16. Get* / List* / Describe* DryRun parameter 16

  17. 17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]

  18. 18

  19. ./enumerate-iam.py

  20. 20

  21. many things the attacker doesn't know. 21 { "Statement":[ {

    "Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }

  22. try to elevate privileges to a principal with full access

    22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }

  23. Lambda function will have access to the IAM role 23

  24. Getting * on *

  25. None

  26. existing trust policy in the AdminRole 26

  27. 27

  28. 28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":

    "sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }

  29. Never trust the trust policy

  30. 30 ARN for the backdoored role

  31. None

  32. 32 most resources in the AWS account VPC is completely

    isolated from the Internet
  33. None

  34. 34 VPN between the attacker's workstation and a VPC

  35. 35

  36. vpc-vpn-pivot

  37. None

  38. From zero to full pwn

  39. None

  40. 40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho

  41. None