Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Step by step AWS Cloud Hacking

andresriancho
September 25, 2020
Technology
0
600

Step by step AWS Cloud Hacking

andresriancho

September 25, 2020
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.8k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
11k
Threat Modelling
andresriancho
0
1.2k
Automated Security Analysis AWS Clouds
andresriancho
1
3.1k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
210
Galería de Fallos en Unicornios
andresriancho
1
160
Esoteric Web Application Vulnerabilities
andresriancho
0
840
String Compare Timing Attacks
andresriancho
0
520
Timing Attacks
andresriancho
1
260

Other Decks in Technology

See All in Technology
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
880
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
アジャイルでの品質の進化 Agile in Motion vol.1/20241118 Hiroyuki Sato
shift_evolve
0
180
日経電子版のStoreKit2フルリニューアル
shimastripe
1
150
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
190
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
440
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
430
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
110
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
540
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
260

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
380
Statistics for Hackers
jakevdp
796
220k
Bash Introduction
62gerente
608
210k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
A designer walks into a library…
pauljervisheath
204
24k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
How STYLIGHT went responsive
nonsquared
95
5.2k
Designing for humans not robots
tammielis
250
25k
Done Done
chrislema
181
16k
Faster Mobile Websites
deanohume
305
30k
What's new in Ruby 2.0
geeforr
343
31k

Transcript

  1. Ekoparty 2020 Andrés Riancho

  2. 2

  3. 3

  4. None

  5. 5

  6. need credentials • • • 6

  7. 7

  8. IAM permissions 8

  9. 9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}

  10. 10

  11. 11 from urllib.request import urlopen from flask import request @app.route('/ssrf')

    def handler(): url = request.args.get('url') return urlopen(url).read()

  12. Instance metadata and S3 compromise

  13. 13

  14. None

  15. two ways to enumerate permissions IAM service In most cases

    this will fail brute-force 15

  16. Get* / List* / Describe* DryRun parameter 16

  17. 17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]

  18. 18

  19. ./enumerate-iam.py

  20. 20

  21. many things the attacker doesn't know. 21 { "Statement":[ {

    "Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }

  22. try to elevate privileges to a principal with full access

    22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }

  23. Lambda function will have access to the IAM role 23

  24. Getting * on *

  25. None

  26. existing trust policy in the AdminRole 26

  27. 27

  28. 28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":

    "sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }

  29. Never trust the trust policy

  30. 30 ARN for the backdoored role

  31. None

  32. 32 most resources in the AWS account VPC is completely

    isolated from the Internet
  33. None

  34. 34 VPN between the attacker's workstation and a VPC

  35. 35

  36. vpc-vpn-pivot

  37. None

  38. From zero to full pwn

  39. None

  40. 40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho

  41. None