Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Step by step AWS Cloud Hacking

andresriancho
September 25, 2020
Technology
0
600

Step by step AWS Cloud Hacking

andresriancho

September 25, 2020
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.8k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
11k
Threat Modelling
andresriancho
0
1.2k
Automated Security Analysis AWS Clouds
andresriancho
1
3.1k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
210
Galería de Fallos en Unicornios
andresriancho
1
160
Esoteric Web Application Vulnerabilities
andresriancho
0
830
String Compare Timing Attacks
andresriancho
0
520
Timing Attacks
andresriancho
1
250

Other Decks in Technology

See All in Technology
フルカイテン株式会社 採用資料
fullkaiten
0
40k
エンジニア候補者向け資料2024.11.07.pdf
macloud
0
4.5k
軽量DDDはもういらない! スタイルガイド本で OOPの実装パターンを学ぼう
panda_program
29
11k
DatabricksにおけるLLMOpsのベストプラクティス
taka_aki
4
1.6k
dev 補講: プロダクトセキュリティ / Product security overview
wa6sn
0
1.5k
家具家電付アパートの冷蔵庫をIoT化してみた!
scbc1167
0
140
State of Open Source Web Mapping Libraries
dayjournal
0
200
ZOZOTOWNでの推薦システム活用事例の紹介
f6wbl6
1
480
元旅行会社の情シス部員が教えるおすすめなre:Inventへの行き方 / What is the most efficient way to re:Invent
naospon
2
260
Exadata Database Service on Cloud@Customer セキュリティ、ネットワーク、および管理について
oracle4engineer
PRO
0
1.1k
マイベストのデータ基盤の現在と未来 / mybest-data-infra-asis-tobe
mybestinc
2
1.9k
今、始める、第一歩。 / Your first step
yahonda
2
680

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
95
5.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Teambox: Starting and Learning
jrom
133
8.8k
Agile that works and the tools we love
rasmusluckow
327
21k
Unsuck your backbone
ammeep
668
57k
The Language of Interfaces
destraynor
154
24k
Automating Front-end Workflow
addyosmani
1366
200k
Building Your Own Lightsaber
phodgson
102
6.1k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k

Transcript

  1. Ekoparty 2020 Andrés Riancho

  2. 2

  3. 3

  4. None

  5. 5

  6. need credentials • • • 6

  7. 7

  8. IAM permissions 8

  9. 9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}

  10. 10

  11. 11 from urllib.request import urlopen from flask import request @app.route('/ssrf')

    def handler(): url = request.args.get('url') return urlopen(url).read()

  12. Instance metadata and S3 compromise

  13. 13

  14. None

  15. two ways to enumerate permissions IAM service In most cases

    this will fail brute-force 15

  16. Get* / List* / Describe* DryRun parameter 16

  17. 17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]

  18. 18

  19. ./enumerate-iam.py

  20. 20

  21. many things the attacker doesn't know. 21 { "Statement":[ {

    "Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }

  22. try to elevate privileges to a principal with full access

    22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }

  23. Lambda function will have access to the IAM role 23

  24. Getting * on *

  25. None

  26. existing trust policy in the AdminRole 26

  27. 27

  28. 28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":

    "sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }

  29. Never trust the trust policy

  30. 30 ARN for the backdoored role

  31. None

  32. 32 most resources in the AWS account VPC is completely

    isolated from the Internet
  33. None

  34. 34 VPN between the attacker's workstation and a VPC

  35. 35

  36. vpc-vpn-pivot

  37. None

  38. From zero to full pwn

  39. None

  40. 40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho

  41. None