
Understanding AWS cloud attacks using CloudGoat

Enterprises are increasingly running their IT and application infrastructure natively in the cloud. With more workloads running in the cloud, security becomes an important and unavoidable part of your day-to-day operations. All cloud providers seek to implement the shared responsibility of security with their customers, which means that although the cloud provider is responsible for the hardware and underlying infrastructure security, the customer becomes responsible for all accounts, workloads, systems, and configuration-based security.

Regardless of whether you are a cloud security enthusiast or a pentester, it is important that you are able to assess the security of the cloud platform and pentest these cloud-native deployments to help secure organizations. This session will help you get started and understand what are the different attacks that are possible on a target AWS environment. You will learn how to discover vulnerabilities and what attacks are possible on AWS that leverage AWS IAM, Lambda and S3, etc.

Kavisha Sheth

May 10, 2021

Transcript

  1. About me
     Kavisha Sheth
     • Security Analyst at Appsecco
     • Breaks web application, API and Cloud security
     • Member of a number of security communities including null community, InfoSecGirls, and WiCys India
     • Listed as one of the top security researchers of the nation, in a newsletter of NCIIPC RVDP
  2. What we will cover today
     • Why are we doing this?
     • AWS Real World Attacks
     • Attacking AWS infra using keys obtained via SSRF
     • Enumerating and attacking AWS S3 storage
     • Privilege escalation within AWS using IAM policy rollback
     • Privilege escalation using lambda functions
     • Next steps in learning
     • Tools
     • References
  3. Why are we doing this?
     • Enterprises are increasingly running their IT and application infrastructure natively in the cloud
     • Our experience with multiple cloud assessments has shown misconfigurations to be a major security concern
     • A lot of default code and deployment practices on the Internet do not take security into account
     • Shared responsibility between the cloud provider and you can be confusing
     • If you are aware of what attacks are out there, you can defend yourself better
  4. What we are covering today
     • Attacking AWS infra using keys obtained via SSRF
     • Enumerating and attacking AWS S3 storage
     • Privilege escalation within AWS using IAM policy rollback
     • Privilege escalation using lambda functions
  5. Target Environment
     • To understand the attacks in today's talk we will be using CloudGoat as our target environment
     • You can set up CloudGoat to practice these attacks by following the instructions from our reference slide
  6. Scenario Assumptions
     • Credentials already found by attacker (through JS source, GitHub, server-side code disclosure etc.)
  7. 4. List Lambda functions
     Hard-coded AWS security credentials in the environment variables of the Lambda function
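The slide above describes the finding; the following is an added audit example (not code from the talk or from CloudGoat) that scans the `Functions[].Environment.Variables` shape returned by `aws lambda list-functions` for access-key-shaped values. The function names, variable names and key values in the sample are constructed placeholders.

```python
# Added example: flag Lambda environment variables that look like hard-coded
# AWS credentials. Input mirrors the JSON of `aws lambda list-functions`.
import re

# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-like characters; only treat a value as a secret
# when the variable name also suggests one, to keep false positives down.
SECRET_VALUE_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
SECRET_NAME_RE = re.compile(r"SECRET|ACCESS_KEY|TOKEN", re.IGNORECASE)


def find_hardcoded_credentials(functions):
    """Return (function_name, variable_name, kind) for each suspicious variable."""
    findings = []
    for fn in functions:
        variables = fn.get("Environment", {}).get("Variables", {})
        for name, value in variables.items():
            if ACCESS_KEY_RE.search(value):
                findings.append((fn["FunctionName"], name, "access_key_id"))
            elif SECRET_NAME_RE.search(name) and SECRET_VALUE_RE.match(value):
                findings.append((fn["FunctionName"], name, "secret_access_key"))
    return findings


# Constructed sample (not real output): the first function carries the pattern
# from the slide, the second is benign. Key values are made-up placeholders.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "cg-lambda-example",
     "Environment": {"Variables": {
         "EC2_ACCESS_KEY_ID": "AKIAEXAMPLE000000000",
         "EC2_SECRET_KEY_ID": "ExAmPlESeCrEtKeY" + "0" * 24,
         "LOG_LEVEL": "info"}}},
    {"FunctionName": "billing-report",
     "Environment": {"Variables": {"TABLE": "reports", "REGION": "us-east-1"}}},
]

if __name__ == "__main__":
    # Remediation for each hit: move the secret to Secrets Manager or, better,
    # drop it entirely and grant the function's execution role the permission.
    for function_name, variable, kind in find_hardcoded_credentials(SAMPLE_FUNCTIONS):
        print(f"{function_name}: {variable} looks like a hard-coded {kind}")
```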
  8. 13. List the buckets and download any data stored on the S3 buckets.
     S3 bucket has additional sensitive information!!
  9. What was our approach?
     • Found credentials with read-only access
     • Application hosted on an EC2 instance was vulnerable to SSRF
     • Role was attached to the EC2 instance
     • Exploit to steal the IAM role credentials
     • Look for permissions
     • Found S3-related permission
     • Listed S3 bucket and downloaded data
  10. What's next?
      • Is the web application hosted on an EC2 instance?
      • Is a role attached to the EC2 instance?
  11. Finding SSRF via HTML Injection inside a PDF file on AWS EC2
      https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90
  12. Scenario Assumptions
      • Attacker has discovered a public IP with an HTTP reverse proxy running
      • Reverse proxy is misconfigured (does not check the target IP)
      • This reverse proxy allows access to any internal IP address, including the instance metadata endpoint
  13. Where can you find S3 buckets?
      • HTTP responses when uploading a file
      • In DNS records
      • Google searches for the website name and S3 buckets
      • Shodan, Certificate Transparency logs, Censys, numerous bucket finder scripts, GrayHat Warfare bucket search
  14. Scenario Assumptions
      • Credentials already found by attacker (through JS source, GitHub, server-side code disclosure etc.)
  15. 5. Make V3 version the default policy version
      Command to make V5 default policy version:
        aws iam set-default-policy-version \
          --policy-arn "arn:aws:iam::ACCOUNT-ID:policy/cg-raynor-policy" \
          --version-id v3 --profile <PROFILE-NAME>
      Let's create a new IAM user!
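The rollback above works because `iam:SetDefaultPolicyVersion` lets a principal activate any stored version of a managed policy, so a defender has to review every version, not only the default one. This is an added audit example (not code from the talk or from CloudGoat) that takes the `Versions` list from `aws iam list-policy-versions`, with each entry's `Document` filled in from `aws iam get-policy-version`, and reports dormant versions that would grant full admin if made default. The sample version contents are constructed and only loosely modelled on the slide's cg-raynor-policy.

```python
# Added example: find non-default IAM policy versions that grant "*" on "*",
# i.e. versions an attacker with iam:SetDefaultPolicyVersion could roll back to.

def _as_list(value):
    # IAM policy JSON allows a single string/dict or a list in several places.
    return value if isinstance(value, list) else [value]


def grants_full_admin(document):
    """True if any Allow statement covers all actions on all resources."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False


def risky_rollback_versions(versions):
    """VersionIds that are not the default but would grant full admin if made default."""
    return [v["VersionId"] for v in versions
            if not v.get("IsDefaultVersion", False) and grants_full_admin(v["Document"])]


# Constructed sample: the default v1 is read-only, v2 is scoped to one bucket,
# and a dormant v3 is a wildcard policy. Version bodies are invented for the example.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::example-bucket"}]}},
    {"VersionId": "v3", "IsDefaultVersion": False,
     "Document": {"Version": "2012-10-17",
                  "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
]

if __name__ == "__main__":
    # Remediation: delete stale versions with `aws iam delete-policy-version` and
    # restrict who holds iam:SetDefaultPolicyVersion / iam:CreatePolicyVersion.
    print("Rollback-exploitable versions:", risky_rollback_versions(SAMPLE_VERSIONS))
```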
  16. Scenario Assumptions
      • Credentials already found by attacker (through JS source, GitHub, server-side code disclosure etc.)
  17. 6. Leverage the lambdaManager role to perform a privilege escalation using a Lambda function
      • Create lambda function:
        aws lambda create-function --function-name admin_function --runtime python3.6 \
          --role <cg-debug-role arn> --handler code.lambda_handler \
          --zip-file fileb://code.zip --profile lambdaManager
      • Invoke lambda function:
        aws lambda invoke --function-name admin_function out.txt --profile lambdaManager
  18. Some AWS Vulnerability detection tools
      • Scout Suite
      • Prowler
      • Bucket finder
      • Enumerate IAM
      • iam_user_enum
  19. Things to note
      • Reconnaissance and OSINT are the key to discovering security issues in cloud services and applications
      • To reduce the risk associated with a successful SSRF on AWS, administrators can upgrade EC2 instance metadata endpoints to IMDSv2, which protects EC2 instances against vanilla SSRF attempts
      • Make sure that EC2 instances are configured properly
      • The most common themes are misconfiguration of services, insecure programming and permissions that should not have been given
      • Post exploitation has no limits with the cloud. You can attack additional services, disrupt logging, make code changes to attack users.
      • There are a ton of tools that security folks have written on GitHub and a lot of work is being done in the attack and exploitation areas
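The IMDSv2 point above is the one mitigation the talk names for the SSRF-to-role-credentials path: IMDSv2 requires a PUT request with a custom header to obtain a session token before any metadata is served, which a plain GET-based SSRF cannot perform. This added example (not code from the talk) checks the `Reservations` output of `aws ec2 describe-instances` for instances whose metadata endpoint still accepts tokenless (IMDSv1) requests and builds the `modify-instance-metadata-options` call that enforces IMDSv2. Instance IDs in the sample are constructed.

```python
# Added example: find EC2 instances still answering IMDSv1 requests
# (MetadataOptions.HttpTokens != "required") and emit the remediation command.

def imdsv1_exposed_instances(reservations):
    """Instance IDs whose metadata endpoint is enabled but does not require a session token."""
    exposed = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
            if endpoint_on and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_command(instance_id, hop_limit=1):
    """AWS CLI call that enforces IMDSv2 on one instance.

    A hop limit of 1 additionally stops the token response from being forwarded
    beyond the instance's own network stack (for example into a bridged container).
    """
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required "
            f"--http-endpoint enabled --http-put-response-hop-limit {hop_limit}")


# Constructed sample (not real describe-instances output): one instance is
# exposed, one already enforces IMDSv2, one has the endpoint disabled entirely.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0example000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0example000000003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]},
]

if __name__ == "__main__":
    for instance_id in imdsv1_exposed_instances(SAMPLE_RESERVATIONS):
        print(remediation_command(instance_id))
```

Enforcing IMDSv2 does not fix the SSRF itself or an over-privileged instance role; it only removes the easiest way of turning that SSRF into role credentials.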