
WeirdAAL (Awesome Attack Library) CactusCon 2018

Contrary to most presentations and blog posts, there is more to AWS than S3. In a quest to create more re-usable code we have created WeirdAAL (AWS Attack Library). Offensively, WeirdAAL helps you answer the question "what can I do with this AWS key?". We aim to answer that question, in a blackbox way, via recon modules and modules dedicated to attacking each of the interesting AWS service offerings while avoiding detection. It also provides multiple functions, sorted by AWS service, that you can use for both offensive and defensive checks.



  1. Download this presentation: https://tinyurl.com/weirdAAL-cactuscon18
  2. WeirdAAL (AWS Attack Library) - Chris Gates, Ken Johnson - CactusCon 2018
  3. whoami
  4. whoami - Chris Gates, Staff Security Engineer, Cruise Automation. Twitter: @carnal0wnage. Blog: carnal0wnage.attackresearch.com. Talks: slideshare.net/chrisgates
  5. whoami
  6. whoami - Ken Johnson, AppSec, GitHub. Twitter: @cktricky. YouTube: https://www.youtube.com/c/absoluteappsec. Talks: slideshare.net/KenJohnson61/
  7. We’ve been talking about this... LasCon 2014 - DevOops, I did it Again: https://www.youtube.com/watch?v=i8SnLXwlBWM
  8. … and talking... DevOpsDays DC 2015: https://vimeo.com/137691444
  9. ...and talking some more... DevOops Redux - AppSec USA 2016: https://bit.ly/2qYe29y
  10. … still going... RSA Conference 2017: https://bit.ly/2HOZ0N4
  11. OKAY, WE GET IT ALREADY! (do you, though?) DevOops Redux - CERN 2017 & InsomniaHack 2017: https://cds.cern.ch/record/2256987
  12. So what has happened during this time? 2014 - Code Spaces
  13. … le sigh (horrorshow is right) 2015 - Systema Software
  14. Come on! 2016 - Datadog
  15. … surely it’s getting better? Nope. 2017 - Deep Root Analytics / America?
  16. This is why we drink. 2018 - MBM Company, Tesla
  17. So what did we decide to do about it?
  18. Join the party of course :-)
  19. Vaporware
  20. WeirdAAL
      ● WeirdAAL (AWS Attack Library)
      ● https://github.com/carnal0wnage/weirdAAL
      ● Python3
      ● Relies heavily on the boto3 library
  21. WeirdAAL - Two Goals:
      1. Answer "what can I do with this AWS keypair?" [blackbox]
      2. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
  22. WeirdAAL - Prior work:
      1. CG’s aws_interrogate (vaporware)
      2. https://github.com/dagrz/aws_pwn & his Medium posts
      3. https://github.com/bchew/dynamodump
      4. https://github.com/ThreatResponse/aws_ir
      5. https://github.com/nccgroup/Scout2
      6. https://github.com/RhinoSecurityLabs/pacu [post | concurrent]
  23. Setup / Usage / Boto3
      ● Supports boto3 and aws credentials format
        ○ Using boto3 allows us to natively support STS tokens
        ○ Put your creds in the .env folder in the WeirdAAL home directory
  24. Setup / Usage / Boto3
      ● Targets
        ○ Pass a -t (target) value to track your work
        ○ A target can have multiple AWS keys
      ● Modules
        ○ Modules are passed via -m to do various tasks
        ○ python3 weirdAAL.py -m dynamodb_list_tables -t demo
        ○ Coverage for many services but not all (so far)
          ■ EC2, Lambda, S3, DynamoDB, IAM, etc.
      ● Built-in proxy support via boto3
  25. Setup / Usage / Boto3 - *New*: we now list modules by cloud service
  26. What Can I Do With This AWS Key Pair? AWS offers no easy way (blackbox). If you have IAM you can look at running services manually or check billing. Tedious & no fun (135 services in boto3 1.7.4).
  27. What Can I Do With This AWS Key Pair? Our solution: ask every service if we have permission to use it (recon_all)
  28. What Can I Do With This AWS Key Pair? recon_all demo
  29. What Can I Do With This AWS Key Pair? recon_all demo
  30. What Can I Do With This AWS Key Pair?
  31. What Can I Do With This AWS Key Pair? recon_all demo (recap)
      ● Hit up every AWS service we can ask a **generic** question to (** requires no args or specifics about that account)
      ● Log to DB for later use and automation
      ● Todo: Evasion? Timing? Does anyone look or care?
  32. What Can I Do With This AWS Key Pair? recon_all demo (gotchas)
      ● Root keys that have invalid billing info give you "SubscriptionRequiredException" or "OptInRequired" boto3 errors
      ● Root keys that are in good standing give you everything available :-/
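The recon_all sweep on slides 27-32 (one generic call to every service the key might be allowed to use, with no timing or evasion yet) has a clear footprint on the defender's side: one principal touching many distinct eventSource values within minutes, most of them ending in an authorization error. The following is an added example, not code from the deck or from WeirdAAL, that runs that detection over constructed CloudTrail-style records (the account id, key id and principal names are made up; the error codes per service are the ones CloudTrail records for denied calls, with SNS's AuthorizationError included as an assumption):

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one CloudTrail-style record per line. Principal "svc-backup"
# sweeps eight services in seven seconds; "alice" does normal work over an hour.
SAMPLE_LOG = """
{"eventTime": "2018-04-06T18:00:01Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T18:00:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T18:00:03Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T18:00:04Z", "eventSource": "dynamodb.amazonaws.com", "eventName": "ListTables", "errorCode": "AccessDeniedException", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T18:00:05Z", "eventSource": "lambda.amazonaws.com", "eventName": "ListFunctions", "errorCode": "AccessDeniedException", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T18:00:06Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T18:00:07Z", "eventSource": "sns.amazonaws.com", "eventName": "ListTopics", "errorCode": "AuthorizationError", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T18:00:08Z", "eventSource": "config.amazonaws.com", "eventName": "DescribeConfigRules", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}}
{"eventTime": "2018-04-06T17:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventTime": "2018-04-06T17:40:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventTime": "2018-04-06T18:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
"""
EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

# Error codes CloudTrail records for denied calls; the exact string varies by service.
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation",
                "Client.UnauthorizedOperation", "AuthorizationError"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def principal_of(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def find_permission_sweeps(events, window=timedelta(minutes=10), min_services=5):
    """Flag principals that touch >= min_services distinct services inside `window`.

    Returns one hit per principal with the service count, how many of the calls
    were denied, and the time span of the burst."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[principal_of(ev)].append(
            (parse_time(ev["eventTime"]), ev["eventSource"], ev.get("errorCode")))
    hits = []
    for principal, calls in by_principal.items():
        calls.sort()
        for i, (t0, _, _) in enumerate(calls):
            # Sliding window starting at each call; stop at the first burst that qualifies.
            run = [c for c in calls[i:] if c[0] - t0 <= window]
            services = {c[1] for c in run}
            if len(services) >= min_services:
                hits.append({
                    "principal": principal,
                    "services": len(services),
                    "denied": sum(1 for c in run if c[2] in DENIED_CODES),
                    "first": run[0][0].isoformat(),
                    "last": run[-1][0].isoformat(),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_permission_sweeps(EVENTS):
        print(hit)
```

The thresholds (five services in ten minutes) are a starting point and need tuning per account; CI roles legitimately span several services. The denied-call count is the better discriminator: a key doing real work rarely collects a denial from every second service it touches, while a blackbox sweep of a key with a narrow policy almost always does.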
  33. F**king Stuff Up
  34. What Can I Do With This AWS Key Pair? In previous talks, we discussed monitoring. Now we show you how to burn all that to the ground.
  35. What Can I Do With This AWS Key Pair? Starting with SNS… List topics
  36. What Can I Do With This AWS Key Pair? List subscribers to a topic
  37. What Can I Do With This AWS Key Pair? Or… just delete the topic. Now nobody knows what you’re doing :-)
  38. What Can I Do With This AWS Key Pair? Config service has rules. You’ll see why CloudTrail is important.
  39. What Can I Do With This AWS Key Pair? We can list the Config rules of course (for every region):
  40. What Can I Do With This AWS Key Pair? But what about deleting rules? Yeah, we’ve got that too :-)
  41. What Can I Do With This AWS Key Pair? Or just delete the whole recording altogether - BEFORE
  42. What Can I Do With This AWS Key Pair? Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...
  43. What Can I Do With This AWS Key Pair? Now, delete it :-)
  44. What Can I Do With This AWS Key Pair? Welp, no more Config alerts… or Config at all, really
  45. What Can I Do With This AWS Key Pair? IAM_Pwn: Found a key with IAM/Root? Let’s automate the takeover / make backdoor accounts
  46. What Can I Do With This AWS Key Pair? IAM_Pwn demo
  47. What Can I Do With This AWS Key Pair? IAM_Pwn demo - List users
  48. What Can I Do With This AWS Key Pair? IAM_Pwn demo - User details (IAM console)
  49. What Can I Do With This AWS Key Pair? IAM_Pwn demo - Delete MFA device
  50. What Can I Do With This AWS Key Pair? IAM_Pwn demo - Change console password
  51. What Can I Do With This AWS Key Pair? IAM_Pwn demo - Create access/secret key
  52. What Can I Do With This AWS Key Pair? IAM_Pwn demo - Delete access/secret key
  53. What Can I Do With This AWS Key Pair? IAM_Pwn demo - Make backdoor account
  54. What Can I Do With This AWS Key Pair? IAM_Pwn (recap)
      ● Deleted 2FA
      ● Add console user / add new keys
      ● Backdoor admin user
      ● Hack all the thingz
  55. What Can I Do With This AWS Key Pair? IAM_Pwn (story time): made a backdoor account in a pentest, proved lack of logging and policy enforcement
  56. What Can I Do With This AWS Key Pair? Logging / IR
  57. What Can I Do With This AWS Key Pair? Lambda - list_functions
  58. What Can I Do With This AWS Key Pair? Lambda - get_function
  59. What Can I Do With This AWS Key Pair? Thankfully, Lambda serverless architecture and KMS mean no more creds in code, right?
  60. What Can I Do With This AWS Key Pair? Nope :-)
  61. What Can I Do With This AWS Key Pair? Lambda: http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code
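Slides 57-60 make the point that serverless plus KMS did not end credentials in code: list_functions and get_function still turn up plaintext secrets in function configuration. The audit check below is an added example, not code from the deck or from WeirdAAL; it scans records shaped like boto3's get_function_configuration response for environment variables that hold a raw secret, while passing references to secrets (KMS ciphertext, key ARNs, parameter paths). The function names and values are constructed, except the AKIA key id, which is the placeholder AWS uses in its own documentation:

```python
import re

# Constructed sample, shaped like lambda.get_function_configuration() output
# (only the fields the check reads). None of these are real functions or secrets;
# AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "billing-export",
     "Environment": {"Variables": {
         "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
         "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
         "REGION": "us-east-1"}}},
    {"FunctionName": "thumbnailer",
     "Environment": {"Variables": {"BUCKET": "images-prod", "LOG_LEVEL": "info"}}},
    {"FunctionName": "db-migrator",
     "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "DB_HOST": "db.internal"}}},
    {"FunctionName": "kms-user",     # the pattern the slides say people *should* use
     "Environment": {"Variables": {
         "DB_PASSWORD_CIPHERTEXT": "AQICAHh-constructed-base64-blob",
         "KMS_KEY_ARN": "arn:aws:kms:us-east-1:123456789012:key/placeholder"}}},
    {"FunctionName": "no-env"},      # no Environment block at all
]

# Long-lived (AKIA) and temporary (ASIA) access key ids share a fixed shape.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Variable names that usually hold the secret itself.
SECRET_NAME_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY)", re.I)
# Suffixes that mean "a pointer to a secret", which is the intended design.
REFERENCE_NAME_RE = re.compile(r"(_ARN|_CIPHERTEXT|_ENCRYPTED|_PARAM|_PATH)$", re.I)


def scan_variables(function_name, variables):
    """Return one finding per environment variable that looks like a raw credential."""
    findings = []
    for key, value in variables.items():
        if ACCESS_KEY_ID_RE.search(value):
            findings.append({"function": function_name, "variable": key,
                             "reason": "access-key-id"})
        elif value and SECRET_NAME_RE.search(key) and not REFERENCE_NAME_RE.search(key):
            findings.append({"function": function_name, "variable": key,
                             "reason": "secret-like-name"})
    return findings


def scan_functions(configurations):
    """Run scan_variables over a list of function configurations; tolerates missing Environment."""
    findings = []
    for cfg in configurations:
        variables = cfg.get("Environment", {}).get("Variables", {})
        findings.extend(scan_variables(cfg["FunctionName"], variables))
    return findings


if __name__ == "__main__":
    for finding in scan_functions(SAMPLE_FUNCTIONS):
        print(finding)
```

To run this against a real account, feed it the list returned by the Lambda client's list_functions (paginated) or the per-function get_function_configuration response; the same check applies to anything get_function returns as configuration. The name heuristic is deliberately narrow (a bare KEY or ID is not enough) so that KMS key ARNs and secret-manager paths, the pattern the slides recommend over plaintext, do not drown real findings in noise.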
  62. It’s cool, I have CloudTrail configured….
  63. What Can I Do With This AWS Key Pair? Stop CloudTrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594) - Identify existing CloudTrail trails
  64. What Can I Do With This AWS Key Pair? Stop CloudTrail logging - Use the TrailARN to stop CloudTrail with the stop_logging function
  65. What Can I Do With This AWS Key Pair? Delete CloudTrail trail - Use the TrailARN to delete the trail with the delete_trail function
  66. What Can I Do With This AWS Key Pair? Delete CloudTrail trail
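Slides 34-66 walk through removing the defender's eyes one service at a time (SNS topic deletion, Config rule and recorder deletion, MFA removal and new keys via IAM_Pwn, then stop_logging and delete_trail on CloudTrail). Each of those API calls is itself recorded before it takes effect, so the sequence is detectable if someone is watching for it. The following is an added example, not code from the deck or from WeirdAAL: it classifies constructed CloudTrail-style records by the (eventSource, eventName) pairs those calls produce and flags a principal that chains several of them in a short window. The account id and principal names are made up, and the Lambda event name with its API-version suffix is an assumption about how CloudTrail records update_function_code:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) as CloudTrail records each call from the slides.
MONITORING_TEARDOWN = {
    ("sns.amazonaws.com", "DeleteTopic"): "sns-topic-deleted",
    ("config.amazonaws.com", "DeleteConfigRule"): "config-rule-deleted",
    ("config.amazonaws.com", "StopConfigurationRecorder"): "config-recorder-stopped",
    ("config.amazonaws.com", "DeleteConfigurationRecorder"): "config-recorder-deleted",
    ("cloudtrail.amazonaws.com", "StopLogging"): "cloudtrail-stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "cloudtrail-deleted",
}
PERSISTENCE = {
    ("iam.amazonaws.com", "DeactivateMFADevice"): "mfa-removed",
    ("iam.amazonaws.com", "DeleteVirtualMFADevice"): "mfa-removed",
    ("iam.amazonaws.com", "UpdateLoginProfile"): "console-password-changed",
    ("iam.amazonaws.com", "CreateLoginProfile"): "console-password-set",
    ("iam.amazonaws.com", "CreateAccessKey"): "access-key-created",
    ("iam.amazonaws.com", "CreateUser"): "user-created",
    ("iam.amazonaws.com", "AttachUserPolicy"): "policy-attached",
    # Assumption: Lambda logs update_function_code under this versioned name.
    ("lambda.amazonaws.com", "UpdateFunctionCode20150331v2"): "lambda-code-replaced",
}

# Constructed sample log: "ci-deploy" runs the slide-deck sequence in five minutes;
# "alice" creates one access key on her own, which is normal and must not fire.
SAMPLE_LOG = """
{"eventTime": "2018-04-06T18:20:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime": "2018-04-06T18:21:03Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}}
{"eventTime": "2018-04-06T18:22:40Z", "eventSource": "config.amazonaws.com", "eventName": "DeleteConfigurationRecorder", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime": "2018-04-06T18:23:15Z", "eventSource": "sns.amazonaws.com", "eventName": "DeleteTopic", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime": "2018-04-06T18:25:02Z", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime": "2018-04-06T18:25:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime": "2018-04-06T09:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventTime": "2018-04-06T09:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
"""
EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]


def classify(event):
    """Tag an event if it is one of the blinding or persistence calls, else None."""
    key = (event.get("eventSource"), event.get("eventName"))
    return MONITORING_TEARDOWN.get(key) or PERSISTENCE.get(key)


def principal_of(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def teardown_events(events):
    """Every monitoring-teardown call, each of which warrants an alert on its own."""
    return [(ev["eventName"], principal_of(ev)) for ev in events
            if (ev.get("eventSource"), ev.get("eventName")) in MONITORING_TEARDOWN]


def find_blinding_sequences(events, window=timedelta(minutes=30), min_actions=2):
    """One hit per principal that chains >= min_actions tagged calls inside `window`."""
    by_principal = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_principal[principal_of(ev)].append(
                (parse_time(ev["eventTime"]), tag, ev["eventName"]))
    hits = []
    for principal, actions in by_principal.items():
        actions.sort()
        for i, (t0, _, _) in enumerate(actions):
            run = [a for a in actions[i:] if a[0] - t0 <= window]
            if len(run) >= min_actions:
                hits.append({"principal": principal,
                             "first": run[0][0].isoformat(),
                             "last": run[-1][0].isoformat(),
                             "actions": [a[2] for a in run],
                             "tags": sorted({a[1] for a in run})})
                break
    return hits


if __name__ == "__main__":
    print(teardown_events(EVENTS))
    for hit in find_blinding_sequences(EVENTS):
        print(hit)
```

Two things follow from how the attack works. First, nothing after StopLogging or DeleteTrail reaches the trail that was stopped, so the teardown calls must page someone by themselves, not wait for a correlation; that is what teardown_events is for. Second, the detection has to run on a copy of the logs the compromised key cannot touch (an organization trail delivered to a separate account, or a log bucket the key has no rights to), otherwise the sequence on the slides removes the detector along with the evidence.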
  67. What Can I Do With This AWS Key Pair? Logging / IR
  68. What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
  69. What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
  70. What Can I Do With This AWS Key Pair? EC2 get_console_output
  71. What Can I Do With This AWS Key Pair? EC2 get_console_output
  72. What Can I Do With This AWS Key Pair? EC2 get_console_output_all
  73. What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
  74. What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
  75. What Can I Do With This AWS Key Pair? Just plain mean…. ec2_stop_instances
  76. Useful Functions & Libs
      ● Grew tired of stackoverflowing everything
      ● Ideally, grab useful functions and throw together a quick Python script to knock out your task
      ● Uses libs for actions that need more control/finesse/data passed
  77. Example of a Module
  78. Useful Functions & Libs: used WeirdAAL at work to get public EC2 instances quickly so we can do external pentesting; impossible to know otherwise given the large range of AWS IP space
  79. Useful Functions & Libs: pydoc friendly (work in progress)
  80. WeirdAAL (AWS Awesome Attack Library) - Now with GCP :-)
  81. WeirdAAL - GCP. Third Goal: 3. Be a repository of useful functions (offensive & defensive) to interact with GCP services.
  82. WeirdAAL - GCP
      ● Documentation SUCKS
      ● Take in a service account keyfile (json)
      ● Brute force what services that keyfile has access to use
      ● libs/modules structure is/will be the same
      ● Currently a separate branch while we tidy it up: https://github.com/carnal0wnage/weirdAAL/tree/gcp_testing
  83. WeirdAAL - GCP: Does work though
  84. WeirdAAL - GCP: Does work though
  85. WeirdAAL - GCP
  86. WeirdAAL - GCP
  87. Questions?
  88. Contact Info
      ● Chris Gates - Twitter: @carnal0wnage
      ● Ken Johnson - Twitter: @cktricky
      ● Slides: https://tinyurl.com/weirdAAL
      ● Code: https://github.com/carnal0wnage/weirdAAL
