WeirdAAL (AWS Attack Library)

Published on

WeirdAAL (AWS Attack Library) YSTS 12 May 2018
Chris Gates & Ken Johnson


  1. Download this presentation https://www.slideshare.net/chrisgates
  2. WeirdAAL (AWS Attack Library) Chris Gates, Ken Johnson
  3. whoami
  4. whoami Chris Gates - Sr. Security Engineer - Uber Twitter: @carnal0wnage Blog: carnal0wnage.attackresearch.com Talks: slideshare.net/chrisgates
  5. whoami
  6. whoami Ken Johnson - AppSec - GitHub Twitter: @cktricky Talks: slideshare.net/KenJohnson61/
  7. We’ve been talking about this... LasCon 2014 - DevOops, I did it Again https://www.youtube.com/watch?v=i8SnLXwlBWM
  8. … and talking... DevOpsDays DC 2015 https://vimeo.com/137691444
  9. ...and talking some more... DevOops Redux - AppSec USA 2016 https://bit.ly/2qYe29y
  10. … still going... RSA Conference 2017 https://bit.ly/2HOZ0N4
  11. OKAY, WE GET IT ALREADY! (do you, though?) DevOops Redux - CERN 2017 & InsomniaHack 2017 https://cds.cern.ch/record/2256987
  12. So what has happened during this time? 2014 - Code Spaces
  13. … le sigh (horrorshow is right) 2015 - Systema Software
  14. Come on! 2016 - Datadog
  15. … surely it's getting better? Nope 2017 - Deep Root Analytics / America?
  16. This is why we drink 2018 - MBM Company, Tesla
  17. So what did we decide to do about it?
  18. Join the party of course :-)
  19. Vaporware
  20. WeirdAAL ● WeirdAAL (AWS Attack Library) ● https://github.com/carnal0wnage/weirdAAL ● Python3 ● Relies heavily on boto3 library
  21. WeirdAAL Two Goals: 1. Answer what can I do with this AWS Keypair [blackbox] 2. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
  22. WeirdAAL Prior work 1. CG’s aws_interrogate (vaporware) 2. https://github.com/dagrz/aws_pwn & his medium posts 3. https://github.com/bchew/dynamodump 4. https://github.com/ThreatResponse/aws_ir 5. https://github.com/nccgroup/Scout2
  23. Setup / Usage / Boto3 ● Supports boto3 and aws credentials format ○ Using boto3 allows us to natively support STS tokens ○ Put your creds in .env folder in WeirdAAL home
  24. Setup / Usage / Boto3 ● Targets ○ Passes a -t (target) value to track your work ○ Can have multiple AWS keys in a target ● Modules ○ Modules passed via -m to do various tasks ○ python3 weirdAAL.py -m dynamodb_list_tables -t demo ○ Coverage for many services but not all (so far) ■ EC2, Lambda, s3, dynamodb, iam, etc ● Built in proxy support via boto3
  25. What Can I Do With This AWS Key Pair? AWS offers no easy way (blackbox) If you have IAM you can look at running services manually or check billing. Tedious & No Fun (135 services in boto3 1.7.4)
  26. What Can I Do With This AWS Key Pair? Our solution, ask every service if we have permission to use it (recon_all)
  27. What Can I Do With This AWS Key Pair? Recon_all demo
  28. What Can I Do With This AWS Key Pair? Recon_all demo
  29. What Can I Do With This AWS Key Pair?
  30. What Can I Do With This AWS Key Pair? Recon_all demo (recap) Hit up every AWS service we can ask a **generic** question to ** required no args or specifics about that account Log to DB for use later and automation Todo: Evasion? Timing? Does anyone look or care?
  31. What Can I Do With This AWS Key Pair? Recon_all demo (gotchas) ● Root keys that have invalid billing info give you: “SubscriptionRequiredException” or “OptInRequired” boto3 errors ● Root keys that are in good standing give you everything available :-/
  32. F**king Stuff Up
  33. What Can I Do With This AWS Key Pair? In previous talks, we discussed monitoring. Now we show you how to burn all that to the ground.
  34. What Can I Do With This AWS Key Pair? Starting with SNS… List topics
  35. What Can I Do With This AWS Key Pair? List subscribers to a topic
  36. What Can I Do With This AWS Key Pair? Or… just delete the Topic. Now nobody knows what you’re doing :-)
  37. What Can I Do With This AWS Key Pair? Config service has rules. You’ll see why cloudtrail is important
  38. What Can I Do With This AWS Key Pair? We can list the config rules of course (for every region):
  39. What Can I Do With This AWS Key Pair? But what about deleting rules? Yeah, we’ve got that too :-)
  40. What Can I Do With This AWS Key Pair? Or just delete the whole recording altogether - BEFORE
  41. What Can I Do With This AWS Key Pair? Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...
  42. What Can I Do With This AWS Key Pair? Now, delete it :-)
  43. What Can I Do With This AWS Key Pair? Welp, no more Config alerts… or Config at all, really
  44. What Can I Do With This AWS Key Pair? IAM_Pwn Found a key with IAM/Root? Let’s automate the takeover / make backdoor accounts
  45. What Can I Do With This AWS Key Pair? IAM_Pwn demo
  46. What Can I Do With This AWS Key Pair? IAM_Pwn demo - List users
  47. What Can I Do With This AWS Key Pair? IAM_Pwn demo - User details IAM console
  48. What Can I Do With This AWS Key Pair? IAM_Pwn demo - delete MFA device
  49. What Can I Do With This AWS Key Pair? IAM_Pwn demo - change console password
  50. What Can I Do With This AWS Key Pair? IAM_Pwn demo - create access/secret key
  51. What Can I Do With This AWS Key Pair? IAM_Pwn demo - delete access/secret key
  52. What Can I Do With This AWS Key Pair? IAM_Pwn demo - make backdoor account
  53. What Can I Do With This AWS Key Pair? IAM_Pwn (recap) Deleted 2FA Add console user / add new keys Backdoor admin user Hack all the thingz
  54. What Can I Do With This AWS Key Pair? IAM_Pwn (story time) Made backdoor account in pentest, proved lack of logging and policy enforcement
  55. What Can I Do With This AWS Key Pair? Logging / IR
  56. What Can I Do With This AWS Key Pair? Lambda - list_functions
  57. What Can I Do With This AWS Key Pair? Lambda - get_function
  58. What Can I Do With This AWS Key Pair? Thankfully, lambda serverless arch and KMS means no more creds in code right?
  59. What Can I Do With This AWS Key Pair? Nope :-)
  60. What Can I Do With This AWS Key Pair? Lambda http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code
  61. It’s cool I have cloudtrail configured….
  62. What Can I Do With This AWS Key Pair? Stop Cloudtrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594) Identify existing CloudTrail trails
  63. What Can I Do With This AWS Key Pair? Stop Cloudtrail logging Use TrailARN to stop CloudTrail with stop_logging function
  64. What Can I Do With This AWS Key Pair? Delete Cloudtrail Trail Use TrailARN to delete CloudTrail with delete_trail function
  65. What Can I Do With This AWS Key Pair? Delete Cloudtrail Trail
  66. What Can I Do With This AWS Key Pair? Logging / IR
  67. What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
  68. What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
  69. What Can I Do With This AWS Key Pair? EC2 get_console_output
  70. What Can I Do With This AWS Key Pair? EC2 get_console_output
  71. What Can I Do With This AWS Key Pair? EC2 get_console_output_all
  72. What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
  73. What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
  74. What Can I Do With This AWS Key Pair? Just plain mean… ec2_stop_instances
  75. Useful Functions & Libs Grew tired of stackoverflowing everything Ideally, grab useful functions and throw together a quick python script to knock out your task Uses libs for actions that need more control/finesse/data passed
  76. Example of a Module
  77. Useful Functions & Libs Used WeirdAAL at work to get public EC2 instances quickly so we can do external pentesting - impossible to know given the large range of AWS IP space
  78. Useful Functions & Libs Pydoc friendly (work in progress)
  79. Questions?
  80. Contact Info Chris Gates Slides Twitter: @carnal0wnage https://www.slideshare.net/chrisgates Ken Johnson Code: Twitter: @cktricky https://github.com/carnal0wnage/weirdAAL
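The SNS, Config, IAM_Pwn and CloudTrail slides above each show an API call that tears down monitoring or takes over an account, and every one of those calls is written to CloudTrail for as long as a trail is still logging. As an added example (not part of the deck or of the WeirdAAL code), this Python script flags those calls in a CloudTrail log file; the records it scans are constructed for the example.

```python
"""Scan a CloudTrail log file for the monitoring-teardown and takeover calls in the talk."""
import json
from collections import Counter

# eventSource -> CloudTrail eventNames to alert on (real AWS API names, grouped by service).
WATCHLIST = {
    "sns.amazonaws.com": {"DeleteTopic", "Unsubscribe"},
    "config.amazonaws.com": {"DeleteConfigRule", "DeleteConfigurationRecorder",
                             "StopConfigurationRecorder", "DeleteDeliveryChannel"},
    "iam.amazonaws.com": {"DeactivateMFADevice", "DeleteVirtualMFADevice", "CreateUser",
                          "CreateLoginProfile", "UpdateLoginProfile", "CreateAccessKey",
                          "AttachUserPolicy", "PutUserPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}

def flag_record(rec):
    """Return a finding for a watchlisted call, else None. Failed calls (errorCode set)
    are kept: a denied StopLogging still shows someone probing what the key can do."""
    if rec.get("eventName") not in WATCHLIST.get(rec.get("eventSource"), ()):
        return None
    ident = rec.get("userIdentity", {})
    return {"time": rec["eventTime"],
            "actor": ident.get("arn") or ident.get("type", "unknown"),
            "call": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "outcome": rec.get("errorCode", "Success"),
            "source_ip": rec.get("sourceIPAddress")}

def scan_trail(payload):
    """payload: JSON text of one CloudTrail file ({"Records": [...]}); returns findings in
    time order plus hits per actor, so a burst from one key stands out."""
    findings = [f for f in map(flag_record, json.loads(payload)["Records"]) if f]
    findings.sort(key=lambda f: f["time"])
    return findings, Counter(f["actor"] for f in findings)

def _rec(time, source, name, **extra):  # builds a constructed sample record
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": "203.0.113.7",
           "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/demo"}}
    return {**rec, **extra}

SAMPLE_TRAIL = json.dumps({"Records": [  # constructed, not from a real account
    _rec("2018-05-12T14:01:03Z", "s3.amazonaws.com", "ListBuckets"),
    _rec("2018-05-12T14:02:10Z", "iam.amazonaws.com", "DeactivateMFADevice"),
    _rec("2018-05-12T14:02:44Z", "iam.amazonaws.com", "CreateAccessKey"),
    _rec("2018-05-12T14:03:30Z", "cloudtrail.amazonaws.com", "StopLogging",
         errorCode="AccessDenied"),
]})

if __name__ == "__main__":
    for hit in scan_trail(SAMPLE_TRAIL)[0]:
        print(hit)
```

StopLogging or DeleteTrail is the last event a trail writes, so this check only helps if it runs on events as they are delivered; pair it with an alert on trail delivery going silent.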
