https://www.slideshare.net/chrisgates
WeirdAAL
(AWS Attack Library)
Chris Gates, Ken Johnson
whoami
Chris Gates - Sr. Security Engineer - Uber
Twitter: @carnal0wnage
Blog: carnal0wnage.attackresearch.com
Talks: slideshare.net/chrisgates
whoami
Ken Johnson - AppSec - GitHub
Twitter: @cktricky
Talks: slideshare.net/KenJohnson61/
We’ve been talking about this...
LasCon 2014 - DevOops, I did it Again
https://www.youtube.com/watch?v=i8SnLXwlBWM
… and talking...
DevOpsDays DC 2015
https://vimeo.com/137691444
...and talking some more...
DevOops Redux - AppSec USA 2016
https://bit.ly/2qYe29y
… still going...
RSA Conference 2017
https://bit.ly/2HOZ0N4
OKAY, WE GET IT ALREADY! (do you, though?)
DevOops Redux - CERN 2017 &
InsomniaHack 2017
https://cds.cern.ch/record/2256987
So what has happened during this time?
2014 - Code Spaces
… le sigh (horrorshow is right)
2015 - Systema Software
Come on!
2016 - Datadog
… surely it's getting better? Nope
2017 - Deep Root Analytics / America?
This is why we drink
2018 - MBM Company, Tesla
So what did we decide to do about it?
Join the party of course :-)
Vaporware
WeirdAAL
● WeirdAAL (AWS Attack Library)
● https://github.com/carnal0wnage/weirdAAL
● Python3
● Relies heavily on boto3 library
WeirdAAL
Two Goals:
1. Answer what can I do with this AWS Keypair [blackbox]
2. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
WeirdAAL
Prior work
1. CG’s aws_interrogate (vaporware)
2. https://github.com/dagrz/aws_pwn & his medium posts
3. https://github.com/bchew/dynamodump
4. https://github.com/ThreatResponse/aws_ir
5. https://github.com/nccgroup/Scout2
Setup / Usage / Boto3
● Supports boto3 and aws credentials format
○ Using boto3 allows us to natively support STS tokens
○ Put your creds in .env folder in WeirdAAL home
Setup / Usage / Boto3
● Targets
○ Passes a -t (target) value to track your work
○ Can have multiple AWS keys in a target
● Modules
○ Modules passed via -m to do various tasks
○ python3 weirdAAL.py -m dynamodb_list_tables -t demo
○ Coverage for many services but not all (so far)
■ EC2, Lambda, s3, dynamodb, iam, etc
● Built in proxy support via boto3
What Can I Do With This AWS Key Pair?
AWS offers no easy way (blackbox)
If you have IAM you can look at running services manually or check billing.
Tedious & No Fun
(135 services in boto3 1.7.4)
Our solution, ask every service if we have permission to use it (recon_all)
Recon_all demo
Recon_all demo (recap)
Hit up every AWS service we can ask a **generic** question to
** required no args or specifics about that account
Log to DB for use later and automation
Todo: Evasion? Timing? Does anyone look or care?
Recon_all demo (gotchas)
● Root keys that have invalid billing info give you “SubscriptionRequiredException” or “OptInRequired” boto3 errors
● Root keys that are in good standing give you everything available :-/
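Added example (not code from the deck or from WeirdAAL): the recon_all idea reduced to its core, one argument-free call per service with the verdict read from the botocore error code, and the two gotchas above turned into headlines. Written for a responder sizing the blast radius of a leaked key; DEMO_PROBES is constructed, and boto3_probes is an assumed wiring that takes a boto3.Session so the block itself never imports boto3.

```python
"""Sort the answers of a recon_all-style sweep by botocore error code.

Added example, not WeirdAAL's own code.  One argument-free call per
service; the verdict is ClientError.response["Error"]["Code"].  Gotchas
from the slide: root keys with invalid billing info answer
SubscriptionRequiredException/OptInRequired, and root keys in good
standing are allowed everything.  DEMO_PROBES is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

DENIED = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation", "AuthorizationError"}
NOT_SUBSCRIBED = {"SubscriptionRequiredException", "OptInRequired"}
BAD_CREDS = {"InvalidClientTokenId", "UnrecognizedClientException", "AuthFailure",
             "SignatureDoesNotMatch", "ExpiredToken", "ExpiredTokenException"}
Probe = Callable[[], object]

@dataclass
class ProbeResult:
    service: str
    action: str
    verdict: str   # allowed | denied | not-subscribed | bad-credentials | error
    code: str = ""

def error_code(err: BaseException) -> str:
    """Read the AWS error code the way botocore's ClientError exposes it."""
    response = getattr(err, "response", None) or {}
    return str(response.get("Error", {}).get("Code", ""))

def classify_code(code: str) -> str:
    if code in DENIED:
        return "denied"
    if code in NOT_SUBSCRIBED:
        return "not-subscribed"
    if code in BAD_CREDS:
        return "bad-credentials"
    return "error"   # throttling, endpoint, network: not a permission answer

def probe(service: str, action: str, call: Probe) -> ProbeResult:
    try:
        call()
    except Exception as err:   # ClientError in real runs; anything else is still a non-answer
        code = error_code(err)
        return ProbeResult(service, action, classify_code(code), code or type(err).__name__)
    return ProbeResult(service, action, "allowed")

def sweep(probes: Dict[Tuple[str, str], Probe]) -> List[ProbeResult]:
    return [probe(svc, act, call) for (svc, act), call in probes.items()]

def summarize(results: List[ProbeResult]) -> Dict[str, List[str]]:
    tally: Dict[str, List[str]] = {}
    for r in results:
        tally.setdefault(r.verdict, []).append(f"{r.service}:{r.action}")
    return tally

def headline(tally: Dict[str, List[str]], total: int) -> str:
    """The one line a responder sizing a leaked key wants first."""
    if tally.get("bad-credentials"):
        return "credentials invalid or expired: nothing to assess"
    if tally.get("not-subscribed"):
        return "SubscriptionRequiredException/OptInRequired seen: root key with invalid billing info?"
    allowed = len(tally.get("allowed", []))
    if allowed == total:
        return "every probe allowed: treat as root/admin-equivalent"
    return f"{allowed} of {total} probes allowed"

class FakeClientError(Exception):
    """Stands in for botocore.exceptions.ClientError in the offline demo."""
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code, "Message": code}}

def _fail(code: str) -> Probe:
    def call(): raise FakeClientError(code)
    return call

# Constructed answers for a key with a few read permissions.
DEMO_PROBES: Dict[Tuple[str, str], Probe] = {
    ("sts", "get_caller_identity"): lambda: {"Account": "111122223333"},
    ("s3", "list_buckets"): lambda: {"Buckets": []},
    ("dynamodb", "list_tables"): lambda: {"TableNames": ["orders"]},
    ("ec2", "describe_instances"): _fail("UnauthorizedOperation"),
    ("iam", "list_users"): _fail("AccessDenied"),
    ("lambda", "list_functions"): _fail("AccessDeniedException"),
    ("sns", "list_topics"): _fail("AuthorizationError"),
}

def boto3_probes(session, region: str = "us-east-1") -> Dict[Tuple[str, str], Probe]:
    """Assumed wiring for a real run: pass a boto3.Session (boto3 is not imported here)."""
    client = lambda name: session.client(name, region_name=region)
    return {
        ("sts", "get_caller_identity"): lambda: client("sts").get_caller_identity(),
        ("s3", "list_buckets"): lambda: client("s3").list_buckets(),
        ("dynamodb", "list_tables"): lambda: client("dynamodb").list_tables(Limit=1),
        ("ec2", "describe_instances"): lambda: client("ec2").describe_instances(MaxResults=5),
        ("iam", "list_users"): lambda: client("iam").list_users(MaxItems=1),
        ("lambda", "list_functions"): lambda: client("lambda").list_functions(MaxItems=1),
        ("sns", "list_topics"): lambda: client("sns").list_topics(),
    }
```

Run `summarize(sweep(boto3_probes(session)))` against a real session to get the same tally for a live key; every probe above also shows up as a ReadOnly CloudTrail event, so the sweep itself is visible to whoever watches the account.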
F**king Stuff Up
In previous talks, we discussed monitoring. Now we show you how to burn all that to the ground.
Starting with SNS… List topics
List subscribers to a topic
Or… just delete the Topic. Now nobody knows what you’re doing :-)
Config service has rules. You’ll see why cloudtrail is important
We can list the config rules of course (for every region):
But what about deleting rules? Yeah, we’ve got that too :-)
Or just delete the whole recording altogether - BEFORE
Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...
Now, delete it :-)
Welp, no more Config alerts… or Config at all, really
IAM_Pwn
Found a key with IAM/Root? Let’s automate the takeover / make backdoor accounts
IAM_Pwn demo
IAM_Pwn demo - List users
IAM_Pwn demo - User details IAM console
IAM_Pwn demo - delete MFA device
IAM_Pwn demo - change console password
IAM_Pwn demo - create access/secret key
IAM_Pwn demo - delete access/secret key
IAM_Pwn demo - make backdoor account
IAM_Pwn (recap)
Deleted 2FA
Add console user / add new keys
Backdoor admin user
Hack all the thingz
IAM_Pwn (story time)
Made backdoor account in pentest, proved lack of logging and policy enforcement
Logging / IR
Lambda - list_functions
Lambda - get_function
Thankfully, lambda serverless arch and KMS means no more creds in code right?
Nope :-)
Lambda
http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code
It’s cool I have cloudtrail configured….
Stop Cloudtrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594)
Identify existing CloudTrail trails
Use TrailARN to stop CloudTrail with stop_logging function
Delete Cloudtrail Trail
Use TrailARN to delete the trail with the delete_trail function
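Added example, not from the slides or from WeirdAAL: a triage pass over CloudTrail records for the SNS, Config, IAM, Lambda and CloudTrail calls shown above, plus correlation of the IAM_Pwn sequence (MFA deactivated, then a new console password or access key for the same user). Event sources and names are the ones CloudTrail records; SAMPLE_RECORDS, the account id and the principal are constructed.

```python
"""Triage CloudTrail records for the monitoring teardown and IAM takeover calls shown above.

Added example, not from the slides or the WeirdAAL project.  Input is the
list found under "Records" in a delivered CloudTrail log file; the
SAMPLE_RECORDS, account id and principal are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# (eventSource, eventName prefix) -> (tactic, severity).  Prefix match because
# Lambda event names carry an API-version suffix (UpdateFunctionCode20150331v2).
WATCHLIST: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("cloudtrail.amazonaws.com", "StopLogging"): ("logging teardown", "critical"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("logging teardown", "critical"),
    ("config.amazonaws.com", "StopConfigurationRecorder"): ("config teardown", "critical"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"): ("config teardown", "critical"),
    ("config.amazonaws.com", "DeleteConfigRule"): ("config teardown", "high"),
    ("sns.amazonaws.com", "DeleteTopic"): ("alerting teardown", "high"),
    ("iam.amazonaws.com", "DeactivateMFADevice"): ("iam takeover", "high"),
    ("iam.amazonaws.com", "UpdateLoginProfile"): ("iam takeover", "high"),
    ("iam.amazonaws.com", "CreateAccessKey"): ("iam persistence", "medium"),
    ("iam.amazonaws.com", "CreateUser"): ("iam persistence", "medium"),
    ("lambda.amazonaws.com", "UpdateFunctionCode"): ("lambda code swap", "high"),
    ("ec2.amazonaws.com", "StopInstances"): ("ec2 impact", "medium"),
}
TAKEOVER_FOLLOWUPS = {"UpdateLoginProfile", "CreateLoginProfile", "CreateAccessKey"}

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")   # CloudTrail eventTime format

def _actor(ev: dict) -> str:
    ident = ev.get("userIdentity") or {}
    return ident.get("arn") or ident.get("accountId") or "unknown"

def _match(ev: dict) -> Optional[Tuple[str, str]]:
    name = str(ev.get("eventName", ""))
    for (source, prefix), verdict in WATCHLIST.items():
        if ev.get("eventSource") == source and name.startswith(prefix):
            return verdict
    return None

def triage(records: List[dict]) -> List[dict]:
    """One finding per watch-listed event, oldest first.  Failed calls are
    kept: a denied StopLogging is still somebody trying."""
    findings = []
    for ev in sorted(records, key=lambda e: e.get("eventTime", "")):
        hit = _match(ev)
        if hit is None:
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "time": ev.get("eventTime"), "actor": _actor(ev), "event": ev.get("eventName"),
            "tactic": hit[0], "severity": hit[1], "denied": ev.get("errorCode") is not None,
            "target": params.get("userName") or params.get("name") or params.get("configurationRecorderName"),
        })
    return findings

def takeover_chains(records: List[dict], window_minutes: float = 15) -> List[dict]:
    """The IAM_Pwn sequence: MFA deactivated on a user, then a new console
    password or access key for that same user inside the window."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for ev in records:
        user = (ev.get("requestParameters") or {}).get("userName")
        if ev.get("eventSource") == "iam.amazonaws.com" and user and ev.get("errorCode") is None:
            by_user[user].append(ev)
    chains, window = [], timedelta(minutes=window_minutes)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["eventTime"])
        for m in (e for e in evs if e["eventName"] == "DeactivateMFADevice"):
            t0 = _ts(m["eventTime"])
            follow = [e["eventName"] for e in evs if e["eventName"] in TAKEOVER_FOLLOWUPS
                      and t0 <= _ts(e["eventTime"]) <= t0 + window]
            if follow:
                chains.append({"user": user, "actor": _actor(m), "chain": [m["eventName"]] + follow})
    return chains

def _rec(time: str, source: str, name: str, params: dict, error: Optional[str] = None) -> dict:
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "requestParameters": params,
           "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed: a leaked ci-deploy key walking the deck, plus one benign call.
SAMPLE_RECORDS = [
    _rec("2018-04-20T15:00:02Z", "ec2.amazonaws.com", "DescribeInstances", {}),
    _rec("2018-04-20T15:01:10Z", "iam.amazonaws.com", "DeactivateMFADevice",
         {"userName": "admin", "serialNumber": "arn:aws:iam::111122223333:mfa/admin"}),
    _rec("2018-04-20T15:01:35Z", "iam.amazonaws.com", "UpdateLoginProfile", {"userName": "admin"}),
    _rec("2018-04-20T15:02:01Z", "iam.amazonaws.com", "CreateAccessKey", {"userName": "admin"}),
    _rec("2018-04-20T15:03:12Z", "iam.amazonaws.com", "CreateUser", {"userName": "backup-svc"}),
    _rec("2018-04-20T15:05:40Z", "cloudtrail.amazonaws.com", "StopLogging",
         {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}),
    _rec("2018-04-20T15:05:41Z", "config.amazonaws.com", "DeleteConfigurationRecorder",
         {"configurationRecorderName": "default"}, error="AccessDenied"),
]
```

StopLogging and DeleteTrail are themselves written to the trail before it goes quiet, so alert on those event names rather than on the silence that follows.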
Logging / IR
EC2 get_console_screenshot
EC2 get_console_output
EC2 get_console_output_all
EC2 & Lucidcharts
Just plain mean…. ec2_stop_instances
Useful Functions & Libs
Grew tired of stackoverflowing everything
Ideally, grab useful functions and throw together quick python script to knock out your task
Uses libs for actions that need more control/finesse/data passed
Example of a Module
Used WeirdAAL at work to get public EC2 instances quickly so we can do external pentesting
- impossible to know given the large range of AWS IP space
Pydoc friendly (work in progress)
Questions?
Contact Info
Chris Gates - Twitter: @carnal0wnage
Ken Johnson - Twitter: @cktricky
Slides: https://www.slideshare.net/chrisgates
Code: https://github.com/carnal0wnage/weirdAAL
