SlideShare uma empresa Scribd logo

WeirdAAL (AWS Attack Library)

Chris Gates
Chris Gates

WeirdAAL (AWS Attack Library) YSTS12 May 2018 Chris Gates & Ken Johnson

Tecnologia
1 de 80
Download this presentation https://www.slideshare.net/chrisgates
WeirdAAL (AWS Attack Library) Chris Gates, Ken Johnson
whoami
whoami Chris Gates - Sr. Security Engineer - Uber Twitter: @carnal0wnage Blog: carnal0wnage.attackresearch.com Talks: slideshare.net/chrisgates
whoami
whoami Ken Johnson - AppSec - GitHub Twitter: @cktricky Talks: slideshare.net/KenJohnson61/
We’ve been talking about this... LasCon 2014 - DevOops, I did it Again https://www.youtube.com/watch?v=i8SnLXwlBWM
… and talking... DevOpsDays DC 2015 https://vimeo.com/137691444
...and talking some more... DevOops Redux - AppSec USA 2016 https://bit.ly/2qYe29y
… still going... RSA Conference 2017 https://bit.ly/2HOZ0N4
OKAY, WE GET IT ALREADY! (do you, though?) DevOops Redux - CERN 2017 & InsomniaHack 2017 https://cds.cern.ch/record/2256987
So what has happened during this time? 2014 - Code Spaces
… le sigh (horrorshow is right) 2015 - Systema Software
Come on! 2016 - Datadog
… surely its getting better? Nope 2017 - Deep Root Analytics / America?
This is why we drink 2018 - MBM Company, Tesla
So what did we decide to do about it?
Join the party of course :-)
Vaporware
WeirdAAL ● WeirdAAL (AWS Attack Library) ● https://github.com/carnal0wnage/ weirdAAL ● Python3 ● Relies heavily on boto3 library
WeirdAAL Two Goals: 1. Answer what can I do with this AWS Keypair [blackbox] 1. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
WeirdAAL Prior work 1. CG’s aws_interrogate (vaporware) 2. https://github.com/dagrz/aws_pwn & his medium posts 3. https://github.com/bchew/dynamodump 4. https://github.com/ThreatResponse/aws_ir 5. https://github.com/nccgroup/Scout2
Setup / Usage / Boto3 ● Supports boto3 and aws credentials format ○ Using boto3 allows us to natively support STS tokens ○ Put your creds in .env folder in WeirdAAL home
Setup / Usage / Boto3 ● Targets ○ Passes a -t (target) value to track your work ○ Can have multiple AWS keys in a target ● Modules ○ Modules passed via -m to do various tasks ○ python3 weirdAAL.py -m dynamodb_list_tables -t demo ○ Coverage for many services but not all (so far) ■ EC2, Lambda, s3, dynamodb, iam, etc ● Built in proxy support via boto3
What Can I Do With This AWS Key Pair? AWS offers no easy way (blackbox) If you have IAM you can look at running services manually or check billing. Tedious & No Fun (135 services in boto3 1.7.4)
What Can I Do With This AWS Key Pair? Our solution, ask every service if we have permission to use it (recon_all)
What Can I Do With This AWS Key Pair? Recon_all demo
What Can I Do With This AWS Key Pair? Recon_all demo
What Can I Do With This AWS Key Pair?
What Can I Do With This AWS Key Pair? Recon_all demo (recap) Hit up every AWS service we can ask a **generic** question to ** required no args or specifics about that account Log to DB for use later and automation Todo: Evasion? Timing? Does anyone look or care?
What Can I Do With This AWS Key Pair? Recon_all demo (gotchas) ● Root keys that have invalid billing info give you: “SubscriptionRequiredException” or “OptInRequired” boto3 errors ● Root keys that are in good standing give you everything available :-/
F**king Stuff Up
What Can I Do With This AWS Key Pair? In previous talks, we discussed monitoring. Now we show you how to burn all that to the ground.
What Can I Do With This AWS Key Pair? Starting with SNS… List topics
What Can I Do With This AWS Key Pair? List subscribers to a topic
What Can I Do With This AWS Key Pair? Or… just delete the Topic. Now nobody knows what you’re doing :-)
What Can I Do With This AWS Key Pair? Config service has rules. You’ll see why cloudtrail is important
What Can I Do With This AWS Key Pair? We can list the config rules of course (for every region):
What Can I Do With This AWS Key Pair? But what about deleting rules? Yeah, we’ve got that too :-)
What Can I Do With This AWS Key Pair? Or just delete the whole recording altogether - BEFORE
What Can I Do With This AWS Key Pair? Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...
What Can I Do With This AWS Key Pair? Now, delete it :-)
What Can I Do With This AWS Key Pair? Welp, no more Config alerts… or Config at all, really
What Can I Do With This AWS Key Pair? IAM_Pwn Found a key with IAM/Root? Let’s automate the takeover / make backdoor accounts
What Can I Do With This AWS Key Pair? IAM_Pwn demo
What Can I Do With This AWS Key Pair? IAM_Pwn demo - List users
What Can I Do With This AWS Key Pair? IAM_Pwn demo - User details IAM console
What Can I Do With This AWS Key Pair? IAM_Pwn demo - delete MFA device
What Can I Do With This AWS Key Pair? IAM_Pwn demo - change console password
What Can I Do With This AWS Key Pair? IAM_Pwn demo - create access/secret key
What Can I Do With This AWS Key Pair? IAM_Pwn demo - delete access/secret key
What Can I Do With This AWS Key Pair? IAM_Pwn demo - make backdoor account
What Can I Do With This AWS Key Pair? IAM_Pwn (recap) Deleted 2FA Add console user / add new keys Backdoor admin user Hack all the thingz
What Can I Do With This AWS Key Pair? IAM_Pwn (story time) Made backdoor account in pentest, proved lack of logging and policy enforcement
What Can I Do With This AWS Key Pair? Logging / IR
What Can I Do With This AWS Key Pair? Lambda - list_functions
What Can I Do With This AWS Key Pair? Lambda - get_function
What Can I Do With This AWS Key Pair? Thankfully, lambda serverless arch and KMS means no more creds in code right?
What Can I Do With This AWS Key Pair? Nope :-)
What Can I Do With This AWS Key Pair? Lambda http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code
It’s cool I have cloudtrail configured….
What Can I Do With This AWS Key Pair? Stop Cloudtrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594) Identify existing CloudTrail trails
What Can I Do With This AWS Key Pair? Stop Cloudtrail logging Use TrailARN to stop CloudTrail with stop_logging function
What Can I Do With This AWS Key Pair? Delete Cloudtrail Trail Use TrailARN to stop CloudTrail with delete_trail function
What Can I Do With This AWS Key Pair? Delete Cloudtrail Trail
What Can I Do With This AWS Key Pair? Logging / IR
What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
What Can I Do With This AWS Key Pair? EC2 get_console_output
What Can I Do With This AWS Key Pair? EC2 get_console_output
What Can I Do With This AWS Key Pair? EC2 get_console_output_all
What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
What Can I Do With This AWS Key Pair? Just plain mean…. ec2_stop_instances
Useful Functions & Libs Grew tired of stackoverflowing everything Ideally, grab useful functions and throw together quick python script to knock out your task Uses libs for actions that need more control/finesse/data passed
Example of a Module
Useful Functions & Libs Used WeirdAAL at work to get public EC2 instances quickly so we can do external pentesting -impossible to know given the large range of AWS IP space
Useful Functions & Libs Pydoc friendly (work in progress)
Questions?
Contact Info Chris Gates Slides Twitter: @carnal0wnage https://www.slideshare.net/chrisgates Ken Johnson Code: Twitter: @cktricky https://github.com/carnal0wnage/weirdAAL

Recomendados

Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Web Services
 
AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저
AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저
AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저
Amazon Web Services Korea
 
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
Amazon Web Services
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
Amazon Web Services
 
[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅
[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅
[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅
Amazon Web Services Korea
 
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Teri Radichel
 
Advanced Architectures with AWS Transit Gateway
Advanced Architectures with AWS Transit GatewayAdvanced Architectures with AWS Transit Gateway
Advanced Architectures with AWS Transit Gateway
Amazon Web Services
 
AWS Black Belt Techシリーズ Amazon SNS / Amazon SQS
AWS Black Belt Techシリーズ Amazon SNS / Amazon SQSAWS Black Belt Techシリーズ Amazon SNS / Amazon SQS
AWS Black Belt Techシリーズ Amazon SNS / Amazon SQS
Amazon Web Services Japan
 

Recomendados

Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Web Services
 
AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저
AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저
AWS Builders Online Series | AWS와 함께하는 클라우드 컴퓨팅 - 강철, AWS 어카운트 매니저
Amazon Web Services Korea
 
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
Amazon Web Services
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
Amazon Web Services
 
[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅
[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅
[AWS Builders] AWS와 함께하는 클라우드 컴퓨팅
Amazon Web Services Korea
 
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Teri Radichel
 
Advanced Architectures with AWS Transit Gateway
Advanced Architectures with AWS Transit GatewayAdvanced Architectures with AWS Transit Gateway
Advanced Architectures with AWS Transit Gateway
Amazon Web Services
 
AWS Black Belt Techシリーズ Amazon SNS / Amazon SQS
AWS Black Belt Techシリーズ Amazon SNS / Amazon SQSAWS Black Belt Techシリーズ Amazon SNS / Amazon SQS
AWS Black Belt Techシリーズ Amazon SNS / Amazon SQS
Amazon Web Services Japan
 
AWS VPC.pdf
AWS VPC.pdfAWS VPC.pdf
AWS VPC.pdf
Shagun Rathore
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
Amazon Web Services
 
20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...
20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...
20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...
Amazon Web Services Japan
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services
 
Aws VPC
Aws VPCAws VPC
Aws VPC
Abhishek Amralkar
 
Containers on AWS: An Introduction
Containers on AWS: An IntroductionContainers on AWS: An Introduction
Containers on AWS: An Introduction
Amazon Web Services
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Web Services
 
AWS Black Belt Online Seminar 2017 Amazon DynamoDB
AWS Black Belt Online Seminar 2017 Amazon DynamoDB AWS Black Belt Online Seminar 2017 Amazon DynamoDB
AWS Black Belt Online Seminar 2017 Amazon DynamoDB
Amazon Web Services Japan
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
Amazon Web Services
 
20190320 AWS Black Belt Online Seminar Amazon EBS
20190320 AWS Black Belt Online Seminar Amazon EBS20190320 AWS Black Belt Online Seminar Amazon EBS
20190320 AWS Black Belt Online Seminar Amazon EBS
Amazon Web Services Japan
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
Amazon Web Services
 
Présentation des services AWS
Présentation des services AWSPrésentation des services AWS
Présentation des services AWS
Julien SIMON
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security Fundamentals
Amazon Web Services
 
AWS Lambda / Amazon API Gateway Deep Dive
AWS Lambda / Amazon API Gateway Deep DiveAWS Lambda / Amazon API Gateway Deep Dive
AWS Lambda / Amazon API Gateway Deep Dive
Keisuke Nishitani
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWS
Amazon Web Services
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
Amazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
Amazon Web Services
 
AWS Technical Due Diligence Workshop Session One
AWS Technical Due Diligence Workshop Session OneAWS Technical Due Diligence Workshop Session One
AWS Technical Due Diligence Workshop Session One
Tom Laszewski
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
Amazon Web Services
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
Chris Gates
 
Semplificare l'observability per progetti Serverless
Semplificare l'observability per progetti ServerlessSemplificare l'observability per progetti Serverless
Semplificare l'observability per progetti Serverless
Luciano Mammino
 

Mais conteúdo relacionado

Mais procurados

Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWS
Amazon Web Services
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
Amazon Web Services
 

Mais procurados (20)

AWS VPC.pdf
AWS VPC.pdfAWS VPC.pdf
AWS VPC.pdf
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
 
20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...
20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...
20180704(20190520 Renewed) AWS Black Belt Online Seminar Amazon Elastic File ...
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Aws VPC
Aws VPCAws VPC
Aws VPC
 
Containers on AWS: An Introduction
Containers on AWS: An IntroductionContainers on AWS: An Introduction
Containers on AWS: An Introduction
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
 
AWS Black Belt Online Seminar 2017 Amazon DynamoDB
AWS Black Belt Online Seminar 2017 Amazon DynamoDB AWS Black Belt Online Seminar 2017 Amazon DynamoDB
AWS Black Belt Online Seminar 2017 Amazon DynamoDB
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
20190320 AWS Black Belt Online Seminar Amazon EBS
20190320 AWS Black Belt Online Seminar Amazon EBS20190320 AWS Black Belt Online Seminar Amazon EBS
20190320 AWS Black Belt Online Seminar Amazon EBS
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
Présentation des services AWS
Présentation des services AWSPrésentation des services AWS
Présentation des services AWS
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security Fundamentals
 
AWS Lambda / Amazon API Gateway Deep Dive
AWS Lambda / Amazon API Gateway Deep DiveAWS Lambda / Amazon API Gateway Deep Dive
AWS Lambda / Amazon API Gateway Deep Dive
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWS
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
AWS Technical Due Diligence Workshop Session One
AWS Technical Due Diligence Workshop Session OneAWS Technical Due Diligence Workshop Session One
AWS Technical Due Diligence Workshop Session One
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
 

Semelhante a WeirdAAL (AWS Attack Library)

Semplificare l'observability per progetti Serverless
Semplificare l'observability per progetti ServerlessSemplificare l'observability per progetti Serverless
Semplificare l'observability per progetti Serverless
Luciano Mammino
 
End-to-end CI/CD deployments of containerized applications using AWS services
End-to-end CI/CD deployments of containerized applications using AWS servicesEnd-to-end CI/CD deployments of containerized applications using AWS services
End-to-end CI/CD deployments of containerized applications using AWS services
Massimo Ferre'
 
AWS Observability Made Simple
AWS Observability Made SimpleAWS Observability Made Simple
AWS Observability Made Simple
Luciano Mammino
 

Semelhante a WeirdAAL (AWS Attack Library) (20)

WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
Semplificare l'observability per progetti Serverless
Semplificare l'observability per progetti ServerlessSemplificare l'observability per progetti Serverless
Semplificare l'observability per progetti Serverless
 
Serverless in production, an experience report (Going Serverless)
Serverless in production, an experience report (Going Serverless)Serverless in production, an experience report (Going Serverless)
Serverless in production, an experience report (Going Serverless)
 
Serverless in production (O'Reilly Software Architecture)
Serverless in production (O'Reilly Software Architecture)Serverless in production (O'Reilly Software Architecture)
Serverless in production (O'Reilly Software Architecture)
 
Serverless in production, an experience report (linuxing in london)
Serverless in production, an experience report (linuxing in london)Serverless in production, an experience report (linuxing in london)
Serverless in production, an experience report (linuxing in london)
 
End-to-end CI/CD deployments of containerized applications using AWS services
End-to-end CI/CD deployments of containerized applications using AWS servicesEnd-to-end CI/CD deployments of containerized applications using AWS services
End-to-end CI/CD deployments of containerized applications using AWS services
 
Introduction to the Serverless paradigm
Introduction to the Serverless paradigmIntroduction to the Serverless paradigm
Introduction to the Serverless paradigm
 
Serverless in production, an experience report (JeffConf)
Serverless in production, an experience report (JeffConf)Serverless in production, an experience report (JeffConf)
Serverless in production, an experience report (JeffConf)
 
Bostonrb Amazon Talk
Bostonrb Amazon TalkBostonrb Amazon Talk
Bostonrb Amazon Talk
 
Serverless in production, an experience report
Serverless in production, an experience reportServerless in production, an experience report
Serverless in production, an experience report
 
Serverless in Production, an experience report (cloudXchange)
Serverless in Production, an experience report (cloudXchange)Serverless in Production, an experience report (cloudXchange)
Serverless in Production, an experience report (cloudXchange)
 
Serverless in production, an experience report (FullStack 2018)
Serverless in production, an experience report (FullStack 2018)Serverless in production, an experience report (FullStack 2018)
Serverless in production, an experience report (FullStack 2018)
 
Serverless in production, an experience report (LNUG)
Serverless in production, an experience report (LNUG)Serverless in production, an experience report (LNUG)
Serverless in production, an experience report (LNUG)
 
Serverless in Production, an experience report (AWS UG South Wales)
Serverless in Production, an experience report (AWS UG South Wales)Serverless in Production, an experience report (AWS UG South Wales)
Serverless in Production, an experience report (AWS UG South Wales)
 
Richard Cole of Amazon Gives Lightning Tallk at BigDataCamp
Richard Cole of Amazon Gives Lightning Tallk at BigDataCampRichard Cole of Amazon Gives Lightning Tallk at BigDataCamp
Richard Cole of Amazon Gives Lightning Tallk at BigDataCamp
 
Serverless in production, an experience report (CoDe-Conf)
Serverless in production, an experience report (CoDe-Conf)Serverless in production, an experience report (CoDe-Conf)
Serverless in production, an experience report (CoDe-Conf)
 
AWS Observability Made Simple
AWS Observability Made SimpleAWS Observability Made Simple
AWS Observability Made Simple
 
It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenches
 
Continuous Deployment @ AWS Re:Invent
Continuous Deployment @ AWS Re:InventContinuous Deployment @ AWS Re:Invent
Continuous Deployment @ AWS Re:Invent
 

Mais de Chris Gates

Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Chris Gates
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Chris Gates
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
Chris Gates
 

Mais de Chris Gates (20)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 

Último

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Último (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

WeirdAAL (AWS Attack Library)

  • 4. whoami Chris Gates - Sr. Security Engineer - Uber Twitter: @carnal0wnage Blog: carnal0wnage.attackresearch.com Talks: slideshare.net/chrisgates
  • 6. whoami Ken Johnson - AppSec - GitHub Twitter: @cktricky Talks: slideshare.net/KenJohnson61/
  • 7. We’ve been talking about this... LasCon 2014 - DevOops, I did it Again https://www.youtube.com/watch?v=i8SnLXwlBWM
  • 8. … and talking... DevOpsDays DC 2015 https://vimeo.com/137691444
  • 9. ...and talking some more... DevOops Redux - AppSec USA 2016 https://bit.ly/2qYe29y
  • 10. … still going... RSA Conference 2017 https://bit.ly/2HOZ0N4
  • 11. OKAY, WE GET IT ALREADY! (do you, though?) DevOops Redux - CERN 2017 & InsomniaHack 2017 https://cds.cern.ch/record/2256987
  • 12. So what has happened during this time? 2014 - Code Spaces
  • 13. … le sigh (horrorshow is right) 2015 - Systema Software
  • 14. Come on! 2016 - Datadog
  • 15. … surely its getting better? Nope 2017 - Deep Root Analytics / America?
  • 16. This is why we drink 2018 - MBM Company, Tesla
  • 17. So what did we decide to do about it?
  • 18. Join the party of course :-)
  • 20. WeirdAAL ● WeirdAAL (AWS Attack Library) ● https://github.com/carnal0wnage/ weirdAAL ● Python3 ● Relies heavily on boto3 library
  • 21. WeirdAAL Two Goals: 1. Answer what can I do with this AWS Keypair [blackbox] 1. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
  • 22. WeirdAAL Prior work 1. CG’s aws_interrogate (vaporware) 2. https://github.com/dagrz/aws_pwn & his medium posts 3. https://github.com/bchew/dynamodump 4. https://github.com/ThreatResponse/aws_ir 5. https://github.com/nccgroup/Scout2
  • 23. Setup / Usage / Boto3 ● Supports boto3 and aws credentials format ○ Using boto3 allows us to natively support STS tokens ○ Put your creds in .env folder in WeirdAAL home
  • 24. Setup / Usage / Boto3 ● Targets ○ Passes a -t (target) value to track your work ○ Can have multiple AWS keys in a target ● Modules ○ Modules passed via -m to do various tasks ○ python3 weirdAAL.py -m dynamodb_list_tables -t demo ○ Coverage for many services but not all (so far) ■ EC2, Lambda, s3, dynamodb, iam, etc ● Built in proxy support via boto3
  • 25. What Can I Do With This AWS Key Pair? AWS offers no easy way (blackbox) If you have IAM you can look at running services manually or check billing. Tedious & No Fun (135 services in boto3 1.7.4)
  • 26. What Can I Do With This AWS Key Pair? Our solution, ask every service if we have permission to use it (recon_all)
  • 27. What Can I Do With This AWS Key Pair? Recon_all demo
  • 28. What Can I Do With This AWS Key Pair? Recon_all demo
  • 29. What Can I Do With This AWS Key Pair?
  • 30. What Can I Do With This AWS Key Pair? Recon_all demo (recap) Hit up every AWS service we can ask a **generic** question to ** required no args or specifics about that account Log to DB for use later and automation Todo: Evasion? Timing? Does anyone look or care?
  • 31. What Can I Do With This AWS Key Pair? Recon_all demo (gotchas) ● Root keys that have invalid billing info give you: “SubscriptionRequiredException” or “OptInRequired” boto3 errors ● Root keys that are in good standing give you everything available :-/
  • 33. What Can I Do With This AWS Key Pair? In previous talks, we discussed monitoring. Now we show you how to burn all that to the ground.
  • 34. What Can I Do With This AWS Key Pair? Starting with SNS… List topics
  • 35. What Can I Do With This AWS Key Pair? List subscribers to a topic
  • 36. What Can I Do With This AWS Key Pair? Or… just delete the Topic. Now nobody knows what you’re doing :-)
  • 37. What Can I Do With This AWS Key Pair? Config service has rules. You’ll see why cloudtrail is important
  • 38. What Can I Do With This AWS Key Pair? We can list the config rules of course (for every region):
  • 39. What Can I Do With This AWS Key Pair? But what about deleting rules? Yeah, we’ve got that too :-)
  • 40. What Can I Do With This AWS Key Pair? Or just delete the whole recording altogether - BEFORE
  • 41. What Can I Do With This AWS Key Pair? Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...
  • 42. What Can I Do With This AWS Key Pair? Now, delete it :-)
  • 43. What Can I Do With This AWS Key Pair? Welp, no more Config alerts… or Config at all, really
  • 44. What Can I Do With This AWS Key Pair? IAM_Pwn Found a key with IAM/Root? Let’s automate the takeover / make backdoor accounts
  • 45. What Can I Do With This AWS Key Pair? IAM_Pwn demo
  • 46. What Can I Do With This AWS Key Pair? IAM_Pwn demo - List users
  • 47. What Can I Do With This AWS Key Pair? IAM_Pwn demo - User details IAM console
  • 48. What Can I Do With This AWS Key Pair? IAM_Pwn demo - delete MFA device
  • 49. What Can I Do With This AWS Key Pair? IAM_Pwn demo - change console password
  • 50. What Can I Do With This AWS Key Pair? IAM_Pwn demo - create access/secret key
  • 51. What Can I Do With This AWS Key Pair? IAM_Pwn demo - delete access/secret key
  • 52. What Can I Do With This AWS Key Pair? IAM_Pwn demo - make backdoor account
  • 53. What Can I Do With This AWS Key Pair? IAM_Pwn (recap) Deleted 2FA Add console user / add new keys Backdoor admin user Hack all the thingz
  • 54. What Can I Do With This AWS Key Pair? IAM_Pwn (story time) Made backdoor account in pentest, proved lack of logging and policy enforcement
  • 55. What Can I Do With This AWS Key Pair? Logging / IR
  • 56. What Can I Do With This AWS Key Pair? Lambda - list_functions
  • 57. What Can I Do With This AWS Key Pair? Lambda - get_function
  • 58. What Can I Do With This AWS Key Pair? Thankfully, lambda serverless arch and KMS means no more creds in code right?
  • 59. What Can I Do With This AWS Key Pair? Nope :-)
  • 60. What Can I Do With This AWS Key Pair? Lambda http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code
  • 61. It’s cool I have cloudtrail configured….
  • 62. What Can I Do With This AWS Key Pair? Stop Cloudtrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594) Identify existing CloudTrail trails
  • 63. What Can I Do With This AWS Key Pair? Stop Cloudtrail logging Use TrailARN to stop CloudTrail with stop_logging function
  • 64. What Can I Do With This AWS Key Pair? Delete Cloudtrail Trail Use TrailARN to stop CloudTrail with delete_trail function
  • 65. What Can I Do With This AWS Key Pair? Delete Cloudtrail Trail
  • 66. What Can I Do With This AWS Key Pair? Logging / IR
  • 67. What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
  • 68. What Can I Do With This AWS Key Pair? EC2 get_console_screenshot
  • 69. What Can I Do With This AWS Key Pair? EC2 get_console_output
  • 70. What Can I Do With This AWS Key Pair? EC2 get_console_output
  • 71. What Can I Do With This AWS Key Pair? EC2 get_console_output_all
  • 72. What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
  • 73. What Can I Do With This AWS Key Pair? EC2 & Lucidcharts
  • 74. What Can I Do With This AWS Key Pair? Just plain mean…. ec2_stop_instances
  • 75. Useful Functions & Libs Grew tired of stackoverflowing everything Ideally, grab useful functions and throw together quick python script to knock out your task Uses libs for actions that need more control/finesse/data passed
  • 76. Example of a Module
  • 77. Useful Functions & Libs Used WeirdAAL at work to get public EC2 instances quickly so we can do external pentesting -impossible to know given the large range of AWS IP space
  • 78. Useful Functions & Libs Pydoc friendly (work in progress)
  • 80. Contact Info Chris Gates Slides Twitter: @carnal0wnage https://www.slideshare.net/chrisgates Ken Johnson Code: Twitter: @cktricky https://github.com/carnal0wnage/weirdAAL