Have you ever wondered whether access to your cloud kingdom is secure? Have you ever thought about how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present hackish methods used by cyber criminals to find access keys on the public Internet. How can Shannon entropy help you? During the presentation I’ll release my own scanners to search the AWS and Azure space, and in the end I will demonstrate my own tool to analyze big amounts of data in search of sensitive data. Lots of demos, technical stuff and an educating moral for unaware specialists at the end. It’s gonna be fun!
Hunting for the secrets in a cloud forest
1. Hunting for the secrets in a cloud forest
Pawel Rzepa (pawel.rzepa@securing.pl)
2. cloud.developerdays.pl@DeveloperDaysPL
#whoami
• Senior Security Consultant in SecuRing
• Pentesting
• Consultancy in cloud security
• Working ~6 yrs in cybersecurity
• Blog: https://medium.com/@rzepsky
• GitHub: https://github.com/xep624/
• Twitter: @Rzepsky
3. TL;DR
The goal of this presentation is to show how access keys may leak from your company regardless of the service provider you use (AWS, Azure, GCP etc.) and to discuss reliable countermeasures.
@Rzepsky
4. Presentation plan
• Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
18. What about Azure?
• There are no groups like “Any authenticated Azure user” (thanks Microsoft!)
• You have to discover 2 variables instead of 1, the storage account name and the container name (consider only Full public read access):
http://[storage account name].blob.core.windows.net/[container name]?restype=container&comp=list
21. Leaks via compromised accounts
• Numerous ways of infecting an employee’s computer
• Leaks via:
• Local config files, tools etc.
• ~/.aws/credentials
---------------------------------------------------------------------------------------------
• Enforcing MFA is a must!!!
• Remember the principle of least privilege (e.g. Repokid may help you)
25. Old vulns gain new life
• Some vulns can be much more dangerous in the cloud:
▪ CWE-200: Information Exposure
▪ CWE-441: Unintended Proxy or Intermediary
▪ CWE-611: XXE
▪ CWE-918: SSRF
• …because any of them may reveal your metadata!!!
27. What is the “meta-data”?
• Data about your instance
• Accessible only from within the instance itself via link:
http://169.254.169.254/latest/meta-data/
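The slides above say that SSRF, XXE or an open proxy in a web app becomes far more dangerous once that app runs on an instance with a metadata endpoint. The following is an added example, not code from the talk or from DumpsterDiver: it scans constructed web-server access-log lines (Common Log Format, made up here) for requests whose query-string parameters point at the metadata address named above, which is the signal a defender would hunt for in their own logs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The instance metadata endpoint named on the slide. A user-supplied parameter that points
# at it is the classic way an SSRF / XXE / open-proxy bug is turned into a credential leak.
METADATA_HOST = "169.254.169.254"

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size ...
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample access log (not from the talk): one benign fetch, one request whose
# url= parameter is the URL-encoded metadata endpoint, one unrelated server error.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2018:13:55:36 +0000] "GET /fetch?url=http://example.com/logo.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2018:13:55:40 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1043',
    '198.51.100.7 - - [10/Oct/2018:13:56:02 +0000] "POST /convert?src=%2Fuploads%2Fa.xml HTTP/1.1" 500 0',
]


def request_targets_metadata(path: str) -> bool:
    """True if any query-string value of the request names the metadata host.
    parse_qsl decodes one layer of percent-encoding; unquote() handles a value encoded twice."""
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if METADATA_HOST in unquote(value):
            return True
    return False


def find_metadata_ssrf(log_lines):
    """Return (client_ip, timestamp, path, status) for every parseable line that targets
    the metadata endpoint; a 200 on such a line means the app most likely proxied the response."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, path, status = m.groups()
        if request_targets_metadata(path):
            hits.append((client, ts, path, status))
    return hits


if __name__ == "__main__":
    for client, ts, path, status in find_metadata_ssrf(SAMPLE_LOG):
        print(f"{ts} {client} -> {path} (HTTP {status})")
```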
39. Specify key characteristics
• They have fixed length
• All chars from the Base64 charset
• They are random = they have high entropy
AWS_SECRET_ACCESS_KEY = 2r9pAuQxUFAqtrWhEy4G4WiVx5iJ74Hja5AWgHq9
Shared_Key = M3mmbjOlIZr11OZoULqUWyFA1EpOdZAEcmaC64E/Ft9MRfDEYE7qDJm+9ezGQY15==
43. Shannon entropy in practice
• Hash
404e554d243c1a11d13c96b60129504a31b0abd has 3.57 entropy
• Long string
“ChuckNorriscountedtoinfinitytwentytwice” has 3.81 entropy
“Where_are_my_keys?!¯\_(ツ)_/¯” contains characters outside the Base64 charset
• AWS secret key
2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9 has 4.67 entropy
Interesting fact: an AWS secret key always has entropy > 4.3
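The two slides above (key characteristics and Shannon entropy in practice) together describe the scoring that lets a scanner separate a secret key from a hash or a long word. Here is an added example, written for this page and not the talk's own DumpsterDiver code, that computes the Shannon entropy in bits per character (the values reproduce the 3.57, 3.81 and 4.67 from the slide), applies the three characteristics (length, Base64 charset, entropy above the slide's 4.3 threshold) and runs them over a constructed config file. SAMPLE_TEXT and the 20-character minimum token length are assumptions.

```python
import math
import re

# Base64 alphabet: the slide's second key characteristic ("all chars from the Base64 charset")
_BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# Constructed sample (not from the talk): a config file committed by mistake, mixing the
# slide's three strings (a commit hash, a long word-string, an AWS secret key) with plain text.
SAMPLE_TEXT = """\
commit 404e554d243c1a11d13c96b60129504a31b0abd
motto = ChuckNorriscountedtoinfinitytwentytwice
aws_secret_access_key = 2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character: -sum(p * log2(p)) over the distinct characters of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_base64_charset(s: str) -> bool:
    """True if every character of s belongs to the Base64 alphabet (including '=' padding)."""
    return all(ch in _BASE64_CHARS for ch in s)


def looks_like_aws_secret(token: str, threshold: float = 4.3) -> bool:
    """All three slide characteristics at once: fixed length (40 for an AWS secret key),
    Base64 charset, and entropy above the slide's 4.3 threshold."""
    return len(token) == 40 and is_base64_charset(token) and shannon_entropy(token) > threshold


def find_secret_candidates(text: str, min_len: int = 20, threshold: float = 4.3):
    """Pull every run of >= min_len Base64 characters (plus optional '=' padding) out of text
    and keep only the high-entropy ones; returns (token, entropy) pairs in order of appearance."""
    candidates = re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text)
    hits = []
    for token in candidates:
        h = shannon_entropy(token)
        if h > threshold:  # the hash (3.57) and the long word (3.81) fall below this line
            hits.append((token, round(h, 2)))
    return hits


if __name__ == "__main__":
    for token, h in find_secret_candidates(SAMPLE_TEXT):
        print(f"possible secret (entropy {h}): {token}")
```

Running it on the constructed sample reports only the AWS secret key; the commit hash and the long word pass the length and charset checks but not the entropy threshold.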
48. Advanced search - allows for creating additional rules
• Triggers if it finds “aws_secret_access_key”
• Triggers if it finds 10 emails in a .db or .sql file
• Triggers if it finds any of the patterns: *pass*, *haslo*, *key*