Hacking the Cloud - Java2Days

Hacking the Cloud
Javier Godinez
CUMULUS

  • Into the Cloud (background)
  • Techniques for getting a foothold in the Cloud
  • Cumulus
      • Creating IAM users
      • Launching workloads
      • Locking users out
  • Demo
  • How do we stay safe?

Into the Cloud

INSTANCE
  • Virtual host
  • Virtual environment on Xen hypervisor
  • Feels very much like a host running on bare metal

METADATA SERVICE
  • Internal HTTP service that provides instances with information about their environment
  • Available from host at
  • Also provides temporary credentials to host

INSTANCE PROFILE
  • AWS construct that maps a role to an instance
  • Instance may or may not have a profile associated with it

AWS IDENTITY AND ACCESS MANAGEMENT OVERVIEW
  • Users
  • Groups
  • Roles
  • Access Policies
      • Effect
      • Actions
      • Resources
      • Condition

THE GOOD
  • Policy is specifically created for the user/application
  • Least privilege
  • Made to be as granular as possible

THE BAD
  • ec2:*
  • iam:*
  • anything:*

THE UGLY
  • All actions on all resources
  • Great for development, because everything just works
  • Really Bad for Security

Foothold in the Cloud

Weak authentication - SSH
  • SSH Server on the Internet
  • Accepts passwords
  • Weak/guessable passwords

SSH Demo

Insecure configurations - Jenkins
  • Jenkins console on Internet
  • Default installation with no auth/weak auth
  • Console allows command execution

Jenkins Demo

Misconfiguration - Squid Proxy
  • Default/insecure configuration
  • Accepts ingress traffic from Internet
  • Can be used to proxy for internal resources

Proxy Demo

Application vulnerabilities - XXE
  • XML Entity Injection
  • Misconfigured XML Parser
  • XML parser allows input that references system or network resources

XXE Demo

Cumulus

But First, what is Metasploit?
  • Tool used by Security practitioners to test controls
  • Environment for building exploits
  • Used to take advantage of / exploit software flaws

CREATE IAM USER MODULE
  • Allows for the creation of a user with Admin Privileges to the AWS account
  • Needs access to AWS Access Keys or Instance Role with:
      • iam:CreateUser
      • iam:CreateGroup
      • iam:PutGroupPolicy
      • iam:AddUserToGroup
      • iam:CreateAccessKey

LAUNCH INSTANCES MODULE
  • Auto detects configuration for launching EC2 instances
  • Can launch one or multiple instances
  • Can execute setup scripts

LOCKOUT USERS MODULE
  • Requires an IAM admin role (created by previous module)
  • Enumerates all users and access keys
  • Accepts a user to keep
  • Locks out all other accounts

DISCLAIMER
  • This is not an Amazon Web Services issue
  • This is a DevOps education issue
  • It is the user's responsibility to understand the technology being used
  • With power user privileges come great responsibilities

Demo: Putting it all Together
[Diagram labels: AWS API, IGW, SSH, API, Proxy, Attacker, Jenkins]

How do we stay safe in the Cloud?

Staying Safe in the Cloud

IAM Best Practices
  • Add MFA to Root user and remove Root user access keys
  • Create individual IAM users
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Configure a strong password policy for users
  • Enable MFA for all users
  • Use roles for Applications running on EC2
  • Detach roles from applications that don't need them (*New)
  • Delegate by using roles instead of by sharing credentials
  • Rotate passwords and access keys regularly
  • Remove unnecessary credentials
  • Use policy conditions for extra security
  • Monitor activity in your AWS account (CloudTrail)
  • See: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Practice separation of duties
  • Can all your users perform IAM actions?
      • Only a subset of users should be IAM Admins
  • Can any instance perform IAM actions?
      • Heavily restrict IAM actions on Instances
  • Audit your Users/Groups/Roles
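
One way to answer "Can any instance perform IAM actions?" is to test each instance role's policy document against the IAM actions the create-user module needs. This is an added example, not code from the talk or from Cumulus; the role names and policies are constructed, and the matcher is a simplification of real IAM policy evaluation.

```python
from fnmatch import fnmatchcase

# IAM actions the slides list for the "create IAM user" module.
RISKY = ["iam:CreateUser", "iam:CreateGroup", "iam:PutGroupPolicy",
         "iam:AddUserToGroup", "iam:CreateAccessKey"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def risky_grants(policy):
    """Return the RISKY actions that an Allow statement in `policy` grants.

    Simplification: Deny statements, Resource scoping and Condition blocks
    are ignored, so this over-reports and each hit needs a manual look.
    """
    hits = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in RISKY:
            if "Action" in stmt and _matches(action, stmt["Action"]):
                hits.add(action)
            elif "NotAction" in stmt and not _matches(action, stmt["NotAction"]):
                hits.add(action)  # Allow + NotAction grants everything not named
    return sorted(hits)

def audit(role_policies):
    """Map role name -> risky actions, keeping only roles with findings."""
    report = {name: risky_grants(doc) for name, doc in role_policies.items()}
    return {name: hits for name, hits in report.items() if hits}

# Constructed policies for hypothetical instance roles (not from the talk).
ROLES = {
    "ugly-dev-role": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "bad-build-role": {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:Create*"],
                                      "Resource": "*"}]},
    "notaction-role": {"Statement": {"Effect": "Allow", "NotAction": "s3:*", "Resource": "*"}},
    "good-app-role": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                     "Resource": "arn:aws:s3:::example-bucket/*"}]},
}

if __name__ == "__main__":
    for role, hits in audit(ROLES).items():
        print(role, "->", ", ".join(hits))
```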

Beware of tunnels
  • Do you use VPN tunnels between AWS and:
      • Datacenters
      • Other AWS accounts (or VPC Peering)
      • Other hosts
  • Attacks can traverse these tunnels
  • Lock down security groups

Monitor your CloudTrail
  • Will someone notice when:
      • a new user is created in your account
      • a resource is created in an unused region
  • Will you notice right away or at the end of the month?
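
The two questions on this slide can be turned into a check over CloudTrail records. The sketch below is an added example, not part of the talk or of Cumulus: it flags the IAM calls listed for the create-user module, calling out those made with instance-profile credentials, and flags state-changing calls outside an assumed set of in-use regions. The sample records, account ID, names and region list are constructed.

```python
import json
import re

# IAM calls the slides list for the "create IAM user" module.
IAM_WATCH = {"CreateUser", "CreateGroup", "PutGroupPolicy", "AddUserToGroup", "CreateAccessKey"}
USED_REGIONS = {"us-east-1", "us-west-2"}  # assumption: regions this account uses
# Instance-profile credentials appear as a role session named after the instance ID.
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

def triage(record):
    """Findings for one CloudTrail record; read-only calls never count as unused-region hits."""
    findings = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if record.get("eventSource") == "iam.amazonaws.com" and name in IAM_WATCH:
        session = INSTANCE_SESSION.search(ident.get("arn", ""))
        if ident.get("type") == "AssumedRole" and session:
            findings.append(f"iam-from-instance:{name}:{session.group(1)}")
        else:
            findings.append(f"iam-change:{name}")
    region = record.get("awsRegion")
    if region not in USED_REGIONS and not record.get("readOnly", False):
        findings.append(f"unused-region:{region}:{name}")
    return findings

def scan(log_text):
    """Scan a CloudTrail log file body of the form {"Records": [...]}."""
    hits = []
    for record in json.loads(log_text).get("Records", []):
        hits.extend((record.get("eventTime"), f) for f in triage(record))
    return hits

def _rec(time, service, name, region, id_type, arn, read_only=False):
    return {"eventTime": time, "eventSource": service + ".amazonaws.com",
            "eventName": name, "awsRegion": region, "readOnly": read_only,
            "userIdentity": {"type": id_type, "arn": arn}}

# Constructed sample records; account ID, names and instance ID are made up.
ALICE = "arn:aws:iam::111122223333:user/alice"
ROLE = "arn:aws:sts::111122223333:assumed-role/jenkins-role/i-0abc1234def567890"
SAMPLE = json.dumps({"Records": [
    _rec("2024-01-15T10:00:00Z", "iam", "CreateUser", "us-east-1", "AssumedRole", ROLE),
    _rec("2024-01-15T10:05:00Z", "iam", "CreateAccessKey", "us-east-1", "IAMUser", ALICE),
    _rec("2024-01-15T10:10:00Z", "ec2", "RunInstances", "ap-southeast-2", "IAMUser", ALICE),
    _rec("2024-01-15T10:15:00Z", "ec2", "DescribeInstances", "eu-west-1", "IAMUser", ALICE, True),
]})

if __name__ == "__main__":
    for when, finding in scan(SAMPLE):
        print(when, finding)
```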

Test for Security
  • Is your AWS footprint covered by:
      • Threat Models
      • Vuln scanners
      • Penetration tests
      • Red Team

Awareness
  • Security training
  • Conferences like this one
  • Read IAM Best Practices and security whitepapers
  • Build a community around Cloud security

Questions?
Javier Godinez
Thank you!
  • Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
  • See cumulus branch: https://github.com/godinezj/metasploit-framework
  • Control Plane: https://github.com/devsecops/controlplane/

APPENDIX

HOW TO APPLY THIS KNOWLEDGE
  • Read the AWS IAM Best Practices Documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  • Monitor IAM actions using AWS CloudTrail
  • Audit your AWS Account IAM Policies and Roles
  • Red Team your applications and instances: https://www.metasploit.com
  • Think to yourself: How would an attacker use this against me?
  • Use repeatable secure patterns: https://github.com/devsecops
  • Help build awareness through community: http://www.devsecops.org

UNDERSTANDING THE TECHNOLOGY YOU USE
  • How fast can I move while still staying safe?
  • Always develop in a separate account (Blast Radius Containment)
  • Read the docs for everything and make conscious choices
  • Attackers will try to leverage everything against you
  • Bleeding edge does not mean stable and secure. However, it can be with enough testing

UPCOMING MODULES AND PROJECTS
  • Metasploit AWS Lambda module
  • Metasploit AWS S3 enumeration module
  • Cumulus Cloud Attack Toolkit
      • AWS
      • Google Cloud Platform
  • DevSecOps.org Community
