Hacking the Cloud - Java2Days

Hacking the Cloud
Javier Godinez

AGENDA
- Into the Cloud (background)
- Techniques for getting a foothold in the Cloud
- Cumulus: creating IAM users, launching workloads, locking users out
- Demo
- How do we stay safe?

INTO THE CLOUD

INSTANCE
- Virtual host
- Virtual environment on a Xen hypervisor
- Feels very much like a host running on bare metal

METADATA SERVICE
- Internal HTTP service that gives instances information about their environment
- Available from the host at http://169.254.169.254/
- Also provides temporary credentials to the host

INSTANCE PROFILE
- AWS construct that maps a role to an instance
- An instance may or may not have a profile associated with it

AWS IDENTITY AND ACCESS MANAGEMENT OVERVIEW
- Users, Groups, Roles
- Access Policies: Effect, Actions, Resources, Condition

THE GOOD
- Policy is specifically created for the user/application
- Least privilege
- Made to be as granular as possible

THE BAD
- ec2:*
- iam:*
- anything:*

THE UGLY
- All actions on all resources
- Great for development, because everything just works
- Really bad for security

FOOTHOLD IN THE CLOUD

Weak authentication - SSH
- SSH server on the Internet
- Accepts passwords
- Weak/guessable passwords
- SSH Demo

Insecure configurations - Jenkins
- Jenkins console on the Internet
- Default installation with no auth/weak auth
- Console allows command execution
- Jenkins Demo

Misconfiguration - Squid Proxy
- Default/insecure configuration
- Accepts ingress traffic from the Internet
- Can be used to proxy for internal resources
- Proxy Demo

Application vulnerabilities - XXE
- XML External Entity (XXE) injection
- Misconfigured XML parser
- XML parser allows input that references system or network resources
- XXE Demo

CUMULUS

But first, what is Metasploit?
- Tool used by security practitioners to test controls
- Environment for building exploits
- Used to take advantage of / exploit software flaws

CREATE IAM USER MODULE
- Allows for the creation of a user with admin privileges to the AWS account
- Needs access to AWS access keys or an instance role with:
  iam:CreateUser
  iam:CreateGroup
  iam:PutGroupPolicy
  iam:AddUserToGroup
  iam:CreateAccessKey

LAUNCH INSTANCES MODULE
- Auto-detects configuration for launching EC2 instances
- Can launch one or multiple instances
- Can execute setup scripts

LOCKOUT USERS MODULE
- Requires an IAM admin role (created by the previous module)
- Enumerates all users and access keys
- Accepts a user to keep
- Locks out all other accounts

DISCLAIMER
- This is not an Amazon Web Services issue
- This is a DevOps education issue
- It is the user's responsibility to understand the technology being used
- With power user privileges comes great responsibility

DEMO: PUTTING IT ALL TOGETHER
(diagram: attacker, IGW, SSH, proxy, Jenkins, AWS API, VPC 10.0.0.0/16, with numbered attack steps)

HOW DO WE STAY SAFE IN THE CLOUD?

STAYING SAFE IN THE CLOUD: IAM BEST PRACTICES
- Add MFA to the root user and remove root user access keys
- Create individual IAM users
- Use groups to assign permissions to IAM users
- Grant least privilege
- Configure a strong password policy for users
- Enable MFA for all users
- Use roles for applications running on EC2
- Detach roles from applications that don't need them (*New)
- Delegate by using roles instead of by sharing credentials
- Rotate passwords and access keys regularly
- Remove unnecessary credentials
- Use policy conditions for extra security
- Monitor activity in your AWS account (CloudTrail)
- See: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

STAYING SAFE IN THE CLOUD: PRACTICE SEPARATION OF DUTIES
- Can all your users perform IAM actions? Only a subset of users should be IAM admins
- Can any instance perform IAM actions? Heavily restrict IAM actions on instances
- Audit your users/groups/roles
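A policy audit that applies the good/bad/ugly distinction from the IAM overview and the separation-of-duties questions on this slide, added here as an example (it is not part of the talk or of the Cumulus toolkit); the sample policies and the S3 bucket name are constructed:

```python
import json
from fnmatch import fnmatch

# Constructed sample policies (not from the talk): one least-privilege policy,
# one with the "THE BAD" service wildcards, one "THE UGLY" full-admin policy.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-assets/*"}]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"}]}
UGLY_POLICY = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "*", "Resource": "*"}}

# The five actions the talk lists for the Create IAM User module: a principal
# holding all of them can mint an admin user, so they are tracked as a set.
ADMIN_MINTING = {"iam:CreateUser", "iam:CreateGroup", "iam:PutGroupPolicy",
                 "iam:AddUserToGroup", "iam:CreateAccessKey"}

def _as_list(value):
    """IAM allows a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, instance_role=False):
    """Return a list of findings for one policy document (dict or JSON string).

    instance_role=True applies the stricter rule for roles attached to EC2
    instances from the slide above: any IAM action at all is reported.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings, granted = [], set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        for action in (a.lower() for a in _as_list(stmt.get("Action", []))):
            if action == "*" and all_resources:
                findings.append("THE UGLY: all actions on all resources")
            elif action == "*" or action.endswith(":*"):
                findings.append(f"THE BAD: wildcard action {action}")
            # The policy action is the glob (iam:*, iam:Create*), matched per action.
            granted.update(m for m in ADMIN_MINTING if fnmatch(m.lower(), action))
            if instance_role and (action == "*" or action.startswith("iam:")):
                findings.append(f"instance role may perform IAM action {action}")
    if granted == ADMIN_MINTING:
        findings.append("can create an admin user: all five iam: actions granted")
    return findings
```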

STAYING SAFE IN THE CLOUD: BEWARE OF TUNNELS
- Do you use VPN tunnels between AWS and datacenters, other AWS accounts (or VPC peering), or other hosts?
- Attacks can traverse these tunnels
- Lock down security groups

STAYING SAFE IN THE CLOUD: MONITOR YOUR CLOUDTRAIL
- Will someone notice when a new user is created in your account, or a resource is created in an unused region?
- Will you notice right away or at the end of the month?
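A minimal detection pass over CloudTrail records for the two questions on this slide, added here as an example (not from the talk or Cumulus); the sample records, account id, role name and the set of used regions are constructed assumptions:

```python
import json

# Regions this account actually deploys to; anything else counts as "an unused
# region" in the sense of the slide above (assumed values).
USED_REGIONS = {"us-east-1", "us-west-2"}
# IAM events that change who can act in the account, including the actions the
# Create IAM User and Lockout Users modules would generate.
IAM_CHANGE_EVENTS = {"CreateUser", "CreateGroup", "PutGroupPolicy",
                     "AddUserToGroup", "CreateAccessKey", "DeleteAccessKey",
                     "UpdateAccessKey", "DeleteLoginProfile", "UpdateLoginProfile"}

def _rec(time, source, name, region, arn):
    """Build one record in CloudTrail's JSON shape (only the fields used here)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": arn}}

# Constructed sample trail: an instance role (session name is the instance id)
# creates a user and a key, then that user launches EC2 in an unused region.
ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2017-03-20T10:00:01Z", "s3.amazonaws.com", "GetObject", "us-east-1", ROLE),
    _rec("2017-03-20T10:02:13Z", "iam.amazonaws.com", "CreateUser", "us-east-1", ROLE),
    _rec("2017-03-20T10:02:14Z", "iam.amazonaws.com", "CreateAccessKey", "us-east-1", ROLE),
    _rec("2017-03-20T10:05:40Z", "ec2.amazonaws.com", "RunInstances", "ap-southeast-2",
         "arn:aws:iam::111122223333:user/backup-svc"),
]})

def detect(trail_json, used_regions=USED_REGIONS):
    """Return (severity, eventTime, message) alerts for a CloudTrail JSON file."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        who = rec["userIdentity"].get("arn", "unknown")
        name, region = rec["eventName"], rec["awsRegion"]
        if rec["eventSource"] == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS:
            # EC2 instance-profile sessions carry the instance id as the session
            # name, so an IAM change from one means an instance is doing IAM work.
            from_instance = ":assumed-role/" in who and who.rsplit("/", 1)[-1].startswith("i-")
            sev = "HIGH" if from_instance else "MEDIUM"
            alerts.append((sev, rec["eventTime"], f"{name} by {who}"))
        if name.startswith(("Run", "Create")) and region not in used_regions:
            alerts.append(("HIGH", rec["eventTime"],
                           f"{name} in unused region {region} by {who}"))
    return alerts
```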

STAYING SAFE IN THE CLOUD: TEST FOR SECURITY
- Is your AWS footprint covered by threat models, vulnerability scanners, penetration tests and a red team?

STAYING SAFE IN THE CLOUD: AWARENESS
- Security training
- Conferences like this one
- Read IAM best practices and security whitepapers
- Build a community around cloud security

QUESTIONS?
Javier Godinez
Thank you!
- Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
- See cumulus branch: https://github.com/godinezj/metasploit-framework
- Control Plane: https://github.com/devsecops/controlplane/

APPENDIX: HOW TO APPLY THIS KNOWLEDGE
- Read the AWS IAM Best Practices documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- Monitor IAM actions using AWS CloudTrail
- Audit your AWS account IAM policies and roles
- Red team your applications and instances: https://www.metasploit.com
- Think to yourself: how would an attacker use this against me?
- Use repeatable secure patterns: https://github.com/devsecops
- Help build awareness through community: http://www.devsecops.org

UNDERSTANDING THE TECHNOLOGY YOU USE
- How fast can I move while still staying safe?
- Always develop in a separate account (blast radius containment)
- Read the docs for everything and make conscious choices
- Attackers will try to leverage everything against you
- Bleeding edge does not mean stable and secure; however, it can be with enough testing

UPCOMING MODULES AND PROJECTS
- Metasploit AWS Lambda module
- Metasploit AWS S3 enumeration module
- Cumulus Cloud Attack Toolkit: AWS, Google Cloud Platform
- DevSecOps.org community
