Contrary to most presentations and blog posts, there is more to AWS than S3. In a quest to create more reusable code we have created WeirdAAL (AWS Attack Library). Offensively, WeirdAAL helps you answer the question “what can I do with this AWS key?”. We aim to answer that question, in a blackbox way, via recon modules and modules dedicated to attacking each of the interesting AWS service offerings while avoiding detection. It also provides multiple functions, sorted by AWS service, that you can use for both offensive and defensive checks.
21. WeirdAAL
Two Goals:
1. Answer “what can I do with this AWS Keypair?” [blackbox]
2. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
22. WeirdAAL
Prior work
1. CG’s aws_interrogate (vaporware)
2. https://github.com/dagrz/aws_pwn & his medium posts
3. https://github.com/bchew/dynamodump
4. https://github.com/ThreatResponse/aws_ir
5. https://github.com/nccgroup/Scout2
6. https://github.com/RhinoSecurityLabs/pacu [post | concurrent]
23. Setup / Usage / Boto3
● Supports boto3 and aws credentials format
○ Using boto3 allows us to natively support STS tokens
○ Put your creds in .env folder in WeirdAAL home
24. Setup / Usage / Boto3
● Targets
○ Passes a -t (target) value to track your work
○ Can have multiple AWS keys in a target
● Modules
○ Modules passed via -m to do various tasks
○ python3 weirdAAL.py -m dynamodb_list_tables -t demo
○ Coverage for many services but not all (so far)
■ EC2, Lambda, s3, dynamodb, iam, etc
● Built in proxy support via boto3
25. Setup / Usage / Boto3
*New* we now list modules by cloud service
26. What Can I Do With This AWS Key Pair?
AWS offers no easy way (blackbox)
If you have IAM you can look at running services manually or check billing.
Tedious & No Fun
(135 services in boto3 1.7.4)
27. What Can I Do With This AWS Key Pair?
Our solution, ask every service if we have permission to use it (recon_all)
28. What Can I Do With This AWS Key Pair?
Recon_all demo
29. What Can I Do With This AWS Key Pair?
Recon_all demo
31. What Can I Do With This AWS Key Pair?
Recon_all demo (recap)
Hit up every AWS service we can ask a **generic** question to
** generic = a call that requires no args or specifics about that account
Log to DB for use later and automation
Todo: Evasion? Timing? Does anyone look or care?
32. What Can I Do With This AWS Key Pair?
Recon_all demo (gotchas)
● Root keys that have invalid billing info give you:
“SubscriptionRequiredException” or “OptInRequired” boto3 errors
● Root keys that are in good standing give you everything available :-/
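The “does anyone look or care?” question above has a defender's answer: a recon_all run shows up in CloudTrail as one access key being denied by many different services within a short window. The following is an added example (not WeirdAAL code) that scans CloudTrail records for exactly that pattern; it assumes the standard CloudTrail record fields (eventTime, eventSource, errorCode, userIdentity.accessKeyId) and uses constructed sample events, including the SubscriptionRequiredException/OptInRequired codes the slide mentions for root keys with bad billing.

```python
"""Detect recon_all-style permission probing in CloudTrail records.

Added example, not WeirdAAL code. Assumes the standard CloudTrail record
layout (eventTime, eventSource, eventName, errorCode, userIdentity.accessKeyId);
the events below are constructed, not captured from a real account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes services return when a call is not permitted (or, for root keys
# with bad billing, not subscribed). Illustrative set; extend it as needed.
DENIAL_CODES = {
    "AccessDenied", "AccessDeniedException", "AuthorizationError",
    "Client.UnauthorizedOperation", "SubscriptionRequiredException", "OptInRequired",
}

# Constructed sample: one key asks eight services a generic question in forty
# seconds and is denied everywhere; a second key does ordinary work.
_PROBES = [
    ("ec2", "DescribeInstances", "Client.UnauthorizedOperation"),
    ("dynamodb", "ListTables", "AccessDeniedException"),
    ("sns", "ListTopics", "AuthorizationError"),
    ("config", "DescribeConfigRules", "AccessDeniedException"),
    ("cloudtrail", "DescribeTrails", "AccessDeniedException"),
    ("iam", "ListUsers", "AccessDenied"),
    ("s3", "ListBuckets", "AccessDenied"),
    ("kms", "ListKeys", "AccessDeniedException"),
]
PROBE_KEY = "AKIAEXAMPLEPROBE0001"   # constructed key id
NORMAL_KEY = "AKIAEXAMPLENORMAL001"  # constructed key id

SAMPLE_EVENTS = [
    {
        "eventTime": f"2018-06-01T10:00:{5 * i:02d}Z",
        "eventSource": f"{svc}.amazonaws.com",
        "eventName": api,
        "errorCode": code,
        "userIdentity": {"type": "IAMUser", "accessKeyId": PROBE_KEY},
    }
    for i, (svc, api, code) in enumerate(_PROBES)
] + [
    {"eventTime": "2018-06-01T10:00:10Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "ListTables",
     "userIdentity": {"type": "IAMUser", "accessKeyId": NORMAL_KEY}},
    {"eventTime": "2018-06-01T10:00:20Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": NORMAL_KEY}},
]


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_probing_keys(events, window=timedelta(minutes=10), min_services=5):
    """Return {accessKeyId: sorted services} for every key that was denied by
    at least `min_services` distinct services inside some `window`-long span."""
    denied = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") in DENIAL_CODES:
            key = ev.get("userIdentity", {}).get("accessKeyId", "<no-key>")
            denied[key].append((_parse_time(ev["eventTime"]), ev["eventSource"]))

    alerts = {}
    for key, hits in denied.items():
        hits.sort()
        # Slide a window starting at each denial and count distinct services.
        for i, (start, _) in enumerate(hits):
            services = {src for t, src in hits[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts[key] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for key, services in find_probing_keys(SAMPLE_EVENTS).items():
        print(f"{key}: denied by {len(services)} services: {', '.join(services)}")
```

The threshold and window are the knobs an attacker's “Timing?” todo would try to slip under; stretching the window and lowering the threshold trades false positives for catching slower probes, and a key that is denied by five services in ten minutes is rarely doing legitimate work.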
34. What Can I Do With This AWS Key Pair?
In previous talks, we discussed monitoring. Now we show you how to burn all that to the ground.
35. What Can I Do With This AWS Key Pair?
Starting with SNS…
List topics
36. What Can I Do With This AWS Key Pair?
List subscribers to a topic
37. What Can I Do With This AWS Key Pair?
Or… just delete the Topic. Now nobody knows what you’re doing :-)
38. What Can I Do With This AWS Key Pair?
Config service has rules. You’ll see why CloudTrail is important
39. What Can I Do With This AWS Key Pair?
We can list the config rules of course (for every region):
40. What Can I Do With This AWS Key Pair?
But what about deleting rules? Yeah, we’ve got that too :-)
41. What Can I Do With This AWS Key Pair?
Or just delete the whole recording altogether - BEFORE
42. What Can I Do With This AWS Key Pair?
Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...
43. What Can I Do With This AWS Key Pair?
Now, delete it :-)
44. What Can I Do With This AWS Key Pair?
Welp, no more Config alerts… or Config at all, really
45. What Can I Do With This AWS Key Pair?
IAM_Pwn
Found a key with IAM/Root? Let’s automate the takeover / make backdoor accounts
46. What Can I Do With This AWS Key Pair?
IAM_Pwn demo
47. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - List users
48. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - User details IAM console
49. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - delete MFA device
50. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - change console password
51. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - create access/secret key
52. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - delete access/secret key
53. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - make backdoor account
54. What Can I Do With This AWS Key Pair?
IAM_Pwn (recap)
Deleted 2FA
Add console user / add new keys
Backdoor admin user
Hack all the thingz
55. What Can I Do With This AWS Key Pair?
IAM_Pwn (story time)
Made backdoor account in pentest, proved lack of logging and policy
enforcement
56. What Can I Do With This AWS Key Pair?
Logging / IR
57. What Can I Do With This AWS Key Pair?
Lambda - list_functions
58. What Can I Do With This AWS Key Pair?
Lambda - get_function
59. What Can I Do With This AWS Key Pair?
Thankfully, lambda serverless arch and KMS means no more creds in code right?
60. What Can I Do With This AWS Key Pair?
Nope :-)
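The reason the answer is “Nope” is that Lambda's KMS encryption only protects environment variables at rest: any principal allowed to call get_function or get_function_configuration reads them back decrypted. The check below is an added example (not WeirdAAL code) that a defender can run over function configurations to find exactly what those slides find; it takes input shaped like boto3's get_function_configuration response (FunctionName plus Environment.Variables), and the function configurations and values in it are constructed.

```python
"""Flag plaintext credentials in Lambda environment variables.

Added example, not WeirdAAL code. Input is shaped like boto3's
lambda get_function_configuration response; the configurations below
are constructed. The key id and secret values are made-up placeholders.
"""
import re

# An AWS access key id is "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Variable names that usually hold a credential.
SECRET_NAME_RE = re.compile(r"secret|passw|token|api_?key|private_?key", re.I)


def _looks_like_reference(value: str) -> bool:
    """True for values that point at a secret store (an ARN), are plain
    numbers (TTLs, sizes) or are empty: none of those hold the secret itself."""
    return value.startswith("arn:aws:") or value.isdigit() or not value.strip()


def find_env_secrets(function_configs):
    """Return (FunctionName, variable, reason) for every suspicious variable."""
    findings = []
    for cfg in function_configs:
        variables = cfg.get("Environment", {}).get("Variables", {})
        for name, value in variables.items():
            if AWS_KEY_ID_RE.search(value):
                findings.append((cfg["FunctionName"], name, "aws-access-key-id"))
            elif SECRET_NAME_RE.search(name) and not _looks_like_reference(value):
                findings.append((cfg["FunctionName"], name, "secret-like-name"))
    return findings


# Constructed sample configurations.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "Environment": {"Variables": {
        "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE012345678",          # placeholder key id
        "AWS_SECRET_ACCESS_KEY": "EXAMPLEsecretKEYvalue/NotARealOne",
        "DB_PASSWORD": "hunter2",
        "TABLE_NAME": "orders",
    }}},
    {"FunctionName": "image-resizer", "Environment": {"Variables": {
        "LOG_LEVEL": "info", "MAX_PIXELS": "4000000",
    }}},
    {"FunctionName": "billing-sync", "Environment": {"Variables": {
        # A Secrets Manager ARN is the right way to do it: not flagged.
        "API_KEY_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:billing-api-key",
        "SESSION_TOKEN_TTL": "3600",
    }}},
    {"FunctionName": "no-env"},
]

if __name__ == "__main__":
    for fn, var, reason in find_env_secrets(SAMPLE_FUNCTIONS):
        print(f"{fn}: {var} ({reason})")
```

Against a live account the same function would be fed the configurations returned by paginating list_functions and calling get_function_configuration on each; the point of the reference check is that a variable named API_KEY_ARN holding a Secrets Manager ARN is the pattern you want to see, not a finding.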
61. What Can I Do With This AWS Key Pair?
Lambda
http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code
63. What Can I Do With This AWS Key Pair?
Stop Cloudtrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594)
Identify existing CloudTrail trails
64. What Can I Do With This AWS Key Pair?
Stop Cloudtrail logging
Use TrailARN to stop CloudTrail with stop_logging function
65. What Can I Do With This AWS Key Pair?
Delete Cloudtrail Trail
Use TrailARN to delete the CloudTrail trail with the delete_trail function
66. What Can I Do With This AWS Key Pair?
Delete Cloudtrail Trail
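Every step the SNS, Config, IAM_Pwn, Lambda and CloudTrail slides walk through is a single API call that CloudTrail records (until the trail itself is stopped, which is why StopLogging and DeleteTrail are the records to alert on first). The following is an added example (not WeirdAAL code) of a triage pass over CloudTrail records that flags those calls plus any use of root credentials; it assumes the standard CloudTrail record layout, matches Lambda by prefix because CloudTrail appends an API version to Lambda event names, and uses constructed events with the AWS documentation's example account id.

```python
"""Triage CloudTrail records for logging/monitoring tampering and IAM takeover.

Added example, not WeirdAAL code. Assumes the standard CloudTrail record
layout (eventTime, eventSource, eventName, errorCode, userIdentity); the
events, user ARNs and account id below are constructed.
"""

# eventSource -> eventNames that warrant an alert. Lambda is matched by
# prefix below because CloudTrail records its calls with an API version
# suffix (for example UpdateFunctionCode20150331v2).
WATCHLIST = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "config.amazonaws.com": {"DeleteConfigurationRecorder", "StopConfigurationRecorder",
                             "DeleteConfigRule", "DeleteDeliveryChannel"},
    "sns.amazonaws.com": {"DeleteTopic", "Unsubscribe"},
    "iam.amazonaws.com": {"DeactivateMFADevice", "DeleteVirtualMFADevice", "CreateUser",
                          "CreateLoginProfile", "UpdateLoginProfile", "CreateAccessKey",
                          "AttachUserPolicy", "PutUserPolicy"},
}
LAMBDA_PREFIXES = ("UpdateFunctionCode", "UpdateFunctionConfiguration")


def _event(time, source, name, actor_type, actor, error=None):
    """Build a minimal constructed CloudTrail record."""
    ev = {"eventTime": time, "eventSource": f"{source}.amazonaws.com",
          "eventName": name, "userIdentity": {"type": actor_type, "arn": actor}}
    if error:
        ev["errorCode"] = error
    return ev


USER = "arn:aws:iam::123456789012:user/demo"   # constructed
ROOT = "arn:aws:iam::123456789012:root"        # constructed

SAMPLE_EVENTS = [
    _event("2018-06-01T11:00:00Z", "cloudtrail", "StopLogging", "IAMUser", USER),
    _event("2018-06-01T11:00:05Z", "config", "DeleteConfigurationRecorder", "IAMUser", USER),
    _event("2018-06-01T11:00:10Z", "iam", "DeactivateMFADevice", "IAMUser", USER, "AccessDenied"),
    _event("2018-06-01T11:00:15Z", "ec2", "DescribeInstances", "Root", ROOT),
    _event("2018-06-01T11:00:20Z", "dynamodb", "ListTables", "IAMUser", USER),
    _event("2018-06-01T11:00:25Z", "lambda", "UpdateFunctionCode20150331v2", "IAMUser", USER),
]


def triage(events):
    """Return one alert dict per record that hits the watchlist or uses root.
    Denied attempts are kept too: a failed StopLogging is still a signal."""
    alerts = []
    for ev in events:
        src = ev.get("eventSource", "")
        name = ev.get("eventName", "")
        identity = ev.get("userIdentity", {})
        watched = name in WATCHLIST.get(src, set()) or (
            src == "lambda.amazonaws.com" and name.startswith(LAMBDA_PREFIXES))
        root = identity.get("type") == "Root"
        if not (watched or root):
            continue
        reasons = [r for r, on in (("watchlist-api", watched), ("root-key-use", root)) if on]
        alerts.append({
            "time": ev.get("eventTime"),
            "api": f"{src}:{name}",
            "actor": identity.get("arn", "<unknown>"),
            "outcome": "attempted" if ev.get("errorCode") else "succeeded",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['time']} {a['outcome']:9} {a['api']} by {a['actor']} [{', '.join(a['reasons'])}]")
```

Because the trail can be stopped by the very call this code looks for, the records have to reach the alerting pipeline before the attacker gets that far: ship CloudTrail to a log bucket or CloudWatch Logs in a separate account the compromised key cannot touch, and treat a gap in delivery as an alert of its own.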
67. What Can I Do With This AWS Key Pair?
Logging / IR
68. What Can I Do With This AWS Key Pair?
EC2 get_console_screenshot
69. What Can I Do With This AWS Key Pair?
EC2 get_console_screenshot
70. What Can I Do With This AWS Key Pair?
EC2 get_console_output
71. What Can I Do With This AWS Key Pair?
EC2 get_console_output
72. What Can I Do With This AWS Key Pair?
EC2 get_console_output_all
73. What Can I Do With This AWS Key Pair?
EC2 & Lucidcharts
74. What Can I Do With This AWS Key Pair?
EC2 & Lucidcharts
75. What Can I Do With This AWS Key Pair?
Just plain mean…. ec2_stop_instances
76. Useful Functions & Libs
Grew tired of stackoverflowing everything
Ideally, grab useful functions and throw together a quick python script to knock out your task
Uses libs for actions that need more control/finesse/data passed
78. Useful Functions & Libs
Used WeirdAAL at work to get public EC2 instances quickly so we can do external pentesting
- impossible to know otherwise given the large range of AWS IP space
81. WeirdAAL - GCP
Third Goal:
3. Be a repository of useful functions (offensive & defensive) to interact with GCP services.
82. WeirdAAL - GCP
Documentation SUCKS
Take in a service account keyfile (json)
Brute force which services that keyfile has access to
libs/modules structure is/will be the same
Currently a separate branch while we tidy it up
https://github.com/carnal0wnage/weirdAAL/tree/gcp_testing
88. Contact Info
Chris Gates (Twitter: @carnal0wnage)
Ken Johnson (Twitter: @cktricky)
Slides: https://tinyurl.com/weirdAAL
Code: https://github.com/carnal0wnage/weirdAAL