21. WeirdAAL
Two Goals:
1. Answer what can I do with this AWS Keypair [blackbox]
2. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
22. WeirdAAL
Prior work
1. CG’s aws_interrogate (vaporware)
2. https://github.com/dagrz/aws_pwn & his medium posts
3. https://github.com/bchew/dynamodump
4. https://github.com/ThreatResponse/aws_ir
5. https://github.com/nccgroup/Scout2
23. Setup / Usage / Boto3
● Supports boto3 and aws credentials format
○ Using boto3 allows us to natively support STS tokens
○ Put your creds in .env folder in WeirdAAL home
24. Setup / Usage / Boto3
● Targets
○ Passes a -t (target) value to track your work
○ Can have multiple AWS keys in a target
● Modules
○ Modules passed via -m to do various tasks
○ python3 weirdAAL.py -m dynamodb_list_tables -t demo
○ Coverage for many services but not all (so far)
■ EC2, Lambda, s3, dynamodb, iam, etc
● Built in proxy support via boto3
25. What Can I Do With This AWS Key Pair?
AWS offers no easy way (blackbox)
If you have IAM you can look at running services manually or check billing.
Tedious & No Fun
(135 services in boto3 1.7.4)
26. What Can I Do With This AWS Key Pair?
Our solution, ask every service if we have permission to use it (recon_all)
27. What Can I Do With This AWS Key Pair?
Recon_all demo
28. What Can I Do With This AWS Key Pair?
Recon_all demo
30. What Can I Do With This AWS Key Pair?
Recon_all demo (recap)
Hit up every AWS service we can ask a generic* question to
* required no args or specifics about that account
Log to DB for use later and automation
Todo: Evasion? Timing? Does anyone look or care?
31. What Can I Do With This AWS Key Pair?
Recon_all demo (gotchas)
● Root keys that have invalid billing info give you:
“SubscriptionRequiredException” or “OptInRequired” boto3 errors
● Root keys that are in good standing give you everything available :-/
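The recon_all idea above (ask each service an argument-free question, log the answer, and do not mistake the billing gotchas for a denial), as an added example that is not WeirdAAL's own code. The PROBES table, the error-code sets and the default region are assumptions; boto3 is only needed for a live run, e.g. when triaging a key that turned up in a leak.

```python
# Added example, not WeirdAAL's own code: the recon_all idea as a small probe table.
# Only argument-free read calls are used; PROBES and the region are assumptions.
PROBES = [
    ("s3", "list_buckets"), ("ec2", "describe_instances"), ("lambda", "list_functions"),
    ("dynamodb", "list_tables"), ("iam", "list_users"), ("sns", "list_topics"),
    ("cloudtrail", "describe_trails"), ("config", "describe_configuration_recorders"),
]
DENIED = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation", "AuthorizationError"}
# The deck's gotcha: root keys with bad billing answer with these instead of a real yes/no.
BILLING = {"SubscriptionRequiredException", "OptInRequired"}

def classify(exc):
    """Map a probe exception to a status. Reads the botocore-style
    exc.response['Error']['Code'] duck-typed, so no botocore import is needed here."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
    if code in DENIED:
        return "denied"
    if code in BILLING:
        return "billing"  # account state, not a permission answer: don't log as denied
    return "error:" + (code or type(exc).__name__)

def probe(client, operation):
    """Call one argument-free operation; return (status, number of items returned)."""
    try:
        resp = getattr(client, operation)()
    except Exception as exc:  # botocore raises ClientError and subclasses
        return classify(exc), 0
    # the first list in the response body is the collection we just enumerated
    count = next((len(v) for v in resp.values() if isinstance(v, list)), 0)
    return "allowed", count

def recon_all(session, region="us-east-1"):
    """Run every probe with one boto3.Session and return rows for the deck's
    'log to DB' step: {"service:operation": (status, count)}."""
    return {f"{svc}:{op}": probe(session.client(svc, region_name=region), op)
            for svc, op in PROBES}

if __name__ == "__main__":
    import boto3  # live run only; keys come from the normal boto3 credential chain
    for key, (status, n) in sorted(recon_all(boto3.Session()).items()):
        print(f"{key:45s} {status:28s} {n}")
```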
33. What Can I Do With This AWS Key Pair?
In previous talks, we discussed monitoring. Now we show you how to burn all that to the ground.
34. What Can I Do With This AWS Key Pair?
Starting with SNS…
List topics
35. What Can I Do With This AWS Key Pair?
List subscribers to a topic
36. What Can I Do With This AWS Key Pair?
Or… just delete the Topic. Now nobody knows what you’re doing :-)
37. What Can I Do With This AWS Key Pair?
Config service has rules.
You’ll see why CloudTrail is important
38. What Can I Do With This AWS Key Pair?
We can list the config rules of course (for every region):
39. What Can I Do With This AWS Key Pair?
But what about deleting rules? Yeah, we’ve got that too :-)
40. What Can I Do With This AWS Key Pair?
Or just delete the whole recording altogether - BEFORE
41. What Can I Do With This AWS Key Pair?
Let’s go ahead and just delete Config’s recorder altogether, shall we? First list them...
42. What Can I Do With This AWS Key Pair?
Now, delete it :-)
43. What Can I Do With This AWS Key Pair?
Welp, no more Config alerts… or Config at all, really
44. What Can I Do With This AWS Key Pair?
IAM_Pwn
Found a key with IAM/Root? Let’s automate the takeover / make backdoor accounts
45. What Can I Do With This AWS Key Pair?
IAM_Pwn demo
46. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - List users
47. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - User details IAM console
48. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - delete MFA device
49. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - change console password
50. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - create access/secret key
51. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - delete access/secret key
52. What Can I Do With This AWS Key Pair?
IAM_Pwn demo - make backdoor account
53. What Can I Do With This AWS Key Pair?
IAM_Pwn (recap)
Deleted 2FA
Add console user / add new keys
Backdoor admin user
Hack all the thingz
54. What Can I Do With This AWS Key Pair?
IAM_Pwn (story time)
Made backdoor account in pentest, proved lack of logging and policy enforcement
55. What Can I Do With This AWS Key Pair?
Logging / IR
56. What Can I Do With This AWS Key Pair?
Lambda - list_functions
57. What Can I Do With This AWS Key Pair?
Lambda - get_function
58. What Can I Do With This AWS Key Pair?
Thankfully, Lambda serverless arch and KMS mean no more creds in code, right?
59. What Can I Do With This AWS Key Pair?
Nope :-)
60. What Can I Do With This AWS Key Pair?
Lambda
http://boto3.readthedocs.io/en/latest/reference/services/lambda.html#Lambda.Client.update_function_code
62. What Can I Do With This AWS Key Pair?
Stop Cloudtrail logging (ref: https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594)
Identify existing CloudTrail trails
63. What Can I Do With This AWS Key Pair?
Stop Cloudtrail logging
Use TrailARN to stop CloudTrail with stop_logging function
64. What Can I Do With This AWS Key Pair?
Delete Cloudtrail Trail
Use TrailARN to delete the trail with the delete_trail function
65. What Can I Do With This AWS Key Pair?
Delete Cloudtrail Trail
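The detection side of the SNS, Config, IAM_Pwn, Lambda update_function_code and CloudTrail slides above, as an added example that is not WeirdAAL code: triage CloudTrail records for the API calls those modules make and surface keys that fire several of them in a row. The WATCHLIST, the threshold and the sample records are constructed assumptions (real field and event names, made-up values).

```python
import re
from collections import Counter

# eventSource -> eventNames driven by the modules shown above (constructed watchlist).
WATCHLIST = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail"},
    "config.amazonaws.com": {"DeleteConfigRule", "DeleteConfigurationRecorder",
                             "StopConfigurationRecorder"},
    "sns.amazonaws.com": {"DeleteTopic", "Unsubscribe"},
    "iam.amazonaws.com": {"DeactivateMFADevice", "DeleteVirtualMFADevice", "CreateUser",
                          "CreateLoginProfile", "UpdateLoginProfile", "CreateAccessKey",
                          "AttachUserPolicy"},
    "lambda.amazonaws.com": {"UpdateFunctionCode"},
}

def normalize(name):
    """Strip the API-version suffix Lambda puts on eventName (UpdateFunctionCode20150331v2)."""
    return re.sub(r"\d{8}(v\d+)?$", "", name)

def triage(records):
    """One alert per watched call: who (ARN, access key, IP), what, and on which target."""
    alerts = []
    for r in records:
        src, name = r.get("eventSource", ""), normalize(r.get("eventName", ""))
        if name in WATCHLIST.get(src, ()):
            who = r.get("userIdentity", {})
            alerts.append({"time": r.get("eventTime"), "actor": who.get("arn"),
                           "key": who.get("accessKeyId"), "ip": r.get("sourceIPAddress"),
                           "call": src.split(".")[0] + ":" + name,
                           "target": r.get("requestParameters") or {}})
    return alerts

def noisy_keys(alerts, threshold=2):
    """Access keys behind more than `threshold` watched calls: what a scripted run looks like."""
    counts = Counter(a["key"] for a in alerts if a["key"])
    return {k: n for k, n in counts.items() if n > threshold}

def rec(src, name, key, params=None):
    """Constructed CloudTrail-style record: real field names, made-up values."""
    return {"eventTime": "2018-05-01T10:00:00Z", "eventSource": src, "eventName": name,
            "sourceIPAddress": "198.51.100.7", "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops", "accessKeyId": key}}

SAMPLE_RECORDS = [  # constructed sample, not real log data
    rec("ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLE00001"),
    rec("cloudtrail.amazonaws.com", "StopLogging", "AKIAEXAMPLE00001", {"name": "main"}),
    rec("config.amazonaws.com", "DeleteConfigurationRecorder", "AKIAEXAMPLE00001",
        {"configurationRecorderName": "default"}),
    rec("iam.amazonaws.com", "DeactivateMFADevice", "AKIAEXAMPLE00001", {"userName": "admin"}),
    rec("iam.amazonaws.com", "CreateUser", "AKIAEXAMPLE00001", {"userName": "svc-backup"}),
    rec("lambda.amazonaws.com", "GetFunction20150331v2", "AKIAEXAMPLE00002"),
]
```

StopLogging and DeleteTrail are themselves recorded before delivery ends, so they are the last signal a single trail gives; a second trail or an organization trail the key cannot reach is what keeps the later IAM_Pwn calls visible.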
66. What Can I Do With This AWS Key Pair?
Logging / IR
67. What Can I Do With This AWS Key Pair?
EC2 get_console_screenshot
68. What Can I Do With This AWS Key Pair?
EC2 get_console_screenshot
69. What Can I Do With This AWS Key Pair?
EC2 get_console_output
70. What Can I Do With This AWS Key Pair?
EC2 get_console_output
71. What Can I Do With This AWS Key Pair?
EC2 get_console_output_all
72. What Can I Do With This AWS Key Pair?
EC2 & Lucidcharts
73. What Can I Do With This AWS Key Pair?
EC2 & Lucidcharts
74. What Can I Do With This AWS Key Pair?
Just plain mean…. ec2_stop_instances
75. Useful Functions & Libs
Grew tired of stackoverflowing everything
Ideally, grab useful functions and throw together a quick python script to knock out your task
Uses libs for actions that need more control/finesse/data passed
77. Useful Functions & Libs
Used WeirdAAL at work to get public EC2 instances quickly so we can do external pentesting
- impossible to know given the large range of AWS IP space
80. Contact Info
Chris Gates - Twitter: @carnal0wnage
Ken Johnson - Twitter: @cktricky
Slides: https://www.slideshare.net/chrisgates
Code: https://github.com/carnal0wnage/weirdAAL