Peter Bennink 3rd of July, 2018 MSc System & Network Engineering Automated analysis of AWS infrastructures Supervisor: Cedric van Bockhaven -
Peter Bennink 3rd of July, 2018 Background “... a secure cloud services platform, offering compute power, database storage, content delivery and other functionality …” 2
Peter Bennink 3rd of July, 2018 Background EC2 (Elastic Compute Cloud) RDS (Relational Database Service) S3 (Simple Storage Service) 3
Peter Bennink 3rd of July, 2018 Background VPC Security groups IAM 4
Peter Bennink 3rd of July, 2018 Background VPC Security groups IAM 5
Peter Bennink 3rd of July, 2018 Background IAM - Access keys - Policies - Users - Groups - Roles 6
Peter Bennink 3rd of July, 2018 Background IAM > Policies - Effect (Allow/Deny) - Action - Resource 7
Peter Bennink 3rd of July, 2018 Introduction - You’ve infiltrated an AWS infrastructure, now what? - Expanding access - Knowledge of inaccessible components - Visualization 8
Peter Bennink 3rd of July, 2018 Background Bloodhound Active Directory 9
Peter Bennink 3rd of July, 2018 Research question Given an infiltrated AWS component, what part of the related infrastructure would an automated tool be able to index? 10
Peter Bennink 3rd of July, 2018 Methodology 1. Analysis 2. Development 3. Testing 11
Peter Bennink 3rd of July, 2018 Methodology 1. Analysis 2. Development 3. Testing 12
Peter Bennink 3rd of July, 2018 Analysis IAM - Resource-level permissions - *:Describe* - *:List* 13
Peter Bennink 3rd of July, 2018 Background IAM > Policies - Effect (Allow/Deny) - Action - Resource 14
Peter Bennink 3rd of July, 2018 Analysis IAM - Resource-level permissions - *:Describe* - *:List* 15
Peter Bennink 3rd of July, 2018 Analysis Metadata server - EC2 - 169.254.169.254 16
Peter Bennink 3rd of July, 2018 Functionality Metadata crawler Captures everything on the metadata server… … including security credentials 17
Peter Bennink 3rd of July, 2018 Functionality Permission bruteforcer Infrastructure analyser Checks what commands Uses access of key(s) to create access keys can use mapping of infrastructure 18
Peter Bennink 3rd of July, 2018 19
Peter Bennink 3rd of July, 2018 Development - Neo4j - boto3 - py2neo 20
Peter Bennink 3rd of July, 2018 Conclusion - Very useful for expanding - Diversity of keys more access & escalating privilege important than privilege in - Resource-level permissions terms of enumeration https://gitlab.com/PeterBennink/aws-infrastructure-analysis 21
Peter Bennink 3rd of July, 2018 Discussion/Future work Expandable in an infinite number of ways 22
Peter Bennink 3rd of July, 2018 - Linkurious (visualization) Discussion/Future work Expandable in an infinite number of ways 23
Peter Bennink 3rd of July, 2018 - Linkurious (visualization) Discussion/Future work - STS Expandable in an infinite number of ways 24
Peter Bennink 3rd of July, 2018 - Linkurious (visualization) Discussion/Future work - STS - More AWS services/commands Expandable in an infinite number of ways 25
Peter Bennink 3rd of July, 2018 - Linkurious (visualization) Discussion/Future work - STS - More AWS services/commands - Automated infiltration Expandable in an infinite number of ways 26
Peter Bennink 3rd of July, 2018 - Linkurious (visualization) Discussion/Future work - STS - More AWS services/commands - Automated infiltration Expandable in an infinite number of ways - Nmapping subnets 27
Peter Bennink 3rd of July, 2018 - Linkurious (visualization) Discussion/Future work - STS - More AWS services/commands - Automated infiltration Expandable in an infinite number of ways - Nmapping subnets - Resource-level permission bruteforcer 28
Peter Bennink 3rd of July, 2018 Thank you. Any questions? https://gitlab.com/PeterBennink/aws-infrastructure-analysis 29
Recommend
More recommend