Hacking the Cloud
Gerald Steere – Microsoft C+E Red Team (@Darkpawh)
Sean Metcalf – CTO Trimarc (@pyrotek3)
Gerald Steere - @darkpawh
10+ years experience as a penetration tester and red team operator
Member of C+E Red Team since 2014
Speaker at BlueHat and Bsides Seattle
Spends work days happily smashing atoms in Azure
About Us
Sean Metcalf - @pyrotek3
Founder Trimarc, a security company.
Microsoft Certified Master (MCM) Directory Services
Speaker: Black Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon
Security Consultant / Security Researcher
Own & Operate ADSecurity.org
(Microsoft platform security info)
Cloud FTW!
What’s in it for me?
Staying clean while being mean
Buzzword bingo with cloud lingo
Pathfinding, recon, and targeting in multiple dimensions
Currency exchange – what do I do with all these hashes?
Happy fun exploit time (with demos)
Countermeasures and proper protection
Cloud? Who cares!
What’s in it for me?
Cloud matters for business
Your client probably uses it, whether you (or they) realize it or not
Many traditional techniques do not work
Same concepts but new ways of thinking
When we last saw our intrepid red team
Hired to red team SithCo
Have domain admin on a subsidiary domain
SithCo uses public cloud resources to host web applications
Hacker Quest
How do we leverage access to get into SithCo corporate?
Staying clean while being mean
Cause pissing off The Net is bad for business
Can I really go after my client’s cloud deployments?
We are not lawyers.
If you’re a professional you need one of those to talk to ALWAYS.
Staying Clean
Lawful Evil is a perfectly valid alignment
Scope & Access will be more limited
Spell out enforced limitations in your reporting
Cloud providers typically require an approval process be followed
Attacking Azure, AWS, or Google Cloud Deployments
Requires preapproval by account owner (Azure and AWS)
Standard Rules of Engagement (RoE) stuff
Limited to customer owned resources
No DoS
Can include attempts to break isolation (Azure)
Buzzword Bingo
Do you have your card ready?
Accessibility modifiers
Public cloud
Private cloud
Hybrid cloud
Buzzword Bingo
https://www.stickermule.com/marketplace/3442-there-is-no-cloud
All the aaS
Albert Barron – https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service
It’s not domain, but it’s still admin
Cloud assets are managed under an account or subscription
Getting access to that layer is often equivalent to DA
CloudOS - Same ideas, different words
On-premises term -> cloud equivalent:
Server -> Services
Domain -> Subscription
Domain Admin -> Subscription Admin
Pass the Hash -> Credential Pivot
Private IPs -> Public IPs
RDP / SSH -> Management APIs
Faust and Johnson – Cloud Post Exploitation Techniques, Infiltrate 2017 https://vimeo.com/214855977
Where’s the data?
Cloud services rely on data storage for nearly everything
How is data stored in the cloud?
Do I need to attack the service or is the data my real goal?
Image: ©MITRE
SithCo’s app hosting
What are we looking at?
Pathfinding, recon, and targeting in multiple dimensions
How do I figure out I even need to look at the cloud?
Identifying Cloud Deployments
In the public cloud, DNS is your best friend
Pathfinding
Cloud Recon: DNS MX Records
• Microsoft Office 365: DOMAIN-COM.mail.protection.outlook.com
• Google Apps (G Suite): *.google.com OR *.googlemail.com
• Proofpoint (pphosted)
• Cisco Email Security (iphmx)
• Cyren (ctmail)
• GoDaddy (secureserver)
• CSC (cscdns)
Cloud Recon: DNS TXT Records
MS = Microsoft Office 365
Google-Site-Verification = G Suite
Amazonses = Amazon Simple Email
OSIAGENTREGURL = Symantec MDM
AzureWebsites = Microsoft Azure
Paychex = Paychex financial services
Docusign = Docusign digital signatures
Atlassian-* = Atlassian services
Cloud Recon: SPF Records
SalesForce (salesforce.com, pardot.com, & exacttarget.com)
MailChimp (mcsv.net)
Mandrill (MailChimp paid app)
Q4Press (document collaboration)
Zendesk (support ticket)
Oracle Marketing (Eloqua.com)
Constant Contact (email marketing)
Postmark (mtasv.net)
Discover Federation Servers
No standard naming for FS.
DNS query for:
• adfs
• auth
• fs
• okta
• ping
• sso
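The DNS checks on the preceding slides (MX, TXT, SPF, and the federation host names), worked as an added example rather than code from the talk: a small Python classifier that maps MX exchanges, TXT verification tokens and SPF include: domains to the providers the slides list, then tries the federation prefixes against a resolver callback. The SithCo domain, its records and the 203.0.113.10 address are constructed for the example; the protection.outlook.com SPF entry is added beyond the slide's list.

```python
"""Fingerprint a target's cloud services from the MX, TXT and SPF indicators on
the slides.  Added example, not code from the talk; it runs offline on records
pulled with dig/nslookup (or the constructed sample below)."""

# MX exchange hostname substrings from the slides (lowercase).
MX_SIGNATURES = {
    "mail.protection.outlook.com": "Microsoft Office 365", ".google.com": "Google Apps (G Suite)",
    ".googlemail.com": "Google Apps (G Suite)", "pphosted": "Proofpoint",
    "iphmx": "Cisco Email Security", "ctmail": "Cyren",
    "secureserver": "GoDaddy", "cscdns": "CSC",
}
# TXT domain-verification prefixes from the slides (lowercase).
TXT_SIGNATURES = {
    "ms=": "Microsoft Office 365", "google-site-verification=": "G Suite",
    "amazonses:": "Amazon SES", "osiagentregurl": "Symantec MDM",
    "azurewebsites": "Microsoft Azure", "paychex": "Paychex",
    "docusign=": "DocuSign", "atlassian-": "Atlassian",
}
# Domains named by SPF include:/a:/mx: mechanisms.  The slides list these;
# protection.outlook.com is added here for Exchange Online Protection.
SPF_SIGNATURES = {
    "salesforce.com": "Salesforce", "pardot.com": "Salesforce (Pardot)",
    "exacttarget.com": "Salesforce (ExactTarget)", "mcsv.net": "MailChimp",
    "eloqua.com": "Oracle Marketing (Eloqua)", "mtasv.net": "Postmark",
    "protection.outlook.com": "Microsoft Office 365",
}
# Federation host prefixes from the slides; there is no standard name.
FEDERATION_PREFIXES = ("adfs", "auth", "fs", "okta", "ping", "sso")

def _clean(record):
    """Lowercase and strip the quotes dig prints around TXT strings."""
    return record.strip().strip('"').lower()

def classify_mx(exchanges):
    """Providers implied by MX exchange hostnames."""
    hits = set()
    for host in (_clean(mx).rstrip(".") for mx in exchanges):
        hits.update(p for needle, p in MX_SIGNATURES.items() if needle in host)
    return hits

def classify_txt(txt_records):
    """Providers implied by verification-token TXT records."""
    hits = set()
    for rec in map(_clean, txt_records):
        hits.update(p for prefix, p in TXT_SIGNATURES.items() if rec.startswith(prefix))
    return hits

def spf_domains(txt_records):
    """Domains named by SPF include:/a:/mx:/exists: mechanisms and redirect=."""
    domains = []
    for rec in map(_clean, txt_records):
        if not rec.startswith("v=spf1"):
            continue
        for token in rec.split()[1:]:
            token = token.lstrip("+-~?")  # drop the qualifier
            if token.startswith("redirect="):
                domains.append(token[len("redirect="):])
                continue
            mech, sep, arg = token.partition(":")
            if sep and mech in ("include", "a", "mx", "exists"):
                domains.append(arg.split("/")[0])  # drop any CIDR suffix
    return domains

def classify_spf(txt_records):
    """Third-party senders the target authorises through SPF."""
    hits = set()
    for dom in spf_domains(txt_records):
        hits.update(p for sig, p in SPF_SIGNATURES.items()
                    if dom == sig or dom.endswith("." + sig))
    return hits

def find_federation_hosts(domain, resolve):
    """Try the slide's prefixes; resolve(host) is truthy when the name exists
    (wrap socket.gethostbyname for live use; a dict's .get works offline)."""
    return [h for h in (f"{p}.{domain}" for p in FEDERATION_PREFIXES) if resolve(h)]

# Constructed SithCo sample: the .example TLD and 203.0.113.0/24 are reserved
# for documentation, and nothing here was looked up.
SAMPLE_DOMAIN = "sithco.example"
SAMPLE_MX = ["sithco-example.mail.protection.outlook.com."]
SAMPLE_TXT = [
    '"MS=ms12345678"',
    '"google-site-verification=AbCdEf0123456789"',
    '"docusign=0a1b2c3d-0000-4000-8000-000000000000"',
    '"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com '
    'include:servers.mcsv.net -all"',
]
SAMPLE_DNS = {"adfs.sithco.example": "203.0.113.10"}

if __name__ == "__main__":
    print("mail:", sorted(classify_mx(SAMPLE_MX)))
    print("verification:", sorted(classify_txt(SAMPLE_TXT)))
    print("spf:", sorted(classify_spf(SAMPLE_TXT)))
    print("federation:", find_federation_hosts(SAMPLE_DOMAIN, SAMPLE_DNS.get))
```

Feed it the raw strings dig prints for the target's MX and TXT records; the SPF parser deliberately follows redirect= and include: arguments, because third-party senders usually hide one level down (for example _spf.salesforce.com rather than salesforce.com).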
Federation Web Page Detail
OWA Version Discovery
Check for autodiscover subdomain (autodiscover.domain.com)
Connect to autodiscover web page (https://autodiscover.domain.com)
Copyright date effectively provides Exchange version:
2006 = Microsoft Exchange 2007
Cloud and Federation
Attackers go after Identity since that provides access to resources.
Modern auth
Cloud authentication and authorization is typically independent from the on-premises domain, though Federation may provide a path…
How you authenticate will depend on the specific cloud provider
More Buzzword Bingo:
• OAUTH
• OpenID
• SAML
• WS-Federation
• WS-Trust
Identity
ADFS Federation Server Config
Federation server typically lives on the internal network with a proxy server in the DMZ.
Certificates installed on Federation server
Service communication
Token-decrypting
Token-signing
Relying party trusts: cloud services and applications
Claim rules: determine what type of access and from where access is allowed.
Federation Key Points
Federation: trust between organizations leveraging PKI (certificates matter)
Cloud SSO often leverages temporary or persistent browser cookies (cookies provide access)
Several protocols may be supported, though typically SAML. (protocols and versions matter)
Federation server (or proxy) is on public internet via port 443 (HTTPS).
How to steal identities – federated style
Federation is effectively Cloud Kerberos.
Own the Federation server, own organizational cloud services.
Token & Signing certificates ~= KRBTGT (think Golden Tickets)
Steal federation certificates to spoof access tokens (Mimikatz fun later).
On-Premises Cloud Components
How do we get those identities into the cloud anyways?
Active Directory & the Cloud
Active Directory provides Single Sign On (SSO) to cloud services.
Some directory sync tools synchronize all users and their attributes to cloud service(s).
Most sync engines only require AD user rights to send user and group information to the cloud service.
Most organizations aren’t aware of all cloud services active in their environment.
Express Permissions for Azure AD Connect
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
Custom Permissions for Azure AD Connect
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
Currency exchange – what do I do with all these hashes?
I never liked buying tokens, but that’s all these things take
Spending our hoard
I’ve got all these hashes and nowhere to go
No matter how many times you’ve popped the KRBTGT account, your cloud provider really doesn’t care
Currency exchange
Creds, creds never change
Certificates, certificates, certificates!
Popping dev boxes has never been more productive
You do know mimikatz can also export certificates, right?
What is old is new again
Password Spraying involves attempting authentication with a single password against all users before moving on to the next password.
Works against Cloud services: email, IM, etc.
Low & Slow: 1 to 2 per hour
Often works against VPN as well.
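What the spray pattern above looks like from the defender's side, as an added example that is not part of the talk: detection logic run over constructed authentication log lines that separates a low-and-slow spray (many accounts, one or two attempts each, from one source, spread over hours) from a plain brute force against a single account. The log format, the user names and the RFC 5737 test addresses are all made up for the example.

```python
"""Flag password spraying in authentication logs: one password tried against
many accounts, often from one source, slowly enough to dodge lockout.
Added example, not from the talk; the log format is a constructed one."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format: "<ISO-8601 UTC> auth FAIL|SUCCESS user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>FAIL|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"].lower(), "src": m["src"]}

def detect_spray(lines, window_hours=24, min_users=8, max_per_user=2):
    """Sources whose failures inside any window of `window_hours` cover at least
    `min_users` distinct accounts with no more than `max_per_user` attempts each.
    A brute force against one account fails the second test and is not reported.
    Returns {src: sorted list of targeted users}."""
    window = timedelta(hours=window_hours)
    failures = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = defaultdict(set)
    for src, evs in failures.items():
        evs.sort()
        for i, (t_end, _) in enumerate(evs):
            per_user = defaultdict(int)
            for t, user in evs[: i + 1]:
                if t >= t_end - window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src].update(per_user)
    return {src: sorted(users) for src, users in flagged.items()}

def constructed_log():
    """Constructed sample: one low-and-slow spray, one noisy brute force,
    and a legitimate user mistyping once.  Addresses are RFC 5737 test nets."""
    start = datetime(2017, 7, 28, 0, 0, 0, tzinfo=timezone.utc)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    lines = []
    # Spray from 198.51.100.7: one attempt per user, about one per hour.
    for i, user in enumerate(users):
        t = start + timedelta(hours=i, minutes=7)
        lines.append(f"{t.strftime(TS_FMT)} auth FAIL user={user} src=198.51.100.7")
    # Brute force from 203.0.113.5: fifteen attempts on bob within two minutes.
    for i in range(15):
        t = start + timedelta(hours=3, seconds=8 * i)
        lines.append(f"{t.strftime(TS_FMT)} auth FAIL user=bob src=203.0.113.5")
    # Carol mistypes once, then logs in from her own address.
    t = start + timedelta(hours=1)
    lines.append(f"{t.strftime(TS_FMT)} auth FAIL user=carol src=192.0.2.20")
    lines.append(f"{(t + timedelta(minutes=1)).strftime(TS_FMT)} auth SUCCESS user=carol src=192.0.2.20")
    return sorted(lines)  # timestamps in this format sort lexically

SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible spray from {src}: {len(users)} accounts ({', '.join(users)})")
```

The window has to be long (a day, not minutes) precisely because the attacker runs at one or two attempts per hour; per-source counters that reset every few minutes never see the pattern. Sprays from many source addresses, or against a federation endpoint the logs do not cover, still need the per-user view on the cloud side.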
Password spraying tools
OWA-Toolkit: https://github.com/johnnyDEP/OWA-Toolkit
MailSniper: Invoke-PasswordSprayOWA
https://github.com/dafthack/MailSniper
Patator: https://github.com/lanjelot/patator
LyncSniper: https://github.com/mdsecresearch/LyncSniper
https://www.mdsec.co.uk/2017/04/penetration-testing-skype-for-business-exploiting-the-missing-lync/
The authors have not evaluated these tools. Always test before use.
DevOops
DevOps probably has what you are looking for
API keys and shared secrets for the win
Source code access for fun and profit
How are these deployments done anyways?
Where Are API Keys? GitHub!
https://hackernoon.com/how-to-use-environment-variables-keep-your-secret-keys-safe-secure-8b1a7877d69c
https://github.com/jjenkins/node-amazon-ses/issues/9
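How those keys get found in a repository, as an added example rather than the slides' own tooling: a scanner over source text that flags AWS access key IDs, Azure storage AccountKey= values and PEM private keys by fixed pattern, and other assigned secrets by a keyword plus Shannon-entropy check. The config.js it scans is constructed; its AWS pair is Amazon's documented example key and its Azure key is the published storage-emulator key, so none of it opens anything. The same check answers the countermeasure slide later in the deck (not storing access keys in Git) when run before a commit.

```python
"""Scan source text for committed cloud credentials.  Added example, not from
the talk: fixed patterns for AWS access key IDs, Azure storage account keys and
PEM private keys, plus a keyword-and-entropy check for other assigned secrets."""
import math
import re
from collections import Counter

# Fixed-format secrets.  A capture group, when present, is the value reported.
SIGNATURES = [
    ("AWS access key ID", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("Azure storage account key", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# key = "value" / key: "value" with a secret-looking name and a quoted value.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(secret(?:_?access)?_?key|api[_-]?key|password|passwd|token|client_secret)\b"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
# Values that are references or placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"(?i)process\.env|os\.environ|\$\{|<[^>]+>|changeme|your[_-]")

def shannon_entropy(value):
    """Bits per character; random keys sit well above 3.5, words and padding below."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def scan_text(text, entropy_threshold=3.5):
    """Return (line_number, kind, value) for every hit in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in SIGNATURES:
            for m in rx.finditer(line):
                findings.append((lineno, kind, m.group(m.lastindex or 0)))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if PLACEHOLDER.search(value) or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((lineno, f"high-entropy value assigned to {name}", value))
    return findings

def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

# Constructed config.js as it might be pushed to a public repo.  The AWS pair is
# Amazon's documented example key; the AccountKey is the published Azure storage
# emulator key.  Neither grants access to anything.
SAMPLE_SOURCE = """\
// constructed config.js committed to a public repo
module.exports = {
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  storage: "DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;EndpointSuffix=core.windows.net",
  dbPassword: process.env.DB_PASSWORD,
  token: "${DEPLOYMENT_TOKEN}",
  api_key: "your-api-key-here-please",
  password: "aaaaaaaaaaaaaaaaaaaa",
};
const pem = `-----BEGIN RSA PRIVATE KEY-----
(key material omitted from this constructed sample)
-----END RSA PRIVATE KEY-----`;
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for lineno, kind, value in scan_file(path):
                print(f"{path}:{lineno}: {kind}: {value}")
    else:
        for lineno, kind, value in scan_text(SAMPLE_SOURCE):
            print(f"sample:{lineno}: {kind}: {value}")
```

The fixed patterns are the high-confidence hits; the entropy check is what catches the 40-character AWS secret that has no recognisable prefix, and the placeholder filter is what keeps `process.env.X` and `${X}` references out of the report. Run it over `git diff --cached` output in a pre-commit hook and the key never reaches the remote.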
The circle of access
Access between on-premises and cloud deployments is often a two-way street
On-premises -> cloud typically involves identifying credentials
Is there a way back?
Are there shared authentication methods?
The circle of access
What is the likelihood this cloud service needs to access resources from on-premises?
Happy fun exploit time
Pray to the demo gods, pray I say!
Demo stuff here
There should be a fun live demo here if everything goes right
Countermeasures and proper protection
Closing my eyes and hoping it goes away isn’t going to work, is it?
Giving useful advice
Telling your client to close up shop and move back into the basement is probably a non-starter
Clouds do provide real business benefits and can improve security when done right
How can the “cloud” be secured?
Countermeasures
Giving useful advice: The Basics
Properly handle, store, and manage credentials and secrets
You aren’t storing those access keys in Git, are you?
Clouds do provide managed secret stores
Make it easy for DevOps to do the right thing
Enforce MFA on all accounts
If it can’t have MFA, limit it as much as possible and monitor it
Giving useful advice: Securing Federation
Protect Federation servers at the same level as Domain Controllers.
Use a proxy server to limit communication directly with the federation server inside the network.
Audit cloud authentication by logging Federation auth events & send to SIEM.
Enable multifactor authentication for all admin accounts & preferably all cloud accounts.
Control Cloud authentication via Federation rules.
Example:
Internal network access provides single sign-on
External access requires username, password, and two-factor authentication
Giving useful advice
Many of the basics remain the same
Least privilege is key and poorly understood in many cloud implementations
Least access: use the security features provided by the cloud
Credential management is hard in a connected world – this is a massive opportunity for attackers
Monitoring and alerting
It’s not just for your network any more
Defenders need to work with DevOps to make sure that cloud resources and data are considered in defensive designs
Different cloud providers provide different tools for managing security
Defenders must be familiar with the tools from the cloud providers used by their client
Log collection and management needs to include cloud assets
You do know what your assets are, right?
Assume breach!
Conclusion
Are we there yet?
References
Infiltrate 2017: Cloud Post Exploitation Techniques - Andrew Johnson & Sacha Faust https://vimeo.com/214855977
Azure Security: https://portal.msrc.microsoft.com/en-us/engage/pentest
AWS Security: https://aws.amazon.com/security/penetration-testing/
Google Cloud Security: https://cloud.google.com/security/
MailSniper: https://github.com/dafthack/MailSniper
Patator: https://github.com/lanjelot/patator

DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
