Automated analysis of AWS infrastructures Supervisor: Cedric van - - PowerPoint PPT Presentation

Peter Bennink 3rd of July, 2018

Automated analysis of AWS infrastructures

Supervisor: Cedric van Bockhaven - MSc System & Network Engineering

Peter Bennink 3rd of July, 2018

2

“... a secure cloud services platform, offering compute power, database storage, content delivery and other functionality …”

Background

Peter Bennink 3rd of July, 2018

3

EC2 (Elastic Compute Cloud) RDS (Relational Database Service) S3 (Simple Storage Service)

Background

Peter Bennink 3rd of July, 2018

4

VPC Security groups IAM

Background

Peter Bennink 3rd of July, 2018

5

VPC Security groups IAM

Background

Peter Bennink 3rd of July, 2018

6

IAM

• Access keys
• Policies
• Users
• Groups
• Roles

Background

Peter Bennink 3rd of July, 2018

7

IAM > Policies

• Effect (Allow/Deny)
• Action
• Resource

Background

Peter Bennink 3rd of July, 2018

Introduction

• You’ve infiltrated an AWS infrastructure, now what?
• Expanding access
• Knowledge of inaccessible components
• Visualization

8

Peter Bennink 3rd of July, 2018

9

Background

Bloodhound Active Directory

Peter Bennink 3rd of July, 2018 Research question

Given an infiltrated AWS component, what part of the related infrastructure would an automated tool be able to index?

10

Peter Bennink 3rd of July, 2018

11

1. Analysis 2. Development 3. Testing

Methodology

Peter Bennink 3rd of July, 2018

12

1. Analysis 2. Development 3. Testing

Methodology

Peter Bennink 3rd of July, 2018

13

IAM

• Resource-level permissions
• *:Describe*
• *:List*

Analysis

Peter Bennink 3rd of July, 2018

14

IAM > Policies

• Effect (Allow/Deny)
• Action
• Resource

Background

Peter Bennink 3rd of July, 2018

15

IAM

• Resource-level permissions
• *:Describe*
• *:List*

Analysis

Peter Bennink 3rd of July, 2018

16

Metadata server

• EC2
• 169.254.169.254

Analysis

Peter Bennink 3rd of July, 2018

Functionality

17

Metadata crawler

Captures everything on the metadata server… … including security credentials

Peter Bennink 3rd of July, 2018

Functionality

Permission bruteforcer

Checks what commands access keys can use

18

Infrastructure analyser

Uses access of key(s) to create mapping of infrastructure

Peter Bennink 3rd of July, 2018

19

Peter Bennink 3rd of July, 2018

Development

20

• Neo4j
• boto3
• py2neo

Peter Bennink 3rd of July, 2018

Conclusion

21

• Very useful for expanding

access & escalating privilege

• Resource-level permissions
• Diversity of keys more

important than privilege in terms of enumeration

https://gitlab.com/PeterBennink/aws-infrastructure-analysis

Peter Bennink 3rd of July, 2018

Discussion/Future work

22

Expandable in an infinite number of ways

Peter Bennink 3rd of July, 2018

Discussion/Future work

23

• Linkurious (visualization)

Expandable in an infinite number of ways

Peter Bennink 3rd of July, 2018

Discussion/Future work

24

• Linkurious (visualization)
• STS

Expandable in an infinite number of ways

Peter Bennink 3rd of July, 2018

Discussion/Future work

25

• Linkurious (visualization)
• STS
• More AWS services/commands

Expandable in an infinite number of ways

Peter Bennink 3rd of July, 2018

Discussion/Future work

26

• Linkurious (visualization)
• STS
• More AWS services/commands
• Automated infiltration

Expandable in an infinite number of ways

Peter Bennink 3rd of July, 2018

Discussion/Future work

27

• Linkurious (visualization)
• STS
• More AWS services/commands
• Automated infiltration
• Nmapping subnets

Expandable in an infinite number of ways

Peter Bennink 3rd of July, 2018

Discussion/Future work

28

• Linkurious (visualization)
• STS
• More AWS services/commands
• Automated infiltration
• Nmapping subnets
• Resource-level permission bruteforcer

Expandable in an infinite number of ways

Peter Bennink 3rd of July, 2018

Thank you. Any questions?

29 https://gitlab.com/PeterBennink/aws-infrastructure-analysis