WS - 5
Attacking Applications and Servers on AWS
Workshop Objective:
Amazon Web Services (AWS) is one of the most popular cloud services. There is a need for security testers, Cloud/IT admins and people tasked with the role of DevSecOps to learn how to effectively attack and test their cloud infrastructure. In this training we will cover attack approaches, creating your attack arsenal in the cloud, and a distilled deep dive into AWS services and concepts that should be used for security.
The training is meant to be a hands-on training with guided walkthroughs, scenario-based attacks, and coverage of tools that can be used for attacking and auditing. Due to the attack-focused nature of the training, we will not be spending a lot of time on security architecture, defence in depth etc. While mitigations will be covered, we will point to the relevant security documentation provided by AWS for further self-study.
We expect the trainees to bring their own AWS account for the training.
Course Content (ToC):
Attacking Cloud compute
We look at the compute services of AWS such as EC2 (virtual machines), Lambda (serverless) and ELB (load balancers) from the point of view of attacking and auditing them. Additionally, we will start by creating our attacker machine in the cloud as well, which allows for rapid provisioning and creation of VMs.
- Attacking EC2 and ELBs
- Abusing application misconfigurations
- Attacking Serverless endpoints (AWS Lambda)
Attacking Cloud storage
Most applications require storage, either block storage like the HDDs we are used to, or object storage of the kind AWS S3 provides. We will learn how to attack, abuse, steal and pillage stored data due to misconfigurations, or by doing forensics on existing snapshots.
- Deep dive into AWS S3 misconfigurations
- Discovering and pillaging EBS
- Cloud forensics for discovery and attacks
Attacking Cloud databases
Apart from standard storage, most data is stored in databases. We will attack AWS RDS to find misconfigurations that allow us to steal data and increase our foothold.
- Abusing AWS RDS misconfigurations
Recon and OSINT against cloud targets
Cloud infrastructures are relatively new compared to traditional on-premises enterprise IT. This means that a lot of resources are not secured properly, or people haven't realized everything that needs to be secured. By applying OSINT techniques, we will learn more about our targets and use that information to supercharge our attacks.
- OSINT techniques to enumerate AWS infra
- Techniques to identify misconfigured buckets
- Tools for discovering and stealing AWS keys
- Techniques to find subdomain takeovers due to S3 at scale
AWS services and concepts for security
While most of the class is hands-on and scenario based, we will cover the following topics at relevant places during the training. These will be beginner-to-intermediate tasks done in sequence to build our capacity.
- AWS IAM
- AWS Security Groups
- AWS VPCs
- AWS CloudWatch
- AWS CloudTrail
- AWS Config
Capture the flag
We will end the training with a hands-on CTF for all the attendees. The challenges are meant to evaluate key concepts and skills that you will have gained over the course of the training. By repeating them in a challenge format you will be able to self-evaluate how much of the knowledge has been retained and which concepts you need to practice more.
- Hands-on challenges for the attendees
- Walkthrough of all challenges
Pre-requisite
- Familiarity with AWS console
- Ideally you should have started VMs in AWS, configured S3 buckets and have an idea of IAM
- Familiarity with Security Testing basics and tools like nmap, Burp Suite
- Comfortable using command line tools to log in to servers, install packages, and execute scripts and applications
- Basics of HTTP, JavaScript
- Basics of Networking concepts enough to understand Cloud Architecture
Participants’ Requirements:
- Laptop with a modern OS like Windows 10 / OSX / Linux
- SSH client installed on the host OS
- Ability to connect to the wireless network
- Own AWS account which has been activated for payments
Who should attend:
- Pentesters and Security Testers
- Security Professionals
- Cloud / IT Professionals
- DevSecOps Professionals
What to expect:
- Completely hands-on
- Fast paced training
- While we will be using free-tier AWS services as much as possible, you can expect some minimal account charges
What not to expect:
- DevOps concepts
- How to build cloud infrastructure
Speaker Profile:
Bharath is a Security Engineer with Appsecco. He has a strong passion for information security and building solutions that solve real world problems. Bharath is an active member and contributor at various security and developer communities, including the null open security community. His core interests lie in Application security, Infrastructure security, Reconnaissance and Cloud security.
Bharath has presented at many security and developer conferences including:
- Defcon 26: Recon Village
- Bsides Delhi 2017
- Bugcrowd LevelUp 2017 & 2018
- FUDCon 2012
Bharath has conducted trainings at various conferences including:
- c0c0n, 2018
- Nullcon, Bangalore, 2018/2019
For more details:
- https://www.disruptivelabs.in/
- https://null.co.in/profile/352
- https://twitter.com/0xbharath
- https://github.com/0xbharath
- https://speakerdeck.com/0xbharath
- https://medium.com/@yamakira_
- https://www.linkedin.com/in/0xbharath