Mastering AWS Pentesting and Methodology

Presented at DeepSec 2019 „Internet of Facts and Fears“, Unknown date/time (Unknown duration).

There have been patterns that have been found in AWS environment while exploring insecure S3 buckets, misconfiguration and compromised credentials flaws. These flaws are an outcome of the way the particular environment was configured and is not a flaw in AWS services itself, and are therefore inevitable. Finding the flaws relies on specific knowledge and approach as these attacks are specific. . There has been increasing use of AWS services,migration has increased multifold as well. As a result, it is important to challenge existing AWS security measures to be able to detect potential issues. . Description of Research Topic The intent here is to highlight the fact that pentesting cloud environment comes with legal considerations. AWS has established a policy that requires a customer to raise a permission request to be able to conduct penetration tests and vulnerability scans to or originating from the AWS environment. We can focus on user-owned entities, identity and access management, user permissions configuration and use of the AWS API integrated into the AWS ecosystem. Some of the examples would be targeting and compromising AWS IAM keys, establishing access through backdoor functions provisioned through different services, testing S3 bucket configuration and permission flaws and covering tracks by obfuscating CloudTrail logs. Takeaway for the Audience from the Talk: There is no standard methodology to pentest AWS environments, as it is dependent on the type and size of infrastructure being tested and the varied services of the AWS. Looking at a configuration/feature, it can be used to perform an action which is not expected. The security audit/assessment which includes these flaws discovered in the AWS environment is a value add for the application owner's organization, as these vulnerabilities would not have been detected by any tool, basic pentesting (based only on OWASP Top 10 or WASC Classification), and/or scanner. The attendees will get an overview of different tools available to aid in pentesting cloud-specific environments, a short demo about a couple of tools, what different aspects are covered by a different set of tools, and how to use all of this an exhaustive toolset for a comprehensive pentest. 1) Developing an approach toward pentesting a specific cloud environment 2) Different tools available for pentesting cloud-specific environments,short demo on couple of tools. 3) Areas to look in an AWS for flaws and misconfiguration, understanding shared responsibility model.

Presenters:

  • Ankit Giri - Independent Security Researcher
    Speaker, presenter, and a blogger, Ankit has a diverse background in writing informational blogs. A penetration tester by profession with 4+ years of experience. Part time bug bounty hunter. Featured in Hall of fame of EFF,GM,SONY, HTC, Pagerduty, HTC, AT&T,Mobikwik and multiple other Hall Of Fames. He loves speaking at conferences, has given talks at RSA APAC 2018, BSides Delhi 2017, CSA, Dehradun,Cyber Square Summit, OWASP Jaipur and has been a regular feature at Infosec meetups like Null and OWASP Delhi Chapter. He also leads the show for Peerlyst Delhi-NCR chapter. He has an upcoming talk at RSA US 2019 on Mastering AWS pentesting and methodology.

Links:

Similar Presentations: