- Blackshield Awards
- Job Fair
- CXO Track
- Breaking and Owning Applications and Servers on AWS and Azure
Trainer Name: Akash Mahajan & Riyaz Walikar
Title: Breaking and Owning Applications and Servers on AWS and Azure
Duration: 3 Days
Dates: 26th - 28th Feb 2019
Background and about the training
Amazon Web Services (AWS) and Azure run the most popular and used cloud infrastructure and boutique of services. There is a need for security testers, Cloud / IT admins and people tasked with the role of DevSecOps to learn on how to effectively attack and test their cloud infrastructure. In this tools and techniques based training we will cover attack approaches, creating your attack arsenal in the cloud, distilled deep dive into AWS and Azure services and concepts that should be used for security.
The training is meant to be a hands-on training with guided walkthroughs, scenario based attacks, coverage of tool that can be used for attacking and auditing. Due to the attack, focused nature of the training, we will not be spending a lot of time on security architecture, defence in depth etc. While mitigations will be covered, we will point out to the relevant security documentation provided by the cloud provider for further self-study.
We expect the trainees to bring their own AWS and Azure accounts for the training. We will be providing detailed instructions on how to ensure that you are ready to tackle the class before you arrive for it.
Although the section names are specific to AWS, the equivalent Azure capabilities will be covered to understand and demonstrate attack surfaces, possible security misconfigurations and weaknesses that have been demonstrated in the real world for Azure based deployments.
Target Audience (Who should attend)
- Pentesters and Security Testers
- Security Professionals
- Cloud / IT Professionals
- DevSecOps Professionals
Training delivery approach (What to expect)
- Completely hands-on
- Automation scripts will be provided to bring up your AWS cloud infrastructure
- Fast paced training
- Using AWS console, Azure Console, CLI, AWS services and chosen security and management tools which will be provided
- While we will be using free-tier AWS and Azure services as much as possible, you can expect some minimal account charges
Hardware and Software Requirements
- Laptop with a modern OS Windows 10/OSX/Linux
- Updated browsers such as Chrome, Firefox
- Ability to connect to a wireless / wired network
- Own AWS and Azure account which has been activated for payments
Pre-requisites (What you should know)
- Familiarity with AWS and Azure console
- Familiarity with Security Testing basics and tools like nmap, Burp Suite/OWASP ZAP
- Comfortable using command line tools to login to servers, install packages, executing scripts and applications
- Basics of Networking concepts enough to understand Cloud Architecture
- Ideally you should have started VMs in AWS, configured S3 buckets and have an idea of IAM
What not to expect
- DevOps concepts
- How to build out cloud infrastructure
- A lot of theory
- Complete training hands-on guide
- This will be in an e-book formats such as ePub, Mobi, PDF and HTML
- You can use it with e-book readers such as Kindle etc.
- Access to our online AWS Workbench for a month
- Use this to practice some key concepts and skills from beginner to intermediate
- References and links for further studying
- One month access to exclusive training slack channel
- This is to ensure that if you are practicing after the class, you have us available to guide and answer questions
- This also provides a platform for class to continue the discussions online
The following courseware, although uses AWS section names, will be mapped to equivalent Azure services during the discussions in class.
We look at the compute services of AWS such as EC2 (Virtual machines), Lambda (Serverless) and ELB (Load Balancers) from a point of view of attacking and auditing them. Additionally, we will start with creating our attackers machine in the cloud as well. This allows for rapid provisioning, creation of VMs etc.
- Setting up Attack Tools and VMs using automation
- Attacking EC2 and ELBs
- Application Misconfigurations
- EC2 meta data abuse
- Stealing credentials
- Attacks against virtualization
- Using AWS Inspector for audits and attacks
- Attacking Serverless endpoints (AWS Lambda)
Most of the applications require storage. Either this is block storage that we are used to like HDDs or object storage the kind AWS S3 provides. We will learn how to attack, abuse, steal and pillage stored data due to misconfigurations or by the virtue of doing forensics on existing snapshots etc.
- Abusing AWS S3 misconfigurations
- Discovering and pillaging EBS
- Cloud forensics for discovery and attacks
Apart from the standard storage most data are stored in databases. We will attack AWS RDS for finding out misconfigurations which will allow us to steal data and increase our foothold.
- AWS RDS misconfigurations
- Data pilferage
OSINT against Cloud targets
Cloud infrastructures are relatively new compared to the traditional on premise enterprise IT. This means that a lot of resources are not secured properly or people haven’t realised what all to secure. By applying OSINT techniques, we will learn more about our targets and use that information to super charge our attacks.
- Techniques for OSINT
- Tools for finding public buckets
- Tools for discovering, stealing keys and endpoints
Cloud Security and Compliance
Security is not always about attack and defence. A vibrant running ecosystem involves governance and compliance activities. Here we will look at how we can use AWS Trusted Advisor (free version) for this and then Botmetric. Botmetric is leading tool for managing security and compliance for AWS clouds. While this is a paid tool, we have managed to get each of the attendees a one month trial which will be more than enough for the class and any additional practice you may want to do afterwards
- Using Trusted Advisor
- Using Cloud Custodian
AWS Services and Concepts for Security
While most of the class is hands-on and scenario based, we will cover the following topics at relevant places during the training. These will be some beginners to intermediate tasks done in a sequence to build our capacity.
- AWS IAM
- AWS VPCs
- AWS Security Groups
- AWS Flowlogs
- AWS CloudWatch
- AWS CloudTrail
- AWS Config
- Requirements for Pentesting AWS Cloud Infra
Attacking Azure Environments
Common attack scenarios and common security misconfigurations that would allow attackers access to protected data, will be covered. A discussion around the common security defaults, configuration changes and security services that Azure provides will also be part of this module. As an attacker it becomes important to understand the defences that can be put in place so that the bypasses and attacks can be streamlined based on the scenario.
Capture the Flag
We will end the training with a hands-on CTF for all the attendees. The challenges are meant to evaluate key concepts and skills that you would have gained over the course of 3 days of the training. By repeating them in a challenge format you will be able to self-evaluate how much of the knowledge has been retained and what are the concepts that you need to practice more.
- Hands on challenges for the attendees
- Walkthrough of all challenges
About the trainer
Riyaz Walikar is the Chief Offensive Security Officer at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application security, penetration testing and security evangelism. He is a security evangelist, offensive security expert, and researcher with over 9 years of experience in the Internet and web application security industry. He has many years of experience in providing web application security assessments, has lead penetration testing engagements in many countries and performed numerous onsite reviews on infrastructure and system security.
He also leads the Bangalore chapters of OWASP and the null community, actively encouraging participation and mentoring newcomers in the industry.
Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf and OWASP AppsecUSA.
He also dabbles in vulnerability research and has found bugs with several popular online services of major companies including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, and EBay. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.
Akash is a Director at Appsecco, a company that specializes in Web Application Security. He is an accomplished security professional with over a decade’s experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world.
He has a deep experience of working with clients to provide cutting-edge security insight that truly reflects the commercial and operational needs of the organization from strategic advice to testing and analysis to incident response and recovery.
Akash has also authored a book titled "BurpSuite Essentials" that comes recommended by the creator of BurpSuite itself and is an active participant in the international security community and conference speaker both individually, as chapter lead of the Bangalore chapter of OWASP the global organisation responsible for defining the standards for web application security and as a co-founder of NULL India’s largest open security community.