- Goa 2020
Trainer Names: Bharath & Riyaz Walikar
Title: Breaking and Owning Applications and Servers on AWS and Azure
Duration: 3 Days
Dates: 3rd - 5th March 2020
- Setting up and attacking Cloud Virtual Machines, Compute and Serverless
- Cloud Storage
- Cloud Databases
- OSINT against cloud targets
- Cloud Security, Compliance and Assessment
- Shells, Privilege Escalation and Pivoting in the clouds
- Capture the flag
Background and about the training
Amazon Web Services (AWS) and Azure run the most popular and widely used cloud infrastructure, along with a large catalogue of services. Security testers, Cloud/IT admins and people tasked with a DevSecOps role need to learn how to effectively attack and test their cloud infrastructure. In this tools and techniques based training we will cover attack approaches, creating your attack arsenal in the cloud, and a distilled deep dive into the AWS and Azure services and concepts that matter for security.
The training covers a multitude of scenarios taken from our vulnerability assessment, penetration testing and OSINT engagements which take the student through the journey of discovery, identification and exploitation of security weaknesses, misconfigurations and poor programming practices that can lead to complete compromise of the cloud infrastructure.
The training is meant to be hands-on, with guided walkthroughs, scenario based attacks, and coverage of tools that can be used for attacking and auditing. Due to the attack-focused nature of the training, we will not be spending a lot of time on security architecture, defence in depth, etc. While mitigations will be covered, we will point to the relevant security documentation provided by the cloud provider for further self-study.
We expect the trainees to bring their own AWS and Azure accounts for the training. We will be providing detailed instructions on how to ensure that you are ready to tackle the class before you arrive for it.
Target Audience (Who should attend)
- Pentesters and Security Testers
- Security Professionals
- Cloud / IT Professionals
- DevSecOps Professionals
Training delivery approach (What to expect)
- Completely hands-on
- Automation scripts will be provided to bring up your AWS cloud infrastructure
- Fast paced training
- Using AWS console, Azure Console, CLI, AWS services and chosen security and management tools which will be provided
- While we will be using free-tier AWS and Azure services as much as possible, you can expect some minimal account charges
Hardware and Software Requirements
- Laptop with a modern OS (Windows 10/OSX/Linux)
- Updated browsers such as Chrome, Firefox
- Ability to connect to a wireless / wired network
- Own AWS and Azure account which has been activated for payments
Pre-requisites (What you should know)
- Familiarity with AWS console and the Azure Portal
- Familiarity with Security Testing basics and tools like nmap, Burp Suite/OWASP ZAP
- Comfortable using command line tools to log in to servers, install packages, and execute scripts and applications
- Basic networking concepts, enough to understand cloud architecture
- Ideally you should have started VMs in AWS, configured S3 buckets and have an idea of IAM
What not to expect
- DevOps concepts
- How to build out cloud infrastructure
- A lot of theory
Complete training hands-on guide
- This will be provided in e-book formats such as ePub, Mobi and PDF
- References and links for further studying
One month access to exclusive training slack channel
- This is to ensure that if you are practicing after the class, you have us available to guide you and answer questions
- This also provides a platform for the class to continue the discussions online
The following section lists the courseware in greater detail. The topics listed below will be hands-on in nature and the trainers will assist the students to complete the exercises as they are built.
Setting up and attacking Cloud Virtual Machines, Compute and Serverless
We look at the compute services of AWS and Azure, such as AWS EC2, Azure Virtual Machines, AWS Lambda and Azure Functions (Serverless) and AWS ELB (Load Balancers), from the point of view of attacking and auditing them. We will also start by creating our attacker machine in the cloud, which allows for rapid provisioning and creation of VMs.
- Setting up Attack Tools and VMs using automation
- Attacking EC2 and ELBs
- Application Misconfigurations
- EC2 meta data abuse
- Stealing credentials
- Attacking AWS Lambda
- Using AWS Inspector for audits and attacks
- Working with the Azure CLI
- Deploying Virtual Machines using the Azure Portal
- Attacking Azure Virtual Machines
- Post Exploitation Windows commands and Info Gathering
- Attacking and Inspecting Azure Functions
- Azure App Services subdomain takeover
Cloud Storage
Most applications require storage, either the block storage we are used to, like HDDs, or object storage of the kind AWS S3 provides. We will learn how to attack, abuse, steal and pillage stored data exposed through misconfigurations, or by performing forensics on existing snapshots.
- Deep dive into AWS S3 misconfigurations
- Discovering and pillaging AWS EBS
- Cloud forensics for discovery and attacks
- Attacking Azure Block Blobs
Cloud Databases
Apart from standard storage, most data is stored in databases. We will attack AWS RDS and Azure Databases by finding misconfigurations that allow us to steal data and increase our foothold. We will also identify the implementation level hardening that cloud providers apply to prevent attackers from gaining access to the underlying OS of cloud databases.
- AWS RDS misconfigurations
- Data pilferage
- Attacking Azure MSSQL databases
- Implementation level hardening to prevent attacker access
OSINT against Cloud targets
Cloud infrastructures are relatively new compared to traditional on-premise enterprise IT. This means that a lot of resources are not secured properly, or people haven't realised everything that needs to be secured. By applying OSINT techniques, we will learn more about our targets and use that information to supercharge our attacks.
- Techniques for OSINT
- AWS and Azure DNS
- Tools for finding public buckets
- OSINT to discover Azure Storage and its attack surface
- Tools for discovering, stealing keys and endpoints
- OSINT to discover and attack Azure Databases
- Techniques to find subdomain takeovers due to S3 at scale
Cloud Security, Compliance and Assessment
Security is not always about attack and defence. A vibrant, running ecosystem involves governance and compliance activities. Here we will look at how we can use tools that the cloud providers offer as services, or third party tools, that enable auditing and compliance.
- Using Trusted Advisor
- Using Cloud Custodian
- Azure Security Center
- Azure Advisor
Shells, Privilege Escalation and Pivoting in the clouds
Both AWS and Azure have services that can be abused to gain access to systems and, in several cases, could result in a total compromise of the infrastructure. Weakly configured user roles can lead to privilege escalation issues, which can be used to gain access to services and restricted data. Both AWS and Azure also provide services for managing cloud compute instances from the CLI, which opens up interesting use cases where command execution on the instances is possible through policies and cloud capabilities.
- AWS SSM
- Azure Run Command and controlling Virtual machines
- Privilege Escalation within AWS and Azure
- Pivoting within cloud environments
Capture the flag
We will end the training with a hands-on CTF for all the attendees. The challenges are meant to evaluate the key concepts and skills that you will have gained over the 3 days of the training. By repeating them in a challenge format you will be able to self-evaluate how much of the knowledge has been retained and which concepts you need to practice more.
- Hands on challenges for the attendees
- Walkthrough of all challenges
About the trainers
Bharath is a Security Engineer with Appsecco. He has a strong passion for information security and for building solutions that solve real world problems. Bharath is an active member of and contributor to various security and developer communities, including the null open security community. His core interests lie in application security, infrastructure security, reconnaissance and cloud security.
Bharath is an Offensive Security Certified Professional (OSCP).
Bharath holds multiple CVEs, the latest of which include CVE-2018-15635, CVE-2018-15636, CVE-2018-15638, CVE-2018-15639 and CVE-2018-15641.
- Defcon 26: Recon Village
- Bsides Delhi 2017
- BugcrowdLevelUp 2017 & 2018
- FUDCon 2012
Bharath has conducted trainings at various conferences including:
- c0c0n, 2018/2019
- Nullcon, Bangalore, 2018/2019
Riyaz Walikar is the Chief Offensive Security Officer at Appsecco, a company that specializes in Web Application Security. His primary interests lie in application security, penetration testing and security evangelism. He is a security evangelist, offensive security expert, and researcher with over 10 years of experience in the Internet and web application security industry. He has many years of experience in providing web, mobile and cloud application security assessments, has led penetration testing engagements in many countries and has performed numerous onsite reviews of infrastructure and system security.
He is also one of the leaders for OWASP Bangalore and has been an active contributor within the null community, actively encouraging participation and mentoring newcomers in the industry.
Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf and OWASP AppsecUSA.
He also dabbles in vulnerability research and has found bugs in several popular online services of major companies including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, and eBay. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.
Appsecco is a specialist application security company that provides industry-leading security services to companies ranging from the biggest banks in the world to international brands and professional services consultancies to software companies, both global and cutting edge start-ups. In addition to their client-facing work, Appsecco’s technical team can regularly be found presenting their work at industry conferences and events ranging from nullcon in India, DevSecCon in London, Seattle and Singapore, to Black Hat and DEF CON, the world’s largest security trade show and conferences, respectively, held annually in the USA.