Hacking the Cloud
Gerald Steere – Microsoft C+E Red Team (@Darkpawh)
Sean Metcalf – CTO Trimarc (@pyrotek3)
About Us
Gerald Steere - @darkpawh
10+ years experience as a penetration tester and red team operator
Member of C+E Red Team since 2014
Speaker at BlueHat and Bsides Seattle
Spends work days happily smashing atoms in Azure
Sean Metcalf - @pyrotek3
Founder Trimarc, a security company.
Microsoft Certified Master (MCM) Directory Services
Speaker: Black Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon
Security Consultant / Security Researcher
Own & Operate ADSecurity.org(Microsoft platform security info)
Contact: Sean [at] ADSecurity.org
Cloud? Who cares!
Cloud FTW!
What’s in it for me?
Buzzword bingo with cloud lingo
Pathfinding, recon, and targeting in multiple dimensions
Currency exchange – what do I do with all these hashes?
Happy fun exploit time (with demos)
Countermeasures and proper protection
What’s in it for me?
Cloud matters for business
Your client probably uses it, whether you (or they) realize it or not
Many traditional techniques do not work
Same concepts but new ways of thinking
Can I really go after my client’s cloud deployments?
We are not lawyers.
If you’re a professional you need one of those to talk to. ALWAYS.
Lawful Evil is a perfectly valid alignment
Scope & Access will be more limited
Spell out enforced limitations in your reporting
Cloud providers typically require an approval process be followed
Attacking Azure, AWS, or Google Cloud Deployments
Requires preapproval by account owner (Azure and AWS)
Standard Rules of Engagement (RoE) stuff
Limited to customer owned resources
No DoS
Can include attempts to break isolation (Azure)
Buzzword Bingo
Do you have your card ready?
Accessibility modifiers
Public cloud
Private cloud
Hybrid cloud
https://www.stickermule.com/marketplace/3442-there-is-no-cloud
All the aaS
Albert Barron – https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service
CloudOS - Same ideas, different words

| Server (on-premises) | Services (cloud)   |
|----------------------|--------------------|
| Domain               | Subscription       |
| Domain Admin         | Subscription Admin |
| Pass the Hash        | Credential Pivot   |
| Private IPs          | Public IPs         |
| RDP / SSH            | Management APIs    |
Faust and Johnson – Cloud Post Exploitation Techniques Infiltrate 2017 https://vimeo.com/214855977
Where’s the data?
Cloud services rely on data storage for nearly everything
How is data stored in the cloud?
Do I need to attack the service or is the data my real goal?
Image: ©MITRE
Pathfinding, recon, and targeting in multiple dimensions
How do I figure out I even need to look at the cloud?
Identifying Cloud Deployments
In the public cloud, DNS is your best friend.
Cloud Recon: DNS MX Records
• Microsoft Office 365: DOMAIN-COM.mail.protection.outlook.com
• Google Apps (G Suite): *.google OR *.googlemail.com
• Proofpoint (pphosted)
• Cisco Email Security (iphmx)
• Cyren (ctmail)
• GoDaddy (secureserver)
• CSC (cscdns)
Cloud Recon: DNS TXT Records
MS = Microsoft Office 365
Google-Site-Verification = G Suite
Amazonses = Amazon Simple Email
OSIAGENTREGURL = Symantec MDM
AzureWebsites = Microsoft Azure
Paychex = Paychex financial services
Docusign = Docusign digital signatures
Atlassian-* = Atlassian services
Cloud Recon: SPF Records
SalesForce (salesforce.com, pardot.com, & exacttarget.com)
MailChimp (mcsv.net)
Mandrill (MailChimp paid app)
Q4Press (document collaboration)
Zendesk (support ticket)
Oracle Marketing (Eloqua.com)
Constant Contact (email marketing)
Postmark (mtasv.net)
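The three DNS recon slides above read just as well from the defender's side: the same MX hostname fragments, TXT record prefixes and SPF include domains tell you which SaaS providers your own domain is wired to, including ones nobody in security signed off on. The script below is an added example, not the presenters' code. It turns the slides' lists into a fingerprint table and matches a domain's records against it. The records are assumed to be plain strings such as the output of `dig +short MX example.com` and `dig +short TXT example.com`; the sample records are constructed, and the services the slides name without a domain (Mandrill, Q4Press, Zendesk, Constant Contact) are left out rather than guessed.

```python
"""Inventory the cloud services a domain's DNS reveals.

Added example (not the presenters' code).  Fingerprints come from the
MX / TXT / SPF recon slides; records are plain strings such as the
output of `dig +short MX example.com` and `dig +short TXT example.com`.
"""
from typing import Dict, List, Set

# MX hostname fragments -> service (as listed on the MX slide).
MX_FINGERPRINTS: Dict[str, str] = {
    "mail.protection.outlook.com": "Microsoft Office 365",
    ".google": "Google Apps (G Suite)",   # covers *.google.com and *.googlemail.com
    "pphosted": "Proofpoint",
    "iphmx": "Cisco Email Security",
    "ctmail": "Cyren",
    "secureserver": "GoDaddy",
    "cscdns": "CSC",
}

# Leading token of a TXT verification record -> service (TXT slide).
TXT_FINGERPRINTS: Dict[str, str] = {
    "ms=": "Microsoft Office 365",
    "google-site-verification=": "G Suite",
    "amazonses": "Amazon Simple Email Service",
    "osiagentregurl": "Symantec MDM",
    "azurewebsites": "Microsoft Azure",
    "paychex": "Paychex",
    "docusign": "DocuSign",
    "atlassian-": "Atlassian",
}

# SPF include: domains -> service (SPF slide; only entries that name a domain).
SPF_FINGERPRINTS: Dict[str, str] = {
    "salesforce.com": "SalesForce",
    "pardot.com": "SalesForce",
    "exacttarget.com": "SalesForce",
    "mcsv.net": "MailChimp",
    "eloqua.com": "Oracle Marketing (Eloqua)",
    "mtasv.net": "Postmark",
}


def _norm(record: str) -> str:
    """Lower-case, drop surrounding quotes and the trailing root dot."""
    return record.strip().strip('"').lower().rstrip(".")


def classify_mx(mx_records: List[str]) -> Set[str]:
    found: Set[str] = set()
    for rec in mx_records:
        host = _norm(rec).split()[-1]          # drop the "10 " priority prefix
        for fragment, service in MX_FINGERPRINTS.items():
            if fragment in host:
                found.add(service)
    return found


def spf_includes(record: str) -> List[str]:
    """Domains named by include: mechanisms; empty if this is not SPF."""
    tokens = _norm(record).split()
    if not tokens or tokens[0] != "v=spf1":
        return []
    return [t.split(":", 1)[1] for t in tokens[1:] if t.startswith("include:")]


def classify_spf(record: str) -> Set[str]:
    found: Set[str] = set()
    for domain in spf_includes(record):
        for suffix, service in SPF_FINGERPRINTS.items():
            if domain == suffix or domain.endswith("." + suffix):
                found.add(service)
    return found


def classify_txt(txt_records: List[str]) -> Dict[str, Set[str]]:
    """Verification tokens and SPF share the TXT RRset; split and classify them."""
    result: Dict[str, Set[str]] = {"txt": set(), "spf": set()}
    for rec in txt_records:
        r = _norm(rec)
        if r.startswith("v=spf1"):
            result["spf"] |= classify_spf(rec)
            continue
        for prefix, service in TXT_FINGERPRINTS.items():
            if r.startswith(prefix):
                result["txt"].add(service)
    return result


def cloud_inventory(mx_records: List[str], txt_records: List[str]) -> Dict[str, Set[str]]:
    inventory = classify_txt(txt_records)
    inventory["mx"] = classify_mx(mx_records)
    return inventory


# Constructed sample records (not a real domain's data).
SAMPLE_MX = ["10 example-com.mail.protection.outlook.com.",
             "20 mxa-0000abcd.gslb.pphosted.com."]
SAMPLE_TXT = [
    '"MS=ms12345678"',
    '"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com '
    'include:servers.mcsv.net -all"',
    '"docusign=00000000-constructed-0000"',
    '"some-unrelated-verification=1"',
]

if __name__ == "__main__":
    for kind, services in sorted(cloud_inventory(SAMPLE_MX, SAMPLE_TXT).items()):
        print(f"{kind.upper():4} -> {', '.join(sorted(services)) or '(none)'}")
```

Run it over every domain the organisation owns, not just the primary one, and extend the three tables as you learn your own providers; a service that shows up here but not in the asset register is exactly the "cloud service nobody was aware of" the deck warns about later.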
Discover Federation Servers
No standard naming for FS.
Some are hosted in the cloud.
DNS query for:
• adfs
• auth
• fs
• okta
• ping
• sso
• sts
Federation Web Page Detail
OWA Version Discovery
Check for autodiscover subdomain (autodiscover.domain.com)
Connect to autodiscover web page (https://autodiscover.domain.com)
Copyright date effectively provides Exchange version:
2006 = Microsoft Exchange 2007
Cloud and Federation
Attackers go after Identity since that provides access to resources.
Modern auth
Cloud authentication and authorization is typically independent from the on-premises domain, though Federation may provide a path…
How you authenticate will depend on the specific cloud provider
More Buzzword Bingo:
• OAuth
• OpenID
• SAML
• WS-Federation
• WS-Trust
Identity
ADFS Federation Server Config
Federation server typically lives on the internal network with a proxy server in the DMZ.
Certificates installed on Federation server: Service communication, Token-decrypting, Token-signing
Relying party trusts: cloud services and applications
Claim rules: determine what type of access and from where access is allowed.
SAML in a Nutshell
• Security Assertion Markup Language (SAML)
• Web browser single-sign on
• Three roles: User, Identity Provider (IDP), Service Provider
• Specifies assertions between these roles (broker) which are used to confirm identity.
• Authentication method agnostic.
• SAML messages have several levels of signatures.
Federation Key Points
Federation: trust between organizations leveraging PKI (certificates matter)
Cloud SSO often leverages temporary or persistent browser cookies (cookies provide access)
Several protocols may be supported, though typically SAML. (protocols and versions matter)
Federation server (or proxy) is on public internet via port 443 (HTTPS).
How to steal identities – federated style
Federation is effectively Cloud Kerberos.
Own the Federation server, own organizational cloud services.
Token & Signing certificates ~= KRBTGT (think Golden Tickets)
Steal federation certificates to spoof access tokens (Mimikatz fun later).
On-Premises Cloud Components
How do we get those identities into the cloud anyways?
Active Directory & the Cloud
Active Directory provides Single Sign On (SSO) to cloud services.
Some directory sync tools synchronize all users and their attributes to cloud service(s).
Most sync engines only require AD user rights to send user and group information to cloud service.
Most organizations aren’t aware of all cloud services active in their environment.
Express Permissions for Azure AD Connect
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
Custom Permissions for Azure AD Connect
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
PowerShell Management of Cloud Stuff
• Amazon AWS: https://aws.amazon.com/powershell/
• Google Cloud: https://cloud.google.com/powershell/
• Microsoft Azure: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.1.0
• Microsoft Office 365: https://technet.microsoft.com/en-us/library/dn975125.aspx
AAD – Microsoft Graph Explorer
Attacking Cloud Assets (or Protecting)
Managing VMs is Still Your Responsibility…
“If you are vulnerable, attackers could get full access to your S3 bucket, allowing them to download, upload and overwrite files.”
https://blog.detectify.com/2017/07/13/aws-s3-misconfiguration-explained-fix/
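The Detectify finding quoted above comes down to a bucket policy or ACL that grants rights to everyone. The check below is an added example, not the presenters' or Detectify's code: it walks a bucket policy document, reports every Allow statement whose principal is anonymous, and grades it public-read or public-write, with the weak policy beside a corrected one that scopes the same rights to a single IAM role and adds the usual deny for non-TLS requests. Both policy documents are constructed, and the account ID and role name in the fixed policy are placeholders. It also accepts the `{"Policy": "<json string>"}` wrapper that `aws s3api get-bucket-policy` returns, so its output can be piped straight in.

```python
"""Flag bucket-policy statements that grant anonymous access.

Added example (not the presenters' or Detectify's code).  Policy
documents are constructed; the account ID and role ARN in the fixed
policy are placeholders.
"""
import json
from typing import Any, Dict, List

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def load_policy(text: str) -> Dict[str, Any]:
    """Accept a raw policy document or the `aws s3api get-bucket-policy`
    output, which wraps the document as a JSON string under "Policy"."""
    doc = json.loads(text)
    if isinstance(doc, dict) and isinstance(doc.get("Policy"), str):
        doc = json.loads(doc["Policy"])
    return doc


def find_public_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement with an anonymous principal."""
    findings: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue    # Deny-to-everyone statements are a hardening idiom, not a hole
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & WRITE_ACTIONS:
            level = "public-write"
        elif actions & READ_ACTIONS:
            level = "public-read"
        else:
            continue    # neither read nor write on objects; not graded here
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "level": level,
            "resources": _as_list(stmt.get("Resource")),
            # A Condition may narrow the grant (source IP, referer...).  It is
            # reported, not trusted: many such conditions are easy to satisfy.
            "conditional": "Condition" in stmt,
        })
    return findings


# The misconfiguration Detectify describes: everyone may read and write objects.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Same access scoped to one IAM role, plus a deny for requests without TLS.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UploaderRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},  # placeholder
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_public_grants(policy) or "no anonymous grants")
```

The policy is only half the picture: object and bucket ACLs can grant the same access independently of the policy, so an audit has to look at both, and a statement that the script files under "conditional" still deserves a manual read.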
Currency exchange – what do I do with all these hashes?
I never liked buying tokens, but that’s all these things take
Spending our hoard
I’ve got all these hashes and nowhere to go
No matter how many times you’ve popped the KRBTGT account, your cloud provider really doesn’t care
Creds, creds never change
Certificates, certificates, certificates!
Popping dev boxes has never been more productive
You do know mimikatz can also export certificates, right?
What is old is new again
Password Spraying: Attempting authentication with a single password against all users before moving on to the next password.
Works against Cloud services: email, IM, etc.
Run Low & Slow
Often works against VPN as well.
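Password spraying, as the slide defines it, never trips per-account lockout: each account sees one attempt. The detection therefore has to pivot on the source rather than the account, and "low and slow" is what defeats a short window. The following is an added example, not the presenters' code, of that detection run over a constructed sign-in log: it counts how many distinct accounts each source has failed against inside a sliding window, flags a source once that count reaches a threshold, and reports any success from a flagged source, which is the account to reset first. The log format, addresses and account names are all constructed.

```python
"""Spot password spraying in sign-in logs by the shape of the failures.

Added example (not the presenters' code).  The log format and every
address and account below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# 203.0.113.7: one password tried against five accounts in six minutes, one hit.
# 203.0.113.8: the same, "low and slow", one account every 20 minutes.
# 198.51.100.9: classic brute force, one account, many passwords.
SAMPLE_LOG = """
2017-07-27T08:00:00Z FAIL user=alice src=203.0.113.8
2017-07-27T08:20:00Z FAIL user=bob src=203.0.113.8
2017-07-27T08:40:00Z FAIL user=carol src=203.0.113.8
2017-07-27T09:00:00Z FAIL user=dave src=203.0.113.8
2017-07-27T09:20:00Z FAIL user=erin src=203.0.113.8
2017-07-27T09:40:00Z FAIL user=frank src=203.0.113.8
2017-07-27T09:00:00Z FAIL user=alice src=203.0.113.7
2017-07-27T09:01:00Z FAIL user=bob src=203.0.113.7
2017-07-27T09:02:00Z FAIL user=carol src=203.0.113.7
2017-07-27T09:03:00Z FAIL user=dave src=203.0.113.7
2017-07-27T09:04:00Z FAIL user=erin src=203.0.113.7
2017-07-27T09:05:00Z SUCCESS user=frank src=203.0.113.7
2017-07-27T09:00:00Z FAIL user=admin src=198.51.100.9
2017-07-27T09:00:10Z FAIL user=admin src=198.51.100.9
2017-07-27T09:00:20Z FAIL user=admin src=198.51.100.9
2017-07-27T09:00:30Z FAIL user=admin src=198.51.100.9
2017-07-27T09:00:40Z FAIL user=admin src=198.51.100.9
2017-07-27T09:00:50Z FAIL user=admin src=198.51.100.9
2017-07-27T09:10:00Z SUCCESS user=alice src=192.0.2.10
"""

Event = Tuple[datetime, str, str, str]   # (time, result, user, source)


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, result, user_kv, src_kv = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def detect_spray(events: List[Event], window_hours: float = 1.0,
                 min_users: int = 5) -> Dict[str, Dict[str, int]]:
    """Sources whose failures touch >= min_users distinct accounts within
    any window of window_hours.  Brute force against one account never
    reaches the threshold, however many attempts it makes."""
    window = timedelta(hours=window_hours)
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, int] = defaultdict(int)
    for when, result, user, src in events:
        if result == "FAIL":
            failures[src].append((when, user))
        else:
            successes[src] += 1

    alerts: Dict[str, Dict[str, int]] = {}
    for src, fails in failures.items():
        fails.sort()
        peak = 0
        for i, (start, _) in enumerate(fails):
            # distinct accounts failed against in the window starting at this event
            users = {u for t, u in fails[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            alerts[src] = {"users": peak, "successes": successes[src]}
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("1h window :", detect_spray(events))
    print("24h window:", detect_spray(events, window_hours=24))
```

With the default one-hour window only the fast sprayer is flagged; the slow one at 20-minute intervals never has five distinct accounts inside any hour and is only caught when the window is widened to a day. Pick the window from how long your logs are retained in the SIEM, not from how fast you expect the attacker to be, and run the same logic against the VPN and federation proxy logs, since the slide notes those take the same passwords.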
DevOops
DevOps probably has what you are looking for
API keys and shared secrets for the win
Source code access for fun and profit
How are these deployments done anyways?
Where Are API Keys? GitHub!
https://hackernoon.com/how-to-use-environment-variables-keep-your-secret-keys-safe-secure-8b1a7877d69c
https://github.com/jjenkins/node-amazon-ses/issues/9
The circle of access
Access between on-premises and cloud deployments is often a two-way street
On-premises -> cloud typically involves identifying credentials
Is there a way back?
Are there shared authentication methods?
Countermeasures and proper protection
Closing my eyes and hoping it goes away isn’t going to work, is it?
Giving useful advice: The Basics
Properly handle, store, and manage credentials and secrets
You aren’t storing those access keys in Git, are you?
Clouds do provide managed secret stores
Make it easy for DevOps to do the right thing
Enforce MFA on all accounts
If it can’t have MFA, limit it as much as possible and monitor it
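"You aren't storing those access keys in Git, are you?" is a question a pre-commit hook can answer. The following is an added example, not the presenters' code or that of the two linked articles: a small scanner that flags source lines carrying an AWS access key ID, a 40-character secret assigned to `aws_secret_access_key`, or a quoted value assigned to anything ending in password/token/secret/api_key, shown against a snippet that hard-codes an SES client's keys and the same snippet reading them from the environment, which is the fix the linked Hackernoon article describes. The key pair is the example pair AWS publishes in its documentation, and both snippets are constructed; the environment loader fails closed when a variable is missing instead of falling back to a baked-in value.

```python
"""Catch hard-coded cloud credentials before they reach a repository,
and show the environment-variable pattern that replaces them.

Added example (not the presenters' code or the linked articles').  The
key material is the documentation example pair AWS publishes, and the
snippets are constructed.
"""
import re
from typing import Dict, List, Tuple

PATTERNS = {
    # AWS access key IDs: 20 chars beginning AKIA (long-term) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-char secret assigned to a variable or key named aws_secret_access_key.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"][A-Za-z0-9/+=]{40}['\"]"),
    # Catch-all for smtp_password = "...", api_key: "...", token = "...".
    "generic_credential": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_source(text: str) -> List[Tuple[int, str]]:
    """(line number, pattern name) for every line that looks like a secret."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
                break
    return findings


def load_aws_credentials(env: Dict[str, str]) -> Dict[str, str]:
    """Read credentials from the environment and fail closed when absent,
    rather than falling back to a value baked into the source."""
    try:
        return {"access_key_id": env["AWS_ACCESS_KEY_ID"],
                "secret_access_key": env["AWS_SECRET_ACCESS_KEY"]}
    except KeyError as missing:
        raise RuntimeError(f"credential not set in environment: {missing.args[0]}") from None


# What ends up on GitHub: the SES client with its keys pasted in (constructed).
BAD_SNIPPET = "\n".join([
    "import boto3",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'smtp_password = "Summer2017!Summer"',
    'client = boto3.client("ses", aws_access_key_id=AWS_ACCESS_KEY_ID,'
    ' aws_secret_access_key=AWS_SECRET_ACCESS_KEY)',
])

# The same code reading everything from the environment (constructed).
GOOD_SNIPPET = "\n".join([
    "import os",
    "import boto3",
    'client = boto3.client("ses", aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],'
    ' aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"])',
    'smtp_password = os.environ["SMTP_PASSWORD"]',
])

if __name__ == "__main__":
    for label, snippet in (("bad", BAD_SNIPPET), ("good", GOOD_SNIPPET)):
        print(label, scan_source(snippet) or "clean")
```

Pattern matching of this kind finds the obvious cases and misses anything base64-wrapped or split across lines, so treat it as the cheap first gate and back it with the managed secret store the slide mentions; once a key has been pushed, rotating it matters more than rewriting history, since forks and clones keep the old commit.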
Giving useful advice
Review permissions on data sources.
Separate private & publicly accessible resources.
Regularly review network access rules.
Many of the basics remain the same
Least privilege is key and poorly understood in many cloud implementations
Least access: use the security features provided by the cloud
Cloud admin workstations – treat the same as privileged users
Credential management is hard in a connected world – this is a massive opportunity for attackers
Giving useful advice: Securing Federation
Protect Federation servers at the same level as Domain Controllers.
Use a proxy server to limit communication directly with federation server inside the network.
Audit cloud authentication by logging Federation auth events & send to SIEM.
Enable multifactor authentication for all admin accounts & preferably all cloud accounts.
Control Cloud authentication via Federation rules. Example:
Internal network access provides single sign-on
External access requires username, password, and two-factor authentication
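The claim rules mentioned on the ADFS configuration slide are where the example policy above actually lives: the federation server decides from the claims it holds (is the request from inside the corporate network, has a second factor already been presented, which groups is the user in) whether to issue a token now or demand MFA first. The code below is an added example, not the presenters' code and not AD FS itself; it models that decision in Python so the policy can be read and unit-tested. The claim type URIs are the standard AD FS ones and the rule quoted in the comment is Microsoft's documented "additional authentication rule" form; the admin group name and user principal names are constructed. It also applies the deck's "MFA for all admin accounts" advice by requiring a second factor for admins even from the internal network, and treats a missing network claim as external.

```python
"""Model the federation access policy from the slide as code.

Added example (not the presenters' code and not AD FS itself).  The
claim type URIs are the standard AD FS ones; the group name and user
principal names are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
INSIDE_CORPNET = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
AUTHN_METHODS = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"

# The AD FS additional-authentication rule this evaluator mirrors for the
# "external access needs MFA" half of the policy:
#   c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
#     => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
#              Value = "http://schemas.microsoft.com/claims/multipleauthn");
# The admin rule has the same shape, keyed on the Group claim instead.

ADMIN_GROUPS: Set[str] = {"Cloud Admins"}     # constructed group name
Claim = Tuple[str, str]


def evaluate(claims: List[Claim], admin_groups: Set[str] = ADMIN_GROUPS) -> Dict[str, str]:
    """Decide whether the federation server issues a token now or first
    demands a second factor.  The returned record is what you would log
    to the SIEM for every federation authentication."""
    by_type: Dict[str, Set[str]] = defaultdict(set)
    for ctype, value in claims:
        by_type[ctype].add(value)

    # No insidecorporatenetwork claim at all is treated as external (fail
    # closed); only the proxy-set value "true" counts as internal.
    inside = by_type[INSIDE_CORPNET] == {"true"}
    is_admin = bool(by_type[GROUP] & admin_groups)
    mfa_done = MULTIPLE_AUTHN in by_type[AUTHN_METHODS]
    user = next(iter(by_type[UPN]), "<unknown>")

    record = {"user": user,
              "network": "internal" if inside else "external",
              "admin": "yes" if is_admin else "no"}
    if is_admin and not mfa_done:
        record.update(decision="require_mfa", reason="admin account")
    elif not inside and not mfa_done:
        record.update(decision="require_mfa", reason="external access")
    elif inside and not mfa_done:
        record.update(decision="issue_token", reason="internal single sign-on")
    else:
        record.update(decision="issue_token", reason="second factor satisfied")
    return record


def claims_for(user: str, inside: bool, groups: Tuple[str, ...] = (),
               mfa: bool = False) -> List[Claim]:
    """Build the claim set the federation server would see (constructed)."""
    claims = [(UPN, f"{user}@example.com"),
              (INSIDE_CORPNET, "true" if inside else "false")]
    claims += [(GROUP, g) for g in groups]
    if mfa:
        claims.append((AUTHN_METHODS, MULTIPLE_AUTHN))
    return claims


if __name__ == "__main__":
    for c in (claims_for("alice", inside=True),
              claims_for("alice", inside=False),
              claims_for("alice", inside=False, mfa=True),
              claims_for("bob", inside=True, groups=("Cloud Admins",)),
              [(UPN, "eve@example.com")]):
        print(evaluate(c))
```

Two points carry over from the model to a real deployment: the `insidecorporatenetwork` claim is only trustworthy when it is set by the proxy and cannot be supplied by the client, and the rule is only as good as the token-signing certificate behind it, since anyone holding that certificate mints assertions the rules never see.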
Leverage Cloud Provider Security Features
Microsoft Azure:
• Azure Security Center
• Use Azure Resource Manager deployments with RBAC
• 2FA for all admin accounts
Amazon AWS:
• Resource Management
• CloudWatch Events
• VPC Flow Logs
Monitoring and alerting
It’s not just for your network any more
Defenders need to work with DevOps to make sure that cloud resources and data are considered in defensive designs
Different cloud providers provide different tools for managing security
Defenders must be familiar with the tools from cloud providers used by their client
Log collection and management needs to include cloud assets
You do know what your assets are, right?
Assume breach!
Hacker Quest
When we last saw our intrepid red team
Hired to red team SithCo
Have domain admin on a subsidiary domain
SithCo uses public cloud resources to host web applications
How do we leverage access to get into SithCo corporate?
SithCo’s app hosting
Hack
er
Quest
![Page 62: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/62.jpg)
Hack
er
Quest
![Page 63: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/63.jpg)
Hack
er
Quest
![Page 64: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/64.jpg)
Hack
er
Quest
![Page 65: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/65.jpg)
Hack
er
Quest
![Page 66: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/66.jpg)
Hack
er
Quest
![Page 67: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/67.jpg)
Hack
er
Quest
![Page 68: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/68.jpg)
Hack
er
Quest
![Page 69: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/69.jpg)
![Page 70: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/70.jpg)
![Page 71: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/71.jpg)
![Page 72: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/72.jpg)
![Page 73: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/73.jpg)
Video demo provided later
Will appear on adsecurity.org
![Page 74: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/74.jpg)
Conclusion
Are we there yet?
![Page 75: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/75.jpg)
References
Pentesting Azure Security: https://portal.msrc.microsoft.com/en-us/engage/pentest
Pentesting AWS Security: https://aws.amazon.com/security/penetration-testing/
Pentesting Google Cloud Security: https://cloud.google.com/security/
Azure AD Connect permissions: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
Infiltrate 2017: Cloud Post Exploitation Techniques - Andrew Johnson & Sacha Faust: https://vimeo.com/214855977
![Page 76: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/76.jpg)
References
Amazon AWS PowerShell: https://aws.amazon.com/powershell/
Google Cloud PowerShell: https://cloud.google.com/powershell/
Microsoft Azure PowerShell: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.1.0
Microsoft Office 365 PowerShell: https://technet.microsoft.com/en-us/library/dn975125.aspx
![Page 77: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/77.jpg)
References
OWA-Toolkit: https://github.com/johnnyDEP/OWA-Toolkit
MailSniper (Invoke-PasswordSprayOWA): https://github.com/dafthack/MailSniper
Patator: https://github.com/lanjelot/patator
LyncSniper: https://github.com/mdsecresearch/LyncSniper and https://www.mdsec.co.uk/2017/04/penetration-testing-skype-for-business-exploiting-the-missing-lync/
Detectify - AWS S3 Misconfigurations Explained: https://blog.detectify.com/2017/07/13/aws-s3-misconfiguration-explained-fix/
![Page 78: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/78.jpg)
References
Azure Network Security Best Practices: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices
Azure security best practices and patterns: https://docs.microsoft.com/en-us/azure/security/security-best-practices-and-patterns
Azure virtual machine security best practices: https://docs.microsoft.com/en-us/azure/security/azure-security-best-practices-vms
Azure identity & access security best practices: https://docs.microsoft.com/en-us/azure/security/azure-security-identity-management-best-practices
Security Best Practices for Windows Azure Solutions - Download Center: http://download.microsoft.com/download/7/8/a/78ab795a-8a5b-48b0-9422-fddeee8f70c1/securitybestpracticesforwindowsazuresolutinsfeb2014.docx
![Page 79: Hacking the Cloud - Active Directory Security – Active ... · PDF fileHacking the Cloud Gerald Steere ... Security Best Practices for Windows Azure Solutions - Download Center](https://reader030.vdocuments.mx/reader030/viewer/2022020108/5abe1d7c7f8b9a3a428c94fa/html5/thumbnails/79.jpg)
References
The AWS Security Best Practices white paper: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The EC2 Instances Best Practices white paper: https://aws.amazon.com/articles/1233/
Finding API keys: https://hackernoon.com/how-to-use-environment-variables-keep-your-secret-keys-safe-secure-8b1a7877d69c
AWS Credential Management (git-secrets): https://github.com/awslabs/git-secrets
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution: https://www.youtube.com/watch?v=x4GkAGe65vE