Breaking and Owning Applications and Servers on AWS and Azure

Trainer Name: Akash Mahajan & Riyaz Walikar
Title: Breaking and Owning Applications and Servers on AWS and Azure
Duration: 3 Days
Dates: 26^th - 28^th Feb 2019

Background and about the training

Amazon Web Services (AWS) and Azure run the most popular and used cloud infrastructure and boutique of services. There is a need for security testers, Cloud/IT admins and people tasked with the role of DevSecOps to learn on how to effectively attack and test their cloud infrastructure. In this tools and techniques based training we will cover attack approaches, creating your attack arsenal in the cloud, distilled deep dive into AWS and Azure services and concepts that should be used for security.

The training is meant to be a hands-on training with guided walkthroughs, scenario based attacks, coverage of tool that can be used for attacking and auditing. Due to the attack, focused nature of the training, we will not be spending a lot of time on security architecture, defence in depth etc. While mitigations will be covered, we will point out to the relevant security documentation provided by the cloud provider for further self-study.

We expect the trainees to bring their own AWS and Azure accounts for the training. We will be providing detailed instructions on how to ensure that you are ready to tackle the class before you arrive for it.

Target Audience (Who should attend)

• Pentesters and Security Testers
• Security Professionals
• Cloud / IT Professionals
• DevSecOps Professionals

Training delivery approach (What to expect)

• Completely hands-on
• Automation scripts will be provided to bring up your AWS cloud infrastructure
• Fast paced training
• Using AWS console, Azure Console, CLI, AWS services and chosen security and management tools which will be provided
• While we will be using free-tier AWS and Azure services as much as possible, you can expect some minimal account charges

Hardware and Software Requirements

• Laptop with a modern OS Windows 10/OSX/Linux
• Updated browsers such as Chrome, Firefox
• Ability to connect to a wireless / wired network
• Own AWS and Azure account which has been activated for payments

Pre-requisites (What you should know)

• Familiarity with AWS console and the Azure Portal
• Familiarity with Security Testing basics and tools like nmap, Burp Suite/OWASP ZAP
• Comfortable using command line tools to login to servers, install packages, executing scripts and applications
• Basics of HTTP, JavaScript
• Basics of Networking concepts enough to understand Cloud Architecture
• Ideally you should have started VMs in AWS, configured S3 buckets and have an idea of IAM

What not to expect

• DevOps concepts
• How to build out cloud infrastructure
• A lot of theory

Student Giveaways

• Complete training hands-on guide
  • This will be in an e-book formats such as ePub, Mobi, PDF
• References and links for further studying
• One month access to exclusive training slack channel
  • This is to ensure that if you are practicing after the class, you have us available to guide and answer questions
  • This also provides a platform for class to continue the discussions online

Courseware

The following section lists the courseware in greater detail. The topics listed below will be hands-on in nature and the trainers will assist the students to complete the exercises as they are built.

Setting up and attacking Cloud Virtual Machines, Compute and Serverless

We look at the compute services of AWS and Azure such as AWS EC2, Azure Virtual Machines, AWS Lambda and Azure Functions (Serverless) and AWS ELB (Load Balancers) from a point of view of attacking and auditing them. Additionally, we will start with creating our attackers machine in the cloud as well. This allows for rapid provisioning, creation of VMs etc.

• Setting up Attack Tools and VMs using automation
• Attacking EC2 and ELBs
• Application Misconfigurations
• EC2 meta data abuse
• Stealing credentials
• Attacking AWS Lambda
• Using AWS Inspector for audits and attacks
• Working with the Azure CLI
• Deploying Virtual Machines using the Azure Portal
• Attacking Azure Virtual Machines
• Attacking and Inspecting Azure Functions
• Azure App Services subdomain takeover

Cloud Storage

Most of the applications require storage. Either this is block storage that we are used to like HDDs or object storage the kind AWS S3 provides. We will learn how to attack, abuse, steal and pillage stored data due to misconfigurations or by the virtue of doing forensics on existing snapshots etc.

• Abusing AWS S3 misconfigurations
• Discovering and pillaging AWS EBS
• Cloud forensics for discovery and attacks
• Attacking Azure Block Blobs

Cloud Databases

Apart from the standard storage most data are stored in databases. We will attack AWS RDS for finding out misconfigurations which will allow us to steal data and increase our foothold.

• AWS RDS misconfigurations
• Data pilferage
• Attacking Azure MSSQL databases

OSINT against Cloud targets

Cloud infrastructures are relatively new compared to the traditional on premise enterprise IT. This means that a lot of resources are not secured properly or people haven’t realised what all to secure. By applying OSINT techniques, we will learn more about our targets and use that information to super charge our attacks.

• Techniques for OSINT
• Tools for finding public buckets
• Tools for discovering, stealing keys and endpoints
• OSINT to discover Azure Storage and its attack surface
• OSINT to discover and attack Azure Databases

Cloud Security, Compliance and Assessment

Security is not always about attack and defence. A vibrant running ecosystem involves governance and compliance activities. Here we will look at how we can use tools that the cloud providers have as services or third party tools that enable auditing and compliance.

• Using Trusted Advisor
• Using Cloud Custodian
• Azure Security Center
• Azure Advisor
• Azure Infrastructure assessment using Nessus

Managing cloud Infra without credentials

Both AWS and Azure provide services that allow you to manage cloud compute instances using the CLI and the console/portal without requiring you to know the login credentials. This allows for interesting use cases where command execution on the instances is possible using policies and cloud capabilities.

• AWS SSM
• Azure Run Command and controlling Virtual machines

AWS and Azure Services and Concepts for Security

While most of the class is hands-on and scenario based, we will cover the following topics at relevant places during the training. These will be some beginners to intermediate tasks done in a sequence to build our capacity.

• AWS IAM
• AWS KMS
• AWS VPCs
  • AWS Security Groups
  • AWS Flowlogs
• AWS CloudWatch
• AWS CloudTrail
• AWS Config
• Requirements for Pentesting AWS Cloud Infra
• Mapping Azure Services to AWS
• Azure Security Services and Role Based Access Control
• Azure Security Center
• Azure Advisor

Capture the flag

We will end the training with a hands-on CTF for all the attendees. The challenges are meant to evaluate key concepts and skills that you would have gained over the course of 3 days of the training. By repeating them in a challenge format you will be able to self-evaluate how much of the knowledge has been retained and what are the concepts that you need to practice more.

• Hands on challenges for the attendees
• Walkthrough of all challenges

About the trainer

Riyaz Walikar

Riyaz Walikar is the Chief Offensive Security Officer at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application security, penetration testing and security evangelism. He is a security evangelist, offensive security expert, and researcher with over 9 years of experience in the Internet and web application security industry. He has many years of experience in providing web application security assessments, has lead penetration testing engagements in many countries and performed numerous onsite reviews on infrastructure and system security.

He also leads the Bangalore chapters of OWASP and the null community, actively encouraging participation and mentoring newcomers in the industry.

Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf and OWASP AppsecUSA.

He also dabbles in vulnerability research and has found bugs with several popular online services of major companies including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, and EBay. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.

Akash

Akash is a Director at Appsecco, a company that specializes in Web Application Security. He is an accomplished security professional with over a decade’s experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world.

He has a deep experience of working with clients to provide cutting-edge security insight that truly reflects the commercial and operational needs of the organization from strategic advice to testing and analysis to incident response and recovery.

Akash has also authored a book titled "BurpSuite Essentials" that comes recommended by the creator of BurpSuite itself and is an active participant in the international security community and conference speaker both individually, as chapter lead of the Bangalore chapter of OWASP the global organisation responsible for defining the standards for web application security and as a co-founder of NULL India’s largest open security community.