Breaking and Pwning Apps and Servers on AWS and Google Cloud – Post Pandemic Edition

Trainer Name: Riyaz Walikar , Rohit Jadav
Title: Breaking and Pwning Apps and Servers on AWS and Google Cloud – Post Pandemic Edition
Duration: 3 Days
Dates: Sept. 6, 2022 To Sept. 8, 2022

TRAINING OBJECTIVES

About 60% of the world's cloud infrastructure is shared between AWS, Azure, and GCP. More and more organizations are moving their infrastructure to the cloud with the promise of scalability, robustness, higher resource bandwidth for far less, ease of use, and security.

With this shift, there is an ever-increasing demand for cloud security professionals to be able to securely design, implement, defend, attack, and repair cloud configurations and services. A lot of enterprises operate entirely on the cloud and with everyone learning to work remotely, there are additional challenges that come into play when dealing with security.

The current state of the industry creates a need for security testers, Cloud/IT admins, and people tasked with the role of DevSecOps to learn - how to effectively attack and test their cloud infrastructure before the bad guys. Security vendors need to hire folks who specialize in conducting cloud penetration tests and configuration reviews all the while expanding in scope and services.

In this Post Pandemic version of tools and techniques-based training, we will cover attack approaches, create your attack arsenal in the cloud, and distilled deep dive into AWS and Google Cloud services and concepts that should be used for security. Attacks on the Azure cloud will be mentioned when similar attack scenarios are being covered for AWS and Google Cloud.

The training covers a multitude of scenarios taken from our vulnerability assessment, penetration testing, and OSINT engagements which take the student through the journey of discovery, identification, and exploitation of security weaknesses, misconfiguration, and poor programming practices that can lead to complete compromise of the cloud infrastructure.

The training is meant to be hands-on training with guided walkthroughs, scenario-based attacks, and coverage of tools that can be used for attacking and auditing. Due to the attack, and focused nature of the training, we will not be spending a lot of time on security architecture, defense-in-depth, etc. While mitigations will be covered, we will point out the relevant security documentation provided by the cloud provider for further self-study.

We expect the trainees to bring their own AWS and Google Cloud account for the training. We will be providing detailed instructions on how to ensure that you are ready to tackle the class before you arrive for it.

Training level: Intermediate

TRAINING OUTLINE:

Day 1 (Cloud Compute, Serverless, Load Balancers, and Kubernetes)

• Setting up the infrastructure for attacks using Terraform
• Understanding pentesting requirements for AWS and Google Cloud
• Attacking AWS EC2 and Google Cloud VM instances
• IMDSv1 and IMDSv2
• Attacking Serverless (Lambda and Cloud Run)
• Attacking Load balancers and Web Application Firewalls
• Real world attacks with Kubernetes

Day 2 (Cloud Storage, Cloud Databases, and IAM)

• Identifying vulnerable cloud storage services
• AWS S3 and Google Cloud Storage
• Attacking Disk Storage, Backups, and Cloud Forensics
• Attacking AWS RDS and Google Cloud Firestore
• IAM – Policies, weaknesses, misconfigurations in AWS and Google Cloud
• Stealing API keys, service account tokens, and (ab)using temporary credentials

Day 3 (OSINT, Cloud Networking, Security tools, CTF)

• OSINT techniques, subdomain enumeration, and DNS
• Subdomain Takeovers in AWS and Google Cloud
• Misconfigurations in Cloud Networking
• Auditing Cloud platforms and inbuilt security services
• Capture The Flag!
• Infrastructure disassembly

WHAT TO BRING?

• Laptop with a modern OS Windows 10/OSX/Linux
• VirtualBox - v6.1.30 or above
• Closer to the conference we will provide a VM that will have to be downloaded and deployed using VirtualBox. Other virtualization software may also work with the VM but the troubleshooting will be time-consuming so VirtualBox is preferred.
• Updated browsers such as Chrome, Firefox
• Ability to connect to a wireless/wired network
• Own AWS and Google Cloud account which has been activated for payments

TRAINING PREREQUISITES:

• Familiarity with AWS console and the Google Cloud Console
• Familiarity with security testing basics and tools like Nmap, Burp Suite
• Comfortable using command-line tools to log in to servers, install packages, execute scripts and applications
• Basics of HTTP, JavaScript
• Basics of Networking concepts enough to understand Cloud Architecture
• Ideally, you should have started VMs in AWS or Google Cloud, configured S3 buckets, and have some idea of what IAM is

WHO SHOULD ATTEND?

• Pentesters and Security Testers
• Security Professionals
• Cloud/IT Professionals
• DevSecOps Professionals

WHAT TO EXPECT?

• Completely hands-on
• Automation scripts will be provided to bring up your AWS and Google Cloud infrastructure
• Fast-paced training (we have a lot of content and a ton of experiences to share)
• While we will be using free-tier AWS and free credits on Google Cloud services as much as possible, you can expect some minimal account charges
• Lots of fun and bad jokes by Riyaz

WHAT ATTENDEES WILL GET?

• Complete training hands-on guide. This will be in an e-book format such as ePub, Mobi, and PDF
• References and links for further studying

WHAT NOT TO EXPECT?

• Lots of theory. The training is designed to be hands-on.
• DevOps concepts
• Deep dive into services and implementation (we can talk about these but we will run out of time)

About Trainer

Riyaz Walikar is the Chief Hacker and Co-Founder at Kloudle, a cloud security SaaS product used by Engineers to automate cloud security so that they can go back to focusing on building great stuff! He also serves as a Technical and Strategic Advisor at Appsecco. He has over a decade of experience in offensive security, hacking his way into web applications, mobile apps, wireless networks, thick clients, and cloud and container-based infrastructure.

As part of his professional career, he has led security testing teams at Microland, PwC, Citrix, and Appsecco. He likes to evangelize cybersecurity and has been a speaker/trainer and multiple hacker conferences around the world including BlackHat, DefCON, OWASP AppsecUSA, Nullcon, and c0c0n.

He has co-authored 2 books and loves teaching cybersecurity which he does through various online blogs and publications, in-person and online training programs, community talks, conference presentations, and beer sessions.

When he is not writing/breaking code, you can find him dabbling in photography, playing video games, googling for weight loss solutions, stargazing, or laughing at his own jokes.

Linkedin: https://in.linkedin.com/in/riyazw

Twitter: @riyazwalikar

Blog: https://ibreak.software

Rohit is a Cloud security team lead with Appsecco. He has a strong passion for information security and has 7 years of experience in the field. His areas of expertise are Application Security, Infrastructure security, Reconnaissance, and Cloud security. He has led penetration testing engagements in many countries and performed numerous onsite engagements. He is an active member of the null open security community.