What You Will Learn
Computing workloads have been moving to the cloud for years. Analysts predict that most if not all companies will have workloads in public and other cloud environments in the very near future. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when it comes to assessing risk to organizations, we need to be prepared to assess the security of cloud-delivered services. In this course you will learn the latest in penetration testing techniques focused on the cloud and how to assess cloud environments.
The most commonly asked questions regarding cloud security are "Do I need training for cloud-specific penetration testing?" and "Can I accomplish my objectives with other pen test training and apply it to the cloud?" The answer to both questions is yes, but to understand why, we need to address the explicit importance of having cloud-focused penetration testing. In cloud-service-provider environments, penetration testers will not encounter a traditional data center design. Specifically, what we rely on to be true in a traditional setting - such as who owns the Operating System, who owns the infrastructure, and how the applications are running - will likely be very different. Applications, services, and data will be hosted on a shared hosting environment that is potentially unique to each cloud provider.
What makes cloud native different? The Cloud Native Computing Foundation, which was chartered to provide guidance on what is a cloud-first and cloud-native application, states that the application and environment will be composed of containers, service meshes, microservices, immutable infrastructure, and declarative APIs.
While some of these items are available in a non-cloud environment, in the cloud these features are further decomposed into services that are made available by cloud providers. In this environment, an example of complexity is a microservices architecture in which there may be a virtual machine, a container, or even what is considered a "serverless" hosting area. We must therefore deal with additional complexity in order to appropriately assess this environment, stay within the legal bounds, and learn new and different ways to perform what we would consider legacy attacks.
SEC588 dives into these topics as well as other new topics that appear in the cloud like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. The course also specifically covers Azure and AWS penetration testing, which is particularly important given that Amazon Web Services and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies, but rather to teach you how to assess and report on the true risk that the organization could face if these services are left insecure.
Syllabus (36 CPEs)
In this course section you will be conducting the first phases of a Cloud-Focused Penetration Testing Assessment. We'll get familiar with how the terms of service, demarcation points, and limits imposed by cloud service providers function. There are labs on how open databases and Internet-level scans can be used in near real time as well as historically to uncover target infrastructure and vulnerabilities. In this course section we'll describe how web scale affects reconnaissance and how we can best address it. The exercises are designed to walk through the discovery of useful artifacts and the labs themselves throughout the course - a virtual hacker treasure hunt!
- Discovery Using Cloud-Focused Enumeration Tools such as Gobuster
- Port Scanning Methodology Using Network Scanners such as Masscan
- Discovering Artifacts in Git Repositories
- Abusing Databases for Privilege Escalation with Redis and NoSQL
- EyeWitness and Visual Reconnaissance
- Cloud Assessment Methodology
- Infrastructure Cloud Components
- Terms of Service and Demarcation Points
- Domains and Certificates for Enumeration
- Host Discovery with Masscan and Nmap
- Git Mirroring
- Services and Databases in the Cloud
- Recon and Discovery through Visual Tracking
In this course section we'll show the differences between mapping at the port level, application-level, and infrastructure mapping through cloud-service-provider APIs. The section features labs designed to show how we can go from outer to inner reconnaissance and discovery. We'll then shift to three very important and interrelated topics: authentication and authorization in APIs, identifying undisclosed APIs and how they can be used, and how to abuse privilege and identity management. Amazon Web Services and other cloud providers have adopted an RBAC system to which many of their services can turn for authorization checking. The last part of this section will cover privileges in RBAC and how we can abuse them to elevate privileges. Our labs will show how a low-privilege user can run Lambda functions, enumerate S3 buckets, execute EC2 instances, and even decrypt sensitive data.
- Mapping out Web Services with cURL
- AWS CLI User and Privilege Enumeration
- Finding and Using Undocumented APIs
- AWS IAM Privilege Escalations to Locate S3 Buckets and Execute EC2
- AWS IAM Privilege Escalations to Execute KMS and Lambda Functions
- Automation with Pacu
- Cloud SDKs
- AWS IAM and Privileges
- Building and Using Powerful Wordlists
- Turning Tokens into Access
- Persistence through AWS IAM
While Amazon Web Services holds the largest share of the market, many large enterprises are moving their on-premises workloads into the cloud. Microsoft Azure, while equivalent to many other cloud providers, also has some unique services that are used. Azure Active Directory and other user services such as Office 365, Exchange, and even Microsoft Graph are unique in their services. This section will introduce you to an Azure environment in which we have provided Windows machines, containers, and services. As during the previous course sections, the environments are live and running, and each has its own set of artifacts to run through. We will leverage similar CLI tooling to take over Azure services in a controlled manner.
- Familiarizing Ourselves with Azure CLI Tools, Virtual Machines, and Blob Stores
- Privilege Escalations in Azure
- Microsoft Graph API
- Windows Containers
- Azure Active Directory and SAML
- Volume Shadow Copies in the Cloud
- Azure Active Directory
- VHD and Volume Shadow Copies
- SAML and Microsoft ADFS
- Windows Containers
- Azure Roles
- Microsoft Graph API
The fourth section of this course focuses on what are referred to as cloud native applications. While the instruction particularly examines web applications themselves, it is designed to show how cloud native applications operate and how we can assess them. More and more, what we see being created in the wild are applications that are container-packaged and microservice-oriented. These applications will have their nuances. They will typically be deployed in a service mesh, which at times could indicate that a system like Kubernetes is used. We will be exploring many questions in this section, including:
- Which application vulnerabilities are very critical in my environments?
- How do Serverless and Lambda change my approach?
- How do managed and unmanaged Kubernetes change my testing?
- How do microservice applications operate?
- What is the CI/CD pipeline and how can it be abused?
- Backdooring CI/CD
- Discovering Routes and Hidden Consoles
- SSRF Impacts on Cloud Environments
- Command Line Injections
- SQL Injections
- Peirates for Container Escape
- Injecting Functionless Environments Using LambdaShell
- AWS IAM Metadata Discovery
- Kubernetes and Escapes
- TravisCI and Git Actions
- Moving Laterally Across Containers
- Privileged and Unprivileged Containers
The final section of this course explores the world of exploitation and red teaming in the cloud. By this time we have a very good understanding of our target environments, and as such we will explore how we can exploit what we have found, advance further into the environments, and finally how to move around laterally. This includes breaking out of containers and service meshes and exfiltrating data in various ways to show the real business impact of these types of attacks.
- Credential Stuffing and Leveraging Password Methodologies
- Backdooring Web Applications with Tokens
- Heavy and Lite Shells
- Backdooring Containers
- Load Balancer and Proxy Abuse
- Windows Backdoors
- Red Team and Methodologies
- Heavy and Lite Shells
- Data Smuggling
- Avoiding Detections
Be prepared on your last day to work as a team and complete an end-to-end assessment in a new cloud environment. The applications and environments are all newly designed to imitate real-world environments. This day is designed to allow students to put together the week's worth of knowledge, reinforcing theory and practice, and simulating an end-to-end test. It is also a capstone event, as we will be asking students to write a report using a method that is easy to read for both developers and administrative staff. We will provide students with a few rubrics and ways to work through the scenarios. There are always new and novel solutions and we like students to share what they have learned and how they did what they did with each other.
Important! Bring your own system configured according to these instructions!
We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
System Hardware Requirements
- 64-bit Intel i5/i7 2.0+ GHz processor
- Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
- VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
- Windows users can use this article to learn more about their CPU and OS capabilities.
- Apple users can use this support page to learn more information about Mac 64-bit capability.
- Enabled "Intel-VT"
- Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.
- USB 3.0 Type-A port
- At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.
- 8 GB RAM (4 GB minimum) is required for the best experience. To verify on Windows 10, press Windows key to open Settings, then click "System," then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."
Hard Drive Free Space
- 60 GB of FREE space on the hard drive is critical to host the virtual machines and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
Additional Hardware Requirements
The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.
- Network, Wireless Connection
- A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.
Additional Software Requirements
- Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
- Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.
- VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
System Configuration Settings
- Local Admin - Have an account with local admin privileges.
- Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.
- Disable VPN - The ability to disable your enterprise VPN client temporarily for some exercises.
- Enterprise VPN clients may interfere with the network configuration required to participate in the class. To avoid any frustration in class, uninstall or disable your enterprise VPN client for the duration of the class. If you keep it installed, make sure that you have the access to disable or uninstall it at class.
- Disable AV - The ability to disable your anti-virus tools temporarily for some exercises.
- You will be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"When I was first asked about putting together a cloud penetration testing class, there were many questions. Could there be room for a class as 'niche' as this? We felt the need to have a class with all new material and topics that we had not covered in any of our other penetration testing classes. I believe we have met that need with this class in ways most could not have imagined. This class breaks the rules and allows us to help you test, assess, and secure cloud environments."
- Moses Frost