Rocky Mountain HackFest

Denver, CO | Mon, Jun 1 - Mon, Jun 8, 2020
This course is sold out. Join the waitlist below or view other class locations & virtual options.

SEC588: Cloud Penetration Testing Waitlist

Wed, June 3 - Mon, June 8, 2020

Because this course is offered as a beta including discounted pricing, seating is limited to a maximum of two seats per organization. No additional discounts apply.

Computing workloads have been moving to the cloud for years. Analysts predict that most if not all companies will have workloads in public and other cloud environments in the very near future. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when it comes to assessing risk to organizations, we need to be prepared to assess the security of cloud-delivered services. In this course you will learn the latest in penetration testing techniques focused on the cloud and how to assess cloud environments.

The most commonly asked questions regarding cloud security are "Do I need training for cloud-specific penetration testing?" and "Can I accomplish my objectives with other pen test training and apply it to the cloud?" The answer to both questions is yes, but to understand why, we need to address the explicit importance of having cloud-focused penetration testing. In cloud-service-provider environments, penetration testers will not encounter a traditional data center design. Specifically, what we rely on to be true in a traditional setting - such as who owns the operating system, who owns the infrastructure, and how the applications are running - will likely be very different. Applications, services, and data will be hosted on a shared hosting environment that is potentially unique to each cloud provider.

What makes cloud native different? The Cloud Native Computing Foundation, which was chartered to provide guidance on what is a cloud-first and cloud-native application, states that the application and environment will be composed of containers, service meshes, microservices, immutable infrastructure, and declarative APIs.

While some of these items are available in a non-cloud environment, in the cloud these features are further decomposed into services that are made available by cloud providers. In this environment, an example of complexity is a microservices architecture in which there may be a virtual machine, a container, or even what is considered a "serverless" hosting area. We must therefore deal with additional complexity in order to appropriately assess this environment, stay within the legal bounds, and learn new and different ways to perform what we would consider legacy attacks.

SEC588 dives into these topics as well as other new topics that appear in the cloud like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. The course also specifically covers Azure and AWS penetration testing, which is particularly important given that Amazon Web Services and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies, but rather to teach you how to assess and report on the true risk that the organization could face if these services are left insecure.

Course Syllabus


Moses Frost
Wed Jun 3rd, 2020
9:00 AM - 5:00 PM

Overview

In this course section you will be conducting the first phases of a Cloud-Focused Penetration Testing Assessment. We'll get familiar with how the terms of service, demarcation points, and limits imposed by cloud service providers function. There are labs on how open databases and Internet-level scans can be used in near real time as well as historically to uncover target infrastructure and vulnerabilities. In this course section we'll describe how web scale affects reconnaissance and how we can best address it. The exercises are designed to walk through the discovery of useful artifacts and the labs themselves throughout the course - a virtual hacker treasure hunt!

Exercises
  • Discovery Using Cloud-Focused Enumeration Tools such as GoBuster
  • Port Scanning Methodology Using Network Scanners such as MassCAN
  • Discovering Artifacts in Git Repositories
  • Abusing Databases for Privilege Escalation with Redis and NoSQL
  • Eyewitness and Visual Reconnaissance

CPE/CMU Credits: 6

Topics
  • Cloud Assessment Methodology
  • Infrastructure Cloud Components
  • Terms of Service and Demarcation Points
  • Domains and Certificates for Enumeration
  • Host Discovery with MassCAN and Nmap
  • Git Mirroring
  • Services and Databases in the Cloud
  • Recon and Discovery through Visual Tracking

Moses Frost
Thu Jun 4th, 2020
9:00 AM - 5:00 PM

Overview

In this course section we'll show the differences between mapping at the port level, application-level, and infrastructure mapping through cloud-service-provider APIs. The section features labs designed to show how we can go from outer to inner reconnaissance and discovery. We'll then shift to three very important and interrelated topics: authentication and authorization in APIs, identifying undisclosed APIs and how they can be used, and how to abuse privilege and identity management. Amazon Web Services and other cloud providers have adopted an RBAC system to which many of their services can turn for authorization checking. The last part of this section will cover privileges in RBAC and how we can abuse them to elevate privileges. Our labs will show how a low-privilege user can run Lambda functions, enumerate S3 buckets, execute EC2 instances, and even decrypt sensitive data.

Exercises
  • Mapping out Web Services with cURL
  • AWS CLI User and Privilege Enumeration
  • Finding and Using Undocumented APIs
  • AWS IAM Privilege Escalations to Locate S3 Buckets and Execute EC2
  • AWS IAM Privilege Escalations to Execute KMS and Lambda Functions
  • Automation with PACU

CPE/CMU Credits: 6

Topics
  • APIs
  • Cloud SDKs
  • AWS IAM and Privileges
  • Building and Using Powerful Wordlists
  • Turning Tokens into Access
  • Persistence through AWS IAM

Moses Frost
Fri Jun 5th, 2020
9:00 AM - 5:00 PM

Overview

While Amazon Web Services holds the largest share of the market, many large enterprises are moving their on-premise workloads into the cloud. Microsoft Azure, while being equivalent to many other cloud providers, also has some unique services that are used. Azure Active Directory and other user services such as Office365, Exchange, and even Microsoft Graph are unique in their services. This section will introduce you to an Azure Environment in which we have provided Windows machines, containers, and services. As during the previous course sections, the environments are live and running, and each has its own set of artifacts to run through. We will leverage similar CLI tooling to take over Azure services in a controlled manner.

Exercises
  • Familiarizing Ourselves with Azure CLI Tools, Virtual Machines, and Blob Stores
  • Privilege Escalations in Azure
  • Microsoft Graph API
  • Windows Containers
  • Azure Active Directory and SAML
  • Volume Shadow Copies in the Cloud

CPE/CMU Credits: 6

Topics
  • Azure Active Directory
  • VHD and Volume Shadow Copies
  • SAML and Microsoft ADFS
  • Windows Containers
  • Azure Roles
  • Microsoft Graph API
  • Office365

Moses Frost
Sat Jun 6th, 2020
9:00 AM - 5:00 PM

Overview

The fourth section of this course focuses on what are referred to as cloud native applications. While the instruction particularly examines web applications themselves, it is designed to show how cloud native applications operate and how we can assess them. More and more, what we see being created in the wild are applications that are container-packaged and microservice-oriented. These applications will have their nuances. They will typically be deployed in a service mesh, which at times could indicate that a system like Kubernetes is used. We will be exploring many questions in this section, including:

  • Which application vulnerabilities are very critical in my environments?
  • How do Serverless and Lambda change my approach?
  • How do managed and unmanaged Kubernetes change my testing?
  • How do microservice applications operate?
  • What is the CI/CD pipeline and how can it be abused?

Exercises
  • Backdooring CI/CD
  • Discovering Routes and Hidden Consoles
  • SSRF Impacts on Cloud Environments
  • Command Line Injections
  • SQL Injections
  • Peirates for Container Escape
  • Injecting Functionless Environments Using LambdaShell

CPE/CMU Credits: 6

Topics
  • AWS IAM Metadata Discovery
  • Kubernetes and Escapes
  • TravisCI and Git Actions
  • Moving Laterally Across Containers
  • Privileged and Unprivileged Containers

Moses Frost
Sun Jun 7th, 2020
9:00 AM - 5:00 PM

Overview

The final section of this course explores the world of exploitation and red teaming in the cloud. By this time we have a very good understanding of our target environments, and as such we will explore how we can exploit what we have found, advance further into the environments, and finally how to move around laterally. This includes breaking out of containers and service meshes and exfiltrating data in various ways to show the real business impact of these types of attacks.

Exercises
  • Credential Stuffing and Leveraging Password Methodologies
  • Backdooring Web Applications with Tokens
  • Heavy and Lite Shells
  • Backdooring Containers
  • Load Balancer and Proxy Abuse
  • Windows Backdoors

CPE/CMU Credits: 6

Topics
  • Red Team and Methodologies
  • Heavy and Lite Shells
  • Data Smuggling
  • Avoiding Detections

Moses Frost
Mon Jun 8th, 2020
9:00 AM - 5:00 PM

Overview

Be prepared on your last day to work as a team and complete an end-to-end assessment in a new cloud environment. The applications and environments are all newly designed to imitate real-world environments. This day is designed to allow students to put together the week's worth of knowledge, reinforcing theory and practice, and simulating an end-to-end test. It is also a capstone event, as we will be asking students to write a report using a method that is easy to read for both developers and administrative staff. We will provide students with a few rubrics and ways to work through the scenarios. There are always new and novel solutions and we like students to share what they have learned and how they did what they did with each other.

CPE/CMU Credits: 6

Additional Information

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. These requirements are the mandatory minimums. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. We strongly urge you to arrive with a system meeting all the requirements specified for the course. It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements

CPU

  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
    • VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
    • Windows users can use this article to learn more about their CPU and OS capabilities.
    • Apple users can use this support page to learn more information about Mac 64-bit capability.

BIOS

  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.

USB

  • USB 3.0 Type-A port
  • At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.

RAM

  • 8 GB RAM (4 GB minimum)
  • 8 GB RAM (4 GB minimum) is required for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System," then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."

Hard Drive Free Space

  • 30 GB of FREE space on the hard drive is critical to host the virtual machines and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

  • Windows, macOS, or Linux
  • Any operating system (Windows, macOS, or Linux) that can run VMware Workstation Player/Pro or VMware Fusion. Those who use a Linux host must be able to access the ExFAT partitions using the appropriate kernel or FUSE modules.

Additional Hardware Requirements

The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

  • Network, Wireless Connection
  • A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

Additional Software Requirements

  • VMware Workstation 15 or Fusion 11
  • Please note: VMware Workstation 15 or Fusion 11 is mandatory. VMware Player will not meet this requirement. You must have the ability to take virtual machine snapshots, and you cannot do this with VMware Player. VirtualBox is not supported and may interfere with our labs. It should not be installed on a system you are planning to use for this class. If you do not own a licensed copy of VMware Workstation 15 or Fusion 11, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at its website.
  • Credential Guard
  • If your host computer is running Windows, Credential Guard may interfere with the ability to run VMs. It is important that you start up VMware prior to class and confirm that virtual machines can run. It is required that Credential Guard be turned off prior to coming to class.

System Configuration Settings

  • Local Admin - Have an account with local admin privileges.
  • Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.
  • Disable VPN - The ability to disable your enterprise VPN client temporarily for some exercises.
  • Enterprise VPN clients may interfere with the network configuration required to participate in the class. To avoid any frustration in class, uninstall or disable your enterprise VPN client for the duration of the class. If you keep it installed, make sure that you have the access needed to disable or uninstall it in class.
  • Disable AV - The ability to disable your anti-virus tools temporarily for some exercises.
  • You will be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Both attack-focused and defense-focused security practitioners will benefit greatly from this course by gaining a deep understanding of vulnerabilities, insecure configurations, and associated business risk to their organizations.

This course benefits penetration testers, vulnerability analysts, risk assessment officers, DevOps engineers, site reliability engineers, and many more.

  • Access to the in-class Virtual Training Lab for over 30 in-depth labs
  • A course USB with many tools used for all in-house labs
  • Conduct cloud-based penetration tests
  • Assess cloud environments and bring value back to the business by locating vulnerabilities
  • Understand first-hand how cloud environments are constructed and how scale factors into the gathering of evidence

You will immediately be able to apply what you have learned. SEC588 addresses how to assess security risks in Amazon and Microsoft Azure environments, the two largest cloud platforms in the market today.

Author Statement

"When I was first asked about putting together a cloud penetration testing class, there were many questions. Could there be room for a class as 'niche' as this? We felt the need to have a class with all new material and topics that we had not covered in any of our other penetration testing classes. I believe we have met that need with this class in ways most could not have imagined. This class breaks the rules and allows us to help you test, assess, and secure cloud environments."

- Moses Frost