I Hacked The Cloud: Azure Managed Identities
Рет қаралды 59,972
Ай бұрынjh.live/alteredsecurity || Altered Security has just released their new "Advanced Azure Attacks" course and "Certified Azure Red Team Expert" certification -- use code HAMMOND20 for 20% off ALL THREE of their Azure courses! jh.live/alteredsecurity
🗨️ "I Hacked The Cloud" -- compromising an Azure website, swiping the access token for the managed identity of the web app, leveraging permissions to gain code execution on a virtual machine, and extracting credentials for further access! 😎 💬
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZbin ALGORITHM ➡ Like, Comment, & Subscribe!
@wildstorm74 Ай бұрын
Im actually really happy with myself, because I actually understood all of that. My self studying been paying off.
@binary_galaxies Ай бұрын
that feeling is always the best
@mrstocks Ай бұрын
also but whats that coffee she is drinking
@myutyoube Ай бұрын
So...... you're telling me there's a chance. For me that is. ;)
@wildstorm74 Ай бұрын
@@mrstocks who's what drinking?
@wildstorm74 Ай бұрын
@@myutyoube It took me about 1 year of reading and studying, but yes. Effort and time is everyone's thing, if you are willing to put in time.😎
@darshannaik1676 Ай бұрын
I regulary Watch Your Video , But today i wanna say thank you to you man,.. You are doing great job. You Motivate me to work in the cyber security field in interesting way. Thank You John Sir !!🙏🏻🙏🏻
@RajuSingh-pr8ec Ай бұрын
Pjuup the :-[8-:'(😮
@DePhoegonIsle Ай бұрын
If this isn't a complete course on why you should disable code or execution of things on an entire directory, or ya know disable direct access to user uploades using an set to call the files in a sanitized way, as clean text only. I have to admit it's cool to see some of these things, but alot of these vulnerablities come off more as Pebuac sorts of the one who setup that web service, and less in 'it's in the cloud'.
@diabilliq Ай бұрын
very cool writeup! this is something that will get mitigated once CAE (continuous access evaluation) support managed identities.
@fredrikzels2637 Ай бұрын
This was great. I understood most of it. Started out with PS and now i'm learning linux OS to understand the basics before I go to networks and further.
@greob Ай бұрын
Very nice demonstration!
@xCheddarB0b42x Ай бұрын
Rad stuff. I guess one way to learn Azure AD I mean Entra ID is to learn some attack chains.
@PracticalAIinstitute Ай бұрын
NICE!! well done and thanks for theat
@IvanStamenkovicSeemsIndie Ай бұрын
I am literally right now deploying AKS cluster, and also using Managed Identities for internal stuff. Damn, have to watch this :D
@zanidd Ай бұрын
I actually wanted to get a blue team cert after the CBBH, but this looks too tempting
@malikgenius4u 22 күн бұрын
great demo ... i didnt know it could escalate this far... secure sites are the key to protect cloud env.
@antifreeze44 Ай бұрын
John's the best there is. These are so Insighful.
@chris94kennedy 28 күн бұрын
i mean the website is as secure as an overweight asleep security guard. It's easy to be insightful when the fucking door is left open for you to walk straight through.
@subhankarpaul9743 Ай бұрын
Really awesome video 🎉.....i also learning cloud security 😀
@NicolasPare Ай бұрын
John has 'dirbuster' integrated right into his browser's auto complete suggestions :)
@logiciananimal Ай бұрын
If one needs a name, the initial access of the managed identity endpoint is effectively a case of SSRF - server side request forgery.
@chris94kennedy Ай бұрын
probably a dumb question, I'm no cybersecurity engineer, but what sort of website would allow you to just straight up browse /uploads in order to interact with arbitrary data you uploaded?
@Clemens.Gooooo Ай бұрын
You need directory listing enabled for browsing the /upload folder...
@xCheddarB0b42x Ай бұрын
This is not a dumb question. "Insecure Design" is a security flaw that appears often enough that it appears on the OWASP Top 10.
@simple-security Ай бұрын
Not really the point.many lessons here. Improve best practices for dev secops. Use auto code checks when pushing to repos. Use cspm to check configs. Etc
@chris94kennedy Ай бұрын
@@simple-security I think that's the point I'm making isn't it? Those things would definitely be done by any company worth their salt. This is an unrealistic video and just seems to pick the most lightweight website possible to attack with a vector that should be easily closed. Who deploys a website that takes not only user input but pretty much any file you want in such a ridiculously insecure and open way. This is like the sort of vulnerability you might see when someone is in a bootcamp or right at the start of their career, imo? I just feel like this is one of those videos that sort of 'strawmans' a website that rarely exists in the wild, and certianly not one maintained by a company with anything sensitive to protect. It says in the title that it exploits an Azure website but actually he's exploiting a pathetically secured website that would have a whole bunch of other issues unrelated to Azure. Please correct me if I'm wrong, as I said I'm not an expert, but I do have a little bit of experience with cybersec; I recently implemented an OIDC compliant IdP SaaS prototype for my company which passed external pen test with no advisories to resolve. As a complete non-expert, if I can do that, every other engineer with at least a couple years under their belt could do exactly the same. Basically what I'm saying is no website that behaves and is so insecure like this one would be deployed by anyone with a bit of experience, so this is just a basically useless video because company's with literally anything to hide, i.e. every company lol, aren't going to do this. Happy to be corrected! :)
@youtonew Ай бұрын
if we know that there is the page after uploads and we know page name (like you you create your own sheell and there you spesify the C and then you modify the url c=whoami and its executed if we dont upload this kind of shell) then how we execute commands in url
@Sleeping_Aizawa Ай бұрын
😊 love how your skills have evolved into beautiful public resources for knowledge, understanding, and wisdom. Thank you for all you time and teachings
@xx-be2uz Ай бұрын
I do not understand in 06:31 where did you gather the api-version from
@BillAnt Ай бұрын
Boom, another vuln got Hammonded! :D
@creatorofimages7925 Ай бұрын
Ah, I see John on the quick side of things. >:D The whole Azure *Tree* with all the Kubernetes Cluster Setups and Managements is beautifully riddled with ... holes. :D
@hazembenmadhi9500 5 күн бұрын
does there is any ctf challenge for demo this attack or something similar to it like azure active directory attacks?
@ambroserapose5082 Ай бұрын
Hey John, I am a victim of someone hacking my multiple accounts gmail microsoft Facebook twitter etc maybe through my phone or somehow they got access to my Google password manager, Is there any safety steps I can take other than changing password and adding 2 factor authenticator app? Any help is appreciated.
@simbad3311 Ай бұрын
Really cool mate👍
@Hybrid_Netowrks 28 күн бұрын
As always John the king of security
@CesSanchez Ай бұрын
Shoulnd't it be Entra ID, instead of Azure AD, in the cert?
@gvoden 29 күн бұрын
another great video!
@ancipital Ай бұрын
Interesting stuff - thanks!
@HitemAriania Ай бұрын
Sir, its Entra ID sir
@HarmonicaMustang Ай бұрын
Viva la résistance
@papidulzuratravel8715 17 күн бұрын
Amazing thanks!
@MsDuketown Ай бұрын
Great uses of SAAS tools! These git-flows all lead back home, and with resources beyond 09-01-2017... So working with URI's is similar to working with URL's, but without the universal curl commandeer? Awesome! Who could of think of that? Next up Amazon AWS? Cloudfare? Some other CDN, like fonts for Google?
@david3199 Ай бұрын
HI John
@ALEXWARELLC Ай бұрын
Security is only as good as the person who sets it up.
@55mga Ай бұрын
Your videos are great. Keep it up, it really helps us all learn. But I admit the conditions for this hack were staged for the hacking adventure, but it shows how multiple vulnerabilities can be used. Thank you.
@alone_rider_988 Ай бұрын
Bro do you know how does someone exploited all the data of boat company
@wildstorm74 Ай бұрын
Do you mean big companies, not goat companies?🤔
@stevenhernandez6856 Ай бұрын
@@wildstorm74 boat
@alone_rider_988 Ай бұрын
I mean boat a speaker etc brand
@wildstorm74 Ай бұрын
@@alone_rider_988oh, I was reading and typing too fast.😅😒
@KyAreTR Ай бұрын
Isnt all of your attack possible because of the website and code uploaded to the i guess webapp? And not because of Azure, WebApps, Functions or other PaaS in Azure? The Title seems very Clickbaity. Please educate me
@ryandawson1220 Ай бұрын
I agree on this one. When an RCE happens on your server, they will always have access to secrets in one form or fashion. We are pulling our secrets in via Azure Keyvault at runtime with a managed identity, so this particular video interested me. This makes it super easy for the attacker to get access to the Keyvault to pull secrets. However if they are already on the server, they could dump memory and get them this one. I think the one take away is to make sure your managed identities are properly scoped. Don't use one managed identity for all applications.
@KyAreTR Ай бұрын
Agree. Use system managed identity and use IAM to grant access to needed ressources and thats it. And i really do hope that people do not have VMs with PublicIPs available in azure...use a loadbalancer at least infront of it.
@rnts08 Ай бұрын
110% clickbait. The vulnerability is SSI, which has been known for 20+ years surfacing again due to clueless DevOps managing infrastructure.
@basavarajtippannavar3092 Ай бұрын
Bro where is the XZ back door proof of concept video
@joelanzo Ай бұрын
Serious
@JohnSmith-jc7dk Ай бұрын
You cant get away with this.
@carsonjamesiv2512 Ай бұрын
COOL!
@Iheb4166 Ай бұрын
You remind me of networkchuck
@shakibbro2 24 күн бұрын
please 1 video how to hacked gmail password please please new video 🙏🙏🙏🙏🙏🙏
@courageousmelon5654 Ай бұрын
Azure Active Directory? Don't you mean Entra ID? 🤮
@velo1337 Ай бұрын
funny that windows defender detects this as a trojan
@peaktheweak Ай бұрын
is it just me or did he look at the eclipse a little too long? eyes r a lil red lookin
@user-ef1rs5to5y Ай бұрын
Is bro still at the hotel that he leaked the address to in his last video? 😭 be safe bro
@pranavbanerjee8625 Ай бұрын
Why should he worry about that tho?
@jwspock1690 Ай бұрын
top
@user-yw1lb5ru7p Ай бұрын
Old hackers descend ppl from sky to earth sow y will never reach them😂😂😂
@jmanuelng Ай бұрын
😱
@lachine1 Ай бұрын
early gang
@BoogeyMan.00 29 күн бұрын
Hack my company if you can HOHOHOHO 👹👺👺
@fredrikzels2637 Ай бұрын
This was great. I understood most of it. Started out with PS and now i'm learning linux OS to understand the basics before I go to networks and further.
BEN EAGLE
Рет қаралды 31 МЛН
Paano BA kuya TV
Рет қаралды 5