Owning a company through their logs
Download as PPTX, PDF•0 likes•144 views
A security engineer discusses how logs and passive reconnaissance can reveal sensitive information like AWS credentials. The engineer searched for open Jenkins and SonarQube instances which led to discovering Slack channels containing AWS access keys. Key lessons are to know your boundaries, automate mundane tasks, don't presume systems mask secrets, and persistence is important in security work.
![Slack Channels --> AWS creds
● slack channel list
● aws s3api list-buckets — query “Buckets[].Name”](https://image.slidesharecdn.com/owningacompanythroughtheirlogs-200717160737/85/Owning-a-company-through-their-logs-8-320.jpg)
Owning a company through their logs
- 1. Owning a company through their logs Aseem Shrey Security Engineer ( Grofers ) @AseemShrey
- 2. Can logs be that useful ?
- 3. How did I get here ? ● Passive Reconnaissance - Shodan ● Searching for Jenkins and Sonarqube open instances
- 8. Slack Channels --> AWS creds ● slack channel list ● aws s3api list-buckets — query “Buckets[].Name”
- 9. Key Takeaways ● Know your boundaries : If you think that the data you’ve got access wasn’t meant to be accessible to you and was meant to be private, STOP. Take written permission from the company before testing any further. ● Automate them all : Let machines take over ( The mundane tasks only ). While I had automated the screenshot part, I was also checking for RCE on Jenkins on these instances ( i.e. Jenkins instances with open Script Console and I did get quite a few ) ● Don’t presume anything : Now, usually Jenkins replaces secrets with asterisks but it can’t mask the tool output and as in this case the zookeeper was leaking the credentials. ● No secret sauce : Bugs are simple, persistence is the key.
- 10. The Blogpost