I attended a recent on-line preview training of Breaching the Cloud Perimeter; presented by Beau Bullack (@dafthack). This training mentioned a technique of using a script named FireProx with an AWS API Gateway to create a pass-through proxy; which rotated the source IP Address with every request. I was very intrigued and wondered how I could use this technique during a pentest.
My first thought was why not use TOR? But, then I thought of cloud applications like Azure/O365 that implement conditional geolocation. Using the regions within AWS would give me better control of where my source IP Address originated, as well as possibly bypassing conditional geolocation. As to TOR, I do not believe that it has the ability to control the region of the source IP Address.
Since an AWS instance was required, I did have a few concerns of being able to be traced back to the instance. However, since I would be utilizing the service during an authorized penetration test, my concern somewhat subsided.
AWS API Gateway:
First and foremost, one needs to have an AWS account, preferably root access, to create a group and user account. This account will be required so that FireProx can create the pass-through proxy.
Authenticate to the AWS Management Console, select Services, and then IAM to open the Identity and Access Management dashboard.
Within the IAM Dashboard, select Groups from the Access management submenu on the left side of the dashboard.
Next, click on the Create New Group button to open the Create New Group Wizard. Enter the name of the group within the Group Name field box and select the Next button.
Select the AmazonAPIGatewayAdministrator policy from the available policies and then click on the Next Step button; followed by the Create Group button.
With the group created, create the user account by selecting Users from the Access management submenu on the left side of the dashboard.
Select the Add User button and enter a user name in the User Name field box. Select the check box of Programmatic access for the Access type and then select the Next: Permissions button.
Next, select the check box next to the newly created group (from above) and then click on the Next: Tags button.
There is no need to add any information about tags at this time. So, skip this by clicking on the Next: Review button.
After reviewing the options, click on the Create user button.
If the user has been successfully created, copy the contents for the Access key ID and the Secret access key. These keys will be needed when using FireProx.
Lastly, click on the Close button to finish.
FireProx:
To use FireProx, one has two options to execute the script. The first is by using a virtual Python 3 environment and the second is using a Docker environment. I have used both environments, but I prefer the Docker environment.
After installing Docker, as well as downloading the FireProx GitHub repository, build the Docker image.
Usage:
To create the pass-through proxy, run the Docker image of FireProx, use the access-key and secret-access-key from the newly created AWS API account. In addition, specify the region to proxy from as well as the URL to be proxied.
All that is left to do is to copy the FireProx proxied URL to a browser or other script/application and that is it.
Shout Out:
Wanted to throw a shout out to @dafthack for providing a few nudges along the way.
References:
https://github.com/ustayready/fireprox
https://blogs.perficient.com/2019/08/27/how-to-use-the-aws-api-with-s3-buckets-in-your-pen-test/
https://www.blackhillsinfosec.com/training/breaching-the-cloud-perimeter-training/
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.
