Hunting for Fireprox
As part of our red team engagements we sometimes use Fireprox to obtain a large pool of source IP addresses for actions such as password spraying. We wanted to find out whether a default Fireprox deployment exposes any IOCs or other easy-to-identify fingerprints, and whether anyone else on the Internet is running it.
Execute API
The API Gateway endpoint that Fireprox creates in AWS has a hostname of the following form:
*.execute-api.*.amazonaws.com
We can quickly look up matching subdomains using SecurityTrails (or any passive DNS source). After collecting candidate hostnames, we check two IOCs:
- An HTTP request to the root URL should return 403.
- An HTTP request to the path '/fireprox/' should return 302 with the title 'Object moved'. Do not follow the redirect on this step, otherwise the 302 is hidden behind the final response.
For example:
cat 1.txt | httpx -status-code -follow-redirects -title -mc 403 -o 2.txt
# -path appends /fireprox/ to every host; redirects are not followed, so the 302 is what gets matched
cat 2.txt | cut -f 1 -d' ' | httpx -path /fireprox/ -status-code -title -mc 302 -o 3.txt
# 3.txt contains potential Fireprox entries.
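The same two-step check, written as a small standalone hunter. This is an added example and not code from the original post or from the Fireprox project: it pre-filters hostnames against the execute-api pattern, issues the root and /fireprox/ probes without following redirects, and reports hosts that match both IOCs. The fetcher is injectable, so the constructed sample responses below (hypothetical API IDs and a made-up Microsoft redirect target, not the hosts found in the post) exercise the logic offline; pass a file of hostnames as the first argument to run it against the network.

```python
"""Two-step Fireprox fingerprinting over a list of execute-api hostnames.

Added example, not code from the original post: re-implements the IOC check
described above (403 on the root URL, 302 on /fireprox/) with an injectable
fetcher so it can be exercised offline against constructed responses.
"""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FIREPROX_PATH = "/fireprox/"

# API Gateway hostnames as seen in the post: <10-char id>.execute-api.<region>.amazonaws.com
EXECUTE_API_RE = re.compile(r"[a-z0-9]{10}\.execute-api\.[a-z0-9-]+\.amazonaws\.com")


@dataclass
class Probe:
    status: int
    location: Optional[str] = None  # Location header, present when the status is a redirect


def is_execute_api_host(host: str) -> bool:
    """Cheap pre-filter so requests are only spent on hosts that could be API Gateway."""
    return EXECUTE_API_RE.fullmatch(host.lower()) is not None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx: the 302 itself is the indicator we want to see."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(url: str, timeout: float = 10.0) -> Probe:
    """GET url once, do not follow redirects, return status and Location."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "fireprox-hunt"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:
        # urllib raises for 3xx (because we refuse to follow) and for 4xx/5xx,
        # but the status code and headers are still available on the exception.
        return Probe(e.code, e.headers.get("Location"))


def hunt(hosts: List[str], fetch: Callable[[str], Probe] = http_probe) -> List[Tuple[str, Optional[str]]]:
    """Return (host, redirect_target) for every host that matches both IOCs."""
    hits = []
    for host in hosts:
        host = host.strip()
        if not is_execute_api_host(host):
            continue
        base = f"https://{host}"
        if fetch(base).status != 403:       # IOC 1: root URL must answer 403
            continue
        path = fetch(base + FIREPROX_PATH)  # IOC 2: /fireprox/ must answer 302
        if path.status == 302:
            hits.append((host, path.location))
    return hits


# Constructed sample responses (hypothetical API IDs, not the hosts found in the post)
# so the pipeline can be run without touching the network.
SAMPLE_RESPONSES: Dict[str, Probe] = {
    "https://abcdefghij.execute-api.us-east-2.amazonaws.com": Probe(403),
    "https://abcdefghij.execute-api.us-east-2.amazonaws.com/fireprox/": Probe(302, "https://login.microsoftonline.com/"),
    "https://klmnopqrst.execute-api.us-east-2.amazonaws.com": Probe(403),
    "https://klmnopqrst.execute-api.us-east-2.amazonaws.com/fireprox/": Probe(403),  # API Gateway without a /fireprox/ stage
    "https://uvwxyz0123.execute-api.eu-west-1.amazonaws.com": Probe(200),             # unrelated API whose root answers
}


def sample_fetch(url: str) -> Probe:
    """Offline stand-in for http_probe, backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, Probe(404))


SAMPLE_HOSTS = [
    "abcdefghij.execute-api.us-east-2.amazonaws.com",
    "klmnopqrst.execute-api.us-east-2.amazonaws.com",
    "uvwxyz0123.execute-api.eu-west-1.amazonaws.com",
    "www.example.com",  # dropped by the pre-filter before any request is made
]


def main(argv: List[str]) -> None:
    if len(argv) > 1:
        with open(argv[1]) as f:
            hosts, fetch = f.read().split(), http_probe
    else:
        hosts, fetch = SAMPLE_HOSTS, sample_fetch
    for host, target in hunt(hosts, fetch):
        print(f"{host} -> {target}")


if __name__ == "__main__":
    main(sys.argv)
```

The second request is only sent when the first IOC matched, which keeps the scan quiet against hosts that are plainly not Fireprox. Running with no arguments uses the constructed sample data and reports only the first host, since the second returns 403 on /fireprox/ and the third does not return 403 on its root.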
A quick run against the us-east-2 region alone identified five hosts that were potentially running Fireprox at the time of testing:
https://inwerq7zg9.execute-api.us-east-2.amazonaws.com/fireprox/ [302] [Object moved]
https://j46pe2hkxa.execute-api.us-east-2.amazonaws.com/fireprox/ [302] [Object moved]
https://lnyhmrei3e.execute-api.us-east-2.amazonaws.com/fireprox/ [302] [Object moved]
https://vz23b6so7c.execute-api.us-east-2.amazonaws.com/fireprox/ [302] [Object moved]
https://w7286bgo31.execute-api.us-east-2.amazonaws.com/fireprox/ [302] [Object moved]
Following the redirect on each of them lands on Microsoft, which is consistent with Fireprox fronting a Microsoft login endpoint for password spraying and confirms that these are indeed Fireprox deployments.
Conclusion
- Standard open-source tooling can be hunted with nothing more than knowledge of its default response codes.
- An API Gateway deployed by Fireprox is publicly reachable with no authentication or other restriction, so anyone on the Internet can send requests through it.
- A malicious actor could therefore abuse a Fireprox API that a red team has legitimately exposed to carry out their own password spraying, with the traffic attributed to the red team's AWS account.
- We do not recommend that red teams use Fireprox APIs deployed by someone else: it would be trivial to stand up a honeypot Fireprox API that logs all traffic, which would disclose information about your customers.