top of page
Jul 102 min read

Hunting for Fireprox

Updated: Jul 15

As part of our red team engagements, we may sometimes utilize Fireprox to obtain a larger number of IP addresses for various actions, such as password spraying. We thought that we should figure out if there are any IOC or easy-to-identify indicators on the default tool and see if anyone else is using Fireprox.


Execute API


The API returned by Fireprox in AWS conforms to the following format: 

*.execute-api.*.amazonaws.com

We can quickly lookup many relevant subdomains or entries using SecurityTrails. After identifying the relevant entries, we can perform an IOC check based on:


  1. A HTTP request to the URL should result in a 403

  2. A HTTP request to the path '/fireprox/' should result in a 302 Object Moved.


For example:

cat 1.txt | httpx -status-code -follow-redirects -title -mc 403 -o 2.txt

cat 2.txt | cut -f 1 -d' ' | httpx -status-code -title -mc 302 -o 3.txt

# 3.txt contains potential fireprox entries.

As a result of the quick research against just the us-east-2 region, we can identify 5 instances potentially running Fireprox at the time of testing:



Visiting each one, we can see that the request is redirected to Microsoft, successfully confirming that it is indeed Fireprox.


Conclusion

  • Searching for standard open-source tooling is possible based on basic knowledge of the response codes.

  • The deployment of an API gateway on AWS is likely publicly accessible without further restrictions and can be used by anyone on the Internet.

  • A malicious threat actor may be able to abuse a legitimately exposed Fireprox API (for purposes of Red Teaming) to perform their malicious password spraying attacks.

    • We do not recommend Red Teams using other deployed Fireprox APIs because it would not be impossible to deploy a honeypot Fireprox API that logs all traffic, which would disclose information about your customers.


References

Comments

bottom of page