Scott Weston
Scott is a Labs Researcher at NetSPI. He has previously worked on open-source tooling for AWS and GCP. He has spoken at conferences including fwd:cloudsec and the Defcon Cloud Village. He has published a tool called gcpwn for GCP enumeration and pentesting. He is originally from the Southern California area and currently works out of Minnesota. In his spare time he enjoys soccer and basketball, or pursuing interesting research-oriented tasks in cloud-based technologies.
Session
Oracle Cloud Infrastructure (OCI) handles IAM in a format unlike that of other cloud providers, which introduces challenges in tooling and parsing. While learning OCI from a penetration-testing perspective, I encountered architectural and tooling gaps that hindered effective assessment. This talk presents a suite of open-source tools built to close those gaps, including an ANTLR-based OCI IAM policy parser, a Burp Suite extension for signing OCI API requests, an OCI reconnaissance framework with different execution modules, and an OpenGraph graph model that visualizes privilege escalation paths in the manner of BloodHound. Attendees will leave with a practical understanding of some OCI IAM attack-path analysis and how to use these tools.