If our assets are in the cloud, we can run penetration tests against them just like any other system with an IP address. But setting up a penetration testing lab can be time-consuming and expensive (unless you already have the hardware), so we will use a free service called Hack A Server, which offers vulnerable machines to pwn in the cloud. We will be using an instance of Metasploit Pro in this experiment.
To pentest in the cloud, the following will be required:
A VPN configuration, downloaded from the service and launched locally, to connect to the vulnerable machines.
Go to Hack A Server (www.hackaserver.com) and sign up for a free account. Once signed up, click on Training Arena on the toolbar, as shown in the following screenshot:
Then click on Training Arena in your own space. You will get a list of all the vulnerable machines, as shown in the following screenshot:
We can see lots of vulnerable machines. We will be selecting Metasploitable and then clicking on the Hack it! button on the right-hand side.
You must set up your VPN connection to the arena. Download your connection certificate, unzip the certificate bundle, then run the openvpn client.conf command and submit a vulnerability. Now, we will download the connection certificate and then run the following commands:
unzip monika-connectionpack.zip
openvpn client.conf
Open a second terminal window and ping the Metasploitable server on 10.3.33.132.
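The connection steps above (unzip the pack, run openvpn, confirm the target answers ping) are easy to get wrong silently, so here is an added pre-flight script for them; it is not code from the page or from Hack A Server. It assumes the zip unpacks to client.conf plus the credential files that config names, that the tunnel comes up as tun0, and that openvpn needs root (hence sudo).

```bash
#!/usr/bin/env bash
# Pre-flight checks for a Hack A Server connection pack before the
# "openvpn client.conf" step. Added example; not code from the page or
# from Hack A Server. Assumes the zip unpacks to client.conf plus the
# files it references (ca/cert/key), as the page's unzip step implies.
set -u

# Print "host port" from the first "remote" line of an OpenVPN client config
# (port defaults to OpenVPN's standard 1194 when the line omits it).
vpn_remote() {                          # $1 = path to client.conf
    awk '$1=="remote" {print $2, ($3=="" ? "1194" : $3); exit}' "$1"
}

# Verify every credential file the config names (ca, cert, key, tls-auth)
# sits next to it. Prints each missing name; returns 1 if any is missing.
vpn_check_files() {                     # $1 = path to client.conf
    local dir f rc=0
    dir=$(dirname "$1")
    for f in $(awk '$1 ~ /^(ca|cert|key|tls-auth)$/ {print $2}' "$1"); do
        [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    return "$rc"
}

# Start the tunnel in the background, wait for the tun interface (assumed
# to be tun0), then confirm the lab target answers ping before any scan.
vpn_connect_and_verify() {              # $1 = client.conf, $2 = target IP
    sudo openvpn --config "$1" --daemon --log openvpn.log || return 1
    local i
    for i in $(seq 1 30); do
        ip link show tun0 >/dev/null 2>&1 && break
        sleep 1
    done
    ip link show tun0 >/dev/null 2>&1 || { echo "tun0 never came up; see openvpn.log"; return 1; }
    ping -c 3 -W 2 "$2" >/dev/null && echo "target $2 reachable"
}

# Constructed sample bundle (not a real connection pack) for a dry run of
# the checks above; client.key is deliberately omitted.
make_sample_bundle() {                  # $1 = directory to populate
    mkdir -p "$1"
    printf 'client\ndev tun\nremote vpn.example.invalid 443\nca ca.crt\ncert client.crt\nkey client.key\n' > "$1/client.conf"
    : > "$1/ca.crt"; : > "$1/client.crt"
}

# Usage when saved as vpn_preflight.sh: ./vpn_preflight.sh client.conf 10.3.33.132
if [ "${0##*/}" = "vpn_preflight.sh" ] && [ $# -eq 2 ]; then
    echo "VPN endpoint: $(vpn_remote "$1")"
    vpn_check_files "$1" && vpn_connect_and_verify "$1" "$2"
fi
```

Run the file-check functions against the constructed bundle first to see how a missing key is reported; only the real connection pack should be passed to vpn_connect_and_verify.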
Now, let's exploit the machine with the following steps:
Open your Firefox browser and browse to https://localhost:3790. Go into the default project and click on the Scan button. Enter 10.3.33.132 and click on Launch Scan. Once the scan has completed, go to the Analysis menu and click on the Hosts option.
Click on Exploit. It will now match the right exploits to the operating system and services fingerprinted on the Metasploitable machine, and then the smart exploitation process will be launched. When using Metasploitable, it is preferable to use exploit/unix/misc/distcc_exec. Once the exploitation process has completed, click on the Sessions button in the toolbar. You should see one open session to 10.3.33.132.
Once the session is established, we can proceed with various post-exploitation scripts.
Click on Collect and check the box next to Session 1. Then click on the Collect System Data button on the bottom right. This will now collect passwords, screenshots, and other evidence from the machine. If you go back to the Hosts screen in the Analysis menu, you'll see that the machine is marked as looted.
There is a research paper on the internet called Cloud Penetration Testing, by Ralph LaBarge and Thomas McGuire, that presents the results of a series of penetration tests performed on the OpenStack Essex Cloud Management Software package. The paper is organized into nine sections as follows:
INTRODUCTION
OPENSTACK CLOUD MANAGEMENT SOFTWARE
SELECTION OF PENETRATION TESTING SOFTWARE
DESIGN & IMPLEMENTATION OF THE TEST CLOUD
DESIGN & IMPLEMENTATION OF THE PENETRATION TEST ENVIRONMENT
DESCRIPTION OF THE PENETRATION TESTS PERFORMED
TEST RESULTS
SUMMARY and CONCLUSIONS
REFERENCES
You can read it at http://cryptome.org/2013/07/cloud-pentest.pdf.
Note
Metasploit Pro is available as an Amazon Machine Image (AMI), so it can easily be run in the Amazon cloud to carry out external penetration tests.
In addition, some other tools are available for cloud-focused pentesting. Core CloudInspect was recently released by Core Security Technologies, a well-known provider of professional pentesting products. Core CloudInspect is a cloud-based pentesting platform that integrates with Amazon's EC2 cloud environment, which greatly simplifies scheduling and testing.