Book Image

Hands-On AWS Penetration Testing with Kali Linux

By : Karl Gilbert, Benjamin Caudill

Book Image

Hands-On AWS Penetration Testing with Kali Linux

By: Karl Gilbert, Benjamin Caudill

Overview of this book

The cloud is taking over the IT industry. Any organization housing a large amount of data or a large infrastructure has started moving cloud-ward — and AWS rules the roost when it comes to cloud service providers, with its closest competitor having less than half of its market share. This highlights the importance of security on the cloud, especially on AWS. While a lot has been said (and written) about how cloud environments can be secured, performing external security assessments in the form of pentests on AWS is still seen as a dark art. This book aims to help pentesters as well as seasoned system administrators with a hands-on approach to pentesting the various cloud services provided by Amazon through AWS using Kali Linux. To make things easier for novice pentesters, the book focuses on building a practice lab and refining penetration testing with Kali Linux on the cloud. This is helpful not only for beginners but also for pentesters who want to set up a pentesting environment in their private cloud, using Kali Linux to perform a white-box assessment of their own cloud resources. Besides this, the book covers a large variety of AWS services that are often overlooked during a pentest — from serverless infrastructure to automated deployment pipelines. By the end of this book, you will be able to identify possible vulnerable areas efficiently and secure your AWS cloud environment.

Preface

Who this book is for

What this book covers

To get the most out of this book

Free Chapter

Section 1: Kali Linux on AWS

Section 1: Kali Linux on AWS

Setting Up a Pentesting Lab on AWS

Setting Up a Pentesting Lab on AWS

Technical requirements

Setting up a vulnerable Ubuntu instance

Setting up a vulnerable Windows instance

Configuring security groups within the lab

Further reading

Setting Up a Kali PentestBox on the Cloud

Setting Up a Kali PentestBox on the Cloud

Technical requirements

Setting up Kali Linux on AWS EC2

Configuring OpenSSH for remote SSH access

Setting up Guacamole for remote access

Further reading

Exploitation on the Cloud using Kali Linux

Exploitation on the Cloud using Kali Linux

Technical requirements

Configuring and running Nessus

Exploiting a vulnerable Linux VM

Exploiting a vulnerable Windows VM

Further reading

Section 2: Pentesting AWS Elastic Compute Cloud Configuring and Securing

Section 2: Pentesting AWS Elastic Compute Cloud Configuring and Securing

Setting Up Your First EC2 Instances

Setting Up Your First EC2 Instances

Technical requirements

Setting Up Ubuntu on AWS EC2

Configuring VPC settings

Storage types that are used in EC2 instances

Configuring firewall settings

Configuring EC2 authentication

Further reading

Penetration Testing of EC2 Instances using Kali Linux

Penetration Testing of EC2 Instances using Kali Linux

Technical requirements

Installing a vulnerable service on Windows

Scanning and reconnaissance using Nmap

Identifying and fingerprinting open ports and services using Nmap

Performing an automated vulnerability assessment using Nexpose

Using Metasploit for automated exploitation

Using Meterpreter for privilege escalation, pivoting, and persistence

Further reading

Elastic Block Stores and Snapshots - Retrieving Deleted Data

Elastic Block Stores and Snapshots - Retrieving Deleted Data

Technical requirements

Creating, attaching, and detaching new EBS volumes from EC2 instances

Extracting deleted data from EBS volumes

Full disk encryption on EBS volumes

Further reading

Section 3: Pentesting AWS Simple Storage Service Configuring and Securing

Section 3: Pentesting AWS Simple Storage Service Configuring and Securing

Reconnaissance - Identifying Vulnerable S3 Buckets

Reconnaissance - Identifying Vulnerable S3 Buckets

Setting up your first S3 bucket

S3 permissions and the access API

Creating a vulnerable S3 bucket

Further reading

Exploiting Permissive S3 Buckets for Fun and Profit

Exploiting Permissive S3 Buckets for Fun and Profit

Extracting sensitive data from exposed S3 buckets

Injecting malicious code into S3 buckets

Backdooring S3 buckets for persistent access

Further reading

Section 4: AWS Identity Access Management Configuring and Securing

Section 4: AWS Identity Access Management Configuring and Securing

Identity Access Management on AWS

Identity Access Management on AWS

Creating IAM users, groups, roles, and associated privileges

Limit API actions and accessible resources with IAM policies

Using IAM access keys

Signing AWS API requests manually

Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu

Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu

The importance of permissions enumeration

Using the boto3 library for reconnaissance

Dumping all the account information

Permission enumeration with compromised AWS keys

Privilege escalation and gathering credentials using Pacu

Using Boto3 and Pacu to Maintain AWS Persistence

Using Boto3 and Pacu to Maintain AWS Persistence

Backdooring users

Backdooring role trust relationships

Backdooring EC2 Security Groups

Using Lambda functions as persistent watchdogs

Section 5: Penetration Testing on Other AWS Services

Section 5: Penetration Testing on Other AWS Services

Security and Pentesting of AWS Lambda

Security and Pentesting of AWS Lambda

Setting up a vulnerable Lambda function

Attacking Lambda functions with read access

Attacking Lambda functions with read and write access

Pivoting into Virtual Private Clouds

Pentesting and Securing AWS RDS

Pentesting and Securing AWS RDS

Technical requirements

Setting up a vulnerable RDS instance

Connecting an RDS instance to WordPress on EC2

Identifying and enumerating exposed RDS instances using Nmap

Exploitation and data extraction from a vulnerable RDS instance

Further reading

Targeting Other Services

Targeting Other Services

Simple Email Service (SES)

Attacking all of CloudFormation

Elastic Container Registry (ECR)

Section 6: Attacking AWS Logging and Security Services

Section 6: Attacking AWS Logging and Security Services

Pentesting CloudTrail

Pentesting CloudTrail

More about CloudTrail

Setup, best practices, and auditing

Bypassing logging

Disrupting trails

GuardDuty

An introduction to GuardDuty and its findings

Alerting about and reacting to GuardDuty findings

Bypassing GuardDuty

Section 7: Leveraging AWS Pentesting Tools for Real-World Attacks

Section 7: Leveraging AWS Pentesting Tools for Real-World Attacks

Using Scout Suite for AWS Security Auditing

Using Scout Suite for AWS Security Auditing

Technical requirements

Setting up a vulnerable AWS infrastructure

Configuring and running Scout Suite

Parsing the results of a Scout Suite scan

Using Scout Suite's rules

Using Pacu for AWS Pentesting

Using Pacu for AWS Pentesting

Getting started with Pacu

Creating a new module

An introduction to PacuProxy

Putting it All Together - Real - World AWS Pentesting

Putting it All Together - Real - World AWS Pentesting

Pentest kickoff

Unauthenticated reconnaissance

Authenticated reconnaissance plus permissions enumeration

Privilege escalation

Post-exploitation

Auditing for compliance and best practices

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Summary

In this chapter, we have looked at how we can establish a means of persistent access to a target AWS environment. This can be done directly, as we have shown with something like adding backdoor keys to other IAM users, or we can use more long-term methods with services such as AWS Lambda and CloudWatch Events. There are many different ways you can establish some kind of persistence in a target AWS account, but sometimes it can just take a little research on the target to determine where might be a good location.

Lambda provides a very flexible platform from which to react and respond to events within our target account, meaning we can establish persistence (or more) as resources are created; however just like we have shown by backdooring EC2 Security Groups, not every backdoor needs to be based on/within the IAM service and can sometimes be a backdoor for alternate kinds...