Book Image

Hands-On AWS Penetration Testing with Kali Linux

By : Karl Gilbert, Benjamin Caudill
Book Image

Hands-On AWS Penetration Testing with Kali Linux

By: Karl Gilbert, Benjamin Caudill

Overview of this book

The cloud is taking over the IT industry. Any organization housing a large amount of data or a large infrastructure has started moving cloud-ward — and AWS rules the roost when it comes to cloud service providers, with its closest competitor having less than half of its market share. This highlights the importance of security on the cloud, especially on AWS. While a lot has been said (and written) about how cloud environments can be secured, performing external security assessments in the form of pentests on AWS is still seen as a dark art. This book aims to help pentesters as well as seasoned system administrators with a hands-on approach to pentesting the various cloud services provided by Amazon through AWS using Kali Linux. To make things easier for novice pentesters, the book focuses on building a practice lab and refining penetration testing with Kali Linux on the cloud. This is helpful not only for beginners but also for pentesters who want to set up a pentesting environment in their private cloud, using Kali Linux to perform a white-box assessment of their own cloud resources. Besides this, the book covers a large variety of AWS services that are often overlooked during a pentest — from serverless infrastructure to automated deployment pipelines. By the end of this book, you will be able to identify possible vulnerable areas efficiently and secure your AWS cloud environment.

Related Content you might be interested in

Current Title:

Small book image
Hands-On AWS Penetration Testing with Kali Linux
Karl Gilbert | Benjamin Caudill
Apr, 2019 | 508 pages
Small book image
AWS Penetration Testing
Jonathan Helmus
Dec, 2020 | 330 pages
Small book image
Implementing Identity Management on AWS
Jon Lehtinen
Oct, 2021 | 504 pages
Small book image
AWS for System Administrators
Prashant Lakhera
Feb, 2021 | 388 pages
Table of Contents (28 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Disclaimer
Free Chapter
1
Section 1: Kali Linux on AWS
Section 1: Kali Linux on AWS
2
Setting Up a Pentesting Lab on AWS
Setting Up a Pentesting Lab on AWS
Technical requirements
Setting up a vulnerable Ubuntu instance
Setting up a vulnerable Windows instance
Configuring security groups within the lab
Summary
Further reading
3
Setting Up a Kali PentestBox on the Cloud
Setting Up a Kali PentestBox on the Cloud
Technical requirements
Setting up Kali Linux on AWS EC2
Configuring OpenSSH for remote SSH access
Setting up Guacamole for remote access
Summary
Questions
Further reading
4
Exploitation on the Cloud using Kali Linux
Exploitation on the Cloud using Kali Linux
Technical requirements
Configuring and running Nessus
Exploiting a vulnerable Linux VM
Exploiting a vulnerable Windows VM
Summary
Questions
Further reading
5
Section 2: Pentesting AWS Elastic Compute Cloud Configuring and Securing
Section 2: Pentesting AWS Elastic Compute Cloud Configuring and Securing
6
Setting Up Your First EC2 Instances
Setting Up Your First EC2 Instances
Technical requirements
Setting Up Ubuntu on AWS EC2
Configuring VPC settings
Storage types that are used in EC2 instances
Configuring firewall settings
Configuring EC2 authentication
Summary
Further reading
7
Penetration Testing of EC2 Instances using Kali Linux
Penetration Testing of EC2 Instances using Kali Linux
Technical requirements
Installing a vulnerable service on Windows
Scanning and reconnaissance using Nmap
Identifying and fingerprinting open ports and services using Nmap
Performing an automated vulnerability assessment using Nexpose
Using Metasploit for automated exploitation
Using Meterpreter for privilege escalation, pivoting, and persistence
Summary
Further reading
8
Elastic Block Stores and Snapshots - Retrieving Deleted Data
Elastic Block Stores and Snapshots - Retrieving Deleted Data
Technical requirements
Creating, attaching, and detaching new EBS volumes from EC2 instances
Extracting deleted data from EBS volumes
Full disk encryption on EBS volumes
Summary
Further reading
9
Section 3: Pentesting AWS Simple Storage Service Configuring and Securing
Section 3: Pentesting AWS Simple Storage Service Configuring and Securing
10
Reconnaissance - Identifying Vulnerable S3 Buckets
Reconnaissance - Identifying Vulnerable S3 Buckets
Setting up your first S3 bucket
S3 permissions and the access API
Creating a vulnerable S3 bucket
Summary
Further reading
11
Exploiting Permissive S3 Buckets for Fun and Profit
Exploiting Permissive S3 Buckets for Fun and Profit
Extracting sensitive data from exposed S3 buckets
Injecting malicious code into S3 buckets
Backdooring S3 buckets for persistent access
Summary
Further reading
12
Section 4: AWS Identity Access Management Configuring and Securing
Section 4: AWS Identity Access Management Configuring and Securing
13
Identity Access Management on AWS
Identity Access Management on AWS
Creating IAM users, groups, roles, and associated privileges
Limit API actions and accessible resources with IAM policies
Using IAM access keys
Signing AWS API requests manually
Summary
14
Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu
Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu
The importance of permissions enumeration
Using the boto3 library for reconnaissance
Dumping all the account information
Permission enumeration with compromised AWS keys
Privilege escalation and gathering credentials using Pacu
Summary
15
Using Boto3 and Pacu to Maintain AWS Persistence
Using Boto3 and Pacu to Maintain AWS Persistence
Backdooring users
Backdooring role trust relationships
Backdooring EC2 Security Groups
Using Lambda functions as persistent watchdogs
Summary
16
Section 5: Penetration Testing on Other AWS Services
Section 5: Penetration Testing on Other AWS Services
17
Security and Pentesting of AWS Lambda
Security and Pentesting of AWS Lambda
Setting up a vulnerable Lambda function
Attacking Lambda functions with read access
Attacking Lambda functions with read and write access
Pivoting into Virtual Private Clouds
Summary
18
Pentesting and Securing AWS RDS
Pentesting and Securing AWS RDS
Technical requirements
Setting up a vulnerable RDS instance
Connecting an RDS instance to WordPress on EC2
Identifying and enumerating exposed RDS instances using Nmap
Exploitation and data extraction from a vulnerable RDS instance
Summary
Further reading
19
Targeting Other Services
Targeting Other Services
Route 53
Simple Email Service (SES)
Attacking all of CloudFormation
Elastic Container Registry (ECR)
Summary
20
Section 6: Attacking AWS Logging and Security Services
Section 6: Attacking AWS Logging and Security Services
21
Pentesting CloudTrail
Pentesting CloudTrail
More about CloudTrail
Setup, best practices, and auditing
Reconnaissance
Bypassing logging
Disrupting trails
Summary
22
GuardDuty
GuardDuty
An introduction to GuardDuty and its findings
Alerting about and reacting to GuardDuty findings
Bypassing GuardDuty
Summary
23
Section 7: Leveraging AWS Pentesting Tools for Real-World Attacks
Section 7: Leveraging AWS Pentesting Tools for Real-World Attacks
24
Using Scout Suite for AWS Security Auditing
Using Scout Suite for AWS Security Auditing
Technical requirements
Setting up a vulnerable AWS infrastructure
Configuring and running Scout Suite
Parsing the results of a Scout Suite scan
Using Scout Suite's rules
Summary
25
Using Pacu for AWS Pentesting
Using Pacu for AWS Pentesting
Pacu history
Getting started with Pacu
Pacu commands
Creating a new module
An introduction to PacuProxy
Summary
26
Putting it All Together - Real - World AWS Pentesting
Putting it All Together - Real - World AWS Pentesting
Pentest kickoff
Unauthenticated reconnaissance
Authenticated reconnaissance plus permissions enumeration
Privilege escalation
Persistence
Post-exploitation
Auditing for compliance and best practices
Summary
27
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Exploitation and data extraction from a vulnerable RDS instance

We have now discovered an RDS instance whose MySQL service is listening publicly. We have also identified a set of valid usernames.

Our next step is to brute-force the login and the valid password for our admin user.

For this exercise, we will use Hydra to brute-force the MySQL service and find the password:

  1. On your Kali instance, download a wordlist dictionary for the brute-force attack; I find rockyou.txt to be adequate. Then, issue the following command:
hydra -l admin -P rockyou.txt <RDS IP Address> mysql
  1. Hydra will brute-force the service using the wordlist that has been provided, and will give you the valid password for this:

Once we have our valid set of credentials, it's time to connect to the MySQL service and create a new user for WordPress.

In order to compromise the WordPress installation...

Previous Section
End of Section 6
Next Section