Hands-On AWS Penetration Testing with Kali Linux

Book description

Identify tools and techniques to secure and perform a penetration test on an AWS infrastructure using Kali Linux

Key Features

  • Efficiently perform penetration testing techniques on your public cloud instances
  • Learn not only to cover loopholes but also to automate security monitoring and alerting within your cloud-based deployment pipelines
  • A step-by-step guide that will help you leverage the most widely used security platform to secure your AWS Cloud environment

Book Description

The cloud is taking over the IT industry. Any organization housing a large amount of data or a large infrastructure has started moving cloud-ward, and AWS rules the roost when it comes to cloud service providers, with its closest competitor having less than half of its market share. This highlights the importance of security on the cloud, especially on AWS. While a lot has been said (and written) about how cloud environments can be secured, performing external security assessments in the form of pentests on AWS is still seen as a dark art.

This book aims to help pentesters as well as seasoned system administrators with a hands-on approach to pentesting the various cloud services provided by Amazon through AWS using Kali Linux. To make things easier for novice pentesters, the book focuses on building a practice lab and refining penetration testing with Kali Linux on the cloud. This is helpful not only for beginners but also for pentesters who want to set up a pentesting environment in their private cloud, using Kali Linux to perform a white-box assessment of their own cloud resources. Besides this, the book covers a large variety of AWS services that are often overlooked during a pentest - from serverless infrastructure to automated deployment pipelines.

By the end of this book, you will be able to identify possible vulnerable areas efficiently and secure your AWS cloud environment.

What you will learn

  • Familiarize yourself with and pentest the most common external-facing AWS services
  • Audit your own infrastructure and identify flaws, weaknesses, and loopholes
  • Demonstrate the process of lateral and vertical movement through a partially compromised AWS account
  • Maintain stealth and persistence within a compromised AWS account
  • Master a hands-on approach to pentesting
  • Discover a number of automated tools to ease the process of continuously assessing and improving the security stance of an AWS infrastructure

Who this book is for

If you are a security analyst or a penetration tester and are interested in exploiting cloud environments to reveal vulnerable areas and secure them, then this book is for you.

A basic understanding of penetration testing, cloud computing, and its security concepts is mandatory.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On AWS Penetration Testing with Kali Linux
  3. About Packt
    1. Why subscribe?
    2. Packt.com
  4. Contributors
    1. About the authors
    2. About the reviewers
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
    5. Disclaimer
  6. Section 1: Kali Linux on AWS
  7. Setting Up a Pentesting Lab on AWS
    1. Technical requirements
    2. Setting up a vulnerable Ubuntu instance
      1. Provisioning an Ubuntu EC2 instance
      2. Installing a vulnerable service on Ubuntu
    3. Setting up a vulnerable Windows instance
      1. Provisioning a vulnerable Windows server instance
      2. Configuring a vulnerable web application on Windows
    4. Configuring security groups within the lab
      1. Configuring security groups
    5. Summary
    6. Further reading
  8. Setting Up a Kali PentestBox on the Cloud
    1. Technical requirements
    2. Setting up Kali Linux on AWS EC2
      1. The Kali Linux AMI
      2. Configuring the Kali Linux instance
    3. Configuring OpenSSH for remote SSH access
      1. Setting root and user passwords
      2. Enabling root and password authentication on SSH
    4. Setting up Guacamole for remote access
      1. Hardening and installing prerequisites
      2. Configuring Guacamole for SSH and RDP access
    5. Summary
    6. Questions
    7. Further reading
  9. Exploitation on the Cloud using Kali Linux
    1. Technical requirements
    2. Configuring and running Nessus
      1. Installing Nessus on Kali
      2. Configuring Nessus
      3. Performing the first Nessus scan
    3. Exploiting a vulnerable Linux VM
      1. Understanding the Nessus scan for Linux
      2. Exploitation on Linux
    4. Exploiting a vulnerable Windows VM
      1. Understanding the Nessus scan for Windows
      2. Exploitation on Windows
    5. Summary
    6. Questions
    7. Further reading
  10. Section 2: Pentesting AWS Elastic Compute Cloud Configuring and Securing
  11. Setting Up Your First EC2 Instances
    1. Technical requirements
    2. Setting Up Ubuntu on AWS EC2
      1. The Ubuntu AMI
    3. Configuring VPC settings
    4. Storage types that are used in EC2 instances
    5. Configuring firewall settings
    6. Configuring EC2 authentication
    7. Summary
    8. Further reading
  12. Penetration Testing of EC2 Instances using Kali Linux
    1. Technical requirements
    2. Installing a vulnerable service on Windows
      1. Setting up a target machine behind the vulnerable Jenkins machine
      2. Setting up Nexpose vulnerability scanner on our Kali machine
    3. Scanning and reconnaissance using Nmap
    4. Identifying and fingerprinting open ports and services using Nmap
    5. Performing an automated vulnerability assessment using Nexpose
    6. Using Metasploit for automated exploitation
    7. Using Meterpreter for privilege escalation, pivoting, and persistence
    8. Summary
    9. Further reading
  13. Elastic Block Stores and Snapshots - Retrieving Deleted Data
    1. Technical requirements
      1. EBS volume types and encryption
    2. Creating, attaching, and detaching new EBS volumes from EC2 instances
    3. Extracting deleted data from EBS volumes
    4. Full disk encryption on EBS volumes
      1. Creating an encrypted volume
      2. Attaching and mounting an encrypted volume
      3. Retrieving data from an encrypted volume
    5. Summary
    6. Further reading
  14. Section 3: Pentesting AWS Simple Storage Service Configuring and Securing
  15. Reconnaissance - Identifying Vulnerable S3 Buckets
    1. Setting up your first S3 bucket
    2. S3 permissions and the access API
      1. ACPs/ACLs
      2. Bucket policies
      3. IAM user policies
      4. Access policies
    3. Creating a vulnerable S3 bucket
    4. Summary
    5. Further reading
  16. Exploiting Permissive S3 Buckets for Fun and Profit
    1. Extracting sensitive data from exposed S3 buckets
    2. Injecting malicious code into S3 buckets
    3. Backdooring S3 buckets for persistent access
    4. Summary
    5. Further reading
  17. Section 4: AWS Identity Access Management Configuring and Securing
  18. Identity Access Management on AWS
    1. Creating IAM users, groups, roles, and associated privileges
    2. Limit API actions and accessible resources with IAM policies
      1. IAM policy structure
      2. IAM policy purposes and usage
    3. Using IAM access keys
    4. Signing AWS API requests manually
    5. Summary
  19. Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu
    1. The importance of permissions enumeration
    2. Using the boto3 library for reconnaissance
      1. Our first Boto3 enumeration script
      2. Saving the data
      3. Adding some S3 enumeration
    3. Dumping all the account information
      1. A new script – IAM enumeration
      2. Saving the data (again)
    4. Permission enumeration with compromised AWS keys
      1. Determining our level of access
      2. Analysing policies attached to our user
      3. An alternative method
    5. Privilege escalation and gathering credentials using Pacu
      1. Pacu – an open source AWS exploitation toolkit
      2. Kali Linux detection bypass
      3. The Pacu CLI
      4. From enumeration to privilege escalation
      5. Using our new administrator privileges
    6. Summary
  20. Using Boto3 and Pacu to Maintain AWS Persistence
    1. Backdooring users
      1. Multiple IAM user access keys
      2. Do it with Pacu
    2. Backdooring role trust relationships
      1. IAM role trust policies
      2. Finding a suitable target role
      3. Adding our backdoor access
      4. Confirming our access
      5. Automating it with Pacu
    3. Backdooring EC2 Security Groups
    4. Using Lambda functions as persistent watchdogs
      1. Automating credential exfiltration with Lambda
      2. Using Pacu for the deployment of our backdoor
      3. Other Lambda Pacu modules
    5. Summary
  21. Section 5: Penetration Testing on Other AWS Services
  22. Security and Pentesting of AWS Lambda
    1. Setting up a vulnerable Lambda function
    2. Attacking Lambda functions with read access
    3. Attacking Lambda functions with read and write access
      1. Privilege escalation
      2. Data exfiltration
      3. Persistence
      4. Staying stealthy
    4. Pivoting into Virtual Private Clouds
    5. Summary
  23. Pentesting and Securing AWS RDS
    1. Technical requirements
    2. Setting up a vulnerable RDS instance
    3. Connecting an RDS instance to WordPress on EC2
    4. Identifying and enumerating exposed RDS instances using Nmap
    5. Exploitation and data extraction from a vulnerable RDS instance
    6. Summary
    7. Further reading
  24. Targeting Other Services
    1. Route 53
      1. Hosted zones
      2. Domains
      3. Resolvers
    2. Simple Email Service (SES)
      1. Phishing
      2. Other attacks
    3. Attacking all of CloudFormation
      1. Parameters
      2. Output values
      3. Termination protection
      4. Deleted stacks
      5. Exports
      6. Templates
      7. Passed roles
      8. Bonus – discovering the values of NoEcho parameters
    4. Elastic Container Registry (ECR)
    5. Summary
  25. Section 6: Attacking AWS Logging and Security Services
  26. Pentesting CloudTrail
    1. More about CloudTrail
    2. Setup, best practices, and auditing
      1. Setup
      2. Auditing
    3. Reconnaissance
    4. Bypassing logging
      1. Unsupported CloudTrail services for attackers and defenders
      2. Bypassing logging through cross-account methods
        1. Enumerating users
        2. Enumerating roles
    5. Disrupting trails
      1. Turning off logging
      2. Deleting trails/S3 buckets
      3. Minifying trails
      4. Problems with disruption (and some partial solutions)
    6. Summary
  27. GuardDuty
    1. An introduction to GuardDuty and its findings
    2. Alerting about and reacting to GuardDuty findings
    3. Bypassing GuardDuty
      1. Bypassing everything with force
      2. Bypassing everything with IP whitelisting
      3. Bypassing EC2 instance credential exfiltration alerts
      4. Bypassing operating system (PenTest) alerts
      5. Other simple bypasses
        1. Cryptocurrency
        2. Behavior
        3. ResourceConsumption
        4. Stealth
        5. Trojan
        6. Others
    4. Summary
  28. Section 7: Leveraging AWS Pentesting Tools for Real-World Attacks
  29. Using Scout Suite for AWS Security Auditing
    1. Technical requirements
    2. Setting up a vulnerable AWS infrastructure
      1. A misconfigured EC2 instance
      2. Creating a vulnerable S3 instance
    3. Configuring and running Scout Suite
      1. Setting up the tool
      2. Running Scout Suite
    4. Parsing the results of a Scout Suite scan
    5. Using Scout Suite's rules
    6. Summary
  30. Using Pacu for AWS Pentesting
    1. Pacu history
    2. Getting started with Pacu
    3. Pacu commands
      1. list/ls
      2. search [[cat]egory] <search term>
      3. help
      4. help <module name>
      5. whoami
      6. data
      7. services
      8. data <service>|proxy
      9. regions
      10. update_regions
      11. set_regions <region> [<region>...]
      12. run/exec <module name>
      13. set_keys
      14. swap_keys
      15. import_keys <profile name>|--all
      16. exit/quit/Ctrl + C
      17. aws <command>
      18. proxy <command>
    4. Creating a new module
      1. The API
        1. session/get_active_session
        2. get_proxy_settings
        3. print/input
        4. key_info
        5. fetch_data
        6. get_regions
        7. install_dependencies
        8. get_boto3_client/get_boto3_resource
      2. Module structure and implementation
    5. An introduction to PacuProxy
    6. Summary
  31. Putting it All Together - Real-World AWS Pentesting
    1. Pentest kickoff
      1. Scoping
      2. AWS pentesting rules and guidelines
      3. Credentials and client expectations
        1. Setup
    2. Unauthenticated reconnaissance
    3. Authenticated reconnaissance plus permissions enumeration
    4. Privilege escalation
    5. Persistence
    6. Post-exploitation
      1. EC2 exploitation
      2. Code review and analysis in Lambda
      3. Getting past authentication in RDS
      4. The authenticated side of S3
    7. Auditing for compliance and best practices
    8. Summary
  32. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Hands-On AWS Penetration Testing with Kali Linux
  • Author(s): Karl Gilbert, Benjamin Caudill
  • Release date: April 2019
  • Publisher(s): Packt Publishing
  • ISBN: 9781789136722