
Hands-on AWS penetration testing with Kali Linux : set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and CloudFormation PDF

490 Pages·2019·36.071 MB·English

Preview Hands-on AWS penetration testing with Kali Linux : set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and CloudFormation

Hands-On AWS Penetration Testing with Kali Linux
Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and CloudFormation

Karl Gilbert
Benjamin Caudill

BIRMINGHAM - MUMBAI

Hands-On AWS Penetration Testing with Kali Linux

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Shrilekha Inani
Content Development Editor: Deepti Thore
Technical Editor: Mamta Yadav
Copy Editor: Safis Editing
Project Coordinator: Nusaiba Ansari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Nilesh Mohite

First published: April 2019
Production reference: 2090519

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78913-672-2

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?
- Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
- Improve your learning with Skill Plans built especially for you
- Get a free eBook or video every month
- Mapt is fully searchable
- Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the authors

Karl Gilbert is a security researcher who has contributed to the security of some widely used open-source software. His primary interests relate to vulnerability research, 0-days, cloud security, secure DevOps, and CI/CD.

I would like to thank the entire team at Packt as well as Sayanta Sen, without whose major contributions this book wouldn't have seen the light of day.

Benjamin Caudill is a security researcher and founder of pentesting firm Rhino Security Labs. Built on 10+ years of offensive security experience, Benjamin directed the company, with research and development as its foundation, into a key resource for high-needs clients. Benjamin has also been a major contributor to AWS security research. With co-researcher Spencer Gietzen, the two have developed Pacu (the AWS exploitation framework) and identified dozens of new attack vectors in cloud architecture. Both GCP and Azure research are expected throughout 2019. As a regular contributor to the security industry, Benjamin has been featured on CNN, Wired, Washington Post, and other major media outlets.

I'd like to thank Spencer Gietzen and the amazing team at Rhino - we wouldn't have Pacu, CloudGoat, or the supporting research without you. This has been as exciting as it is humbling.

About the reviewers

Rejah Rehim is currently the Director and Chief Information Security Officer (CISO) of Appfabs. Prior to that, he held the title of security architect at FAYA India. Rejah is a long-time preacher of open source and a steady contributor to the Mozilla Foundation. He has successfully created the world's first security testing browser bundle, PenQ, an open source Linux-based penetration testing browser bundle preconfigured with tools for security testing. Rejah is also an active member of OWASP and the chapter leader of OWASP Kerala. Additionally, he holds the title of commander at Cyberdome, an initiative of the Kerala police department.

Shivanand Persad has an MBA from the Australian Institute of Business, and a BSc in Electrical and Computer Engineering from the University of the West Indies, among a number of certifications in the technology sphere. He has a number of areas of specialization, including controls and instrumentation systems, wireless and wired communication systems, strategic management, and business process re-engineering. With over a decade of experience across multiple engineering disciplines, a lengthy tenure with the Caribbean's largest ISP, and oversight of the largest media group in Trinidad and Tobago, he continues to be passionate about technology and its ongoing development. When not reading everything in sight, he enjoys archery, martial arts, biking, and tinkering.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community.
You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Preface 1

Section 1: Kali Linux on AWS

Chapter 1: Setting Up a Pentesting Lab on AWS 8
  Technical requirements 8
  Setting up a vulnerable Ubuntu instance 8
    Provisioning an Ubuntu EC2 instance 9
    Installing a vulnerable service on Ubuntu 10
  Setting up a vulnerable Windows instance 12
    Provisioning a vulnerable Windows server instance 13
    Configuring a vulnerable web application on Windows 15
  Configuring security groups within the lab 18
    Configuring security groups 19
  Summary 21
  Further reading 21

Chapter 2: Setting Up a Kali PentestBox on the Cloud 22
  Technical requirements 23
  Setting up Kali Linux on AWS EC2 23
    The Kali Linux AMI 23
    Configuring the Kali Linux instance 25
  Configuring OpenSSH for remote SSH access 28
    Setting root and user passwords 29
    Enabling root and password authentication on SSH 29
  Setting up Guacamole for remote access 31
    Hardening and installing prerequisites 31
    Configuring Guacamole for SSH and RDP access 34
  Summary 36
  Questions 37
  Further reading 37

Chapter 3: Exploitation on the Cloud using Kali Linux 38
  Technical requirements 38
  Configuring and running Nessus 39
    Installing Nessus on Kali 39
    Configuring Nessus 45
    Performing the first Nessus scan 47
  Exploiting a vulnerable Linux VM 50
    Understanding the Nessus scan for Linux 51
    Exploitation on Linux 53
  Exploiting a vulnerable Windows VM 55
    Understanding the Nessus scan for Windows 55
    Exploitation on Windows 57
  Summary 60
  Questions 60
  Further reading 60

Section 2: Pentesting AWS Elastic Compute Cloud, Configuring and Securing

Chapter 4: Setting Up Your First EC2 Instances 62
  Technical requirements 62
  Setting Up Ubuntu on AWS EC2 63
    The Ubuntu AMI 63
    Configuring VPC settings 64
    Storage types that are used in EC2 instances 69
    Configuring firewall settings 71
    Configuring EC2 authentication 72
  Summary 80
  Further reading 80

Chapter 5: Penetration Testing of EC2 Instances using Kali Linux 81
  Technical requirements 82
  Installing a vulnerable service on Windows 82
  Setting up a target machine behind the vulnerable Jenkins machine 95
  Setting up Nexpose vulnerability scanner on our Kali machine 96
  Scanning and reconnaissance using Nmap 99
  Identifying and fingerprinting open ports and services using Nmap 101
  Performing an automated vulnerability assessment using Nexpose 105
  Using Metasploit for automated exploitation 110
  Using Meterpreter for privilege escalation, pivoting, and persistence 114
  Summary 117
  Further reading 117

Chapter 6: Elastic Block Stores and Snapshots - Retrieving Deleted Data 118
  Technical requirements 118
  EBS volume types and encryption 119
  Creating, attaching, and detaching new EBS volumes from EC2 instances 120
  Extracting deleted data from EBS volumes 123
  Full disk encryption on EBS volumes 126
    Creating an encrypted volume 127
    Attaching and mounting an encrypted volume 130
    Retrieving data from an encrypted volume 132
  Summary 134
  Further reading 134

Section 3: Pentesting AWS Simple Storage Service, Configuring and Securing

Chapter 7: Reconnaissance - Identifying Vulnerable S3 Buckets 136
  Setting up your first S3 bucket 137
  S3 permissions and the access API 140
    ACPs/ACLs 142
    Bucket policies 142
    IAM user policies 143
    Access policies 143
  Creating a vulnerable S3 bucket 145
  Summary 150
  Further reading 150

Chapter 8: Exploiting Permissive S3 Buckets for Fun and Profit 151
  Extracting sensitive data from exposed S3 buckets 151
  Injecting malicious code into S3 buckets 154
  Backdooring S3 buckets for persistent access 155
  Summary 157
  Further reading 157

Section 4: AWS Identity Access Management, Configuring and Securing

Chapter 9: Identity Access Management on AWS 159
  Creating IAM users, groups, roles, and associated privileges 160
  Limit API actions and accessible resources with IAM policies 170
    IAM policy structure 170
    IAM policy purposes and usage 173
  Using IAM access keys 174
  Signing AWS API requests manually 181
  Summary 182

Chapter 10: Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu 183
  The importance of permissions enumeration 184
  Using the boto3 library for reconnaissance 184
    Our first Boto3 enumeration script 185
    Saving the data 187
    Adding some S3 enumeration 190
  Dumping all the account information 193
    A new script – IAM enumeration 193
    Saving the data (again) 194
  Permission enumeration with compromised AWS keys 196
    Determining our level of access 196
    Analysing policies attached to our user 197
    An alternative method 201
  Privilege escalation and gathering credentials using Pacu 202
    Pacu – an open source AWS exploitation toolkit 203
    Kali Linux detection bypass 204
    The Pacu CLI 205
    From enumeration to privilege escalation 207
    Using our new administrator privileges 210
  Summary 213

Chapter 11: Using Boto3 and Pacu to Maintain AWS Persistence 215
  Backdooring users 215
    Multiple IAM user access keys 216
    Do it with Pacu 219
  Backdooring role trust relationships 219
    IAM role trust policies 219
    Finding a suitable target role 220
    Adding our backdoor access 222
    Confirming our access 223
    Automating it with Pacu 225
  Backdooring EC2 Security Groups 226
  Using Lambda functions as persistent watchdogs 229
    Automating credential exfiltration with Lambda 230
    Using Pacu for the deployment of our backdoor 231
    Other Lambda Pacu modules 233
  Summary 234

Section 5: Penetration Testing on Other AWS Services

Chapter 12: Security and Pentesting of AWS Lambda 236
  Setting up a vulnerable Lambda function 238
  Attacking Lambda functions with read access 249
  Attacking Lambda functions with read and write access 262
    Privilege escalation 262
    Data exfiltration 270
    Persistence 271
    Staying stealthy 271
  Pivoting into Virtual Private Clouds 275
