Advertisement
joemccray

Attacking & Defending AWS

Sep 5th, 2019
2,233
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.97 KB | None | 0 0
  1. #####################################
  2. --------######## # Day 1: AWS Intro & Pentesting AWS # ########--------
  3. #####################################
  4.  
  5.  
  6. ###################
  7. # Getting Started #
  8. ###################
  9. https://portal.aws.amazon.com/billing/signup#/start
  10. - Create an account
  11. - Enter valid credit card (expect today and tomorrow to be FREE, but a valid credit card is required)
  12.  
  13.  
  14.  
  15. -- Let's look at the FREE stuff --
  16. https://aws.amazon.com/free/
  17.  
  18.  
  19.  
  20. -- Let's spin up an instance in EC2 --
  21. https://console.aws.amazon.com/
  22.  
  23. Task 1: Spin up a Linux instance
  24. - SSH setup with putty
  25. - delete the instance
  26.  
  27. Task 2: Spin up a Windows instance
  28. - delete the instance
  29.  
  30.  
  31. -- Let's build a web app --
  32. https://us-west-1.console.aws.amazon.com/elasticbeanstalk/home?region=us-west-1#/gettingStarted
  33.  
  34. - Step 1: You can use this application:
  35. https://infosecaddicts-files.s3.amazonaws.com/AWS-Course/0-aws-first-nodejs-app.zip
  36. - Step 2
  37. - Step 3
  38. - Step 4
  39. - Step 5
  40. - Step 6
  41. **** about 6 min ****
  42.  
  43.  
  44. --- It's broke ---
  45. -- says degraded --
  46.  
  47. - Click "Configuration", then "Software/modify"
  48. - In the "Node command" field type: npm start, at the bottom of the screen click "Apply"
  49. **** about 2 min ****
  50.  
  51. Reference:
  52. https://javascript.tutorialhorizon.com/2015/08/11/what-does-npm-start-do-in-nodejs/
  53.  
  54.  
  55.  
  56. --- Look in EC2 ---
  57. https://us-west-1.console.aws.amazon.com/ec2/v2/home?region=us-west-1#Instances:sort=instanceId
  58.  
  59. --- Back to Beanstalk ---
  60. https://us-west-1.console.aws.amazon.com/elasticbeanstalk/home?region=us-west-1#/applications
  61. - Step 1: Delete the app
  62. - Step 2
  63.  
  64.  
  65. #################
  66. # AWS IAM Intro #
  67. #################
  68.  
  69. - Step 1: Create a group
  70. - Step 2: Create a user
  71. - Step 3: Enable MFA
  72. - Step 4: Apply IAM password policy
  73. - Step 5: Apply a policy
  74. - Step 6: Apply a role
  75.  
  76.  
  77. ##################################################
  78. # Try to install something a little more complex #
  79. ##################################################
  80. Deploy Wordpress using the following tutorial:
  81. https://www.essycode.com/posts/wordpress-and-elastic-beanstalk/
  82.  
  83.  
  84.  
  85. ########################
  86. # AWS Lambda functions #
  87. ########################
  88. --- Lambdas take 3 Arguments ---
  89.  
  90. Event = event data, request data, basically a trigger
  91. Context = Some additional info about what's going on and what to do
  92. Callback = let's lambda know we are done (error, success)
  93.  
  94.  
  95. def lambda_handler(event, context):
  96. # Do something
  97. print('received create event{}'.format(event))
  98. return ''
  99.  
  100.  
  101.  
  102.  
  103. #################
  104. # Setup AWS CLI #
  105. #################
  106.  
  107.  
  108. --- AWS CLI in Windows ---
  109. Reference: https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html#install-msi-on-windows
  110.  
  111. 1. Download/install the aws cli msi file
  112. https://s3.amazonaws.com/aws-cli/AWSCLI64PY3.msi
  113.  
  114. -------------Type this--------------------
  115. C:\Users\SecureNinja>where aws
  116. C:\Program Files\Amazon\AWSCLI\bin\aws.exe
  117.  
  118. C:\Users\SecureNinja>aws --version
  119. aws-cli/1.16.139 Python/3.6.0 Windows/7 botocore/1.12.129
  120. ------------------------------------------
  121.  
  122.  
  123.  
  124. 2. Install Python3 and awscli
  125. -------------Type this--------------------
  126. C:\Users\SecureNinja>python --version
  127. Python 3.7.3
  128.  
  129. C:\Users\SecureNinja>pip3 --version
  130. pip 19.0.3 from c:\users\secureninja\appdata\local\programs\python\python37\lib\site-packages\pip (python 3.7)
  131.  
  132. C:\Users\SecureNinja>pip3 install awscli
  133. ------------------------------------------
  134.  
  135.  
  136.  
  137. 3. Configure awscli
  138. -------------Type this--------------------
  139. C:\Users\SecureNinja>aws configure
  140. AWS Access Key ID [None]: AKIAJWN4LNF7********
  141. AWS Secret Access Key [None]: fdbgAYf5SnmZ11YndhVQwRysljZCCyNH********
  142. Default region name [786199696183]: us-east-1
  143. Default output format [None]: json
  144. C:\Users\SecureNinja>aws s3 ls
  145. 2019-04-04 07:17:15 virtualmachines05
  146.  
  147. References:
  148. https://cloudacademy.com/blog/aws-cli-10-useful-commands/
  149.  
  150.  
  151.  
  152. #######################
  153. # Pentesting From AWS #
  154.  
  155.  
  156. #######################
  157. Deploy Kali Linux using the following tutorial:
  158. https://www.alienvault.com/blogs/security-essentials/configuring-kali-linux-on-amazon-aws-cloud-for-free
  159.  
  160. root@kali:/home/ec2-user# history
  161. sudo /bin/bash
  162. apt-get update
  163. apt-get install kali-linux-top10
  164. apt-get install -y xfce4 xfce4-goodies tightvncserver gnome-core kali-defaults kali-root-login desktop-base
  165. tightvncserver :1
  166. nmap localhost -p 5900-5901
  167.  
  168.  
  169. #################################
  170. # Building a pentest lab in AWS #
  171. #################################
  172. Here is some code to take a look at (it's old, but should give you an idea of where to start)
  173. https://github.com/averagesecurityguy/AWSlab
  174.  
  175. Although this is designed for OpenStack instead of AWS it should give you some ideas of what to do in your lab.
  176. https://github.com/Sliim/pentest-lab
  177.  
  178.  
  179.  
  180.  
  181.  
  182. ##################
  183. # Pentesting AWS #
  184. ##################
  185. https://www.slideshare.net/VengateshNagarajan/pentesting-cloud-environment
  186. https://www.slideshare.net/TeriRadichel/red-team-vs-blue-team-on-aws-rsa-2018
  187. https://www.slideshare.net/wojdwo/attacking-aws-the-full-cyber-kill-chain-144590283
  188.  
  189.  
  190. ############################
  191. # Practicing Attacking AWs #
  192. ############################
  193. https://github.com/RhinoSecurityLabs/cloudgoat
  194.  
  195. https://medium.com/@rzepsky/playing-with-cloudgoat-part-1-hacking-aws-ec2-service-for-privilege-escalation-4c42cc83f9da
  196. https://medium.com/@rzepsky/playing-with-cloudgoat-part-2-fooling-cloudtrail-and-getting-persistence-access-6a1257bb3f7c
  197. https://medium.com/@rzepsky/playing-with-cloudgoat-part-3-using-aws-lambda-for-privilege-escalation-and-exploring-a-lightsail-4a48688335fa
  198. https://medium.com/@rzepsky/playing-with-cloudgoat-part-4-security-nuances-of-aws-glue-codebuild-and-s3-services-cc67fb88cc46
  199. https://medium.com/@rzepsky/playing-with-cloudgoat-part-5-hacking-aws-with-pacu-6abe1cf5780d
  200.  
  201.  
  202. ##################################
  203. --------######## # Day 2: Preparing for AWS exams # ########--------
  204. ##################################
  205.  
  206.  
  207. ###########
  208. # Task 1: #
  209. ###########
  210.  
  211. #######################
  212. # 1) Deploy cloudgoat #
  213. #######################
  214.  
  215. ---step 1: create linux instance---
  216. Ubuntu Server 18.04 LTS (HVM), SSD Volume Type - ami-0fc20dd1da406780b (64-bit x86) / ami-0959e8feedaf156bf (64-bit Arm)
  217. (https://us-east-2.console.aws.amazon.com/ec2/v2/home?region=us-east-2#LaunchInstanceWizard:)
  218.  
  219. ---step 2: login server via ssh---
  220. ip addr: 18.189.31.144
  221. pem = aws-security-train.pem
  222. username= ubuntu
  223.  
  224. ---step 3: initialize---
  225. -------------Type this--------------------
  226. sudo su
  227. apt-get update
  228.  
  229. - install unzip
  230. -------------Type this--------------------
  231. apt install unzip
  232.  
  233. - install python
  234. -------------Type this--------------------
  235. apt install python
  236. apt install python3-pip
  237.  
  238. - install terraform
  239. (https://learn.hashicorp.com/terraform/getting-started/install.html)
  240.  
  241. -------------Type this--------------------
  242. wget https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip
  243. unzip terraform_0.12.21_linux_amd64.zip
  244.  
  245. - install aws cli version 1
  246. (https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html)
  247.  
  248. -------------Type this--------------------
  249. curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
  250. unzip awscli-bundle.zip
  251. sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
  252.  
  253. - configure aws
  254. ---------------run "aws configure" and input info such followings;---------------------
  255.  
  256. Remember:(acceess key id, secret access key must be real values.)
  257.  
  258. AWS Access Key ID [None]: AKIA3ODJHKM36C66BUWK
  259. AWS Secret Access Key [None]: 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
  260. Default region name [None]: us-west-2
  261. Default output format [None]: json
  262.  
  263.  
  264. - edit PATH environment variable
  265. ( open .bashrc and insert following lines.)
  266.  
  267. -------------Type this--------------------
  268. export PATH=/home/ubuntu:/usr/local/aws:$PATH
  269.  
  270. - export it
  271.  
  272. -------------Type this--------------------
  273. source .bashrc
  274.  
  275. ---step 4: git clone CloudGoat, install and configure to quick start---
  276. (https://github.com/RhinoSecurityLabs/cloudgoat)
  277.  
  278. - get source & install
  279.  
  280. -------------Type this--------------------
  281. git clone https://github.com/RhinoSecurityLabs/cloudgoat.git ./CloudGoat
  282. cd CloudGoat
  283. pip3 install -r ./core/python/requirements.txt
  284. chmod u+x cloudgoat.py
  285.  
  286. - configure to quick start
  287.  
  288. -------------Type this--------------------
  289. ./cloudgoat.py config profile
  290. input aws profile name = default
  291.  
  292. ./cloudgoat.py config whitelist --auto
  293.  
  294. #####################################################################
  295. # 2) After Deploying cloudgoat, and verify that the exercises work: #
  296. #####################################################################
  297.  
  298. #####################################################################
  299. # (1) https://thetestlabs.io/post/cloudgoat-2-walkthrough-part-one/ #
  300. #####################################################################
  301.  
  302. ---step 1: Using first scenario, iam_privesc_by_rollback.
  303. -------------Type this--------------------
  304.  
  305. Remember:(acceess_key_id, secret_access_key must be real values. )
  306.  
  307. export AWS_ACCESS_KEY_ID=AKIA3ODJHKM36C66BUWK
  308. export AWS_SECRET_ACCESS_KEY=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
  309.  
  310. ---step 2: Using first scenario, iam_privesc_by_rollback.
  311. ./cloudgoat.py create iam_privesc_by_rollback
  312.  
  313. -------------Type this--------------------
  314. (when you fail first trying, modify the 3 files iam.tr, null-resource.tr, outputs.tf in scenario/iam_privesc_by_rollback/terraform , change raynor -> raynor1)
  315.  
  316. ---step 3: check modified info to confirms the identity of the user
  317. aws sts get-caller-identity
  318.  
  319. ---step 4: Checking attached policies
  320.  
  321. ##########
  322. # Task 2 #
  323. ##########
  324.  
  325. ------Type this-------
  326. ls /etc/passwd
  327.  
  328. https://www.slideshare.net/wojdwo/hunting-for-the-secrets-in-a-cloud-forest-reduced
  329.  
  330.  
  331. ##########
  332. # Task 3 #
  333. ##########
  334.  
  335. https://github.com/nbrandaleone/Amazon-GuardDuty-Lab/blob/master/Lab1-Discovery-and-Remediation-EC2/Amazon%20GuardDuty%20Lab%20-%20SFO%20Loft%20-%2012-14-2017.md
  336.  
  337. ---In section "Enable GuardDuty" , click the highlighted text "link".
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement