Attacking & Defending AWS

1. #####################################
2. --------######## # Day 1: AWS Intro & Pentesting AWS # ########--------
3. #####################################
4.  
5.  
6. ###################
7. # Getting Started #
8. ###################
9. https://portal.aws.amazon.com/billing/signup#/start
10. - Create an account
11. - Enter valid credit card (expect today and tomorrow to be FREE, but a valid credit card is required)
12.  
13.  
14.  
15. -- Let's look at the FREE stuff --
16. https://aws.amazon.com/free/
17.  
18.  
19.  
20. -- Let's spin up an instance in EC2 --
21. https://console.aws.amazon.com/
22.  
23. Task 1: Spin up a Linux instance
24. - SSH setup with putty
25. - delete the instance
26.  
27. Task 2: Spin up a Windows instance
28. - delete the instance
29.  
30.  
31. -- Let's build a web app --
32. https://us-west-1.console.aws.amazon.com/elasticbeanstalk/home?region=us-west-1#/gettingStarted
33.  
34. - Step 1: You can use this application:
35. https://infosecaddicts-files.s3.amazonaws.com/AWS-Course/0-aws-first-nodejs-app.zip
36. - Step 2
37. - Step 3
38. - Step 4
39. - Step 5
40. - Step 6
41. **** about 6 min ****
42.  
43.  
44. --- It's broke ---
45. -- says degraded --
46.  
47. - Click "Configuration", then "Software/modify"
48. - In the "Node command" field type: npm start, at the bottom of the screen click "Apply"
49. **** about 2 min ****
50.  
51. Reference:
52. https://javascript.tutorialhorizon.com/2015/08/11/what-does-npm-start-do-in-nodejs/
53.  
54.  
55.  
56. --- Look in EC2 ---
57. https://us-west-1.console.aws.amazon.com/ec2/v2/home?region=us-west-1#Instances:sort=instanceId
58.  
59. --- Back to Beanstalk ---
60. https://us-west-1.console.aws.amazon.com/elasticbeanstalk/home?region=us-west-1#/applications
61. - Step 1: Delete the app
62. - Step 2
63.  
64.  
65. #################
66. # AWS IAM Intro #
67. #################
68.  
69. - Step 1: Create a group
70. - Step 2: Create a user
71. - Step 3: Enable MFA
72. - Step 4: Apply IAM password policy
73. - Step 5: Apply a policy
74. - Step 6: Apply a role
75.  
76.  
77. ##################################################
78. # Try to install something a little more complex #
79. ##################################################
80. Deploy Wordpress using the following tutorial:
81. https://www.essycode.com/posts/wordpress-and-elastic-beanstalk/
82.  
83.  
84.  
85. ########################
86. # AWS Lambda functions #
87. ########################
88. --- Lambdas take 3 Arguments ---
89.  
90. Event = event data, request data, basically a trigger
91. Context = Some additional info about what's going on and what to do
92. Callback = let's lambda know we are done (error, success)
93.  
94.  
95. def lambda_handler(event, context):
96. # Do something
97. print('received create event{}'.format(event))
98. return ''
99.  
100.  
101.  
102.  
103. #################
104. # Setup AWS CLI #
105. #################
106.  
107.  
108. --- AWS CLI in Windows ---
109. Reference: https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html#install-msi-on-windows
110.  
111. 1. Download/install the aws cli msi file
112. https://s3.amazonaws.com/aws-cli/AWSCLI64PY3.msi
113.  
114. -------------Type this--------------------
115. C:\Users\SecureNinja>where aws
116. C:\Program Files\Amazon\AWSCLI\bin\aws.exe
117.  
118. C:\Users\SecureNinja>aws --version
119. aws-cli/1.16.139 Python/3.6.0 Windows/7 botocore/1.12.129
120. ------------------------------------------
121.  
122.  
123.  
124. 2. Install Python3 and awscli
125. -------------Type this--------------------
126. C:\Users\SecureNinja>python --version
127. Python 3.7.3
128.  
129. C:\Users\SecureNinja>pip3 --version
130. pip 19.0.3 from c:\users\secureninja\appdata\local\programs\python\python37\lib\site-packages\pip (python 3.7)
131.  
132. C:\Users\SecureNinja>pip3 install awscli
133. ------------------------------------------
134.  
135.  
136.  
137. 3. Configure awscli
138. -------------Type this--------------------
139. C:\Users\SecureNinja>aws configure
140. AWS Access Key ID [None]: AKIAJWN4LNF7********
141. AWS Secret Access Key [None]: fdbgAYf5SnmZ11YndhVQwRysljZCCyNH********
142. Default region name [786199696183]: us-east-1
143. Default output format [None]: json
144. C:\Users\SecureNinja>aws s3 ls
145. 2019-04-04 07:17:15 virtualmachines05
146.  
147. References:
148. https://cloudacademy.com/blog/aws-cli-10-useful-commands/
149.  
150.  
151.  
152. #######################
153. # Pentesting From AWS #
154.  
155.  
156. #######################
157. Deploy Kali Linux using the following tutorial:
158. https://www.alienvault.com/blogs/security-essentials/configuring-kali-linux-on-amazon-aws-cloud-for-free
159.  
160. root@kali:/home/ec2-user# history
161. sudo /bin/bash
162. apt-get update
163. apt-get install kali-linux-top10
164. apt-get install -y xfce4 xfce4-goodies tightvncserver gnome-core kali-defaults kali-root-login desktop-base
165. tightvncserver :1
166. nmap localhost -p 5900-5901
167.  
168.  
169. #################################
170. # Building a pentest lab in AWS #
171. #################################
172. Here is some code to take a look at (it's old, but should give you an idea of where to start)
173. https://github.com/averagesecurityguy/AWSlab
174.  
175. Although this is designed for OpenStack instead of AWS it should give you some ideas of what to do in your lab.
176. https://github.com/Sliim/pentest-lab
177.  
178.  
179.  
180.  
181.  
182. ##################
183. # Pentesting AWS #
184. ##################
185. https://www.slideshare.net/VengateshNagarajan/pentesting-cloud-environment
186. https://www.slideshare.net/TeriRadichel/red-team-vs-blue-team-on-aws-rsa-2018
187. https://www.slideshare.net/wojdwo/attacking-aws-the-full-cyber-kill-chain-144590283
188.  
189.  
190. ############################
191. # Practicing Attacking AWs #
192. ############################
193. https://github.com/RhinoSecurityLabs/cloudgoat
194.  
195. https://medium.com/@rzepsky/playing-with-cloudgoat-part-1-hacking-aws-ec2-service-for-privilege-escalation-4c42cc83f9da
196. https://medium.com/@rzepsky/playing-with-cloudgoat-part-2-fooling-cloudtrail-and-getting-persistence-access-6a1257bb3f7c
197. https://medium.com/@rzepsky/playing-with-cloudgoat-part-3-using-aws-lambda-for-privilege-escalation-and-exploring-a-lightsail-4a48688335fa
198. https://medium.com/@rzepsky/playing-with-cloudgoat-part-4-security-nuances-of-aws-glue-codebuild-and-s3-services-cc67fb88cc46
199. https://medium.com/@rzepsky/playing-with-cloudgoat-part-5-hacking-aws-with-pacu-6abe1cf5780d
200.  
201.  
202. ##################################
203. --------######## # Day 2: Preparing for AWS exams # ########--------
204. ##################################
205.  
206.  
207. ###########
208. # Task 1: #
209. ###########
210.  
211. #######################
212. # 1) Deploy cloudgoat #
213. #######################
214.  
215. ---step 1: create linux instance---
216. Ubuntu Server 18.04 LTS (HVM), SSD Volume Type - ami-0fc20dd1da406780b (64-bit x86) / ami-0959e8feedaf156bf (64-bit Arm)
217. (https://us-east-2.console.aws.amazon.com/ec2/v2/home?region=us-east-2#LaunchInstanceWizard:)
218.  
219. ---step 2: login server via ssh---
220. ip addr: 18.189.31.144
221. pem = aws-security-train.pem
222. username= ubuntu
223.  
224. ---step 3: initialize---
225. -------------Type this--------------------
226. sudo su
227. apt-get update
228.  
229. - install unzip
230. -------------Type this--------------------
231. apt install unzip
232.  
233. - install python
234. -------------Type this--------------------
235. apt install python
236. apt install python3-pip
237.  
238. - install terraform
239. (https://learn.hashicorp.com/terraform/getting-started/install.html)
240.  
241. -------------Type this--------------------
242. wget https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip
243. unzip terraform_0.12.21_linux_amd64.zip
244.  
245. - install aws cli version 1
246. (https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html)
247.  
248. -------------Type this--------------------
249. curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
250. unzip awscli-bundle.zip
251. sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
252.  
253. - configure aws
254. ---------------run "aws configure" and input info such followings;---------------------
255.  
256. Remember:(acceess key id, secret access key must be real values.)
257.  
258. AWS Access Key ID [None]: AKIA3ODJHKM36C66BUWK
259. AWS Secret Access Key [None]: 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
260. Default region name [None]: us-west-2
261. Default output format [None]: json
262.  
263.  
264. - edit PATH environment variable
265. ( open .bashrc and insert following lines.)
266.  
267. -------------Type this--------------------
268. export PATH=/home/ubuntu:/usr/local/aws:$PATH
269.  
270. - export it
271.  
272. -------------Type this--------------------
273. source .bashrc
274.  
275. ---step 4: git clone CloudGoat, install and configure to quick start---
276. (https://github.com/RhinoSecurityLabs/cloudgoat)
277.  
278. - get source & install
279.  
280. -------------Type this--------------------
281. git clone https://github.com/RhinoSecurityLabs/cloudgoat.git ./CloudGoat
282. cd CloudGoat
283. pip3 install -r ./core/python/requirements.txt
284. chmod u+x cloudgoat.py
285.  
286. - configure to quick start
287.  
288. -------------Type this--------------------
289. ./cloudgoat.py config profile
290. input aws profile name = default
291.  
292. ./cloudgoat.py config whitelist --auto
293.  
294. #####################################################################
295. # 2) After Deploying cloudgoat, and verify that the exercises work: #
296. #####################################################################
297.  
298. #####################################################################
299. # (1) https://thetestlabs.io/post/cloudgoat-2-walkthrough-part-one/ #
300. #####################################################################
301.  
302. ---step 1: Using first scenario, iam_privesc_by_rollback.
303. -------------Type this--------------------
304.  
305. Remember:(acceess_key_id, secret_access_key must be real values. )
306.  
307. export AWS_ACCESS_KEY_ID=AKIA3ODJHKM36C66BUWK
308. export AWS_SECRET_ACCESS_KEY=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
309.  
310. ---step 2: Using first scenario, iam_privesc_by_rollback.
311. ./cloudgoat.py create iam_privesc_by_rollback
312.  
313. -------------Type this--------------------
314. (when you fail first trying, modify the 3 files iam.tr, null-resource.tr, outputs.tf in scenario/iam_privesc_by_rollback/terraform , change raynor -> raynor1)
315.  
316. ---step 3: check modified info to confirms the identity of the user
317. aws sts get-caller-identity
318.  
319. ---step 4: Checking attached policies
320.  
321. ##########
322. # Task 2 #
323. ##########
324.  
325. ------Type this-------
326. ls /etc/passwd
327.  
328. https://www.slideshare.net/wojdwo/hunting-for-the-secrets-in-a-cloud-forest-reduced
329.  
330.  
331. ##########
332. # Task 3 #
333. ##########
334.  
335. https://github.com/nbrandaleone/Amazon-GuardDuty-Lab/blob/master/Lab1-Discovery-and-Remediation-EC2/Amazon%20GuardDuty%20Lab%20-%20SFO%20Loft%20-%2012-14-2017.md
336.  
337. ---In section "Enable GuardDuty" , click the highlighted text "link".