Setting up a Kali Linux EC2 Platform on AWS (Chapter 2)


Introduction

“Setting up a Kali Linux EC2 Platform on AWS” is a step-by-step guide that walks readers through the process of creating a virtual machine in Amazon Web Services (AWS) and installing Kali Linux. The chapter starts with an overview of Kali Linux, and our list of essential tools and scripts for penetration testing in AWS. It then proceeds to explain the different AWS services required to create a virtual machine and how to configure them. Readers will learn how to create an AWS account, set up an Amazon Elastic Compute Cloud (EC2) instance, and configure security groups to allow remote access to the virtual machine. The chapter also covers the various options for launching an EC2 instance, including selecting the appropriate Kali Linux Amazon Machine Image (AMI) and configuring instance storage. The chapter concludes with instructions on how to connect to the Kali Linux EC2 instance using SSH and set up basic configurations, such as updating the system and installing necessary software. By following the step-by-step instructions, readers will be able to create a secure and reliable Kali Linux environment in AWS, ready for penetration testing.

The end of the chapter will dive into the official “Prohibited Activities” list that AWS makes publicly available at https://aws.amazon.com/security/penetration-testing/. Activities we will discuss include:

· DNS zone walking via Amazon Route 53 Hosted Zones

· DNS hijacking via Route 53

· DNS pharming via Route 53

· Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (these are subject to the DDoS Simulation Testing policy)

· Port flooding

· Protocol flooding

· Request flooding (login request flooding, API request flooding)

Structure

The chapter covers the following topics:

· 1. Introduction to Kali Linux: Learn about Kali Linux and the essential tools and scripts required for penetration testing in AWS.

· 2. Creating a virtual machine in AWS: Gain an understanding of the different AWS services required to create a virtual machine and how to configure them, including creating an AWS account, setting up an Amazon EC2 instance, and configuring security groups.

· 3. Launching an EC2 instance: Understand the various options for launching an EC2 instance, such as selecting the appropriate Kali Linux Amazon Machine Image (AMI) and configuring instance storage.

· 4. Connecting to the Kali Linux EC2 instance: Learn how to connect to the Kali Linux EC2 instance using SSH and set up basic configurations, such as updating the system and installing necessary software.

· 5. Best practices for creating a secure Kali Linux environment: Discover best practices for creating a secure and reliable Kali Linux environment in AWS, including configuring security groups, implementing regular system updates, and monitoring for suspicious activity. Also, we will dive into what AWS deems as unauthorized activity like Denial-of-Service (DoS) attacks or simulations of such against ANY AWS asset, yours or otherwise.

Objectives

At the end of this chapter, you will have a basic understanding of creating, launching, and connecting to an EC2 machine in AWS. A good foundation in the AWS infrastructure will lead to faster and easier Kali Linux deployments during future assessments. Listed below are the basic objectives and AWS requirements we hope to convey during this deployment-focused chapter:

· Introduction and background of the Debian-based Kali Linux operating system.

· Understand the concept of EC2 cloud compute, Amazon Machine Images (AMIs) and the AMI marketplace, and how to configure network security groups securely.

· Gain an understanding of securely connecting to AWS instances by creating personally managed SSH keys and network security group rules that whitelist only your public IP address.

· Learn how to efficiently install a Debian desktop environment and the full repository of penetration testing tools, with OS updates and upgrades, via the command line.

· Understand how to stay out of trouble with AWS and learn acceptable boundaries of penetration testing AWS services and hosted resources.

· Learn where to find and install the latest and most reliable offensive tools used to enumerate, attack, and exfiltrate AWS hosts and services.

What is Kali Linux?

Kali Linux is the world’s most popular Linux distribution specifically designed for the needs of penetration testers, cyber security professionals, and students of hacking. The operating system follows a rolling release model, with quarterly releases that bring security fixes, new functionality, and a curated set of software tools. It provides a wide range of powerful tools and features for advanced penetration testing and security auditing, making it a go-to choice for those looking to secure their networks, systems, and data.

One of the main strengths of Kali Linux is its user-friendly interface, which lets users focus on the task at hand without being distracted by irrelevant details. With more than 600 pre-installed penetration testing tools, Kali Linux provides almost everything we will need to conduct comprehensive AWS-centric security audits. Included within the distro are frequently updated tools for gathering open-source intelligence and for conducting vulnerability assessments of on-prem and cloud-based networks and applications. Kali Linux has been created and maintained since its inception by the widely known American company previously known as “Offensive Security”, now OffSec; its predecessor was known to many as “BackTrack”.

Kali Linux is built on the Debian architecture and is completely open source and free to use. It features a custom kernel that is optimized for wireless assessments and is patched for injection, making it one of the most versatile and powerful penetration testing tools available today. In addition to its powerful tools and features, Kali Linux also boasts a range of other benefits for security professionals, including multi-language support, customizable configurations, and support for a wide range of wireless devices. It’s also developed in a secure environment by a small team of trusted experts, ensuring that it’s always up to date with the latest security standards and best practices.

Creating a Kali Linux Virtual Machine in AWS

The first section of this chapter provides an overview of Amazon Web Services (AWS) Elastic Compute Cloud, more commonly known as EC2. We will walk through the basic configuration and security requirements needed for our Virtual Private Cloud (VPC) platform. This section guides you through setting up an AWS account and the fundamentals of configuring it while avoiding any security gaps or pitfalls that would later require cleanup after the VPC is set up.

The first step is to sign up for an AWS account if you don’t already have one. The service is also available with a 1-year free trial, so beginners can use it to experience the service without paying. Click “Create a Free Account” unless you already have an account you would like to use.

Figure 2.1: AWS Create Free Account Landing Page

Source : https://aws.amazon.com

Figure 2.2: AWS Root User email address

Source : https://aws.amazon.com/

Follow the prompts to sign up by clicking the “Verify email address” button, then navigate to your designated email address and click the acceptance link.

Then enter your verification code and set your root user account password, following the password best practice of 2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 special characters in a string of 12 or more characters. Next, fill out all the contact and billing information, as this step is unavoidable for any new AWS account.

Figure 2.3: AWS MFA Verification Code Confirmation

Source : https://aws.amazon.com/

The AWS Free Tier is a program by Amazon Web Services that offers a limited amount of free usage of AWS services to its users for a certain period. The Free Tier can help users get started with AWS by providing access to some of the most popular AWS services without incurring any costs. However, users should be aware that exceeding the Free Tier limits or using services not covered by the program may result in charges being applied to their account.

Figure 2.4: AWS Free Tier Brief Description

Source : https://aws.amazon.com/free/

· The AWS Free Tier allows new AWS users to use some of the most popular AWS services for free, up to certain limits.

· These limits include the amount of compute power, storage, data transfer, and other resources that can be used within a certain time frame.

· This means that new AWS users can experiment and learn how to use these services without incurring any costs, as long as they stay within the free tier limits.

Your company may wish to select a support plan as part of the multistep process; here we are just going with the free “Basic Support” plan. Finally, click “Complete Sign-up” and then select “Go to the management console”. Next, enter the email address the root account was created under and log in.

Figure 2.5: AWS Root User Email Login

Source : https://aws.amazon.com/

Now we should be at the landing page for the AWS management console. Search for the EC2 service and move into the EC2 dashboard landing page, scroll down to the “Images” section on the left-hand side, select the “AMI Catalog” option, and search the marketplace for the Offensive Security official Kali Linux AMI.

Figure 2.6: AWS EC2 and Amazon Machine Image (AMI) Sections

Source : https://aws.amazon.com/

Launching an EC2 instance

Here we look at the various options for launching an EC2 instance, such as selecting the appropriate Kali Linux Amazon Machine Image (AMI) and configuring instance storage. Click “Select” for a Kali Linux instance AMI.

Figure 3.1: AWS Amazon Machine Image (AMI) Marketplace

Source : https://aws.amazon.com/

Be sure to look at the cost-per-hour information on the next page as a point of reference. When our On-Demand EC2 instance is not in use, we should shut it down from the AWS web console only. Powering down Kali Linux from within the OS will sometimes disconnect the API link between the OS and the AWS management console of our account, and powering it on again can be tricky.

Next, click “Select” and then “Launch Instance with AMI” in the upper right-hand corner. Be sure to give the new Kali instance a memorable name associated with its purpose, to help find it later if needed.

Figure 3.2: AWS EC2 and Amazon Machine Image (AMI) Sections

Source : https://aws.amazon.com/

Choose a suitable instance size based on your needs and budget. Here we selected a t2.medium instance, which fits our performance needs within our budget.

Figure 3.3: AWS EC2 and Amazon Machine Image (AMI) Type Sections

Source : https://aws.amazon.com/

Note: If you choose a t2.micro instance size for testing or other reasons, there is a credit of 750 hours of EC2 usage available in the first year of deployment. This may be subject to change.

We will follow security best practice by choosing the “Create a new key pair” option and storing the key in a safe place, such as a password-protected folder or a key management solution. Later we will need it to connect to our Kali Linux EC2 instance remotely using SSH.

Here we will select “Create new key pair.”

Figure 3.4: AWS EC2 Authentication Key Pair Selection

Source : https://aws.amazon.com/

Important Note: You will only be offered the option to download the .pem file once, so be careful to download it now; you cannot go back and do it later.

Figure 3.5: AWS EC2 Authentication Key Pair One Time Warning

Source : https://aws.amazon.com/

Note the location of the .pem file you just downloaded. In the next section, “Network Settings”, we need to restrict SSH access to our Kali EC2 instance so that only our personal public IP address can reach it. Later we can turn off SSH access if desired, but during the setup process it is a requirement.

Figure 3.6: AWS EC2 and Firewall Security Group Rules

Source : https://aws.amazon.com/

In the next section we adjust the Elastic Block Store (EBS) root volume, which is essentially our primary local hard drive as provided by the cloud service provider (CSP). We selected “No” for the Delete on Termination option, so that if we accidentally terminated the instance we would retain our image of the root drive for later use. If you choose “No” for Delete on Termination and later want to delete this EBS volume, you will have to go into the EBS menu, right-click on the volume, and delete it manually.

Figure 3.7: AWS EC2 Elastic Block Storage Selection

Source : https://aws.amazon.com/

Here we decided to increase the root volume from the default setting of 12 GiB to 100 GiB. We intend to keep this volume for a while, and a larger root drive simply eliminates the need for future drive expansion and managing multiple logical volumes for our EC2 instance.

Finally, click the “Launch Instance” button. To verify your connection and security group, navigate to the EC2 menu, click on “Security Groups”, and find our rule that allows port 22 (SSH) only between our one public IP address and our attacking EC2 instance.

Figure 3.8: AWS EC2 Edit Inbound Security Group Rules

Source : https://aws.amazon.com/

Next, we need to find the public IP address AWS assigned to our newly created instance: click on the Instances option, select our new instance, and view the “Details” section to see the dynamic IP address. If we reboot or shut down the instance, it is likely this IP address will change.

Figure 3.9: AWS EC2 Public IP Address Section

Source : https://aws.amazon.com/

NOTE: If your public IP address at home or at the office changes, you will need to edit this configuration setting again to keep SSH access to the Kali Linux instance. If you would like to keep the instance’s IP address as a static IP address, a small additional cost may be associated with this additional service offering. Reference the AWS official documentation:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
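The NOTE above is easy to forget, so here is an added example (not code from the chapter, and not an AWS tool) that looks up the operator's current public address via AWS's checkip.amazonaws.com endpoint, pins the security group's inbound port-22 rule to that /32 while authorizing the new address before revoking the old one so you are never locked out, and warns if the port is open to the whole internet. It assumes the AWS CLI v2 is installed and configured; SG_ID, the state file path, the sync argument and the sg-0123 style ids are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not from the chapter: keep the Kali instance's security group
# pinned to the operator's *current* public /32 (the chapter's NOTE: when your
# home/office address changes, the port-22 rule has to change with it) and warn
# if the port is reachable from the whole internet.
# Assumes AWS CLI v2 is installed and configured; SG_ID is a placeholder you
# must supply, e.g.  SG_ID=sg-0123456789abcdef0 ./pin-ssh.sh sync
set -eu

SG_ID="${SG_ID:-}"                              # security group of the Kali EC2 instance
PORT="${PORT:-22}"                              # 22 for SSH; 3389 if RDP is exposed directly
STATE="${STATE:-$HOME/.kali-ec2-pinned-cidr}"   # remembers the last CIDR we authorized
DRY_RUN="${DRY_RUN:-0}"                         # 1 = print the aws commands instead of running

# Validate a dotted-quad IPv4 address and print it as a /32 CIDR.
cidr_for_ip() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s/32\n' "$ip"
}

# True (exit 0) when a whitespace-separated CIDR list contains an any-source rule.
wide_open() {
    for cidr in $1; do
        case "$cidr" in
            0.0.0.0/0|::/0) return 0 ;;
        esac
    done
    return 1
}

# CIDRs that can currently reach $PORT: rules whose port range covers it, plus
# "all traffic" rules (IpProtocol -1). IPv6 ranges are not covered here.
sg_cidrs() {
    aws ec2 describe-security-groups --group-ids "$SG_ID" --output text \
        --query "SecurityGroups[0].IpPermissions[?(FromPort<=\`$PORT\` && ToPort>=\`$PORT\`) || IpProtocol=='-1'].IpRanges[].CidrIp"
}

# Run an aws mutation, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Swap the pinned CIDR: authorize the new /32 FIRST, then revoke the old one,
# so a failed revoke can never leave you locked out of the instance.
# Usage: sync_rule <old-cidr-or-empty> <new-cidr>
sync_rule() {
    old=$1; new=$2
    if [ "$old" = "$new" ]; then
        echo "already pinned to $new"
        return 0
    fi
    run aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
        --protocol tcp --port "$PORT" --cidr "$new"
    if [ -n "$old" ]; then
        run aws ec2 revoke-security-group-ingress --group-id "$SG_ID" \
            --protocol tcp --port "$PORT" --cidr "$old"
    fi
}

main() {
    [ -n "$SG_ID" ] || { echo "SG_ID is not set" >&2; exit 2; }
    me=$(curl -fsS https://checkip.amazonaws.com)   # AWS's own "what is my IP" endpoint
    new=$(cidr_for_ip "$me") || { echo "unexpected address: $me" >&2; exit 1; }
    old=$(cat "$STATE" 2>/dev/null || true)
    current=$(sg_cidrs)
    if wide_open "$current"; then
        echo "WARNING: port $PORT on $SG_ID is open to the internet: $current" >&2
    fi
    sync_rule "$old" "$new"
    [ "$DRY_RUN" = 1 ] || printf '%s\n' "$new" > "$STATE"
}

# Only act when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "sync" ]; then main; fi
```

Run it with DRY_RUN=1 first to see the exact authorize and revoke calls it would make before letting it touch the group.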

There are pluses and minuses to either decision: retaining an Elastic IP address, or keeping the ability to drop your current IP address and pick up a new one at will. Before starting any engagement, it is necessary to go over the Rules of Engagement (ROE) document, which lists all approved actions and what is off limits for the upcoming penetration test. It should cover things like making sure you have approval from your cloud provider or on-prem system owners, when status updates will be sent to the client, and how time-sensitive and critical issues we discover will be handled. Most of these, as you would expect, go over without many questions.

However, one ROE item that usually gets a fair amount of conversation is whitelisting our IP addresses in the client’s intrusion prevention system (IPS). After all, many clients want to know why they should whitelist the pen tester’s IP address. Isn’t that cheating? Will this make the network team look bad, or worse off than before? There are several reasons why you should whitelist the pen tester’s IP address.

One of the strengths of a non-elastic (dynamic) IP address is that, during the active scanning and attacking phase, your EC2 IP address may set off alarms and security appliance detections, which often leads to the address being shadow banned, banned, or filtered in general; with a dynamic address you can simply drop it and pick up a new one.

In conclusion, both static and dynamic IP addresses have their pros and cons, and the choice ultimately depends on your specific needs and circumstances. If you require a fixed IP address for hosting a Command and Control (C2) server framework, or your organization needs a consistent IP address for whitelisting, suppressing alarms, or even just convenient remote access, a static IP address is likely the best option.

We will continue forward with our current default IP address settings and connect to our instance using the default built-in kali user account and the host IP address.

If your local system is Linux (or another Unix-like system such as macOS), change the permission of the key using the command:

chmod 400 Penetration_Testing_AWS.pem

Before and after, the file mode should change from owner read/write and world readable to owner read-only:

sh-3.2# ls -alh Penetration_Testing_AWS.pem

-rw-r--r--@ 1 m staff 1.6K Apr 5 06:40 Penetration_Testing_AWS.pem

sh-3.2# chmod 400 Penetration_Testing_AWS.pem

sh-3.2# ls -alh Penetration_Testing_AWS.pem

-r--------@ 1 m staff 1.6K Apr 5 06:40 Penetration_Testing_AWS.pem

If you do not set these permissions, you will not be able to connect to your instance using this key pair, because SSH refuses to use a private key file that is readable by other users. After that, run the following command to connect to the public Kali EC2 instance:

ssh -i "path-to-your-key-pair.pem" kali@public-ip-address

Figure 4.1: AWS EC2 SSH with Kali User Section

Source : https://aws.amazon.com/

Once connected we should change the default kali user password to a custom password of your choosing by issuing the following command.

sudo passwd kali

Figure 4.2: AWS EC2 SSH with Kali User and Update Password Section

Source : https://aws.amazon.com/

After connecting, a user may realize that the image is quite sparse. This is to allow for customization and a reduced image size. To download and install the XFCE desktop environment and get a full suite of the Kali tool set, we can utilize Kali’s metapackages. Alternatively, a more time-consuming but minimalist approach is to install specific tools as they are needed. The following commands start with the kali-linux-headless metapackage to get us quickly up and running, then add the XFCE desktop and the full kali-linux-everything tool set:

sudo apt update && sudo apt install -y kali-linux-headless

sudo apt update && sudo apt install -y kali-desktop-xfce

sudo apt-get update && sudo apt-get -y upgrade

sudo apt-get install -y kali-linux-everything

Now connect to the Kali instance using an RDP client. Here we use the native RDP client.

Figure 4.3: AWS EC2 and Remote Desktop Protocol (RDP) Login

Source : https://aws.amazon.com/

Next, we login to the XFCE desktop as the kali user with the password from earlier.

Figure 4.4: AWS EC2 RDP Connection XFCE Desktop Login

Source : https://aws.amazon.com/

As a penetration tester, it is important to stay up-to-date with the latest offensive tools and techniques. Keep in mind that you should always obtain proper authorization before conducting any penetration testing activities.

When it comes to AWS security, the following aspects should be considered:

1. Identity and Access Management (IAM): IAM allows you to manage user access to AWS services. Ensure that you follow the principle of least privilege, granting users only the permissions they require.

2. Network Security: Utilize Virtual Private Clouds (VPCs) to isolate and control network traffic. Implement security groups and network access control lists (NACLs) to restrict access to specific ports and protocols.

3. Secure Configurations: Regularly review and apply secure configurations for your AWS resources. This includes keeping software and services up-to-date, disabling unnecessary ports and services, and using strong authentication mechanisms.

4. Logging and Monitoring: Enable AWS CloudTrail to log all API activity within your AWS account. Utilize AWS Config to assess resource configurations and AWS CloudWatch to monitor for suspicious activities.

Now, let’s talk about some commonly used AWS security tools:

AWS Security Hub: It provides a comprehensive view of security alerts and compliance status across your AWS accounts. It aggregates findings from various security services, such as AWS GuardDuty, AWS Inspector, and AWS Macie.

AWS GuardDuty: It is a threat detection service that analyzes logs and events to identify potential security issues, such as compromised instances or unauthorized access attempts.

AWS Inspector: This service helps to assess the security and compliance of your EC2 instances. It performs automated security assessments and provides detailed reports and recommendations.

AWS Macie: It is a data discovery and classification service that helps identify sensitive data, such as personally identifiable information (PII), in your AWS environment. It assists in meeting regulatory requirements and preventing data leaks.

Remember that the usage of offensive tools must comply with ethical standards and legal requirements. Always obtain proper authorization and ensure you are conducting penetration testing activities within the boundaries of the law.

Finally, we move into the exciting world of offensive tools for AWS! As a penetration tester, you’re about to unlock a treasure trove of possibilities. Let’s dive into the latest and most reliable offensive tools that can help you enumerate, attack, and exfiltrate AWS hosts and services. Here are some powerful tools you can consider:

AWSBucketDump: This tool enables you to enumerate and extract sensitive data from misconfigured S3 buckets, uncovering potential security vulnerabilities.

Pacu: A comprehensive AWS exploitation framework, Pacu provides a wide range of capabilities, including privilege escalation, persistence, and exfiltration techniques.

CloudGoat: A vulnerable AWS deployment tool, CloudGoat allows you to simulate real-world attack scenarios and practice your offensive skills in a safe environment.

BeRoot: This tool focuses on AWS Elastic Beanstalk environments, providing privilege escalation techniques and opportunities to gain root access.

Now, let’s talk about installing these tools using code examples. To install AWSBucketDump, you can use the following commands:

git clone https://github.com/jordanpotti/AWSBucketDump.git

cd AWSBucketDump

pip install -r requirements.txt

For Pacu, the installation steps are as follows:

git clone https://github.com/RhinoSecurityLabs/pacu.git

cd pacu

pip install -r requirements.txt

To set up CloudGoat, you can follow the instructions provided in its GitHub repository:

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git

cd cloudgoat

# Follow the setup instructions provided in the repository

Lastly, for BeRoot, use the following commands:

git clone https://github.com/michenriksen/beargit.git

cd beargit

# Additional setup steps may be required, please refer to the repository for instructions

AWS has established clear guidelines regarding acceptable and unacceptable activities during penetration testing. According to AWS Penetration Testing Guidelines, the following activities are generally considered as unauthorized:

· Testing third-party applications or services without prior written consent from the vendor or owner.

· Conducting a penetration test against a target outside the scope of an approved testing plan or agreement.

· Targeting any Amazon-owned infrastructure or services, including EC2 instances, S3 buckets, or other AWS resources, without prior authorization.

· Engaging in any activities that could result in the disruption of AWS services or other customers’ use of those services, such as launching a Denial-of-Service (DoS) attack or attempting to overload a system.

· Attempting to gain unauthorized access to other customers’ data, resources, or accounts on AWS.

· Performing any activities that could potentially damage or corrupt data, systems, or networks.

· Using any exploit or vulnerability beyond the scope of the approved testing plan.

· Failing to comply with all applicable laws and regulations, including privacy laws and data protection requirements.

It’s important to note that AWS policies and guidelines may change over time, so it’s always best to refer to the official AWS documentation and consult with AWS support before conducting any penetration testing activities.

AWS Terms and Conditions

Before we dive into the risks and consequences of unauthorized activity within AWS, it is important to understand the AWS terms and conditions that govern the use of the platform. AWS has a detailed Acceptable Use Policy that outlines the types of activities that are prohibited on the platform. Specifically, AWS prohibits any activities that are illegal, harmful, or disruptive to the platform or other users. This includes activities such as hacking, phishing, spamming, and DoS attacks.

Risks of Unauthorized Activity within AWS

Unauthorized activity within AWS, including DoS attacks or simulations of such against any AWS asset, can have severe consequences for both the attacker and the victim. For example, a DoS attack can result in a loss of service or access to critical resources, which can lead to significant financial and operational losses for the victim. Additionally, unauthorized activity can compromise the security of sensitive data or infrastructure, which can have long-lasting and far-reaching consequences.

One of the main risks associated with unauthorized activity within AWS is the potential for legal action. AWS takes unauthorized activity very seriously and has the right to terminate any account that engages in such activities. In addition, victims of unauthorized activity can pursue civil damages against the attacker, which can be costly and time-consuming.

Consequences of Unauthorized Activity within AWS

The consequences of unauthorized activity within AWS can be severe, both in terms of legal and financial repercussions. AWS has a zero-tolerance policy for any activities that violate its terms and conditions, including DoS attacks or simulations of such against any AWS asset. If an account is found to be engaging in unauthorized activity, AWS has the right to terminate the account and take legal action against the perpetrator.

In addition to legal action, victims of unauthorized activity within AWS may pursue civil damages against the attacker. This can include compensation for any financial losses or damages caused by the unauthorized activity, as well as punitive damages to deter future attacks.

Finally, it is worth noting that unauthorized activity within AWS can also result in criminal charges. Depending on the severity of the activity, attackers may be subject to criminal charges and prosecution. This can include charges such as computer fraud, identity theft, and unauthorized access to a computer system.

Conclusion

In conclusion, creating a secure Kali Linux environment in AWS requires a combination of configuring security groups, implementing regular system updates, and monitoring for suspicious activity. By following these best practices, you can reduce the risk of unauthorized access and ensure the protection of sensitive data. Remember that cybersecurity is an ongoing process, and you must stay vigilant and keep up with the latest security trends and best practices to maintain a secure environment.
