AWS Pen-Testing Laboratory

AWS Pen-Testing LaboPenTesting laboratory deployed as IaC with Terraform on AWS. It deploys a Kali Linux instance accessible via ssh & wireguard VPN. Vulnerable instances in a private subnet.

NOTE:

  • Ids only defined for region “eu-west-1”
  • For other regions, kali ami id must be specified and metasploitable3 id (after building it)

Changelog

  • [2022-01-30]
    • set sudoers to allow sudo nmap for users group
    • security group allows incoming connections to ports 8800-8899 (for reverse-shells)
  • [2021-12-26]
    • set automatically first availability zone
    • new metasploitable ami’s created with packer
    • initial integration of log4jshell vulnerability to metasploitable3 machine (but it is not usable)
  • [2021-12-22]
    • Packer to build metasploitable images (see ./metasploitable3/)
    • fixes in kali user_data script
    • Deployment on us-east-1 validated
  • [2021-12-09]
    • Look for latest Kali-linux ami id instead of providing ids
    • terraform template_file replaced as it is deprecated
    • windows server ami (todo: install a vulnerable software)
  • [2021-09-15]
    • Fixes in wireguard multi-peer creation
    • Infection Monkey app integrated on Kali Linux
    • Upgrade to new Kali version 2021.3
  • [2021-06-02] AMI IDs changed to use Kali 2021.2
  • [2021-03-10] Use new Kali version 2021.1

Diagram

Architecture Diagram

Components

  • Kali instance (private key is saved into kali.pem)
    • Wireguard VPN service: client file client_vpn.wg
    • Accessible via ssh/scp
    • Public Subnet 10.0.0.5/24
    • Infection Monkey running on port 5000 (only accesible via vpn or ssh)
  • Vulnerable machine “Metasploitable” (ami build is public)
    • Private subnet 10.0.1.5/24
  • More vulnerable labs/machines/docker (to-be-done)

Features added

  • User management
    • Automatically create non privileged users in kali instance with rsa
    • Wireguard VPN client file per user
  • Command line audit logging in syslog
  • auditd enabled with sudo_log and users_log keys for auditing user actions (see also ausearch command)
  • ToDO: Forward terminal audit to CloudWatch or an S3 Bucket with write once policy

How-To

  • Requirements:
    • Terraform CLI install guide
    • AWS CLI install guide
    • $PATH configured for AWS CLI & Terraform
    • AWS account and configure credentials via aws cli: aws configure
    • Kali Linux Subscription in AWS Marketplace
    • Metasploitable3 AMI image previously built (public AMI available for eu-west-1 region) see

Deploy

  1. Enable/disable vulnerable instances to be deployed setting 0 or 1 in variables.tf:
variable "deploment-control" {
  type = map
  default = {
    #"instance" = 0 or 1, to disable or enable
    "metasploitable3" = 1
    "dvca" = 0
  }
  description = "Control which EC2 instances are deployed, 0 for none or 1"
}

Use terraform for deploy infraestructure

terraform init
terraform plan
terraform apply -auto-approve   

Outputs

Terraform outputs will show following entries:

  • ssh connection command for kali user (root via sudo)
  • wireguard client file for kali user will be automatically retrieved from kali server
  • scp command to retrieve wireguard client file (just in case defined terraform local-exec command fails)
  • For each of the normal users created in Kali instance
    • Private key file for ssh connection
    • Wireguard client file for VPN connectivity

Usage

Either connect to Kali via ssh or wireguard:

  • SSH: (Only command line) Use autogenerated private key (see terraform output)
KALI_IP=<KALI_IP>     # configure kali public ip
ssh -i kali.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes [email protected]${KALI_IP}
  • Wireguard: Connect your local kali instance via wireguard (see client_vpn.wg generated file)
KALI_IP=<KALI_IP>     # configure kali public ip
scp -i kali.pem -o StrictHostKeyChecking=no IdentitiesOnly=yes [email protected]${KALI_IP}:/home/kali/client_vpn.wg .

####
(local_kali)$ sudo apt-get install –y wireguard 
(local_kali)$ sudo gedit /etc/wireguard/wg0.conf # copy contents of client_vpn.wg
(local_kali)$ sudo chmod 700 /etc/wireguard/wg0.conf
(local_kali)$ sudo wg-quick up wg0

(local_kali)$ ping 10.0.0.5  # test connectivity with kali instance in AWS

Destroy

terraform destroy -auto-approve

GitHub – juanjoSanz/aws-pentesting-lab: Pentesting lab with a Kali Linux instance accessible via ssh & wireguard VPN and with vulnerable instances in a private subnet

Comments Box