final project for cloud security. i attached a ppt file what to do there are step by step procedure to doAWS_Pentest.pptx
final project for cloud security.
i attached a ppt file what to do there are step by step procedure to do
AWS PenTest
AWS Services
Compute Service
Storage Service
Networking & Content Delivery
Create User by logged in as ROOT user
Click Add User
Set Permissions
Attach existing policies directly
Programmatic Access
It is important we record Access Key ID , Secret access key by downloading CSV file.
Setup two-factor authentication for cbutest
Cont…
Select a User name from the Users where you want to setup a two-factor authentication.
Go to Security credentials
Very Important
Select MFA Device
Cont…
Cont…
Cont…
Type two consecutive MFA codes from the virtual device for this user account.
Lets login with cbutest user account
Login
MFA enable
Change password since we are accessing first time
Cont…
Successful login
Console Home
We have created an account and we have set up a working IAM user to administer it.
There are a few things we should do to protect our accounts.
We should set up a multi-factor authentication on the root account and delete its programmatic access ID and secret key.
We still be able to use the root user interactive access, but the programmatic option will be erased.
We now have an AWS account set up and we can start provisioning and using cloud services.
AWS Services
Let’s take a look at one of the latest Amazon services which makes launching a new cloud server very easy. This is the Lightsail service.
Lightsail is a quick and easy way to launch servers.
Lightsail Service
Cont…
Cont…
OS Only
Cont…
Cont…
Cont…
Cont….
Cont…
Cont…
Cont….
Cont…
RDP access
Access VM using RDP
Windows Subsystem for Linux
Windows 10 includes a Windows Subsystem for Linux (WSL)
WSL is command line only
Ubuntu, Debian, SUSE, and Kali
Configure the Windows Subsystem for Linux
Settings -> Apps -> Programs and Features -> Turn Windows features on or off
We need to reboot for this to activate.
Search the Microsoft store for Linux.
Installing AWS Tools
Best approach is to install directly from the AWS site.
$ curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip –o “awscliv2.zip”
Unpack the awscliv2.zip
Check the version
Cont…
We have to set up access credentials to log into our cloud account.
The access and secret keys we were given when we set up our user accounts in IAM
$ aws configure
Cont…
We can use the AWSCLI now to access out cloud account.
The command line interface tool can be used for the complete set of AWS services.
Let’s explore ec2 command.
Cloud Infrastructure Automation
When we are dealing with cloud deployments, the Amazon Management Console and Amazon’s command line tool provide everything we need to deploy, configure, and manage our resources.
However, especially with larger deployments, this can be quite time-consuming.
One of the key performance and reliability options for a business running in the cloud is automation. HashiCorp provide a tool called Terraform which enabled cloud automation. The CloudGoat testing environement uses Terraform to deploy its scenarios.
Installation of Terraform
The Downloads page (https://www.terraform.io/downloads) has the details of the latest Terraform packages.
Pen Testing the Cloud
Hands-on learning
Getting hands-on with tools and creating custom scripts that you can further develop and use when on an engagement is a great way to build your skills.
To do this requires a set of cloud targets that you can use to try out the tools and scripts.
For traditional pen testing, we can manually deploy targets on our testing network. We can do the same with cloud.
Manually provisioning resources through the AWS management console and configuring them with vulnerabilities. An easier approach for traditional pen testing is to deploy a ready to go testing environment, such as the OWASP WebGoat, the Web Security Dojo, or Rapid7’s Metasploitable.
Cont…
Similarly, we have a better way to test cloud than manually provisioning targets.
A good starter for learning about AWS cloud testing (http://flaws.cloud) is to run the cloud flAWS challenge. Which take you through the use of the AWS command line interface to find a number of typical cloud configuration and operational flaws. This uses a fixed deployment of accessible cloud resources.
There are a more advanced capability available from the Rhino Security folks called CloudGoat. (https://github.com/RhinoSecurityLabs/cloudgoat)
Cont…
This is being actively supported and enhanced. And CloudGoat version two is now available. It’s also supported by an AWS testing framework Pacu.
CloudGoat and Pacu
CloudGoat and Pacu are both Python applications which can be installed directly onto a Linux system, including the windows subsystem for Linux (WSL).
CloudGoat uses Terraform automation to deploy a set of cloud resources automatically. And these can then be used as the target for testing with the Pacu framework. These resources can be provisioned and deprovisioned with simple one-line CloudGoat commands, with no requirement of any further cloud resource management.
CloudGoat is designed to work within the permitted AWS testing activities. And so can be used without any requirement for notification or approvals.
Deployment Scenarios
The deployments are provided in the form of scenarios. Each having a specific vulnerability in the deployment resources. The resources are deployed into an existing cloud account and are typically designed for exploitation to start at the point where you found some exposed AWS credentials. In addition, white listing is used to limit access to the CloudGoat deployment. Rhino security advises that the CloudGoat solution does not require much if any investments in cloud services.
It should operate within the free tier or for a charged account should be limited to a few dollars a day. The deployed scenarios are not just limited to testing through Pacu.
Testing Methods
Pacu
They can also be used for testing manually by the AWS command line interface or by writing python scripts using the AWS software development kit library, boto3.
Testing CloudGoat deployments is a great way to learn about the CLI commands and to get familiar with boto3 coding.
Installing CloudGoat
CloudGoat is an easy tool to install and use. We already have loaded what it needs to run: Python, the Terraform Cloud building tool, and the AWS command line tool. We are now ready to install CloudGoat.
Later in the course we will use an associated cloud testing tool: Pacu.
So let’s create a Pacu folder. Unload CloudGoat into it.
Cont…
Cont…
Scenarios
So let’s see what scenarios we have available to deploy.
Cont…
Now we have CloduGoat scenarios, and we can set up an AWS deployment and get started on testing it. We’ll configure the default profile for the CloudGoat to use to deploy the scenarios.
Load Scenarios
Cont…
AWS Profile
Cont…
Cont…
As Cloud Goat is designed for running authenticated pen testing.
Cont…
Let’s see what user policies we have associated with our scenario one credentials.
We will use the AWS command line tool for this.
$ aws iam list-policies – – profile scenario1
Cont…
We can see there are a lot of policies associated with this account. We want to be bit more selective and look at just the relevant ones. We know from the start.txt file that the username is Raynor, but we could, in any case find this using the get caller identity request.
$ aws sts get-caller-identity –profile scenario1
Cont…
Okay, Raynor hasn’t any managed user policies.
Let’s try the attached policies
Cont…
Cont…
Gaining Privileges by changing policies
We have determined that we have the authority to set the default policy, but so far we only seen version one.
Let’s see how we list all the versions,
Cont…
Okay, so now we know there are five policies. We know what’s in v1. So let’s get each of the other policies in turn, staring with v2 and see what they can offer.
Cont….
Cont….
Cont…
Not Ahuthorized
Destroy the Scenario
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.
