Hands-On AWS Penetration Testing with Kali Linux
Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and CloudFormation
Karl Gilbert
Benjamin Caudill
BIRMINGHAM - MUMBAI
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Shrilekha Inani
Content Development Editor: Deepti Thore
Technical Editor: Mamta Yadav
Copy Editor: Safis Editing
Project Coordinator: Nusaiba Ansari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Nilesh Mohite
First published: April 2019
Production reference: 2090519
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78913-672-2
www.packtpub.com
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Packt.com
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
About the authors
Karl Gilbert is a security researcher who has contributed to the security of some widely used open-source software. His primary interests relate to vulnerability research, 0-days, cloud security, secure DevOps, and CI/CD.
I would like to thank the entire team at Packt as well as Sayanta Sen, without whose major contributions this book wouldn't have seen the light of day.
Benjamin Caudill is a security researcher and founder of pentesting firm Rhino Security Labs. Built on 10+ years of offensive security experience, Benjamin directed the company, with research and development as its foundation, into a key resource for high-needs clients.
Benjamin has also been a major contributor to AWS security research. With co-researcher Spencer Gietzen, the two have developed Pacu (the AWS exploitation framework) and identified dozens of new attack vectors in cloud architecture. Both GCP and Azure research are expected throughout 2019.
As a regular contributor to the security industry, Benjamin has been featured on CNN, Wired, Washington Post, and other major media outlets.
I'd like to thank Spencer Gietzen and the amazing team at Rhino - we wouldn't have Pacu, CloudGoat, or the supporting research without you. This has been as exciting as it is humbling.
About the reviewers
Rejah Rehim is currently the Director and Chief Information Security Officer (CISO) of Appfabs. Prior to that, he held the title of security architect at FAYA India. Rejah is a long-time preacher of open source and a steady contributor to the Mozilla Foundation. He has successfully created the world's first security testing browser bundle, PenQ, an open source Linux-based penetration testing browser bundle preconfigured with tools for security testing. Rejah is also an active member of OWASP and the chapter leader of OWASP Kerala. Additionally, he also holds the title of commander at Cyberdome, an initiative of the Kerala police department.
Shivanand Persad has an MBA from the Australian Institute of Business, and a BSc in Electrical and Computer Engineering from the University of the West Indies, among a number of certifications in the technology sphere. He has a number of areas of specialization, including controls and instrumentation systems, wireless and wired communication systems, strategic management, and business process re-engineering. With over a decade of experience across multiple engineering disciplines, a lengthy tenure with the Caribbean's largest ISP, and oversight of the largest media group in Trinidad and Tobago, he continues to be passionate about technology and its ongoing development. When not reading everything in sight, he enjoys archery, martial arts, biking, and tinkering.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents
Preface 1
Section 1: Kali Linux on AWS
Chapter 1: Setting Up a Pentesting Lab on AWS 8
Technical requirements 8
Setting up a vulnerable Ubuntu instance 8
Provisioning an Ubuntu EC2 instance 9
Installing a vulnerable service on Ubuntu 10
Setting up a vulnerable Windows instance 12
Provisioning a vulnerable Windows server instance 13
Configuring a vulnerable web application on Windows 15
Configuring security groups within the lab 18
Configuring security groups 19
Summary 21
Further reading 21
Chapter 2: Setting Up a Kali PentestBox on the Cloud 22
Technical requirements 23
Setting up Kali Linux on AWS EC2 23
The Kali Linux AMI 23
Configuring the Kali Linux instance 25
Configuring OpenSSH for remote SSH access 28
Setting root and user passwords 29
Enabling root and password authentication on SSH 29
Setting up Guacamole for remote access 31
Hardening and installing prerequisites 31
Configuring Guacamole for SSH and RDP access 34
Summary 36
Questions 37
Further reading 37
Chapter 3: Exploitation on the Cloud using Kali Linux 38
Technical requirements 38
Configuring and running Nessus 39
Installing Nessus on Kali 39
Configuring Nessus 45
Performing the first Nessus scan 47
Exploiting a vulnerable Linux VM 50
Understanding the Nessus scan for Linux 51
Exploitation on Linux 53
Exploiting a vulnerable Windows VM 55
Understanding the Nessus scan for Windows 55
Exploitation on Windows 57
Summary 60
Questions 60
Further reading 60
Section 2: Pentesting AWS Elastic Compute Cloud, Configuring and Securing
Chapter 4: Setting Up Your First EC2 Instances 62
Technical requirements 62
Setting Up Ubuntu on AWS EC2 63
The Ubuntu AMI 63
Configuring VPC settings 64
Storage types that are used in EC2 instances 69
Configuring firewall settings 71
Configuring EC2 authentication 72
Summary 80
Further reading 80
Chapter 5: Penetration Testing of EC2 Instances using Kali Linux 81
Technical requirements 82
Installing a vulnerable service on Windows 82
Setting up a target machine behind the vulnerable Jenkins machine 95
Setting up Nexpose vulnerability scanner on our Kali machine 96
Scanning and reconnaissance using Nmap 99
Identifying and fingerprinting open ports and services using Nmap 101
Performing an automated vulnerability assessment using Nexpose 105
Using Metasploit for automated exploitation 110
Using Meterpreter for privilege escalation, pivoting, and persistence 114
Summary 117
Further reading 117
Chapter 6: Elastic Block Stores and Snapshots - Retrieving Deleted Data 118
Technical requirements 118
EBS volume types and encryption 119
Creating, attaching, and detaching new EBS volumes from EC2 instances 120
Extracting deleted data from EBS volumes 123
Full disk encryption on EBS volumes 126
Creating an encrypted volume 127
Attaching and mounting an encrypted volume 130
Retrieving data from an encrypted volume 132
Summary 134
Further reading 134
Section 3: Pentesting AWS Simple Storage Service, Configuring and Securing
Chapter 7: Reconnaissance - Identifying Vulnerable S3 Buckets 136
Setting up your first S3 bucket 137
S3 permissions and the access API 140
ACPs/ACLs 142
Bucket policies 142
IAM user policies 143
Access policies 143
Creating a vulnerable S3 bucket 145
Summary 150
Further reading 150
Chapter 8: Exploiting Permissive S3 Buckets for Fun and Profit 151
Extracting sensitive data from exposed S3 buckets 151
Injecting malicious code into S3 buckets 154
Backdooring S3 buckets for persistent access 155
Summary 157
Further reading 157
Section 4: AWS Identity Access Management, Configuring and Securing
Chapter 9: Identity Access Management on AWS 159
Creating IAM users, groups, roles, and associated privileges 160
Limit API actions and accessible resources with IAM policies 170
IAM policy structure 170
IAM policy purposes and usage 173
Using IAM access keys 174
Signing AWS API requests manually 181
Summary 182
Chapter 10: Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu 183
The importance of permissions enumeration 184
Using the boto3 library for reconnaissance 184
Our first Boto3 enumeration script 185
Saving the data 187
Adding some S3 enumeration 190
Dumping all the account information 193
A new script – IAM enumeration 193
Saving the data (again) 194
Permission enumeration with compromised AWS keys 196
Determining our level of access 196
Analysing policies attached to our user 197
An alternative method 201
Privilege escalation and gathering credentials using Pacu 202
Pacu – an open source AWS exploitation toolkit 203
Kali Linux detection bypass 204
The Pacu CLI 205
From enumeration to privilege escalation 207
Using our new administrator privileges 210
Summary 213
Chapter 11: Using Boto3 and Pacu to Maintain AWS Persistence 215
Backdooring users 215
Multiple IAM user access keys 216
Do it with Pacu 219
Backdooring role trust relationships 219
IAM role trust policies 219
Finding a suitable target role 220
Adding our backdoor access 222
Confirming our access 223
Automating it with Pacu 225
Backdooring EC2 Security Groups 226
Using Lambda functions as persistent watchdogs 229
Automating credential exfiltration with Lambda 230
Using Pacu for the deployment of our backdoor 231
Other Lambda Pacu modules 233
Summary 234
Section 5: Penetration Testing on Other AWS Services
Chapter 12: Security and Pentesting of AWS Lambda 236
Setting up a vulnerable Lambda function 238
Attacking Lambda functions with read access 249
Attacking Lambda functions with read and write access 262
Privilege escalation 262
Data exfiltration 270
Persistence 271
Staying stealthy 271
Pivoting into Virtual Private Clouds 275