AWS Pen-Testing Laboratory

PenTesting laboratory deployed as IaC with Terraform on AWS. It deploys a Kali Linux instance accessible via ssh & wireguard VPN. Vulnerable instances in a private subnet.

NOTE:

Ids only defined for region "eu-west-1"
For other regions, kali ami id must be specified and metasploitable3 id (after building it)

Changelog

[2022-01-30]
- set sudoers to allow sudo nmap for users group
- security group allows incoming connections to ports 8800-8899 (for reverse-shells)
[2021-12-26]
- set automatically first availability zone
- new metasploitable ami's created with packer
- initial integration of log4jshell vulnerability to metasploitable3 machine (but it is not usable)
[2021-12-22]
- Packer to build metasploitable images (see ./metasploitable3/)
- fixes in kali user_data script
- Deployment on us-east-1 validated
[2021-12-09]
- Look for latest Kali-linux ami id instead of providing ids
- terraform template_file replaced as it is deprecated
- windows server ami (todo: install a vulnerable software)
[2021-09-15]
- Fixes in wireguard multi-peer creation
- Infection Monkey app integrated on Kali Linux
- Upgrade to new Kali version 2021.3
[2021-06-02] AMI IDs changed to use Kali 2021.2
[2021-03-10] Use new Kali version 2021.1

Diagram

Components

Kali instance (private key is saved into kali.pem)
- Wireguard VPN service: client file client_vpn.wg
- Accessible via ssh/scp
- Public Subnet 10.0.0.5/24
- Infection Monkey running on port 5000 (only accesible via vpn or ssh)
Vulnerable machine "Metasploitable" (ami build is public)
- Private subnet 10.0.1.5/24
More vulnerable labs/machines/docker (to-be-done)

Features added

User management
- Automatically create non privileged users in kali instance with rsa
- Wireguard VPN client file per user
Command line audit logging in syslog
auditd enabled with sudo_log and users_log keys for auditing user actions (see also ausearch command)
ToDO: Forward terminal audit to CloudWatch or an S3 Bucket with write once policy

How-To

Requirements:
- Terraform CLI install guide
- AWS CLI install guide
- $PATH configured for AWS CLI & Terraform
- AWS account and configure credentials via aws cli: aws configure
- Kali Linux Subscription in AWS Marketplace
- Metasploitable3 AMI image previously built (public AMI available for eu-west-1 region) see

Deploy

Enable/disable vulnerable instances to be deployed setting 0 or 1 in variables.tf:

variable "deploment-control" {
  type = map
  default = {
    #"instance" = 0 or 1, to disable or enable
    "metasploitable3" = 1
    "dvca" = 0
  }
  description = "Control which EC2 instances are deployed, 0 for none or 1"
}

Use terraform for deploy infraestructure

terraform init
terraform plan
terraform apply -auto-approve

Outputs

Terraform outputs will show following entries:

ssh connection command for kali user (root via sudo)
wireguard client file for kali user will be automatically retrieved from kali server
scp command to retrieve wireguard client file (just in case defined terraform local-exec command fails)
For each of the normal users created in Kali instance
- Private key file for ssh connection
- Wireguard client file for VPN connectivity

Usage

Either connect to Kali via ssh or wireguard:

SSH: (Only command line) Use autogenerated private key (see terraform output)

KALI_IP=<KALI_IP>     # configure kali public ip
ssh -i kali.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes kali@${KALI_IP}

Wireguard: Connect your local kali instance via wireguard (see client_vpn.wg generated file)

KALI_IP=<KALI_IP>     # configure kali public ip
scp -i kali.pem -o StrictHostKeyChecking=no IdentitiesOnly=yes kali@${KALI_IP}:/home/kali/client_vpn.wg .

####
(local_kali)$ sudo apt-get install –y wireguard 
(local_kali)$ sudo gedit /etc/wireguard/wg0.conf # copy contents of client_vpn.wg
(local_kali)$ sudo chmod 700 /etc/wireguard/wg0.conf
(local_kali)$ sudo wg-quick up wg0

(local_kali)$ ping 10.0.0.5  # test connectivity with kali instance in AWS

Destroy

terraform destroy -auto-approve

Name		Name	Last commit message	Last commit date
Latest commit History 46 Commits
.github/workflows		.github/workflows
docs		docs
metasploitable3		metasploitable3
user_data		user_data
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
aws_eip.tf		aws_eip.tf
aws_igw.tf		aws_igw.tf
aws_instance_private_dvca.tf		aws_instance_private_dvca.tf
aws_instance_private_metasploitable3.tf		aws_instance_private_metasploitable3.tf
aws_instance_private_windows.tf		aws_instance_private_windows.tf
aws_instance_public_kali.tf		aws_instance_public_kali.tf
aws_instance_serverless_goat.tf_test		aws_instance_serverless_goat.tf_test
aws_lambda_private_vulnapp.tf_test		aws_lambda_private_vulnapp.tf_test
aws_lambda_private_vulnerable_python.tf_test		aws_lambda_private_vulnerable_python.tf_test
aws_route_tables.tf		aws_route_tables.tf
aws_security_group.tf		aws_security_group.tf
aws_subnets.tf		aws_subnets.tf
aws_vpc.tf		aws_vpc.tf
build_metasploitable3.sh		build_metasploitable3.sh
generate_user_data.sh		generate_user_data.sh
locals.tf		locals.tf
main.tf		main.tf
outputs.tf		outputs.tf
sonar-project.properties		sonar-project.properties
sonarcloud.yml		sonarcloud.yml
variables.tf		variables.tf
versions.tf		versions.tf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

AWS Pen-Testing Laboratory

Changelog

Diagram

Components

Features added

How-To

Deploy

Outputs

Usage

Destroy

References

About

Releases

Packages

Languages

License

juanjoSanz/aws-pentesting-lab

Folders and files

Latest commit

History

Repository files navigation

AWS Pen-Testing Laboratory

Changelog

Diagram

Components

Features added

How-To

Deploy

Outputs

Usage

Destroy

References

About

Topics

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages