Move your VMware and KVM applications to the cloud without making any changes

  • February 19, 2016

How to set up and run a penetration testing (pentest) lab on AWS or Google Cloud with Kali Linux, Metasploitable and WebGoat

Clarence Chio
Clarence works at Shape Security on the system that tackles malicious bot intrusion from the angle of big data analysis. Clarence has presented independent research on Machine Learning and Security at Information Security conferences in several countries, and is also the organizer of the "Data Mining for Cyber Security" meetup group in the SF Bay Area.

In this blog, I describe how you can deploy Kali Linux and run penetration testing (also called pen testing) on AWS or Google Cloud using Ravello System’s nested virtualization technology. This ‘Linux/Web Security Lab’ lets you hit the ground running in a matter of minutes and start exploiting security vulnerabilities. By the way, if you haven’t already seen it, this blog by SimSpace about on-demand Cyber Ranges on Ravello is very interesting as well.

You’ve been living under a rock if you haven’t noticed the high profile security breaches that have shaken the technology industry in recent years. From huge government spying scandals to the countless company databases infiltrations, we have never been more aware of the need for securing the complex systems on which we so heavily rely on. Security awareness is at an all-time high, but the information security profession largely still remains out of reach for most in the tech industry. What exactly do penetration testers do? How does fuzzing or reverse engineering help to make networks and systems more secure? This blog post aims to help give beginners and security amateurs some hands-on experience in using popular systems and tools used by security professionals to help keep those black hats out.

It’s difficult to embark on your ethical-hacking endeavors by trying to find vulnerabilities in an ATM. That’s kind of like learning to swim by swimming across the English Channel. You want to build up some water-confidence and learn the strokes before you enter the big leagues. This is precisely why ‘deliberately vulnerable’ systems such as Metasploitable (by Rapid7) and WebGoat (by OWASP) were born. Making use of the built-in security vulnerabilities in these systems, you can get familiarized with the tools used in real-world vulnerability assessments and learn more about how systems have been compromised in the past. You will be surprised at how many of these old vulnerabilities still exist in modern systems that we use everyday.

If you not sure of what you’re doing, it’s a generally not good idea not to deliberately execute vulnerable code on your machine. Sandboxing these applications in a Virtual Machine (VM) is a good way to ensure that attackers don’t get into your system while you’re learning the ropes. However, setting up these VMs correctly and securely can be quite a bit of work. It requires procuring necessary hardware, getting the appropriate permissions to execute these mock tests,securing the VMs, so nothing leaks out into your corporate network and much more. What if you could procure the necessary hardware on demand on public cloud and build these completely sandboxed environments which represent your corporate network topologies and system setup to learn and execute penetration testing exercises? Public clouds for right reasons don’t easily allow building and running penetration testing, because of the impact it can have on their other customers on a shared infrastructure. You can still do some of this testing on AWS, however, you have to go through an approval and setup process.

Ravello’s HVX nested virtualization technology implements a fully fenced L2 overlay network on top of AWS and Google Cloud, so you can set up Security Smart Labs with multiple systems/VMs with complex networking representative of corporate environments, namely, promiscuous mode, multiple NICs, static IPs and more. You can build environments with multiple systems, test and run the environment on AWS or Google Cloud and save them Ravello blueprints. Ravello blueprints provide with capability to save entire environments and spin up multiple isolated copies across the globe on AWS and Google Cloud within minutes. This can be used to provision on-demand security labs for pen testing training, sales demos and POCs.

Section I: Setting Up Your Environment

In this brief walkthrough, we will get a simple and extensible environment set up in Ravello with 3 VMs - Kali Linux, Metasploitable 2, and WebGoat 7.0 running on Ubuntu. Kali is a Linux distribution based off Debian, designed for penetration testing and vulnerability assessments. More than 600 penetration testing tools applications come pre-installed with the system, and is today’s system of choice for most serious ethical hackers. Metasploitable is an intentionally vulnerable Linux VM, and WebGoat is a deliberately insecure web application server with dozens of structured lessons and exploit exercises that you can go through. After getting the lab environment setup, we will run through a couple of simple examples where we use Kali as a base for launching attacks on Metasploitable and WebGoat. By the end of this exercise, you will have successfully exploited your first Linux system and web server.

To get started, first ensure that you have a Ravello account and search for the ‘Linux/Web Security Lab Blueprint’ published by me on the Ravello Repo. Select ‘Add to Library’, and proceed to the Ravello dashboard.

After selecting the ‘Library’ → ‘Blueprints’ tab on the dashboard sidebar, you can then select the blueprint you just added to your library and click the orange ‘Create Application’ button. This will take you to the ‘Applications’ section of the dashboard, where you can launch the application by publishing it to the cloud.

Publishing the application will launch these VMs on a cloud environment, made possible by Ravello’s nested virtualization technology. It will take roughly 10 minutes for the VMs to launch. Once you see that all 3 VMs are running, we will then be ready to enter the boxes. Using the ‘Console’ feature of the Ravello platform is the easiest way to get command line or graphical access to the boxes within your web browser. You can also SSH into the boxes in your own terminal by following the instructions provided in the ‘More’ tab in the bottom of the dashboard right sidebar under ‘Summary’.

Enter all the boxes through the console and find out each VM’s IP address (usually 10.0.0.*) either through the command line (ifconfig) or by looking at the top right hand corner of the console page.

Get it on Repo
REPO by Ravello Systems, is a library of public blueprints shared by experts in the infrastructure community.

Section II: Exploiting Metasploitable with Armitage on Kali Linux

Let’s enter the Kali Linux console, which will bring you through the boot and login sequence of the OS. You can either boot from the image or install the OS - I prefer the former because there is no need (in this case) for any state to be saved between sessions.

The main tool that we will be exploring today is Armitage. Armitage is ‘a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits’. We will make use of exploits that Armitage recommends and see just how easy it is to exploit a vulnerable Unix system like Metasploitable. From the Kali desktop, launch a terminal window.

Armitage requires PostgreSQL to be running in the background, and also requires some Metasploit state to have been initialized. Execute the following commands to meet these requirements and launch armitage:

$ service postgresql start $ service metasploit start $ service metasploit stop $ armitage

This will bring up a window where you have to configure Armitage’s connection to Metasploit. The default settings are shown in the above screenshot, and the username:password ‘msf:test’ will work.

Allow Armitage to start Metasploit’s RPC server.

Once in Armitage, do a ‘Quick Scan (OS detect)’ of the Metasploitable VM by entering it’s IP address into this dialog box. As you might guess, the Quick Scan function of Armitage allows you to scan a range of IP addresses and discover all machines in that range by performing an ‘nmap’ scan.

Once the scan is complete, you’ll see that there will be a Linux machine icon that appears in the canvas area of the Armitage window. The scan has detected that the machine is running Linux, and Armitage has further determined a whole range of attacks that the machine may be vulnerable to.

Let’s try to launch a Samba "username map script" Command Execution attack on the machine. According to Metasploit’s exploit database, ‘This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!’

The default options will work just fine.

After the attack has been launched, you will know that it is successful when you see that the original icon has changed.

Congratulations, you have exploited your very first linux box. Right clicking the icon will reveal a whole range of new interactions that you can now have with the Metasploitable VM - without ever having to enter the username and password at all! Select the ‘Interact’ option as shown in the below screenshot. This brings up a console, which allows you to execute arbitrary code.

You can do all sorts of things, like echoing a friendly statement to /tmp/pwn on the box.

You can verify your action by switching to the Metasploitable VM console and checking to see if the changes you made are indeed reflected there.

Of course, this just scratches the surface of what you can do with Armitage, and the 600+ other penetration testing tools on Kali. Spend time exploring the tools and understanding what it does under the surface. It will be worth it.

Section III: Exploiting Webgoat

We will work on exploring Webgoat’s extensive range of web application vulnerability tutorials next. Enter the Webgoat console and execute the Webgoat jar file in the background to start the server. You do this by entering

$ nohup java -jar /opt/app/webgoat-container-7.0-SNAPSHOT-war-exec.jar &

This command executes the Webgoat java server in the background, ignoring the HUP (hangup) signal, so the server will continue to run even if the shell is disconnected. The server will take a couple of minutes to initialize and start up.

Next, switch to the Kali desktop and navigate to the Webgoat URL. In my case, it is since my WebGoat VM has as it’s IP address. Login with any of the credentials presented to you on the login screen, then navigate to the ‘Shopping Cart Concurrency Flaw’ exercise. This is one of the simplest and most elegant exploits of a ecommerce web application. I assure you that variants of this exploit exists in some websites out there.

This exercise exploits the web application’s flawed shopping cart logic that allows a user to purchase an expensive item for the price of a less expensive item. As you may have guessed from the title of the exercise, you will need two browser tabs open on this page for this to work. Then, you have to follow the following sequence of steps carefully.

  • In one tab, you will purchase a low-priced item by updating it ‘Quantity’ to 1, updating the cart, then selecting ‘Purchase’.
  • In the other tab, update the ‘Quantity’ of the highest-priced item to 1, then update the cart. Do not select ‘Purchase’.
  • Return to the first tab where you were buying the low-priced item and complete the purchase.
  • You have purchased the high-priced item but paid the low-price for it.

Many of the exercises in WebGoat demonstrate real web application vulnerabilities that OWASP has identified to be the most common in modern web applications. If you want a complete and hands-on education in web application security, there is no better place to being.

Section IV: Fin

If you went through the above sections, you have successfully exploited a Linux machine and tricked a web application with just a few clicks. However, don’t be misled by the simplicity of the above exercises! Penetration testing and vulnerability assessments are often extremely complex, tedious, and sometimes discouraging. Playing with toy systems that are intentionally insecure will help you get familiar with tools and understand the reasons why insecure systems are insecure. It will help you to build applications with security in mind, and become more conscious of the dangers of careless software development.

When you have spent some time playing in the lab, I strongly encourage you to use the lab to build an environment that allows you to perform vulnerability assessments on your own systems. Ravello’s flexibility allows you to create a close replica of system and network infrastructures within a sandbox that can be repeatedly spun up and destroyed with a few clicks.

Lastly, keep in mind that breaking into computer systems is illegal. Most system administrators, government agencies, and companies don’t have a great sense of humor, and you don’t have to do any real damage to get into a considerable amount of trouble. Just trying to break into a system is a serious offence in many jurisdictions.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.