functionality using Metasploit Framework and Armitage's deconfliction services.
Deploying this type of collaborative penetration testing environment in Amazon's cloud (EC2) offers some nice benefits:
- On Demand / Low Cost - You can spin up or bring down your penetration testing platform as needed, and you only pay for the resources you consume.
- Scalable - If your project or engagement requires more computing power, you can easily bring it to bear.
- High Bandwidth - Bottlenecks are reduced for network assessment activities that might tax other uplinks.
- Quick External Viewpoint - For internal security teams, AWS instances provide a convenient vantage point to test/simulate attacker actions from the outside back in.
- Team From Anywhere - By focusing your efforts through a central cloud instance, your assessment team can initiate testing activities from a single central IP address without needing an additional VPN.
At the end of this setup you will be able to share scan results, Metasploit sessions, and more between team members. See the video below for usage examples:
Step 1. Establish Or Login To Your Amazon Web Services Account.
http://aws.amazon.com
Step 2. Setting Up An Ubuntu Instance in Amazon EC2 Cloud.
If you've never used EC2 before, you will definitely need to familiarize yourself with this platform.
Amazon has some good getting started guides here (highly recommended):
A good video tutorial walk-through has been provided on YouTube:
The basic steps we need to take to bring this Ubuntu instance up are the following:
- Select Ubuntu Server 12.04 LTS x64.
- Use the Micro Tier (t1.micro, 613MB) for a test setup. This may be a bit slow, but it is eligible for the free usage tier.
- Save and back up your key pair (PEM file). Don't lose this file! You will need it to access your EC2 instance.
- Create a customized security group that allows inbound access to SSH (TCP 22) and the Armitage deconfliction server (TCP 55553).
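The security group in the last step is all that stands between the team server's password prompt and the whole Internet, so both ports should be limited to the ranges your team actually connects from. The script below is an added example, not part of the original post: it creates such a group with the AWS CLI (which the post does not use) and refuses any source range that would open the ports to everyone. The group name, VPC id and team CIDR are placeholders to replace.

```shell
#!/bin/sh
# Added example (not from the original post). Creates the EC2 security group
# from Step 2 with the AWS CLI, allowing SSH (22) and the Armitage team server
# (55553) only from the assessment team's source range.
# Assumptions: the AWS CLI is installed and configured with credentials; the
# VPC id, group name and team CIDR passed in are placeholders to replace.

SSH_PORT=22
TEAMSERVER_PORT=55553

# cidr_is_restricted <cidr>: succeed only for a plausible IPv4 CIDR that does
# not open the port to everyone (0.0.0.0/0, ::/0 or any /0 are rejected, and
# so is anything wider than a /8 or not shaped like a.b.c.d/n).
cidr_is_restricted() {
    cidr="$1"
    case "$cidr" in
        0.0.0.0/0|::/0|*/0) return 1 ;;
    esac
    echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([89]|[12][0-9]|3[0-2])$' || return 1
    return 0
}

# planned_rules <team_cidr>: print the ingress rules the group would receive,
# one per line as "protocol port cidr", so they can be reviewed before anything
# is created. Fails without printing if the CIDR is not restricted.
planned_rules() {
    team_cidr="$1"
    cidr_is_restricted "$team_cidr" || { echo "refusing open source range: $team_cidr" >&2; return 1; }
    printf 'tcp %s %s\n' "$SSH_PORT" "$team_cidr"
    printf 'tcp %s %s\n' "$TEAMSERVER_PORT" "$team_cidr"
}

# create_team_sg <group_name> <vpc_id> <team_cidr>: create the group and apply
# the two rules, printing the new group id. Only runs after the same check.
create_team_sg() {
    group_name="$1"   # placeholder, e.g. armitage-team
    vpc_id="$2"       # placeholder, e.g. vpc-0123456789abcdef0
    team_cidr="$3"    # the team's egress range, e.g. 203.0.113.0/24 (placeholder)
    cidr_is_restricted "$team_cidr" || { echo "refusing open source range: $team_cidr" >&2; return 1; }
    gid=$(aws ec2 create-security-group --group-name "$group_name" \
          --description "Armitage team server: SSH and 55553 from team range only" \
          --vpc-id "$vpc_id" --query GroupId --output text) || return 1
    for port in "$SSH_PORT" "$TEAMSERVER_PORT"; do
        aws ec2 authorize-security-group-ingress --group-id "$gid" \
            --protocol tcp --port "$port" --cidr "$team_cidr" || return 1
    done
    echo "$gid"
}

# Usage (all three values are placeholders):
# planned_rules 203.0.113.0/24
# create_team_sg armitage-team vpc-0123456789abcdef0 203.0.113.0/24
```

Run planned_rules first to eyeball what will be opened; create_team_sg applies the rules only after the same check passes. If team members connect from several networks, call authorize-security-group-ingress once per range rather than widening the CIDR.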
Step 3. Accessing and Configuring Ubuntu Instance
After your instance has started, you will need to access it using SSH and the key file you saved (the default user on Ubuntu AMIs is ubuntu; substitute your instance's public hostname).
chmod 400 example.pem
ssh -i example.pem ubuntu@<your-instance-public-hostname>
Once you are connected, you will need to patch the box and install some needed base packages (below).
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install ruby libruby ri rubygems subversion ruby-dev libpcap-dev libpq-dev postgresql nmap
sudo gem install --no-rdoc --no-ri pg
sudo gem install msgpack
Step 4. Installing and Configuring Metasploit
Grab MSF with Subversion and symlink the binaries.
sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/metasploit/msf3/
sudo ln -sf /opt/metasploit/msf3/msf* /usr/local/bin/
sudo msfupdate
Step 5. PostgreSQL Database Setup
Basic DB setup.
sudo /etc/init.d/postgresql start
sudo -u postgres createuser msf -P
Enter password for new role: 'enteryourpassword'
Enter it again: 'enteryourpassword'
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
sudo -u postgres createdb --owner=msf metasploit3
We'll need to run msfconsole and connect to the database to populate the tables.
msfconsole
msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf:enteryourpassword@localhost metasploit3
NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE: CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
.....
msf > db_status
[*] postgresql connected to metasploit3
msf > quit
Echo this line out to a config file to have msfconsole connect to the database on startup automatically.
echo "db_connect msf:enteryourpassword@localhost:5432/metasploit3" > ~/.msf4/msfconsole.rc
We'll also need to create a database YML file so that Armitage can connect to the Postgres DB.
We'll place it in /opt/metasploit/msf3/database.yml
It should be formatted as below, replacing the password with the value you set for the msf DB user account.
production:
  adapter: "postgresql"
  database: "metasploit3"
  username: "msf"
  password: "enteryourpassword"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5
After creating the file, we'll set an environment variable so that Armitage can find it.
sudo /bin/sh -c 'echo "MSF_DATABASE_CONFIG=/opt/metasploit/msf3/database.yml" >> /etc/environment'
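Both msfconsole.rc and database.yml end up holding the msf database password in clear, and they have to agree with each other or Armitage and msfconsole will disagree about which database they use. The shell snippet below is an added example, not part of the original post: it writes both files from one set of values with owner-only permissions and checks that they agree. The paths and values in the usage line are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post). Writes the two files from Step 5
# from a single set of values so the password cannot drift between them, keeps
# both owner-only readable because they contain the DB password in clear, and
# verifies that msfconsole.rc was derived from database.yml.

# write_db_configs <yml_path> <rc_path> <user> <password> <host> <port> <dbname>
write_db_configs() {
    yml="$1"; rc="$2"; user="$3"; pass="$4"; host="$5"; port="$6"; db="$7"
    old_umask=$(umask)
    umask 077   # files created below are readable and writable by the owner only
    cat > "$yml" <<EOF
production:
  adapter: "postgresql"
  database: "$db"
  username: "$user"
  password: "$pass"
  port: $port
  host: "$host"
  pool: 256
  timeout: 5
EOF
    echo "db_connect $user:$pass@$host:$port/$db" > "$rc"
    umask "$old_umask"
}

# yml_value <yml_path> <key>: print the (unquoted) value of a key in the flat
# database.yml above. This is a targeted sed for that simple layout, not a
# general YAML parser.
yml_value() {
    sed -n "s/^ *$2: *\"\{0,1\}\([^\"]*\)\"\{0,1\} *$/\1/p" "$1" | head -n 1
}

# configs_agree <yml_path> <rc_path>: succeed only if the db_connect line in
# msfconsole.rc is built from exactly the values in database.yml.
configs_agree() {
    expected="db_connect $(yml_value "$1" username):$(yml_value "$1" password)@$(yml_value "$1" host):$(yml_value "$1" port)/$(yml_value "$1" database)"
    [ "$(cat "$2")" = "$expected" ]
}

# files_private <path>...: succeed only if no listed file is group- or
# world-readable (GNU stat first, BSD stat as fallback).
files_private() {
    for f in "$@"; do
        case "$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")" in
            600|400) ;;
            *) return 1 ;;
        esac
    done
}

# Usage with the post's values (run as the user who launches msfconsole;
# database.yml under /opt needs write access there):
# write_db_configs /opt/metasploit/msf3/database.yml ~/.msf4/msfconsole.rc \
#     msf enteryourpassword localhost 5432 metasploit3
# configs_agree /opt/metasploit/msf3/database.yml ~/.msf4/msfconsole.rc && echo consistent
```

Because the teamserver is started with sudo while msfconsole runs as your user, make sure the file under /opt is readable by whichever account actually opens it; the permissions check above tells you when it has been left world-readable.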
Step 6. Configuring Java JRE
Armitage depends on Oracle's Java 1.7. You will encounter problems if you use OpenJDK.
wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F" "http://download.oracle.com/otn-pub/java/jdk/7u5-b05/jre-7u5-linux-x64.tar.gz"
tar xvzf jre-7u5-linux-x64.tar.gz
sudo mkdir /usr/lib/jvm
sudo mv jre1.7.0_05/ /usr/lib/jvm/jre1.7.0
sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jre1.7.0/bin/java 1
sudo ln -sf /usr/lib/jvm/jre1.7.0/bin/keytool /usr/local/bin/keytool
Step 7. Starting Armitage Deconfliction Server
EC2 uses symmetric 1:1 NAT to route traffic to instances. You will need to start the Armitage Deconfliction Server on the public hostname/address associated with your EC2 instance.
(Thanks To Raphael Mudge for notes on how to avoid issues here.)
We can use the ec2metadata utility to help with this.
- Note: You may get some connection refused messages for several seconds after launch. Give the teamserver script time to run (especially on Micro Tier instances).
cd /opt/metasploit/msf3/data/armitage
sudo ./teamserver `ec2metadata --public-hostname` testing
[+] Generating X509 certificate and keystore (for SSL)
[+] Starting RPC daemon
[*] MSGRPC starting on 127.0.0.1:55554 (NO SSL):Msg...
[*] MSGRPC backgrounding at Thu Jul 05 05:50:36 +0000 2012...
[+] sleeping for 20s (to let msfrpcd initialize)
Warning: checkError(): java.lang.RuntimeException: java.net.ConnectException: Connection refused at server.sl:392
Use the following connection details to connect your clients:
Host: ec2-23-20-105-99.compute-1.amazonaws.com
Port: 55553
User: msf
Pass: testing
Fingerprint (check for this string when you connect): 910c7589f0253a4997dbd4d1198ed76e46b91836
feel free to connect now, Armitage is ready for collaboration
Step 8. Connecting Your Red Team Members
You will need Oracle Java 1.7 installed on your client machines as well.
After making sure Java is installed, download Armitage from http://www.fastandeasyhacking.com/download
java -jar armitage.jar
We'll connect to Armitage on the public DNS address with the username msf and the password we set with the teamserver script in Step 7.
You need to make sure that the server fingerprint matches the console output from the teamserver script.
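Checking the fingerprint is what protects the team's credentials and sessions from a host impersonating the team server, so it is worth doing mechanically rather than by eye. The script below is an added example, not Armitage's own code: it compares the fingerprint announced by the teamserver script in Step 7 with the one a server actually presents. It assumes, from the 40-hex-digit form teamserver prints, that the fingerprint is the SHA-1 of the server's DER-encoded certificate, and that openssl is available on the client.

```shell
#!/bin/sh
# Added example (not from the original post or from Armitage). Verifies a team
# server's certificate fingerprint against the value the teamserver script
# printed, before a team member types the shared password into the client.
# Assumption: the announced fingerprint is the SHA-1 of the server's DER
# certificate (40 hex digits, lowercase, no colons), and openssl is installed.

# fingerprint_from_banner: read the teamserver script's output on stdin and
# print the fingerprint it announced, lowercase with no colons.
fingerprint_from_banner() {
    sed -n 's/^.*Fingerprint (check for this string when you connect): *\([0-9A-Fa-f]*\).*$/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# normalize_fp: turn openssl's "SHA1 Fingerprint=91:0C:..." line (or a bare
# colon-separated digest) into the teamserver's form.
normalize_fp() {
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# server_fingerprint <host> <port>: fetch the certificate the team server is
# presenting right now and print its SHA-1 fingerprint (this one talks to the
# network; nothing else in the script does).
server_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | normalize_fp
}

# fingerprints_match <expected> <observed>: the expected value must be exactly
# 40 hex digits and equal to the observed one. An empty, truncated or
# differently hashed value is treated as a mismatch rather than a pass.
fingerprints_match() {
    echo "$1" | grep -Eq '^[0-9a-f]{40}$' || return 1
    [ "$1" = "$2" ]
}

# verify_teamserver <host> <port> <expected>: exit 0 only when it is safe to
# connect and enter credentials.
verify_teamserver() {
    observed=$(server_fingerprint "$1" "$2")
    if fingerprints_match "$3" "$observed"; then
        echo "fingerprint matches $3; safe to connect"
    else
        echo "FINGERPRINT MISMATCH: expected $3, server presented '$observed'" >&2
        return 1
    fi
}

# Usage with the values from the Step 7 output above:
# verify_teamserver ec2-23-20-105-99.compute-1.amazonaws.com 55553 \
#     910c7589f0253a4997dbd4d1198ed76e46b91836
```

Pass the expected value out of band (the teamserver console, a chat message from whoever started it), never from the connection itself; the whole point is that the server cannot vouch for its own certificate. A mismatch after the server was restarted with a fresh keystore is expected, since teamserver generates a new certificate each run, but it still deserves a phone call before anyone enters the password.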
Now that team members are connected the fun can begin, but see the last step/note below.
Step 9. Obtaining Authorization For Penetration Testing Use.
Amazon will detect and throttle certain assessment activities like port scans. To remove these restrictions and avoid some inevitable abuse emails, Amazon requires that you obtain formal authorization to use your instance as a security testing platform. This is handled by visiting the following page and filling out the linked form: