Tuesday, July 24, 2012

Collaborative PenTest Platform with EC2, Metasploit, and Armitage

This post will go over how to establish a relatively low cost penetration testing platform using Amazon's cloud (EC2), leveraging the collaborative "red-teaming" functionality of the Metasploit Framework and Armitage's deconfliction (team) server.

Deploying this type of collaborative penetration testing environment in Amazon's cloud (EC2) offers some nice benefits:
  • On Demand / Low Cost - You can spin up your penetration testing platform as needed and only pay for the resources you actually consume.
  • Scalable - If your project or engagement requires more computing power, you can easily bring it to bear.
  • High bandwidth - Bottlenecks are reduced for network assessment activities that might tax other uplinks.
  • Quick External viewpoint - For internal security teams, AWS instances provide a convenient vantage point from which to simulate attacker actions from the outside in.
  • Team From Anywhere - By focusing your efforts through a central cloud instance, your assessment team can work from a single, known source IP (convenient for the client's allow-listing and log review) without needing an additional VPN.

At the end of this setup you will be able to share scan results, Metasploit sessions, and more between team members. See the video below for usage examples:

Step 1. Establish Or Login To Your Amazon Web Services Account.


Step 2. Setting Up An Ubuntu Instance in Amazon EC2 Cloud.

If you've never used EC2 before you will definitely need to familiarize yourself with this platform.

Amazon has some good getting started guides here (highly recommended):

A good video tutorial walk-through has been provided on YouTube:

The basic steps needed to bring this Ubuntu instance up are the following:
  • Select Ubuntu Server 12.04 LTS x64.
  • Use the Micro tier (t1.micro, 613MB) for a test setup. It may be a bit slow, but it is eligible for the free usage tier.
  • Save and back up your key pair (PEM file). Don't lose this file! You will need it to access your EC2 instance.
  • Create a customized Security Group that allows inbound access to SSH (TCP 22) and the Armitage deconfliction server (TCP 55553). Restrict the source of both rules to your team's IP addresses rather than 0.0.0.0/0: anyone who can reach 55553 and guess the team server password gets full control of the Metasploit instance.

Step 3. Accessing and Configuring Ubuntu Instance

After your instance has started, you will need to access it using SSH and the key file you saved. Ubuntu AMIs log you in as the ubuntu user; the hostname is the public DNS name shown for the instance in the EC2 console.
chmod 400 example.pem
ssh -i example.pem ubuntu@<public-dns-of-your-instance>

Once connected, patch the box and install the base packages needed (below).
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install ruby libruby ri rubygems subversion ruby-dev libpcap-dev libpq-dev postgresql nmap
sudo gem install --no-rdoc --no-ri pg
sudo gem install msgpack

Step 4. Installing and Configuring Metasploit

Grab MSF with Subversion and symlink the binaries.
sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/metasploit/msf3/
sudo ln -sf /opt/metasploit/msf3/msf* /usr/local/bin/
sudo msfupdate
Note: Metasploit development moved from this Subversion repository to GitHub (https://github.com/rapid7/metasploit-framework) and the svn URL no longer serves the tree. Cloning the GitHub repository into /opt/metasploit/msf3/ is the equivalent step, as the first comment below also points out; msfupdate then updates via git.

Step 5. Postgresql Database Setup

Basic DB Setup.
sudo /etc/init.d/postgresql start
sudo -u postgres createuser msf -P
Enter password for new role: 'enteryourpassword'
Enter it again: 'enteryourpassword'
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
sudo -u postgres createdb --owner=msf metasploit3

We'll need to run msfconsole and connect to the database to populate the tables. Replace enteryourpassword with the password you set for the msf role above.

msf > db_status
[*] postgresql selected, no connection

msf > db_connect msf:enteryourpassword@localhost/metasploit3

NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE:  CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
msf > db_status
[*] postgresql connected to metasploit3

msf > quit

Echo this line out to a resource file so that msfconsole connects to the database automatically on startup (the ~/.msf4 directory was created by the first msfconsole run above). The file holds the database password in clear text, so keep it readable only by your user (chmod 600).
echo "db_connect msf:enteryourpassword@localhost:5432/metasploit3" > ~/.msf4/msfconsole.rc

We'll also need to create a database YML file so that Armitage can connect to the Postgres DB.

We'll place it in /opt/metasploit/msf3/database.yml
It follows the layout of Metasploit's own database.yml: a production: environment block with the connection settings beneath it. Format it as below, replacing the password with the value you set for the msf database user, and make it owner-readable only since it also holds that password.
production:
  adapter: "postgresql"
  database: "metasploit3"
  username: "msf"
  password: "enteryourpassword"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5
After creating the file, we'll set an environment variable so that Armitage can find it. /etc/environment is only read at login, so log out and back in (or export the variable in your current shell) before starting the team server.
sudo /bin/sh -c 'echo "MSF_DATABASE_CONFIG=/opt/metasploit/msf3/database.yml" >> /etc/environment'
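As an added example (not from the original post), the shell functions below write both password-bearing files from this step, msfconsole.rc and database.yml, with owner-only permissions and then verify those permissions, which the plain echo and editor approach above leaves at whatever the default umask allows. The paths are parameters so the functions can be exercised anywhere; on the real instance they are ~/.msf4 and /opt/metasploit/msf3/database.yml, and the password is the one chosen for the msf role.

```shell
# Added example, not from the original post: write the two Metasploit database
# config files from Step 5 so that the DB password is readable only by the owner.
# Assumptions: $1 = directory for msfconsole.rc (normally ~/.msf4),
#              $2 = path of database.yml (normally /opt/metasploit/msf3/database.yml),
#              $3 = the password chosen for the msf PostgreSQL role.
write_msf_db_config() {
    rcdir=$1
    yml=$2
    pass=$3
    old_umask=$(umask)
    umask 077                       # files created below: owner read/write only
    mkdir -p "$rcdir" "$(dirname "$yml")"
    # msfconsole sources this on startup and connects without prompting
    printf 'db_connect msf:%s@localhost:5432/metasploit3\n' "$pass" > "$rcdir/msfconsole.rc"
    # Same layout as Metasploit's own database.yml: a production: environment block
    cat > "$yml" <<EOF
production:
  adapter: "postgresql"
  database: "metasploit3"
  username: "msf"
  password: "$pass"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5
EOF
    umask "$old_umask"
    chmod 600 "$rcdir/msfconsole.rc" "$yml"   # also fixes files that already existed
}

# Return 0 when neither file grants any permission to group or others.
# Works with GNU stat (Linux) and BSD stat (macOS).
check_msf_db_config_perms() {
    rc="$1/msfconsole.rc"
    yml=$2
    status=0
    for f in "$rc" "$yml"; do
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case $mode in
            600|400) ;;
            *) echo "insecure mode $mode on $f" >&2; status=1 ;;
        esac
    done
    return $status
}

# Usage on the instance (the /opt path normally needs sudo):
#   write_msf_db_config ~/.msf4 /opt/metasploit/msf3/database.yml 'the-msf-role-password'
#   check_msf_db_config_perms ~/.msf4 /opt/metasploit/msf3/database.yml
```

Run it as the user who will start the team server. The password passes through the process argument list for the duration of the call; on a shared host, read it with `read -r` instead of typing it on the command line.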

Step 6. Configuring Java JRE

Armitage depends on Oracle's Java 1.7. You will encounter problems if you use OpenJDK. The instance is x64, so download and extract the x64 archive. Oracle's download URL and the cookie trick below are tied to the 7u5 release and have since changed; fetch the current 1.7 JRE archive from Oracle and adjust the file and directory names to match.
wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F" "http://download.oracle.com/otn-pub/java/jdk/7u5-b05/jre-7u5-linux-x64.tar.gz"
tar xvzf jre-7u5-linux-x64.tar.gz
sudo mkdir -p /usr/lib/jvm
sudo mv jre1.7.0_05/ /usr/lib/jvm/jre1.7.0
sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jre1.7.0/bin/java 1
sudo ln -sf /usr/lib/jvm/jre1.7.0/bin/keytool /usr/local/bin/keytool

Step 7. Starting Armitage Deconfliction Server

EC2 uses 1:1 NAT to route traffic to instances, so the instance itself only sees its private address. You will need to start the Armitage deconfliction server with the public hostname/address associated with your EC2 instance, not the private one.
(Thanks to Raphael Mudge for notes on how to avoid issues here.)

We can use the ec2metadata utility to supply the public hostname. The second argument is the shared team password; "testing" is shown here as a placeholder only. Use a long random password, because that password plus network access to TCP 55553 gives whoever holds it full control of the Metasploit instance.
  • Note: You may get some connection refused messages for several seconds after launch. Give the teamserver script time to run (esp. on Micro Tier instances).
cd /opt/metasploit/msf3/data/armitage

sudo ./teamserver `ec2metadata --public-hostname` testing
[+] Generating X509 certificate and keystore (for SSL)
[+] Starting RPC daemon
[*] MSGRPC starting on (NO SSL):Msg...
[*] MSGRPC backgrounding at Thu Jul 05 05:50:36 +0000 2012...
[+] sleeping for 20s (to let msfrpcd initialize)
Warning: checkError(): java.lang.RuntimeException: java.net.ConnectException: Connection refused at server.sl:392
Use the following connection details to connect your clients:
 Host: ec2-23-20-105-99.compute-1.amazonaws.com
 Port: 55553
 User: msf
 Pass: testing

 Fingerprint (check for this string when you connect):

feel free to connect now, Armitage is ready for collaboration

Step 8. Connecting Your Red Team Members

You will need Oracle Java 1.7 installed on your client machines as well.

After making sure Java is installed, download Armitage from http://www.fastandeasyhacking.com/download and launch it:

java -jar armitage.jar

We'll connect to Armitage on the public DNS address with the username msf and the password we set with the teamserver script in Step 7.

You need to make sure that the server fingerprint shown by the client matches the console output from the teamserver script. The server's certificate is self-signed, so this comparison is the only thing that stops someone who can intercept the connection from posing as the team server and collecting the shared password; pass the fingerprint to team members out of band and reject the connection if it differs.

Now that team members are connected the fun can begin....but see the last step/note below.
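The fingerprint comparison above is done by eye in the Armitage connect dialog. As an added example (not part of the original post or of Armitage), the shell functions below let a team member recompute the fingerprint of the certificate a server actually presents on TCP 55553 with openssl and compare it to the value read from the teamserver console, accepting either the colon-separated uppercase form openssl prints or a bare hex string. It assumes the fingerprint Armitage prints is the SHA-1 digest of the server's self-signed certificate, and that openssl is installed on the client.

```shell
# Added example, not from the original post: verify an Armitage team server's
# certificate fingerprint out of band before typing the shared password into a client.
# Assumption: the teamserver fingerprint is the SHA-1 digest of its self-signed
# X.509 certificate, which is what `openssl x509 -fingerprint -sha1` computes.

# Accept "SHA1 Fingerprint=AB:CD:..." or bare hex in either case on stdin and
# emit a canonical form: lowercase hex, no colons, no spaces.
normalize_fingerprint() {
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f' | tr -d ' \n'
    echo
}

# Fingerprint of the certificate presented on HOST ($1) PORT ($2), e.g. the
# public hostname and 55553 printed by the teamserver script.
server_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha1 \
      | normalize_fingerprint
}

# Fingerprint of a PEM certificate file ($1), same canonical form.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | normalize_fingerprint
}

# Return 0 only when the expected fingerprint ($1, as read from the teamserver
# console) is non-empty and equals the observed one ($2) after normalisation.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | normalize_fingerprint)
    actual=$(printf '%s' "$2" | normalize_fingerprint)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage, with values from the teamserver output in Step 7:
#   expected='<fingerprint printed by teamserver>'
#   observed=$(server_fingerprint ec2-23-20-105-99.compute-1.amazonaws.com 55553)
#   fingerprint_matches "$expected" "$observed" && echo "ok, connect" || echo "MISMATCH, do not connect"
```

Run the check from the same network path the Armitage client will use; a mismatch means the certificate you are being offered is not the one the team server generated, whatever the reason.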

Step 9. Obtaining Authorization For Penetration Testing Use.

Amazon will detect and throttle certain assessment activities like port scans. To remove these restrictions and avoid the inevitable abuse emails, Amazon requires that you obtain formal authorization to use your instance as a security testing platform. This is handled by visiting the following page and filling out the linked form (AWS's penetration testing policy has been revised since this was written, so check the current policy page for what still requires prior approval):


  1. Thanks for the article, I'm still having some issues, but working through them. Something you might want to update:

    Instead of: sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/metasploit/msf3/

    Use: git clone https://github.com/rapid7/metasploit-framework.git

    Using the first one gives you problems.

  2. I'm getting this error when I run msfupdate
    root@ip-10-242-230-83:/opt/metasploit/msf3# msfupdate
    [*] Attempting to update the Metasploit Framework...

    [*] Checking for updates via git
    [*] Note: Updating from bleeding edge
    Saved working directory and index state WIP on master: 2ac02d3 Land #2802, @todb-r7's mods before release
    HEAD is now at 2ac02d3 Land #2802, @todb-r7's mods before release
    [*] Stashed local changes to avoid merge conflicts.
    [*] Run `git stash pop` to reapply local changes.
    HEAD is now at 2ac02d3 Land #2802, @todb-r7's mods before release
    Already on 'master'
    Already up-to-date.
    [*] Updating gems...
    /usr/local/bin/msfupdate:188:in `require': no such file to load -- bundler (LoadError)
    from /usr/local/bin/msfupdate:188:in `update_git!'
    from /usr/local/bin/msfupdate:137:in `run!'
    from /usr/local/bin/msfupdate:135:in `chdir'
    from /usr/local/bin/msfupdate:135:in `run!'
    from /usr/local/bin/msfupdate:292