Attack and Defend Lab in AWS Cloud
This document outlines how we are going to set up a security lab within an AWS cloud environment. In this lab, we are going to spin up three instances: a netspectrum Ubuntu instance (our security tools box) that we can access over a browser, a Windows instance that sends its event logs to our Splunk instance via the Universal Forwarder, and a Kali instance that acts as our attacker in this setup.
We are going to use Terraform with GitLab pipelines to deploy all the required infrastructure. Once the instances are up, the rest of the setup will be completed manually for now; in a later project we will look at a configuration management tool such as Ansible to automate the entire flow.
Infrastructure as Code
We will create an isolated VPC for these three instances to keep them apart from all the other assets in our cloud. We will open the security groups on port 22 for SSH and 3389 for RDP, along with some other ports so we can reach these instances over the internet.
I have created two modules, one for the VPC and the other for the EC2 instances, and I am going to deploy them using GitLab pipelines.
For more information on Terraform, visit Terraform.
For reference, you can navigate to my GitLab repository.
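As an added example (not from the repository above), this is how the security group for the three instances could be written so that SSH, RDP and the Splunk web UI are open only to your own address rather than the whole internet, while the Splunk receiving port is reachable only from inside the lab. It assumes the VPC module exposes a `vpc_id` output and that the Splunk web UI runs on its default port 8000.

```hcl
variable "admin_cidr" {
  description = "Your public IP in CIDR form, e.g. 203.0.113.10/32 (assumed value)"
  type        = string
}

resource "aws_security_group" "lab" {
  name        = "attack-defend-lab"
  description = "Lab access restricted to the admin address"
  vpc_id      = module.vpc.vpc_id   # assumption: the VPC module exports vpc_id

  # 22 = SSH to the Ubuntu and Kali boxes, 3389 = RDP to Windows and Kali,
  # 8000 = Splunk web UI (default port, assumed). None of these need 0.0.0.0/0.
  dynamic "ingress" {
    for_each = [22, 3389, 8000]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.admin_cidr]
    }
  }

  # 9997 = Splunk receiving port. Only the Windows forwarder in the same
  # security group needs it, so allow the group itself instead of the internet.
  ingress {
    from_port = 9997
    to_port   = 9997
    protocol  = "tcp"
    self      = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Attach this group to all three instances; because the Kali box is in the same group, its attacks against the Windows instance still work while nothing outside the lab can reach the forwarder port.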
Splunk Installation
Before we start setting up Splunk, we need to make sure that we can log in to the instance and change the default password.
Get the public IP of the security tools instance and paste it into the browser; it should ask for the password (by default, this is the instance ID). Now we can go to the Splunk website and download Splunk Enterprise. We will be asked to sign up or log in before we can start the download (the Debian package). Once downloaded, we can install it using the following command:
sudo dpkg -i splunk-downloaded-package
cd /opt/splunk/bin
sudo ./splunk start
Provide a username and password and wait for it to complete.
When it has completed, we will be given an HTTPS link where we can access the Splunk UI; navigate to it and configure the listening port.
- Configure the listening port on 9997 under Settings > Forwarding and receiving > Configure receiving.
Now we will also create an index to receive all the logs from the Windows Universal Forwarder. This index will be used later when we configure the Universal Forwarder on the Windows instance.
Forward Windows event logs using Splunk Universal Forwarder
In order to log in to the Windows instance, we need to get the password from the private key that we used to launch the instance. This can be obtained directly from the AWS EC2 dashboard: navigate to the instance and select Connect. It will ask for your private key and, once you provide it, it will decrypt the key and give you the password required to RDP into the instance.
Once logged in, first turn off the Windows Defender firewall. This will ensure that we have some logs to forward to Splunk.
Now we can open Edge and download the Splunk Universal Forwarder. We will again be asked to sign up or log in; we can log in with the same credentials we used to download Splunk on the security tools instance.
When installing, we can specify which logs we want to send to our Splunk instance. Finally, we provide a receiving host configuration, which is the IP of our security tools Splunk instance with the listening port that we configured there.
Once installed, we need to make a copy of the outputs.conf file, rename it inputs.conf, and edit it to add the index. This file can be found under C > Program Files > SplunkForwarder > bin.
[WinEventLog://Security]
# win-security is the index we created earlier in our Splunk instance.
# Splunk conf files do not support trailing comments on a setting line,
# so the comment sits on its own line.
index = win-security
disabled = 0
In the same directory, restart the forwarder:
splunk.exe restart
Now we can navigate to our Splunk instance and search by the index; we should see the event logs flowing in from the Windows instance.
Next, install Tenable Nessus for amd64, as our security tools box is of amd64 architecture. This setup might take some time to compile all the plugins.
Setting up RDP for Kali
We need to enable RDP access for the Kali instance. For Windows and the security tools instance this is straightforward: we can use RDP directly for Windows, and the security tools instance is reachable in the browser as it is exposed to the internet. But for Kali, we need to install xrdp and configure it so we can access the system over RDP.
First, change the password to a default for simplicity:
echo kali:kali | chpasswd
Now, let's update and upgrade the instance:
sudo apt-get update -y
sudo DEBIAN_FRONTEND=noninteractive apt-get full-upgrade -yq  # the noninteractive frontend lets this run unattended over GitLab pipelines
After the update is complete, install xrdp, xorg and the XFCE desktop:
apt-get install -y kali-desktop-xfce xorg xrdp
Configure xrdp to listen on port 3389. Only the first port= line in xrdp.ini (in the [Globals] section) is the listening port; the later port= lines belong to the session backends and must stay as they are.
sed -i '0,/^port=/s/^port=.*/port=3389/' /etc/xrdp/xrdp.ini
Finally, let's enable the service:
systemctl enable xrdp --now
Verify that the service is enabled and active:
systemctl status xrdp
We have successfully set up a security lab with three instances and logging enabled. We can use Kali as our attacker and try to exploit the Windows instance. Since the Windows instance has no firewall enabled, it is essentially a vulnerable instance.