Attacking EC2 instances - Lab setup

Introduction

Amazon EC2 or Amazon Elastic Compute Cloud provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.

Basically, Amazon EC2 instances

  • are like virtual machines on the cloud

  • when you start an EC2 instance, you are given the choice of creating a key pair for SSH

  • for Windows images, an RDP file or a password for the Administrator account is made available

  • you can choose to use a pre-created image for Linux and Windows

  • you can place the virtual machines in their own private networks using a VPC

  • you can allow access to certain ports and certain IPs using Security Groups

Attackers can target any of the aspects of an EC2 instance. This not only includes web applications, services etc. running on the instance but also the access to EC2 itself.

What are we going to cover?

This chapter covers some of the attacks that can occur on an exposed EC2 machine on the Internet.

Steps to set up the lab

1. Deploy Terraform to set up the EC2 instance

Run the following script from the student VM to bring up the target lab. The EC2 instance, once created, will not have a public IP address.

deploy-compute-target

The output of this script is the IP address of the target EC2 instance, which will be attacked.

If you see any errors, please inform one of the trainers.

2. Attach an IAM policy for SSM Access

On your student machine, once your compute-target-machine is up and the details are printed, run the command below to attach the AmazonSSMManagedInstanceCore policy to the role ec2access, which is attached to compute-target-machine.

aws iam attach-role-policy --role-name ec2access --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

3. Create VPC endpoints for Systems Manager

Amazon EC2 instances must be registered as managed instances to be managed with AWS Systems Manager. Since the machine is internal to AWS, VPC Interface Endpoints must be created for AWS to manage our machine using SSM.

Run the following commands one at a time. If any of them generate errors, stop and let one of the trainers know.

  1. export vpc_id_target=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=target-subnet" "Name=tag:key,Values=bapaws" --query 'Subnets[].VpcId' --output text)

  2. export subnet_id_target=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=target-subnet" "Name=tag:key,Values=bapaws" --query 'Subnets[].SubnetId' --output text)

  3. export security_group_target=$(aws ec2 describe-security-groups --filters "Name=tag:Name,Values=target-sg" "Name=tag:key,Values=bapaws" --query 'SecurityGroups[].GroupId' --output text)

  4. aws ec2 create-vpc-endpoint --vpc-id $vpc_id_target --subnet-ids $subnet_id_target --security-group-ids $security_group_target --private-dns-enabled --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.ssm

  5. aws ec2 create-vpc-endpoint --vpc-id $vpc_id_target --subnet-ids $subnet_id_target --security-group-ids $security_group_target --private-dns-enabled --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.ec2messages

  6. aws ec2 create-vpc-endpoint --vpc-id $vpc_id_target --subnet-ids $subnet_id_target --security-group-ids $security_group_target --private-dns-enabled --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.ssmmessages
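A check to run after step 3, as an added example that is not part of the original lab material: it reads the endpoint list for the target VPC and reports which of the three Systems Manager interface endpoints are missing or not yet available. The function names and the sample data are assumptions made for illustration; the region and service names are the ones used in the commands above.

```shell
#!/bin/sh
# Added example (not from the lab): verify the three SSM interface endpoints.
# Input on stdin: one "ServiceName<TAB>State" pair per line, as printed by
#   aws ec2 describe-vpc-endpoints \
#     --filters "Name=vpc-id,Values=$vpc_id_target" \
#     --query 'VpcEndpoints[].[ServiceName,State]' --output text

REGION="us-east-1"   # region used by the create-vpc-endpoint commands in step 3

# Prints one line per required service that is absent or not "available".
# Returns 0 when all three endpoints are ready, 1 otherwise.
check_ssm_endpoints() {
    awk -v region="$REGION" '
        BEGIN { n = split("ssm ec2messages ssmmessages", need, " ") }
        # Remember each service state; an available endpoint wins over others.
        NF >= 2 {
            svc = $1; st = tolower($2)
            if (!(svc in state) || st == "available") state[svc] = st
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                svc = "com.amazonaws." region "." need[i]
                if (!(svc in state)) { print svc ": missing"; bad = 1 }
                else if (state[svc] != "available") { print svc ": " state[svc]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample output (not captured from a real account): one endpoint
# ready, one still pending, one never created, plus an unrelated endpoint.
sample_endpoints() {
    printf 'com.amazonaws.us-east-1.ssm\tavailable\n'
    printf 'com.amazonaws.us-east-1.ec2messages\tpending\n'
    printf 'com.amazonaws.us-east-1.s3\tavailable\n'
}

sample_endpoints | check_ssm_endpoints || echo "SSM endpoints not ready"
```

In the lab, pipe the describe-vpc-endpoints command from the header comment into check_ssm_endpoints instead of the sample data.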

4. Set up SSH SOCKS proxy

On the student machine, launch Firefox.

Set up an SSH tunnel between the student machine and the internal application via the attacker machine's SSH connection:

ssh -o ServerAliveInterval=15 -D 9090 cloudhacker@$cloudhackerip

A Firefox addon called FoxyProxy allows you to switch between no proxy and other proxy states. Switch to

foxy proxy

This will set up Firefox to send traffic through the SSH tunnel, allowing you to browse the application running on the EC2 instance even though it's not accessible directly.

Additional References

No additional resources needed
