Wednesday, July 1, 2015

HackBox in the Cloud

You Never Know When You'll Need It

There are plenty of legitimate uses for a cloud-based hackbox, penetration testing being the most prominent. While a Kali box on your home LAN is great for pentesting the local network, a Kali box in the cloud with a dedicated public IP address is a much more versatile tool. Sometimes it's easier to use the cloud box even when I am working on the same network as my target, because of local firewalls, upstream NAT issues, and so on. And being able to SSH into your hackbox from your daily driver, from anywhere, is every bit as comfortable as it is priceless. I also suspect many people overlook the security implications of leaving a pentest box like Kali running on your home network 24/7. If someone compromises your home Kali box, the damage can escalate quickly and in stylish fashion as that attacker uses your own tools against you. Yes, that has happened to me...

Building Your VPS -- Use Debian Wheezy!

A couple of posts ago I discussed the perks of taking advantage of the cheap and abundant virtualization available today, and of segregating your systems by task. Today we're going to talk about how to build a little "hackbox in the cloud", so to speak. It will be hosted on a relatively cheap VPS, yet provide most of the functionality of a physical Kali box. The system should be built on Debian 7 (Wheezy), which lets us make use of the Kali Linux repositories. This will make your life about 1000x easier. Kali Linux is a straight pentesting distro with more security tools than I care to count, including metasploit, armitage, setoolkit, sqlmap, ettercap, wireshark and so on. It is also based entirely on Debian Wheezy, which means that we can turn any Wheezy system into a full-blown angel of death with two or three lines of bash.

First you need a VPS running Debian Wheezy. I'd recommend Digital Ocean for this project if you are going to use the hackbox for legal whitehat activities, because D.O. is simply damn convenient and stable. I have never had even one second of downtime on any of my D.O. boxes. They also offer free snapshots, meaning that you can rebuild your box from an image you created earlier when something breaks. This is a priceless feature, especially for this kind of project. The first thing I do after configuring a server is take a snapshot. As for the architecture, go with x64: that lets you build both 32- and 64-bit binaries (given the multilib packages), which is awkward on a 32-bit system.

Graphic Desktop Environments

Before you build your VPS, decide whether you will be installing a desktop environment to use over VNC (tunnelled over SSH, of course). If so, then make sure you have at least 2G of RAM. You can get away with running Openbox or Metacity on a server with 1G of RAM, but you run the risk of programs crashing because the system has run out of memory, which is most inconvenient during a pentest! It will also be very slow once you start the X server. If you don't want a GUI, then 1G of RAM is more than enough. If you cheap out and go with the 512 MB RAM package, then at least configure a large swap file, and do expect random crashes.

It's also worth noting that tunnelling VNC over SSH can be really slow, especially if you are also behind a VPN or proxy. However, sending VNC without some kind of encrypted tunnel is like saying "Hey NSA -- want a free live stream of my desktop?" To mitigate the slowness, pick a server that is geographically close to you, or tunnel your VNC through a VPN instead of SSH, which can be a lot faster depending on too many factors to list here (AES-128 is a fast cipher for this purpose; Blowfish is often suggested too, but its 64-bit block size makes it a poor choice for a long-lived tunnel).

In the end, GUIs on VPS servers kind of suck. I'd recommend doing the things which require a GUI on a local virtual machine instead. Besides, GUIs add tons of extra code, which means more attack surface and a lot of extra precautions to deploy correctly.

Getting to It

After you've configured your server, set up SSH, got your firewall running, optionally configured sudo, and performed a system update, it's time to add the Kali repositories to your sources.list:

deb http://http.kali.org/kali kali main non-free contrib
deb-src http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free


You'll probably get an error about a missing GPG key when you run apt-get update, so add it, then try again. You may be able to install the package kali-archive-keyring to take care of that, or you may have to fetch and import the key manually (into apt's keyring, not your user's gpg keyring, which apt never consults), then list its fingerprint:

$ wget -q -O - https://www.kali.org/archive-key.asc | apt-key add -
$ apt-key finger


Compare the fingerprint apt-key finger reports against the one listed on their site, and apt-key del it if it doesn't match. Bear in mind that with the Kali repositories in sources.list and no pinning, apt will pull Kali's version of any package it considers newer; that is the point here, but it is not something to do on a Debian box you care about. After adding the sources and running apt-get update && apt-get upgrade (but not a dist-upgrade, because that could break your Kali install) you can turn your Debian server into a near-complete Kali system with this command:

 apt-get install kali-linux-full
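Here is an added example (my own script, not from the original post) that makes the fingerprint check a precondition rather than an afterthought: it downloads the key, reads the fingerprint from gpg's machine-readable colon output, and only calls apt-key add if it matches the value you copied from the Kali site. The EXPECTED_FPR value is a placeholder you must replace with the published fingerprint; the URL is the one from the post.

```shell
#!/bin/bash
# Added example, not from the original post: download the Kali archive key,
# check its fingerprint against the one you copied from kali.org, and only
# then hand it to apt-key. EXPECTED_FPR is a placeholder, NOT the real
# fingerprint; replace it with the value published on the Kali site.

KEY_URL="https://www.kali.org/archive-key.asc"
EXPECTED_FPR="0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"   # placeholder

# Remove whitespace and upper-case, so a fingerprint pasted from a web page
# compares equal to the compact form gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons --with-fingerprint` output on stdin and print the
# primary key's fingerprint (field 10 of the first "fpr:" record). The colon
# format is stable across gpg 1.4 and 2.x, unlike the human-readable listing.
fpr_from_colons() {
    awk -F: '/^fpr:/ { print $10; exit }'
}

# Success iff the fingerprint found in the gpg output ($1) equals the
# expected fingerprint ($2); fails when no fpr record is present at all.
fpr_matches() {
    local got
    got=$(printf '%s\n' "$1" | fpr_from_colons)
    [ -n "$got" ] && [ "$got" = "$(normalize_fpr "$2")" ]
}

# Fetch the key to a temp file, compare, and add. Never calls apt-key on a
# mismatch. (On gpg 2.1.23+ you can use `--show-keys FILE` instead of listing
# the file directly, which gpg 2.x flags as deprecated but still does.)
verify_and_add_key() {
    local tmp listing rc
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$KEY_URL" || { rm -f "$tmp"; return 1; }
    listing=$(gpg --with-colons --with-fingerprint "$tmp" 2>/dev/null)
    if fpr_matches "$listing" "$EXPECTED_FPR"; then
        apt-key add "$tmp"; rc=$?
    else
        echo "Fingerprint mismatch, refusing to add the key. gpg saw:" >&2
        printf '%s\n' "$listing" | fpr_from_colons >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Only act when invoked as: ./kali-key.sh add
if [ "${1:-}" = "add" ]; then
    verify_and_add_key
fi
```

Run it as root (apt-key needs to write /etc/apt/trusted.gpg); a mismatch leaves apt's keyring untouched and prints the fingerprint it actually saw so you can compare by eye.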

That will install a lot of packages, and will take between 10 and 20 minutes to complete. If you opted for a headless environment instead, you should install the packages you need individually, so you don't end up with a pile of unused code (and attack surface). Programs like metasploit, nmap, sqlmap, and tshark do not require a GUI to function, and can each be installed via apt.

Metasploit is arguably the most useful program in a pentester's tool chest, so I'll briefly cover setting it up. You can clone it from git or grab it from apt; installation is pretty straightforward either way, but to ensure things go smoothly, I'd recommend doing things in this order:

apt-get -y install nmap metasploit postgresql
service postgresql start
service metasploit start
msfconsole

Beautiful, isn't it? At this point you're pretty much good to go, but we've got a few more optimizations and tweaks to make. At some point you are going to need to open ports for Metasploit handlers, so it's a good idea to write a 'reset' firewall script that you can call on demand to close them again. Normally I'd not recommend UFW on a server, but because of its sheer simplicity, and because your hackbox needs to be flexible (and can always be restored to its original state, provided you took a snapshot), UFW is not a bad choice here. Write a quick script that resets the firewall to a baseline which only admits SSH from your own static IP, and save it as /usr/local/bin/firewall so it can be executed from anywhere. Something like this:

#!/bin/bash
# Reset the firewall to its baseline: deny everything inbound except SSH
# from one trusted address. Call this after you're done with an exploit.

# Need root.
if [[ $EUID -ne 0 ]]; then
    echo "Got root?" >&2
    exit 1
fi

# Your SSH server's listening port, the static IP you connect from,
# and the interface that carries your public address.
sshPORT=22                     # change this if sshd listens elsewhere
sshHOST=some.static.ip.addrs
primINT=eth0

# ufw reset does not always clear these tables, so flush them by hand.
iptables -t nat -F
iptables -t mangle -F

# --force skips the interactive "are you sure?" prompts, so this can run
# unattended (and from a trap).
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow in on "$primINT" proto tcp from "$sshHOST" to any port "$sshPORT"
ufw --force enable
ufw status verbose
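As an added example (not from the original post), here is how I'd open a handler port so that closing it again can't be forgotten: a wrapper that adds one ufw rule, runs msfconsole with a multi/handler command string, and calls the reset script from a trap so the port is closed on normal exit, Ctrl-C or SIGTERM. It assumes the reset script above is installed as /usr/local/bin/firewall and that ufw is the active firewall; the port, LHOST and payload on the command line are whatever fits your engagement, and DRY_RUN=1 prints the privileged commands instead of executing them.

```shell
#!/bin/bash
# Added example, not from the original post: open a single TCP port for a
# Metasploit handler, run msfconsole, and put the firewall back to baseline
# when msfconsole exits, including on Ctrl-C. Assumes the reset script above
# is installed as /usr/local/bin/firewall and that ufw is the active firewall.
# DRY_RUN=1 prints the privileged commands instead of running them.

FIREWALL_RESET="/usr/local/bin/firewall"   # the reset script from above (assumption)
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Accept only an integer in 1..65535; fail early rather than let ufw reject it.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The ufw rule that exposes the handler port. The callback has to reach us
# from the target's network, so the source cannot be restricted here.
handler_rule() {
    printf 'allow in proto tcp to any port %s' "$1"
}

open_port() { run ufw $(handler_rule "$1"); }   # unquoted on purpose: split into args
close_all() { run "$FIREWALL_RESET"; }

# Open the port, hand off to msfconsole, and reset the firewall afterwards.
# The trap makes the reset happen on normal exit, Ctrl-C, or SIGTERM.
run_handler() {
    local port="$1" lhost="$2" payload="${3:-windows/meterpreter/reverse_tcp}"
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    [ -n "$lhost" ] || { echo "usage: $0 PORT LHOST [PAYLOAD]" >&2; return 2; }
    trap close_all EXIT INT TERM
    open_port "$port"
    run msfconsole -q -x "use exploit/multi/handler; set PAYLOAD $payload; set LHOST $lhost; set LPORT $port; exploit -j"
}

# Only act when given arguments, e.g.: ./handler.sh 4444 203.0.113.10
if [ "$#" -gt 0 ]; then
    run_handler "$@"
fi
```

The LHOST in the usage comment is a documentation address, not a real server; substitute your hackbox's public IP. Because the trap runs the full reset script rather than a targeted `ufw delete`, any other rule you added by hand during the session is removed too, which is the intended behaviour on a box you restore from snapshots anyway.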


If you want a graphical desktop environment, then you need a way to reach X. SSH has native X forwarding, but to be honest, I've never used it. As I mentioned, you can use VNC and tunnel it over SSH. I've been using tightvncserver on the box and xtightvncviewer on the client side. The experience has not been great, but it works. For example (unless I just don't know what I'm doing, which is possible), there does not seem to be a way to copy and paste text into or out of the VNC window. Also, when I press the down arrow key out of habit to scroll through my command history, it does not work at all. The left and right arrows work though... not sure what's going on there. In any case, this is how you set it up [thanks and credit to the source for the excellent tutorial!]:

server$ apt-get update
server$ apt-get upgrade
server$ apt-get dist-upgrade 

(It's always good to refresh your package lists before installing anything; if you heeded the earlier warning about dist-upgrade on this mixed Wheezy/Kali system, skip that line.) The default Kali environment runs GNOME classic with the Metacity window manager. I first tried doing this with Openbox because it's lighter, but I had some configuration problems so I ended up going with good ol' trusty GNOME:

server$ apt-get install gnome-desktop-environment 

(Assuming you're going to use tightvncserver: ) 

server$ apt-get install xfonts-100dpi xfonts-100dpi-transcoded xfonts-75dpi xfonts-75dpi-transcoded xfonts-base tightvncserver
 
Stop! Before you start the VNC server, I think it's a really good idea to create a separate user with limited privileges to run it. Anything graphical tends to bring a lot of security issues with it, so take precautions. That way, if someone manages to brute-force their way into your box, at least they will be presented with a fairly limited shell.

server$ useradd -m limpriv
server$ usermod -s /bin/sh limpriv
server$ passwd limpriv            (enter a strong password)
server$ su - limpriv

And finally start the server, explicitly telling it to only accept connections from the localhost:

tightvncserver -localhost :1

Or from another account:

sudo su limpriv -c '/usr/bin/tightvncserver -localhost :1'

At this point you'll be prompted to create a VNC access password, so do that. If you want the VNC server to start every time you boot the box, create an init script. Here's a sample one to get you started. Now create an SSH key for your limpriv user; I'll assume you know how to do that if you got this far. When you VNC into your box you will be running as the limpriv user. From there you can log into your privileged account, and then finally sudo or su to root. This adds a layer of protection and is probably worth the effort. To start the connection:

client$ ssh -f -N -L 5901:localhost:5901 limpriv@hackbox 
client$ xtightvncviewer localhost:1
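Added example (my own, not from the tutorial): a client-side connect script that, before opening the tunnel, asks the hackbox over SSH for its listening sockets and refuses to continue if the VNC port is bound to anything but a loopback address, which is exactly the mistake -localhost is there to prevent. It assumes the user@host from above (limpriv@hackbox), tightvncserver on display :1 (TCP 5901), and ss being available on the server.

```shell
#!/bin/bash
# Added example, not from the original post: check over SSH that the VNC
# server on the hackbox listens on loopback only, then open the tunnel and
# the viewer as in the post. HACKBOX is an assumption (the post's user@host).

HACKBOX="${HACKBOX:-limpriv@hackbox}"

# Read `ss -ltn` output on stdin and print the local address of every LISTEN
# socket on port $1. The 4th column is "addr:port", e.g. 127.0.0.1:5901,
# *:5901 or [::]:5901; the header line (NR == 1) is skipped.
listeners_on() {
    awk -v port="$1" 'NR > 1 { re = ":" port "$"; if ($4 ~ re) print $4 }'
}

# Same, but keep only sockets NOT bound to a loopback address, i.e. the ones
# a remote host could reach if the firewall let it.
exposed_listeners() {
    listeners_on "$1" | awk '!/^(127\.0\.0\.1|\[::1\]):/'
}

# Returns 0 when port $1 listens on loopback only, 1 when nothing listens on
# it, 2 when it is exposed. ss output comes in on stdin so this is testable.
vnc_binding_ok() {
    local port="$1" input all exposed
    input=$(cat)
    all=$(printf '%s\n' "$input" | listeners_on "$port")
    if [ -z "$all" ]; then
        echo "nothing listens on $port; start tightvncserver -localhost first" >&2
        return 1
    fi
    exposed=$(printf '%s\n' "$input" | exposed_listeners "$port")
    if [ -n "$exposed" ]; then
        echo "VNC port $port is reachable on $exposed; restart it with -localhost" >&2
        return 2
    fi
    return 0
}

# Check the binding on the server, then tunnel 5900+N and launch the viewer.
connect_vnc() {
    local display="${1:-1}" port
    port=$((5900 + display))
    ssh "$HACKBOX" ss -ltn | vnc_binding_ok "$port" || return $?
    ssh -f -N -L "$port:localhost:$port" "$HACKBOX"
    xtightvncviewer "localhost:$display"
}

# Only act when given a display number, e.g.: ./vnc-connect.sh 1
if [ "$#" -gt 0 ]; then
    connect_vnc "$@"
fi
```

The `ssh -f -N` tunnel stays in the background after the viewer closes, so kill it when you're done; and because `ssh -L` binds the client end to localhost by default, the same check applies on your side if you ever add `-g` or a `0.0.0.0:` prefix.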

After entering your VNC password, a new window will appear with your remote desktop, with that old familiar black Kali desktop. Now you're ready to rock and roll. What you can do from here is only limited by your imagination and IQ level, I suppose. Just do the world a favour and use this gift of open source awesomeness for good rather than evil... You know the drill:

  • Think before you type
  • Respect other people's privacy
  • With great power comes great responsibility

1 comment:

  1. Did you ever find a workaround to the Up arrow and Copy&Paste!! I have exactly the same issues and it's unworkable!
