Friday, September 28, 2018

VNC Over AWS

If you followed the instructions from the last post, you have a Kali instance running in AWS. The problem is that you are limited to SSH access, which is the management protocol allowed by default through the AWS security groups. You really want to be able to get GUI access so you can run the pretty tools. Well, there are a couple of ways to do that.

One way is a bit more complicated, though it doesn’t involve adding rules to your security group. It requires that you install an X server on your local desktop and then turn on X11 forwarding through your SSH session. If you are using PuTTY, this is fairly simple. Getting an X server isn’t very complex. Xming works pretty well, though there are others. Ideally, if you enable X forwarding, the DISPLAY variable in your SSH session will be set to point at the X server on your local system, so any program that requires a screen, keyboard and mouse will be thrown back to your X server and displayed on your local system. While I’ve used this approach for … well, decades … I find it’s not foolproof. Sometimes the variable doesn’t get set and often pushing X-based programs back through an SSH session can be just plain clunky. So, we’ll try another approach.

This will be fairly easy and straightforward as well, though it does require altering the security group in AWS to allow a port through to your Kali instance. The first thing you want to do, though, is open an SSH session to your Kali instance. Once you are there, run sudo vi /etc/init.d/vncserver to create the script that will start the VNC server at boot. Once you have vi running (you need sudo because you are editing in a directory that requires administrative privileges), paste in the following code:

#!/bin/sh
### BEGIN INIT INFO
# Provides: vncserver
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start VNC Server at boot time
# Description: Start VNC Server at boot time.
### END INIT INFO

USER=root
HOME=/root

export USER HOME

case "$1" in
  start)
    echo "Starting VNC Server"
    # Insert your favoured settings for a VNC session.
    # Display :0 listens on TCP port 5900.
    /usr/bin/vncserver :0 -geometry 1280x800 -depth 16 -pixelformat rgb565
    ;;

  stop)
    echo "Stopping VNC Server"
    /usr/bin/vncserver -kill :0
    ;;

  *)
    echo "Usage: /etc/init.d/vncserver {start|stop}"
    exit 1
    ;;
esac

exit 0

Kali Linux uses the newer systemd startup process, though you can still use init scripts with Kali. Once you have the script created (use ‘I’ to insert, then paste the code using Ctrl-V as you normally would, then hit ESC followed by ‘:wq’ to get the text entered and saved — skip the ‘ characters when typing), we need to make sure that Kali uses it when the system boots. In order to do that, run the following:

ec2-user@kali:~$ sudo chmod 755 /etc/init.d/vncserver
ec2-user@kali:~$ sudo update-rc.d vncserver defaults
ec2-user@kali:~$ sudo /etc/init.d/vncserver start

Your Kali instance will add the service as a startup script in the default run levels, which is all we need to do. When you start the VNC server for the first time, you will be asked to set a password. This is a password you will be asked to enter when you connect to the VNC server, so it’s a minimal amount of security to keep unauthorized users out. The last thing to do is allow the VNC traffic through the security group, which is essentially a firewall where you create rules for traffic control. We need to allow TCP port 5900 in. Below, you can see what those rules look like. From the left hand side of the AWS portal, go to Security Groups. You should see one where the Group Name says something that includes Kali Linux. Right-click on that and select Edit Inbound Rules. Once you are there, you can add the rule just the way it’s shown below.

[Screenshot: SecurityGroup]

If you happen to know the public IP that you are using through your ISP, you can enter that into the Source field but don’t go too crazy or you’ll just end up locking yourself out. If your IP address changes, you will need to change it here to allow yourself VNC access. Once you have saved it, it becomes active. There is nothing further to do.

All you need to do now is start a VNC client to connect to your server. There are a number of clients, including Screen Sharing on a macOS system. On Windows, the RealVNC client is a reasonably good application for connecting to VNC servers. When you configure the connection, you will be asked for the password you created when you first started the VNC server. You will also need the public IP address. When you go to the AWS portal and select your running Kali instance, at the bottom, you will see two lines. One is for the Public DNS (IPv4) and the other is IPv4 Public IP. You can use either of those. Both will likely change when you shut down and start up your Kali instance. Use either the hostname (DNS name) or the IP address, along with the password you created, to connect to your VNC server. You will be presented with a desktop running XFCE, so it doesn’t look like the same desktop as if you were running it locally in a VM. However, it is still a fully functional instance of Kali with the desktop and access to all the applications.

 

Thursday, September 27, 2018

Kali on AWS

Kali Linux is an incredibly useful distribution for security testing and also open source intelligence gathering. While you can certainly install Kali on a hardware-based system or even in a virtual machine, you can also take advantage of the work other companies have already done. This includes Amazon Web Services (AWS). You don’t have to build an image or install a hypervisor. You just connect to AWS and launch an EC2 instance from the AWS marketplace. We’re going to work through that here, showing you how simple the process is.

This assumes you have an AWS account, which is very easy to set up if you already have an Amazon account, and who doesn’t have one of those? I assume everyone else is spending entirely too much money buying stuff that just shows up at your door, just because it takes no thought and almost no effort. I’m not going to walk through the process of creating an account. It should be straightforward enough.

Once you have logged into the AWS portal, you should go to the Instances page from the link on the left hand side. From there, you will see a big blue button that says Launch Instance. This will take you to Step 1 where you will select an AMI image. If you search for Kali, you will find there are several community images as well as one marketplace image. Use the marketplace image, as you can see below.


Once you have selected Kali Linux as your AMI, you will need to select the size of your system. You can definitely select as large a machine as you want, but if you want to go cheap and don’t plan on doing a lot of high-intensity computing, you can use the free tier system, as shown below. This is a t2.micro type with a single CPU and only 1G of memory. You aren’t going to be doing a lot with a system this small but for just playing around with Kali, it should be ample.


This will create a new instance of the Kali Linux image, after which you will need to create authentication credentials. This is done, under Linux, with SSH keys. If you happen to have keys already stored in AWS, you can use them. Otherwise, you can create a new set, just as you can see being done below. Once you have provided a name, you will need to download the key file. This will be a Privacy Enhanced Mail (pem) file, containing a certificate that has the encryption keys necessary to establish an encrypted SSH session, as well as authenticate you.


We’re almost done at this point. Your instance will start up after you have downloaded your .pem file and then clicked Launch Instances. You can’t Launch until you have downloaded the key pair, so the Launch button will remain disabled until then. As soon as you launch your instance, it will get provisioned. It takes a couple of minutes or so to start up the instance. Once that happens, it will show up as Running in your instance list. If you right-click, you can select Connect and you will get a window like the one shown below.


In my case, I’m working from a macOS system so I have an ssh client available through the command line (I use iTerm for command line access). Below, you can see changing the permissions on the key file, since ssh won’t make use of the key file unless access to it has been restricted. After that, I just ssh into the remote system. Because I’ve let Amazon do all the work for me, I don’t have to make any modifications to security policies in AWS. It took care of allowing SSH to the public-facing IP address that it allocated for me.


kilroy@binkley  ~/Downloads  chmod 400 Kali.pem
kilroy@binkley  ~/Downloads  ssh -i "Kali.pem" ec2-user@ec2-34-213-11-105.us-west-2.compute.amazonaws.com
The authenticity of host 'ec2-34-213-11-105.us-west-2.compute.amazonaws.com (34.213.11.105)' can't be established.
ECDSA key fingerprint is SHA256:Rv7rErLsH6pch8jxJc6HL+VmzTxZ3TQw7iwm1mJaLok.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-34-213-11-105.us-west-2.compute.amazonaws.com,34.213.11.105' (ECDSA) to the list of known hosts.
Linux kali 4.17.0-kali1-amd64 #1 SMP Debian 4.17.8-1kali1 (2018-07-24) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ec2-user@kali:~$


And that’s all that it takes to get a Kali instance running in AWS! Enjoy!

