Posted in AWSPTwK, Blog

Hands-On AWS Penetration Testing with Kali Linux Section 7: Leveraging AWS Pentesting Tools for Real-World Attacks – Ch 17 – Using Scout Suite for AWS Security Auditing

More notes…

Book info – Hands-On AWS Penetration Testing with Kali Linux

Disclaimer: Working through this book will use AWS, which costs money. Make sure you are doing things to manage your costs. If I remember, I’ll keep up with my costs to help get a general idea. But prices can change at any time, so major grain of salt.

Disclaimer #2: Jail is bad. Cybercrime is illegal. Educational purposes. IANAL. Don’t do things you shouldn’t. Etc. 

Remember that depending on your setup, you may not have to specify region and profile in the CLI commands. And make sure your user has the required permissions so you can check things out in the CLI.

Ch 17 – Using Scout Suite for AWS Security Auditing

Next up is using Scout Suite to do an audit on the AWS infrastructure. Nice helpful tool with a dashboard report. The book walks through setting up a VPC with an exposed EC2 instance and S3 bucket. I don’t feel a real need to go through that setup, and if you’ve been working through things, you should be able to just use the VPC you’ve already setup. If you have an EC2 in there, you can make it vulnerable. Remember to add the Internet gateway if you create a new VPC.

The vulnerable part of the EC2 is a security group that allows All from Anywhere. I added the group and a new EC2 in my existing VPC. Amazon helpfully told me that the security group assigned to the new EC2 was “open to the world” and you should update the security group. Good call, Amazon.

The vulnerable S3 bucket requires turning off the block all public access option then going to the Access Control List and allowing public read/write access. I think AWS has increased the warnings about making S3 buckets open to the public even more than the last time I created a bucket, which I see as a good thing.

Configuring and running Scout Suite

Scout Suite works on AWS, Azure, and Google Cloud Platform – that is sweet. Set up starts by adding an IAM user with the appropriate permissions: IAM > Add user > Programmatic Access > Attach existing policies directly > Select ReadOnlyAccess and SecurityAudit (use the search feature to save time) > Review and create. Note the access key ID and creds to use for AWS CLI configuration. Configure the CLI with:

 aws configure --profile <auditorprofile>

You can skip the --profile if it’s the only one. Now install Scout Suite. I’m using GitHub because the pip3 version had issues, and I didn’t feel like dealing with it.

 git clone https://github.com/nccgroup/ScoutSuite
 cd ScoutSuite
 sudo pip3 install -r requirements.txt
 python3 scout.py --help #Check install
 python3 scout.py aws --profile <profile>

Note that the script is scout.py not Scout.py as in the book, and you may need to specify the profile depending on how you have the AWS CLI setup. This will give you an HTML report that you can view in the normal ways. It returned a fair number of things, but nothing too surprising. It gives a really nice summary. I can definitely see using ScoutSuite for an overview of cloud infrastructure, much like using PingCastle to check on prem AD.

Using Scout Suite’s rules

Scout Suite very helpfully allows custom rulesets. Pull down the default ruleset to make sure you have the right format.

 curl https://raw.githubusercontent.com/nccgroup/ScoutSuite/master/ScoutSuite/providers/aws/rules/rulesets/detailed.json > detailed-rules.json

The line count has changed, so definitely use whatever feature your text editor has to jump to the approximate line (1200ish on the version I pulled). Now run with the new ruleset:

 python3 scout.py aws --profile <profile> --ruleset <ruleset>

Now the VPC thing should pop as a higher level of warning.

Summary

Very cool tool. Nice quick chapter. I look forward to using Scout Suite to investigate Azure settings and looking into it more for AWS. If nothing else, it’s a really nice way to make sure you’ve turned off the vulnerable things you’ve created for labbing.

Author:

Lifelong paradox - cyber sec enthusiast - loves to learn

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.