
EC2 or Bust – How to Build Your Own Pen Testing Lab in Amazon EC2

BSides Las Vegas · 2013 · 38:28 · Published 2017-01
Category: Technical
Style: Talk
About this talk
A practical guide to building isolated pen testing labs and one-off testing environments using AWS EC2 and Virtual Private Clouds. The talk walks through infrastructure-as-a-service basics, compares on-premises versus cloud approaches, and demonstrates how to configure VPCs, subnets, security groups, and network ACLs for secure lab environments.
CG - EC2 or Bust – How to Build Your Own Pen Testing Lab in Amazon EC2 - Grecs Common Ground BSidesLV 2013 - Tuscany Hotel - July 31, 2013
Transcript

Yeah, we're good. Okay, so today, one of the things that I'm going to talk about... I probably spent about six months playing on EC2 trying to do various things, and so one of the things I want to do today is take those experiences and try to apply them to doing some sort of a pen test lab. Now, this doesn't have to be a pen test lab; it could be sort of a one-off machine that you spin up for, say, testing some new tool or anything like that. I'm going to look at a few things, because obviously for between $500 and $800 you could build your own, so what I'm going to do is just kind of go through some of the pros and cons of each. And I think in the end, at least for the type of thing that I was looking for, using EC2 just to do sort of one-off labs on a periodic basis seemed to work well, and in the long term would probably be cheaper. It also offers a lot more flexibility in terms of, you know, you already have the operating systems with the licenses, so you don't have to worry about that; it's easy to upgrade your processor, your memory, anything like that; you can do that without having to go out and purchase more hardware.

Okay, so this is me on Twitter. I come from Northern Virginia, which is right outside of DC. Do we have any people here? Any NoVA Hackers here? All right, we got a few, so thanks for showing up. So I started my career in security probably about early 2000-ish. One of the cool things is I got in on the ground floor of when web application security was coming out, and I just had a blast. It was awesome, and I knew that security was something that I wanted to do as a career for the long term. Unfortunately, I had to move on in terms of career decisions. Now, I was still doing security, but in order to progress up the ranks... this is similar to the keynote this morning, where you can start out doing all this fun hacker stuff and then at some point you have to grow up and you get into management, and then you kind of lose being able to do some of that fun stuff. So I got into security engineering, so that's fun. Unfortunately, that led to doing FISMA C&A type work. Has anyone done that? Anybody? Okay, one person that does stuff for the federal government. And then that led to doing awesome things like writing proposals and just a whole lot of things which seemed cool at the time from the business sense. So I was creating a lot of this. Unfortunately, there was all this cool stuff that was going on and it was very frustrating, because all I'm doing is creating this. So, you know, that made me want to do this. So I thought a little bit.

So now, I'd say for the past three years, I've been doing more like trade studies on different security tools, doing just various sort of applied research type stuff, and most recently I'm going to start teaching a class for the company that I work for. So I'm still creating some of this, so I get to drink better versions of this. And in the evening, when I have time, because I have more time now since I'm not creating that huge amount of paperwork, I spend my time trying to do some sort of hands-on stuff to kind of get back to the hacker roots and learn all those things, which I try to showcase on a website that I run, which is novainfosec.com. It's sort of a local site for people that are in the DC area. As you can tell, I've put some BSides stuff up recently. I just want to say thanks to some of the people that have indirectly paid for me to be here too, so there's Milton Security, Bob Security and Traines. So if anybody's here, what would be really cool is if you would tweet out to each of them saying, hey, thanks for sponsoring Grecs. That would really help so I can continue my little side job. I don't really make that much money, but it's more of, you know, I want to get to the point where it just sort of pays for itself, the website. So anyway, now I'm a happy panda.

All right, so to the core of what I want to talk about today. First I'm just going to go through a quick intro of some of the background of why I'm doing this, some pros and cons of each of the different solutions, and then also get a detailed look into the Amazon services and what they offer and how you can set those up to be your virtual lab. Then I'm going to go through sort of a quick setup and conclusion. A few caveats here: this was the first presentation that I've ever tried to do in Google Docs, so I've spent a lot of time trying to transition stuff over, so if stuff's sort of out of whack, please take that into consideration. And also, this is just the start for me. I definitely want to take this a lot further, so I'm just sort of giving the basics now, but going forward I really want to set up a pretty complex lab and run it on a regular basis and then do some sort of a cost analysis, you know, like what's the point where it's more efficient for you

to purchase the actual hardware and run it out of your house versus just using the EC2 stuff.

Okay, so the goals. Like I said, I wanted an enclosed lab to play on. A lot of times I'm on travel and it's very hard to access a home lab. Now, you can use things like DynDNS instead, with an ESX server, and sort of VPN back in, and that kind of works, kind of doesn't, and depending on the bandwidth that your broadband provider gives, it may work well, it may not. And it's accessible from anywhere, which is kind of what I talked about. And then the thing that I really like is that you only pay for what you're using. And it's easier in terms of... I think to get started, you probably spend about $500 to $800 to set up your own home lab using something like ESXi. But there are disadvantages with your home lab, like you don't have any licenses, so you're going to have to go out, and unfortunately, you know, TechNet isn't available, or you can get it but you have about a month. So you get licenses and a lot of stuff like that. But the nice thing is you only pay for what you use. In terms of what I'm planning on using it for, I don't think this is going to be something that I'm going to set up and just run the whole month. This is going to be something where maybe something's going to come up at work, maybe a new tool comes out, and so what I'll do is just spin up my VMs, VPN out into my private lab, test things, see how things work, and then probably just shut them down and move on. So I kind of relate it to... it's a lot easier to swallow just paying, say, $10 per month than coming up with between $500 and $800 to set it up, and then all the research that you would have to go into to get it working the way you want. And then also, I relate this to, it's sort of like a car payment, but you only pay for when you drive, so the car sitting in the garage really isn't going to do that. Then the other thing was to just get a more in-depth understanding of the cloud and how it works.

So a lot of people... and I've been here since Saturday and I've had several discussions with, you know, hey, well, why not just set up your own home machine and do it that way? So, between $500 to $700 you can get a low-end Dell server. You can do ESXi for free. There are, I think they call them white boxes, there's a site that's dedicated to it where you can actually get a pretty cheap old desktop for, say, $100 to $200 and set that up as a white box, and that can work well too. And then the other option is just having your normal laptop and having VMware and just running a few VMs. At least personally, I was looking for something a little bit heavier. And the other thing that I like is that if I'm doing something like malware analysis, even though it's in a VM, I would rather be doing that up somewhere that's not on my hardware infrastructure. And the other thing too is, you know, avoiding carrying around a big honking laptop, one of those big Alienwares.

So I already touched on some of the use cases, like just teaching yourself or trying to learn on your own, and this could be, say, commercial security tools, but it could also just be new tools that come out on a regular basis. And then what I plan to kind of use it for too is maybe throwing up ad hoc lab stuff for doing classes and webinars and things like that. So, like the past few talks that I've given have been on malware analysis, and so one of the goals was to set up some sort of lab where people do a webinar and then people could VPN into it and have VMs set up for them there.

So the pros, at least for me: there's no space required, so if you have a significant other, they may not be cool with you having this big server in their closet, so that was a big factor for me. I talked about upfront costs: you only pay for what you use; you don't have to come up with a big, like, $700 to get that server. And, not that it's a huge issue, but you don't have to worry about any of the increase in electrical cost. Availability: it's accessible anywhere, anytime. I mean, I can take my iPhone and I can start up all my VMs and then I can just SSH or RDP into them. So wherever I am, if I'm at home, if I'm on

travel, if I'm at work, whatever, all you need is an internet connection and then some sort of VPN client so that you can connect into your private network. And the other pro is the machines are very flexible, so you could easily add, augment or remove machines based on what you need. You can go with the, they call them AMIs, Amazon Machine Images, so you can go with the standard ones that they provide, and they have tons of stuff, anything from all the licensed stuff from all the different Windows versions to appliances. So, say, like, on one assignment I was looking at what was formerly the Astaro Security Gateway thing; well, they had an appliance, I didn't have to set it up, I could just spin up that VM and test it out. But it's easy to, then, create customized ones too, so you start with one of theirs and then you customize it and then you create your own AMI from that. And then you can also create your own AMIs; the easiest way that I found to do that is you actually build it on your workstation using something like VMware, and then they have scripts that you can run and automatically put that up into your listing of AMIs, and from that you can spin up those images. And the thing that I like too is it's just very easy. Like, say you put something up and it just seems to be running slow. One of the things that I did was run Security Onion, and I started out running a micro instance and it was just a dog, you know, so it was very easy just to go in and say, hey, I'm going to up the RAM, up the processor. I mean, it costs more when I did that, but at least you have that option.

So, other pros... oh, and by the way, that's not my wife. So, pros: one of the things that I said earlier was that Microsoft TechNet, I forget the exact date, but you have a few weeks to purchase that before they do away with it. So the nice thing about that is that, for $200 per year, you could get access to everything from way back to DOS, whatever, 3.1, or Windows 3.1, all the way up to Windows 8, all the different server versions, and so a lot of people would use that when they build labs, because they could set up a realistic lab and they were licensed too. I mean, the terms of service, you weren't supposed to use it for commercial purposes, but it was just a nice option. Well, they've done away with that, and so that's where I think Amazon has, or not just Amazon but any of the cloud providers have, an advantage, because they come with licensed software, the OS, and then you don't have to worry about any trials or timeouts or anything like that. And then also, there are no dependencies on your home broadband, so if that's where you're hosting it, you don't have to worry about, oh, I can download stuff at 50 gig but I don't have upload like 128k, so it's probably not going to work too well.

So, cons: for some reason Amazon does not provide desktop AMIs, and it seems reasonable because their goal is to provide a server so that people can outsource their infrastructure there. But like I said, you can go out to, say, eBay or any site where you can get retail licenses, you can create them on VMware and then import them as an Amazon AMI. But in reality too, you can use a server as a good desktop too, so you have that option. And then there are third-party services where you can have virtual desktops that actually use the Amazon infrastructure. I'm still looking into that, whether you can put them into your private VPC or if you're excluded from doing that. Cost could be a pro or con, because it depends on how much you use it and the different machine types. As an example, I was just doing Windows servers and it seemed pretty cheap, and then I ran one that had SQL Server built in and it was like three times the cost. So it depends on the different machine types too, and then also the length of use. But I think, for my purposes, where I was going to do some periodic testing, just as long as you start them up, use them and shut them down, it's really not that expensive. And also the con is you can't do anything without the network, so if you don't have network connectivity to Amazon or to your VMs or to your AMIs, you really can't do much.

Okay, so the next part of this is I wanted to get into, you know, what is the cloud? So is anybody familiar with the cloud? Anybody who's not familiar with the cloud? Have you ever heard of the internet? I don't know. All right, what is

that? What, the computer? Yeah. So first, I come from a federal government contracting background, so NIST has a nice definition here, which is basically this picture. You can't read it on the screen there, but there's five essential characteristics, which I can't really read because it's too small, but the different service models are infrastructure as a service, platform as a service and software as a service. So, you know, software: things like Gmail; platform: you might have like a .NET platform you can develop on; and infrastructure as a service, so that's basically what Amazon is, or what their core structure is. And like when I started getting into this, everyone's like, the cloud, the cloud, and I thought it was this magic unicorn thing, and then I found out, oh, you're just running VMs on their hardware. I was disappointed, but that's all it is. It's just, like, instead of running VMs on your local, you're just able to spin up things and run them on other people's infrastructure.

Amazon basically provides two types: there's your standard EC2 instances, and then there are instances within VPCs, which is a virtual private cloud. I have a slide but seem to be missing something on that slide... there it is. Once again, this is the Google Docs thing, I don't know. So first of all, you have the standalone instances, and what I don't like about them is you start out here, you have this Amazon EC2 cloud, there's some basic services that it provides. Security-wise, they have security groups, which are basically firewalls. On top of that you can run these operating systems, and like I said, just whatever AMIs they have. And what I really didn't like about that is there was really no way to create an infrastructure with that, in terms of trying to build a pen test lab. So if I wanted to create a domain controller and then have workstations that would be part of that, there didn't seem to be a way to keep that all connected, because whenever you reboot these, guess what happens? Does anybody know? They get a new IP. So it was really hard. Now, you can do things which cost a little bit more. So they basically have dynamic IPs; you can assign EIPs, which are their version of just a static IP, to it, so there's that. But it really didn't fit what I was looking for in terms of building a lab, so that's when I really got into using the VPC, which is the virtual private cloud.

Basically it has all this structure here, and then you can spin up the EC2 instances here, and these are just private little networks that you can put security on and then force all the traffic through that to go out your gateway. So there's a lot of cool things you can do with it. So by default, down on the bottom right there, the VPCs come with a default DNS service, DHCP, VPN and a gateway. So the gateway obviously is so that the machines can get out and access the internet. The VPN, it's mainly not so you can VPN in and access your stuff; it's really focused on hardware VPNs, and so their use case is if you have your infrastructure and you want to extend it to the Amazon cloud. So it basically gives you the settings to put into your hardware router so that you can have instances that are running in Amazon that are basically an extension of your internal infrastructure. With the VPC structure you get additional services; some of them are security related, some of them aren't. So you have security groups, which we already talked about, that's just basically a firewall. You have network ACLs, so that's basically the same thing but it's stateless; a lot of overlap there. You have routing tables that you can map, and you have subnets, and then on top of that you can run your different operating systems. And for those security folks that really don't know networking that well, this is an awesome playground to learn how firewalls work, how network ACLs work, how to set up routing tables and subnets. So that's a good place to start without having to go buy your Cisco router and try to configure it that way; just a nice little GUI that you can do stuff with. And then once again, the EIPs, you can assign that to the hardware VPN interface so that you can connect your corporate infrastructure up to it, and then also within EC2, the different operating systems, that's kind of in its own secluded pocket, but you can also assign them external IPs too so that you can access them directly. But that's not something that I really want to do. I don't want to set up my lab and have other people just going and using it to do their stuff.

So just to give a comparison between the two types of instances that Amazon has: EC2, it's simple and cheap, and I think it's excellent for doing one-off tests, like the Astaro Security Gateway thing that I was playing with. I really didn't need to put that into a whole

infrastructure in order just to load it up, log in, see what all its capabilities are. Now, if I wanted to use that as a gateway, then it would make sense to move over to the VPC. But cons: dynamic public IPs by default, and also that it's very hard to set up any sort of infrastructure there. VPC: you get your private static IPs, you can also expose those through the EIPs like I talked about on the previous slide, and you get a nice LAN infrastructure. So for those folks that were familiar with networking but haven't actually done stuff with it, this will give you some good hands-on knowledge in terms of setting that up. On the cons, the VPCs are obviously going to be more difficult to set up just because of all the infrastructure you may have to map. But like I said, the conclusions down at the bottom there: EC2 is a very good source for doing one-off testing. Like, say you want to test some security tool, you can just spin up some instance, load the tool up, test it and just toss it. Or if you want to test that tool against other, say, a web server, you would obviously have to do the same thing, but you do it in the VPC, so that you're not attacking other people, which isn't necessarily a good thing to do.

So, amazingly enough, by default creating the virtual private clouds is very easy. So here's some of the things that I talked about. All your settings are basically here: you have your subnets, your internet gateways, some DHCP stuff, the EIPs, and here's your security stuff, and then these are the VPN connections here. This is all the stuff for connecting into your corporate gateway, which you probably wouldn't use. But it's very easy, because you just literally press, hey, I'm going to create that, you fill out a few forms, and bam, you've got this whole infrastructure set up, and the only thing left to do is to go and spin up instances and then specify that you want those instances to be within that VPC. So whenever you push that button, this is what comes up. Now, this is the wizard, so this is the easy one, but you basically get three options. So the first one, you basically have your VPC, and by default each instance has private IPs and they also have public IPs, and so that didn't really fit for what I was looking for. The next two are sort of a combination of having a public subnet and a private subnet, and that may be useful for doing something in the future, but right now I just sort of wanted my own secluded network that I can interface with. The last one, just to get started, is probably the one that you want to go with. It basically looks like that picture there: you have your private subnet, and they say, oh, you only have hardware VPN access, but what you can actually do is just take this out, and then within your subnet, within your VPC, you can spin up, there's instances for OpenVPN, so you just spin up those, and now you can use any normal VPN client to get into your VPC.

So this is just after you go through that setup process; this is what it looks like in terms of all the different settings, nothing too exciting there. Just some examples of what the settings look like. So this is the subnet; for this particular subnet there's a route table, this is what that looks like; there's a network ACL, and then there's inbound and outbound. So the route table basically says, so you're in the 10-dot range, so any traffic, if it's heading to the 10-dot range, you're basically going to stay local. This is another way of saying the internet, so if you're going out to the internet, go to the internet gateway. And then these are basically your firewall rules here. So by default they sort of are pretty open there, so definitely I'm going to limit that, but that's not that big of a deal right now because you're on your own private subnet. But once you VPN in, then you may want to limit those, depending on what you choose to expose. It's very easy to add rules to. So this is the inbound and... oh yeah, that's, oh yes, this is what the ACL looks like. It's basically the same thing as a security group but it's stateless. So for the security groups it's really easy, because there's a drop-down here and you say, oh, I want to allow SSH inbound, and then it'll automatically fill this all out, and you specify the source, and then you can do the same thing for the outbound. It's really easy and it's a good way to get some hands-on activity with doing firewall-type stuff too.

So then the last thing is you go to your EC2 dashboard and you say launch instance. It comes up with this nice little wizard, you pick what you want; the key thing is that you specify that you want it to be within that VPC, and that's basically it. I could go through a little demo, I guess, if anybody's interested. I don't know, how much time do I have left?

Audience: You have about 15 minutes.

Grecs: Fifteen minutes? Well, I probably don't have enough time, but just to overview: quick intro, pros and cons, gave an overview of Amazon services, and just setup and

conclusion. The only reason why I ever put the slide there is because all the presentation gurus say, oh, you have to tell them what you're going to tell them, tell them, whatever. But so there's how to contact me, but I can take questions now. Anyway, yes sir.

Audience: So you mentioned using AMIs for some stuff. Could you talk a little bit about how you automate stuff, how you spin stuff up? Like, what if you need to customize something that there's not an AMI for? Do you use Chef or Puppet or anything? Like, what's your workflow? Because you mentioned that you'll shut everything down and then spin it all back up whenever you're ready to work. Yeah, I assume you're not doing that manually.

Grecs: Well, right now, like I said, this is sort of the initial research stage, and so I'm not using any of those tools yet. But yes.

Audience: How does Amazon feel about running, you know, malicious... hacking something? I forgot, what are the risks?

Grecs: So in my notes that didn't make it into the slide deck, I actually address this. But if you're going to do any sort of pen testing, they have this form that you have to fill out, and in most cases they're cool with it, but you just have to let them know so that if it pops up in their SOC they know, like, oh, that guy's doing pen testing. In terms of... I know a lot of people have looked at doing things like, hey, I'm going to use Nmap and scan the internet, and Amazon doesn't seem to like you doing stuff like that. But if it's small stuff that you're doing in your secluded environment... The other limitation that I talked about was that you don't have any desktop AMIs that you can spin up, and kind of like officially, policy-wise, you're not supposed to put them there; it's more of a licensing issue. But you can create your own and you can put it there. Officially you're probably not supposed to do that, but I've never heard of anyone getting caught and having it taken down. Yes, sir? Can you speak up, please? Yes. So the question was, sorry if I haven't been repeating the question, the question was: is there a cost difference if you just spin up an instance versus having that instance in a VPC? And so there is no additional cost if using the infrastructure that was shown in that one picture here. If you use their VPN here, there's usually a cost; that doesn't apply to us, so you're basically going to spin up your OpenVPN instance and so you wouldn't even have that cost. But yeah, there's no difference in terms of cost spinning up EC2 instances alone, or solo, versus having them in the VPC.

Audience: Yes, and actually maybe EC2, where I think now only new customers will get only VPC; they have the option for the traditional...

Grecs: Yeah, yeah, that's what I've noticed too. So right now, recently they have the classic and then they have the current one. So the classic is where you spin up an EC2 instance and it's just sitting in their cloud, it's really not connected to anything, and then running an instance in a VPC, that's sort of the new one. So yeah, I forgot to mention that, thanks for pointing that out.

Audience: Did they change... they used to, a couple months ago, not let you run the micro instance in the VPC. Did that change?

Grecs: Yeah. So you can use the... well, I guess the big question is, can you be on the free tier and use the VPC? And previously, theoretically you could, but you were very limited in what you could run. But they're slowly adding more and more stuff, so the free tier is kind of another cool option too, that you can test Amazon out for a year. Now, at the end of the year you could just create another account, I guess.

Audience: Yeah, that form that you have to sign for them to do... is there anything that's, like, absolutely off limits? And if something bad does happen and you end up taking down a bunch of their infrastructure because of something, you know, say some malware jumps out and takes down half the data center, are you liable for that kind of stuff, or is that even addressed?

Grecs: Well, so the question was, on the pen testing form that they make you fill out, are you liable if stuff goes really wrong? And I didn't really see much like that. It's sort of, you know, the worst they're going to do is, oh, we're going to take it all down. Obviously, I mean, someone else could, you know, like if you're scanning, they can come back and they can sue you. Any other questions? Good. Well, thanks. Thanks to BSides Las Vegas and all the volunteers that make this thing happen. Anyway, that's it, and I'll be around all through DEF CON, so if you see me and want to chat, just let me know. Thanks. [Applause]

Host: That's it for the morning session. There's a lunch break for an hour, and then the rest of the sessions will continue at 3:00... 3:30? 3:30. Yes, it's an hour and a half, that's changed. Okay, all right. You want a t-shirt or a towel? I've got plenty for you. [Music] T-shirt. I'm out of t-shirts, sorry.
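The talk twice describes a network ACL as "basically the same thing as a security group but it's stateless", and walks through a subnet's route table (10-dot stays local, everything else to the internet gateway). The practical consequence of "stateless" is the one thing a first VPC lab tends to get wrong: a NACL that mirrors the security group's inbound SSH rule still drops the SSH replies unless the outbound side also allows the client's ephemeral ports. The model below is an added illustration written for this page, not code from the talk and not AWS's implementation; the addresses (VPN clients in 10.0.0.0/24, lab hosts in 10.0.1.0/24), the rule numbers and the `igw-lab` target are all constructed for the example, and the classes are a toy of the evaluation order (longest-prefix route lookup, stateful allow-only security group, numbered first-match NACL with implicit deny), not the service's API.

```python
"""Toy model of the three VPC controls the talk walks through: the subnet
route table (longest-prefix match), a security group (stateful, allow rules
only) and a network ACL (stateless, numbered rules, first match wins, implicit
deny). Added illustration, not AWS code; all addresses, rule numbers and the
"igw-lab" target are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    proto: str = "tcp"


def route_lookup(routes, dst):
    """Pick the target for dst the way a VPC route table does: the most
    specific matching prefix wins, so 10.0.0.0/16 -> local beats 0.0.0.0/0."""
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # no matching route: the packet is dropped


def _match(rule_proto, rule_port, rule_cidr, proto, port, addr):
    return (rule_proto in (proto, "all") and rule_port in (port, "all")
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule_cidr))


@dataclass
class SecurityGroup:
    """Stateful: a packet is checked against the rules for its direction, and
    once a flow has been allowed its replies pass without any rule lookup."""
    inbound: list   # (proto, port, source_cidr)
    outbound: list  # (proto, port, dest_cidr)
    flows: set = field(default_factory=set)

    def allow(self, pkt, direction):
        # A reply to a tracked flow: the original five-tuple, reversed.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        if any(_match(p, pt, c, pkt.proto, pkt.dport, peer) for p, pt, c in rules):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False  # security groups have no deny rules; no match means drop


@dataclass
class NetworkAcl:
    """Stateless: each direction is evaluated on its own, rules are tried in
    rule-number order, the first match decides, and no match means deny."""
    inbound: list   # (rule_no, proto, port_from, port_to, cidr, "allow" | "deny")
    outbound: list

    def allow(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for _, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
            if (proto in (pkt.proto, "all") and lo <= pkt.dport <= hi
                    and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)):
                return action == "allow"
        return False  # the implicit final deny rule


# Constructed lab layout: VPN clients land in 10.0.0.0/24, lab hosts in 10.0.1.0/24.
ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-lab")]


def lab_security_group():
    """SSH in from the VPN client range only; outbound left open, as the default is."""
    return SecurityGroup(inbound=[("tcp", 22, "10.0.0.0/24")],
                         outbound=[("all", "all", "0.0.0.0/0")])


# A NACL that copies the security group literally ("the same thing but stateless").
NAIVE_ACL = NetworkAcl(inbound=[(100, "tcp", 22, 22, "10.0.0.0/24", "allow")],
                       outbound=[(100, "tcp", 22, 22, "10.0.0.0/24", "allow")])

# The version that works: the SSH reply leaves for the client's ephemeral port.
FIXED_ACL = NetworkAcl(inbound=[(100, "tcp", 22, 22, "10.0.0.0/24", "allow")],
                       outbound=[(100, "tcp", 1024, 65535, "10.0.0.0/24", "allow")])


def ssh_session_allowed(acl, sg=None):
    """Run one SSH request and its reply through the ACL and the security group
    in the order a subnet applies them. Returns (request_ok, reply_ok)."""
    if sg is None:
        sg = lab_security_group()
    req = Packet("10.0.0.50", "10.0.1.10", dport=22, sport=51234)
    rep = Packet("10.0.1.10", "10.0.0.50", dport=51234, sport=22)
    request_ok = acl.allow(req, "in") and sg.allow(req, "in")
    reply_ok = sg.allow(rep, "out") and acl.allow(rep, "out")
    return request_ok, reply_ok


if __name__ == "__main__":
    print("route for 10.0.1.10:", route_lookup(ROUTES, "10.0.1.10"))
    print("route for 8.8.8.8:", route_lookup(ROUTES, "8.8.8.8"))
    print("naive NACL (request, reply):", ssh_session_allowed(NAIVE_ACL))
    print("fixed NACL (request, reply):", ssh_session_allowed(FIXED_ACL))
```

With `NAIVE_ACL` the SSH request reaches the host but the reply is dropped by the outbound ACL, because the reply's destination port is the client's ephemeral port, not 22; the security group never has that problem because it tracks the flow. The same asymmetry is why the talk's "I'm going to limit that" step on the security group is cheap, while tightening the NACL needs a rule for the return direction in every case.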