From the course: Python: Pen Testing AWS

Understanding the CloudGoat testing paradigm - Python Tutorial

Understanding the CloudGoat testing paradigm

- [Instructor] One of the best ways of learning is through doing, and learning how to pen test cloud deployments is no exception. Getting hands-on with tools and creating custom scripts that you can further develop and use when on an engagement is a great way to build your skills. To do this requires a set of cloud targets that you can use to try out the tools and scripts.

For traditional pen testing, we can manually deploy targets on our testing network. We can do the same with cloud, manually provisioning resources through the AWS Management Console and configuring them with vulnerabilities. An easier approach for traditional pen testing is to deploy a ready-to-go testing environment, such as the OWASP WebGoat, the Web Security Dojo, or Rapid7's Metasploitable. Similarly, we have a better way to test cloud than manually provisioning targets.

A good starter for learning about AWS cloud testing is to run the cloud flAWS challenge, which takes you through the use of the AWS command line interface to find a number of typical cloud configuration and operational flaws. This uses a fixed deployment of accessible cloud resources.

There's a more advanced capability available from the Rhino Security folks called CloudGoat. This is being actively supported and enhanced, and CloudGoat version two is now available. It's also supported by an AWS testing framework called Pacu. CloudGoat and Pacu are both Python applications which can be installed directly onto a Linux system, including the Windows Subsystem for Linux. CloudGoat uses Terraform automation to deploy a set of cloud resources automatically, and these can then be used as the target for testing with the Pacu framework. These resources can be provisioned and deprovisioned with simple one-line CloudGoat commands, with no requirement for any further cloud resource management.

CloudGoat is designed to work within the permitted AWS testing activities, and so can be used without any requirement for notification or approvals. The deployments are provided in the form of scenarios, each having a specific vulnerability in the deployed resources. The resources are deployed into an existing cloud account and are typically designed for exploitation to start at the point where you found some exposed AWS credentials. In addition, whitelisting is used to limit access to the CloudGoat deployment.

Rhino Security advises that the CloudGoat solution does not require much, if any, investment in cloud services. It should operate within the free tier or, for a charged account, should be limited to a few dollars a day.

The deployed scenarios are not just limited to testing through Pacu. They can also be used for testing manually by the AWS command line interface or by writing Python scripts using the AWS software development kit library, Boto3. Testing CloudGoat deployments is a great way to learn about the CLI commands and to get familiar with Boto3 coding.
