Hands-On AWS Penetration Testing with Kali Linux

Gilbert, Karl, Caudill, Benjamin

商品描述

Key Features

  • Efficiently perform penetration testing techniques on your public cloud instances
  • Learn not only to cover loopholes but also to automate security monitoring and alerting within your cloud-based deployment pipelines
  • A step-by-step guide that will help you leverage the most widely used security platform to secure your AWS Cloud environment

Book Description

The cloud is taking over the IT industry. Any organization housing a large amount of data or a large infrastructure has started moving cloud-ward ― and AWS rules the roost when it comes to cloud service providers, with its closest competitor having less than half of its market share. This highlights the importance of security on the cloud, especially on AWS. While a lot has been said (and written) about how cloud environments can be secured, performing external security assessments in the form of pentests on AWS is still seen as a dark art.

This book aims to help pentesters as well as seasoned system administrators with a hands-on approach to pentesting the various cloud services provided by Amazon through AWS using Kali Linux. To make things easier for novice pentesters, the book focuses on building a practice lab and refining penetration testing with Kali Linux on the cloud. This is helpful not only for beginners but also for pentesters who want to set up a pentesting environment in their private cloud, using Kali Linux to perform a white-box assessment of their own cloud resources. Besides this, there is a lot of in-depth coverage of the large variety of AWS services that are often overlooked during a pentest ― from serverless infrastructure to automated deployment pipelines.

By the end of this book, you will be able to identify possible vulnerable areas efficiently and secure your AWS cloud environment.

What you will learn

  • Familiarize yourself with and pentest the most common external-facing AWS services
  • Audit your own infrastructure and identify flaws, weaknesses, and loopholes
  • Demonstrate the process of lateral and vertical movement through a partially compromised AWS account
  • Maintain stealth and persistence within a compromised AWS account
  • Master a hands-on approach to pentesting
  • Discover a number of automated tools to ease the process of continuously assessing and improving the security stance of an AWS infrastructure

Who this book is for

If you are a security analyst or a penetration tester and are interested in exploiting Cloud environments to reveal vulnerable areas and secure them, then this book is for you.

A basic understanding of penetration testing, cloud computing, and its security concepts is mandatory.

商品描述(中文翻譯)

主要特點


  • 有效地在公有雲實例上進行滲透測試技術

  • 學習不僅要覆蓋漏洞,還要在基於雲的部署流程中自動化安全監控和警報

  • 一個逐步指南,將幫助您利用最廣泛使用的安全平台來保護您的AWS雲環境

書籍描述

雲正在接管IT行業。任何擁有大量數據或大型基礎設施的組織都開始向雲端遷移 - AWS在雲服務提供商中佔據主導地位,其最接近的競爭對手市場份額不到其一半。這凸顯了在雲上的安全性的重要性,特別是在AWS上。雖然關於如何保護雲環境已經有很多言論(和著作),但在AWS上進行外部安全評估(以pentest形式)仍然被視為一門黑暗的藝術。

本書旨在通過使用Kali Linux在AWS上進行測試,幫助pentester和經驗豐富的系統管理員進行實踐。為了讓新手pentester更容易上手,本書專注於構建實踐實驗室並在雲上改進使用Kali Linux進行滲透測試。這不僅對初學者有幫助,也對希望在私有雲中建立滲透測試環境並使用Kali Linux對自己的雲資源進行白盒評估的pentester有幫助。此外,本書還深入介紹了在pentest中經常被忽視的各種AWS服務 - 從無服務基礎設施到自動化部署流程。

通過閱讀本書,您將能夠高效地識別可能的弱點區域並保護您的AWS雲環境。

您將學到什麼


  • 熟悉並測試最常見的面向外部的AWS服務

  • 審核自己的基礎設施並識別缺陷、弱點和漏洞

  • 展示通過部分受損的AWS帳戶進行橫向和縱向移動的過程

  • 在受損的AWS帳戶中保持隱蔽和持久性

  • 掌握實踐滲透測試的方法

  • 發現一些自動化工具,以便持續評估和改進AWS基礎設施的安全狀態

本書適合對象

如果您是安全分析師或滲透測試人員,並且有興趣利用雲環境揭示弱點區域並加以保護,那麼本書適合您。

必須具備滲透測試、雲計算及其安全概念的基本理解。

目錄大綱

Table of Contents

  1. Setting Up a Pentesting Lab on AWS
  2. Setting Up a Kali PentestBox on the Cloud
  3. Exploitation on the Cloud using Kali Linux
  4. Setting Up Your First EC2 Instances
  5. Penetration Testing of EC2 Instances using Kali Linux
  6. Elastic Block Stores and Snapshots - Retrieving Deleted Data
  7. Reconnaissance - Identifying Vulnerable S3 Buckets
  8. Exploiting Permissive S3 Buckets for Fun and Profit
  9. Identity Access Management on AWS
  10. Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3, and Pacu
  11. Using Boto3 and Pacu to Maintain AWS Persistence
  12. Security and Pentesting of AWS Lambda
  13. Pentesting and Securing AWS RDS
  14. Targeting Other Services
  15. Pentesting CloudTrail
  16. GuardDuty
  17. Using Scout Suite for AWS Security Auditing
  18. Using Pacu for AWS Pentesting
  19. Putting it All Together - Real - World AWS Pentesting

目錄大綱(中文翻譯)

目錄


  1. 在 AWS 上建立測試實驗室

  2. 在雲端上建立 Kali PentestBox

  3. 使用 Kali Linux 在雲端進行攻擊

  4. 設置您的第一個 EC2 實例

  5. 使用 Kali Linux 進行 EC2 實例的滲透測試

  6. 彈性區塊儲存和快照 - 恢復已刪除的資料

  7. 偵查 - 辨識有漏洞的 S3 存儲桶

  8. 利用寬鬆的 S3 存儲桶進行攻擊

  9. AWS 的身份訪問管理

  10. 使用被竊金鑰、Boto3 和 Pacu 進行 AWS 帳戶的特權升級

  11. 使用 Boto3 和 Pacu 維持 AWS 的持久性

  12. AWS Lambda 的安全性和測試

  13. AWS RDS 的測試和安全性

  14. 針對其他服務進行攻擊

  15. CloudTrail 的測試

  16. GuardDuty

  17. 使用 Scout Suite 進行 AWS 安全審計

  18. 使用 Pacu 進行 AWS 測試

  19. 將所有內容結合 - 實際的 AWS 測試