kali-in-cloud-3

Offensive Security has long since been the go to choice for penetration testing Linux distributions (BackTrack, and Kali). Earlier this year they released an Amazon Machine Instance (AMI) for Kali Linux. The Kali AMI makes it trivial to deploy Kali Linux leveraging Amazon Web Services (AWS). This allows for a very flexible lab environment, or even an operational platform for penetration testing. In this blog post we will go through deploying Kali Linux in the cloud, configuring it to have all the desired packages/tools, and setting up VNC access through SSH tunneling for remote GUI access.

Deploying the Virtual Machine (VM):
First sign up for an Amazon AWS account here

Navigate to the Amazon Community AMI to accept terms and conditions: https://aws.amazon.com/marketplace/pp?sku=7w47z55mltsv9q1eaqrgmh5gr

SS-0

Then you can login to your Amazon AWS account and click on the EC2 option:

SS-1

Now click on “Instances” and then “Launch Instance” this will start the wizard and let you “Next, Next” to deploy your VM:

SS-2

Next click on “Community AMIs” and search “kali” to select the community AMI put out by Offensive Security. This is a bare bones instance, and we will have to choose which packages we want to install later:

SS-3

On the next tab you will choose your “Instance Type”, this corresponds to the Hardware resources (vCPUs, Memory, Storage, etc.) you’d like to have for your VM:

SS-4

Now you can skip over to step 4 to configure the desired amount of storage (default is 20GB):

SS-5

The last tab to configure is step 6 “Configure Security Group”. Here you will setup firewall rules to allow remote connections. You can setup SSH on default TCP/22 and lock it down by just your IP(s) to further lock down the access:

SS-6

Lastly, you can click “Review and Launch” and then “Launch”. At this point you will be prompted to setup an SSH key pair to access your VM. To increase security, AWS Linux VMs require public/private SSH keys to authenticate. Click “Create a new key pair” and setup a name and then download the key:

SS-7

Note that this will be the only time you will be able to download the private key. If you lose this private key you’ll need to go through the process again to deploy a new VM. Once downloaded change the permissions on the file to work with SSH:

SS-8

Once you downloaded the private key click “Launch Instances” to start your VM. You will be able to monitor its status under “Instances” tab:

SS-9

Now it is finally time to connect to your VM. Obtain your public IP address from the “Instances” tab, and fire up a terminal and SSH over to your VM:

SS-10

Installing Meta-packages:
Since you are now connected to a bare bones Kali instance you will want to install packages. You have several different meta-packages available which will change what tools get installed on the VM “apt-get update && apt-cache search kali-linux”:

SS-11

Choose the desired package and install it with apt-get (Ex: apt-get install kali-linux-full). This stage will take a while as its pulling down quite a bit of tools and dependencies.

VNC over SSH Tunneling: “Through SSH, all things are possible”:

A solution to obtain GUI access to your instance is through tunnelling VNC over SSH. This involves setting up a listener on your local box when you make an SSH connection to the system, and then pointing a VNC client through the listener/SSH tunnel and connect to a local listening service on the other end. If SSH tunnelling is a new concept you might find it confusing at first, but its actually quite simple and very helpful for bypassing access controls or adding a layer of security to a clear-text protocol.

Install a VNC client, one good option is TightVNC Viewer – Download here.

Install a desktop environment on the Kali VM:

SS-12

Now start the VNC server, you can specify the desired resolution at the command line using -geometry switch. If it’s the first time the server is started it will prompt for a password for the service:

SS-13

You might notice it started the listener as “:1” this means its listening on 5900 + 1 or 5901. You can have several different VNC servers listening for different users to have GUI access to the system at the same time. To properly shutdown Tightvncserver you can use “-kill” followed by the VNC ID number.

With the VNC server listening it is now time to setup the SSH tunnel to allow the VNC connection to connect through it. Below you can see a screen shot of the command leveraged to achieve the SSH tunnel:

SS-14_SSH_tunnel

-L 5901:localhost:5901 – This creates the listener on the localhost of 5901 and will allow any connections to localhost:5901 to be tunneled out through the SSH tunnel to port 5901 on the Kali instance.

-N says don’t execute any commands, this is used to just use SSH for port forwarding
-f this executes SSH in the background

With he SSH tunnel in place, you can now connect using TightVNC Viewer. The reason we weren’t able to leverage TightVNC Viewer for the SSH tunnel is due to the fact that it doesn’t support SSH public/private key authentication.

SS-15

Now you’ll be presented with a VNC window that allows you to have GUI interaction with your Kali instance in the cloud – Happy Hacking!:

SS-16