This project is a cost effective solution for launching a Security Operations Center (SOC) in AWS using Kali Linux and Purple Team tools.
It consists of two files:
- KaliPurple-VPC.yml - This file will configure the Virtual Private Cloud (VPC) with the necessary subnets and security groups.
- KaliPurple-NAT-EC2.yml - This file will configure the instances. You can select the ones that you need to lauch.
This is the diagram of the VPC. I reduced the number of subnets for simplicity by grouping all the VLANs into one. This reduced the number of required interfaces in the firewall from 5 to 3 and this allowed me to choose an instance type that was more cost effective. I know that the solution is not the ideal but it was a compromise that I had to make. Also, I didn't use the kali.purple domain name so all the references to the machines are done through their respective private ip addresses.
To install this project, you need to have an AWS account and access to CloudFormation service. You first have to create two IAM roles named 'KaliPurpleGuacamole' and 'KaliPurpleSSMFullAccess'. Using the 'AmazonSSMFullAccess' policy should be OK for a testing environment.
Launch the VPC stack using the KaliPurple-VPC.yml file. Write "vpc" in the stack name for simplicity. It will create all the necessary subnets and security groups. I used the N. Virginia region so all images belong to it. If you want to use a different region you need to use different images.
Once this stack is created, you need to create the instances using the KaliPurple-NAT-EC2.yml file. For simplicity use "ec2" as a name. You need to input the name of the VPC stack that was created previously.
The EC2 stack gives you the possibility of choosing the instances that you want to launch. This way you don't have to pay for services that you don't need. I used the Guacamole Bastion initially but there is no need for it once the firewall and its OpenVPN is configured unless there is a problem with one of the instances. I left the option of launching it if needed but it is not necessary for most cases. I also left the possibility of using an internet gateway for the instances in the SOC and LAN subnets to have access to the internet. Again, this option should not be necessary once the firewall is configured.
The instance types defaults are the minimum required for each to work. You can choose a bigger type if desired.
The setup is similar to that described in Kali-Purple SOC instructions, with some modifications made to avoid the use of VLANs. For simplicity, the domain name was not utilized.
Currently, the cloud configuration and firewall accept packets from all over the internet and in all of the internal connections, making it unsuitable for production situations but acceptable for proof of concept.
To use this project, you need to connect to the firewall instance using its public IP address and configure its OpenVPN service. You can then use the OpenVPN client on your machine to connect to the firewall. You can then access all the other instances in the SOC and LAN subnets using their private IP addresses through http. https, SSH or RDP protocols.
You need to enter into Elasticsearch and then install an Elastic-Agent of each of the other machines except for Kali-Pearly. Otherwise, data will not be ingested into Elasticsearch.
You can use Kali-Heliotrope as your attack platform on the kali-pearly instance. You can also upload other vulnerable machine AMIs. Once you are done, delete the stack.
Due to AWS restrictions, AIM images with product codes cannot be made public. Therefore, the official Kali AIM cannot be used as a base. Instead, a Debian AIM with the Kali repository added was used. Several methods exist for achieving this, but the method outlined in this article was chosen. When installing Kali packages, follow the syntax
sudo aptitude install -t <package-name>.
Some of the packages are not yet available or not well-configured in the default Kali repositories, so I had to install them from the original repositories. An example of this is the Elastic Stack. Only the minimum required packages were installed in each of the images.
These machines can be accessed within the Cloud Formation VPC, or they can be launched individually. If you wish to access them in the Cloud Formation VPC and have not yet configured OPNSense with OpenVPN, use a Bastion such as Guacamole since the machines are created in a private subnet. Simultaneously launching Guacamole is an option when launching the instances in CloudFormation.
To login to all EC2 instances, except for Bizantium, use the following credentials.
Username: kali
Password: kali2023
This machine is not part of the SOC, but it has been included to assist users with customizations. It does not have any Kali tools installed. This image can be found on AWS as 'ami-0dbd53121fa982e40'.
I decided not to publish a vulnerable machine as an AMI image in AWS, so the image that I included in the CloudFormation script is Kali-Basic. This is the simplest of the Kali-Purple machines, but the instructions provided to set up dvwa did not work for me. I had to go to the official repository to obtain it at https://github.com/digininja/DVWA. I used the following commands to set it up:
sudo apt update
sudo apt upgrade
sudo apt install -t kali-rolling apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php php8.2-mysql git
cd Downloads/
git clone https://github.com/digininja/DVWA.git
sudo mv DVWA/ /var/www/html/
cd /var/www/html/DVWA/
cp config/config.inc.php.dist config/config.inc.php
Database setup is also necessary:
sudo mysql
mysql> create database dvwa;
Query OK, 1 row affected (0.00 sec)
mysql> create user dvwa@localhost identified by 'p@ssw0rd';
Query OK, 0 rows affected (0.01 sec)
mysql> grant all on dvwa.* to dvwa@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Assuming you have Kali-Purple ready, use a desktop viewer and xrdp to connect to 192.168.1.20 (Kali-Purple's OpenVPN should take care of this). Once connected, open Heliotrope's browser and navigate to <kali-Pearly's IP address>/DVWA/login.php. Log in with the username 'admin' and the password 'password',
A Kali-Basic machine with XRDP and XFCE desktop installed and basic tools. This image can be found on AWS as 'ami-03d8d342a533f5c75'. Point a desktop viewer with the XRDP protocol to 192.168.1.20.
A Kali-Basic machine with Malcolm installed and running. This image can be found on AWS as 'ami-04563635f0999dc56'. To start Malcolm you need to input the following command.
./scripts/start
Now you can access the dashboard and other pages (Kali-Purple's OpenVPN should take care of this).
Point your browser to the following links:
https://192.168.253.103/dashboard
https://192.168.253.103/upload
https://192.168.253.103/netbox
https://192.168.253.103/cyberchef
https://192.168.253.103/readme
https://192.168.253.103/name-map-ui
https://192.168.253.103:8022/files
Rather than a machine image, in this case the most efficient way to share this machine is via it's configuration file . You need to edit the file and paste your ip address in the places were 'XXX.XXX.XXX.XXX' appear. Launch the default OPNsense image in the stack and upload the configuration file. The passwords for this configuation are the following.
**********************************************************************************************************
*** set initial ec2-user password to : PHbbdPhJjUfq4J43R8SLepe2JDWGGiXpDRJNzEocz7YVlXKMY5
*** !!! remember to change this immediately
*** openssh-key provided, set to ec2-user
*** set initial root password to : 6s89E3cPU9oE3uRHN59H4jEkQ7n6udvV8nGxpocXRKRyHNMwHo
*** remember to change this immediately
**********************************************************************************************************
I left the OpenVPN configuration, you need to change the hostname in the client export section to the ip address of the ec2 instance. I left the certificates, to help you see how I configured it. You might want to change this. The username and password for the OpenVPN are the following.
Username: kaliopenvpn
Password: bizantium
The Kali-Purple image is 'ami-0f0e440cf357443a4' and the Elasticsearch credentials are the following:
Username: elastic
Password: 9voOW_WV6AO3EifKz=uu
Point the browser to https://192.168.253.105:5601
The Kali-Violet image is 'ami-0ea952e3e2d36ebad'. The credentials are he following.
OpenCTI
Username: admin@opencti.io
Password: kalipurpleSOCCTI
OpenCTI Portainer
Username: admin
Password: kalipurpleSOCPortainer
GVM
Username: admin
Password: efa72ac9-95fe-496e-b110-e68baa757ea5
The links are:
-
The Byzantium machine needs 3 interfaces (LAN, WAN, and SOC). OpnSense may get them mixed up when it launches. Obtain the MAC address of the interfaces in the interfaces section of AWS and assign them to the appropriate subnet in the interfaces menu of OPNsense. If you can't access the login screen, relaunch the stack.
-
When the Byzantium machine is stopped, it may lose the public IP address assigned. You need to create an Elastic IP and assign it to the WAN interface to solve this issue.
-
Please note that this repository is still work in progress.
-
CloudFormation is an AWS service and cannot be used for provisioning infrastructure on other cloud platforms like Azure, Google Cloud, etc. For those platforms, you need to use Terraform instead. A tool to make this conversion is available on this page: https://discuss.hashicorp.com/t/tool-to-convert-cloudformation-to-terraform/46704. Keep in mind that the tool may require some tweaking to work properly.
-
Reference: https://gitlab.com/kalilinux/kali-purple/documentation/-/wikis/home
The cost of running this setup is approximately $6 per day, and I use the instances for 5 hours each day, stopping them when not in use.
The VPC stack in AWS is free, so you can leave it running indefinitely. However, keep in mind that AWS will charge for services in the EC2 stack, so be sure to delete it once you no longer needed to avoid unnecessary charges.
