DURATION: 2 hours
CPE POINTS: On completion you get a certificate granting you 2 CPE points.
Course launch date: September 25th 2020
This course is geared towards imparting practical AWS pentesting knowledge and skills to anyone interested in cloud security. Cloud computing has reached something of an acme in its evolution, since an increasing number of companies and individuals are moving to cloud-based infrastructure, and establishing security has therefore become a concern of prime importance. This course takes a novel approach, providing documented walkthroughs and analyses of vulnerable, close-to-real-world scenarios dubbed “Quests” using the cloud pentesting framework HazProne, built exclusively for the course. This gives a better insight into the different types of vulnerabilities and the ways they can be exploited.
Course benefits:
What skills will you gain?
On successful completion of the course, students will have learned about:
- AWS Identity Access Management (IAM) Console
- The functionalities, commands, and methods of implementation of the awscli tool
- The HazProne Cloud Pentesting Framework
- Methods to identify and exploit vulnerabilities in Cloud Infrastructure.
What will you learn?
On successful completion of the course, students will be able to:
- Set up an AWS Account and create an IAM Account with Administrator Privileges.
- Implement the awscli tool to identify and exploit vulnerabilities in Cloud Infrastructure.
- Identify vulnerabilities in misconfigured AWS resources such as DynamoDB and S3 buckets and exploit the same.
- Identify a flavor of Privilege Escalation Vulnerability and exploit the same.
- Identify and exploit vulnerabilities on a public facing EC2 Instance to gain Admin privileges and potentially do anything you want.
Course general information:
Course format:
- Self-paced
- Pre-recorded
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What will you need?
Minimum Hardware Requirements:
- 2GB RAM
- 1GB to 2GB Free Space on Device
Recommended Hardware Requirements:
- 4GB RAM
- 5GB Free space on Device
Minimum Software Requirements:
- Linux (Ubuntu, Kali, etc.), macOS, or Windows 10 (not possible on Windows 7 or 8)
- Python3
- Terraform
What should you know before you join?
No prerequisites are required for the course, though basic knowledge of EC2 instances, S3 buckets, IAM users and Linux commands would definitely aid faster understanding.
YOUR INSTRUCTOR:
Staford Titus is a budding Ethical Hacker and Full Stack Web Developer with immense interest in the cybersecurity field. His interests are focused on penetration testing, reverse engineering and automotive hacking. He has skills in Python, Node.js, Linux, web development, Terraform, Docker, and ethical hacking. He is a Teaching Assistant at Cybrary, built the Cloud Pentesting Framework HazProne, and has written articles on cybersecurity that have been published in PenTest Mag, Hakin9 and Cyber Defense Magazine. For more information or help, reach me on LinkedIn: https://www.linkedin.com/in/staford-titus-643638147/.
COURSE SYLLABUS
Lesson 1: Introduction to Cloud Security and AWS
This lesson introduces cloud security by providing the information required to understand cloud computing and security in terms of the cloud. It also introduces the learner to Amazon Web Services (a cloud service provider), the AWS Console, EC2 instances, and S3 buckets.
Lesson 1 covered topics:
- Cloud Security
- Amazon Web Services
- AWS EC2 Instances
- AWS S3 Buckets
Lesson 2: Setting Up
This lesson revolves around setting up an AWS free-tier account and then creating an IAM (Identity Access Management) User Account with Administrator Privileges. It also includes the installation of the awscli tool and HazProne Framework along with basic awscli commands and an additional Ubuntu Terminal setup for Windows 10 users.
Lesson 2 covered topics:
- Setting up an AWS Free-tier account
- Creating an IAM User Account with Administrator Privileges
- Installation of HazProne
- Installation and usage of the awscli tool
- Additional Installation of Ubuntu on Windows 10 using WSL
Lesson 3: HazProne Quest Walkthrough – 1: q1-openworld
This lesson provides a documented walkthrough of the q1-openworld quest of the HazProne platform. It includes steps to identify vulnerabilities and exploitation techniques.
Lesson 3 covered topics:
- Identify vulnerabilities in misconfigured AWS resources such as DynamoDB and S3 buckets and exploit the same.
Lesson 3 exercises:
- Identify and exploit the method to log into the q1-openworld quest’s EC2 instance from the webpage!
- Once logged into the EC2 instance, find the secret_file.txt containing the base64-encoded flag to complete Exercise 1.
Lesson 4: HazProne Quest Walkthrough – 2: q2-up
This lesson provides a documented walkthrough of the q2-up quest of the HazProne platform. It includes steps to identify vulnerabilities and exploitation techniques.
Lesson 4 covered topics:
- Identify a flavor of Privilege Escalation Vulnerability and exploit the same.
Lesson 5: HazProne Quest Walkthrough – 3: q3-infiltrate
This lesson provides a documented walkthrough of the q3-infiltrate quest of the HazProne platform. It includes steps to identify vulnerabilities and exploitation techniques.
Lesson 5 covered topics:
- Identify and exploit vulnerabilities on a public facing EC2 Instance to gain Admin privileges and potentially do anything you want.
Lesson 5 exercises:
- Once logged into the secret server in q3-infiltrate, find the secrets.txt file and decode the base64-encoded flag to complete this exercise!
Lesson 6: Conclusion and summary
This lesson summarizes the points in all the previous lessons to provide a shortlist of takeaways that would help prepare for the final exam.
Lesson 6 covered topics:
- Important points from all the covered topics are revised
Final exam
The final exam will consist of 10 questions in total. Nine will be multiple-choice questions from any of the covered topics, and the last will be a one-word/one-phrase answer based on the findings from any of the discussed HazProne Quests or from a Quest built specifically for the exam, to be updated on the day the course is released. The final exam will be 30 minutes in total: learners will have one minute per multiple-choice question and twenty-one minutes for the Quest-based question.
Error Code returned by Terraform. Please try again!!
Before Terraform ver. 0.14 you could have undoubtedly leaked any secret as being a part of an output value. This usually happens in a CI/CD pipeline. These days Terraform will throw the error mentioned by Spiritualman. To solve the issue you may add this line: “sensitive = true” without quotes.
So for example:
    # Marking the output as sensitive keeps the password out of plan/apply logs and CI output.
    output "cloudflare_access_secret" {
      value     = azuread_application_password.cloudflare_access.value
      sensitive = true
    }
Very nicely designed course, thanks.
I really enjoyed this course. It takes more than 3 to 4 days to complete.
Not happy
I am getting “HAZPRONE :: Error Code returned by Terraform. Please try again!!” and “HAZPRONE :: Deleting Quest Folder!!” from the hazpone.py installing the first exercise and I can’t get help!!!!!!!
This has been so much fun!
Highly recommended. I enjoyed it a lot. Thank you for providing this course!