README.md
+45-35
Original file line number
Diff line number
Diff line change
@@ -17,8 +17,6 @@ It consists of two files:
17
17
This is the diagram of the VPC. I reduced the number of subnets for simplicity by grouping all the VLANs into one. This reduced the number of required interfaces in the firewall from 5 to 3 and this allowed me to choose an instance type that was more cost effective. I know that the solution is not the ideal but it was a compromise that I had to make. Also, I didn't use the kali.purple domain name so all the references to the machines are done through their respective private ip addresses.
@@ -27,59 +25,37 @@ To install this project, you need to have an AWS account and access to CloudForm
27
25
Once this stack is created, you need to create the instances using the KaliPurple-NAT-EC2.yml file. For simplicity use "ec2" as a name. You need to input the name of the VPC stack that was created previously.
The EC2 stack gives you the possibility of choosing the instances that you want to launch. This way you don't have to pay for services that you don't need. I used the Guacamole Bastion initially but there is no need for it once the firewall and its OpenVPN is configured unless there is a problem with one of the instances. I left the option of launching it if needed but it is not necessary for most cases. I also left the possibility of using an internet gateway for the instances in the SOC and LAN subnets to have access to the internet. Again, this option should not be necessary once the firewall is configured.
The instance types defaults are the minimum required for each to work. You can choose a bigger type if desired.
40
34
41
35
## Configuration
42
36
43
-
To set up the SOC, I could not find any Kali Purple images in AWS without product codes, so I used a regular Debian image and manually installed only the required packages for each of the machines. Additionally, some of the packages are not yet available or not well configured int the Kali repositories so I had to go to the original repositories. One example of this is the Elastic Stack.
44
-
45
-
The cost of running this setup is approximately $6 per day, and I use the instances for 5 hours each day, stopping them when not in use.
There are no Kali Purple images in AWS without product codes, so I used a regular Debian image and manually installed only the required packages for each of the machines. Additionally, some of the packages are not yet available or not well configured int the Kali repositories so I had to go to the original repositories. One example of this is the Elastic Stack.
48
38
49
-
The VPC stack in AWS is free, so you can leave it running indefinitely. However, keep in mind that AWS will charge for services in the EC2 stack, so be sure to it once you no longer needed to avoid unnecessary charges.
50
-
51
-
Note that the SOC setup process is lengthy and nuanced, as the instructions in the Kali-Purple documentation are not very clear, resulting in lots of trial and error. However, it is possible to set up the same configuration as in the Kali-Purple instructions for all machines except Bizantium, which requires some tweaking to avoid using VLANs. I also omitted the use of a domain name for simplicity.
52
-
53
-
Currently, the cloud configuration and firewall accept packets from all over the internet and in all of the internal connections, making it unsuitable for production situations but acceptable for proof of concept. To make it as close to production as possible, I will be hardening the AWS security groups, routing tables, NACs, and firewall rules.
54
-
55
-
In the future, I will be publishing a tutorial to help others replicate this setup, starting with the firewall setup, which is necessary for the rest of the instances unless an internet gateway is used.
56
-
57
-
Lastly, I have not yet attempted an attack the vulnerable Kali-Pearly machine. As soon as I do, I will publish some screenshots of the SOC.
39
+
The setup is similar to that described in Kali-Purple SOC instructions, with some modifications made to avoid the use of VLANs. For simplicity, the domain name was not utilized.
58
40
41
+
Currently, the cloud configuration and firewall accept packets from all over the internet and in all of the internal connections, making it unsuitable for production situations but acceptable for proof of concept.
59
42
60
43
## Usage
61
44
62
-
To use this project, you need to connect to the firewall instance using its public IP address and configure its OpenVPN service. You can then download and install the OpenVPN client on your machine and connect to the firewall using its private IP address.
63
-
64
-
You can then access all the other instances in the SOC and LAN subnets using their private IP addresses through SSH or RDP protocols.
65
-
66
-
You can use Kali Linux as your attack platform on the kali-pearly instance and run various tools such as Nmap, Metasploit, Burp Suite, etc. You can also upload other vulnerable machine AMIs to perform attacks. Once the simulated attack is complete, you can delete the stack and pay only for the time used.
67
-
68
-
Please note that this repository is still work in progress.
45
+
To use this project, you need to connect to the firewall instance using its public IP address and configure its OpenVPN service. You can then use the OpenVPN client on your machine to connect to the firewall. You can then access all the other instances in the SOC and LAN subnets using their private IP addresses through SSH or RDP protocols.
CloudFormation is an AWS service and cannot be used for provisioning infrastructure on other cloud platforms like Azure, Google Cloud, etc. For those platforms, you need to use Terraform instead. A tool to make this conversion is available on this page: https://discuss.hashicorp.com/t/tool-to-convert-cloudformation-to-terraform/46704. Keep in mind that the tool may require some tweaking to work properly.
47
+
You need to enter into Elasticsearch and then install an Elastic-Agent of each of the other machines except for Kali-Pearly. Otherwise, data will not be ingested into Elasticsearch.
48
+
49
+
You can use Kali-Heliotrope as your attack platform on the kali-pearly instance. You can also upload other vulnerable machine AMIs. Once you are done, delete the stack.
73
50
74
51
## AIM Images
75
-
Due to AWS restrictions, AIM images with product codes cannot be made public. Therefore, the official Kali AIM cannot be used as a base. Instead, a Debian AIM with the Kali repository added was used. Several methods exist for achieving this, but the method outlined in this article was chosen https://miloserdov.org/?p=3609&PageSpeed=noscript. When installing Kali packages, follow the syntax
52
+
Due to AWS restrictions, AIM images with product codes cannot be made public. Therefore, the official Kali AIM cannot be used as a base. Instead, a Debian AIM with the Kali repository added was used. Several methods exist for achieving this, but the method outlined in [this](https://miloserdov.org/?p=3609&PageSpeed=noscript) article was chosen. When installing Kali packages, follow the syntax
76
53
```
77
54
sudo aptitude install -t <package-name>.
78
55
```
56
+
These machines can be accessed within the Cloud Formation VPC, or they can be launched individually. If you wish to access them in the Cloud Formation VPC and have not yet configured OPNSense with OpenVPN, use a Bastion such as Guacamole since the machines are created in a private subnet. Simultaneously launching Guacamole is an option when launching the instances in CloudFormation.
79
57
80
-
These machines can be accessed within the Cloud Formation VPC, or they can be launched individually. If you wish to access them in the Cloud Formation VPC and have not yet configured OPNSense with OpenVPN, use a Bastion such as Guacamole since the machines are created in a private subnet. Simultaneously launching Guacamole is an option when launching the instances in CloudFormation.The Elastic-Agent is not installed on the images. Install the agent once you have Kali-Purple running.
81
-
82
-
To login use the following credentials.
58
+
To login to all EC2 instances, except for Bizantium, use the following credentials.
83
59
```
84
60
Username: kali
85
61
Password: kali2023
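Review bot: the credentials introduced in this hunk (the `kali` / `kali2023` login for every instance except Bizantium, and the `elastic` account further down) are static secrets baked into publicly shared AMIs, while the same hunk states that the cloud configuration and firewall currently accept packets from all over the internet. Everyone who launches these images gets identical passwords, so the README should make changing them on first login a required step, and for the OPNsense/OpenVPN instance, which is reached on its public IP, a step to perform before exposing it. Smaller points in the same hunk: `aptitude install -t` expects a target release argument before the package, so `sudo aptitude install -t <package-name>.` would consume the package name as the release (the release the Kali repository uses, typically `kali-rolling`, belongs after `-t`, followed by the package), and the trailing period is not part of the command; the heading and text say "AIM" where "AMI" (Amazon Machine Image) is meant; "install an Elastic-Agent of each of the other machines" should read "on each"; "int the Kali repositories" is a typo carried over from the removed line; the firewall is spelled both "Bizantium" and "Byzantium" within the file; and the rewritten "Currently, the cloud configuration and firewall accept packets ..." paragraph dropped the removed line's sentence about hardening the security groups, routing tables, network ACLs and firewall rules, which is worth keeping as the stated mitigation for that open-to-the-world state.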
@@ -164,13 +140,47 @@ Username: elastic
164
140
Password: 9voOW_WV6AO3EifKz=uu
165
141
```
166
142
167
-
### The remaining images will be available soon.
143
+
### Kali Violet
144
+
The Kali-Violet image is 'ami-0ea952e3e2d36ebad'. The credentials are he following.
145
+
146
+
OpenCTI
147
+
```
148
+
Username: admin@opencti.io
149
+
Password: kalipurpleSOCCTI
150
+
```
151
+
OpenCTI Portainer
152
+
```
153
+
Username: admin
154
+
Password: kalipurpleSOCPortainer
155
+
```
156
+
GVM
157
+
```
158
+
Username: admin
159
+
Password: efa72ac9-95fe-496e-b110-e68baa757ea5
160
+
```
168
161
169
162
## Tips
170
163
- The Byzantium machine needs 3 interfaces (LAN, WAN, and SOC). OpnSense may get them mixed up when it launches. Obtain the MAC address of the interfaces in the interfaces section of AWS and assign them to the appropriate subnet in the interfaces menu of OPNsense. If you can't access the login screen, relaunch the stack.
171
164
172
165
- When the Byzantium machine is stopped, it may lose the public IP address assigned. You need to create an Elastic IP and assign it to the WAN interface to solve this issue.
173
166
167
+
## Notes
168
+
169
+
- Please note that this repository is still work in progress.
170
+
171
+
- CloudFormation is an AWS service and cannot be used for provisioning infrastructure on other cloud platforms like Azure, Google Cloud, etc. For those platforms, you need to use Terraform instead. A tool to make this conversion is available on this page: https://discuss.hashicorp.com/t/tool-to-convert-cloudformation-to-terraform/46704. Keep in mind that the tool may require some tweaking to work properly.
The VPC stack in AWS is free, so you can leave it running indefinitely. However, keep in mind that AWS will charge for services in the EC2 stack, so be sure to delete it once you no longer needed to avoid unnecessary charges.
182
+
183
+
174
184
## Screenshots
175
185
176
186
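Review bot: the new Kali Violet section publishes admin passwords for OpenCTI, Portainer and GVM that ship inside the public AMI `ami-0ea952e3e2d36ebad`; the Portainer admin account in particular controls the Docker daemon on that host, so a "rotate these on first boot" instruction belongs directly beside the credential blocks rather than being left implicit. Wording fixes in the same hunk: "The credentials are he following" is missing a letter in "the"; "be sure to delete it once you no longer needed" should read "once you no longer need it"; and the Notes bullets are separated by blank `+` lines while the Tips bullets directly above are not, so adjacent lists render with different spacing.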
