For real Red Team Operation we need a complex cloud Infrastructure, in real world the Teamserver machine can have various roles or tier, but this is beyond the scope of this article, for more information you can watch the video of Raphael Mudge @armitagehacker at https://www.youtube.com/watch?v=3gBJOJb8Oi0.
In this three videos we’ll try to build a simple EC2 machine with installed Armitage Teamserver and CobaltStrike teamserver which we will use as needed.
In real world scenarios the EC2 platform is a very clever choice for its scalability, for its bandwidth, because is on-demand and with reasonable costs. We must also consider that the real attackers will use a solution like this, so if we want to emulate the behavior of an attacker we will, in our turn, use cloud platforms. Even the functionality of teamserver usable thanks to the cloud from anywhere, are a convenience for the whole team.
The first step is to create an account on http://aws.amazon.com
This is not an article for script kiddies, we will use one of our real e-mail address and our real credit card number. (If you already have, you can use your Amazon Ec2 account)
We can choose from any VM linux, but for our job I would choose a Kali VM .
After create the new account (or after log in with your existing account) click on AWS services and click on EC2
Now choose instances and Launch instance
If you want to create a Kali Machine, you can’t choose quick start, you must choose AWS Marketplace
and write “kali” in the search field.
Click on select
Now we can choose the machine type, if you want to take advantage of a free tier machine, you must select t2.micro machine, choose the machine and then click Review and Launch, now we can create a new security group, and ssh is the default opened port, but for red teaming operation we need more ports to be opened, if you’d like,you could open all ports (All traffic – all protocol – all port range – all source, not reccomended in production environment ) or only few ports (for example http80, https443, dns53 and TCP 55553 for Armitage Deconfliction Server), for demo purpose we open “any-any-any-permit”
now click on Review and Launch (and the launch, if necessary), at this point,if you already have a key pair,you can just use it,otherwise you can create a new one (it’s very important to save and backup your key pair, if you loose the key, you can’t log on again on your instance)
flag the acknowledgement and then click launch instance
if you click on the instance id you can view your instance list and you can manage y our instance
If you want you can get a new name for your instance or edit the zone where put your instance, for this demo, this details can’t be relevant.
Before installing CobaltStrike you can log on your kali machine with any ssh client, if you are using windows you can download putty.
If your ssh client use .ppk key, you need to convert the .pem certificate, you can follow the official AWS guide at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
The hostname is something like that : email@example.com where 00-00-00-00 is your real IP. Now you can update and upgrade you linux box with :
sudo apt-get update && sudo apt-get upgrade
For today is all.