Exercise 27: Cloud Security Group and Network ACL Misconfiguration

Objective:

Understand how overly permissive security groups and network ACLs expose cloud resources to unauthorized access. Simulate an attack that exploits open ports or services and learn how to secure network controls with strict inbound and outbound rules.

---

Scenario:

An organization deploys an EC2 instance with security groups and network ACLs configured to allow excessive access, such as open SSH or database ports to the public internet. Attackers exploit these open network controls to gain unauthorized access to cloud resources. Your goal is to simulate this attack and recommend strategies for securing network configurations.

---

Lab Setup:

Prerequisites:

1. Access to a cloud platform:
   • AWS or Google Cloud.
2. Installed tools:
   • aws-cli (Installation Guide).
   • Nmap (Download).

---

Steps to Set Up the Lab:

1. Launch an EC2 Instance:
   • Navigate to AWS EC2 > Launch Instance.
   • Configure the instance:
     • AMI: Amazon Linux 2 or Ubuntu.
     • Instance Type: t2.micro.
     • Key Pair: Select or create a key pair for SSH access.
     • Security Group: Create a new security group with the following settings:
       • Inbound Rules:
         • Allow SSH (port 22) from 0.0.0.0/0.
         • Allow HTTP (port 80) from 0.0.0.0/0.
         • Allow MySQL (port 3306) from 0.0.0.0/0.
       • Outbound Rules:
         • Allow all traffic by default.
   • Launch the instance and note its public IP.
2. Modify the Network ACL:
   • Navigate to VPC > Network ACLs.
   • Create a new network ACL and associate it with the instance’s subnet.
   • Configure overly permissive rules:
     • Inbound Rules:
       • Allow all traffic from 0.0.0.0/0 (source IP).
     • Outbound Rules:
       • Allow all traffic to 0.0.0.0/0 (destination IP).
3. Install Vulnerable Services:
   • Connect to the instance using SSH:bashCopyEditssh -i <key-file>.pem ec2-user@<public-ip>
   • Install a web server (Apache) and database server (MySQL):bashCopyEditsudo yum install httpd mysql-server -y sudo systemctl start httpd sudo systemctl start mysqld
   • Create a test webpage:bashCopyEditecho "Test Webpage - Security Misconfiguration" | sudo tee /var/www/html/index.html

---

Exercise: Exploiting the Misconfigured Network Controls

Objective:

Simulate an attacker exploiting the open network controls to gain unauthorized access to the cloud resource.

1. Scan for Open Ports:
   • Use Nmap to enumerate open ports on the EC2 instance:bashCopyEditnmap -Pn -p 22,80,3306 <public-ip>
   • Verify that ports for SSH (22), HTTP (80), and MySQL (3306) are open.
2. Exploit Open Services:
   • Access the test webpage using a browser:vbnetCopyEdithttp://<public-ip>
   • Attempt to connect to the MySQL server using default credentials:bashCopyEditmysql -h <public-ip> -u root -p
     • If no password is set, log in to the database and enumerate tables.
3. Simulate Unauthorized SSH Access:
   • Attempt to brute-force SSH access using a tool like Hydra (optional):bashCopyEdithydra -l ec2-user -P /usr/share/wordlists/rockyou.txt ssh://<public-ip>
4. Analyze the Impact:
   • Show how an attacker can enumerate open ports, access services, and potentially exfiltrate data.

---

Tools Required:

1. AWS EC2: For deploying the instance.
2. Nmap: For port scanning and service enumeration.
3. aws-cli: For managing the cloud environment.
4. Hydra (optional): For brute-forcing SSH credentials.

---

Deliverables:

1. Exploit Report:
   • Evidence of open ports and services being accessed.
   • Logs or screenshots demonstrating unauthorized access to SSH, HTTP, or MySQL.
2. Recommendations for Securing Security Groups and Network ACLs:
   • Steps to harden inbound and outbound rules and monitor network activity.

---

Solution:

1. Identified Vulnerabilities:
   • Open Ports: SSH, HTTP, and MySQL ports were accessible to the public internet.
   • Overly Permissive Network ACLs: Allowed unrestricted inbound and outbound traffic.
   • No Access Monitoring: No alerts or logs were configured to detect unauthorized access.
2. Consequences:
   • Unauthorized Access: Attackers could access open ports and exploit vulnerable services.
   • Data Breach: Sensitive data in the database could be exfiltrated.
   • Service Disruption: Unauthorized access could lead to resource misuse or denial of service.
3. Prevention Techniques:
   • Harden Security Group Rules:
     • Restrict inbound access to specific IP ranges:jsonCopyEdit{ "Type": "SSH", "Protocol": "TCP", "PortRange": "22", "Source": "192.168.1.0/24" }
   • Configure Network ACLs:
     • Allow specific traffic only, such as:
       • Inbound:
         • Allow HTTP (port 80) from trusted IPs.
         • Allow SSH (port 22) from a specific management network.
       • Outbound:
         • Allow only required traffic for the instance’s operation.
   • Enable Monitoring and Alerts:
     • Use AWS CloudWatch or GuardDuty to monitor for suspicious network activity.
   • Regularly Audit Rules:
     • Use AWS Config to detect overly permissive rules and recommend remediation.
   • Limit Exposure:
     • Deploy bastion hosts for SSH access and restrict database access to the internal network.

---

Conclusion:

This exercise demonstrates how misconfigured security groups and network ACLs expose cloud resources to unauthorized access. By hardening network controls, monitoring activity, and following the principle of least privilege, organizations can mitigate these risks and protect their cloud environments.