This walkthrough demonstrates creating and setting up a penetration testing environment in the cloud; the series uses Google Cloud Platform (GCP). You do not need to notify Google about conducting penetration tests so long as your tests only affect your projects. To make sure we stay in the proper scope for our tests, we will set up a VPC network and subnet to work inside of and create a VPN we can connect to from our local machine.
Other cloud providers may need you to get permission before conducting tests, so make sure you check with the provider. For instance, AWS requires you to fill out a pen-testing form (https://aws.amazon.com/security/penetration-testing).
By the end of the walkthrough we will have:
- Set up a penetration testing project in GCP
- Created a VPC network
- Created firewall rules
- Created and connected to our VPN
Set up a pen-testing project in GCP
This will be the easiest step in this guide. Simply head over to your cloud console (https://console.cloud.google.com) and add a new project. The name doesn’t really matter so long as you remember what you named it.
Take a minute to get familiar with the console if you’ve not been here before. If you want to learn more about GCP, check out (https://linuxacademy.com/google-cloud-platform/courses).
Create a subnet
The next step is to create a VPC network for our newly created project. In the menu on the left, navigate down to:
NETWORKING -> VPC Networks
It may take a minute for Compute Engine to spin up.
Once inside, click the Create VPC Network button at the top and give it a name. For this guide we’ll call it “internal-testing”, then choose a custom subnet.
I’m going to call this subnet “internal-testing-subnet” and select a region close by; in my case “us-east1” will work just fine. I don’t plan to have a large number of machines on here, so I’m going to choose a smaller CIDR range of “10.0.0.0/28”, which will give us 16 IPs.
If you followed along with these values it should look something like this.
I turned Private Google Access and Flow Logs on, but they’re not required for this walkthrough. I’ll post links to these below, but in short:
Private Google Access – lets you reach the Google APIs without having an external IP address.
Flow Logs – record network flows sent from or received by our VM instances.
Creating firewall rules
Now that we have our subnet (internal-testing-subnet), let’s add some firewall rules. Navigate to:
NETWORKING -> VPC Network -> Firewall Rules
We’ll be creating two firewall rules: one to allow ingress traffic on our default VPN port 1194 and one for SSH on port 22. Both of these will be for our VPN instance.
Here are the values for the first rule:
Network: “internal-testing” (select your VPC name here)
Direction of traffic: “Ingress”
Action on match: “Allow”
Targets: “Specified target tags”
Target tags: “vpn”
Source filter: “IP ranges”
Source IP ranges: “0.0.0.0/0”
Protocols and ports: “Specified protocols and ports” – “udp:1194”
Our second rule will be the same, but with “tcp:22” as the port and the Target tag changed to “ssh”.
Creating a VPN instance
If you prefer to use GCP for a managed VPN solution, check out
Extend your Network to Google Cloud using Cloud VPN (https://www.cloudassessments.com/blog/extend-your-network-to-google-cloud-using-cloud-vpn/)
With network configuration out of the way for now, let us create our VPN instance in Compute Engine. Navigate to:
COMPUTE -> Compute engine -> VM instances -> Create
Give your VPN instance a name that is easy to identify, like “internal-testing-vpn”. For simplicity, pick a zone in the same region that the network was created in and use this zone for later instances.
I’m going with the “f1-micro” machine type for this VPN, which comes with a shared vCPU and 0.6 GB of memory. Leaving everything else at the defaults with Debian 9, click on the “Management, disks, networking, SSH keys” link to expand the advanced menu options.
In networking, we need to add the firewall tags “vpn” and “ssh”, making sure that we are putting this instance on the VPC network and subnet we created earlier. I’m also going to add a static external IP address. This section should look something like this:
We should also add our public SSH key so that we can securely retrieve our VPN credentials later on.
Setting up and connecting to VPN
Wait for the VPN instance to finish starting and be assigned an external IP, then let’s jump into the instance with an SSH session using the external IP provided.
For convenience we’re going to use a script for our OpenVPN configuration (https://github.com/Nyr/openvpn-install) by running:
sudo wget https://git.io/vpn -O openvpn-install.sh && sudo bash openvpn-install.sh
Make sure you read through the source before running any code on your internal network.
This script makes things really easy for us. Most of the defaults should be accurate, but we may need to provide the external IP if asked. Our firewall rule allows ingress on port 1194 over UDP, so make sure to leave those defaults unless you’ve changed them.
If everything went well you should see the message
“Your client configuration is available at: /root/client.ovpn”
Awesome! Let’s move that into our home directory with
sudo cp /root/client.ovpn ~
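The last thing to do now is get that “client.ovpn” file onto our local machine. From the local machine, replacing your_username and your_ip with your own SSH username and the instance’s external IP, run
scp your_username@your_ip:client.ovpn ~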
I removed my “ssh” network tag from the instance as I will not need to ssh into it anymore.
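To confirm what the firewall rules and network tags above actually expose, here is an added example (not part of the original walkthrough) that reads rule and instance data shaped like the JSON from `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json`. The rule names “allow-vpn” and “allow-ssh” and the sample data are constructed for illustration, and target service accounts are not modeled.

```python
import ipaddress
import json

# Constructed sample data using this walkthrough's network, tags and instance name.
# The rule names "allow-vpn" and "allow-ssh" are hypothetical.
FIREWALL_JSON = """[
 {"name": "allow-vpn", "network": "global/networks/internal-testing", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["vpn"],
  "allowed": [{"IPProtocol": "udp", "ports": ["1194"]}]},
 {"name": "allow-ssh", "network": "global/networks/internal-testing", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["ssh"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]"""
INSTANCES_JSON = """[
 {"name": "internal-testing-vpn", "tags": {"items": ["vpn", "ssh"]},
  "networkInterfaces": [{"network": "global/networks/internal-testing"}]}
]"""

def is_world_open(rule):
    """True for an enabled ingress allow rule whose source ranges include a /0."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled") or "allowed" not in rule:
        return False
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRanges", []))

def exposure(rules, instances):
    """Map instance name -> sorted 'proto:port' entries reachable from any address."""
    result = {}
    for inst in instances:
        tags = set(inst.get("tags", {}).get("items", []))
        nets = {nic["network"].rsplit("/", 1)[-1] for nic in inst.get("networkInterfaces", [])}
        open_ports = set()
        for rule in filter(is_world_open, rules):
            if rule["network"].rsplit("/", 1)[-1] not in nets:
                continue
            # A rule without target tags applies to every instance in its network.
            targets = set(rule.get("targetTags", []))
            if targets and not (targets & tags):
                continue
            for allow in rule["allowed"]:
                for port in allow.get("ports", ["all"]):
                    open_ports.add(f'{allow["IPProtocol"]}:{port}')
        result[inst["name"]] = sorted(open_ports)
    return result

if __name__ == "__main__":
    rules, instances = json.loads(FIREWALL_JSON), json.loads(INSTANCES_JSON)
    print("with ssh tag:   ", exposure(rules, instances))
    instances[0]["tags"]["items"].remove("ssh")  # the tag removal described above
    print("without ssh tag:", exposure(rules, instances))
```

The “allow-ssh” rule itself still exists after the tag is removed, so any instance later tagged “ssh” on this network becomes reachable on tcp:22 from any address again.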
That’s it for setting up our testing environment’s network. In the next part of the guide we’ll wrap up by adding a vulnerable application that we can start testing against.
Sources / Resources
GCP Courses (https://linuxacademy.com/google-cloud-platform/courses)
Private Google Access (https://cloud.google.com/vpc/docs/private-google-access)
Flow Logs (https://cloud.google.com/vpc/docs/using-flow-logs)