Kali Linux on EC2 in AWS for Pen Testing (Part 2)

Installing Kali Linux on EC2 in AWS for Pen Testing

TL;DR: In part one a Kali Linux instance was created in AWS. What follows is a step-by-step guide to getting remote desktop working with Apache Guacamole™ so that the Kali Linux graphical tools can be used.

Part 2

Configure SSH for password access

We will be logging in to the system over RDP or SSH with a username and password, which means enabling password login in /etc/ssh/sshd_config. Edit the file and change PasswordAuthentication no to PasswordAuthentication yes.

┌──(kali㉿kali)-[~]
└─$ sudo vi /etc/ssh/sshd_config

Then restart ssh.

┌──(kali㉿kali)-[~]
└─$ sudo service ssh restart
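
One way to confirm the change took effect, as an added example that is not part of the original article: sshd keeps the first value it reads for a keyword, so a drop-in file under /etc/ssh/sshd_config.d/ can override the edit made above. The function names are hypothetical, and the presence of an Include line and drop-in files on your image is an assumption.

```bash
#!/usr/bin/env bash
# Added example. Functions only: nothing changes until you call them.

# Print "<file>: <value>" for the first active PasswordAuthentication line
# found in the files given, in order. sshd keeps the first value it reads for
# a keyword, so list the files in the order sshd reads them. Lines after a
# "Match" keyword are conditional and are skipped. Prints "unset" if no
# active line is found.
first_password_auth() {
    awk '
        FNR == 1               { in_match = 0 }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "passwordauthentication" {
            print FILENAME ": " tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$@"
}

# Syntax-check the configuration before restarting, so a typo does not take
# down the only way into a remote instance, then show the effective value.
check_and_restart_ssh() {
    sudo sshd -t || { echo "sshd_config has errors; not restarting" >&2; return 1; }
    sudo service ssh restart
    sudo sshd -T | grep -i '^passwordauthentication'
}

# Usage on the instance (drop-ins first, assuming sshd_config begins with
# an Include of /etc/ssh/sshd_config.d/*.conf):
#   first_password_auth /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
#   check_and_restart_ssh
```

If the first function names a drop-in file with the value no, change it there rather than in the main file.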

Add another firewall (optional)

Out of an abundance of caution, the authors of the book Hands-On AWS Penetration Testing with Kali Linux recommend adding a firewall using the command sudo apt-get install ufw fail2ban, and then adding rules that only allow SSH and RDP over particular ports to your Kali Linux distribution to protect the instance. But this is AWS and it has security groups, which are a firewall in all but name, so they can be used to more effectively restrict access to the instance to specific IP addresses or by policies to specific IAM users. You might find that extra step redundant.

Install a window manager

Our RDP server still needs a desktop to send via RDP. Curiously, I did this installation twice and am sure I did not need to do this the first time! Anyway, if Kali will only load a terminal even when you expect it to load a graphical desktop, check you have a working xorg window manager!

┌──(kali㉿kali)-[~]
└─$ sudo apt install kali-desktop-xfce xserver-xorg-input-all xserver-xorg-video-all

Installing Apache Guacamole 1.5.0 dependencies

Installing Apache Guacamole for Kali Linux is relatively simple, although there are a few dependencies which look daunting at first. Apache Guacamole requires Apache Tomcat (a Java-based enterprise web services platform) and comprises guacamole-client, the web application which serves the Guacamole client to users, and guacamole-server, a remote desktop and SSH proxy. You have to build guacamole-server from source, and install the other dependencies first. You don't need to build guacamole-client; it just needs to be deployed in Apache Tomcat.

Dependencies

On review of the dependencies, the command required to install all the items needed for RDP and SSH is sudo apt-get install build-essential htop libcairo2-dev libjpeg-dev libpng-dev libossp-uuid-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libpulse-dev libssl-dev libvorbis-dev tomcat9 xrdp.

This installs the compiler and related tools needed to build the software, the Apache Tomcat Java-based enterprise web services platform, the required dependencies for Apache Guacamole, and the optional dependencies required to support RDP and SSH and RDP over X. You'll need to complete this successfully in order to build and commission Apache Guacamole. It takes quite a time and there's lots of output. Be sure to review the output to ensure you have succeeded before continuing.

Edit the value of allowed_users in the configuration file using sudo vi /etc/X11/Xwrapper.config and set it to anybody, like this: allowed_users=anybody. If you were paying attention during the installation you would have seen a warning that xrdp was disabled, and we installed Apache Tomcat. Run the following commands to enable them and set them to start automatically.

┌──(kali㉿kali)-[~]
└─$ sudo update-rc.d xrdp enable
sudo systemctl enable xrdp-sesman.service
sudo service xrdp start
sudo service xrdp-sesman start
sudo systemctl enable tomcat9

Now we can download Apache Guacamole and build the server. You can test your installation so far by pointing a browser at the public IP address of your AWS instance and checking that the Apache Tomcat default page loads. Don't forget the port, and that we are just using http, so the link will be something like http://xxx.xxx.xxx.xxx:8080. Remember we are using security groups in AWS to restrict access, so you need to make sure traffic is passing through for the web port like you have for SSH.

AWS EC2 Security Group

The inbound rule for SSH was set up when we installed the instance. To add and apply another rule the instance must be stopped. My rules restrict access to the instance to my current IP address, which is fixed. You can see I added a custom TCP rule opening port 8080 to my IP. This is pretty secure and is why it may not be necessary to have an additional firewall. YMMV.

Screenshot of AWS EC2 Security Group for Apache Tomcat and SSH access to my ip only

Apache Tomcat

You may think it is overkill to get the Tomcat default page working before moving on to Apache Guacamole, but I'd say it's helpful to understand that what you have so far is working before adding another layer of software on top!

Screenshot of the Apache Tomcat default web application

Downloading Apache Guacamole Server

The Guacamole project website recommends that you always download the most recent release, unless you know you need a very specific version. The latest release as of this article is 1.5.0, which was published on the 18th February 2023. Nice and current!

Apache Guacamole version 1.5.0

Version | Summary | Released
1.5.0 | In-app playback of recordings, key vaults, ECC keys, multiple LDAP/AD servers, shared connection join/leave notifications, bug fixes. | 2023-02-18

You can download Apache Guacamole from the terminal using wget, like this: wget 'https://apache.org/dyn/closer.lua/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz?action=download'. The URL is quoted so that the shell does not treat the ? as a wildcard.

Once the download has completed, rename the file to remove the quotes and noise in the filename, and you have your zipped archive.

┌──(kali㉿kali)-[~]
└─$ wget 'https://apache.org/dyn/closer.lua/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz?action=download'
$ mv 'guacamole-server-1.5.0.tar.gz?action=download' guacamole-server-1.5.0.tar.gz
$ ls -al guacamole-server-1.5.0.tar.gz 
-rw-r--r-- 1 kali kali 1102862 Feb 14 00:32 guacamole-server-1.5.0.tar.gz
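
Because the archive comes from a mirror and is about to be compiled and installed, it is worth checking it against the checksum and signature published by the Apache project before extracting it. The following is an added example, not part of the original article; the function name is hypothetical, and the .sha256, .asc and KEYS file names assume the usual Apache release layout, fetched from the project's own download site rather than the mirror.

```bash
#!/usr/bin/env bash
# Added example. Functions only: nothing runs until you call them.

# Compare a file's SHA-256 with the first 64-hex-digit token found in a
# checksum file. Handles both "<hash>" and "<hash>  <filename>" layouts and
# upper- or lower-case hex. Returns 0 on match, 1 on mismatch, 2 if the
# checksum file contains no SHA-256 value (fail closed).
verify_sha256() {
    local file=$1 sumfile=$2 expected actual
    expected=$(grep -Eiow '[0-9a-f]{64}' "$sumfile" | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no SHA-256 value in $sumfile" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file" >&2
        return 1
    fi
}

# Usage, with the checksum, signature and KEYS files already downloaded
# next to the archive (file names are assumptions, see the lead-in):
#   verify_sha256 guacamole-server-1.5.0.tar.gz guacamole-server-1.5.0.tar.gz.sha256
#   gpg --import KEYS
#   gpg --verify guacamole-server-1.5.0.tar.gz.asc guacamole-server-1.5.0.tar.gz
```

The checksum only detects a corrupted or swapped download if it comes from a different source than the archive; the gpg step ties the archive to a release manager's key.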

Extract the source for the server from the zipped tape archive file using tar xvf guacamole-server-1.5.0.tar.gz, then change directories into the resulting folder, where you should see your copy of the Apache Guacamole server source code.

┌──(kali㉿kali)-[~/guacamole-server-1.5.0]
└─$ ls
aclocal.m4  build-aux    configure     CONTRIBUTING  Dockerfile  m4           Makefile.in  README  util
bin         config.h.in  configure.ac  doc           LICENSE     Makefile.am  NOTICE       src