  • Stars: 920
  • Rank 49,655 (Top 1.0 %)
  • Language: CSS
  • License: MIT License
  • Created over 4 years ago
  • Updated almost 2 years ago

Repository Details

Course content, lab setup instructions and documentation of our very popular Breaking and Pwning Apps and Servers on AWS and Azure hands on training!

Breaking and Pwning Apps and Servers on AWS and Azure - Free Training Courseware and Labs

Introduction

The world is changing right in front of our eyes. The way we have been learning is going to be radically transformed by the time we have all eradicated COVID-19 from our lives.

While we figure out the best way to transfer our knowledge to you, we realise that by the time the world is out of the lockdown, a cloud focussed pentesting training is likely going to be obsolete in parts.

So as a contribution towards the greater security community, we decided to open source the complete training.

Hope you enjoy this release and come back to us with questions, comments, feedback, new ideas or anything else that you want to let us know! Looking forward to hacking with all of you!

Description

Amazon Web Services (AWS) and Azure run the most popular and widely used cloud infrastructure and boutique of services. There is a need for security testers, Cloud/IT admins and people tasked with the role of DevSecOps to learn how to effectively attack and test their cloud infrastructure. In this tools and techniques based training we cover attack approaches, creating your attack arsenal in the cloud, and a distilled deep dive into the AWS and Azure services and concepts that should be used for security.

The training covers a multitude of scenarios taken from our vulnerability assessment, penetration testing and OSINT engagements which take the student through the journey of discovery, identification and exploitation of security weaknesses, misconfigurations and poor programming practices that can lead to complete compromise of the cloud infrastructure.

The training is meant to be a hands-on training with guided walkthroughs, scenario based attacks, and coverage of tools that can be used for attacking and auditing. Due to the attack-focused nature of the training, there is not a lot of documentation around security architecture, defence in depth etc. Additional references are provided in case further reading is required.

To proceed, you will need

  1. An AWS account, activated for payments (you should be able to open and view the Services > EC2 page)
  2. An Azure account, you should be able to login to the Azure console

About this repo

This repo contains all the material from our 3 day hands on training that we have delivered at security conferences and to our numerous clients.

The primary things in this repo are:

  • documentation - all documentation in markdown format that is to be used to go through the training
  • setup-files - files required to create a student virtual machine that will be used to create the cloud labs
  • extras - any additional files that are relevant during the training

Getting started

  • Clone this repo
  • Setup the student VM
  • Host the documentation locally using gitbook
  • Follow the docs :)

Step 1 - Setup the student VM

  • the documentation to setup your own student virtual machine, which is required for the training, is under documentation/setting-up/setup-student-virtual-machine.md
  • this needs to be done first

Step 2 - Documentation

  • As all documentation is in markdown format, you can use Gitbook to host a local copy while walking through the training

Steps to do this

  • install gitbook-cli (npm install gitbook-cli -g)
  • cd into the documentation folder
  • gitbook serve
  • browse to http://localhost:4000

License

About Appsecco

At Appsecco we provide advice, testing and training around software, infra, web and mobile apps, especially those that are cloud hosted. We also specialise in auditing AWS environments as per the AWS CIS Foundations Benchmark to create a picture of the current state of security in your AWS environment. Our experience has led us to create multiple hands on training courses like the very popular "Breaking and Pwning Apps and Servers on AWS and Azure" and "Automated Defence using Cloud Services for AWS, Azure and GCP".

More Repositories

1

dvna

Damn Vulnerable NodeJS Application
SCSS
686
star
2

the-art-of-subdomain-enumeration

This repository contains all the supplement material for the book "The art of sub-domain enumeration"
Python
633
star
3

bugcrowd-levelup-subdomain-enumeration

This repository contains all the material from the talk "Esoteric sub-domain enumeration techniques" given at Bugcrowd LevelUp 2017 virtual conference
Python
632
star
4

vulnerable-apps

Python
214
star
5

spaces-finder

A tool to hunt for publicly accessible DigitalOcean Spaces
Python
154
star
6

attacking-cloudgoat2

A step-by-step walkthrough of CloudGoat 2.0 scenarios.
133
star
7

dvja

Damn Vulnerable Java (EE) Application
CSS
128
star
8

defcon24-infra-monitoring-workshop

Defcon24 Workshop Contents : Ninja Level Infrastructure Monitoring
124
star
9

defcon-26-workshop-attacking-and-auditing-docker-containers

DEF CON 26 Workshop - Attacking & Auditing Docker Containers Using Open Source
107
star
10

sqlinjection-training-app

A simple PHP application to learn SQL Injection detection and exploitation techniques.
PHP
95
star
11

VyAPI

VyAPI - A cloud based vulnerable hybrid Android App
Java
85
star
12

using-docker-kubernetes-for-automating-appsec-and-osint-workflows

Repository for all the workshop content delivered at nullcon X on 1st of March 2019
CSS
81
star
13

json-flash-csrf-poc

This repo contains the files required to perform a CSRF attack using Flash and HTTP 307 redirections.
ActionScript
75
star
14

dvcsharp-api

Damn Vulnerable C# Application (API)
C#
70
star
15

practical-recon-levelup0x02

This repository contains all the material from the talk "Practical recon techniques for bug hunters & pentesters" given at Bugcrowd LevelUp 0x02 virtual conference
CSS
61
star
16

winmanipulate

A simple tool to manipulate window objects in Windows
Visual Basic
44
star
17

opa-traefik-microservice-authz

Proof of concept implementation of a scenario using Open Policy Agent for microservices authorization in API Gateway (Traefik).
JavaScript
41
star
18

raneto-docker

Docker container for Markdown based Raneto Knowledgebase
JavaScript
38
star
19

osint-viz-platform-reconvillage

The repository for Building visualisation platforms for OSINT data using open source solutions
Python
31
star
20

docker-data-science-toolbox

Data Science Command Line Toolbox in a docker container
Shell
28
star
21

docker-datasploit

Docker container for datasploit framework
Shell
26
star
22

sqlinjectionloginbypass

A simple app to demo SQL Injection login bypass
PHP
25
star
23

owasp-threat-dragon-gitlab

OWASP Threat Dragon with Gitlab Integration
JavaScript
23
star
24

kubeseco

Application Security Workflow Automation using Docker and Kubernetes
JavaScript
22
star
25

alldaydevops-aism

All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)
Python
22
star
26

devsecops-using-cloudnative-workshop

This repo contains workshop material delivered at #nullcon2020
HTML
15
star
27

datasploit-ansible

Ansible Playbook for setting up Datasploit
14
star
28

ansible-module-owasp-zap

Ansible module for OWASP ZAP using Python API to scan web targets for security issues
HTML
13
star
29

alldaydevops-shua

This repository contains all the talk materials and ebook from the talk System Hardening Using Ansible given at All Day DevOps 2016 online conference
12
star
30

owasp-webgoat-dot-net-docker

Docker container for running OWASP WebGoat.NET application
11
star
31

nullblr-bachaav-aismd

null Bangalore Public Bachaav 10 December 2016 Automated Infrastructure Security Monitoring & Defence
HTML
10
star
32

prowler-aws-securityhub-integration

Using Prowler to Automate Compliance Checks for AWS CIS Benchmarks
Python
7
star
33

c0c0n-2019-ctf-writeups

CTF write-ups from c0c0n 2019 CTF challenges that we participated in
7
star
34

bsides-delhi-recon

This repository contains all the material from the talk "Doing recon like it's 2017" given at Bsides Delhi 2017 conference
Python
5
star
35

django-rev-shell

A simple django app to provide a reverse shell when deployed and invoked.
Python
4
star
36

nodejs-google-idp-sample

Presentation with proof of concept code on using Google as Identity Provider for Web API authentication using NodeJS as backend and VueJS as frontend
JavaScript
3
star
37

container-image-scanner-api

A minimalist Go API to scan Docker images for security vulnerabilities and weaknesses
Go
2
star
38

automated-defence-ssh-bruteforce-aws

Source code for Automated Defence - Blocking SSH bruteforce attacks in AWS
JavaScript
2
star
39

secrets-in-google-cloud-run-with-google-cloud-build

Baking secrets in Google Cloud Run containers using Google Cloud Build
Python
2
star
40

owasp-bayarea-adef

Visual Basic
2
star
41

asn-search-api

A Golang API over MaxMind ASN database
Go
2
star
42

kubernetes-ptaas-scripts

Scripts to generate kubeconfig files required to perform a PT.
Shell
2
star
43

http-basics-docker

PHP
1
star