Hardware Requirements
Ensure that your computer has sufficient processing capacity (CPU, RAM, SSD) to run multiple remote desktop connections. You should also ensure that you have a fast internet connection (100+ Mbps). My test computer has an i7-1360P processor and 16GB RAM, which is sufficient for running a basic lab with 3 VMs (Kali, Ubuntu, and Windows 11).
AWS Account Creation
The first step is to create an AWS account if you don't yet have one. You can create a root user account with free tier access for 6 months. The Amazon Web Services (AWS) Free Tier provides a 6-month "Free Plan" based on up to $200 in credits.
Steps to Create an AWS Account
Initiate Signup: Go to aws.amazon.com/free and click Create a Free Account.
Root User Credentials: Enter a valid email address and choose a strong password (root user).
Account Details: Select "Personal" or "Business" (for individual use, choose Personal), fill in contact information, and accept the customer agreement.
Payment Method: Enter credit or debit card information. Note that AWS may charge a small temporary amount (e.g., $1 USD) to verify the card, which is later refunded.
Identity Verification: Verify your phone number via SMS or voice call.
Support Plan: Select the Basic Support - Free plan, which is sufficient for new users.
Finalize: Complete the sign-up process. You will receive a confirmation email, and activation usually takes a few minutes.
Important Tips
Security: After logging in for the first time, immediately enable Multi-Factor Authentication (MFA) on your root account.
Billing Alert: Set up a budget alert to monitor usage and avoid unexpected charges.
Next Steps
To get started quickly, I followed a good introduction video on YouTube to get an idea of how to set up a virtual cybersecurity lab in AWS.
Video Link: https://www.youtube.com/watch?v=2cMkpLoKUj0 (Follow Option 2 - Provision With AWS Console UI [watch from 18:12 onwards])
Step-by-step Notes: check the link in the comments section of the video
Summary of Important Dashboards to familiarise yourself with:
VPC
Used to create a private isolated network for the EC2 instances.
Set up the CIDR block for IP addresses.
Enable DNS hostnames and resolution.
Create Security Groups (virtual firewalls) attached to the virtual machines (EC2 instances).
EC2
Set up Key Pairs. Create a .pem file for SSH connections from your local machine (Desktop).
Deploy the virtual machines as EC2 instances.
Configure the settings of the EC2 instances based on AMI OS, processing, storage, network selections.
Billing and Cost Management
Monitor your AWS credit usage.
Some Changes to the Configurations and Settings Described in the Video
VPC CIDR Block: Choose a smaller subnet to use - choose the smallest based on your expected needs. A home cybersecurity lab only needs a small network. I selected 10.0.2.0/24 when provisioning the VPC.
Security Group settings: Allow RDP connections only from your public IP for all EC2 instances. Do the same for SSH connections. You will need to watch for changes to your public IP: if your home/work router is rebooted, your public IP can change, so beware of this.
Security Group settings: Host reachability testing using ping failed initially. You will need to allow ALL ICMP - IPv4 from your VPC network e.g. in my case 10.0.2.0/28. Do this for all security groups associated with your EC2 instances. Then all instances should be able to ping successfully.
Instance type Settings for AWS Free Tier:
Kali Linux - t3.small - some resources needed for Kali tools for attacking
Windows - t3.micro - mostly used as vulnerable workstation testing
Ubuntu - c7i-flex.large - Splunk and Nessus need more resources
EC2 Ubuntu Instance: AWS free tier access is limited to the Ubuntu server image. Select the Ubuntu server 24.04 LTS image. You can connect to it via SSH (as done for the Kali Linux image) or using the web shell connect option. The image does not come with a GUI, so I installed one and configured xrdp by following the instructions from:
https://www.digitalocean.com/community/tutorials/how-to-enable-remote-desktop-protocol-using-xrdp-on-ubuntu-22-04
RDP shortcuts on my desktop: Keep a shortcut to each remote desktop in a folder on your computer. Beware that you will most likely need to change the public IP in your RDP shortcuts, since it changes when you restart an EC2 instance after shutting it down.
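The Security Group changes above (RDP and SSH only from your own public IP, ICMP only from inside the VPC) can be checked after every router reboot with a short audit script. This is an added example, not part of the video or the original notes; it assumes the rules are supplied in the JSON shape returned by `aws ec2 describe-security-groups`, and the function name, group IDs and addresses are constructed placeholders.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the shape of the "SecurityGroups" list returned by
# `aws ec2 describe-security-groups`; IDs and addresses are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-kali-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.2.0/24"}]}]},
    {"GroupId": "sg-windows-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-ubuntu-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def audit_security_groups(groups, my_public_ip, vpc_cidr):
    """Return (group, service, source, reason) for rules that break the lab policy."""
    me = ipaddress.ip_network(f"{my_public_ip}/32")
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            for rng in perm.get("IpRanges", []):  # IPv4 sources only
                src = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if proto == "icmp":
                    if not src.subnet_of(vpc):
                        findings.append((sg["GroupId"], "ICMP", str(src), "source outside the VPC"))
                    continue
                for port, name in ADMIN_PORTS.items():
                    # "-1" means all protocols and ports, so it also covers SSH and RDP
                    covers = proto == "-1" or (proto == "tcp" and lo <= port <= hi)
                    if covers and src != me:
                        reason = ("open to the internet" if src.prefixlen == 0
                                  else "not your current public IP")
                        findings.append((sg["GroupId"], name, str(src), reason))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS, "203.0.113.10", "10.0.2.0/24"):
        print(*finding, sep=" | ")
```

On real data, pass in the parsed "SecurityGroups" list together with your current public IP and the VPC CIDR you provisioned; an empty result means every admin and ICMP rule matches the policy described above.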
Network Configuration and Connectivity Tests after Starting VMs
Network IP settings:
Linux: ip a
Windows: ipconfig
Ping to test connectivity
Testing SIEM Tools - Splunk
Splunk Enterprise:
Splunk Enterprise .deb package installed on the Ubuntu Desktop system. Download it from the Splunk website using the wget command and then install it using the dpkg command. Navigate to the installation directory (/opt/splunk/bin). Start the Splunk service with the bash command sudo ./splunk start. Follow the prompts to accept the license and create your admin credentials.
Open a web browser on your local Ubuntu machine or a remote machine that can access the Ubuntu server's IP address. Navigate to http://<your_ubuntu_ip_address>:8000. Log in with the administrator credentials created during setup to access the Splunk dashboard.
Configure the receiving indexer port on the Splunk dashboard. Click Settings > Forwarding and Receiving. Under the "Receive Data" section, click Configure Receiving. On the "Forwarding and Receiving" page, check if there are any existing receiver ports open. You cannot create a duplicate port.
Click New. In the "Listen on this port" field, enter the desired port number (default 9997). Click Save.
Splunk Universal Forwarder:
Ubuntu:
Download the .deb package from the Splunk website using the wget command and then install using the dpkg command. Navigate to the installation directory bin folder (/opt/splunkforwarder/bin). Start the service with the bash command: sudo ./splunk start --accept-license. Follow the prompts to create an administrator username and password.
Configure the receiving indexer with the bash command: sudo /opt/splunkforwarder/bin/splunk add forward-server <ubuntu_ip_address>:9997. After this add data to be monitored (e.g. /var/log). Bash command: sudo /opt/splunkforwarder/bin/splunk add monitor /var/log.
Note: you can modify the data (folders) monitored by editing the inputs.conf file. The file is located at: /opt/splunkforwarder/etc/apps/search/local/inputs.conf
Windows:
Go to Microsoft Edge, type in the following URL: https://www.splunk.com/en_us/download/universalforwarder/
Log into Splunk. Navigate to the Windows Server download. Click the Download Now icon.
Navigate to the Downloads folder. Click on the .msi file and follow the wizard options.
Picture below shows Splunk Enterprise on Ubuntu collecting logs from the Windows 11 machine
Testing SIEM Tools - Wazuh
Wazuh Server:
Installed on the Ubuntu Desktop system. Follow the Quickstart instructions for a simple straightforward installation: https://documentation.wazuh.com/current/quickstart.html
Wazuh Agent:
Agent installed on the Windows 11 machine. The PowerShell script to install the agent is generated from the Wazuh Dashboard on Ubuntu.
Access the Dashboard: Log into the Wazuh dashboard and go to Wazuh > Agents.
Deploy New Agent: Click Deploy new agent in the upper-right corner.
Configure Parameters:
Operating System: Select Windows.
Architecture: Select 64-bit (or 32-bit if needed).
Wazuh Manager Address: Enter the IP address or hostname of your Wazuh manager.
Agent Name (Optional): Define a custom name or leave blank for the default hostname.
Run Installer Command:
Copy the generated PowerShell command.
Open PowerShell as an Administrator on the target Windows endpoint.
Paste and run the command.
Start the Agent: Once installation finishes, the command generally starts the service automatically, but if not, run: Start-Service wazuhsvc
Testing Vulnerability Scanning Tools:
Tenable Nessus
Download Tenable Nessus version Ubuntu - amd64: https://www.tenable.com/downloads/nessus?loginAttempted=true
Run: sudo dpkg -i "Nessus-<version number>-debian6_amd64.deb"
Start Nessus: sudo systemctl start nessusd.service
Navigate to the URL: https://localhost:8834. Choose Nessus Essentials -> Register with a new account -> Set a username/password for the console -> Wait for plugins to set up.
Tenable Nessus scan of the Ubuntu and Windows 11 VMs
Install and Configure Web Applications for Security Testing
Two open-source, intentionally insecure web applications designed to practice web application security testing in a legal, safe, and controlled environment are:
1. Damn Vulnerable Web Application (DVWA) - https://github.com/digininja/DVWA
2. Buggy Web Application (bWAPP) - http://www.itsecgames.com/
DVWA includes a range of common, real-world vulnerabilities with different difficulty levels (Low, Medium, High, and Impossible). It includes Brute Force, Command Injection, CSRF, File Inclusion, File Upload, Insecure CAPTCHA, SQL Injection (including blind), and XSS vulnerabilities.
bWAPP is known for having a very large set of vulnerabilities—over 100 in total—covering all major known web bugs, including the OWASP Top 10. bWAPP covers a wide spectrum of vulnerabilities including SQL Injection, Code Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Heartbleed, and Shellshock.
Note: It is highly recommended to only download and configure these on VMs or your EC2 instances. AVOID installing on your host machine and AVOID hosting on a publicly accessible server.
Windows Installation (if Windows is the vulnerable device)
1. Install XAMPP (Required for Both DVWA and bWAPP)
Step 1 – Download XAMPP
Download XAMPP for Windows (PHP 7.x or 8.x).
Step 2 – Install
Run the installer.
Select components:
Apache
MySQL
PHP
phpMyAdmin
Install to the default directory: C:\xampp
Step 3 – Start Services
Open XAMPP Control Panel and start:
Apache
MySQL
Test the installation:
http://localhost
You should see the XAMPP dashboard.
2. Install DVWA (Damn Vulnerable Web Application)
Step 1 – Download DVWA from GitHub
Go to: https://github.com/digininja/DVWA
Click Code → Download ZIP
Step 2 – Extract to XAMPP Web Directory
Extract the folder to:
C:\xampp\htdocs\
Final structure:
C:\xampp\htdocs\DVWA
Step 3 – Create Database
Open: http://localhost/phpmyadmin
Click New
Create database: dvwa
Step 4 – Configure DVWA
Navigate to:
C:\xampp\htdocs\DVWA\config
Copy: config.inc.php.dist
Rename to: config.inc.php
Edit the file and confirm save:
$_DVWA['db_server'] = '127.0.0.1';
$_DVWA['db_database'] = 'dvwa';
$_DVWA['db_user'] = 'root';
$_DVWA['db_password'] = '';
Step 5 – Launch DVWA
Open: http://localhost/DVWA
Click: Create / Reset Database
Step 6 – Login
Default credentials:
username: admin
password: password
DVWA will now be running.
3. Install bWAPP (Buggy Web Application)
Step 1 – Download bWAPP
Download from: http://www.itsecgames.com
Download: bWAPP_latest.zip (You may need to temporarily disable Windows Defender to successfully download)
Step 2 – Extract to XAMPP
Extract to: C:\xampp\htdocs\
Folder structure: C:\xampp\htdocs\bWAPP
Step 3 – Configure bWAPP files
Navigate to:
C:\xampp\htdocs\bWAPP
Locate: install.php
Edit the file as follows and confirm save:
Insert the following text in the line below $db=0 (2nd line after the header comments):
mysqli_report(MYSQLI_REPORT_OFF);
Navigate to:
C:\xampp\htdocs\bWAPP\admin
Configure database credentials in the settings.php file to use a valid MySQL user with correct privileges.
example:
$db_server = "localhost"; // your database server (IP/name), here 'localhost'
$db_username = "root"; // your MySQL user, here 'root'
$db_password = "";
Step 4 – Install
Open in browser: http://localhost/bWAPP/install.php
Click: Install bWAPP.
Step 5 – Login
Open: http://localhost/bWAPP/login.php
Default credentials:
username: bee
password: bug
4. Verify Both Applications Can Open and You Can Log In
DVWA: http://localhost/DVWA
bWAPP: http://localhost/bWAPP
5. Recommended Lab Settings
For penetration testing practice:
DVWA Security Level
Go to:
DVWA Security → Low
Then gradually increase to:
Medium → High → Impossible
Enable Vulnerable PHP Settings
Edit: C:\xampp\php\php.ini
Ensure these are enabled:
allow_url_fopen = On
allow_url_include = On
display_errors = On
Restart Apache after changes.
Tools to attack the apps (use your Kali Linux VM or EC2 for this):
Burp Suite
OWASP ZAP
SQLMap
Nikto
Gobuster
Dirbuster
Nmap
Note: Make sure you have enabled incoming connections on ports 80, 443, and 3306 on the Windows firewall.
Linux Installations
Both web applications can also be installed on Linux e.g. Ubuntu or Kali.
The easiest way is to use Docker. This method is the fastest and avoids the complex configuration involved in setting up a LAMP stack (Linux, Apache, MySQL, PHP).
Install Docker and Docker Compose if not already installed. The easiest way to install both Docker and Docker Compose is by installing Docker Desktop, which is available for Windows, macOS, and Linux and bundles both tools.
DVWA: Open a terminal window and type in the following command
docker run --rm -it -p 80:80 vulnerables/web-dvwa
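bWAPP: Open a terminal window and type in the following command (both containers publish host port 80, so stop the DVWA container first or map a different host port)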
docker run -d -p 80:80 raesene/bwapp
Nmap Scanning of the Web Application Host
sudo apt update
sudo apt install nmap
Nikto Scanning of the Web Application Host
sudo apt install nikto
ZAP Scanning of the Web Application Host
sudo apt install zaproxy