From cfc6b3c79bdce67f85dc300160f9459e9267decf Mon Sep 17 00:00:00 2001
From: Khizar Karim
Date: Tue, 29 Jul 2025 23:02:32 -0500
Subject: [PATCH 1/2] Added TF code
---
 terraform/README.md | 50 +++++++++++++++++++++++++++++++
 terraform/main.tf | 60 ++++++++++++++++++++++++++++++++++++++
 terraform/terraform.tfvars | 7 +++++
 terraform/variables.tf | 27 +++++++++++++++++
 4 files changed, 144 insertions(+)
 create mode 100644 terraform/README.md
 create mode 100644 terraform/main.tf
 create mode 100644 terraform/terraform.tfvars
 create mode 100644 terraform/variables.tf
diff --git a/terraform/README.md b/terraform/README.md
new file mode 100644
index 0000000..f702cc9
--- /dev/null
+++ b/terraform/README.md
@@ -0,0 +1,50 @@
+# Deploy Vulnerable Windows Server
+
+A simple deployment of a vulnerable Windows 2016 Server.
+
+---
+
+## HOWTO
+
+This guide assumes that the following tests are run on a workstation and not using a pipeline system.
+
+### Prerequisites
+
+**NOTE:** This guide uses IAM users. This is not recommended for everyday use or in production environments! When using pipelines or in a secure environment, use alternative approaches such as authenticating runners or actions using OIDC and using IAM roles for them.
+
+* AWS Access/Secret [keypair](https://docs.aws.amazon.com/keyspaces/latest/devguide/create.keypair.html) for a service account
+* Terraform is [installed](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+* S3 bucket to host the `backend.tf` file
+* Preexisting VPC, subnet, EC2 instance role, and SSH keypair
+
+Follow these steps to deploy a Windows server with misconfigurations:
+
+1. Clone this repository.
+2. Navigate to the `terraform` directory.
+3. Fill in values for the variables in `terraform.tfvars`.
+4. Export `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables, like so:
+
+ ```bash
+ export AWS_ACCESS_KEY_ID=""
+ export AWS_SECRET_ACCESS_KEY=""
+ ```
+
+5. Initiate Terraform directory with your backend bucket, like so:
+
+ ```bash
+ terraform init \
+ -backend-config="bucket=awesome-tfstate-bucket" \
+ -backend-config="key=optional/directory/terraform.tfstate" \
+ -backend-config="region=us-east-2"
+ terraform plan # This is optional especially if running in a pipeline
+ terraform apply # Use flag -auto-approve if running in a pipeline
+ ```
+
+---
+
+## Upcoming Changes
+
+* Terraform code for VPC, subnet, EC2 instance role, and SSH keypair to be added.
+* Ensure that this project works with a pipeline configured with OIDC.
+* More resources via Terraform to cover wider variety of use cases.
+* Integrate this repository with `cortexcli` to demonstrate code scanning capabilities.
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..4c1c683
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,60 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+}
+
+resource "aws_security_group" "ec2-security-group" {
+ name = var.security_group
+ vpc_id = var.vpc
+ description = "allow all internal traffic, ssh, http, https from anywhere"
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ self = "true"
+ }
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 3389
+ to_port = 3389
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_instance" "windows_instance_1" {
+ instance_type = var.windows_instance_type
+ ami = lookup(var.windows_amis, var.aws_region)
+ get_password_data = true
+ key_name = var.key_name
+ security_groups = ["${aws_security_group.ec2-security-group.name}"]
+ iam_instance_profile = var.iam_role
+ associate_public_ip_address = true
+}
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
new file mode 100644
index 0000000..637e07a
--- /dev/null
+++ b/terraform/terraform.tfvars
@@ -0,0 +1,7 @@
+aws_region = "DEFAULT REGION"
+vpc = "ENTER VPC NAME HERE"
+windows_instance_type = "t3.xlarge"
+windows_amis = {"us-east-2" = "ami-0f63c5662f3d395ae"} # Windows Server 2016
+key_name = "KEY PAIR TO DECRYPT PASSWORD"
+iam_role = "EC2 INSTANCE ROLE"
+security_group = "SECURITY GROUP NAME"
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..193ac09
--- /dev/null
+++ b/terraform/variables.tf
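Review bot: The instance attaches the security group by name through `security_groups`, but the group is created inside `var.vpc` and the instance declares no `subnet_id`, so it launches in the region's default VPC where that name lookup only resolves if `var.vpc` happens to be the default VPC; for a VPC security group the provider expects `vpc_security_group_ids = [aws_security_group.ec2-security-group.id]` together with a `subnet_id` in the same VPC (the README lists a preexisting subnet, but nothing in main.tf consumes it). The `"${...}"` wrapper around that reference is the pre-0.12 interpolation form and can be a bare expression. The group's `description` names ssh/http/https but the rules also expose 3389, so it should read `description = "allow all internal traffic, ssh, http, https, rdp from anywhere"` so that reviewers and scanners see the intended RDP exposure. `get_password_data = true` causes the key-pair-encrypted Administrator password to be recorded in the remote state, so the S3 state bucket should be encrypted and access-restricted; the README currently says nothing about this.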
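Review bot: `vpc = "ENTER VPC NAME HERE"` is passed to `vpc_id` in main.tf, which takes the VPC identifier rather than its Name tag, so the placeholder should read `vpc = "ENTER VPC ID HERE"` to avoid a failing first apply. Likewise `iam_role` feeds `iam_instance_profile`, which takes an instance profile name that may differ from the role name, so the placeholder wording should say "instance profile". `windows_amis` pins a single region while `aws_region` is free-form, and `lookup()` is called without a default, so any region other than us-east-2 fails at plan time; either add a default argument or state the constraint next to the map. The file also lacks a trailing newline.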
@@ -0,0 +1,27 @@
+variable "aws_region" {
+ description = "Default region"
+}
+
+variable "vpc" {
+ description = "VPC to use"
+}
+
+variable "windows_instance_type" {
+ description = "EC2 instance type to deploy"
+}
+
+variable "windows_amis" {
+ description = "Windows AMI to use"
+}
+
+variable "key_name" {
+ description = "SSH key name"
+}
+
+variable "iam_role" {
+ description = "IAM role to assign EC2"
+}
+
+variable "security_group" {
+ description = "Security group for EC2"
+}
From e888418872ac3041a3e4d7893831750798ab54a0 Mon Sep 17 00:00:00 2001
From: Khizar Karim
Date: Wed, 30 Jul 2025 10:25:27 -0500
Subject: [PATCH 2/2] Forgot to add PS script
---
 terraform/main.tf | 59 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
diff --git a/terraform/main.tf b/terraform/main.tf
index 4c1c683..61d665f 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
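Review bot: None of the seven variables declares a `type`, so a wrongly shaped value (for example a plain string for `windows_amis`) is only caught when `lookup()` runs in main.tf rather than at plan time; adding `type = string` to the six scalar variables and `type = map(string)` to `windows_amis` moves the check earlier. The `windows_amis` description "Windows AMI to use" is misleading because the value is a map keyed by region, and the `vpc` description should say whether an ID or a name is expected since main.tf passes it to `vpc_id`; the other five variables would gain only the `type` line.

```hcl
variable "vpc" {
  description = "ID (vpc-...) of the VPC the security group is created in"
  type        = string
}

# … unchanged: aws_region, windows_instance_type, key_name, iam_role, security_group (each gains `type = string`) …

variable "windows_amis" {
  description = "Map of AWS region to Windows Server 2016 AMI ID"
  type        = map(string)
}
```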
@@ -57,4 +57,63 @@ resource "aws_instance" "windows_instance_1" {
 security_groups = ["${aws_security_group.ec2-security-group.name}"]
 iam_instance_profile = var.iam_role
 associate_public_ip_address = true
+ user_data = <
+
+# Disable Windows Defender
+Write-Output "❌ Disabling Windows Defender..."
+Set-MpPreference -DisableRealtimeMonitoring $true `
+ -DisableIOAVProtection $true `
+ -DisableIntrusionPreventionSystem $true `
+ -EnableControlledFolderAccess Disabled `
+ -DisableScriptScanning $true `
+ -MAPSReporting Disabled `
+ -SubmitSamplesConsent NeverSend
+
+# Enable SMBv1
+Write-Output "📡 Enabling insecure SMBv1 protocol..."
+Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
+
+# Enable admin shares (C$, ADMIN$)
+Write-Output "🔓 Ensuring admin shares are active..."
+New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
+ -Name "AutoShareWks" -Value 1 -PropertyType DWORD -Force
+
+# Disable TLS 1.2
+Write-Output "📉 Disabling modern TLS protocols (TLS 1.2)..."
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Force
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Force
+New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" `
+ -Name "Enabled" -Value 0 -PropertyType DWORD -Force
+New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" `
+ -Name "Enabled" -Value 0 -PropertyType DWORD -Force
+
+# Enable RDP without NLA
+Write-Output "🔐 Disabling RDP Network Level Authentication..."
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
+ -Name "UserAuthentication" -Value 0
+
+# Disable Windows Firewall
+Write-Output "🧱 Disabling Windows Firewall..."
+Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
+Write-Output "✅ Vulnerable system configuration complete. Reboot may be required to apply all settings."
+EOF
 }
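Review bot: The `user_data` heredoc opener renders here as `user_data = <`, and the hunk header counts 59 added lines while noticeably fewer are visible, so the `<<EOF` delimiter, the `<powershell>` wrapper that EC2Launch requires to run the script, and part of the script body cannot be confirmed from this view; the enclosing `aws_instance` block starts before the hunk. Several of the changes (the SCHANNEL keys, the Defender preferences, the SMBv1 feature added with `-NoRestart`) only take effect after a reboot, yet the closing `Write-Output` merely says one "may be required"; either end the script with `Restart-Computer -Force` or state in the README that a reboot is part of the deployment, so a scan of the fresh instance sees the intended state rather than a half-applied one. `Enable-WindowsOptionalFeature -FeatureName SMB1Protocol` is the client-SKU form; on Windows Server the feature is normally installed with `Install-WindowsFeature FS-SMB1`, so confirm on the Server 2016 AMI that the call does not fail silently in the EC2Launch user-data log. The script is the deliberate misconfiguration this repository exists to demonstrate, but nothing in main.tf says so; a first line inside the heredoc such as `# INTENTIONALLY INSECURE: lab-only configuration for scanner demos, never apply to a production host` makes the intent explicit to anyone reading the plan output, the state file or the instance console.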