Trying DetectionLab
Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right?
Enter
DetectionLab, a project by
Chris Long. Briefly, Chris built a project that uses
Packerand
Vagrantto create an instrumented lab environment. Chris explained the project in late 2017 in a
Medium post, which I recommend reading.
I can't even begin to describe all the functionality packed into this project. So much of it is new, but this is a great way to learn about it. In this post, I would like to show how I got a version of DetectionLab running.
My build environment included a modern laptop with 16 GB RAM and Windows 10 professional. I had already installed
Virtualbox 6.0with the appropriate VirtualBox Extension Pack. I had also enabled the
native OpenSSH serverand performed all DetectionLab installation functions over an OpenSSH session.
Install ChocolateyMy first step was to install
Chocolatey, a package manager for Windows. I wanted to use this to install the Git client I wanted to use to clone the DetectionLab repo. Commands I typed at each stage are in bold below.
root@LAPTOP-HT4TGVCP C:\Users\root>@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "ie x ((New-Object System.Net.WebClient).DownloadString('http://bit.ly/2FvY5wv" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin" Getting latest version of the Chocolatey package for download. Getting Chocolatey from http://bit.ly/2B7eAz4. Downloading 7-Zip commandline tool prior to extraction. Extracting C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall... Installing chocolatey on this machine Creating ChocolateyInstall as an environment variable (targeting 'Machine') Setting ChocolateyInstall to 'C:\ProgramData\chocolatey' WARNING: It's very likely you will need to close and reopen your shell before you can use choco. Restricting write permissions to Administrators We are setting up the Chocolatey package repository. The packages themselves go to 'C:\ProgramData\chocolatey\lib' (i.e. C:\ProgramData\chocolatey\lib\yourPackageName). A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin' and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.
Creating Chocolatey folders if they do not already exist.
WARNING: You can safely ignore errors related to missing log files when upgrading from a version of Chocolatey less than 0.9.9. 'Batch file could not be found' is also safe to ignore. 'The system cannot find the file specified' - also safe. chocolatey.nupkg file not installed in lib. Attempting to locate it from bootstrapper. PATH environment variable does not have C:\ProgramData\chocolatey\bin in it. Adding... WARNING: Not setting tab completion: Profile file does not exist at 'C:\Users\root\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'. Chocolatey (choco.exe) is now ready. You can call choco from anywhere, command line or powershell by typing choco. Run choco /? for a list of functions. You may need to shut down and restart powershell and/or consoles first prior to using choco. Ensuring chocolatey commands are on the path Ensuring chocolatey.nupkg is in the lib folder
root@LAPTOP-HT4TGVCP C:\Users\root>choco Chocolatey v0.10.11 Please run 'choco -?' or 'choco -?' for help menu.
Install Git
With Chocolatey installed, I could install Git.
root@LAPTOP-HT4TGVCP C:\Users\root>choco install git -params '"/GitAndUnixToolsOnPath"' Chocolatey v0.10.11 Installing the following packages: git By installing you accept licenses for the packages. Progress: Downloading git.install 2.20.1... 100% Progress: Downloading chocolatey-core.extension 1.3.3... 100% Progress: Downloading git 2.20.1... 100%chocolatey-core.extension v1.3.3 [Approved] chocolatey-core.extension package files install completed. Performing other installation steps. Installed/updated chocolatey-core extensions. The install of chocolatey-core.extension was successful. Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-core'
git.install v2.20.1 [Approved] git.install package files install completed. Performing other installation steps. The package git.install wants to run 'chocolateyInstall.ps1'. Note: If you don't run this script, the installation will fail. Note: To confirm automatically next time, use '-y' or consider: choco feature enable -n allowGlobalConfirmation Do you want to run the script?([Y]es/[N]o/[P]rint): y
@{Inno Setup CodeFile: Path Option=CmdTools; PSPath=Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Git_ is1; PSParentPath=Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall; PSChildName=Git_is1; PSDrive=HKLM; PS Provider=Microsoft.PowerShell.Core\Registry} Using Git LFS Installing 64-bit git.install... git.install has been installed. git.install installed to 'C:\Program Files\Git' git.install can be automatically uninstalled. Environment Vars (like PATH) have changed. Close/reopen your shell to see the changes (or in powershell/cmd.exe just type `refreshenv`). The install of git.install was successful. Software installed to 'C:\Program Files\Git\'
git v2.20.1 [Approved] git package files install completed. Performing other installation steps. The install of git was successful. Software install location not explicitly set, could be in package or default install location if installer.
Chocolatey installed 3/3 packages. See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Clone DetectionLab
With Git installed, I can clone the DetectionLab repo from Github.
root@LAPTOP-HT4TGVCP C:\Users\root>mkdir gitroot@LAPTOP-HT4TGVCP C:\Users\root>cd git
root@LAPTOP-HT4TGVCP C:\Users\root\git>mkdir detectionlab
root@LAPTOP-HT4TGVCP C:\Users\root\git>cd detectionlab
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>git clone http://bit.ly/2TleydW 'git' is not recognized as an internal or external command, operable program or batch file.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>refreshenv Refreshing environment variables from registry for cmd.exe. Please wait...Finished..
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>git clone http://bit.ly/2TleydW Cloning into 'DetectionLab'... remote: Enumerating objects: 1, done. remote: Counting objects: 100% (1/1), done. remote: Total 1163 (delta 0), reused 0 (delta 0), pack-reused 1162R Receiving objects: 100% (1163/1163), 11.81 MiB | 12.24 MiB/s, done. Resolving deltas: 100% (568/568), done.
Install Vagrant
Before going any further, I needed to install Vagrant.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>cd ..\..\root@LAPTOP-HT4TGVCP C:\Users\root>choco install vagrant Chocolatey v0.10.11 Installing the following packages: vagrant By installing you accept licenses for the packages. Progress: Downloading vagrant 2.2.3... 100%
vagrant v2.2.3 [Approved] vagrant package files install completed. Performing other installation steps. The package vagrant wants to run 'chocolateyinstall.ps1'. Note: If you don't run this script, the installation will fail. Note: To confirm automatically next time, use '-y' or consider: choco feature enable -n allowGlobalConfirmation Do you want to run the script?([Y]es/[N]o/[P]rint): y
Downloading vagrant 64 bit from 'http://bit.ly/2B7SFHX' Progress: 100% - Completed download of C:\Users\root\AppData\Local\Temp\chocolatey\vagrant\2.2.3\vagrant_2.2.3_x86_64.msi (229.22 MB). Download of vagrant_2.2.3_x86_64.msi (229.22 MB) completed. Hashes match. Installing vagrant... vagrant has been installed. Repairing currently installed global plugins. This may take a few minutes... Installed plugins successfully repaired! vagrant may be able to be automatically uninstalled. Environment Vars (like PATH) have changed. Close/reopen your shell to see the changes (or in powershell/cmd.exe just type `refreshenv`). The install of vagrant was successful. Software installed as 'msi', install location is likely default.
Chocolatey installed 1/1 packages. See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Packages requiring reboot: - vagrant (exit code 3010)
The recent package changes indicate a reboot is necessary. Please reboot at your earliest convenience. root@LAPTOP-HT4TGVCP C:\Users\root>shutdown /r /t 0 Installing DetectionLab
Now we are finally at the point where we can install DetectionLab. Note that in my example, I downloaded boxes already built by Chris. I did not build my own, in order to save time. You can follow his instructions to build boxes yourself.
I saw an error regarding the win10 host, but that did not appear to be a real problem.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab>powershell Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.PS C:\Users\root\git\detectionlab\DetectionLab> .\build.ps1 -ProviderName virtualbox -VagrantOnly [preflight_checks] Running.. [preflight_checks] Checking if Vagrant is installed [preflight_checks] Checking for pre-existing boxes.. [preflight_checks] Checking for vagrant instances.. [preflight_checks] Checking disk space.. [preflight_checks] Checking if vagrant-reload is installed.. The vagrant-reload plugin is required and not currently installed. This script will attempt to install it now. Installing the 'vagrant-reload' plugin. This can take a few minutes... Installed the plugin 'vagrant-reload (0.0.1)'! [preflight_checks] Finished. [download_boxes] Running.. [download_boxes] Downloading windows_10_virtualbox.box
[download_boxes] Downloading windows_2016_virtualbox.box [download_boxes] Getting filehash for: windows_10_virtualbox.box [download_boxes] Getting filehash for: windows_2016_virtualbox.box [download_boxes] Checking Filehashes.. [download_boxes] Finished. [main] Running vagrant_up_host for: logger [vagrant_up_host] Running for logger Attempting to bring up the logger host using Vagrant [vagrant_up_host] Finished for logger. Got exit code: 0 [main] vagrant_up_host finished. Exitcode: 0 Good news! logger was built successfully! [main] Finished for: logger [main] Running vagrant_up_host for: dc [vagrant_up_host] Running for dc Attempting to bring up the dc host using Vagrant [vagrant_up_host] Finished for dc. Got exit code: 0 [main] vagrant_up_host finished. Exitcode: 0 Good news! dc was built successfully! [main] Finished for: dc [main] Running vagrant_up_host for: wef [vagrant_up_host] Running for wef Attempting to bring up the wef host using Vagrant [vagrant_up_host] Finished for wef. Got exit code: 0 [main] vagrant_up_host finished. Exitcode: 0 Good news! wef was built successfully! [main] Finished for: wef [main] Running vagrant_up_host for: win10 [vagrant_up_host] Running for win10 Attempting to bring up the win10 host using Vagrant [vagrant_up_host] Finished for win10. Got exit code: 1 [main] vagrant_up_host finished. Exitcode: 1 WARNING: Something went wrong while attempting to build the win10 box. Attempting to reload and reprovision the host... [main] Running vagrant_reload_host for: win10 [vagrant_reload_host] Running for win10 [vagrant_reload_host] Finished for win10. Got exit code: 1 C:\Users\root\git\detectionlab\DetectionLab\build.ps1 : Failed to bring up win10 after a reload. Exiting At line:1 char:1 + .\build.ps1 -ProviderName virtualbox -VagrantOnly + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,build.ps1
[main] Running post_build_checks [post_build_checks] Running Caldera Check. [download] Running for http://bit.ly/2TiiPyP, looking for [download] Found at http://bit.ly/2TiiPyP [post_build_checks] Cladera Result: True [post_build_checks] Running Splunk Check. [download] Running for http://bit.ly/2B9ay9D, looking for This browser is not supported by Splunk [download] Found This browser is not supported by Splunk at http://bit.ly/2B9ay9D [post_build_checks] Splunk Result: True [post_build_checks] Running Fleet Check. [download] Running for http://bit.ly/2Ti2euZ, looking for Kolide Fleet [download] Found Kolide Fleet at http://bit.ly/2Ti2euZ [post_build_checks] Fleet Result: True [post_build_checks] Running MS ATA Check. [download] Running for https://192.168.38.103, looking for [post_build_checks] ATA Result: True [main] Finished post_build_checks
I used the Virtualbox command line program to check the status of the new VMs.
root@LAPTOP-HT4TGVCP c:\Program Files\Oracle\VirtualBox>VBoxManage list runningvms "logger" {3da9fffb-4b02-4e57-a592-dd2322f14245} "dc.windomain.local" {ef32d493-845c-45dc-aff7-3a86d9c590cd} "wef.windomain.local" {7cd008b7-c6e0-421d-9655-8f92ec98d9d7} "win10.windomain.local" {acf413fb-6358-44df-ab9f-cc7767ed32bd} Interacting with Vagrant and the Logger HostNext I decided to use Vagrant to check on the status of the boxes, and to interact with one if I could. I wanted to find the Bro and Suricata logs.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab>cd Vagrant root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant status Current machine states:logger running (virtualbox) dc running (virtualbox) wef running (virtualbox) win10 running (virtualbox)
This environment represents multiple VMs. The VMs are all listed above with their current state. For more information about a specific VM, run `vagrant status NAME`.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant ssh logger
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)
* Documentation: https://help.ubuntu.com * Management: http://bit.ly/XlAX5B * Support: http://bit.ly/29lyHJM
29 packages can be updated. 24 updates are security updates.
Last login: Sun Jan 27 19:24:05 2019 from 10.0.2.2
root@logger:~# /opt/bro/bin/broctl status Name Type Host Status Pid Started manager manager localhost running 9848 27 Jan 17:19:15 proxy proxy localhost running 9893 27 Jan 17:19:16 worker-eth1-1 worker localhost running 9945 27 Jan 17:19:17 worker-eth1-2 worker localhost running 9948 27 Jan 17:19:17
vagrant@logger:~$ ls -al /opt/bro total 32 drwxr-xr-x 8 root root 4096 Jan 27 17:19 . drwxr-xr-x 5 root root 4096 Jan 27 17:19 .. drwxr-xr-x 2 root root 4096 Jan 27 17:19 bin drwxrwsr-x 2 root bro 4096 Jan 27 17:19 etc drwxr-xr-x 3 root root 4096 Jan 27 17:19 lib drwxrws--- 3 root bro 4096 Jan 27 18:00 logs drwxr-xr-x 4 root root 4096 Jan 27 17:19 share drwxrws--- 8 root bro 4096 Jan 27 17:19 spool
vagrant@logger:~$ ls -al /opt/bro/logs ls: cannot open directory '/opt/bro/logs': Permission denied
vagrant@logger:~$ sudo bash
root@logger:~# ls -al /opt/bro/logs/ 2019-01-27/ current/
root@logger:~# ls -al /opt/bro/logs/current/ total 3664 drwxr-sr-x 2 root bro 4096 Jan 27 19:20 . drwxrws--- 8 root bro 4096 Jan 27 17:19 .. -rw-r--r-- 1 root bro 475 Jan 27 19:19 capture_loss.log -rw-r--r-- 1 root bro 127 Jan 27 17:19 .cmdline -rw-r--r-- 1 root bro 83234 Jan 27 19:30 communication.log -rw-r--r-- 1 root bro 1430714 Jan 27 19:30 conn.log -rw-r--r-- 1 root bro 1340 Jan 27 19:00 dce_rpc.log -rw-r--r-- 1 root bro 185114 Jan 27 19:28 dns.log -rw-r--r-- 1 root bro 310 Jan 27 17:19 .env_vars -rw-r--r-- 1 root bro 139387 Jan 27 19:30 files.log -rw-r--r-- 1 root bro 544416 Jan 27 19:30 http.log -rw-r--r-- 1 root bro 224 Jan 27 19:05 known_services.log -rw-r--r-- 1 root bro 956 Jan 27 19:19 notice.log -rw-r--r-- 1 root bro 5 Jan 27 17:19 .pid -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.capture_loss -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.communication -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.conn -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.conn-summary -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.dce_rpc -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.dns -rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.dpd -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.files -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.http -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.kerberos -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.known_certs -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.known_hosts -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.known_services -rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.loaded_scripts -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.notice -rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.packet_filter -rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.reporter -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.smb_files -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.smb_mapping -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.software -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.ssl -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.stats -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.weird -rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.x509 -rw-r--r-- 1 root bro 1311 Jan 27 19:24 smb_mapping.log -rw-r--r-- 1 root bro 15767 Jan 27 19:30 ssl.log -rw-r--r-- 1 root bro 58 Jan 27 17:19 .startup -rw-r--r-- 1 root bro 11326 Jan 27 19:30 stats.log -rwx------ 1 root bro 18 Jan 27 17:19 .status -rw-r--r-- 1 root bro 80 Jan 27 19:00 stderr.log -rw-r--r-- 1 root bro 188 Jan 27 17:19 stdout.log -rw-r--r-- 1 root bro 1141860 Jan 27 19:30 weird.log -rw-r--r-- 1 root bro 2799 Jan 27 19:20 x509.log
root@logger:~# cd /opt/bro/logs/
root@logger:/opt/bro/logs# ls 2019-01-27 current
root@logger:/opt/bro/logs# cd current
root@logger:/opt/bro/logs/current# ls
capture_loss.log conn.log dns.log http.log notice.log smb_mapping.log stats.log stdout.log x509.log communication.log dce_rpc.log files.log known_services.log smb_files.log ssl.log stderr.log weird.log
root@logger:/opt/bro/logs/current# jq -c . dce_rpc.log | head
{"ts":1548615615.836272,"uid":"CEmNr31qusp3G7GFg4","id.orig_h":"192.168.38.104","id.orig_p":49758,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe": "135","endpoint":"epmapper","operation":"ept_map"} {"ts":1548615615.83961,"uid":"CJO7xe4JUo43IjGG01","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.0003 57,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548615615.851544,"uid":"CJO7xe4JUo43IjGG01","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000 596,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548615615.835628,"uid":"CgEcizh05xJ1ricP8","id.orig_h":"192.168.38.104","id.orig_p":49758,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe":" 135","endpoint":"epmapper","operation":"ept_map"} {"ts":1548615615.839587,"uid":"CVV6WZ3vgpE673rl6a","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000 382,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548615615.852193,"uid":"CVV6WZ3vgpE673rl6a","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000 382,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548618003.200283,"uid":"CGYDww34wYz8eCYr96","id.orig_h":"192.168.38.103","id.orig_p":63295,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe": "135","endpoint":"epmapper","operation":"ept_map"} {"ts":1548618003.200403,"uid":"CrTZMz2nCXsiY5WOF8","id.orig_h":"192.168.38.103","id.orig_p":63295,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe": "135","endpoint":"epmapper","operation":"ept_map"}
root@logger:~# head /var/log/suricata/fast.log
01/27/2019-17:19:08.133030 [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0 .2.15:51574 -> 195.135.221.134:80 01/27/2019-17:19:08.292747 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:55260 -> 99.84.178.103:80 01/27/2019-17:19:08.356618 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:55260 -> 99.84.178.103:80 01/27/2019-17:19:08.432477 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:46630 -> 91.189.95.83:80 01/27/2019-17:19:08.448249 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:53932 -> 91.189.88.161:80 ...trimmed...
Chris is using Docker to provide some of the Logger host functions, e.g.:
root@logger:~# docker container ls CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 343c18f933d9 kolide/fleet:latest "sh -c 'echo '\\n' | …" 3 hours ago Up 3 hours 0.0.0.0:8412->8412/tcp kolidequic kstart_fleet_1 513cb0d61401 mysql:5.7 "docker-entrypoint.s…" 3 hours ago Up 3 hours 3306/tcp, 33060/tcp kolidequic kstart_mysql_1 b0278855b130 mailhog/mailhog:latest "MailHog" 3 hours ago Up 3 hours 1025/tcp, 0.0.0.0:8025->8025/tcp kolidequic kstart_mailhog_1 ddcd3e59dda2 redis:3.2.4 "docker-entrypoint.s…" 3 hours ago Up 3 hours 6379/tcp kolidequic kstart_redis_1 Troubleshooting Localhost BindingsOne of the issues I encountered involved the IP addresses to which VMs bound their Virtualbox Remote Display Protocol servers. The default configuration bound them to localhost on my Windows laptop. That was ok if I was interacting with that laptop in person, but I was doing this work remotely.
I could RDP to the laptop, and then RDP from the laptop to the VMs. This works, but it was a slight hassle to log into the Windows 2016 server which required a ctrl-alt-del sequence. This is a nuanced issue that can be solved by using the on screen keyboard (osk.exe) to enter the ctrl-alt-end sequence on the remote laptop, but I wanted an easier solution.
Dustin Lee, who has done a lot of work customized DetectionLab to include Security Onion (a future post maybe?) suggested I modify the Vagrantfile with the following bolded content. This example is for the wef host in the Vagrantfile.
cfg.vm.provider "virtualbox" do |vb, override| vb.gui = true vb.name = "wef.windomain.local" vb.default_nic_type = "82545EM" vb.customize ["modifyvm", :id, "--vrde", "on"] vb.customize ["modifyvm", :id, "--vrdeaddress", "0.0.0.0"] vb.customize ["modifyvm", :id, "--memory", 2048] vb.customize ["modifyvm", :id, "--cpus", 2] vb.customize ["modifyvm", :id, "--vram", "32"] vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"] vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ] endBasically, add the bold entries wherever you see a "virtualbox" option, to enable the VRDP server binding to 0.0.0.0 (which should be all IP addresses, to include the public IP, as I want).
Before I restarted the wef host, you can see below how the VRDE server is listening only on localhost on port 5932 (in bold).
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo wef.windomain.local | findstr /I vrdeVRDE: enabled (Address 127.0.0.1, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null) ...trimmed...
After changing the Vagrant file, I restarted the wef host using Vagrant. root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant reload wef ==> wef: Attempting graceful shutdown of VM... ==> wef: Clearing any previously set forwarded ports... ==> wef: Fixed port collision for 3389 => 3389. Now on port 2201. ==> wef: Fixed port collision for 22 => 2222. Now on port 2202. ==> wef: Fixed port collision for 5985 => 55985. Now on port 2203. ==> wef: Fixed port collision for 5986 => 55986. Now on port 2204. ==> wef: Clearing any previously set network interfaces... ==> wef: Preparing network interfaces based on configuration... wef: Adapter 1: nat wef: Adapter 2: hostonly ==> wef: Forwarding ports... wef: 3389 (guest) => 2201 (host) (adapter 1) wef: 22 (guest) => 2202 (host) (adapter 1) wef: 5985 (guest) => 2203 (host) (adapter 1) wef: 5986 (guest) => 2204 (host) (adapter 1) ==> wef: Running 'pre-boot' VM customizations... ==> wef: Booting VM... ==> wef: Waiting for machine to boot. This may take a few minutes... wef: WinRM address: 127.0.0.1:2203 wef: WinRM username: vagrant wef: WinRM execution_time_limit: PT2H wef: WinRM transport: negotiate ==> wef: Machine booted and ready! ==> wef: Checking for guest additions in VM... wef: The guest additions on this VM do not match the installed version of wef: VirtualBox! In most cases this is fine, but in rare cases it can wef: prevent things such as shared folders from working properly. If you see wef: shared folder errors, please make sure the guest additions within the wef: virtual machine match the version of VirtualBox you have installed on wef: your host and reload your VM. wef: wef: Guest Additions Version: 5.2.16 wef: VirtualBox Version: 6.0 ==> wef: Setting hostname... ==> wef: Configuring and enabling network interfaces... ==> wef: Mounting shared folders... wef: /vagrant =>
The bolded entry about port 2201 means I can log into the wef host as user vagrant / password vagrant, over RDP, directly from another computer.
After restarting the wef host, I check to see what IP address and port the RDP server is listening (in bold): root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo wef.windomain.local | findstr /I vrde VRDE: enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null) ...trimmed...
This should allow me to access the "screen" of the VM via port 5932 and the IP of the host laptop. Unfortunately, there is some sort of conflict, as I saw the domain controller also reserved the same port for its VRDE.
root@LAPTOP-HT4TGVCP C:\Users\root>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo dc.windomain.local | findstr /I vrdeVRDE: enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null) ...trimmed...
I encountered a similar issue with the domain controller also failing to resolve a conflict with the host system RDP port.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant reload dc ==> dc: Attempting graceful shutdown of VM... ==> dc: Clearing any previously set forwarded ports... ==> dc: Fixed port collision for 22 => 2222. Now on port 2200. ==> dc: Clearing any previously set network interfaces... ==> dc: Preparing network interfaces based on configuration... dc: Adapter 1: nat dc: Adapter 2: hostonly ==> dc: Forwarding ports... dc: 3389 (guest) => 3389 (host) (adapter 1) dc: 22 (guest) => 2200 (host) (adapter 1) dc: 5985 (guest) => 55985 (host) (adapter 1) dc: 5986 (guest) => 55986 (host) (adapter 1)I haven't solved these problems yet. I wonder if it's a result of using pre-built VMs, which use the 5.x series of Virtualbox extensions, while my Virtualbox system runs 6.0?
These are minor issues, for the result of all this work is four systems offering Windows client and server features, plus instrumentation. That could be another topic for discussion. I'm also excited by the prospect of
running all of this in the cloud. Furthermore,
Dustin Leehas a
fork of DetectionLabthat replaces some of the instrumentation with Security Onion!
from TaoSecurity http://bit.ly/2DCEiNu
