Vagrant up – Cheat sheet
Vagrant and Packer are very useful tools for building lab environments quickly, but they can become a pain in the ass: there are a lot of quirks, and you can end up wasting a whole day trying to get a basic VM up and running. So these are my notes for repeating the process on new workstations.
Windows Security Logs Events
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
My lab
- MacBook Pro
- MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)
- 2.4 GHz Quad-Core Intel Core i5
- 8 GB 2133 MHz LPDDR
- 250.69 GB (250,685,575,168 bytes) APPLE SSD AP0256M
- VMware Fusion
- VMware Desktop Vagrant Plugin (costs $79 USD)
- Samsung Portable T5 SSD
- I store my VM on the external drive, as I use my internal for documents, etc.
Installation
- You must have a licensed copy of VMware Fusion, in my case. (I strongly suggest not using VirtualBox or Hyper-V; they have too many bugs and unsupported functions. Trust me, I wasted too much time on both of them.)
- Buy VMware Desktop Vagrant Plugin (costs $79) – https://www.vagrantup.com/vmware#buy-now
- Install the following;
- Change the .vagrant home folder; this moves the download and tmp directories to your location. Otherwise, you will fill up your home path. You need to do this before you install the plugin below, otherwise you will have issues.
- export VAGRANT_HOME=/Volumes/VM/vmware/vagrant
- export VAGRANT_DEFAULT_PROVIDER=vmware_desktop
- HINT: to see the .vagrant folder and its contents in the OS X Finder, press [LEFT SHIFT + COMMAND + .]
- Unfortunately, you need to set these defaults in bash every time. I haven't figured out how to set the home path permanently inside the following (this causes a lot of headaches):
- /opt/vagrant/embedded/gems/2.2.14/gems/vagrant-2.2.14/lib/vagrant/environment.rb
- https://harvsworld.com/2014/change-vagrant_home-directory-windows/
- Create a bash profile and insert the exports inside this file. If you are using macOS Catalina, you need to update the .zshrc file instead of .bash_profile or .profile, as per https://scriptingosx.com/2019/06/moving-to-zsh/
touch ~/.bash_profile; open ~/.bash_profile
- Download the VMware Vagrant license as per the email you received after purchase.
- Install the VMware Vagrant license;
- vagrant plugin install vagrant-vmware-desktop
- vagrant plugin update vagrant-vmware-desktop
- vagrant plugin license vagrant-vmware-desktop /Users/rock/Desktop/license.lic
- vagrant plugin list
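One way to make the VAGRANT_HOME and VAGRANT_DEFAULT_PROVIDER exports above permanent, as an added example that is not part of the original notes. The function names are hypothetical; it writes both exports into the profile file of the login shell and refuses when the target directory is missing (for example, the external drive is not mounted).

```shell
#!/bin/sh
# Added example (hypothetical helper names): persist the Vagrant exports.
# Usage: persist_vagrant_env HOME_DIR [PROVIDER] [PROFILE_FILE]

# rc_file_for SHELL_PATH -> profile file that shell reads
rc_file_for() {
  case "${1##*/}" in
    zsh)  echo "$HOME/.zshrc" ;;         # default shell since Catalina
    bash) echo "$HOME/.bash_profile" ;;
    *)    echo "$HOME/.profile" ;;
  esac
}

# set_export FILE NAME VALUE -> drop any old export of NAME, append the new one
set_export() {
  touch "$1"
  grep -v "^export $2=" "$1" > "$1.tmp" || true   # grep -v exits 1 on empty output
  printf 'export %s="%s"\n' "$2" "$3" >> "$1.tmp"
  mv "$1.tmp" "$1"
}

persist_vagrant_env() {
  vhome=$1
  provider=${2:-vmware_desktop}
  profile=${3:-$(rc_file_for "$SHELL")}
  # An unmounted external drive leaves no directory here; stop instead of
  # recording a path Vagrant cannot use.
  [ -d "$vhome" ] || { echo "missing $vhome (drive not mounted?)" >&2; return 1; }
  set_export "$profile" VAGRANT_HOME "$vhome"
  set_export "$profile" VAGRANT_DEFAULT_PROVIDER "$provider"
  echo "$profile"   # report which file was updated
}
```

Running `persist_vagrant_env /Volumes/VM/vmware/vagrant` twice leaves a single copy of each export, so it is safe to repeat on a new workstation.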
DetectionLab install on VMware Fusion
You may need to adjust the memory allocation to fit your physical memory limits by adjusting the Vagrantfile settings:
## adjust Vagrantfile;
v.memory (vmware) or
vb.customize ["modifyvm", :id, "--memory"] (virtualbox) in the Vagrantfile
v.vmx["displayname"] = "logger"
v.memory = 4096
v.vmx["displayname"] = "dc.windomain.local"
v.memory = 3072
v.vmx["displayname"] = "wef.windomain.local"
v.memory = 2048
v.vmx["displayname"] = "win10.windomain.local"
v.memory = 2048
## Deployment
cd /Volumes/VM/vmware
git clone https://github.com/clong/DetectionLab.git
cd DetectionLab/Vagrant
./prepare.sh
export VAGRANT_HOME=/Volumes/VM/vmware/vagrant
export VAGRANT_DEFAULT_PROVIDER=vmware_desktop
vagrant up --provider=vmware_desktop
vagrant up win10 --provider=vmware_desktop (I had to run each of the VMs on its own, starting from the DC.)
.\post_build_checks.sh (needs to be run inside the Win10 VM.)
Install Kali via Vagrant
# Make a folder and inside that folder type
vagrant init kalilinux/rolling
vagrant up
vagrant halt
vagrant version
# open the VM and login with vagrant/vagrant
# run updates as per my other kali blog.
Executing a Powershell script
https://www.vagrantup.com/docs/provisioning/shell
# PowerShell script in local folder /scripts
Vagrant.configure("2") do |config|
  config.vm.provision "shell", path: "scripts/PowershellScript.ps1"
end
# Remote scripts, must have .sh or .ps1 extension
Vagrant.configure("2") do |config|
  config.vm.provision "shell", path: "https://example.com/provisioner.sh"
end
# Inline script
Vagrant.configure("2") do |config|
  config.vm.provision "shell",
    inline: "/bin/sh /path/to/the/script/already/on/the/guest.sh"
end
# Each inline command gets its own provision line
Vagrant.configure("2") do |config|
  config.vm.provision "shell",
    inline: "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
  config.vm.provision "shell",
    inline: "Set-TimeZone 'Eastern Standard Time'"
end
# Running: Restart-WUService.ps1 as c:\tmp\vagrant-shell.ps1
Vagrant.configure("2") do |config|
  config.vm.define "test" do |test|
    test.vm.box = "eratiner/w2016x64vmX"
    test.vm.network "private_network", ip: "192.168.10.24"
    test.vm.hostname = "test"
    # privileged and powershell_elevated_interactive take booleans, not strings
    test.vm.provision "shell", privileged: true, powershell_elevated_interactive: true, path: "Restart-WUService.ps1"
  end
end
Vagrant.configure("2") do |config|
  config.vm.box = "StefanScherer/windows_2019"
  config.vm.provision "shell" do |shell|
    shell.path = "headless_dsc.ps1"
    shell.privileged = true
  end
end
Auto Windows 10
Vagrant.configure("2") do |config|
  # Enable provisioning with a shell script. Additional provisioners such as
  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # config.vm.provision "shell", inline: <<-SHELL
  # apt-get update
  # apt-get install -y apache2
  # SHELL
  config.vm.define "win10" do |cfg|
    cfg.vm.box = "detectionlab/win10"
    #config.vm.box = "bento"
    cfg.vm.hostname = "Autowin10"
    cfg.vm.boot_timeout = 1200
    cfg.vm.communicator = "winrm"
    cfg.winrm.basic_auth_only = true
    cfg.winrm.timeout = 1200
    cfg.winrm.retry_limit = 20
    cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1"
    cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
    cfg.vm.provision "reload"
    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
    cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
    cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false
    cfg.vm.provider "vmware_desktop" do |v, override|
      v.vmx["displayname"] = "win10.windomain.local"
      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
      v.memory = 1024
      v.cpus = 1
      v.gui = true
      v.enable_vmrun_ip_lookup = false
    end
  end
end
AWS DetectionLab Build Process
- Install AWSCLI
- Install Terraform CLI
- https://www.terraform.io/downloads.html
- terraform --version
- AWS Account
- An AWS account
- An IAM user and role for Terraform
- An AWS keypair for that user
- Create AWS Policy
- Deployment
# Create IAM User Account
aws iam create-user \
--user-name 'cli_first_user'
{
"User": {
"Path": "/",
"UserName": "cli_first_user",
"UserId": "AIDAS3CARBCBUS63MIFZT",
"Arn": "arn:aws:iam::195556345987:user/cli_first_user",
"CreateDate": "2019-08-18T09:14:38Z"
}
}
# Create Policy
git clone https://gist.github.com/clong/5eae6a83e6484bb2c01fa5e9cc6e8c9d
aws iam create-policy --policy-name my-policy --policy-document file://5eae6a83e6484bb2c01fa5e9cc6e8c9d
# Inline Create Policy
aws iam create-policy \
--policy-name AmazonEKSClusterAutoscalerPolicy \
--policy-document \
'{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "*",
"Effect": "Allow"
}
]
}'
# Attaching Policy to IAM User
aws iam attach-user-policy \
--user-name 'cli_first_user' \
--policy-arn 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
# Create group using AWS CLI
aws iam create-group \
--group-name 'HR'
{
"Group": {
"Path": "/",
"GroupName": "HR",
"GroupId": "AGPAS3CARBCB7H4NRBUHW",
"Arn": "arn:aws:iam::195556345987:group/HR",
"CreateDate": "2019-08-18T09:34:55Z"
}
}
# Adding user to a group using AWS CLI
aws iam add-user-to-group \
--group-name 'HR' \
--user-name 'cli_second_user'
# Get user details
aws iam get-user \
--user-name 'cli_first_user'
aws iam list-users
Deployment Step-by-Step
git clone https://github.com/clong/DetectionLab.git
#Install Terraform
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
brew upgrade hashicorp/tap/terraform
terraform -install-autocomplete
# Verify that terraform is installed
terraform --version
# Configure AWS keys to use with Terraform ~/.aws/credentials
aws configure --profile terraform
aws configure set region us-west-1
# Generate an SSH key to authenticate to Logger with
ssh-keygen -b 2048 -f ~/.ssh/id_logger
SHA256:v6ilK83pgxjJYA3Q6KR06y9lGdXEmiixjk6THa4mfqo [email protected]
# Go to the Terraform directory in DetectionLab folder
cd /DetectionLab/Terraform
# Copy terraform.tfvars.example to terraform.tfvars
cp DetectionLab/AWS/Terraform/terraform.tfvars.example /DetectionLab/AWS/Terraform/terraform.tfvars
cp DetectionLab/AWS/Terraform/terraform.tfvars.example /Users/rock/Desktop/DetectionLab/AWS/Terraform/terraform.tfvars
# Edit terraform.tfvars
nano terraform.tfvars
-----------------------------
/Users/rock/.ssh/
/Users/rock/.aws/
-----------------------------
region = "us-west-1"
profile = "terraform"
shared_credentials_file = "/Users/rock/.aws/credentials"
public_key_name = "id_logger"
public_key_path = "/Users/rock/.ssh/id_logger.pub"
private_key_path = "/Users/rock/.ssh/id_logger"
ip_whitelist = ["0.0.0.0/32"]
availability_zone = "us-west-1b"
// instance_name_prefix = "some_prefix_"
// custom-tags = {"tag_name": "tag_value"}
-----------------------------
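Before running terraform apply, the values in terraform.tfvars can be checked mechanically. The script below is an added example, not part of the original notes or of DetectionLab. Its function names and the MIN_PREFIX threshold of /24 are assumptions, ip_whitelist is taken to be the list of source addresses allowed to reach the lab, and it expects one `key = "value"` per line as in the file above.

```shell
#!/bin/sh
# Added example (not DetectionLab code): pre-flight check for terraform.tfvars.
# Assumes one `key = "value"` per line, as in the file shown above.

# tfvar FILE KEY -> prints the quoted string value of KEY (first match)
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# whitelist FILE -> prints each ip_whitelist CIDR on its own line
whitelist() {
  sed -n 's/^[[:space:]]*ip_whitelist[[:space:]]*=[[:space:]]*\[\(.*\)\].*/\1/p' "$1" |
    tr ',' '\n' | tr -d ' "'
}

# check_tfvars FILE -> prints findings; returns 0 if clean, 1 otherwise
check_tfvars() {
  rc=0
  list=$(whitelist "$1")
  [ -n "$list" ] || { echo "FAIL ip_whitelist is missing or empty"; rc=1; }
  for cidr in $list; do
    case "$cidr" in
      0.0.0.0/0)  echo "FAIL $cidr allows every source address"; rc=1 ;;
      0.0.0.0/32) echo "FAIL $cidr matches no real client, set your own IP/32"; rc=1 ;;
      */[0-9]|*/[0-9][0-9])  # MIN_PREFIX is an assumed threshold, default /24
        [ "${cidr##*/}" -ge "${MIN_PREFIX:-24}" ] ||
          { echo "WARN $cidr is wider than /${MIN_PREFIX:-24}"; rc=1; } ;;
      *)          echo "FAIL '$cidr' is not in CIDR notation"; rc=1 ;;
    esac
  done
  key=$(tfvar "$1" private_key_path)
  if [ ! -f "$key" ]; then
    echo "FAIL private_key_path '$key' does not exist"; rc=1
  elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL $key is accessible to group/other, run: chmod 600 $key"; rc=1
  fi
  return $rc
}
```

Run it as `check_tfvars terraform.tfvars && terraform apply` so a wide or placeholder whitelist stops the deployment.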
# Create Default VPC
aws ec2 create-default-vpc
aws ec2 create-default-subnet --availability-zone us-west-1b
aws ec2 describe-vpcs
aws ec2 describe-subnets
# Deployment
terraform init
terraform fmt
terraform validate
terraform apply
terraform state list
terraform show
terraform destroy -auto-approve
terraform output
vagrant reload <hostname> --provision
Terraform Example
mkdir learn-terraform-aws-instance
cd learn-terraform-aws-instance
touch main.tf
pbpaste > main.tf
nano main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
}
provider "aws" {
  profile = "default"
  region  = "us-west-2"
}
resource "aws_instance" "example" {
  ami           = "ami-830c94e3"
  instance_type = "t2.micro"
  tags = {
    Name = "ExampleInstance"
  }
}
Terraform / AWS / Ansible Setup
Terraform Output
output "instance_id" {
  description = "ID of the EC2 instance"
  value       = aws_instance.example.id
}
output "instance_public_ip" {
  description = "Public IP address of the EC2 instance"
  value       = aws_instance.example.public_ip
}
New Lab environment 25.07.23
This section is for the build of a hacking lab environment.
Tools to consider;
- Docker
- Vagrant
- Terraform
- VMware Imager
- Bitnami
- QEMU
- UTM
SOE
- Disable updates autologin
- Install Tools
- Install TeamViewer
- Sysprep and rename
Research
- Terraform Crash Course
- Create Default VPC
- Introduction to Terraform
- ATTACK TECHNIQUES FOR BEGINNERS
- CyberRange / CloudGoat
- EDU Range
- Using Devops Tools to Deploy Cybersecurity Labs in Cloud Computing Environments
- Using Vagrant to Build a Manageable and Sharable Intrusion Detection Lab
- DetectionLab Troubleshooting
- 10 Things about Vagrant
- Active Directory Lab build
- https://medium.com/subpointsolutions/building-a-disposable-windows-2016-domain-controller-in-20-minutes-with-vagrant-fce6eb4e01bd
- https://github.com/cunninghamp/New-LabUsers.ps1
- https://petri.com/populate-active-directory-with-test-user-accounts
- https://secframe.com/blog/2020/ad_lab/
- https://github.com/AutomatedLab/AutomatedLab
- https://github.com/dsccommunity/
- https://github.com/dsccommunity/ActiveDirectoryDsc
- https://github.com/microsoft/MSLab
- https://medium.com/swlh/building-an-active-directory-lab-part-1a-automatedlab-fc2399ebe5be
- PfSense
- Use Spot instances for DetectionLab
- Windows 10 with Cuckoo
- Deploy in a different AWS Region
- Youtubes
- https://www.youtube.com/watch?v=kfbM1l8GGbM
- https://www.youtube.com/watch?v=KNpxFTfEi3Y
- https://www.youtube.com/watch?v=Ed1ujM3xWNg
- Accelerating the Analysis of Offensive Security Techniques Using DetectionLab