Vagrant up – Malware Lab Build on VMware Fusion

Vagrant up – Cheat sheet

Vagrant and Packer are very useful tools to build Lab environments quickly, but, it can become a pain in the ass, as there are allot of quirks and you end up waste a whole day, trying to get a basic VM up and running. So, this is my notes to repeat the process on new workstations.

My lab

  • MacBook Pro
    • MacBook Pro (13-inch, 2019,) Four Thunderbolt 3 ports
    • 2.4 GHz Quad-Core Intel Core i5
    • 8 GB 2133 MHz LPDDR
    • 250.69 GB (250,685,575,168 bytes) APPLE SSD AP0256M
  • VMware Fusion
  • VMware Desktop Vagrant Plugin (costs $79 USD)
  • Samsun Portable T5 SSD
    • I store my VM on the external drive, as I use my internal for documents, etc.

Installation

touch ~/.bash_profile; open ~/.bash_profile
  • Download the VMware Vagrant license as per the email you received after purchase.
  • Install the VMware Vagrant license;
    • vagrant plugin install vagrant-vmware-desktop
    • vagrant plugin update vagrant-vmware-desktop
    • vagrant plugin license vagrant-vmware-desktop /Usersr/rock/Desktop/license.lic
    • vagrant plugin list

DetectionLab install on VMware Fusion

You may need to adjust the Memory allocation to fit with your specific Physical memory limits, by adjusting the Vagrantfile settings;

## adjust Vagrantfile;   
    
v.memory (vmware) or
vb.customize ["modifyvm", :id, "--memory"] (virtualbox) in the Vagrantfile

      v.vmx["displayname"] = "logger"
      v.memory = 4096
      v.vmx["displayname"] = "dc.windomain.local"
      v.memory = 3072
      v.vmx["displayname"] = "wef.windomain.local"
      v.memory = 2048
      v.vmx["displayname"] = "win10.windomain.local"
      v.memory = 2048

## Deployment

cd /Volumes/VM/vmware/DetectionLab/Vagrant
git clone https://github.com/clong/DetectionLab.git
./prepare.sh 
export VAGRANT_HOME=/Volumes/VM/vmware/vagrant
export VAGRANT_DEFAULT_PROVIDER=vmware_desktop
vagrant up --provider=vmware_desktop 
vagrant up win10 --provider=vmware_desktop  (I had to ran each of the VM on its on starting from the DC.)
.\post_build_checks.sh (needs to be run inside the Win10 VM.)

Install Kali via Vagrant

# Make a folder and inside that folder type
vagrant init kalilinux/rolling
vagrant up
vagrant halt
vagrant version
# open the VM and login with vagrant/vagrant
# run updates as per my other kali blog.

Executing a Powershell script

https://www.vagrantup.com/docs/provisioning/shell

# Powershell Script in local folder /scripts
Vagrant.configure("2") do |config|
  config.vm.provision "shell", path: "scripts/PowershellScript.ps1"
en

# Remote Powershell scripts, must have .sh or .ps1 extension
Vagrant.configure("2") do |config|
  config.vm.provision "shell", path: "https://example.com/provisioner.sh"
end

# Inline script
Vagrant.configure("2") do |config|
  config.vm.provision "shell",
    inline: "/bin/sh /path/to/the/script/already/on/the/guest.sh"
end

Vagrant.configure("2") do |config|
  config.vm.provision "shell",
    inline: "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
     inline: "Set-TimeZone 'Eastern Standard Time'" 
end

# Running: Restart-WUService.ps1 as c:\tmp\vagrant-shell.ps1
Vagrant.configure("2") do |config|
    config.vm.define "test" do |test|
        test.vm.box = "eratiner/w2016x64vmX"
        test.vm.network "private_network", ip: "192.168.10.24"
        test.vm.hostname = "test"
        test.vm.provision "shell", privileged: "true", powershell_elevated_interactive: "true", path: "Restart-WUService.ps1"
    end
  end

Vagrant.configure("2") do |config|
  config.vm.box = "StefanScherer/windows_2019"
  config.vm.provision "shell" do |shell|
    shell.path = "headless_dsc.ps1"
    shell.privileged = true
  end
end

Auto Windows 10

Vagrant.configure("2") do |config|

  # Enable provisioning with a shell script. Additional provisioners such as
  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # config.vm.provision "shell", inline: <<-SHELL
  #   apt-get update
  #   apt-get install -y apache2
  # SHELL

  config.vm.define "win10" do |cfg|
    cfg.vm.box = "detectionlab/win10"
    #config.vm.box = "bento"
    cfg.vm.hostname = "Autowin10"
    cfg.vm.boot_timeout = 1200
    cfg.vm.communicator = "winrm"
    cfg.winrm.basic_auth_only = true
    cfg.winrm.timeout = 1200
    cfg.winrm.retry_limit = 20
    cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"

    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1" 
    cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
    cfg.vm.provision "reload"
    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
    cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
    cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false

    cfg.vm.provider "vmware_desktop" do |v, override|
      v.vmx["displayname"] = "win10.windomain.local"
      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
      v.memory = 1024
      v.cpus = 1
      v.gui = true
      v.enable_vmrun_ip_lookup = false
    end
  end
end

AWS DetectionLab Build Process

# Create IAM User Account
aws iam create-user \
> --user-name 'cli_first_user'
{
    "User": {
        "Path": "/",
        "UserName": "cli_first_user",
        "UserId": "AIDAS3CARBCBUS63MIFZT",
        "Arn": "arn:aws:iam::195556345987:user/cli_first_user",
        "CreateDate": "2019-08-18T09:14:38Z"
    }
}

# Create Policy
git clone https://gist.github.com/clong/5eae6a83e6484bb2c01fa5e9cc6e8c9d
aws iam create-policy --policy-name my-policy --policy-document file://5eae6a83e6484bb2c01fa5e9cc6e8c9d

# Inline Create Policy 
aws iam create-policy \
    --policy-name AmazonEKSClusterAutoscalerPolicy \
    --policy-document \
'{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

# Attaching Policy to IAM User
aws iam attach-user-policy \ > --user-name 'cli_first_user' \ > --policy-arn 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'

# Create group using AWS CLI
aws iam create-group \
> --group-name 'HR'
{
    "Group": {
        "Path": "/",
        "GroupName": "HR",
        "GroupId": "AGPAS3CARBCB7H4NRBUHW",
        "Arn": "arn:aws:iam::195556345987:group/HR",
        "CreateDate": "2019-08-18T09:34:55Z"
    }
}

# Adding user to a group using AWS CLI
aws iam add-user-to-group \
> --group-name 'HR' \
> --user-name 'cli_second_user'

# Get user details
aws iam get-user \
> --user-name 'cli_first_user'

aws iam list-users 

Deployment Step-by-Step

git clone https://github.com/clong/DetectionLab.git

#Install Terraform
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
brew upgrade hashicorp/tap/terraform
terraform -install-autocomplete

# Verify that terraform is installed
terraform --version

# Configure AWS keys to use with Terraform ~/.aws/credentials
aws configure --profile terraform
aws configure set region us-west-1

# Generate an SSH key to authenticat to Logger with
ssh-keygen -b 2048 -f ~/.ssh/id_logger

SHA256:v6ilK83pgxjJYA3Q6KR06y9lGdXEmiixjk6THa4mfqo [email protected]

# Go to the Terraform directory in DetectionLab folder
cd /DetectionLab/Terraform

# Copy terraform.tfvars.example to terraform.thvars
cp DetectionLab/AWS/Terraform/terraform.tfvars.example /DetectionLab/AWS/Terraform/terraform.tfvars

cp DetectionLab/AWS/Terraform/terraform.tfvars.example /Users/rock/Desktop/DetectionLab/AWS/Terraform/terraform.tfvars

# Edit terraform.tfvars
nano terraform.tfvar
-----------------------------
/Users/rock/.ssh/
/Users/rock/.aws/
-----------------------------
region = "us-west-1"
profile = "terraform"
shared_credentials_file = "/Users/rock/.aws/credentials"
public_key_name = "id_logger"
public_key_path = "/Users/rock/.ssh/id_logger.pub"
private_key_path = "/Users/rock/.ssh/id_logger"
ip_whitelist = ["0.0.0.0/32"]
availability_zone = "us-west-1b"
// instance_name_prefix = "some_prefix_"
// custom-tags = {"tag_name": "tag_value"}
-----------------------------
# Create Default VPC
aws ec2 create-default-vpcs
aws ec2 create-default-subnet --availability-zone us-west-1
aws ec2 describe-vpcs
aws ec2 describe-subnets

# Deployment
terraform init
terraform fmt
terraform validate
terraform apply
terraform state list
terraform show
terraform destroy -f
terraform output
vagrant reload <hostname> --provision

Terraform Example

mkdir learn-terraform-aws-instance
cd learn-terraform-aws-instance
touch main.tf
pbpaste > main.tf
nano main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
}

provider "aws" {
  profile = "default"
  region  = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-830c94e3"
  instance_type = "t2.micro"

  tags = {
    Name = "ExampleInstance"
  }
}

Terraform / AWS / Ansible Setup

Terraform Output

output "instance_id" {
  description = "ID of the EC2 instance"
  value       = aws_instance.example.id
}

output "instance_public_ip" {
  description = "Public IP address of the EC2 instance"
  value       = aws_instance.example.public_ip
}

Research