Monday, January 28, 2019

Trying DetectionLab


Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right?

Enter

DetectionLab

, a project by

Chris Long

. Briefly, Chris built a project that uses

Packer

and

Vagrant

to create an instrumented lab environment. Chris explained the project in late 2017 in a

Medium post

, which I recommend reading.

I can't even begin to describe all the functionality packed into this project. So much of it is new, but this is a great way to learn about it. In this post, I would like to show how I got a version of DetectionLab running.

My build environment included a modern laptop with 16 GB RAM and Windows 10 professional. I had already installed

Virtualbox 6.0

with the appropriate VirtualBox Extension Pack. I had also enabled the

native OpenSSH server

and performed all DetectionLab installation functions over an OpenSSH session.

Install Chocolatey

My first step was to install

Chocolatey

, a package manager for Windows. I wanted to use this to install the Git client I wanted to use to clone the DetectionLab repo. Commands I typed at each stage are in bold below.


root@LAPTOP-HT4TGVCP C:\Users\root>@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "ie x ((New-Object System.Net.WebClient).DownloadString('http://bit.ly/2FvY5wv" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin" Getting latest version of the Chocolatey package for download. Getting Chocolatey from http://bit.ly/2B7eAz4. Downloading 7-Zip commandline tool prior to extraction. Extracting C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall... Installing chocolatey on this machine Creating ChocolateyInstall as an environment variable (targeting 'Machine')   Setting ChocolateyInstall to 'C:\ProgramData\chocolatey' WARNING: It's very likely you will need to close and reopen your shell   before you can use choco. Restricting write permissions to Administrators We are setting up the Chocolatey package repository. The packages themselves go to 'C:\ProgramData\chocolatey\lib'   (i.e. C:\ProgramData\chocolatey\lib\yourPackageName). A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin'   and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.
Creating Chocolatey folders if they do not already exist.
WARNING: You can safely ignore errors related to missing log files when   upgrading from a version of Chocolatey less than 0.9.9.   'Batch file could not be found' is also safe to ignore.   'The system cannot find the file specified' - also safe. chocolatey.nupkg file not installed in lib.  Attempting to locate it from bootstrapper. PATH environment variable does not have C:\ProgramData\chocolatey\bin in it. Adding... WARNING: Not setting tab completion: Profile file does not exist at 'C:\Users\root\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'. Chocolatey (choco.exe) is now ready. You can call choco from anywhere, command line or powershell by typing choco. Run choco /? for a list of functions. You may need to shut down and restart powershell and/or consoles  first prior to using choco. Ensuring chocolatey commands are on the path Ensuring chocolatey.nupkg is in the lib folder
root@LAPTOP-HT4TGVCP C:\Users\root>choco Chocolatey v0.10.11 Please run 'choco -?' or 'choco -?' for help menu.
Install Git

With Chocolatey installed, I could install Git.

root@LAPTOP-HT4TGVCP C:\Users\root>choco install git -params '"/GitAndUnixToolsOnPath"' Chocolatey v0.10.11 Installing the following packages: git By installing you accept licenses for the packages. Progress: Downloading git.install 2.20.1... 100% Progress: Downloading chocolatey-core.extension 1.3.3... 100% Progress: Downloading git 2.20.1... 100%
chocolatey-core.extension v1.3.3 [Approved] chocolatey-core.extension package files install completed. Performing other installation steps.  Installed/updated chocolatey-core extensions.  The install of chocolatey-core.extension was successful.   Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-core'
git.install v2.20.1 [Approved] git.install package files install completed. Performing other installation steps. The package git.install wants to run 'chocolateyInstall.ps1'. Note: If you don't run this script, the installation will fail. Note: To confirm automatically next time, use '-y' or consider: choco feature enable -n allowGlobalConfirmation Do you want to run the script?([Y]es/[N]o/[P]rint): y
@{Inno Setup CodeFile: Path Option=CmdTools; PSPath=Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Git_ is1; PSParentPath=Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall; PSChildName=Git_is1; PSDrive=HKLM; PS Provider=Microsoft.PowerShell.Core\Registry} Using Git LFS Installing 64-bit git.install... git.install has been installed. git.install installed to 'C:\Program Files\Git'   git.install can be automatically uninstalled. Environment Vars (like PATH) have changed. Close/reopen your shell to  see the changes (or in powershell/cmd.exe just type `refreshenv`).  The install of git.install was successful.   Software installed to 'C:\Program Files\Git\'
git v2.20.1 [Approved] git package files install completed. Performing other installation steps.  The install of git was successful.   Software install location not explicitly set, could be in package or   default install location if installer.
Chocolatey installed 3/3 packages.  See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Clone DetectionLab

With Git installed, I can clone the DetectionLab repo from Github.

root@LAPTOP-HT4TGVCP C:\Users\root>mkdir git
root@LAPTOP-HT4TGVCP C:\Users\root>cd git
root@LAPTOP-HT4TGVCP C:\Users\root\git>mkdir detectionlab
root@LAPTOP-HT4TGVCP C:\Users\root\git>cd detectionlab
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>git clone http://bit.ly/2TleydW 'git' is not recognized as an internal or external command, operable program or batch file.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>refreshenv Refreshing environment variables from registry for cmd.exe. Please wait...Finished..
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>git clone http://bit.ly/2TleydW Cloning into 'DetectionLab'... remote: Enumerating objects: 1, done. remote: Counting objects: 100% (1/1), done. remote: Total 1163 (delta 0), reused 0 (delta 0), pack-reused 1162R Receiving objects: 100% (1163/1163), 11.81 MiB | 12.24 MiB/s, done. Resolving deltas: 100% (568/568), done.
Install Vagrant

Before going any further, I needed to install Vagrant.

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>cd ..\..\
root@LAPTOP-HT4TGVCP C:\Users\root>choco install vagrant Chocolatey v0.10.11 Installing the following packages: vagrant By installing you accept licenses for the packages. Progress: Downloading vagrant 2.2.3... 100%
vagrant v2.2.3 [Approved] vagrant package files install completed. Performing other installation steps. The package vagrant wants to run 'chocolateyinstall.ps1'. Note: If you don't run this script, the installation will fail. Note: To confirm automatically next time, use '-y' or consider: choco feature enable -n allowGlobalConfirmation Do you want to run the script?([Y]es/[N]o/[P]rint): y
Downloading vagrant 64 bit   from 'http://bit.ly/2B7SFHX' Progress: 100% - Completed download of C:\Users\root\AppData\Local\Temp\chocolatey\vagrant\2.2.3\vagrant_2.2.3_x86_64.msi (229.22 MB). Download of vagrant_2.2.3_x86_64.msi (229.22 MB) completed. Hashes match. Installing vagrant... vagrant has been installed. Repairing currently installed global plugins. This may take a few minutes... Installed plugins successfully repaired!   vagrant may be able to be automatically uninstalled. Environment Vars (like PATH) have changed. Close/reopen your shell to  see the changes (or in powershell/cmd.exe just type `refreshenv`).  The install of vagrant was successful.   Software installed as 'msi', install location is likely default.
Chocolatey installed 1/1 packages.  See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Packages requiring reboot:  - vagrant (exit code 3010)
The recent package changes indicate a reboot is necessary.  Please reboot at your earliest convenience. root@LAPTOP-HT4TGVCP C:\Users\root>shutdown /r /t 0 Installing DetectionLab

Now we are finally at the point where we can install DetectionLab. Note that in my example, I downloaded boxes already built by Chris. I did not build my own, in order to save time. You can follow his instructions to build boxes yourself.

I saw an error regarding the win10 host, but that did not appear to be a real problem.

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab>powershell Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\root\git\detectionlab\DetectionLab> .\build.ps1 -ProviderName virtualbox -VagrantOnly [preflight_checks] Running.. [preflight_checks] Checking if Vagrant is installed [preflight_checks] Checking for pre-existing boxes.. [preflight_checks] Checking for vagrant instances.. [preflight_checks] Checking disk space.. [preflight_checks] Checking if vagrant-reload is installed.. The vagrant-reload plugin is required and not currently installed. This script will attempt to install it now. Installing the 'vagrant-reload' plugin. This can take a few minutes... Installed the plugin 'vagrant-reload (0.0.1)'! [preflight_checks] Finished. [download_boxes] Running.. [download_boxes] Downloading windows_10_virtualbox.box
[download_boxes] Downloading windows_2016_virtualbox.box [download_boxes] Getting filehash for: windows_10_virtualbox.box [download_boxes] Getting filehash for: windows_2016_virtualbox.box [download_boxes] Checking Filehashes.. [download_boxes] Finished. [main] Running vagrant_up_host for: logger [vagrant_up_host] Running for logger Attempting to bring up the logger host using Vagrant [vagrant_up_host] Finished for logger. Got exit code: 0 [main] vagrant_up_host finished. Exitcode: 0 Good news! logger was built successfully! [main] Finished for: logger [main] Running vagrant_up_host for: dc [vagrant_up_host] Running for dc Attempting to bring up the dc host using Vagrant [vagrant_up_host] Finished for dc. Got exit code: 0 [main] vagrant_up_host finished. Exitcode: 0 Good news! dc was built successfully! [main] Finished for: dc [main] Running vagrant_up_host for: wef [vagrant_up_host] Running for wef Attempting to bring up the wef host using Vagrant [vagrant_up_host] Finished for wef. Got exit code: 0 [main] vagrant_up_host finished. Exitcode: 0 Good news! wef was built successfully! [main] Finished for: wef [main] Running vagrant_up_host for: win10 [vagrant_up_host] Running for win10 Attempting to bring up the win10 host using Vagrant [vagrant_up_host] Finished for win10. Got exit code: 1 [main] vagrant_up_host finished. Exitcode: 1 WARNING: Something went wrong while attempting to build the win10 box. Attempting to reload and reprovision the host... [main] Running vagrant_reload_host for: win10 [vagrant_reload_host] Running for win10 [vagrant_reload_host] Finished for win10. Got exit code: 1 C:\Users\root\git\detectionlab\DetectionLab\build.ps1 : Failed to bring up win10 after a reload. Exiting At line:1 char:1 + .\build.ps1 -ProviderName virtualbox -VagrantOnly + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException     + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,build.ps1
[main] Running post_build_checks [post_build_checks] Running Caldera Check. [download] Running for http://bit.ly/2TiiPyP, looking for [download] Found at http://bit.ly/2TiiPyP [post_build_checks] Cladera Result: True [post_build_checks] Running Splunk Check. [download] Running for http://bit.ly/2B9ay9D, looking for This browser is not supported by Splunk [download] Found This browser is not supported by Splunk at http://bit.ly/2B9ay9D [post_build_checks] Splunk Result: True [post_build_checks] Running Fleet Check. [download] Running for http://bit.ly/2Ti2euZ, looking for Kolide Fleet [download] Found Kolide Fleet at http://bit.ly/2Ti2euZ [post_build_checks] Fleet Result: True [post_build_checks] Running MS ATA Check. [download] Running for https://192.168.38.103, looking for [post_build_checks] ATA Result: True [main] Finished post_build_checks


Checking the VMs

I used the Virtualbox command line program to check the status of the new VMs.

root@LAPTOP-HT4TGVCP c:\Program Files\Oracle\VirtualBox>VBoxManage list runningvms "logger" {3da9fffb-4b02-4e57-a592-dd2322f14245} "dc.windomain.local" {ef32d493-845c-45dc-aff7-3a86d9c590cd} "wef.windomain.local" {7cd008b7-c6e0-421d-9655-8f92ec98d9d7} "win10.windomain.local" {acf413fb-6358-44df-ab9f-cc7767ed32bd} Interacting with Vagrant and the Logger Host

Next I decided to use Vagrant to check on the status of the boxes, and to interact with one if I could. I wanted to find the Bro and Suricata logs.

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab>cd Vagrant root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant status Current machine states:
logger                    running (virtualbox) dc                        running (virtualbox) wef                       running (virtualbox) win10                     running (virtualbox)
This environment represents multiple VMs. The VMs are all listed above with their current state. For more information about a specific VM, run `vagrant status NAME`.

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant ssh logger
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)
 * Documentation:  https://help.ubuntu.com  * Management:     http://bit.ly/XlAX5B  * Support:        http://bit.ly/29lyHJM
29 packages can be updated. 24 updates are security updates.

Last login: Sun Jan 27 19:24:05 2019 from 10.0.2.2
root@logger:~# /opt/bro/bin/broctl status Name         Type    Host             Status    Pid    Started manager      manager localhost        running   9848   27 Jan 17:19:15 proxy        proxy   localhost        running   9893   27 Jan 17:19:16 worker-eth1-1 worker  localhost        running   9945   27 Jan 17:19:17 worker-eth1-2 worker  localhost        running   9948   27 Jan 17:19:17
vagrant@logger:~$ ls -al /opt/bro total 32 drwxr-xr-x 8 root root 4096 Jan 27 17:19 . drwxr-xr-x 5 root root 4096 Jan 27 17:19 .. drwxr-xr-x 2 root root 4096 Jan 27 17:19 bin drwxrwsr-x 2 root bro  4096 Jan 27 17:19 etc drwxr-xr-x 3 root root 4096 Jan 27 17:19 lib drwxrws--- 3 root bro  4096 Jan 27 18:00 logs drwxr-xr-x 4 root root 4096 Jan 27 17:19 share drwxrws--- 8 root bro  4096 Jan 27 17:19 spool
vagrant@logger:~$ ls -al /opt/bro/logs ls: cannot open directory '/opt/bro/logs': Permission denied
vagrant@logger:~$ sudo bash
root@logger:~# ls -al /opt/bro/logs/ 2019-01-27/ current/
root@logger:~# ls -al /opt/bro/logs/current/ total 3664 drwxr-sr-x 2 root bro    4096 Jan 27 19:20 . drwxrws--- 8 root bro    4096 Jan 27 17:19 .. -rw-r--r-- 1 root bro     475 Jan 27 19:19 capture_loss.log -rw-r--r-- 1 root bro     127 Jan 27 17:19 .cmdline -rw-r--r-- 1 root bro   83234 Jan 27 19:30 communication.log -rw-r--r-- 1 root bro 1430714 Jan 27 19:30 conn.log -rw-r--r-- 1 root bro    1340 Jan 27 19:00 dce_rpc.log -rw-r--r-- 1 root bro  185114 Jan 27 19:28 dns.log -rw-r--r-- 1 root bro     310 Jan 27 17:19 .env_vars -rw-r--r-- 1 root bro  139387 Jan 27 19:30 files.log -rw-r--r-- 1 root bro  544416 Jan 27 19:30 http.log -rw-r--r-- 1 root bro     224 Jan 27 19:05 known_services.log -rw-r--r-- 1 root bro     956 Jan 27 19:19 notice.log -rw-r--r-- 1 root bro       5 Jan 27 17:19 .pid -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.capture_loss -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.communication -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.conn -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.conn-summary -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.dce_rpc -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.dns -rw-r--r-- 1 root bro      18 Jan 27 18:00 .rotated.dpd -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.files -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.http -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.kerberos -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.known_certs -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.known_hosts -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.known_services -rw-r--r-- 1 root bro      18 Jan 27 18:00 .rotated.loaded_scripts -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.notice -rw-r--r-- 1 root bro      18 Jan 27 18:00 .rotated.packet_filter -rw-r--r-- 1 root bro      18 Jan 27 18:00 .rotated.reporter -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.smb_files -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.smb_mapping -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.software -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.ssl -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.stats -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.weird -rw-r--r-- 1 root bro      18 Jan 27 19:00 .rotated.x509 -rw-r--r-- 1 root bro    1311 Jan 27 19:24 smb_mapping.log -rw-r--r-- 1 root bro   15767 Jan 27 19:30 ssl.log -rw-r--r-- 1 root bro      58 Jan 27 17:19 .startup -rw-r--r-- 1 root bro   11326 Jan 27 19:30 stats.log -rwx------ 1 root bro      18 Jan 27 17:19 .status -rw-r--r-- 1 root bro      80 Jan 27 19:00 stderr.log -rw-r--r-- 1 root bro     188 Jan 27 17:19 stdout.log -rw-r--r-- 1 root bro 1141860 Jan 27 19:30 weird.log -rw-r--r-- 1 root bro    2799 Jan 27 19:20 x509.log
root@logger:~# cd /opt/bro/logs/
root@logger:/opt/bro/logs# ls 2019-01-27  current
root@logger:/opt/bro/logs# cd current
root@logger:/opt/bro/logs/current# ls
capture_loss.log   conn.log     dns.log    http.log            notice.log     smb_mapping.log  stats.log   stdout.log  x509.log communication.log  dce_rpc.log  files.log  known_services.log  smb_files.log  ssl.log          stderr.log  weird.log
root@logger:/opt/bro/logs/current# jq  -c . dce_rpc.log  | head
{"ts":1548615615.836272,"uid":"CEmNr31qusp3G7GFg4","id.orig_h":"192.168.38.104","id.orig_p":49758,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe": "135","endpoint":"epmapper","operation":"ept_map"} {"ts":1548615615.83961,"uid":"CJO7xe4JUo43IjGG01","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.0003 57,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548615615.851544,"uid":"CJO7xe4JUo43IjGG01","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000 596,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548615615.835628,"uid":"CgEcizh05xJ1ricP8","id.orig_h":"192.168.38.104","id.orig_p":49758,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe":" 135","endpoint":"epmapper","operation":"ept_map"} {"ts":1548615615.839587,"uid":"CVV6WZ3vgpE673rl6a","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000 382,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548615615.852193,"uid":"CVV6WZ3vgpE673rl6a","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000 382,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"} {"ts":1548618003.200283,"uid":"CGYDww34wYz8eCYr96","id.orig_h":"192.168.38.103","id.orig_p":63295,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe": "135","endpoint":"epmapper","operation":"ept_map"} {"ts":1548618003.200403,"uid":"CrTZMz2nCXsiY5WOF8","id.orig_h":"192.168.38.103","id.orig_p":63295,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe": "135","endpoint":"epmapper","operation":"ept_map"}
root@logger:~# head /var/log/suricata/fast.log
01/27/2019-17:19:08.133030  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0 .2.15:51574 -> 195.135.221.134:80 01/27/2019-17:19:08.292747  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:55260 -> 99.84.178.103:80 01/27/2019-17:19:08.356618  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:55260 -> 99.84.178.103:80 01/27/2019-17:19:08.432477  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:46630 -> 91.189.95.83:80 01/27/2019-17:19:08.448249  [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:53932 -> 91.189.88.161:80 ...trimmed...


Docker on the Logger Host

Chris is using Docker to provide some of the Logger host functions, e.g.:

root@logger:~# docker container ls CONTAINER ID        IMAGE                    COMMAND                   CREATED             STATUS              PORTS                              NAMES 343c18f933d9        kolide/fleet:latest      "sh -c 'echo '\\n' | …"   3 hours ago         Up 3 hours          0.0.0.0:8412->8412/tcp             kolidequic kstart_fleet_1 513cb0d61401        mysql:5.7                "docker-entrypoint.s…"    3 hours ago         Up 3 hours          3306/tcp, 33060/tcp                kolidequic kstart_mysql_1 b0278855b130        mailhog/mailhog:latest   "MailHog"                 3 hours ago         Up 3 hours          1025/tcp, 0.0.0.0:8025->8025/tcp   kolidequic kstart_mailhog_1 ddcd3e59dda2        redis:3.2.4              "docker-entrypoint.s…"    3 hours ago         Up 3 hours          6379/tcp                           kolidequic kstart_redis_1 Troubleshooting Localhost Bindings

One of the issues I encountered involved the IP addresses to which VMs bound their Virtualbox Remote Display Protocol servers. The default configuration bound them to localhost on my Windows laptop. That was ok if I was interacting with that laptop in person, but I was doing this work remotely.

I could RDP to the laptop, and then RDP from the laptop to the VMs. This works, but it was a slight hassle to log into the Windows 2016 server which required a ctrl-alt-del sequence. This is a nuanced issue that can be solved by using the on screen keyboard (osk.exe) to enter the ctrl-alt-end sequence on the remote laptop, but I wanted an easier solution.

Dustin Lee

, who has done a lot of work customized DetectionLab to include Security Onion (a future post maybe?) suggested I modify the Vagrantfile with the following bolded content. This example is for the wef host in the Vagrantfile.

    cfg.vm.provider "virtualbox" do |vb, override|       vb.gui = true       vb.name = "wef.windomain.local"       vb.default_nic_type = "82545EM"       vb.customize ["modifyvm", :id, "--vrde", "on"]       vb.customize ["modifyvm", :id, "--vrdeaddress", "0.0.0.0"]       vb.customize ["modifyvm", :id, "--memory", 2048]       vb.customize ["modifyvm", :id, "--cpus", 2]       vb.customize ["modifyvm", :id, "--vram", "32"]       vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]     end

Basically, add the bold entries wherever you see a "virtualbox" option, to enable the VRDP server binding to 0.0.0.0 (which should be all IP addresses, to include the public IP, as I want).

Before I restarted the wef host, you can see below how the VRDE server is listening only on localhost on port 5932 (in bold).

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo wef.windomain.local | findstr /I vrde
VRDE:                        enabled (Address 127.0.0.1, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null) ...trimmed...
After changing the Vagrant file, I restarted the wef host using Vagrant. root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant reload wef ==> wef: Attempting graceful shutdown of VM... ==> wef: Clearing any previously set forwarded ports... ==> wef: Fixed port collision for 3389 => 3389. Now on port 2201. ==> wef: Fixed port collision for 22 => 2222. Now on port 2202. ==> wef: Fixed port collision for 5985 => 55985. Now on port 2203. ==> wef: Fixed port collision for 5986 => 55986. Now on port 2204. ==> wef: Clearing any previously set network interfaces... ==> wef: Preparing network interfaces based on configuration...     wef: Adapter 1: nat     wef: Adapter 2: hostonly ==> wef: Forwarding ports...     wef: 3389 (guest) => 2201 (host) (adapter 1)     wef: 22 (guest) => 2202 (host) (adapter 1)     wef: 5985 (guest) => 2203 (host) (adapter 1)     wef: 5986 (guest) => 2204 (host) (adapter 1) ==> wef: Running 'pre-boot' VM customizations... ==> wef: Booting VM... ==> wef: Waiting for machine to boot. This may take a few minutes...     wef: WinRM address: 127.0.0.1:2203     wef: WinRM username: vagrant     wef: WinRM execution_time_limit: PT2H     wef: WinRM transport: negotiate ==> wef: Machine booted and ready! ==> wef: Checking for guest additions in VM...     wef: The guest additions on this VM do not match the installed version of     wef: VirtualBox! In most cases this is fine, but in rare cases it can     wef: prevent things such as shared folders from working properly. If you see     wef: shared folder errors, please make sure the guest additions within the     wef: virtual machine match the version of VirtualBox you have installed on     wef: your host and reload your VM.     wef:     wef: Guest Additions Version: 5.2.16     wef: VirtualBox Version: 6.0 ==> wef: Setting hostname... ==> wef: Configuring and enabling network interfaces... ==> wef: Mounting shared folders...     wef: /vagrant =>  
The bolded entry about port 2201 means I can log into the wef host as user vagrant / password vagrant, over RDP, directly from another computer.

After restarting the wef host, I check to see what IP address and port the RDP server is listening (in bold):
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo wef.windomain.local | findstr /I vrde VRDE:                        enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null) ...trimmed...

This should allow me to access the "screen" of the VM via port 5932 and the IP of the host laptop. Unfortunately, there is some sort of conflict, as I saw the domain controller also reserved the same port for its VRDE.

root@LAPTOP-HT4TGVCP C:\Users\root>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo dc.windomain.local | findstr /I vrde
VRDE:                        enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null) ...trimmed...

I encountered a similar issue with the domain controller also failing to resolve a conflict with the host system RDP port.

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant reload dc ==> dc: Attempting graceful shutdown of VM... ==> dc: Clearing any previously set forwarded ports... ==> dc: Fixed port collision for 22 => 2222. Now on port 2200. ==> dc: Clearing any previously set network interfaces... ==> dc: Preparing network interfaces based on configuration...     dc: Adapter 1: nat     dc: Adapter 2: hostonly ==> dc: Forwarding ports...     dc: 3389 (guest) => 3389 (host) (adapter 1)     dc: 22 (guest) => 2200 (host) (adapter 1)     dc: 5985 (guest) => 55985 (host) (adapter 1)     dc: 5986 (guest) => 55986 (host) (adapter 1)


I haven't solved these problems yet. I wonder if it's a result of using pre-built VMs, which use the 5.x series of Virtualbox extensions, while my Virtualbox system runs 6.0?


Summary

These are minor issues, for the result of all this work is four systems offering Windows client and server features, plus instrumentation. That could be another topic for discussion. I'm also excited by the prospect of

running all of this in the cloud

. Furthermore,

Dustin Lee

has a

fork of DetectionLab

that replaces some of the instrumentation with Security Onion!



from TaoSecurity http://bit.ly/2DCEiNu

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.