One Click Forensics Lab in the Cloud


By: Jason Alvarez
Follow me on Twitter: @0xBanana


Deploy a DFIR forensics lab with one script on Google Cloud Platform!

In part one of this series we covered the initial automation of our cloud forensics laboratory. In this installment we are going to build out the individual instances and take a look at a really cool piece of software that I stumbled upon in my internet travels.

Reviewing our infrastructure diagram, we have the following VPC:

Our instances exist but are otherwise in a default, unconfigured state.

There is also a minor change: SIFT has been replaced by REMnux due to the nature of the toolset (and ease of installation).


  1. Kali - Kali Linux Distribution Homepage

Installing Kali on top of an Ubuntu system is documented, and while this won’t be the first (or the last) write-up of it, hopefully the code snippets below guide you more than I was guided.

What is it & Why do we want it

Kali Linux is a prepackaged and preconfigured distribution that’s focused on red teaming and penetration testing. It’s a great distro for anyone looking to have a set of tools at the ready, though I would expect more seasoned users to have their own preferred applications and installation scripts. It also ships plenty of enumeration and intelligence-gathering tools, so while it is not strictly malware focused, it’s something I want to have available.

Installation

Let’s take a look at the system startup script. It’s not terribly long, so let’s go through it line by line to get a thorough understanding.

#! /bin/bash

The first line declares this as a script to be interpreted with /bin/bash; it can just as easily be replaced with the shell or scripting language of your choice:

#!/bin/sh — Execute the file using sh, the Bourne shell, or a compatible shell
#!/bin/csh — Execute the file using csh, the C shell, or a compatible shell
#!/usr/bin/perl -T — Execute using Perl with the option for taint checks
#!/usr/bin/php — Execute the file using the PHP command line interpreter
#!/usr/bin/python -O — Execute using Python with optimizations to code
#!/usr/bin/ruby — Execute using Ruby

Shebang (Unix) - Wikipedia

sudo su -

Elevate our user permissions to root, as the subsequent commands need higher privileges than the standard user provides. (On Compute Engine the metadata startup script is already executed as root, so this line is harmless but not strictly required.)

export DEBIAN_FRONTEND=noninteractive

This environment variable tells the Debian package tooling used during the Kali Linux install to take the default options, since we have no way to interact with it and select choices.

wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-key.asc

Download the Kali Linux public repository key and save it in the appropriate trusted-keys folder.

echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list

Append the Kali Linux repository to the system package manager’s sources list.

This line uses echo and >> to append text to a specified file (/etc/apt/sources.list). The same technique can be applied to any text and any file. Be careful not to mix up append (>>) with plain redirect (>), or you’ll end up with a file that has less data than you’re expecting!
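Because the startup script runs again on every boot, a bare `echo ... >> file` also has a second failure mode: the same repository line gets appended once per boot. The helper below is an added example, not code from the original post; it appends a line only when that exact line is not already present, and `count_line` is a hypothetical helper used to check the result on a scratch file rather than on the real /etc/apt/sources.list.

```shell
#!/bin/bash
# Added example (not from the original post): append a line to a file only if
# that exact line is not already in it. Safe to re-run on every boot.

append_once() {
  # $1 = line to add, $2 = target file
  line="$1"
  file="$2"
  # Create the file if missing so grep has something to read.
  [ -e "$file" ] || : > "$file"
  # -x whole-line match, -F fixed string (no regex), -q quiet
  if grep -qxF -- "$line" "$file"; then
    return 0            # already present, nothing to do
  fi
  printf '%s\n' "$line" >> "$file"
}

# Hypothetical helper: how many times does the exact line occur in the file?
count_line() {
  grep -cxF -- "$1" "$2"
}

# Demonstration on a constructed scratch file standing in for sources.list.
# Two calls with the same repo line must leave exactly one copy.
demo_append_once() {
  tmp=$(mktemp)
  repo='deb http://http.kali.org/kali kali-rolling main contrib non-free'
  append_once "$repo" "$tmp"
  append_once "$repo" "$tmp"   # second boot: no-op
  n=$(count_line "$repo" "$tmp")
  rm -f "$tmp"
  echo "$n"                    # prints 1
}
```

The same idea applies to any "edit a system file from a startup script" step: make the step idempotent, or the N-th boot leaves the system in a different state than the first.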

apt-get update

Refresh the package manager’s index with the contents of the newly added Kali Linux repository.

apt-get install -yq kali-linux-default

Kali Linux offers various “metapackages”, packages that represent an application group or system configuration. For our purposes we’re going to choose kali-linux-default.

I couldn’t find a vendor-supplied or even up-to-date list of the metapackages offered, so here’s the current list. Use any or all that suit your system’s needs.

kali-linux-arm - Kali Linux ARM system
kali-linux-core - Kali Linux base system
kali-linux-default - Kali Linux default system
kali-linux-everything - Everything in Kali Linux
kali-linux-large - Kali Linux large system
kali-linux-nethunter - Kali Linux NetHunter tools
kali-menu - Kali Linux custom menu
kali-tools-802-11 - Kali Linux 802.11 attacks tools
kali-tools-bluetooth - Kali Linux bluetooth attacks tools
kali-tools-crypto-stego - Kali Linux Cryptography and Steganography tools
kali-tools-database - Kali Linux database assessment tools menu
kali-tools-exploitation - Kali Linux exploitation tools menu
kali-tools-forensics - Kali Linux forensic tools menu
kali-tools-fuzzing - Kali Linux fuzzing attacks tools
kali-tools-gpu - Kali Linux GPU tools
kali-tools-hardware - Kali Linux hardware attacks tools
kali-tools-headless - Kali Linux headless tools
kali-tools-information-gathering - Kali Linux information gathering menu
kali-tools-passwords - Kali Linux password cracking tools menu
kali-tools-post-exploitation - Kali Linux post exploitation tools menu
kali-tools-reporting - Kali Linux reporting tools menu
kali-tools-reverse-engineering - Kali Linux reverse engineering menu
kali-tools-rfid - Kali Linux RFID tools
kali-tools-sdr - Kali Linux SDR tools
kali-tools-sniffing-spoofing - Kali Linux sniffing & spoofing tools menu
kali-tools-social-engineering - Kali Linux social engineering tools menu
kali-tools-top10 - Kali Linux top 10 tools
kali-tools-voip - Kali Linux VoIP tools
kali-tools-vulnerability - Kali Linux vulnerability analysis menu
kali-tools-web - Kali Linux webapp assessment tools menu
kali-tools-windows-resources - Kali Linux Windows resources
kali-tools-wireless - Kali Linux wireless tools menu

sudo dpkg --configure -a

Ask the system to finish configuring any installed packages that have not yet been configured.

touch /FINISHED.FLAG

Create a file in the root directory named FINISHED.FLAG. Since our system is performing this setup headlessly, we want an indication of when the startup script has completed.

  2. REMnux - A Linux Toolkit for Malware Analysts

What is it & Why do we want it

REMnux is to reverse engineers what Kali is to penetration testers: your all-in-one toolkit for analyzing malicious software.

Installation

Having analyzed the Kali Linux install script in detail, let’s move a little faster through this one.

#! /bin/bash — A bash script heading
sudo su - — Elevate our privileges to the root user
wget https://REMnux.org/remnux-cli — Download the REMnux CLI tool
mv remnux-cli remnux — Rename the tool
chmod +x remnux — Give the file executable permissions
mv remnux /usr/local/bin — Move the executable to a folder in the system $PATH
remnux install --mode=cloud — Run the installer in cloud mode
touch /FINISHED.FLAG — Let us know the setup is done

  3. Honeypot - (T-Pot)

What is it & Why do we want it

T-Pot is a low-interaction honeypot all-in-one single pane of glass (did I get enough buzzwords in there?). It runs a dozen honeypots and aggregates all of that data into an ELK stack for analysis and visualization.

It has a very simple setup and gives the user a rich dashboard of analytics and the tools to dig in and analyze incoming threats.

(Longer post coming soon!)

Installation

After reviewing the first two installation scripts, I want to leave the comprehension of the individual commands to you, the reader. The script is short and the blocks are outlined; I know you can do it.

#!/bin/bash

# Abort on the first failed command so the flag is only written after a
# successful install; the next boot then retries.
set -e

# Only install if the flag from a previous boot does not exist yet
if [[ ! -e /FINISHED.FLAG ]]; then
  sudo su -

  # Clone the tpot repo
  git clone https://github.com/telekom-security/tpotce.git

  # installation instructions from repo
  cd tpotce/iso/installer/
  cp tpot.conf.dist tpot.conf
  ./install.sh --type=auto --conf=tpot.conf

  touch /FINISHED.FLAG

  # reboot the system
  reboot -n
fi

Bringing it all together

In the first post we left out all the scripts that we’ve spent time reviewing and understanding above, and in this post we went over what goes into a system startup script. It’s important to note that the startup script runs EVERY TIME the system is booted, which is not ideal for persistent systems, or for systems that need to reboot during installation of tools or setup. The last script, for our honeypot, contains some conditional code to prevent the commands from running again. It would be beneficial to add that code to our other scripts to make them more robust; this is another task I’ll leave to you, the reader.

Below is the full bash deployment script. Once executed it will take a few minutes to provision the network and compute resources and then another 10-15 minutes to perform system setup. Another reason for the flag files is to know when the headless setup has completed: just check for their existence to know your code has completed successfully and your system is set up!
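The flag-file guard the honeypot script relies on is reusable. The block below is an added example, not code from the original post: `run_once` is a hypothetical helper that runs an install step only while the flag is absent and writes the flag only if the step succeeded, so a failed install is retried on the next boot instead of being silently marked as finished. `fake_install` is a constructed stand-in for a real install step, and the simulated "two boots" use a temporary directory rather than / so the example runs anywhere.

```shell
#!/bin/bash
# Added example (not from the original post): a flag-file guard for Compute
# Engine startup scripts, which run on EVERY boot.

# run_once FLAG COMMAND [ARGS...]
#   Runs COMMAND only if FLAG does not exist, then creates FLAG.
#   Returns 0 if the step ran or was already done; returns 1 (and leaves
#   no flag behind) if the step failed, so the next boot retries it.
run_once() {
  flag="$1"
  shift
  if [ -e "$flag" ]; then
    echo "skipping: $flag already exists" >&2
    return 0
  fi
  if "$@"; then
    touch "$flag"
  else
    echo "setup failed; not writing $flag" >&2
    return 1
  fi
}

# Constructed stand-in for an install step: appends one line per invocation
# so we can count how many times it actually ran.
fake_install() {
  echo "install ran" >> "$1"
}

# Simulate two boots of the same machine. The install step must run on the
# first boot only; the function echoes the number of times it ran.
simulate_two_boots() {
  dir=$(mktemp -d)
  run_once "$dir/FINISHED.FLAG" fake_install "$dir/install.log"
  run_once "$dir/FINISHED.FLAG" fake_install "$dir/install.log"
  n=$(grep -c 'install ran' "$dir/install.log")
  rm -rf "$dir"
  echo "$n"   # prints 1
}
```

In a real startup script the call would look like `run_once /FINISHED.FLAG my_install_steps`, with the install commands wrapped in a function; the one thing the original scripts miss is that `touch /FINISHED.FLAG` should only happen after the install succeeded, which is what the `if "$@"` branch enforces.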

Deploy_Cloud_Lab_v2.sh

#!/bin/bash

# Stop at the first failed gcloud command rather than continuing with
# half-built infrastructure.
set -e

# Instances must live in a zone of the same region as the subnets below.
# us-east1-b is an assumption; any us-east1 zone works.
ZONE=us-east1-b

echo "Create VPC and subnets"
gcloud compute networks create lab-net --subnet-mode=custom --bgp-routing-mode=regional

gcloud compute networks subnets create safe --range=192.168.0.0/24 --network=lab-net --region=us-east1

gcloud compute networks subnets create unsafe --range=192.168.128.0/29 --network=lab-net --region=us-east1

# The startup scripts are passed inline; the shebang must be the first
# characters of the string. Startup scripts already run as root on Compute
# Engine, so the "sudo su -" lines are optional.
echo "Creating REMNUX instance"
gcloud compute instances create sift-1 --tags=admin --zone="$ZONE" --subnet=safe \
  --metadata startup-script='#! /bin/bash
sudo su -
wget https://REMnux.org/remnux-cli
mv remnux-cli remnux
chmod +x remnux
mv remnux /usr/local/bin
remnux install --mode=cloud
touch /FINISHED.FLAG'

echo "Creating Kali instance"
gcloud compute instances create kali-1 --tags=admin --zone="$ZONE" --subnet=safe \
  --metadata startup-script='#! /bin/bash
sudo su -
export DEBIAN_FRONTEND=noninteractive
wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-key.asc
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
apt-get update
apt-get install -yq kali-linux-default
dpkg --configure -a
touch /FINISHED.FLAG'

echo "Creating Honeypot instance"
gcloud compute instances create honeypot-1 --tags=insecure --zone="$ZONE" --subnet=unsafe \
  --metadata startup-script='#! /bin/bash
# Only install on the first boot; the startup script runs on every boot
if [[ ! -e /FINISHED.FLAG ]]; then
  sudo su -
  # Clone the tpot repo
  git clone https://github.com/telekom-security/tpotce.git

  # installation instructions from repo
  cd tpotce/iso/installer/
  cp tpot.conf.dist tpot.conf
  ./install.sh --type=auto --conf=tpot.conf

  touch /FINISHED.FLAG
  # reboot the system
  reboot -n
fi'

echo "Create Bucket for storage"
# Bucket names are global across all of GCS; pick another name if this one is taken.
gsutil mb gs://bucket-of-bad-stuff

echo "Adding firewall rules"

# Management access to the admin hosts. 0.0.0.0/0 exposes SSH and HTTP(S) to
# the whole internet; narrow --source-ranges to your own address where you can.
gcloud compute firewall-rules create allow-ingress-admin-lab-net --direction=INGRESS --priority=1000 --network=lab-net --action=ALLOW --rules=tcp:22,tcp:80,tcp:443,icmp --source-ranges=0.0.0.0/0 --target-tags=admin

# The honeypot intentionally accepts everything from everywhere.
gcloud compute firewall-rules create allow-ingress-insecure-lab-net --direction=INGRESS --priority=1000 --network=lab-net --action=ALLOW --rules=all --source-ranges=0.0.0.0/0 --target-tags=insecure

echo "Done"

I hope you enjoyed this post, the next installment in this series will cover building this same environment using Terraform in GCP.
