One Click Forensics Lab in the Cloud
In part one of this series we covered the initial automation of our cloud forensics laboratory. In this installment we are going to build out the individual instances and take a look at a really cool piece of software that I stumbled upon in my internet travels.
Reviewing our infrastructure diagram, we have the following VPC:
Our instances exist but are otherwise in a default and unconfigured state.
There is also a minor change: SIFT has been replaced by REMnux, due to the nature of its toolset (and ease of installation).
- Kali - Kali Linux Distribution Homepage
Installing Kali on top of an Ubuntu system is documented, and while this won't be the first (or the last) write-up of it, hopefully the code snippets below guide you more than I was guided. One caveat up front: Kali's own documentation warns that layering the kali-rolling repository onto another Debian-based system can break package dependencies, so treat the result as a disposable lab box rather than a long-lived workstation.
What is it & Why do we want it
Kali Linux is a prepackaged and preconfigured distribution that's focused on red teaming and penetration testing. It's a great distro for anyone looking to have a set of tools at the ready, though I would expect more seasoned users to have their own preferred applications and installation scripts. There are plenty of enumeration and intelligence gathering tools as well, so while it is not strictly malware focused, it's something I want to have available.
Let's take a look at the system startup script. It's not terribly long, so let's go through it line by line to get a thorough understanding.
The first line, #!/bin/bash, declares this as a script to be interpreted with /bin/bash. It can just as easily be replaced with the shell or scripting language of your choice; a few common shebang lines:
#!/bin/sh — Execute the file using sh, the Bourne shell, or a compatible shell
#!/bin/csh — Execute the file using csh, the C shell, or a compatible shell
#!/usr/bin/perl -T — Execute using Perl with the option for taint checks
#!/usr/bin/php — Execute the file using the PHP command line interpreter
#!/usr/bin/python -O — Execute using Python with optimizations to code
#!/usr/bin/ruby — Execute using Ruby
sudo su -
Elevate our permissions to root, as the subsequent commands need more privileges than the standard user has. Two caveats for this particular environment: Compute Engine already runs startup scripts as root, so the line is redundant, and inside a non-interactive script sudo su - does not make the following lines run as root anyway; it starts a separate login shell, and the rest of the script only continues (as the original user) once that shell exits.
The next line, export DEBIAN_FRONTEND=noninteractive, sets a variable that the Debian package tools honour during the Kali install so that configuration prompts are answered with their default options; the script runs headlessly, so nothing could answer them otherwise.
wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-key.asc
Download the Kali Linux repository signing key and save it in the directory apt trusts. It is worth comparing the key's fingerprint with the one published on the Kali site before relying on it; every package installed below is only as trustworthy as this key.
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
Append the Kali Linux repository to the system package manager's sources list. This line uses >> to add text to a specified file (/etc/apt/sources.list); the same technique can be applied to any text and any file. Be careful not to mix up redirect-and-append (>>) with plain redirect (>), or you'll end up with a file that has less data than you're expecting! Also keep in mind that a startup script runs on every boot, so this append runs on every boot too: each restart adds another copy of the repository line unless the script checks for it first.
The apt-get update line refreshes the package manager's index with the contents of the newly added Kali Linux repository.
apt-get install -yq kali-linux-default
Kali Linux offers various "metapackages", packages that stand in for an application group or system configuration. For our purposes we're going to choose kali-linux-default, which pulls in the tools most people expect from a Kali install. The -y flag answers yes to the install prompt and -q quiets the output, both of which matter when nobody is watching the terminal.
I couldn't find a vendor-supplied or even up-to-date list of the metapackages offered, so here's the current list. Use any or all that suit your system's needs.
- kali-linux-arm - Kali Linux ARM system
- kali-linux-core - Kali Linux base system
- kali-linux-default - Kali Linux default system
- kali-linux-everything - Everything in Kali Linux
- kali-linux-large - Kali Linux large system
- kali-linux-nethunter - Kali Linux NetHunter tools
- kali-menu - Kali Linux custom menu
- kali-tools-802-11 - Kali Linux 802.11 attacks tools
- kali-tools-bluetooth - Kali Linux bluetooth attacks tools
- kali-tools-crypto-stego - Kali Linux Cryptography and Steganography tools
- kali-tools-database - Kali Linux database assessment tools menu
- kali-tools-exploitation - Kali Linux exploitation tools menu
- kali-tools-forensics - Kali Linux forensic tools menu
- kali-tools-fuzzing - Kali Linux fuzzing attacks tools
- kali-tools-gpu - Kali Linux GPU tools
- kali-tools-hardware - Kali Linux hardware attacks tools
- kali-tools-headless - Kali Linux headless tools
- kali-tools-information-gathering - Kali Linux information gathering menu
- kali-tools-passwords - Kali Linux password cracking tools menu
- kali-tools-post-exploitation - Kali Linux post exploitation tools menu
- kali-tools-reporting - Kali Linux reporting tools menu
- kali-tools-reverse-engineering - Kali Linux reverse engineering menu
- kali-tools-rfid - Kali Linux RFID tools
- kali-tools-sdr - Kali Linux SDR tools
- kali-tools-sniffing-spoofing - Kali Linux sniffing & spoofing tools menu
- kali-tools-social-engineering - Kali Linux social engineering tools menu
- kali-tools-top10 - Kali Linux top 10 tools
- kali-tools-voip - Kali Linux VoIP tools
- kali-tools-vulnerability - Kali Linux vulnerability analysis menu
- kali-tools-web - Kali Linux webapp assessment tools menu
- kali-tools-windows-resources - Kali Linux Windows resources
- kali-tools-wireless - Kali Linux wireless tools menu
sudo dpkg --configure -a
We ask dpkg to finish configuring any installed packages that are not yet configured, which picks up anything the apt-get step left half done.
Finally, touch /FINISHED.FLAG creates a file in the root directory named FINISHED.FLAG. Since our system is performing this setup headlessly, we want an indication of when the startup script has completed.
- REMnux - A Linux Toolkit for Malware Analysts
What is it & Why do we want it
REMnux is to malware reverse engineers what Kali is to penetration testers: an all-in-one toolkit for analyzing malicious software.
Having analyzed the Kali Linux install script in detail, let’s move a little faster through this one.
#! /bin/bash — A bash script heading
sudo su - — Elevate our privileges to the root user
wget https://REMnux.org/remnux-cli — Download the REMnux installer script (compare its hash with the value published on the REMnux site before running it)
mv remnux-cli remnux — Rename the tool filename
chmod +x remnux — Give the file executable permissions
mv remnux /usr/local/bin — Move the executable to a folder in the system
remnux install --mode=cloud — Run the installer in cloud mode, which targets a headless system
touch /FINISHED.FLAG — Let us know the setup is done
- Honeypot - (T-pot)
What is it & Why do we want it
T-Pot is an all-in-one, single-pane-of-glass multi-honeypot platform (did I get enough buzzwords in there?). It runs a dozen or so honeypots and aggregates all of their data into an ELK stack for analysis and visualization.
It has a very simple setup and gives the user a rich dashboard of analytics and the tools to dig in and analyze incoming threats.
(Longer post coming soon!)
After reviewing the first two installation scripts, I want to leave the comprehension of the individual commands to you, the reader. The script is short and the blocks are commented; I know you can do it.
#!/bin/bash
# Only install when the marker from an earlier boot is absent.
# -f tests whether the file exists; then/fi must be lowercase.
if [[ ! -f /FINISHED.FLAG ]]; then
    # Startup scripts already run as root on GCE, so no sudo su - is needed
    # Clone the tpot repo
    git clone https://github.com/telekom-security/tpotce.git
    # installation instructions from repo
    cd tpotce/iso/installer/
    cp tpot.conf.dist tpot.conf
    ./install.sh --type=auto --conf=tpot.conf
    touch /FINISHED.FLAG
    # reboot the system (no -n, so the flag file is synced to disk first)
    reboot
fi
Bringing it all together
In the first post we left out all the scripts that we've spent time above reviewing and understanding, and in this post we went over what goes into a system startup script. It's important to note that the startup script runs EVERY TIME the system boots, which is not ideal for persistent systems or for systems that need to reboot during tool installation or setup. The last script, for our honeypot, wraps its commands in a conditional on the flag file so they only run once; a test of the form [[ ! -f /FINISHED.FLAG ]] is what makes that work. It would be beneficial to add the same guard to our other scripts to make them more robust; this is another task I'll leave to you, the reader.
Below is the full bash deployment script. Once executed it will take a few minutes to provision the network and compute resources and then another 10-15 minutes to perform system setup. Another reason for the flag files is to know when the headless setup has completed: just check for their existence to know your code has completed successfully and your system is set up!
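One way to build that robustness, as an added example rather than the post's own scripts: three small shell helpers that make a startup script safe to run on every boot. append_once keeps the sources.list append from adding a duplicate line each reboot, run_once guards an expensive step behind a flag file and only writes the flag when the step succeeded (syncing it to disk so a following reboot cannot lose it), and wait_for_flag is the poll you would run to learn that the headless setup finished. The kali_setup function at the end reassembles the Kali steps from above using these helpers. It relies on Compute Engine running startup scripts as root, so there is no sudo su -; the KALI_KEY.FLAG name and the "kali" argument that triggers the install are assumptions, and the test paths are constructed.

```shell
#!/bin/bash
# Added example, not the post's own script: helpers for a startup script that
# is executed on every boot. POSIX sh compatible; no bashisms.

# Append LINE to FILE only if an identical line is not already present.
# Using a bare `echo ... >> FILE` in a startup script adds a copy per boot.
append_once() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Run COMMAND... once: skip when FLAG exists, create FLAG only on success.
# Returns the command's exit status (0 when the step was skipped).
run_once() {
    flag=$1
    shift
    if [ -f "$flag" ]; then
        echo "run_once: $flag exists, skipping: $*" >&2
        return 0
    fi
    "$@" && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        touch "$flag"
        sync || true        # flush the marker before any reboot that follows
    else
        echo "run_once: '$*' failed with status $status; $flag not created" >&2
    fi
    return "$status"
}

# Poll for FLAG up to MAX_POLLS times, sleeping INTERVAL seconds between polls.
# Returns 0 once the file appears, 1 on timeout.
wait_for_flag() {
    flag=$1
    max_polls=${2:-900}
    interval=${3:-1}
    polls=0
    while [ ! -f "$flag" ]; do
        if [ "$polls" -ge "$max_polls" ]; then
            echo "wait_for_flag: $flag not seen after $max_polls polls" >&2
            return 1
        fi
        sleep "$interval"
        polls=$((polls + 1))
    done
    return 0
}

# The Kali install proper, as one step so the flag only lands if all of it worked.
kali_install() {
    apt-get update &&
    apt-get install -yq kali-linux-default &&
    dpkg --configure -a
}

# The post's Kali steps rebuilt with the helpers. Flag names other than
# FINISHED.FLAG are assumptions.
kali_setup() {
    export DEBIAN_FRONTEND=noninteractive
    run_once /KALI_KEY.FLAG \
        wget -q https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-key.asc
    append_once /etc/apt/sources.list \
        'deb http://http.kali.org/kali kali-rolling main contrib non-free'
    run_once /FINISHED.FLAG kali_install
}

# Only perform the install when explicitly asked (./startup.sh kali), so the
# helpers can be sourced or tested without touching the system.
case "${1:-}" in
    kali) kali_setup ;;
esac
```

Against a real instance the same poll can be driven from your workstation by repeating gcloud compute ssh kali-1 --command='test -f /FINISHED.FLAG' until it returns zero.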
#!/bin/bash
echo "Create VPC and subnets"
gcloud compute networks create lab-net --subnet-mode=custom --bgp-routing-mode=regional
gcloud compute networks subnets create safe --range=192.168.0.0/24 --network=lab-net --region=us-east1
gcloud compute networks subnets create unsafe --range=192.168.128.0/29 --network=lab-net --region=us-east1

# Instances must be placed in the lab subnets explicitly; without --subnet they
# land in the project's default network, where the lab-net firewall rules never
# apply. ZONE is an assumption: any zone in us-east1 works with regional subnets.
# Startup scripts run as root on GCE, so no sudo su - is needed inside them.
ZONE=us-east1-b

echo "Creating REMNUX instance"
# (the instance keeps the sift-1 name from the original SIFT design)
gcloud compute instances create sift-1 --zone=$ZONE --subnet=safe --tags=admin \
  --metadata startup-script='#! /bin/bash
wget https://REMnux.org/remnux-cli
mv remnux-cli remnux
chmod +x remnux
mv remnux /usr/local/bin
remnux install --mode=cloud
touch /FINISHED.FLAG'

echo "Creating Kali instance"
gcloud compute instances create kali-1 --zone=$ZONE --subnet=safe --tags=admin \
  --metadata startup-script='#! /bin/bash
export DEBIAN_FRONTEND=noninteractive
wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-key.asc
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
apt-get update
apt-get install -yq kali-linux-default
dpkg --configure -a
touch /FINISHED.FLAG'

echo "Creating Honeypot instance"
gcloud compute instances create honeypot-1 --zone=$ZONE --subnet=unsafe --tags=insecure \
  --metadata startup-script='#! /bin/bash
# -f tests for the flag file, so the install only runs on the first boot
if [[ ! -f /FINISHED.FLAG ]]; then
  # Clone the tpot repo
  git clone https://github.com/telekom-security/tpotce.git
  # installation instructions from repo
  cd tpotce/iso/installer/
  cp tpot.conf.dist tpot.conf
  ./install.sh --type=auto --conf=tpot.conf
  touch /FINISHED.FLAG
  # reboot the system (no -n, so the flag file is synced to disk first)
  reboot
fi'

echo "Create Bucket for storage"
gsutil mb gs://bucket-of-bad-stuff

echo "Adding firewall rules"
# The admin rule is open to the whole internet on SSH/HTTP/HTTPS; narrow
# --source-ranges to your own address for anything beyond a throwaway lab.
gcloud compute firewall-rules create allow-ingress-admin-lab-net --direction=INGRESS --priority=1000 --network=lab-net --action=ALLOW --rules=tcp:22,tcp:80,tcp:443,icmp --source-ranges=0.0.0.0/0 --target-tags=admin
gcloud compute firewall-rules create allow-ingress-insecure-lab-net --direction=INGRESS --priority=1000 --network=lab-net --action=ALLOW --rules=all --source-ranges=0.0.0.0/0 --target-tags=insecure
echo "Done"
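The admin firewall rule above allows SSH, HTTP and HTTPS from 0.0.0.0/0, which is the one line of this script I would not run as written; only the honeypot is meant to be exposed to the internet. As an added example (not part of the post's deployment script): a guard that validates the --source-ranges value for the admin rule and refuses any range wider than a threshold before gcloud is ever called. The gcloud command is the post's own; the MIN_ADMIN_PREFIX threshold of /24 and the GCLOUD override variable are assumptions, and the addresses in the test are constructed documentation ranges.

```shell
#!/bin/bash
# Added example, not the post's own script: refuse to create the "admin"
# firewall rule when its source range is effectively the whole internet.

GCLOUD="${GCLOUD:-gcloud}"                  # override to avoid real API calls
MIN_ADMIN_PREFIX="${MIN_ADMIN_PREFIX:-24}"  # assumption: admin ranges must be /24 or tighter

# Validate one IPv4 CIDR: four octets 0-255 and a prefix length 0-32.
valid_cidr() {
    cidr=$1
    case $cidr in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${cidr%/*}
    prefix=${cidr#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept a comma-separated --source-ranges value for an admin rule only if
# every range is well-formed and no wider than /MIN_ADMIN_PREFIX.
admin_ranges_ok() {
    ranges=$1
    [ -n "$ranges" ] || return 1
    oldifs=$IFS; IFS=,
    set -- $ranges
    IFS=$oldifs
    for r in "$@"; do
        valid_cidr "$r" || { echo "admin_ranges_ok: bad CIDR: $r" >&2; return 1; }
        if [ "${r#*/}" -lt "$MIN_ADMIN_PREFIX" ]; then
            echo "admin_ranges_ok: refusing admin rule open to $r (wider than /$MIN_ADMIN_PREFIX)" >&2
            return 1
        fi
    done
    return 0
}

# The post's admin rule, created only after the source ranges pass the check.
create_admin_rule() {
    ranges=$1
    admin_ranges_ok "$ranges" || return 1
    "$GCLOUD" compute firewall-rules create allow-ingress-admin-lab-net \
        --direction=INGRESS --priority=1000 --network=lab-net --action=ALLOW \
        --rules=tcp:22,tcp:80,tcp:443,icmp \
        --source-ranges="$ranges" --target-tags=admin
}
```

In the deployment script, replace the admin gcloud line with create_admin_rule "$ADMIN_SOURCE_RANGES" and set that variable to your workstation's address; the honeypot rule keeps 0.0.0.0/0 on purpose.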
I hope you enjoyed this post, the next installment in this series will cover building this same environment using Terraform in GCP.