Virtual Lab Microcosm

This document sets forth the entire design of my virtual lab architecture.

It also provides examples setting up each particular segment, enough to develop a microcosm of the greater lab, and serve as a guide for adding additional architecture components.

My goals are ambitious and I ultimately plan to implement this as a home network using a cluster of single-board computers. Given the complex architecture, it's prudent to test this thoroughly in a lab environment.

In general, I'd like to implement the following components in the most secure way.

Range architecture

I find the following layered architecture to meet all my conditions and provide a realistic environment for testing.

[Figure: range architecture diagram (SVG, not rendered here)]

Virtual Lab Microcosm

Looking carefully, I can carve out the following microcosm which effectively demonstrates how to do most everything in the greater range architecture.

[Figure: virtual lab microcosm diagram (SVG, not rendered here)]

In VMWare, this necessitates the following Virtual Network Editor settings.

Virtual_Network_Editor.png

Note the following:

  • DHCP is disabled on all virtual networks.
  • All virtual networks use subnet mask 255.255.255.0.
  • All virtual networks are host-only and disconnected from the host network (i.e., custom connections).

Virtual machines

This microcosm utilizes the following operating system images.

  1. CentOS for the router.
  2. IPFire for the bastion host (firewall).
  3. Kali Linux for the attacker.
  4. Metasploitable 2 as the deliberately vulnerable target.
  5. Wazuh for the IDS manager server.
  6. Ubuntu Server in the DMZ and as an IDS agent host.

I bootstrap each in turn below.

PSA: This guide makes the following assumptions. Deviations will be loud and clear.

  • The virtualization platform is VMware Workstation Pro 15.
  • Allocate sufficient resources to VMs at setup, within the host's limitations.
  • Unless stated otherwise, provide one bridged connection to new VMs during the setup phase. This is to facilitate downloading packages, rulesets, etc. Thereafter, I specify how to configure routes and attach custom networks.
  • Throughout this process, make a note of the credentials you choose at every stage. Where a step requires a particular username (typically root or admin), I say so.
  • During installation, always elect to install operating systems directly onto the [virtual] hard disk.
  • During installation, always use DNS server 8.8.8.8 and local host 127.0.0.1.
  • Escalate privileges before all shell scripts by using sudo -i.
  • Aggressively take snapshots of VMs. 📷

While these are important to be aware of, I'm not going to harp on them because it becomes tiresome. Now onto business!

CentOS (router) bootstrap script

The most recent version can be found here; I happen to be using the ISO below (CentOS 7.4, built August 2017).

cd ~/Documents/OS_Images/
wget http://vault.centos.org/7.4.1708/isos/x86_64/CentOS-7-x86_64-DVD-1708.iso

Create a new VM using the CentOS iso. Attach one network adapter to vmnet2 and one to vmnet8 in VMware. An Internet connection is not necessary for this VM.

Log in as root to keep things simple, then run the script below.

The script assigns static IPv4 addresses to ens33 (vmnet2) and ens34 (vmnet8), enables IPv4 forwarding, and configures IP masquerading (source NAT) for traffic from 10.2.0.0/24 leaving towards vmnet8.

cd /etc/sysconfig/network-scripts/
# Static address on ens33 (vmnet2, the bastion host's Red side). No GATEWAY line:
# this router has no upstream, both lab networks are directly attached, and a
# gateway pointing at the interface's own address would route nowhere.
cat > ifcfg-ens33 <<EOT
DEVICE=ens33
BOOTPROTO=static
IPADDR=10.2.0.2
NETMASK=255.255.255.0
NETWORK=10.2.0.0
BROADCAST=10.2.0.255
ONBOOT=yes
EOT
# Static address on ens34 (vmnet8, the attacker network).
cat > ifcfg-ens34 <<EOT
DEVICE=ens34
BOOTPROTO=static
IPADDR=192.168.177.2
NETMASK=255.255.255.0
NETWORK=192.168.177.0
BROADCAST=192.168.177.255
ONBOOT=yes
EOT
systemctl restart network
# Enable IPv4 forwarding persistently and apply it now (sysctl.conf alone only takes effect at boot).
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
systemctl enable --now firewalld
# Masquerade traffic that originated in 10.2.0.0/24 as it leaves towards vmnet8.
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.2.0.0/24 -o ens34 -j MASQUERADE
# The NAT rule alone is not enough: firewalld's default zone rejects forwarded packets,
# so forwarding between the two lab interfaces has to be allowed explicitly (and only that).
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens33 -o ens34 -s 10.2.0.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens34 -o ens33 -d 10.2.0.0/24 -j ACCEPT
firewall-cmd --reload

That's it!

IPFire bootstrapping

I've decided to go with IPFire since it is open source, Linux based, easy to use, highly flexible and powerful. Download using below.

cd ~/Documents/OS_Images/
wget https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core125/ipfire-2.21.x86_64-full-core125.iso

Create a virtual machine using the IPFire iso.

Important: Before finishing the New Virtual Machine Wizard, add and configure three network adapters to point to vmnet2, 3, and 5.

IPFire_VMware_Settings.png

Make a note of the MAC address VMware assigned to each network adapter; you will need them to map adapters to IPFire zones. Only the last two hex digits differ between the adapters in VMware's settings. In my instance, the adapters have the following MAC addresses.

| Network Adapter | MAC Address       |
|-----------------+-------------------|
| vmnet2          | 00:0C:29:9E:1D:C1 |
| vmnet3          | 00:0C:29:9E:1D:CB |
| vmnet5          | 00:0C:29:9E:1D:D5 |

Then proceed with the OS installation.

Next I'll go through each of the following menu items.

IPFire_Network_Configuration_Menu.png

Change the Network configuration type to GREEN + RED + ORANGE.

Given my intended architecture, I will assign the cards as follows:

| Network Adapter | MAC Address       | Zone   |
|-----------------+-------------------+--------|
| vmnet2          | 00:0C:29:9E:1D:C1 | Red    |
| vmnet3          | 00:0C:29:9E:1D:CB | Green  |
| vmnet5          | 00:0C:29:9E:1D:D5 | Orange |

Set each interface to a specific card from the Drivers and card assignments menu option. After setting it up, I have the following configuration (refer to the MAC Addresses above):

IPFire_Assigned_Cards.png

Next up are the IP addresses. Assign the following settings to each of the cards.

| Interface | IP address | Network mask  |
|-----------+------------+---------------|
| Green     | 10.3.0.10  | 255.255.255.0 |
| Orange    | 10.5.0.10  | 255.255.255.0 |
| Red       | 10.2.0.10  | 255.255.255.0 |

Primary DNS: 8.8.8.8, Google's public resolver. Default gateway: 10.2.0.2, the CentOS router's address on vmnet2, which is the Red interface's next hop towards vmnet8. Do not enter the Red interface's own address (10.2.0.10) here: a gateway has to be another host on the Red network, and a route pointing at the interface itself goes nowhere.

Afterwards, do not enable DHCP on the Green interface. I configure static IP addresses on all hosts, including the bastion host.

IPFire reports that setup is complete. Press OK to reboot.

After booting, log in on the VM console as root. Add a persistent route to vmnet8 via the router at 10.2.0.2. (With the default gateway set as above this network is already reachable, but the explicit route keeps the attacker network reachable if the default gateway is ever changed, e.g. to give Red real Internet access.)

echo "route add -net 192.168.177.0 netmask 255.255.255.0 gw 10.2.0.2 dev red0" >> /etc/sysconfig/rc.local
reboot

Kali bootstrapping

The Kali Linux distribution from Offensive Security is very popular for penetration testing as it comes loaded with useful applications. Download their standard version using below.

cd ~/Documents/OS_Images/
wget http://cdimage.kali.org/kali-2018.4/kali-linux-2018.4-amd64.iso

Log in as root. The script below installs the OpenVAS vulnerability scanner (do this while the VM still has its bridged adapter, since the feed sync needs Internet access), then creates a scanner user with a password of your choosing.

apt-get update
apt-get install -y openvas
# Syncs the vulnerability feeds and generates certificates; this takes a while.
openvas-setup
openvas-start
# Replace uname and pword with your own credentials for the OpenVAS web interface.
openvasmd --create-user=uname
openvasmd --user=uname --new-password=pword

Switch the network adapter to vmnet8 in VMware. Then run the script below to assign a static address and a route to the bastion host's Red network through the CentOS router.

cat > /etc/network/interfaces <<EOT
# The loopback network interface
auto lo
iface lo inet loopback

# Static address on vmnet8 (the attacker network)
auto eth0
iface eth0 inet static
  address 192.168.177.128
  netmask 255.255.255.0
  # Reach vmnet2 (and the bastion host's Red interface, 10.2.0.10) via the CentOS router
  up route add -net 10.2.0.0 netmask 255.255.255.0 gw 192.168.177.2
EOT
reboot

Run ip route show table main to verify the routing changes have taken effect.

Metasploitable bootstrapping

Download and unzip the Metasploitable 2 VM.

cd ~/Documents/OS_Images/
wget https://sourceforge.net/projects/metasploitable/files/Metasploitable2/metasploitable-linux-2.0.0.zip
unzip metasploitable-linux-2.0.0.zip

In VMware, choose File → Open and select ~/Documents/OS_Images/Metasploitable2-Linux/Metasploitable.vmx. The default login credentials are printed on the console after booting.

Switch the network adapter to vmnet5. Then run the script below (as root, via sudo -i) to assign a static address and routes.

cat > /etc/network/interfaces <<EOT
# The loopback network interface
auto lo
iface lo inet loopback

# Static address on vmnet5 (the bastion host's Orange zone)
auto eth0
iface eth0 inet static
  address 10.5.0.240
  netmask 255.255.255.0
  # Default route via the Orange interface, so that replies to the attacker
  # network (192.168.177.0/24) also go through the bastion host
  gateway 10.5.0.10
  up route add -net 10.2.0.0 netmask 255.255.255.0 gw 10.5.0.10
  up route add -net 10.3.0.0 netmask 255.255.255.0 gw 10.5.0.10
EOT
reboot

Wazuh server bootstrapping

I've decided to go with the Wazuh IDS system because it's open source, has great documentation, and includes this VM image that's configured to work out of the box. This Wazuh VM happens to be on CentOS.

cd ~/Documents/OS_Images/
wget https://packages.wazuh.com/vm/wazuh3.7.0_6.4.3.ovf

Then, in VMware, choose File → Open and select ~/Documents/OS_Images/wazuh3.7.0_6.4.3.ovf. Switch the network adapter to vmnet3. After booting, log in with username root and password wazuh. Change that password with passwd (the default is public knowledge), then set up addressing with the below.

cd /etc/sysconfig/network-scripts/
cat > ifcfg-ens33 <<EOT
DEVICE=ens33
BOOTPROTO=static
IPADDR=10.3.0.250
NETMASK=255.255.255.0
NETWORK=10.3.0.0
BROADCAST=10.3.0.255
GATEWAY=10.3.0.10
ONBOOT=yes
EOT
systemctl restart network
# authd (TCP 1515) is the service that agent-auth enrols against. Wazuh 3.x enables it
# under <auth> in /var/ossec/etc/ossec.conf, so it normally starts with the manager and
# survives the reboot below; starting it by hand only helps if it is not already running.
# Enrolment is unauthenticated unless a shared password (authd.pass) is configured,
# which is acceptable only inside this isolated lab.
/var/ossec/bin/ossec-authd
reboot

After rebooting, run ip route show table main to verify the routing changes have taken effect.

Ubuntu bootstrapping

The current Long Term Support (LTS) version of Ubuntu Server is 18.04, which can be found here.

cd ~/Documents/OS_Images/
wget http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-live-server-amd64.iso

Run the below after booting to install a desktop environment (xfce4).

apt update
apt upgrade -y
apt install -y xubuntu-desktop
reboot

Create full clones of this VM for each of the following purposes:

  • A general purpose server in the DMZ.
  • As a host of an IDS agent.

Then run the below scripts on the respective VMs.

DMZ Ubuntu Server bootstrap script

Attach the network adapter to vmnet3 in VMware. Note that vmnet3 is the bastion host's Green zone, not Orange: despite its label, this server sits on the internal network (it is also the host I use to reach the IPFire web interface later), while the IDS agent host in the next section is the one in the Orange zone. Assign the static address and routes using the below.

# cloud-init regenerates 50-cloud-init.yaml at boot unless told not to.
cat > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg <<EOT
network: {config: disabled}
EOT
cat > /etc/netplan/50-cloud-init.yaml <<EOT
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      addresses:
      - 10.3.0.128/24
      dhcp4: no
      # default route via the Green interface, so replies to the attacker
      # network (192.168.177.0/24) also go through the bastion host
      gateway4: 10.3.0.10
      routes:
      - to: 10.2.0.0/24
        via: 10.3.0.10
      - to: 10.5.0.0/24
        via: 10.3.0.10
EOT
netplan apply
reboot

Run ip route show table main to verify the routing changes have taken effect.
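The Kali, Metasploitable, Wazuh and Ubuntu sections all end with a manual ip route show check. The script below is an added example (it is not part of the original post) that automates that check against this lab's address plan: it takes the text printed by ip route show table main and confirms every static route a host should have, so that a typo in a netplan file or /etc/network/interfaces shows up as MISSING rather than as an unexplained timeout later. The routing table embedded in it is a constructed sample of what the Metasploitable VM prints after the configuration above; the expected-route list is taken from that configuration.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a lab host's kernel
# routing table contains the static routes the address plan expects.

# has_route TABLE DEST NEXTHOP
#   TABLE   : text as printed by `ip route show table main`
#   DEST    : destination prefix (e.g. 10.2.0.0/24) or the word "default"
#   NEXTHOP : gateway address, or "-" for a directly connected network
# Exit status 0 if such a route is present, 1 otherwise.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v v="$3" '
        $1 == d && v == "-" && $2 == "dev"            { found = 1 }
        $1 == d && v != "-" && $2 == "via" && $3 == v { found = 1 }
        END { exit !found }'
}

# check_host LABEL TABLE DEST:NEXTHOP...
#   Prints one line per expected route and returns the number that are missing.
check_host() {
    label=$1; table=$2; shift 2
    missing=0
    for spec in "$@"; do
        dest=${spec%%:*}; hop=${spec#*:}
        case $hop in
            -) desc="$dest directly connected" ;;
            *) desc="$dest via $hop" ;;
        esac
        if has_route "$table" "$dest" "$hop"; then
            echo "ok       $label: $desc"
        else
            echo "MISSING  $label: $desc"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: what `ip route show table main` prints on the Metasploitable
# VM (10.5.0.240) once the /etc/network/interfaces from the post has been applied.
MSF_TABLE='10.2.0.0/24 via 10.5.0.10 dev eth0
10.3.0.0/24 via 10.5.0.10 dev eth0
10.5.0.0/24 dev eth0 proto kernel scope link src 10.5.0.240'

# Expected routes for the Orange-zone hosts (Metasploitable 10.5.0.240 and the IDS
# agent 10.5.0.251): the other internal networks reachable only via the bastion
# host's Orange interface, plus the directly attached vmnet5.
ORANGE_EXPECTED="10.2.0.0/24:10.5.0.10 10.3.0.0/24:10.5.0.10 10.5.0.0/24:-"

# On a live host run:
#   check_host "$(hostname)" "$(ip route show table main)" $ORANGE_EXPECTED
# Here the check runs against the constructed sample (word-splitting of
# ORANGE_EXPECTED is intentional).
check_host metasploitable "$MSF_TABLE" $ORANGE_EXPECTED
```

For the Green hosts (Wazuh server 10.3.0.250, Ubuntu 10.3.0.128) the expected list is 10.2.0.0/24:10.3.0.10 10.5.0.0/24:10.3.0.10 10.3.0.0/24:-, and for Kali it is 10.2.0.0/24:192.168.177.2 192.168.177.0/24:-. A non-zero return value is the number of missing routes, so the function can gate a later step in a larger bring-up script.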

IDS Agent bootstrap script

I'm using Wazuh for intrusion detection. Install the agent on this Ubuntu VM with the following, while the VM still has its bridged adapter and can reach packages.wazuh.com.

apt-get update &&
apt-get install -y curl apt-transport-https lsb-release &&
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - &&
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list &&
apt-get update &&
apt-get install -y wazuh-agent

Switch the network adapter to vmnet5 in VMware (the bastion host's Orange zone), then assign addressing using the below.

# cloud-init regenerates 50-cloud-init.yaml at boot unless told not to.
cat > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg <<EOT
network: {config: disabled}
EOT
cat > /etc/netplan/50-cloud-init.yaml <<EOT
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      addresses:
      - 10.5.0.251/24
      dhcp4: no
      # default route via the Orange interface, so replies to the attacker
      # network (192.168.177.0/24) also go through the bastion host
      gateway4: 10.5.0.10
      routes:
      - to: 10.2.0.0/24
        via: 10.5.0.10
      - to: 10.3.0.0/24
        via: 10.5.0.10
EOT
netplan apply
reboot

Point the agent at the manager, enrol it, and start it with the below. Because the agent sits in Orange and the manager in Green, IPFire must allow 10.5.0.251 → 10.3.0.250 on 1515/tcp (enrolment) and 1514/udp (events, the Wazuh 3.x default). IPFire's default policy blocks connections initiated from Orange into Green, so unless you have changed that policy, add such a rule on the firewall page described under IPFire administration before running this.

sed -i 's/MANAGER_IP/10.3.0.250/g' /var/ossec/etc/ossec.conf
# Enrol with the manager's authd; on success the agent key is written to /var/ossec/etc/client.keys
/var/ossec/bin/agent-auth -m 10.3.0.250
systemctl enable wazuh-agent
systemctl restart wazuh-agent

Excellent work traversing through virtual space!


Administration

One thing I like about this set of modern open source networking tools is their web interfaces.

IPFire administration

IPFire can be controlled entirely from the web interface at https://10.3.0.10:444, reachable from any machine in the Green zone (I use the Ubuntu Server for this). The certificate is self-signed, so add a browser exception, then log in as admin with the password chosen during setup. The default homepage is below.

IPFire_Web_Interface_Home.png

Go to https://10.3.0.10:444/cgi-bin/firewall.cgi and click New rule. Set the Source to Orange standard networks and the Destination to Red standard networks. For now, set the rule to accept all protocols; once the DMZ services are known, narrow it to the ports they actually need, since an allow-all rule out of the DMZ undoes much of what the zone is for. Give the rule a name, click Add, then Apply changes. The rule editor looks as follows.

IPFire_New_Firewall_Rule.png

After saving the new firewall rule, you will be returned to the firewall rules landing page.

IPFire_Firewall_Homepage_With_Rule.png

Wazuh administration

Likewise, Wazuh has a web interface (Kibana with the Wazuh app) at http://10.3.0.250:5601/app/wazuh. On this VM it is served over plain HTTP and is not protected by authentication out of the box, so keep it reachable from Green only. Once wazuh-agent is running and has enrolled, the agent appears at http://10.3.0.250:5601/app/wazuh#/agents-preview as follows.

Wazuh_Agent_Management.png

From the Wazuh overview at http://10.3.0.250:5601/app/wazuh#/overview, one can manage security information, look for network vulnerabilities, and more.

Wazuh_Overview.png

In another post, I will perform thorough tests of this environment by launching attacks from vmnet8 against VMs in vmnet5 and vmnet3.

Last Modified: 2019-11-28 Thu 22:42

Built with Emacs 26.1 (Org mode 9.1.9)



