Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 age of "infrastructure as code," cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re should be a simpler way to deploy systems in a repeatable, virtualized way -- right?
Enter
DetectionLab, a project by
Chris Long. Briefly, Chris built a project that uses
Packer and
Vagrant to create an instrumented lab environment. Chris explained cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 project in late 2017 in a
Medium post, which I recommend reading.
I can't even begin to describe all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 functionality packed into this project. So much of it is new, but this is a great way to learn about it. In this post, I would like to show how I got a version of DetectionLab running.
My build environment included a modern laptop with 16 GB RAM and Windows 10 professional. I had already installed
Virtualbox 6.0 with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 appropriate VirtualBox Extension Pack. I had also enabled cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365
native OpenSSH server and performed all DetectionLab installation functions over an OpenSSH session.
Install Chocolatey
My first step was to install
Chocolatey, a package manager for Windows. I wanted to use this to install cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Git client I wanted to use to clone cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 DetectionLab repo. Commands I typed at each stage are in bold below.
root@LAPTOP-HT4TGVCP C:\Users\root>@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "ie
x ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
Getting latest version of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Chocolatey package for download.
Getting Chocolatey from https://chocolatey.org/api/v2/package/chocolatey/0.10.11.
Downloading 7-Zip commandline tool prior to extraction.
Extracting C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall...
Installing chocolatey on this machine
Creating ChocolateyInstall as an environment variable (targeting 'Machine')
Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'
WARNING: It's very likely you will need to close and reopen your shell
before you can use choco.
Restricting write permissions to Administrators
We are setting up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Chocolatey package repository.
The packages cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365mselves go to 'C:\ProgramData\chocolatey\lib'
(i.e. C:\ProgramData\chocolatey\lib\yourPackageName).
A shim file for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 command line goes to 'C:\ProgramData\chocolatey\bin'
and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.
Creating Chocolatey folders if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y do not already exist.
WARNING: You can safely ignore errors related to missing log files when
upgrading from a version of Chocolatey less than 0.9.9.
'Batch file could not be found' is also safe to ignore.
'The system cannot find cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 file specified' - also safe.
chocolatey.nupkg file not installed in lib.
Attempting to locate it from bootstrapper.
PATH environment variable does not have C:\ProgramData\chocolatey\bin in it. Adding...
WARNING: Not setting tab completion: Profile file does not exist at 'C:\Users\root\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'.
Chocolatey (choco.exe) is now ready.
You can call choco from anywhere, command line or powershell by typing choco.
Run choco /? for a list of functions.
You may need to shut down and restart powershell and/or consoles
first prior to using choco.
Ensuring chocolatey commands are on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 path
Ensuring chocolatey.nupkg is in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lib folder
root@LAPTOP-HT4TGVCP C:\Users\root>choco
Chocolatey v0.10.11
Please run 'choco -?' or 'choco -?' for help menu.
Install Git
With Chocolatey installed, I could install Git.
root@LAPTOP-HT4TGVCP C:\Users\root>choco install git -params '"/GitAndUnixToolsOnPath"'
Chocolatey v0.10.11
Installing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following packages:
git
By installing you accept licenses for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 packages.
Progress: Downloading git.install 2.20.1... 100%
Progress: Downloading chocolatey-core.extension 1.3.3... 100%
Progress: Downloading git 2.20.1... 100%
chocolatey-core.extension v1.3.3 [Approved]
chocolatey-core.extension package files install completed. Performing ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r installation steps.
Installed/updated chocolatey-core extensions.
The install of chocolatey-core.extension was successful.
Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-core'
git.install v2.20.1 [Approved]
git.install package files install completed. Performing ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r installation steps.
The package git.install wants to run 'chocolateyInstall.ps1'.
Note: If you don't run this script, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 installation will fail.
Note: To confirm automatically next time, use '-y' or consider:
choco feature enable -n allowGlobalConfirmation
Do you want to run cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 script?([Y]es/[N]o/[P]rint): y
@{Inno Setup CodeFile: Path Option=CmdTools; PSPath=Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Git_
is1; PSParentPath=Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall; PSChildName=Git_is1; PSDrive=HKLM; PS
Provider=Microsoft.PowerShell.Core\Registry}
Using Git LFS
Installing 64-bit git.install...
git.install has been installed.
git.install installed to 'C:\Program Files\Git'
git.install can be automatically uninstalled.
Environment Vars (like PATH) have changed. Close/reopen your shell to
see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 changes (or in powershell/cmd.exe just type `refreshenv`).
The install of git.install was successful.
Software installed to 'C:\Program Files\Git\'
git v2.20.1 [Approved]
git package files install completed. Performing ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r installation steps.
The install of git was successful.
Software install location not explicitly set, could be in package or
default install location if installer.
Chocolatey installed 3/3 packages.
See cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Clone DetectionLab
With Git installed, I can clone cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 DetectionLab repo from Github.
root@LAPTOP-HT4TGVCP C:\Users\root>mkdir git
root@LAPTOP-HT4TGVCP C:\Users\root>cd git
root@LAPTOP-HT4TGVCP C:\Users\root\git>mkdir detectionlab
root@LAPTOP-HT4TGVCP C:\Users\root\git>cd detectionlab
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>git clone https://github.com/clong/DetectionLab.git
'git' is not recognized as an internal or external command,
operable program or batch file.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>refreshenv
Refreshing environment variables from registry for cmd.exe. Please wait...Finished..
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>git clone https://github.com/clong/DetectionLab.git
Cloning into 'DetectionLab'...
remote: Enumerating objects: 1, done.
remote: Counting objects: 100% (1/1), done.
remote: Total 1163 (delta 0), reused 0 (delta 0), pack-reused 1162R
Receiving objects: 100% (1163/1163), 11.81 MiB | 12.24 MiB/s, done.
Resolving deltas: 100% (568/568), done.
Install Vagrant
Before going any furcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r, I needed to install Vagrant.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab>cd ..\..\
root@LAPTOP-HT4TGVCP C:\Users\root>choco install vagrant
Chocolatey v0.10.11
Installing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following packages:
vagrant
By installing you accept licenses for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 packages.
Progress: Downloading vagrant 2.2.3... 100%
vagrant v2.2.3 [Approved]
vagrant package files install completed. Performing ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r installation steps.
The package vagrant wants to run 'chocolateyinstall.ps1'.
Note: If you don't run this script, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 installation will fail.
Note: To confirm automatically next time, use '-y' or consider:
choco feature enable -n allowGlobalConfirmation
Do you want to run cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 script?([Y]es/[N]o/[P]rint): y
Downloading vagrant 64 bit
from 'https://releases.hashicorp.com/vagrant/2.2.3/vagrant_2.2.3_x86_64.msi'
Progress: 100% - Completed download of C:\Users\root\AppData\Local\Temp\chocolatey\vagrant\2.2.3\vagrant_2.2.3_x86_64.msi (229.22 MB).
Download of vagrant_2.2.3_x86_64.msi (229.22 MB) completed.
Hashes match.
Installing vagrant...
vagrant has been installed.
Repairing currently installed global plugins. This may take a few minutes...
Installed plugins successfully repaired!
vagrant may be able to be automatically uninstalled.
Environment Vars (like PATH) have changed. Close/reopen your shell to
see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 changes (or in powershell/cmd.exe just type `refreshenv`).
The install of vagrant was successful.
Software installed as 'msi', install location is likely default.
Chocolatey installed 1/1 packages.
See cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Packages requiring reboot:
- vagrant (exit code 3010)
The recent package changes indicate a reboot is necessary.
Please reboot at your earliest convenience.
root@LAPTOP-HT4TGVCP C:\Users\root>shutdown /r /t 0
Installing DetectionLab
Now we are finally at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 point where we can install DetectionLab. Note that in my example, I downloaded boxes already built by Chris. I did not build my own, in order to save time. You can follow his instructions to build boxes yourself.
I saw an error regarding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 win10 host, but that did not appear to be a real problem.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\root\git\detectionlab\DetectionLab> .\build.ps1 -ProviderName virtualbox -VagrantOnly
[preflight_checks] Running..
[preflight_checks] Checking if Vagrant is installed
[preflight_checks] Checking for pre-existing boxes..
[preflight_checks] Checking for vagrant instances..
[preflight_checks] Checking disk space..
[preflight_checks] Checking if vagrant-reload is installed..
The vagrant-reload plugin is required and not currently installed. This script will attempt to install it now.
Installing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 'vagrant-reload' plugin. This can take a few minutes...
Installed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 plugin 'vagrant-reload (0.0.1)'!
[preflight_checks] Finished.
[download_boxes] Running..
[download_boxes] Downloading windows_10_virtualbox.box
[download_boxes] Downloading windows_2016_virtualbox.box
[download_boxes] Getting filehash for: windows_10_virtualbox.box
[download_boxes] Getting filehash for: windows_2016_virtualbox.box
[download_boxes] Checking Filehashes..
[download_boxes] Finished.
[main] Running vagrant_up_host for: logger
[vagrant_up_host] Running for logger
Attempting to bring up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 logger host using Vagrant
[vagrant_up_host] Finished for logger. Got exit code: 0
[main] vagrant_up_host finished. Exitcode: 0
Good news! logger was built successfully!
[main] Finished for: logger
[main] Running vagrant_up_host for: dc
[vagrant_up_host] Running for dc
Attempting to bring up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 dc host using Vagrant
[vagrant_up_host] Finished for dc. Got exit code: 0
[main] vagrant_up_host finished. Exitcode: 0
Good news! dc was built successfully!
[main] Finished for: dc
[main] Running vagrant_up_host for: wef
[vagrant_up_host] Running for wef
Attempting to bring up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wef host using Vagrant
[vagrant_up_host] Finished for wef. Got exit code: 0
[main] vagrant_up_host finished. Exitcode: 0
Good news! wef was built successfully!
[main] Finished for: wef
[main] Running vagrant_up_host for: win10
[vagrant_up_host] Running for win10
Attempting to bring up cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 win10 host using Vagrant
[vagrant_up_host] Finished for win10. Got exit code: 1
[main] vagrant_up_host finished. Exitcode: 1
WARNING: Something went wrong while attempting to build cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 win10 box.
Attempting to reload and reprovision cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 host...
[main] Running vagrant_reload_host for: win10
[vagrant_reload_host] Running for win10
[vagrant_reload_host] Finished for win10. Got exit code: 1
C:\Users\root\git\detectionlab\DetectionLab\build.ps1 : Failed to bring up win10 after a reload. Exiting
At line:1 char:1
+ .\build.ps1 -ProviderName virtualbox -VagrantOnly
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,build.ps1
[main] Running post_build_checks
[post_build_checks] Running Caldera Check.
[download] Running for https://192.168.38.105:8888, looking for
[download] Found at https://192.168.38.105:8888
[post_build_checks] Cladera Result: True
[post_build_checks] Running Splunk Check.
[download] Running for https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F, looking for This browser is not supported by Splunk
[download] Found This browser is not supported by Splunk at https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F
[post_build_checks] Splunk Result: True
[post_build_checks] Running Fleet Check.
[download] Running for https://192.168.38.105:8412, looking for Kolide Fleet
[download] Found Kolide Fleet at https://192.168.38.105:8412
[post_build_checks] Fleet Result: True
[post_build_checks] Running MS ATA Check.
[download] Running for https://192.168.38.103, looking for
[post_build_checks] ATA Result: True
[main] Finished post_build_checks
Checking cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 VMs
I used cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Virtualbox command line program to check cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 status of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new VMs.
root@LAPTOP-HT4TGVCP c:\Program Files\Oracle\VirtualBox>VBoxManage list runningvms
"logger" {3da9fffb-4b02-4e57-a592-dd2322f14245}
"dc.windomain.local" {ef32d493-845c-45dc-aff7-3a86d9c590cd}
"wef.windomain.local" {7cd008b7-c6e0-421d-9655-8f92ec98d9d7}
"win10.windomain.local" {acf413fb-6358-44df-ab9f-cc7767ed32bd}
Interacting with Vagrant and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Logger Host
Next I decided to use Vagrant to check on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 status of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 boxes, and to interact with one if I could. I wanted to find cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Bro and Suricata logs.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab>cd Vagrant
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant status
Current machine states:
logger running (virtualbox)
dc running (virtualbox)
wef running (virtualbox)
win10 running (virtualbox)
This environment represents multiple VMs. The VMs are all listed
above with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir current state. For more information about a specific
VM, run `vagrant status NAME`.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant ssh logger
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
29 packages can be updated.
24 updates are security updates.
Last login: Sun Jan 27 19:24:05 2019 from 10.0.2.2
root@logger:~# /opt/bro/bin/broctl status
Name Type Host Status Pid Started
manager manager localhost running 9848 27 Jan 17:19:15
proxy proxy localhost running 9893 27 Jan 17:19:16
worker-eth1-1 worker localhost running 9945 27 Jan 17:19:17
worker-eth1-2 worker localhost running 9948 27 Jan 17:19:17
vagrant@logger:~$ ls -al /opt/bro
total 32
drwxr-xr-x 8 root root 4096 Jan 27 17:19 .
drwxr-xr-x 5 root root 4096 Jan 27 17:19 ..
drwxr-xr-x 2 root root 4096 Jan 27 17:19 bin
drwxrwsr-x 2 root bro 4096 Jan 27 17:19 etc
drwxr-xr-x 3 root root 4096 Jan 27 17:19 lib
drwxrws--- 3 root bro 4096 Jan 27 18:00 logs
drwxr-xr-x 4 root root 4096 Jan 27 17:19 share
drwxrws--- 8 root bro 4096 Jan 27 17:19 spool
vagrant@logger:~$ ls -al /opt/bro/logs
ls: cannot open directory '/opt/bro/logs': Permission denied
vagrant@logger:~$ sudo bash
root@logger:~# ls -al /opt/bro/logs/
2019-01-27/ current/
root@logger:~# ls -al /opt/bro/logs/current/
total 3664
drwxr-sr-x 2 root bro 4096 Jan 27 19:20 .
drwxrws--- 8 root bro 4096 Jan 27 17:19 ..
-rw-r--r-- 1 root bro 475 Jan 27 19:19 capture_loss.log
-rw-r--r-- 1 root bro 127 Jan 27 17:19 .cmdline
-rw-r--r-- 1 root bro 83234 Jan 27 19:30 communication.log
-rw-r--r-- 1 root bro 1430714 Jan 27 19:30 conn.log
-rw-r--r-- 1 root bro 1340 Jan 27 19:00 dce_rpc.log
-rw-r--r-- 1 root bro 185114 Jan 27 19:28 dns.log
-rw-r--r-- 1 root bro 310 Jan 27 17:19 .env_vars
-rw-r--r-- 1 root bro 139387 Jan 27 19:30 files.log
-rw-r--r-- 1 root bro 544416 Jan 27 19:30 http.log
-rw-r--r-- 1 root bro 224 Jan 27 19:05 known_services.log
-rw-r--r-- 1 root bro 956 Jan 27 19:19 notice.log
-rw-r--r-- 1 root bro 5 Jan 27 17:19 .pid
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.capture_loss
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.communication
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.conn
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.conn-summary
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.dce_rpc
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.dns
-rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.dpd
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.files
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.http
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.kerberos
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.known_certs
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.known_hosts
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.known_services
-rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.loaded_scripts
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.notice
-rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.packet_filter
-rw-r--r-- 1 root bro 18 Jan 27 18:00 .rotated.reporter
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.smb_files
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.smb_mapping
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.software
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.ssl
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.stats
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.weird
-rw-r--r-- 1 root bro 18 Jan 27 19:00 .rotated.x509
-rw-r--r-- 1 root bro 1311 Jan 27 19:24 smb_mapping.log
-rw-r--r-- 1 root bro 15767 Jan 27 19:30 ssl.log
-rw-r--r-- 1 root bro 58 Jan 27 17:19 .startup
-rw-r--r-- 1 root bro 11326 Jan 27 19:30 stats.log
-rwx------ 1 root bro 18 Jan 27 17:19 .status
-rw-r--r-- 1 root bro 80 Jan 27 19:00 stderr.log
-rw-r--r-- 1 root bro 188 Jan 27 17:19 stdout.log
-rw-r--r-- 1 root bro 1141860 Jan 27 19:30 weird.log
-rw-r--r-- 1 root bro 2799 Jan 27 19:20 x509.log
root@logger:~# cd /opt/bro/logs/
root@logger:/opt/bro/logs# ls
2019-01-27 current
root@logger:/opt/bro/logs# cd current
root@logger:/opt/bro/logs/current# ls
capture_loss.log conn.log dns.log http.log notice.log smb_mapping.log stats.log stdout.log x509.log
communication.log dce_rpc.log files.log known_services.log smb_files.log ssl.log stderr.log weird.log
root@logger:/opt/bro/logs/current# jq -c . dce_rpc.log | head
{"ts":1548615615.836272,"uid":"CEmNr31qusp3G7GFg4","id.orig_h":"192.168.38.104","id.orig_p":49758,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe":
"135","endpoint":"epmapper","operation":"ept_map"}
{"ts":1548615615.83961,"uid":"CJO7xe4JUo43IjGG01","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.0003
57,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"}
{"ts":1548615615.851544,"uid":"CJO7xe4JUo43IjGG01","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000
596,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"}
{"ts":1548615615.835628,"uid":"CgEcizh05xJ1ricP8","id.orig_h":"192.168.38.104","id.orig_p":49758,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe":"
135","endpoint":"epmapper","operation":"ept_map"}
{"ts":1548615615.839587,"uid":"CVV6WZ3vgpE673rl6a","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000
382,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"}
{"ts":1548615615.852193,"uid":"CVV6WZ3vgpE673rl6a","id.orig_h":"192.168.38.104","id.orig_p":49759,"id.resp_h":"192.168.38.102","id.resp_p":49667,"rtt":0.000
382,"named_pipe":"49667","endpoint":"lsarpc","operation":"LsarLookupSids3"}
{"ts":1548618003.200283,"uid":"CGYDww34wYz8eCYr96","id.orig_h":"192.168.38.103","id.orig_p":63295,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe":
"135","endpoint":"epmapper","operation":"ept_map"}
{"ts":1548618003.200403,"uid":"CrTZMz2nCXsiY5WOF8","id.orig_h":"192.168.38.103","id.orig_p":63295,"id.resp_h":"192.168.38.102","id.resp_p":135,"named_pipe":
"135","endpoint":"epmapper","operation":"ept_map"}
root@logger:~# head /var/log/suricata/fast.log
01/27/2019-17:19:08.133030 [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0
.2.15:51574 -> 195.135.221.134:80
01/27/2019-17:19:08.292747 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su
spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:55260 -> 99.84.178.103:80
01/27/2019-17:19:08.356618 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su
spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:55260 -> 99.84.178.103:80
01/27/2019-17:19:08.432477 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su
spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:46630 -> 91.189.95.83:80
01/27/2019-17:19:08.448249 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Su
spicious Traffic] [Priority: 3] {TCP} 10.0.2.15:53932 -> 91.189.88.161:80
...trimmed...
Docker on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Logger Host
Chris is using Docker to provide some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Logger host functions, e.g.:
root@logger:~# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
343c18f933d9 kolide/fleet:latest "sh -c 'echo '\\n' | …" 3 hours ago Up 3 hours 0.0.0.0:8412->8412/tcp kolidequic
kstart_fleet_1
513cb0d61401 mysql:5.7 "docker-entrypoint.s…" 3 hours ago Up 3 hours 3306/tcp, 33060/tcp kolidequic
kstart_mysql_1
b0278855b130 mailhog/mailhog:latest "MailHog" 3 hours ago Up 3 hours 1025/tcp, 0.0.0.0:8025->8025/tcp kolidequic
kstart_mailhog_1
ddcd3e59dda2 redis:3.2.4 "docker-entrypoint.s…" 3 hours ago Up 3 hours 6379/tcp kolidequic
kstart_redis_1
Troubleshooting Localhost Bindings
One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 issues I encountered involved cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IP addresses to which VMs bound cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir Virtualbox Remote Display Protocol servers. The default configuration bound cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m to localhost on my Windows laptop. That was ok if I was interacting with that laptop in person, but I was doing this work remotely.
I could RDP to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 laptop, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n RDP from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 laptop to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 VMs. This works, but it was a slight hassle to log into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Windows 2016 server which required a ctrl-alt-del sequence. This is a nuanced issue that can be solved by using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 on screen keyboard (osk.exe) to enter cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ctrl-alt-end sequence on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 remote laptop, but I wanted an easier solution.
Dustin Lee, who has done a lot of work customized DetectionLab to include Security Onion (a future post maybe?) suggested I modify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Vagrantfile with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following bolded content. This example is for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wef host in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Vagrantfile.
cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "wef.windomain.local"
vb.default_nic_type = "82545EM"
vb.customize ["modifyvm", :id, "--vrde", "on"]
vb.customize ["modifyvm", :id, "--vrdeaddress", "0.0.0.0"]
vb.customize ["modifyvm", :id, "--memory", 2048]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", "32"]
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
end
Basically, add cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bold entries wherever you see a "virtualbox" option, to enable cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 VRDP server binding to 0.0.0.0 (which should be all IP addresses, to include cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 public IP, as I want).
Before I restarted cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wef host, you can see below how cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 VRDE server is listening only on localhost on port 5932 (in bold).
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo wef.windomain.local
| findstr /I vrde
VRDE: enabled (Address 127.0.0.1, Ports 5932, MultiConn: off, ReuseSingleConn: off, Aucá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ntication type: null)
...trimmed...
After changing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Vagrant file, I restarted cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wef host using Vagrant.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant reload wef
==> wef: Attempting graceful shutdown of VM...
==> wef: Clearing any previously set forwarded ports...
==> wef: Fixed port collision for 3389 => 3389. Now on port 2201.
==> wef: Fixed port collision for 22 => 2222. Now on port 2202.
==> wef: Fixed port collision for 5985 => 55985. Now on port 2203.
==> wef: Fixed port collision for 5986 => 55986. Now on port 2204.
==> wef: Clearing any previously set network interfaces...
==> wef: Preparing network interfaces based on configuration...
wef: Adapter 1: nat
wef: Adapter 2: hostonly
==> wef: Forwarding ports...
wef: 3389 (guest) => 2201 (host) (adapter 1)
wef: 22 (guest) => 2202 (host) (adapter 1)
wef: 5985 (guest) => 2203 (host) (adapter 1)
wef: 5986 (guest) => 2204 (host) (adapter 1)
==> wef: Running 'pre-boot' VM customizations...
==> wef: Booting VM...
==> wef: Waiting for machine to boot. This may take a few minutes...
wef: WinRM address: 127.0.0.1:2203
wef: WinRM username: vagrant
wef: WinRM execution_time_limit: PT2H
wef: WinRM transport: negotiate
==> wef: Machine booted and ready!
==> wef: Checking for guest additions in VM...
wef: The guest additions on this VM do not match cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 installed version of
wef: VirtualBox! In most cases this is fine, but in rare cases it can
wef: prevent things such as shared folders from working properly. If you see
wef: shared folder errors, please make sure cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 guest additions within cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365
wef: virtual machine match cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 version of VirtualBox you have installed on
wef: your host and reload your VM.
wef:
wef: Guest Additions Version: 5.2.16
wef: VirtualBox Version: 6.0
==> wef: Setting hostname...
==> wef: Configuring and enabling network interfaces...
==> wef: Mounting shared folders...
wef: /vagrant =>
The bolded entry about port 2201 means I can log into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wef host as user vagrant / password vagrant, over RDP, directly from anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r computer.
After restarting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wef host, I check to see what IP address and port cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 RDP server is listening (in bold):
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo wef.windomain.local
| findstr /I vrde
VRDE: enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Aucá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ntication type: null)
...trimmed...
This should allow me to access cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "screen" of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 VM via port 5932 and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IP of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 host laptop. Unfortunately, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is some sort of conflict, as I saw cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 domain controller also reserved cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same port for its VRDE.
root@LAPTOP-HT4TGVCP C:\Users\root>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" showvminfo dc.windomain.local | findstr /I vrde
VRDE: enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Aucá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ntication type: null)
...trimmed...
I encountered a similar issue with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 domain controller also failing to resolve a conflict with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 host system RDP port.
root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>vagrant reload dc
==> dc: Attempting graceful shutdown of VM...
==> dc: Clearing any previously set forwarded ports...
==> dc: Fixed port collision for 22 => 2222. Now on port 2200.
==> dc: Clearing any previously set network interfaces...
==> dc: Preparing network interfaces based on configuration...
dc: Adapter 1: nat
dc: Adapter 2: hostonly
==> dc: Forwarding ports...
dc: 3389 (guest) => 3389 (host) (adapter 1)
dc: 22 (guest) => 2200 (host) (adapter 1)
dc: 5985 (guest) => 55985 (host) (adapter 1)
dc: 5986 (guest) => 55986 (host) (adapter 1)
I haven't solved cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se problems yet. I wonder if it's a result of using pre-built VMs, which use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 5.x series of Virtualbox extensions, while my Virtualbox system runs 6.0?
Summary
These are minor issues, for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 result of all this work is four systems offering Windows client and server features, plus instrumentation. That could be anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r topic for discussion. I'm also excited by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 prospect of
running all of this in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cloud. Furcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rmore,
Dustin Lee has a
fork of DetectionLab that replaces some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 instrumentation with Security Onion!
