Merge branch 'master' into add-hyperv

This commit is contained in:
Chris Long
2020-08-28 14:21:52 -07:00
committed by GitHub
18 changed files with 751 additions and 931 deletions


@@ -0,0 +1,83 @@
function download {
param(
[string]$URL,
[string]$PatternToMatch,
[switch]$SuccessOn401
)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient
try {
$result = $wc.DownloadString($URL)
if ($result -like "*$PatternToMatch*") {
return $true
} else {
return $false
}
}
catch {
if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent) {
return $true
} else {
Write-Host "Error occured on webrequest: $_" -ForegroundColor red
return $false
}
}
}
function post_build_checks {
$checkmark = ([char]8730)
Write-Host '[*] Verifying that Splunk is reachable...'
$SPLUNK_CHECK = download -URL 'https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk'
if ($SPLUNK_CHECK -eq $false) {
Write-Host '[!] Splunk was unreachable and may not have installed correctly.' -ForegroundColor red
}
else {
Write-Host ' ['$($checkmark)'] Splunk is running and reachable!' -ForegroundColor Green
}
Write-Host ''
Write-Host '[*] Verifying that Fleet is reachable...'
$FLEET_CHECK = download -URL 'https://192.168.38.105:8412' -PatternToMatch 'Kolide Fleet'
if ($FLEET_CHECK -eq $false) {
Write-Host '[!] Fleet was unreachable and may not have installed correctly.' -ForegroundColor red
}
else {
Write-Host ' ['$($checkmark)'] Fleet is running and reachable!' -ForegroundColor Green
}
Write-Host ''
Write-Host '[*] Verifying that Microsoft ATA is reachable...'
$ATA_CHECK = download -URL 'https://192.168.38.103' -SuccessOn401
if ($ATA_CHECK -eq $false) {
Write-Host '[!] Microsoft ATA was unreachable and may not have installed correctly.' -ForegroundColor red
}
else {
Write-Host ' ['$($checkmark)'] Microsoft ATA is running and reachable!' -ForegroundColor Green
}
Write-Host ''
Write-Host '[*] Verifying that Velociraptor is reachable...'
$VELOCIRAPTOR_CHECK = download -URL 'https://192.168.38.105:9999' -PatternToMatch 'app.html'
if ($VELOCIRAPTOR_CHECK -eq $false) {
Write-Host '[!] Velociraptor was unreachable and may not have installed correctly.' -ForegroundColor red
}
else {
Write-Host ' ['$($checkmark)'] Velocirpator is running and reachable!' -ForegroundColor Green
}
Write-Host ''
Write-Host '[*] Verifying that Guacamole is reachable...'
$GUACAMOLE_CHECK = download -URL 'http://192.168.38.105:8080/guacamole' -PatternToMatch 'Apache Software'
if ($GUACAMOLE_CHECK -eq $false) {
Write-Host '[!] Guacamole was unreachable and may not have installed correctly.' -ForegroundColor red
}
else {
Write-Host ' ['$($checkmark)'] Guacamole is running and reachable!' -ForegroundColor Green
}
Write-Host ''
}
post_build_checks
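Review bot: Setting `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }` at the top of `download` turns off certificate validation for every .NET web request in the PowerShell session, not only the five lab probes, and nothing restores it afterwards; a caller that dot-sources this script keeps running without validation. Accepting self-signed certificates is expected for these lab hosts, but the override should be scoped to the call: save the previous callback and restore it in a `finally`, which also gives a place to dispose the `WebClient`. The page does not show this file's path; post_build_checks.sh refers to it as post_build_checks.ps1. A small typo, "Velocirpator", is in the success message of the Velociraptor check.
```powershell
function download {
  # … unchanged: param block …
  # Lab services present self-signed certificates: accept them for this probe only,
  # then put the session's previous validation callback back.
  $previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
  [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  $wc = New-Object System.Net.WebClient
  try {
    # … unchanged: DownloadString and pattern match …
  }
  catch {
    # … unchanged: 401 handling and error message …
  }
  finally {
    $wc.Dispose()
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
  }
}
```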

68
Vagrant/post_build_checks.sh Executable file

@@ -0,0 +1,68 @@
#! /bin/bash
# This script is meant to verify that DetectionLab was built successfully.
# Only MacOS and Linux are supported. Use post_build_checks.ps1 for Windows.
# If you encounter issues, feel free to open an issue at
# https://github.com/clong/DetectionLab/issues
ERROR=$(tput setaf 1; echo -n " [!]"; tput sgr0)
GOODTOGO=$(tput setaf 2; echo -n " [✓]"; tput sgr0)
# A series of checks to ensure important services are responsive after the build completes.
post_build_checks() {
SPLUNK_CHECK=0
FLEET_CHECK=0
ATA_CHECK=0
VELOCIRAPTOR_CHECK=0
GUACAMOLE_CHECK=0
# If the curl operation fails, we'll just leave the variable equal to 0
# This is needed to prevent the script from exiting if the curl operation fails
SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk')
FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet')
ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2)
VELOCIRAPTOR_CHECK=$(curl -ks -m 2 https://192.168.38.105:9999 | grep -c 'app.html')
GUACAMOLE_CHECK=$(curl -ks -m 2 'http://192.168.38.105:8080/guacamole/#/' | grep -c 'Apache Software')
[[ $ATA_CHECK == 401 ]] && ATA_CHECK=1
echo "[*] Verifying that Splunk is running and reachable..."
if [ "$SPLUNK_CHECK" -lt 1 ]; then
(echo >&2 "${ERROR} Warning: Splunk was unreachable and may not have installed correctly.")
else
(echo >&2 "${GOODTOGO} Splunk is running and reachable.")
fi
echo ""
echo "[*] Verifying that Fleet is running and reachable..."
if [ "$FLEET_CHECK" -lt 1 ]; then
(echo >&2 "${ERROR} Warning: Fleet was unreachable and may not have installed correctly.")
else
(echo >&2 "${GOODTOGO} Fleet is running and reachable.")
fi
echo ""
echo "[*] Verifying that Microsoft ATA is running and reachable..."
if [ "$ATA_CHECK" -lt 1 ]; then
(echo >&2 "${ERROR} Warning: Microsoft ATA was unreachable and may not have installed correctly.")
else
(echo >&2 "${GOODTOGO} Microsoft ATA is running and reachable.")
fi
echo ""
echo "[*] Verifying that the Velociraptor service is running and reachable..."
if [ "$VELOCIRAPTOR_CHECK" -lt 1 ]; then
(echo >&2 "${ERROR} Warning: Velociraptor was unreachable and may not have installed correctly.")
else
(echo >&2 "${GOODTOGO} Velociraptor is running and reachable.")
fi
echo ""
echo "[*] Verifying that Guacamole is running and reachable..."
if [ "$GUACAMOLE_CHECK" -lt 1 ]; then
(echo >&2 "${ERROR} Warning: Guacamole was unreachable and may not have installed correctly.")
else
(echo >&2 "${GOODTOGO} Guacamole is running and reachable.")
fi
}
post_build_checks
exit 0
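Review bot: The Microsoft ATA check accepts almost any answer as success: L114 rewrites 401 to 1, but every other status curl reports (404, 500, 503) is already greater than 0 and passes the `-lt 1` test at L130, and a 200 reply makes `--fail` print the response body ahead of the code, so `[ ... -lt 1 ]` errors out and the else branch still prints "running and reachable". Add `-o /dev/null` to that curl and make the rewrite two-sided: `if [[ $ATA_CHECK == 401 ]]; then ATA_CHECK=1; else ATA_CHECK=0; fi`. The `-k` on all five probes disables certificate verification, which is expected for self-signed lab hosts but deserves a one-line comment so the pattern is not copied into non-lab tooling, and the unquoted Splunk URL at L109 contains `?` and should be quoted to keep the shell from treating it as a glob.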

265
Vagrant/prepare.ps1 Normal file

@@ -0,0 +1,265 @@
#Requires -Version 4.0
<#
.Synopsis
This script is used to ensure prerequisites for DetectionLab
are properly installed.
.DESCRIPTION
This scripts runs a series of tests. It checks:
* If Packer and Vagrant are installed
* If VirtualBox and/or VMware are installed
* If the proper vagrant plugins are available
* Various aspects of system health
If you encounter issues, feel free to open an issue at
https://github.com/clong/DetectionLab/issues
.EXAMPLE
./prepare.ps1
This runs a series of checks to ensure your system will successfully be
able to build DetectionLab.
#>
$VAGRANT_DIR = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition
$checkmark = ([char]8730)
function install_checker {
param(
[string]$Name
)
$results = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName
$results += Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName
forEach ($result in $results) {
if ($result -like "*$Name*") {
return $true
}
}
return $false
}
function check_packer_path {
# Check if Packer is in path
Try {
Get-Command packer.exe -ErrorAction Stop | Out-Null
}
Catch {
Write-Host ' [-] Packer was not found in your PATH.' -ForegroundColor yellow
Write-Host ' [-] This is only needed if you plan to build your own boxes, otherwise you can ignore this message.' -ForegroundColor yellow
}
}
function check_vagrant_path {
# Check if Vagrant is in path
Try {
Get-Command vagrant.exe -ErrorAction Stop | Out-Null
}
Catch {
Write-Host ' [!] Vagrant was not found in your PATH. Please correct this before continuing.' -ForegroundColor red
Write-Host ' [!] Correct this by installing Vagrant with Choco or downloading from https://www.vagrantup.com/downloads.html' -ForegroundColor red
Break
}
# Check Vagrant version >= 2.2.9
[System.Version]$vagrant_version = $(vagrant --version).Split(' ')[1]
[System.Version]$version_comparison = 2.2.9
if ($vagrant_version -lt $version_comparison) {
Write-Host ' [-] It is highly recommended to use Vagrant 2.2.9 or above before continuing' -ForegroundColor yellow
}
else {
Write-Host ' ['$($checkmark)'] Your version of Vagrant ('$vagrant_version') is supported' -ForegroundColor Green
}
}
# Returns false if not installed or true if installed
function check_virtualbox_installed {
Write-Host ''
Write-Host '[+] Checking if Virtualbox is installed...'
if (install_checker -Name "VirtualBox") {
Write-Host ' ['$($checkmark)'] Virtualbox found.' -ForegroundColor green
return $true
}
else {
return $false
}
}
function check_vmware_workstation_installed {
Write-Host ''
Write-Host '[+] Checking if VMware Workstation is installed...'
if (install_checker -Name "VMware Workstation") {
Write-Host ' ['$($checkmark)'] VMware Workstation found.' -ForegroundColor green
return $true
}
else {
return $false
}
}
function check_vmware_vagrant_plugin_installed {
Write-Host ''
Write-Host '[+] Checking if the vagrant_vmware_desktop plugin is installed...'
if (vagrant plugin list | Select-String 'vagrant-vmware-workstation') {
Write-Host ' [!] The vagrant VMware Workstation plugin is no longer supported.' -ForegroundColor red
Write-Host ' [-] Please upgrade to the VMware Desktop plugin: https://www.vagrantup.com/docs/vmware/installation.html' -ForegroundColor yellow
Write-Host ' [-] Please also uninstall the vagrant-vmware-fusion plugin and install the vmware-vagrant-desktop plugin' -ForegroundColor yellow
Write-Host ' [-] HINT: `vagrant plugin uninstall vagrant-vmware-workstation; vagrant plugin install vagrant-vmware-desktop`' -ForegroundColor yellow
return $false
}
if (vagrant plugin list | Select-String 'vagrant-vmware-desktop') {
Write-Host ' ['$($checkmark)'] Vagrant VMware Desktop plugin found.' -ForegroundColor green
return $true
}
else {
Write-Host ' [!] VMware Workstation is installed, but the vagrant-vmware-desktop plugin is not.' -ForegroundColor red
Write-Host ' [-] Visit https://www.vagrantup.com/vmware/index.html#buy-now for more information on how to purchase ($80) and install it' -ForegroundColor yellow
Write-Host ' [-] VMware Workstation will not be listed as a provider until the Vagrant plugin has been installed.' -ForegroundColor yellow
Write-Host ' [-] NOTE: The plugin does not work with trial versions of VMware Workstation' -ForegroundColor yellow
return $false
}
}
function check_vagrant_vmware_utility_installed {
Write-Host ''
Write-Host '[+] Checking if the Vagrant VMware Utility is installed...'
if (install_checker -Name "Vagrant VMware Utility") {
Write-Host ' ['$($checkmark)'] Vagrant VMware Utility is installed' -ForegroundColor green
return $true
}
else {
Write-Host ' [!] To use VMware Workstation as a provider, you need to install the Vagrant VMware Utility.' -ForegroundColor Red
Write-Host ' [-] To download and install it, visit https://www.vagrantup.com/docs/providers/vmware/vagrant-vmware-utility'
return $false
}
}
function list_providers {
[cmdletbinding()]
param()
$vboxInstalled = 0
$vmwareInstalled = 0
if (check_virtualbox_installed) {
$vboxInstalled = 1
}
if (check_vmware_workstation_installed) {
if ((check_vmware_vagrant_plugin_installed) -and (check_vagrant_vmware_utility_installed)) {
$vmwareInstalled = 1
}
}
# Warn users if Virtualbox and VMware Workstation are both installed.
if (( $vboxInstalled -eq 1 ) -and ( $vmwareInstalled -eq 1 )) {
Write-Host " [-] Both VMware Workstation and Virtualbox appear to be installed on this system." -ForegroundColor Yellow
Write-Host " [-] Please consider setting the VAGRANT_DEFAULT_PROVIDER environment variable to prevent confusion." -ForegroundColor Yellow
Write-Host " [-] More details can be found here: https://www.vagrantup.com/docs/providers/default" -ForegroundColor Yellow
Write-Host " [-] Additionally, please ensure only one providers' network adapters are active at any given time." -ForegroundColor Yellow
}
if (($vboxInstalled -eq 0) -and ($vmwareInstalled -eq 0)) {
Write-Error ' [!] You need to install a provider such as VirtualBox or VMware Workstation to continue.' -ForegroundColor red
Write-Error ' [!] Virtualbox is free, the VMware Vagrant Plugin costs $80.' -ForegroundColor red
break
}
Write-Host ''
Write-Host '[+] Enumerating available providers...'
Write-Host "[+] Available Providers: "
if ($vboxInstalled -eq 1) {
Write-Host ' [*] virtualbox' -ForegroundColor green
}
if ($vmwareInstalled -eq 1) {
Write-Host ' [*] vmware_desktop' -ForegroundColor green
}
}
function preflight_checks {
Write-Host ''
Write-Host '[+] Checking if CredentialGuard is enabled...'
# Verify CredentialGuard isn't enabled
if (('CredentialGuard' -match ((Get-ComputerInfo).DeviceGuardSecurityServicesConfigured) -eq "True")) {
Write-Host ' [!] CredentialGuard appears to be enabled on this system which can cause issues with Virtualbox.' -ForegroundColor red
Write-Host ' [!] See this thread for more info: https://forums.virtualbox.org/viewtopic.php?f=25&t=82106' -ForegroundColor red
}
Write-Host ''
Write-Host '[+] Checking if any boxes have been manually built...'
if ((Get-ChildItem "$VAGRANT_DIR\..\Boxes\*.box").Count -gt 0) {
Write-Host ' [-] You seem to have at least one .box file present in the Boxes directory already.' -ForegroundColor yellow
Write-Host ' [-] If you would like to use the pre-built boxes, please remove all .box files from the Boxes directory' -ForegroundColor yellow
}
else {
Write-Host ' ['$($checkmark)'] No custom Packer boxes found' -ForegroundColor green
}
# Check to see that no Vagrant instances exist
Write-Host ''
Write-Host '[+] Checking if any Vagrant instances have been created...'
$CurrentDir = Get-Location
Set-Location "$VAGRANT_DIR"
if (($(vagrant status) | Select-String -Pattern "not[ _]created").Count -ne 4) {
Write-Host ' [-] You appear to have already created at least one Vagrant instance.' -ForegroundColor yellow
vagrant status | Select-String 'not[ _]created' -NotMatch | Select-String -Pattern 'logger|dc|wef|win10'
Write-Host ''
Write-Host ' [-] If you want to start with a fresh install, you should run `vagrant destroy -f` to remove existing instances.' -ForegroundColor yellow
}
else {
Write-Host ' ['$($checkmark)'] No Vagrant instances have been created' -ForegroundColor green
}
Set-Location $CurrentDir
# Check available disk space. Recommend 80GB free, warn if less
Write-Host ''
Write-Host '[+] Checking available disk space...'
$drives = Get-PSDrive | Where-Object { $_.Provider -like '*FileSystem*' }
$drivesList = @()
forEach ($drive in $drives) {
if ($drive.free -lt 80GB) {
$DrivesList = $DrivesList + $drive
}
}
if ($DrivesList.Count -gt 0) {
Write-Host " [-] The following drives have less than 80GB of free space. They should not be used for deploying DetectionLab" -ForegroundColor yellow
forEach ($drive in $DrivesList) {
Write-Host " [*] $($drive.Name)" -ForegroundColor yellow
}
Write-Host ' [-] You can safely ignore this warning if you are deploying DetectionLab to a different drive.' -ForegroundColor yellow
}
else {
Write-Host ' ['$($checkmark)'] You have more than 80GB of free space on your primary partition' -ForegroundColor green
}
# Ensure the vagrant-reload plugin is installed
Write-Host ''
Write-Host '[+] Checking if vagrant-reload is installed...'
if (-Not (vagrant plugin list | Select-String 'vagrant-reload')) {
Write-Host ' [-] The vagrant-reload plugin is required and not currently installed. This script will attempt to install it now.' -ForegroundColor yellow
(vagrant plugin install 'vagrant-reload')
if ($LASTEXITCODE -ne 0) {
Write-Host ' [!] Unable to install the vagrant-reload plugin. Please try to do so manually via `vagrant plugin install vagrant-reload` and re-run this script.' -ForegroundColor red
break
}
}
else {
Write-Host ' ['$($checkmark)'] The vagrant-reload plugin is installed' -ForegroundColor green
}
}
# Run check functions
Write-Host ''
Write-Host '[+] Begining pre-build checks for DetectionLab'
Write-Host ''
Write-Host '[+] Checking for necessary tools in PATH...'
check_packer_path
check_vagrant_path
preflight_checks
list_providers
Write-Host ''
Write-Host 'To get started building DetectionLab, simply cd to DetectionLab/Vagrant'
Write-Host 'and run "vagrant up". If you run into any issues along the way, check out'
Write-Host 'the troubleshooting and known issues page: https://www.detectionlab.network/deployment/troubleshooting/'
Write-Host ''
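Review bot: The CredentialGuard test at L318 has its `-match` operands reversed: the literal string 'CredentialGuard' is the input and the `DeviceGuardSecurityServicesConfigured` value becomes the regex, so on a host where that property is empty the empty pattern matches and the script likely warns that CredentialGuard is enabled, while a host with several services configured (the array stringified into one pattern) likely never matches. Write it as `if ((Get-ComputerInfo).DeviceGuardSecurityServicesConfigured -match 'CredentialGuard') {` and drop the trailing `-eq "True"`. Separately, `Write-Error` at L300–L301 has no `-ForegroundColor` parameter, so the "no provider installed" branch throws a parameter-binding error instead of printing its message; use `Write-Host ... -ForegroundColor red` as the rest of the file does, and "Begining" at L383 is a typo.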

252
Vagrant/prepare.sh Executable file

@@ -0,0 +1,252 @@
#! /bin/bash
# This script is meant to verify that your system is configured to
# build DetectionLab successfully.
# Only MacOS and Linux are supported. Use prepare.ps1 for Windows.
# If you encounter issues, feel free to open an issue at
# https://github.com/clong/DetectionLab/issues
ERROR=$(tput setaf 1; echo -n " [!]"; tput sgr0)
GOODTOGO=$(tput setaf 2; echo -n " [✓]"; tput sgr0)
INFO=$(tput setaf 3; echo -n " [-]"; tput sgr0)
print_usage() {
echo "Usage: ./prepare.sh"
exit 0
}
check_packer_path() {
# Check for existence of Packer in PATH
if ! which packer >/dev/null; then
(echo >&2 "${INFO} Packer was not found in your PATH.")
(echo >&2 "${INFO} This is only needed if you plan to build you own boxes, otherwise you can ignore this message.")
else
(echo >&2 "${GOODTOGO} Packer was found in your PATH")
fi
}
check_vagrant_path() {
# Check for existence of Vagrant in PATH
if ! which vagrant >/dev/null; then
(echo >&2 "${ERROR} Vagrant was not found in your PATH.")
(echo >&2 "${ERROR} Please correct this before continuing. Exiting.")
(echo >&2 "${ERROR} Correct this by installing Vagrant with Homebrew or downloading from https://www.vagrantup.com/downloads.html")
exit 1
else
(echo >&2 "${GOODTOGO} Vagrant was found in your PATH")
fi
check_curl_path(){
# Check to see if curl is in PATH - needed for post-install checks
if ! which curl >/dev/null; then
(echo >&2 "${ERROR} Please install curl and make sure it is in your PATH.")
exit 1
else
(echo >&2 "${GOODTOGO} Curl was found in your PATH")
fi
}
# Ensure Vagrant >= 2.2.9
# https://unix.stackexchange.com/a/285928
VAGRANT_VERSION="$(vagrant --version | cut -d ' ' -f 2)"
REQUIRED_VERSION="2.2.9"
# If the version of Vagrant is not greater or equal to the required version
if ! [ "$(printf '%s\n' "$REQUIRED_VERSION" "$VAGRANT_VERSION" | sort -V | head -n1)" = "$REQUIRED_VERSION" ]; then
(echo >&2 "${ERROR} WARNING: It is highly recommended to use Vagrant $REQUIRED_VERSION or above before continuing")
else
(echo >&2 "${GOODTOGO} Your version of Vagrant ($VAGRANT_VERSION) is supported")
fi
}
# Returns 0 if not installed or 1 if installed
check_virtualbox_installed() {
if which VBoxManage >/dev/null; then
echo "1"
else
echo "0"
fi
}
# Returns 0 if not installed or 1 if installed
# Check for VMWare Workstation on Linux
check_vmware_workstation_installed() {
if which vmrun >/dev/null; then
echo "1"
else
echo "0"
fi
}
# Returns 0 if not installed or 1 if installed
check_vmware_fusion_installed() {
if [ -e "/Applications/VMware Fusion.app" ]; then
echo "1"
else
echo "0"
fi
}
# Returns 0 if not installed or 1 if installed
check_vmware_desktop_vagrant_plugin_installed() {
LEGACY_PLUGIN_CHECK="$(vagrant plugin list | grep -c 'vagrant-vmware-fusion')"
if [ "$LEGACY_PLUGIN_CHECK" -gt 0 ]; then
(echo >&2 "${ERROR} The VMware Fusion Vagrant plugin is deprecated and is no longer supported.")
(echo >&2 "${INFO} Please upgrade to the VMware Desktop plugin: https://www.vagrantup.com/docs/vmware/installation.html")
(echo >&2 "${INFO} Please also uninstall the vagrant-vmware-fusion plugin and install the vmware-vagrant-desktop plugin")
(echo >&2 "${INFO} HINT: \`vagrant plugin uninstall vagrant-vmware-fusion && vagrant plugin install vagrant-vmware-desktop\`")
(echo >&2 "${INFO} NOTE: The VMware plugin does not work with trial versions of VMware Fusion")
echo "0"
fi
VMWARE_DESKTOP_PLUGIN_PRESENT="$(vagrant plugin list | grep -c 'vagrant-vmware-desktop')"
if [ "$VMWARE_DESKTOP_PLUGIN_PRESENT" -eq 0 ]; then
(echo >&2 "VMWare Fusion or Workstation is installed, but the vagrant-vmware-desktop plugin is not.")
(echo >&2 "Visit https://www.hashicorp.com/blog/introducing-the-vagrant-vmware-desktop-plugin for more information on how to purchase and install it")
(echo >&2 "VMWare Fusion or Workstation will not be listed as a provider until the vagrant-vmware-desktop plugin has been installed.")
echo "0"
else
echo "1"
fi
}
check_vagrant_vmware_utility_installed() {
# Ensure the helper utility is installed: https://www.vagrantup.com/docs/providers/vmware/vagrant-vmware-utility
if pgrep -f vagrant-vmware-utility > /dev/null; then
echo "1"
else
echo "0"
fi
}
# List the available Vagrant providers present on the system
list_providers() {
VBOX_PRESENT=0
VMWARE_FUSION_PRESENT=0
if [ "$(uname)" == "Darwin" ]; then
# Detect Providers on OSX
VBOX_PRESENT=$(check_virtualbox_installed)
VMWARE_FUSION_PRESENT=$(check_vmware_fusion_installed)
VMWARE_WORKSTATION_PRESENT=0 # Workstation doesn't exist on Darwain-based OS
VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT=$(check_vmware_desktop_vagrant_plugin_installed)
VAGRANT_VMWARE_UTILITY_PRESENT=$(check_vagrant_vmware_utility_installed)
else
VBOX_PRESENT=$(check_virtualbox_installed)
VMWARE_WORKSTATION_PRESENT=$(check_vmware_workstation_installed)
VMWARE_FUSION_PRESENT=0 # Fusion doesn't exist on non-Darwin OS
VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT=$(check_vmware_desktop_vagrant_plugin_installed)
VAGRANT_VMWARE_UTILITY_PRESENT=$(check_vagrant_vmware_utility_installed)
fi
(echo >&2 "Available Providers:")
if [ "$VBOX_PRESENT" == "1" ]; then
(echo >&2 "${GOODTOGO} virtualbox")
fi
if [[ $VMWARE_FUSION_PRESENT -eq 1 ]] && [[ $VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT -eq 1 ]] && [[ $VAGRANT_VMWARE_UTILITY_PRESENT -eq 1 ]]; then
(echo >&2 "${GOODTOGO} vmware_desktop")
fi
if [[ $VMWARE_WORKSTATION_PRESENT -eq 1 ]] && [[ $VAGRANT_VMWARE_DESKTOP_PLUGIN_PRESENT -eq 1 ]] && [[ $VAGRANT_VMWARE_UTILITY_PRESENT -eq 1 ]]; then
(echo >&2 "${GOODTOGO} vmware_desktop")
fi
if [[ $VBOX_PRESENT -eq 0 ]] && [[ $VMWARE_FUSION_PRESENT -eq 0 ]] && [[ $VMWARE_WORKSTATION -eq 0 ]]; then
(echo >&2 "${ERROR} You need to install a provider such as VirtualBox or VMware Fusion/Workstation to build DetectionLab.")
exit 1
fi
if [[ $VBOX_PRESENT -eq 1 ]] && [[ $VMWARE_FUSION_PRESENT -eq 1 || $VMWARE_WORKSTATION_PRESENT -eq 1 ]]; then
(echo >&2 "${INFO} Both VMware Workstation/Fusion and Virtualbox appear to be installed on this system.")
(echo >&2 "${INFO} Please consider setting the VAGRANT_DEFAULT_PROVIDER environment variable to prevent confusion." )
(echo >&2 "${INFO} More details can be found here: https://www.vagrantup.com/docs/providers/default" )
(echo >&2 "${INFO} Additionally, please ensure only one providers' network adapters are active at any given time." )
fi
}
# Check to see if boxes exist in the "Boxes" directory already
check_boxes_built() {
BOXES_BUILT=$(find "$VAGRANT_DIR"/../Boxes -name "*.box" | wc -l)
if [ "$BOXES_BUILT" -gt 0 ]; then
(echo >&2 "${INFO} WARNING: You seem to have at least one .box file present in the Boxes directory already.")
(echo >&2 "${INFO} If you would like to use the pre-built boxes, please remove all files from the Boxes directory.")
(echo >&2 "${INFO} See https://www.detectionlab.network/customization/buildpackerboxes/ for more information about this message")
else
(echo >&2 "${GOODTOGO} No custom built boxes found")
fi
}
# Check to see if any Vagrant instances exist already
check_vagrant_instances_exist() {
cd "$VAGRANT_DIR"|| exit 1
# Vagrant status has the potential to return a non-zero error code, so we work around it with "|| true"
VAGRANT_STATUS_OUTPUT=$(vagrant status)
VAGRANT_BUILT=$(echo "$VAGRANT_STATUS_OUTPUT" | grep -c 'not created') || true
if [ "$VAGRANT_BUILT" -ne 4 ]; then
(echo >&2 "${INFO} You appear to have already created at least one Vagrant instance:")
# shellcheck disable=SC2164
cd "$VAGRANT_DIR" && echo "$VAGRANT_STATUS_OUTPUT" | grep -v 'not created' | grep -E 'logger|dc|wef|win10'
(echo >&2 "${INFO} If you want to start with a fresh install, you should run \`vagrant destroy -f\` to remove existing instances.")
else
(echo >&2 "${GOODTOGO} No Vagrant instances have been created yet")
fi
}
check_vagrant_reload_plugin() {
# Ensure the vagrant-reload plugin is installed
VAGRANT_RELOAD_PLUGIN_INSTALLED=$(vagrant plugin list | grep -c 'vagrant-reload')
if [ "$VAGRANT_RELOAD_PLUGIN_INSTALLED" != "1" ]; then
(echo >&2 "${ERROR} The vagrant-reload plugin is required and was not found. This script will attempt to install it now.")
if ! $(which vagrant) plugin install "vagrant-reload"; then
(echo >&2 "Unable to install the vagrant-reload plugin. Please try to do so manually and re-run this script.")
exit 1
else
(echo >&2 "${GOODTOGO} The vagrant-reload plugin was successfully installed!")
fi
else
(echo >&2 "${GOODTOGO} The vagrant-reload plugin is currently installed")
fi
}
# Check available disk space. Recommend 80GB free, warn if less.
check_disk_free_space() {
FREE_DISK_SPACE=$(df -m "$HOME" | tr -s ' ' | grep '/' | cut -d ' ' -f 4)
if [ "$FREE_DISK_SPACE" -lt 80000 ]; then
(echo >&2 -e "Warning: You appear to have less than 80GB of HDD space free on your primary partition. If you are using a separate parition, you may ignore this warning.\n")
(df >&2 -m "$HOME")
(echo >&2 "")
else
(echo >&2 "${GOODTOGO} You have more than 80GB of free space on your primary partition")
fi
}
main() {
# Get location of prepare.sh
# https://stackoverflow.com/questions/59895/getting-the-source-directory-of-a-bash-script-from-within
VAGRANT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
(echo >&2 "[+] Checking for necessary tools in PATH...")
check_packer_path
check_vagrant_path
check_curl_path
(echo >&2 "")
(echo >&2 "[+] Checking if any boxes have been manually built...")
check_boxes_built
(echo >&2 "")
(echo >&2 "[+] Checking for disk free space...")
check_disk_free_space
(echo >&2 "")
(echo >&2 "[+] Checking if any Vagrant instances have been created...")
check_vagrant_instances_exist
(echo >&2 "")
(echo >&2 "[+] Checking if the vagrant-reload plugin is installed...")
check_vagrant_reload_plugin
(echo >&2 "")
(echo >&2 "[+] Enumerating available providers...")
list_providers
(echo >&2 '')
# shellcheck disable=SC2016
(echo >&2 'To get started building DetectionLab, run `vagrant up`.')
(echo >&2 'If you run into any issues along the way, check out the troubleshooting and known issues page: ')
(echo >&2 'https://www.detectionlab.network/deployment/troubleshooting/')
}
main
exit 0
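Review bot: `list_providers` tests an unset variable at L535: the flag assigned at L520 is `VMWARE_WORKSTATION_PRESENT`, but the "no provider" condition reads `$VMWARE_WORKSTATION`, which expands to empty and evaluates as 0 inside `[[ -eq ]]`, so a Linux host whose only provider is VMware Workstation is told to install one and the script exits 1. Change it to `[[ $VMWARE_WORKSTATION_PRESENT -eq 0 ]]`. Two smaller issues in the same file: `check_vmware_desktop_vagrant_plugin_installed` echoes "0" at L487 without returning, so a host with the legacy plugin yields a two-line value that the `-eq 1` comparisons cannot parse (add `return` after that `echo "0"`), and `check_curl_path` at L433 is defined inside the body of `check_vagrant_path` (closed at L452), which only works because `main` happens to call them in that order; move it to top level. Prefer `command -v` over `which` throughout, as ShellCheck will also flag.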


@@ -11,15 +11,6 @@ if ($onedrive) {
}
c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
# Fix in 1903
#Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing Microsoft Store and Edge shortcuts from the taskbar..."
#$appname = "Microsoft Edge"
#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
#$appname = "Microsoft Store"
#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
#$appname = "Mail"
#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling automatic screen turnoff in order to prevent screen locking..."
powercfg -change -monitor-timeout-ac 0
powercfg -change -standby-timeout-ac 0
@@ -28,6 +19,8 @@ powercfg -change -hibernate-timeout-ac 0
# Download and install ShutUp10
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading ShutUp10..."
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
$shutUp10DownloadUrl = "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
$shutUp10RepoPath = "C:\Users\vagrant\AppData\Local\Temp\OOSU10.exe"
if (-not (Test-Path $shutUp10RepoPath)) {
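Review bot: The new `$ProgressPreference` line speeds up the download that follows at L652–L654, but that download fetches an executable (OOSU10.exe) and, as far as the hunk shows, nothing checks its integrity before it is run — contrast the SHA256 comparison the ATA installer in this same commit performs on its ISO. Because the script skips the download whenever the file already exists at the fixed Temp path, a stale or tampered copy there would also be used silently. Consider pinning a known SHA256 for the vendor build and comparing it with `Get-FileHash -Algorithm SHA256` before execution; the lines that run the binary lie beyond this hunk, so I cannot confirm whether such a check exists further down. The `SecurityProtocol = "tls12, tls11, tls"` at L649 is context rather than part of this change, but note the other files in this commit pin Tls12 only.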


@@ -8,6 +8,8 @@ If (-not (Test-Path $wefRepoPath))
{
# GitHub requires TLS 1.2 as of 2/1/2018
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
}
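Review bot: The archive at L664 is fetched from the `master` branch of palantir/windows-event-forwarding with no pin and no hash, so the WEF subscriptions and scripts the lab installs are whatever that branch contains on build day and can change under you, or be swapped if the upstream repository is compromised. Pin the URL to a release tag or commit (`.../archive/<sha>.zip`) and compare `Get-FileHash -Algorithm SHA256` against a known value before `Expand-Archive`, as this commit's ATA installer already does for its ISO. `$ProgressPreference` is set inside the `If` block and never reset, which is harmless in a provisioning script but worth a comment. The `If` statement that encloses these lines opens at the hunk header, outside the visible lines.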


@@ -45,6 +45,8 @@ If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
If ($download -eq $true)
{
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
If (-not ($actualHash -eq $fileHash))
@@ -111,6 +113,8 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
If (-not (Test-Path "$env:temp\gatewaysetup.zip")) {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Downloading ATA Lightweight Gateway from WEF now..."
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant", (convertto-securestring -AsPlainText -Force -String "vagrant")))
Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
}
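Review bot: The gateway package download at L684 authenticates with the built-in `wef\vagrant` / `vagrant` credential in plain text; that is the lab's default account, but the line should say so (`# default lab credential; the gateway package is served by the WEF host this build provisioned`) so the pattern is not copied elsewhere, and unlike the ISO at L677 the package is never hashed before `Expand-Archive`. Since the WEF host was provisioned by this same build, a hash check here adds little, but it is worth confirming that `Invoke-WebRequest` actually validates the certificate on `https://wef`; a self-signed certificate there would require a validation bypass that is not visible in this hunk. The `Invoke-Command` script block these lines sit in opens outside the hunk.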


@@ -11,6 +11,8 @@ If (-not ($service)) {
# Download the flags file from the Palantir osquery-configuration Github
# GitHub requires TLS 1.2 as of 2/1/2018
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/palantir/osquery-configuration/master/Classic/Endpoints/Windows/osquery.flags" -OutFile $flagfile
## Use the TLS config
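Review bot: The osquery flags file at L696 is pulled from `raw.githubusercontent.com/.../master/...` with no pin and no integrity check, and that file decides what osquery collects and where it logs, so the lab's endpoint telemetry configuration silently tracks whatever upstream master holds at build time. Pin the raw URL to a commit SHA (`.../palantir/osquery-configuration/<sha>/Classic/Endpoints/Windows/osquery.flags`) and compare a `Get-FileHash -Algorithm SHA256` result against a known value before the file is written to `$flagfile`. The enclosing `If (-not ($service))` block starts at the hunk header, outside the visible lines.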


@@ -3,6 +3,11 @@
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Red Team Tooling..."
$hostname = $(hostname)
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Windows Defender should be disabled already by O&O ShutUp10 and the GPO
If ($hostname -eq "win10") {
# Adding Defender exclusions just in case
@@ -18,75 +23,78 @@ If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction Silentl
Try {
Uninstall-WindowsFeature Windows-Defender -ErrorAction Stop
Uninstall-WindowsFeature Windows-Defender-Features -ErrorAction Stop
}
Catch {
} Catch {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender did not uninstall successfully..."
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1"
}
}
Else {
} Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows Defender has already been disabled or uninstalled."
}
# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Mimikatz..."
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
if (-not (Test-Path $mimikatzRepoPath)) {
If (-not (Test-Path $mimikatzRepoPath)) {
Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
}
else {
} Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Mimikatz was already installed. Moving On."
}
# Download and unzip a copy of PowerSploit
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Powersploit..."
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/dev.zip"
$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
if (-not (Test-Path $powersploitRepoPath)) {
If (-not (Test-Path $powersploitRepoPath)) {
Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
Copy-Item "c:\Tools\PowerSploit\PowerSploit-dev\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
}
else {
} Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) PowerSploit was already installed. Moving On."
}
# Download and unzip a copy of Atomic Red Team
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Atomic Red Team..."
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$atomicRedTeamDownloadUrl = "https://github.com/redcanaryco/atomic-red-team/archive/master.zip"
$atomicRedTeamRepoPath = "C:\Users\vagrant\AppData\Local\Temp\atomic_red_team.zip"
if (-not (Test-Path $atomicRedTeamRepoPath)) {
Invoke-WebRequest -Uri "$atomicRedTeamDownloadUrl" -OutFile "$atomicRedTeamRepoPath"
Expand-Archive -path "$atomicRedTeamRepoPath" -destinationpath 'c:\Tools\Atomic Red Team' -Force
}
else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Atomic Red Team was already installed. Moving On."
}
# Download and unzip a copy of BadBlood
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading BadBlood..."
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$badbloodDownloadUrl = "https://github.com/davidprowe/BadBlood/archive/master.zip"
$badbloodRepoPath = "C:\Users\vagrant\AppData\Local\Temp\badblood.zip"
if (-not (Test-Path $badbloodRepoPath)) {
If (-not (Test-Path $badbloodRepoPath)) {
Invoke-WebRequest -Uri "$badbloodDownloadUrl" -OutFile "$badbloodRepoPath"
Expand-Archive -path "$badbloodRepoPath" -destinationpath 'c:\Tools\BadBlood' -Force
# Lower the number of default users to be created by BadBlood
$invokeBadBloodPath = "c:\Tools\BadBlood\BadBlood-master\Invoke-BadBlood.ps1"
((Get-Content -path $invokeBadBloodPath -Raw) -replace '1000..5000','500..1500') | Set-Content -Path $invokeBadBloodPath
}
else {
} Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) BadBlood was already installed. Moving On."
}
# Download and install Invoke-AtomicRedTeam
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Invoke-AtomicRedTeam and atomic tests..."
If (-not (Test-Path "C:\Tools\AtomicRedTeam")) {
Install-PackageProvider -Name NuGet -Force
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -InstallPath "c:\Tools\AtomicRedTeam"
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Updating Profile.ps1 to import the Invoke-AtomicRedTeam module..."
Add-Content -Path C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1 'Import-Module "C:\Tools\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Tools\AtomicRedTeam\atomics"}' -Force
} Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Invoke-AtomicRedTeam was already installed. Moving On."
}
# Purpose: Downloads the latest release of PurpleSharpNewtonsoft.Json.dll
New-Item -Path "c:\Tools\" -Name "PurpleSharp" -ItemType "directory"
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Purplesharp..."
$tag = (Invoke-WebRequest "https://api.github.com/repos/mvelazc0/PurpleSharp/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
$purplesharpDownloadUrl = "https://github.com/mvelazc0/PurpleSharp/releases/download/$tag/PurpleSharp.exe"
$purplesharpDllDownloadURL = "https://github.com/mvelazc0/PurpleSharp/releases/download/$tag/Newtonsoft.Json.dll"
If (-not (Test-Path "c:\Tools\PurpleSharp\PurpleSharp.exe")) {
Invoke-WebRequest -Uri $purplesharpDownloadUrl -OutFile "c:\Tools\PurpleSharp\PurpleSharp.exe"
Invoke-WebRequest -Uri $purplesharpDllDownloadUrl -OutFile "c:\Tools\PurpleSharp\Newtonsoft.Json.dll"
}
Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) PurpleSharp was already installed. Moving On."
}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Red Team tooling installation complete!"
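Review bot: `New-Item -Path "c:\Tools\" -Name "PurpleSharp" -ItemType "directory"` runs unconditionally, so on a second provisioning run it emits an "already exists" error before the `Test-Path` guard below it is reached; write it as `If (-not (Test-Path "c:\Tools\PurpleSharp")) { New-Item -Path "c:\Tools\PurpleSharp" -ItemType Directory | Out-Null }` or add `-Force | Out-Null`. With `[Net.ServicePointManager]::SecurityProtocol` now set once near the top of the script in the first hunk, the four repeated assignments and their `# GitHub requires TLS 1.2 as of 2/27` comments further down are redundant and can be dropped. None of the archive or release downloads in this hunk (the `$tag`-derived URLs, the `archive/master.zip` and `archive/dev.zip` links, and the `IEX (IWR ...)` installer) is pinned to a version or compared against a hash, whereas the ISO download earlier in this commit checks `Get-FileHash -Algorithm SHA256` against an expected value; pinning these to release tags and recording their hashes would make the lab's detection content reproducible across builds. The `If ($hostname -ne "win10" ...)` block enclosing the Defender removal starts outside the hunk.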


@@ -12,6 +12,8 @@ If (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern "logger
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Velociraptor..."
# GitHub requires TLS 1.2 as of 2/27
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
$ProgressPreference = 'SilentlyContinue'
$tag = (Invoke-WebRequest "https://api.github.com/repos/Velocidex/velociraptor/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
# Workaround hardcoded URL until this issue gets fixed: https://github.com/Velocidex/velociraptor/issues/528
$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/v0.4.7/velociraptor-v0.4.7-1-windows-amd64.msi"
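Review bot: `$tag` is fetched from the GitHub releases API on the line after the added `$ProgressPreference`, but the download URL two lines below is hardcoded to v0.4.7, so unless `$tag` is used past the end of the hunk the unauthenticated (rate-limited) API call is wasted and should either be removed or the workaround comment should say why it is kept. Since the MSI version is pinned anyway, a SHA256 comparison in the style of the ISO download earlier in this commit is cheap, e.g. `If ((Get-FileHash -Algorithm SHA256 -Path $msiPath).Hash -ne '<EXPECTED_SHA256>') { throw "Velociraptor MSI hash mismatch" }` placed after the download (with `$msiPath` standing for the `-OutFile` path used there); that download statement lies outside the hunk.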


@@ -1,6 +1,7 @@
# Purpose: Sets timezone to UTC, sets hostname, creates/joins domain.
# Source: https://github.com/StefanScherer/adfs2
$ProfilePath = "C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"
$box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
$box = $box.ComputerName.ToString().ToLower()
@@ -10,6 +11,15 @@ c:\windows\system32\tzutil.exe /s "UTC"
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking if Windows evaluation is expiring soon or expired..."
. c:\vagrant\scripts\fix-windows-expiration.ps1
If (!(Test-Path $ProfilePath)) {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling the Invoke-WebRequest download progress bar globally for speed improvements."
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) See https://github.com/PowerShell/PowerShell/issues/2138 for more info"
New-Item -Path $ProfilePath | Out-Null
If (!(Get-Content $Profilepath| % { $_ -match "SilentlyContinue" } )) {
Add-Content -Path $ProfilePath -Value "$ProgressPreference = 'SilentlyContinue'"
}
}
# Ping DetectionLab server for usage statistics
curl -userAgent "DetectionLab-$box" "https://ping.detectionlab.network/$box" -UseBasicParsing | out-null
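Review bot: `Add-Content -Path $ProfilePath -Value "$ProgressPreference = 'SilentlyContinue'"` uses a double-quoted string, so `$ProgressPreference` is expanded at provisioning time and the profile receives something like `Continue = 'SilentlyContinue'` instead of the assignment; the value needs single quotes (or a backtick before `$`). The `Get-Content ... | % { $_ -match "SilentlyContinue" }` check is also nested inside the `If (!(Test-Path $ProfilePath))` branch, so it only ever inspects the empty file created one line earlier and never adds the setting to a pre-existing profile, and `!` applied to the array that `%` returns is false for any profile with more than one line. Moving the check outside the branch and using `Select-String -Quiet` fixes both; the rewrite below keeps the two Write-Host lines unchanged.
```powershell
If (!(Test-Path $ProfilePath)) {
  # … unchanged: the two Write-Host lines …
  New-Item -Path $ProfilePath | Out-Null
}
# Write the assignment literally (single quotes) and only if it is not already present,
# so the setting is also added to a profile that existed before this run
If (!(Select-String -Path $ProfilePath -Pattern 'SilentlyContinue' -Quiet)) {
  Add-Content -Path $ProfilePath -Value '$ProgressPreference = ''SilentlyContinue'''
}
```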