# The dc/wef/win10 guests and the Malcolm guest reboot mid-provisioning through
# the "reload" provisioner, which is supplied by the third-party vagrant-reload
# plugin; refuse to start without it rather than failing at the first reload.
# NOTE(review): `vagrant plugin install` pulls the gem unpinned from
# rubygems.org — pin a version if this lab is ever built unattended.
raise 'vagrant-reload plugin is not installed! - run: vagrant plugin install vagrant-reload' unless Vagrant.has_plugin?("vagrant-reload")
Vagrant.configure("2") do |config|
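config.vm.define "router" do |cfg|
  # Egress gateway for the lab.  Every other guest re-points its default route
  # at 192.168.38.2 once provisioned, so all Internet-bound traffic crosses
  # this host's host-only NIC, where the Security Onion / Malcolm sensors
  # (promiscuous on the same network) can see it.
  cfg.vm.box = "ubuntu/focal64"
  cfg.vm.hostname = "router"
  # NOTE(review): VirtualBox ignores the gateway:/dns: options on a
  # private_network; they document intent here rather than configure anything.
  cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1", dns: "8.8.8.8"

  cfg.vm.provider "virtualbox" do |vb|
    vb.gui = false
    vb.name = "router"
    vb.memory = "3072"
    # Promiscuous mode on the host-only NIC (nic2).  Routing does not need it;
    # it only keeps the NIC settings uniform with the sensor guests.
    vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
  end

  cfg.vm.provision "shell", inline: <<-SHELL
    # Fail the provisioner on the first broken step instead of reporting the
    # exit status of whatever command happens to run last.
    set -e
    export DEBIAN_FRONTEND=noninteractive
    rm -rf /var/lib/apt/lists/*
    apt-get update
    apt-get -y upgrade
    apt-get -y autoremove
    apt-get clean

    # File bodies below sit at column 0: a <<'EOF' heredoc only ends on an
    # unindented EOF line, and the shebang must be the first byte of the file.
    cat <<'EOF' >/opt/router.sh
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
# NAT everything leaving through the VirtualBox NAT adapter (enp0s3).  Check
# before appending so that restarting the unit does not stack duplicate rules.
# There is deliberately no FORWARD filtering: every lab guest gets unrestricted
# egress through this box, so it is a traffic tap, not a containment boundary.
iptables -t nat -C POSTROUTING -o enp0s3 -j MASQUERADE 2>/dev/null ||
  iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
EOF

    cat <<'EOF' >/etc/systemd/system/router.service
[Unit]
Description=Router
# NOTE(review): network.service does not exist on a systemd/netplan Ubuntu, so
# this ordering is silently ignored; it works only because nothing in the
# script needs the link to be up yet.  network-online.target is the usual fix.
After=network.service

[Service]
# The script runs to completion; oneshot + RemainAfterExit keeps the unit
# reported as "active" afterwards instead of "inactive (dead)".
Type=oneshot
RemainAfterExit=yes
ExecStart=/opt/router.sh

[Install]
WantedBy=multi-user.target
EOF

    chmod 744 /opt/router.sh
    # Unit files are root-owned configuration; no reason to leave them
    # group-writable (was 664).
    chmod 644 /etc/systemd/system/router.service
    systemctl daemon-reload
    systemctl enable router.service
    systemctl start router.service
  SHELL
end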
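config.vm.define "logger" do |cfg|
  # Linux log/analysis host, built by logger_bootstrap.sh (not shown here).
  # Like the Windows guests it is re-pointed at the router VM for egress once
  # provisioned.
  cfg.vm.box = "bento/ubuntu-18.04"
  cfg.vm.hostname = "logger"
  # NOTE(review): VirtualBox ignores gateway:/dns: on a private_network.
  cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
  cfg.vm.provision :shell, path: "logger_bootstrap.sh"

  # Re-point the default route at the router on every `vagrant up`.  Written to
  # be idempotent: the old `route del ... ; route add ...` pair returns non-zero
  # whenever the gateway is already 192.168.38.2 (the state the
  # default-gateway.service below leaves the box in on every later boot), and
  # Vagrant treats a non-zero exit as a provisioning failure.
  cfg.vm.provision "shell", run: "always", inline: <<-SHELL
    ip route del default via 10.0.2.2 2>/dev/null || true
    ip route replace default via 192.168.38.2
  SHELL

  cfg.vm.provision "shell", inline: <<-SHELL
    set -e
    export DEBIAN_FRONTEND=noninteractive
    # File bodies sit at column 0: a <<'EOF' heredoc only ends on an unindented
    # EOF line, and the shebang must be the first byte of the script.
    cat <<'EOF' >/opt/default-gateway.sh
#!/bin/bash
ip route del default via 10.0.2.2 2>/dev/null || true
ip route replace default via 192.168.38.2
EOF

    cat <<'EOF' >/etc/systemd/system/default-gateway.service
[Unit]
Description=default-gateway
# NOTE(review): network.service does not exist on a systemd/netplan Ubuntu;
# the ordering is silently ignored.  Consider network-online.target.
After=network.service

[Service]
# Runs to completion; oneshot + RemainAfterExit reports it as "active".
Type=oneshot
RemainAfterExit=yes
ExecStart=/opt/default-gateway.sh

[Install]
WantedBy=multi-user.target
EOF

    chmod 744 /opt/default-gateway.sh
    # Root-owned configuration; group-writable (664) buys nothing.
    chmod 644 /etc/systemd/system/default-gateway.service
    systemctl daemon-reload
    systemctl enable default-gateway.service
    systemctl start default-gateway.service
  SHELL

  cfg.vm.provider "virtualbox" do |vb, override|
    vb.gui = false
    vb.name = "logger"
    vb.customize ["modifyvm", :id, "--memory", 4096]
    vb.customize ["modifyvm", :id, "--cpus", 2]
    vb.customize ["modifyvm", :id, "--vram", "32"]
    vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
    # Shared clipboard with the host is a data path across the VM boundary;
    # convenient for a lab, worth knowing about.
    vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
    vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
  end
end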
config.vm.define "dc" do |node|
  # Domain controller for windomain.local.  Builds the domain, the OU layout
  # and every GPO the other Windows guests rely on (WEF forwarding, PowerShell
  # and audit logging, RDP access, taskbar layout).
  node.vm.box = "detectionlab/win2016"
  node.vm.hostname = "dc"
  node.vm.boot_timeout = 600

  # WinRM is how Vagrant drives the guest.  Plaintext transport plus basic
  # auth puts the WinRM credentials on the wire unencrypted; that is only
  # tolerable because the session rides VirtualBox's NAT port-forward on the
  # host loopback.  NOTE(review): wef/win10 leave transport at Vagrant's
  # default — confirm the mismatch is intentional.
  node.winrm.transport = :plaintext
  node.vm.communicator = "winrm"
  node.winrm.basic_auth_only = true
  node.winrm.timeout = 300
  node.winrm.retry_limit = 20
  # NOTE(review): VirtualBox ignores gateway:/dns: on a private_network; the
  # adapter is actually configured by fix-second-network.ps1 below.
  node.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8"

  # Static addressing for the host-only adapter; runs elevated (privileged:
  # true) unlike the rest of the build.
  node.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.102 -dns 8.8.8.8 -gateway 192.168.38.1"

  # provision.ps1 runs on both sides of a reboot (script not shown; presumably
  # the domain promotion needs the restart before it can continue).
  node.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
  node.vm.provision "reload"

  # Remaining build steps, in order, all in the WinRM session as the vagrant
  # user.  Two deserve a security note: install-redteam.ps1 (by its name)
  # stages offensive tooling on the DC itself, and
  # configure-disable-windows-defender-gpo.ps1 switches Defender off
  # domain-wide via GPO.  Both are deliberate for a detection lab and must
  # never be copied into a real AD environment.
  %w[
    provision.ps1
    download_palantir_wef.ps1
    install-utilities.ps1
    install-redteam.ps1
    install-choco-extras.ps1
    install-osquery.ps1
    install-sysinternals.ps1
    install-velociraptor.ps1
    configure-ou.ps1
    configure-wef-gpo.ps1
    configure-powershelllogging.ps1
    configure-AuditingPolicyGPOs.ps1
    configure-rdp-user-gpo.ps1
    configure-disable-windows-defender-gpo.ps1
    configure-taskbar-layout-gpo.ps1
    install-autorunstowineventlog.ps1
  ].each do |script|
    node.vm.provision "shell", path: "scripts/#{script}", privileged: false
  end

  # Start the lab from empty event logs (the LiveId channel is skipped,
  # presumably because clearing it errors) and audit any SMB1 client access.
  node.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
  node.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
  node.vm.provision "shell", inline: "Write-Host 'DC Provisioning Complete!'", privileged: false

  # Last: send all egress via the router VM and disable the other adapter.
  # NOTE(review): assumes "Ethernet 2" is the VirtualBox NAT adapter.  If so,
  # Vagrant's WinRM port-forward dies with it and later `vagrant provision`
  # runs against this guest will not connect; if it is the host-only adapter
  # instead, this severs the lab network.  Confirm against fix-second-network.ps1.
  node.vm.provision "shell", inline: "route delete -p 0.0.0.0 mask 0.0.0.0 10.0.2.2", privileged: true
  node.vm.provision "shell", inline: "route add -p 0.0.0.0 mask 0.0.0.0 192.168.38.2", privileged: true
  node.vm.provision "shell", inline: "netsh interface set interface \"Ethernet 2\" disable", privileged: true

  node.vm.provider "virtualbox" do |vb, override|
    vb.gui = false
    vb.name = "dc.windomain.local"
    vb.default_nic_type = "82545EM"
    vb.customize ["modifyvm", :id, "--memory", 3072]
    vb.customize ["modifyvm", :id, "--cpus", 2]
    vb.customize ["modifyvm", :id, "--vram", "32"]
    # Shared clipboard with the host on a box carrying red-team tooling: a
    # data path across the VM boundary, kept for convenience.
    vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
    vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
  end
end
config.vm.define "wef" do |node|
  # Windows Event Forwarding collector, plus Splunk forwarder and Microsoft
  # ATA; the other Windows guests ship their logs here under the WEF GPO the
  # DC configures.
  node.vm.box = "detectionlab/win2016"
  node.vm.hostname = "wef"
  node.vm.boot_timeout = 600
  # WinRM with basic auth; transport is left at Vagrant's default here, unlike
  # the dc guest which forces :plaintext.
  node.vm.communicator = "winrm"
  node.winrm.basic_auth_only = true
  node.winrm.timeout = 300
  node.winrm.retry_limit = 20
  # NOTE(review): dns: names the DC here, but VirtualBox ignores gateway:/dns:
  # on a private_network; what actually lands on the adapter is the
  # "-dns 8.8.8.8" handed to fix-second-network.ps1 below.  Unless
  # provision.ps1 re-points DNS at the DC (not visible here), resolving
  # windomain.local for the domain join depends on that — confirm.
  node.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"

  node.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.103 -dns 8.8.8.8 -gateway 192.168.38.1"
  # provision.ps1 runs on both sides of a reboot (script not shown).
  node.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
  node.vm.provision "reload"
  %w[provision.ps1 download_palantir_wef.ps1].each do |script|
    node.vm.provision "shell", path: "scripts/#{script}", privileged: false
  end

  # Empty every event log before the subscriptions go live so the collector
  # starts from a clean baseline (LiveId channel skipped).
  node.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false

  # Collector, forwarders, tooling and sample data, in order, all in the WinRM
  # session as the vagrant user.  install-redteam.ps1 and
  # install-evtx-attack-samples.ps1 (by their names) put attacker tooling and
  # attack artefacts on this host — intended for a detection lab only.
  %w[
    install-wefsubscriptions.ps1
    install-splunkuf.ps1
    install-windows_ta.ps1
    install-utilities.ps1
    install-redteam.ps1
    install-evtx-attack-samples.ps1
    install-choco-extras.ps1
    install-osquery.ps1
    install-sysinternals.ps1
    install-velociraptor.ps1
    configure-pslogstranscriptsshare.ps1
    install-autorunstowineventlog.ps1
  ].each do |script|
    node.vm.provision "shell", path: "scripts/#{script}", privileged: false
  end
  node.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
  node.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: false
  node.vm.provision "shell", inline: "Write-Host 'WEF Provisioning Complete!'", privileged: false

  # Last: send all egress via the router VM and disable the other adapter.
  # NOTE(review): assumes "Ethernet 2" is the NAT adapter — if so Vagrant's
  # WinRM port-forward stops working afterwards; if it is the host-only
  # adapter, this cuts the guest off the lab network.  Confirm.
  node.vm.provision "shell", inline: "route delete -p 0.0.0.0 mask 0.0.0.0 10.0.2.2", privileged: true
  node.vm.provision "shell", inline: "route add -p 0.0.0.0 mask 0.0.0.0 192.168.38.2", privileged: true
  node.vm.provision "shell", inline: "netsh interface set interface \"Ethernet 2\" disable", privileged: true

  node.vm.provider "virtualbox" do |vb, override|
    vb.gui = false
    vb.name = "wef.windomain.local"
    vb.default_nic_type = "82545EM"
    vb.customize ["modifyvm", :id, "--memory", 2048]
    vb.customize ["modifyvm", :id, "--cpus", 2]
    vb.customize ["modifyvm", :id, "--vram", "32"]
    # Host<->guest clipboard: a data path across the VM boundary.
    vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
    vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
  end
end
config.vm.define "win10" do |node|
  # Domain-joined Windows 10 workstation: the "victim" endpoint with the same
  # telemetry agents (osquery, Sysmon-style autoruns logging, Velociraptor)
  # as the servers.
  node.vm.box = "detectionlab/win10"
  node.vm.hostname = "win10"
  node.vm.boot_timeout = 1200
  node.vm.communicator = "winrm"
  node.winrm.basic_auth_only = true
  node.winrm.timeout = 1200
  node.winrm.retry_limit = 20
  # NOTE(review): dns: names the DC, but VirtualBox ignores gateway:/dns: on a
  # private_network; the adapter gets the "-dns 8.8.8.8" passed to
  # fix-second-network.ps1 below.  Domain join therefore depends on
  # provision.ps1 (not visible) re-pointing DNS at the DC — confirm.
  node.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"

  # Unlike dc/wef this runs unprivileged (inside the WinRM session rather than
  # as an elevated scheduled task); presumably a workaround, worth a note.
  node.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1"
  node.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
  # provision.ps1 runs on both sides of a reboot (script not shown).
  node.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
  node.vm.provision "reload"
  %w[provision.ps1 download_palantir_wef.ps1].each do |script|
    node.vm.provision "shell", path: "scripts/#{script}", privileged: false
  end

  # Clean event-log baseline (LiveId channel skipped).
  node.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false

  # Tooling, in order.  install-redteam.ps1 (by its name) stages attacker
  # tooling on the workstation — intended for a detection lab only.
  %w[
    install-utilities.ps1
    install-redteam.ps1
    install-choco-extras.ps1
    install-osquery.ps1
    install-sysinternals.ps1
    install-velociraptor.ps1
    install-autorunstowineventlog.ps1
  ].each do |script|
    node.vm.provision "shell", path: "scripts/#{script}", privileged: false
  end
  node.vm.provision "shell", inline: "Write-Host 'Win10 Provisioning Complete!'", privileged: false

  # Last: send all egress via the router VM and disable the other adapter.
  # NOTE(review): assumes "Ethernet 2" is the NAT adapter — if so Vagrant's
  # WinRM port-forward stops working afterwards; if it is the host-only
  # adapter, this cuts the guest off the lab network.  Confirm.
  node.vm.provision "shell", inline: "route delete -p 0.0.0.0 mask 0.0.0.0 10.0.2.2", privileged: true
  node.vm.provision "shell", inline: "route add -p 0.0.0.0 mask 0.0.0.0 192.168.38.2", privileged: true
  node.vm.provision "shell", inline: "netsh interface set interface \"Ethernet 2\" disable", privileged: true

  node.vm.provider "virtualbox" do |vb, override|
    vb.gui = false
    vb.name = "win10.windomain.local"
    vb.default_nic_type = "82545EM"
    vb.customize ["modifyvm", :id, "--memory", 2048]
    vb.customize ["modifyvm", :id, "--cpus", 1]
    vb.customize ["modifyvm", :id, "--vram", "32"]
    # Host<->guest clipboard: a data path across the VM boundary.
    vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
    vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
  end
end
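config.vm.define "securityonion", autostart: false do |cfg|
  # Optional Security Onion sensor (`vagrant up securityonion`).  NIC 2 sits on
  # the lab network and is made promiscuous so it can sniff 192.168.38.0/24;
  # NIC 3 is a second host-only network (its role is defined in sosetup.conf,
  # which is not visible here).
  # NOTE(review): ubuntu/trusty64 and the matching SO PPA are end-of-life and
  # get no security updates — acceptable only on an isolated lab network.
  cfg.vm.box = "ubuntu/trusty64"
  cfg.vm.hostname = "securityonion"
  cfg.vm.network :private_network, ip: "192.168.38.10", gateway: "192.168.38.1", dns: "8.8.8.8"
  cfg.vm.network :private_network, ip: "192.168.39.10", gateway: "192.168.39.1", dns: "8.8.8.8"

  cfg.vm.provider "virtualbox" do |vb|
    vb.name = "securityonion"
    vb.memory = "4096"
    vb.gui = false
    vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
  end

  cfg.vm.provision "shell", inline: <<-SHELL
    # Abort on the first failing step.  Without this a failed apt-get or
    # sosetup was masked: the provisioner's exit status was that of the final
    # `ufw allow`, so Vagrant reported success for a half-built sensor.
    set -e
    export DEBIAN_FRONTEND=noninteractive
    # Drop whatever filter rules the base box shipped with (-F flushes rules
    # but leaves chain policies untouched); the firewall is presumably
    # re-established by sosetup/ufw below.
    iptables -F
    rm -rf /var/lib/apt/lists/*
    apt-get update
    apt-get -y install software-properties-common
    add-apt-repository -y ppa:securityonion/stable
    apt-get update
    apt-get -y install securityonion-all syslog-ng-core
    apt-get -y autoremove
    apt-get clean
    # Unattended setup driven by the answer file shared from the host.
    # NOTE(review): sosetup.conf is not visible here; the sniffing interface
    # selection and any credentials it carries live in that file.
    sosetup -y -f /vagrant/sosetup.conf
    # Expose the web UIs on the management address.
    ufw allow 443/tcp
  SHELL
end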
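config.vm.define "malcolm", autostart: false do |cfg|
  # Optional Malcolm network-analysis sensor (`vagrant up malcolm`).  NIC 2
  # (enp0s8) sits on the lab network and is made promiscuous so Malcolm can
  # capture everything crossing 192.168.38.0/24; NIC 3 is a second host-only
  # network.
  cfg.vm.box = "ubuntu/bionic64"
  cfg.vm.hostname = "malcolm"
  cfg.vm.network :private_network, ip: "192.168.38.11", gateway: "192.168.38.1", dns: "8.8.8.8"
  cfg.vm.network :private_network, ip: "192.168.39.11", gateway: "192.168.39.1", dns: "8.8.8.8"

  cfg.vm.provider "virtualbox" do |vb|
    vb.name = "malcolm"
    vb.memory = "10240"
    vb.gui = false
    vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
  end

  # Stage 1: kernel and ulimit tuning for the Elasticsearch-based stack.
  cfg.vm.provision "shell", inline: <<-SHELL
    set -e
    export DEBIAN_FRONTEND=noninteractive
    # Flush the base box's filter rules (policies are left as they are).
    iptables -F
    apt update
    apt install -y screen

    # Write the limits file in one go.  The previous version used `>` for
    # every line, so each echo overwrote the file and only
    # "* hard memlock unlimited" survived.  (Heredoc body at column 0: a
    # <<'EOF' heredoc only ends on an unindented EOF line.)
    cat <<'EOF' >/etc/security/limits.d/limits.conf
# the maximum number of open file handles
* soft nofile 65535
* hard nofile 65535
# do not limit the size of memory that can be locked
* soft memlock unlimited
* hard memlock unlimited
EOF

    # A dedicated sysctl.d fragment instead of appending to /etc/sysctl.conf:
    # re-running the provisioner no longer stacks duplicate lines, and the
    # literal "sysctl -w vm.max_map_count=262144" text that used to be
    # appended (not a valid sysctl line) is gone.  systemd-sysctl loads the
    # fragment on every boot; apply it now as well.
    cat <<'EOF' >/etc/sysctl.d/90-malcolm.conf
fs.file-max=2097152
fs.inotify.max_user_watches=131072
fs.inotify.max_queued_events=131072
fs.inotify.max_user_instances=512
vm.max_map_count=262144
vm.swappiness=1
net.core.somaxconn=65535
vm.dirty_background_ratio=40
vm.dirty_ratio=80
EOF
    sysctl -p /etc/sysctl.d/90-malcolm.conf
  SHELL
  cfg.vm.provision "reload"

  # Stage 2: install Malcolm from the copy checked in under resources/.
  cfg.vm.provision "shell", inline: <<-SHELL
    set -e
    echo "### Copy Malcolm"
    cp -r /vagrant/resources/malcolm /opt
    chown -R vagrant:vagrant /opt/malcolm
    echo "### Install Malcolm"
    # Runs as the unprivileged vagrant user; the inner `sudo -u vagrant` is an
    # identity no-op kept from the original invocation.
    # NOTE(review): install.py is not visible here.  Malcolm's installer
    # normally adds the invoking user to the docker group, which is
    # root-equivalent on the host — fine for a lab, not for a shared sensor.
    su -l vagrant -c "cd /opt/malcolm && sudo -u vagrant scripts/install.py --defaults --restart-malcolm"
    # The separate --configure pass is intentionally not run:
    #   su -l vagrant -c "cd /opt/malcolm && scripts/install.py --defaults --restart-malcolm --configure"
  SHELL
  cfg.vm.provision "reload"

  # Stage 3: pull the container images and start capturing on the lab NIC.
  cfg.vm.provision "shell", inline: <<-SHELL
    set -e
    cd /opt/malcolm
    echo "### Download Malcolm Containers"
    # NOTE(review): pulls whatever tags docker-compose.yml names; pin image
    # digests if reproducible sensor builds matter.
    sudo -u vagrant docker-compose pull -q
    echo "### Start Malcolm"
    # iproute2 rather than ifconfig: net-tools is not guaranteed on a bionic
    # cloud image.  Promiscuous mode is not persisted across reboots, and this
    # stage only runs at first provision, so repeat it after a halt.
    ip link set dev enp0s8 promisc on
    # Enable netsniff capture on the lab NIC with 1-minute PCAP rotation.
    # (The stray trailing characters after docker-compose.yml and the
    # `| grep PCAP` on a silent `sed -i` in the original have been removed.)
    sed -i "s/PCAP_ENABLE_NETSNIFF.*'/PCAP_ENABLE_NETSNIFF : \'true\'/" docker-compose.yml
    sed -i "s/PCAP_IFACE.*'/PCAP_IFACE : \'enp0s8\'/" docker-compose.yml
    sed -i "s/PCAP_ROTATE_MINUTES.*/PCAP_ROTATE_MINUTES : 1/" docker-compose.yml
    # Show what actually landed in the file; non-fatal if the keys are absent.
    grep -E 'PCAP_(ENABLE_NETSNIFF|IFACE|ROTATE_MINUTES)' docker-compose.yml || echo "WARNING: PCAP_* keys not found in docker-compose.yml"
    screen -dm bash -c "sudo -u vagrant scripts/start"
  SHELL
end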
end