Velociraptor was getting a lot of buzz and I’ve been wanting to experiment with it in my home lab for a while — now I’ve finally gotten around to it.
What is it?
Velociraptor is a server-client model artefact obtainer (‘a tool for collecting host based state information’). It can be installed agent-style on an endpoint and communicates with its server over TLS to obtain tasking … I mean jobs; EDR and implant don’t even share any letters. Brought to us as an open source project by Velocidex, its creator and lead (only?) developer is Michael Cohen, of Rekall and GRR fame. The GRR reference (allegedly standing for GRR Rapid Response, better known as Google Rapid Response) is relevant: this project is a rewrite of GRR that aims to refocus, debloat, simplify, etc, more-betterer (perhaps for a slightly different purpose?), etc, the original.
The best way to get the true open source experience is to clone the beta branch of a project with git and compile it from source (struggling along the way with build environments, impossible dependency loops and half-baked makefiles, while referring to doco which was meticulously created for just this purpose, only three builds ago, before the major API rewrite). I probably will actually do this, but let’s first find out whether it’s going to be worth it: Velociraptor comes with pre-built binaries for a variety of systems. The server and the client are the same binary, differentiated by which config options you provide. I’m going to install and configure the server on an Ubuntu 18.04 server and deploy clients across Windows and Linux hosts.
0. Have an Ubuntu 18.04 server lying (virtually) around.
1. Get the Linux binary and put it somewhere. Make sure you don’t use a standard location so that you increase the chances of something going wrong. Unpack the archive first; the chmod goes on the extracted binary (which is what every later command runs), not on the zip.
cd ~/home/user/velociraptor/bin
wget github.com/velocidex/velociraptor/releases/velociraptor-linux-v3.3.zip
sudo chmod +x velociraptor-linux-v3.3
2. Generate a server config file
./velociraptor-linux-v3.3 config generate > server.config.yaml
mv server.config.yaml ../etc/
3. [Optional] Never open config files; the developer knows better than you, and you risk learning something.
I changed the config in two places: the part where the GUI was binding to ‘localhost’ (I added the static IP address of my server) and the default locations Velociraptor is going to save its files to. (My Ubuntu box has a 20GB SSD-backed drive and a 100GB sluggish-spinner-backed drive mounted at /home.)
When I skimmed the documentation I ignored words like ‘meta-data’, ‘content’ and ‘read me’. I should probably be putting some files on the SSD and others on the spinner; I’ll revisit this if I have performance issues (NB. I’m never revisiting this).
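Since the post only names the two settings it changed, here is what those edits look like in the generated server.config.yaml, as an added example that is not the author’s config. The key names (GUI, Frontend, Datastore and their children) are assumed to be the ones `config generate` emits in this version; the addresses and paths are placeholders. The generated default binds the GUI to loopback, which is the safer setting: reach it through an SSH tunnel and only the client-facing frontend needs a listening port. Binding the GUI to the server’s LAN address is convenient on a home network, but the GUI then sits behind a self-signed certificate and a plain username/password, so keep it off anything routable. The datastore split is the SSD/spinner arrangement the post waves at: `location` holds the small metadata, `filestore_directory` the bulky collected content.

```yaml
# Added example: edited fragments of a generated server.config.yaml.
# Addresses and paths are placeholders, not the author's.

GUI:
  # Generated default is 127.0.0.1 (loopback only). Reach it with
  #   ssh -L 8889:127.0.0.1:8889 user@server   and browse https://127.0.0.1:8889
  # The post binds to the server's static LAN address instead. Only do
  # this on a trusted network: the GUI cert is self-signed and auth is
  # the username/password created with `user add`.
  bind_address: 192.0.2.10
  bind_port: 8889

Frontend:
  # Clients talk to this port over TLS; it is the only listener that
  # needs to be reachable from the endpoints.
  bind_address: 0.0.0.0
  bind_port: 8000

Datastore:
  implementation: FileBaseDataStore
  # Small, frequently touched metadata on the SSD ...
  location: /var/lib/velociraptor
  # ... bulky collected files (uploads, hunt results) on the spinner at /home
  filestore_directory: /home/velociraptor/files
```

After editing, restart the frontend; a client config generated from this server config will carry the frontend address and CA certificate, so regenerate client configs if you change the Frontend section later.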
4. Add a user
./velociraptor-linux-v3.3 --config ../etc/server.config.yaml user add <username>
5. Start ‘er up
./velociraptor-linux-v3.3 --config ../etc/server.config.yaml frontend
Point a browser in the right direction and ignore the certificate warnings, just like you’ve been trained.
6. Make it do something, anything
We need a client for our server to be friends with. Let’s generate a client configuration file, get it onto our target/victim/etc and spin it up.
./velociraptor-linux-v3.3 --config ../etc/server.config.yaml config client > ../etc/client.config.yaml
Truncated: Lots of output, scrolling along the screen — always a good or bad sign.
The process was identical-ish on both hosts (Windows 10 and macOS Mojave) (the -v is because are you even using a CLI if there is no text scrolling across it?):
velociraptor.binary --config /path/to/client.config.yaml client -v
7. Do some incident responding. My computer has been going slow and I think it got infected when my grandson was using it last week. Let’s check the registry for handy artefacts.
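The post does not show the query behind that registry check, so here is one as an added example (not the author’s), written in Velociraptor’s own query language, VQL, and typed into the GUI’s VQL console against the Windows client. It lists every per-user Run and RunOnce autostart value, the first place to look for something a grandson’s download left behind. The `reg` accessor and the FullPath, Data and Mtime columns are assumed to be what the glob() plugin returns for registry paths in this build; confirm with a bare `SELECT * FROM glob(...)` on your own install before trusting the column names.

```vql
-- Added example, not from the post. Assumes the "reg" accessor and the
-- FullPath / Data / Mtime columns glob() returns for registry entries.
-- Run from the GUI's VQL console (or wrap in an artifact) on a Windows client.
SELECT FullPath,
       Data.value AS Command,
       Mtime AS KeyModified      -- last-write time of the enclosing key
FROM glob(globs="HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*\\*",
          accessor="reg")
WHERE Data.type =~ "SZ"         -- keep string values (SZ, EXPAND_SZ, MULTI_SZ), drop subkeys
ORDER BY Mtime DESC
```

The HKEY_USERS wildcard walks every loaded user hive, so the query also covers accounts other than the one currently logged in; the Run* glob picks up RunOnce alongside Run. Anything recently modified that points at a user-writable path (AppData, Temp, Downloads) is what you read first.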
The self-contained binaries just start: there is very little to change in the config to get going, TLS comes out of the box and the experience across platforms couldn’t be better. We haven’t really looked at any functionality yet. What can we do with Velociraptor and why is it a better choice than x? Still don’t know. But the learning curve for getting started and finding out is super gentle. I’m looking forward to digging in deeper.
Manufactured Outrage / To-do
- But her certificates! — Get some Let’s Encrypt in here and banish the cert warnings
- Velociraptor has its own query language, VQL. How can we use it to hunt across our (many; I may have scaled up in the meantime, you don’t know) endpoints?
Update: Continue the Velociraptor journey in Part 2, where we install on Windows using an .msi, and as a service on Windows and Linux. See you next time.