How to start penetration testing with a Windows VM

James Shakespear
6 min read · Nov 19, 2019


If you have ever managed Active Directory for a company, you have probably had some interest in validating the security (or lack of it) in your domain environment. Maybe you have some Linux experience, or you’ve installed distributions like Kali (or, if it’s been a while, BackTrack). It takes time and extra effort to leave the Windows environment you deal with every day to tinker with those tools. How about we explore a new alternative for getting started with a large set of penetration testing tools on a Windows VM?

If you haven’t heard of Commando VM yet, it is a project maintained by the FireEye Labs Advanced Reverse Engineering (FLARE) team. Don’t worry, I don’t work for FireEye and am not looking to sell you anything. I just started playing with the automated setup it provides and want to help people in the same boat as me satisfy their appetite for learning about penetration testing while sticking to a familiar Windows environment.

I recently ran a training session where system administrators and other IT professionals performed a mini penetration test to learn about some of the tools of the trade. Learning the tools also let them validate the defenses they would set up in their own company’s environment. I’d like to share how I automated the setup of a simple Windows penetration testing VM.

I’ll walk you through the steps to get a Windows VM loaded with a few penetration testing tools and a package manager (Chocolatey) configured with a FireEye repository, so you can install many more tools quickly and easily. Check out the script at the end if you just want to get your VM loaded quickly.

I didn’t want to install the full set of tools for Commando VM, so let me share a quick way to get started and install only the tools that interest you. First you’ll need a VM running Windows 7 or Windows 10 (and it might as well be Windows 10, with support for Windows 7 running out soon). I’m a Windows kind of guy, so I load up Hyper-V on my laptop and follow the oh so familiar Windows OS setup. Feel free to use whichever hypervisor you are most familiar with for your VM.

Once you’ve installed Windows and are logged into the VM, we need to configure some Windows Defender settings so it doesn’t kill some of the tools we’ll use. I prefer leaving Windows Defender running, so we’ll just set up some exclusions. When I test things, I usually run tools from my Desktop or Downloads folder if I’m feeling lazy, so you may want to consider those locations as exclusions too.

We’ll also be using the Chocolatey package manager. If you have not used Chocolatey before, it is pretty slick and easy, but for some of our tools we will need Windows Defender exclusions for two folders: C:\Tools (where some programs and scripts get installed) and %LocalAppData%\Temp\chocolatey (a temporary download folder for Chocolatey packages).

You can add exclusions through PowerShell, and we can automate most of the rest of the setup from an Administrator PowerShell window. If you prefer a GUI, open the Windows Security settings and add exclusions under Virus & threat protection settings.

C:\Tools and Chocolatey’s temp directory for downloads as exceptions in Windows Defender

Our next step is to install the Chocolatey package manager. On Chocolatey’s website (chocolatey.org) you’ll find an install command to run in our PowerShell window.

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

As with all scripts found on the Internet, it’s best to read through it first to see whether you find anything malicious. Even if you’re not that familiar with PowerShell, you can read the comments, check the URLs, and understand a few things about how Chocolatey gets installed from the script referenced in our command (https://chocolatey.org/install.ps1).

You’ll also want to note the first command in that line (Set-ExecutionPolicy), as you may need it later if you plan to run other PowerShell scripts. I prefer setting the execution policy to Bypass or Unrestricted at the CurrentUser scope if I’m going to use the VM for assessments.

Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force

Output showing that Chocolatey was successfully installed

Once Chocolatey is installed, we’ll borrow a couple of snippets from the Commando VM project to add the FireEye repository to our Chocolatey configuration. These two commands should get us going with their feed:

$fireeyeFeed = "https://www.myget.org/F/fireeye/api/v2"
iex "choco sources add -n=fireeye -s $fireeyeFeed --priority 1"

Once we have that repository, let’s install our first package with Chocolatey. This package is required for the other packages from the FireEye repository to work. It took me a while to figure out why I was having problems with certain packages from their repository, so I’ll save you that hassle.

choco install common.fireeye

This installs some base environment settings used by many of the other packages they provide, as well as a Desktop link and a Start Menu folder for the Tools that get installed. Their list keeps growing with new tools and scripts, so check their GitHub repository for any that look interesting to you.

Installing applications or scripts is as simple as running choco install [packagename], and searching for packages is just choco search [searchterm]. If you want to narrow the search down to just the packages provided by FireEye, search only that source by running choco search -s fireeye (since that’s what we named the source in Chocolatey), optionally with a search term to narrow the list further.

I currently see 284 packages from their feed, and you may notice their naming convention of [packagename].fireeye for the programs to install. Also notice the packages ending in .flare, which are the ones typically used by their FLARE VM distribution for malware analysis and incident response. There is no shortage of tools to play with, so sift through the ones that might interest you.

For my initial environment, I wanted to do some network scanning, tinker with Mimikatz, and attempt a Kerberoast attack on my test domain.

Disclaimer: I had already set up an Active Directory test environment. Please only use the tools in an environment that you own or in one that you have permission to assess.

Below is the whole script that gets you started with everything from above, plus a couple of extra settings. It installs curl, Git, Nmap, Hashcat, Mimikatz, 7-Zip, and the Remote Server Administration Tools for Active Directory Users and Computers and Group Policy Management. It also downloads the Invoke-Kerberoast script from the Empire project and the compressed rockyou.txt password list (helpful for getting started with Hashcat) into the C:\Tools directory.

#Install Chocolatey first if it is not already present (same command as above)
Set-ExecutionPolicy Bypass -Scope Process -Force
if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
    iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}
#Load Chocolatey's profile module so refreshenv works in this same session (default install location)
Import-Module "$env:ProgramData\chocolatey\helpers\chocolateyProfile.psm1"

#Windows Defender exclusions for the Tools folder and Chocolatey's temp download folder
Add-MpPreference -ExclusionPath "C:\Tools"
Add-MpPreference -ExclusionPath "$env:LocalAppData\Temp\chocolatey"
Set-MpPreference -SubmitSamplesConsent NeverSend

#Add Fireeye Repo
$fireeyeFeed = "https://www.myget.org/F/fireeye/api/v2"
iex "choco sources add -n=fireeye -s $fireeyeFeed --priority 1"

#Base package required by the other FireEye packages (sets up C:\Tools, the Desktop link and the Start Menu folder)
choco install common.fireeye -y
#refreshes Path and other variables
refreshenv
choco install curl nmap hashcat.fireeye mimikatz.fireeye 7zip -y

choco install git.install --params "/GitAndUnixToolsOnPath /NoGitLfs /SChannel /NoAutoCrlf" -y

#RSAT: Active Directory Users and Computers (/AD) and Group Policy Management (/GP)
choco install rsat --params '"/AD /GP"' -y

cd C:\Tools

#Invoke-Kerberoast script from the Empire project and the compressed rockyou.txt wordlist (-L follows redirects)
curl.exe -L https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -o Invoke-Kerberoast.ps1
curl.exe -L http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 -o rockyou.txt.bz2

refreshenv

#Add the command line tools to the machine-wide PATH, skipping entries that are already there
#(the original assigned the SetEnvironmentVariable call to a string and never executed it)
$toolPaths = @("C:\Tools\hashcat", "C:\Tools\Mimikatz\x64", "C:\Program Files (x86)\Nmap")
$machinePath = [Environment]::GetEnvironmentVariable("Path", [EnvironmentVariableTarget]::Machine)
foreach ($p in $toolPaths) {
    if (($machinePath -split ';') -notcontains $p) { $machinePath += ";$p" }
}
[Environment]::SetEnvironmentVariable("Path", $machinePath, [EnvironmentVariableTarget]::Machine)

refreshenv
Write-Host "PATH variable has been updated and PowerShell may need to be relaunched if refreshenv didn't work."

You should be all set to start installing other tools or playing with these ones. The Tools link on the Desktop makes them easy to launch, and, as you may have noticed in the script, the command line tools are already on the PATH for use in PowerShell or Command Prompt (whichever you prefer).
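Before relying on the VM, it helps to confirm that the setup script actually landed where it should: the Defender exclusions from earlier (and nothing broader than the two folders we intended), the FireEye feed, the tools on PATH and the two downloads. The following check script is an added example, not part of the original post or of the Commando VM project; it assumes the default paths used in the script above, a running Windows Defender, and that the hashcat executable is named either hashcat.exe or hashcat64.exe.

```powershell
# Post-setup sanity check for the VM built by the script above (added example, not from the post).
# Assumes: C:\Tools, the PATH additions from the script, Windows Defender running.
$results = @()

# 1. Defender exclusions: exactly the two folders the tools need
$exclusions = @((Get-MpPreference).ExclusionPath)
foreach ($path in @("C:\Tools", "$env:LocalAppData\Temp\chocolatey")) {
    $results += [pscustomobject]@{ Check = "Defender exclusion $path"; Ok = ($exclusions -contains $path) }
}
# Flag exclusions wider than intended (a whole drive or the entire user profile)
$broad = $exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?$' -or $_ -eq $env:USERPROFILE }
$results += [pscustomobject]@{ Check = "No drive-wide or profile-wide exclusions"; Ok = (-not $broad) }

# 2. Chocolatey source: the fireeye feed is configured
$sources = choco source list
$results += [pscustomobject]@{ Check = "fireeye source configured"; Ok = [bool]($sources -match 'myget\.org/F/fireeye') }

# 3. Tools resolvable on PATH in this session (hashcat binary name differs between versions)
foreach ($tool in @("nmap", "mimikatz", "git", "curl.exe")) {
    $results += [pscustomobject]@{ Check = "$tool on PATH"; Ok = [bool](Get-Command $tool -ErrorAction SilentlyContinue) }
}
$hashcatFound = [bool](Get-Command hashcat, hashcat64 -ErrorAction SilentlyContinue)
$results += [pscustomobject]@{ Check = "hashcat on PATH"; Ok = $hashcatFound }

# 4. Downloaded files landed in C:\Tools
foreach ($file in @("C:\Tools\Invoke-Kerberoast.ps1", "C:\Tools\rockyou.txt.bz2")) {
    $results += [pscustomobject]@{ Check = "Downloaded $file"; Ok = (Test-Path $file) }
}

# 5. RSAT: the ActiveDirectory PowerShell module should be available
$results += [pscustomobject]@{ Check = "ActiveDirectory module available"; Ok = [bool](Get-Module -ListAvailable ActiveDirectory) }

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning "Some checks failed: relaunch PowerShell and run refreshenv, or re-run the failing install step."
}
```

Run it from a fresh Administrator PowerShell window; a PATH failure right after the setup script usually just means the session has not picked up the updated machine PATH yet.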

Now that you have a few tools to get you started with penetration testing, you’ll probably need somewhere to attack. I plan to have an article out soon for setting up an Active Directory environment for some practice.

References:

https://chocolatey.org
https://github.com/fireeye/commando-vm
https://github.com/fireeye/flare-vm

James Shakespear

InfoSec Professional | Active Directory administrator | Windows Administrator