BlackHat Arsenal Demo — Cyber Range

~Cappetta
AWS Cyber Range
Published in
4 min read · Dec 5, 2019

The goal of the post is quite simple — it provides the Cyber Range users with a copy of the BlackHat Arsenal Demo.

There will be a combination of screenshots, sections, and screencast snippets that we will review during the demo. I’ve made some updates to the tooling, and while testing, I’ve identified some issues that need to be addressed in future updates.

All users of the Cyber Range are encouraged to participate in its evolution. I email everyone once they are set up, and I encourage them to interact on GitHub by submitting pull requests, opening issues, and/or sending over feature requests.

Setup / Configuration

At this point you’ve already submitted the Cyber Range Registration request using the FormAssembly form and you are starting to set up your laptop with the software needed to run the project.

Here are the versions I am currently using. NOTE, with CAPITALIZATION, that newer versions of all software require integration testing.

  • Terraform (v0.12.13)
  • Vagrant (v2.2.6)
  • Inspec (v4.10.4)
  • Your own S3 bucket
  • jq (v1.6)
  • GNU Make (3.81)

You will also want to increase the instance quota of your AWS account if you experience any InstanceLimitExceeded errors — here are the official AWS steps: https://docs.aws.amazon.com/servicequotas/latest/userguide/request-increase.html#first-concept-chapter

Pre-reqs:

  • AWS access keys are set up with a default profile in the ~/.aws/credentials file
  • *nix/OSX Host

Initializing Terraform

The project has a makefile. The goal of the makefile is to simplify how you interact with the terraform.

Makefile s3 bucketname

Before you get started, you need to update the makefile & the terraform manifests with the s3 bucket name.

The terraform main.tf manifest that needs to be updated is located in CyberRange-gitclone/terraform/environments/<REGION>/main.tf

terraform main.tf s3 declaration

The first step is to initialize terraform by running the AWS_PROFILE=default ENV=BHEU REGION=eu-west-2 make init command.

The s3 backend was configured, and the new terraform workspace, which didn’t exist yet, was created successfully.

Now we can perform an empty make command and dive deeper into the many terraform scenarios that exist:

makefile menu of options (subject to change)

Cyber Range YouTube Recordings

Using Terraform & Vagrant

Pre-Req: You’ve performed the make network command to build the network and now you want to use vagrant to start-up / halt / restart AWS assets.

The make network command provides 3 critical bits of information to you upon completion:

  • the VPC_ID
  • the Security Group ID
  • the Subnet ID
./vagrant/yaml/aws.yaml

You place this information into the ./vagrant/yaml/aws.yaml file as noted above. Then you create/update the ./vagrant/yaml/vagrant.yaml file with the appropriate AMI IDs.

make show — Getting the AMI-IDs

Pre-Req — JQ is installed.

make show provides you with a listing of the AMI IDs available in the Cyber Range. These IDs are only available once you register for the project using the FormAssembly form directly below.

make show provides a listing of all AMIs and the layman name of the asset (subject to change)

Now — update the AMI IDs in the ./vagrant/yaml/vagrant.yaml
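A small preflight check, added here as an example and not part of the Cyber Range project, that catches a mistyped or still-unfilled ID in the two YAML files before vagrant tries to use it. The key names, the flat key: value layout and the sample values are assumptions, since the page does not show the files’ contents.

```python
import re

# Constructed sample inputs. The real ./vagrant/yaml/*.yaml layout is not shown
# on the page, so a flat "key: value" layout and these key names are assumed.
SAMPLE_AWS_YAML = """\
vpc_id: vpc-0abc1234def567890
security_group_id: sg-0123456789abcdef0
subnet_id: subnet-0fedcba9876543210
"""
SAMPLE_VAGRANT_YAML = """\
kali: ami-0123456789abcdef0
detectionlab-dc: ami-REPLACE_ME
"""

# AWS resource IDs are a prefix plus 8 (legacy) or 17 lowercase hex characters.
ID_PATTERNS = {
    "vpc_id": re.compile(r"^vpc-[0-9a-f]{8}([0-9a-f]{9})?$"),
    "security_group_id": re.compile(r"^sg-[0-9a-f]{8}([0-9a-f]{9})?$"),
    "subnet_id": re.compile(r"^subnet-[0-9a-f]{8}([0-9a-f]{9})?$"),
}
AMI_PATTERN = re.compile(r"^ami-[0-9a-f]{8}([0-9a-f]{9})?$")

def parse_flat_yaml(text):
    """Parse 'key: value' lines (comments and blanks skipped) into a dict."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.strip().strip("'\"")
    return out

def check_aws_yaml(text):
    """Return problems with the three IDs that make network prints."""
    values = parse_flat_yaml(text)
    problems = []
    for key, pattern in ID_PATTERNS.items():
        if key not in values:
            problems.append(f"{key}: missing")
        elif not pattern.match(values[key]):
            problems.append(f"{key}: malformed value {values[key]!r}")
    return problems

def check_vagrant_yaml(text):
    """Return the box names whose AMI ID is missing or malformed."""
    values = parse_flat_yaml(text)
    return [name for name, ami in values.items() if not AMI_PATTERN.match(ami)]

if __name__ == "__main__":
    print(check_aws_yaml(SAMPLE_AWS_YAML))          # []
    print(check_vagrant_yaml(SAMPLE_VAGRANT_YAML))  # ['detectionlab-dc']
```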

Exploring Detection Lab

Detection Lab is an integrated set of 4 systems best explained by Chris Long’s visual below:

Detection Lab Wiki — https://github.com/clong/DetectionLab/wiki/Lab-Information-&-Credentials

Initializing Inspec

Pre-Req: Inspec is installed; here is the Download link to v4.10.4

The goal of inspec is to automate the validation of the Cyber Range. If you plan to perform any automated testing of the Cyber Range setup, Inspec needs to be initialized before the tests can run. If you choose not to execute any checks of the environment, you can skip this step.

After you clone the github project you can simply enter inspec init profile default to initialize inspec.

Destroying ALL assets using AWS-NUKE

This tool is highly destructive. I use it because Terraform does not always clean up every asset, especially volumes. As a result, I nuke my environment often and destroy everything to help keep costs down.

Demo:

https://www.youtube.com/watch?v=af2rZc1nbwU&feature=youtu.be


Vulnerability Research Engineer @ Tenable · Cyber Eng. Masters Student @ Syracuse University · SecDevOps @ Cuse_Lead