BlackHat Arsenal Demo — Cyber Range
The goal of the post is quite simple — it provides the Cyber Range users with a copy of the BlackHat Arsenal Demo.
There will be a combination of screenshots, sections, and screencast snippets that we will review during the demo. I’ve made some updates to the tooling, and while testing, I’ve identified some issues that need to be addressed in future updates.
All users of the Cyber Range are encouraged to participate in its evolution. I email everyone once they are set up, and I encourage them to interact on GitHub by submitting pull requests, opening issues, and/or sending over feature requests.
Setup / Configuration
At this point you’ve already submitted the Cyber Range Registration request using the FormAssembly form and you are starting to set up your laptop with the software needed to run the project.
Here are the versions I am currently using. NOTE, with CAPITALIZATION, that newer versions of all software require integration testing.
- Terraform (v0.12.13)
- Vagrant (v2.2.6)
- Inspec (v4.10.4)
- Your own S3 bucket
- jq (v1.6)
- GNU Make (3.81)
You will also want to increase the instance quota of your AWS account if you experience any InstanceLimitExceeded errors — here are the official AWS steps: https://docs.aws.amazon.com/servicequotas/latest/userguide/request-increase.html#first-concept-chapter
Pre-reqs:
- AWS access keys are setup w/ a default profile in ~/.aws/credentials file
- *nix/OSX Host
Initializing Terraform
The project has a Makefile. The goal of the Makefile is to simplify how you interact with Terraform.
Before you get started, you need to update the Makefile and the Terraform manifests with your S3 bucket name.
The Terraform main.tf manifest that needs to be updated is located at CyberRange-gitclone/terraform/environments/<REGION>/main.tf
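Because the post pins exact tool versions and requires a default AWS profile plus an edited main.tf before make init will work, a small pre-flight script catches the usual mistakes up front. The script below is an added example and not part of the Cyber Range project; it assumes the version banners the real CLIs print (Terraform v0.12.13, Vagrant 2.2.6, jq-1.6, GNU Make 3.81), and it assumes the cloned main.tf carries a placeholder bucket string (CHANGE-ME-BUCKET is a made-up name, pass your own).

```python
"""Pre-flight checks for the Cyber Range laptop setup.

Added example, not the project's own code. Pinned versions come from the post;
the placeholder bucket name and the credentials sample are assumptions.
"""
import configparser
import os
import re
import shutil
import subprocess

# Versions the post was tested with; anything newer is flagged for integration testing.
PINNED = {
    "terraform": "0.12.13",
    "vagrant": "2.2.6",
    "inspec": "4.10.4",
    "jq": "1.6",
    "make": "3.81",
}

# The real flag/subcommand each tool uses to print its version.
VERSION_FLAGS = {
    "terraform": ["-v"],
    "vagrant": ["--version"],
    "inspec": ["version"],
    "jq": ["--version"],
    "make": ["--version"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the first dotted version in a banner as a 3-tuple of ints, else None.

    Handles 'Terraform v0.12.13', 'Vagrant 2.2.6', 'jq-1.6' and 'GNU Make 3.81'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(tool, found):
    """'ok' on an exact match, 'newer' (needs integration testing), 'older' or 'missing'."""
    if found is None:
        return "missing"
    pinned = parse_version(PINNED[tool])
    if found == pinned:
        return "ok"
    return "newer" if found > pinned else "older"


def installed_version(tool):
    """Run the tool's version command; None when the binary is not on PATH."""
    if shutil.which(tool) is None:
        return None
    out = subprocess.run([tool] + VERSION_FLAGS[tool], capture_output=True, text=True)
    return parse_version(out.stdout + out.stderr)


def has_default_profile(credentials_text):
    """True when an AWS credentials file (passed as text) defines a usable [default] profile."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_text)
    return (cp.has_section("default")
            and bool(cp.get("default", "aws_access_key_id", fallback=""))
            and bool(cp.get("default", "aws_secret_access_key", fallback="")))


def bucket_placeholder_replaced(main_tf_text, placeholder="CHANGE-ME-BUCKET"):
    """True when main.tf no longer carries the placeholder bucket name (placeholder is assumed)."""
    return placeholder not in main_tf_text


def run_preflight(region, home=os.path.expanduser("~")):
    """Collect every check into one dict so a wrapper can fail fast before make init."""
    report = {tool: classify(tool, installed_version(tool)) for tool in PINNED}
    try:
        with open(os.path.join(home, ".aws", "credentials")) as fh:
            report["aws_default_profile"] = has_default_profile(fh.read())
    except OSError:
        report["aws_default_profile"] = False
    try:
        with open(os.path.join("terraform", "environments", region, "main.tf")) as fh:
            report["bucket_set"] = bucket_placeholder_replaced(fh.read())
    except OSError:
        report["bucket_set"] = False
    return report


if __name__ == "__main__":
    # Run from the clone's root, e.g. REGION=eu-west-2 python3 preflight.py
    for key, value in run_preflight(os.environ.get("REGION", "eu-west-2")).items():
        print(f"{key:20} {value}")
```

A "newer" result is not an error, it is the post's reminder that the combination has not been integration tested; "missing" and a false aws_default_profile or bucket_set are the cases that make init will otherwise fail on in less obvious ways.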
The first step is to initialize Terraform using the following command:
AWS_PROFILE=default ENV=BHEU REGION=eu-west-2 make init
Now we can run an empty make command (make with no target) and dive deeper into the many Terraform scenarios that exist:
Cyber Range YouTube Recordings
- Make the Network: https://youtu.be/xDNYYpaf_RY
- Make the Core Components of the Range: https://youtu.be/ft1-mEXrrqw
- Explore the Customized Kali 2019.4 w/ RDP, Vulnerable Docker, & Nessus Essentials: https://youtu.be/LybXQM-W4zs
- Exploring CommandoVM: <to be posted>
- Exploring the custom FlareVM on-top of CommandoVM: https://youtu.be/GiVDSYGR6uA
- Exploring the Detection Lab: https://youtu.be/PRs8v98oEhY
- Exploring T-Pot HoneyPot: <to be posted>
Using Terraform & Vagrant
Pre-req: you’ve run the make network command to build the network, and now you want to use Vagrant to start up / halt / restart AWS assets.
The make network command provides 3 critical bits of information to you upon completion:
- the VPC_ID
- the Security Group ID
- the Subnet ID
You place this information into the ./vagrant/yaml/aws.yaml file as noted above. Then you create/update the ./vagrant/yaml/vagrant.yaml file with the appropriate AMI IDs.
make show: Getting the AMI IDs
Pre-req: jq is installed.
make show provides you with a listing of the AMI IDs available in the Cyber Range. These IDs are only available once you register for the project using the FormAssembly form directly below.
Now update the AMI IDs in the ./vagrant/yaml/vagrant.yaml file.
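Copying the three IDs from make network into aws.yaml and the AMI IDs from make show into vagrant.yaml by hand is where stale or mistyped IDs creep in, so here is the glue between the two steps as a script. This is an added example, not the project's Makefile or yaml format: it reads the JSON shapes that terraform output -json (Terraform 0.12) and aws ec2 describe-images produce, while the Terraform output names (vpc_id, security_group_id, subnet_id), the YAML keys, and the cyberrange- image-name prefix are assumptions, and the two JSON samples are constructed so it runs offline (substitute the real commands, as noted in the comments). It also goes one step beyond the post: when the same image has been baked twice, only the newest available build is written out.

```python
"""Turn Terraform outputs and an AMI listing into the Vagrant YAML values.

Added example, not the Cyber Range project's own code. Output names, YAML
keys and the image-name prefix are assumptions; the JSON below is constructed.
"""
import json

# Constructed sample of `terraform output -json` (Terraform 0.12 shape).
SAMPLE_TF_OUTPUT = json.dumps({
    "vpc_id": {"sensitive": False, "type": "string", "value": "vpc-0a1b2c3d4e5f60001"},
    "security_group_id": {"sensitive": False, "type": "string", "value": "sg-0a1b2c3d4e5f60002"},
    "subnet_id": {"sensitive": False, "type": "string", "value": "subnet-0a1b2c3d4e5f60003"},
})

# Constructed sample of `aws ec2 describe-images --owners self`: the Kali image
# appears twice (two builds) and the T-Pot image is still pending.
SAMPLE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-0000000000000aaaa", "Name": "cyberrange-kali-2019.4",
     "CreationDate": "2019-11-20T10:00:00.000Z", "State": "available"},
    {"ImageId": "ami-0000000000000bbbb", "Name": "cyberrange-kali-2019.4",
     "CreationDate": "2019-12-01T10:00:00.000Z", "State": "available"},
    {"ImageId": "ami-0000000000000cccc", "Name": "cyberrange-commandovm",
     "CreationDate": "2019-11-25T10:00:00.000Z", "State": "available"},
    {"ImageId": "ami-0000000000000dddd", "Name": "cyberrange-tpot",
     "CreationDate": "2019-11-26T10:00:00.000Z", "State": "pending"},
]})

# Terraform output name -> key written to ./vagrant/yaml/aws.yaml (assumed names).
OUTPUT_TO_AWS_YAML = {
    "vpc_id": "vpc_id",
    "security_group_id": "security_group_id",
    "subnet_id": "subnet_id",
}


def aws_yaml_values(tf_output_json):
    """Pull the three IDs `make network` prints out of `terraform output -json`.

    Raises KeyError naming the first missing output so a wrapper fails loudly
    instead of writing a half-filled aws.yaml.
    """
    outputs = json.loads(tf_output_json)
    values = {}
    for output_name, yaml_key in OUTPUT_TO_AWS_YAML.items():
        if output_name not in outputs:
            raise KeyError(f"terraform output {output_name!r} is missing")
        values[yaml_key] = outputs[output_name]["value"]
    return values


def ami_ids_by_name(describe_images_json, prefix="cyberrange-"):
    """Map image name (prefix stripped) -> newest *available* AMI ID.

    Images that are not 'available' are skipped; when the same name was baked
    twice the most recent CreationDate wins, so vagrant.yaml never points at a
    stale build.
    """
    images = json.loads(describe_images_json)["Images"]
    newest = {}
    for img in images:
        name = img.get("Name", "")
        if img.get("State") != "available" or not name.startswith(prefix):
            continue
        key = name[len(prefix):]
        if key not in newest or img["CreationDate"] > newest[key]["CreationDate"]:
            newest[key] = img
    return {key: img["ImageId"] for key, img in newest.items()}


def render_yaml(mapping):
    """Render a flat str -> str mapping as a YAML document (sorted keys, quoted values).

    Hand-rolled so the script has no PyYAML dependency.
    """
    lines = ["---"]
    for key in sorted(mapping):
        lines.append(f'{key}: "{mapping[key]}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With real data, replace the samples with
    #   subprocess.check_output(["terraform", "output", "-json"]) and
    #   subprocess.check_output(["aws", "ec2", "describe-images", "--owners", "self"])
    print(render_yaml(aws_yaml_values(SAMPLE_TF_OUTPUT)))
    print(render_yaml({"ami_" + k: v for k, v in ami_ids_by_name(SAMPLE_IMAGES).items()}))
```

Run it from the environment directory after make network has finished; redirect the first document to ./vagrant/yaml/aws.yaml and splice the second into ./vagrant/yaml/vagrant.yaml under whatever keys the project's Vagrantfile reads.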
Exploring Detection Lab
Detection Lab is an integrated set of 4 systems best explained by Chris Long’s visual below:
Detection Lab Wiki — https://github.com/clong/DetectionLab/wiki/Lab-Information-&-Credentials
Initializing Inspec
Pre-req: Inspec is installed; here is the download link to v4.10.4.
The goal of Inspec is to automate the validation of the Cyber Range. Inspec needs to be initialized only if you plan to perform automated testing of the Cyber Range setup; if you choose not to execute any checks of the environment, you can skip this step.
After you clone the GitHub project, you can simply run
inspec init profile default
to initialize Inspec.
Destroying ALL assets using AWS-NUKE
This tool is highly destructive. I use it because Terraform does not always clean up every asset, especially volumes. As a result, I nuke my environment often and destroy everything to help keep costs down.
Demo:
https://www.youtube.com/watch?v=af2rZc1nbwU&feature=youtu.be