Building a Cybersecurity Purple Team Home Lab — Part Three (with Security Onion)
In this part, I will show you how to setup the Security Onion SOC and the endpoints that need to be monitored. In an alternate version of this article [coming soon] I show you how to setup Splunk instead of Security Onion. In the article with Splunk it is assumed you already have your endpoints configured and ready for Splunk Universal Forwarder installations.
All of these parts have instructions that are cumulative for the home lab. You should be familiar with part one and part two before applying the instructions in part three (this article). If you haven’t already, check out part one and part two in this cyber home lab creation series.
Security Onion
Initial Setup
Download the Security Onion ISO from GitHub: https://download.securityonion.net/file/securityonion/securityonion-2.4.70-20240529.iso
Create the Security Onion VM:
See the Security Onion hardware requirements: https://docs.securityonion.net/en/2.4/hardware.html
I chose the standalone deployment therefore:
- Instead of the recommended 24GB of ram, I configured almost 28GB
- 4 CPU cores
- 500GB of storage, instead of the recommended minimum of 200GB
Regarding networking:
- The first interface is vmbr1 (which is the sniffer bridge for the entire LAN network).
- The second interface (vmbr1.20) is the management interface which exists on its own VLAN.
Installation Steps
Correction: The steps below were done on Security Onion 2.3.290. But since then I have redone these steps on Security Onion 2.4.70. The installation steps are almost the same.
Pick username/password
Log in with your username/password and you will see this screen:
I recommend configuring networking first:
Select your managed NIC to be eth1 (vmbr1) since that is our vmbr1.20 VLAN. eth0 (vmbr0) is the monitor NIC, it does not have an IP address
Setup static addressing.
Pick an address that is within your vmbr1.20 VLAN subnet that we configured during pfSense setup in part two. In my case I picked 10.0.2.5
Gateway IP address
This is the gateway address that your pfSense VM is directly responsible for within your Blue Team VLAN.
Setup DNS
I used the CloudFlare DNS servers:
Setup search domain
My search domain is hive-mind.lan
Type of Installation
I picked standalone, but you may pick a different option depending on your needs.
The other installation steps are straightforward. One important thing to note is that the VPN subnet (10.0.5.0/24) should be added when asked for “Allowed IP or Subnet”, see final installation parameters below.
If you’re having issues with networking and need to run the installation again, try the command below. This documentation may also help: https://docs.securityonion.net/en/2.4/proxmox.html
sudo SecurityOnion/setup/so-setup isoIf you’re not able to ping outside of Security Onion, my other suggestion is to delete the network interfaces and recreate them with eth0 being vmbr1 and and eth1 being vmbr1.20. The network interfaces may be named something similar on your Proxmox and security onion installation. Just make sure that one interface is assigned vmbr1 (which is a mirrored bridge interface for the whole hive-mind LAN) and vmbr1.20 represents the Blue Team VLAN segment which is also used as the management interface.
If you’re still having issues with Security Onion not communicating with the pfSense router, I suggest troubleshooting by going up the OSI layer, starting at the physical layer (the NICs) and up to the application layer (DNS, HTTP, DHCP etc). For example a physical layer issue could be something simple such as you forgetting to plug in an ethernet cord from your switch to your router or from your switch to your Proxmox hardware. One network layer issue may be the router not being configured properly and you’re missing a default gateway for the Security Onion VLAN.
Here are my final installation parameters:
From my previous post in this home lab creation series, we know that vmbr1 is the bridge that sniffs the entire LAN
If for whatever reason, eth0 was not configured during the installation to be the monitoring (sniffing/mirrored) NIC it can be added into Security Onion’s shell with the command below:
sudo so-monitor-add eth0eth1 is our Security Onion’s IP (the red box) and that IP will be used when we access Security Onion’s SOC interface on our browser.
Configuring Access to the SOC Console
Connect to the VPN we created in part two. The VPN subnet (10.0.5.0/24) should have been configured during the security onion installation phase, but if for some reason you cannot communicate with the Security Onion server or access its web interface you may have to allow your VPN address through the security onion firewall manually. Remember, your main way to access your home lab is through the VPN we had defined with the firewall rules in part two.
sudo so-firewall includehost analyst <YOUR-VPN-IP>Our SOC firewall rules need to be configured to allow three subnets on the console. Subnets (or individual IPs) also need to be added as endpoints that will be reporting to the Security Onion SOC.
For now, we are collecting logs from the Windows AD-Victim subnet and Vulnerable Web Server subnet. For firewall rules, we are allowing the Windows Victim and Vulnerable Web Server subnet alongside the VPN subnet through the firewall.
Note: we will configure the vulnerable web server subnet in a later article as the container requires different steps.
This video is a good guide in setting up security onion endpoints:
https://www.youtube.com/watch?v=cGmQMsFuAvw&ab_channel=SecurityOnion
After adding the elastic endpoint subnets, allow the vulnerable web server, Windows AD VLAN, and VPN subnets through the security onion firewall.
“Synchronize Grid” again. Give it about 5–10 minutes before downloading the installer files next.
Next we have to setup the endpoints that Security Onion will be monitoring.
Pre-requisites for Endpoint Setup
- Windows Server 2019 iso download: https://go.microsoft.com/fwlink/p/?LinkID=2195167&clcid=0x409&culture=en-us&country=US
- Download the Windows Proxmox drivers: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
- Windows 10 installation media: https://www.microsoft.com/en-us/software-download/windows10 — Download the installation media and follow the steps to create an ISO
Load the proxmox drivers ISO into Proxmox’s database:
Creating the Windows DC “Hive-Mind”
Make sure to boot up the Windows DC with the ISO and these hardware requisites:
The Windows_Server_2019 iso and Proxmox windows guest tools iso are loaded. The virtio toolkit helps with copy/pasting. Allowing cache write back to the processor on the hard disk improves performance. For networking we have VLAN 40 on the subnet 10.0.4.0/24.
Windows Active Directory DC Setup
Change the PC Name
Elevate Server to a Domain Controller
Click “Manage” and then “Add Roles and Features”
Click “next” in the wizard and make sure “role-based or feature based” installation is selected.
When you come to the Select server roles window, make sure to select Active Directory Domain Services, and then click “Add Features.”
Keep clicking next and at the “Confirm installation selections” check “Restart the destination server automatically if requires.” Then click “yes” and “Install”
Click on “Promote this server to a domain controller”.
Specify root domain name. I used “hive-mind.lan” for my lab.
On the next screen, enter a simple password you can remember, keep it the same as your Admin password. We will be brute forcing and exploiting these passwords later on.
Your domain name should populate on the next screen
Once you pass the “Prerequisites Check”, click “Install”
After you reboot, log back in, you should see the server manager dashboard. Click on Manage -> Add roles and features -> Click next and make sure “Role-based or feature-based installation” is selected -> Click next until you get to server roles.
On server roles make sure you select “Active Directory Certificate Services.” This role is used to verify identities in a domain controller, enhances security and allows use of LDAP[S]ecure. LDAP is needed for an AD build.
Click Next until you reach the “Confirmation” window and select the option to restart your DC and then click “Install.”
Once installation is finished click on “Configure Active Directory Certificate Services on the destination server.”
Click Next, select “Certification Authority” and keep clicking next accepting the defaults.
Set the validity period for a long time. Like “80” years for example.
Get to the Confirmation page, click “Configure” and reboot.
Install Proxmox Guest Tools on Windows Server (the DC)
Windows DC (RDP)
I recommend enabling RDP on your new Windows DC for remote management as this makes everything much easier. My Windows Server VM was pretty sluggish so I used RDP to manage my Windows Server through my lab VPN.
Connect to your VPN first and then RDP to your AD-DC from your Windows box.
Setup AD DNS
Open up DNS Manager
Right-click “Reverse Lookup Zones” in the left panel and select “New Zone”
Follow the default settings recommended in the wizard until you are prompted for a Network ID, for which you should use the first three parts or octets of your blue team subnet address.
After we create the zone we have to create a PTR record.
Click Create “New Pointer (PTR)” with the following Name: [IP of your DC] and Data is [DC Hostname].[Name of Domain].[Your local TLD].
If you want to know your DC hostname definitively, type “hostname” in your command prompt.
Creating the Windows Desktops “Drones”
For Windows 10 Pro download the installation media and follow the directions to create an ISO.
You may need the virto drivers (in iso format) for your drives to be seen by the Windows installation software.
If you haven’t already, make sure you download the virtio drivers and load them into your Proxmox ISO storage: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
You also have to load the virtio ISO as “an additional drive”, see the screenshot below.
On your Proxmox Hypervisor, click “Create Virtual Machine”
Power on your VM and run through the installation steps, you don’t need a product key, go on without it, and select Windows 10 Pro.
Accept the License terms and click “Custom”
If your allocated disk space doesn’t show up, we would have to load the virtio driver that we mounted alongside the iso in the new VM configuration.
Let the installation finish, log on to your windows desktop and install the virtio drivers as Admin.
P.S. if you’re having trouble getting the virtio drivers loaded and for the Windows hard disk to be initialized, let me know in the comments and I can try to help troubleshoot.
Join Windows 10 Endpoint to the Hive-Mind AD
Enter Domain Admin credentials (created on the Windows 2019 server)
Connect to DC DNS Server
Windows Endpoint Logging Configuration
The Windows 10 computers and Windows 2019 server need to be configured for monitoring with the Security Onion SOC. We need to download the installer files from the Security Onion Console, transfer it to our endpoints with a USB mapping through Proxmox and download it on the Windows devices to run the installers.
We have to download these files for Windows:
Download the files to your host machine onto your USB.
Plug in our USB on the PVE hardware running Proxmox.
Click Add
Add the USB Hardware onto our Windows 2019 Server VM
On your Windows 2019 Server VM, you should be able to initiate the install.
Make sure to run the .exe as an administrator
Go to your security onion dashboard and you should see your AD-DC sending logs:
Side note: I was having issues with time syncing to my time zone on my Windows 2019 server, I used these commands to make it work:
w32tm /query /status
w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,1.us.pool.ntp.org"
net stop w32tm && net start w32tm
w32tm /query /source w32tm /query /configurationI rebooted to let the changes take effect.
If needed, see network map to better understand what subnets are being monitored:
Repeat the same endpoint configuration steps as above on the Windows 10 endpoint. You have to run the elastic agent with admin privileges and then check your Security Onion SOC console to see if the endpoint is sending events.
References
https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
https://download.securityonion.net/file/securityonion/securityonion-2.4.70-20240529.iso
