Saturday, April 3, 2021

Running Remnux on a Proxmox Server

One of techy things I really enjoy is working with virtual machines. I decided to set up a VM server a while back. There are several to pick from, but just for the sake of learning something new I set up a Proxmox Virtual Environment. While the computer I installed it on is ancient (AMD Phenom X4 965 with 8GB RAM), it still seems to run pretty well. I've been running two different Ubuntu server VM's on it since then. One is a Minecraft server for the grandkids and friends (and maybe me too) while the other is a simple file server. I also have one Windows virtual machine on there, but rarely use it.

Today, I started the Performing Malware Analysis on Malicious Documents course by Tyler Hudak on Pluralsight. The course makes use of the great Remnux Linux virtual machine by Lenny Zeltser. For those unfamiliar (if any such person exists), Remnux is a distro dedicated to malware analysis and comes with tons of malware analysis tools. Instead of adding Remnux to my nearly full laptop hard drive (too many other VM's taking up space), I decided to run it from my Proxmox server instead.

Remnux is available for download as a .ova file. The ova file is simply a compressed file containing other files. The files within the ova can be extracted with tar or 7zip (I used the 7z command line version). The only file within that we care about for this situation is the .vmdk virtual hard drive file. I went on to the next step while waiting for the vmdk to be extracted. I should note that what I describe below should apply for most any ova file. I just happened to be using Remnux.

Importing a virtual machine from an ova file to Proxmox isn't exactly a straightforward thing to do, but if you don't mind spending just a bit getting it ready it will work just fine. I'll talk about one issue I encountered later in this post.

The first step over on the Proxmox server is creating a new virtual machine. I won't go through the entire process of doing this, as there are plenty of other guides out there explaining it. However, during the creation process you are asked to create a new hard drive. Go ahead and do it, although we'll delete it later. I created the machine with a virtual dual-core processor, 4GB of RAM, a 10GB hard drive and accepted default setting for everything else.

Upon creating the VM, it was assigned an ID of 103. This meant that the temporary hard drive I mentioned above was created at /var/lib/vz/images/103 on the server. This temporary hard drive was just created so that the above directory would be created. This is where the Remnux vmdk we extracted earlier needs to be placed for the next step.

To get it there, I uploaded the vmdk from my laptop to the Proxmox server using the scp (Secure Copy) command. The syntax for the upload looks like this: scp <file-to-upload> <user@ipaddress:/path-to-folder>. In my case, it looked like scp remnux-v7-focal-disk1.vmdk root@192.168.x.x:/var/lib/vz/images/103. With that done, it's time to switch over to the Proxmox server view page located at <server-IP-address> port 8006 and start working in a shell (see pic).

Remember, you're logged in here as root so be careful if you're not really up on working at the Linux command line.

Upon logging in to the Promox page and going to the shell, we need to navigate to the directory mentioned above where our hard drive was uploaded to. Once there, we can just delete that temporary hard drive we created with a simple rm <filename>. In this case, it was rm vm-103-disk-0.qcow2. That leaves us with only the vmdk file still in the directory. Now, we have to convert it for use with Proxmox.

Still working from the command line, we need to type the following command: qm importdisk 103 remnux-v7-focal-disk1.vmdk local -format qcow2. The 103 in all of that of course is our machine ID. The command will convert our disk file from a vmdk to a qcow2. Qcow2 is a file format for QEMU virtual machines. Upon completion of the conversion, we are left with the original vmdk file and the newly created vm-103-disk-0.qcow2. We can now safely delete the vmdk as we won't be needing it anymore.

Now we go to the hardware settings for our new VM. We'll need to add our new hard drive to the machine. You'll see it listed as an unused hard drive. Double click it and check your settings. Once satisfied, you can click Add and it will be attached to your VM. In my case, I set the drive as a SCSI device and clicked Add. My hardware settings are picture below.

Next I clicked options (see pic) and double clicked the boot order setting. I clicked the check box to enable the hard drive and then dragged it to the top of the boot order.

We're done! Well, almost. After getting the boot order set, I switched to console view and clicked Start to boot the VM. In the console I was greeted with...a black screen. That's it. A little troubleshooting led me to change the display settings in the VM hardware from default to VMWare compatible and finally I got to the Remnux desktop.

Finally, once on the Remnux desktop, we need to enable networking so we can update. At the Bash prompt in the terminal, we type sudo ifconfig ens18 up. Actually, type sudo ifconfig -a to make sure yours shows up at ens18 as well and adjust accordingly. It didn't pick up an IP address at first in my case, so I typed sudo dhclient ens18 and the IP was set. After that, it was just a matter of running sudo apt update and sudo apt upgrade to get things updated.

If you have any questions or if I got something wrong or left something out, please comment below and I'll take care of it. Have a great day!

Friday, March 19, 2021

Feeling kinda blue (team)

Hello all! It took me much longer than I had planned to post again, but life has a way of keeping one busy. Between extra crazy hours at work, spending two weeks in bed "enjoying" the Covid-19 experience and otherwise just being busy as heck, I'm finally back to write a little.

In my last post, I said that I felt like it was unlikely I'd work in a digital forensics or any other security role ever again. I just didn't feel like I had a real chance to do anything in the field again. However, thanks to a lot of encouragement from a good friend, I'm studying and hoping to land a job as a entry level SOC analyst. The work seems very interesting to me and I believe it's something I would love.

Just like my earlier days getting into digital forensics, the ol' budget is pretty much nothing, so I'm actively searching out free and low cost training opportunities. The best source I've found for information on free and low cost training is on the DFIR Diva site. Along with her training information pages, Elan has so much more on the site that helps security noobs and veterans as well. I nominated her site for the DFIR Resource of the Year Forensic 4:cast Award and I hope you will too. There are so many great resources out there, but I think this one deserves recognition for it's fantastic wealth of information for those new or returning to the field.

One fantastic training I attended last month was the SOC Core Skills course taught by John Strand. This is a 16 hour (4 hours per day, 4 days) class that teaches entry level folks the basics they need to work in a SOC. It includes both lecture and labs. From the course info page, here's what the class teaches:

  1. Core networking skills
  2. Live Windows Forensics
  3. Live Linux Forensics
  4. Memory Forensics
  5. Active Directory Analysis
  6. Network Threat Hunting
  7. Basics of Vulnerability Management
  8. The Incident Response Process

The class is "pay what you can", so there is no reason for anyone to say they can't afford it. I was very impressed with the quality of the training. A Windows virtual machine is used in the course and it has all the lab materials. The lab materials are frequently updated.

Another opportunity I'm taking advantage of is the community version of Rangeforce. This free version of the site includes 20 course modules covering such things as Splunk, Docker, regular expressions, Kubernetes and so much more. This is an incredible resource and I'm learning a lot from it. The modules are taught in virtual machines so you can do hands on learning. I absolutely love this site and encourage you to give it a look.

I'm also training on the TryHackMe site. Like Rangeforce, there is free and paid training available and it too uses virtual machines in the browser to perform the labs. I'm having a lot of fun with this site too. I'm enrolled in the free Cyber Defense path which includes modules like Intro to Networking, Network Services, Active Directory Basics and more.

I've spent a little time on LetsDefend.IO This site simulates working in a SOC environment and does it pretty well. I've worked through the free exercises and plan to subscribe soon so that I can do more.

Finally, a great video resource I've found is the YouTube channel of Gerald Auger called Simply Cyber. He does a lot of great videos on getting into Cyber Security.

So that's all I've got for now. My progress through all of this is pretty slow, given my work schedule. When I have free time, I spend a lot of it working through this excellent training and look forward to finding more. Hope you all are well and thanks for reading!