The main objective is to deploy a virtual machine to perform cybersecurity exercises. The target virtual machine can be found here: CYB 505 Web For PentesterLab
The virtual machine will use a virtual disk file in qcow2 format:
qemu-img create -f qcow2 cyb-505.qcow2 10G
It is not necessary to perform an installation, because we do not need persistence: we boot it, the operating system runs, we perform the exercises and we shut down the target system.
qemu-system-x86_64 \
-display curses \
-enable-kvm \
-cpu host \
-m 2G \
-nic user,model=virtio \
-drive file=cyb-505.qcow2,if=virtio \
-cdrom /home/athena-0x0000/isos/web_for_pentester_i386.iso
First, we need to solve an issue.
Once we solve this issue, we will run the virtual machine as a daemon, so that we can start and stop it more comfortably. Another idea we can explore is deploying a DNS server to make the HTTPS transactions easier.
The solution lies in the definition of virtual network interfaces.
VLAN technology allows one physical network interface (the ethernet socket where you plug in your network cable) to carry several IP addresses, as if the device had several ports. A peer establishing communication with the system does not know it is talking to a virtual ethernet port.
The physical machine has only one ethernet port. For this activity we will define VLAN devices in the NixOS configuration file:
cat /etc/nixos/network.nix
{ config, pkgs, ... }:
{
  systemd.network.enable = true;
  networking.networkmanager.enable = false;
  # networking.useDHCP = false;
  networking.useNetworkd = true;
  networking = {
    defaultGateway = {
      address = "10.0.0.1";
      interface = "enp2s0";
    };
    nameservers = [ "10.0.138.188" "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
    domain = "galadriel-uno.lorien.system";
    search = [ "galadriel-uno.lorien.system" ];
    interfaces = {
      # we set a static IP address for the physical interface
      enp2s0.ipv4.addresses = [{
        address = "10.0.2.8";
        prefixLength = 16;
      }];
      # the definition of the first virtual device
      erg01.ipv4.addresses = [{
        address = "10.0.155.221";
        prefixLength = 16;
      }];
      # the definition of the second virtual device
      erg02.ipv4.addresses = [{
        address = "10.0.66.165";
        prefixLength = 16;
      }];
      # we give each virtual network device its own MAC address to distinguish it from the physical one.
      # with this, the DHCP server of the router assigns an IP address to the device without overwriting the one of the real physical one
      "erg01" = {
        macAddress = "e8:b4:70:c0:00:01";
      };
      "erg02" = {
        macAddress = "e8:b4:70:c0:00:02";
      };
    };
    vlans = {
      # we name the new virtual ethernet port
      erg01 = {
        id = 1;
        # we attach this new virtual network device to the real physical one.
        interface = "enp2s0";
      };
      erg02 = {
        id = 2;
        interface = "enp2s0";
      };
    };
  };
}
Apply the configuration with nixos-rebuild switch and reboot the computer.
Then check the status of the network devices with ip a:
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:4c:4b:08:c6 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.8/16 brd 10.0.255.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe4b:8c6/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: wlp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether e8:5c:5f:bb:96:a4 brd ff:ff:ff:ff:ff:ff
4: erg02@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:b4:70:c0:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.0.66.165/16 brd 10.0.255.255 scope global erg02
       valid_lft forever preferred_lft forever
    inet6 fe80::eab4:70ff:fec0:2/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
5: erg01@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:b4:70:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.155.221/16 brd 10.0.255.255 scope global erg01
       valid_lft forever preferred_lft forever
    inet6 fe80::eab4:70ff:fec0:1/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
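As an added check that is not part of the original notes, the following Python script parses ip a output and compares the VLAN devices it finds against what network.nix declares (parent interface, MAC address, address and link state); it runs on a constructed excerpt of the output above.

```python
import re

# Constructed sample: the two VLAN entries from the host's `ip a` output above.
SAMPLE_IP_A = """\
4: erg02@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:b4:70:c0:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.0.66.165/16 brd 10.0.255.255 scope global erg02
5: erg01@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:b4:70:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.155.221/16 brd 10.0.255.255 scope global erg01
"""

# What network.nix declares per VLAN device: (parent interface, MAC, address/prefix).
EXPECTED = {
    "erg01": ("enp2s0", "e8:b4:70:c0:00:01", "10.0.155.221/16"),
    "erg02": ("enp2s0", "e8:b4:70:c0:00:02", "10.0.66.165/16"),
}

HEADER = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@(?P<parent>\S+))?: <(?P<flags>[^>]*)>.* state (?P<state>\S+)")
LINK = re.compile(r"^\s*link/ether (?P<mac>[0-9a-f:]{17})")
INET = re.compile(r"^\s*inet (?P<addr>\d+\.\d+\.\d+\.\d+/\d+)")

def parse_ip_a(text):
    """Return {name: {parent, state, flags, mac, inet}} parsed from `ip a` text."""
    devices, cur = {}, None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = devices[m["name"]] = {"parent": m["parent"], "state": m["state"],
                                        "flags": m["flags"].split(","), "mac": None, "inet": []}
        elif cur is not None and (m := LINK.match(line)):
            cur["mac"] = m["mac"]
        elif cur is not None and (m := INET.match(line)):
            cur["inet"].append(m["addr"])
    return devices

def check_vlans(devices, expected=EXPECTED):
    """Compare observed devices with the declared config; an empty list means it matches."""
    problems = []
    for name, (parent, mac, addr) in expected.items():
        dev = devices.get(name)
        if dev is None:
            problems.append(f"{name}: device missing")
            continue
        checks = [
            (dev["parent"] == parent, f"parent is {dev['parent']}, expected {parent}"),
            (dev["mac"] == mac, f"MAC is {dev['mac']}, expected {mac}"),
            (addr in dev["inet"], f"address {addr} not assigned"),
            (dev["state"] == "UP" and "LOWER_UP" in dev["flags"], "link is not up"),
        ]
        problems += [f"{name}: {msg}" for ok, msg in checks if not ok]
    return problems
```

On the real host, feed it the output of ip a (for example via subprocess) instead of the sample string.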
So we have a couple of virtual network devices ready to work with. The next step is to boot qemu like last week, this time telling the program to use erg01 or erg02 to serve the virtual machine:
qemu-system-x86_64 \
-display curses \
-enable-kvm \
-cpu host \
-m 2G \
-netdev tap,id=net0,br=br1,script=no,downscript=no \
-device virtio-net-pci,netdev=net0 \
-drive file=cyb-505-lab/cyb-505.qcow2,if=virtio \
-cdrom /home/athena-0x0000/isos/web_for_pentester_i386.iso
user@debian:~$ sudo dhclient -v eth0
Internet Systems Consortium DHCP Client 4.1.1-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/52:54:00:12:34:56
Sending on LPF/eth0/52:54:00:12:34:56
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 12
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7
sudo tcpdump -i tap0 -nA
[sudo] password for control:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:08:16.626524 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:08:22.628546 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:08:37.637842 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:08:49.634993 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:09:10.624700 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
[control@galadriel-one:~]$ sudo tcpdump -i enp2s0 -n 'port 67 or port 68'
[sudo] password for control:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:13:02.630983 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:13:02.635317 IP 10.0.0.1.67 > 10.0.158.53.68: BOOTP/DHCP, Reply, length 298
18:13:04.624693 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:13:04.629311 IP 10.0.0.1.67 > 10.0.158.53.68: BOOTP/DHCP, Reply, length 298
18:13:07.629937 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:13:07.634506 IP 10.0.0.1.67 > 10.0.158.53.68: BOOTP/DHCP, Reply, length 298
18:13:16.630146 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:13:16.634570 IP 10.0.0.1.67 > 10.0.158.53.68: BOOTP/DHCP, Reply, length 298
18:13:33.632667 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:13:33.637514 IP 10.0.0.1.67 > 10.0.158.53.68: BOOTP/DHCP, Reply, length 298
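To make the comparison of the two captures mechanical, here is an added Python example (not part of the original lab notes) that parses tcpdump -n summary lines, counts DHCP requests per client MAC and replies per server and offered address, and names the interfaces on which requests went out but no reply was ever seen; it assumes the summary format tcpdump prints above and runs on constructed excerpts of the two captures.

```python
import re
from collections import defaultdict

# Constructed samples: summary lines of the two captures above (the -A payload lines are not parsed).
TAP0 = """\
18:08:16.626524 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:08:22.628546 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
""".splitlines()
ENP2S0 = """\
18:13:02.630983 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:13:02.635317 IP 10.0.0.1.67 > 10.0.158.53.68: BOOTP/DHCP, Reply, length 298
18:13:04.624693 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
18:13:04.629311 IP 10.0.0.1.67 > 10.0.158.53.68: BOOTP/DHCP, Reply, length 298
""".splitlines()

IP4 = r"\d+\.\d+\.\d+\.\d+"
# Client -> server on UDP 68 -> 67 is a request; server -> client on 67 -> 68 is a reply.
REQUEST = re.compile(rf"^(?P<ts>\S+) IP {IP4}\.68 > {IP4}\.67: BOOTP/DHCP, Request from (?P<mac>[0-9a-f:]{{17}})")
REPLY = re.compile(rf"^(?P<ts>\S+) IP (?P<server>{IP4})\.67 > (?P<client>{IP4})\.68: BOOTP/DHCP, Reply")

def summarize_dhcp(lines):
    """Count client requests per MAC and server replies per (server IP, offered client IP)."""
    requests, replies = defaultdict(int), defaultdict(int)
    for line in lines:
        if (m := REQUEST.match(line)):
            requests[m["mac"]] += 1
        elif (m := REPLY.match(line)):
            replies[(m["server"], m["client"])] += 1
    return dict(requests), dict(replies)

def unanswered(captures):
    """captures: {interface: lines}. Return the interfaces that saw DHCP requests but no reply at all."""
    result = []
    for iface, lines in captures.items():
        requests, replies = summarize_dhcp(lines)
        if requests and not replies:
            result.append(iface)
    return result

if __name__ == "__main__":
    captures = {"tap0": TAP0, "enp2s0": ENP2S0}
    for iface, lines in captures.items():
        print(iface, summarize_dhcp(lines))
    print("requests without any reply on:", unanswered(captures))
```

Whether a reply seen on enp2s0 can get back into tap0 depends on how the tap device is joined to the host network: QEMU's br= option on a tap netdev is only acted on by the bridge helper (helper=), and with script=no QEMU opens the tap device and attaches it to nothing, so tap0 has to be connected to the host network separately.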