1 Purpose of this Book. 13

1.1 A Note About Software Versions. 15

2 Prerequisite Knowledge. 16

3 Hypervisor and Hardware Considerations. 18

3.1 Introduction to Virtualization. 18

3.2 Introduction to Hypervisors. 20

3.3 What is a Hypervisor?. 20

3.4 Bare-metal Hypervisors. 20

3.5 Hosted Hypervisors. 22

4 Hardware Considerations. 23

4.1 RAM as a Performance Factor 23

4.2 Disk I/O as a Performance Factor 23

What is seek time?. 24

4.3 CPU Cores and Features as a performance Factor 24

4.4 Performance is a Vicious Cycle. 25

5 Understanding Virtual Networks - Hosted vs. Bare-metal Hypervisor Networking. 26

5.1 Hosted Hypervisor Networking - Host-Only, Bridged, and NAT Network Segments. 26

5.2 Bridged Networking. 26

5.3 NAT Networking. 26

5.4Host-Only Networking. 27

5.5 Virtual Network Adapters and You. 27

5.6 Bare-metal Hypervisor Networking - Virtual Switches. 27

6 Lab Overview.. 29

6.1 Design. 30

6.2 Lab Network Description. 31

6.3 Bridged Network. 31

6.4 Management Network. 31

6.5 IPS 1 and IPS 2 Networks. 31

6.6 AFPACKET Bridging between IPS 1 and IPS 2. 32

6.7 Why All The Trouble?. 32

7 VMs, Resource Allocations, and Minimum Hardware Requirements. 34

8 Hypervisor Guides. 35

9 Setup - Microsoft Client Hyper-V.. 37

9.1 Installation. 37

9.2 Hypervisor Preferences. 41

9.3 Server Settings. 42

9.4 User Settings. 46

9.5 Virtual Switches. 47

9.6 Virtual Switch Types. 47

9.7 Creating Virtual Switches Using the Virtual Switch Manager 48

9.8 Creating the First VM, pfSense. 52

9.9 Adding a New VM.. 52

9.10 Initial VM Settings. 60

9.11 Installing pfSense. 65

9.12 Final VM Settings. 70

9.13 Network Configuration. 73

9.14 webConfigurator - Initial Setup. 77

9.15 Making Checkpoints. 79

9.16 pfSense Summary. 81

9.17 What’s Next?. 82

9.18 Final Connectivity Checks and Troubleshooting. 82

9.20 Your Turn. 85

9.21 Kali Linux VM.. 86

9.22 SIEM VM.. 88

9.23 IPS VM.. 90

9.24 Metasploitable 2. 93

9.25 Port Mirroring and MAC spoofing. 98

9.26 Configuring the IPS VM as a Port Mirroring Destination. 100

9.27 Configuring the pfSense VM as a Port Mirroring Source. 101

9.28 Port Mirroring for the Remaining VMs. 102

9.29 Next Steps. 102

10 Setup - Oracle VirtualBox. 103

10.1 Installation. 103

10.2 Hypervisor Preferences. 103

10.3 Creating the first VM, pfSense. 106

10.4 Adding a New VM.. 107

10.5 Initial VM Settings. 113

10.6 Installing pfSense. 122

10.7 Final VM Settings. 123

10.8 Network Configuration. 126

10.9 webConfigurator - Initial Setup. 131

10.10 Take a Snapshot 134

10.11 pfSense Summary. 139

10.12 What’s Next?. 140

10.13 Final Connectivity Checks and Troubleshooting. 140

10.14 Your turn. 143

10.15 Kali Linux VM.. 144

10.16 SIEM VM.. 146

10.17 IPS VM.. 148

10.18 Promiscuous Mode. 151

10.19 Metasploitable 2. 152

10.20 Next Steps. 159

11 Setup - VMware Fusion Pro. 160

11.1 Installation. 160

11.2 Hypervisor Preferences. 160

11.3 Creating the First VM, pfSense. 165

11.4 Adding a New VM.. 166

11.5 Installing pfSense. 183

11.6 Final VM Settings. 186

11.7 Network Configuration. 187

11.8 webConfigurator - Initial Setup. 190

11.9 Take a Snapshot 194

pfSense Summary. 197

11.10 What’s Next?. 198

11.11 Final Connectivity Checks and Troubleshooting. 198

11.12 Your Turn. 201

11.13 Kali Linux VM.. 202

11.14 SIEM VM.. 204

11.15 IPS VM.. 206

11.16 Metasploitable 2. 209

11.17 Next Steps. 210

12 Setup - VMware Workstation Pro. 211

12.1 Installation. 211

12.2 Hypervisor Preferences. 212

12.3 Virtual Networks. 214

Creating the First VM, pfSense. 218

12.4 Adding a New VM.. 219

12.5 Installing pfSense. 232

12.6 Final VM Settings. 236

12.7 Network Configuration. 238

12.8 webConfigurator - Initial Setup. 241

12.9 Take a Snapshot 244

12.10 pfSense Summary. 246

12.11 What’s Next?. 247

12.12 Final Connectivity Checks and Troubleshooting. 247

12.13 Your Turn. 250

12.14 Kali Linux VM.. 251

12.15 SIEM VM.. 253

12.16 IPS VM.. 256

12.17 Metasploitable 2. 259

12.18 Next Steps. 261

13 Setup - VMware vSphere Hypervisor (ESXi) 262

13.1 Installation. 262

13.2 Accessing ESXi 265

13.3 Hypervisor Setup. 268

13.4 Licensing. 268

13.5 Networking and Virtual Switches. 268

13.6 Creating Virtual Switches. 269

13.7 Port Groups. 273

13.8 Adding Port Groups via the ESX Web Interface. 274

13.9 Resolving Some Web Interface Bugs. 275

13.10 VMware Flings. 275

13.11 What if I don’t want to use experimental software?. 281

13.12 Final Flight Check. 287

13.13 Creating the First VM, pfSense. 289

13.14 Adding a New VM.. 293

13.15 Installing pfSense. 301

13.16 Final VM Settings. 305

13.17 Network Configuration. 307

13.18 webConfigurator - Initial Setup. 311

13.19 Take a Snapshot 314

13.20 pfSense Summary. 316

13.21 What’s Next?. 317

13.22 Final Connectivity Checks and Troubleshooting. 317

13.23 Your Turn. 320

13.24 Kali Linux VM.. 321

13.25 SIEM VM.. 323

13.26 IPS VM.. 325

13.27 Metasploitable 2. 327

13.28 Next Steps. 336

14 pfSense Firewall Rules and Network Services Guide. 337

14.1 Firewall Rule Configuration - Hosted Hypervisors. 337

14.2 Firewall Rules for the Bridged Network. 337

14.3 Firewall Rules for the Management Network. 338

14.4 Firewall Rules for the IPS Network. 340

14.5 Firewall Rule Configuration - Bare-metal Hypervisors. 342

14.6 Firewall rules for the Bridged Network. 342

14.7 Firewall Rules for the Management Network. 343

14.8 Firewall Rules for the IPS Network. 344

14.9 Network Configuration - Core Network Services. 346

14.10 NTP.. 346

14.11 DHCP.. 348

14.12 DNS Resolver 350

14.13 Squid Proxy. 352

15 Defense in Depth for Windows Hosted Hypervisors. 355

15.1 Unbinding Network Protocols on Windows Virtual Adapters. 356

15.2 Using Windows Firewall to Limit Exposure of Windows Hypervisor Hosts. 361

16 Automated Patching for Linux Lab VMs. 370

16.1 updater.sh. 370

17 Remote Lab Management 372

17.1 Windows Remote Access. 372

17.2 Persistent Static Routes. 372

17.3 Windows SSH and SCP Software. 375

17.4 Generating an SSH key in Windows using PuTTYgen. 376

17.5 Using mRemoteNG - Connection Files. 386

17.6 Using mRemoteNG - PuTTY Saved Sessions. 391

17.7 Enabling Key-Based Authentication on Linux/Unix systems. 396

17.8 Key Copy Method 1: echo append to authorized_keys. 397

17.9 Key Copy Method 2: using vi. 398

17.10 Key Copy Method 3: SCP.. 400

17.11 Making sure it worked. 404

17.12 How to use Key-Based Authentication with WinSCP.. 405

17.13 Linux, BSD, and OS X Remote Access. 409

17.14 Static Routes in Linux and OS X.. 409

17.15 Adding Routes to Linux with the ip Command. 409

17.16 Adding Routes to OS X/BSD with the route command. 410

17.17 Making Static Routes Persistent 411

17.18 Linux and BSD Route Persistence via /etc/rc.local. 411

17.19 OS X Route Persistence with Hosted Hypervisors. 413

17.20 flightcheck.sh. 414

17.21 OS X route persistence for Bare-metal Hypervisors. 417

17.22 flightcheckBM.sh. 417

17.23 The ssh and scp terminal Applications. 419

17.24 iTerm2 and Terminator 420

17.25 Generating ssh keys using ssh-keygen. 422

17.26 The alias Command. 424

17.27 Enabling Key-Based Authentication in Unix/Linux Systems. 428

17.28 Key Copy Method 1: echo append to authorized_keys. 429

17.29 Key Copy Method 2: using vi. 432

17.30 Key Copy Method 3: SCP.. 435

17.31 Making Sure it worked. 437

17.32 Using key-based authentication with the SCP command. 440

17.33 How to Enable SSH on Kali Linux. 442

17.34 Enabling, and securing root SSH.. 448

17.35 Adding your SSH public key to root’s authorized_keys file. 449

17.36 Disabling password authentication entirely via sshd_config. 453

18 Network Design Factors When Working with bare-metal Hypervisors. 456

18.1 Prereqs. 458

18.2 Creating Static Routes. 459

18.3 Creating Firewall Rules. 460

18.4 Dealing with DHCP.. 464

18.5 Jump Boxing. 465

18.6 Using a Raspberry Pi as a Jump Box. 467

18.7 Installing the Raspbian Image to your Raspberry Pi 467

18.8 Configuring Raspbian. 473

18.9 Creating a Jump Box VM.. 478

18.10 Other Physical Jump Boxes. 484

18.11 Preparing Your Jump Box for Service. 485

18.12 Configuring Static DHCP Address Allocations. 485

18.13 Enabling Key-Based Authentication for your Jump Box. 486

18.14 Windows. 486

18.15 Linux/OS X/BSD.. 489

18.16 Adding Static Routes to your Jump Box. 491

18.17 Adding Firewall Rules and SSH tunnels to allow access to the VM lab networks. 492

18.18 I Can Still Access the pfSense webConfigurator with my Management Workstation 493

18.19 I Have Lost Access to the pfSense webConfigurator UI 495

18.20 TCP Forwarding and You. 499

18.21 Windows SSH Tunnels. 500

18.22 Linux/BSD/OS X SSH Tunnels. 507

18.23 Testing your Dynamic Tunnels with FoxyProxy. 510

18.24 Troubleshooting Dynamic Tunnels. 516

18.25 Testing Your Forward Tunnels. 520

18.26 Windows. 520

18.27 Linux/OS X/BSD.. 524

18.28 Understanding SSH Tunnels. 527

18.29 Closing Notes on Jump Boxing. 528

18.30 Key-Based Authentication: Managing SSH Keys for Tunneled Connections. 528

19 IPS Installation Guide. 530

19.1 Installing and configuring Snort (via Autosnort) 530

19.2 Installing and configuring Suricata (via Autosuricata) 536

19.3 Testing your IPS Bridge. 541

20 Splunk Installation Guide. 544

20.1 Initial Setup (Server Installation) 545

20.2 (Optional) Requesting and Implementing a Splunk Dev License. 556

20.3 Universal Forwarder Setup. 560

20.4 Splunk TA for Suricata. 563

20.5 Hurricane Labs Add-On for Unified2. 568

20.6 Starting The Forwarder + Persistence. 572

20.7 Testing Splunk and the Universal Forwarder 575

20.8 Generating The Test Battery. 576

20.9 Verifying Results with Snort 584

20.10 Verifying Results with Suricata. 587

21 In Your Own Image. 590

21.1 Visions of What Might Be. 590

21.2 Malware Analysis Lab. 591

21.3 Penetration Testing Lab. 594

21.4 IT/OPs Lab. 596

22 Summary. 598

22.1 What Have We Learned Today?. 598

23 Epilogue: We Need You (Now More than Ever) 600