Recommended Ways to Setup Security Labs? (Pentesting Lab, Malware Lab)

General Discussion
23

Just a quick hack… you would have to setup the following two files in sys-bridge’s /rw/config :

/rw/config/rc.local

#! /bin/sh
# allow redirects to localhost
/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1

# there is no place like 127.0.0.1
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

# enable hotplugging survival
/usr/bin/qubesdb-write /qubes-primary-dns 127.0.0.1
/usr/bin/qubesdb-write /qubes-secondary-dns 127.0.0.1

# rerun setup of DNAT rules
/usr/lib/qubes/init/network-proxy-setup.sh

# setup and start dnsmasq
/usr/bin/cp /rw/config/dnsmasq.sys-bridge /etc/dnsmasq.d/dnsmasq.sys-bridge
/usr/bin/systemctl start dnsmasq.service

# nuke all but NAT table
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -F
/usr/sbin/iptables -X
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -X -t mangle

# setup iptables to allow network scans
/usr/sbin/iptables -t nat -D POSTROUTING 3
/usr/sbin/iptables -t nat -A POSTROUTING ! -d 10.137.0.0/24 -j MASQUERADE

/rw/config/dnsmasq.sys-bridge

# dns stuff
port=53
domain-needed
bogus-priv
no-resolv

address=/red.lab/10.137.0.a
address=/blue.lab/10.137.0.b
address=/admin.lab/10.137.0.c
address=/empire.lab/10.137.0.d
address=/work.lab/10.137.0.e
address=/offsec.lab/10.137.0.f
address=/router.lab/10.137.0.g

# dhcp stuff
dhcp-range=10.137.0.1,10.137.0.250,255.255.255.255,1m
dhcp-host=red,10.137.0.a
dhcp-host=blue,10.137.0.b
dhcp-host=admin,10.137.0.c
dhcp-host=empire,10.137.0.d
dhcp-host=work,10.137.0.e
dhcp-host=offsec,10.137.0.f
dhcp-host=router,10.137.0.g

#log-queries
#log-dhcp

You need to

  • adapt a, b, c, d, e, f, g and the machine names to your local lab specifics ( qvm-prefs <machine-name> | grep '10')
  • have dnsmasq installed in your sys-bridge’s template, preferably disabled
  • leave the lease time set to one minute for starters.

I didn’t have time to test this, have no idea if it work on Qubes 4.2-rcX as they changed to nftables.

But I think it’s a start.

And I’d be happy to hear if that worked or what tweaks have had to be done to make it work.

1 Like