Recommended Ways to Setup Security Labs? (Pentesting Lab, Malware Lab)

I’m new to this. I was able to handle the conversion of the vulnhub machine to an HVM vm, and then, with the help of your iptables instructions, I was able to get the appvm kali fully operational along with the jobs from the hackthebox site, thank you for that. But I can’t get my nmap to see my vulnhub vm (Nully Cybersecurity: 1 ~ VulnHub). I suspect I’m not configuring dnsmasq or dhcpd correctly in sys-bridge. I’ve been trying to find the root password for a given vulnhub machine to do the configuration inside, but it doesn’t seem to be listed publicly for this machine. I’m asking for help configuring dhcpd and dnsmasq, if it’s not difficult for you.

I apologize if I gave the impression of not being a dishonest user. Usually I’m only in forum reading mode, as I don’t have much to share with people, because I’m just learning qubes. I had to create a new account because the first one I created in a disposable dvm virtual machine and forgot to save the login credentials. I’m really sorry if it could somehow harm the forum; now I have a permanent account.

It is difficult to answer a question if the information you provide is somewhat vague, but I will still try.

dom0 has assigned an IP address and routes for your HVM. But your HVM does not know these parameters, as it does not run the startup scripts. If you can’t set up IP and routes manually in the HVM because you don’t have the privileges to do so, and if you assume your HVM asks a DHCP server on its uplink, it is probably a reasonable approach to run a DHCP server in your sys-bridge.

To my knowledge or experience, your DHCP server has to provide the exact same IP and route dom0 assigned for the relevant HVM. Otherwise you won’t have connectivity between sys-bridge and your nully-HVM.

Therefore you might want to do this first:

[user@dom0 ~]$ qvm-prefs nully-HVM | grep '10'
dns                   D  10.139.1.1 10.139.1.2
ip                    D  10.137.0.32
visible_gateway       D  10.137.0.9
visible_ip            D  10.137.0.32

and then hand those preferences over to your DHCP-server.

If you get your dhcpd working, please be so kind as to share your solution in this thread, as others might profit from that. “it works now, thank you” doesn’t help future visitors of this thread.

You might get an answer from the creator of that vulnhub machine, but you certainly won’t find it here. Or at least I suspect that being unlikely.

2 Likes

Just a quick hack… you would have to set up the following two files in sys-bridge’s /rw/config :

/rw/config/rc.local

#! /bin/sh
# allow redirects to localhost
/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1

# there is no place like 127.0.0.1
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

# enable hotplugging survival
/usr/bin/qubesdb-write /qubes-primary-dns 127.0.0.1
/usr/bin/qubesdb-write /qubes-secondary-dns 127.0.0.1

# rerun setup of DNAT rules
/usr/lib/qubes/init/network-proxy-setup.sh

# setup and start dnsmasq
/usr/bin/cp /rw/config/dnsmasq.sys-bridge /etc/dnsmasq.d/dnsmasq.sys-bridge
/usr/bin/systemctl start dnsmasq.service

# nuke all but NAT table
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -F
/usr/sbin/iptables -X
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -X -t mangle

# setup iptables to allow network scans
/usr/sbin/iptables -t nat -D POSTROUTING 3
/usr/sbin/iptables -t nat -A POSTROUTING ! -d 10.137.0.0/24 -j MASQUERADE

/rw/config/dnsmasq.sys-bridge

# dns stuff
port=53
domain-needed
bogus-priv
no-resolv

address=/red.lab/10.137.0.a
address=/blue.lab/10.137.0.b
address=/admin.lab/10.137.0.c
address=/empire.lab/10.137.0.d
address=/work.lab/10.137.0.e
address=/offsec.lab/10.137.0.f
address=/router.lab/10.137.0.g

# dhcp stuff
dhcp-range=10.137.0.1,10.137.0.250,255.255.255.255,1m
dhcp-host=red,10.137.0.a
dhcp-host=blue,10.137.0.b
dhcp-host=admin,10.137.0.c
dhcp-host=empire,10.137.0.d
dhcp-host=work,10.137.0.e
dhcp-host=offsec,10.137.0.f
dhcp-host=router,10.137.0.g

#log-queries
#log-dhcp

You need to

  • adapt a, b, c, d, e, f, g and the machine names to your local lab specifics ( qvm-prefs <machine-name> | grep '10')
  • have dnsmasq installed in your sys-bridge’s template, preferably disabled
  • leave the lease time set to one minute for starters.

I didn’t have time to test this, and I have no idea if it works on Qubes 4.2-rcX as they changed to nftables.

But I think it’s a start.

And I’d be happy to hear if that worked or what tweaks have had to be done to make it work.

1 Like

Hi, thank you very much for taking the time to help. I did everything exactly as written, but it doesn’t work.

I used the standard debian-11 template and installed dnsmasq in it, then created sys-bridge and enabled the provides network checkbox. Then I copied the qubes-firewall-user-script configuration from the post just above and also ran sudo chmod +x, then did exactly as in the post above and changed the IP and VM names, additionally ran sudo chmod +x, and I ended up with this:

# dns stuff
port=53
domain-needed
bogus-priv
no-resolv

address=/kalitest.lab/10.137.0.21
address=/nully.lab/10.137.0.31

# dhcp stuff
dhcp-range=10.137.0.1,10.137.0.250,255.255.255.255,1m
dhcp-host=kalitest,10.137.0.21
dhcp-host=nully,10.137.0.31

#log-queries
#log-dhcp

but it causes a systemd error with this text:

● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2023-10-16 14:48:31 EDT; 2s ago
    Process: 1466 ExecStartPre=/etc/init.d/dnsmasq checkconfig (code=exited, status=1/FAILURE)
        CPU: 14ms

Oct 16 14:48:31 sys-bridge systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Oct 16 14:48:31 sys-bridge dnsmasq[1474]: inconsistent DHCP range at line 11 of /etc/dnsmasq.d/dnsmasq.sys-bridge
Oct 16 14:48:31 sys-bridge dnsmasq[1474]: FAILED to start up
Oct 16 14:48:31 sys-bridge systemd[1]: dnsmasq.service: Control process exited, code=exited, status=1/FAILURE
Oct 16 14:48:31 sys-bridge systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
Oct 16 14:48:31 sys-bridge systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.

Apparently 255.255.255.255 causes the error. I tried to remove it from the string, and then systemd started successfully, so I tried 255.255.255.0, and with it systemd also runs successfully:

● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-10-16 15:28:18 EDT; 1s ago
    Process: 2815 ExecStartPre=/etc/init.d/dnsmasq checkconfig (code=exited, status=0/SUCCESS)
    Process: 2823 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
    Process: 2831 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
   Main PID: 2830 (dnsmasq)
      Tasks: 1 (limit: 4620)
     Memory: 1.0M
        CPU: 63ms
     CGroup: /system.slice/dnsmasq.service
             └─2830 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trus>

Oct 16 15:28:18 sys-bridge systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Oct 16 15:28:18 sys-bridge dnsmasq[2830]: started, version 2.85 cachesize 150
Oct 16 15:28:18 sys-bridge dnsmasq[2830]: DNS service limited to local subnets
Oct 16 15:28:18 sys-bridge dnsmasq[2830]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth >
Oct 16 15:28:18 sys-bridge dnsmasq-dhcp[2830]: DHCP, IP range 10.137.0.1 -- 10.137.0.250, lease time 2m
Oct 16 15:28:18 sys-bridge dnsmasq[2830]: read /etc/hosts - 5 addresses
Oct 16 15:28:18 sys-bridge systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.

but with none of these options does kalitest see nully. Here is an example of how ping works:

ping 10.137.0.31
PING 10.137.0.31 (10.137.0.31) 56(84) bytes of data.
From 10.137.0.8 icmp_seq=1 Destination Host Unreachable
From 10.137.0.8 icmp_seq=2 Destination Host Unreachable
From 10.137.0.8 icmp_seq=3 Destination Host Unreachable
From 10.137.0.8 icmp_seq=4 Destination Host Unreachable
^C
--- 10.137.0.31 ping statistics ---
6 packets transmitted, 0 received, +4 errors, 100% packet loss, time 5115ms
pipe 4

I also tried this configuration option, but it didn’t work either:

# dhcp stuff
dhcp-range=10.137.0.1,10.137.0.250,1m
# subnet mask
dhcp-option=1,255.255.255.255
# gateway
dhcp-option=3,10.137.0.8
# dns
dhcp-option=6,10.139.1.1,10.139.1.2

I’ve also tried using a standalone instead of an appvm and disabling NetworkManager with sudo systemctl disable --now NetworkManager, but unfortunately none of that helped; kalitest still doesn’t see nully with nmap, ping, or netdiscover.

Addendum: I tried to enable netvm in sys-bridge and then disable it by setting the value to none, but it didn’t help.
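Two things in this thread are easy to get wrong by hand: copying dom0's assignments (ip, visible_gateway, dns from qvm-prefs) into the dnsmasq file for every lab VM, and the "inconsistent DHCP range" refusal that the 255.255.255.255 netmask triggers. The Python helper below is an added example written for this thread; it is not code from either poster, not part of Qubes or dnsmasq, and it only models dnsmasq's behaviour as far as the log lines above show it (the range/netmask rule behind "inconsistent DHCP range", and the two-minute lease floor visible as "lease time 2m"). The qvm-prefs text, VM names and addresses are constructed sample data in the shape shown earlier in the thread; the lab domain name, the gateway-consistency check and the "host outside range" warning are this script's own lab-sanity checks, not dnsmasq rules.

```python
"""Build and sanity-check a dnsmasq lab config from `qvm-prefs <vm> | grep '10'` output."""
import ipaddress
import re

# Constructed sample input: two VMs' qvm-prefs output in the shape quoted in the
# thread (the addresses are made up for the example).
SAMPLE_PREFS = {
    "kalitest": (
        "dns                   D  10.139.1.1 10.139.1.2\n"
        "ip                    D  10.137.0.21\n"
        "visible_gateway       D  10.137.0.8\n"
        "visible_ip            D  10.137.0.21\n"
    ),
    "nully": (
        "dns                   D  10.139.1.1 10.139.1.2\n"
        "ip                    D  10.137.0.31\n"
        "visible_gateway       D  10.137.0.8\n"
        "visible_ip            D  10.137.0.31\n"
    ),
}

LEASE_MIN_SECONDS = 120  # dnsmasq raises shorter leases to two minutes ("1m" logged as "lease time 2m")


def parse_prefs(text):
    """Pick the network-relevant keys out of qvm-prefs output.

    Each line is `<name> <D or -> <value>`; the middle column only records
    whether the value is a default, so it is skipped.  'dns' becomes a list.
    """
    prefs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+\S\s+(.+?)\s*$", line)
        if m:
            prefs[m.group(1)] = m.group(2)
    if "dns" in prefs:
        prefs["dns"] = prefs["dns"].split()
    return prefs


def check_dhcp_range(spec):
    """Apply dnsmasq's consistency rule to a `start,end[,netmask][,lease]` value.

    When a netmask is given, start and end must fall in the same network under
    that mask; otherwise dnsmasq refuses to start.  A /32 mask therefore can
    never cover a range of more than one address.  Returns the error text or None.
    """
    fields = spec.split(",")
    start, end = ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])
    if len(fields) >= 3 and "." in fields[2]:
        mask = int(ipaddress.IPv4Address(fields[2]))
        if int(start) & mask != int(end) & mask:
            return "inconsistent DHCP range"
    return None


def effective_lease_seconds(lease):
    """Translate a lease such as 1m, 2h or 90 to seconds and apply the two-minute floor."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    seconds = int(lease[:-1]) * units[lease[-1]] if lease[-1] in units else int(lease)
    return max(seconds, LEASE_MIN_SECONDS)


def render_config(prefs_by_vm, dhcp_range, domain="lab"):
    """Turn dom0's assignments into dnsmasq lines; return (lines, problems).

    Every VM gets a fixed dhcp-host lease equal to the IP dom0 assigned plus a
    name under the lab domain; gateway (option 3) and DNS (option 6) are taken
    from the same prefs so DHCP hands out exactly what dom0 already routes.
    """
    problems = []
    err = check_dhcp_range(dhcp_range)
    if err:
        problems.append(f"dhcp-range: {err}")
    start, end = (ipaddress.IPv4Address(x) for x in dhcp_range.split(",")[:2])
    gateways = sorted({p["visible_gateway"] for p in prefs_by_vm.values()})
    if len(gateways) != 1:  # one DHCP option 3 cannot serve VMs behind different gateways
        problems.append(f"VMs are behind different gateways: {gateways}")
    lines = ["port=53", "domain-needed", "bogus-priv", "no-resolv", ""]
    for name, p in sorted(prefs_by_vm.items()):
        ip = ipaddress.IPv4Address(p["ip"])
        if not start <= ip <= end:  # lab-sanity warning of this script, not a dnsmasq rule
            problems.append(f"{name}: {ip} lies outside dhcp-range {start}-{end}")
        lines.append(f"address=/{name}.{domain}/{ip}")
        lines.append(f"dhcp-host={name},{ip}")
    lines.append(f"dhcp-range={dhcp_range}")
    if len(gateways) == 1:
        lines.append(f"dhcp-option=3,{gateways[0]}")
    dns = next(iter(prefs_by_vm.values()))["dns"]
    lines.append("dhcp-option=6," + ",".join(dns))
    return lines, problems


if __name__ == "__main__":
    prefs = {vm: parse_prefs(txt) for vm, txt in SAMPLE_PREFS.items()}
    for rng in ("10.137.0.1,10.137.0.250,255.255.255.255,1m",   # rejected, as in the thread
                "10.137.0.1,10.137.0.250,255.255.255.0,1m"):    # accepted
        lines, problems = render_config(prefs, rng)
        print(f"# {rng}: {problems or 'ok'}")
    print("\n".join(lines))
```

Run it in a VM that has the qvm-prefs output at hand (or feed it the quoted text); the first range reproduces the "inconsistent DHCP range" refusal from the systemd log above, the second passes, and the generated lines mirror the dhcp-host/address/dhcp-option layout used in the thread. Whether a working range then gives kalitest reachability to nully is a separate question this check does not answer.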