top of page

Building Red And Blue Team Infrastructure For Adversary Emulation

Updated: Apr 11

"The most secure computer is the computer that’s turned off!!"

Introduction


Red and blue teams and penetration testers have a common goal: to exploit an adversary's network, whether that adversary is human or artificial. The "Red and Blue Team Infrastructure" post helps red teamers, blue teamers, and penetration testers build their own red and blue team infrastructure for adversary emulation.


Our infrastructure below consists of a C2(Kali) Server, Payload Server, Redirector, Domain Controller(DC), EDR (Wazuh), Linux, and Windows domain members as our targets.


Hardware & Software Requirments: 100 GB SSD, RAM 16 GB (Recommended), VirtualBox Hypervisor, Windows 10 or 11 OS.



We will build the above infrastructure as per the below plan:


Part A: Configure the DNS Server


We will start building our lab by installing and configuring the DC. Download Windows 2019 Server ISO from here. Install the Windows Server 2019 Standard Desktop Experience Version on VirtualBox.


Once the installation is complete, reboot DC, navigate to the Server Manager, and click Add Roles and Features.


Click Next.



Click Next.



Click Next.



Select DNS Server and Click on Next. Optionally, select Web Server(IIS), SMTP, and DHCP Server.



Click on Add Features.



Click Continue.



Click Next.



Select Active Directory Domain Services and Click on Add Features.



Click Next.



Click Next.



Click Next.



Click Install



Wait for the installation to end and restart the DC.



To review your changes, revisit


Once reviewed, go to Part B.


Part B: Configure the AD Domain Services


In this section, we will learn how to configure AD Domain Services. As shown below, shut down the DC machine and attach the Network Adapter to Internal Network.



Start the DC, manually configure the IPv4 address, and click OK to save the changes.



Go to the Server Manager, click the Notifications icon, and click on the link "Promote this server to a domain controller."



Enter the root domain name of your choice. We have used darkrelay.io as our domain name and clicked Next.



Set the password and click Next.



Click Next.



Click Next.



Click Next.



Click Next.



Click Install. Wait for the installation to complete. Click close if prompted.



Login to the Domain DarkRelay on DC as an Administrator user. Go to Control Panel\System and Security\System and Click on Change Settings.



Click Change to update the Computer name. Click OK and restart the DC to apply the changes.



Zone & Lookups Configuration:

Log in to DC to configure the Zones & Lookups. In Server Manager, click Tools and then DNS.



Right-click on Reverse Lookup Zones and click New Zone.



Click Next.



Leave all settings to default, and click Next. Enter the Network ID as 192.168.1 and Click Next.



Select Do not allow dynamic updates and Click Next.



Click Finish.




Expand Forward Lookup Zones, Right-click on zone name darkrelay.io, and click Create New Host.



Configure the domain name as below. The below domain name will be assigned to a damn vulnerable Linux domain.



Click Add Host and Click OK.



To review your changes, revisit

Once reviewed, go to Part C.


Part C: Install Wazuh EDR and Agents


Wazuh is a security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. The solution comprises a single universal agent and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. For more information, check the Getting Started documentation.



Load the Wazuh ova file inside VirtualBox and log in using the below credentials.


username:wazuh
Password:wazuh 

Login to Wazuh and set up a network IP to connect with DC.


sudo ifconfig eth0 192.168.1.60
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1 

To review your changes, revisit



Once reviewed, go to Part D.


Part D: Add the Domain Members


We will configure and connect two target machines to our DC. The target machines are used to install vulnerable applications and services.


Add Linux Domain Member:

Download Lubuntu ISO: https://lubuntu.me/downloads. Install Lubuntu on VirtualBox, set the network to Nat mode, and boot the machine. Install Damn Vulnerable Web Application on this host as below.


# Clone DVWA
cd /var/www/html
sudo git clone https://github.com/ethicalhack3r/DVWA.git

Add another Network Adapter, and set it to Internal Network in Virtual Box Machine Settings. Configure the IP address manually by running the below commands in the terminal. This network will connect the host to DC.


sudo ifconfig eth1 192.168.1.20
sudo ifconfig eth1 netmask 255.255.255.0
sudo ifconfig eth1 broadcast 192.168.1.1 

Configure the DVWA application.


sudo cp /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php

sudo systemctl start apache2
sudo systemctl enable apache2
sudo systemctl restart apache2

sudo chown www-data:www-data /var/www/html/DVWA/hackable/uploads/
sudo chown www-data:www-data /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

# Login to MySQL, and run the below commands. Password is blank
sudo mysql -u 'root' -p                                                  

mysql> CREATE DATABASE dvwa;
mysql> CREATE USER 'dvwa'@'localhost' identified by 'p@ssw0rd';
mysql> GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> exit

# Edit the existing /var/www/html/DVWA/.htaccess file.
sudo nano /var/www/html/DVWA/.htaccess

php_flag magic_quotes_gpc Off
php_flag allow_url_fopen On
php_flag allow_url_include On
php_flag display_errors On

# Edit  /etc/php/7.4/apache2/
sudo sed 's/allow_url_include = Off/allow_url_include = On/' /etc/php/7.4/apache2/php.ini -i.bak

# Restart apache server
sudo systemctl restart apache2.service

Install Wazuh Agent.


# Install Curl on Lubuntu
sudo apt install curl

# Download and Configure Agent
sudo curl -so wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.60' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.2.6.deb 


Add Windows Domain Member:


Log in to DC as Administrator. Go to Server Manager, Click Tools, and select Active Directory Users and Computers.



Right-click on Users and select New User.



Add new user



Configure the Password and account options, click Next, and click Finish.



Download Windows 10 ISO and Install it on VirtualBox: https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise


Login to Windows 10 guest as Administrator. Download the Vulnerable Windows Application from here https://github.com/DarkRelayLabs/VWA


Install Wazuh Agent. Open Powershell as Administrator and run the below command.


Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi -OutFile wazuh-agent-4.2.6.msi; ./wazuh-agent-4.2.6.msi /q WAZUH_MANAGER='192.168.1.60' WAZUH_REGISTRATION_SERVER='localhost' WAZUH_AGENT_GROUP='default'  

Configure the IP4 address as below.



Go to Control Panel\System and Security\System. Click Change Settings. Enter domain details and click OK. We are connecting this guest machine to the domain darkrelay.io.



Restart the Windows 10 guest machine and verify that you can log in as user Bob under the domain DARKRELAY.



Install the downloaded Vulnerable Windows Application. Installation instructions are here https://www.darkrelay.com/post/thick-client-penetration-testing


Now we have vulnerable Windows and Linux guest machines as our domain members.


To review your changes, revisit


Once reviewed, go to Part E.


Part E: Configure the C2, Redirector, and the Payload Server


Configure the C2:

Please feel free to refer to the following video for steps by step instructions:



Load Kali into Virtual Box. Attach the machine Network to Internal Network in the VirtualBox. Run the below commands to set up the IPv4 address.


sudo ifconfig eth0 192.168.1.30
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1 

Configure Redirector:

Download Lubuntu ISO: https://lubuntu.me/downloads. Install Lubuntu on VirtualBox, set the network to Internal Network, and boot the machine. Run the below commands to set up the IPv4 address.


sudo ifconfig eth0 192.168.1.80
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1 

We will use Socat to redirect target traffic to our C2 and Payload Server. Run the below commands per the listening ports you have configured on C2 and Payload Server or targets to connect. For example, this enables the redirector's network traffic on port 4444,8080 to communicate with port 4444,8080 on the C2 server.


# Redirect to C2
sudo socat TCP4-LISTEN:4444,fork TCP:192.168.1.30:4444
sudo socat TCP4-LISTEN:8080,fork TCP:192.168.1.30:8080

# Redirect to Payload Server
sudo socat TCP4-LISTEN:443,fork TCP:192.168.1.70:443
sudo socat TCP4-LISTEN:80,fork TCP:192.168.1.70:80

Configure Payload Server:

Download Lubuntu ISO: https://lubuntu.me/downloads. Install Lubuntu on VirtualBox, set the network to Internal Network, and boot the machine. Run the below commands to set up the IPv4 address.


sudo ifconfig eth0 192.168.1.70
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1 

That's it! The Red and Blue team lab is now ready for you to start the adversary emulation games.


 

Register for instructor-led online courses today!


Check out our free programs!


Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.


4,225 views

Recent Posts

See All

Comments


bottom of page