"The most secure computer is the computer that’s turned off!!"
Introduction
Red and blue teams and penetration testers have a common goal: to exploit an adversary's network, whether that adversary is human or artificial. The "Red and Blue Team Infrastructure" post helps red teamers, blue teamers, and penetration testers build their own red and blue team infrastructure for adversary emulation.
Our infrastructure below consists of a C2(Kali) Server, Payload Server, Redirector, Domain Controller(DC), EDR (Wazuh), Linux, and Windows domain members as our targets.
Hardware & Software Requirments: 100 GB SSD, RAM 16 GB (Recommended), VirtualBox Hypervisor, Windows 10 or 11 OS.
We will build the above infrastructure as per the below plan:
Part A: Configure the DNS Server
We will start building our lab by installing and configuring the DC. Download Windows 2019 Server ISO from here. Install the Windows Server 2019 Standard Desktop Experience Version on VirtualBox.
Once the installation is complete, reboot DC, navigate to the Server Manager, and click Add Roles and Features.
Click Next.
Click Next.
Click Next.
Select DNS Server and Click on Next. Optionally, select Web Server(IIS), SMTP, and DHCP Server.
Click on Add Features.
Click Continue.
Click Next.
Select Active Directory Domain Services and Click on Add Features.
Click Next.
Click Next.
Click Next.
Click Install
Wait for the installation to end and restart the DC.
To review your changes, revisit
Once reviewed, go to Part B.
Part B: Configure the AD Domain Services
In this section, we will learn how to configure AD Domain Services. As shown below, shut down the DC machine and attach the Network Adapter to Internal Network.
Start the DC, manually configure the IPv4 address, and click OK to save the changes.
Go to the Server Manager, click the Notifications icon, and click on the link "Promote this server to a domain controller."
Enter the root domain name of your choice. We have used darkrelay.io as our domain name and clicked Next.
Set the password and click Next.
Click Next.
Click Next.
Click Next.
Click Next.
Click Install. Wait for the installation to complete. Click close if prompted.
Login to the Domain DarkRelay on DC as an Administrator user. Go to Control Panel\System and Security\System and Click on Change Settings.
Click Change to update the Computer name. Click OK and restart the DC to apply the changes.
Zone & Lookups Configuration:
Log in to DC to configure the Zones & Lookups. In Server Manager, click Tools and then DNS.
Right-click on Reverse Lookup Zones and click New Zone.
Click Next.
Leave all settings to default, and click Next. Enter the Network ID as 192.168.1 and Click Next.
Select Do not allow dynamic updates and Click Next.
Click Finish.
Expand Forward Lookup Zones, Right-click on zone name darkrelay.io, and click Create New Host.
Configure the domain name as below. The below domain name will be assigned to a damn vulnerable Linux domain.
Click Add Host and Click OK.
To review your changes, revisit
Once reviewed, go to Part C.
Part C: Install Wazuh EDR and Agents
Wazuh is a security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. The solution comprises a single universal agent and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. For more information, check the Getting Started documentation.
Download Wazuh Virtual Machine: https://documentation.wazuh.com/current/virtual-machine/virtual-machine.html#virtual-machine
Load the Wazuh ova file inside VirtualBox and log in using the below credentials.
username:wazuh
Password:wazuh
Login to Wazuh and set up a network IP to connect with DC.
sudo ifconfig eth0 192.168.1.60
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1
To review your changes, revisit
Once reviewed, go to Part D.
Part D: Add the Domain Members
We will configure and connect two target machines to our DC. The target machines are used to install vulnerable applications and services.
Add Linux Domain Member:
Download Lubuntu ISO: https://lubuntu.me/downloads. Install Lubuntu on VirtualBox, set the network to Nat mode, and boot the machine. Install Damn Vulnerable Web Application on this host as below.
# Clone DVWA
cd /var/www/html
sudo git clone https://github.com/ethicalhack3r/DVWA.git
Add another Network Adapter, and set it to Internal Network in Virtual Box Machine Settings. Configure the IP address manually by running the below commands in the terminal. This network will connect the host to DC.
sudo ifconfig eth1 192.168.1.20
sudo ifconfig eth1 netmask 255.255.255.0
sudo ifconfig eth1 broadcast 192.168.1.1
Configure the DVWA application.
sudo cp /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php
sudo systemctl start apache2
sudo systemctl enable apache2
sudo systemctl restart apache2
sudo chown www-data:www-data /var/www/html/DVWA/hackable/uploads/
sudo chown www-data:www-data /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
# Login to MySQL, and run the below commands. Password is blank
sudo mysql -u 'root' -p
mysql> CREATE DATABASE dvwa;
mysql> CREATE USER 'dvwa'@'localhost' identified by 'p@ssw0rd';
mysql> GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> exit
# Edit the existing /var/www/html/DVWA/.htaccess file.
sudo nano /var/www/html/DVWA/.htaccess
php_flag magic_quotes_gpc Off
php_flag allow_url_fopen On
php_flag allow_url_include On
php_flag display_errors On
# Edit /etc/php/7.4/apache2/
sudo sed 's/allow_url_include = Off/allow_url_include = On/' /etc/php/7.4/apache2/php.ini -i.bak
# Restart apache server
sudo systemctl restart apache2.service
Install Wazuh Agent.
# Install Curl on Lubuntu
sudo apt install curl
# Download and Configure Agent
sudo curl -so wazuh-agent-4.2.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.6-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.60' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.2.6.deb
Add Windows Domain Member:
Log in to DC as Administrator. Go to Server Manager, Click Tools, and select Active Directory Users and Computers.
Right-click on Users and select New User.
Add new user
Configure the Password and account options, click Next, and click Finish.
Download Windows 10 ISO and Install it on VirtualBox: https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise
Login to Windows 10 guest as Administrator. Download the Vulnerable Windows Application from here https://github.com/DarkRelayLabs/VWA
Install Wazuh Agent. Open Powershell as Administrator and run the below command.
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi -OutFile wazuh-agent-4.2.6.msi; ./wazuh-agent-4.2.6.msi /q WAZUH_MANAGER='192.168.1.60' WAZUH_REGISTRATION_SERVER='localhost' WAZUH_AGENT_GROUP='default'
Configure the IP4 address as below.
Go to Control Panel\System and Security\System. Click Change Settings. Enter domain details and click OK. We are connecting this guest machine to the domain darkrelay.io.
Restart the Windows 10 guest machine and verify that you can log in as user Bob under the domain DARKRELAY.
Install the downloaded Vulnerable Windows Application. Installation instructions are here https://www.darkrelay.com/post/thick-client-penetration-testing
Now we have vulnerable Windows and Linux guest machines as our domain members.
To review your changes, revisit
Once reviewed, go to Part E.
Part E: Configure the C2, Redirector, and the Payload Server
Configure the C2:
Download Kali Linux and configure it in VirtualBox: https://kali.download/virtual-images/kali-2022.2/kali-linux-2022.2-virtualbox-amd64.ova
Please feel free to refer to the following video for steps by step instructions:
Load Kali into Virtual Box. Attach the machine Network to Internal Network in the VirtualBox. Run the below commands to set up the IPv4 address.
sudo ifconfig eth0 192.168.1.30
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1
Configure Redirector:
Download Lubuntu ISO: https://lubuntu.me/downloads. Install Lubuntu on VirtualBox, set the network to Internal Network, and boot the machine. Run the below commands to set up the IPv4 address.
sudo ifconfig eth0 192.168.1.80
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1
We will use Socat to redirect target traffic to our C2 and Payload Server. Run the below commands per the listening ports you have configured on C2 and Payload Server or targets to connect. For example, this enables the redirector's network traffic on port 4444,8080 to communicate with port 4444,8080 on the C2 server.
# Redirect to C2
sudo socat TCP4-LISTEN:4444,fork TCP:192.168.1.30:4444
sudo socat TCP4-LISTEN:8080,fork TCP:192.168.1.30:8080
# Redirect to Payload Server
sudo socat TCP4-LISTEN:443,fork TCP:192.168.1.70:443
sudo socat TCP4-LISTEN:80,fork TCP:192.168.1.70:80
Configure Payload Server:
Download Lubuntu ISO: https://lubuntu.me/downloads. Install Lubuntu on VirtualBox, set the network to Internal Network, and boot the machine. Run the below commands to set up the IPv4 address.
sudo ifconfig eth0 192.168.1.70
sudo ifconfig eth0 netmask 255.255.255.0
sudo ifconfig eth0 broadcast 192.168.1.1
That's it! The Red and Blue team lab is now ready for you to start the adversary emulation games.
Register for instructor-led online courses today!
Check out our free programs!
Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.
Comments