Flare & Commando VM - Windows 10 labs reinvented

malware-analysis
red-team
windows-environment
blue-team

Flare / Commando VM - Windows 10

This is a short usage Wiki about Flare and Commando VM. These specialised Windows environments can be useful for “Red Team” / “Blue Team” labs.

I like to use them for vulnerability analysis and those security tasks which I can run “remotely”.

The environments are configuration-managed (script-driven installs), which makes the setup reproducible. And if analysis tasks take days to finish, a “cloud desktop” is very comfortable.

Temporary systems for special use-cases

The environments are temporary, and intended as separate lab environments. Do not run them on your Windows Home laptop or on your work PC. :wink: Just saying…

Hosting environment

Everything here is basic.


Here I use dedicated hardware or a KVM setup that is managed with libvirt.

In my experience Ubuntu Server packages libvirtd to support Windows guests (UEFI drivers, SecureBoot etc.). Distributions like Arch Linux or Gentoo Linux may not do that, and require extra configuration steps.

The hosting environment runs qemu, libvirtd, dnsmasq, bridge-utils etc.

[email protected] ~ # systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-03-11 20:47:19 CET; 1 weeks 1 days ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 14199 (libvirtd)
    Tasks: 35 (limit: 32768)
   CGroup: /system.slice/libvirtd.service

In short: setting up an Ubuntu server is fast. It’s effective and has readily available packages. If you use KVM you do not need guest utilities in the VM, which means preparing the Windows guest is straightforward.

Enumerate libvirt KVM guests on the command-line

Get the guest list and map each guest to its IP address after boot (DHCP):

[email protected] ~ # virsh list
 Id    Name                           State
----------------------------------------------------
 17    ubuntu16.04                    running
 19    win10                          running

Ok, now we list the network interface(s):

[email protected] ~ # virsh domiflist win10
Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet0      network    default    rtl8139     52:54:00:25:c9:13

And look up the MAC address in the host’s ARP table:

[email protected] ~ # arp -e
Address                  HWtype  HWaddress           Flags Mask            Iface
[...]
192.168.123.456          ether   52:54:00:25:c9:13   C                     virbr0
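The three manual steps above (virsh list, virsh domiflist, arp -e) can be joined into one lookup. The script below is an added example and not part of the original post; it assumes the libvirt “default” NAT network (virbr0), the net-tools arp output format shown above, and that it runs on the KVM host where virsh and arp are available. The two parsers are kept separate from the live wrapper so they can be exercised on captured output.

```shell
#!/bin/sh
# Added example, not from the original post: join `virsh domiflist` with the
# host ARP table to map a libvirt guest name to its DHCP address.
# Assumes the libvirt "default" NAT network (virbr0) and net-tools' `arp -e`.

# Print the MAC address(es) found in `virsh domiflist <guest>` output (stdin),
# lower-cased, one per line. Header/separator lines are skipped by checking
# that column 5 looks like a MAC (17 characters of hex digits and colons).
macs_from_domiflist() {
    awk 'NF >= 5 && length($5) == 17 && $5 ~ /^[0-9a-fA-F:]+$/ { print tolower($5) }'
}

# Read `arp -e` output on stdin and print the IP whose HWaddress column
# matches the given MAC (case-insensitive). Prints nothing when there is no
# ARP entry yet, e.g. before the guest has sent any traffic on the bridge.
ip_for_mac() {
    awk -v want="$(printf '%s' "$1" | tr 'A-F' 'a-f')" \
        'NF >= 3 && tolower($3) == want { print $1; exit }'
}

# Live wrapper: guest name -> one "guest<TAB>mac<TAB>ip" line per interface.
# Needs virsh and arp on the KVM host; the parsers above are what gets tested.
guest_ip() {
    guest="$1"
    virsh domiflist "$guest" | macs_from_domiflist | while read -r mac; do
        ip="$(arp -e | ip_for_mac "$mac")"
        printf '%s\t%s\t%s\n' "$guest" "$mac" "${ip:-<no ARP entry yet>}"
    done
}

# Usage on the host:  guest_ip win10
```

If the guest sits on a libvirt-managed network, `virsh net-dhcp-leases default` lists the leases directly and does not depend on the host having an ARP entry; the ARP route above still works for guests bridged onto a network libvirt does not serve DHCP for.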

Setup via virt-manager

Next, next, finish! Straightforward.

Guest / host setup

Depending on the image you chose, you may end up with a non-activated copy of a Windows build that lasts for three months. For malware analysis it may not be necessary to activate the copy.


Installation of Flare

Follow the white rabbit.

Windows Defender

Windows Defender can be disabled for “throwaway” Windows hosts.

Cmder and the ls alias

You may need to remove the ls alias from Cmder’s config in %CMDER_ROOT%. The UnxUtils that Flare VM’s PowerShell / Choco install scripts set up do not support the --show-control-chars option that the alias passes.

Java 11 on Flare VM (for Ghidra)

If you require the Ghidra tools, you can set up the prerequisites with two commands (cinst is Chocolatey’s install alias). By default Flare VM installs Java 8, which is reasonable. Adjust the version directory to whatever Chocolatey actually installed, and do not end the path with a backslash inside the quotes, or setx stores a literal quote in the value.

cinst openjdk
setx -m JAVA_HOME "C:\Program Files\Java\jdk-11.0.2"

Then download and install the tool.

Good FreeRDP parameters (and how to use Socks 5 for RDP)

One of the key things I need for these Windows labs is RDP over SSH. I don’t like to use port forwarding and prefer Socks5.

➜  ~ tail -n 2 /etc/proxychains.conf
socks5 	127.0.0.1 5000

➜  ~ ssh -D 5000 [email protected]

➜  ~ proxychains xfreerdp /u:user /v:192.168.123.456 /rfx +fonts +clipboard +compression +smart-sizing
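The three commands above work, but the usual failure is a mismatch between the ssh -D port and the socks5 line in proxychains.conf, or launching xfreerdp before the tunnel is up. The wrapper below is an added example and not from the original post: it checks the proxychains entry, opens the tunnel with a control socket, waits for the SOCKS listener, runs xfreerdp with the same parameters, and closes the tunnel afterwards. JUMP_HOST, GUEST_IP and RDP_USER are assumed placeholders, and the port check assumes iproute2’s ss is present.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the RDP-over-SSH-SOCKS
# procedure so the tunnel is opened, checked and closed in one go.
# JUMP_HOST, GUEST_IP and RDP_USER are assumptions; override them via the environment.

SOCKS_PORT="${SOCKS_PORT:-5000}"
JUMP_HOST="${JUMP_HOST:-user@kvm-host.example}"  # assumed SSH login on the libvirt host
GUEST_IP="${GUEST_IP:-192.168.123.456}"          # guest address found via virsh/arp (placeholder)
RDP_USER="${RDP_USER:-user}"
CONF="${PROXYCHAINS_CONF:-/etc/proxychains.conf}"
CTL="${TMPDIR:-/tmp}/rdp-socks-$$.ctl"           # ssh ControlMaster socket path

# Return 0 when CONF has an *active* "socks5 127.0.0.1 PORT" entry.
# Commented-out lines do not count, so a stale default proxy does not pass and
# a mismatch between `ssh -D` and proxychains is caught before launching RDP.
proxychains_has_socks5_port() {
    conf="$1"; port="$2"
    grep -Eq "^[[:space:]]*socks5[[:space:]]+127\.0\.0\.1[[:space:]]+${port}[[:space:]]*$" "$conf"
}

# Wait up to $2 seconds for a local listener on 127.0.0.1:$1 (the SOCKS port).
# Uses `ss` from iproute2 (assumed available).
wait_for_socks() {
    port="$1"; tries="$2"
    while [ "$tries" -gt 0 ]; do
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:${port}[[:space:]]" && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

main() {
    proxychains_has_socks5_port "$CONF" "$SOCKS_PORT" || {
        echo "missing 'socks5 127.0.0.1 $SOCKS_PORT' line in $CONF" >&2; exit 1; }
    # -D with an explicit 127.0.0.1 keeps the SOCKS listener on loopback only;
    # -M/-S give a control socket so the tunnel can be closed when xfreerdp exits.
    ssh -f -N -M -S "$CTL" -D "127.0.0.1:$SOCKS_PORT" "$JUMP_HOST"
    trap 'ssh -S "$CTL" -O exit "$JUMP_HOST" 2>/dev/null' EXIT
    wait_for_socks "$SOCKS_PORT" 15 || { echo "SOCKS listener did not come up" >&2; exit 1; }
    proxychains xfreerdp /u:"$RDP_USER" /v:"$GUEST_IP" /rfx +fonts +clipboard +compression +smart-sizing
}

# Only run the live part when invoked with --run, so the functions can be sourced and tested.
case "${1-}" in --run) main ;; esac
```

Run it as `JUMP_HOST=user@host GUEST_IP=192.168.123.456 sh rdp-socks.sh --run`. Binding the dynamic forward to 127.0.0.1 matters: a plain `-D 5000` is also loopback-only by default, but being explicit keeps it that way even if a GatewayPorts-style config is added later.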

NX client and NX server via SSH (Socks 5)

In case you don’t want to use RDP, NX is a popular choice (much better than the Spice-based console in virt-manager).

There are different NX servers: NoMachine, FreeNX etc… You can use proxychains or the application’s Socks 5 support.

Installation of Commando

Before you can run the install.ps1 you may need to enable Windows updates.

Summary

  • This is a simple and comfortable way to get Windows hosts for security work.
  • RDP is probably a better choice than NX for Windows.