Flare / Commando VM - Windows 10
This is a short usage Wiki about Flare and Commando VM. These specialised Windows environments can be useful for “Red Team” / “Blue Team” labs.
I like to use them for vulnerability analysis and those security tasks which I can run “remotely”.
The environments are config-managed, which makes the approaches reproducible. Plus if the analysis tasks take days to finish, a “cloud Desktop” is very comfy.
Temporary systems for special use-cases
The environments are temporary, and intended as separate lab environments. Do not run them on your Windows Home laptop or on your work PC. Just saying…
Everything here is basic.
Here I use dedicated hardware or a KVM setup, which gets managed with
In my experience Ubuntu Server packages libvirtd to support Windows guests (UEFI drivers, SecureBoot etc.). Distributions like Arch Linux or Gentoo Linux may not do that, and require extra configuration steps.
The hosting environment will run libvirtd:

~ # systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-03-11 20:47:19 CET; 1 weeks 1 days ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 14199 (libvirtd)
    Tasks: 35 (limit: 32768)
   CGroup: /system.slice/libvirtd.service
In short: setting up an Ubuntu server is fast. It’s effective and has readily available packages. If you use KVM you do not need guest utilities, so the Windows guest preparation is straightforward.
Enumerate libvirt KVM guests on the command-line
Get the guest list and map each guest to its IP address after boot (DHCP):

~ # virsh list
 Id    Name                           State
----------------------------------------------------
 17    ubuntu16.04                    running
 19    win10                          running
Ok, now we list the network interface(s):

~ # virsh domiflist win10
Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet0      network    default    rtl8139     52:54:00:25:c9:13
And look up the MAC address on the host:

~ # arp -e
Address                  HWtype  HWaddress           Flags Mask            Iface
[...]
192.168.123.456          ether   52:54:00:25:c9:13   C                     virbr0
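The three-step lookup above can be scripted so that one call returns the guest's MAC and address. The following is an added example, not code from the original post: it parses the same two outputs (`virsh domiflist <guest>` and `arp -e`) with awk and refuses to guess when the guest has not yet sent a packet (no ARP entry, the normal state right after boot). The two sample outputs are constructed to match the post's layout and reuse its MAC and placeholder IP.

```shell
#!/bin/sh
# Added example (not from the original post): map a libvirt guest to the IPv4
# address the host's ARP table holds for its MAC, by parsing the output of
# `virsh domiflist <guest>` and `arp -e` the way the post does by hand.

# Constructed stand-in for `virsh domiflist win10` (MAC taken from the post)
DOMIFLIST_SAMPLE='Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet0      network    default    rtl8139     52:54:00:25:c9:13
'

# Constructed stand-in for `arp -e`: one unrelated neighbour plus the guest
ARP_SAMPLE='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.123.1            ether   52:54:00:aa:bb:cc   C                     virbr0
192.168.123.456          ether   52:54:00:25:c9:13   C                     virbr0
'

# guest_macs <domiflist-output>: print the MAC of every interface row.
# Rows are recognised by a MAC in column 5, so the header and the dashed
# separator are skipped regardless of column widths or libvirt version.
guest_macs() {
    printf '%s' "$1" | awk '
        length($5) == 17 && $5 ~ /^[0-9a-fA-F][0-9a-fA-F](:[0-9a-fA-F][0-9a-fA-F])*$/ {
            print tolower($5)
        }'
}

# mac_to_ip <arp-output> <mac>: print the address(es) the ARP table holds for
# the MAC (case-insensitive match), or nothing if there is no entry yet.
mac_to_ip() {
    printf '%s' "$1" | awk -v mac="$(printf '%s' "$2" | tr 'A-F' 'a-f')" \
        'tolower($3) == mac { print $1 }'
}

# guest_ip <domiflist-output> <arp-output>: the whole lookup for one guest.
# Prints "<mac> <ip>" per resolved interface; exit status 1 with no output
# when no interface has an ARP entry (guest not up / DHCP not done yet).
guest_ip() {
    found=0
    for mac in $(guest_macs "$1"); do
        ip=$(mac_to_ip "$2" "$mac")
        if [ -n "$ip" ]; then
            printf '%s %s\n' "$mac" "$ip"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Usage on a real KVM host:  guest_ip "$(virsh domiflist win10)" "$(arp -e)"
```

On a current libvirt, `virsh net-dhcp-leases default` gives the same MAC-to-IP mapping straight from the DHCP server of the default network; the ARP approach above additionally covers guests with static addresses, as long as they have talked to the host bridge.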
Setup via virt-manager
Next, next, finish! Straightforward.
Guest / host setup
Depending on the image you chose, you may end up with a non-activated copy of a Windows build, which will last for three months. For the purpose of malware analysis it may not be required to register the copy.
Installation of Flare
Follow the white rabbit.
Windows Defender can be disabled for “throwaway” Windows hosts.
Cmder and the ls alias
You may need to remove the ls alias from Cmder’s config in %CMDER_ROOT%. The UnxUtils that Flare VM’s PowerShell / Choco scripts install do not support the
Java 11 on Flare VM (for Ghidra)
If you require the Ghidra tools, you can set up the prerequisites with two commands. By default Flare installs Java 8, which is reasonable.

cinst openjdk
setx -m JAVA_HOME "C:\Program Files\Java\jdk-11.0.2"

Note that the closing quote must not be preceded by a backslash: the Windows argument parser treats \" as an escaped quote, so a trailing backslash leaves a stray quote character in the stored JAVA_HOME value.
Then download and install the tool.
Good FreeRDP parameters (and how to use Socks 5 for RDP)
One of the key things I need for these Windows labs is RDP over SSH. I don’t like to use port forwarding and prefer Socks5.
➜ ~ tail -n 2 /etc/proxychains.conf
socks5 127.0.0.1 5000
➜ ~ ssh -D 5000 user@<ssh-host>
➜ ~ proxychains xfreerdp /u:user /v:192.168.123.456 /rfx +fonts +clipboard +compression +smart-sizing
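The same chain (SSH SOCKS5 listener, proxychains, xfreerdp) as one function is shown below. This is an added example and not code from the original post; it differs from the commands above in two ways a practitioner usually wants: the socks5 entry goes into a per-session config file selected with the PROXYCHAINS_CONF_FILE environment variable (documented by proxychains-ng; the original proxychains honours it as well), so /etc/proxychains.conf stays untouched, and the RDP client is only started once the local SOCKS port is actually listening instead of racing the SSH session. The jump host name, user and port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): RDP through an SSH SOCKS5 tunnel
# with a per-session proxychains config and a readiness check.
# Host names, user and port are placeholders, not values from the post.

# write_proxychains_conf <file> <socks-port>
# Minimal strict-chain config whose only hop is the local SSH SOCKS5 listener.
# proxy_dns sends name lookups through the tunnel too, so lab-internal names
# resolve on the far side rather than leaking to the local resolver.
write_proxychains_conf() {
    cat > "$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $2
EOF
}

# socks_port_from_conf <file>: read back the port of the local socks5 hop,
# used to sanity-check the generated file before relying on it.
socks_port_from_conf() {
    awk '$1 == "socks5" && $2 == "127.0.0.1" { print $3; exit }' "$1"
}

# wait_for_listener <port> <seconds>: poll `ss` until something listens on
# 127.0.0.1:<port>; returns 1 on timeout so the caller can abort cleanly.
wait_for_listener() {
    n=0
    while [ "$n" -lt "$2" ]; do
        if ss -ltn 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { f=1 } END { exit !f }'; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# rdp_via_socks <ssh-jump-host> <socks-port> <rdp-host> <rdp-user>
rdp_via_socks() {
    conf=$(mktemp) || return 1
    write_proxychains_conf "$conf" "$2"
    # -f -N: go to background, run no remote command; -D: local SOCKS5 listener
    ssh -f -N -D "127.0.0.1:$2" "$1" || { rm -f "$conf"; return 1; }
    if ! wait_for_listener "$2" 10; then
        echo "SOCKS listener on 127.0.0.1:$2 did not come up" >&2
        rm -f "$conf"
        return 1
    fi
    # Same client flags as the post; only the config selection differs.
    PROXYCHAINS_CONF_FILE="$conf" proxychains xfreerdp \
        "/u:$4" "/v:$3" /rfx +fonts +clipboard +compression +smart-sizing
    status=$?
    rm -f "$conf"
    return "$status"
}

# Example call with placeholder values:
#   rdp_via_socks jump.lab.example 5000 192.168.123.456 user
```

The background SSH session started with `-f -N` outlives the RDP client; end it explicitly (or run it with ControlMaster and `ssh -O exit`) when the lab session is over.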
NX client and NX server via SSH (Socks 5)
In case you don’t want to use RDP, NX is a popular choice (much better than the Spice-based console in
There are different NX servers: NoMachine, FreeNX etc. You can use proxychains or the application’s Socks 5 support.
Installation of Commando
Before you can run the install.ps1 you may need to enable Windows updates.
- this is a simple and comfortable way to get Windows hosts for security work
- RDP is probably a better choice than NX for Windows