Solving for Silicon¶
During Apple's transition to ARM architecture, there were significant challenges with VM compatibility due to the differences between ARM and x86 architectures. While ARM Assembly has been prevalent in devices like Raspberry Pis and other IoT devices, its introduction to personal computers like desktops and laptops is relatively recent. This transition prompted many cybersecurity and IT educational institutions to adapt their VM labs. To address compatibility issues, some institutions shifted from using downloadable .ISO files to web-based environments, utilizing tools like Cockpit and KVM for easier management and deployment of virtual machines. However, not all institutions have made this shift, necessitating a different solution for this student. Switching to a PC was not an option so I decided to host my VMs on a server connected to my local network.
Initially, I tried using Cockpit and KVM, but the setup didn't meet my needs. The web browser interface didn't provide enough screen real estate, and I wanted the ability to have separate VMs that could each be full-screen workspaces, not confined to the browser. I needed something more robust—a type 1 hypervisor.
I had loved using VMWare Fusion, but the Broadcom takeover turned me away. The customer experience for downloading any VMWare tools/products was frustratingly difficult. Thus, ESXi was not an option. Eventually, I landed on Proxmox—an open-source type 1 hypervisor that operates similarly to ESXi but without the headaches. Below is the process for installing the system and links to each of the VMs I chose to add to my lab environment with their individual setups.
Installing and Setting up Proxmox VE¶
Step 1: Download and Flash Proxmox VE¶
- Go to the Proxmox VE website and download the latest ISO image.
-
Use a tool like Etcher (official website) to flash the ISO image onto a USB drive.
-
Insert the USB drive into your computer and restart it.
Step 2: Boot from the USB Drive¶
- Enter the BIOS settings (usually by pressing
F2,F12, orDEL) and set the USB drive as the first boot device. - Save the changes and exit the BIOS settings.
- Your computer should now boot from the Proxmox VE USB drive.
Step 3: Install Proxmox VE¶
- Follow the installation wizard to install Proxmox VE. You will be prompted to:
- Choose the language and keyboard layout
- Set the root password (strongly recommended)
- Configure the network settings (DHCP or static IP address)
- Partition the hard drive (recommended: LVM)
Step 4: Reboot¶
Step 5: Access Proxmox VE Web Interface¶
- From another device on the network, open a web browser and navigate to
https://your-server-ip:8006(replace with your server's IP address). - Log in using the root username and password you set during installation.
Adding Virtual Machines from ISO Files
Adding VMs¶
If you do not already have the ISO files for the VMs you want for your lab, download them from their respective sites. For example, Mac users can use CrystalFetch to download the latest Windows ISOs, or simply visit the Microsoft website.
Kali Linux VM¶
- Click on "VMs" > "Create VM"
- Set the following options:
- Name: Kali Linux
- CPU: 4 cores
- RAM: 4096 MB
- Disk size: 60 GB
- Storage: local
- Boot order: CD/DVD first, then hard drive
- Install Kali Linux as you would on a physical machine.
Purpose¶
This VM allows penetration testers and cybersecurity professionals to hone their skills by attacking other clients/servers on the network, assuming you have permission to do so.
Windows 11 VM¶
- Click on "VMs" > "Create VM"
- Set the following options:
- Name: Windows 11
- CPU: 2 cores
- RAM: 4096 MB
- Disk size: 50 GB
- Storage: local
- Boot order: CD/DVD first, then hard drive
- Install Windows 11 using Crystal Fetch as you would on a physical machine.
Purpose¶
This VM allows users to become familiar with the latest Windows OS and conduct tasks such as penetration testing, forensic analysis, etc.
Ubuntu Server LTS VM¶
- Click on "VMs" > "Create VM"
- Set the following options:
- Name: Ubuntu Server LTS
- CPU: 2 cores
- RAM: 2048 MB
- Disk size: 20 GB
- Storage: local
- Boot order: CD/DVD first, then hard drive
- Install Ubuntu Server LTS as you would on a physical machine.
Purpose¶
This VM serves as a DNS, log, web, or database server, providing foundational knowledge of how each server functions and potential cybersecurity vulnerabilities.
RHEL Desktop VM¶
- Click on "VMs" > "Create VM"
- Set the following options:
- Name: RHEL Desktop
- CPU: 2 cores
- RAM: 4096 MB
- Disk size: 50 GB
- Storage: local
- Boot order: CD/DVD first, then hard drive
- Install RHEL as you would on a physical machine.
Purpose¶
This VM can be used for various purposes including a web server, a client to attack, or simply to become familiar with a common Linux OS used in enterprises.
Ubuntu Desktop VM¶
- Click on "VMs" > "Create VM"
- Set the following options:
- Name: Ubuntu Desktop
- CPU: 2 cores
- RAM: 2048 MB
- Disk size: 20 GB
- Storage: local
- Boot order: CD/DVD first, then hard drive
- Install Ubuntu Desktop as you would on a physical machine.
Purpose¶
Ubuntu Desktop is essential in a virtual lab for cybersecurity professionals due to its widespread use in open-source environments.
Windows 10 VM¶
- Click on "VMs" > "Create VM"
- Set the following options:
- Name: Windows 10
- CPU: 2 cores
- RAM: 4096 MB
- Disk size: 50 GB
- Storage: local
- Boot order: CD/DVD first, then hard drive
- Install Windows 10 using Crystal Fetch as you would on a physical machine.
Purpose¶
The most common Windows OS should be part of every cybersecurity professional's lab environment.
RHEL Server VM¶
Use the same ISO as the RHEL Desktop; select server during the installation process.
- Click on "VMs" > "Create VM"
- Set the following options:
- Name: RHEL Server
- CPU: 2 cores
- RAM: 4096 MB
- Disk size: 50 GB
- Storage: local
- Boot order: CD/DVD first, then hard drive
- Install RHEL as you would on a physical machine.
Purpose¶
This VM serves as a DNS, log, web, or database server.
Juice Shop¶
Juice Shop is actually a docker container installed on a server VM that can be used for web application target practice. It is designed to have at least the top 10 OWASP vulnerabilities so that identifying them can be practiced by cybersecurity professionals. For install, you basically just load a lightweight server of your choosing (e.g. Ubuntu Server LTS 2X.XX) as mentioned above, install docker on the machine and then pull and run the docker image:
Install Docker¶
sudo apt install docker
Pull the Juice Shop Image¶
sudo docker pull bkimminich/juice-shop
Run the Juice Shop¶
sudo docker run -d -p 0.0.0.0:3000:3000 bkimminich/juice-shop
See the juiceshop post for more details on Juice Shop or the OWASP's Juice Shop pages.
DVWA¶
Similarly to the Juice Shop, the Damn Vulnerable Web Application runs on a Linux server so you can simply install the server of your choice using the examples above and then follow this process on that server to add DVWA to it.
1. Install Required Packages¶
First, ensure your system has all the necessary packages installed. DVWA requires a web server, PHP, and a MySQL/MariaDB database.
sudo apt update
sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql git -y
2. Download DVWA¶
Next, you need to download the DVWA files from the official GitHub repository.
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
This will clone the DVWA repository into the /var/www/html/DVWA directory.
3. Set Permissions¶
You need to adjust the permissions of the DVWA directory to ensure that the web server can read and write to it.
sudo chown -R www-data:www-data /var/www/html/DVWA/
sudo chmod -R 755 /var/www/html/DVWA/
4. Configure the Database¶
Start by securing your MySQL installation if you haven’t done so:
sudo mysql_secure_installation
Log into MySQL as the root user:
sudo mysql -u root -p
Create a database and a user for DVWA:
CREATE DATABASE dvwa;
CREATE USER 'dvwauser'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwauser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
5. Configure DVWA¶
DVWA comes with a sample configuration file. You need to copy it and edit it with your database details.
cd /var/www/html/DVWA/config
sudo cp config.inc.php.dist config.inc.php
sudo nano config.inc.php
In the config.inc.php file, find and update the following lines with your database details:
$_DVWA = array();
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'dvwauser';
$_DVWA[ 'db_password' ] = 'your_password';
Save and close the file.
6. Configure PHP¶
You may need to adjust some PHP settings. Open the PHP configuration file:
sudo nano /etc/php/7.4/apache2/php.ini
Look for the following settings and ensure they are set as below:
allow_url_include = On
Save and close the file.
7. Enable Apache Rewrite Module¶
DVWA requires the mod_rewrite module to be enabled in Apache.
sudo a2enmod rewrite
sudo systemctl restart apache2
8. Set Up the DVWA Database¶
Navigate to http://your_server_ip/DVWA/setup.php in your web browser to complete the database setup.
- Click on the "Create / Reset Database" button.
9. Login to DVWA¶
Once the setup is complete, you can log in to DVWA:
- Navigate to
http://your_server_ip/DVWA/login.php - Use the default credentials:
- Username:
admin - Password:
password
10. Adjust DVWA Security Level¶
Once logged in, you can adjust the security level from the DVWA interface:
- Go to the "DVWA Security" tab.
- Set the security level to your desired setting (low, medium, high, or impossible).
Converting a VMDK File and Importing the Disk Image
Metasploitable¶
Metasploitable2 is the disk used in this example. You can grab yourself a copy of the image here:
wget https://sourceforge.net/projects/metasploitable/files/Metasploitable2/metasploitable-linux-2.0.0.zip/download -O metasploitable-linux-2.0.0.zip
Unzip:
unzip metasploitable-linux-2.0.0.zip
If you don't yet have qemu-utils installed, you'll need that:
sudo apt-get install qemu-utils
Convert the file to qcow2:
qemu-img convert -f vmdk -O qcow2 Metasploitable.vmdk Metasploitable2.qcow2
Transfer the converted qcow2 file from your host machine to the Proxmox machine:
scp -i ~/.ssh/id_rsa ~/Desktop/Metasploitable2.qcow2 root@10.10.10.11:/var/lib/vz/images
/var/lib/images is the default location.
In your Proxmox host's interface, it is time to create a VM, but for the OS, be sure to select "Do not use any media" as you will import the image later. In this example, the VM ID is 113.
From your proxmox host, import the image into your newly created VM:
qm importdisk 113 /var/lib/vz/images/Metasploitable2.qcow2 local-lvm
local-lvm storage pool is a default storage pool used for disk images rather than ISOs.
When this transfer is completed, there will be a message indicating where you will find it, for example:
Successfully imported disk as 'unused2:local-lvm:vm-113-disk-0'
In this case, the unused2 indicates that we will need to add that hard disk to the VM.
Double-click the unused disk and click Add.
Now that it's added, you'll make sure that when you fire up this VM, it knows to check that hard disk in its Boot Order. To check this, go to Options, ensure the hard disk's box is checked, and reorder it to first so that it will check there first on booting.
Proxmox without a Subscription¶
If you are not paying for a Proxmox subscription, you'll want to follow these prompts in order to update your packages:
sudo nano /etc/apt/sources.list
# deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm InRelease
# deb https://enterprise.proxmox.com/debian/pve bookworm InRelease
Add the following line to /etc/apt/sources.list.d/pve-nosubscription.list:
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
Once this is complete, you should be able to run package updates through the community edition rather than the subscription.
If you need to check for where other entries might be where the sources list might still cause errors, you can run:
grep -r "deb" /etc/apt/sources.list /etc/apt/sources.list.d/
Segmenting a Network of VMs on Proxmox¶
Now suppose you're wanting to set up a more realistic lab environment such that not all hosts are on the same network and perhaps our vulnerable web application hosts are in a DMZ that is internet-facing but is still accessible to an otherwise closed-off network. This next section will walk through how that segmentation might be approached using Proxmox and the Unifi GUI interface.
Create Networks on Unifi Router¶
First, you need to create the necessary networks on your Unifi router to segment the VMs on your Proxmox server into different VLANs.
DMZ¶
1. Log in to the Unifi Controller¶
- Access your Unifi Controller interface through a web browser.
2. Navigate to Networks¶
- Go to Settings > Networks.
3. Create a New Network¶
- Click Create New Network.
- Name: DMZ
- Purpose: Corporate
- Network Type: VLAN Only
- VLAN ID: Assign a VLAN ID (e.g., 10).
- DHCP Mode: Set to None if you don't want the router to assign IP addresses.
4. Save the DMZ Network¶
- Click Apply Changes to save the network.
Internal Network¶
1. Create a New Internal Network¶
- In Settings > Networks, click Create New Network again.
- Name: Internal.
- Purpose: Corporate.
- Network Type: VLAN
- VLAN ID: Assign a different VLAN ID (e.g., 20).
- DHCP Mode: Set to None unless the router should handle DHCP.
2. Save the Internal Network¶
- Click Apply Changes to save the network.
Establish Network Connectivity for New Networks¶
1. In the Unifi Controller interface, go to Ports and click the port that your Proxmox server is plugged using.¶
2. Make sure that the networks you've added to VMs through VLAN tagging are selected in the "Tagged VLANS" field.¶
Establish Firewall Rules for Each Network¶
With the networks created, the next step is to establish firewall rules that control traffic between these VLANs.
DMZ¶
1. Allow Traffic from DMZ to WAN (Internet)¶
Explanation
This is giving our DMZ the ability to get software updates.
- Go to Settings > Routing & Firewall > Firewall.
- Under WAN OUT, click Create New Rule.
- Action: Accept.
- Source: DMZ.
- Destination: WAN.
- Description: Allow DMZ to Internet.
- Save the rule.
2. Restrict Unsolicited Inbound Traffic to DMZ¶
Explanation
This is dropping all traffic that we didn't initiate that's coming from the wild west internet.
- Under WAN IN, click Create New Rule.
- Action: Drop.
- Source: WAN.
- Destination: DMZ.
- Description: Block Unsolicited Inbound to DMZ.
- Save the rule.
3. Allow Specific Traffic Between Internal and DMZ¶
Explanation
This allows traffic from the Internal Network to reach specific services in the DMZ, such as the Juice Shop and DVWA applications.
- Under LAN IN, click Create New Rule.
- Action: Accept.
- Source: Internal.
- Destination: DMZ.
- Port/Protocol: Set the Destination Port to 3000 for Juice Shop and 8080 for DVWA. Use TCP for the Protocol.
- Description: Allow Internal to DMZ (Ports 3000 and 8080).
- Save the rule.
4. Drop All Other Traffic from Internal Network to DMZ¶
Explanation
This drops any traffic from the Internal Network to the DMZ that is not specifically allowed, tightening security by ensuring only the necessary ports are open.
- Under LAN IN, click Create New Rule.
- Action: Drop.
- Source: Internal Network.
- Destination: DMZ Network.
- Port/Protocol: Leave as Any to cover all other traffic.
- Description: Drop All Other Internal to DMZ Traffic.
- Save the rule.
Internal Network¶
1. Restrict Traffic from Internal Network to DMZ¶
Explanation
This rule ensures that only specified traffic can reach the DMZ, blocking everything else.
- Under LAN IN, create a new rule:
- Action: Drop.
- Source: Internal Network.
- Destination: DMZ Network.
- Description: Block Internal to DMZ.
- Save the rule.
2. Allow Internal Network to Communicate Within Itself¶
Explanation
This allows all devices within the Internal Network to communicate freely with each other, which is typically necessary for internal operations.
- Under LAN IN, create a new rule:
- Action: Accept.
- Source: Internal Network.
- Destination: Internal Network.
- Description: Allow Internal Traffic.
- Save the rule.
Ensure the Bridge in Proxmox is VLAN-Aware¶
Now, configure the network bridge on your Proxmox server to ensure it handles VLAN tagging correctly.
1. Log in to the Proxmox Web Interface¶
- Access your Proxmox server through a web browser.
2. Navigate to the Network Settings¶
- Go to Datacenter > Node (your Proxmox server) > Network.
3. Edit the Existing Bridge (vmbr0)¶
- Select the bridge (likely vmbr0) you’re using for network connections.
- Click Edit.
- VLAN Aware: Yes.
- Bridge Ports: Should be set to the physical network interface (e.g., eth0).
- Save the settings.
Tag Each VM in Proxmox with the Appropriate VLAN Tag¶
With the VLAN-aware bridge in place, the next step is to assign the correct VLAN tags to each VM.
DMZ¶
Repeat for both Juice Shop and DVWA VMs.
1. Access VM Hardware Settings¶
- Navigate to Datacenter > Node > Virtual Machines > VM ID > Hardware.
- Select the Network Device for each VM.
2. Assign VLAN Tag¶
- Bridge: vmbr0
- VLAN Tag: 10 (the VLAN ID for the DMZ).
- Save the settings.
Internal Network¶
Repeat for all internal network VMs.
1. Access VM Hardware Settings¶
- Navigate to Datacenter > Node > Virtual Machines > VM ID > Hardware.
- Select the Network Device for each VM.
2. Assign VLAN Tag¶
- Bridge: vmbr0.
- VLAN Tag: 20 (the VLAN ID for the Internal network).
- Save the settings.
Restart and Check for Connectivity¶
1. Restart All VMs¶
- Restart each VM to apply the network settings.
2. Verify Network Connectivity¶
- Check that the VMs in the DMZ can access the internet and communicate with each other as per the rules.
- Ensure that the Internal Network VMs can communicate with each other and access the DMZ according to the firewall rules.
- Verify that the firewall rules correctly block or allow traffic as designed.