A Blog About Self-Imposed IT Projects and Tech Exploration

Month: January 2024

Firewall and DNS Configuration to Allow External Access

The final step for the internal network is enabling access to the DMZ network from external devices by changing the firewall and DNS configuration. This involves configuring port forwarding to route external traffic to the appropriate internal devices. I also need to change the DNS configuration to route the traffic for the domain correctly. The first step is port forwarding in pfSense.

Prerequisite: Installing a Network Firewall

Firewall Configuration in pfsense

To route external traffic to internal devices, we will configure port forwarding. This routes external traffic destined for certain ports, like port 443 for HTTPS, to the appropriate internal server in the DMZ. Within pfSense, we go to the NAT settings and select Port Forward. The image below shows an example configuration to route inbound HTTP traffic on the WAN interface to my DMZ host 10.10.1.12.

For my lab, I also added rules for DNS, SMTP, and HTTPS.

pfsense port forwarding configuration

Because my lab uses only private IP addresses, including a private IP on the WAN interface, I also had to remove the reserved network block on that interface.

uncheck the block private IP and loopback on WAN interface pfsense

To test the configuration, I used my external Kali machine to run an Nmap scan of ports 80 and 443 on my firewall.

Configure DNS for External Access

The next step is to configure the simulated external DNS to route traffic from the external network to my lab network. I added an A record to the external Pi-hole.

A record for the domain.

I also need an A record for the email server.

Next, I need to create an MX record. For dnsmasq, this requires a custom configuration file.

# touch /etc/dnsmasq.d/99-mail.conf
# pihole restartdns

To check that the MX record is working, I use nslookup on the external Kali machine.

Now that the configuration is complete, I run a few Nmap scans to check that the ports are forwarded to the correct internal devices, and that I can scan by domain name.

With that, my Firewall and DNS configuration is complete and my lab is accessible from the simulated external network devices.

Adding a VulnHub Machine to the Proxmox Lab

I could practice and work on hacking the machines I already built, but another good addition to my lab is vulnerable machines. A good source of these is VulnHub. In this post I will cover how to add a VulnHub machine to Proxmox.

Prerequisite: Install Proxmox and Configure a Cluster

Download and Extract the Machine

The first step in adding the machine is to download it from VulnHub onto the host and extract it. For this example, I am using the machine Earth. To accomplish this, I entered the three commands below.

# mkdir vulnhub && cd vulnhub
# wget -O Earth.ova https://download.vulnhub.com/theplanets/Earth.ova
# tar xvf Earth.ova

Once downloaded you should have 3 files in the vulnhub directory.

output of ls command in vulnhub directory showing 3 files

Adding the VulnHub Machine to Proxmox

Now we need to create the VM in Proxmox to tie to the disk we downloaded. First we create the machine, and under operating system, select “Do not use any media.”

Create: Virtual Machine screen in Proxmox
Select OS screen to create Proxmox virtual machine

For the other options, I configured:

  • System: default
  • Disks: default
  • CPU: 1 socket / 1 core
  • Memory: 1024MB
  • Network: DMZnet / MTU: 1450

Once the VM is created, but before booting it, the next step is to remove the hard disk. You do that by first detaching the existing disk and then removing the resulting unused disk.

Unused disk after detach in Proxmox

Now you import the disk, using the command below. Replace “115” with the number corresponding to your virtual machine in Proxmox, and the vmdk file with the correct file corresponding to the machine you downloaded.

# qm importdisk 115 Earth_dev-disk001.vmdk local-lvm --format vmdk
Example command output after importing disk.

Once the disk imports, you need to go back to the Proxmox GUI and change the disk type to SATA.

Change disk type to SATA in Proxmox

After changing, you should see the hard drive in sata0.

virtual machine hardware information in Proxmox

The last step is to change the boot order to boot to the hard drive first, and then start the VM. After starting you should get the login screen.

Change boot order to hard drive in Proxmox.
login prompt for VulnHub VM in Proxmox
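
The same procedure can be run entirely from the Proxmox host shell. The script below is an added example, not part of the original post: it creates the VM without a disk (so there is nothing to detach), imports the VMDK, attaches the resulting unused volume as sata0, and sets the boot order. The VM name "earth" and the function names are assumptions; the VM ID, storage, bridge and MTU are the values used above.

```shell
#!/bin/sh
# Added example (not from the original post): CLI version of the GUI steps.
# Assumed/hypothetical: the VM name and all function names.

# Create the VM with no install media and no disk; settings mirror the post
# (1 socket, 1 core, 1024 MB, NIC on the DMZ bridge with MTU 1450).
create_vm() {
    qm create "$1" --name "$2" --sockets 1 --cores 1 --memory 1024 \
        --net0 "virtio,bridge=$3,mtu=1450"
}

# Import the extracted VMDK into the given storage. Proxmox records the new
# volume on the VM as an "unusedN" entry. Target format is left to the storage.
import_disk() {
    if [ ! -f "$2" ]; then
        echo "missing disk image: $2" >&2
        return 1
    fi
    qm importdisk "$1" "$2" "$3"
}

# Print the volume ID of the first unused disk in the VM config, e.g.
# "unused0: local-lvm:vm-115-disk-0" -> "local-lvm:vm-115-disk-0".
unused_volume() {
    qm config "$1" | sed -n 's/^unused[0-9]*: *//p' | head -n 1
}

# Attach the imported volume as sata0 and boot from it first.
attach_and_boot() {
    vol=$(unused_volume "$1")
    if [ -z "$vol" ]; then
        echo "no unused disk found on VM $1" >&2
        return 1
    fi
    qm set "$1" --sata0 "$vol" && qm set "$1" --boot order=sata0
}

# Whole procedure: <vmid> <name> <vmdk> <bridge> [storage]
import_vulnhub_vm() {
    create_vm "$1" "$2" "$4" &&
        import_disk "$1" "$3" "${5:-local-lvm}" &&
        attach_and_boot "$1" &&
        qm start "$1"
}

# Usage: import_vulnhub_vm 115 earth Earth_dev-disk001.vmdk DMZnet local-lvm
```

Reading the volume ID from the VM config avoids guessing the disk name, which differs if the VM already had disks before the import.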

The whole process is that simple. Now you can import new VulnHub machines anytime to try them out in your new Proxmox lab. Now that we have machines ready, it's time to configure the DNS and firewall for external access.