The final step for the internal network is enabling access to the DMZ network from external devices by changing the Firewall and DNS configuration. This involves configuring port forwarding to route external traffic to the appropriate internal devices. I also need to change the DNS configuration to route the traffic for the domain correctly. First step, port forwarding in pfsense.
To route external traffic to internal devices, we will configure port forwarding. This routes external traffic destined to certain ports, like port 443 for HTTPS, to the appropriate internal server in the DMZ. Within pfsense, we go to NAT settings, and port forward. The image below shows an example configuration to route inbound HTTP traffic on the WAN interface to my DMZ host 10.10.1.12.
For my lab, I also added rules for DNS, SMTP, and HTTPS.
Due to my lab’s configuration using all private IP addresses and having a private IP on the WAN interface for the lab, I also had to remove the reserved network block.
To test the configuration, I used my external Kali machine to run an Nmap scan of port 80 and 443 of my firewall.
Configure DNS for External Access
The next step is to configure the simulated external DNS to route traffic to my lab network from the external network. I added an A record to the external Pihole.
I also need an A record for the email server.
Next, I need to create an MX record. For dnsmasq, this requires a custom configuration file.
# touch /etc/dnsmasq.d/99-mail.conf
# pihole restartdns
To check that the MX record is working, I use nslookup on the external Kali machine.
Now that the configuration is complete, I run a few Nmap scans to check that the ports are forwarded to the correct internal devices, and that I can scan by domain name.
With that, my Firewall and DNS configuration is complete and my lab is accessible from the simulated external network devices.
I could practice and work on hacking the machines I already built, but another good addition to my lab is vulnerable machines. A good source of these is VulnHub. In this post I will cover how to add a VulnHub machine to Proxmox.
The first step in adding the machine is to download it from vulnhub onto the host and extract it. For this example, I am using the machine Earth. To accomplish this, I entered the three commands below.
# mkdir vulnhub && cd vulnhub
# wget -O Earth.ova https://download.vulnhub.com/theplanets/Earth.ova
# tar xvf Earth.ova
Once downloaded you should have 3 files in the vulnhub directory.
Adding the VulnHub Machine to Proxmox
Now we need to create the VM in Proxmox to tie to the disk we downloaded. First we create the machine, and under operating system, select “Do not use any media.”
For the other options, I configured:
System: default
Disks: default
CPU: 1 socket / 1 core
Memory: 1024MB
Network: DMZnet / MTU: 1450
Once created, but before booting, the next step is to remove the hard disk. You do that by first detaching the existing disk, and then remove the unused disk.
Now you import the disk, using the command below. Replace “115” with the number corresponding to your virtual machine in Proxmox, and the vmdk file with the correct file corresponding to the machine you downloaded.
Once the disk imports, you need to go back to the GUI and change the disk type to SATA in the Proxmox interface.
After changing, you should see the hard drive in sata0.
The last step is to change the boot order to boot to the hard drive first, and then start the VM. After starting you should get the login screen.
The whole process is that simple. Now you can import new VulnHub machines anytime to try them out in your new Proxmox lab. Now that we have machines ready, its time to configure the DNS and firewall for external access.
The remaining server left to create in my lab is a Security Onion server. Security Onion is an out of the box blend of multiple open source tools that feed a central alert dashboard. I actually created a whole separate Pluralsight course called Security Onion Concepts and Basic Functionality if you are interested. The course covers the fundamentals, installation, and basic operation of the tool. This post is focused on capturing network traffic using my lab’s Security Onion server. To enable that, I configure a SPAN port for Security Onion in Proxmox on my pfsense virtual machine.
My Proxmox lab has multiple hosts which significantly complicate this operation. The Security Onion server and pfsense firewall are located on separate hosts which means I have to pass the network traffic between hosts. I enabled this capability previously with software defined networking. There was a problem though, this does not support SPAN ports effectively. The best way I found to enable a SPAN port in Proxmox is to configure a physical NIC passthrough on the host. This allows me to assign a physical port on the host directly to a virtual machine which successfully passes all traffic.
The first step I took is to enable IOMMU in the /etc/default/grub file by adding the line below as seen in the image.
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"
Then I ran update-grub and reboot the machine. To check that the setting is correct after reboot, I ran the command below and looked for “IOMMU enabled”.
# dmesg | grep -e DMAR -e IOMMU
Next I added the required modules to enable physical NIC passthrough by editing the /etc/modules file and adding the modules in the image below.
Just to be safe, I rebooted the machine at this point and then checked that I could add a PCI device in the hardware setting in Proxmox.
Configure a SPAN port for Security Onion in Proxmox
Now that I can map a physical NIC to one of my virtual machines, I added one of the host ethernet adapters to the hardware on my pfsense virtual machine.
To make this work correctly on my old servers, I also had to enable unsafe interrupts with this command:
Now when I access the pfsense interface menu from the command line, the new interface is available as bce0.
I assigned the interface the name OPT2 and then in the web configurator I enabled it and gave it a description of SPANport.
To configure a SPAN port in pfsense, you actually create a bridge within the interface menu. I went to Interfaces > Interface Assignments > Bridges and made a new one to create the SPAN port. I selected the LAN interface, added a description and then selected the SPANPORT interface under Span Port in the advanced configuration.
To complete my lab setup I did the same thing for the DMZ network, leaving me with two bridges.
The last step to verify operation is to test the SPAN port. To test, I used the packet capture tool in pfsense and set the interface to SPANPORT. I also enabled promiscuous mode to capture all data seen by the adapter.
Once I ran it, I could see multiple packets showing it was working as intended.
On the Security Onion server I will add another physical adapter, just like the pfsense machine. Then I will connect the interfaces directly with an ethernet cable.
Skipping ahead a bit to show it works
The output in Security Onion is not something I cover in the lab build, but it worked as configured in this post. Here is a tcpdump on my Security Onion Server and an overview of alerts.
I covered the how to install in a Pluralsight course, and you could also follow their documentation to build it. Security Onion is really one of the last steps to creating the basic structure of this lab other than adding the Kali machine and enabling remote access, but I also cover in the next post how to add VulnHub machines to the DMZ.
The next step to finish off my client machine setup is to add my Linux machine to the domain. I am going to join Ubuntu to Active Directory so I can use the domain accounts to authenticate and login. Once joined, I login with my admin account to test. The first step is to prepare the client machine by setting the hostname and changing DHCP settings.
The first thing I need to do is change my Ubuntu machine’s hostname to a fully qualified domain name (FQDN). I used the command below to fix my machine’s hostname and then the next command to check it.
Now that my hostname is fixed, the next step is to configure the DNS domain and set it to the internal Active Directory domain. You can make this change by adding the line to resolv.conf, but since I am using DHCP I set the search domain on my firewall which is my DHCP server. Both options are shown below.
Now I check the status using resolvectl status to make sure the changes took effect.
Now that the networking is set up correctly, the next step on my client is to install the necessary packages. I used the apt command below to install everything I needed.
Now I am ready for the next step which is actually joining the Ubuntu client to the domain.
Join Ubuntu to Active Directory
Joining Ubuntu to Active Directory is a multi-step process where I will use the terminal. The actual domain join is a single command, but after that I am going to take some additional steps to set up the users. The first step is to use realm to discover and then join the domain. Realm discover is used to obtain information about the domain and also list the required packages to connect, which I installed already in the previous step.
$ sudo realm discover corp.globomantics.local
Since all packages were already installed, I can use realm join to join the domain, and then realm list to confirm.
Now I need to set up home directories, which I can do using pam_mkhomedir. I first used nano to edit mkhomedir in /usr/share/pam-configs. Following the Manpage, I decided to stick with the default umask and skeleton directory settings.
Next I entered the command below to update and set the options shown in the image. Then I resarted sssd after pam-path-update. After that, I set realm to enable everyone to login.
Once everyone is configured to login the next step is to enable admins on my domain admin privileges on the Ubuntu machine. I set this in the sudoers file for the admin accounts in the image below.
Now that everything is set up, I should be able to login with a domain account and if it is admin then sudo should work.
Testing Domain Login and Admin Access
To test login, I will use SSH to access the Ubuntu machine from my Windows 10 admin machine. If everything is set up correctly I should be able to SSH without specifying a login name from Windows 10 while logged in as BAdmin, and then enter a sudo command.
That’s it! My configuration is successful and I can login to my Ubuntu machine using domain credentials. My client machines are all set up correctly and ready for testing. The next step in my process is to install and configure Security Onion which is the topic for the next series of posts.
Sadly, my plans with my budget private cloud did not work out. Long story short, I moved internationally twice since I initially made plans to build that cloud. The first move was to Japan, and the second to Italy. Through each of those moves I lost two servers. On the upside, I have plans for the remaining three servers: a better home hacking and lab using Proxmox.
Designing a new hacking lab with Proxmox for learning and new courses.
After taking a year off I am back to making Pluralsight courses. I recently published Security Onion Basic Concepts and Functionality. I am currently working on a new course: Command and Control with Sliver. While creating the new course, I decided that I needed a better lab to simulate an actual network and make use of the Globomantics domain. Globomantics is a fake company Pluralsight uses for demos. I decided to take some old servers I had from a previous project, drew up a design for a potential network, and got to work. The design I came up with is below.
The design includes a firewall with separate internal and DMZ networks. The DMZ contains a vulnerable web server fromVulnHub, a DNS server using Pi-Hole, and an email server running iRedMail. The DMZ is used because I want to keep the vulnerable hosts separate from the internal network. The internal network is a Microsoft Active Directory domain with a few workstations and a file server. I included one Ubuntu workstation as well that is joined to the domain. For security I have a firewall running pfsense and a Security Onion server acting as an IDS and SIEM.
On the external side I have a Kali Linux VM that is my main workstation for hacking, along with a phishing LXC running Gophish. I also have another Pi-Hole DNS server running that the internal network forwards requests to. This allows me to configure DNS records for fake websites without having to register actual domains.
Available Equipment for Home Lab
The three servers I have left are:
VMhost1: Dell Poweredge R610
2x 6 core Intel Xeon processors
16 GB RAM
600 GB HDD
VMhost2: Dell Poweredge R610
2x 6 core Intel Xeon processors
16 GB RAM
600 GB HDD
VMhost3: Dell Poweredge R510
2x 6 core Intel Xeon processors
16 GB RAM
1.8 TB HDD
The biggest issue I will face is the available RAM with the amount of machines I plan to run. So, I will make use of Linux Containers (LXC) where possible to reduce the resources required for particular services. I should be able to use an LXC for DNS, email, and the phishing server because these services use fewer resources.
Additional Considerations for Network and Proxmox
I am building this on a separate segment of my home network. It will remain behind a firewall, and none of the vulnerable machines will be exposed to the Internet.
I am using Proxmox as the virtualization software because it is free and allows me to use features like software defined networking, clusters for management, and VM migration between hosts.
I have limits on host performance due to using very old equipment. I will likely need to build a new host in the future to improve performance and reduce power consumption in the long term.
Ready to Build the Home Hacking Lab with Proxmox
For this build I am going to create posts about each step that serve as a guide for anyone looking to build something similar. The first post in that series will show the VMhost cluster and cover software defined networking installation.
I have two business ideas to explore, and I decided that now is a good time to take the plunge and create a prototype. My hesitation throughout the last year of was due to the time and financial investment required. After some inspiration, detailed thought, and self-evaluation, I am ready to go for it. Worst case scenario, this is going to eat up a lot of my time. Even if I lose time, I will learn a lot about cloud infrastructure, cloud networking, and cloud instance provisioning. My first business idea is in the realm of home and small business network cyber security. The second utilizes a private cloud platform to provision labs for IT and cyber security training. A small virtual lab isn’t going to cut it for these ventures.
My Current Setup
Before I can pursue these builds, I need to upgrade my home network and lab and select a platform. I currently have 3 old used servers (2 Dell PowerEdge R510s and an HP Proliant DL360) for the cloud. For networking, I have ancient Cisco switch. I think I can get by with the old switch for now, but my a small private cloud requires more servers. I can use the private cloud to provision networks to test out capabilities, learn, and design. These can also hold prototypes and proof of concepts for demonstrations. For the private cloud I selected Openstack as my platform. This will allow me to provision instances using Terraform, and have more flexibility with networking configuration. I can also avoid a large AWS and Azure bill while I experiment with different configurations. The only thing that will suffer is my power bill 😊.
Project Goals
Based on the Open Stack documentation I will need at least 4-5 servers to support my configuration which is a small compute cloud. To use Juju and Metal as a Service (MAAS) to deploy the cloud I will need 2 more servers, but I could probably use one of my servers and host 2 VMs instead of purchasing another server. I haven’t yet decided whether I am going to use Juju and MAAS to deploy Openstack, but I do know that I need at least 2 more servers for my project. I also want to separate my private cloud from the rest of my network and still maintain network performance with the added security, so I will need a firewall / IPS appliance. Once complete, my home network will look something like this:
My Private Cloud Budget
I am trying to stay under $2,000 total for this project (including what I already spent). Below is the price I paid for everything I already have.
Device
Qty
Unit Cost
Shipping
Total Cost
HP ProLiant DL360
1
$149.99
$112.89
$262.88
Dell PowerEdge R510
2
$238.99
$75.00
$552.98
Cisco Catalyst 3560
1
$69.00
$17.95
$86.95
Total Cost
$902.81
Existing devices with costs at time of purchase
So, based on that I have about $1100 to spend. Although I have plenty of room, I am sticking with used equipment. The only exception I am making is my firewall appliance.
Purchasing New Equipment
I was able to find 2 Dell PowerEdge R610s for $157 each, well within budget. My shipping costs to my location are really high, so I have to keep that in mind. Even with the shipping costs, I still consider these a bargain and they meet my needs. These servers also come from the same vendor as my previous purchases (PC Server and Parts), so I know they will arrive in good condition and operate well.
Next I need a firewall appliance, for this I am going straight to a vendor because their site is a lot cheaper than Amazon. This appliance from Protectli has 4 NICs, a quad core processor, and a small SSD. This is more than enough to run pfsense (and it was already tested for it), so it will easily meet my needs and be a step up from my current options for under $300.
Total Costs
With those 2 purchases I have all the equipment I will need, and significantly under my max budget! The only other purchase I might make is a rack to store the equipment and a PDU. For now, I just have to wait for them to arrive. I plan to start sometime in December. While I wait, I am going to work on my remote access solutions, determine what IDS/IPS I am going to use (Suricata, Snort, or Bro), and finalize my design of how this will all fit together.