Splunk Attack Range in a virtualized Ubuntu Guest VM — Guide
A quick guide to get this fantastic project running locally not in AWS.
Project Link: https://github.com/splunk/attack_range
!!!UPDATE!!! Read
This guide no longer works as a step by step guide.
The Splunk Attack Range does not support local installs with vagrant any more. However, the project https://github.com/splunk/attack_range_local/ does so all is well 😉
You can still read this guide to get an understanding of how to install the Attack Range in a VM, what system requirements you need etc. However for ‘what commands to run’ aka what to put in a terminal window please use the github documentation/wiki which is up to date and correct.
Foreword
The Splunk Attack Range is a wonderful project by Splunk that allows anyone interested to quickly (automatically) build and deploy a whole Infrastructure stack with various software/tooling to test Cyber Attacks against vulnerable hosts, capture and send event logs from hosts, forward said event data into Splunk and even implement SOAR playbooks; go see the GitHub project page above for more information 😉
Deploying this ‘locally’ (not in the AWS Cloud) though I found a little bit more involved than the light documentation on the GitHub project page which initially makes you believe this is a 5 minute tasks. Furthermore is the documentation for Apple MacOS and there is no guide for running this locally inside a virtual machine.
Yes this will/should work and the light documentation might be fine for a lot of people but I know plenty of Cyber Security people who just want to learn and use Splunk with the required ‘security events’ coming in to test their Splunk searches but don’t want to get frustrated with “all the other stuff” to get something like below working.
Why run this locally and in a VM
I like my host Operating System (Windows 10) clean as a whistle and apart from Microsoft Office, NAPS, VmWare, Steam, iTunes, Dropbox and Firefox + a Password manager there is nothing else on it and everything else is put in one or two VMs in VMware.
Running things in a VM means I can take a “snapshoot” of a good know state and revert back to that state in seconds. This allows you to ‘go test/break stuff’ which as somebody in Information Technology and as a “hacker” you are supposed to do 😁 [really I just break stuff so this helps]
AWS is great and I love “the cloud” 🌧️; however the costs of running multiple VMs in AWS is not exactly free and destroying/stopping the range in AWS is not as fast as locally inside virtualization software like VMware.
Cyber Paranoia
If you download stuff from the Internet that “run’s code” you never know what actually happening unless you review the code and all dependencies the code needs…
Total paranoia but hence I run this inside a “clean” for only this purpose VM not my main Operating System or a VM that has access to my files or accounts.
Yes I worked in Security to long 😂 but the amount of software supply chain attacks the last few years is very high and this is my job.
Step by Step Guide
Read this top to bottom! Read this after reading the Splunk Attack Range Github project page and the ‘local’ Vagrant and Virtualbox installation configuration guide.
Also basic knowledge in Linux and your virtualization software is required and how to login into Splunk and change “Apps” in Splunk.
Where do I run this
I run the the environment on my Windows 10 PC in VMware Workstation 15 Pro.
Theoretically any decent virtualization platform will do but VMware has worked for me for years. If you use a Mac use Paralleles or VMware Fusion etc. but anything good should work.
What Guest Operating System are you using for VMware
Very important as this is where the dependency/software nightmare can start.
The guest OS of choice for me is Ubuntu 18.04.4 LTS Desktop. https://releases.ubuntu.com/18.04.4/
The Splunk Attack project team seems to run the range locally on their Mac OS machines not virtualized.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
Virtualization: vmware
Operating System: Ubuntu 18.04.4 LTS
Kernel: Linux 4.15.0–99-generic
Architecture: x86–64
What Virtual Machine Guest settings do you use
Amazingly the project does not make any recommendations here and twice I had to resize my hard disk space as running four virtual Operating Systems for ‘my’ attack range (this is configurable, see below) require plenty of disk space. So my recommendation for running four to five OSs would be:
- 8 x CPU (Number of processors! Not number of cores = 1! More cores in VMware leads to the hypervisor having to do ‘more virtual CPU load distribution’ and will underutilized your real CPU power aka VM is slow)
- ~16GB of RAM
- ~ 140GB of Disk Space
- Virtualization Engine (CPU Hardware) options enabled!
If you run just Splunk and one Windows machine 35GB disk space should be fine with 8GB of RAM; if you want the full “windows domain” experience and Kali and cannot spare 16GB of RAM for your Guest VM go the AWS route.
The last point depends on the virtualization software but make sure ‘whatever option’ is enabled that allows the virtualization software to use your CPUs virtualization features. The Windows machines would not start for me inside the guest without this.
Wait you run Virtual Machines in a Virtual Machine
Yes of course. This works fine and the speed is fine on a modern good machine with fast SSD storage (or NVME) and plenty of RAM and a good CPU.
Prerequisites for the Guest Ubuntu VM
The below needs to happen before you try running anything from the Splunk Attack Range project.
Python DEV
A lot of python is used and a virtualenv python environment is created using pip (python package manager) and a ton of python packages are downloaded/installed and this failed for me until I installed python-dev in Ubuntu for one package. The pip psutil package build error looked similar to this:
ERROR: Command errored out with exit status 1:
command: /home/user/attack_range/venv/bin/python -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-rneywg_0/psutil/setup.py'"'"'; file='"'"'/tmp/pip-install-rneywg_0/psutil/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record /tmp/pip-record-1uxg11up/install-record.txt --single-version-externally-managed --compile --install-headers /home/user/attack_range/venv/include/site/python3.6/psutilPython 3.6 is already installed on Ubuntu but some libraries/headers are only available in the -dev version (?unsure myself?) which psutil with pip needs.
So to avoid this pip error install python DEV:
sudo apt-get install python3.6-dev
Virtualbox Virtualization Software
sudo apt-get install virtualbox virtualbox-qt virtualbox-dkms
After install just start virtualbox and see if it starts. Note the Virtual Machines are stored in a folder under the users home directory.
Vagrant
🛑Do not use the Ubuntu packaged version! 🛑
This did not include some library needed for Windows machines so they could not get started by virtualbox.
You need to manually download and install Vagrant and to do this in Ubuntu requires the RPM software also.
Download the CentOS Vagrant RPM package from https://www.vagrantup.com/downloads.html and then in your terminal install RPM
sudo apt-get install rpm
and then install the downloaded Vagrant RPM package
sudo rpm -ivh vagrant_2.2.7_x86_64.rpm
Check that vagrant was installed correctly by running
vagrant -v
Downloading and Preparing the Attack Range
Basically now we are following the Prerequisite: ‘Configure Attack Range for Vagrant’ steps now from the Project; but let’s break this down.
Change in the terminal to the directory to where you want the Splunk Attack range to be in. I choose the Desktop folder for this for quick access.
Then
git clone https://github.com/splunk/attack_range && cd attack_range
This clones (downloads) the project from Github and you change directory into this folder. Then run
pip install virtualenv
This installs the python virtualenv package. This is a tool to create isolated Python environments. In this case for the Attack Range:
virtualenv -p python3 venv
we create a new virtualenv environment called venv. Then:
source venv/bin/activate
this activates the virtualenv.
Note that you should see this in the terminal window.
Next run
pip install -r requirements.txt
This installs dozens of python packages into the python virtualenv that are required to run the attack range scripts. If you get any errors here good luck troubleshooting pip.
What is actually happening when I build the “Range” using attack_range.py
This python script (.py) reads the attack_range.conf config file on what to build and how to build.
As we run this locally not in the cloud ‘Vagrant’ is started and starts “building” Virtual machines against various templates in the attack range folder.
Vagrant is an automation tool that basically build/starts virtual machines against preconfigured templates in the attack range using the free virtualization software Virtualbox.
Once the virtual machine is running (in virtualbox) ansible scripts configure the machines and deploy software etc. on them.
Ansible is automation software for “Operating Systems”.
First time building the Attack Range
Now you are ready to build the range.
🛑Do not change the attack_range.conf configuration file just yet.🛑
Make sure you are in the right folder in your terminal and the virtualenv venv is also set for your python environment and then build the environment
python attack_range.py -m vagrant -a build
At the time of writing the default configuration just builds the Splunk server and nothing else. As the server is downloaded, packages for the server are downloaded and installed etc. this while take a few minutes. Drink ☕ and relax.
If the build works the python script should finish running and you should be back in the shell in your terminal.
Splunk can now be accessed via your web browser inside your Guest VM at:
Username is admin and password is inside the attack_range.conf file.
You should also see the Splunk Virtualbox VM running.
A picture to explain
On the left is the terminal where I ran the build attack range python script. The Firefox browser is open and connected to the Splunk server and on the right is Virtualbox running the Splunk server. All this inside the Ubuntu guest VM.
If this default build fails
Start from the top and see if you missed anything. Check the error message or why the scripts failed and what failed (vagrant, ansible, python)? Are there any open issues in GitHub that sound familiar?
See also the Gotcha’s when building section.
Google is your friend here and if all else fails raise an Issue on the GitHub project page.
A proper Attack Range build
Now lets build an attack range with some actual Windows machines that send logs into Splunk and we can attack.
First of all stop the current environment.
python attack_range.py -m vagrant -a stop
Let the script finish and open the attack_range.conf file in your text editor of choice and find the [environment] section and then change the 0s to 1s for the following:
windows_domain_controller = 1windows_server = 1kali_machine = 1windows_client = 1windows_server_join_domain = 1windows_client_join_domain = 1
Obviously this depends on what you want to do/archive but I want to play with some Windows GPO policies, deploy/manage sysmon via GPO and use metasploit (from Kali) against the Windows machines.
Save your changes in the configuration file and build the environment again.
python attack_range.py -m vagrant -a build
If all goes well in about ~30–40 minutes (yes!) everything should be running.
A fast Internet connection helps obviously as downloading Windows etc. takes time. Note the first build takes longer then consequent builds.
Gotcha’s when building
Two things that have happened to me:
- Downloading software: The scripts download from AWS images/software and this fails. Re-running the build 5 minutes later worked fine; makes you wonder though how this can happen.
- Build connection timeout issues: This happened only once. Kali was build, the Kali virtualbox was up and running but the vagrant script was waiting for the virtualbox to come back up and trying to connect to it… took forever to timeout but the script did eventually timeout.
So what now —> Let’s run an Attack!
The first thing you want to do is ‘test’ if a simulated attack actually works and if events make it into Splunk.
Using the scripted attack range attack method (which is using Caldera and Atomic Red Team) we can run two MITRE ATT&CK techniques Regsvr32 and Credential Dumping against the Windows Domain Controller by running
python attack_range.py -m vagrant -a simulate -st T1117,T1003 -t attack-range-windows-domain-controller
In less then 2 minutes the attack simulation should have completed and you should see the below in Splunk inside the “Attack Range Reporting” Splunk App.
👍 !Success!💪 the range is most definitely working and you can use it.
Anything else to note?
Take a “Snapshoot” of the Guest VM before/after installing software etc.
The “Attack Range” commands are well explained on GitHub but if something “fails” and goes wrong I found that opening the Virtualbox GUI and stopping and destroying/deleting the VMs really helps. Once I had to manually delete a Virtualbox VM folder in the users “VirtualBox VMs” for additional cleanup after running out of disk space but afterwards “re-building” the range worked fine.
Thanks
Well a big thank you for all the contributes who maintain and build the Splunk Attack Range plus the other dozens of projects that are inside this project like MITRE Caldera, Atomic Red Team, Sysmon and the Sysmon configurations, etc. etc.
Thank you 🙏
I hope this helped some people.
