Digital Forensics, Incident Response & Security

My Environment

Lennaert Oudshoorn -

With the intention to showcase some of my work, and publish tutorials for people to follow along with on this blog I feel like it is important to have a certain baseline environment. In this post I will describe and document my environment this should enable people to create a similar setup for themselves as to avoid issues where examples I show don't work for others. As the title of this post says, this is my environment, configured how I like it. This is by no means the only, or the best way, but it is what works for me.

As I learn more, and new tools and software gets released its only natural that my toolbox and thus my environment keeps evolving. With this in mind I intend to keep this post up-to-date to reflect changes I make, so feel free to check back here once in awhile to see what is new.

As virtualization software I use VMWare Workstation Pro. But as a free alternative you can use VMWare Workstation Player, this free version is available for non-commercial, personal and home use and can be downloaded from: https://www.vmware.com/products/workstation-player.html.

My OS of choice is Kali Linux, a distribution aimed at security professionals. There are a few great alternatives, most notably Parrot OS. Personally I chose for Kali Linux as I'm most familiar with this distribution, but I encourage you all to experiment around with different options and find out what works for you. Next to the disc images (ISO files) to install Kali Linux with, Offensive Security has Virtual Machine versions available. I find that using these makes it fast and easy to get your environment up and running, they can be downloaded from here, as I'm using VMware I grab the Kali Linux VMware 64-Bit image, but images for Virtual Box and Hyper-V are also available if you chose for different virtualization software.

With your virtualization software of choice installed, and the appropriate image of Kali downloaded its time to make the machine, screenshots are taken from the VMware version that I use, but steps should not be to different with other software.

Creating the Virtual Machine

On the Home screen of VMware we need the option "Open a Virtual Machine":

Navigate to the folder where you've unpacked the archive containing the Kali Linux image, and select the vmx file and open it. You can assign more cores and/or memory to the VM in the "Virtual Machine settings" menu (shortcut CTRL+D), but in most cases the default settings should be fine, you can always change this later if you find the VM not running well enough.

The first thing I like to do is take a snap shot of the current state of the machine, so we can always easily revert back to here in case we make a mistake somewhere and something breaks. In fact, I often take snapshots before and after making major changes to my environment. To do this, open the snapshot manager by pressing CTRL+M or navigating to it through the menu " VM --> Snapshot --> Snapshot Manager".

Click the "Take Snapshot..." button and give your snapshot a name and a description so that you can remember what state the machine was in at this point. For the first snapshot I often chose "Fresh Install Kali $version" as a description, so in this case "Fresh install Kali 2020.2". That is all there's to it.

You can now start the machine by clicking the play button, the first time it starts you should get the following prompt:

Choose 'I Copied It'.

After the machine has finished booting up, you should be greeted by the Kali Linux login prompt.

In the past Kali Linux came with a root account by default, but recently this has changed and the default user is called kali, with as password kali. Enter these credentials and you should land on the desktop of your very own Kali Linux VM.

Bringing Kali up-to-date

Now we have a running Kali Linux machine, lets first bring her up to date. To do this open a terminal and run the following command.

sudo apt update && sudo apt dist-upgrade -y

Running this command will first prompt you for your password, as we are using sudo to run this command with elevated rights as an administrator, after you entered your credentials the system will start downloading the latest updates.

Configuring the correct timezone and keyboard layout

Chances are, especially if you are not from the United States, that the default VM Image does not have your correct timezone and/or keyboard layout, so lets fix that.

First for timezone, enter the following command in the terminal.

sudo dpkg-reconfigure tzdata

Again this command needs to be ran with elevated privileges so enter your sudo password, and follow the instructions on the screen.

Changing the keyboard layout works much the same, this time the command required is:

sudo dpkg-reconfigure keyboard-configuration

And again, follow the instructions on the screen to select the correct layout.

Change the default password and creating a new user

With the VM by default configured with kali/kali as username and password, it is advised to change this password, to do so type the passwd command in to the terminal.

passwd

After typing this command you will be asked for your current password, a new one, and once more to confirm this new password.

You can continue working as the kali user, now with a new password that not everyone knows, or you can choose to make your own user. If you want to create a new user follow these steps. First, create the user.

sudo adduser UserName

Replace UserName with your desired new username, this command will ask you for a new password for this user and a few other details, these other details you can leave blank. Now we have created the user and a home directory for this user.

As you have noticed before, we've quite often used the sudo command to run other commands with elevated privileges, to give our new user the rights to also use this command we need to add them to the sudo group.

sudo usermod -aG sudo UserName

Again, replace UserName with the name of your new user.

As a last step, we should change the default shell of our user to Bash, in order to do that run:

sudo chsh -s /bin/bash UserName

Finally we can now logout, and sign in as our new user.

Changing your SSH keys

Because the default image we used has the same SSH keys for everyone, an attacker could use this knowledge to perform Man in the Middle attack on your SSH session. Therefor it is advised to change these keys.

These keys we need to change are inside /etc/ssh, and all start with ssh_host_*

First I'd start by making a backup of these keys. To do this we will create a backup-keys directory inside the /etc/ssh directory and move all the files starting with ssh_host_ in to it.

sudo mkdir /etc/ssh/backup-keys && sudo mv /etc/ssh/ssh_host_* /etc/ssh/backup-keys

With the keys moved in to the backup directory we can create new keys.

sudo dpkg-reconfigure openssh-server

The output of this command should look something like this:

Now to confirm our new keys are different than the ones we just created, we can compare them to the keys in the backup folder, to do this we will take a MD5 sum of both sets of files.

As you can see, the computed checksum for all the files is different.

You now have a fully functional and up-to-date Kali Linux VM to use in a CTF or participate in various bug bounty programs with. Anything after this is installation of software I use and tweaking of configurations to suit my personal preferences. Non of it is mandatory or required but feel free to take from it what you feel might be useful.

Create a shared directory between host and VM

I like to have a shared folder between my host machine and the virtual machine where I keep most of the work I do in. This way if I spin up a new VM I still have all the work files readily available. To create a shared folder, open up the Virtual Machine Settings menu in VMware (CTRL+D), go to the options tab, select the 'Shared Folders' option and make sure 'Always Enabled' is checked. You can now pick which folder you want to share by clicking the Add button.

Try to avoid using spaces in your folder name, as Linux does not always play nice with this. Afterwards you can mount your shared folder with this command.

sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt -o allow_other

If you want to automatically mount your shared folder on boot, you can add the following to the /etc/fstab file:

# Use shared folders between VMWare guest and host
.host:/    /mnt/hgfs/    fuse.vmhgfs-fuse    defaults,allow_other,uid=1000     0    0

Your shared folder should now be inside /mnt/hgfs/ everytime you start your virtual machine.

Install Atom

Atom is a hackable text editor, and it is my editor of choice to modify scripts or take notes in. You can read more about this tool over at their own website, https://atom.io/.

First we need to download Atom:

https://github.com/atom/atom/releases/download/v1.47.0/atom-amd64.deb

After downloading the file we can install it:

sudo dpkg -i atom-amd64.deb

After installing, you can start the program via the menu, or by typing the atom command inside your terminal.

Install tree, htop, nethog

sudo apt-get install -y tree htop nethogs

I like knowing what is going on on my system. These tools help me get insight in that.

  • Tree gives a depth indented recursive listing of files and directories.
  • Htop is an alternative to the default top and is used for real-time process monitoring.
  • Nethogs can be used to view the network traffic to see which applications are using up your bandwidth.

Install FileZilla

If you are participating in a CTF chances are you will have to interact with an FTP server at some point. I know this can all be done from the terminal, but personally I prefer to have a graphical FTP program, and FileZilla is the one that I like most.

The command:

sudo apt-get install filezilla

Will install this application for you, just like Atom you can then start it from the menu, or by typing filezilla in to your terminal.

Install Jopin

Taking notes is extremely important. They help you writing your report for bug bounties, and they let you search back how you did something in the past if you encounter something that is very similar to something you have seen before.

My application of choice for taking notes is Joplin, you can install it with:

sudo apt-get install joplin

If you choose to use Joplin for taking notes like I do, I'd advice you to look in to how to configure syncing for it, and use the application on multiple of your devices.

Install Chrome

Kali comes default with FireFox as the web browser, personally I prefer Chrome while conducting tests against websites, so lets install that. 

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install -y ./google-chrome-stable_current_amd64.deb

I add two addons to chrome, both can be downloaded in the chrome webstore:

  • Foxy Proxy Standard, to quickly turn on/off a webproxy such as Burp Suite or OWASP ZAP
  • Joplin Web Clipper, to capture and save things from the web in to my notes

Seclists

Word lists are super useful when brute forcing passwords, subdomains, or directories. A great collection of word lists is Seclists, you can read more about this project on the github page https://github.com/danielmiessler/SecLists/. On kali you can install it with the command: 

sudo apt -y install seclists

Customizing your terminal

This will probably be different for everyone, there are many different terminal emulators to choose from, for example Guake or Terminator. Personally I use a combination of Terminator/ZSH/Oh-My-ZSH/P10K Theme.

Adding some fun

sudo apt-get install -Y cmatrix cowsay sl lolcat

This command will install:

  • cmatrix
  • cowsay
  • sl (steam locomotive)
  • lolcat

Non of these add any value to being productive, but they are fun when you find yourself giving a demo or just need a little something to cheer yourself up with.