[
  {
    "path": "README.md",
    "content": "# ad-honeypot-autodeploy\n\nDeploy a small, intentionally insecure, vulnerable Windows Domain\nfor RDP Honeypot fully automatically.\n\nRuns on self-hosted virtualization using [libvirt](https://libvirt.org)\nwith [QEMU](https://www.qemu.org/)/[KVM](https://www.linux-kvm.org/page/Main_Page) (but it can be customized easily for cloud-based solutions).\n\nUsed for painlessly set up a small Windows Domain from scratch\nautomatically (without user interaction) for the purpose of RDP Honeypot\ntesting.\n\nFeatures a Domain Controller, a Desktop Computer and a configured\nGraylog server for logging the actions of the bad guys.\n\n## Automatic deployment phases\n\n1. [Packer](https://www.packer.io/): download the necessary install media and setup the\nautomated base virtual machine images unattended.\n\n2. [Terraform](https://www.terraform.io/): provision the libvirt virtualization infrastructure\n(network + virtual machines) using the packer-prepared\nvirtual machine images.\n\n3. 
[Ansible](https://www.ansible.com/): configure the infrastructure (DC, Desktop, Graylog)\nautomatically, without user interaction.\n\nAfter going through the Packer+Terraform+Ansible pipeline,\nthe configured Windows Domain should be up and running. You can then\nexpose the RDP service of the Desktop to the public internet and\nmonitor the events through Graylog.\n\n## Features\n\nFeatures of the running system are:\n\n* a Windows Server 2016 as a Domain Controller\n* a Windows 10 Desktop (version 21H2) as a Domain Computer\n* a [Graylog](https://www.graylog.org/) 3.3 (Open Source edition) running as a Log Collector on [Ubuntu](https://ubuntu.com/) 18.04 LTS\n* Using [VirtIO](https://wiki.libvirt.org/page/Virtio) drivers for best performance\n* Enabled RDP and WinRM Services\n* Populated Windows Active Directory with random users\n* [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) (from [Windows Sysinternals](https://docs.microsoft.com/en-us/sysinternals/)) installed and running on Domain Computers\n* [NXLog](https://nxlog.co/) Collector running on Domain Computers and forwarding logs to Graylog\n* Configured Graylog GeoIP lookup table and pipeline for IP addresses (useful for showing a map of invalid RDP login attempts)\n* Graylog World Map of RDP attacks\n* an extra [Kali](https://www.kali.org/) VM attached to the Windows subnet for playing with attack techniques\n\n## Host System Requirements\n\nVirtualization demands some resources from your host system:\n\n* ~100 GB disk space for the base images and the sparse images of the guest computers.\n* at least 4 x 4 GB memory for the guest machines\n(may run with less than 16 GB because of overcommitment)\n* installed up-to-date libvirt with QEMU/KVM (official current packages in Ubuntu 18.04 LTS should work)\n* Python 3 (preferably with venv) for Ansible\n\nTested on an Ubuntu 18.04 LTS host.\n\n## Installation and Usage\n\nFirst, clone the repo:\n\n```\ngit clone 
https://github.com/tothi/ad-honeypot-autodeploy\ncd ad-honeypot-autodeploy\n```\n\nBefore starting with Packer, set up the initial passwords (watch for complexity requirements):\n\n```\n./init_passwords.sh\n```\n\n### Packer\n\nNow build the initial images.\n\n```\ncd packer\n```\n\nWindows Server 2016 and Ubuntu installation media should be downloaded\nby the Packer script. VirtIO needs to be downloaded with the attached\nget-virtio.sh script:\n\n```\n./get-virtio.sh\n```\n\nWindows 10 must be downloaded manually: get a temporary\ndownload link and save the image to the ISO folder. The download link\ncan be obtained from [here](https://www.microsoft.com/hu-hu/software-download/windows10ISO). Select the English (International), 64-bit version and\nsave the ISO to `ISO/Win10_21H2_EnglishInternational_x64.iso`.\n\nFor mapping IP locations on a World Map in Graylog, the MaxMind GeoIP\ndatabase is needed. Unfortunately, due to licensing terms it cannot\nbe redistributed, so you have to download it manually (after registering)\nfrom the [MaxMind site](https://www.maxmind.com). 
The free GeoLite2 version should work: get the\n\"GeoLite2 City\" Database in MMDB format (download the GZIP and untar)\nand put it at `resources/GeoLite2-City.mmdb`.\n\nIf you do not have Packer, get the latest version from the packer.io site\n([download the pre-compiled binary](https://www.packer.io/downloads.html))\nor try to [add the HashiCorp repository](https://learn.hashicorp.com/tutorials/terraform/install-cli) to your packaging system (useful for Terraform also).\n\nIf you are rebuilding the images, do not forget to clean up previous\nbuilds:\n\n```\nrm -fr output_*\n```\n\nIf you want to re-download the images, remove packer_cache:\n\n```\nrm -fr packer_cache\n```\n\nAfter these preparation steps, run the Packer builds in parallel:\n\n```\n./packer-build-all.sh\n```\n\n![Packer in action](./packer.png)\n\nThe images should be ready in a reasonable time (~20-30 mins depending\non your host hardware power).\n\n### Terraform\n\nNow the infrastructure can be deployed using Terraform.\n\nGet Terraform (>=0.13) if you do not have it (see the install methods\nfor Packer, above).\n\n[Terraform provider for libvirt](https://github.com/dmacvicar/terraform-provider-libvirt)\nshould be automatically downloaded from the [Terraform Registry](https://registry.terraform.io/)\nduring the apply phase.\n\nEnter the Terraform folder:\n\n```\ncd ../terraform\n```\n\nInitialize the working directory (only needed for first time use):\n```\nterraform init\n```\n\nBuild and launch the infrastructure (\"apply the changes\"):\n```\nterraform apply\n```\n\nNote that if the user running `terraform apply` is not root, sudo privileges for running `/usr/sbin/iptables`\nare needed (without password).\n\n![Terraform in action](./terraform.png)\n\nAfter a short time (~2-3 mins),\nthe network and virtual machines are up and running. 
If there are any failures, `terraform destroy` might not be enough;\nmanually undefining resources may be necessary.\n\n> WARNING: You should take care of protecting your private\n> network. The terraform config (main.tf) provided here just contains\n> a custom firewall rule for my own testing environment\n> (blocking 192.168.0.0/16 destination traffic from the\n> 192.168.3.0/24 honeypot network).\n\nNext is the configuration phase.\n\n### Ansible\n\nGet into the ansible folder:\n\n```\ncd ../ansible\n```\n\nThe recommended installation method is to install the latest Ansible\nwith the required additional dependencies in a Python venv virtual\nenvironment:\n```\npython3 -m venv venv\n. ./venv/bin/activate\npip3 install -r requirements.txt\n```\n\nFor later use, just activate the venv with\n```\n. ./venv/bin/activate\n```\n\nAnd just `deactivate` if it is not needed anymore in your\ncurrent session.\n\nYou should put an SSH public key with filename `id.pub` (use `ssh-keygen`) into the ansible\nfolder for accessing the Ubuntu Graylog machine with the ubuntu user\n(ansible will add it to `~ubuntu/.ssh/authorized_keys`).\n\nThe `wordlist.txt` file contains some (intentionally weak) passwords\nfor the populated domain users which can be customized.\n\nRun the configuration phase:\n\n```\nansible-playbook -i hosts setup-domain.yml -v\n```\n\n![Ansible in action](./ansible.png)\n\nAfter 20-25 mins everything is ready.\n\n## The deployed system\n\n| hostname  | ip address    | operating system          | role                      |\n| --------- | ------------- | ------------------------- | ------------------------- |\n| dc1       | 192.168.3.100 | Windows Server 2016       | Domain Controller         |\n| desktop12 | 192.168.3.112 | Windows 10 (version 2004) | Domain Member Workstation |\n| graylog   | 192.168.3.191 | Ubuntu 18.04 LTS          | Graylog Server            |\n| kali      | 192.168.3.192 | Kali Rolling (2022.3)     | Offensive Operations      |\n\nAccording to 
the libvirt network configuration (NAT), the hosts can access\nthe public internet (if your host system allows it).\n\nAccessing the hosts is possible through the host system.\nIn practice, using an SSH SOCKS tunnel and proxychains for RDP or WinRM\naccess is very convenient.\n\nFor example, if your libvirt host IP is 192.168.0.10,\ncreate a SOCKS tunnel listening on `localhost:5000` with\n```\nssh 192.168.0.10 -D5000 -NTv\n```\n\nAnd access the Windows 10 desktop (using an appropriate `/etc/proxychains.conf`\nconfigured for the :5000 tunnel):\n```\nproxychains xfreerdp /v:192.168.3.112 /u:administrator\n```\n\nOr, access the Graylog web interface listening on :9000 locally on\nthe Graylog Ubuntu server by SSH ProxyJump and custom forward tunnel:\n```\nssh -J 192.168.0.10 ubuntu@192.168.3.191 -NTv -L9000:127.0.0.1:9000\n```\n\nThen open the URL `http://localhost:9000` to reach the Graylog web\ninterface.\n\nTo activate the RDP honeypot, just allow public access\nto 192.168.3.112:3389 (for example with some port forwarding\nconfiguration on your router and iptables rules on the host\nmachine; my helper script is [rdp_public.sh](ansible/rdp_public.sh))\nand keep watching the Graylog. ;)\n\n"
  },
  {
    "path": "ansible/dashboard.json",
    "content": "{\n  \"v\": 1,\n  \"id\": \"2397d589-a1fd-4ad8-b271-e72f44b4611f\",\n  \"rev\": 1,\n  \"name\": \"RDP Attack Dashboard\",\n  \"summary\": \"Monitoring Dashboard for RDP Attacks\",\n  \"description\": \"\",\n  \"vendor\": \"an0n\",\n  \"url\": \"\",\n  \"parameters\": [],\n  \"entities\": [\n    {\n      \"v\": \"1\",\n      \"type\": {\n        \"name\": \"dashboard\",\n        \"version\": \"2\"\n      },\n      \"id\": \"e42b37b9-3e53-4e0e-ab66-064d57feacab\",\n      \"data\": {\n        \"summary\": {\n          \"@type\": \"string\",\n          \"@value\": \"Monitor RDP Attacks\"\n        },\n        \"search\": {\n          \"queries\": [\n            {\n              \"id\": \"703206bc-2209-44c6-9027-148d841210ba\",\n              \"timerange\": {\n                \"type\": \"relative\",\n                \"range\": 300\n              },\n              \"query\": {\n                \"type\": \"elasticsearch\",\n                \"query_string\": \"\"\n              },\n              \"search_types\": [\n                {\n                  \"query\": {\n                    \"type\": \"elasticsearch\",\n                    \"query_string\": \"EventID: 4625\"\n                  },\n                  \"name\": \"chart\",\n                  \"timerange\": {\n                    \"type\": \"relative\",\n                    \"range\": 0\n                  },\n                  \"streams\": [],\n                  \"series\": [\n                    {\n                      \"type\": \"count\",\n                      \"id\": \"Message Count\",\n                      \"field\": null\n                    }\n                  ],\n                  \"filter\": null,\n                  \"rollup\": true,\n                  \"row_groups\": [],\n                  \"type\": \"pivot\",\n                  \"id\": \"30b34c81-72ee-411e-a9e6-8bfc6d13fdce\",\n                  \"column_groups\": [],\n                  \"sort\": []\n                },\n                
{\n                  \"query\": {\n                    \"type\": \"elasticsearch\",\n                    \"query_string\": \"EventID: 4625\"\n                  },\n                  \"name\": \"chart\",\n                  \"timerange\": {\n                    \"type\": \"relative\",\n                    \"range\": 0\n                  },\n                  \"streams\": [],\n                  \"series\": [\n                    {\n                      \"type\": \"count\",\n                      \"id\": \"count()\",\n                      \"field\": null\n                    }\n                  ],\n                  \"filter\": null,\n                  \"rollup\": true,\n                  \"row_groups\": [\n                    {\n                      \"type\": \"values\",\n                      \"field\": \"IpAddress_geo_city\",\n                      \"limit\": 15\n                    }\n                  ],\n                  \"type\": \"pivot\",\n                  \"id\": \"56cd0b71-feac-4765-9750-7fc3f20486c2\",\n                  \"column_groups\": [],\n                  \"sort\": []\n                },\n                {\n                  \"query\": {\n                    \"type\": \"elasticsearch\",\n                    \"query_string\": \"EventID: 4625\"\n                  },\n                  \"name\": \"chart\",\n                  \"timerange\": {\n                    \"type\": \"relative\",\n                    \"range\": 0\n                  },\n                  \"streams\": [],\n                  \"series\": [\n                    {\n                      \"type\": \"count\",\n                      \"id\": \"count()\",\n                      \"field\": null\n                    }\n                  ],\n                  \"filter\": null,\n                  \"rollup\": true,\n                  \"row_groups\": [\n                    {\n                      \"type\": \"values\",\n                      \"field\": \"IpAddress_geo_location\",\n           
           \"limit\": 15\n                    }\n                  ],\n                  \"type\": \"pivot\",\n                  \"id\": \"1f393b80-ef25-40d4-b04d-0d4a9d8156f1\",\n                  \"column_groups\": [],\n                  \"sort\": []\n                },\n                {\n                  \"query\": {\n                    \"type\": \"elasticsearch\",\n                    \"query_string\": \"EventID: 4624 AND LogonType: 10\"\n                  },\n                  \"name\": \"chart\",\n                  \"timerange\": {\n                    \"type\": \"relative\",\n                    \"range\": 0\n                  },\n                  \"streams\": [],\n                  \"series\": [\n                    {\n                      \"type\": \"count\",\n                      \"id\": \"Message Count\",\n                      \"field\": null\n                    }\n                  ],\n                  \"filter\": null,\n                  \"rollup\": true,\n                  \"row_groups\": [],\n                  \"type\": \"pivot\",\n                  \"id\": \"3963de17-64fb-4178-8aec-11b4951cbb2e\",\n                  \"column_groups\": [],\n                  \"sort\": []\n                }\n              ]\n            }\n          ],\n          \"parameters\": [],\n          \"requires\": {},\n          \"owner\": \"admin\",\n          \"created_at\": \"2020-10-05T23:20:44.620Z\"\n        },\n        \"created_at\": \"2020-10-05T22:34:45.717Z\",\n        \"requires\": {},\n        \"state\": {\n          \"703206bc-2209-44c6-9027-148d841210ba\": {\n            \"selected_fields\": null,\n            \"static_message_list_id\": null,\n            \"titles\": {\n              \"widget\": {\n                \"3c978baf-6e85-431a-b4c1-6d82c3ddddc4\": \"RDP Attack Origin World Map\",\n                \"4db2a07e-8b77-4716-b659-029e2750dbf8\": \"Failed Login Attempts\",\n                \"c1e773ab-706a-4935-9c9c-7e23c02e6820\": \"RDP Attack 
Origin\",\n                \"496f078b-9707-47c2-8829-094b35d61004\": \"Successful RDP Logins\"\n              }\n            },\n            \"widgets\": [\n              {\n                \"id\": \"3c978baf-6e85-431a-b4c1-6d82c3ddddc4\",\n                \"type\": \"aggregation\",\n                \"filter\": null,\n                \"timerange\": {\n                  \"type\": \"relative\",\n                  \"range\": 0\n                },\n                \"query\": {\n                  \"type\": \"elasticsearch\",\n                  \"query_string\": \"EventID: 4625\"\n                },\n                \"streams\": [],\n                \"config\": {\n                  \"visualization\": \"map\",\n                  \"event_annotation\": false,\n                  \"row_pivots\": [\n                    {\n                      \"field\": \"IpAddress_geo_location\",\n                      \"type\": \"values\",\n                      \"config\": {\n                        \"limit\": 15\n                      }\n                    }\n                  ],\n                  \"series\": [\n                    {\n                      \"config\": {\n                        \"name\": null\n                      },\n                      \"function\": \"count()\"\n                    }\n                  ],\n                  \"rollup\": true,\n                  \"column_pivots\": [],\n                  \"visualization_config\": {\n                    \"viewport\": {\n                      \"zoom\": 1,\n                      \"center_x\": 51.83577752045248,\n                      \"center_y\": 23.203125000000004\n                    }\n                  },\n                  \"formatting_settings\": null,\n                  \"sort\": []\n                }\n              },\n              {\n                \"id\": \"4db2a07e-8b77-4716-b659-029e2750dbf8\",\n                \"type\": \"aggregation\",\n                \"filter\": null,\n                \"timerange\": 
{\n                  \"type\": \"relative\",\n                  \"range\": 0\n                },\n                \"query\": {\n                  \"type\": \"elasticsearch\",\n                  \"query_string\": \"EventID: 4625\"\n                },\n                \"streams\": [],\n                \"config\": {\n                  \"visualization\": \"numeric\",\n                  \"event_annotation\": false,\n                  \"row_pivots\": [],\n                  \"series\": [\n                    {\n                      \"config\": {\n                        \"name\": \"Message Count\"\n                      },\n                      \"function\": \"count()\"\n                    }\n                  ],\n                  \"rollup\": true,\n                  \"column_pivots\": [],\n                  \"visualization_config\": null,\n                  \"formatting_settings\": null,\n                  \"sort\": []\n                }\n              },\n              {\n                \"id\": \"496f078b-9707-47c2-8829-094b35d61004\",\n                \"type\": \"aggregation\",\n                \"filter\": null,\n                \"timerange\": {\n                  \"type\": \"relative\",\n                  \"range\": 0\n                },\n                \"query\": {\n                  \"type\": \"elasticsearch\",\n                  \"query_string\": \"EventID: 4624 AND LogonType: 10\"\n                },\n                \"streams\": [],\n                \"config\": {\n                  \"visualization\": \"numeric\",\n                  \"event_annotation\": false,\n                  \"row_pivots\": [],\n                  \"series\": [\n                    {\n                      \"config\": {\n                        \"name\": \"Message Count\"\n                      },\n                      \"function\": \"count()\"\n                    }\n                  ],\n                  \"rollup\": true,\n                  \"column_pivots\": [],\n                  
\"visualization_config\": null,\n                  \"formatting_settings\": null,\n                  \"sort\": []\n                }\n              },\n              {\n                \"id\": \"c1e773ab-706a-4935-9c9c-7e23c02e6820\",\n                \"type\": \"aggregation\",\n                \"filter\": null,\n                \"timerange\": {\n                  \"type\": \"relative\",\n                  \"range\": 0\n                },\n                \"query\": {\n                  \"type\": \"elasticsearch\",\n                  \"query_string\": \"EventID: 4625\"\n                },\n                \"streams\": [],\n                \"config\": {\n                  \"visualization\": \"table\",\n                  \"event_annotation\": false,\n                  \"row_pivots\": [\n                    {\n                      \"field\": \"IpAddress_geo_city\",\n                      \"type\": \"values\",\n                      \"config\": {\n                        \"limit\": 15\n                      }\n                    }\n                  ],\n                  \"series\": [\n                    {\n                      \"config\": {\n                        \"name\": null\n                      },\n                      \"function\": \"count()\"\n                    }\n                  ],\n                  \"rollup\": true,\n                  \"column_pivots\": [],\n                  \"visualization_config\": null,\n                  \"formatting_settings\": null,\n                  \"sort\": []\n                }\n              }\n            ],\n            \"widget_mapping\": {\n              \"4db2a07e-8b77-4716-b659-029e2750dbf8\": [\n                \"30b34c81-72ee-411e-a9e6-8bfc6d13fdce\"\n              ],\n              \"496f078b-9707-47c2-8829-094b35d61004\": [\n                \"3963de17-64fb-4178-8aec-11b4951cbb2e\"\n              ],\n              \"c1e773ab-706a-4935-9c9c-7e23c02e6820\": [\n                
\"56cd0b71-feac-4765-9750-7fc3f20486c2\"\n              ],\n              \"3c978baf-6e85-431a-b4c1-6d82c3ddddc4\": [\n                \"1f393b80-ef25-40d4-b04d-0d4a9d8156f1\"\n              ]\n            },\n            \"positions\": {\n              \"4db2a07e-8b77-4716-b659-029e2750dbf8\": {\n                \"col\": 9,\n                \"row\": 1,\n                \"height\": 2,\n                \"width\": 2\n              },\n              \"c1e773ab-706a-4935-9c9c-7e23c02e6820\": {\n                \"col\": 7,\n                \"row\": 1,\n                \"height\": 4,\n                \"width\": 2\n              },\n              \"3c978baf-6e85-431a-b4c1-6d82c3ddddc4\": {\n                \"col\": 1,\n                \"row\": 1,\n                \"height\": 4,\n                \"width\": 6\n              },\n              \"496f078b-9707-47c2-8829-094b35d61004\": {\n                \"col\": 9,\n                \"row\": 3,\n                \"height\": 2,\n                \"width\": 2\n              }\n            },\n            \"formatting\": {\n              \"highlighting\": []\n            },\n            \"display_mode_settings\": {\n              \"positions\": {}\n            }\n          }\n        },\n        \"properties\": [],\n        \"owner\": \"admin\",\n        \"title\": {\n          \"@type\": \"string\",\n          \"@value\": \"RDP Attacks\"\n        },\n        \"type\": \"DASHBOARD\",\n        \"description\": {\n          \"@type\": \"string\",\n          \"@value\": \"Basic Monitoring Dashboard\"\n        }\n      },\n      \"constraints\": [\n        {\n          \"type\": \"server-version\",\n          \"version\": \">=3.3.6+92fb41e\"\n        }\n      ]\n    }\n  ]\n}"
  },
  {
    "path": "ansible/gen_users.py",
    "content": "#!/usr/bin/env python3\n#\n# generate fake users for ad:\n#  * importable by ansible win_domain_user module users.yml var file (slow)\n#  * ps1 script format (fast)\n#\n\nfrom faker import Factory\nimport random\n\nNUM_OF_USERS = 1000\nOUT_YML = \"users.yml\"\nOUT_PS1 = \"users.ps1\"\nOU = \"Staff\"\n\nfake = Factory.create('en-GB')\n\ngroup_chance = {\"Domain Admins\": 0.05, \"RDP All\": 0.8}\n\nwordlist = list(map(lambda x: x.rstrip(), open(\"wordlist.txt\", \"r\").readlines()))\n\ndef grouplist():\n  res = []\n  for g in group_chance:\n    if random.random() < group_chance[g]:\n      res.append(g)\n  return res\n\nyml = open(OUT_YML, \"w\")\nps1 = open(OUT_PS1, \"w\")\n\nps1.write('$d = (Get-ADDomain).DistinguishedName\\r\\n')\nps1.write('If (Get-ADOrganizationalUnit -Filter \"distinguishedName -eq \\'OU={},$d\\'\") {{ Remove-ADOrganizationalUnit -Identity \"OU={},$d\" -Confirm:$False }}\\r\\n'.format(OU, OU))\nps1.write('New-ADOrganizationalUnit -Name \"{}\" -Path $d -ProtectedFromAccidentalDeletion $false\\r\\n'.format(OU))\nyml.write(\"users:\\n\")\ngroupdb = {}\nsamdb = []\nfor i in range(NUM_OF_USERS):\n  fn = fake.first_name()\n  ln = fake.last_name()\n  pw = random.choice(wordlist)\n  samname_base = \"{}.{}\".format(fn.lower(), ln.lower())\n  samname = samname_base\n  idx = 0\n  while samname in samdb:\n    idx += 1\n    samname = \"{}.{}\".format(samname_base, idx)\n  samdb.append(samname)\n  if idx > 0:\n    cn = \"{} {} {}\".format(fn, ln, idx)\n  else:\n    cn = \"{} {}\".format(fn, ln)\n  yml.write(\"  - name: {}\\n\".format(samname))\n  yml.write(\"    firstname: {}\\n\".format(fn))\n  yml.write(\"    surname: {}\\n\".format(ln))\n  yml.write(\"    password: {}\\n\".format(pw))\n  yml.write(\"    state: present\\n\")\n  yml.write(\"    groups:\\n\")\n  ps1.write('New-ADUser -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText \"{}\" -Force) -Name \"{}\" -GivenName \"{}\" -Surname \"{}\" -SamAccountName \"{}\" -Path 
\"OU={},$d\"\\r\\n'.format(pw, cn, fn, ln, samname, OU))\n  for g in grouplist():\n    yml.write(\"      - {}\\n\".format(g))\n    if g not in groupdb:\n      groupdb[g] = []\n    groupdb[g].append(samname)\nfor g in groupdb:\n  ps1.write('If (-Not (Get-ADGroup -Filter \"Name -eq \\'{}\\'\")) {{ New-ADGroup -Name \"{}\" -GroupScope Global }}\\r\\n'.format(g, g))\n  ps1.write('Add-ADGroupMember -Identity \"{}\" -Members \"{}\"\\r\\n'.format(g, '\",\"'.join(groupdb[g])))\n\nyml.close()\nps1.close()\n"
  },
  {
    "path": "ansible/graylog_config.sh",
    "content": "#!/bin/bash\n#\n# create Graylog lookup table (using previously created adapter + caches) by API calls\n#\n\nUSER=\"$1\"\nPASS=\"$2\"\n\nADAPTER=`/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' http://${USER}:${PASS}@127.0.0.1:9000/api/system/lookup/adapters | /usr/bin/jq '.data_adapters[] | select(.name==\"geoip\")' | /usr/bin/jq -r '.id'`\nCACHE=`/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' http://${USER}:${PASS}@127.0.0.1:9000/api/system/lookup/caches | /usr/bin/jq '.caches[] | select(.name==\"geoip\")' | /usr/bin/jq -r '.id'`\n\n/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/lookup/tables\" -X POST --data \"{\\\"title\\\":\\\"GeoIP\\\",\\\"description\\\":\\\"GeoIP Lookup Table\\\",\\\"name\\\":\\\"geoip\\\",\\\"cache_id\\\":\\\"${CACHE}\\\",\\\"data_adapter_id\\\":\\\"${ADAPTER}\\\",\\\"content_pack\\\":null,\\\"default_single_value\\\":\\\"\\\",\\\"default_single_value_type\\\":\\\"NULL\\\",\\\"default_multi_value\\\":\\\"\\\",\\\"default_multi_value_type\\\":\\\"NULL\\\"}}\"\n\n/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/pipelines/rule\" -X POST --data '{\"title\":\"GeoIP lookup: IpAddress\",\"description\":\"\",\"source\":\"rule \\\"GeoIP lookup: IpAddress\\\"\\nwhen\\n  has_field(\\\"IpAddress\\\")\\nthen\\nlet geo = lookup(\\\"geoip\\\", to_string($message.IpAddress));\\nset_field(\\\"IpAddress_geo_location\\\", geo[\\\"coordinates\\\"]);\\nset_field(\\\"IpAddress_geo_country\\\", geo[\\\"country\\\"].iso_code);\\nset_field(\\\"IpAddress_geo_city\\\", geo[\\\"city\\\"].names.en);\\nend\\n\"}'\n\n/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/pipelines/pipeline\" -X POST --data '{\"title\":\"GeoIP 
lookup\",\"description\":\"\",\"source\":\"pipeline \\\"GeoIP lookup\\\"\\nstage 0 match either\\nrule \\\"GeoIP lookup: IpAddress\\\"\\nend\",\"stages\":[{\"stage\":0,\"match_all\":false,\"rules\":[\"GeoIP lookup: IpAddress\"]}]}'\n\n/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/pipelines/pipeline\"\n\nPIPELINE=`/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/pipelines/pipeline\" | /usr/bin/jq '.[] | select(.title==\"GeoIP lookup\")' | /usr/bin/jq -r '.id'`\nSTREAM=\"000000000000000000000001\"\n\n/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/pipelines/connections/to_stream\" -X POST --data \"{\\\"stream_id\\\":\\\"${STREAM}\\\",\\\"pipeline_ids\\\":[\\\"${PIPELINE}\\\"]}\"\n\n/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/content_packs\" -X POST -d @/home/ubuntu/dashboard.json\n\n/usr/bin/curl -s -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \"http://${USER}:${PASS}@127.0.0.1:9000/api/system/content_packs/2397d589-a1fd-4ad8-b271-e72f44b4611f/1/installations\" -X POST -d '{\"parameters\": {}, \"comment\": \"\"}'\n"
  },
  {
    "path": "ansible/hosts",
    "content": "[domain]\ndc1 ansible_host=192.168.3.100 ansible_user=Administrator ansible_password='{{ domain_admin_password }}'\ndesktop12 ansible_host=192.168.3.112 ansible_user=Administrator ansible_password='{{ default_password }}'\n\n[domain:vars]\nansible_connection=winrm\nansible_winrm_transport=ntlm\nansible_port=5985\ndns_name=ecorp.local\ndefault_password=\ndomain_admin_password=\ndsrm_password=\n\n[monitor]\ngraylog ansible_host=192.168.3.191 ansible_connection=ssh ansible_user=ubuntu ansible_ssh_private_key_file=../packer/.ssh/id_ed25519\n\n[monitor:vars]\nubuntu_password=\ngraylog_admin=admin\ngraylog_pwd=\n"
  },
  {
    "path": "ansible/id.pub",
    "content": ""
  },
  {
    "path": "ansible/nxlog.conf",
    "content": "define ROOT C:\\Program Files (x86)\\nxlog\r\nModuledir %ROOT%\\modules\r\n\r\n<Extension _gelf>\r\n    Module      xm_gelf\r\n</Extension>\r\n\r\n<Input eventlog>\r\n    Module      im_msvistalog\r\n    <QueryXML>\r\n        <QueryList>\r\n            <Query Id='0'>\r\n                <Select Path='Application'>*</Select>\r\n                <Select Path='Security'>*[System/Level&lt;4]</Select>\r\n                <Select Path='System'>*</Select>\r\n                <Select Path=\"Microsoft-Windows-Sysmon/Operational\">*</Select>\r\n                <Select Path=\"Microsoft-Windows-PowerShell/Operational\">*</Select>\r\n            </Query>\r\n        </QueryList>\r\n    </QueryXML>\r\n</Input>\r\n\r\n<Output graylog>\r\n    Module      om_udp\r\n    Host        192.168.3.191\r\n    Port        12201\r\n    OutputType  GELF\r\n</Output>\r\n\r\n<Route eventlog_to_graylog>\r\n    Path eventlog => graylog\r\n</Route>\r\n"
  },
  {
    "path": "ansible/rdp_public.sh",
    "content": "#!/bin/bash\n#\n\nhelp () {\n  echo \"$0 [on/off]\"\n}\n\nif [ $# -ne 1 ]; then\n  help\n  exit 0\nfi\n\nif [ \"$1\" == \"on\" ]; then\n  iptables -I FORWARD -p tcp -d 192.168.3.112 --dport 3389 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n  iptables -t nat -A PREROUTING -p tcp -i br0 --dport 14999 -j DNAT --to-destination 192.168.3.112:3389\n  echo \"Public RDP access enabled\"\n  exit 0\nelif [ \"$1\" == \"off\" ]; then\n  iptables -D FORWARD -p tcp -d 192.168.3.112 --dport 3389 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n  iptables -t nat -D PREROUTING -p tcp -i br0 --dport 14999 -j DNAT --to-destination 192.168.3.112:3389\n  echo \"Public RDP access disabled\"\n  exit 0\nfi\n\nhelp\nexit 0\n"
  },
  {
    "path": "ansible/requirements.txt",
    "content": "wheel\nansible\npywinrm\nfaker\n"
  },
  {
    "path": "ansible/setup-domain.yml",
    "content": "- name: Configure DC1\n  hosts: dc1\n  gather_facts: false\n#  vars_files:\n#    - users.yml\n  tasks:\n    - name: Using the default admin password\n      set_fact: ansible_password='{{ default_password }}'\n\n    - name: Waiting for WinRM...\n      wait_for_connection:\n\n    - name: Install AD Features\n      win_feature:\n        name: AD-Domain-Services\n        include_management_tools: yes\n        include_sub_features: yes\n        state: present\n      register: ad_features\n\n    - name: Set Hostname\n      win_hostname:\n        name: '{{ inventory_hostname }}'\n      register: dc_hostname\n\n    - name: Reboot Server\n      win_reboot:\n        msg: \"Installing AD. Rebooting...\"\n        pre_reboot_delay: 15\n      when: ad_features.reboot_required or dc_hostname.reboot_required\n\n    - name: Install Domain\n      win_domain:\n        dns_domain_name: '{{ dns_name }}'\n        safe_mode_password: '{{ dsrm_password }}'\n      register: ad\n\n    - name: Reboot Server\n      win_reboot:\n        msg: \"Installing AD. 
Rebooting...\"\n        pre_reboot_delay: 15\n      when: ad.reboot_required\n\n    - name: Waiting for Active Directory Web Services...\n      win_wait_for:\n        port: 9389\n\n    - name: Weaken Security Policy\n      win_shell: Set-ADDefaultDomainPasswordPolicy -Identity {{ dns_name }} -ComplexityEnabled 0 -LockoutThreshold 0\n      retries: 10\n      delay: 30\n      register: result\n      until: result.rc == 0\n\n    - name: Change Administrator password in domain\n      win_domain_user:\n        name: Administrator\n        state: present\n        password: '{{ domain_admin_password }}'\n\n    - name: Using the new domain Administrator password\n      set_fact: ansible_password='{{ domain_admin_password }}'\n\n    - name: Generate ADUser PS script\n      command: ./gen_users.py\n      delegate_to: 127.0.0.1\n\n    - name: Populate domain users\n      script: users.ps1\n\n#    - name: Populate domain users\n#      win_domain_user:\n#        name: '{{ item.name }}'\n#        state: present\n#        password: '{{ item.password }}'\n#        groups: '{{ item.groups }}'\n#      with_items: '{{ users }}'\n#      async: 600\n#      poll: 0\n#      register: create_users\n#\n#    - name: Check users\n#      async_status:\n#        jid: \"{{ create_users.ansible_job_id }}\"\n#      register: job_result\n#      until: job_result.finished\n#      retries: 30\n\n- name: Configure Graylog\n  hosts: graylog\n  gather_facts: false\n  tasks:\n    - name: Write new host keys to known hosts\n      shell: '/usr/bin/ssh-keygen -R {{ ansible_host }}; /usr/bin/ssh-keyscan -H {{ ansible_host }} | /bin/grep -v \"^#\" >> ~/.ssh/known_hosts'\n      delegate_to: 127.0.0.1\n\n    - name: Configure GELF UDP Collection\n      uri:\n        url: http://127.0.0.1:9000/api/system/inputs\n        method: POST\n        user: \"{{ graylog_admin }}\"\n        password: \"{{ graylog_pwd }}\"\n        body: 
'{\"title\":\"nxlog_udp\",\"type\":\"org.graylog2.inputs.gelf.udp.GELFUDPInput\",\"configuration\":{\"bind_address\":\"0.0.0.0\",\"port\":12201,\"recv_buffer_size\":262144,\"override_source\":null,\"decompress_size_limit\":8388608},\"global\":true}'\n        force_basic_auth: yes\n        status_code: 201\n        body_format: json\n        headers:\n          X-Requested-By: cli\n\n    - name: Add Graylog Adapter for GeoIP Lookup\n      uri:\n        url: http://127.0.0.1:9000/api/system/lookup/adapters\n        method: POST\n        user: \"{{ graylog_admin }}\"\n        password: \"{{ graylog_pwd }}\"\n        body: '{\"title\":\"GeoIP\",\"description\":\"GeoIP Adapter\",\"name\":\"geoip\",\"custom_error_ttl_enabled\":false,\"custom_error_ttl\":null,\"custom_error_ttl_unit\":null,\"content_pack\":null,\"config\":{\"type\":\"maxmind_geoip\",\"type\":\"maxmind_geoip\",\"path\":\"/etc/graylog/server/GeoLite2-City.mmdb\",\"database_type\":\"MAXMIND_CITY\",\"check_interval\":1,\"check_interval_unit\":\"HOURS\"}}'\n        force_basic_auth: yes\n        status_code: 200\n        body_format: json\n        headers:\n          X-Requested-By: cli\n\n    - name: Add Graylog Cache for GeoIP Lookup\n      uri:\n        url: http://127.0.0.1:9000/api/system/lookup/caches\n        method: POST\n        user: \"{{ graylog_admin }}\"\n        password: \"{{ graylog_pwd }}\"\n        body: '{\"config\":{\"type\":\"guava_cache\",\"type\":\"guava_cache\",\"max_size\":1000,\"expire_after_access\":1,\"expire_after_access_unit\":\"HOURS\",\"expire_after_write\":0,\"expire_after_write_unit\":null},\"title\":\"GeoIP\",\"description\":\"GeoIP Cache\",\"name\":\"geoip\",\"content_pack\":null}'\n        force_basic_auth: yes\n        status_code: 200\n        body_format: json\n        headers:\n          X-Requested-By: cli\n\n    - name: Copy dashboard.json\n      copy:\n        src: dashboard.json\n        dest: '/home/ubuntu/dashboard.json'\n\n    - name: More Configuration for 
Graylog...\n      script: graylog_config.sh '{{ graylog_admin }}' '{{ graylog_pwd }}'\n\n    - name: Disable SSH Password Auth\n      shell: \"echo {{ ubuntu_password }} | /usr/bin/sudo -S /bin/sh -c '/bin/sed -i \\\"/PasswordAuthentication/cPasswordAuthentication no\\\" -i /etc/ssh/sshd_config; /bin/systemctl reload sshd'\"\n\n    - name: Add extra SSH key\n      lineinfile:\n        path: /home/ubuntu/.ssh/authorized_keys\n        insertafter: EOF\n        line: \"{{ lookup('file', 'id.pub') }}\"\n      \n- name: Join Desktops\n  hosts: domain\n  gather_facts: true\n  tasks:\n    - name: Sync NTP Time\n      win_command: w32tm /resync\n\n    - name: Join Desktops\n      win_domain_membership:\n        dns_domain_name: '{{ dns_name }}'\n        hostname: '{{ inventory_hostname }}'\n        domain_admin_user: Administrator@{{dns_name}}\n        domain_admin_password: '{{ domain_admin_password }}'\n        state: domain\n      register: domain_state\n\n    - name: Reboot Server\n      win_reboot:\n        msg: 'Joined Domain. 
Rebooting...'\n      when: domain_state.reboot_required\n\n- name: Install Software on Domain\n  hosts: domain\n  gather_facts: false\n  tasks:\n    - name: Install Firefox\n      win_chocolatey:\n        name: firefox\n        state: present\n\n    - name: Install NXLog Collector\n      win_chocolatey:\n        name: nxlog\n        state: present\n\n    - name: Install Sysmon\n      win_chocolatey:\n        name: sysmon\n        ignore_checksums: true\n        state: present\n\n- name: Configure Logging\n  hosts: domain\n  gather_facts: false\n  tasks:\n    - name: Configure NXLog\n      win_copy:\n        src: nxlog.conf\n        dest: 'c:\\Program Files (x86)\\nxlog\\conf\\nxlog.conf'\n\n    - name: Fetch Sysmon config\n      win_get_url:\n        url: https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml\n        dest: 'c:\\windows\\sysmonconfig-export.xml'\n\n    - name: Launch Sysmon Service\n      win_command: 'c:\\ProgramData\\chocolatey\\bin\\Sysmon64.exe -accepteula -i c:\\windows\\sysmonconfig-export.xml'\n\n    - name: Restart NXLog\n      win_service:\n        name: nxlog\n        state: restarted\n"
  },
  {
    "path": "ansible/wordlist.txt",
    "content": "Summer2020\nSpring2020\nSpring2019\nWinter2019\nAutumn2019\nPassword123\n"
  },
  {
    "path": "init-passwords.sh",
    "content": "#!/bin/bash\n#\n# Prompt for the lab passwords and write them into the Packer and Ansible configuration.\n# read -r keeps backslashes in a typed password literal.\n\necho \"[*] Setting initial passwords.\"\n\necho -n \"[?] Enter default Windows local Administrator password: \"\nread -rs adminpass\necho\n\necho -n \"[?] Enter Windows Domain Admin password for user ECORP\\\\Administrator: \"\nread -rs domainadminpass\necho\n\necho -n \"[?] Enter DSRM password for Windows Domain: \"\nread -rs dsrmpass\necho\n\necho -n \"[?] Enter password for sudo user 'ubuntu' on Ubuntu (Graylog) system: \"\nread -rs ubuntupass\necho\n\necho -n \"[?] Enter Graylog password for root user 'admin': \"\nread -rs graylogpass\necho\n\necho -n \"[?] Enter password for sudo user 'kali' on Kali system: \"\nread -rs kalipass\necho\n\necho \"[*] Setting Windows local Administrator password, Ubuntu user password and Kali password in packer/private.json\"\nadminpass_esc=$(printf '%s\\n' \"${adminpass}\" | sed -e 's/[\\/&]/\\\\&/g')\nubuntupass_esc=$(printf '%s\\n' \"${ubuntupass}\" | sed -e 's/[\\/&]/\\\\&/g')\nkalipass_esc=$(printf '%s\\n' \"${kalipass}\" | sed -e 's/[\\/&]/\\\\&/g')\nsed -i packer/private.json -e \"s/\\\"administrator_password\\\": \\\".*\\\"/\\\"administrator_password\\\": \\\"${adminpass_esc}\\\"/\" \\\n                           -e \"s/\\\"ubuntu_password\\\": \\\".*\\\"/\\\"ubuntu_password\\\": \\\"${ubuntupass_esc}\\\"/\" \\\n                           -e \"s/\\\"kali_password\\\": \\\".*\\\"/\\\"kali_password\\\": \\\"${kalipass_esc}\\\"/\"\n\np1=`echo -n \"${adminpass}Password\" | iconv -tutf-16le | base64 -w0`\np2=`echo -n \"${adminpass}AdministratorPassword\" | iconv -tutf-16le | base64 -w0`\nfor w in win2016 win10 win2012r2; do\n  a=\"packer/answer_files/${w}/Autounattend.xml\"\n  echo \"[*] Setting Windows local Administrator password in ${a} for UserAccounts and AutoLogon\"\n  sed -i \"$a\" -e \"/<Password>/,/<\\/Password>/ s/<Value>.*<\\/Value>/<Value>${p1}<\\/Value>/\" \\\n              -e \"/<AdministratorPassword>/,/<\\/AdministratorPassword>/ 
s/<Value>.*<\\/Value>/<Value>${p2}<\\/Value>/\"\ndone\n\necho \"[*] Creating SSH key for Ubuntu (Graylog) and Kali access...\"\nrm -fr packer/.ssh\nmkdir packer/.ssh\nssh-keygen -t ed25519 -f packer/.ssh/id_ed25519 -N \"\" -C supervisor@infra\nSSH_PUBKEY=`cat packer/.ssh/id_ed25519.pub | tr -d '\\n'`\n\necho \"[*] Setting Ubuntu password and SSH key in packer/answer_files/graylog/preseed.cfg\"\n# Quote the password so spaces and glob characters reach mkpasswd unchanged.\nubuntupasscrypt=`mkpasswd -m sha-512 -S $(pwgen -ns 16 1) \"${ubuntupass}\"`\n# Match the existing key whatever its comment field is, so a preseed that still\n# carries another key comment (e.g. ubuntu@packer-host) is replaced as well.\nsed -i packer/answer_files/graylog/preseed.cfg -e \"s#d-i passwd/user-password-crypted password .*#d-i passwd/user-password-crypted password ${ubuntupasscrypt}#\" \\\n                                               -e \"s#echo ssh-ed25519 AAA[^ ]* [^ ]*#echo ${SSH_PUBKEY}#\"\n\necho \"[*] Setting Graylog password in packer/scripts/graylog.sh\"\ngraylogsha2=`echo -n \"${graylogpass}\" | sha256sum | cut -d' ' -f1`\nsed -i packer/scripts/graylog.sh -e \"s/GRAYLOG_SHA2=\\\".*\\\"/GRAYLOG_SHA2=\\\"${graylogsha2}\\\"/\"\n\necho \"[*] Setting Kali password and SSH key in packer/answer_files/kali/preseed.cfg\"\nkalipasscrypt=`mkpasswd -m sha-512 -S $(pwgen -ns 16 1) \"${kalipass}\"`\nsed -i packer/answer_files/kali/preseed.cfg -e \"s#d-i passwd/user-password-crypted password .*#d-i passwd/user-password-crypted password ${kalipasscrypt}#\" \\\n                                            -e \"s#echo ssh-ed25519 AAA[^ ]* [^ ]*#echo ${SSH_PUBKEY}#\"\n\necho \"[*] Updating passwords in ansible/hosts\"\ndomainadminpass_esc=$(printf '%s\\n' \"${domainadminpass}\" | sed -e 's/[\\/&]/\\\\&/g')\ndsrmpass_esc=$(printf '%s\\n' \"${dsrmpass}\" | sed -e 's/[\\/&]/\\\\&/g')\ngraylogpass_esc=$(printf '%s\\n' \"${graylogpass}\" | sed -e 's/[\\/&]/\\\\&/g')\nsed -i ansible/hosts -e \"s/^default_password=.*/default_password=\\\"${adminpass_esc}\\\"/\" \\\n                     -e \"s/^domain_admin_password=.*/domain_admin_password=\\\"${domainadminpass_esc}\\\"/\" \\\n                     -e 
\"s/^dsrm_password=.*/dsrm_password=\\\"${dsrmpass_esc}\\\"/\" \\\n                     -e \"s/^ubuntu_password=.*/ubuntu_password=\\\"${ubuntupass_esc}\\\"/\" \\\n                     -e \"s/^graylog_pwd=.*/graylog_pwd=\\\"${graylogpass_esc}\\\"/\"\n\necho \"[+] Done. Deploy with packer+terraform+ansible.\"\n"
  },
  {
    "path": "packer/.ssh/id_ed25519",
    "content": "-----BEGIN OPENSSH PRIVATE KEY-----\n-----END OPENSSH PRIVATE KEY-----\n"
  },
  {
    "path": "packer/.ssh/id_ed25519.pub",
    "content": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYGg++TsFYN2Wr26Y9vPcttoMRXx6Cg+WD76DPLCCXH ubuntu@packer-host\n"
  },
  {
    "path": "packer/answer_files/graylog/preseed.cfg",
    "content": "#d-i debconf/priority string critical\n#d-i auto-install/enable boolean true\n\n# localization\nd-i debian-installer/locale string en_US\n\n# keyboard\nd-i console-setup/ask_detect boolean false\nd-i keyboard-configuration/xkb-keymap select us\n\n# use dhcp network configuration\nd-i netcfg/choose_interface select auto\n\n# user setup\nd-i passwd/user-fullname string ubuntu\nd-i passwd/username string ubuntu\n\n# mkpasswd -m sha-512 -S $(pwgen -ns 16 1) mypassword\nd-i passwd/user-password-crypted password $6$r7ItP8TFvsgaLKsa$MvlIgvX/wpjITq/74dPLebOfoS9CoEA9NWuFPKfVonmZKiPQGYI6f6wflHPgOEBGGRAHRDd9vDM7Ox9TbPrOh1\n\n# clock & timezone\nd-i clock-setup/utc boolean true\nd-i time/zone string Europe/Budapest\n\n# auto-partition, all files in one partition\nd-i partman-auto/method string regular\nd-i partman-auto/choose_recipe select atomic\nd-i partman/choose_partition select finish\nd-i partman/confirm_nooverwrite boolean true\nd-i partman/confirm boolean true\n\n# packages\nd-i pkgsel/include string openssh-server\nd-i pkgsel/upgrade select full-upgrade\nd-i pkgsel/update-policy select none\n\n# reboot at the end\nd-i finish-install/reboot_in_progress note\n\nd-i preseed/late_command string \\\nin-target sh -c \"mkdir -m 700 /home/ubuntu/.ssh ; echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYGg++TsFYN2Wr26Y9vPcttoMRXx6Cg+WD76DPLCCXH ubuntu@packer-host > /home/ubuntu/.ssh/authorized_keys; chmod 600 /home/ubuntu/.ssh/authorized_keys; chown -R ubuntu:ubuntu /home/ubuntu/.ssh\"\n"
  },
  {
    "path": "packer/answer_files/graylog/preseed.cfg~",
    "content": "#d-i debconf/priority string critical\n#d-i auto-install/enable boolean true\n\n# localization\nd-i debian-installer/locale string en_US\n\n# keyboard\nd-i console-setup/ask_detect boolean false\nd-i keyboard-configuration/xkb-keymap select us\n\n# use dhcp network configuration\nd-i netcfg/choose_interface select auto\n\n# user setup\nd-i passwd/user-fullname string ubuntu\nd-i passwd/username string ubuntu\n\n# mkpasswd -m sha-512 -S $(pwgen -ns 16 1) mypassword\nd-i passwd/user-password-crypted password $6$WwICQQbv2lPNRZLh$4oivwzgiU/ydX4NcljluqtJfRKmJO.ktaj/fDCiv.bcqzxeQiEfDwcK8mKMteNHKzYtapG6znOhNTFpDIeuFI.\n\n# clock & timezone\nd-i clock-setup/utc boolean true\nd-i time/zone string Europe/Budapest\n\n# auto-partition, all files in one partition\nd-i partman-auto/method string regular\nd-i partman-auto/choose_recipe select atomic\nd-i partman/choose_partition select finish\nd-i partman/confirm_nooverwrite boolean true\nd-i partman/confirm boolean true\n\n# packages\nd-i pkgsel/include string openssh-server\nd-i pkgsel/upgrade select full-upgrade\nd-i pkgsel/update-policy select none\n\n# reboot at the end\nd-i finish-install/reboot_in_progress note\n\nd-i preseed/late_command string \\\nin-target sh -c \"mkdir -m 700 /home/ubuntu/.ssh ; echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMR2FQi9N1SCsnrwpAuyiGo4e/rpZ665q28wu3QPvXBh istvan@archive01-host > /home/ubuntu/.ssh/authorized_keys; chmod 600 /home/ubuntu/.ssh/authorized_keys; chown -R ubuntu:ubuntu /home/ubuntu/.ssh\"\n"
  },
  {
    "path": "packer/answer_files/win10/Autounattend.xml",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<unattend xmlns=\"urn:schemas-microsoft-com:unattend\">\r\n    <settings pass=\"windowsPE\">\r\n        <component name=\"Microsoft-Windows-International-Core-WinPE\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <SetupUILanguage>\r\n                <UILanguage>en-US</UILanguage>\r\n            </SetupUILanguage>\r\n            <InputLocale>0409:00000409</InputLocale>\r\n            <SystemLocale>en-GB</SystemLocale>\r\n            <UILanguage>en-GB</UILanguage>\r\n            <UserLocale>en-GB</UserLocale>\r\n        </component>\r\n        <component name=\"Microsoft-Windows-PnpCustomizationsWinPE\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <DriverPaths>\r\n                <PathAndCredentials wcm:action=\"add\" wcm:keyValue=\"1\">\r\n                    <Path>a:\\</Path>\r\n                </PathAndCredentials>\r\n            </DriverPaths>\r\n        </component>\r\n        <component name=\"Microsoft-Windows-Setup\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <DiskConfiguration>\r\n                <Disk wcm:action=\"add\">\r\n                    <CreatePartitions>\r\n                        <CreatePartition wcm:action=\"add\">\r\n                            <Order>1</Order>\r\n                            <Size>350</Size>\r\n                            <Type>Primary</Type>\r\n                       
 </CreatePartition>\r\n                        <CreatePartition wcm:action=\"add\">\r\n                            <Order>2</Order>\r\n                            <Extend>true</Extend>\r\n                            <Type>Primary</Type>\r\n                        </CreatePartition>\r\n                    </CreatePartitions>\r\n                    <ModifyPartitions>\r\n                        <ModifyPartition wcm:action=\"add\">\r\n                            <Active>true</Active>\r\n                            <Extend>false</Extend>\r\n                            <Format>NTFS</Format>\r\n                            <Label>Boot</Label>\r\n                            <Order>1</Order>\r\n                            <PartitionID>1</PartitionID>\r\n                        </ModifyPartition>\r\n                        <ModifyPartition wcm:action=\"add\">\r\n                            <Active>false</Active>\r\n                            <Extend>false</Extend>\r\n                            <Format>NTFS</Format>\r\n                            <Label>OS</Label>\r\n                            <Letter>C</Letter>\r\n                            <Order>2</Order>\r\n                            <PartitionID>2</PartitionID>\r\n                        </ModifyPartition>\r\n                    </ModifyPartitions>\r\n                    <DiskID>0</DiskID>\r\n                    <WillWipeDisk>true</WillWipeDisk>\r\n                </Disk>\r\n            </DiskConfiguration>\r\n            <ImageInstall>\r\n                <OSImage>\r\n                    <InstallFrom>\r\n                        <MetaData wcm:action=\"add\">\r\n                            <Key>/IMAGE/NAME</Key>\r\n                            <Value>Windows 10 Pro</Value>\r\n                        </MetaData>\r\n                    </InstallFrom>\r\n                    <InstallTo>\r\n                        <DiskID>0</DiskID>\r\n                        <PartitionID>2</PartitionID>\r\n                    
</InstallTo>\r\n                    <InstallToAvailablePartition>false</InstallToAvailablePartition>\r\n                    <WillShowUI>OnError</WillShowUI>\r\n                </OSImage>\r\n            </ImageInstall>\r\n            <UserData>\r\n                <ProductKey>\r\n                    <Key>VK7JG-NPHTM-C97JM-9MPGT-3V66T</Key>\r\n                    <WillShowUI>OnError</WillShowUI>\r\n                </ProductKey>\r\n                <AcceptEula>true</AcceptEula>\r\n            </UserData>\r\n        </component>\r\n    </settings>\r\n    <settings pass=\"oobeSystem\">\r\n        <component name=\"Microsoft-Windows-Shell-Setup\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <AutoLogon>\r\n                <Password>\r\n                    <Value>UABhAHMAcwB3AG8AcgBkAA==</Value>\r\n                    <PlainText>false</PlainText>\r\n                </Password>\r\n                <Enabled>true</Enabled>\r\n                <LogonCount>1</LogonCount>\r\n                <Username>administrator</Username>\r\n            </AutoLogon>\r\n            <FirstLogonCommands>\r\n                <SynchronousCommand wcm:action=\"add\">\r\n                    <CommandLine>reg add &quot;HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon&quot; /v AutoLogonCount /t REG_DWORD /d 0 /f</CommandLine>\r\n                    <Description>Disable AutoLogon (LogonCount issue fix)</Description>\r\n                    <Order>1</Order>\r\n                </SynchronousCommand>\r\n                <SynchronousCommand wcm:action=\"add\">\r\n                    <Order>2</Order>\r\n                    <Description>Bootstrap Script</Description>\r\n                    <CommandLine>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass 
a:\\bootstrap.ps1</CommandLine>\r\n                </SynchronousCommand>\r\n            </FirstLogonCommands>\r\n            <OOBE>\r\n                <HideEULAPage>true</HideEULAPage>\r\n                <HideLocalAccountScreen>true</HideLocalAccountScreen>\r\n                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>\r\n                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>\r\n                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>\r\n                <ProtectYourPC>3</ProtectYourPC>\r\n            </OOBE>\r\n            <UserAccounts>\r\n                <AdministratorPassword>\r\n                    <Value>QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA</Value>\r\n                    <PlainText>false</PlainText>\r\n                </AdministratorPassword>\r\n            </UserAccounts>\r\n            <TimeZone>Central Europe Standard Time</TimeZone>\r\n        </component>\r\n        <component name=\"Microsoft-Windows-International-Core\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <InputLocale>0409:00000409</InputLocale>\r\n            <UserLocale>en-GB</UserLocale>\r\n            <UILanguage>en-GB</UILanguage>\r\n            <SystemLocale>en-GB</SystemLocale>\r\n        </component>\r\n    </settings>\r\n    <cpi:offlineImage cpi:source=\"wim://vboxsvr/_shared/win10_rw/install.wim#Windows 10 Pro\" xmlns:cpi=\"urn:schemas-microsoft-com:cpi\" />\r\n</unattend>\r\n"
  },
  {
    "path": "packer/answer_files/win2012r2/Autounattend.xml",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<unattend xmlns=\"urn:schemas-microsoft-com:unattend\">\r\n    <settings pass=\"windowsPE\">\r\n        <component name=\"Microsoft-Windows-Setup\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <DiskConfiguration>\r\n                <Disk wcm:action=\"add\">\r\n                    <CreatePartitions>\r\n                        <CreatePartition wcm:action=\"add\">\r\n                            <Order>1</Order>\r\n                            <Size>350</Size>\r\n                            <Type>Primary</Type>\r\n                        </CreatePartition>\r\n                        <CreatePartition wcm:action=\"add\">\r\n                            <Extend>true</Extend>\r\n                            <Order>2</Order>\r\n                            <Type>Primary</Type>\r\n                        </CreatePartition>\r\n                    </CreatePartitions>\r\n                    <ModifyPartitions>\r\n                        <ModifyPartition wcm:action=\"add\">\r\n                            <Active>true</Active>\r\n                            <Extend>false</Extend>\r\n                            <Format>NTFS</Format>\r\n                            <Label>Boot</Label>\r\n                            <Order>1</Order>\r\n                            <PartitionID>1</PartitionID>\r\n                        </ModifyPartition>\r\n                        <ModifyPartition wcm:action=\"add\">\r\n                            <Active>false</Active>\r\n                            <Extend>false</Extend>\r\n                            <Format>NTFS</Format>\r\n                            <Label>OS</Label>\r\n                            <Letter>C</Letter>\r\n                            <Order>2</Order>\r\n                        
    <PartitionID>2</PartitionID>\r\n                        </ModifyPartition>\r\n                    </ModifyPartitions>\r\n                    <DiskID>0</DiskID>\r\n                    <WillWipeDisk>true</WillWipeDisk>\r\n                </Disk>\r\n            </DiskConfiguration>\r\n            <ImageInstall>\r\n                <OSImage>\r\n                    <InstallFrom>\r\n                        <MetaData wcm:action=\"add\">\r\n                            <Key>/IMAGE/NAME</Key>\r\n                            <Value>Windows Server 2012 R2 SERVERSTANDARD</Value>\r\n                        </MetaData>\r\n                    </InstallFrom>\r\n                    <InstallTo>\r\n                        <DiskID>0</DiskID>\r\n                        <PartitionID>2</PartitionID>\r\n                    </InstallTo>\r\n                    <InstallToAvailablePartition>false</InstallToAvailablePartition>\r\n                    <WillShowUI>OnError</WillShowUI>\r\n                </OSImage>\r\n            </ImageInstall>\r\n            <UserData>\r\n                <ProductKey>\r\n                    <WillShowUI>OnError</WillShowUI>\r\n                </ProductKey>\r\n                <AcceptEula>true</AcceptEula>\r\n            </UserData>\r\n        </component>\r\n        <component name=\"Microsoft-Windows-International-Core-WinPE\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <SetupUILanguage>\r\n                <UILanguage>en-US</UILanguage>\r\n            </SetupUILanguage>\r\n            <InputLocale>en-US</InputLocale>\r\n            <SystemLocale>en-US</SystemLocale>\r\n            <UILanguage>en-US</UILanguage>\r\n            <UserLocale>en-US</UserLocale>\r\n        </component>\r\n        <component name=\"Microsoft-Windows-PnpCustomizationsWinPE\" 
processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <DriverPaths>\r\n                <PathAndCredentials wcm:action=\"add\" wcm:keyValue=\"1\">\r\n                    <Path>a:\\</Path>\r\n                </PathAndCredentials>\r\n            </DriverPaths>\r\n        </component>\r\n    </settings>\r\n    <settings pass=\"oobeSystem\">\r\n        <component name=\"Microsoft-Windows-Shell-Setup\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <UserAccounts>\r\n                <AdministratorPassword>\r\n                    <Value>QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA</Value>\r\n                    <PlainText>false</PlainText>\r\n                </AdministratorPassword>\r\n            </UserAccounts>\r\n            <AutoLogon>\r\n                <Password>\r\n                    <Value>UABhAHMAcwB3AG8AcgBkAA==</Value>\r\n                    <PlainText>false</PlainText>\r\n                </Password>\r\n                <Enabled>true</Enabled>\r\n                <Username>administrator</Username>\r\n                <LogonCount>1</LogonCount>\r\n            </AutoLogon>\r\n            <FirstLogonCommands>\r\n                <SynchronousCommand wcm:action=\"add\">\r\n                    <Order>2</Order>\r\n                    <Description>Bootstrap Script</Description>\r\n                    <CommandLine>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass a:\\bootstrap.ps1</CommandLine>\r\n                </SynchronousCommand>\r\n                <SynchronousCommand wcm:action=\"add\">\r\n                    <CommandLine>reg add 
&quot;HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon&quot; /v AutoLogonCount /t REG_DWORD /d 0 /f</CommandLine>\r\n                    <Description>Disable AutoLogon (LogonCount issue fix)</Description>\r\n                    <Order>1</Order>\r\n                </SynchronousCommand>\r\n            </FirstLogonCommands>\r\n            <TimeZone>Central Europe Standard Time</TimeZone>\r\n        </component>\r\n    </settings>\r\n    <cpi:offlineImage cpi:source=\"wim://vboxsvr/shared/win2012r2_rw/install.wim#Windows Server 2012 R2 SERVERSTANDARD\" xmlns:cpi=\"urn:schemas-microsoft-com:cpi\" />\r\n</unattend>\r\n"
  },
  {
    "path": "packer/answer_files/win2016/Autounattend.xml",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<unattend xmlns=\"urn:schemas-microsoft-com:unattend\">\r\n    <settings pass=\"windowsPE\">\r\n        <component name=\"Microsoft-Windows-International-Core-WinPE\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <SetupUILanguage>\r\n                <UILanguage>en-US</UILanguage>\r\n            </SetupUILanguage>\r\n            <InputLocale>en-US</InputLocale>\r\n            <SystemLocale>en-US</SystemLocale>\r\n            <UILanguage>en-US</UILanguage>\r\n            <UserLocale>en-US</UserLocale>\r\n        </component>\r\n        <component name=\"Microsoft-Windows-PnpCustomizationsWinPE\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <DriverPaths>\r\n                <PathAndCredentials wcm:action=\"add\" wcm:keyValue=\"1\">\r\n                    <Path>a:\\</Path>\r\n                </PathAndCredentials>\r\n            </DriverPaths>\r\n        </component>\r\n        <component name=\"Microsoft-Windows-Setup\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <DiskConfiguration>\r\n                <Disk wcm:action=\"add\">\r\n                    <CreatePartitions>\r\n                        <CreatePartition wcm:action=\"add\">\r\n                            <Order>1</Order>\r\n                            <Size>350</Size>\r\n                            <Type>Primary</Type>\r\n                        
</CreatePartition>\r\n                        <CreatePartition wcm:action=\"add\">\r\n                            <Order>2</Order>\r\n                            <Extend>true</Extend>\r\n                            <Type>Primary</Type>\r\n                        </CreatePartition>\r\n                    </CreatePartitions>\r\n                    <ModifyPartitions>\r\n                        <ModifyPartition wcm:action=\"add\">\r\n                            <Active>true</Active>\r\n                            <Label>Boot</Label>\r\n                            <Order>1</Order>\r\n                            <PartitionID>1</PartitionID>\r\n                            <Format>NTFS</Format>\r\n                            <Extend>false</Extend>\r\n                        </ModifyPartition>\r\n                        <ModifyPartition wcm:action=\"add\">\r\n                            <Active>false</Active>\r\n                            <Extend>false</Extend>\r\n                            <Format>NTFS</Format>\r\n                            <Label>OS</Label>\r\n                            <Letter>C</Letter>\r\n                            <Order>2</Order>\r\n                            <PartitionID>2</PartitionID>\r\n                        </ModifyPartition>\r\n                    </ModifyPartitions>\r\n                    <DiskID>0</DiskID>\r\n                    <WillWipeDisk>true</WillWipeDisk>\r\n                </Disk>\r\n            </DiskConfiguration>\r\n            <ImageInstall>\r\n                <OSImage>\r\n                    <InstallFrom>\r\n                        <MetaData wcm:action=\"add\">\r\n                            <Key>/IMAGE/NAME</Key>\r\n                            <Value>Windows Server 2016 SERVERSTANDARD</Value>\r\n                        </MetaData>\r\n                    </InstallFrom>\r\n                    <InstallTo>\r\n                        <DiskID>0</DiskID>\r\n                        <PartitionID>2</PartitionID>\r\n                
    </InstallTo>\r\n                    <InstallToAvailablePartition>false</InstallToAvailablePartition>\r\n                    <WillShowUI>OnError</WillShowUI>\r\n                </OSImage>\r\n            </ImageInstall>\r\n            <UserData>\r\n                <ProductKey>\r\n                    <WillShowUI>OnError</WillShowUI>\r\n                </ProductKey>\r\n                <AcceptEula>true</AcceptEula>\r\n            </UserData>\r\n        </component>\r\n    </settings>\r\n    <settings pass=\"oobeSystem\">\r\n        <component name=\"Microsoft-Windows-Shell-Setup\" processorArchitecture=\"amd64\" publicKeyToken=\"31bf3856ad364e35\" language=\"neutral\" versionScope=\"nonSxS\" xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n            <AutoLogon>\r\n                <Password>\r\n                    <Value>UABhAHMAcwB3AG8AcgBkAA==</Value>\r\n                    <PlainText>false</PlainText>\r\n                </Password>\r\n                <Enabled>true</Enabled>\r\n                <LogonCount>1</LogonCount>\r\n                <Username>administrator</Username>\r\n            </AutoLogon>\r\n            <FirstLogonCommands>\r\n                <SynchronousCommand wcm:action=\"add\">\r\n                    <Order>1</Order>\r\n                    <Description>Disable AutoLogon (LogonCount issue fix)</Description>\r\n                    <CommandLine>reg add &quot;HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon&quot; /v AutoLogonCount /t REG_DWORD /d 0 /f</CommandLine>\r\n                </SynchronousCommand>\r\n                <SynchronousCommand wcm:action=\"add\">\r\n                    <Order>2</Order>\r\n                    <Description>Bootstrap Script</Description>\r\n                    <CommandLine>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass a:\\bootstrap.ps1</CommandLine>\r\n                </SynchronousCommand>\r\n            
</FirstLogonCommands>\r\n            <UserAccounts>\r\n                <AdministratorPassword>\r\n                    <Value>QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA</Value>\r\n                    <PlainText>false</PlainText>\r\n                </AdministratorPassword>\r\n            </UserAccounts>\r\n            <TimeZone>Central Europe Standard Time</TimeZone>\r\n        </component>\r\n    </settings>\r\n    <cpi:offlineImage cpi:source=\"wim://vboxsvr/shared/win2016_rw/install.wim#Windows Server 2016 SERVERSTANDARD\" xmlns:cpi=\"urn:schemas-microsoft-com:cpi\" />\r\n</unattend>\r\n"
  },
  {
    "path": "packer/get-virtio.sh",
    "content": "#!/bin/bash\n#\n\necho \"[*] Cleaning up & init virtio folder...\"\nrm -fr virtio\nmkdir virtio\nif ! cd virtio; then\n    echo \"[!] Problem creating virtio folder\"\n    exit 1  # non-zero so callers can detect the failure\nfi\n\necho \"[*] Downloading stable virtio-win.iso...\"\nif ! wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso; then\n    echo \"[!] Problem downloading virtio-win.iso\"\n    exit 1\nfi\n\necho \"[*] Extracting iso...\"\nmkdir virtio-win\n7z x -ovirtio-win virtio-win.iso\n\necho \"[*] Arranging drivers...\"\n# nullglob: patterns without a match expand to nothing instead of to themselves\nshopt -s nullglob\nfor winver in w10 w8.1 2k16; do\n  mkdir -p \"${winver}/core\"\n  mkdir -p \"${winver}/extra\"\n  # core: network and storage drivers needed during Windows setup\n  for driver in NetKVM viostor; do\n    for f in virtio-win/${driver}/${winver}/amd64/*.{inf,cat,sys,dll}; do\n      mv \"$f\" \"${winver}/core\"\n    done\n  done\n  # extra: drivers installed later by setupcomplete.ps1\n  for driver in Balloon viorng vioserial qxldod; do\n    for f in virtio-win/${driver}/${winver}/amd64/*.{inf,cat,sys,dll}; do\n      mv \"$f\" \"${winver}/extra\"\n    done\n  done\ndone\nshopt -u nullglob\n\necho \"[*] Cleaning up...\"\nrm -fr virtio-win\n\n"
  },
  {
    "path": "packer/graylog.json",
    "content": "{\n  \"builders\": [\n    {\n      \"type\": \"qemu\",\n      \"name\": \"qemu-graylog\",\n      \"iso_url\": \"http://cdimage.ubuntu.com/releases/18.04/release/ubuntu-18.04.6-server-amd64.iso\",\n      \"iso_checksum\": \"sha256:f5cbb8104348f0097a8e513b10173a07dbc6684595e331cb06f93f385d0aecf6\",\n      \"output_directory\": \"output_graylog\",\n      \"disk_size\": \"20480M\",\n      \"format\": \"qcow2\",\n      \"accelerator\": \"kvm\",\n      \"cpus\": \"2\",\n      \"memory\": \"4096\",\n      \"vm_name\": \"graylog\",\n      \"net_device\": \"virtio-net\",\n      \"disk_interface\": \"virtio\",\n      \"http_directory\": \"answer_files/graylog\",\n      \"communicator\": \"ssh\",\n      \"ssh_username\": \"ubuntu\",\n      \"ssh_private_key_file\": \".ssh/id_ed25519\",\n      \"ssh_timeout\": \"20m\",\n      \"headless\": true,\n      \"boot_wait\": \"10s\",\n      \"boot_command\": [\n        \"<esc><wait>\", \"<esc><wait>\", \"<enter><wait>\",\n        \"/install/vmlinuz<wait>\", \" initrd=/install/initrd.gz\",\n        \" auto-install/enable=true\",\n        \" debconf/priority=critical\",\n        \" preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg<wait>\",\n        \" -- <wait>\",\n        \"<enter><wait>\"\n      ],\n      \"shutdown_command\": \"echo '{{user `ubuntu_password`}}' | sudo -S shutdown -P now\"\n    }\n  ],\n  \"provisioners\": [\n    {\n      \"type\": \"file\",\n      \"source\": \"resources/GeoLite2-City.mmdb\",\n      \"destination\": \"GeoLite2-City.mmdb\"\n    },\n    {\n      \"type\": \"shell\",\n      \"script\": \"scripts/graylog.sh\",\n      \"execute_command\": \"echo '{{user `ubuntu_password`}}' | sudo -S bash {{.Path}}\"\n    }\n  ]\n}\n"
  },
  {
    "path": "packer/packer-build-all.sh",
    "content": "#!/bin/bash\n#\n\necho \"[*] Running packers...\"\npids=()\nfor template in win2016 win10 graylog kali; do\n  packer build -timestamp-ui -var-file private.json \"${template}.json\" &\n  pids+=($!)\ndone\n\n# wait for every background build and remember whether any of them failed\nstatus=0\nfor pid in \"${pids[@]}\"; do\n  wait \"$pid\" || status=1\ndone\n\nif [ \"$status\" -ne 0 ]; then\n  echo \"[!] At least one build failed.\"\n  exit 1\nfi\n\necho \"[+] All of the builds have been completed.\"\n"
  },
  {
    "path": "packer/private.json",
    "content": "{\n  \"administrator_password\": \"\",\n  \"ubuntu_password\": \"\",\n  \"kali_password\": \"\"\n}\n"
  },
  {
    "path": "packer/scripts/bootstrap.ps1",
    "content": "# bootstrap script for win2012r2 and win2016 packer image\n\nNew-Item -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Network\\NewNetworkWindowOff\" -Force\nWrite-Output \"[*] New Network Window Popup -> OFF\"\n\n$ifaceinfo = Get-NetConnectionProfile\nSet-NetConnectionProfile -InterfaceIndex $ifaceinfo.InterfaceIndex -NetworkCategory Private \nWrite-Output \"[*] NetConnectionProfile -> Private\"\n\nSet-WSManQuickConfig -Force\nSet-Item WSMan:\\localhost\\Service\\AllowUnencrypted $true\nWrite-Output \"[!] INSECURE!!! WARNING!!! AllowUnencrypted WSMan over HTTP\"\n"
  },
  {
    "path": "packer/scripts/graylog.sh",
    "content": "#!/bin/bash\n#\n\necho \"=== Setup Graylog ===\"\n\nGRAYLOG_TIMEZONE=\"Europe/Budapest\"\n# NOTE: the value below is the SHA-256 of the empty string, so it does not match\n# the password named in the trailing comment. Regenerate it with:\n#   echo -n '<password>' | sha256sum\nGRAYLOG_SHA2=\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\" # Gr@yl0g_Rul3z\n# exported so that the apt-get child processes actually see it\nexport DEBIAN_FRONTEND=noninteractive\n\necho \"[*] Upgrade base\"\napt-get install -y software-properties-common\nadd-apt-repository universe\napt-get update && apt-get upgrade -y\napt-get install -y apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen gnupg libterm-readline-gnu-perl curl jq\n\necho \"[*] Installing MongoDB\"\napt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4\necho \"deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse\" | tee /etc/apt/sources.list.d/mongodb-org-4.0.list\napt-get update\napt-get install -y mongodb-org\n\necho \"[*] Enabling mongodb\"\nsystemctl daemon-reload\nsystemctl enable mongod.service\nsystemctl restart mongod.service\nsystemctl --type=service --state=active | grep mongod\n\necho \"[*] Installing Elasticsearch\"\nwget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey\napt-key add myKey\nrm myKey\necho \"deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main\" | tee -a /etc/apt/sources.list.d/elastic-6.x.list\napt-get update && apt-get install -y elasticsearch-oss\n\necho \"[*] Configuring Elasticsearch\"\nsed -i /etc/elasticsearch/elasticsearch.yml \\\n  -e '/cluster\\.name:/c\\cluster.name: graylog' \\\n  -e '$ a action.auto_create_index: false'\n\necho \"[*] Enabling Elasticsearch\"\nsystemctl daemon-reload\nsystemctl enable elasticsearch.service\nsystemctl restart elasticsearch.service\nsystemctl --type=service --state=active | grep elasticsearch\n\necho \"[*] Installing Graylog\"\nwget https://packages.graylog2.org/repo/packages/graylog-3.3-repository_latest.deb\ndpkg -i graylog-3.3-repository_latest.deb\nrm graylog-3.3-repository_latest.deb\napt-get update && apt-get install -y graylog-server 
graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins\n\necho \"[*] Installing Slack plugin\"\nwget https://github.com/graylog-labs/graylog-plugin-slack/releases/download/3.1.0/graylog-plugin-slack-3.1.0.deb\ndpkg -i graylog-plugin-slack-3.1.0.deb\nrm graylog-plugin-slack-3.1.0.deb\n\necho \"[*] Configuring Graylog\"\nSECRET=`pwgen -N 1 -s 96`\nsed -i /etc/graylog/server/server.conf \\\n  -e \"/^password_secret/c\\\\password_secret = ${SECRET}\" \\\n  -e \"/^root_password_sha2/c\\\\root_password_sha2 = ${GRAYLOG_SHA2}\" \\\n  -e \"/root_timezone/c\\\\root_timezone = ${GRAYLOG_TIMEZONE}\"\n\necho \"[*] Enabling Graylog\"\nsystemctl daemon-reload\nsystemctl enable graylog-server.service\nsystemctl start graylog-server.service\nsystemctl --type=service --state=active | grep graylog\n\necho \"[*] Copying GeoLite2-City.mmdb to /etc/graylog/server/\"\ncp ~ubuntu/GeoLite2-City.mmdb /etc/graylog/server/\n\necho \"=== Setup Graylog Done ===\"\n"
  },
  {
    "path": "packer/scripts/setupcomplete.ps1",
    "content": "Write-Output \"[*] Installing extra VirtIO drivers...\"\n\n<# this was fixed in new VirtIO release, no need to install custom cert\n$driverFile = \"c:\\windows\\temp\\extra\\balloon.sys\"\n$certFile = \"c:\\windows\\temp\\extra\\redhat.cer\"\n$exportType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert\n$cert = (Get-AuthenticodeSignature $driverFile).SignerCertificate;\n[System.IO.File]::WriteAllBytes($certFile, $cert.Export($exportType));\nImport-Certificate -FilePath $certFile -CertStoreLocation Cert:\\LocalMachine\\TrustedPublisher\n#>\n\npnputil -i -a c:\\windows\\temp\\extra\\balloon.inf\npnputil -i -a c:\\windows\\temp\\extra\\qxldod.inf\npnputil -i -a c:\\windows\\temp\\extra\\viorng.inf\npnputil -i -a c:\\windows\\temp\\extra\\vioser.inf\n\nWrite-Output \"[*] Disabling Auto-Hibernate...\"\npowercfg -hibernate OFF\n\nWrite-Output \"[*] Enabling Windows Time Service\"\nSet-Service -Name w32time -StartupType Automatic\nsc.exe triggerinfo w32time delete\n\nWrite-Output \"[*] Checking for Windows 10...\"\nIf ([Environment]::OSVersion.Version -ge (new-object 'Version' 10,0)) {\n  Write-Output \"[+] Validated Windows 10\"\n  Write-Output \"[*] Disabling Windows AutoUpdate\"\n  New-Item HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows -Name WindowsUpdate\n  New-Item HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate -Name AU\n  New-ItemProperty HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU -Name NoAutoUpdate -Value 1\n  Write-Output \"[*] Disabling Windows Defender\"\n  Set-MpPreference -DisableIntrusionPreventionSystem $true `\n                   -DisableIOAVProtection $true `\n                   -DisableRealtimeMonitoring $true `\n                   -DisableScriptScanning $true `\n                   -EnableControlledFolderAccess Disabled `\n                   -EnableNetworkProtection AuditMode `\n                   -Force -MAPSReporting Disabled `\n                   -SubmitSamplesConsent 
NeverSend\n} Else {\n  Write-Output \"[!] Older Windows detected\"\n}\n\nWrite-Output \"[*] Allowing incoming WinRM on Any Profile in Firewall...\"\nNew-NetFirewallRule -DisplayName \"Allow WinRM\" -Direction Inbound -LocalPort 5985 -Protocol TCP -Action Allow -Profile Any\n\nWrite-Output \"[*] Enabling RDP...\"\nSet-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server' -name \"fDenyTSConnections\" -value 0\nEnable-NetFirewallRule -DisplayGroup \"Remote Desktop\"\n\nWrite-Output \"[+] Setup complete. Cleaning up files...\"\nRemove-Item -Recurse -Force -Path c:/windows/temp/extra\n"
  },
  {
    "path": "packer/scripts/shutdown.ps1",
    "content": "Set-Item WSMan:\\localhost\\Service\\AllowUnencrypted $false\nWrite-Output \"[+] Disabled Unencrypted WSMan over HTTP\"\n\nshutdown /s /t 5 /f /d p:4:1 /c \"Packer Shutdown\"\n"
  },
  {
    "path": "packer/scripts/win2012r2-dotnet-fix.ps1",
    "content": "Write-Host \"[*] Fixing CPU spiking caused by .NET Runtime Optimization Service\"\nGet-ChildItem $env:SystemRoot/Microsoft.net/NGen.exe -recurse | %{ & $_ executeQueuedItems }\n"
  },
  {
    "path": "packer/win10.json",
    "content": "{\n  \"builders\": [\n    {\n      \"type\": \"qemu\",\n      \"name\": \"qemu-win10\",\n      \"iso_url\": \"ISO/Win10_21H2_EnglishInternational_x64.iso\",\n      \"iso_checksum\": \"sha256:06fd4a512c5f3e8d16f77ca909c4f20110329b8cdd5ad101e2afc0d58b06d416\",\n      \"output_directory\": \"output_win10\",\n      \"disk_size\": \"40960M\",\n      \"format\": \"qcow2\",\n      \"accelerator\": \"kvm\",\n      \"cpus\": \"2\",\n      \"memory\": \"4096\",\n      \"vm_name\": \"win10\",\n      \"net_device\": \"virtio-net\",\n      \"disk_interface\": \"virtio\",\n      \"floppy_files\": [ \"answer_files/win10/Autounattend.xml\", \"virtio/w10/core/*\", \"scripts/bootstrap.ps1\" ],\n      \"communicator\": \"winrm\",\n      \"winrm_username\": \"administrator\",\n      \"winrm_password\": \"{{user `administrator_password`}}\",\n      \"winrm_use_ntlm\": true,\n      \"shutdown_command\": \"powershell -ep bypass c:\\\\windows\\\\temp\\\\shutdown.ps1\",\n      \"headless\": true\n    }\n  ],\n  \"provisioners\": [\n    {\n      \"type\": \"file\",\n      \"source\": \"scripts/shutdown.ps1\",\n      \"destination\": \"c:/windows/temp/shutdown.ps1\"\n    },\n    {\n      \"type\": \"file\",\n      \"source\": \"virtio/w10/extra\",\n      \"destination\": \"c:/windows/temp/\"\n    },\n    {\n      \"type\": \"powershell\",\n      \"script\": \"scripts/setupcomplete.ps1\"\n    }\n  ]\n}\n"
  },
  {
    "path": "packer/win2012r2.json",
    "content": "{\n  \"builders\": [\n    {\n      \"type\": \"qemu\",\n      \"name\": \"qemu-win2012r2\",\n      \"iso_url\": \"http://download.microsoft.com/download/6/2/A/62A76ABB-9990-4EFC-A4FE-C7D698DAEB96/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_SERVER_EVAL_EN-US-IR3_SSS_X64FREE_EN-US_DV9.ISO\",\n      \"iso_checksum\": \"sha256:6612b5b1f53e845aacdf96e974bb119a3d9b4dcb5b82e65804ab7e534dc7b4d5\",\n      \"output_directory\": \"output_win2012r2\",\n      \"disk_size\": \"40960M\",\n      \"format\": \"qcow2\",\n      \"accelerator\": \"kvm\",\n      \"cpus\": \"2\",\n      \"memory\": \"4096\",\n      \"vm_name\": \"win2012r2\",\n      \"net_device\": \"virtio-net\",\n      \"disk_interface\": \"virtio\",\n      \"floppy_files\": [ \"answer_files/win2012r2/Autounattend.xml\", \"virtio/w8.1/core/*\", \"scripts/bootstrap.ps1\" ],\n      \"communicator\": \"winrm\",\n      \"winrm_username\": \"administrator\",\n      \"winrm_password\": \"{{user `administrator_password`}}\",\n      \"winrm_use_ntlm\": true,\n      \"shutdown_command\": \"powershell -ep bypass c:\\\\windows\\\\temp\\\\shutdown.ps1\",\n      \"headless\": true\n    }\n  ],\n  \"provisioners\": [\n    {\n      \"type\": \"file\",\n      \"source\": \"scripts/shutdown.ps1\",\n      \"destination\": \"c:/windows/temp/shutdown.ps1\"\n    },\n    {\n      \"type\": \"file\",\n      \"source\": \"virtio/w8.1/extra\",\n      \"destination\": \"c:/windows/temp/\"\n    },\n    {\n      \"type\": \"powershell\",\n      \"script\": \"scripts/setupcomplete.ps1\"\n    },\n    {\n      \"type\": \"powershell\",\n      \"script\": \"scripts/win2012r2-dotnet-fix.ps1\"\n    }\n  ]\n}\n"
  },
  {
    "path": "packer/win2016.json",
    "content": "{\n  \"builders\": [\n    {\n      \"type\": \"qemu\",\n      \"name\": \"qemu-win2016\",\n      \"iso_url\": \"https://software-download.microsoft.com/download/pr/Windows_Server_2016_Datacenter_EVAL_en-us_14393_refresh.ISO\",\n      \"iso_checksum\": \"sha256:1ce702a578a3cb1ac3d14873980838590f06d5b7101c5daaccbac9d73f1fb50f\",\n      \"output_directory\": \"output_win2016\",\n      \"disk_size\": \"40960M\",\n      \"format\": \"qcow2\",\n      \"accelerator\": \"kvm\",\n      \"cpus\": \"2\",\n      \"memory\": \"4096\",\n      \"vm_name\": \"win2016\",\n      \"net_device\": \"virtio-net\",\n      \"disk_interface\": \"virtio\",\n      \"floppy_files\": [ \"answer_files/win2016/Autounattend.xml\", \"virtio/2k16/core/*\", \"scripts/bootstrap.ps1\" ],\n      \"communicator\": \"winrm\",\n      \"winrm_username\": \"administrator\",\n      \"winrm_password\": \"{{user `administrator_password`}}\",\n      \"winrm_use_ntlm\": true,\n      \"shutdown_command\": \"powershell -ep bypass c:\\\\windows\\\\temp\\\\shutdown.ps1\",\n      \"headless\": true\n    }\n  ],\n  \"provisioners\": [\n    {\n      \"type\": \"file\",\n      \"source\": \"scripts/shutdown.ps1\",\n      \"destination\": \"c:/windows/temp/shutdown.ps1\"\n    },\n    {\n      \"type\": \"file\",\n      \"source\": \"virtio/2k16/extra\",\n      \"destination\": \"c:/windows/temp/\"\n    },\n    {\n      \"type\": \"powershell\",\n      \"script\": \"scripts/setupcomplete.ps1\"\n    }\n  ]\n}\n"
  },
  {
    "path": "terraform/main.tf",
    "content": "provider \"libvirt\" {\n  uri = \"qemu:///system\"\n}\n\nlocals {\n  mac_dc1       = \"50:73:0F:31:81:E1\"\n  mac_desktop12 = \"50:73:0F:31:81:E2\"\n  mac_graylog   = \"50:73:0F:31:81:F1\"\n  mac_kali      = \"50:73:0F:31:81:F2\"\n}\n\nresource \"libvirt_network\" \"honeypot\" {\n  name      = \"honeypot\"\n  mode      = \"nat\"\n  bridge    = \"honeybr0\"\n  addresses = [\"192.168.3.0/24\"]\n  dhcp {\n    enabled = true\n  }\n  dns {\n    enabled = true\n    forwarders {\n      address = \"192.168.3.100\"\n      domain = \"local\"\n    }\n  }\n\n  xml {\n    xslt = file(\"network-dhcp-lease.xsl\")\n  }\n\n  provisioner \"local-exec\" {\n    command = \"/usr/bin/sudo /usr/sbin/iptables -I FORWARD -j DROP -i honeybr0 -d 192.168.0.0/16; /usr/bin/sudo /usr/sbin/iptables -I FORWARD -j ACCEPT -i honeybr0 -o honeybr0\"\n  }\n  provisioner \"local-exec\" {\n    command = \"/usr/bin/sudo /usr/sbin/iptables -D FORWARD -j DROP -i honeybr0 -d 192.168.0.0/16; /usr/bin/sudo /usr/sbin/iptables -D FORWARD -j ACCEPT -i honeybr0 -o honeybr0\"\n    when    = destroy\n  }\n}\n\nresource \"libvirt_pool\" \"honeypot\" {\n  name = \"honeypot-pool\"\n  type = \"dir\"\n  path = \"/mnt/archive01/vm/honeypot-pool\"\n}\n\nresource \"libvirt_volume\" \"dc1-vol\" {\n  pool   = libvirt_pool.honeypot.name\n  name   = \"dc1-vol\"\n  source = \"../packer/output_win2016/win2016\"\n}\n\nresource \"libvirt_volume\" \"desktop12-vol\" {\n  pool   = libvirt_pool.honeypot.name\n  name   = \"desktop12-vol\"\n  source = \"../packer/output_win10/win10\"\n}\n\nresource \"libvirt_volume\" \"graylog-vol\" {\n  pool   = libvirt_pool.honeypot.name\n  name   = \"graylog-vol\"\n  source = \"../packer/output_graylog/graylog\"\n}\n\nresource \"libvirt_volume\" \"kali-vol\" {\n  pool   = libvirt_pool.honeypot.name\n  name   = \"kali-vol\"\n  source = \"../packer/output_kali/kali\"\n}\n\nresource \"libvirt_domain\" \"dc1-dom\" {\n  provider = libvirt\n  name     = \"h-dc1\"\n  memory   = \"4096\"\n  
vcpu     = 4\n\n  disk {\n    volume_id = libvirt_volume.dc1-vol.id\n  }\n\n  network_interface {\n    network_id     = libvirt_network.honeypot.id\n    hostname       = \"dc1\"\n    mac            = local.mac_dc1\n  }\n\n  xml {\n    xslt = file(\"timer-patch.xsl\")\n  }\n}\n\nresource \"libvirt_domain\" \"desktop12-dom\" {\n  provider = libvirt\n  name     = \"h-desktop12\"\n  memory   = \"4096\"\n  vcpu     = 4\n\n  disk {\n    volume_id = libvirt_volume.desktop12-vol.id\n  }\n\n  network_interface {\n    network_id     = libvirt_network.honeypot.id\n    hostname       = \"desktop12\"\n    mac            = local.mac_desktop12\n  }\n\n  xml {\n    xslt = file(\"timer-patch.xsl\")\n  }\n}\n\nresource \"libvirt_domain\" \"graylog-dom\" {\n  provider = libvirt\n  name     = \"h-graylog\"\n  memory   = \"4096\"\n  vcpu     = 4\n\n  disk {\n    volume_id = libvirt_volume.graylog-vol.id\n  }\n\n  network_interface {\n    network_id     = libvirt_network.honeypot.id\n    hostname       = \"graylog\"\n    mac            = local.mac_graylog\n  }\n\n  xml {\n    xslt = file(\"timer-patch.xsl\")\n  }\n}\n\nresource \"libvirt_domain\" \"kali-dom\" {\n  provider = libvirt\n  name     = \"h-kali\"\n  memory   = \"4096\"\n  vcpu     = 4\n\n  disk {\n    volume_id = libvirt_volume.kali-vol.id\n  }\n\n  network_interface {\n    network_id     = libvirt_network.honeypot.id\n    hostname       = \"kali\"\n    mac            = local.mac_kali\n  }\n\n  xml {\n    xslt = file(\"timer-patch.xsl\")\n  }\n}\n\nterraform {\n  required_version = \">= 0.13\"\n  required_providers {\n    libvirt = {\n      source  = \"dmacvicar/libvirt\"\n      version = \"0.6.14\"\n    }\n  }\n}\n"
  },
  {
    "path": "terraform/network-dhcp-lease.xsl",
    "content": "<?xml version=\"1.0\" ?>\n<xsl:stylesheet version=\"1.0\"\n                xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n  <xsl:output omit-xml-declaration=\"yes\" indent=\"yes\"/>\n\n  <xsl:template match=\"node()|@*\">\n     <xsl:copy>\n       <xsl:apply-templates select=\"node()|@*\"/>\n     </xsl:copy>\n  </xsl:template>\n\n  <xsl:template match=\"/network/ip/dhcp\">\n    <xsl:copy>\n      <xsl:copy-of select=\"@*\"/>\n      <xsl:copy-of select=\"node()\"/>\n      <host mac='50:73:0F:31:81:E1' ip='192.168.3.100'/>\n      <host mac='50:73:0F:31:81:E2' ip='192.168.3.112'/>\n      <host mac='50:73:0F:31:81:F1' ip='192.168.3.191'/>\n      <host mac='50:73:0F:31:81:F2' ip='192.168.3.192'/>\n    </xsl:copy>\n  </xsl:template>\n\n</xsl:stylesheet>\n"
  },
  {
    "path": "terraform/timer-patch.xsl",
    "content": "<?xml version=\"1.0\" ?>\n<xsl:stylesheet version=\"1.0\"\n                xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n  <xsl:output omit-xml-declaration=\"yes\" indent=\"yes\"/>\n  <xsl:template match=\"node()|@*\">\n     <xsl:copy>\n       <xsl:apply-templates select=\"node()|@*\"/>\n     </xsl:copy>\n  </xsl:template>\n\n  <xsl:template match=\"/domain/clock\">\n    <xsl:copy>\n      <xsl:copy-of select=\"@*\"/>\n      <xsl:copy-of select=\"node()\"/>\n      <timer name='hpet' present='yes'/>\n      <timer name='hypervclock' present='yes'/>\n    </xsl:copy>\n  </xsl:template>\n\n</xsl:stylesheet>\n"
  }
]