Security Onion Installation in Proxmox

In this post I will show how to create an air-gapped network in Proxmox where you can add your vulnerable VMs, an attacking machine and Security Onion for monitoring.

Now why would you want this?

As a penetration tester, you need to know how a blue team will be able to track you down and stop you. As a pen tester you should actually be happy when you get caught; it shows that the network has good security and detection, right? Well, if you bust the door open and make a huge noise, you will be noticed even if the network you are testing does not really have good security, and that will not be of any use to the client. An adversary will try their best to be as covert as possible, and a penetration tester should mimic that behaviour in order to give a more accurate report at the end of the engagement. Using the tools that the blue team would be using gives you the insight to know how to be more covert. This is why you need Security Onion or similar tools.

As a defender, you need to know how to use the tools of the trade, and you need to know what to look out for in order to defend against it. I also believe that some basic penetration testing skills will give you a huge advantage, as you will be able to spot things more easily. That is why you would want to have this setup in your home lab and learn some attack techniques too. You also might want to play around with some dangerous malware which you don't want to let loose on your network, so an air-gapped network is a very good idea.

How to Install Security Onion on Proxmox

Create the Bridges (Virtual Switches)

If you do not have Open vSwitch installed, run the following commands on the Proxmox node (as root):
apt update
apt install openvswitch-switch

Now I will create the two bridges. Both must be created as OVS Bridge type (not Linux bridge), because the port mirror that feeds Security Onion later in this post is created with ovs-vsctl and only works on an Open vSwitch bridge.

Management Bridge
Tap Network Bridge
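As an added example (not from the original post), this is what the two bridges look like in /etc/network/interfaces on the Proxmox node once created as OVS Bridge type. The names vmbr4 and vmbr5 follow the post; it assumes neither bridge carries an IP address on the host, which is what keeps the lab air-gapped from the Proxmox host itself.

```text
# Added example, not from the post: Open vSwitch bridges for the lab.
# Neither bridge has an address or gateway on the Proxmox host (assumption:
# the host itself stays off the air-gapped network).
auto vmbr4
iface vmbr4 inet manual
	ovs_type OVSBridge
#Security Onion management bridge

auto vmbr5
iface vmbr5 inet manual
	ovs_type OVSBridge
#Tap bridge: targets, attacker and the Security Onion monitor NIC
```

After saving, the change is pending until you apply it (Apply Configuration in the node's Network tab if ifupdown2 is installed, otherwise a node reboot); starting a VM attached to a pending bridge gives the error shown in the installation section below.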

Create the Security Onion VM

It is important to note that Security Onion wants the following minimum hardware:
CPU – 4 cores (I only have 2 cores available and it is slow!)
RAM – 12GB
HDD – 200GB
NIC – 2

Security Onion VM creation

Ensure that the first NIC is connected to the Management Interface Bridge (vmbr4 on mine).
Add one more NIC. Connect this one to the Tap Bridge (vmbr5 on mine).
I also unticked the firewall on both NICs so that nothing interferes with the traffic.

NIC Connected to Tap Bridge

Security Onion Installation

Start your VM. If you get the error message below, the new bridges are still a pending network change on the Proxmox node and need to be applied. If you have ifupdown2 you can click Apply Configuration under the node's Network tab; if you are not using ifupdown2 then you need to restart your Proxmox node.

Error Because of Pending Proxmox Network Settings

Now choose your administrator username and password.

Security Onion Installer

The install script will start running. My system is quite slow and this took about 15 minutes.

Automated Install Running

When the installer completes you will be greeted by this screen:

Initial Installation Done

Press Enter to reboot, and you will be asked to enter your credentials again. This is the admin username and password chosen earlier.

First Boot Screen

Follow the on-screen instructions. I will show all steps here if you would like to follow along.

Choose Yes
Choose Install

Use the spacebar to make a selection and press Enter for OK. I will use the evaluation mode as this is not a production environment. This setup in Proxmox is definitely not recommended for production!

Choose Eval
Type Agree and Press Enter
Choose Airgap

I get this warning because my hardware does not meet the minimum recommended specifications.

Choose Yes to Continue

Choose a hostname. Try not to use the default hostname, as it will give you extra warnings.

Type a Hostname and Press Enter
Add a Description if You Want

Choose the first NIC for management, because that is the NIC that we connected to our management bridge.

Choose the Management NIC

Choose a static IP address, as we do not have a DHCP server on this network. It is also recommended to always use static IP addresses for this type of device.

Choose Static
Set an IP
Add the IP of your bridge or gateway.
I leave this as default.
I do not have a domain so leave this default
Press Enter for OK
Choose the second NIC for your Monitor Interface
Type in the monitored network ID in CIDR notation. This is the tapped network that your targets and attacker sit on (192.168.1.0/24 in my lab).
Click OK
Leave all the services selected that you want.
The Docker Network is internal and can be left as default.

Add an email address that will be used to sign in to the Web Interface. This does not really have to exist for our purposes.

Enter email for admin account
Choose a password and re-enter in the next screen.
We do not have DNS, so choose IP.
We do not have NTP servers available, so choose No.
Choose yes to allow access to the web tools.
Add the network ID of the management interface network in CIDR notation. Only addresses in this range will be allowed to reach the web interface, so it must include the machine you will browse from.
Confirm the information and select Yes.

Now the installation will continue. This takes a long time, so go grab a coffee! On my machine it took about 1 hour.

Final Installation Screen
Successfully installed! Press Enter.

Connect to Security Onion Web Interface

Change the network settings on the machine that you will use to access the Security Onion web interface.

Make sure the IP is in the Management Interface Range.

Navigate to the IP you chose for Security Onion. Mine is 192.168.0.2
You will get a warning because the certificate is self-signed. In Firefox you can click on "Advanced" and then "Accept the risk and continue". Use the email address account created earlier to log in.

Security Onion Login Screen

Now you will see the Security Onion Web Interface.

Security Onion Web Interface

Almost there...

Create the Tap Port

Log in to your Proxmox node using the Proxmox web shell or SSH (my preferred method).

Run the following command to list the interfaces on the node:
ip -br a
Look for the tap port names. Proxmox names a running VM's NICs tap<VMID>i<NIC index>; my Security Onion VM ID is 118, so its two NICs show up as tap118i0 and tap118i1.

This command will create a mirror port for the interface connected to my Security Onion VM (ID 118). It is important to note that the first port, tap118i0, is the NIC connected to the management bridge, so the mirror must be created on the second port, tap118i1, which is the monitor interface on the tap bridge (vmbr5):

ovs-vsctl -- --id=@p get port tap118i1 -- --id=@m create mirror name=span1 select-all=true output-port=@p -- set bridge vmbr5 mirrors=@m

You should get something like this as the output (the UUID of the newly created Mirror record).

NB: The tap port only exists while the Security Onion VM is running, so the mirror is lost every time the node is restarted and also whenever the VM is stopped and started again. You can add the command as a cron job if you want, or attach it as a Proxmox hookscript so that it runs after every start of the VM.

To confirm that the mirror was created or still exists you can run this command at any time:
ovs-vsctl list Mirror
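Because the tap port disappears whenever the Security Onion VM stops, a fire-and-forget cron entry is fragile. The following script is an added example of my own (not code from the post, Security Onion or Proxmox) that recreates the mirror safely: it derives the tap name from the VM ID the same way Proxmox does, refuses to run if that port is not on the bridge, clears any previous mirror so it can be re-run without creating duplicates, and verifies the result with ovs-vsctl list Mirror. VM ID 118, NIC index 1, bridge vmbr5 and mirror name span1 are the post's values and can be overridden through the environment; the ovs-vsctl commands are the documented ones.

```shell
#!/bin/sh
# Added example (not code from the post, Security Onion or Proxmox):
# recreate the Open vSwitch SPAN mirror that feeds Security Onion's monitor NIC.
# Assumed lab values (override via environment): VM ID 118, monitor NIC is the
# VM's second NIC (net1), tap bridge vmbr5, mirror name span1.
set -eu

SO_VMID="${SO_VMID:-118}"
MON_NIC_INDEX="${MON_NIC_INDEX:-1}"
TAP_BRIDGE="${TAP_BRIDGE:-vmbr5}"
MIRROR_NAME="${MIRROR_NAME:-span1}"

# Proxmox names a running VM's NICs tap<VMID>i<index>: tap118i0, tap118i1, ...
tap_name() {
    printf 'tap%si%s\n' "$1" "$2"
}

# True only if port $2 is currently attached to OVS bridge $1. The tap device
# exists only while the VM runs, so this fails for a stopped VM.
port_on_bridge() {
    ovs-vsctl list-ports "$1" | grep -qx "$2"
}

# Read `ovs-vsctl list Mirror` output on stdin and print the mirror names,
# one per line (ovs-vsctl prints the name column with or without quotes).
mirror_names() {
    sed -n 's/^name[[:space:]]*:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

main() {
    port=$(tap_name "$SO_VMID" "$MON_NIC_INDEX")
    if ! port_on_bridge "$TAP_BRIDGE" "$port"; then
        echo "$port is not on $TAP_BRIDGE: is VM $SO_VMID running with net$MON_NIC_INDEX on $TAP_BRIDGE?" >&2
        return 1
    fi
    # Clear old mirrors first: ovs-vsctl would otherwise add a second, identical mirror.
    ovs-vsctl clear bridge "$TAP_BRIDGE" mirrors
    # Same command as in the post, parameterised. It prints the UUID of the new record.
    ovs-vsctl -- --id=@p get port "$port" \
              -- --id=@m create mirror name="$MIRROR_NAME" select-all=true output-port=@p \
              -- set bridge "$TAP_BRIDGE" mirrors=@m
    # Verify that the mirror we asked for is now listed.
    if ! ovs-vsctl list Mirror | mirror_names | grep -qx "$MIRROR_NAME"; then
        echo "mirror $MIRROR_NAME was not created" >&2
        return 1
    fi
    echo "mirror $MIRROR_NAME -> $port on $TAP_BRIDGE is active"
}

# Two entry points: `so-mirror.sh apply` when run by hand, or `<vmid> <phase>`
# as Proxmox passes them when the file is installed as the VM's hookscript.
# Every phase other than post-start is a no-op, so VM start is never blocked.
if [ "${1:-}" = "apply" ]; then
    main
elif [ "${2:-}" = "post-start" ]; then
    SO_VMID="$1"
    main
fi
```

Run it on the node as `sh so-mirror.sh apply`. To make the mirror come back by itself, save it (executable) as /var/lib/vz/snippets/so-mirror.sh and run `qm set 118 --hookscript local:snippets/so-mirror.sh`; Proxmox then calls it with the VM ID and phase after every start of the Security Onion VM, which also covers node reboots once the VM starts again. A cron @reboot entry cannot do this, because at boot time the tap port does not exist yet.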

Final Testing

Now back in your Security Onion web interface, click on the Alerts tab. Acknowledge all the sample alerts by clicking the bell icon.

Now use any attacking machine (I use a Parrot machine) on the tapped network (192.168.1.0/24) and run an nmap scan against a target there. I have a target machine on 192.168.1.10, so I used the following (-T4 with -A is deliberately noisy, which is exactly what we want for confirming that the tap works):
nmap -T4 -A 192.168.1.10

Click the refresh button in your Security Onion web interface and you should see the alerts.

Security Onion Alerts

Conclusion

Thanks for sticking with me till the end! This was a long and detailed guide. I give as much information as possible because I know how frustrating it can be when the “trivial” information is left out and you are just a beginner. I hope you enjoyed this post. If you need any extra information or have any questions about this installation, please leave a comment and I will try my best to answer your questions.

References:

Omar Santos – Security Onion, RedHunt OS, Proxmox, and Open vSwitch
https://santosomar.medium.com/security-onion-redhunt-os-proxmox-and-open-vswitch-6d6fbaaf0a51

Security Onion Website
https://securityonionsolutions.com/

Introduction

I am passionate about Cybersecurity. My nickname, SaIS, is an acronym for "Serious about Information Security". I am currently working in a different industry, but I am trying to break into the Cybersec field. The community has been very welcoming and it is an amazing community to be part of. Using this blog, I am hoping to help other newcomers and document what I am doing in order to advance my career. I hope that this blog will help potential employers to see what I am busy with and that it will showcase my skills as I progress.

I am quite new to the field, but I am putting in a lot of effort to learn and gain the knowledge and skills needed to be a valuable member of the community and help make the digital world a safer place. The things that I am doing might help someone else, and what I am struggling with might be what other beginners also struggle with. I will try and document how I manage to overcome the things that the professionals would see as "simple", but which I find really difficult.

Most people that are new to this field need to know where to start. I found that there is so much information out there that I am jumping around too much. From now on I will be doing one thing at a time and ensure that I document it. This will help me to have a reference, as well as others who might want to do the same thing.

The plan is to split my blog into different streams and post information that will help both people in the Cybersec field and people from the "outside" who don't know all the terms, but also need to know how to safeguard themselves as much as possible. I will try and tag the posts accordingly.

Thanks for reading, and I hope that my blog will be valuable to everyone who stumbles across it. I am open to constructive criticism and would appreciate suggestions. Please remember that not all suggestions will be followed, as I will pick and choose the ones that fit into what I am planning for this blog.

How to Install Kioptrix Level 1 in Proxmox

I am currently doing the Practical Ethical Hacker course by Heath Adams (The Cybermentor).

In this course he uses the vulnerable Kioptrix Level 1 VM available on VulnHub. I set up my home lab in Proxmox VE. This allows me to do my Cybersec training separately from my home network. Here I can play around and test things without putting my home network at risk. If I mess things up in my home lab I can just reload it without too many worries. I will do a series of posts on my setup later.

So, wanting to use my home lab and not just a VMware virtual machine, I started with the usual techniques for moving a VMware virtual machine to Proxmox. I encountered a lot of problems, like kernel panics and no network connection. After a long struggle, I finally managed to get it to boot and receive an IP address from my DHCP server.

Here I will explain step by step how to create the machine and configure the network so that it gets an IP from the DHCP server:

Step 1 (Create your VM):

In the general tab, choose your node and name your VM.

In the OS tab, choose “Do not use any media” and for the Guest OS choose Linux 2.4 Kernel.

Check that your System tab matches the following:

In the Hard Disk tab, make sure to choose “IDE”. The disk size does not matter as we will delete it later.

Under the CPU tab, you can give the VM just one core. It is a very lightweight Linux, so it does not need a lot of processing power. The "kvm64" type worked fine for me.

256MB of memory is enough for this machine.

In the network tab, ensure that you choose the LAN bridge where your attack machine will be able to reach the VM. Also make sure to use the Realtek RTL8139 device; this was the only one that worked for me.

Confirm the settings. Yours will differ here; that won't be a problem if you followed the other settings as explained above.

Step 2 (Remove HDD):

Under Hardware, click on the Hard Disk and click Detach, click yes to confirm.

Click on the “Unused Disk” and click remove. Click yes to confirm.

Optionally, click on the CD-ROM and remove that too. I did, but it is not necessary.

Step 3 (Import Disk):

Download Kioptrix. The download link did not work for me, but the mirror did.

Extract the files. I just right-clicked and used "Extract here".
Now open a terminal in this directory. If you are using Windows, I would recommend using WSL (Shift+right-click and choose "Open Linux shell here").
In Linux I just right-click in the folder and choose "Open Terminal Here".

Using secure copy, copy the disk over to Proxmox (replace the placeholder with the IP address of your Proxmox node):
scp Kioptix\ Level\ 1.vmdk root@<proxmox-node-ip>:/tmp/
Enter the root password of your Proxmox node and press Enter. This copies the disk to the /tmp folder on your Proxmox node.

Now I will use SSH to connect to my node (again using the IP address of your Proxmox node):
ssh root@<proxmox-node-ip>
Change directory to /tmp:
cd /tmp/
Convert the disk to qcow2:
qemu-img convert -f vmdk Kioptix\ Level\ 1.vmdk -O qcow2 KioptixLevel1.qcow2
Import the disk using the following command, changing 114 to your VM ID and local-zfs to your storage pool name:
qm importdisk 114 KioptixLevel1.qcow2 local-zfs
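The transfer, conversion and import above are one procedure, so here is an added example script of my own (not from the post or from Proxmox) that does all of it from the machine where you extracted the archive, with the checks a manual run skips: it validates the VM ID, optionally checks the download against the checksum published on the VulnHub page, confirms the target VM exists on the node before importing, and then attaches the imported disk as ide0 and makes it the only boot device (the steps done through the GUI further down). It assumes root SSH access to the node; the node address is a placeholder, VM ID 114 and storage local-zfs are the post's values, and the file name is the one inside the VulnHub archive. qm importdisk converts the image to the storage's format itself, so the separate qemu-img convert step is not required.

```shell
#!/bin/sh
# Added example (not from the post or Proxmox): ship the Kioptrix VMDK to the
# node, import it and attach it as the VM's only boot disk.
# Assumptions: run from the extraction directory, root SSH to the node,
# PROXMOX_NODE is a placeholder, VMID 114 and STORAGE local-zfs as in the post.
set -eu

VMDK="${VMDK:-Kioptix Level 1.vmdk}"            # the archive really spells it this way
PROXMOX_NODE="${PROXMOX_NODE:-proxmox-node}"    # placeholder: hostname or IP of your node
VMID="${VMID:-114}"
STORAGE="${STORAGE:-local-zfs}"
EXPECTED_SHA256="${EXPECTED_SHA256:-}"          # digest from the download page, if you have it

# Proxmox VM IDs are integers >= 100; catch a typo before qm does.
vmid_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 100 ]
}

# Exit status says whether file $1 hashes to the hex digest $2 (case-insensitive).
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$want" ]
}

transfer_and_import() {
    vmid_is_valid "$VMID" || { echo "VMID must be an integer >= 100, got '$VMID'" >&2; return 1; }
    [ -f "$VMDK" ] || { echo "cannot find '$VMDK' in $(pwd)" >&2; return 1; }
    if [ -n "$EXPECTED_SHA256" ]; then
        verify_sha256 "$VMDK" "$EXPECTED_SHA256" || { echo "checksum mismatch, not importing" >&2; return 1; }
    fi
    scp "$VMDK" "root@$PROXMOX_NODE:/tmp/kioptrix1.vmdk"
    # The rest runs on the node; VMID and STORAGE are passed in the remote environment.
    ssh "root@$PROXMOX_NODE" "VMID=$VMID STORAGE=$STORAGE sh -s" <<'EOF'
set -eu
qm status "$VMID" >/dev/null                           # the VM must already exist
qm importdisk "$VMID" /tmp/kioptrix1.vmdk "$STORAGE"   # converts to the storage's format itself
# Assumes the VM had no other unused disk before the import.
disk=$(qm config "$VMID" | sed -n 's/^unused0: //p')
[ -n "$disk" ] || { echo "no unused disk after import" >&2; exit 1; }
# Kioptrix only boots from IDE; make ide0 the only boot device (no net0, no CD-ROM).
qm set "$VMID" --ide0 "$disk" --boot order=ide0
rm -f /tmp/kioptrix1.vmdk
EOF
    echo "import into VM $VMID done; take a snapshot before the first boot"
}

# Only act when asked; running the file without arguments just defines the functions.
if [ "${1:-}" = "run" ]; then
    transfer_and_import
fi
```

Run it as `PROXMOX_NODE=<ip-of-your-node> sh import-kioptrix.sh run`. After it finishes, the VM already shows the disk as ide0 with the boot order fixed, so you can go straight to the snapshot step below.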

When this is done, you can close the SSH session by typing exit. The /tmp folder is wiped at shutdown/reboot, or you can remove the files manually now if you want.

Open the Proxmox web interface again. You may need to navigate away from your Kioptrix VM and back in order to see the newly added disk, which will show as “Unused Disk 0”.

Double-click the disk, confirm that the settings are as below and click on “Add”.

The disk will now show as "Hard Disk (ide0)".

Click on options and double-click on “Boot Order”.

Untick net0 (and also the cd-rom if not removed) and only tick the hard disk. Click on OK.

This is optional, but I would highly recommend taking a snapshot before booting.

Navigate to Snapshots and click on Take Snapshot. Type a descriptive name and click on Take Snapshot in the dialog box.

Step 4 (Change Network Config on the VM):

Now right-click on the VM and click Start. Wait a few moments for the machine to start and then double-click on the machine to open a noVNC session.

This is important. Before the timer runs out, press any key so that you can configure the changed network card. If you miss this window, you have to stop the VM and start it again in order to get back to this step.

Ensure that “Remove Configuration” is selected and press enter.

On the next window, choose Configure.

Migrate the existing network configuration by selecting "Yes" and pressing Enter.

For the USB configuration, you can choose “Ignore” and press enter.

Kioptrix will now continue to boot and show you the welcome screen.

Step 5 (Scan for the Machine):

From any other machine on the network (most likely your attacking machine) run the following command, as root, to scan for machines:
arp-scan -l

On mine, the new Kioptrix machine received the IP address 10.10.1.112.

Have fun!