BUILDING A CYBERSECURITY DETECTION AND MONITORING LAB BY LEVERAGING LOCAL VIRTUAL MACHINES (VMs) AND MICROSOFT AZURE

Introduction

Learning and implementing cybersecurity concepts can be challenging without access to practical and secure infrastructure. These challenges are further complicated by budget constraints that limit the acquisition of necessary hardware resources.

To overcome this, this home lab guide provides instructions for provisioning, configuring, optimizing, and securing IT infrastructure using a combination of local virtual machines (VMs) and cloud resources for practical use cases. This approach enables deploying less resource-intensive tools on local VMs while leveraging the cloud for more demanding applications. It simulates both on-premises and cloud environments. The knowledge gained here can aid in production and large-scale, enterprise-level infrastructures despite your smaller scale.

What is a Home Lab?

A home lab is a personal setup within your home designed for hands-on practice and skill development in specific fields such as IT or cybersecurity. It mimics larger-scale infrastructures using similar components and tools, providing a safe and controlled environment to experiment, learn, and refine your skills.

Lab Contents

• Lab Design and Topology
• Building/Choosing a Host PC
  • Additional Suggestions for Local Setup Without Cloud Tunneling
• Downloading, Installing, and Setting Up VMware Fusion for Mac (VMware Workstation Pro for Windows)
  • Setting Up Virtual Machine Networks (VMNets) on VMware
• Installing pfSense for Network Segmentation and Security
• Installing Kali Linux
• Configuring PfSense Interfaces and Dynamic DNS
  • Configuring Dynamic DNS (DDNS)
• Creating and Setting Up a Microsoft Azure Account
• Creating a Virtual Network And Setting Up a VPN Connection on Azure
• Configuring VPN connection on pfSense
• Installing and Configuring Security Onion
• Configuring Packet Forwarding from pfSense to Security Onion using Netflow protocol
• Configuring a Windows Server as a Domain Controller
  • Configuring Active Directory Certificate Services on our Domain Controller
  • Configuring DHCP Server on our Domain Controller
• Configuring Windows Desktops & Onboarding Users Accounts to the AD Domain
• Installing and Configuring Splunk
• Installing Splunk Universal Forwarder on Windows Server
• Ubuntu/CentOS/Metasploitable/DVWA/Vulnhub Machines: Optional machines for exploitation, detection, and monitoring purposes

Lab Design and Topology

Building/Choosing a Host PC

Due to budget constraints, I will use a MacBook Pro 2018 with 16GB of RAM, a 4GB dedicated graphics card, and a 512GB SSD for this lab. The recommended requirements for this lab are the same, a machine with at least 512GB of storage, an Intel Core i5 CPU (or its AMD equivalent), and 16GB of RAM. This lab is inspired by an article from Cyberwox's blog.

Note: While macOS is used as the host platform for this lab, the hypervisor (virtualization software) is available on most platforms, including Windows, though configuration steps may vary slightly.

Additional Suggestions for Local Setup Without Cloud Tunneling

• Build a Customized PC: To run all virtual machines and instances locally, consider building a customized PC that meets the lab's requirements. You can follow this article for guidance.

• Leverage Existing Hardware: If you have additional machines available, set up a cluster using Proxmox, provisioning networks, and VM instances as needed. Numerous tutorials are available on YouTube to help you through this process. I plan to explore this lab setup in the future.

Downloading, Installing, and Setting Up VMware Fusion for Mac (VMware Workstation Pro for Windows)

VMware, (now owned by Broadcom) has made VMware Fusion and VMware Workstation Pro free for personal use. You can download and install these products by following their official blog here. If you encounter difficulties during the download or installation process, refer to these YouTube tutorials here or here.

Alternatively, VirtualBox is another virtualization option and can be downloaded here.

Setting Up Virtual Machine Networks (VMNets) on VMware

After installing VMware, launch the software and navigate to the menu bar at the top left corner.

Click on VMware Fusion and select Settings.

Then, click on the Network tab in the settings window.

Here, you will see the predefined network configurations that define different network settings

• "Share with my Mac": Allows any VM using this setting to communicate externally (with the internet and other physical machines on the host’s network) using the host machine's IP address. All communications appear to originate from the host machine.
• "Bridged Networking": Enables the VM to act like a physical computer connected to the physical network.
• "Private to my Mac": Creates an isolated network where VMs can communicate only among themselves and are isolated from devices on the physical network.

Next, we will create four custom VMNets (vmnet2 to vmnet5) to assign machines to. Think of VMNets as networks on a router, where multiple machines can be connected. Each of these VMNets will be isolated, but they will be able to communicate with each other through a router. In this lab, pfSense will act as our router. Here is the configuration for VMNET2 to VMNET5:

• Click the + icon to add new VMNets (vmnet2 to vmnet5).
• Leave the settings unchanged; there is no need to connect through the internet directly. Instead, we will use our virtual router device (pfSense) for greater flexibility.
• Ensure the host machine is not connected to any of these networks.
• Untick provide addresses on this network via DHCP

Installing pfSense for Network Segmentation and Security

pfSense provides routing, firewall, and VPN functionality. In this lab, we will use pfSense as a firewall to segment our networks and set up a VPN tunnel from our networks to our AWS VPC.

1. Download the pfSense ISO file, selecting "ISO IPMI/Virtual Machines."
2. Once downloaded, open your terminal, navigate to the download directory, and type gunzip -d <file_name> to uncompress the file.
3. Open VMware and create a new Virtual Machine.

4. Choose "Install from disc or image" and click Continue.
   

5. Select the uncompressed ISO file and click Continue.

6. Choose "Legacy BIOS" if prompted.

7. Click Customize Settings and name the VM "pfSense" or a suitable name.

8. In the configuration window, click Network Adapter under Removable Devices. Add four (4) virtual network adapters and assign each adapter to the VMNets created earlier. This VM will act as a router and firewall, so it should be connected to all 4 custom networks.

9. Click Add Device to add additional network adapters until all VMNets are assigned.
   

10. Go back to the main configuration window and click on Hard Disk (SCSI). Set the disk size to 20GB and ensure "Split into multiple files" is selected.
    

11. Click on Processors and Memory to allocate resources. Assign one processor and 2GB (2048 MB) of RAM.

12. Close the window and click the icon to start the VM.
    

13. Proceed with the installation by accepting all defaults, and pfSense will configure itself and reboot. If you encounter any issues, restart the VM.
    
    

14. After a successful reboot, select Option 1.

15. When prompted "Should VLANs be set now?", enter n.

16. Assign em0, em1, em2, em3, and em4 to each respective question.

17. Confirm by entering y.
    

18. Now, configure the network interfaces:

• LAN Interface (em1): Use IP 192.168.1.1 to access the pfSense WebGUI via a Kali machine.

• OPT1 and OPT2 Interfaces: Configure as required.

• OPT3 Interface: Leave without an IP for span port traffic monitoring with Security Onion.

Further configuration will be done through the pfSense WebConfigurator via the Kali machine.

Installing Kali Linux

Kali Linux is amongst the few Linux distros that come with a set of tools that can be used for offensive security. An alternative to Kali Linux is ParrotOS. Kali Linux can be used to perform attacks on the domain controller and other vulnerable machines in the lab. To begin, you can download the Kali Linux ISO image from here.

Download the image according to the VM platform you are using, for this lab, which will be VMWare. After downloading, extract the archive into an appropriate folder, and open the .vmwarevm file. You should see a window that starts the VM, kindly shut it down so we can configure its resources. Click the settings icon

You should get the window below,

Proceed to Processors & Memory to provision the right resources, I will be using 2 cores, and 2GB (2048 MB) RAM for this VM. Also, go to Network Adapter to assign the default network adapter to vmnet2.

You can start the VM when done. The default user and password is kali. You can change the password by launching the terminal and using the **passwd** command.

Configuring PfSense Interfaces and Dynamic DNS

Now that the Kali machine is set up, navigate to the top left corner of the desktop window to open the Firefox browser, and enter https://192.168.1.1, this is the URL pfSense Web Configurator.

Click Advanced, then, Accept the Risk and Continue. You should see the login page for the pfSense web Configurator. Login to pfSense using the default credentials, admin and pfsense.

Though this is a home lab, it is recommended to always change the default password of machines and software/platforms when provisioned.

Proceed with the wizard by clicking Next till you get to Step 2 of 9

Add 8.8.8.8 as the Primary DNS Server, and Add 1.1.1.1 as the Secondary DNS Server, these are Google's and Cloudflare's public DNS Servers respectively.

Proceed by clicking Next, at Step 3 of 9, Select your timezone.

Click Next,
Untick the last two options at Step 4 of 9

At Step 5 of 9, Click Next
At Step 6 of 9, Set a new Admin Password, then Click Next
At Step 7 of 9, Click Reload, Click Finish.

At this point, the pfSense Wizard is complete and further configurations can be made. This is a home lab but, I recommend that you develop habits of creating a least-privileged user whenever you are using a root credential, as this will prevent account take-overs in real systems and ends up locking you out or wreaking havoc. You will find tons of tutorials about this on YouTube.

Now, let us proceed with configuring our interfaces.

Click on Interfaces

Select LAN

For Description, Change LAN to SecAssessmentNetwork as this is the network interface where Kali and Analyst machines will belong.

Scroll to the bottom of the page, Click Save and Apply Changes

If you encounter an error, you should check out this article to fix it.

Repeat the above steps until you have the named interfaces below

For OPT3, ensure you enable the interface as shown below

Next, Navigate to Interfaces >> Assignments

Select Bridges, click Add

Member Interfaces, Select VICTIMNETWORK

Click Display Advanced, under Advanced Configuration in the Span Port field, select SPANPORT

Scroll down to the bottom of the page and click Save

Next, we need to configure firewall rules,

On pfSense, navigate to Firewall >> Rules

Under the SECASSESSMENTNETWORK tab, click Add to create a new firewall rule

Under Edit Firewall Rule, in the Protocol field, select Any, scroll to the page's bottom, click Save

Note: There's a predefined rule, the Anti-Lockout Rule created by pfSense to allow incoming connections to ports 80 and 443 which are the ports to its Web Configurator.

We added a rule to allow all connections to/from the SecAssessmentNetwork. We should avoid this as much as possible, this is only done for the convenience of the lab, and it is recommended for tweaking after the lab.

Configuring Dynamic DNS (DDNS)

When we configure the Azure side of our VPN Tunnel, it is important that our VPN gateway can communicate with our on-prem gateway/router, which in the case of our home lab is our CPE (Customer Premises Equipment). Most SOHO (Small Office / Home Office) routers do not come bundled with a static or leased public IP address.

If we use the current public IP assigned, there is a high chance that Azure will lose communication with our gateway after some time (this is due to dynamic IP leasing by our ISP). To solve this, we can either lease some IPs from our ISP or use Dynamic DNS which enables Azure to track our public IP as it changes. Most SOHO routers have DDNS functionality, but in this lab, we will use pfSense.

There are so many DDNS providers, some domain name providers offer its functionality, while some providers offer it exclusively. Namecheap, Cloudflare, DynDNS, and NoIP, are some of these providers. For this lab, we will make use of DuckDNS (this is for practical purposes only, I recommend using Azure DNS, Cloudflare or Namecheap for reliable connections)

Proceed to DuckDNS.org to get started. Next, create an account and sign in. Enter the subdomain name of your choice and check if it is available. Once you have a domain name, note it and the generated token as it is needed in the following sections.

Next, navigate to the install section at the page's top nav bar.

Next, go back to our pfSense Web Configurator and log in, navigate to the services section and Click Dynamic DNS

Click Add
Select Service Type and Choose Custom
Navigate below to the Update URL section, and paste this
https://www.duckdns.org/update?domains=<domain name given to you>&token=&<generated token>ip=%IP% e.g, https://www.duckdns.org/update?domains=example&token=f43562542412345676ip=%IP%

In Result Match type OK. Enter DUCKDNS in the Description field. Click Save & Force Update to finish setting it up. You should end up with something like this

We have successfully configured our DDNS.

Creating and Setting Up a Microsoft Azure Account

In this lab, we decided to choose Azure as our Cloud Service Provider (CSP). To get started with this section you can log in with your existing credentials or open an account if you do not have one already, proceed to the azure portal.

Once created, new accounts are given $200 worth of credits to try out their services, while some services are always free, some have quotas, which is useful for this lab. One of the security best practices I have over time gotten accustomed to is avoiding using a super-user or root account for my regular tasks. This is useful as whenever your standard/privileged account gets compromised, you can quickly use the root account to withdraw its access compared to when a root account is ATOed. So let us create a different account for our daily use.

Proceed to the top-left corner of the page's nav bar, Click the hamburger menu

Click on Microsoft Entra ID

Click on Users, and you should see a page with a list of users. When you open an Azure account, by default a new user is created for you, and it is assigned a Global Administrator role, this is the same thing as a root user.

Click on New user

Click Create new user, fill in the fields

Proceed by clicking Next: Properties, Fill the necessary fields

Continue by clicking Next: Assignments

Click on Add role and Add the following roles

• Network Administrator

Click *Review + create * to finish the user creation process.

We are done with our user creation, but we need to assign access to our created user on the subscription level. Click the hamburger menu and proceed to Home.

Click the Subscriptions from the Azure services section

Alternatively, you can search subscription on the search menu also

Select the subscription name, for new users, this will be Azure subscription 1.

Click on Access control (IAM)

Click Add, then Add role assignment

Select Privileged administrator roles

Select Owner, Click Next

Click Select members and add our newly created user

Add a description (optional)

Proceed by clicking Next

Select *Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended) *

Click Next, then Review + assign

Sign out and re-login with the new user credentials, make sure you follow the prompts to enable MFA on the newly provisioned user.

Creating a Virtual Network And Setting Up a VPN Connection on Azure

For the following steps, ensure you are logged in as our newly created and less privileged user.

Click on Resource groups, this will help us create a container where we can create resources for our home labs and also assign a created user as the owner.

Click Create

Assign a subscription (The free trial subscription is assigned to new accounts by default)

Enter homelab-rg in the Resource group field

Select an appropriate region closer to you and Click Next: Tags

Assign tag name environment and value homelab, this helps us to quickly filter our resources in the future.

Proceed by clicking Next: Review + create, Click Create

Click the refresh icon to see the newly created resource group. Proceed by clicking the resource name.

Now, let us create our virtual network

Proceed by clicking the hamburger menu, then click on Virtual Networks

Click Create

Leave the defaults, and Enter a Virtual network name and Region

Click Next until you get to the IP addresses section

Enter 172.16.0.0/16 as the address space

Click Add a subnet

Choose Virtual Network Gateway as the subnet purpose, and fill in the necessary fields using the below sample

Proceed with the remaining defaults by clicking Add

Click Add a subnet again. This time, we are creating a subnet with outbound internet access but restrictive inbound internet access. We need a subnet to place a NAT gateway, as our Security Onion instance will need to communicate with the Internet during installation.

A NAT (Network Address Translation) gateway allows our resources to reach the Internet but prevents the Internet from reaching them. Although we can use the default subnet created automatically for us, I decided to have the default subnet be a more restrictive private subnet that does not have access to the Internet, so I will not be assigning a NAT gateway to it.

Now let us create our NAT-enabled private subnet

Proceed by following the inputs in the sample

Ensure you selected Enable private subnet (no default outbound access) as we want to explicitly grant outbound access.

Next, in the NAT gateway section, click Create new

Enter a name for the NAT gateway

Create a Public IP address for the NAT gateway also

You should end up with the below setup

Proceed by clicking Next

Add a tag name environment and a tag value homelab

Click Review + create, then Create

Next, You can go to the home screen.

Now that we have successfully created our Virtual Network, Let us create our VPN gateway and set up our site-to-site VPN connection.

On the home screen, proceed by clicking Create a resource

Under the Categories section, click Networking

Click on create under the Virtual network gateway section

Enter a name, homelab-vnetgw

Proceed to the Virtual network field and select the virtual network we created

In the Public IP address, select Create new

Give the Public IP address resource a name

Fill in the remaining fields by using the sample below

Click Review + create, then Create

It takes roughly 20 minutes for our Virtual Network Gateway to be fully deployed.

Next, we need to create a local network gateway to enable us to create a connection to our on-prem machine.

To begin, proceed by Clicking Create a resource on the home screen and selecting Networking on the Categories section

Click on Create in the Local network gateway section.

Select the appropriate resource group

On the Instance details section, enter an instance name of your choice

Select FQDN on our Endpoint field

Enter our DDNS FQDN (Fully Qualified Domain Name) we created from duckDNS.org e.g. example.duckdns.org

Next, add the address spaces to our on-prem machine. You should end up with something similar to the one below

Proceed by clicking Review + create, then Create

Finally, to finalize the Azure end of the VPN connection, we need to create a connection instance.

Let's proceed by creating another network resource, this time a connection.

Proceed by clicking Create

Select the appropriate resource group

In the Connection type field, select Site-to-site (IPsec)

Give it an appropriate name

Proceed by clicking Next: Settings

In the Virtual network gateway field, select the virtual network gateway we created earlier

In the Local network gateway field, select the local network gateway we had earlier created

In the Authentication Method field, leave it as Shared Key(PSK)

Enter a Pre-Shared Key (PSK) of your choice, this is more like a password, but I recommend that it should be complex and hard to brute force, though in a production environment, you will use a Public Key Infrastructure. I will be generating a key here.

Do save your PSK as it is needed on the pfSense side.

Next, Choose Custom in the IPsec / IKE policy field, and use the below entries

Proceed by clicking Review + create, then Create.

Once the connection is created, click Go to resource and Download configuration

Fill in the fields with the values in the sample below

Save the configuration file as it will be needed in setting up the pfSense end of the VPN connection.

We are done setting up the VPN connection at the Azure end.

Configuring VPN connection on pfSense

In this section, we are going to configure the pfSense part of the VPN connection. We proceed by navigating to our pfSense Web Configurator via our Kali Linux VM. Login to the pfSense Web Configurator portal.

Click VPN, then IPsec

Go to Tunnels

Click Add P1

In the Description field, enter any description of your choice, e.g. Homelab to Azure Site-to-site tunnel

In the Remote Gateway field of the IKE Endpoint Configuration section, enter the Public address found in the Network parameters of the configuration file we downloaded.

The configuration entries we use in this section can be found in the Network parameters and IPsec/IKE parameters sections of the configuration file we downloaded.

Next, skip to the Pre-shared key field, and enter the PSK we used while setting up the Azure part of the connection, you can also find it in the IPsec/IKE parameters section of the configuration file we downloaded.

Proceed with the defaults, and click Save, then Apply Changes

Next, click Show Phase 2 entries, click Add P2, Enter the next configurations using the sample below

Click Save and Apply Changes

Next, proceed by navigating to Status, Click IPsec

Click Connect P1 and P2s, You should get something similar to the below output

Note: If you encounter any issues with the above step, make sure you are not behind a firewall or be sure to allow IPsec traffic on your host machine or modem.

After a couple of minutes (which takes around 10 minutes), hit the refresh button on the connection instance, and you should see that you are connected

And, we are done setting up our Site-to-site VPN tunnel

Installing and Configuring Security Onion

In the previous section, we successfully configured our VPN tunnel. In this section, we will configure Security Onion as our IDS solution. Security Onion is a free and open platform that can be used by cybersecurity analysts and engineers. You can read more about Security Onion here.

We will be using the Eval Node Type of the Security Onion Architecture which is used mainly for testing purposes, it enables us to sniff live network traffic. The evaluation mode simply allows us to test out Security Onion.

source https://docs.securityonion.net/en/2.4/_images/network-horiz.png

Security Onion has heavy resource requirements, for high-end labs, you may not worry about it, but this lab allows us to provision resources in the cloud when our lab cannot handle such resources.

Let us head to Azure to provision our security onion instance.

There are two ways we can provision our Security Onion instance, the first is using a production-ready image from the Azure marketplace, and the other is creating one from scratch, while I will show you how to accomplish the first, this lab will focus on the latter.

Option 1 - Creating a Security Onion distro via Azure Marketplace

Navigate to the portal's home screen, Click the search bar and search security onion, you should see something similar to the one below

Click Security Onion in the Marketplace search results

Note, You get a first month free using this image from the marketplace, then starting at 0.028/hr plus Azure Infrastructure costs. Alternatively, you can rent a VM and upload the security onion image which is free (though you need to still take into account Azure infra costs).

Click Create

Next, you will be taken to Create a virtual machine window

For new customers with trial subscriptions, most of the costs incurred in creating and using this machine will be deducted from the trial credits of $200. Let us proceed

Select the appropriate resource group

Enter a Virtual machine name

For Availability options, select No infrastructure redundancy required

Security Type, enter Standard

Size, It is recommended to use 4vcpus and a minimum of 12GiB memory to run an Evaluation instance, please be cost-conscious.

Authentication type, Select SSH public key, this is needed as we will configure the instance via our home-lab Kali Linux.

Generate a new key pair

Click Next: Disks for disk set-up

At the OS disk type, change to Standard SSD

Untick Delete with VM, This enables us to tear down the instance without losing the saved data (we avoid paying for the VM instance, but pay little for the storage), you will have to delete it separately if not needed

Proceed by clicking Next: Networking to set up our network configuration

We want to select our home lab virtual network

Subnet should be the default or any private subnet within the vnet.

Public IP, select None

Proceed with the remaining defaults by Clicking Review + create

Option 2 - Creating a Security Onion distro from scratch

Using the previous step is great for production use cases especially when we have extra bucks to spare. But in this lab setup, we will build our instance by creating our Security Onion distro. Let's get started by going to our Azure portal.

Proceed by creating a new virtual machine,

Resource group, select the homelab-rg resource group we created

Virtual machine name, give it an appropriate name

Image, click See all images

Search for Rocky Linux

Choose Rocky Linux for x86_64 (AMD64) - Official

Select Rocky Linux 9 - x64 Gen 2

Size, select B4ms (this has 4 vCPUs and 16 GiB RAM which is the recommended requirements to run an EVAL version of Security Onion)

Note Make sure you deallocate all VM instances when not in use as they can accumulate costs.

Authentication type, select Password

Username, enter securityonion

Password, Enter a password

Public inbound ports, select None

Proceed with the remaining defaults,

Click Next: Disks

OS disk size, Select at least 200GB as it is the least recommended in the Security Onion docs.

OS disk type, Select Standard SSD (gives us reduced cost)

Click Next: Networking

Subnet, Select a subnet with a NAT gateway attached (as it is needed to connect to the internet)

Public IP, select None (we only want to connect via our VPN and not via the public internet)

Click Review + create, click Create

Once created, Click Go to resource*

Click on Stop to stop the running VM

Next, we need to create 2 network adapters to be attached to our instance

select Network settings under the Networking section at the left sidebar of the page.

Next, click on Attach network interface

Click Create and attach network interface

Resource group, choose the homelab-rg resource group

Subnet, choose the default subnet (172.16.0.0)

Private IP address assignment, choose Static and provide an IP address

Proceed by clicking Create

Once created, we need to create another one,

Next, go back to Overview and Start the machine (ensure the 2 NICs are attached before starting).

Now, let us connect to our instance via our local Kali VM. Proceed by launching the terminal on Kali, and make sure that you are connected to our Azure VPC via VPN.

First, we try to ping our security onion instance

If you are having any trouble,

• Make sure your VPN is working
• Your remote instance is up and running
• Your DDNS settings are correct and your current IP has been updated

Next, we SSH into our remote VM

Before we install Security Onion, we must configure the newly attached Network Interface Card (NIC).

First, we need to know the network adapters we will be configuring. We can know this by listing the interfaces on our instance. Type:

sudo ip addr show

In the screenshot above, we have the following NICs

While the IPs and interface cards might be similar in your set-up, the MACs will be different, and it is okay.

eth0 interface will be used as the management interface, take note of its MAC address

eth1 will be used as a monitor interface

eth2 will be used to receive NetFlow traffic from our pfSense machine.

Let us configure the newly attached NICs.

sudo dnf update -y

sudo dnf install NetworkManager-dispatcher-routing-rules -y

sudo systemctl enable NetworkManager-dispatcher.service

sudo systemctl start NetworkManager-dispatcher.service

echo "201 eth1-rt" | sudo tee -a /etc/iproute2/rt_tables
echo "202 eth2-rt" | sudo tee -a /etc/iproute2/rt_tables

sudo tee -a /etc/sysconfig/network-scripts/rule-eth1 <<EOF
from 172.16.0.10/32 table eth1-rt
to 172.16.0.10/32 table eth1-rt
EOF

sudo tee -a /etc/sysconfig/network-scripts/rule-eth2 <<EOF
from 172.16.0.11/32 table eth2-rt
to 172.16.0.11/32 table eth2-rt
EOF

sudo tee -a /etc/sysconfig/network-scripts/route-eth1 <<EOF
172.16.0.0/24 dev eth1 table eth1-rt
default via 172.16.0.1 dev eth1 table eth1-rt
EOF

sudo tee -a /etc/sysconfig/network-scripts/route-eth2 <<EOF
172.16.0.0/24 dev eth2 table eth2-rt
default via 172.16.0.1 dev eth2 table eth2-rt
EOF

sudo systemctl restart NetworkManager

We can now proceed to install some packages (creating our Security Onion distro)

SEC_ONION_REPO="https://github.com/Security-Onion-Solutions"

sudo dnf update -y 

sudo dnf install git -y

git clone ${SEC_ONION_REPO}/securityonion.git

sudo chown $USER:$USER securityonion

sudo mv securityonion /opt/

sudo /opt/securityonion/so-setup-network

Next, you should see an interface like this

Would you like to continue the install?, select Yes

Would you like to continue?, select Yes

What kind of installation would you like to do?, select EVAL

Type AGREE, and select Ok

Enter the hostname (not FQDN) you would like to set:

Enter a hostname of your choice

Select Ok or press Enter key to proceed

Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Select Yes if you've already configured these settings. Otherwise, select No to quit., Select Yes

Next, select Ok

Please select the NIC you would like to use for management., Select the first item, eth0 and proceed by pressing Enter key or Ok

How would you like to connect to the Internet?, Select Direct

Do you want to keep the default Docker IP range?, select Yes

Please add NICs to the Monitor Interface:, Using the Spacebar Select eth1 as the monitor interface.

Next, Enter an email and password which will be used to create the admin account.

How would you like to access the web interface?, Select IP

Do you want to allow access to this Security Onion installation via the web interface?, Select Yes

Enter a single IP address or an IP range, in CIDR notation, to allow:, Enter 192.168.1.0/24

Next, your choice

Proceed by selecting Yes

Next, Security Onion will start installing some necessary packages and proceed to configuring them. Go have a coffee, as this may take a while.

After a while, you should get an interface similar to the one below indicating a successful installation.

Next, open our browser on the Kali VM, navigate to https://172.16.2.4, Click Advanced, then click Accept the Risk and Continue

We should have something similar to the one below

This is the Security Onion Console's login page, enter the email and password you used when setting up Security Onion. You should see something similar to the one below on a successful login

We now have a Security Onion instance we can practice with.

Configuring Packet Forwarding from pfSense to Security Onion using Netflow protocol

In this lab session, we need to forward packets captured by the SpanPort interface to our security onion instance on Azure.

Firstly, we need to add the Elastic integration for NetFlow Records on our Security Onion instance, we can do this by logging into our Security Onion console page via our Analyst Workstation (Kali VM).

Next, click on Elastic Fleet, enter the credentials you used when creating the Security Onion instance

On Elastic dashboard, click Agent policies tab, click so-grid-nodes-general

Click Add integration

Search for netflow and then click on NetFlow Records

The Elastic Integration page will show an overview of the NetFlow Integration. Review all information on the page and then click the Add NetFlow Records button.

In the Add NetFlow Records integration page, enter the following values for the fields:

integration name: netflow

UDP host to listen on: 0.0.0.0

UDP port to listen on: 2055

Click the Save and continue button and then click Save and deploy changes

Next, we need to allow netflow traffic through the firewall on our Security Onion instance. Let us do this going back through our Console dashboard

Navigate to Administration >> Configuration

At the top of the page, click the Options menu and then enable the Show advanced settings option

On the left side, go to firewall, select hostgroups, and click the customhostgroup0 group. On the right side, enter the IP address/CIDR block of the NetFlow exporter (192.168.0.0/16) and click the checkmark to save.

On the left side, go to firewall, select portgroups, select the customportgroup0 group, and then click udp. On the right side, enter the NetFlow listener port (2055) and click the checkmark to save.

On the left side, go to firewall, select role, and then select the node type that will receive the NetFlow records (eval). Then drill into chain >> INPUT >> hostgroups >> customhostgroup0 >> portgroups. On the right side, enter customportgroup0 and click the checkmark to save.

Under the Options menu at the top of the page, click the SYNCHRONIZE GRID button to immediately apply the rules

Next, let us proceed by logging into our pfSense dashboard, navigate to System >> Package Manager >> Available Packages

In the Search term field, search for softflowd and install it

Next, navigate to Services >> softflowd

Under the General Settings, in the Interface selection box, select SPANPORT

Host, enter 172.16.0.11
Port, enter 2055

Scroll to the bottom of the page and click Save

Once all configuration is complete, you should be able to go to the Security Onion Console and under Dashboards, select the NetFlow dashboard to see your NetFlow records.

You can also collect firewall logs from pfSense by following the steps here

That is all for Security Onion

Configuring a Windows Server as a Domain Controller

In this section of the lab, we will set up an Active Directory (AD) Domain using a Windows 2019 Server as the Domain Controller and also proceed to add 2 Windows machines to the Domain Controller.

Proceed by downloading the Windows 2019 Server Eval Copy and Windows 11

Note: Before proceeding with the Windows Server installation, do not start the machine, until:

• Ensure you install on VMWare with the defaults
• Ignore the Product key and simply skip it
• By default, a network adapter is attached when creating the VM, ensure you change the assigned network to VMnet3

Let us proceed by powering up the VM.

Click Next

Click Install now

Select *Windows Server 2019 Standard Evaluation (Desktop Experience) *

Accept the licence terms and Click Next

Select Custom: Install Windows only (advanced)

Click Next

When the installation completes, create a password, and sign in

Upon a successful installation, you should end up with the screen below

Rename the Domain Controller

1. Open System Properties:

   • Press Win + R to open the Run dialog.
   • Type sysdm.cpl and press Enter.

2. Change the Computer Name:

   • In the System Properties window, go to the Computer Name tab.
   • Click on Change to rename the domain controller.

3. Enter the New Name:

   • Under Computer Name, type the new name for your domain controller.
   • Click OK and follow any prompts.

4. Restart the Domain Controller:

   • A restart is required to apply the name change.
   • The domain controller will restart and reflect the new name upon completion.

After the reboot, On the Server Manager Dashboard, Click Manage >> Add Roles and Features

Click Next until you get to Server Roles Menu, Select Active Directory Domain Services

Click Add Features

Proceed by Click Next until you get to Confirmation Menu, then click Install

After the installation, Click Close

Next, on the top-right corner of the dashboard, click on the flag with a yellow caution icon. Then click Promote this server to the domain controller

• Select Add a new forest
• Specify a domain name
• Click Next

Set a password

Click Next until you get to the Prerequisites Check Menu

Click Install and wait for reboot.

Configuring Active Directory Certificate Services on our Domain Controller

In this sub-section, We aim to install and configure AD Certificate Services

Once the system reboots, Log back in

Select Manage >> Add Roles and Features

Click Next until you get to Server Roles

Select Active Directory Certificate Services

Click Add Features

Click Next until you get to Confirmation Menu

Check Restart the destination server automatically if required

Click Yes in the pop-up dialog box

Click Install

After the installation, click Close

Next, Click on the flag with the yellow caution icon located at the top-right corner of the page

Click Configure Active Directory Certificate Services on the destination server

On the wizard screen, click Next

On the Role Services Menu, check Certification Authority

Click Next until you get to Validity Period Sub-Menu under Private Key

Change to 15 Years, Click Next until you get to Confirmation menu

Click Configure, then click Close

You should manually restart the server for changes to take effect.

Configuring DHCP Server on our Domain Controller

In this sub-section, our aim is to set up Dynamic Host Configuration Protocol (DHCP) Service so our domain controller can issue IPs on its network.

Note: We could have enabled DHCP for the network on the pfSense side, I chose this approach instead.

Select Manage >> Add Roles and Features

Click Next until you get to Server Roles

Select DHCP Server

Click Add Features

Click Next until you get to Confirmation Menu

Check Restart the destination server automatically if required

Click Yes in the pop-up dialog box

Click Install

After the installation, click Close

Next, Click on the flag with the yellow caution icon located at the top-right corner of the page

Click Complete DHCP configuration

On the wizard screen, click Next

On the Authorization Menu, click Commit

Click Close

Next, let's configure DHCP Scopes

On the top-right corner, click tools >> DHCP

In the DHCP management console, click on our domain name **(cybercrex.internal)

Right-click on IPv4 (or IPv6 if applicable) and select New Scope.

Follow the New Scope Wizard to configure a range of IP addresses, subnet mask, and other options to be distributed to clients.

Name, enter Desktop clients

Click Next

Start IP address, enter 192.168.2.1

End IP address, enter 192.168.2.254

Click Next

Exclude the following ranges,

192.168.2.1 to 192.168.2.10

192.168.2.201 to 192.168.2.254

Click Next until you get to **Router (Default Gateway)

Add 192.168.2.1

Click Next

Server name, enter your domain controller name -dc (e.g.cybercrex-dc) and click resolve

Next, click Add

Click Next until Finish

Next, let us add some users

On the Server Manager dashboard, Navigate to the top-right corner of the screen, click Tools >> Active Directory Users and Computers

Select your domain name (cybercrex.internal) > Users

Right-Click on Users > New > User

Fill in the User details, First Name, Last Name, and User logon name

Enter a password (in an organization, this can be a deterministically created password which is then required from the user to change at the next logon)

Check User must change password at next logon

Click Next, >> Finish

Next, create another user with different details

Next, we must configure our AD's default gateway to pfSense.

To open Network Connections settings, you can follow these steps:

1. Press Win + R to open the Run dialog.
2. Type ncpa.cpl and press Enter.

This will open the Network Connections window, where we can view and manage your network adapters and settings.

Right-click on the adapter Ethernet 0, click Properties

Double-click on Internet Protocol Version 4 (TCP/IPv4)

Enter the following configuration, and click Ok

This is the end of the Domain Controller's configuration. You can check The Cyber Mentor's video and follow it by this lab.

Configuring Windows Desktops & Onboarding Users Accounts to the AD Domain

In this lab section, we aim to add 2 Windows desktops to the Domain and complete the AD lab. This portion of the lab is easy to set up, and it will be on The Cyber Mentor's YouTube guide, which is referenced on the original Cyberwox's lab.

It is not a must to add 2 Desktops in this lab, successfully adding one is sufficient.

Ensure you have the Windows 11 evaluation copy downloaded.

Note: Before proceeding with the Windows Desktop installation, do not start the machine, until:

• Ensure you install on VMWare with the defaults
• Ignore the Product key and simply skip it
• By default, a network adapter is attached when creating the VM, ensure you change the assigned network to VMnet3

Next, power on the VM to begin the installation

Click Next

Click Next

Make sure Install Windows 11 is selected

Check I agree everything will be deleted including files, apps, and settings

Click Next

Click Accept

Click Next

Click Install

After installation, the VM will restart

Select your preferred language and keyboard

Select I don't have internet

Enter the name of the first user we created on our AD (John Doe)

Create a password and follow the wizard through

Once installation is finished, we proceed to join this PC to our Domain

To join our domain, follow these steps:

1. Press Win + R to open the Run dialog.
2. Type sysdm.cpl and press Enter. This opens the System Properties window.
3. In the System Properties window, make sure you are at the Computer Name tab.
4. Click on Change... next to "To rename this computer or change its domain..."
5. In the next window, select Domain under "Member of," and enter the name of the domain you want to join e.g. (cybercrex.internal).
6. Click OK and provide domain credentials when prompted.
7. Restart the computer to complete the process.

After the restart, Click Other User then sign in with any of the user's credentials we created on our AD

Login and complete the onboarding process

Repeat the steps with the other machine, you can try it using Windows 10 too. Download Windows 10 Evaluation

Installing and Configuring Splunk

In this section, we are going to install and configure Splunk.

In the cybersecurity industry, Splunk is a leading platform for collecting, monitoring, and analyzing security data in real time, enabling rapid threat detection, incident response, and compliance through powerful data insights and automation.

You can learn more about Splunk here

We will be creating our Splunk instance on a Ubuntu Server VM, so let us download the Ubuntu server image here

After downloading the image, create a new VM using the Ubuntu Server image. The VM should have the following setup:

• RAM: 4GB (4096 MB)
• Processors: 2
• Hard Disk: 100GB

You can start the VM to begin the installation

Proceed by accepting the defaults

Use the following settings for Guided Storage configuration

Next set up a profile

Upgrade to Ubuntu Pro, select Skip for now

Next, SSH configuration, depending on your preference, you can install OpenSSH server

Next, proceed with the defaults and reboot when installation is complete.

During reboot, you will asked to unmount the image, simply press the Enter key to proceed

After a successful reboot, you should be shown a similar interface as below, simply enter the credentials you used during the Ubuntu installation

For the Splunk server installation, there are two options:

1. Accessing it via an Analyst workstation/VM using SSH
2. Installing a GUI (Ubuntu Desktop) on the Ubuntu Server

In this lab, I'll be installing a GUI on the Ubuntu Server for this lab using the following steps:

# Install tasksel

sudo apt update
sudo apt install tasksel

# Install the Ubuntu desktop GUI but note that there are a variety of desktop flavors to choose from

sudo tasksel install desktop

# Reboot the server
reboot

After rebooting, you should have your GUI

Installing Splunk

On the Ubuntu server, open your browser and navigate to https://splunk.com

Click on Free Splunk

Create an account or log in

Under Products >> Free Trials & Downloads >> Splunk Enterprise

Click Get My Free Trial

Select the linux package and download the .tgz package

Next, open the terminal and navigate to the Downloads directory

Next, untar and install Splunk

# Untar the download

tar -zxf splunk-*

./splunk/bin/splunk start

Enter an administrator username and a password

Next, open your browser and navigate to HTTP://splunk:8000

Login with the credentials you created

Installing Splunk Universal Forwarder on Windows Server

One of the processes to accomplish Endpoint Detection and Response (EDR) is to log the activities of our endpoint. To log the activities on our endpoint, Splunk uses a method or agent called the Universal Forwarder. The Universal Forwarder can be installed on Linux/Unix, Windows and Mac systems to forward logs to our Splunk instance.

Before proceeding to our Windows Server, Add a new network adapter to the Splunk instance, and ensure you assign the adapter to the vmnet4 network.

After adding the network adapter, open the Splunk dashboard, navigate to Settings >> Forwarding and receiving >> Add new receiving port

Enter 9997 and Click Save

Navigate to Settings >> Indexes >> New Index

Index Name, enter wineventlog and Click Save

Next, open your terminal and type

sudo ip link show, what we are looking for is the name of our newly attached interface which is currently down. In my own case below, it is ens7

Next type sudo ip link set dev up e.g. sudo ip link set dev ens37 up

Next run this script, replace ens37 with the appropriate interface

sudo tee -a /etc/netplan/01-netcfg.yaml <<EOF

network:
  version: 2
  ethernets:
    ens37:  # Replace with your network interface name
      dhcp4: false
      addresses:
        - 192.168.3.10/24  
      routes:
        - to: default
          via: 192.168.3.1  
      nameservers:
        addresses:
          - 192.168.3.1
          - 8.8.4.4

EOF

sudo netplan apply

We can now proceed to the Windows Server, open the browser and download the Universal Forwarder

You may encounter an issue when using Internet Explorer, follow these steps to fix it:

1. Open Internet Options by clicking on the gear icon or from the Control Panel.
2. Go to the Security tab, select Internet zone, then click Custom level....
3. Scroll to Downloads, locate File download, and select Enable.
4. Click OK to save the settings, then Apply and OK to close.

Restart Internet Explorer and try the download again.

I recommend you download a different browser

After downloading, install it

Accept the License Agreement

Click Next

Create a username and password and Click Next

Under the Deployment Server,

In the Hostname field, enter 192.168.3.10, and enter 8089 in the Port field

Under the Receiving Indexer

In the Hostname field, enter 192.168.3.10, and enter 9997 in the Port field

Next, let's proceed to our Splunk Instance's dashboard

Navigate to Settings >> Add Data >> Forward

Select a Server Class under the Available hosts(s) menu, select our Windows Domain Controller, in the New Server Class Name field,enter Domain Controller

At the top-right corner, Click Next

Select Local Event Logs, choose your desired event logs

Click Next

Select wineventlog (the receiver index we created) as the index

Click Next and click Submit

Ubuntu/CentOS/Metasploitable/DVWA/Vulnhub Machines: Optional machines for exploitation, detection, and monitoring purposes

We have concluded the lab, note that we can further advance the lab by adding different types of machines for practice.

You have garnered the knowledge and tools you need to do a lot of labs, research, and anything you want to do. Work on detection rules, SIEM content, rule tuning, and attack scenarios to build skills from various angles.

Important Notes

1. To avoid outrageous costs in the cloud, ensure all VMs are shut down via the Azure console, APIs or CLI when not in use.

2. After shutting down VMs, you will be charged for storage, and public IP resources that are not deprovisioned.

3. Also, you will be charged for the VPN appliance until you deprovision it.

4. You are also charged for egress traffic to the internet and cross-regional communication.