Need a way to throw yourself off the deep end and dive into Ansible, Terraform, Vagrant, PowerShell, Python, and Packer, all while setting up a lab full of security exploration, monitoring, and exploitation tools? Good, you should check out DetectionLab!
I’ve been configuring my own labs for years, the manual way. That means downloading iso files for Windows desktop/server, Linux, and whatever else I want to deploy at the time. Then running through the installation of each.
Want to set up an Active Directory domain to test various exploits against? No problem, go through and set it up. Of course, that means installing all the services it requires like DNS, creating user accounts, setting up DHCP, group policy, etc. Is it hard to do? No, I wouldn’t say that. It’s just time consuming. Plus, we haven’t even talked about tools like Splunk, Zeek, Suricata, Osquery, Velociraptor, Guacamole, setting up logging and log forwarding…well, you get the point!
Enter DetectionLab! It’s a project that was put together for defensive security folks to have a quick way to deploy a pre-configured test lab full of tools and hosts to play with.
For me, I wanted to learn about the scripting tools used to deploy the lab. I figured this was a good way to force my hand!
I started with the Azure deployment, because I’m a cloud geek, and this would allow me to get familiar with automating deployments into Azure.
Here are a few things I learned during the process:
- If you’re doing this from a Mac, don’t forget to install Homebrew; it makes working with and installing various packages much easier.
- You can do this from Windows, but for me, I found working with the various scripts and files to be slightly smoother on macOS. I’m not a programmer, and I’ve been a Windows user for years, but the Mac terminal is very similar to Linux and it just felt a bit less clunky for this process. That’s just my opinion after trying on both.
- If you run into the “ERROR! A worker was found in a dead state” message when running Ansible commands, put this in front of the command: no_proxy="*"
- When using Python commands, type python3 if you are running Python 3 scripts. You may know this, but again, I’m not a coder lol.
- Similarly, when using pip commands, type pip3. I spent a lot of time scratching my head as to why my commands weren’t working properly.
- If you’ve never created a key pair before, you can quickly create an SSH key pair using: ssh-keygen -t rsa
- If you add a passphrase to your key pair, Terraform will error out during the build process. I’m sure there’s a way to do it, but I just created a deployment key pair without a passphrase attached for testing the process.
- Terraform and Ansible are really cool tools!
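To make the key-pair tip above a repeatable preflight check rather than a weekend of head scratching, here is a small shell script (an added example, not DetectionLab's own code) that creates a dedicated passphrase-less deployment key and verifies it can be loaded non-interactively before Terraform ever touches it. It assumes OpenSSH's ssh-keygen is on PATH; the key path and comment are my own choices.

```shell
#!/bin/sh
# Added example (not DetectionLab code): create a dedicated, passphrase-less
# deployment key pair and verify it before handing it to Terraform.
# Assumes OpenSSH's ssh-keygen is installed and on PATH.

# Generate an RSA key pair at $1 with an empty passphrase (-N '').
# Refuses to run if a file already exists at $1, so an existing key is never overwritten.
make_deploy_key() {
    [ -e "$1" ] && { echo "refusing to overwrite $1" >&2; return 1; }
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$1" -C "detectionlab-deploy"
}

# Returns 0 if the private key at $1 loads without a passphrase, 1 otherwise.
# ssh-keygen -y derives the public key from the private key; -P '' supplies an
# empty passphrase, so a passphrase-protected key makes the command fail
# instead of prompting (which is exactly what breaks an unattended Terraform run).
key_is_passphraseless() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Preflight gate: exit non-zero unless the deploy key is usable non-interactively.
preflight_deploy_key() {
    if key_is_passphraseless "$1"; then
        echo "ok: $1 has no passphrase; Terraform can use it unattended"
        return 0
    fi
    echo "error: $1 is passphrase-protected or unreadable; Terraform will error out" >&2
    return 1
}

# Usage (uncomment to run): keep the deploy key separate from your personal key.
# make_deploy_key "$HOME/.ssh/detectionlab_deploy" && preflight_deploy_key "$HOME/.ssh/detectionlab_deploy"
```

Because the deployment key has no passphrase, treat it as lab-only: keep it out of your normal ssh-agent and delete it along with the Azure resources when you tear the lab down.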
I thought about doing a video on the process, but to be honest it takes a while for DetectionLab to download and install everything. Still, it is much less time than deploying each host and tool manually.
Oh and please note that if you’re not on an Azure free plan, you WILL rack up a bill for this. So I basically deployed it, checked that everything was working, and deleted the resources from my Azure subscription.
What I loved most about the process is the troubleshooting I had to do when things didn’t work. I got frustrated, I doubted myself, and I almost threw my keyboard at the monitor a few times. Once I got it deployed, it was all worth it though! I ended up running the deployment multiple times over a weekend and got familiar with various commands within Terraform and Ansible, along with getting to know Homebrew, PowerShell, Python syntax, etc.
Deploying the VMware version was a bit more straightforward for me, but this was my first time using Vagrant as well, so there was a slight learning curve when it came to syntax and using it properly. All of the troubleshooting during the Azure deployment definitely proved to be useful for me here.
I still have the VMware version of DetectionLab set up, so if I want to fire it up and play around without racking up an Azure bill I can. I’m going to try deploying it to AWS as well, just to get familiar with the process. Of course I’ll let you know how that goes.
Overall I think DetectionLab is worth installing for anyone who wants to get experience deploying infrastructure to the cloud, running Vagrant, or getting familiar with the various tools used to automate infrastructure deployments in the cloud or locally in a virtualized environment. Of course, once you have it deployed you have a pretty cool lab for security analysis, testing, and monitoring.
Though it is aimed at defensive security, it is no doubt useful for offensive security as well. It gives you a safe place to test attacks and vulnerabilities while also seeing how that activity will show up within the various monitoring tools within the lab.
If you’ve tried it yourself I’d love to hear what you think, what you’ve learned, and where you had troubles, if any.
As someone who is NOT a coder, I felt this was a great way to get my hands dirty with a lot of scripting and automation because there was an end goal I was trying to reach. It wasn’t just theory, I was actually working towards a result.
I wanted to have a cool lab environment to test in!
You can check out the DetectionLab project here: https://detectionlab.network/introduction/
Have fun!