The Complete Mandiant Offensive Virtual Machine (“ href="https://github.com/fireeye/commando-vm">Commando VM”)
swept the penetration testing community by storm when it debuted in
early 2019 at Black Hat Asia Arsenal. Our href="/content/fireeye-www/en_US/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html">1.0
release made headway featuring more than 140 tools. Well now we
are back again for another spectacular release, this time at Black Hat
USA Arsenal 2019! In this 2.0 release we’ve listened to the community
and implemented some new must have features: Kali Linux, Docker
containers, and package customization.
Penetration testers commonly use their own variants of Windows
machines when assessing Active Directory environments. We specifically
designed Commando VM to be the go-to platform for performing internal
penetration tests. The benefits of using Commando VM include native
support for Windows and Active Directory, using your VM as a staging
area for command and control (C2) frameworks, more easily (and
interactively) browsing network shares, and using tools such as href="https://www.harmj0y.net/blog/redteaming/powerview-2-0/">PowerView
and BloodHound without any worry
about placing output files on client assets.
Commando VM uses Boxstarter,
Chocolatey, and href="https://myget.org/">MyGet packages to install software and
delivers many tools and utilities to support penetration testing. With
over 170 tools and growing, Commando VM aims to be the de facto
Windows machine for every penetration tester and red teamer.
Since its initial release at Black Hat Asia Arsenal in March 2019,
Commando VM has received three additional updates, including new tools
and/or bug fixes. We closed 61 issues on GitHub and added 26 new
tools. Version 2.0 brings three major new features, more tools, bug
fixes, and much more!
In 2016 Microsoft released the href="https://docs.microsoft.com/en-us/windows/wsl/about">Windows
Subsystem for Linux (WSL). Since then, pentesters have been
trying to leverage this capability to squeeze more productivity out of
their Window systems. The fewer Virtual Machines you need to run, the
better. With WSL you can install Linux distributions from the Windows
Store and run common Linux commands in a terminal such as starting up
an SSH, MySQL or Apache server, automating mundane tasks with common
scripting languages, and utilizing many other Linux applications
within the same Windows system.
In January 2018, Offensive Security announced support for href="https://www.kali.org/tutorials/kali-on-the-windows-subsystem-for-linux/">Kali
Linux in WSL. With our 2.0 release, Commando VM officially
supports Kali Linux on WSL. To get the most out of Kali, we've also
included href="https://sourceforge.net/projects/vcxsrv/">VcXsrv, an X
Server that allows us to display the entire Linux GUI on the Windows
Desktop (Figure 1). Displaying the Linux GUI and passing windows to
Windows had been href="https://www.kali.org/news/kali-linux-in-the-windows-app-store/">previously
documented by Offensive Security and other href="https://blog.ropnop.com/configuring-a-pretty-and-usable-terminal-emulator-for-wsl/">professionals,
and we have combined these to include the GUI as well as shortcuts to
take advantage of popular programs such as href="https://launchpad.net/terminator">Terminator (Figure 2) and
href="https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project">DirBuster (Figure 3).
Figure 1: Kali XFCE on WSL with VcXsrv
Figure 2: Terminator on Commando VM –
Kali WSL with VcXsrv
Figure 3: DirBuster on Commando VM – Kali
WSL with VcXsrv
Docker is becoming increasingly popular within the penetration
testing community. Multiple blog posts exist detailing href="https://blog.ropnop.com/docker-for-pentesters/">interesting
functionality using href="https://www.vdalabs.com/2019/04/09/docker-for-hackers-from-apt-install-docker-ce-to-pwn-in-10-minutes-or-less/">Docker
for pentesting. Based on its popularity href="https://github.com/fireeye/commando-vm/wiki/Commando-VM-Roadmap">Docker
has been on our roadmap since the 1.0 release in March 2019, and
we now support it with our release of Commando VM 2.0. We pull tools
such as Amass and href="https://github.com/smicallef/spiderfoot">SpiderFoot and
provide scripts to launch the containers for each tool. Figure 4 shows
an example of SpiderFoot running within Docker.
Figure 4: Impacket container running on Docker
For command line docker containers, such as Amass, we created a
PowerShell script to automatically run Amass commands through docker.
This script is also added to the PATH, so users can call class="code">amass from anywhere. This script is shown in
Figure 5. We encourage users to come up with their own scripts to do
more creative things with Docker.
Figure 5: Amass.ps1 script
This script is also executed when the shortcut is opened.
Figure 6: Amass Docker container executed
via PowerShell script
Not everyone needs all of the tools all of the time. Some tools can
extend the installation process by hours, take up many gigabytes of
hard drive space, or come with unsuitable licenses and user
agreements. On the other hand, maybe you would like to install
additional reversing tools available within our popular href="https://github.com/fireeye/flare-vm">FLARE VM; or you
would prefer one of the many alternative text editors or browsers
available from the
chocolatey community feed.
Either way, we would like to provide the option to selectively install
only the packages you desire. Through customization you and your
organization can also share or distribute the profile to make sure
your entire team has the same VM environment. To provide for these
scenarios, the last big change for Commando 2.0 is the support for
installation customization. We recommend using our href="https://github.com/fireeye/commando-vm/blob/master/commandovm.win10.installer.fireeye/tools/packages.json">default
profile, and removing or adding tools to it as you see fit. Please
read the following section to see how.
Before we start, please note that after customizing your own edition
of Commando VM, the
cup all command will only upgrade
packages pre-installed within your customized distribution. New
packages released by our team in the future will not be installed or
upgraded automatically with
cup all. When needed, these new
packages can always be installed manually using the
cinst or
choco install command, or by adding
them to your profile before a new install.
To start customizing your own distribution, you need the following
three items* from our public href="https://github.com/fireeye/commando-vm">GitHub repository:
*Note: If you download the project ZIP from GitHub it will contain
all three items.
The install script will now support an optional
-profile_file argument, which
specifies a JSON profile. Without the
-profile_file argument, running
.\install.ps1 will install the default
Commando VM distribution. To customize your edition of Commando VM,
you need to create a profile in JSON format, and then pass that to the
-profile_file argument. Let us explore
the sample
profile.json profile (Figure 7).
Figure 7: profile.json profile
This JSON profile starts with the
env dictionary which specifies many
environment variables used by the installer. These environment
variables can, and should, be left to their default values. Here is a
list of the supported environment variables:
With the packages variables set, you can now specify which packages
to install on your own distribution. Some packages accept additional
installation arguments. You can see an example of this by looking at
the
openvpn.fireeye entry. For a complete
list of packages available from our feed, please see our href="https://github.com/fireeye/commando-vm/blob/master/packages.csv">package list.
Once you finish modifying your profile, you are ready for
installation. Run
powershell.exe with elevated
privileges and execute the following commands to install your own
edition of Commando VM, assuming you saved your version of the profile
named:
myprofile.json (Figure 8).
Figure 8: Example myprofile.json
The
myprofile.json file can then be shared
and distributed throughout your entire organization to ensure everyone
has the same VM environment when installing Commando VM.
Commando VM was originally designed to be the de facto Windows
machine for every penetration tester and red teamer. Now, with the
addition of Kali Linux support, Docker and installation customization,
we hope it will be the one machine for all penetration testers
and red teamers. For a complete list of tools, and for the
installation script, please see the href="https://github.com/fireeye/commando-vm">Commando VM GitHub
repository. We look forward to addressing user feedback, adding
more tools and features, and creating many more enhancements for this
Windows attack platform.