IR 371: Velociraptor Server on Linux (25 pts)

What You Need for This Project

Purpose

To install a Velociraptor server on Linux and use it to monitor a Windows endpoint. This is the normal arrangement: the server runs on Linux, and each client connects outbound to it over TLS.

Task 1: Installing Velociraptor on Linux

Preparing the Server

On your Linux server, in a Terminal or SSH window, execute these commands, adjusting the velociraptor filename to match the file you noted earlier.

These commands download the Linux binary (Velociraptor ships as a single executable, not an installer), make it executable, and run it to generate a server configuration file:

cd
mkdir velociraptor
cd velociraptor

wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-2-linux-amd64

chmod +x velociraptor-v0.7.0-2-linux-amd64
./velociraptor-v0.7.0-2-linux-amd64 config generate > velociraptor.config.yaml
On your Linux server, execute this command to find your server's IP address, and make a note of it; you will need it for the configuration file and for the GUI URL:

ip a
On your Linux server, execute this command to edit the server configuration file:
nano velociraptor.config.yaml
Press Ctrl+W, then Ctrl+R, to open nano's search-and-replace. Find localhost and replace it with your server's IP address for all occurrences (there are two of them).

Repeat the process to replace 127.0.0.1 with your server's IP address for all occurrences (there are three of them).

Left at their loopback defaults, these values make the GUI and API listen only on the server itself and point clients at their own machine, so neither your Windows browser nor a remote client could reach the server.

Save the file with Ctrl+X, Y, Enter.

On your Linux server, execute these commands to move the server configuration file to its permanent location and create an admin user:

sudo mv velociraptor.config.yaml /etc

./velociraptor-v0.7.0-2-linux-amd64 --config /etc/velociraptor.config.yaml user add admin --role administrator
When you are prompted to, enter a password you can remember.

On your Linux server, execute this command, to start the server:

./velociraptor-v0.7.0-2-linux-amd64 --config /etc/velociraptor.config.yaml frontend -v
The server starts, as shown below. By default the frontend listens for clients on TCP port 8000 and the GUI on TCP port 8889.

Leave this window open, and leave the process running.
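The server-preparation steps above, scripted, as an added example that is not part of the original page or of the Velociraptor project. It assumes the binary name used on this page (override with VELO_BIN), the /etc config path (override with CONFIG), and that hostname -I reports the address clients should use (override with ADDR). The editing functions work on any file, so they can be checked against a sample config without touching the system; the full flow, which calls the Velociraptor binary and sudo, only runs when VELO_RUN=1.

```bash
#!/bin/sh
# Added example: scripted version of "Preparing the Server" above.
# Assumptions (not from the page): VELO_BIN is the downloaded Linux binary,
# CONFIG is where the server config lives, ADDR is the address to publish.
set -eu

VELO_BIN="${VELO_BIN:-./velociraptor-v0.7.0-2-linux-amd64}"
CONFIG="${CONFIG:-/etc/velociraptor.config.yaml}"

# Replace every localhost / 127.0.0.1 in a generated server config with the
# address clients and the GUI should use. Same effect as the nano
# Ctrl+W / Ctrl+R steps. Word boundaries keep e.g. 127.0.0.10 intact.
patch_bind_address() {
    local file="$1" addr="$2"
    sed -i -E \
        -e "s/\blocalhost\b/${addr}/g" \
        -e "s/\b127\.0\.0\.1\b/${addr}/g" \
        "$file"
}

# Number of lines still referring to the loopback address; must be 0 before
# starting the frontend, otherwise nothing outside the server can reach it.
count_loopback_refs() {
    grep -cE '\blocalhost\b|\b127\.0\.0\.1\b' "$1" || true
}

main() {
    # First address reported by hostname -I (assumption: that is the one
    # clients and your browser can reach; set ADDR to override).
    local addr
    addr="${ADDR:-$(hostname -I | awk '{print $1}')}"
    "$VELO_BIN" config generate > velociraptor.config.yaml
    patch_bind_address velociraptor.config.yaml "$addr"
    if [ "$(count_loopback_refs velociraptor.config.yaml)" -ne 0 ]; then
        echo "loopback references remain in velociraptor.config.yaml" >&2
        exit 1
    fi
    sudo mv velociraptor.config.yaml "$CONFIG"
    "$VELO_BIN" --config "$CONFIG" user add admin --role administrator
    echo "Config written to $CONFIG. Start the server with:"
    echo "  $VELO_BIN --config $CONFIG frontend -v"
}

# Only run the full flow on request so the functions can be sourced/tested.
if [ "${VELO_RUN:-0}" = "1" ]; then
    main
fi
```

Run it from the velociraptor directory with VELO_RUN=1 ./prep-server.sh; the user add step still prompts for the admin password. The count_loopback_refs check is the part worth keeping even if you edit by hand: a config with a leftover 127.0.0.1 starts without complaint, and the symptom is only that the GUI or clients cannot connect.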

Viewing the GUI

On your Windows machine, in a Web browser, open the GUI URL for your server (https on port 8889). My URL is outlined in the image above; yours will be different.

Accept the browser's certificate warning. The GUI presents a certificate signed by the private CA that config generate created, so no browser trusts it; in this lab that is expected.

Log in as admin with the password you chose earlier.

You see the GUI, as shown below.

Note for Azure Users

If you are using Azure cloud machines, you will need to open TCP ports 8000 (client frontend) and 8889 (GUI) in the network security group, which is the Azure firewall, for your Linux server, and view the GUI using the public IP address of your Linux server.

To reach the firewall settings, start at https://portal.azure.com/#home and click "Virtual machines", click the name of your Linux server, and click Networking.

Then click the "Add inbound port rule" and configure a rule as shown below.

IR 371.1: Server Name (5 pts)

At the top left, click the house icon to go to the home page, which shows "Server status".

Scroll to the bottom of the page.

The flag is covered by a green rectangle in the image below.

Task 2: Adding a Windows Client

Preparing a Client Config File

On your Linux server, open a new Terminal or SSH session and execute this command, to edit the server configuration file:
sudo nano /etc/velociraptor.config.yaml
Scroll down to the first END CERTIFICATE line, which ends the ca_certificate entry in the Client section.

Below the line that begins with nonce:, insert this line, indented to match it, as shown in the image below:

use_self_signed_ssl: true

This setting tells the client to verify the frontend's TLS certificate against Velociraptor's own CA (the ca_certificate embedded in the client config) rather than against the system's public trust store, which is what a self-signed deployment needs.

Save the file with Ctrl+X, Y, Enter.

Preparing a Windows Client Installer

On your Linux server, execute these commands to extract a client config file from the server config, download the Windows client executable, and combine the two into a single repackaged Windows installer. Repacking embeds client.config.yaml in the executable, so the resulting file carries the server URL, the CA certificate and the enrollment nonce; treat it as sensitive.

The last two commands make sure your Debian server has an SSH server running; WinSCP uses it in the next step.

cd
cd velociraptor

./velociraptor-v0.7.0-2-linux-amd64 --config /etc/velociraptor.config.yaml config client > client.config.yaml

wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-2-windows-amd64.exe

./velociraptor-v0.7.0-2-linux-amd64 config repack --exe velociraptor-v0.7.0-2-windows-amd64.exe client.config.yaml repackaged_velociraptor.exe

sudo apt update
sudo apt install openssh-server -y

Note for Azure Users

Before packaging the Windows client, edit the client.config.yaml file and replace the IP address in the server_urls entry of the Client section with the public address of your Linux server, as shown below. The client config copies the address you put in the server config, which on Azure is the private one.
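The client-preparation steps above (adding use_self_signed_ssl to the Client section, extracting the client config, the Azure address override, and repacking), scripted, as an added example that is not part of the original page or of the Velociraptor project. It assumes the file names used on this page (VELO_BIN, WIN_EXE and CONFIG can be overridden), that the server config is writable by the user running it, and that the only https:// list entry in a client config is the server_urls one. It also writes a SHA-256 of the repackaged executable, which is not a step on the page; the full flow only runs when VELO_RUN=1.

```bash
#!/bin/sh
# Added example: scripted version of "Preparing a Client Config File" and
# "Preparing a Windows Client Installer" above. Assumptions (not from the
# page): VELO_BIN/WIN_EXE/CONFIG names, writable CONFIG, and PUBLIC_ADDR set
# only when the client must reach the server by a different (public) address.
set -eu

VELO_BIN="${VELO_BIN:-./velociraptor-v0.7.0-2-linux-amd64}"
WIN_EXE="${WIN_EXE:-velociraptor-v0.7.0-2-windows-amd64.exe}"
CONFIG="${CONFIG:-/etc/velociraptor.config.yaml}"
RELEASE_URL="https://github.com/Velocidex/velociraptor/releases/download/v0.7.0"

# Insert "use_self_signed_ssl: true" directly below the first "nonce:" line,
# with the same indentation, so it lands in the Client section. Idempotent:
# a config that already has the key is left alone.
set_client_self_signed() {
    local file="$1" tmp
    if grep -qE '^[[:space:]]*use_self_signed_ssl:' "$file"; then
        return 0
    fi
    tmp="$(mktemp)"
    awk '
        { print }
        !done && /^[[:space:]]+nonce:/ {
            match($0, /^[[:space:]]+/)
            print substr($0, 1, RLENGTH) "use_self_signed_ssl: true"
            done = 1
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"      # keep the original file's owner and mode
    rm -f "$tmp"
}

# Point the client at a different server URL (the Azure case above): rewrite
# the https:// list entry under server_urls in a client config.
set_server_url() {
    local file="$1" url="$2"
    sed -i -E "s#^([[:space:]]*- )https://[^ ]+#\1${url}#" "$file"
}

main() {
    set_client_self_signed "$CONFIG"
    "$VELO_BIN" --config "$CONFIG" config client > client.config.yaml
    if [ -n "${PUBLIC_ADDR:-}" ]; then
        set_server_url client.config.yaml "https://${PUBLIC_ADDR}:8000/"
    fi
    [ -f "$WIN_EXE" ] || wget "${RELEASE_URL}/${WIN_EXE}"
    "$VELO_BIN" config repack --exe "$WIN_EXE" client.config.yaml repackaged_velociraptor.exe
    # Record a hash to compare on Windows (certutil -hashfile FILE SHA256)
    # after the file has crossed the network.
    sha256sum repackaged_velociraptor.exe | tee repackaged_velociraptor.exe.sha256
}

if [ "${VELO_RUN:-0}" = "1" ]; then
    main
fi
```

On Azure run it as PUBLIC_ADDR=<public IP> VELO_RUN=1 ./prep-client.sh. Read the printed hash from your SSH session, not from the web server you may copy the file to, and compare it with certutil -hashfile repackaged_velociraptor.exe SHA256 on Windows before running service install; the repackaged binary is unsigned, so this is the only integrity check you have.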

Installing the Windows Client

On your Windows machine, in a Web browser, go to
https://winscp.net/eng/index.php
Download and install WinSCP, as shown below.

When WinSCP launches, fill in the IP address, username, and password of your Linux server, as shown below.

Click Login. Click Yes to accept the server's SSH host key. Click Continue.

In the right pane, double-click the velociraptor folder.

Drag the repackaged_velociraptor.exe file to your Windows desktop, as shown below.

Then close WinSCP.

Alternative Method

If you are using the Google Cloud, you cannot connect to your Linux machine with a username and password.

Instead, execute these commands on your Linux machine:

sudo apt update
sudo apt install apache2 -y
sudo cp repackaged_velociraptor.exe /var/www/html
sudo chmod a+r /var/www/html/*
Then, on your Windows machine, in a Web browser, go to this address, replacing the IP address with the IP address of your Linux server:
http://10.128.0.2/repackaged_velociraptor.exe
The repackaged_velociraptor.exe file should download onto your Windows machine. Because the repackaged executable embeds the client configuration (the server URL, the CA certificate and the enrollment nonce), anyone who can reach port 80 on your server can download it and enroll a client of their own; delete it from /var/www/html, or stop apache2, as soon as the transfer is done.
On your Windows machine, open an Administrator Command Prompt and execute these commands, as shown below. The service install command installs Velociraptor as a Windows service and starts it, so the client enrolls with your server right away.
cd %userprofile%\Desktop
repackaged_velociraptor.exe service install

Troubleshooting

Windows Defender may block the repackaged executable because repacking leaves it without a valid code signature.

To prevent that, open "Windows Defender settings" and exclude the folder Velociraptor is in from scanning. Disabling Virus protection also works, but prefer the exclusion, and if you do disable protection, turn it back on once the service is installed.

Another solution is to install the signed Velociraptor executable and add a configuration file, as explained here.

Viewing the Client

In the Velociraptor GUI, at the top left, click the down-arrow next to the search box. Click "Show All".

Click your client's Client ID, which appears in green text, as shown below.

IR 371.2: Agent Name (5 pts)

The flag is covered by a green rectangle in the image below.

Using the Virtual File System

At the top left, click the VFS button.

At the top left, there are three top-level categories: auto, ntfs, and registry.

Click ntfs. In the top center, click the first folder icon to refresh this directory, outlined in red in the image below. The VFS is populated on demand: refreshing sends a directory-listing request to the client, and the entries appear once the client answers.

IR 371.3: Registry Information (5 pts)

Refresh the registry category the same way.

On the left side, click HKEY_CURRENT_USER. Refresh this container to see the contents.

The flag appears, covered by a green rectangle in the image below.

IR 371.4: Exploring the File System (5 pts)

In the ntfs category, refresh these items:
  • \\.\C: (You may need to refresh the browser to see the tree on the left side)
  • Users (You may need to refresh the browser to see the tree on the left side)
  • Default
The flag appears, covered by a green rectangle in the image below.

Collecting an Artifact

At the top left, click the house icon to go to the home page, which shows "Server status".

In the Velociraptor GUI, at the top left, click the down-arrow next to the search box. Click "Show All".

Click your client's Client ID, which appears in green text.

At the top center, click the Collected button.

At the top left, click the plus-sign, outlined in red in the image below.

At the top left, in the search box, type netstat.

Click Windows.Network.NetstatEnriched.

A description of this artifact appears, as shown below. It lists network connections and listening sockets and joins each one with details of the owning process, which plain netstat output lacks.

At the lower left, click the "Configure Parameters" button.

At the top left, click the wrench icon.

In the "ProcessNameRegex" field, enter velociraptor as shown below. This restricts the results to sockets owned by processes whose name matches that regex, so the collection returns only the Velociraptor client's own connections.

At the lower right, click the Launch button.

In the next screen, at the top center, click the Windows.Network.NetstatEnriched line to highlight it.

In the lower pane, click the Results tab.

You see information about the Velociraptor process, as shown below.

IR 371.5: DestPort (5 pts)

In the lower pane, click the binoculars icon, outlined in red in the image above.

The flag appears, covered by a green rectangle in the image below.

References

Velociraptor Documentation
Velociraptor Course: Digging deeper (May 2021)

Posted 5-7-2021
Openssh install added 7-31-2021
IP address change marked as optional 8-2-2021
Azure notes added 11-4-21
Windows Defender note added 9-16-22
Version box added 10-24-22
Updated and flag 2 changed 11-21-23
Alternative method of moving the file added 3-27-24