IR 371: Velociraptor Server on Linux (25 pts)

What You Need for This Project

Purpose

To install a Velociraptor Linux server and use it to monitor a Windows endpoint. This is the normal arrangement.

Task 1: Installing Velociraptor on Linux

Finding the Latest Version

In a Web browser, go to

https://github.com/Velocidex/velociraptor/releases

Identify the latest version, as shown below.

Scroll down and expand the Assets container.

We will use two of these files: the 64-bit Linux installer and the Windows 64-bit EXE installer, outlined in the image below.

Make a note of these filenames.

Preparing the Server

On your Linux server, in a Terminal or SSH window, execute these commands, adjusting the velociraptor filename to match the file you noted earlier.

These commands download the Linux installer, make it executable, and run it to create a server configuration file:

cd
mkdir velociraptor
cd velociraptor

wget https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.1-linux-amd64

chmod +x velociraptor-v0.73.1-linux-amd64
./velociraptor-v0.73.1-linux-amd64 config generate > velociraptor.config.yaml
On your Linux server, execute this command to find your server's IP address, and make a note of it:

ip a

Editing the Config File

On your Linux server, execute this command, to edit the server configuration file:
nano velociraptor.config.yaml
Press Ctrl+W, Ctrl+R. Find localhost and replace it with your Linux server's IP address for all occurrences (there are two of them).

Repeat the process to replace 127.0.0.1 with your Linux server's IP address for all occurrences (there are three of them).

Save the file with Ctrl+X, Y, Enter.
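The two find-and-replace passes above can be scripted and, more usefully, checked: the counts the lab quotes (two "localhost", three "127.0.0.1") should go to zero after the edit. The script below is an added example, not part of the lab or of Velociraptor itself; the tiny config it writes is a constructed stand-in for velociraptor.config.yaml (only the address-bearing keys), and the 10.0.0.5 address is a placeholder for your own server IP.

```shell
#!/bin/sh
# Added example (not from the lab page): replace every "localhost" and
# "127.0.0.1" in a Velociraptor server config with the server's real IP,
# and count occurrences before and after so you can confirm nothing was missed.

# Constructed stand-in for velociraptor.config.yaml: 2 lines with localhost,
# 3 lines with 127.0.0.1, matching the counts the lab tells you to expect.
make_sample_config() {
  cat > "$1" <<'EOF'
Client:
  server_urls:
  - https://localhost:8000/
API:
  bind_address: 127.0.0.1
GUI:
  bind_address: 127.0.0.1
  public_url: https://localhost:8889/app/index.html
Monitoring:
  bind_address: 127.0.0.1
EOF
}

# Print the number of lines containing a literal string (0 when none match;
# grep exits 1 in that case, so "|| true" keeps set -e from aborting).
count_matches() {
  grep -c -F -- "$2" "$1" || true
}

# $1 = config path, $2 = server IP address.
# Write to a temp file and move it into place instead of relying on "sed -i",
# whose syntax differs between GNU and BSD sed.
rewrite_addresses() {
  cfg="$1"; addr="$2"
  tmp="${cfg}.tmp"
  sed -e "s/localhost/$addr/g" -e "s/127\.0\.0\.1/$addr/g" "$cfg" > "$tmp" \
    && mv "$tmp" "$cfg"
}

# Usage: sh fix_addresses.sh velociraptor.config.yaml 192.168.0.36
if [ "$#" -eq 2 ]; then
  echo "before: localhost=$(count_matches "$1" localhost) 127.0.0.1=$(count_matches "$1" 127.0.0.1)"
  rewrite_addresses "$1" "$2"
  echo "after:  $2=$(count_matches "$1" "$2") localhost=$(count_matches "$1" localhost) 127.0.0.1=$(count_matches "$1" 127.0.0.1)"
fi
```

Changing the bind_address lines is what makes the GUI (port 8889) and the frontend (port 8000) listen on the network interface instead of loopback, which is why the Azure note later on the page has you open those ports deliberately; on any other network, make sure the same ports are reachable only from the machines that need them.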

Creating the Administrator User

On your Linux server, execute this command to add an admin user:
./velociraptor-v0.73.1-linux-amd64 --config velociraptor.config.yaml user add admin --role administrator
When you are prompted to, enter a password you can remember.

Starting the Velociraptor Server

On your Linux server, execute this command, to start the server:
./velociraptor-v0.73.1-linux-amd64 --config velociraptor.config.yaml frontend -v
The server starts, as shown below.

Leave this window open, and leave the process running.

Viewing the GUI

On your Windows machine, in a Web browser, open the GUI URL, for your server. My URL is outlined in the image above--yours will be different.

USE PORT 8889! If you use port 8000, you'll get a 404 error.

Approve the use of an unsigned certificate.

Log in as admin with the password you chose earlier.

You see the GUI, as shown below.

Note for Azure Users

If you are using Azure cloud machines, you will need to open TCP ports 8000 and 8889 in the Azure firewall on your Linux server, and view the GUI using the public IP address of your Linux server.

To reach the firewall settings, start at https://portal.azure.com/#home and click "Virtual machines", click the name of your Linux server, and click Networking.

Then click the "Add inbound port rule" and configure a rule as shown below.

IR 371.1: Server Version (5 pts)

At the top left, click the house icon to go to the home page, which shows "Server status".

Scroll to the bottom of the page.

The flag is covered by a green rectangle in the image below.

Troubleshooting

If the IP address of your Velociraptor server changes, you need to delete the /var/tmp/velociraptor folder or it will continue to tell clients to use the old IP address, even after you update the configuration files.

Task 2: Adding a Windows Client

Preparing a Client Config File

On your Linux server, open a new Terminal or SSH session and execute these commands, to edit the server configuration file:
cd
cd velociraptor
nano velociraptor.config.yaml
Scroll down to the first END CERTIFICATE line.

Below the "nonce:" line, insert this line, as shown in the image below.

CAREFULLY INDENT the line with two spaces so it matches the lines above and below it.

use_self_signed_ssl: true

Save the file with Ctrl+X, Y, Enter.
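Because the indentation of that one line matters, here is a scripted version of the edit that copies the indentation of the nonce: line, inserts use_self_signed_ssl: true directly after it, and refuses to add the line a second time. This is an added example, not part of the lab or of Velociraptor; the config it writes is a constructed fragment of the Client section (the certificate and nonce values are placeholders).

```shell
#!/bin/sh
# Added example (not from the lab page): insert "use_self_signed_ssl: true"
# right after the first "nonce:" line of a Velociraptor config, with the same
# leading whitespace as that line, so the YAML stays valid.

# Constructed fragment of velociraptor.config.yaml; certificate and nonce are
# placeholders, not real values.
make_sample_config() {
  cat > "$1" <<'EOF'
Client:
  server_urls:
  - https://10.0.0.5:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    (constructed placeholder, not a real certificate)
    -----END CERTIFICATE-----
  nonce: constructedNonceValue==
API:
  bind_address: 10.0.0.5
EOF
}

# Print how many lines already carry the flag (0 if none).
has_self_signed_flag() {
  grep -c -F 'use_self_signed_ssl: true' "$1" || true
}

# $1 = config path. Idempotent: a second run changes nothing.
add_self_signed_flag() {
  cfg="$1"
  if [ "$(has_self_signed_flag "$cfg")" -ne 0 ]; then
    echo "use_self_signed_ssl already set in $cfg; nothing to do" >&2
    return 0
  fi
  tmp="${cfg}.tmp"
  awk '
    { print }
    !done && $0 ~ /^[ \t]*nonce:/ {
      match($0, /^[ \t]*/)              # leading whitespace of the nonce line
      indent = substr($0, 1, RLENGTH)
      print indent "use_self_signed_ssl: true"
      done = 1
    }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the line that immediately follows the first nonce: line (for checking).
line_after_nonce() {
  awk 'found { print; exit } /^[ \t]*nonce:/ { found = 1 }' "$1"
}

# Usage: sh add_self_signed.sh velociraptor.config.yaml
if [ "$#" -eq 1 ]; then
  add_self_signed_flag "$1"
  echo "line after nonce: $(line_after_nonce "$1")"
fi
```

The flag tells clients built from this config to accept the server's self-signed certificate; that is appropriate for a lab server whose CA is the one embedded in the config, not a reason to leave it set on a production deployment fronted by a public certificate.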

Preparing a Windows Client MSI Installer

In the Velociraptor GUI, at the top left, click the icon outlined in red in the image below, to see "Server Artifacts".

Then click the + sign, outlined in blue in the image below.

In the "New Collection: Select Artifacts to collect" box, search for msi.

Click "Server.Utils.CreateMSI", as shown below.

At the bottom, click the "Configure Parameters" button, outlined in red in the image above.

In the "New Collection: Configure Parameters" box, at the top left, click the wrench icon, outlined in red in the image below.

In the CustomConfig field, enter the path to your client configuration file, which should be:

/home/debian/velociraptor/client.config.yaml
as shown below.

At the bottom right, click Launch.

On the next page, in the top pane, click the first row.

In the lower pane, click the Log tab.

You should see a velociraptor MSI file created and uploaded, as outlined in red in the image below.

Serving the Windows Client over the Web

Open a new Terminal or SSH window on your Linux server.

Then execute this command:

sudo find / | grep velociraptor | grep msi
You see the path to the MSI file, which is ridiculously long, as shown below.

Execute these commands:

sudo apt update
sudo apt install apache2 -y
sudo cp $(sudo find / | grep velociraptor | grep msi) /var/www/html/velociraptor.msi
sudo chmod a+r /var/www/html/*
ls -l /var/www/html
You see a "velociraptor.msi" file in the /var/www/html directory, as shown below.
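The find | grep | grep pipeline works, but it walks the whole filesystem and matches any path containing "msi". The script below is an added example, not part of the lab or of Velociraptor: it narrows the search to .msi files under a velociraptor path, copies the newest match into the web root, and writes a SHA-256 sidecar next to it so the download can be checked on the Windows side before the installer is run. The datastore directory and web root are passed as arguments (the lab's server keeps its datastore under /var/tmp/velociraptor); the sample file created in the test is constructed, not a real MSI.

```shell
#!/bin/sh
# Added example (not from the lab page): publish the MSI that
# Server.Utils.CreateMSI produced, plus a SHA-256 sidecar file, so the copy
# that lands on the Windows machine can be verified before installation.

# $1 = directory to search (e.g. /var/tmp/velociraptor). Prints the first
# .msi file found under a path containing "elociraptor" (written that way so
# both "Velociraptor" and "velociraptor" directory names match).
find_msi() {
  find "$1" -type f -name '*.msi' -path '*elociraptor*' -print 2>/dev/null | head -n 1
}

# $1 = MSI path, $2 = web root (e.g. /var/www/html).
# Copies the file as velociraptor.msi, makes it world-readable, writes
# velociraptor.msi.sha256 in "sha256sum -c" format, and prints the hex digest.
publish_msi() {
  src="$1"; webroot="$2"
  dest="$webroot/velociraptor.msi"
  cp "$src" "$dest"
  chmod 0644 "$dest"
  (cd "$webroot" && sha256sum velociraptor.msi > velociraptor.msi.sha256)
  cut -d' ' -f1 "$dest.sha256"
}

# Usage: sudo sh publish_msi.sh /var/tmp/velociraptor /var/www/html
if [ "$#" -eq 2 ]; then
  msi=$(find_msi "$1")
  if [ -z "$msi" ]; then
    echo "no velociraptor .msi found under $1" >&2
    exit 1
  fi
  echo "publishing $msi"
  echo "sha256: $(publish_msi "$msi" "$2")"
fi
```

On the Windows machine, after downloading http://<server-ip>/velociraptor.msi, run certutil -hashfile velociraptor.msi SHA256 and compare the digest with the one printed on the server (also served at /velociraptor.msi.sha256). A mismatch means the file was altered or truncated in transit and should not be installed.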

Note for Azure Users

Before packaging the Windows client, edit the client.config.yaml file and replace the IP address in the Client section with the public address of your Linux server, as shown below.

Moving the Client to the Windows Machine

On your Windows machine, in a Web browser, go to this address, replacing the IP address with the IP address of your Linux server:
http://192.168.0.36/velociraptor.msi
If you see a warning saying this file isn't commonly downloaded, click the three-dot icon and click Keep.

If you see a warning saying "Make sure you trust velociraptor.msi...", click "Show more", and then click "Keep anyway".

Open the velociraptor.msi and install the software.

If a "Windows protected your PC" box pops up, click "More info" and click "Run anyway". If a "User Account Control" box pops up, click Yes. A file should download onto your Windows machine.

Installing the Windows Client

On your Windows machine, open an Administrator Command Prompt and execute these commands, as shown below.
cd %userprofile%\Desktop
repackaged_velociraptor.exe service install

Troubleshooting Tips

Windows Defender

Windows Defender may block the velociraptor executable because it's unsigned.

To prevent that, open "Windows Defender settings" and disable Virus protection, or exclude the folder Velociraptor is in from scanning.

Another solution is to install the signed Velociraptor executable and add a configuration file, as explained here.

Client Problems

Another useful troubleshooting technique is to run the client in verbose mode instead of as a service, with these commands:
cd %userprofile%\Desktop
repackaged_velociraptor.exe service remove
repackaged_velociraptor.exe client -v

Removing the Client

To completely remove the Velociraptor client from the Windows machine, perform these steps:
  1. Delete the "C:\Program Files\Velociraptor" folder
  2. In an Administrator Command Prompt, execute these commands:
    sc.exe delete velociraptor
    schtasks /delete /tn vraptor /f

Viewing the Client

In the Velociraptor GUI, at the top left, click the down-arrow next to the search box. Click "Show All".

Click your client's Client ID, which appears in green text, as shown below.

IR 371.2: Agent Name (5 pts)

The flag is covered by a green rectangle in the image below.

Using the Virtual File System

At the top left, click the VFS button.

At the top left, there are three top-level categories: auto, ntfs, and registry.

Click ntfs. In the top center, click the first folder icon to refresh this directory, outlined in red in the image below.

IR 371.3: Registry Information (5 pts)

Refresh the registry category the same way.

On the left side, click registry to expand it.

On the left side, click HKEY_CURRENT_USER. Refresh this container to see the contents.

The flag appears, covered by a green rectangle in the image below.

IR 371.4: Exploring the File System (5 pts)

In the ntfs category, refresh these items:
  • \\.\C: (You may need to refresh the browser to see the tree on the left side)
  • Users (You may need to refresh the browser to see the tree on the left side)
  • Default
The flag appears, covered by a green rectangle in the image below.

Collecting an Artifact

At the top left, click the house icon to go to the home page, which shows "Server status".

In the Velociraptor GUI, at the top left, click the down-arrow next to the search box. Click "Show All".

Click your client's Client ID, which appears in green text.

At the top center, click the Collected button.

At the top left, click the plus-sign, outlined in red in the image below.

At the top left, in the search box, type netstat.

Click Windows.Network.NetstatEnriched.

A description of this artifact appears, as shown below.

At the lower left, click the "Configure Parameters" button.

At the top left, click the wrench icon.

In the "ProcessNameRegex" field, enter velociraptor as shown below.

At the lower right, click the Launch button.

In the next screen, at the top center, click the Windows.Network.NetstatEnriched line to highlight it.

In the lower pane, click the Results tab.

You see information about the Velociraptor process, as shown below.

IR 371.5: DestPort (5 pts)

In the lower pane, click the binoculars icon, outlined in red in the image above.

The flag appears, covered by a green rectangle in the image below.

Note: the name has changed from "DestPort" to "RPort" in version 0.73.

References

Velociraptor Documentation
Velociraptor Course: Digging deeper (May 2021)

Posted 5-7-2021
Openssh install added 7-31-2021
IP address change marked as optional 8-2-2021
Azure notes added 11-4-21
Windows Defender note added 9-16-22
Version box added 10-24-22
Updated and flag 2 changed 11-21-23
Alternative method of moving the file added 3-27-24
Updated to Velociraptor version 9.72 RC 2 and video added 4-16-24
Updated to Velociraptor version v0.73.1, and flag 1 updated 11-19-24
Removed a sudo, added a client and a server troubleshooting note 11-28-24