https://github.com/Velocidex/velociraptor/releases
Identify the latest version, as shown below.
Scroll down and expand the Assets container.
We will use two of these files: the 64-bit Linux installer and the Windows 64-bit EXE installer, outlined in the image below.
Make a note of these filenames.
These commands download the Linux installer, make it executable, and run it to create a server configuration file:
cd
mkdir velociraptor
cd velociraptor
wget https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72-rc1-linux-amd64
chmod +x velociraptor-v0.72-rc1-linux-amd64
./velociraptor-v0.72-rc1-linux-amd64 config generate > velociraptor.config.yaml
On your Linux server, execute this command to find your server's IP address, and make a note of it:
ip a
nano velociraptor.config.yaml
Press Ctrl+W, Ctrl+R.
Find localhost and replace it with your Linux server's IP address for all occurrences (there are two of them).
Repeat the process to replace 127.0.0.1 with your Linux server's IP address for all occurrences (there are three of them).
Save the file with Ctrl+X, Y, Enter.
./velociraptor-v0.72-rc1-linux-amd64 --config velociraptor.config.yaml user add admin --role administrator
When you are prompted to, enter a password you can remember.
./velociraptor-v0.72-rc1-linux-amd64 --config velociraptor.config.yaml frontend -v
The server starts, as shown below.
Leave this window open, and leave the process running.
When you open the GUI in a Web browser, USE PORT 8889! If you use port 8000, you'll get a 404 error.
Approve the use of an unsigned certificate.
Log in as admin with the password you chose earlier.
You see the GUI, as shown below.
Note for Azure Users
If you are using Azure cloud machines, you will need to open TCP ports 8000 and 8889 in the Azure firewall on your Linux server, and view the GUI using the public IP address of your Linux server. To reach the firewall settings, start at https://portal.azure.com/#home and click "Virtual machines", click the name of your Linux server, and click Networking.
Then click the "Add inbound port rule" and configure a rule as shown below.
IR 371.1: Server Name (5 pts)
At the top left, click the house icon to go to the home page, which shows "Server status". Scroll to the bottom of the page.
The flag is covered by a green rectangle in the image below.
cd
cd velociraptor
sudo nano velociraptor.config.yaml
Scroll down to the first END CERTIFICATE line.
Below the "nonce:" line, insert this line, as shown in the image below.
CAREFULLY INDENT the line with two spaces so it matches the lines above and below it.
use_self_signed_ssl: true
Save the file with Ctrl+X, Y, Enter.
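The two edits above (replacing localhost and 127.0.0.1 with the server's IP address, and inserting use_self_signed_ssl: true under the nonce: line with matching indentation) are easy to get wrong by hand, and a bad indent silently breaks the YAML. The script below is an added example, not part of this lab or of the Velociraptor project; it applies both edits, reports how many occurrences it replaced so you can check them against the counts given above (two and three), refuses to insert the setting if it cannot find a nonce: line, and is safe to run twice. The embedded config is a constructed sample that only mimics the layout described on this page.

```python
"""Added example (not from the lab page or the Velociraptor project):
apply the two manual velociraptor.config.yaml edits from this lab in one step.

Assumptions: the file contains localhost / 127.0.0.1 occurrences to replace
and a "nonce:" line below which use_self_signed_ssl: true is inserted, with
the same indentation as that line.
"""
import re
import sys

# Constructed sample in the shape of the server config described on the page;
# real files carry far more keys and a real certificate body.
CONSTRUCTED_CONFIG = """\
Client:
  server_urls:
  - https://localhost:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    (certificate body omitted in this constructed sample)
    -----END CERTIFICATE-----
  nonce: c2FtcGxlLW5vbmNl
API:
  bind_address: 127.0.0.1
GUI:
  bind_address: 127.0.0.1
  bind_port: 8889
Frontend:
  hostname: localhost
  bind_address: 127.0.0.1
  bind_port: 8000
"""


def patch_config(text: str, server_ip: str) -> tuple[str, dict]:
    """Return (patched_text, stats); stats records what was changed."""
    stats = {
        "localhost": text.count("localhost"),
        "127.0.0.1": text.count("127.0.0.1"),
        "inserted_self_signed": False,
    }
    # Step 1: the nano Ctrl+W Ctrl+R replace-all steps from the lab.
    text = text.replace("localhost", server_ip).replace("127.0.0.1", server_ip)

    # Step 2: insert use_self_signed_ssl: true directly below the first
    # "nonce:" line, copying that line's indentation so the YAML stays valid.
    # Skip if the setting is already present, so re-running is harmless.
    if "use_self_signed_ssl:" not in text:
        out = []
        for line in text.splitlines(keepends=True):
            out.append(line)
            m = re.match(r"^([ \t]*)nonce:", line)
            if m and not stats["inserted_self_signed"]:
                out.append(f"{m.group(1)}use_self_signed_ssl: true\n")
                stats["inserted_self_signed"] = True
        if not stats["inserted_self_signed"]:
            raise ValueError("no 'nonce:' line found; not guessing where the setting belongs")
        text = "".join(out)
    return text, stats


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: patch_config.py velociraptor.config.yaml <server-ip>")
    path, ip = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as f:
        original = f.read()
    patched, stats = patch_config(original, ip)
    # Keep a backup of the untouched file before overwriting it.
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(patched)
    print(stats)
```

Run it as `python3 patch_config.py velociraptor.config.yaml 10.0.0.5` (substituting your server's IP address) from the velociraptor directory; if the printed counts are not 2 and 3, open the file in nano and check what was matched before starting the server.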
These commands create a client configuration file, download the Windows client, and repack it with that client configuration. The last two commands make sure your Debian server has an SSH server running.
./velociraptor-v0.72-rc1-linux-amd64 --config velociraptor.config.yaml config client > client.config.yaml
wget https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72-rc2-windows-amd64.exe
./velociraptor-v0.72-rc1-linux-amd64 config repack --exe velociraptor-v0.72-rc2-windows-amd64.exe client.config.yaml repackaged_velociraptor.exe
sudo apt update
sudo apt install openssh-server -y
Note for Azure Users
Before packaging the Windows client, edit the client.config.yaml file and replace the IP address in the Client section with the public address of your Linux server, as shown below.
Download and install WinSCP from https://winscp.net/eng/index.php, as shown below.
When WinSCP launches, fill in the IP address, username, and password of your Linux server, as shown below.
Click Login. Click Yes. Click Continue.
In the right pane, double-click the velociraptor folder.
Drag the repackaged_velociraptor.exe file to your Windows desktop, as shown below.
Then close WinSCP.
Alternative Method
If you are using the Google Cloud, you cannot connect to your Linux machine with a username and password. Instead, execute these commands on your Linux machine:
sudo apt update
sudo apt install apache2 -y
sudo cp repackaged_velociraptor.exe /var/www/html
sudo chmod a+r /var/www/html/*
Then, on your Windows machine, in a Web browser, go to this address, replacing the IP address with the IP address of your Linux server:
http://10.128.0.2/repackaged_velociraptor.exe
The repackaged_velociraptor.exe file should download onto your Windows machine.
On your Windows machine, in an Administrator Command Prompt, execute these commands to install the Velociraptor client as a Windows service:
cd %userprofile%\Desktop
repackaged_velociraptor.exe service install
Troubleshooting
Windows Defender may block the velociraptor executable because it's unsigned. To prevent that, open "Windows Defender settings" and disable Virus protection, or exclude the folder Velociraptor is in from scanning.
Another solution is to install the signed Velociraptor executable and add a configuration file, as explained here.
Click your client's Client ID, which appears in green text, as shown below.
IR 371.2: Agent Name (5 pts)
The flag is covered by a green rectangle in the image below.
At the top left, there are three top-level categories: auto, ntfs, and registry.
Click ntfs. In the top center, click the first folder icon to refresh this directory, outlined in red in the image below.
IR 371.3: Registry Information (5 pts)
Refresh the registry category the same way. On the left side, click HKEY_CURRENT_USER. Refresh this container to see the contents.
The flag appears, covered by a green rectangle in the image below.
IR 371.4: Exploring the File System (5 pts)
In the ntfs category, refresh these items:
- \\.\C: (You may need to refresh the browser to see the tree on the left side)
- Users (You may need to refresh the browser to see the tree on the left side)
- Default
The flag appears, covered by a green rectangle in the image below.
In the Velociraptor GUI, at the top left, click the down-arrow next to the search box. Click "Show All".
Click your client's Client ID, which appears in green text.
At the top center, click the Collected button.
At the top left, click the plus-sign, outlined in red in the image below.
At the top left, in the search box, type netstat.
Click Windows.Network.NetstatEnriched.
A description of this artifact appears, as shown below.
At the lower left, click the "Configure Parameters" button.
At the top left, click the wrench icon.
In the "ProcessNameRegex" field, enter velociraptor as shown below.
At the lower right, click the Launch button.
In the next screen, at the top center, click the Windows.Network.NetstatEnriched line to highlight it.
In the lower pane, click the Results tab.
You see information about the Velociraptor process, as shown below.
IR 371.5: DestPort (5 pts)
In the lower pane, click the binoculars icon, outlined in red in the image above. The flag appears, covered by a green rectangle in the image below.
Posted 5-7-2021
Openssh install added 7-31-2021
IP address change marked as optional 8-2-2021
Azure notes added 11-4-21
Windows Defender note added 9-16-22
Version box added 10-24-22
Updated and flag 2 changed 11-21-23
Alternative method of moving the file added 3-27-24
Updated to Velociraptor version 9.72 RC 2 and video added 4-16-24