Thursday, February 23, 2017

Setting up a Pentesting... I mean, a Threat Hunting Lab - Part 1

In this first post, I will show you how to set up a virtual WAN and LAN (NAT) with the help of ESXI 6.5 and PfSense. Our default VM management network will act as our virtual WAN, and a new virtual switch and port group will act as our virtual LAN, with PfSense as our router/firewall. That way we can simulate real-world attacks where inbound connections to non-public systems are not allowed unless there is a reverse connection initiated by a user or an infected host. Eventually we will add a Kali system to our virtual WAN to perform attacks.

Overall idea of what we want networkwise:

Figure 1. Network Layout

Requirements for this setup:

A physical server

  • Needed to host your whole virtual environment (Firewall, DC, Windows PCs and ELK )
  • ESXI 6.x installed
    • I installed version 6.5 (I like to access my VMs from any computer in the network through a web interface and let the host do only what it needs to do: host my VMs). You can set up the same thing in Virtualbox or the free version of VMware Workstation. You can also install older versions of ESXI and run this whole setup if you want to; I just wanted to use one of the latest versions available. If you have issues with your NIC not being compatible with one of the latest ESXI versions such as 6.0 or 6.5, make sure you follow this great article that helped me fix it. Finally, if you don't know how to install ESXI on your computer, make sure you read this step-by-step article on how to do it. Oh, and remember that ESXI replaces the OS of the system you are installing it on.
  • 32 GB of RAM
  • 1 TB storage 
  • Processor:  at least 6 Cores (cheap)
  • At least 1 NIC


Getting Started - Setting up our network

Default setup

Every time you set up an ESXI virtual environment, you always have two standard port groups and one virtual switch.
  • VM Network
  • Management Network

Figure 2.  Default port groups in ESXI.

Figure 3.  Default virtual switch.

As I had mentioned before, the "VM Network" will act as our Virtual WAN. It is bridged by default to our home local network, so any VM that you add to that port group of vswitch0 will obtain an IP address from your home router. This is a basic setup, and what we are trying to accomplish here is a NAT setup with the help of a new virtual switch and PfSense.

Adding a Virtual Switch

Click on the option "Add standard virtual switch" from figure 2 above, and name it anything you want. I just followed the default naming convention and added a 1 after vswitch.

Figure 4.  Adding a virtual switch.

Adding a port group

Once you have created your virtual switch, it is time to create a new port group. Here is where we add our Virtual LAN and attach it to the virtual switch that we just created (vSwitch1).

Figure 5.  Default network port groups.

Figure 6.  New port group added and attached to the new virtual switch 1.

Now you will be able to see a new port group that you can use to host all your machines that will be part of your own domain.

Figure 7.  New port group added to the network (Virtual LAN).
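The same switch and port group can also be created from the ESXi shell with esxcli. This is an added example, not part of the original post: it reuses the names vSwitch1 and Virtual LAN from the post, while the check that the LAN switch has no physical uplink and the sample output used when esxcli is not present are assumptions constructed here.

```shell
#!/bin/sh
# CLI equivalent of the web UI steps above, for the ESXi shell.
VSWITCH="vSwitch1"        # switch name used in the post
PORTGROUP="Virtual LAN"   # port group name used in the post

# Create the switch (no uplink is attached) and hang the port group on it.
create_lan() {
    esxcli network vswitch standard add --vswitch-name="$VSWITCH" &&
    esxcli network vswitch standard portgroup add \
        --portgroup-name="$PORTGROUP" --vswitch-name="$VSWITCH"
}

# Print one field ("Uplinks:" or "Portgroups:") of one switch, reading
# `esxcli network vswitch standard list` output on stdin.
field_of() {
    awk -v sw="$1" -v key="$2" '
        /^[^ ]/ { cur = $1 }                      # unindented line = switch name
        cur == sw && $1 == key { sub(/^ *[^:]*: */, ""); print }'
}

# Pass only if the LAN switch carries the port group and has no physical
# uplink, so the PfSense VM is the only path between LAN and WAN.
check_lan_switch() {
    up=$(printf '%s\n' "$1" | field_of "$VSWITCH" "Uplinks:")
    pgs=$(printf '%s\n' "$1" | field_of "$VSWITCH" "Portgroups:")
    [ -z "$up" ] || { echo "FAIL: $VSWITCH is uplinked to $up"; return 1; }
    case ", $pgs," in
        *", $PORTGROUP,"*) echo "OK: $PORTGROUP is isolated on $VSWITCH" ;;
        *) echo "FAIL: $PORTGROUP not found on $VSWITCH"; return 1 ;;
    esac
}

# Constructed, abbreviated sample of the list output for offline runs.
SAMPLE='vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network

vSwitch1
   Name: vSwitch1
   Uplinks:
   Portgroups: Virtual LAN'

if command -v esxcli >/dev/null 2>&1; then
    create_lan && check_lan_switch "$(esxcli network vswitch standard list)"
else
    check_lan_switch "$SAMPLE"
fi
```

If the check reports an uplink on vSwitch1, LAN traffic can reach the physical network without passing through the firewall VM.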

Setting up our PfSense Firewall

Creating/Registering a new VM to install PfSense

Create a VM, give it a name, and select the following options

Figure 8. Creating a new VM.

Figure 9. Creating a new VM.

Figure 10. Naming VM to VPfSense, setting compatibility and Guest OS Version.

Figure 11. Select where you will be storing your VM. I set it to my 1TB HD.

Set the CD/DVD Drive to Datastore ISO file, browse to your pfSense ISO file and select it. (if you have not uploaded your ISO yet, just click on the option "upload" with the green arrow as shown in figure 13 below, and make it available in your ESXI datastore.)

Figure 12. Setting CD/DVD to Datastore ISO file.

Figure 13.  Browse to your PfSense ISO file in your data store.

Next, as you can see in figure 14 below, you only have one network adapter (Network Adapter 1). We need to add one more in order to create a gateway between your vSwitch0 (VM Network - Virtual WAN) and vSwitch1 (Virtual LAN).

Figure 14.  Adding a new network adapter to our PfSense VM.

Figure 15.  Two network adapters available. Right Port group needs to be assigned.

Now, this step is really important to understand. We have two network adapters and now we have to assign one for each Virtual switch - Port group. I assigned Network Adapter 1 to VM network and left the New Network Adapter assigned to our Virtual LAN. (Once we launch PfSense, this specific order of network adapters might be picked up differently. You will understand what I mean in a few).

Figure 16.  Assigning Network Adapter to VM network port group.

Figure 17. Network Adapters assigned to their respective Port groups.

Once you have everything configured, click Next and check your VM's configuration. You will then see your new VM under virtual machines, not running. (FYI - I had a test VM (Server 2012) already built in my VM network to test my network configurations. You can have a simple Ubuntu box if you want to test your virtual WAN and LAN).

Figure 18.  Checking our VM's settings before finishing.

Figure 19.  VPfSense VM has been created and showing ready to be turned on and start the installation. 

Installing PfSense

Turn on your PfSense VM and you will see that it will boot up from the PfSense ISO you assigned to your CD/DVD drive.

Figure 20. Turning on our VPfSense.

With the UP and DOWN arrows on your keyboard, select "Accept These Settings" and press Enter.

Figure 21.  Initial screen after booting up our VPfSense VM. 

Figure 22. Selecting our first option to accept the default initial settings.

Now, select the following options:

Figure 23. Selecting the options "Quick/Easy Install" to start the installation.

Figure 24. Accepting the default configurations to start the quick/easy installation.

Figure 25. Starting the initial automatic set up.

Figure 26. Selecting the options to install a custom kernel configuration.

Figure 27. Installing custom kernel configuration. 

When the option to reboot appears, make sure you first eject your ISO file from the CD/DVD drive before rebooting.

Figure 28. Do not reboot yet...

Go to your virtual machines, right click on your PfSense VM, and disconnect your ISO.

Figure 29. Right clicking on PfSense VM to select settings.

Figure 30. Unchecking the "connect" box of CD/DVD Drive 1 to eject ISO. 

Now you can reboot your PfSense.

Figure 31. Selecting "Reboot" and rebooting.

You will get the following message. Select yes and click "Answer".

Figure 32.  Answering message for disconnecting and overriding lock for CD-ROM.

Figure 33. Rebooting happening.

After rebooting the VM, you might get the following setup. As you can see, our WAN and LAN from PfSense's perspective are backwards. needs to be assigned to our WAN interface since our LAN interface will be configured with a custom/different subnet. This is what I meant before in figures 16 and 17 above.

Figure 34. PfSense assigning wrong adapters to WAN and LAN

The easiest fix is to swap the port groups in our VM's network adapters and reboot the PfSense VM. To do this, go to your virtual machines, right click on your PfSense VM and select settings.

Figure 35. Checking our PfSense settings.

Then, assign port group Virtual LAN to Network Adapter 1 and port group VM network to Network Adapter 2, just like in figure 36 below. Save your settings and reboot your VM (one way is to do Power Off & Power On from the console).

Figure 36. Swapping port groups in PfSense VM's network adapters.

Figure 37. Powering off our PfSense VM.

Figure 38. Powering On our PfSense VM.

After rebooting, you will see that the pfSense WAN interface makes sense now. It picked up an IP address from my home network (known as our Virtual WAN for this build).

Figure 39. Right assignment of WAN and LAN interfaces to the right network adapters.

Next, select option 2 in order to configure the LAN interface.

Figure 40. Selecting option 2 to set the Interfaces IP addresses.

Do the following:

  • Set up the network address for your LAN. In this case I decided to go with
  • Enter the subnet mask for your custom network in CIDR notation. I set it to 24
  • Press Enter to skip the upstream gateway address since we are setting up a LAN
  • Press Enter to skip the IPv6 address question
  • Type "y" to enable DHCP on your LAN interface (Virtual LAN). You might ask yourself: why are we enabling the DHCP server in our PfSense when our Windows Server will be handling this service? I believe it is a good exercise to set it up this way first, and then upgrade your network to build your own DHCP server with the help of our Windows Server 2012 R2.

Figure 41. Selecting configuration of our LAN interface since our WAN is already set up.

Once you press Enter, PfSense will apply the configurations to the LAN interface. Press Enter at the end to continue.

Figure 42. Enabling DHCP Server in our LAN and setting up our custom subnet.

After pressing Enter, you will see that the LAN interface "em1" got updated. We can see that our WAN interface is pointing to our home network (VM network) and our LAN interface to our custom network (Virtual LAN).

Figure 43. Checking if our configurations make sense.

Next, reboot your VM

Figure 44. Selecting option 5 to reboot our VM.

After rebooting, verify if your interfaces are pointing to the right network adapters and configurations. They should. 

Figure 45. After rebooting, our configurations are still set up properly.

Now you can start testing if your virtual WAN and LAN interfaces are working as expected. As I mentioned before, I have a Windows server 2012 in my virtual machines, so I used it to check its network settings. If you do not have any other VM in your environment, that's fine. I just find it convenient to have another box that I can use for simple tests. You can wait until we build our own Windows server 2012. If you have a VM, right click on it and click on "Edit settings".

Figure 46. Checking our only VM's settings.

You can see that it is set to be part of port group "VM network" which is bridged to my home network and considered part of my virtual WAN.

Figure 47. VM is by default in our VM network - Virtual WAN.

We can check its network configuration by typing ipconfig in PowerShell, and it just confirms that it is part of my 192.168.. network (Home - Virtual WAN)

Figure 48. Checking current network configurations.

We can now go back to our virtual machines, right click on our Windows Server VM and change its port group to Virtual LAN in order to test our virtual LAN setup.

Figure 49. Switching port group to our Virtual LAN to test it.

We check our network configurations by releasing and renewing our network configurations, and as you can see in figure 50 below it received an IP address from our PfSense DHCP server (network

Figure 50. Checking new network configurations.

One last test is to test our connection to the Internet from our Virtual LAN.

Figure 51. Testing our connection to the Internet from our Virtual LAN. 

Everything worked as expected. You have just configured your own virtual LAN for your lab, and it is ready to start hosting other systems that will be part of your own domain. In the next post, I will show you how to build your own Windows server 2012 and install/enable AD DS, DHCP and DNS roles.

Feedback is greatly appreciated!  Thank you.

Update 04/07/2017

  • If you are running this set up in VMware Workstation and not ESXI, disable DHCP for your LAN Network in your VMware Virtual Network Editor.