Kali Configuration with Vagrant and Ansible on Virtualbox
- By Miloslav Homer
- Fri 19 February 2021
- Updated on Fri 19 February 2021
Motivation
When beginning an attack, it is advisable to have a clean and prepared environment. Most people (including me) use Kali Linux virtual machines - they come with most of the tools needed and ready. However, when hunting bugs and vulnerabilities, you sometimes install a lot of one-shot utilities. These bloat the system over time, and don't forget the troubles that arise from incompatibilities and conflicting versions (not every tool is a Python module that can be hidden away in a virtual env, sadly).
So, sometimes, you'll need to wipe the state clean. However, you have your favourite pentesting tools that just must be included. Resetting a VM is easy; now you only need to install these tools. Enter Vagrant and Ansible.
Vagrant
Vagrant is a tool for building and managing virtual machine environments in a single workflow. With an easy-to-use workflow and focus on automation, Vagrant lowers development environment setup time, increases production parity, and makes the "works on my machine" excuse a relic of the past.
A machine is defined by its Vagrantfile (think of it as an analogy to a Dockerfile). We'll use a simple file:
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
  config.vm.box = "kalilinux/rolling"
  config.vm.hostname = "attacker.lab"
  config.vm.provision "ansible" do |ansible|
    ansible.playbook = "kali_provision.yml"
    ansible.become = true
    ansible.become_user = "root"
    ansible.compatibility_mode = '2.0'
    ansible.extra_vars = { ansible_python_interpreter: "/usr/bin/python3" }
  end
  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  config.vm.network "private_network", ip: "192.168.59.66"
  config.vm.synced_folder "/home/milo/kali_shared/", "/media/kali_shared", create: true, automount: true
end
Nothing too complex: choose a box, choose a fitting hostname, set up Ansible. In the Vagrantfile you'll need to specify which playbook to use and how Ansible should handle privileges and users, and sometimes you'll need to specify the location of your python3 interpreter. After that you can set up some networking and a shared folder via VirtualBox.
Once you have this, you can run "vagrant up" to start the machine (you'll have to be in the directory with the Vagrantfile). If the machine doesn't exist, Vagrant creates it and performs the provisioning via Ansible. If you already have the machine, or you just need to test changes to the playbook, you can run only the provisioning via "vagrant provision".
My favourite non-kali preinstalled tools
These are the tools and lists I'd like to install on Kali Linux.
- asn1js - tool for parsing ASN.1, DER and crypto-related stuff. I implemented a small feature for easier copying to the clipboard.
- PayloadsAllTheThings - an excellent knowledge base that includes a lot of great payload lists. Go buy them a coffee.
- SecLists - another great collection of patterns, payloads, usernames etc.
- evil-winrm - a Linux client for the WinRM protocol, requires Ruby.
- LinEnum - classic Linux enumeration script.
- Linux Exploit Suggester - too lazy to copy-paste CVEs?
- PEAS - newer set of enumeration scripts, both Linux and Windows. Good stuff!
- PSPY - ever wondered what is running when?
We'll need some other things as well: asn1js needs a web server (I used nginx). The other tools will be sorted into relevant directories.
Ansible playbook
We'll organize these tools into an Ansible playbook. First, let's update the package cache:
- name: Intro
  hosts: all
  remote_user: vagrant
  tasks:
    - name: apt-get update
      apt:
        update_cache: yes
        cache_valid_time: 3600
Then we'll install nginx and clone asn1js into the webroot (do not forget to actually run the server!):
- name: Kali web apps
  hosts: all
  remote_user: vagrant
  vars:
    webroot: "/var/www/html/apps"
  tasks:
    - name: install nginx
      apt:
        name: nginx
        state: latest
    - name: run nginx
      service:
        name: nginx
        state: started
    - name: asn1js
      git:
        repo: https://github.com/ArcHound/asn1js
        dest: "{{ webroot }}/asn1js"
        force: yes
In the next step, fetch the payloads and lists and link them into the /usr/share/wordlists directory:
- name: Payloads/wordlists
  hosts: all
  remote_user: vagrant
  tasks:
    - name: PayloadsAllTheThings clone
      git:
        repo: https://github.com/swisskyrepo/PayloadsAllTheThings
        dest: "/usr/share/PayloadsAllTheThings"
        force: yes
    - name: PayloadsAllTheThings link to wordlists
      file:
        src: "/usr/share/PayloadsAllTheThings"
        dest: "/usr/share/wordlists/PayloadsAllTheThings"
        state: link
    - name: SecLists clone
      git:
        repo: https://github.com/TH3xACE/SecLists
        dest: "/usr/share/SecLists"
        force: yes
    - name: SecLists link to wordlists
      file:
        src: "/usr/share/SecLists"
        dest: "/usr/share/wordlists/SecLists"
        state: link
Next up are the privesc tools: create a relevant directory and clone each repo into its own subdirectory (how clean this is with GitHub):
- name: Privilege escalation tools
  hosts: all
  remote_user: vagrant
  vars:
    priv_esc_dir: "/usr/share/PrivEsc"
  tasks:
    - name: PrivEsc Folder
      file:
        path: "{{ priv_esc_dir }}"
        state: directory
    # Each repo gets its own subdirectory: pointing all four git tasks at
    # the same dest would make every clone overwrite the previous checkout.
    - name: LinEnum
      git:
        repo: https://github.com/rebootuser/LinEnum
        dest: "{{ priv_esc_dir }}/LinEnum"
        force: yes
    - name: Lin Exploit suggester
      git:
        repo: https://github.com/mzet-/linux-exploit-suggester
        dest: "{{ priv_esc_dir }}/linux-exploit-suggester"
        force: yes
    - name: PEAS
      git:
        repo: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
        dest: "{{ priv_esc_dir }}/PEAS"
        force: yes
    - name: pspy
      git:
        repo: https://github.com/DominicBreuker/pspy
        dest: "{{ priv_esc_dir }}/pspy"
        force: yes
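As an added example that is not part of the original post, here is the same privesc play written as one looped task: each tool lands in its own subdirectory and is pinned to a fixed revision, so a re-provision reproduces the tool set you reviewed rather than whatever HEAD happens to be that day. The version values are placeholders; replace them with the full commit hash you checked, since the final assert compares against the checked-out HEAD.

```yaml
- name: Privilege escalation tools (pinned)
  hosts: all
  remote_user: vagrant
  vars:
    priv_esc_dir: "/usr/share/PrivEsc"
    # version is a placeholder: put the reviewed full commit hash here.
    privesc_repos:
      - name: LinEnum
        repo: https://github.com/rebootuser/LinEnum
        version: "REPLACE_WITH_COMMIT"
      - name: linux-exploit-suggester
        repo: https://github.com/mzet-/linux-exploit-suggester
        version: "REPLACE_WITH_COMMIT"
      - name: PEAS
        repo: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
        version: "REPLACE_WITH_COMMIT"
      - name: pspy
        repo: https://github.com/DominicBreuker/pspy
        version: "REPLACE_WITH_COMMIT"
  tasks:
    - name: PrivEsc folder
      file:
        path: "{{ priv_esc_dir }}"
        state: directory
    - name: Clone each tool into its own directory at the pinned revision
      git:
        repo: "{{ item.repo }}"
        dest: "{{ priv_esc_dir }}/{{ item.name }}"
        version: "{{ item.version }}"
        force: yes
      loop: "{{ privesc_repos }}"
      loop_control:
        label: "{{ item.name }}"
    # Read back what is actually checked out; this task never changes state.
    - name: Record the checked-out revision of each tool
      command: git -C "{{ priv_esc_dir }}/{{ item.name }}" rev-parse HEAD
      loop: "{{ privesc_repos }}"
      loop_control:
        label: "{{ item.name }}"
      register: checked_out
      changed_when: false
    # Fail the provisioning run if any checkout drifted from the pin.
    - name: Fail if a checkout does not match the pinned commit
      assert:
        that: "item.stdout == item.item.version"
        fail_msg: "{{ item.item.name }} is at {{ item.stdout }}, expected {{ item.item.version }}"
      loop: "{{ checked_out.results }}"
      loop_control:
        label: "{{ item.item.name }}"
```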
Finally, the Windows tools:
- name: Windows tools
  hosts: all
  remote_user: vagrant
  tasks:
    - name: gem evil-winrm
      gem:
        name: evil-winrm
        state: latest
Conclusion
The goal of this project was to have a big reset button: a simple way to get a clean and working environment. This goal was achieved using Vagrant and Ansible; moreover, the tools I use most often are installed automatically. This post might be extended in the future if I discover that I need something else. Thanks for reading.