2021-OceanLotus-workshop
macos-workshops
Table of Contents
- Network diagram
- AWS resource limit increase requests
- AWS pricing
- AWS initial setup
  - Create an AWS account
  - Select a region
  - Install/Setup AWS CLI on macOS
- Install/Setup Terraform
- Setup/Create management subnet
  - Setup jumpbox/VPN
- Destroy the AWS environment
- References
Network diagram
AWS resource limit increase requests
Dedicated hosts
To run macOS on AWS you need to create EC2 dedicated hosts of instance type mac1.metal. By default the account's quota for these hosts is 0, so you will need to submit a request to AWS to get it increased from 0 to 3 (one host per macOS client).
Virtual CPUs
By default AWS limits your account to 32 vCPUs, but this environment requires 72 (see the table below). You will need to submit a request to AWS to get this increased from 32 to 72.
Elastic IPs
By default you get 5 Elastic IPs per region for an account, but this project needs 9 Elastic IPs. Breakdown:
- 1 Elastic IP for the VPC NAT gateway
- 1 Elastic IP for the VPC Internet gateway
- 1 Elastic IP for the jumpbox
- 2 Elastic IPs for the red team boxes
- 1 Elastic IP for the Graylog SIEM
- 1 Elastic IP for the Splunk SIEM
- 1 Elastic IP for the Elastic SIEM
- 1 Elastic IP for the Arkime/NSM box
Note that an Internet gateway does not itself consume an Elastic IP (only the NAT gateway and the instances do), so the hard requirement is 8; requesting 9 simply leaves one spare.
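Before filing the three limit-increase requests it helps to know exactly how far the account's current quotas fall short. The script below is an added example, not part of the workshop repository: it derives the required values from the instance inventory in the pricing table below and compares them with the applied Service Quotas values read through boto3. The quota codes used (L-1216C47A for standard On-Demand vCPUs, L-0263D0A3 for VPC Elastic IPs, L-A8448DBE for Dedicated mac1 Hosts) are assumptions to confirm in the Service Quotas console for the EC2 service before trusting the output.

```python
"""Service-quota pre-flight for the workshop environment.

Added example, not part of the workshop repository. It derives the quota
values this environment needs from the instance inventory in the pricing
table and compares them with the account's applied Service Quotas values.
The quota codes below are ASSUMED: confirm them in the Service Quotas console
for the EC2 service before relying on this output.
"""

# Instance inventory copied from the pricing table: (EC2 type, vCPUs as listed).
INSTANCES = [
    ("r5.2xlarge", 8),   # Elastic server
    ("r5.2xlarge", 8),   # Graylog server
    ("r5.2xlarge", 8),   # Splunk server
    ("r5.2xlarge", 4),   # NSM server (vCPU count as listed in the table)
    ("t2.small", 1),     # jumpbox
    ("t2.small", 1),     # red team box - alpha
    ("t2.small", 1),     # red team box - beta
    ("t2.large", 2),     # Logstash ingestor
    ("t2.small", 1),     # wiki server
    ("t2.small", 1),     # file server
    ("t2.small", 1),     # Windows server
    ("mac1.metal", 12),  # macOS client - alpha
    ("mac1.metal", 12),  # macOS client - beta
    ("mac1.metal", 12),  # macOS client - charlie
]
ELASTIC_IPS = 9  # per the Elastic IP breakdown in this README

# Quota codes (assumed; verify in the Service Quotas console).
QUOTA_NAMES = {
    "L-1216C47A": "Running On-Demand Standard instances (vCPUs)",
    "L-0263D0A3": "EC2-VPC Elastic IPs",
    "L-A8448DBE": "Running Dedicated mac1 Hosts",
}


def required_quotas(instances=INSTANCES, elastic_ips=ELASTIC_IPS):
    """Map each quota code to the value this inventory needs.

    The vCPU figure counts every instance, matching the 72 this README asks
    for; it is conservative because mac1.metal instances live on dedicated
    hosts, which have their own quota.
    """
    return {
        "L-1216C47A": sum(vcpus for _, vcpus in instances),
        "L-0263D0A3": elastic_ips,
        "L-A8448DBE": sum(1 for itype, _ in instances if itype == "mac1.metal"),
    }


def shortfalls(current, required=None):
    """Return (code, name, have, need) for every quota below what is required.

    `current` maps quota codes to applied quota values; a missing code is
    treated as 0, which is what a brand-new account shows for mac1 hosts.
    """
    required = required if required is not None else required_quotas()
    return [
        (code, QUOTA_NAMES[code], current.get(code, 0), need)
        for code, need in required.items()
        if current.get(code, 0) < need
    ]


def fetch_current(region="us-east-1"):
    """Read the applied quota values with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the pure functions above run without it

    client = boto3.client("service-quotas", region_name=region)
    return {
        code: int(client.get_service_quota(ServiceCode="ec2",
                                           QuotaCode=code)["Quota"]["Value"])
        for code in QUOTA_NAMES
    }


if __name__ == "__main__":
    import sys

    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    gaps = shortfalls(fetch_current(region))
    for code, name, have, need in gaps:
        print(f"{name}: have {have}, need {need}")
        print(f"  aws service-quotas request-service-quota-increase "
              f"--service-code ec2 --quota-code {code} "
              f"--desired-value {need} --region {region}")
    if not gaps:
        print("all quotas sufficient")
```

Run it with the target region as the only argument; for a fresh account (32 vCPUs, 5 Elastic IPs, 0 mac1 hosts) it prints the three `request-service-quota-increase` commands with the desired values filled in. Quotas are regional, so run it against the region you selected in the initial setup.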
AWS pricing
Below is a table of all the AWS compute resources needed for this workshop. Depending on your target audience size you can adjust the size allocations for each machine. The SIEM machines and the NSM/Arkime box use r5 instances to provide as much memory as possible and keep search times minimal.
Note that at the time of this writing, each macOS instance costs roughly $25 before it is even turned on. Apple's macOS licensing terms require that a mac1 dedicated host be allocated for a minimum of 24 hours, so even if you use a macOS machine for 3 seconds you still pay for 24 hours of dedicated-host time (24 h at $1.083/h is about $26).
The hourly prices listed in the table below cover EC2 compute only; they do not include:
- networking (ingress/egress) charges
- storage at $0.10 per GB-month (748 GB is about $74.80 per month)
- the 24-hour minimum per macOS dedicated host, about $25 each ($75 for the three hosts)
- Elastic IPs
- API costs
- etc.
# | EC2 type | vCPU | Memory | SSD | Rate per hour | Description |
---|---|---|---|---|---|---|
1 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Elastic server |
2 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Graylog server |
3 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Splunk server |
4 | r5.2xlarge | 4 | 16GB | 100GB | $0.1856 | NSM server |
5 | t2.small | 1 | 2GB | 8GB | $0.023 | Jumpbox |
6 | t2.small | 1 | 2GB | 20GB | $0.023 | red team box - alpha |
7 | t2.small | 1 | 2GB | 20GB | $0.023 | red team box - beta |
8 | t2.large | 2 | 8GB | 20GB | $0.0928 | Logstash ingestor server |
9 | t2.small | 1 | 2GB | 20GB | $0.023 | wiki server |
10 | t2.small | 1 | 2GB | 20GB | $0.0234 | file server |
11 | t2.small | 1 | 2GB | 60GB | $0.0234 | Windows server |
12 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - alpha |
13 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - beta |
14 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - charlie |
15 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS alpha |
16 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS beta |
17 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS charlie |
Total | | 72 | 324GB | 748GB | $8.426/hr | |
Two things to check before budgeting from this table. Row 4's vCPU count, memory and hourly rate match a t2.xlarge rather than an r5.2xlarge, so confirm the instance type in the Terraform configuration before requesting limits. EC2 Mac instances are billed through the dedicated host only, with no separate charge for the mac1.metal instance, so rows 12 to 14 and rows 15 to 17 should not both be counted; the realistic compute rate is closer to $5.18/hr.
User table
# | Username | Password | Account type | Description |
---|---|---|---|---|
1 | [email protected] | <group_vars/corp.yml - user_list> | mail account | e-mail account |
2 | [email protected] | <group_vars/corp.yml - user_list> | mail account | e-mail account |
3 | [email protected] | <group_vars/corp.yml - user_list> | mail account | e-mail admin account |
4 | jso-yeon | <group_vars/corp.yml - user_list> | SMB share | smb://172.16.50.20/public |
5 | lmanoban | <group_vars/corp.yml - user_list> | SMB share | smb://172.16.50.20/public |
6 | dengziqi | <group_vars/corp.yml - user_list> | SMB share | smb://172.16.50.20/private - admin |
7 | jso-yeon | <group_vars/corp.yml - user_list> | macOS Alpha VNC | vnc://172.16.50.130 |
8 | lmanoban | <group_vars/corp.yml - user_list> | macOS Beta VNC | vnc://172.16.50.131 |
9 | dengziqi | <group_vars/corp.yml - user_list> | macOS Charlie VNC | vnc://172.16.50.132 |
10 | ec2-user | <group_vars/corp.yml - vnc_admin_password> | macOS Alpha VNC | vnc://172.16.50.130 |
11 | ec2-user | <group_vars/corp.yml - vnc_admin_password> | macOS Beta VNC | vnc://172.16.50.131 |
12 | ec2-user | <group_vars/corp.yml - vnc_admin_password> | macOS Charlie VNC | vnc://172.16.50.132 |
Generate SSH keys for red team exercise
```bash
cd macos-workshop
ssh-keygen -t rsa -b 2048 -C "[email protected]" -f files/comp_ssh_keys/id_rsa -q -N ""
```
`-N ""` deliberately creates a key with no passphrase so the playbooks can use it non-interactively; treat `files/comp_ssh_keys/id_rsa` as a secret and keep it out of version control. If every target runs a recent OpenSSH, `-t ed25519` is a smaller and stronger choice, but keep the output filename the playbooks expect.
Instructions to setup AWS environment
- AWS + Terraform
- Setup management subnet
- Init Ansible playbooks
- Setup corp subnet
- Setup macOS clients
Install/Setup public subnet
The playbook instructions for these instances assume they are publicly facing and that these instances have public DNS A records that can be used by Let's Encrypt to generate an HTTPS certificate for NGINX.
Install/Setup Elastic, Graylog, Splunk, Arkime
- Arkime/Moloch
- Elastic
- Graylog
- Splunk
- Logstash ingestor
Install/Setup corp subnet
The playbook instructions for these instances are to setup
Destroy the AWS environment
```bash
cd macos-workshop/terraform
terraform destroy
```
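`terraform destroy` only removes what is in Terraform's state. A mac1 dedicated host that is still allocated keeps billing at $1.083/hr, and an Elastic IP allocated outside Terraform (or left unassociated) is charged as well. The script below is an added example, not part of the workshop repository: it reads `aws ec2 describe-hosts` and `aws ec2 describe-addresses` output and lists anything still allocated. The `SAMPLE_*` responses are constructed to show the shape of JSON it expects; host and allocation IDs in them are placeholders.

```python
"""Post-destroy audit: flag billable AWS resources that outlived terraform destroy.

Added example, not part of the workshop repository. It checks the two things
that keep costing money after the workshop is torn down: mac1 dedicated hosts
that are still allocated and Elastic IPs that are no longer associated with
anything. The SAMPLE_* responses are constructed to mirror the shape of the
real `aws ec2 describe-hosts` / `aws ec2 describe-addresses` JSON.
"""
import json
import subprocess


def leftover_hosts(describe_hosts):
    """Return IDs of dedicated hosts that are not in the 'released' state.

    `describe_hosts` is the parsed JSON from `aws ec2 describe-hosts`.
    """
    return [
        h["HostId"]
        for h in describe_hosts.get("Hosts", [])
        if h.get("State") != "released"
    ]


def leftover_eips(describe_addresses):
    """Return (PublicIp, AllocationId) for Elastic IPs with no association.

    `describe_addresses` is the parsed JSON from `aws ec2 describe-addresses`;
    an address that is attached to something carries an 'AssociationId' key.
    """
    return [
        (a["PublicIp"], a["AllocationId"])
        for a in describe_addresses.get("Addresses", [])
        if "AssociationId" not in a
    ]


def audit(describe_hosts, describe_addresses):
    """Combine both checks into one report dict."""
    return {
        "hosts": leftover_hosts(describe_hosts),
        "elastic_ips": leftover_eips(describe_addresses),
    }


def aws_json(*args):
    """Run a read-only AWS CLI command and parse its JSON output.

    Requires the AWS CLI and credentials; only used when run as a script.
    """
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


# Constructed sample responses (placeholder IDs, not real account data).
SAMPLE_HOSTS = {
    "Hosts": [
        {"HostId": "h-0123456789abcdef0", "State": "available",
         "HostProperties": {"InstanceType": "mac1.metal"}, "Instances": []},
        {"HostId": "h-0fedcba9876543210", "State": "released",
         "HostProperties": {"InstanceType": "mac1.metal"}, "Instances": []},
    ]
}
SAMPLE_ADDRESSES = {
    "Addresses": [
        {"PublicIp": "203.0.113.7", "AllocationId": "eipalloc-0aaaaaaaaaaaaaaaa",
         "Domain": "vpc"},
        {"PublicIp": "203.0.113.8", "AllocationId": "eipalloc-0bbbbbbbbbbbbbbbb",
         "AssociationId": "eipassoc-0cccccccccccccccc", "Domain": "vpc",
         "InstanceId": "i-0dddddddddddddddd"},
    ]
}


if __name__ == "__main__":
    report = audit(aws_json("ec2", "describe-hosts"),
                   aws_json("ec2", "describe-addresses"))
    for host in report["hosts"]:
        print(f"dedicated host still allocated: {host}")
        print(f"  aws ec2 release-hosts --host-ids {host}")
    for ip, alloc in report["elastic_ips"]:
        print(f"unassociated Elastic IP: {ip}")
        print(f"  aws ec2 release-address --allocation-id {alloc}")
    if not report["hosts"] and not report["elastic_ips"]:
        print("nothing left over")
```

Run it in the same region as the Terraform deployment after `terraform destroy` finishes. A host cannot be released while an instance is still running on it, so an `available` host with a non-empty `Instances` list means the instance teardown itself failed and needs to be investigated first.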
JSON logs
References
Ansible
- docker_stack – docker stack module
- ansible.windows.win_user – Manages local Windows user accounts
- TALES OF A RED TEAMER: DEPLOYING SHENANIGANS TO WINDOWS WITH ANSIBLE
- CptOfEvilMinions/RedTeaming-Public - windows.yml
- ansible.windows.win_file – Creates, touches or removes files or directories
- ansible.windows.win_share – Manage Windows shares
- Ansible - how to remove an item from a list?
- community.crypto.openssl_privatekey – Generate OpenSSL private keys
- Generate OpenSSL Self-Signed Certificates with Ansible
- Ansible Debug: Print Variable & List All Variables – Playbook
- Checking if a File Exists in Ansible
- Configure Network Cards by PCI Address with Ansible Facts
- ansible.builtin.expect – Executes a command and responds to prompts
- How to assign an empty value to a variable in Ansible?
- How to inspect a json response from Ansible URI call
- ansible.builtin.lineinfile – Manage lines in text files
- ansible.builtin.uri – Interacts with webservices
- Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX
- How To Acquire a Let's Encrypt Certificate Using Ansible on Ubuntu 18.04
- community.crypto.openssl_csr – Generate OpenSSL Certificate Signing Request (CSR)
- community.crypto.acme_certificate – Create SSL/TLS certificates with the ACME protocol
- ansible.builtin.slurp – Slurps a file from remote nodes
- community.docker.docker_config – Manage docker configs.
- Install Chocolatey With Ansible On Windows Hosts
- chocolatey.chocolatey.win_chocolatey – Manage packages using chocolatey
- Ansible - Only do something if another action changed
- community.general.launchd – Manage macOS services
- ansible.posix.authorized_key – Adds or removes an SSH authorized key
- How to make Ansible run one certain task only on one host?
- ansible-playbooks/roles/new-user/tasks/create-user.yml
- ansible.builtin.fileglob – list files matching a pattern
Docker
- How To Install and Use Docker on Ubuntu 20.04
- CptOfEvilMinions/GuardiansOfTheNetwork - Install Docker with Ansible
- DockerHub - NGINX
- CptOfEvilMinions/ChooseYourSIEMAdventure - docker-compose-swarm-elastic.yml
- DockerHub - Atlassian Confluence
- Docker-compose file for the official Atlassian Confluence Server
- Setting hostname with Ansible