virtual-machines.md 14.6 KB
Newer Older
1 2 3 4 5 6
# Virtual Machines

## Docker

#### Parrotsec/Parrot-core

7
**Official Parrot Security Base system without tools.**
8 9 10 11

Start a new instance

Public image from Docker Cloud
12
```bash
13 14 15
    docker run -ti --rm --network host parrotsec/parrot-core
```
Local image from Dockerfile
16
```bash
17 18 19
    docker run -ti --rm -network host parrot-core
```
Install/Update from Docker Cloud
20
```bash
21 22 23
    docker pull parrotsec/parrot-core
```
Install/Update from local Dockerfile
24
```bash
25 26 27 28 29 30
    git clone https://dev.parrotsec.org/parrot/docker-images && cd docker-images

    docker build -t parrot-core[:version] parrot-core
```
#### Parrotsec/Parrot

31
**Official Parrot Security image with basic security tools.**
32 33 34 35

-Start a new instance

-Public image from Docker Cloud
36
```bash
37 38 39
    docker run -ti --rm --network host parrotsec/parrot
```
Local image from Dockerfile
40
```bash
41 42 43
    docker run -ti --rm -network host parrot
```
Install/Update from Docker Cloud
44
```bash
45 46 47
    docker pull parrotsec/parrot
```
Install/Update from local Dockerfile
48
```bash
49 50 51 52 53 54 55 56 57
    git clone https://dev.parrotsec.org/parrot/docker-images && cd docker-images

    docker build -t parrot[:version] parrot
```
#### Parrotsec/Metasploit

Parrot Security Metasploit bundle.

Install/Update from Docker Cloud
58
```bash
59 60 61
    docker pull parrotsec/metasploit
```
Install/Update from local Dockerfile
62
```bash
63 64 65 66 67 68 69
    git clone https://dev.parrotsec.org/parrot/docker-images && cd docker-images

    docker build -t metasploit[:version] metasploit
```
Start a new instance

Public image from Docker Cloud
70
```bash
71 72 73
    docker run -ti --network host parrotsec/metasploit
```
Local image from Dockerfile
74
```bash
75 76 77 78 79
    docker run -ti -network host metasploit
```

## Virtual Machines 

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102
### VirtualBox

Download the OVA images from parrotsec.org

1. Open VirtualBox (You can also double click on the .ova file and it will open to the import screen on VirtualBox)

2. File > Import Appliance 

3. Click the Folder icon and select your .ova file 

NOTE: in Parrot Linux the firejail profile limits the directories VirtualBox has access to.

4. Once you have your file, edit to your likeing > click import > agree/disagree with the license > import! 

5. To start Parrot, double-click on parrot-home/parrot-security. 
Parrot will boot to the login greeter with autologin enabled. 

Username: user
Password: toor

(same password for root)
To change password use `passwd` on the account you want to change the password of.

103
### QubesOS
104

s1udge's avatar
s1udge committed
105
There are three ways to install ParrotSec GNU/Linux on QUbesOS for now.
106

107
#### Option 1 - Create an HVM
108 109 110 111 112

1. Download any ParrotSec image you want.

2. Create a new HVM.

113
4. Start the HVM with attached CD/DVD.
114 115 116 117
```bash
     [user@dom0 ~]$ qvm-start <hvm-name> --cdrom <vm-name>:/home/user/Downloads/<iso-name>.iso
```

118
#### Option 2 - Build a ParrotSec TemplateVM on top of a Debian TemplateVM
119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214

WARNING: This website cannot guarantee that any PGP key you download from the Internet is authentic. Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint.

This step is required since by (security) default a TemplateVM do not have a direct Internet connectivity. Users understanding the risks of enabling such access can change this configuration in firewall settings for the TemplateVM.

Note: The prompt on each line indicates where each command should be entered (@dom0, @parrotsec, @xxxx-dvm or @debian-<X>). 

1. Retrieve the official ParrotSec GPG key using a DispVM.
```bash
    [user@xxxx-dvm ~]$ gpg --keyserver hkp://keys.gnupg.net --recv-key 3B3EAB807D70721BA9C03E55C7B39D0362972489
    [user@xxxx-dvm ~]$ gpg --list-keys --with-fingerprint 3B3EAB807D70721BA9C03E55C7B39D0362972489 
    [user@xxxx-dvm ~]$ gpg --export --armor 3B3EAB807D70721BA9C03E55C7B39D0362972489 > parrot-key.asc
```

2. DO N0T TURN OFF THE DISPVM.DO NOT TURN OFF the DispVM, the parrot-key.asc file will be copied to the ParrotSec template in a further step.

3. Make sure the key is the authentic ParrotSec key.

#### Create a ParrotSec TemplateVM.

These instructions will show you how to upgrade a Debian TemplateVM to ParrotSec.

1. (Optional) Check for latest Debian stable template and install it (if not already done)
```bash
    [user@dom0 ~]$ sudo qubes-dom0-update --action="search all" qubes-template-debian
    [user@dom0 ~]$ sudo qubes-dom0-update <latest Debian template>
```

2. Start,update and close your Debian TemplateVM.
```bash
    [user@dom0 ~]$ qvm-start debian-<X>
    [user@dom0 ~]$ qvm-run -a debian-<X> gnome-terminal
    [user@debian-<X> ~]$ sudo apt-get update
    [user@debian-<X> ~]$ sudo apt-get upgrade
    [user@dom0 ~]$ qvm-shutdown debian-<X>
```

3. Clone debian-x TemplateVM
```bash 
    [user@dom0 ~]$ qvm-clone debian-<X> parrotsec
```

4. Check the name of currently used repository in /etc/apt/sources.list and current testing Debian release. Update repository list accordingly
```bash
    [user@parrotsec ~]$ sudo sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list
    [user@parrotsec ~]$ sudo sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list.d/qubes-r<X>.list
```
e.g. in this example we update stretch stable repository to buster testing repository
```bash 
    [user@parrotsec ~]$ sudo sed -i 's/stretch/buster/g' /etc/apt/sources.list
    [user@parrotsec ~]$ sudo sed -i 's/stretch/buster/g' /etc/apt/sources.list.d/qubes-r<X>.list
```
5. Upgrade parrotsec template to latest Debian testing release
```bash 
    [user@parrotsec ~]$ sudo apt-get update && sudo apt-get dist-upgrade
    [user@parrotsec ~]$ sudo apt-get autoremove
```
Note: During execution of a dist-upgrade command read carefully list of packages to be removed. If it contains qubes-* packages, terminate operation and try to resolve qubes-* packages missing dependencies first.

6. Copy the ParrotSec GPG key from the DispVM to the new template:
```bash
    [user@xxxx-dvm ~]$ qvm-copy-to-vm parrotsec parrot-key.asc
```
Turn off the DispVM.

7. Add the ParrotSec GPG key to the list of keys trusted to authenticate packages:
```bash
    [user@parrotsec ~]$ cat /home/user/QubesIncoming/dispXXX/parrot-key.asc | sudo apt-key add -
```
The above command should return OK In a single line.

8. Attempt an update on the new TemplateVM
```bash 
    [user@parrotsec ~]$ sudo cat <<EOF > /etc/apt/sources.list.d/parrot.list
     # ParrotSec repository
    deb http://deb.parrotsec.org/parrot stable main contrib non-free
    #deb-src http://deb.parrotsec.org/parrot stable main contrib non-free
    EOF
    [user@parrotsec ~]$ sudo apt-get update
    [user@parrotsec ~]$ sudo apt-get dist-upgrade
    [user@parrotsec ~]$ sudo apt-get autoremove
    [user@parrotsec ~]$ sudo apt install parrot-core parrot-archive-keyring parrot-drivers parrot-skel
```

9. Shut down and trim the new TemplateVM
```bash
    [user@dom0 ~]$ qvm-shutdown parrotsec
    [user@dom0 ~]$ qvm-trim-template parrotsec
```

10. Ensure a terminal can be opoened in the new TemplateVM
```bash 
    [user@dom0 ~]$ qvm-run -a parrotsec gnome-terminal
```


s1udge's avatar
s1udge committed
215
#### (Optional)Install the penetraton testing tools
216 217 218 219 220 221 222 223 224 225 226
At this point you should have a working template and you can install the tools you need.

1. Resize the template disk image if you plan on installing the full ParrotSec distribution. For example to install parrot-tools-full you must grow the size of the VM system from 10GB to at least 20GB.

2. Install ParrotSec penetration testing tools:
```bash
    [user@parrotsec ~]$ sudo apt-get install parrot-tools-full
```

(Optional) Customise the template’s home directory (e.g. install your licensed copy of Burp Suite Professional)

227
#### Use the TemplateVM
228 229
The template is ready to be used. You can now spin up AppVMs based on the parrotsec template.

230
### KVM
231

232
KVM is a full virtualization solution for Linux on x86 (64-bit included) hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor specific module, kvm-intel.ko or kvm-amd.ko.
233

234
#### Installation
235

236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389
It is possible to install only QEMU and KVM for a very minimal setup, but most users will also want libvirt for a convenient configuration and management of the virtual machines (libvirt-daemon-system - libvirt, virt-manager - a GUI for libvirt).
Open your terminal and write the following command: 
```bash
   apt install qemu-kvm libvirt-clients qemu-utils libvirt-daemon-system
```

The daemon libvirt-bin daemon will start automatically at boot time and load the appropriate kvm modules, kvm-amd or kvm-intel, which are shipped with the Linux kernel Debian package. If you intend to create VMs from the command-line, install virtinst.

In order to be able to manage virtual machines as regular user, that user needs to be added to some groups. 
Type the following command:
```bash
    adduser <user> libvirt
    adduser <user> libvirt-qemu
```

You should then be able to list your domains ("domain" is a virtual machine managed by libvirt): 
```bash 
    virsh list --all
```

#### Connecting to libvirt

By default, if virsh is run as a normal user it will connect to libvirt using qemu:///session URI string. This URI allows virsh to manage only the set of VMs belonging to this particular user. To manage the system set of VMs (i.e., VMs belonging to root) virsh should be ran as root or with qemu:///system URI: 
```bash
    virsh --connect qemu:///system list --all
```

Not to specify the --connect option for every command, the URI string can be set in the LIBVIRT_DEFAULT_URI environment variable: 
```bash 
    export LIBVIRT_DEFAULT_URI='qemu:///system'
```

#### Creating a new guest 

The easiest way to create and manage VM guest is using GUI application Virtual Machine Manager virt-manager.
In alternative, you may create VM guest via command line. Below is example to create a ParrotSec guest with name parrotsec:  
```bash 
    virt-install --virt-type kvm --name parrotsec --memory 512 --cdrom ~/Downloads/Parrot/.iso --disk size=4 --os-variant debian
```

Since the guest has no network connection yet, you will need to use the GUI virt-viewer to complete the install.

You can avoid pulling the ISO by using the --location option. To obtain text console for the installation you can also provide --extra-args "console=ttyS0":
```bash 
    virt-install --virt-type kvm --name squeeze-amd64 \
    --location http://httpredir.debian.org/debian/dists/squeeze/main/installer-amd64/ \
    --extra-args "console=ttyS0" -v --os-variant debiansqueeze \
    --disk size=4 --memory 512
```

#### Setting uo bridge networking

**Between VM guests**

By default, QEMU uses macvtap in VEPA mode to provide NAT internet access or bridged access with other guest. This setup will allow guests to access Internet (if there is an internet connection on the host), but will not allow the host or other machines on the host's LAN to see and access the guests. 

**Between VM host and guest**

Libvirt default network

If you use libvirt to manage your VMs, libvirt provides a NATed bridged network named "default" that allows the host to communicate with the guests. This network is available only for the system domains (that is VMs created by root or using the qemu:///system connection URI). VMs using this network end up in 192.168.122.1/24 and DHCP is provided to them via dnsmasq. This network is not automatically started. To start it use: 
```bash 
     virsh --connect=qemu:///system net-start default
```

To make the default network start automatically use:
```bash 
    virsh --connect=qemu:///system net-autostart default
```

In order for things to work this way you need to have the recommended packages dnsmasq-base, bridge-utils and iptables installed. 

**Manual bridging**

To let communications between VM host and VM guests, you may setup a macvlan bridge on top of a dummy interface similar as below. After the configuration, you can set using interface dummy0 (macvtap) in bridged mode as the network configuration in VM guests configuration. 
```bash 
    modprobe dummy
    ip link add dummy0 type dummy
    ip link add link dummy0 macvlan0 type macvlan mode bridge
    ifconfig dummy0 up
    ifconfig macvlan0 192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0 up
```
**Between VM host.guests and the world**

In order to let communications between host, guests and outside world, you may [set up a bridge](https://wiki.debian.org/BridgeNetworkConnections)] and as described at [QEMU page](https://wiki.debian.org/QEMU#Host_and_guests_on_same_network). 

For example, you may modify network configuration file /etc/network/interfaces for setup ethernet interface eth0 to a bridge interface br0 similar as below. After the configuration, you can set using Bridge Interface br0 as the network connection in VM guests configuration. 
```bash 
auto lo
iface lo inet loopback

# The primary network interface
auto eth0

#make sure we don't get addresses on our raw device
iface eth0 inet manual
iface eth0 inet6 manual

#set up bridge and give it a static ip
auto br0
iface br0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0
        dns-nameservers 8.8.8.8

#allow autoconf for ipv6
iface br0 inet6 auto
        accept_ra 1
```

Once that is correctly configured, you should be able to use the bridge on new VM deployments with:
```bash
    virt-install --network bridge=br0 [...]
```

You can then use the virsh command to start and stop virtual machines. VMs can be generated using virtinst. For more details see the libvirt page. Virtual machines can also be controlled using the kvm command in a similar fashion to QEMU. Below are some frequently used commands: 

Start a configured VM guest "VMGUEST":
```bash 
    virsh start VMGUEST
```

Notify the VM guest "VMGUEST" to graceful shutdown:
```bash 
    virsh shutdown VMGUEST
```

Force the VM guest "VMGUEST" to shutdown in case it is hanged, i.e. graceful shutdown not work: 
```bash 
    virsh destroy VMGUEST
```
**Managing VM guests with a GUI**

On the other hand, if you want to use a graphical UI to manage the VMs, you can use the Virtual Machine Manager virt-manager.

**Automatic guest management on host shutdown/startup**

Guest behavior on host shutdown/startup is configured in /etc/default/libvirt-guests.

This file specifies whether guests should be shutdown or suspended, if they should be restarted on host startup, etc.

First parameter defines where to find running guests. For instance: 
```bash 
# URIs to check for running guests
# example: URIS='default xen:/// vbox+tcp://host/system lxc:///'
URIS=qemu:///system
```
390 391 392 393 394 395 396 397

### VMware

Under construction

### QEMU

Under construction