Ever since Fireeye annouced their new CommandoVM, the “Complete Mandiant Offensive VM”, I’d figured next time I had an occasion to target a Windows host, I would try to build a VM and give it a spin. This post is focused on getting up and running. I suspect additional posts on how it works out will follow.
So what is Commando VM? From the Fireeye release blog:
For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist. As security researchers, every one of us has probably spent hours customizing a Windows working environment at least once and we all use the same tools, utilities, and techniques during customer engagements. Therefore, maintaining a custom environment while keeping all our tool sets up-to-date can be a monotonous chore for all. Recognizing that, we have created a Windows distribution focused on supporting penetration testers and red teamers.
Kali has been my go to for HackTheBox and CTFs because it has a lot of the tools I need already configured. But when you target a Windows host, there are times it is just more natural to use Windows.
So what is Commando-VM? It’s not actually a VM. You have to bring your own Windows VM (7 or 10, preferably 10), and then use their scripts to download and configure the VM to include the tools and resources that you might expect as a Pentester / Red Teamer / CTF participant.
I’m working out of VirtualBox, and I created a new VM, gave it 100GB harddrive and 4 GB of ram.
To start, but made a Windows 10 VM. After install, I went into Windows update and applied all updates, rebooted, repeated that cycle until Windows tells me I’m up to date:
Once I’m finally there, my
winver pop-up shows I’m running the 1809 update:
I changed the computer name to “commando”.
I also installed the VirtualBox Guest Additions, so that I could map drives and share my clipboard. After a reboot, I can verify that I can copy and paste between my linux host and the VM.
While on any other Windows VM, I would immediate now jump to pinning
powershell, and installing Firefox, I want to give Commando a chance to do it’s thing, so I’m going to leave that for later.
I’m going to make a snapshot here in case any thing breaks.
I’ll open Edge and go to the GitHub page for Commando. I’ll click on the green “Clone or download” button, and select “download zip”. I’ll tell it to save in my downloads, open Windows Explorer, right click on the file, and extract the zip there.
Set Execution Policy
Now I’ll open a PowerShell window by going to start, typing powershell, right clicking on it, and selecting “Run as administrator”.
Now I need to set PowerShell so that I can run scripts. I’ll do that by changing the execution policy:
PS C:\users\0xdf\Downloads\commando-vm-master> Set-ExecutionPolicy Unrestricted Execution Policy Change The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
cd into my downloads directory, and into the
PS C:\users\0xdf\Downloads\commando-vm-master> ls Directory: C:\users\0xdf\Downloads\commando-vm-master Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 4/8/2019 8:25 PM .github d----- 4/8/2019 8:25 PM commandovm.win10.config.fireeye d----- 4/8/2019 8:25 PM commandovm.win10.installer.fireeye d----- 4/8/2019 8:25 PM commandovm.win10.preconfig.fireeye d----- 4/8/2019 8:25 PM commandovm.win7.config.fireeye d----- 4/8/2019 8:25 PM commandovm.win7.installer.fireeye -a---- 4/8/2019 8:25 PM 81218 Commando.png -a---- 4/8/2019 8:25 PM 10548 install.ps1 -a---- 4/8/2019 8:25 PM 9138 License.txt -a---- 4/8/2019 8:25 PM 11801 README.md
install.ps, which takes care of the configuration and installation.
PS C:\users\0xdf\Downloads\commando-vm-master> .\install.ps1 Security warning Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\users\0xdf\Downloads\commando-vm-master\install.ps1? [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R [+] Beginning install... ____________________________________________________________________________ | | | | | _________ .___ | | \_ ___ \ ____ _____ _____ _____ ____ __| _/____ | | / \ \/ / _ \ / \ / \\__ \ / \ / __ |/ _ \ | | \ \___( <_> ) Y Y \ Y Y \/ __ \| | \/ /_/ ( <_> ) | | \______ /\____/|__|_| /__|_| (____ /___| /\____ |\____/ | | \/ \/ \/ \/ \/ \/ | | C O M P L E T E M A N D I A N T | | O F F E N S I V E V M | | | | Version 1.0 | |____________________________________________________________________________| | | | Developed by | | Jake Barteaux | | Proactive Services | | Blaine Stancill | | Nhan Huynh | | FireEye Labs Advanced Reverse Engineering | |____________________________________________________________________________| [+] Checking if script is running as administrator.. phenomenal cosmic powers [+] Checking to make sure Operating System is compatible Microsoft Windows 10 Pro supported [+] Checking if host has been configured with updates updates appear to be in order [+] Checking if host has enough disk space > 60 GB hard drive. looks good [-] Do you need to take a snapshot before continuing? Y/N N Continuing... [ * ] Getting user credentials ... Windows PowerShell credential request Enter your credentials. Password for user 0xdf:
It asks for my password here, which it needs because it will reboot several times, and it wants to make this as seamless as possible, so that I can start it, walk away, and not have to enter my password periodically.
The install scripts took just under two hours for my VM (1:55). I recorded a video speed up 30 times of the entire install:
At the end, it looks like this, with the PowerShell prompt remains open waiting for you to exit (which is the expected behavior stated in the blog post):
The Fireeye blog post shows a CommandoVM desktop wallpaper, but mine didn’t get set. However, they recommend a reboot, and on reboot, the wallpaper is set:
I also pinned Firefox to the taskbar, as a matter of personal preference.
One more snapshot, and time to get to work.
I’m going to try to solve a box from HackTheBox using this VM, and I’ll follow up with additional posts.