Last month, I mentioned the possibility of setting up a second virtual firewall in a lab environment to simulate a corporate network with mock internal and external spaces. I frequently do this for CTFs, student pentesting projects, and more. Offensive security training is rapidly moving towards realistic environments. Organizations like HackTheBox, which historically have focused on one-off puzzle boxes, are now opening up entire interconnected environments. Unfortunately, those options come at a price that can be prohibitively expensive for some. Using free and open source software (and trial software downloads when/where available), it’s possible to create similar network environments at a fraction of the cost.
In truth, it’s no different than setting up a real corporate firewall except for the virtual networking component (and intended attack paths).
Since we started with the Proxmox/Sophos UTM 9 combination last month, I’ll continue down that path with this post.
Yet Another Virtual Firewall
I would not recommend using the lab firewall we set up in the previous post to manage your mock corporate network. Using a second firewall will help you to maintain the appropriate network segmentation we’ve already established in the lab. Moreover, I frequently use functions of the firewall as part of my exercises (an example will likely appear in my next post). And if it becomes compromised during the course of an event, the rest of my lab remains safe and isolated.
So, to get started, repeat the steps from my previous post and create a second firewall (up to the point where we start plugging in virtual networks). You’ll need to create a minimum of two new, dedicated ‘Exercise’ OVS Bridges in Proxmox. The first is for the ‘external’ network space (ie: ‘Exercise’); it connects a dedicated virtual NIC on the lab firewall (‘Exercise’, with its own masquerade rule, DHCP and DNS servers, etc.) to the WAN NIC of the new firewall. The second, the ‘internal’ network space (ie: ‘Exercise-Internal’), will only be connected to the new firewall as its LAN. Conceptually, it will look something like Figure 1.
If You Build It…
Once the firewall is up and running, it’s time to build the network. I highly recommend diagramming it out. This is especially important if you’re running a CTF with score cards. Plan out each path of attack and document the patching levels you’ll need to achieve, etc. Note which systems, ports, and services will be exposed through the new firewall to simulate your mock corporation’s internet presence. And stick to the kinds of things one would expect to see externally (unless a particular challenge calls for something different). Email servers, WordPress, IIS and Apache, SSH, and even FTP all make perfectly solid choices. The idea is to make the environment feel like a real organization’s external footprint.
The last step in getting your mock corporate environment up and running is to port forward those chosen services through the new exercise firewall. Unless you want a single-IP ‘external’ environment, you’ll need to create virtual IP addresses for the firewall. Inside the Sophos UTM 9’s Web Admin interface, go to the ‘Interfaces & Routing’ tab on the left. Then, select ‘Interfaces,’ and on the right, choose the ‘Additional Addresses’ tab. Select ‘New Additional Address…’ Name your new virtual interface (ie: ‘OWA External’), choose the Exercise Firewall’s WAN NIC from the drop down menu (so the new interface will be accessible from the same ‘Exercise’ subnet), and set an IP address in the appropriate range (use an IP that makes sense given the DHCP server for the ‘Exercise’ subnet, ie: one outside its lease pool; see Figure 2). Repeat this process for each IP you wish to expose ‘externally.’
To port forward in Sophos UTM 9, go to the ‘Network Protection’ tab on the left and select ‘NAT.’ Choose ‘New NAT Rule…’ and then fill out the appropriate information.
- For traffic from: This will depend on how you/your participants will be accessing the ‘external’ space (‘Exercise’ subnet). If you/they are using a VPN, for example, make sure that network space is dropped here (by default, the SSL VPN range is 10.242.2.0/24 in the UTM 9). Leaving it as ‘Any’ shouldn’t break anything, though locking it down to specific sources is ideal.
- Using service: Fill in the port you would like exposed here. It does not have to match the port on which the intended service is running.
- Going to: Find the Additional Address you created here. Note that there are probably three options (Network, Broadcast, and Address). Make sure to pick ‘Address.’
- Change the destination to: Put the IP address of the machine hosting the intended service here.
- And the service to: The port on which the service is running goes in this field.
Definitely check the ‘Automatic firewall rule’ box to save yourself a potential troubleshooting headache.
The final step after saving the NAT rule is to turn it on by locating it in the list and flipping the grey switch to green. Now, you and your participants should be able to reach the service from the ‘outside’ by connecting to the ‘Additional Address’ IP you created, and only the forwarded port will be visible there (rather than every other open port/exposed service on the server; see Figure 3). If you want to up the realism further, you can set DNS records for your ‘external’ IPs under ‘Definitions & Users’ on the left hand side of the screen (assuming you’re using the UTM 9 as your DNS server).
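As an added worked example (my own, not from the original post or from Sophos), here is a small Python script that sanity-checks a planned set of forwards against the steps above before you click through the Web Admin: each Additional Address must sit in the ‘Exercise’ subnet but outside its DHCP pool, each destination must be in ‘Exercise-Internal’, and no two rules may claim the same external IP:port. The subnets, DHCP pool and sample services are constructed assumptions; only the 10.242.2.0/24 SSL VPN range comes from the post.

```python
import ipaddress
from dataclasses import dataclass

# Assumed lab addressing (constructed for this example, not from the original post)
EXERCISE_NET = ipaddress.ip_network("10.10.0.0/24")            # 'Exercise' (external) space
EXERCISE_DHCP_POOL = (ipaddress.ip_address("10.10.0.100"), ipaddress.ip_address("10.10.0.200"))  # lab firewall's DHCP range
EXERCISE_INTERNAL_NET = ipaddress.ip_network("172.16.50.0/24")  # 'Exercise-Internal' (LAN)

@dataclass(frozen=True)
class Forward:              # one planned port forward; fields mirror the UTM 9 NAT form
    name: str               # Additional Address name, e.g. 'OWA External'
    external_ip: str        # the Additional Address on the exercise firewall's WAN NIC
    external_port: int      # 'Using service'
    internal_ip: str        # 'Change the destination to'
    internal_port: int      # 'And the service to'

def check_plan(forwards):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen = [], {}
    for f in forwards:
        ext, dst = ipaddress.ip_address(f.external_ip), ipaddress.ip_address(f.internal_ip)
        if ext not in EXERCISE_NET:
            problems.append(f"{f.name}: external IP {ext} is not in {EXERCISE_NET}")
        elif EXERCISE_DHCP_POOL[0] <= ext <= EXERCISE_DHCP_POOL[1]:
            problems.append(f"{f.name}: external IP {ext} collides with the Exercise DHCP pool")
        if dst not in EXERCISE_INTERNAL_NET:
            problems.append(f"{f.name}: destination {dst} is not in {EXERCISE_INTERNAL_NET}")
        key = (str(ext), f.external_port)          # the UTM needs one rule per external IP:port
        if key in seen:
            problems.append(f"{f.name}: {ext}:{f.external_port} already used by {seen[key]}")
        seen.setdefault(key, f.name)
    return problems

def nat_rule_fields(f, traffic_from="Any"):
    """Render a forward as the fields to fill in under 'New NAT Rule...'."""
    return {"For traffic from": traffic_from,
            "Using service": f"TCP {f.external_port}",
            "Going to": f"{f.name} (Address)",      # pick 'Address', not Network/Broadcast
            "Change the destination to": f.internal_ip,
            "And the service to": f"TCP {f.internal_port}"}

# Constructed sample plan with two deliberate mistakes for check_plan to catch
PLAN = [
    Forward("OWA External", "10.10.0.20", 443, "172.16.50.10", 443),
    Forward("Corp Web", "10.10.0.21", 80, "172.16.50.20", 8080),
    Forward("Corp Web alt", "10.10.0.21", 80, "172.16.50.21", 80),   # same external socket
    Forward("FTP Drop", "10.10.0.150", 21, "172.16.50.30", 21),      # inside the DHCP pool
]
if __name__ == "__main__":
    print(*check_plan(PLAN), nat_rule_fields(PLAN[0], "10.242.2.0/24"), sep="\n")
```

Running it flags the two planted mistakes and prints the first rule in the same field order as the UTM form, with the SSL VPN range in ‘For traffic from’ instead of ‘Any’.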
This is enough to get you started on your journey to build a mock corporate environment, but it’s certainly not the end. From here, you can stand up a domain (or multiple) or create a DMZ (and do NAT among LAN networks on the Exercise Firewall to simulate Jump Boxes, etc.). You might even consider modeling a fictional organization to add a bit of Open Source Intelligence gathering potential to your mock pentests. I frequently call on 80s and 90s nostalgia and build fake corporations around G.I. Joe, the Galactic Empire, and most recently, the Thundercats. That opens up additional real world attack possibilities such as password guessing. Consider planting breadcrumbs or flags in user inboxes to encourage participants to explore more of the environment. With enough time, you can stand up custom web applications to further build up the feeling of immersion. You’re really only limited by your own imagination.