Proxmox Home Lab - Setup Guide

 

Introduction

    Creating a home-lab environment is, in my opinion, extremely educational and exciting. The purpose of creating this lab is to replicate hands-on experience in virtual troubleshooting, engineering and learning in a completely customized setting. This walk-through includes everything you need to know to get up and running with your home lab using Proxmox. It is multi-part, and each part includes a step-by-step guide to the process, which will include...

Part #1: Intro to Proxmox & Installation

Part #2: Download & Upload .ISO Files

- OpnSense Installation
- Windows 10/ 11 VM Installation
- Windows Server 2022 VM Installation
- Kali Linux/ Kali Purple VM Installation
- Ubuntu Live Server 20.04.6 VM Installation

Part #3: SPICE Installation

Part #4: Installing FLARE on Windows VMs

Part #5: Lab Network Configuration

Part #6: Installing Active Directory on Windows Server VM

Part #7: Users, Groups & Policies Configuration on Active Directory

Part #8: Domain Controller, Domain Joining

Part #9: OpnSense Firewall/ Router Configuration

Part #10: Wazuh Server (SIEM) Installation

Part #11: Velociraptor Installation

HAVE FUN !!!


Background

    Proxmox VE (Virtual Environment) is an open-source virtualization platform that combines two virtualization technologies: KVM (Kernel-based Virtual Machine) for virtual machines (VMs) and LXC (Linux Containers) for lightweight containerization. This makes Proxmox VE a Type 1 hypervisor, also known as a bare-metal hypervisor, as it runs directly on the host hardware to control the hardware and to manage guest operating systems.

1. Type of Hypervisor: Proxmox is a Type 1 hypervisor, also known as a bare-metal hypervisor, which runs directly on the host hardware without the need for a separate operating system.

2. Scope: Proxmox is designed for server virtualization and is intended for managing and running multiple virtual machines and containers on a server.

3. Management Interface: Proxmox is managed through a web-based interface that can be accessed from any web browser, making it easy to manage virtual machines and containers across multiple servers.

4. Features: Proxmox offers advanced features such as live migration, high availability clustering, and backup and restore functionality, which are essential for managing virtualized environments in a data center.

5. Support: Proxmox is backed by a commercial company, Proxmox Server Solutions GmbH, which offers professional support and services for users.

    In summary, Proxmox is better suited to server virtualization and large-scale virtualization deployments than popular Type 2 hypervisors like VirtualBox. If you have a PC collecting dust at home that is no longer being used and you're feeling adventurous, consider using Proxmox.

Equipment

Use what you have (an old laptop or desktop). You do not need an exceptionally powerful machine. Even if you don’t use an older system for your build, you may be able to use the memory and/or SSDs from an old system and upgrade a relatively cheap or repurposed system. For my home lab, I will be utilizing an older Lenovo Ideacentre below, with some additional upgraded specs.

Lenovo Ideacentre 510A - 15ABR 4xAMD A12-9800 RADEON R7

- 1 TB Hard-drive (SSD)
- 64GB RAM

Part #1: Download & Install Proxmox

To create a bootable USB to install Proxmox, you can use a tool like Rufus or Etcher. Here's a general guide on how to do it:

Download Proxmox .iso: Visit the Proxmox website and download the latest Proxmox VE .iso image.

https://www.proxmox.com/en/downloads


Download to Bootable USB Tool:

    At this particular step in the process, making a bootable USB drive is recommended. This makes installation a smooth process. Depending on which operating system you are using to create the bootable USB, the process will vary.

Windows OS - (Rufus, Balena Etcher)

MacOS - (Balena Etcher)

ChromeOS - (Chromebook Recovery Utility) *Google extension

Linux - (Balena Etcher)

Now you have a bootable USB with Proxmox on it. Before continuing, you want to ensure that the hardware you are putting Proxmox onto will boot from USB. You can do this by opening your system BIOS settings and editing the boot process there. I recommend a YouTube tutorial if you are unsure how to edit BIOS settings for your specific OS.

Install Proxmox: Follow the on-screen instructions to install Proxmox VE on your system.

Once installation is complete, the server will prompt you to remove your bootable USB. The server will then restart and give the IP and port number to access the web interface.
Connect with a browser on a different computer on the same network and log in.
You will initially receive a warning prompt when you visit the web interface; you can ignore this and proceed to the site.
You can ignore the popup below about the subscription. It will appear every time you restart the server; however, this is expected, you have full functionality of Proxmox and there is no need to subscribe. Proxmox is an open-source platform which improves with community support, so if you choose, you may subscribe to the default enterprise support and Proxmox will support your lab directly. I do recommend this for production Proxmox environments. For now, subscribing is outside the scope of this walk-through.

11.
If you have chosen to subscribe to the Proxmox enterprise platform, you may skip this step.
Those who want to use the 'free no-subscription' pathway, like myself, please follow along. 

11a: Either 'ssh' into your PVE host system (ssh username@pveIPaddress)
 OR open the 'Shell' (terminal) with your Proxmox server.

11b: Enter 'nano /etc/apt/sources.list.d/pve-enterprise.list' to edit this repository as shown below.

11c: Add a '#' to comment out the existing repository in this file. Don't worry, we're going to add our own.
Next, add 'deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' as seen below.
Press Ctrl + X, then press 'y' for yes. This saves our edit.

11d: Now we just need to edit one more repository.
Enter 'nano /etc/apt/sources.list.d/ceph.list' in your terminal.

11e: This is the same as our last repository edit. Add a '#' in front of the existing line in this file.
Next, add 'deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription' as shown below.
Press Ctrl + X, then press 'y' for yes.

11f: I promise, almost done. Enter 'apt-get update && apt-get upgrade -y' to update the Proxmox server with the latest software patches, security fixes and upgrades.
Allow the update to finish. I recommend rebooting the server afterwards. You can do this by simply typing 'reboot' in your terminal.
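
The repository edits from steps 11b to 11e, written as one repeatable script. This is an added example and not part of the original walk-through; the names switch_repo, apply_no_subscription and the APT_DIR override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: steps 11b-11e as an idempotent script. Run as root on the PVE host.
# switch_repo, apply_no_subscription and APT_DIR are illustrative names,
# not Proxmox tooling.

# switch_repo FILE LINE
#   Comment out every active "deb" entry in FILE except LINE, then append LINE
#   if it is missing. Running it a second time leaves the file unchanged.
switch_repo() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    # Keep the first original copy for rollback; apt only reads *.list and
    # *.sources files in this directory, so the copy is not used as a repo.
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak"
    tmp=$(mktemp) || return 1
    awk -v want="$line" '
        $0 == want        { print; next }          # already the line we want
        /^[ \t]*deb[ \t]/ { print "# " $0; next }  # active entry: disable it
                          { print }                # comments and blank lines
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    grep -qxF -- "$line" "$tmp" || printf '%s\n' "$line" >> "$tmp"
    cat "$tmp" > "$file"      # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

apply_no_subscription() {
    d=${APT_DIR:-/etc/apt/sources.list.d}
    switch_repo "$d/pve-enterprise.list" \
        'deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription'
    switch_repo "$d/ceph.list" \
        'deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription'
}

# Nothing is modified unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_no_subscription
    grep -H '^deb' "${APT_DIR:-/etc/apt/sources.list.d}"/*.list   # show active repos
fi
```

Setting APT_DIR to a scratch directory holding copies of the two files lets you check the result before touching /etc/apt/sources.list.d.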

*QUICK TIP
Not a fan of the Proxmox light mode screen? You can change the theme of your server display under your 'root@pam' settings, and select 'Color Theme'. I will show you with example images below.


For walk-through purposes I will keep my PVE color theme in light mode.

Part #2: Download & Upload .ISO Files

    In Proxmox, we must use .ISO Images to create virtual machines (VMs). In this step, choose whichever .ISO image(s) you want to work with in your Proxmox virtual environment. I will leave the links (URLs) and list of all of the .ISOs I have chosen for my lab.


Upload .ISO Files:

Navigate to where you saved the ISOs you have chosen to download.


Repeat this process for all of the .iso files.

Once you have logged into your Proxmox web interface and successfully updated & upgraded the server, you may now create a virtual machine. Follow along as shown in the image example below.

The initial installation configuration of each VM within the Proxmox virtual environment will differ for various reasons, including your PVE server specs, specific VM operating systems, VM system requirements, disk size, CPU & memory, network configuration etc. Follow the walk-through for an understanding of each VM installation process.


OpnSense VM Installation

General:
OS:
System:
Disks:
CPU:
Memory:
Network:
Confirm:

Windows 10/ 11 VM Installation

If you have not already done so, download the VirtIO drivers .iso. This .iso includes the drivers needed for the Windows VMs.

Windows virtIO Drivers

Upload the .iso to Proxmox in the same manner you uploaded the OS .iso files. 

The setups for the Windows 10 VM and the Windows 11 VM are going to be slightly different. Follow my walk-through below.

Windows 10
General:
Under 'General' enter the name and VM ID#. Example image above.

OS:
Select the storage location where the .iso was uploaded.
Double check the 'Type' is 'Microsoft Windows' & the 'Version' is '10/2016/2019' as shown in the example image above.

Check off 'Add additional drive for virtIO drivers' like shown above.

System:
Under 'System', select the Qemu Agent button and Add TPM as seen in the image above.

Disks:
Under the 'Disks', select the disk size. I chose 100GB for the Windows VM. You want to choose an appropriate amount based upon the available space on your PVE machine.

CPU:
4 cores are recommended for the Windows OS in this lab.

Memory:
For RAM memory, 8096 MiB is equal to 8GB of RAM.

Network:
Under 'Network', un-check/ disable the 'Firewall' and leave the defaults. We will be configuring the network for this system later.

Confirm:
Double check and confirm your settings before selecting 'Finish'.
Start the VM and follow along with the setup prompt.

Windows 11
General:
Name the VM and assign an ID#

OS:

System:

Disks:

CPU:
4 cores are recommended for the Windows OS in this lab.

Memory:

Network:

Confirm:
Double check your settings before selecting Finish.

Windows Server 2022 VM Installation

General:

OS:
Select the .iso, in this case 'SERVER_EVAL_x64FRE_en_us.iso' as seen in the example image above.

System:
Select the Qemu agent.

Disks:

CPU:
Select the # of CPU cores.

Memory:
Assign the memory size. Here I chose 8GB of RAM as seen in the example image above.


Network:
Disable the firewall and keep the defaults for now.

Confirm:
Double check and confirm the settings before selecting Finish.

Kali Linux/ Kali Purple VM Installation

The installation process for both Kali Linux and Kali Purple will be ALMOST identical in this lab.
However, you can choose your own customized settings.
In this lab, the differences will include:
1 socket, 2 cores, 4GB RAM, 96G of HD space for Kali Linux (Attack Box)
1 socket, 4 cores, 16GB RAM, 120G of HD space for Kali Purple (SOC/ SIEM Server)

Please decide on the appropriate resources for your VMs, as different hardware specs bring different results.

General:
Under 'General', enter the name and VM ID#. Example image above.

OS:

System:
Under 'System', select and enable the Qemu Agent.

Disks:
Under 'Disk', select the disk size for this system.

CPU:
Under CPU, I chose to use 2 cores. Kali Linux (my Attack Box) initially does not need heavy resources.
For Kali Purple (my SOC/ SIEM Server) I will allocate 4 cores due to the need for more system resources.

Memory:
Here, select the amount of memory.
I recognize I have made a typo within the screenshot. If you choose to assign 4GB of RAM like myself for this machine, the proper amount of mebibytes (MiB) is 4096.

Network:
Un-select and disable the Firewall, keep the default network settings for now.

Confirm:
Double check and confirm the settings before selecting Finish.
Start the VM and follow along with the setup prompt.

Ubuntu Live Server 20.04.6 VM Installation

General:

OS:

System:

Disks:

CPU:

Memory:

Network:

Confirm:

Part #3: SPICE Installation

This step is completely optional but recommended for better performance within your Proxmox lab environment.

What is SPICE? SPICE is an open-source, open remote computing solution which provides client access to remote displays and devices (e.g. keyboard, mouse, audio). SPICE's primary function is to provide an authenticated process to get remote access to virtual machines. SPICE also provides other features, some of which are still in various stages of development.

Depending on which OS you are using to login to the Proxmox web interface, the installer you download will vary. If you are using a Windows machine, you would select the Windows installer option as shown in the example image provided below.

SPICE for Windows


Select the 'Winx64MSI' installer. *(Windows only)


After the download is complete, run and install the viewer.

Then go to the VM that you want to view with SPICE. (I will do this for all my VMs except OpnSense.) Double click the Display and change the graphics card to SPICE and give it 128MB of memory.


Then go to “Machine” and select “q35” from the dropdown.


When starting the VM, go to the Console drop-down and choose SPICE.


When you do, you will see a small file download. Double click it and the VM will open in a new window.



You will now need to install the guest tools on all Windows VMs. Open the VM and open the CD (virtio). 


Navigate to the bottom and install 'virtio-win-guest-tools'.


Agree with the prompt terms and select 'Install'. Example image provided below.


Once it is completed the VM will go to full screen and you will now be able to copy and paste to and from the VM. Great, right?! 


SPICE for Linux

On a Linux system you can install SPICE guest tools and the QEMU agent with the commands below:
- sudo apt update
- sudo apt install spice-vdagent qemu-guest-agent

You can then start and enable them with the commands below:
- sudo systemctl start spice-vdagent
- sudo systemctl enable spice-vdagent

This completes the installation of SPICE. I recommend installing it on all of your VMs. 

Part #4: Install FLARE on Windows VMs

What is FLARE? 
FLARE is a specialized Windows-based machine environment developed by FireEye. FLARE is an open-source (free) platform initially designed for malware analysis, reverse engineering and incident response. This tool provides a pre-configured Windows environment equipped with an extensive suite of tools commonly used by security professionals for forensic investigations and analyzing malicious software.

Key features of FLARE VM include comprehensive toolsets such as:
- Forensic utilities for memory dumps, disk images and network traffic.
- Disassemblers (e.g., IDA Free, Ghidra, x64dbg).
- Decompilers (e.g., dnSpy, JD-GUI).
- Static analysis tools (e.g., PE-bear, Detect-It-Easy).
- Dynamic analysis tools (e.g., Wireshark, Process Monitor).

The platform provides a customizable installation with a modular setup, allowing users to select the tools they need. FLARE also has automated setup features which use Chocolatey, a Windows package manager, for tool installation and configuration. Last but not least is its Windows-centric design: it is built on Windows to ensure compatibility with Windows-specific malware.

Why FLARE VM and Its Benefits:
- Safe and Isolated Environment, operates in a virtual machine to analyze malware without risking the host system or network.
- Convenience, pre-configured environments save setup time and ready-to-use tools reduce overhead.
- Comprehensive Coverage, which supports both static and dynamic malware analysis.
- Focus for Windows machines, ideal for analyzing malware targeting Windows systems.
- Flexibility for specific analyst and forensic needs.

* Before we install FLARE we want to install Sysmon with a PowerShell script that will automatically download Sysmon and a Sysmon configuration file and install it. * 
Download it from the link below.

During the download you may be prompted to 'Keep/ Allow' or 'Delete' the file. Choose 'Keep/ Allow'.


In order to run that PowerShell script we must set the execution policy to unrestricted.
You can do that with the following command from a PowerShell window opened as Administrator.
- Set-ExecutionPolicy Unrestricted

Select 'A' when prompted. 
You can check to see if it was correctly set by running:
- Get-ExecutionPolicy



Now you can run the Install-Sysmon-m122config.ps1 file by ensuring you are in the same directory that you downloaded it to (Downloads in my case) using the command below:
- .\Install-Sysmon-m122config.ps1


Select R for Run once.

You can ignore some of the red text, the key is the message 'Sysmon is running'.


You can confirm it is working by going to 'Event Viewer' on the VM and selecting 'Applications' and 'Services-Microsoft-Windows'. Check out the example image below.


Then scroll down to 'Sysmon' and choose 'Operational'. As seen below, it is already logging events.


The next thing that we want to do is download some AtomicRedTeam scripts that we can use to emulate some attacks to test our logging and detections. The first download is the attack script and the second download is the cleanup script.

At this time we will not do anything with those scripts; however, we will use them when we configure our SIEM.

Now we want to make some Group Policy changes that will make our testing go smoother.

Disable Windows Updates (at least until the installation is finished).
Enter 'gpedit' in the Windows VM search.

Now we want to disable 'Tamper Protection' and any Anti-Malware solution via Group Policy.
'gpedit' again.
Make sure to click 'Apply' when making these changes if it is an option.

Next, time to disable 'Real-time Protection'.
'gpedit' once more.
Click 'Apply' and now restart the VM.

We are ready to install FLARE !!!

FLARE Installation

Using the PowerShell command shown below as Administrator, download the installation script install.ps1 to your desktop:
- (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

Ensure you navigate to your Desktop and unblock the installation script:
- Unblock-File .\install.ps1

Execute the installer script as follows:
- .\install.ps1

Installer GUI

The Installer GUI will display after executing the validation checks and installing Boxstarter and Chocolatey (if they are not installed already). Using the installer GUI you may customize:

- Package selection

- Environment variable paths


During initial installation, install the default tools by selecting 'OK'.

The installation may take up to an hour and the system will restart multiple times. 

When completed a pop-up will appear and the desktop will be changed to the FLARE VM desktop as shown below.


Part #5: Lab Network Configuration


























