Architect Training
Lab Guide
info@vicarius.io | vicarius.io
122 Grand Street, New York, NY, 10013 | +1 605-593-5454
Derech Menachem Begin 156, Tel Aviv, Israel | +972-549139699
Table of Contents
LAB1: Configuring the Proxy Feature
Task 1: Prerequisites (Jump to Task 3 if you are working with our VMs)
Task 2: Installation (Jump to Task 3 if you are working with our VMs)
Task 3: Configuring the proxy
LAB2: Install Nmap and Configure Vicarius Script
Preparing Your Environment. (Jump to LAB 3 if you are working with our VMs)
LAB3: Running a Network Scan
Generating Scan Script
LAB4: Reporting Tool
Instructions for Using VickyvRxReportCLI.py Script
Task 1: Prerequisites (Jump to number 3 if you are working with our VMs)
Task 2: Getting the data
Task 3: Working with the PowerBI
LAB5: Patchless Protection – Virtual Patching
Exploiting Keepass vuln
Using Patchless Protection in Keepass CVE-2023-32784
LAB6: Using the Power of the Scripts
Task 1 (IT Configuration): Removing Apps
Task 2 (Audit): Get background activity details
Task 3 (Audit): Check the last password change
Appendix
Proxy Troubleshooting
LAB1: Configuring the Proxy Feature
In this LAB you will install and configure the proxy in a Virtual Machine.
The proxy feature helps you connect assets that have no direct access to the internet, and it also works as a cache server for updates.
Installing a proxy/caching server can reduce bandwidth requirements by having agents check the local proxy for packages and OS updates instead of downloading them from the Internet.
Here is a diagram with the proxy scheme.
Task 1: Prerequisites (Jump to Task 3 if you are working with our VMs)
The local proxy can operate in one of the following modes:
1. A direct proxy (this server needs full internet connectivity)
2. A relay proxy (relays through an existing proxy)
The prerequisites for the server are:
1. Operating system:
o Ubuntu Server - Version 23.04 (LTS)
2. Hardware:
Size     CPU      Memory   Cache Size   HDD Total size
Small    2x2GHz   6GB      50GB         100GB
Medium   4x2GHz   12GB     100GB        150GB
Large    4x2GHz   16GB     200GB        200GB
3. Allow Network (Firewall configuration)
o From agents to Proxy via HTTP and HTTPS on port 3128
o From Proxy to the Internet via HTTP and HTTPS on ports 80 and 443 respectively
Task 2: Installation (Jump to Task 3 if you are working with our VMs)
1. Prepare the VM (install the tools, check the disk layout, then extend the root logical volume over all free space and grow the filesystem):
apt install net-tools unzip
ifconfig
df -h
lsblk
lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv
df -h
2. Download the proxy installation script:
1. Copy the downloaded file to the target machine.
2. From inside that folder, run the installer.sh script. The installation script takes the size (in GB) of the cache store as a parameter (-s):
unzip ubuntu_2x.zip
cd ubuntu_2x
chmod +x ./installer.sh
sudo ./installer.sh -s 100
Task 3: Configuring the proxy
Prerequisites:
1. Install agent version 5.x (not necessary if agent 5.x is already installed in your Dashboard)
a. Download the new agent version from this link
b. Modify your Dashboard so that your organization has the latest version of vRx, changing the agent version for your tenant using this URL as an example: https://xxxx.vicarius.cloud/settings/agent-deployment (replace xxxx with your tenant name)
c. Upload the file that you downloaded in step (a) by selecting Upload file under Windows x64, as shown in the picture below
d. Now you can install the new agent by modifying the URL in the PowerShell script, as shown below:
NOTE: Use your own PowerShell script: copy it to Notepad and edit the URL to the following: https://vicarius-release.s3.amazonaws.com/unified-agent/Topia_CMD_Setup_x64.exe
Invoke-WebRequest https://vicarius-release.s3.amazonaws.com/unified-agent/Topia_CMD_Setup_x64.exe -OutFile Topia.exe; ./Topia.exe /SecretKey=<<ENTER_SECRET_KEY>> /Hostname=https://<<ENTER_DASHBOARD_NAME>>-api-gateway.vicarius.cloud /AgentType=LocalAgent /ProxyAddress=192.168.0.123:3128
e. You can also install the new agent on your Windows machine using the following CMD script:
bitsadmin /transfer myDownloadJob /download /priority high https://vicarius-release.s3.amazonaws.com/unified-agent/Topia_CMD_Setup_x64.exe C:\Topia_CMD_Setup_x64.exe && C:\Topia_CMD_Setup_x64.exe /S /SecretKey=<<ENTER_SECRET_KEY>> /Hostname=https://<<ENTER_DASHBOARD_NAME>>-api-gateway.vicarius.cloud /AgentType=LocalAgent /ProxyAddress=proxy-IP:3128
After the installation, you will see your machine with agent version 5.x.x connecting to the internet via the proxy.
LAB2: Install Nmap and Configure Vicarius Script
In this lab, you will cover the configuration of Nmap.
Preparing Your Environment. (Jump to LAB 3 if you are working with our VMs)
vRx network scanners rely on Nmap, an open-source network scanner used by security teams all around the world.
Before starting to analyze your environment, follow these steps to prepare it for scanning:
NOTE: If you are using the VMs from Vicarius training, you do not need to do the following steps.
1. Download and install NMAP on your computer.
2. Download the file linux_auto_download_nse_script.sh on the Linux machine:
curl https://raw.githubusercontent.com/VicariusInc/vicarius-nmap/main/linux_auto_download_nse_script.sh > linux_auto_download_nse_script.sh
3. Make it executable with chmod +x linux_auto_download_nse_script.sh
4. Now run the script to prepare the environment:
sudo ./linux_auto_download_nse_script.sh
Tip: The "cve.zip" file is updated monthly. It is recommended to check for new file versions every
month to have the most up-to-date results.
You are now ready to run your network scans.
Note: You can also do this process from the scripting page in vRx.
LAB3: Running a Network Scan
In this lab, you will cover the basics of using vRx Network Scanner.
Generating Scan Script
To start analyzing your environment, follow these steps:
1. Navigate to the "Network Scanner" section (on the left side of the dashboard). At the top right, press the "Generate NMAP Script" button.
2. Configure the following parameters:
Your Scan Name - this will be the name of the output file.
Addresses Scan Range - select a single IP, an IP range, a subnet, and more from the drop-down menu.
(Optional) Exclude Addresses - skip specific addresses from being scanned, if needed.
Click on the Copy button to copy your script to the Linux machine.
3. At your scanning station, open a CMD (or terminal), paste your command, and execute the script.
Note: You can also run the scan from Automation, as shown below.
nmap -sV -sT -O --script=vicarius-vulnerability-scan.nse --top-ports 2000 -T4 -oX /home/ubuntu/scan-demo2.xml 192.168.0.204
4. Once the Nmap execution has completed, locate the XML output file in the folder where you ran the script.
5. The file name will be the name you configured in step 2. In our example: scan-demo.xml or scan-demo2.xml
6. Upload the XML file to the dashboard by clicking the "Import XML File" button.
7. Alternatively, you can upload the file automatically using the instructions in the following link.
Note: First you need to create an API Key under Settings -> Integrations
8. Modify the script with your tenant data; you will have something similar to the image below.
9. Run the script on the asset that acts as the network scanner (select the primary-proxy asset).
10. Check the logs to see whether the task executed correctly. You should see output similar to the following:
Note: An Analyze task will be initiated on the XML file.
11. Once the task is finished, you can check within Vuln Discovery -> Network Scans that a new scan has
Tip: Next versions of Topia's Network Scanner will include automation for the scanning
process and much more.
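Before importing the XML file into the dashboard (step 6), it is worth checking that the scan actually produced what you expect: which hosts were up, which ports are open, and whether the vicarius-vulnerability-scan.nse script left output on any port. The following Python script is an added example written for this guide, not Vicarius code; it parses Nmap's standard -oX format with the standard library. The embedded XML is a constructed sample, and the text inside the script element's output attribute is a placeholder, since the real output format of the Vicarius NSE script is not shown in this guide.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in Nmap's -oX format (not output of a real scan). The
# script output text is a placeholder, not the real vicarius-vulnerability-scan format.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sT -O --script=vicarius-vulnerability-scan.nse -oX scan-demo2.xml 192.168.0.204" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.0.204" addrtype="ipv4"/>
    <hostnames><hostname name="demo-host.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
        <script id="vicarius-vulnerability-scan" output="placeholder: script output for OpenSSH 8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52"/>
      </port>
      <port protocol="tcp" portid="3128">
        <state state="closed" reason="conn-refused"/>
        <service name="squid-http"/>
      </port>
    </ports>
    <os><osmatch name="Linux 5.4 - 5.15" accuracy="96"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.205" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="12.3"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""

@dataclass
class PortInfo:
    port: int
    protocol: str
    service: str
    product: str
    version: str
    script_output: dict  # NSE script id -> output text

@dataclass
class HostInfo:
    address: str
    hostname: str
    os_guess: str
    open_ports: list = field(default_factory=list)

def parse_nmap_xml(xml_text: str) -> list:
    """Parse Nmap -oX output and return one HostInfo per host that was up."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document (root element is %r)" % root.tag)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth importing
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        info = HostInfo(
            address=addr.get("addr", "") if addr is not None else "",
            hostname=hn.get("name", "") if hn is not None else "",
            os_guess=osm.get("name", "") if osm is not None else "",
        )
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for the vulnerability view
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            scripts = {s.get("id", ""): s.get("output", "") for s in port.findall("script")}
            info.open_ports.append(PortInfo(
                port=int(port.get("portid", "0")), protocol=port.get("protocol", ""),
                service=get("name"), product=get("product"), version=get("version"),
                script_output=scripts))
        hosts.append(info)
    return hosts

def script_ran(hosts, script_id="vicarius-vulnerability-scan") -> bool:
    """True if at least one open port carries output from the named NSE script."""
    return any(script_id in p.script_output for h in hosts for p in h.open_ports)

def summarize(hosts) -> str:
    """Human-readable summary to eyeball before importing the XML into the dashboard."""
    lines = []
    for h in hosts:
        lines.append(f"{h.address} ({h.hostname or 'no PTR'}) OS: {h.os_guess or 'unknown'}")
        for p in h.open_ports:
            tag = " [script output present]" if p.script_output else ""
            lines.append(f"  {p.port}/{p.protocol} {p.service} {p.product} {p.version}".rstrip() + tag)
    return "\n".join(lines)

if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    print(summarize(parsed))
    print("vicarius script ran:", script_ran(parsed))
```

Replace SAMPLE_XML with the contents of your own scan-demo2.xml to use it on real output. If script_ran() returns False for a scan you expected to carry script output, the NSE script was not loaded (check that the --script=vicarius-vulnerability-scan.nse argument is present in the args attribute and that the prepare script from LAB2 was run), and importing that file would give the dashboard nothing to analyze.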
LAB4: Reporting Tool
Instructions for Using VickyvRxReportCLI.py Script
Task 1: Prerequisites (Jump to number 3 if you are working with our VMs)
1. Ensure that you have Python 3.10 or above installed on your system.
a. Open a command prompt or terminal window.
b. Navigate to the directory where the scripts are saved using the cd command.
c. Install the required dependencies for the scripts by running the following commands:
pip install requests
pip install pandas
pip install tqdm
2. Download the file VickyvRxReport.zip and unzip it in C:\.
3. Create an API Key:
a. Go to Settings -> Integrations -> Installed Integrations -> API key and click the Generate a New API Key button.
Note: Copy this API Key into a notepad to use it in the following script.
Task 2: Getting the data
1. Copy your dashboard URL: https://yourdashboard.vicarius.cloud
Note: Before running the script, delete all files in the "reports" folder.
2. Open the file state.json and set all fields to 0:
"lastEndpoints": 0,
"lastEndpointsEventTask": 0,
"minDateIncidentEventVulnerabilities": 0,
3. Run the VickyTopiaReportCLI.py script using the following command:
python VickyvRxReportCLI.py -k YOUR_API_KEY -d https://xxxx.vicarius.cloud --allreports
Note: Replace YOUR_API_KEY with your current vRx API key and https://xxxx.vicarius.cloud with your dashboard URL.
Example:
python VickyvRxReportCLI.py -k gbgkN6IlMIVvgTNGYEGsnPcymCqGqA9GJV09dXm49tS8Lxe2qx66zYRkuRniTHo4PnrRRBDIOPbukXcHs9f7BNrArgo2lIaPzTR9rOayGROBSGgqpjIYF69WRqhdDsIOStvoepbofBVINiuHhbo3v5nBJLcZ7yyfBL71L5DjkJ9f8ceDjn4k3ljn234ni34u5f2i4unfoi4unf4iufniofunWWz2Nz26TWjnH2g1aMuXretertetD -d https://vicarius-joaldir.vicarius.cloud/ --allreports
Press Enter to execute the command.
Additional Information
Available Options
● -k or --api-key: Specify the Topia API key.
● -d or --dashboard: Specify the URL of the Topia dashboard.
● --allreports: Retrieve all available reports.
Run each report in the following order:
● -r or --resetstate: Trigger a reset of the state.
● -a or --assetsreport: Retrieve assets reports.
● -t or --taskreport: Retrieve task reports.
● -v or --vulnerabilitiesreport: Retrieve vulnerabilities reports.
● -p or --patchsreport: Retrieve patch versions reports.
● -i or --incidentvulnerability: Retrieve incident vulnerabilities reports.
● -mt or --mitigationtime: Retrieve the mitigation time.
● -cd or --cleandata: Clean the EndpointIncidentesVulnerabilities and Vulnerabilities reports.
The VickyvRxReportCLI.py script will generate the following reports:
● EndpointCountPatchs.csv
● EndpointIncidentesVulnerabilities.csv
● EndpointIncidentesVulnerabilitiesND.csv
● EndpointPatchs.csv
● Endpoints.csv
● EndpointsEventTask.csv
● EndpointsGroup.csv
● MitigationTime.csv
● Vulnerabilities.csv
● VulnerabilitiesND.csv
Task 3: Working with the PowerBI
1. Open Power BI and locate the Power BI file (.pbix) that corresponds to your report.
2. In Power BI, go to the "Home" tab and click on "Edit Queries" or "Transform Data" (depending on
your Power BI version) to open the Power Query Editor.
3. In the Power Query Editor, locate the query CSVFilePath and modify it so that the directory path points to the cleaned versions of the reports. To do this, follow these steps:
4. After finishing, click "Home" -> "Close and Apply"
5. Now, you will see the Report with your data
Note: Please ensure that all the necessary dependencies (requests for VickyvRxReportCLI.py and pandas for
cleanData.py) are installed using pip before running the respective scripts.
Make sure that the file names mentioned above match the actual file names generated by the
VickyvRxReportCLI.py script.
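Two steps in this lab are easy to get wrong by hand: the preparation in Task 2 (emptying the "reports" folder and zeroing the three counters in state.json) and the final check that every CSV the script is supposed to generate is actually there and not empty before Power BI tries to load it. The following Python helper is an added example written for this guide, not part of VickyvRxReportCLI.py or any Vicarius tool; the field names and report file names come from the lists above, the layout of a tool directory containing state.json and a reports subfolder is an assumption, and demo() builds a constructed directory in a temporary folder so the helper can be tried without touching a real installation.

```python
import json
import tempfile
from pathlib import Path

# Fields the guide says to set to 0 in state.json.
STATE_COUNTERS = (
    "lastEndpoints",
    "lastEndpointsEventTask",
    "minDateIncidentEventVulnerabilities",
)

# Report files the guide lists as output of VickyvRxReportCLI.py.
EXPECTED_REPORTS = (
    "EndpointCountPatchs.csv",
    "EndpointIncidentesVulnerabilities.csv",
    "EndpointIncidentesVulnerabilitiesND.csv",
    "EndpointPatchs.csv",
    "Endpoints.csv",
    "EndpointsEventTask.csv",
    "EndpointsGroup.csv",
    "MitigationTime.csv",
    "Vulnerabilities.csv",
    "VulnerabilitiesND.csv",
)

def reset_state(state_path) -> dict:
    """Set the three counters to 0 and leave any other keys in state.json untouched."""
    state_path = Path(state_path)
    state = json.loads(state_path.read_text(encoding="utf-8"))
    missing = [k for k in STATE_COUNTERS if k not in state]
    if missing:  # refuse to write a file that does not look like the tool's state.json
        raise KeyError(f"state.json lacks expected fields: {missing}")
    for k in STATE_COUNTERS:
        state[k] = 0
    state_path.write_text(json.dumps(state, indent=2), encoding="utf-8")
    return state

def clean_reports_dir(reports_dir) -> int:
    """Delete the files directly inside the 'reports' folder and return how many were removed.
    Refuses any directory not named 'reports' so a mistyped path cannot wipe another folder."""
    reports_dir = Path(reports_dir)
    if reports_dir.name != "reports" or not reports_dir.is_dir():
        raise ValueError(f"refusing to clean {reports_dir}: not an existing 'reports' folder")
    removed = 0
    for entry in reports_dir.iterdir():
        if entry.is_file():  # subdirectories are left alone
            entry.unlink()
            removed += 1
    return removed

def check_reports(reports_dir):
    """Return (missing, empty): expected CSVs that are absent, or present but zero bytes."""
    reports_dir = Path(reports_dir)
    missing = [n for n in EXPECTED_REPORTS if not (reports_dir / n).is_file()]
    empty = [n for n in EXPECTED_REPORTS
             if (reports_dir / n).is_file() and (reports_dir / n).stat().st_size == 0]
    return missing, empty

def demo() -> dict:
    """Run the helpers against a constructed tool directory in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        state = base / "state.json"
        # Constructed state.json: non-zero counters plus an unrelated key that must survive.
        state.write_text(json.dumps({
            "lastEndpoints": 1700000000, "lastEndpointsEventTask": 42,
            "minDateIncidentEventVulnerabilities": 1690000000, "otherSetting": "keep-me"}))
        reports = base / "reports"
        reports.mkdir()
        (reports / "stale.csv").write_text("old,data\n")  # leftover from a previous run
        removed = clean_reports_dir(reports)
        new_state = reset_state(state)
        # Simulate a run that produced every report but one and left one of them empty.
        for name in EXPECTED_REPORTS[:-1]:
            (reports / name).write_text("col1,col2\n1,2\n")
        (reports / "MitigationTime.csv").write_text("")
        missing, empty = check_reports(reports)
        return {"removed": removed, "state": new_state, "missing": missing, "empty": empty}

if __name__ == "__main__":
    print(demo())
```

For a real installation, call clean_reports_dir(r"C:\VickyvRxReport\reports") and reset_state(r"C:\VickyvRxReport\state.json") before running VickyvRxReportCLI.py (the folder name is an assumption; use the path where you unzipped VickyvRxReport.zip), then check_reports() afterwards: any name in the missing list is a report Power BI's CSVFilePath query will fail to find, and any name in the empty list is a report whose API call returned nothing.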
LAB5: Patchless Protection – Virtual Patching
In this LAB you will enable Patchless Protection on an application and then check the logs to see how the protection works.
Best Practice Notes:
● Use Patchless Protection only when needed. Enabling Patchless Protection on every application can cause increased memory and CPU usage.
● As a general rule of thumb, we do not recommend enabling Patchless Protection on more than 5 applications per asset.
More information in the following link:
https://customer-portal.vicarius.io/how-do-i-deploy-topia-protection-or-monitor
Exploiting Keepass vuln
1) Run KeePass version 2.53 and type the master password: Passw0rd!
Prerequisites: (Jump to step 2 if you are working with our VMs)
If you are working in your own environment, follow these instructions:
A. Download and install this file: https://dotnet.microsoft.com/es-es/download/dotnet/thank-you/runtime-7.0.14-windows-x64-installer
B. Download and install the following file: https://download.visualstudio.microsoft.com/download/pr/93961dfb-d1e0-49c8-9230-abcba1ebab5a/811ed1eb63d7652325727720edda26a8/dotnet-sdk-8.0.100-win-x64.exe
C. Download the exploit from the following link: https://github.com/vdohney/keepass-password-dumper
D. Save the exploit in the following path: C:\Vulnerabilities\keepass-dumper-CVE-2023-32784\
Note: In the VM, these files are already installed; you do not need to do this.
2) Then dump the process memory to get the master password using the script memory-dump.ps1 located in C:\Vulnerabilities\keepass-dumper-CVE-2023-32784\
powershell.exe -ExecutionPolicy Bypass -file memory-dump.ps1
Note: You need to enter the process ID of KeePass (as you can see in the picture above)
3) Now get the results from the file keepass.dmp:
# dotnet.exe run .\keepass.dmp
As you can see, we obtained the master password: Passw0rd!
Using Patchless Protection in Keepass CVE-2023-32784
Now we will protect against the credential-dumping attack on KeePass using vRx Patchless Protection technology.
1) Check whether the CVE is present on the asset: Vulns Discovery -> Active CVE
2) Click the app KeePass and enable Patchless Protection from the dashboard.
3) Check on the asset that Patchless Protection is enabled from the PowerShell terminal. Run the following command:
powershell.exe -command "Get-Content -tail 100 'C:\Program Files\Vicarius\Topia\Trace\TopiaTrace.log'"
4) Now, check the logs in Event Logs.
As you can see, our application was protected by our Patchless Protection technology.
LAB6: Using the Power of the Scripts
In this LAB you will create different script rules.
Automation Script Templates can be used to install and uninstall software, configure a machine, and roll back KB updates. The imagination is the limit.
Currently, we have more than 60 templates for our customers, and the database is growing.
Task 1 (IT Configuration): Removing Apps
1. Go to the Vulns Remediation -> Scripts, select the scripts Uninstall Chrome or Uninstall Firefox
Note: It is now possible to filter our Public database using Script Tags. I select #uninstall and I get both scripts that I need.
2. After selecting the scripts, you need to select the asset where you want to execute the scripts.
3. The last step is to check whether the script is working correctly.
You can do this by checking on the local machine whether the apps have disappeared, and you can also run the following script to see what is happening:
You can also do the same from our scripting template:
and get the result in the Activity Logs.
4. When the process finishes you’ll see the results in the Activity Logs
Task 2 (Audit): Get background activity details
1. Go to the Vulns Remediation -> Scripts and filter by Script Tags: #audit
2. Search the script: “Get background activity details” in the Public Scripts Template and select it.
3. Select the asset where you want to execute the script and run it. The following screenshot shows the result from the target machine.
Task 3 (Audit): Check the last password change
1. Go to the Vulns Remediation -> Scripts and filter by Script Tags: #audit
2. Search the script: “Check last password change” in the Public Scripts Template and select it.
3. Select the asset where you want to execute the script and run it. The following screenshot shows the result from the target machine.
Appendix
Proxy Troubleshooting
Asset Proxy Configurations
(This article will assist you in configuring your assets to communicate via proxy server)
https://customer-portal.vicarius.io/asset-proxy-configurations
Disable Proxy Failback (Windows)
(By default, if the proxy is not reachable by an asset, the asset will failback to direct the internet connection.
Follow this guide to disable the failback behavior.)
https://customer-portal.vicarius.io/disable-proxy-failback-windows
Is the proxy working?
● Use ResMon -> Network -> TCP Connections to see if the agent is connecting to the proxy.
● Check the config file: C:\Program Files\Vicarius\Topia\Topia.exe.config (the proxy server value will be encrypted).
● A proxy can be added after the initial deployment if needed.