jramos/seclab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d0035721e3ffe60b86f081ad297fcf0b9dd7ae5
seclab/MOD1_Secure_Infrastructure.md
jramos 6d0035721e initial commit
2026-05-28 18:27:41 -06:00

755 lines
20 KiB
Markdown
Raw Blame History

# FILE: MOD1_Secure_Infrastructure.md
# MODULE 1: SECURE INFRASTRUCTURE PROVISIONING
## Learning Objectives
By completing this module, you will:
- Configure VLAN-aware networking in Proxmox
- Deploy and configure pfSense as a virtual firewall/router
- Create isolated network segments using 802.1Q VLAN tagging
- Implement firewall rules to prevent malicious traffic from escaping the lab
- Validate network segmentation through connectivity testing
---
## Key Concepts
### Hypervisor Networking
**Proxmox uses Linux Bridges** (`vmbr0`, `vmbr1`, etc.) to connect virtual network interface cards (vNICs) to physical hardware. Think of a bridge as a virtual switch inside your hypervisor.
### VLAN Tagging (802.1Q)
**What is a VLAN?** A Virtual Local Area Network allows multiple isolated networks to coexist on the same physical infrastructure. Each VLAN has a unique ID (1-4094).
**Tagged vs Untagged Traffic:**
- **Untagged:** Normal traffic (like your home Wi-Fi) - no VLAN ID
- **Tagged:** Traffic with an 802.1Q header containing VLAN ID
- **Trunk Port:** Network port that carries multiple VLANs (tagged)
- **Access Port:** Network port for a single VLAN (untagged)
### The Virtual Firewall
**pfSense** will act as the default gateway for all lab VLANs, strictly controlling traffic flow between them. Without proper firewall rules, your attack traffic could leak into your home network!
---
## LAB 1.1: PROXMOX NETWORK CONFIGURATION
### Prerequisites
- Proxmox VE installed and accessible via web interface (https://PROXMOX-IP:8006)
- Physical network port connected to your home network
### Step-by-Step: Enable VLAN Awareness
```
1. Access Proxmox Web Interface:
- Open browser: https://<PROXMOX-IP>:8006
- Login with root credentials
2. Navigate to Network Configuration:
- Click on your Proxmox node (e.g., "pve")
- Click "System" > "Network"
3. Identify Your Bridge:
- You should see "vmbr0" (default bridge)
- Note which physical interface it's connected to (e.g., eno1, eth0)
4. Enable VLAN Awareness:
- Select "vmbr0"
- Click "Edit"
- Check the box: "VLAN aware"
- Comment: "VLAN-aware bridge for security lab"
- Click "OK"
5. Apply Configuration:
- Click "Apply Configuration" at the top
- WARNING: This may briefly disconnect your Proxmox web interface
- Wait 10 seconds, then refresh browser
6. Verify Configuration:
- SSH into Proxmox host (or use Shell button in web GUI)
- Run: cat /etc/network/interfaces
- Verify "bridge-vlan-aware yes" appears under vmbr0
```
**Expected Output (Proxmox Bridge Config):**
```
auto vmbr0
iface vmbr0 inet static
address 192.168.2.100/24
gateway 192.168.2.1
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
# Note: Your Proxmox hypervisor management remains on 192.168.2.0/24 (VLAN 2)
# Lab VMs will use VLAN tags 100-400 for the 10.10.x.0/24 networks
# pfSense will route between the lab VLANs and provide internet via WAN
```
---
## LAB 1.2: PFSENSE VM DEPLOYMENT
### pfSense VM Specifications
- **CPU:** 2 cores
- **RAM:** 2048 MB (2 GB)
- **Disk:** 16 GB (thin provision)
- **Network Adapters:** 2
- vNIC 0 (WAN): Bridged to vmbr0, VLAN Tag: 2 (connects to 192.168.2.0/24)
- vNIC 1 (LAN): Bridged to vmbr0, no VLAN tag (will create subinterfaces for VLANs 100-400)
### Step-by-Step: Create pfSense VM
```
1. Download pfSense ISO:
- Visit: https://www.pfsense.org/download/
- Select: AMD64 (64-bit), DVD Image (ISO Installer)
- Upload to Proxmox: Storage > ISO Images > Upload
2. Create Virtual Machine:
- Click "Create VM" (top right)
GENERAL TAB:
- Node: (your Proxmox node)
- VM ID: 100
- Name: pfSense-Firewall
- Click "Next"
OS TAB:
- ISO image: pfsense-CE-X.X.X-amd64.iso
- Guest OS Type: Linux
- Kernel: 6.x - 2.6 Kernel
- Click "Next"
SYSTEM TAB:
- Graphic card: Default
- Machine: Default (i440fx)
- BIOS: Default (SeaBIOS)
- Qemu Agent: Unchecked (for now)
- Click "Next"
DISKS TAB:
- Bus/Device: SCSI / 0
- Storage: local-lvm (or your storage)
- Disk size: 16 GB
- Click "Next"
CPU TAB:
- Sockets: 1
- Cores: 2
- Type: host (or kvm64)
- Click "Next"
MEMORY TAB:
- Memory (MiB): 2048
- Click "Next"
NETWORK TAB (WAN Interface):
- Bridge: vmbr0
- VLAN Tag: 2 (connects to 192.168.2.0/24 management network)
- Model: VirtIO (paravirtualized)
- Click "Next"
CONFIRM:
- Start after created: Unchecked
- Click "Finish"
3. Add Second Network Interface (LAN):
- Select pfSense VM > Hardware
- Click "Add" > "Network Device"
- Bridge: vmbr0
- VLAN Tag: <leave blank> (we'll tag inside pfSense)
- Model: VirtIO
- Click "Add"
4. Start pfSense Installation:
- Select pfSense VM > Console
- Click "Start"
- Wait for boot menu
```
### pfSense Installation Process
```
1. Boot Menu:
- Select: "1) Boot Multi User [Enter]"
- Wait for FreeBSD kernel to load
2. Welcome Screen:
- Accept: Press Enter
3. Install pfSense:
- Select: "Install" > "OK"
4. Partitioning:
- Select: "Auto (ZFS)" > "OK"
- Select: "Stripe" > "OK"
- Select: vtbd0 (your virtual disk) > Spacebar to select > "OK"
- Confirm: "YES" (will erase disk)
- Wait for installation (2-3 minutes)
5. Reboot:
- Select: "No" (to manual configuration)
- Select: "Reboot"
- When rebooting starts: VM > Hardware > CD/DVD > "Do not use any media"
- Wait for pfSense to boot
6. Interface Assignment:
- Should VLANs be set up now? n (No - we'll do this via web GUI)
- Enter WAN interface name: vtnet0
- Enter LAN interface name: vtnet1
- Do you want to proceed? y (Yes)
7. pfSense Menu:
- You should now see the pfSense menu
- Note the LAN IP address (default: 192.168.1.1)
```
---
## LAB 1.3: PFSENSE WEB INTERFACE SETUP
### Temporary Access to pfSense WebGUI
Since pfSense LAN is 192.168.1.1 but we want our management network on VLAN 100, we need temporary access:
```
OPTION A: Create Temporary VM in Proxmox
1. Create small Linux VM (Alpine or Ubuntu)
2. Set its vNIC to vmbr0, no VLAN tag
3. Configure static IP: 192.168.1.50/24
4. Open browser to: https://192.168.1.1
5. Default credentials: admin / pfsense
OPTION B: Configure via Console (Recommended)
1. In pfSense console menu, select: 2) Set interface(s) IP address
2. Select: 1 - WAN
3. Configure IPv4 address WAN interface via DHCP? n (No, static)
4. Enter new IPv4 address: 192.168.2.2
5. Enter subnet bit count: 24
6. Enter upstream gateway: 192.168.2.1
7. Configure IPv6? n (No)
8. Do you want to revert to HTTP? n (No, keep HTTPS)
9. Press Enter to complete
10. Return to menu, select: 2) Set interface(s) IP address
11. Select: 2 - LAN
12. Enter new IP: 10.10.1.1
13. Enter subnet: 24
14. No upstream gateway: <leave blank>
15. No DHCP server for now: <leave blank>
16. Do NOT configure IPv6: <leave blank>
17. Do you want to revert to HTTP? n (No, keep HTTPS)
Now access pfSense from Proxmox host (both on 192.168.2.0/24):
https://192.168.2.2 (via WAN interface)
or configure a temporary VM on VLAN 100 to access https://10.10.1.1
```
### pfSense Initial Wizard
```
1. Access WebGUI:
- Browser: https://10.10.1.1
- Accept self-signed certificate warning
- Username: admin
- Password: pfsense
2. Setup Wizard:
- Click "Next"
GENERAL INFORMATION:
- Hostname: pfsense
- Domain: apophis.local
- Primary DNS: 8.8.8.8 (Google DNS)
- Secondary DNS: 1.1.1.1 (Cloudflare DNS)
- Uncheck "Override DNS"
- Click "Next"
TIME SERVER:
- Time server hostname: pool.ntp.org
- Timezone: (Select your timezone)
- Click "Next"
WAN CONFIGURATION:
- Type: Static IP
- IP Address: 192.168.2.2
- Subnet Mask: 24 (/24)
- Upstream Gateway: 192.168.2.1
- Click "Next"
LAN CONFIGURATION:
- IP Address: 10.10.1.1
- Subnet Mask: 24 (/24)
- Click "Next"
ADMIN PASSWORD:
- Change default password from "pfsense" to strong password
- Confirm password
- Click "Next"
RELOAD:
- Click "Reload"
- Wait for pfSense to apply configuration
3. Login with New Password:
- Username: admin
- Password: (your new password)
```
---
## LAB 1.4: VLAN INTERFACE CREATION
Now we create VLANs 200, 300, 400 for Red/Blue/Victim networks.
### Step-by-Step: Create VLANs
```
1. Navigate to VLAN Configuration:
- Interfaces > Assignments > VLANs
2. Create VLAN 200 (Red Team):
- Click "+ Add"
- Parent Interface: vtnet1 (LAN interface)
- VLAN Tag: 200
- VLAN Priority: 0
- Description: RED_TEAM
- Click "Save"
3. Create VLAN 300 (Blue Team):
- Click "+ Add"
- Parent Interface: vtnet1
- VLAN Tag: 300
- Description: BLUE_TEAM
- Click "Save"
4. Create VLAN 400 (Victim Network):
- Click "+ Add"
- Parent Interface: vtnet1
- VLAN Tag: 400
- Description: VICTIM_NET
- Click "Save"
5. Verify VLANs:
- You should see: vtnet1.200, vtnet1.300, vtnet1.400
```
### Assign VLANs to Interfaces
```
1. Navigate to Interface Assignments:
- Interfaces > Assignments
2. Assign VLAN 200:
- Available network ports: Select "vtnet1.200 (RED_TEAM)"
- Click "+ Add"
- New interface appears as "OPT1"
3. Assign VLAN 300:
- Select "vtnet1.300 (BLUE_TEAM)"
- Click "+ Add" (becomes OPT2)
4. Assign VLAN 400:
- Select "vtnet1.400 (VICTIM_NET)"
- Click "+ Add" (becomes OPT3)
5. Configure OPT1 (Red Team):
- Click "OPT1"
- Check "Enable interface"
- Description: RED_TEAM
- IPv4 Configuration Type: Static IPv4
- IPv4 Address: 10.10.2.1 / 24
- Click "Save"
- Click "Apply Changes"
6. Configure OPT2 (Blue Team):
- Click "OPT2"
- Enable interface
- Description: BLUE_TEAM
- IPv4 Address: 10.10.3.1 / 24
- Click "Save" > "Apply Changes"
7. Configure OPT3 (Victim Network):
- Click "OPT3"
- Enable interface
- Description: VICTIM_NET
- IPv4 Address: 10.10.4.1 / 24
- Click "Save" > "Apply Changes"
```
---
## LAB 1.5: FIREWALL RULE CONFIGURATION
**Critical Security Principle:** Default Deny Everything, Explicitly Allow Only What's Needed
### Understanding pfSense Firewall Logic
- Rules are processed **top to bottom**
- **First match wins** (stops processing)
- Each interface has its own rule set
- Traffic is filtered on the **incoming interface**
### Step-by-Step: Configure Security Rules
```
1. Enable DHCP for Each VLAN:
- Services > DHCP Server > RED_TEAM
- Check "Enable DHCP server on RED_TEAM"
- Range: 10.10.2.100 to 10.10.2.200
- Click "Save"
- Repeat for BLUE_TEAM (10.10.3.100 - .200)
- Repeat for VICTIM_NET (10.10.4.100 - .200)
2. Configure RED_TEAM Firewall Rules:
- Firewall > Rules > RED_TEAM
DELETE DEFAULT "Allow All" RULE:
- Click trash icon on default allow rule
- Confirm deletion
ADD RULE 1: Allow Red to Victim Network
- Click "Add" (up arrow to add to top)
- Action: Pass
- Interface: RED_TEAM
- Address Family: IPv4
- Protocol: Any
- Source: RED_TEAM net
- Destination: VICTIM_NET net
- Description: Allow Red Team to attack Victim Network
- Click "Save"
ADD RULE 2: Allow Red to Internet (for tool updates)
- Click "Add"
- Action: Pass
- Interface: RED_TEAM
- Protocol: Any
- Source: RED_TEAM net
- Destination: Any
- Description: Allow Red Team internet access for tools
- Click "Save"
ADD RULE 3: Block Red to Everything Else (implicit, but good practice)
- Click "Add" (add to bottom)
- Action: Block
- Interface: RED_TEAM
- Protocol: Any
- Source: Any
- Destination: Any
- Description: Block all other Red Team traffic
- Click "Save"
- Click "Apply Changes"
3. Configure BLUE_TEAM Firewall Rules:
- Firewall > Rules > BLUE_TEAM
- Delete default allow rule
ADD RULE: Allow Blue to Monitor All Networks
- Action: Pass
- Interface: BLUE_TEAM
- Protocol: Any
- Source: BLUE_TEAM net
- Destination: Any
- Description: Allow Blue Team full network access
- Click "Save" > "Apply Changes"
4. Configure VICTIM_NET Firewall Rules:
- Firewall > Rules > VICTIM_NET
- Delete default allow rule
ADD RULE 1: Block Victim to Red Team
- Action: Block
- Interface: VICTIM_NET
- Protocol: Any
- Source: VICTIM_NET net
- Destination: RED_TEAM net
- Description: CRITICAL - Prevent victim from reaching attacker
- Log: Check "Log packets matched by this rule"
- Click "Save"
ADD RULE 2: Block Victim to Blue Team
- Action: Block
- Source: VICTIM_NET net
- Destination: BLUE_TEAM net
- Description: Isolate victims from SOC network
- Click "Save"
ADD RULE 3: Block Victim to WAN (Internet)
- Action: Block
- Source: VICTIM_NET net
- Destination: WAN net
- Description: Prevent compromised systems from calling home
- Log: Check
- Click "Save"
ADD RULE 4: Allow Victim to pfSense (for DNS, DHCP)
- Action: Pass
- Source: VICTIM_NET net
- Destination: This Firewall (self)
- Description: Allow access to pfSense services
- Click "Save"
ADD RULE 5: Block Victim Everything Else
- Action: Block
- Source: VICTIM_NET net
- Destination: Any
- Description: Default deny all victim traffic
- Log: Check
- Click "Save" > "Apply Changes"
```
---
## LAB 1.6: VALIDATION & TESTING
**CRITICAL: Do not proceed to Module 2 until all tests pass!**
### Test 1: Red Team to Victim Connectivity
```
1. Create Test VM in Proxmox:
- Create Ubuntu Server VM
- VM ID: 201
- Name: Kali-Test
- Hardware > Network > Edit: Bridge vmbr0, VLAN Tag: 200
2. Boot VM and verify network:
- Login to VM console
- Check IP: ip addr show
- Should have: 10.10.2.x (from DHCP)
3. Test gateway reachability:
- ping 10.10.2.1
- Should succeed (pfSense RED_TEAM gateway)
4. Test Victim network reachability:
- Create second VM with VLAN Tag: 400
- Note its IP (10.10.4.x)
- From Red Team VM: ping 10.10.4.x
- Should succeed (Rule allows Red → Victim)
```
### Test 2: Victim to Red Team Blocked
```
1. From Victim VM (VLAN 400):
- ping 10.10.2.1 (Red Team gateway)
- Should FAIL (timeout)
2. Verify in pfSense logs:
- Status > System Logs > Firewall
- Should see: "Block" entries from 10.10.4.x to 10.10.2.x
```
### Test 3: Victim to Internet Blocked
```
1. From Victim VM:
- ping 8.8.8.8
- Should FAIL
2. Try DNS lookup:
- nslookup google.com
- Should timeout (no WAN access)
```
### Test 4: Red Team Internet Access
```
1. From Red Team VM:
- ping 8.8.8.8
- Should succeed
2. Update package lists:
- sudo apt update
- Should work (confirms internet access)
```
### Test 5: Isolation from Home Network
```
1. Find your home network device IP (e.g., your desktop):
- Example: 192.168.1.50
2. From Red Team VM:
- ping 192.168.1.50
- Should FAIL (Red Team cannot reach home network)
3. From Victim VM:
- ping 192.168.1.50
- Should FAIL (critical security validation!)
```
---
## TROUBLESHOOTING GUIDE
### Issue: VM not getting DHCP address
```
Proxmox side:
- VM > Hardware > Network Device > Edit
- Verify: Bridge = vmbr0, VLAN Tag correct, "Connected" checked
pfSense side:
- Status > Services
- Verify DHCP service is running for that interface
- Services > DHCP Server > [Interface]
- Verify range is configured and enabled
Inside VM:
# Linux
sudo dhclient -r # Release
sudo dhclient # Renew
# Windows
ipconfig /release
ipconfig /renew
```
### Issue: Can't access pfSense WebGUI
```
1. Verify pfSense is running:
- Proxmox > VM 100 > Console
- Should see pfSense menu
2. Check which VM you're accessing from:
- Must be on same VLAN or management network
- If on VLAN 200: access https://10.10.2.1
- If on management: access https://10.10.1.1
3. Disable HTTPS redirect temporarily:
- pfSense console: Option 8 (Shell)
- pfSsh.php playback disablehttpredirect
- Try http://10.10.1.1
```
### Issue: VLAN tags not working
```
1. Verify Proxmox bridge is VLAN-aware:
- SSH to Proxmox
- grep -A5 "vmbr0" /etc/network/interfaces
- Must show: bridge-vlan-aware yes
2. Verify VM has VLAN tag set:
- Proxmox > VM > Hardware > Network Device
- VLAN Tag field must have number (200, 300, 400)
- NOT blank for tagged traffic
3. Restart networking:
- Proxmox: systemctl restart networking (CAREFUL - may lose connection)
- Or reboot VM
```
### Issue: Firewall rules not working
```
1. Check rule order:
- Firewall > Rules > [Interface]
- Remember: First match wins
- Block rules should be BEFORE allow rules for specificity
2. Verify interface is correct:
- Rule must be on the INCOMING interface
- To block Red→Victim: Rule goes on RED_TEAM interface
3. Clear states:
- Diagnostics > States > Reset States
- Click "Reset" (clears connection state table)
- Re-test
4. Enable logging:
- Edit rule > Check "Log packets matched by this rule"
- Save > Apply
- Test traffic
- Status > System Logs > Firewall (see if rule matched)
```
---
## PROFESSOR'S GUIDANCE
### Common Mistakes to Avoid
**1. Asymmetric Routing:**
- Ensure all VMs use pfSense as their gateway (10.10.X.1)
- Do NOT configure VMs with your home router as gateway
**2. Forgetting to Apply Changes:**
- pfSense requires clicking "Apply Changes" after rule modifications
- Red banner at top indicates unapplied changes
**3. Wrong VLAN Tag Placement:**
- Tags go on VM's network interface in Proxmox
- NOT on pfSense WAN interface
- pfSense LAN interface (vtnet1) should be untagged, then create VLAN subinterfaces
**4. Testing from Wrong VM:**
- If testing VLAN 200 rules, you must be in a VM with VLAN Tag 200
- Can't test from Proxmox host shell
### Why This Module is Critical
Every penetration test begins with a safe, isolated environment. If you skip proper network segmentation, you risk:
- Malware escaping to your home network
- Accidentally scanning your ISP's infrastructure (illegal)
- Bricking your personal devices with exploit tools
**Real-world parallel:** Enterprise networks use VLANs to separate:
- Guest Wi-Fi (untrusted)
- Employee workstations (medium trust)
- Server VLAN (high trust)
- Management VLAN (admin only)
Your lab mirrors this architecture. Master it here, understand it everywhere.
### Time Investment
- Initial setup: 2-4 hours
- Troubleshooting (first time): 1-3 hours
- Validation testing: 30 minutes
**Total: 4-8 hours**
### Next Steps
Once all validation tests pass:
1. Take Proxmox backup of pfSense VM: Backup > Backup Now
2. **Snapshot pfSense VM** (revert point if you misconfigure later)
3. Document your network diagram (draw VLANs, IP ranges, firewall rules)
4. Proceed to **MOD2: Reconnaissance & Network Traffic Analysis**
---
## KNOWLEDGE CHECK
Before proceeding, you should confidently answer:
1. **What is the purpose of VLAN tagging?**
- Answer: Allows multiple isolated networks to share physical infrastructure
2. **Which pfSense interface do firewall rules apply to?**
- Answer: The incoming interface (where traffic enters)
3. **Why must VICTIM_NET be blocked from reaching WAN?**
- Answer: Prevents compromised systems from communicating with attacker C2 servers
4. **If a VM in VLAN 200 can't get DHCP, what are 3 things to check?**
- Answer: (1) VLAN tag set in Proxmox, (2) DHCP enabled in pfSense, (3) VM cable "connected"
5. **What does "First match wins" mean in firewall rules?**
- Answer: Rules are processed top-to-bottom; once a rule matches, processing stops
---
**END OF MODULE 1**
**Checklist before MOD2:**
- [ ] pfSense firewall is configured and accessible
- [ ] VLANs 200, 300, 400 are created and assigned
- [ ] Red Team VM can ping Victim network
- [ ] Victim VM cannot ping Red Team network
- [ ] Victim VM cannot ping internet
- [ ] Red Team VM can access internet
- [ ] pfSense firewall logs are recording blocked traffic
- [ ] Full Proxmox backup of pfSense VM exists
Reference in New Issue View Git Blame Copy Permalink