Security Onion Lab Setup with VirtualBox

A free video tutorial from Jesse Kurrus, M.S., OSCP, CEH, Security+, Linux+, Network+, CISSP
Senior Penetration Tester and Technical Trainer
Bonus Lab 1: Security Onion Lab Setup with VirtualBox

From the full course: Hands-on Penetration Testing Labs 1.0 (comprehensive walkthroughs of penetration testing labs), 04:26:45 of on-demand video, updated April 2020.

This lab will show you how to set up and configure Security Onion using VirtualBox. First off, I'll briefly explain Security Onion. Security Onion is the leading open source operating system for network security monitoring, intrusion detection, log management and threat hunting. Some of the most important tools that we'll be using throughout these lectures are Snort IDS and the useful visualization tool Squert, which will show you all of the Snort alerts that are triggered as a result of specific network traffic. For more information about Security Onion, search for Security Onion on the web, as there is an abundance of public information related to the project. Please note that the version of Security Onion utilized in this course is the most recent one available as of November 2018. That being said, Security Onion is continuously evolving, so some of the commands or underlying technology may be slightly different than what is shown here. However, I update these courses as needed if sizable changes occur. If you're having issues with Security Onion, please feel free to reach out to me directly via messaging or the Q&A system.

The first step is to download and install VirtualBox. Instructions to do this won't be included due to its simplicity; you can download the most recent version from virtualbox.org. After you have downloaded and installed VirtualBox, download Security Onion from securityonion.net. Click the download link, then click to download the ISO image. Once the download of the Security Onion ISO is complete, open VirtualBox Manager; we're going to be installing Security Onion now. Click New and name your VM. I'm naming mine "Security Onion 2018". Change the type to Linux and keep the version as Ubuntu (64-bit). Click Next. I'm going to be raising my RAM to about 16 GB; if you don't have that much RAM, raise it as high as you can, because Security Onion is a bit resource intensive. Click Next. Create a virtual hard disk.
Now click Create. Keep it as VDI (VirtualBox Disk Image) and click Next. Keep it as dynamically allocated storage, which will only fill up the hard disk as needed and is more efficient; click Next. I'm going to raise it to about 20 GB for storage. Click Create. Now, let's make sure that we have a host-only network set up, because this will be important for the lab work. Host-only is a form of networking that is completely isolated within the host computer, having no Internet connectivity. We need this so that our VMs can communicate with one another. Click File, then Host Network Manager. As you see here, one is already set up, but if you do not have one, you'll have to create one, which is pretty simple. To do this, click Create. Make sure to enable the DHCP server. Click Properties and select Configure Adapter Automatically. Go to the DHCP Server tab; everything's OK and the server is enabled, so click Apply. Now we're going to change some of the settings for the Security Onion VM. Right-click the Security Onion VM and click Settings. Firstly, under the General tab, click Advanced. For Shared Clipboard, change it to Bidirectional; this is going to enable a shared clipboard for convenient copying and pasting of commands. Next, we'll go to the System tab. On the Processor tab, I'm going to increase the number of processors to four for increased performance. Next is the Storage tab: click the empty disk under Controller: IDE. Now we're going to select the ISO that we downloaded in the beginning. This should be in the Downloads folder by default. To do this, click the disk icon here; I have mine already saved in memory. Next, go to the Network tab. Click Adapter 2, check Enable Network Adapter, and set it to Attached to: Host-only Adapter. Make sure you have selected a name for your VirtualBox Host-Only Ethernet Adapter. Click Advanced. Under Promiscuous Mode, change it from Deny to Allow VMs.
Now, let's begin the installation. Please note that you will need Internet connectivity. Highlight Security Onion 2018 and click Start. Press Enter or wait to boot Security Onion. Once Security Onion has booted, double-click Install SecurityOnion. Now select the language; I'm going to leave it as English. Click Continue. Do not select "Download updates while installing Security Onion"; this may cause complications. There's a special command used to update Security Onion, which I'll go over soon. Click Continue. Select "Erase disk and install SecurityOnion" and click Continue. Enter your location for the time zone and click Continue. Choose a keyboard layout; I'm leaving it as English. Choose a username and password and click Continue. Once the installation is complete, click Restart Now. It says to remove the installation medium, but this happens automatically, so just hit Enter. When prompted, enter the username and password that you set during the installation and click Log In. The first thing we'll want to do as a best practice when using VMs is to create a snapshot. This will allow us to revert our VM to this point in time if anything goes wrong with Security Onion going forward. To do this, click Machine, then Take Snapshot. I'm going to name it "fresh installation". Click OK. Now, for the shared clipboard to work, we'll need to install Guest Additions. To do this, go to Devices and click Insert Guest Additions CD image. Click Run, enter your password and authenticate. Once the installation has run its course, press Enter to close the window. Now we're going to reboot, so just right-click the desktop, open a terminal, type in sudo reboot and enter your password. Now copy and paste should work bidirectionally to and from the host and Security Onion. To test this, you can copy any text from your host and paste it anywhere that accepts text in Security Onion. For example, I have "test" here in Notepad on my host. I'm going to highlight that and copy it. Now, on Security Onion,
I'm going to right-click the desktop, open a terminal and paste it. There we go. Now I know that copy and paste works, and we can move on to Setup. Double-click Setup on the desktop. Enter your password and click OK. Yes, continue. Select "Yes, configure network interfaces"; this will allow Security Onion to automatically configure them. The management interface should be your NAT interface, which in this case will be enp0s3. Keep in mind that enp0s8 is the host-only interface, which will be the interface Security Onion will monitor with Snort, Bro, ELK and full packet capture. This is also called a sniffing interface. The management interface will have Internet connectivity. Click OK. Select DHCP for simplicity, due to this being an isolated lab environment, and click OK. Yes, configure sniffing interfaces, as this will be a standalone installation. As explained before, enp0s8 is the host-only interface. Click OK. Yes, make changes to go forward. Yes, reboot. After rebooting, double-click Setup again. Enter your password. Yes, continue. Yes, skip network configuration, because we just did that. For our lab setup, we're going to choose Evaluation Mode. This will give us everything needed for completing the labs within this course but use less computational resources. If you have a lot of RAM and processing power, you can also use Production Mode, but I recommend using Evaluation Mode if this is your first time using Security Onion. Click OK. Again, the network interface to be monitored should be enp0s8, which is the host-only sniffing interface. Click OK. Now we're creating a user account that will allow us to authenticate into Kibana, Squert and Sguil, which are the visualization tools used in Security Onion to review logs and alerts. I'm going to name mine jesse. Click OK. Now choose a password for the aforementioned account and confirm it. Yes, proceed with the changes.
I'm going to click through the dialog boxes, but I suggest you read through them thoroughly, as there is some useful information. Now, let's make the terminal accessible from the desktop. Right-click the desktop, open a terminal and type cd Desktop. Type in gedit terminal.desktop. Now I'm going to copy and paste this desktop entry; it's going to be named Terminal. Here's the file path to the binary. This is just going to allow us to have a link to the terminal emulator. Save that. This code here is going to be included in a text file with this lecture. Close. Type in sudo chmod +x terminal.desktop and enter your password. Now you can double-click to start the terminal from the desktop going forward. Let's change the profile. To do this, click Edit, then Profile Preferences. I'm going to name mine Jesse. Click Custom font; I'm going to raise mine to 17. Click Select, then Close. Now, let's update Security Onion. To do this, type sudo soup. This will utilize a script that downloads only the necessary packages for Security Onion and is the only way you should be updating it. Enter your password and press Enter. Please keep in mind that in this video we will be using all of the default configurations, so when prompted, just press Enter. Once updates are complete, press Enter to reboot. Now, let's go over an extremely important command for troubleshooting, which is sudo so-status. This script will perform service checks and display the results to the terminal. If anything within Security Onion is not working, such as Squert not showing alerts, this should be your first step to troubleshoot your issue. If any services show as failing, it can help you narrow down the problem at hand. For example, if you include a bad custom Snort rule with incorrect syntax, the Snort engine will fail.
As always, if you have trouble with Security Onion or anything else related to this course, please feel free to reach out to me with a detailed and specific problem, including any errors and all information possible. Now, to run the command, open a terminal and type in sudo so-status, and I'm going to pipe it to less. This is just going to make it easier to view. Enter your password. Now, the most important thing to look at here is the service status section at the top. If any of these services are showing as FAIL, we need to run the restart command for our sensor, which I'll go over shortly. As you see here, all of the services are showing as OK. This is good, and it indicates that there are no problems with any of our services, so let's close out of less by typing q on the keyboard. Let's go over the command to restart our sensor if we have any issues, such as service failures. To do this, type in sudo nsm_sensor_ps-restart; this will restart all of the Security Onion services. Hit Enter. Pay attention to the right: if it says OK, then your service has restarted successfully; if it says FAIL, then you have some problems. As you can see here, all of our services are OK. The most common issue I see my students run into is that Squert is not showing Snort alerts. Again, Squert is a visualization tool to show logs and Snort alerts. The previous troubleshooting steps should always be run to ensure that services are running properly. If your issue persists, it is prudent to reboot Security Onion and perform those troubleshooting steps again. The most common causes for Squert not showing Snort alerts are bad custom rules, the Sguil service failing, or the sniffing interface failing to process packets. Now let's run a quick function test to make sure that Squert will show Snort alerts. We're going to replay a pcap with malicious traffic on it that comes with Security Onion, using tcpreplay.
This will simply replay the packets as if they're occurring live over the wire. To locate the pcap, we'll be using locate: type in locate zeus and hit Enter. Now, type in sudo tcpreplay -l 20 (this will loop the replay 20 times) -i enp0s8 (that's the host-only interface) -t (for top speed), and finally the full path to the pcap. Now press Enter. Please disregard the error messages, as the tcpreplay command will still function properly. Now, double-click Squert on the desktop, enter the username and password that you created during setup, and click Login. Now you should see alerts here indicating Zeus trojan activity. If you're not seeing these alerts, something went wrong and troubleshooting is required. At this point, if everything is good with the services and with Squert, the Security Onion setup is good to go and we can move on to the following labs. Again, please let me know if you run into any issues and I'll do my best to help.
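As an added helper that is not from the course or from the Security Onion project, the script below automates the troubleshooting and function test just described: it parses so-status output for services not marked OK, restarts the sensor once if needed, and replays the Zeus pcap with the same tcpreplay flags. It assumes so-status prints one service per line ending in "[  OK  ]" or "[FAIL]" (the 2018-era format) and that the locate database already indexes the sample pcap.

```shell
#!/bin/bash
# Added troubleshooting helper for the lab above; not part of the course or of
# Security Onion itself. Assumes (as the 2018-era releases did) that `sudo so-status`
# prints one service per line of the form "  * <name> (<role>)   [  OK  ]" or "[FAIL]".
set -u

# Read so-status output on stdin and print the name of every service not marked OK.
failed_services() {
    grep '^[[:space:]]*\*[[:space:]]' \
        | grep -v '\[ *OK *\]' \
        | sed -E 's/^[[:space:]]*\*[[:space:]]+([^[]*[^[ ]).*/\1/'
}

# Return 0 if every service line in the status text ($1) is OK, 1 otherwise.
all_services_ok() {
    [ -z "$(printf '%s\n' "$1" | failed_services)" ]
}

# Build the tcpreplay command from the lecture: -l 20 loops, -i sniffing interface,
# -t top speed, then the pcap path. $1 = pcap path, $2 = interface.
replay_cmd() {
    printf 'sudo tcpreplay -l 20 -i %s -t %s' "$2" "$1"
}

# Run the whole check: inspect services, restart the sensor once if anything
# failed, then replay the Zeus pcap that ships with Security Onion so that
# Squert should show Snort alerts.
so_function_test() {
    local iface="${1:-enp0s8}" status pcap
    status="$(sudo so-status 2>/dev/null)"
    if ! all_services_ok "$status"; then
        echo "Failed services:"; printf '%s\n' "$status" | failed_services
        sudo nsm_sensor_ps-restart
        status="$(sudo so-status 2>/dev/null)"
        all_services_ok "$status" || { echo "Still failing: reboot and re-check."; return 1; }
    fi
    pcap="$(locate -i zeus | grep -m1 '\.pcap$' || true)"
    [ -n "$pcap" ] || { echo "Zeus pcap not found (try: sudo updatedb)"; return 1; }
    eval "$(replay_cmd "$pcap" "$iface")"
}
```

Run it on the sensor with `so_function_test enp0s8` after sourcing the file; the tcpreplay error messages the lecture mentions are expected.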