
Building UN1TY, a Cybersecurity Testing Lab

In cybersecurity, an efficient testing lab is essential for understanding attack scenarios. This post walks through the two steps needed to build your own client-server testing lab: installing the server and integrating the collectors.

The UN1TY server is where we visualize and analyze the test results, while the collectors are the hosts on which adversary techniques are simulated.


UN1TY Server Requirements

Hardware:

  • 2 CPU cores
  • 8 GB of RAM
  • 256 GB of disk space

Base Operating System: Ubuntu Server

UN1TY Installation

Analysis Platform: We will use Elastic Security for our lab.

Elasticsearch as Database

  • Installing Elasticsearch
    
    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.13.4-amd64.deb
    sudo dpkg -i elasticsearch-8.13.4-amd64.deb
    # > The generated password for the elastic built-in superuser is : *****
    
  • Save the generated password for the elastic superuser; if you missed it, reset it and save the new one:
    
    /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
    
  • Start Service
    
    sudo systemctl daemon-reload
    sudo systemctl enable elasticsearch.service
    sudo systemctl start elasticsearch.service
    
  • Test
    
    curl -XGET -k -uelastic 'https://localhost:9200/_cluster/health'
    # > {"cluster_name":"elasticsearch","status":"green",.....
    

Kibana as UI Console

  • Installing Kibana
    
    wget https://artifacts.elastic.co/downloads/kibana/kibana-8.13.4-amd64.deb
    sudo dpkg -i kibana-8.13.4-amd64.deb
    
  • Configure
    
    # set server.host value to "0.0.0.0" in /etc/kibana/kibana.yml
    /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
    /usr/share/kibana/bin/kibana-setup --enrollment-token <TOKEN>
    # > Kibana configured successfully.
    
  • Start Service
    
    sudo systemctl daemon-reload
    sudo systemctl enable kibana.service
    sudo systemctl start kibana.service
    
  • Test: open http://<HOST-IP>:5601 in your browser, replacing <HOST-IP> with the server's IP address
  • Enter your credentials and log in
  • Then click “Explore on my own”
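
The configure step above edits server.host by hand. The script below is an added example, not part of the original post: a shell function that sets a top-level key in a Kibana-style YAML file whether the key is commented out (as it ships in the stock kibana.yml), already set to another value, or absent, so the edit is safe to re-run from a provisioning script. The sample file content is constructed, and set_yaml_key, get_yaml_key and make_sample_kibana_yml are my own names.

```bash
#!/usr/bin/env bash
# Added example, not from the post: idempotently set a top-level key such as
# server.host in a Kibana-style YAML file (/etc/kibana/kibana.yml on the server).
set -e

# set_yaml_key FILE KEY VALUE
# Rewrites the first line that carries KEY, whether it is live ("server.host: ...")
# or commented out ("#server.host: ..."), and appends the key if it is absent.
set_yaml_key() {
  file="$1"; key="$2"; value="$3"
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0 }
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and leading "#"
      if (!done && index(line, key ":") == 1) {
        print key ": \"" value "\""
        done = 1
        next
      }
      print
    }
    END { if (!done) print key ": \"" value "\"" }
  ' "$file" > "$tmp"
  # copy back instead of mv so the real file keeps its owner and mode
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_yaml_key FILE KEY: print the active (uncommented) value of KEY, quotes removed.
get_yaml_key() {
  awk -v key="$2" '
    {
      line = $0
      sub(/^[[:space:]]*/, "", line)
      if (index(line, key ":") == 1) {
        v = substr(line, length(key) + 2)
        sub(/^[[:space:]]*/, "", v)
        gsub("\"", "", v)
        print v
        exit
      }
    }' "$1"
}

# make_sample_kibana_yml: write a constructed file that mirrors the stock layout,
# where server.host ships commented out. Prints the path.
make_sample_kibana_yml() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
# Constructed sample of /etc/kibana/kibana.yml (not the real file)
#server.port: 5601
#server.host: "localhost"
elasticsearch.hosts: ["https://localhost:9200"]
EOF
  printf '%s' "$f"
}

# Demo on the constructed file.
f="$(make_sample_kibana_yml)"
set_yaml_key "$f" server.host 0.0.0.0
set_yaml_key "$f" server.host 0.0.0.0      # second run must not add a duplicate
echo "server.host is now: $(get_yaml_key "$f" server.host)"
rm -f "$f"
```

Binding to 0.0.0.0 puts the Kibana console on every interface the server has. On a lab box with more than one network, set server.host to the lab interface's address instead, or keep 0.0.0.0 and add a host firewall rule that limits port 5601 to the lab subnet.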

Fleet Server as Collectors Management

Installing Fleet Server: after logging into Kibana, follow these steps to install the Fleet Server.

  • ☰ > Management > Fleet > Agents > Add a Fleet Server
  • Fill Name and URL
    • Name: main
    • URL: https://<HOST-IP>:8220
  • Copy the Linux Tar command and append --fleet-server-es-insecure to it. That flag turns off certificate verification for the Fleet Server's connection to Elasticsearch; it is acceptable on an isolated lab network but should not be carried over to a production deployment.
    
    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.13.4-linux-x86_64.tar.gz
    tar xzvf elastic-agent-8.13.4-linux-x86_64.tar.gz
    cd elastic-agent-8.13.4-linux-x86_64
    sudo ./elastic-agent install \
      --fleet-server-es=https://<HOST-IP>:9200 \
      --fleet-server-service-token=***** \
      --fleet-server-policy=fleet-server-policy \
      --fleet-server-es-ca-trusted-fingerprint=***** \
      --fleet-server-port=8220 --fleet-server-es-insecure
    
  • Test
    
    curl -XGET -k 'https://<HOST-IP>:8220/api/status'
    # > {"name":"fleet-server","status":"HEALTHY"}
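
The two curl tests above (the cluster health check in the Elasticsearch section and the Fleet Server status check here) are easy to eyeball but awkward to script, because a body that says red or DEGRADED still comes back with HTTP 200. This added example (not from the post) extracts the status field with sed and turns both checks into pass/fail functions. The sample bodies are constructed to match the responses quoted in the post; check_live, ES_PASSWORD and the function names are my own, and the CA path in the comment is the one the Elasticsearch 8 deb package generates at install.

```bash
#!/usr/bin/env bash
# Added example, not from the post: turn the lab's two health endpoints into
# pass/fail checks that can run from cron or a setup script.
set -e

# Constructed sample bodies shaped like the responses quoted in the post.
ES_BODY_OK='{"cluster_name":"elasticsearch","status":"green","timed_out":false,"number_of_nodes":1}'
ES_BODY_BAD='{"cluster_name":"elasticsearch","status":"red","timed_out":false,"number_of_nodes":1}'
FLEET_BODY_OK='{"name":"fleet-server","status":"HEALTHY"}'
FLEET_BODY_BAD='{"name":"fleet-server","status":"DEGRADED"}'

# json_field BODY KEY: print the string value of "KEY":"value" (flat JSON only;
# enough for these two endpoints and avoids needing jq on the server).
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# es_healthy BODY: succeed when the cluster is green or yellow. Yellow is normal
# on a one-node lab (replica shards have no second node to live on); red means
# primary shards are missing and data is unavailable.
es_healthy() {
  case "$(json_field "$1" status)" in
    green|yellow) return 0 ;;
    *)            return 1 ;;
  esac
}

# fleet_healthy BODY: succeed only when fleet-server reports HEALTHY.
fleet_healthy() {
  [ "$(json_field "$1" status)" = "HEALTHY" ]
}

# check_live LABEL URL CHECK_FN [curl options...]: query a running endpoint and
# evaluate its body with CHECK_FN. Not exercised by the offline demo below.
# Example calls (ES_PASSWORD holds the elastic superuser password saved earlier;
# pinning the generated CA instead of -k makes the check fail if the certificate
# on the wire is not the one Elasticsearch created at install):
#   check_live elasticsearch https://localhost:9200/_cluster/health es_healthy \
#     --cacert /etc/elasticsearch/certs/http_ca.crt -u "elastic:$ES_PASSWORD"
#   check_live fleet-server https://<HOST-IP>:8220/api/status fleet_healthy -k
check_live() {
  label="$1"; url="$2"; check="$3"; shift 3
  body="$(curl -sS "$@" "$url")"
  if "$check" "$body"; then
    echo "OK   $label"
  else
    echo "FAIL $label: $body" >&2
    return 1
  fi
}

# Offline demo on the constructed bodies.
es_healthy "$ES_BODY_OK"        && echo "elasticsearch green sample: healthy"
es_healthy "$ES_BODY_BAD"       || echo "elasticsearch red sample: NOT healthy"
fleet_healthy "$FLEET_BODY_OK"  && echo "fleet-server HEALTHY sample: healthy"
fleet_healthy "$FLEET_BODY_BAD" || echo "fleet-server DEGRADED sample: NOT healthy"
```

The Fleet Server check keeps -k because, as installed above, Fleet Server serves a self-signed certificate that the Elasticsearch CA did not issue; the Elasticsearch check can pin the generated CA and drop -k entirely.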
    

Collector Integration

We will use a Windows host and a Linux host for the different scenarios.

Installing Elastic Agent

For Windows

  • ☰ > Management > Fleet > Agents > Add agent
  • Name the policy Collector policy - WIN and click Create policy
  • Copy the Windows command and append --insecure to it; the flag skips verification of the Fleet Server's TLS certificate, which the lab needs because the Fleet Server installed above uses a self-signed certificate
    
    $ProgressPreference = 'SilentlyContinue'
    Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.13.4-windows-x86_64.zip -OutFile elastic-agent-8.13.4-windows-x86_64.zip
    Expand-Archive .\elastic-agent-8.13.4-windows-x86_64.zip -DestinationPath .
    cd elastic-agent-8.13.4-windows-x86_64
    .\elastic-agent.exe install --url=https://<HOST-IP>:8220 --enrollment-token=***** --insecure
    # > Elastic Agent has been successfully installed.
    

For Linux

  • ☰ > Management > Fleet > Agents > Add agent
  • Click Create new agent policy, name it Collector policy - LIN and click Create policy
  • Copy the Linux Tar command and append --insecure to it (same meaning as for the Windows collector)
    
    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.13.4-linux-x86_64.tar.gz
    tar xzvf elastic-agent-8.13.4-linux-x86_64.tar.gz
    cd elastic-agent-8.13.4-linux-x86_64
    sudo ./elastic-agent install --url=https://<HOST-IP>:8220 --enrollment-token=***** --insecure
    # > Elastic Agent has been successfully installed.
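
Every download on this page (the Elasticsearch and Kibana packages, and the agent tarballs for the Fleet Server and both collectors) is fetched with a bare wget or curl and installed as-is. Elastic publishes a .sha512 file beside each artifact, so checking the download costs one extra request. The script below is an added example, not from the post: verify_artifact compares a file against such a checksum file, and fetch_and_verify wraps the download so a file that does not match never reaches tar or dpkg. The demo data is constructed, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the post: verify an Elastic download against the
# .sha512 file published next to it before extracting or installing it.
set -e

# sha512_of FILE: hex digest, using coreutils sha512sum or shasum as fallback.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1"
  else
    shasum -a 512 "$1"
  fi | awk '{print $1}'
}

# verify_artifact FILE SUMFILE: succeed only if the digest in SUMFILE matches FILE.
# SUMFILE uses the coreutils layout "<hex digest>  <filename>", which is what
# Elastic serves at <artifact URL>.sha512.
verify_artifact() {
  file="$1"; sumfile="$2"
  expected="$(awk 'NR == 1 {print tolower($1)}' "$sumfile")"
  actual="$(sha512_of "$file")"
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "checksum mismatch: $file" >&2
    return 1
  fi
}

# fetch_and_verify URL: download the artifact and its .sha512 sibling, verify,
# and delete the artifact if the digest does not match. Use this where the post
# runs curl -L -O or wget on its own. (Not exercised by the offline demo.)
fetch_and_verify() {
  url="$1"; name="${url##*/}"
  curl -sSL -o "$name" "$url"
  curl -sSL -o "$name.sha512" "$url.sha512"
  if ! verify_artifact "$name" "$name.sha512"; then
    rm -f "$name"
    return 1
  fi
  echo "verified $name"
}

# make_demo: constructed stand-in for a downloaded tarball plus a matching
# checksum file, in a temp directory whose path is printed.
make_demo() {
  dir="$(mktemp -d)"
  printf 'constructed stand-in for an elastic-agent tarball\n' > "$dir/agent.tar.gz"
  printf '%s  %s\n' "$(sha512_of "$dir/agent.tar.gz")" agent.tar.gz > "$dir/agent.tar.gz.sha512"
  printf '%s' "$dir"
}

# Offline demo: the untouched file verifies; a one-byte change is caught.
d="$(make_demo)"
verify_artifact "$d/agent.tar.gz" "$d/agent.tar.gz.sha512" && echo "intact copy: OK"
printf 'x' >> "$d/agent.tar.gz"
verify_artifact "$d/agent.tar.gz" "$d/agent.tar.gz.sha512" 2>/dev/null || echo "tampered copy: rejected"
rm -rf "$d"
```

On a box that already has coreutils, running sha512sum -c on the downloaded .sha512 file from the same directory does the same comparison; the function form is there so the install script can stop before tar or dpkg runs.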
    

UN1TY Results

  • Finally, the lab shows its enrolled agents and monitored hosts in these two views:
  • ☰ > Management > Fleet > Agents
  • ☰ > Security > Explore > Hosts > All Hosts

This post is licensed under CC BY 4.0 by the author.