Windows Offensive VM from Mandiant FireEye
What is Commando VM?
Commando VM is a Windows testing platform, created by Mandiant FireEye, meant for penetration testers who are more comfortable with Windows as an operating system. Commando VM is essentially the sister to Kali, a Linux testing platform widely used throughout the penetration testing community. These testing platforms are packaged with all the common tools and scripts that a tester would need to utilize during an engagement. Commando VM can be installed on Windows 7 SP1 or Windows 10 and is made easily accessible on GitHub.
Why is this important?
Understanding what these testing platforms are, and how to use them, is important for both red and blue teamers. When working with customers, I commonly ask if they’re familiar with tools like Mimikatz or Bloodhound. Surprisingly enough, a handful of them are not. This is somewhat concerning to me, as one of the things I learned in school, is to protect yourself from an attacker, you must think like an attacker. How better to think like an attacker, than to use all of the tools that they’ll be attempting to leverage against you and the environment you’re attempting to secure. Commando VM makes it very easy to do this, as it’s packaged up with the latest and greatest tools and scripts that will assist in a blue team’s education on what they do.
What can it be used for?
Commando VM is packaged with a myriad of tools that can be used for a variety of things. Some of the categories that Commando VM can assist with are:
- Information Gathering
- Web Application Testing
All of the tools listed below are included in an installation of Commando VM.
Information gathering is a major part of assessing your own environment. Understanding what is exposed to an attacker with no privileges is key to understanding what you need to lock down and secure. If you can see it with some of these tools and scripts, so can they.
- Nmap – scanning and enumerating is key to understanding the environment. Results of Nmap scans can be used to find what hosts are available on the network, what services those hosts are running, and open ports on those hosts.
- BloodHound – scanning an Active Directory environment and understanding complex attack paths that may exist due to permission configurations is something ALL blue teamers should be doing. A tool like Bloodhound can help you identify where these paths exist, and quickly know what to prioritize in terms of remediation.
Once you’ve done some reconnaissance, the next step would be trying to exploit some of the things you’ve found. For example, if you’ve identified that sessions existed on a certain machine, or permissions existed for a certain user, there are tools you can use to try and leverage those permissions or sessions to your advantage.
- Invoke-ACLpwn – this tool leverages some of the functionality in Bloodhound to discover the permission relationships that exist in AD. Not only will it discover these permissions, but it will automatically try to exploit them in a chain to escalate privileges all the way to Domain Admin.
- Mimikatz – a tool for exploiting Windows and Active Directory, which is most commonly used for attacks like Pass-the-Hash or DCSync. Session enumeration done through information gathering may result in the identification of a target that can be leveraged for privilege escalation. If an administrative user or more privileged user has a session on a machine you have access to, you can use Mimikatz to get access to their account and escalate or move laterally throughout the environment.
Web Application Testing
If your company or environment uses internal web applications, it would be in your best interest to penetration test them. Once someone gets in your environment, if they were to find that these applications existed, it would not be hard for them to use tools found in Commando VM to try and find any vulnerabilities. Some of the easily found vulnerabilities may be able to be addressed prior to any official engagement.
- Burp Suite – this tool can assist in finding AND exploiting vulnerabilities that may exist in a web application. Simply setting up a proxy/listener while you navigate all the web pages of your application will allow you to kick off many automatic scans that will identify and explain any vulnerabilities. If a simple Burp Suite scan can find it, an experienced attacker definitely will.
Now that I’ve given a high-level overview of what Commando VM is, why it is important, and some of the tools that exist, my next topic will be on the installation and configuration of Commando VM. After that, I’ll be diving into some proof of concepts for various Active Directory attacks, and how both blue and red teams can use this tool to understand and help secure their environments.
Kevin Joyce is a Senior Technical Product Manager at STEALTHbits Technologies. He is responsible for building and delivering on the roadmap of STEALTHbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.