Added ZFS template from proof-of-concept for reference
Added external ready generator
Managing environments, per-client isolation, and retention can be hard in the pentesting world and historically has been a pretty manual or scripted process that is prone to error. This project attempts to create reproducible virtual machine environments for testing, while also generating a single-use set of home directories belonging to each engagement. This creates a single encrypted location where specific client data can reside and allows for much easier management of environments and maintenance of client retention.
Additionally, the tooling provides integration into libvirt to automatically create a test environment and even fully maintain the domains.
nixos.qcow2
- The OS disk image containing all the tooling needed for testing

user.qcow2
- User home directory utilizing disk encryption

keydrive.qcow2
- Key drive file. Thin wrapper that contains the decryption data for the user drive.

- responder -> pretender
- ecryptfs -> gocryptfs
- user disks to allow for swapping between different OS image builds quickly

Currently this is just a beta project and is proven to successfully build quick images when I need them for a test:
Generator:

```shell
# edit variables in genimg
$ ./genimg "$PASSWORD"
62VFY65RNHPZ6
$ export ID=62VFY65RNHPZ6
$ virt-install --name nixos-${ID} --memory 10240 --vcpus=2 --disk path=./${ID}/nixos.qcow2,format=qcow2,boot.order=1 --disk path=./${ID}/user.qcow2,format=qcow2 --disk path=./${ID}/keydrive.qcow2,format=qcow2 --os-type=nixos-unstable --video virtio --print-xml | virsh define /dev/stdin
Domain 'nixos-62VFY65RNHPZ6' defined from /dev/stdin
```
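As an added example (not part of genimg or this project's code), a POSIX shell wrapper around the session above: it checks that the engagement directory genimg produced holds the three images and that the keydrive, which carries the decryption data for user.qcow2, is not readable by other users, then defines the domain with the same virt-install arguments. The directory layout and argument list come from the session above; the function names and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of genimg. Assumes ./$ID/{nixos,user,keydrive}.qcow2
# exist as produced by genimg, and that virt-install and virsh are on PATH.

# Verify an engagement directory: all three images present, and the keydrive
# (which holds the decryption data for user.qcow2) not readable by others.
# Prints one line per problem and returns non-zero if anything is wrong.
check_engagement() {
    id="$1"
    dir="./$id"
    rc=0
    for img in nixos.qcow2 user.qcow2 keydrive.qcow2; do
        if [ ! -f "$dir/$img" ]; then
            echo "missing: $dir/$img"
            rc=1
        fi
    done
    if [ -f "$dir/keydrive.qcow2" ]; then
        # Columns 8-10 of ls -l are the "other" permission bits.
        perms=$(ls -l "$dir/keydrive.qcow2" | cut -c8-10)
        if [ "$perms" != "---" ]; then
            echo "keydrive.qcow2 is readable by others (mode bits: $perms)"
            rc=1
        fi
    fi
    return $rc
}

# Build the virt-install argument list used on this page for one engagement.
engagement_virt_install_args() {
    id="$1"
    printf '%s' "--name nixos-${id} --memory 10240 --vcpus=2 \
--disk path=./${id}/nixos.qcow2,format=qcow2,boot.order=1 \
--disk path=./${id}/user.qcow2,format=qcow2 \
--disk path=./${id}/keydrive.qcow2,format=qcow2 \
--os-type=nixos-unstable --video virtio"
}

# Validate, then define the libvirt domain exactly as in the session above.
define_engagement() {
    check_engagement "$1" || return 1
    # shellcheck disable=SC2046  # word splitting of the argument list is intended
    virt-install $(engagement_virt_install_args "$1") --print-xml | virsh define /dev/stdin
}

# Usage: ./define-engagement.sh 62VFY65RNHPZ6   (after ./genimg has run)
if [ "$#" -ge 1 ]; then
    define_engagement "$1"
fi
```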
The main components generated by the tooling are:

machines
- Entire virtual machines created from NixOS to create reproducible environments. Theoretically you could hand a client or other tester your build and your tests are reproducible without fuss.

homes
- An encrypted volume that is generated and represents a dataset to be used for an engagement or set of engagements.

keydrive
- A very thin disk image that contains the decryption information for a home environment.

The way this is structured allows interchangeable host OS environments for whatever the needs are. It also allows for whole VM upgrades without changing the home environment. Just swap keydrives and machines in and out.
Additionally, this creates an interesting profile-based structure that allows for deeper customization per test need. Sometimes you don't need cross compiling, sometimes you do need wireless tools, sometimes you just miss your old desktop environment. All just knobs.
libvirtd
- Optional

```shell
virt-install --name nixos-3AP5YK3PPKQVI --memory 10240 --vcpus=2 --disk path=./3AP5YK3PPKQVI/nixos.qcow2,format=qcow2,boot.order=1 --disk path=./3AP5YK3PPKQVI/user.qcow2,format=qcow2 -v --os-type=nixos-unstable --boot hd
```