Install and Setup Velociraptor on Ubuntu 18.04

0
382

Welcome to our tutorial on how to install and setup Velociraptor on Ubuntu 18.04. Velociraptor is an endpoint monitoring open source tool that allows collection of information about clients and monitor them. It is based on GRR, OSQuery and Google’s Rekall tool.

Install and Setup Velociraptor on Ubuntu 18.04

In this setup, we will cover how to install and setup Velociraptor on Ubuntu 18.04 using standalone deployment setup option which employs server-client deployment model. Agents are installed on clients systems and they communicate to the server over TLS.

Velociraptor has six main components:

  • Frontend – Frontend receives connections from clients.
  • Gui – Web UI for accessing velociraptor.
  • Client – Velociraptor endpoint agents
  • VQL Engine (VFilter) – Velociraptor Query Language used to query.
  • Data store – locations where Velociraptor is going to save its files.
  • File store – used by velociraptor for long term storage

We will as well learn how to install Velociraptor clients on both Windows and Linux endpoints.

Install and Setup Velociraptor on Ubuntu 18.04

Step 1: Get velociraptor Linux binary

Get the latest Velociraptor Linux binary from the official Velociraptor Github releases page:

mkdir velociraptor
cd velociraptor
wget https://github.com/Velocidex/velociraptor/releases/download/v0.5.3/velociraptor-v0.5.3-linux-amd64

Step 2: Make the Binary executable

Once the download of the binary installer is complete, make it executable by running the command below;

chmod +x velociraptor-v0.5.3-linux-amd64 

Step 3: Generate a server Config File

Generate server configuration file using the command below:

 ./velociraptor-v0.5.3-linux-amd64 config generate > /etc/velociraptor.config.yaml

To customize the configuration file generation use the command:

 ./velociraptor-v0.5.3-linux-amd64 config generate config generate -i

Optionally edit the Configuration file once its created to suite your deployment. For instance you can change the server url and the server’s IP where the addresses are binding to;

vim /etc/velociraptor.config.yaml
...
  Client:
      server_urls:
      - https://192.168.56.102:8000/
...
API:
  bind_address: 192.168.56.102
...
GUI:
  bind_address: 192.168.56.102
...
Monitoring:
  bind_address: 192.168.56.102
...

Additionally Datastore location can be edited to change the location where Velociraptor is going to save its files.

Datastore:
  implementation: FileBaseDataStore
  location: /var/tmp/velociraptor
  filestore_directory: /var/tmp/velociraptor

Its important to note client – server communications are encrypted over HTTPS. The keys are embedded in the configuration file.

Step 4: Create GUI user

Create a user to access the GUI by running the command below;

./velociraptor-v0.5.3-linux-amd64 --config /etc/velociraptor.config.yaml user add admin --role administrator

Enter a password for the user when prompted:

The above command adds the user admin with the administrator role. Other available roles are:

  • reader
  • analyst
  • investigator
  • artifact_writer

Step 5: Start Velociraptor Frontend

Start Velociraptor server using frontend command, -v flag is used to show verbose output on the terminal.

 ./velociraptor-v0.5.3-linux-amd64 --config /etc/velociraptor.config.yaml frontend -v

Sample output:

[INFO] 2020-12-09T20:45:30+03:00  _    __     __           _                  __ 
[INFO] 2020-12-09T20:45:30+03:00 | |  / /__  / /___  _____(_)________ _____  / /_____  _____ 
[INFO] 2020-12-09T20:45:30+03:00 | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/ 
[INFO] 2020-12-09T20:45:30+03:00 | |/ /  __/ / /_/ / /__/ / /  / /_/ / /_/ / /_/ /_/ / / 
[INFO] 2020-12-09T20:45:30+03:00 |___/\___/_/\____/\___/_/_/   \__,_/ .___/\__/\____/_/ 
[INFO] 2020-12-09T20:45:30+03:00                                   /_/ 
[INFO] 2020-12-09T20:45:30+03:00 Digging deeper!                  https://www.velocidex.com 
[INFO] 2020-12-09T20:45:30+03:00 This is Velociraptor 0.5.3 built on 2020-12-03T15:33:04+10:00 (e957bec) 
[INFO] 2020-12-09T20:45:30+03:00 Loading config from file /etc/velociraptor.config.yaml 
[INFO] 2020-12-09T20:45:30+03:00 Starting Frontend. {"build_time":"2020-12-03T15:33:04+10:00","commit":"e957bec","version":"0.5.3"}
[INFO] 2020-12-09T20:45:30+03:00 Increased open file limit to 999999 
[INFO] 2020-12-09T20:45:30+03:00 Starting Journal service. 
[INFO] 2020-12-09T20:45:30+03:00 Starting the notification service. 
[INFO] 2020-12-09T20:45:30+03:00 Starting Inventory Service 
[INFO] 2020-12-09T20:45:30+03:00 Loaded 216 built in artifacts in 49.831921ms 
[INFO] 2020-12-09T20:45:30+03:00 Starting Hunt Dispatcher Service. 
[INFO] 2020-12-09T20:45:30+03:00 Starting Label service. 
[INFO] 2020-12-09T20:45:30+03:00 Selected frontend configuration localhost:8000 
[INFO] 2020-12-09T20:45:30+03:00 Starting Client Monitoring Service 
[INFO] 2020-12-09T20:45:30+03:00 Creating default Client Monitoring Service 
...
[INFO] 2020-12-09T20:45:31+03:00 Starting the hunt manager service. 
[INFO] 2020-12-09T20:45:31+03:00 Starting Server Monitoring Service 
[INFO] 2020-12-09T20:45:31+03:00 Starting VFS writing service. 
[INFO] 2020-12-09T20:45:31+03:00 Starting Server Artifact Runner Service 
[INFO] 2020-12-09T20:45:31+03:00 Starting Enrollment service. 
[INFO] 2020-12-09T20:45:31+03:00 Collecting Server Event Artifact: Server.Monitor.Health/Prometheus 
[INFO] 2020-12-09T20:45:31+03:00 Starting gRPC API server on 192.168.56.102:8001  
[INFO] 2020-12-09T20:45:31+03:00 Launched Prometheus monitoring server on 192.168.56.102:8003  
[INFO] 2020-12-09T20:45:31+03:00 GUI is ready to handle TLS requests on https://192.168.56.102:8889/ 
[INFO] 2020-12-09T20:45:31+03:00 Frontend is ready to handle client TLS requests at https://localhost:8000/ 
...

The output indicates which port the GUI and Front-end are listening on.

Accessing Velociraptor Web Interface

Access the server on https://SERVER-IP:8889. Use the user and password created earlier. GUI communications are authenticated with basic Auth.

Step 6 (Optional) : Install Systemd Service for Verociraptor

Additionally you can create systemd service to start Velociraptor as a service. For easier management you can copy the binary to /usr/local/bin as velociraptor.

cp velociraptor-v0.5.3-linux-amd64 /usr/local/bin/velociraptor

Create the systemd service file:

 vim  /lib/systemd/system/velociraptor.service

Add the content below:

[Unit]
Description=Velociraptor linux amd64
After=syslog.target network.target

[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v

[Install]
WantedBy=multi-user.target

Reload systemd daemon:

systemctl daemon-reload

Start and enable velociraptor to start at boot time:

systemctl enable --now velociraptor 

Check the status of velociraptor.

systemctl status velociraptor
● velociraptor.service - Velociraptor linux amd64
   Loaded: loaded (/lib/systemd/system/velociraptor.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-12-09 21:10:37 EAT; 6s ago
 Main PID: 21354 (velociraptor)
    Tasks: 7 (limit: 595)
   CGroup: /system.slice/velociraptor.service
           └─21354 /usr/local/velociraptor --config /etc/velociraptor.config.yaml frontend -v

Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Starting Server Artifact Runner Service
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Starting gRPC API server on 192.168.56.102:8001
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Launched Prometheus monitoring server on 192.168.56
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 GUI is ready to handle TLS requests on https://192.
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Collecting Server Event Artifact: Server.Monitor.He
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Frontend is ready to handle client TLS requests at 
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Compiled all artifacts.

Access the GUI and login into the interface, you’ll see Velociraptor GUI dashboard.

Install and Setup Velociraptor on Ubuntu 18.04

Install and Configure Velociraptor Client

As stated before, Velociraptor server-client communication happens over an encrypted HTTPS channel. You can use self signed SSL or commercially trusted SSL certs.

In this setup, we will be using self signed SSL certs. Therefore, edit the /etc/velociraptor.config.yaml configuration file and append the directive use_self_signed_ssl: true in the block below the Frontentd URL CA certificate so as to use the self signed certificate.

vim /etc/velociraptor.config.yaml
  ...
      nonce: cNzXMcNgk0g=
      use_self_signed_ssl: true
      writeback_darwin: /etc/velociraptor.writeback.yaml
      writeback_linux: /etc/velociraptor.writeback.yaml
      writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml
      tempdir_windows: $ProgramFiles\Velociraptor\Tools
...

Save the file and generate the client configuration file

 ./velociraptor-v0.5.3-linux-amd64 --config /etc/velociraptor.config.yaml config client > client.config.yaml

NOTE:
Client configuration file contains CA certificate that is used for authentication between the client’s machine and the Velociraptor Server.

Install Velociraptor Clients on Linux and Windows Machines

Velociraptor clients can be configured in two ways;

Using Velociraptor Binary

This method involves using Velociraptor binary and client configuration file generated from the server. The client configuration file has to be copied to the client machine. This method is ideal for testing purposes, for large deployment the second method, below, is preferred.

Using Velociraptor client packages

This method packages the client configuration file on a Linux package or Windows installer which are then distributed to the clients target machines.

Follow the link below to learn how to install and configure Velociraptor clients on Linux and Windows machines.

Install Velociraptor Client on Linux and Windows Systems

Conclusion

That brings us to the end of our guide on how to install and setup Velociraptor on Ubuntu 18.04. Velociraptor is powerful open source tool that can be used to query hosts thus providing endpoint monitoring, digital forensic investigations and Threat Hunting.

Further Reading

Velociraptor Documentation

Other Tutorials

Install Kolide Fleet Osquery Fleet Manager on Debian 10

Install Osquery on Debian 10 Buster

Install and Configure Snort 3 NIDS on Ubuntu 20.04

LEAVE A REPLY

Please enter your comment!
Please enter your name here