In this tutorial, you will learn how to install Velociraptor Client on Linux and Windows Systems. Velociraptor endpoint agents are called clients. Clients connect to the server and wait for instructions, which mostly consist of VQL statements, then run any VQL queries and return the result to the server.
In our previous tutorial (link provided below), we covered how to install and setup Velociraptor Linux systems;
Install and Setup Velociraptor on Ubuntu 18.04
Install and Setup Velociraptor on Debian 10
Install and setup Velociraptor on Ubuntu 20.04
Velociraptors client-server communication is based on GRR’s protocol where it implements zero registration clients method. This means no a-prior knowledge of clients is required hence making the enrollment of the client from packages a simple process.
Installing Velociraptor Client on Linux and Windows
There are two ways in which you can install Velociraptor client;
Install Velociraptor client using Velociraptor Binary
This method involves using Velociraptor binary and client configuration file generated from the server. The client configuration file has to be copied to the client machine. This method is ideal for testing purposes, for large deployment the second method, below, is preferred.
Install Velociraptor using Velociraptor client packages
This method packages the client configuration file on a Linux package or Windows installer which are then distributed to the clients target machines. This type of deployment is ideal for large deployments since it only requires distribution of one package.
Install Velociraptor client Using Velociraptor Binary
Using Velociraptor binary on Linux Systems
Velociraptor binary used for Server and Client is the same, the usage is differentiated by config options.
Step 1: Get velociraptor binary on client machine
On the target Linux Velociraptor client system, create a directory where to store the binary.
mkdir velociraptorNavigate to the binary directory created above and download the Velociraptor binary for Linux systems.
cd velociraptor
wget https://github.com/Velocidex/velociraptor/releases/download/v0.5.3/velociraptor-v0.5.3-linux-amd64Make the Binary executable;
chmod +x velociraptor-v0.5.3-linux-amd64 Step 2: Copy the Velociraptor client configuration file from the server to client
Login to the Velociraptor server and generate the client configuration file.
Once you have generated the configuration file, copy it to the respective client system.
scp client.config.yaml [email protected]:~/velociraptorStep 3: Start the Velociraptor client
To start the Velociraptor client in standalone mode using the client configuration file generated, run the command below
./velociraptor-v0.5.3-linux-amd64 --config client.config.yaml client -vTruncated Sample Output:
...
[INFO] 2020-12-10T10:58:28+03:00 Loading config from file client.config.yaml
Genering new private key....
[INFO] 2020-12-10T10:58:28+03:00 Starting Crypto for client C.271ab970be8f6541
[INFO] 2020-12-10T10:58:28+03:00 Starting Journal service.
[INFO] 2020-12-10T10:58:28+03:00 Starting the notification service.
[INFO] 2020-12-10T10:58:28+03:00 Installing Dummy inventory_service. Will download tools to temp directory.
[INFO] 2020-12-10T10:58:28+03:00 Loaded 216 built in artifacts in 109.595501ms
[INFO] 2020-12-10T10:58:28+03:00 Starting event query service with version 0.
[INFO] 2020-12-10T10:58:28+03:00 Starting event query service with version 0.
[INFO] 2020-12-10T10:58:28+03:00 Expecting self signed certificate for server.
[INFO] 2020-12-10T10:58:28+03:00 Ring Buffer: Creation {"filename":"/var/tmp/Velociraptor_Buffer.bin","max_size":1073741874}
[INFO] 2020-12-10T10:58:28+03:00 Starting HTTPCommunicator: HTTP Connector to [https://192.168.56.102:8000/]
[INFO] 2020-12-10T10:58:28+03:00 Received PEM for VelociraptorServer from https://192.168.56.102:8000/
[INFO] 2020-12-10T10:58:28+03:00 Receiver: Connected to https://192.168.56.102:8000/reader
[INFO] 2020-12-10T10:58:28+03:00 Enrolling
[INFO] 2020-12-10T10:58:28+03:00 Ring Buffer: Enqueue {"item_len":925,"total_length":925}
[INFO] 2020-12-10T10:58:28+03:00 Compiled all artifacts.
[INFO] 2020-12-10T10:58:29+03:00 Sender: Connected to https://192.168.56.102:8000/control
...
From the output above, the client is enrolled to the Velociraptor server.
Step 4 (Optional): Install systemd Service
Additionally you can create systemd service file for Velociraptor client:
vim /lib/systemd/system/velociraptor.serviceAdd the content below (edit ExecStart file paths with regards to your files location):
[Unit]
Description=Velociraptor linux amd64
After=syslog.target network.target
[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor-client.config.yaml client -v
[Install]
WantedBy=multi-user.target
Reload systemd daemon:
systemctl daemon-reloadStart and enable velociraptor to start at boot time:
systemctl enable --now velociraptor Check the status of velociraptor.
systemctl status velociraptor● velociraptor.service - Velociraptor linux amd64
Loaded: loaded (/lib/systemd/system/velociraptor.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-11-27 21:11:29 UTC; 59s ago
Main PID: 16544 (velociraptor-v0)
Tasks: 8 (limit: 4664)
CGroup: /system.slice/velociraptor.service
└─16544 /usr/local/velociraptor-v0.5.3-linux-amd64 --config /etc/velociraptor-client.config.yaml client -v
Nov 27 21:12:01 ubuntu velociraptor-v0.5.2-linux-amd64[16544]: [INFO] 2020-11-27T21:12:01Z Sender: Connected to https://192.168.56.102
...
Step 5: Confirm Client is Added on GUI
On the server GUI, navigate to homepage and select SHOW ALL next to the magnifying Glass to view connected clients:
Install Velociraptor client using Velociraptor binary on Windows Systems
Step 1: Create Install Folder
Create Velociraptor folder on target client system in the path specified below:
C:\Program Files\Velociraptor\Step 2: Download Velociraptor Client Windows Installer
Download the latest installer from Velociraptor releases page and save it in the folder created above.
Step 3: Copy Velociraptor Client Configuration file to Install folder
Copy client configuration file generated from the server to the client install folder created above.
IMPORTANT: Rename the client configuration file as Velociraptor.config.yaml.
Step 4: Run the Velociraptor Client on Windows:
Open Command prompt with Administrator privileges:
Change to the folder with Velociraptor Binary and client config files created earlier:
cd "C:\Program Files\Velociraptor" Run the Binary with Client config file and enroll the endpoint:
velociraptor-v0.5.3-windows-amd64.exe --config Velociraptor.config.yaml client -vThe following output is generated for a successful connection with the Fronted service of Velociraptor service:
Step 5: Running the client as a service
To run velociraptor client permanently get the msi installer from Velociraptor github releases.
Run the Installer by double clicking on the msi.
When the service is started during installation, it attempts to load the configuration file from C:\Program Files\Velociraptor\Velociraptor.config.yaml hence why we created the Folder and configuration file Velociraptor.config.yaml on the file path: C:\Program Files\Velociraptor\.
NOTE:
If there is an existing Velociraptor service that is already installed, it will be overwritten by the Velociraptor service installation. The service is set to start at boot time.
Confirm Velociraptor service is running by opening services, Win Key + R type services.msc to open services program.
On the Server GUI confirm the Windows Client has been enrolled successfully:
From the GUI you can see connected clients, the client(s) ID, hostname and OS Version. Clicking on a client gives more information about the client:
Now that clients are connected they can successfully be queried using VQL.
Install Velociraptor using Velociraptor client packages
Install Velociraptor Client on Linux using Velociraptor client packages
On the velociraptor Server create Velociraptor Linux client package by running the command below;
./velociraptor-v0.5.3-linux-amd64 -c /etc/velociraptor.config.yaml debian clientThe above command packages the client configuration file into the .deb package thus the single .deb package can be distributed to Debian based Linux clients for installation.
ls
velociraptor_0.5.3_client.deb Copy the .deb package to client machine(s) and install the package:
dpkg -i velociraptor_0.5.3_client.debSelecting previously unselected package velociraptor-client.
(Reading database ... 137978 files and directories currently installed.)
Preparing to unpack velociraptor_0.5.3_client.deb ...
Unpacking velociraptor-client (0.5.3) ...
Setting up velociraptor-client (0.5.3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/velociraptor_client.service → /etc/systemd/system/velociraptor_client.service.
Confirm the status of Velociraptor:
systemctl status velociraptor_client.service● velociraptor_client.service - Velociraptor linux client
Loaded: loaded (/etc/systemd/system/velociraptor_client.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-12-29 07:38:43 UTC; 54s ago
Main PID: 4409 (velociraptor_cl)
Tasks: 8 (limit: 2322)
CGroup: /system.slice/velociraptor_client.service
└─4409 /usr/local/bin/velociraptor_client --config /etc/velociraptor/client.config.yaml client
Dec 29 07:38:43 ubuntu systemd[1]: Started Velociraptor linux client.
...
The client enrollment can be confirmed on Velociraptor GUI.
Install Velociraptor Client on Windows using Velociraptor client packages
On the velociraptor Server get the windows binary in the same location as the Velociraptor server binary:
wget https://github.com/Velocidex/velociraptor/releases/download/v0.5.3/velociraptor-v0.5.3-windows-amd64.exeRun the below command to embed the client’s configuration in the windows binary
./velociraptor-v0.5.3-linux-amd64 config repack --exe velociraptor-v0.5.3-windows-amd64.exe client.config.yaml repackaged_velociraptor.exeCopy the repackaged Velociraptor client to target clients machine. Launch CMD as an administrator;
Change directory to the location where the repacked client was copied to and install Velociraptor client to run as a service. This autostarts Velociraptor client service on boot
repackaged_velociraptor.exe service install
Confirm Velociraptor client service is running:
Press Win + R and type services.msc to launch Windows Services application:
Scroll down or search for the service Velociraptor;
On Velociraptor GUI, the client enrollment can be confirmed by hitting refresh button on the homepage. Click on Show All on the top panel to view connected clients.
Once the clients are connected to the server, they can successfully be queried using VQL. Velociraptor server gives visibility into the hosts (clients) enrolled to Velociraptor server hence can be used to query for info such as:
- running processes
- established network connections
- installed services
That marks the end of our tutorial on installing Velociraptor Client on Linux and Windows Systems.
Reference
Deploying Velociraptor Clients
Other Tutorials
Install FortiClient VPN Client on Ubuntu 20.04/Ubuntu 18.04
Install Gitlab with SSL/TLS Certificate on Ubuntu 20.04
Install ownCloud Desktop Client on Ubuntu 20.04
