mRr3b00t Profile picture
Mar 11, 2023 28 tweets 13 min read Read on X
#Veeam Community Edition Install on server 2022 for the #Ransomware Lab
Backup and Replication License Agreement goes brrr
I ACCEPT
Now here is the default config
Installing all the things! This installs PostgreSQL 15.1
I've been in this industry basically my whole life and I still don't know what some of these phrases actually mean but as you install it, you get Marketing :)

"ENTERPRISE GRADE".. marketing people should use a dictionary etc. this doesn't make sense as a phrase to anyone ;) but… twitter.com/i/web/status/1…
ok weeeeeeeeeeeeeeeeeee we have the product installed!
Now in a biz env. we would normally want a resource forest. We could have made this a domain controller for the lab but workgroup mode so we will be accepting the risk of sending NTLM authentication. We are however NOT… twitter.com/i/web/status/1…
ok let's go tweeps! PROTECT all teh things with @Veeam !
Ok we need to update some components quickly (this was fast)
(they aren't paying me nor did they ask me to write any of this stuff, I just like the software) but it's nice to be able to get pricing quickly, for larger deployments you will need to go through the human sales process
ok so we have one backup repo, I've just added another disk so I'm going to make a new REPO
we can now add a REPO on the new data disk (e:\)
oh ooops i'm sleepy and on autopilot, we want to use a REFS file system with 64K cluster sizes for this! (not NTFS)
now this is in the lab and i'm doing this fast. think about your storage! i'm just gonna use the new virtual disk i just made for this demo
now we need to create a protection group, we are configuring bits and bops (in a not great way on purpose) i'm also doing the DC first because it has the right ports open and i've not domain joined the members yet :D
deployment goes brrrrr
sorry forgot to NOT exclude VMs.. essentially i want to treat this like a physical
ok we have now deployed the agent from the veeam console and then rebooted the domain controller! #winning
look frens we haz a Domain Controller backed up! wooohoo!

now let's get some tea and think about what else we need to do!
so let's do a quick sketch. This is what we have simulated (so far)
I can't stress this enough, with most backup products and solutions you can fuck urself by domain joining components or by leaving management interfaces available and having keepass or whatever password storage mechanisms compromised. I know of lots of orgs who have mASSIVE XLS… twitter.com/i/web/status/1…
but it's so easy to do. take people who:
> are time constrained
> are not trained
> are not given specialist security training
> do not have good leadership and management support

and you will get a recipe for a disaster that may come in many shapes and forms!
now back to the scenario.. we want to ensure we know what can go wrong, but also what can go right! so far we have just setup a workgroup server with REFS storage, but what other options are there? A hardened LINUX repo! cloud object storage! backup copies!
OK LINUX repository is OSCAR MIKE! Let's F GO! #DefendThePlanet #Hacking #backups #Cyber #Defence
ok now we have a linux system. we can connect this to Veeam via SSH. We do however need to add some more storage!
ok so we have a VM (ubuntu) we need to do some config to add the new disk etc.
How do I list disks on Linux? I mean I look this stuff up, I can barely remember what day it is :P

lsblk

ok coo look we have a new physical DISK /dev/sdb/

(sda = disk 0)
(sdb = disk 1)
ok so there's some fun with this... I'm going fast and doing it a bit shitty so don't copy me :P

We now have a hardened linux repo:

#############
lsblk
sudo apt install zfsutils-linux
sudo zpool create pool01 /dev/sdb
df
sudo zfs create pool01/veeam
sudo zfs set quota=95GB… twitter.com/i/web/status/1…
ok we have a domain controller backing up to immutable storage!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with mRr3b00t

mRr3b00t Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @UK_Daniel_Card

Nov 4
Morning world! Slept ‘ok’ (not great not terrible)

So yesterday I was doing some mitm6 over public WiFi (in the lab) and whilst I was speeding dns responses to Microsoft Google Facebook Twitter etc.

My web clients simply did not follow the responses and went to the actual sites!

Anyone know why? (It’s probably something like dnssec etc.)Image
Now in this instance it’s not even spoofing (you would see an event)

Let’s grab a windows laptop! Image
Now to show you the server is working here We have spoofs being sent! Image
Read 34 tweets
Oct 25, 2023
twitter have rolled out audio calls on twitter using STUN.

Be warned if you call someone the recipient (and anyone in the traffic path) can see your egress IP.

Apple private relay does not cover this. Image
Microsoft teams uses STUN

basically every single P2P audio probably uses this:

Whats app
Facebook Messenger
Signal
Telegram
can you do audio calls in Snapchat?

This is the common protocol....

this IP leakage is in everything (signal has a feature to mask it) and for all the others you need to either accept how it works or use a vpn etc.

You know every time you visit a webpage your IP leaks right?

Or just use LTE/xG and CGNAT....
Image
Since I'm a cyber werido and I have an iphone tap setup...

I'll grab some of my test identities and will now do testing....

but we can probably just use google!
Read 19 tweets
Jul 31, 2023
had a request from someone.... time to deploy...

HOME EDITION! (WTF!) Image
ok what we need to do is odd.. we need to fuck with the OOBE experience...

The customer is stuck in a loop during the setup process Image
PC names? what are these CATS? :P
Image
Image
Read 13 tweets
Jun 10, 2023
ok so true OFFLINE backups are hard. but you can look at layered approaches or there's immutable backups etc.

I'm showing this because this works for more than backups.

and YES it's complex from an identity plane point of view (that's the whole point!) Image
now it gets complicated in the details. If you do this with servers/storage and locations you own Plane 4 can litterally be physically isolated at it's management/access plane. Think of a hypervisor and where the networks are physically split (outside of the requirement to have… twitter.com/i/web/status/1… Image
You could also do this and skip the remote repo and just wrap identity plane 2 in the same way 4 is working.

The point is: if you compromise plane 1 you don’t compromise plane 2. You can however affect the data on plane 2 by messing up the integrity of plane 1! (Confused yet) 😆… twitter.com/i/web/status/1…
Read 8 tweets
Jun 10, 2023
Major 🇬🇧 Bad Cybers recently:

🇬🇧 Capita Breach
🇬🇧 Manchester Uni "Cyber Incident" (probably ransomware actors!)
🇬🇧 MoveIT Breaches (Boots, BA, BBC) and more!
🇺🇸🌎 Azure Portal DDoS'd (Alegedly by AS Sudan... (i think if it was them someone gave them some kit/money to use!)
FYI AS Sudan....

Based on Intel I've seen it's probable they are ... run by..
Read 4 tweets
Jun 9, 2023
Image
Image
weeeeeeeeeeeeeeeeeeee Image
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(