Commando VM: An Introduction

What is Commando VM?

Commando VM is a testing platform that Mandiant FireEye created for penetration testers who are more comfortable with the Windows operating system. Windows Commando VM is essentially the sister to Kali Linux, a Linux testing and malware analysis platform widely used by the penetration testing community.

These security testing platforms are packaged with all the common solutions and scripts that a pentester would need for offensive testing. Commando VM can be installed on Windows 7 SP1 or Windows 10 and is made easily accessible on GitHub: https://github.com/mandiant/commando-vm.

Knowing how to use these testing platforms is important for both red and blue teamers. To protect against threats, an administrator must think like an attacker. How better to do that than to use the tools they'll be attempting to leverage against you? Commando VM makes it very easy to do this.

What can it be used for?

Commando VM is packaged with many tools that can be used for a variety of purposes, including the following:

• Information gathering
• Exploitation
• Web application testing

Information Gathering

Information gathering is a major part of assessing your own environment. Understanding what is exposed to an attacker with no privileges is vital to understanding what requires protection. If you can see something with these tools and scripts, so can adversaries.

• Nmap- Nmap scans can be used to find what hosts are available on the network, what services those hosts are running and what ports are open on those hosts.
• BloodHound- BloodHound maps the attack paths that exist due to the configuration of your Active Directory permissions and other factors.

Exploitation

The next step is to try to exploit the sessions, permissions or other issues you've found using these tools:

• Invoke-ACLpwn- This tool leverages some of the functionality in BloodHound to discover the permission relationships configured in your AD and then automatically tries to exploit them in a chain to escalate privileges all the way to Domain Admin.
• mimikatz- This tool for exploiting Windows-based systems is most commonly used for attacks like Pass the Hash and DCSync. If an administrator or other privileged user has a session on a machine you have access to, you can use mimikatz to get access to their account and escalate your privileges or move laterally in the environment.

Web Application Testing

An adversary who gets into your network may also attempt to identify and exploit vulnerabilities in your internal web applications using this tool in Commando VM:

• Burp Suite- This tool enables you to kick off many automatic scans that will identify and explain any vulnerabilities while you navigate all the web pages of your application.

Commando VM Installation & Configuration

Prerequisites

Commando VM can be installed on a virtual machine or a physical machine, but for ease of deployment, management and use, I'd suggest using virtual. This will allow you to take snapshots along the way and roll back from any issues you encounter.

The minimum requirements for your machine to run Commando VM are 60 GB of space and 2 GB of memory, which is what I used for my testing. The recommended specifications on their GitHub page are 80+ GB of space, 4+ GB of memory and 2 network adapters. The package can be installed on Windows 7 SP1 or Windows 10, but Windows 10 allows for more features to be installed.

In any case, make sure your system is fully patched, and take a snapshot before beginning the installation process.

Commando VM Installation

You can download Commando VM from GitHub: https://github.com/fireeye/commando-vm.

Commando VM is installed in 3 pretty simple steps:

1. Start an elevated PowerShell
2. Set the execution policy to unrestricted with the following command (by default, it is disabled):

Set-ExecutionPolicy unrestricted

1. Run the ps1installation script in the commando-vm-master package:

As you can see, as the installation script executes, it will run some checks and ask if you'd like to take a snapshot prior to installation. It will prompt you for credentials so it can log in and continue installing after each reboot. During the process, the PowerShell window will give you updates as to what it is installing, and you'll see various popups for software being installed automatically. Commando VM removes or disables a lot of the features that Windows comes prepackaged with since they aren't needed on a machine used for penetration testing.

The whole process takes roughly an hour and a half from start to finish, with 5+ reboots. It takes about 10-15 minutes before each reboot, at which point it starts back up, auto-logs in and continues to install more applications. Depending on the resources and internet speed of your virtual machine, the process may be quicker or take longer. You'll know it's complete when it logs you back in with a new background and a command prompt. Be sure to take another snapshot so you can start fresh if needed!

Overview of the Tools Included

As noted earlier, Commando VM includes a lot of tools. In fact, over 2GB of tools were installed on our hard drive. Luckily, the list of tools is broken up into categories to make it easy to find the tool you need:

Here are some of the tools I find particularly interesting:

• Active Directory Tools
  • Remote Server Administration Tools (RSAT)
  • SQL Server Command Line Utilities
  • Sysinternals
• Information Gathering
  • BloodHound
  • nmap
  • ADACLScanner
• Networking Tools
  • WireShark
• Exploitation
  • PrivExchange
  • Invoke-ACLPwn
  • metasploit
• Password Attacks
  • DSInternals
  • hashcat
  • DomainPasswordSpray
  • mimikatz
  • ASREPRoast
• Vulnerability Analysis
  • Grouper2
  • zBang
• Web Application
  • OWASP ZAP
  • BurpSuite

FAQ

What is FireEye Commando VM?

Commando VM is a testing platform created by Mandiant FireEye for penetration testers who are more comfortable with the Windows operating system.

How long does Commando VM take to install?

It takes around an hour and a half to install Commando VM.