Cannot download artifact exchange to server

[sgtrivas]

HELP! I am trying my best to learn how to better use this tool but I keep running into errors that I find hard to trouble shoot. I tried to run the Server.Import.ArtifactExchange and I received this error in the log.

2023-01-20T15:40:03Z	DEFAULT	Running query on behalf of user vagrant
2023-01-20T15:40:03Z	DEFAULT	Starting</> query execution.

2023-01-20T15:40:03Z | ERROR | Plugin http_client not found. Current Scope is: [NULL], [$cache, $device_manager, config, $acl, $uploader, Artifact, $root], [ExchangeURL, Prefix], [X], [Server_Import_ArtifactExchange_0_1], [$Query]

2023-01-20T15:40:03Z | ERROR | Plugin http_client not found. Did you mean client_delete clients?

2023-01-20T15:40:03Z | DEFAULT | Query Server.Import.ArtifactExchange: Emitted 0 rows

2023-01-20T15:40:03Z | DEBUG | Query Stats: {"RowsScanned":0,"PluginsCalled":1,"FunctionsCalled":0,"ProtocolSearch":0,"ScopeCopy":3}

[scudette]

It is likely that you selected the option Do you want to restrict VQL functionality on the server? during the config generation step. That options creates an allow list with only safe plugins allowed to run on the server.

The http client plugin is used to fetch the bundle from the exchange but it is not allowed in the default allow list. This is why the plugin is not found because it is disabled.

you can add it to the allow list temporarily or while learning the tool disable the allow list entirely

[sgtrivas]

that solved that problem! DEFAULT | http_client: Downloading https://github.com/Velocidex/velociraptor-docs/raw/gh-pages/exchange/artifact_exchange.zip into /tmp/tmp1426181718.zip

DEFAULT | Query Server.Import.ArtifactExchange: Emitted 174 rows THAT PROBLEM IS SOLVED..... HOWEVER Next question: now when I run an artifact like Windows.sysinternal.autoruns on my target system I get this error: http_client: Error Get "https://localhost:8000/public/30990d6c7411ef568f05ddecd1a7fe39e1ac3ec0209b32b1e5ba987e120355ca": dial tcp 127.0.0.1:8000: connectex: No connection could be made because the target machine actively refused it. while fetching https://localhost:8000/public/30990d6c7411ef568f05ddecd1a7fe39e1ac3ec0209b32b1e5ba987e120355ca

Is there something in the client config that is causing this? or is it with the windows host that the client is installed?

[scudette]

The Autoruns artifact needs to download the autoruns tool from the server. When you built your configuration in the wizard there is a question like What is the public DNS name of the Master Frontend. This is the publicly accessible host name where clients download the tools from

The default is localhost but this obviously only works in the client and server are on the same machine. You need to have a publicly routable DNS name here instead of localhost.

If you use self signed mode it is possible to put an ip address here.

[sgtrivas]

Server config: version: name: velociraptor version: 0.6.7-4 commit: c6f11a7 build_time: "2022-12-06T13:31:56Z" ci_build_url: https://github.com/Velocidex/velociraptor/actions/runs/3629952817 compiler: go1.19.3 Client: server_urls:

• https://192.168.38.105:8000/ ca_certificate: | -----BEGIN CERTIFICATE----- MIIDSzCCAjOgAwIBAgIQQkJti6ITVnBwjenoII9Y+DANBgkqhkiG9w0BAQsFADAa MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjMwMTIwMTczMTM1WhcNMzMw MTE3MTczMTM1WjAaMRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+mTOnUpVzMWmChQNBEz8G4FSbOKp4NwrE tJ7wlmtzKRyyyPB/L4+wCleSFCHafVpJJxEnKpa70Ub/weRAfwYar2C17cjj4Hs1 RtVP48jba59uBigejHcEYJ09nIw1X5tSqcGiJRRv8qiJGguRxYx7du+bgn5HMLyZ SQdlS+rbPe7caqORY3Onl4+NDIvFhJ/KLX13taKmLNxM05gvjlVqATUMXFfsdFkx Leunv2tnUceX7B9HaGqRPLAMg4A7TBrIIbBiFhu+OKaLyD+hxlFZS4Xzo8Ho5Wv4 t9jyA1uZYn3ZZEJVuIhOuZ8N2rY0TGBgeU830LtGlZ9kqra67p+RAgMBAAGjgYww gYkwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD AjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQCXI+YY0TeIeQNrbmb1SmKipRd 4zAoBgNVHREEITAfgh1WZWxvY2lyYXB0b3JfY2EudmVsb2NpZGV4LmNvbTANBgkq hkiG9w0BAQsFAAOCAQEAJWjL3rxPaL/R/ECU6/XghNgQtKCbuSVRdIAVjHEVkAq6 nImSaBqLUGp69LKPR9HqlFd5/qiJpry0Gny7ubDCue8CQ1EMvyc82aUrf0hx2ffB WzIB6mTvVOSFsCU8BI7/wc8Eo8ysx9bDXYyTX2fc0RkCT5gHHEASrUu2G5Uii3XR orJBoqrfwJf7WhfxWpdAua6AAPtwwiNOdqzuhdsyVCQe34PxhOlSjZxNM2kEL6ZF Qn9HtO23XJgS2Tl3tn05cr7ndVBgtBJSjQth8ppIraShwgpGl0pBoIdkOVu33nzS /aqRMoH/sd8ylSyYfGcs5eAUfXQHVvEYon509vFxXQ== -----END CERTIFICATE----- nonce: h83JFW+DWcE= writeback_darwin: /etc/velociraptor.writeback.yaml writeback_linux: /etc/velociraptor.writeback.yaml writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml tempdir_windows: $ProgramFiles\Velociraptor\Tools max_poll: 60 nanny_max_connection_delay: 600 windows_installer: service_name: Velociraptor install_path: $ProgramFiles\Velociraptor\Velociraptor.exe service_description: Velociraptor service darwin_installer: service_name: com.velocidex.velociraptor install_path: /usr/local/sbin/velociraptor version: name: velociraptor version: 0.6.7-4 commit: c6f11a7 build_time: "2022-12-06T13:31:56Z" ci_build_url: https://github.com/Velocidex/velociraptor/actions/runs/3629952817 compiler: go1.19.3 use_self_signed_ssl: true pinned_server_name: VelociraptorServer max_upload_size: 5242880 local_buffer: memory_size: 52428800 disk_size: 1073741824 filename_linux: /var/tmp/Velociraptor_Buffer.bin filename_windows: $TEMP/Velociraptor_Buffer.bin filename_darwin: /var/tmp/Velociraptor_Buffer.bin API: hostname: 192.168.38.105 bind_address: 127.0.0.1 bind_port: 8001 bind_scheme: tcp pinned_gw_name: GRPC_GW GUI: bind_address: 0.0.0.0 bind_port: 9999 gw_certificate: | -----BEGIN CERTIFICATE----- MIIDQjCCAiqgAwIBAgIRAOjU2XQtqUhDPKy7CCWslHUwDQYJKoZIhvcNAQELBQAw GjEYMBYGA1UEChMPVmVsb2NpcmFwdG9yIENBMB4XDTIzMDEyMDE3MzEzNloXDTI0 MDEyMDE3MzEzNlowKTEVMBMGA1UEChMMVmVsb2NpcmFwdG9yMRAwDgYDVQQDDAdH UlBDX0dXMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9+PrbYy2a1J BP2J/+msSzV3nxOwXFkdiyqLYsZNxeaWd4OCDedEU9SJ2nq+OwhwBAc7epS1sPbu HId6WWbLowEyZQsNm5aDg3/v4YL/nUEXoXcIt8xr4OXnjssEWfiwYEiCHuRNY/3L mH0x9vCRYAazGsawggHr7x/TbBYmAm6WAQBAgsflP6N30cG61YDxENrUrlO9x1z/ iArJBELt+ejhUHE/mHO1ai/F16tNosQ/1Vv+VkPInBI4+vwEs6JdjMzJF2zIqrkE oAaAL8P7SHApHpl4TX+7f++wfAUvRL0alDaeNTSnfpWB0OB8knZU0Yp1XOHYyw55 /LvJ5FGCnQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUAlyPmGNE 3iHkDa25m9UpioqUXeMwEgYDVR0RBAswCYIHR1JQQ19HVzANBgkqhkiG9w0BAQsF AAOCAQEAaePu6ynVT1NJSkYqPenx96XYdEDyYtMXPmY6GmGkExvaHQaPEmuDN49W fnx8pEnFw44I+m4fevS7eAUNyAjIH/DELMPncoHWujC5EVM31GvcHKaA09Tas7au SVDSMEGgQijefGF2sA5AYmN9meYRmeUnslOFJscCTPdW0qinY1AypYoSp8AHSN6B gywUdXIGTquOKY4WEkxwGcgqbx0ZVC/qnvfss+PsJHMUQmtHet+IQVlcjAxbCwLs J8NwVhFpJmJ99oo5rn6ZSWcSkAhtlYA0kbSWIIGmiyjgtmvmlzgfTDrBv0xNKeb9 BAxyTiv2QG/NvbpsnypJWclpF/UXYQ== -----END CERTIFICATE----- gw_private_key: | -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAv9+PrbYy2a1JBP2J/+msSzV3nxOwXFkdiyqLYsZNxeaWd4OC DedEU9SJ2nq+OwhwBAc7epS1sPbuHId6WWbLowEyZQsNm5aDg3/v4YL/nUEXoXcI t8xr4OXnjssEWfiwYEiCHuRNY/3LmH0x9vCRYAazGsawggHr7x/TbBYmAm6WAQBA gsflP6N30cG61YDxENrUrlO9x1z/iArJBELt+ejhUHE/mHO1ai/F16tNosQ/1Vv+ VkPInBI4+vwEs6JdjMzJF2zIqrkEoAaAL8P7SHApHpl4TX+7f++wfAUvRL0alDae NTSnfpWB0OB8knZU0Yp1XOHYyw55/LvJ5FGCnQIDAQABAoIBAGFoZrHCuKgHr/VH neJ8x8pat4Lb5QHNABGhpKedkugwOx0rd0AFs4t3cBCplZ+0leGFpm2Bx4eypIl5 QeTXKfRz7Bid9ueRDu0YaziqX4h+/jcrjhJ5Rh8juF2mtWvTs/79cImsT5m+w7iD fnUmBjegzxZ93ifyP8vi9Vt/FwbOKRNaCr15vqQWl3PuDf4uLIfynsDRicVldzPL USqWnwqouNFLCURN3EN53kG/ZWBj3FYnkN/BG5VcTqg8688Su9SNgtr9QK7UuU2n MBwbldMsQAAoYwfcztJwWuxVBqg2uco2JuLB6Cifqp3/6F7hMChUK3gvkWcl2L2C UnG22wUCgYEA94JCkRL72nFy4DjS3faOUPAJgPXRdYLnDV4xlQpl1YbXfFsANyDL gI7tHZ+FrzHY7tS5OEeHtbSM6PQPQXUDFepXuJ8uLwX9RxtXn/xkuoI0hSVbOnaG sfKAaPkC28Cia0EJcsdG28aE0OmRu4MCEmNrlTcxuX3SK6iMx1e+MNcCgYEAxnSu +RFp9/iJtk07VIg/AJGX2i1C5iobCjLgrqntpCtzTUKKWdsk/1TsTB7Vx+5OHU3D 3+xy2AAPGoQdpQ9AWOIaRm01vxdoSytJMj5gnY4eAhKloyZbZ6E/EjsDWYQMJHb6 l/uHwtnaRErIyr/OIyn0GKjmbLuGZ18QIfr81asCgYEAsK2dUu3YNmCRfhlR/PwJ LyGJxzKyKE4fHN3GSvu3Ias1myFij/erDMP54xGCXkMY9bOH2/LDnyOZCpldYn5i i3xSzgli8FI4MFAGRr/mL3TOhNTbwGnnUJMossY+Ehv6VNGCKxqxLCUTngV87/te uT2bCFLz/dMg+eVBSPMLYtUCgYAOoQVQ6N6138VPAexws8ZpJVJbS+DVlJ7/pnZ3 iaEx694JAPGv4/6bL8hnaBJ8NW3erR/WPtjMYVy7qKeCxlgI9UnYjS5cEr6mY992 a7C1jIdbwcIh/67XOcSrdFwv2hMHERox3+HHFEYJqLWadH8einYq5zBtLXmf3xsS Vi0TFwKBgQCtsVgVSKuFOh1o/DD4yV9eATlc68LydK7veDnch1CoxybfazKR2nCd wffTCg08SLlcrJuDTtoEAX/kWCoqckRUG/J/m5Dri7m7Zni2dAOMFBbSDhJ6HyIO G2XbbJQKUhO9WJdE0LrdtOxHX12xbY8Q+kA+qjSLDABKyQ/ZMXJf+A== -----END RSA PRIVATE KEY----- public_url: https://192.168.38.105:9999/ links:
• text: Documentation url: https://docs.velociraptor.app/ icon_url: data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI1MyIgaGVpZ2h0PSI2MyIgdmVyc2lvbj0iMS4xIiB2aWV3Qm94PSIwIDAgNTMgNjMiPjxwYXRoIGQ9Ik0yNyAzYy0zIDItMTMgOC0yMyAxMGw2IDMyYTEwMyAxMDMgMCAwIDAgMTcgMTZsNi01IDExLTExIDYtMzJDMzkgMTEgMzAgNSAyNyAzeiIgZmlsbD0iI2ZmZiIgZmlsbC1ydWxlPSJldmVub2RkIi8+PHBhdGggZD0iTTI2IDBDMjMgMiAxMiA4IDAgMTBjMSA3IDUgMzIgNyAzNWExMTMgMTEzIDAgMCAwIDE5IDE4bDctNiAxMi0xMmMyLTMgNi0yOCA4LTM1QzQwIDggMjkgMiAyNiAwWm0wIDU1LTYtNC04LTktNS0yNnYtMWwyLTFjOC0xIDE2LTYgMTYtNmwxLTEgMSAxczggNSAxNyA2bDEgMXYxcy0zIDIzLTUgMjZsLTggOWMtMiAyLTQgNC02IDR6IiBmaWxsPSIjYWIwMDAwIiBmaWxsLW9wYWNpdHk9IjEiIGZpbGwtcnVsZT0iZXZlbm9kZCIvPjxwYXRoIGQ9Ik0zOSAxOWExMzQ3IDEzNDcgMCAwIDEtMTMgMjZoLTJMMTQgMTloM2wyIDEgMSAxdjFhMjUwIDI1MCAwIDAgMSA2IDE3IDUyODkgNTI4OSAwIDAgMCA5LTIwaDR6IiBmaWxsPSIjMDAwIiBmaWxsLXJ1bGU9ImV2ZW5vZGQiIHN0cm9rZT0iIzAwMCIgc3Ryb2tlLWRhc2hhcnJheT0ibm9uZSIgc3Ryb2tlLWxpbmVjYXA9ImJ1dHQiIHN0cm9rZS1saW5lam9pbj0ibWl0ZXIiIHN0cm9rZS13aWR0aD0iMSIvPjwvc3ZnPg== type: sidebar new_tab: true initial_users:
• name: vagrant password_hash: 5d166e6a2f01df15e837e5c9bb60c185331a3199e4ab2338845b8c5499b3a66c password_salt: 1f8b8a0b03261b5402951fec9c3897b26b7dee5875748da918757de16c98f2fb authenticator: type: Basic CA: private_key: | -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAvpkzp1KVczFpgoUDQRM/BuBUmziqeDcKxLSe8JZrcykcssjw fy+PsApXkhQh2n1aSScRJyqWu9FG/8HkQH8GGq9gte3I4+B7NUbVT+PI22ufbgYo Hox3BGCdPZyMNV+bUqnBoiUUb/KoiRoLkcWMe3bvm4J+RzC8mUkHZUvq2z3u3Gqj kWNzp5ePjQyLxYSfyi19d7WipizcTNOYL45VagE1DFxX7HRZMS3rp79rZ1HHl+wf R2hqkTywDIOAO0wayCGwYhYbvjimi8g/ocZRWUuF86PB6OVr+LfY8gNbmWJ92WRC VbiITrmfDdq2NExgYHlPN9C7RpWfZKq2uu6fkQIDAQABAoIBAQCDvnnJynerLBh2 M2LQdHE4W4+fy0dp2QIEfaTvP8n9zAkeO26hO0risANf4bKUx9jEf9CHdhTCtiGR X4BaZHLftyHuHvKhMOV5KgEAO772jCmjb3YDx6vsxqtpjvALZI6EUPqbDW5XAzAj tHESza4RGWD96PFIXBPBEI2gIx2vdKoqaNx8qHQIPJu86tMXtCUN54l4eWz+dpou 5He536Xn0ZTo7CmkpOi08A8rCXMMHQE2ztxuUIx1Mx7k2BY4FycuS6nqZ21II7H3 9QiGJ3mAHeE702Y8pzcz7Ct05DJFvrXAtr2JODyf2OEDi4/VdyeZB3MuPiUYqH2O m8DKb3bBAoGBANQOtaLxjY41NYxHKM3eK7uHDHIREmxsYhB1gm/jaEzRbAtzJn4b BKa1uJqLLhRhIzOqz/i0IhaCRQCFGw6pDempvHJltkq78041Mt//3xHwAScxfAPW 9AVXooY0Hg6zR9Pv9udzZuAWmxQbRSGamiWzoBZgfRFQCk1o9ivYny/9AoGBAOYY ILK99mXtzUAYE+PdlhQmfEI3t1JkXAGWRJMGPDuYePhZ18cNMGsnS8qHArEHIYzI vQLaXIiDs43ZD/8CQ81PYwDIZevpPeVqxnf1uN1O+2GTCwuU89fRDemOLca6YXzR gilP1FkUQm81g5cr6P6og4adZ9qR/SVSNOVzBnAlAoGAFPyXsVaioc5WTFnGiglQ 3rBQ5QEXh696TRK0JAqnieK4BLISvyxBW5ZkfLcFinLKnxRqnLyHGx8tYQ3LTboh bFymD9RNJDxRqg3NySlzlDzigFR/Z4nggJ7ZsNp7lwzbMPhwwRtEtSzHkEfaoabB VrXeRBisiAgZ3OtkYZaAuqkCgYBl7qBlrsP+ScfYshH1q092I8p+Z0JeTLl5toEw hN2gJR7KHrr5on0lqyXnVcI6fIc/YBpjriq6C2Y628M7XFx/EsEwMpb8WLqj7JZ5 xDCeUgQJKOQGwHj5zdIU+niLBjxz2DiKZqQSxmfb7mAaU0iHsE18EDVW3b/AjdeD Il7ixQKBgQCluRKmd8645/daVSYdc8h1rIAvFauj9MbUHA0DFSMAXr9H3gWD0tE1 /p6EbFzDVEmuhjaafCEBEC5ke3aSciTgU0y+y7fGus+P8HSV9nsIzCXq+Kp23bo2 3RpzduvGG5s0pvGerTF8xE3Uj5VMjDjZI1i2pAAzqZUF64H2qx5F5w== -----END RSA PRIVATE KEY----- Frontend: hostname: 192.168.38.105 bind_address: 0.0.0.0 bind_port: 8000 certificate: | -----BEGIN CERTIFICATE----- MIIDWDCCAkCgAwIBAgIRAJSDN2UTZbh9pRhBf4WQkWIwDQYJKoZIhvcNAQELBQAw GjEYMBYGA1UEChMPVmVsb2NpcmFwdG9yIENBMB4XDTIzMDEyMDE3MzEzNVoXDTI0 MDEyMDE3MzEzNVowNDEVMBMGA1UEChMMVmVsb2NpcmFwdG9yMRswGQYDVQQDExJW ZWxvY2lyYXB0b3JTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQCx4NxwN2ssk0/+TZizN3aPmcBtwVGREZUvvY/tDVnQX5xLPmwnkueDI+LgcD7o ScJiOFvb9YGWCDWN5C1NkIUiCBNR3iC4GG/6N5aHoq7FZccz7o71rVaKVxvAWTMr +wND8RLmdeGy0wUfM4Fg09wn9JnVDI6P3q9w4PrYqD/CzwylGCgRRPkim9FeoawR fspum05SC8Z1B2ljRGs2fGUluFpmRlV6vzynHfY4AumtEFslz9LUO/sssWZtbaeR 9Gw3z9YPIW2q2G9IB+v+PEeqxnxxMKAes04V2ObprmDhJGaheDWNJE1sJai4fbuP HtS4t6UXZ5L2P7IZtJvkmiYpAgMBAAGjfzB9MA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAfBgNVHSME GDAWgBQCXI+YY0TeIeQNrbmb1SmKipRd4zAdBgNVHREEFjAUghJWZWxvY2lyYXB0 b3JTZXJ2ZXIwDQYJKoZIhvcNAQELBQADggEBAGyb34tGfIl/j+KhqF/DFuxeoYBE bwkwYshxOVVGhHXrQJyUzgX/mZEc1uGGX+glE1te1BeMYmPxvd2xSnFr5DHrrVI/ Hm+PzVQ1DygOzyYhP5fszoPokQCrOkD+vs4h6aTfwmTFqJRZvwKZ6LRIEhIaS9EA aIBPAl+OeKDgZaqj2k358yrr9FGfMUj73MyyBZLbLcobzdF+FGhoFuq4DZylfbZK ZqPfbMIAiUwKTCSDlbB8NyTj1e3+FrXX98Ox3RvJeo+JJS376GVEcOdGHNIX5E/F puw0M3KO5IcT7MLUlVLzlC/25F6stSc0QHJwBafwnol5Dq1iXaQkJINDI34= -----END CERTIFICATE----- private_key: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAseDccDdrLJNP/k2Yszd2j5nAbcFRkRGVL72P7Q1Z0F+cSz5s J5LngyPi4HA+6EnCYjhb2/WBlgg1jeQtTZCFIggTUd4guBhv+jeWh6KuxWXHM+6O 9a1WilcbwFkzK/sDQ/ES5nXhstMFHzOBYNPcJ/SZ1QyOj96vcOD62Kg/ws8MpRgo EUT5IpvRXqGsEX7KbptOUgvGdQdpY0RrNnxlJbhaZkZVer88px32OALprRBbJc/S 1Dv7LLFmbW2nkfRsN8/WDyFtqthvSAfr/jxHqsZ8cTCgHrNOFdjm6a5g4SRmoXg1 jSRNbCWouH27jx7UuLelF2eS9j+yGbSb5JomKQIDAQABAoIBAGtEP4rIULAb0dR4 NMp2et/UBy/osWh7Iu0cMkvwjiXTUmwpo40l0MjLfkh8R+NKf5c9h1+YqGGyZ6E+ ZXdt3GsOVaA8BJ0f138bwIHgv+Y4Hy2ZAcrzkclxCEIxSGOQRoLVQOGLWuS8zkzn gXDDsfLCVXYd0Wa/EitO8NZwd6rgsb6HHZtCsujj5OSsO8sdIcfe+2SEf/QMoSK6 pLwY2N00Xeumqxo3dMu5YzVu6VZ/zSwV1KkexwrKSmxYduBmCx1SWfmtcVbFdKuJ JjIoZKhxThZBXiY3Bx4UubkYI72QvrWpdP674Per/fkqAoM7njIL27nsPN6itxuT 5EWhegECgYEA0Jy4QnrzoqKn8mmjGEeY7RI7pG4oIKeAWfy3qd9isHHHTNqd/iMy 1ZHRMIQW5V72ICxVDJgGjRejbq0YCVywC+iiXOVv24XmG1EwwWU1eSldoky1Z3a4 +YKQ6MkagmFsOOIHq8YozkbpKKfwTL+oerukNVw7XTYVTlqc8inN2EECgYEA2kjm CJBI/mGyeYwH9dS1ntU1Mep4naGN10ogr9vkrkU0wXJqyvyc2wl4fWUW0nN4fNOD uLXZH6RFfftaMJHTWi3cSBG2AgYEfPyZqDpsop78hJBPe239UHsVAKXwThv81tKb C9UpocBkz/2I0QI+3/W3kQpL4vmAUPWo04hTk+kCgYEAgPRf8riOYrqplvA2IYwg vGvI8pwlsgnZDcdqwVeVafzrdlat06tugRbieVstzBwniTveVyqi4hT6si/N6/uf 17y2oTYzL0BWPgyyVtp5c6xedTV17b82GQbdDQlDmdUfUQpoM4cLMngjKT6nDMpt G3Fi0JlzGOuVwBnDau7skAECgYAfjh5C6qjCrVjhnU6hSQigV24DM0QQdYRNtReY lI8waizAMkwh3/bE60+RwQVVkv+9+8207AThQBwTpDxbfRkyliKcAINxM3F+p/2G hjuiHp2ehEYZL8NI2SImH9bnU8BvRa7IPR5xlaB9OMeIf2ybb6gDvZtOyoa0LW8k dTav0QKBgFN6pe5oDMXzDvWPXsKLd3OpppLdt51rF3YJftyvO36+wX9B4jguDaoP gPDaLo779uXMXNcqdB4YpjQE1c5SCDs5gOFAVWPfA16D6vXqihSu2ZQJz3u6MlfW GdJ+AIKz4Jad4ipj0ABGNsm7U5gwKmgcUVUUsE3+knjx0AYfLjLE -----END RSA PRIVATE KEY----- dyn_dns: {} default_client_monitoring_artifacts:
• Generic.Client.Stats GRPC_pool_max_size: 100 GRPC_pool_max_wait: 60 resources: connections_per_second: 100 notifications_per_second: 30 max_upload_size: 10485760 expected_clients: 30000 Datastore: implementation: FileBaseDataStore location: /opt/velociraptor filestore_directory: /opt/velociraptor Logging: output_directory: /opt/velociraptor/logs separate_logs_per_component: true debug: disabled: true info: rotation_time: 604800 max_age: 31536000 error: rotation_time: 604800 max_age: 31536000 Monitoring: bind_address: 127.0.0.1 bind_port: 8003 api_config: {} server_type: linux obfuscation_nonce: N1e1vk6Qhw8= defaults: hunt_expiry_hours: 168 notebook_cell_timeout_min: 10

=============================================== version: name: velociraptor version: 0.6.7-4 commit: c6f11a7 build_time: "2022-12-06T13:31:56Z" ci_build_url: https://github.com/Velocidex/velociraptor/actions/runs/3629952817 compiler: go1.19.3 Client: server_urls:

• https://192.168.38.105:8000/ ca_certificate: | -----BEGIN CERTIFICATE----- MIIDSzCCAjOgAwIBAgIQQkJti6ITVnBwjenoII9Y+DANBgkqhkiG9w0BAQsFADAa MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjMwMTIwMTczMTM1WhcNMzMw MTE3MTczMTM1WjAaMRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+mTOnUpVzMWmChQNBEz8G4FSbOKp4NwrE tJ7wlmtzKRyyyPB/L4+wCleSFCHafVpJJxEnKpa70Ub/weRAfwYar2C17cjj4Hs1 RtVP48jba59uBigejHcEYJ09nIw1X5tSqcGiJRRv8qiJGguRxYx7du+bgn5HMLyZ SQdlS+rbPe7caqORY3Onl4+NDIvFhJ/KLX13taKmLNxM05gvjlVqATUMXFfsdFkx Leunv2tnUceX7B9HaGqRPLAMg4A7TBrIIbBiFhu+OKaLyD+hxlFZS4Xzo8Ho5Wv4 t9jyA1uZYn3ZZEJVuIhOuZ8N2rY0TGBgeU830LtGlZ9kqra67p+RAgMBAAGjgYww gYkwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD AjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQCXI+YY0TeIeQNrbmb1SmKipRd 4zAoBgNVHREEITAfgh1WZWxvY2lyYXB0b3JfY2EudmVsb2NpZGV4LmNvbTANBgkq hkiG9w0BAQsFAAOCAQEAJWjL3rxPaL/R/ECU6/XghNgQtKCbuSVRdIAVjHEVkAq6 nImSaBqLUGp69LKPR9HqlFd5/qiJpry0Gny7ubDCue8CQ1EMvyc82aUrf0hx2ffB WzIB6mTvVOSFsCU8BI7/wc8Eo8ysx9bDXYyTX2fc0RkCT5gHHEASrUu2G5Uii3XR orJBoqrfwJf7WhfxWpdAua6AAPtwwiNOdqzuhdsyVCQe34PxhOlSjZxNM2kEL6ZF Qn9HtO23XJgS2Tl3tn05cr7ndVBgtBJSjQth8ppIraShwgpGl0pBoIdkOVu33nzS /aqRMoH/sd8ylSyYfGcs5eAUfXQHVvEYon509vFxXQ== -----END CERTIFICATE----- nonce: h83JFW+DWcE= writeback_darwin: /etc/velociraptor.writeback.yaml writeback_linux: /etc/velociraptor.writeback.yaml writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml tempdir_windows: $ProgramFiles\Velociraptor\Tools max_poll: 60 nanny_max_connection_delay: 600 windows_installer: service_name: Velociraptor install_path: $ProgramFiles\Velociraptor\Velociraptor.exe service_description: Velociraptor service darwin_installer: service_name: com.velocidex.velociraptor install_path: /usr/local/sbin/velociraptor version: name: velociraptor version: 0.6.7-4 commit: c6f11a7 build_time: "2022-12-06T13:31:56Z" ci_build_url: https://github.com/Velocidex/velociraptor/actions/runs/3629952817 compiler: go1.19.3 use_self_signed_ssl: true pinned_server_name: VelociraptorServer max_upload_size: 5242880 local_buffer: memory_size: 52428800 disk_size: 1073741824 filename_linux: /var/tmp/Velociraptor_Buffer.bin filename_windows: $TEMP/Velociraptor_Buffer.bin filename_darwin: /var/tmp/Velociraptor_Buffer.bin

  I still get the same error as before when running the autoruns artifact. I redid the config 5 times. I cannot figure this out.

what do i need to change?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     # End

[sgtrivas]

P.S. if i change the "server_urls: https://192.168.38.105:8000/" to anything but the IP to the server, the client will not connect. If i add for example 8.8.8.8:" it changes nothing. i still get the "https://localhost..." error from before....

[scudette]

If you updated the server urls it might be that the old value is stored in the inventory. simply pop up the tool setup screen and redownload the tool and watch the serve_url parameter. It should take the value from the Client.server_urls in the server's config value and it should be an externally accessible URL

[sgtrivas]

I'm sorry for not getting back to you sooner, but I found something interesting. I ran the "config generate" and went thru the config process. I noticed a few things:

1. when I added the DNS IP, i.e. 8.8.8.8, it used that IP as the client-server URL, which caused the client to not connect to the server.
2. when I re-ran the config generator, I used the Server IP, and client instantly connected to the server but I was still getting the earlier error.
3. Some artifacts can upload the binary, i.e., autoruns, and override the upstream URL, but I was still getting the "http_client" error as before.
4. This changed, I changed the serve locally URL to the Servers IP, and I was able to run the artifacts that required communication with the server exchange, autoruns.exe (tho autoruns seems to timeout, probably need to extend the time) and winPMEM (which didn't return anything?)
5. Is it an issue that the server & client are deployed in a self-contained Virtualbox lab? the client.server.url is a private IP, and it is an Ubuntu server on the same Virtbox virtual NIC. I do have another NIC that is nat to the external internet that I enable when I need to download something. if the client.server.url isn't my velociraptor's server; how does it connect?

For context:

I am an intern with a university and was tasked with building a malware analysis and incident response lab for a team here. I used an amalgamation of Detection Lab and Detection Lab ELK as the lab since it uses Vagrant to build and destroy the images quickly. Velociraptor is installed as the server (Ubuntu) and client (Win10-Victim) for the team to use to perform a hunt on malware that they want to test and write reports on. I wanted to ensure that they entirely use this tool because I think it is one of the best I have come across, and it's open source, so it can remain out of the budget.

[scudette]

Using external tools with Velociraptor is documented here https://docs.velociraptor.app/docs/extending_vql/#using-external-tools

The way it works is basically - the server sends the client a URL and a hash. The client downloads from that URL and checks the hash to ensure the right tool is downloaded, then the client just runs it.

Normally it is easiest to just serve the tool from Velociraptor itself but this is not mandatory - sometimes it is better to serve it from another URL (e.g. better bandwidth etc). This can be configured in the tool setup screen.

It doesnt really matter that client and server are running on VMs - You will need to ensure there is connectivity between the client and whatever is hosting the tool.