clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Can't access Velociraptor #903

Open VicTee opened 11 months ago

VicTee commented 11 months ago

Get a Connection Refused error when trying to get into Velociraptor portal. No problem getting into Splunk or Fleet. I'm using http://:9999

Matthew2412 commented 9 months ago

[*] Verifying that Velociraptor is reachable... Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "Nem lehet csatlakozni a távoli kiszolgálóhoz." (Can't connect to the remote service) [!] Velociraptor was unreachable and may not have installed correctly.

Could someone have a look at the logger VM? Fleet, Splunk and Guacamole are reachable, but not Velociraptor.

I tried to re-download it, but the issue persisted.

Matthew2412 commented 9 months ago
```text
logger: HTTP request sent, awaiting response... 200 OK
logger: Length: 54981288 (52M) [application/octet-stream]
logger: Saving to: ‘/opt/velociraptor/velociraptor-v0.7.0-2-linux-amd64’
logger:
velociraptor-v0.7.0 100%[===================>] 52.43M 4.29MB/s in 12s
logger:
logger: 2023-10-15 16:05:43 (4.31 MB/s) - ‘/opt/velociraptor/velociraptor-v0.7.0-2-linux-amd64’ saved [54981288/54981288]
logger:
logger: [16:05:43]: Velociraptor successfully downloaded!
logger: [16:05:43]: Creating Velociraptor dpkg...
logger: Creating amd64 server package at velociraptor_server_0.7.0.2amd64.deb
logger: [16:05:46]: Cleanup velociraptor package building leftovers...
logger: [16:05:46]: Installing the dpkg...
logger: dpkg: error: cannot access archive 'velociraptor*_server.deb': No such file or directory
logger: [16:05:46]: Failed to install the dpkg
```

Skr1ptKid-0x commented 8 months ago

It's not being managed anymore. :\ Not sure where you are running it. Logger isn't loading Splunk or Velociraptor either for me right now. I re-ran the Ansible playbook and got Guacamole to load correctly. You may want to re-provision the host. Got Splunk up. Otherwise, we probably need to look in logger_bootstrap.sh for something that's wrong/old. And I found it.

I installed it manually, but I think if you look at this log from the bootstrap script, the wildcard is in the wrong place. It's in the wrong place in the Velociraptor documents too. Unless I am messed up?

```text
logger: dpkg: error: cannot access archive 'velociraptor_*_server.deb': No such file or directory
```

It should be like 'velociraptorserver*_amd64.deb' (https://docs.velociraptor.app/docs/deployment/self-signed/). I wonder about the cert used in the config too, but maybe it's still OK, and if not, would it be easier to just make a new one with their tool or just use a previous version of Velociraptor? Not sure.

Yes, the cert is expired. There are instructions at https://docs.velociraptor.app/docs/deployment/troubleshooting/

Attached is a new server.config. Remove the .txt extension and place it in your DetectionLab/Vagrant/resources/velociraptor path: server.config.yaml.txt

Attached is an updated logger_bootstrap.sh. Remove the .txt extension and place it in the DetectionLab/Vagrant path: logger_bootstrap.sh.txt
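The wildcard problem Skr1ptKid-0x points at, as an added example (not DetectionLab's logger_bootstrap.sh and not Velociraptor's own tooling): the shell expands the glob before dpkg runs, and an unmatched pattern is passed to dpkg as literal text, which is exactly the "cannot access archive 'velociraptor_*_server.deb'" error in the log. The sample filename is constructed and assumes the standard `velociraptor_server_<version>_amd64.deb` naming that the build step reports; `glob_first`, `find_server_deb` and `install_server_deb` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not DetectionLab's bootstrap code. Shows why the old glob
# 'velociraptor_*_server.deb' never resolves and how the install step should
# locate the package before calling dpkg.

# Print the first entry in directory $1 matching glob $2; return 1 if none.
# $2 is left unquoted on purpose so the shell performs the expansion.
glob_first() {
  for f in "$1"/$2; do
    if [ -e "$f" ]; then
      echo "$f"
      return 0
    fi
  done
  return 1
}

# Pattern that matches the name printed by the build step
# (assumed layout: velociraptor_server_<version>_amd64.deb).
find_server_deb() {
  glob_first "$1" 'velociraptor_server_*_amd64.deb'
}

# What the bootstrap step should do: install only once the glob really resolves,
# instead of handing dpkg an unexpanded pattern.
install_server_deb() {
  pkg=$(find_server_deb "$1") || { echo "no server package in $1" >&2; return 1; }
  dpkg -i "$pkg"
}

# Constructed demo: a scratch directory holding only the filename from the log.
demo=$(mktemp -d)
touch "$demo/velociraptor_server_0.7.0-2_amd64.deb"
echo "old pattern  : $(glob_first "$demo" 'velociraptor_*_server.deb' || echo '<no match>')"
echo "fixed pattern: $(find_server_deb "$demo")"
rm -rf "$demo"
```

Run it as a normal user; only `install_server_deb` needs root, and the demo never calls it.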