Hello!
I’m working as a pentester/RT operator in a cybersecurity company, which for some reason is a Windows shop, so we are mostly forced to work within VMware VMs, WSL and similar. However, I’ve recently found out that we can in fact dual-boot or reinstall our laptops, so I’m now looking for a good setup or recommended distros to use.
When I last tried switching to Fedora, my main issue was that since we are deeply integrated into O365, and our Exchange server isn’t configured to allow third-party apps (and we can’t create app passwords), accessing Teams, Mail or just writing reports in Office was a struggle. Another issue was the fact that our PT VPN is Check Point, which I did not manage to get working on Linux.
I’m of course familiar with Kali/Parrot/BlackArch, but I would not consider those fitting for a daily driver: each engagement can get pretty messy, and I think it’s better to start with a fresh VM for every customer, just to avoid any potential issues.
I’ve recently discovered Qubes OS, which in theory sounds like it should be perfect for this use case: you can easily separate data for different customers, keep them safe in a storage qube, deal with per-customer networking/different VPNs in their respective Kali VM qubes, and spin up a Windows qube for report writing and back-office/administration/communication. And if I really understand it correctly, it should also be possible to easily test out malware in a separate disposable qube without much risk.
But I haven’t tried working with Qubes OS yet, so all of this is just a theory based on my understanding of its features and use cases.
So, my question would be: what kind of setup do you use for engagements and back-office/administrative work? What distro would you recommend that works well with running different VMs without it being too much of a hassle? And most importantly, is there anyone who uses Qubes OS in this field of work, or will it only slow me down and make everything a lot harder than it should be?
Thank you!
I really like Qubes actually, and encourage you to play with it.
Keep in mind though, when they talk about hardware compatibility issues, they REALLY mean it. Get a machine you know for a fact is compatible, if possible.
Do you think it would be practical as a daily work driver for this kind of job? From what I’ve heard when briefly searching for user experiences with Qubes, it seems that while a lot of people really like the idea, it’s not practical for daily work where you expect to set up and spin up new qubes and VMs regularly, because configuration can get pretty cumbersome, everything takes a lot longer than it should, and you regularly run into issues.
But you are right, I’ll just get an external drive, spin up the OS there, and see if I like it or not. I’m now in the process of figuring out the best way to handle various secrets and customer data from WIP engagements that are now mangled together on one encrypted VeraCrypt volume, which feels kind of wrong, and having it separated in a secure qube sounds like the way to go.
Thanks for the hardware compatibility heads-up; knowing myself, that would be one of the things I’d probably gloss over and then spend more time than necessary debugging.
I’ve used it as a daily work driver for almost two years now! It’s actually great for security work. You can spin up a new Qube for each project, or each subsection of your work. I’ve ditched my corporate gig and rebooted my consulting company recently and I just spin up a new Qube for each client and keep all their files in there. You can also create a separate Qube for your personal stuff or for Netflix or whatever, and then shut it down when you’re supposed to be working (creates an extra barrier against distractions).
However, I’ve been a Linux user for 23 years and I’ve used Qubes before (not for work). You DO regularly run into issues, just at this point, they’re all issues I know how to solve pretty quickly. I also dual boot my system between Qubes and Linux Mint. If I have an issue with Qubes I can’t solve quickly, or I break it (both of which have happened several times in recent memory), I can switch to Mint (which isn’t the most secure OS, but it is incredibly stable) so I can just get back to work and then I can fix Qubes when I have the time and bandwidth.
I’m now in the process of figuring out the best way to handle various secrets and customer data from WIP engagements that are now mangled together on one encrypted VeraCrypt volume
Stop that. :) Your system should be using FDE (which VeraCrypt can do if you’re stuck with Windows). When only part of your system is encrypted it’s EXTREMELY likely that, for the sake of expedience and convenience you’re going to end up parking some sensitive data somewhere NOT encrypted… and then forget you did that… and then…?
Thank you, that sounds like exactly what I imagined Qubes OS would be good for, so I’ll give it a go.
Stop that. :) Your system should be using FDE (which VeraCrypt can do if you’re stuck with Windows).
I’m using BitLocker for the whole drive, but the main point of the separate volume is for it to have additional password protection, and I auto-dismount it when not working with it, just in case my laptop gets compromised. I’m still mostly figuring out best practices, since I haven’t worked in the field for that long, and a few months ago I was running Snaffler on my PC to test it out for one engagement, and was horrified when I realized how much it managed to find, so I at least promptly moved it to a separate password-protected volume, and am now figuring out a better secrets and sensitive data management workflow.
Slackware ¯\_(ツ)_/¯ I mean, almost any Linux distro is going to be good for that.
Linux From Scratch /s
I tried out Qubes OS yesterday, but it has to be a problem with my CPU because every time my screen loads something new it is like a slideshow from top to bottom. It seems like an awesome concept, but it’s not working for me. There is one GitHub issue but no solution, and I have freezes every 2 seconds. It’s a brand-new Lenovo laptop.
I used to use Qubes for pentesting for quite a while and it worked rather well. As you wrote, one set of netVM-firewallVM-appVM stack per customer to ensure nothing nasty can cross, separate netVMs for separate network zones back at the company, separate color-coded VMs for random web browsing, general office stuff and accessing sensitive data. The cons: no hardware video acceleration (video conferences or YouTube will spin the CPU like it’s 2005), Windows (you can run Windows VMs and they are usable but not nearly as polished as the Linux ones) and hypervisors (there is no nested virtualization, so if you want to e.g. hack KVM, you’re out of luck). Also regarding hardware compatibility: if Qubes runs on something, that doesn’t mean it runs securely, because it will try to partition the PCI devices across VMs, and what can be partitioned where depends on the exact architecture of the mainboard. Expect some deep dive into the wonderful world of VT-d domains and PCI BARs.
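As an added example (not from anyone in this thread), a dom0 shell script that builds the per-customer netVM -> firewallVM -> appVM chain described above, plus a network-less disposable template for opening untrusted samples; the template name fedora-xx and the VPN address passed in are placeholders, and the script only prints the planned commands when the qvm-* tools are not present.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: provision one isolated
# netVM -> firewallVM -> appVM chain per customer in Qubes OS 4.x
# (dom0 CLI), plus a network-less disposable template for samples.
# Assumptions: TEMPLATE is a placeholder template name; the VPN host
# passed in is a constructed example address.
set -u
TEMPLATE="${TEMPLATE:-fedora-xx}"
command -v qvm-create >/dev/null 2>&1 || DRY_RUN=1  # outside dom0: print the plan
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# create_customer_stack NAME LABEL VPN_HOST
#   NAME     short customer tag used in qube names
#   LABEL    colour label (red/orange/...) so windows are recognisable
#   VPN_HOST the only destination the app qube may reach directly
create_customer_stack() {
  local name="$1" label="$2" vpn="$3"
  local net="sys-net-$name" fw="sys-firewall-$name" app="work-$name"
  # NetVM: upstream of nothing; attach a NIC to it with qvm-pci later.
  run qvm-create --class AppVM --template "$TEMPLATE" --label "$label" \
      --property provides_network=True "$net"
  run qvm-prefs "$net" netvm ''
  # FirewallVM: enforces the allow-list between NetVM and AppVM.
  run qvm-create --class AppVM --template "$TEMPLATE" --label "$label" \
      --property provides_network=True "$fw"
  run qvm-prefs "$fw" netvm "$net"
  # AppVM: engagement tooling and this customer's data live here.
  run qvm-create --class AppVM --template "$TEMPLATE" --label "$label" "$app"
  run qvm-prefs "$app" netvm "$fw"
  # Allow only the customer VPN endpoint, drop the rest. Rule 0 is the
  # default accept-all; check ordering with: qvm-firewall "$app" list
  run qvm-firewall "$app" add action=accept dsthost="$vpn"
  run qvm-firewall "$app" del --rule-no 0
  run qvm-firewall "$app" add action=drop
}

# create_sample_dispvm_template NAME LABEL
# Disposable template with no NetVM: open untrusted files here and
# the whole VM is discarded on close.
create_sample_dispvm_template() {
  local name="$1" label="$2"
  run qvm-create --class AppVM --template "$TEMPLATE" --label "$label" "$name"
  run qvm-prefs "$name" netvm ''
  run qvm-prefs "$name" template_for_dispvms True
}

if [ "$#" -ge 3 ]; then
  create_customer_stack "$1" "$2" "$3"
  create_sample_dispvm_template "samples-$1" "$2"
fi
```

Run as `./stack.sh acme red 203.0.113.10` in dom0 to create the chain; the NetVM still needs a physical NIC assigned with qvm-pci before it carries traffic.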
Thank you! Is the lack of nested virtualization a problem? I mean, if I wanted a Kali VM, I can just run a Kali qube directly, or not? Or is there some kind of use case that would require nested virtualization that I’m missing?
Linux with Microsoft is more of a pain than a benefit. What are you hoping to get out of it over simply using a VM?
I had Linux (Fedora) for some time but found it unreliable and unprofessional in meetings with customers (or even just colleagues) when Teams started fucking around or my headphones had issues. Since then I’ve switched back to Windows and found it easier to just use a Kali VM with a mounted folder for all the projects and a clean but completely set up snapshot. You can do every type of engagement like that (though if you do iOS pentesting you’ll need to live-boot some Linux or have a Mac to jailbreak) without the added headache of compatibility.
Assuming of course any password cracking etc. is done on a dedicated server.
I’ve always found VMs to be awkward to work with in VMware. Getting networking to work was never straightforward, even though it should be in theory, any new VPN broke something, and usually even the performance left a lot to be desired. My hope was that there’s a Linux distro that has virtualization support more deeply integrated into the OS, but now that I think about it there probably won’t be much of a difference (although the Xen-based Qubes OS may help?).
Maybe just switch it around, and have a back-office Windows VM and the tools for work on the host OS, since that’s what I spend most of my time working with anyway?