Merge pull request clong#890 from xx4h/fix-current-problems

Fix current problems

Author: clong

Vagrant/Vagrantfile

@@ -65,6 +65,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+    cfg.vm.provision "file", source: "files/choco-winpcap", destination: "choco-winpcap"
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -137,6 +138,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-evtx-attack-samples.ps1", privileged: false
+    cfg.vm.provision "file", source: "files/choco-winpcap", destination: "choco-winpcap"
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -196,6 +198,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+    cfg.vm.provision "file", source: "files/choco-winpcap", destination: "choco-winpcap"
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false

Vagrant/files/choco-winpcap/WinPcap.nuspec

@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
+  <metadata>
+    <id>WinPcap</id>
+    <version>4.1.3.20161116</version>
+    <title>WinPcap</title>
+    <authors>NetGroup, CACE Technologies</authors>
+    <owners>chocolatey</owners>
+    <licenseUrl>http://www.winpcap.org/misc/copyright.htm</licenseUrl>
+    <projectUrl>http://www.winpcap.org/</projectUrl>
+    <iconUrl>https://cdn.rawgit.com/chocolatey/chocolatey-coreteampackages/b689d60fd7922e46e600536569805cc1785b6bf1/icons/winpcap.png</iconUrl>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <description>WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
+
+## Notes
+
+- This package uses an Autohotkey script for unattended as vendor removed silent installation options.</description>
+    <releaseNotes>https://www.winpcap.org/misc/changelog.htm</releaseNotes>
+    <copyright>NetGroup, Politecnico di Torino (Italy). CACE Technologies, Davis (California).</copyright>
+    <tags>driver foss packet capture network admin</tags>
+    <packageSourceUrl>https://github.com/chocolatey/chocolatey-coreteampackages/tree/master/automatic/winpcap</packageSourceUrl>
+    <docsUrl>https://www.winpcap.org/docs/default.htm</docsUrl>
+    <dependencies>
+      <dependency id="autohotkey.portable" version="[1.1.36.02,2.0)" />
+      <dependency id="chocolatey-core.extension" version="1.0" />
+    </dependencies>
+  </metadata>
+</package>

Vagrant/files/choco-winpcap/[Content_Types].xml

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml" /><Default Extension="nuspec" ContentType="application/octet" /><Default Extension="ps1" ContentType="application/octet" /><Default Extension="ahk" ContentType="application/octet" /><Default Extension="psmdcp" ContentType="application/vnd.openxmlformats-package.core-properties+xml" /></Types>

Vagrant/files/choco-winpcap/package/services/metadata/core-properties/eb12050403774758bdcc07d14dbc947a.psmdcp

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?><coreProperties xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"><dc:creator>NetGroup, CACE Technologies</dc:creator><dc:description>WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
+
+## Notes
+
+- This package uses an Autohotkey script for unattended as vendor removed silent installation options.</dc:description><dc:identifier>WinPcap</dc:identifier><version>4.1.3.20161116</version><keywords>driver foss packet capture network admin</keywords><dc:title>WinPcap</dc:title><lastModifiedBy>choco, Version=0.9.10.3, Culture=neutral, PublicKeyToken=79d02ea9cad655eb;Microsoft Windows NT 6.3.9600.0;.NET Framework 4</lastModifiedBy></coreProperties>

Vagrant/files/choco-winpcap/tools/chocolateyInstall.ps1

@@ -0,0 +1,15 @@
+$ErrorActionPreference = 'Stop'
+
+$packageArgs = @{
+  packageName    = 'WinPcap'
+  fileFullPath   = "$(Get-PackageCacheLocation)\WinPcapInstall.exe"
+  url            = 'https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe'
+  checksum       = 'fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de'
+  checksumType   = 'sha256'
+}
+Get-ChocolateyWebFile @packageArgs
+
+Write-Output "Running Autohotkey installer"
+$toolsPath = Split-Path $MyInvocation.MyCommand.Definition
+$ahkScript = "$toolsPath\winpcapInstall.ahk"
+AutoHotkey $ahkScript $packageArgs.fileFullPath

Vagrant/files/choco-winpcap/tools/chocolateyUninstall.ps1

@@ -0,0 +1,4 @@
+Write-Output "Running Autohotkey uninstaller"
+$toolsPath = Split-Path $MyInvocation.MyCommand.Definition
+$ahkScript = "$toolsPath\winpcapInstall.ahk"
+AutoHotkey $ahkScript $packageArgs.fileFullPath

Vagrant/files/choco-winpcap/tools/winpcapInstall.ahk

@@ -0,0 +1,80 @@
+#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
+; #Warn  ; Enable warnings to assist with detecting common errors.
+SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
+SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.
+SetTitleMatchMode, RegEx
+
+; uninstalling part
+
+ProgramFilesX86 := A_ProgramFiles . (A_PtrSize=8 ? " (x86)" : "")
+
+winpcapUninstaller = %A_ProgramFiles%\WinPcap\Uninstall.exe
+winpcapUninstallerx86 = %ProgramFilesX86%\WinPcap\Uninstall.exe
+
+IfExist, %winpcapUninstaller%
+{
+	Run, %winpcapUninstaller%
+	installed = 1
+}
+IfExist, %winpcapUninstallerx86%
+{
+	Run, %winpcapUninstallerx86%
+	installed = 1
+}
+if (installed = 1)
+{
+	WinWait, WinPcap [\d\.]+ Uninstall,, 30
+	IfWinExist
+	{
+		BlockInput, On
+		Sleep, 250
+		WinActivate
+		Send, {Enter}
+		BlockInput, Off
+	}
+
+	WinWait, WinPcap [\d\.]+ Uninstall, has been uninstalled, 30
+		IfWinExist
+		{
+			BlockInput, On
+			Sleep, 250
+			WinActivate
+			Send, {Enter}
+			BlockInput, Off
+		}
+    exit
+}
+
+; installing part
+winpcapInstaller = %1%
+Run, %winpcapInstaller%
+
+WinWait, WinPcap [\d\.]+ Setup,, 30
+
+Loop, 3
+{
+	gosub, setupForward
+}
+
+WinWait, WinPcap [\d\.]+ Setup, has been installed, 30
+	IfWinExist
+	{
+		BlockInput, On
+		Sleep, 250
+		WinActivate
+		Send, {Enter}
+		BlockInput, Off
+	}
+
+ExitApp
+
+setupForward:
+	IfWinExist
+	{
+		BlockInput, On
+		Sleep, 250
+		WinActivate
+		Send, {Enter}
+		BlockInput, Off
+	}
+return

Vagrant/logger_bootstrap.sh

@@ -94,15 +94,9 @@ fix_eth1_static_ip() {
       return 0
     fi
   fi
-  # There's a fun issue where dhclient keeps messing with eth1 despite the fact
-  # that eth1 has a static IP set. We workaround this by setting a static DHCP lease.
-  if ! grep 'interface "eth1"' /etc/dhcp/dhclient.conf; then
-    echo -e 'interface "eth1" {
-      send host-name = gethostname();
-      send dhcp-requested-address 192.168.56.105;
-    }' >>/etc/dhcp/dhclient.conf
-    netplan apply
-  fi
+  # TODO: try to set correctly directly through vagrant net config
+  netplan set ethernets.eth1.dhcp4=false
+  netplan apply
 
   # Fix eth1 if the IP isn't set correctly
   ETH1_IP=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1)
@@ -381,7 +375,7 @@ install_zeek() {
   # Update APT repositories
   apt-get -qq -ym update
   # Install tools to build and configure Zeek
-  apt-get -qq -ym install zeek crudini
+  apt-get -qq -ym install zeek-lts crudini
   export PATH=$PATH:/opt/zeek/bin
   pip3 install zkg==2.1.1
   zkg refresh

Vagrant/scripts/install-choco-extras.ps1

@@ -10,6 +10,11 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) {
 }
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Chocolatey extras..."
-choco install -y --limit-output --no-progress wireshark winpcap
+choco install -y --limit-output --no-progress wireshark
+choco install -y --limit-output --no-progress --version "1.1.36.02" autohotkey.portable
+
+cd choco-winpcap
+choco pack WinPcap.nuspec
+choco install -y --limit-output --no-progress winpcap --source .
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Choco addons complete!"