Setting up SIFT Workstation in Proxmox

Intro


I recently decided to set up a Proxmox server in my house for running VM farms (this thing is fantastic, by the way). The initial setup of Proxmox was simple and setting up most VMs is also easy, but today I ran into a very strange problem: how do I get my SIFT workstation running in Proxmox?


The SIFT website links to this GitHub page, which gives you instructions to download files here so that you can run the sift install command to set up SIFT on an Ubuntu 16.04 machine. It should be easy, except it doesn't work. If you check the SIFT issues page you'll see countless people reporting the same error, "Error: Update exit code not zero", and every single one of these issues has a different solution. Here's the most recent one at the time of this writing.

I ran into this same issue on my VM, and despite multiple solutions on the GitHub issues page it didn't work.


I Googled around but didn't find anyone talking about importing SIFT to Proxmox, so I figured I'd give it a try myself. Oh boy, was this hacky. The big issue with importing SIFT is that Proxmox does not recognize OVA files, so we have to make some changes.

Download the OVA

This part isn't very difficult. Just go to the SIFT website above and download the OVA file.

SCP the OVA to Proxmox

scp SIFT-Workstation.ova root@[proxmoxip]:/root/

The command above will copy the OVA file over to the Proxmox host. From there you'll need to SSH into the host.

ssh root@[proxmoxip]

You could also use the shell in the Proxmox GUI.


Unzip the OVA

An OVA file is technically just a tar archive containing a virtual hard drive image and another file listing the details of the machine (the OVF), so we'll use tar to unpack the OVA.

tar vxf SIFT-Workstation.ova

This should extract three files for you.

Import the OVF file to Proxmox

This is where Proxmox earns its money in this process. Using the OVF file, we can tell Proxmox to create a VM as defined in the OVF.

qm importovf 150 sift-2020.2.0-ovf local-lvm

The 150 here is the VM ID that I'm assigning to this new VM. Use whatever unused ID you want here. You should see a VM appear on the left-hand side as Proxmox creates the VM defined in the OVF file.


We'll need to make some changes before we try to use this machine.


Configure SIFT VM


You may notice that the machine it created is missing a NIC, so go ahead and add one. Trust me, you'll be needing an internet connection for the next part. If you have the resources to spare, I recommend adding some extra memory and cores, but that's optional.


Go ahead and boot up the VM.
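The host-side steps above (unpack the OVA, import the OVF, add the missing NIC, boot), gathered into one script as an added example; this is not from the original post. It assumes VM ID 150, storage local-lvm and bridge vmbr0 (all overridable through environment variables), adds a sanity check on the archive before importing, and with DRY_RUN=1 only prints the qm commands.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: VM ID 150,
# storage local-lvm, bridge vmbr0, OVA path given as the first argument.
# DRY_RUN=1 prints the qm commands instead of running them.
set -eu

# Print the name of the .ovf manifest inside an OVA (an OVA is a plain tar).
find_ovf() {
    tar -tf "$1" | grep -i '\.ovf$' | head -n 1
}

# Verify the OVA carries exactly one manifest and at least one disk image;
# a truncated download fails here rather than midway through the import.
check_ova() {
    ovf_count=$(tar -tf "$1" | grep -ci '\.ovf$' || true)
    disk_count=$(tar -tf "$1" | grep -ci '\.vmdk$' || true)
    [ "$ovf_count" -eq 1 ] && [ "$disk_count" -ge 1 ]
}

# Emit the Proxmox commands for the import, one per line.
import_cmds() {
    ovf=$1; vmid=$2; storage=$3; bridge=$4
    printf 'qm importovf %s %s %s\n' "$vmid" "$ovf" "$storage"
    # The imported VM has no NIC; attach a virtio NIC to the given bridge.
    printf 'qm set %s --net0 virtio,bridge=%s\n' "$vmid" "$bridge"
    # Boot the VM (the bpfilter hang described below still applies).
    printf 'qm start %s\n' "$vmid"
}

main() {
    ova=$1
    check_ova "$ova" || { echo "unexpected OVA contents: $ova" >&2; exit 1; }
    tar vxf "$ova"
    ovf=$(find_ovf "$ova")
    import_cmds "$ovf" "${VMID:-150}" "${STORAGE:-local-lvm}" "${BRIDGE:-vmbr0}" |
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

if [ -n "${1:-}" ]; then main "$1"; fi
```

Run it on the Proxmox host as `DRY_RUN=1 sh import-sift.sh SIFT-Workstation.ova` first to see the commands, then without DRY_RUN to apply them.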


bpfilter


When you first boot the VM, it's going to display a bpfilter message and hang.

This appears to be a known bug in Ubuntu 18.04, except the fix given there doesn't fix it here. We need to get a shell and install a new display manager (the UI).

Getting a shell

The bpfilter message will never go away, so you need to bypass it and get a shell.

ctrl + alt + F2

Pressing these keys in combination will switch you to a different TTY and give you a shell.


This screen will keep flashing and interrupting text input for about a minute, but if you power through the interruptions or wait a minute you'll be able to actually log in using the username:password combination of

sansforensics:forensics


Add user and Install UI

While we have a shell, we need to make a few configuration changes to the system. One issue we'll encounter later is that the sansforensics user is not able to log in to the system through the GUI, so we'll need to make a new user.

sudo adduser forensics

Give the new user a password and then add them to the sudo group.

sudo usermod -aG sudo [new user]

After this user is created, we need to install a new display manager, as the current one (gdm3) doesn't load.

sudo apt install lightdm

sudo dpkg-reconfigure lightdm (This is only necessary if the install does not give you a window to switch the default display manager from gdm3 to lightdm.)

sudo reboot

Conclusion

The system should now reboot and get you to a login page. The sansforensics user didn't log in for me, so I had to log in with my newly created account. The background is just stock Ubuntu, but all of the tools appear to still be installed and configured.


This was a really hacky way to get SIFT working on Proxmox, but until SANS fixes the installer this is the only way I've found to get it working.