
I recently started the Offensive Security AWAE course. On their connectivity guide page, they warn about the hazards of connecting to their labs:

you will be exposing your computers' VPN IP to other students taking the course with you. Due to the nature of the course (and its participants!), your computer may be subjected to attacks originating from the VPN network. This is true even if you are located behind a NAT device.

I contacted them and asked what I could do to secure my PC (Windows 10 with the VMware VM, running Kali Linux), and their answer was that I could "separate the IP segment of my VM with the host machine", but they couldn't help me regarding how to achieve that.

Can someone please help me find information on how to achieve that with the VMware VM?

How realistic is the risk that someone 'hacks' into my machine?

Are there other measures I can take to reduce any risks?

Martin Fürholz
  • How to set up networking in VMWare is not a security concern. So, we can't help with that config, either. – schroeder Jul 19 '20 at 07:17
  • @schroeder Yes thank you, I am aware that setting up networking in VMWare is not a security concern. But my concern is that I don't fully understand their reply altogether. Maybe it's just because of bad grammar. I'm not sure. I have taken the question to superuser. Hopefully they can help. I'll also contact their support again. – Martin Fürholz Jul 20 '20 at 01:05

2 Answers


It seems you have ignored the very best advice by cutting your citation just before it:

Kali users, please change the default root password!

If there are no known vulnerabilities in the Kali version you are using, it's relatively safe to use – unless you gave access to everyone by using default (or otherwise guessable) credentials. If someone gets into the Kali, it's possible to move laterally to every computer the Kali machine sees, and it also has all the tools required already installed.

So, securing your computer/network from the Offensive Security AWAE course VPN has two sides:

  1. Securing your Kali Linux.

    • From Kali's Default Credentials documentation you can see that:

      • Kali changed to a non-root user policy, meaning the installation asks you to create a user with a password, and sudo is used instead of the former root:toor default.
      • Pre-created VMware images use default user kali:kali which should be changed!
      • If you are using a Vagrant image, the default is vagrant:vagrant and should be changed!
    • Use strong passwords that can't be easily brute-forced.

    • Disable SSH logins and use the Kali from the VM console.

  2. Securing your network from the Kali.

    • If possible, you could dedicate an old computer for your Kali. It's not necessary to use Kali in a VM, if you are afraid someone might break out of the VM and compromise the host.

    • Use the Kali machine (whether it's a VM or dedicated hardware) on an isolated network segment that won't see other devices on your network at all. Configuring the network like this is out of scope on Information Security SE.

Esa Jokinen
  • > "It seems you have ignored the very best advice" No, of course I have not ignored that advice. I have been using Kali for a long time. But I usually use a dedicated machine for that. But in this instance, they strongly recommend to use the virtual machine for the course. – Martin Fürholz Jul 20 '20 at 01:02
  • Yeah, it just *seems* so. – Esa Jokinen Jul 20 '20 at 03:43
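The two sides the answer above lists, locking down the Kali itself and keeping it unreachable from the VPN, as one pre-flight script run on the Kali VM before the lab VPN is brought up. This is an added example, not code from the answer, from Offensive Security or from Kali's own tooling. It assumes the VPN comes up as `tun0` (OpenVPN's default interface name; override with `VPN_IFACE`), that `nft`, `ss` and `systemctl` are present (they are on current Kali), and that the `apply` mode runs as root; the script name `lab_preflight.sh`, the nftables table name `labvpn` and the ports 4444/8080 in the usage line are illustrative choices. One caveat the "isolate it" advice leaves implicit: a blanket inbound drop also blocks the reverse shells lab targets send back to you, so the ruleset takes an optional list of listener ports to allow and drops everything else arriving on the VPN interface.

```sh
#!/bin/sh
# Pre-flight hardening for a Kali VM before it joins a shared lab VPN.
# Added example, not part of the answer above or of Kali's own tooling.
# Assumptions: the VPN interface is tun0 (OpenVPN's default; override with
# VPN_IFACE), nft/ss/systemctl are present (they are on current Kali),
# and "apply" mode is run as root.

VPN_IFACE="${VPN_IFACE:-tun0}"

# Print an nftables ruleset for the VPN interface: replies to connections you
# start (scans, exploits) are accepted, the listener ports named in $2 (space
# separated, e.g. reverse-shell handlers) are accepted, and everything else
# arriving on that interface is dropped. Other interfaces are left alone.
vpn_inbound_drop_rules() {
    iface="$1"
    ports=""
    for p in $2; do
        ports="${ports:+$ports, }$p"
    done
    printf 'table inet labvpn {\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    printf '        iifname "%s" ct state established,related accept\n' "$iface"
    if [ -n "$ports" ]; then
        printf '        iifname "%s" tcp dport { %s } accept\n' "$iface" "$ports"
    fi
    printf '        iifname "%s" drop\n' "$iface"
    printf '    }\n}\n'
}

# Read "ss -Hltn" output on stdin and print every TCP listener bound to a
# wildcard address: those are the services another student can reach over the
# VPN unless the ruleset above blocks them. A service bound explicitly to the
# VPN address itself is not caught by this pattern.
exposed_listeners() {
    awk '$4 ~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/ { print $4 }'
}

# Succeed when the sshd_config given as $1 still permits password logins,
# which is sshd's default when the directive is absent. As in sshd, the first
# uncommented PasswordAuthentication line wins; Match blocks are not handled.
sshd_allows_passwords() {
    awk 'tolower($1) == "passwordauthentication" && !seen { v = tolower($2); seen = 1 }
         END { if (v == "no") exit 1; exit 0 }' "$1"
}

# Read /etc/passwd on stdin and print the accounts whose default password on
# Kali images is public knowledge (kali:kali, vagrant:vagrant, formerly
# root:toor), i.e. the ones to run passwd for before the VPN comes up.
accounts_with_known_defaults() {
    awk -F: '$1 == "kali" || $1 == "vagrant" || $1 == "root" { print $1 }'
}

# Usage (as root): sh lab_preflight.sh apply "4444 8080"
if [ "$1" = "apply" ]; then
    echo "Accounts with a published default password; confirm each was changed:"
    accounts_with_known_defaults < /etc/passwd
    if sshd_allows_passwords /etc/ssh/sshd_config; then
        echo "sshd still accepts passwords; stopping ssh as the answer suggests"
    fi
    systemctl disable --now ssh 2>/dev/null || true
    echo "Listeners reachable from the VPN (stop them or add their ports to the allow list):"
    ss -Hltn | exposed_listeners
    vpn_inbound_drop_rules "$VPN_IFACE" "$2" | nft -f -
fi
```

The ruleset can be loaded before the VPN is up, since `iifname` matches on the name and does not require the interface to exist yet; `nft list table inet labvpn` shows what was installed and `nft delete table inet labvpn` removes it after the lab session. Keeping the chain policy at `accept` and matching only on `iifname` means the host-side VMware networking (NAT or host-only) is unaffected, which is the part the asker's support contact was pointing at but did not explain.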

While it's probable that bridging your VM network as an entirely different subnet from your host Windows laptop will be sufficient, it's not guaranteed.

Standard practice when taking a laptop into a hostile environment is to assume that it will be compromised and plan accordingly.

  • Use a clean machine with no sensitive content in the first place
  • Expect to at least wipe the host system afterward
    • A really hostile environment calls for physical destruction afterward

Using a machine that you need to preserve is not recommended!

user10216038