# A Disposable Threat Intelligence Droplet with Remote Browser
This notebooks explains how to use a python script to provision a Digital Ocean (DO) droplets using the pythone-digitalocean library. The Droplet will host a desktop with Firefox that can be accessed via VNC over and SSH tunnel. 

## Requirements
When performing incident reponse and threat intelligence activities, I frequently need an disposable environment to run Firefox or other tools. I need this environment to be isolated from my own: I want to interact with potentially malicious content that could adversely impact my local system. I need this environment to be disposable, not persistent: I do not want any artifacts from my use today to pollute artificats during future use. It is also helpful if the environment uses IP addresses not easily attributable to me: I don't want threat actors blocking me.

A few things to consider that won't work:
- A proxy or VPN: code still executes in my environment
- A Virtual Machine on my desktop: the malicious environment can still access my network

I do have another solution that I use that combines local VMs and a wireguard VPN. It's a little more complicated because I have not automated it yet. This solution is an alternative that is just a touch simpler. I may combine them someday.

## Proposed Solution
A Digital Ocen Droplet is ideal for my purpose. To make it work we need the following:
- A script to automatically create and destroy a Digital Ocean Droplet
 - I can update this script as needed to add new tools if want them (MITM, BurpSuite etc)
- A recipe to configure a Digital Ocean Droplet with 
 - Firefox and Chromium Browser
 - TigerVNC Server for fast remote desktop, bound to localhost only
 - A script to launch tigervnc with my desired configuration
 - SSH will listen on a non-standard port listening on IPv6 only (to prevent brute forcing/discovery)
 - SSH will be configured with my SSH keys automatically
 - I will connect to the remote desktop using TigerVNC client OVER SSH
  - VNC is secured by SSH... no need for additional authentication/encryption of VNC

## Python Modules
We need several python modules: 
- "os"
- "time"
- "getpass"
- "digitalocean"

We use "os" to read environment variables from the computer where we execute this script. Primarily, we want to read our API token from an environment variable so we can avoid hard coding it into our script (better security for our secret Token).

We use "time" so we can call "sleep()".

If we are unable to get our API TOKEN from an OS environment variable, we will prompt the user to provide it. We use "getpass" for this. "getpass" can mask out the password so it handled securely in jupyter notebook output.

The "digitalocean" library makes its easier to authenticate and use the Digital Ocean (DO) APIs.

### Is python-digitalocean the best choice for interacting with the DO API?
I don't know. I found there were at least 3 python libraries for using the DO API. I choose this one because it was the first I found a well documented set of examples.

Did I choose badly? Is there a better way? I'd love for someone to copy this notebook and re-implement it using one of the other libraries.

In [1]:
import os
from random import randint
from time import sleep
import getpass
import digitalocean as do

### Common Errors
There are some common errors you might encounter while using the digitalocean library.

If your connection has timeout or you have a connection problem you will get output shown below. It starts with "RemoteDisconnected". If this happens a lot, you should add some error checking to any invokation of your "manager" object.

`---------------------------------------------------------------------------
RemoteDisconnected                        Traceback (most recent call last)
File ~\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-  packages\urllib3\connectionpool.py:703, in HTTPConnectionPool.urlopen(self, method, url, body, headers, retries, redirect,   assert_same_host, timeout, pool_timeout, release_conn, chunked, body_pos, **response_kw)
    702 # Make the request on the httplib connection object.
--> 703 httplib_response = self._make_request(`

## Authenticate to the DO API

docs go here

In [2]:
# Get the DO API Token securely
if 'DO_TOKEN' in os.environ.keys():
    token = os.getenv('DO_TOKEN')
else:
    token = getpass.getpass('Enter your Digital Ocean Token:')

# Create a DO API manager object, used to get information about our account and droplets
try:
    manager = do.Manager(token=token)
except Exception as e:
    print(f'Err: {e}')

Enter your Digital Ocean Token:········


## List our existing droplets

In [5]:
# you can add 'tag_name="tagname"' in the paramaters to search
try:
    droplets = manager.get_all_droplets()
except Exception as e:
    print(f'Err: {e}')

In [6]:
print(f'Number of existing droplets: {len(droplets)}')
# list the droplets
for droplet in droplets:
#     print(droplet)
#     print(dir(droplet))
    print(f'{droplet.id}, {droplet.name}, {droplet.status}, {droplet.size["slug"]}, {droplet.region["name"]}')


Number of existing droplets: 0


# Configure and Create a new Droplet for Firefox

## Droplet Specifications
In this section we will specify the requirements for the droplet and ensure we have all the configuration data we need including:
- The size of the droplet
- The region to create the droplet in
- The name of the droplet
- The SSH keys we will use to access the droplet
- "cloud-config" or "user_data" to configure the droplet after it is created

### Size and Region

In [7]:
# For firefox this should be a good size, but it would cost a lot if we didn't destroy it after using it.
size='s-4vcpu-8gb' # the drive for this size is 160GB... overkill but we need at least 40-50GB
image='ubuntu-20-04-x64'

### Find an available regions for droplets
Not all regions will be available to you. Some regions have limited capacity and are only available to accounts with existing resources in those regions.

So, we will use the size we choose, to find a region that is available. We will pick the first available region. Random would be interesting as well.

In [8]:
try:
    regions = manager.get_all_regions()
except Exception as e:
    print(f'Err: {e}')

for region in regions:
    if size in region.sizes:
        region_slug = region.slug

if region_slug:
    print(f'First region offering {size} is {region_slug}')
else:
    print('No region found. Selecting nyc1.')
    region_slug='nyc1'    

First region offering s-4vcpu-8gb is sfo3


### Name the droplet
I am going to name my droplet based off the size, region, and a random component.

In [9]:
#name = f'srv{randint(100,999)}-{size}-{region_slug}'
name = f'srv{randint(100,999)}'

In [10]:
print(name)

srv435


### Get our available SSH keys
We will need these later when we create our droplet.

In [11]:
try:
    keys = manager.get_all_sshkeys()
except Exception as e:
    print(f'Err: {e}')

In [26]:
# list the keys
for key in keys:
    print(f'{key.id}, {key.fingerprint}, {key.name}')
#    print(f'{key.public_key}')

21315052, DigitalOcean
21314546, labpc


#### Add a new SSH key
If we wanted to, we could add a new SSH key to DO, or simply create a key object to use when we create the droplet later.

In [13]:
# read a key from a file
# user_ssh_key = open('/home/<$USER>/.ssh/id_rsa.pub').read()
# key = do.SSHKey(token='secretspecialuniquesnowflake',
#                 name='uniquehostname',
#                 public_key=user_ssh_key)
# key.create()

## Configure the Droplet
We will use a method DO calls "cloud-config" to provide a script that will configure the droplet when it is created. We need to create this first, before we create the droplet. This will be run when the droplet is created.

https://www.digitalocean.com/community/tutorials/how-to-use-cloud-config-for-your-initial-server-setup
https://www.digitalocean.com/community/tutorials/an-introduction-to-cloud-config-scripting

When using the DO API, this is provided in the "user_data" parameter when the Droplet is being configured.

### Configuring a remote firefox droplet
I want to make a droplet that can be used to run an isolated, remote copy of firefox. I want this so I can interact with potentially malicious content and for OPSEC (to ensure my identify is not revealed to the infrastructure I am investigating).

In order to run Firefox graphically remotely, I just need firefox, Xwindows, and a VNC server. I will connect over SSH, and tunnel my VNC connection from my desktop to this machine over that SSH connection.

I will need the following packages installed:
- Firefox ESR
- Chrome (what the heck, I don't use it but some attack target it exclusively)
- tigervncserver
- (optional) torbrowser or a tor proxy
- MITM proxy for logging
- (git) stalkphish

I also need to reconfigure the machine for security:
- Run ssh on a non-standard port
- Setup a user I will use for firefox (called "user")
- Add something to my .login so tigervnc starts automatically when I login on a display and port I specify
- Configure security updates to run automatically
- Start MITM proxy automatically

#### cloud-config file
The approach we are taking installs a lot of packages for the X11 environment. Anything we can do speed that up would shorten the provisioning time. We could use a custom Droplet from the Marketplace. We could try to reduce the dependencies that get installed by being more specific with our setup.

Another approach would be to configure the base system for network, SSH, etc. Then write a script to executed after reboot that installs our packages. Then we could reboot much more quickly and make the droplet available for non-remote Firefox ealier. The package install would occur in the background and still take 5-10 minutes. But we could work with it faster.

In [14]:
cloud_config_script ="""
#cloud-config
write_files:
  - path: /usr/local/bin/tiger
    content: |
      #!/bin/bash
      tigervncserver -useold -fg -localhost yes -autokill -depth 16 -securitytype None -xstartup lxsession 
runcmd:
  - sed -i -e 's/^#Port.*$/Port 39022/' /etc/ssh/sshd_config
  - sed -i -e 's/^#ListenAddress 0.0.0.0$/ListenAddress 127.0.0.1/' /etc/ssh/sshd_config
  - sed -i -e 's/^#ListenAddress ::$/ListenAddress ::/' /etc/ssh/sshd_config
  - systemctl restart ssh
  - chmod +x /usr/local/bin/tiger
packages:
  - lxde-core
  - firefox
  - chromium-browser
  - tigervnc-standalone-server
  - git
  - net-tools
power_state:
  timeout: 120
  delay: "+1"
  message: Rebooting in one minute
  mode: poweroff
"""

## Create the Droplet
To create our droplet we have to specify several things:
- Name: this can be anything we want
- Region: This has to be from the list of regions above
- Size: You can get a list of sizes available in each region in advance (see above)
- Image: This is the operating system/Linux Distro you want to use
- SSH Keys: The SSH Keys you want to access the droplet with (see above)
- Backups: Backups cost extra money, but they are usually a good thing!
- Token: You authentication token for the API.
- User Data: a "cloud-config" script to configure the droplet OS
- IPV6: Set to "True" because we definately prefer this

Why IPv6? Well, it's a smart move to only listen for SSH on IPv6 and on a non-standard port. You'll few attacks if any.

When you you invoke the "Droplet" method, it will not create the droplet. It will creat a Droplet object that is ready to be used. You can modify it before calling the "droplet.create()" method.

In [15]:
droplet = do.Droplet(token=token, 
                     name=name,
                     region=region_slug, 
                     size=size,
                     image=image,
                     ssh_keys=keys,
                     ipv6=True,
                     backups=False,
                     user_data=cloud_config_script
                    )

try:
    droplet.create()
except Exception as e:
    print(f'Err: {e}')

### Wait for the create action to complete

In [16]:
# Let's do a quick check to see if the droplet has been created
actions = droplet.get_actions()
# we assume that the first action is the create action; TODO maybe check for sure
actions[0].load()
actions[0].wait(5) # wait until it is created, checking every 5 seconds
print(actions[0])

<Action: 1426742587 create completed>


### Get our droplet's IP address
This could be improved

In [17]:
# The droplet will take a while to provision, after it is created. 
# Our cloud-config script reboots at the end, so we can wait for the
# status to be "off" instead active.
droplet.load()
print(f'Droplet status is: "{droplet.status}"')
print('Waiting for the droplet to poweroff')
while droplet.status != 'off':
    sleep(30)
    droplet.load()
    print(f'Droplet status is: "{droplet.status}"')

print("Configuration is complete. Powering on droplet.")
droplet.power_on()

droplet.load()
actions = droplet.get_actions()
actions[0].load()
actions[0].wait(5)
print(actions[0])

while droplet.status == 'off':
    sleep(30)
    droplet.load()
    print(f'Droplet status is: "{droplet.status}"')

Droplet status is: "new"
Waiting for the droplet to poweroff
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "active"
Droplet status is: "off"
Configuration is complete. Powering on droplet.
<Action: 1426749511 power_on completed>
Droplet status is: "active"


In [18]:
droplet.load()
actions = droplet.get_actions()
for action in actions:
    action.load()
    print(action)

<Action: 1426749511 power_on completed>
<Action: 1426742587 create completed>


In [19]:
while droplet.status != 'active':
    sleep(30)
    droplet.load()
    print(f'Droplet status is: "{droplet.status}"')

droplet.load()
print(f'{droplet.id}, {droplet.name}, {droplet.status}, {droplet.ip_address}, {droplet.ip_v6_address}')

288801965, srv435, active, 144.126.210.101, 2604:a880:4:1d0::2ad:8000


# Use Firefox with VNC over SSH

+ SSH to the Droplet, using IPv6 on port 39022
+ Forword port 5901 to 127.0.0.1:5901
+ Launch your VNC viewer and connect to 127.0.0.1:5901 (no password required)
+ Launch firefox!

Now you can use the droplet to run Firefox over VNC over SSH.

To do this, you should start a copy of Putty and connect to the droplet using the IPv6 address in the output above. You need to create a tunnel from local port 5901 to remote 127.0.0.1:5901.

When you login run this command: "tiger". That's a script we put in /usr/local/bin when we provisioned the droplet. It runs a command like this one:

tigervncserver -useold -fg -localhost yes -autokill -depth 16 -securitytype None -xstartup xfce4-session

Then use tigervncviewer to connect to 127.0.0.1:5901.

The way we configured VNC you do not need a password. It is bound to localhost only, and we are tunneling over SSH using key authentication. Adding another layer of VNC authentication or security is pointless.

When you are done, you need to destroy the droplet using the commands below. If your jupyter times out, you can destroy it via GUI or write your own script to destroy it.

## Destroy the droplet when we are done
For this section, we rely on the droplet object we created originally. However if you killed your API session, you might want to either save the ID above, and change below to destroy by specifying the ID. Or add code to list all droplets, find yours and destroy it by name etc.

In [20]:
try:
    droplet.destroy()
except Exception as e:
    print(f'Err: {e}')

In [21]:
# Let's do a quick check to see if the droplet has been destroyed
actions = droplet.get_actions()
actions[0].wait(5) # wait for the droplet destroy to complete, checking every 5 seconds
print(actions)

[<Action: 1426750324 destroy completed>, <Action: 1426749511 power_on completed>, <Action: 1426742587 create completed>]


In [24]:
# you can add 'tag_name="tagname"' in the paramaters to search
try:
    droplets = manager.get_all_droplets()
except Exception as e:
    print(f'Err: {e}')

In [25]:
print(f'Number of existing droplets: {len(droplets)}')
# list the droplets
for droplet in droplets:
#     print(droplet)
#     print(dir(droplet))
    print(f'{droplet.id}, {droplet.name}, {droplet.status}, {droplet.size["slug"]}, {droplet.region["name"]}')


Number of existing droplets: 0


Your droplet should be destroyed by now, but be sure to double-check. This droplet is cost-effective if you destroy it when you are done. But it will cost $40/month if you leave it running.