MI-LXC uses LXC to simulate an internet-like environment. I use this environment for (infosec) practical work (intrusion, firewall, IDS, etc.). The small memory footprint of LXC combined with differential images allows to run it on modest hardware.
It is based on the infrastructure-as-code principle: these scripts programmatically generate the target environment.
Since version 2.0, MI-LXC uses SNSTER under the hood. Compared to previous monolithic versions, the framework (python code, templates, masters) has been splitted to SNSTER and configuration format has changed (YAML instead of JSON and different organization). This MI-LXC repository now only contains a topology configuration (topology/ subfolder) simulating a mini-internet on top of SNSTER. The vagrant subdirectory creates a ready-to-use VM with both SNSTER and MI-LXC. The releases link to such VMs.
Example practical work using this environment (in french) (note that commands and internals have changed between v1.4.x and v2.x) :
- Intrusion scenario (adapted to MI-LXC v1.4.0)
- Firewall / Network segmentation (adapted to MI-LXC v2.0.0)
- IDS (adapted to MI-LXC v1.4.0)
- CA / HTTPS (adapted to MI-LXC v1.4.0)
- DNS (adapted to MI-LXC v1.4.2)
- Mail (adapted to MI-LXC v1.4.2)
- LDAP (adapted to MI-LXC v1.4.1)
- HTTP / Apache (adapted to MI-LXC v2.0.0)
- MI-LXC walkthrough (adapted to MI-LXC v2.0.0)
- MitM / ARP spoofing (by Sébastien Mériot)
- Crypto (by Sébastien Mériot)
- HTTP Proxy (by Sébastien Mériot)
- DFIR 1 / DFIR 2 (by Sébastien Mériot)
There is also a walkthrough tutorial and a video (the video is related to v1).
Features :
- Containers run up-to-date Debian Bullseye or Alpine Linux
- The infrastructure-as-code principle allows for easy management, deployment and evolution along time
- The infrastructure is built by final users on their own PC
- Every container also have access to the real internet (for software installation)
- Containers provide shell access as well as X11 interface
The example network is composed of :
- some transit/ISP routed through BGP to simulate a core network
- an alternative DNS root, allowing to resolve real TLDs + a custom ".milxc" TLD (the .milxc registry is maintained inside MI-LXC)
- some residential ISP clients (hacker and a random PC), using mail adresses @isp-a.milxc
- a target organization, owning its own AS number, running classical services (HTTP, mail, DNS, filer, NIS, clients, etc.) for target.milxc domain
- a certification authority (MICA) ready for ACME (Let's Encrypt-style)
A few things you can do and observe :
- You can http
dmz.target.milxcfromisp-a-hacker. Packets will go through the core BGP network, where you should be able to observe them or alter the routes - You can query the DNS entry
smtp.target.milxcfromisp-a-hacker.isp-a-hackerwill ask the resolver atisp-a-infra, which will recursively resolve from the DNS rootns-root-o, then fromreg-milxcand finally fromtarget-dmz - You can send an email from
hacker@isp-a.milxc(or another forged address...), using claws-mail onisp-a-hacker, tosales@target.milxc, which can be read using claws-mail ontarget-sales(with X11 sessions in both containers)
The "IANA-type" numbering (AS numbers, IP space, TLDs) is described in doc/MI-IANA.txt. There is currently no cryptography deployed anywhere (no HTTPS, no IMAPS, no DNSSEC, etc.). This will probably be added at some point but in the meantime, deploying this is part of the expected work from students.
More precise details on what is installed and configured on hosts is in doc/DETAILS.md.
You can either:
- Download the latest ready-to-run VirtualBox VM. Login with root/root, then MI-LXC is already installed and provisionned in
/root/mi-lxc/(i.e., you can directlysnster start, no need tosnster create) - Create a VirtualBox VM using Vagrant. Login with root/root, then MI-LXC is already installed and provisionned in
/root/mi-lxc/(i.e., you can directlysnster start, no need tosnster create) - Install directly on your Linux host system
The snster script generates and uses containers (as root, since it manipulates bridges and lxc commands, more on this here). It is used as snster <command>, with the following commands:
| Command | Description |
|---|---|
create [name] |
Creates the [name] container, defaults to create all containers |
renet |
Renets all the containers |
destroy [name] |
Destroys the [name] container, defaults to destroy all containers |
destroymaster |
Destroys all the master containers |
updatemaster |
Updates all the master containers |
start |
Starts the created infrastructure |
stop |
Stops the created infrastructure |
attach [user@]<name> [command] |
Attaches a term on <name> as [user](defaults to root) and executes [command](defaults to interactive shell) |
display [user@]<name> |
Displays a graphical desktop on <name> as [user](defaults to debian) |
print |
Graphically displays the defined architecture |
| (<arguments> are mandatory and [arguments] are optional) |
There is also a walkthrough tutorial.
The address space is explained in MI-IANA.txt and the global topology is defined in topology/. It describes:
- the global configuration in topology/main.yml
- groups of hosts, typically AS interconnected with BGP, in the subfolders of topology/
Each group of hosts is described through a group.yml file in its subfolder.
Finally, hosts are described and provisonned through:
- host templates in SNSTER, which typically provide templates for BGP routers, mail servers, mail clients, ...
- specific scripts for a given host in
topology/<groupname>/<hostname>/provision.sh
To extend it, you can either extend an existing AS (typically, Target) or create a new AS. In this second case, you can duplicate Target and then connect it to some transit operator under a new AS number.
This process is described in the walkthrough tutorial.
This software is licensed under AGPLv3 : you can freely reuse it as long as you write you use it and you redistribute your modifications. Special licenses with (even) more liberties for public teaching activities can be discussed.