SpecterInsight VM

Overview

The SpecterInsight Virtual Machine (VM) is a pre-configured Kali Linux system with SpecterInsight already installed and configured as a service that runs on startup. This is a turn-key solution that just works out-of-the-box. No need to install dependencies, configure services, or troubleshoot configuration files. Just run the SpecterInsight client from the desktop and get to work!

Features

  • 21.8 GB OVA file containing Kali Linux, distributed as a 7z archive
  • Kali configured with the full feature set
  • Docker containers running Elasticsearch, Kibana and PostgreSQL, managed with docker-compose
  • Containers configured to only listen on the loopback interface
  • Containers have built-in health monitoring and automatic restarts
  • Containers are configured to start on boot
  • SpecterInsight is installed as a service called specter-insight
  • The SpecterInsight service is configured to start on boot
  • SpecterInsight dashboards pre-loaded into Kibana
  • Icons and links to start the SpecterInsight client
  • Secrets, keys, and crypto for remote services are generated on first boot

Installation Instructions

VMware Workstation

NOTE: There is a known issue with VMware Workstation. Ensure that 3D Acceleration is turned off prior to running SpecterInsight.

  1. Download the latest version from here
  2. Extract the OVA using 7z
  3. Open VMware Workstation.
  4. Click File in the top menu bar and select Open…
  5. In the file dialog, navigate to the location where the extracted OVA file is saved.
  6. Select the .ova file and click Open.
  7. VMware will convert the OVA file into its own format and ask where to store the new VM.
  8. Choose a directory where you want the VM files to be stored and click Import.
  9. Once the import is complete, you can modify the virtual machine settings (e.g., increase RAM or CPU cores) by right-clicking on the VM and selecting Settings. This is also where 3D Acceleration is turned off (under Display), per the note above.
  10. After the import and any configuration changes, start the virtual machine by clicking Power On.

VirtualBox

  1. Download the latest version from here
  2. Extract the OVA using 7z
  3. Launch VirtualBox on your machine.
  4. Click File in the top menu bar and select Import Appliance….
  5. In the Appliance to Import dialog, click the folder icon and navigate to the extracted OVA file’s location.
  6. Select the .ova file and click Next.
  7. VirtualBox will display the appliance settings (CPU, RAM, network, etc.). You can modify these settings before importing the VM if needed.
  8. After reviewing the settings, click Import.
  9. VirtualBox will import the OVA file, which may take some time depending on the size of the OVA and system performance.
  10. Once the import is complete, the new virtual machine will appear in the list of available VMs.
  11. Select the VM and click Start to power it on.

Logging In

This VM is provided with the default credentials listed below. They are published, so anyone who can reach the VM or the SpecterInsight listener knows them; change all three on first login, before the VM is attached to a network shared with targets or other users.

  • VM
    • Username: kali
    • Password: kali
  • SpecterInsight
    • Username: admin
    • Password: specter
  • Elasticsearch
    • Username: elastic
    • Password: elastic

Boot Order

The SpecterInsight VM uses the following boot order for various services:

  1. Elasticsearch container
  2. Kibana container
  3. PostgreSQL container
  4. specter-insight.service

Note: Elasticsearch, Kibana, and PostgreSQL can take anywhere from a few seconds to a few minutes to initialize fully, depending upon available resources. The specter-insight.service waits 20 seconds after boot before starting, and all of the services are configured to restart on failure, so if you can’t log in right away, wait a few minutes and try again: once its dependencies are running, the dependent service will come up on its next restart.

Troubleshooting

If SpecterInsight doesn’t work or you can’t log in through the client, don’t panic and remain calm!

Check the following services, in this order, to see whether they are healthy:

  1. Containers
    • Elasticsearch
    • Kibana
    • PostgreSQL
  2. specter-insight.service

Containers

Check the health of the containers first with the following command:

sudo docker ps

If the containers are healthy, you should see output similar to what is shown below. Note that docker ps lists only running containers (add -a to include stopped ones, of which there should be at most one). Every published port should be bound to 127.0.0.1, and there should be three containers running in a healthy state:

  • Elasticsearch
  • Kibana
  • PostgreSQL
CONTAINER ID   IMAGE                                                  COMMAND                  CREATED        STATUS                 PORTS                                NAMES
67fc398b7a06   postgres:16.4                                          "docker-entrypoint.s…"   11 hours ago   Up 5 hours (healthy)   127.0.0.1:5432->5432/tcp             postgres
d1595dd364f1   docker.elastic.co/kibana/kibana:8.15.1                 "/bin/tini -- /usr/l…"   3 days ago     Up 5 hours (healthy)   127.0.0.1:5601->5601/tcp             vm_kibana_1
9568ed2e6cd7   docker.elastic.co/elasticsearch/elasticsearch:8.15.1   "/bin/tini -- /usr/l…"   3 days ago     Up 5 hours (healthy)   127.0.0.1:9200->9200/tcp, 9300/tcp   vm_es01_1
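A scriptable version of this check, added here as an example and not part of the VM or of SpecterInsight: it reads docker ps in its tab-separated --format output, requires each of the three expected containers to be up and healthy, and also verifies the loopback-only binding promised in the Features list, since a recreated container can end up published on 0.0.0.0. The container names are matched as substrings because Compose prefixes them (vm_es01_1). The two sample inputs are constructed, modelled on the listing above; on the VM you would pipe in live output as shown in the comment.

```shell
#!/bin/sh
# Added example, not part of the SpecterInsight VM: check the three backing
# containers from `docker ps` output. On the VM you would pipe live data in:
#   sudo docker ps -a --format '{{.Names}}\t{{.Status}}\t{{.Ports}}' | check_containers
# The two samples below are constructed for this example, modelled on the
# listing in the documentation.

# Substrings of the container names; Compose prefixes/suffixes them (vm_es01_1).
EXPECTED="postgres kibana es01"

# check_containers: reads NAME<TAB>STATUS<TAB>PORTS lines on stdin, prints one
# line per problem, and returns 0 only when all three containers are up,
# healthy, and published on 127.0.0.1 only.
check_containers() {
    rc=0
    input=$(cat)
    for svc in $EXPECTED; do
        line=$(printf '%s\n' "$input" | grep -i -- "$svc" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING   $svc: no such container (docker ps -a shows stopped ones too)"
            rc=1
            continue
        fi
        name=$(printf '%s\n' "$line" | cut -f1)
        status=$(printf '%s\n' "$line" | cut -f2)
        ports=$(printf '%s\n' "$line" | cut -f3)
        case "$status" in
            Up*"(healthy)") ;;                                    # the state we want
            Up*) echo "UNHEALTHY $name: $status  (see: docker logs $name)"; rc=1 ;;
            *)   echo "DOWN      $name: $status  (see: docker logs $name)"; rc=1 ;;
        esac
        # Every published port (HOST->CONTAINER) must be bound to loopback.
        # An entry without '->' (e.g. 9300/tcp) is unpublished and is fine.
        for p in $(printf '%s\n' "$ports" | tr ',' ' '); do
            case "$p" in
                127.0.0.1:*"->"*) ;;
                *"->"*) echo "EXPOSED   $name: $p is published on a non-loopback address"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample 1: the healthy state shown in the documentation.
SAMPLE_HEALTHY=$(printf 'postgres\tUp 5 hours (healthy)\t127.0.0.1:5432->5432/tcp\nvm_kibana_1\tUp 5 hours (healthy)\t127.0.0.1:5601->5601/tcp\nvm_es01_1\tUp 5 hours (healthy)\t127.0.0.1:9200->9200/tcp, 9300/tcp\n')

# Constructed sample 2: PostgreSQL exited, Kibana still starting, and
# Elasticsearch recreated with its port published on all interfaces.
SAMPLE_BROKEN=$(printf 'postgres\tExited (1) 3 minutes ago\t\nvm_kibana_1\tUp 2 minutes (health: starting)\t127.0.0.1:5601->5601/tcp\nvm_es01_1\tUp 5 hours (healthy)\t0.0.0.0:9200->9200/tcp, 9300/tcp\n')

echo "== healthy sample =="
printf '%s\n' "$SAMPLE_HEALTHY" | check_containers && echo "OK: all containers healthy"
echo "== broken sample =="
printf '%s\n' "$SAMPLE_BROKEN" | check_containers || echo "problems found"
```

The EXPOSED check is the security-relevant one: a healthy container is not enough if its Elasticsearch or PostgreSQL port has become reachable from the network, and docker ps is the quickest place to see that.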

If one of those containers is in an unhealthy or stopped state, check its logs with docker logs and the container ID (or name) from the docker ps output; a unique prefix of the ID is enough, e.g. for the PostgreSQL container above:

sudo docker logs 67fc

Try restarting the broken container with docker-compose from the VM’s compose directory; the service names are es01, kibana and postgres. For example, for Kibana:

cd /home/kali/SpecterInsight/vm
sudo docker-compose restart kibana

To recreate a container with docker-compose, take it down and bring it back up on its own, leaving its dependencies untouched. docker-compose down without -v keeps the named volumes, so the Elasticsearch and PostgreSQL data survive. For Elasticsearch:

cd /home/kali/SpecterInsight/vm
sudo docker-compose down es01
sudo docker-compose up --detach --no-deps es01

To recreate Kibana, the commands would be:

cd /home/kali/SpecterInsight/vm
sudo docker-compose down kibana
sudo docker-compose up --detach --no-deps kibana

To recreate PostgreSQL, the commands would be:

cd /home/kali/SpecterInsight/vm
sudo docker-compose down postgres
sudo docker-compose up --detach --no-deps postgres

SpecterInsight Service

The SpecterInsight command and control server is running as a service called “specter-insight” under systemd. You can run the following command to check if the service is running:

sudo systemctl status specter-insight

If the service is healthy, you should see output similar to what’s shown below:

● specter-insight.service - SpecterInsight Service
     Loaded: loaded (/etc/systemd/system/specter-insight.service; enabled; preset: disabled)
     Active: active (running) since Fri 2024-09-13 16:14:38 PDT; 4h 36min ago
   Main PID: 1903 (dotnet)
      Tasks: 25 (limit: 9395)
     Memory: 978.6M (peak: 1.3G)
        CPU: 3min 12.348s
     CGroup: /system.slice/specter-insight.service
             └─1903 dotnet /home/kali/SpecterInsight/server/SpecterInsight.Server.Host.dll

Sep 13 20:51:34 kali dotnet[1903]:       WHERE session.SessionId = $1 AND ImplantTasks.Status=$2
Sep 13 20:51:34 kali dotnet[1903]: info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
Sep 13 20:51:34 kali dotnet[1903]:       Executed endpoint 'HTTP: GET /threads/{sessionId}/messages => GetImplantTasks'
Sep 13 20:51:34 kali dotnet[1903]: info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Sep 13 20:51:34 kali dotnet[1903]:       Request finished HTTP/1.1 GET https://192.168.1.102/threads/ccbbd343328847b987e3246bc0e1fec4/messages?filter=6091 ->
Sep 13 20:51:34 kali dotnet[1903]: info: Npgsql.Command[2001]
Sep 13 20:51:34 kali dotnet[1903]:       Command execution completed (duration=3ms): INSERT INTO session(BuildId, SessionId, MachineId, FQDN, IP, Path, PID,>
Sep 13 20:51:34 kali dotnet[1903]:       VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16)
Sep 13 20:51:34 kali dotnet[1903]:       ON CONFLICT (SessionId)
Sep 13 20:51:34 kali dotnet[1903]:       DO UPDATE SET BuildId=$1, MachineId=$3, FQDN=$4, IP=$5, OS=$9, LastCheckin=$11, NextCheckin=$12, Interval=$13, "Win>
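For scripting, systemctl show is easier to read than systemctl status. The check below is an added example, not the VM’s own tooling: it parses the KEY=VALUE output of systemctl show, treats anything other than active/running as a failure, and, because the service is configured to restart on failure, also reports a non-zero NRestarts as a warning that the service probably came up before its containers were ready (see Boot Order). The three inputs are constructed samples; the property names ActiveState, SubState, NRestarts and ExecMainPID are real systemd unit properties.

```shell
#!/bin/sh
# Added example, not part of the SpecterInsight VM: a scriptable health check
# for specter-insight.service built on `systemctl show`. On the VM:
#   systemctl show -p ActiveState,SubState,NRestarts,ExecMainPID specter-insight | check_service
# The inputs used below are constructed samples.

# check_service: reads KEY=VALUE lines on stdin. Returns 0 when the service is
# active/running with no restarts since boot, 2 when it is running but systemd
# had to restart it (dependencies were probably not ready yet), and 1 when it
# is not running at all.
check_service() {
    ActiveState=""; SubState=""; NRestarts=0; ExecMainPID=0
    while IFS='=' read -r key val; do
        case "$key" in
            ActiveState) ActiveState=$val ;;
            SubState)    SubState=$val ;;
            NRestarts)   NRestarts=$val ;;
            ExecMainPID) ExecMainPID=$val ;;
        esac
    done
    if [ "$ActiveState" != "active" ] || [ "$SubState" != "running" ]; then
        echo "specter-insight is $ActiveState/$SubState; see: journalctl -u specter-insight -n 50"
        return 1
    fi
    if [ "$NRestarts" -gt 0 ]; then
        echo "specter-insight running (PID $ExecMainPID) but restarted $NRestarts time(s) since boot"
        return 2
    fi
    echo "specter-insight running (PID $ExecMainPID), no restarts since boot"
    return 0
}

# Constructed samples: healthy, crash-looping while a dependency is down, and
# recovered after two automatic restarts.
SAMPLE_RUNNING=$(printf 'ActiveState=active\nSubState=running\nNRestarts=0\nExecMainPID=1903\n')
SAMPLE_FLAPPING=$(printf 'ActiveState=activating\nSubState=auto-restart\nNRestarts=3\nExecMainPID=0\n')
SAMPLE_RECOVERED=$(printf 'ActiveState=active\nSubState=running\nNRestarts=2\nExecMainPID=2210\n')

for s in "$SAMPLE_RUNNING" "$SAMPLE_FLAPPING" "$SAMPLE_RECOVERED"; do
    printf '%s\n' "$s" | check_service || echo "  -> exit status $?"
done
```

A return of 2 is worth looking at even though the client works: the journal for those restarts will show which dependency the server could not reach, which is the same information you need if the problem recurs on the next boot.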

Screenshots

The screenshot below shows SpecterInsight running along with Kibana open to keep track of infrastructure health, callbacks, implants, credentials, network analysis, and all other commands issued by the operator.

On the left, Kibana is currently showing the Command and Control dashboard which highlights the most common tactics being used along with a stacked bar graph of tactics employed over time. From this dashboard, you can quickly surmise that the operator was conducting an initial enumeration of the host and network.

On the right, an interactive session is open to an active Specter running in red space. The results of one of the previous commands are displayed in the bottom-right panel while the operator builds a new command to process-inject into explorer.

Bug Reporting

If you run into any issues with the SpecterInsight VM, please send us your feedback using the Product Feedback page located here.
