Creating a Collaborative Reverse Engineering Server
How To Build a Remote Reverse‑Engineering Workstation with SSH Tunneling + TigerVNC
I found the easiest way to set up a reverse engineering server! Well.. sort of. I chose to use TigerVNC as the Virtual Network Computing (VNC) service because it is well documented online, but certainly every Linux box comes with its quirks. Hopefully I can demystify the process and show you an example of what worked for me when trying to find a solution for a collaborative platform for the researchers on my team. This article requires the user to have a basic understanding of Linux commands, systemd services, and networking.
Step 1. Install & Test TigerVNC (server side)
Install the dependencies for this project:
sudo apt install tigervnc-standalone-server tigervnc-common xfce4 xfce4-goodies dbus-x11 xterm
For each VNC user (as the user or within the user's $HOME directory):
vncpasswd
mkdir -p $HOME/.vnc
cat > $HOME/.vnc/xstartup <<'EOF'
#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec startxfce4
EOF
chmod +x $HOME/.vnc/xstartup
The commands above will need to be done for each user on the server. It's important to note that the .vnc directory must be owned by the respective user, and the .vnc/xstartup script must be executable.
"Maybe try something simple first, e.g. tigervncserver -xstartup /usr/bin/xterm." - As quoted by the tigervnc people (tigervncserver is the same as vncserver in this case).
After running vncserver -xstartup /usr/bin/xterm, I can run "vncserver --list" to view the list of running vncservers:
I can then connect to that X11-forwarded terminal via "vncviewer -passwd $HOME/.config/tigervnc/passwd :3".
Let's go ahead and kill the server now:
Each VNC session uses a display number such as :1 or :2, and display :N maps to TCP port 5900 + N. So, :0 maps to port 5900 and :1 maps to port 5901. This is handy when using nmap to debug your ports, for example: "nmap x.x.x.x -p 5900,5901,5902". Each VNC session eats up memory and other resources, so it's important to consider what hardware you run this server on. I would recommend > 32 GB of RAM for a team of 5, > 64 GB for a team of 10, and so forth.
Step 2. Create Systemd Services
Now that we have confirmed the vncserver backend works properly, let's automate the connections for each user. For now, I'll show you what I use as an example:
[Unit]
Description=TigerVNC server for user sbeer on :1
After=network.target
[Service]
Type=simple
User=sbeer
PAMName=login
ExecStartPre=-/usr/bin/vncserver -kill :1
ExecStart=/usr/bin/vncserver -verbose -fg -localhost no :1 -xstartup /home/sbeer/.vnc/xstartup
ExecStop=/usr/bin/vncserver -kill :1
Restart=on-failure
[Install]
WantedBy=multi-user.target
| Option | Meaning |
|---|---|
| -verbose | Enables verbose logging (more debug info in logs) |
| -fg | Run in the foreground (important for Type=simple or Type=exec services) |
| -localhost no | Allow remote connections, not just from localhost |
| :1 | Use display number :1 (corresponds to TCP port 5901) |
| -xstartup /home/sbeer/.vnc/xstartup | Specify the exact startup script for the user session (usually launches the desktop environment like GNOME or XFCE in our case) |
Now that we know how to provision one user, it becomes a menial task to provision the other users of the group so that each user gains access to the server.
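One way to script that provisioning, as an added example that is not part of the original setup: it renders the same unit as above for each user and assigns displays in order. The user names, the output directory and home directories under /home are assumptions.

```bash
# Added example: one TigerVNC unit per user, modeled on the sbeer unit above.
# The user names passed in and the output directory are assumptions.

# Display :N listens on TCP port 5900 + N.
vnc_port() {
    echo $((5900 + $1))
}

# Print a unit for user $1 on display :$2; fail on unexpected input, because
# both values are pasted into the ExecStart lines. Assumes /home/<user>.
render_vnc_unit() {
    local user display
    user=$1; display=$2
    case $user in
        ''|[0-9-]*|*[!a-z0-9_-]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    case $display in
        [1-9]|[1-9][0-9]) ;;
        *) echo "bad display: $display" >&2; return 1 ;;
    esac
    cat <<EOF
[Unit]
Description=TigerVNC server for user $user on :$display
After=network.target
[Service]
Type=simple
User=$user
PAMName=login
ExecStartPre=-/usr/bin/vncserver -kill :$display
ExecStart=/usr/bin/vncserver -verbose -fg -localhost no :$display -xstartup /home/$user/.vnc/xstartup
ExecStop=/usr/bin/vncserver -kill :$display
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
}

# Write vnc-<user>.service into directory $1 for each remaining argument,
# assigning displays :1, :2, ... in order, and print the user-to-port map.
provision_units() {
    local outdir display user
    outdir=$1; display=1; shift
    mkdir -p "$outdir"
    for user in "$@"; do
        render_vnc_unit "$user" "$display" > "$outdir/vnc-$user.service" || return 1
        echo "$user -> :$display (tcp/$(vnc_port "$display"))"
        display=$((display + 1))
    done
}
```

Run it into a scratch directory first, for example `provision_units ./units sbeer alice`, review the files, then copy them to /etc/systemd/system and enable each one.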
Step 3. Connecting and Securing the VNC server
Using RealVNC Viewer, or any VNC viewer you prefer, you can connect to the server using hostname.local or the IP address, with the corresponding port number. One thing to mention is that the VNC server is insecure and doesn't encrypt the connection by default. An easy way I found to secure this connection is to use SSH tunneling, given the user (you) has access to the intermediary router terminal.
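One way to express that tunnel per display, together with a check for VNC ports that are reachable without it (an added example, not the author's own configuration). The names router.example, 192.0.2.10 and the login name are placeholders, and the ss output is constructed.

```bash
# Added example for the SSH-tunnel setup; router.example, 192.0.2.10 and the
# login name are placeholders, and the ss lines below are constructed.

# Client-side command: 127.0.0.1:<port> on the workstation is carried over the
# SSH session to the router, which connects on to the server's port 5900 + N.
tunnel_cmd() {
    local display router server port
    display=$1; router=$2; server=$3
    case $display in
        [0-9]|[1-9][0-9]) ;;
        *) echo "bad display: $display" >&2; return 1 ;;
    esac
    port=$((5900 + display))
    echo "ssh -N -L 127.0.0.1:$port:$server:$port $router"
}

# Read `ss -ltnH` output on stdin and print each VNC port (5900-5999) that
# listens on a non-loopback address, i.e. is reachable without the tunnel.
exposed_vnc_ports() {
    awk '{
        n = split($4, a, ":"); p = a[n]; port = p + 0
        addr = substr($4, 1, length($4) - length(p) - 1)
        if (port >= 5900 && port <= 5999 && addr != "127.0.0.1" && addr != "[::1]")
            print port
    }' | sort -un
}

# Constructed sample: sshd, display :1 on all interfaces, display :2 on loopback.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 5   0.0.0.0:5901   0.0.0.0:*
LISTEN 0 5   127.0.0.1:5902 0.0.0.0:*
LISTEN 0 5   [::]:5901      [::]:*
EOF
}
```

With the tunnel from `tunnel_cmd 1 user@router.example 192.0.2.10` running, the viewer connects to localhost:5901. The hop between the router and the server is still plain VNC, so the tunnel protects the path up to the router.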
An example of my setup looks like this:
Although this blog post isn't completely informative, hopefully it gives you a head start towards collaboration with your cybersecurity team. I found TigerVNC to be extremely fast and reliable once set up properly :)