_________ .___
\_ ___ \ ____ _____ _____ _____ ____ __| _/____
/ \ \/ / _ \ / \ / \\__ \ / \ / __ |/ _ \
\ \___( <_> ) Y Y \ Y Y \/ __ \| | \/ /_/ ( <_> )
\______ /\____/|__|_| /__|_| (____ /___| /\____ |\____/
\/ \/ \/ \/ \/ \/
C O M P L E T E M A N D I A N T
O F F E N S I V E V M
Version 2021.2
commandovm@fireeye.com
_____________________________________________________
Created by
Jake Barteaux @day1player
Mandiant Red Team
Blaine Stancill @MalwareMechanic
Nhan Huynh
FireEye Labs Advanced Reverse Engineering
Welcome to CommandoVM - a fully customizable, Windows-based security distribution for penetration testing and red teaming.
For detailed install instructions or more information please see our blog
- Windows 10 1803, 1809, 1903, 1909, 2004, 20H2, or 21H1
Insider Preview editions of Windows are not supported
- 60 GB Hard Drive
- 2 GB RAM
- Windows 10 21H1
- 80+ GB Hard Drive
- 4+ GB RAM
- 2 network adapters
You MUST disable Windows Defender for a smooth install. The best way to accomplish this is through Group Policy
In Windows versions 1909 and higher, Tamper Protection was added. Tamper Protection must be disabled, otherwise Group Policy settings are ignored.
- Open Windows Security (type
Windows Security
in the search box) - Virus & threat protection > Virus & threat protection settings > Manage settings
- Switch
Tamper Protection
toOff
It is not necessary to change any other setting (
Real Time Protection
, etc.)
Important. Tamper Protection must be disabled before changing Group Policy settings.
To permanently disable Real Time Protection
- Open Local Group Policy Editor (type
gpedit
in the search box) - Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
- Enable
Turn off real-time protection
- Reboot
Make sure to reboot before making the next change
To permanently disable Microsoft Defender:
- Open Local Group Policy Editor (type
gpedit
in the search box) - Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
- Enable
Turn off Microsoft Defender Antivirus
- Reboot
- Create and configure a new Windows Virtual Machine
Ensure VM is updated completely. You may have to check for updates, reboot, and check again until no more remain
- Take a snapshot of your machine!
- Download and copy
install.ps1
on your newly configured machine. - Open PowerShell as an Administrator
- Unblock the install file by running
Unblock-File .\install.ps1
- Enable script execution by running
Set-ExecutionPolicy Unrestricted -f
- Finally, execute the installer script as follows:
.\install.ps1
- You can also pass your password as an argument:
.\install.ps1 -password <password>
The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.
Please see our custom profiles for more custom install options or create your own following the instructions below.
- Download the zip from https://github.com/fireeye/commando-vm into your Downloads folder.
- Decompress the zip and edit the
${Env:UserProfile}\Downloads\commando-vm-master\commando-vm-master\profile.json
file by removing tools or adding tools in the “packages” section. You can add any package listed in our package list or any package from the chocolatey repository. - Open an administrative PowerShell window and enable script execution.
Set-ExecutionPolicy Unrestricted -f
- Change to the unzipped project directory.
cd ${Env:UserProfile}\Downloads\commando-vm-master\commando-vm-master\
- Unblock the install file by running
Unblock-File .\install.ps1
- Take a snapshot of your machine!
- Execute the install with the
-profile_file
argument..\install.ps1 -profile_file .\profile.json
For more detailed instructions about custom installations, see our blog
Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy Github Desktop on your system:
cinst github
You can find packages to install from our package list, which hosts more than just pentesting tools, or from the chocolatey repository.
Type the following command to update all of the packages to the most recent version:
cup all
- Remote Server Administration Tools (RSAT)
- SQL Server Command Line Utilities
- Sysinternals
- Covenant
- WMImplant
- WMIOps
- Dep
- Git
- Go
- Java
- Python 2
- Python 3 (default)
- Ruby
- Ruby Devkit
- Visual Studio 2017 Build Tools (Windows 10)
- Visual Studio Code
- Amass
- SpiderFoot
- CheckPlease
- Demiguise
- DefenderCheck
- DotNetToJScript
- Invoke-CradleCrafter
- Invoke-DOSfuscation
- Invoke-Obfuscation
- Invoke-Phant0m
- Not PowerShell (nps)
- PS>Attack
- PSAmsi
- Pafishmacro
- PowerLessShell
- PowerShdll
- StarFighters
- SysWhispers
- ADAPE-Script
- API Monitor
- CrackMapExec
- CrackMapExecWin
- DAMP
- Dumpert
- EvilClippy
- Exchange-AD-Privesc
- FuzzySec's PowerShell-Suite
- FuzzySec's Sharp-Suite
- GadgetToJScript
- Generate-Macro
- GhostPack
- Rubeus
- SafetyKatz
- Seatbelt
- SharpDPAPI
- SharpDump
- SharpRoast
- SharpUp
- SharpWMI
- GoFetch
- Impacket
- Invoke-ACLPwn
- Invoke-DCOM
- Invoke-PSImage
- Invoke-PowerThIEf
- Juicy Potato
- Kali Binaries for Windows
- LuckyStrike
- MetaTwin
- Metasploit
- Mr. Unikod3r's RedTeamPowershellScripts
- NetshHelperBeacon
- Nishang
- Orca
- PSBits
- PSReflect
- PowerLurk
- PowerPriv
- PowerSploit
- PowerUpSQL
- PrivExchange
- RottenPotatoNG
- Ruler
- SharpClipHistory
- SharpExchangePriv
- SharpExec
- SpoolSample
- SharpSploit
- ThreadContinue
- TikiTorch
- UACME
- impacket-examples-windows
- vssown
- Vulcan
- ADACLScanner
- ADExplorer
- ADOffline
- ADRecon
- BeRoot
- BloodHound
- BloodHound-Custom-Queries (Hausec)
- dnsrecon
- FOCA
- Get-ReconInfo
- GoBuster
- GoWitness
- Net-GPPPassword
- NetRipper
- Nmap
- PowerView
- Dev branch included
- Privesc (enjoiz)
- Recon-AD
- SharpHound
- SharpView
- SpoolerScanner
- Watson
- kali-linux-default
- kali-linux-xfce
- VcXsrv
- Citrix Receiver
- OpenVPN
- Powercat
- Proxycap
- PuTTY
- Telnet
- VMWare Horizon Client
- VMWare vSphere Client
- VNC-Viewer
- WinSCP
- Windump
- Wireshark
- ASREPRoast
- CredNinja
- DomainPasswordSpray
- DSInternals
- Get-LAPSPasswords
- Hashcat
- Internal-Monologue
- Inveigh
- Invoke-TheHash
- KeeFarce
- KeeThief
- LAPSToolkit
- MailSniper
- Mimikatz
- Mimikittenz
- RiskySPN
- SessionGopher
- DNSpy
- Flare-Floss
- ILSpy
- PEview
- Windbg
- x64dbg
- 7zip
- Adobe Reader
- AutoIT
- Cmder
- CyberChef
- Explorer Suite
- Gimp
- Greenshot
- Hashcheck
- HeidiSQL
- Hexchat
- HTTP File Server (hfs)
- HxD
- Keepass
- MobaXterm
- Mozilla Thunderbird
- Neo4j Community Edition
- NirLauncher
- Notepad++
- Pidgin
- Process Hacker 2
- qBittorrent
- SQLite DB Browser
- Screentogif
- Shellcode Launcher
- SimpleDNSCrypt
- SQLite DB Browser
- Sublime Text 3
- Tor Browser
- TortoiseSVN
- VLC Media Player
- yEd Graph Tool
- AD Control Paths
- Egress-Assess
- Grouper2
- NtdsAudit
- PwnedPasswordsNTLM
- zBang
- Burp Suite
- Fiddler
- Firefox
- OWASP Zap
- Subdomain-Bruteforce
- Wfuzz
- FuzzDB
- PayloadsAllTheThings
- SecLists
- Probable-Wordlists
- RobotsDisallowed
This download configuration script is provided to assist penetration testers in creating handy and versatile toolboxes for offensive engagements. It provides a convenient interface for them to obtain a useful set of pentesting Tools directly from their original sources. Installation and use of this script is subject to the Apache 2.0 License. You as a user of this script must review, accept and comply with the license terms of each downloaded/installed package listed below. By proceeding with the installation, you are accepting the license terms of each package, and acknowledging that your use of each package will be subject to its respective license terms. Licenses for each package can be found in the packages.csv file for this repository.