This component runs the events. It is deployed on your network to execute offensive actions (events) according to the chosen scenario and based on the configured campaign technical settings.
You need at least one operational Attack Vector to execute a simulation. Follow these steps to set one up.
A) Prepare the Attack Vector installation
You need a computer with Docker to run a BlackNoise Attack Vector. This computer will be the host.
Computer specs
CPU: x86_64 or ARM architecture
RAM: 2 GB
Storage: 16 GB
Software specs
Linux OS (such as Debian, Ubuntu, RedHat, or Fedora; whether on a physical or virtual machine like VirtualBox)
Docker (Docker Engine v27.0.0 or later)
Note: The Attack Vector can run on Windows using Docker Desktop (with WSL), but the source IP will be different from the host operating system's IP. You will see the IP address of the Docker eth0 network interface (usually 192.168.65.3). The events will work, but the source IP will not be correct. That's why we recommend using a Linux host.
Follow these steps to set up your environment:
Prepare a native Linux OS or install Linux within a virtual machine. The virtual machine option lets you deploy an Attack Vector on a Windows computer, for example.
The Attack Vector will use the IP address of the host operating system it is installed on. You can choose to use DHCP or a static address based on your needs for the host.
For a virtual machine, the network interface must be in bridge mode.
If the host OS has several network interfaces, make sure the default route is set on only one of them. Otherwise, the BlackNoise Attack Vector will not work.
How to prepare a Linux Virtual machine to install the Attack Vector?
To successfully establish a secure connection between the Attack Vector and the BlackNoise platform, it is essential that the HTTPS connections remain intact without any protocol breaks. Specifically, intermediate devices must not decrypt TLS traffic from HTTPS connections, as this would hinder the secure end-to-end communication necessary for optimal operation.
Once the host is ready, you can go to step B).
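To confirm the host meets these prerequisites before moving on, the following added example (not part of the BlackNoise documentation or tooling) checks for a single default route, a configured IP address and Docker Engine 27.0.0 or later. The function names and the script name preflight.sh are hypothetical, and IPv4 addressing is assumed.

```shell
#!/bin/sh
# Added example, not BlackNoise code. Function names are hypothetical.
# Parsers read command output on stdin so they can be tested offline.

# Constructed sample: default routes on two interfaces (the misconfiguration).
SAMPLE_TWO_DEFAULTS='default via 192.168.1.1 dev eth0 proto dhcp metric 100
default via 10.0.0.1 dev eth1 proto dhcp metric 101'

# Count distinct interfaces that carry a default route.
# Input: output of `ip -4 route show default`.
count_default_ifaces() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }' \
        | sort -u | wc -l | tr -d ' '
}

# Succeed if a Docker Engine version string is 27.0.0 or later.
docker_version_ok() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric input fails the check
    esac
    [ "$major" -ge 27 ]
}

# Succeed if a global-scope IPv4 address is configured (IPv4 is an assumption).
# Input: output of `ip -4 -o addr show scope global`.
has_global_ipv4() {
    awk '$3 == "inet" { found = 1 } END { exit !found }'
}

# Run all checks against the live host; returns non-zero on any failure.
preflight() {
    rc=0
    n=$(ip -4 route show default | count_default_ifaces)
    [ "$n" -eq 1 ] || { echo "FAIL: default route on $n interfaces (need 1)"; rc=1; }
    ip -4 -o addr show scope global | has_global_ipv4 \
        || { echo "FAIL: host has no IPv4 address"; rc=1; }
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
    docker_version_ok "$v" \
        || { echo "FAIL: Docker Engine '${v:-unreachable}' (need 27.0.0+)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: host meets the documented prerequisites"
    return "$rc"
}

# Live checks run only on request: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

An unreachable Docker daemon (for example the permission error on /var/run/docker.sock) is reported as a Docker Engine failure, because the server version cannot be read.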
B) Install the Attack Vector
From the Resources > Attack Vectors page, click the Create attack vector button in the top right.
Provide a name (alias) for this Attack Vector.
You can set up a proxy for the Attack Vector's connection to the BlackNoise web application: Attack vector --HTTP or HTTPS --> Proxy --HTTPS--> Web app
The Attack Vector does NOT support proxy authentication. Unauthenticated connections to the BlackNoise web app must be allowed by the proxy to allow the Attack Vector to connect to it.
The Attack Vector does NOT support TLS decryption at the proxy level. As such, the proxy must be configured to not decrypt communications between the Attack Vector and the BlackNoise web app.
Copy the docker command from the screen and paste it into the terminal of the previously deployed computer (the host) to execute it. You can also provide a DNS server to be used by Attack Vector. Please refer to the FAQ to add this option within the following command (https://doc.blacknoise.co/p/ps6ZTNIhewUzS9/Untitled#5yRgILGUh2OIg1).
The host must be connected to the network and have an IP address before launching the docker command; otherwise, the Attack Vector won't initialize.
If you want to install the Attack Vector from a Windows host OS using Docker Desktop, you need to split the command into 2 parts (docker login and then docker run) because the separator && is not recognized by Windows.
The Attack Vector shows up in the web app list. The container image is downloaded and started. Once the authentication between the Docker container and the BlackNoise web app is done, the Attack Vector is ready to use (i.e. operational). This is shown by a green dot. It can now be used in an attack campaign.
The deployment of the virtual Attack Vector (docker) is not working on Linux
If you have an error message such as:
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
Your user does not have the rights to execute some Docker commands. Add your user to the docker group:
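sudo usermod -aG docker your-username
Log out and back in for the new group membership to take effect. Members of the docker group have root-equivalent access to the host, so add only accounts that need to manage the Attack Vector.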
Please refer to our FAQ for technical details to ensure communication between Attack Vector and Target Systems