Commando VM – Using Windows for pen testing and red teaming

Pierluigi Paganini March 29, 2019

Commando VM — Turn Your Windows Computer Into A Hacking Machine

FireEye released Commando VM, a Windows-based security distribution designed for penetration testers that intend to use the Microsoft OS.

FireEye released Commando VM, the Windows-based security distribution designed for penetration testing and red teaming.

FireEye today released an automated installer called Commando VM (Complete Mandiant Offensive  VM), it is an automated installation script that turns a Windows operating system into a hacking system. The installation script works on systems running on a virtual machine (VM) or even on the base system.

“Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments. Commando VM was designed specifically to be the go-to platform for performing these internal penetration tests.” reads the post published by FireEye. “The benefits of using a Windows machine include native support for Windows and Active Directory, using your VM as a staging area for C2 frameworks, browsing shares more easily (and interactively), and using tools such as PowerView and BloodHound without having to worry about placing output files on client assets.”

Commando VM uses Boxstarter, Chocolatey, and MyGet packages to install all software packages, users need at least 60 GB of free hard drive space and 2GB of RAM to use it.

Commando VM automatically installs more than 140 hacking tools, including Nmap, Wireshark, Remote Server Administration Tools, Mimikatz, Burp-Suite, x64db, Metasploit, PowerSploit, Hashcat, and Owasp ZAP.

Commando VM

Experts that want to use Windows OS in penetration testing activities have to manually install hacking tools on Windows, a task that could hide many difficulties for most users.

Commando VM allows downloading additional offensive and red team tools on Windows bypassing security features implemented by Microsoft that flag them as malicious. The installer disables many Windows security features, its execution will leave a system vulnerable for this reason FireEye strongly encourage installing it on a virtual machine.

Commando VM could be installed on Windows 7 Service Pack 1, or Windows 10, in the latter OS it allows to install more features.

One of the authors of the Commando VM explained on Reddit that it top three features are:

  • Native Windows protocol support (SMB, PowerShell, RSAT, Sysinternals, etc.)
  • Organized toolsets (Tools folder on the desktop with Info Gathering, Exploitation, Password Attacks, etc.)
  • Windows-based C2 frameworks like Covenant (dotnet) and PoshC2 (PowerShell)

“With such versatility, Commando VM aims to be the de facto Windows machine for every penetration tester and red teamer,” continues FireEye.

“The versatile tool sets included in Commando VM provide blue teams with the tools necessary to audit their networks and improve their detection capabilities. With a library of offensive tools, it makes it easy for blue teams to keep up with offensive tooling and attack trends.”

Commando VM is available for download on Github, below step by step guide to install it:

  1. Create and configure a new Windows Virtual Machine
  • Ensure VM is updated completely. You may have to check for updates, reboot, and check again until no more remain
  • Take a snapshot of your machine!
  • Download and copy install.ps1 on your newly configured machine.
  • Open PowerShell as an Administrator
  • Enable script execution by running the following command:
    • Set-ExecutionPolicy Unrestricted
  • Finally, execute the installer script as follows:
    • .\install.ps1
    • You can also pass your password as an argument:.\install.ps1 -password 2

“We believe this distribution will become the standard tool for penetration testers and look forward to continued improvement and development of the Windows attack platform.” concluded FireEye.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Commando VM, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment