{"id":7468,"date":"2021-01-08T19:38:49","date_gmt":"2021-01-08T16:38:49","guid":{"rendered":"https:\/\/kifarunix.com\/?p=7468"},"modified":"2024-03-19T21:03:49","modified_gmt":"2024-03-19T18:03:49","slug":"install-velociraptor-client-on-linux-and-windows-systems","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-velociraptor-client-on-linux-and-windows-systems\/","title":{"rendered":"Install Velociraptor Client on Linux and Windows Systems"},"content":{"rendered":"\n

In this tutorial, you will learn how to install Velociraptor Client on Linux and Windows Systems. Velociraptor endpoint agents<\/a> are called clients<\/code>. Clients connect to the server and wait for instructions, which mostly consist of VQL statements, then run any VQL queries and return the result to the server.<\/p>\n\n\n\n

In our previous tutorial (link provided below), we covered how to install and setup Velociraptor Linux systems;<\/p>\n\n\n\n

Install and Setup Velociraptor on Ubuntu 18.04<\/a><\/p>\n\n\n\n

Install and Setup Velociraptor on Debian 10<\/a><\/p>\n\n\n\n

Install and setup Velociraptor on Ubuntu 20.04<\/a><\/p>\n\n\n\n

Velociraptors client-server<\/em> communication is based on GRR\u2019s protocol where it implements zero registration clients<\/em> method. This means no a-prior knowledge of clients is required hence making the enrollment of the client from packages a simple process.<\/p>\n\n\n\n

Installing Velociraptor Client on Linux and Windows<\/h2>\n\n\n\n

There are two ways in which you can install Velociraptor client;<\/p>\n\n\n\n

Install Velociraptor client using Velociraptor Binary<\/strong><\/a><\/h4>\n\n\n\n

This method involves using Velociraptor binary and client configuration file generated from the server. The client configuration file has to be copied to the client machine. This method is ideal for testing purposes, for large deployment the second method, below, is preferred.<\/p>\n\n\n\n

Install Velociraptor using Velociraptor client packages<\/strong><\/a><\/h4>\n\n\n\n

This method packages the client configuration file on a Linux package or Windows installer which are then distributed to the clients target machines. This type of deployment is ideal for large deployments since it only requires distribution of one package.<\/p>\n\n\n\n

Install Velociraptor client Using Velociraptor Binary<\/h3>\n\n\n\n

Using Velociraptor binary<\/strong> on Linux Systems<\/h4>\n\n\n\n

Velociraptor binary used for Server and Client is the same, the usage is differentiated by config options.<\/p>\n\n\n\n

Step 1: Get velociraptor binary on client machine<\/strong><\/h5>\n\n\n\n

On the target Linux Velociraptor client system, create a directory where to store the binary.<\/p>\n\n\n\n

mkdir velociraptor<\/code><\/pre>\n\n\n\n
Navigate to the binary directory created above and download the Velociraptor binary for Linux systems.<\/p>\n\n\n\n
cd velociraptor
wget https:\/\/github.com\/Velocidex\/velociraptor\/releases\/download\/v0.5.3\/velociraptor-v0.5.3-linux-amd64<\/code><\/pre>\n\n\n\n
Make the Binary executable;<\/p>\n\n\n\n
chmod +x velociraptor-v0.5.3-linux-amd64 <\/code><\/pre>\n\n\n\n
Step 2: Copy the Velociraptor client configuration file from the server to client<\/strong><\/h5>\n\n\n\n
Login to the Velociraptor server and generate the client configuration file.<\/p>\n\n\n\n
Once you have generated the configuration file, copy it to the respective client system.<\/p>\n\n\n\n
scp client.config.yaml user@192.168.56.103:~\/velociraptor<\/code><\/pre>\n\n\n\n
Step 3: Start the Velociraptor client<\/strong><\/h5>\n\n\n\n
To start the Velociraptor client in standalone mode using the client configuration file generated, run the command below<\/p>\n\n\n\n
 .\/velociraptor-v0.5.3-linux-amd64 --config client.config.yaml client -v<\/code><\/pre>\n\n\n\n
Truncated Sample Output:<\/p>\n\n\n\n
...\n[INFO] 2020-12-10T10:58:28+03:00 Loading config from file client.config.yaml \nGenering new private key....\n[INFO] 2020-12-10T10:58:28+03:00 Starting Crypto for client C.271ab970be8f6541 \n[INFO] 2020-12-10T10:58:28+03:00 Starting Journal service. \n[INFO] 2020-12-10T10:58:28+03:00 Starting the notification service. \n[INFO] 2020-12-10T10:58:28+03:00 Installing Dummy inventory_service. Will download tools to temp directory. \n[INFO] 2020-12-10T10:58:28+03:00 Loaded 216 built in artifacts in 109.595501ms \n[INFO] 2020-12-10T10:58:28+03:00 Starting event query service with version 0. \n[INFO] 2020-12-10T10:58:28+03:00 Starting event query service with version 0. \n[INFO] 2020-12-10T10:58:28+03:00 Expecting self signed certificate for server. \n[INFO] 2020-12-10T10:58:28+03:00 Ring Buffer: Creation {\"filename\":\"\/var\/tmp\/Velociraptor_Buffer.bin\",\"max_size\":1073741874}\n[INFO] 2020-12-10T10:58:28+03:00 Starting HTTPCommunicator: HTTP Connector to [https:\/\/192.168.56.102:8000\/] \n[INFO] 2020-12-10T10:58:28+03:00 Received PEM for VelociraptorServer from https:\/\/192.168.56.102:8000\/ \n[INFO] 2020-12-10T10:58:28+03:00 Receiver: Connected to https:\/\/192.168.56.102:8000\/reader \n[INFO] 2020-12-10T10:58:28+03:00 Enrolling \n[INFO] 2020-12-10T10:58:28+03:00 Ring Buffer: Enqueue {\"item_len\":925,\"total_length\":925}\n[INFO] 2020-12-10T10:58:28+03:00 Compiled all artifacts. \n[INFO] 2020-12-10T10:58:29+03:00 Sender: Connected to https:\/\/192.168.56.102:8000\/control \n...\n<\/code><\/pre>\n\n\n\n
From the output above, the client is enrolled to the Velociraptor server.<\/p>\n\n\n\n
Step 4 (Optional): Install systemd Service<\/strong><\/h5>\n\n\n\n
Additionally you can create systemd service file for Velociraptor client:<\/p>\n\n\n\n
 vim  \/lib\/systemd\/system\/velociraptor.service<\/code><\/pre>\n\n\n\n
Add the content below (edit ExecStart<\/em> file paths with regards to your files location<\/strong>):<\/p>\n\n\n\n
[Unit]\nDescription=Velociraptor linux amd64\nAfter=syslog.target network.target\n\n[Service]\nType=simple\nRestart=always\nRestartSec=120\nLimitNOFILE=20000\nEnvironment=LANG=en_US.UTF-8\nExecStart=\/usr\/local\/bin\/velociraptor --config \/etc\/velociraptor-client.config.yaml client -v\n\n[Install]\nWantedBy=multi-user.target\n<\/code><\/pre>\n\n\n\n
Reload systemd daemon:<\/p>\n\n\n\n
systemctl daemon-reload<\/code><\/pre>\n\n\n\n
Start and enable velociraptor to start at boot time:<\/p>\n\n\n\n
systemctl enable --now velociraptor <\/code><\/pre>\n\n\n\n
Check the status of velociraptor.<\/p>\n\n\n\n
systemctl status velociraptor<\/code><\/pre>\n\n\n\n
\u25cf velociraptor.service - Velociraptor linux amd64\n   Loaded: loaded (\/lib\/systemd\/system\/velociraptor.service; enabled; vendor preset: enabled)\n   Active: active (running) since Fri 2020-11-27 21:11:29 UTC; 59s ago\n Main PID: 16544 (velociraptor-v0)\n    Tasks: 8 (limit: 4664)\n   CGroup: \/system.slice\/velociraptor.service\n           \u2514\u250016544 \/usr\/local\/velociraptor-v0.5.3-linux-amd64 --config \/etc\/velociraptor-client.config.yaml client -v\n\nNov 27 21:12:01 ubuntu velociraptor-v0.5.2-linux-amd64[16544]: [INFO] 2020-11-27T21:12:01Z Sender: Connected to https:\/\/192.168.56.102\n...\n<\/code><\/pre>\n\n\n\n
Step 5: Confirm Client is Added on GUI<\/strong><\/h5>\n\n\n\n
On the server GUI, navigate to homepage and select SHOW ALL<\/code> next to the magnifying Glass to view connected clients:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Install Velociraptor client using Velociraptor binary<\/strong> on Windows Systems<\/h4>\n\n\n\n
Step 1: Create Install Folder<\/strong><\/h5>\n\n\n\n
Create Velociraptor folder on target client system in the path specified below:<\/p>\n\n\n\n
C:\\Program Files\\Velociraptor\\<\/code><\/pre>\n\n\n\n
Step 2: Download Velociraptor Client Windows Installer<\/h5>\n\n\n\n
Download the latest installer from Velociraptor releases<\/a> page and save it in the folder created above.
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Step 3: Copy Velociraptor Client Configuration file to Install folder<\/strong><\/h5>\n\n\n\n
Copy client configuration file generated from the server to the client install folder created above.<\/p>\n\n\n\n
IMPORTANT: Rename the client configuration file as Velociraptor.config.yaml<\/em><\/strong>.<\/p>\n\n\n\n
\"Install<\/figure>\n\n\n\n
Step 4: Run the Velociraptor Client on Windows:<\/strong><\/h5>\n\n\n\n
Open Command prompt<\/em> with Administrator privileges:<\/p>\n\n\n\n
Change to the folder with Velociraptor Binary and client config files created earlier:<\/p>\n\n\n\n
cd \"C:\\Program Files\\Velociraptor\" <\/code><\/pre>\n\n\n\n
Run the Binary with Client config file and enroll the endpoint:<\/p>\n\n\n\n
velociraptor-v0.5.3-windows-amd64.exe --config Velociraptor.config.yaml client -v<\/code><\/pre>\n\n\n\n
The following output is generated for a successful connection with the Fronted service of Velociraptor service:
<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Step 5: Running the client as a service<\/h5>\n\n\n\n
To run velociraptor client permanently get the msi installer from Velociraptor github releases<\/a>.
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Run the Installer by double clicking on the msi.<\/p>\n\n\n\n
When the service is started during installation, it attempts to load the configuration file from C:\\Program Files\\Velociraptor\\Velociraptor.config.yaml<\/code> hence why we created the Folder and configuration file Velociraptor.config.yaml<\/em> on the file path: C:\\Program Files\\Velociraptor\\<\/code>.<\/p>\n\n\n\n
\n
NOTE:<\/em><\/strong>
If there is an existing Velociraptor service that is already installed, it will be overwritten by the Velociraptor service installation. The service is set to start at boot time.<\/em><\/p>\n<\/blockquote>\n\n\n\n
Confirm Velociraptor service is running by opening services, Win Key + R<\/code> type services.msc<\/em> to open services program.<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
\"\"<\/figure>\n\n\n\n
On the Server GUI confirm the Windows Client has been enrolled successfully:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n


From the GUI you can see connected clients, the client(s) ID, hostname and OS Version. Clicking on a client gives more information about the client:
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now that clients are connected they can successfully be queried using VQL.<\/p>\n\n\n\n
Install Velociraptor using Velociraptor client packages<\/strong><\/h3>\n\n\n\n
Install Velociraptor Client on Linux using Velociraptor client packages<\/strong><\/h4>\n\n\n\n
On the velociraptor Server create Velociraptor Linux client package by running the command below;<\/p>\n\n\n\n
.\/velociraptor-v0.5.3-linux-amd64 -c \/etc\/velociraptor.config.yaml debian client<\/code><\/pre>\n\n\n\n
The above command packages the client configuration file into the .deb<\/em> package thus the single .deb<\/em> package can be distributed to Debian based Linux clients for installation.<\/p>\n\n\n\n
ls\nvelociraptor_0.5.3_client.deb  <\/code><\/pre>\n\n\n\n
Copy the .de<\/em>b package to client machine(s) and install the package: <\/p>\n\n\n\n
dpkg -i velociraptor_0.5.3_client.deb<\/code><\/code><\/pre>\n\n\n\n
Selecting previously unselected package velociraptor-client.\n(Reading database ... 137978 files and directories currently installed.)\nPreparing to unpack velociraptor_0.5.3_client.deb ...\nUnpacking velociraptor-client (0.5.3) ...\nSetting up velociraptor-client (0.5.3) ...\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/velociraptor_client.service \u2192 \/etc\/systemd\/system\/velociraptor_client.service.\n<\/code><\/pre>\n\n\n\n
Confirm the status of Velociraptor:<\/p>\n\n\n\n
systemctl status velociraptor_client.service<\/code><\/code><\/pre>\n\n\n\n
\u25cf velociraptor_client.service - Velociraptor linux client\n   Loaded: loaded (\/etc\/systemd\/system\/velociraptor_client.service; enabled; vendor preset: enabled)\n   Active: active (running) since Tue 2020-12-29 07:38:43 UTC; 54s ago\n Main PID: 4409 (velociraptor_cl)\n    Tasks: 8 (limit: 2322)\n   CGroup: \/system.slice\/velociraptor_client.service\n           \u2514\u25004409 \/usr\/local\/bin\/velociraptor_client --config \/etc\/velociraptor\/client.config.yaml client\n\nDec 29 07:38:43 ubuntu systemd[1]: Started Velociraptor linux client.\n...\n<\/code><\/pre>\n\n\n\n
The client enrollment can be confirmed on Velociraptor GUI.<\/p>\n\n\n\n
Install Velociraptor Client on Windows using Velociraptor client packages<\/strong><\/h4>\n\n\n\n
On the velociraptor Server get the windows binary in the same location as the Velociraptor server binary:<\/p>\n\n\n\n
 wget https:\/\/github.com\/Velocidex\/velociraptor\/releases\/download\/v0.5.3\/velociraptor-v0.5.3-windows-amd64.exe<\/code><\/pre>\n\n\n\n
Run the below command to embed the client\u2019s configuration in the windows binary<\/p>\n\n\n\n
.\/velociraptor-v0.5.3-linux-amd64 config repack --exe velociraptor-v0.5.3-windows-amd64.exe client.config.yaml repackaged_velociraptor.exe<\/code><\/pre>\n\n\n\n
Copy the repackaged Velociraptor client to target clients machine. Launch CMD as an administrator;<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Change directory to the location where the repacked client was copied to and install Velociraptor client to run as a service. This autostarts Velociraptor client service on boot<\/p>\n\n\n\n
repackaged_velociraptor.exe service install<\/code><\/pre>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Confirm Velociraptor client service is running:<\/p>\n\n\n\n
Press Win + R<\/strong> and type services.msc<\/em> to launch Windows Services application:
<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Scroll down or search for the service Velociraptor;<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
On Velociraptor GUI, the client enrollment can be confirmed by hitting refresh button on the homepage. Click on Show All<\/strong> on the top panel to view connected clients.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Once the clients are connected to the server, they can successfully be queried using VQL. Velociraptor server gives visibility into the hosts (clients) enrolled to Velociraptor server hence can be used to query for info such as:<\/p>\n\n\n\n