Setting Up a Pentesting Environment based on Qubes OS – Step by Step

Qubes OS is a hypervisor based operating system. Qubes OS can host various operating systems such as Linux, Unix or Windows and run them in parallel. Qubes OS can therefore be used to host your own “hacking” laboratory. (source)


Due to its virtualization-based architecture, Qubes OS seemed to be the perfect OS in order to set up a pentesting lab that is a) easy to use and b) is separated from your daily-use VMs in a secure way. Additionally, with Qubes OS you can easily import VMs from or any other sources for testing purposes.

Within this article, we will discuss a step-by-step guidance on how to set this environment up. Preliminary conditions: Running Qubes OS (tested with Qubes OS 3.2), Internet connection, enough space on disk.

Architecture Setup

Simple Architecture Diagram for Pentesting Environment based on Qubes OS

We will set up a virtualized pentesting lab within an existing Qubes OS environment which will consist of a Kali Linux machine, a vulnerable server (pick one!) and a firewall used to separate the 2 machines from the rest of your Qubes installation and to enable networking between both VMs.

First Step – Installing Kali Linux

You can basically follow the steps on for installing a Kali VM in your environment.

Within an existing VM (e.g. Disp1), download the Kali ISO:

Let’s assume the VM name you used for downloading the ISO is called “Disp1” and the internal file path to the ISO is: /home/user/download/kali-linux-2017.2-amd64.iso

Within Dom0, create the VM via:
qvm-create --label=purple --hvm kali-test

and then load the ISO from the VM and start the installation:
qvm-start kali-test --cdrom=Disp1:/home/user/download/kali-linux-2017.2-amd64.iso

Networking setup:
Unless you changed the networking environment to DHCP, you need to manually assign the IP address to Kali – so check the assigned one in the Qubes VM Manager and assign it manually to the Kali VM via ifconfig.

Second Step – Installing Pentesting Firewall

In Qubes, the sys-firewall VM is a core part of your compartmentalization concept and should be treated as a very sensitive machine. Therefore, you want to create an additional firewall VM which is only managing the compartmentalization within your pentesting lab. We call this firewall Pentesting-FW.

Within Dom0, create the VM:
qvm-create --proxy --label=purple --template fedora-25-minimal Pentesting-FW

Your sys-firewall is normally connected to your sys-net VM – you don’t want to do this for your Pentesting-FW since you should not fully trust it. Therefore, we will connect the Pentesting-FW to your sys-firewall instead:
qvm-prefs -s Pentesting-FW netvm sys-firewall

Within your sys-firewall, you can now treat the Pentesting-FW as an ordinary client, fully separated (network level) and disconnected from the rest of your normal environment. An additional advantage of this setup is that you can now easily torify / VPN your complete VM-based network traffic with a few clicks by simply connecting your Pentesting-FW machine to the right networking component within your VM landscape (sys-whonix etc.)

Before we move on to the third step, make sure you connect your Kali VM to your Pentesting-FW via Dom0:
qvm-prefs -s kali-test netvm Pentesting-FW

Also verify within the existing Kali instance from step 1 that you have a working network connection to your Pentesting-FW instance – e.g. ping

Third Step – Installing a Vulnerable Server VM

On you can find plenty of free, vulnerable server VMs available for download. Alternatively, you can install metasploitable which is available for download here.

As an example, we pick the XVWA (Extreme Vulnerable Web Application) VM and download it. The benefit in this case is that the VM is already in an iso format – so no need in this case to convert the image file. In case the VM you download only exists in .ova or .vmdk format, you need to convert it via:
qemu-img convert file.vmdk -O raw image.img

As a next step, we create the VM via Dom0:
qvm-create --label=purple --hvm vuln-server

and then load the ISO from the VM and start the installation (where Disp1 is the VM we used to download the iso to):
qvm-start vuln-server --cdrom=Disp1:/home/user/Downloads/xvwa.iso

Now run the installer which is based on Ubuntu 14. It will automatically search via DHCP for a network configuration which will normally fail.
Next, make sure that the VM connects to your Pentesting-FW:
qvm-prefs -s vuln-server netvm Pentesting-FW

Now, within the VM, configure the network appropriately and verify via ping that the connection to the Pentesting-FW actually works.

Fourth Step – Connecting the VMs

Now, you have both VMs set up, configured and connected to your Pentesting-FW VM. The Kali instance runs on IP whereas the vuln-server VM runs on Pentesting-FW acts under as the gateway to the outside world if needed. I recommend to DISABLE the connection to the outside world via sys-firewall – you can easily do this by not assigning a NetVM to your Pentesting-FW via Dom0:
qvm-prefs -s Pentesting-FW netvm none

The only things which is still not working is the connection between the Kali VM and the vuln-server VM since Qubes-OS Firewalls do not allow VMs to talk to each other by default. This needs to be enabled in the Pentesting-FW VM via:
sudo iptables -I FORWARD 2 -s -d -j ACCEPT
sudo iptables -I FORWARD 2 -s -d -j ACCEPT

You will now be able to connect from your Kali VM to the vuln-server VM and the other way round. Keep in mind that this iptables rule does not survive a reboot of your VM – read more about how to fix this here. I can recommend the “old” article about playing with Qubes Networking from 2011 – most of the concepts are still valid in 2017.

One Comment on “Setting Up a Pentesting Environment based on Qubes OS – Step by Step

  1. Pingback: Qubes OS as a day-to-day OS? Discussion | Dominik Birk

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s