Lab Hardware / Layout
2 unmanaged TRENDnet gigabit switches
2 PowerEdge T300 servers
    1 Intel Core 2 Duo E6305 @ 1.86GHz
    24GB RAM
    4 250GB HDDs > RAID 0
1 PowerEdge T605 server
    2 Quad-Core AMD Opteron 2350
    32GB RAM
    4 250GB HDDs > RAID 0
Lab Hardware / Layout Image

Lab Software / Layout
Each Poweredge server is running ESX 6.0
A virtual vCenter Server Appliance is running on the T605
A virtual Debian DHCP/Apache2 server is running dnsmasq
The rest of the VMs are from www.vulnhub.com
Configuration details
Each ESX host has 3 scripts running on it:
Revert_Snapshots.sh, Create_Snapshots.sh, Script.sh
All 3 are stored in the /root directory of the ESX host.
The DHCP/Apache2 server has 2 scripts on it:
IP_TO_MAC.sh and Order.sh
Both are stored in the /root directory of the VM.
Scripts
ESX
Revert_Snapshots.sh
#!/bin/sh
# Get all VM IDs except the vCenter appliance and the DHCP server
VMIDS=$(vim-cmd vmsvc/getallvms | grep -v 01_Vcenter | grep -v 02_DNS_DHCP | awk '{print $1}' | grep -v Vmid)
# Loop through the VM IDs and check for a snapshot named "Fresh Install".
# If there is one, revert the VM to that snapshot and then power on the VM.
for VMID in $VMIDS
do
    case $VMID in
        ''|*[!0-9]*) ;;   # skip anything that is not a numeric VM ID
        *)
            if vim-cmd vmsvc/snapshot.get "$VMID" | grep -q "Fresh Install"; then
                vim-cmd vmsvc/get.summary "$VMID" | grep name
                SnapShotID=$(vim-cmd vmsvc/snapshot.get "$VMID" | grep "Fresh Install" -A 1 | grep "Id" | awk '{print $4}')
                vim-cmd vmsvc/snapshot.revert "$VMID" "$SnapShotID" 0 > /dev/null
                vim-cmd vmsvc/power.on "$VMID"
            fi
            ;;
    esac
done
Create_Snapshots.sh
#!/bin/sh
# Get all VM IDs except the vCenter appliance and the DHCP server
VMIDS=$(vim-cmd vmsvc/getallvms | grep -v 01_Vcenter | grep -v 02_DNS_DHCP | awk '{print $1}' | grep -v Vmid)
# Loop through the VM IDs and check for a snapshot named "Fresh Install".
# If there is none, take a snapshot called "Fresh Install".
for VMID in $VMIDS
do
    case $VMID in
        ''|*[!0-9]*) ;;   # skip anything that is not a numeric VM ID
        *)
            if ! vim-cmd vmsvc/snapshot.get "$VMID" | grep -q "Fresh Install"; then
                vim-cmd vmsvc/snapshot.create "$VMID" "Fresh Install"
            fi
            ;;
    esac
done
Script.sh
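#!/bin/sh
# Get all VM IDs
VMIDS=$(vim-cmd vmsvc/getallvms | awk '{print $1}' | grep -v Vmid)
# Start from an empty file. The path is absolute because Order.sh on the
# DHCP server copies the file from /MAC_ADDRESSES.
echo "" > /MAC_ADDRESSES
# Loop through the VM IDs and get the MAC address and name of each VM. Add them to the file.
for VMID in $VMIDS
do
    case $VMID in
        ''|*[!0-9]*) ;;   # skip anything that is not a numeric VM ID
        *)
            MacAddress=$(vim-cmd vmsvc/device.getdevices "$VMID" | grep macAddress | sed 's/macAddress = "//' | sed 's/",//' | sed -r 's/\s+//g')
            VmName=$(vim-cmd vmsvc/get.summary "$VMID" | grep name | sed 's/name = "//' | sed 's/",//' | sed -r 's/\s+//g')
            # Left unquoted on purpose: a VM with several NICs yields several
            # MACs, which all end up on one line in front of the VM name.
            echo $MacAddress $VmName >> /MAC_ADDRESSES
            ;;
    esac
done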
crontab (/var/spool/cron/crontabs/root)
#Run every 5 minutes
*/5 * * * * /root/Script.sh
#Run every Saturday at 5am
0 5 * * 6 /root/Create_Snapshots.sh
#Run every Sunday at 5am
0 5 * * 0 /root/Revert_Snapshots.sh
After editing the crontab, run the following commands to restart crond:
kill $(cat /var/run/crond.pid)
/usr/lib/vmware/busybox/bin/busybox crond
DHCP/Apache2
IP_TO_MAC.sh
#!/bin/sh
# This script creates the HTML page that shows the IP addresses and VM names
# Make sure the file is empty
echo "" > /root/iptomac
# Add the title HTML to the file
echo "<title>CyberSaints Vulnerable IP's</title>" >> /root/iptomac
# Add the text to the file
echo "<i>This webpage is updated every minute. If there are any issues, check the /root/order.log file. The scripts that create this page are in /root</i><br><br>" >> /root/iptomac
echo "If you are trying to pentest one of these IP's and are struggling, try a walkthrough at www.vulnhub.com" >> /root/iptomac
# Add the table start to the file
echo "<table>" >> /root/iptomac
# Add the table headers to the file
echo "<tr><th>VMname</th><th>Ipaddress</th></tr>" >> /root/iptomac
# Loop through the DHCP file and compare each MAC to the entries in /root/MAC.
# If they match, add a new IP/VM name row to the HTML file.
while read -r line; do
    MAC=$(echo "$line" | awk '{print $1}')
    # Skip blank lines so grep is never called with an empty pattern
    [ -n "$MAC" ] || continue
    if grep -Rq "$MAC" /root/MAC
    then
        echo "<tr><td>" >> /root/iptomac
        # The VM name is the last field; a VM with several NICs has several MACs before it
        grep -R "$MAC" /root/MAC | awk '{print $NF}' >> /root/iptomac
        echo "</td><td>" >> /root/iptomac
        echo "$line" | awk '{print $2}' >> /root/iptomac
        echo "</td></tr>" >> /root/iptomac
    fi
done < /root/DHCP
echo "</table>" >> /root/iptomac
# Copy the file to index.html so it is served by the website
cp /root/iptomac /var/www/html/index.html
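An added example, not part of the original scripts: the same MAC-to-IP join done in a single awk pass, with the VM name HTML-escaped before it reaches index.html and with support for inventory lines that carry more than one MAC (Script.sh writes every NIC of a VM on one line in front of the name). The names render_rows and demo are hypothetical, and every address and VM name in the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the original scripts). Inputs use the page's formats:
#   inventory: "MAC [MAC ...] NAME" per line, as in /root/MAC
#   leases:    "MAC IP" per line, as in /root/DHCP
# render_rows and demo are hypothetical names.
render_rows() {
    awk '
    function is_mac(s) {   # six colon-separated hex pairs, already lowercased
        return length(s) == 17 && s ~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/
    }
    function esc(s) {      # HTML-escape text that lands inside <td>
        gsub(/&/, "\\&amp;", s); gsub(/</, "\\&lt;", s)
        gsub(/>/, "\\&gt;", s);  gsub(/"/, "\\&quot;", s)
        return s
    }
    # Inventory file: every field but the last is a MAC, the last is the name,
    # so both NICs of a dual-homed VM resolve to the same VM name.
    FNR == NR {
        for (i = 1; i < NF; i++) {
            m = tolower($i)
            if (is_mac(m)) name[m] = $NF
        }
        next
    }
    # Lease file: skip malformed lines and MACs that are not lab VMs.
    {
        m = tolower($1)
        if (!is_mac(m) || !(m in name)) next
        if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        printf "<tr><td>%s</td><td>%s</td></tr>\n", esc(name[m]), $2
    }' "$1" "$2"
}

demo() {   # constructed sample data, written to a temporary directory
    d=$(mktemp -d) || return 1
    printf '%s\n' '' '00:0c:29:aa:bb:01 Kioptrix1' \
        '00:0C:29:AA:BB:02 00:0c:29:aa:bb:03 <b>Lab&VM</b>' > "$d/MAC"
    printf '%s\n' '00:0c:29:aa:bb:01 192.168.1.50' \
        '00:0c:29:aa:bb:03 192.168.1.51' \
        'de:ad:be:ef:00:01 192.168.1.99' 'not-a-lease' > "$d/DHCP"
    render_rows "$d/MAC" "$d/DHCP"
    rm -rf "$d"
}

demo
```

Only the MAC and IP columns of the lease data are used, so the client-supplied hostname that dnsmasq also records never reaches the page.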
Order.sh
#!/bin/sh
# Gets all of the IPs and MAC addresses that have been leased
awk '{print $2 " " $3}' /var/lib/misc/dnsmasq.leases > /root/DHCP
# Obtains the MAC addresses from ESX4
scp root@192.168.1.10:/MAC_ADDRESSES /root/MAC_ESX4
# Obtains the MAC addresses from ESX3
scp root@192.168.1.9:/MAC_ADDRESSES /root/MAC_ESX3
# Obtains the MAC addresses from ESX2
scp root@192.168.1.8:/MAC_ADDRESSES /root/MAC_ESX2
# Combines all of the individual MAC address files into one
cat /root/MAC_ESX* > /root/MAC
# Runs the IP_TO_MAC script
/root/IP_TO_MAC.sh
In order for the scp to work via crontab I did some ssh-keygen stuff that I will add later.
crontab
#Runs every minute
*/1 * * * * /root/Order.sh >> /root/order.log