This article takes you through installing the Velociraptor agent on Ubuntu 22.04. Velociraptor clients are endpoints running the Velociraptor agent; each client keeps a persistent connection to the server, so it is immediately available for interactive collection. Before a client can communicate, the Velociraptor server must already be installed and its client configuration generated. Check out our article on how to Install Velociraptor on Ubuntu 22.04.
How to Install Velociraptor agents on Ubuntu 22.04
- Start by downloading the Velociraptor release binary (v0.6.3-1 here) from the project's GitHub releases page.
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.3/velociraptor-v0.6.3-1-linux-amd64
- Next, make the binary executable.
chmod +x velociraptor-v0.6.3-1-linux-amd64
- In our previous post on how to Install Velociraptor on Ubuntu 22.04, the client config file was written to /etc/client.config.yaml. Copy it to your home directory, replacing kigz with your own user name. The file holds the server URLs, the server's CA certificate and the enrollment nonce, so keep it readable by root only.
sudo cp /etc/client.config.yaml /home/kigz
- Then start the Velociraptor client from the directory you copied the config into. The -v flag produces the verbose output shown below; the agent runs in the foreground and stops when you close the shell.
sudo ./velociraptor-v0.6.3-1-linux-amd64 --config client.config.yaml client -v
Sample output. The "406 Not Acceptable" responses on first contact are expected: the server does not yet know this client's public key, so the client enrolls ("Enrolling"), after which the next request is answered with "200 OK" and the server immediately pushes its first collection (Generic.Client.Info) to the new client.
[INFO] 2022-03-19T12:49:56+03:00 _ __ __ _ __
[INFO] 2022-03-19T12:49:56+03:00 | | / /__ / /___ _____(_)________ _____ / /_____ _____
[INFO] 2022-03-19T12:49:56+03:00 | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/
[INFO] 2022-03-19T12:49:56+03:00 | |/ / __/ / /_/ / /__/ / / / /_/ / /_/ / /_/ /_/ / /
[INFO] 2022-03-19T12:49:56+03:00 |___/\___/_/\____/\___/_/_/ \__,_/ .___/\__/\____/_/
[INFO] 2022-03-19T12:49:56+03:00 /_/
[INFO] 2022-03-19T12:49:56+03:00 Digging deeper! https://www.velocidex.com
[INFO] 2022-03-19T12:49:56+03:00 This is Velociraptor 0.6.3-1 built on 2022-03-02T14:03:42+10:00 (c795a57d)
[INFO] 2022-03-19T12:49:56+03:00 Loading config from file client.config.yaml
[INFO] 2022-03-19T12:49:56+03:00 Loading writeback from /etc/velociraptor.writeback.yaml
Generating new private key....
[INFO] 2022-03-19T12:49:56+03:00 Starting Crypto for client C.42b7f79f39d9f9c1
[INFO] 2022-03-19T12:49:56+03:00 Starting Journal service.
[INFO] 2022-03-19T12:49:56+03:00 Starting the notification service.
[INFO] 2022-03-19T12:49:56+03:00 Installing Dummy inventory_service. Will download tools to temp directory.
[INFO] 2022-03-19T12:49:56+03:00 Loaded 308 built in artifacts in 241.208442ms
[INFO] 2022-03-19T12:49:56+03:00 Starting event query service with version 0.
[INFO] 2022-03-19T12:49:56+03:00 Starting event query service with version 0.
[INFO] 2022-03-19T12:49:56+03:00 Expecting self signed certificate for server.
[INFO] 2022-03-19T12:49:56+03:00 Ring Buffer: Creation {"filename":"/var/tmp/Velociraptor_Buffer.bin","max_size":1073741874}
[INFO] 2022-03-19T12:49:56+03:00 Starting HTTPCommunicator: HTTP Connector to [https://localhost:8000/]
[INFO] 2022-03-19T12:49:56+03:00 Received PEM for VelociraptorServer from https://localhost:8000/
[INFO] 2022-03-19T12:49:56+03:00 Receiver: Connected to https://localhost:8000/reader
[DEBUG] 2022-03-19T12:49:56+03:00 Connection Info {"IdleTime":4807554,"LocalAddr":{"IP":"127.0.0.1","Port":48872,"Zone":""},"Reused":true,"WasIdle":true}
[INFO] 2022-03-19T12:49:56+03:00 Receiver: sent 674 bytes, response with status: 406 Not Acceptable
[INFO] 2022-03-19T12:49:56+03:00 Enrolling
[INFO] 2022-03-19T12:49:56+03:00 Ring Buffer: Enqueue {"item_len":925,"total_length":925}
[INFO] 2022-03-19T12:49:57+03:00 Compiled all artifacts.
[INFO] 2022-03-19T12:49:57+03:00 Ring Buffer: Leased {"leased_length":925,"total_length":925}
[INFO] 2022-03-19T12:49:57+03:00 Sender: Connected to https://localhost:8000/control
[DEBUG] 2022-03-19T12:49:57+03:00 Connection Info {"IdleTime":0,"LocalAddr":{"IP":"127.0.0.1","Port":48874,"Zone":""},"Reused":false,"WasIdle":false}
[INFO] 2022-03-19T12:49:57+03:00 Sender: sent 1411 bytes, response with status: 406 Not Acceptable
[INFO] 2022-03-19T12:49:57+03:00 Ring Buffer: Commit {"leased_length":925,"total_length":925}
[INFO] 2022-03-19T12:49:57+03:00 Ring Buffer: Truncate {"total_length":0}
[INFO] 2022-03-19T12:49:57+03:00 Receiver: Connected to https://localhost:8000/reader
[DEBUG] 2022-03-19T12:49:57+03:00 Connection Info {"IdleTime":0,"LocalAddr":{"IP":"127.0.0.1","Port":48876,"Zone":""},"Reused":false,"WasIdle":false}
[INFO] 2022-03-19T12:49:57+03:00 Receiver: sent 674 bytes, response with status: 200 OK
[INFO] 2022-03-19T12:49:57+03:00 Receiver: received 5155 bytes
[DEBUG] 2022-03-19T12:49:57+03:00 Received request: session_id:"F.C8QQEHAJB9HQ8" request_id:1 source:"VelociraptorServer" auth_state:AUTHENTICATED task_id:1647683397757960193 VQLClientAction:{Query:{VQL:"LET Generic_Client_Info_BasicInformation_0_0=SELECT config.Version.Name AS Name, config.Version.BuildTime AS BuildTime, config.Version.Version AS Version, config.Version.ci_build_url AS build_url, config.Labels AS Labels, Hostname, OS, Architecture, Platform, PlatformVersion, KernelVersion, Fqdn FROM info()"} Query:{Name:"$96886d40237019507603273fbc3e2d83a947d024059ccb58830fa54f38909e652a14dbe022c24899973045c7202c478d" VQL:"SELECT * FROM Generic_Client_Info_BasicInformation_0_0"} max_row:1000}
[DEBUG] 2022-03-19T12:49:57+03:00 Received request: session_id:"F.C8QQEHAJB9HQ8" query_id:1 request_id:1 source:"VelociraptorServer" auth_state:AUTHENTICATED task_id:1647683397758287874 VQLClientAction:{precondition:"SELECT OS From info() where OS = 'windows'" Query:{VQL:"LET precondition_Generic_Client_Info_WindowsInfo_0=SELECT OS FROM info() WHERE OS = 'windows'"} Query:{VQL:"LET Generic_Client_Info_WindowsInfo_0_0=SELECT { SELECT DNSHostName,
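As an added example (not code from the article or from the Velociraptor project), the following POSIX shell functions read the verbose client output above and pull out what an operator usually records when onboarding a host: the client ID the server assigned, the server URL the agent is talking to, how many 406 rejections preceded enrollment, and whether an authenticated request from the server has arrived yet. SAMPLE_LOG is constructed from the lines in the article's output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article. Feed it the output of
#   velociraptor --config client.config.yaml client -v
# on stdin, e.g.  velociraptor ... client -v 2>&1 | tee agent.log; enrollment_state < agent.log

# Constructed sample, condensed from the log lines shown in the article.
SAMPLE_LOG='[INFO] 2022-03-19T12:49:56+03:00 Loading config from file client.config.yaml
[INFO] 2022-03-19T12:49:56+03:00 Starting Crypto for client C.42b7f79f39d9f9c1
[INFO] 2022-03-19T12:49:56+03:00 Starting HTTPCommunicator: HTTP Connector to [https://localhost:8000/]
[INFO] 2022-03-19T12:49:56+03:00 Receiver: sent 674 bytes, response with status: 406 Not Acceptable
[INFO] 2022-03-19T12:49:56+03:00 Enrolling
[INFO] 2022-03-19T12:49:57+03:00 Sender: sent 1411 bytes, response with status: 406 Not Acceptable
[INFO] 2022-03-19T12:49:57+03:00 Receiver: sent 674 bytes, response with status: 200 OK
[DEBUG] 2022-03-19T12:49:57+03:00 Received request: session_id:"F.C8QQEHAJB9HQ8" request_id:1 source:"VelociraptorServer" auth_state:AUTHENTICATED'

# Client ID the server assigned: the C.<hex> token in the "Starting Crypto" line.
client_id() {
    sed -n 's/.*Starting Crypto for client \(C\.[0-9a-f]*\).*/\1/p' | head -n 1
}

# Server URL the agent was configured to reach (from the HTTPCommunicator line).
server_url() {
    sed -n 's/.*HTTP Connector to \[\(http[^]]*\)].*/\1/p' | head -n 1
}

# Number of "406 Not Acceptable" answers; a couple are normal before enrollment,
# a steady stream means the server never accepted the enrollment.
rejections() {
    grep -c 'response with status: 406'
}

# enrolled:     the server sent an AUTHENTICATED request, so the key exchange worked
# pending:      enrollment started but nothing authenticated came back yet
# not-started:  the client never reached the enrollment step
enrollment_state() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'auth_state:AUTHENTICATED'; then
        echo enrolled
    elif printf '%s\n' "$log" | grep -q '^\[INFO\].* Enrolling$'; then
        echo pending
    else
        echo not-started
    fi
}
```

Run against the constructed sample with, for instance, printf '%s\n' "$SAMPLE_LOG" | enrollment_state. If the state stays "pending" on a real host, check that the server URL printed by server_url is reachable from the endpoint and that the client config came from the same server deployment, since the CA certificate and nonce in it must match.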
- Reload the systemd daemon so it picks up any unit changes.
systemctl daemon-reload
- Check whether the velociraptor service is running. On this host it is the service set up in the previous article on the same machine, which is why its log shows a burst of entries at 12:49:57, the moment the new client enrolled; the agent started above is still the foreground process in your shell. The ">" at the end of each line is systemctl truncating long lines; use systemctl status velociraptor --no-pager -l to see them in full.
systemctl status velociraptor
Sample output
● velociraptor.service - Velociraptor linux amd64
     Loaded: loaded (/lib/systemd/system/velocirap>
     Active: active (running) since Sat 2022-03-19>
   Main PID: 1078 (velociraptor)
      Tasks: 17 (limit: 4583)
     Memory: 54.9M
     CGroup: /system.slice/velociraptor.service
             ├─1078 /usr/local/bin/velociraptor -->
             └─1848 /usr/local/bin/velociraptor -->

Mar 19 12:07:35 chat.itnixpro.com velociraptor[107>
Mar 19 12:17:35 chat.itnixpro.com velociraptor[107>
Mar 19 12:27:35 chat.itnixpro.com velociraptor[107>
Mar 19 12:37:35 chat.itnixpro.com velociraptor[107>
Mar 19 12:47:35 chat.itnixpro.com velociraptor[107>
Mar 19 12:49:57 chat.itnixpro.com velociraptor[107>
Mar 19 12:49:57 chat.itnixpro.com velociraptor[107>
Mar 19 12:49:57 chat.itnixpro.com velociraptor[107>
Mar 19 12:49:58 chat.itnixpro.com velociraptor[107>
Mar 19 12:49:59 chat.itnixpro.com velociraptor[107>
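Running the agent in the foreground, as the steps above do, is fine for a first test but does not survive a logout or reboot. As an added example (not code from the article or from the Velociraptor project), the script below installs the downloaded binary and client config permanently and runs the agent as a systemd service: it verifies the binary against a SHA-256 digest the operator supplies from the release page (the script never invents one), places the config under /etc/velociraptor with root-only permissions, and writes a unit named velociraptor_client.service. The unit name, the /etc/velociraptor path and the optional prefix argument are this example's own choices. Velociraptor can also build a Debian package for the client (velociraptor --config client.config.yaml debian client) that achieves the same end through dpkg.

```shell
#!/bin/sh
# Added example, not part of the original article or the Velociraptor project.
# Usage (as root):
#   sh install_agent.sh install ./velociraptor-v0.6.3-1-linux-amd64 <sha256-from-release-page> [/etc/client.config.yaml]
set -eu

# Return success only if the file's SHA-256 matches the digest the operator supplied.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Render a systemd unit that runs the agent as root (it needs to read arbitrary
# files and process state, so the usual sandboxing options are not applied).
client_unit() {
    bin="$1"; cfg="$2"
    cat <<EOF
[Unit]
Description=Velociraptor client
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=$bin --config $cfg client
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Copy binary and config into place and write the unit. The optional 4th
# argument is a directory prefix (hypothetical, for dry runs in a scratch dir).
install_client() {
    src_bin="$1"; expected="$2"; src_cfg="$3"; prefix="${4:-}"
    if [ -n "$expected" ]; then
        verify_sha256 "$src_bin" "$expected" || { echo "digest mismatch for $src_bin" >&2; return 1; }
    else
        echo "warning: no digest supplied, binary not verified" >&2
    fi
    install -d -m 0755 "$prefix/usr/local/bin" "$prefix/etc/velociraptor" "$prefix/etc/systemd/system"
    install -m 0755 "$src_bin" "$prefix/usr/local/bin/velociraptor"
    # The client config carries the server CA certificate and enrollment nonce: root-only.
    install -m 0600 "$src_cfg" "$prefix/etc/velociraptor/client.config.yaml"
    client_unit /usr/local/bin/velociraptor /etc/velociraptor/client.config.yaml \
        > "$prefix/etc/systemd/system/velociraptor_client.service"
}

if [ "${1:-}" = install ]; then
    install_client "$2" "$3" "${4:-/etc/client.config.yaml}"
    systemctl daemon-reload
    systemctl enable --now velociraptor_client
fi
```

After the unit starts, systemctl status velociraptor_client should show the agent running, and the client's private key lands in the writeback file the agent logs on startup (/etc/velociraptor.writeback.yaml in the output above); that file, unlike the config, is the secret that identifies this endpoint to the server, so treat it with at least the same permissions.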
- Open your browser and navigate to https://localhost:8889 or https://server-IP:8889, then click the client search drop-down menu and select Show All to view connected clients.
- The connected clients, including the one you just enrolled, are listed with their client IDs and hostnames.
- You have reached the end of the article. Congratulations, you have learned how to install Velociraptor agents on Ubuntu 22.04.
Read more on Velociraptor Documentation