OPFORGE Docs

OPF-SRV-ML01 Setup Guide Last updated: 2025-06-28 This guide documents the deployment and configuration of opf-srv-ml01, the machine learning and detection engineering node in the OPFORGE lab. This node supports AI-based threat detection, anomaly modeling, and visual explainability for Red Team emulation exercises. 🧠 Purpose opf-srv-ml01 enables the OPFORGE lab to: Run JupyterLab for ML prototyping Ingest structured logs from opf-srv-log01 or enclave nodes Build and test anomaly detection models (e.g. PyCaret, scikit-learn) Visualize detection performance, event sequences, and feature importance Experiment with XAI techniques (e.g., SHAP, LIME) 📍 Network Placement Parameter Value Hostname opf-srv-ml01 IP Address 192.168.60.11 Subnet 192.168.60.0/24 Gateway 192.168.60.1 DNS 192.168.60.5, 8.8.8.8 The VM resides in the INTERNAL_NET segment and should be able to reach both enclave nodes and the log collector (opf-srv-log01). ...

“Luck is what happens when preparation meets opportunity.” — Seneca 🧭 OPFORGE Lab Companion Sheet This companion sheet is a quick-reference guide for building and navigating the OPFORGE segmented lab environment. It aligns with blog posts 1 through 7 and supports realistic threat emulation, detection validation, and cyber-AI experimentation. 🧱 Lab Zones & Addressing Zone CIDR Description Gateway RED_NET 192.168.50.0/24 Offensive tools, implants, C2s 192.168.50.1 INTERNAL_NET 192.168.60.0/24 Clients, Domain Controller, Blue Team infra 192.168.60.1 DMZ_NET 192.168.20.0/24 Public-facing services 192.168.20.1 LAN_WORKSTATIONS 192.168.30.0/24 User workstations 192.168.30.1 EXT_NET (Transit) 192.168.41.0/24 Between DMZ and InternetSim 192.168.41.1 InternetSim 192.168.40.0/24 Simulated public Internet 192.168.40.1 📦 Core Systems Hostname Role IP Address Notes OPF-DC01 Windows AD/DNS Controller 192.168.60.5 Authoritative for opforge.local OPF-FW-DMZ pfSense Firewall 192.168.20.5 Routes/filters between DMZ + EXT_NET OPF-RT-RED VyOS Router for RED_NET 192.168.50.1 Static route → EXT_NET via 192.168.50.2 OPF-RT-EXT VyOS Router between DMZ & RED 192.168.20.2 Dual NIC on DMZ + EXT OPF-RT-INET VyOS Router for simulated Internet 192.168.40.1 Outbound only OPF-RT-INT VyOS Router for Internal Network 192.168.60.1 Connected to Domain + workstations OPF-RT-DMZ Trunk router with VLAN 41 192.168.41.2 Connected to pfSense DMZ transit 📡 DNS Role Assignment Device Interface Role Primary DNS Fallback DNS Notes opf-rt-int Internal network 192.168.60.5 1.1.1.1, 8.8.8.8 Uses AD DNS opf-rt-inet Internet gateway 1.1.1.1 8.8.8.8 Strict external only opf-rt-red Red team network 192.168.50.1 1.1.1.1 pfSense for monitoring opf-rt-ext External/DMZ router 192.168.50.1 1.1.1.1 No internal lookup opf-fw-dmz DMZ Firewall 1.1.1.1 8.8.8.8 Forwards to internal or external 🔐 Firewall Rule Logic (pfSense) Allow DNS (TCP/UDP 53) from INTERNAL_NET to opf-dc01 Allow ICMP selectively (ping, traceroute validation) Allow NTP (UDP 123) Allow HTTP/HTTPS only to specific zones Deny all else explicitly with logging 📑 DNS Resolver Config (pfSense) Enabled DNS Resolver Domain override: opforge.local → 192.168.60.5 General DNS: 1.1.1.1, 8.8.8.8 Outgoing Interface: DMZ_TRANSIT_VLAN41 🔄 VyOS Routing Sample (per router) configure set protocols static route 192.168.30.0/24 next-hop 192.168.20.2 set protocols static route 192.168.60.0/24 next-hop 192.168.30.1 commit; save 🧪 Validation Commands Windows ping opf-dc01 nslookup google.com tracert opf-dc01.opforge.local Linux cat /etc/resolv.conf ping opf-dc01.opforge.local systemd-resolve --status 🗺 Timeline Snapshot (Posts 1–7) Post # Milestone 1 Lab Design + Purpose Defined 2 Static Routing and Interfaces Set 3 Subnet Segmentation (Red, Blue, DMZ) 4 (Deprecated – merged into 5 & 7) 5 DNS Resolver, Domain Controller Setup 6 Cross-zone DNS + Routing Fully Validated 7 VLAN 41 Added, pfSense Transit Config Completed 🧠 Tips & Notes Always snapshot before making routing/firewall changes Use tcpdump or Packet Capture in pfSense for flow debugging Keep /etc/hosts clean and prefer DNS testing via resolvers Maintain NAT boundaries only where necessary (egress control) 🧩 Next Companion Add-ons Network diagram (SVG/PNG) Credential vault structure (how secrets are handled) Integration plans for Zeek and detection engines Stay methodical. Document everything. Grow forward. ...

🎯 Goal Enforce logical traffic flow through each security zone in OPFORGE using a clearly segmented and rhymed IP scheme. RED_NET → RTR_RED → RTR_INET → RTR_EXT → FW_DMZ → RTR_INT → INTERNAL_NET 🔐 Subnet Allocation by Zone Zone/Link Subnet Mnemonic External Internet 192.168.1.0/24 1 = Origin RED_NET 192.168.10.0/24 10 = Tension RED ↔ INET Transit 192.168.20.0/24 20 = Handoff INET ↔ EXT Transit 192.168.30.0/24 30 = Throttle EXT ↔ DMZ Transit 192.168.40.0/24 40 = Border DMZ ↔ INTERNAL Transit 192.168.50.0/24 50 = Core Door INTERNAL_NET 192.168.60.0/24 60 = Fix-it Net 🚦 Expected IP Assignments Device Interface IP Address Connected To opf-rt-red eth0 192.168.10.1/24 RED_NET opf-rt-red eth1 192.168.20.1/24 opf-rt-inet opf-rt-inet eth0 192.168.20.2/24 opf-rt-red opf-rt-inet eth1 192.168.30.1/24 opf-rt-ext opf-rt-ext eth0 192.168.30.2/24 opf-rt-inet opf-rt-ext eth1 192.168.40.1/24 opf-fw-dmz (em0) opf-fw-dmz em0 192.168.40.2/24 opf-rt-ext opf-fw-dmz em1 192.168.50.1/24 opf-rt-int opf-rt-int eth0 192.168.50.2/24 opf-fw-dmz opf-rt-int eth1 192.168.60.1/24 INTERNAL_NET 🧭 Route Propagation (Examples) On opf-rt-red set protocols static route 192.168.60.0/24 next-hop 192.168.20.2 On opf-rt-inet set protocols static route 192.168.60.0/24 next-hop 192.168.30.2 On opf-rt-ext set protocols static route 192.168.60.0/24 next-hop 192.168.40.2 On opf-fw-dmz (pfSense CLI) route add -net 192.168.60.0/24 192.168.50.2 To persist: ...

OPFORGE Infrastructure Overview Overview OPFORGE began as a minimal cyber range with SOF-ELK and basic telemetry ingest, and has evolved into a segmented, multi-role portfolio lab for red team emulation, detection engineering, and AI-enhanced threat analysis. Evolution Timeline Phase 1: Initial Sandbox Single VM (SOF-ELK) Flat network, no segmentation Manual log ingestion Phase 2: Tactical Expansion Added pfSense (opf-fw01) Introduced segmentation: CSOCINFRA, DMZRED, LANWORKSTATIONS, ADINFRA First red team emulation with opf-red01 Winlogbeat and Sysmon on endpoints Phase 3: Professionalization Cloned base templates (base-ubuntu-2204-template, base-windows10-template) VM-specific roles: opf-ai01, opf-log01, opf-mbr01, etc. AI and ML integration via Jupyter (opf-ai01) Multi-tiered ingest pipeline (Zeek → Logstash → OpenSearch) Lessons Learned Legacy OS images break modern tools Cloning base templates improves consistency Network segmentation is essential for realistic detection engineering

OPFORGE Network Layout Segments CSOCINFRA (192.168.20.0/24): Houses opf-log01 (SIEM) and opf-ai01 (ML detection) LANWORKSTATIONS (192.168.30.0/24): Contains opf-mbr01 and future endpoints DMZRED (192.168.22.0/24): Hosts attacker targets like opf-cloud01 ADINFRA (192.168.40.0/24): Supports opf-dc01 and GPO testing Example Host Assignments Host IP Address Segment opf-fw01 192.168.1.24 (WAN) pfSense router opf-dc01 192.168.40.100 ADINFRA opf-mbr01 192.168.30.101 LANWORKSTATIONS opf-red01 192.168.22.50 DMZRED opf-log01 192.168.20.12 CSOCINFRA