Ever look at plethora of browser tabs staring back at you with “I’ll check this out later” vibes and feel the urge to mercy-close the ones that just wont get done anytime soon? Browser tabs are now another subtle, nagging to-do list that gets neglected or ignored. I’m specifically referring to the tabs in the middle of your window that you pinky-promised you would revisit. They are reminders of things that you might do without making an actual to-do list.

I had one of those purge moments last week and remembered I had a tab open to check out Kasm Workspaces. This was an instance where I was glad I left that nagging to-do item waiting for me to revisit it.

Kasm is a disposable desktop infrastructure platform that is available for you on-demand when you need to perform tasks that you may not want on your primary, persistent machines. If you are a technology or security person, think of it as a way to spin up a containerized Linux distribution to run a few tests or an isolated Chrome to detonate a suspicious link. There are commercial and community versions available for use. You can test it out right on the website with a five minute timer to see how it works. The sheer number of tools you can provision with just a click is impressive!

Here’s a screenshot of my installation of Kasm Workspaces and the available tiles I provisioned.

I’ll leave some technical notes for those of you who want to try this in your own lab below documenting some minor issues I ran into and solved so you can get going faster.

The first thing I did once I got mine up and running was hit the Firefox Browser tile and detonate a phishing link that was reported to me. I was able to safely interact with the malicious webpage, see exactly what it was attempting to do (standard cred/token theft), download the malicious javascript (and subsequently beautifying it because you know it was all on one line with no spaces), and get the nitty-gritty of where things were being sent. It took less than a minute to do all of that.

After that, I started playing around with some of the tiles. Parrot OS was one of my new favorites and after a small configuration adjustment (noted below) I was able to launch a few scans against targets I was interested in without having to fire up a separate VM on my machine using these on-demand containers. The Alpine experience is super snappy, and even trying out other browsers like Vivaldi in a low-risk way was a good use of time.

Kasm has a ton of practical uses as well. On-demand desktops or jump hosts if you deploy it in a secured area, browser isolation (as I did above) to visit sites that may cause your machine harm, research, compliance, exploit testing, and even threat hunting (again, as I did above). If you are a security or technology professional, Kasm is a tool that should be deployed and ready for use in your toolbox.

If you are convinced and ready to get started, keep reading to get some tips and tricks that will speed your way to using Kasm!

The Technical Mumbo-Jumbo

Ski Mask, by Dave Wasson

Here are some tips and tricks that I used to get things going.

Base OS Choice: If you are ready to move from the cloud version to something on-prem, you need a new machine for the Kasm installer to set up your environment. My first failed try was with Ubuntu Noble Numbat (24.04). I have a faint memory of discovering that Kasm was only compatible up to Jammy Jellyfish (22.04), so that was completely on me for doing that. I switched to installing a minimalist Debian 12 (bookworm) server that was super stripped down and the installer worked perfectly.

When you are putting hardware specs on the machine, pay close attention to the amount of storage you will need. These containers are not small, so a 20G footprint won’t get you very far. You will also need to ensure you have enough memory for the number of simultaneous users who will be launching workloads.

If you are running Debian, you will need to ensure you have curl, tar, and sudo (properly configured for your account to elevate its privileges) before you run the four commands in the installation instructions at the link above.

Elevated Privileges: One thing you will notice quickly if you deploy a linux distribution, such as Alma or Parrot, is that you are running the OS as a user called kasm-user. This is intentional. The kasm-user (and root user) does not have a password, so if you want to elevate to root to run nmap as an example, you need to do a couple of things.

Most modern Linux operating systems that would have a desktop element have sudo pre-installed, but by default the kasm-user is not in the /etc/sudoers file. In the Kasm admin portal, go to your installed workspace list and select the tile you want to modify (Alma in my case). Select the pencil icon to edit, and scroll down to “Docker Exec Config.” In that box, you want to drop in some JSON configuration that will add kasm-user to the /etc/sudoers file.

{
 "first_launch":{
      "user":"root",
      "cmd":"bash -c 'echo \"kasm-user  ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers'"
  }
}

Click Save. Now for most *NIX workspaces you deploy, this will be sufficient (provided sudo is installed) to allow kasm-user elevate to root. Keep in mind, this may break some of the isolation controls (I have not tested all of this) so do this with care. You could also add commands here to create a password for the kasm-user account, and then you could remove the NOPASSWD: ALL section of the JSON above for a traditional sudo experience.

Running Privileged Workloads: Parrot OS requires additional config to be passed to the Docker subsystem to allow tools like nmap to run—even without root privileges. All you need to do is edit the workspace again like above, and go to the Docker Run Config Override section. You will want to add the following there and click Save.

{
  "privileged": true
}

If you also want to elevate to root, you will need to make the Docker Exec Config update above as well.

Problems with Tiles: As of this writing, the default Kali tile will not install. I’ve filed a bug on this but I’m guessing this will work itself out based on the errors I am getting. Be sure to check the logs when things are not working, and refer to this Troubleshooting Guide to get things resolved.

Edit, Jan 26: If you look at that bug report above, one user suggested just using the rolling-weekly image until the normal one is fixed. This works fine for me in what I’m doing, so that’s how I solved that one tile. If you are in a similar situation and don’t mind a little bit of volatility, do that to get your tiles working (Kali is up and running nicely!).

Additional Kasm Registries: There are third party registries you can add to your Kasm setup to bring in other tools. I was able to get a Kali tile to work by doing that, but be intentional about adding those registries and do your due diligence.

This post originally appeared on BrandenWilliams.com.

Possibly Related Posts: