Did some tests yesterday for a multi-machine setup with the Vagrantfile built by the spin command. There are some challenges around the networking setup since Vagrant insists on being on network adapter 0 and on using NAT, which we want to remove in order to detonate samples.
I also attempted to use the linked_clone feature and it works really well. We should make it the default.
```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure(2) do |config|
  # TODO try linked clones
  # TODO post-provisioning: disable adapter 1 (2nd one)
  config.vm.define "dirtybox" do |dirty|
    dirty.vm.box = "win10_64_analyst"
    dirty.vm.provider "virtualbox" do |vb|
      vb.name = "maldoc"
      vb.gui = true
      vb.customize ['modifyvm', :id, '--nic1', 'intnet', '--nic2', 'nat'] # swap the networks around
      vb.customize ['modifyvm', :id, '--intnet1', 'dirty'] # attach nic1 to the "dirty" internal network
      # FIXME seems to be required only when created
      vb.customize ['modifyvm', :id, '--natpf2', "winrm,tcp,127.0.0.1,55985,,5985"] # port forward WinRM
      vb.customize ['modifyvm', :id, '--natpf2', "winrm-ssl,tcp,127.0.0.1,55986,,5986"] # port forward WinRM over TLS
      vb.linked_clone = true
    end
    dirty.vm.network "forwarded_port", id: 'winrm', guest: 5985, host_ip: '127.0.0.1', host: 55985, auto_correct: false, adapter: 1
    dirty.vm.network "forwarded_port", id: 'winrm-ssl', guest: 5986, host_ip: '127.0.0.1', host: 55986, auto_correct: false, adapter: 1
    dirty.vm.network "private_network", type: "dhcp",
      virtualbox__intnet: "dirty"
    # Host files are shared on the Desktop
    dirty.vm.synced_folder ".", "/Users/malboxes/Desktop/host"
  end
  config.vm.define "gateway" do |gw|
    gw.vm.box = "ubuntu/trusty64"
    gw.vm.provider "virtualbox" do |vb|
      vb.name = "gateway"
      vb.gui = true
      vb.memory = 512
      # vb.customize ["modifyvm", :id, "--nic2", "bridged", "--bridgeadapter2", "Intel(R) Ethernet Connection I219-LM", "--cableconnected2", "off"]
    end
    gw.vm.network "private_network", ip: "192.168.13.1",
      virtualbox__intnet: "dirty"
  end
end
```
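The Vagrantfile above leaves a TODO to disable the NAT adapter after provisioning, and the detonation workflow later cuts the NAT on the dirtybox by hand. The script below is an added example, not code from the malboxes project: it detaches the NAT adapter of the running VM from the host with `VBoxManage controlvm ... nic2 null` and then verifies, from a `showvminfo --machinereadable` dump, that no adapter is attached to NAT, a NAT network or a bridge. The VM name `maldoc` comes from `vb.name` above; the `SAMPLE_BEFORE`/`SAMPLE_AFTER` dumps are constructed for the offline check.

```shell
#!/usr/bin/env bash
# Added example (not from the malboxes project): cut the dirtybox's NAT adapter
# from the host and verify that the VM only has internal-network adapters left.
# Assumes adapter 2 is the NAT one, as after the nic swap in the Vagrantfile.
set -eu

VM_NAME="${VM_NAME:-maldoc}"   # vb.name of the dirtybox in the Vagrantfile

# Reduce a `VBoxManage showvminfo --machinereadable` dump (stdin) to one
# "nicN=<attachment>" line per adapter, e.g. nic1=intnet.
list_nics() {
  sed -n 's/^nic\([0-9]*\)="\([^"]*\)"$/nic\1=\2/p'
}

# Return 0 when no adapter can reach the outside world directly; otherwise
# print the offending adapters on stderr and return 1.
check_isolated() {
  local offenders
  offenders="$(list_nics | grep -E '=(nat|natnetwork|bridged)$' || true)"
  if [ -n "$offenders" ]; then
    printf 'not isolated: %s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Detach adapter 2 at runtime (the VM stays up), then re-check the live config.
cut_nat() {
  VBoxManage controlvm "$VM_NAME" nic2 null
  VBoxManage showvminfo "$VM_NAME" --machinereadable | check_isolated
}

# Constructed samples of the relevant showvminfo lines, before and after the cut.
SAMPLE_BEFORE='name="maldoc"
nic1="intnet"
intnet1="dirty"
nic2="nat"
nic3="none"'
SAMPLE_AFTER='name="maldoc"
nic1="intnet"
intnet1="dirty"
nic2="null"
nic3="none"'

# Only touch a real VM when explicitly asked: ./cut_nat.sh cut   (assumed file name)
if [ "${1:-}" = "cut" ]; then
  cut_nat
fi
```

`check_isolated` is meant to be run after every `controlvm`/`modifyvm` change and before a sample is started; a non-zero exit is the signal that the dirtybox still has a path to the host network that bypasses the gateway.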
The gateway requires some provisioning. This hasn't been automated yet:
```bash
# provisioning
sudo apt-get install -y dnsmasq wireshark-common
sudo service dnsmasq stop
# in /etc/dnsmasq.conf, add:
sudo tee -a /etc/dnsmasq.conf <<'EOF'
interface=eth1
dhcp-range=192.168.13.100,192.168.13.250,72h
EOF
sudo service dnsmasq start
# run on every boot
sudo iptables -A FORWARD -o eth0 -i eth1 -s 192.168.13.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward   # a plain "echo > /proc/..." would not run as root under sudo
```
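The manual gateway steps above (dnsmasq on the dirty side, forwarding and masquerading towards the Vagrant NAT uplink) are what "hasn't been automated yet". The script below is an added example, not the project's own provisioner: it turns those steps into an idempotent script that can be attached as a Vagrant shell provisioner on the `gateway` machine and re-run on every boot, and it adds an offline check that reads an `iptables-save` dump and confirms the rule set is in place. It assumes `eth0` is the uplink and `eth1` the `dirty` internal network, as in the Vagrantfile; setting the FORWARD policy to DROP is an addition to the issue's rules, and `SAMPLE_DUMP` is a constructed dump for the check.

```shell
#!/usr/bin/env bash
# Added example (not from the malboxes project): idempotent provisioning for the
# "gateway" VM plus an offline check of the resulting iptables rule set.
# Intended to run as root from a Vagrant shell provisioner with run: "always".
set -eu

UPLINK_IF="${UPLINK_IF:-eth0}"                 # Vagrant NAT adapter, towards the internet
DIRTY_IF="${DIRTY_IF:-eth1}"                   # "dirty" intnet, 192.168.13.1 on the gateway
DIRTY_NET="${DIRTY_NET:-192.168.13.0/24}"
DHCP_RANGE="${DHCP_RANGE:-192.168.13.100,192.168.13.250,72h}"

# The dnsmasq fragment from the issue: serve DHCP only on the dirty interface.
render_dnsmasq_conf() {
  printf 'interface=%s\ndhcp-range=%s\n' "$DIRTY_IF" "$DHCP_RANGE"
}

install_dnsmasq() {
  apt-get install -y dnsmasq wireshark-common
  service dnsmasq stop
  # A drop-in file instead of appending to /etc/dnsmasq.conf keeps re-runs clean.
  render_dnsmasq_conf > /etc/dnsmasq.d/dirty-lab.conf
  service dnsmasq start
}

# Append a rule only if an identical one is absent (-C = check), so running the
# script on every boot does not pile up duplicate rules.
ensure_rule() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

apply_forwarding() {
  # Addition to the issue's rules: default-deny, so only the two ACCEPTs below
  # let traffic cross the gateway.
  iptables -P FORWARD DROP
  ensure_rule FORWARD -i "$DIRTY_IF" -o "$UPLINK_IF" -s "$DIRTY_NET" \
    -m conntrack --ctstate NEW -j ACCEPT
  ensure_rule FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -t nat -F POSTROUTING
  iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE
  sysctl -w net.ipv4.ip_forward=1
}

# Offline check of an iptables-save dump on stdin: 0 only if FORWARD defaults to
# DROP, the dirty->uplink NEW rule exists and MASQUERADE is on the uplink.
# On the gateway: iptables-save | check_rules_dump
check_rules_dump() {
  local dump
  dump="$(cat)"
  printf '%s\n' "$dump" | grep -q -- '^:FORWARD DROP' || return 1
  printf '%s\n' "$dump" | grep -- '^-A FORWARD ' | grep -- "-s ${DIRTY_NET} " \
    | grep -- "-i ${DIRTY_IF} " | grep -- "-o ${UPLINK_IF} " \
    | grep -q -- '--ctstate NEW -j ACCEPT' || return 1
  printf '%s\n' "$dump" | grep -q -- "^-A POSTROUTING -o ${UPLINK_IF} -j MASQUERADE" || return 1
  return 0
}

# Constructed sample of what iptables-save prints after apply_forwarding.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.13.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Entry point: only provisions when invoked as "gateway.sh provision" as root,
# so the file can be sourced for the checks without side effects.
if [ "${1:-}" = "provision" ] && [ "$(id -u)" -eq 0 ]; then
  install_dnsmasq
  apply_forwarding
  iptables-save | check_rules_dump
fi
```

Wiring it in is one line in the gateway block, `gw.vm.provision "shell", path: "gateway.sh", args: ["provision"], run: "always"` (file name assumed); the final `iptables-save | check_rules_dump` makes the provisioner fail loudly instead of leaving a half-configured gateway that would either black-hole the dirty network or, with a permissive FORWARD policy, let it reach the uplink unfiltered.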
Once everything is up, cut the NAT on the dirtybox, and with the following command you are sniffing on the LAN side of the gateway:
We should integrate this in a malboxes command like `malboxes capture` or something.