mandiant / flare-vm

A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
Apache License 2.0

NAT resolution on VMware not working - DNS_PROBE_FINISHED_BAD_CONFIG #619

Closed Nexxsys closed 1 month ago

Nexxsys commented 1 month ago

What's the problem?

After the installation script is completed (Network Adapter in VMWare Workstation set to NAT pre, during, and post installation script execution) the VM can no longer resolve domains. Error: DNS_PROBE_FINISHED_BAD_CONFIG. If the network adapter is switched to Bridged, all is good. I have also created a Mandiant Commando VM with no issues, same base Windows VM for both installation scripts.

Steps to Reproduce

Set Network Adapter to NAT.
Try to resolve any web address or ping in terminal/powershell or command prompt.

Environment

VMWare Workstation Pro 17.5.2 build-23775571

Additional Information

Error: DNS_PROBE_FINISHED_BAD_CONFIG

emtuls commented 1 month ago

Hi @Nexxsys!

Could you please provide some of the logs that were created during the install as well as what OS version you are using?

I will try to look into this and see if I run into the same issue on a fresh install with a new Windows 11 VM on VMWare, but this seems to be an issue that is not uncommon outside of FlareVM so I'm unsure if our installer is causing this, though I will certainly take a look. :)

emtuls commented 1 month ago

@Nexxsys Unfortunately, I was unable to reproduce this issue on a new Windows 11 VM in VMWare Workstation.

I can attempt to look at your logs when you post them to see if I may be able to determine what the issue is, or this may just be a Windows issue. Fortunately, it seems that it can be resolved easily by one of the following commands in a command prompt (followed by a restart):

netsh int ip reset

or

ipconfig /flushdns

Nexxsys commented 1 month ago

My apologies for the delayed response. Here is some information:

FLARE-VM 2024-09-25 14:16:13.60
C:\Users\nexxsys\Desktop>netsh int ip reset
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.

And

FLARE-VM 2024-09-25 14:16:25.83
C:\Users\nexxsys\Desktop>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

FLARE-VM 2024-09-25 14:17:42.08
C:\Users\nexxsys\Desktop>ipconfig /renew

Windows IP Configuration

No operation can be performed on Bluetooth Network Connection while it has its media disconnected.

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::e41a:feb2:1442:496b%5
   IPv4 Address. . . . . . . . . . . : 192.168.10.137
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.2

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

FLARE-VM 2024-09-25 14:17:56.56
C:\Users\nexxsys\Desktop>ping www.google.ca
Ping request could not find host www.google.ca. Please check the name and try again.

FLARE-VM 2024-09-25 14:18:09.31
C:\Users\nexxsys\Desktop>

What logs would you like to see?

Nexxsys commented 1 month ago

Windows version:

FLARE-VM 09/25/2024 14:21:06
PS C:\Users\nexxsys > $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      19041  3803

On my Commando VM (based on the same Windows image) there are no issues with internet or network access.

From Commando VM:

Commando VM 09/25/2024 14:23:29
PS C:\Users\nexxsys > ipconfig

Windows IP Configuration

Unknown adapter OpenVPN Wintun:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::7ffb:3e34:e3c0:15e9%6
   IPv4 Address. . . . . . . . . . . : 192.168.10.138
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.2

Commando VM 09/25/2024 14:23:34
PS C:\Users\nexxsys > $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      19041  3803

Ana06 commented 1 month ago

Our bug template asks for information about the environment and log files that could be useful (as they include information such as the installed packages and a package could be causing the issue here):

https://github.com/mandiant/flare-vm/issues/new?assignees=&labels=%3Abug%3A+bug&projects=&template=bug.yml

I can't think of anything in our installer that is different from the Commando VM, as I think we do not change anything related to the network settings (at least not directly). I recommend that you retry the installation of both using the same base VM and provide all the required information about each of the installations if the error persists.

Nexxsys commented 1 month ago

Thanks. I have recreated the VM with no issues.
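
The `ipconfig` and `ipconfig /renew` output posted in this thread shows the address and gateway of Ethernet0 but not its DNS servers, so it cannot tell a DNS fault from a connectivity fault. As an added example (not part of the thread and not FLARE-VM code), the PowerShell function below checks both on every active adapter; the function name `Test-GuestDns` and the verdict strings are made up for illustration.

```powershell
# Added example: separates "no IP connectivity" from "no usable DNS server" in a Windows guest.
# Assumption: run inside the affected VM. Test-GuestDns is a hypothetical helper name.
function Test-GuestDns {
    param(
        [string]$TestName = 'www.google.ca'   # the name that failed to resolve in the thread
    )
    # Adapters that are up and have an IPv4 default gateway (Ethernet0 in the posted output)
    $configs = Get-NetIPConfiguration | Where-Object {
        $_.NetAdapter.Status -eq 'Up' -and $_.IPv4DefaultGateway
    }
    foreach ($cfg in $configs) {
        $gateway = $cfg.IPv4DefaultGateway[0].NextHop
        $servers = @((Get-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex `
                        -AddressFamily IPv4).ServerAddresses)

        # Reach the gateway by IP so a DNS fault cannot mask a routing fault
        $gatewayUp = Test-Connection -ComputerName $gateway -Count 2 -Quiet

        # Query each configured server directly, bypassing the hosts file and other resolvers
        $answers = foreach ($s in $servers) {
            $reply = Resolve-DnsName -Name $TestName -Type A -Server $s -DnsOnly `
                        -QuickTimeout -ErrorAction SilentlyContinue
            [pscustomobject]@{ Server = $s; Resolved = [bool]$reply }
        }

        $verdict = if (-not $gatewayUp) {
            'Gateway did not answer ping: check the virtual network before DNS'
        } elseif ($servers.Count -eq 0) {
            'No IPv4 DNS server configured on this adapter'
        } elseif ($answers.Resolved -notcontains $true) {
            'DNS servers are configured but none answered'
        } else {
            'A configured DNS server answered: check the resolver cache and hosts file'
        }

        [pscustomobject]@{
            Adapter    = $cfg.InterfaceAlias
            Gateway    = $gateway
            GatewayUp  = $gatewayUp
            DnsServers = $servers -join ', '
            Verdict    = $verdict
        }
    }
}

Test-GuestDns | Format-List
```

Running it in both the affected VM and a working VM built from the same base image, then comparing the `DnsServers` and `Verdict` fields, shows whether the two guests received different DNS settings on the same NAT network.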