diff --git a/ObsidianVault/CS-501/MalwareLab/Sandbox.md b/ObsidianVault/CS-501/MalwareLab/Sandbox.md index 9104a2d..3c1035f 100644 --- a/ObsidianVault/CS-501/MalwareLab/Sandbox.md +++ b/ObsidianVault/CS-501/MalwareLab/Sandbox.md @@ -53,7 +53,7 @@ To do this, you need to 5) Allow network connections from your Windows sandbox, thus, positioning the Remnux VM as a gateway. - If your host OS is Mac OS or Linux, feel free to download the Virtualbox OVA file https://docs.remnux.org/install-distro/get-virtual-appliance and follow the directions to import the appliance into Virtualbox manually. - - Alternatively, you can run ``` VBoxManage import --dry-run remnux-v7-focal.ova``` and then based on those options import import the appliance. See https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/vboxmanage-import.html for more. I ended up running `BoxManage import remnux-v7-focal.ova --vsys 0 --ostype "Ubuntu_64" -vmname "Remnux"` + - Alternatively, you can run ``` VBoxManage import --dry-run remnux-v7-focal.ova``` and then based on those options import import the appliance. See https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/vboxmanage-import.html for more. I ended up running `VBoxManage import remnux-v7-focal.ova --vsys 0 --ostype "Ubuntu_64" -vmname "Remnux"` - If your Host OS is Windows, you can still import the Remnux OVA into Virtualbox, but you will have to disable Hyper-V on your host OS. I personally don't like doing this because it prevents you from using WSL and disables virtualization based security/isolation on your host os. I.e., lsass no longer gets virtualization based security. - If you want to keep Hyper-V enabled, you have two options: manual install, or containerized installation. - For container insulation, please see https://docs.remnux.org/run-tools-in-containers/remnux-containers 
@@ -64,7 +64,7 @@ To do this, you need to - After importing your VM into Virtualbox, click settings, and go to Network. Click on adapter 2 and enable. Then set "Attached to" -> Internal Network Choose a name (I chose PrivateNetwork because I am creative) and click save. - For the Vagrant, I chose `ch0nky` -- Alternatively, use the CLI to add a network `VBoxManage modifyvm "Remnux" --nic2 intnet --intnet2 "ch0nk"` +- Alternatively, use the CLI to add a network `VBoxManage modifyvm "Remnux" --nic2 intnet --intnet2 "ch0nky"` - here we modify the vm named Remnux to modify its second Network adapter to be internal and named ch0nky. For more on how internal networks work, see https://www.nakivo.com/blog/virtualbox-network-setting-guide/ - Once installed, boot up your vm. You can do this from a shell with `VBoxManage startvm "Remnux" ` or use the GUI and click the green start button. Now login. (the password is malware for the OVF, whatever you set it as for ubuntu, and vagrant/vagrant if you automated the process) @@ -120,9 +120,9 @@ EOL sudo netplan apply ``` -Again: make sure to replace `enp0s8` with whatever your new interface is called.. +Again: make sure to replace `enp0s8` with whatever your new interface is called. -Finally, run n `accept-all-ips start enp0s8` to allow traffic to the specified interface. +Finally, run `accept-all-ips start enp0s8` to allow traffic to the specified interface. - *Bonus*: look at how accept-all-ips works. Can you figure out how to perform the same action, except only allow traffic from `10.10.10.3` (the static IP of the Windows malware sandbox)? The configuration above is used to set a static IP address for our machine on the internal network. 
@@ -134,12 +134,11 @@ Inetsim, as the name suggests, is a collection of tools to run simulated networ - You can name it whatever you want, and place it anywhere you want. Start up your favorite text editor and modify the following: -- enable the DNS server by un-commenting `start_service dns` +- enable the DNS server by un-commenting `start_service dns` and `start_service dummy_tcp` - eg![[inetsim_service_dns.png]] - In service bind address, set `service_bind_address 10.10.10.2` - eg ![[inetsim_bind_addr.png]] - In dns_default_ip set `dns_default_ip 10.10.10.2` -- Add `start_service dummy_tcp` in the `# start_service` section - To modify the port that dummy_tcp runs on, set `dummy_bind_port 1234` in the `# Service Dummy` section - Finally, to run with our new configuration, run `sudo inetsim --config=/path/to//my_inetsim.conf` @@ -220,7 +219,7 @@ Once all of the tools are installed, create a shared folder to perform developme Once setup, **TAKE A SNAPSHOT** # Setup Flag -- Now that your vms are setup, create a shared folder on your Remnux box, and host a simple python server with `python3 -m http.server --bind 10.10.10.2 --directory /tmp/jail/ 1234 +- Now that your vms are setup, create a shared folder on your Remnux box, and host a simple python server with `python3 -m http.server --bind 10.10.10.2 --directory /tmp/jail/ 1337 ` to host a static file server on port 1337. To download files, simply visit `http://remnux:1337/` and download files there. Note this server will server will serve files from whatever directory you run the - If you do directly mount the folder on your guest Windows vm, make sure that it is read only! Think about what happens if the malware you detonate is ransomware - To add a shared folder, select your VM and click settings 
@@ -262,4 +261,4 @@ There is also a bug with the Remnux box that is installed from scratch on some H For a more involved setup using KVM, see https://c3rb3ru5d3d53c.github.io/documents/kvm-malware-lab/ - \ No newline at end of file +
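Review bot: in hunk `@@ -53,7` the `+` line fixes `BoxManage` but leaves two defects in the same sentence: the command ends with single-dash `-vmname "Remnux"` while the documented VBoxManage import option is `--vmname` (consistent with `--vsys` and `--ostype` on the same line), and the text reads "import import the appliance". Suggest `VBoxManage import remnux-v7-focal.ova --vsys 0 --ostype "Ubuntu_64" --vmname "Remnux"` and dropping the duplicated word; the earlier `--dry-run` command is wrapped in triple backticks with a leading space, which many Markdown renderers treat as a fenced block, so single backticks would match the rest of the file.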
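Review bot: in hunk `@@ -64,7` the `ch0nk` to `ch0nky` fix matters more than a typo, because VirtualBox internal networks are matched by name alone: an adapter on `ch0nk` and one on `ch0nky` are two separate networks and nothing warns you. The GUI bullet in the same hunk still says the author chose `PrivateNetwork`, so a reader who creates the Remnux adapter via the GUI and the Windows adapter via the CLI line ends up with no connectivity; suggest stating once which name is used throughout and that the Windows sandbox's adapter must use the identical string. Minor: "modify the vm named Remnux to modify its second Network adapter" repeats "modify".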
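Review bot: in hunk `@@ -120,9` the two typo fixes are fine; in the unchanged context the sentence "The configuration above is used to set a static IP address for our machine on the internal network." now follows the `accept-all-ips` paragraph rather than the netplan block it describes, so consider moving it up to directly after `sudo netplan apply`.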
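Review bot: in hunk `@@ -134,12` merging `start_service dummy_tcp` into the DNS bullet leaves the `eg![[inetsim_service_dns.png]]` screenshot showing only the dns line, so the image no longer matches the instruction; either refresh the screenshot or keep dummy_tcp as its own bullet. The removed line also told the reader where in the config the directive goes (`# start_service` section), which the merged line drops. Unchanged context: `--config=/path/to//my_inetsim.conf` has a doubled slash.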
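Review bot: in hunk `@@ -220,7` the port change (1234 to 1337) makes the command agree with the "port 1337" text and also stops the Python server from contending for the same `10.10.10.2:1234` that the earlier `dummy_bind_port 1234` suggestion gives inetsim's dummy_tcp, but the `+` line is otherwise still broken: the closing backtick of the inline command sits at the start of the following line, so the code span swallows the line break, and the sentence "Note this server will server will serve files from whatever directory you run the" repeats "server will" and is cut off. Also worth a sentence: `http://remnux:1337/` resolves from the Windows VM only if the sandbox uses inetsim as its DNS, which answers `dns_default_ip 10.10.10.2` for any name; using the IP directly avoids that dependency.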