15 changes: 7 additions & 8 deletions ObsidianVault/CS-501/MalwareLab/Sandbox.md
Expand Up @@ -53,7 +53,7 @@ To do this, you need to
5) Allow network connections from your Windows sandbox, thus, positioning the Remnux VM as a gateway.

- If your host OS is Mac OS or Linux, feel free to download the Virtualbox OVA file https://docs.remnux.org/install-distro/get-virtual-appliance and follow the directions to import the appliance into Virtualbox manually.
- Alternatively, you can run ``` VBoxManage import --dry-run remnux-v7-focal.ova``` and then based on those options import import the appliance. See https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/vboxmanage-import.html for more. I ended up running `BoxManage import remnux-v7-focal.ova --vsys 0 --ostype "Ubuntu_64" -vmname "Remnux"`
- Alternatively, you can run ``` VBoxManage import --dry-run remnux-v7-focal.ova``` and then based on those options import import the appliance. See https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/vboxmanage-import.html for more. I ended up running `VBoxManage import remnux-v7-focal.ova --vsys 0 --ostype "Ubuntu_64" -vmname "Remnux"`
- If your Host OS is Windows, you can still import the Remnux OVA into Virtualbox, but you will have to disable Hyper-V on your host OS. I personally don't like doing this because it prevents you from using WSL and disables virtualization based security/isolation on your host os. I.e., lsass no longer gets virtualization based security.
- If you want to keep Hyper-V enabled, you have two options: manual install, or containerized installation.
- For container insulation, please see https://docs.remnux.org/run-tools-in-containers/remnux-containers
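Review bot: the corrected `+` line still carries two defects from the old line: the duplicated words in "based on those options import import the appliance", and the single-dash `-vmname`, whereas the `VBoxManage import` reference linked on the same line documents the option as `--vmname` (alongside `--vsys` and `--ostype`). Suggest `VBoxManage import remnux-v7-focal.ova --vsys 0 --ostype "Ubuntu_64" --vmname "Remnux"`, and verify on a current VirtualBox whether the single-dash spelling is even accepted. Minor: the inline code at the start of the line is wrapped in three backticks with a leading space (``` VBoxManage import --dry-run remnux-v7-focal.ova```), which renders differently from the single-backtick code used elsewhere in the list.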
Expand All @@ -64,7 +64,7 @@ To do this, you need to
- After importing your VM into Virtualbox, click settings, and go to Network. Click on adapter 2 and enable. Then set "Attached to" -> Internal Network
Choose a name (I chose PrivateNetwork because I am creative) and click save.
- For the Vagrant, I chose `ch0nky`
- Alternatively, use the CLI to add a network `VBoxManage modifyvm "Remnux" --nic2 intnet --intnet2 "ch0nk"`
- Alternatively, use the CLI to add a network `VBoxManage modifyvm "Remnux" --nic2 intnet --intnet2 "ch0nky"`
- here we modify the vm named Remnux to modify its second Network adapter to be internal and named ch0nky. For more on how internal networks work, see https://www.nakivo.com/blog/virtualbox-network-setting-guide/
- Once installed, boot up your vm. You can do this from a shell with `VBoxManage startvm "Remnux" ` or use the GUI and click the green start button. Now login. (the password is malware for the OVF, whatever you set it as for ubuntu, and vagrant/vagrant if you automated the process)

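Review bot: the `--intnet2 "ch0nky"` fix makes the CLI command agree with the name used for the Vagrant path, but the list now states the internal-network name in three places (GUI step, Vagrant step, CLI step); state it once and refer back to it. More important for the isolation goal: `--nic2 intnet` only configures adapter 2 of the Remnux VM. The text should also say what adapter 1 stays attached to (presumably NAT, since Remnux is meant to act as the gateway) and make explicit that the Windows sandbox gets only the internal-network adapter, otherwise a detonated sample can reach the internet regardless of the gateway. Formatting: the "Choose a name ..." sentence at line 33 is a continuation of the bullet above it and should be indented under it rather than starting a new unindented line.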
Expand Down Expand Up @@ -120,9 +120,9 @@ EOL
sudo netplan apply
```

Again: make sure to replace `enp0s8` with whatever your new interface is called..
Again: make sure to replace `enp0s8` with whatever your new interface is called.

Finally, run n `accept-all-ips start enp0s8` to allow traffic to the specified interface.
Finally, run `accept-all-ips start enp0s8` to allow traffic to the specified interface.
- *Bonus*: look at how accept-all-ips works. Can you figure out how to perform the same action, except only allow traffic from `10.10.10.3` (the static IP of the Windows malware sandbox)?

The configuration above is used to set a static IP address for our machine on the internal network.
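Review bot: `accept-all-ips start enp0s8` changes the host's iptables rules, so it needs root like the `sudo netplan apply` just above it; either write `sudo accept-all-ips start enp0s8` or say that the script elevates itself if that is the case on REMnux. The fixed typo lines are fine, but the interface placeholder `enp0s8` now appears in both the netplan block and the `accept-all-ips` line, so the "replace `enp0s8`" reminder should say that both occurrences have to be edited together. The bonus question about restricting the redirect to `10.10.10.3` is a good exercise, but it should mention that the answer lives in the iptables rules the script installs, so readers know where to look.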
Expand All @@ -134,12 +134,11 @@ Inetsim, as the name suggests, is a collection of tools to run simulated networ
- You can name it whatever you want, and place it anywhere you want.
Start up your favorite text editor and modify the following:

- enable the DNS server by un-commenting `start_service dns`
- enable the DNS server by un-commenting `start_service dns` and `start_service dummy_tcp`
- eg![[inetsim_service_dns.png]]
- In service bind address, set `service_bind_address 10.10.10.2`
- eg ![[inetsim_bind_addr.png]]
- In dns_default_ip set `dns_default_ip 10.10.10.2`
- Add `start_service dummy_tcp` in the `# start_service` section
- To modify the port that dummy_tcp runs on, set `dummy_bind_port 1234` in the `# Service Dummy` section
- Finally, to run with our new configuration, run `sudo inetsim --config=/path/to//my_inetsim.conf`

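Review bot: folding `start_service dummy_tcp` into the DNS bullet breaks the example that follows it: `![[inetsim_service_dns.png]]` is linked as the illustration of that bullet and, by its name, shows only the DNS line, so either update the screenshot or keep `dummy_tcp` as its own bullet (the removed line could simply have been moved next to the `dummy_bind_port 1234` bullet, which is the setting it belongs with). Also, `--config=/path/to//my_inetsim.conf` in the final bullet has a doubled slash; since the config file is described as "place it anywhere you want", write `--config=/path/to/my_inetsim.conf`.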
Expand Down Expand Up @@ -220,7 +219,7 @@ Once all of the tools are installed, create a shared folder to perform developme
Once setup, **TAKE A SNAPSHOT**

# Setup Flag
- Now that your vms are setup, create a shared folder on your Remnux box, and host a simple python server with `python3 -m http.server --bind 10.10.10.2 --directory /tmp/jail/ 1234
- Now that your vms are setup, create a shared folder on your Remnux box, and host a simple python server with `python3 -m http.server --bind 10.10.10.2 --directory /tmp/jail/ 1337
` to host a static file server on port 1337. To download files, simply visit `http://remnux:1337/` and download files there. Note this server will server will serve files from whatever directory you run the
- If you do directly mount the folder on your guest Windows vm, make sure that it is read only! Think about what happens if the malware you detonate is ransomware
- To add a shared folder, select your VM and click settings
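Review bot: the port now matches the "port 1337" text, but the `+` line still leaves the inline code open (the closing backtick sits at the start of the next line), and the trailing note contradicts the command: with `--directory /tmp/jail/` the server serves `/tmp/jail/`, not "whatever directory you run the" command from, and that sentence is truncated and duplicates "server will". Either drop `--directory` and keep the note, or keep the flag and delete the note. `http://remnux:1337/` also relies on the Windows box resolving `remnux`, which only works because INetSim's `dns_default_ip 10.10.10.2` answers for every name; `http://10.10.10.2:1337/` is the safer instruction. The read-only shared-folder warning is the right call and should be kept prominent.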
Expand Down Expand Up @@ -262,4 +261,4 @@ There is also a bug with the Remnux box that is installed from scratch on some H
For a more involved setup using KVM, see
https://c3rb3ru5d3d53c.github.io/documents/kvm-malware-lab/