Hello guys,
So I want to test some live malwares, including network worms, in my Windows virtual machine.
The problem I am facing is that I am not sure which network settings I should use.
Many of the guides I have stumbled on are telling me to turn off the network of the virtual machine, however there are some malwares that will need a working internet connection otherwise the malware will not work.
Is there a way to make it so my virtual machine can not communicate with other devices in my network, but at the same time have an internet connection?
Network Settings for Malware analysis
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Network Settings for Malware analysis
NAT mode should do that for you.
Re: Network Settings for Malware analysis
mpack wrote: NAT mode should do that for you.
Thank you for your reply, however I am still struggling to understand how this works.
If I test a malware on my VM and I have the network settings on NAT, which means it has access to all my LAN devices, how is it going to prevent a network worm from infecting every other computer it finds on my LAN network?
I can still see my ICMP traffic (vm to host) in WireShark, which means that any packet (including network worms) should be able to reach my host pc?
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: Network Settings for Malware analysis
How NAT works is shown here: Virtualbox Networks: In Pictures: NAT
NAT acts like a router, which does allow access via IP address to the LAN.
To completely block the LAN but allow internet, you'll need a router/firewall VM between your malware VM and the host. See Virtualbox Networks: In Pictures: "Sandbox"
Re: Network Settings for Malware analysis
scottgus1 wrote: NAT acts like a router, which does allow access via IP address to the LAN.
Are you sure about that?
The NAT network (not to be confused with the "NAT network" network) is separate from the host LAN, it has completely separate addressing. I don't see how it's possible to access host LAN devices if you can't address them.
Re: Network Settings for Malware analysis
mpack wrote: Are you sure about that?
Fairly, though I may be overrating what I have seen.
Just to test again I spun up a Windows 7 VM set to NAT on my Windows 10 host. I got the typical 10.0.2.15 IP address in the VM. My host is at 192.168.0.116, and my file server is at 192.168.0.117.
Inside the VM I was able to ping both the 192.168.0.1 LAN router and my .116 host and .117 file server. Then in File Explorer I entered in the address bar \\192.168.0.116 and after entering credentials * got write access to the host's shared folders. Same worked for the file server at \\192.168.0.117.
I also tried a quick webserver on each computer and could get the web page in the VM by entering the computer's LAN IP address.
* The credentials part might be the official block to passing "virused" files, but I am not sure if WannaCry required credentials to be in place. NAT did not prevent the connection, though.
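The reachability test described in the post above can be automated as a pre-detonation check run inside the guest. This is an added example, not code from any poster in this thread; the function names are hypothetical, the targets are the LAN addresses quoted in the post, and the guest subnet is assumed to be the default 10.0.2.0/24 that goes with the 10.0.2.15 address.

```python
import ipaddress
import socket

# Constructed sample input: the LAN addresses quoted in the post above.
LAN_TARGETS = ["192.168.0.1", "192.168.0.116", "192.168.0.117"]
PORTS = [445, 80]  # SMB and HTTP, the two services the post tested


def probe(ip, port, timeout=1.5):
    """Classify one TCP connection attempt as open, refused or filtered."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # something answered with a reset
    except OSError:
        return "filtered"  # timeout or no route: nothing answered


def lan_exposure(targets, ports, guest_net="10.0.2.0/24", connect=probe):
    """Map (ip, port) -> state for private addresses outside the guest
    subnet (assumed default) that answered in any way."""
    own = ipaddress.ip_network(guest_net)
    found = {}
    for target in targets:
        addr = ipaddress.ip_address(target)
        if not addr.is_private or addr in own:
            continue  # internet hosts and the NAT subnet itself are out of scope
        for port in ports:
            state = connect(target, port)
            if state != "filtered":
                found[(target, port)] = state
    return found


def isolated(found):
    """True only when no LAN service accepted a connection."""
    return "open" not in found.values()


if __name__ == "__main__":
    result = lan_exposure(LAN_TARGETS, PORTS)
    for (ip, port), state in sorted(result.items()):
        print(f"{ip}:{port} {state}")
    print("ISOLATED" if isolated(result) else "LAN REACHABLE, do not detonate")
```

A "refused" entry means a reset came back, either from the target or from a rejecting firewall in between, so it is listed for review rather than counted as an accepted connection.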
Re: Network Settings for Malware analysis
mpack wrote:
    scottgus1 wrote: NAT acts like a router, which does allow access via IP address to the LAN.
    Are you sure about that?
    The NAT network (not to be confused with the "NAT network" network) is separate from the host LAN, it has completely separate addressing. I don't see how it's possible to access host LAN devices if you can't address them.
Yea, I am able to ping my phone and other devices from my VM.
@scottgus1 thanks for your answer.
Re: Network Settings for Malware analysis
scottgus1 wrote:
    mpack wrote: Are you sure about that?
    Fairly, though I may be overrating what I have seen.
    Just to test again I spun up a Windows 7 VM set to NAT on my Windows 10 host. I got the typical 10.0.2.15 IP address in the VM. My host is at 192.168.0.116, and my file server is at 192.168.0.117.
    Inside the VM I was able to ping both the 192.168.0.1 LAN router and my .116 host and .117 file server. Then in File Explorer I entered in the address bar \\192.168.0.116 and after entering credentials * got write access to the host's shared folders. Same worked for the file server at \\192.168.0.117.
Wowza! I didn't realize this. Does this mean computers on the LAN could talk to a NAT-ed VM? Or is it one way only?
Thanks for sharing!
Re: Network Settings for Malware analysis
NAT acts like a router. The way I have seen things behave, the NAT-connected VM has full access to internet and the LAN. For all intents and purposes, the LAN is part of the VM's internet.
Internet and LAN can access the VM through opened ports. See the link above.
Re: Network Settings for Malware analysis
JustinH wrote: Wowza! I didn't realize this. Does this mean computers on the LAN could talk to a NAT-ed VM? Or is it one way only?
Apparently the VM has access to a gateway that I was unaware of. That means that the VM will receive replies from locations (on the other side of the gateway) it has recently addressed. Unsolicited packets will be unroutable, so they won't reach the VM.