Hi,
I am looking to build a malware analysis lab. I am currently running VirtualBox on a Linux host and came here for some tips on how best to design it given my use case.
Physical Hardware
PC tower with 3 physical NICs and 16GB RAM
Linux MINT 18.1 host OS
Guest Environment
- Security Onion
- Windows 7
- Kali Linux
Requirements
- Isolation from my LAN
- Internet access for the Security Onion and Kali VMs
- The ability to sniff traffic from my capture interface on the Security Onion VM. (Promiscuous mode)
My main concern so far from what I've read is what network configuration supports promiscuous mode for sniffing. I've read some threads that say it requires Bridged Mode but it is not clear. Would I be able to use my Security Onion VM to sniff on an Internal or Host-Only network?
Suggestions appreciated.
Malware analysis lab
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Malware analysis lab
Heisenberg wrote: Would I be able to use my Security Onion VM to sniff on an Internal or Host-Only network?
Absolutely. But all it would see is other VMs on the internal network, or VM<->host traffic on the host-only network. Is that your intention? You can't sniff internet traffic that way, at least not for longer than it takes for a guest app to detect that it has no internet. If you want a VM to sniff traffic on a physical network then it needs to be connected to the physical network, i.e. using bridging.
Heisenberg
- Posts: 5
- Joined: 13. Jul 2017, 16:21
Re: Malware analysis lab
Yes, that is my intention. I am going to be executing malware on the Windows VM and capturing the traffic with the SO VM.
I did a quick setup initially using host-only and tried a ping test between the Kali and Win7 VM while running tcpdump on my capture interface. I could see ICMP traffic from Kali --> Win7, but did not see any ICMP traffic when I initiated the ping from the Win7 --> Kali.
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Malware analysis lab
Are you sure you have that the right way round? As I understand it, Win7 defaults to ignoring ICMP polls.
ISTM that if you see traffic at all then the concept is proved: VirtualBox isn't preventing what you want to do. Then it's just a matter of configuring the guest OSs properly.
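A way to check that each VM matches the requirements discussed in this thread (malware VM isolated from the LAN, capture VM able to see other VMs' frames on the internal network), added here as an example and not code from the thread: it parses `VBoxManage showvminfo <vm> --machinereadable` output and flags a victim VM with any NAT or bridged adapter, or a sniffer VM whose adapter on the lab network still has VirtualBox's default `deny` promiscuous policy. The VM names, the network name `mallab`, and the sample output lines are constructed for the example.

```python
import re
import subprocess

# Adapter types that can reach the physical LAN or the internet.
EXPOSED = {"nat", "natnetwork", "bridged"}

# Constructed samples of `VBoxManage showvminfo --machinereadable` (trimmed).
WIN7_SAMPLE = '''name="Win7-victim"
nic1="intnet"
intnet1="mallab"
nicpromisc1="deny"
nic2="none"
'''
SO_SAMPLE = '''name="SecurityOnion"
nic1="nat"
nicpromisc1="deny"
nic2="intnet"
intnet2="mallab"
nicpromisc2="allow-all"
'''

def parse_machinereadable(text):
    """Turn key="value" lines (keys may themselves be quoted) into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg

def nic_findings(cfg, lab_net, role):
    """role is 'victim' (runs malware) or 'sniffer' (capture VM).
    Returns a list of problems; an empty list means the VM passes."""
    problems, saw_lab_nic = [], False
    for n in range(1, 9):  # VirtualBox exposes NIC slots 1-8
        mode = cfg.get(f"nic{n}", "none")
        if mode == "none":
            continue
        if role == "victim" and mode in EXPOSED:
            problems.append(f"nic{n} is '{mode}': malware VM can reach LAN/internet")
        on_lab = (mode == "intnet" and cfg.get(f"intnet{n}") == lab_net) or \
                 (mode == "hostonly" and cfg.get(f"hostonlyadapter{n}") == lab_net)
        if on_lab:
            saw_lab_nic = True
            promisc = cfg.get(f"nicpromisc{n}", "deny")  # VirtualBox default
            if role == "sniffer" and promisc not in ("allow-vms", "allow-all"):
                problems.append(f"nic{n} on '{lab_net}' has nicpromisc='{promisc}': "
                                "it will only see frames addressed to its own MAC")
    if not saw_lab_nic:
        problems.append(f"no adapter attached to lab network '{lab_net}'")
    return problems

def showvminfo(vm):
    """Live query of a real VM; needs VBoxManage on PATH (not used by the samples)."""
    out = subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                         check=True, capture_output=True, text=True).stdout
    return parse_machinereadable(out)
```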