virtualbox.org

Hi,

I am looking to build a malware analysis lab. I am currently running Virtualbox on a Linux host and came here for some tips on how to best design given my use case.

Physical Hardware
PC tower with 3 physical NICs and 16GB RAM
Linux MINT 18.1 host OS

Guest Environment
- Security Onion
- Windows 7
- Kali Linux

Requirements
- Isolation from my LAN
- Internet Access for Security Onion and Kali VM's
- The ability to sniff traffic from my capture interface on the Security Onion VM. (Promiscuous mode)

My main concern so far from what I've read is what network configuration supports promiscuous mode for sniffing. I've read some threads that say it requires Bridged Mode but it is not clear. Would I be able to use my Security Onion VM to sniff on an Internal or Host-Only network?

Suggestions appreciated.

Heisenberg wrote:Would I be able to use my Security Onion VM to sniff on an Internal or Host-Only network?

Absolutely. But all it would see is other VMs on the internal network, or VM<->host traffic on the host-only network. Is that your intention? You can't sniff internet traffic that way, at least not for longer than it takes for a guest app to detect that it has no internet. If you want a VM to sniff traffic on a physical network then it needs to be connected to the physical network, i.e. using bridging.

Yes that is my intention. I am going to be executing malware on the Windows VM and capturing the traffic with the SO VM.

I did a quick setup initially using host-only and tried a ping test between the Kali and Win7 VM while running tcpdump on my capture interface. I could see ICMP traffic from Kali --> Win7, but did not see any ICMP traffic when I initiated the ping from the Win7 --> Kali.

Are you sure you have that the right way round? As I understand it, Win7 defaults to ignoring ICMP polls.

ISTM that if you see traffic at all then the concept is proved: VirtualBox isn't preventing what you want to do. Then it's just a matter of configuring the guest OSs properly.