Malware Analysis Classes: Need help to setup Linux Virtual Machine network


This topic contains 14 replies, has 4 voices, and was last updated by  jayster 2 years ago.

  • #38121

    FrancescoPlli
    Participant

    Hi all,
    I’m trying to set up the network of the virtual machine with Kali Linux installed on it, but I’m seriously in trouble. I don’t know Linux at all and I’m trying to follow the videos, but some commands don’t seem to work.

    I’m using
    virtual box Version 5.0.10 r104061
    Kali Linux kali-linux-2.0-i386

    In the second video of the lab setup, at 21:22, the network is set from a shell using: vim etc/network/interfaces
    When I type this in my Kali shell, nothing appears.

    Can someone please direct me to some very basic steps to set up the lab with the VirtualBox and Kali versions that I have?

    thanking you in advance
    have a very nice day

    • This topic was modified 3 years, 11 months ago by  FrancescoPlli.
    #38128

    FrancescoPlli
    Participant

    In the VirtualBox settings for the Kali Linux machine I’ve set 2 adapters

    Adapter 1 http://snag.gy/clG3C.jpg

    Adapter 2 http://snag.gy/9FIc4.jpg

    Then I turned on my Kali Linux machine and opened a shell,

    but when I typed vim etc/network/interfaces

    this is what I got. It’s empty: http://snag.gy/ZPsLd.jpg

    This is instead a screenshot of my ifconfig http://snag.gy/twJcr.jpg

    #38387

    coypu76
    Participant

    Your ifconfig result is only showing IPv6 addresses bound.
    Your Kali VM should be turned off for the following procedure.
    It looks like you have configured Adapter 1 to the internal network. Instead this should be configured as the Host network. This will be the network seen by each VBox guest VM.
    If adapter 2 is set as NAT, you will need to set up the NAT network in the global settings:

    1. On the main VirtualBox control panel page using File, Preferences, Network.
    2. On the NAT Networks tab, add the network by clicking the NIC icon with the plus sign on it.
    3. Choose the third icon down (diagonal paintbrush or pen) and set up the parameters of the NAT network. Here is where you would choose to set up an internal DHCP server for the NAT network.
    4. To simplify, turn off Supports IPv6.
    5. If you choose to support DHCP, check that option. Otherwise you can add a static address for each interface.

    After setting up the NAT network in global settings and DHCP enabled, look and see if you get an IPv4 address. Also look at the listing of your /etc/interfaces directory. Is the size of interfaces 0 bytes?

    After making these config changes see what happens – post another note here and let us know.

    Hope this helps – good luck!

    Coypu

    • This reply was modified 3 years, 11 months ago by  coypu76.
    #38389

    coypu76
    Participant

    I think the issue proceeds from your VirtualBox network configuration.
    This page will help.
    https://www.thomas-krenn.com/en/wiki/Network_Configuration_in_VirtualBox

    I’m trying to answer as best I can. I’ve got lots of experience with VMWare, Xenserver and Hyper-V, but VirtualBox is still fairly new to me. Its controls are similar to those of other hypervisors, however. I’m setting up a VM with the same parameters as you to help answer your questions.
    Once more, good luck!

    • This reply was modified 3 years, 11 months ago by  coypu76.
    #38391

    coypu76
    Participant

    Also Francesco, thanks for posting this note. I think that a lot of students will benefit from your (our) mistakes and the experience from finding solutions to them!
    I’m glad you chose to use VirtualBox and to post your experiences here. Sean, the instructor of the course, has his own tools that he is accustomed to, and prefers VMWare workstation, which is probably what he uses in his corporate environment. But this is Cybrary and one reason most of us are studying here is that it’s free and we may not have budgets dedicated to instruction and learning.
    VirtualBox, being a free, Open Source product, is a little better suited to the needs of the average CybraryIT student.

    #38415

    FrancescoPlli
    Participant

    Hi Mitchell,

    First of all, thank you so much for the advice and for your availability. Many hours of testing and googling are going to make me crazy.

    I like very much this course so I’m trying to do my best to learn as much as I can from Sean. His videos are very clear and “step-by-step” based so it’s easy (also for me) to follow.

    I’m in trouble because networking stuff is not my cup of tea… I don’t know Linux at all and… (as if that wasn’t enough) English is not my native language.

    By the way….

    I’ve tried to set machines as Host-only network but something doesn’t work because my virtual machines don’t start at all.

    So I’ve researched “internal network” and I’ve found a very clear video on YouTube: https://www.youtube.com/watch?v=nsbxw_jx1wQ

    This is the point I’m at now:

    – In the network settings of the Windows XP VM I’ve set this: http://i67.tinypic.com/2bbigi.jpg
    – I started the machine and I set a static IP (Sean’s settings): http://i63.tinypic.com/b3n52q.jpg – sorry, my WinXP is not in English.
    – I’ve rebooted the machine
    – I’ve launched an ipconfig line and that’s what I’ve got http://i67.tinypic.com/5yusfb.jpg

    I believe that everything it’s ok till now.

    And now…. my troubles come…

    Sean configures on his Linux VM 2 adapters.

    If I’ve understood well:
    – Adapter 1 – NAT (this is the “normal external” internet that the VM will use to go on the web)
    – Adapter 2 – a sort of trusted internal network by which only VMs can talk to each other

    Then Sean configures the network by console editing interfaces file.

    I’m not sure but… eth0 refers to Adapter 1 (NAT) and eth1 refers to Adapter 2 (in some way).

    Then he turns both eth0 and eth1 off and on, and simply by doing a ping the two VMs are able to see each other.

    What I’ve done on Virtual Box?

    This is my last attempt:

    In the Machine Network settings I’ve turned on 2 Adapters:
    – Adapter 1 (NAT) http://i68.tinypic.com/j9sozt.jpg
    – Adapter 2 (Internal Network) http://i68.tinypic.com/24yz42g.jpg

    NOTE: in your opinion for “Promiscuous Mode” what should I select? (I’ve found different things on google so I don’t know) http://i65.tinypic.com/1onb83.jpg

    – I’ve edited interfaces file and now It looks like this http://i63.tinypic.com/2drrhw3.jpg

    But…. every time I reboot the machine, if I launch an ifconfig command I get this: http://i63.tinypic.com/rrmvlu.jpg

    Where is eth0???????????? Everything always disappears… 🙁

    If I try to do a ping from Linux VM to Windows VM I get: Network is unreachable

    If I do again ifconfig down and up I get this: http://i66.tinypic.com/5x2b2c.jpg

    No IPs??????

    Obviously I’m doing the wrong things….. Any idea???

    I’m so sorry for the long post and lots of screenshot but I’m trying to be very detailed.
    I also hope it’s clear enough to understand. Again, I’m still practicing my english skills.

    Thank You again for your help.

    Have a very best day.
    Francesco

    • This reply was modified 3 years, 11 months ago by  FrancescoPlli.
    #38428

    coypu76
    Participant

    Francesco – I have the configuration working and I have screenshots to tell you what to do, but I can’t post them right now because of family duties – my middle daughter is acting in a play and has two performances; My wife has gone to pick her up from the theater, and I need to get dinner ready for her and the family before her second performance this evening.
    Quick notes:
    1. XP machine set VBox network Adapter 1 to host only and choose the first hardware choice, which is built into XP’s drivers. This is the only connection.
    2. Kali machine set VBox network Adapter 1 to host only. Set Adapter 2 to NAT or Bridge so it will be able to see the network. In my case the network it’s on has no important hosts, so I went with Bridge, but NAT will work fine.
    3. On my machine I did not have to edit the /etc/network/interfaces file since both of the addresses are automatically assigned. The host-only network gets a DHCP address from VirtualBox, and the Bridged NIC gets one from the network’s DHCP server. If you choose NAT, you need to set up your DHCP server in the VBox global settings, or at least set up the address scheme. If you choose not to have a DHCP server, set the network address only and you can set a static address in /etc/network/interfaces.

    I have the very same setup and I have screenshots to post later – I will post them as an Open article and link from here. Sorry to have to keep you waiting, but family duties take priority.

    We’ll talk soon,
    Coypu

    • This reply was modified 3 years, 11 months ago by  coypu76.
    #38556

    FrancescoPlli
    Participant

    Hi Coypu,
    I understand that family has priority, so no worries 😀 (and good luck to your daughter 🙂 )

    While waiting for the screenshots and article, I tried to adjust the VM settings as described… I don’t know if I’ve played too much with the options… but…

    These are the Windows XP VM adapter settings http://i64.tinypic.com/33omdtj.jpg
    And this is what happens if I try to start the machine http://i65.tinypic.com/2en9375.jpg

    These are the Linux VM adapter settings http://i63.tinypic.com/29p2kag.jpg and http://i64.tinypic.com/f1bnt.jpg
    And this is what happens if I try to start the machine http://i64.tinypic.com/4gi77r.jpg

    I thought that my virtualbox installation was a mess so I tried to reinstall everything again but nothing has changed.

    I think I’ll wait for your screens and article to find out my mistakes 🙂

    Thank you again for your help.
    Francesco

    #38584

    coypu76
    Participant

    My analytical workstation looks like it has an issue, but I had it set up and it was working fine. After a round of Windows updates it would no longer respond or even boot. I have Vbox set up on another PC and will use that to make screen shots, but the main things are these:
    1. In the VBox control panel, set the global network settings in File, Preferences, Network.

    The host only network is set up automatically. You can keep the automatic settings, but have a look at the DHCP scope. You can put a static IP on the WindowsXP VM that is in the host-only VLAN as long as it is outside the DHCP scope.

    Also on the Global network, set up a NAT Network – it will have its own VLAN and DHCP scope. Just record its parameters or set them as you wish. I left my host only network on 192.168.56.x and the NAT Network was on 10.0.2.x I set them both up with Class C subnet mask because it’s a small network.

    When you set up each VM, on the VBox settings for each VM:
    WinXP – Adapter 1: set on Host Only network
    Kali – Adapter 1 on Host Only network, Adapter 2 on NAT Network
    On the Kali machine, take note of the checkbox to “Allow promiscuous mode”. By default it is unchecked but you will want to allow promiscuous mode to use Wireshark on the Kali box.

    Parameters on the XP machine: [don’t use these same settings – use them from the Host only VLAN in your VBox setup!]
    Address 192.168.56.10
    Subnet Mask 255.255.255.0
    Gateway 192.168.56.20 (the Kali box)
    DNS 192.168.56.20 (the Kali box)

    On the Kali machine, you don’t need to edit /etc/network/interfaces if you are using Kali 2.0. Kali’s Network Manager has a GUI you can use to set network parameters on both of the Ethernet Interfaces.

    eth0 (Host Only) I set to Static address, so that the Kali machine can be found by the Windows XP machine:
    address 192.168.56.20
    subnet mask 255.255.255.0
    gateway 192.168.56.20

    eth1 (NAT Network) I left at dynamic so it would simply pull a DHCP address. It doesn’t matter what this address is as long as it can get to the Internet.

    Both of these were set up in the Network Manager applet in Kali. I did not edit /etc/interfaces. After setting the interfaces I had to restart anyway for Windows updates on the host, so I shut down both VMs and let the whole system reboot. When it came back up:

    Did ipconfig at a command prompt on WinXP. Address was correct.
    Did a ping to 192.168.56.20 – got responses. WinXP can see Kali box.
    Did a tracert to google.com – no resolution of the address, as expected and planned. We don’t want XP to see the Internet – the Kali box will pretend to be any Internet host needed.

    Went to the Kali box.
    Did ifconfig at a terminal shell.
    eth0 had the correct static address of 192.168.56.20.
    eth1 had an address on the NAT network
    Successfully pinged back to 192.168.56.10
    Pinged Google. It was visible.
    Tracerouted to Google – successful.

    This is all that was needed on the network setup. I will try to post some screen shots from another PC I have that has VBox. Fortunately I have a small IT company with a few spare systems, and I already have VBox on my field notebook.

    Once I have the analytical workstation rebuilt I will post a full setup using VBox. Alternatively, if you get yours working, you could do so as well. This is important for Cybrary students, since Sean used his licensed VMWare workstation “industry standard”. I think “industry standard” just means that corporate types like paid support with someone they can call and insist on helping when they need it. VBox is community support – and that’s what we’re doing here!

    Hope this helps!
    Let me know if this is enough – sorry I don’t have screenshots.
    I’ll find out what happened with the setup I had – I think the old hard drive may be the issue, but I have a newer one (not brand new, but less than a year old!) I’m rebuilding on.

    Good luck!
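
The two-adapter layout from the post above (eth0 static on the host-only network, eth1 on DHCP) written as an ifupdown /etc/network/interfaces file, with a small linter for it. This is an added example, not part of any poster's reply; the function and sample names are made up for illustration, and the checks (missing `auto` line, missing netmask, empty or relative-path file) are common ifupdown mistakes, not a confirmed diagnosis of the problem in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ifupdown interfaces file.

# Constructed sample: eth0 static (host-only), eth1 DHCP (NAT network),
# but eth0 has no "auto" line and no netmask.
sample_broken() {
cat <<'EOF'
auto lo
iface lo inet loopback

iface eth0 inet static
    address 192.168.56.20

auto eth1
iface eth1 inet dhcp
EOF
}

# Constructed sample with both problems corrected.
sample_fixed() {
cat <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.56.20
    netmask 255.255.255.0

auto eth1
iface eth1 inet dhcp
EOF
}

# check_interfaces FILE: print one finding per line; return 0 only if clean.
check_interfaces() {
    case $1 in
        /*) ;;  # absolute path, as in /etc/network/interfaces
        *) echo "PATH $1: relative path, resolved against the current directory"
           return 1 ;;
    esac
    [ -s "$1" ] || { echo "EMPTY $1: missing or 0 bytes"; return 1; }
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "auto" || $1 ~ /^allow-/ { for (i = 2; i <= NF; i++) boot[$i] = 1; next }
        $1 == "iface"   { cur = $2; method[cur] = $4; order[++n] = cur; next }
        $1 == "address" { addr[cur] = 1; if ($2 ~ /\//) mask[cur] = 1 }
        $1 == "netmask" { mask[cur] = 1 }
        END {
            for (k = 1; k <= n; k++) {
                i = order[k]
                if (!(i in boot)) { print "NOBOOT " i ": no auto/allow-hotplug line, not raised at boot"; bad = 1 }
                if (method[i] == "static" && !(i in addr)) { print "STATIC " i ": no address"; bad = 1 }
                if (method[i] == "static" && !(i in mask)) { print "STATIC " i ": no netmask"; bad = 1 }
            }
            exit bad + 0
        }' "$1"
}

# Stand-alone run on the broken sample.
tmp=$(mktemp)
sample_broken > "$tmp"
check_interfaces "$tmp" || echo "fix the findings, then re-check with ifconfig after a reboot"
rm -f "$tmp"
```

On the analysis VM, run it as `check_interfaces /etc/network/interfaces`; on setups where Network Manager owns the interfaces, as in the post above, the file is expected to contain only the loopback stanza.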

    #38693

    coypu76
    Participant

    I’m having a very full schedule at work and taking the kids to their activities (karate practice, play rehearsals, etc.) but I was able to reproduce one problem on one machine.
    When I installed VBox on this machine, a Windows 2012 R2 Server, it did not have any NAT or Host-only network installed in the Global preferences (File, Preferences, Networks):
    [Screenshots: VBox No Network 1, VBox No Network 2]
    After this when I tried to add the networks I got an error that the NDIS driver was missing.

    I uninstalled VirtualBox and re-installed from the same source but ran the executable as Administrator. After re-installation, the networks would add properly, as shown here:
    [Screenshots: HostOnly1, HostOnly2, HostOnly3, NAT1, NAT2]

    These screenshots are all from the Global Network settings. The VirtualBox forums had some other people with the same problems where the HostOnly and NAT networks were missing. This was addressed as an install bug in earlier builds – but it definitely wants to be installed as administrator on a Windows host.

    I note with interest that the interface looks like different code segments are used to instantiate the NATNetwork and HostOnly networks. The HostOnly network has a configurable VLAN address, subnet mask, and has a configurable DHCP server scope which by default is 192.168.100-254, where the NATNetwork has the VLAN address and subnet in CIDR notation and simply has a check box for DHCP without any way to configure the scope. That’s interesting, but it should not affect the outcome.
    More on the VM network configs in a subsequent post to come – I have to rebuild because my old host machine failed. It was old hardware, so this is not really a big surprise.

    • This reply was modified 3 years, 11 months ago by  coypu76.
    #39221

    FrancescoPlli
    Participant

    Hi coypu76, I’ll try as soon as possible. So curious to see what will happen. Fingers crossed.

    Thank you

    #39843

    FrancescoPlli
    Participant

    Hi coypu76, I tried everything. I’m starting to think that it is only an issue with my PC.

    Every time I set Host-only, my machines (all of them) don’t start at all

    Error

    http://i65.tinypic.com/2416s01.jpg

    I really don’t know what to do :-D, Thank you so much for your time

    Francesco

    • This reply was modified 3 years, 11 months ago by  FrancescoPlli.
    #40754

    coypu76
    Participant

    Francesco – I was really busy at work, and on top of that my malware analysis workstation died. It turns out it was not the hard drive, but the system board. As luck would have it I inherited a nice system with an Intel i5 quad core CPU, and also was able to put together 16GB of DDR3 RAM from my boneyard. The new system is up and running and I was able to import the VMs from the working setup I had before.
    Both of their networks are running. They can see each other and the Kali box can see the Internet, so I’m back in business.
    I did not have to edit the Interfaces file on either VM – the XP VM is on the host only network and gets a DHCP address. The Kali box has eth0 on the host-only network and eth1 on the NatNetwork.
    The clue that something was misconfigured about the networking for the second set of VMs I configured was that the Network Manager icon is working in the imported Kali system. It got an IP address on the NATNetwork and I only had to add a DNS address for it to be able to access the Internet, so something was definitely wrong in the second VBox, and I think it is because of a hardware problem on the host affecting VBox.
    On better hardware my VMs are running normally, so I think you are probably correct in your last post.
    Good luck with the course!

    #41613

    zayud05
    Participant

    You are a passionate learner 😀 and I like that type… but first:
    if you don’t know Linux at all, I think you should learn it first? It could be an advantage.

    #103337

    jayster
    Participant

    Hey there Francesco !
    I too had a similar situation to yours, where Sean, the instructor of the dynamic malware analysis course, said the same thing but it didn’t work out for me, and I spent 2 days on the internet looking for a solution [indeed I failed]. Later I used “netstat -nr” to check the IP routing table and it was empty. How?
    First thing: when we made the changes in etc/network/interfaces, it overrode eth0 [the ethernet connection], and because of that it got flooded and you lost your internet and could not communicate with Windows XP.
    Second thing: I was unable to find any solution to that problem, so I tried an alternate way!
    there is always HOPE

    First of all, VirtualBox is free and I previously faced a lot of problems with it, like Kali Linux space partitioning [and I used gpart to later create the partitioning, which was so hectic], so I would suggest you try VMware.

    Solution :-
    After installing VMware > Kali Linux 2016.2 (which is the latest) > Windows XP!
    Go to the Kali Linux VMware settings; by default the network adapter will be set to NAT (that’s totally cool: you will have internet access in Kali Linux and it will not affect your main computer’s network). Then select > add > network adapter > HOST ONLY (listen: in VMware, when Sean selected the custom vmware option, please don’t do that, because in VMware vmware#8 is NAT by default and vmware#1 is HOST ONLY, so don’t select the custom option vmware#n where n = 2,3,4,5,6,7 or whatever). Now your eth0 and eth1 will be set by default.
    Now go to Windows XP > VMware settings > network adapter > and select HOST ONLY (don’t select custom vmware#2, please avoid that) and then save it!
    YOU ARE GOOD TO GO, TRY TO PING FROM KALI LINUX (CHECK WINDOWS XP IP ADDRESS CMD:IPCONFIG) AND PING TO IT

    CONCLUSION :- As Kali Linux is primarily set to NAT, you will have internet and your malware will not be able to flood the actual NET; if malware wants to infect, then the primary adapter should be in BRIDGE mode, but it ain’t, right? So you are good to go, and Windows XP primarily doesn’t have an internet connection as it is only connected to VMware#1 (host only), and Kali Linux to (vmware#8 + vmware#1), so you are good now.
    Tip :- Always use a VPN on Kali Linux while doing any malware analysis, and even try to use a VPN in your actual OS if you are dealing with ransomware or dropper/backdoor related stuff.
    I HOPE I COULD HELP YOU AFTER A LONG TIME !
