
Saturday, January 26, 2013

Setting up a Windows Guest on VirtualBox

I recently installed VirtualBox on Ubuntu LTS as described in my previous post. Now I am going to install a Windows XP Guest on it, so it can later be used as a platform to run malware for automatic analysis with Cuckoo sandbox.

In this case, instead of using the Phpvirtualbox web interface, I will use the command line, so that the virtual machine creation process will be easier to automate later with a bash script.

These are the specs I am going to use for the Windows XP:
  • 1GB of RAM
  • 20GB of Hard Disk space
  • VDI format for the virtual disk
  • Dynamically allocated storage

1.- Creating the virtual machine

The command vboxmanage can be used to create the virtual machine with the settings above and to attach a DVD drive with the Windows XP ISO image. In my case I decided to name it WindowsXPVM1.
 $ vboxmanage createvm --name "WindowsXPVM1" --ostype WindowsXP --register  
 $ vboxmanage modifyvm "WindowsXPVM1" --memory 1000 --acpi on --boot1 dvd --nic1 nat  
 $ vboxmanage createhd --filename "WinXP.vdi" --size 20000  
 $ vboxmanage storagectl "WindowsXPVM1" --name "IDE Controller" --add ide --controller PIIX4  
 $ vboxmanage storageattach "WindowsXPVM1" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "WinXP.vdi"  
 $ vboxmanage storageattach "WindowsXPVM1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /pathtoyouriso/windowsxp.iso  
At this point we can start the virtual machine to begin the Windows installation procedure.
 $ VBoxHeadless --startvm "WindowsXPVM1"  
In order to connect to the system we can either use the Phpvirtualbox console or connect directly through Remote Desktop Protocol (RDP) to the host.

2.- Installing guest additions in our virtual machine

 $ wget http://dlc.sun.com.edgesuite.net/virtualbox/4.1.12/VBoxGuestAdditions_4.1.12.iso  
Once downloaded, we need to mount the ISO file in the Windows XP guest and follow the installation wizard.

3.- Adding a shared folder and recording the network traffic

 $ vboxmanage controlvm "WindowsXPVM1" poweroff  
 $ mkdir -p /home/santiago/cuckoo/shares/WindowsXPVM1 /home/santiago/cuckoo/shares/setup  
 $ vboxmanage sharedfolder add "WindowsXPVM1" --name "WindowsXPVM1" --hostpath /home/santiago/cuckoo/shares/WindowsXPVM1 --automount  
 $ vboxmanage sharedfolder add "WindowsXPVM1" --name setup --hostpath /home/santiago/cuckoo/shares/setup --automount --readonly  
 $ vboxmanage modifyvm "WindowsXPVM1" --nictrace1 on --nictracefile1 /home/santiago/cuckoo/shares/WindowsXPVM1/dump.pcap  
 $ vboxheadless --startvm "WindowsXPVM1"  

4.- Configuring virtual machine to use a host-only adapter

 $ lsmod | grep vboxnetadp # module needed to add a new host-only interface at the host  
 $ vboxmanage list hostonlyifs # checks host-only interfaces at the host  
 $ vboxmanage hostonlyif create # leaving default IP 192.168.56.1/24  
 $ vboxmanage list dhcpservers # checks dhcp servers  
 $ vboxmanage list vms # checks virtual machines  
 $ vboxmanage showvminfo "WindowsXPVM1" # checks NICs information  
 $ vboxmanage controlvm "WindowsXPVM1" poweroff   
 $ vboxmanage modifyvm "WindowsXPVM1" --nic1 hostonly  
 $ vboxmanage modifyvm "WindowsXPVM1" --hostonlyadapter1 vboxnet0  
 $ vboxheadless --startvm WindowsXPVM1  
The gateway (192.168.56.1) and DNS server (in this case I will use Google's 8.8.8.8) need to be configured manually in the guest using Windows settings.

5.- Configuring the Host IP forwarding and firewall filters

 $ iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT  
 $ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  
 $ iptables -A POSTROUTING -t nat -j MASQUERADE  
 $ sysctl -w net.ipv4.ip_forward=1  
We can add these commands to our /etc/rc.local file if we want them to be executed every time the server boots or restarts.
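
The MASQUERADE rule above has no source or output-interface match, so it applies to every packet the host routes, not only to guest traffic. As an added example (not from the original post), this function audits rules in `iptables -S` format and flags NAT or forward rules that are not limited to the guest subnet; the function names and both sample rule sets are constructed for illustration.

```shell
# Added example: audit rules given on stdin in `iptables -S` format.
# On a live host (as root): { iptables -S; iptables -t nat -S; } | audit_forwarding 192.168.56.0/24 eth0
audit_forwarding() {     # usage: audit_forwarding GUEST_NET WAN_IF < rules
    local guest_net="$1" wan_if="$2" findings=0 rule
    while IFS= read -r rule; do
        case "$rule" in
            *"-j MASQUERADE"*)
                # NAT should apply only to guest traffic leaving the WAN side.
                case "$rule" in
                    *"-s $guest_net "*) ;;
                    *) echo "NAT-ANY-SOURCE: $rule"; findings=$((findings + 1)) ;;
                esac
                case "$rule" in
                    *"-o $wan_if "*) ;;
                    *) echo "NAT-ANY-INTERFACE: $rule"; findings=$((findings + 1)) ;;
                esac ;;
            "-A FORWARD"*"--ctstate NEW"*"-j ACCEPT"*)
                # New connections should be accepted only from the guest subnet.
                case "$rule" in
                    *"-s $guest_net "*) ;;
                    *) echo "FORWARD-ANY-SOURCE: $rule"; findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]    # exit status 0 only when nothing was flagged
}

page_rules() {   # constructed sample: the three rules above as `iptables -S` prints them
    cat <<'EOF'
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -j MASQUERADE
EOF
}

scoped_rules() { # constructed sample: same rules, NAT limited to guest traffic leaving eth0
    page_rules | sed 's|^-A POSTROUTING -j|-A POSTROUTING -s 192.168.56.0/24 -o eth0 -j|'
}
```

Running `page_rules | audit_forwarding 192.168.56.0/24 eth0` reports two findings for the POSTROUTING rule, while `scoped_rules` passes cleanly.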

6.- Starting and stopping the virtual machine

To start VirtualBox web service and the virtual machine we need to run the following commands:
 $ vboxwebsrv -b  
 $ vboxmanage list vms # Optional to list virtual machines  
 $ vboxheadless --startvm "WindowsXPVM1"  
And this is how we can stop it:
 $ vboxmanage controlvm "WindowsXPVM1" poweroff  
And we are done. We should now be able to use our fresh installation of our virtual Windows XP.
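
The bash automation mentioned at the start of this post could look like the following. This is an added example, not the author's script: it wraps the vboxmanage commands from steps 1, 3 and 4 in two functions, and the names `run`, `create_vm`, `configure_analysis` and the `DRY_RUN` variable are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. DRY_RUN=1 prints each command
# (shell quoting is not shown) instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the VM, a 20000 MB VDI disk, and attach the install ISO.
create_vm() {            # usage: create_vm NAME DISK.vdi INSTALL.iso
    local name="$1" disk="$2" iso="$3"
    run vboxmanage createvm --name "$name" --ostype WindowsXP --register &&
    run vboxmanage modifyvm "$name" --memory 1000 --acpi on --boot1 dvd --nic1 nat &&
    run vboxmanage createhd --filename "$disk" --size 20000 &&
    run vboxmanage storagectl "$name" --name "IDE Controller" --add ide --controller PIIX4 &&
    run vboxmanage storageattach "$name" --storagectl "IDE Controller" \
        --port 0 --device 0 --type hdd --medium "$disk" &&
    run vboxmanage storageattach "$name" --storagectl "IDE Controller" \
        --port 0 --device 1 --type dvddrive --medium "$iso"
}

# Steps 3 and 4: shared folders, traffic capture, host-only networking.
# The VM must be powered off when this runs.
configure_analysis() {   # usage: configure_analysis NAME SHARES_DIR HOSTONLY_IF
    local name="$1" shares="$2" hostif="$3"
    run mkdir -p "$shares/$name" "$shares/setup" &&
    run vboxmanage sharedfolder add "$name" --name "$name" \
        --hostpath "$shares/$name" --automount &&
    run vboxmanage sharedfolder add "$name" --name setup \
        --hostpath "$shares/setup" --automount --readonly &&
    run vboxmanage modifyvm "$name" --nictrace1 on \
        --nictracefile1 "$shares/$name/dump.pcap" &&
    run vboxmanage modifyvm "$name" --nic1 hostonly --hostonlyadapter1 "$hostif"
}

# Dispatch, e.g.:  DRY_RUN=1 ./xpvm.sh create WindowsXPVM1 WinXP.vdi /pathtoyouriso/windowsxp.iso
case "${1:-}" in
    create)    create_vm "$2" "$3" "$4" ;;
    configure) configure_analysis "$2" "$3" "$4" ;;
esac
```

Each function stops at the first failing command, so a half-created VM is not configured further; run with `DRY_RUN=1` first to review the exact commands.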

References

http://www.virtualbox.org/manual/
http://blog.michaelboman.org/

Installing VirtualBox on Ubuntu Server LTS

I decided to install VirtualBox on Ubuntu server so I can use it later with Cuckoo Sandbox for malware analysis.

The steps followed for this installation are:
  • Download and installation of Ubuntu Server LTS (current version 12.04.1)
  • VirtualBox and dependencies installation (current stable version 4.1.12)
  • Phpvirtualbox installation for headless servers (version 4.1-11)
  • VirtualBox extension pack installation for VRDP support
  • Starting VirtualBox and connecting to Phpvirtualbox web user interface

1.- Download and installation of Ubuntu Server LTS

I decided to use Ubuntu Server LTS as it is stable and does not require the installation of a desktop environment, which I won't use for my purposes. The server used has a 64-bit CPU, 12GB RAM, and 514GB of hard disk space, which is more than enough to run several virtual machines in parallel.

A fresh Ubuntu Server image can be downloaded from: http://www.ubuntu.com/download/server

Then you can choose to run the ISO from a USB stick or CD-ROM drive. My recommendation is to install only the base system, so we keep the server clean from packages that we won't use. The only extra package I installed was the SSH server so I can access it remotely.

Once the installation process has finished, let's also upgrade the Debian packages to the latest version by running these commands:
 $ apt-get update  
 $ apt-get dist-upgrade  
I also set up the hostname and network settings in /etc/hostname and /etc/network/interfaces.

2.- VirtualBox and dependencies installation

Installing VirtualBox with apt-get:
 $ apt-get install virtualbox  
Checking installed packages:
 $ dpkg -l | grep -i virtualbox  
 ii virtualbox             4.1.12-dfsg-2ubuntu0.2    x86 virtualization solution - base binaries  
 ii virtualbox-dkms          4.1.12-dfsg-2ubuntu0.2    x86 virtualization solution - kernel module sources for dkms  
 ii virtualbox-qt           4.1.12-dfsg-2ubuntu0.2    x86 virtualization solution - Qt based user interface  

3.- Installing Phpvirtualbox

First we need to install apache2 and php:
 $ apt-get install apache2  
 $ apt-get install php5  
Then we can install Phpvirtualbox, setting the permissions of the directory to your own username (mine is santiago):
 $ cd /var/www/  
 $ wget http://phpvirtualbox.googlecode.com/files/phpvirtualbox-4.1-11.zip  
 $ unzip phpvirtualbox-4.1-11.zip  
 $ chown -R santiago:santiago /var/www/phpvirtualbox/  
 $ cp /var/www/phpvirtualbox/config.php-example /var/www/phpvirtualbox/config.php  
Then edit /var/www/phpvirtualbox/config.php and set the username and password for the system user that runs VirtualBox:
 var $username = 'santiago';  
 var $password = 'yourpassword';  

4.- VirtualBox extension pack installation for VRDP support

Installing the extension pack will allow us to control the virtual machines' desktops remotely.
 $ wget http://download.virtualbox.org/virtualbox/4.1.12/Oracle_VM_VirtualBox_Extension_Pack-4.1.12.vbox-extpack  
 $ vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.12.vbox-extpack  

5.- Starting VirtualBox and connecting to Phpvirtualbox user interface

The following command is used to start the VirtualBox web service:
 $ vboxwebsrv -b  
Then we can connect to the user interface from our browser at http://yourserverip/phpvirtualbox
user: admin
password: admin

We should now be able to use our fresh installation of VirtualBox.

References

http://www.virtualbox.org/manual/
http://codesupply.net/content/setup-ubuntu-1110-64bit-server-headless-virtualbox-host