Multi-machine Vagrant Setup with Gateway #112

Open
obilodeau opened this issue Feb 2, 2019 · 0 comments
Labels: enhancement, help wanted
obilodeau commented Feb 2, 2019

Did some tests yesterday for a multi-machine setup with the Vagrantfile built by the spin command. There are some challenges around the networking setup, since Vagrant insists on being on network adapter 0 and on using NAT, which we want to remove in order to detonate samples.

I also attempted to use the linked_clone feature and it works really well. We should make it the default.

# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure(2) do |config|

  # TODO try linked clones
  # TODO post-provisioning: disable adapter 1 (2nd one)
  config.vm.define "dirtybox" do |dirty|
    dirty.vm.box = "win10_64_analyst"
    dirty.vm.provider "virtualbox" do |vb|
      vb.name = "maldoc"
      vb.gui = true
      # Swap the networks around: Vagrant puts NAT on nic1, but we want the
      # "dirty" internal network there so the NAT adapter (nic2) can be cut later.
      vb.customize ['modifyvm', :id, '--nic1', 'intnet', '--nic2', 'nat']
      vb.customize ['modifyvm', :id, '--intnet1', 'dirty']
      # FIXME seems to be required only when created
      # The WinRM port forwards now have to live on the NAT adapter (nic2).
      vb.customize ['modifyvm', :id, '--natpf2', "winrm,tcp,127.0.0.1,55985,,5985"]
      vb.customize ['modifyvm', :id, '--natpf2', "winrm-ssl,tcp,127.0.0.1,55986,,5986"]
      vb.linked_clone = true
    end
    # Tell Vagrant which host ports reach WinRM so it can talk to the guest.
    dirty.vm.network "forwarded_port", id: 'winrm', guest: 5985, host_ip: '127.0.0.1', host: 55985, auto_correct: false, adapter: 1
    dirty.vm.network "forwarded_port", id: 'winrm-ssl', guest: 5986, host_ip: '127.0.0.1', host: 55986, auto_correct: false, adapter: 1
    # The gateway hands out the address on this internal network via DHCP.
    dirty.vm.network "private_network", type: "dhcp",
      virtualbox__intnet: "dirty"
    # Host files are shared on the Desktop
    dirty.vm.synced_folder ".", "/Users/malboxes/Desktop/host"
  end

  config.vm.define "gateway" do |gw|
    gw.vm.box = "ubuntu/trusty64"
    gw.vm.provider "virtualbox" do |vb|
      vb.name = "gateway"
      vb.gui = true
      vb.memory = 512
      # vb.customize ["modifyvm", :id, "--nic2", "bridged", "--bridgeadapter2", "Intel(R) Ethernet Connection I219-LM", "--cableconnected2", "off"]
    end
    # Static address on the "dirty" side; the dirtybox uses it as default gateway.
    gw.vm.network "private_network", ip: "192.168.13.1",
      virtualbox__intnet: "dirty"
  end
end

The gateway requires some provisioning. This hasn't been automated yet:

# provisioning (run once on the gateway)
sudo apt install dnsmasq wireshark-common
sudo service dnsmasq stop
# serve DHCP only on eth1, the "dirty" internal network
echo 'interface=eth1' | sudo tee -a /etc/dnsmasq.conf
echo 'dhcp-range=192.168.13.100,192.168.13.250,72h' | sudo tee -a /etc/dnsmasq.conf
sudo service dnsmasq start

# run on every boot (needs root)
sudo iptables -A FORWARD -o eth0 -i eth1 -s 192.168.13.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Once everything is up, cut the NAT on the dirtybox, and with the following command you are sniffing on the LAN side of the gateway:

wireshark -k -i <(vagrant ssh gateway -c "sudo dumpcap -P -i eth1 -w - " -- -ntt)

We should integrate this in a malboxes command like malboxes capture or something.
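Automating the gateway provisioning the comment leaves manual, as an added example that is not part of the issue or of the malboxes project: the one-time dnsmasq setup and the every-boot iptables rules become Vagrant shell provisioners (the latter with run: "always"). It assumes the same roles as above (eth0 = NAT/WAN, eth1 = "dirty" LAN, 192.168.13.0/24); the default-DROP FORWARD policy is an addition so only flows originating on the dirty side leave.

```ruby
# Added example (not the issue's code): gateway provisioning as Vagrant shell
# provisioners.  Assumed layout: eth0 = NAT/WAN, eth1 = "dirty" internal network.
GATEWAY_WAN_IF = "eth0"
GATEWAY_LAN_IF = "eth1"
GATEWAY_SUBNET = "192.168.13.0/24"
GATEWAY_DHCP_RANGE = "192.168.13.100,192.168.13.250,72h"

# One-time setup: dnsmasq hands out DHCP leases only on the dirty LAN side.
GATEWAY_SETUP = <<~SH
  set -e
  export DEBIAN_FRONTEND=noninteractive
  apt-get update && apt-get install -y dnsmasq wireshark-common
  cat > /etc/dnsmasq.d/dirty.conf <<EOF
  interface=#{GATEWAY_LAN_IF}
  bind-interfaces
  dhcp-range=#{GATEWAY_DHCP_RANGE}
  EOF
  service dnsmasq restart
SH

# Every boot: forwarding + NAT.  Chains are flushed first so re-running is
# idempotent; FORWARD defaults to DROP so only LAN-originated flows get out.
GATEWAY_FIREWALL = <<~SH
  set -e
  sysctl -w net.ipv4.ip_forward=1
  iptables -F FORWARD
  iptables -P FORWARD DROP
  iptables -A FORWARD -i #{GATEWAY_LAN_IF} -o #{GATEWAY_WAN_IF} -s #{GATEWAY_SUBNET} -m conntrack --ctstate NEW -j ACCEPT
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -t nat -F POSTROUTING
  iptables -t nat -A POSTROUTING -o #{GATEWAY_WAN_IF} -j MASQUERADE
SH

# Attach both provisioners to a machine definition (gw is the block variable
# from config.vm.define).
def gateway_provision(gw)
  gw.vm.provision "shell", name: "gateway-setup", inline: GATEWAY_SETUP
  gw.vm.provision "shell", name: "gateway-firewall", inline: GATEWAY_FIREWALL, run: "always"
end

# Only evaluated when this file is loaded by Vagrant as a Vagrantfile.
if defined?(Vagrant)
  Vagrant.configure(2) do |config|
    config.vm.define "gateway" do |gw|
      gw.vm.box = "ubuntu/trusty64"
      gw.vm.network "private_network", ip: "192.168.13.1", virtualbox__intnet: "dirty"
      gateway_provision(gw)
    end
  end
end
```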

obilodeau self-assigned this Feb 2, 2019
obilodeau added the help wanted label Oct 3, 2019