Just this past week I started migrating my honeynet to VirtualBox after struggling with some performance issues using VMWare workstation 6. My honeynet is currently housing around 20 virtual machines running on an Ubuntu 7.10 x64 Server distribution.
VirtualBox has a pretty solid set of documentation available and they build for Ubuntu and a few other distributions so installation is pretty easy.
I added the following to my sources.list:
deb http://www.virtualbox.org/debian gutsy non-free
First I wanted to see what packages were available.
hogfly@maluminse:~$ sudo apt-cache search virtualbox
virtualbox-ose - PC virtualization solution
virtualbox-ose-modules-2.6.22-14-generic - virtualbox-ose modules for linux-image-2.6.22-14-generic
virtualbox-ose-modules-2.6.22-14-server - virtualbox-ose modules for linux-image-2.6.22-14-server
virtualbox-ose-source - Source for the VirtualBox module
virtualbox - innotek VirtualBox
Ok..so speaking from hindsight, don't install the -ose packages. You'll end up being short some VBox commands that came in to play for me (VBoxAddIF for instance).
Install was as simple as issuing the apt-get install virtualbox command.
Once installed I created a Windows XP virtual machine and initially left it configured to use NAT. Eventually I moved this to a Bridged interface setup giving the virtual machine direct network access.
To accomplish this I installed bridge-utils and set up a bridge.
hogfly@maluminse:~$ sudo brctl addbr vboxbr0
hogfly@maluminse:~$ sudo brctl addif vboxbr0 eth2
To add the virtual machine to the bridge I first needed to create the virtual host interface.
hogfly@maluminse:~$ sudo VBoxAddIF vbox0 hogfly vboxbr0
VirtualBox host networking interface creation utility, version 1.5.4
(C) 2005-2007 innotek GmbH
All rights reserved.
Creating the permanent host networking interface "vbox0" for user hogfly.
Now that I had the virtual host interface set up I simply added it to the bridge.
hogfly@maluminse:~$ sudo brctl addif vboxbr0 vbox0
After doing this I just gave the XP system an IP address, installed some software, shut it down and started cloning it.
Cloning a VM in VirtualBox is pretty easy. The command line utility is called VBoxManage. I've found this to be far superior to Vmware's vmrun command line utility.
To clone my XP base image I simply issued the following command:
VBoxManage clonevdi XPBASE.vdi /mnt/honeypots/vbox1/Hpot1.vdi After a few minutes, the disk image was copied and I was ready to do some configuration. First though I had to "create" the virtual machine. This is basically just a registration of the VM existence.
To do so I issued the following command:
hogfly@maluminse:~$ VBoxManage createvm -name gumby -register -basefolder /mnt/honeypots/vbox1/
VirtualBox Command Line Management Interface Version 1.5.4
(C) 2005-2007 innotek GmbH
All rights reserved.
Virtual machine 'gumby' is created and registered.
UUID: cd07351b-8428-4829-62b0-1e42d86dd5d9
Settings file: '/mnt/honeypots/vbox1/gumby/gumby.xml'
Now I can start it up if I so choose:
hogfly@maluminse:~$ VBoxManage startvm gumby
So far I'm happy with VirtualBox but we'll see how things progress.
Saturday, January 12, 2008
Subscribe to:
Post Comments (Atom)
2 comments:
I've also been playing about with Vbox. It is proving to be very versatile. I spent some time this weekend configuring usb (again I'm using Ubuntu Gutsy). I've managed to get EnCase HASP security dongle working :-) Unfortunately though I couldn't get it working over vrdp.
Now that I have my old forensic workstation installed with Ubuntu Gutsy Gibbon I will be looking forward to utilizing both Linux tools and EnCase when the need arises.
Normally I use Gentoo for most of my machines but have started to use Ubuntu in light of the fact that Andy Rosen has moved over to using it with SMART.
btw hogfly, unfortunately your method for mounting VDI images doesn't work with dynamic disks, no surprise there I guess :-(
Yeah, I'm going to have to spend a little time with dynamic disks as I suspect that's what many people will use. The vditool should work to convert it however. So I guess all is not lost.
Post a Comment