diff --git a/docs/devel.adoc b/docs/devel.adoc index 7634e6f..62aa2ff 100644 --- a/docs/devel.adoc +++ b/docs/devel.adoc @@ -14,6 +14,7 @@ branch to test in the following command: pip3 install --upgrade git+https://github.com/GoSecure/malboxes.git@branchname#egg=malboxes + == Making a release . Update the version in `malboxes/_version.py` @@ -34,3 +35,36 @@ branch to test in the following command: . Update version in `malboxes/_version.py` (+1 feature, append 'dev') and commit ** commit msg: Begin development on next release + + +== VirtualBox Management Commands + +Useful commands: + + VBoxManage list vms + + VBoxManage showvminfo + + VBoxManage controlvm packer-virtualbox-iso-1488033522 poweroff + +If that doesn't work, kill the VBoxHeadless process. + + VBoxManage unregistervm --delete + + +== How to View Errors from Scripts Called from Autounattend.xml + +=== PowerShell + +Add this to the end of PowerShell scripts: + + Write-Host "Press any key to continue ..." + $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyUp") + +This will pause scripts allowing you to see the output. + +=== Command (cmd.exe) + + PAUSE + +Will stop a batch script execution until a key is pressed. diff --git a/malboxes/installconfig/windows7/Autounattend.xml b/malboxes/installconfig/windows7/Autounattend.xml index fd0d4e6..d0aa481 100644 --- a/malboxes/installconfig/windows7/Autounattend.xml +++ b/malboxes/installconfig/windows7/Autounattend.xml @@ -80,26 +80,6 @@ true {{ username }} - - - 1 - Set Unrestricted Execution Policy - cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force" - true - - - 2 - cmd.exe /c wmic useraccount where "name='{{ username }}'" set PasswordExpires=FALSE - Disable password expiration for user {{ username }} - true - - - 3 - cmd.exe /c powershell -File "A:\enablewinrm.ps1" - Enable WinRM for Packer/Vagrant communicator - true - - true true 
@@ -123,8 +103,40 @@ - {{ username }} + {{ username }} Eastern Standard Time + + + 1 + Set Unrestricted Execution Policy + cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force" + true + + + 2 + Disable Network Prompt + cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" + true + + + 3 + Mark all networks as private + cmd.exe /c powershell -File a:\fixnetworks.ps1 + true + + + 4 + cmd.exe /c wmic useraccount where "name='{{ username }}'" set PasswordExpires=FALSE + Disable password expiration for user {{ username }} + true + + + 5 + cmd.exe /c powershell -File "A:\enablewinrm.ps1" + Enable WinRM for Packer/Vagrant communicator + true + + diff --git a/malboxes/installconfig/windows7/enablewinrm.ps1 b/malboxes/installconfig/windows7/enablewinrm.ps1 index fa92dfb..edb9f5c 100644 --- a/malboxes/installconfig/windows7/enablewinrm.ps1 +++ b/malboxes/installconfig/windows7/enablewinrm.ps1 @@ -1,5 +1,3 @@ -Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private - winrm quickconfig -q -transport:http winrm set winrm/config/client '@{AllowUnencrypted="true"}' winrm set winrm/config/service '@{AllowUnencrypted="true"}' @@ -7,5 +5,5 @@ winrm set winrm/config/service/auth '@{Basic="true"}' net stop winrm netsh advfirewall firewall set rule group="remote administration" new enable=yes netsh firewall add portopening TCP 5985 "Port 5985" -sc.exe config winrm start=auto +sc.exe config winrm start= auto net start winrm diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py index 6c58f33..575b982 100755 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py 
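Review bot: The new step 3 passes its script as `a:\fixnetworks.ps1`, unquoted and lower-case, while the moved step 5 uses `"A:\enablewinrm.ps1"`; both resolve on the floppy, but `cmd.exe /c powershell -File "A:\fixnetworks.ps1"` keeps the two invocations consistent and tolerates a path with spaces if the script is ever relocated. Steps 2 and 3 only make sense because of step 5 — WinRM will not listen on a Public-category network — and the new numbering does put them first, but nothing in the template says so; a short comment next to the new entries, `<!-- steps 2-3 must precede WinRM setup: remoting is refused on Public networks -->`, would protect the ordering from a future re-sort. If other profiles reuse this Autounattend.xml they will also need the `fixnetworks.ps1` floppy entry this commit adds only to win7_32_analyst.json; I cannot see those profiles from this diff.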
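Review bot: `sc.exe config winrm start= auto` is the correct form — sc.exe only parses the option when a space follows the `=` — but the fix is silent and the old `start=auto` looked right, so it will be "tidied" back by the next reader. A comment above the line, `# sc.exe requires the space after '=': 'start= auto', not 'start=auto'`, would prevent that regression.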
@@ -55,7 +55,8 @@ def init_parser(): "and config generator for malware analysis.") parser.add_argument('-V', '--version', action='version', version='%(prog)s ' + __version__) - parser.add_argument('-d', '--debug', action='store_true', help="Debug mode") + parser.add_argument('-d', '--debug', action='store_true', + help="Debug mode. Leaves built VMs running on failure!") subparsers = parser.add_subparsers() # list command diff --git a/malboxes/profiles/win7_32_analyst.json b/malboxes/profiles/win7_32_analyst.json index 97133b5..0e977d8 100644 --- a/malboxes/profiles/win7_32_analyst.json +++ b/malboxes/profiles/win7_32_analyst.json @@ -9,7 +9,8 @@ "floppy_files": [ "{{ cache_dir }}/Autounattend.xml", - "{{ dir }}/installconfig/windows7/enablewinrm.ps1" + "{{ dir }}/installconfig/windows7/enablewinrm.ps1", + "{{ dir }}/scripts/windows/fixnetworks.ps1" ] }], diff --git a/malboxes/scripts/windows/fixnetworks.ps1 b/malboxes/scripts/windows/fixnetworks.ps1 new file mode 100644 index 0000000..7259b8c --- /dev/null +++ b/malboxes/scripts/windows/fixnetworks.ps1 
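Review bot: The new floppy entry `{{ dir }}/scripts/windows/fixnetworks.ps1` introduces a second directory of install-time scripts next to `installconfig/windows7/`, and the diff carries no packaging change for it; if the package's data-file list enumerates paths rather than globbing the whole package, a pip-installed malboxes (the install route devel.adoc documents) would not ship the script and the Autounattend step that calls it would fail at floppy build time. That is inferred — setup.py is not in this diff — so it is worth verifying rather than assuming.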
@@ -0,0 +1,28 @@
+# From packer-windows project
+# https://github.com/joefitzgerald/packer-windows/blob/a2b9d6fdd91a857d605fb1d7ec822f3fdfa71db4/scripts/fixnetwork.ps1
+# Licensed under the MIT License
+# Copyright (c) 2014 Joe Fitzgerald
+
+# You cannot enable Windows PowerShell Remoting on network connections that are set to Public
+# Spin through all the network locations and if they are set to Public, set them to Private
+# using the INetwork interface:
+# http://msdn.microsoft.com/en-us/library/windows/desktop/aa370750(v=vs.85).aspx
+# For more info, see:
+# http://blogs.msdn.com/b/powershell/archive/2009/04/03/setting-network-location-to-private.aspx
+
+# Network location feature was only introduced in Windows Vista - no need to bother with this
+# if the operating system is older than Vista
+if([environment]::OSVersion.version.Major -lt 6) { return }
+
+# You cannot change the network location if you are joined to a domain, so abort
+if(1,3,4,5 -contains (Get-WmiObject win32_computersystem).DomainRole) { return }
+
+# Get network connections
+$networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
+$connections = $networkListManager.GetNetworkConnections()
+
+$connections |foreach {
+ Write-Host $_.GetNetwork().GetName()"category was previously set to"$_.GetNetwork().GetCategory()
+ $_.GetNetwork().SetCategory(1)
+ Write-Host $_.GetNetwork().GetName()"changed to category"$_.GetNetwork().GetCategory()
+}
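Review bot: The loop body calls `$_.GetNetwork()` three times per connection; binding the INetwork object once to a local reads better and avoids re-fetching the COM object between the category read, the `SetCategory(1)` and the confirmation print. The header comment explains that remoting needs a non-Public network but not the trade-off: category 1 (Private) puts every non-domain connection under the less restrictive Private firewall profile, and a sentence saying so lets a reader judge whether that is acceptable for their build network. `[Activator]::CreateInstance` on the CLSID throws if the Network List Manager class is unavailable; because the script is launched with `cmd.exe /c powershell -File`, that only surfaces as console output, which is consistent with the best-effort early `return`s used for the version and domain checks, but a one-line comment stating that the script is intentionally non-fatal would make the choice explicit.
```powershell
# … unchanged: version/domain checks and COM instantiation …
$connections | ForEach-Object {
    $network = $_.GetNetwork()
    Write-Host $network.GetName()"category was previously set to"$network.GetCategory()
    $network.SetCategory(1)
    Write-Host $network.GetName()"changed to category"$network.GetCategory()
}
```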