From 5682c9962ecf089ba86aef510312edcdcec17529 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Thu, 23 Feb 2017 23:02:49 -0500
Subject: [PATCH 1/5] Trying new code to set the network location (#33)

Since Get-NetConnectionProfile and Set-NetConnectionProfile doesn't exist on Windows 7
---
 .../installconfig/windows7/enablewinrm.ps1 | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/malboxes/installconfig/windows7/enablewinrm.ps1 b/malboxes/installconfig/windows7/enablewinrm.ps1
index fa92dfb..5a6691c 100644
--- a/malboxes/installconfig/windows7/enablewinrm.ps1
+++ b/malboxes/installconfig/windows7/enablewinrm.ps1
@@ -1,4 +1,25 @@
-Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private
+// ChangeCategory.ps1
+//
+$NLMType = [Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B')
+$INetworkListManager = [Activator]::CreateInstance($NLMType)
+
+$NLM_ENUM_NETWORK_CONNECTED = 1
+$NLM_NETWORK_CATEGORY_PUBLIC = 0x00
+$NLM_NETWORK_CATEGORY_PRIVATE = 0x01
+$UNIDENTIFIED = "Unidentified network"
+
+$INetworks = $INetworkListManager.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)
+
+foreach ($INetwork in $INetworks)
+{
+ $Name = $INetwork.GetName()
+ $Category = $INetwork.GetCategory()
+
+ if ($INetwork.IsConnected -and ($Category -eq $NLM_NETWORK_CATEGORY_PUBLIC) -and ($Name -eq $UNIDENTIFIED))
+ {
+ $INetwork.SetCategory($NLM_NETWORK_CATEGORY_PRIVATE)
+ }
+}
 winrm quickconfig -q -transport:http
 winrm set winrm/config/client '@{AllowUnencrypted="true"}'

From 5c17ae22bf97ad52b4e7b22f859f3bd4402c19e0 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Thu, 23 Feb 2017 23:04:24 -0500
Subject: [PATCH 2/5] Windows7: sc.exe arguments needs a space after the =

---
 malboxes/installconfig/windows7/enablewinrm.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/malboxes/installconfig/windows7/enablewinrm.ps1 b/malboxes/installconfig/windows7/enablewinrm.ps1
index 5a6691c..6a58983 100644
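Review bot: `// ChangeCategory.ps1` and `//` at the top of the new block are not PowerShell comment syntax; `//` is a parse error, and a script that fails to parse is not executed at all, so neither the category loop nor the `winrm` lines below it would run. Replace both lines with `# ChangeCategory.ps1` and `#`. The `$Name -eq $UNIDENTIFIED` test also compares against an English display string that is presumably localized on non-English Windows 7 media, in which case the category would never be changed there; keying only on `$Category -eq $NLM_NETWORK_CATEGORY_PUBLIC` is more robust, and the `$INetwork.IsConnected` check is already implied by the `NLM_ENUM_NETWORK_CONNECTED` filter passed to `GetNetworks`.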
--- a/malboxes/installconfig/windows7/enablewinrm.ps1 +++ b/malboxes/installconfig/windows7/enablewinrm.ps1 @@ -28,5 +28,5 @@ winrm set winrm/config/service/auth '@{Basic="true"}' net stop winrm netsh advfirewall firewall set rule group="remote administration" new enable=yes netsh firewall add portopening TCP 5985 "Port 5985" -sc.exe config winrm start=auto +sc.exe config winrm start= auto net start winrm From 1ef3f1291bc7a6bfc571bd3825c5a8f77673f54d Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau Date: Sun, 26 Feb 2017 10:50:29 -0500 Subject: [PATCH 3/5] Set all local networks to private (#33) Another attempt at #33. This time we set all network location regardless of the name and I made the script global since I think that it might be required on other OS also (and the code should work on more recent OSes). Borrowed from the packer-windows project. --- .../installconfig/windows7/Autounattend.xml | 14 +++++++++- .../installconfig/windows7/enablewinrm.ps1 | 23 --------------- malboxes/profiles/win7_32_analyst.json | 3 +- malboxes/scripts/windows/fixnetworks.ps1 | 28 +++++++++++++++++++ 4 files changed, 43 insertions(+), 25 deletions(-) create mode 100644 malboxes/scripts/windows/fixnetworks.ps1 diff --git a/malboxes/installconfig/windows7/Autounattend.xml b/malboxes/installconfig/windows7/Autounattend.xml index fd0d4e6..6160853 100644 --- a/malboxes/installconfig/windows7/Autounattend.xml +++ b/malboxes/installconfig/windows7/Autounattend.xml @@ -89,12 +89,24 @@ 2 + Disable Network Prompt + cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" + true + + + 3 + Mark all networks as private + cmd.exe /c powershell -File a:\fixnetworks.ps1 + true + + + 4 cmd.exe /c wmic useraccount where "name='{{ username }}'" set PasswordExpires=FALSE Disable password expiration for user {{ username }} true - 3 + 5 cmd.exe /c powershell -File "A:\enablewinrm.ps1" Enable WinRM for Packer/Vagrant communicator true 
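Review bot: The new `cmd.exe /c powershell -File a:\fixnetworks.ps1` command passes no `-ExecutionPolicy` switch, and a stock Windows 7 image runs with the Restricted policy, which refuses `-File` scripts; unless an earlier FirstLogonCommand (order 1, outside the hunk) already relaxes the policy, the network-category fix would fail silently and the later enablewinrm.ps1 step would still find the networks Public. Use `cmd.exe /c powershell -ExecutionPolicy Bypass -File "A:\fixnetworks.ps1"`, quoting the path the same way the existing enablewinrm.ps1 line does. The `reg add "HKLM\...\NewNetworkWindowOff"` line only suppresses the "Set Network Location" dialog and does not itself change any category, so a short `<Description>` wording such as `Disable the Set Network Location prompt (category is set by fixnetworks.ps1)` would make the division of labour between orders 2 and 3 clear.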
diff --git a/malboxes/installconfig/windows7/enablewinrm.ps1 b/malboxes/installconfig/windows7/enablewinrm.ps1
index 6a58983..edb9f5c 100644
--- a/malboxes/installconfig/windows7/enablewinrm.ps1
+++ b/malboxes/installconfig/windows7/enablewinrm.ps1
@@ -1,26 +1,3 @@
-// ChangeCategory.ps1
-//
-$NLMType = [Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B')
-$INetworkListManager = [Activator]::CreateInstance($NLMType)
-
-$NLM_ENUM_NETWORK_CONNECTED = 1
-$NLM_NETWORK_CATEGORY_PUBLIC = 0x00
-$NLM_NETWORK_CATEGORY_PRIVATE = 0x01
-$UNIDENTIFIED = "Unidentified network"
-
-$INetworks = $INetworkListManager.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)
-
-foreach ($INetwork in $INetworks)
-{
- $Name = $INetwork.GetName()
- $Category = $INetwork.GetCategory()
-
- if ($INetwork.IsConnected -and ($Category -eq $NLM_NETWORK_CATEGORY_PUBLIC) -and ($Name -eq $UNIDENTIFIED))
- {
- $INetwork.SetCategory($NLM_NETWORK_CATEGORY_PRIVATE)
- }
-}
-
 winrm quickconfig -q -transport:http
 winrm set winrm/config/client '@{AllowUnencrypted="true"}'
 winrm set winrm/config/service '@{AllowUnencrypted="true"}'
diff --git a/malboxes/profiles/win7_32_analyst.json b/malboxes/profiles/win7_32_analyst.json
index 97133b5..0e977d8 100644
--- a/malboxes/profiles/win7_32_analyst.json
+++ b/malboxes/profiles/win7_32_analyst.json
@@ -9,7 +9,8 @@ "floppy_files": [
 "{{ cache_dir }}/Autounattend.xml",
- "{{ dir }}/installconfig/windows7/enablewinrm.ps1"
+ "{{ dir }}/installconfig/windows7/enablewinrm.ps1",
+ "{{ dir }}/scripts/windows/fixnetworks.ps1"
 ]
 }],
diff --git a/malboxes/scripts/windows/fixnetworks.ps1 b/malboxes/scripts/windows/fixnetworks.ps1
new file mode 100644
index 0000000..7259b8c
--- /dev/null
+++ b/malboxes/scripts/windows/fixnetworks.ps1
@@ -0,0 +1,28 @@
+# From packer-windows project
+# https://github.com/joefitzgerald/packer-windows/blob/a2b9d6fdd91a857d605fb1d7ec822f3fdfa71db4/scripts/fixnetwork.ps1
+# Licensed under the MIT License
+# Copyright (c) 2014 Joe Fitzgerald
+
+# You cannot enable Windows PowerShell Remoting on network connections that are set to Public
+# Spin through all the network locations and if they are set to Public, set them to Private
+# using the INetwork interface:
+# http://msdn.microsoft.com/en-us/library/windows/desktop/aa370750(v=vs.85).aspx
+# For more info, see:
+# http://blogs.msdn.com/b/powershell/archive/2009/04/03/setting-network-location-to-private.aspx
+
+# Network location feature was only introduced in Windows Vista - no need to bother with this
+# if the operating system is older than Vista
+if([environment]::OSVersion.version.Major -lt 6) { return }
+
+# You cannot change the network location if you are joined to a domain, so abort
+if(1,3,4,5 -contains (Get-WmiObject win32_computersystem).DomainRole) { return }
+
+# Get network connections
+$networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
+$connections = $networkListManager.GetNetworkConnections()
+
+$connections |foreach {
+ Write-Host $_.GetNetwork().GetName()"category was previously set to"$_.GetNetwork().GetCategory()
+ $_.GetNetwork().SetCategory(1)
+ Write-Host $_.GetNetwork().GetName()"changed to category"$_.GetNetwork().GetCategory()
+}

From a862fbd7997c87aaebe9fd6c314c22162fbcc448 Mon Sep 17 00:00:00 2001
From: Olivier Bilodeau
Date: Sun, 26 Feb 2017 21:27:22 -0500
Subject: [PATCH 4/5] Re-ordered Autounattend.xml sections for Windows 7

Not sure if it helped or not but it works now.
---
 .../installconfig/windows7/Autounattend.xml | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)

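Review bot: `$_.GetNetwork().SetCategory(1)` in the foreach runs for every connection regardless of its current category, although the header comment says only Public networks are changed; either guard it with `if ($_.GetNetwork().GetCategory() -eq 0)` or reword the comment so a reader understands that every network the VM sees is forced to Private. That consequence deserves a comment of its own, because Private also moves the adapter to the less restrictive Windows Firewall profile and is what lets the later enablewinrm.ps1 step expose the WinRM listener, e.g. `# NOTE: Private also selects the private firewall profile; only run this on an isolated analysis network`. The DomainRole test `1,3,4,5 -contains ...` is correct PowerShell (array on the left), but a short comment naming the skipped roles (member workstation, member server, backup and primary DC) would save the next reader a lookup.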
diff --git a/malboxes/installconfig/windows7/Autounattend.xml b/malboxes/installconfig/windows7/Autounattend.xml index 6160853..d0aa481 100644 --- a/malboxes/installconfig/windows7/Autounattend.xml +++ b/malboxes/installconfig/windows7/Autounattend.xml @@ -80,6 +80,31 @@ true {{ username }} + + true + true + 3 + Home + + + + {{ password }} + true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>{{ password }}</Value> + <PlainText>true</PlainText> + </Password> + <DisplayName>{{ username }}</DisplayName> + <Group>Administrators</Group> + <Name>{{ username }}</Name> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <RegisteredOwner>{{ username }}</RegisteredOwner> + <TimeZone>Eastern Standard Time</TimeZone> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <Order>1</Order> @@ -112,31 +137,6 @@ <RequiresUserInput>true</RequiresUserInput> </SynchronousCommand> </FirstLogonCommands> - <OOBE> - <HideEULAPage>true</HideEULAPage> - <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> - <ProtectYourPC>3</ProtectYourPC> - <NetworkLocation>Home</NetworkLocation> - </OOBE> - <UserAccounts> - <AdministratorPassword> - <Value>{{ password }}</Value> - <PlainText>true</PlainText> - </AdministratorPassword> - <LocalAccounts> - <LocalAccount wcm:action="add"> - <Password> - <Value>{{ password }}</Value> - <PlainText>true</PlainText> - </Password> - <DisplayName>{{ username }}</DisplayName> - <Group>Administrators</Group> - <Name>{{ username }}</Name> - </LocalAccount> - </LocalAccounts> - </UserAccounts> - <RegisteredOwner>{{ username }}</RegisteredOwner> - <TimeZone>Eastern Standard Time</TimeZone> </component> </settings> <settings pass="specialize"> From 83207111cda1272155f45b8eb82d2af9eb7e6b77 Mon Sep 17 00:00:00 2001 
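Review bot: The moved `<UserAccounts>` block carries `{{ password }}` with `<PlainText>true</PlainText>` for both the built-in Administrator and the `{{ username }}` account, so the rendered Autounattend.xml in `{{ cache_dir }}` and on the floppy image attached to the VM hold the credential in clear; treat those artifacts as secrets (keep the cache out of version control, clean it after a build) and consider whether Administrator needs a usable password at all once the analyst account is in the Administrators group. Windows Setup is documented to remove password values from its cached copy of the answer file after the pass completes, but that does not cover the copies outside the guest, so a comment above `<AdministratorPassword>` saying `<!-- rendered with the profile password in clear text: do not share the cache dir or the floppy image -->` would warn the next maintainer. The commit message itself says it is unclear whether the reorder changed anything; pinning down the actual fix (it may be the patch-3 changes) before relying on this ordering would avoid cargo-culting it into other OS templates.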
From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Sun, 26 Feb 2017 21:29:13 -0500 Subject: [PATCH 5/5] --debug: added a note that VMs that failed to build will still run --- docs/devel.adoc | 34 ++++++++++++++++++++++++++++++++++ malboxes/malboxes.py | 3 ++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/docs/devel.adoc b/docs/devel.adoc index 7634e6f..62aa2ff 100644 --- a/docs/devel.adoc +++ b/docs/devel.adoc @@ -14,6 +14,7 @@ branch to test in the following command: pip3 install --upgrade git+https://github.com/GoSecure/malboxes.git@branchname#egg=malboxes + == Making a release . Update the version in `malboxes/_version.py` @@ -34,3 +35,36 @@ branch to test in the following command: . Update version in `malboxes/_version.py` (+1 feature, append 'dev') and commit ** commit msg: Begin development on next release + + +== VirtualBox Management Commands + +Useful commands: + + VBoxManage list vms + + VBoxManage showvminfo <vm> + + VBoxManage controlvm packer-virtualbox-iso-1488033522 poweroff + +If that doesn't work, kill the VBoxHeadless process. + + VBoxManage unregistervm --delete <vm> + + +== How to View Errors from Scripts Called from Autounattend.xml + +=== PowerShell + +Add this to the end of PowerShell scripts: + + Write-Host "Press any key to continue ..." + $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyUp") + +This will pause scripts allowing you to see the output. + +=== Command (cmd.exe) + + PAUSE + +Will stop a batch script execution until a key is pressed. diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py index 6c58f33..575b982 100755 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py 
@@ -55,7 +55,8 @@ def init_parser():
 "and config generator for malware analysis.")
 parser.add_argument('-V', '--version', action='version',
 version='%(prog)s ' + __version__)
- parser.add_argument('-d', '--debug', action='store_true', help="Debug mode")
+ parser.add_argument('-d', '--debug', action='store_true',
+ help="Debug mode. Leaves built VMs running on failure!")
 subparsers = parser.add_subparsers()
 # list command