From 2277dc9dd84c8a72c0065b48139d0cb738fcb7ba Mon Sep 17 00:00:00 2001 From: GL Date: Mon, 27 Feb 2017 20:36:08 -0500 Subject: [PATCH 01/17] First working pass. See https://github.com/GoSecure/malboxes/issues/30 for more details. --- malboxes/config-example.js | 22 ++++++- .../windows10_64/Autounattend.xml | 47 +++++++------- malboxes/malboxes.py | 22 ++++--- .../snippets/postprocessor_vagrant.json | 2 +- .../snippets/provision_powershell.json | 1 - malboxes/profiles/win10_32_analyst.json | 63 ++++++++++--------- malboxes/profiles/win10_64_analyst.json | 56 +++++++++-------- malboxes/vagrantfiles/analyst_vsphere.rb | 22 +++++++ malboxes/vagrantfiles/box_win.rb | 6 -- 9 files changed, 142 insertions(+), 99 deletions(-) mode change 100755 => 100644 malboxes/malboxes.py create mode 100644 malboxes/vagrantfiles/analyst_vsphere.rb diff --git a/malboxes/config-example.js b/malboxes/config-example.js index b88b70a..7ad894b 100644 --- a/malboxes/config-example.js +++ b/malboxes/config-example.js @@ -3,9 +3,9 @@ * Malboxes Example Configuration File * * Uncomment a specific section of the file to trigger a particular feature. - * - * Paths should be written using forward slashes even on Windows. - * For ex: C:/Tools + * + * Paths should be written using forward slashes even on Windows. + * For ex: C:/Tools */ // This allows you to use a local filestore for ISOs. 
@@ -26,6 +26,22 @@ // disk size is in megabytes "disk_size": "16384", + //Provision settings + //Which Hypervisor for privisoning and deployment? (Options are: "virtualbox" and "vsphere") Default is "virtualbox" + "hypervisor": "vsphere", + //If vsphere, the following configuration options are mandatory + "remote_host": "", + "remote_datastore": "", + "remote_username": "", + "remote_password": "", + "vsphere_host": "", + "vsphere_clone_from_vm": "packer-test", + "vsphere_name": "malboxestest", + "vsphere_user": "", + "vsphere_password": "", + "vsphere_insecure": "true", + + // Windows Defender: true means enabled, false means disabled. Default is false. //"windows_defender": "false", // Windows Updates: true means enabled, false means disabled. Default is false. diff --git a/malboxes/installconfig/windows10_64/Autounattend.xml b/malboxes/installconfig/windows10_64/Autounattend.xml index b4186da..8788d5b 100644 --- a/malboxes/installconfig/windows10_64/Autounattend.xml +++ b/malboxes/installconfig/windows10_64/Autounattend.xml @@ -2,29 +2,30 @@ - - - - - true - 1 - Primary - - - - - true - NTFS - C - 1 - 1 - - - 0 - true - - OnError - + + + + + 1 + Primary + true + + + + + false + NTFS + C + 1 + 1 + + + + 0 + true + + OnError + true {{ username }} diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py old mode 100755 new mode 100644 index 6c58f33..5c5b235 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py @@ -224,13 +224,11 @@ def prepare_config(profile): config_file) config = load_config(config_file, profile) - packer_tmpl = prepare_packer_template(config, profile) # merge/update with profile config with open(packer_tmpl, 'r') as f: config.update(json.loads(f.read())) - return config, packer_tmpl 
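Review bot: `"vsphere_insecure": "true"` ships as the sample default, which turns off certificate verification of the vSphere endpoint in the same block that now carries the `remote_password` and `vsphere_password` credentials, so every new user is opted into a connection whose peer is never authenticated. Default it to `"false"` and document the knob the way the neighbouring keys are, e.g. `// Skip TLS certificate verification of the vSphere host (self-signed lab setups only). Default is "false".` above `"vsphere_insecure": "false",`. PATCH 06 later edits this block to make virtualbox the default again but leaves both the insecure default and the "privisoning" typo in place, so the fix belongs here rather than there.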
@@ -317,14 +315,13 @@ def run_packer(packer_tmpl, args): f.write(jsmin(config.read())) f.close() - flags = ['-var-file={}'.format(f.name)] - if DEBUG: special_env = {'PACKER_LOG': '1'} - flags.append('-on-error=abort') else: special_env = None + flags = ['-var-file={}'.format(f.name)] + cmd = [binary, 'build'] cmd.extend(flags) cmd.append(packer_tmpl) @@ -427,11 +424,18 @@ def spin(parser, args): config['profile'] = args.profile config['name'] = args.name + print("Creating a Vagrantfile") - with open("Vagrantfile", 'w') as f: - _prepare_vagrantfile(config, "analyst_single.rb", f) - print("Vagrantfile generated. You can move it in your analysis directory " - "and issue a `vagrant up` to get started with your VM.") + if not config['hypervisor']: + with open("Vagrantfile", 'w') as f: + _prepare_vagrantfile(config, "analyst_single.rb", f) + print("Vagrantfile generated. You can move it in your analysis directory " + "and issue a `vagrant up` to get started with your VM.") + elif config['hypervisor']: + with open("Vagrantfile", 'w') as f: + _prepare_vagrantfile(config, "analyst_vsphere.rb", f) + print("Vagrantfile generated. You can move it in your analysis directory " + "and issue a `vagrant up` to get started with your VM.") def append_to_script(filename, line): diff --git a/malboxes/profiles/snippets/postprocessor_vagrant.json b/malboxes/profiles/snippets/postprocessor_vagrant.json index 68f8749..3eae5f4 100644 --- a/malboxes/profiles/snippets/postprocessor_vagrant.json +++ b/malboxes/profiles/snippets/postprocessor_vagrant.json @@ -1,5 +1,5 @@ "post-processors": [{ "type": "vagrant", "output": "boxes/{{ profile_name }}.box", - "vagrantfile_template": "{{ cache_dir }}/box_win.rb" + "keep_input_artifact": false }] diff --git a/malboxes/profiles/snippets/provision_powershell.json b/malboxes/profiles/snippets/provision_powershell.json index fa27dbb..d8e6fe4 100644 --- a/malboxes/profiles/snippets/provision_powershell.json 
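Review bot: The DEBUG branch loses `flags.append('-on-error=abort')` — after this hunk a debug run no longer asks Packer to stop without cleanup, which is what lets a failed build be inspected alongside the `PACKER_LOG` output. The commit message does not mention the removal and no later patch in this series restores it, so it reads as a casualty of moving the `flags` assignment below the `if`/`else`. If that is the case, add `if DEBUG:` / `    flags.append('-on-error=abort')` directly after the new `flags = ['-var-file={}'.format(f.name)]` line; if it is deliberate, say so in the message. run_packer starts and ends outside the hunk.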
+++ b/malboxes/profiles/snippets/provision_powershell.json @@ -3,7 +3,6 @@ "scripts": [ {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %} {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %} - "{{ dir }}/scripts/windows/vmtools.ps1", "{{ dir }}/scripts/windows/malware_analysis.ps1", "{{ dir }}/scripts/windows/installtools.ps1" ] diff --git a/malboxes/profiles/win10_32_analyst.json b/malboxes/profiles/win10_32_analyst.json index f789c84..e4442cd 100644 --- a/malboxes/profiles/win10_32_analyst.json +++ b/malboxes/profiles/win10_32_analyst.json 
@@ -1,35 +1,38 @@ { - "builders": [{ - "guest_os_type": "Windows10", - - {% include 'snippets/builder_virtualbox_windows.json' %}, - - "iso_urls": [ + "builders": [{ + {% if hypervisor %} + {% include 'snippets/builder_vsphere_windows.json' %}, + {% else %} + {% include 'snippets/builder_virtualbox_windows.json' %}, + {% endif %} + + "iso_urls": [ "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO", "http://care.dlservice.microsoft.com/dl/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO" ], - "iso_checksum": "0b8e56772c71dc7bb73654c61e53998a997e1e4d", - "iso_checksum_type": "sha1", - - - "floppy_files": [ - "{{ cache_dir }}/Autounattend.xml", - "{{ dir }}/installconfig/windows10/enablewinrm.ps1" - ] - }], - - {% include 'snippets/postprocessor_vagrant.json' %}, - - "provisioners": [ - - {% include 'snippets/provision_powershell.json' %} - - {% if tools_path %}, - {% include 'snippets/tools.json' %} - {% endif %} - {% if ida_path %}, - {% include 'snippets/ida_remote_32.json' %} - {% endif %} - - ] + "iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a", + "iso_checksum_type": "sha1", + + "floppy_files": [ + "{{ cache_dir }}/Autounattend.xml", + "{{ dir }}/installconfig/windows10_64/enablewinrm.ps1" + ] + }], + + {% if hypervisor is not defined %} + {% include 'snippets/postprocessor_vagrant.json' %}, + {% endif %} + + "provisioners": [ + + {% include 'snippets/provision_powershell.json' %} + + {% if tools_path %}, + {% include 'snippets/tools.json' %} + {% endif %} + {% if ida_path %}, + {% include 'snippets/ida_remote_64.json' %}, + {% include 'snippets/ida_remote_32.json' %} + {% endif %} + ] } diff --git a/malboxes/profiles/win10_64_analyst.json b/malboxes/profiles/win10_64_analyst.json index aca73ac..a380cba 100644 --- a/malboxes/profiles/win10_64_analyst.json +++ b/malboxes/profiles/win10_64_analyst.json 
@@ -1,34 +1,38 @@ { - "builders": [{ - "guest_os_type": "Windows10_64", - {% include 'snippets/builder_virtualbox_windows.json' %}, + "builders": [{ + {% if hypervisor %} + {% include 'snippets/builder_vsphere_windows.json' %}, + {% else %} + {% include 'snippets/builder_virtualbox_windows.json' %}, + {% endif %} - "iso_urls": [ - "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO", - "http://care.dlservice.microsoft.com/dl/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" - ], - "iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a", - "iso_checksum_type": "sha1", + "iso_urls": [ + "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO", + "http://care.dlservice.microsoft.com/dl/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" + ], + "iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a", + "iso_checksum_type": "sha1", - "floppy_files": [ - "{{ cache_dir }}/Autounattend.xml", - "{{ dir }}/installconfig/windows10_64/enablewinrm.ps1" - ] - }], + "floppy_files": [ + "{{ cache_dir }}/Autounattend.xml", + "{{ dir }}/installconfig/windows10_64/enablewinrm.ps1" + ] + }], - {% include 'snippets/postprocessor_vagrant.json' %}, + {% if hypervisor is not defined %} + {% include 'snippets/postprocessor_vagrant.json' %}, + {% endif %} - "provisioners": [ + "provisioners": [ - {% include 'snippets/provision_powershell.json' %} + {% include 'snippets/provision_powershell.json' %} - {% if tools_path %}, - {% include 'snippets/tools.json' %} - {% endif %} - {% if ida_path %}, - {% include 'snippets/ida_remote_64.json' %}, - {% include 'snippets/ida_remote_32.json' %} - {% endif %} - - ] + {% if tools_path %}, + {% include 'snippets/tools.json' %} + {% endif %} + {% if ida_path %}, + {% include 'snippets/ida_remote_64.json' 
%}, + {% include 'snippets/ida_remote_32.json' %} + {% endif %} + ] } diff --git a/malboxes/vagrantfiles/analyst_vsphere.rb b/malboxes/vagrantfiles/analyst_vsphere.rb new file mode 100644 index 0000000..2283f32 --- /dev/null +++ b/malboxes/vagrantfiles/analyst_vsphere.rb @@ -0,0 +1,22 @@ +-*- mode: ruby -*- +# vi: set ft=ruby : +Vagrant.configure(2) do |config| + # config.vm.box = "win10_64_analyst" + config.vm.box = 'dummy' + config.vm.box_url = 'vsphere-dummy.box' + config.vm.provider :vsphere do |vsphere| + # The vSphere host we're going to connect to + vsphere.host = {{ vsphere_host }} + vsphere.compute_resource_name = {{ remote_host }} + vsphere.clone_from_vm = {{ vsphere_clone_from_vm }} + vsphere.name = {{ vsphere_name }} + vsphere.user = {{ vsphere_user}} + vsphere.password = {{ vsphere_password }} + vsphere.insecure = {{ vsphere_insecure }} +end + + # Host files are shared on the Desktop + config.vm.synced_folder ".", "/Users/malboxes/Desktop/host" +end +~ +~ diff --git a/malboxes/vagrantfiles/box_win.rb b/malboxes/vagrantfiles/box_win.rb index be60bd4..fd5e35d 100644 --- a/malboxes/vagrantfiles/box_win.rb +++ b/malboxes/vagrantfiles/box_win.rb @@ -7,10 +7,4 @@ # Giving plenty of times for updates config.vm.boot_timeout = 600 config.vm.graceful_halt_timeout = 600 - - config.vm.provider "virtualbox" do |vb| - vb.gui = true - vb.customize ["modifyvm", :id, "--vram", "128"] - vb.customize ["modifyvm", :id, "--draganddrop", "hosttoguest"] - end end From 286f709256557bde5a048716db0788a09237e263 Mon Sep 17 00:00:00 2001 
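Review bot: The new Vagrantfile template is not valid Ruby as written: the first line `-*- mode: ruby -*-` is missing its leading `#`, every `{{ ... }}` value is emitted bare so the sample config's empty `"vsphere_host": ""` renders `vsphere.host = ` and a filled-in value renders as an undefined constant, and the two trailing `~` lines look like pasted editor padding rather than file content. Quoting the rendered strings fixes the syntax; `vsphere_insecure` can stay bare only because the config holds the literal `"true"`. Separately, `vsphere.password = {{ vsphere_password }}` bakes the vSphere credential in plaintext into a Vagrantfile that `spin` tells the user to move into an analysis directory, where it is easy to commit or share by accident; reading it from the environment at `vagrant up` time keeps it out of the generated file (the variable name below is only a placeholder). `compute_resource_name = {{ remote_host }}` also deserves a comment, since the same config key feeds Packer's `remote_host` in builder_vsphere_windows.json and the two roles are not obviously the same thing.
```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :
# … unchanged: Vagrant.configure / box / box_url …
  config.vm.provider :vsphere do |vsphere|
    # Rendered values are strings; quote them so an empty config value is still valid Ruby
    vsphere.host = '{{ vsphere_host }}'
    # Same config key Packer uses as remote_host in builder_vsphere_windows.json
    vsphere.compute_resource_name = '{{ remote_host }}'
    vsphere.clone_from_vm = '{{ vsphere_clone_from_vm }}'
    vsphere.name = '{{ vsphere_name }}'
    vsphere.user = '{{ vsphere_user }}'
    # Keep the credential out of the generated file (VSPHERE_PASSWORD is a placeholder name)
    vsphere.password = ENV['VSPHERE_PASSWORD']
    vsphere.insecure = {{ vsphere_insecure }}
  end
  # … unchanged: synced_folder …
```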
From: GL Date: Mon, 27 Feb 2017 20:39:37 -0500 Subject: [PATCH 02/17] First working pass. See https://github.com/GoSecure/malboxes/issues/30 for more details. --- .../windows8srv-64/Autounattend.xml | 127 ++++++++++++++++++ .../windows8srv-64/enablewinrm.ps1 | 9 ++ .../snippets/builder_vsphere_windows.json | 25 ++++ 3 files changed, 161 insertions(+) create mode 100644 malboxes/installconfig/windows8srv-64/Autounattend.xml create mode 100644 malboxes/installconfig/windows8srv-64/enablewinrm.ps1 create mode 100644 malboxes/profiles/snippets/builder_vsphere_windows.json diff --git a/malboxes/installconfig/windows8srv-64/Autounattend.xml b/malboxes/installconfig/windows8srv-64/Autounattend.xml new file mode 100644 index 0000000..b4186da --- /dev/null +++ b/malboxes/installconfig/windows8srv-64/Autounattend.xml 
@@ -0,0 +1,127 @@ + + + + + + + + + true + 1 + Primary + + + + + true + NTFS + C + 1 + 1 + + + 0 + true + + OnError + + + true + {{ username }} + + + + + + /IMAGE/NAME + Windows 10 Enterprise Evaluation + + + + 0 + 1 + + + + + + + en-US + Never + + en-US + en-US + en-US + en-US + en-US + + + + + false + + + + + + + {{ password }} + true</PlainText> + </Password> + <Enabled>true</Enabled> + <Username>{{ username }}</Username> + </AutoLogon> + <RegisteredOwner>{{ username }}</RegisteredOwner> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <ProtectYourPC>3</ProtectYourPC> + </OOBE> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <Order>1</Order> + <CommandLine>cmd.exe /c powershell -Command &quot;Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force&quot;</CommandLine> + <Description>Set Unrestricted Execution Policy</Description> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <Order>2</Order> + <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine> + <Description>Disable password expiration for user {{ username }}</Description> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <Order>3</Order> + <CommandLine>cmd.exe /c powershell -File &quot;A:\enablewinrm.ps1&quot;</CommandLine> + <RequiresUserInput>true</RequiresUserInput> + <Description>Enable WinRM for Packer/Vagrant communicator</Description> + </SynchronousCommand> + </FirstLogonCommands> + <UserAccounts> + <AdministratorPassword> + <Value>{{ password }}</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>{{ password }}</Value> + <PlainText>true</PlainText> + </Password> + <DisplayName>{{ 
username }}</DisplayName> + <Group>Administrators</Group> + <Name>{{ username }}</Name> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <ComputerName>{{ computername }}</ComputerName> + <RegisteredOwner>{{ username }}</RegisteredOwner> + </component> + </settings> + <cpi:offlineImage cpi:source="wim:c:/users/vagrant/documents/malboxes/autounattend/win10_x64/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> +</unattend> diff --git a/malboxes/installconfig/windows8srv-64/enablewinrm.ps1 b/malboxes/installconfig/windows8srv-64/enablewinrm.ps1 new file mode 100644 index 0000000..a6d0bef --- /dev/null +++ b/malboxes/installconfig/windows8srv-64/enablewinrm.ps1 @@ -0,0 +1,9 @@ +Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private + +winrm quickconfig -q -transport:http +winrm set winrm/config/client '@{AllowUnencrypted="true"}' +winrm set winrm/config/service '@{AllowUnencrypted="true"}' +winrm set winrm/config/service/auth '@{Basic="true"}' +net stop winrm +sc.exe config winrm start=auto +net start winrm diff --git a/malboxes/profiles/snippets/builder_vsphere_windows.json b/malboxes/profiles/snippets/builder_vsphere_windows.json new file mode 100644 index 0000000..f82781d --- /dev/null +++ b/malboxes/profiles/snippets/builder_vsphere_windows.json 
@@ -0,0 +1,25 @@ +"type": "vmware-iso", +"guest_os_type": "windows8srv-64", +"format": "ova", +"remote_type": "esx5", +"remote_host": "{{ remote_host }}", +"remote_datastore": "{{ remote_datastore }}", +"remote_username": "{{ remote_username }}", +"remote_password": "{{ remote_password }}", +"keep_registered": true, +"communicator": "winrm", +"winrm_username": "{{ username }}", +"winrm_password": "{{ password }}", +"winrm_timeout": "30m", +"shutdown_command": "shutdown /s /f /t 10", +"boot_wait": "10s", +"disk_size": "{{ disk_size }}", +"output_directory": "builds", +"vm_name": "malboxes", +"vmdk_name": "malboxes-vmdk", +"vmx_data": { + "ethernet0.networkName": "VM Network", + "scsi0.virtualDev": "lsisas1068", + "memsize": "4096", + "numvcpus": "4" +} From 873f3e1896a87f4805e272e36e0a8fdf4447aa1e Mon Sep 17 00:00:00 2001 From: GL <greg@glsec.us> Date: Mon, 27 Feb 2017 21:05:36 -0500 Subject: [PATCH 03/17] Few more updates and fixes. See https://github.com/GoSecure/malboxes/issues/30 --- malboxes/profiles/snippets/postprocessor_vagrant.json | 2 +- malboxes/vagrantfiles/box_win.rb | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/malboxes/profiles/snippets/postprocessor_vagrant.json b/malboxes/profiles/snippets/postprocessor_vagrant.json index 3eae5f4..3844c29 100644 --- a/malboxes/profiles/snippets/postprocessor_vagrant.json +++ b/malboxes/profiles/snippets/postprocessor_vagrant.json @@ -1,5 +1,5 @@ "post-processors": [{ "type": "vagrant", "output": "boxes/{{ profile_name }}.box", - "keep_input_artifact": false + "vagrantfile_template": "{{ cache_dir }}/box_win.rb" }] diff --git a/malboxes/vagrantfiles/box_win.rb b/malboxes/vagrantfiles/box_win.rb index fd5e35d..fe5610d 100644 --- a/malboxes/vagrantfiles/box_win.rb +++ b/malboxes/vagrantfiles/box_win.rb 
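Review bot: `"vm_name": "malboxes"` and `"vmdk_name": "malboxes-vmdk"` are hardcoded while the Vagrantfile added in PATCH 01 clones from `{{ vsphere_clone_from_vm }}`, whose sample value is `"packer-test"`, so if I read the workflow right the shipped config registers the build under one name and `vagrant up` looks for another; templating the name once, e.g. `"vm_name": "{{ vsphere_clone_from_vm }}",`, keeps the two in step and lets two profiles coexist on one datastore (PATCH 08 only adds a TODO for this). `memsize`/`numvcpus` are likewise fixed at 4096/4 whereas `disk_size` is templated — I cannot see the virtualbox snippet from here, so treat that as a consistency question. On the communicator, `"communicator": "winrm"` without `winrm_use_ssl` means `{{ password }}` travels as Basic auth over plain HTTP (the enablewinrm.ps1 in this same patch sets `AllowUnencrypted`), and `"ethernet0.networkName": "VM Network"` is normally a shared port group on ESXi rather than the host-only network VirtualBox provides; that trade-off deserves a comment on the snippet at minimum.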
@@ -7,4 +7,9 @@ # Giving plenty of times for updates config.vm.boot_timeout = 600 config.vm.graceful_halt_timeout = 600 + config.vm.provider "virtualbox" do |vb| + vb.gui = true + vb.customize ["modifyvm", :id, "--vram", "128"] + vb.customize ["modifyvm", :id, "--draganddrop", "hosttoguest"] + end end From c277b58498745520920e350ac593a2c5e2e26808 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Tue, 18 Jul 2017 16:50:39 -0400 Subject: [PATCH 04/17] Removed whitespace noise from patch --- malboxes/config-example.js | 7 +++---- malboxes/malboxes.py | 3 ++- malboxes/profiles/snippets/postprocessor_vagrant.json | 2 +- malboxes/vagrantfiles/box_win.rb | 10 +++++----- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/malboxes/config-example.js b/malboxes/config-example.js index 5bd667a..c18f19a 100644 --- a/malboxes/config-example.js +++ b/malboxes/config-example.js @@ -3,9 +3,9 @@ * Malboxes Example Configuration File * * Uncomment a specific section of the file to trigger a particular feature. - * - * Paths should be written using forward slashes even on Windows. - * For ex: C:/Tools + * + * Paths should be written using forward slashes even on Windows. + * For ex: C:/Tools */ // This allows you to use a local filestore for ISOs. @@ -41,7 +41,6 @@ "vsphere_password": "", "vsphere_insecure": "true", - // Windows Defender: true means enabled, false means disabled. Default is false. //"windows_defender": "false", // Windows Updates: true means enabled, false means disabled. Default is false. diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py index 84d6bbc..f720e12 100644 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py @@ -228,11 +228,13 @@ def prepare_config(profile): config_file) config = load_config(config_file, profile) + packer_tmpl = prepare_packer_template(config, profile) # merge/update with profile config with open(packer_tmpl, 'r') as f: config.update(json.loads(f.read())) + return config, packer_tmpl 
@@ -439,7 +441,6 @@ def spin(parser, args): config['profile'] = args.profile config['name'] = args.name - print("Creating a Vagrantfile") if not config['hypervisor']: with open("Vagrantfile", 'w') as f: diff --git a/malboxes/profiles/snippets/postprocessor_vagrant.json b/malboxes/profiles/snippets/postprocessor_vagrant.json index 3844c29..68f8749 100644 --- a/malboxes/profiles/snippets/postprocessor_vagrant.json +++ b/malboxes/profiles/snippets/postprocessor_vagrant.json @@ -1,5 +1,5 @@ "post-processors": [{ "type": "vagrant", "output": "boxes/{{ profile_name }}.box", - "vagrantfile_template": "{{ cache_dir }}/box_win.rb" + "vagrantfile_template": "{{ cache_dir }}/box_win.rb" }] diff --git a/malboxes/vagrantfiles/box_win.rb b/malboxes/vagrantfiles/box_win.rb index fe5610d..32f4bbe 100644 --- a/malboxes/vagrantfiles/box_win.rb +++ b/malboxes/vagrantfiles/box_win.rb @@ -7,9 +7,9 @@ # Giving plenty of times for updates config.vm.boot_timeout = 600 config.vm.graceful_halt_timeout = 600 - config.vm.provider "virtualbox" do |vb| - vb.gui = true - vb.customize ["modifyvm", :id, "--vram", "128"] - vb.customize ["modifyvm", :id, "--draganddrop", "hosttoguest"] - end + config.vm.provider "virtualbox" do |vb| + vb.gui = true + vb.customize ["modifyvm", :id, "--vram", "128"] + vb.customize ["modifyvm", :id, "--draganddrop", "hosttoguest"] + end end From 8fd8ccd5a0a0caa1cc4093ad733171d24228d162 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Tue, 18 Jul 2017 16:52:44 -0400 Subject: [PATCH 05/17] Minor fixes to the hypervisor file loading --- malboxes/malboxes.py | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py index f720e12..d653097 100644 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py 
@@ -445,13 +445,11 @@ def spin(parser, args): if not config['hypervisor']: with open("Vagrantfile", 'w') as f: _prepare_vagrantfile(config, "analyst_single.rb", f) - print("Vagrantfile generated. You can move it in your analysis directory " - "and issue a `vagrant up` to get started with your VM.") - elif config['hypervisor']: + elif config['hypervisor'] == 'vsphere': with open("Vagrantfile", 'w') as f: _prepare_vagrantfile(config, "analyst_vsphere.rb", f) - print("Vagrantfile generated. You can move it in your analysis directory " - "and issue a `vagrant up` to get started with your VM.") + print("Vagrantfile generated. You can move it in your analysis directory " + "and issue a `vagrant up` to get started with your VM.") def append_to_script(filename, line): From f37a804d85ce7b9cb7d0126aa05d263009943cbb Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Tue, 18 Jul 2017 16:53:25 -0400 Subject: [PATCH 06/17] config: virtualbox is the default again --- malboxes/config-example.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/malboxes/config-example.js b/malboxes/config-example.js index c18f19a..73edda3 100644 --- a/malboxes/config-example.js +++ b/malboxes/config-example.js @@ -26,9 +26,9 @@ // disk size is in megabytes "disk_size": "20480", - //Provision settings - //Which Hypervisor for privisoning and deployment? (Options are: "virtualbox" and "vsphere") Default is "virtualbox" - "hypervisor": "vsphere", + // Provision settings + // Which Hypervisor for privisoning and deployment? (Options are: "virtualbox" and "vsphere") Default is "virtualbox" + "hypervisor": "virtualbox", //If vsphere, the following configuration options are mandatory "remote_host": "", "remote_datastore": "", From 4ffaa804cd56210e101138bce0affba7f9d3d60d Mon Sep 17 00:00:00 2001 
From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Tue, 18 Jul 2017 16:56:21 -0400 Subject: [PATCH 07/17] Revert unnecessary Windows 10 Autounattend changes --- .../windows10_64/Autounattend.xml | 47 +++++++++---------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/malboxes/installconfig/windows10_64/Autounattend.xml b/malboxes/installconfig/windows10_64/Autounattend.xml index 8788d5b..b4186da 100644 --- a/malboxes/installconfig/windows10_64/Autounattend.xml +++ b/malboxes/installconfig/windows10_64/Autounattend.xml 
@@ -2,30 +2,29 @@ <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="windowsPE"> <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <DiskConfiguration> - <Disk wcm:action="add"> - <CreatePartitions> - <CreatePartition wcm:action="add"> - <Order>1</Order> - <Type>Primary</Type> - <Extend>true</Extend> - </CreatePartition> - </CreatePartitions> - <ModifyPartitions> - <ModifyPartition wcm:action="add"> - <Extend>false</Extend> - <Format>NTFS</Format> - <Letter>C</Letter> - <Order>1</Order> - <PartitionID>1</PartitionID> - <Label>Windows 10</Label> - </ModifyPartition> - </ModifyPartitions> - <DiskID>0</DiskID> - <WillWipeDisk>true</WillWipeDisk> - </Disk> - <WillShowUI>OnError</WillShowUI> - </DiskConfiguration> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Extend>true</Extend> + <Order>1</Order> + <Type>Primary</Type> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Active>true</Active> + <Format>NTFS</Format> + <Letter>C</Letter> + <Order>1</Order> + <PartitionID>1</PartitionID> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + <WillShowUI>OnError</WillShowUI> + </DiskConfiguration> <UserData> <AcceptEula>true</AcceptEula> <FullName>{{ username }}</FullName> From 5c46d1a5a3b691fa5f11afe1064250875d93c7a6 Mon Sep 17 00:00:00 2001 
From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Wed, 19 Jul 2017 10:22:31 -0400 Subject: [PATCH 08/17] Fixes to packer template - extracted out guest OS version into profile - ident fixes - explicit hypervisor tests instead of empty vs non-empty since we provide a default config which provides it --- .../snippets/builder_vsphere_windows.json | 2 +- malboxes/profiles/win10_32_analyst.json | 71 +++++++++-------- malboxes/profiles/win10_64_analyst.json | 76 ++++++++++--------- 3 files changed, 79 insertions(+), 70 deletions(-) diff --git a/malboxes/profiles/snippets/builder_vsphere_windows.json b/malboxes/profiles/snippets/builder_vsphere_windows.json index f82781d..d380d64 100644 --- a/malboxes/profiles/snippets/builder_vsphere_windows.json +++ b/malboxes/profiles/snippets/builder_vsphere_windows.json @@ -1,5 +1,4 @@ "type": "vmware-iso", -"guest_os_type": "windows8srv-64", "format": "ova", "remote_type": "esx5", "remote_host": "{{ remote_host }}", @@ -15,6 +14,7 @@ "boot_wait": "10s", "disk_size": "{{ disk_size }}", "output_directory": "builds", +// TODO Remove hardcoded references? "vm_name": "malboxes", "vmdk_name": "malboxes-vmdk", "vmx_data": { diff --git a/malboxes/profiles/win10_32_analyst.json b/malboxes/profiles/win10_32_analyst.json index e4442cd..e480946 100644 --- a/malboxes/profiles/win10_32_analyst.json +++ b/malboxes/profiles/win10_32_analyst.json 
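Review bot: `// TODO Remove hardcoded references?` is a line comment inside a JSON snippet that is spliced into the Packer template, and prepare_config parses the rendered template with `json.loads` (visible in the PATCH 01 and PATCH 04 hunks), which rejects `//` comments unless prepare_packer_template strips them first — that function is outside this series, so I cannot confirm it does. A Jinja comment is dropped at render time regardless of what follows: `{# TODO Remove hardcoded references? #}`. The hunk also leaves `vm_name`/`vmdk_name` fixed at "malboxes", so two profiles built against the same datastore would still collide.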
@@ -1,38 +1,43 @@ { - "builders": [{ - {% if hypervisor %} - {% include 'snippets/builder_vsphere_windows.json' %}, - {% else %} - {% include 'snippets/builder_virtualbox_windows.json' %}, - {% endif %} - - "iso_urls": [ + "builders": [{ + + {% if hypervisor == "virtualbox" %} + "guest_os_type": "Windows10", + {% include 'snippets/builder_virtualbox_windows.json' %}, + {% elif hypervisor == "vsphere" %} + "guest_os_type": "windows8srv", + {% include 'snippets/builder_vsphere_windows.json' %}, + {% endif %} + + "iso_urls": [ "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO", "http://care.dlservice.microsoft.com/dl/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO" ], - "iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a", - "iso_checksum_type": "sha1", - - "floppy_files": [ - "{{ cache_dir }}/Autounattend.xml", - "{{ dir }}/installconfig/windows10_64/enablewinrm.ps1" - ] - }], - - {% if hypervisor is not defined %} - {% include 'snippets/postprocessor_vagrant.json' %}, - {% endif %} - - "provisioners": [ - - {% include 'snippets/provision_powershell.json' %} - - {% if tools_path %}, - {% include 'snippets/tools.json' %} - {% endif %} - {% if ida_path %}, - {% include 'snippets/ida_remote_64.json' %}, - {% include 'snippets/ida_remote_32.json' %} - {% endif %} - ] + "iso_checksum": "0b8e56772c71dc7bb73654c61e53998a997e1e4d", + "iso_checksum_type": "sha1", + + "floppy_files": [ + "{{ cache_dir }}/Autounattend.xml", + "{{ dir }}/installconfig/windows10/enablewinrm.ps1" + ] + }], + + {% include 'snippets/postprocessor_vagrant.json' %}, + + {% if hypervisor == 'virtualbox' %} + {% include 'snippets/postprocessor_vagrant.json' %}, + {% endif %} + + "provisioners": [ + + {% include 'snippets/provision_powershell.json' %} + + {% if tools_path %}, + {% include 'snippets/tools.json' %} + {% endif %} + {% if ida_path %}, + {% include 
'snippets/ida_remote_32.json' %} + {% endif %} + + ] } diff --git a/malboxes/profiles/win10_64_analyst.json b/malboxes/profiles/win10_64_analyst.json index a380cba..888812e 100644 --- a/malboxes/profiles/win10_64_analyst.json +++ b/malboxes/profiles/win10_64_analyst.json 
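Review bot: `{% include 'snippets/postprocessor_vagrant.json' %},` appears twice in the new file — once unconditionally and once inside `{% if hypervisor == 'virtualbox' %}` — so a vSphere build still gets the Vagrant post-processor the guard was meant to drop, and a VirtualBox build renders a duplicate `"post-processors"` key that `json.loads` silently resolves to the last one. Remove the unconditional line; the win10_64 hunk in this same patch has only the guarded include and is the shape to match. Neither profile has an `{% else %}` on the `hypervisor` chain, so an unrecognized value yields a builder with no `"type"` and an opaque Packer error rather than a message naming the config key; that check belongs in load_config, where PATCH 09 already injects the default value.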
@@ -1,38 +1,42 @@ { - "builders": [{ - {% if hypervisor %} - {% include 'snippets/builder_vsphere_windows.json' %}, - {% else %} - {% include 'snippets/builder_virtualbox_windows.json' %}, - {% endif %} - - "iso_urls": [ - "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO", - "http://care.dlservice.microsoft.com/dl/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" - ], - "iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a", - "iso_checksum_type": "sha1", - - "floppy_files": [ - "{{ cache_dir }}/Autounattend.xml", - "{{ dir }}/installconfig/windows10_64/enablewinrm.ps1" - ] - }], - - {% if hypervisor is not defined %} - {% include 'snippets/postprocessor_vagrant.json' %}, - {% endif %} - - "provisioners": [ - - {% include 'snippets/provision_powershell.json' %} - - {% if tools_path %}, - {% include 'snippets/tools.json' %} - {% endif %} - {% if ida_path %}, - {% include 'snippets/ida_remote_64.json' %}, - {% include 'snippets/ida_remote_32.json' %} - {% endif %} - ] + "builders": [{ + + {% if hypervisor == "virtualbox" %} + "guest_os_type": "Windows10_64", + {% include 'snippets/builder_virtualbox_windows.json' %}, + {% elif hypervisor == "vsphere" %} + "guest_os_type": "windows8srv-64", + {% include 'snippets/builder_vsphere_windows.json' %}, + {% endif %} + + "iso_urls": [ + "file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO", + "http://care.dlservice.microsoft.com/dl/download/2/5/4/254230E8-AEA5-43C5-94F6-88CE222A5846/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO" + ], + "iso_checksum": "a86ae3d664553cd0ee9a6bcd83a5dbe92e3dc41a", + "iso_checksum_type": "sha1", + + "floppy_files": [ + "{{ cache_dir }}/Autounattend.xml", + "{{ dir }}/installconfig/windows10_64/enablewinrm.ps1" + ] + }], + + {% if hypervisor == 'virtualbox' %} + {% include 
'snippets/postprocessor_vagrant.json' %}, + {% endif %} + + "provisioners": [ + + {% include 'snippets/provision_powershell.json' %} + + {% if tools_path %}, + {% include 'snippets/tools.json' %} + {% endif %} + {% if ida_path %}, + {% include 'snippets/ida_remote_64.json' %}, + {% include 'snippets/ida_remote_32.json' %} + {% endif %} + + ] } From d92857c62622449f92fb646f63066807414ae5aa Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Wed, 19 Jul 2017 10:24:33 -0400 Subject: [PATCH 09/17] Provide default config values in core Should enable people to upgrade to a new version without config breakage --- malboxes/malboxes.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py index d653097..e9ab0c4 100644 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py @@ -250,6 +250,14 @@ def load_config(config_file, profile): config['cache_dir'] = DIRS.user_cache_dir.replace('\\', '/') config['dir'] = resource_filename(__name__, "").replace('\\', '/') config['profile_name'] = profile + + # add default values + # for users upgrading from versions where those values weren't defined + # I don't want default to override the config so I reversed the merge logic + default = {'hypervisor': 'virtualbox'} + default.update(config) + config = default + return config @@ -442,7 +450,7 @@ def spin(parser, args): config['name'] = args.name print("Creating a Vagrantfile") - if not config['hypervisor']: + if config['hypervisor'] == 'virtualbox': with open("Vagrantfile", 'w') as f: _prepare_vagrantfile(config, "analyst_single.rb", f) elif config['hypervisor'] == 'vsphere': From 8300777e041751c06522a8f60857b7a7ffacf3d8 Mon Sep 17 00:00:00 2001 
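Review bot: `spin` still reports success for any `hypervisor` value that matches neither branch — `if config['hypervisor'] == 'virtualbox':` / `elif config['hypervisor'] == 'vsphere':` have no `else`, so a typo such as "vbox" in config writes nothing and the "Vagrantfile generated" print on the line after this hunk (visible in the PATCH 05 hunk) runs anyway. Add a terminal branch, e.g. `else:` / `    parser.error("Unsupported hypervisor: {}".format(config['hypervisor']))` assuming `parser` is the argparse parser spin receives, or validate the value once in load_config next to the new default so the packer templates (which also have no `{% else %}`) are covered too. spin's body continues outside the hunk.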
From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Wed, 19 Jul 2017 10:41:14 -0400 Subject: [PATCH 10/17] Avoid Autounattend.xml fragmentation --- .../windows8srv-64/Autounattend.xml | 127 ------------------ .../windows8srv-64/enablewinrm.ps1 | 9 -- malboxes/malboxes.py | 13 +- 3 files changed, 11 insertions(+), 138 deletions(-) delete mode 100644 malboxes/installconfig/windows8srv-64/Autounattend.xml delete mode 100644 malboxes/installconfig/windows8srv-64/enablewinrm.ps1 diff --git a/malboxes/installconfig/windows8srv-64/Autounattend.xml b/malboxes/installconfig/windows8srv-64/Autounattend.xml deleted file mode 100644 index b4186da..0000000 --- a/malboxes/installconfig/windows8srv-64/Autounattend.xml +++ /dev/null 
@@ -1,127 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<unattend xmlns="urn:schemas-microsoft-com:unattend"> - <settings pass="windowsPE"> - <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <DiskConfiguration> - <Disk wcm:action="add"> - <CreatePartitions> - <CreatePartition wcm:action="add"> - <Extend>true</Extend> - <Order>1</Order> - <Type>Primary</Type> - </CreatePartition> - </CreatePartitions> - <ModifyPartitions> - <ModifyPartition wcm:action="add"> - <Active>true</Active> - <Format>NTFS</Format> - <Letter>C</Letter> - <Order>1</Order> - <PartitionID>1</PartitionID> - </ModifyPartition> - </ModifyPartitions> - <DiskID>0</DiskID> - <WillWipeDisk>true</WillWipeDisk> - </Disk> - <WillShowUI>OnError</WillShowUI> - </DiskConfiguration> - <UserData> - <AcceptEula>true</AcceptEula> - <FullName>{{ username }}</FullName> - </UserData> - <ImageInstall> - <OSImage> - <InstallFrom> - <MetaData wcm:action="add"> - <Key>/IMAGE/NAME</Key> - <Value>Windows 10 Enterprise Evaluation</Value> - </MetaData> - </InstallFrom> - <InstallTo> - <DiskID>0</DiskID> - <PartitionID>1</PartitionID> - </InstallTo> - </OSImage> - </ImageInstall> - </component> - <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <SetupUILanguage> - <UILanguage>en-US</UILanguage> - <WillShowUI>Never</WillShowUI> - </SetupUILanguage> - <InputLocale>en-US</InputLocale> - <SystemLocale>en-US</SystemLocale> - <UILanguage>en-US</UILanguage> - <UILanguageFallback>en-US</UILanguageFallback> - <UserLocale>en-US</UserLocale> - </component> - </settings> - <settings 
pass="offlineServicing"> - <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <EnableLUA>false</EnableLUA> - </component> - </settings> - <settings pass="oobeSystem"> - <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <AutoLogon> - <Password> - <Value>{{ password }}</Value> - <PlainText>true</PlainText> - </Password> - <Enabled>true</Enabled> - <Username>{{ username }}</Username> - </AutoLogon> - <RegisteredOwner>{{ username }}</RegisteredOwner> - <OOBE> - <HideEULAPage>true</HideEULAPage> - <HideOnlineAccountScreens>true</HideOnlineAccountScreens> - <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> - <ProtectYourPC>3</ProtectYourPC> - </OOBE> - <FirstLogonCommands> - <SynchronousCommand wcm:action="add"> - <Order>1</Order> - <CommandLine>cmd.exe /c powershell -Command &quot;Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force&quot;</CommandLine> - <Description>Set Unrestricted Execution Policy</Description> - <RequiresUserInput>true</RequiresUserInput> - </SynchronousCommand> - <SynchronousCommand wcm:action="add"> - <Order>2</Order> - <CommandLine>cmd.exe /c wmic useraccount where &quot;name=&apos;{{ username }}&apos;&quot; set PasswordExpires=FALSE</CommandLine> - <Description>Disable password expiration for user {{ username }}</Description> - <RequiresUserInput>true</RequiresUserInput> - </SynchronousCommand> - <SynchronousCommand wcm:action="add"> - <Order>3</Order> - <CommandLine>cmd.exe /c powershell -File &quot;A:\enablewinrm.ps1&quot;</CommandLine> - <RequiresUserInput>true</RequiresUserInput> - 
<Description>Enable WinRM for Packer/Vagrant communicator</Description> - </SynchronousCommand> - </FirstLogonCommands> - <UserAccounts> - <AdministratorPassword> - <Value>{{ password }}</Value> - <PlainText>true</PlainText> - </AdministratorPassword> - <LocalAccounts> - <LocalAccount wcm:action="add"> - <Password> - <Value>{{ password }}</Value> - <PlainText>true</PlainText> - </Password> - <DisplayName>{{ username }}</DisplayName> - <Group>Administrators</Group> - <Name>{{ username }}</Name> - </LocalAccount> - </LocalAccounts> - </UserAccounts> - </component> - </settings> - <settings pass="specialize"> - <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <ComputerName>{{ computername }}</ComputerName> - <RegisteredOwner>{{ username }}</RegisteredOwner> - </component> - </settings> - <cpi:offlineImage cpi:source="wim:c:/users/vagrant/documents/malboxes/autounattend/win10_x64/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> -</unattend> diff --git a/malboxes/installconfig/windows8srv-64/enablewinrm.ps1 b/malboxes/installconfig/windows8srv-64/enablewinrm.ps1 deleted file mode 100644 index a6d0bef..0000000 --- a/malboxes/installconfig/windows8srv-64/enablewinrm.ps1 +++ /dev/null @@ -1,9 +0,0 @@ -Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private - -winrm quickconfig -q -transport:http -winrm set winrm/config/client '@{AllowUnencrypted="true"}' -winrm set winrm/config/service '@{AllowUnencrypted="true"}' -winrm set winrm/config/service/auth '@{Basic="true"}' -net stop winrm -sc.exe config winrm start=auto -net start winrm diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py index e9ab0c4..5e94c99 100644 --- a/malboxes/malboxes.py +++ b/malboxes/malboxes.py 
@@ -262,8 +262,17 @@ def load_config(config_file, profile):
 def _get_os_type(config):
- """OS Type is extracted from profile json config"""
- return config['builders'][0]['guest_os_type'].lower()
+ """OS Type is extracted from profile json config.
+ For older hypervisor compatibility, some values needs to be updated here.
+ """
+ _os_type = config['builders'][0]['guest_os_type'].lower()
+ if config['hypervisor'] == 'vsphere':
+ if _os_type == 'windows8srv':
+ _os_type = 'windows10'
+ elif _os_type == 'windows8srv-64':
+ _os_type = 'windows10_64'
+
+ return _os_type
 tempfiles = []
From 96a98fa24ccd008fd76ff9632b7a3531a8bcecc7 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Wed, 19 Jul 2017 10:45:44 -0400 Subject: [PATCH 11/17] Conditional vmtools (virtualbox) installation --- malboxes/profiles/snippets/provision_powershell.json | 3 +++ malboxes/profiles/snippets/provision_powershell_win7.json | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/malboxes/profiles/snippets/provision_powershell.json b/malboxes/profiles/snippets/provision_powershell.json
index d8e6fe4..6f22310 100644
--- a/malboxes/profiles/snippets/provision_powershell.json
+++ b/malboxes/profiles/snippets/provision_powershell.json
@@ -3,6 +3,9 @@
 "scripts": [
 {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
 {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
+ {% if hypervisor == "virtualbox" %}
+ "{{ dir }}/scripts/windows/vmtools.ps1",
+ {% endif %}
 "{{ dir }}/scripts/windows/malware_analysis.ps1",
 "{{ dir }}/scripts/windows/installtools.ps1"
 ]
diff --git a/malboxes/profiles/snippets/provision_powershell_win7.json b/malboxes/profiles/snippets/provision_powershell_win7.json
index 1346a1b..106b48b 100644
--- a/malboxes/profiles/snippets/provision_powershell_win7.json
+++ b/malboxes/profiles/snippets/provision_powershell_win7.json
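Review bot: The new docstring in _get_os_type has a grammar slip (`some values needs` should be `some values need`) and, more importantly, does not say what the returned value selects, which is what makes the windows8srv to windows10 remap surprising. The same commit deletes installconfig/windows8srv-64, which suggests the result picks the installconfig directory; if that is the case, a comment such as `# vsphere profiles carry ESXi guest_os_type names; map them back to the installconfig directory name` above `if config['hypervisor'] == 'vsphere':` would make the intent explicit. The `config['hypervisor']` lookup also relies on the default that load_config injects, so callers that build a config by other means would hit a KeyError here.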
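Review bot: With vmtools.ps1 gated on `{% if hypervisor == "virtualbox" %}`, the vsphere path runs no guest-tools script at all, and nothing in the snippet says whether that is intended or where the tools come from instead. A template comment next to the condition, `{# vmtools.ps1 installs VirtualBox guest additions only; vsphere guests get no tools from this provisioner #}`, would save the next reader a debugging session when a later step needs a working guest agent. The provision_powershell_win7.json hunk of this commit has the same gating and would take the same comment.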
@@ -4,7 +4,9 @@
 "scripts": [
 {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
 {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
- "{{ dir }}/scripts/windows/vmtools.ps1",
+ {% if hypervisor == "virtualbox" %}
+ "{{ dir }}/scripts/windows/vmtools.ps1",
+ {% endif %}
 "{{ dir }}/scripts/windows/malware_analysis.ps1"
 ]
 },
From a281c97ecabd5a6439df14ad5e90a83fb7f6533a Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Wed, 19 Jul 2017 10:58:40 -0400 Subject: [PATCH 12/17] Fixed wrong comment type in the vsphere builder --- malboxes/profiles/snippets/builder_vsphere_windows.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malboxes/profiles/snippets/builder_vsphere_windows.json b/malboxes/profiles/snippets/builder_vsphere_windows.json
index d380d64..bb63eea 100644
--- a/malboxes/profiles/snippets/builder_vsphere_windows.json
+++ b/malboxes/profiles/snippets/builder_vsphere_windows.json
@@ -14,7 +14,7 @@
 "boot_wait": "10s",
 "disk_size": "{{ disk_size }}",
 "output_directory": "builds",
-// TODO Remove hardcoded references?
+{# TODO Remove hardcoded references? #}
 "vm_name": "malboxes",
 "vmdk_name": "malboxes-vmdk",
 "vmx_data": {
From 8fcf198aaff4cac833cbee3e4b6b89c325001016 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Thu, 20 Jul 2017 21:57:21 -0400 Subject: [PATCH 13/17] Fixed Guest OS Types. Were invalid for my ESXi version. --- malboxes/malboxes.py | 4 ++-- malboxes/profiles/win10_32_analyst.json | 2 +- malboxes/profiles/win10_64_analyst.json | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/malboxes/malboxes.py b/malboxes/malboxes.py
index 5e94c99..e8ddd85 100644
--- a/malboxes/malboxes.py
+++ b/malboxes/malboxes.py
@@ -267,9 +267,9 @@ def _get_os_type(config):
 """
 _os_type = config['builders'][0]['guest_os_type'].lower()
 if config['hypervisor'] == 'vsphere':
- if _os_type == 'windows8srv':
+ if _os_type == 'windows8':
 _os_type = 'windows10'
- elif _os_type == 'windows8srv-64':
+ elif _os_type == 'windows8-64':
 _os_type = 'windows10_64'
 return _os_type
diff --git a/malboxes/profiles/win10_32_analyst.json b/malboxes/profiles/win10_32_analyst.json
index e480946..90449dc 100644
--- a/malboxes/profiles/win10_32_analyst.json
+++ b/malboxes/profiles/win10_32_analyst.json
@@ -5,7 +5,7 @@
 "guest_os_type": "Windows10",
 {% include 'snippets/builder_virtualbox_windows.json' %},
 {% elif hypervisor == "vsphere" %}
- "guest_os_type": "windows8srv",
+ "guest_os_type": "windows8",
 {% include 'snippets/builder_vsphere_windows.json' %},
 {% endif %}
diff --git a/malboxes/profiles/win10_64_analyst.json b/malboxes/profiles/win10_64_analyst.json
index 888812e..57b3f67 100644
--- a/malboxes/profiles/win10_64_analyst.json
+++ b/malboxes/profiles/win10_64_analyst.json
@@ -5,7 +5,7 @@
 "guest_os_type": "Windows10_64",
 {% include 'snippets/builder_virtualbox_windows.json' %},
 {% elif hypervisor == "vsphere" %}
- "guest_os_type": "windows8srv-64",
+ "guest_os_type": "windows8-64",
 {% include 'snippets/builder_vsphere_windows.json' %},
 {% endif %}
From 1c895fb3baa960481f0a833d981473ee1fc4115c Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Thu, 20 Jul 2017 22:01:26 -0400 Subject: [PATCH 14/17] Tests and notes --- malboxes/profiles/snippets/builder_vsphere_windows.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/malboxes/profiles/snippets/builder_vsphere_windows.json b/malboxes/profiles/snippets/builder_vsphere_windows.json
index bb63eea..ae45856 100644
--- a/malboxes/profiles/snippets/builder_vsphere_windows.json
+++ b/malboxes/profiles/snippets/builder_vsphere_windows.json
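Review bot: `'windows8'` and `'windows8-64'` are the second set of literals hard-coded into _get_os_type within two commits, and nothing in the code records why a profile says windows8 while the rest of the tool wants windows10; the reason given in the commit message (the previous values were rejected by the author's ESXi version) belongs in a comment above the `if`, e.g. `# vsphere profiles use the guest_os_type spelling this ESXi version accepts; map back to the windows10* names used elsewhere`. The pairs would also be easier to keep in step with the two profile hunks of this commit as a table: `_VSPHERE_OS_TYPE_MAP = {'windows8': 'windows10', 'windows8-64': 'windows10_64'}` and `_os_type = _VSPHERE_OS_TYPE_MAP.get(_os_type, _os_type)` in place of the if/elif. The def line of _get_os_type is outside the hunk.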
@@ -5,7 +5,9 @@
 "remote_datastore": "{{ remote_datastore }}",
 "remote_username": "{{ remote_username }}",
 "remote_password": "{{ remote_password }}",
-"keep_registered": true,
+{# TODO avoiding ovftools doesn't seem to work #}
+"keep_registered": "true",
+"vnc_disable_password": "true",
 "communicator": "winrm",
 "winrm_username": "{{ username }}",
 "winrm_password": "{{ password }}",
@@ -22,4 +24,6 @@
 "scsi0.virtualDev": "lsisas1068",
 "memsize": "4096",
 "numvcpus": "4"
-}
+},
+{# TODO validate if they are automatically installed #}
+"tools_upload_flavor": "windows"
From 4b8d790186cae033cb6f51ab0f651d7fcb8008f0 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Thu, 20 Jul 2017 22:01:45 -0400 Subject: [PATCH 15/17] Using profile name for built image name --- malboxes/profiles/snippets/builder_vsphere_windows.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/malboxes/profiles/snippets/builder_vsphere_windows.json b/malboxes/profiles/snippets/builder_vsphere_windows.json
index ae45856..709b857 100644
--- a/malboxes/profiles/snippets/builder_vsphere_windows.json
+++ b/malboxes/profiles/snippets/builder_vsphere_windows.json
@@ -16,9 +16,8 @@
 "boot_wait": "10s",
 "disk_size": "{{ disk_size }}",
 "output_directory": "builds",
-{# TODO Remove hardcoded references? #}
-"vm_name": "malboxes",
-"vmdk_name": "malboxes-vmdk",
+"vm_name": "{{ profile_name }}",
+"vmdk_name": "{{ profile_name }}-vmdk",
 "vmx_data": {
 "ethernet0.networkName": "VM Network",
 "scsi0.virtualDev": "lsisas1068",
From 59b02842de1239a454c374bc29c9afc25582f7ff Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Thu, 20 Jul 2017 21:56:13 -0400 Subject: [PATCH 16/17] doc: some notes of things I needed to adjust --- docs/esx-setup.adoc | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docs/esx-setup.adoc
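Review bot: `"vnc_disable_password": "true"` turns off authentication on the VNC session packer uses to drive the installer on the ESXi host, and the setup notes added later in this series say the ESXi firewall has to be opened for VNC on 5900 and up, so during a build that console is reachable by anyone who can reach the host on those ports; the hunk gives no reason for the setting. If a particular ESXi version needs it, say so in a `{# ... #}` comment beside it and document that the firewall rule should be limited to the malboxes host; otherwise drop the line so packer keeps generating a VNC password. `"keep_registered"` also changed from the JSON boolean `true` to the string `"true"`; packer usually coerces that, but since the TODO above it says the option did not have the intended effect, it is worth confirming the type change is not the cause.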
diff --git a/docs/esx-setup.adoc b/docs/esx-setup.adoc
new file mode 100644
index 0000000..6879de5
--- /dev/null
+++ b/docs/esx-setup.adoc
@@ -0,0 +1,34 @@
+= ESXi / vSphere Setup
+
+== Firewall rules required
+
+From your machine (where malboxes is installed) to the ESXi server
+
+* SSH (22)
+* VNC (packer will try allocating 5900 upwards until it finds a working port)
+
+From your machine to the running guest for provisioning
+
+* WinRM (5985)
+
+== VNC Access
+
+Opening the ESX firewall is necessary. On version 6.5 this works:
+
+ esxcli network firewall ruleset set -e true -r gdbserver
+
+Otherwise look at implementing the advice in here: https://gist.github.com/jasonberanek/4670943
+
+== Troubleshooting
+
+=== No IP Address on guest
+
+You need a DHCP server on the same network segment. ESXi doesn't seem to
+provide his own. You can create a simple DHCP server on an Ubuntu server with
+isc-dhcp-server.
+
+=== Misc.
+
+Something packer said I needed to do:
+
+ esxcli system settings advanced set -o /Net/GuestIPHack -i 1
From 2a00194f59ad3f593406c0526d0a339f25ba5bd9 Mon Sep 17 00:00:00 2001 From: Olivier Bilodeau <obilodeau@gosecure.ca> Date: Mon, 24 Jul 2017 21:10:10 -0400 Subject: [PATCH 17/17] bugfix: profiles script must run after chocolatey is installed (cherry picked from commit c1f3ebb36edcdd9ec77c94959179a13666f5aadd) --- .../snippets/provision_powershell_win7.json | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/malboxes/templates/snippets/provision_powershell_win7.json b/malboxes/templates/snippets/provision_powershell_win7.json
index 8adcd5f..100880d 100644
--- a/malboxes/templates/snippets/provision_powershell_win7.json
+++ b/malboxes/templates/snippets/provision_powershell_win7.json
@@ -5,10 +5,8 @@
 {% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
 {% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
 {% if hypervisor == "virtualbox" %}
- "{{ dir }}/scripts/windows/vmtools.ps1",
+ "{{ dir }}/scripts/windows/vmtools.ps1"
 {% endif %}
- {% if profile is defined %}"{{ cache_dir }}/profile-{{ profile }}.ps1",{% endif %}
- "{{ dir }}/scripts/windows/malware_analysis.ps1"
 ]
 },
 {
@@ -23,6 +21,15 @@
 {
 "type": "windows-restart"
 }
+{% if profile is defined %},
+ {
+ "type": "powershell",
+ "scripts": [
+ "{{ cache_dir }}/profile-{{ profile }}.ps1",
+ "{{ dir }}/scripts/windows/malware_analysis.ps1"
+ ]
+ }
+{% endif %}
 {% if choco_packages %},
 {
 "type": "windows-shell",
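Review bot: After this hunk the first `scripts` array no longer has an unconditional last element, so on any hypervisor other than virtualbox it renders as `["…disable_auto-updates.ps1", "…disable_defender.ps1",]` with a trailing comma, which the strict JSON parse of the rendered template rejects, and with updates and defender both enabled it renders as an empty `[]`. The comma-carrying entries need to be assembled so that the separator only appears between elements; in stock Jinja without the `do` extension that is a list built with `set` and emitted by a loop, as below, and when the list can be empty the whole provisioner should be wrapped in an `{% if %}` as well. The enclosing provisioner object and the `"scripts": [` line are outside the hunk.

```json
    "scripts": [
{% set scripts = [] %}
{% if not windows_updates == "true" %}{% set _ = scripts.append(dir ~ "/scripts/windows/disable_auto-updates.ps1") %}{% endif %}
{% if not windows_defender == "true" %}{% set _ = scripts.append(dir ~ "/scripts/windows/disable_defender.ps1") %}{% endif %}
{% if hypervisor == "virtualbox" %}{% set _ = scripts.append(dir ~ "/scripts/windows/vmtools.ps1") %}{% endif %}
{% for script in scripts %}"{{ script }}"{% if not loop.last %},{% endif %}{% endfor %}
    ]
```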
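Review bot: `malware_analysis.ps1` is now inside `{% if profile is defined %}` in the new provisioner, whereas the old side of the first hunk ran it unconditionally, so a build without a profile silently skips the malware-analysis setup altogether; the commit message only asks for the profile script to run after chocolatey, not for this script to become optional. Keep the new post-restart provisioner unconditional and gate only the profile line, as below. The `{% if choco_packages %},` line that follows is unchanged and the list it belongs to continues outside the hunk.

```json
  },
  {
    "type": "powershell",
    "scripts": [
      {% if profile is defined %}"{{ cache_dir }}/profile-{{ profile }}.ps1",{% endif %}
      "{{ dir }}/scripts/windows/malware_analysis.ps1"
    ]
  }
{% if choco_packages %},
```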