1 parent 2ae1ee9, commit 985352b
Showing 1 changed file with 55 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -15,11 +15,11 @@ This is my guide for setting up your very own malware lab using KVM. | |
|
||
Before you start, this guide assumes you have an [AirVPN](https://airvpn.org/) subscription or another equivalent one, which provides a __.ovpn__ file. | ||
|
||
*NOTE: I like to have internet enabled on my analysis VMs and this comes with extra security considerations and potential risk if you do not perform the setup correctly. It is recommended that you have your KVM host machine on a DMZ. Most home routers do have DMZ settings, just consult your manual. This guide is not intended for beginners.* | ||
> NOTE: I like to have internet enabled on my analysis VMs and this comes with extra security considerations and potential risk if you do not perform the setup correctly. It is recommended that you have your KVM host machine on a DMZ. Most home routers do have DMZ settings, just consult your manual. This guide is not intended for beginners. | ||
If you have used VirtualBox or VMWare Workstation in the past, Spice is just like the guest tools for these but for KVM, which allows you to copy/paste and copy samples to your VMs from your host machine. | ||
|
||
*NOTE: This is not a very stealthy setup as of yet, so do expect some malware to detect your VMs. I will continue to update this guide for stealth once I have a server or workstation. This requires forking the qemu code and modifying it.* | ||
> NOTE: This is not a very stealthy setup as of yet, so do expect some malware to detect your VMs. I will continue to update this guide for stealth once I have a server or workstation. This requires forking the qemu code and modifying it. | ||
Once this guide is completed, you should have networking that looks like this: | ||
|
||
|
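Review bot: converting the two NOTE lines from `*...*` italics to `>` blockquotes needs a blank line after each quote, otherwise Markdown lazily continues the quote into the paragraph that follows it. As rendered here, the `> NOTE:` rows are immediately followed by "If you have used VirtualBox..." and "Once this guide is completed...", so confirm the file has a blank line between each converted note and the next paragraph, or those paragraphs will be rendered inside the quote.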
@@ -381,6 +381,59 @@ sudo mount -t virtiofs hostfs hostfs/ | |
sudo umount hostfs/ | ||
``` | ||
|
||
## Forwarding Ports | ||
|
||
Using `virt-manager` you can edit XML by enabling `Edit->Preferences->General->Enable XML editing`. | ||
|
||
Using this, ensure the `<domain>` XML is `<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>`. | ||
|
||
### Host to Guest | ||
|
||
To forward ports from your host machine to your guest machine, you can use QEMU command-line with `-netdev` and `-device`. | ||
|
||
The `id` and `netdev` options must be the same unique string. | ||
|
||
The `guestfwd` option by default uses the `net` option of `10.0.2.0/24` for the subnet. | ||
|
||
To change this we set our own `net` option to `10.0.3.0/24`, using the IP address `10.0.3.1`. | ||
|
||
We are forwarding, in this case, 11434 from the host machine, to `10.0.3.1:11434` on a guest interface. | ||
|
||
The XML for this is provided below. | ||
|
||
```xml | ||
<qemu:commandline> | ||
<qemu:arg value='-netdev'/> | ||
<qemu:arg value='user,id=hosttoguest,net=10.0.3.0/24,guestfwd=tcp:10.0.3.1:11434-tcp:127.0.0.1:11434'/> | ||
<qemu:arg value='-device'/> | ||
<qemu:arg value='rtl8139,netdev=hosttoguest'/> | ||
</qemu:commandline> | ||
``` | ||
|
||
This example, uses the `ollama` port for working with LLMs, now we can access the port by doing `curl http://10.0.3.1:11434`. | ||
|
||
This usecase is for those who may want to use LLMs for static reversing but do not have two available graphics cards for PCI passthrough. | ||
|
||
> NOTE: It is important to know that forwarding ports to your host machine can pose additional risks | ||
### Guest to Host | ||
|
||
Similar to forwarding ports from the host machine to the guest machine, we use the `netdev` option. | ||
|
||
However, this time we are forwarding port `2222` on the host to `22` on the guest. | ||
|
||
If SSH is enabled on the guest machine, from your host machine you can do `ssh -p 2222 [email protected]` to get a shell. | ||
|
||
```xml | ||
<qemu:commandline> | ||
<qemu:arg value='-netdev'/> | ||
<qemu:arg value='user,id=guesttohost,net=10.0.3.0/24,hostfwd=tcp::2222-:22'/> | ||
<qemu:arg value='-device'/> | ||
<qemu:arg value='rtl8139,netdev=guesttohost,mac=88:88:88:88:88:88'/> | ||
</qemu:commandline> | ||
``` | ||
|
||
> NOTE: It is important to note that accessing your guest machines directly using additional applications on your host can pose additional risks. | ||
## Workflow | ||
When working with malware it is important to establish a general workflow, please refer to my guide [here](/documents/malware-analysis-reversing-workflow/). | ||
|
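Review bot: `hostfwd=tcp::2222-:22` in the Guest to Host block leaves the host address empty, so QEMU binds port 2222 on every host interface; with the host placed on a router DMZ as this guide recommends, that exposes the guest's sshd to the outside network. Bind to loopback instead: `hostfwd=tcp:127.0.0.1:2222-:22`. The two subsection titles are also inverted relative to who initiates the connection: `guestfwd=tcp:10.0.3.1:11434-tcp:127.0.0.1:11434` intercepts connections the guest makes to 10.0.3.1:11434 and delivers them to the host's 127.0.0.1:11434 (guest reaches host), while `hostfwd` accepts connections on the host and delivers them to the guest (host reaches guest); the sentence "We are forwarding, in this case, 11434 from the host machine, to `10.0.3.1:11434` on a guest interface" describes the reverse of what the option does, and the `curl http://10.0.3.1:11434` check only works from inside the guest. The "can pose additional risks" note under the Ollama example should name the risk: anything executing in the analysis VM, including the sample under analysis, can talk to the host's Ollama API via 10.0.3.1:11434, so detach that netdev (or stop the host service) before detonating anything. Finally, if both `<qemu:commandline>` blocks are attached to the same guest they create two NICs on two separate slirp networks that both use 10.0.3.0/24; a single `-netdev user,id=...,net=10.0.3.0/24,guestfwd=...,hostfwd=...` carries both forwards on one interface and avoids the overlapping routes.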