for public benefit and so I can do it easier then next N times
Here's how I have built a quick and dirty dynamic analysis environment from free (for personal education) stuff. Other people do this better and have documented it extensively, eg in fine books like PMA, MAC and online classes like OST's MDA and of course FOR610 {FIXME add some links to prior work}.
I've done this on Windows, (Ubuntu) Linux and Mac machines with VirtualBox with little trouble. You can use other host OSes if you known them well enough and can use another VM if you have it, but the setup is a little different.
There are dozens of greats tools and hundreds of useful ones. Once you know what you like, need you can expand the build, but for now keep it simple (KISS) and get to work learning a thing.
Major components:
- a computer : anything 64bit with at least 4GB of RAM that you have admin/root access to
- a virtualization application: VirtualBox
- Victim host : Microsoft provided test VM (only free for testing & personal education)
- Network Trap : SecurityOnion (+ optionally REMnux)
Analysis tools:
- OllyDbg
- IDA Freeware (only free for personal education)
- Sysinternals
- Regshot
- FileInsight and/or Notepad++
- a lab notebook ( this should be paper or really hard to lose, like a public Gist ;) )
- optionally Python for everyone
- Read the license and then start downloading a Windows testing VM from http://modern.ie/
- Read the license and then start downloading Security Onion ISO : https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
- Download and install Virtualbox onto your "real" computer, the hypervisor. Use the GPL version: http://virtualbox.org
- Get the zips and installers for the tools you want to have on the victim system(s):
- OllyDbg 1 and/or 2: http://ollydbg.de/
- the SysInternals Suite from Microsoft: https://technet.microsoft.com/en-us/sysinternals/
- RegShot : https://sourceforge.net/projects/regshot/
- FileInsight: http://www.mcafee.com/us/downloads/free-tools/fileinsight.aspx
- Notepad++: https://notepad-plus-plus.org/
- 7zip for the victim (and your hyper if you don't have it): http://www.7-zip.org/
- Python : https://www.python.org/downloads/ (2.7.x 32bit is easiest choice)
- Optional, strongly recommended: Check some hashes and signatures to see what your downloaded...
My KISS setup blocks all access from the victim system to any outside network. The trap box will answer any request.
To do this in VirtualBox I create a host only network, give the .1 address to the monitoring (2nd) interface of the trap system and then let the victim system DHCP an IP in that range (static it if you need to). Ref: https://www.virtualbox.org/manual/ch06.html#network_hostonly
Write down your network setup and create any network configuration before you start installing machines.
- Install SecurityOnion in VirtualBox. Make sure it gets at least 2 NICs.
- Unzip the Windows VM package and open (import) the OVF with VirtualBox.
Using your lab network plan and the SecurityOnion setup wizard, configure your trap system interfaces. This will reboot your filter vm. While you are at it, make sure it can reach the Internet and sudo soup up to current. And reboot again.
You can optionally install REMnux atop SecurityOnion to get nice things like InetSim : https://remnux.org/docs/distro/get/#install-remnux-on-an-existing-system
InetSim docs are here: http://www.inetsim.org/documentation.html
- mkdir c:\malware\
- Exclude c:\malware\ from hypervisor system's security software!
- Share malware folder to victim system in VirtualBox: ReadOnly is a good plan
- Put the installers/archives for your analysis tools into c:\malware so the victim system can see them.
- Start with non-malware while you are configuring and testing your lab build.
- Plenty of sources for samples online ...
- Use the shared folder or Python web servers to transfer files in.
- ... FIXME do cool stuff ...
- filter$ sudo tcpdump -nn -i eth1 -v -X 'host 192.168.LAB.VICTIM'
- End state: all DNS and IP traffic from victim system should hit and stop at the filter system.
- Unzip and or install your toolset. Might need to reboot.
- Start up the selected tools and fuss with the configuration:
- Run ProcExp and ProcMon
- Run RegShot and take a snapshot
- Filter out your anlaysis tools and background system from ProcMon...
- Verify network configurationa and trap: ping, surf, etc.
- Snapshot a "readied" victim machine
- Snap back to a Ready snapshot.
- Run some code, see what happens ...