ESX back-end support

[grleblanc]

I love this! I tend to use my own ESX server for malware analysis. I am thinking about integrating ESX into malboxes with the Vagrant ESX plugin.

Any interest?

[Svieg]

That would be really cool! If I were you, I would check for Packer templates as it is the main tool we wrap around. You could check this for example: https://github.com/tsugliani/packer-vsphere-templates. Don't hesitate if you have any questions!

[grleblanc]

So I pretty much have it working. I'm trying to go through and figure out the past way to do this, if we want to merge this in with the current malboxes code.

I currently only implemented it on the win10_64_analyst.json profile, it requires pretty much a complete change. Also, the Autounattended.xml need a small change in the DiskConfiguration section. Lastly I had to change box_win.rb file, but that shouldn't be a big deal because we can add logic in there to do the vmware piece of it only if the provider is vmware-iso.

Here's my proposal:

• Make a change to the config-example.js file to offer up a "provider" (doesn't have to use that name) section
• If it's set to "esx" - we can ensure they have all of the ESX server host information in there.
• Then we'd have to edit malboxes.py to ensure the right profiles and Autounattended.xml are called.

Does that make sense? Would love any sort of discussion on possible other ideas or options. In reality malboxes should work with VirtualBox, VMWare Workstation, ESX - which are probably the 3 most popular.

[Svieg]

I agree with the additionnal provider option in config.js ! Can you make your fork available, I don't see on your profile? Everything sounds good for me.

[grleblanc]

Really? It should be here: https://github.com/gleblanc1783/malboxes

I will commit my changes once I am done testing tonight. Then will work on making the other changes to the other profiles and any edits to malboxes.py.

[Svieg]

Yeah, my bad, I should buy glasses I think eheh. Cool! I look forward to review that!

[obilodeau]

Your proposal sounds great @gleblanc1783!

I would also be interested in hearing performance numbers. How fast is using ESX versus VirtualBox?

[grleblanc]

Okay a solid first pass at this is done. You can view the changes here, and I will have a PR submitted sometime this week after we review.

Sorry it took me so long, between the time it took to consistently try and create the windows images and working through some non-specific bugs and gotchas with Packer and Vagrant it's working now.

Description
As mentioned above, because of how you originally developed the program, not too many changes had to have been made.

1. Config changes

• I added a "provision settings" area in the example-config.js where all of the required settings will be added

	//Provision settings
	//Which Hypervisor for privisoning and deployment? (Options are: "virtualbox" and "vsphere") Default is "virtualbox"
	"hypervisor": "vsphere",
	//If vsphere, the following configuration options are mandatory
	"remote_host": "",
	"remote_datastore": "",
	"remote_username": "",
	"remote_password": "",
	"vsphere_host": "",
	"vsphere_clone_from_vm" = "",
	"vsphere_name" = "malboxestest",
	"vsphere_user" = "",
	"vsphere_password" = "",
	"vsphere_insecure" = "true"

• You can either choose vsphere or virtualbox for now and I think that leaves us with more room to expand on the number of hypervisors that are supported

2. New builder

• I created "builder_vsphere_windows.json" as an addition to the virtualbox builder. This has all of the vSphere specific configuration options. The variables in here are taken from the config file
• Note: Until I can find some other way to do this, I needed to create a new "installconfig" directory named "windows8srv-64" as vSphere doesn't have a Windows10 default os type (the recommended name is windows8srv-64.

3. Vagrant

• I created an "analyst_vsphere.rb" file which has all of the required Vagrant vsphere information it it. It also takes in information from the config file

Requirements

• OVFTool (https://www.vmware.com/support/developer/ovf/)
  -This has one specific external plugin requirement for vSphere.
• Note: If you have the paid/commercial version of vSphere, then you will need this plugin. If you only have the free version, you can still get this to work, just without utilizing the malboxes spin command (more information below)
• To obtain the plugin simply run the following command
  vagrant plugin install vagrant-vsphere
• I also used this tutorial to help with the initial configuration of the "dummy" box (http://blog.broez.com/vagrant-vsphere-centos-7/)

Usage

1. Make any required changes to your config.js, filling in all of the required fields
2. Run malboxes build {profile}
3. If you're using the Vagrant plugin, now you would run malboxes spin {profile} {name}
   3a. This will clone your current VM that was built on the vSphere server and name it the {name} value, and you should be all set to use it.
   3b. Note: This currently is not set to delete the original VM (as designed), see TODO section for more information. This VM will the original one that will be cloned for that profile
4. Run vagrant up --provider=vsphere
5. Once done using the VM, run vagrant halt

Note: If you're not using paid/commercial version of vSphere, you can still use this. Just log into your ESXi server, and clone the VM yourself OR use the base image created by malboxes build

TODO

1. Implement Windows7x64
2. Add/Implement the other features of malboxes like registry, directory, document
3. Figure out what the, hopefully eventual, official name for Windows 10 will be as a guest-os

Please let me know if this works for you and any bugs/concerns!

[obilodeau]

Everything you say sounds fine. Send the pull-request! Let me know if you need a hand in doing that.

[treed593]

Was this pulled in? @obilodeau @gleblanc1783

[Svieg]

No PR was made and no commits have been done after February 27th on his fork so I don't know what is the status of this.

[obilodeau]

Even if @gleblanc1783 is no longer interested, I am. I will get back to it and merge his stuff.

I now have access to an ESX server with enough resources to do some tests.

[grleblanc]

Sorry, all. I've been busy with work and sidetracked with fixing my ESX Server to test this again.

@obilodeau -- feel free to take my code and run with it. I was pretty close.

Will be following this thread to see how it makes out.

[treed593]

I got it working today, for the most part. Couldn't get winrm to connect though

…

On May 31, 2017 2:56 PM, "Gregory LeBlanc" ***@***.***> wrote: Sorry, all. I've been busy with work and sidetracked with fixing my ESX Server to test this again. @obilodeau <https://github.com/obilodeau> -- feel free to take my code and run with it. I was pretty close. Will be following this thread to see how it makes out. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#30 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGffqsPoOX2U-PxygEwLE4YRZo4oL5nBks5r_bfVgaJpZM4MDgXD> .

[Svieg]

@treed593 have you tried increasing the timeout limit?

[treed593]

Not yet, that's the next thing I plan on trying in the morning. It didn't look like the script to enable winrm had run either

…

On May 31, 2017 10:58 PM, "Hugo Genesse" ***@***.***> wrote: @treed593 <https://github.com/treed593> have you tried increasing the timeout limit <https://github.com/GoSecure/malboxes/blob/master/malboxes/profiles/snippets/builder_virtualbox_windows.json#L8> ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#30 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGffqph78HnLC203mjfTx6BqfB5j49LXks5r_ijxgaJpZM4MDgXD> .