ESX support

docs/esx-setup.adoc

@@ -0,0 +1,34 @@
+= ESXi / vSphere Setup
+
+== Firewall rules required
+
+From your machine (where malboxes is installed) to the ESXi server
+
+* SSH (22)
+* VNC (packer will try allocating 5900 upwards until it finds a working port)
+
+From your machine to the running guest for provisioning
+
+* WinRM (5985)
+
+== VNC Access
+
+Opening the ESX firewall is necessary. On version 6.5 this works:
+
+    esxcli network firewall ruleset set -e true -r gdbserver
+
+Otherwise look at implementing the advice in here: https://gist.github.com/jasonberanek/4670943
+
+== Troubleshooting
+
+=== No IP Address on guest
+
+You need a DHCP server on the same network segment. ESXi doesn't seem to
+provide his own. You can create a simple DHCP server on an Ubuntu server with
+isc-dhcp-server.
+
+=== Misc.
+
+Something packer said I needed to do:
+
+    esxcli system settings advanced set -o /Net/GuestIPHack -i 1

malboxes/config-example.js

@@ -30,6 +30,21 @@
 	// https://github.com/GoSecure/malboxes/blob/master/malboxes/profile-example.js
 	//"profile": "maldoc",
 
+	// Provision settings
+	// Which Hypervisor for privisoning and deployment? (Options are: "virtualbox" and "vsphere") Default is "virtualbox"
+	"hypervisor": "virtualbox",
+	//If vsphere, the following configuration options are mandatory
+	"remote_host": "",
+	"remote_datastore": "",
+	"remote_username": "",
+	"remote_password": "",
+	"vsphere_host": "",
+	"vsphere_clone_from_vm": "packer-test",
+	"vsphere_name": "malboxestest",
+	"vsphere_user": "",
+	"vsphere_password": "",
+	"vsphere_insecure": "true",
+
 	// Windows Defender: true means enabled, false means disabled. Default is false.
 	//"windows_defender": "false",
 	// Windows Updates: true means enabled, false means disabled. Default is false.

malboxes/malboxes.py

@@ -221,6 +221,14 @@ def load_config(config_filename, template):
     config['dir'] = resource_filename(__name__, "").replace('\\', '/')
     config['template_name'] = template
     config['config_dir'] = DIRS.user_config_dir.replace('\\', '/')
+
+    # add default values
+    # for users upgrading from versions where those values weren't defined
+    # I don't want default to override the config so I reversed the merge logic
+    default = {'hypervisor': 'virtualbox'}
+    default.update(config)
+    config = default
+
     return config
 
 
@@ -237,8 +245,17 @@ def load_profile(profile_name):
 
 
 def _get_os_type(config):
-    """OS Type is extracted from template json config"""
-    return config['builders'][0]['guest_os_type'].lower()
+    """OS Type is extracted from template json config.
+       For older hypervisor compatibility, some values needs to be updated here.
+    """
+    _os_type = config['builders'][0]['guest_os_type'].lower()
+    if config['hypervisor'] == 'vsphere':
+        if _os_type == 'windows8':
+            _os_type = 'windows10'
+        elif _os_type == 'windows8-64':
+            _os_type = 'windows10_64'
+
+    return _os_type
 
 
 tempfiles = []
@@ -425,8 +442,12 @@ def spin(parser, args):
     config['name'] = args.name
 
     print("Creating a Vagrantfile")
-    with open("Vagrantfile", 'w') as f:
-        _prepare_vagrantfile(config, "analyst_single.rb", f)
+    if config['hypervisor'] == 'virtualbox':
+        with open("Vagrantfile", 'w') as f:
+            _prepare_vagrantfile(config, "analyst_single.rb", f)
+    elif config['hypervisor'] == 'vsphere':
+        with open("Vagrantfile", 'w') as f:
+            _prepare_vagrantfile(config, "analyst_vsphere.rb", f)
     print("Vagrantfile generated. You can move it in your analysis directory "
           "and issue a `vagrant up` to get started with your VM.")
 

malboxes/profiles/snippets/builder_vsphere_windows.json

@@ -0,0 +1,28 @@
+"type": "vmware-iso",
+"format": "ova",
+"remote_type": "esx5",
+"remote_host": "{{ remote_host }}",
+"remote_datastore": "{{ remote_datastore }}",
+"remote_username": "{{ remote_username }}",
+"remote_password": "{{ remote_password }}",
+{# TODO avoiding ovftools doesn't seem to work #}
+"keep_registered": "true",
+"vnc_disable_password": "true",
+"communicator": "winrm",
+"winrm_username": "{{ username }}",
+"winrm_password": "{{ password }}",
+"winrm_timeout": "30m",
+"shutdown_command": "shutdown /s /f /t 10",
+"boot_wait": "10s",
+"disk_size": "{{ disk_size }}",
+"output_directory": "builds",
+"vm_name": "{{ profile_name }}",
+"vmdk_name": "{{ profile_name }}-vmdk",
+"vmx_data": {
+  "ethernet0.networkName": "VM Network",
+  "scsi0.virtualDev": "lsisas1068",
+  "memsize": "4096",
+  "numvcpus": "4"
+},
+{# TODO validate if they are automatically installed #}
+"tools_upload_flavor": "windows"

malboxes/templates/snippets/provision_powershell.json

@@ -3,7 +3,9 @@
 		"scripts": [
 			{% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
 			{% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
-			"{{ dir }}/scripts/windows/vmtools.ps1",
+			{% if hypervisor == "virtualbox" %}
+				"{{ dir }}/scripts/windows/vmtools.ps1",
+			{% endif %}
 			"{{ dir }}/scripts/windows/installtools.ps1",
 			{% if profile is defined %}"{{ cache_dir }}/profile-{{ profile }}.ps1",{% endif %}
 			"{{ dir }}/scripts/windows/malware_analysis.ps1"

malboxes/templates/snippets/provision_powershell_win7.json

@@ -4,7 +4,9 @@
 		"scripts": [
 			{% if not windows_updates == "true" %}"{{ dir }}/scripts/windows/disable_auto-updates.ps1",{% endif %}
 			{% if not windows_defender == "true" %}"{{ dir }}/scripts/windows/disable_defender.ps1",{% endif %}
-			"{{ dir }}/scripts/windows/vmtools.ps1"
+			{% if hypervisor == "virtualbox" %}
+				"{{ dir }}/scripts/windows/vmtools.ps1"
+			{% endif %}
 		]
 	},
 	{

malboxes/templates/win10_32_analyst.json

@@ -1,8 +1,13 @@
 {
 	"builders": [{
-		"guest_os_type": "Windows10",
 
-		{% include 'snippets/builder_virtualbox_windows.json' %},
+		{% if hypervisor == "virtualbox" %}
+			"guest_os_type": "Windows10",
+			{% include 'snippets/builder_virtualbox_windows.json' %},
+		{% elif hypervisor == "vsphere" %}
+			"guest_os_type": "windows8",
+			{% include 'snippets/builder_vsphere_windows.json' %},
+		{% endif %}
 
 		"iso_urls": [
 			"file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X86FRE_EN-US.ISO",
@@ -11,7 +16,6 @@
 		"iso_checksum": "0b8e56772c71dc7bb73654c61e53998a997e1e4d",
 		"iso_checksum_type": "sha1",
 
-
 		"floppy_files": [
 			"{{ cache_dir }}/Autounattend.xml",
 			"{{ dir }}/installconfig/windows10/enablewinrm.ps1"
@@ -20,16 +24,20 @@
 
 	{% include 'snippets/postprocessor_vagrant.json' %},
 
+	{% if hypervisor == 'virtualbox' %}
+		{% include 'snippets/postprocessor_vagrant.json' %},
+	{% endif %}
+
 	"provisioners": [
 
-	{% include 'snippets/provision_powershell.json' %}
+		{% include 'snippets/provision_powershell.json' %}
 
-	{% if tools_path %},
-		{% include 'snippets/tools.json' %}
-	{% endif %}
-	{% if ida_path %},
-		{% include 'snippets/ida_remote_32.json' %}
-	{% endif %}
+		{% if tools_path %},
+			{% include 'snippets/tools.json' %}
+		{% endif %}
+		{% if ida_path %},
+			{% include 'snippets/ida_remote_32.json' %}
+		{% endif %}
 
 	]
 }

malboxes/templates/win10_64_analyst.json

@@ -1,7 +1,13 @@
 {
 	"builders": [{
-		"guest_os_type": "Windows10_64",
-		{% include 'snippets/builder_virtualbox_windows.json' %},
+
+		{% if hypervisor == "virtualbox" %}
+			"guest_os_type": "Windows10_64",
+			{% include 'snippets/builder_virtualbox_windows.json' %},
+		{% elif hypervisor == "vsphere" %}
+			"guest_os_type": "windows8-64",
+			{% include 'snippets/builder_vsphere_windows.json' %},
+		{% endif %}
 
 		"iso_urls": [
 			"file://{{ iso_path }}/14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO",
@@ -16,19 +22,21 @@
 		]
 	}],
 
-	{% include 'snippets/postprocessor_vagrant.json' %},
+	{% if hypervisor == 'virtualbox' %}
+		{% include 'snippets/postprocessor_vagrant.json' %},
+	{% endif %}
 
 	"provisioners": [
 
-	{% include 'snippets/provision_powershell.json' %}
+		{% include 'snippets/provision_powershell.json' %}
 
-	{% if tools_path %},
-		{% include 'snippets/tools.json' %}
-	{% endif %}
-	{% if ida_path %},
-		{% include 'snippets/ida_remote_64.json' %},
-		{% include 'snippets/ida_remote_32.json' %}
-	{% endif %}
+		{% if tools_path %},
+			{% include 'snippets/tools.json' %}
+		{% endif %}
+		{% if ida_path %},
+			{% include 'snippets/ida_remote_64.json' %},
+			{% include 'snippets/ida_remote_32.json' %}
+		{% endif %}
 
 	]
 }

malboxes/vagrantfiles/analyst_vsphere.rb

@@ -0,0 +1,22 @@
+-*- mode: ruby -*-
+# vi: set ft=ruby :
+Vagrant.configure(2) do |config|
+       # config.vm.box = "win10_64_analyst"
+       config.vm.box = 'dummy'
+       config.vm.box_url = 'vsphere-dummy.box'
+       config.vm.provider :vsphere do |vsphere|
+       # The vSphere host we're going to connect to
+       vsphere.host = {{ vsphere_host }}
+       vsphere.compute_resource_name = {{ remote_host }}
+       vsphere.clone_from_vm = {{ vsphere_clone_from_vm }}
+       vsphere.name =  {{ vsphere_name }}
+       vsphere.user = {{ vsphere_user}}
+       vsphere.password = {{ vsphere_password }}
+       vsphere.insecure = {{ vsphere_insecure }}
+end
+
+       # Host files are shared on the Desktop
+       config.vm.synced_folder ".", "/Users/malboxes/Desktop/host"
+end
+~
+~

malboxes/vagrantfiles/box_win.rb

@@ -7,7 +7,6 @@
 	# Giving plenty of times for updates
 	config.vm.boot_timeout = 600
 	config.vm.graceful_halt_timeout = 600
-
 	config.vm.provider "virtualbox" do |vb|
 		vb.gui = true
 		vb.customize ["modifyvm", :id, "--vram", "128"]