This is a follow-up to the Tool Talk #1 post.
When building a virtual network in VMware’s Workstation, I don’t want the host to have a virtual network connection to the guest that I use for testing. This is a security issue: a sample could contain worm-like functionality that could potentially exploit this connection to break out of the test environment and compromise the host. I accomplish this isolation by building a custom network with the VMware Virtual Network Editor:
I just hijack what is normally the host only network in a default VMware Workstation install and modify it.
Make sure the check box for “Connect a host virtual adapter to this network” is unchecked.
This will prevent the host from connecting to the virtual network (note that when it is connected, the host is usually given the IP address of the network with the last octet set to 1, so 192.168.111.1 would be the host on this network). Note that I leave the host running DHCP. (DHCP will appear to be served by a responder spoofed by VMware with the last octet of 254, so you may see traffic from this spoofed address on your isolated network when machines make DHCP requests. This is a function of the VMware application and not a true virtual network connection.) I then put a REMnux VM appliance in this isolated virtual network and connect. So it ends up looking like this:
Now, I have less worry about a sample being able to compromise the host. It could still have an exploit for VMware’s Workstation product, but I don’t have to worry about a worm exploiting something that the host is vulnerable to across the host only network. The host is just not connected to the same virtual network as the guest.
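As an added example (my own code, not part of the original post), here is a small check that verifies the two conditions the setup above relies on: the analysis guest's adapters all sit on the isolated custom network, and the host holds no address inside that subnet. It parses the `ethernetN.*` keys from a guest's `.vmx` text and compares a host interface list against the subnet. The `.vmx` fragment, the host interface list, the vnet name `VMnet1` and the subnet 192.168.111.0/24 are constructed sample values and assumptions for the example.

```python
"""Lab-isolation check for a VMware Workstation malware-analysis network.

Added example, not code from the original post. Parses the guest's .vmx
text for its network adapters and compares the host's interface addresses
against the isolated subnet. All inputs below are constructed sample data;
the vnet name, subnet and .vmx contents are assumptions.
"""
import ipaddress
import re

ISOLATED_VNET = "vmnet1"                                     # assumption: the hijacked host-only vnet
ISOLATED_SUBNET = ipaddress.ip_network("192.168.111.0/24")   # subnet used in the post
DHCP_RESPONDER_OFFSET = 254                                  # VMware's spoofed DHCP responder (.254)

# Constructed .vmx fragment for the analysis guest (assumed values).
SAMPLE_VMX = """\
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet1"
ethernet0.addressType = "generated"
ethernet1.present = "FALSE"
ethernet1.connectionType = "bridged"
"""

# Constructed host interface list (address, prefix length), as ipconfig or
# ip addr would report it after the host virtual adapter was unchecked.
SAMPLE_HOST_IFACES = [
    ("192.168.1.23", 24),    # physical LAN
    ("192.168.56.1", 24),    # another host-only vnet that is still connected
]


def parse_vmx_adapters(vmx_text):
    """Return {adapter_name: {key: value}} for every ethernetN.key = "value" line."""
    adapters = {}
    for m in re.finditer(r'^(ethernet\d+)\.(\w+)\s*=\s*"([^"]*)"', vmx_text, re.M):
        adapters.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return adapters


def guest_is_isolated(vmx_text, vnet=ISOLATED_VNET):
    """True iff every present adapter is a 'custom' adapter on the isolated vnet.

    A guest with no present adapter is trivially isolated (all() over an
    empty list), though it is useless for sniffing with REMnux.
    """
    adapters = parse_vmx_adapters(vmx_text)
    present = [a for a in adapters.values() if a.get("present", "").upper() == "TRUE"]
    return all(
        a.get("connectionType", "").lower() == "custom"
        and a.get("vnet", "").lower() == vnet
        for a in present
    )


def host_addresses_in_subnet(ifaces, subnet=ISOLATED_SUBNET):
    """Host addresses that fall inside the isolated subnet; should be empty."""
    return [addr for addr, _prefix in ifaces if ipaddress.ip_address(addr) in subnet]


def is_expected_dhcp_source(addr, subnet=ISOLATED_SUBNET):
    """True for VMware's spoofed DHCP responder (last octet 254) on the subnet.

    Use this to explain .254 traffic seen on the isolated network rather than
    treating it as a host connection.
    """
    return ipaddress.ip_address(addr) == subnet.network_address + DHCP_RESPONDER_OFFSET


def check_lab(vmx_text, host_ifaces):
    """Return a list of findings; an empty list means the lab looks isolated."""
    findings = []
    if not guest_is_isolated(vmx_text):
        findings.append("guest has an adapter outside the isolated vnet")
    leaks = host_addresses_in_subnet(host_ifaces)
    if leaks:
        findings.append("host holds an address in the isolated subnet: " + ", ".join(leaks))
    return findings


if __name__ == "__main__":
    for finding in check_lab(SAMPLE_VMX, SAMPLE_HOST_IFACES) or ["lab isolation checks passed"]:
        print(finding)
```

Feeding it a host interface list that still contains 192.168.111.1 (the address the host would get with the adapter box checked) produces a finding, as does a `.vmx` that has a second, bridged adapter marked present.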
To move files in or out of the machines on this network, I move the REMnux appliance off of this virtual network and onto the bridged network so that it can access my full network (executing ‘renew-dhcp’ in REMnux to pick up the new address). Once the REMnux appliance is returned to the isolated network, I can use PSCP on the guest to pull files in from it.
I will also admit to cheating on this many times by just enabling copy and paste, then copying a password-protected zip file containing the malware directly from the host and pasting it into the test machine. This does require VMware Tools running on the guest.
I guess I am less worried about VMware Workstation being vulnerable than I am about the network connection to the host.
Ultimately, I get to snapshot and analyze the sample in the guest machine, using the REMnux appliance for network sniffing and service spoofing.