Debugwar Blog

[NOTE] Build a virus debug environment with ESXi

2021-09-06 @ UTC+0

In the course of daily virus sample analysis we often need to debug worms. Because machines on the intranet are generally not patched often, network isolation is essential in this situation; otherwise a worm may spread across the whole network.

As our department and its workload have grown, the shared debugging environment now hosts many people's debugging virtual machines. This leads to situations where a worm or ransomware sample being debugged by person A spreads laterally to person B's virtual machine and disrupts B's work. Network isolation of the department's shared virtual machines has therefore become a requirement that needs to be put on the agenda.

Network Topology

First, let's look at the network topology. ESXi runs on a Dell R710 server. The software router, OpenWrt, reaches the gateway (and through it the Internet) via vSwitch0; vSwitch1 is dedicated to connecting the various debugging virtual machines.


A few necessary concepts to know

VLAN: In this article, this refers to VLANs that comply with the 802.1Q or 802.1ad specifications. VLANs isolate networks from one another: on a physical switch, VLANs can assign different RJ45 ports to different subnets. Traffic between those subnets has to pass through trunk ports; if no trunk port is configured, the subnets cannot communicate with each other.

Port Group: A PortGroup is a concept used to manage the networking of virtual machines. It can be thought of as a virtual network card, with the difference that this virtual network card can be shared by several virtual machines, and virtual machines attached to the same port group belong to the same VLAN. The following figure shows the port group configuration used by the core router in this tutorial. The router has two network cards: TrunkPG0 is used to reach the public network, and TrunkPG1 carries the traffic between the various analysis virtual machines in the network.


OpenWrt network configuration: The following configuration shows two VLANs created on the eth1 network card, with VLAN IDs 100 and 200. Note that although both subnets use the same physical network card, they are isolated from each other by default. The meaning of the individual parameters is explained in reference 1 at the end of the article.


ESXi Configuration

1. Create a Virtual Switch

For ease of management, this article creates a separate virtual switch for the analysis network. You can of course apply the configuration described here to the default switch as well; the steps are similar.

First, open the Networking tab in ESXi and choose 'Add standard virtual switch' under the 'Virtual switches' tab. Apart from changing the name to 'vSwitch1' (any name will do), all other parameters can keep their default values.


2. Create Port Group (PortGroup)

Next, select the 'Port groups' tab and click the 'Add port group' button. Fill in the pop-up dialog as shown in the figure below:


Note: enter 200 as the VLAN ID. Any integer is acceptable here, but it must match the router configuration later in the article: the 200 entered here corresponds to ethX.200 in the router configuration below.

We have set aside the VLAN 200 subnet specifically for the virtual machines in the analysis environment. If those virtual machines need to reach the Internet, they must go through the 'router'. Since the router itself is not in the VLAN 200 network, we need to create two trunk port groups, one attached to the VLAN 200 virtual switch vSwitch1 and one to the 'router' virtual switch vSwitch0. These two port groups are named TrunkPG0 and TrunkPG1:



Note: what TrunkPG0 and TrunkPG1 in the figure above have in common is the VLAN ID of 4095 (it must be this value: on an ESXi standard switch, VLAN ID 4095 turns the port group into a trunk that passes frames of all VLANs with their tags intact). The difference is that TrunkPG0 sits on virtual switch vSwitch0, while TrunkPG1 sits on vSwitch1 (for details, refer to the topology diagram in the first section).

Because this is a purely virtual environment, there is no need to bind a physical network card to vSwitch1. At this point the 'physical link' is in place; the next step is configuring OpenWrt and the virtual machines.

Analysis virtual machine configuration

This is the simplest part. In one sentence: when creating a virtual machine, make sure to select the PortGroup1 we just created.


OpenWrt virtual machine configuration

1. Physical link configuration

OpenWrt is in fact also a virtual machine, but a more important one: it is essentially a software router, responsible for controlling the VLANs under vSwitch1 and the network communication of the machines in each VLAN. The network topology is described in the first section above.

Note that this virtual machine needs two network cards, corresponding to the TrunkPG0 and TrunkPG1 created above:


2. OpenWrt configuration

First of all, if for whatever reason you cannot access the OpenWrt web configuration interface, you can refer to the configuration files at the end of this article; the effect is the same. The web interface is used here only because it is more intuitive.

First, let's take a look at the current network configuration of our analysis environment:


Here the WAN port corresponds to the TrunkPG0 port group from the previous section. With the gateway and its own IP address configured appropriately, this network card obtains an IPv4 address with Internet access.

IF_VM_GROUP1 and IF_VM_SERVERS (the latter not mentioned above) both correspond to the TrunkPG1 port group.

Here is a concept that is easy to confuse. TrunkPG0 corresponds to network card eth0, and TrunkPG1 to network card eth1. eth1.200 (that is, VLAN 200) corresponds to the VLAN network that the PortGroup1 port group sits in. Because the 'network card' PortGroup1 was assigned to the debugging virtual machines in the section above, the OpenWrt VM in this section is not given that network card.

The reason is that vSwitch1 and the other facilities PortGroup1 sits on are all configured at the ESXi ('hardware') level, below the guest. OpenWrt needs a matching configuration at the software level, and the ethX.Y form is OpenWrt's software-level VLAN support (reference 1).

Next, we configure the network port of VLAN 200, that is, IF_VM_GROUP1:


You can configure this interface's subnet address as needed; in the figure above the author simply allocated the 192.168.2.1/24 subnet. If you need DHCP, remember to enable the DHCP service below it and configure it as needed, as shown below:


Next, configure the VLAN ID by entering eth1.200 in the Custom Interface input box. The only thing to watch is that the 200 must be exactly the VLAN ID of PortGroup1 configured in the first section:


Finally, to let VLAN eth1.200 reach the Internet, you need firewall rules from eth1.200 (IF_VM_GROUP1) to eth0 (WAN).

First, assign a ZONE to IF_VM_GROUP1:


Similarly, WAN may also need a ZONE:


Finally, allow forwarding between these two ZONEs in the firewall rules:


Configuration file

/etc/config/network

  # Analysis VLAN: eth1.200 is VLAN 200 tagged on eth1 (TrunkPG1),
  # matching the VLAN ID of PortGroup1 on the ESXi side.
  config interface 'if_vm_group1'
          option ifname 'eth1.200'
          option proto 'static'
          option ipaddr '192.168.2.1'
          option netmask '255.255.255.0'
          option gateway '192.168.2.1'
          option metric '10'
          option dns '114.114.114.114 8.8.8.8'

/etc/config/dhcp

  # DHCP pool for VLAN 200: 192.168.2.100 - 192.168.2.199, 12-hour leases
  config dhcp 'dhcp_vm_group1'
          option leasetime '12h'
          option interface 'if_vm_group1'
          option start '100'
          option limit '100'

/etc/config/firewall

  # Default policy: reject anything not explicitly allowed below
  config defaults
          option input 'REJECT'
          option output 'REJECT'
          option forward 'REJECT'

  # WAN zone (eth0 / TrunkPG0), with NAT masquerading for outbound traffic
  config zone
          option name 'WAN'
          option input 'ACCEPT'
          option output 'ACCEPT'
          option forward 'ACCEPT'
          option masq '1'
          option network 'wan'

  # Analysis VLAN 200 zone; forwarding inside the zone is rejected
  config zone
          option forward 'REJECT'
          option name 'Group1'
          option input 'ACCEPT'
          option output 'ACCEPT'
          option network 'if_vm_group1'

  # Servers zone (IF_VM_SERVERS); forwarding inside the zone is rejected
  config zone
          option forward 'REJECT'
          option name 'Servers'
          option input 'ACCEPT'
          option output 'ACCEPT'
          option network 'if_vm_servers'

  # Group1 -> WAN gives the analysis VLAN Internet access
  config forwarding
          option dest 'WAN'
          option src 'Group1'

  # WAN -> Group1 also allows unsolicited traffic from the WAN side into the analysis VLAN
  config forwarding
          option dest 'Group1'
          option src 'WAN'

  # Group1 -> Servers only; there is no forwarding rule in the reverse direction
  config forwarding
          option dest 'Servers'
          option src 'Group1'
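The two things that most often go wrong in this setup are the VLAN ID mismatch warned about in the ESXi and OpenWrt sections (the 200 of PortGroup1 versus the 200 in eth1.200, and the trunk port groups not being 4095) and a forwarding rule that quietly connects zones that were meant to stay apart. The following checker is an added example written for this article, not code from the post or from OpenWrt: it parses text in the UCI format of /etc/config/network and /etc/config/firewall, compares each ethX.Y sub-interface against a table of ESXi port groups, and derives which firewall zones may forward traffic to which. The names parse_uci, vlan_problems, forwarding_matrix, ESXI_PORT_GROUPS and NIC_TO_PORT_GROUP are mine; the port-group table and config excerpts are constructed from the post's values, the eth0/eth1 to TrunkPG0/TrunkPG1 mapping is assumed from the text, and treating a zone's unspecified 'forward' policy like the 'defaults' section is a simplification that happens to match this post's config.

```python
"""Added consistency checker for the ESXi / OpenWrt VLAN setup in this post
(example code, not from the post). Parses UCI-style text, checks each ethX.Y
sub-interface against the ESXi port groups, and derives the zone forwarding matrix."""
import re

TRUNK_VLAN_ID = 4095  # ESXi port-group VLAN ID that passes all VLAN tags (trunk)

# Constructed to mirror the post: ESXi port group name -> VLAN ID.
ESXI_PORT_GROUPS = {"TrunkPG0": 4095, "TrunkPG1": 4095, "PortGroup1": 200}
# Assumed mapping of the OpenWrt VM's NICs to the trunk port groups they sit on.
NIC_TO_PORT_GROUP = {"eth0": "TrunkPG0", "eth1": "TrunkPG1"}

# Constructed excerpts of the post's /etc/config/network and /etc/config/firewall.
NETWORK_CFG = """
config interface 'if_vm_group1'
        option ifname 'eth1.200'
        option proto 'static'
        option ipaddr '192.168.2.1'
"""

FIREWALL_CFG = """
config defaults
        option forward 'REJECT'
config zone
        option name 'WAN'
        option masq '1'
config zone
        option forward 'REJECT'
        option name 'Group1'
config zone
        option forward 'REJECT'
        option name 'Servers'
config forwarding
        option dest 'WAN'
        option src 'Group1'
config forwarding
        option dest 'Group1'
        option src 'WAN'
config forwarding
        option dest 'Servers'
        option src 'Group1'
"""


def parse_uci(text):
    """Minimal UCI parser: list of (section_type, {option: value}) in file order.
    Only 'config' and 'option' lines are handled; a named section keeps its name under '_name'."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"config\s+(\S+)(?:\s+'?([^']*)'?)?", line)
        if m:
            opts = {"_name": m.group(2)} if m.group(2) else {}
            sections.append((m.group(1), opts))
            continue
        m = re.fullmatch(r"option\s+(\S+)\s+'?([^']*)'?", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections


def vlan_problems(network_cfg, port_groups, nic_map):
    """Compare every ethX.Y interface with the ESXi side; an empty list means consistent."""
    problems = []
    for kind, opts in parse_uci(network_cfg):
        m = re.fullmatch(r"(eth\d+)\.(\d+)", opts.get("ifname", ""))
        if kind != "interface" or not m:
            continue  # untagged interface, nothing to check
        parent, vlan = m.group(1), int(m.group(2))
        pg = nic_map.get(parent)
        if pg is None:
            problems.append(f"{parent}: no ESXi port group known for this NIC")
        elif port_groups.get(pg) != TRUNK_VLAN_ID:
            problems.append(f"{pg} on {parent} must use VLAN ID {TRUNK_VLAN_ID} to pass tagged frames")
        if vlan not in port_groups.values():
            problems.append(f"no ESXi port group carries VLAN {vlan} for {opts.get('_name')}")
    return problems


def forwarding_matrix(firewall_cfg):
    """Return {src_zone: set(dst_zones)} that the firewall lets traffic flow between.
    Inter-zone traffic needs an explicit 'config forwarding'; intra-zone traffic follows
    the zone's own 'forward' option, here falling back to the 'defaults' policy."""
    sections = parse_uci(firewall_cfg)
    default_forward = "REJECT"
    for kind, opts in sections:
        if kind == "defaults":
            default_forward = opts.get("forward", default_forward)
    allowed = {opts["name"]: set() for kind, opts in sections if kind == "zone"}
    for kind, opts in sections:
        if kind == "zone" and opts.get("forward", default_forward) == "ACCEPT":
            allowed[opts["name"]].add(opts["name"])
        elif kind == "forwarding":
            allowed.setdefault(opts["src"], set()).add(opts["dest"])
    return allowed
```

Calling vlan_problems(NETWORK_CFG, ESXI_PORT_GROUPS, NIC_TO_PORT_GROUP) returns an empty list for the values above; change PortGroup1 to another VLAN ID and it reports that no port group carries VLAN 200. forwarding_matrix(FIREWALL_CFG) shows Group1 reaching WAN and Servers, WAN reaching Group1, and Servers reaching nothing, which is the isolation the post's firewall section sets out to achieve. On a real router the two functions can be fed the contents of /etc/config/network and /etc/config/firewall directly.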

References

  1. OpenWrt's introduction to driver-level VLANs
  2. Configuring VLAN trunk ports in ESXi

CopyRight (c) 2020 - 2025 Debugwar.com
