{"id":6919,"date":"2017-03-09T11:10:22","date_gmt":"2017-03-09T19:10:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/09\/news-710\/"},"modified":"2017-03-09T11:10:22","modified_gmt":"2017-03-09T19:10:22","slug":"news-710","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/09\/news-710\/","title":{"rendered":"Torify and analyze traffic for your VM"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Boursier| Date: Thu, 09 Mar 2017 18:00:58 +0000<\/strong><\/p>\n

Virtual machines are a great tool to run untrusted piece of software and analyzing the network activity. Most of the time, the default networking configuration uses a bridge<\/a> to allow VMs to communicate. One caveat about this approach is that both the VM and the host will access the same network (like a personal trusted LAN for instance\u2026), something definitely not desirable.<\/p>\n

Multiple solutions exist to isolate the untrusted VMs from the host LAN. A few years ago we spoke about JanusVM<\/a> which is no longer maintained and not so easy to set up. A more recent solution uses VirtualBox<\/a>, Tor<\/a>, and Whonix<\/a> alongside Wireshark<\/a> and is pretty quick to set up without bothering with DHCP or other network protocols.<\/p>\n

Whonix<\/strong> is an\u00a0 OS designed to run as a set of VMs with pre-installed and configured applications. Among other features, it uses Tor<\/a> for all network connection thanks to Whonix-Gateway<\/strong>, a VM dedicated to be used as a gateway between Whonix VMs to the Tor network.<\/p>\n

However, please note that UDP traffic won\u2019t work due to Tor limitations<\/a>. DNS queries will use Tor DnsPort<\/em> on the Whonix Gateway to avoid leaks.<\/p>\n

    \n
  1. Download Whonix-Gateway<\/strong><\/a> (look for Download Whonix-Gateway<\/em> link),<\/li>\n
  2. Download the associated signature, and the SHA512 file (also provided with its signature),<\/li>\n
  3. Check them both<\/strong><\/a>,<\/li>\n
  4. On VirtualBox, simply import the .ova<\/em> downloaded above with File<\/em> > Import Appliance<\/em>,<\/li>\n
  5. Leave the default settings untouched, read and agree the agreement,<\/li>\n
  6. Start Whonix-Gateway<\/em> VM and follow the initial instructions,<\/li>\n
  7. You may want to activate the auto-update when prompted,<\/li>\n
  8. For the VMs you want to redirect the traffic, go to Settings<\/em>, Network<\/em> and select Internal Network<\/em>. Set Whonix<\/em> as name.<\/li>\n<\/ol>\n

    Once Whonix-Gateway<\/em> has been configured, you get the following network configuration:<\/p>\n

    auto eth1  iface eth1 inet static  address 10.152.152.10  netmask 255.255.192.0  <\/code><\/pre>\n
    Thus, you can assign your VMs in the range 10.152.152.10 \/18<\/em>. For instance, the following static IP configuration is used for a first VM:<\/p>\n
    IP: 10.152.152.11  Mask: 255.255.192.0  Gateway: 10.152.152.10  Primary DNS server: 10.152.152.10  <\/code><\/pre>\n
    All the traffic will now be isolated from your host LAN, and will only use Tor (including DNS queries). In order for this setup to work, whenever you want to connect one of your VM, the Whonix-Gateway has to be up.<\/p>\n
    \"check.torproject.org<\/a><\/p>\n
    check.torproject.org status page<\/p>\n<\/div>\n
    A visit on check.torproject.org<\/a> from inside a VM using Whonix-Gateway<\/em> should confir that the setups is working as expected.<\/p>\n
    Please keep in mind that this setup should not be trusted to provide serious anonymity guarantees<\/strong>.<\/p>\n
    Once the VMs are setup, simply install Wireshark<\/em> or tshark<\/em>. Configure them to listen on eth1… and profit!<\/p>\n
    \"Wireshark<\/a><\/p>\n
    Wireshark listening on eth1 on the Whonix Gateway.<\/p>\n<\/div>\n
    The post Torify and analyze traffic for your VM<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
    https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Credit to Author: J\u00e9r\u00f4me Boursier| Date: Thu, 09 Mar 2017 18:00:58 +0000<\/strong><\/p>\n\n\n\n
    <\/a><\/td>\n<\/tr>\n
    Several solutions to isolate and analyze a VM network traffic for malware analysis purpose exist. Whonix, Tor and Virtual makes this process painless and efficient.<\/p>\n
    Categories: <\/p>\n