Networking

Deprecated since version 0.3: Since Cuckoo Sandbox 2.0-RC1 better options exist to handle per-analysis network routing. Please refer to Cuckoo’s official documentation to learn more about this.

By default, every generated Virtual Machine has a host-only network adapter; at the moment this is required for VMCloak to work. This adapter is used to talk to Cuckoo. Because it is host-only, however, it does not allow the Virtual Machine to reach the internet.

If you would like the Virtual Machine to have full access to the internet, that is also possible. However, do take into account that this indirectly allows malware to abuse your internet connection.

There are multiple approaches to getting networking working inside the Virtual Machines; the following is the easiest. (Other approaches include, but are not limited to, a bridged network adapter, a NAT network, etc.)

Full-internet access

To set up full internet access for Virtual Machines, take the following two steps. Note that these steps can also be taken after generating the Virtual Machines, giving them internet access after the fact.

  • Set up a host-only network interface
  • Run a bash script around iptables(8)

To start off, set up a host-only interface for VirtualBox. Then run the following bash script as root. For your convenience, it can be found on your system by running vmcloak-iptables (the name of this script is subject to change in the future, though).

#!/bin/sh
# Copyright (C) 2014-2015 Jurriaan Bremer.
# This file is part of VMCloak - http://www.vmcloak.org/.
# See the file 'docs/LICENSE.txt' for copying permission.

# Credits to Mark Schloesser, https://github.com/rep/cuckoo-contrib

if [ "$1" = "-h" ]; then
    echo "Usage: $0 [ip_range/cidr] [interfaces..]"
    echo "  $0 192.168.57.0/24 eth0 eth1"
    echo
    echo "Defaults to:"
    echo "  $0 192.168.56.0/24 eth0 wlan0"
    exit
fi

# Fetch the IP range and CIDR.
if [ "$#" -ne 0 ]; then
    VBOXNET="$1"
    shift
else
    VBOXNET="192.168.56.0/24"
fi

# Fetch the interfaces.
if [ "$#" -ne 0 ]; then
    INTERFACES="$*"
else
    INTERFACES="eth0 wlan0"
fi

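# Flush all existing rules in the filter and nat tables.
iptables -F
iptables -t nat -F

# Masquerade traffic from vboxnet leaving through each outbound interface.
for i in $INTERFACES; do
    iptables -t nat -A POSTROUTING -o "$i" -s "$VBOXNET" -j MASQUERADE
done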

# Default drop.
iptables -P FORWARD DROP

# Existing connections.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept connections from vboxnet to the whole internet.
iptables -A FORWARD -s "$VBOXNET" -j ACCEPT

# Internal traffic.
iptables -A FORWARD -s "$VBOXNET" -d "$VBOXNET" -j ACCEPT

# Log stuff that reaches this point, could be noisy though.
iptables -A FORWARD -j LOG

# Actually enable forwarding of packets. This is Debian/Ubuntu specific.
echo 1 > /proc/sys/net/ipv4/ip_forward

That being said, setting up full internet access for your Virtual Machines boils down to running the following commands:

VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
sudo vmcloak-iptables
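
To confirm that the host ended up with the ruleset the script above describes, the following added example (not part of VMCloak) audits iptables-save output for the DROP forward policy, the per-interface MASQUERADE rules and any ACCEPT rule not scoped to the Virtual Machine subnet. The function names audit_rules and sample_dump are hypothetical, and the embedded dump is constructed for illustration.

```shell
# Added example, not part of VMCloak: audit an `iptables-save` dump on stdin.
# On a live host: iptables-save | audit_rules 192.168.56.0/24 eth0 wlan0
# Prints one line per finding; the return status is the number of problems.
audit_rules() {
    net="$1"; shift
    dump=$(cat)
    problems=0
    # FORWARD must default to DROP so only explicit rules route traffic.
    if ! printf '%s\n' "$dump" | grep -q '^:FORWARD DROP '; then
        echo "FAIL: FORWARD policy is not DROP"
        problems=$((problems + 1))
    fi
    # Each outbound interface needs a MASQUERADE rule scoped to the VM subnet.
    for i in "$@"; do
        if ! printf '%s\n' "$dump" | grep -- '^-A POSTROUTING .*-j MASQUERADE' \
            | grep -F -- "-s $net " | grep -q -F -- "-o $i "; then
            echo "FAIL: no MASQUERADE rule for $net on $i"
            problems=$((problems + 1))
        fi
    done
    # ACCEPT rules neither scoped to the VM subnet nor limited to established
    # flows would let unrelated traffic be routed through this host.
    extra=$(printf '%s\n' "$dump" | grep -- '^-A FORWARD .*-j ACCEPT' \
        | grep -v -F -- "-s $net " | grep -c -v 'RELATED,ESTABLISHED' || true)
    if [ "$extra" -gt 0 ]; then
        echo "FAIL: $extra FORWARD ACCEPT rule(s) not scoped to $net"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then echo "OK: ruleset matches"; fi
    return "$problems"
}

# Constructed sample of iptables-save output for the script's defaults
# (192.168.56.0/24, eth0 wlan0); not captured from a real host.
sample_dump() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.56.0/24 -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
}
sample_dump | audit_rules 192.168.56.0/24 eth0 wlan0
```

A non-zero return status equals the number of failed checks, so the function can gate starting an analysis run.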