LibVirt

Intro

This page contains the instruction to build DetectionLab for Qemu/LibVirt. This is the provider for you if: * You are familiar with LibVirt, virt-manager and Qemu and prefer this software stack instead of VirtualBox * You are willing to spend a bit more time thinkering with the build process as it is more hands-on than the official DetectionLab build process

A step-by-step guide is available at https://selorasec.wordpress.com/2019/12/03/ad-in-a-box-for-pocs-and-iocs-on-the-cheap-detectionlab-on-libvirt/#Setting_Up_Vagrant.

A big thank you to @Selora for adding this in PR #254

I do not officially support or troubleshoot DetectionLab issues using the LibVirt provider. You’re welcome to open issues for community support, but I will not personally be able to assist with them.

Prerequisites

LibVirt

The libvirt and virt-manager installation walkthrough and documentation is out of scope of this project. To follow along, you need an already working installation of libvirt, virt-manager, and QEMU+kvm.

Packer

  1. The Virtio drivers ISO needs to be location in the DetectionLab/Packer directory.
  1. Edit the windows_X.json files in the Packer folder

  2. Make sure the following user-defined variables are pointing to the right thing:

    • virtio_win_iso : The ISO containing the lastest VirtIO drivers
    • packer_build_dir : Where to output the QCOW2 images. It’s a temporary directory, the .box files will still be in DetectionLab/Packer

  3. Build the images

    env TMPDIR=/path/to/large/storage/ PACKER_LOG=1 PACKER_LOG_PATH="packer_build.log" packer build --only=qemu windows_2016.json
env TMPDIR=/path/to/large/storage/ PACKER_LOG=1 PACKER_LOG_PATH="packer_build.log" packer build --only=qemu windows_10.json

Vagrant

  1. Install the necessary plugins:
  2. vagrant plugin install vagrant-reload vagrant-libvirt vagrant-winrm-syncedfolders
  3. See the guide for Ubuntu as the vagrant packages comes with a ton on unofficial & outdated plugins that will cause problems.
  4. Add the previously built windows .box files
  5. vagrant box add windows_10_libvirt.box --name windows_10_libvirt
  6. vagrant box add windows_2016_libvirt.box --name windows_2016_libvirt
  7. Build: vagrant up --provider libvirt --no-parallel --provision

Notes:

The libvirt builder is highly experimental. This sections describes the trade-offs and the differences between the vanilla DetectionLab.

  • The boxes will have two network adapters The vagrant-libvirt provider works by binding to a “management” network adapter IP addresses. The way vagrant finds the VM’s IP address is by probing the dnsmasq lease file of libvirt’s host. There’s probably a better way, but this is the best I could do that just works ™ so far. Here’s what the configuration looks like:

  • Management Network: Isolated network, no NAT, no internet access, with DHCP.

  • Detectionlab Network: 192.168.56.0/24, with NAT, with internet access, with DHCP.

  • The synced folder is using an old, slow and buggy plugin. While this barely works, it’s enough to push the provisioning scripts to the Windows instances. Any modifications to the vm.synced_folder in the VagrantFile libvirt provider will likely break the provisionning process

  • The graphical and input settings assume the use of virt-manager with the SPICE viewer on Windows and the VNC viewer on Linux (logger). The spice agent for copy/pasting and other quality of life improvement, like auto-resolution changes is NOT installed on the Windows hosts. Guacamole is a better way to access your VMs.