Nested Virtualization (Malware Lab)

archiba · May 27, 2020, 10:40pm

Hello
I got super hooked on XCP-NG after watching the Youtube stuff ! great content, very educational.
Im currently writing and experimenting with malware and are having issues getting nested virtualization to work wich is perfect for this !

My setup right now is XCP-NG baremetal installed making it my LVL0 hypervisor.

Via pool menu in XO i add a VM and installed XCP-NG again, but this time i checked nested virtualization under advanced. So far so good.

The issue is the following:
How do i get VMs on the nested LVL1 hypervisor, when i go to pool and create VM i can only select the baremetal hypervisor LVL 0. Under advanced theirs an option for start on but, i cant choose the lvl1 hypervisor it just allows me to install on the baremetal one.

Have i missed something or am i on the right path. My understanding is that i need to run the VMs inside the nested hypervisor LVL1 to get lvl 2 guests ?

Best regards
archiba.

LTS_Tom · May 28, 2020, 1:41am

The way I would set this up is not by double nesting. Just run a firewall, such as pfsense, virtually. From there the WAN on pfsense connects to your normal network and then you can connect a private network to your “Host Only” / GRE / VXLAN in XCP-NG. Then attach VM to that same “Host Only” / GRE / VXLAN which will put them together, but behind pfsense. You can control each VM’s ability to egress to the greater network from withing the virtual pfsense.

archiba · May 28, 2020, 3:39am

Hi LTS_Tom

I will give that a try, thank you. Would you happen to know if i could put multiple VMS like so in Xen Orchestra ? Then allow for a vpn in on the network, i really like xen orchestra for training and wanna setup most of my labs within it.

Best regards
archiba

LTS_Tom · May 28, 2020, 10:28am

I don’t understand your question.

anon31769429 · May 28, 2020, 2:43pm

I recently came across this project from the Polish cert , I’ve not had a chance to test but it may be useful for your malware project.

. drakvuf-sandbox/README.md at master · CERT-Polska/drakvuf-sandbox · GitHub

https://drakvuf.com/

Or

archiba · May 28, 2020, 7:32pm

Hi Tom
Sorry English is my second language. Thank you for your suggestion, i tried it and it works great for malware analysis.

I wasn’t clear enough in my second question, i apologies. My wish scenario in Xen orchestra is the following:

-I want to have a private network (vlan) only accessible with VPN connection to a VPN Server on that network

-no Host/VPN Server on that network or host connected to VPN Server is allowed to interact with my homelab/network.

-I’m unclear if this setup in Xen orchestra is possible, right now all my VMs are on the pool wide assc eth0 NIC except for the malware machines which is configured to what you suggested.

Thank you for your time
Archiba

archiba · May 28, 2020, 7:33pm

Thanks ! ive been using FlareVm before but havnt heard of drakvuf.

anon31769429 · June 1, 2020, 6:29pm

No prob, let me know pros and cons of each if you use it.

David · June 2, 2020, 1:04pm

This is the recommended answer.