# Course #479: QEMU for Penetration Testing
## Introduction
In this section, we will explore QEMU, a versatile virtualization tool that plays a crucial role in penetration testing and security assessments. We will cover its installation, configuration, and practical usage in real-world scenarios. By the end of this section, you will have a deep understanding of how to utilize QEMU effectively for your pentesting needs.
## 1. Installation and Configuration on Kali Linux
### Prerequisites
Kali Linux comes pre-installed with many tools useful for penetration testing, but QEMU may not be installed by default. Before we dive into the installation, ensure your system is up-to-date by running:
```bash
sudo apt update && sudo apt upgrade -y
```
### Installing QEMU
To install QEMU on Kali Linux, you can use the following command:
```bash
sudo apt install qemu qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils -y
```
- **qemu**: The main package that provides QEMU virtualization.
- **qemu-kvm**: Kernel-based Virtual Machine support.
- **libvirt-daemon-system** and **libvirt-clients**: For managing the virtual machines.
- **bridge-utils**: Useful for networking in a virtualized environment.
### Configuration
After installation, check that your system supports virtualization. You can verify this by running:
```bash
grep -Ec '(vmx|svm)' /proc/cpuinfo
```
The command prints the number of matching lines; a count greater than `0` indicates that your CPU supports hardware virtualization (Intel VT-x or AMD-V).
Next, start the libvirt service, which manages the virtualization:
```bash
sudo systemctl start libvirtd
sudo systemctl enable libvirtd
```
Verify that the service is running:
```bash
sudo systemctl status libvirtd
```
You should see the service status as “active (running).”
## 2. Step-by-Step Usage and Real-World Use Cases
QEMU is capable of running various operating systems in a virtual environment. Below are detailed instructions for creating and running a virtual machine, along with use cases relevant to penetration testing.
### Creating a Basic Virtual Machine
#### Step 1: Download an ISO Image
For demonstration purposes, let’s use the Kali Linux ISO image. You can download it from the Kali Linux official website:
[Download Kali Linux ISO](https://www.kali.org/downloads/)
#### Step 2: Create a Virtual Disk Image
Create a virtual disk image that will act as the hard drive for your virtual machine. For example, to create a 20GB disk image, run:
```bash
qemu-img create -f qcow2 kali.qcow2 20G
```
#### Step 3: Launch the Virtual Machine
You can launch the virtual machine using the following command:
```bash
qemu-system-x86_64 -hda kali.qcow2 -cdrom /path/to/kali.iso -boot d -m 2048 -enable-kvm -smp 2
```
- `-hda kali.qcow2`: Specifies the virtual hard drive.
- `-cdrom /path/to/kali.iso`: Specifies the ISO image you downloaded.
- `-boot d`: Boot from the CD-ROM.
- `-m 2048`: Allocate 2048MB of RAM to the VM.
- `-enable-kvm`: Enables KVM for better performance.
- `-smp 2`: Allocates 2 CPU cores to the VM.
### Use Case 1: Vulnerability Testing
Once you have Kali Linux running in QEMU, you can utilize its pre-installed tools for vulnerability assessments and penetration testing. For example:
1. **Nmap**: Use it to scan your network for open ports.
   ```bash
   nmap -sS -p- 192.168.1.1
   ```
2. **Metasploit**: Start the Metasploit Framework to exploit vulnerabilities on a target.
   ```bash
   msfconsole
   ```
### Use Case 2: Testing Exploits in a Safe Environment
QEMU provides an isolated environment to test exploits without affecting your physical machine or network. You can create multiple virtual machines to simulate attacks and defenses.
1. Set up a vulnerable application in one VM (e.g., DVWA).
2. Use another VM with penetration testing tools to launch attacks against the first VM.
### Use Case 3: Reverse Engineering and Malware Analysis
QEMU can also be utilized for analyzing malware by running it in a controlled environment.
1. Create a virtual machine that mimics a target operating system.
2. Run the suspected malware within QEMU to study its behavior without risking your host machine.
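Use Cases 2 and 3 only work as described if the guests are really cut off from the host network. The script below, an added example that is not part of the original course, builds such a lab from images installed as in Steps 2 and 3: each guest boots from a throwaway copy-on-write overlay of its base image, and the two guests are linked only to each other over a QEMU socket netdev on the loopback, with no user, bridge or tap networking. The `LAB` directory, image names, port, VNC displays and MAC addresses are assumptions, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original course): a disposable, host-isolated
# two-VM lab for exploit testing or sample analysis. Assumed: installed base
# images $LAB/attacker.qcow2 and $LAB/target.qcow2, qemu tools on PATH,
# no whitespace in paths. All names, ports and MACs are placeholders.
set -eu
LAB="${LAB:-$HOME/qemu-lab}"
LINK_PORT=4444   # loopback TCP port carrying the guest-to-guest link only

# Copy-on-write overlay on a read-only base image: everything the guest
# writes lands in the overlay, so a wrecked target is reset with rm.
overlay_cmd() {
  printf 'qemu-img create -f qcow2 -b %s -F qcow2 %s' "$1" "$2"
}

# Launch command for one guest. Its only NIC is a QEMU socket netdev:
# "listen" on the target, "connect" on the attacker. No -net user, bridge
# or tap, so the guests see each other and nothing else (host included).
vm_cmd() {
  name="$1"; disk="$2"; role="$3"; mac="$4"; vnc="$5"
  case "$role" in
    listen)  link="listen=127.0.0.1:$LINK_PORT" ;;
    connect) link="connect=127.0.0.1:$LINK_PORT" ;;
    *) echo "role must be listen or connect" >&2; return 1 ;;
  esac
  printf 'qemu-system-x86_64 -name %s -enable-kvm -m 2048 -smp 2 ' "$name"
  printf -- '-drive file=%s,format=qcow2,if=virtio ' "$disk"
  printf -- '-netdev socket,id=lab0,%s ' "$link"
  printf -- '-device virtio-net-pci,netdev=lab0,mac=%s ' "$mac"
  printf -- '-vnc 127.0.0.1:%s -daemonize' "$vnc"
}

# Guard: refuse any launch command that gives the guest a path to the host
# network. Returns 0 only for a socket-only command, 1 otherwise.
is_isolated() {
  case "$1" in
    *'-net user'*|*'-netdev user'*|*'-net bridge'*|*'-netdev bridge'*|*'-netdev tap'*) return 1 ;;
    *'-netdev socket,'*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  mkdir -p "$LAB/run"
  for spec in "target listen 52:54:00:00:00:01 1" "attacker connect 52:54:00:00:00:02 2"; do
    set -- $spec   # listening side first, or the connecting side has nothing to reach
    eval "$(overlay_cmd "$LAB/$1.qcow2" "$LAB/run/$1.qcow2")"
    cmd=$(vm_cmd "$1" "$LAB/run/$1.qcow2" "$2" "$3" "$4")
    is_isolated "$cmd" || { echo "refusing non-isolated command: $cmd" >&2; exit 1; }
    eval "$cmd"
  done
  echo "VNC consoles: target 127.0.0.1:5901, attacker 127.0.0.1:5902"
}
if [ "${1:-}" = up ]; then main; fi   # start the lab with: sh lab.sh up
```

Deleting `$LAB/run` between runs returns both guests to their clean base images; the base files themselves are never written to.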
## 3. Detailed Technical Explanations
### Networking in QEMU
Networking can significantly affect your penetration testing scenarios. QEMU supports various networking modes, including user mode, bridge mode, and tap mode.
- **User Mode Networking**: This is the simplest mode where your VM can connect to the host but not directly to other VMs or the outside world. Suitable for basic scenarios:
  ```bash
  qemu-system-x86_64 -m 2048 -net nic -net user
  ```
- **Bridge Mode**: This allows VMs to connect to the same network as the host. You’ll need to configure a bridge on your host system (often called `br0`).
  ```bash
  qemu-system-x86_64 -m 2048 -net nic -net bridge,br=br0
  ```
### Advanced Features
QEMU offers several advanced features that can be beneficial for penetration testing:
- **Snapshotting**: You can take snapshots of your VM at various stages. This feature allows you to revert to a previous state if an exploit fails or if you need to start over.
  ```bash
  qemu-img snapshot -c snapshot_name kali.qcow2
  ```
- **Virtual CPUs**: You can allocate multiple virtual CPUs to improve performance during testing.
  ```bash
  -smp cores=4
  ```
### Useful Commands Reference
| Command | Description |
|---|---|
| `qemu-img create -f qcow2 kali.qcow2 20G` | Create a 20GB qcow2 virtual disk image |
| `qemu-system-x86_64 -m 2048` | Launch a VM with 2048MB of RAM |
| `-enable-kvm` | Use KVM for hardware virtualization |
| `-snapshot` | Start the VM in snapshot mode |
### External References
For further reading and in-depth understanding of QEMU, consider the following resources:
- [QEMU Official Documentation](https://www.qemu.org/docs/master/)
- [Kali Linux QEMU Tool](https://www.kali.org/tools/qemu)
- [Advanced QEMU Networking](https://wiki.qemu.org/Documentation/Networking)
## Conclusion
In this section, we covered the installation, usage, and various real-world applications of QEMU in penetration testing. With its rich feature set and flexibility, QEMU is an invaluable tool for pentesters looking to simulate attacks, test exploits, and analyze malware.
By mastering QEMU, you can greatly enhance your capabilities in the field of cybersecurity. Make sure to experiment with different configurations, networking setups, and advanced features to get the most out of this powerful virtualization tool.
---
Made by pablo rotem / פבלו רותם