
Some background:

I'm attempting to set up a pentesting network with a handful of virtual machines for the SANS 560 (Network Penetration Testing and Ethical Hacking) course, but I'm having an issue with the network configuration.

To paint a picture of the network (at least how it's intended to be):

  • My home router (connected to the internet, also the gateway for all other machines on the network) IP is 192.168.0.1/24, with all other machines on the network in the 255.255.255.0 subnet

  • As per the course notes, I should be setting up all my virtual machines with bridged adapters on the 10.10.X.X/16 subnet - with Linux machines on 10.10.75.X/16, Windows guest machines on 10.10.76.X/16, and my "host" (also a VM running Windows) machine on 10.10.78.1/16

My question:

How (assuming it's possible) do I configure my host machine (with the new IP 10.10.78.1/16) to be able to talk to the other guest machines (virtual machines) while also being able to connect to the internet?

I've tried setting up a static route to use the new IP as the gateway (seeing as the router is on a different subnet): `route ADD 192.168.0.0 MASK 255.255.255.0 10.10.78.1` (192.168.0.0 is the destination, obviously the mask is 255.255.255.0, and the gateway is 10.10.78.1) - it didn't work (all I get is Destination Host Unreachable).

Do I need to have two interfaces on this Windows machine (i.e. one configured as 10.10.78.1/16 to talk to the other VMs, and another configured as 192.168.0.X/24 to access the internet) to make this configuration possible?

I understand it's not how a network would be set up typically, so please let me know if you need me to clarify or provide more information.

rst-2cv
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Dec 19 '17 at 13:25

2 Answers

I found a solution that seems to work.

Again, for context, below is a list of the machines on the network:

Name         |  Adapter type  | IP                  |     Static routes?
============================================================================
Windows VM1  |    Bridged     | 192.168.0.11/24     |     Nil
             |    Bridged     | 10.10.78.1/16       |     Yes, see below
-------------|----------------|---------------------|----------------------- 
Windows VM2  |    Bridged     | 10.10.76.1/16       |     Yes, see below
-------------|----------------|---------------------|-----------------------
Linux   VM3  |    Bridged     | 10.10.75.1/16       |     Nil

Static routes:

Static routes for VM1:

  • Note: In the adapter settings for 192.168.0.11/24, I set the default gateway as the IP for my internet router (192.168.0.1), and the netmask as 255.255.255.0
  • Note: In the adapter settings for 10.10.78.1/16, I left the default gateway blank (as it gets set when adding the static route), and the netmask as 255.255.0.0
  • `route -P ADD 10.10.0.0 MASK 255.255.0.0 192.168.0.11` (must use -P so that the route persists between reboots)

Static routes for VM2:

  • `route -P ADD 10.10.0.0 MASK 255.255.0.0 10.10.76.1` (must use -P so that the route persists between reboots)
  • Note: you must run `netsh advfirewall set allprofiles state off` to allow the other VMs (including other Windows machines) on the 10.10.0.0/16 subnet to talk to this machine.

This configuration allows the following behaviour:

  • VM1 can initiate a connection with VM2 and VM3
  • Neither VM2 nor VM3 can initiate a connection with VM1
  • VM2 and VM3 can inter-communicate (i.e. can initiate connections with each other, in either direction)

Furthermore, this configuration should allow all of the VMs to communicate with the VPN that is set up for labs later on in the course, since they all have an adapter configured on the 10.10.x.x/16 network.

rst-2cv
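The VM1/VM2 setup from this answer, rewritten as a PowerShell script (an added example, not the original poster's code): it installs the same persistent 10.10.0.0/16 route, but swaps the `netsh advfirewall set allprofiles state off` step for an inbound rule restricted to the 10.10.0.0/16 range, so the Windows firewall stays enabled for everything else. Assumed: the script runs elevated on the VM being configured, the adapter alias is looked up from the next-hop address in the table, and 10.10.75.1 (VM3) is the peer used for the reachability check.

```powershell
# Added example (not from the original answer): VM1 / VM2 configuration from
# the table above, using the NetTCPIP / NetSecurity cmdlets. Run elevated.
param(
    [ValidateSet('VM1', 'VM2')]
    [string]$Role = 'VM1'          # VM1 is dual-homed, VM2 is lab-only (see table)
)

$LabPrefix = '10.10.0.0/16'
$LabPeer   = '10.10.75.1'          # Linux VM3 from the table, used for the check

# Next hops exactly as in the answer: each VM points the 10.10/16 route at its
# own address, which makes the whole /16 on-link through that adapter.
$NextHop = if ($Role -eq 'VM1') { '192.168.0.11' } else { '10.10.76.1' }

# The adapter that owns the next-hop address is the one the route will use.
$RouteIf = (Get-NetIPAddress -IPAddress $NextHop -AddressFamily IPv4).InterfaceAlias

# Persistent route, equivalent of: route -P ADD 10.10.0.0 MASK 255.255.0.0 $NextHop
if (-not (Get-NetRoute -DestinationPrefix $LabPrefix -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $LabPrefix -InterfaceAlias $RouteIf `
                 -NextHop $NextHop -PolicyStore PersistentStore | Out-Null
}

# Scoped exception instead of turning the firewall off: inbound traffic is
# accepted only when its source is inside 10.10.0.0/16, so the firewall keeps
# protecting everything else (for VM1, its 192.168.0.0/24 side in particular).
$RuleName = 'Lab 10.10.0.0/16 inbound'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -RemoteAddress $LabPrefix -Profile Any | Out-Null
}

# Checks: the route is installed and a lab peer answers over it
Get-NetRoute -DestinationPrefix $LabPrefix |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, PolicyStore
Test-NetConnection -ComputerName $LabPeer -InformationLevel Detailed |
    Select-Object ComputerName, InterfaceAlias, SourceAddress, PingSucceeded
```

Applying the same scoped rule on VM1 would also let VM2 and VM3 initiate connections to it, which the answer's own setup does not allow; leave it off VM1 if that one-way behaviour is wanted.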

There are two solutions:

  1. Add 10.10.0.0/16 to your router as a secondary IP subnet - if possible - or change the 192.168.0.0/24 range to 10.10.0.0/16.
  2. Use another router to create the 10.10.0.0/16 subnet and connect it to 192.168.0.0/24 through one of its interfaces. On your Internet router, add a static route to 10.10.0.0/16. The router can be anything: a hardware router, a layer-3 switch, or a Windows/Linux machine with routing enabled.

A third approach - running both subnets in the same layer-2 segment connected by a router-on-a-stick - doesn't really cut it for the purpose.

Edit: The route in your question is the wrong way - assuming your inter-subnet router uses 192.168.0.99 and 10.10.78.1, on your Internet router, add route 10.10.0.0/16 -> 192.168.0.99 and on the new subnet use 10.10.78.1 as the default gateway.

Zac67
  • Seeing as nothing can even get out of the VM itself, changing my router's config won't help me as far as I know, which rules out all three options. I believe my issue lies with connectivity between my VM and my host machine (seeing as the host box has internet access, once packets can be sent through the actual, physical interface, I should have no further issues) – rst-2cv Dec 19 '17 at 12:00
  • Correct me if I'm wrong but if I configure the interfaces correctly, I shouldn't need to set up static routes anywhere - I only tried it as a catch-all solution in case it worked. I also don't know what you mean by my `inter-subnet router` - I never mentioned anything like that in my OP so I'm not sure why you think I have one on my network. `10.10.78.1` is the IP I'm trying to assign to the interface on a VM hosted on `192.168.0.10` with gateway `192.168.0.1`, while still being able to talk between `10.10.78.1` and `192.168.0.10` (bi-directional) – rst-2cv Dec 19 '17 at 12:14
  • You need a route to 10.10.0.0/16 on your Internet router to find the subnet - otherwise it follows the default route to WAN. If you don't tell us what you're doing we can't help you. **10.10.78.1 and 192.168.0.1 can't talk to each other directly.** – Zac67 Dec 19 '17 at 14:21
  • I'm not sure you understand exactly what my problem is. The VM can't even talk to the IP of the computer that is hosting the VM (`192.168.0.10`). To get to the router (from the VM), all traffic *must* to go through the physical interface of my host computer (`192.168.0.10` is a non-virtualised machine - it's real). Thus, how does setting up a route on my internet router help solve the connectivity issue between my VM and my host machine? – rst-2cv Dec 19 '17 at 20:30
  • As said above, you need a router for 10.10.0.0/16 and 192.168.0.0/24 to communicate with each other. It won't work when you just try to set a route. You need to set routes on the far sides, i.e. on 192.168.0.1 to find 10.10.0.0/16. Downvoting the answer does not encourage helping you. – Zac67 Dec 19 '17 at 21:22
  • First, I didn't downvote you, I'm not sure what makes you think I did. Second, I simply don't understand how you think I can have a router between a physical machine and a VM hosted on that machine. My immediate issue is that the VM (`10.10.78.1`) cannot ping the physical machine (`192.168.0.10`). For me to be able to ping my router (`192.168.0.1`), the packet **must** pass through the `192.168.0.10` interface, correct? So how do I configure the `10.10.78.1` interface to be able to communicate with `192.168.0.10` **without** a router? – rst-2cv Dec 20 '17 at 07:09
  • See the bold face above - without a router they can't communicate. – Zac67 Dec 20 '17 at 07:28
  • Ok, then how would you suggest getting a router in-between a VM and a physical machine? On a different note, I tried setting the VM's IP to `192.168.0.11` (bridged adapter) and they still can't communicate. What gives? – rst-2cv Dec 20 '17 at 07:45
  • For a router, you can either use another VM or if you run both subnets on the same switch (with or without VLANs) you can use a router on a stick. – Zac67 Dec 20 '17 at 18:13