INetSim

From aldeid
Jump to: navigation, search
VoirAussi.png
You might also see: Honeytrap

Description

INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.

INetSim is able to simulate following services:

  • time (37/udp)
  • chargen (19/tcp)
  • discard (9/tcp)
  • syslog (514/udp)
  • finger (79/tcp)
  • echo (7/udp)
  • echo (7/tcp)
  • time (37/tcp)
  • dummy (1/tcp)
  • discard (9/udp)
  • daytime (13/tcp)
  • irc (6667/tcp)
  • ident (113/tcp)
  • dns (53/tcp, 53/udp)
  • quotd (17/udp)
  • quotd (17/tcp)
  • chargen (19/udp)
  • ntp (123/udp)
  • daytime (13/udp)
  • dummy (1/udp)
  • ftps (990/tcp)
  • tftp (69/udp)
  • smtps (465/tcp)
  • https (443/tcp)
  • pop3s (995/tcp)
  • ftp (21/tcp)
  • pop3 (110/tcp)
  • smtp (25/tcp)
  • http (80/tcp)

In addition, there is a dummy service that will log every data sent by the client, whatever port it uses.

Installation

Pre-requisites

Install following perl dependencies:

# apt-get install libipc-shareable-perl libnet-server-perl libnet-dns-perl \
  libdigest-sha-perl libio-socket-ssl-perl libiptables-ipv4-ipqueue-perl

Also ensure you remove exim4 (SMTP server) to free port 25/tcp:

# apt-get remove exim4*

Installation from sources

It's possible to install inetsim on your own system. However, if you have already services running on inetsim ports, you're likely to meet some problems. I would recommend that you install inetsim in a dedicated virtual machine (tested on Debian 6).

# groupadd inetsim
# cd ~/src/
# wget http://www.inetsim.org/downloads/inetsim-1.2.4.tar.gz
# tar xzvf inetsim-1.2.4.tar.gz
# mv inetsim-1.2.4/ /opt/inetsim/
# cd /opt/inetsim/
# ./setup.sh

Configuration

Main configuration file

By default, INetSIM is configured to bind all services to localhost (127.0.0.1). If you run it inside a virtual machine, edit the configuration file (/opt/inetsim/conf/inetsim.conf) and change following line:

# service_bind_address
# IP address to bind services to
# Syntax: service_bind_address <IP address>
service_bind_address   192.168.102.128
Info.png
Note
Notice that you can also use the --bind-address option when you start inetsim, if you prefer.

You would maybe also change the dns_default_ip:

# dns_default_ip
# Default IP address to return with DNS replies
#  Syntax: dns_default_ip <IP address>
# Default: 127.0.0.1
dns_default_ip		192.168.102.128

All services are configurable. Refer to the configuration files for more information.

Services configuration

All services are customizable. To configure each service, go to the appropriate files in the ./data/ directory.

data/
├── certs
│   ├── default_cert.pem
│   └── default_key.pem
├── finger
│   └── example.finger
├── ftp
│   ├── ftproot
│   │   └── sample.txt
│   └── upload
├── http
│   ├── fakefiles
│   │   ├── favicon.ico
│   │   ├── sample.bmp
│   │   ├── sample.gif
│   │   ├── sample_gui.exe
│   │   ├── sample.html
│   │   ├── sample.jpg
│   │   ├── sample.png
│   │   └── sample.txt
│   ├── mime.types
│   ├── postdata
│   └── wwwroot
│       ├── index.html
│       └── internet.gif
├── pop3
│   ├── sample.mbox
│   └── spam.mbox
├── quotd
│   └── quotd.txt
├── smtp
└── tftp
    ├── tftproot
    │   └── sample.txt
    └── upload

Usage

Command line options

Syntax

Usage: ./inetsim [options]

Available options

--help
Print this help message.
--version
Show version information.
--config=<filename>
Configuration file to use.
--log-dir=<directory>
Directory logfiles are written to.
--data-dir=<directory>
Directory containing service data.
--report-dir=<directory>
Directory reports are written to.
--bind-address=<IP address>
Default IP address to bind services to.
Overrides configuration option 'default_bind_address'.
--max-childs=<num>
Default maximum number of child processes per service.
Overrides configuration option 'default_max_childs'.
--user=<username>
Default user to run services.
Overrides configuration option 'default_run_as_user'.
--faketime-init-delta=<secs>
Initial faketime delta (seconds).
Overrides configuration option 'faketime_init_delta'.
--faketime-auto-delay=<secs>
Delay for auto incrementing faketime (seconds).
Overrides configuration option 'faketime_auto_delay'.
--faketime-auto-incr=<secs>
Delta for auto incrementing faketime (seconds).
Overrides configuration option 'faketime_auto_increment'.
--session=<id>
Session id to use. Defaults to main process id.
--pidfile=<filename>
Pid file to use. Defaults to '/var/run/inetsim.pid'.

Start services

To start INetSIM, go to the installation directory and start the script as follows:

# cd /opt/inetsim/
# ./inetsim
INetSim 1.2.3 (2012-10-01) by Matthias Eckert & Thomas Hungenberg
Using log directory:      /opt/inetsim/log/
Using data directory:     /opt/inetsim/data/
Using report directory:   /opt/inetsim/report/
Using configuration file: /opt/inetsim/conf/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 2725) ===
Session ID:     2725
Listening on:   172.16.75.129
Real Date/Time: Sun Jun 30 10:53:46 2013
Fake Date/Time: Sun Jun 30 10:53:46 2013 (Delta: 0 seconds)
 Forking services...
  * time_37_udp - started (PID 2743)
  * chargen_19_tcp - started (PID 2752)
  * discard_9_tcp - started (PID 2748)
  * syslog_514_udp - started (PID 2741)
  * finger_79_tcp - started (PID 2739)
  * echo_7_udp - started (PID 2747)
  * echo_7_tcp - started (PID 2746)
  * time_37_tcp - started (PID 2742)
  * dummy_1_tcp - started (PID 2754)
  * discard_9_udp - started (PID 2749)
  * daytime_13_tcp - started (PID 2744)
  * irc_6667_tcp - started (PID 2737)
  * ident_113_tcp - started (PID 2740)
  * dns_53_tcp_udp - started (PID 2727)
  * quotd_17_udp - started (PID 2751)
  * quotd_17_tcp - started (PID 2750)
  * chargen_19_udp - started (PID 2753)
  * ntp_123_udp - started (PID 2738)
  * daytime_13_udp - started (PID 2745)
  * dummy_1_udp - started (PID 2755)
  * ftps_990_tcp - started (PID 2735)
  * tftp_69_udp - started (PID 2736)
  * smtps_465_tcp - started (PID 2731)
  * https_443_tcp - started (PID 2729)
  * pop3s_995_tcp - started (PID 2733)
  * ftp_21_tcp - started (PID 2734)
  * pop3_110_tcp - started (PID 2732)
  * smtp_25_tcp - started (PID 2730)
  * http_80_tcp - started (PID 2728)
 done.
Simulation running.

Cleanup

To clean up logs and files (e.g. start a new investigation), run the cleanup.sh script at the root of the installation directory:

# ./cleanup.sh

Logs

Log files

Log files are stored in the ./log/ directory:

  • debug.log: debug information in case inetsim is run in debug mode
  • main.log: information logs (services started, stopped, ...)
  • service.log: when connections are made against the services, logs are added to this file (see below examples).

example: FTP connection

Here is an example of logs available following a FTP connection:

[2013-06-30 11:00:31] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] connect
[2013-06-30 11:00:31] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 220 INetSim FTP Service ready.
[2013-06-30 11:00:34] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] recv: USER test
[2013-06-30 11:00:34] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 331 Please specify the password.
[2013-06-30 11:00:36] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] recv: PASS pass
[2013-06-30 11:00:36] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 230 Login successful.
[2013-06-30 11:00:36] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] recv: SYST
[2013-06-30 11:00:36] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 215 UNIX Type: L8
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] recv: PORT 172,16,75,1,154,179
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 200 PORT command successful.
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] recv: LIST
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 150 Opening ASCII mode data connection for file list.
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] info: Data connection to 172.16.75.1:39603 established.
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: <(DATA)>
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] info: Data connection to 172.16.75.1:39603 closed.
[2013-06-30 11:00:39] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 226 Transfer complete.
[2013-06-30 11:00:44] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] recv: QUIT
[2013-06-30 11:00:44] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] send: 221 Goodbye.
[2013-06-30 11:00:44] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] disconnect
[2013-06-30 11:00:44] [2725] [ftp_21_tcp 2778] [172.16.75.1:58890] stat: 1 created=0 deleted=0 retrieved=0 creds=test:pass
[snip]

Example: HTTP connection

Here is an example of logs available following a HTTP connection:

[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] connect
[2013-06-30 11:14:40] [2725] [http_80_tcp 2857] [172.16.75.1:54318] connect
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] recv: GET / HTTP/1.1
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] recv: Host: 172.16.75.129
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] recv: Connection: keep-alive
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] recv: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] recv: User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] recv: Accept-Encoding: gzip,deflate,sdch
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] recv: Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] info: Request URL: http://172.16.75.129/
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] info: No matching file extension configured. Sending default fake file.
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] send: HTTP/1.1 200 OK
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] send: Server: INetSim HTTP Server
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] send: Connection: Close
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] send: Content-Length: 258
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] send: Content-Type: text/html
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] send: Date: Sun, 30 Jun 2013 09:14:40 GMT
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] info: Sending file: /opt/inetsim/data/http/fakefiles/sample.html
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] stat: 1 method=GET url=http://172.16.75.129/ sent=/opt/inetsim/data/http/fakefiles/sample.html postdata=
[2013-06-30 11:14:40] [2725] [http_80_tcp 2856] [172.16.75.1:54317] disconnect
[2013-06-30 11:14:56] [2725] [http_80_tcp 2857] [172.16.75.1:54318] info: Client sent no data
[2013-06-30 11:14:56] [2725] [http_80_tcp 2857] [172.16.75.1:54318] disconnect

Reports

When you stop InetSim, a report is generated. Here is what it looks like:

$ sudo cat report.1585.txt
[sudo] password for remnux: 
=== Report for session '1585' ===

Real start date            : 2013-11-20 14:30:39
Simulated start date       : 2013-11-20 14:30:39
Time difference on startup : none

2013-11-20 14:30:50  First simulated date in log file
2013-11-20 14:30:50  DNS connection, type: A, class: IN, requested name: brb.3dtuts.by
2013-11-20 14:30:50  HTTP connection, method: GET, URL: http://brb.3dtuts.by/ads.php?i=192.168.102.129&c=MALWARE-418EE9F&
p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a
2828753e233e602d363a382f33372b753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334
282f753e233e60282d383334282f753e233e603e232b3734293e29753e233e60282b343437282d753e233e602d362f343437283f753e233e6039293939
342f753e233e60312a28753e233e60282a37283e292d29753e233e602d362f343437283f753e233e600f0b1a2e2f3418343535082d38753e233e603a37
3c753e233e602c2838352f3d22753e233e600f0b1a2e2f34183435353e382f753e233e, file name: /var/lib/inetsim/http/fakefiles/sample.html
2013-11-20 14:31:04  HTTP connection, method: GET, URL: http://brb.3dtuts.by/ads.php?i=192.168.102.129&c=MALWARE-418EE9F&
p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a
2828753e233e602d363a382f33372b753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334
282f753e233e60282d383334282f753e233e603e232b3734293e29753e233e60282b343437282d753e233e602d362f343437283f753e233e6039293939
342f753e233e60312a28753e233e60282a37283e292d29753e233e602d362f343437283f753e233e600f0b1a2e2f3418343535082d38753e233e603a37
3c753e233e602c2838352f3d22753e233e600f0b1a2e2f34183435353e382f753e233e6039293939342f753e233e, file name: /var/lib/inetsim/http/fakefiles/sample.html
2013-11-20 14:31:04  Last simulated date in log file

===

Example

Architecture

Inetsim-apatedns-example.png

  1. The Windows machine has been configured to use a DNS server IP 127.0.0.1.
  2. As ApateDNS is running on the machine, it captures every DNS requests on port 53/udp and redirects the traffic to INetSIM.
  3. As a result, INetSIM is reponding with a content

Run the malware

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Collect the data

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Analyze the data

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Comments

blog comments powered by Disqus