This is a tutorial on how to set up an environment for dynamic malware analysis,which can be used to analyze otherwise encrypted HTTPS and SMTPS traffic without allowing the malware to connectto the Internet.Dynamic malware analysis (or behavioral analysis) is performed by observing the behavior of a malware while it is running.The victim machine, which executes the malware,is usually a virtual machine that can be rolled back to a clean state when the analysis is complete.The safest way to prevent the malware from infecting other machines, or doing other bad things like sending SPAMor taking part in DDoS attacks, is to run the victim machine in an offline environment.However, network traffic analysis of malware is a central part of dynamic malware analysis,which is is why a fake Internet is needed in most malware labs.
INetSim and PolarProxy
INetSim is a software suite that simulates common internet services like HTTP, DNS and SMTP,which useful when analyzing the network behavior of malware samples without connecting them to the Internet.INetSim also has basic support for TLS encrypted protocols, like HTTPS, SMTPS, POP3S and FTPS,but requires a pre-defined X.509-certificate to be loaded at startup. This can cause malware to terminate because theCommon Names (CN)in the presented certificates dont match the requested server names.The victim machine will actually get the exact same certificate regardless of which web site it visits.INetSims TLS encryption also inhibits analysis of the network traffic captured in the malware lab,such as C2 traffic or SPAM runs, because the application layer traffic is encrypted.PolarProxy can solve both these issues because it generates certificates on the fly,where the CN value is dynamically set to the requested host name, and saves the network trafficin decrypted form to PCAP files. It is therefore a good idea to replace the TLS services in INetSim with PolarProxy,which will be used as aTLS termination proxy that forwards the decrypted trafficto INetSims cleartext services.
Install Linux
The first step is to install a Linux VM, which will act as a fake Internet to the victim machine(s).Im using Ubuntu Server 18.04.3 LTS in this tutorial,but you can use any 64-bit linux distro. Im adding two network interfaces to the Linux VM,one interface with Internet access and one that connects to an isolated offline network to which the victim VMs will be connected.The offline interface is configured to use the static IP 192.168.53.19.
Important: Do not bridge, bond or enable IP forwarding between the two interfaces!
Install INetSim
INetSim is available in Ubuntus repo, so it is possible to install it with apt install inetsim.However, I recommend installing INetSim as described in the official documentation to get the latest packaged version of INetSim.
sudo -s
echo deb http://www.inetsim.org/debian/ binary/ > /etc/apt/sources.list.d/inetsim.list
curl https://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add
apt update
apt install inetsim
exit
INetSim listens on 127.0.0.1 by default,change this to INetSims offline IP address by un-commenting and editing theservice_bind_address variable in /etc/inetsim/inetsim.conf.
service_bind_address192.168.53.19
Also configure INetSims fake DNS server to resolve all domain names to the IP of INetSim with the dns_default_ip setting:
dns_default_ip192.168.53.19
Finally, disable the start_service https and start_service smtps lines,because these services will be replaced with PolarProxy:
start_service dnsstart_service http#start_service httpsstart_service smtp#start_service smtps
Restart the INetSim service after changing the config.
sudo systemctl restart inetsim.service
Verify that you can access INetSims HTTP server with curl:
curl http://192.168.53.19
This is the default HTML page for INetSim HTTP server fake mode.
This file is an HTML document.
It looks like INetSims web server can be accessed alright.
Install PolarProxy
Next step is to install PolarProxy as a systemd service (as instructed here):
sudo adduser system shell /bin/bash proxyuser
sudo mkdir /var/log/PolarProxy
sudo chown proxyuser:root /var/log/PolarProxy/
sudo chmod 0775 /var/log/PolarProxy/
sudo su proxyuser
mkdir ~/PolarProxy
cd ~/PolarProxy/
curl https://www.netresec.com/?download=PolarProxy | tar -xzvf
exit
sudo cp /home/proxyuser/PolarProxy/PolarProxy.service /etc/systemd/system/PolarProxy.service
We will need to modify the PolarProxy service config file a bit before we start it.Edit the ExecStart setting in /etc/systemd/system/PolarProxy.service to configure PolarProxy to terminate the TLS encryption for HTTPS and SMTPS (implicitly encrypted email submission).The HTTPS traffic should be redirected to INetSims web server on tcp/80 and the SMTPS to tcp/25.
ExecStart=/home/proxyuser/PolarProxy/PolarProxy -v -p 10443,80,80 -p 10465,25,25 -x /var/log/PolarProxy/polarproxy.cer -f /var/log/PolarProxy/proxyflows.log -o /var/log/PolarProxy/ certhttp 10080 connect 192.168.53.19 terminate connect 192.168.53.19 nosni nosni.inetsim.org
Heres a break-down of the arguments sent to PolarProxy through the ExecStart setting above:
Finally, start the PolarProxy systemd service:
sudo systemctl start PolarProxy.service
Verify that you can reach INetSim through PolarProxys TLS termination proxy using curl:
curl insecure connect-to example.com:443:192.168.53.19:10443 https://example.com
This is the default HTML page for INetSim HTTP server fake mode.
This file is an HTML document.
Yay, it is working!Do the same thing again, but also verify the certificate against PolarProxys root CA this time.The root certificate is downloaded from PolarProxy via the HTTP service running on tcp/10080 and then converted from DER to PEM format using openssl, so that it can be used with curls cacert option.
curl http://192.168.53.19:10080/polarproxy.cer > polarproxy.cer
openssl x509 -inform DER -in polarproxy.cer -out polarproxy-pem.crt
curl cacert polarproxy-pem.crt connect-to example.com:443:192.168.53.19:10443 https://example.com
This is the default HTML page for INetSim HTTP server fake mode.
This file is an HTML document.
Yay #2!
Now lets set up routing to forward all HTTPS traffic to PolarProxys service on tcp/10443 and SMTPS traffic to tcp/10465.Im also adding a firewall rule to redirect ALL other incoming traffic to INetSim, regardless of which IP it is destined to, with the final REDIRECT rule.Make sure to replace enp0s8 with the name of your interface.
sudo iptables -t nat -A PREROUTING -i enp0s8 -p tcp dport 443 -j REDIRECT to 10443
sudo iptables -t nat -A PREROUTING -i enp0s8 -p tcp dport 465 -j REDIRECT to 10465
sudo iptables -t nat -A PREROUTING -i enp0s8 -j REDIRECT
Verify that the iptables port redirection rule is working from another machine connected to the offline 192.168.53.0/24 network:
curl insecure resolve example.com:443:192.168.53.19 https://example.com
This is the default HTML page for INetSim HTTP server fake mode.
This file is an HTML document.
Yay #3!
214-Commands supported:214- HELO MAIL RCPT DATA214- RSET NOOP QUIT EXPN214- HELP VRFY EHLO AUTH214- ETRN STARTTLS214 For more info use HELP
Yay #4!
It is now time to save the firewall rules, so that they will survive reboots.
sudo apt-get install iptables-persistent
Install the Victim Windows PC
Configure a static IP address on the victim Windows host by manually setting the IP address.Set the INetSim machine (192.168.53.19) as the default gateway and DNS server.
Download the X.509 root CA certificate from your PolarProxy installation here:http://192.168.53.19:10080/polarproxy.cer
You might also want to install the PolarProxy certificate in your browser.This is how you install it to Firefox:
Now, open a browser and try visiting some websites over HTTP or HTTPS.
If you get the following message regardless of what domain you try to visit, then youve managed to set everything up correctly:
This is the default HTML page for INetSim HTTP server fake mode.
This file is an HTML document.
Accessing the Decrypted Traffic
PCAP files with decrypted HTTPS and SMTPS traffic are now available in /var/log/PolarProxy/
PolarProxy will start writing to a new capture file every 60 minutes.However, the captured packets are not written to disk instantly because PolarProxy uses buffered file writing in order to improve performance.You can restart the proxy service if you wish to flush the buffered packets to disk and have PolarProxy rotate to a new capture file.
sudo systemctl restart PolarProxy
I also recommend capturing all network traffic sent to INetSim with a sniffer likenetsniff-ng.This way youll get PCAP files with traffic from INetSims cleartext services (like DNS and HTTP) as well.
PCAP or it didnt happen!
Credits
Id like to thank Thomas Hungenberg and Patrick Desnoyers for providing valuable feedback for this blog post!
Share on FacebookTweetSubmit to reddit.com
Recent Articles By Author
*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: http://www.netresec.com/?page=Blog&month=2019-12&post=Installing-a-Fake-Internet-with-INetSim-and-PolarProxy
See the rest here:
Installing a Fake Internet with INetSim and PolarProxy - Security Boulevard