In this post we will talk about how to build a lab that lets us run several tests and learn how malware uses different network services to fulfil its mission. We will configure a private network made up of 3 virtual machines: 2 machines will act as victims and one as the Monitor. On the Monitor machine we will use INetSim, which lets us configure internet services (HTTP, HTTPS, DNS, SSH, etc.) directly, so that we can analyze the traffic from the victims, since they will connect to our server and not to the internet. Because INetSim has quite limited SSL support, we will use Burp Suite for that purpose; since we want to observe malware that encrypts its traffic with SSL certificates, Burp Suite is a great help in simulating the process.
Setup Ubuntu Monitor Machine
https://www.inetsim.org says that INetSim is a software suite for simulating common internet services in a lab environment, e.g., for analyzing the network behavior of unknown malware samples. This tool lets us configure a set of services such as a web server and a DNS server very quickly and easily, which is very useful for testing, monitoring and analysis, since it is designed for that purpose.
Add INetSim to our repository:
echo "deb http://www.inetsim.org/debian/ binary" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt-get install inetsim
After installing, the configuration file /etc/inetsim/inetsim.conf will be created. Although we could modify this file, it is best to create our own, so we will create the inetsimfolder/test directory in /home/infosecaddicts, then copy the configuration file and the example data located in the /var/lib/inetsim/ directory into it.
Now, let's modify several options of our inetsim.conf file:
Enable access from any address (bind the services to all interfaces).
Make DNS resolution answer with the IP 192.168.122.131 (the Monitor).
As already mentioned, INetSim does not have many options for configuring SSL, so Burp will use port 443 and our INetSim will use port 5443 to avoid conflicts.
Before running INetSim, we must disable the local Ubuntu Monitor DNS resolver:
sudo systemctl disable systemd-resolved.service
Now we can run INetSim with the command
sudo inetsim --data data --conf inetsim.conf
We see that several services have been started; although we do not need most of them, they can be disabled one by one.
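As an added example (not code from the original post), the following script applies the three inetsim.conf changes described above to a copy of the config, using the directive names from INetSim's own configuration file. It assumes those three settings map to the directives service_bind_address, dns_default_ip and https_bind_port, and it works on a constructed sample config rather than the real file.

```shell
#!/bin/sh
# Added example: apply the lab settings to an inetsim.conf copy.
# Assumption: the three options in the post correspond to the INetSim
# directives service_bind_address, dns_default_ip and https_bind_port.
set -eu

# Replace the first active (uncommented) occurrence of a directive,
# or append it when the config has none.
set_directive() {
    conf="$1"; key="$2"; value="$3"
    if grep -qE "^[[:space:]]*$key[[:space:]]" "$conf"; then
        sed -i -E "s/^[[:space:]]*$key[[:space:]].*/$key $value/" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Apply the lab settings: $1 config path, $2 Monitor IP, $3 INetSim HTTPS port.
configure_inetsim_lab() {
    # 1. listen on every interface so the victims can reach the services
    set_directive "$1" service_bind_address 0.0.0.0
    # 2. every DNS query is answered with the Monitor's address
    set_directive "$1" dns_default_ip "$2"
    # 3. move INetSim's HTTPS off 443, which iptables redirects to Burp
    set_directive "$1" https_bind_port "$3"
}

# Print the effective value of a directive (first active match).
inetsim_get() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample mirroring the relevant lines of a stock inetsim.conf
# (the real file is much longer); written to a temp file for the demo.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
service_bind_address 10.10.10.1
dns_default_ip 10.10.10.1
http_bind_port 80
EOF
configure_inetsim_lab "$SAMPLE_CONF" 192.168.122.131 5443
```

Run it against the copied config in /home/infosecaddicts/inetsimfolder/test instead of the sample to reproduce the settings from the screenshots.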
1.2 Burp Suite
https://en.wikipedia.org/wiki/Burp_suite says that Burp, or Burp Suite, is a graphical tool for testing web application security. The tool is written in Java and developed by PortSwigger Security. For our laboratory it lets us handle SSL, so when a victim tries to establish a secure connection, all traffic will first go through Burp (as a transparent proxy) and then to INetSim.
Download Burp Suite from the official site.
Before installing, we must make sure Java is installed on our system. Run java -version; if it is not installed, we can install it with:
sudo apt-get install default-jdk
Now we can install Burp Suite (not as root):
After installing burp suite it will appear on our menu:
Setup Burp Suite
We created a temporary project:
Select: Use Burp defaults and click on start Burp:
Go to Proxy > Options, edit the existing listener row and go to the Binding tab, where we leave port 8080 and select All interfaces:
Now go to the Request Handling tab and set Redirect to host to localhost, since that is where our INetSim listens on port 5443; also select the Support invisible proxying option:
Since we cannot run Burp Suite as root, we create an iptables rule so that all traffic arriving on port 443 is redirected to port 8080, which is the port we configured previously.
Note: if we want Burp Suite to listen on port 443 we must run it as root, and this can bring many problems since by default Burp Suite cannot be executed with administrator permissions, so one option is to use iptables to forward the traffic from port 443 to another port of our choice.
sudo iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j REDIRECT --to-port 8080
By default, Burp has an Intercept option that prevents traffic from flowing automatically, so it must be deactivated:
1.3 Configuring Ubuntu Victim and W7 Victim
Now we can set up our Ubuntu Victim: go to Wired Settings to configure static addressing:
Ping INetSim:
For the W7 Victim, go to IPv4 Properties to configure static addressing:
Ping our INetSim:
1.4 Gathering Information With INetSim
After configuring INetSim and Burp our LAB is ready to test:
From the Ubuntu Victim we can browse to any site over HTTP, for example google.com, and INetSim will answer instead, since it has been configured as the gateway and DNS server. Every time we browse, INetSim writes a log containing a lot of data about the connection attempts, in particular about domain-name resolution, which we can analyze to understand the connection attempts of a malicious program.
Try to connect to google.com; we will see a message from INetSim:
To generate the log we must stop INetSim by pressing Ctrl + C:
In our LAB the Log /var/log/inetsim/report/report.21196.txt was created.
In it we can see the attempt to access the domain http://google.com. So if a Trojan horse, ransomware or other malicious program tries to connect to a web site as part of its operation, INetSim creates a log that we can analyze and act on to correct weaknesses in our network.
For W7 Victim we can simulate a Ransomware attack using TeslaCrypt and see what we can get:
Download TeslaCrypt from:
https://www.malware-traffic-analysis.net/2016/04/19/2016-04-19-TeslaCrypt-malspam-attachments-malware-etc.zip, rename to tesla.zip and put this into /home/infosecaddicts/inetsimfolder/test/data/HTTP/fakefiles/
Next, edit /home/infosecaddicts/inetsimfolder/test/inetsim.conf in the http_fakefile section and add the tesla.zip file.
Restart INetSim for the change to take effect.
Then from the W7 Victim go to http://google.com/tesla.zip; INetSim will receive the request and send the file we loaded previously.
Unzip it using the "infected" password.
Now we can run TeslaCrypt.
After a few minutes we will see TeslaCrypt begin to encrypt the directories of our system.
Then TeslaCrypt opens the browser and shows some messages. As INetSim is still active, we can go and see what information it has collected.
Stop INetSim; this action will create a log.
Analyzing it, we see that the W7 Victim has tried to connect to the site 4tuka.com.
The website 4turka.com is related to ransomware attacks, as are the other sites we see in the log. It is at this point that INetSim lets us perform analysis and forensic tasks that are very useful in real situations for understanding how a malicious program works.
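The log analysis described above (the google.com browse and the TeslaCrypt session) can be done with a few shell functions over the INetSim report. This is an added example, not part of the original post or of INetSim; the report excerpt below is constructed in the style of INetSim's report.<session>.txt lines, and the allowlist of expected names is an assumed lab artefact.

```shell
#!/bin/sh
# Added example: summarise what a victim asked INetSim for, from a session
# report such as /var/log/inetsim/report/report.21196.txt.
set -eu

# Each name the victim resolved, with how many times it was asked for,
# parsed from the "DNS connection ... requested name: <name>" lines.
inetsim_dns_names() {
    grep -o 'requested name: [^[:space:]]*' "$1" | awk '{print $3}' \
        | sort | uniq -c | sort -rn
}

# Each URL fetched over HTTP or HTTPS, deduplicated.
inetsim_urls() {
    grep -oE '(HTTP|HTTPS) connection, method: [A-Z]+, URL: [^,[:space:]]*' "$1" \
        | sed -E 's/.*URL: //' | sort -u
}

# Names contacted that are not in the allowlist file $2 (one name per line);
# anything listed here deserves a closer look in the report.
inetsim_unexpected_names() {
    inetsim_dns_names "$1" | awk '{print $2}' | grep -vxF -f "$2" || true
}

# Constructed sample in the style of an INetSim report (not a real capture).
SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
=== Report for session '21196' ===
2018-05-08 12:00:01  DNS connection, type: A, class: IN, requested name: google.com
2018-05-08 12:00:02  HTTP connection, method: GET, URL: http://google.com/tesla.zip, file name: /home/infosecaddicts/inetsimfolder/test/data/http/fakefiles/tesla.zip
2018-05-08 12:03:10  DNS connection, type: A, class: IN, requested name: 4turka.com
2018-05-08 12:03:11  HTTPS connection, method: GET, URL: https://4turka.com/, file name: /home/infosecaddicts/inetsimfolder/test/data/http/fakefiles/sample.html
2018-05-08 12:03:40  DNS connection, type: A, class: IN, requested name: 4turka.com
EOF

# Assumed allowlist: names the lab itself is expected to touch.
ALLOWLIST="$(mktemp)"
printf 'google.com\n' > "$ALLOWLIST"

inetsim_dns_names "$SAMPLE_REPORT"
inetsim_urls "$SAMPLE_REPORT"
inetsim_unexpected_names "$SAMPLE_REPORT" "$ALLOWLIST"
```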
1.5 SSL/TLS with Burp
It only remains to see how Burp can help when we need to analyze secure connections. When a client wants to establish a TLS/SSL connection with a web server, the server must be able to present the corresponding certificates and keys; INetSim does not fulfil this function at all, and that is where Burp is a great help.
So far we have configured two ports in Burp: 8080, which will be responsible for receiving the HTTPS connections, and 8081, set up for convenience. Port 8081 was configured only to obtain the Burp CA certificate, so that it can be installed in the browser to avoid certificate errors.
If we try to enter https://google.com, we will get a certificate error:
Browse to 192.168.122.131:8081 and click on CA Certificate:
Download the certificate:
Next, convert the certificate from DER to PEM format (.crt):
openssl x509 -in cacert.der -inform DER -out burp.crt
Load the certificate into the browser:
Then open https://google.com again, and we see the INetSim message:
We have seen how fast and easy it can be to configure a lab using tools such as INetSim and Burp; both can be of great help. If we want to learn about the connections that malware establishes, this is a helpful starting point. Understanding how a sample behaves on the network in turn gives us a general method of defense against this type of attack.