Add MiTM capability for malware analysis environment
Follow the steps in order and the output should match what is shown.
Enter the following commands to install INetSim:
sudo -s
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
curl https://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt update
apt install inetsim
- Uncomment service_bind_address and set it to the address of the host-only interface on the Remnux machine:
vi /etc/inetsim/inetsim.conf
service_bind_address <Remnux IP>
- Configure the fake DNS server so that every lookup resolves to the Remnux IP:
vi /etc/inetsim/inetsim.conf
dns_default_ip <Remnux IP>
- Disable the https and smtps services, since PolarProxy will take over TLS on those ports:
vi /etc/inetsim/inetsim.conf
#start_service https
#start_service smtps
- Restart INetSim service:
systemctl restart inetsim.service
- Test INetSim:
curl http://<Remnux IP>
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
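The three inetsim.conf edits above can also be applied with sed. This is an added example, not part of the original guide, and it assumes the stock layout of /etc/inetsim/inetsim.conf (service_bind_address and dns_default_ip present but commented out, start_service lines active). The config path and IP are parameters; the sample config in make_sample_conf is constructed to mimic the relevant lines of the stock file.

```sh
#!/bin/sh
# Added example, not part of the original guide: apply the three INetSim
# configuration changes with sed instead of hand-editing the file.
# Assumes the stock inetsim.conf layout; conf path and IP are parameters.

configure_inetsim() {
    conf="$1"; ip="$2"
    sed -E \
        -e "s/^#?[[:space:]]*service_bind_address[[:space:]].*/service_bind_address ${ip}/" \
        -e "s/^#?[[:space:]]*dns_default_ip[[:space:]].*/dns_default_ip ${ip}/" \
        -e "s/^[[:space:]]*(start_service[[:space:]]+(https|smtps))[[:space:]]*$/#\1/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# returns 0 when the config carries the expected values:
# bind address and fake DNS answer set, https/smtps disabled, http still on
check_inetsim_conf() {
    conf="$1"; ip="$2"
    grep -qE "^service_bind_address[[:space:]]+${ip}\$" "$conf" &&
    grep -qE "^dns_default_ip[[:space:]]+${ip}\$" "$conf" &&
    ! grep -qE "^start_service[[:space:]]+(https|smtps)" "$conf" &&
    grep -qE "^start_service[[:space:]]+http\$" "$conf"
}

# constructed sample that mimics the relevant lines of the stock file
make_sample_conf() {
    cat > "$1" <<'EOF'
#service_bind_address   10.10.10.1
#dns_default_ip         10.10.10.1
start_service   dns
start_service   http
start_service   https
start_service   smtp
start_service   smtps
EOF
}

# dry run on a temporary copy; for the real file run as root against
# /etc/inetsim/inetsim.conf and restart inetsim.service afterwards
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    configure_inetsim "$tmp" "$1"
    check_inetsim_conf "$tmp" "$1" && echo "inetsim.conf OK for $1"
    cat "$tmp"
    rm -f "$tmp"
}

# usage: ./inetsim-conf.sh <Remnux IP>
if [ -n "$1" ]; then demo "$1"; fi
```

Running the script with the Remnux IP as its only argument prints the rewritten sample; to change the live file call configure_inetsim /etc/inetsim/inetsim.conf <Remnux IP> as root and then restart the service as in the step above.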
Enter the following commands to install PolarProxy as a systemd service:
sudo adduser --system --shell /bin/bash proxyuser
sudo mkdir /var/log/PolarProxy
sudo chown proxyuser:root /var/log/PolarProxy/
sudo chmod 0775 /var/log/PolarProxy/
sudo su - proxyuser
mkdir ~/PolarProxy
cd ~/PolarProxy/
curl https://www.netresec.com/?download=PolarProxy | tar -xzvf -
exit
sudo cp /home/proxyuser/PolarProxy/PolarProxy.service /etc/systemd/system/PolarProxy.service
- Modify the service config so that PolarProxy terminates TLS for HTTPS and SMTPS and forwards the decrypted traffic to INetSim on tcp/80 and tcp/25 respectively:
sudo vi /etc/systemd/system/PolarProxy.service
ExecStart=/home/proxyuser/PolarProxy -v -p 10443,80,80 -p 10465,25,25 -x /var/log/PolarProxy/polarproxy.cer -f /var/log/PolarProxy/proxyflows.log -o /var/log/PolarProxy/ --certhttp 10080 --terminate --connect <Remnux IP> --nosni nosni.inetsim.org
Argument breakdown:
-v : verbose output in syslog (not required)
-p 10443,80,80 : listen for TLS connections on tcp/10443, save decrypted traffic in PCAP as tcp/80, forward traffic to tcp/80
-p 10465,25,25 : listen for TLS connections on tcp/10465, save decrypted traffic in PCAP as tcp/25, forward traffic to tcp/25
-x /var/log/PolarProxy/polarproxy.cer : Save certificate to be imported to clients in /var/log/PolarProxy/polarproxy.cer (not required)
-f /var/log/PolarProxy/proxyflows.log : Log flow meta data in /var/log/PolarProxy/proxyflows.log (not required)
-o /var/log/PolarProxy/ : Save PCAP files with decrypted traffic in /var/log/PolarProxy/
--certhttp 10080 : Make the X.509 certificate available to clients over http on tcp/10080
--terminate : Run PolarProxy as a TLS termination proxy, i.e. data forwarded from the proxy is decrypted
--connect <Remnux IP> (e.g. 192.168.53.19) : forward all connections to the IP of INetSim
--nosni nosni.inetsim.org : Accept incoming TLS connections without SNI, behave as if server name was "nosni.inetsim.org".
- Enable and start the PolarProxy service:
sudo systemctl enable PolarProxy.service
sudo systemctl start PolarProxy.service
- Test PolarProxy:
curl --insecure --connect-to example.com:443:<Remnux IP>:10443 https://example.com
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
Download the root certificate via the HTTP service on tcp/10080 and convert it from DER to PEM format with openssl for use with curl's --cacert switch:
curl http://<Remnux IP>:10080/polarproxy.cer > polarproxy.cer
openssl x509 -inform DER -in polarproxy.cer -out polarproxy-pem.crt
curl --cacert polarproxy-pem.crt --connect-to example.com:443:<Remnux IP>:10443 https://example.com
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
- Configure the firewall: traffic arriving on the host-only interface for tcp/443 goes to PolarProxy on 10443, tcp/465 to PolarProxy on 10465, and everything else to the same port on INetSim (REDIRECT without --to-ports keeps the destination port):
sudo iptables -t nat -A PREROUTING -i <host-only interface> -p tcp --dport 443 -j REDIRECT --to 10443
sudo iptables -t nat -A PREROUTING -i <host-only interface> -p tcp --dport 465 -j REDIRECT --to 10465
sudo iptables -t nat -A PREROUTING -i <host-only interface> -j REDIRECT
- Test firewall rule - HTTPS:
curl --insecure --resolve example.com:443:<Remnux IP> https://example.com
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
- Test firewall rule - SMTPS:
curl --insecure --resolve example.com:465:<Remnux IP> smtps://example.com
214-Commands supported:
214- HELO MAIL RCPT DATA
214- RSET NOOP QUIT EXPN
214- HELP VRFY EHLO AUTH
214- ETRN STARTTLS
214 For more info use "HELP <topic>".
- Install iptables-persistent:
sudo apt install iptables-persistent
- Save the iptables rules (run this from /home/remnux/Documents, where the startup script below expects the file):
sudo iptables-save > iptables.bak
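Because -A appends, the order of the three PREROUTING rules matters: the catch-all REDIRECT must sit behind the two port-specific ones, otherwise tcp/443 is redirected to local tcp/443 (which INetSim no longer serves) instead of PolarProxy on 10443. The following script, an added example that is not part of the original guide, audits an iptables-save dump such as iptables.bak for this. The interface name eth1 and both sample dumps are constructed; the dump path and interface are parameters.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit an iptables-save dump
# for the three nat/PREROUTING REDIRECT rules and their order.
# Dump path and host-only interface name are parameters.

# prints the 1-based position, within the nat PREROUTING rules for
# interface $2, of the first rule matching ERE $3; prints nothing if none
rule_pos() {
    awk -v ifc="$2" -v pat="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" && index($0, "-i " ifc " ") {
            n++
            if (!found && $0 ~ pat) { print n; found = 1 }
        }' "$1"
}

# returns 0 when all three rules exist and the catch-all is behind both
check_nat_rules() {
    dump="$1"; ifc="$2"
    p443=$(rule_pos "$dump" "$ifc" '--dport 443 -j REDIRECT --to-ports 10443$')
    p465=$(rule_pos "$dump" "$ifc" '--dport 465 -j REDIRECT --to-ports 10465$')
    pall=$(rule_pos "$dump" "$ifc" '^-A PREROUTING -i [^ ]+ -j REDIRECT$')
    [ -n "$p443" ] && [ -n "$p465" ] && [ -n "$pall" ] &&
        [ "$pall" -gt "$p443" ] && [ "$pall" -gt "$p465" ]
}

# constructed dump: rules appended in the order the guide gives
make_good_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
-A PREROUTING -i eth1 -p tcp -m tcp --dport 465 -j REDIRECT --to-ports 10465
-A PREROUTING -i eth1 -j REDIRECT
COMMIT
EOF
}

# constructed dump: catch-all ended up first (as -I would do), which
# sends tcp/443 and tcp/465 past PolarProxy
make_bad_dump() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j REDIRECT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
-A PREROUTING -i eth1 -p tcp -m tcp --dport 465 -j REDIRECT --to-ports 10465
COMMIT
EOF
}

# usage: ./check-nat.sh iptables.bak <host-only interface>
if [ -n "$2" ]; then
    if check_nat_rules "$1" "$2"; then
        echo "nat redirect rules OK on $2"
    else
        echo "nat redirect rules missing or misordered on $2"
    fi
fi
```

Run it against the iptables.bak written above (or against the output of sudo iptables-save redirected to a file) with the host-only interface name as the second argument; a non-zero exit from check_nat_rules means the chain will not hand TLS traffic to PolarProxy.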
- Create a startup script that restores the iptables rules and starts INetSim, and make it executable with chmod +x [optional]:
vi /home/remnux/Documents/startup.sh
#!/bin/sh
iptables-restore < /home/remnux/Documents/iptables.bak
inetsim
- Create a systemd service that runs the startup script at boot [optional]:
sudo vi /etc/systemd/system/malwareanalysis.service
[Unit]
Description="This service will restore iptables and run INetSim properly"
[Service]
User=root
WorkingDirectory=/home/remnux/Documents/
ExecStart=/home/remnux/Documents/startup.sh
[Install]
WantedBy=multi-user.target
The PolarProxy root certificate must be installed on the Windows machine
- Start a python HTTP server in the directory where polarproxy.cer is located:
python3 -m http.server 8080
- From Windows machine, download the certificate:
Invoke-WebRequest -Uri "http://<Remnux IP>:8080/polarproxy.cer" -OutFile "<C:\directory\to\store\file>"
- Install certificate:
1. Double-click on "polarproxy.cer"
2. Click [Install Certificate...]
3. Select Local Machine and press [Next]
4. Select Place all certificates in the following store and press [Browse...]
5. Choose "Trusted Root Certification Authorities" and press [OK], then [Next]
6. Press [Finish]
- Test secure connection:
1. Open a browser and visit a few sites over HTTPS; they should load without certificate warnings
Not recommended (the PCAP files are binary, so the terminal output is unreadable), but it shows that decrypted traffic is being written:
tail -f /var/log/PolarProxy/*.pcap