PolarProxy-x-INetSim

Add TLS man-in-the-middle (MitM) capability to a malware analysis environment: PolarProxy terminates TLS in front of INetSim's fake services, so HTTPS and SMTPS traffic from the sandbox is answered by INetSim and written to PCAP in cleartext.

Configuration Steps

Follow the steps in order; each one ends with a check whose expected output is shown. <Remnux IP> stands for the address of the REMnux analysis VM on the host-only network and <host-only interface> for its interface on that network.

Install INetSim

Enter the following commands to add the INetSim repository and install it (apt-key is deprecated on current Debian and Ubuntu releases; if apt rejects the key, store it under /etc/apt/trusted.gpg.d/ instead):

sudo -s
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
curl https://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt update
apt install inetsim

Configure INetSim

  1. Uncomment service_bind_address and set it to the REMnux VM's address on the host-only interface:
vi /etc/inetsim/inetsim.conf
service_bind_address    <Remnux IP>
  2. Configure the fake DNS server so that every name the sandbox looks up resolves to the REMnux VM:
vi /etc/inetsim/inetsim.conf
dns_default_ip  <Remnux IP>
  3. Disable the https and smtps services: PolarProxy will own tcp/443 and tcp/465 and hand the decrypted streams to INetSim's http and smtp services instead:
vi /etc/inetsim/inetsim.conf
#start_service https
#start_service smtps
  4. Restart INetSim:
systemctl restart inetsim.service
  5. Test INetSim (the fake HTTP server must answer on tcp/80):
curl http://<Remnux IP>

<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html> 
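The three edits above are easy to get wrong by hand (a directive left commented out, or https still listed under start_service), and the only check offered so far is the curl test. The following script is an added example, not part of INetSim, PolarProxy or this project: it applies the same changes idempotently and reports what still deviates from the intended setup. It assumes the stock one-directive-per-line layout of inetsim.conf, the script name inetsim_conf.py is an assumption, and the sample input is a constructed, abbreviated excerpt in the style of that file, not the real one.

```python
#!/usr/bin/env python3
"""Apply and verify the INetSim settings from the steps above on inetsim.conf.

Hypothetical helper (not shipped with INetSim or PolarProxy). Assumes the
stock inetsim.conf layout: one directive per line, '#' comments, the two
address directives shipped commented out, one 'start_service <name>' per line.
"""
import re
import sys
from typing import List

# Services whose TLS side PolarProxy takes over (tcp/443 -> 10443, tcp/465 -> 10465).
SERVICES_HANDLED_BY_POLARPROXY = ("https", "smtps")
ADDRESS_DIRECTIVES = ("service_bind_address", "dns_default_ip")

# Match an active or commented-out directive that carries a value; the stock
# file's explanatory comments ('# service_bind_address', '# Syntax: ...') do not match.
_ADDR_RE = re.compile(r"^#?(service_bind_address|dns_default_ip)\s+\S+")
_SVC_RE = re.compile(r"^#?start_service\s+(\S+)")


def configure_inetsim_conf(text: str, remnux_ip: str) -> str:
    """Return inetsim.conf text with both address directives set to remnux_ip
    and the https/smtps service starts commented out. Running it twice is a no-op."""
    out: List[str] = []
    done = {key: False for key in ADDRESS_DIRECTIVES}
    for line in text.splitlines():
        stripped = line.strip()
        m = _ADDR_RE.match(stripped)
        if m and not done[m.group(1)]:
            # Uncomment (or overwrite) the first occurrence, e.g. '#service_bind_address 10.10.10.1'.
            out.append(f"{m.group(1):<24}{remnux_ip}")
            done[m.group(1)] = True
            continue
        m = _SVC_RE.match(stripped)
        if m and m.group(1) in SERVICES_HANDLED_BY_POLARPROXY:
            # 'start_service https' -> '#start_service https' (already-commented lines stay as they are)
            out.append("#" + stripped.lstrip("#").strip())
            continue
        out.append(line)
    for key, seen in done.items():
        if not seen:  # directive missing entirely: append it
            out.append(f"{key:<24}{remnux_ip}")
    return "\n".join(out) + "\n"


def check_inetsim_conf(text: str, remnux_ip: str) -> List[str]:
    """List what still deviates from the intended setup (empty list means OK)."""
    active = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        active.setdefault(parts[0], []).append(parts[1:])
    problems = []
    for key in ADDRESS_DIRECTIVES:
        values = active.get(key, [])
        if not values or values[-1] != [remnux_ip]:  # last active occurrence wins
            problems.append(f"{key} is not set to {remnux_ip}")
    for args in active.get("start_service", []):
        if args and args[0] in SERVICES_HANDLED_BY_POLARPROXY:
            problems.append(f"start_service {args[0]} is still enabled; PolarProxy owns that port")
    return problems


# Constructed, abbreviated excerpt in the style of the stock inetsim.conf (not the real file).
SAMPLE_CONF = """\
# service_bind_address
#
# Syntax: service_bind_address <IP address>
#
#service_bind_address\t10.10.10.1

# dns_default_ip
#
#dns_default_ip\t\t10.10.10.1

start_service dns
start_service http
start_service https
start_service smtp
start_service smtps
"""

if __name__ == "__main__":
    # Usage: python3 inetsim_conf.py /etc/inetsim/inetsim.conf <Remnux IP> [--write]
    path, ip = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        original = fh.read()
    for problem in check_inetsim_conf(original, ip):
        print("found:", problem)
    updated = configure_inetsim_conf(original, ip)
    if "--write" in sys.argv[3:]:
        with open(path, "w") as fh:
            fh.write(updated)
    print("after update:", check_inetsim_conf(updated, ip) or "OK")
```

Without --write the script only reports; with --write (as root) it rewrites the file, after which INetSim must be restarted as in step 4. Only the first value-carrying occurrence of each address directive is rewritten, so a file that was already edited comes back unchanged.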

Install PolarProxy

Enter the following commands to install PolarProxy as systemd service:

sudo adduser --system --shell /bin/bash proxyuser
sudo mkdir /var/log/PolarProxy
sudo chown proxyuser:root /var/log/PolarProxy/
sudo chmod 0775 /var/log/PolarProxy/
sudo su - proxyuser
mkdir ~/PolarProxy
cd ~/PolarProxy/
curl "https://www.netresec.com/?download=PolarProxy" | tar -xzvf -
exit
sudo cp /home/proxyuser/PolarProxy/PolarProxy.service /etc/systemd/system/PolarProxy.service

Configure PolarProxy

  1. Edit the service unit so that PolarProxy terminates TLS for HTTPS and SMTPS and forwards the decrypted streams to INetSim's http and smtp services on tcp/80 and tcp/25 respectively:
sudo vi /etc/systemd/system/PolarProxy.service

ExecStart=/home/proxyuser/PolarProxy -v -p 10443,80,80 -p 10465,25,25 -x /var/log/PolarProxy/polarproxy.cer -f /var/log/PolarProxy/proxyflows.log -o /var/log/PolarProxy/ --certhttp 10080 --terminate --connect <Remnux IP> --nosni nosni.inetsim.org

Argument breakdown:
-v : verbose output (goes to the journal/syslog when run as a service; not required)
-p 10443,80,80 : listen for TLS connections on tcp/10443, write the decrypted traffic to the PCAP as tcp/80, forward it to tcp/80
-p 10465,25,25 : listen for TLS connections on tcp/10465, write the decrypted traffic to the PCAP as tcp/25, forward it to tcp/25
-x /var/log/PolarProxy/polarproxy.cer : write the root CA certificate that clients must trust to /var/log/PolarProxy/polarproxy.cer (not required)
-f /var/log/PolarProxy/proxyflows.log : log flow metadata to /var/log/PolarProxy/proxyflows.log (not required)
-o /var/log/PolarProxy/ : save PCAP files with the decrypted traffic in /var/log/PolarProxy/
--certhttp 10080 : serve the root CA certificate to clients over HTTP on tcp/10080
--terminate : run PolarProxy as a TLS termination proxy, i.e. the data forwarded to INetSim is sent in cleartext instead of being re-encrypted
--connect <Remnux IP> : forward all connections to the IP of INetSim, whatever destination the client asked for
--nosni nosni.inetsim.org : accept incoming TLS connections without SNI and behave as if the server name was "nosni.inetsim.org"

  2. Enable and start the PolarProxy service:
sudo systemctl enable PolarProxy.service
sudo systemctl start PolarProxy.service
  3. Test PolarProxy. --insecure is needed here because the certificate PolarProxy forges for example.com is signed by its own root CA, which curl does not trust yet; --connect-to sends the request straight to the proxy port without involving DNS or iptables:
curl --insecure --connect-to example.com:443:<Remnux IP>:10443 https://example.com

<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>

Verify the forged certificate against PolarProxy's root CA

Download the root certificate from PolarProxy's HTTP service on tcp/10080 and convert it from DER to PEM with openssl so that curl accepts it via --cacert. If the request succeeds without --insecure, the chain PolarProxy presents validates under its own CA, which is what the Windows guest will be made to trust later:

curl http://<Remnux IP>:10080/polarproxy.cer > polarproxy.cer
openssl x509 -inform DER -in polarproxy.cer -out polarproxy-pem.crt
curl --cacert polarproxy-pem.crt --connect-to example.com:443:<Remnux IP>:10443 https://example.com

<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>

Set up routing

  1. Add NAT rules on the host-only interface: tcp/443 and tcp/465 go to PolarProxy's listeners, and everything else is redirected to the same port on the REMnux VM itself, where INetSim's fake services answer (REDIRECT without --to-ports keeps the original destination port). For the catch-all rule to also capture traffic to hard-coded IPs, the guest must use <Remnux IP> as both its DNS server and its default gateway:
sudo iptables -t nat -A PREROUTING -i <host-only interface> -p tcp --dport 443 -j REDIRECT --to 10443
sudo iptables -t nat -A PREROUTING -i <host-only interface> -p tcp --dport 465 -j REDIRECT --to 10465
sudo iptables -t nat -A PREROUTING -i <host-only interface> -j REDIRECT
  2. Test the HTTPS redirect. PREROUTING only sees packets arriving on the interface, so run this from another machine on the host-only network, not on the REMnux VM itself; --resolve makes curl connect to <Remnux IP> on the real port 443, which the first rule redirects to 10443:
curl --insecure --resolve example.com:443:<Remnux IP> https://example.com

<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>
  3. Test the SMTPS redirect the same way. With nothing to send, curl issues an SMTP HELP command, which INetSim's fake SMTP service answers through PolarProxy:
curl --insecure --resolve example.com:465:<Remnux IP> smtps://example.com

214-Commands supported:
214- HELO MAIL RCPT DATA
214- RSET NOOP QUIT EXPN
214- HELP VRFY EHLO AUTH
214- ETRN STARTTLS
214 For more info use "HELP <topic>".

Persistent firewall rules

iptables rules are lost on reboot. iptables-persistent can restore them on its own (sudo netfilter-persistent save writes the current rules to /etc/iptables/rules.v4 and loads them at boot); the script and unit below are an alternative that restores the saved rules and starts INetSim from one place.

  1. Install iptables-persistent:
sudo apt install iptables-persistent
  2. Save the current rules into the directory the startup script reads from (here /home/remnux/Documents):
cd /home/remnux/Documents
sudo iptables-save > iptables.bak
  3. Create the startup script that restores the rules and starts INetSim [optional]. If inetsim.service is already enabled, leave the inetsim line out: a second instance cannot bind the same ports:
vi /home/remnux/Documents/startup.sh

#!/bin/sh
set -e
iptables-restore < /home/remnux/Documents/iptables.bak
inetsim

chmod +x /home/remnux/Documents/startup.sh
  4. Create a systemd unit that runs the script at boot [optional], then enable it:
sudo vi /etc/systemd/system/malwareanalysis.service

[Unit]
Description=Restore iptables rules and run INetSim
After=network.target

[Service]
User=root
WorkingDirectory=/home/remnux/Documents/
ExecStart=/home/remnux/Documents/startup.sh

[Install]
WantedBy=multi-user.target

sudo systemctl enable malwareanalysis.service

Install Certificate on Windows Machine

PolarProxy signs the certificate it forges for each site with its own root CA, so that CA must be in the Windows guest's Trusted Root Certification Authorities store; otherwise every client that validates certificates (browsers, .NET, most HTTP libraries) rejects the handshake. The file is the one PolarProxy wrote with -x, and --certhttp also serves it at http://<Remnux IP>:10080/polarproxy.cer.

Transfer certificate

  1. On REMnux, start a Python HTTP server in the directory where polarproxy.cer is located (or skip this step and fetch the file from tcp/10080 instead):
python3 -m http.server 8080
  2. From the Windows machine, download the certificate:
Invoke-WebRequest -Uri "http://<Remnux IP>:8080/polarproxy.cer" -OutFile "<C:\directory\to\store\file>"
  3. Install the certificate:
1. Double-click on "polarproxy.cer"
2. Click [Install Certificate...]
3. Select Local Machine and press [Next]
4. Select Place all certificates in the following store and press [Browse...]
5. Choose "Trusted Root Certification Authorities" and press [OK], then [Next]
6. Press [Finish]
  4. Test the secure connection:
1. Open a browser and visit any site over HTTPS: the INetSim default page should load without a certificate warning, and a new PCAP containing the decrypted request should appear under /var/log/PolarProxy/

Access Decrypted Traffic

The PCAP files are binary, so tailing them in a terminal is only a quick way to confirm that cleartext is being written; for real analysis open them in Wireshark or read them with tcpdump -r or tshark -r. Because of the -p 10443,80,80 and -p 10465,25,25 mappings, the decrypted HTTPS and SMTPS sessions appear as ordinary tcp/80 and tcp/25 flows:

tail -f /var/log/PolarProxy/*.pcap
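To see what actually lands in those files, the script below is an added example (not PolarProxy's own tooling and not part of this project) that walks a capture and prints the first line of every client request sent to the ports from the -p mappings above, so a decrypted HTTPS session shows up as an HTTP request on tcp/80 and a decrypted SMTPS session as an SMTP command on tcp/25. It assumes classic pcap format (not pcapng) with Ethernet or raw-IPv4 framing and IPv4 only; the script name polar_requests.py is an assumption, and the embedded capture is constructed so the example runs offline.

```python
#!/usr/bin/env python3
"""Pull the first line of every client request out of a PolarProxy PCAP.

Hypothetical helper, not PolarProxy's own tooling. Assumes classic pcap
(not pcapng), Ethernet or raw-IPv4 link type, IPv4 only, and the port
mapping from the ExecStart line above: decrypted HTTPS is written as
tcp/80 and decrypted SMTPS as tcp/25.
"""
import socket
import struct
import sys
from typing import Iterator, List, Tuple

DLT_EN10MB, DLT_RAW = 1, 101
# Destination port in the PCAP -> protocol, per '-p 10443,80,80' and '-p 10465,25,25'.
PCAP_PORTS = {80: "http", 25: "smtp"}


def _records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (link_type, frame) for each record of a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(endian + "IHHiIII", data[:24])[6]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield link_type, data[off:off + incl_len]
        off += incl_len


def tcp_payloads(data: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src, sport, dst, dport, payload) for every TCP segment carrying data."""
    for link_type, frame in _records(data):
        if link_type == DLT_EN10MB:
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":
                continue  # not IPv4
            ip = frame[14:]
        elif link_type == DLT_RAW:
            ip = frame
        else:
            continue
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue  # not IPv4/TCP
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset in 32-bit words)
        if payload:
            yield socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, payload


def decrypted_requests(data: bytes, ports=PCAP_PORTS) -> List[Tuple[str, str, str]]:
    """(protocol, client, first request line) for client->server data on the mapped ports."""
    found = []
    for src, sport, _dst, dport, payload in tcp_payloads(data):
        if dport in ports:
            first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            found.append((ports[dport], f"{src}:{sport}", first_line))
    return found


def _segment(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Build one pcap record: Ethernet/IPv4/TCP (PSH,ACK) with zeroed checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    frame = bytes(12) + b"\x08\x00" + ip  # zero MAC addresses, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


# Constructed sample capture: a Windows guest (192.168.56.20) talking to REMnux
# (192.168.56.10) through PolarProxy, as it appears after TLS termination.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB) + b"".join([
    _segment("192.168.56.20", 49152, "192.168.56.10", 80,
             b"GET /gate.php?id=1 HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    _segment("192.168.56.10", 80, "192.168.56.20", 49152,
             b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    _segment("192.168.56.20", 49153, "192.168.56.10", 25, b"EHLO victim\r\n"),
])

if __name__ == "__main__":
    # Usage: python3 polar_requests.py /var/log/PolarProxy/<file>.pcap  (no argument: built-in sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for proto, client, line in decrypted_requests(raw):
        print(f"{proto:<5} {client:<22} {line}")
```

Run it against a capture with python3 polar_requests.py /var/log/PolarProxy/<file>.pcap; without an argument it prints the two requests from the embedded sample. Server responses are deliberately skipped (their destination port is the client's ephemeral port), and the sample leaves IP and TCP checksums at zero, which Wireshark flags but this parser never inspects.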

Contributors

0x4f776c