Wednesday, November 04, 2009

Sandnetting With INetSim & Metasploit

I've been looking for something that might work well in a situation where I might want to redirect malicious domains to an IP hosting numerous faux services. I've used the scripts from TRUMAN in the past but they've left a little to be desired (no reflection on Joe Stewart...the guy rocks!). I looked at Glastopf but it wasn't what I was looking for. I caught a reference to INetSim and it looked to be exactly what I wanted.

INetSim emulates about a dozen different services and can do cool things like serve up pretty much any file that is requested. For example, if a Zeus bot-infected host is looking for a new .cfg file, it will respond with a file. Now, it's not the right file, but it doesn't return a 404, either. The significant thing here is that it records all requests and can emulate the services well. Check the features page for more info.

Using VMware Fusion 3, I set up an Ubuntu 9.10 Server for my testing. The following apt-get command installed the necessary prerequisites.
sudo apt-get install libnet-server-perl libnet-dns-perl libdigest-sha1-perl libiptables-ipv4-ipqueue-perl libipc-shareable-perl
I made a few small changes to the config file to fit my environment and was ready to go. Running "sudo ./inetsim" produces the following:
INetSim 1.1.1 (2009-09-09) by Matthias Eckert & Thomas Hungenberg
Using log directory: /home/jsawyer/downloads/inetsim-1.1.1/log/
Using data directory: /home/jsawyer/downloads/inetsim-1.1.1/data/
Using report directory: /home/jsawyer/downloads/inetsim-1.1.1/report/
Using configuration file: /home/jsawyer/downloads/inetsim-1.1.1/conf/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 10323) ===
Session ID is : 10323
Real Date/Time is : Tue Nov 3 22:02:21 2009
Fake Date/Time is : Tue Nov 3 22:02:21 2009 (Delta: 0 seconds)
Forking services...
* dns 53/udp/tcp - started (PID 10325)
* http 80/tcp - started (PID 10326)
* pop3 110/tcp - started (PID 10328)
* smtp 25/tcp - started (PID 10327)
* tftp 69/udp - started (PID 10329)
* ntp 123/udp - started (PID 10331)
* time 37/tcp - started (PID 10332)
* ftp 21/tcp - started (PID 10330)
* daytime 13/tcp - started (PID 10334)
* time 37/udp - started (PID 10333)
* echo 7/tcp - started (PID 10336)
* echo 7/udp - started (PID 10337)
* daytime 13/udp - started (PID 10335)
* discard 9/tcp - started (PID 10338)
* discard 9/udp - started (PID 10339)
* quotd 17/tcp - started (PID 10340)
* quotd 17/udp - started (PID 10341)
* chargen 19/tcp - started (PID 10342)
* finger 79/tcp - started (PID 10344)
* chargen 19/udp - started (PID 10343)
* syslog 514/udp - started (PID 10346)
* ident 113/tcp - started (PID 10345)
* dummy 1/tcp - started (PID 10347)
* dummy 1/udp - started (PID 10348)
Simulation running.
As you can see, setup is easy. Now, how do you get the bad guys to end up at INetSim? I mentioned redirection of malicious domains earlier, but from the sandnet perspective, we can do a couple of things. The DNS dummy service within INetSim can be configured to return the same IP for all queries by setting the dns_default_ip option in the config file (it is commented out with # by default). But, that's too easy. Things are more fun when you use the Metasploit Framework.

We could run msfconsole from either the same host or another host and have it respond to all DNS queries with the address of the host running INetSim. First, create a file and call it anything (like fakedns.rc). In fakedns.rc, you need the following:
use auxiliary/server/fakedns
set SRVPORT 53
Then, run Metasploit like this:
sudo ./msfconsole -r fakedns.rc
And, there you go. Like I said, you could use the dummy DNS within INetSim but I just felt like scripting it with Metasploit since I'd done a few custom configs lately for wireless hijacking demos.

While I've got them in front of me, here's an example of the logs of DNS queries against INetSim.
=== Report for session '10413': ===

Real start date : Tue Nov 3 22:10:15 2009
Simulated start date : Tue Nov 3 22:10:15 2009
Time difference on startup : none

2009-11-03 at 22:10:44 => First simulated date in log file
2009-11-03 at 22:10:44 => DNS connection, type: A, class: IN, requested name:
2009-11-03 at 22:10:51 => DNS connection, type: A, class: IN, requested name:
2009-11-03 at 22:10:51 => Last simulated date in log file

I mentioned above that INetSim can answer pretty much any request. It responds based on the extension of the file being requested. You request a JPG, it gives you back a JPG. This is all defined in the config. I'd recommend changing out the default files for something unique so that a malware author couldn't fingerprint your host as running INetSim because of the sample files.

http_fakefile txt sample.txt text/plain
http_fakefile htm sample.html text/html
http_fakefile html sample.html text/html
http_fakefile php sample.html text/html
http_fakefile gif sample.gif image/gif
http_fakefile jpg sample.jpg image/jpeg
http_fakefile jpeg sample.jpg image/jpeg
http_fakefile png sample.png image/png
http_fakefile bmp sample.bmp image/x-ms-bmp
http_fakefile ico favicon.ico image/x-icon
http_fakefile exe sample_gui.exe x-msdos-program
http_fakefile com sample_gui.exe x-msdos-program
Here are a couple of requests via curl showing that a JPG is served up no matter the path requested.
jsawyer$ curl -s | hexdump -C | head -1
00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |######JFIF.....H|
jsawyer$ curl -s | hexdump -C | head -1
00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |######JFIF.....H|
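As an added example that is not part of the original post, here is a Python script that parses the http_fakefile lines quoted above and then checks what a running INetSim hands back for several paths sharing one extension: whether every path gets the identical file (what the curl output shows) and whether that file actually starts with the magic bytes of the configured MIME type, which is the kind of fingerprint you want to verify after swapping out the default sample files. The magic-byte table and the probe host are my assumptions; check_served_file also works offline on bytes captured any other way.

```python
import hashlib
import urllib.request

# http_fakefile mapping as quoted from inetsim.conf in the post above.
INETSIM_FAKEFILE_CONF = """
http_fakefile txt sample.txt text/plain
http_fakefile htm sample.html text/html
http_fakefile html sample.html text/html
http_fakefile php sample.html text/html
http_fakefile gif sample.gif image/gif
http_fakefile jpg sample.jpg image/jpeg
http_fakefile jpeg sample.jpg image/jpeg
http_fakefile png sample.png image/png
http_fakefile bmp sample.bmp image/x-ms-bmp
http_fakefile ico favicon.ico image/x-icon
http_fakefile exe sample_gui.exe x-msdos-program
http_fakefile com sample_gui.exe x-msdos-program
"""
# Leading bytes a real file of each MIME type starts with (my table, not INetSim's).
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/x-ms-bmp": b"BM",
    "x-msdos-program": b"MZ",
}

def parse_fakefile_conf(text):
    """Return {extension: (filename, mime)} from http_fakefile config lines."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "http_fakefile":
            mapping[parts[1]] = (parts[2], parts[3])
    return mapping

def check_served_file(ext, bodies, conf=INETSIM_FAKEFILE_CONF):
    """Given raw bodies fetched for several paths sharing one extension, return
    (same_file, magic_ok, sha1): identical bytes for every path? expected magic? hash."""
    _, mime = parse_fakefile_conf(conf)[ext]
    magic = MAGIC.get(mime)
    digests = {hashlib.sha1(b).hexdigest() for b in bodies}
    same_file = len(digests) == 1
    magic_ok = magic is None or all(b.startswith(magic) for b in bodies)
    return same_file, magic_ok, (digests.pop() if same_file else None)

def probe(host, ext, paths=("a", "some/dir/b")):
    # Fetch several paths with one extension from a live INetSim HTTP service (host is hypothetical).
    urls = ["http://%s/%s.%s" % (host, p, ext) for p in paths]
    return check_served_file(ext, [urllib.request.urlopen(u, timeout=5).read() for u in urls])
```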
Have fun!!

1 comment:

Minyen said...

Nice article! But why don't you just set the victim's dns server to the ip of inetsim?