In one of my recent lab assignments, I got to use INetSim, an internet simulator, to provide a malware analysis lab with simulated Internet services. INetSim is an application that provides resources that simulate various Internet services (Hungenberg & Eckert, 2020). This allowed me to analyze HTTP GET requests, DNS lookups, and much more, which I found useful when performing dynamic analysis on malicious samples.
You can obtain a copy of the INetSim source code here: https://www.inetsim.org/downloads.html
INetSim generates fairly thorough logs. Once the service is stopped, it writes a report file in plain text, which can easily be parsed. In this instance, I chose to parse the report file generated by INetSim with grep.
INetSim was not the only security tool I used to monitor the malware analysis lab hosted on VMnet2; I had also configured a Security Onion appliance to monitor VMnet2's traffic.
The INetSim application I used in my lab was installed on an Ubuntu Linux VM. That VM was connected to a virtual network created with the VMware Workstation Pro 15 hypervisor, which hosted the three VMs connected to that network. To start INetSim, I simply ran the inetsim executable. You can see me running it below.
The virtual network was configured as the following:
VMnet2 was configured as a host-only network on the 192.168.209.0/24 subnet. Additionally, the host virtual adapter was not connected to this network. This is an important option: connecting the virtual network to a host adapter gives the guests a network path to the host, which could result in data leakage (or in the sample reaching the host itself). DHCP is not necessary, but I prefer it over manually assigning IP addresses.
The victim VM was a Windows XP machine whose network adapter was attached to VMnet2. VMnet2 does have DHCP running, so it is not usually necessary to configure the machine's network settings manually. But in this case, since we are using INetSim, we need to manually specify the INetSim system as both the default gateway and the DNS server for the victim machine, so that every name the sample resolves and every connection it makes ends up at INetSim instead of failing.
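For the INetSim side of that setup, here is an inetsim.conf fragment as an added example; it is not taken from the post's own lab files, and the 192.168.209.10 address for the Ubuntu VM on VMnet2 is an assumption, since the post only gives the subnet. The check that matters: service_bind_address must be the VM's VMnet2 address rather than the 127.0.0.1 default, or the victim will never reach the fake services, and dns_default_ip must be that same address so that every name the sample resolves points back at INetSim.

```conf
# inetsim.conf fragment (added example; the 192.168.209.10 address is assumed)

# Listen on the VMnet2 address. The default is 127.0.0.1, which the
# victim VM cannot reach.
service_bind_address    192.168.209.10

# Answer every DNS query with INetSim's own address so all traffic
# the sample generates is steered to the fake services.
dns_default_ip          192.168.209.10
dns_default_hostname    www
dns_default_domainname  inetsim.org

# Services the victim is expected to talk to
start_service dns
start_service http
start_service https
start_service smtp
start_service ftp
```

The Windows XP VM then gets 192.168.209.10 as both its default gateway and its DNS server. One caveat from my own experience rather than from the post: making INetSim the gateway only delivers packets to the Ubuntu VM, and INetSim answers only on the address it binds. A sample that connects to a hard-coded external IP instead of a hostname is not answered unless you redirect that traffic on the Ubuntu VM (for example with an iptables REDIRECT rule) to the bound address.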
To demonstrate that INetSim, and not the host system's network adapter, was providing the internet services, I attempted to navigate to briancarr.org using the browser on the Windows XP VM. You can see below that the webpage returned was INetSim's default HTML page and not briancarr.org.
I then stopped INetSim by pressing Ctrl-C in the terminal window running it. When INetSim is stopped, it generates a report file in its report directory. I grepped the report file for briancarr.org and got the results below.
Since I was able to locate the URL I searched for in the report file, I wanted to see what other domains had been contacted by the systems on VMnet2. To do this, I grepped all the report files for a regular expression that matches URLs using the HTTP and HTTPS protocols. If I had run malware that performs DNS lookups or HTTP GET requests, I would likely be able to find them here!
Here are the grep command and regular expression I used to locate domain names in the report files. Note that when report.* matches more than one file, grep prefixes each match with the file name, so uniq -c then counts per file; add -h to aggregate the counts across all reports.
grep -Eo '(http|https)://[^/"]+' report.* | sort | uniq -c
I got the regular expression from one of the replies on this Stack Exchange thread: https://unix.stackexchange.com/questions/181254/how-to-use-grep-and-cut-in-script-to-obtain-website-urls-from-an-html-file
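To show the pipeline running end to end, here is an added example that is not code from the original post: it writes a constructed report file whose line layout approximates INetSim's report format (an assumption for illustration, not a real capture), then runs the grep/sort/uniq pipeline from above with -h added, and adds a second pass that lists the names the victim asked the fake DNS server for.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed,
# INetSim-style report file and runs the post's grep/sort/uniq pipeline over
# it, plus a second pass that pulls the DNS names the victim asked for.
# The report line layout below approximates INetSim's report format and is
# an assumption for illustration, not a real capture.

write_sample_report() {
    # $1 = path to write. Two HTTP hits on one host, one HTTPS hit on another,
    # and the DNS lookups that preceded them.
    cat > "$1" <<'EOF'
=== Report for session '20200601' ===

2020-06-01 12:00:05  First simulated date in log file
2020-06-01 12:00:10  DNS connection, type: A, class: IN, requested name: briancarr.org
2020-06-01 12:00:11  HTTP connection, method: GET, URL: http://briancarr.org/, file name: /var/lib/inetsim/http/fakefiles/sample.html
2020-06-01 12:00:20  DNS connection, type: A, class: IN, requested name: update.example.net
2020-06-01 12:00:21  HTTPS connection, method: GET, URL: https://update.example.net/check.php?id=1, file name: /var/lib/inetsim/http/fakefiles/sample.html
2020-06-01 12:00:30  HTTP connection, method: POST, URL: http://briancarr.org/gate.php, file name: /var/lib/inetsim/http/fakefiles/sample.html
2020-06-01 12:00:40  Last simulated date in log file
EOF
}

# The post's pipeline, with -h added so that grep does not prefix each match
# with the file name when several report files are passed; without it,
# "uniq -c" counts per file instead of across all of them.
contacted_hosts() {
    grep -Eoh '(http|https)://[^/"]+' "$@" | sort | uniq -c | sort -rn
}

# Names the victim resolved, one per line, deduplicated. A domain that shows
# up here but never in contacted_hosts was looked up and then not connected
# to over HTTP(S), which is itself worth a look.
requested_names() {
    grep -Eoh 'requested name: [^ ]+' "$@" | cut -d' ' -f3 | sort -u
}

# Demo on the constructed report
demo_dir=$(mktemp -d)
write_sample_report "$demo_dir/report.sample"
echo "== hosts contacted over HTTP/HTTPS =="
contacted_hosts "$demo_dir/report.sample"
echo "== names requested via DNS =="
requested_names "$demo_dir/report.sample"
rm -rf "$demo_dir"
```

Run it with sh and it prints two hits for http://briancarr.org, one for https://update.example.net, and the two resolved names. Pass several real report files to contacted_hosts to get one combined count per host.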
Since I had a Security Onion VM monitoring the traffic on VMnet2, I was able to apply Snort signatures to it. Several Snort signatures matched the traffic on VMnet2; they can be seen below. One cool thing I noticed is that the first signature shown in the image below is written specifically for INetSim sinkholes, that is, it fires on the canned responses INetSim returns. This helped me confirm that all of the systems on VMnet2 were communicating properly and that the Snort IDS was actually seeing the traffic.
Just to recap: VMnet2 was comprised of three VMs and was configured with no connection to the host. You can read more about configuring a virtual network for malware analysis at https://www.briancarr.org/post/creating-a-virtual-network. The three VMs were an INetSim VM used to simulate internet services, a Windows XP VM which served as the victim during dynamic analysis, and a Security Onion VM which allowed Snort IDS rules to be applied to the virtual network's traffic. I found INetSim very easy to use and perfect for virtualized malware analysis networks.
Thanks for reading. I hope you find INetSim useful in your analysis adventures!