Having a small set of systems for malware analysis is a must hve of course, I have most of my envirenment in different VMs but sometimes you need to access IPs in the normal office LAN.
Here is a setup-example before:
Notebook eth0 192.168.1.22
- Remnux (watcher)
---- eth0 NAT 10.0.3.3 <--- sitting in the "good network"
---- eth1 VM malnet 192.168.99.99
---- inetsim listening on 192.168.99.99 offering various services
- Windows victim system (malho)
---- eth0 VM malnet 192.168.99.98 default gw 192.168.99.99
That is pretty simple, if malware running on the "malho" system and trying to connect to anything, it get's catched by inetsim and packetsniffers.
But now the interesting aspect: e.g. if you have a system:
SSH server
---- eth0 192.168.1.33
That you want to access from malho (could be any other service as well)
Use the following inetsim settings:
#############################################################
# Redirect
#############################################################
#########################################
# redirect_enabled
#
# Turn connection redirection on or off.
#
# Syntax: redirect_enabled [yes|no]
#
# Default: no
#
redirect_enabled yes
#########################################
# redirect_unknown_services
#
# Redirect connection attempts to unbound ports
# to dummy service
#
# Syntax: redirect_unknown_services [yes|no]
#
# Default: yes
#
redirect_unknown_services yes
#########################################
# redirect_external_address
#
# IP address used as source address if INetSim
# acts as a router for redirecting packets to
# external networks.
# This option only takes effect if static rules
# for redirecting packets to external networks
# are defined (see 'redirect_static_rule' below).
#
# Syntax: redirect_external_address
#
# Default: none
#
redirect_external_address 10.0.3.3
#########################################
# redirect_static_rule
#
# Static mappings for connection redirection.
# Note: Currently only protocols tcp, udp and icmp are supported.
#
# Syntax: redirect_static_rule tcp|udp
# redirect_static_rule tcp|udp
# redirect_static_rule tcp|udp <:port>
# redirect_static_rule tcp|udp <:port> <:port>
# redirect_static_rule icmp
# redirect_static_rule icmp
# redirect_static_rule icmp <:icmp-type>
#
# Default: none
#
# Examples:
#
# WWW caching service
#redirect_static_rule tcp :8080 :80
#
# Submission [RFC4409]
#redirect_static_rule tcp :587 :25
#
# Echo-Request [RFC792]
#redirect_static_rule icmp 10.10.10.20:echo-request 10.1.0.25
#
# Redirection based on IP address and/or port:
#redirect_static_rule tcp 10.10.10.55:88 10.10.10.1:80
#redirect_static_rule tcp :99 192.168.1.1:25
#redirect_static_rule tcp 10.10.10.20: 172.16.1.2:
redirect_static_rule tcp 192.168.1.33: 192.168.1.33:
redirect_static_rule icmp 192.168.1.33:echo-request 192.168.1.33
#########################################
# redirect_change_ttl
#
# Change the time-to-live header field to a random value
# in outgoing IP packets.
#
# Syntax: redirect_change_ttl [yes|no]
#
# Default: no
#
#redirect_change_ttl yes
#########################################
# redirect_exclude_port
#
# Connections to on this port
# are not redirected
#
# Syntax: redirect_exclude_port
#
# Default: none
#
#redirect_exclude_port tcp:22
#redirect_exclude_port udp:111
#########################################
# redirect_ignore_bootp
#
# If set to 'yes', BOOTP (DHCP) broadcasts will not be redirected
# (UDP packets with source address 0.0.0.0, port 68 and
# destination address 255.255.255.255, port 67 or vice versa)
#
# Syntax: redirect_ignore_bootp [yes|no]
#
# Default: no
#
#redirect_ignore_bootp yes
#########################################
# redirect_ignore_netbios
#
# If set to 'yes', NetBIOS broadcasts will not be redirected
# (UDP packets with source/destination port 137/138
# and destination address x.x.x.255 on the local network)
#
# Syntax: redirect_ignore_netbios [yes|no]
#
# Default: no
#
#redirect_ignore_netbios yes
#########################################
# redirect_icmp_timestamp
#
# If set to 'ms', ICMP Timestamp requests will be answered
# with number of milliseconds since midnight UTC according
# to faketime.
# If set to 'sec', ICMP Timestamp requests will be answered
# with number of seconds since epoch (high order bit of the
# timestamp will be set to indicate non-standard value).
# Setting to 'no' disables manipulation of ICMP Timestamp
# requests.
#
# Syntax: redirect_icmp_timestamp [ms|sec|no]
#
# Default: ms
#
#redirect_icmp_timestamp sec
--> you can now ping and ssh from malho to 192.168.1.
Another handy thing is you can also hide your local ip:
redirect_static_rule icmp 1.2.3.4:echo-request 192.168.1.33
--> you can now ping and whatever from malho using 1.2.3.4 and the malho will not get the actual IP.