Using INetSim to redirect a particular IP

Having a small set of systems for malware analysis is a must-have, of course. I have most of my environment in different VMs, but sometimes you need to access IPs in the normal office LAN.

Here is an example setup, before the change:

Notebook eth0 192.168.1.22
- Remnux (watcher)
---- eth0 NAT 10.0.3.3 <--- sitting in the "good network"
---- eth1 VM malnet 192.168.99.99
---- inetsim listening on 192.168.99.99 offering various services

- Windows victim system (malho)
---- eth0 VM malnet 192.168.99.98 default gw 192.168.99.99

That is pretty simple: if malware running on the "malho" system tries to connect to anything, it gets caught by inetsim and the packet sniffers.

But now the interesting aspect: say you have a system

SSH server
---- eth0 192.168.1.33

that you want to access from malho (it could be any other service as well).

Use the following inetsim settings:


#############################################################
# Redirect
#############################################################

#########################################
# redirect_enabled
#
# Turn connection redirection on or off.
#
# Syntax: redirect_enabled [yes|no]
#
# Default: no
#
redirect_enabled	yes


#########################################
# redirect_unknown_services
#
# Redirect connection attempts to unbound ports
# to dummy service
#
# Syntax: redirect_unknown_services [yes|no]
#
# Default: yes
#
redirect_unknown_services yes	


#########################################
# redirect_external_address
#
# IP address used as source address if INetSim
# acts as a router for redirecting packets to
# external networks.
# This option only takes effect if static rules
# for redirecting packets to external networks
# are defined (see 'redirect_static_rule' below).
#
# Syntax: redirect_external_address 
#
# Default: none
#
redirect_external_address  10.0.3.3

#########################################
# redirect_static_rule
#
# Static mappings for connection redirection.
# Note: Currently only protocols tcp, udp and icmp are supported.
#
# Syntax: redirect_static_rule tcp|udp       
#         redirect_static_rule tcp|udp           
#         redirect_static_rule tcp|udp <:port>                
#         redirect_static_rule tcp|udp <:port>                <:port>
#         redirect_static_rule icmp     
#         redirect_static_rule icmp              
#         redirect_static_rule icmp    <:icmp-type>           
#
# Default: none 
#
# Examples:
#
# WWW caching service
#redirect_static_rule	tcp             :8080			:80
#
# Submission [RFC4409]
#redirect_static_rule	tcp             :587			:25
#
# Echo-Request [RFC792]
#redirect_static_rule	icmp 10.10.10.20:echo-request	10.1.0.25
#
# Redirection based on IP address and/or port:
#redirect_static_rule	tcp	10.10.10.55:88  	 10.10.10.1:80
#redirect_static_rule	tcp	           :99  	192.168.1.1:25
#redirect_static_rule	tcp	10.10.10.20:    	 172.16.1.2:
redirect_static_rule tcp 192.168.1.33: 192.168.1.33:
redirect_static_rule icmp 192.168.1.33:echo-request 192.168.1.33

#########################################
# redirect_change_ttl
#
# Change the time-to-live header field to a random value
# in outgoing IP packets.
#
# Syntax: redirect_change_ttl [yes|no]
#
# Default: no
#
#redirect_change_ttl	yes


#########################################
# redirect_exclude_port
#
# Connections to  on this port
# are not redirected
#
# Syntax: redirect_exclude_port 
#
# Default: none
#
#redirect_exclude_port		tcp:22
#redirect_exclude_port		udp:111


#########################################
# redirect_ignore_bootp
#
# If set to 'yes', BOOTP (DHCP) broadcasts will not be redirected
# (UDP packets with source address 0.0.0.0, port 68 and
# destination address 255.255.255.255, port 67 or vice versa)
#
# Syntax: redirect_ignore_bootp [yes|no]
#
# Default: no
#
#redirect_ignore_bootp		yes


#########################################
# redirect_ignore_netbios
#
# If set to 'yes', NetBIOS broadcasts will not be redirected
# (UDP packets with source/destination port 137/138
# and destination address x.x.x.255 on the local network)
#
# Syntax: redirect_ignore_netbios [yes|no]
#
# Default: no
#
#redirect_ignore_netbios	yes


#########################################
# redirect_icmp_timestamp
#
# If set to 'ms', ICMP Timestamp requests will be answered
# with number of milliseconds since midnight UTC according
# to faketime.
# If set to 'sec', ICMP Timestamp requests will be answered
# with number of seconds since epoch (high order bit of the
# timestamp will be set to indicate non-standard value).
# Setting to 'no' disables manipulation of ICMP Timestamp
# requests.
#
# Syntax: redirect_icmp_timestamp [ms|sec|no]
#
# Default: ms
#
#redirect_icmp_timestamp	sec

--> you can now ping and ssh from malho to 192.168.1.

Another handy thing: you can also hide your local IP:

 redirect_static_rule icmp 1.2.3.4:echo-request 192.168.1.33

--> you can now ping and do whatever from malho using 1.2.3.4, and malho will never see the actual IP.
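As an added example (not from the post and not INetSim's own code), here is a small Python model of how the three redirect_static_rule lines above decide where a packet from malho ends up, including the hidden-IP trick. The matching semantics are a simplified assumption: a rule applies when every part it specifies (IP and/or port, or ICMP type) equals the original destination, unspecified destination parts keep the original value, and anything without a matching rule is caught by INetSim on 192.168.99.99.

```python
# Added example, not from the post or from INetSim: a simplified model of
# redirect_static_rule matching.  The semantics below are an assumption.
INETSIM_BIND = "192.168.99.99"   # eth1 of the Remnux box in the lab layout above

# Constructed excerpt of the inetsim.conf shown in the post.
SAMPLE_CONF = """
redirect_enabled yes
redirect_unknown_services yes
redirect_external_address 10.0.3.3
# Examples from the stock file stay commented out:
#redirect_static_rule tcp            :99     192.168.1.1:25
redirect_static_rule tcp 192.168.1.33: 192.168.1.33:
redirect_static_rule icmp 192.168.1.33:echo-request 192.168.1.33
redirect_static_rule icmp 1.2.3.4:echo-request 192.168.1.33
"""

def parse_rules(conf):
    """Return (proto, match_ip, match_port, dst_ip, dst_port) tuples for active rules."""
    rules = []
    for line in conf.splitlines():
        fields = line.split()          # tabs or spaces, as in the real file
        if len(fields) != 4 or fields[0] != "redirect_static_rule":
            continue                   # comments, other options, blank lines
        _, proto, src, dst = fields
        src_ip, _, src_port = src.partition(":")   # "1.2.3.4:echo-request" -> both parts
        dst_ip, _, dst_port = dst.partition(":")   # "192.168.1.33:" -> IP only, keep port
        rules.append((proto, src_ip, src_port, dst_ip, dst_port))
    return rules

def resolve(rules, proto, ip, port):
    """Where does malho's packet to ip:port (port = ICMP type for icmp) end up?

    Returns (dst_ip, dst_port, action): "forward" means routed out through
    redirect_external_address, "inetsim" means answered by INetSim or its dummy service.
    """
    for r_proto, m_ip, m_port, d_ip, d_port in rules:
        if r_proto != proto:
            continue
        if m_ip and m_ip != ip:
            continue
        if m_port and m_port != port:
            continue
        return (d_ip or ip, d_port or port, "forward")
    # No static rule: the connection is caught locally, like every other one.
    return (INETSIM_BIND, port, "inetsim")

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for probe in [("tcp", "192.168.1.33", "22"), ("udp", "192.168.1.33", "53"),
                  ("icmp", "1.2.3.4", "echo-request"), ("tcp", "203.0.113.10", "80")]:
        print(probe, "->", resolve(rules, *probe))
```

Note that the tcp rule only covers TCP: a UDP packet from malho to 192.168.1.33 still lands on INetSim, so add a separate udp rule if you need that service too.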

REMNux set time

REMnux is an awesome Unix distribution built by Lenny Zeltser for reverse engineering malware. It is built for out-of-the-box reversing.

The documentation is almost complete, but one point I was missing while using it is quite important: correct time settings!
In order to check certain logs, preserve evidence, etc., you want an accurate time setting on the system.

First, set the right timezone:

sudo dpkg-reconfigure tzdata

The first choice would then be NTP:
sudo ntpdate ntp.ubuntu.com # or your preferred NTP server (maybe one in your lab environment)

Because of what is running on the system, you might want to limit network access, so NTP might not be available.
To set the date manually use:

sudo date $newdatetimestring
Format:
MMDDhhmmYYYY.ss   (month, day, hour on a 24-hour clock, minute, year, seconds)

To print this string on another Unix system use the following command (%H rather than %I: date expects the hour on a 24-hour clock):
date "+%m%d%H%M%Y.%S"
040211422014.48

Copy this string and adjust it for the time that elapses while you copy and paste it.
Check your correct date settings with:
date
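The adjustment in the copy-and-paste step can be done programmatically; as an added example (not from the post), this Python helper shifts a string in the MMDDhhmmYYYY.ss form by the seconds that elapsed, carrying over into minutes, hours, days and years. The format string (24-hour clock) is an assumption matching what date(1) accepts.

```python
# Added example, not from the post: shift a MMDDhhmmYYYY.ss string by the
# seconds that passed between generating it and pasting it into `sudo date`.
from datetime import datetime, timedelta

DATE_FMT = "%m%d%H%M%Y.%S"   # 24-hour clock (%H); %I would give a 12-hour hour field

def adjust_datestring(datestring, elapsed_seconds):
    """Return datestring moved forward by elapsed_seconds, e.g. :48 + 30 s -> next minute :18."""
    stamp = datetime.strptime(datestring, DATE_FMT)
    return (stamp + timedelta(seconds=elapsed_seconds)).strftime(DATE_FMT)

def set_date_command(datestring, elapsed_seconds):
    """The command to run on REMnux once elapsed_seconds have passed since generating the string."""
    return "sudo date " + adjust_datestring(datestring, elapsed_seconds)

if __name__ == "__main__":
    # The string from the post, assumed to be pasted 30 seconds after it was printed.
    print(set_date_command("040211422014.48", 30))
```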

Now happy reversing

Reference: Install REMNUX as virtual instance