Once you get the tool installed and working, it also comes with a default set of files it will respond with. For example, if your malware requests an executable such as mybadsite.com/new_malware.exe, inetsim has a default executable that it will serve up in response.
In my environment, I have an Ubuntu 9 VM that I will use for this.
Step 1: get all the perl libraries
> perl -MCPAN -e shell
cpan> install Net::Server
cpan> install IO::Select
cpan> install IO::Socket
cpan> install Digest::SHA1
I tried to use cpan to install Net::DNS and IPC::Shareable, but kept getting errors.
Installing by hand:
Download the libraries Net::DNS and IPC::Shareable.
> tar zxvf IPC-Shareable-0.60.tar.gz
> cd IPC-Shareable-0.60
> perl Makefile.PL
> make
> make test ** I got failed tests here, but installed anyway **
> make install
> tar zxvf Net-DNS-0.65.tar.gz
> cd Net-DNS-0.65
> perl Makefile.PL
> make
> make test ** I got failed tests here, but installed anyway **
> make install
Downloaded inetsim (I put it in /usr/local):
> cd /usr/local/
> tar zxvf inetsim-1.1.tar.gz
> mv inetsim-1.1 inetsim
> cd inetsim
> groupadd inetsim
> sh setup.sh
That's it for the install!
I had to make a few minor changes to the conf/inetsim.conf file:
service_bind_address
dns_default_ip
Finally, I changed my victim VM's DNS server address to the machine running inetsim.
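A small POSIX shell script, added here as an example and not part of the original post or of the inetsim project, that checks the result of the steps above: it reads the two conf/inetsim.conf settings mentioned (service_bind_address and dns_default_ip), fails if either is still on a loopback address (so the victim VM could never reach the simulator), and lists which of the Perl modules installed above are missing on the host. It assumes inetsim's "key value" config line format; the config contents in the demo are constructed, and the path /usr/local/inetsim/conf/inetsim.conf is the one the post's layout implies.

```shell
#!/bin/sh
# Added example: sanity-check an inetsim install. Not from the original post.
# Assumes inetsim.conf uses "<key> <value>" lines with '#' comments.

# Print the value of a key in an inetsim-style config file (first match wins).
conf_value() {
    # $1 = config file, $2 = key name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 when both settings point at a non-loopback address, i.e. when the
# simulator is actually reachable from the victim VM; return 1 otherwise.
check_inetsim_conf() {
    conf="$1"
    bind=$(conf_value "$conf" service_bind_address)
    dns=$(conf_value "$conf" dns_default_ip)
    for v in "$bind" "$dns"; do
        case "$v" in
            ""|127.*) return 1 ;;   # unset or still the 127.0.0.1 default
        esac
    done
    return 0
}

# Echo, one per line, the Perl modules from the install steps that this host
# cannot load (empty output means all of them are present).
missing_perl_modules() {
    for m in Net::Server IO::Select IO::Socket Digest::SHA1 Net::DNS IPC::Shareable; do
        perl -M"$m" -e 1 >/dev/null 2>&1 || echo "$m"
    done
}

# Demo on a constructed config (the real file would be
# /usr/local/inetsim/conf/inetsim.conf in the layout used above).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample, edited the way the post describes
service_bind_address 192.168.56.10
dns_default_ip 192.168.56.10
EOF
if check_inetsim_conf "$demo_conf"; then
    echo "conf OK: services bound to $(conf_value "$demo_conf" service_bind_address)"
else
    echo "conf still points at loopback; victim VM will not reach inetsim" >&2
fi
rm -f "$demo_conf"

echo "missing Perl modules on this host (if any):"
missing_perl_modules
```

Run it as `sh check_inetsim.sh` on the inetsim host; to check the live file instead of the demo, call `check_inetsim_conf /usr/local/inetsim/conf/inetsim.conf`. The loopback test matters because inetsim's services are only useful to the victim VM if they listen on an address that VM can route to.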
After that, it's done. Very cool stuff -- this should cut down on the time it takes to get info from malware.