I use InetSim in my lab to simulate the internet and to provide controlled responses to the malware. If you haven’t read it already, see the Installation and Configuration post.
This is fine if the malware is using DNS, because we are running the DNS service and making sure all our traffic goes that way.
This doesn’t help if the malware is using hard-coded IPs. There are a couple of ways we could deal with this.
We could use ARP spoofing and HoneyD to do the intercept and service emulation, we could map our network to match the expected IPs, and there are many more methods I’m sure, but I prefer to stick with InetSim.
My solution was to use route / iptables to redirect the traffic to my InetSim machine.
This is achieved in two steps.
- On the Windows machine we set a route for all IPs and direct them to the InetSim machine.
route ADD 0.0.0.0 MASK 255.255.255.255 <InetSim IP>
On my host it looks like this:
route ADD 0.0.0.0 MASK 255.255.255.255 192.168.0.130
- On our InetSim machine we configure it to redirect incoming requests to its own interface.
iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
With both of these commands in place, any malware communication will be redirected to our Sim.
Once you’re done, if you want to remove these entries, just enter the following.
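To confirm the redirect really catches traffic to an arbitrary hard-coded address, here is an added check to run on the Windows VM once both commands are in place (example code, not from the original post). It assumes Python 3 on the VM, uses 203.0.113.10 as a constructed stand-in for a hard-coded C2 address, and assumes InetSim’s default HTTP Server header contains "INetSim".

```python
"""Probe a hard-coded-looking destination from the analysis VM and report
whether InetSim answered. Added example, not part of the original post."""
import socket

# Constructed destination: documentation range, no real host behind it.
# With the route + iptables redirect in place it should land on InetSim.
TEST_DST = "203.0.113.10"
# Assumption: InetSim's default HTTP "Server:" header contains this string.
INETSIM_BANNER = b"INetSim"


def classify_response(raw: bytes) -> str:
    """Decide what answered: 'inetsim', 'other-http', or 'no-http'."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/"):
        return "no-http"
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server" and INETSIM_BANNER.lower() in value.lower():
            return "inetsim"
    return "other-http"


def probe(dst: str = TEST_DST, port: int = 80, timeout: float = 3.0) -> str:
    """Connect to dst:port, send a minimal GET and classify the reply.
    'unreachable' means nothing answered, i.e. the route or the iptables
    REDIRECT rule is not doing its job."""
    req = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % dst.encode()
    try:
        with socket.create_connection((dst, port), timeout=timeout) as s:
            s.sendall(req)
            raw = b""
            while len(raw) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return "unreachable"
    return classify_response(raw)


if __name__ == "__main__":
    print(TEST_DST, "->", probe())
```

Run it before and after adding the route: "unreachable" before and "inetsim" after shows the redirect works; "other-http" means something other than InetSim is answering that address.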
route DELETE 0.0.0.0
iptables -t nat -D PREROUTING -i eth0 -j REDIRECT
As usual questions queries comments below.