Wednesday, February 11, 2009

InetSim Installation

For a project I'm working on*, I've been looking at network simulation software to use in malware analysis. The most common one out there is Truman, written by Joe Stewart. However, Truman has some shortcomings - the biggest being it doesn't have an HTTP server and it hasn't been updated since it was released. So, I wanted to try a different one and that let me to InetSim.

InetSim has a number of software packages that need to be installed before it works. For my benefit, and I guess others as well, I'm documenting the process I took to install it on my Gentoo Linux system.
  1. InetSim has the capability to do connection redirection, but some options have to be compiled into the kernel first. Specifically, the Netfilter NQUEUE over NFNETLINK interface (CONFIG_NETFILTER_NETLINK_QUEUE) and IP Userspace queueing via NETLINK (CONFIG_IP_NF_QUEUE) need to be compiled in. I compiled them directly into the kernel, but they could be modules as well.

    Obviously, after re-compiling and installing your kernel (if needed), you should make sure that iptables is installed.

  2. A number of Perl modules need to be installed. Fortunately, most of these are in the Portage repository and can just be emerged:
    # emerge -av perl-Getopt-Long perl-libnet perl-Digest-SHA perl-digest-base perl-Digest-MD5 MIME-Base64 Net-DNS net-server
  3. There were two Perl libraries which were not in Portage that needed to be installed from source. The first was IPC::Sharable which is located in CPAN here. Once downloaded, installation was easy:
    # tar zxvf IPC-Shareable-0.60.tar.gz
    # cd IPC-Shareable-0.60
    # perl Makefile.PL
    # make
    # make test
    # make install
  4. The next required Perl library, Perlipq, took a little longer. This is a library used to interface with the packet queueing on the system for redirection. Initially, it could not find the libipq.h file in the correct location but a manual edit of the Makefile (shown below) fixed that. Perlipq is downloaded from here.
    # tar zxvf perlipq-1.25.tar.gz
    # cd perlipq-1.25
    # perl Makefile.PL
    At this point, the Makefile.PL prompts you for the location of the iptables development components. Specifically, its looking for libipq.h. It doesn't matter what we enter here as the Makefile will not find it in the correct place. Enter in some text and let the script finish.

    Once the script is finished, edit the Makefile. On line 145 is the following include line:
    INC = -I
    This is the directory which will find libipq.h. Change it to the following:
    INC = -I/usr/include/libipq
    /usr/include/libipq is where libipq.h should be located. If you are unsure, run 'locate libipq.h' to see where its at. After saving the Makefile, installation can continue.
    # make
    # make install
  5. Optional: If you want to make sure you have all of the necessary Perl modules loaded, run the following Perl script:
    use Getopt::Long;
    use Net::Server;
    use Net::DNS;
    use IO::Socket;
    use IO::Select;
    use IPC::Shareable;
    use Digest::SHA1;
    If there are no failures, you're good to go.

  6. At this point, all of the pre-requisites should be installed and InetSim installation can proceed. The latest version of InetSim at the time of this writing is 1.1 and is located here. Download it an untar it into a central location - I chose /usr/local.
    # tar zxvf inetsim-1.1.tar.gz
    # mv inetsim-1.1 inetsim
    # cd inetsim
    Note: I renamed the default directory for my own benefit, this is not necessary.

  7. InetSim uses the nobody user to run its servers. Nobody should be installed by default - but you better make sure.

  8. A group named inetsim is also required by InetSim to run. This should be created as follows:
    # groupadd inetsim
  9. InetSim comes with a script which modifies permissions of all the files as needed.
    # sh
  10. If you plan on running InetSim from a script, chances are you will need to modify a small piece of the inetsim program. On line 12 of the inetsim script is the use lib Perl code which tells the script where to find the InetSim modules. In its original form, it is a relative path to the lib directory. It should be changed to an absolute path similar to the following:
    use lib "/usr/local/inetsim/lib";
At this point, InetSim should be installed and ready to run. The default configuation file is located in conf/inetsim.conf and I highly recommend reading and modifying it to fit your environment. However, you should be able to use the default configuration file to test out your installation.
# /usr/local/inetsim/inetsim --session test
A number of messages of servers starting will stream by. If you don't see any errors, you are good to go!

* My new project - thanks ax0n!:

Thursday, February 5, 2009

Strings and update

Its been a while since I posted anything so I wanted to get something up here.

First, in my last post I mentioned how I use the strings utility when analyzing binaries. The utility will allow you to view embedded strings within a binary. By default, it only shows ASCII strings. The problem with this is that in Windows binaries, there are usually embedded strings encoded in UNICODE, and by default, strings will not show them. To get around this, I was using SysInternal's strings utility with wine on my Linux system.

However, in a comment craigb stated that you can change the encoding strings looks for with the -e option. Here is a snippet from the strings man page:
-e encoding
Select the character encoding of the strings that are to be found.
Possible values for encoding are: s = single-7-bit-byte characters
(ASCII, ISO 8859, etc., default), S = single-8-bit-byte characters,
b = 16-bit bigendian, l = 16-bit littleendian, B = 32-bit bigen-
dian, L = 32-bit littleendian. Useful for finding wide character
By running strings using different encodings both ASCII and UNICODE strings in a Windows binary can be found. To do so, I whipped up a little Bash script which I now use whenever I want to pull strings from a binary:


(strings -a -t x $1; strings -a -e l -t x $1) | sort
The script, which I named mystrings, takes the file to scan as a command line option. It then runs strings against it two times - the first time looking for ASCII strings and the second looking for UNICODE (16-bit little endian actually) strings. The -t x options prints the hex offset of the string within the file. After the strings commands run, they are run through the sort program and displayed.

My concern with this was the Linux strings would miss something that the SysInternal's strings would pick up. So, I ran a test where both programs were run against the same file. The output was the same! Woohoo!

In other news, I'd like to announce I got a new job starting at the beginning of the year (which is pretty much the reason I have not been posting). Those who know me know where I went to, so I won't go into details here. However, I've gotten into my groove and should be posting more soon.