Wednesday, February 11, 2009

InetSim Installation

For a project I'm working on*, I've been looking at network simulation software to use in malware analysis. The most common one out there is Truman, written by Joe Stewart. However, Truman has some shortcomings - the biggest being that it doesn't have an HTTP server and it hasn't been updated since it was released. So, I wanted to try a different one, and that led me to InetSim.

InetSim has a number of software packages that need to be installed before it works. For my benefit, and I guess others as well, I'm documenting the process I took to install it on my Gentoo Linux system.
  1. InetSim has the capability to do connection redirection, but some options have to be compiled into the kernel first. Specifically, the Netfilter NFQUEUE over NFNETLINK interface (CONFIG_NETFILTER_NETLINK_QUEUE) and IP Userspace queueing via NETLINK (CONFIG_IP_NF_QUEUE) need to be compiled in. I compiled them directly into the kernel, but they could be built as modules as well.

    Obviously, after re-compiling and installing your kernel (if needed), you should make sure that iptables is installed.

  2. A number of Perl modules need to be installed. Fortunately, most of these are in the Portage repository and can just be emerged:
    # emerge -av perl-Getopt-Long perl-libnet perl-Digest-SHA perl-digest-base perl-Digest-MD5 MIME-Base64 Net-DNS net-server
  3. There were two Perl libraries which were not in Portage that needed to be installed from source. The first was IPC::Shareable, which is located in CPAN here. Once downloaded, installation was easy:
    # tar zxvf IPC-Shareable-0.60.tar.gz
    # cd IPC-Shareable-0.60
    # perl Makefile.PL
    # make
    # make test
    # make install
  4. The next required Perl library, Perlipq, took a little longer. This is the library used to interface with the packet queueing on the system for redirection. Initially, it could not find the libipq.h file in the correct location, but a manual edit of the Makefile (shown below) fixed that. Perlipq is downloaded from here.
    # tar zxvf perlipq-1.25.tar.gz
    # cd perlipq-1.25
    # perl Makefile.PL
    At this point, Makefile.PL prompts you for the location of the iptables development components. Specifically, it's looking for libipq.h. It doesn't matter what we enter here, as the Makefile will not find it in the correct place anyway. Enter any text and let the script finish.

    Once the script is finished, edit the Makefile. On line 145 is the following include line:
    INC = -I
    This is the directory which will find libipq.h. Change it to the following:
    INC = -I/usr/include/libipq
    /usr/include/libipq is where libipq.h should be located. If you are unsure, run 'locate libipq.h' to see where it is. After saving the Makefile, installation can continue.
    # make
    # make install
  5. Optional: If you want to make sure you have all of the necessary Perl modules loaded, save the following as a Perl script and run it with perl:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Getopt::Long;
    use Net::Server;
    use Net::DNS;
    use IO::Socket;
    use IO::Select;
    use IPC::Shareable;
    use Digest::SHA1;
    print "All modules loaded\n";
    If there are no failures, you're good to go.

  6. At this point, all of the prerequisites should be installed and the InetSim installation can proceed. The latest version of InetSim at the time of this writing is 1.1 and is located here. Download it and untar it into a central location - I chose /usr/local.
    # tar zxvf inetsim-1.1.tar.gz
    # mv inetsim-1.1 inetsim
    # cd inetsim
    Note: I renamed the default directory for my own benefit; this is not necessary.

  7. InetSim runs its servers as the nobody user. That user should exist by default, but you had better make sure.

  8. A group named inetsim is also required by InetSim to run. This should be created as follows:
    # groupadd inetsim
  9. InetSim comes with a script which modifies permissions of all the files as needed.
    # sh
  10. If you plan on running InetSim from a script, chances are you will need to modify a small piece of the inetsim program. On line 12 of the inetsim script is the use lib Perl statement which tells the script where to find the InetSim modules. In its original form, it is a relative path to the lib directory. It should be changed to an absolute path similar to the following:
    use lib "/usr/local/inetsim/lib";
At this point, InetSim should be installed and ready to run. The default configuration file is located in conf/inetsim.conf and I highly recommend reading and modifying it to fit your environment. However, you should be able to use the default configuration file to test out your installation:
# /usr/local/inetsim/inetsim --session test
Messages from each server starting up will stream by. If you don't see any errors, you are good to go!
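To pull the prerequisite checks from the steps above into one place, here is a pre-flight script I'm adding as an example; it is not part of the original post or of InetSim itself. The option names, module list, account names and the libipq.h location come from the steps above; the function names and the command-line convention are my own. It expects an uncompressed kernel config as its argument (on Gentoo, zcat /proc/config.gz > /tmp/config first).

```shell
#!/bin/sh
# Added example (not from the original post or the InetSim project): a
# pre-flight check for the prerequisites listed in the installation steps.
# Function names and the argument convention are my own.

# Kernel options that must be built in (=y) or as modules (=m).
KERNEL_OPTS="CONFIG_NETFILTER_NETLINK_QUEUE CONFIG_IP_NF_QUEUE"

# Perl modules loaded by the step-5 check script.
PERL_MODS="Getopt::Long Net::Server Net::DNS IO::Socket IO::Select IPC::Shareable Digest::SHA1"

# kernel_opt_state CONFIG_FILE OPTION: prints y, m or missing.
kernel_opt_state() {
    state=$(grep -E "^$2=(y|m)\$" "$1" 2>/dev/null | head -n 1 | cut -d= -f2)
    echo "${state:-missing}"
}

# check_kernel_opts CONFIG_FILE: returns 0 only if every option is y or m.
check_kernel_opts() {
    rc=0
    for opt in $KERNEL_OPTS; do
        s=$(kernel_opt_state "$1" "$opt")
        echo "kernel  $opt: $s"
        [ "$s" != missing ] || rc=1
    done
    return $rc
}

# check_perl_mods: returns 0 only if perl can load every module.
check_perl_mods() {
    rc=0
    for mod in $PERL_MODS; do
        if perl -e "use $mod; 1" >/dev/null 2>&1; then
            echo "perl    $mod: ok"
        else
            echo "perl    $mod: MISSING"
            rc=1
        fi
    done
    return $rc
}

# check_user NAME / check_group NAME: 0 if the account exists.
check_user()  { getent passwd "$1" >/dev/null 2>&1; }
check_group() { getent group  "$1" >/dev/null 2>&1; }

# libipq_inc_flag DIR...: prints the INC value for perlipq's Makefile
# (e.g. -I/usr/include/libipq) for the first DIR that contains libipq.h.
libipq_inc_flag() {
    for d in "$@"; do
        if [ -f "$d/libipq.h" ]; then
            echo "-I$d"
            return 0
        fi
    done
    return 1
}

# Run all checks when invoked as: sh preflight.sh /path/to/kernel/config
if [ "$#" -gt 0 ]; then
    fail=0
    check_kernel_opts "$1" || fail=1
    check_perl_mods        || fail=1
    if check_user nobody;   then echo "user    nobody: ok";  else echo "user    nobody: MISSING";  fail=1; fi
    if check_group inetsim; then echo "group   inetsim: ok"; else echo "group   inetsim: MISSING"; fail=1; fi
    if inc=$(libipq_inc_flag /usr/include/libipq /usr/include /usr/local/include); then
        echo "perlipq Makefile INC = $inc"
    else
        echo "libipq.h not found; try: locate libipq.h"
        fail=1
    fi
    exit $fail
fi
```

A non-zero exit means at least one prerequisite is missing, so the script can gate an automated build of an analysis box before the InetSim tarball is even unpacked.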

* My new project - thanks ax0n!:


d1ss said...

Tyler - Sadly, I have just come across your posts on automated analysis and your use of INetSim. In your trials, did you test the use of Honeytrap? If so, what were your thoughts? If not, what steered you to INetSim, which appears to be less maintained?

Thanks - Ryan

Tyler said...

The reason I used InetSim was because, at that time, it was the only software suite of its type I knew of other than Truman.

I just downloaded Honeytrap and will be checking it out. It looks very promising. I have to admit I like InetSim, but I am disappointed at the lack of updates it has.