Configuring Simple Victim and Sniffer Virtual Machines Using VMware's Workstation Pro
Introduction
This post will show you how to create a victim and sniffer virtual machine pair which you can use to analyse malware or general application network traffic. This post was mainly inspired by Malware Unicorn’s Reverse Engineering 101 which provides one of the best introductions to malware reverse engineering.
I did have a few issues importing and configuring the VirtualBox images into VMware's Workstation Pro, so I deployed the configuration from scratch using Workstation Pro as the base. I also had trouble finding a central guide on how to configure INetSim and Wireshark, so I figured I'd make a post not only as a reference for myself but to aid others in configuring this setup.
Required Components
Below are the recommended components:
- VMware Workstation Pro
- Ubuntu 16.04 Virtual Machine
- Windows 7 Virtual Machine (Windows XP or Windows 10 can also be used)
- INetSim
- Wireshark
Virtual Machine Setup
First deploy your virtual machines and name them appropriately. I currently use Workstation snapshots to preserve various virtual machine configurations; this saves me from having multiple deployments of the same OS and also reduces disk usage. Make sure you have at least a "Vanilla" snapshot before beginning, in case anything goes wrong. I recommend that both virtual machines have at least 2GB of RAM and 2 processors; this can be changed under Edit virtual machine settings by changing `Memory` and `Processors`.
Virtual Network Configuration
Next you will need to configure a network for your victim and sniffer to run in.
- Open the Virtual Network Editor in VMware Workstation by selecting `Edit` and then `Virtual Network Editor`.
- Select `Change Settings` and enter your credentials if required.
- Select `Add Network`.
- Choose a network to add; I usually select the last available network, `VMnet19`.
- Once the network has been added, confirm that it is set to `Host-only`.

You can change the subnet to suit your needs, but for this post I will leave it as the default, which in my case is 192.168.150.0/24.

Two checkboxes in the same dialog are worth a look before you close it. Leave `Use local DHCP service to distribute IP address to VMs` enabled unless you intend to give the Windows victim a static address, because INetSim does not hand out leases and nothing later in this post assigns the victim an address by hand. Uncheck `Connect a host virtual adapter to this network`: the host adapter takes the .1 address of the subnet by default, which is the address the sniffer is given below, and a machine you are about to detonate malware on should have no path to the host at all.
Note: Do not assign this network to your victim and sniffer machines until you have configured INetSim and Wireshark.
Ubuntu Configuration
Once you have a “Vanilla” snapshot you can launch Ubuntu, this will be used as the Sniffer and will require INetSim and Wireshark to be installed.
INetSim
INetSim is a tool that simulates common internet services (DNS, HTTP, HTTPS, FTP, SMTP, POP3, IRC, NTP and others) in a lab environment and is mainly used to analyse network behaviour. The victim stays fully isolated, yet a malware sample still sees its DNS queries answered and its connections accepted, so it proceeds far enough to reveal the hostnames, URLs, user agents and protocol details that make useful indicators. Nothing actually reaches the real internet.
Setting up INetSim isn't too difficult, but the information needed to set it up correctly is spread out over multiple sites.
- Launch `Terminal`.
- Enter `sudo -i` and type your virtual machine's password to get a root shell; this saves prefixing every command below with sudo.
- Enter `echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list` to add the INetSim Debian archive to your sources list.
- Enter `wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -` to add the archive signing key to your trusted keys. Both the key and the package index travel over plain HTTP, so compare the fingerprint shown by `apt-key list` with the one published on inetsim.org before installing anything signed with it.
- Enter `apt update` to refresh your cache of available packages.
- Enter `apt install inetsim -y` to install INetSim.
Once this is done you have installed INetSim, however you will need to do some more configuration to get it operational.
- Enter `nano /etc/default/inetsim` and set `ENABLED` from `0` to `1`; use `Ctrl`+`X` to exit and type `y` to save your changes. This makes INetSim start on boot.
- Enter `nano /etc/inetsim/inetsim.conf` to open the configuration file.
- Set `service_bind_address` to the `.1` address of your subnet, in this case `192.168.150.1`, and remove the leading `#` so the line is active. This is the address the sniffer will be given below, and the address every fake service listens on.
- Set `dns_default_ip` to the same address, again removing the `#`, and save the configuration. INetSim's DNS server answers every query with this address, so every hostname the victim resolves points back at the sniffer and its HTTP, HTTPS, FTP, SMTP and other traffic lands on INetSim's fake services. The sniffer is not a router; nothing is forwarded out of the host-only network.
- Start INetSim by entering `service inetsim start`.
- Check that INetSim is running with `service inetsim status`.
- Ensure the correct services are running by entering `ps -ef | grep inetsim`. You should see one worker process per service, such as `inetsim 4404 4394 0 17:59 ? 00:00:00 inetsim_ftp_21_tcp`.
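The same three edits, scripted so they can be applied repeatably (for instance after restoring the "Vanilla" snapshot) and checked afterwards. This is an added example, not code from the original post or from the INetSim project. It assumes the stock Debian package paths `/etc/inetsim/inetsim.conf` and `/etc/default/inetsim`, that the options appear in the file as a single commented-out `#option value` line as they do in the shipped config, and that 192.168.150.1 is the address you chose above; all three can be passed as arguments, so try it on copies of the files first.

```shell
#!/bin/sh
# Added example (not part of the original post): applies the inetsim.conf and
# /etc/default/inetsim changes described above without an editor, then
# verifies that the active lines read as expected.
#
# Usage: sudo sh inetsim-configure.sh <bind-ip> [inetsim.conf] [default-file]
#   e.g. sudo sh inetsim-configure.sh 192.168.150.1

# Set OPTION to VALUE in FILE: rewrite the commented or active "option value"
# line (appending one if none exists), so the script is safe to re-run.
set_inetsim_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    pattern="^#*[[:space:]]*${key}[[:space:]][[:space:]]*[^[:space:]]"
    if grep -q "$pattern" "$file"; then
        sed "s|${pattern}.*|${key}   ${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s   %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Set ENABLED=1 in /etc/default/inetsim so the service starts at boot.
enable_inetsim_on_boot() {
    file=$1
    tmp=$(mktemp) || return 1
    if grep -q '^ENABLED=' "$file"; then
        sed 's/^ENABLED=.*/ENABLED=1/' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        echo 'ENABLED=1' >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Return 0 only if FILE contains an active (uncommented) "OPTION VALUE" line.
inetsim_option_is() {
    grep -q "^${2}[[:space:]][[:space:]]*${3}[[:space:]]*$" "$1"
}

# Apply all three changes and verify them; returns non-zero on any failure.
configure_inetsim() {
    ip=$1
    conf=${2:-/etc/inetsim/inetsim.conf}
    defaults=${3:-/etc/default/inetsim}
    set_inetsim_option "$conf" service_bind_address "$ip" || return 1
    set_inetsim_option "$conf" dns_default_ip "$ip" || return 1
    enable_inetsim_on_boot "$defaults" || return 1
    inetsim_option_is "$conf" service_bind_address "$ip" &&
        inetsim_option_is "$conf" dns_default_ip "$ip" &&
        grep -q '^ENABLED=1$' "$defaults"
}

# Only act when an address is given, so sourcing the file is harmless.
if [ $# -ge 1 ]; then
    configure_inetsim "$@" &&
        echo "INetSim configured; apply with: service inetsim restart"
fi
```

The verification step matters more than it looks: a line edited by hand that still carries its `#`, or a second active `service_bind_address` line left over from an earlier attempt, leaves INetSim listening on 127.0.0.1 where the victim can never reach it.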
You have now setup INetSim.
Wireshark
Wireshark is an excellent tool for capturing network traffic that can then be analysed to determine where malware is communicating; it can also be used to troubleshoot a broad variety of network issues.
Wireshark is "easy" to install, but the instructions are outlined here for completeness.
- Launch `Terminal`.
- Enter `sudo -i` and type your virtual machine's password.
- Enter `add-apt-repository ppa:wireshark-dev/stable -y` to add the repository.
- Enter `apt-get update` to update your available packages.
- Enter `apt-get install wireshark -y` to install Wireshark.
- When prompted with the `Configuring wireshark-common` window select `Yes`; this allows members of the `wireshark` group to capture packets without being root.
- Exit the root account by entering `exit`, so that the next command adds your normal user, not root, to the group.
- Enter `sudo adduser $USER wireshark` to add your user to the `wireshark` group.
- Log out and back in (or open a shell with `newgrp wireshark`) so the new group membership takes effect, then launch Wireshark as your normal user by entering `wireshark`. This is the whole point of the group: `dumpcap` captures with the one capability it needs, while the dissectors, which will be parsing hostile traffic from a malware sample, run unprivileged. If you run `sudo wireshark` instead you will see a warning about running as super-user; it works, but you give up that separation.
Final Configurations
Once you have configured your virtual machines, custom network, installed and configured INetSim and Wireshark you will need to complete a few final steps.
Virtual Machine Virtual Network
Set your victim and sniffer to the network you configured. This can be done by performing the following on each virtual machine.
- Select `VM`.
- Select `Settings`.
- Select `Network Adapter`.
- Check `Custom: Specific virtual network` under `Network connection` and choose your network, in this case `VMnet19`.
Set Ubuntu Static IP Address
Since every hostname on the victim will resolve to your Ubuntu machine, it needs a fixed address that matches `service_bind_address` and `dns_default_ip` in inetsim.conf.
- Launch `Network`.
- Select `Options` for the `Wired` connection.
- Select `IPv4 Settings`.
- Under `Method` select `Manual`.
- Select `Add` and enter the address from before, in this case `192.168.150.1`; use `Tab` to move to `Netmask` and leave it at the default, then `Tab` again to move to `Gateway` and enter the same address. (The gateway can equally be left empty: a host-only network has no route out, and the sniffer does not need one.)
- Select `Save`.

Disable and re-enable the network interface to apply your changes, then confirm the address is correct with `ifconfig` and check the IP under `ens33`.
Set Windows Domain Name System
Once your Ubuntu machine has its static IP, configure the Windows machine's DNS so that it uses the Ubuntu machine as its reference to the 'internet'. The victim gets its own address from the VMware DHCP service on the host-only network (left enabled in the Virtual Network Editor above); only the DNS server needs setting by hand, and it must point at INetSim, because INetSim's DNS answers are what redirect every hostname to the sniffer.
- Open the `Start Menu` and select `Control Panel`.
- Select `Network and Internet`.
- Select `Network and Sharing Center`.
- Select `Change adapter settings`.
- Right-click `Local Area Connection` and select `Properties`.
- Select `Internet Protocol Version 4 (TCP/IPv4)` and select `Properties`.
- Check `Use the following DNS server addresses` and enter the static IP of your Ubuntu machine in `Preferred DNS server`, in this case `192.168.150.1`.
- Select `OK`.

Alternatively, this can be achieved by entering the following in an elevated Command Prompt: `netsh interface ip add dns name="Local Area Connection" addr=192.168.150.1 index=1`.
Once this is done you can move onto testing.
Testing
Finally, to test this setup:
- Launch both virtual machines; I usually launch the Ubuntu machine first and let it finish booting before launching the victim.
- Once Ubuntu has loaded, check that INetSim is running correctly with `ps -ef | grep inetsim`.
- Launch `Wireshark`.
- Select the interface `ens33` and start capturing by selecting `Capture`, `Start`.
- In the Windows 7 machine ping the Ubuntu machine; if everything is configured correctly you should see ICMP packets in the Wireshark capture.
- Open Internet Explorer and browse to `www.google.com`; the page should load and show 'This is the default HTML page for INetSim HTTP server fake mode.' If it does not, look in the capture for the victim's DNS query: it should go to 192.168.150.1 and be answered with that same address. A query sent to any other resolver means the Windows DNS setting did not take.
- Confirm you can download fake files by entering a URL that ends in .exe, such as `www.evil.com/malware.exe`. You should be prompted with a download window; select `Save` and confirm that malware.exe is downloaded.
- Confirm you can open the downloaded executable; you should see the message `This is the INetSim default binary`.
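The "is everything running" half of that test, scripted so it can be run on the sniffer each time the snapshot is restored. This is an added example, not code from the original post or from INetSim. It parses `ps` output for INetSim's per-service worker processes, which the post shows are named `inetsim_<service>_<port>_<proto>`, checks that the services the victim depends on (DNS, HTTP, HTTPS) are present, and optionally queries the live sniffer with `dig` (from the dnsutils package) and `curl`. The `ps` listing embedded in the script is constructed for the offline check; the required service list, the exact name of the DNS worker, and the example hostnames are my assumptions, so adjust them against your own `ps -ef | grep inetsim` output.

```shell
#!/bin/sh
# Added example (not part of the original post): scripted version of the
# INetSim checks in the Testing section.
#
# Usage: sh inetsim-check.sh            # check the constructed sample below
#        sh inetsim-check.sh 192.168.150.1   # check the running sniffer

# Service prefixes the rest of the post relies on (assumption): DNS so every
# hostname redirects to the sniffer, HTTP/HTTPS for the browser and fake-file
# tests. Matched as prefixes so "dns_53_udp" and "dns_53_tcp_udp" both count.
REQUIRED="dns_53 http_80 https_443"

# Constructed ps output, modelled on the line shown in the post. Not real data.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
inetsim   4394     1  0 17:59 ?        00:00:00 inetsim_main
inetsim   4401  4394  0 17:59 ?        00:00:00 inetsim_dns_53_tcp_udp
inetsim   4402  4394  0 17:59 ?        00:00:00 inetsim_http_80_tcp
inetsim   4403  4394  0 17:59 ?        00:00:00 inetsim_https_443_tcp
inetsim   4404  4394  0 17:59 ?        00:00:00 inetsim_ftp_21_tcp
user      5100  5000  0 18:01 pts/0    00:00:00 grep inetsim'

# Read ps output on stdin and print each INetSim worker's service name
# ("ftp_21_tcp"), one per line. inetsim_main and the grep line are skipped
# because they do not match the <service>_<port>_<proto> shape.
inetsim_services() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^inetsim_[a-z0-9]+_[0-9]+_(tcp|udp|tcp_udp)$/)
                   print substr($i, 9) }' | sort -u
}

# Read ps output on stdin; return 0 if every REQUIRED prefix has a worker,
# otherwise list the missing ones on stderr and return 1.
check_inetsim_services() {
    found=$(inetsim_services)
    missing=""
    for want in $REQUIRED; do
        case "$found" in
            *"${want}_"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing INetSim services:$missing" >&2
        return 1
    fi
    return 0
}

# Run the process check against the constructed sample (used when no
# address is given, and by the tests).
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | check_inetsim_services
}

# Live check against a running sniffer at $1: arbitrary names must resolve
# to the bind address, and HTTP must answer with INetSim's fake-mode page
# (the text the post says the browser test should show). Needs dig and curl.
live_check() {
    ip=$1
    for host in www.google.com c2.example.net; do
        got=$(dig +short "@$ip" "$host" A | head -n 1)
        [ "$got" = "$ip" ] ||
            { echo "DNS: $host -> '$got', expected $ip" >&2; return 1; }
    done
    curl -s -m 5 -H 'Host: www.google.com' "http://$ip/" |
        grep -q 'INetSim HTTP server fake mode' ||
        { echo "HTTP: fake-mode page not returned by $ip" >&2; return 1; }
    echo "INetSim on $ip answers DNS and HTTP as expected"
}

if [ $# -ge 1 ]; then
    ps -eo args | check_inetsim_services && live_check "$1"
fi
```

Run this from the sniffer itself: the DNS and HTTP probes are the same two things the victim's browser does, so a pass here followed by a failure in Internet Explorer narrows the problem to the Windows side (usually the DNS setting or the VMnet assignment) rather than to INetSim.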
You now have a fully functioning basic sniffer setup, just remember to snapshot your finished configurations so you can restore them after use.
Closing
You’re now free to detonate malware samples with relative safety while having the added benefit of simulating internet connectivity. I’m thinking the next post will be about what to deploy to a victim or malware analysis machine as well as what you should run and capture while analysing samples.
I hope you found this post informative. If you have any questions, noticed inaccurate information or spelling mistakes in this post you can contact me via the About section.
Tips
- If you're using this setup on multiple machines, you will need to configure the same VMware Workstation network settings in each machine's instance of VMware Workstation.
- If you receive the message "Could not get lock /var/lib/dpkg/lock" or "E: Could not get lock /var/cache/apt/archives/lock" while installing an application, first check that no other apt or dpkg process is still running with `ps -ef | grep -E 'apt|dpkg'`; on a fresh Ubuntu install unattended-upgrades is usually the culprit and will release the lock when it finishes. Only if nothing is running should you remove the stale lock file with `rm /var/lib/dpkg/lock` or `rm /var/cache/apt/archives/lock` (it is a file, not a folder, so no `-r` is needed). Deleting the lock while another package operation is in progress can corrupt the dpkg database.
- If you want to remove the super-user warning when opening Wireshark as root, edit Wireshark's init.lua by entering `sudo nano /usr/share/wireshark/init.lua` and setting `disable_lua` from `false` to `true`. This also disables Lua dissectors and plugins, so running Wireshark as your normal user, as described above, is the better fix.
References
- https://securedorg.github.io/RE101/
- https://www.vmware.com/au/products/workstation.html
- http://www.inetsim.org/packages.html
- https://www.wireshark.org/
- https://www.vmware.com/support/ws4/doc/preserve_snapshot_ws.html
- https://techanarchy.net/2013/08/installing-and-configuring-inetsim/
- https://askubuntu.com/questions/700712/how-to-install-wireshark
- https://askubuntu.com/questions/454734/running-wireshark-lua-error-during-loading
- https://superuser.com/questions/204046/how-can-i-set-my-dns-settings-using-the-command-prompt-or-ps