4A616D6573

Configuring Simple Victim and Sniffer Virtual Machines Using VMware's Workstation Pro

2017-09-17T00:00:00+00:00

Introduction

This post will show you how to create a victim and sniffer virtual machine pair which you can use to analyse malware or general application network traffic. This post was mainly inspired by Malware Unicorn’s Reverse Engineering 101 which provides one of the best introductions to malware reverse engineering.

I did have a few issues importing and configuring the Virtual Box images into VMware’s Workstation Pro, so I deployed the configuration from scratch using Workstation Pro as the base. I also had trouble finding a central guide on how to configure INetSim and Wireshark, so I figured I’d make a post not only as a reference for myself but to aid others in configuring this setup.

Required Components

Below are the recommended components:

VMware Workstation Pro
Ubuntu 16.4 Virtual Machine
Windows 7 Virtual Machine (Windows XP or Windows 10 can also be used)
INetSim
Wireshark

Virtual Machine Setup

Firstly deploy your virtual machines and name appropriately, I currently use Workstations Snapshots to preserve various virtual machine configurations, this saves me from having multiple deployments of the same OS and also reduces disk space. Make sure you at least have a “Vanilla” snapshot before beginning incase anything goes wrong. I recommend that both virtual machines have at least 2GB of RAM and 2 Processors, this can be changed under Edit virtual machine settings by changing Memory and Processors.

Virtual Network Configuration

Next you will need to configure a network for your victim and sniffer to run in.

Open the Virtual Network Editor in VMware Workstation by selecting Edit and Virtual Network Editor.
Select Change Settings and enter your credentials if required.
Select Add Network.
Choose a network to add, I usually select the last available network VMnet19.
Once the network has been configured confirm that the network is using Host-only.

You can change the subnet to suit your needs but for this post I will leave it as the ‘default’ configuration which is 192.168.150.0.

Note: Do not assign this network to your victim and sniffer machines until you have configured INetSim and Wireshark.

Ubuntu Configuration

Once you have a “Vanilla” snapshot you can launch Ubuntu, this will be used as the Sniffer and will require INetSim and Wireshark to be installed.

INetSim

INetSim is a tool that simulates common internet services in a lab environment and is mainly used to analyse network behavior, this provides additional benefits such as allowing execution in an isolated environment while allowing malware samples to make “real” communications to the internet that can lead to retrieval of important indicators.

Setting up INetSim isn’t too difficult but some of the information to set it up correctly is spread out over multiple sites.

Launch Terminal.
Enter sudo -i and type in your virtual machines password to launch as root and make this process a little quicker.
Enter echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list to add the Debian Archive repository for INetSim to your sources list.
Enter wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add - to add the Signing Key to your trusted keys.
Enter apt update to issue an update to your cache of available packages.
Enter apt install inetsim -y to install INetSim.

Once this is done you have installed INetSim, however you will need to do some more configuration to get it operational.

Enter nano /etc/default/inetsim and set ENABLED from 0 to 1, use Ctrl + x to exit and type y or yes to save your changes. This will set INetSim to launch on boot.
Enter nano /etc/inetsim/inetsim.conf to open the configuration file.
Set service_bind_address to XXX.XXX.XXX.1 of your subnet, in this case 192.168.150.1 and delete the #, this will act as the internet gateway for your victim virtual machine.
Set dns_default_ip to the same address as your gateway, remember to delete the # and save the configuration.
Start INetSim by entering service inetsim start.
Check that INetSim is running service inetsim status.
Ensure the correct services are running by entering ps -ef | grep inetsim. You should see a list of services such as inetsim 4404 4394 0 17:59 ? 00:00:00 inetsim_ftp_21_tcp.

You have now setup INetSim.

Wireshark

Wireshark is an amazing tool for capturing network traffic that can then be analysed to determine where malware is communicating, it can also be used to troubleshoot a broad variety of network issues.

Yet again Wireshark is “easy” to install but the instructions are outlined here for the sake of completion.

Launch Terminal.
Enter sudo -i and type in your virtual machines password.
Enter sudo add-apt-repository ppa:wireshark-dev/stable -y to add the repository.
Enter sudo apt-get update to update your available packages.
Enter sudo apt-get install wireshark -y to install Wireshark.
When prompted with the configuring wireshark-common window select Yes, this will allow non-super users to capture packets.
Exit the root account by entering exit, this is so you assigned the correct user to the wireshark group.
Enter sudo adduser $USER wireshark, this will add the terminal user to the wireshark group.
Test that you can launch Wireshark by entering sudo wireshark, you will see an error message relating to running the application as a super-user but this shouldn’t effect functionality.

Final Configurations

Once you have configured your virtual machines, custom network, installed and configured INetSim and Wireshark you will need to complete a few final steps.

Virtual Machine Virtual Network

Set your victim and sniffer to the network you configured. This can be done by performing the following on each virtual machine.

Select VM.
Select Settings.
Select Network Adapter
Check Custom: Specific virtual network under Network connection and choose your network, in this case it’s VMnet19.

Set Ubuntu Static IP Address

Since your Ubuntu machine is acting as your internet gateway you’ll want to give it a static IP.

Launch Network.
Select Options for the Wired connection.
Select IPv4 Settings.
Under Method select Manual.
Select Add and enter your address from before in this case 192.168.150.1, use Tab to switch to the Netmask, leave this as default Tab again to switch to Gateway then entre the same number as before.
Select Save.

Disable and re-enable the network interface to update to your changes, confirm you address is correct by using ifconfig and checking the IP under ens33.

Set Windows Domain Name System

Once you have configured your Ubuntu machine to have a static IP you need to configure your Windows machines DNS so it knows to use the Ubuntu machine as it’s reference to the ‘internet’.

Open the Start Menu and select Control Panel.
Select Network and Internet.
Select Network and Sharing Center.
Select Change adapter settings.
Right click Local Area Connection and select Properties.
Select Internet Protocol Version 4 (TCP/IPv4) and select Properties.
Check Use the following DNS Server Addresses and enter the static IP of your Ubuntu machine in Preferred DNS server in this case 192.168.150.1.
Select OK

Alternatively this can also be achieved by entering the following in an elevated Command Prompt netsh interface ip add dns name="Local Area Connection" addr=192.168.150.1 index=1.

Once this is done you can move onto testing.

Testing

Finally to test this setup.

Launch both virtual machines, usually I launch the Ubuntu machine first and allow it to load before launching the victim.
Once Ubuntu has loaded check that INetSim is running correctly with ps -ef | grep inetsim.
Launch Wireshark.
Select the interface ens33 and start capturing by selecting Capture, Start.
In the Windows 7 machine ping the Ubuntu machine, if everything is configured correctly you should see ‘ICMP’ packets in the Wireshark capture trail.
Open Internet Explorer and browse to www.google.com, the page should load and return the following in HTML ‘This is the default HTML page for INetSim HTTP server fake mode.’
Confirm you can download fake files, enter a URL with an .exe included such as www.evil.com/malware.exe. You should be promoted with a download window, select Save and confirm that malware.exe is download.
Confirm you can open the downloaded executable, you should see the message prompt This is the INetSim default binary.

You now have a fully functioning basic sniffer setup, just remember to snapshot your finished configurations so you can restore them after use.

Closing

You’re now free to detonate malware samples with relative safety while having the added benefit of simulating internet connectivity. I’m thinking the next post will be about what to deploy to a victim or malware analysis machine as well as what you should run and capture while analysing samples.

I hope you found this post informative. If you have any questions, noticed inaccurate information or spelling mistakes in this post you can contact me via the About section.

Tips

If you’re using this setup from multiple machines, you will need to configure the same VMware Workstation network settings for each machines instance of VMware Workstation.
If you receive the message “Could not get lock /var/lib/dpkg/lock” or “E: Could not get lock /var/cache/apt/archives/lock” while trying to install an application you can clear it but deleting the “lock” folder using the following: rm /var/lib/dpkg/lock -r or rm /var/cache/apt/archives/lock -r.
If you want to remove the super-user warning message when opening Wireshark, you can do so by editing Wireshark’s init.lua file by entering sudo nano /usr/share/wireshark/init.lua and setting disable_lua from false to true.

References

Track Log Sources Using Windows Events

2017-06-08T00:00:00+00:00

Introduction

This post will show you how to alert or report on the creation and deletion of computer accounts within an environment by utilising Windows Events.

Use Case

While most System Information and Event Management (SIEM) software today offers automatic detection and integration of log sources, it can be useful to have a secondary process in place to keep it in check or just have an analysts eyes cover the events to gain a better understanding of what exists within the environment.

Alternatively you may have processes in place to notify you when new endpoints and servers are added or removed in a network but again having a secondary process in place might be useful.

The proverb “Trust, but verify” defines this process nicely.

Required Components

Below are the recommended components to integrate this use case:

Domain Controller(s) (Configured with Active Directory Users and Computers)
Windows Security Event 4741 (A computer account was created)
Windows Security Event 4743 (A computer account was deleted)

If you have devices that are pre Windows 2003 use the following Windows Events:

Setup

Setup is really quite easy, using your tool of choice create a query or alert that will detect the above security events.

This can easily be done by monitoring for the Windows Event IDs 4741 or 4743 and summarising by the Account Name field under New Computer Account or Target Computer sections.

You can then output that query to an alert or report.

Here are some basic Splunk searches:

source="WinEventLog:Security" "EventCode=4741" | eval Account_Name=mvindex(Account_Name, -1) | top Account_Name

source="WinEventLog:Security" "EventCode=4743" | eval Account_Name=mvindex(Account_Name, -1) | top Account_Name

Note: The section eval Account_Name=mvindex(Account_Name, -1) is used to ignore the first extracted value under Account_Name because it will always be the creator of the computer account.

I have two reports setup to run weekly to provide a summary of all computers accounts created and all computers accounts deleted in an environment from the previous week.

Considerations

These events can occur multiple times per creation or removal so either use the report to provide you a summary or apply a threshold to your alert if possible.

You may only need to track log sources of a certain type i.e. Windows Server, so attempt to filter out all unwanted results.

Closing

Knowing what is in your environment is extremely important, hopefully this post can help you achieve better visibility in your network or at least provide you with a secondary process for comparison purposes.

I hope you found this post informative. If you have any questions you can contact me via the About section.

Building A Portable Lab

2017-04-01T00:00:00+00:00

Introduction

This post will show you how to setup a portable lab that can house all your day to day security tools.

For quite a while I maintained two labs, one for work and one for home. Both had sets of tools that would expand apart from one another and after a while it became too cumbersome.

I had the bright spark idea loading a Windows XP virtual machine onto a USB drive and attempting to run it. It works but as soon as you do anything that required the transfer for data. The virtual machine ground to halt, as expected.

I wondered if results would be better with a Solid State Drive (SSD) and E-Sata or USB 3.0.

A co-worker finally pulled the trigger on the idea and turns out it works well so I decided to build my own.

Required Components

Here are the recommended parts for a basic portable lab.

Solid State Drive
Sata to USB 3.0 Adapter/E-Sata
Protect Drive Case

For my build I used the following components, these cost a total of $156 AUD.

Samsung 850 Evo 250GB = $120
StarTech USB 3.0 to 2.5” SATA HDD Adapter Cable = $26
J. Burrows Portable Hard Drive Case Black = $10

I would recommend getting a 500GB+ capacity hard drive. At the time of writing this I have only 83GB free.

Setup

Once you’ve pulled apart all the packaging and assembled the portable lab you can get down to the fun stuff.

Encryption

Having a lab that is portable increase it’s risk profile, it’s much more prone to loss or theft. So you should consider deploying the same protections to it as you would a workstation.

Generally I would tell you not to keep anything confidential on a portable lab. My lab only has free tools, virtual machines and a few malware samples. So I could go without encryption but that would be against best practice.

VeryCrypt

The tool I decided to use was VeraCrypt. I attempted to use BitLocker-To-Go but it turned out to have incompatibility issues.

VeraCrypt offers a Portable Mode. This allows you to run the executable without installation.

Partitioning

To keep things simple I decided to create two partitions on the SSD.

Public NTFS Volume (1GB)
Private NTFS VeraCrypt volume (231GB)

This allows you to house the portable tools needed to mount the drive. You don’t have to worry about having them available on any machines you decide to use the lab on.

Partitioning can all done via Disk Management.

Encrypting

Once partitioned you can move to encrypting your drive. I installed VeraCrypt using the ‘Extract’ method as I won’t be needing it on my workstations.

Follow the below steps to encrypt your partition.

Select Create Volume.
Select Encrypt a non-system partition/drive.
Leave radio button checked on Standard VeryCrypt Volume.
Select Device and select your partition.
Leave radio button checked on Create encrypted volume and format it.
Leave AES selected under Encryption Algorithm, under Hash Algorithm select SHA-256.
Confirm your volume size.
Input your password, be sure to store it somewhere safe.
Optional, select Use keyfiles and select a keyfile on your choosing.
Under Options change Filesystem to NTFS.
Generate a random pool by moving your mouse and select Format.

Encrypting can take quite a while, around 1-4 hours depending on your system.

Traveler Disk Setup

Once your volume is encrypted you can deploy VeraCrypt’s Traveler Disk to your public NTFS partition with the following instructions.

Select Tools and then Traveler Disk Setup.
Select Browse and select your partition.
Optional, adjust AutoRun Configuration settings to your requirements.
Select Create.

This will deploy a lighter version of VeraCrypt to your public volume.

Mounting

Once encrypted and your portable files loaded. You can mount the partition with the following instructions.

Plug in your portable drive.
Execute VeraCrypt.exe.
Select which drive letter you want to mount your lab on.
Under Volume select Select Device and select your encrypted partition.
Select Mount.
Enter your password.
Optional, select Mount Options and adjust settings to your requirements.
Select OK.

Wait for your volume to mount, this can take a few minutes.

Closing

Congratulations! You’ve now got a portable lab, you can now begin moving over all your tools.

I’ve found a portable lab to be an indispensable tool for my day to day work. Being able to have a ever changing tool set on hands at all times is a real game changer. Best of all your spend more time doing the interesting stuff and less on maintenance.

I hope you found this post informative. If you have any questions you can contact me via the About section.

Tips

Here are some general tips I’ve come across after using a portable lab.

If you have issues mounting the drive. Check Mount volume and removal able medium under Mount Options.
Always be sure to use VeraCrypt to dismount your drives when finished.
You might use tools that get flagged as malicious. Putting them in a password protected zip file fixes this issue.

Why?

2017-03-18T00:00:00+00:00

Why? What is this for?

To quote Cave Johnson from Valves Portal 2.

“Science isn’t about why, it’s about why not!”

I spend a good part of my work day reading other peoples security blogs. I gain a huge amount of knowledge through doing so. I figure why can’t I can contribute and help others learn as well?

Every once in a while I could come up with something decent.

I gained inspiration from www.malware-traffic-analysis.net by “Brad Duncan”.

Malware Traffic Analysis provides great write ups on malware campaigns. This site helped me understand EI Test and Rig-EK which was very useful at the time I came across it.

Since that day I have had Malware Traffic Analysis as part of my daily news digest. It continues to provide great information on current trends.

My goal for this site is the attempt Malware Traffic Analysis investigations. I will also throw up some other posts when I come across anything interesting.

I aim to publish at least one post a ~~week~~ fortnight but that might vary depending on how busy I am :).

You can find out more about me and what is used to build this site in the About section.