Setting up a Simple Network Simulation Machine

Sometimes when you're reverse engineering malware you need to analyze its network traffic. You could connect the analysis machine to the internet and capture with a tap or a SPAN/mirror port, but that potentially exposes your analysis machine (and your source address) to the malware operators. There are a few good options for network simulation, including INetSim and FakeNet-NG. Both are great tools, but you don't always need a full-blown solution for every situation, and sometimes you can't install them on the host you have.

You can set up a simple network simulation on a Linux host with just a few built-in commands. First, set the default gateway on your analysis machine to the IP address of the Linux host you'll be using (pointing its DNS server at the same address is the simplest choice, since name lookups then land on the Linux host too). With the gateway set this way, the analysis machine sends all of its off-subnet traffic to the Linux host. That traffic needs to be intercepted so we can capture it and, if needed, interact with it. iptables can redirect all of it to a single local port for collection:

iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 4444
iptables -t nat -A PREROUTING -p udp --dport 1:65535 -j REDIRECT --to-ports 4444

The above assumes you have console access to the Linux host. If you are connected via SSH, the rules as written would also redirect your SSH session, so leave the last port off the --dport range (use 1:65534) and bind sshd to the excluded port, 65535. Note that these rules only catch TCP and UDP; ICMP from the sample, such as a ping, is not redirected, though it will still show up in the packet capture.

Next, start a packet capture so you have the traffic to review later:

tcpdump -s 0 -i eth0 -w /tmp/dump.pcap -C 1000 -W 10 &

If you are connected via SSH, exclude your own session by appending not port 65535 to the end of the command (after -W 10, before the &). Because tcpdump captures at the interface, before the nat table rewrites inbound packets, the pcap shows the ports the sample actually tried to reach rather than 4444.

The last step is to use ncat to accept any connection arriving on the collection port that the iptables rules redirect to. As written it listens on TCP only; UDP traffic (DNS lookups in particular) redirected to 4444/udp needs a second ncat instance started with -u. Also, ncat's session log does not record which port the sample originally dialed, so correlate with the pcap:

ncat -klvp 4444 -o /tmp/ncat.log
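As an added example (not part of the original post), here is a small Python replacement for the ncat listener that handles both TCP and UDP on the sink port and, for TCP, recovers the destination the sample actually dialed using the Linux-specific SO_ORIGINAL_DST socket option, which the REDIRECT target otherwise hides from whatever is listening on 4444. It assumes the two iptables rules above are in place, that it runs as root on the Linux host, and that /tmp/sink.log is an acceptable log path; the log path, the sink port constant and the canned HTTP 200 reply are choices made for this example.

```python
#!/usr/bin/env python3
# Added example, not from the original post: a TCP+UDP sink for the
# iptables REDIRECT port that also logs the original destination of
# each TCP connection. Run as root on the Linux host after the two
# REDIRECT rules are in place.
import socket
import struct
import threading
import time

SINK_PORT = 4444            # must match --to-ports in the REDIRECT rules
LOG_PATH = "/tmp/sink.log"  # path chosen for this example
SO_ORIGINAL_DST = 80        # from <linux/netfilter_ipv4.h>; Linux-only
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST to (ip, port).

    Layout: sin_family (2 bytes, host order), sin_port (2 bytes, network
    order), sin_addr (4 bytes), 8 bytes of padding. The family is ignored.
    """
    port = struct.unpack("!H", raw[2:4])[0]
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def fake_reply(data):
    """Return a minimal canned reply for HTTP requests, nothing otherwise.

    An empty 200 keeps most HTTP beacons talking; anything else (a TLS
    ClientHello, a custom binary protocol) is just logged.
    """
    if data.startswith(HTTP_METHODS):
        return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 0\r\nConnection: close\r\n\r\n")
    return b""


def format_event(proto, peer, orig_dst, data, ts=None):
    """One log line: time, protocol, source, original destination, payload head."""
    if ts is None:
        ts = time.strftime("%Y-%m-%dT%H:%M:%S")
    return "%s %s %s:%d -> %s:%d %dB %r\n" % (
        ts, proto, peer[0], peer[1], orig_dst[0], orig_dst[1], len(data), data[:64])


def handle_tcp(conn, peer, log):
    try:
        orig = parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    except OSError:
        orig = ("?", 0)  # connection hit 4444 directly, not via REDIRECT
    with conn:
        conn.settimeout(30)
        while True:
            try:
                data = conn.recv(65535)
            except socket.timeout:
                break
            if not data:
                break
            log.write(format_event("tcp", peer, orig, data))
            log.flush()
            reply = fake_reply(data)
            if reply:
                conn.sendall(reply)


def serve_udp(log):
    # Datagrams are logged only; the original port is not recovered here
    # (that needs IP_RECVORIGDSTADDR control messages), so use the pcap for it.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", SINK_PORT))
    while True:
        data, peer = s.recvfrom(65535)
        log.write(format_event("udp", peer, ("?", 0), data))
        log.flush()


def main():
    log = open(LOG_PATH, "a")
    threading.Thread(target=serve_udp, args=(log,), daemon=True).start()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", SINK_PORT))
    srv.listen(64)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_tcp, args=(conn, peer, log), daemon=True).start()


if __name__ == "__main__":
    main()
```

Run it as root in place of the ncat command. SO_ORIGINAL_DST works because REDIRECT records the pre-rewrite destination in conntrack, so each log line shows, for example, that the sample connected to 203.0.113.10:443 even though the socket was accepted on 4444. The canned HTTP reply is deliberately minimal; for anything more interactive, ncat's shell-style session is still the quicker tool.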

And we're off to the races. INetSim and FakeNet-NG have a huge number of features, but if you are in a bind or just need something simple you can quickly set up a network simulation machine with a few commands, using iptables and tcpdump, which are normally installed on Linux by default, plus ncat, which ships with Nmap.