# INetSim

## Overview

INetSim is a comprehensive internet services simulation suite designed for malware analysis. It lets security researchers run suspicious samples in an isolated network environment where all network traffic is intercepted and answered by simulated services, so the sample never reaches the real internet.
## Installation

### Linux (Debian/Ubuntu)

```bash
sudo apt-get update
sudo apt-get install inetsim
```

### Linux (Arch)

```bash
sudo pacman -S inetsim
```

### Linux (Manual Installation)

```bash
wget http://www.inetsim.org/download/inetsim-1.3.3.tar.gz
tar -xzf inetsim-1.3.3.tar.gz
cd inetsim-1.3.3
# setup.sh sets the file ownership and permissions INetSim expects
sudo ./setup.sh
```

### Docker Container

```dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y inetsim
# Only ports INetSim actually simulates (it has no IMAP or MySQL service)
EXPOSE 21 25 53 80 110 443 8080
CMD ["/usr/bin/inetsim"]
```

### Configuration File Location

```text
/etc/inetsim/inetsim.conf   # Main configuration
/var/log/inetsim/           # Log directory (main.log, service.log, debug.log)
/var/log/inetsim/report/    # Per-session summary reports
/var/lib/inetsim/           # Data directory (fake files, certs, FTP/TFTP roots)
```
## Basic Usage

| Command | Description |
|---|---|
| sudo inetsim | Start INetSim with the default config |
| sudo inetsim --config=/path/to/config | Start with a custom config file |
| sudo inetsim --log-dir=/path/to/logs | Write logs to an alternate directory |
| sudo inetsim --help | Display help information |
| sudo systemctl start inetsim | Start as a service |
| sudo systemctl stop inetsim | Stop the service |
## Configuration Basics

### Main Configuration File

```bash
sudo nano /etc/inetsim/inetsim.conf
```

### Key Configuration Parameters

#### Network Settings

```text
# Address the simulated services listen on (the IP the analysis VM is pointed at)
service_bind_address 0.0.0.0
# Unprivileged user the service child processes run as
service_run_as_user nobody
# Maximum concurrent child processes per service
service_max_childs 10

# Enable services: one start_service line per service
start_service dns
start_service http
start_service https
start_service ftp
start_service smtp
start_service smtps
start_service pop3
start_service ntp
start_service tftp
# INetSim has no IMAP or MySQL service, so there is nothing to enable for them

# Port configuration
dns_bind_port 53
http_bind_port 80
https_bind_port 443
ftp_bind_port 21
```
#### Logging Configuration

inetsim.conf has no log level, log directory or log format directives. The log directory is chosen on the command line (`--log-dir`, default /var/log/inetsim), every service writes to service.log there, and startup/shutdown goes to main.log. What the config file does control is reporting:

```text
# Write a per-session summary report to <log-dir>/report/
create_reports yes
# Report language (en or de)
report_language en
```
#### DNS Configuration

```text
start_service dns
dns_bind_port 53
# Address returned for every name that has no static mapping
dns_default_ip 127.0.0.1
# Name returned for reverse lookups of dns_default_ip
dns_default_hostname www
dns_default_domainname inetsim.local
# Static mapping: this name resolves to a different address
dns_static example.com 192.168.1.100
```
#### HTTP/HTTPS Configuration

```text
start_service http
http_bind_port 80
# Server string sent in the HTTP response header
http_version "INetSim HTTP 1.0"
# Fake mode answers every request with a fake file chosen by extension
http_fakemode yes

start_service https
https_bind_port 443
# File names are relative to <data-dir>/certs (default /var/lib/inetsim/certs)
https_ssl_certfile cert.pem
https_ssl_keyfile key.pem
```
#### FTP Configuration

```text
start_service ftp
ftp_bind_port 21
# Banner text; INetSim prepends the 220 response code itself
ftp_banner "Welcome to INetSim FTP"
# The simulated FTP server accepts any username and password
# (anonymous included), so no default credentials are configured
```
## Service Configuration

### DNS Service

#### Return IP for All Domains

```text
start_service dns
dns_bind_port 53
# Every name without a dns_static entry resolves to this address,
# so no separate "spoof all" switch is needed
dns_default_ip 192.168.1.100
```

#### DNS Service Examples

```bash
# Query INetSim DNS
nslookup example.com localhost
dig example.com @localhost
host example.com localhost
# Run the sample in the analysis VM; its lookups now resolve to dns_default_ip
./malware_sample.exe
```
### HTTP/HTTPS Service

#### Default HTTP Responses

```text
start_service http
http_bind_port 80
# Fake file returned when no extension-specific entry matches; files live in
# <data-dir>/http/fakefiles (default /var/lib/inetsim/http/fakefiles)
http_default_fakefile sample.html text/html
# Serve a specific fake file by requested extension: <ext> <file> <mime-type>
http_fakefile exe sample_gui.exe x-msdos-program
```

#### HTTP Response Customization

```bash
# Fake files are served from the fakefiles directory
sudo mkdir -p /var/lib/inetsim/http/fakefiles
# Create a harmless placeholder that will be returned for *.exe requests
echo "placeholder content" | sudo tee /var/lib/inetsim/http/fakefiles/malware.exe
# Map the extension to the file in inetsim.conf
echo "http_fakefile exe malware.exe x-msdos-program" | sudo tee -a /etc/inetsim/inetsim.conf
# Restart INetSim to apply changes
sudo systemctl restart inetsim
```
### FTP Service

#### FTP Configuration

```text
start_service ftp
ftp_bind_port 21
# Banner text; INetSim prepends the 220 response code itself
ftp_banner "Welcome"
ftp_version "INetSim FTP Server"
# Concurrent connections are limited globally, not per service
service_max_childs 10
# Any username/password pair (including anonymous) is accepted
```

#### FTP File Serving

```bash
# FTP root directory (<data-dir>/ftproot)
sudo mkdir -p /var/lib/inetsim/ftproot
# Add files to serve (a benign placeholder, never a live sample)
sudo cp payload_stub.bin /var/lib/inetsim/ftproot/
# Set permissions
sudo chmod 755 /var/lib/inetsim/ftproot
```
### SMTP/POP3/IMAP Services

#### Email Service Configuration

```text
# SMTP configuration
start_service smtp
smtp_bind_port 25
smtp_fqdn_hostname mail.inetsim.local
# Banner text; the greeting becomes "220 <smtp_fqdn_hostname> <banner>"
smtp_banner "ESMTP"
# Concurrent connections are limited globally, not per service
service_max_childs 10

# POP3 configuration
start_service pop3
pop3_bind_port 110
pop3_hostname mail.inetsim.local

# IMAP: INetSim does not simulate IMAP. Mail retrieval tests use POP3 (or POP3S
# via start_service pop3s); the mailbox served is read from <data-dir>/pop3
```

#### Email Testing

```bash
# Test SMTP connection
telnet localhost 25
# Expected greeting: 220 mail.inetsim.local ESMTP
# Send a test email through a local sendmail that relays to INetSim
echo "test message" | sendmail -v test@example.com
```
### TFTP Service

#### TFTP Configuration

```text
start_service tftp
tftp_bind_port 69
# Files are served from <data-dir>/tftproot (default /var/lib/inetsim/tftproot)
# Allow uploads to overwrite existing files
tftp_allow_overwrite yes
```
## Network Isolation Setup

### Using iptables for Traffic Redirection

The OUTPUT chain rules below redirect traffic generated on the INetSim host itself. For traffic arriving from an analysis VM on a bridge, put the equivalent DNAT rules in the PREROUTING chain (`-i <bridge>`) and point them at the host's bridge address rather than 127.0.0.1.

#### Redirect DNS to INetSim

```bash
# Redirect UDP 53 to INetSim DNS
sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT \
  --to-destination 127.0.0.1:53
# Redirect TCP 53 for DNS over TCP
sudo iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT \
  --to-destination 127.0.0.1:53
```

#### Redirect HTTP/HTTPS

```bash
# Redirect HTTP
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT \
  --to-destination 127.0.0.1:80
# Redirect HTTPS
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT \
  --to-destination 127.0.0.1:443
```

#### Save Rules Permanently

```bash
# Install iptables-persistent
sudo apt-get install iptables-persistent
# Save current rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4
# Restore rules
sudo iptables-restore < /etc/iptables/rules.v4
```
### VM Network Configuration

#### Isolated Network Setup

```bash
# Create an isolated bridge interface with no physical uplink
sudo ip link add br-isolated type bridge
sudo ip addr add 192.168.122.1/24 dev br-isolated
sudo ip link set dev br-isolated up
# Configure the VM to use the isolated bridge:
#   gateway 192.168.122.1, DNS 192.168.122.1
# and bind INetSim to that address (service_bind_address 192.168.122.1)
```
## Malware Analysis Workflow

### Pre-Analysis Setup

```bash
# 1. Start INetSim
sudo systemctl start inetsim
# 2. Configure DNS redirects
sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT \
  --to-destination 127.0.0.1:53
# 3. Verify the simulated services are listening
sudo ss -tulpn | grep inetsim
# 4. Follow the service log
sudo tail -f /var/log/inetsim/service.log
```

### Running Malware Sample

```bash
# 1. Copy sample to analysis VM
scp malware.exe user@analysis-vm:/tmp/
# 2. Execute the sample inside the analysis VM
./malware.exe
# 3. Monitor network activity on the INetSim host
sudo tcpdump -i any -n 'port 53 or port 80 or port 443 or port 21'
# 4. Review INetSim connection records
grep ' connect$' /var/log/inetsim/service.log
```
### Post-Analysis

#### Review Network Behavior

```bash
# DNS queries (one stat line per query, carrying qname=)
grep '\[dns ' /var/log/inetsim/service.log | grep 'qname='
# HTTP requests
grep -E 'recv: (GET|POST) ' /var/log/inetsim/service.log
# FTP sessions
grep '\[ftp ' /var/log/inetsim/service.log
```

#### Log Analysis Example

```bash
# Hostnames the sample tried to reach (DNS names, counted)
grep -o 'qname=[^ ]*' /var/log/inetsim/service.log | \
  sed 's/qname=//' | sort | uniq -c | sort -rn
# Requested URLs (possible downloads)
grep -o 'url=[^ ]*' /var/log/inetsim/service.log | sort | uniq -c | sort -rn
# Connections caught by the dummy service on ports without a real simulation
# (requires redirect_enabled yes in inetsim.conf); many distinct ports suggest scanning
grep '\[dummy' /var/log/inetsim/service.log
```
## Advanced Configuration

### Custom SSL Certificates

#### Generate Self-Signed Certificate

```bash
# Generate private key
openssl genrsa -out /tmp/key.pem 2048
# Generate certificate (10 year validity)
openssl req -new -x509 -key /tmp/key.pem \
  -out /tmp/cert.pem -days 3650 \
  -subj "/CN=inetsim.local/O=INetSim/C=US"
# Copy into INetSim's certs directory (<data-dir>/certs) and reference the
# file names with https_ssl_certfile / https_ssl_keyfile in inetsim.conf
sudo cp /tmp/cert.pem /tmp/key.pem /var/lib/inetsim/certs/
sudo chown root:root /var/lib/inetsim/certs/*.pem
# The key must remain readable by the user INetSim runs as
sudo chmod 600 /var/lib/inetsim/certs/*.pem
```

### Fake File Responses

#### HTTP File Serving

```bash
# Fake files are served from <data-dir>/http/fakefiles
sudo mkdir -p /var/lib/inetsim/http/fakefiles
# INetSim ships sample_gui.exe, a harmless Windows executable stub, in that
# directory; map it to requests for *.exe
echo "http_fakefile exe sample_gui.exe x-msdos-program" | \
  sudo tee -a /etc/inetsim/inetsim.conf
# Restart to apply
sudo systemctl restart inetsim
```

### Multiple Instance Configuration

#### Run Multiple INetSim Instances

```bash
# Create a config copy for the second instance
sudo cp /etc/inetsim/inetsim.conf \
  /etc/inetsim/inetsim-instance2.conf
# Give instance2 its own DNS port
sudo sed -i 's/^dns_bind_port.*/dns_bind_port 5353/' \
  /etc/inetsim/inetsim-instance2.conf
# Start both; instance2 binds to a second address so the other ports do not
# clash, and gets its own log dir, report dir and pidfile
sudo inetsim --config=/etc/inetsim/inetsim.conf \
  --pidfile=/var/run/inetsim1.pid &
sudo inetsim --config=/etc/inetsim/inetsim-instance2.conf \
  --bind-address=10.10.20.1 --log-dir=/var/log/inetsim2 \
  --report-dir=/var/log/inetsim2/report --pidfile=/var/run/inetsim2.pid &
```
## Log Analysis

### Log File Locations

```text
/var/log/inetsim/main.log                 # Start/stop of INetSim and its services
/var/log/inetsim/service.log              # All service activity (DNS, HTTP, FTP, SMTP, POP3, ...)
/var/log/inetsim/debug.log                # Debug output
/var/log/inetsim/report/report.<pid>.txt  # Per-session summary report
```

INetSim does not keep one log per protocol. Each service.log line carries the service in its third bracketed field (for example `[dns 53/udp 1234]` or `[http 80/tcp 1235]`), so filter on that field.

### Log Parsing Examples

#### Extract DNS Queries

```bash
grep -o 'qname=[^ ]*' /var/log/inetsim/service.log | \
  sed 's/qname=//' | sort | uniq -c | sort -rn
```

#### Extract HTTP User-Agents

```bash
grep 'recv: User-Agent: ' /var/log/inetsim/service.log | \
  sed 's/.*User-Agent: //' | sort | uniq -c
```

#### Find C2 Communication Patterns

```bash
# Look for regular polling of script endpoints
grep -E 'recv: (GET|POST) ' /var/log/inetsim/service.log | \
  grep -iE '\.(php|asp|cgi)'
# Extract the hostnames the sample addressed (Host headers)
grep -o 'recv: Host: .*' /var/log/inetsim/service.log | \
  sed 's/recv: Host: //' | sort | uniq -c | sort -rn
```
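Worked example for the Log Analysis Example and C2 pattern sections above, added here and not part of INetSim or the original cheatsheet: a Python script that parses service.log, tallies the DNS names a sample queried, and flags HTTP URLs fetched at near-constant intervals, which is what "regular polling" looks like in the log. The field layout (bracketed timestamp, main PID, service, client, message) and the `qname=` / `url=` keys on `stat:` lines are assumptions taken from INetSim's documented log format, and the sample lines are constructed, so check both against a real service.log before relying on the output.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
# Assumed service.log layout: [timestamp] [main pid] [service port/proto child pid] [client] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\d+\] \[(?P<svc>\w+) \d+/\w+ \d+\] "
                     r"\[(?P<client>[^\]]+)\] (?P<msg>.*)$")

# Constructed sample: the VM resolves one name, then polls gate.php about once a minute
SAMPLE_LOG = """\
[2024-03-01 10:00:00] [1001] [dns 53/udp 1010] [10.10.10.2:50001] stat: 1 qtype=A qclass=IN qname=update.example.test
[2024-03-01 10:00:01] [1001] [http 80/tcp 1011] [10.10.10.2:50002] stat: 1 method=GET url=http://update.example.test/gate.php sent=sample.html postdata=
[2024-03-01 10:00:05] [1001] [dns 53/udp 1010] [10.10.10.2:50003] stat: 1 qtype=A qclass=IN qname=update.example.test
[2024-03-01 10:00:07] [1001] [http 80/tcp 1012] [10.10.10.2:50004] stat: 1 method=GET url=http://cdn.example.test/index.html sent=sample.html postdata=
[2024-03-01 10:01:01] [1001] [http 80/tcp 1013] [10.10.10.2:50005] stat: 1 method=GET url=http://update.example.test/gate.php sent=sample.html postdata=
[2024-03-01 10:02:02] [1001] [http 80/tcp 1014] [10.10.10.2:50006] stat: 1 method=GET url=http://update.example.test/gate.php sent=sample.html postdata=
""".splitlines()

def parse_line(line):
    """Split one service.log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}

def dns_query_counts(lines):
    """Count queried names from the DNS service's 'stat:' lines (qname=...)."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["svc"] == "dns":
            for name in re.findall(r"qname=(\S+)", rec["msg"]):
                counts[name] += 1
    return dict(counts)

def http_beacons(lines, max_jitter=0.2, min_hits=3):
    """Map URLs fetched at near-constant intervals to their mean gap in seconds."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["svc"] in ("http", "https"):
            for url in re.findall(r"\burl=(\S+)", rec["msg"]):
                hits[url].append(rec["ts"])
    beacons = {}
    for url, stamps in hits.items():
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            # a low relative spread of the gaps points to timer-driven polling
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                beacons[url] = round(mean, 1)
    return beacons
```

On a real run replace `SAMPLE_LOG` with `open("/var/log/inetsim/service.log").readlines()`; `http_beacons` then reports the candidate C2 endpoints with their polling period, and the one-off `index.html` fetch is filtered out by `min_hits`.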
## Docker Integration

### Docker Compose Configuration

```yaml
version: '3.8'
services:
  inetsim:
    # Build from the Dockerfile in the Docker Container section;
    # a bare ubuntu image has no /usr/bin/inetsim
    build: .
    container_name: inetsim-sandbox
    ports:
      - "53:53/udp"
      - "21:21"
      - "25:25"
      - "80:80"
      - "110:110"
      - "443:443"
    volumes:
      # set service_bind_address 0.0.0.0 in this file so the services listen inside the container
      - ./inetsim.conf:/etc/inetsim/inetsim.conf:ro
      - ./logs:/var/log/inetsim
      - ./fakefiles:/var/lib/inetsim/http/fakefiles:ro
    command: /usr/bin/inetsim
    cap_add:
      - NET_ADMIN
    networks:
      - analysis-net
networks:
  analysis-net:
    driver: bridge
```

### Running with Docker

```bash
# Build and start
docker-compose up -d
# View logs
docker-compose logs -f inetsim
# Stop services
docker-compose down
```
## Troubleshooting

### Port Already in Use

```bash
# Check what's using port 80
sudo lsof -i :80
# Stop the conflicting process if appropriate
sudo kill <PID>
# Restart INetSim
sudo systemctl restart inetsim
```

### DNS Not Resolving

```bash
# Test DNS from the malware VM
nslookup example.com <host-ip>
# Check the DNS service is listening
sudo ss -ulnp | grep ':53 '
# Review recent DNS activity
grep '\[dns ' /var/log/inetsim/service.log | tail -20
```

### SSL Certificate Issues

```bash
# Verify certificate validity
openssl x509 -in /var/lib/inetsim/certs/cert.pem -text -noout
# Regenerate if expired
sudo rm /var/lib/inetsim/certs/cert.pem /var/lib/inetsim/certs/key.pem
# Then follow the Custom SSL Certificates section above
```

### Permission Denied Errors

```bash
# Check which user the INetSim processes run as
ps aux | grep inetsim
# Fix log directory permissions (if inetsim.conf sets service_run_as_user
# to another account, give that account write access instead)
sudo chown -R root:root /var/log/inetsim
sudo chmod 755 /var/log/inetsim
# Restart service
sudo systemctl restart inetsim
```
## Best Practices

### Security Isolation

- Run INetSim in an isolated VM environment
- Use a separate network interface for malware analysis
- Implement iptables rules to prevent outbound traffic
- Regularly reset the analysis VM to a clean state
- Keep INetSim updated with the latest patches

### Analysis Optimization

- Configure only the services you need to reduce noise
- Use custom SSL certificates for HTTPS analysis
- Maintain clean log files between analyses
- Document network behavior patterns
- Create baseline logs for comparison

### Log Management

- Archive logs regularly
- Use log rotation to prevent the disk filling up
- Parse logs with scripts for automated analysis
- Compare logs across samples for patterns
- Maintain a malware analysis database
## Resources

- Official Website: http://www.inetsim.org/
- Configuration Guide: http://www.inetsim.org/documentation.html
- Community Forum: Active user community
- GitHub Mirror: Mirror of latest releases
- Man Pages: `man inetsim` and `man inetsim.conf`

## Version Information

- Current stable: INetSim 1.3.3
- Cross-platform: Linux, Windows (with Cygwin)
- Architecture: x86_64
- Language: C/Perl
- License: GPL-3.0
- Dependencies: Perl, OpenSSL, libssl-dev