Lab 1 – Setting Up The Lab Environment

Lab Objectives

- Setting up and configuring the Linux VM
- Setting up and configuring the Windows VM
Lab Topology

Setting Up and configuring Linux VM

Step 1: Download Ubuntu 16.04.2 LTS and install it in VMware Workstation/Fusion or VirtualBox.

Step 2:

 For VMware: Install the Virtualization Tools on Ubuntu. Once installed, reboot the system.

 For VirtualBox: You must install Guest Additions software. To accomplish this, from the VirtualBox menu,
select Devices | Insert guest additions CD image. This will bring up the Guest Additions Dialog Window.
Then click on Run to invoke the installer from the virtual CD. Authenticate with your password when
prompted and reboot.
Step 3: Once the Ubuntu operating system and the virtualization tools are installed, start the Ubuntu VM and install
the following tools and packages.

Step 4: Install pip; pip is a package management system used to install and manage packages written in Python. In
this book, I will be running a few Python scripts; some of them rely on third-party libraries. To automate the
installation of third-party packages, you need to install pip. On Ubuntu 16.04 the python-pip package is the pip for
Python 2.7, which is the version most of the scripts in this book target. Run the following commands in the terminal
to install and upgrade pip:

$ sudo apt-get update
$ sudo apt-get install python-pip
$ sudo pip install --upgrade pip

The following are some of the tools and Python packages that will be used in this book. To install these tools and
Python packages, run these commands in the terminal:

$ sudo apt-get install python3-magic


$ sudo apt-get install upx
$ sudo pip install pefile
$ sudo apt-get install yara
$ sudo pip install yara-python
$ sudo apt-get install ssdeep
$ sudo apt-get install build-essential libffi-dev python python-dev libfuzzy-dev
$ sudo pip install ssdeep
$ sudo apt-get install wireshark
$ sudo apt-get install tshark
Step 5: INetSim (http://www.inetsim.org/index.html) is a utility that simulates the Internet services (DNS, HTTP,
HTTPS, SMTP, IRC and so on) that malware frequently expects to interact with; its use and configuration are covered
in detail in Chapter 3, Dynamic Analysis. To install INetSim, run the following commands as root. Note that the
repository and its signing key are fetched over plain HTTP, and apt-key add trusts the key for every repository, so
inspect the downloaded key (for example with gpg --with-fingerprint) and make sure it is the INetSim archive key
before adding it. Type exit afterwards to leave the root shell. If you have difficulties installing INetSim, refer to
the documentation (http://www.inetsim.org/packages.html):

$ sudo su
# echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
# wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
# apt update
# apt-get install inetsim

Step 6: You can now isolate Ubuntu VM within your lab by configuring the virtual appliance to use Host-only
network mode. On VMware, bring up the Network Adapter Settings and choose Host-only mode as shown in the
following Figure. Save the settings and reboot.

In VirtualBox, shut down Ubuntu VM and then bring up Settings. Select Network and change the adapter settings
to Host-only Adapter as shown in the following diagram; click on OK.

On VirtualBox, sometimes when you choose the Host-only adapter option, the interface name might appear as
Not selected. In that case, you need to first create at least one host-only interface by navigating to File| Preferences
| Network | Host-only networks | Add host-only network.

Click on OK; then bring up the Settings. Select Network and change the adapter settings to Host-only Adapter,
as shown in the following screenshot. Click on OK.
Step 7: Now we will assign the static IP address 192.168.1.100 to the Ubuntu Linux VM. To do that, power on
the Linux VM, open a terminal window, type the command ifconfig, and note down the interface name. In my
case, the interface name is ens33. In your case, the interface name might be different; if it is, adjust the following
steps accordingly. (Ubuntu 16.04 still uses /etc/network/interfaces; later releases moved to netplan.) Open the file
/etc/network/interfaces using the following command:

$ sudo gedit /etc/network/interfaces

Add the following entries at the end of the file (make sure you replace ens33 with the interface name on your
system) and save it:

auto ens33
iface ens33 inet static
address 192.168.1.100
netmask 255.255.255.0

The /etc/network/interfaces file should now look like the one shown here. Newly added entries are highlighted
here:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
auto ens33
iface ens33 inet static
address 192.168.1.100
netmask 255.255.255.0

Then restart the Ubuntu Linux VM. At this point, the IP address of the Ubuntu VM should be set to 192.168.1.100.
You can verify that by running the following command:

$ ifconfig
ens33 Link encap:Ethernet HWaddr 00:0c:29:a8:28:0d
inet addr: 192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea8:280d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21 errors:0 dropped:0 overruns:0 frame:0
TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5187 (5.1 KB) TX bytes:5590 (5.5 KB)
Step 8: The next step is to configure INetSim so that it can listen to and simulate all the services on the configured
IP address 192.168.1.100. By default, it listens on the local interface (127.0.0.1), which needs to be changed to
192.168.1.100. To do that, open the configuration file located at /etc/inetsim/inetsim.conf using the following
command:

$ sudo gedit /etc/inetsim/inetsim.conf

Go to the service_bind_address section in the configuration file and add the

entry shown here:

service_bind_address 192.168.1.100

The added entry (highlighted) in the configuration file should look like this:

# service_bind_address
#
# IP address to bind services to
#
# Syntax: service_bind_address <IP address>
#
# Default: 127.0.0.1
#
#service_bind_address 10.10.10.1
service_bind_address 192.168.1.100
By default, INetSim's DNS server will resolve all the domain names to 127.0.0.1. Instead of that, we want the
domain name to resolve to 192.168.1.100 (the IP address of Linux VM). To do that, go to the dns_default_ip
section in the configuration file and add an entry as shown here:

dns_default_ip 192.168.1.100

The added entry (highlighted in the following code) in the configuration file should look like this:

# dns_default_ip
#
# Default IP address to return with DNS replies
#
# Syntax: dns_default_ip <IP address>
#
# Default: 127.0.0.1
#
#dns_default_ip 10.10.10.1
dns_default_ip 192.168.1.100

Once the configuration changes are done, save the configuration file and launch the INetSim main program. Verify
that all the services start and that INetSim reports Listening on: 192.168.1.100, as highlighted in the following
output. If it still says 127.0.0.1, the most common cause is that the new service_bind_address line was typed on the
commented sample line and the leading # was left in place. You can stop the service by pressing CTRL+C:

$ sudo inetsim
INetSim 1.2.6 (2016-08-29) by Matthias Eckert & Thomas Hungenberg
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
Using report directory: /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
=== INetSim main process started (PID 2640) ===
Session ID: 2640
Listening on: 192.168.1.100
Real Date/Time: 2017-07-08 07:26:02
Fake Date/Time: 2017-07-08 07:26:02 (Delta: 0 seconds)
Forking services...
* irc_6667_tcp - started (PID 2652)
* ntp_123_udp - started (PID 2653)
* ident_113_tcp - started (PID 2655)
* time_37_tcp - started (PID 2657)
* daytime_13_tcp - started (PID 2659)
* discard_9_tcp - started (PID 2663)
* echo_7_tcp - started (PID 2661)
* dns_53_tcp_udp - started (PID 2642)
[..........REMOVED.............]
* http_80_tcp - started (PID 2643)
* https_443_tcp - started (PID 2644)
done.
Simulation running.
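Before moving on to the Windows VM it is worth confirming, from the Linux VM itself, that the two settings changed above actually took effect and that INetSim's DNS answers the way a sinkhole should (any name, however bogus, comes back as 192.168.1.100). The following script is an added example, not part of the lab text or of the INetSim project. It assumes the lab addressing above (Linux VM at 192.168.1.100, held in LAB_IP) and the stock key names in /etc/inetsim/inetsim.conf; SAMPLE_CONF is a constructed fragment that reproduces the left-the-#-in mistake so the checker can be exercised offline, and fake_a_response() builds a constructed reply for the same purpose. The function names are this example's own. The DNS query is built and parsed by hand over UDP/53 so that it works on both the Python 2.7 and Python 3 interpreters present on Ubuntu 16.04.

```python
#!/usr/bin/env python
"""Verify the INetSim sinkhole from the Linux VM (added example, not from the lab)."""
import random
import socket
import struct

LAB_IP = "192.168.1.100"   # assumption: the Linux VM address chosen in Step 7

# Constructed fragment: the sample line was "edited" but the '#' was left in
# place, which is the classic mistake this check is meant to catch.
SAMPLE_CONF = """
# Default: 127.0.0.1
#service_bind_address 192.168.1.100
dns_default_ip 192.168.1.100
"""


def parse_conf(text):
    """Return {key: [values...]} for active (non-comment) inetsim.conf lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            values.setdefault(parts[0], []).append(parts[1].strip())
    return values


def check_config(text, lab_ip=LAB_IP):
    """Return {key: problem} for the two settings the lab changes (empty = OK)."""
    values = parse_conf(text)
    problems = {}
    for key in ("service_bind_address", "dns_default_ip"):
        got = values.get(key, [])
        if not got:
            problems[key] = "not set (still commented out?) - falls back to 127.0.0.1"
        elif len(got) > 1:
            problems[key] = "set %d times: %s" % (len(got), ", ".join(got))
        elif got[0] != lab_ip:
            problems[key] = "is %s, expected %s" % (got[0], lab_ip)
    return problems


def build_dns_query(name, txid):
    """Minimal RFC 1035 A query: header (RD set, one question), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name starting at buf[off]."""
    while True:
        length = ord(buf[off:off + 1])
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes in total
            return off + 2
        off += 1 + length


def parse_a_answers(resp, txid):
    """Return the IPv4 strings found in the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def fake_a_response(query, answer_ip):
    """Constructed sinkhole-style reply for offline testing: echo the question,
    then one A record whose name is a pointer to the QNAME at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer


def resolve_via(server_ip, name, timeout=2.0):
    """Ask INetSim's DNS service directly (UDP/53) and return the A records."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_dns_query(name, txid), (server_ip, 53))
        resp, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_a_answers(resp, txid)


def sinkhole_ok(server_ip=LAB_IP, names=("evil.example", "update.example.com", "a.b.c.d.e")):
    """True when every name, however bogus, resolves to the Linux VM and nothing else."""
    return all(resolve_via(server_ip, n) == [server_ip] for n in names)


if __name__ == "__main__":
    with open("/etc/inetsim/inetsim.conf") as f:
        print("config problems:", check_config(f.read()) or "none")
    print("DNS sinkhole working:", sinkhole_ok())
```

Run it with sudo inetsim already started in another terminal; if sinkhole_ok() prints False, look at what resolve_via() returns for one name (an empty list means INetSim answered but with no A record, a timeout means it is not bound to 192.168.1.100 at all).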

Step 9: At some point, you need the ability to transfer files between the host and the virtual machine. To enable that
on VMware, power off the virtual machine and bring up the Settings. Select Options | Guest Isolation and check
both Enable drag and drop and Enable copy and paste. Save the settings.

On VirtualBox, while the virtual machine is powered off, bring up Settings | General | Advanced and make sure
that both Shared Clipboard and Drag 'n' Drop are set to Bidirectional. Click on OK.

Keep in mind that a shared clipboard and drag and drop are channels from the guest to the host; they are convenient
while you are staging tools, but they weaken the isolation of the VM while a sample is running. Enable them to copy
your tools in, and consider turning them off again (or at least setting them to host-to-guest only) before executing
malware.
Step 10: At this point, the Linux VM is configured to use Host-only mode, and INetSim is set up to simulate all
the services. The last step is to take a snapshot (clean snapshot) and give it a name of your choice so that you can
revert it back to the clean state when required. To take a snapshot on VMware workstation, click on VM |
Snapshot | Take Snapshot. On Virtualbox, the same can be done by clicking on Machine | Take Snapshot.

Setting Up and configuring Windows VM

Before setting up the Windows VM, you first need to install a Windows operating system (Windows 7, Windows 8,
and so on) of your choice in the virtualization software (such as VMware or VirtualBox). Once you have Windows
installed, follow these steps:

Step 1: Download Python from https://www.python.org/downloads/. Be sure to download Python 2.7.x (such as
2.7.13); most of the scripts used in this book are written to run on Python 2.7 and may not run correctly on
Python 3. After you've downloaded the file, run the installer. Make sure you check the options to install pip and to
Add python.exe to Path, as shown in the following screenshot. Installing pip will make it easier to install any
third-party Python libraries, and adding Python to the path will make it easier to run Python from any location.
Step 2: Configure your Windows VM to run in Host-only network configuration mode. To do that in VMware or
VirtualBox, bring up the Network Settings and choose the Host-only mode; save the settings and reboot (this step
is similar to the one covered in the Setting Up and Configuring Linux VM section).

Step 3: Configure the IP address of the Windows VM to 192.168.1.x (choose any address in the subnet except
192.168.1.100, because the Linux VM is set to use that one, with netmask 255.255.255.0) and set both the Default
gateway and the DNS server to the IP address of the Linux VM (that is, 192.168.1.100), as shown in the following
screenshot. This configuration is required so that when we execute the hostile program on the Windows VM, every
DNS lookup goes to INetSim (which answers with 192.168.1.100) and every connection to an outside address is
sent to the Linux VM as the default gateway, where INetSim's fake services answer it instead of the real Internet.
Step 4: Power on both the Linux VM and the Windows VM, and make sure they can communicate with each other.
You can check for connectivity by running the ping command in both directions, as shown in this screenshot:
Step 5: The Windows Defender service needs to be disabled on your Windows VM, as it may quarantine or kill the
malware sample while you are executing it. To do that, press the Windows key + R to open the Run dialog, enter
gpedit.msc, and hit Enter to launch the Local Group Policy Editor (gpedit.msc is only available on Pro, Enterprise
and Education editions of Windows, not on Home editions). In the left-hand pane of the Local Group Policy Editor,
navigate to Computer Configuration | Administrative Templates | Windows Components | Windows Defender. In the
right-hand pane, double-click on the Turn off Windows Defender policy to edit it; then select Enabled and click
on OK:

Step 6: To be able to transfer files (drag and drop) and to copy clipboard content between the host machine and the
Windows VM, follow the instructions in Step 9 of the Setting Up and Configuring Linux VM section.

Step 7: Take a clean snapshot so that you can revert to the pristine/clean state after every analysis. The procedure to
take a snapshot was covered in Step 10 of the Setting Up and Configuring Linux VM section.

At this point, your lab environment should be ready. The Linux and Windows VMs in your clean snapshot should
be in Host-only network mode and should be able to communicate with each other. Throughout this book, I will be
covering various malware analysis tools; if you wish to use those tools, you can copy them to the clean snapshot on
the virtual machines. To keep your clean snapshot up to date, just transfer/install those tools on the virtual machines
and take a new clean snapshot.
