Network Sinkhole for Isolated Malware Analysis
netsink is a network daemon that will bind to any number of configured IP ports and provide fake services in an attempt to convince running malware that it has an active Internet connection.
Install using pip:
pip install netsink
Start the netsink listeners with the default configuration (you will need administrator/root access to bind to privileged ports):
You should see output similar to the following, showing the bound ports:
2013-03-03 21:01:02,710 [netsink] INFO: Listener 'http' awaiting TCP activity on port/s [80, 8000, 8080, 8090]
2013-03-03 21:01:02,717 [netsink] INFO: Listener 'https' awaiting SSL activity on port/s [443, 8443]
2013-03-03 21:01:02,726 [netsink] INFO: Listener 'dns' awaiting UDP activity on port/s
2013-03-03 21:01:02,726 [netsink] INFO: Waiting...
To test, open a browser on the same host and navigate to https://127.0.0.1/testing and you should see a netsink response page.
To be useful, a client machine must be forced to redirect its traffic to the services on the netsink host. This can be achieved in several ways.
Static DNS Configuration
netsink includes a DNS server that answers every client DNS request with its own address as the destination (or as otherwise configured). Change the client's network interface to use the netsink host's address as its DNS server. If using iptables redirection, also set the client's default gateway to the netsink host so that direct IP address communication attempts (those that bypass DNS) are captured too.
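As an added illustration of the DNS behaviour described above (example code written for this page, not netsink's own implementation), here is a minimal sinkhole resolver that answers every A query with the sinkhole host's address; the sample query bytes and the sink address 10.0.0.1 are constructed for the example.

```python
import socket
import struct

# Constructed sample: a plain DNS query for www.example.com, type A, class IN.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, flags RD, qdcount=1
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"       # QNAME, QTYPE=A, QCLASS=IN
)

def parse_qname(data, offset):
    """Return (name, offset_after_name) for an uncompressed QNAME."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def build_sinkhole_response(query, sink_ip, ttl=60):
    """Answer any A/IN query with sink_ip; other types get NOERROR, no answer."""
    tid = struct.unpack("!H", query[:2])[0]
    name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    if qtype != 1 or qclass != 1:
        # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; ancount=0 (no data for this type)
        return name, struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    # Answer RR: name pointer to offset 12, type A, class IN, TTL, rdlength 4, sink IP
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
    return name, header + question + answer

def serve(sink_ip, bind="0.0.0.0", port=53):
    """Listen on UDP/53 (needs root) and log every query it sinkholes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, client = sock.recvfrom(512)
        name, reply = build_sinkhole_response(query, sink_ip)
        print(f"DNS query for {name} from {client[0]} -> answered with {sink_ip}")
        sock.sendto(reply, client)

if __name__ == "__main__":
    serve("10.0.0.1")  # assumed sinkhole host address
```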
A DHCP server is not currently provided by the netsink package; however, on a Unix/Linux platform the operating system's DHCP server package can be effective (for example isc-dhcp-server on Ubuntu). Configure it to hand out the netsink host's address as both the DNS server and the default gateway to the clients, and set the client's network interface to obtain an address automatically.
To test, ensure that any changes have been applied to the client’s network interface. On Windows, in a command window:
The netsink host's address should be listed as the DNS server on the applicable network interface. Now open a web browser on the client and navigate to www.google.com; you should instead see the netsink response page, and the DNS/HTTP requests should be logged on the server.
The primary project goals are:
|File Name|Version|File Type|Upload Date|
|netsink-0.5-py2-none-any.whl (33.8 kB)|2.7|Wheel|Dec 7, 2014|
|netsink-0.5.tar.gz (32.3 kB)|–|Source|Dec 7, 2014|