Project Description

Network sinkhole for isolated malware analysis.

Overview

netsink is a network daemon that will bind to any number of configured IP ports and provide fake services in an attempt to convince running malware that it has an active Internet connection.

Getting Started

Install using pip:

pip install netsink

Start the netsink listeners with the default configuration (you will need administrator/root access to bind to privileged ports):

sudo netsink

You should see output similar to the following, showing the bound ports:

2013-03-03 21:01:02,710 [netsink] INFO: Listener 'http' awaiting TCP activity on port/s [80, 8000, 8080, 8090]
2013-03-03 21:01:02,717 [netsink] INFO: Listener 'https' awaiting SSL activity on port/s [443, 8443]
2013-03-03 21:01:02,726 [netsink] INFO: Listener 'dns' awaiting UDP activity on port/s [53]
2013-03-03 21:01:02,726 [netsink] INFO: Waiting...

To test, open a browser on the same host and navigate to https://127.0.0.1/testing and you should see a netsink response page.

Client Setup

To be useful, a client machine must be forced to redirect its traffic to the services on the netsink host. This can be achieved in several ways.

Static DNS Configuration

netsink includes a DNS server that will advertise itself as the destination for any client DNS requests (or as otherwise configured). Change the client’s network interface to use the netsink host’s address as its DNS server. Also set the Default Gateway to the netsink host if using iptables redirection, to capture direct IP address communication attempts.

DHCP Configuration

Not currently provided by the netsink package; however, if installing on a Unix/Linux platform, the operating system's DHCP server package can be effective (for example isc-dhcp-server on Ubuntu). Set the netsink host as the address to be returned to clients for both DNS server and Default Gateway, and set the client's network interface to obtain an address automatically.

To test, ensure that any changes have been applied to the client’s network interface. On Windows, in a command window:

ipconfig /all

The netsink host's address should be listed as the DNS server on the applicable network interface. Now open a web browser on the client and navigate to www.google.com; you should instead see the netsink response page, and the DNS and HTTP requests logged on the server.
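The DNS side of the client setup above relies on the sinkhole answering every name lookup with its own address. The following is an added example, not netsink's own DNS server code: a minimal UDP responder that parses the question from a standard query, answers A/IN questions with the sinkhole host's address, and returns an empty NOERROR reply for other record types so the client falls back to its A record instead of hanging. SINKHOLE_IP is a constructed placeholder (a TEST-NET-1 address); build_query and answered_address exist only so the exchange can be exercised offline.

```python
# Added example (not netsink's own code): a minimal sinkhole DNS responder.
import socket
import struct

SINKHOLE_IP = "192.0.2.10"  # constructed placeholder (TEST-NET-1); use the real netsink host address


def parse_query_name(payload, offset=12):
    """Read the dotted name at `offset` (uncompressed labels, as in a query's question)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive query (qtype 1 = A, 28 = AAAA); used for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_sinkhole_response(query, answer_ip=SINKHOLE_IP, ttl=60):
    """Answer an A/IN question with `answer_ip`; other qtypes get an empty NOERROR reply
    so the client does not wait on a timeout and falls back to its A record."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _, offset = parse_query_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]
    # QR=1 (response), RD copied from the query, RA=1, RCODE=0.
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080
    answers, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        # NAME is a pointer to offset 12 (the question), then TYPE A, CLASS IN, TTL, RDLENGTH 4.
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answers


def answered_address(response):
    """Return the IPv4 address in the first answer RR, or None if the reply carries no answers."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if ancount == 0:
        return None
    _, offset = parse_query_name(response, 12)
    offset += 4  # skip QTYPE and QCLASS
    _, _, _, _, rdlength = struct.unpack("!HHHIH", response[offset:offset + 12])
    offset += 12
    return socket.inet_ntoa(response[offset:offset + rdlength])


def serve(bind_addr="0.0.0.0", port=53):
    """Log every query and answer it with the sinkhole address (binding to 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, client = sock.recvfrom(512)
        try:
            name, _ = parse_query_name(data)
            sock.sendto(build_sinkhole_response(data), client)
            print(f"dns {client[0]} asked for {name}, answered {SINKHOLE_IP}")
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed packet: drop it rather than crash the listener


if __name__ == "__main__":
    serve()
```

Pointing a client at a host running this is enough to see the effect described above: every lookup, whatever the name, resolves to the sinkhole, and the query log on the server shows which names the client asked for. Direct-to-IP connections still bypass it, which is why the page also recommends the gateway/iptables redirection.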

Goals

The primary project goals are:

  • Provide malware with communication end points to assist execution and elicit network traffic.
  • Straight-forward installation. Should work out-of-the-box, with minimal configuration, for most scenarios.
  • Easy configuration and extension. Adding custom services and response handling should be as simple as possible.

Features

  • DNS redirection based on simple config file
  • HTTP/HTTPS serving of static files based on url regexes
  • Imitate known external IP address lookup sites (thanks to ipgetter for the compiled list)
  • IRC service to capture connect and channel joins, etc.
  • SMTP/ESMTP server including AUTH and STARTTLS support
  • FTP server support
  • Listening port ranges easily configurable and separate from the modules that handle the traffic.
  • Automatic connection redirection for platforms that support iptables
  • Generic port listener that can dispatch to other modules via packet inspection
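Three of the features above (regex-based HTTP responses, fake external-IP lookup sites, and a generic listener that dispatches by packet inspection) share one mechanism. The following is an added example, not netsink's own listener or module code: a handler for a single accepted socket that waits briefly for the client's first bytes, classifies them as a TLS ClientHello, an HTTP request or IRC-style registration, and otherwise, if the client is silent, behaves as a server-speaks-first service (SMTP/FTP style) by sending a banner. The HTTP responder selects a canned body by regex on the request path. The routes, bodies, banner text and the 203.0.113.5 address are constructed placeholders; exchange_over_socketpair exists only so the dispatcher can be exercised offline without binding a port.

```python
# Added example (not netsink's own code): a generic listener that dispatches on the first bytes.
import re
import select
import socket

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# (compiled path regex, canned response body); constructed for this example.
ROUTES = [
    (re.compile(rb"^/ip/?$"), b"203.0.113.5"),             # fake "what is my IP" site, constructed value
    (re.compile(rb"^/testing"), b"netsink-style test page"),
]
DEFAULT_BODY = b"<html><body>sinkhole</body></html>"


def classify_initial_bytes(data):
    """Guess the protocol from the first client bytes on a port with no dedicated listener."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "https"  # TLS record: content type handshake (22), version 3.x: a ClientHello
    if data.startswith(HTTP_METHODS):
        return "http"
    if re.match(rb"(NICK|USER|PASS|CAP) ", data):
        return "irc"    # IRC clients register first; FTP/SMTP clients wait for a server banner
    return "generic"


def http_response(request):
    """Minimal HTTP/1.1 reply whose body is chosen by the first matching path regex."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    path = parts[1] if len(parts) >= 2 else b"/"
    body = DEFAULT_BODY
    for pattern, canned in ROUTES:
        if pattern.search(path):
            body = canned
            break
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def handle_connection(conn, wait_seconds=2.0):
    """Serve one accepted socket; returns the protocol label chosen, for logging."""
    readable, _, _ = select.select([conn], [], [], wait_seconds)
    if not readable:
        # Silent client: assume a server-speaks-first protocol and offer a generic banner.
        conn.sendall(b"220 sinkhole service ready\r\n")
        return "banner-first"
    data = conn.recv(4096)
    proto = classify_initial_bytes(data)
    if proto == "http":
        conn.sendall(http_response(data))
    elif proto == "irc":
        conn.sendall(b":sinkhole 001 client :Welcome to the sinkhole\r\n")
    elif proto == "https":
        pass  # a real listener would hand `conn` to an ssl.SSLContext.wrap_socket() here
    else:
        conn.sendall(b"\r\n")  # acknowledge so the client keeps talking and its traffic gets logged
    return proto


def exchange_over_socketpair(client_bytes, wait_seconds=2.0):
    """Offline demo: drive handle_connection over a connected socket pair.
    Returns (protocol label, bytes the client received before the server closed)."""
    client, server = socket.socketpair()
    try:
        if client_bytes:
            client.sendall(client_bytes)
        proto = handle_connection(server, wait_seconds)
        server.close()
        received = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
        return proto, received
    finally:
        client.close()
        server.close()  # closing an already closed socket is harmless


if __name__ == "__main__":
    print(exchange_over_socketpair(b"GET /ip HTTP/1.1\r\nHost: example.invalid\r\n\r\n"))
    print(exchange_over_socketpair(b"", wait_seconds=0.2))
```

The silent-client branch is the part worth noting when analysing a sample: protocols where the server speaks first (SMTP, FTP) give the sniffer nothing to classify, so a generic listener has to decide on a timeout and send a banner, or the malware never progresses far enough to reveal which protocol it wanted.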

Planned Additions:

  • Internal DHCP server to auto configure clients
  • Expand available fake services to include POP3, IMAP, TFTP, etc.
  • Pluggable fake C2 servers
  • Better documentation

Issues

Source code for netsink is hosted on GitHub. Any bug reports or feature requests can be made using GitHub’s issues system.

Release History

  • 0.5 (this version)
  • 0.4
  • 0.3
  • 0.2
  • 0.1

Download Files

File                          Size     Python version  File type  Upload date
netsink-0.5-py2-none-any.whl  33.8 kB  2.7             Wheel      Dec 7, 2014
netsink-0.5.tar.gz            32.3 kB  -               Source     Dec 7, 2014
