Let's say you have an exploit, and you're not sure what it does. Many exploits do something on the network. It would be nice to be able to observe these network operations, without actually being connected to the internet. Running an unknown exploit on an internet-connected machine is a bad idea. As it turns out, we can simulate an internet-connected machine by turning our CERT Tapioca VM into something that responds to everything (both DNS-addressed, and IP-addressed).
Disable systemd-resolved. It gets greedy with what it uses are DNS resolvers, and ends up picking up our wildcard DNS. This breaks DNS lookups on the wildcard VM itself, which we don't want.
sudo systemctl disable systemd-resolved.service sudo service systemd-resolved stop |
Put the following line in the {main]
section of your /etc/NetworkManager/NetworkManager.conf
:
dns=default |
Delete the symlink /etc/resolv.conf
sudo rm /etc/resolv.conf |
Restart network-manager
sudo service network-manager restart |
Install tinydns
sudo apt install tinydns |
Note that Ubuntu 18.04 and newer systems do not include a tinydns
package. On these systems, you can install both the daemontools
and daemontools-run
packages, and manually install tinydns, which is included in the djbdns tarball.
Configure tinydns
sudo adduser --no-create-home --disabled-login --shell /bin/false dnslog sudo adduser --no-create-home --disabled-login --shell /bin/false tinydns sudo tinydns-conf tinydns dnslog /etc/tinydns/ 10.0.0.1 sudo mkdir -p /etc/service ; cd /etc/service ; sudo ln -sf /etc/tinydns/ |
Edit /etc/tinydns/root/data to resolve everything to 10.0.0.1:
.local:10.0.0.1:a:259200 .0.0.10.in-addr.arpa:10.0.0.1:a:259200 .:10.0.0.1 +*:10.0.0.1:86400 +*.local:10.0.0.1:86400 |
build the tinydns configuration in the /etc/tinydns/root/
directory:
sudo make |
Stop dnsmasq and restart tinydns:
sudo service dnsmasq stop sudo svc -h /etc/service/tinydns |
Confirm your dns lookups:
tapioca@ubuntu:~/tapioca$ nslookup asdf 10.0.0.1 Server: 10.0.0.1 Address: 10.0.0.1#53 Name: asdf.localdomain Address: 10.0.0.1 |
Edit the ~/tapioca/iptables_noproxy.sh
file, wiping out the NAT magic
part at the end, replacing it through the end of the file with:
# NAT magic iptables -t nat -F PREROUTING iptables -t nat -A PREROUTING -i $internal_net -j DNAT --to-destination 10.0.0.1 |
The iptables DNAT line will rewrite the target of traffic arriving on the LAN-side adapter to be handled by 10.0.0.1
Edit the ~/tapioca/iptables_mitmproxy.sh
file, wiping out the mitmproxy interception
part, replacing it through the end of the file with:
# mitmproxy interception iptables -t nat -F PREROUTING iptables -t nat -F OUTPUT iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080 iptables -t nat -A PREROUTING -i $internal_net -j DNAT --to-destination 10.0.0.1 iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1 iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 10.0.0.1 |
Create a ~/tapioca/wildcard.sh
script to start mitmproxy HTTP(S) interception automatically on boot:
#!/bin/bash echo Setting network redirection rules... cd /home/tapioca/tapioca /home/tapioca/tapioca/proxy.sh |
Ensure that the ~/tapioca/wildcard.sh is executable
chmod +x ~/tapioca/wildcard.sh |
Configure the script to start automatically on X starting.
mkdir -p ~/.config/autostart nano -w ~/.config/autostart/.desktop |
Edit the .desktop
file to look like this:
[Desktop Entry] Encoding=UTF-8 Name=Wildcard Comment=Wildcard network redirection Exec=/home/tapioca/tapioca/wildcard.sh Terminal=false |
Click the Red 'X' in the wildcard VM to run the new wildcard rules (or just reboot).
Connect a testing VM to the same vmnet network as the LAN adapter of your new wildcard VM, and try some network stuff.
(optional) configure wildcard VM to automatically log in the tapioca user
sudo apt install mingetty systemctl edit getty@tty1 |
Configure it to look like this:
[Service] ExecStart= ExecStart=-/sbin/mingetty --autologin tapioca --noclear %I |
Install apache and php, as you'll likely at least want a web server to simulate
sudo apt-get install apache2 sudo apt-get install php libapache2-mod-php sudo a2enmod ssl sudo a2ensite default-ssl sudo systemctl reload apache2 |
Add a new empty item
Note: In newer XFCE versions, the above four steps may be combined into:Name
field. e.g. "Apache log tailer"Command
field, enter: sudo tail -F /var/log/apache2/access.log
logviewer
Run in terminal
checkboxTrusted Root Certification Authorities
For other platforms, refer to the mitmproxy guidance for installing the CA certificate./var/www/html
If you wish to not perform HTTP and HTTPS interception with mitmproxy, you can click the red 'X' on the far right of the icon list at the bottom of the screen. Click the Apache log tail icon to keep an eye on HTTP requests only. HTTPS requests will not be visible using this technique, as the HTTPS certificate will not be valid for the requests being made by the client.