Malware Analysis Firewall

I came across a tool called PolarProxy that lets you decrypt HTTPS. This is very handy when analyzing newer strains of malware, since they increasingly use HTTPS. Most of the time I still see the initial communication being unencrypted, plain HTTP, but once the malware has finished staging, its command and control traffic is encrypted.

PolarProxy lets us decrypt that traffic. Netresec has a very handy guide on setting it up on a Raspberry Pi that doubles as a Wi-Fi access point: https://www.netresec.com/?page=Blog&month=2019-09&post=Raspberry-PI-WiFi-Access-Point-with-TLS-Inspection .

I wasn't looking to set up a Wi-Fi access point. In my situation I have a Dell server that will host a Windows AD environment. What I needed was a way to route anything connected to the Raspberry Pi's Ethernet port out through its Wi-Fi.

I used a Raspberry Pi 3 Model B with Raspbian as the OS, since Ubuntu has issues with the wireless card. 32-bit Raspbian was used because PolarProxy doesn't support 64-bit. Once Raspbian was installed, it was time to install dnsmasq, which will run as the DHCP server for the Ethernet side; run the command below to install it. Then connect the Pi to the Wi-Fi network. I used raspi-config to set up Wi-Fi; the Raspberry Pi website goes over the steps.

Initial Setup

sudo apt-get install dnsmasq

Once dnsmasq is installed, edit /etc/dhcpcd.conf (dhcpcd is the daemon that configures interfaces on Raspbian) so that the Ethernet interface eth0 gets a static IP. This is the address the DHCP clients will use as their gateway.

# Example static IP configuration:
interface eth0
static ip_address=192.168.5.10/24

Next, edit /etc/dnsmasq.d/dhcp.conf to set up the DHCP server. port=0 would disable dnsmasq's DNS server on our Linux firewall; I left it enabled, as I need to be able to resolve domain names on the Pi. DHCP option 6 hands the clients Google's 8.8.8.8 as their DNS server, and option 3 sets the Pi (192.168.5.10) as their default gateway. One caveat for malware analysis: because the clients talk to 8.8.8.8 directly, their lookups never pass through dnsmasq, so log-queries below will not record them. If you want the sample's DNS lookups in /var/log/dnsmasq.log, hand out 192.168.5.10 as the DNS server instead and let dnsmasq forward to its upstream resolver.

# Set the interface on which dnsmasq operates.
# If not set, all interfaces are used.
interface=eth0
# Uncomment to disable dnsmasq's DNS server functionality (DHCP only).
#port=0
# Enable dnsmasq's DHCP server functionality: pool start, pool end, netmask, lease time.
dhcp-range=192.168.5.11,192.168.5.20,255.255.255.0,12h
#dhcp-range=192.168.0.50,192.168.0.150,12h
# Fixed addresses for known MACs (format: MAC,hostname,IP,lease).
# These commented examples come from the dnsmasq guide linked further down, not from this lab.
#dhcp-host=90:9f:44:d8:16:fc,iptime,192.168.0.1,infinite  # Router
#dhcp-host=31:25:99:36:c2:bb,server-right,192.168.0.3,infinite   # PC1
#dhcp-host=ac:97:0e:f2:6f:ab,yul-x230,192.168.0.13,infinite  # PC2
# Default gateway handed to clients (option 3): the Pi itself.
# The two forms below are identical; option:router is just the name for option 3.
#dhcp-option=option:router,192.168.5.10
dhcp-option=3,192.168.5.10

# DNS server handed to clients (option 6): Google's 8.8.8.8.
dhcp-option=6,8.8.8.8

# Logging.
# logfile path
log-facility=/var/log/dnsmasq.log
log-async
# log DNS queries that dnsmasq answers
log-queries
# log DHCP related messages (DHCPDISCOVER/OFFER/REQUEST/ACK)
log-dhcp

Once that is done, run sudo raspi-config, go to the Network Options and disable predictable network interface names, so that the Ethernet interface is really called eth0 as the config above expects. Then reboot your Raspberry Pi. After it comes back up, a machine plugged into the Pi's Ethernet port should receive a DHCP address from it; you can confirm on the Pi with ip addr show eth0 (it should carry 192.168.5.10/24) and by watching the DHCPACK lines in /var/log/dnsmasq.log. You can check out this guide on setting up dnsmasq for more info: https://yulistic.gitlab.io/2018/03/configuring-dnsmasq-only-for-dhcp-server-in-ubuntu-pc/

Routing and iptables

The next step is to enable routing, so that all traffic from the Ethernet side goes out through the Wi-Fi side. We follow the Raspberry Pi access point guide https://www.raspberrypi.org/documentation/configuration/wireless/access-point.md and PolarProxy's guide https://www.netresec.com/?page=Blog&month=2019-09&post=Raspberry-PI-WiFi-Access-Point-with-TLS-Inspection . Go to the routing and masquerade part of the Raspberry Pi guide. The first step is to enable IP forwarding. Next, swap eth0 for wlan0 in the masquerade rule, since we route traffic from the Ethernet adapter out the Wi-Fi adapter, the opposite of an access point. PolarProxy's guide shows its NAT rules under Step 2; they are written for wlan0 as the client side and eth0 as the uplink, so for our layout we take their rules and reverse the interfaces: the REDIRECT and INPUT rules apply to traffic arriving on eth0, and MASQUERADE applies to traffic leaving on wlan0.

The final step is to save the NAT rules so they are restored on reboot. You should now be able to reach the web from a client on the Ethernet side. Below are the configuration steps.

Edit /etc/sysctl.conf and uncomment this line (sudo sysctl -p applies it without a reboot):
net.ipv4.ip_forward=1

Add the iptables rules as shown below. The first rule masquerades everything leaving on the Wi-Fi uplink. The second lets the clients' connections reach PolarProxy on port 10443 (only needed if the INPUT chain has a DROP policy; Raspbian's default is ACCEPT, so it does no harm either way). The third transparently redirects the clients' port 443 traffic into PolarProxy. Note that only TCP/443 is redirected: TLS on any other port goes out through the masquerade undecrypted unless you add a matching REDIRECT rule for it.
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A INPUT -i eth0 -p tcp --dport 10443 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 10443

Save the iptables rules:
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Edit /etc/rc.local and add the line below above "exit 0", so the rules are restored at boot:
iptables-restore < /etc/iptables.ipv4.nat

To check, run sudo iptables -t nat -L PREROUTING -n -v: the REDIRECT rule's packet counter should climb when a client opens an HTTPS page.
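As an added example (not code from this post or from Netresec), here is a small POSIX shell script that prints the three rules for this eth0-in, wlan0-out layout and checks a saved ruleset in iptables-save format, catching the usual copy-paste mistake: the interfaces left the way the access-point guide has them, which silently sends client HTTPS past PolarProxy. The interface names, the port 10443 and the embedded iptables-save samples are assumptions and constructed input, not captured from the author's Pi.

```shell
#!/bin/sh
# Added example for this post; not code from the post or from Netresec/PolarProxy.
# Assumptions (not from the post): the analysis LAN hangs off eth0, the uplink is
# wlan0, PolarProxy listens on 10443, and the saved rules are in iptables-save format.
LAN_IF="${LAN_IF:-eth0}"           # where the AD lab / malware VMs are plugged in
WAN_IF="${WAN_IF:-wlan0}"          # Wi-Fi uplink that gets masqueraded
PROXY_PORT="${PROXY_PORT:-10443}"  # PolarProxy listening port

# Print the three iptables commands for this eth0 -> wlan0 layout (run them as root).
gen_rules() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$LAN_IF" "$PROXY_PORT"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' "$LAN_IF" "$PROXY_PORT"
}

# check_saved FILE: return 0 if FILE (iptables-save output, e.g. /etc/iptables.ipv4.nat)
# carries the masquerade, the 443 redirect and the INPUT accept with the interfaces
# the right way round; otherwise print the first problem found and return 1.
check_saved() {
    f="$1"
    # Classic mistake when copying the access-point guide: interfaces not swapped,
    # so the redirect sits on the uplink and client HTTPS bypasses PolarProxy.
    if grep -q -- "^-A PREROUTING -i $WAN_IF " "$f"; then
        echo "redirect is on the uplink $WAN_IF: rules not reversed?"; return 1
    fi
    grep -q -- "^-A POSTROUTING -o $WAN_IF -j MASQUERADE" "$f" \
        || { echo "missing MASQUERADE out of $WAN_IF"; return 1; }
    grep -q -- "^-A PREROUTING -i $LAN_IF -p tcp .*--dport 443 -j REDIRECT --to-ports $PROXY_PORT" "$f" \
        || { echo "missing 443 -> $PROXY_PORT redirect on $LAN_IF"; return 1; }
    grep -q -- "^-A INPUT -i $LAN_IF -p tcp .*--dport $PROXY_PORT .*-j ACCEPT" "$f" \
        || { echo "missing INPUT accept for $PROXY_PORT on $LAN_IF"; return 1; }
    return 0
}

# Constructed sample of what iptables-save prints for a correct setup (not from a real Pi).
write_sample_good() {
    cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 10443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample with the access-point direction (wlan0 in, eth0 out) left as-is.
write_sample_reversed() {
    cat > "$1" <<EOF
*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i wlan0 -p tcp -m tcp --dport 10443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage: sh nat-check.sh gen          -> print the iptables commands
#        sh nat-check.sh check FILE   -> verify a saved ruleset (default /etc/iptables.ipv4.nat)
case "${1:-}" in
    gen)   gen_rules ;;
    check) check_saved "${2:-/etc/iptables.ipv4.nat}" ;;
esac
```

Run it with check against /etc/iptables.ipv4.nat after the iptables-save step, and again after a reboot against the live rules (sudo iptables-save | sh nat-check.sh check /dev/stdin) to confirm rc.local restored them. The regexes allow for the -m tcp and -m conntrack matches that iptables-save inserts, so a ruleset written with -m state --state NEW still passes.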

Installing PolarProxy

Follow Step 1 of the PolarProxy guide https://www.netresec.com/?page=Blog&month=2019-09&post=Raspberry-PI-WiFi-Access-Point-with-TLS-Inspection . Skip Step 2, since we did that earlier. Go to Step 3 to install PolarProxy's CA certificate on your client. Until that certificate is trusted, the client will get a certificate error on every HTTPS site, which tells you the redirect works but the trust does not. Once this is done PolarProxy will start writing PCAP files with the HTTPS traffic decrypted. Bear in mind that a sample that pins certificates or does its own certificate checks will refuse to talk through the proxy, so a C2 channel that goes quiet on the Pi is itself a finding.

Read PolarProxy's other guides for the various other ways of pulling the PCAP files. PolarProxy can also decrypt TLS on other ports, which is handy if the malware uses a non-standard encrypted port to communicate; remember to add a matching REDIRECT rule for that port too. https://www.netresec.com/?page=PolarProxy
