alphasoc / flightsim

A utility to safely generate malicious network traffic patterns and evaluate controls.
https://alphasoc.com

simulator: don't bind to external IP during DNS simulations #40

Closed kmroz closed 2 years ago

kmroz commented 2 years ago

Should help with DNS queries where the nameserver is not reachable via the external IP (i.e. systemd's 127.0.0.53, etc.). Also report an error if resolve fails due to dial errors.

Addresses: https://github.com/alphasoc/flightsim/issues/39

kmroz commented 2 years ago

Added iface handling, etc.

Sample output/errors:

Default iface

./flightsim run
AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 10.186.0.3
The current time is 14-Sep-21 08:16:45

08:16:45 [c2] Preparing a random sample of C2 domains
08:16:45 [c2] Resolving livdecor.pt
08:16:46 [c2] Resolving matixx.xyz
...
08:16:50 [c2] Done (5/5)
...
08:16:55 [dga] Generating a list of DGA domains
08:16:55 [dga] Resolving uonemmjxkx.net
08:16:56 [dga] Resolving ymswtzhopm.net
...
08:17:10 [dga] Done (15/15)
...
08:17:16 [scan] Preparing a random sample of RFC 5737 destinations
08:17:16 [scan] Port scanning 203.0.113.4
08:17:19 [scan] Port scanning 203.0.113.7
...
08:17:46 [scan] Done (10/10)
...
08:18:06 [tunnel-dns] Simulating DNS tunneling via *.sandbox.alphasoc.xyz
08:18:16 [tunnel-dns] Done (1/1)

iface set by user (ubuntu, with 127.0.0.53 in /etc/resolv.conf)

AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 10.186.0.3
The current time is 14-Sep-21 08:12:33

08:12:33 [c2] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:12:33 [c2] Preparing a random sample of C2 domains
08:12:33 [c2] Resolving xeibzs12.top
08:12:34 [c2] ERROR: xeibzs12.top: lookup xeibzs12.top. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
...
08:12:38 [c2] Done (0/5)
...
08:12:43 [dga] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:12:43 [dga] Generating a list of DGA domains
08:12:43 [dga] Resolving wdzowbbvuo.biz
08:12:44 [dga] ERROR: wdzowbbvuo.biz: lookup wdzowbbvuo.biz. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
...
08:12:58 [dga] Done (0/15)
...
08:13:03 [scan] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:13:03 [scan] Preparing a random sample of RFC 5737 destinations
08:13:03 [scan] Port scanning 203.0.113.39
08:13:06 [scan] Port scanning 203.0.113.43
08:13:09 [scan] Port scanning 203.0.113.50
...
08:13:33 [scan] Done (10/10)
...
08:13:54 [tunnel-dns] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:13:54 [tunnel-dns] Simulating DNS tunneling via *.sandbox.alphasoc.xyz
08:13:54 [tunnel-dns] ERROR: sandbox.alphasoc.xyz: lookup pvnxjanknktrudzahtallgpgrmlptm.sandbox.alphasoc.xyz. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
08:14:04 [tunnel-dns] Done (0/1)
kmroz commented 2 years ago

Something like this... let me know what you guys think. As discussed, we can hold off on this until the next release, in which case I'll prep a release tomorrow.

ubuntu:~$ ./flightsim run c2

AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The address of the network interface for IP traffic is 10.186.0.4
The address of the network interface for DNS queries is 127.0.0.1
The current time is 25-Oct-21 15:17:33

15:17:33 [c2] Preparing a random sample of C2 domains
15:17:33 [c2] Resolving astro--pacific.com
15:17:34 [c2] Resolving boundertime.ru
15:17:35 [c2] Resolving boldchat.website
15:17:36 [c2] Resolving premieruandcsystems.com
15:17:37 [c2] Resolving officeworkzone.xyz
15:17:38 [c2] Done (5/5)

15:17:38 [c2] Preparing a random sample of C2 IP:port pairs
15:17:38 [c2] Connecting to 3.17.7.232:19832
15:17:39 [c2] Connecting to 192.34.109.104:443
15:17:40 [c2] Connecting to 81.213.59.22:443
15:17:41 [c2] ERROR: 81.213.59.22:443: dial tcp 10.186.0.4:0->81.213.59.22:443: i/o timeout
15:17:41 [c2] Connecting to 136.144.41.168:59666
15:17:42 [c2] Connecting to 178.128.94.170:443
15:17:43 [c2] ERROR: 178.128.94.170:443: dial tcp 10.186.0.4:0->178.128.94.170:443: i/o timeout
15:17:43 [c2] Done (3/5)

All done! Check your SIEM for alerts using the timestamps and details above.
ubuntu:~$ ./flightsim run -iface lo c2

AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The address of the network interface for IP traffic is 127.0.0.1
The address of the network interface for DNS queries is 127.0.0.1
The current time is 25-Oct-21 15:21:21

15:21:21 [c2] Preparing a random sample of C2 domains
15:21:21 [c2] Resolving service-mp2sc0gc-1301679103.gz.apigw.tencentcs.com
15:21:22 [c2] Resolving service-azhuvd2i-1305517013.gz.apigw.tencentcs.com
15:21:23 [c2] Resolving mywatchidea.com
15:21:24 [c2] Resolving sec.qaxcn.cf
15:21:25 [c2] Resolving boldchat.website
15:21:26 [c2] Done (5/5)

15:21:26 [c2] Preparing a random sample of C2 IP:port pairs
15:21:26 [c2] Connecting to 47.92.163.5:8443
15:21:26 [c2] ERROR: 47.92.163.5:8443: dial tcp 127.0.0.1:0->47.92.163.5:8443: connect: invalid argument
...
15:21:30 [c2] Done (0/5)

All done! Check your SIEM for alerts using the timestamps and details above.
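The two failure modes in the output above (binding the external interface address and sending to a loopback resolver times out; binding 127.0.0.1 and dialing an external host fails with "invalid argument") come down to one decision: which source address, if any, a DNS query should be bound to. The Go program below is an added illustration of that decision and is not flightsim's own code; it parses `nameserver` lines from resolv.conf-style text (the sample text is constructed), picks a source address for the query based on whether the nameserver is loopback, and builds a `net.Resolver` whose connections honour that choice. The function names `ParseNameservers`, `DNSSourceAddr` and `NewResolver` are assumptions made here, not the project's API.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// ParseNameservers returns the addresses listed in "nameserver <ip>" lines of
// resolv.conf-style text. Comments and other keywords (search, options) are skipped.
func ParseNameservers(resolvConf string) []net.IP {
	var out []net.IP
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "nameserver" {
			continue
		}
		if ip := net.ParseIP(fields[1]); ip != nil {
			out = append(out, ip)
		}
	}
	return out
}

// DNSSourceAddr decides the local address a query toward ns is sent from, given the
// address of the interface the user selected for IP traffic. A nil result means
// "do not bind; let the kernel choose", which is the only safe option when the
// resolver lives on loopback: 10.186.0.3 -> 127.0.0.53 times out, and
// 127.0.0.1 -> <external nameserver> is rejected with EINVAL.
func DNSSourceAddr(ifaceIP, ns net.IP) (net.IP, error) {
	switch {
	case ns == nil:
		return nil, errors.New("no nameserver configured")
	case ns.IsLoopback():
		return nil, nil // loopback resolver: never bind the external interface address
	case ifaceIP != nil && ifaceIP.IsLoopback():
		return nil, fmt.Errorf("nameserver %s is not reachable from loopback source %s", ns, ifaceIP)
	default:
		return ifaceIP, nil // external resolver: bind the chosen interface as requested
	}
}

// NewResolver builds a net.Resolver that talks only to ns and binds the source
// address DNSSourceAddr selected (or none).
func NewResolver(ifaceIP, ns net.IP) (*net.Resolver, error) {
	src, err := DNSSourceAddr(ifaceIP, ns)
	if err != nil {
		return nil, err
	}
	return &net.Resolver{
		PreferGo: true, // use Go's resolver so our Dial hook is honoured
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 3 * time.Second}
			if src != nil {
				if strings.HasPrefix(network, "udp") {
					d.LocalAddr = &net.UDPAddr{IP: src}
				} else {
					d.LocalAddr = &net.TCPAddr{IP: src}
				}
			}
			// Ignore the address Go would have used and send to our nameserver.
			return d.DialContext(ctx, network, net.JoinHostPort(ns.String(), "53"))
		},
	}, nil
}

func main() {
	// Constructed resolv.conf: a systemd-resolved stub plus an external fallback.
	const resolvConf = "# constructed sample\nnameserver 127.0.0.53\noptions edns0\nnameserver 10.186.0.2\n"
	iface := net.ParseIP("10.186.0.3") // the user's -iface address from the PR output
	for _, ns := range ParseNameservers(resolvConf) {
		src, err := DNSSourceAddr(iface, ns)
		fmt.Printf("nameserver %-12s source=%v err=%v\n", ns, src, err)
	}
	_, err := DNSSourceAddr(net.ParseIP("127.0.0.1"), net.ParseIP("10.186.0.2"))
	fmt.Println("-iface lo against external nameserver:", err)
}
```

Run the binary with no network access and it only prints the source-address decisions; call `LookupHost` on the resolver returned by `NewResolver` to actually send queries. The point of the split is the same one the PR output makes: the interface chosen for the port scan and C2 connections is not automatically the right one for DNS.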
tg commented 2 years ago

🦭