Module: INTRODUCTION TO MALWARE ANALYSIS - Debugging

I’m having problems trying to open inetsim on the Parrot and connect with the Mandiant Windows. I tried to configure it like this:

service_bind_address <Our machine's/VM's TUN IP>
dns_default_ip <Our machine's/VM's TUN IP>
dns_default_hostname www
dns_default_domainname iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

But the HTTP on port 80 never comes up. Does anyone know how to fix this?

Can you post the outcome of this command?

INetSim 1.3.2 (2020-05-19) by Matthias Eckert & Thomas Hungenberg
Main logfile ‘/var/log/inetsim/main.log’ does not exist. Trying to create it…
Main logfile ‘/var/log/inetsim/main.log’ successfully created.
Sub logfile ‘/var/log/inetsim/service.log’ does not exist. Trying to create it…
Sub logfile ‘/var/log/inetsim/service.log’ successfully created.
Debug logfile ‘/var/log/inetsim/debug.log’ does not exist. Trying to create it…
Debug logfile ‘/var/log/inetsim/debug.log’ successfully created.
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
Using report directory: /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 2703) ===
Session ID: 2703
Listening on: 10.10.15.179
Real Date/Time: 2024-01-23 15:49:56
Fake Date/Time: 2024-01-23 15:49:56 (Delta: 0 seconds)
Forking services…

  • dns_53_tcp_udp - started (PID 2707)
  • echo_7_tcp - started (PID 2726)
  • ntp_123_udp - started (PID 2718)
  • time_37_tcp - started (PID 2722)
  • http_80_tcp - failed!
  • time_37_udp - started (PID 2723)
  • discard_9_udp - started (PID 2729)
  • daytime_13_tcp - started (PID 2724)
  • finger_79_tcp - started (PID 2719)
  • dummy_1_udp - started (PID 2735)
  • echo_7_udp - started (PID 2727)
  • dummy_1_tcp - started (PID 2734)
  • quotd_17_udp - started (PID 2731)
  • smtp_25_tcp - started (PID 2710)
  • irc_6667_tcp - started (PID 2717)
  • chargen_19_tcp - started (PID 2732)
  • ftps_990_tcp - started (PID 2715)
  • smtps_465_tcp - started (PID 2711)
  • daytime_13_udp - started (PID 2725)
  • quotd_17_tcp - started (PID 2730)
  • pop3s_995_tcp - started (PID 2713)
  • syslog_514_udp - started (PID 2721)
  • https_443_tcp - started (PID 2709)
  • ftp_21_tcp - started (PID 2714)
  • ident_113_tcp - started (PID 2720)
  • discard_9_tcp - started (PID 2728)
  • chargen_19_udp - started (PID 2733)
  • tftp_69_udp - started (PID 2716)
  • pop3_110_tcp - started (PID 2712)
    done.
    Simulation running.

Is it possible that you are already running something on port 80?

I just opened the HTB-configured Parrot and ran sudo inetsim. Is there something on port 80 by default???

To be honest I am not using the HTB Parrot machine so I don't know. But you can check, read this article How to check if port is in use on Linux or Unix - nixCraft and try to search whether there is a service already running. Otherwise you can set up your own Kali machine and everything will work fine.
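As an added example (not from the thread, and not part of INetSim), a small Python script that parses startup output like the one quoted above, picks out the services that reported failed!, and tries to bind their ports itself so a port conflict can be told apart from a missing privilege. The sample output is constructed; on a real box you would feed it inetsim's actual output and the address from service_bind_address.

```python
"""Find INetSim services that reported 'failed!' and check whether another
process already holds their port (the first thing to rule out when
http_80_tcp will not come up)."""
import errno
import re
import socket

# Constructed excerpt modelled on the INetSim startup output quoted in the thread.
SAMPLE_OUTPUT = """\
Forking services...
  * dns_53_tcp_udp - started (PID 2707)
  * http_80_tcp - failed!
  * https_443_tcp - started (PID 2709)
    done.
"""

# Matches lines such as "  * http_80_tcp - failed!" ('*' is INetSim's bullet,
# '•' is what the forum rendered it as).
SERVICE_RE = re.compile(
    r"^\s*[*•]\s*(?P<name>\w+?_(?P<port>\d+)_(?P<proto>tcp_udp|tcp|udp))"
    r"\s+-\s+(?P<status>started|failed!)"
)

def failed_services(output):
    """Return (name, port, protocols) for every service INetSim reported as failed."""
    failed = []
    for line in output.splitlines():
        m = SERVICE_RE.match(line)
        if m and m.group("status") == "failed!":
            protos = m.group("proto").split("_")  # "tcp_udp" -> ["tcp", "udp"]
            failed.append((m.group("name"), int(m.group("port")), protos))
    return failed

def port_status(port, proto="tcp", address="0.0.0.0"):
    """Try to bind ADDRESS:PORT ourselves and report why it did or did not work:
    'in-use' (EADDRINUSE: another process holds it), 'no-permission'
    (privileged port, not root) or 'free' (the bind succeeded)."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((address, port))
        except PermissionError:
            return "no-permission"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in-use"
            raise
    return "free"

def diagnose(output, address="0.0.0.0"):
    """Map each failed service to the bind status of its port, per protocol."""
    return {name: {p: port_status(port, p, address) for p in protos}
            for name, port, protos in failed_services(output)}

if __name__ == "__main__":
    for name, result in diagnose(SAMPLE_OUTPUT).items():
        print(name, result)  # e.g. http_80_tcp {'tcp': 'in-use'}
```

If the script reports in-use, `ss -ltnp` (as root) shows which process owns the port; if it reports no-permission, rerun it with sudo, as inetsim itself needs to bind ports below 1024.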

Is it just me, or is this part of the exercise kind of confusing to follow?

Do we have to do the changes on all 3 “SandBox Detected” message?

Yes, we need to make changes on all 3 “SandBox Detected” messages.

Got C2 message trying to get notepad.exe to work

VirtualAllocEx , WriteProcessMemory , and CreateRemoteThread

I made changes only to two out of three “Sandbox Detected” messages. It took me a while to understand that. I used multiple breakpoints and actually got a feeling for how they work.