
Practical Malware Analysis: simulating a network environment with ApateDNS and INetSim


Note: this lab marks the start of the dynamic analysis chapters of "Practical Malware Analysis". ApateDNS and INetSim are used to simulate the network environment the malicious code expects, with Lab01-03.exe as the sample.

I. Lab environment and tools
VMware virtual machines: Windows 10 (Windows 7 also works) and Kali. No physical machine is involved; "Windows 10" below always means the Windows 10 VM.
Main tools: ApateDNS and INetSim
II. Downloading and installing the tools
1. ApateDNS: install it in the Windows guest (Windows 10 or Windows 7)
Download: https://www.fireeye.com/services/freeware/apatedns.html
2. INetSim: shipped with Kali
III. Tool overview
1. ApateDNS: a GUI tool for controlling DNS responses. It acts as a fake DNS server on the local system: it listens on UDP port 53, points the machine's DNS setting at localhost while it runs, and answers every query with a user-specified IP address, so whatever hostname the malware resolves, its follow-on connection goes to the address you chose. It also logs each request, which is how you see which domains the sample looks up.
2. INetSim: a Linux-based tool for malware analysis that simulates the most common Internet services (HTTP, HTTPS, DNS, FTP and others) and answers the malware's requests with fake but plausible responses. When doing dynamic analysis on a Windows machine, run INetSim in a second VM on the same network as the analysis machine. Which services start, and how they answer, is configured in /etc/inetsim/inetsim.conf; this lab mainly uses the DNS service.
IV. Virtual machine network configuration
Note: VMware's custom network mode lets several VMs share a virtual LAN: one VM runs the malicious code and another provides the network services it needs. That virtual LAN has no route to the host, which keeps its own Internet connection, so the sample cannot reach the real network. Check in the Virtual Network Editor that the new VMnet is neither bridged nor NAT and that "Connect a host virtual adapter to this network" is unchecked; otherwise the host itself has an interface on the lab segment.
1. Windows 10 VM: Edit → Virtual Network Editor → Change Settings → Add Network → set the virtual network's address.

Change the network address in the Subnet IP field. After changing it, also update the address range under DHCP Settings; every address configured below must fall inside that range.


After saving, attach the Windows 10 VM to VMnet2.

The VM is then successfully assigned 192.168.40.128 (a static address can also be set inside Windows 10).

2. Kali VM:
Attach Kali to VMnet2 as well. The Windows VM will use Kali's address as its DNS server, so Kali needs a static IP.


Then ping each VM from the other. Windows 10's firewall must be turned off, or Kali cannot ping Windows 10 (acceptable here because the segment is isolated). If both pings succeed, the network configuration is complete and the two VMs form a closed network (a kind of sandbox) that provides an isolated environment for analysing the malicious code.
V. Procedure
1. Kali ships with INetSim, so there is nothing to download; edit inetsim.conf in /etc/inetsim (the file is root-owned, so use sudo):

cd /etc/inetsim
sudo vi inetsim.conf

Change the following options in the file to start the DNS service the lab needs (the value is the Kali VM's address, 192.168.40.130 in this lab; INetSim's syntax is "option value", with no colon):

service_bind_address    192.168.40.130
dns_default_ip          192.168.40.130
redirect_enabled        yes
redirect_exclude_port   tcp:22
redirect_external_address 192.168.40.130

service_bind_address makes every simulated service listen on the VMnet2 address instead of 127.0.0.1, and dns_default_ip is the answer INetSim's DNS returns for every name that has no dns_static entry, so all of the sample's lookups resolve to the Kali VM. The redirect_* options turn on INetSim's connection redirection, implemented with iptables rules on the Kali host (so inetsim must run as root for it to take effect): traffic the sample sends to ports with no simulated service, or to external addresses, is steered to INetSim, and redirect_exclude_port tcp:22 keeps SSH to the Kali VM reachable. The listing below still starts every service; commenting out the start_service lines you do not need reduces noise in INetSim's report.
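The five edits above are easy to get wrong by hand (the stock file keeps each default commented out, and a stray colon or a second active copy silently changes what INetSim does). The script below, an added example and not code from the page or from INetSim, applies the same settings programmatically: set_option rewrites a single-valued option whether it is active or commented out, ensure_line adds a repeatable option such as redirect_exclude_port, and restrict_services trims the service list to what the lab uses. The Kali address and /etc/inetsim/inetsim.conf are the page's values; SAMPLE_CONF is a constructed excerpt in the stock file's layout used for the offline run, and keeping http/https alongside dns is my assumption, since a sample that resolves a web hostname usually connects to it next.

```python
"""Apply the lab's inetsim.conf changes programmatically instead of in vi.

Added example; not part of the original post or of INetSim. Paths, the Kali
address and the service list are assumptions taken from the page's lab plan.
"""
import re
from pathlib import Path

KALI_IP = "192.168.40.130"                      # Kali VM on VMnet2 (page's value)
CONF_PATH = Path("/etc/inetsim/inetsim.conf")   # stock location on Kali

# Single-valued options the page changes, with the values it gives them.
LAB_SETTINGS = {
    "service_bind_address": KALI_IP,
    "dns_default_ip": KALI_IP,
    "redirect_enabled": "yes",
    "redirect_external_address": KALI_IP,
}

# Constructed excerpt in the stock file's layout, used for the offline demo/test.
SAMPLE_CONF = """\
#########################################
# dns_default_ip
#
# Syntax: dns_default_ip <ip_address>
#
dns_default_ip      127.0.0.1
#redirect_enabled   no
service_bind_address    127.0.0.1
start_service dns
start_service http
start_service smtp
"""


def set_option(text, key, value):
    """Rewrite a single-valued option to 'key value'.

    Matches the first line that is 'key value' or '#key value' (the stock file
    keeps defaults commented out that way) but not section-header comments such
    as '# dns_default_ip', which carry no value.  Extra active copies are
    commented out so exactly one definition remains; a missing key is appended.
    """
    pat = re.compile(r"^(#\s*)?" + re.escape(key) + r"\s+\S.*$")
    out, done = [], False
    for line in text.splitlines():
        if pat.match(line):
            if not done:
                out.append(f"{key}\t{value}")
                done = True
            elif not line.lstrip().startswith("#"):
                out.append("#" + line)
            else:
                out.append(line)
        else:
            out.append(line)
    if not done:
        out.append(f"{key}\t{value}")
    return "\n".join(out) + "\n"


def active_options(text):
    """Map every active (uncommented) option to the list of its values."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return found


def ensure_line(text, key, value):
    """Append 'key value' unless already active; for repeatable options
    such as redirect_exclude_port or dns_static."""
    if value in active_options(text).get(key, []):
        return text
    return text.rstrip("\n") + f"\n{key}\t{value}\n"


def restrict_services(text, keep):
    """Comment out every start_service line whose service is not in keep."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^start_service\s+(\S+)\s*$", line)
        out.append("#" + line if m and m.group(1) not in keep else line)
    return "\n".join(out) + "\n"


def configure(text, settings=LAB_SETTINGS, keep=("dns", "http", "https")):
    """The page's five edits, plus trimming the service list to what the lab uses."""
    for key, value in settings.items():
        text = set_option(text, key, value)
    text = ensure_line(text, "redirect_exclude_port", "tcp:22")
    return restrict_services(text, set(keep))


if __name__ == "__main__":
    if CONF_PATH.exists():                       # needs root on Kali
        original = CONF_PATH.read_text()
        CONF_PATH.with_name(CONF_PATH.name + ".bak").write_text(original)  # keep a copy first
        CONF_PATH.write_text(configure(original))
        print(active_options(CONF_PATH.read_text()).get("start_service"))
    else:
        print(configure(SAMPLE_CONF))
```

Run it with sudo on Kali (it writes inetsim.conf.bak beside the file before touching it), or anywhere else to see the transformed sample excerpt. configure is idempotent, so it is safe to re-run after hand edits.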

The configured file follows (xx.xx.xx.xx stands for the Kali VM's address; the listing is cut off partway through the TFTP section):

#############################################################
#
# INetSim configuration file
#
#############################################################
 
 
#############################################################
# Main configuration
#############################################################
 
#########################################
# start_service
#
# The services to start
#
# Syntax: start_service 
#
# Default: none
#
# Available service names are:
# dns, http, smtp, pop3, tftp, ftp, ntp, time_tcp,
# time_udp, daytime_tcp, daytime_udp, echo_tcp,
# echo_udp, discard_tcp, discard_udp, quotd_tcp,
# quotd_udp, chargen_tcp, chargen_udp, finger,
# ident, syslog, dummy_tcp, dummy_udp, smtps, pop3s,
# ftps, irc, https
#
start_service dns
start_service http
start_service https
start_service smtp
start_service smtps
start_service pop3
start_service pop3s
start_service ftp
start_service ftps
start_service tftp
start_service irc
start_service ntp
start_service finger
start_service ident
start_service syslog
start_service time_tcp
start_service time_udp
start_service daytime_tcp
start_service daytime_udp
start_service echo_tcp
start_service echo_udp
start_service discard_tcp
start_service discard_udp
start_service quotd_tcp
start_service quotd_udp
start_service chargen_tcp
start_service chargen_udp
start_service dummy_tcp
start_service dummy_udp
#########################################
# service_bind_address
#
# IP address to bind services to
#
# Syntax: service_bind_address 
#
# Default: 127.0.0.1
#
service_bind_address    xx.xx.xx.xx
 
 
#########################################
# service_run_as_user
#
# User to run services
#
# Syntax: service_run_as_user 
#
# Default: nobody
#
#service_run_as_user    inetsim
#########################################
# service_max_childs
#
# Maximum number of child processes (parallel connections)
# for each service
#
# Syntax: service_max_childs [1..30]
#
# Default: 10
#
#service_max_childs 15
 
 
#########################################
# service_timeout
#
# If a client does not send any data for the number of seconds
# given here, the corresponding connection will be closed.
#
# Syntax: service_timeout [1..600]
#
# Default: 120
#
#service_timeout    60
#########################################
# create_reports
#
# Create report with a summary of connections
# for the session on shutdown
#
# Syntax: create_reports [yes|no]
#
# Default: yes
#
#create_reports     no
 
 
#########################################
# report_language
#
# Set language for reports
# Note: Currently only languages 'en' and 'de' are supported
#
# Syntax: report_language 
#
# Default: en
#
#report_language    de
#############################################################
# Faketime
#############################################################
#########################################
# faketime_init_delta
#
# Initial number of seconds (positive or negative)
# relative to current date/time for fake time used by all services 
#
# Syntax: faketime_init_delta 
#
# Default: 0  (use current date/time) 
#
#faketime_init_delta    1000
 
 
#########################################
# faketime_auto_delay
#
# Number of seconds to wait before incrementing fake time
# by value specified with 'faketime_auto_increment'.
# Setting to '0' disables this option.
#
# Syntax: faketime_auto_delay [0..86400]
#
# Default: 0  (disabled)
#
#faketime_auto_delay    1000
#########################################
# faketime_auto_increment
#
# Number of seconds by which fake time is incremented at
# regular intervals specified by 'faketime_auto_delay'.
# This option only takes effect if 'faketime_auto_delay'
# is enabled (not set to '0').
#
# Syntax: faketime_auto_increment [-31536000..31536000]
#
# Default: 3600
#
#faketime_auto_increment    86400
 
 
#############################################################
# Service DNS
#############################################################
 
#########################################
# dns_bind_port
#
# Port number to bind DNS service to
#
# Syntax: dns_bind_port 
#
# Default: 53
#
#dns_bind_port      53
#########################################
# dns_default_ip
#
# Default IP address to return with DNS replies
#
# Syntax: dns_default_ip 
#
# Default: 127.0.0.1
#
dns_default_ip      xx.xx.xx.xx
 
 
#########################################
# dns_default_hostname
#
# Default hostname to return with DNS replies
#
# Syntax: dns_default_hostname 
#
# Default: www
#
#dns_default_hostname       somehost
#########################################
# dns_default_domainname
#
# Default domain name to return with DNS replies
#
# Syntax: dns_default_domainname 
#
# Default: inetsim.org
#
#dns_default_domainname     some.domain
 
 
#########################################
# dns_static
#
# Static mappings for DNS
#
# Syntax: dns_static  
#
# Default: none
#
#dns_static www.foo.com 10.10.10.10
#dns_static ns1.foo.com 10.70.50.30
#dns_static ftp.bar.net 10.10.20.30
#########################################
# dns_version
#
# DNS version
#
# Syntax: dns_version 
#
# Default: "INetSim DNS Server"
#
#dns_version "9.2.4"
 
 
#############################################################
# Service HTTP
#############################################################
 
#########################################
# http_bind_port
#
# Port number to bind HTTP service to
#
# Syntax: http_bind_port 
#
# Default: 80
#
#http_bind_port     80
#########################################
# http_version
#
# Version string to return in HTTP replies
#
# Syntax: http_version 
#
# Default: "INetSim HTTP server"
#
#http_version       "Microsoft-IIS/4.0"
 
 
#########################################
# http_fakemode
#
# Turn HTTP fake mode on or off
#
# Syntax: http_fakemode [yes|no]
#
# Default: yes
#
#http_fakemode      no
#########################################
# http_fakefile
#
# Fake files returned in fake mode based on the file extension
# in the HTTP request.
# The fake files must be placed in /http/fakefiles
#
# Syntax: http_fakefile   
#
# Default: none
#
http_fakefile       txt sample.txt  text/plain
http_fakefile       htm sample.html text/html
http_fakefile       html    sample.html text/html
http_fakefile       php sample.html text/html
http_fakefile       gif sample.gif  image/gif
http_fakefile       jpg sample.jpg  image/jpeg
http_fakefile       jpeg    sample.jpg  image/jpeg
http_fakefile       png sample.png  image/png
http_fakefile       bmp sample.bmp  image/x-ms-bmp
http_fakefile       ico favicon.ico image/x-icon
http_fakefile       exe sample_gui.exe  x-msdos-program
http_fakefile       com sample_gui.exe  x-msdos-program
 
 
#########################################
# http_default_fakefile
#
# The default fake file returned in fake mode if the file extension
# in the HTTP request does not match any of the extensions
# defined above.
#
# The default fake file must be placed in /http/fakefiles
#
# Syntax: http_default_fakefile  
#
# Default: none
#
http_default_fakefile   sample.html text/html
#########################################
# http_static_fakefile
#
# Fake files returned in fake mode based on static path.
# The fake files must be placed in /http/fakefiles
#
# Syntax: http_static_fakefile   
#
# Default: none
#
#http_static_fakefile   /path/          sample_gui.exe  x-msdos-program
#http_static_fakefile   /path/to/file.exe   sample_gui.exe  x-msdos-program
 
 
#############################################################
# Service HTTPS
#############################################################
 
#########################################
# https_bind_port
#
# Port number to bind HTTPS service to
#
# Syntax: https_bind_port 
#
# Default: 443
#
#https_bind_port        443
#########################################
# https_version
#
# Version string to return in HTTPS replies
#
# Syntax: https_version 
#
# Default: "INetSim HTTPs server"
#
#https_version      "Microsoft-IIS/4.0"
 
 
#########################################
# https_fakemode
#
# Turn HTTPS fake mode on or off
#
# Syntax: https_fakemode [yes|no]
#
# Default: yes
#
#https_fakemode     no
#########################################
# https_fakefile
#
# Fake files returned in fake mode based on the file extension
# in the HTTPS request.
# The fake files must be placed in /http/fakefiles
#
# Syntax: https_fakefile   
#
# Default: none
#
https_fakefile      txt sample.txt  text/plain
https_fakefile      htm sample.html text/html
https_fakefile      html    sample.html text/html
https_fakefile      php sample.html text/html
https_fakefile      gif sample.gif  image/gif
https_fakefile      jpg sample.jpg  image/jpeg
https_fakefile      jpeg    sample.jpg  image/jpeg
https_fakefile      png sample.png  image/png
https_fakefile      bmp sample.bmp  image/x-ms-bmp
https_fakefile      ico favicon.ico image/x-icon
https_fakefile      exe sample_gui.exe  x-msdos-program
https_fakefile      com sample_gui.exe  x-msdos-program
 
 
#########################################
# https_default_fakefile
#
# The default fake file returned in fake mode if the file extension
# in the HTTPS request does not match any of the extensions
# defined above.
#
# The default fake file must be placed in /http/fakefiles
#
# Syntax: https_default_fakefile  
#
# Default: none
#
https_default_fakefile  sample.html text/html
#########################################
# https_static_fakefile
#
# Fake files returned in fake mode based on static path.
# The fake files must be placed in /http/fakefiles
#
# Syntax: https_static_fakefile   
#
# Default: none
#
#https_static_fakefile  /path/          sample_gui.exe  x-msdos-program
#https_static_fakefile  /path/to/file.exe   sample_gui.exe  x-msdos-program
 
 
#########################################
# https_ssl_keyfile
#
# Name of the SSL private key PEM file.
# The key MUST NOT be encrypted!
#
# The file must be placed in /certs/
#
# Syntax: https_ssl_keyfile 
#
# Default: default_key.pem
#
#https_ssl_keyfile  https_key.pem
#########################################
# https_ssl_certfile
#
# Name of the SSL certificate file.
#
# The file must be placed in /certs/
#
# Syntax: https_ssl_certfile 
#
# Default: default_cert.pem
#
#https_ssl_certfile https_cert.pem
 
 
#########################################
# https_ssl_dhfile
#
# Name of the Diffie-Hellman parameter PEM file.
#
# The file must be placed in /certs/
#
# Syntax: https_ssl_dhfile 
#
# Default: none
#
#https_ssl_dhfile   https_dh1024.pem
#############################################################
# Service SMTP
#############################################################
#########################################
# smtp_bind_port
#
# Port number to bind SMTP service to
#
# Syntax: smtp_bind_port 
#
# Default: 25
#
#smtp_bind_port     25
 
 
#########################################
# smtp_fqdn_hostname
#
# The FQDN hostname used for SMTP
#
# Syntax: smtp_fqdn_hostname 
#
# Default: mail.inetsim.org
#
#smtp_fqdn_hostname foo.bar.org
#########################################
# smtp_banner
#
# The banner string used in SMTP greeting message
#
# Syntax: smtp_banner 
#
# Default: "INetSim Mail Service ready."
#
#smtp_banner        "SMTP Mailer ready."
 
 
#########################################
# smtp_helo_required
#
# Client has to send HELO/EHLO before any other command
#
# Syntax: smtp_helo_required [yes|no]
#
# Default: no
#
#smtp_helo_required yes
#########################################
# smtp_extended_smtp
#
# Turn support for extended smtp (ESMTP) on or off
#
# Syntax: smtp_extended_smtp [yes|no]
#
# Default: yes
#
#smtp_extended_smtp no
 
 
#########################################
# smtp_service_extension
#
# SMTP service extensions offered to client.
# For more information, see
# 
#
# Syntax: smtp_service_extension 
#
# Supported extensions and parameters:
# VRFY
# EXPN
# HELP
# 8BITMIME
# SIZE          # one optional parameter
# ENHANCEDSTATUSCODES
# AUTH          # one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
# DSN
# SEND
# SAML
# SOML
# TURN
# ETRN
# ATRN
# VERP
# MTRK
# CHUNKING
# STARTTLS
# DELIVERBY     # one optional parameter
# SUBMITTER
# CHECKPOINT
# BINARYMIME
# NO-SOLICITING     # one optional parameter
# FUTURERELEASE     # two required parameters
#
# Default: none
#
smtp_service_extension      VRFY
smtp_service_extension      EXPN
smtp_service_extension      HELP
smtp_service_extension      8BITMIME
smtp_service_extension      SIZE 102400000
smtp_service_extension      ENHANCEDSTATUSCODES
smtp_service_extension      AUTH PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
smtp_service_extension      DSN
smtp_service_extension      ETRN
smtp_service_extension      STARTTLS
#
#########################################
# smtp_auth_reversibleonly
#
# only offer authentication mechanisms which allow reversing
# the authentication information sent by a client
# to clear text username/password.
# This option only takes effect if 'smtp_extended_smtp' is
# enabled and 'smtp_service_extension AUTH' is configured.
#
# Syntax: smtp_auth_reversibleonly [yes|no]
#
# Default: no
#
#smtp_auth_reversibleonly   yes
 
 
#########################################
# smtp_auth_required
#
# Force the client to authenticate.
# This option only takes effect if 'smtp_extended_smtp' is
# enabled and 'smtp_service_extension AUTH' is configured.
#
# Syntax: smtp_auth_required [yes|no]
#
# Default: no
#
#smtp_auth_required yes
#########################################
# smtp_ssl_keyfile
#
# Name of the SSL private key PEM file.
# The key MUST NOT be encrypted!
#
# This option only takes effect if 'smtp_extended_smtp' is
# enabled and 'smtp_service_extension STARTTLS' is configured.
#
# The file must be placed in /certs/
#
# Note: If no key file is specified, the extension STARTTLS
# will be disabled.
#
# Syntax: smtp_ssl_keyfile 
#
# Default: default_key.pem
#
#smtp_ssl_keyfile   smtp_key.pem
 
 
#########################################
# smtp_ssl_certfile
#
# Name of the SSL certificate PEM file.
#
# This option only takes effect if 'smtp_extended_smtp' is
# enabled and 'smtp_service_extension STARTTLS' is configured.
#
# The file must be placed in /certs/
#
# Note: If no cert file is specified, the extension STARTTLS
# will be disabled.
#
# Syntax: smtp_ssl_certfile 
#
# Default: default_cert.pem
#
#smtp_ssl_certfile  smtp_cert.pem
#########################################
# smtp_ssl_dhfile
#
# Name of the Diffie-Hellman parameter PEM file.
#
# The file must be placed in /certs/
#
# Syntax: smtp_ssl_dhfile 
#
# Default: none
#
#smtp_ssl_dhfile    smtp_dh1024.pem
 
 
 
#############################################################
# Service SMTPS
#############################################################
 
#########################################
# smtps_bind_port
#
# Port number to bind SMTPS service to
#
# Syntax: smtps_bind_port 
#
# Default: 465
#
#smtps_bind_port    465
#########################################
# smtps_fqdn_hostname
#
# The FQDN hostname used for SMTPS
#
# Syntax: smtps_fqdn_hostname 
#
# Default: mail.inetsim.org
#
#smtps_fqdn_hostname    foo.bar.org
 
 
#########################################
# smtps_banner
#
# The banner string used in SMTPS greeting message
#
# Syntax: smtps_banner 
#
# Default: "INetSim Mail Service ready."
#
#smtps_banner       "SMTPS Mailer ready."
#########################################
# smtps_helo_required
#
# Client has to send HELO/EHLO before any other command
#
# Syntax: smtps_helo_required [yes|no]
#
# Default: no
#
#smtps_helo_required    yes
 
 
#########################################
# smtps_extended_smtp
#
# Turn support for extended smtp (ESMTP) on or off
#
# Syntax: smtps_extended_smtp [yes|no]
#
# Default: yes
#
#smtps_extended_smtp    no
#########################################
# smtps_service_extension
#
# SMTP service extensions offered to client.
# For more information, see
# 
#
# Syntax: smtp_service_extension 
#
# Supported extensions and parameters:
# VRFY
# EXPN
# HELP
# 8BITMIME
# SIZE          # one optional parameter
# ENHANCEDSTATUSCODES
# AUTH          # one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
# DSN
# SEND
# SAML
# SOML
# TURN
# ETRN
# ATRN
# VERP
# MTRK
# CHUNKING
# DELIVERBY     # one optional parameter
# SUBMITTER
# CHECKPOINT
# BINARYMIME
# NO-SOLICITING     # one optional parameter
# FUTURERELEASE     # two required parameters
#
# Default: none
#
smtps_service_extension     VRFY
smtps_service_extension     EXPN
smtps_service_extension     HELP
smtps_service_extension     8BITMIME
smtps_service_extension     SIZE 102400000
smtps_service_extension     ENHANCEDSTATUSCODES
smtps_service_extension     AUTH PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
smtps_service_extension     DSN
smtps_service_extension     ETRN
#
 
 
#########################################
# smtps_auth_reversibleonly
#
# only offer authentication mechanisms which allow reversing
# the authentication information sent by a client
# to clear text username/password.
# This option only takes effect if 'smtps_extended_smtp' is
# enabled and 'smtps_service_extension AUTH' is configured.
#
# Syntax: smtps_auth_reversibleonly [yes|no]
#
# Default: no
#
#smtps_auth_reversibleonly  yes
#########################################
# smtps_auth_required
#
# Force the client to authenticate.
# This option only takes effect if 'smtps_extended_smtp' is
# enabled and 'smtp_service_extension AUTH' is configured.
#
# Syntax: smtps_auth_required [yes|no]
#
# Default: no
#
#smtps_auth_required    yes
 
 
#########################################
# smtps_ssl_keyfile
#
# Name of the SSL private key PEM file.
# The key MUST NOT be encrypted!
#
# The file must be placed in /certs/
#
# Syntax: smtps_ssl_keyfile 
#
# Default: default_key.pem
#
#smtps_ssl_keyfile  smtps_key.pem
#########################################
# smtps_ssl_certfile
#
# Name of the SSL certificate PEM file.
#
# The file must be placed in /certs/
#
# Syntax: smtps_ssl_certfile 
#
# Default: default_cert.pem
#
#smtps_ssl_certfile smtps_cert.pem
 
 
#########################################
# smtps_ssl_dhfile
#
# Name of the Diffie-Hellman parameter PEM file.
#
# The file must be placed in /certs/
#
# Syntax: smtps_ssl_dhfile 
#
# Default: none
#
#smtps_ssl_dhfile   smtps_dh1024.pem
#############################################################
# Service POP3
#############################################################
#########################################
# pop3_bind_port
#
# Port number to bind POP3 service to
#
# Syntax: pop3_bind_port 
#
# Default: 110
#
#pop3_bind_port     110
 
 
#########################################
# pop3_banner
#
# The banner string used in POP3 greeting message
#
# Syntax: pop3_banner 
#
# Default: "INetSim POP3 Server ready"
#
#pop3_banner        "POP3 Server ready"
#########################################
# pop3_hostname
#
# The hostname used in POP3 greeting message
#
# Syntax: pop3_hostname 
#
# Default: pop3host
#
#pop3_hostname      pop3server
 
 
#########################################
# pop3_mbox_maxmails
#
# Maximum number of e-mails to select from supplied mbox files
# for creation of random POP3 mailbox
#
# Syntax: pop3_mbox_maxmails 
#
# Default: 10
#
#pop3_mbox_maxmails 20
#########################################
# pop3_mbox_reread
#
# Re-read supplied mbox files if POP3 service was inactive
# for  seconds
#
# Syntax: pop3_mbox_reread 
#
# Default: 180
#
#pop3_mbox_reread   300
 
 
#########################################
# pop3_mbox_rebuild
#
# Rebuild random POP3 mailbox if POP3 service was inactive
# for  seconds
#
# Syntax: pop3_mbox_rebuild 
#
# Default: 60
#
#pop3_mbox_rebuild  120
#########################################
# pop3_enable_apop
#
# Turn APOP on or off
#
# Syntax: pop3_enable_apop [yes|no]
#
# Default: yes
#
#pop3_enable_apop   no
 
 
#########################################
# pop3_auth_reversibleonly
#
# only offer authentication mechanisms which allow reversing
# the authentication information sent by a client
# to clear text username/password
#
# Syntax: pop3_auth_reversibleonly [yes|no]
#
# Default: no
#
#pop3_auth_reversibleonly   yes
#########################################
# pop3_enable_capabilities
#
# Turn support for pop3 capabilities on or off
#
# Syntax: pop3_enable_capabilities [yes|no]
#
# Default: yes
#
#pop3_enable_capabilities   no
 
 
#########################################
# pop3_capability
#
# POP3 capabilities offered to client.
# For more information, see
# 
#
# Syntax: pop3_capability 
#
# Supported capabilities and parameters:
# TOP
# USER
# UIDL
# SASL          # one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
# RESP-CODES
# EXPIRE        # one required parameter and one optional parameter
# LOGIN-DELAY       # one required parameter and one optional parameter
# IMPLEMENTATION    # one required parameter
# AUTH-RESP-CODE
# STLS
#
# Default: none
#
pop3_capability     TOP
pop3_capability     USER
pop3_capability     SASL PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
pop3_capability     UIDL
pop3_capability     IMPLEMENTATION "INetSim POP3 server"
pop3_capability     STLS
#
#########################################
# pop3_ssl_keyfile
#
# Name of the SSL private key PEM file.
# The key MUST NOT be encrypted!
#
# This option only takes effect if 'pop3_enable_capabilities' is
# true and 'pop3_capability STLS' is configured.
#
# The file must be placed in /certs/
#
# Note: If no key file is specified, capability STLS will be disabled.
#
# Syntax: pop3_ssl_keyfile 
#
# Default: default_key.pem
#
#pop3_ssl_keyfile   pop3_key.pem
 
 
#########################################
# pop3_ssl_certfile
#
# Name of the SSL certificate PEM file.
#
# This option only takes effect if 'pop3_enable_capabilities' is
# true and 'pop3_capability STLS' is configured.
#
# The file must be placed in /certs/
#
# Note: If no cert file is specified, capability STLS will be disabled.
#
# Syntax: pop3_ssl_certfile 
#
# Default: default_cert.pem
#
#pop3_ssl_certfile  pop3_cert.pem
#########################################
# pop3_ssl_dhfile
#
# Name of the Diffie-Hellman parameter PEM file.
#
# The file must be placed in /certs/
#
# Syntax: pop3_ssl_dhfile 
#
# Default: none
#
#pop3_ssl_dhfile    pop3_dh1024.pem
 
 
#############################################################
# Service POP3S
#############################################################
 
#########################################
# pop3s_bind_port
#
# Port number to bind POP3S service to
#
# Syntax: pop3s_bind_port 
#
# Default: 995
#
#pop3s_bind_port        995
#########################################
# pop3s_banner
#
# The banner string used in POP3 greeting message
#
# Syntax: pop3s_banner 
#
# Default: "INetSim POP3 Server ready"
#
#pop3s_banner       "POP3 Server ready"
 
 
#########################################
# pop3s_hostname
#
# The hostname used in POP3 greeting message
#
# Syntax: pop3s_hostname 
#
# Default: pop3host
#
#pop3s_hostname     pop3server
#########################################
# pop3s_mbox_maxmails
#
# Maximum number of e-mails to select from supplied mbox files
# for creation of random POP3 mailbox
#
# Syntax: pop3s_mbox_maxmails 
#
# Default: 10
#
#pop3s_mbox_maxmails    20
 
 
#########################################
# pop3s_mbox_reread
#
# Re-read supplied mbox files if POP3S service was inactive
# for  seconds
#
# Syntax: pop3s_mbox_reread 
#
# Default: 180
#
#pop3s_mbox_reread  300
#########################################
# pop3s_mbox_rebuild
#
# Rebuild random POP3 mailbox if POP3S service was inactive
# for  seconds
#
# Syntax: pop3s_mbox_rebuild 
#
# Default: 60
#
#pop3s_mbox_rebuild 120
 
 
#########################################
# pop3s_enable_apop
#
# Turn APOP on or off
#
# Syntax: pop3s_enable_apop [yes|no]
#
# Default: yes
#
#pop3s_enable_apop  no
#########################################
# pop3s_auth_reversibleonly
#
# only offer authentication mechanisms which allow reversing
# the authentication information sent by a client
# to clear text username/password
#
# Syntax: pop3s_auth_reversibleonly [yes|no]
#
# Default: no
#
#pop3s_auth_reversibleonly  yes
 
 
#########################################
# pop3s_enable_capabilities
#
# Turn support for pop3 capabilities on or off
#
# Syntax: pop3s_enable_capabilities [yes|no]
#
# Default: yes
#
#pop3s_enable_capabilities  no
#########################################
# pop3s_capability
#
# POP3 capabilities offered to client.
# For more information, see
# 
#
# Syntax: pop3s_capability 
#
# Supported capabilities and parameters:
# TOP
# USER
# UIDL
# SASL          # one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
# RESP-CODES
# EXPIRE        # one required parameter and one optional parameter
# LOGIN-DELAY       # one required parameter and one optional parameter
# IMPLEMENTATION    # one required parameter
# AUTH-RESP-CODE
#
# Default: none
#
pop3s_capability    TOP
pop3s_capability    USER
pop3s_capability    SASL PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
pop3s_capability    UIDL
pop3s_capability    IMPLEMENTATION "INetSim POP3s server"
#
 
 
#########################################
# pop3s_ssl_keyfile
#
# Name of the SSL private key PEM file.
# The key MUST NOT be encrypted!
#
# The file must be placed in /certs/
#
# Syntax: pop3s_ssl_keyfile 
#
# Default: default_key.pem
#
#pop3s_ssl_keyfile  pop3s_key.pem
#########################################
# pop3s_ssl_certfile
#
# Name of the SSL certificate PEM file.
#
# The file must be placed in /certs/
#
# Syntax: pop3s_ssl_certfile 
#
# Default: default_cert.pem
#
#pop3s_ssl_certfile pop3s_cert.pem
 
 
#########################################
# pop3s_ssl_dhfile
#
# Name of the Diffie-Hellman parameter PEM file.
#
# The file must be placed in /certs/
#
# Syntax: pop3s_ssl_dhfile 
#
# Default: none
#
#pop3s_ssl_dhfile   pop3s_dh1024.pem
#############################################################
# Service TFTP
#############################################################
#########################################
# tftp_bind_port
#
# Port number to bind TFTP service to
#
# Syntax: tftp_bind_port 
#
# Default: 69
#
#tftp_bind_port     69
 
 
#########################################
# tftp_allow_overwrite
#
# Allow overwriting of existing files
#
# Syntax: tftp_allow_overwrite [yes|no]
#
# Default: no
#
#tftp_allow_overwrite   yes
#########################################
# tftp_enable_options
#
# Turn support for tftp options on or off
#
# Syntax: tftp_enable_options [yes|no]
#
# Default: yes
#
#tftp_enable_options    no
 
 
#########################################
# tftp_option
#
# TFTP extensions offered to client.
# For more information, see RFC 2347
#
# Syntax: tftp_option 

Then start the simulator with the inetsim command. It has to run as root (sudo inetsim): the services bind privileged ports such as 53 and 80 before dropping to the service_run_as_user account, and the redirection rules need root as well.
If the output ends with "Simulation running." the server is up. One error is printed above that line because one of the enabled services fails to start (the page does not record which); it does not affect this lab, so it can be ignored or the corresponding start_service line can be commented out. To confirm the DNS service answers as configured before running the sample, query it from Kali: dig @192.168.40.130 www.example.com +short should print 192.168.40.130. Stop INetSim with Ctrl-C when the analysis is done; it then writes a report summarising every connection it saw (create_reports, on by default).

2. In Windows 10, download, install and open ApateDNS. In the DNS Reply IP field enter the address ApateDNS should put into every DNS answer, i.e. the Kali VM's address 192.168.40.130 where INetSim listens, then click Start Server. ApateDNS needs administrator rights to bind port 53; while it runs, every name the sample resolves maps to Kali, so the sample's follow-on connections land on INetSim's fake services. (Pointing the Windows adapter's DNS server at 192.168.40.130 and letting INetSim's DNS answer gives the same effect; ApateDNS is used here because its window shows each lookup as it happens.)
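INetSim's dns_default_ip on Kali (step 1) and ApateDNS's DNS Reply IP on Windows (step 2) do the same thing at the wire level: every A query comes back with the lab address, regardless of the name asked. The example below is added here and is not code from the page, from ApateDNS or from INetSim. build_query forms the query a stub resolver sends, fake_reply produces the answer such a fake server returns (an A record for any A/IN question, an empty NOERROR answer otherwise), parse_answer_ips reads a reply back, and check_resolver sends one real query to the INetSim box so the configured answer can be confirmed before the sample runs. The address 192.168.40.130 and the name www.malwareanalysisbook.com are the page's values; the function names are mine.

```python
"""Minimal DNS wire-format helpers showing what the lab's fake DNS servers do.

Added example, not part of the original post, ApateDNS or INetSim.
"""
import socket
import struct

INETSIM_DNS = "192.168.40.130"                 # Kali VM; value of dns_default_ip (page)
SAMPLE_NAME = "www.malwareanalysisbook.com"    # name Lab01-03.exe resolves (page)


def encode_name(name):
    """Hostname in DNS label format: length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Recursive A/IN query (QTYPE=1, QCLASS=1), as a Windows stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_question(pkt):
    """Return (txid, qname, qtype, qclass, offset past the question) of a 1-question packet."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name not supported")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pos + 4


def fake_reply(query, reply_ip, ttl=60):
    """Answer any A/IN question with reply_ip, as ApateDNS / INetSim dns_default_ip do.
    Other question types get an empty NOERROR response so the client moves on."""
    txid, _qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    answers, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        # Owner name is a compression pointer (0xC00C) back to the question name.
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(reply_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA, RCODE=0
    return header + question + answers


def parse_answer_ips(reply):
    """Extract the A-record addresses from a reply's answer section."""
    _txid, flags, _qd, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    pos = parse_question(reply)[4]
    ips = []
    for _ in range(ancount):
        if reply[pos] & 0xC0 == 0xC0:          # compressed owner name
            pos += 2
        else:                                  # uncompressed label sequence
            while reply[pos] != 0:
                pos += 1 + reply[pos]
            pos += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(reply[pos:pos + 4]))
        pos += rdlen
    return ips


def check_resolver(server_ip, name, expected_ip, timeout=2.0):
    """Send one real query to the lab DNS server and confirm it lies as configured.
    Network call: run it from the Kali or Windows VM, not in the offline test."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        reply, _ = s.recvfrom(512)
    if reply[:2] != query[:2]:
        return False                           # transaction ID mismatch: not our answer
    return parse_answer_ips(reply) == [expected_ip]


if __name__ == "__main__":
    # Offline demonstration of the exchange for the lab's sample domain.
    r = fake_reply(build_query(SAMPLE_NAME), INETSIM_DNS)
    print(SAMPLE_NAME, "->", parse_answer_ips(r))
```

check_resolver(INETSIM_DNS, "www.example.com", INETSIM_DNS) from the Windows VM is a quick way to confirm that INetSim, not some leftover resolver, is answering on the lab segment; the transaction-ID check matters because a reply with the wrong ID is exactly what a stale or spoofed response looks like.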

3. Double-click Lab01-03.exe in Windows 10. If a page like the one below appears (screenshot not reproduced here), the lab succeeded: the content is INetSim's fake HTTP response (http_default_fakefile, sample.html), which means the DNS answer sent the sample to Kali and INetSim handled the request.

In ApateDNS we can also see that the malicious code requested the name www.malwareanalysisbook.com.

Source: https://www.mshxw.com/it/323967.html (reposted from www.mshxw.com)