This page explains how to install and operate TWMAN.

OpenFoundry project page:
http://of.openfoundry.org/projects/1543

SourceForge project page: http://sourceforge.net/projects/twman/

Installation
Installation has two parts, the Server side and the Client side. The Server stores and restores the Client's disk image, analyzes the Client image after it has been infected with a malware sample, and produces the analysis report. The Client only needs a Windows installation; it automatically fetches the malware sample from the Server, runs infected for 400 seconds, then reboots for the next analysis. The installation steps are described in detail below.

Client installation
Install a clean Windows XP, set the Client machine's boot order in the BIOS so that the LAN is the first boot device, then copy the files in the package's client folder over the C:\ directory.

Server installation
Install a clean CentOS 5.X (installing every package group is recommended), then copy the etc, fauxservers, forensics, tftpboot, Tools, usr, www, mnt and images folders from the package straight into the system root directory.

PS: If the hard disk is IDE, replace TWMAN.img in tftpboot with TWMAN-IDE.img,

and replace custom-ocs-Save and custom-ocs-Restore in /tftpboot with custom-ocs-Save-IDE and custom-ocs-Restore-IDE.

The commands for the installation steps above are listed below (including the INetSim installation).

Enable the required services
#chkconfig httpd on
#chkconfig dhcpd on
#chkconfig tftp on
--------------------------------------------------------------------------------------

Set the IP address (192.168.0.100) and check the firewall rules
#vi /usr/local/virus/iptables/iptables.rule
--------------------------------------------------------------------------------------

Check the DHCP and NFS settings
#vi /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
allow booting;
allow bootp;
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.100;
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.0.100;   # local IP
option time-offset -18000; # Eastern Standard Time
range dynamic-bootp 192.168.0.101 192.168.0.110;  # IP range handed out to clients
default-lease-time 21600;
max-lease-time 43200;
# Group the PXE bootable hosts together
# PXE-specific configuration directives...
next-server 192.168.0.100;
filename "pxelinux.0";   # makes the config file easy to locate
}
--------------------------------------------------------------------------------------

Set up the NFS restore area used by Clonezilla-live
#vi /etc/exports
/Partclone  192.168.0.0/24(rw)
--------------------------------------------------------------------------------------

Check the permissions on the related folders
#chmod -R 777 /fauxservers /images /tftpboot/pxelinux.cfg /var/www/cgi-bin /Tools/Parse-Win32Registry-0.30/bin/
--------------------------------------------------------------------------------------

Make sure AIDE and the other packages are installed
#yum install -y tcpdump wireshark libpcap-devel aide
--------------------------------------------------------------------------------------


Add the ports used by dd save and dd restore
#vi /etc/services
ddsave          45611/tcp            # Malware Analysis  save requests
ddrestore       45612/tcp            # Malware Analysis  restore requests
--------------------------------------------------------------------------------------

Check the httpd configuration file
#vi  /etc/httpd/conf/httpd.conf
AddHandler cgi-script .cgi
<Directory "/var/www/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
--------------------------------------------------------------------------------------

Check the tftp configuration file
#vi /etc/xinetd.d/tftp
service tftp
{
disable                 = no
socket_type             = dgram
protocol                = udp
wait                    = yes
user                    = root
server                  = /usr/sbin/in.tftpd
server_args             = -s /tftpboot
per_source              = 11
cps                     = 100 2
flags                   = IPv4
}
--------------------------------------------------------------------------------------

Edit sudoers with visudo so that Apache can run the CGI scripts
# visudo
Comment out the following line (around line 57)
#Defaults     requiretty
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL    (around line 84)
Add the following line to give apache permission to run the programs
apache ALL=(ALL) NOPASSWD: ALL
--------------------------------------------------------------------------------------
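The checks below are an added example, not part of the TWMAN package. They assume the addresses and paths used on this page (192.168.0.100, /Partclone, /tftpboot, ports 45611 and 45612), and the function names are hypothetical. Run against the edited files, they confirm that dhcpd hands out the PXE boot parameters, that the NFS export is limited to the client subnet, that the dd save/restore ports are registered exactly once, and that the xinetd tftp stanza is enabled and properly closed.

```shell
#!/bin/sh
# Added example, not part of the TWMAN package: sanity checks for the
# server-side files edited in the steps above. Every check takes the path
# of the file to inspect, so the same functions run against the live
# files or against copies in a test directory. Each returns 0 on success.

# dhcpd.conf: PXE booting must be allowed and the client must be pointed
# at the TFTP server and the pxelinux loader.
# $1: path to dhcpd.conf   $2: TFTP server IP (default 192.168.0.100)
check_dhcpd_pxe() {
    f="$1"; ip="${2:-192.168.0.100}"
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -Eq '^[[:space:]]*allow[[:space:]]+booting;' "$f" || return 1
    grep -Eq "^[[:space:]]*next-server[[:space:]]+${ip_re};" "$f" || return 1
    grep -Eq '^[[:space:]]*filename[[:space:]]+"pxelinux\.0";' "$f" || return 1
    return 0
}

# /etc/exports: the Clonezilla restore area must be exported to the
# client subnet, and only to that subnet.
check_nfs_export() {
    f="$1"
    grep -Eq '^/Partclone[[:space:]]+192\.168\.0\.0/24\(rw\)' "$f" || return 1
    # a second export of the same path (for example to *) is a finding
    [ "$(grep -Ec '^/Partclone[[:space:]]' "$f")" -eq 1 ] || return 1
    return 0
}

# /etc/services: both TWMAN ports must be present exactly once and must
# not be shared with any other service name.
check_services_ports() {
    f="$1"
    [ "$(grep -Ec '^ddsave[[:space:]]+45611/tcp' "$f")" -eq 1 ] || return 1
    [ "$(grep -Ec '^ddrestore[[:space:]]+45612/tcp' "$f")" -eq 1 ] || return 1
    [ "$(grep -Ec '[[:space:]]4561[12]/tcp' "$f")" -eq 2 ] || return 1
    return 0
}

# /etc/xinetd.d/tftp: the service must be enabled, rooted at /tftpboot,
# and the stanza must be closed with "}" (easy to lose when pasting).
check_tftp_xinetd() {
    f="$1"
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$f" || return 1
    grep -Eq '^[[:space:]]*server_args[[:space:]]*=.*-s[[:space:]]+/tftpboot' "$f" || return 1
    grep -Eq '^[[:space:]]*}' "$f" || return 1
    return 0
}

# Run every check against the live files and print one line per result.
twman_server_check() {
    rc=0
    for pair in "dhcpd:/etc/dhcpd.conf" "exports:/etc/exports" \
                "services:/etc/services" "tftp:/etc/xinetd.d/tftp"; do
        name=${pair%%:*}; file=${pair#*:}
        case "$name" in
            dhcpd)    check_dhcpd_pxe "$file" ;;
            exports)  check_nfs_export "$file" ;;
            services) check_services_ports "$file" ;;
            tftp)     check_tftp_xinetd "$file" ;;
        esac && echo "PASS $file" || { echo "FAIL $file"; rc=1; }
    done
    return $rc
}

# Only touch the real files when asked to, e.g. "sh twman_check.sh --live".
case "${1:-}" in
    --live) twman_server_check ;;
esac
```

Each function is deliberately a plain grep over one file, so a FAIL line points straight at the file to reopen in vi; a missing file also fails, since grep returns non-zero for it.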

Make sure tcpdump and the other tools are installed
#cd /Tools/ && rpm -ivh ngrep-1.45-1.rf.i386.rpm

--------------------------------------------------------------------------------------

Install the bundled packages
#cd /Tools/Python-2.7/
#./configure
#make
#make install

#cd /Tools/ssdeep-2.6/
#./configure
#make
#make install

#cd /Tools/libpcap-1.0.0
#./configure
#make
#make install

#cd /Tools/Parse-Win32Registry-0.30
#perl Makefile.PL

#cd /Tools/tcptrace-6.6.7
#./configure
#make
#make install

#cd /Tools/ipaudit-0.95
#make

#cd /Tools/fuse-2.7.4
#./configure
#make
#make install

#file /lib/modules/2.6.18-164.11.1.el5/kernel/fs/fuse/fuse.ko
/lib/modules/2.6.18-164.11.1.el5/kernel/fs/fuse/fuse.ko: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped
#modprobe fuse
#lsmod | grep fuse
fuse                   49237  0

#cd /Tools/ntfs-3g-2009.4.4
#./configure
#make
#make install
--------------------------------------------------------------------------------------

Install the required Perl modules
#cpan

/usr/lib/perl5/5.8.8/CPAN/Config.pm initialized.

CPAN is the world-wide archive of perl resources. It consists of about
100 sites that all replicate the same contents all around the globe.
Many countries have at least one CPAN site already. The resources
found on CPAN are easily accessible with the CPAN.pm module. If you
want to use CPAN.pm, you have to configure it properly.

If you do not want to enter a dialog now, you can answer 'no' to this
question and I'll try to autoconfigure. (Note: you can revisit this
dialog anytime later by typing 'o conf init' at the cpan prompt.)


cpan> install strict
cpan> install IO::Socket
cpan> install Parse::Win32Registry
cpan> install Getopt::Long
cpan> install File::Basename
cpan> install CGI
cpan> install Net::DNS::opcodesbyname
cpan> install Net::Server
cpan> install Net::DNS
cpan> install IO::Select
cpan> install IPC::Shareable
cpan> install Digest::SHA1
--------------------------------------------------------------------------------------

Install INetSim
#rpm -ivh /Tools/iptables-devel-1.3.5-1.2.1.fc6.mpls.1.957.i386.rpm
--------------------------------------------------------------------------------------

Confirm that libipq.h is present in /usr/include

# ls /usr/include/ | grep libipq.h
libipq.h
--------------------------------------------------------------------------------------

Install IPC-Shareable-0.60

#cd /Tools/IPC-Shareable-0.60
#perl Makefile.PL
#make
#make install
--------------------------------------------------------------------------------------

Install Perlipq-1.25
#cd /Tools/perlipq-1.25
#perl Makefile.PL
#vi Makefile

Around line 145, change INC = -I to INC = -I/usr/include/libipq

#make
#make install

Configure inetsim
#groupadd inetsim
#cd /Tools/inetsim
#sh setup.sh

Test

#/Tools/inetsim/inetsim --session test
INetSim 1.2 (2010-04-25) by Matthias Eckert & Thomas Hungenberg
Main logfile '/Tools/inetsim-1.2/log/main.log' does not exist. Trying to create it...
Main logfile '/Tools/inetsim-1.2/log/main.log' successfully created.
Sub logfile '/Tools/inetsim-1.2/log/service.log' does not exist. Trying to create it...
Sub logfile '/Tools/inetsim-1.2/log/service.log' successfully created.
Debug logfile '/Tools/inetsim-1.2/log/debug.log' does not exist. Trying to create it...
Debug logfile '/Tools/inetsim-1.2/log/debug.log' successfully created.
Using log directory: /Tools/inetsim-1.2/log/
Using data directory: /Tools/inetsim-1.2/data/
Using report directory: /Tools/inetsim-1.2/report/
Using configuration file: /Tools/inetsim-1.2/conf/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 23097) ===
Session ID: test
Listening on: 127.0.0.1
Real Date/Time: Tue May 11 18:14:20 2010
Fake Date/Time: Tue May 11 18:14:20 2010 (Delta: 0 seconds)
Forking services...
* dns 53/udp/tcp - started (PID 23099)
* http 80/tcp - failed!
* smtp 25/tcp - failed!
* smtps 465/tcp - started (PID 23103)
* https 443/tcp - failed!
* pop3 110/tcp - started (PID 23104)
* pop3s 995/tcp - started (PID 23105)
* irc 6667/tcp - started (PID 23109)
* finger 79/tcp - started (PID 23111)
* ntp 123/udp - started (PID 23110)
* ftps 990/tcp - started (PID 23107)
* syslog 514/udp - started (PID 23113)
* tftp 69/udp - failed! 位址已經有在使用
* ftp 21/tcp - started (PID 23106)
* ident 113/tcp - started (PID 23112)
* time 37/tcp - started (PID 23114)
* time 37/udp - started (PID 23115)
* daytime 13/tcp - started (PID 23116)
* daytime 13/udp - started (PID 23117)
* echo 7/tcp - started (PID 23118)
* echo 7/udp - started (PID 23119)
* discard 9/udp - started (PID 23121)
* chargen 19/tcp - started (PID 23124)
* quotd 17/tcp - started (PID 23122)
* quotd 17/udp - started (PID 23123)
* chargen 19/udp - started (PID 23125)
* dummy 1/tcp - started (PID 23126)
* dummy 1/udp - started (PID 23127)
* discard 9/tcp - failed!
done.
Simulation running
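Reading the failed lines out of a transcript like the one above by hand is error-prone. The script below, an added example that is not part of INetSim or the TWMAN package, extracts them. It assumes the console output of the test session has been saved to a file and that, as on this server, httpd and the xinetd tftp service are already enabled, which is consistent with http 80/tcp and tftp 69/udp failing to bind in the listing above. The function names and the sample transcript are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of INetSim or the TWMAN package: extract the
# services that failed to start from an INetSim console transcript.

# Print "name port/proto" for every service line that INetSim marked failed.
# $1: file holding the console output of "inetsim --session ..."
inetsim_failed_services() {
    sed -n 's|^ *\* \([a-z0-9]*\) \([0-9]*/[a-z/]*\) - failed!.*|\1 \2|p' "$1"
}

# Number of failed services; non-zero means at least one port was not bound.
inetsim_failed_count() {
    inetsim_failed_services "$1" | wc -l | tr -d ' '
}

# Annotate failed services whose port is already claimed by a daemon the
# TWMAN server itself runs (httpd on 80/tcp, xinetd tftp on 69/udp); these
# are expected clashes on this host rather than INetSim problems.
# $1: transcript file
inetsim_explain_failures() {
    inetsim_failed_services "$1" | while read -r name port; do
        case "$port" in
            80/tcp) echo "$name $port: clashes with httpd on the server" ;;
            69/udp) echo "$name $port: clashes with xinetd tftp on the server" ;;
            *)      echo "$name $port: failed, cause not known from transcript" ;;
        esac
    done
}

# Stand-alone run on a constructed excerpt of the transcript above.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Forking services...
* dns 53/udp/tcp - started (PID 23099)
* http 80/tcp - failed!
* smtp 25/tcp - failed!
* tftp 69/udp - failed! Address already in use
* ftp 21/tcp - started (PID 23106)
done.
EOF
    inetsim_explain_failures "$tmp"
    echo "failed: $(inetsim_failed_count "$tmp")"
    rm -f "$tmp"
fi
```

Run it with `sh inetsim_failed.sh --demo` to see the annotated list for the constructed excerpt, or call `inetsim_failed_count` on a saved transcript as a gate in a setup script: anything other than the two expected clashes deserves a look at what else is bound to that port.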

National Center for High-performance Computing, National Applied Research Laboratories, TaiWan Malware Analysis Net (臺灣惡意程式分析網) - TWMAN (抬丸郎)
Core By Truman 0.1 | Developed By TonTon (Mail: TonTon@nchc.narl.org.tw) | Design by IDN-Mei & Temaki
| Last Update: 2010/12/14