What are the best ways to fake a web server
I always like netcat for this kind of thing. In this instance you could create a copy of the real response from the C&C server using
nc candcserver.com 80
submit the headers you want to pass on the command line, press Enter twice, and save it to a text file, and then serve up the file you just created using
while true; do sudo nc -l 80 < capturedpage.txt; done
and point the app you're testing at 127.0.0.1.
There might be some products which are capable of doing this, but I've written a similar proxy myself where I wanted to serve local content rather than remote content for some URIs.
Here is a modification of my code, written in Python. It is based on the Twisted library, so you might want to get it from here.
It will match URLs with the netloc part equal to "security.stackexchange.com" and replace it with "www.xkcd.org".
I hope you are familiar with Python, so you can add more functionality to this code. It should be easy to add logging, dynamically rewrite URIs and such.
Also, if you want to modify content in-transit from the malware and the C&C, take a look at my contribution for a content rewriting proxy: https://stackoverflow.com/questions/6491932/need-help-writing-a-twisted-proxy/6521024#6521024
from twisted.web import proxy, http
from twisted.internet import reactor
from urllib.parse import urlparse, urlunparse   # Python 3; on Python 2 this was "from urlparse import ..."

# Twisted handles request URIs as bytes on Python 3, so the netlocs are bytes too
fakeweb_netloc = b"www.xkcd.org"
cc_netloc = b"security.stackexchange.com"


class ProxyRequest(proxy.ProxyRequest):
    def process(self):
        res = urlparse(self.uri)
        netloc = res.netloc
        print(self.uri)                      # log every URI the client asks for
        if netloc == cc_netloc:
            # swap the C&C host for the fake one; scheme, path and query are kept.
            # Note: the client's own Host header is forwarded unchanged.
            netloc = fakeweb_netloc
            self.uri = urlunparse((res.scheme, netloc, res.path, res.params, res.query, res.fragment))
        proxy.ProxyRequest.process(self)


class MyProxy(http.HTTPChannel):
    requestFactory = ProxyRequest


class ProxyFactory(http.HTTPFactory):
    protocol = MyProxy


if __name__ == "__main__":
    factory = ProxyFactory()
    reactor.listenTCP(8080, factory)         # set the client's HTTP proxy to 127.0.0.1:8080
    reactor.run()
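Both the netcat replay in the first answer and the Twisted proxy above come down to the same thing: something on 127.0.0.1 that answers the sample's requests with a canned reply and records what the sample sent. The following is an added example, not code from either answer, that does this with the Python standard library only (no Twisted): a small HTTP server that picks a reply by (Host header, path), logs method, headers and POST body, and always emits a correct Content-Length plus Connection: close, which is what a hand-captured page replayed with nc tends to get wrong (a client that was promised keep-alive or a longer body will sit and wait). The hostname candc.example, the paths and the replies are made-up placeholders; point the sample at the server with a hosts-file entry or a DNS sinkhole.

```python
import re
import socket
import threading

# Constructed routing table: (Host header, path) -> (status, content-type, body).
# Hostnames, paths and replies are placeholders for whatever the sample expects.
ROUTES = {
    ("candc.example", "/gate.php"): (200, "text/plain", b"sleep 60\n"),
    ("candc.example", "/update.bin"): (200, "application/octet-stream", b"\x00" * 16),
}
DEFAULT = (404, "text/plain", b"not found\n")
REASON = {200: "OK", 404: "Not Found"}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body).

    Header names are lower-cased str; the body is as many bytes as
    Content-Length promises (fewer if the client sent fewer)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", "0"))
    return method.decode("ascii"), path.decode("ascii"), headers, rest[:length]


def build_response(status, ctype, body):
    """Well-formed HTTP/1.1 reply: Content-Length matches the body and
    Connection: close tells the client not to wait for more."""
    head = ("HTTP/1.1 %d %s\r\nServer: Apache\r\nContent-Type: %s\r\n"
            "Content-Length: %d\r\nConnection: close\r\n\r\n"
            % (status, REASON[status], ctype, len(body)))
    return head.encode("ascii") + body


def handle_request(raw, log=print):
    """Pure request -> response mapping, so it can be checked without sockets."""
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "").split(":")[0]   # drop :port, if any
    log("%s %s%s headers=%r body=%r" % (method, host, path, headers, body))
    # match on the path only, so /gate.php?id=1234 still hits the /gate.php route
    status, ctype, reply = ROUTES.get((host, path.split("?")[0]), DEFAULT)
    return build_response(status, ctype, reply)


def _recv_request(conn):
    """Read the headers, then as much body as Content-Length announces."""
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = conn.recv(4096)
        if not chunk:
            return b""
        raw += chunk
    head, _, rest = raw.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    need = int(m.group(1)) if m else 0
    while len(rest) < need:
        chunk = conn.recv(4096)
        if not chunk:
            break
        rest += chunk
    return head + b"\r\n\r\n" + rest


def _serve_one(conn):
    with conn:
        conn.settimeout(5)
        try:
            raw = _recv_request(conn)
            if raw:
                conn.sendall(handle_request(raw))
        except (OSError, ValueError) as exc:   # timeout, or a garbage request line
            print("dropped connection: %s" % exc)


def serve(port=8080, bind="127.0.0.1"):
    """Accept loop; one thread per connection so a stalled client cannot block the rest."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    print("fake web server listening on %s:%d" % (bind, port))
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()   # use port 80 (needs root) if the sample has the port hard-coded
```

Run it as a script and either use port 80 or leave it on 8080 and put the proxy above in front of it. handle_request takes and returns raw bytes on purpose: you can feed it a request captured from the wire and see exactly what the sample would get back before ever opening a socket.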
Consider looking at Meddler:
Meddler is a HTTP(S) Generation tool based around a simple but powerful JScript.NET event-based scripting subsystem.
This is from the excellent Fiddler family of HTTP proxy tools.