============================================================
Network Traffic Interception
============================================================

Redirect and analyze malware network traffic in an isolated REMnux environment.
Covers DNS, HTTP, HTTPS, and raw IP interception.

Related FOR610 Labs: 1.3, 1.7, 1.8

────────────────────────────────────────────────────────────

Step 1: DNS Interception
Tools: fakedns
Start fakedns to resolve ALL domains to the REMnux IP.
Verify: nslookup any-domain.com should return your REMnux IP.

  $ fakedns

Step 2: Service Emulation
Tools: inetsim, fakenet-ng, httpd
Choose the emulator based on the protocols needed.
INetSim: HTTP, HTTPS, DNS, FTP, SMTP (most complete).
FakeNet-NG: similar coverage, different engine.
httpd: simple HTTP only.

  $ inetsim
  $ fakenet
  $ httpd

Step 3: TLS/HTTPS Interception (if needed)
Tools: mitmproxy, polarproxy
For HTTPS C2: mitmproxy as a transparent proxy, or PolarProxy for TLS decryption.
Install the proxy CA cert on the analysis machine if needed.

  $ mitmproxy
  $ PolarProxy -p 443,80 -w captured.pcap

Step 4: Packet Capture
Tools: wireshark, tcpdump
Start the capture before executing the malware.
Filter: not arp and not broadcast.
Save to PCAP for later analysis.

  $ wireshark
  $ tcpdump -i eth0 -w capture.pcap

Step 5: Execute & Observe
Run the malware on the analysis VM.
Watch for: DNS queries (domain names), HTTP requests (URLs, user-agents),
raw TCP connections (IP:port).

Step 6: Traffic Analysis
Tools: wireshark, tshark, ngrep, tcpflow
Follow TCP streams for the full request/response.
Use ngrep for pattern search across packets.
Use tcpflow to extract individual streams.
Identify beaconing (connections at regular intervals).

  $ wireshark
  $ tshark -r capture.pcap
  $ ngrep -I capture.pcap 'password'
  $ tcpflow -r capture.pcap -o output/

Step 7: File Extraction
Tools: tcpxtract, networkminer
Carve files from the PCAP: downloaded payloads, exfiltrated data, second-stage malware.
NetworkMiner does this automatically.

  $ tcpxtract -f capture.pcap -o output/
  $ NetworkMiner --pcap

Step 8: IP-Based Redirection (if needed)
Tools: iptables
If the malware uses hardcoded IPs (no DNS): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT.
This redirects ALL inbound traffic to the local services on the same ports.

  $ iptables -t nat -A PREROUTING -i ens32 -j REDIRECT

Step 9: Document Network IOCs
Record: C2 domains/IPs, URI paths, user-agent strings, beacon intervals,
downloaded file hashes, TLS certificate details.

────────────────────────────────────────────────────────────
Tip: 'fhelp cheat ' for full examples
     'Ctrl+G' for interactive cheatsheet browser
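Added example for the beaconing check in Step 6 and the beacon-interval IOC in Step 9 (not part of the REMnux tooling or this cheatsheet's own commands): it groups outbound TCP SYNs from a tshark field export by destination, measures the gaps between connections, and flags destinations whose gaps are nearly constant. The SAMPLE data is constructed; the thresholds min_conns and max_jitter are assumptions to tune per capture.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not a real capture) in the shape of:
#   tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
#       -T fields -e frame.time_epoch -e ip.dst -e tcp.dstport
# 192.0.2.10 (documentation range) receives a SYN every ~60 s with slight
# jitter; 198.51.100.7 is contacted irregularly, like a one-off download.
SAMPLE = """\
1700000000.00\t192.0.2.10\t443
1700000005.00\t198.51.100.7\t80
1700000059.80\t192.0.2.10\t443
1700000120.30\t192.0.2.10\t443
1700000121.00\t198.51.100.7\t80
1700000130.00\t198.51.100.7\t80
1700000179.90\t192.0.2.10\t443
1700000240.10\t192.0.2.10\t443
1700000300.00\t192.0.2.10\t443
"""

def find_beacons(text, min_conns=4, max_jitter=0.2):
    """Return {(dst_ip, port): (mean_interval_s, jitter)} for regular talkers.

    jitter = stdev(gaps) / mean(gaps): near zero for a timer-driven beacon,
    large for human- or download-driven traffic.
    """
    by_dst = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, dst, port = line.split("\t")
            by_dst[(dst, int(port))].append(float(ts))
    beacons = {}
    for key, times in by_dst.items():
        if len(times) < min_conns:  # too few samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons[key] = (round(avg, 1), round(jitter, 3))
    return beacons

if __name__ == "__main__":
    for (ip, port), (interval, jitter) in find_beacons(SAMPLE).items():
        print(f"{ip}:{port} beacons every ~{interval}s (jitter {jitter})")
```

Record the reported interval and jitter alongside the destination as the beacon-interval IOC; a sleep with randomization shows up as a larger jitter value, so raise max_jitter before concluding a host is not periodic.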