______ _ ________ _ _ ______ _______ _ _ _____
| ____/\ | |/ / ____| \ | | ____|__ __| | \ | |/ ____|
| |__ / \ | ' /| |__ | \| | |__ | |______| \| | | __
| __/ /\ \ | < | __| | . ` | __| | |______| . ` | | |_ |
| | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| |
|_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____|
D O C U M E N T A T I O N
FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows. FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski.
The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware's functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG's configurable interception engine and modular framework highly useful when testing application's specific functionality and prototyping PoCs.
You can install FakeNet-NG in a few different ways.
It is easiest to simply download the compiled version which can be obtained from the releases page:
https://www.github.com/fireeye/flare-fakenet-ng/releases
Execute FakeNet-NG by running 'fakenet64.exe' or 'fakenet32.exe' for 64-bit or 32-bit version of Windows respectively.
This is the preferred method as it does not require you to install any additional modules, which is ideal for a malware analysis machine.
Alternatively you can install FakeNet-NG as a python module using pip:
pip install https://github.com/fireeye/flare-fakenet-ng/zipball/master
Or by obtaining the latest source code and installing it manually:
git clone https://www.github.com/fireeye/flare-fakenet-ng/
Change directory to the downloaded flare-fakenet-ng and run:
python setup.py install
Execute FakeNet-NG by running 'fakenet' in any directory.
Finally if you would like to avoid installing FakeNet-NG and just want to run it as is (e.g. for development), then you would need to obtain the source code and install dependencies as follows:
-
Install 64-bit or 32-bit Python 2.7.x for the 64-bit or 32-bit versions of Windows respectively.
-
Install Python dependencies:
pip install pydivert pip install dnslib pip install dpkt
NOTE: pydivert will also download and install WinDivert library and driver in the
%PYTHONHOME%\DLLsdirectory. FakeNet-NG bundles those files so they are not necessary for normal use.
2b) Optionally, you can install the following module used for testing:
pip install requests
-
Download the FakeNet-NG source code:
Execute FakeNet-NG by running it with a Python interpreter:
python fakenet.py
The easiest way to run FakeNet-NG is to simply execute the provided
executable as an Administrator. You can provide --help command-line
parameter to get simple help:
C:\tools\fakenet-ng>fakenet.exe --help
______ _ ________ _ _ ______ _______ _ _ _____
| ____/\ | |/ / ____| \ | | ____|__ __| | \ | |/ ____|
| |__ / \ | ' /| |__ | \| | |__ | |______| \| | | __
| __/ /\ \ | < | __| | . ` | __| | |______| . ` | | |_ |
| | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| |
|_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____|
Version 1.0
_____________________________________________________________
Developed by
Peter Kacherginsky
FLARE (FireEye Labs Advanced Reversing Engineering)
_____________________________________________________________
Usage: fakenet.py [options]:
Options:
-h, --help show this help message and exit
-c FILE, --config-file=FILE
configuration filename
-v, --verbose print more verbose messages.
-l LOG_FILE, --log-file=LOG_FILE
As you can see from the simple help above it is possible to configure the
configuration file used to start FakeNet-NG. By default, the tool uses
configs\default.ini; however, it can be changed with the -c parameter.
There are several example configuration files in the configs directory.
Due to the large number of different settings, FakeNet-NG relies on the
configuration files to control its functionality.
NOTE: FakeNet-NG will attempt to locate the specified configuration file, first
by using the provided absolute or relative path in case you want to store all of
your configurations. If the specified configuration file is not found,
then it will try to look in its configs directory.
The rest of the command-line options allow you to control the amount of logging output displayed as well as redirecting it to a file as opposed to dumping it on the screen.
Before we dive in and run FakeNet-NG let's go over a few basic concepts. The tool consists of several modules working together. One such important module is the diverter which is responsible for redirecting traffic to a collection of listeners. The diverter forces applications to interact with FakeNet-NG as opposed to real servers. Listeners are individual services handling incoming connections and allowing us to examine application's traffic (e.g. malware signatures).
Let's launch FakeNet-NG using default settings by running the following command:
C:\tools\fakenet-ng>fakenet.exe
Below is the annotated output log illustrating a sample intercepted DNS request and an HTTP connection:
______ _ ________ _ _ ______ _______ _ _ _____
| ____/\ | |/ / ____| \ | | ____|__ __| | \ | |/ ____|
| |__ / \ | ' /| |__ | \| | |__ | |______| \| | | __
| __/ /\ \ | < | __| | . ` | __| | |______| . ` | | |_ |
| | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| |
|_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____|
Version 1.0
_____________________________________________________________
Developed by
Peter Kacherginsky
FLARE (FireEye Labs Advanced Reverse Engineering)
_____________________________________________________________
07/06/16 10:20:52 PM [ FakeNet] Loaded configuration file: configs/default.ini
/
default configuration file /
07/06/16 10:20:52 PM [ Diverter] Capturing traffic to packets_20160706_222052.pcap
/
PCAP output file /
07/06/16 10:20:52 PM [ FakeNet] Anonymous Forwarder listener on TCP port 8080...
\
\ Anonymous Listener rule
07/06/16 10:20:52 PM [ RawTCPListener] Starting...
07/06/16 10:20:52 PM [ RawUDPListener] Starting...
07/06/16 10:20:52 PM [ FilteredListener] Starting...
07/06/16 10:20:52 PM [ DNS Server] Starting...
07/06/16 10:20:52 PM [ HTTPListener80] Starting...
07/06/16 10:20:52 PM [ HTTPListener443] Starting...
07/06/16 10:20:52 PM [ SMTPListener] Starting...
07/06/16 10:20:52 PM [ Diverter] Starting...
\
\ Listeners starting up
07/06/16 10:20:52 PM [ Diverter] Diverting ports:
07/06/16 10:20:52 PM [ Diverter] TCP: 1337, 80, 443, 25
07/06/16 10:20:52 PM [ Diverter] UDP: 1337, 53
/
Summary of diverted ports /
07/06/16 10:21:03 PM [ Diverter] Modifying outbound external UDP request packet:
07/06/16 10:21:03 PM [ Diverter] from: 192.168.250.140:49383 -> 4.2.2.1:53
07/06/16 10:21:03 PM [ Diverter] to: 192.168.250.140:49383 -> 192.168.250.140:53
07/06/16 10:21:03 PM [ Diverter] pid: 456 name: malware.exe
/
Intercepted traffic to the DNS server from malware.exe /
07/06/16 10:21:03 PM [ DNS Server] Received A request for domain 'evil.com'.
\
\ Fake DNS Listener handling the above request
07/06/16 10:21:04 PM [ Diverter] Modifying outbound external TCP request packet:
07/06/16 10:21:04 PM [ Diverter] from: 192.168.250.140:2179 -> 192.0.2.123:80
07/06/16 10:21:04 PM [ Diverter] to: 192.168.250.140:2179 -> 192.168.250.140:80
07/06/16 10:21:04 PM [ Diverter] pid: 456 name: malware.exe
/
Intercepted traffic to the web server from malware.exe /
07/06/16 10:21:08 PM [ HTTPListener80] Received a GET request.
07/06/16 10:21:08 PM [ HTTPListener80] --------------------------------------------------------------------------------
07/06/16 10:21:08 PM [ HTTPListener80] GET / HTTP/1.0
07/06/16 10:21:08 PM [ HTTPListener80]
07/06/16 10:21:08 PM [ HTTPListener80] --------------------------------------------------------------------------------
\
\ Fake HTTP Listener handling the above request
Notice that each log line has a name of the currently running FakeNet-NG
modules. For example, when it is diverting traffic, the logs will be prefixed
with the Diverter label:
07/06/16 10:21:03 PM [ Diverter] Modifying outbound external UDP request packet:
07/06/16 10:21:03 PM [ Diverter] from: 192.168.250.140:49383 -> 4.2.2.1:53
07/06/16 10:21:03 PM [ Diverter] to: 192.168.250.140:49383 -> 192.168.250.140:53
07/06/16 10:21:03 PM [ Diverter] pid: 456 name: malware.exe
At the same time, whenever individual listeners are handling diverted traffic, logs will be labeled with the name set in the configuration file:
07/06/16 10:21:03 PM [ DNS Server] Received A request for domain 'evil.com'.
To stop FakeNet-NG and close out the generated PCAP file simply press CTRL-C:
07/06/16 10:21:41 PM [ FakeNet] Stopping...
07/06/16 10:21:42 PM [ HTTPListener80] Stopping...
07/06/16 10:21:42 PM [ HTTPListener443] Stopping...
07/06/16 10:21:42 PM [ SMTPListener] Stopping...
07/06/16 10:21:43 PM [ Diverter] Stopping...
In order to take full advantage of FakeNet-NG's capabilities we must understand its configuration file structure and settings. Below is a sample configuration file:
###############################################################################
# Fakenet Configuration
[FakeNet]
DivertTraffic: Yes
###############################################################################
# Diverter Configuration
[Diverter]
DumpPackets: Yes
DumpPacketsFilePrefix: packets
ModifyLocalDNS: No
StopDNSService: Yes
###############################################################################
# Listener Configuration
[DNS Server]
Enabled: True
Port: 53
Protocol: UDP
Listener: DNSListener
DNSResponse: 192.0.2.123
NXDomains: 0
[RawTCPListener]
Enabled: True
Port: 1337
Protocol: TCP
Listener: RawListener
UseSSL: No
Timeout: 10
The configuration file is broken up into several sections.
-
[FakeNet] - Controls the behavior of the application itself. The only valid option at this point is
DivertTraffic. When enabled, it instructs the tool to launch the appropriate diverter plugin and intercept traffic. If this option is disabled, FakeNet-NG will still launch listeners, but will rely on another method to direct traffic to them (e.g. manually change DNS server). -
[Diverter] - Settings for redirecting traffic. Covered in detail below.
-
[Listener Name] - A collection of listener configurations. Each listener has a set of default settings (e.g. port, protocol) as well as listener specific configurations (e.g. DumpHTTPPosts for the HTTPListener).
Considering you have enabled the DivertTraffic setting in the [FakeNet]
configuration block, the tool will enable its traffic redirection engine to
which we will call diverter from now on as a reference to the excellent
WinDiverter library used to perform the magic behind the scenes.
The diverter will examine all of the outgoing packets and match them against a list of protocols, ports of enabled listeners. If there is a listener listening on the packet's port and protocol, then the destination address will be changed to the local machine's IP address where the listener will handle the request. At the same time, responses coming from the listener will be changed so that the source IP address would appear as if the packet is coming from the originally requested host.
You can optionally enable the DumpPackets setting to store all traffic
observed by FakeNet-NG (redirected or forwarded) to a PCAP file. It is possible
to decrypt SSL traffic between an intercepted application and one of the
listeners with SSL support. Use the instructions at the following page:
https://wiki.wireshark.org/SSL
The keys privkey.pem and server.pem used by FakeNet-NG's servers are in the
application's root directory.
Last but not least, the Windows diverter supports two DNS related settings:
- ModifyLocalDNS - modify local machine's DNS service.
- StopDNSService - stops Windows DNS client (Dnscache). This allows FakeNet to see the actual processes resolving domains as opposed to the generic 'svchost.exe' process.
By default the diverter will only intercept traffic that has a dedicated
listener created for it. However, by enabling RedirectAllTraffic setting
and configuring the default TCP and UDP handlers with the DefaultTCPListener
and DefaultUDPListener settings it is possible to dynamically handle traffic
going to ports not explicitly defined in one of the listeners. For example,
let's look at a sample configuration which redirects all traffic to
local TCP and UDP listeners on ports 1234:
RedirectAllTraffic: Yes
DefaultTCPListener: TCPListener1234
DefaultUDPListener: UDPListener1234
NOTE: We are jumping a bit ahead with listener definitions, but just
consider that TCPListener1234 and UDPListener1234 will be defined in
the section below.
With the RedirectAllTraffic setting, FakeNet-NG will modify not only the
destination address, but also the destination port so it can be handled
by one of the default listeners. Below is a sample log of traffic destined to
an external host IP address 1.1.1.1 on port 4444 which was redirected to the
default listener on port 1234 instead:
07/06/16 01:13:47 AM [ Diverter] Modifying outbound external TCP request packet:
07/06/16 01:13:47 AM [ Diverter] from: 192.168.66.129:1650 -> 1.1.1.1:4444
07/06/16 01:13:47 AM [ Diverter] to: 192.168.66.129:1650 -> 192.168.66.129:1234
07/06/16 01:13:47 AM [ Diverter] pid: 3716 name: malware.exe
It is important to note that traffic destined to the port from one of the explicitly defined listeners will still be handled by that listener and not the default listener. For example, default UDP listener will not handle DNS traffic if a separate UDP port 53 DNS listener is defined.
One issue when enabling the RedirectAllTraffic options is that you may
still want to let some traffic through to ensure normal operation of the
machine. Consider a scenario where you are trying to analyze an application
that still needs to connect to an external DNS server. You can utilize the
BlackListPortsTCP and BlackListPortsUDP settings to define a list of
ports to which traffic will be ignored and forwarded unaltered:
BlackListPortsUDP: 53
Some other diverter settings that you may consider are ProcessBlackList
and HostBlackList which allow diverter to ignore and forward traffic
coming from a specific process name or destined for a specific host
respectively.
Listener configurations define the behavior of individual listeners. Let's look at a sample listener configuration:
[TCPListener1234]
Enabled: True
Port: 1234
Protocol: TCP
Listener: RawListener
UseSSL: Yes
Timeout: 10
The configuration above consists of the listener name TCPListener1234. It
will be used for logging purposes so you can distinguish between different
listeners handling connections even if they are handling the same protocol.
The following settings are generic for all listeners:
- Enabled - specify whether or not the listener is enabled.
- Port - TCP or UDP port to listen on.
- Protocol - TCP or UDP
- Listener - Listener name to handle traffic.
- ProcessWhiteList - Only traffic from these processes will be modified and the rest will simply be forwarded.
- ProcessBlackList - Traffic from all but these processes will be simply forwarded and the rest will be modified as needed.
- HostWhiteList - Only traffic to these hosts will be modified and the rest will be simply forwarded.
- HostBlackList - Traffic to these hosts will be simply forwarded and the rest will be modified as needed.
- ExecuteCmd - Execute command on the first connection packet. This feature is useful for extending FakeNet-NG's functionality (e.g. launch a debugger on the connecting pid to help with unpacking and decoding.)
The Port and Protocol settings are necessary for the listeners to know to
which ports to bind and, if they support multiple protocol (e.g RawListener),
decide which protocol to use. They are also used by the diverter to figure out
which ports and protocols to redirect.
The Listener setting defines one of the available listener plugins to handle
redirected traffic. The current version of FakeNet-NG comes with the following
listeners:
- DNSListener - supports DNS protocol and replies to A records with either
a local machine's IP address or a configurable address in
the
DNSResponsesetting. You can also set theNXDomainsattribute to the number of requests the listener should ignore. This way you may be able to get the malware to request all of its backup C2 controller names. The listener supports both TCP and UDP protocols. - RawListener - supports basic TCP and UDP binary protocols. The default behavior is to simply echo the received packets back to the client. Supports SSL connections.
- HTTPListener - supports HTTP and HTTPS protocols. Responds with different
files in the configurable
Webrootdirectory based on the requested file extension. Optionally dumps POST requests to a configurable file which can be specified usingDumpHTTPPostsandDumpHTTPPostsFilePrefixsettings. - SMTPListener - supports SMTP protocol.
NOTE: FakeNet-NG will attempt to locate the webroot directory, first by using
the provided absolute or relative paths. If the specified webroot path is not
found, then it will try to look in its defaultFiles directory.
As a special case, FakeNet-NG automatically responds to all ICMP requests while running. So in case a malware attempts to ping a host to test connectivity it will get a valid response.
FakeNet-NG supports several filtering rules consisting of process and host blacklists and whitelists. The whitelists are treated as the rules that allow connections to the listeners while the blacklists are used to ignore the incoming connections and let them to be simply forwarded.
For example, consider the configuration below with process and host filters:
[FilteredListener]
Enabled: True
Port: 31337
Protocol: TCP
Listener: RawListener
UseSSL: No
Timeout: 10
ProcessWhiteList: malware.exe, ncat.exe
HostBlackList: 5.5.5.5
The FilteredListener above will only handle connection coming from the
processes malware.exe and ncat.exe, but will ignore any connections
destined for the host 5.5.5.5. Meaning that if a process called test.exe
attempted to connect on port 31337 it will not be redirected to the listener
and will be forwarded to wherever it was originally intended if the route
is available.
At the same time of the process malware.exe attempted to connect to port 31337
on any host other than 5.5.5.5 it will be diverted
to the FilteredListener. Any connections from the process malware.exe
destined to 5.5.5.5 would be allowed through.
Another powerful configuration setting is ExecuteCmd. It essentially
allows you to execute an arbitrary command on the first detected packet
of the connection. The value of ExecuteCmd can use several format string
variables:
{pid}- process id{procname}- process executable name{src_addr}- source address{src_port}- source port{dst_addr}- destination address{dst_port}- destination port
Consider a scenario of a packed malware sample which connects to a configured
C2 server on port 8443 (Use RedirectAllTraffic if the port is not known). In
many cases the malware would unpack itself by the time it makes the connection
making that point in execution ideal to attach to the process with a debugger
and dump an unpacked version of it for further analysis.
Let's see how this can be used to automatically launch a debugger on the first connection:
[C2Listener]
Enabled: True
Port: 8443
Protocol: TCP
Listener: RawListener
UseSSL: Yes
Timeout: 300
ProcessWhiteList: malware.exe
ExecuteCmd: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe -p {pid}
Once FakeNet-NG detects a new connection coming from the whitelisted process
malware.exe (this setting is optional), it will automatically launch windbg
and attach it to the connecting process.
NOTE: You might want to extend the normal Timeout setting in case the malware
needs to further interact with the listener.
There is a special use case where you can create a new listener configuration without defining the actual listener to handle it:
[Forwarder]
Enabled: True
Port: 8080
Protocol: TCP
ProcessWhiteList: chrome.exe
Without a listener defined, FakeNet-NG will still divert traffic to the local machine, but a separate listener must be launched by the user. For example, you could have an HTTP proxy listening for connections on port 8080 and let FakeNet-NG intercept all the traffic from applications which do not use system's proxy server settings or use hard-coded IP addresses. Using anonymous listeners you can bring FakeNet-NG's advanced traffic and process filtering capabilities to 3rd party tools.
You may also want to enable diverter's ProcessBlackList setting to allow
the external tool to communicate out to the Internet. For example, to allow
an HTTP proxy to forward proxied traffic add its process name to the process
blacklist. For example, add the following process to let Burp Proxy to
communicate out to the Internet:
ProcessBlackList: java.exe
In the scenario where application communicates on an unknown port, but you still want to redirect it to the anonymous listener on port 8080 you can define the default listener as follows:
RedirectAllTraffic: Yes
DefaultTCPListener: ForwarderTCP
DefaultUDPListener: RawUDPListener
Finally, to allow DNS traffic to still go to the default DNS server on the Internet, while redirecting all other traffic, add port 53 to the diverter's UDP port blacklist as follows:
BlackListPortsUDP: 53
FakeNet-NG is developed in Python which allows you to rapidly develop new plugins and extend existing functionality.
All listeners must implement just two methods: start() and stop(). Below is a sample listener template:
import logging
import sys
import threading
import socket
class MyListener():
def __init__(self, config, name = 'MyListener', logging_level = logging.INFO):
self.logger = logging.getLogger(name)
self.logger.setLevel(logging_level)
self.config = config
self.name = name
self.logger.info('Starting...')
self.logger.debug('Initialized with config:')
for key, value in config.iteritems():
self.logger.debug(' %10s: %s', key, value)
def start(self):
# Start listener
# ...
def stop(self):
# Stop listener
# ...
The main listener class MyListener() will be provided with a parsed
configuration dictionary containing information such as port to listen on,
protocol, etc. The main listener class will also receive the current listener
instance name and the logging info set by the user.
The only requirement for listener implementation is that you use threading so
that when FakeNet-NG calls the start() method, the listener will not block
but spawn a new thread that handles incoming connections.
Another requirement is to ensure that the listener can reliably shutdown when
the stop() method is called. For example, make use of connection timeouts to
ensure that the listener does not block on some connection for too long.
The logging convention used by FakeNet-NG's listeners is to use the self.logger object for the output. That way the logging is uniform across the application. For example to display an error or warning you would use the following:
self.logger.error("This is an error")
self.logger.warning("This is a warning")
Finally, after you finish developing the listener, copy it to the listeners\
directory and append you module name to __all__ varialbe in the listeners\__init__:
__all__ = ['RawListener', 'HTTPListener', 'DNSListener', 'SMTPListener', 'MyListener']
At this point you can let the application use the newly created listener by adding it to the configuration file:
[MyAwesomeListener]
Enabled: True
Port: 1337
Protocol: TCP
Listener: MyListener
FakeNet-NG uses the open source WinDivert library in order to perform the
traffic redirection on Windows Vista+ operating systems. The implementation of
the windows diverter is located in diverters\windows.py.
It is important to note that a lot of the Windows specific functionality is
actually implemented in the diverters\winutil.py file using ctypes to call
many of the Windows API functions directly.
It is planned to expand the support for traffic divertion
If you would like to generate a stand-alone executable you would need to install the PyInstaller module:
pip install pyinstaller
To generate the exe file run the pyinstaller as follows:
pyinstaller fakenet-ng.spec
The standalone executable will be available in the dist/ directory.
See "Not Intercepting Traffic" below.
In order to for FakeNet-NG to intercept and modify the packet, there must exist a valid network route for the packet to reach its destination.
There is an easy way to check whether or not you have routes set up correctly. Without the tool running attempt to ping the destination host. You should observe either a valid response or a timeout message. If you receive a destination not reachable error instead, then you do not have a valid route.
This is usually caused by your gateway being either not set or not reachable. For example, on a VMWare machine with host-only mode your machine will not have the gateway configured thus preventing FakeNet-NG from seeing any traffic.
To correct this issue, manually configure your primary interface to the gateway in the same subnet. First check the interface name:
C:\>netsh interface show interface
Admin State State Type Interface Name
-------------------------------------------------------------------------
Enabled Connected Dedicated Local Area Connection
In this case the interface name is "Local Area Connection" so we will use it for the rest of the commands.
Manually configure the interface IP address and gateway as follows:
C:\>netsh interface ip set address name="Local Area Connection" static 192.168.249.123 255.255.255.0 192.168.249.254
Manually set the DNS server IP address
C:\>netsh interface ip set dns name="Local Area Connection" static 4.2.2.2
If you are still having issue ensure that the gateway IP address itself is routable.
Please ensure that FakeNet-NG is extracted to the local C: drive to make sure the WinDivert driver is loaded correctly.
-
Only Windows Vista+ is supported. Please use the original Fakenet for Windows XP/2003 operating systems.
-
Local machine only traffic is not intercepted (e.g. if you tried to connect directly to one of the listeners).
-
Only traffic using TCP, UDP, and ICMP protocols are intercepted.
- FakeNet-NG was designed and developed by Peter Kacherginsky.
- Special thanks to Andrew Honig, Michael Sikorski and others for the original FakeNet which was the inspiration to develop this tool.
For bugs, crashes, or other comments please contact peter.kacherginsky@fireeye.com