FakeNet-NG is a next-generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows (and Linux, for certain modes of operation). FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski.
The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware’s functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG’s configurable interception engine and modular framework highly useful when testing an application’s specific functionality and prototyping PoCs.
- Supports DNS, HTTP, and SSL
- HTTP server always serves a file and tries to serve a meaningful file; if the malware requests a .jpg then a properly formatted .jpg is served, etc. The files being served are user configurable.
- Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
- Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
- Built-in ability to create a capture file (.pcap) for packets on localhost.
- Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.
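One way a catch-all listener can auto-detect SSL before deciding whether to wrap the connection, shown as an added Python 3 example that is not FakeNet's own code. The function names, the 2-second default timeout and the sample bytes are assumptions made for illustration.

```python
import socket
import struct

def classify_first_bytes(data):
    """Return 'tls', 'sslv2' or 'plain' for the first bytes a client sent."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        (rec_len,) = struct.unpack("!H", data[3:5])
        # TLS record: content type 22 (handshake), version 3.x,
        # plausible record length, handshake type 1 (ClientHello)
        if 0 < rec_len <= 16384 and data[5] == 0x01:
            return "tls"
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-framed ClientHello: 2-byte length with the high bit set,
        # message type 1, then the offered version (0.2 or 3.x)
        if (data[3], data[4]) == (0x00, 0x02) or data[3] == 0x03:
            return "sslv2"
    return "plain"

def peek_protocol(conn, timeout=2.0):
    """Inspect an accepted connection without consuming any of its bytes."""
    conn.settimeout(timeout)
    try:
        # MSG_PEEK leaves the data queued, so a TLS wrapper or a plain
        # reader started afterwards still sees the complete stream.
        head = conn.recv(6, socket.MSG_PEEK)
    except socket.timeout:
        # Nothing arrived: treat as plaintext (e.g. the client is waiting
        # for a server banner first).
        return "plain"
    return classify_first_bytes(head)
```

A listener would call `peek_protocol()` right after `accept()` and only hand the socket to its SSL wrapper when the result is not `"plain"`.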
How it works
FakeNet uses a variety of Windows and third-party libraries. It uses custom HTTP and DNS servers to respond to those requests. It uses OpenSSL to wrap any connection with SSL. It uses a Winsock Layered Service Provider (LSP) to redirect traffic to the localhost and to listen for traffic on new ports. It uses Python 2.7 for the Python extensions. It creates the .pcap file by reconstructing a packet header based on the traffic from send/recv calls.
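The .pcap reconstruction described above can be sketched as follows: an added Python 3 example, not FakeNet's own code, that wraps payloads observed at the send/recv level in synthesized Ethernet/IPv4/TCP headers and writes them as pcap records. The zeroed MAC addresses, fixed TTL and window, sequence numbers starting at 1, and the sample addresses and payloads are all constructed assumptions.

```python
import io
import socket
import struct

# pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def inet_checksum(data):
    """RFC 1071 ones'-complement checksum used by IPv4 and TCP."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def synth_frame(src, sport, dst, dport, seq, ack, payload):
    """Wrap bytes from one send()/recv() call in Ethernet/IPv4/TCP headers (PSH|ACK)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # zeroed MACs: none were ever observed
    return eth + ip + tcp + payload

def write_pcap(out, events, ts=0):
    """events: (src, sport, dst, dport, payload) tuples in the order the calls happened."""
    out.write(PCAP_GLOBAL)
    next_seq = {}  # per-direction byte counters so stream reassembly works
    for n, (src, sport, dst, dport, payload) in enumerate(events):
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        seq, ack = next_seq.get(flow, 1), next_seq.get(reverse, 1)
        frame = synth_frame(src, sport, dst, dport, seq, ack, payload)
        next_seq[flow] = (seq + len(payload)) & 0xFFFFFFFF
        out.write(struct.pack("<IIII", ts + n, 0, len(frame), len(frame)))
        out.write(frame)

def demo():
    # Constructed sample: one request from the analysed program, one canned reply.
    events = [
        ("192.0.2.10", 49152, "192.0.2.1", 80, b"GET /a.jpg HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        ("192.0.2.1", 80, "192.0.2.10", 49152, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ]
    buf = io.BytesIO()
    write_pcap(buf, events)
    return buf.getvalue()
```

Because the headers are synthesized, fields such as TTL, window size and MAC addresses in a capture built this way carry no evidential value; only the endpoints, ordering and payload bytes reflect what the program actually did.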
You can install FakeNet-NG in a few different ways.
It is easiest to simply download the compiled version which can be obtained from the releases page:
Execute FakeNet-NG by running ‘fakenet.exe’.
This is the preferred method for using FakeNet-NG on Windows as it does not require you to install any additional modules, which is ideal for a malware analysis machine.
Alternatively you can install FakeNet-NG as a python module using pip:
pip install https://github.com/fireeye/flare-fakenet-ng/zipball/master
Or by obtaining the latest source code and installing it manually:
git clone https://github.com/fireeye/flare-fakenet-ng/
Change directory to the downloaded flare-fakenet-ng and run:
python setup.py install
Installation on Windows requires the following pre-requisite:
Installation on Linux requires the following pre-requisites:
- Python pip package manager (e.g. python-pip for Ubuntu).
- Python development files (e.g. python-dev for Ubuntu).
- OpenSSL development files (e.g. libssl-dev for Ubuntu).
- libffi development files (e.g. libffi-dev for Ubuntu).
- libnetfilterqueue development files (e.g. libnetfilter-queue-dev for Ubuntu).
Execute FakeNet-NG by running ‘fakenet’ in any directory.
Finally if you would like to avoid installing FakeNet-NG and just want to run it as-is (e.g. for development), then you would need to obtain the source code and install dependencies as follows:
- Install 64-bit or 32-bit Python 2.7.x for the 64-bit or 32-bit versions of Windows respectively.
- Install Python dependencies:
pip install pydivert dnslib dpkt pyopenssl pyftpdlib netifaces
NOTE: pydivert will also download and install WinDivert library and driver in the %PYTHONHOME%\DLLs directory. FakeNet-NG bundles those files so they are not necessary for normal use.
- Optionally, you can install the following module used for testing:
pip install requests
- Download the FakeNet-NG source code:
Execute FakeNet-NG by running it with a Python interpreter in a privileged shell:
The easiest way to run FakeNet-NG is to simply execute the provided executable as an Administrator. You can provide the --help command-line parameter to get simple help:
    C:\tools\fakenet-ng>fakenet.exe --help
      ______      _  ________ _   _ ______ _______     _   _  _____
     |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
     | |__ /  \  | ' /| |__  |  \| | |__     | |______|  \| | |  __
     |  __/ /\ \ |  < |  __| | . ` |  __|    | |______| . ` | | |_ |
     | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
     |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|

                            Version 1.0
      _____________________________________________________________
                       Developed by FLARE Team
      _____________________________________________________________

    Usage: fakenet.py [options]:

    Options:
      -h, --help            show this help message and exit
      -c FILE, --config-file=FILE
                            configuration filename
      -v, --verbose         print more verbose messages.
      -l LOG_FILE, --log-file=LOG_FILE
As the help output above shows, you can specify the configuration file used to start FakeNet-NG. By default, the tool uses configs\default.ini; however, this can be changed with the -c parameter. There are several example configuration files in the configs directory. Due to the large number of different settings, FakeNet-NG relies on configuration files to control its functionality.
NOTE: FakeNet-NG will attempt to locate the specified configuration file, first by using the provided absolute or relative path in case you want to store all of your configurations. If the specified configuration file is not found, then it will try to look in its
The rest of the command-line options allow you to control the amount of logging output displayed as well as redirecting it to a file as opposed to dumping it on the screen.