Skip to content

Commit

Permalink
Make default gateway IP '.1' instead of '.254' (#175)
Browse files Browse the repository at this point in the history
* Make default gateway IP '.1' instead of '.254'

* Use .1 for default gateway instead of .254

* Updates to documentation:
Update documentation to use new year
Update documentation links to current working links
Update documentation to use Mandiant instead of FireEye

* Fix filepath of HTML report template

* Minor code cleanup

* Update CHANGELOG

---------

Co-authored-by: Tina Johnson <[email protected]>
  • Loading branch information
emtuls and tinajohnson authored Apr 11, 2024
1 parent 7a68d00 commit 2e3e99e
Show file tree
Hide file tree
Showing 13 changed files with 53 additions and 41 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.txt
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
Version 3.2
-----------
* Use .1 for default gateway instead of .254 because this is the default Virtual
Adapter address for VMWare and VirtualBox.
* Update documentation to use new year
* Update documentation links to current working links
* Update documentation to use Mandiant instead of FireEye
* Fix the filepath of HTML report template to work in all methods of installations
including Pyinstaller bundles.

Version 3.1
-----------
* HTML and text NBI after-reporting courtesy of @3V3RYONE and @tinajohnson
Expand Down
2 changes: 1 addition & 1 deletion LICENSE.txt
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@

END OF TERMS AND CONDITIONS

Copyright (C) 2018 FireEye, Inc.
Copyright (C) 2024 Mandiant, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand Down
10 changes: 5 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@

D O C U M E N T A T I O N

FakeNet-NG 3.0 (alpha) is a next generation dynamic network analysis tool for malware
FakeNet-NG 3.2 is a next generation dynamic network analysis tool for malware
analysts and penetration testers. It is open source and designed for the latest
versions of Windows (and Linux, for certain modes of operation). FakeNet-NG is
based on the excellent Fakenet tool developed by Andrew Honig and Michael
Expand Down Expand Up @@ -116,10 +116,10 @@ parameter to get simple help:
| | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| |
|_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____|

Version 3.0 (alpha)
Version 3.2
_____________________________________________________________
Developed by FLARE Team
Copyright (C) 2016-2023 Mandiant, Inc. All rights reserved.
Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.
_____________________________________________________________
Usage: python -m fakenet.fakenet [options]:

Expand Down Expand Up @@ -171,10 +171,10 @@ and an HTTP connection:
| | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| |
|_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____|

Version 3.0 (alpha)
Version 3.2
_____________________________________________________________
Developed by FLARE Team
Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.
_____________________________________________________________

07/06/16 10:20:52 PM [ FakeNet] Loaded configuration file: configs/default.ini
Expand Down
4 changes: 2 additions & 2 deletions docs/architecture.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,11 @@ directly (if they are not hidden behind the ProxyListener) or through the
ProxyListener. This architecture is in contrast to tools like PyNetSim (can't
find an authoritative hyperlink to cite this reference) that effectively
integrate all services into a bus. The benefit of this additional complexity in
FakeNet-NGs architecture is that it can incorporate Listeners based on generic
FakeNet-NG's architecture is that it can incorporate Listeners based on generic
code that expects to directly bind to ports and manage its own sockets. The
FakeNet-NG architecture is diagrammed subsequently.

![FakeNet-NG Architecture](https://github.com/fireeye/flare-fakenet-ng/raw/master/docs/fakenet_architecture.png "FakeNet-NG Architecture")
![FakeNet-NG Architecture](https://github.com/mandiant/flare-fakenet-ng/blob/master/docs/fakenet_architecture.png "FakeNet-NG Architecture")

# Diverters

Expand Down
6 changes: 3 additions & 3 deletions docs/contributors.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,13 @@ malware analysis on Windows XP.
## Windows

Peter Kacherginsky [implemented
FakeNet-NG](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html)
FakeNet-NG](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen)
targeting modern versions of Windows.

## Linux and Core

Michael Bailey [implemented FakeNet-NG on
Linux](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html),
Linux](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool),
and later refactored FakeNet-NG to use this as the unified packet processing
logic for both Windows and Linux.

Expand All @@ -32,7 +32,7 @@ Haigh, Michael Bailey, and Peter Kacherginsky conceptualized the Proxy Listener
and Hidden Listener mechanisms for introducing both of these content-based
protocol detection features to FakeNet-NG. Matthew Haigh then [implemented
Content-Based Protocol
Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
Detection](https://www.mandiant.com/content/fireeye-www/en_US/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).

## HTML- and Text-Based NBI After-Reporting

Expand Down
10 changes: 5 additions & 5 deletions docs/srs.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,19 +24,19 @@ Analysis](https://nostarch.com/malware).
## History
FakeNet-NG was initially released August 3, 2016 by Peter Kacherginsky with
support for Windows: [FakeNet-NG: Next Generation Dynamic Network Analysis
Tool](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html).
Tool](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen).

On July 5, 2017 FakeNet-NG was updated by Michael Bailey to add support for
Linux: [Introducing Linux Support for FakeNet-NG: FLARE's Next Generation
Dynamic Network Analysis
Tool](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html).
Tool](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool).

The next significant FakeNet-NG release was by Matthew Haigh on October 23,
2017 to introduce a proxy listener to sample, identify, and route traffic to
the most appropriate listener: [New FakeNet-NG Feature: Content-Based Protocol
Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
Detection](https://www.mandiant.com/content/fireeye-www/en_US/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).

FireEye's [flare-fakenet-ng](https://github.com/fireeye/flare-fakenet-ng)
Mandiant's [flare-fakenet-ng](https://github.com/mandiant/flare-fakenet-ng)
repository contains `README.md` which documents usage and configuration; and
`docs/internals.md` which describes Diverter internals for Linux.

Expand Down Expand Up @@ -157,7 +157,7 @@ The Configuration Logic for parsing and validating the configuration file is
spread throughout the Application, Diverter, and Listeners.

The configuration file is a
[ConfigParser](https://docs.python.org/2/library/configparser.html)-compatible
[ConfigParser](https://docs.python.org/3/library/configparser.html)-compatible
file at an operator-specified location detailing how FakeNet-NG is to behave.

Proposed: it may be beneficial to better encapsulate and centralize the
Expand Down
2 changes: 1 addition & 1 deletion fakenet/defaultFiles/FakeNet.html
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,6 @@
<h3>Contact</h3>

For bugs, crashes, or other comments please contact <b>The FLARE Team</b> by email
<b>FakeNet@fireeye.com</b>.
<b>FakeNet@mandiant.com</b>.
</body>
</html>
2 changes: 1 addition & 1 deletion fakenet/defaultFiles/FakeNet.txt
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,4 @@ FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and

Contact

For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@fireeye.com
For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@mandiant.com
27 changes: 14 additions & 13 deletions fakenet/diverters/diverterbase.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
from .debuglevels import *
from collections import namedtuple
from collections import OrderedDict
from pathlib import Path


class DivertParms(object):
Expand Down Expand Up @@ -1259,21 +1260,15 @@ def formatPkt(self, pkt, pid, comm):
Returns:
A str containing the log line
"""
if pid == None:
pid = 'None'

if comm == None:
comm = 'None'

logline = ''

if pkt.proto == 'UDP':
fmt = '| {label} {proto} | {pid:>6} | {comm:<8} | {src:>15}:{sport:<5} | {dst:>15}:{dport:<5} | {length:>5} | {flags:<11} | {seqack:<35} |'
logline = fmt.format(
label=pkt.label,
proto=pkt.proto,
pid=pid,
comm=comm,
pid=str(pid),
comm=str(comm),
src=pkt.src_ip,
sport=pkt.sport,
dst=pkt.dst_ip,
Expand Down Expand Up @@ -1304,8 +1299,8 @@ def formatPkt(self, pkt, pid, comm):
logline = fmt.format(
label=pkt.label,
proto=pkt.proto,
pid=pid,
comm=comm,
pid=str(pid),
comm=str(comm),
src=pkt.src_ip,
sport=pkt.sport,
dst=pkt.dst_ip,
Expand All @@ -1319,8 +1314,8 @@ def formatPkt(self, pkt, pid, comm):
logline = fmt.format(
label=pkt.label,
proto='UNK',
pid=pid,
comm=comm,
pid=str(pid),
comm=str(comm),
src=str(pkt.src_ip),
sport=str(pkt.sport),
dst=str(pkt.dst_ip),
Expand Down Expand Up @@ -1959,7 +1954,13 @@ def generate_html_report(self):
to the main working directory of flare-fakenet-ng. Called by stop() method
of diverter.
"""
template_file = os.path.join("fakenet", "configs", "html_report_template.html")
if getattr(sys, 'frozen', False) and hasattr(sys, '_MEIPASS'):
# Inside a Pyinstaller bundle
fakenet_dir_path = os.getcwd()
else:
fakenet_dir_path = os.fspath(Path(__file__).parents[1])

template_file = os.path.join(fakenet_dir_path, "configs", "html_report_template.html")
template_loader = jinja2.FileSystemLoader(searchpath=os.path.dirname(template_file))
template_env = jinja2.Environment(loader=template_loader)
template = template_env.get_template(os.path.basename(template_file))
Expand Down
7 changes: 4 additions & 3 deletions fakenet/diverters/winutil.py
Original file line number Diff line number Diff line change
Expand Up @@ -361,9 +361,10 @@ def fix_gateway(self):
# (Host-Only)
if self.check_ipaddresses_interface(adapter) and adapter.DhcpEnabled:

(ip_address, netmask) = next(
self.get_ipaddresses_netmask(adapter))
gw_address = ip_address[:ip_address.rfind('.')] + '.254'
(ip_address, netmask) = next(self.get_ipaddresses_netmask(adapter))
# set the gateway ip address to be that of the virtual network adapter
# https://docs.vmware.com/en/VMware-Workstation-Pro/17/com.vmware.ws.using.doc/GUID-9831F49E-1A83-4881-BB8A-D4573F2C6D91.html
gw_address = ip_address[:ip_address.rfind('.')] + '.1'

interface_name = self.get_adapter_friendlyname(adapter.Index)

Expand Down
4 changes: 2 additions & 2 deletions fakenet/fakenet.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
# analysts and penetration testers.
#
# Original developer: Peter Kacherginsky
# Current developer: FireEye FLARE Team (FakeNet@fireeye.com)
# Current developer: Mandiant FLARE Team (FakeNet@mandiant.com)

import logging
import logging.handlers
Expand Down Expand Up @@ -349,7 +349,7 @@ def main():
| | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| |
|_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____|
Version 3.1
Version 3.2
_____________________________________________________________
Developed by FLARE Team
Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.
Expand Down
8 changes: 4 additions & 4 deletions setup.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright (C) 2016-2023 Mandiant, Inc. All rights reserved.
# Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.

import os
import platform
Expand Down Expand Up @@ -26,7 +26,7 @@

setup(
name='FakeNet NG',
version='3.1',
version='3.2',
description="",
long_description="",
author="Mandiant FLARE Team with credit to Peter Kacherginsky as the original developer",
Expand All @@ -37,8 +37,8 @@
],
package_dir={'fakenet': 'fakenet'},
package_data={'fakenet': ['*.pem','diverters/*.py', 'listeners/*.py',
'listeners/ssl_utils/*.py', 'listeners/ssl_utils/*.pem', 'configs/*.ini', 'defaultFiles/*',
'lib/64/*', 'lib/32/*']},
'listeners/ssl_utils/*.py', 'listeners/ssl_utils/*.pem', 'configs/*.ini',
'configs/html_report_template.html', 'defaultFiles/*', 'lib/64/*', 'lib/32/*']},
entry_points={
"console_scripts": [
"fakenet=fakenet.fakenet:main",
Expand Down
2 changes: 1 addition & 1 deletion test/test.py
Original file line number Diff line number Diff line change
Expand Up @@ -905,7 +905,7 @@ def __init__(self, startingpath, singlehost=True):
self.listener_host_white = 8083 # HTTP listener with host whitelists
self.localhost = '127.0.0.1'
self.dns_expected = '192.0.2.123'
self.domain_dne = 'does-not-exist-amirite.fireeye.com'
self.domain_dne = 'does-not-exist-amirite.mandiant.com'
self.sender = '[email protected]'
self.recipient = '[email protected]'
self.smtpmsg = 'FakeNet-NG SMTP test email'
Expand Down

0 comments on commit 2e3e99e

Please sign in to comment.