📚 FakeNet-NG:A tool to intercept and redirect all or specific network traffic in kali linux 2.0


💡 News category: IT Security News
🔗 Source: kalilinuxdojo.com

FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows. FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski.

The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware's functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG's configurable interception engine and modular framework highly useful when testing an application's specific functionality and prototyping PoCs.

By default, FakeNet-NG is configured to start several of the most commonly used services:

  • DNS Listener on UDP port 53
  • HTTP Listener on TCP port 80
  • HTTPS Listener on TCP port 443
  • SMTP Listener on TCP port 25
  • Raw Binary Listener on both TCP and UDP port 1337. This service is also used as the default listener to handle all communications.


Download the FakeNet-NG source code in Kali Linux 2.0 using the command below:

git clone https://github.com/fireeye/flare-fakenet-ng

Now execute FakeNet-NG by running it with a Python interpreter:

python fakenet.py

Simple run

Before we dive in and run FakeNet-NG, let's go over a few basic concepts. The tool consists of several modules working together. One important module is the diverter, which is responsible for redirecting traffic to a collection of listeners. The diverter forces applications to interact with FakeNet-NG instead of real servers. Listeners are individual services that handle the incoming connections and allow us to examine an application's traffic (e.g. malware signatures).

Let's launch FakeNet-NG using default settings by running the following command:
C:\tools\fakenet-ng>fakenet.exe
Below is the annotated output log illustrating a sample intercepted DNS request and an HTTP connection:
[FakeNet-NG ASCII art banner]

Version 1.0
_____________________________________________________________
Developed by
Peter Kacherginsky
FLARE (FireEye Labs Advanced Reverse Engineering)
_____________________________________________________________

07/06/16 10:20:52 PM [           FakeNet] Loaded configuration file: configs/default.ini
    ^ default configuration file

07/06/16 10:20:52 PM [          Diverter] Capturing traffic to packets_20160706_222052.pcap
    ^ PCAP output file

07/06/16 10:20:52 PM [           FakeNet] Anonymous Forwarder listener on TCP port 8080...
    ^ Anonymous Listener rule

07/06/16 10:20:52 PM [    RawTCPListener] Starting...
07/06/16 10:20:52 PM [    RawUDPListener] Starting...
07/06/16 10:20:52 PM [  FilteredListener] Starting...
07/06/16 10:20:52 PM [        DNS Server] Starting...
07/06/16 10:20:52 PM [    HTTPListener80] Starting...
07/06/16 10:20:52 PM [   HTTPListener443] Starting...
07/06/16 10:20:52 PM [      SMTPListener] Starting...
07/06/16 10:20:52 PM [          Diverter] Starting...
    ^ Listeners starting up

07/06/16 10:20:52 PM [          Diverter] Diverting ports:
07/06/16 10:20:52 PM [          Diverter] TCP: 1337, 80, 443, 25
07/06/16 10:20:52 PM [          Diverter] UDP: 1337, 53
    ^ Summary of diverted ports

07/06/16 10:21:03 PM [          Diverter] Modifying outbound external UDP request packet:
07/06/16 10:21:03 PM [          Diverter] from: 192.168.250.140:49383 -> 4.2.2.1:53
07/06/16 10:21:03 PM [          Diverter] to: 192.168.250.140:49383 -> 192.168.250.140:53
07/06/16 10:21:03 PM [          Diverter] pid: 456 name: malware.exe
    ^ Intercepted traffic to the DNS server from malware.exe

07/06/16 10:21:03 PM [        DNS Server] Received A request for domain 'evil.com'.
    ^ Fake DNS Listener handling the above request

07/06/16 10:21:04 PM [          Diverter] Modifying outbound external TCP request packet:
07/06/16 10:21:04 PM [          Diverter] from: 192.168.250.140:2179 -> 192.0.2.123:80
07/06/16 10:21:04 PM [          Diverter] to: 192.168.250.140:2179 -> 192.168.250.140:80
07/06/16 10:21:04 PM [          Diverter] pid: 456 name: malware.exe
    ^ Intercepted traffic to the web server from malware.exe

07/06/16 10:21:08 PM [    HTTPListener80] Received a GET request.
07/06/16 10:21:08 PM [    HTTPListener80] --------------------------------------------------------------------------------
07/06/16 10:21:08 PM [    HTTPListener80] GET / HTTP/1.0
07/06/16 10:21:08 PM [    HTTPListener80]
07/06/16 10:21:08 PM [    HTTPListener80] --------------------------------------------------------------------------------
    ^ Fake HTTP Listener handling the above request
 
Notice that each log line carries the name of the FakeNet-NG module that produced it. For example, while traffic is being diverted, the log lines are prefixed with the Diverter label:

07/06/16 10:21:03 PM [          Diverter] Modifying outbound external UDP request packet:
07/06/16 10:21:03 PM [          Diverter] from: 192.168.250.140:49383 -> 4.2.2.1:53
07/06/16 10:21:03 PM [          Diverter] to: 192.168.250.140:49383 -> 192.168.250.140:53
07/06/16 10:21:03 PM [          Diverter] pid: 456 name: malware.exe

At the same time, whenever an individual listener handles diverted traffic, its log lines are labeled with the name set for it in the configuration file:

07/06/16 10:21:03 PM [        DNS Server] Received A request for domain 'evil.com'.
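As an added example (not part of the original article or of FakeNet-NG itself), the following Python script reassembles the Diverter's multi-line packet records and the DNS Server queries from log lines in exactly the format shown above, so an analyst can see per process which real destinations the sample tried to reach before redirection. The sample log is constructed from the lines above; the function and field names are the example's own.

```python
import re
from collections import defaultdict
# Constructed sample: Diverter and DNS Server lines in the format of the run above.
SAMPLE_LOG = """\
07/06/16 10:21:03 PM [          Diverter] Modifying outbound external UDP request packet:
07/06/16 10:21:03 PM [          Diverter] from: 192.168.250.140:49383 -> 4.2.2.1:53
07/06/16 10:21:03 PM [          Diverter] to: 192.168.250.140:49383 -> 192.168.250.140:53
07/06/16 10:21:03 PM [          Diverter] pid: 456 name: malware.exe
07/06/16 10:21:03 PM [        DNS Server] Received A request for domain 'evil.com'.
07/06/16 10:21:04 PM [          Diverter] Modifying outbound external TCP request packet:
07/06/16 10:21:04 PM [          Diverter] from: 192.168.250.140:2179 -> 192.0.2.123:80
07/06/16 10:21:04 PM [          Diverter] to: 192.168.250.140:2179 -> 192.168.250.140:80
07/06/16 10:21:04 PM [          Diverter] pid: 456 name: malware.exe
"""
# Every line is "<timestamp> [<module name, right-aligned>] <message>".
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d [AP]M) \[\s*(?P<module>[^\]]+)\] (?P<msg>.*)$")
PKT_RE = re.compile(r"Modifying outbound external (?P<proto>TCP|UDP) request packet:")
FLOW_RE = re.compile(r"(?P<dir>from|to): (?P<src>\S+) -> (?P<dst>\S+)")
PID_RE = re.compile(r"pid: (?P<pid>\d+) name: (?P<name>.+)")
DNS_RE = re.compile(r"Received (?P<qtype>\w+) request for domain '(?P<domain>[^']+)'")

def parse_log(text):
    """Return (diverted, dns): reassembled Diverter packet records and (qtype, domain) queries."""
    diverted, dns, cur = [], [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        module, msg = m["module"], m["msg"]
        if module == "DNS Server" and (d := DNS_RE.match(msg)):
            dns.append((d["qtype"], d["domain"]))
        elif module != "Diverter":
            continue
        elif (p := PKT_RE.match(msg)):
            cur = {"ts": m["ts"], "proto": p["proto"]}  # first line of the four-line record
        elif cur is not None and (f := FLOW_RE.match(msg)):
            # "from:" names the real destination, "to:" the local listener it was sent to instead
            cur["src"], cur["dst" if f["dir"] == "from" else "redirected_to"] = f["src"], f["dst"]
        elif cur is not None and (q := PID_RE.match(msg)):
            cur["pid"], cur["process"] = int(q["pid"]), q["name"].strip()
            diverted.append(cur)
            cur = None
    return diverted, dns

def by_process(diverted):
    """Map (pid, process) to the set of (proto, real destination) it tried to reach."""
    out = defaultdict(set)
    for r in diverted:
        out[(r["pid"], r["process"])].add((r["proto"], r["dst"]))
    return dict(out)
```

Run it over the PCAP-less console log of a real session to get the same per-process summary without opening the capture file.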

To stop FakeNet-NG and close out the generated PCAP file, simply press CTRL-C:

07/06/16 10:21:41 PM [           FakeNet] Stopping...
07/06/16 10:21:42 PM [    HTTPListener80] Stopping...
07/06/16 10:21:42 PM [   HTTPListener443] Stopping...
07/06/16 10:21:42 PM [      SMTPListener] Stopping...
07/06/16 10:21:43 PM [          Diverter] Stopping...

Configuration

In order to take full advantage of FakeNet-NG's capabilities we must understand its configuration file structure and settings. Below is a sample configuration file:

###############################################################################
# Fakenet Configuration

[FakeNet]

DivertTraffic: Yes

###############################################################################
# Diverter Configuration

[Diverter]

DumpPackets: Yes
DumpPacketsFilePrefix: packets

ModifyLocalDNS: No
StopDNSService: Yes

###############################################################################
# Listener Configuration

[DNS Server]

Enabled: True
Port: 53
Protocol: UDP
Listener: DNSListener
DNSResponse: 192.0.2.123
NXDomains: 0

[RawTCPListener]

Enabled: True
Port: 1337
Protocol: TCP
Listener: RawListener
UseSSL: No
Timeout: 10
 
The configuration file is broken up into several sections.
  • [FakeNet] - Controls the behavior of the application itself. The only valid option at this point is DivertTraffic. When enabled, it instructs the tool to launch the appropriate diverter plugin and intercept traffic. If this option is disabled, FakeNet-NG will still launch listeners, but will rely on another method to direct traffic to them (e.g. manually change DNS server).
  • [Diverter] - Settings for redirecting traffic. Covered in detail below.
  • [Listener Name] - A collection of listener configurations. Each listener has a set of default settings (e.g. port, protocol) as well as listener specific configurations (e.g. DumpHTTPPosts for the HTTPListener).
...
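As an added example, not taken from the article or from FakeNet-NG's own code, this Python snippet reads a configuration in the format shown above with the standard configparser module (the file is INI syntax with "Key: Value" pairs, which configparser accepts), derives from the enabled listener sections the per-protocol port list that the Diverter reports at startup, and flags settings that would leave an analysis run blind: DivertTraffic or DumpPackets switched off, disabled listeners, or two listeners claiming the same port. The sample configuration is constructed and trimmed to the keys the script reads; the disabled RawUDPListener section is an assumption added to exercise the Enabled check.

```python
import configparser
from collections import defaultdict
# Constructed sample (trimmed) in the format shown above; RawUDPListener is an added assumption.
SAMPLE_CONFIG = """\
[FakeNet]
DivertTraffic: Yes
[Diverter]
DumpPackets: Yes
[DNS Server]
Enabled: True
Port: 53
Protocol: UDP
Listener: DNSListener
[RawTCPListener]
Enabled: True
Port: 1337
Protocol: TCP
Listener: RawListener
[RawUDPListener]
Enabled: False
Port: 1337
Protocol: UDP
Listener: RawListener
"""
CONTROL_SECTIONS = {"FakeNet", "Diverter"}  # every other section describes a listener

def load_config(text):
    """Parse the INI-style configuration text; "Key: Value" pairs are accepted by configparser."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg

def audit(cfg):
    """Return ({proto: [ports the Diverter will redirect]}, [warnings]) for a parsed config."""
    ports, warnings, seen = defaultdict(list), [], {}
    if not cfg["FakeNet"].getboolean("DivertTraffic"):
        warnings.append("DivertTraffic is off: listeners start but nothing is redirected to them")
    if not cfg["Diverter"].getboolean("DumpPackets"):
        warnings.append("DumpPackets is off: no PCAP of the intercepted traffic is written")
    for name in (s for s in cfg.sections() if s not in CONTROL_SECTIONS):
        sec = cfg[name]
        if not sec.getboolean("Enabled", fallback=False):
            warnings.append(f"{name} is disabled")
            continue
        proto, port = sec["Protocol"].upper(), sec.getint("Port")
        if (proto, port) in seen:  # two listeners cannot both bind the same port
            warnings.append(f"{name} and {seen[proto, port]} both use {proto} port {port}")
        seen[proto, port] = name
        ports[proto].append(port)
    return dict(ports), warnings
```

The port dictionary matches the "Diverting ports" summary the Diverter prints at startup, so a mismatch between the two is a quick sign that the wrong configuration file was loaded.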