From 2e3e99e1c604bfaa2e5240d414713a9620d1c911 Mon Sep 17 00:00:00 2001 From: Elliot Chernofsky <35854880+emtuls@users.noreply.github.com> Date: Thu, 11 Apr 2024 15:00:23 -0400 Subject: [PATCH] Make default gateway IP '.1' instead of '.254' (#175) * Make default gateway IP '.1' instead of '.254' * Use .1 for default gateway instead of .254 * Updates to documentation: Update documentation to use new year Update documentation links to current working links Update documentation to use Mandiant instead of FireEye * Fix filepath of HTML report template * Minor code cleanup * Update CHANGELOG --------- Co-authored-by: Tina Johnson --- CHANGELOG.txt | 10 ++++++++++ LICENSE.txt | 2 +- README.md | 10 +++++----- docs/architecture.md | 4 ++-- docs/contributors.md | 6 +++--- docs/srs.md | 10 +++++----- fakenet/defaultFiles/FakeNet.html | 2 +- fakenet/defaultFiles/FakeNet.txt | 2 +- fakenet/diverters/diverterbase.py | 27 ++++++++++++++------------- fakenet/diverters/winutil.py | 7 ++++--- fakenet/fakenet.py | 4 ++-- setup.py | 8 ++++---- test/test.py | 2 +- 13 files changed, 53 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 6b3fcafb..216900c8 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,3 +1,13 @@ +Version 3.2 +----------- +* Use .1 for default gateway instead of .254 because this is the default Virtual + Adapter address for VMWare and VirtualBox. +* Update documentation to use new year +* Update documentation links to current working links +* Update documentation to use Mandiant instead of FireEye +* Fix the filepath of HTML report template to work in all methods of installations + including Pyinstaller bundles. + Version 3.1 ----------- * HTML and text NBI after-reporting courtesy of @3V3RYONE and @tinajohnson diff --git a/LICENSE.txt b/LICENSE.txt index ec2449b5..dc91de02 100644 --- a/LICENSE.txt +++ b/LICENSE.txt 
@@ -175,7 +175,7 @@ END OF TERMS AND CONDITIONS - Copyright (C) 2018 FireEye, Inc. + Copyright (C) 2024 Mandiant, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.md b/README.md index 0780afc8..e083ea88 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ D O C U M E N T A T I O N -FakeNet-NG 3.0 (alpha) is a next generation dynamic network analysis tool for malware +FakeNet-NG 3.2 is a next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows (and Linux, for certain modes of operation). FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael @@ -116,10 +116,10 @@ parameter to get simple help: | | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| | |_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____| - Version 3.0 (alpha) + Version 3.2 _____________________________________________________________ Developed by FLARE Team - Copyright (C) 2016-2023 Mandiant, Inc. All rights reserved. + Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved. _____________________________________________________________ Usage: python -m fakenet.fakenet [options]: @@ -171,10 +171,10 @@ and an HTTP connection: | | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| | |_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____| - Version 3.0 (alpha) + Version 3.2 _____________________________________________________________ Developed by FLARE Team - Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved. + Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved. _____________________________________________________________ 07/06/16 10:20:52 PM [ FakeNet] Loaded configuration file: configs/default.ini diff --git a/docs/architecture.md b/docs/architecture.md index 9b0c7a2d..3d90e725 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -12,11 +12,11 @@ directly (if they are not hidden behind the ProxyListener) or through the ProxyListener. This architecture is in contrast to tools like PyNetSim (can't find an authoritative hyperlink to cite this reference) that effectively integrate all services into a bus. The benefit of this additional complexity in -FakeNet-NG’s architecture is that it can incorporate Listeners based on generic +FakeNet-NG's architecture is that it can incorporate Listeners based on generic code that expects to directly bind to ports and manage its own sockets. The FakeNet-NG architecture is diagrammed subsequently. -![FakeNet-NG Architecture](https://github.com/fireeye/flare-fakenet-ng/raw/master/docs/fakenet_architecture.png "FakeNet-NG Architecture") +![FakeNet-NG Architecture](https://github.com/mandiant/flare-fakenet-ng/blob/master/docs/fakenet_architecture.png "FakeNet-NG Architecture") # Diverters diff --git a/docs/contributors.md b/docs/contributors.md index 9185aefc..09fe09a6 100644 --- a/docs/contributors.md +++ b/docs/contributors.md @@ -13,13 +13,13 @@ malware analysis on Windows XP. ## Windows Peter Kacherginsky [implemented -FakeNet-NG](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html) +FakeNet-NG](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen) targeting modern versions of Windows. ## Linux and Core Michael Bailey [implemented FakeNet-NG on -Linux](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html), +Linux](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool), and later refactored FakeNet-NG to use this as the unified packet processing logic for both Windows and Linux. 
@@ -32,7 +32,7 @@ Haigh, Michael Bailey, and Peter Kacherginsky conceptualized the Proxy Listener and Hidden Listener mechanisms for introducing both of these content-based protocol detection features to FakeNet-NG. Matthew Haigh then [implemented Content-Based Protocol -Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html). +Detection](https://www.mandiant.com/content/fireeye-www/en_US/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html). ## HTML- and Text-Based NBI After-Reporting diff --git a/docs/srs.md b/docs/srs.md index 89333cdf..29c49447 100644 --- a/docs/srs.md +++ b/docs/srs.md 
@@ -24,19 +24,19 @@ Analysis](https://nostarch.com/malware). ## History FakeNet-NG was initially released August 3, 2016 by Peter Kacherginsky with support for Windows: [FakeNet-NG: Next Generation Dynamic Network Analysis -Tool](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html). +Tool](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen). On July 5, 2017 FakeNet-NG was updated by Michael Bailey to add support for Linux: [Introducing Linux Support for FakeNet-NG: FLARE's Next Generation Dynamic Network Analysis -Tool](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html). +Tool](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool). The next significant FakeNet-NG release was by Matthew Haigh on October 23, 2017 to introduce a proxy listener to sample, identify, and route traffic to the most appropriate listener: [New FakeNet-NG Feature: Content-Based Protocol -Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html). +Detection](https://www.mandiant.com/content/fireeye-www/en_US/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html). -FireEye's [flare-fakenet-ng](https://github.com/fireeye/flare-fakenet-ng) +Mandiant's [flare-fakenet-ng](https://github.com/mandiant/flare-fakenet-ng) repository contains `README.md` which documents usage and configuration; and `docs/internals.md` which describes Diverter internals for Linux. 
@@ -157,7 +157,7 @@ The Configuration Logic for parsing and validating the configuration file is spread throughout the Application, Diverter, and Listeners. The configuration file is a -[ConfigParser](https://docs.python.org/2/library/configparser.html)-compatible +[ConfigParser](https://docs.python.org/3/library/configparser.html)-compatible file at an operator-specified location detailing how FakeNet-NG is to behave. Proposed: it may be beneficial to better encapsulate and centralize the diff --git a/fakenet/defaultFiles/FakeNet.html b/fakenet/defaultFiles/FakeNet.html index 418c0dd4..e7746792 100644 --- a/fakenet/defaultFiles/FakeNet.html +++ b/fakenet/defaultFiles/FakeNet.html @@ -32,6 +32,6 @@

Contact

For bugs, crashes, or other comments please contact The FLARE Team by email -FakeNet@fireeye.com. +FakeNet@mandiant.com. \ No newline at end of file diff --git a/fakenet/defaultFiles/FakeNet.txt b/fakenet/defaultFiles/FakeNet.txt index 10c24c8d..b4b0c326 100644 --- a/fakenet/defaultFiles/FakeNet.txt +++ b/fakenet/defaultFiles/FakeNet.txt @@ -14,4 +14,4 @@ FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Contact -For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@fireeye.com \ No newline at end of file +For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@mandiant.com \ No newline at end of file diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py index 2aadfa19..7ebe8bdf 100644 --- a/fakenet/diverters/diverterbase.py +++ b/fakenet/diverters/diverterbase.py @@ -16,6 +16,7 @@ from .debuglevels import * from collections import namedtuple from collections import OrderedDict +from pathlib import Path class DivertParms(object): @@ -1259,12 +1260,6 @@ def formatPkt(self, pkt, pid, comm): Returns: A str containing the log line """ - if pid == None: - pid = 'None' - - if comm == None: - comm = 'None' - logline = '' if pkt.proto == 'UDP': @@ -1272,8 +1267,8 @@ def formatPkt(self, pkt, pid, comm): logline = fmt.format( label=pkt.label, proto=pkt.proto, - pid=pid, - comm=comm, + pid=str(pid), + comm=str(comm), src=pkt.src_ip, sport=pkt.sport, dst=pkt.dst_ip, @@ -1304,8 +1299,8 @@ def formatPkt(self, pkt, pid, comm): logline = fmt.format( label=pkt.label, proto=pkt.proto, - pid=pid, - comm=comm, + pid=str(pid), + comm=str(comm), src=pkt.src_ip, sport=pkt.sport, dst=pkt.dst_ip, @@ -1319,8 +1314,8 @@ def formatPkt(self, pkt, pid, comm): logline = fmt.format( label=pkt.label, proto='UNK', - pid=pid, - comm=comm, + pid=str(pid), + comm=str(comm), src=str(pkt.src_ip), sport=str(pkt.sport), dst=str(pkt.dst_ip), 
@@ -1959,7 +1954,13 @@ def generate_html_report(self): to the main working directory of flare-fakenet-ng. Called by stop() method of diverter. """ - template_file = os.path.join("fakenet", "configs", "html_report_template.html") + if getattr(sys, 'frozen', False) and hasattr(sys, '_MEIPASS'): + # Inside a Pyinstaller bundle + fakenet_dir_path = os.getcwd() + else: + fakenet_dir_path = os.fspath(Path(__file__).parents[1]) + + template_file = os.path.join(fakenet_dir_path, "configs", "html_report_template.html") template_loader = jinja2.FileSystemLoader(searchpath=os.path.dirname(template_file)) template_env = jinja2.Environment(loader=template_loader) template = template_env.get_template(os.path.basename(template_file)) diff --git a/fakenet/diverters/winutil.py b/fakenet/diverters/winutil.py index ab83fe50..6b613f56 100644 --- a/fakenet/diverters/winutil.py +++ b/fakenet/diverters/winutil.py @@ -361,9 +361,10 @@ def fix_gateway(self): # (Host-Only) if self.check_ipaddresses_interface(adapter) and adapter.DhcpEnabled: - (ip_address, netmask) = next( - self.get_ipaddresses_netmask(adapter)) - gw_address = ip_address[:ip_address.rfind('.')] + '.254' + (ip_address, netmask) = next(self.get_ipaddresses_netmask(adapter)) + # set the gateway ip address to be that of the virtual network adapter + # https://docs.vmware.com/en/VMware-Workstation-Pro/17/com.vmware.ws.using.doc/GUID-9831F49E-1A83-4881-BB8A-D4573F2C6D91.html + gw_address = ip_address[:ip_address.rfind('.')] + '.1' interface_name = self.get_adapter_friendlyname(adapter.Index) diff --git a/fakenet/fakenet.py b/fakenet/fakenet.py index ad423bdb..850d1c8d 100644 --- a/fakenet/fakenet.py +++ b/fakenet/fakenet.py @@ -6,7 +6,7 @@ # analysts and penetration testers. # # Original developer: Peter Kacherginsky -# Current developer: FireEye FLARE Team (FakeNet@fireeye.com) +# Current developer: Mandiant FLARE Team (FakeNet@mandiant.com) import logging import logging.handlers 
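Review bot: In the PyInstaller branch the template is resolved against `os.getcwd()`, so the report only renders when fakenet is launched from a directory that happens to contain `configs/html_report_template.html`, and it picks up whatever template sits in that directory; the `_MEIPASS` the condition already tests for is the bundle's extraction root where a bundled datafile lands, so `fakenet_dir_path = sys._MEIPASS` (or `os.path.join(sys._MEIPASS, "fakenet")`, depending on how the spec lays the datafiles out) looks like the intended path. This is more than a convenience bug because Jinja2 templates evaluate arbitrary expressions and FakeNet-NG is normally started with elevated privileges, so loading a template from a user-writable working directory would let a lower-privileged local writer run code in the analyst's session — presumably outside the intended threat model, but cheap to close. While here, `jinja2.Environment(loader=template_loader)` leaves autoescape off, and if, as the changelog's "NBI after-reporting" suggests, the rendered values are hostnames, URLs and process names taken from the sample's traffic, then `jinja2.Environment(loader=template_loader, autoescape=True)` keeps a crafted indicator from becoming script in the analyst's browser. The `sys` import is not visible in this hunk, and generate_html_report continues past it.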
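Review bot: `gw_address = ip_address[:ip_address.rfind('.')] + '.1'` derives the gateway by rewriting the last dotted octet, which silently assumes a /24 even though `netmask` is fetched on the line above and then left unused; on a host-only network with any other prefix length the result is not the virtual adapter's address at all. Moving the default from .254 to .1 also makes a collision likelier, since .1 is the address the commit says the VMware/VirtualBox virtual adapter takes, so if the adapter being fixed already holds .1 the interface becomes its own gateway — a guard such as `if gw_address == ip_address:` that logs and skips the adapter would make that case explicit. Computing it from the prefix, `gw_address = str(ipaddress.ip_interface(f'{ip_address}/{netmask}').network.network_address + 1)`, needs an `ipaddress` import not visible here and assumes `netmask` comes back in dotted-quad or prefix form, which `get_ipaddresses_netmask` is not shown to guarantee. fix_gateway starts before this hunk and continues after it.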
@@ -349,7 +349,7 @@ def main(): | | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| | |_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____| - Version 3.1 + Version 3.2 _____________________________________________________________ Developed by FLARE Team Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved. diff --git a/setup.py b/setup.py index 5d721eda..3641d571 100644 --- a/setup.py +++ b/setup.py @@ -1,4 +1,4 @@ -# Copyright (C) 2016-2023 Mandiant, Inc. All rights reserved. +# Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved. import os import platform @@ -26,7 +26,7 @@ setup( name='FakeNet NG', - version='3.1', + version='3.2', description="", long_description="", author="Mandiant FLARE Team with credit to Peter Kacherginsky as the original developer", @@ -37,8 +37,8 @@ ], package_dir={'fakenet': 'fakenet'}, package_data={'fakenet': ['*.pem','diverters/*.py', 'listeners/*.py', - 'listeners/ssl_utils/*.py', 'listeners/ssl_utils/*.pem', 'configs/*.ini', 'defaultFiles/*', - 'lib/64/*', 'lib/32/*']}, + 'listeners/ssl_utils/*.py', 'listeners/ssl_utils/*.pem', 'configs/*.ini', + 'configs/html_report_template.html', 'defaultFiles/*', 'lib/64/*', 'lib/32/*']}, entry_points={ "console_scripts": [ "fakenet=fakenet.fakenet:main", diff --git a/test/test.py b/test/test.py index fa433516..a39b68b0 100644 --- a/test/test.py +++ b/test/test.py @@ -905,7 +905,7 @@ def __init__(self, startingpath, singlehost=True): self.listener_host_white = 8083 # HTTP listener with host whitelists self.localhost = '127.0.0.1' self.dns_expected = '192.0.2.123' - self.domain_dne = 'does-not-exist-amirite.fireeye.com' + self.domain_dne = 'does-not-exist-amirite.mandiant.com' self.sender = 'from-fakenet@example.org' self.recipient = 'to-fakenet@example.org' self.smtpmsg = 'FakeNet-NG SMTP test email'