What is FakeNet-NG?
A dynamic network analysis tool called FakeNet-NG mimics network services and records network requests to help in malware research. The FLARE team is dedicated to improving and maintaining the tool to increase its functionality and usability. Though highly configurable and platform-neutral, FakeNet needed a more user-friendly and intuitive presentation of the network data it collected so you could find pertinent Network-Based Indicators (NBIs) more quickly. Google expanded FakeNet-NG to provide HTML-based output that allows you to examine, explore, and share collected network data in order to solve this problem and further improve usability.
In order to overcome this difficulty and improve usability even further, they expanded the functionality of FakeNet-NG to provide HTML-based output, which lets you see, investigate, and share network data that has been gathered.
Engaging HTML-Based Results
An HTML page with inline CSS and Javascript supports the new interactive output of FakeNet-NG. FakeNet-NG’s current text-based output and the new HTML-based output.
Using a Jinja2 template that it fills with the network data it has collected, FakeNet-NG creates each report. Your preferred browser can be used to view the final report once it has been saved to the current working directory. To analyse the recorded network activity together, you may also distribute this file to other people.
- Captured network data can be chosen, filtered, and copied using the HTML interface.
- Network data that has been gathered can be chosen, filtered, and copied using the HTML interface.
- Creation and Execution
- Planning and Execution
- Insides of FakeNet-NG
FakeNet-NG Tutorial
The three main components that make up FakeNet-NG’s modular architecture are as follows:
- Diverter: The target system’s main component intercepts all incoming and outgoing network traffic. It sends these packets to the Proxy Listener by default so that it can process them further.
- Between the Diverter and the protocol-specific Listeners lies a component known as the Proxy Listener. Based on variables including port, protocol, and data content, it examines application layer data to determine which Listener is best for every network packet.
- Protocol-specific Listeners: These specialized Listeners process requests unique to their particular protocols and produce responses that resemble authentic server behavior. Examples of these specialized Listeners are HTTP, FTP, and DNS.
Extending NBI Analysis Using FakeNet-NG
It was necessary to enhance essential components in order to record, store, and associate network data with the source activities in order to enable FakeNet-NG to provide thorough and informative reports.
FakeNet-NG Comprised:
- Improving data storage: The Diverter keeps track of extra data, such as process IDs, names, and linkages between source ports that were started by the proxy and those that were started by the original.
- Presenting NBI mapping: The Diverter allows for the unambiguous attribution of network activity by mapping network data to source processes.
- Encouraging information exchange: To ensure precise data monitoring, the Proxy Listener sends pertinent packet metadata to the Diverter.
The interactive HTML-based output is created by combining the data that is captured by each component using FakeNet-NG
- NetworkMode: Choose the network mode that FakeNet-NG should operate in.
- NetworkMode: Choose which network mode to use while launching FakeNet-NG.
- Acceptable configurations.
- Suitable configurations.
- SingleHost: control traffic coming from nearby processes.
- Manipulate traffic from other systems with MultiHost.
- Auto: Select the NetworkMode that works best for the platform right now.
- Presently, not every platform supports every NetworkMode configuration.
This is how support is currently standing:
- Only Windows supports OneHost
- With the exception of process, port, and host blacklisting and whitelisting, Linux supports both MultiHost and, in an experimental state, SingleHost mode.
- To access Linux’s MultiHost mode and Windows’ SingleHost mode, leave this set to Auto for the time being.
DNS-related setting and Windows implementation:
- ModifyLocalDNS – direct the local machine’s DNS service to the DNS listener of FakeNet-NG.
- Cease DNS Service: This command ends the DNS client service (Dnscache) on Windows. In contrast to the standard’svchost.exe’ process, this enables FakeNet-NG to observe the real processes that resolve domains.
Linux version
The following settings are supported by the Linux version of Diverter:
- LinuxRedirectNonlocal – This tells you which externally facing network interfaces to reroute to FakeNet-NG when you use it to mimic Internet connectivity for a separate host.
- Before adding rules for FakeNet-NG, use LinuxFlushIptables to flush all iptables rules.
- As long as the Linux Diverter’s termination sequence remains unbroken, the previous rules will be reinstated.
- LinuxFlushDnsCommand: If necessary, enter the appropriate command here to clear the DNS resolver cache for your Linux distribution.
- Select which detailed debug events to show with the DebugLevel option.
Upcoming projects
However think there is still room to improve the HTML-based output from FakeNet-NG so that analysts can benefit even more. A communication graph, network behavior graphically would be a crucial contribution. With edges connecting process nodes to other nodes like IP addresses or domain names, this widely used approach maps processes to the corresponding network requests. You might quickly and easily grasp a program’s communication patterns by using FakeNet-NG with this kind of visualization.
Get rid of unnecessary network traffic: Reduce noise produced by safe Windows services and apps so that the most important network information is highlighted.
Make sure the HTML report includes ICMP traffic: Present a more thorough overview of network activity by showcasing network data based on ICMP.
Add pre-set filters and filtering options: Provide pre-set filters and easy-to-use filtering tools to omit typical Microsoft network traffic.
Enhance the usability of exported network data by giving the user the option to select the information that should be included in the exported Markdown data. This will improve the formatting of the Markdown data.
In conclusion
As the go-to tool for dynamic network analysis in malware research, FakeNet-NG keeps getting better. It intend to improve its usefulness by providing interactive HTML-based output, which will enable you to traverse and analyses even the largest and most intricate network data grabs in a clear, simple, and aesthetically pleasing manner.
To make your analysis of dynamic network data more efficient, they invite you to investigate the new HTML-based output and take advantage of its filtering, selection, and copying features. For the most recent version of FakeNet-NG, download it from our Github repository, make contributions to the project, or leave comments.