Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for SNI and dynamic certificate #98

Open
wants to merge 35 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
abca316
Support for SNI and dynamic certificate
Sep 14, 2018
03ed32d
De-couple SSL support from HTTPListener
htnhan Jan 18, 2019
ac6a865
ProxyListener to support SSL and handle SSL traffic
htnhan Jan 18, 2019
772902e
certutil should only run on windows
htnhan Jan 18, 2019
5ca752b
Fix issue: ssl_remote_sock is undefined on Non-SSL sockets
htnhan Mar 8, 2019
f49a91b
make_socket() now has a fallback in case SSLContext() fails
htnhan Mar 23, 2019
63c1c58
rename make_socket() to wrap_socket()
htnhan Mar 23, 2019
71da060
SSLWrapper now initialize everything in __init__()
htnhan Mar 23, 2019
fcf6b5e
Use proper logging levels
htnhan Mar 23, 2019
1987f43
Clean up logic
htnhan Mar 23, 2019
a9e6005
Fix: failed logic to check make sure both certfile and keyfile exist
htnhan Mar 23, 2019
ed762b4
Fix missing :
htnhan Mar 23, 2019
d648c8d
Fix: Invalid syntax -- random back ticks
htnhan Mar 23, 2019
b923868
Various renames
htnhan Mar 23, 2019
430c5be
We now use traceback.format_exc() output
htnhan Mar 23, 2019
19b027d
More cleanup regarding ssl_utils and __init__.py
htnhan Mar 23, 2019
f477c5d
Pass network mode config to the listners
htnhan Mar 27, 2019
51d5f32
Remove old code
htnhan Mar 27, 2019
88a4b7f
Various fixes to add a fallback when failing to generate a cert
htnhan Mar 27, 2019
45ccd7f
Merge branch 'master' into feature-sni-and-dynamic-cert
strictlymike Mar 29, 2019
b53c91e
Exceptions and logging
strictlymike Mar 29, 2019
01be068
Exceptions and logging
strictlymike Mar 29, 2019
472fe25
Fix: Handling case https://<ipaddress>
htnhan Mar 31, 2019
675a65d
SSLWrapper should only be initialized once per listener
htnhan Apr 3, 2019
4a13e66
Listeners now create the SSLWrapper once per startup
htnhan Apr 9, 2019
e2395b3
Use ignore_errors instead of catch all except
htnhan Apr 9, 2019
f34814f
New template for HTTPS tests
htnhan Apr 9, 2019
054389e
New test cases for HTTPS
htnhan Apr 9, 2019
52b5b9f
ProxyListener does not use UseSSL config keyword
htnhan Apr 25, 2019
81ef1df
Merge branch 'master' into feature-sni-and-dynamic-cert
tinajohnson Dec 11, 2023
22a6f6c
Update SNI branch to Python 3
tinajohnson Dec 15, 2023
c5327ef
Fix to avoid use of TLSv1 or TLSv1_1
tinajohnson Dec 15, 2023
5567d85
Documentation update and Python 3.12 related modifications
tinajohnson Dec 28, 2023
acb0d96
Fix exception error message syntax
tinajohnson Dec 28, 2023
65ab931
Revert filemd5 change in test.py
tinajohnson Dec 29, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion LICENSE.txt
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@

END OF TERMS AND CONDITIONS

Copyright (C) 2018 FireEye, Inc.
Copyright (C) 2016-2024 Mandiant, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand Down
26 changes: 15 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,20 +52,23 @@ Installation on Linux requires the following dependencies:
* libnetfilterqueue development files (e.g. libnetfilter-queue-dev for
Ubuntu).

Install these dependencies using the following command:
To install these dependencies, use the following command:

sudo apt-get install build-essential python-dev libnetfilter-queue-dev

Install FakeNet-NG as a Python module using pip:
Either install FakeNet-NG as a Python module using pip:

pip install https://github.com/mandiant/flare-fakenet-ng/zipball/master

Or by obtaining the latest source code and installing it manually:
Or, by obtaining the latest source code and installing it manually:

git clone https://github.com/mandiant/flare-fakenet-ng/

Next, install Microsoft C++ Build Tools from [here](https://visualstudio.microsoft.com/visual-cpp-build-tools/).

Change directory to the downloaded flare-fakenet-ng and run:

pip install setuptools
python setup.py install

Execute FakeNet-NG by running 'fakenet' in any directory.
Expand All @@ -77,30 +80,31 @@ Finally if you would like to avoid installing FakeNet-NG and just want to run it
as-is (e.g. for development), then you would need to obtain the source code and
install dependencies as follows:

1) Install 64-bit or 32-bit Python 3.7.x for the 64-bit or 32-bit versions
1) Install 64-bit or 32-bit Python 3.12 for the 64-bit or 32-bit versions
of Windows respectively.

2) Install Python dependencies:

```
pip install pydivert dnslib dpkt pyopenssl pyftpdlib netifaces

```
*NOTE*: pydivert will also download and install WinDivert library and
driver in the `%PYTHONHOME%\DLLs` directory. FakeNet-NG bundles those
files so they are not necessary for normal use.
2b) Optionally, you can install the following module used for testing:

Optionally, you can install the following module used for testing:
```
pip install requests
```
3) Download the FakeNet-NG source code:
git clone https://github.com/mandiant/flare-fakenet-ng
Execute FakeNet-NG by running it with a Python interpreter in a privileged
4) Execute FakeNet-NG by running it with a Python interpreter in a privileged
shell:

```
python -m fakenet.fakenet

```
Usage
=====
Expand Down
9 changes: 4 additions & 5 deletions docs/contributors.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,13 @@ malware analysis on Windows XP.
## Windows

Peter Kacherginsky [implemented
FakeNet-NG](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html)
FakeNet-NG](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen)
targeting modern versions of Windows.

## Linux and Core

Michael Bailey [implemented FakeNet-NG on
Linux](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html),
Linux](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool),
and later refactored FakeNet-NG to use this as the unified packet processing
logic for both Windows and Linux.

Expand All @@ -30,6 +30,5 @@ Homan developed the original concept of using a protocol "taste" callback to
sample traffic and direct clients to the appropriate server ports. Matthew
Haigh, Michael Bailey, and Peter Kacherginsky conceptualized the Proxy Listener
and Hidden Listener mechanisms for introducing both of these content-based
protocol detection features to FakeNet-NG. Matthew Haigh then [implemented
Content-Based Protocol
Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
protocol detection features to FakeNet-NG. Matthew Haigh then implemented
Content-Based Protocol Detection.
13 changes: 5 additions & 8 deletions docs/developing.md
Original file line number Diff line number Diff line change
Expand Up @@ -181,9 +181,8 @@ utilities (i.e. `pip`). Use an administrative command prompt where applicable
for installing Python modules for all users.

Pre-requisites:
* Python 2.7 x86 with `pip`
* Visual C++ for Python 2.7 development, available at:
<https://aka.ms/vcpython27>
* Python 3.12 x86 with `pip`
* Microsoft C++ [Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/)

Before installing `pyinstaller`, you may wish to take the following steps to
prevent the error `ImportError: No module named PyInstaller`:
Expand All @@ -199,11 +198,10 @@ Install FakeNet-NG to acquire most modules:
python setup.py install
```

Obtain PyDivert 2.0.9, the only version known to work with FakeNet-NG releases
prepared with PyInstaller:
Obtain PyDivert:

```
pip install pydivert==2.0.9
pip install pydivert
```

Install `pyinstaller`:
Expand Down Expand Up @@ -245,7 +243,6 @@ fakenet1.4.3\
| +-- CustomProviderExample.py
|   +-- sample_custom_response.ini
| +-- sample_raw_response.txt
| +-- sample_raw_tcp_response.txt
|
+-- defaultFiles\
| +-- FakeNet.gif
Expand All @@ -260,7 +257,7 @@ fakenet1.4.3\
|
+-- listeners\
   +-- ssl_utils
+-- __init__.pyc
+-- __init__.py
+-- privkey.pem
+-- server.pem
+-- ssl_detector.py
Expand Down
9 changes: 4 additions & 5 deletions docs/srs.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,19 +24,18 @@ Analysis](https://nostarch.com/malware).
## History
FakeNet-NG was initially released August 3, 2016 by Peter Kacherginsky with
support for Windows: [FakeNet-NG: Next Generation Dynamic Network Analysis
Tool](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html).
Tool](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen).

On July 5, 2017 FakeNet-NG was updated by Michael Bailey to add support for
Linux: [Introducing Linux Support for FakeNet-NG: FLARE's Next Generation
Dynamic Network Analysis
Tool](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html).
Tool](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool).

The next significant FakeNet-NG release was by Matthew Haigh on October 23,
2017 to introduce a proxy listener to sample, identify, and route traffic to
the most appropriate listener: [New FakeNet-NG Feature: Content-Based Protocol
Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
the most appropriate listener by implementing Content-Based Protocol Detection.

FireEye's [flare-fakenet-ng](https://github.com/fireeye/flare-fakenet-ng)
Mandiant's [flare-fakenet-ng](https://github.com/mandiant/flare-fakenet-ng)
repository contains `README.md` which documents usage and configuration; and
`docs/internals.md` which describes Diverter internals for Linux.

Expand Down
20 changes: 14 additions & 6 deletions fakenet/configs/default.ini
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ NetworkMode: Auto
# DebugLevel: specify fine-grained debug print flags to enable. Enabling all
# logging when verbose mode is selected results in overwhelming output, hence
# this setting. Valid values (comma-separated) are:
#
#
# GENPKT Generic packet information
# GENPKTV Packet analysis, displays IP, TCP, UDP fields, very wide output
# CB Diverter packet handler callback start/finish logging
Expand Down Expand Up @@ -88,7 +88,7 @@ FixDNS: Yes
# ephemeral change.
ModifyLocalDNS: Yes

# Enable 'StopDNSService' to stop Windows DNS client to see the actual
# Enable 'StopDNSService' to stop Windows DNS client to see the actual
# processes resolving domains. This is a no-op on Linux, until such time as DNS
# caching is observed to interfere with finding the pid associated with a DNS
# request.
Expand All @@ -99,16 +99,16 @@ StopDNSService: Yes
# 'DefaultUDPListener' will handle TCP and UDP traffic going to unspecified ports.
#
# NOTE: Setting default UDP listener will intercept all DNS traffic unless you
# enable a dedicated UDP port 53 DNS listener or add UDP port 53 to the
# enable a dedicated UDP port 53 DNS listener or add UDP port 53 to the
# 'BlackListPortsUDP' below so that system's default DNS server is used instead.

RedirectAllTraffic: Yes
DefaultTCPListener: ProxyTCPListener
DefaultUDPListener: ProxyUDPListener

# Specify TCP and UDP ports to ignore when diverting packets.
# Specify TCP and UDP ports to ignore when diverting packets.
# For example, you may want to avoid diverting UDP port 53 (DNS) traffic
# when trying to intercept a specific process while allowing the rest to
# when trying to intercept a specific process while allowing the rest to
# function normally
#
# NOTE: This setting is only honored when 'RedirectAllTraffic' is enabled.
Expand All @@ -131,7 +131,7 @@ BlackListPortsUDP: 67, 68, 137, 138, 443, 1900, 5355
# Listener Configuration
#
# Listener configuration consists of generic settings used by the diverter which
# are the same for all listeners and listener specific settings.
# are the same for all listeners and listener specific settings.
#
# NOTE: Listener section names will be used for logging.
#
Expand Down Expand Up @@ -199,6 +199,11 @@ BlackListPortsUDP: 67, 68, 137, 138, 443, 1900, 5355
# hostname string, !hostname to insert the actual hostname
# of the system, or !random to generate a random hostname
# between 1 and 15 characters (inclusive).
# * Static_CA - Set FakeNet to use user provided CA certificate to sign generated certificates.
# * CA_Cert - CA certificate in PEM format to be used when Static_CA config is set. Manually
# add this certificate to Windows trust store before executing FakeNet.
# * CA_Key - CA private key in PEM format to be used when Static_CA config is set.


[ProxyTCPListener]
Enabled: True
Expand All @@ -207,6 +212,9 @@ Listener: ProxyListener
Port: 38926
Listeners: HTTPListener, RawListener, FTPListener, DNSListener, POPListener, SMTPListener, TFTPListener, IRCListener
Hidden: False
Static_CA: No
CA_Cert: configs/fakenet_ca.crt
CA_Key: configs/fakenet_ca.key

[ProxyUDPListener]
Enabled: True
Expand Down
19 changes: 19 additions & 0 deletions fakenet/configs/fakenet_ca.crt
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDHzCCAgegAwIBAgIUdwSkHdOM2mMDw094Kha+9Z9/w60wDQYJKoZIhvcNAQEL
BQAwHzELMAkGA1UEBhMCVVMxEDAOBgNVBAMMB2Zha2VuZXQwHhcNMjMxMjE0MDAx
NDUxWhcNMjQwMTEzMDAxNDUxWjAfMQswCQYDVQQGEwJVUzEQMA4GA1UEAwwHZmFr
ZW5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7pGzS8bX8M3SSQ
mk79puvqGBHwWVpDK82T44N/8mXHJ1R/7jMDq2wpkSjliiAE0mxPpkzMbr9mkeP/
/31GKAszbJYnurrxxYbLyOdRst2VqoXkWTia61lrsRIGcjwzKe2zyMCcuiyRTLcP
BmYd/ie5AzyHxitlS49cub+QkIODUAKTiZT3mPu6Yw2XvYkg+up69NzC0a/XexUv
PvgbBizquKj/YzMSp5X7ieYGv0xHf8Dhf3mqh9oLk35X/qV3LqdnVPjweCR8X9ze
yhfBbDr1VoBnOe2Nb5hlU9MB//A0hgDYj5TrHa4JrbNkv3lYMd4uv/CBW6o18Ba+
/zjEvyECAwEAAaNTMFEwHQYDVR0OBBYEFD3wRGMPQdWtBCKRy5c9N5YWnki2MB8G
A1UdIwQYMBaAFD3wRGMPQdWtBCKRy5c9N5YWnki2MA8GA1UdEwEB/wQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAGT5rmafrlv8VIXAgc0iazNd7A6rT7xNLkuF2JGK
7NV3yvsWM6SA+DlG7y70om+eKjd+qxzinxnSt6uFJhcdCqot1LU1u3OZDifTTJmk
31yEYp/+A93qjwe1Ag2rsVcztRl88KtsKrKNohv24iiWfIVDnHo0joerXoaGQwo6
zXl4GVJBEEAhf2GQRgyXcoWkSrsq8UKtVV9dI5QgIS6vZ65oNQEeoAXH56ihFUBX
hS+4Ko2FfUtxbfbw7tpDaNtqhAzJ+LE4RoDUepyCDXPha0Wb4giGOd5EEubYrFKi
DOdAMiiQT1WLK3/UnMlCOV4lne+g9JwBCXL8C0F0W1fFZY8=
-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions fakenet/configs/fakenet_ca.key
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDO6Rs0vG1/DN0k
kJpO/abr6hgR8FlaQyvNk+ODf/JlxydUf+4zA6tsKZEo5YogBNJsT6ZMzG6/ZpHj
//99RigLM2yWJ7q68cWGy8jnUbLdlaqF5Fk4mutZa7ESBnI8Mynts8jAnLoskUy3
DwZmHf4nuQM8h8YrZUuPXLm/kJCDg1ACk4mU95j7umMNl72JIPrqevTcwtGv13sV
Lz74GwYs6rio/2MzEqeV+4nmBr9MR3/A4X95qofaC5N+V/6ldy6nZ1T48HgkfF/c
3soXwWw69VaAZzntjW+YZVPTAf/wNIYA2I+U6x2uCa2zZL95WDHeLr/wgVuqNfAW
vv84xL8hAgMBAAECggEAAyp6KDPcHCjH5XU4hXGPeGYvkhldQtxqsw2Rr7xpVWrl
dw1q8/dR2kVGVFSlBWe7tIPk0Ew8fD14+xtXG4xhmECAoElTHY+b7VgxkVJPem9h
RD4XOLsP4ba4rlNes+DiUCHKbyHTOox1RXytQZxNbgbVr7tOVNU1nf0rVmzt9Zbw
uPltpCcL+yvnaWmBUgdCLIhIT/HDrp4+uZP+zW7pVm/KMQL0I9OMnm6dCimP88pU
meepDRdxHkHVb347jx0+nWSH2V63wxH6WR8lAb4oAXeQXUgS8Q0lXh70EW/x0Ut3
neB/mfuaXLVrBcBTbhPTU7PKd/Sc+dkkqhEpNRR3dQKBgQDyLNPyWEJVXwQ6iOom
xxyqm61DZw8IpBYVmfYrOisTUWVC+oNlpsNPzWsgwmWzpcJ8s6ykupWFcWZeJv2h
XPlq+Ai6Ky0v+yESiUtNb+lKuXGvHqTpTxvPgL/20ZMfRIkWs9YBLA+aTh5RC8Vs
i12fRW9JTZTKgyf7PEkj+DjCCwKBgQDauOszqtFs6d36AMVJJ7OlmZnEWaELv9bW
ns7kdeBgr35gzGbDOkyQGBII5SCwpgWbXyxT39T9xuNoWCWXSZdHDco/UlAG47qI
Pq/KmtbrKxvg6yKsPIDV+cexuBrLIvzsaz8qPbfE/W7nxf+FtvDhvnGyqoiYd3DS
XSD5HcwLAwKBgQDdQpG+mF66qx4s8Myl80NAqQ1LSMyWg3xd7hXYdsPGWZaf9Eu6
wvstXSvkeVf8I5Um4+33bzWO/wWdPhh6pnyG++jVVv9pGBOmYOP48yd9iyLP8bqQ
IyPwmNxKgD3f0nlB0brTxVLYE0llmNCelFJMY18C5SvtPpl31COrBm2s8wKBgG8D
zN28pe+SBIkQOxKWhChZfiKbG5LLHFBy6rAq5GguqwaWuNH+lT3N+dlp8t22ZsIl
3Gn2AjWM7X/Yvbu8LnxyE2Vwcg4NKHBe4PsE/HEAwHW44zBoxTvWO/WIbJEOgTG+
faEDEnN57wDVDozf/gOWlj8JL6uzdCBSBJps9VPhAoGAWQUkdpxRxEARhL7wYR7g
EidDWKnULiULjlrP7VPMJ5hrZf5PmWyZLWW3SkEUhcf25CnJoUoq1OOB1GjL9lBL
0+tXalLnA/mRxO5ILzwJivHyJKnljuPKyXmpKt8H4KRUXV3Uk2may58Jwn8InuRE
aW956i0O1tgrDOj3tSAT8KI=
-----END PRIVATE KEY-----
2 changes: 1 addition & 1 deletion fakenet/defaultFiles/FakeNet.html
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,6 @@
<h3>Contact</h3>

For bugs, crashes, or other comments please contact <b>The FLARE Team</b> by email
<b>FakeNet@fireeye.com</b>.
<b>FakeNet@mandiant.com</b>.
</body>
</html>
2 changes: 1 addition & 1 deletion fakenet/defaultFiles/FakeNet.txt
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,4 @@ FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and

Contact

For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@fireeye.com
For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@mandiant.com
22 changes: 8 additions & 14 deletions fakenet/diverters/diverterbase.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright (C) 2016-2023 Mandiant, Inc. All rights reserved.
# Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.

import os
import abc
Expand Down Expand Up @@ -937,7 +937,7 @@ def _build_cmd(self, tmpl, pid, comm, src_ip, sport, dst_ip, dport):
except KeyError as e:
self.logger.error(('Failed to build ExecuteCmd for port %d due ' +
'to erroneous format key: %s') %
(dport, e.message))
(dport, e))

return cmd

Expand Down Expand Up @@ -1239,21 +1239,15 @@ def formatPkt(self, pkt, pid, comm):
Returns:
A str containing the log line
"""
if pid == None:
pid = 'None'

if comm == None:
comm = 'None'

logline = ''

if pkt.proto == 'UDP':
fmt = '| {label} {proto} | {pid:>6} | {comm:<8} | {src:>15}:{sport:<5} | {dst:>15}:{dport:<5} | {length:>5} | {flags:<11} | {seqack:<35} |'
logline = fmt.format(
label=pkt.label,
proto=pkt.proto,
pid=pid,
comm=comm,
pid=str(pid),
comm=str(comm),
src=pkt.src_ip,
sport=pkt.sport,
dst=pkt.dst_ip,
Expand Down Expand Up @@ -1284,8 +1278,8 @@ def formatPkt(self, pkt, pid, comm):
logline = fmt.format(
label=pkt.label,
proto=pkt.proto,
pid=pid,
comm=comm,
pid=str(pid),
comm=str(comm),
src=pkt.src_ip,
sport=pkt.sport,
dst=pkt.dst_ip,
Expand All @@ -1299,8 +1293,8 @@ def formatPkt(self, pkt, pid, comm):
logline = fmt.format(
label=pkt.label,
proto='UNK',
pid=pid,
comm=comm,
pid=str(pid),
comm=str(comm),
src=str(pkt.src_ip),
sport=str(pkt.sport),
dst=str(pkt.dst_ip),
Expand Down
Loading