GSoC'23 Project: Implement an Interactive GUI for presenting Network-Based Indicators summary

[3V3RYONE]

Idea

Currently, FakeNet-NG displays its output by either printing it to the console or writing it to a log file. However, Malware with a lot of activity can generate long FakeNet logs. To save analysts from having to read or grep long FakeNet logs, this project aims in providing a user-friendly interface for viewing the output of FakeNet-NG in a more organized and detailed manner.

Implementation

We started by identifying the potential attributes contributing to network-based indicators from each listener. We collected NBIs from each listener in a dictionary and passed it to the diverter component through a callback method (collect_nbi). The diverter component then assembled NBIs from all listeners into a central dictionary structure, along with additional details such as process information, protocol, destination IP, port, etc. We developed a template.html file containing placeholders for NBIs, CSS, and JS code for the UI. After each FakeNet session termination, this template file is read, and actual NBI values from the session are inserted into the placeholders. The resulting report is saved with a timestamp in the main working directory of FakeNet. Users can open this HTML file in any browser to review the NBI summary.

Features

• We've introduced an interactive and responsive UI that presents NBIs in a user-friendly format. This UI is equipped with various functionalities such as filtering, selection, and copying, making it significantly easier for analysts to comprehend malware behavior. Fun fact: The copied format of NBIs aligns seamlessly with Flare Malware reports, simplifying the process even further!
• The UI incorporates NBIs from every listener, supporting both single-host and multi-host operations.
• Our codebase now enhances modularity, enabling future contributors to effortlessly support the representation of NBIs from new listeners within the UI. All that's required is a simple method call (collect_nbi) in the listener to the diverter. This avoids any concerns about integrating new NBIs directly into the UI itself.
• To enhance data abstraction, we've introduced the DiverterWrapper class. This class facilitates controlled access of the diverter to listeners, aligning with object-oriented programming practices. It offers specific methods from the diverter that listeners require access to, without exposing the entire diverter for improved coding practices.

Steps to verify

• Install FakeNet-NG on your system.
• Start a FakeNet session.
• Execute a benign script or malware to generate traffic against the FakeNet session.
• Stop the FakeNet session by pressing CTRL+C.
• Open the generated HTML report in a browser and explore the available options.

[tinajn]

Closes #164

[3V3RYONE]

Testing Results:
All tests have been passed for singlehost mode in windows and linux environments.
Note: Some tests are known to fail in windows (IRC & SMTP_SSL) and linux (SMTP_SSL).

Windows test results

PS C:\Users\IEUser\flare-fakenet-ng\test> python test.py here
Running with privileges on Windows
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 1940
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: TCP external IP @ bound
[ + ] Passed: TCP external IP @ unbound
[ + ] Passed: TCP arbitrary @ bound
[ + ] Passed: TCP arbitrary @ unbound
[ + ] Passed: TCP domainname @ bound
[ + ] Passed: TCP domainname @ unbound
[ + ] Passed: TCP localhost @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: TCP localhost @ unbound
[ + ] Passed: TCP custom test static Base64
[ + ] Passed: TCP custom test static string
[ + ] Passed: TCP custom test static file
[ + ] Passed: TCP custom test dynamic
[ + ] Passed: UDP external IP @ bound
[ + ] Passed: UDP external IP @ unbound
[ + ] Passed: UDP arbitrary @ bound
[ + ] Passed: UDP arbitrary @ unbound
[ + ] Passed: UDP domainname @ bound
[ + ] Passed: UDP domainname @ unbound
[ + ] Passed: UDP localhost @ bound
Socket error: [WinError 10054] An existing connection was forcibly closed by the remote host (SocketKind.SOCK_DGRAM 127.0.0.1:9999)
[ + ] Passed: UDP localhost @ unbound
[ + ] Passed: UDP custom test static Base64
[ + ] Passed: UDP custom test dynamic
[ + ] Passed: ICMP external IP
[ + ] Passed: ICMP arbitrary host
[ + ] Passed: ICMP domainname
[ + ] Passed: DNS listener test
[ + ] Passed: HTTP listener test
[ + ] Passed: HTTP custom test by URI
[ + ] Passed: HTTP custom test by hostname
[ + ] Passed: HTTP custom test by both URI and hostname
[ + ] Passed: HTTP custom test by both URI and hostname wrong URI
[ + ] Passed: HTTP custom test by both URI and hostname wrong hostname
[ + ] Passed: HTTP custom test by ListenerType
[ + ] Passed: HTTP custom test by ListenerType host port negative match
[ + ] Passed: FTP listener test
[ + ] Passed: POP3 listener test
[ + ] Passed: SMTP listener test
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
[!!!] FAILED: SMTP SSL listener test
Test IRC listener test: Uncaught exception of type <class '__main__.FakeNetTestException'>: privmsg test failed
Test IRC listener test: Uncaught exception of type <class '__main__.FakeNetTestException'>: privmsg test failed
[!!!] FAILED: IRC listener test
[ + ] Passed: Proxy listener HTTP test
[ + ] Passed: Proxy listener HTTP hidden test
Socket error: timed out (SocketKind.SOCK_STREAM 6.6.6.6:9999)
[ + ] Passed: TCP blacklisted host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:139)
[ + ] Passed: TCP arbitrary @ blacklisted unbound
Socket error: timed out (SocketKind.SOCK_DGRAM 8.8.8.8:67)
[ + ] Passed: UDP arbitrary @ blacklisted unbound
[ + ] Passed: Listener process blacklist
[ + ] Passed: Listener process whitelist
[ + ] Passed: Listener host blacklist
[ + ] Passed: Listener host whitelist
-------------------------------------------------------------------------------
Done.
Passed: 46/48 | Failed: 2/48

Failed tests:
[*] SMTP SSL listener test
[*] IRC listener test
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 4860
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: RedirectAllTraffic disabled external IP @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 10.0.2.15:9999)
[ + ] Passed: RedirectAllTraffic disabled external IP @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:1337)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:1337)
[ + ] Passed: RedirectAllTraffic disabled named host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:9999)
[ + ] Passed: RedirectAllTraffic disabled named host @ unbound
[ + ] Passed: RedirectAllTraffic disabled localhost @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: RedirectAllTraffic disabled localhost @ unbound
-------------------------------------------------------------------------------
Done.
Passed: 8/8 | Failed: 0/8
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 6584
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: Global blacklisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 2780
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: Global whitelisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly
PS C:\Users\IEUser\flare-fakenet-ng\test>

Linux test results

rescuethetux@lugvitc:~/flare-fakenet-ng/test$ sudo python test.py here
Running with privileges on Linux
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 3456
Sleeping 4 seconds before commencing

  ______  	_  ________ _   _ ______ _______ 	_   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__ 	| |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|	| |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |  	| |\  | |__| |
 |_|/_/	\_\_|\_\______|_| \_|______|  |_|  	|_| \_|\_____|

                    	Version 3.0 (alpha)
  _____________________________________________________________
               	Developed by FLARE Team
	Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                          	 
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: TCP external IP @ bound
[ + ] Passed: TCP external IP @ unbound
[ + ] Passed: TCP arbitrary @ bound
[ + ] Passed: TCP arbitrary @ unbound
[ + ] Passed: TCP domainname @ bound
[ + ] Passed: TCP domainname @ unbound
[ + ] Passed: TCP localhost @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: TCP localhost @ unbound
[ + ] Passed: TCP custom test static Base64
[ + ] Passed: TCP custom test static string
[ + ] Passed: TCP custom test static file
[ + ] Passed: TCP custom test dynamic
[ + ] Passed: UDP external IP @ bound
[ + ] Passed: UDP external IP @ unbound
[ + ] Passed: UDP arbitrary @ bound
[ + ] Passed: UDP arbitrary @ unbound
[ + ] Passed: UDP domainname @ bound
[ + ] Passed: UDP domainname @ unbound
[ + ] Passed: UDP localhost @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_DGRAM 127.0.0.1:9999)
[ + ] Passed: UDP localhost @ unbound
[ + ] Passed: UDP custom test static Base64
[ + ] Passed: UDP custom test dynamic
[ + ] Passed: ICMP external IP
[ + ] Passed: ICMP arbitrary host
[ + ] Passed: ICMP domainname
[ + ] Passed: DNS listener test
[ + ] Passed: HTTP listener test
[ + ] Passed: HTTP custom test by URI
[ + ] Passed: HTTP custom test by hostname
[ + ] Passed: HTTP custom test by both URI and hostname
[ + ] Passed: HTTP custom test by both URI and hostname wrong URI
[ + ] Passed: HTTP custom test by both URI and hostname wrong hostname
[ + ] Passed: HTTP custom test by ListenerType
[ + ] Passed: HTTP custom test by ListenerType host port negative match
[ + ] Passed: POP3 listener test
[ + ] Passed: SMTP listener test
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
----------------------------------------
Exception happened during processing of request from ('10.0.2.15', 41754)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 683, in process_request_thread
	self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
	self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
	self.handle()
  File "/home/rescuethetux/flare-fakenet-ng/fakenet/listeners/ProxyListener.py", line 256, in handle
	remote_sock.setblocking(0)
OSError: [Errno 9] Bad file descriptor
----------------------------------------
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
[!!!] FAILED: SMTP SSL listener test
----------------------------------------
Exception happened during processing of request from ('10.0.2.15', 41756)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 683, in process_request_thread
	self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
	self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
	self.handle()
  File "/home/rescuethetux/flare-fakenet-ng/fakenet/listeners/ProxyListener.py", line 256, in handle
	remote_sock.setblocking(0)
OSError: [Errno 9] Bad file descriptor
----------------------------------------
[ + ] Passed: IRC listener test
[ + ] Passed: Proxy listener HTTP test
[ + ] Passed: Proxy listener HTTP hidden test
Socket error: timed out (SocketKind.SOCK_STREAM 6.6.6.6:9999)
[ + ] Passed: TCP blacklisted host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:139)
[ + ] Passed: TCP arbitrary @ blacklisted unbound
Socket error: timed out (SocketKind.SOCK_DGRAM 8.8.8.8:67)
[ + ] Passed: UDP arbitrary @ blacklisted unbound
[ + ] Passed: Listener process blacklist
[ + ] Passed: Listener process whitelist
[ + ] Passed: Listener host blacklist
[ + ] Passed: Listener host whitelist
-------------------------------------------------------------------------------
Done.
Passed: 46/47 | Failed: 1/47

Failed tests:
[*] SMTP SSL listener test
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG is stopped
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 3536
Sleeping 4 seconds before commencing

  ______  	_  ________ _   _ ______ _______ 	_   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__ 	| |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|	| |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |  	| |\  | |__| |
 |_|/_/	\_\_|\_\______|_| \_|______|  |_|  	|_| \_|\_____|

                    	Version 3.0 (alpha)
  _____________________________________________________________
               	Developed by FLARE Team
	Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                          	 
Failed to restart dns-clean.service: Unit dns-clean.service not found.
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: RedirectAllTraffic disabled external IP @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_STREAM 10.0.2.15:9999)
[ + ] Passed: RedirectAllTraffic disabled external IP @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:1337)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:1337)
[ + ] Passed: RedirectAllTraffic disabled named host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:9999)
[ + ] Passed: RedirectAllTraffic disabled named host @ unbound
[ + ] Passed: RedirectAllTraffic disabled localhost @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: RedirectAllTraffic disabled localhost @ unbound
-------------------------------------------------------------------------------
Done.
Passed: 8/8 | Failed: 0/8
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG is stopped
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 3590
Sleeping 4 seconds before commencing

  ______  	_  ________ _   _ ______ _______ 	_   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__ 	| |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|	| |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |  	| |\  | |__| |
 |_|/_/	\_\_|\_\______|_| \_|______|  |_|  	|_| \_|\_____|

                    	Version 3.0 (alpha)
  _____________________________________________________________
               	Developed by FLARE Team
	Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                          	 
Failed to restart dns-clean.service: Unit dns-clean.service not found.
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: Global blacklisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG is stopped
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 3642
Sleeping 4 seconds before commencing

  ______  	_  ________ _   _ ______ _______ 	_   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__ 	| |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|	| |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |  	| |\  | |__| |
 |_|/_/	\_\_|\_\______|_| \_|______|  |_|  	|_| \_|\_____|

                    	Version 3.0 (alpha)
  _____________________________________________________________
               	Developed by FLARE Team
	Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                          	 
Failed to restart dns-clean.service: Unit dns-clean.service not found.
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: Global whitelisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly

[3V3RYONE]

Testing Results

All available tests have been passed for singlehost (Windows and Linux) and multihost (Linux with Windows) in the automated test suite test.py.

Singlehost test results - Windows

PS C:\Users\IEUser\flare-fakenet-ng\test> python test.py here
Running with privileges on Windows
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 6420
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: TCP external IP @ bound
[ + ] Passed: TCP external IP @ unbound
[ + ] Passed: TCP arbitrary @ bound
[ + ] Passed: TCP arbitrary @ unbound
[ + ] Passed: TCP domainname @ bound
[ + ] Passed: TCP domainname @ unbound
[ + ] Passed: TCP localhost @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: TCP localhost @ unbound
[ + ] Passed: TCP custom test static Base64
[ + ] Passed: TCP custom test static string
[ + ] Passed: TCP custom test static file
[ + ] Passed: TCP custom test dynamic
[ + ] Passed: UDP external IP @ bound
[ + ] Passed: UDP external IP @ unbound
[ + ] Passed: UDP arbitrary @ bound
[ + ] Passed: UDP arbitrary @ unbound
[ + ] Passed: UDP domainname @ bound
[ + ] Passed: UDP domainname @ unbound
[ + ] Passed: UDP localhost @ bound
Socket error: [WinError 10054] An existing connection was forcibly closed by the remote host (SocketKind.SOCK_DGRAM 127.0.0.1:9999)
[ + ] Passed: UDP localhost @ unbound
[ + ] Passed: UDP custom test static Base64
[ + ] Passed: UDP custom test dynamic
[ + ] Passed: ICMP external IP
[ + ] Passed: ICMP arbitrary host
[ + ] Passed: ICMP domainname
[ + ] Passed: DNS listener test
[ + ] Passed: HTTP listener test
[ + ] Passed: HTTP custom test by URI
[ + ] Passed: HTTP custom test by hostname
[ + ] Passed: HTTP custom test by both URI and hostname
[ + ] Passed: HTTP custom test by both URI and hostname wrong URI
[ + ] Passed: HTTP custom test by both URI and hostname wrong hostname
[ + ] Passed: HTTP custom test by ListenerType
[ + ] Passed: HTTP custom test by ListenerType host port negative match
[ + ] Passed: FTP listener test
[ + ] Passed: POP3 listener test
[ + ] Passed: SMTP listener test
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
[!!!] FAILED: SMTP SSL listener test
Test IRC listener test: Uncaught exception of type <class '__main__.FakeNetTestException'>: privmsg test failed
Test IRC listener test: Uncaught exception of type <class '__main__.FakeNetTestException'>: privmsg test failed
[!!!] FAILED: IRC listener test
[ + ] Passed: Proxy listener HTTP test
[ + ] Passed: Proxy listener HTTP hidden test
Socket error: timed out (SocketKind.SOCK_STREAM 6.6.6.6:9999)
[ + ] Passed: TCP blacklisted host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:139)
[ + ] Passed: TCP arbitrary @ blacklisted unbound
Socket error: timed out (SocketKind.SOCK_DGRAM 8.8.8.8:67)
[ + ] Passed: UDP arbitrary @ blacklisted unbound
[ + ] Passed: Listener process blacklist
[ + ] Passed: Listener process whitelist
[ + ] Passed: Listener host blacklist
[ + ] Passed: Listener host whitelist
-------------------------------------------------------------------------------
Done.
Passed: 46/48 | Failed: 2/48

Failed tests:
[*] SMTP SSL listener test
[*] IRC listener test
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 7160
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: RedirectAllTraffic disabled external IP @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 10.0.2.15:9999)
[ + ] Passed: RedirectAllTraffic disabled external IP @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:1337)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:1337)
[ + ] Passed: RedirectAllTraffic disabled named host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:9999)
[ + ] Passed: RedirectAllTraffic disabled named host @ unbound
[ + ] Passed: RedirectAllTraffic disabled localhost @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: RedirectAllTraffic disabled localhost @ unbound
-------------------------------------------------------------------------------
Done.
Passed: 8/8 | Failed: 0/8
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 2380
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: Global blacklisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
About to run fakenet -f C:\Users\IEUser\AppData\Local\Temp\stop_fakenet -n -l C:\Users\IEUser\AppData\Local\Temp\fakenet.log -c C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
FakeNet started with PID 1564
Sleeping 4 seconds before commencing
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: Global whitelisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly

Singlehost test results - Linux

rescuethetux@lugvitc:~/flare-fakenet-ng/test$ sudo python test.py here
Running with privileges on Linux
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 2205
Sleeping 4 seconds before commencing

  ______      _  ________ _   _ ______ _______     _   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__     | |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|    | |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
 |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|

                        Version 3.0 (alpha)
  _____________________________________________________________
                   Developed by FLARE Team
    Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                               
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: TCP external IP @ bound
[ + ] Passed: TCP external IP @ unbound
[ + ] Passed: TCP arbitrary @ bound
[ + ] Passed: TCP arbitrary @ unbound
[ + ] Passed: TCP domainname @ bound
[ + ] Passed: TCP domainname @ unbound
[ + ] Passed: TCP localhost @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: TCP localhost @ unbound
[ + ] Passed: TCP custom test static Base64
[ + ] Passed: TCP custom test static string
[ + ] Passed: TCP custom test static file
[ + ] Passed: TCP custom test dynamic
[ + ] Passed: UDP external IP @ bound
[ + ] Passed: UDP external IP @ unbound
[ + ] Passed: UDP arbitrary @ bound
[ + ] Passed: UDP arbitrary @ unbound
[ + ] Passed: UDP domainname @ bound
[ + ] Passed: UDP domainname @ unbound
[ + ] Passed: UDP localhost @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_DGRAM 127.0.0.1:9999)
[ + ] Passed: UDP localhost @ unbound
[ + ] Passed: UDP custom test static Base64
[ + ] Passed: UDP custom test dynamic
[ + ] Passed: ICMP external IP
[ + ] Passed: ICMP arbitrary host
[ + ] Passed: ICMP domainname
[ + ] Passed: DNS listener test
[ + ] Passed: HTTP listener test
[ + ] Passed: HTTP custom test by URI
[ + ] Passed: HTTP custom test by hostname
[ + ] Passed: HTTP custom test by both URI and hostname
[ + ] Passed: HTTP custom test by both URI and hostname wrong URI
[ + ] Passed: HTTP custom test by both URI and hostname wrong hostname
[ + ] Passed: HTTP custom test by ListenerType
[ + ] Passed: HTTP custom test by ListenerType host port negative match
[ + ] Passed: POP3 listener test
[ + ] Passed: SMTP listener test
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
----------------------------------------
Exception happened during processing of request from ('10.0.2.4', 53118)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 683, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/home/rescuethetux/flare-fakenet-ng/fakenet/listeners/ProxyListener.py", line 256, in handle
    remote_sock.setblocking(0)
OSError: [Errno 9] Bad file descriptor
----------------------------------------
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
[!!!] FAILED: SMTP SSL listener test
----------------------------------------
Exception happened during processing of request from ('10.0.2.4', 53120)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 683, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/home/rescuethetux/flare-fakenet-ng/fakenet/listeners/ProxyListener.py", line 256, in handle
    remote_sock.setblocking(0)
OSError: [Errno 9] Bad file descriptor
----------------------------------------
[ + ] Passed: IRC listener test
[ + ] Passed: Proxy listener HTTP test
[ + ] Passed: Proxy listener HTTP hidden test
Socket error: timed out (SocketKind.SOCK_STREAM 6.6.6.6:9999)
[ + ] Passed: TCP blacklisted host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:139)
[ + ] Passed: TCP arbitrary @ blacklisted unbound
Socket error: timed out (SocketKind.SOCK_DGRAM 8.8.8.8:67)
[ + ] Passed: UDP arbitrary @ blacklisted unbound
[ + ] Passed: Listener process blacklist
[ + ] Passed: Listener process whitelist
[ + ] Passed: Listener host blacklist
[ + ] Passed: Listener host whitelist
-------------------------------------------------------------------------------
Done.
Passed: 46/47 | Failed: 1/47

Failed tests:
[*] SMTP SSL listener test
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG is stopped
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 2292
Sleeping 4 seconds before commencing

  ______      _  ________ _   _ ______ _______     _   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__     | |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|    | |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
 |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|

                        Version 3.0 (alpha)
  _____________________________________________________________
                   Developed by FLARE Team
    Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                               
Failed to restart dns-clean.service: Unit dns-clean.service not found.
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: RedirectAllTraffic disabled external IP @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_STREAM 10.0.2.4:9999)
[ + ] Passed: RedirectAllTraffic disabled external IP @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:1337)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ unbound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:1337)
[ + ] Passed: RedirectAllTraffic disabled named host @ bound
Socket error: timed out (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:9999)
[ + ] Passed: RedirectAllTraffic disabled named host @ unbound
[ + ] Passed: RedirectAllTraffic disabled localhost @ bound
Socket error: [Errno 111] Connection refused (SocketKind.SOCK_STREAM 127.0.0.1:9999)
[ + ] Passed: RedirectAllTraffic disabled localhost @ unbound
-------------------------------------------------------------------------------
Done.
Passed: 8/8 | Failed: 0/8
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG is stopped
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 2349
Sleeping 4 seconds before commencing

  ______      _  ________ _   _ ______ _______     _   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__     | |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|    | |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
 |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|

                        Version 3.0 (alpha)
  _____________________________________________________________
                   Developed by FLARE Team
    Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                               
Failed to restart dns-clean.service: Unit dns-clean.service not found.
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
Socket error: timed out (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: Global blacklisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG is stopped
Writing config to /tmp/fakenet.ini
About to run python3 -m fakenet.fakenet -f /tmp/stop_fakenet -n -l /tmp/fakenet.log -c /tmp/fakenet.ini
FakeNet started with PID 2399
Sleeping 4 seconds before commencing

  ______      _  ________ _   _ ______ _______     _   _  _____
 |  ____/\   | |/ /  ____| \ | |  ____|__   __|   | \ | |/ ____|
 | |__ /  \  | ' /| |__  |  \| | |__     | |______|  \| | |  __
 |  __/ /\ \ |  < |  __| | . ` |  __|    | |______| . ` | | |_ |
 | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
 |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|

                        Version 3.0 (alpha)
  _____________________________________________________________
                   Developed by FLARE Team
    Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
  _____________________________________________________________
                                               
Failed to restart dns-clean.service: Unit dns-clean.service not found.
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: Global whitelisted process test
-------------------------------------------------------------------------------
Done.
Passed: 1/1 | Failed: 0/1
-------------------------------------------------------------------------------
Sleeping 1 seconds before transitioning
Stopping FakeNet-NG and waiting for it to complete
FakeNet-NG was no longer running or was stopped forcibly

Multihost test results - Linux with Windows

PS C:\Users\IEUser\flare-fakenet-ng\test> python test.py 192.168.57.3
Running with privileges on Windows
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
fakenet-test\fakenet.ini
fakenet-test\custom_responses.ini
fakenet-test\CustomProviderExample.py
fakenet-test\sample_raw_response.txt
fakenet-test\sample_raw_tcp_response.txt
Waiting for you to transition the remote FakeNet-NG
system to run the General test suite
***Copy and uncompress this archive on the test system: C:\Users\IEUser\AppData\Local\Temp\fakenet-test.zip

Type 'ok' to continue, or 'exit' to stop
ok
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: TCP external IP @ bound
[ + ] Passed: TCP external IP @ unbound
[ + ] Passed: TCP arbitrary @ bound
[ + ] Passed: TCP arbitrary @ unbound
[ + ] Passed: TCP domainname @ bound
[ + ] Passed: TCP domainname @ unbound
[ + ] Passed: TCP custom test static Base64
[ + ] Passed: TCP custom test static string
[ + ] Passed: TCP custom test static file
[ + ] Passed: TCP custom test dynamic
[ + ] Passed: UDP external IP @ bound
[ + ] Passed: UDP external IP @ unbound
[ + ] Passed: UDP arbitrary @ bound
[ + ] Passed: UDP arbitrary @ unbound
[ + ] Passed: UDP domainname @ bound
[ + ] Passed: UDP domainname @ unbound
[ + ] Passed: UDP custom test static Base64
[ + ] Passed: UDP custom test dynamic
[ + ] Passed: ICMP external IP
[ + ] Passed: ICMP arbitrary host
[ + ] Passed: ICMP domainname
[ + ] Passed: DNS listener test
[ + ] Passed: HTTP listener test
[ + ] Passed: HTTP custom test by URI
[ + ] Passed: HTTP custom test by hostname
[ + ] Passed: HTTP custom test by both URI and hostname
[ + ] Passed: HTTP custom test by both URI and hostname wrong URI
[ + ] Passed: HTTP custom test by both URI and hostname wrong hostname
[ + ] Passed: HTTP custom test by ListenerType
[ + ] Passed: HTTP custom test by ListenerType host port negative match
[ + ] Passed: FTP listener test
[ + ] Passed: POP3 listener test
[ + ] Passed: SMTP listener test
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
Test SMTP SSL listener test: Uncaught exception of type <class 'smtplib.SMTPServerDisconnected'>: Connection unexpectedly closed: The read operation timed out
[!!!] FAILED: SMTP SSL listener test
[ + ] Passed: IRC listener test
[ + ] Passed: Proxy listener HTTP test
[ + ] Passed: Proxy listener HTTP hidden test
[!!!] FAILED: TCP blacklisted host @ unbound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 8.8.8.8:139)
[ + ] Passed: TCP arbitrary @ blacklisted unbound
Socket error: timed out (SocketKind.SOCK_DGRAM 8.8.8.8:67)
[ + ] Passed: UDP arbitrary @ blacklisted unbound
-------------------------------------------------------------------------------
Done.
Passed: 38/40 | Failed: 2/40

Failed tests:
[*] SMTP SSL listener test
[*] TCP blacklisted host @ unbound
-------------------------------------------------------------------------------
Writing config to C:\Users\IEUser\AppData\Local\Temp\fakenet.ini
fakenet-test\fakenet.ini
fakenet-test\custom_responses.ini
fakenet-test\CustomProviderExample.py
fakenet-test\sample_raw_response.txt
fakenet-test\sample_raw_tcp_response.txt
Waiting for you to transition the remote FakeNet-NG
system to run the No Redirect test suite
***Copy and uncompress this archive on the test system: C:\Users\IEUser\AppData\Local\Temp\fakenet-test.zip

Type 'ok' to continue, or 'exit' to stop
ok
-------------------------------------------------------------------------------
Testing
-------------------------------------------------------------------------------
[ + ] Passed: RedirectAllTraffic disabled external IP @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 192.168.57.3:9999)
[ + ] Passed: RedirectAllTraffic disabled external IP @ unbound
[!!!] FAILED: RedirectAllTraffic disabled arbitrary host @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM 8.8.8.8:9999)
[ + ] Passed: RedirectAllTraffic disabled arbitrary host @ unbound
[!!!] FAILED: RedirectAllTraffic disabled named host @ bound
Socket error: [WinError 10061] No connection could be made because the target machine actively refused it (SocketKind.SOCK_STREAM does-not-exist-amirite.fireeye.com:9999)
[ + ] Passed: RedirectAllTraffic disabled named host @ unbound
-------------------------------------------------------------------------------
Done.
Passed: 4/6 | Failed: 2/6

Failed tests:
[*] RedirectAllTraffic disabled arbitrary host @ bound
[*] RedirectAllTraffic disabled named host @ bound
-------------------------------------------------------------------------------
No matching tests
No matching tests
PS C:\Users\IEUser\flare-fakenet-ng\test>

Note

Some tests are known to fail in certain OS and network mode configuration. I am listing the known failed tests with supporting links below

• Failed tests on Singlehost on Windows
  • [*] SMTP SSL listener test - known failed test
  • [*] IRC listener test - known failed test
• Failed tests on Singlehost on Linux
  • [*] SMTP SSL listener test - known failed test
• Failed tests on Multihost with Linux and Windows
  • [*] SMTP SSL listener test - known failed test
  • [*] TCP blacklisted host @ unbound - known failed test
  • [*] RedirectAllTraffic disabled arbitrary host @ bound - known failed test
  • [*] RedirectAllTraffic disabled named host @ bound - known failed test

[tinajohnson]

Added a few comments. Most of them are for code style changes and wording sentences differently except for the one in TFTP listener.

Thank you and great job, Beleswar!

[tinajohnson]

@3V3RYONE could you give me permissions to push changes to your branch?

[strictlymike]

I would like us to document (via comments) why there must exist both a run() and a connect() method.

Your astute mentor reminded me that we documented this in our discussion notes:

The ThreadedTCPClientSocket (which is really a thread!) would implement a connect() method that the ThreadedTCPRequestHandler object could use to get the source port and then call a Diverter-supplied callback informing the diverter of the mapping between the old source port and the proxy source port.

Maintainers would benefit from seeing this represented in the comments for connect() along with commentary on the run() method indicating the expectation that connect() has already been called.