FakeNet Update

We’re releasing an update to the FakeNet tool to version 0.91 which can be downloaded here.  The following improvements have been made:

  • The dummy listener that listens on all ports now automatically detects SSL and if the connection is SSL it will decrypt the content and display it to the user.  This is very useful for when malware uses SSL to encrypt traffic to an unusual port.
  • Python is loaded dynamically so that if Python fails to load because the user does not have the Visual Studio redistributables the program will continue to execute without Python support.
  • The NXDomain feature has been added to the DNS server to return a domain not found message for the first n times that a domain is requested.  This is very useful in determining whether a malware sample calls out to more than one domain if the first domain is blocked.
  • An option to output the text that is sent to the console to a text file as well.  Several users have asked for this feature.
  • Improvement in the generated .pcap file.  Some other programs were having trouble parsing the pcap data because the source and destination address were the same.  To resolve this, one end of the connection is recorded as 127.0.0.1 and the other end is recorded as 127.0.0.2.  Additional TCP handshakes have been added to the packet capture.
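The NXDomain behaviour described in the list above, as an added Python example that is not FakeNet's own code: a tiny A-record responder that answers NXDOMAIN for the first n lookups of each name and a fixed IP afterwards, so a sample's fallback domains surface one by one. The query builder produces constructed wire-format packets, not captured traffic.

```python
import struct
from collections import defaultdict


class NxDomainResolver:
    """Answer A queries with a fixed IP, except the first n lookups of each
    name, which get RCODE 3 (NXDOMAIN). Counters are kept per domain so a
    sample's second and third fallback domains are each blocked n times too."""

    def __init__(self, nxdomain_count, answer_ip="127.0.0.1"):
        self.n = nxdomain_count
        self.answer_ip = answer_ip
        self.seen = defaultdict(int)

    def handle(self, query):
        txid = struct.unpack("!H", query[:2])[0]
        # QNAME starts right after the 12-byte header: length-prefixed labels, 0x00 terminator
        labels, pos = [], 12
        while query[pos]:
            length = query[pos]
            labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length
        name = ".".join(labels).lower()
        question = query[12:pos + 5]  # QNAME + terminator + QTYPE + QCLASS, echoed back
        self.seen[name] += 1
        if self.seen[name] <= self.n:
            # flags 0x8183: QR=1, RD=1, RA=1, RCODE=3; no answer records
            header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
            return name, header + question
        # flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; one answer record
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        rdata = bytes(int(octet) for octet in self.answer_ip.split("."))
        # answer RR: compression pointer to QNAME at offset 12, type A, class IN, TTL 60, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
        return name, header + question + answer


def build_query(name, txid=0x1234):
    """Constructed sample: a standard recursive A/IN query for `name` (not real traffic)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def rcode(response):
    """Low nibble of the second flags byte is the response code."""
    return response[3] & 0x0F
```

Binding this to UDP/53 is left out; the point is the per-domain blocking state, which is what makes the feature useful against samples with a domain list.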

As usual we welcome feedback that could be used to improve the quality of this tool.

6 thoughts on “FakeNet Update”

  1. I’m having trouble unzipping the archive. Same error on Linux and OSX (UnZip ver. 6.00 and 5.52).

    $ unzip FakeNet0.91.zip
    Archive: FakeNet0.91.zip
    End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive.
    unzip: cannot find zipfile directory in one of FakeNet0.91.zip or FakeNet0.91.zip.zip, and cannot find FakeNet0.91.zip.ZIP, period.

    • Thanks for letting me know.

      I packaged it with 7-zip, which will work. I uploaded a new version of the .zip file which should work with Windows unzip, although sometimes it takes a few minutes for sourceforge to update the “latest version” link, so to be sure you get the right version click on “files” and download FakeNet0.91.zip.

  2. I finally got a chance to try FakeNet tonight and love it. It will definitely be a part of my malware investigation learning, along with your great book. Thanks for both!
    Ken
    @kdpryor

    • Yes and No.

      It listens for ICMP traffic and if it receives a ping it will respond. However, more likely than not your analysis machine is already listening for pings, so it will receive the ping and send it back before FakeNet has the chance. If something other than FakeNet listens for ICMP traffic then FakeNet won’t get a chance to see it. Likewise, if FakeNet is listening for ICMP traffic it might receive a ping response that might have been meant for another process. Bottom line is that FakeNet tries, but because of the way FakeNet interacts with ICMP in Windows, problems can occur.
