We’re releasing version 0.91 of the FakeNet tool, which can be downloaded here. The following improvements have been made:
- The dummy listener that listens on all ports now automatically detects SSL. If the connection is SSL, it decrypts the content and displays it to the user. This is very useful when malware uses SSL to encrypt traffic to an unusual port.
- Python is loaded dynamically, so that if Python fails to load because the user does not have the Visual Studio redistributables, the program will continue to execute without Python support.
- The NXDomain feature has been added to the DNS server to return a domain not found message for the first n times that a domain is requested. This is very useful in determining whether a malware sample calls out to more than one domain if the first domain is blocked.
- An option has been added to also write the text that is sent to the console to a text file. Several users have asked for this feature.
- Improvements to the generated .pcap file. Some other programs were having trouble parsing the pcap data because the source and destination addresses were the same. To resolve this, one end of the connection is recorded as 127.0.0.1 and the other end is recorded as 127.0.0.2. Additional TCP handshakes have been added to the packet capture.
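The NXDomain behaviour described in the list above, sketched as an added example (this is not FakeNet's own code): a responder that returns NXDOMAIN for the first n queries for each name and then a fixed A record. The class and function names, the 127.0.0.1 answer, the A-query-only handling and the sample query are assumptions made for illustration.

```python
import struct
from collections import defaultdict

NXDOMAIN = 3  # DNS RCODE "Name Error" (RFC 1035)

def parse_qname(packet, offset=12):
    """Return (lowercased name, offset just past QNAME) for the first question."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset

class NxFirstN:
    """Answer NXDOMAIN for the first n queries per name, then a fixed A record."""
    def __init__(self, n, answer_ip="127.0.0.1"):
        self.n = n
        self.answer = bytes(int(o) for o in answer_ip.split("."))
        self.seen = defaultdict(int)  # per-name query counter

    def respond(self, query):
        qid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if qdcount != 1:
            raise ValueError("expected exactly one question")
        name, end = parse_qname(query)
        question = query[12:end + 4]  # QNAME + QTYPE + QCLASS
        self.seen[name] += 1
        rd = flags & 0x0100  # echo the client's RD bit
        if self.seen[name] <= self.n:
            # QR=1, AA=1, RCODE=3, no answer records
            header = struct.pack("!HHHHHH", qid, 0x8400 | rd | NXDOMAIN, 1, 0, 0, 0)
            return header + question
        header = struct.pack("!HHHHHH", qid, 0x8400 | rd, 1, 1, 0, 0)
        # Pointer to the name at offset 12, TYPE A, CLASS IN, TTL 60, 4-byte RDATA
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + self.answer
        return header + question + rr

def build_query(name, qid=0x1234):
    """Constructed sample input: a minimal A/IN query for name."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Because the counter is kept per name, a sample that falls back to a second domain after the first fails to resolve will show up as a new name in the query log.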
As usual we welcome feedback that could be used to improve the quality of this tool.