FakeNet-NG Levels Up: Introducing Interactive HTML-Based Output

FakeNet-NG Levels Up: Introducing Interactive HTML-Based Output

Written by: Beleswar Prasad Padhi, Tina Johnson, Michael Bailey, Elliot Chernofsky, Blas Kojusner


 

FakeNet-NG is a dynamic network analysis tool that captures network requests and simulates network services to aid in malware research. The FLARE team is committed to maintaining and updating the tool to improve its capabilities and usability. FakeNet is compatible across platforms and extensively customizable; however, we recognized a need to present captured network data in a more intuitive and user-friendly way to help you quickly identify relevant Network-Based Indicators (NBIs). To address this challenge and further enhance the usability, we extended FakeNet-NG to generate HTML-based output that enables you to view, explore, and share captured network data.

This feature was implemented by Beleswar Prasad Padhi as part of a Google Summer of Code (GSoC) project that the Mandiant FLARE team mentored in 2023. To learn more about the program and our open-source contributors, check out the introductory post.

Interactive HTML-Based Output

FakeNet-NG’s new interactive output is backed by an HTML page coupled with inline CSS and Javascript. Figure 1 shows the new HTML-based output and Figure 2 shows FakeNet-NG’s existing text-based output.

FakeNet-NG's new HTML-based output

Figure 1: FakeNet-NG’s new HTML-based output

FakeNet-NG's text-based output

Figure 2: FakeNet-NG’s text-based output

FakeNet-NG generates each report using a Jinja2 template that it populates with the captured network data. The final report is saved to the current working directory and can be reviewed using your favorite browser. You can also share this file with others to collaboratively analyze the captured network traffic.

The HTML interface supports selecting, filtering, and copying captured network data. The filtering functionality displays entries that match your search query, as shown in Figure 3.

Filtered results showing only entries containing search query ‘evil.com'

Figure 3: Filtered results showing only entries containing search query ‘evil.com’

You can copy Markdown-formatted network data by clicking the “Copy” button under the “Actions” column, as shown in Figure 3 to obtain results as shown in Figure 4.

Viewing Markdown-formatted network data

Figure 4: Viewing Markdown-formatted network data

You can also copy multiple entries by selecting their corresponding checkboxes and then clicking the “Copy Selected NBIs” button at the top of the page, as shown in Figure 5 and Figure 6.

Copying multiple entries by selecting corresponding checkboxes

Figure 5: Copying multiple entries by selecting corresponding checkboxes

Viewing multiple Markdown-formatted entries

Figure 6: Viewing multiple Markdown-formatted entries

Design and Implementation

FakeNet-NG Internals

FakeNet-NG operates through a modular architecture consisting of three primary components including:

  • Diverter: This central component intercepts all incoming and outgoing network traffic from the target system. By default, it forwards these packets to the Proxy Listener for further processing.

  • Proxy Listener: This component sits between the Diverter and the protocol-specific Listeners. It analyzes application layer data to identify the appropriate Listener for each network packet based on factors like port, protocol, and data content.

  • Protocol-specific Listeners: These specialized Listeners, such as those for HTTP, FTP, and DNS, handle requests specific to their respective protocols and generate appropriate responses to mimic legitimate server behavior.

This modular design, shown in Figure 7, allows for flexibility and extensibility, enabling the addition of new protocol listeners as needed.

FakeNet-NG's architecture

Figure 7: FakeNet-NG’s architecture

More extensive documentation on FakeNet-NG’s internal workings can be found on GitHub.

Extending FakeNet-NG for NBI Analysis

Enabling FakeNET-NG to generate comprehensive and informative reports required extending key components to record, store, and associate network data with the source processes. This included:

  • Enhancing data storage: The Diverter stores additional information, including process names, process IDs, and relationships between original and proxy-initiated source ports.

  • Introducing NBI mapping: The Diverter maps network data to source processes, enabling clear attribution of network activity.

  • Facilitating information exchange: The Proxy Listener relays relevant packet details to the Diverter, ensuring accurate data tracking.

FakeNet-NG combines the data captured by each component to generate the interactive HTML-based output.

Future Work

We believe that FakeNet-NG’s HTML-based output can be further enhanced to provide even greater value to analysts. One key addition would be a communication graph that visually depicts network behavior, as shown in Figure 8. This common technique is employed by other networking tools to map processes to their associated network requests, with edges linking process nodes to other nodes such as IP addresses or domain names. Adding such a visualization to FakeNet-NG would help give you a clear and immediate understanding of a program’s communication patterns.

A prototype communication graph

Figure 8: A prototype communication graph

Additionally, we are exploring other enhancements including:

  • Exclude irrelevant network traffic: Filter noise generated by benign Windows services and applications drawing focus to the most relevant network data. See GitHub issue here.

  • Include ICMP traffic in the HTML report: Provide a more comprehensive view of network activity by displaying ICMP-based network data. See GitHub issue here.

  • Add filtering options and preset filters: Offer convenient filtering options as well as include preset filters to exclude common Microsoft network traffic. 

  • Improve Markdown formatting: Enhance the usability of exported network data by allowing the user to choose the details that need to be included in the exported Markdown data.

If you are interested in getting involved in the development of FakeNet-NG, these enhancements in addition to our list of good first issues are a great way to get started.

Conclusion

FakeNet-NG continues to evolve as a go-to tool for dynamic network analysis in malware research. By adding interactive HTML-based output we hope to enhance its usability by giving you a clear, intuitive, and visually appealing way to navigate and analyze even the most extensive and complex network data captures.

We encourage you to explore the new HTML-based output and leverage its filtering, selection, and copying capabilities to streamline your dynamic network data analysis. We also welcome feedback and suggestions for further improvements. Please visit our Github repository to download the latest version of FakeNet-NG, contribute to the project, or share your thoughts.

Beleswar’s Acknowledgements

Participating in the Google Summer of Code Program, especially with FLARE, has been an excellent learning experience. This project has given me a deep understanding of network programming and systems programming. GSoC has also taught me to accept mentor feedback and code reviews positively and to work on them diligently. It has also helped me develop important soft skills like communication, time management, task scheduling, and progress tracking.

I want to express my thanks to FLARE for making the summer experience so smooth. I really appreciate the group kickoff meetings, which allowed us to interact and understand the projects and progress of fellow contributors. I also loved how all the mentors were approachable and always helped me overcome any roadblocks. I’m excited to continue contributing to the project and stay active in the FLARE community.