Getting Started with Network Simulation and Fakenet-NG

  • Published on 23 Jun 2024
  • Malware often requires access to the internet, but what if you don't want to let it connect out? Fakenet-NG to the rescue! In this video, we'll explore this useful utility for simulating many popular networking protocols - allowing you to get valuable insight into your malware's network behavior without giving it full access to the internet.
    ⚙️ Tinker with me on Github 👉🏻 github.com/jstrosch
    1:40 Setting your VM's network
    2:08 Sample program and analysis goals
    3:30 Observing a lack of strings, particularly domains
    4:29 Enter Fakenet-NG
    5:45 Running Fakenet-NG
    7:30 Running the sample program
    8:20 Generating a PCAP file
  • Science and Technology

Comments • 10

  • @nicoladellino8124 5 months ago +1

    Very useful video, THX.

    • @jstrosch 5 months ago

      Thank you :)

  • @hewhosortsofplaysaninstrum9046 5 months ago +1

    Hi Josh, great intro! Thank you! Would be cool if you could make a (longer) follow-up video showing how to do specific responses based on the queries sent. Is it possible to customize it so far that it even takes given input from the request (e.g. URL params) and build a custom response based on that? Also can we simulate raw socket I/O (no http or ftp or other known protocol)? Thanks!

    • @jstrosch 4 months ago

      Thanks for the feedback - adding more videos on fakenet to my video list :) in the meantime, this is a good blog on creating custom handlers www.mandiant.com/resources/blog/improving-dynamic-malware-analysis-with-cheat-codes-for-fakenet-ng.

  • @1337BR3AK 5 months ago +1

    hey John! does it write the initiating process for the communications as custom data in the pcap or should we rely on the fakenet's output?

    • @jstrosch 5 months ago

      The PCAP is network traffic only and afaik, fakenet isn't able to add any data to associated process activity :(

  • @RNF2015 5 days ago +1

    Any thoughts on this tool vs inetsim?

    • @jstrosch 3 days ago

      I haven't used inetsim much at this point, so I can't offer a fair comparison. I like using fakenet as it runs in the same VM, so no need for additional server/network config. It has some bugs from time to time, but nothing major. I used to run a cuckoo setup locally and getting inetsim was always on my list... if I was doing something more elaborate like that I would likely pursue it as I don't think fakenet really fits into that setup. However, I would often want all my samples to connect to the internet via tor/vpn to get additional payloads (hence never setting up inetsim in the first place). I've never compared them directly but I'm under the impression that they offer similar network services and customization.

  • @diegomed3364 5 months ago +1

    😮😮😮amazing

    • @jstrosch 5 months ago

      Thanks :)