@av-gantimurov
Last active February 13, 2023 05:19
Small tutorial about setting up an internet simulator with FakeNet-NG and mitmproxy on Debian 11

Internet simulator

Debian 11

FakeNet-NG

Mitmproxy 8.0

I use mitmproxy for proper on-the-fly certificate generation from a root certificate preinstalled on the VM, and for exporting the TLS session keys (SSLKEYLOGFILE) for traffic decryption.

FakeNet-NG by default uses self-signed certificates.

A shared folder for the exported TLS keys is mounted at /mnt/public.

Install and configure Debian 11

Interface ens3 - NATed to the external Internet, IP address acquired via DHCP.

Interface ens4 - for the malware network, static IP address 192.168.19.53.

Configure IP prerouting

All traffic destined for addresses outside 192.168.19.0/24 is DNATed to our own address (192.168.19.53). cat /etc/iptables.rules

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [1:61]
:OUTPUT ACCEPT [2:214]
:POSTROUTING ACCEPT [2:214]
-A PREROUTING ! -d 192.168.19.0/24 -j DNAT --to-destination 192.168.19.53
COMMIT

Setup networking

cat /etc/network/interfaces

allow-hotplug ens3
iface ens3 inet dhcp

auto ens4
iface ens4 inet static
    pre-up iptables-restore < /etc/iptables.rules
    netmask 255.255.255.0
    address 192.168.19.53

Install packages

apt update
apt install iptables

FakeNet-NG

FakeNet-NG runs on Python 2.7.

Install dependencies

apt install python2
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py --output-document get-pip.py
python2 get-pip.py
apt-get install build-essential python-dev libnetfilter-queue-dev
python2 -m pip install https://github.com/mandiant/flare-fakenet-ng/archive/refs/heads/master.zip

Configure FakeNet-NG

  1. Copy the configs to /usr/local/etc/fakenet
cp -r /usr/local/lib/python2.7/dist-packages/fakenet /usr/local/etc/
  2. Change the config /usr/local/etc/fakenet/configs/default.ini

Differences from the default configuration:

...
LinuxRestrictInterface: ens4
...
DumpPacketsFilePrefix: fakenet
...
FixGateway:            No
FixDNS:                No
...

ModifyLocalDNS:        No
...
BlackListPortsTCP: 22, 139, 443
...
[HTTPListener443]
Enabled:     False
...

Don't forget to check the path to defaultFiles. By default, fakenet uses the defaultFiles directory shipped inside the Python module, so the relative paths in default.ini only resolve from that directory. You may create a symlink to defaultFiles in /usr/local/etc/fakenet.

ln -s /usr/local/lib/python2.7/dist-packages/fakenet/defaultFiles /usr/local/etc/fakenet/

Or just replace all relative paths with absolute ones using the following sed command (without -n, which would otherwise leave the file empty when combined with -i):

sed -i 's| defaultFiles| /usr/local/etc/fakenet/defaultFiles|g' /usr/local/etc/fakenet/configs/default.ini

HTTPListener443 is disabled because mitmproxy is used instead.

Port 443 is blacklisted so that mitmproxy can bind it; port 22 is blacklisted to keep SSH reachable.
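The defaultFiles path is the one thing in this section that silently breaks if it is wrong (listeners start, but serve nothing). The following is an added example, not code from the gist or from FakeNet-NG: it applies the same absolute-path rewrite to a config and then checks that every defaultFiles path mentioned in it actually exists on disk. It assumes the "Key: value" ini layout with paths written as "defaultFiles/..."; the demo ini is constructed, not the project's real default.ini.

```shell
#!/bin/sh
# Added example (not from the gist): make the defaultFiles references in a
# FakeNet-NG ini absolute and verify that every referenced path exists.
# Assumes "Key: value" lines with paths written as "defaultFiles/..." (the
# demo ini below is constructed, not the project's real default.ini).

# Rewrite " defaultFiles" (keeping the space after the colon) to an absolute
# path under BASE, on every occurrence, editing INI in place.
absolutize_defaultfiles() {
    ini="$1"; base="$2"
    sed -i "s| defaultFiles| ${base}/defaultFiles|g" "$ini"
}

# Print the number of defaultFiles paths in INI that do not exist on disk
# (each missing one is reported on stderr); 0 means the config is consistent.
check_defaultfiles() {
    ini="$1"; missing=0
    for p in $(grep -o '[^ ]*defaultFiles[^ ]*' "$ini" | sort -u); do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Demo on a constructed ini in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/defaultFiles"
    cat > "$tmp/default.ini" <<'EOF'
[HTTPListener80]
Webroot:     defaultFiles/
[FTPListener21]
FtpRoot:     defaultFiles/
EOF
    absolutize_defaultfiles "$tmp/default.ini" "$tmp"
    cat "$tmp/default.ini"
    echo "missing paths: $(check_defaultfiles "$tmp/default.ini")"
    rm -rf "$tmp"
}

demo
```

On the real box run `check_defaultfiles /usr/local/etc/fakenet/configs/default.ini` after the rewrite (or after creating the symlink) and expect 0; anything else names the path a listener would fail to serve from.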

Configure FakeNet-NG service unit

Network traffic captures will be saved in /var/lib/fakenet.

/etc/systemd/system/fakenet-ng.service

[Unit]
Description=FakeNet-NG service
Requires=
Wants=network-online.target
After=network-online.target

[Service]
SyslogIdentifier=fakenet
# Environment=SYSTEMD_LOG_LEVEL=debug
WorkingDirectory=/var/lib/fakenet
Type=simple
User=root
ExecStartPre=-/bin/sh -c '/sbin/iptables-save > iptables.rules'
ExecStart=/usr/local/bin/fakenet --config-file /usr/local/etc/fakenet/configs/default.ini --no-console-output --log-syslog
KillSignal=SIGINT
ExecStopPost=-/sbin/iptables-restore iptables.rules
Restart=always
RestartSec=1

[Install]
WantedBy=multi-user.target

Add an rsyslog config for fakenet

Each listener gets its own log file in /var/log/fakenet.

/etc/rsyslog.d/41-fakenet.conf

if ($programname contains 'FakeNet-NG') then {
	action(type="omfile" file="/var/log/fakenet/main.log")
	if $msg contains '"moduleName":"HTTPListener"' then {
		action(type="omfile" file="/var/log/fakenet/http.log")
	}
	if $msg contains '"moduleName":"DNSListener"' then {
		action(type="omfile" file="/var/log/fakenet/dns.log")
	}
	if $msg contains '"moduleName":"RawListener"' then {
		action(type="omfile" file="/var/log/fakenet/raw.log")
	}
	if $msg contains '"moduleName":"IRCListener"' then {
		action(type="omfile" file="/var/log/fakenet/irc.log")
	}
	if $msg contains '"moduleName":"SMTPListener"' then {
		action(type="omfile" file="/var/log/fakenet/smtp.log")
	}
	if $msg contains '"moduleName":"FTPListener"' then {
		action(type="omfile" file="/var/log/fakenet/ftp.log")
	}
	if $msg contains '"moduleName":"TFTPListener"' then {
		action(type="omfile" file="/var/log/fakenet/tftp.log")
	}
	if $msg contains '"moduleName":"POPListener"' then {
		action(type="omfile" file="/var/log/fakenet/pop.log")
	}
	stop
}

Reload and start

systemctl restart rsyslog
systemctl daemon-reload
systemctl enable fakenet-ng
systemctl start fakenet-ng

Mitmproxy

My configuration

  • standalone app in /usr/local/bin/;
  • config and certs in /usr/local/etc/mitmproxy;
  • autostart via systemctl as a service;
  • write the exported TLS session keys to the directory /mnt/public;
  • log to /var/log/mitm.log

Download and install

wget https://snapshots.mitmproxy.org/8.0.0/mitmproxy-8.0.0-linux.tar.gz --output-document=mitmproxy.tgz
tar -xzvf mitmproxy.tgz -C /usr/local/bin/

Generate the root certificate

mkdir -p /usr/local/etc/mitmproxy
cd /usr/local/etc/mitmproxy
openssl req -nodes -days 3650 -new -x509 -newkey rsa:2048 -keyout mitmproxy-ca-key.pem -out mitmproxy-ca-cert.pem -subj "/C=US/ST=California/L=Berkeley/O=DigiCert Inc/OU=DigiCert Inc Root CA/CN=www.digicert.com"
openssl pkcs12 -export -in mitmproxy-ca-cert.pem -inkey mitmproxy-ca-key.pem -name "Root Cert" -out mitmproxy-ca-cert.p12 --passout pass:
cat mitmproxy-ca-cert.pem mitmproxy-ca-key.pem > mitmproxy-ca.pem
cp mitmproxy-ca-cert.pem mitmproxy-ca-cert.cer

Configure mitmdump

/usr/local/etc/mitmproxy/config.yaml

confdir: /usr/local/etc/mitmproxy
# keep the original Host header when forwarding to the simulator
keep_host_header: true
# listen connections on default HTTPS port
listen_port: 443
# NB! change <server> to your http server address
mode: reverse:http://192.168.19.53:80
# extra details (full header and content) in console log
flow_detail: 3

Configure mitmdump as service

/etc/systemd/system/mitmdump.service

[Unit]
Description=mitmdump service
Wants=network-online.target fakenet-ng.service
Requires=
After=fakenet-ng.service
RequiresMountsFor=/mnt/public

[Service]
SyslogIdentifier=mitmdump
Environment=MITMPROXY_SSLKEYLOGFILE=/mnt/public/ssl-keys.log
Type=simple
User=root
ExecStart=/usr/local/bin/mitmdump --set confdir=/usr/local/etc/mitmproxy
Restart=always
RestartSec=1

[Install]
WantedBy=multi-user.target

Configure rsyslog

/etc/rsyslog.d/mitmdump.conf

if ($programname == 'mitmdump') then {
	action(type="omfile" file="/var/log/mitm.log")
	stop
}

Reload and run services

systemctl restart rsyslog
systemctl daemon-reload
systemctl enable mitmdump.service
systemctl start mitmdump.service

Configure VM

Configure interfaces. GW 192.168.19.53, DNS 192.168.19.53

[screenshot: network config]

In the browser go to https://mitm.it.

If the browser warns about the certificate, accept the risk and continue.

[screenshot: warning message]

Install prepared certificates and enjoy.

[screenshot: mitm.it start page]

Set up Wireshark for decrypting TLS

Wireshark can't decrypt TLS/SSL traffic without the session keys exported by mitmproxy.

[screenshot: encrypted packets]

To decrypt captured traffic, set tls.keylog_file to the file with the exported keys (/mnt/public/ssl-keys.log).

[screenshot: setup keys]

After that you can view decrypted packets.

[screenshot: decrypted packets]

Or you can simply analyse the packets dumped in /var/lib/fakenet; they should contain no TLS at all.
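When Wireshark still shows encrypted payloads, the usual cause is a key log that is empty or contains nothing it recognises. The following is an added example, not code from the gist or from mitmproxy: it checks the file mitmdump writes via MITMPROXY_SSLKEYLOGFILE against the NSS key log format Wireshark expects ("<LABEL> <client_random, 64 hex> <secret, hex>") and reports how many TLS 1.2 and TLS 1.3 entries are usable. The path /mnt/public/ssl-keys.log is the one from the setup above; the sample lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check an SSLKEYLOGFILE before
# pointing Wireshark's tls.keylog_file at it. Lines are
#   "<LABEL> <client_random: 64 hex> <secret: hex>"; "#" comments are allowed.
# Assumed path on the simulator host: /mnt/public/ssl-keys.log.

# Print "<tls12> <tls13> <bad>": usable TLS 1.2 CLIENT_RANDOM lines, usable
# TLS 1.3 secret lines, and lines Wireshark would ignore (bad label or hex).
keylog_stats() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }        # comments and blank lines are fine
        {
            ok = 0
            if (NF == 3 && length($2) == 64 &&
                $2 ~ /^[0-9a-fA-F]+$/ && $3 ~ /^[0-9a-fA-F]+$/) {
                if ($1 == "CLIENT_RANDOM" && length($3) == 96) {
                    tls12++; ok = 1              # TLS 1.2: 48-byte master secret
                } else if ($1 ~ /^(CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET|CLIENT_EARLY_TRAFFIC_SECRET|EARLY_EXPORTER_SECRET)$/ &&
                           (length($3) == 64 || length($3) == 96)) {
                    tls13++; ok = 1              # TLS 1.3: SHA-256/SHA-384 sized secret
                }
            }
            if (!ok) bad++
        }
        END { printf "%d %d %d\n", tls12, tls13, bad }
    ' "$1"
}

# Succeed only if the file exists and holds at least one usable entry.
keylog_usable() {
    [ -s "$1" ] || return 1
    set -- $(keylog_stats "$1")
    [ $(($1 + $2)) -gt 0 ]
}

# Demo on a constructed key log (values are placeholders, not real secrets).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
CLIENT_RANDOM 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
SERVER_TRAFFIC_SECRET_0 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
CLIENT_RANDOM deadbeef short
EOF
    echo "tls12 tls13 bad: $(keylog_stats "$f")"
    keylog_usable "$f" && echo "key log is usable"
    rm -f "$f"
}

demo
```

Run `keylog_stats /mnt/public/ssl-keys.log` on the host after the VM has made a few HTTPS requests; a result of "0 0 0" means mitmdump is not writing keys (check the Environment= line of the unit and that /mnt/public is mounted), while a non-zero "bad" count means the file is being appended to by something else.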
