Merge pull request #1121 from mandiant/internet-detector

Add internet detector utility

Author: emtuls

Diff for: packages/fakenet-ng.vm/fakenet-ng.vm.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
   <metadata>
     <id>fakenet-ng.vm</id>
-    <version>3.2.0.20240425</version>
+    <version>3.2.0.20240902</version>
     <description>FakeNet-NG is a dynamic network analysis tool.</description>
     <authors>Mandiant</authors>
     <dependencies>

Diff for: packages/fakenet-ng.vm/tools/chocolateyinstall.ps1

@@ -11,6 +11,7 @@ try {
   $zipSha256 = "5941a0401830c2310226f0cd2d640e091f1c8bf1b93c5288e6626eecebf20bff"
 
   $toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
+  $packageToolDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
 
   # Remove files from previous zips for upgrade
   VM-Remove-PreviousZipPackage ${Env:chocolateyPackageFolder}
@@ -34,6 +35,11 @@ try {
   VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -executableDir $toolDir -consoleApp $true
   Install-BinFile -Name $toolName -Path $executablePath
 
+  # Replace `default.ini` with our modified one that includes change for 'internet_detector'.
+  # IMPORTANT: Keep our modified `default.ini` in-sync on updates to package.
+  $fakenetConfigDir = Get-ChildItem "C:\Tools\fakenet\*\configs"
+  Copy-Item "$packageToolDir\default.ini" -Destination $fakenetConfigDir
+
   # Create shortcut in Desktop to FakeNet tool directory
   $desktopShortcut  = Join-Path ${Env:UserProfile} "Desktop\fakenet_logs.lnk"
   Install-ChocolateyShortcut -shortcutFilePath $desktopShortcut -targetPath $toolDir

Diff for: packages/fakenet-ng.vm/tools/default.ini

@@ -0,0 +1,349 @@
+###############################################################################
+# Fakenet Configuration
+
+[FakeNet]
+
+# Specify whether or not FakeNet should divert traffic. Disable if you want to
+# just start listeners and direct traffic manually (e.g. modify DNS server)
+DivertTraffic:         Yes
+
+###############################################################################
+# Diverter Configuration
+
+[Diverter]
+
+# Specify what mode of operation to use. Options:
+#   SingleHost - manipulate local traffic
+#   MultiHost - manipulate traffic from foreign hosts
+#   Auto - Use SingleMode on Windows or use MultiHost on Linux
+#
+# The current support for these modes on each supported platform is as follows:
+#              | Windows    | Linux        |
+#   -----------+------------+--------------+
+#   SingleHost | Functional | Experimental |
+#   MultiHost  |      -     | Functional   |
+# NetworkMode:           SingleHost
+# NetworkMode:           MultiHost
+NetworkMode:           Auto
+
+# DebugLevel: specify fine-grained debug print flags to enable. Enabling all
+# logging when verbose mode is selected results in overwhelming output, hence
+# this setting. Valid values (comma-separated) are:
+# 
+#    GENPKT     Generic packet information
+#    GENPKTV    Packet analysis, displays IP, TCP, UDP fields, very wide output
+#    CB         Diverter packet handler callback start/finish logging
+#    NONLOC     Nonlocal packet verbose logging
+#    DPF        Dynamic port forwarding decisions
+#    DPFV       Dynamic port forwarding table activity
+#    IPNAT      NAT decisions
+#    MANGLE     Packet mangling (modification) activity
+#    PCAP       PCAP writes of original and mangled packets
+#    IGN        Cases where packets are forwarded as is
+#    FTP        FTP-specific logic
+#    IGN-FTP    Cases where packets are forwarded as is due to FTP Active Mode
+#    MISC       Miscellaneous
+#    NFQUEUE    NetfilterQueue activity (Linux only)
+#    PROCFS     Procfs read/write activity (Linux only)
+#    IPTABLES   iptables firewall rule activity (Linux only)
+DebugLevel:            Off
+
+# Restrict which interface on which Fakenet-NG will intercept and handle
+# packets. Specify (only) one interface and Fakenet-NG will ignore all other
+# interfaces. This feature only applies to interfaces on different subnets.
+# Specify interface by name only (ex: eth0). To disable, set to "Off". In
+# order to run multiple instance of Fakenet-NG on different interfaces within
+# the same guest, LinuxFlushIptables must be turned off to avoid the latest
+# instance flushing the rules associated with other instances or restoring
+# rules to an incorrect state upon exit.
+LinuxRestrictInterface: Off
+
+# Set LinuxFlushIptables to Yes to have the Linux Diverter flush all iptables
+# rules before adding its FakeNet-NG-specific rules to iptables. This setting
+# also restores rules via `iptables-restore` when it exits, unless its
+# termination is interrupted.
+LinuxFlushIptables:    Yes
+
+# Incorporated so that users of the binary release may make this work for
+# various Linux distros. On Ubuntu, this is `service dns-clean restart`. For
+# other distributions, it may be `nscd -I hosts`. Check your manual for
+# details.
+LinuxFlushDNSCommand:  service dns-clean restart
+
+# Specify whether or not to save captured traffic. You can also change
+# the file prefix for the generated PCAPs.
+DumpPackets:           Yes
+DumpPacketsFilePrefix: packets
+
+# DHCP server running under VMWare Host-Only networking does not configure
+# interface gateway and DNS server. Gateway must be configured to allow
+# Windows to attempt to route external traffic so that FakeNet could
+# could intercept it. This option will automatically generate and set
+# appropriate gateway and DNS addresses to allow normal operation.
+FixGateway:            Yes
+FixDNS:                Yes
+
+# Enable 'ModifyLocalDNS' to statically set DNS server to the local machine.
+# Linux: Modifies (and restores) /etc/resolv.conf on Linux to make this an
+# ephemeral change.
+ModifyLocalDNS:        Yes
+
+# Enable 'StopDNSService' to stop Windows DNS client to see the actual 
+# processes resolving domains. This is a no-op on Linux, until such time as DNS
+# caching is observed to interfere with finding the pid associated with a DNS
+# request.
+StopDNSService:        Yes
+
+# Enable 'RedirectAllTraffic' to optionally divert traffic going to ports not
+# specifically listed in one of the listeners below. 'DefaultTCPListener' and
+# 'DefaultUDPListener' will handle TCP and UDP traffic going to unspecified ports.
+#
+# NOTE: Setting default UDP listener will intercept all DNS traffic unless you
+# enable a dedicated UDP port 53 DNS listener or add UDP port 53 to the 
+# 'BlackListPortsUDP' below so that system's default DNS server is used instead.
+
+RedirectAllTraffic:    Yes
+DefaultTCPListener:    ProxyTCPListener
+DefaultUDPListener:    ProxyUDPListener
+
+# Specify TCP and UDP ports to ignore when diverting packets. 
+# For example, you may want to avoid diverting UDP port 53 (DNS) traffic
+# when trying to intercept a specific process while allowing the rest to 
+# function normally
+#
+# NOTE: This setting is only honored when 'RedirectAllTraffic' is enabled.
+
+BlackListPortsTCP: 139
+BlackListPortsUDP: 67, 68, 137, 138, 443, 1900, 5355, 53
+
+# Specify processes to ignore when diverting traffic. Windows example used
+# here.
+ProcessBlackList: internet_detector.exe
+
+# Specify processes to consider when diverting traffic (others will be
+# ignored). Linux examples used here.
+# ProcessWhiteList: wget, nc
+
+# Specify hosts to ignore when diverting traffic.
+# HostBlackList: 6.6.6.6
+
+###############################################################################
+# Listener Configuration
+#
+# Listener configuration consists of generic settings used by the diverter which
+# are the same for all listeners and listener specific settings. 
+#
+# NOTE: Listener section names will be used for logging.
+#
+# NOTE: Settings labels are not case-sensitive.
+#
+# The following settings are available for all listeners:
+# * Enabled          - specify whether or not the listener is enabled.
+# * Port             - TCP or UDP port to listen on.
+# * Protocol         - TCP or UDP
+# * Listener         - Listener name to handle traffic.
+# * ProcessWhiteList - Only traffic from these processes will be modified
+#                      and the rest will simply be forwarded.
+# * ProcessBlackList - Traffic from all but these processes will be simply forwarded
+#                      and the rest will be modified as needed.
+# * HostWhiteList    - Only traffic to these hosts will be modified and
+#                      the rest will be simply forwarded.
+# * HostBlackList    - Traffic to these hosts will be simply forwarded
+#                      and the rest will be modified as needed.
+# * ExecuteCmd       - Execute command on the first connection packet. This is feature is useful
+#                      for extending FakeNet-NG's functionality (e.g. launch a debugger on the
+#                      connecting pid to help with unpacking and decoding.)
+#
+#                      The following format string variables are made available:
+#                      * {pid}      - process id
+#                      * {procname} - process executable name
+#                      * {src_addr} - source address
+#                      * {src_port} - source port
+#                      * {dst_addr} - destination address
+#                      * {dst_port} - destination port
+#
+# Listener entry which does not specify a specific listener service
+# will still redirect all packets to the local machine on the specified port and
+# subject to all the filters (processes, hosts, etc.). However, you must set-up a
+# third party service (e.g. proxy servers) to accept these connections. This feature can be
+# used to provide FakeNet-NG's passive traffic diverting and filtering capabilities to other
+# applications.
+#
+# Listener specific settings:
+#
+# * Timeout          - Set connection timeout for any listeners that support
+#                      TCP connections (e.g. RawListener, DNSListener, HTTPListener
+#                      SMTPListener).
+# * UseSSL           - Enable SSL support on the listener (RawListener, HTTPListener)
+# * Webroot          - Set webroot path for HTTPListener.
+# * DumpHTTPPosts    - Store HTTP Post requests for the HTTPListener.
+# * DumpHTTPPostsFilePrefix - File prefix for the stored HTTP Post requests used by the HTTPListener.
+# * TFTPFilePrefix   - File prefix for the stored tftp uploads used by the TFTPListener.
+# * DNSResponse      - IP address to respond with for A record DNS queries. (DNSListener)
+# * NXDomains        - A number of DNS requests to ignore to let the malware cycle through
+#                      all of the backup C2 servers. (DNSListener)
+# * Banner           - FTPListener, IRCListener: FTP or IRC banner to display.
+#                      Valid settings are any banner string, or !<key> where
+#                      <key> is a valid key in the BANNERS dictionary within
+#                      FTPListener.py or IRCListener.py, or !random to
+#                      randomize among the banners in the BANNERS dictionary.
+#                      The default value if none is specified is !generic,
+#                      which selects the banner in the BANNERS dictionary going
+#                      by that key. Banner string may specify the following
+#                      escapes/insertions:
+#                          {servername} - ServerName setting value
+#                          {tz} - Time zone, currently hard-coded to 'UTC'
+# * ServerName       - FTPListener, IRCListener: FTP or IRC server name for
+#                      insertion into selected default banners or into a
+#                      user-specified banner string. Valid settings are any
+#                      hostname string, !hostname to insert the actual hostname
+#                      of the system, or !random to generate a random hostname
+#                      between 1 and 15 characters (inclusive).
+
+[ProxyTCPListener]
+Enabled:     True
+Protocol:    TCP
+Listener:    ProxyListener
+Port:        38926
+Listeners:   HTTPListener, RawListener, FTPListener, DNSListener, POPListener, SMTPListener, TFTPListener, IRCListener
+Hidden:      False
+
+[ProxyUDPListener]
+Enabled:     True
+Protocol:    UDP
+Listener:    ProxyListener
+Port:        38926
+Listeners:   RawListener, DNSListener, TFTPListener, FTPListener
+Hidden:      False
+
+[Forwarder]
+Enabled:     False
+Port:        8080
+Protocol:    TCP
+ProcessWhiteList: chrome.exe
+Hidden:      False
+
+[RawTCPListener]
+Enabled:     True
+Port:        1337
+Protocol:    TCP
+Listener:    RawListener
+UseSSL:      No
+Timeout:     10
+Hidden:      False
+# To read about customizing responses, see docs/CustomResponse.md
+# Custom:    sample_custom_response.ini
+
+[RawUDPListener]
+Enabled:     True
+Port:        1337
+Protocol:    UDP
+Listener:    RawListener
+UseSSL:      No
+Timeout:     10
+Hidden:      False
+# To read about customizing responses, see docs/CustomResponse.md
+# Custom:    sample_custom_response.ini
+
+[FilteredListener]
+Enabled:     False
+Port:        31337
+Protocol:    TCP
+Listener:    RawListener
+UseSSL:      No
+Timeout:     10
+ProcessWhiteList: ncat.exe, nc.exe
+HostBlackList: 5.5.5.5
+Hidden:      False
+
+[DNS Server]
+Enabled:     True
+Port:        53
+Protocol:    UDP
+Listener:    DNSListener
+ResponseA:   192.0.2.123
+ResponseMX:  mail.evil2.com
+ResponseTXT: FAKENET
+NXDomains:   0
+Hidden:      False
+
+[HTTPListener80]
+Enabled:     True
+Port:        80
+Protocol:    TCP
+Listener:    HTTPListener
+UseSSL:      No
+Webroot:     defaultFiles/
+Timeout:     10
+DumpHTTPPosts: Yes
+DumpHTTPPostsFilePrefix: http
+Hidden:      False
+# To read about customizing responses, see docs/CustomResponse.md
+# Custom:    sample_custom_response.ini
+
+[HTTPListener443]
+Enabled:     True
+Port:        443
+Protocol:    TCP
+Listener:    HTTPListener
+UseSSL:      Yes
+Webroot:     defaultFiles/
+Timeout:     10
+DumpHTTPPosts: Yes
+DumpHTTPPostsFilePrefix: http
+Hidden:      False
+
+[SMTPListener]
+Enabled:     True
+Port:        25
+Protocol:    TCP
+Listener:    SMTPListener
+UseSSL:      No
+Hidden:      False
+
+[FTPListener21]
+Enabled:     True
+Port:        21
+Protocol:    TCP
+Listener:    FTPListener
+UseSSL:      No
+FTProot:     defaultFiles/
+PasvPorts:   60000-60010
+Hidden:      False
+Banner:      !generic
+ServerName:  !gethostname
+
+[FTPListenerPASV]
+Enabled:     True
+Port:        60000-60010
+Protocol:    TCP
+Hidden:      False
+
+[IRCServer]
+Enabled:     True
+Port:        6667
+Protocol:    TCP
+Listener:    IRCListener
+UseSSL:      No
+Banner:      !generic
+ServerName:  !gethostname
+Timeout:     30
+Hidden:      False
+
+[TFTPListener]
+Enabled:     True
+Port:        69
+Protocol:    UDP
+Listener:    TFTPListener
+TFTPRoot:    defaultFiles/
+Hidden:      False
+TFTPFilePrefix:  tftp
+
+[POPServer]
+Enabled:     True
+Port:        110
+Protocol:    TCP
+Listener:    POPListener
+UseSSL:      No
+Hidden:      False
+

Diff for: packages/internet_detector.vm/internet_detector.vm.nuspec

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>internet_detector.vm</id>
+    <version>1.0.0</version>
+    <authors>Elliot Chernofsky and Ana Martinez Gomez</authors>
+    <description>Tool that changes the background and a taskbar icon if it detects internet connectivity</description>
+    <dependencies>
+      <dependency id="common.vm" version="0.0.0.20240821" />
+      <dependency id="libraries.python3.vm" version="0.0.0.20240726" />
+      <dependency id="fakenet-ng.vm" version="3.2.0.20240902" />
+    </dependencies>
+  </metadata>
+</package>