Make default gateway IP '.1' instead of '.254' (#175)

* Make default gateway IP '.1' instead of '.254'

* Use .1 for default gateway instead of .254

* Updates to documentation:
Update documentation to use new year
Update documentation links to current working links
Update documentation to use Mandiant instead of FireEye

* Fix filepath of HTML report template

* Minor code cleanup

* Update CHANGELOG

---------

Co-authored-by: Tina Johnson <tinajohnson.1234@gmail.com>

CHANGELOG.txt

@@ -1,3 +1,13 @@
+Version 3.2
+-----------
+* Use .1 for default gateway instead of .254 because this is the default Virtual
+  Adapter address for VMWare and VirtualBox.
+* Update documentation to use new year
+* Update documentation links to current working links
+* Update documentation to use Mandiant instead of FireEye
+* Fix the filepath of HTML report template to work in all methods of installations
+  including Pyinstaller bundles.
+
 Version 3.1
 -----------
 * HTML and text NBI after-reporting courtesy of @3V3RYONE and @tinajohnson

LICENSE.txt

@@ -175,7 +175,7 @@
 
    END OF TERMS AND CONDITIONS
 
-   Copyright (C) 2018 FireEye, Inc.
+   Copyright (C) 2024 Mandiant, Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -7,7 +7,7 @@
 
            D   O   C   U   M   E   N   T   A   T   I   O   N
 
-FakeNet-NG 3.0 (alpha) is a next generation dynamic network analysis tool for malware
+FakeNet-NG 3.2 is a next generation dynamic network analysis tool for malware
 analysts and penetration testers. It is open source and designed for the latest
 versions of Windows (and Linux, for certain modes of operation). FakeNet-NG is
 based on the excellent Fakenet tool developed by Andrew Honig and Michael
@@ -116,10 +116,10 @@ parameter to get simple help:
      | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
      |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|
 
-                             Version  3.0 (alpha)
+                             Version  3.2
       _____________________________________________________________
                        Developed by FLARE Team
-        Copyright (C) 2016-2023 Mandiant, Inc. All rights reserved.
+        Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.
       _____________________________________________________________
     Usage: python -m fakenet.fakenet [options]:
 
@@ -171,10 +171,10 @@ and an HTTP connection:
      | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
      |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|
 
-                             Version  3.0 (alpha)
+                             Version  3.2
       _____________________________________________________________
                        Developed by FLARE Team
-        Copyright (C) 2016-2022 Mandiant, Inc. All rights reserved.
+        Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.
       _____________________________________________________________
 
     07/06/16 10:20:52 PM [           FakeNet] Loaded configuration file: configs/default.ini

docs/architecture.md

@@ -12,11 +12,11 @@ directly (if they are not hidden behind the ProxyListener) or through the
 ProxyListener. This architecture is in contrast to tools like PyNetSim (can't
 find an authoritative hyperlink to cite this reference) that effectively
 integrate all services into a bus. The benefit of this additional complexity in
-FakeNet-NG’s architecture is that it can incorporate Listeners based on generic
+FakeNet-NG's architecture is that it can incorporate Listeners based on generic
 code that expects to directly bind to ports and manage its own sockets. The
 FakeNet-NG architecture is diagrammed subsequently.
 
-![FakeNet-NG Architecture](https://github.com/fireeye/flare-fakenet-ng/raw/master/docs/fakenet_architecture.png "FakeNet-NG Architecture")
+![FakeNet-NG Architecture](https://github.com/mandiant/flare-fakenet-ng/blob/master/docs/fakenet_architecture.png "FakeNet-NG Architecture")
 
 # Diverters
 

docs/contributors.md

@@ -13,13 +13,13 @@ malware analysis on Windows XP.
 ## Windows
 
 Peter Kacherginsky [implemented
-FakeNet-NG](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html)
+FakeNet-NG](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen)
 targeting modern versions of Windows.
 
 ## Linux and Core
 
 Michael Bailey [implemented FakeNet-NG on
-Linux](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html),
+Linux](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool),
 and later refactored FakeNet-NG to use this as the unified packet processing
 logic for both Windows and Linux.
 
@@ -32,7 +32,7 @@ Haigh, Michael Bailey, and Peter Kacherginsky conceptualized the Proxy Listener
 and Hidden Listener mechanisms for introducing both of these content-based
 protocol detection features to FakeNet-NG. Matthew Haigh then [implemented
 Content-Based Protocol
-Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
+Detection](https://www.mandiant.com/content/fireeye-www/en_US/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
 
 ## HTML- and Text-Based NBI After-Reporting
 

docs/srs.md

@@ -24,19 +24,19 @@ Analysis](https://nostarch.com/malware).
 ## History
 FakeNet-NG was initially released August 3, 2016 by Peter Kacherginsky with
 support for Windows: [FakeNet-NG: Next Generation Dynamic Network Analysis
-Tool](https://www.fireeye.com/blog/threat-research/2016/08/fakenet-ng_next_gen.html).
+Tool](https://www.mandiant.com/resources/blog/fakenet-ng-next-gen).
 
 On July 5, 2017 FakeNet-NG was updated by Michael Bailey to add support for
 Linux: [Introducing Linux Support for FakeNet-NG: FLARE's Next Generation
 Dynamic Network Analysis
-Tool](https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html).
+Tool](https://www.mandiant.com/resources/blog/introducing-linux-support-fakenet-ng-flares-next-generation-dynamic-network-analysis-tool).
 
 The next significant FakeNet-NG release was by Matthew Haigh on October 23,
 2017 to introduce a proxy listener to sample, identify, and route traffic to
 the most appropriate listener: [New FakeNet-NG Feature: Content-Based Protocol
-Detection](https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
+Detection](https://www.mandiant.com/content/fireeye-www/en_US/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html).
 
-FireEye's [flare-fakenet-ng](https://github.com/fireeye/flare-fakenet-ng)
+Mandiant's [flare-fakenet-ng](https://github.com/mandiant/flare-fakenet-ng)
 repository contains `README.md` which documents usage and configuration; and
 `docs/internals.md` which describes Diverter internals for Linux.
 
@@ -157,7 +157,7 @@ The Configuration Logic for parsing and validating the configuration file is
 spread throughout the Application, Diverter, and Listeners.
 
 The configuration file is a
-[ConfigParser](https://docs.python.org/2/library/configparser.html)-compatible
+[ConfigParser](https://docs.python.org/3/library/configparser.html)-compatible
 file at an operator-specified location detailing how FakeNet-NG is to behave.
 
 Proposed: it may be beneficial to better encapsulate and centralize the

fakenet/defaultFiles/FakeNet.html

@@ -32,6 +32,6 @@
 <h3>Contact</h3>
 
 For bugs, crashes, or other comments please contact <b>The FLARE Team</b> by email
-<b>FakeNet@fireeye.com</b>.
+<b>FakeNet@mandiant.com</b>.
 </body>
 </html>

fakenet/defaultFiles/FakeNet.txt

@@ -14,4 +14,4 @@ FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and
 
 Contact
 
-For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@fireeye.com
+For bugs, crashes, or other comments please contact the FLARE Team by email FakeNet@mandiant.com

fakenet/diverters/diverterbase.py

@@ -16,6 +16,7 @@
 from .debuglevels import *
 from collections import namedtuple
 from collections import OrderedDict
+from pathlib import Path
 
 
 class DivertParms(object):
@@ -1259,21 +1260,15 @@ def formatPkt(self, pkt, pid, comm):
         Returns:
             A str containing the log line
         """
-        if pid == None:
-            pid = 'None'
-
-        if comm == None:
-            comm = 'None'
-
         logline = ''
 
         if pkt.proto == 'UDP':
             fmt = '| {label} {proto} | {pid:>6} | {comm:<8} | {src:>15}:{sport:<5} | {dst:>15}:{dport:<5} | {length:>5} | {flags:<11} | {seqack:<35} |'
             logline = fmt.format(
                 label=pkt.label,
                 proto=pkt.proto,
-                pid=pid,
-                comm=comm,
+                pid=str(pid),
+                comm=str(comm),
                 src=pkt.src_ip,
                 sport=pkt.sport,
                 dst=pkt.dst_ip,
@@ -1304,8 +1299,8 @@ def formatPkt(self, pkt, pid, comm):
             logline = fmt.format(
                 label=pkt.label,
                 proto=pkt.proto,
-                pid=pid,
-                comm=comm,
+                pid=str(pid),
+                comm=str(comm),
                 src=pkt.src_ip,
                 sport=pkt.sport,
                 dst=pkt.dst_ip,
@@ -1319,8 +1314,8 @@ def formatPkt(self, pkt, pid, comm):
             logline = fmt.format(
                 label=pkt.label,
                 proto='UNK',
-                pid=pid,
-                comm=comm,
+                pid=str(pid),
+                comm=str(comm),
                 src=str(pkt.src_ip),
                 sport=str(pkt.sport),
                 dst=str(pkt.dst_ip),
@@ -1959,7 +1954,13 @@ def generate_html_report(self):
         to the main working directory of flare-fakenet-ng. Called by stop() method
         of diverter.
         """
-        template_file = os.path.join("fakenet", "configs", "html_report_template.html")
+        if getattr(sys, 'frozen', False) and hasattr(sys, '_MEIPASS'):
+            # Inside a Pyinstaller bundle
+            fakenet_dir_path = os.getcwd()
+        else:
+            fakenet_dir_path = os.fspath(Path(__file__).parents[1])
+
+        template_file = os.path.join(fakenet_dir_path, "configs", "html_report_template.html")
         template_loader = jinja2.FileSystemLoader(searchpath=os.path.dirname(template_file))
         template_env = jinja2.Environment(loader=template_loader)
         template = template_env.get_template(os.path.basename(template_file))

fakenet/diverters/winutil.py

@@ -361,9 +361,10 @@ def fix_gateway(self):
             # (Host-Only)
             if self.check_ipaddresses_interface(adapter) and adapter.DhcpEnabled:
 
-                (ip_address, netmask) = next(
-                    self.get_ipaddresses_netmask(adapter))
-                gw_address = ip_address[:ip_address.rfind('.')] + '.254'
+                (ip_address, netmask) = next(self.get_ipaddresses_netmask(adapter))
+                # set the gateway ip address to be that of the virtual network adapter
+                # https://docs.vmware.com/en/VMware-Workstation-Pro/17/com.vmware.ws.using.doc/GUID-9831F49E-1A83-4881-BB8A-D4573F2C6D91.html
+                gw_address = ip_address[:ip_address.rfind('.')] + '.1'
 
                 interface_name = self.get_adapter_friendlyname(adapter.Index)
 

fakenet/fakenet.py

@@ -6,7 +6,7 @@
 # analysts and penetration testers.
 #
 # Original developer: Peter Kacherginsky
-# Current developer: FireEye FLARE Team (FakeNet@fireeye.com)
+# Current developer: Mandiant FLARE Team (FakeNet@mandiant.com)
 
 import logging
 import logging.handlers
@@ -349,7 +349,7 @@ def main():
  | | / ____ \| . \| |____| |\  | |____   | |      | |\  | |__| |
  |_|/_/    \_\_|\_\______|_| \_|______|  |_|      |_| \_|\_____|
 
-                        Version 3.1
+                        Version 3.2
   _____________________________________________________________
                    Developed by FLARE Team
     Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.

setup.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2016-2023 Mandiant, Inc. All rights reserved.
+# Copyright (C) 2016-2024 Mandiant, Inc. All rights reserved.
 
 import os
 import platform
@@ -26,7 +26,7 @@
 
 setup(
     name='FakeNet NG',
-    version='3.1',
+    version='3.2',
     description="",
     long_description="",
     author="Mandiant FLARE Team with credit to Peter Kacherginsky as the original developer",
@@ -37,8 +37,8 @@
     ],
     package_dir={'fakenet': 'fakenet'},
     package_data={'fakenet': ['*.pem','diverters/*.py', 'listeners/*.py',
-        'listeners/ssl_utils/*.py', 'listeners/ssl_utils/*.pem', 'configs/*.ini', 'defaultFiles/*',
-        'lib/64/*', 'lib/32/*']},
+        'listeners/ssl_utils/*.py', 'listeners/ssl_utils/*.pem', 'configs/*.ini',
+        'configs/html_report_template.html', 'defaultFiles/*', 'lib/64/*', 'lib/32/*']},
     entry_points={
         "console_scripts": [
             "fakenet=fakenet.fakenet:main",

test/test.py

@@ -905,7 +905,7 @@ def __init__(self, startingpath, singlehost=True):
         self.listener_host_white = 8083 # HTTP listener with host whitelists
         self.localhost = '127.0.0.1'
         self.dns_expected = '192.0.2.123'
-        self.domain_dne = 'does-not-exist-amirite.fireeye.com'
+        self.domain_dne = 'does-not-exist-amirite.mandiant.com'
         self.sender = 'from-fakenet@example.org'
         self.recipient = 'to-fakenet@example.org'
         self.smtpmsg = 'FakeNet-NG SMTP test email'