@levisre
Last active December 16, 2018 18:10
Tiny sinkhole config for Fakenet-NG
______ _ ________ _ _ ______ _______ _ _ _____
| ____/\ | |/ / ____| \ | | ____|__ __| | \ | |/ ____|
| |__ / \ | ' /| |__ | \| | |__ | |______| \| | | __
| __/ /\ \ | < | __| | . ` | __| | |______| . ` | | |_ |
| | / ____ \| . \| |____| |\ | |____ | | | |\ | |__| |
|_|/_/ \_\_|\_\______|_| \_|______| |_| |_| \_|\_____|
Version 1.0
_____________________________________________________________
Developed by
Peter Kacherginsky
FLARE (FireEye Labs Advanced Reverse Engineering)
_____________________________________________________________
08/26/17 10:50:09 PM [ FakeNet] Loaded configuration file: configs\sinkhole.ini
08/26/17 10:50:09 PM [ Diverter] Capturing traffic to sinkholes_20170826_225009.pcap
08/26/17 10:50:09 PM [ FakeNet] Anonymous TCPListener listener on TCP port 80...
08/26/17 10:50:09 PM [ DNS Server] Starting...
08/26/17 10:50:09 PM [ Diverter] Starting...
08/26/17 10:50:09 PM [ Diverter] Successfully disabled the service Dnscache.
08/26/17 10:50:10 PM [ Diverter] Successfully stopped the service Dnscache.
08/26/17 10:50:10 PM [ Diverter] Diverting ports:
08/26/17 10:50:10 PM [ Diverter]   TCP: 80
08/26/17 10:50:10 PM [ Diverter]   UDP: 53
08/26/17 10:50:10 PM [ Diverter] Failed to flush DNS cache. (DnsFlushResolverCache)
08/26/17 10:50:10 PM [ Diverter] Flushed DNS cache. (ipconfig)
...
08/26/17 10:50:28 PM [ DNS Server] Received A request for domain 'evil-url.com'.
08/26/17 10:50:28 PM [ DNS Server] Responding with '192.168.63.128'
08/26/17 10:50:28 PM [ Diverter] Modifying outbound external TCP request packet:
08/26/17 10:50:28 PM [ Diverter]   from: 192.168.63.128:49417 -> 192.168.63.128:80
08/26/17 10:50:28 PM [ Diverter]   to:   192.168.63.128:49417 -> 192.168.63.128:80
08/26/17 10:50:28 PM [ Diverter]   pid: 2184 name: chrome.exe
08/26/17 10:50:28 PM [ Diverter] Modifying outbound external TCP request packet:
08/26/17 10:50:28 PM [ Diverter]   from: 192.168.63.128:49418 -> 192.168.63.128:80
08/26/17 10:50:28 PM [ Diverter]   to:   192.168.63.128:49418 -> 192.168.63.128:80
08/26/17 10:50:28 PM [ Diverter]   pid: 2184 name: chrome.exe
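One way to triage the FakeNet-NG output above, as an added example that is not part of the gist: a small parser that pairs each DNS answer with the diverted connections printed after it, and attributes the sinkholed domain to the pid and process name that made the connection. The sample lines are copied from the session above and embedded as constructed input; the regexes assume the log layout shown there.

```python
import re

# Constructed sample: the DNS and Diverter lines from the FakeNet-NG session above.
SAMPLE_LOG = """\
08/26/17 10:50:28 PM [ DNS Server] Received A request for domain 'evil-url.com'.
08/26/17 10:50:28 PM [ DNS Server] Responding with '192.168.63.128'
08/26/17 10:50:28 PM [ Diverter] Modifying outbound external TCP request packet:
08/26/17 10:50:28 PM [ Diverter]   from: 192.168.63.128:49417 -> 192.168.63.128:80
08/26/17 10:50:28 PM [ Diverter]   to:   192.168.63.128:49417 -> 192.168.63.128:80
08/26/17 10:50:28 PM [ Diverter]   pid: 2184 name: chrome.exe
"""

DNS_REQ = re.compile(r"\[ DNS Server\] Received \w+ request for domain '([^']+)'")
DNS_RESP = re.compile(r"\[ DNS Server\] Responding with '([^']+)'")
CONN_FROM = re.compile(r"\[ Diverter\]\s+from: (\S+) -> (\S+)")
CONN_PID = re.compile(r"\[ Diverter\]\s+pid: (\d+) name: (\S+)")


def parse_fakenet_log(text):
    """Return ({domain: answered_ip}, [connection dicts]) from FakeNet-NG output."""
    answers, connections = {}, []
    pending_domain = None   # last 'Received ... request' still waiting for its answer
    conn = None             # 'from:' line seen, matching 'pid:' line not yet
    for line in text.splitlines():
        if m := DNS_REQ.search(line):
            pending_domain = m.group(1)
        elif (m := DNS_RESP.search(line)) and pending_domain:
            answers[pending_domain] = m.group(1)
            pending_domain = None
        elif m := CONN_FROM.search(line):
            conn = {"src": m.group(1), "dst": m.group(2)}
        elif (m := CONN_PID.search(line)) and conn:
            conn.update(pid=int(m.group(1)), name=m.group(2))
            connections.append(conn)
            conn = None
    return answers, connections


def attribute_connections(answers, connections):
    """Map (pid, name) -> set of sinkholed domains, by matching the diverted
    packet's destination IP against the IP the DNS server answered with."""
    ip_to_domains = {}
    for domain, ip in answers.items():
        ip_to_domains.setdefault(ip, set()).add(domain)
    report = {}
    for c in connections:
        dst_ip = c["dst"].rsplit(":", 1)[0]          # strip the port
        key = (c["pid"], c["name"])
        report.setdefault(key, set()).update(ip_to_domains.get(dst_ip, ()))
    return report
```

Because every sinkholed domain resolves to the same DNSResponse address, a process is credited with all domains answered so far; splitting the report by time window is the natural refinement once several domains are in play.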
from flask import Flask, request
import socket
import logging


def getlocalIP():
    # Resolve this host's own address, which is where the DNSResponse in the config points
    return socket.gethostbyname(socket.gethostname())


app = Flask(__name__)


# Only the root path is handled; requests to any other path get Flask's default 404
@app.route("/", methods=["POST", "GET"])
def postIndex():
    remote_ip = request.remote_addr
    # Write a log entry with the caller's address and the raw request object
    app.logger.debug("%s -> %s" % (remote_ip, request.__dict__))
    # Return a simple message to the client
    return "Yay! You're visiting my tiny sinkhole. I saw that you're at %s " % remote_ip


if __name__ == "__main__":
    ip = getlocalIP()
    PORT = 80
    formatter = logging.Formatter("[%(asctime)s] - %(message)s")
    # Make sure DEBUG records reach the handlers even when debug mode is turned off
    app.logger.setLevel(logging.DEBUG)
    # Log to file
    fileHandler = logging.FileHandler("client.log")
    fileHandler.setLevel(logging.DEBUG)
    fileHandler.setFormatter(formatter)
    app.logger.addHandler(fileHandler)
    # Log to console output
    streamHandler = logging.StreamHandler()
    streamHandler.setLevel(logging.DEBUG)
    streamHandler.setFormatter(formatter)
    app.logger.addHandler(streamHandler)
    # Run on the local address with the predefined port
    app.run(debug=True, host=ip, port=PORT, threaded=True)
#############################################################
# Config for Fakenet
[FakeNet]
DivertTraffic: Yes
#############################################################
# Config for Diverter
[Diverter]
# Dump packets to pcap
DumpPackets: Yes
DumpPacketsFilePrefix: sinkholes
ModifyLocalDNS: No
StopDNSService: Yes
RedirectAllTraffic: No
# Set listener for TCP Protocol
DefaultTCPListener: TCPListener
# Ignore some common ports so their traffic is not diverted
BlackListPortsTCP: 139
BlackListPortsUDP: 53, 67, 68, 137, 138, 1900, 5355
#############################################################
# Config for Listener
# Divert HTTP traffic to local ip
[TCPListener]
Enabled: True
Port: 80
Protocol: TCP
# Divert DNS Query to local ip
# So whenever malware queries a malicious domain, fakenet-ng will lead it to our sinkhole
[DNS Server]
Enabled: True
Port: 53
Protocol: UDP
Listener: DNSListener
# Change IP to sinkhole host IP
DNSResponse: 192.168.63.128
NXDomains: 0