mandiant / flare-fakenet-ng

FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Apache License 2.0

Tunnel VM traffic into FakeNet on host #65

Closed zscholl closed 6 years ago

zscholl commented 6 years ago

So I've got a bit of an unusual use-case.

I have a Linux Host which is running a virtual machine. What I want to do is redirect all of the traffic from the virtual machine to FakeNet, which is running on the Host, without interfering with the other traffic on the host.

I thought I could easily accomplish this by leaving the guest in the default NAT configuration and simply adding a couple of iptables rules to the nat or mangle table to redirect all traffic to the FakeNet UDP and TCP proxies.

But all my attempts to do so have been met with a FakeNet error related to an un-instantiated diverter.

Exception happened during processing of request from ('127.0.0.1', 41482)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/home/reee/tools/flare-fakenet-ng/fakenet/listeners/ProxyListener.py", line 276, in handle
    orig_src_ip, orig_src_port, 'TCP')
  File "/home/reee/tools/flare-fakenet-ng/fakenet/listeners/ProxyListener.py", line 203, in get_top_listener
    dport = diverter.getOriginalDestPort(orig_src_ip, orig_src_port, proto)
AttributeError: 'NoneType' object has no attribute 'getOriginalDestPort'

I get this error for both TCP and UDP traffic when I turn the "DivertTraffic" configuration setting off. Of course, I turn this setting off because I don't want FakeNet to intercept the other traffic on my Host.

I've attempted to use the "LinuxRedirectNonlocal" option to only divert traffic coming from the bridge interface that the Guest (VM) sends its traffic through. This setup doesn't produce any errors, but it makes the internet non-functional on both my Host and the Guest. My initial thought was that this was because of some DNS issues, but I can't get pings to 8.8.8.8 to return anything on the Guest in this configuration.

So after perusing the source and documentation, I think my only remaining option is to add a configuration line to the config file that would restrict the inserted iptables rules for diversion to a specific source subnet. In my case, the guest is assigned IP addresses from the 192.168.122.0/24 subnet.

I'm posting this as an issue for awareness. I'd like to know if I'm just doing something dumb and there's already an easy way to operate FakeNet in this fashion, and if not, I would like some advice on fixing the issue myself.

I can paste my FakeNet configs, iptables rules, and other log files for more information if requested.

Barring some feedback from the community, I will go ahead and modify the source in a way that is hopefully suitable enough for a pull request.
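The concern in this post is that diversion rules inserted on the host must be scoped to the guest's source subnet, or they silently catch the host's own traffic as well. The following is an added example, not code from FakeNet-NG or from the poster: a small audit that parses `iptables-save` output and flags any PREROUTING rule with a diverting target (REDIRECT, DNAT, NFQUEUE, TPROXY) whose source match is missing, negated, or outside the guest subnet. The subnet 192.168.122.0/24 and the interface name `virbr0` are taken from the post; the sample rules, port numbers and queue number are constructed placeholders, and the set of targets treated as "diverting" is this example's own assumption, not a statement about which rules FakeNet installs.

```python
import ipaddress
import shlex

# Targets that pull packets off the normal routing path. An unscoped PREROUTING
# rule with one of these catches every packet entering the host, not just the
# guest's. (Assumption of this example; FakeNet's own rule set is not described here.)
DIVERT_TARGETS = {"REDIRECT", "NFQUEUE", "DNAT", "TPROXY"}

# Constructed sample in iptables-save format; not captured from a real host.
SAMPLE_RULES = """\
# constructed sample, not output from a real host
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.122.0/24 -i virbr0 -p tcp -j REDIRECT --to-ports 8080
-A PREROUTING -i virbr0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -s 10.0.0.0/8 -p tcp -j DNAT --to-destination 192.168.122.1
-A PREROUTING -s 192.168.122.0/24 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -s 192.168.122.0/24 -j NFQUEUE --queue-num 0
COMMIT
"""


def parse_iptables_save(text):
    """Yield (table, chain, tokens) for every -A/-I rule in iptables-save output."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ":")) or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]          # "*nat" -> current table is "nat"
            continue
        if line.startswith(("-A ", "-I ")):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens


def rule_scope(tokens):
    """Return (source, in_iface, target) for a rule.

    A negated match ("! -s 192.168.122.0/24") does not restrict the rule to the
    guest, so it is reported as no source scope at all.
    """
    src = iface = target = None
    negate_next = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "!":
            negate_next = True
            i += 1
            continue
        if tok in ("-s", "--source"):
            src = None if negate_next else nxt
            i += 2
        elif tok in ("-i", "--in-interface"):
            iface = None if negate_next else nxt
            i += 2
        elif tok in ("-j", "--jump"):
            target = nxt
            i += 2
        else:
            i += 1
        negate_next = False
    return src, iface, target


def find_unscoped_diversions(text, guest_subnet):
    """Return (table, rule, reason) for PREROUTING diversions not confined to guest_subnet."""
    guest = ipaddress.ip_network(guest_subnet)
    findings = []
    for table, chain, tokens in parse_iptables_save(text):
        if chain != "PREROUTING":
            continue
        src, _iface, target = rule_scope(tokens)
        if target not in DIVERT_TARGETS:
            continue
        rule = " ".join(tokens)
        if src is None:
            findings.append((table, rule, "no -s match: applies to every source, host included"))
            continue
        net = ipaddress.ip_network(src, strict=False)
        if net.version != guest.version or not net.subnet_of(guest):
            findings.append((table, rule, "source %s is not within %s" % (net, guest)))
    return findings


if __name__ == "__main__":
    for table, rule, reason in find_unscoped_diversions(SAMPLE_RULES, "192.168.122.0/24"):
        print("[%s] %s\n    -> %s" % (table, rule, reason))
```

Run it against real output with `iptables-save | python3 audit.py` after swapping `SAMPLE_RULES` for `sys.stdin.read()`; a clean result means every diverting rule in PREROUTING carries a positive `-s` match inside the guest subnet, which is the property the post is asking for.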

zscholl commented 6 years ago

I was able to figure this out without having to modify any FakeNet source. Turns out I can operate FakeNet in the default MultiHost mode on the Host and just point the guest to the Host's address as the gateway.

I'm closing the issue.