This article covers changing FakeNet-NG's default web root so you can build a more precise and controlled environment for dynamic network analysis. By modifying this key setting, you gain the flexibility to serve specific content to malware samples, influencing their behavior and enhancing your insights. Let's look at how to customize the web root in FakeNet-NG!
Interested in seeing a practical example of how you can use this capability? Check out my video on modifying FakeNet's content to return a macro-enabled document that delivered LockBit ransomware.
FakeNet's Configuration File
FakeNet's configuration file is default.ini, which is located in the installation folder under configs. If you're using FLARE-VM, the full path will be:
C:\Tools\FakeNet-NG\fakenet<version>\configs\default.ini
The setting is Webroot and will be located in two sections: HTTPListener80 and HTTPListener443.
This means that there is a default web root for both encrypted (i.e. TLS) and unencrypted (plain old HTTP) requests. The default location is defaultFiles, which can be found under the installation directory. This folder contains all of the default files that FakeNet serves.
To change the location that FakeNet uses, simply change the path for each instance of the Webroot setting. This can be an absolute or relative path. For example, let's change the path to a folder called www on the user's desktop.
Consider copying all of FakeNet's default files into the new folder. You can then modify those files or add any custom content you need to serve. Keep in mind that you don't have to change the default location in the file system; you can also add to or modify the files in the existing location.
Confirming Your New Webroot
Whether you point to a new location in the file system or modify the existing content, you'll want to make sure your changes have taken effect. When FakeNet starts, you'll see a message about parsing the configuration file.
If any errors or typos were introduced in the configuration file, FakeNet would emit an error message at this stage. When you see it begin to start services, you'll know that the configuration file is intact. Since I changed the location for this article, I'm going to make a simple change to ensure that FakeNet is using this new path. The default file FakeNet.html is returned for any HTTP requests for HTML content. I copied this file to the new location and modified the banner. Now, simply opening a browser and making a request should return this content.
And as you can see, it's serving the content from my updated Webroot! As a last word of advice, when making changes to any configuration file I always make a backup first :)
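A preflight check for the steps above, as an added example that is not FakeNet's own code: it parses the configuration text, resolves the Webroot of both HTTP listeners, and flags a missing folder, a missing FakeNet.html, or listeners that point at different web roots. The function name check_webroots, the constructed SAMPLE_INI, and resolving relative paths against the installation directory are assumptions made for illustration.

```python
import configparser
import tempfile
from pathlib import Path

HTTP_SECTIONS = ("HTTPListener80", "HTTPListener443")  # sections named in the article
PROBE_FILE = "FakeNet.html"  # default page the article uses to confirm the web root

# Constructed sample: only the port 80 listener was repointed to "www".
SAMPLE_INI = """\
[HTTPListener80]
Webroot: www
[HTTPListener443]
Webroot: defaultFiles
"""

def check_webroots(ini_text, base_dir):
    """Return a list of problems with the HTTP listeners' Webroot settings.

    Assumption: a relative Webroot is resolved against base_dir, taken here to
    be the FakeNet installation directory.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' in paths literal
    cfg.read_string(ini_text)
    problems, resolved = [], {}
    for section in HTTP_SECTIONS:
        if not cfg.has_section(section):
            problems.append(f"[{section}] section is missing")
            continue
        raw = cfg.get(section, "Webroot", fallback="").strip()
        if not raw:
            problems.append(f"[{section}] has no Webroot setting")
            continue
        root = Path(raw) if Path(raw).is_absolute() else Path(base_dir) / raw
        resolved[section] = root.resolve()
        if not root.is_dir():
            problems.append(f"[{section}] Webroot does not exist: {root}")
        elif not (root / PROBE_FILE).is_file():
            problems.append(f"[{section}] Webroot has no {PROBE_FILE}: {root}")
    if len(set(resolved.values())) > 1:
        problems.append("HTTP and HTTPS listeners point at different web roots")
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as install_dir:  # stand-in install folder
        for name in ("defaultFiles", "www"):
            (Path(install_dir) / name).mkdir()
        (Path(install_dir) / "defaultFiles" / PROBE_FILE).write_text("<html></html>")
        for problem in check_webroots(SAMPLE_INI, install_dir):
            print("WARN:", problem)
```

To use it on a real setup, pass the text of your default.ini and your FakeNet installation folder instead of the sample values.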