Key points
- FakeNet-NG adds interactive HTML output generated from a Jinja2 template, saved to the current working directory for review and sharing.
- The HTML report includes inline CSS/JavaScript to support selecting, filtering, and copying individual or multiple captured network entries as Markdown.
- The tool’s modular internals consist of a Diverter (intercepts traffic), a Proxy Listener (analyzes application-layer data), and protocol-specific Listeners (HTTP/FTP/DNS emulation).
- Enhancements to data storage let the Diverter record process names, PIDs, and relationships between original and proxy-initiated source ports for NBI mapping.
- The Proxy Listener forwards relevant packet details to the Diverter so captured data can be associated with source processes and combined into the HTML report.
- Planned improvements include adding a communication graph visualization, excluding noisy benign traffic, including ICMP in reports, preset filters, and improved Markdown export options.
MITRE Techniques
- [T1040] Network Sniffing – Intercepts incoming and outgoing network traffic for analysis: ['This central component intercepts all incoming and outgoing network traffic from the target system. By default, it forwards these packets to the Proxy Listener for further processing.']
- [T1090] Proxy – Forwards and relays traffic through intermediary components to analyze and handle connections: ['By default, it forwards these packets to the Proxy Listener for further processing.' / 'This component sits between the Diverter and the protocol-specific Listeners.']
- [T1071] Application Layer Protocol – Analyzes application-layer data to classify and route packets to protocol-specific handlers: ['This component sits between the Diverter and the protocol-specific Listeners. It analyzes application layer data to identify the appropriate Listener for each network packet based on factors like port, protocol, and data content.']
- [T1057] Process Discovery/Identification – Records process names and PIDs and maps network activity to originating processes for attribution: ['The Diverter stores additional information, including process names, process IDs, and relationships between original and proxy-initiated source ports.']
Indicators of Compromise
- [Domain] example used in UI filtering demo – evil.com (shown in filtered results screenshot)
- [File name / asset] example images used to illustrate output – fakenet-summer-of-code-fig1.max-1000×1000.png, fakenet-summer-of-code-fig3b.max-1000×1000.png (illustrative image assets)
FakeNet-NG now renders captured network activity into a single, self-contained HTML report created from a Jinja2 template; the page includes inline CSS and JavaScript so analysts can open the report in any browser, filter entries by search terms, select items, and copy either single NBIs or multiple selected NBIs as Markdown. The report generation pipeline writes the finalized HTML to the current working directory, enabling easy sharing and collaborative review of captured traffic.
To support accurate NBI attribution, the Diverter was modified to persist extra metadata (process names, PIDs, and mappings between original and proxy-initiated source ports), while the Proxy Listener extracts application-layer details and forwards relevant packet information back to the Diverter. Protocol-specific Listeners (HTTP, FTP, DNS, etc.) emulate legitimate server responses so captured requests look realistic; FakeNet-NG then aggregates data from all components to populate the HTML report.
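As an added illustration (not FakeNet-NG's own code), the toy model below shows how the port relationships described above let a proxy-initiated connection be attributed back to the original PID and process, and how a filtered set of NBIs is exported as Markdown. The class and function names, and the sample entries, are assumptions constructed for this example.

```python
"""Toy model of NBI attribution in a FakeNet-NG-style pipeline (added example).

Assumed design: the Diverter records (pid, process) for each original source
port it intercepts, plus a map from the proxy-initiated source port back to the
original one; the Proxy Listener reports application-layer details keyed by the
port it actually connected from.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NBI:
    protocol: str
    dst_host: str
    dst_port: int
    detail: str                      # application-layer detail from a Listener
    pid: Optional[int] = None
    process: Optional[str] = None


@dataclass
class Diverter:
    port_owner: dict = field(default_factory=dict)    # orig src port -> (pid, name)
    proxy_to_orig: dict = field(default_factory=dict) # proxy src port -> orig src port
    nbis: list = field(default_factory=list)

    def intercept(self, src_port: int, pid: int, process: str) -> None:
        self.port_owner[src_port] = (pid, process)

    def proxy_connect(self, proxy_port: int, orig_port: int) -> None:
        self.proxy_to_orig[proxy_port] = orig_port

    def report_from_proxy(self, src_port, protocol, dst_host, dst_port, detail) -> NBI:
        """Called by the Proxy Listener; resolve the originating process.
        A port with no proxy mapping is treated as a direct (non-proxied) hit."""
        orig = self.proxy_to_orig.get(src_port, src_port)
        pid, proc = self.port_owner.get(orig, (None, None))
        nbi = NBI(protocol, dst_host, dst_port, detail, pid, proc)
        self.nbis.append(nbi)
        return nbi


def filter_nbis(nbis: list, term: str) -> list:
    """Case-insensitive search over process name, destination and detail."""
    term = term.lower()
    return [n for n in nbis if term in f"{n.process} {n.dst_host} {n.detail}".lower()]


def to_markdown(nbis: list) -> str:
    """Render NBIs as a Markdown table (pipes in free text are escaped)."""
    rows = ["| PID | Process | Proto | Destination | Detail |", "|---|---|---|---|---|"]
    for n in nbis:
        detail = n.detail.replace("|", "\\|")
        rows.append(f"| {n.pid} | {n.process} | {n.protocol} | {n.dst_host}:{n.dst_port} | {detail} |")
    return "\n".join(rows)
```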
Future work focuses on analyst-facing enhancements: adding a communication graph to visualize processes, IPs, and domains; filtering out benign OS-generated noise; including ICMP traffic in reports; introducing preset filters for common Microsoft noise; and making Markdown exports configurable so users can select which details to include.
Read more: https://cloud.google.com/blog/topics/threat-intelligence/fakenet-ng-interactive-html-based-output/