Malware Handbook

Setting Up and Configuring FakeNet in REMnux

Issue: FakeNet Fails to Run Due to Port Conflict

  1. Error Encountered:

    • Running FakeNet may fail with error code 98, "Address already in use", meaning another process is already bound to port 53, the DNS port.

  2. Root Cause:

    • The systemd-resolved stub resolver is listening on port 53, which FakeNet's DNS listener also needs to bind.

Steps to Resolve Port Conflict and Configure FakeNet

  1. Verify Network Route:

    • Ensure a valid network route is established:

      • Ping an Internet Address to verify connectivity.

      • If there are no responses, check and configure your VM network settings. The default setting is usually NAT mode.

      • Check the system's IP address using the ip command:

        ip addr show
      • If necessary, request a valid IP address by renewing DHCP:

        sudo renew-dhcp
  2. Disable systemd-resolved Service:

    • To free up Port 53 for FakeNet, disable the systemd-resolved service:

      sudo systemctl stop systemd-resolved
      sudo systemctl disable systemd-resolved
  3. Edit Network Manager Configuration:

    • Modify the Network Manager's configuration file:

      • Open the file for editing:

        sudo nano /etc/NetworkManager/NetworkManager.conf
      • Add the following line under the [main] section:

        dns=default
      • Save the changes (Ctrl + X, then Y, and press Enter).

  4. Recreate the resolv.conf File:

    • Delete the existing resolv.conf file:

      sudo rm /etc/resolv.conf
    • Recreate resolv.conf as a symbolic link to the file generated by systemd-resolve:

      sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
  5. Restart Network Manager Service:

    • Reboot the system or restart the Network Manager service to apply the changes:

      sudo systemctl restart NetworkManager
    • Verify Internet Connection: Ping an address to ensure connectivity wasn't disrupted.

  6. Run FakeNet:

    • After resolving the port conflict and network issues, you can now run FakeNet:

      sudo fakenet
    • Test FakeNet:

      • Visit any website to check if it returns FakeNet's default page.

Handling the Multi-Host Network Mode Issue

  1. Default Behavior:

    • On Linux, FakeNet defaults to multi-host mode; in that mode it may only log requests from the local machine without answering them with fake data.

  2. Solution: Change to Single Host Mode:

    • To change the network mode to single host:

      • Open the configuration file (default.ini):

        sudo nano /usr/local/lib/python2.7/dist-packages/fakenet/configs/default.ini
      • Locate the network_mode field and set it to single_host:

        network_mode = single_host
      • Save and close the file.

  3. Rerun FakeNet:

    • Run FakeNet again and test by visiting a website to see if it now properly returns FakeNet's default page.

  4. Exiting FakeNet:

    • To exit FakeNet, press Ctrl + C.
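A pre-flight check for the two problems covered above (a process already bound to port 53, and FakeNet's network mode left at multi-host) can save a failed start. The script below is an added example and is not part of the Malware Handbook or of FakeNet itself. It assumes `ss` from iproute2 is available, takes the default.ini path from this page, and uses the `network_mode` key name as this page shows it; the `ss` output and the default.ini excerpt embedded in it are constructed samples used for the offline self-check.

```shell
#!/bin/sh
# Added example (not from the Malware Handbook or FakeNet): pre-flight checks to run
# before `sudo fakenet`, covering the two failure modes described on this page.

# Constructed sample of `ss -lunp` output (run as root, so process names are shown).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=12))
UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))'

# Same constructed sample with systemd-resolved stopped: nothing listens on UDP 53.
SAMPLE_SS_FREE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))'

# Constructed excerpt of FakeNet's default.ini, using the key name shown on this page.
SAMPLE_INI='[FakeNet]
; which interface mode the diverter runs in
network_mode = multi_host'

# port53_owner: read `ss -lunp` output on stdin and print the name of the process
# bound to UDP port 53. Exit status 1 (and no output) means the port is free.
port53_owner() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:53$/) {            # local address column ends in :53 (not :5353)
                # process name is the first double-quoted token of the users:(...) column;
                # without root, ss prints no Process column at all
                if (match($0, /"[^"]+"/)) print substr($0, RSTART + 1, RLENGTH - 2)
                else print "unknown (rerun ss as root to see process names)"
                found = 1
                break
            }
        }
    }
    END { exit (found ? 0 : 1) }'
}

# ini_value FILE KEY: print the value of KEY (case-insensitive, "key = value" or
# "key: value" form, comment lines skipped). Exit status 1 if the key is absent.
ini_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[;#]/ { next }
        {
            sep = index($0, "=")
            if (sep == 0) sep = index($0, ":")
            if (sep == 0) next
            k = substr($0, 1, sep - 1); v = substr($0, sep + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# fakenet_preflight [CONFIG]: report both conditions on the live system.
fakenet_preflight() {
    ini="${1:-/usr/local/lib/python2.7/dist-packages/fakenet/configs/default.ini}"
    if owner=$(ss -lunp 2>/dev/null | port53_owner); then
        echo "UDP 53 is held by $owner: fakenet will fail with error 98 (Address already in use)"
    else
        echo "UDP 53 is free"
    fi
    if mode=$(ini_value "$ini" network_mode) && [ "$mode" = single_host ]; then
        echo "network_mode = single_host: FakeNet will answer local requests"
    else
        echo "network_mode is '${mode:-unset}' in $ini: set single_host or FakeNet only logs requests"
    fi
}

# Live checks run only when invoked as: sudo sh fakenet_preflight.sh --run [CONFIG]
if [ "${1:-}" = "--run" ]; then
    fakenet_preflight "${2:-}"
fi
```

Run it with `--run` before `sudo fakenet`; if it names systemd-resolve as the port 53 owner, apply step 2 of the procedure above, and if it reports multi_host, edit default.ini as described in the single host mode section. Without root, `ss -p` omits process names, which the check reports rather than guessing.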


Last updated 9 months ago