top of page
  • Writer's pictureJosh Stroschein

Customizing FakeNet-NG's Default Web Root

Updated: Mar 5

This article delves into tailoring Fakenet-NG's default web root, empowering you to craft a more precise and controlled environment for your dynamic network analysis endeavors. By modifying this key setting, you can gain the flexibility to serve specific content to malware samples, influencing their behavior and enhancing your insights. Let's embark on a journey to unlock the potential of personalized web root manipulation within FakeNet-NG!


Interested in seeing a practical example of how you can use this capability? Check out my video on modifying FakeNet's content to return a macro-enabled document that delivered Lockbit ransomware.



FakeNet's Configuration File

FakeNet's configuration file is default.ini, which will be located in the installation folder under configs. If you're using the FLARE-VM, the full path will be at:

C:\Tools\FakeNet-NG\fakenet<version>\configs.default.ini.


The setting is Webroot and will be located in two sections: HTTPListener80 and HTTPListener443.


HTTP and HTTPS Listeners
HTTP and HTTPS Listeners

This means that there is a default web root for both encrypted (i.e. TLS) and unencrypted (plain old HTTP) requests. The default location is defaultFiles, which can be found under the installation directory. This folder contains all of the default files that FakeNet serves.


FakeNet-NG's default files
FakeNet-NG's default files

To change the location that FakeNet uses, simply change the path for each instance of the Webroot setting. This can be an absolute or relative path. For example, let's change the path to a folder called www on the user's desktop.


Default web root value modified to use absolute path
Default web root value modified to use absolute path

You will want to consider adding all of the FakeNet's default files. You can now modify those files or add any custom content you need to serve. Keep in mind, you don't have to change the default location in the file system, you can also add or modify the existing location.


Confirming Your New Webroot

Regardless if you choose to point to a new location in the file system or modifying the existing content, you'll want to make sure your changes have taken affect. When FakeNet starts, you'll see a message about parsing the configuration file.


FakeNet parsing the configuration file
FakeNet parsing the configuration file

If any errors or typos in the configuration file were introduced, FakeNet would emit an error message at this stage. When you see it begin to start services, you'll know that the configuration file is in tact. Since I changed the location for this article, I'm going to make a simple change to ensure that FakeNet is using this new. path. The default file FakeNet.html is returned for any HTTP requests for HTML content. I copied this file to the new location and modified the banner. Now, simply opening a browser and making a request should return this content.


Customized FakeNet default html page
Customized FakeNet default html page

And as you can see, it's serving the content from my updated Webroot! As a last word of advice, when making changes to any configuration file I always make a back-up first :)

279 views

Comments


Want to know when my latest content drops? Sign-up to receive email notications and access to other exclusive content!

bottom of page