###############################################################################
# Fakenet Configuration
[FakeNet]
# Specify whether or not FakeNet should divert traffic. Set to No if you only
# want to start the listeners and steer traffic to them yourself (e.g. by
# pointing the DNS server at this host). With diversion off, the [Diverter]
# settings below presumably go unused — confirm against the FakeNet-NG docs.
DivertTraffic: Yes
###############################################################################
# Diverter Configuration
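[Diverter]
# Specify what mode of operation to use. Options:
# SingleHost - manipulate local traffic
# MultiHost - manipulate traffic from foreign hosts
# Auto - Use SingleHost on Windows or use MultiHost on Linux
#
# The current support for these modes on each supported platform is as follows:
#            | Windows    | Linux        |
# -----------+------------+--------------+
# SingleHost | Functional | Experimental |
# MultiHost  | -          | Functional   |
# NetworkMode: SingleHost
# NetworkMode: MultiHost
NetworkMode: Auto
# DebugLevel: specify fine-grained debug print flags to enable. Enabling all
# logging when verbose mode is selected results in overwhelming output, hence
# this setting. Valid values (comma-separated) are:
#
# GENPKT    Generic packet information
# GENPKTV   Packet analysis, displays IP, TCP, UDP fields, very wide output
# CB        Diverter packet handler callback start/finish logging
# NONLOC    Nonlocal packet verbose logging
# DPF       Dynamic port forwarding decisions
# DPFV      Dynamic port forwarding table activity
# IPNAT     NAT decisions
# MANGLE    Packet mangling (modification) activity
# PCAP      PCAP writes of original and mangled packets
# IGN       Cases where packets are forwarded as is
# FTP       FTP-specific logic
# IGN-FTP   Cases where packets are forwarded as is due to FTP Active Mode
# MISC      Miscellaneous
# NFQUEUE   NetfilterQueue activity (Linux only)
# PROCFS    Procfs read/write activity (Linux only)
# IPTABLES  iptables firewall rule activity (Linux only)
DebugLevel: Off
# DebugLevel: GENPKT,DPF,IPNAT,IGN
# Restrict which interface Fakenet-NG will intercept and handle packets on.
# Specify (only) one interface and Fakenet-NG will ignore all other
# interfaces. This feature only applies to interfaces on different subnets.
# Specify the interface by name only (ex: eth0). To disable, set to "Off". In
# order to run multiple instances of Fakenet-NG on different interfaces within
# the same guest, LinuxFlushIptables must be turned off to avoid the latest
# instance flushing the rules associated with other instances or restoring
# rules to an incorrect state upon exit.
LinuxRestrictInterface: Off
# Set LinuxFlushIptables to Yes to have the Linux Diverter flush all iptables
# rules before adding its FakeNet-NG-specific rules to iptables. This setting
# also restores rules via `iptables-restore` when it exits, unless its
# termination is interrupted.
# NOTE: while this runs, the host's own iptables rules are therefore not in
# effect, and if the process is killed before it restores them they stay
# flushed until restored by hand.
LinuxFlushIptables: Yes
# Incorporated so that users of the binary release may make this work for
# various Linux distros. On Ubuntu, this is `service dns-clean restart`. For
# other distributions, it may be `nscd -I hosts`. Check your manual for
# details.
# NOTE: this value is run as a command by the Linux Diverter; keep it a fixed,
# known command line rather than anything assembled from an untrusted source.
LinuxFlushDNSCommand: service dns-clean restart
# Specify whether or not to save captured traffic. You can also change
# the file prefix for the generated PCAPs.
DumpPackets: Yes
DumpPacketsFilePrefix: packets
# DHCP server running under VMWare Host-Only networking does not configure
# interface gateway and DNS server. Gateway must be configured to allow
# Windows to attempt to route external traffic so that FakeNet could
# intercept it. This option will automatically generate and set
# appropriate gateway and DNS addresses to allow normal operation.
FixGateway: Yes
FixDNS: Yes
# Enable 'ModifyLocalDNS' to statically set the DNS server to the local machine.
# Linux: modifies (and restores) /etc/resolv.conf to make this an ephemeral
# change.
ModifyLocalDNS: Yes
# Enable 'StopDNSService' to stop the Windows DNS client so the actual
# processes resolving domains can be seen. This is a no-op on Linux, until such
# time as DNS caching is observed to interfere with finding the pid associated
# with a DNS request.
StopDNSService: Yes
# Enable 'RedirectAllTraffic' to optionally divert traffic going to ports not
# specifically listed in one of the listeners below. 'DefaultTCPListener' and
# 'DefaultUDPListener' will handle TCP and UDP traffic going to unspecified ports.
#
# NOTE: Setting default UDP listener will intercept all DNS traffic unless you
# enable a dedicated UDP port 53 DNS listener or add UDP port 53 to the
# 'BlackListPortsUDP' below so that system's default DNS server is used instead.
RedirectAllTraffic: Yes
DefaultTCPListener: NavigatorTCPListener
DefaultUDPListener: NavigatorUDPListener
# Specify TCP and UDP ports to ignore when diverting packets.
# For example, you may want to avoid diverting UDP port 53 (DNS) traffic
# when trying to intercept a specific process while allowing the rest to
# function normally.
#
# NOTE: This setting is only honored when 'RedirectAllTraffic' is enabled.
# Each port should appear only once.
BlackListPortsTCP: 139, 3389, 445, 22
# NOTE(review): UDP 53 is not in this list and the [DNS Server] section at the
# end of the file is commented out, so per the RedirectAllTraffic note above
# DNS queries from whitelisted processes go to NavigatorUDPListener instead of
# the system resolver. Confirm this is intended.
BlackListPortsUDP: 67, 68, 137, 138, 443, 1900, 5355
# Specify ICMP IDs to be ignored when diverting the packets (Windows only).
# BlackListIDsICMP: 1234
# Specify processes to ignore when diverting traffic. Windows example used
# here.
# ProcessBlackList: sshd.exe, svchost.exe
# Specify processes to consider when diverting traffic (others will be
# ignored), listed by executable name. Only traffic from these processes
# reaches the listeners; keep the list to the targets under test.
ProcessWhiteList: navigator.exe, frostygoware.exe, prove_fuzzing_capability.exe, iec_104.exe, frostygoware-readwrite.exe, trilog.exe, prove_fuzzing_capability_cmp_inline.exe
# Specify hosts to ignore when diverting traffic.
# HostBlackList: 6.6.6.6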
###############################################################################
# Listener Configuration
#
# Listener configuration consists of generic settings used by the diverter which
# are the same for all listeners and listener specific settings.
#
# NOTE: Listener section names will be used for logging.
#
# NOTE: Settings labels are not case-sensitive.
#
# The following settings are available for all listeners:
# * Enabled - specify whether or not the listener is enabled.
# * Port - TCP or UDP port to listen on.
# * Protocol - TCP or UDP
# * Listener - Listener name to handle traffic.
# * ProcessWhiteList - Only traffic from these processes will be modified
# and the rest will simply be forwarded.
# * ProcessBlackList - Traffic from all but these processes will be simply forwarded
# and the rest will be modified as needed.
# * HostWhiteList - Only traffic to these hosts will be modified and
# the rest will be simply forwarded.
# * HostBlackList - Traffic to these hosts will be simply forwarded
# and the rest will be modified as needed.
# * ExecuteCmd - Execute command on the first connection packet. This feature is useful
# for extending FakeNet-NG's functionality (e.g. launch a debugger on the
# connecting pid to help with unpacking and decoding.)
#
# The following format string variables are made available:
# * {pid} - process id
# * {procname} - process executable name
# * {src_addr} - source address
# * {src_port} - source port
# * {dst_addr} - destination address
# * {dst_port} - destination port
#
# A listener entry that does not specify a listener service will still
# redirect all packets to the local machine on the specified port, subject to
# all the filters (processes, hosts, etc.). However, you must set up a
# third-party service (e.g. a proxy server) to accept these connections. This
# feature can be used to provide FakeNet-NG's passive traffic diverting and
# filtering capabilities to other applications.
#
# Listener specific settings:
#
# * Timeout - Set connection timeout for any listeners that support
# TCP connections (e.g. RawListener, DNSListener, HTTPListener,
# SMTPListener).
# * UseSSL - Enable SSL support on the listener (RawListener, HTTPListener)
# * Webroot - Set webroot path for HTTPListener.
# * DumpHTTPPosts - Store HTTP Post requests for the HTTPListener.
# * DumpHTTPPostsFilePrefix - File prefix for the stored HTTP Post requests used by the HTTPListener.
# * TFTPFilePrefix - File prefix for the stored tftp uploads used by the TFTPListener.
# * DNSResponse - IP address to respond with for A record DNS queries. (DNSListener)
# * NXDomains - A number of DNS requests to ignore to let the malware cycle through
# all of the backup C2 servers. (DNSListener)
# * Banner - FTPListener, IRCListener: FTP or IRC banner to display.
# Valid settings are any banner string, or !<key> where
# <key> is a valid key in the BANNERS dictionary within
# FTPListener.py or IRCListener.py, or !random to
# randomize among the banners in the BANNERS dictionary.
# The default value if none is specified is !generic,
# which selects the banner in the BANNERS dictionary going
# by that key. Banner string may specify the following
# escapes/insertions:
# {servername} - ServerName setting value
# {tz} - Time zone, currently hard-coded to 'UTC'
# * ServerName - FTPListener, IRCListener: FTP or IRC server name for
# insertion into selected default banners or into a
# user-specified banner string. Valid settings are any
# hostname string, !hostname to insert the actual hostname
# of the system, or !random to generate a random hostname
# between 1 and 15 characters (inclusive).
# * Static_CA - Set FakeNet to use user provided CA certificate to sign generated certificates.
# * CA_Cert - CA certificate in PEM format to be used when Static_CA config is set. Manually
# add this certificate to Windows trust store before executing FakeNet.
# * CA_Key - CA private key in PEM format to be used when Static_CA config is set.
# Default TCP sink named by DefaultTCPListener in [Diverter]: with
# RedirectAllTraffic on, TCP traffic from whitelisted processes to any port not
# in BlackListPortsTCP is redirected here. No 'Listener' key is given, so per
# the notes above the diverter only redirects packets to local port 8080; a
# separate service must be listening there to accept them.
[NavigatorTCPListener]
Enabled: True
Port: 8080
Protocol: TCP
# Plain TCP. The notes above list UseSSL for RawListener/HTTPListener only,
# so with no 'Listener' set it is presumably inert.
UseSSL: No
# Connection timeout; the notes above give no unit — assumed seconds, confirm.
Timeout: 10
# 'Hidden' is not described in the listener settings list above.
# NOTE(review): confirm its semantics in the FakeNet-NG docs before changing.
Hidden: True
# Default UDP sink named by DefaultUDPListener in [Diverter]: with
# RedirectAllTraffic on, UDP traffic from whitelisted processes to any port not
# in BlackListPortsUDP (this includes UDP 53, which is not blacklisted) is
# redirected here. No 'Listener' key is given, so per the notes above the
# diverter only redirects packets to local port 8081; a separate service must
# be listening there to accept them.
[NavigatorUDPListener]
Enabled: True
Port: 8081
Protocol: UDP
# The notes above list UseSSL for RawListener/HTTPListener only, so with no
# 'Listener' set it is presumably inert.
UseSSL: No
# Connection timeout; the notes above give no unit — assumed seconds, confirm.
Timeout: 10
# 'Hidden' is not described in the listener settings list above.
# NOTE(review): confirm its semantics in the FakeNet-NG docs before changing.
Hidden: True
# To read about customizing responses, see docs/CustomResponse.md
# Custom: sample_custom_response.ini
# The [DNS Server] block below is a disabled example of a dedicated DNS
# listener. While it stays commented out no DNS listener is active, so the
# RedirectAllTraffic note in [Diverter] applies: DNS from whitelisted processes
# lands on NavigatorUDPListener. Uncomment it (or blacklist UDP 53) to change
# that.
#[DNS Server]
#Enabled: True
#Port: 53
#Protocol: UDP
#Listener: DNSListener
#ResponseA: 192.0.2.123
#ResponseMX: mail.evil2.com
#ResponseTXT: FAKENET
#NXDomains: 0
#Hidden: False