retr0verride/NotTheNet


NotTheNet — Fake Internet Simulator



For malware analysis and sandboxed environments only. Never run on a production network or internet-connected interface.

NotTheNet simulates the internet for malware being detonated in an isolated lab. A single Python application with a live GUI — no race conditions, no socket leaks, no opaque config files.

Built to help people learn how malware behaves — whether you're studying for a cert, working through a CTF, taking a malware analysis course, or just curious how real-world C2 beaconing, DNS exfiltration, and credential theft look on the wire. You don't need a paid sandbox or cloud account. Spin up two VMs, install NotTheNet on Kali, detonate a sample on FlareVM, and watch every connection in the GUI log — decoded at the application layer: DNS queries and resolved names, HTTP requests with headers and body, SMTP envelope and message content, FTP commands and file transfers, raw catch-all payloads, and more. No raw packet capture required.


Quick Start

Run from a writable directory you own (e.g. your home dir). Do not clone into /opt/notthenet/ — that path is the install target of the .deb package and will be overwritten.

cd ~
# If you have a previous clone, remove it first:
rm -rf NotTheNet
git clone https://github.com/retr0verride/NotTheNet
cd NotTheNet
bash build-deb.sh
sudo install -d -m 755 /usr/local/bin # minimal Kali/WSL images may not have this path
sudo dpkg -i dist/notthenet_*.deb
sudo apt-get install -f # resolves any missing deps (e.g. python3-venv)
sudo notthenet

If dpkg fails with notthenet.postinst: ... /usr/local/bin/notthenet-gui: No such file or directory, run:

sudo install -d -m 755 /usr/local/bin
sudo dpkg --configure -a

Upgrading an existing install:

cd ~/NotTheNet
git pull origin main
rm -f dist/*.deb
bash build-deb.sh
sudo dpkg -i dist/notthenet_*.deb
sudo apt-get install -f

Air-gapped / offline install (Kali has no internet — download the .deb from Releases on any connected machine and copy it across):

# On Kali after copying the .deb:
sudo install -d -m 755 /usr/local/bin
sudo dpkg -i notthenet_*.deb
sudo apt-get install -f
sudo notthenet

See docs/installation.md for all three install methods (.deb, offline bundle, dev script) with upgrade and uninstall steps.


What It Does

  • 27 fake services running simultaneously — DNS, DoT, HTTP/S, SMTP/S, POP3/S, IMAP/S, FTP, NTP, TFTP, IRC, Telnet, SOCKS5, VNC, RDP, SMB, MySQL, MSSQL, Redis, LDAP, ICMP, TCP/UDP catch-all
  • Every DNS query resolves to your Kali IP, with DGA/canary-domain NXDOMAIN detection
  • Dynamic TLS certs — root CA + per-SNI cert forging; fake SCT extension; DoH + DoT interception
  • Public-IP spoofing — 20+ IP-check endpoints return a fake residential IP (defeats AgentTesla, FormBook, stealers)
  • TCP/IP fingerprint spoofing — fakes TTL, window size, MSS to mimic Windows/Linux/macOS
  • Dynamic file responses — 70+ MIME-correct file stubs (.exe, .dll, .pdf, .zip, ...)
  • Response delay + jitter — 120 +/- 80 ms artificial latency defeats timing-based sandbox detection
  • Session-labelled JSON logs — each Start creates logs/events_YYYY-MM-DD_s1.jsonl, _s2.jsonl, ... automatically
  • Privilege drop — binds ports as root then drops to nobody:nogroup
  • Process masquerade — title set to [kworker/u2:1-events] to hide from ps
  • Dark GUI — live colour-coded log, JSON Events viewer with search/filter, zoom controls
  • Preflight checks — readiness audit + remote victim validation before detonation
  • Lab hardening — harden-lab.sh stops conflicting services, blocks bridge<->management pivoting
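The DNS bullet above pairs "resolve everything to the lab IP" with NXDOMAIN for DGA/canary names: a resolver that answers every name is easy to recognise, because a random name that should not exist still resolves. The sketch below is an added example, not NotTheNet's own code; the entropy/vowel/digit heuristic, its thresholds, the `LAB_IP` value and all function names are assumptions made for illustration.

```python
import math
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

LAB_IP = "10.10.10.1"  # assumption: the Kali address on the isolated lab bridge


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(label: str) -> bool:
    """Assumed heuristic: long, high-entropy and vowel-poor or digit-heavy."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.2 and (vowel_ratio < 0.25 or digit_ratio > 0.3)


def answer(qname: str) -> Tuple[str, Optional[str]]:
    """Return (rcode, address) the fake resolver would send for qname."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    # Skip the TLD; a random-looking label anywhere else gets NXDOMAIN so a
    # "does a nonsense name resolve?" probe sees what the real internet shows.
    if any(looks_generated(l) for l in labels[:-1]):
        return ("NXDOMAIN", None)
    return ("NOERROR", LAB_IP)


def triage(qnames: Iterable[str]) -> Dict[str, str]:
    """Map each queried name to its rcode, for review after a detonation."""
    return {q: answer(q)[0] for q in qnames}


# Constructed sample queries, not captured traffic.
SAMPLE = [
    "update.microsoft.com",
    "windowsupdate.com",       # long but vowel-rich: still resolves
    "xkqjzvbnwpltrh.com",      # consonant-only random label
    "a8f3k2m9q1z7x5.net",      # digit-heavy random label
]

if __name__ == "__main__":
    for name, rcode in triage(SAMPLE).items():
        print(f"{rcode:9} {name}")
```

A character-statistics heuristic like this will also flag some legitimate machine-generated hostnames (CDN or tracking subdomains), so treat each NXDOMAIN it produces as a lead to review in the session log, not as proof of a DGA.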

Requirements

  • Kali Linux / Debian 12 / Ubuntu 22.04+
  • Python 3.10+
  • python3-tk (pre-installed on Kali)
  • Root (for ports < 1024 and iptables)

Docs

  • Installation: Install, update, uninstall, offline USB bundle
  • Configuration: Every config.json field with examples
  • Usage: GUI walkthrough, CLI mode, analysis workflow
  • Services: Per-service technical reference
  • Network & iptables: Traffic redirection, loopback vs gateway, TTL mangle
  • Lab Setup: Proxmox: Proxmox + Kali + FlareVM — recommended for dedicated hardware
  • Lab Setup: VirtualBox / VMware: VirtualBox or VMware Workstation — works on a Windows/Mac laptop
  • Safe Detonation: Proxmox snapshots, KVM cloaking, artifact handling
  • Security Hardening: Lab isolation, privilege model, OpenSSF practices
  • Troubleshooting: Common errors and fixes
  • Changelog: Full release history

Man page: man/notthenet.1 — installed automatically by notthenet-install.sh.


Development

pytest tests/ -v # 391 tests — pure Python, no root, no network
ruff check . # lint
bandit -r . --exclude .venv # SAST

See CONTRIBUTING.md and docs/development.md.


License

MIT — see LICENSE.
