FinIntrusion Kit / User Manual

Post on 15-Mar-2020

Copyright 2011 by Gamma Group International, UK

Date 2011-09-23

Release information

Version Date Author Remarks

1.0 2011-05-26 PK Initial version

1.1 2011-08-12 PK Review for release 2.1

1.2 2011-09-23 PK Review for release 2.2

Table of Contents

1 Overview.............................................................................................................................................5

2 FinIntrusion Kit – Toolset.....................................................................................................................6

3 Equipment...........................................................................................................................................7

3.1 Notebook.....................................................................................................................................7

3.2 USB Hard-Disk..............................................................................................................................7

3.3 Wireless Equipment.....................................................................................................................8

4 Operating System................................................................................................................................9

4.1 Introduction.................................................................................................................................9

4.2 Notebook Usage..........................................................................................................................9

5 Installation.........................................................................................................................................10

5.1 Prerequisites.............................................................................................................................10

5.2 License.......................................................................................................................................12

5.3 Update Software........................................................................................................................14

6 Configuration.....................................................................................................................................16

6.1 Network Configuration..............................................................................................................16

6.1 Wireless Configuration..............................................................................................................17

6.2 Language Options......................................................................................................................18

7 FinIntrusion Kit – Network Intrusion.................................................................................................19

7.1 Target Identification..................................................................................................................19

Jam Target.............................................................................................................................................20

7.2 Monitor Target..........................................................................................................................21

7.2.1 PCAP Recorder...................................................................................................................22

7.2.2 Open URL in Browser.........................................................................................................23

8 FinIntrusion Kit – Wireless Intrusion..................................................................................................24

8.1 Wireless Network Identification................................................................................................25

8.2 Identify hidden ESSID.................................................................................................................26

8.3 Jam Wireless Network...............................................................................................................27

8.4 Break Encryption........................................................................................................................28

8.4.1 WEP Cracking.....................................................................................................................28

8.4.2 WPA/WPA2-PSK.................................................................................................................30

8.5 Wireless Client Identification.....................................................................................................31

8.6 Fake / Rogue Access Point.........................................................................................................32

8.6.1 Adapter Selection...............................................................................................................33

8.6.2 Reply-to and broadcast all seen ESSID’s:............................................................................33

8.6.3 Emulate access-point only for ESSID..................................................................................34

8.6.4 “Monitor all” Button..........................................................................................................34

9 Password Generator Utils..................................................................................................................35

9.1 Limitations.................................................................................................................................36

10 FinIntrusion Kit – Other Options....................................................................................................37

10.1.1 Delete / Delete all..............................................................................................................37

10.1.2 Data Export........................................................................................................................37

11 Activity Log....................................................................................................................................38

12 Support..........................................................................................................................................39

1 OVERVIEW

The FinIntrusion Kit is a multi-purpose IT Intrusion kit that has been built specifically for present-day operations by Law Enforcement and Intelligence Agencies. It can be utilized in a wide range of operational scenarios such as:

- Breaking into and monitoring Wireless and Wired Networks

- Remotely breaking into E-Mail Accounts

- Performing security assessments of Servers and Networks

The full capabilities are shown in several training courses, each focusing on different operational use-cases.

The following topics are covered within this document:

- Equipment

- Installation

- Configuration

- Usage

[Figure: product overview graphic listing FinSpy, FinSpy Mobile, FinFly, FinUSB Suite, FinIntrusion Kit, FinFireWire, FinTraining, FinAdvisory and Support]

2 FININTRUSION KIT – TOOLSET

All the tools within the BackTrack system require advanced knowledge of the basic techniques related to their purpose. Most tools have to be used on the command line, as they do not provide a graphical user interface.

The FinIntrusion Kit toolset is categorized into the following sub-categories:

Network: Tools for Local Area Network (LAN) Intrusion

- Network Scanner discovers all systems which are part of the same Local Area Network.

- Network Scanner tries to identify the Operating System and Hostname of a Target PC.

- Network Jammer prevents Internet access for dedicated systems.

- Network Sniffer redirects traffic in the Local Area Network and logs credentials from a Target PC.

- MAC Change function to spoof the hardware address of a local network adapter.

Wireless: Tools for Wireless Network- and Client Intrusion

- Wireless Scanner discovers Access Points and connected Wireless Clients from all Wireless Networks which can be reached with the adapter (and antenna).

- Wireless Scanner discovers Wireless Clients which search for a known Wireless Network and can emulate a “Fake” Access Point for these systems.

- Hidden ESSID Identifier starts attacks against a specific Wireless Network to extract the “Hidden ESSID”.

- Wireless Jammer can be started against dedicated Wireless Clients or an Access Point to re-route Target Systems over a “Fake” Access Point.

- WEP Cracking against 40/64-bit or 104/128-bit protected Wireless Networks.

- WPA Cracking against WPA-PSK or WPA2-PSK protected Wireless Networks.

Password: Password Generation Utilities

- Password Generator from specific Website. This Generator extracts Words from a specified Website and generates a unique Password List.

Reporting:

- Export function to save all results to “*.csv” files.

- Generate an Activity Log with all status and result messages.

3 EQUIPMENT

The kit includes a range of equipment for various local and remote IT Intrusion scenarios. Some usage examples are supplied within the following chapters.

Overview of Equipment

3.1 Notebook

The notebook is the core of the kit. It is loaded with the BackTrack operating system and the FinIntrusion Kit software.

3.2 USB Hard-Disk

The external USB Hard-Disk contains various data to help with certain attacks, for example:

- Rainbow Tables for LM/WPA/MD5

- Default Password List

- Wordlists for various languages and subjects

It can also be utilized as a storage device for gathered information.

3.3 Wireless Equipment

The included Wireless (802.11) and Bluetooth equipment can be used for short- and long-distance attacks against wireless networks/clients and Bluetooth-enabled devices.

Wireless examples:

- Scanning for Wireless Networks and Clients

- Breaking WEP/WPA/WPA2 Encryption

- Emulating an Access-Point for Client-Side attacks

- Monitoring Wireless LAN Traffic

Bluetooth examples:

- Scanning for Bluetooth Devices

- Executing known attacks like Bluesnarf, Bluebug and more

4 OPERATING SYSTEM

4.1 Introduction

The FinIntrusion Kit is shipped with a copy of BackTrack 5, an operating system that is based on Linux and includes a complete set of up-to-date IT intrusion and analysis tools.

The BackTrack operating system is used by numerous professional IT security companies world-wide.

4.2 Notebook Usage

Turn on the notebook and boot with the default settings. After the BackTrack graphical user interface (GDM) is loaded, it is ready to use.

The system can be customized using the programs included in the menu.

5 INSTALLATION

5.1 Prerequisites

- BackTrack 5 R1, 32-bit operating system

- Gnome desktop version

The following packages have to be installed before you can use FinIntrusion Kit:

- mono-runtime

- gtk-sharp2

- dhcp3-server

- whois

To install the software on the FinIntrusion Kit follow these steps:

1. Insert the CD-ROM and open the folder FinIntrusion Kit

2. Click on the file “finintrusionkit_installer_v_XXX.ggi”

3. A shortcut for launching FinIntrusion Kit now appears on the desktop (/root/Desktop/FinIntrusionKit.desktop)

5.2 License

Place the license “.ggpck” file on a USB dongle or CD-ROM:

1. Mount USB-Stick or CD/DVD

CD-ROM:

# sudo mount /media/cdrom0

USB-Stick:

# sudo mount /dev/sdb1 /mnt/

2. Copy license file to /tmp

CD-ROM:

# cp /media/cdrom0/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/

USB-Stick:

# cp /mnt/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/

3. Start FinIntrusion Kit and press button “import License”.

4. Choose your *.ggpck file and press button “import”.

5. After the import, the license is checked.

6. If the license is valid, close the dialog.

7. Restart the FinIntrusion Kit Application.

5.3 Update Software

The FinIntrusion Kit software is updated regularly to meet the requirements of the ever-changing IT landscape.

FinIntrusion Kit is equipped with the option of downloading such software updates. It can be configured to automatically check for updates at certain intervals or the user can check straight away for an update.

Update checks can be configured to run every time the application starts or in various periods of time.

If an update is found, the following dialog is shown, which includes the automatic installation of the updated software.

After the installation of an update the user can verify that the new version has been installed by checking the version number in the About box.

6 CONFIGURATION

6.1 Network Configuration

The user can select the proper Network Adapter by choosing it from the “Interface:” combo box.

For Network Intrusion it is necessary that FinIntrusion Kit is running in the same network as the target system.

If the network adapter has no IP address, press the button to obtain a new IP address via DHCP.

The user can select the proper Network Interface by choosing it from the “Interface:” combo box.

In order to proceed with the Network Intrusion, click the tab button.

6.1 Wireless Configuration

The user can select the proper Wireless Adapter by choosing it from the “Interface:” combo box. To attack a target system which is connected through a wireless network it is necessary to be in the same wireless network.

To configure a wireless adapter for a specific wireless network we recommend using “Wicd Network Manager”.

Start “Wicd”, change Preferences and add the Wireless Interface, e.g. “wlan0”.

Press the “Refresh” button and select a Wireless Network (SSID broadcasting should be activated!). Press the “Connect” button to configure all necessary parameters for the selected Wireless Network.

6.2 Language Options

The application is translated into a number of languages and the user has the option of choosing one.

Click on “Language” in the main menu on the left side.

After choosing a different language the application has to be restarted so that the changes are effective.

7 FININTRUSION KIT – NETWORK INTRUSION

7.1 Target Identification

To monitor or jam a Target system it is necessary to detect the system inside the (W)LAN. This feature is provided by the “Network Scanner” and can be started with the button.

All Systems inside a network will be listed. By default a class C will be scanned (e.g. 10.0.0.0/24 or 10.0.0.1 – 10.0.0.254). The target must be in the same network where the FinIntrusion Kit runs.

Work flow:

1. ARP Scan captures all MAC Addresses for connected Targets.

2. Try to identify Operating System with OS Fingerprinting technique.

3. Try to identify Hostname.

OS System Scan can trigger an AV Detection / Warning and is not working against all Target systems.

Jam Target

“Network Jammer” blocks a Target from having Internet access.

“Network Jammer” initiates an „ARP Cache Poisoning“ attack against the Target PC and overwrites the MAC address of the Default Gateway in the Target's ARP cache with an invalid value.

The “Network Jammer” runs in the background as long as the FinIntrusion Kit is running, or until the button is pressed.

Before (ARP Cache on Target PC)

After (Start „ARP Cache Poisoning“)
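A defender-side counterpart to the ARP cache poisoning described above, written as an added example that is not part of this manual: it pins the default gateway's IP-to-MAC binding and flags ARP replies that contradict it or that advertise a MAC which cannot be a real station address. The record layout and the sample replies are constructed.

```python
"""Detect ARP replies that would corrupt a client's gateway entry.

The Network Jammer described in the manual overwrites the gateway MAC in
the target's ARP cache with an invalid value. On the defending side the
gateway's IP-to-MAC binding is pinned and any ARP reply that contradicts
it is reported. Record fields and sample values are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start (constructed)
    sender_ip: str     # protocol address the reply advertises
    sender_mac: str    # hardware address claimed for that IP
    unsolicited: bool  # True if no matching ARP request preceded it


def is_plausible_unicast_mac(mac: str) -> bool:
    """Reject values that can never be a gateway NIC's own address.

    The all-zero and broadcast addresses, malformed strings, and any
    address with the group (multicast) bit set in the first octet fail.
    """
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        return False
    try:
        octets = [int(p, 16) for p in parts]
    except ValueError:
        return False
    if all(o == 0 for o in octets) or all(o == 0xFF for o in octets):
        return False
    return (octets[0] & 0x01) == 0


def detect_gateway_poisoning(gateway_ip: str, pinned_mac: str,
                             replies: Iterable[ArpReply]) -> List[str]:
    """Return one alert string per ARP reply for the gateway IP whose MAC
    differs from the pinned one, noting invalid MACs and gratuitous replies."""
    alerts: List[str] = []
    pinned = pinned_mac.lower()
    for r in replies:
        if r.sender_ip != gateway_ip:
            continue  # only the gateway binding is pinned in this example
        mac = r.sender_mac.lower()
        if mac == pinned:
            continue  # consistent with the known gateway NIC
        reasons = []
        if is_plausible_unicast_mac(mac):
            reasons.append("MAC differs from pinned gateway MAC")
        else:
            reasons.append("invalid unicast MAC")
        if r.unsolicited:
            reasons.append("unsolicited (gratuitous) reply")
        alerts.append(f"t={r.ts:.1f}s {gateway_ip} -> {mac}: " + "; ".join(reasons))
    return alerts


# Constructed sample: one legitimate gateway reply, one unrelated host,
# then three replies that would poison the gateway entry.
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:55"
SAMPLE_REPLIES = [
    ArpReply(0.0, GATEWAY_IP, GATEWAY_MAC, unsolicited=False),
    ArpReply(1.2, "10.0.0.42", "66:77:88:99:aa:bb", unsolicited=False),
    ArpReply(2.0, GATEWAY_IP, "00:00:00:00:00:00", unsolicited=True),
    ArpReply(2.5, GATEWAY_IP, "01:00:5e:00:00:01", unsolicited=True),
    ArpReply(3.0, GATEWAY_IP, "de:ad:be:ef:00:01", unsolicited=True),
]

if __name__ == "__main__":
    for line in detect_gateway_poisoning(GATEWAY_IP, GATEWAY_MAC, SAMPLE_REPLIES):
        print(line)
```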

7.2 Monitor Target

“Network Sniffer” can be used to extract all usernames and passwords of known protocols from the network traffic.

Select the button to start parsing the traffic and printing all account data it finds.

FinIntrusion Kit includes three different types of Monitoring Modes. The default mode is “HTTPS Emulation”.

Mode: „Non“ SSL Mode
Description: Capture credentials which were transmitted in CLEARTEXT
Protocols (Examples): SMTP, POP3, IMAP, Telnet, SNMP, HTTP, FTP, ...

Mode: “HTTPS Emulation” (DEFAULT MODE)
Description: Capture credentials which were transmitted in CLEARTEXT and try to redirect HTTPS to HTTP
Protocols (Examples): SMTP, POP3, IMAP, Telnet, SNMP, HTTP & HTTPS (Redirect), FTP, ...

Mode: SSL Mode
Description: Capture credentials which were transmitted in CLEARTEXT and „encrypted“ with SSL
Protocols (Examples): SMTP & SMTPS, POP3 & POP3S, IMAP & IMAPS, Telnet, SNMP, HTTP & HTTPS, FTP, ...

Note: Enabling the “SSL Man-in-the-Middle” option will result in all clients seeing a warning that the SSL/TLS certificate for their servers has changed. This includes all SSL sessions (Web, E-Mail, etc.). This also happens if the HTTPS to HTTP redirect is not working!

7.2.1 PCAP Recorder

This feature can be used to record all data from a selected Target System into a PCAP file.

This file can be analyzed with different network analyzers (e.g. Wireshark) or be useful as a piece of evidence.

FinIntrusion Kit supports two different types of PCAP Recorder.

Mode: „tcpdump“
Description: Generates a network capture file (= pcap file) with „tcpdump“ in the background. A capture filter for the selected IP is used. No traffic analyzer is started. Generates the file „/tmp/fik_pcap_recorder_IP-ADDRESS.pcap“.

Mode: „Wireshark“
Description: Starts Wireshark in the foreground with a capture filter for the selected Target IP (= selected row). The capture file must be saved at the end of the session!!!

Note: The PCAP Recorder can be combined with all three types of Monitoring Mode.

7.2.2 Open URL in Browser

Select a logged FTP, HTTP or HTTPS credential and a special option will be activated in the submenu (“Open URL in Browser”). This feature is useful to verify whether the credentials are correct.

Note: The URL / hostname may differ from the URL typically used for the authentication process (forwarding, load balancer, etc.). For FTP accounts the credentials (= username and password) are used automatically.

8 FININTRUSION KIT – WIRELESS INTRUSION

For all wireless based attacks, the Alfa USB adapter should be used, as its functionality and drivers provide the best support for the applied Wireless Intrusion techniques.

After the Alfa USB adapter is plugged into the notebook via the provided USB cable, it will be recognized automatically. If the interface isn’t listed, try to reconnect the adapter and press the button.

8.1 Wireless Network Identification

All Wireless Network Intrusion functions are blocked until a Wireless Network has been found.

“Wireless Network Intrusion” Submenu

Press the button to scan for wireless networks within the range of the FinIntrusion Kit system and display them including detailed information.

The following information is displayed for discovered networks:

SSID: Name of the Access Point / Wireless Network

BSSID: MAC address of the Access Point

Channel: Used frequency / channel

Encryption: Type of encryption (OPEN/WEP/WPA/WPA2)

Key: After decryption

Example of “Wireless Network Scan”

Select an Access Point and a list of “Connected Clients” for this AP will be shown below.

8.2 Identify hidden ESSID

FinIntrusion Kit includes a module to identify a hidden ESSID. For this module it is necessary to have at least one connected client for the selected Access Point.

An ESSID is necessary for WPA Cracking and to set up a Fake AP for a specific ESSID.

Before

After „Identify Hidden SSID“ finished successfully.

8.3 Jam Wireless Network

To block all clients which are connected to a specific Access Point, or only one dedicated Wireless Client, use the “Wireless Jammer” module.

Example: “Wireless Jammer” was started.

“Wireless Jammer” sends out de-authentication packets to the Wireless Client(s).

Note: If a specific connected Wireless Client is selected before the Wireless Jammer is started, only this Wireless Client will be blocked. If no “Connected Wireless Client” is selected, all Wireless Clients will be blocked.

The packet counter for the Wireless Jammer (default value = 10 packets) can be modified in “/usr/local/finintrusionkit/conf/FinIntrusionKit.cfg”:

<?xml version="1.0" encoding="utf-8"?>
<FinIntrusionKit>
  ....... snip ..........
  <WIRELESS>
    ....... snip ..........
    <Wireless_Deauth_Counter>10</Wireless_Deauth_Counter>
    ....... snip ..........
  </WIRELESS>
</FinIntrusionKit>
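Detecting the de-authentication flood described in this section, as an added example that is not part of this manual: a monitor-mode sensor that decodes 802.11 management frames counts de-authentication and disassociation frames per (BSSID, destination) pair in a sliding time window, and a burst reaching the threshold is reported. Frame records, threshold and window are constructed; the threshold of 10 mirrors the kit's default packet counter quoted above.

```python
"""Sliding-window detector for de-authentication bursts.

A client that roams normally sees the odd de-authentication frame; a
jammer sends a burst of them at one client (or at the broadcast address
to hit every client of an access point). Frames below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture timestamp, seconds
    subtype: str   # "deauth", "disassoc", "beacon", ...
    bssid: str     # BSSID the frame is sent on behalf of
    dst: str       # destination station, or BROADCAST for all clients


@dataclass(frozen=True)
class DeauthAlert:
    bssid: str
    target: str    # a client MAC, or BROADCAST (every client of the BSSID)
    count: int     # frames inside the window when the alert fired
    first_ts: float
    last_ts: float

    def describe(self) -> str:
        who = "all clients" if self.target == BROADCAST else self.target
        return (f"deauth burst from {self.bssid} against {who}: "
                f"{self.count} frames in {self.last_ts - self.first_ts:.1f}s")


def detect_deauth_bursts(frames: Iterable[MgmtFrame], threshold: int = 10,
                         window_s: float = 5.0) -> List[DeauthAlert]:
    """Emit one alert per (bssid, dst) pair when its deauth/disassoc count
    inside a window_s-second sliding window first reaches `threshold`.

    The pair alerts again only after its count has dropped below the
    threshold, so one sustained burst yields one alert.
    """
    windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    active: Set[Tuple[str, str]] = set()
    alerts: List[DeauthAlert] = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        key = (f.bssid.lower(), f.dst.lower())
        q = windows[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) >= threshold:
            if key not in active:
                active.add(key)
                alerts.append(DeauthAlert(key[0], key[1], len(q), q[0], f.ts))
        else:
            active.discard(key)
    return alerts


# Constructed sample capture (BSSID and client MAC are made up).
AP = "aa:bb:cc:dd:ee:ff"
CLIENT = "11:22:33:44:55:66"
SAMPLE_FRAMES = (
    # ordinary beacons roughly every 102.4 ms; ignored by the detector
    [MgmtFrame(t * 0.1024, "beacon", AP, BROADCAST) for t in range(60)]
    # one client kicked 12 times within 1.1 s: targeted jamming
    + [MgmtFrame(10.0 + 0.1 * i, "deauth", AP, CLIENT) for i in range(12)]
    # three isolated broadcast deauths a second apart: below threshold
    + [MgmtFrame(30.0 + i, "deauth", AP, BROADCAST) for i in range(3)]
    # ten broadcast deauths within a second: every client of the AP is hit
    + [MgmtFrame(50.0 + 0.1 * i, "deauth", AP, BROADCAST) for i in range(10)]
)

if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_FRAMES):
        print(alert.describe())
```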

8.4 Break Encryption

FinIntrusion Kit includes a module to break WEP and WPA/WPA2 (PSK mode) encryption. For this module it is necessary to have at least one connected Wireless Client.

In case a wireless network is encrypted using WEP or WPA/WPA2, select the encrypted network and press the button.

The software will now try to automatically retrieve the WEP key or the WPA/WPA2 pre-shared key, which can then be used to join the network.

8.4.1 WEP Cracking

Example of a successful “WEP Crack”

This process should not take longer than 10 minutes. In case it cannot recover the key, try to restart the process. As this technique cannot work on all types of wireless networks, this might need to be done in a manual process.

Work flow:

1. Identify a WEP encrypted Wireless Network with at least one connected Wireless Client.

2. The connected Wireless Client is disconnected with de-authentication packets.

3. The Target System reconnects to the Access Point; these packets are captured in the background.

4. A replay attack is started and these fragments are replayed.

5. The Access Point / Wireless Clients are triggered to send more packets; more encrypted data packets / IVs are captured.

6. If enough IVs are collected, a WEP crack can be successful.

Depending on the size of the WEP key and whether ASCII or HEX values were used, a different number of packets must be captured.

Key Length      Key Type   Encrypted Data Packets with different IVs
40 / 64 Bit     ASCII      ~ 30,000 packets
40 / 64 Bit     HEX        ~ 40,000 packets
104 / 128 Bit   ASCII      ~ 60,000 packets
104 / 128 Bit   HEX        ~ 70,000 packets

8.4.2 WPA/WPA2-PSK

Example of a successful “WEP Crack”

To try to recover a “WPA/WPA2” PSK (= Pre-Shared Key) it is necessary to capture a 4-way handshake. This handshake is only performed when a Wireless Client connects to a Wireless Network. Once this process has completed, the handshake is not sent by the Wireless Client anymore (until the next disconnect). To trigger this handshake it is necessary to do an active attack and disconnect a Wireless Client with some de-authentication packets.

Work flow:

1. Disconnect an established Wireless Client – Access Point connection (with de-authentication packets).

2. The Wireless Client tries to reconnect to the Access Point and passes the 4-way handshake.

3. FinIntrusion Kit starts a wordlist attack against the selected Access Point. On BackTrack a password list exists at the location:

“/pentest/passwords/wordlists/”

WPA Cracking Option Dialog Box

8.5 Wireless Client Identification

All Wireless Client Intrusion functions are blocked until a Wireless Network has been found.

“Wireless Client Intrusion” Submenu

Press the button to scan for wireless clients within the range of the FinIntrusion Kit system and display them including detailed information.

The following information is displayed for discovered clients:

Client MAC: MAC address of the Target Client's wireless adapter

Vendor: Translated „Organizationally Unique Identifier“ (OUI), which uniquely identifies a vendor / manufacturer

BSSID: MAC address of the Access Point (if associated!)

Probed ESSID: Names of previously used Wireless Networks which the Wireless Client is searching for

8.6 Fake / Rogue Access Point

For this attack, the software emulates a fake Access Point which Wireless Clients can find and connect to. This is a very useful attack to get access to a target's network traffic and gain the position to attack their system.

Example: “Fake AP” was started

Two different types of Modes exist:

- Reply to all Broadcasts

- Reply to specific ESSID

8.6.1 Adapter Selection

If a client connects and cannot access the internet, no valuable traffic will be created from its side and therefore no essential data can be gathered by monitoring it.

To redirect all traffic from the target wireless stations, the FinIntrusion Kit system needs an internet connection/uplink.

Using this technique, clients associate normally with the access point and use the internet as they normally do when using public hotspots.

Fake AP – Adapter: can only be a wireless adapter. On this adapter the “Fake Access Point” will be started.

Uplink – Adapter: any other adapter than the “Fake AP – Adapter” which has the status “UP”! This interface will be used to provide internet access for all connected wireless clients. Typically a cable network interface should be used in this case.

8.6.2 Reply to and broadcast all seen ESSIDs

In this mode, the software sees all requests for wireless LANs by systems and replies to all of them, so the scanning systems connect to the emulated access point. This is very useful, as especially Windows systems always scan for recently used wireless networks (e.g. hotel/hotspot networks).

The ESSID text field is deactivated. Gamma doesn't recommend this mode: if a target subject was previously connected to e.g. “My Home Network” / “Hotel XYZ” / “Airport XYZ” and now connects to an access point with the same network name, it could be conspicuous (only if the person is NOT in this environment anymore!).


8.6.3 Emulate access point only for a specific ESSID

This feature emulates a normal access point which the target systems see when scanning for wireless networks. The chosen ESSID can trick people into selecting and associating with this network.
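Both modes leave signatures that a wireless intrusion detection sensor can look for. The Python below is an added example, not part of the manual or of the product: from constructed beacon/probe-response records it flags a single BSSID that answers with many different ESSIDs (the reply-to-all behaviour of 8.6.2) and a BSSID that advertises one of the defender's own ESSIDs without being on the authorised list (the single-ESSID emulation of 8.6.3). The ESSIDs, BSSIDs, channels and the authorised list are assumed sample values.

```python
"""Detect the two fake-AP behaviours described in 8.6.2 and 8.6.3 from
beacon / probe-response observations:
  (a) one BSSID answering with many different ESSIDs ("reply to all"), and
  (b) an unauthorised BSSID advertising one of our own ESSIDs (evil twin).
The frames and the authorised list are constructed for this example; in
practice they would come from a WIDS sensor or a monitor-mode capture."""
from collections import defaultdict

# Authorised infrastructure: our ESSIDs and the BSSIDs allowed to serve them
# (constructed values).
AUTHORISED = {
    "CorpWiFi": {"00:11:22:00:00:01", "00:11:22:00:00:02"},
    "CorpGuest": {"00:11:22:00:00:03"},
}

# Constructed frames: (bssid, essid, channel) seen in beacons / probe responses.
FRAMES = [
    ("00:11:22:00:00:01", "CorpWiFi", 6),
    ("00:11:22:00:00:03", "CorpGuest", 11),
    ("66:77:88:99:aa:bb", "CorpWiFi", 1),         # twin of our own ESSID
    ("de:ad:be:ef:00:01", "Hotel XYZ", 1),        # same BSSID answers ...
    ("de:ad:be:ef:00:01", "Airport XYZ", 1),      # ... every name that is
    ("de:ad:be:ef:00:01", "My Home Network", 1),  # ... probed for
    ("de:ad:be:ef:00:01", "CorpGuest", 1),
]


def essids_per_bssid(frames):
    """Map each BSSID to the set of ESSIDs it has been seen advertising."""
    seen = defaultdict(set)
    for bssid, essid, _channel in frames:
        seen[bssid].add(essid)
    return seen


def find_reply_to_all(frames, max_essids=2):
    """One radio legitimately serves a few ESSIDs (multi-SSID APs); a BSSID
    responding with more than `max_essids` distinct names is answering
    whatever clients ask for."""
    return sorted(bssid for bssid, names in essids_per_bssid(frames).items()
                  if len(names) > max_essids)


def find_evil_twins(frames, authorised=AUTHORISED):
    """(bssid, essid) pairs where a BSSID advertises one of our ESSIDs
    without being on that ESSID's allow-list."""
    hits = set()
    for bssid, essid, _channel in frames:
        if essid in authorised and bssid not in authorised[essid]:
            hits.add((bssid, essid))
    return sorted(hits)


if __name__ == "__main__":
    print("reply-to-all BSSIDs:", find_reply_to_all(FRAMES))
    print("unauthorised twins :", find_evil_twins(FRAMES))
```

The `max_essids` threshold must be tuned to the site's own multi-SSID access points; the evil-twin check needs no tuning but only covers ESSIDs the defender owns, so the reply-to-all check is what catches the hotel and airport names clients bring along.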

8.6.4 “Monitor all” Button

A passive network sniffer will be started in the background. Features are:

- Capture all credentials from wireless clients which are connected to your fake access point.

- Traffic from all wireless clients will be captured; no single target selection is necessary.

- All cleartext passwords like FTP, IRC, SNMP, etc. will be captured (same as Non-SSL Mode in the network section).

- An HTTPS HTTP emulation will be started automatically in the background, as long as it is supported by the target webpage.

Press the button to stop the Fake-AP and Monitor function.
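The HTTPS HTTP emulation mentioned in the last item only works where the browser is willing to load the plain-HTTP version of the site. The Python below is an added example, not code from the manual or from the product: it parses Strict-Transport-Security headers from constructed sample responses and classifies each host by how well a returning browser would resist that downgrade. Host names and header values are constructed.

```python
"""Classify hosts by their HTTP Strict Transport Security policy.  A browser
that has stored a valid policy refuses to fetch the site over plain HTTP, so
the HTTPS->HTTP emulation described above has nothing to intercept.  The
responses below are constructed samples, not captured from any real site."""
import re

ONE_YEAR = 31536000  # seconds; commonly recommended minimum max-age

# Constructed sample header sets, as a browser would receive them over TLS.
SAMPLE_RESPONSES = {
    "shop.example": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    },
    "blog.example": {
        "Strict-Transport-Security": "max-age=300",
    },
    "legacy.example": {},
}


def parse_hsts(value: str) -> dict:
    """Parse an STS header value into {max_age, include_subdomains, preload}.
    Directive names are case-insensitive; max-age may be quoted."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            result["max_age"] = int(m.group(1))
        elif d == "includesubdomains":
            result["include_subdomains"] = True
        elif d == "preload":
            result["preload"] = True
    return result


def assess_hsts(headers: dict) -> str:
    """'none'   : no policy, downgrade possible on every visit
       'weak'   : policy expires quickly or leaves subdomains exposed
       'strong' : at least one year and includeSubDomains
       'preload': strong and additionally eligible for browser preload lists,
                  which protects even a first visit."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "none"
    p = parse_hsts(value)
    if p["max_age"] is None or p["max_age"] < ONE_YEAR or not p["include_subdomains"]:
        return "weak"
    return "preload" if p["preload"] else "strong"


def downgrade_exposed(responses: dict) -> list:
    """Hosts whose users could still be served the plain-HTTP version."""
    return sorted(host for host, hdrs in responses.items()
                  if assess_hsts(hdrs) in ("none", "weak"))


if __name__ == "__main__":
    for host, hdrs in SAMPLE_RESPONSES.items():
        print(f"{host:16} {assess_hsts(hdrs)}")
    print("still exposed to downgrade:", downgrade_exposed(SAMPLE_RESPONSES))
```

A stored policy only helps browsers that have already visited the site over HTTPS; on a first visit only the preload list prevents the downgrade, which is why `preload` is reported as its own class.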


9 PASSWORD GENERATOR UTILS

The “Website Profiling” module can be used to crawl a website, extract all words and export them to a password list. This specific password list could speed up a brute force attack against a well-known target (e.g. a web-based forum, email account etc.).

Example of a “Wordlist” generated from the webpage “www.finfisher.com”:

Work flow:

1. A web crawler will be started. This crawler mirrors max. 500 different web pages from a web server and saves them in the “/tmp” directory.

2. A web parser will extract all words and save them to a text file: “/tmp/WEBSITE.txt”

3. All words will be imported into the GUI and duplicates will be removed.

Note: Words which are longer than 33 characters will be ignored.


9.1 Limitations

The “Website Profiling” module has some limitations:

- Only web pages in HTML are supported. Other source code (e.g. ASP, JS) could generate unusable words (e.g. method or variable names).

- Only web pages without pre-authentication, session cookies etc. can be analyzed.

- No proxy authentication is supported.

- The wordlist must be cleaned up manually (remove nonsense / unlikely words, such as method or variable names).
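The workflow in section 9 and the clean-up limitations in 9.1 together describe a simple pipeline: drop markup, collect words, remove duplicates and words over 33 characters, and discard source-code tokens. The Python below is an added example, not code from the manual or from the product: it implements that pipeline on a constructed HTML page, skipping script and style bodies so that method and variable names do not enter the list, and then uses the result defensively, as a deny-list that rejects passwords built from words on the organisation's own public website. The sample HTML, the case folding and the digit/symbol substitution table are this example's own choices.

```python
"""Build a word list from a page's HTML the way section 9 describes
(markup dropped, duplicates removed, words over 33 characters ignored),
skip script/style bodies so code tokens do not enter it (limitation 9.1),
and use the list as a password deny-list.  SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser

MAX_WORD_LEN = 33  # limit stated in the manual

# Constructed sample page: real text, plus script/style that must be ignored
# and one 34-letter word that must be dropped by the length limit.
SAMPLE_HTML = """<html><head><title>Example Corp Intranet</title>
<script>function doLogin(){ var sessionToken = 1; }</script>
<style>.hero{color:red}</style></head>
<body><h1>Welcome to Example Corp</h1>
<p>Our Falcon project launches in Springfield. Contact: info@example.test</p>
<p>Falcon falcon FALCON</p>
<p>The word supercalifragilisticexpialidocious is too long.</p>
</body></html>"""


class TextExtractor(HTMLParser):
    """Collect text nodes, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def site_wordlist(html: str, max_len: int = MAX_WORD_LEN) -> list:
    """Words from the page text, lower-cased, de-duplicated in first-seen
    order, with words longer than max_len dropped."""
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    words = re.findall(r"[A-Za-z][A-Za-z0-9'-]*", text)
    seen = {}
    for w in words:
        if len(w) <= max_len:
            seen.setdefault(w.lower(), None)
    return list(seen)


# Common look-alike substitutions folded before matching (this example's choice).
_FOLD = str.maketrans("@$013!", "asolei")


def password_uses_site_word(password: str, words, min_len: int = 4) -> bool:
    """True when the password contains any site word of at least min_len
    characters, case-insensitively and after folding look-alike characters."""
    folded = password.lower().translate(_FOLD)
    return any(len(w) >= min_len and w in folded for w in words)


if __name__ == "__main__":
    words = site_wordlist(SAMPLE_HTML)
    print(len(words), "words:", words)
    for candidate in ("F@lc0n2024", "correct-horse-battery"):
        print(candidate, "->", "rejected" if password_uses_site_word(candidate, words) else "ok")
```

Feeding the site's own word list into the password policy reverses the use the manual describes: words that are trivially collectable from the public site are exactly the ones a policy should refuse.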


10 FININTRUSION KIT – OTHER OPTIONS

FinIntrusion Kit provides some additional functions, which are available if a dedicated target PC or user credential is selected. The user should select a row (left mouse button) and press the right mouse button to get a submenu.

Submenu of “Network Scan” / Submenu of “Wireless Scan”

10.1.1 Delete / Delete all

Delete the selected row or all entries in the list.

10.1.2 Data Export

Save all data, tab separated, into an external text file. This file could be analyzed e.g. with Excel.

Example of Target List loaded with Excel


11 ACTIVITY LOG

For legal reasons, FinIntrusion Kit records all actions that have been executed, with a time stamp. The action log can be exported into a regular TXT / CSV file.

Example of Wireless Activity Log:


12 SUPPORT

All customers have access to an after-sales website that gives them the following capabilities:

- Download product information (latest user manuals, specifications, training slides)

- Access change-log and roadmap for products

- Report bugs and submit feature requests

- Inspect frequently asked questions (FAQ)

The after-sales website can be found at https://www.gamma-international.de

o Username:

o Password:
