FinIntrusion Kit / Product Specifications

Copyright 2011 by Gamma Group International, UK

Date 2011-09-23

Release information

Version  Date        Author  Remarks
1.0      2011-05-20  PK      Initial version
1.1      2011-08-12  PK      Review for release 2.1
1.2      2011-09-23  PK      Review for release 2.2


Table of Contents

1 Overview .... 4
2 Capabilities .... 5
2.1 Operating System .... 5
2.1.1 FinIntrusion Kit - Toolset .... 6
2.2 FinIntrusion Kit .... 7
2.2.1 Target Identification .... 8
2.2.2 Sniffing .... 9
2.2.3 Wireless .... 12
2.2.4 Password Generator .... 15
2.2.5 Activity Log .... 16
2.3 USB Hard-Disk .... 17
2.3.1 Default Password List .... 17
2.3.2 Wordlists / Dictionaries .... 17
2.3.3 Rainbow Tables .... 17
2.4 Advanced IT Intrusion Examples .... 19
3 Components .... 21
4 Limitations .... 24
5 Updates & Support .... 26


1 OVERVIEW

The FinIntrusion Kit is a multi-purpose IT Intrusion kit that has been built specifically for present-day operations by Law Enforcement and Intelligence Agencies. It can be utilized in a wide range of operational scenarios such as:

- Breaking into and monitoring Wireless and Wired Networks
- Remotely breaking into E-Mail Accounts
- Performing security assessments of Servers and Networks

The full capabilities are shown in several training courses, each focusing on different operational use-cases.

This document describes the full capabilities, included hard- and software, limitations and the support and update system.

[Figure: FinFisher product portfolio - FinSpy, FinSpy Mobile, FinFly, FinUSB Suite, FinIntrusion Kit, FinFireWire, FinTraining, FinAdvisory]


2 CAPABILITIES

2.1 Operating System

The Operating System of the FinIntrusion Kit is based on BackTrack 5, which includes a full portfolio of the world's best IT-Intrusion tools for a wide range of operations.

Several patches have been applied to the 2.6 Linux Kernel to enable injection of raw wireless packets, emulation of a wireless access point (Master Mode) and more.

FinIntrusion Kit installed on BT5.


2.1.1 FinIntrusion Kit - Toolset

All the tools within the BackTrack system require advanced knowledge of the basic techniques related to their purpose. Most tools have to be used on the command line as they do not provide a graphical user interface.

The FinIntrusion Kit toolset is categorized into the following sub-categories:

Network: Tools for Local Area Network (LAN) Intrusion

- Network Scanner discovers all Systems which are part of the same Local Area Network.
- Network Scanner tries to identify the Operating System and Hostname of the Target PC.
- Network Jammer prevents Internet Access for dedicated Systems.
- Network Sniffer redirects Traffic in the Local Area Network and logs Credentials from a Target PC.
- MAC Change function to spoof the Hardware Address of a local Network Adapter.

Wireless: Tools for Wireless Network- and Client Intrusion

- Wireless Scanner discovers Access Points and connected Wireless Clients of all Wireless Networks which can be reached with the Adapter (and Antenna).
- Wireless Scanner discovers Wireless Clients which search for a known Wireless Network and emulates a "Fake" Access Point for these systems.
- Hidden ESSID Identifier starts attacks against a specific Wireless Network to extract its "Hidden ESSID".
- Wireless Jammer can be started against dedicated Wireless Clients or an Access Point to re-route Target Systems over a "Fake" Access Point.
- WEP Cracking against 40/64-bit or 104/128-bit protected Wireless Networks.
- WPA Cracking against WPA-PSK or WPA2-PSK protected Wireless Networks.

Password: Password Generation Utilities

- Password Generator from a specific Website. This Generator extracts Words from a specified Website and generates a unique Password List.

Reporting:

- Export Function to save all results to "*.csv" files.
- Generate Activity Log with all Status and Result Messages.


2.2 FinIntrusion Kit

The FinIntrusion Kit Operation automates several IT intrusion techniques so the Agent can quickly utilize them without the need for a prior long training program.

FinIntrusion Kit - Main Window


2.2.1 Target Identification

FinIntrusion Kit discovers all Systems which are part of the same Local Area Network and displays relevant data such as:

IP address, MAC address, Vendor, System Name and Operating System.

Example of a running “Network Scanner”

FinIntrusion Kit uses the Address Resolution Protocol (ARP) to discover active Systems.


2.2.2 Sniffing

The network traffic between the Target Systems and the Gateway is redirected to the FinIntrusion Kit System, which is then able to analyze and modify the network traffic.

The technique that is being used for the traffic redirection is called ARP Cache poisoning.

During this attack, FININTRUSION KIT sends spoofed ARP packets to the Target Systems and the Gateway to overwrite their ARP cache in order to:

a) Convince the Gateway that FININTRUSION KIT is all the Target Systems

b) Convince the Target Systems that FININTRUSION KIT is the Gateway
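The bidirectional ARP cache poisoning described in a) and b) leaves a characteristic trace on the wire: one IP address (the Gateway's) is suddenly claimed by a second MAC, and one MAC claims the addresses of several hosts. The following added example (not part of Gamma's document or software) runs a passive detector over constructed ARP reply records; the IPs and MACs are made up for illustration.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

The poisoning pattern: the intruding MAC answers for the Gateway's IP towards
the targets (b) and for each target's IP towards the Gateway (a). A monitor
therefore sees IP->MAC bindings flip and one MAC claiming many IPs.
Records below are constructed; a real feed would come from an ARP capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address of the sender


def detect_poisoning(replies, trusted=None):
    """Return alert strings. `trusted` maps known IP -> MAC (e.g. the Gateway's
    static binding); other IPs are learned from the first reply seen."""
    bindings = dict(trusted or {})   # ip -> known or first-seen mac
    claims = defaultdict(set)        # mac -> set of ips it has claimed
    alerts = []
    for r in replies:
        claims[r.sender_mac].add(r.sender_ip)
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            alerts.append(f"t={r.ts:.1f}: {r.sender_ip} moved from {known} to {r.sender_mac}")
    # One MAC answering for the Gateway and for several hosts at once is the
    # combined a) + b) pattern; a normal host claims only its own address.
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {sorted(ips)}")
    return alerts


# Constructed sample: 10.0.0.1 is the Gateway, 10.0.0.20/21 are Target Systems,
# aa:bb:cc:dd:ee:ff is the intruding host (all values invented).
GATEWAY = {"10.0.0.1": "00:11:22:33:44:01"}
SAMPLE = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(0.5, "10.0.0.20", "00:11:22:33:44:20"),
    ArpReply(1.0, "10.0.0.21", "00:11:22:33:44:21"),
    ArpReply(2.0, "10.0.0.1", "aa:bb:cc:dd:ee:ff"),   # b) Gateway claimed by intruder
    ArpReply(2.1, "10.0.0.20", "aa:bb:cc:dd:ee:ff"),  # a) Targets claimed by intruder
    ArpReply(2.2, "10.0.0.21", "aa:bb:cc:dd:ee:ff"),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE, trusted=GATEWAY):
        print(alert)
```

Static ARP entries for the Gateway on critical hosts, or Dynamic ARP Inspection on managed switches, stop the cache overwrite that this detector only observes.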


FinIntrusion Kit supports three types of Monitoring Modes:

Mode                                 Protocols (Examples!)
Deactivated SSL                      Telnet, FTP, POP3, IMAP, HTTP
Activate SSL + HTTPS Emulation       Telnet, FTP, POP3, IMAP, HTTP, HTTPS (no Certificate Warning, if HTTPS -> HTTP Redirect is supported!!)
Activate SSL + SSL Man-in-the-Middle Telnet, FTP, POP3, POP3s, IMAP, IMAPs, HTTP, HTTPS (with Certificate Warning)

A PCAP Recorder can be started in parallel to log all packets with Wireshark or to save them into a PCAP file in the background.

The “Monitor Target” section of the FININTRUSION KIT offers the capability to capture User Credentials.

The credential sniffer extracts Usernames and Passwords which are sent across the targeted network. For each discovered login, the following information is displayed: Protocol, Username, Password, Server IP Address, Hostname / URL.

Example of running Network Sniffer

The following protocols are supported:

- Telnet
- SSH v1
- FTP
- IRC
- VNC
- HTTP (e.g. Gmail, Facebook, Hotmail)
- POP3 / IMAP
- SMB (Samba / NetBIOS) / NFS
- Oscar (ICQ/AOL)
- MSN
- Yahoo Messenger
- SNMP


When SSL Man-in-the-Middle is activated, SSL- and TLS-encrypted communication can also be intercepted and the Logins extracted. During this attack, a false certificate is presented to the Target Systems and their Browsers display a warning that has to be accepted before the communication takes place.

Example of Warning Popup by the Browser during SSL/TLS protected connection:


2.2.3 Wireless

The Wireless module gives an easy interface to discover Wireless Networks that are in range of the selected Wireless Adapter and to break their encryption.

The following information is displayed for discovered networks:

Name        SSID of Access-Point
BSSID       MAC of Access-Point
Channel     Used Frequency
Encryption  OPEN/WEP/WPA/WPA2
Key         After Decryption

Example of “Wireless Network Scan”

FinIntrusion Kit provides a function to identify "hidden ESSIDs". If a connected Wireless Client of the selected Wireless Network can be found, a De-authentication attack is initiated and the ESSID is captured.

FinIntrusion Kit has the option to "Jam a Wireless Client or Access Point". This Mode sends out IEEE 802.11 De-authentication Management Frames.

Example Submenu of “Wireless Network Scan”
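Both the hidden-ESSID function and the Jam mode above rely on IEEE 802.11 De-authentication Management Frames, which a legitimate network emits only rarely. The following added example (not from Gamma's document or software) flags a de-authentication flood per BSSID with a sliding time window over constructed management-frame records; the MAC addresses and timings are invented.

```python
"""Flag 802.11 de-authentication floods from management-frame records.

A wireless IDS or a monitor-mode capture yields (time, subtype, bssid, dst)
tuples; a jammer produces a dense burst of "deauth" frames at one BSSID,
often to the broadcast address. Records below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtFrame:
    ts: float     # capture time in seconds
    subtype: str  # "deauth", "beacon", "probe_req", ...
    bssid: str    # MAC address of the Access Point
    dst: str      # destination MAC; ff:ff:ff:ff:ff:ff is broadcast


def find_deauth_floods(frames, window=5.0, threshold=10):
    """Return {bssid: peak_count} for every BSSID whose de-authentication
    frames within any `window`-second span reach `threshold`."""
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    peaks = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "deauth":
            continue
        q = recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[f.bssid] = max(peaks.get(f.bssid, 0), len(q))
    return peaks


BCAST = "ff:ff:ff:ff:ff:ff"
AP_A = "00:aa:00:00:00:01"   # constructed: AP with normal, sparse deauths
AP_B = "00:bb:00:00:00:02"   # constructed: AP being jammed
CLIENT = "00:cc:00:00:00:10"

SAMPLE = (
    [MgmtFrame(float(t), "beacon", AP_A, BCAST) for t in range(0, 60, 10)]
    + [MgmtFrame(5.0, "deauth", AP_A, CLIENT), MgmtFrame(40.0, "deauth", AP_A, CLIENT)]
    + [MgmtFrame(20.0 + i * 0.1, "deauth", AP_B, BCAST) for i in range(30)]
)

if __name__ == "__main__":
    for bssid, peak in find_deauth_floods(SAMPLE).items():
        print(f"deauth flood at {bssid}: {peak} frames within 5 s")
```

Networks with 802.11w (Protected Management Frames) enabled reject forged de-authentication frames outright, so the flood is observable but ineffective there.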


The "Break Encryption" option enables the end-user to recover the WEP encryption keys of 64- and 128-bit protected networks and WPA / WPA-PSK (Pre-shared Key) keys.

Example of WEP Key found (128bit):

Example of WPA-PSK found:


Another implemented technique is the emulation of Wireless Access-Points:

Reply to and broadcast all seen ESSIDs
FININTRUSION KIT broadcasts all known ESSIDs and replies to all seen requests so that Target Systems that are currently searching for various wireless networks will be connected to the FinIntrusion Kit system.

Emulate Access-Point only for ESSID X
A dedicated network will be created that Target Systems can find and connect to (e.g. by using the SSID: Free Internet).

The traffic can be routed through another existing Interface to ensure that Target Systems stay connected and have full internet access.

Example of a started "Fake Access Point":


2.2.4 Password Generator

The Password Generator module can be used to crawl a website, extract all words and export them to a password list. This specific password list can speed up a Brute Force Attack against a well-known Target (e.g. web-based Forum, Email Account etc.).

Example of “Wordlist” generated from webpage “www.finfisher.com”:


2.2.5 Activity Log

For legal reasons, FININTRUSION KIT records all actions that have been executed with a time stamp. The action log can be exported into a regular TXT / CSV file.

Example of Wireless Activity Log:


2.3 USB Hard-Disk

An external USB Hard-Disk is included in the kit to store data gathered in operations. The hard-disk also contains valuable data that is regularly required for IT Intrusion attacks.

2.3.1 Default Password List

The Default Password List is a list of default Logon credentials for Wireless Access Points, Routers, Network Printers, Network Cameras and many more.

The list contains over 1000 entries for the most common vendors of network hardware.

2.3.2 Wordlists / Dictionaries

These are Wordlists that can be used for all kinds of password-based attacks, for example against password-protected files, remote logon accounts (e.g. Email accounts) and more.

The Wordlists contain several million words and are separated into various categories.

Category    Description
Dates       Dates beginning from 1960.
Languages   Wordlists made of different languages.
Literature  Wordlists created from famous comics, fables, myths, legends or famous book authors.
Misc        Various words of popular places, famous people, numbers, special words or facts.
Movie       These wordlists consist of words from famous movies, TV shows and famous characters in movies.
Names       Common names in various languages, famous persons, companies and more.
Religion    These wordlists contain words from the Quran and the Bible.
Simple      An effective and simple wordlist with the most common passwords, accounts, numbers and easy words.

2.3.3 Rainbow Tables

Rainbow Tables are pre-generated password hashes that can be used to look up passwords instead of running a wordlist attack.


The following Rainbow Tables are included:

Category                        Description                                                                    Size
LanManager (LM) All 1-7         ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/           66.0 GB
Alpha-Numeric-Space             ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789                                           4.17 GB
Alpha-Numeric-Symbol14          ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=                             29.2 GB
MD5 Loweralpha-Numeric 1-8      abcdefghijklmnopqrstuvwxyz0123456789                                           36.0 GB
WPA 1000 SSID                   Dictionary ~ 1 million words                                                   38.9 GB


2.4 Advanced IT Intrusion Examples

BackTrack offers a wide range of IT Intrusion tools and techniques which can be combined in hundreds of ways depending on the operation and Targets.

This chapter describes a few of the operations which can be conducted with the BackTrack Operating System.

Feature: Password Bruteforce
The BackTrack Operating System contains several tools that can be used for dictionary attacks against password-protected accounts (e.g. E-Mail and Remote Login accounts).

The following protocols are supported:

- Cisco (AAA, Auth, Enable)
- CVS
- FTP
- HTTP(S), HTTP-PROXY
- ICQ
- IMAP
- LDAP2/3
- MS-SQL
- MYSQL
- POP3
- Postgres
- SMB/SMBNT
- SMTP-AUTH
- SNMP
- SOCKS5
- Teamspeak
- TELNET
- VNC

Feature: Exploit Framework
A very advanced framework is included to simplify the use of exploits. A few hundred exploits against the most common services and operating systems are included.

Feature: SMB Browsing
When part of a Local Area Network, the system automatically discovers all SMB-enabled systems within the same network and provides access to their shared files and folders in a simple graphical user interface.


Feature: Web Application Penetration
Various tools exist to perform security assessments of Web Applications and Web-Servers, offering e.g. the following techniques:

- Editing/Viewing HTTP/HTTPS data on-the-fly
- CGI vulnerability scanning
- SQL Injection
- Cross-Site-Scripting
- Arbitrary file creation/deletion
- Weak password strength on authentication pages


3 COMPONENTS

Component: Headquarter Notebook
- Model: Lenovo Thinkpad T410i
- OS: Backtrack 5
- CPU: Intel Core i5
- RAM: 2 GB
- Hard-Disk: 320 GB
- Optical Drive: DVD-RW

Component: FinIntrusion Kit / FININTRUSION KIT Software (pre-installed on Notebook)
- Backtrack 5
- FinIntrusion Kit 2.0
- Full IT Intrusion Toolset

Component: USB Hard-Disk
- Model: Freecom Mobile Classic (Size: 500.0 GB)
- Content: Rainbow Tables, Wordlists, Default Password List

Component: WLAN USB Adapter
- Model: Alfa AWUS036H
- Networks: 802.11ABG
- Power: 500mW (27dBm +/- 1dBm)


Component: Bluetooth USB Adapter
- Model: Aircable Host XR
- Networks: 802.11b
- Power: max 200mA (19.5dBm +/- 1dBm)

Component: Omni-directional Antenna
- Model: FWA
- Networks: 2.4GHz
- Power: 9dBm

Component: Directional Antenna
- Model: Stella Doradus Planar Antenna
- Networks: 2.4GHz
- Power: 9dBm

Component: Tripod Stand
- Tripod-Stand for Directional Antenna

Component: USB Network Adapter
- Model: Linksys Gigabit USB Adapter
- Networks: 802.3, 802.3u, 802.3ab

Component: Network Cables
- 1 RJ-45 Patch Cable
- 1 RJ-45 Cross-Over Cable

Component: Case
- Model: Mandarina Duck


- Standard Cabin Case
- Foam for fitting the components inside

Component: Documentation
- 1 User Manual
- 1 Product Specifications


4 LIMITATIONS

The following sections describe the limitations of the FinIntrusion Kit.

Feature: Backtrack
Backtrack includes a wide range of publicly available IT Intrusion tools within the Toolset. As most of them are proof-of-concept tools, their functionality cannot be guaranteed in every scenario.

Feature: FinIntrusion Kit
The software is an approach to automate complex attacks with a simple user interface. Due to the wide range of different networks and scenarios, the implemented operations cannot be guaranteed to work in all scenarios without more advanced user interaction.

The automated WEP cracking technique requires the Access-Point to be vulnerable to the fragmentation attack.

Feature: Password Generator from Websites
Only HTTP/HTTPS pages without pre-authentication can be scanned. No Proxy support at the moment. Only "pure" HTTP Webpages are supported. The Password List may still contain some useless Entries (e.g. script code), which must be removed manually.

Feature: WPA Cracking
Only WPA/WPA2-PSK mode can be attacked. WPA/WPA2 in Enterprise mode cannot be attacked. There is no possibility to identify "from outside" in which mode the Wireless Network runs (PSK / Enterprise). Success in cracking a WPA-PSK depends on the password list and CPU power; it can take days / weeks, or the key may not be found at all.

Feature: USB Hard-Disk
The rainbow tables and default word lists provide a selection of possible passwords. It is not guaranteed that the Target's passwords are contained within these lists.

Feature: OS Detection
Not every Operating System can be identified. It is possible to prevent OS fingerprinting with modified Firewall or Kernel settings.

Feature: Antivirus / Personal Firewall
OS Fingerprinting can trigger an Antivirus / Personal Firewall alert or warning.

Feature: SSL Man-in-the-Middle
Not all Client Software (e.g. Browsers) accepts self-signed / untrusted Certificates. Sometimes the request will be rejected.


5 UPDATES & SUPPORT

The software has a built-in update feature that pulls updates automatically from the Gamma Update server at configured time intervals. In case the system is not connected to the Internet, download locations are provided on request so the updates can be downloaded manually from other systems.

Every update is done through a secure encrypted link to ensure integrity of the transferred update files.

The amount of updates per year depends on the changes in the IT Intrusion field and the requirement of bug-fixes and new features. At least two major feature updates are provided per year per product.

In addition to the updates, all customers have access to an after-sales website that gives them the following capabilities:

- Download product information (latest user manuals, specifications, training slides)
- Access change-log and roadmap for products
- Report bugs and submit feature requests
- Inspect frequently asked questions (FAQ)

Furthermore, support is provided via telephone and E-Mail.
