FinIntrusion Kit - WikiLeaks



FINFISHER: FinIntrusion Kit 2.2 User Manual

Copyright 2011 by Gamma Group International, UK
Date: 2011-09-23

Release information

Version  Date        Author  Remarks
1.0      2011-05-26  PK      Initial version
1.1      2011-08-12  PK      Review for release 2.1
1.2      2011-09-23  PK      Review for release 2.2

Table of Content

1 Overview
2 FinIntrusion Kit – Toolset
3 Equipment
  3.1 Notebook
  3.2 USB Hard-Disk
  3.3 Wireless Equipment
4 Operating System
  4.1 Introduction
  4.2 Notebook Usage
5 Installation
  5.1 Pre requirements
  5.2 License
  5.3 Update Software
6 Configuration
  6.1 Network Configuration
  6.2 Wireless Configuration
  6.3 Language Options
7 FinIntrusion Kit – Network Intrusion
  7.1 Target Identification
  7.2 Jam Target
  7.3 Monitor Target
    7.3.1 PCAP Recorder
    7.3.2 Open URL in Browser
8 FinIntrusion Kit – Wireless Intrusion
  8.1 Wireless Network Identification
  8.2 Identify hidden ESSID
  8.3 Jam Wireless Network
  8.4 Break Encryption
    8.4.1 WEP Cracking
    8.4.2 WPA/WPA2-PSK
  8.5 Wireless Client Identification
  8.6 Fake / Rogue Access Point
    8.6.1 Adapter Selection
    8.6.2 Reply-to and broadcast all seen ESSIDs
    8.6.3 Emulate access-point only for ESSID
    8.6.4 “Monitor all” Button
9 Password Generator Utils
  9.1 Limitations
10 FinIntrusion Kit – Other Options
  10.1.1 Delete / Delete all
  10.1.2 Data Export
11 Activity Log
12 Support

1 Overview

The FinIntrusion Kit is a multi-purpose IT Intrusion kit that has been built specifically for present-day operations by Law Enforcement and Intelligence Agencies. It can be utilized in a wide range of operational scenarios such as:

- Breaking into and monitoring Wireless and Wired Networks
- Remotely breaking into E-Mail Accounts
- Performing security assessments of Servers and Networks

The full capabilities are shown in several training courses, each focusing on different operational use-cases.

- FinSpy
- FinSpy Mobile
- FinFly
- FinUSB Suite
- FinIntrusion Kit
- FinFireWire
- FinTraining
- FinAdvisory

The following topics are covered within this document:

- Equipment
- Installation
- Configuration
- Usage
- Support

2 FinIntrusion Kit – Toolset

All the tools within the BackTrack system require advanced knowledge of the basic techniques related to their purpose. Most tools have to be used on the command line as they do not provide any graphical user interface.
The FinIntrusion Kit toolset is categorized into the following sub-categories:

Network: Tools for Local Area Network (LAN) Intrusion
- Network Scanner discovers all Systems which are part of the same Local Area Network.
- Network Scanner tries to identify the Operating System and Hostname of Target Systems.
- Network Jammer prevents Internet Access for dedicated Targets.
- Network Sniffer redirects Traffic in the Local Area Network and logs Credentials from a Target PC.
- MAC Change functions to spoof the Hardware Address of a local Network Adapter.

Wireless: Tools for Wireless Network and Client Intrusion
- Wireless Scanner discovers Access Points and connected Wireless Clients of all Wireless Networks that can be reached with the Adapter (and Antenna).
- Wireless Scanner discovers Wireless Clients which search for a known Wireless Network and emulates a “Fake” Access Point for these systems.
- Hidden ESSID Identifier starts attacks against a specific Wireless Network to extract the “Hidden ESSID”.
- Wireless Jammer can be started against dedicated Wireless Clients or an Access Point to re-route Target Systems over a “Fake” Access Point.
- WEP Cracking against 40/64-bit or 104/128-bit protected Wireless Networks.
- WPA Cracking against WPA-PSK or WPA2-PSK protected Wireless Networks.

Password: Password Generation Utilities
- Password Generator from a specific Website. This Generator extracts Words from a specified Website and generates a unique Password List.

Reporting:
- Export Function to save all results to “*.csv” files.
- Generate Activity Log with all Status and Result Messages.

3 Equipment

The kit includes a range of equipment for various local and remote IT Intrusion scenarios. Some usage examples are supplied within the following chapters.

[Figure: Overview of Equipment]

3.1 Notebook

The notebook is the core of the kit. It is loaded with the BackTrack operating system and the FinIntrusion Kit software.

3.2 USB Hard-Disk

The external USB Hard-Disk contains various data to help with certain attacks, for example:
- Rainbow Tables for LM/WPA/MD5
- Default Password List
- Wordlists for various languages and subjects

It can also be utilized as a storage device for gathered information.

3.3 Wireless Equipment

The included Wireless (802.11) and Bluetooth equipment can be used for short- and long-distance attacks against wireless networks/clients and Bluetooth-enabled devices.

Wireless examples:
- Scanning for Wireless Networks and Clients
- Breaking WEP/WPA/WPA2 Encryption
- Emulating an Access Point for Client-Side attacks
- Monitoring Wireless LAN Traffic

Bluetooth examples:
- Scanning for Bluetooth Devices
- Executing known attacks like Bluesnarf, Bluebug and more

4 Operating System

4.1 Introduction

The FinIntrusion Kit is shipped with a copy of BackTrack 5, an operating system based on Linux that includes a complete set of up-to-date IT intrusion and analysis tools. The BackTrack operating system is used by numerous professional IT security companies world-wide.

4.2 Notebook Usage

Turn on the notebook and boot with the default settings.
After the BackTrack graphical user interface (GDM) is loaded, it is ready to use. The system can be customized using the programs included in the menu.

5 Installation

5.1 Pre requirements

- BackTrack 5 – R1 – 32bit operating system
- Gnome desktop version

The following packages have to be installed before you can use FinIntrusion Kit:
- mono-runtime
- gtk-sharp2
- dhcp3-server
- whois

To install the software on the FinIntrusion Kit follow these steps:
1. Insert the CD-ROM and open the folder FinIntrusion Kit.
2. Click on the file “finintrusionkit_installer_v_XXX.ggi”.
3. A shortcut for launching FinIntrusion Kit now appears on the desktop (/root/Desktop/FinIntrusionKit.desktop).

5.2 License

Place the license “.ggpck” file on a USB dongle or CD-ROM:

1. Mount the USB stick or CD/DVD:
   CD-ROM:    # sudo mount /media/cdrom0
   USB stick: # sudo mount /dev/sdb1 /mnt/
2. Copy the license file to /tmp:
   CD-ROM:    # cp /media/cdrom0/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/
   USB stick: # cp /mnt/CERTS-FinIntrusion-Kit-Customer_ID-Machine_ID-XX.DAYS.ggpck /tmp/
3. Start FinIntrusion Kit and press the “Import License” button.
4. Choose your *.ggpck file and press the “Import” button.
5. After import the license will be checked. If the license is valid, close the dialog.
6. Restart the FinIntrusion Kit application.

5.3 Update Software

The FinIntrusion Kit software is updated regularly to meet the requirements of the ever-changing IT landscape. FinIntrusion Kit is equipped with the option of downloading such software updates. It can be configured to automatically check for updates at certain intervals, or the user can check straight away for an update. Update checks can be configured to run every time the application starts or at various intervals.

If an update is found, the following dialogue is shown, including the automatic installation of the updated software.

After the installation of an update the user can verify that the new version has been installed by checking the version number in the About box.

6 Configuration

6.1 Network Configuration

The user can select the proper Network Adapter by choosing it from the “Interface:” combo box. For Network Intrusion it is necessary that FinIntrusion Kit is running in the same network as the target system.

If the network adapter has no IP address, press the button to get a new IP address via DHCP.

In order to proceed with the Network Intrusion, click the tab button.

6.2 Wireless Configuration

The user can select the proper Wireless Adapter by choosing it from the “Interface:” combo box. To attack a target system which is connected through a wireless network it is necessary to be in the same wireless network.

To configure a wireless adapter for a specific wireless network we recommend using “Wicd Network Manager”:

1. Start “Wicd”, change Preferences and add the Wireless Interface, e.g. “wlan0”.
2. Press the “Refresh” button and select a Wireless Network (SSID Broadcasting should be activated!).
3. Press the “Connect” button to configure all necessary parameters for the selected Wireless Network.

6.3 Language Options

The application is translated into a number of languages and the user has the option of choosing one. Click on “Language” in the main menu on the left side. After choosing a different language the application has to be restarted for the change to take effect.

7 FinIntrusion Kit – Network Intrusion

7.1 Target Identification

To monitor or jam a Target system it is necessary to detect the system inside the (W)LAN. This feature is provided by the “Network Scanner” and can be started with the button.

All systems inside the network will be listed. By default a class C network is scanned (e.g. 10.0.0.0/24 or 10.0.0.1 – 10.0.0.254). The target must be in the same network where the FinIntrusion Kit runs.

Work flow:
1. ARP Scan captures the MAC addresses of all connected Targets.
2. Try to identify the Operating System with an OS fingerprinting technique.
3. Try to identify the Hostname.

Note: The OS System Scan can trigger an AV detection / warning and does not work against all Target systems.

7.2 Jam Target

“Network Jammer” blocks a Target from having Internet access. “Network Jammer” initiates an “ARP Cache Poisoning” attack against the Target PC and overwrites the MAC address of the Default Gateway with an invalid value.

[Figure: ARP cache on the Target PC before and after “ARP Cache Poisoning” was started]

The “Network Jammer” runs in the background as long as the FinIntrusion Kit is started or until the button is pressed.

7.3 Monitor Target

“Network Sniffer” can be used to extract all usernames and passwords of known protocols from the network traffic. Select it to start parsing the traffic and printing all account data it finds.

FinIntrusion Kit includes three different types of Monitoring Modes. The default mode is “HTTPS Emulation”.

“Non SSL Mode”
  Capture Credentials which were transmitted in CLEARTEXT.
  Protocols (examples): SMTP, POP3, IMAP, Telnet, SNMP, HTTP, FTP, ...

“HTTPS Emulation” (DEFAULT MODE)
  Capture Credentials which were transmitted in CLEARTEXT and try to redirect HTTPS to HTTP.
  Protocols (examples): SMTP, POP3, IMAP, Telnet, SNMP, HTTP & HTTPS (Redirect), FTP, ...

“SSL Mode”
  Capture Credentials which were transmitted in CLEARTEXT and “encrypted” with SSL.
  Protocols (examples): SMTP & SMTPS, POP3 & POP3S, IMAP & IMAPS, Telnet, SNMP, HTTP & HTTPS, FTP, ...

Note: Enabling the “SSL Man-in-the-Middle” option will result in all clients seeing a warning that the SSL/TLS certificate for their servers has changed. This includes all SSL sessions (Web, E-Mail, etc.). This also happens if the HTTPS to HTTP redirect is not working!

7.3.1 PCAP Recorder

This feature can be used to record all data from a selected Target System into a PCAP file. This file can be analyzed with a network analyzer (e.g. Wireshark) or is useful as a piece of evidence.

FinIntrusion Kit supports two different types of PCAP Recorder:

“tcpdump”
  Generates a network capture file (= pcap file) with “tcpdump” in the background. A capture filter for the selected IP is used. No traffic analyzer is started.
  Generated file: “/tmp/fik_pcap_recorder_IP-ADDRESS.pcap”

“Wireshark”
  Starts Wireshark in the foreground with a capture filter for the selected Target IP (= selected row). The capture file must be saved at the end of the session!!!

Note: The PCAP Recorder can be combined with all three Monitoring Modes.

7.3.2 Open URL in Browser

Select a logged FTP, HTTP or HTTPS credential and a special option will be activated in the submenu (“Open URL in Browser”). This feature is useful to verify whether the credentials are correct.

Note: The URL / hostname can differ from the URL that is typically used for the authentication process (forwarding, load balancer, etc.).
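The “Jam Target” and “Monitor Target” functions described above both work by changing the MAC address a host holds for its default gateway: the jammer overwrites it with an invalid value, the sniffer replaces it with the attacker's own. On the wire, both appear as ARP replies for the gateway IP that carry a MAC other than the gateway's. The following Python script is an added example from a defender's side and is not part of the FinIntrusion Kit manual or software: it keeps a baseline MAC for the gateway (configured from inventory, or learned from the first plausible reply) and raises an alert for every invalid or changed mapping in a stream of ARP replies. The gateway address, the known-good MAC and the sample replies are all constructed for the example.

```python
"""Detect gateway ARP entry tampering from a stream of ARP replies.

Added example, not from the FinIntrusion Kit manual or product. Input is a
sequence of (sender IP, sender MAC) pairs as a passive listener on the
segment would see them in ARP replies.
"""
from dataclasses import dataclass

GATEWAY_IP = "10.0.0.1"            # assumed default gateway of the monitored segment
GATEWAY_MAC = "00:11:22:33:44:55"  # assumed known-good MAC (from inventory, not learned from ARP)

# Constructed ARP reply stream for the example.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:55"),   # gateway answers normally
    ("10.0.0.23", "00:aa:bb:cc:dd:23"),  # unrelated host, ignored
    ("10.0.0.1", "00:00:00:00:00:00"),   # gateway entry overwritten with an invalid MAC (jamming)
    ("10.0.0.1", "00:11:22:33:44:55"),   # gateway answers again
    ("10.0.0.1", "aa:bb:cc:dd:ee:ff"),   # another NIC claims the gateway IP (redirection)
]


@dataclass(frozen=True)
class Alert:
    kind: str       # "invalid-mac" or "gateway-mac-changed"
    ip: str
    expected: str
    observed: str


def mac_is_plausible(mac: str) -> bool:
    """True only for a well-formed unicast MAC that is neither all-zero nor broadcast."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        return False
    try:
        values = [int(o, 16) for o in octets]
    except ValueError:
        return False
    if all(v == 0 for v in values) or all(v == 0xFF for v in values):
        return False
    return values[0] & 0x01 == 0   # I/G bit clear: individual (unicast) address


def monitor_gateway(replies, gateway_ip, known_mac=None):
    """Return (baseline MAC, alerts). Without known_mac the first plausible reply is trusted."""
    baseline = known_mac.lower() if known_mac else None
    alerts = []
    for ip, mac in replies:
        if ip != gateway_ip:
            continue
        mac = mac.lower()
        if not mac_is_plausible(mac):
            alerts.append(Alert("invalid-mac", ip, baseline or "unknown", mac))
        elif baseline is None:
            baseline = mac
        elif mac != baseline:
            alerts.append(Alert("gateway-mac-changed", ip, baseline, mac))
    return baseline, alerts


if __name__ == "__main__":
    _, found = monitor_gateway(SAMPLE_ARP_REPLIES, GATEWAY_IP, GATEWAY_MAC)
    for a in found:
        print(f"{a.kind}: {a.ip} expected {a.expected}, observed {a.observed}")
```

Trusting the first reply as the baseline is only a fallback for segments without an inventory; a poisoned reply seen first would become the baseline, so a configured known-good MAC is preferable. Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on managed switches, prevent the tampering rather than only reporting it.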
For FTP accounts the credentials (= username and password) will be used automatically.

8 FinIntrusion Kit – Wireless Intrusion

For all wireless based attacks, the Alfa USB adapter should be used as its functionality and drivers provide the best support for the applied Wireless Intrusion techniques.

After the Alfa USB adapter is plugged into the notebook via the provided USB cable, it will be recognized automatically. If the interface isn’t listed, try to reconnect the adapter and press the button.

8.1 Wireless Network Identification

All Wireless Network Intrusion functions are blocked until a Wireless Network has been found.

[Figure: “Wireless Network Intrusion” Submenu]

Press the button to scan for wireless networks within the range of the FinIntrusion Kit system and display them including detailed information. The following information is displayed for discovered networks:

SSID        Name of Access Point / Wireless Network
BSSID       MAC address of Access Point
Channel     Used Frequency / Channel
Encryption  Type of Encryption: OPEN/WEP/WPA/WPA2
Key         After Decryption

[Figure: Example of “Wireless Network Scan”]

Select an Access Point and a list of “Connected Clients” for this AP will be shown below.

8.2 Identify hidden ESSID

FinIntrusion Kit includes a module to identify a hidden ESSID. For this module it is necessary to have at least one connected client for the selected Access Point.

[Figure: Before and after “Identify Hidden SSID” finished successfully]

An ESSID is necessary for WPA Cracking and to set up a Fake AP for a specific ESSID.

8.3 Jam Wireless Network

To block all clients which are connected to a specific Access Point, or only one dedicated Wireless Client, use the “Wireless Jammer” module.

[Figure: Example of “Wireless Jammer” was started]

“Wireless Jammer” sends out de-authentication packets to the Wireless Client(s).

Note: If a specific Connected Wireless Client is selected (before!) the WLAN Jammer is started, only this Wireless Client will be blocked. If no “Connected Wireless Client” is selected, all Wireless Clients will be blocked.

The packet counter for the Wireless Jammer can be modified in “/usr/local/finintrusionkit/conf/FinIntrusionKit.cfg” (default value = 10 packets):

    <?xml version="1.0" encoding="utf-8"?>
    <FinIntrusionKit>
      ....... s n i p ..........
      <WIRELESS>
        ....... s n i p ..........
        <Wireless_Deauth_Counter>10</Wireless_Deauth_Counter>
        ....... s n i p ..........
      </WIRELESS>
    </FinIntrusionKit>

8.4 Break Encryption

FinIntrusion Kit includes a module to break WEP and WPA/WPA2 (PSK mode) encryption. For this module it is necessary to have at least one connected Wireless Client.

In case a wireless network is encrypted using WEP or WPA/WPA2, select the encrypted network and press the button. The software will now try to automatically retrieve the WEP key or the WPA/WPA2 pre-shared key, which can then be used to join the network.

8.4.1 WEP Cracking

[Figure: Example of a successful “WEP Crack”]

This process should not take longer than 10 minutes. In case it cannot recover the key, try to restart the process. As this technique cannot work on all types of wireless networks, this might need to be done in a manual process.

Work flow:
1. Identify a WEP encrypted Wireless Network with at least one connected Wireless Client.
2. The connected Wireless Client is disconnected with de-authentication packets.
3. The Target System reconnects to the Access Point; these packets are captured in the background.
4. Start a replay attack and replay these fragments.
5. The Access Point / Wireless Clients are triggered to send more packets, so more encrypted data packets / IVs are captured. If enough IVs are collected, a WEP Crack can be successful.

Depending on the size of the WEP key and whether ASCII or HEX values were used, a different number of packets must be captured:

Key Length           Encrypted Data Packets with different IVs
40 / 64 Bit ASCII    ~ 30,000 packets
40 / 64 Bit HEX      ~ 40,000 packets
104 / 128 Bit ASCII  ~ 60,000 packets
104 / 128 Bit HEX    ~ 70,000 packets

8.4.2 WPA/WPA2-PSK

[Figure: Example of a successful “WEP Crack”]

To recover a “WPA/WPA2” PSK (= Pre-Shared Key) it is necessary to capture a 4-way handshake. This handshake only takes place when a Wireless Client connects to a Wireless Network. Once this process has completed, the handshake will not be sent by the Wireless Client again (until the next disconnect). To trigger this handshake it is necessary to perform an active attack and disconnect a Wireless Client with some de-authentication packets.

Work flow:
1. Disconnect an established connection between a Wireless Client and an Access Point (with de-authentication packets).
2. The Wireless Client tries to reconnect to the Access Point and performs the 4-way handshake.
3. FinIntrusion Kit starts a Wordlist Attack against the selected Access Point. On BackTrack a password list exists at the location “/pentest/passwords/wordlists/”.

[Figure: WPA Cracking Option Dialog Box]

8.5 Wireless Client Identification

All Wireless Client Intrusion functions are blocked until a Wireless Network has been found.

[Figure: “Wireless Client Intrusion” Submenu]

Press the button to scan for wireless clients within the range of the FinIntrusion Kit system and display them including detailed information. The following information is displayed for discovered clients:

Client MAC    MAC address of the Wireless Adapter of the Target Client
Vendor        Translated “Organizationally Unique Identifier” (OUI) = uniquely identifies a vendor / manufacturer
BSSID         MAC address of the Access Point (if associated!)
Probed ESSID  Names of previously used Wireless Networks which the Wireless Client is searching for

8.6 Fake / Rogue Access Point

For this attack, the software emulates a fake Access Point which Wireless Clients can find and connect to.
This is a very useful attack to get access to the targets’ network traffic and gain a position to attack their systems.

[Figure: Example of “Fake AP” was started]

Two different modes exist:
- Reply to all Broadcasts
- Reply to specific ESSID

8.6.1 Adapter Selection

If a client connects and cannot access the Internet, no valuable traffic will be created on its side and therefore no essential data can be gathered by monitoring it. To redirect all traffic from the target wireless stations the FinIntrusion Kit system needs an Internet connection/uplink. Using this technique, clients associate normally with the Access Point and use the Internet as they normally do when using public hotspots.

Fake AP Adapter: can only be a Wireless Adapter. On this adapter a “Fake Access Point” will be started.

Uplink Adapter: any adapter other than the “Fake AP Adapter” which has the status “UP”!!! This interface will be used to provide Internet access for all connected Wireless Clients. Typically a “cable network interface” should be used in this case.

8.6.2 Reply-to and broadcast all seen ESSIDs

In this mode, the software sees all requests for Wireless LANs by systems and replies to all of them, so the scanning systems connect to the emulated access point. This is very useful as especially Windows systems always scan for recently used Wireless networks (e.g. hotel/hotspot networks). The ESSID text field is deactivated.

Gamma doesn’t recommend this mode. If a Target Subject was previously connected to e.g. “My Home Network” / “Hotel XYZ” / “Airport XYZ” and is then connected to an Access Point with the same “Network Name”, it could be conspicuous (only if the person is NOT in this environment anymore!).

8.6.3 Emulate access-point only for ESSID

This feature will emulate a normal access point which the target systems see when scanning for wireless networks. The chosen ESSID can trick people into selecting and associating to this network.

8.6.4 “Monitor all” Button

A passive network sniffer will be started in the background. Features are:
- Capture all credentials from Wireless Clients which are connected to your Fake Access Point.
- Traffic from all Wireless Clients will be captured; no single Target selection is necessary.
- All cleartext passwords (FTP, IRC, SNMP, etc.) will be captured (same as the Non-SSL Mode in the network section).
- An HTTPS to HTTP Emulation will be started automatically in the background, as long as it is supported by the Target Webpage.

Press the button to stop the Fake-AP and Monitor function.

9 Password Generator Utils

The “Website Profiling” module can be used to crawl a website, extract all words and export them to a password list. This specific password list could speed up a Brute Force Attack against a well-known Target (e.g. web based Forum, Email Account etc.).

[Figure: Example of “Wordlist” generated from webpage “”]

Work flow:
1. A Webcrawler will be started. This Crawler mirrors max. 500 different Webpages from a Webserver and saves them in the “/tmp” directory.
2. A Webparser will extract all Words and save them to a text file: “/tmp/WEBSITE.txt”
3. All Words will be imported into the GUI and duplicates will be removed.

Note: Words which are longer than 33 characters will be ignored.

9.1 Limitations

The “Website Profiling” module has some limitations:
- Only Webpages in HTML are supported. Other source code (e.g. ASP, JS) could generate some unusable Words (e.g. Methods or Variable Names).
- Only Webpages without pre-authentication, session cookie etc. can be analyzed.
- No Proxy Authentication is supported.
- The Wordlist must be cleaned up manually (remove nonsense / unlikely used words, like Methods or Variable Names etc.).

10 FinIntrusion Kit – Other Options

FinIntrusion Kit provides some additional functions, which are available if a dedicated target PC or user credential is selected. The user should select a row (left mouse button) and press the right mouse button to get a submenu.

[Figure: Submenu of “Network Scan”]
[Figure: Submenu of “Wireless Scan”]

10.1.1 Delete / Delete all

Delete the selected row or all entries in the list.

10.1.2 Data Export

Save all data tab-separated into an external text file. This file can be analyzed e.g. with Excel.

[Figure: Example of Target List loaded with Excel]

11 Activity Log

For legal reasons, FININTRUSION KIT records all actions that have been executed with a time stamp. The action log can be exported into a regular TXT / CSV file.

[Figure: Example of Wireless Activity Log]

12 Support

All customers have access to an after-sales website that gives the customers the following capabilities:
- Download product information (latest user manuals, specifications, training slides)
- Access change-log and roadmap for products
- Report bugs and submit feature requests
- Inspect frequently asked questions (FAQ)

The after-sales website can be found at:
Password:

In order to avoid copyright disputes, this page is only a partial summary.
