Copyright 2011 by Gamma Group International, UK

Date 2011-09-23

Release information

Version / Date / Author / Remarks
1.0 / 2011-05-20 / PK / Initial version
1.1 / 2011-08-12 / PK / Review for release 2.1
1.2 / 2011-09-23 / PK / Review for release 2.2

Table of Contents

1 Overview
2 Capabilities
2.1 Operating System
2.1.1 FinIntrusion Kit - Toolset
2.2 FinIntrusion Kit
2.2.1 Target Identification
2.2.2 Sniffing
2.2.3 Wireless
2.2.4 Password Generator
2.2.5 Activity Log
2.3 USB Hard-Disk
2.3.1 Default Password List
2.3.2 Wordlists / Dictionaries
2.3.3 Rainbow Tables
2.4 Advanced IT Intrusion Examples
3 Components
4 Limitations
5 Updates & Support

1 Overview

The FinIntrusion Kit is a multi-purpose IT Intrusion kit that has been built specifically for today's operations by Law Enforcement and Intelligence Agencies. It can be utilized in a wide range of operational scenarios, such as:

  • Breaking into and monitoring Wireless and Wired Networks
  • Remotely breaking into E-Mail Accounts
  • Performing security assessments of Servers and Networks

The full capabilities are shown in several training courses, each focusing on different operational use-cases.

This document describes the full capabilities, included hard- and software, limitations and the support and update system.

2 Capabilities

2.1 Operating System

The Operating System of the FinIntrusion Kit is based on Backtrack 5, which includes a full portfolio of the world's best IT-Intrusion tools for a wide range of operations.

Several patches have been applied to the 2.6 Linux Kernel to enable injection of raw wireless packets, emulation of a wireless access point (Master Mode) and more.

FinIntrusion Kit installed on BT5.

2.1.1 FinIntrusion Kit - Toolset

All the tools within the Backtrack system require advanced knowledge of the basic techniques related to their purpose. Most tools have to be used on the command line, as they do not provide any graphical user interface.

The FinIntrusion Kit toolset is categorized into the following sub-categories:

  • Network: Tools for Local Area Network (LAN) Intrusion

- Network Scanner discovers all Systems which are part of the same Local Area Network.

- Network Scanner tries to identify the Operating System and Hostname of a Target PC.

- Network Jammer prevents Internet Access for dedicated Systems.

- Network Sniffer redirects Traffic in Local Area Network and logs Credentials from a Target PC.

- MAC Change functions to spoof Hardware Address of a local Network Adapter.

  • Wireless: Tools for Wireless Network- and Client Intrusion

- Wireless Scanner discovers Access Points and connected Wireless Clients from all Wireless Networks which could be reached with the Adapter (and Antenna).

- Wireless Scanner discovers Wireless Clients which search for a known Wireless Network and emulates a "Fake" Access Point for these systems.

- Hidden ESSID Identifier, which starts attacks against a specific Wireless Network to extract its "Hidden ESSID".

- Wireless Jammer, which can be started against dedicated Wireless Clients or Access Points to re-route Target Systems over a "Fake" Access Point.

- WEP Cracking against 40/64bit or 104/128bit protected Wireless Networks.

- WPA Cracking against WPA-PSK or WPA2-PSK protected Wireless Networks.

  • Password: Password Generation Utilities

- Password Generator from specific Website. This Generator extracts Words from a specified Website and generates a unique Password List.

  • Reporting:

- Export Function to save all results to “*.csv” files.

- Generate Activity Log with all Status and Result Messages.

2.2 FinIntrusion Kit

The FinIntrusion Kit Operation automates several IT intrusion techniques so that the Agent can quickly utilize them without the need for a long prior training program.

FinIntrusion Kit - Main Window

2.2.1 Target Identification

FinIntrusion Kit discovers all Systems which are part of the same Local Area Network and displays relevant data such as IP address, MAC address, Vendor, System Name and Operating System.

Example of a running “Network Scanner”

FinIntrusion Kit uses the Address Resolution Protocol (ARP) to discover active Systems.

2.2.2 Sniffing

The network traffic between the Target Systems and the Gateway is redirected to the FinIntrusion Kit System which is then able to analyze and modify the network traffic.

The technique that is being used for the traffic redirection is called ARP Cache poisoning.

During this attack, FININTRUSION KIT sends spoofed ARP packets to the Target Systems and the Gateway to overwrite their ARP cache in order to:

a) Convince the Gateway that FININTRUSION KIT is all the Target Systems

b) Convince the Target Systems that FININTRUSION KIT is the Gateway
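The two-sided poisoning described above leaves a footprint that a network monitor can see. The following is an added detection example, not part of the Gamma document: it replays a constructed stream of ARP replies (all addresses are made up; 192.168.1.1 is assumed to be the gateway) and alerts when an IP's MAC binding changes and when a single MAC claims the gateway address together with other hosts, which corresponds to conditions a) and b).

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the constructed sample

# Constructed sample of ARP replies as (seconds, sender IP, sender MAC).
# The first four are normal; from t=5.0 a host at aa:aa:... claims the
# gateway address and then two target addresses, i.e. both sides of the
# poisoning (gateway sees attacker as targets, targets see attacker as gateway).
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (0.5, "192.168.1.10", "00:11:22:33:44:10"),
    (0.7, "192.168.1.11", "00:11:22:33:44:11"),
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),
    (5.0, "192.168.1.1", "aa:aa:aa:aa:aa:aa"),
    (5.1, "192.168.1.10", "aa:aa:aa:aa:aa:aa"),
    (5.2, "192.168.1.11", "aa:aa:aa:aa:aa:aa"),
    (7.0, "192.168.1.1", "aa:aa:aa:aa:aa:aa"),
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return a list of (kind, detail) alerts built from a stream of ARP replies."""
    ip_to_mac = {}                   # last MAC seen for each IP
    mac_to_ips = defaultdict(set)    # every IP a MAC has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # A binding flip is the first symptom of a poisoned cache.
            alerts.append(("mac_change", f"t={ts}: {ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        newly_claimed = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        # One MAC answering for the gateway AND for other hosts is the
        # two-sided pattern; alert once per newly claimed address.
        if newly_claimed and gateway_ip in claimed and len(claimed) > 1:
            victims = sorted(claimed - {gateway_ip})
            alerts.append(("two_sided", f"t={ts}: {mac} claims gateway and {victims}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_poisoning(ARP_REPLIES):
        print(kind, detail)
```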

FinIntrusion Kit supports three types of Monitoring Modes:

Mode / Protocols (Examples!)
Deactivated SSL / Telnet, FTP, POP3, IMAP, HTTP
Activate SSL + HTTPS Emulation / Telnet, FTP, POP3, IMAP, HTTP, HTTPS (no Certificate Warning, if an HTTPS-to-HTTP redirect is supported!!)
Activate SSL + SSL Man-in-the-Middle / Telnet, FTP, POP3, POP3s, IMAP, IMAPs, HTTP, HTTPS (with Certificate Warning)

A PCAP Recorder can be started in parallel to log all packets with Wireshark or to save it into a PCAP file in the background.

The “Monitor Target” section of the FININTRUSION KIT offers the capability to capture User Credentials.

The credential sniffer extracts Usernames and Passwords which are sent across the targeted network.

For each discovered login, the following information is displayed:

  • Protocol
  • Username
  • Password
  • Server IP Address
  • Hostname / URL

Example of running Network Sniffer:

The following protocols are supported:

When SSL Man-in-the-Middle is activated, SSL- and TLS-encrypted communication can also be intercepted and the Logins extracted. During this attack, a false certificate is presented to the Target Systems, and their Browsers display a warning that has to be accepted before the communication takes place.

Example of Warning Popup by the Browser during SSL/TLS protected connection:

2.2.3 Wireless

The Wireless module gives an easy interface to discover Wireless Networks that are in range of the selected Wireless Adapter and breaks the encryption.

The following information is displayed for discovered networks:

  • Name: SSID of Access-Point
  • BSSID: MAC of Access-Point
  • Channel: Used Frequency
  • Encryption: OPEN/WEP/WPA/WPA2
  • Key: After Decryption

Example of “Wireless Network Scan”

FinIntrusion Kit provides a function to identify "hidden ESSIDs". If a connected Wireless Client of the selected Wireless Network can be found, a De-authentication attack is initiated and the ESSID is captured when the client reconnects.

FinIntrusion Kit has the possibility to “Jam a Wireless Client or Access Point”. This Mode sends out IEEE 802.11 De-authentication Management Frames.
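The hidden-ESSID identification and the Wireless Jammer above both rely on bursts of 802.11 De-authentication frames. The following is an added detection example, not part of the Gamma document: it counts De-authentication and Disassociation frames per source address in a sliding window over a constructed frame capture (the MAC addresses and timing are made up) and alerts on a flood, which is how a wireless IDS separates a jamming burst from a client's single, normal de-authentication.

```python
from collections import defaultdict, deque

DEAUTH = (0, 12)    # 802.11 management frame (type 0), subtype 12 = De-authentication
DISASSOC = (0, 10)  # management frame subtype 10 = Disassociation

AP = "02:00:00:00:0a:01"        # constructed BSSID of a legitimate access point
CLIENT = "02:00:00:00:0c:07"    # constructed client address
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: (seconds, type, subtype, source, destination).
# Normal traffic first: a beacon, a probe response, a data frame and one
# genuine de-authentication when the client leaves the network.
FRAMES = [
    (0.0, 0, 8, AP, BROADCAST),      # beacon
    (0.1, 0, 5, AP, CLIENT),         # probe response
    (2.0, 2, 0, CLIENT, AP),         # data frame
    (3.0, 0, 12, AP, CLIENT),        # single legitimate de-authentication
]
# A jamming burst: 30 broadcast de-authentication frames within 0.6 s that
# carry the AP's address as source, since a jammer spoofs the BSSID.
FRAMES += [(10.0 + i * 0.02, 0, 12, AP, BROADCAST) for i in range(30)]


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Return one (source, first_ts, count) alert per source that sends more
    than `threshold` de-authentication/disassociation frames within `window`
    seconds. Other frames are ignored, so a lone genuine de-authentication
    never alerts."""
    recent = defaultdict(deque)   # source MAC -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, ftype, subtype, src, _dst in sorted(frames):
        if (ftype, subtype) not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for src, first, count in detect_deauth_flood(FRAMES):
        print(f"deauth flood from {src}: {count} frames starting at t={first}s")
```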

Example Submenu of “Wireless Network Scan”

The "Break Encryption" option enables the end-user to recover the WEP encryption keys of 64- and 128-bit protected networks and WPA / WPA-PSK (Pre-shared Key) keys.

Example of WEP Key found (128bit):

Example of WPA-PSK found:

Another implemented technique is the emulation of Wireless Access-Points:

  • Reply-to and broadcast all seen ESSID’s

FININTRUSION KIT broadcasts all known ESSIDs and replies to all seen requests, so that Target Systems that are currently searching for various wireless networks will connect to the FinIntrusion Kit system.

  • Emulate Access-Point only for ESSID X

A dedicated network will be created that Target Systems can find and connect to (e.g. by using the SSID: Free Internet)

The traffic can be routed through another existing Interface to ensure that Target Systems will stay connected and have full internet access.

Example of a started "Fake Access Point":

2.2.4 Password Generator

The Password Generator module can be used to crawl a website, extract all words and export them to a password list. This specific password list can speed up a Brute Force Attack against a well-known Target (e.g. web-based Forum, Email Account etc.).

Example of “Wordlist” generated from webpage “

2.2.5 Activity Log

For legal reasons, FININTRUSION KIT records all actions that have been executed with a time stamp. The action log can be exported into a regular TXT / CSV file.

Example of Wireless Activity Log:

2.3 USB Hard-Disk

An external USB Hard-Disk is included within the kit to store data gathered in operations. The hard-disk also contains valuable data that is regularly required for IT Intrusion attacks.

2.3.1 Default Password List

The Default Password List is a list with default Logon credentials for Wireless Access Points, Routers, Network Printers, Network Cameras and many more.

The list contains over 1000 entries for the most common vendors of network hardware.

2.3.2 Wordlists / Dictionaries

These are Wordlists that can be used for all kinds of password-based attacks, for example against password-protected files, remote logon accounts (e.g. Email accounts) and more.

The Wordlists contain several million words and are separated into various categories.

Category / Description
Dates / Dates beginning from 1960.
Languages / Wordlist made of different languages.
Literature / Wordlists created from famous comics, fables, myths, legends or famous book authors.
Misc / Various words of popular places, famous people, numbers, special words or facts.
Movie / These wordlists consist of words from famous movies, TV shows and famous characters in movies.
Names / Common names in various languages, famous persons, companies and more.
Religion / These wordlists contain words from the Quran and the Bible.
Simple / An effective and simple wordlist with the most common passwords, accounts, numbers and easy words.

2.3.3 Rainbow Tables

Rainbow Tables are pre-computed tables of password hashes that can be used to look up passwords instead of running a wordlist attack.

The following Rainbow Tables are included:

Hash / Table / Character Set / Size
LanManager (LM) / All 1-7 / ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'>,.?/ / 66.0 GB
LanManager (LM) / Alpha-Numeric-Space / ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 / 4.17 GB
LanManager (LM) / Alpha-Numeric-Symbol14 / ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= / 29.2 GB
MD5 / Loweralpha-Numeric 1-8 / abcdefghijklmnopqrstuvwxyz0123456789 / 36.0 GB
WPA / 1000 SSID / Dictionary ~ 1 million words / 38.9 GB

2.4 Advanced IT Intrusion Examples

Backtrack offers a wide range of IT Intrusion tools and techniques which can be combined in hundreds of ways depending on the operation and the Targets.

This chapter describes a few of the operations which can be conducted with the Backtrack Operating system.

Feature / Description
Password Bruteforce / The Backtrack Operating System contains several tools that can be used for dictionary attacks against password protected accounts (e.g. E-Mail- and Remote Login accounts).
The following protocols are supported:
  • Cisco (AAA, Auth, Enable)
  • CVS
  • FTP
  • HTTP(S), HTTP-PROXY
  • ICQ
  • IMAP
  • LDAP2/3
  • MS-SQL
  • MYSQL
  • POP3
  • Postgres
  • SMB/SMBNT
  • SMTP-AUTH
  • SNMP
  • SOCKS5
  • Teamspeak
  • TELNET
  • VNC

Exploit Framework / A very advanced framework is included to simplify the use of exploits. A few hundred exploits against the most common services and operating systems are included.
SMB Browsing / When part of a Local Area Network, the system automatically discovers all SMB enabled systems within the same network and provides access to their shared files and folders in a simple graphical user interface.
Web Application Penetration / Various tools exist to perform security assessments of Web Applications and Web-Servers offering e.g. the following techniques:
  • Editing/Viewing HTTP/HTTPS data on-the-fly
  • CGI vulnerability scanning
  • SQL Injection
  • Cross-Site-Scripting
  • Arbitrary file creation/deletion
  • Weak password strength on authentication pages

3 Components

Component / Details
Headquarter Notebook / Model: Lenovo Thinkpad T410i; OS: Backtrack 5; CPU: Intel Core i5; RAM: 2 GB; Hard-Disk: 320 GB; Optical Drive: DVD-RW
FinIntrusion Kit / Software pre-installed on Notebook:
  • Backtrack 5
  • FinIntrusion Kit 2.0
  • Full IT Intrusion Toolset
USB Hard-Disk / Model: Freecom Mobile Classic (Size: 500.0 GB); Content:
  • Rainbow Tables
  • Wordlists
  • Default Password List
WLAN USB Adapter / Model: Alfa AWUS036H; Networks: 802.11ABG; Power: 500mW (27dBm +/- 1dBm)
Bluetooth USB Adapter / Model: Aircable Host XR; Networks: 802.11b; Power: max 200mA (19.5dBm +/- 1dBm)
Omni-directional Antenna / Model: FWA; Networks: 2.4GHz; Power: 9dBm
Directional Antenna / Model: Stella Doradus Planar Antenna; Networks: 2.4GHz; Power: 9dBm
Tripod Stand / Tripod-Stand for Directional Antenna
USB Network Adapter / Model: Linksys Gigabit USB Adapter; Networks: 802.3, 802.3u, 802.3ab
Network Cables / 1 RJ-45 Patch Cable; 1 RJ-45 Cross-Over Cable
Case / Model: Mandarina Duck Standard Cabin Case; Foam for fitting the components inside
Documentation / 1 User Manual; 1 Product Specifications

4 Limitations

The following sections describe the limitations of the FinIntrusion Kit.

Feature / Description
Backtrack / Backtrack includes a wide-range of publicly available IT Intrusion tools within the Toolset. As most of them are proof-of-concept tools, their functionality cannot be guaranteed in every scenario.
FinIntrusion Kit / The software is an approach to automate complex attacks with a simple user interface. Due to the wide-range of different networks and scenarios, the implemented operations cannot be guaranteed to work in all scenarios without more advanced user interaction.
The automated WEP cracking technique requires the Access-Point to be vulnerable against the fragmentation attack.
Password Generator from Websites / Only HTTP/HTTPS pages without pre-authentication can be scanned. No Proxy support at the moment. Only "pure" HTTP Webpages are supported. The Password List may still contain some useless Entries (e.g. script code), which must be removed manually.
WPA Cracking / Only WPA/WPA2-PSK mode can be attacked. WPA/WPA2 in Enterprise mode cannot be attacked. There is no possibility to identify "from outside" in which mode the Wireless Network runs (PSK / Enterprise). The success of cracking a WPA-PSK depends on the password list and CPU power; it can take days or weeks, or the key might not be found at all.
USB Hard-Disk / The rainbow tables and default word lists provide a selection of possible passwords. It is not guaranteed that the Target’s passwords are contained within these lists.
OS Detection / Not every Operating System can be identified. OS fingerprinting can be prevented by modified Firewall or Kernel settings.
Antivirus / Personal Firewall / OS Fingerprinting could trigger an Antivirus / Personal Firewall alert or warning.
SSL Man-in-the-Middle / Not all Client Software (e.g. Browsers) accepts self-signed / untrusted Certificates. Sometimes the request will be rejected.

5 Updates & Support

The software has a built-in update feature that pulls updates automatically from the Gamma Update server at configured time intervals. In case the system is not connected to the Internet, download locations are provided on request so the updates can be downloaded manually from other systems.

Every update is done through a secure encrypted link to ensure integrity of the transferred update files.

The amount of updates per year depends on the changes in the IT Intrusion field and the requirement of bug-fixes and new features. At least two major feature updates are provided per year per product.

In addition to the updates, all customers have access to an after-sales website that gives them the following capabilities:

  • Download product information (Latest user manuals, specifications, training slides)
  • Access change-log and roadmap for products
  • Report bugs and submit feature requests
  • Inspect frequently asked questions (FAQ)

Furthermore, support is provided via telephone and E-Mail.