New features of the legendary Intercepter-NG security scanner. Sniffer for Windows Intercepter-NG (instructions for use) Additional functions Intercepter-NG

06.12.2020

Intro

With great pleasure I would like to present a new version of Intercepter-NG, 0.9.10, which, in my opinion, greatly expands the scope of the tool. This overview will not be presented as a dry listing of innovations, but rather as a description of new attack vectors along with a number of technical details and hack-story elements. Let's get started...

Network scan

As always, a lot of fixes and minor improvements were made, which there is no point in listing.
Those who often use the tool know that one of the main modes is the network scan mode and in particular the Smart Scan function. To the already familiar information about IP and MAC addresses, the manufacturer of the network card and the operating system, the display of the computer name has been added.
In the same amount of time, you can now additionally find out the NetBIOS name or the name of a device running iOS.
To resolve the latter, the mDNS protocol is used, on which Apple's Bonjour protocol is based. All received names are now stored in a cache file, and if during subsequent scans information about the hostname was for some reason not obtained dynamically, it will be taken from the cache.

Here we can also mention the appearance of the Auto ARP Poison function, which is enabled in the expert settings. In automatic mode it is enough to add only one host to the list of targets, and Intercepter will scan the network itself at a certain interval and automatically add new targets.

Bruteforce mode

In this mode, TLS support has been added for the SMTP and POP3 protocols, as well as brute-forcing of TELNET authorization.
Now, when a timeout occurs, the active thread is restarted from the same place and the iteration process continues.
Single Mode has appeared, which means that each new login/password pair is checked over a newly established connection; for some protocols this increases the speed of operation. The work log is saved in brute.txt.

Traffic Changer

More than once there have been requests to implement a traffic substitution function, and they were not left without attention, but you should not rejoice ahead of time.
To the counter question "why exactly do you need this capability?" some users found it difficult to answer or said they wanted to change words in web traffic as a joke. And in order not to explain to every joker why the result does not always meet expectations, you can only substitute data of equal size, without changing the packet length. The limitation is not at all connected with problems of technical implementation; there is no difficulty in splitting Ethernet frames and recalculating the corresponding TCP fields. It all comes down to the application protocols. Let's look at an example with HTTP.

Let's say the browser opens site.com/file.txt, which contains the string "12345". In response to the GET request, the server will return an HTTP header containing the length of the transmitted data: Content-Length: 5. What happens if we replace "12345" with "123456"? The browser downloads only 5 bytes, discarding the added "6", and if we reduce the data size by replacing "12345" with "1234", the browser will receive only 4 bytes and will wait for one more byte from the server until the connection is closed by timeout. That is why this size limitation was made. You can change both textual and binary data; the syntax for binary patterns is as in C: "\x01\x02\x03".
If substitution in HTTP traffic is required, then the "Disable HTTP gzip encoding" option must be enabled in the settings.
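The Content-Length behaviour described above, modelled as an added example (not Intercepter-NG's own code): the sample response is constructed, and consume_body, substitute and decode_pattern are hypothetical helper names.

```python
"""Why the Traffic Changer only substitutes data of equal length: a model of
how an HTTP/1.1 client consumes a response body governed by Content-Length.
Added example with a constructed response, not code from Intercepter-NG."""

# Constructed: what site.com/file.txt containing "12345" looks like on the wire.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"12345"
)


def split_response(raw: bytes):
    """Split a raw response into (status line, {header: value}, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, body


def consume_body(raw: bytes):
    """Model the client: it reads exactly Content-Length bytes of body.

    Returns (bytes_the_user_gets, outcome) where outcome is
      'complete'          body length equals Content-Length
      'surplus_discarded' extra bytes are never read (the added "6" vanishes)
      'incomplete'        the client keeps waiting for the missing bytes until
                          the connection times out
    """
    _, headers, body = split_response(raw)
    declared = int(headers["content-length"])
    if len(body) == declared:
        return body, "complete"
    if len(body) > declared:
        return body[:declared], "surplus_discarded"
    return body, "incomplete"


def decode_pattern(pattern: str) -> bytes:
    """Turn the C-style '\\x01\\x02\\x03' pattern syntax into raw bytes."""
    return pattern.encode("ascii").decode("unicode_escape").encode("latin-1")


def substitute(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Same-length substitution: the only kind that leaves Content-Length and
    the TCP segment sizes consistent without rewriting the whole stream."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the packet length unchanged")
    return raw.replace(old, new)
```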

HSTS Spoofing

As promised, there is an HSTS bypass for SSL Strip. The bypass technique is relatively simple, but it is in the implementation that certain difficulties lie, so you should not expect spectacular results. Let's consider an example with Yandex Mail in the Chrome browser. If you go to, then in the upper right corner there will be an https link "Enter mail", which SSL Strip easily copes with. Next, an authorization form will open, where the data is sent with the POST method. Even after "stripping" https, authorization will be done via SSL: the host passport.yandex.ru is on Chrome's preload list. In order to intercept the data, we need to replace the hostname passport.yandex.ru with something else, so that the browser does not detect that this resource should be visited strictly over a secure connection. For example, you can replace passport.yandex.ru with paszport.yandex.ru; in this case the data will be sent in clear text to the changed domain name. But since there is no such domain as paszport.yandex.ru, DNS spoofing is additionally required, i.e. the client, when resolving paszport.yandex.ru, should receive in response the original IP address of passport.yandex.ru. This procedure is automated and does not require additional user intervention during the attack. The only thing required is to first compile a list of replacements in misc\hsts.txt. By default, there are several entries for yandex, gmail, facebook and yahoo. It is important to understand that this bypass technique will not allow you to intercept the session or authorization if the user enters facebook.com in the browser, because the browser will immediately open the secure version of the site. In this case, the attack is possible only if the link to facebook.com is taken from another resource, for example, when entering facebook at.
Among the main problems in implementing the attack, we can note the unpredictable logic of how sites work with their subdomains and the peculiarities of their web code, which can negate any attempt to bypass HSTS. That is why you should not add arbitrary sites to the list; even the domains present in Intercepter-NG by default have their own peculiarities and do not always work correctly. I do not want to hack together workarounds for each resource; perhaps in the future some universal improvements will be made, but for now, as they say, it is as is.
One more nuance: in the current implementation of DNS spoofing it is necessary that the DNS server is not on the local network, so that it is possible to see DNS requests to the gateway and respond to them as needed.

It is important to note that the new version significantly improves the work of the SSL Strip itself.

Forced Download and JS Inject

Both innovations relate to the HTTP Injection mode. Forced Download means literally what it says, because this is exactly what happens on the target side during web surfing: when a site is opened, the user is offered to download the file specified by the attacker; depending on the browser settings it may download by itself, and the user then chooses whether to launch it or not.
As you understand, you can add an .exe file with arbitrary content to the forced download, and the source of this file will be the site that the user is currently visiting. Knowing that the target is going to open adobe.com, you can serve flashplayer.exe, and adobe.com or one of its subdomains will be listed as the source of this file.
After the file has been served once, forcing is disabled; to inject again you need to tick the corresponding checkbox again.

JS Inject is not explicitly present among the controls, since in fact it is the most ordinary HTTP inject, but with one difference. When you replace one file with another, for example picture.jpg with a given one, one piece of content is replaced with another. Replacing a .js script will with high probability disrupt the operation of the resource; therefore, in the new version, JS inject does not replace one script with another but appends to the existing one, adding the ability to inject additional code without affecting the original.

SSL MiTM

We are smoothly approaching the most interesting novelties. In the new version the code for SSL MiTM has been completely rewritten. It is now fast and stable. The algorithm for generating certificates has also changed: additional DNS records are added to them, and all certificates are signed with a single key (misc\server). This means that by adding this self-signed certificate to the list of trusted ones on the target computer, it will be possible to listen to SSL traffic to any resource (where there is no SSL pinning). Cookie Killer now works for SSL connections as well. Black (misc\ssl_bl.txt) and white (misc\ssl_wl.txt) lists have been added. They can be used to exclude, or strictly specify, the IP addresses or domains to which SSL MiTM should or should not be applied. When specifying an extra SSL port, you no longer need to specify the read/write type, just the port number. All traffic is written to ssl_log.txt.

Group Policy Hijacking

Another killer feature in Intercepter-NG. Although the technique was not discovered by me, this is the first public and fully functional implementation of this attack. A detailed description is available and.

Once again, SMB has done Microsoft a disservice, because thanks to this vulnerability, in about an hour and a half you can get access to any computer in the domain (except the domain controller). Here is the essence of it.

Every 90 minutes plus a random interval from 0 to 30 minutes, a domain member requests group policies from the DC. This happens via SMB, by opening the network path \\DC\SYSVOL\domain.name\Policies\{UUID}\gpt.ini.

The content of this file is as follows:

Version=12345

This number is the relative version of the current group policy. If the version has not changed since the last update, the process of receiving group policies stops, but if the version is different, they need to be updated. At this stage the client requests the active CSEs (client-side extensions) from the domain, which include various logon scripts, tasks for the scheduler, and so on. Naturally, an attacker standing in the middle can replace one of the tasks that the controller serves as a file. In that situation the exploitation would be very simple, but all these CSEs are disabled by default, and the only thing that can be done is to modify the registry, because when updating group policies the client requests another file, GptTmpl.inf, through which a registry entry can be added or deleted. The authors of both articles decided to use the well-known AppInit_DLLs method to demonstrate code execution: loading of a DLL from a network path is registered in the required registry key, after which every newly created process in the system executes arbitrary code. But this method is only suitable as a proof of concept, because AppInit_DLLs has been disabled by default for many years. In this regard, the task was set to find another way to execute code remotely, and without having to wait for a reboot, as in the case of adding an autorun entry to the Run key.

Many attempts were made in one way or another to achieve what we wanted, to no avail, until one good person (thx man) suggested a very curious registry key that I did not know anything about before.

A debugger can be added to the key for any .exe file. For example, you can specify that calc.exe must be opened via c:\path\debuger.exe, and as soon as the calculator is launched, the debugger will open first, with the path to calc.exe on its command line. This already seemed almost a ready-made solution, because we managed to execute the code without a reboot. At that time, I was satisfied with the restriction that user participation in the process of gaining access was unavoidable, i.e. instead of a calculator it was possible to execute the code by calling IE or Chrome or any other application, but a new problem appeared: if the user did not have administrative rights, then even after receiving the shell it was not possible to delete the debugger previously added to the registry, which means that after the attack was stopped or after a reboot the exploited application stopped working, because the spoofed network path to debuger.exe no longer existed.
It was necessary to find a way to get not just shell access, but always with administrator rights. Omitting all the subsequent difficulties, I will describe the result. After receiving the group policies, the system must apply them; for this svchost is called and creates a new taskhost.exe process with SYSTEM rights. By registering as the debugger for taskhost.exe, two birds were killed with one stone: we not only received a shell with SYSTEM rights, but also received it immediately, without any manual intervention from the user. The attack is fully automated: you can select a group of targets at once and within one and a half to two hours get a whole set of active shell sessions with maximum rights. You don't even need to be a member of the domain yourself. The only thing that is needed is to enable "Network access: Let Everyone permissions apply to anonymous users". When testing, in order not to wait an hour and a half, it is enough to run gpupdate from the console. Tested on patched Windows 7/8.1 in domains with 2008R2/2012R2 servers.

What are the protective measures? Microsoft has released a patch, MS15-011, introducing so-called UNC Hardened Access, which requires manual configuration. An interesting phrase appears in the bulletin:

"Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."

As it has already become clear, the threat is equally high for any user.
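An added check, not part of Intercepter-NG, for the UNC Hardened Access setting mentioned above: it reads (or is handed) the HardenedPaths policy values that Windows stores under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths and reports whether the SYSVOL and NETLOGON shares require mutual authentication and integrity. The function names and the sample dictionaries are constructed.

```python
r"""Audit of the UNC Hardened Access policy (MS15-011 / KB3000483).
Added example, not code from Intercepter-NG.  Policy layout, as Windows
stores it under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths:
  value name = UNC path '\\server\share', where server and share may each be '*'
  value data = 'RequireMutualAuthentication=1, RequireIntegrity=1[, RequirePrivacy=1]'
"""

REQUIRED_FLAGS = ("RequireMutualAuthentication", "RequireIntegrity")
GROUP_POLICY_SHARES = ("SYSVOL", "NETLOGON")   # shares the policy client reads gpt.ini and CSE files from
HARDENED_PATHS_KEY = r"SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"


def parse_flags(data: str) -> dict:
    """'RequireMutualAuthentication=1, RequireIntegrity=1' -> {name: value}."""
    flags = {}
    for item in data.split(","):
        name, _, value = item.strip().partition("=")
        if name:
            flags[name] = value.strip()
    return flags


def split_unc(path: str):
    """'\\\\server\\share' -> ('server', 'share') lower-cased; anything else -> None."""
    parts = path.strip().strip("\\").split("\\")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0].lower(), parts[1].lower()


def share_is_hardened(share: str, hardened_paths: dict) -> bool:
    """True when some entry covers the share on every server (server '*',
    share either '*' or the share name) and sets both required flags to 1.
    An entry pinned to one server only protects that server, so it does not count."""
    for path, data in hardened_paths.items():
        parsed = split_unc(path)
        if parsed is None:
            continue
        server, entry_share = parsed
        if server != "*" or entry_share not in ("*", share.lower()):
            continue
        flags = parse_flags(data)
        if all(flags.get(f) == "1" for f in REQUIRED_FLAGS):
            return True
    return False


def audit_hardened_paths(hardened_paths: dict) -> dict:
    """{share: hardened?} for the two shares group policy processing depends on."""
    return {s: share_is_hardened(s, hardened_paths) for s in GROUP_POLICY_SHARES}


def read_hardened_paths_from_registry() -> dict:
    """Read the live policy on a Windows host (winreg exists only there)."""
    import winreg
    result = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HARDENED_PATHS_KEY) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break          # no more values
                result[name] = data
                i += 1
    except FileNotFoundError:
        pass                       # policy never configured: nothing is hardened
    return result


# Constructed samples: an unconfigured host and one set up as the guidance recommends.
UNCONFIGURED = {}
HARDENED = {
    r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
}
```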

Despite the full potential of GP Hijacking, it seems to me that another innovation of this release deserves special attention ...

Dessert

What will be discussed at the end is not a new feature. Rather, it is an attack vector that opens up when a number of existing solutions in Intercepter-NG are used together.

The emphasis in this case is on wireless networks and mobile devices, in particular those running iOS: iPhones and iPads. Everyone knows that an elementary ARP poison of these devices gives practically nothing. Interception of cookies from open sites in the browser is perhaps the only thing you can count on, because in most cases the user works through the branded applications of various services, where communication with the server takes place over SSL. Even if you try to conduct SSL MiTM, nothing will work; applications will simply stop working with an untrusted certificate. Therefore, it is believed that phones and tablets are fairly well protected from network interception by default.

But imagine the following situation: an average user is using the Instagram app and viewing the feed.
Suddenly the application stops working, complaining about the lack of a connection, and the user opens instagram.com in the browser, where an alert pops up with the text "To continue working on instagram.com, install a new security certificate", and after the message is closed a request to install a new certificate appears on the screen. The further development of events, of course, depends on the user, but the likelihood that he will install the proposed certificate is quite high, because the situation is quite plausible: the application stopped working, he went to the site, saw a warning about a necessary update, updated, and everything worked, although in fact the attacker substituted his certificate and now reads all SSL traffic. Forced Download, JS Inject and stable SSL MiTM allow you to implement such a scenario in no time:

1. Do a JS inject with alert("Please install new certificate for %domain%.");
The %domain% template will be replaced with the name of the site where the injection occurred.

2. Force the download of misc\server.crt, the root certificate of Intercepter-NG.

3. Turn on SSL MiTM (as well as SSL Strip for the injections).

4. After launching the attack, SSL connections will stop working on the target's device, and an alert about the certificate will be displayed in the browser.

A natural question arises: what to do with SSL traffic, other than passive interception of already established sessions? Cookie Killer comes to the rescue, which works properly, for example, on the Facebook application.
iOS also has its own holy grail, iCloud, but clearing a cookie will not help reset its session. It is for iCloud, as well as Instagram and VK, that the iOS Killer function has been added, which resets the sessions of the specified applications and allows you to intercept re-authorization. This trick cannot be done with the App Store, since there is apparently SSL pinning there. This vector has been tested on iOS 5/6 and 8.4.

The plans were to add the ability to independently create handlers in Lua or through a DLL plugin, but judging by the reaction of users, no one has a real interest in it. The new version will most likely be next year; perhaps in the fall there will be a functional update of Intercepter-NG for Android. Questions, feedback and feature requests are always welcome. That's all.

A demonstration of the new features is shown in the video.

Project contacts.

Hello everyone who reads the article.

It described how to intercept passwords and cookies on the network using the Intercepter-ng program.

Some asked to tell more about the functionality, others asked to show more features, someone asked to consider the latest version (currently the current version is 0.9.10).

I had to lift my lazy butt and start studying all the material I found bit by bit.

Starting to write a draft, I realized that one article was not enough. Therefore, today there will be only theory, a description of some functions and modes of Intercepter-ng. Within two or three days I will write about working with the program in practice, and then there will be several videos (for those who find it easier to learn that way).

I say right away - I do not have deep technical knowledge, so I write in simple words, and so that it is clear to ordinary people. If you notice an inaccuracy in my descriptions, or if you have something to add, write in the comments.

I cannot describe every function, only what I could find myself.

Let's start examining the patient.

Intercepter-ng. Pentester hacker tool.

Functionality (only a small part of all the possibilities).

Let's take a look at the modes and buttons.

1 - Select the interface through which you are connected to the router (the icon on the left switches between Wi-Fi and wired mode; choose yours).

2 - Messengers mode. Interception of ICQ / AIM / JABBER messages. I consider it irrelevant these days, so it will not be considered.

3 - Resurrection mode, i.e. recovery mode. When the victim browses websites, there are files, pictures, some HTML pages, etc. They are saved on your side (not all may be saved, or only partially). Perhaps this mode will be useful to someone for analysis.

4 - Password mode. Cookies are displayed here, and with luck the passwords entered by the victim and the sites visited. With the HTTPS protocol everything is often reduced to zero and only cookies will come across, with luck. But thanks to some settings, it can sometimes be bypassed (more on that later).

5 - Scan mode. Here we will look for our victims. To do this, right-click in the window and select Smart scan.

All devices on the network and their approximate OS will be displayed.

Stealth IP is your hidden IP, under which you hide in your work.

Let's consider the mode in more detail.

If you click "Promisc detection", then devices that are most likely intercepting traffic (often mistakenly) will be displayed. Be careful, because it can show that your router is also an interceptor.

By clicking on a specific Ip, you can add a victim to Nat (Add to nat) in order to further engage in interception.

Also, if you select "Scan ports" you can scan open ports. The functions are far from Nmap, but if only this program is at hand, it will do.

There is nothing more interesting here.

6 - Nat mode. The main mode in which we will work. This is where basic preparation and ARP attacks are done.

In this article, I will not focus on it, we will consider it in the next.

7 - DHCP mode. Allows you to raise your own DHCP server within the network. I didn't work with this mode and I can't tell you anything about it.

8 - RAW mode. Distantly similar to the Wireshark program. Shows the main activity on the network. Sometimes you can catch something interesting, if of course you know what to look for.

9 - Settings. Intercepter-ng settings. An important part, so let's take a closer look.

Lock on tray - when the program is minimized, a password will be required to restore it from the tray. The default password is 4553.

Save session - automatically saves reports to PCAP files for further study and analysis.

Promiscuous - promiscuous mode. When enabled, the program reads all packets. If it is not enabled, it only reads packets addressed to the selected interface. Not every Wi-Fi module can work with it. I have no idea what it is for; I did not notice any difference with or without it.

Autosave... Automatically saves reports in text format in the root folder with the program.

Grid View... View in the form of tables. If disabled, reports inside the program will go in a list. See how it is more convenient, with or without it.

Ios Killer and Cookie killer... Almost identical. Cookie killer is designed so that if the victim has already saved a password on the site, he is logged out of the site and has to log in again, and thus you get the password. Ios killer is designed for iPhone and iPad, so that the victim is logged out of social client programs (VK, Facebook, iCloud, etc.).

Kerberos downgrade. Kerberos is a network protocol, one of the types of authentication. Thanks to this feature, using SMB hijacking, you can bypass this protection. I myself have not encountered such a protocol, so we will not consider it.

Hsts... An interesting trick for bypassing HSTS from the latest version, but not entirely stable. The bottom line is that many sites automatically switch from HTTP to the secure HTTPS protocol, which prevents us from intercepting data. SSL Strip does not always cope, so this function can sometimes help. I will not describe the principle (you can find it on Habré).

The only thing you need to do in the folder with the program is to add the required domain to the misc\hsts.txt file. Some popular ones are already there. The bottom line is that you need to add a letter to the main domain. For example vk.com:vvk.com or ok.ru:oks.ru and so on.

The program will replace the protected authorization page on the site with a spoofed one, but the authorization Ip remains as on the main one.

In my example, it works sometimes every other time, but better than nothing. Experiment in general.

Wpad configuration. Enter your own WPAD (Web Proxy Auto-Discovery) configuration or enable the standard Wpad proxy. To activate it, in Nat mode, check the Wpad mitm box.

In Expert mode (planet icon) we may be interested in the Auto ARP poison checkbox. That is, when people connect to the network, they will automatically be added to Nat mode.

There is nothing more to consider in the Settings section, so further.

10 - HeartBleed exploit - search for the HeartBleed vulnerability.

11 - Bruteforce mode - brute force for some target protocols. You need to know the username. There are passwords for brute forcing in the program, and you can use your own dictionary.

12 - ARP watch - in this mode you can observe whether an ARP attack is being carried out (wiretapping, etc.); in case of attacks, a warning will be displayed in Nat mode in a timely manner.

13 - ARP Cage - ARP cell. Isolates the host. Redirects the victim to a different IP. Useful if you suspect outgoing spam, etc.
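The ARP watch idea above, modelled as an added example with constructed ARP replies (not Intercepter-ng's own implementation; the record fields, addresses and function names are assumptions): a host learns IP-to-MAC bindings from the replies it sees and raises an alert when a known IP, such as the gateway's, suddenly answers with a different MAC.

```python
"""Model of an ARP watch: learn the IP-to-MAC bindings a host sees in ARP
replies and alert when a known address claims a different MAC, which is what
poisoning of the gateway entry looks like from the host's side.
Added example with constructed packets, not Intercepter-ng's own code."""

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    """Only the ARP reply fields the check needs (assumed layout)."""
    sender_ip: str
    sender_mac: str


@dataclass
class ArpWatch:
    bindings: dict = field(default_factory=dict)  # ip -> MAC first learned
    seen: dict = field(default_factory=dict)      # ip -> every MAC that ever claimed it
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply):
        """Record a reply; return an alert when a known IP changes MAC, else None."""
        mac = reply.sender_mac.lower()
        self.seen.setdefault(reply.sender_ip, set()).add(mac)
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = mac   # first sighting: trust on first use
            return None
        if known != mac:
            alert = f"{reply.sender_ip}: MAC changed {known} -> {mac}"
            self.alerts.append(alert)
            return alert
        return None

    def macs_claiming_several_ips(self):
        """One MAC answering for several IPs (gateway plus a client) is the
        classic footprint of a host sitting in the middle of both."""
        by_mac = defaultdict(set)
        for ip, macs in self.seen.items():
            for mac in macs:
                by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample: a benign baseline, then the gateway's IP answered by the
# MAC that also belongs to host 192.168.1.50 (all addresses are made up).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway
    ArpReply("192.168.1.50", "aa:bb:cc:00:00:50"),  # ordinary host
    ArpReply("192.168.1.1", "AA:BB:CC:00:00:50"),   # gateway IP now claimed by .50's MAC
]


def run_watch(replies):
    """Feed replies through a fresh watch and return the alerts raised."""
    watch = ArpWatch()
    for r in replies:
        watch.observe(r)
    return watch.alerts
```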

This is actually all the information that I can find and make out.

A little about Nat mode.

Since all the main work will take place directly through this mode, I will try to describe what we will encounter.

Router's IP - the IP of the router you are connected to. It is automatically detected when you run Smart scan in Scan mode.

Stealth Ip - Your hidden Ip.

Nat clients - the attacked "victims" are displayed here.

Mitm options.

Configure mitms - Basic Mitm attacks are enabled / disabled here.

I'll be looking at two: SSL Mitm and SSL Strip.

SSL mitm - A technique that replaces the victim's certificates.

Required when intercepting data. Unfortunately, many browsers and clients on mobile phones have learned to block them, warning us or even preventing us from accessing the Internet.

Ssl Strip - also a function that we often need. It is more covert than SSL MiTM: a "silent" technique for intercepting HTTPS connections. There is no certificate spoofing here, so it is harder to detect and there are no security warnings. Required when using the Cookie killer, when we need to slip a file to the victim, etc. We will consider it in more detail in the next article.

Traffic changer - traffic substitution. Functionality useless except for fun. Spoofing an HTTP request to the victim (for example, a person wants to go to one site and is redirected to another). But not everything is smooth here; more details in the next article.

Configure http injection - here we configure the victim to download the file we need. It can be a harmless picture, script or program. More details in the next article.

The Start arp poison and Start nat buttons begin our attack. When you turn on Start arp poison, the second is immediately activated. But before you enable it, you need to enable - Start sniffing at the top, next to the choice of the router interface.

That's actually all for this article; I am surprised at your patience if you have read up to this point. If you have something to correct or add, write in the comments and I will add it to the article.

One of these days I will already consider working with Intercepter-ng in practice. So stay with us until we meet again.

And don't forget - Big Brother is watching you!

Description of Intercepter-NG

Intercepter-NG is a multifunctional set of networking tools for IT professionals of various types. The main goal is to recover interesting data from a network stream and perform various kinds of man-in-the-middle (MiTM) attacks. In addition, the program allows you to detect ARP spoofing (can be used to detect man-in-the-middle attacks), identify and exploit some types of vulnerabilities, brute force login credentials of network services. The program can work both with a live traffic stream and analyze files with captured traffic to detect files and credentials.

The program offers the following features:

  • Sniffing passwords / hashes of the following types: ICQ, IRC, AIM, FTP, IMAP, POP3, SMTP, LDAP, BNC, SOCKS, HTTP, WWW, NNTP, CVS, TELNET, MRA, DC++, VNC, MYSQL, ORACLE, NTLM, KRB5, RADIUS
  • Chat message sniffing: ICQ, AIM, JABBER, YAHOO, MSN, IRC, MRA
  • Reconstruction of files from: HTTP, FTP, IMAP, POP3, SMTP, SMB
  • Various scan types such as Promiscuous, ARP, DHCP, Gateway, Port and Smart scan
  • Packet capture and post (offline) analysis / RAW (raw) mode
  • Remote traffic capture via RPCAP daemon and PCAP Over IP
  • NAT, SOCKS, DHCP
  • ARP, DNS over ICMP, DHCP, SSL, SSLSTRIP, WPAD, SMB relay, SSH MiTM
  • SMB Hijack, LDAP relay, MySQL LOAD DATA injection
  • ARP Watch, ARP Cage, HTTP Injection, Heartbleed Exploit, Kerberos Downgrade, Cookie Killer
  • DNS, NBNS, LLMNR spoofing
  • Brute force various network services

The main version runs on Windows, there is a console version for Linux and a version for Android.

License: "as is"

Intercepter-NG modes

Intercepter-NG has seven main modes, which correspond to the program tabs and the main buttons. These are the modes:

  • Messengers
  • Resurrection
  • Passwords
  • Scanning
  • MiTM
  • DHCP
  • RAW (raw)

Messenger mode (ICQ logo) is placed first. This happened for historical reasons: originally Intercepter-NG was created as a program for intercepting messages from ICQ and other instant messengers.

Resurrection mode (the logo on the button is Phoenix) means file recovery from a network stream. These can be files of images viewed on websites, as well as files of transferred archives, documents and any others.

When switching to Password Mode (the third button is the keychain) you will see the credentials captured from the network stream. Site addresses, entered logins and passwords are displayed.

When the program starts, it opens in Scan mode (middle button, radar). This is the initial mode for starting attacks: this tab is used to scan, select targets, and set other network parameters.

Tab MiTM (patch cord bundle) contains fields for entering target settings, many of which are filled in automatically during scanning on the Scan tab. There are also buttons to launch a variety of MiTM attacks.

The DHCP tab contains some network and DHCP server settings.

RAW mode (raw) displays raw information about the data transmitted in the network stream. The information is presented in a form similar to.

Intercepter-NG Usage and Troubleshooting Tips:

  • Intercepter-NG requires WinPcap to work, but does not need to be installed separately as Intercepter comes with a portable version of WinPcap.
  • If you do not see your adapter in the list of adapters, it means that WinPcap does not support your card.
  • If nothing works with the Wi-Fi card, not even ARP poisoning, then use the NIC icon located on the left side of the list of adapters to switch to Wi-Fi mode. Also make sure the Stealth IP has Internet access.
  • In some rare situations, the Base Filtering Engine (BFE) service may block local Intercepter ports. It manifests itself like this: ARP works, but other MiTM functions do not work (on Windows 7 and above). Antiviruses like Avast can also block them even if Network Protection is disabled in Control Panel. Another reason for this behavior may be the simultaneous operation of the WiFi connection and the Internet Connection Sharing service.
  • Intercepter supports 802.11 encapsulation, so you can use pcap dumps from programs and. PPPoE, GRE (PPTP) encapsulations and optional 802.11 headers are also supported. This does not mean that Intercepter can parse encrypted data; it means that Intercepter is able to strip the ethernet/ip headers from packets of this kind and parse them.
  • Due to protocol limitations, the source and destination of UIN/MAIL/… may not be shown in the chat messages tab.
  • To copy data from the password table, click on the line and press ctrl + c.
  • To hide the program window, use the keyboard shortcut Ctrl + Alt + S. Click it again to reappear the window.
  • Intercepter can even run on win9x (98 and 95!), But you need to install WinPcap 3.1 or WinPcap 4.0beta2. Newer WinPcap builds do not support win9x.
  • Console mode for offline analysis:
./intercepter -t dump.cap
  • To activate automatic sniffing, you need to open settings.cfg and edit "autorun". The default is 0; change it to the number of the interface you are going to sniff.
  • Intercepter converts raw IP encapsulated pcap dumps to Ethernet encapsulation (adding ethernet header information).
  • Intercepter can read the new pcapng format. Since all Wireshark pcapng capture files use only the "Enhanced Packet Block" type, Intercepter only supports this type of packet block. Additionally, it displays packet comments.
  • In RAW mode, you can set your own rules using pcap filters to filter traffic. See the pcap filtering syntax for details. Example:
port 80

means receive from the kernel only packets to or from port 80 (the author's example is TCP port 80; note that "port 80" alone also matches UDP, while "tcp port 80" restricts it to TCP).

not port 80

means exclude packets on port 80.

You can combine rules:

port 80 and not port 25

  • You should not work with huge dumps in raw mode, because Intercepter loads each packet into memory and does not use the hard disk as a swap partition (file).

Intercepter-NG Option Hints

Sniffer options:

  • If you are going to perform offline pcap dump analysis, uncheck "Resolve Hosts" to speed up the process.
  • If you tick the "Lock on tray" option, you will be asked for a password when restoring the window from the tray. The default password is "4553". You can change it in the settings.cfg file; the password is base64 encoded.
  • The "Save Session" option means Intercepter will save all received packets to a pcap file. This file can be used for offline data analysis. It is a kind of results export function.
  • If you enable "Promiscuous", Intercepter opens the network adapter in promiscuous mode. This means that it will read all packets, even those not intended for the given network interface. If the checkbox is unchecked, it will only read packets addressed to the specified interface. Some Wi-Fi cards do not support this mode.
  • "Unique Data" - show only unique logins and passwords. That is, captured logins and passwords are shown only once; if the user enters the same login and password again, they will not be displayed.
  • Autosave - all text information will be saved every 10 seconds.
  • By default, "Grid View" is ticked. It means that passwords will be shown as a grid of data. To view full detailed information, uncheck "Grid View".
  • "eXtreme". In a typical workflow, the sniffer analyzes the predefined ports associated with specific protocols. If we say HTTP, we mean port 80 (or 8080, or whatever is predefined in the list of ports associated with the HTTP protocol); only these ports will be analyzed. If some application uses a different port, for example 1234, the sniffer will not analyze packets passing through it. In eXtreme mode, Intercepter analyzes all TCP packets without checking ports, so even if an application uses an undefined port, the sniffer will still check those packets. This slows down performance (many more ports need to be checked than usual) and may produce incorrect data or miss the correct protocol (for example, FTP and POP3 use the same authentication type), but it makes it possible to find and intercept interesting data on undefined ports. Use this mode at your own risk, and don't be surprised if something goes wrong when eXtreme mode is on.
  • "Capture Only" means Intercepter will only dump packets to a dump file without real-time analysis. This is useful for increasing performance when you are capturing a lot of network data.
  • The Resurrection option enables Resurrection mode, which reconstructs files from the data transmitted in the network stream.
  • IM Ports
  • HTTP - HTTP-associated ports; see the description of the eXtreme option for details.
  • SOCKS
  • IRC/BNC

Intercepter-NG Man-in-the-Middle (MiTM) Attack Options

  • In all MiTM attacks, Intercepter uses spoofing of IP/MAC addresses (the Spoof IP/MAC option). If you use a Wi-Fi interface, you must uncheck this option, since 99% of wifi drivers do not allow sending packets with a spoofed MAC. Although you disclose your real address, you are at least capable of performing MiTM attacks over the wifi interface; it's better than nothing. Instead of disabling spoofing in the settings, use WIFI mode. You can change the MAC shown in Expert Mode.
  • iOS Killer was added for iCloud, as well as Instagram and VK. This function (iOS Killer) drops sessions of specified applications and allows interception of re-authorization.
  • Kerberos Downgrade
  • HSTS Spoofing - bypassing HSTS when conducting SSL Strip. The bypass technique is relatively simple, but there are certain difficulties in the implementation, so you should not expect any special results. Consider an example with Yandex Mail in the Chrome browser. If you go to ya.ru, there is an https link "Enter mail" in the upper right corner, which SSL Strip handles easily. Next, an authorization form opens, where the data is sent to passport.yandex.ru by the POST method. Even after "stripping" https, authorization will still be done over SSL, since the host passport.yandex.ru is in Chrome's preloaded list. To intercept the data, we need to replace the hostname passport.yandex.ru with something else, so that the browser does not detect that this resource must be visited strictly over a secure connection. For example, passport.yandex.ru can be replaced with paszport.yandex.ru; in this case the data will be sent in clear text to the changed domain name. But since the domain paszport.yandex.ru does not exist, DNS Spoofing is additionally required: when resolving paszport.yandex.ru, the client should receive in response the original IP address of passport.yandex.ru.

This procedure is automated and does not require additional user intervention during an attack. The only thing required is to prepare a list of replacements in misc\hsts.txt. By default there are several entries for yandex, gmail, facebook and yahoo. It is important to understand that this bypass technique will not let you intercept the session or authorization if the user types facebook.com in the browser, because the browser will immediately open the secure version of the site. In this case the attack is possible only if the link to facebook.com is taken from another resource, for example when searching for facebook on google.com. Among the main problems in implementing the attack are the unpredictable logic of sites with their subdomains and peculiarities of the web code, which can negate any attempt to bypass HSTS. That is why you should not add arbitrary sites to the list; even the domains present in Intercepter-NG by default have their own peculiarities and do not always work correctly. I don't want to build workarounds for each resource; perhaps some universal improvements will be made in the future, but for now it is, as they say, as is. One more nuance: in the current implementation of DNS Spoofing it is necessary that the DNS server is not on the local network, so that DNS requests to the gateway can be seen and answered as needed.

  • IP Forward - enables pure IP forwarding mode. MiTM attacks are not available in this mode, but it allows you to start ARP poisoning in situations where you cannot use Stealth IP. This is usually necessary when the gateway has a whitelist of legitimate computers on the network, so NAT cannot work properly.
  • Cookie Killer - clears cookies, thereby forcing the user to re-authorize, i.e. enter a username and password, so that the attacker can intercept them. The Cookie Killer function also works for SSL connections. There are black (misc\ssl_bl.txt) and white (misc\ssl_wl.txt) lists. They can be used to exclude or explicitly specify IP addresses or domains to which SSL MiTM should or should not be applied. When specifying an extra SSL port, there is no need to specify the read/write type; it is enough to specify the port number. All traffic is written to ssl_log.txt.
  • Remote Capture (RPCAP). Libpcap makes it possible to send network data from one host to another via its own protocol, called RPCAP. That is, you can bring up the rpcap daemon on your gateway and see all the traffic that goes through it. After starting the daemon, you can start capturing remote traffic with Intercepter. Enter the hostname or IP of the daemon in the provided field and then select the adapter from the list. Then you need to set the "not host IP" filter, replacing "IP" with the IP address assigned to your Ethernet card (this is necessary to ignore the rpcap traffic between you and the daemon).
  • PCAP Over IP

This feature is related to remote traffic capture and is an excellent replacement for the old and problematic rpcapd service. The name speaks for itself. Almost any Unix has tcpdump and netcat, with which you can forward traffic to a remote receiving computer. In this case Intercepter can open a port, wait for a data stream in libpcap format and analyze it in real time.

There is no fundamental difference in the source of the traffic, so in addition to tcpdump you can use the cat utility to send an existing .pcap log in the same way.

Here are some examples of use; by default Intercepter listens on port 2002:

tcpdump -i face -w - | nc IP 2002

If you plan to transmit the traffic through the same interface from which you are capturing, you need to add a filtering rule that excludes the service traffic between the server and Intercepter:

tcpdump -i face -w - not port 2002 | nc IP 2002

Sending an existing capture file:

cat log.pcap | nc IP 2002

The same with dumpcap, the tcpdump analogue that ships with Wireshark; the -P flag indicates that packets should be saved in the standard libpcap format and not in the newer pcapng:

dumpcap -i face -P -w - | nc IP 2002

An alternative way of forwarding packets without the help of netcat:

tcpdump > /dev/tcp/ip/port
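The receiving side of PCAP Over IP has to treat what netcat delivers as a byte stream: the 24-byte libpcap global header arrives first, then packet records that may be split across socket reads, and a dumpcap run without -P sends pcapng instead of libpcap. The Python reader below is an added example and not code from Intercepter-NG or from this page; it shows those three concerns on a constructed stream. The class and function names, the sample frames and the timestamps are my own assumptions.

```python
import struct

# libpcap magic numbers: the byte order of the writer and its timestamp resolution (ticks per second)
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # first bytes of a pcapng Section Header Block


class PcapStreamError(ValueError):
    pass


def stream_kind(data):
    """Classify the first four bytes: 'pcap' (classic libpcap), 'pcapng', or 'unknown'."""
    magic = data[:4]
    if magic in PCAP_MAGIC:
        return "pcap"
    if magic == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown"


def parse_global_header(data):
    """Parse the 24-byte libpcap global header. Returns (endian, ticks_per_second, linktype, snaplen)."""
    if len(data) < 24:
        raise PcapStreamError("short global header")
    kind = stream_kind(data)
    if kind == "pcapng":
        raise PcapStreamError("pcapng stream: capture with dumpcap -P (or tcpdump) to get classic libpcap")
    if kind != "pcap":
        raise PcapStreamError("unknown magic %s" % data[:4].hex())
    endian, ticks = PCAP_MAGIC[data[:4]]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise PcapStreamError("unsupported libpcap version %d.%d" % (major, minor))
    return endian, ticks, linktype, snaplen


class PcapStreamReader:
    """Incremental reader: feed() the chunks as they arrive from the socket, get complete packets back."""

    def __init__(self):
        self.buf = b""
        self.header = None  # (endian, ticks, linktype, snaplen) once the global header has arrived

    def feed(self, chunk):
        """Returns a list of (timestamp_seconds, packet_bytes) completed by this chunk."""
        self.buf += chunk
        packets = []
        if self.header is None:
            if len(self.buf) < 24:
                return packets  # global header not complete yet
            self.header = parse_global_header(self.buf)
            self.buf = self.buf[24:]
        endian, ticks, _linktype, snaplen = self.header
        while len(self.buf) >= 16:
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", self.buf[:16])
            if incl_len > snaplen or incl_len > orig_len:
                raise PcapStreamError("corrupt record header (incl_len=%d)" % incl_len)
            if len(self.buf) < 16 + incl_len:
                break  # packet record is still partial; wait for the next chunk
            packets.append((ts_sec + ts_frac / ticks, self.buf[16:16 + incl_len]))
            self.buf = self.buf[16 + incl_len:]
        return packets


def build_sample_stream():
    """Constructed sample, not a real capture: little-endian libpcap header (LINKTYPE_ETHERNET) + two frames."""
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    frame1 = bytes.fromhex("ffffffffffff0242ac1100020806") + b"\x00" * 28  # Ethernet header, ARP ethertype
    frame2 = bytes.fromhex("0242ac1100010242ac1100020800") + b"\x00" * 20  # Ethernet header, IPv4 ethertype
    rec1 = struct.pack("<IIII", 1700000000, 1000, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack("<IIII", 1700000001, 2000, len(frame2), len(frame2)) + frame2
    return header + rec1 + rec2


def read_in_chunks(stream, chunk_size):
    """Feed the stream in chunk_size pieces, as a socket would deliver it. Returns (reader, packets)."""
    reader = PcapStreamReader()
    packets = []
    for i in range(0, len(stream), chunk_size):
        packets.extend(reader.feed(stream[i:i + chunk_size]))
    return reader, packets


if __name__ == "__main__":
    reader, packets = read_in_chunks(build_sample_stream(), 7)
    print("linktype", reader.header[2], "packets", len(packets))
    for ts, pkt in packets:
        print("%.6f ethertype=0x%s len=%d" % (ts, pkt[12:14].hex(), len(pkt)))
```

Feeding the stream in 7-byte pieces deliberately splits both the global header and every record across reads; the reader keeps its buffer until a record is whole, which is the behaviour any PCAP Over IP listener needs, because netcat gives no record boundaries.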

WPAD stands for "Web Proxy Auto-Discovery Protocol" and corresponds to the "Automatically detect settings" feature in modern browsers. This feature allows the browser to obtain the current proxy configuration without user intervention. It is a threat even today: an attacker can easily configure a malicious server to intercept web traffic. The situation is aggravated by the fact that Internet Explorer (and Chrome too) supports this feature by default.

Typically WPAD is not configured on the network, so the usual behavior of browsers is to send NetBIOS queries for the name "WPAD" (bypassing the DHCP and DNS methods). If no response is received, the browser simply uses a direct connection. But if a response is received, the browser tries to download the configuration file from http://ip_of_wpad_host/wpad.dat.

Intercepter-NG will respond to each request and ask clients to use its own configuration so that it can sniff traffic through the proxy server. You can customize your own configuration for any other proxy on the network, or simply choose the built-in proxy. The built-in proxy allows the use of the HTTP injection feature.
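The WPAD behaviour described above can be watched from the defender's side: NBNS name queries are broadcast, and any host answering the WPAD name is either the intended proxy server or an interloper. The Python decoder below is an added example, not part of Intercepter-NG or of this page. It parses NBNS datagrams in the RFC 1002 layout (including the first-level name encoding, where each byte of the padded 16-byte name becomes two letters), reports which hosts are asking for WPAD, and alerts on a positive WPAD answer from any host not in an allow list. All datagrams and addresses are constructed sample data.

```python
import struct


def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001): 15 chars padded with spaces plus a suffix byte, each nibble + 'A'."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return bytes(out)


def decode_nb_name(encoded):
    """Inverse of encode_nb_name. Returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]


def parse_nbns(payload):
    """Parse an NBNS (UDP/137) datagram: header, question names and NB answer records."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    names, addresses = [], []
    off = 12

    def read_name(off):
        # one 32-character label followed by the zero terminator
        if payload[off] != 32 or payload[off + 33] != 0:
            raise ValueError("unexpected NetBIOS label")
        return decode_nb_name(payload[off + 1:off + 33])[0], off + 34

    for _ in range(qdcount):
        name, off = read_name(off)
        names.append(name)
        off += 4  # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(off)
        names.append(name)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 0x0020:  # NB record: repeated (NB_FLAGS, NB_ADDRESS) pairs
            for i in range(0, rdlen, 6):
                addresses.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "names": names, "addresses": addresses}


def wpad_alerts(datagrams, allowed_wpad_hosts=()):
    """datagrams: iterable of (src_ip, payload). Returns human-readable findings about WPAD traffic."""
    findings = []
    for src, payload in datagrams:
        try:
            info = parse_nbns(payload)
        except (ValueError, IndexError):
            continue  # not NBNS, or truncated
        if "WPAD" not in info["names"]:
            continue
        if not info["is_response"]:
            findings.append("info: %s is looking for WPAD via NBNS (proxy auto-detection is enabled)" % src)
        elif src not in allowed_wpad_hosts:
            findings.append("ALERT: %s answered the WPAD name with %s and is not an approved WPAD host"
                            % (src, ",".join(info["addresses"])))
    return findings


def build_nbns_query(txid, name):
    """Constructed NBNS name query (flags: broadcast, recursion desired) for the sample below."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + b"\x20" + encode_nb_name(name) + b"\x00" + struct.pack("!HH", 0x0020, 1)


def build_nbns_response(txid, name, ip):
    """Constructed positive name query response (QR=1, authoritative) for the sample below."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0) + bytes(int(x) for x in ip.split("."))
    record = (b"\x20" + encode_nb_name(name) + b"\x00"
              + struct.pack("!HHIH", 0x0020, 1, 300000, len(rdata)) + rdata)
    return header + record


SAMPLE_DATAGRAMS = [  # constructed (source IP, UDP payload) pairs, not real traffic
    ("192.168.1.20", build_nbns_query(0x1234, "WPAD")),
    ("192.168.1.66", build_nbns_response(0x1234, "WPAD", "192.168.1.66")),
    ("192.168.1.20", build_nbns_query(0x1235, "FILESRV")),
]

if __name__ == "__main__":
    for line in wpad_alerts(SAMPLE_DATAGRAMS):
        print(line)
```

The query for WPAD is only informational (it tells you which clients still have proxy auto-detection on), while the answer from 192.168.1.66 is the event worth alerting on: on a network without a deliberately deployed WPAD host, nobody should ever claim that name.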

Intercepter-NG Expert Mode Options

  • SSL Strip Timeout (seconds) - SSL Strip timeout in seconds
  • ARP Poison every (seconds) - perform ARP poisoning every ... seconds
  • ARP Scan Timeout (seconds) - ARP scan timeout
  • DNS Cache TTL (seconds) - DNS cache lifetime
  • Spoofing MAC - the MAC address that will be substituted for the attacker's address
  • MySQL LOAD DATA Injection
  • LDAP Relay DN: DC=xxx,DC=xxx
  • Stop injection on NBNS Request
  • Drop SSH connection after auth - reset the SSH connection after authorization
  • SMB Hijack -> SMB Relay
  • Auto ARP Poison - in automatic mode it is enough to add only one host to the list of targets; Intercepter will scan the network itself at a certain interval and automatically add new targets.
  • Reset ARP Table - reset the ARP table
  • Custom payload for SMB Hijack (64kb max)
  • Custom payload for GP Hijack
  • Run Shell - run a shell
  • Run HTTP NTLM Grabber

Scan types

Scanning is the first stage; many MiTM attacks start with it. To show the scan menu, go to MiTM Mode and right-click on the table.

  • Smart Scanning: combines ARP scan and gateway discovery. In addition to the usual information about IP and MAC addresses, the manufacturer of the network card and the operating system, the computer name is displayed. For the same period of time, you can now additionally find out the NetBIOS name or the name of a device running iOS. To resolve the latter, the MDNS protocol is used, on which Apple's Bonjour protocol is based. All received names are saved in a cache file, and if during subsequent scans the hostname could not be obtained dynamically for some reason, it will be taken from that cache. In addition, this scan shows the Stealth IP and automatically fills the gateway IP (if detected) and the Stealth IP into the appropriate fields of the MiTM tab. OS detection is also performed based on TTL values.
  • ARP Scanning (ARP scan): simply checks the class C subnet assigned to the selected Ethernet adapter. For example, if your IP is 192.168.0.10, then the 255 IP addresses in the range 192.168.0.1-255 will be checked. Since version 0.9.5, the program checks the netmask to properly scan all subnets.
  • DHCP Discovering (DHCP discovery): sends DHCP Discover broadcasts and waits for responses from DHCP servers. Any servers that respond are added to the list.
  • Promisc Detection (detection of network cards in promiscuous mode): sends special ARP requests to the network. Responding hosts are obviously sniffers. Some Ethernet cards (3COM) may also respond, so false positives are possible.
  • Gateway Discovering (gateway discovery): sends a SYN packet through every host on the network; if one of them is a gateway, a response will come back.

Intercepter-NG Man-in-the-Middle (MiTM) Attack Techniques

Pressing the Configure MiTMs button (a hat with an eye) opens the MiTM Attacks dialog box:

It contains a list of supported techniques.

SSL MiTM

This is an old classic technique of spoofing certificates. Allows you to intercept data of any protocol protected by SSL. Supported as standard: HTTPS, POP3S, SMTPS, IMAPS. Any additional port can be optionally specified.

When intercepting HTTPS, certificates are generated “on the fly”, copying the original information from the requested resource. For all other cases, a static certificate is used.

Naturally, when using this functionality, warnings from the browser and other client software are inevitable.

The new version has completely rewritten code for SSL MiTM. It is now fast and stable. The algorithm for generating certificates has also changed: additional DNS records are added to them, and all certificates are signed with a single key (misc\server). This means that by adding this self-signed certificate to the list of trusted ones on the target computer, it becomes possible to listen to SSL traffic to any resource (where there is no SSL pinning). The Cookie Killer function now works for SSL connections too. Black (misc\ssl_bl.txt) and white (misc\ssl_wl.txt) lists have appeared. They can be used to exclude or explicitly specify IP addresses or domains to which SSL MiTM should or should not be applied. When specifying an extra SSL port, it is no longer necessary to specify the read/write type; it is enough to specify the port number. All traffic is written to ssl_log.txt.

SSL Strip

SSL Strip is a silent technique for intercepting HTTPS connections. For a long time a working version existed only under Unix; now similar actions can be carried out in the NT environment. The essence is as follows: the attacker is "in the middle", HTTP traffic is analyzed, all https:// links are identified and replaced with http://, so the client continues to communicate with the server in insecure mode. All requests to replaced links are monitored, and data from the original https sources is delivered in response.

Because no certificates are replaced, there are no warnings. To simulate a secure connection, the favicon icon is replaced.

DNS over ICMP

This is a completely new technique, not mentioned or implemented before. It builds on the same old ICMP Redirect MiTM but opens up a new way to sniff data. The first step of this attack is similar to the classic ICMP redirect, with one important difference.

The so-called "new record" is the victim's DNS server: we are going to take control of all DNS requests and do some magic before the victim gets the answers.

When somehost.com is resolved, DNS sends us a response containing one or more answers with the IP of somehost.com. It may also contain "additional" answers, and we are going to take care of those as well. After the first part of the attack is completed, the victim starts sending all DNS requests through the attacker's host (NAT). When NAT receives a response from DNS, it reads all the IPs and then sends ICMP redirect messages to the victim for each resolved IP.

Thus, by the time NAT sends the DNS response back to the victim, the victim's routing table already has entries for all the resolved addresses pointing to our host!

This means that we are sniffing not only the victim's DNS, but everything that has been resolved. All traffic will be spoofed via a fake IP/MAC.

This part of the attack is done on the NAT side, for this reason you must configure it correctly.

Check the "DNS over ICMP" checkbox then fill in:

  • Router's IP is the IP of the default gateway used by the victim.
  • Client's IP is the victim's IP. You can add multiple targets, but remember that the attack starts by sending an ICMP redirect packet from Intercepter to each target.

After adding clients, put a free/unused IP in the "New Gateway" field and in "Stealth IP".

Select an adapter; it should be the same one, since we are going to route traffic in the same Ethernet segment.

Start NAT.

All DNS responses are stored in a special list, and NAT regularly (according to the time set in the settings) resends the ICMP redirects.

At the end, you need to do one more action. You cannot "disinfect" the victim's routing table (as with ARP poisoning), so you must uncheck "DNS ↔ ICMP" to prevent ICMP redirects from being re-sent and wait about 10-15 minutes. After that, no new entries will be added, but the old ones will work fine through NAT until they expire.
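A host can recognise the redirects this technique relies on: an ICMP type 5 message carries the new next hop and quotes the IP header of the datagram it reroutes, so a redirect whose next hop is not one of the network's real routers is the signature to alert on. The Python parser below is an added example, not Intercepter-NG code or anything from this page; the packet builders exist only to produce constructed samples (checksums are left zero and nothing is sent), and the router list and addresses are assumptions. On Linux, hosts that do not need redirects can ignore them entirely with net.ipv4.conf.all.accept_redirects = 0, which removes this vector regardless of detection.

```python
import struct
import ipaddress


def parse_ipv4(pkt):
    """Return (header_length, protocol, src, dst) from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return (vihl & 0x0F) * 4, proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def parse_icmp_redirect(pkt):
    """Return None unless pkt is an ICMP Redirect (type 5); otherwise a dict describing what it announces."""
    ihl, proto, src, dst = parse_ipv4(pkt)
    if proto != 1:
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:
        return None
    itype, code, _csum, gateway = struct.unpack("!BBH4s", icmp[:8])
    if itype != 5:
        return None
    # a redirect quotes the IP header of the datagram that triggered it: its destination is what gets rerouted
    _ihl2, _proto2, _orig_src, orig_dst = parse_ipv4(icmp[8:])
    return {"sender": src, "victim": dst, "code": code,
            "new_gateway": str(ipaddress.IPv4Address(gateway)), "redirected_dst": orig_dst}


def redirect_alerts(packets, legitimate_routers):
    """Flag redirects that come from, or announce a next hop that is, not one of the known routers."""
    alerts = []
    for pkt in packets:
        r = parse_icmp_redirect(pkt)
        if r is None:
            continue
        if r["sender"] not in legitimate_routers or r["new_gateway"] not in legitimate_routers:
            alerts.append("ALERT: %s told %s to reach %s via %s (code %d)"
                          % (r["sender"], r["victim"], r["redirected_dst"], r["new_gateway"], r["code"]))
    return alerts


def build_ipv4(proto, src, dst, payload, ttl=64):
    """Constructed IPv4 packet for the samples (checksum left zero; nothing here is sent on the wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_icmp_redirect(router, victim, new_gateway, original_dst):
    """Constructed redirect 'to reach original_dst, use new_gateway', addressed to victim by router."""
    quoted = build_ipv4(6, victim, original_dst, b"\x00" * 8)  # quoted original header + 8 payload bytes
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gateway).packed) + quoted
    return build_ipv4(1, router, victim, icmp)


LEGITIMATE_ROUTERS = {"192.168.1.1", "192.168.1.254"}  # assumed inventory of real routers on the segment
SAMPLE_PACKETS = [  # constructed traffic as seen on the victim's side
    build_icmp_redirect("192.168.1.1", "192.168.1.20", "192.168.1.254", "198.51.100.10"),  # router to router: fine
    build_icmp_redirect("192.168.1.1", "192.168.1.20", "192.168.1.77", "198.51.100.10"),   # next hop is a plain host
    build_ipv4(17, "192.168.1.20", "192.168.1.1", b"\x00" * 16),                            # unrelated UDP datagram
]

if __name__ == "__main__":
    for line in redirect_alerts(SAMPLE_PACKETS, LEGITIMATE_ROUTERS):
        print(line)
```

The second sample is exactly the shape the section describes: the sender field is the real gateway (the "Router's IP"), but the next hop is an address no router owns (the "New Gateway"), one redirect per resolved destination. Because the routing entries persist after the redirects stop, as the text notes, the detection has to run while they are being sent.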

WPAD MiTM

See the description of the WPAD Configuration (PROXY:PORT) option for details.

SMB Hijack

SSH MiTM

You can intercept SSH authentication data (username/password) and see all the commands passed during the remote session. Two authentication mechanisms are supported: password and keyboard-interactive. To sniff the victim's data we need to act like a real sshd, so we provide our own RSA/DSA keys. If the original host key is cached by the victim, a warning message will appear; if it is not cached, there will be no signs of an attack on the client side.

When the victim is logged in, they can work as usual, execute commands and use pseudo-graphic programs such as Midnight Commander. Intercepter intercepts WINDOW_CHANGE requests, so if the victim decides to resize the window, everything will be correctly redrawn according to the new window size.

The program works with a remote session but does not work with SFTP. If the victim launches an SFTP client, the authentication data will be intercepted, but then the connection will be dropped and flagged. When the victim then tries to reconnect, they will be given access to the original ssh server rather than our fake sshd.

It should be mentioned that the attacker logs into the remote server and leaves their IP address in its logs. In expert mode you can select the option to drop the ssh connection after obtaining the victim's credentials. The connection will be marked, and on the next attempt the program will allow access to the original server.

GP Hijack

Additional capabilities for Man-in-the-Middle (MiTM) attacks in Intercepter-NG

Buttons for using these features are also located in the section MiTM Options (cubes, JDownloader symbol, syringe, shield and free-standing radiation hazard symbol):

Traffic Changer (change text data in network traffic stream)

Only data of equal size can be substituted, without changing the packet length. Say the browser opens site.com/file.txt, which contains the string "12345". In response to the GET request, the server returns an HTTP header indicating the length of the transmitted data: Content-Length: 5. What happens if we replace "12345" with "123456"? The browser downloads only 5 bytes, discarding the added "6"; and if we reduce the data size by replacing "12345" with "1234", the browser receives only 4 bytes and waits for one more byte from the server until the connection is closed by timeout. That is why this size limitation exists. You can change both textual and binary data; the syntax for binary patterns is as in C: "\x01\x02\x03".

If substitution in HTTP traffic is required, then the "Disable HTTP gzip encoding" option must be enabled in the settings.

Spoofing

Spoofing allows you to redirect hosts to a given IP. DNS, NBNS, LLMNR protocols are supported.

With DNS you can specify a mask to redirect all subdomains as well. Usually domain.com:IP pairs are set, but subdomains will not be spoofed. To redirect them all, add an asterisk before the domain name: *host.com

Forced Download and JS Inject

Both innovations relate to the HTTP Injection mode. The name Forced Download describes exactly what happens on the target side during web surfing: when entering a site, the user is offered the file specified by the attacker; depending on the browser settings it may download by itself, and the user then chooses whether to launch it or not.

As you understand, you can also add an .exe file with arbitrary content to the forced download, and the source of this file will be the site that the user is currently visiting. Knowing that the target is going to open adobe.com, you can issue flashplayer.exe, and adobe.com or one of its subdomains will be listed as the source of this file.

After a single delivery the forcing is disabled; to inject again, tick the corresponding checkbox again.

JS Inject is not explicitly present among the controls, since in fact, this is the most common http inject, but with one difference. When you replace one file with another, for example pictures.jpg for a given one, it is the replacement of one content with another that occurs. Replacing the .js script with a high probability can disrupt the operation of the resource, therefore in the new version js inject does not replace one script with another, but adds it to the existing one, adding the ability to inject additional code without affecting the original one.

FATE mode combines two new functions: FAke siTE and FAke updaTE.

The key goal of FAke siTE is to obtain authorization data from any web resource, bypassing SSL and other security mechanisms. This is achieved by cloning the authorization page and creating a template that will be placed on the built-in pseudo-web server. By default, the interceptor includes one template for accounts.google.com, since the original page requires you to fill in one by one the field with the login, and then with the password. This template has been slightly modified to make both fields active at the same time. Before the attack, you must specify the domain where the template will be hosted. After the start of the attack, a redirect to the selected domain is injected into the target's traffic, and subsequently the interceptor will automatically perform DNS spoofing to the required addresses. As a result, the selected authorization page will open in the browser.

The FAke updaTE functionality means showing update notifications for software installed on the victim's machine and delivering a supposed update file to which a payload has been added. The list of supported software is very limited. If you wish, you can add your own templates; their structure can be seen in misc\FATE\updates.

ARP Poison (ARP poisoning)

It is part of the classic man-in-the-middle attack. This attack starts with scanning hosts. When hosts are found and some of them are selected as targets, ARP poisoning starts, as a result of which the attacked hosts begin to forward their traffic not to the gateway, but to the attacker. The attacker examines (sniffs) this traffic, performs other manipulations and sends it to the target server. The target server responds to the attacker (as the source of the request), this traffic is also sniffed, modified and sent to the victim. As a result, no significant changes occur for the victim - it seems to be exchanging data with a remote server.

Additional Intercepter-NG features

Buttons for launching additional functions are located in a separate section of the right column in the program window:

Intercepter-NG has its own network scanner, which replaced the primitive port scanner from previous versions. Its main functions:

  1. Scan open ports and heuristically detect the following protocols: SSH, Telnet, HTTP/Proxy, Socks4/5, VNC, RDP.
  2. Detect SSL on an open port, read banners and various web headers.
  3. If a proxy or SOCKS server is found, check whether it is open to the outside.
  4. Check for passwordless access to VNC servers, check SSL for HeartBleed. Read version.bind from DNS.
  5. Check the web server against the database of scripts potentially vulnerable to ShellShock. Check the database list of directories and files for 200 OK, as well as the list of directories from robots.txt.
  6. Determine the OS version via SMB. If anonymous access is available, get the local time, uptime, list of shares and local users. For the users found, an automatic brute-force attack is launched.
  7. Enumerate users from the built-in list of SSH usernames by measuring the response time. For the users found, an automatic brute-force attack is launched. If enumeration does not work (it does not work on all versions), brute-forcing is started only for root.
  8. Automatic brute-force for HTTP Basic and Telnet. Given the peculiarities of the Telnet protocol, false positives are possible.

Any target can be scanned, both on the local network and on the Internet. You can specify a list of ports for scanning: 192.168.1.1:80,443 or the range 192.168.1.1:100-200. You can specify the address range for the scan: 192.168.1.1-192.168.3.255.

For a more accurate result, only 3 hosts are scanned at a time. Literally at the last moment, checks on data from SSL certificates were added: for example, if the word Ubiquiti is encountered and port 22 is open, SSH brute-forcing of the ubnt user is launched automatically. The same for a couple of Zyxel devices with the admin user. For the first release of the scanner the functionality is sufficient, and it is well debugged.

Heartbleed exploit

Tests if the target is vulnerable to HeartBleed. If the target is vulnerable, then it exploits this vulnerability - it receives part of the contents of the remote host's RAM.

Bruteforce mode

Brute-force attacks are supported for the following network protocols:

  • POP3 TLS
  • SMTP TLS
  • HTTP Basic
  • HTTP Post
  • TELNET
  • VMWARE

You can set the number of threads in which the credentials will be checked.

When a timeout occurs, the active thread is restarted from the same place and the iteration process continues.

There is Single Mode, which indicates that each new pair of login: password should be checked with the establishment of a new connection, for some protocols this allows to increase the speed of work. The work log is saved in brute.txt.

ARP functions

Besides ARP Poisoning and ARP Scanning, there are several other ARP-related functions. Two of them have separate buttons in the right column of the program window:

  • ARP Watch: Built-in personal ARP surveillance service. You should start by performing an ARP scan to populate the list of trusted (clean) MAC addresses. If anyone tries to poison your arp cache, a warning message will appear.
  • ARP Cage: Isolates the target IP address from other local hosts by spoofing arp table entries.
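ARP Watch, and the ARP poisoning it is meant to catch (see the ARP Poison section above), come down to two observable events: a known IP suddenly announced with a different MAC, and one MAC claiming to own several addresses, typically the gateway and the victim at once. The Python monitor below is an added example, not Intercepter-NG's implementation or code from this page; it parses raw Ethernet/ARP frames, seeds its table from a "clean" scan as the text recommends, and raises alerts on both events. The frames, MAC addresses and IPs are constructed sample data, and the builder exists only to produce them.

```python
import struct


def parse_arp_frame(frame):
    """Parse an Ethernet frame; return the ARP fields as a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda m: ":".join("%02x" % b for b in m)
    ip = lambda a: ".".join(str(b) for b in a)
    return {"oper": oper, "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_ip": ip(tpa), "frame_src": mac(eth_src)}


class ArpWatch:
    """Tracks IP-to-MAC bindings; alerts when a binding changes or one MAC claims several IPs."""

    def __init__(self, trusted):
        self.table = dict(trusted)   # ip -> mac, seeded from a scan of the clean network
        self.claims = {}             # mac -> set of IPs it has claimed to own
        self.flagged_macs = set()
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["frame_src"] != mac:
            self.alerts.append("ALERT: ARP sender %s differs from Ethernet source %s for %s"
                               % (mac, arp["frame_src"], ip))
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac  # first sighting of this IP: learn it
        elif known != mac:
            kind = "reply" if arp["oper"] == 2 else "request"
            self.alerts.append("ALERT: %s changed from %s to %s (%s)" % (ip, known, mac, kind))
            # the trusted entry is kept; the conflicting claim is not learned
        self.claims.setdefault(mac, set()).add(ip)
        if len(self.claims[mac]) > 1 and mac not in self.flagged_macs:
            self.flagged_macs.add(mac)
            self.alerts.append("ALERT: %s claims several addresses: %s"
                               % (mac, ", ".join(sorted(self.claims[mac]))))


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed frame for the sample below (never sent): Ethernet header + ARP request (1) or reply (2)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == 1 else target_mac
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(sender_mac), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


GATEWAY, VICTIM, ROGUE = "00:11:22:33:44:01", "00:11:22:33:44:20", "00:11:22:33:44:77"
TRUSTED = {"192.168.1.1": GATEWAY, "192.168.1.20": VICTIM}   # constructed result of a clean ARP scan
SAMPLE_FRAMES = [  # constructed traffic
    build_arp_frame(2, GATEWAY, "192.168.1.1", VICTIM, "192.168.1.20"),   # legitimate reply from the gateway
    build_arp_frame(1, "00:11:22:33:44:30", "192.168.1.30",
                    "00:00:00:00:00:00", "192.168.1.1"),                  # new host asking for the gateway
    build_arp_frame(2, ROGUE, "192.168.1.1", VICTIM, "192.168.1.20"),     # rogue reply: "the gateway is at ROGUE"
    build_arp_frame(2, ROGUE, "192.168.1.20", GATEWAY, "192.168.1.1"),    # rogue reply: "the victim is at ROGUE"
]


def run_arp_watch(trusted, frames):
    """Feed frames through ArpWatch; returns (final table, alerts)."""
    watch = ArpWatch(trusted)
    for frame in frames:
        watch.observe(frame)
    return watch.table, watch.alerts


if __name__ == "__main__":
    for line in run_arp_watch(TRUSTED, SAMPLE_FRAMES)[1]:
        print(line)
```

The last two frames are the two halves of the poisoning described in the ARP Poison section: the gateway's IP and the victim's IP both end up announced from the same third MAC. The first alert fires on the changed binding alone, so a watcher seeded with a trusted table catches the attack on its very first spoofed reply.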

Intercepter-NG launch examples

How to run MiTM in Intercepter-NG

Start by choosing a network adapter ( Network Adapter):

Right click on an empty table and select Smart Scan:

A list of targets will be displayed:

Add the targets you want ( Add as Target):

To start sniffing, click the corresponding icon:

Go to the tab MiTM mode (this is a globe with patch cords) and click the icon ARP Poison (radiation hazard symbol):

In the tab Password Mode (symbol is a keychain), the captured credentials will appear:

Work with Wi-Fi and work with Ethernet

When working with Wi-Fi or wired connections, there are no differences, but you need to switch to the desired mode by clicking the icon:

Offline analysis of pcap capture files

There are many options that can slow down or speed up the analysis time.

  1. First, if you need to read a large .pcap file, disable "Resolve".
  2. If your .pcap contains large files and Resurrection is enabled, the speed may drop. The solution is to set a limit on the maximum file size for recovery.
  3. If you do not need to recover any files, disable this option in the settings. The speed will increase.
  4. If you need to analyze only a specific protocol, for example ICQ/AIM or only HTTP, set the appropriate "pcap filter" in RAW MODE: tcp port xxx, where xxx is the port number of your protocol.
  5. You can load more than one capture for analysis. In the Open dialog select multiple files; all of them will be analyzed in turn.

Installing Intercepter-NG

Installing on Linux Kali

To install and run Intercepter-NG in Kali Linux, run the following commands:

wget https://github.com/intercepter-ng/mirror/blob/master/wine_pcap_dlls.tar.gz?raw=true -O wine_pcap_dlls.tar.gz
sudo apt install libpcap-dev
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install wine32
sudo apt install tcpdump:i386
wine --config
tar xvzf wine_pcap_dlls.tar.gz
sudo cp wpcap/wpcap.dll.so /usr/lib/i386-linux-gnu/wine
sudo cp packet/packet.dll.so /usr/lib/i386-linux-gnu/wine
rm -rf wine_pcap_dlls.tar.gz wpcap/ packet/
sudo apt install winetricks
winetricks cc580
sudo ethtool --offload eth0 rx off tx off
# Download Intercepter-NG v1.0 and delete the dll files wpcap.dll and Packet.dll:
wget https://github.com/intercepter-ng/mirror/blob/master/Intercepter-NG.v1.0.zip?raw=true -O Intercepter-NG.zip
unzip Intercepter-NG.zip
rm wpcap.dll
rm Packet.dll
sudo wine Intercepter-NG.exe

Installation on Windows

To install Intercepter-NG on Windows, download the corresponding archive (the one without the letters CE). The program does not require installation: just unpack the archive and run the .exe file.

Installation on Android

To install Intercepter-NG on Android, download the .apk file. Root rights are required to run the application successfully.

Screenshots Intercepter-NG

After 10 years of development (that is how old the project is), the Intercepter-NG version number finally reached 1.0. By tradition, updates for Windows are released once a year, and the anniversary release was really a success. I would like to thank all the people who over the years have helped with testing, given detailed feedback and inspired ideas. Let's start the review with the little things and at the end we'll look at the most delicious feature of Intercepter-NG 1.0.

1. In RAW Mode, you can now export selected packets to a .pcap file. When Autosave is enabled, packets containing authorization data will be written to a separate .pcap.

2. In the Extra SSL Ports field, which relates to SSL MiTM, you can now enter multiple ports separated by commas.

3. When attacking an LDAP Relay on a domain controller with a language other than English, in the expert settings, you can specify the necessary group to add a user, for example, instead of Domain Admins, specify the Russian equivalent Domain Administrators.

4. Fixed a bug in the NTLMv2SSP hash handler that did not allow for correct password guessing.

5. Many improvements in Bruteforce Mode. Added: SSL support for HTTP, UTF8 support for LDAP brute-force, VNC protocols, Vmware Auth Daemon and RDP. RDP brute-force works on Windows 7/8/2008/2012. NLA and logins and passwords in any language are supported. RDP Security Layer is not supported.

6. Added "Inject Reverse Shell" option to HTTP Injections. This is a Forced Download with a backconnect payload to the built-in shell of the interceptor.

7. Many improvements and changes in general. Spoofing is now disabled by default.

FATE

FATE mode combines two new functions: FAke siTE and FAke updaTE.

The key goal of FAke siTE is to obtain authorization data from any web resource, bypassing SSL and other security mechanisms. This is achieved by cloning the authorization page and creating a template that will be placed on the built-in pseudo-web server. How this works is demonstrated in the video at the end of the post. By default, the interceptor includes one template for accounts.google.com, since the original page requires you to fill in one by one the field with the login, and then with the password.

This template has been slightly modified to make both fields active at the same time. Before the attack, you must specify the domain where the template will be hosted. After the start of the attack, a redirect to the selected domain is injected into the target's traffic, and subsequently the interceptor will automatically perform DNS spoofing to the required addresses. As a result, the selected authorization page will open in the browser. The process of cloning a site is also demonstrated in the video using mail.yandex.ru as an example.


Linux lovers are familiar with a tool called Evilgrade, which lets you exploit automatic update mechanisms to deliver an arbitrary payload. In fact this vector is greatly overrated: firstly, the impressive list of applications supported by Evilgrade is mostly outdated, and secondly, most of the most popular applications check for updates in a secure way.

Nevertheless, everyone has heard about high-profile lapses in the update mechanisms of large vendors, and this will surely happen again in the future, so an analogue of Evilgrade has appeared in Intercepter-NG, though the list of supported software is very modest. If you wish, you can add your own templates; their structure can be seen in misc\FATE\updates. Send us software that updates itself in the clear and we will add it to the database.

X-Scan

Many years ago I really liked a network security scanner from the Chinese Xfocus team called X-Scan: lightweight, convenient design, good functionality. In the mid-2000s it let you do a lot, but later its development stopped and in today's reality it is of little use. For this reason I wanted to create a modern counterpart, but somehow it didn't work out... until recently. Out of old affection, Intercepter-NG's own network scanner bears this name; it replaced the primitive port scanner of the previous version. So, what can it do.

1. Scan open ports and heuristically detect the following protocols: SSH, Telnet, HTTP Proxy, SOCKS4/5, VNC, RDP.

2. Determine the presence of SSL on an open port, read banners and various web headers.

3. If a proxy or SOCKS server is found, check whether it is open to the outside.

4. Check for passwordless access to VNC servers, check SSL for Heartbleed. Read version.bind from DNS.

5. Check the web server for scripts from a built-in database that are potentially vulnerable to Shellshock. Check a built-in list of directories and files for 200 OK responses, as well as the directories listed in robots.txt.

6. Determine the OS version via SMB. If anonymous access is available, get the local time, uptime, the list of shares and local users. For the users found, an automatic brute-force attack is launched.

7. Enumerate SSH users from a built-in list by measuring the response time. For the users found, an automatic brute-force attack is launched. If enumeration does not work (it does not work on all versions), brute-force is started only for root.

8. Automatic brute force for HTTP Basic and Telnet. Given the peculiarities of the telnet protocol, false positives are possible.

Any target can be scanned, both on the local network and on the Internet. You can specify a list of ports for scanning: 192.168.1.1:80,443 or the range 192.168.1.1:100-200. You can specify the address range for the scan: 192.168.1.1-192.168.3.255.

For a more accurate result, only 3 hosts can be scanned at a time. Literally at the last moment, checks of data from SSL certificates were added: for example, if the word Ubiquiti is encountered and port 22 is open, an SSH brute-force of the ubnt user is launched automatically. Likewise for a couple of Zyxel devices with the admin user. For the first release of the scanner the functionality is sufficient and it is well debugged. Send your ideas and wishes.
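A defender's view of the behaviour this scanner produces, as an added example that is not from the page or from Intercepter-NG: a small Python analyser over constructed sshd auth.log lines that separates a burst of failed logins spread across several probed usernames (enumeration followed by brute-force, as in the ubnt/root case above) from ordinary user failures. The log lines, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (assumed, not from the page): one source probes a
# built-in user list, then hammers the account that exists; another is a normal user.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 gw sshd[2101]: Invalid user ubnt from 192.0.2.55 port 40122
Jan 10 12:00:01 gw sshd[2101]: Failed password for invalid user ubnt from 192.0.2.55 port 40122 ssh2
Jan 10 12:00:02 gw sshd[2103]: Invalid user admin from 192.0.2.55 port 40124
Jan 10 12:00:02 gw sshd[2103]: Failed password for invalid user admin from 192.0.2.55 port 40124 ssh2
Jan 10 12:00:03 gw sshd[2105]: Failed password for root from 192.0.2.55 port 40126 ssh2
Jan 10 12:00:03 gw sshd[2107]: Failed password for root from 192.0.2.55 port 40128 ssh2
Jan 10 12:00:04 gw sshd[2109]: Failed password for root from 192.0.2.55 port 40130 ssh2
Jan 10 12:00:04 gw sshd[2111]: Failed password for root from 192.0.2.55 port 40132 ssh2
Jan 10 12:05:00 gw sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Jan 10 12:06:00 gw sshd[2201]: Failed password for alice from 198.51.100.7 port 50002 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

def analyse_auth_log(text, fail_threshold=4, enum_threshold=2):
    """Per source IP: failure count, usernames tried and a verdict.

    enumeration+bruteforce: many failures spread over several usernames (a scanner
    working through a user list, then brute-forcing the hits);
    bruteforce: many failures against a single account; benign: below threshold.
    """
    stats = defaultdict(lambda: {"users": set(), "failures": 0})
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]]["users"].add(m["user"])
            stats[m["ip"]]["failures"] += 1
    report = {}
    for ip, s in stats.items():
        if s["failures"] >= fail_threshold and len(s["users"]) >= enum_threshold:
            verdict = "enumeration+bruteforce"
        elif s["failures"] >= fail_threshold:
            verdict = "bruteforce"
        else:
            verdict = "benign"
        report[ip] = {"failures": s["failures"], "users": sorted(s["users"]), "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, r in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{ip:15} {r['verdict']:24} failures={r['failures']} users={r['users']}")
```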

ps: the first version of the manual in Russian will appear soon.

Site: sniff.su
Mirror: github.com/intercepter-ng/mirror
Mail: [email protected]
Twitter: twitter.com/IntercepterNG
Forum: intercepterng.boards.net
Blog: intercepter-ng.blogspot.ru

Hello friends.

As I promised, I continue with the Intercepter-NG program.

Today there will be an overview in practice.

Warning: you shouldn't change settings or press buttons mindlessly. At best it may simply not work, or you will hang your Wi-Fi. And I had a case where the router's settings were reset. So do not think that everything is harmless.

And even with the same settings as mine, it does not mean that everything will work smoothly. In any case, for serious work you will have to study how all the protocols and modes work.

Let's get started?

Interception of cookies and passwords.

Let's start with the classic interception of passwords and cookies; in principle the process is the same as in the article, but I will describe it again, with clarifications.

By the way, antivirus software often flags such things and can reduce the amount of data intercepted over Wi-Fi.

If the victim is on an Android or iOS device, you can be content only with what the victim enters in the browser (passwords, websites, cookies); if the victim uses a social-network client such as the VK app, problems already arise: those apps simply stop working. In the latest version of Intercepter-NG you can solve this by replacing the victim's certificate. More on this later.

To begin with, decide what exactly you need to get from the victim. Maybe you need passwords for social networks, or maybe just for sites. Maybe cookies are enough for you to log in as the victim and do something right away, or you need passwords to keep for later. Do you need to analyze afterwards the images and pages the victim viewed, or don't you need that? Do you know whether the victim is already logged in to the site (already authorized while browsing), or will he just be entering his credentials?

If you do not need to receive pictures from visited resources, parts of media files, or see some pages saved as HTML files, disable Resurrection in Settings. This will slightly reduce the load on the router.

What to activate in Settings: if you are connected via an Ethernet cable you need to activate Spoof IP/MAC. Also activate Cookie Killer (it resets the victim's cookies so that the victim is logged out of the site). Cookie Killer relies on the SSL Strip attack, so don't forget to activate that too.

It's also better to activate Promiscuous mode, which improves interception, but not all modules support it. Extreme mode can be dispensed with: with it the tool sometimes intercepts more ports, but extra information and load appear.

First, select the interface through which you are connected to the Internet and the connection type: Wi-Fi, or Ethernet if connected to the router by cable.

In Scan Mode, right-click on an empty field and click Smart Scan. All devices on the network are scanned; it remains to add the necessary victims with Add to NAT.

Or you can add any one IP, go to Settings - Expert mode and check the Auto ARP Poison box, in which case the program will itself add everyone who is connected or will connect to the network.

It remains for us to switch to NAT mode.

Click Configure MiTMs; here SSL MiTM and SSL Strip come in handy.

SSL MiTM allows you to intercept data directly, although many browsers react to it by warning the victim.

SSL Strip downgrades the victim from secure HTTPS to plain HTTP and also lets the Cookie Killer work.

We don't need anything else; press Start ARP Poison (the radiation icon) and wait for the victim's activity.

In the Password Mode section, right-click and choose Show Cookies. Then you can right-click a cookie and choose Go to full URL.

By the way, if the victim is on social networks, there is a chance that his active correspondence will appear in Messengers mode.
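The ARP poisoning that this procedure starts is also what a network defender can watch for. As an added example (not from the page or from Intercepter-NG), here is a passive ARP monitor in Python that parses Ethernet/ARP reply frames and alerts when a protected IP such as the gateway is suddenly answered for by a different MAC, or when one MAC answers for several IPs. The frames are constructed in memory purely as test input; the MAC and IP values are assumptions.

```python
import struct
from collections import defaultdict

def ip4(s): return bytes(map(int, s.split(".")))

def build_arp_reply(sha, spa, tha, tpa):
    """Constructed Ethernet + ARP reply frame for testing only; nothing is sent."""
    eth = bytes.fromhex(tha) + bytes.fromhex(sha) + struct.pack("!H", 0x0806)  # EtherType ARP
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, opcode 2 = reply
    return eth + hdr + bytes.fromhex(sha) + ip4(spa) + bytes.fromhex(tha) + ip4(tpa)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return oper, sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpWatch:
    """Passive monitor: alert when an IP's MAC changes or one MAC answers for several IPs."""
    def __init__(self, protected_ips=()):
        self.table = {}                 # ip -> MAC first seen answering for it
        self.claims = defaultdict(set)  # MAC -> IPs it has answered for
        self.protected = set(protected_ips)
        self.alerts = []
    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p[0] != 2:      # only replies (incl. gratuitous) are scored
            return
        _, mac, ip, _ = p
        known = self.table.setdefault(ip, mac)
        if known != mac:
            sev = "HIGH" if ip in self.protected else "MEDIUM"
            self.alerts.append(f"{sev}: {ip} moved from {known} to {mac}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            self.alerts.append(f"INFO: {mac} answers for {sorted(self.claims[mac])}")

def demo():
    # Replay constructed frames: a genuine gateway reply, then a poisoning pair (assumed MACs/IPs).
    gw, victim, attacker = "02000000000a", "02000000000b", "02000000000c"
    w = ArpWatch(protected_ips=["192.168.1.1"])
    w.observe(build_arp_reply(gw, "192.168.1.1", victim, "192.168.1.20"))        # legitimate
    w.observe(build_arp_reply(attacker, "192.168.1.1", victim, "192.168.1.20"))  # gateway spoofed
    w.observe(build_arp_reply(attacker, "192.168.1.20", gw, "192.168.1.1"))      # victim spoofed
    return w.alerts
```

On a real network the same `observe` loop would be fed from a packet capture; the first reply seen for each IP is trusted, so seed `table` from a known-good inventory where one exists.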

Http inject (give the victim a file).

Mmm, pretty sweet option.

You can slip the victim a file to download. We can only hope that the victim launches it. For plausibility, you can analyze which sites the victim visits and slip something that looks like an update.

For example, if the victim is on VK, name the file vk.exe; perhaps the victim will run it, deciding it is something useful.

Let's get started.


Bruteforce mode.

Brute-force mode for passwords.

One way to use it is to brute-force access to the router's admin panel, and also some other protocols.

What the brute-forcer needs:

In Target server, enter the router's IP, choose the telnet protocol, and in Username enter the user name, in our case Admin.

At the bottom there is a button with a folder drawn on it; click it and open the password list (the program folder contains misc/pwlist.txt, a list of frequently used passwords, or you can use your own list).

After loading, press start (triangle) and go to drink tea.

If there are matches (a password is found), the program will stop.

You need to know the username. But if you want access to the router, try the default one: admin.

How to brute-force.

Traffic changer (substitution of traffic).

This function is more of a joke. You can change things so that a victim requesting one site lands on another that you specify.

In Traffic Changer mode, on the left enter the request string, on the right the result, but with the same number of letters and symbols, otherwise it will not work.

Example: on the left enter the string to be changed, on the right what it should become; here we change test1 to test2 (check Disable HTTP gzip).

After entering press ADD and then OK.

Finally, a video on how to intercept data from iOS clients, because as you know, during a MiTM attack their applications simply stop working.

Soon I will shoot a video about what was written in the article.

That was Wi-Fi data interception.

That's basically it. If there is something to add, write; if there is something to correct, just write.

Until next time.

© 2020 hecc.ru - News of computer technologies