
Intercepter-NG updated

The new version adds new functionality and updates existing features.

Let's look at the most notable changes.

1. PCAP Over IP.

This feature concerns remote traffic capture and is a good replacement for the old and troublesome rpcapd service. The name speaks for itself. Practically every Unix system has tcpdump and netcat available, and with them you can forward captured traffic to a remote receiving machine. Intercepter can open a port, wait for a data stream in libpcap format and analyze it in real time. The traffic source makes no fundamental difference, so besides tcpdump you can also use the cat utility to replay an existing .pcap log file.
Here are a few usage examples; by default Intercepter listens on port 2002:

#tcpdump -i face -w - | nc IP 2002

If you plan to send the traffic over the same interface you are capturing on, add a filter rule that excludes the service traffic between the server and Intercepter (otherwise the forwarded stream would itself be captured and forwarded again): tcpdump -i face -w - not port 2002 | nc IP 2002

#cat log.pcap | nc IP 2002

#dumpcap -i face -P -w - | nc IP 2002

dumpcap is the tcpdump analogue that ships with Wireshark. The -P flag tells it to save packets in the classic libpcap format rather than the newer pcapng, which is what the listener expects.
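To make the receiving side of this pipeline concrete, here is an added example (not Intercepter-NG's own code) of a minimal parser for the libpcap stream that the tcpdump and dumpcap commands above produce. It detects byte order from the magic number, rejects a pcapng stream (the reason dumpcap needs -P), validates record lengths against the snaplen, and stops cleanly if the sender disconnects mid-packet; all sample bytes are constructed for the demonstration.

```python
import struct

# libpcap magic numbers as they read when the first four bytes are taken little-endian.
LE_MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}  # usec / nsec timestamps
BE_MAGICS = {0xD4C3B2A1: 1_000_000, 0x4D3CB2A1: 1_000_000_000}  # same magics written big-endian
PCAPNG_BLOCK = 0x0A0D0D0A  # pcapng section-header block type, identical in both byte orders

def parse_pcap_stream(data: bytes) -> dict:
    """Parse a raw libpcap stream as `tcpdump -w -` or `dumpcap -P -w -` emit it. Returns link
    type, snaplen, every complete record, and how many trailing bytes belong to a cut-off record."""
    if len(data) < 24:
        raise ValueError("fewer than 24 bytes: no complete libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in LE_MAGICS:
        endian, ts_div = "<", LE_MAGICS[magic]
    elif magic in BE_MAGICS:
        endian, ts_div = ">", BE_MAGICS[magic]
    elif magic == PCAPNG_BLOCK:
        raise ValueError("pcapng stream: capture with dumpcap -P to get classic libpcap")
    else:
        raise ValueError(f"unknown magic 0x{magic:08x}: not a libpcap stream")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes).
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, offset = [], 24
    while len(data) - offset >= 16:  # each record starts with a 16-byte header
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"corrupt record at offset {offset}: incl_len={incl_len}")
        if len(data) - offset - 16 < incl_len:
            break  # header arrived but the payload did not: stop cleanly instead of guessing
        payload = data[offset + 16:offset + 16 + incl_len]
        packets.append({"ts": ts_sec + ts_frac / ts_div, "orig_len": orig_len, "data": payload})
        offset += 16 + incl_len
    return {"version": (vmaj, vmin), "linktype": linktype, "snaplen": snaplen,
            "packets": packets, "truncated_tail": len(data) - offset}

def build_sample_stream() -> bytes:
    """Constructed test data: little-endian header (LINKTYPE_ETHERNET = 1, snaplen 65535),
    two complete records, then a third whose header promises 60 bytes but only 20 arrive."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame1 = bytes.fromhex("ffffffffffff001122334455080600010800")  # constructed 18-byte fragment
    frame2 = bytes(range(60))                                        # constructed 60-byte frame
    def rec(sec, usec, frame):
        return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    partial = struct.pack("<IIII", 1700000002, 0, 60, 60) + frame2[:20]
    return hdr + rec(1700000000, 500000, frame1) + rec(1700000001, 0, frame2) + partial
```

A real receiver would feed bytes from the TCP socket into the same logic incrementally, keeping the unparsed tail (the `truncated_tail` count) as the buffer for the next read.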

2. View captured cookies in the browser (IE). A popular feature for which entire standalone applications have been created, such as Cookie Cadger.

3. Two protocols were added to the spoofing mode. In addition to spoofing DNS responses, this can now be done for NBNS (NetBIOS Name Service) and LLMNR (Link-Local Multicast Name Resolution).

For DNS name spoofing it is now possible to specify a mask, which lets you substitute answers for several domains at once (*mail.com) or for all subdomains of one domain (*.mail.com).

4. The built-in SOCKS service (used when attacking WPAD) now supports the HTTP Injection feature.

5. In Expert mode, an option appeared that allows the HTTP injection process to be stopped remotely. Everyone will find their own area and method of application for it.

Short video review:


Download here (the main site is temporarily down):
intercepter.nerf.ru

Feedback, suggestions and questions can be sent by mail or posted in a forum thread.
There is a manual in the form of a wiki page where you can find answers to many questions.

UPDATE:

An alternative way to forward the packets without netcat was suggested, using bash's /dev/tcp redirection:
tcpdump > /dev/tcp/ip/port

Source: https://habr.com/ru/post/173869/
