Anniversary Edition Intercepter-NG 1.0
After 10 years of development (this is how much the project has knocked), the Intercepter-NG version index finally reached 1.0 . According to the established tradition, the release of updates under Windows occurs once a year, and the commemorative release really succeeded. I would like to thank all the people who for all these years have provided assistance in testing, gave detailed feedback and inspired ideologically. Let's start the review with trifles and at the end consider the most delicious feature of Intercepter-NG 1.0.
1. In RAW Mode, it is possible to export selected packages to a .pcap file. When Autosave is enabled, packages containing authorization data will be written to a separate .pcap.
2. In the field Extra SSL Ports, which refers to SSL MiTM, you can now enter several ports separated by commas.
')
3. When attacking an LDAP Relay on a domain controller with a language other than English, in the expert settings you can specify the necessary group to add a user, for example, instead of Domain Admins, specify the Russian equivalent of Domain Admins .
4. Fixed a bug in the handler NTLMv2SSP hashes, which did not allow to correctly select the password.
5. Multiple improvements in Bruteforce Mode. Added: SSL support for HTTP, UTF8 support for brute force LDAP, VNC, Vmware Auth Daemon and RDP protocols. Brute force RDP runs on Windows 7/8/2008/2012. NLA and logins \ passwords in any language are supported. RDP Security Layer is not supported.
6. Added the “Inject Reverse Shell” option in HTTP Injections. This is Forced Download with backconnect payload on the built-in shell intercept.
7. Multiple improvements and changes in general. Now, by default, spoofing is disabled.
FATE mode combines two new functions: FAke siTE and FAke updaTE.
The key purpose of FAke siTE is to obtain authorization data from any web resource, bypassing SSL and other security mechanisms. This is achieved by cloning the authorization page and creating a template that will be placed on the built-in pseudo-web server. How this works is demonstrated in the video at the end of the post. By default, the interceptor includes one template for accounts.google.com, because the original page requires you to fill in the field with a login, and then with a password. In this template, small changes have been made so that both fields are active at the same time. Before the attack, you must specify the domain on which the template will be placed. After the start of the attack, a redirect to the selected domain is injected into the target's traffic, and subsequently the interceptor will automatically conduct DNS spoofing to the required addresses. As a result, the selected authorization page will open in the browser. The process of cloning the site is also demonstrated in the video on the example of mail.yandex.ru.
The linux lovers are familiar with a tool called Evilgrade, which allows you to exploit the automatic update mechanism and implement an arbitrary payload. In fact, this vector is greatly overvalued, firstly, the impressive list of supported applications in Evilgrade is outdated in the bulk, and secondly, most of the most popular applications check for updates in a safe way. Nevertheless, everyone has heard of loud omissions in the mechanisms for updating major vendors and this will probably happen in the future, so the Evilgrade equivalent appeared in Intercepter-NG, but the list of supported software is very modest. If you wish, you can add your templates, their structure can be viewed in misc \ FATE \ updates. Send a software that is updated openly, we will replenish the base.
Many years ago, I really liked the network security scanner from the Chinese Xfocus team called X-Scan. Light weight, user-friendly design, good functionality. In the middle of zero he allowed to create a lot, but later his development stopped and in the current realities he was of little use. For this reason, I wanted to create its modern analogue, but somehow it did not work ... until recently. According to the old love, it was under this name that Intercepter-NG had its own network scanner, which came to replace the primitive port scanner from the previous versions. So, what does he do.
1. Scan open ports and heuristically determine the following protocols: SSH, Telnet, HTTP \ Proxy, Socks4 \ 5, VNC, RDP.
2. Determine the presence of SSL on the open port, read banners and various web headers.
3. If a proxy or socks is detected, check their openness to the outside.
4. Check passwordless access to VNC servers, check SSL on HeartBleed. Read version.bind from DNS.
5. Check the database for the presence of scripts on a web server potentially vulnerable to ShellShock. Check the list of directories and files for 200 OK, as well as a list of directories from robots.txt.
6. Determine the OS version via SMB. If you have anonymous access, get local time, uptime, list of shared resources and local users. For the found users, automatic brute force is launched.
7. Determine the built-in list of users of SSH through the measurement of response time. For the found users, automatic brute force is launched. If enumeration did not produce a result (does not work on all versions), the search is started only for root.
8. Automatic brute force for HTTP Basic and Telnet. Given the characteristics of the telnet protocol, false positives are possible.
You can scan any target, both on the local network and on the Internet. You can specify a list of ports for the scan: 192.168.1.1:80,443 or a range of 192.168.1.1:100-200. You can specify the address range for the scan: 192.168.1.1-192.168.3.255.
For a more accurate result, only 3 hosts can be scanned at a time. Literally at the last moment checks for data from SSL certificates were added, for example, if the word Ubiquiti is found and port 22 is open, the brute force SSH user ubnt is automatically started. The same is true for a pair of Zyxel glands with the admin user. For the first release of the scanner, the functionality is sufficient and it is well debugged. Send your ideas and suggestions.
ps: in the near future, the first version of the manual in Russian.
1. In RAW Mode, it is possible to export selected packages to a .pcap file. When Autosave is enabled, packages containing authorization data will be written to a separate .pcap.
2. In the field Extra SSL Ports, which refers to SSL MiTM, you can now enter several ports separated by commas.
')
3. When attacking an LDAP Relay on a domain controller with a language other than English, in the expert settings you can specify the necessary group to add a user, for example, instead of Domain Admins, specify the Russian equivalent of Domain Admins .
4. Fixed a bug in the handler NTLMv2SSP hashes, which did not allow to correctly select the password.
5. Multiple improvements in Bruteforce Mode. Added: SSL support for HTTP, UTF8 support for brute force LDAP, VNC, Vmware Auth Daemon and RDP protocols. Brute force RDP runs on Windows 7/8/2008/2012. NLA and logins \ passwords in any language are supported. RDP Security Layer is not supported.
6. Added the “Inject Reverse Shell” option in HTTP Injections. This is Forced Download with backconnect payload on the built-in shell intercept.
7. Multiple improvements and changes in general. Now, by default, spoofing is disabled.
FATE
FATE mode combines two new functions: FAke siTE and FAke updaTE.
The key purpose of FAke siTE is to obtain authorization data from any web resource, bypassing SSL and other security mechanisms. This is achieved by cloning the authorization page and creating a template that will be placed on the built-in pseudo-web server. How this works is demonstrated in the video at the end of the post. By default, the interceptor includes one template for accounts.google.com, because the original page requires you to fill in the field with a login, and then with a password. In this template, small changes have been made so that both fields are active at the same time. Before the attack, you must specify the domain on which the template will be placed. After the start of the attack, a redirect to the selected domain is injected into the target's traffic, and subsequently the interceptor will automatically conduct DNS spoofing to the required addresses. As a result, the selected authorization page will open in the browser. The process of cloning the site is also demonstrated in the video on the example of mail.yandex.ru.
The linux lovers are familiar with a tool called Evilgrade, which allows you to exploit the automatic update mechanism and implement an arbitrary payload. In fact, this vector is greatly overvalued, firstly, the impressive list of supported applications in Evilgrade is outdated in the bulk, and secondly, most of the most popular applications check for updates in a safe way. Nevertheless, everyone has heard of loud omissions in the mechanisms for updating major vendors and this will probably happen in the future, so the Evilgrade equivalent appeared in Intercepter-NG, but the list of supported software is very modest. If you wish, you can add your templates, their structure can be viewed in misc \ FATE \ updates. Send a software that is updated openly, we will replenish the base.
X-Scan
Many years ago, I really liked the network security scanner from the Chinese Xfocus team called X-Scan. Light weight, user-friendly design, good functionality. In the middle of zero he allowed to create a lot, but later his development stopped and in the current realities he was of little use. For this reason, I wanted to create its modern analogue, but somehow it did not work ... until recently. According to the old love, it was under this name that Intercepter-NG had its own network scanner, which came to replace the primitive port scanner from the previous versions. So, what does he do.
1. Scan open ports and heuristically determine the following protocols: SSH, Telnet, HTTP \ Proxy, Socks4 \ 5, VNC, RDP.
2. Determine the presence of SSL on the open port, read banners and various web headers.
3. If a proxy or socks is detected, check their openness to the outside.
4. Check passwordless access to VNC servers, check SSL on HeartBleed. Read version.bind from DNS.
5. Check the database for the presence of scripts on a web server potentially vulnerable to ShellShock. Check the list of directories and files for 200 OK, as well as a list of directories from robots.txt.
6. Determine the OS version via SMB. If you have anonymous access, get local time, uptime, list of shared resources and local users. For the found users, automatic brute force is launched.
7. Determine the built-in list of users of SSH through the measurement of response time. For the found users, automatic brute force is launched. If enumeration did not produce a result (does not work on all versions), the search is started only for root.
8. Automatic brute force for HTTP Basic and Telnet. Given the characteristics of the telnet protocol, false positives are possible.
You can scan any target, both on the local network and on the Internet. You can specify a list of ports for the scan: 192.168.1.1:80,443 or a range of 192.168.1.1:100-200. You can specify the address range for the scan: 192.168.1.1-192.168.3.255.
For a more accurate result, only 3 hosts can be scanned at a time. Literally at the last moment checks for data from SSL certificates were added, for example, if the word Ubiquiti is found and port 22 is open, the brute force SSH user ubnt is automatically started. The same is true for a pair of Zyxel glands with the admin user. For the first release of the scanner, the functionality is sufficient and it is well debugged. Send your ideas and suggestions.
ps: in the near future, the first version of the manual in Russian.
Site: sniff.su
Mirror: github.com/intercepter-ng/mirror
Mail: intercepter.mail@gmail.com
Twitter: twitter.com/IntercepterNG
Forum: intercepterng.boards.net
Blog: intercepter-ng.blogspot.ru
Source: https://habr.com/ru/post/309406/
All Articles