Intercepter-NG 2.5 released for Android

Yes, Intercepter is still alive! And after a long lull, I am pleased to introduce a new version.

The initial plan was to polish the interface, fix bugs, add a few new features and test the program on new versions of Android.

What came of it is under the cut.


So. The appearance and usability of the application have been improved. Displayed information is colour-coded, text can be resized with gestures, tabs can be switched with swipes, and vibration feedback has been added.

Routing rules and iptables rules are saved automatically before work begins and restored when it finishes.

To avoid unnecessary waiting at launch, the result of the previous scan of the current network is shown immediately. A quick pre-scan is also performed at startup, which removes the need for the re-scan that previous versions required. The scanning process has been improved and a new name-resolution method added. Names are now saved automatically: if a device's name could not be determined during the scan, it is taken from the cache.


A diagnostic button has been added to the settings. If something goes wrong, the information it displays can help find a solution. In particular, the SELinux status is checked. Intercepter runs setenforce 0 at startup, so if the diagnostics still show Enforcing, SELinux could not be switched to permissive on this system and the program should not be expected to work properly. This happens, for example, on stock Samsung firmware. The workaround is to install a third-party ROM, for example LineageOS.

The new Intercepter runs on all architectures, starting with Android 4.4. Most testing was done on Android 9 and 10; there should be no differences on earlier versions. No separate installation of BusyBox or SuperSU is required; Magisk or another root manager is enough. libpcap has been updated to version 1.9.1. Starting with Android 8.1, obtaining the network SSID (shown on the initial screen) requires location permission. You may decline it; this does not affect the program's functionality.

The SSLStrip code has been improved and HSTS spoofing added.


The existing port scanner has been turned into a simplified X-Scan, borrowed from the original Windows version. Each open port is first checked for SSL/TLS, then the service banner is displayed (if there is one), and the port is checked for whether it speaks HTTP. If it does, information from various HTTP headers is displayed.

If port 445 is open, an attempt is made to read the OS version via an SMB request. In addition, a check for the EternalBlue vulnerability is run.
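As an added example (my own code, not the X-Scan implementation from Intercepter), the following Python script shows the first part of that flow: probe an open port, classify what it answered as TLS, HTTP or a plain banner, and pull out the HTTP headers worth reporting. The offline classify() is exercised on three constructed responses embedded in the script (a TLS alert record, an HTTP 401 and an SSH banner); probe_port() does the same against a live host and is not exercised offline. The SMB and EternalBlue checks are not covered here.

```python
"""Probe an open port and report what answered: TLS, HTTP headers or a banner.
Added example; not the X-Scan implementation from Intercepter-NG."""
import socket
import ssl


def looks_like_tls(data):
    """A TLS record header: content type 0x15 (alert) or 0x16 (handshake) and
    version 3.x. Many TLS servers answer a plaintext request with an alert record."""
    return len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 3 and data[2] <= 4


def http_headers(data):
    """Status line plus the headers worth reporting, or None if not HTTP."""
    if not data.startswith(b"HTTP/1."):
        return None
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    hdrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    wanted = ("server", "x-powered-by", "www-authenticate", "via", "location")
    return {"status": status, **{k: hdrs[k] for k in wanted if k in hdrs}}


def classify(port, data):
    """Classify the first bytes a port returned after our request."""
    if looks_like_tls(data):
        return {"port": port, "proto": "tls"}
    http = http_headers(data)
    if http:
        return {"port": port, "proto": "http", **http}
    banner = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return {"port": port, "proto": "banner", "banner": banner}


def probe_port(host, port, timeout=3.0):
    """Live probe (needs network, not exercised offline): try a TLS handshake
    first; if the peer is not TLS, wait for a banner (SSH, FTP, SMTP talk
    first) and, if it stays silent, send an HTTP request, then classify."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # we identify the service, we do not trust it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"port": port, "proto": "tls", "version": tls.version()}
    except (ssl.SSLError, ConnectionResetError, socket.timeout):
        pass                                  # connected, but the peer is not TLS
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b""
    return classify(port, data)


# Constructed responses standing in for what three ports returned.
TLS_ALERT = bytes.fromhex("1503010002020a")          # alert: fatal, unexpected_message
HTTP_401 = (b"HTTP/1.1 401 Unauthorized\r\nServer: nginx/1.18.0\r\n"
            b'WWW-Authenticate: Basic realm="printer"\r\nContent-Length: 0\r\n\r\n')
SSH_BANNER = b"SSH-2.0-OpenSSH_8.2p1\r\n"

if __name__ == "__main__":
    for port, data in ((443, TLS_ALERT), (80, HTTP_401), (22, SSH_BANNER)):
        print(classify(port, data))
```

The WWW-Authenticate realm and the Server header are often enough to name a printer or router on their own, which is exactly the information the fingerprint-collection part of this article asks you to attach to a fingerprint.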


Now I want to talk about new functionality that could grow into something really big if the community actively supports the idea.

A regular ARP scan gives us IP:MAC pairs. From the MAC address we can determine the manufacturer of the network card; an ICMP request gives us the TTL value, from which we can determine the type of operating system in general terms: Windows (128), Unix (64), or something rarer such as Cisco IOS (255). On the local segment the TTL arrives undecremented, so the value is the OS default. If the device under test has open TCP ports, we can also obtain the TCP window size and distinguish Windows XP from Windows 7, or Linux from FreeBSD.

This is the scheme by which the OS was determined in previous versions of Intercepter.

In an attempt to extend the OS-detection capabilities, I turned to passive fingerprinting, which I had simply ignored for many years. The most relevant application with a relatively fresh database is Satori. Both Satori and p0f (another well-known tool) work exactly as described above, except that in addition to the two marker values a number of other IP and TCP header fields are analysed, as well as the TCP options, their values and their order. The resulting fingerprint is a line of the following form: 64240:128:1:52:M1460,N,W8,N,N,S:T. The fields are, in order: TCP window size, TTL, the DF flag, the total length of the SYN packet in bytes, the TCP options in the order they appear (M = MSS, N = NOP, W = window scale, S = SACK permitted, T = timestamp), and a final field of quirks. This is the fingerprint of Windows 10, and it also matches Windows 7.
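As an added example (not code from Intercepter, Satori or p0f), the following Python script builds the fingerprint line just described from a raw IPv4/TCP SYN: window size, TTL, DF flag, total packet length and the option list in order, using the p0f option letters. The trailing quirks field (the T in the Windows fingerprint) is not derived here. It also contains the coarse TTL-based guess from the earlier paragraph, including the hop-count adjustment needed once a host is not on the local segment. The two SYN packets are constructed in the script to reproduce the Windows 10 fingerprint above and the MikroTik fingerprint quoted further down the article; their addresses, ports and sequence numbers are arbitrary.

```python
"""Build a p0f/Satori-style TCP SYN fingerprint from a raw IPv4 packet.
Added example; not code from Intercepter-NG, p0f or Satori."""
import struct

# Coarse OS family by default TTL, as used in earlier Intercepter versions.
DEFAULT_TTL_FAMILY = {128: "Windows", 64: "Unix/Linux", 255: "Cisco IOS / network gear"}


def guess_os_by_ttl(ttl, same_segment=True):
    """Map a TTL to an OS family. On the local Ethernet segment the TTL is
    undecremented, so it is the OS default. For remote hosts every router
    subtracts one, so round up to the next default (assumes fewer than 64 hops)."""
    if not same_segment:
        ttl = next(d for d in (64, 128, 255) if ttl <= d)
    return DEFAULT_TTL_FAMILY.get(ttl, "unknown")


def tcp_options_sig(raw):
    """Render TCP options in p0f notation, preserving their order:
    M<mss>, N (NOP), W<shift>, S (SACK permitted), T (timestamp), E (EOL)."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            out.append("E")
            break
        if kind == 1:                       # NOP has no length byte
            out.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                           # truncated or malformed option
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            out.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3:
            out.append("W%d" % body[0])
        elif kind == 4:
            out.append("S")
        elif kind == 8:
            out.append("T")
        else:
            out.append("?%d" % kind)        # unknown option kind
        i += length
    return ",".join(out)


def syn_fingerprint(packet):
    """IPv4 + TCP SYN -> 'window:ttl:df:total_length:options'.
    The trailing quirks field of p0f/Satori signatures is not derived."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag, ttl, proto = struct.unpack("!HHHBB", packet[2:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:              # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    df = 1 if frag & 0x4000 else 0
    return "%d:%d:%d:%d:%s" % (window, ttl, df, total_len, tcp_options_sig(tcp[20:data_off]))


def classify_syn(packet):
    """(fingerprint, coarse OS family) for a SYN seen on the local segment."""
    fp = syn_fingerprint(packet)
    return fp, guess_os_by_ttl(int(fp.split(":")[1]))


def build_syn(ttl, df, window, options, src="192.168.1.10", dst="192.168.1.1"):
    """Constructed test input: a minimal SYN with the given option bytes.
    Checksums stay zero because the fingerprinter never verifies them."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "options must be padded to 4 bytes"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 0x11223344, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options


# Option bytes chosen to reproduce the two fingerprints quoted in the article.
WIN10_SYN = build_syn(128, 1, 64240, bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402"))
MIKROTIK_SYN = build_syn(64, 1, 14480, bytes.fromhex("020405b4" "0402" "080a0011223300000000" "01" "030305"))

if __name__ == "__main__":
    for pkt in (WIN10_SYN, MIKROTIK_SYN):
        print(classify_syn(pkt))
```

Note how the total length already encodes the option layout (20-byte IP header, 20-byte TCP header, 12 or 20 bytes of options), so two stacks that choose the same options in a different order still produce different strings; that order is most of what separates OS families in these databases.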

After carefully examining the entire TCP fingerprint database, it became clear that using it can indeed improve OS-detection accuracy, but the initial expectations were not met: many fingerprints match several versions of operating systems, so choosing among the candidates is extremely difficult.

Such fingerprinting systems were originally created as a universal way of determining the OS, applicable to traffic from different networks, including global ones, where a parameter such as the MAC address carries no meaning. But Intercepter works strictly in an Ethernet environment, where every device is directly reachable and has a unique MAC.

If we add the first 3 bytes of the MAC address (the OUI) to the TCP fingerprint, we get an almost unique record that allows us to determine with high accuracy not so much the operating system as the device model! At a minimum this applies to smartphones, tablets and other office network devices such as routers, printers and so on. This significantly increases the value of network fingerprints. The only difficulty is collecting the database of records...



The problem can be solved in several ways:

1.

A button has been added to the Intercepter settings that generates a fingerprint of your device; just copy it and send it to me by e-mail.

The main thing is to make sure that MAC address randomization is disabled, otherwise the fingerprint will be completely useless.

Pros: requires no special effort.
Cons: only rooted Android devices can be fingerprinted this way.

2.

X-Scan. If there is at least one open port, a fingerprint of the device under investigation is displayed when the scan completes and is automatically copied to the clipboard. If you are able to find out the OS version and/or device model, label the fingerprint and send it by e-mail.

Pros: the additional information displayed in this mode can help determine the device model and form a fingerprint even if you do not know what is in front of you.
Cons: low coverage, one fingerprint per scan.

3.

Intercepter-NG 1.0+. I released a small update that adds fingerprint output to Smart Scan. There are various fixes and improvements over the previous version 1.0, including the EternalBlue checker added to X-Scan and an updated OUI database. Remember to install Npcap.

Pros: allows you to get fingerprints for a large number of devices on the network at once.
Cons: only a limited list of the most common ports is scanned.

An example of a complete fingerprint (OUI, then the TCP fingerprint, then the OS and device model after the equals sign): CC2DE0;14480:64:1:60:M1460,S,T,N,W5:ZAT=Linux 3.x;MikroTik RB750Gr3

At this initial stage, fingerprints are needed even from ordinary computers that have no specific model. The so-called generic fingerprints, which cover a family of operating systems across several versions, need to be filled in as well.
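An added example (my own code, not Intercepter's) of how such a database could be queried once it exists: OUI plus TCP fingerprint yields a concrete device entry; a fingerprint with an unknown OUI falls back to a generic entry; and a randomized (locally administered) MAC is recognised and its OUI ignored, which is why the article asks for randomization to be turned off before submitting. The MikroTik line is the article's own example; the two "Example" entries, the `*` marker used here for generic entries without an OUI, and the MAC addresses are constructed for the example.

```python
"""Resolve a host to a device model from OUI + TCP fingerprint.
Added example; not Intercepter-NG code."""

# Entry format from the article: OUI;tcp_fingerprint=OS;model
# The MikroTik line is the article's example. The two "Example" entries and
# the '*' convention for generic (OUI-less) entries are constructed here.
SAMPLE_DB = """
CC2DE0;14480:64:1:60:M1460,S,T,N,W5:ZAT=Linux 3.x;MikroTik RB750Gr3
A0B1C2;64240:128:1:52:M1460,N,W8,N,N,S:T=Windows 10;Example Laptop
D4E5F6;64240:128:1:52:M1460,N,W8,N,N,S:T=Windows 7;Example Desktop
*;64240:128:1:52:M1460,N,W8,N,N,S:T=Windows 7/10;generic
"""


def parse_db(text):
    """Return ({(oui, fp): [labels]}, {fp: [labels]}) for exact and generic entries."""
    exact, generic = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, label = line.partition("=")
        oui, _, fp = key.partition(";")
        oui = oui.upper()
        if oui == "*":
            generic.setdefault(fp, []).append(label)
        else:
            exact.setdefault((oui, fp), []).append(label)
    return exact, generic


def oui_of(mac):
    """First three bytes of a MAC as upper-case hex, e.g. 'CC2DE0'."""
    return "".join(mac.upper().replace("-", ":").split(":"))[:6]


def is_locally_administered(mac):
    """Randomised MACs set bit 0x02 of the first octet, so their 'OUI'
    identifies no vendor and must not be used for matching."""
    return bool(int(oui_of(mac)[:2], 16) & 0x02)


def identify(mac, fp, db):
    """Best available identification, most specific first:
    'device'  : OUI + TCP fingerprint matched a concrete model
    'generic' : only the OS family is known for this TCP fingerprint
    'tcp_only': no generic entry; list every model sharing the fingerprint
    'unknown' : fingerprint not in the database"""
    exact, generic = db
    if not is_locally_administered(mac):
        hits = exact.get((oui_of(mac), fp))
        if hits:
            return "device", list(hits)
    if fp in generic:
        return "generic", list(generic[fp])
    shared = sorted({lab for (_, f), labs in exact.items() if f == fp for lab in labs})
    return ("tcp_only", shared) if shared else ("unknown", [])


DB = parse_db(SAMPLE_DB)

if __name__ == "__main__":
    print(identify("cc:2d:e0:11:22:33", "14480:64:1:60:M1460,S,T,N,W5:ZAT", DB))
    print(identify("00:11:22:33:44:55", "64240:128:1:52:M1460,N,W8,N,N,S:T", DB))
    print(identify("da:a1:19:00:00:01", "14480:64:1:60:M1460,S,T,N,W5:ZAT", DB))
```

The 'tcp_only' case is the ambiguity the article describes: the same Windows fingerprint maps to two constructed models here, and only the OUI separates them.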

This database will be useful not only in Intercepter; it will also serve any other project that deals with traffic analysis, for example NetworkMiner, which is used in computer forensics. The existing databases for passive OS detection by TCP fingerprint are either very outdated or contain too few entries. There is nmap, whose database is updated one way or another, but nmap is about active scanning, which is a completely different story...

Intercepter offers a convenient and quick way to collect fingerprints without deep IT knowledge: start a scan, copy the fingerprint, label it, send it. A piece of cake.

I provide the tool; what to do with it next is up to you...

Many are interested in the fate of the main Windows version. A full update will certainly be released, but when is still unknown.

I thank AndraxBoy and other w3bsit3-dns.com users for their help in testing. Special thanks to Magomed Magomadov and Alexander Dmitrenko.

Questions, wishes and fingerprints can be sent to intercepter.mail@gmail.com. For fingerprints, use the subject line "Fingerprint".

Site: sniff.su
Mirror: github.com/intercepter-ng/mirror
Mail: intercepter.mail@gmail.com
Twitter: twitter.com/IntercepterNG
Forum: intercepterng.boards.net
Blog: intercepter-ng.blogspot.ru
