Injection rule data

Data that define the available infection rules are described below:

Data Description

Enabled

If selected, the rule will be sent to the Network Injector.

If not selected, the rule is saved but not sent.

Disable on sync

If selected, the rule is disabled after the first synchronization of the agent defined in the rule.

If not selected, the Network Injector continues to apply the rule, even after the first synchronization.

Probability

Probability (in percent) of applying the rule after the first infected resource.

0%: after infecting the first resource, Network Injector will no longer apply this rule.

100%: after infecting the first resource, Network Injector will always apply this rule.

Tip: if a value over 50% is selected, we recommend you use the Disable on sync option.

Target

Name of the target to be infected.

Ident

Target's HTTP connection identification method.

NOTE: Network Injector cannot monitor FTP or HTTPS connections.

Each method is described below:

Data Description

STATIC-IP

Static IP assigned to the target.

STATIC-RANGE

Range of IP addresses assigned to the target.

STATIC-MAC

Target's static MAC address, both Ethernet and WiFi.

DHCP

Target's network interface MAC address.

RADIUS-LOGIN

RADIUS user name. User-Name (RADIUS 802.1x).

RADIUS-CALLID

RADIUS caller ID. Calling-Station-Id (RADIUS 802.1x).

RADIUS-SESSID

RADIUS session ID. Acct-Session-Id (RADIUS 802.1x).

RADIUS-TECHKEY

RADIUS key. NAS-IP-Address: Acct-Session-Id (RADIUS 802.1x).

STRING-CLIENT

Text string to be identified in the data traffic from the target.

STRING-SERVER

Text string to be identified in the data traffic to the target.

TACTICAL

The target is not automatically identified but can be identified by the operator on Tactical Network Injector. Only after the device is identified by the operator is the Ident field customized with the data received from the device.

Pattern

Target's traffic identification method. The format depends on the type of Ident selected.

Method Format

DHCP, STATIC-IP, STATIC-MAC

Corresponding address (e.g. "195.162.21.2").

STATIC-RANGE

Address range separated by '-' (e.g. "195.162.21.2-195.162.21.5").

STRING-CLIENT, STRING-SERVER

Text string (e.g. "John@gmail.com").

RADIUS-CALLID

ID or part of the ID.

RADIUS-LOGIN

Name or part of the user name.

RADIUS-SESSID

ID or part of the ID.

RADIUS-TECHKEY

Key or part of the key (e.g. "*.10.*").

TACTICAL

A value cannot be set. The correct value will be set by the field operator.

Action

Infection method that will be applied to the resource indicated in Resource pattern:

Method Function

INJECT-EXE

Infects the downloaded EXE file in real time. The agent is installed when the target runs the EXE file.

INJECT-HTML-FILE

Inserts the HTML code provided in the file into the visited web page.

Please contact HackingTeam technicians for further details.

INJECT-HTML-FLASH

Blocks videos on YouTube and requires the user to install a fake Flash update to view them. The agent is installed when the target installs the update.

REPLACE

Replaces the resource set in the Resource pattern with the supplied file.

Tip: this type of action is very effective when used in combination with Exploit generated documents.

Resource Pattern

Identification method of the resource to be injected, applied to the Web resource URL. The format depends on the type of Action selected.

Action type Resource Pattern Content

INJECT-EXE

URL of the executable file to be infected. Use wildcards to increase the number of matching URLs.

Examples of possible formats:

*[nameExe]*.exe

www.mozilla.org/firefox/download/firefoxsetup.exe

NOTE: when a full path is specified, watch for any mirrors that websites use to serve downloads (e.g. "firefox.exe?mirror=it").

Tip: enter *.exe* to infect all executable files, regardless of the URL.

IMPORTANT: if, for example, *exe* is entered without the '.' file extension separator, all pages that happen to contain the letters "exe" will be injected.

INJECT-HTML-FILE

URL of the website to be infected.

Examples of possible formats:

www.oracle.com/

www.oracle.com/index.html

NOTE: the site address must include the final '/' character if an HTML or dynamic page is not specified (e.g. "www.oracle.com/").

NOTE: a redirect page cannot be infected. Check the browser for the correct site path before using it in a rule.

INJECT-HTML-FLASH

Preset for YouTube and read-only by the user.

REPLACE

URL of a resource to be replaced.

Factory

For all actions except REPLACE. Agent to be injected into the selected Web resource.

File

For REPLACE Action only. File that replaces the resource indicated in Resource pattern.
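
Seen from the defending side, the NOTE under Ident (HTTPS and FTP connections are not monitored) and the Resource Pattern formats mean that only resources fetched over cleartext HTTP match these rules. The following added example, which is not part of the guide, lists such requests from a web proxy log; the log format, the hostnames and the function name exposed_requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<client> <method> <url> <content-type>"
SAMPLE_LOG = """\
10.0.0.5 GET http://dl.example.test/firefox/download/firefoxsetup.exe application/octet-stream
10.0.0.5 GET http://dl.example.test/firefox.exe?mirror=it application/x-msdownload
10.0.0.7 GET https://dl.example.test/tool.exe application/octet-stream
10.0.0.7 GET http://www.example.test/ text/html
10.0.0.9 GET http://www.example.test/executive-summary.pdf application/pdf
10.0.0.9 GET ftp://files.example.test/setup.exe application/octet-stream
"""

# MIME types commonly served for Windows executables
EXE_TYPES = {"application/x-msdownload",
             "application/vnd.microsoft.portable-executable"}


def exposed_requests(log_text):
    """Return (client, url, kind) for requests fetched over cleartext HTTP
    whose resource type matches one the rule actions operate on."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        client, _method, url, ctype = parts
        parsed = urlsplit(url)
        # The guide states HTTPS and FTP connections are not monitored,
        # so only plain HTTP requests are reported.
        if parsed.scheme.lower() != "http":
            continue
        # Match on the parsed path so "firefox.exe?mirror=it" is caught and
        # "executive-summary.pdf" is not (a bare "exe" substring would hit it).
        path = parsed.path.lower()
        ctype = ctype.lower()
        if path.endswith(".exe") or ctype in EXE_TYPES:
            findings.append((client, url, "exe"))
        elif ctype.startswith("text/html"):
            findings.append((client, url, "html"))
    return findings


if __name__ == "__main__":
    for client, url, kind in exposed_requests(SAMPLE_LOG):
        print(f"{kind:4} {client} {url}")
```

Requests reported as "exe" or "html" are candidates for moving to HTTPS-only delivery or for hash verification of the downloaded file against a value obtained over an authenticated channel.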

 

RCS9.3 | User's and Installation Guide | © COPYRIGHT 2013