What you should know about Tactical Control Center

Introduction

Tactical Control Center is an application installed on a notebook; the notebook is called Tactical Network Injector.

It can infect devices in a WiFi or wired network using RCS identification and injection rules. Device identification can be automatic or manual. In the latter case, the operator recognizes the device to be infected and runs the command that applies the injection rules to that device.

The identification method should be agreed with the operating center.

Tactical Control Center operations

With Tactical Control Center you can:

NOTE: the injection network can be an external network or an open WiFi network simulated by Tactical Control Center.

Synchronization with RCS server

Tactical Control Center synchronizes with RCS to receive updated infection rules, to check whether a new version of Tactical Control Center is available, and to send logs.

Synchronization can occur in two ways:

During synchronization, RCS communicates with Tactical Network Injector at set intervals of time (about 30 sec.).

In Tactical Control Center, decide when to enable synchronization using the Network Injector function.

Updating infection rules

If traffic generated by the target cannot be infected with the current rules, request operator assistance on RCS Console to generate new rules and update Network Injector. At the next synchronization, Tactical Control Center receives the new rules and they can be viewed and enabled for injection.

Using network interfaces

Two different network interfaces are available during an attack, one for sniffing and one for injection. Using two separate interfaces is recommended to guarantee continuity, especially for sniffing.

Only the sniffing interface is used when emulating the Access Point and acquiring network passwords.

Sniffing interfaces can be internal or external: external interfaces are recommended for sniffing because transmission speed is higher.

Infection via automatic identification

The steps needed to infect devices automatically identified by RCS rules are described below. The attack can be run on wired or WiFi networks:

| Phase | Description | Where |
|---|---|---|
| 1 | Prepare identification and injection rules for known targets to be attacked. Send the rules to Tactical Network Injector. | RCS Console, System, Network Injectors |
| 2 | Enable synchronization with RCS to receive updated rules and enable the rules to be used for injection. | Tactical Network Injector, Network Injector |
| 3 | If target devices are connected to a protected WiFi network, acquire the password. | Tactical Network Injector, Wireless Intruder |
| 4 | The system sniffs traffic, identifies target devices thanks to identification rules and infects them thanks to injection rules. | Tactical Network Injector, Network Injector |
| 5 | If necessary, force re-authentication on devices not identified by the rules. | |

Infection via manual identification

Following are the steps required to infect manually identified devices. The operator's goal is to identify target devices.

The attack can be run on wired or WiFi networks:

| Phase | Description | Where |
|---|---|---|
| 1 | Prepare identification rules that include manual identification and injection rules for all the target devices to be attacked. Send the rules to Tactical Network Injector. | RCS Console, System, Network Injectors |
| 2 | Enable synchronization with RCS to receive updated rules and enable the rules to be used for injection. | Tactical Network Injector, Network Injector |
| 3 | If target devices are connected to a protected WiFi network, acquire the password. | Tactical Network Injector, Wireless Intruder |
| 4 | If target devices can connect to an open WiFi network, try emulating an Access Point known by the target. | Tactical Network Injector, Fake Access Point |
| 5 | The system proposes all devices connected to the selected network interface. Use filters to search for target devices or check the web chronology for each device. | Tactical Network Injector, Network Injector |
| 6 | Select devices and infect them. | |

Protected WiFi network password acquisition

If the target device is connected to a protected WiFi network, the access password must be obtained to log in.

The Wireless Intruder function lets you connect to a WiFi network and crack the password. For WPA and WPA 2 protected networks, an additional dictionary can be loaded alongside the standard dictionary. The password is displayed and the operator can copy it to use it with the sniffing and injection function (Network Injector function).

Forcing unknown device authentication

You may not be able to connect to some devices in a password protected WiFi network. These types of devices appear in the list as unknown.

In this case, their authentication can be forced: the device will disconnect from the network, reconnect and be identified.

Infection via automatic identification

This work mode is suited to situations where some target device information is known (e.g., IP address).

In this case, RCS injection rules include all the data required to automatically identify target devices. For each injection, enable only the rules required at that time.

When automatic identification is started using the Network Injector function, target devices are gradually displayed and are immediately infected by the injection rules.

Infection via manual identification

Manual identification can be specified in RCS identification rules. This procedure is frequently run when there is no information on the device to be infected and it must be identified in the field.

In this case, a series of functions to select devices connected to the network is available to the operator:

Once target devices are identified, simply select them to start infection; the identification rules are "customized" with the device data to allow injection rules to be applied.

Setting filters on tapped traffic

When manually identifying targets, some targets may not be identified among those connected to the network. In this case, use the Network Injector function to set filters on tapped traffic.

Tactical Control Center provides two types of filters:

Filter with regular expression

Regular expressions are broad filters. For example, if our target is visiting a Facebook page and talking about windsurf, simply enter "facebook" or "windsurf".

Tactical Network Injector taps all traffic data and searches for the entered words.

For further information on all admitted regular expressions, see https://en.wikipedia.org/wiki/Regular_expression.

BPF (Berkeley Packet Filter) network filter

This is used to more accurately filter devices using BPF syntax. This syntax includes key words accompanied by qualifiers:

For example, if our target is visiting a Facebook page, enter "host facebook.com".

For further details on syntax qualifiers, see http://wiki.wireshark.org/CaptureFilters.

Identifying the target by analyzing chronology

Another way to filter and shorten the list of possible targets is to analyze device web traffic to identify it as the target.

Emulating an Access Point known by the target

In certain scenarios, target devices must be attracted in order to tap their data, identify them and infect them.

To do this, Tactical Network Injector emulates an Access Point already known to the target device.

This way, if the device is enabled to automatically connect to available WiFi networks, it automatically connects to the Access Point emulated by Tactical Network Injector as soon as it enters the WiFi area.
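
Seen from the network owner's side, the emulated Access Point described above shows up as a saved network name advertised by an unfamiliar radio, often without encryption. The following added example (not part of the original guide or of RCS) flags such beacons in a WiFi scan; the profile table, scan records and function name are constructed for illustration.

```python
# Added example: flag beacons that imitate a saved network (all data constructed).
from dataclasses import dataclass

# Rank of link-layer protection; a lower rank than the saved profile is a downgrade.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str

# Hypothetical saved profiles: expected security and the BSSIDs of the real APs.
KNOWN_NETWORKS = {
    "CorpWiFi": {"security": "WPA2", "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"}},
    "CafeGuest": {"security": "OPEN", "bssids": {"66:77:88:99:aa:bb"}},
}

# Constructed scan results, as a WiFi survey tool might report them.
SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:55", "WPA2"),   # legitimate AP
    Beacon("CorpWiFi", "02:de:ad:be:ef:01", "OPEN"),   # same name, open, unknown radio
    Beacon("CafeGuest", "02:de:ad:be:ef:02", "OPEN"),  # same name, unknown radio
    Beacon("Neighbour", "aa:bb:cc:dd:ee:ff", "WPA2"),  # not a saved network, ignored
]

def flag_suspect_aps(known, scan):
    """Return (ssid, bssid, reasons) for beacons that imitate a saved network."""
    findings = []
    for b in scan:
        profile = known.get(b.ssid)
        if profile is None:
            continue  # clients only auto-join networks they already know
        reasons = []
        # Unrecognised security labels rank as 0, i.e. are treated like an open network.
        if SECURITY_RANK.get(b.security.upper(), 0) < SECURITY_RANK[profile["security"]]:
            reasons.append("security-downgrade")
        if b.bssid.lower() not in profile["bssids"]:
            reasons.append("unknown-bssid")
        if reasons:
            findings.append((b.ssid, b.bssid, reasons))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reasons in flag_suspect_aps(KNOWN_NETWORKS, SCAN):
        print(f"{ssid} {bssid}: {', '.join(reasons)}")
```

An unknown BSSID on its own also occurs when a legitimate AP is replaced or added, so the security-downgrade finding is the stronger signal.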

Unlocking the operating system password

An operating system password can be unlocked. To learn more see "What you should know about unlocking the operating system password".

Remote access to Tactical Control Center

Tactical Control Center can also be remotely accessed. To learn more, see "What you should know about Control Center remote access".

 

RCS9.3 | User's and Installation Guide | © COPYRIGHT 2013