Tactical Control Center is an application installed on a notebook, called Tactical Network Injector.
It can infect devices in a WiFi or wired network thanks to RCS identification and injection rules. Device identification can be automatic or manual. In the latter case, the operator recognizes the device to be infected and runs the injection rule application command for that device.
The identification method should be agreed with the operating center.
With Tactical Control Center you can:
NOTE: the injection network can be an external network or an open WiFi network simulated by Tactical Control Center.
Tactical Control Center synchronizes with RCS to receive the updated infection rules, to check whether a new version of Appliance Control Center is available, and to send logs.
Synchronization can occur in two ways:
During synchronization, Network Injector communicates with RCS at set intervals (about 30 sec.).
Communication is via an Anonymizer. In the Tactical Control Center System Management tab, set the Anonymizer to be used for RCS synchronization and decide when to enable synchronization.
An authentication key must be installed on Network Injector to securely communicate with the RCS server. The key must be generated when the Network Injector object is created on RCS Console and installed via Tactical Control Center at the first Network Injector synchronization with RCS.
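Seen from the monitoring side, the roughly 30-second synchronization interval described above produces a steady check-in pattern toward a single address (the Anonymizer). The sketch below is an added example, not part of the manual or of RCS. It assumes flow or proxy records are available for the network concerned. The function name, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_periodic_flows(events, period=30.0, tolerance=5.0,
                        max_jitter=3.0, min_events=6):
    """Return (src, dst, mean_gap) for host pairs that connect at a steady period.

    events: iterable of (timestamp_seconds, src_ip, dst_ip) from flow or proxy logs.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few connections to call the pattern periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Steady check-ins: mean gap close to the period and low spread.
        if abs(avg - period) <= tolerance and pstdev(gaps) <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return sorted(hits)

# Constructed sample flow records (documentation address ranges).
SAMPLE_EVENTS = (
    [(t, "10.0.0.23", "203.0.113.50") for t in (0, 30, 61, 90, 121, 150, 180, 211)]
    + [(t, "10.0.0.40", "198.51.100.7") for t in (3, 5, 48, 49, 200, 420, 421)]
    + [(t, "10.0.0.41", "198.51.100.9") for t in (0, 300, 600, 900, 1200, 1500)]
)

if __name__ == "__main__":
    for src, dst, gap in find_periodic_flows(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: steady check-in every ~{gap}s")
```

Plenty of legitimate software polls on a fixed timer, so a hit is a lead for review and is best combined with an allowlist of known update and telemetry endpoints.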
If traffic generated by the target cannot be infected with the current rules, request operator assistance on RCS Console to generate new rules and update Network Injector. At the next synchronization, Tactical Control Center receives the new rules and they can be viewed and enabled for injection.
Two different network interfaces are available during an attack, one for sniffing and one for injection. Using two separate interfaces is recommended to guarantee continuity, especially for sniffing.
Only the sniffing interface is used when emulating the Access Point and acquiring network passwords.
Sniffing interfaces can be internal or external: external interfaces are recommended for sniffing because transmission speed is higher.
The steps needed to infect devices automatically identified by RCS rules are described below. The attack can be run on wired or WiFi networks:
Phase | Description | Where |
---|---|---|
1 | Prepare identification and injection rules for known targets to be attacked. Send the rules to Tactical Network Injector. | RCS Console, System, Network Injectors |
2 | Enable synchronization with RCS to receive updated rules and enable the rules to be used for injection. | Tactical Network Injector, Network Injector |
3 | If target devices are connected to a protected WiFi network, acquire the password. | Tactical Network Injector, Wireless Intruder |
4 | The system sniffs traffic, identifies target devices thanks to identification rules and infects them thanks to injection rules. | Tactical Network Injector, Network Injector |
5 | If necessary, force re-authentication on devices not identified by the rules. |
Following are the steps required to infect manually identified devices. The operator's goal is to identify target devices.
The attack can be run on wired or WiFi networks:
Phase | Description | Where |
---|---|---|
1 | Prepare identification rules that include manual identification and injection rules for all the target devices to be attacked. Send the rules to Tactical Network Injector. | RCS Console, System, Network Injectors |
2 | Enable synchronization with RCS to receive updated rules and enable the rules to be used for injection. | Tactical Network Injector, Network Injector |
3 | If target devices are connected to a protected WiFi network, acquire the password. | Tactical Network Injector, Wireless Intruder |
4 | If target devices can connect to an open WiFi network, try emulating an Access Point known by the target. | Tactical Network Injector, Fake Access Point |
5 | The system proposes all devices connected to the selected network interface. Use filters to search for target devices or check the web chronology for each device. | Tactical Network Injector, Network Injector |
6 | Select devices and infect them. |
If the target device is connected to a protected WiFi network, the access password must be obtained to log in.
The Wireless Intruder function lets you connect to a WiFi network and crack the password. For WPA and WPA2 protected networks, a dictionary can be loaded in addition to the standard dictionary. The password is displayed and the operator can copy it to use it with the sniffing and injection function (Network Injector function).
You may not be able to connect to some devices in a password protected WiFi network. These types of devices appear in the list as unknown.
In this case, their authentication can be forced: the device will disconnect from the network, reconnect and be identified.
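The forced re-authentication described above is visible to a wireless sensor as a burst of deauthentication frames followed by the same station rejoining. The detector below is an added example, not part of the manual or of RCS. The subtype labels, thresholds and sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def find_forced_reauth(frames, window=10.0, min_deauth=5, rejoin_within=15.0):
    """Flag stations that rejoin an AP shortly after a deauthentication burst.

    frames: time-ordered (timestamp, subtype, bssid, client) tuples, where subtype
    is "deauth", "assoc-req" or "reassoc-req" as labelled by the sensor's parser.
    """
    recent = defaultdict(deque)  # (bssid, client) -> deauth times inside the window
    burst_at = {}                # (bssid, client) -> time the threshold was last met
    alerts = []
    for ts, subtype, bssid, client in frames:
        if subtype == "deauth":
            q = recent[(bssid, client)]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= min_deauth:
                burst_at[(bssid, client)] = ts
        elif subtype in ("assoc-req", "reassoc-req"):
            # A burst may address one station or every station on the AP.
            for key in ((bssid, client), (bssid, BROADCAST)):
                start = burst_at.get(key)
                if start is not None and ts - start <= rejoin_within:
                    alerts.append((bssid, client, ts))
                    break
    return alerts

# Constructed sample: one burst followed by a rejoin, one ordinary disconnect.
SAMPLE_FRAMES = (
    [(100 + i * 0.5, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01")
     for i in range(6)]
    + [(104.0, "reassoc-req", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
       (200.0, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"),
       (201.0, "assoc-req", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02")]
)

if __name__ == "__main__":
    for bssid, client, ts in find_forced_reauth(SAMPLE_FRAMES):
        print(f"{client} rejoined {bssid} at {ts} after a deauth burst")
```

Enabling 802.11w Protected Management Frames on the access points makes clients that support it discard unauthenticated deauthentication frames.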
This work mode is suited for situations when some target device information is known (e.g., IP address).
In this case, RCS injection rules include all the data required to automatically identify target devices. Only enable all rules required at that time for each injection.
Starting automatic identification using the Network Injector function gradually displays target devices that are immediately infected by the injection rules.
Manual identification can be specified in RCS identification rules. This procedure is frequently run when there is no information on the device to be infected and it must be identified in the field.
In this case, a series of functions to select devices connected to the network is available to the operator:
Once target devices are identified, simply select them to start infection; the identification rules are "customized" with the device data to allow injection rules to be applied.
NOTE: devices that were already infected via automatic identification can be manually infected.
When manually identifying targets, some targets may not be identified among those connected to the network. In this case, use the Network Injector function to set filters on tapped traffic.
Tactical Control Center provides two types of filters:
Regular expressions are broad filters. For example, if our target is visiting a Facebook page and talking about windsurf, simply enter "facebook" or "windsurf".
Tactical Network Injector taps all traffic data and searches for the entered words.
For further information on all admitted regular expressions, see https://en.wikipedia.org/wiki/Regular_expression .
This is used to more accurately filter devices using BPF syntax. This syntax includes key words accompanied by qualifiers:
For example, if our target is visiting a Facebook page, enter "host facebook.com"
For further details on syntax qualifiers, see http://wiki.wireshark.org/CaptureFilters.
Another way to filter and shorten the list of possible targets is to analyze device web traffic to identify it as the target.
In certain scenarios target devices must be attracted to tap their data, identify and infect them.
To do this, Tactical Network Injector emulates an Access Point already known to the target device.
This way, if the device is enabled to automatically connect to available WiFi networks, it automatically connects to the Access Point emulated by Tactical Network Injector as soon as it enters the WiFi area.
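The Access Point emulation described above depends on two conditions a defender can check: a known network name being advertised by an access point that is not in the inventory, and client devices that keep open networks saved with automatic connection. The checks below are an added example, not part of the manual or of RCS. The inventory, scan observations and profile fields are constructed assumptions.

```python
# Constructed inventory, sensor scan and client profile list.
BASELINE = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"},
    "Guest": {"bssids": {"aa:bb:cc:00:00:10"}, "security": "OPEN"},
}
SAMPLE_SCAN = [
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CorpWiFi", "bssid": "02:11:22:33:44:55", "security": "OPEN"},
    {"ssid": "Guest", "bssid": "AA:BB:CC:00:00:10", "security": "OPEN"},
    {"ssid": "CoffeeShop", "bssid": "02:aa:aa:aa:aa:aa", "security": "OPEN"},
]
SAMPLE_PROFILES = [
    {"ssid": "CorpWiFi", "security": "WPA2", "autoconnect": True},
    {"ssid": "Airport_Free", "security": "OPEN", "autoconnect": True},
    {"ssid": "Hotel", "security": "OPEN", "autoconnect": False},
]

def find_suspect_aps(scan, baseline):
    """Return (ssid, bssid, reasons) for beacons that reuse an inventoried SSID
    with a BSSID or security mode that differs from the inventory."""
    findings = []
    for ap in scan:
        known = baseline.get(ap["ssid"])
        if known is None:
            continue  # SSID is not one we manage
        bssid = ap["bssid"].lower()
        reasons = []
        if bssid not in known["bssids"]:
            reasons.append("unknown-bssid")
        if ap["security"] != known["security"]:
            reasons.append("security-mismatch")
        if reasons:
            findings.append((ap["ssid"], bssid, reasons))
    return findings

def find_risky_profiles(profiles):
    """Saved client networks that are open and joined automatically."""
    return sorted(p["ssid"] for p in profiles
                  if p["security"] == "OPEN" and p["autoconnect"])

if __name__ == "__main__":
    for finding in find_suspect_aps(SAMPLE_SCAN, BASELINE):
        print("suspect AP:", finding)
    print("open auto-join profiles:", find_risky_profiles(SAMPLE_PROFILES))
```

A BSSID can be copied, so a matching address does not prove an access point is legitimate. Removing open auto-join profiles from clients addresses the automatic connection itself.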
Unlocking the operating system password
An operating system password can be unlocked. To learn more see "What you should know about unlocking the operating system password".
Remote access to Tactical Control Center
Tactical Control Center can also be remotely accessed. To learn more, see "What you should know about Control Center remote access".
RCS9.5 | User manual | © COPYRIGHT 2014