Full Report
Intercepter-NG is a multi-functional network toolkit, including an Android app; its main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks. This refers specifically to the Intercepter-NG Console Edition, which works on a range of systems including NT, Linux, BSD, MacOSX, IOS and Android. The Windows […]
Analysis Summary
# Tool/Technique: Intercepter-NG
## Overview
Intercepter-NG is a multi-functional network toolkit designed to recover interesting data from network streams and perform various Man-in-the-Middle (MiTM) attacks. It is available across multiple platforms, including a dedicated Android application.
## Technical Details
- Type: Tool
- Platform: NT, Linux, BSD, MacOSX, IOS, Android (Console Edition is widely supported)
- Capabilities: Network sniffing, credential harvesting, various MiTM attacks, packet capturing/analysis.
- First Seen: Information not explicitly provided in the text, but the article is dated August 30, 2018.
## MITRE ATT&CK Mapping
Based on its functionality as a network sniffing and MiTM tool targeting authentication protocols and data interception:
- **TA0008 - Lateral Movement**
  - T1090 - Proxy
    - T1090.004 - Multi-hop Proxy (Implied through network bridging/relay capabilities like SSLSTRIP, SMB Relay)
- **TA0010 - Exfiltration**
  - T1048 - Exfiltration Over Alternative Protocol (Implied through sniffing and data reconstruction)
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (Via sniffing protocols like NTLM, Kerberos)
- **TA0007 - Discovery**
  - T1046 - Network Service Discovery (Via Scanning functionalities like ARP, DHCP, Gateway Scanning)
- **TA0001 - Initial Access**
  - T1557 - Man-in-the-Middle
    - T1557.001 - ARP Spoofing (Via ARP Cage/ARP Spoofing capabilities)
## Functionality
### Core Capabilities
- **Network Sniffing:** Capturing and sniffing passwords or hashes for numerous protocols including ICQ, IRC, AIM, FTP, IMAP, POP3, SMTP, LDAP, BNC, SOCKS, HTTP, WWW, NNTP, CVS, TELNET, MRA, DC++, VNC, MYSQL, ORACLE, NTLM, KRB5, and RADIUS.
- **Chat Message Sniffing:** Recovering chat messages from ICQ, AIM, JABBER, YAHOO, MSN, IRC, MRA.
- **File Reconstruction:** Reconstructing files transferred over HTTP, FTP, IMAP, POP3, SMTP, SMB.
- **Scanning:** Performing Promiscuous-mode, ARP, DHCP, Gateway, Port, and Smart Scanning.
- **Packet Analysis:** Capturing packets and performing post-capture (offline) analysis in RAW Mode.
### Advanced Features
- **Remote Capturing:** Remote traffic capturing via RPCAP daemon and PCAP Over IP.
- **MiTM Techniques:** Implementation of ARP, DNS over ICMP, DHCP, SSL, **SSLSTRIP**, WPAD, **SMB Relay**, SSH MiTM.
- **Injection/Relay Attacks:** SMB Hijack, LDAP Relay, MySQL LOAD DATA Injection.
- **Exploits/Specific Attacks:** ARP Watch, ARP Cage, HTTP Injection, **Heartbleed exploit**, **Kerberos Downgrade**, Cookie Killer.
- **Spoofing:** DNS, NBNS, LLMNR Spoofing.
- **Platform Support:** Comprehensive support across desktop/server OSes (Windows NT variants, Linux, BSD, MacOSX) and mobile (IOS, Android).
## Indicators of Compromise
*Note: Specific hashes/file names for the 2018 release links are not included as they are download links, but generic indicators for the tool execution are listed.*
- File Hashes: [N/A specific to tested version found in context]
- File Names: `Intercepter-NG.v1.0.zip` (Windows), `Intercepter-NG.2.0.apk` (Android)
- Registry Keys: [N/A]
- Network Indicators: [N/A specific C2 or domain identified, as it is a passive scanning/MiTM tool]
- Behavioral Indicators: High network traffic generation during active sniffing/capturing phases; attempts to send forged ARP, DHCP, or DNS replies to redirect traffic.
## Associated Threat Actors
The provided context does not associate Intercepter-NG with specific named Advanced Persistent Threat (APT) groups. It is generally categorized as an open-source hacking or penetration testing tool.
## Detection Methods
- **Signature-based detection:** Signatures for the known executable/APK filenames (`Intercepter-NG.*`).
- **Behavioral detection:** Monitoring for system calls related to promiscuous interface mode activation or abnormal ARP/DNS packet generation characteristic of spoofing techniques (ARP Spoofing, LLMNR poisoning).
- **YARA rules:** Not specified in the text.
## Mitigation Strategies
- **Prevention measures:** Use the tool only in controlled/authorized penetration testing environments.
- **Hardening recommendations:**
- Utilize end-to-end encryption (HTTPS/TLS 1.2+) for all network communications to nullify cleartext sniffing and SSLSTRIP attacks.
- Employ Network Access Control (NAC) or use static ARP entries in critical segments to defend against ARP spoofing.
- Disable LLMNR/NBNS where they are not required, so that name resolution relies on DNS servers only.
- Use strong authentication protocols that do not expose easily sniffable hashes (e.g., avoid the legacy protocols listed above).
## Related Tools/Techniques
- Hijacker – Reaver For Android Wifi Hacker App
- BootStomp (Vulnerability Scanner)
- General Network Sniffers (e.g., Wireshark, tcpdump)
- MiTM frameworks (e.g., Bettercap, Ettercap, ZAP's SSLStrip proxy functionality)