Tactical Network Injector
Datasheet
THIS DOCUMENT IS STRICTLY CONFIDENTIAL
Contents
1
2
3
Overview ..................................................................................................................3
Infection walkthrough .............................................................................................4
2.1
Intrusion ..................................................................................................... 4
2.2
Target identification .................................................................................... 4
2.3
Infection...................................................................................................... 5
Components ............................................................................................................6
Page 2 of 6
1 Overview
HackingTeam’s Tactical Network Injector (TNI) is a portable solution to infect targets connected to a
WiFi network. It provides everything needed in order to crack a WiFi network, join it, identify the
interested target and deploy the RCS Agent.
The Tactical Network Injector can be used in a wired network, as long as the TNI is able to see the
traffic of the target.
The TNI supports all the current network standards:
Band (Ghz)
2.4
5
802.11 Standard
b/g/n
a/n
To increase the range of attack, external antennas can be connected using R-SMA connectors.
The Tactical Network Injector is capable of cracking a wireless network when the password is
unknown, including cracking of WEP, WPA and WPA2 wireless protection; it includes a dictionary of
over 45 Million words for dictionary based attacks.
The TNI supports the identification of the host to be infected showing various information about all
hosts connected to the network under attack, including but not limited to IP address, hostname and
visited websites.
All devices identified as targets can be subject to different attacks, according to predetermined rules.
Infection vectors include the injection of code into visited webpages and on-the-fly melting of the RCS
Agent with executable files downloaded from the target.
Moreover, the TNI can be disguised as a regular laptop for use in undercover operations.
Full disk encryption prevents any accidental leak of information if the TNI is lost.
The Tactical Network Injector is shipped with all necessary tools for its use and protection, including a
ruggedized case for shock-protection and extra batteries that can guarantee up to 35 hours of
continuous operation.
Page 3 of 6
2 Infection walkthrough
The target infection using the Tactical Device consists of different steps: intrusion, target identification
and infection.
In the first step the operator gains access to the network, while in the following steps the target device
is identified and injected with the RCS Agent.
2.1 Intrusion
To carry out an attack against a target, the Tactical Network Injector must join the same network that
the target is using. In case the network is password protected, the TNI provides robust cracking
techniques for all the current encryption protocols.
Cracking capabilities can recover access credentials to network protected by:

Wired Equivalent Privacy (WEP): the recovery of a WEP passphrase can take as little as 3
minutes. The TNI automatically exploits protocol vulnerabilities in order to provide the user with
the WiFi password in the shortest timeframe possible;

WiFi Protected Access (WPA/WPA2): the retrieval of a WPA/WPA2 passphrase depends on its
strength. Attacks to WPA/WPA2 protected networks are based on dictionary-based attacks.
The TNI automatically covers all steps needed, from de-authenticating the target to cracking of
the password;

WiFi Protected Setup (WPS): in the case where the target router supports the WPS standard, a
special attack obtains the network credentials in the shortest timeframe, sidestepping the
above scenarios.
In the case where cracking the password is ineffective, or there is not enough time, the Tactical
Network Injector can activate a rogue Access Point to give free Internet access to anybody in the
area.
Once the network credentials are obtained or the rogue AP is active, the traffic of all users can be
monitored and any user of the TNI Access Point can be infected.
2.2 Target identification
Finding the target device is the second step in the TNI infection process. This step consists in gathering
as much information as possible on all the hosts on the network, to ease the identification of the
intended target(s).
Different information is available for each host to aid the identification:

MAC Address

IP Address

Hostname

Operating System
Page 4 of 6

Browser in use

History of visited websites
With all this information, the operator can easily find the target host. The history of visited websites
provides useful hints to better prepare the following step, the Infection.
2.3 Infection
The infection methods provided by the Tactical Network Injector are configured defining specific rules.
The TNI provides many attacks, targeting different resources commonly used on the Web:

Web Pages: when the target visit any website on the Internet, the TNI injects additional code
to install the RCS Agent;

Applications: when an application is downloaded, the TNI appends the RCS Agent to the file.
When the application is executed, the Agent is installed on the device;

YouTube: the target user is infected when viewing videos on YouTube. TNI forces the Adobe
Flash upgrade, once accepted RCS Agent is installed on the computer. This attack is effective
since YouTube is considered a trusted source.

Resource replacement: You can replace any file on the web with a different file. I.e. it is
possible to replace any .doc file downloaded by the target user with a .doc previously built and
containing a zero-day exploit.
Page 5 of 6
3 Components
The Tactical Network Injector is presented in a ruggedized briefcase with all components to
support tactical operations.
The TNI briefcase contains:
Component
Notebook (Dell E6330)
Battery 97 Wh (Dell)
Battery 60 Wh (Dell)
Battery 30 Wh (Dell)
Car + Plain chargers (Dell)
Network card RJ45 external
Network card Wi-Fi external
Network card Wi-Fi internal (replacement)
USB extension cable 1 Mt
USB extension cable 3 Mt
B
A
G
Rugged bag
Shoulder belt
Internal sponge
Page 6 of 6