RCS Installation

Delivery Training
Agenda
• RCS Overview
• RCS Architecture and Components
• RCS Installation
• RCS Configuration
• Hands On
• Infection Vectors
• Hands On
• TNI and NIA
• Hands On
• Intelligence
• Monitor
• Test
• Q&A
RCS Overview
• Ethical Hacking Solution for governmental agencies
• A software agent installed on the device to monitor the device
  - able to hide itself inside the target devices
  - enables both active data monitoring and process control
  - designed to be polymorphic, to evade common Anti-Viruses and Anti-Rootkits
  - designed to evade encryption
• Evidence collection on monitored devices is stealthy
• Transmission of collected data from the device to the RCS server is encrypted and untraceable
• Identity and location of the Headquarters are hidden through the use of Anonymizers
• Complete solution, not a toolkit
• Centrally managed through a Console
• Entirely developed by Hacking Team
RCS Components
• Frontend
  - Collector
  - Anonymizers
• Backend
  - Masternode
  - Shards
• Console
RCS Frontend
RCS Collector
• RCS Collectors are published on the Internet (DMZ)
• The main function of Collectors is receiving the Evidence from the Agents and forwarding it to the Database for further processing
• Collectors make it possible to change the configuration of agents, send commands to perform special operations, etc.
• Agents communicate with the Collectors using an encrypted and authenticated channel
  - no other component is capable of communicating with the Agents
  - security is guaranteed by strong double-layered encryption
• Agents need to reach the Collector wherever they are
Anonymizers
• Anonymizers are used to hide the real identity of the Customer from anyone trying to figure out where the Agent is connecting to
• Anonymizers are used to send the collected evidence without exposing the real IP address of the Collector
• They can be deployed anywhere on the Internet
• They can be safely placed in untrusted networks
• Each connection is fully encrypted from the target to the frontend
• Anonymizers can be linked into one or more chains that can be fully controlled and monitored using the Console
RCS Backend

Master Node
• The core of the whole infrastructure
• It stores the Evidence collected from the targets
• Scaling capabilities
  - adding Shards and making them work in parallel
  - automatic load balancing
• It manages the configuration of the Agents and the build of the Infection Vectors
• It uses MongoDB (NoSQL DB)
• Backup capabilities integrated and automated
  - Full (incremental or not)
  - Selective
  - Only metadata

Shards
• Used to increase the number of concurrent Agents that can be supported
• Hot-plug
  - Automatically integrate with the infrastructure
  - Increase the overall capacity
• The database automatically balances itself, distributing the data according to the new resources made available
RCS Console
• Centrally manages all the RCS infrastructure
• Intuitive and easy to use interface
• It allows performing any operation, according to user privileges
• Wizards are available to simplify investigations and archiving
RCS Agent
• The software that has to be installed on the target PC or smartphone to be monitored
• It extracts information already present on the device
• It keeps the user's real-time activity under surveillance
• It is invisible to Antivirus and Antirootkit
• Once collected, the Evidence is sent to the Collector
  - if an Internet connection is not always available, the Agent will continue to collect the Evidence, waiting for the next opportunity to transfer it
• The Agent can be configured to collect all kinds of data from the target device
• Evidence is stored encrypted and hidden on the device itself, until the Agent can send it
• Once configured, Agents are autonomous in their operation, even when they are isolated from the Internet
• Agent configuration is done from the Console and can be changed whenever needed
Q&A
RCS Installation
Backend Installation
• Execute rcs-setup-[current version].exe on the Backend Server

Shard[n] Installation

Frontend Installation

Console Installation
• Install Adobe AIR
• Install rcs-console-[version].air

Starting RCS Console
• Enter the credentials in the Username and Password fields
• On Server: enter the name of the machine or the server address to connect to
• The first time, install the certificate under Trusted CA
Anonymizer Installation
• Open Console → System → New Anonymizer
• Then select Download Installer
• Open an scp client (e.g. WinSCP) and copy the installer.zip file
• Connect to the Anonymizer via ssh (e.g. PuTTY)
• Go to the folder in which the anonim.zip file is
• Unzip the file
• Launch the script (sh [file name])
• On the Console select the anonymizer and then click on Apply Configuration
Notes:
• Check that no process is listening on port 80 on the anonymizer server (netstat -antp | grep ':80 ')
• Stop all services you don't need on the anonymizer (chkconfig --level [run levels] [service name] off)
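The port-80 check in the notes deserves a sharper pattern than a bare grep for "80": that string also matches port 8080, a foreign address such as 10.0.0.80 and any PID containing 80, and netstat -antp lists established connections as well as listeners. The following parser is an added example, not part of the deck and not RCS code: it matches the local port exactly and keeps only LISTEN sockets. The netstat output it ships with is constructed for the example, and live_check is a hypothetical helper that runs the real command.

```python
"""Find real listeners on a TCP port from `netstat -antp`-style output.

Added example (not from the training deck). SAMPLE_NETSTAT is constructed
to show the false positives a plain `grep 80` would produce.
"""
import re
import subprocess

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1802/java
tcp        0      0 10.0.0.5:22             10.0.0.80:50123         ESTABLISHED 1920/sshd: root
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2104/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      2104/nginx: master
"""

# proto, recv-q, send-q, local, foreign, state, program (program may contain spaces)
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def listeners_on_port(netstat_output: str, port: int = 80) -> list:
    """Return (proto, local address, program) for every LISTEN socket bound to `port`."""
    hits = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything that is not a socket row
        proto, local, _foreign, state, prog = m.groups()
        if state != "LISTEN":
            continue  # an established connection is not a conflicting listener
        addr, _, local_port = local.rpartition(":")  # handles "0.0.0.0:80" and ":::80"
        if local_port.isdigit() and int(local_port) == port:
            hits.append((proto, addr, prog.strip()))
    return hits


def naive_grep_count(netstat_output: str, needle: str = "80") -> int:
    """What `netstat -antp | grep 80` would count: every line containing the digits."""
    return sum(1 for line in netstat_output.splitlines() if needle in line)


def live_check(port: int = 80) -> list:
    """Hypothetical helper: run netstat on this host and parse it (Linux, net-tools)."""
    out = subprocess.run(["netstat", "-antp"], capture_output=True, text=True).stdout
    return listeners_on_port(out, port)


if __name__ == "__main__":
    print("grep-style matches:", naive_grep_count(SAMPLE_NETSTAT))
    print("real port-80 listeners:", listeners_on_port(SAMPLE_NETSTAT))
```

On the constructed sample the grep-style count is 5 while only the two nginx sockets actually listen on port 80; the same parser answers the question for any port, which is useful before binding any new service.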
Tips & Tricks after RCS installation
• Check the logs:
  - C:\RCS\DB\log
  - C:\RCS\Collector\log
  - Type also rcs-db-log and rcs-collector-log on the Backend and Collector command prompt
• In order to retrieve the certificate for the Collector, on the Collector command prompt type:
  rcs-collector-config -d [host master name] -u admin -p [password] -t -s
  then restart the Collector service
• In order to retrieve the certificate for the Anonymizer, on the DB server open a command prompt and type:
  rcs-db-config -a
  then restart the Collector service
• Check that all RCS services are running (under Services, search for RCS)
• Reset the admin password
Backup

RCS Backup
• Mount an external storage on the Master Node
• Create a subfolder inside c:\rcs\db\backup, let's name it c:\rcs\db\backup\backup
• Configure the backup to use that directory: from the CLI of the Master Node type "rcs-db-config -B c:\rcs\db\backup\backup"
• Open the console and schedule the backups:
  - 1 backup job for metadata per day
  - 1 backup job for a full backup per week
  - Operation and target backups when you need them
Notes: the backups can be incremental or not
Q&A
RCS Configuration

Define Users and Groups
• On the Console click Accounting → User → New User
Note: only Administrators can add new users and groups

• Privileges assigned to the user:
  - Administrator
  - System Administrator
  - Technician
  - Analyst

Administrator
• User and group management
• Operations management
• Target management
• System auditing
• License modification

System Administrator
• Frontend management
• Backend management
• System Backup & Restore
• Injector management
• Connectors management

Technician
• Factory creation
• Installation vector creation
• Agent configuration
• Command execution on agents
• Upload files to agent
• Import evidence
• Injector rules management

Analyst
• Alerts creation
• File system browsing on agents
• Evidence editing
• Evidence deletion (this authorization is never enabled by default since it requires a user license)
• Evidence export
• Entity management

Advanced Permission:

Define Users and Groups
1. On the Console click Accounting → Groups → New Group
2. Enter a name to be assigned to the group → click Save
3. In the Users in this Group table, click to add users to the group
4. In the Operations in this Group table, click to add operations to the group
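The slides describe two independent dimensions of access: what a role may do (the privilege lists above) and which operations a user can reach (membership of a group that has been given the operation, step 4). The model below is an added example, not RCS code and not a description of the product's implementation: the role names and privilege lists come from the slides, while the data structures, the rule that a privilege only applies inside an operation the user's group holds, and the licence gate on evidence deletion are assumptions made here to show how the checks combine.

```python
"""Illustrative least-privilege model for the role/group scheme on these slides.

Added example, not RCS code. Role names and privilege sets are transcribed from
the slides; the combination logic is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Privileges per role, as enumerated on the "Define Users and Groups" slides.
ROLE_PRIVILEGES = {
    "Administrator": {
        "user and group management", "operations management",
        "target management", "system auditing", "license modification",
    },
    "System Administrator": {
        "frontend management", "backend management", "system backup & restore",
        "injector management", "connectors management",
    },
    "Technician": {
        "factory creation", "installation vector creation", "agent configuration",
        "command execution on agents", "upload files to agent", "import evidence",
        "injector rules management",
    },
    "Analyst": {
        "alerts creation", "file system browsing on agents", "evidence editing",
        "evidence export", "entity management",
    },
}

# Never on by default: the slide says evidence deletion requires a user licence.
LICENSED_PRIVILEGES = {"evidence deletion"}


@dataclass
class User:
    name: str
    role: str
    licensed: set = field(default_factory=set)  # licensed extras, empty by default


@dataclass
class Group:
    name: str
    users: set = field(default_factory=set)       # user names (slide step 3)
    operations: set = field(default_factory=set)  # operation names (slide step 4)


class AccessControl:
    def __init__(self) -> None:
        self.users: dict = {}
        self.groups: dict = {}

    def _require_admin(self, actor: User, what: str) -> None:
        # Slide note: only Administrators can add new users and groups.
        if actor.role != "Administrator":
            raise PermissionError(f"{actor.name} ({actor.role}) may not {what}")

    def add_user(self, actor: User, user: User) -> None:
        self._require_admin(actor, "add users")
        if user.role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {user.role!r}")
        self.users[user.name] = user

    def add_group(self, actor: User, group: Group) -> None:
        self._require_admin(actor, "add groups")
        self.groups[group.name] = group

    def grant_licensed(self, actor: User, user: User, privilege: str) -> None:
        # Assumed rule: switching on a licensed privilege is a licence modification,
        # which in the slides' lists only the Administrator role holds.
        if "license modification" not in ROLE_PRIVILEGES[actor.role]:
            raise PermissionError(f"{actor.name} may not modify licences")
        if privilege not in LICENSED_PRIVILEGES:
            raise ValueError(f"{privilege!r} is not a licensed privilege")
        user.licensed.add(privilege)

    def privileges(self, user: User) -> set:
        return ROLE_PRIVILEGES[user.role] | (user.licensed & LICENSED_PRIVILEGES)

    def can(self, user: User, privilege: str, operation: Optional[str] = None) -> bool:
        """The role must carry the privilege; when an operation is named, the user
        must also be in a group that has been given that operation."""
        if privilege not in self.privileges(user):
            return False
        if operation is None:
            return True
        return any(user.name in g.users and operation in g.operations
                   for g in self.groups.values())


def build_demo() -> tuple:
    """Constructed scenario: an Administrator creates an Analyst and one group
    scoped to a single operation. Returns (access_control, admin, analyst)."""
    ac = AccessControl()
    admin = User("alice", "Administrator")
    ac.users[admin.name] = admin  # bootstrap account, created outside the checks
    analyst = User("bob", "Analyst")
    ac.add_user(admin, analyst)
    ac.add_group(admin, Group("team-1", users={"bob"}, operations={"op-1"}))
    return ac, admin, analyst
```

The point of keeping the two checks separate is that neither alone is sufficient: an Analyst with every role privilege still sees nothing in an operation their group was not given, and an Administrator cannot hand out evidence deletion to a role that was never licensed for it.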
Hands On
• Create users and groups with different permissions
• Install RCS Console
• Login with the users created and see the differences
Define Operation
• On the Console click Operations → New Operation, then assign the operation to the right group

Define Target
• On the Console click Operations → click on the Operation → click on New Target
Note: a Target is a physical person under investigation. He/she can have more than one device (laptop, mobile phone, tablet)

Define a Factory
• On the Console click Operations → click on the Operation → click on the Target name → click on New Factory
• Choose Desktop or Mobile (depending on the target device)
• The factory is a model used to create the agents to be installed
• The icon varies according to the type of device intended for the agent
• The following must be set in the factory:
  - data to be acquired (basic configuration)
  - modules to be dynamically activated (advanced configuration)
  - installation vectors (i.e. CD, exploit, Network Injector)
• There is no license for factories: it is possible to create as many as needed
• The factory can be:
  - Created
  - Closed
  - Deleted
  - Saved as a template
  - Used to create several agents: for example, to be installed via different installation vectors or on two computers with different operating systems, etc.
Note: Close and Delete factory are irreversible! If a factory is closed it is not possible to open it again; active agents remain accessible, while all agents that have not been synchronized at least once before the factory is closed will be uninstalled.
Basic Configuration
• Adds data acquisition and simple command execution modules that do not require complex settings
• Enables and quickly sets evidence acquisition
• Does not include the acquisition of some types of evidence, nor detailed acquisition method options

Advanced Configuration
• Events can be linked to actions, to trigger specific agent reactions to changing conditions in the Device
• The Agent can detect specific events and react with appropriate actions (e.g. the screensaver is started)
• Actions can start or stop modules
• Actions can enable or disable other events
• All the event, action and module options can be individually set

Hands On
• Create an operation
• Create a target
• Play with the basic and advanced configuration
Infection Methods
A device can be infected via:
• Physical infection
  - the device is infected by the execution of a file transmitted using USB memories, CDs or documents
  - evidence can be collected physically or via the Internet as soon as the device connects
• Remote infection
  - the device is infected by the execution of a file transferred via an Internet connection or made available in a Web resource
  - evidence can be collected physically or via the Internet as soon as the device connects
  - remote infection can be enhanced using the Network Injector

Infection Vectors Overview

Infection Vectors Desktop
• Zero-Day Exploits: zero-day exploits researched and developed in house to provide easy delivery through common applications are available
• Melted Application: the Agent can be melted with any application; when run, only the original application will be visible to the user, while the Agent will be silently installed. The Agent can be disguised as any other application. Perfect for social engineering attacks. Melted applications can be remotely delivered
• From the network: Tactical Network Injector (TNI) and Network Injector Appliance (NIA) will let you infect any target on a LAN or connected to any ADSL; see the respective sections for details
• Physical Access: when physical access to the device is available, infection can be performed whether the computer is running or turned off, without the need of any user password:
  - Offline installation
  - Infection performed in as little as a few seconds
  - Silent install

Infection Methods Desktop
• Windows
  - Silent Installer
  - Melted Application
  - U3 Installation
  - Offline Installation
  - Exploit
  - Network Injection
• OSX
  - Silent Installer
  - Melted Application
  - Offline Installation
  - Network Injection
• Linux
  - Silent Installer
  - Melted Application
  - Network Injection

Infection Vectors Mobile
• Physical Access: when physical access to the device is possible, local installation can be performed
• Inside Application: the Agent can be melted with any application; when run, only the original application will be visible to the user, while the Agent will be silently installed
• Through Message: a message containing an infecting link can be sent to the target
  - with this infection vector the agent can be configured to appear as any application (for example, as an Operating System update)
  - the link will be automatically loaded and prompted to the user
  - any text can be included in the message

Infection Methods Mobile
• Blackberry
  - Local Installation
  - Installation Package
  - Wap Push Message (SMS, Wap Push)
  - QR Code / Web Link
• Android
  - Installation Package
  - Wap Push Message (SMS, Wap Push)
  - QR Code / Web Link
  - Melted Application
• iOS
  - Local Installation
  - Installation Package
  - Social Exploit
• Windows Phone
  - Installation Package
• Windows Mobile
  - Local Installation
  - Installation Package
  - Wap Push Message (SMS, Wap Push)
  - QR Code / Web Link
  - Melted Application
• Symbian
  - Installation Package
  - Wap Push Message (SMS, Wap Push)
  - QR Code / Web Link
  - Melted Application

Hands On
• Use the factories created to infect the available devices with different infection methods
Network Injectors
• Network Injector allows tapping the target's HTTP connections and injecting an agent on the device
  - Monitoring all the HTTP connections
  - Identifying the target's connections
  - Injecting the agent into the connections, linking it to the resources the target is downloading from the Internet

Network Injector types
• Appliance: network server for installation in an intraswitch segment at an Internet service provider
• Tactical: laptop for tactical installation on LAN or WiFi networks

Network Injector Appliance
• NIA is installed at the Internet Service Provider's premises
• Doesn't need to be installed inline, thanks to a patented technology
• Different target identification possibilities:
  - IP Address or IP Range
  - MAC Address
  - DHCP Parameters
  - Radius Parameters
  - Content of packets through DPI
• Different infection techniques:
  - when the target downloads any executable file (.exe) from the Internet
  - when the target visits any website
  - when the user's applications try to update
  - when the target user, prevented from viewing a video online, performs the operations needed to see the video
  - when the TNI replaces any file with a different file provided by the operator
• Available for 1GB and 10GB lines
• Supports Fiber and Copper channels
• Easy management even when multiple NIAs are deployed
• Full support from HackingTeam in the implementation of any NIA Project

Tactical Network Injector
• TNI supports the operator in the identification of the target on the field, discovering all hosts on the network by displaying the following information:
  - MAC Address
  - IP Address
  - Hostname
  - Operating System
  - Browser in use
  - List of all visited websites
  - Attacks performed on the Target
• TNI supports different infection techniques:
  - when the target downloads any executable file (.exe) from the Internet
  - when the target visits any website
  - when the target user, prevented from viewing a video online, performs the operations needed to see the video
  - when the TNI replaces any file with a different file provided by the operator

Hands On
• Play with TNI
• Test fake access point
• Test different infection vectors
Scout and Elite
• Only for the Windows Agent there are two stages of infection:
  - Scout
  - Elite
• Scout: invisible to all AVs in the list; checks only device and screenshot (if the module is enabled in the configuration). No hidden features
• Elite: full agent with all hidden features

Scout and Elite Behavior
• The Scout is installed through an infection vector
• After 5 minutes the Scout will synchronize (in order to start, the agent waits for user input, so the counter starts at the first user input)
• After the first sync it is possible to proceed to upgrade the agent from Scout to Elite using the RCS Console
• Then wait 20 minutes for the next sync
• The time of the subsequent synchronizations will match the configuration made on the RCS Console
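The schedule above (a first sync after 5 minutes, the next after 20, then at whatever interval the Console configures) is what a defender can look for in egress logs: connections from one host to one destination that recur at a near-constant interval. The script below is an added example, not part of the deck and not RCS code. Its log format, host names, addresses and timestamps are constructed for the example, and the minimum hit count and jitter threshold are assumptions; it does not know anything about the protocol or content of the sync, only about timing.

```python
"""Flag (source, destination) pairs whose outbound connections recur at a
near-constant interval, over constructed connection-log lines.

Added example, not from the training deck. Log format (one connection per
line): "<ISO timestamp> <source host> <destination ip:port>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample: host-a checks in with 203.0.113.10 every ~20 minutes with
# seconds of jitter, beside ordinary browsing from host-a and host-b.
SAMPLE_LOG = """\
2015-07-06T09:00:05 host-a 203.0.113.10:443
2015-07-06T09:03:11 host-a 198.51.100.7:443
2015-07-06T09:20:09 host-a 203.0.113.10:443
2015-07-06T09:27:40 host-b 198.51.100.7:443
2015-07-06T09:40:02 host-a 203.0.113.10:443
2015-07-06T09:41:55 host-a 198.51.100.7:443
2015-07-06T10:00:07 host-a 203.0.113.10:443
2015-07-06T10:20:04 host-a 203.0.113.10:443
2015-07-06T10:33:19 host-b 198.51.100.7:443
2015-07-06T10:40:01 host-a 203.0.113.10:443
2015-07-06T11:25:50 host-b 198.51.100.7:443
"""


def parse_connections(log_text: str) -> dict:
    """Group connection timestamps by (source, destination)."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.strptime(ts, TIME_FORMAT))
    return conns


def periodic_pairs(conns: dict, min_hits: int = 4, max_jitter: float = 0.05) -> list:
    """Return pairs with at least `min_hits` connections whose inter-arrival
    times vary by no more than `max_jitter` (population std dev / mean gap).
    Thresholds are assumptions of this example; tune them on real traffic."""
    findings = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue  # too few samples to call anything periodic
        times = sorted(times)
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, not a schedule
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "hits": len(times),
                "interval_s": round(avg), "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in periodic_pairs(parse_connections(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits every ~{f['interval_s']}s "
              f"(jitter {f['jitter']})")
```

Fixed-interval polling is also how software updaters and telemetry behave, so a flagged pair is a triage candidate to compare against known-good destinations, not a verdict; the value of the heuristic is that it keys on timing alone and so survives the encrypted, anonymized transport the deck describes. On the sample, host-b's three irregular visits are not flagged even with min_hits lowered to 3, because their jitter is far above the threshold.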
Evidence
• Agents can collect different types of evidence depending on the type of Device, either Desktop or Mobile, and the specific target platform

Desktop:
• Chat and messages from different Social Networks (Facebook, Twitter, and more)
• Mail from different Mail Clients and Web Interfaces (Outlook, Windows Mail, GMail, and more)
• Automatic and on-the-fly interception and copy of any file opened, even when it is encrypted and does not reside on the hard disk
• Screenshots
• List of visited web sites
• Download of passwords stored on the device (Browsers, Mail clients, etcetera)
• Keylogger with the possibility to capture also on-screen keyboards
• Copied and pasted text
• Position of the device, even when no GPS is available
• Recording from the microphone of the device
• Detailed information on hardware and software on the device
• Photos taken with the device webcam
• Monitoring and recording of VoIP calls (Skype, LiveMessenger, and more)
• Download and Upload of files to and from the device
• Contact information
• New and past appointments from different calendars
• More …

Mobile:
• Keylogger
• Retrieval of passwords saved on the device
• Position of the device (Cell signal, Wi-Fi and GPS)
• Remote Audio Surveillance using the phone's microphone (no need to place a call)
• Photos taken with the device camera
• List of visited websites
• Download and Upload of files from the device
• More …

Hands On
• Check the evidence collected from the infected devices
• Try to change the configuration
• See the behavior of the agent
Intelligence
• The data collected through different methods can grow indefinitely, making it hard to extract useful information from raw data
• The Intelligence module can:
  - Collect
  - Profile
  - Correlate
• It operates independently, analyzing incoming evidence on the fly and automatically creating relevant records for each entity
• It can be modified manually to enable correlation of previously collected data (e.g. target's photos, phone numbers, accounts, etc.)

Intelligence Modules
• Intelligence module: automatically creates a profile for each target, showing the digital identity of your target
• Correlation module: gives information on interactions (communications, meetings, etc.) between different targets
Intelligence
Monitor
Test
Q&A