
Delivery Training

Agenda
 RCS Overview
 RCS Architecture and Components
 RCS Installation
 RCS Configuration
 Hands On
 Infection Vectors
 Hands On
 TNI and NIA
 Hands On
 Intelligence
 Monitor
 Test
 Q&A

RCS Overview
 Ethical Hacking Solution for governmental agencies
 A software agent installed on the device
  to monitor the device
  able to hide itself inside the target devices
  enables both active data monitoring and process control
  designed to be polymorphic, to evade common Anti-Viruses and Anti-Rootkits
  designed to evade encryption

RCS Overview
 Evidence collection on monitored devices is stealthy
 Transmission of collected data from the device to the RCS server is encrypted and untraceable
 Identity and location of the Headquarters are hidden through the use of Anonymizers.

RCS Overview
 Complete solution, not a toolkit
 Centrally managed through a Console
 Totally developed by Hacking Team

RCS Components
 Frontend
  Collector
  Anonymizers
 Backend
  Masternode
  Shards
 Console

RCS Frontend

RCS Collector
 RCS Collectors are published on the Internet (DMZ)
 The main function of Collectors is receiving the Evidence from the Agents and forwarding it to the Database for further processing
 Collectors also make it possible to change the configuration of agents, send commands to perform special operations, etc.

RCS Collector
 Agents communicate with the Collectors using an encrypted and authenticated channel
  no other component is capable of communicating with the Agents
  security is guaranteed by strong double-layered encryption
 Agents need to reach the Collector wherever they are

Anonymizers
 Anonymizers are used to hide the real identity of the Customer from anyone trying to figure out where the Agent is connecting to
 Anonymizers are used to forward the collected evidence, to avoid exposing the real IP address of the Collector
 They can be deployed anywhere on the Internet

Anonymizers
 They can be safely placed in untrusted networks
 Each connection is fully encrypted from the target to the frontend
 Anonymizers can be linked into one or more chains that can be fully controlled and monitored using the Console.

RCS Backend

Master Node
 The core of the whole infrastructure
 It stores the Evidence collected from the targets
 Scaling capabilities
  adding Shards and making them work in parallel
  auto load-balancing

Master Node
 Master Node stores the evidence
 It manages the configuration of the Agents and the build of the Infection Vectors
 It uses MongoDB (NoSQL DB)
 Backup capabilities integrated and automated
  Full (incremental or not)
  Selective
  Only metadata

Shards
 Used to increase the number of concurrent Agents that can be supported
 Hot-plug
  Automatically integrate with the infrastructure
  Increase the overall capacity
 The database automatically balances itself, distributing the data according to the new resources made available

RCS Console
 Centrally manages all the RCS infrastructure
 Intuitive and easy to use interface
 It allows performing any operation, according to user privileges
 Wizards are available to simplify investigations and archiving

RCS Agent
 Is the software that has to be installed on the target PC or smartphone to be monitored
 It extracts information already present on the device
 It keeps the user's real-time activity under surveillance
 It is invisible to Antivirus and Antirootkit

RCS Agent
 Once collected, the Evidence is sent to the Collector
  if an Internet connection is not always available, the Agent will continue to collect the Evidence, waiting for the next opportunity to transfer it
 The Agent can be configured to collect all kinds of data from the target device
 Evidence is stored encrypted and hidden on the device itself, until the Agent can send it

RCS Agent
 Once configured, Agents are autonomous in their operation, even when they're isolated from the Internet
 Agent configuration is made from the Console and it can be changed whenever needed

Q&A

RCS Installation

Backend Installation
 Exec rcs-setup-[current version].exe on the Backend Server

Backend Installation

Shard[n] Installation

Frontend Installation

Console Installation
 Install Adobe AIR
 Install rcs-console-[version].air

Starting RCS Console
 Enter the credentials in the Username and Password fields
 On Server: enter the name of the machine or the server address to connect to
 The first time, install the certificate under Trusted CA

Anonymizer Installation
 Open Console  System  New Anonymizer
 Then select Download Installer
 Open an scp client (e.g. WinSCP)
 Copy the installer.zip file

Anonymizer Installation
 Connect to the Anonymizer via ssh (e.g. PuTTY)
 Go to the folder containing the anonim.zip file
 Unzip the file
 Launch the script (sh [file name])
 On the Console select the anonymizer and then click on Apply Configuration
Notes:
 Check that there are no processes listening on port 80 on the anonymizer server (netstat -antp | grep ':80 ')
 Stop all services you don't need on the anonymizer (chkconfig --level [runlevels] [service name] off)
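A bare "grep 80" over netstat output also matches ports such as 8080 or 1800, so the pre-flight check in the notes can report false positives or, worse, pass when a listener is hidden among other matches. The following POSIX shell helper, added here as an example and not part of the RCS training material, matches the local port field exactly and only counts sockets in the LISTEN state; the netstat lines it is exercised against are a constructed sample, and the function names listeners_on_port and port_is_free are this example's own.

```shell
#!/bin/sh
# Pre-flight check before applying the anonymizer configuration:
# report any process already listening on a given TCP port.
# Added example; not code from the RCS training material.

# listeners_on_port PORT [NETSTAT_OUTPUT]
# Reads `netstat -antp`-style lines (from $2 if given, otherwise by running
# netstat) and prints the lines whose local address ends in :PORT and whose
# state is LISTEN. Matching the last ':'-separated field of the local address
# handles both IPv4 ("0.0.0.0:80") and IPv6 (":::80") forms.
listeners_on_port() {
    port="$1"
    if [ -n "$2" ]; then
        input="$2"
    else
        input="$(netstat -antp 2>/dev/null || true)"
    fi
    printf '%s\n' "$input" | awk -v p="$port" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) print
        }'
}

# port_is_free PORT [NETSTAT_OUTPUT]
# Exit status 0 when nothing is listening on PORT, 1 otherwise.
port_is_free() {
    [ -z "$(listeners_on_port "$1" "$2")" ]
}

# Constructed sample of `netstat -antp` output (not captured from a real host).
# Note the 8080 listener, which a plain `grep 80` would also match, and the
# ESTABLISHED sshd line, which is not a listener.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1204/java
tcp6       0      0 :::80                   :::*                    LISTEN      1337/apache2
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 902/sshd'

# Stand-alone run: check the live host for a port 80 listener.
if port_is_free 80; then
    echo "port 80 is free"
else
    echo "port 80 is already in use:"
    listeners_on_port 80
fi
```

On a real anonymizer host call port_is_free 80 with no second argument so the function runs netstat itself; the sample is only there to show what the filter keeps (the apache2 line) and what it drops (8080 and the established session).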

Tips & Tricks after RCS installation
 Check logs
  C:\RCS\DB\log
  C:\RCS\Collector\log
  Type also rcs-db-log and rcs-collector-log on the Backend and Collector command prompts
 In order to retrieve the certificate for the Collector, on the Collector command prompt type:
  rcs-collector-config -d [host master name] -u admin -p [password] -t -s
 Restart the Collector service

Tips & Tricks after RCS installation
 In order to retrieve the certificate for the Anonymizer, on the DB server open a command prompt and type:
  rcs-db-config -a
 Restart the Collector service
 Check that all RCS services are running (under Services, search for RCS)
 Reset the admin password
 Backup

RCS Backup
 Mount an external storage on the Master Node
 Create a subfolder inside c:\rcs\db\backup, let's name it c:\rcs\db\backup\backup
 Configure the backup to use that directory: from the CLI of the Master Node type "rcs-db-config -B c:\rcs\db\backup\backup"
 Open the console and schedule the backups:
  1 backup job for metadata / day
  1 backup job for full backup / week
  Operation and target backups when you need them
Notes: The backups can be incremental or not

Q&A

RCS Configuration

Define Users and Groups
On the Console click Accounting  User  New User
Note: Only Administrators can add new users and groups

Define Users and Groups
 Privileges assigned to the user:
  Administrator
  System Administrator
  Technician
  Analyst

Define Users and Groups
 Administrator
  User and group management
  Operations management
  Target management
  System auditing
  License modification
 System Administrator
  Frontend management
  Backend management
  System Backup & Restore
  Injector management
  Connectors management

Define Users and Groups
 Technician
  Factory creation
  Installation vector creation
  Agent configuration
  Command execution on agents
  Upload files to agent
  Import evidence
  Injector rules management
 Analyst
  Alerts creation
  File system browsing on agents
  Evidence editing
  Evidence deletion
   this authorization is never enabled by default since it requires a user license.
  Evidence export
  Entity management

Define Users and Groups
Advanced Permission:

Define Users and Groups
1. On the Console click Accounting  Groups  New Group
2. Enter a name to be assigned to the group  click Save
3. In the Users in this Group table, click to add users to the group.
4. In the Operations in this Group table, click to add operations to the group

Hands On
 Create users and groups with different permissions
 Install RCS Console
 Login with the users created and see the differences

Define Operation
On the Console click Operations  New Operation, then assign the operation to the right group

Define Target
On the Console click Operations  click on the Operation  click on New Target
Note: A Target is a physical person under investigation. He/she can have more than one device (laptop / mobile phone / tablet)

Define a Factory
On the Console click Operations  click on the Operation  click on the Target name  click on New Factory. Choose Desktop or Mobile (depending on the target device)

Define Factory
 The factory is a model used to create the agents to be installed
 The icon varies according to the type of device intended for the agent
 The following must be set in the factory
  data to be acquired (basic configuration)
  modules to be dynamically activated (advanced configuration)
  installation vectors (i.e.: CD, exploit, Network Injector)
 There is no license for factories. It is possible to create as many as needed

Define Factory
 The factory can be:
  Created
  Closed
  Deleted
  Saved as template
  Used to create several agents: for example, to be installed via different installation vectors or on two computers with different operating systems, etc.
Note: Close and Delete factory are irreversible! If a factory is closed it is not possible to open it again; active agents remain accessible, while all agents that have not been synchronized at least once before the factory is closed will be uninstalled.

Basic Configuration
 Adds data acquisition and simple command execution modules that do not require complex settings
 Enables and quickly sets evidence acquisition
 Does not include the acquisition of some types of evidence nor detailed acquisition method options

Basic Configuration

Advanced Configuration
 Events can be linked to actions, to trigger specific agent reactions to changing conditions on the Device
 The Agent can detect specific events and react with appropriate actions
  e.g. the screensaver is started
 Actions can start or stop modules
 Actions can enable or disable other events
 All the event, action and module options can be individually set

Advanced Configuration

Hands On
 Create an operation
 Create a target
 Play with the basic and advanced configuration

Infection Methods
 A device can be infected via:
  Physical infection
   the device is infected by the execution of a file transmitted using USB memories, CDs or documents.
   Evidence can be collected physically or via the Internet as soon as the device connects
  Remote infection
   the device is infected by the execution of a file transferred via an Internet connection or made available in a Web resource.
   Evidence can be collected physically or via the Internet as soon as the device connects
   Remote infection can be enhanced using Network Injector.

Infection Vectors Overview

Infection Vectors Desktop
 Zero-Day Exploits: zero-day exploits researched and developed in house to provide easy delivery through common applications are available.
 Melted Application: the Agent can be melted with any application; when run, only the original application will be visible to the user, while the Agent will be silently installed. The Agent can be disguised as any other application. Perfect for social engineering attacks. Melted applications can be remotely delivered
 From the network: Tactical Network Injector (TNI) and Network Injector Appliance (NIA) will let you infect any target on a LAN or connected to any ADSL; see the respective sections for details

Infection Vectors Desktop
 Physical Access: when physical access to the device is available, infection can be performed whether the computer is running or turned off, without need of any user password:
  Offline Installation
  Infection performed in as little as a few seconds
  Silent install

Infection Methods Desktop
 Windows
  Silent Installer
  Melted Application
  U3 Installation
  Offline Installation
  Exploit
  Network Injection
 OSX
  Silent Installer
  Melted Application
  Offline Installation
  Network Injection
 Linux
  Silent Installer
  Melted Application
  Network Injection

Infection Vectors Mobile
 Physical Access: when physical access to the device is possible, local installation can be performed
 Inside Application: the Agent can be melted with any application
  when run, only the original application will be visible to the user, while the Agent will be silently installed
 Through Message: a Message containing an infecting link can be sent to the target.
  With this infection vector the agent can be configured to appear as any application (for example, as an Operating System update)
  the link will be automatically loaded and prompted to the user
  Any text can be included in the message

Infection Methods Mobile
 Blackberry
  Local Installation
  Installation Package
  Wap Push Message
  SMS
  Wap Push
  QR Code / Web Link
 Android
  Installation Package
  Wap Push Message
  SMS
  Wap Push
  QR Code / Web Link
  Melted Application
 iOS
  Local Installation
  Installation Package
  Social Exploit

Infection Methods Mobile
 Windows Phone
  Installation Package
 Windows Mobile
  Local Installation
  Installation Package
  Wap Push Message
  SMS
  Wap Push
  QR Code / Web Link
  Melted Application
 Symbian
  Installation Package
  Wap Push Message
  SMS
  Wap Push
  QR Code / Web Link
  Melted Application

Hands On
 Use the factories created to infect the available devices with different infection methods

Network Injectors
 Network Injector allows tapping the target's HTTP connections and injecting an agent on the device
  Monitoring all the HTTP connections
  Identifying the target's connections
  Injecting the agent into the connections
   linking it to the resources the target is downloading from the Internet
 Network Injector types
  Appliance: network server for installation in an intra-switch segment at an Internet service provider
  Tactical: laptop for tactical installation on LAN or WiFi networks

Network Injector Appliance
 NIA is installed at the Internet Service Provider's premises
 Doesn't need to be installed inline, thanks to a patented technology
 Different target identification possibilities:
  IP Address or IP Range
  MAC Address
  DHCP Parameters
  Radius Parameters
  Content of packets through DPI
 Different infection techniques
  when the target downloads any executable file (.exe) from the Internet
  when the target visits any website
  when the user's applications try to update
  when the target user, prevented from viewing a video online, performs the operations needed to see the video
  when the TNI replaces any file with a different file provided by the operator.

Network Injector Appliance
 Available for 1GB and 10GB lines
 Supports Fiber and Copper channels
 Easy management even when multiple NIAs are deployed
 Full support from HackingTeam in the implementation of any NIA Project

Tactical Network Injector
 TNI supports the operator in the identification of the target in the field, discovering all hosts on the network by displaying the following information:
  MAC Address
  IP Address
  Hostname
  Operating System
  Browser in use
  List of all visited websites
  Attacks performed on the Target
 TNI supports different infection techniques:
  when the target downloads any executable file (.exe) from the Internet;
  when the target visits any website;
  when the target user, prevented from viewing a video online, performs the operations needed to see the video;
  when the TNI replaces any file with a different file provided by the operator

Hands On
 Play with TNI
 Test fake Access Point
 Test different infection vectors

Scout and Elite
 Only for the Windows Agent there are two stages of infection:
  Scout
  Elite
 Scout: invisible to all AVs in the list, checks only device and screenshot (if the module is enabled in the configuration). No hidden features
 Elite: full agent with all hidden features

Scout and Elite Behavior
The Scout is installed through an infection vector. After 5 minutes (in order to start, the agent waits for user input, so the counter starts at the first user input) the Scout will synchronize. After the first sync it is possible to upgrade the agent from Scout to Elite using the RCS Console. Then wait 20 minutes for the next sync. The timing of the subsequent synchronizations will match the configuration made on the RCS Console.

Communication

Evidence
Agents can collect different types of evidence depending on the type of Device, either Desktop or Mobile, and the specific target platform

Evidence Desktop:
 Chat and messages from different Social Networks (Facebook, Twitter, and more)
 Mail from different Mail Clients and Web Interfaces (Outlook, Windows Mail, GMail, and more)
 Automatic and on-the-fly interception and copy of any file opened, even when it's encrypted and does not reside on the hard disk
 Screenshots
 List of visited web sites
 Download of passwords stored on the device (Browsers, Mail clients, etcetera)
 Keylogger with the possibility to capture also on-screen keyboards

Evidence Desktop:
 Copied and pasted text
 Position of the device, even when no GPS is available
 Recording from the microphone of the device
 Detailed information on hardware and software on the device
 Photos taken with the device webcam
 Monitoring and recording of VOIP Calls (Skype, LiveMessenger, and more)
 Download and Upload of files to and from the device
 Contacts information
 New and past appointments from different calendars
 More …

Evidence Mobile:
 Keylogger
 Retrieval of passwords saved on the device
 Position of the device (Cell signal, Wi-Fi and GPS)
 Remote Audio Surveillance using the phone's microphone (no need to place a call)
 Photos taken with the device camera
 List of visited websites
 Download and Upload of files from the device
 More …

Hands On
 Check the evidence collected from the infected devices
 Try to change the configuration
 See the behavior of the agent

Intelligence
The data collected through different methods can grow indefinitely, making it hard to extract useful information from raw data

Intelligence
 The Intelligence module can:
  Collect
  Profile
  Correlate
 It operates independently
  analyzing incoming evidence on-the-fly
  automatically creating relevant records for each entity
 Records can be modified manually to enable correlation of previously collected data
  E.g. target's photos, phone numbers, accounts, etc.

Intelligence Modules
 Intelligence module
  Automatically creates a profile for each target, showing the digital identity of your target
 Correlation module
  gives information on interactions (communications, meetings, etc.) between different targets

Intelligence

Monitor

Test

Q&A