
] Hacking Team [


beltran




Presentation Transcript


  1. ]Hacking Team[ • RCS • Remote Control System

  2. Remote Control System

  3. RCS Architecture (diagram; component labels): ASP (RSS, RLD), HCM, DB, Console, and the Backdoors connecting to ASP

  4. RCS Internals
  • HCM: It is used to create the configurations for the Backdoors. It communicates with ASP through the DB in order to send the configurations to the Backdoors. It is used to create infection vectors such as melted executables, CD/USB, etc.
  • ASP: It is composed of two different Windows services: RSS and RLD. RSS is responsible for the communication with the Backdoor. RLD decrypts the logs and sends them to the DB.
  • Backdoor: Stealth monitoring program written both in C++ and ASM. Connects to ASP using an encrypted channel. It uses an event/actions paradigm and is made up of different agents that can be activated separately.

  5. RCS Internals
  • Console: This is the main visualization tool. It can be used to administrate users, groups, activities, targets and backdoors. It is used to browse the logs too. It is accessed by different users with different profiles (a user can only see logs from the activities assigned to him).
  • DB: All the information about users, activities, targets, backdoors and logs is contained in the DB. All the other components talk to the DB through an XML-RPC interface.

  6. Backdoor

  7. Backdoor Logic (Events trigger Actions; Actions start/stop Agents)
  Events are raised by the event manager based on the configuration file. Actions are triggered by Events; each event is configured to trigger exactly one action, and sub-actions are available. Agents can be activated on startup or started/stopped by an action; each agent has its own configuration and behavior.
  • Events: Executed Processes • Network Connections • Screensaver start/stop • Time/Date • WinEvt • Quota
  • Actions: Synchronize • Start / stop agent • Uninstallation • Command execution
  • Agents: Voip • Microphone • Webcam • Key logger • Instant Messaging • URL • Password • Snapshot • Print • Clipboard • File Capture

  8. Backdoor Workflow (diagram; labels): Dropper, Core, Event Manager, Actions Table, Action Manager, Actions, Agents, Logs, to ASP

  9. HCM

  10. Configuration Module
  • Single point management:
  • Select remote repository (DB)
  • Authenticate
  • Manage backdoor configuration
  • Create Infection media
  (diagram: HCM connected to several Remote DBs)

  11. Configuration Management (workflow: Select DB & Authenticate → Manage Backdoors Configurations → Build Infection Tools → Logout)
  • Repository selection:
  • Choose a repository of backdoor configuration
  • Authenticate with Username/Password
  • Manage configuration:
  • Add/Delete/Change events-actions, modify agent params, etc.
  • Save and update configuration on DB
  • Build Infection media:
  • Polymorphic Melted Executable
  • Offline installation tool (CDRom/USB pen)
  • INJ proxy: polymorphic core, plugin, etc.

  12. Infection Vectors (HCM)
  • INJ Proxy: Intercepts all the HTTP connections of the target and injects the backdoor into any executable file downloaded. When the target executes the file, the backdoor will execute unnoticed and the target will be infected.
  • EXE Melting: The backdoor is melted within any executable. When the executable is launched the backdoor will install silently and the original executable will continue as usual.
  • Boot CD/USB: The target PC will be booted with the provided CD or USB key and the offline installation will start. You can choose the users of the machine on which the backdoor will be installed. You can even retrieve the logs already collected.
  • Hacking Resources: The client target can be attacked through exploits and forced to upload and execute the backdoor. E.g.: malicious website, evilly crafted file.

  13. Injection Proxy

  14. Injection Proxy (diagram): Client → HTTP transparent proxy (Injection Proxy, with Melter and configuration from HCM) → HTTP Server; http request, file download, file + backdoor

  15. ASP

  16. ASP Workflow (diagram; labels): RSS: SSL socket, Monitoring, Identification, Log Retrieving from Backdoor, Configuration Manager, Send; Encrypted Logs Repository; RLD: Offline Retrieving, Reassembly, Decryption, to DB

  17. ASP Internals
  • Encrypted communications
  • Mutual authentication with the backdoors (prevents MITM and spoofing attacks)
  • Multi-threaded
  • Two independent Windows services for communication (RSS) and decryption (RLD)
  • Hidden behind a fake web server

  18. DB

  19. DB Structure (diagram): Apache + PHP + MySQL; XML-RPC interfaces to ASP, Console and HCM

  20. DB data organization
  • Users and Groups
  • Activities, Targets and Backdoors
  • Logs
  • Audit Logs
  • Binaries and Certificates
  • Encryption Keys
  • Configurations

  21. Console

  22. Users Privileges (table with columns User, ADMN, TECH, VIEW; cells in slide order)
  • Creates Backdoors
  • Creates infection vectors
  • Manages configurations
  • Performs queries on logs
  • Views the Dashboard
  • Generates Blotters
  • Manages Users and Groups
  • Manages Activities and Targets
  • Can access the Trace log
  • Cannot create Backdoors
  • Cannot view Logs
  • Cannot create Targets
  • Cannot view Logs
  • Cannot create Targets
  • Cannot configure Backdoors

  23. Object Hierarchy (users and group) (diagram): Users → Group → Activity

  24. Object Hierarchy (activity, target, backdoor) (diagram): Activity → Targets → Backdoors (several backdoors per target)
