RCS 7.0.0 - Injection Proxy Appliance Manual
Contents
1. HackingTeam Remote Control System 7.0.0 Injection Proxy Appliance Manual

1 Introduction

1.1 Injection technology

RCS Injection Proxy Appliance (RCS IPA) is an offensive security device developed to perform remote installation of Remote Control System. By using man-in-the-middle attack techniques and our proprietary streamline injection mechanism, it can transparently operate in different network scenarios, either on LANs or intra-switch segments. RCS IPA rule-based configuration allows the user to set up a set of resources (i.e. executable files) and users (i.e. IP address, Radius authentication) to be injected. Employing purpose-specific network hardware, RCS IPA is able to perform on network links up to several gigabits of bandwidth, using different physical connection standards (Gigabit Ethernet, SONET, E1, T1, J1).

1.2 Features

1.3 Common Terminology

Illustrated here are the concepts that will b
2. Intel hardware, such as off-the-shelf laptops or netbooks. Installation is identical for both types of hardware, while there are some minor differences in post-install configuration.

3.1 Software installation

Installing the software on the appliance is done using the RCS IPA Installation CD. Power up the system and insert the CD into the tray. If the system does not boot from the CD, you need to change the configuration of the BIOS and modify the boot sequence. After the boot process completes, a confirmation screen appears, starting the RCS IPA installation process.

[Figure 3: Confirmation screen. Screen text: "This will destroy all your data on the harddisk!! Would you like to continue? [yes/no]"]

If you want to continue, type yes, then press Enter.

Installer output:

Creating the key(s)
cryptsetup for /dev/sda3 to /dev/mapper/root
cryptsetup for /dev/sda4 to /dev/mapper/rcsipa
Formatting the partitions
swap on /dev/sda1, boot on /dev/sda2, root on /dev/mapper/root, data on /dev/mapper/rcsipa
Mounting the partitions
/dev/mapper/root on /tmp/root, /dev/sda2 on /tmp/root/boot, /dev/mapper/rcsipa on /tmp/rcsipa
Creating and mounting the pseudo filesystem (proc, sys)
/tmp/root/proc, /tmp/root/sys
Extracting the boot tarball (kernel and initrd)
Installing the crypto key(s), repacking the initrd and installing the rootfs key, datafs key to /tmp/root/rcsipa
Extracting the root tarball
Extracting the data tarball
set
3. e commonly used during the rest of this document.

Target: the user computer on which you want to remotely install RCS.

Access Switch: the switching apparatus to which the target is connected. IPA needs to monitor a segment of this switch to be able to see the traffic of the target and eventually modify it.

User: the IPA identifies users by means of their identification on the network. This could be their IP address, Radius credentials, etc. This concept ideally matches Target, but will be used to distinguish the means by which interesting connections are discriminated by IPA (i.e. by IP address).

Resource: a resource is intended as an object of interest to the IPA. Usually this consists of an EXE file sent through an HTTP connection. This is usually identified by configuring the IPA with a string that should match the URL of interesting resources (i.e. all EXE files).

2 IPA Architecture

RCS Injection Proxy Appliance can be plugged into any network in which a SPAN-capable network switch is present or a TAP device is available to monitor the traffic. RCS IPA, once deployed, will reside outside the customer network (Figure 1). RNC (RCS Network Controller) will periodically poll the IPA to send it new configurations, monitor its state and collect the logs. According to the received configuration, the IPA actively monitors all HTTP network connections and eventually modifies them as needed. After the first configurati
4. nfiguration, you have to edit /etc/conf.d/net accordingly. Please ask the HT support team how to do that.

3.3 Physical installation and cabling

Once the software has been installed onto the RCS IPA, you can proceed with cabling the RCS IPA to the network segment to be monitored. Strictly follow the configuration you made in the rcsredirect.conf file. You can test the sniffing interface using tcpdump (http://www.tcpdump.org; please refer to the tcpdump manual for instructions on how to use it) to see if you discern the expected traffic. When sniffing traffic to see if you are monitoring the correct network segment, try to look for target authentication factors, such as a specific IP address or Radius authentication headers.

The injection proxy also supports wifi connectivity. In this case you will need two different wifi network interfaces: one for monitor-mode sniffing and one associated to the network you want to operate on. You also need to put the correct wifi password inside the rcsredirect.conf file. The wifi key can be in one of the following formats:

wifi key wep 64 5 x12 x34 x56 x78 x90 x12 x34
wifi key wep 128 s x12 x34 x56 x78 x90 x12 x34 x56 x78 x90 xAB xCD xEF
wifi key wpa psk 663eb260e87cf389c6bd7331b28d82f5203b0cae4e315f9cbb7602f323670846
wifi key wpa pwd password BSSID

4 IPA Configuration

Once the appliance has been installed and put in place, at least a first time c
5. on of the IPA, even if the connection to RNC isn't present anymore, the IPA will continue working, monitoring and injecting connections as configured, so an IPA can be configured beforehand then deployed: the IPA will operate on its own, completely isolated from the RCS infrastructure ("Set and Forget" configuration).

[Figure 1: IPA Architecture overview. Labels: RCS, Remote Network Controller, Firewall, Access Switch, Customer network, Foreign Network]

RCS IPA can be inserted into the target network by using a network switch and, if available, a tap device (Figure 2).

[Figure 2: IPA setup with and without TAP device. With TAP: Injection Proxy Appliance, HTTP Connections, two sniffing interfaces, packet injection, Network TAP, Access Switch (no configuration). Without TAP: Injection Proxy Appliance, HTTP Connections, sniffing interface, packet injection, Access Switch with mirror port]

RCS IPA requires two network links to operate: one for intercepting the traffic, the other to inject traffic into the network.

2.1 Traffic interception

The RCS IPA monitors network traffic to detect HTTP connections. There are two different solutions to replicate the network traffic and send it to the RCS IPA. Since both solutions use passive interception, no degradation or interruption of service can be caused by RCS IPA.

2.1.1 Using a SPAN port

If you only have the Access Switch available, you can use one or more SPAN
6. onfiguration must be made.

4.1 Registering the IPA

The first step in using the RCS IPA is to register it using the RCSConsole. Please refer to the Console User Manual (The Network Section > Injection Proxies) for the registration procedure.

4.2 Adding the rules

A rule needs to be added to the IPA for each user and resource you want to inject. Please refer to the Console User Manual (The Network Section > Injection Proxies Rules) for adding a rule.

When adding a rule, a means of identifying the target is needed: if operating within an ISP network, have them collaborate to provide you information about how to discriminate traffic from the target. Otherwise, sniffing some traffic and analyzing it can be the only way you have to find out how to identify your target. In this respect, WireShark (http://www.wireshark.org) is a very effective sniffing tool.
7. ports on the switch to monitor the traffic and send it to the IPA.

Using a SPAN port is the most common solution, but it carries a few drawbacks:

- CPU load on the switch may be noticeably higher due to SPAN port usage;
- if the SPAN port on the switch is already in use, it may not be possible to use it for IPA;
- vice versa, if the SPAN port is in use by IPA, this prevents any other usage of the same port for other purposes.

2.1.2 Using a TAP device

A TAP device may already be present on the network segment you want to monitor using RCS IPA. Since using a TAP device does not carry any of the drawbacks of using a SPAN port, this is the preferred solution.

2.2 Traffic injection

RCS IPA examines the intercepted traffic looking for HTTP connections. In case a connection is found that matches the rules, some traffic is injected into the network to send the RCS payload together with the original data. To inject the traffic, one link is needed on the Access Switch; this port must be configured to see all the VLANs that are present on the intercepted ports.

3 Installation

Before using the RCS Injection Proxy Appliance, you need to reset the system, installing the software from the provided bootable media (i.e. CD). Software installation is automated, requiring only a few confirmation steps. IPA software can be installed either on dedicated appliances with wire-speed capture network cards, or on standard
8. ting up udev for the new networking device driver
Finalizing the installation
Installing grub
Press ENTER to continue

[Figure 4: Installation completed]

The installation procedure may require up to 20 minutes to complete. When completed, please press Enter to continue.

[Figure 5: SYSCONF screen. Fields: Hostname, IP address, Netmask, Gateway, DNS server]

The SYSCONF screen allows you to set up the network interface. This configuration is relative to the injection interface. To move inside the SYSCONF you can use the following keys:

Action: Move within the menus

Normally you want to use only the Network menu, to configure the IP address, gateway and DNS, and the File menu, to save the configuration.

[Figure 6: Network menu]

The Network menu gives you the following options:

Hostname: Change the hostname for the system (default is RCS_IPA)
IP address: Change the IP address and netmask
DNS: Change the DNS server (auto-detected if possible)

Select the IP address menu, then change IP and netmask.

[Figure 7: Changing IP address and netmask]

[Figure 8: Changing gateway]

9. [Figure 9: Saving the configuration]

[Figure 10: Exiting from installation. Screen text:]

A shell has been opened into the new filesystem; if you need to tune the new system before the first boot, do it now. You are in a chroot environment, so you can install a new kernel as you were in the live system. To finalize the installation, exit from the current shell.

10. [Figure 11: Rebooting the appliance. The screen shows "Installation completed", the Gentoo Linux Minimal Installation CD welcome message, and the reboot command]

3.2 Post-install configuration

Once the appliance has rebooted, you can log into the system using the following default credentials:

Username: root
Password: demorcs

By default, traffic monitoring and injection are both done on interface eth0. If you have two network cards, you may want to use different ports for sniffing and injecting traffic, while if you have installed the IPA on a hardware-accelerated appliance, you want to change the sniffing interface to use the accelerated network card.

To change how the network ports are used, edit the file /rcsipa/etc/rcsredirect.conf, then change the variables sniffing iface and response iface to the interfaces you want to use for each purpose. In case you have hardware-accelerated network cards, each port on them is named dag, dag and so on. Non-accelerated network ports are named eth0, eth1 and so on.

In order to configure the communication with the RNC daemon, you have to copy two files from the Database server into the /rcsipa/etc directory:

rcs client pem
network sig

Those two files can be found on the desktop of the database server, in the RCS Files directory.

NOTE: remember that the automatic configuration through sysconfig only configures eth0. If you need special network co