
Slide 1: FINFISHER: FinSpy 3.10 Product Training

Slide 2: Table of Contents
1. Introduction
2. FinSpy Agent
3. FinSpy Administration
4. FinSpy Master
5. FinSpy Relay
6. Troubleshooting

Slide 3: Portfolio Overview

Slide 4: Introduction
FinSpy is designed to help Law Enforcement and Intelligence Agencies remotely monitor computer systems and gain full access. Key Features:
- Online Communication: Skype, Messengers, VoIP, E-Mail, Browsing and more
- Internet Activity: Social Networks, Discussion Boards, Blogs, File-Sharing and more
- Stored Data: Remote access to hard-disk, deleted files, Recently Opened Files, crypto containers and more
- Surveillance Devices: Use of integrated webcams, microphones and more
- Location

Slide 5: Introduction – Strategic use of the FinSpy System
- IT Intrusion System
- Internal Monitoring System
- Covert Surveillance Device
- Remote Control System

Slide 6: FinSpy – Components

Slide 7 (section): 2. FinSpy Agent

Slide 8: FinSpy Agent – Components
- Provides the Graphical User Interface for the FinSpy System
- Shows the Target List
- Provides the Interface for Target Analysis
- Allows Target Configuration
- Facilitates Target Updates
- Enables Target Trojan Creation
- Facilitates Creation of differing Infection Techniques

Slide 9: FinSpy Agent – Contents
- Overview
- Target List
- Target Options
- Evidence Protection
- Target Creation
- Infection Techniques
- Analyses

Slide 10: FinSpy Agent – Overview – Login Window
1. Username and Password
2. IP Address or DNS Name and Port of the FinSpy Master
3. Logoff from the FinSpy Master

Slide 11: FinSpy Agent – Overview – Main Window

Slide 12: FinSpy Agent – Overview
The FinSpy Agent Main Window offers the following functionalities:
- Data Analysis – Analysis of selected or multiple Targets
- Create Target – Wizard to create a new Target Trojan
- Configuration – Basic Settings for FinSpy Agent and FinSpy Master
- Show Logfiles – View the Logfiles on the FinSpy Master
- Agent List – View which Agents are connected to which Target(s)
- License Information – View the current License and import one
- LEMF – Data Management – Configure the LEMF
- About – Shows the FinSpy Version and License
- Online Help – Visit the Support Website
- Logoff – Disconnect the FinSpy Agent from the FinSpy Master

Slide 13 (section): 2. FinSpy Agent – Target List

Slide 14: FinSpy Agent – Target List

Slide 15: FinSpy Agent – Target List
The FinSpy Agent Target List displays the following information about a Target:
- FinSpy Target Name
- Unique FinSpy System Name of the Target System
- Username under which the FinSpy Infection operates
- Country & City in which the FinSpy Target's ISP access point is located
- Global IP & Public IP address of the FinSpy Target
- Operating System including Service Pack
- Target Time & Target Time Zone
- Software Version of the FinSpy Target
- Install Mode (MBR, Kernel Mode, User Mode)

Slide 16: FinSpy Agent – Target List – Online

Slide 17: FinSpy Agent – Target List – Online
The Online List of Targets offers the following functionalities to manage, monitor and reconfigure an active FinSpy Target:
- Analyse Data
- Visualize Data
- Evidence Protection
- Configuration
- Live Session
- Download Now
- Update
- Remove Infection
- Disconnect

Slide 18: FinSpy Agent – Target List – Offline

Slide 19: FinSpy Agent – Target List – Offline
The Offline List of Targets offers the following functionalities to manage and monitor a FinSpy Target:
- Analyse Data
- Visualize Data
- Evidence Protection
- Configuration
- Remove Infection

Slide 20: FinSpy Agent – Target List – Archived
The Archived List of Targets offers the following functionalities to manage a FinSpy Target where the infection was removed but data is still on the FinSpy Master Server:
- Analyse Data
- Visualize Data
- Evidence Protection
- Remove Data

Slide 21: FinSpy Agent – Target List – Target Licensing
If the maximum number of infections is reached, the Target is unavailable as long as no license is freed and an infected Target is uninfected. First come, first served principle.

Slide 22: FinSpy Agent – Target List – Recorded Data Availability
Symbols indicate the availability of new data:
1. Star indicates data on the FinSpy Master is available
2. Bullet indicates data on the FinSpy Target is available for download to the Master Server

Slide 23 (section): 2. FinSpy Agent – Target Analysis

Slide 24: FinSpy Agent – Target Analysis
- All or selected recorded data can be shown or replayed
- Data is stored on the FinSpy Master
- Data can be viewed, deleted, exported and commented on

Slide 25: FinSpy Agent – Target Analysis – Main Window

Slide 26: FinSpy Agent – Target Analysis
The Target Analysis Main Window shows the following information:
- Identifies the Infection module (device/application)
- An importance level can be associated with specific stored data
- FinSpy Target Name
- Unique internal FinSpy System reference to the specific FinSpy Target
- Size of the stored data set in bytes
- The date when the data was recorded on the Target PC

Slide 27: FinSpy Agent – Target Analysis
Possible actions for each entry:
- Opens & shows the recorded data
- Deletes the data set from the FinSpy Master Server
- Exports the data to the FinSpy Agent computer
- Comments on the data can be stored

Slide 28: FinSpy Agent – Target Analysis – Recorded Comments
- Comments cannot be deleted
- Importance Levels are also comments
- Descending order

Slide 29: FinSpy Agent – Target Analysis – Filter Search
- Start / End Date
- Module
- Advanced Options

Slide 30: FinSpy Agent – Target Analysis – Embedded Audio Player (Skype, VoIP, Microphone)
- Start / Pause / Stop
- Equalizer for each channel
- Volume control

Slide 31: FinSpy Agent – Target Analysis – Embedded Video Player (Webcam, Screen, Mouse Clicks)
1. Play / Pause, Stop, One Screenshot Backward, One Screenshot Forward
2. Current Time, Total Length
3. Preview Images (generated at runtime)

Slide 32: FinSpy Agent – Target Analysis – Hands-On

Slide 33: FinSpy Agent – Target Analysis – Hands-On
- Select a Target
- Search for Microphone Recordings only
- Open a Microphone Recording
- Change the Priority Level to High
- Write a Comment

Slide 34 (section): 2. FinSpy Agent – Visualize Data

Slide 35: FinSpy Agent – Visualize Data
Analyzing data in a graphical way.

Slide 36: FinSpy Agent – Visualize Data
Analyzing data in a graphical way:
- The art of visualization
- The recorded data on each day
- Setting the importance level

Slide 37: FinSpy Agent – Visualize Data
Analyzing data in a graphical way:
- Overview divided by module
- Amount of recordings for each module
- Meta Information

Slide 38 (section): 2. FinSpy Agent – Evidence Protection

Slide 39: FinSpy Agent – Evidence Protection
Prove that collected data has not been altered, for use as evidence in court:
- Import of a security certificate
- Digital check for each item
- Activity Logging (Who, What, Where)
- Signature Verification

Slide 40: FinSpy Agent – Evidence Protection – Certificate Management

Slide 41: FinSpy Agent – Evidence Protection
- Status of Evidence
- Signature Checking
- Export of Evidence

Slide 42: FinSpy Agent – Evidence Protection – Activity Log
Event Description (Who/What/Where)

Slide 43: FinSpy Agent – Evidence Protection
Exported evidence can generate a report.

Slide 44: FinSpy Agent – Evidence Protection
Evidence history can be viewed.

Slide 45: FinSpy Agent – Evidence Protection – External Verification Tool
Can be used as a portable tool.

Slide 46: FinSpy Agent – Configuration – Hands-On

Slide 47: FinSpy Agent – Configuration – Hands-On
- Select a Target
- Go to Evidence Protection
- Export the Evidence
- Use the external Evidence Verification Tool
- Run the external Evidence Verification Tool

Slide 48 (section): 2. FinSpy Agent – Configuration

Slide 49: FinSpy Agent – Configuration
Configuration of the FinSpy Target:
- General settings
- Network settings
- Download Schedule
- Alert Settings
- User Permissions
- Modules

Slide 50: FinSpy Agent – Configuration – Configuration Window

Slide 51: FinSpy Agent – Configuration
If all modules are installed, the following can be configured:
- General – Information on Trojan, Network, Heartbeat and Removal
- Download Schedule
- Alert Settings
- User Permissions
- Accessed Files
- Changed Files
- Command Shell
- Deleted Files
- File Access
- Forensics Tools

Slide 52: FinSpy Agent – Configuration
If all modules are installed, the following can be configured (continued):
- Keylogger
- MouseClicks
- Microphone
- Printer
- Scheduler
- Skype
- Screen & Webcam
- VoIP

Slide 53: FinSpy Agent – Configuration – General
Infection Executable Information: cannot be changed, as it is fixed in the FinSpy Target.

Slide 54: FinSpy Agent – Configuration – General
Hiding Techniques:
- Hide the network connections
- Hide the registry entries
- Hide the trojan process

Slide 55: FinSpy Agent – Configuration – General
Infection Self Removal:
- Scheduled Removal of the FinSpy Target
- Time-Out Removal

Slide 56: FinSpy Agent – Configuration – General
Target Settings:
- Target Name displayed in the Target List
- Heartbeat – communication period between FinSpy Target and FinSpy Master
- Download Speed Limit

Slide 57: FinSpy Agent – Configuration – General
Relay Settings:
- Different Hosts / FinSpy Relay
- Possible Ports where the FinSpy Proxy / FinSpy Relay can be contacted
- Randomness

Slide 58: FinSpy Agent – Configuration – General
The Application Based Events specify the communication:
- Active and Running Applications
- Stop the communication

Slide 59: FinSpy Agent – Configuration – Hands-On

Slide 60: FinSpy Agent – Configuration – Hands-On
- Select a Target
- Configure General Settings
- Give the Target another Name

Slide 61 (section): 2. FinSpy Agent – Download Schedule

Slide 62: FinSpy Agent – Configuration – Download Schedule
To configure:
- Automated Downloads
- Time & Date based
- Application based

Slide 63: FinSpy Agent – Configuration – Download Schedule
Application Events:
- Screensaver Active
- Screen Locked
- Data Available

Slide 64: FinSpy Agent – Configuration – Download Schedule
Time Events:
- Start Event Date
- Event Time
- Interval
- Time Zone

Slide 65: FinSpy Agent – Download Schedule – Hands-On

Slide 66: FinSpy Agent – Download Schedule – Hands-On
- Select a Target
- Create a Download Schedule: if the Screensaver is active
- Create a Download Schedule: every Monday morning at 10 am

Slide 67 (section): 2. FinSpy Agent – Alert Settings

Slide 68: FinSpy Agent – Alert Settings
- Sending e-mails if an Event occurs
- Based on Events (Target Online, Data Available, Data Downloaded)

Slide 69: FinSpy Agent – Alert Settings – Hands-On

Slide 70: FinSpy Agent – Alert Settings – Hands-On
- Select a Target
- Create an Alarm for a certain event
- Let the event occur and check your Inbox

Slide 71 (section): 2. FinSpy Agent – User Permissions

Slide 72: FinSpy Agent – User Permissions
- Different users: System Administrator, Administrator, User
- Detailed configuration per user & target
- Action allowed / Action not allowed

Slide 73: FinSpy Agent – User Permissions – Hands-On

Slide 74: FinSpy Agent – User Permissions – Hands-On
- Select a Target
- Choose one user and give him the following rights: Live Session, Configuration
- Are the rights displayed correctly afterwards?

Slide 75 (section): 2. FinSpy Agent – Modules

Slide 76: FinSpy Agent – Configuration – Accessed Files
Recording Accessed Files:
- In predefined directories & hard drives
- Exceptions can be set
- Definition of file types

Slide 77: FinSpy Agent – Configuration – Changed Files
Recording Changed Files:
- In predefined directories & hard drives
- Exceptions can be set
- Definition of file types

Slide 78: FinSpy Agent – Configuration – Deleted Files
Recording Deleted Files:
- In predefined directories & hard drives
- Exceptions can be set
- Definition of file types

Slide 79: FinSpy Agent – Configuration – Keylogger
- Indication of which application was used (e.g. Mail Client, Browser, Explorer, Notepad)
- Helps to remove unnecessary information for faster analysis
- Entries are based on Process and Window Name

Slide 80: FinSpy Agent – Configuration – MouseClicks
- Video Quality (Low, Normal, Good, Best) & Mode (Color, B&W)
- Definition of Mouse Click Type (Left, Right, Double)
- Rectangle Size (captured area around the click, in pixels)
- Sensitivity (distance from the previous click)
- Application Based Events

Slide 81: FinSpy Agent – Configuration – Microphone
Configuring the Microphone Quality:
- Low to Best quality
- Will affect the recording size
- Depends on the distance of the Target to the speaker

Slide 82: FinSpy Agent – Configuration – Scheduler
Scheduling of the following:
- Module (Webcam, Microphone, Screen)
- Different intervals (Once, Daily, Weekly, Monthly)
- Duration

Slide 83: FinSpy Agent – Configuration – Scheduler
- No live session necessary (use when the Target is offline)
- Automatic, defined recording

Slide 84: FinSpy Agent – Configuration – Skype
Skype module:
- Interception of Voice & Chat Communication
- Interception of File Transfers
- Retrieving the Skype Contact List
- No need for a Live Session

Slide 85: FinSpy Agent – Configuration – Screen & Webcam
- Quality & Size can be defined
- Useful as an indication of disk space usage on the Target computer
- Automatic recording of the screen if certain applications are running

Slide 86: FinSpy Agent – Configuration – VoIP
- Application based recording
- Recording if Microphone/Speaker are used
- Initial Screenshot for information gathering
- Sound quality

Slide 87: FinSpy Agent – Configuration – Add/Remove Module
- Add Module
- Remove Module

Slide 88: FinSpy Agent – Configuration – Activate/Deactivate Module
1. Deactivate Module
2. Activate Module

Slide 89 (section): 2. FinSpy Agent – Live Session

Slide 90: FinSpy Agent – Live Session
The Live Session offers the following options:
- Establishing a live session to the Target's Display
- Establishing a live session to the Target's Webcam
- Establishing a live session to the Target's Microphone
- Shows a live session of the Target's keys pressed
- Commands can be entered at the Target's command shell
- Shows a live File Browser for the Target's file system
- Execute Applications on the Target's system

Slide 91: FinSpy Agent – Live Session
Record Display / Record Webcam / Record Microphone: Start the Live Session

Slide 92: FinSpy Agent – Live Session
Record Display / Record Webcam / Record Microphone: Stop the Live Session

Slide 93: FinSpy Agent – Live Session
Recorded Keystrokes include the following information:
- Process Name
- Date and Time of the Keylogging
- Application Name & Window Title
- Enable/Disable Special Chars

Slide 94: FinSpy Agent – Live Session
The Command Shell offers:
- Shutting down the FinSpy Target
- Creating Files
- Executing Files
- Creating Accounts
- Accessing Other Computers
- Uploading Data
- Access to PowerShell
- And many more

Slide 95: FinSpy Agent – Live Session
Access Files offers:
- Easy browsing through the whole Target PC file system, including Hidden, System and Locked Files
- Downloading Files and Folders
- Uploading Files
- Directory Refresh (right-click)

Slide 96: FinSpy Agent – Live Session
Forensic Tools offer:
- Execution of applications
- Reading out saved passwords
- Retrieving system information

Slide 97: FinSpy Agent – Live Session – Hands-On

Slide 98: FinSpy Agent – Live Session – Hands-On – 1
- Select a Target
- Establish two Live Sessions
- Watch the Screen
- Browse Files
- Upload a File

Slide 99: FinSpy Agent – Live Session – Hands-On – 2
- Select a Target
- Establish a Forensic Tools Live Session
- Upload & execute an application on the FinSpy Target
- View the data
- Remove the application from the FinSpy Target

Slide 100 (section): 2. FinSpy Agent – Download Data

Slide 101: FinSpy Agent – Download Data
Immediate manual download from the Target to the FinSpy Master Server:
- Indicated by a bullet
- Download data can be chosen

Slide 102: FinSpy Agent – Download Data
Immediate manual download from the Target to the FinSpy Master Server:
- Separated by module
- Separated by time
- Separated by size

Slide 103 (section): 2. FinSpy Agent – Update Modules

Slide 104: FinSpy Agent – Update Modules
Update Active Modules on the Target:
- Automatically / Manually
- Always latest functionality
- Restart required to apply

Slide 105 (section): 2. FinSpy Agent – Remove Data

Slide 106: FinSpy Agent – Remove Infection
- Complete removal of FinSpy Infection, Trojan, Stored Files and Modules
- The FinSpy Target needs a restart before re-infection

Slide 107: FinSpy Agent – Remove Data
- Removing data on the FinSpy Master Server
- Only works on Archived Targets

Slide 108 (section): 2. FinSpy Agent – Create Target

Slide 109: FinSpy Agent – Create Target
Creating a FinSpy Target

Slide 110: FinSpy Agent – Create Target
Giving an infection name:
- To identify the FinSpy Target in the Target List
- Choose a unique, easy to remember name

Slide 111: FinSpy Agent – Create Target
Choosing the Target Operating System. Currently possible:
- Microsoft Windows
- Mac OS X
- Linux

Slide 112: FinSpy Agent – Create Target
- Network Configuration, Heartbeat & Download Speed Limit
- Application based Events

Slide 113: FinSpy Agent – Create Target
Self Removal:
- Max Infection – Avoid accidental mass infections and wasting of license limits
- Scheduled Removal – On a given date the FinSpy Target removes itself
- Time-Out Removal – After being out of communication with the FinSpy Master for a given time, the FinSpy Target removes itself

Slide 114: FinSpy Agent – Create Target – Module Selection

Slide 115: FinSpy Agent – Create Target – Module Availability – 1

Slide 116: FinSpy Agent – Create Target – Module Availability – 2

Slide 117: FinSpy Agent – Create Target
- Modules can be selected
- Recommendation for Physical and Remote Infection: use no modules. The FinSpy Installer at minimum, and the lack of module activity, does not attract attention from Antivirus/Antispyware upon initial installation.
- Minimum size: ~590 KB (no modules)
- Maximum size: ~1.8 MB (all modules)

Slide 118: FinSpy Agent – Create Target
Target Options:
- Installing into the Master Boot Record
- Vista and Windows 7 infection (UAC Popup)
- More hidden infection!

Slide 119: FinSpy Agent – Create Target
User Permissions: allowing certain users certain actions for this Trojan

Slide 120: FinSpy Agent – Create Target
Summary of the created FinSpy Target:
- Name
- Operating System
- Network Information
- Modules
- Etc.

Slide 121: FinSpy Agent – Create Target – Generate Infection
- Infected Application – Original exe still opens as usual with the original icon
- Infected Screensaver – Original screensaver still runs with the original icon
- Infected Office Document – Adds a macro to a Word & Excel file
- Infected File (Extension Rename) – Adds .exe extension, original file still opens
- Infected File (Advanced File Name Conversion)
- Bootable ISO Image – Burns the Trojan to a bootable CD/DVD

Slide 122: FinSpy Agent – Create Target – Generate Infection
- Bootable Infection Dongle – Installs the Trojan on a bootable USB device; for infection of hard-drive-encrypted systems (TrueCrypt, PGP, etc.)
- Runtime Infection Dongle – For infection of running systems via Autorun

Slide 123: FinSpy Agent – Configuration – Hands-On

Slide 124: FinSpy Agent – Configuration – Hands-On
- Create a Target
- Following Modules: Microphone, Keylogger, Skype
- Choose MBR Infection
- Any Infection Path
- How big is the file size of the Target? Useful for which kind of distribution?

Slide 125 (section): 2. FinSpy Agent – Infection Techniques

Slide 126: FinSpy – Infection Techniques – FinFly USB
FinFly USB:
- FinSpy Target on a USB Stick
- Physical access needed
- Automated execution
- Little or no user interaction (dependent on the Autoplay configuration on the Target)

Slide 127: FinSpy – Infection Techniques – FinFly USB
Created through the FinSpy Agent.

Slide 128: FinSpy – Infection Techniques – FinFly USB
The Trojan will be generated and copied to the FinFly USB Stick.

Slide 129: FinSpy – Infection Techniques – FinFly USB
Automatic execution behaviour on:

  Operating System               Default behaviour
  Windows 2000 <= SP3            Manual interaction required
  Windows 2000 SP4, Windows XP   Autorun on insertion
  Windows Vista, Windows 7       Depending on the configuration, interaction might be required

Slide 130: FinSpy – Infection Techniques – FinFly USB
Manual infection (two alternatives shown as screenshots).

Slide 131: FinSpy – Infection Techniques – Application CD
Create an Autorun CD with an Infected Installer of:
- Games (World of Warcraft)
- DVD (Video Player)
- Etc.

Slide 132: FinSpy – Infection Techniques – Application CD
Using FinSpy to infect an application.

Slide 133: FinSpy – Infection Techniques – Application CD
- Creating the corresponding autorun.inf within the same directory as the FinSpy Target
- Burn to a CD / DVD

Slide 134: FinSpy – Infection Techniques – Application CD
Distribute to the following locations:
- Mailbox of the Target
- Internet Cafes
- Business Centres
- Offices

Slide 135: FinSpy – Infection Techniques – Office Document
Office Document Infection:
- No *.exe or *.scr file
- Word or Excel document can be infected
- Will pass attachment scanners (e.g. Gmail, Hotmail, ...)

Slide 136: FinSpy – Infection Techniques – Office Document
Make the document look real.

Slide 137: FinSpy – Infection Techniques – FinFly Lite

Slide 138: FinSpy – Infection Techniques – FinFly Lite
Key Features:
- Binary Infection: Downloads of executables or screensavers will be infected with the pre-configured "payloads"
- Update Injection: Several client software packages can be forced to update and install the configured software when checking for updates
- Website Infection: Infect Target Systems through websites which install the software by using the web-browser module functionalities
- Custom Payloads: The software that will be injected can be uploaded and configured and is not bound to any other product
- Traffic Inspection: Identify Target Systems by IP Address or RADIUS username

Slide 139: FinSpy – Infection Techniques – FinFly Web
FinFly Web example with IFrame Injection.

Slide 140: FinSpy – Infection Techniques – FinFly Web
Key Features:
- Different Infection Modules: JavaScript / IFrame / Sun Java / XPI Plugin / ActiveX
- Multiple Browser support: Internet Explorer, Mozilla Firefox, SeaMonkey, Safari, Google Chrome, Opera
- Multiple Operating System support: Windows 2000, Windows XP, Windows Vista, Windows 7, MacOS Snow Leopard
- Implementation into standard websites

Slide 141 (section): 3. FinSpy Administration

Slide 142: FinSpy Administration
FinSpy Administration offers:
- FinSpy Configuration through the FinSpy Agent
- Configuration of the FinSpy Master
- Logfile Viewer of the FinSpy Master
- FinSpy Agent Connection Viewer
- Viewing License Information

Slide 143 (section): 3. FinSpy Administration – Configuration

Slide 144: FinSpy Administration – Configuration
Inside the Configuration Options, the following can be configured:
- Configuration of the FinSpy Agent Data Download/Export
- FinSpy Master Internal/External Network Interfaces
- Connection configuration for the FinSpy Target
- Configuring Settings for Alerts
- FinSpy Master and FinSpy Target Updates
- Certificates, Activity Logging & Functionality
- Database Integration of a LEMF
- Target Modules Definition

Slide 145: FinSpy Administration – Configuration – User Management
- Users can be added, changed or deleted
- Four different user roles: User, Privileged User, Administrator, System Administrator

Slide 146: FinSpy Administration – Configuration – User Management

Slide 147: FinSpy Administration – Configuration – Agent Configuration
Download Data Folder:
- Created Targets will be placed here
- Exported Evidence
- Updated Installer Files

Slide 148: FinSpy Administration – Configuration – Network Configuration
- FinSpy Agent Connection: Internal / External
- Connection Port
- FinSpy Master to Internet Connection: DHCP / Static

Slide 149: FinSpy Administration – Configuration – Relay Network Configuration
- This data will be retrieved at Target Creation
- Can contain multiple Hosts/IPs
- Can contain multiple Ports
- Partly randomised

Slide 150: FinSpy Administration – Configuration – Notification
- Alerting system for FinSpy Targets
- Template system
- Local MTA
- Predefined Free Mailer
- Custom

Slide 151: FinSpy Administration – Configuration – Updates
- Update check for a new FinSpy version
- Updating Targets automatically

Slide 152: FinSpy Administration – Configuration – Evidence Protection
- Enable / Disable Evidence Protection
- Certificate Import
- Logging Level

Slide 153: FinSpy Administration – Configuration – LEMF Interface
- Only needed if an existing LEMF system is available & connected
- Database can be set for data transmission

Slide 154: FinSpy Administration – Configuration – Target Modules
- The System Administrator can define modules
- Only enabled modules can be used on Trojan Creation

Slide 155 (section): 3. FinSpy Administration – Show Logfiles

Slide 156: FinSpy Administration – Show Logfiles
This shows the FinSpy Master Logfile:
- Live refresh
- Separation (Info, Warning, Error)
- Export for further or external analysis

Slide 157 (section): 3. FinSpy Administration – Agent List

Slide 158: FinSpy Administration – Agent List
Overview of all configured User Accounts / FinSpy Agents:
- When did which FinSpy Agent log in?
- From where is the FinSpy Agent connecting?
- Where is the FinSpy Agent connected to?

Slide 159 (section): 3. FinSpy Administration – License Information

Slide 160: FinSpy Administration – Agent List
Overview of current License Information:
- Number of Agents / Targets
- Validity
- Import of a new License

Slide 161 (section): 4. FinSpy Master

Slide 162: FinSpy Master – Components
Software:
- FinSpy Master
- FinSpy Proxy
Hardware:
- FinSpy Master Server
- FinSpy Master Spare Server
- KVM Console Switch
- UPS
- Ruggedized Box

Slide 163: FinSpy Master – Contents
1. Overview
2. Brief Linux Command Instructions
3. Master & Proxy Configuration
4. Monitoring
5. Port Forwarding
6. Dynamic DNS

Slide 164: FinSpy Master – Overview
- One Server with Software
- Different Networks
- Own file-based Database
- Hardened Kernel and Operating System based on Debian
- Massive and robust space for data (RAID 6, 1.6 TB)

Slide 165 (section): 4. FinSpy Master – Linux Commands

Slide 166: FinSpy Master – Linux Commands – Directories
- FinSpy Applications: /usr/local/finspy_master/ and /usr/local/finspy_proxy/
- Log Files: /var/log/
- Temporary Files: /tmp
- Init-Scripts: /etc/init.d/

Slide 167: FinSpy Master – Linux Commands
- Super User Rights: sudo command
- Changing Directories: cd /usr/local/finspy_master/
- Rename File: mv finspy_master.cfg_template finspy_master.cfg
- Edit & Read (Configuration File) with the console text editor: nano /usr/local/finspy_master/data/finspy_master.cfg
- Show latest entries (of a Logfile): tail -f /var/log/finspy_proxy.log
- Show Network Config: ifconfig

Slide 168: FinSpy Master – Linux Commands
- Remove Files: rm filename
- Remove Directories: rm -r directoryname
- Copy File: cp finspy_master.cfg_template finspy_master.cfg
- Show content of a file (Version of FinSpy Master): cat /usr/local/finspy_master/data/version

Slide 169 (section): 4. FinSpy Master – Master Configuration

Slide 170: FinSpy Master – Master Configuration
Configuration File: /usr/local/finspy_master/data/finspy_master.cfg
- Network for the FinSpy Master:
    FIN_AGENT_NETWORK_INTERFACE = eth1
    FIN_PROXY_1 = , 9118
- Update check on a daily basis:
    FINUM_SERVER = update.gamma-international.de
    FINUM_PORTS =
    FINUM_DESTINATION_PATH = ../updates
- Evidence Protection switch:
    FIN_EVIDENCE_PROTECTION = true

Slide 171: FinSpy Master – Master Configuration – Notification (Alert Settings)
/usr/local/finspy_master/data/finspy_master.cfg
- Settings variables begin with FIN_MX_
- By default, localhost will be used
- Settings are found under "FIN_MX_xxx"
- Free webmail services can be used (including TLS support), e.g. Gmail, Hotmail, Yahoo, ...

Slide 172: FinSpy Master – Master Configuration – User Management
/usr/local/finspy_master/data/.fin_passwd
- Structure: userid ; groupid ; login name ; user description ; password ; database permission ; file permission
- To change: userid ; login name ; user description ; password

Slide 173 (section): 4. FinSpy Master – Proxy Configuration

Slide 174: FinSpy Master – Proxy Configuration
Configuration File: /usr/local/finspy_master/data/finspy_master.cfg
- Network for the FinSpy Master:
    FIN_AGENT_NETWORK_INTERFACE = eth1
    FIN_PROXY_1 = , 9118
- Ports where the FinSpy Target or FinSpy Relay connect to:
    FIN_TARGET_PORTS = 22,53,80,443,4111

Slide 175 (section): 4. FinSpy Master – Misc Configuration

Slide 176: FinSpy Master – Monitoring
Automatic check for applications that are not running: the "monit" command
    sudo monit summary
- Successful: Process 'finspy_master' running
- Failed: Process 'finspy_master' not monitored, or Process 'finspy_master' Does not exist

Slide 177: FinSpy Master – Port forwarding
To ensure the FinSpy Proxy receives packets, the router must have port forwarding activated.

Slide 178: FinSpy Master – Dynamic DNS
- If the FinSpy Master or router doesn't have a static IP, a free service can be used to map a hostname to the dynamic IP
- Software on the FinSpy Master: ddclient
- Possible Free Services

Slide 179: FinSpy Master – Dynamic DNS
Configuration File: /etc/ddclient.conf. Example content:
    protocol=dyndns2
    use=web, web=checkip.dyndns.com, web-skip='IP Address'
    server=members.dyndns.org
    login=finspy-test
    password='dfUc!45XfP'

Slide 180 (section): 5. FinSpy Relay

Slide 181: FinSpy Relay – Components
Windows Software:
- FinSpy Relay
- FinSpy Relay Monitoring

Slide 182: FinSpy Relay – Components
Linux Software:
- FinSpy Relay

Slide 183: FinSpy Relay – Overview
- Anonymizes FinSpy connections
- Can be located anywhere in the world
- Small piece of software
- No big hardware requirements
- Chain of Relays possible

Slide 184: FinSpy Relay – Requirements
Windows:
- Windows Firewall must accept the FinSpy Ports
- Windows Server 2003 or higher
- Administrator rights
Linux:
- Debian or Ubuntu system
- 256 MB RAM
- Monitor software installed (monit)

Slide 185: FinSpy Relay – Configuration
Configuration File (relay.cfg):
- Windows: same directory as installed
- Linux: /usr/local/ffrelay/data/
Example Configuration File:
    CFG_TARGET_PORTS= 21,80,443,4111      # Incoming Connections
    CFG_NEXT_HOP_1= server.ath.cx, 2050   # FinSpy Master or Next FinSpy Relay
    CFG_SOCKET_TIMEOUT= 10                # Socket Read/Write Timeout
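The relay.cfg and finspy_master.cfg fragments on slides 170, 174 and 185 share one "KEY = value # comment" format. The parser below is an added example for an analyst triaging a configuration file recovered from a suspected relay or master host; it is not part of the training deck or of the FinFisher software. It extracts the listening ports, the ordered next-hop chain (CFG_NEXT_HOP_n / FIN_PROXY_n) and the evidence-protection flag, and tolerates the host-less "FIN_PROXY_1 = , 9118" line exactly as it appears on the slide. The sample configs are constructed from the slide text; the second hop "relay2.example.invalid" is an invented placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Hop = Tuple[Optional[str], Optional[int]]

# One "KEY = value" per line. A trailing "# comment" may be glued to the value
# with no space, exactly as on slide 185 ("4111# Incoming Connections").
_LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*([^#]*?)\s*(?:#.*)?$")
# Numbered forwarding entries: CFG_NEXT_HOP_<n> (relay) or FIN_PROXY_<n> (master).
_HOP_RE = re.compile(r"^(?:CFG_NEXT_HOP|FIN_PROXY)_(\d+)$")


def parse_cfg(text: str) -> Dict[str, str]:
    """Map KEY -> value with comments and surrounding whitespace removed.
    Blank, comment-only and malformed lines are skipped; a key that appears
    twice keeps its last value."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def parse_ports(value: str) -> List[int]:
    """'21,80,443,4111' -> [21, 80, 443, 4111]; empty or non-numeric tokens are dropped."""
    return [int(t) for t in (tok.strip() for tok in value.split(",")) if t.isdigit()]


def parse_hop(value: str) -> Hop:
    """'server.ath.cx, 2050' -> ('server.ath.cx', 2050).
    A missing host, as in 'FIN_PROXY_1 = , 9118' on slide 170, yields
    (None, 9118) instead of raising."""
    host, _, port = value.partition(",")
    host, port = host.strip(), port.strip()
    return (host or None, int(port) if port.isdigit() else None)


@dataclass
class Triage:
    kind: str                        # "relay" (CFG_*), "master" (FIN_*) or "unknown"
    listen_ports: List[int]          # ports the component accepts connections on
    next_hops: List[Hop]             # forwarding chain in CFG_NEXT_HOP_n / FIN_PROXY_n order
    socket_timeout: Optional[int]
    evidence_protection: Optional[bool]


def triage(text: str) -> Triage:
    """Extract the facts an analyst wants first from a recovered config file."""
    cfg = parse_cfg(text)
    if any(k.startswith("CFG_") for k in cfg):
        kind = "relay"
    elif any(k.startswith("FIN_") for k in cfg):
        kind = "master"
    else:
        kind = "unknown"
    numbered: List[Tuple[int, Hop]] = []
    for key, value in cfg.items():
        m = _HOP_RE.match(key)
        if m:
            numbered.append((int(m.group(1)), parse_hop(value)))
    numbered.sort(key=lambda item: item[0])   # file order is irrelevant; index order is
    timeout = cfg.get("CFG_SOCKET_TIMEOUT", "")
    ep = cfg.get("FIN_EVIDENCE_PROTECTION")
    return Triage(
        kind=kind,
        listen_ports=parse_ports(cfg.get("CFG_TARGET_PORTS", cfg.get("FIN_TARGET_PORTS", ""))),
        next_hops=[hop for _, hop in numbered],
        socket_timeout=int(timeout) if timeout.isdigit() else None,
        evidence_protection=None if ep is None else ep.lower() == "true",
    )


# Constructed sample: the three lines from slide 185 plus an invented second hop,
# deliberately listed before hop 1 to show that ordering follows the index.
SAMPLE_RELAY_CFG = """\
CFG_NEXT_HOP_2= relay2.example.invalid, 443# constructed placeholder, not from the slides
CFG_TARGET_PORTS= 21,80,443,4111# Incoming Connections
CFG_NEXT_HOP_1= server.ath.cx, 2050# FinSpy Master or Next FinSpy Relay
CFG_SOCKET_TIMEOUT= 10# Socket Read/Write Timeout
"""

# Constructed sample from the finspy_master.cfg lines on slides 170 and 174.
SAMPLE_MASTER_CFG = """\
FIN_AGENT_NETWORK_INTERFACE = eth1
FIN_PROXY_1 = , 9118
FINUM_PORTS =
FIN_TARGET_PORTS = 22,53,80,443,4111
FIN_EVIDENCE_PROTECTION = true
"""

if __name__ == "__main__":
    for name, text in (("relay.cfg", SAMPLE_RELAY_CFG), ("finspy_master.cfg", SAMPLE_MASTER_CFG)):
        print(name, triage(text))
```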

Slide 186 (section): 6. Troubleshooting

Slide 187: FinSpy Relay – Troubleshooting
FinSpy was distributed but the FinSpy Target doesn't show as online:
- Discussion of activation on the Target PC and network issues

Slide 188: FinSpy Relay – Troubleshooting
FinFly Dongle / Autostart CD didn't auto-execute:
- Is Autostart enabled on the FinSpy Target system? Windows Vista and Windows 7 have Autostart disabled by default
- Correct entry in autorun.inf for the Autostart CD?

Slide 189: FinSpy Relay – Troubleshooting
FinSpy is detected by Anti-Virus Vendor XYZ (Be careful, as AV and ASW products these days flag every activity; what's important to Gamma are products that physically remove FinFisher. Otherwise press allow on the application that flagged.):
- Report to Gamma Group immediately
I have a suggestion / bug report. Whom to contact?
- Login to the After-Sales Website https://www.gamma-international.de

Slide 190: Thank you for your attention! Questions?
