FinSpy-3.10-Product_Training

FINFISHER: FinSpy 3.10
Product Training

Table of Contents
1. Introduction
2. FinSpy Agent
3. FinSpy Administration
4. FinSpy Master
5. FinSpy Relay
6. Troubleshooting
Portfolio Overview
Introduction
FinSpy is designed to help Law Enforcement and Intelligence Agencies remotely monitor
computer systems and gain full access:
Key Features:
• Online Communication – Skype, Messengers, VoIP, E-Mail, Browsing and more
• Internet Activity – Social Networks, Discussion Boards, Blogs, File-Sharing and more
• Stored Data – Remote access to hard-disk, deleted files, Recently Opened Files, crypto containers and more
• Surveillance Devices – Use of integrated webcams, microphones and more
• Location
Introduction
Strategic use of the FinSpy System:
• IT Intrusion System
• Internal Monitoring System
• Covert Surveillance Device
• Remote Control System
FinSpy – Components
FinSpy Agent
FinSpy Agent – Components
• Provides Graphical User Interface for FinSpy System
• Shows Target List
• Provides Interface for Target Analysis
• Allows Target Configuration
• Facilitates Target Updates
• Enables Target Trojan Creation
• Facilitates Creation of differing Infection Techniques
FinSpy Agent – Contents
• Overview
• Target List
• Target Options
• Evidence Protection
• Target Creation
• Infection Techniques
• Analyses
FinSpy Agent – Overview
FinSpy Agent – Login Window
1. Username and Password
2. IP Address or DNS Name and Port of FinSpy Master
3. Logoff from the FinSpy Master
FinSpy Agent – Overview
FinSpy Agent – Main Window
FinSpy Agent – Overview
The FinSpy Agent Main Window offers the following functionalities:
• Data Analysis – Analysis of selected or multiple Targets
• Create Target – Wizard to create a new Target Trojan
• Configuration – Basic Settings for FinSpy Agent and FinSpy Master
• Show Logfiles – To view the Logfiles on the FinSpy Master
• Agent List – To view which Agents are connected to which Target(s)
• License Information – To view the current License and import a new one
• LEMF – Data Management – To configure the LEMF
• About – Shows the FinSpy Version and License
• Online Help – Visit Support Website
• Logoff – Disconnect the FinSpy Agent from FinSpy Master
FinSpy Agent – Target List
FinSpy Agent – Target List
The FinSpy Agent Target List displays the following information about a Target:
• FinSpy Target Name
• Unique FinSpy System Name of Target System
• Username under which the FinSpy Infection operates
• Country & City in which the FinSpy Target's ISP access point is located
• Global IP & Public IP address of the FinSpy Target
• Operating System including Service Pack
• Target Time & Target Time Zone
• Software Version of the FinSpy Target
• Install Mode (MBR, Kernel Mode, User Mode)
FinSpy Agent – Target List – Online
The Online List of Targets offers the following functionalities to manage, monitor and
reconfigure an active FinSpy Target:
• Analyse Data
• Configuration
• Visualize Data
• Live Session
• Evidence Protection
• Download Now
• Update
• Remove Infection
• Disconnect
FinSpy Agent – Target List – Offline
The Offline List of Targets offers the following functionalities to manage and monitor a
FinSpy Target:
• Analyse Data
• Visualize Data
• Evidence Protection
• Configuration
• Remove Infection
FinSpy Agent – Target List – Archived
The Archived List of Targets offers the following functionalities to manage a FinSpy Target
whose infection was removed but whose data is still on the FinSpy Master Server:
• Analyse Data
• Visualize Data
• Evidence Protection
• Remove Data
FinSpy Agent – Target List – Target Licensing
If the maximum number of infections is reached, a new Target is unavailable until a license
is freed by uninfecting an infected Target.
• First come – first served principle
FinSpy Agent – Target List – Recorded Data Availability
Symbols indicate availability of new data
1. Star indicates Data on FinSpy Master is available
2. Bullet indicates Data on FinSpy Target is available for download to Master Server
FinSpy Agent – Target Analysis
• All or selected recorded data can be shown or replayed
• Data is stored on the FinSpy Master
• Data can be viewed, deleted, exported and commented on
FinSpy Agent – Target Analysis
FinSpy Agent – Target Analysis Main Window
FinSpy Agent – Target Analysis
The FinSpy Agent Target Analysis Main Window shows the following information:
• Identifies the Infection module (device/application)
• An importance level can be associated with specific stored data
• FinSpy Target Name
• Unique internal FinSpy System reference to the specific FinSpy Target
• Size of the stored data set in bytes
• The date when the data was recorded on the Target PC
FinSpy Agent – Target Analysis
Possible actions for each entry:
• Opens & shows the recorded data
• Deletes the data set from the FinSpy Master Server
• Exports the data to the FinSpy Agent computer
• Stores comments on the data
FinSpy Agent – Target Analysis
Recorded Comments:
• Comments cannot be deleted
• Importance Levels are also comments
• Descending order
FinSpy Agent – Target Analysis
Filter Search:
• Start / End Date
• Module
• Advanced Options
FinSpy Agent – Target Analysis
Embedded Audio Player (Skype, VoIP, Microphone):
• Start / Pause / Stop
• Equalizer for each channel
• Volume control
FinSpy Agent – Target Analysis
Embedded Video Player (Webcam, Screen, Mouse Clicks):
1. Play / Pause, Stop, One Screenshot Backward, One Screenshot Forward
2. Current Time, Total Length
3. Preview Images (generated at runtime)
FinSpy Agent – Target Analysis – Hands-On
Hands-On:
• Select a Target
• Search for Microphone Recordings only
• Open Microphone Recording
• Change Priority Level to High
• Write a Comment
FinSpy Agent – Visualize Data
Analyzing data graphically.
• The art of visualization
• The recorded data on each day
• Setting the importance level
• Overview divided by module
• Amount of recordings for each module
• Meta Information
FinSpy Agent – Evidence Protection
• Prove collected Data has not been altered, for use as evidence in court
• Import of a Security certificate
• Digital Check for each item
• Activity Logging (Who, What, Where)
• Signature Verification
FinSpy Agent – Evidence Protection
• Certificate Management
• Status of Evidence
• Signature Checking
• Export of Evidence
• Activity Log
• Event Description (Who/What/Where)
• Exported evidence can generate a report
• Evidence history can be viewed
• External Verification Tool
• Can be used as a portable tool
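The integrity checks this section lists (a digital check per item, a signature over it, a who/what/where activity log, and an export that an external tool can re-verify) are illustrated by the following added example; it is not the product's code. It assumes an HMAC-SHA256 with a constructed key as a stand-in for the product's certificate-based signature, and every evidence item and log entry is constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the product's certificate-based signature is replaced by an
# HMAC-SHA256 keyed with a secret held by the evidence store. The shape of the
# checks (digest per item, signature over the digest, chained activity log,
# exportable report) is what the slides describe; the key is constructed.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def digest(data: bytes) -> str:
    """Digital check for one item: SHA-256 over the stored bytes."""
    return hashlib.sha256(data).hexdigest()


def sign(item_id: str, item_digest: str, module: str, key: bytes = SIGNING_KEY) -> str:
    """Signature binds the item identity, its module and its digest together."""
    msg = f"{item_id}|{module}|{item_digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class EvidenceStore:
    """Evidence items plus a hash-chained activity log (who / what / where)."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self.key = key
        self.items = {}   # item_id -> {module, data, digest, signature}
        self.log = []     # chained activity entries

    def _log(self, who: str, what: str, where: str) -> None:
        prev = self.log[-1]["entry_hash"] if self.log else "0" * 64
        entry = {"who": who, "what": what, "where": where,
                 "time": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)

    def store(self, item_id: str, module: str, data: bytes, who: str, where: str) -> None:
        d = digest(data)
        self.items[item_id] = {"module": module, "data": data, "digest": d,
                               "signature": sign(item_id, d, module, self.key)}
        self._log(who, f"store {item_id}", where)

    def verify_item(self, item_id: str) -> str:
        """Signature verification: 'ok', 'altered' or 'bad-signature'."""
        it = self.items[item_id]
        expected = sign(item_id, it["digest"], it["module"], self.key)
        if not hmac.compare_digest(expected, it["signature"]):
            return "bad-signature"   # metadata swapped or re-signed without the key
        if digest(it["data"]) != it["digest"]:
            return "altered"         # data changed after it was signed
        return "ok"

    def verify_log(self) -> bool:
        """Activity log integrity: every entry must chain to the previous one."""
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or recomputed != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def export_report(self, who: str, where: str) -> dict:
        """Export of evidence: a report an external verification tool can re-check."""
        self._log(who, "export", where)
        return {"items": {i: {"module": it["module"], "digest": it["digest"],
                              "signature": it["signature"], "status": self.verify_item(i)}
                          for i, it in self.items.items()},
                "log_intact": self.verify_log(), "log": list(self.log)}


def demo() -> dict:
    """Constructed scenario: two recordings, one altered after it was stored."""
    store = EvidenceStore()
    store.store("rec-001", "Microphone", b"constructed audio bytes", "analyst1", "agent-pc-1")
    store.store("rec-002", "Keylogger", b"constructed keystrokes", "analyst1", "agent-pc-1")
    store.items["rec-002"]["data"] = b"constructed keystrokes (edited)"   # tampering
    return store.export_report("analyst2", "agent-pc-2")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```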
FinSpy Agent – Evidence Protection – Hands-On
Hands-On:
• Select a Target
• Go to Evidence Protection
• Export the Evidence
• Use the external Evidence Verification Tool
• Run the external Evidence Verification Tool
FinSpy Agent – Configuration
Configuration of the FinSpy Target:
• General settings
• Network settings
• Download Schedule
• Alert Settings
• User Permissions
• Modules
FinSpy Agent – Configuration
Configuration Window:
FinSpy Agent – Configuration
If all modules are installed, the following can be configured:
• General – Information on Trojan, Network, Heart-beat and Removal
• Download Schedule
• Alert Settings
• User Permissions
• Accessed Files
• Changed Files
• Command Shell
• Deleted Files
• File Access
• Forensics Tools
• Keylogger
• MouseClicks
• Microphone
• Printer
• Scheduler
• Skype
• Screen & Webcam
• VoIP
FinSpy Agent – Configuration – General
Infection Executable Information:
• Cannot be changed, as it is fixed in the FinSpy Target
FinSpy Agent – Configuration – General
Hiding Techniques:
• Hide the network connections
• Hide the registry entries
• Hide the trojan process
FinSpy Agent – Configuration – General
Infection Self Removal:
• Scheduled Removal of the FinSpy Target
• Time-Out Removal
FinSpy Agent – Configuration – General
Target Settings:
• Target Name displayed in the Target List
• Heartbeat – Communication period between FinSpy Target and FinSpy Master
• Download Speed Limit
FinSpy Agent – Configuration – General
Relay Settings:
• Different Hosts / FinSpy Relay
• Possible Ports where FinSpy Proxy / FinSpy Relay can be contacted
• Randomness
FinSpy Agent – Configuration – General
The Application Based Events specify when the Target communicates:
• Active and running applications
• Stop the communication
FinSpy Agent – Configuration – Hands-On
Hands-On:
• Select a Target
• Configure General Settings
• Give the Target another Name
FinSpy Agent – Configuration – Download Schedule
To configure:
• Automated Downloads
• Time & Date based
• Application based
FinSpy Agent – Configuration – Download Schedule
Application Events:
• Screensaver Active
• Screen Locked
• Data Available
FinSpy Agent – Configuration – Download Schedule
Time Events:
• Start Event Date
• Event Time
• Interval
• Time Zone
FinSpy Agent – Download Schedule – Hands-On
Hands-On:
• Select a Target
• Create a Download Schedule
  • If Screensaver is active
• Create a Download Schedule
  • Every Monday morning at 10 am
FinSpy Agent – Alert Settings
Alert Settings:
• Sending E-Mails if an Event occurs
• Based on Events (Target Online, Data Available, Data Downloaded)
FinSpy Agent – Alert Settings – Hands-On
Hands-On:
• Select a Target
• Create an Alarm for a certain event
• Let the event occur and check your Inbox
FinSpy Agent – User permissions
User permissions:
• Different users
  • System Administrator
  • Administrator
  • User
• Detailed configuration per user & target
• Action allowed / Action not allowed
FinSpy Agent – User permissions – Hands-On
Hands-On:
• Select a Target
• Choose one user and give him the following rights:
  • Live Session
  • Configuration
• Are the rights displayed correctly afterwards?
FinSpy Agent – Configuration – Accessed Files
Recording Accessed Files:
• In predefined directories & hard drives
• Exceptions can be set
• Defining of file types
FinSpy Agent – Configuration – Changed Files
Recording Changed Files:
• In predefined directories & hard drives
• Exceptions can be set
• Defining of file types
FinSpy Agent – Configuration – Deleted Files
Recording Deleted Files:
• In predefined directories & hard drives
• Exceptions can be set
• Defining of file types
FinSpy Agent – Configuration – Keylogger
Keylogger:
• Indication as to which application was used (e.g. Mail-Client, Browser, Explorer, Notepad)
• Helps to remove unnecessary information for faster analysis
• Entries are based on Process and Window Name
FinSpy Agent – Configuration – MouseClicks
MouseClicks:
• Video Quality (Low, Normal, Good, Best) & Mode (Color, B&W)
• Definition of Mouse Click Type (Left, Right, Double)
• Rectangle Size (captured area around the click in pixels)
• Sensitivity (distance from previous click)
• Application Based Events
FinSpy Agent – Configuration – Microphone
Configuring the Microphone Quality:
• Low to Best quality
• Affects the recording size
• Depends on the distance of the Target to the speaker
FinSpy Agent – Configuration – Scheduler
Scheduling of the following:
• Module (Webcam, Microphone, Screen)
• Different intervals (Once, Daily, Weekly, Monthly)
• Duration
• No live session necessary (use when the Target is offline)
• Automatic, defined recording
FinSpy Agent – Configuration – Skype
Skype module:
• Interception of Voice & Chat Communication
• Interception of File Transfers
• Retrieving the Skype Contact List
• No need for Live Session
FinSpy Agent – Configuration – Screen & Webcam
• Quality & Size can be defined
• Useful for indication of Disk space on the Target Computer
• Automatic Recording of the Screen if certain applications are running
FinSpy Agent – Configuration – VoIP
• Application based recording
• Recording if Microphone/Speaker are used
• Initial Screenshot for information gathering
• Sound quality
FinSpy Agent – Configuration – Add/Remove Module
Add Module:
Remove Module:
FinSpy Agent – Configuration – Activate/Deactivate Module
1. Deactivate Module
2. Activate Module
FinSpy Agent – Live Session
The Live Session offers the following options:
• Establishing a live session to the Target’s Display
• Establishing a live session to the Target’s Webcam
• Establishing a live session to the Target’s Microphone
• Showing a live session of the Target’s keys pressed
• Entering commands at the Target’s command shell
• Showing a live File Browser for the Target’s file system
• Executing Applications on the Target’s system
FinSpy Agent – Live Session
Record Display / Record Webcam / Record Microphone:
• Start the Live Session
• Stop the Live Session
FinSpy Agent – Live Session
Recorded Keystrokes include the following information:
• Process Name
• Date and Time of the Keylogging
• Application Name & Window Title
• Enable/Disable Special Chars
FinSpy Agent – Live Session
Command Shell offers:
• Shutting down the FinSpy Target
• Creating Files
• Executing Files
• Creating Accounts
• Accessing Other Computers
• Uploading Data
• Access to Powershell
• And many more
FinSpy Agent – Live Session
Access Files offers:
• Easy browsing through the whole Target PC File System including Hidden, System and Locked Files
• Downloading Files and Folders
• Uploading Files
• Directory Refresh (right-click)
FinSpy Agent – Live Session
Forensic Tools offers:
• Execution of applications
• Reading out saved passwords
• Retrieving system information
FinSpy Agent – Live Session – Hands-On
Hands-On – 1:
• Select a Target
• Establish two Live Sessions
• Watch the Screen
• Browse Files
• Upload a File
Hands-On – 2:
• Select a Target
• Establish Forensic Tools Live Session
• Upload & Execute Application to FinSpy Target
• View the Data
• Remove the Application from FinSpy Target
FinSpy Agent – Download Data
Immediate Manual Download from Target to FinSpy Master Server
• Indicated by a bullet
• Download Data can be chosen
• Separated by module
• Separated by time
• Separated by size
FinSpy Agent – Update Modules
• Update Active Modules on Target
• Automatically / Manually
• Always latest functionality
• Restart required to apply
FinSpy Agent – Remove Infection
• Complete removal of FinSpy Infection, Trojan, Stored Files and Modules
• FinSpy Target needs restart before re-infection
FinSpy Agent – Remove Data
• Removing Data on FinSpy Master Server
• Only works on Archived Targets
FinSpy Agent – Create Target
• Creating a FinSpy Target
FinSpy Agent – Create Target
• Giving an infection name
  • To identify the FinSpy Target in the Target List
  • Choose a unique, easy to remember name
FinSpy Agent – Create Target
• Choosing the Target Operating System
  • Currently possible: Microsoft Windows, Mac OS X, Linux
FinSpy Agent – Create Target
• Network Configuration, Heartbeat & Download Speed Limit
• Application based Events
FinSpy Agent – Create Target
• Self Removal
• Max Infection
  • Avoid accidental Mass Infections and wasting of license limits
• Scheduled Removal
  • On a given date the FinSpy Target removes itself
• Time-Out Removal
  • After being out of communication with the FinSpy Master for a given time, the FinSpy Target removes itself
FinSpy Agent – Create Target
• Module Selection
FinSpy Agent – Create Target
• Module Availability – 1
• Module Availability – 2
FinSpy Agent – Create Target
• Modules can be selected
• Recommendation for Physical and Remote Infection
  • Use no modules: the FinSpy Installer at minimum, since the lack of module activity does not attract attention
    from Antivirus/Antispyware upon initial installation.
• Minimum size: ~ 590 KB (no modules)
• Maximum size: ~ 1.8 MB (all modules)
FinSpy Agent – Create Target
Target Options
• Installing into Master Boot Record
• Vista and Windows 7 infection (UAC Popup)
• More hidden infection!
FinSpy Agent – Create Target
User Permissions
• Allowing certain users certain actions for this Trojan
FinSpy Agent – Create Target
Summary of created FinSpy Target
• Name
• Operating System
• Network Information
• Modules
• Etc.
FinSpy Agent – Create Target
Generate Infection
• Infected Application – Original exe still opens as usual with original ICON
• Infected Screensaver – Original screensaver still runs with original ICON
• Infected Office Document – Add Macro to Word & Excel File
• Infected File (Extension Rename) – Adds .exe extension, original File still opens
• Infected File (Advanced File Name Conversion)
• Bootable ISO Image – Burns Trojan to a bootable CD/DVD
FinSpy Agent – Create Target
Generate Infection
• Bootable Infection Dongle – Install Trojan on a bootable USB device
  • For infection of hard-drive-encrypted systems (TrueCrypt, PGP, etc.)
• Runtime Infection Dongle
  • For infection of running systems via Autorun
FinSpy Agent – Create Target – Hands-On
Hands-On:
• Create a Target
• Following Modules: Microphone, Keylogger, Skype
• Choose MBR Infection
• Any Infection Path
• How big is the file size of the Target?
• Useful for which kind of distribution?
FinSpy – Infection Techniques – FinFly USB
FinFly USB
• FinSpy Target on USB Stick
• Physical Access needed
• Automated Execution
• Little or No User Interaction (dependent on Autoplay configuration on Target)
• Created through FinSpy Agent
• Trojan will be generated and copied to the FinFly USB Stick
FinSpy – Infection Techniques – FinFly USB
Automatic execution behaviour on:
Operating System        Default behavior
Windows 2000 <= SP3     Manual interaction required
Windows 2000 SP4        Autorun on Insertion
Windows XP              Autorun on Insertion
Windows Vista           Depending on the configuration, interaction might be required
Windows 7               Depending on the configuration, interaction might be required
FinSpy – Infection Techniques – FinFly USB
Manual infection:
FinSpy – Infection Techniques – Application CD
Create an Autorun CD with Infected Installer of:
• Games (World of Warcraft)
• DVD (Video Player)
• Etc.
FinSpy – Infection Techniques – Application CD
• Using FinSpy to infect an application
FinSpy – Infection Techniques – Application CD
• Creating the according autorun.inf within the same directory as the FinSpy target
• Burn to a CD / DVD
FinSpy – Infection Techniques – Application CD
Distribute to the following locations:
• Mailbox of the Target
• Internet Cafes
• Business Centres
• Offices
FinSpy – Infection Techniques – Office Document
Office Document Infection
• No *.exe or *.scr File
• Word or Excel Document can be infected
• Will pass E-Mail Attachment scanner (e.g. Gmail, Hotmail, ...)
FinSpy – Infection Techniques – Office Document
Make the Document look real
FinSpy – Infection Techniques – FinFly Lite
FinFly Lite:
FinSpy – Infection Techniques – FinFly Lite
Key Features:
• Binary Infection: Downloads of Executables or Screensavers will be infected with the pre-configured “payloads”
• Update Injection: Several Client-Software can be forced to update and install the configured software when checking for updates
• Website Infection: Infect Target Systems through Websites which install the software by using the Web-browser module functionalities
• Custom Payloads: The software that will be injected can be uploaded and configured and is not bound to any other product
• Traffic Inspection: Identify Target Systems by IP Address or Radius username
FinSpy – Infection Techniques – FinFly Web
FinFly Web Example with IFrame Injection:
FinSpy – Infection Techniques – FinFly Web
Key Features:
• Different Infection Modules
  • JavaScript / IFrame / Sun Java / XPI Plugin / ActiveX
• Multiple Browser support
  • Internet Explorer, Mozilla Firefox, SeaMonkey, Safari, Google Chrome, Opera
• Multiple Operating System support
  • Windows 2000, Windows XP, Windows Vista, Windows 7, MacOS Snow Leopard
• Implementation into Standard Websites
FinSpy Administration
FinSpy Administration offers:
• FinSpy Configuration through the FinSpy Agent
• Configuration of FinSpy Master
• Logfile Viewer of FinSpy Master
• FinSpy Agent Connection Viewer
• Viewing License Information
FinSpy Administration – Configuration
Inside the Configuration Options, the following can be configured:
• Configuration of the FinSpy Agent Data Download/Export
• FinSpy Master Internal/External Network Interfaces
• Connection configuration for the FinSpy Target
• Configuring E-Mail Settings for Alerts
• FinSpy Master and FinSpy Target Updates
• Certificates, Activity Logging & Functionality
• Database Integration of a LEMF
• Target Modules Definition
FinSpy Administration – Configuration
User Management
• Users can be added, changed or deleted
• Four different user roles
  • User
  • Privileged User
  • Administrator
  • System Administrator
FinSpy Administration – Configuration
Agent Configuration
• Download Data Folder
• Created Targets will be placed here
• Exported Evidence
• Updated Installer Files
FinSpy Administration – Configuration
Network Configuration
• FinSpy Agent Connection
  • Internal / External Connection
  • Port
• FinSpy Master to Internet Connection
  • DHCP / Static
FinSpy Administration – Configuration
Relay Network Configuration
• This data will be retrieved at Target Creation
• Can contain multiple Hosts/IPs
• Can contain multiple Ports
• Partly random
FinSpy Administration – Configuration
Email Notification
• Alerting system for FinSpy Targets
• Template system
  • Local MTA
  • Predefined Free Mailer
  • Custom
FinSpy Administration – Configuration
Updates
• Update Check for a new FinSpy version
• Updating Targets automatically
FinSpy Administration – Configuration
Evidence Protection
• Enable / Disable Evidence Protection
• Certificate Import
• Logging Level
FinSpy Administration – Configuration
LEMF Interface
• Only needed if an existing LEMF system is available & connected
• Database can be set for data transmission
FinSpy Administration – Configuration
Target Modules
• System Administrator can define modules
• Only enabled modules can be used on Trojan Creation
FinSpy Administration – Show Logfiles
This will show the FinSpy Master Logfile
• Live refresh
• Separation (Info, Warning, Error)
• Export for further or external analysis
FinSpy Administration – Agent List
Overview of all configured User Accounts / FinSpy Agents
• When did which FinSpy Agent log in?
• From where is the FinSpy Agent connecting?
• Where is the FinSpy Agent connected to?
FinSpy Administration – License Information
Overview of current License Information
• Number of Agents / Targets
• Validity
• Import of a new License
FinSpy Master
FinSpy Master – Components
Software:
• FinSpy Master
• FinSpy Proxy
Hardware:
• FinSpy Master Server
• FinSpy Master Spare Server
• KVM Console
• Switch
• UPS
• Ruggedized Box
FinSpy Master – Contents
1. Overview
2. Brief Linux Command Instructions
3. Master & Proxy Configuration
4. Monitoring
5. Port Forwarding
6. Dynamic DNS
FinSpy Master – Overview
• One Server with Software
• Different Networks
• Own File-based Database
• Hardened Kernel and Operating System based on Debian
• Massive and Robust Space for Data (RAID 6, 1.6 TB)
FinSpy Master – Linux Commands
Directories
• FinSpy Applications
  • /usr/local/finspy_master/
  • /usr/local/finspy_proxy/
• Log Files
  • /var/log/
• Temporary Files
  • /tmp
• Init-Scripts
  • /etc/init.d/
FinSpy Master – Linux Commands
• Super User Rights
  • sudo command
• Changing Directories
  • cd /usr/local/finspy_master/
• Show latest Entries (of Logfile)
  • tail -f /var/log/finspy_proxy.log
• Edit & Read (Configuration File) with Console Text Editor
  • nano /usr/local/finspy_master/data/finspy_master.cfg
• Rename File
  • mv finspy_master.cfg_template finspy_master.cfg
• Show Network Config
  • ifconfig
FinSpy Master – Linux Commands
• Remove Files
  • rm filename
• Remove Directories
  • rm -r directoryname
• Copy File
  • cp finspy_master.cfg_template finspy_master.cfg
• Show content of file (Version of FinSpy Master)
  • cat /usr/local/finspy_master/data/version
FinSpy Master – Master Configuration
• Configuration File
  • /usr/local/finspy_master/data/finspy_master.cfg
• Network for the FinSpy Master
  FIN_AGENT_NETWORK_INTERFACE = eth1
  FIN_PROXY_1 = 127.0.0.1, 9118
• Update Check on a daily basis
  FINUM_SERVER = update.gamma-international.de
  FINUM_PORTS = 42662
  FINUM_DESTINATION_PATH = ../updates
• Evidence Protection switch
  FIN_EVIDENCE_PROTECTION = true
FinSpy Master – Master Configuration
• E-Mail Notification (Alert Settings)
  • /usr/local/finspy_master/data/finspy_master.cfg
  • Settings found under “FIN_MX_xxx”
• Settings variables begin with FIN_MX_
• By default, localhost will be used
• Free Webmail services can be used (including TLS support)
  • E.g. Gmail, Hotmail, Yahoo, …
FinSpy Master – Master Configuration
• User Management
  • /usr/local/finspy_master/data/.fin_passwd
• Structure
  userid ; groupid ; login name ; user description ; password ; database permission ; file permission
• To change
  • userid ; login name ; user description ; password
FinSpy Master – Proxy Configuration
• Configuration File
  • /usr/local/finspy_master/data/finspy_master.cfg
• Network for the FinSpy Master
  FIN_AGENT_NETWORK_INTERFACE = eth1
  FIN_PROXY_1 = 127.0.0.1, 9118
• Ports where FinSpy Target or FinSpy Relay connect to
  FIN_TARGET_PORTS = 22,53,80,443,4111
FinSpy Master – Monitoring
• Automatic check for applications that are not running
• “monit” command
  • sudo monit summary
• Successful:
  Process ‘finspy_master’    running
• Failed:
  Process ‘finspy_master’    not monitored
  Process ‘finspy_master’    Does not exist
FinSpy Master – Port forwarding
• To ensure FinSpy Proxy retrieves packets
• Router must have Port forwarding activated
FinSpy Master – Dynamic DNS
• If FinSpy Master or Router doesn’t have a static IP
• Free Service can be used to map hostname <-> dynamic IP
• Software on FinSpy Master
  • ddclient
• Possible Free Services
FinSpy Master – Dynamic DNS
• Configuration File
  • /etc/ddclient.conf
• Example Content
  protocol=dyndns2
  use=web, web=checkip.dyndns.com, web-skip='IP Address'
  server=members.dyndns.org
  login=finspy-test
  password='dfUc!45XfP'
FinSpy Relay
FinSpy Relay – Components
Windows Software:
• FinSpy Relay
• FinSpy Relay Monitoring
Linux Software:
• FinSpy Relay
FinSpy Relay – Overview
• Anonymize FinSpy Connections
• Can be located anywhere in the world
• Small piece of software
• No big hardware requirements
• Chain of Relays possible
FinSpy Relay – Requirements
Windows:
• Windows Firewall must accept FinSpy Ports
• Windows Server 2003 or higher
• Administrator rights
Linux:
• Debian or Ubuntu System
• 256MB RAM
• Monitor software installed (monit)
FinSpy Relay – Configuration
• Configuration File (relay.cfg)
  • Windows: Same directory as installed
  • Linux: /usr/local/ffrelay/data/
• Example Configuration File
  CFG_TARGET_PORTS = 21,80,443,4111       # Incoming Connections
  CFG_NEXT_HOP_1 = server.ath.cx, 2050    # FinSpy Master or Next FinSpy Relay
  CFG_SOCKET_TIMEOUT = 10                 # Socket Read/Write Timeout
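The master configuration (FIN_* keys in finspy_master.cfg, shown in the Proxy Configuration section) and the relay configuration (CFG_* keys in relay.cfg, shown here) share one `KEY = value[, value]  # comment` layout. The following added parser is not part of the product; it extracts the listening ports and next hops so an administrator or incident responder can check what a recovered configuration file actually sets. The two sample files are constructed from the keys on the slides, and the second next hop 198.51.100.7 is a constructed addition.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files in the key = value layout shown on the slides.
MASTER_CFG = """\
# constructed example of /usr/local/finspy_master/data/finspy_master.cfg
FIN_AGENT_NETWORK_INTERFACE = eth1
FIN_PROXY_1 = 127.0.0.1, 9118
FIN_TARGET_PORTS = 22,53,80,443,4111
FIN_EVIDENCE_PROTECTION = true
"""

RELAY_CFG = """\
# constructed example of /usr/local/ffrelay/data/relay.cfg
CFG_TARGET_PORTS = 21,80,443,4111       # Incoming Connections
CFG_NEXT_HOP_1 = server.ath.cx, 2050    # FinSpy Master or Next FinSpy Relay
CFG_NEXT_HOP_2 = 198.51.100.7, 443      # constructed second hop (TEST-NET address)
CFG_SOCKET_TIMEOUT = 10                 # Socket Read/Write Timeout
"""

# KEY = value, value ...   with an optional trailing '#' comment
LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*(?:#.*)?$")


def parse_cfg(text: str) -> Dict[str, List[str]]:
    """Parse the slide's config layout into key -> list of comma-separated values."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or full-line comment
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = m.group(1), m.group(2)
        out[key] = [v.strip() for v in value.split(",") if v.strip()]
    return out


def ports(cfg: Dict[str, List[str]], key: str) -> List[int]:
    """Port list for KEY, rejecting anything outside 1..65535."""
    vals = [int(p) for p in cfg.get(key, [])]
    bad = [p for p in vals if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"{key}: port out of range {bad}")
    return vals


def hops(cfg: Dict[str, List[str]], prefix: str) -> List[Tuple[str, int]]:
    """Collect PREFIX1, PREFIX2, ... as (host, port) tuples in numeric order."""
    keys = sorted((k for k in cfg if k.startswith(prefix)),
                  key=lambda k: int(k.rsplit("_", 1)[1]))
    result = []
    for key in keys:
        if len(cfg[key]) != 2:
            raise ValueError(f"{key}: expected 'host, port', got {cfg[key]}")
        host, port = cfg[key]
        result.append((host, int(port)))
    return result


def summarize_relay(text: str) -> dict:
    """What a relay listens on, where it forwards, and its socket timeout."""
    cfg = parse_cfg(text)
    return {"listen": ports(cfg, "CFG_TARGET_PORTS"),
            "next_hops": hops(cfg, "CFG_NEXT_HOP_"),
            "timeout": int(cfg["CFG_SOCKET_TIMEOUT"][0])}


def summarize_master(text: str) -> dict:
    """Agent-side interface, proxy endpoints, target ports and the evidence switch."""
    cfg = parse_cfg(text)
    return {"agent_iface": cfg["FIN_AGENT_NETWORK_INTERFACE"][0],
            "proxies": hops(cfg, "FIN_PROXY_"),
            "target_ports": ports(cfg, "FIN_TARGET_PORTS"),
            "evidence_protection":
                cfg.get("FIN_EVIDENCE_PROTECTION", ["false"])[0].lower() == "true"}


if __name__ == "__main__":
    print("master:", summarize_master(MASTER_CFG))
    print("relay: ", summarize_relay(RELAY_CFG))
```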
Troubleshooting
FinSpy Relay – Troubleshooting
• FinSpy was distributed but the FinSpy Target doesn’t show online
  • Discussion of Activation on Target PC and Network Issues
FinSpy Relay – Troubleshooting
• FinFly Dongle / Autostart CD didn’t auto execute
  • Is Autostart enabled on the FinSpy Target system?
    • Windows Vista and Windows 7 have Autostart disabled by default
  • Correct entry in autorun.inf for Autostart CD?
FinSpy Relay – Troubleshooting
• FinSpy is detected by Anti-Virus Vendor XYZ (Be careful, as AV and ASW products these
  days flag every activity; what is important to Gamma are products that physically
  remove FinFisher. Otherwise press allow on the Application that flagged.)
  • Report to Gamma Group immediately
  • support@gamma-international.de
• I have a suggestion / bug report. Whom do I contact?
  • Log in to the After-Sales Website
  • https://www.gamma-international.de
Thank you for your attention!
Questions?