]HackingTeam[ KnowledgeBase Product
Search:     Advanced search

EDN Architecture

Article ID: 210
Last updated: 28 May, 2015

The main components

The Exploit Delivery Network service is sold separately; it consists of a root server connected to two chains of servers:

  • the first chain is dedicated to the Windows exploits;
  • the second chain is dedicated to the Android exploits.

!!! ⇒ Except in some particular cases, all the elements that make up this architecture are controlled directly only by HT, not by customers.

On the top of the structure there is the root server (A) used by our Support Team to create the exploits by means of a dedicated console:

  1. the customer sends to the HT Support Team, through the ticketing system, the agent he made by means of his RCS console and the files required to create the exploit;
  2. the root server generates a component (i.e. a link, a code snippet or a file) which will be sent to the client in response to the request and a package containing the exploit;
  3. the package contaning the exploit is then automatically published on the content provider of the chain (B) through an encrypted and unidirectional connection (the communication is always from A to B);
  4. the component sent to the customer (and later delivered to the target) will interact with the exploit copied on content providers in order to install the agent on the target device through the relay servers (C, D).

!!! ⇒ The data recorded in the content provider do not allow in any way to identify the customer. The collected logs are sent to the root server and are made available by means of the console management interface.

The content providers (B) are not exposed to Internet. Each content provider is connected to two relay systems (CD) and accepts connections only from these machines which serve the exploit:

  • the first relay supplies its exploits through the HTTP port (80);
  • the second relay supplies its exploits through the HTTPS port (443); this server must have a domain name and valid certificate.

The communication between the content provider and the relay servers is authenticated and encrypted (strong encryption is used) in both directions.
The relay servers are exposed to Internet because they have to be reached by the target, but they do not contain any sensitive data and play only the role of reverse proxy: they receive the requests coming from the target and hijack them to the content provider of their chain.

Relay servers under customer control

The customers who wish to hide the IP addresses of their targets can add to each chain two relay servers under their direct control (E, F).

These relay servers must meet the following requirements:

  • CentOS 6, 64 bit VPS (Virtual Private Server);
  • a public IP address;
  • a public domain name;
  • a valid SSL certificate (ongli for the HTTPS server).

HT will provide the installation packages compatible with CentOS 6 to be used to install the appropriate services in the customer relay systems.

Recommended providers

Below is a list of recommended providers:

  • digitalocean.com
  • ovh.com
  • linode.com
  • godaddy.com
  • rackone.it

Common questions

The customer wants to know if, in relation to the download of the exploit from our EDN, something will remain that can make the target suspicious.
  • No data is kept in the browser cache. Obviously the agent is installed on the target upon success.

A suspect receives the mail with the exploit and opens it, therefore he will be infected. What happens if (after that) he sends the attachment to an antivirus? What will the antivirus see in the exploits?

  • There is nothing suspicious in the attachment, just a link to an nonexistent resource.

Will it be possible to track back the IP address that pushed the download of the backdoor?
  • Once installed, the agent cannot be linked to the download IP address.

Will any trace remain on our EDN?
  • Only relevant information about the process is stored in order to provide support to clients.

If the above mentioned target sends the document to an antivirus without opening it, what will happen? What will the antivirus see?
  • The EDN has a lot of protections in order to avoid analysis: such as autopurge, expiration and client recognition.

Article ID: 210
Last updated: 28 May, 2015
Revision: 28
document Public
Views: 5
Comments: 0
This article was:   Helpful | Not helpful
Prev   Next
EDN     Exploits