Remote Control System
8.3.x Upgrading Procedure8.3.x Upgrading Procedure
Revision
Author (s)
Release Date
1.0
FAE Team
2013, April 23th
2
Contents
1
2
3
4
Scope ........................................................................................................................4
Requirements ..........................................................................................................5
2.1
Operating System ...................................................................................... 5
2.2
Overall Usage Info ..................................................................................... 5
2.3
Anonymizers .............................................................................................. 5
2.4
Firewall ....................................................................................................... 6
Upgrading Core Components ................................................................................7
3.1
Backend ..................................................................................................... 7
3.2
Collector ..................................................................................................... 7
3.3
Latest minor release .................................................................................. 7
CNI Anonymizers ....................................................................................................8
4.1
Current Configuration ................................................................................. 8
4.2
Introduction to first Anonymizer ................................................................. 8
4.3
Upgrading to 8.3 and adding the additional anonymizers ......................... 9
4.4
What is changed ........................................................................................ 9
3
1 Scope
This document details the procedure to upgrade Remote Control System Da Vinci from Version 8.2.x
to 8.3.2.
Please verify that all of the prerequisites are fulfilled before proceeding with the upgrade.
4
2 Requirements
2.1 Operating System
Recommended Operating System for RCS Da Vinci 8.3.2 is Windows Server 2008 R2 Enterprise
SP1 on Masternode and Shard Servers and Windows Server 2008 R2 Standard SP1 on Collector
Servers.
CAUTION:
From version 8.4 HT will drop the support for Windows server 2003. Although RCS Da
Vinci 8.3.2 can work also on Windows Server 2003, we strongly suggest upgrading the
Operating System to the recommended Operating System.
2.2 Overall Usage Info
Before upgrading RCS, you are required to share with HT some information about the usage of the
system, in order to check if your hardware resources are suitable for the Intelligence module,
according with your current system workload.
We ask you to kindly open a ticket at https://support.hackingteam.com providing the following
information:
-
Amount of RAM on Masternode, Shard, and Collector Servers
-
Total “Data” size and ”On Disk” size
o
-
Login as sysadmin in RCS User Console, then click System->Backend. Expand each
shard server by clicking on the box representing it and check the information to provide.
Usage statistics
o
Login to the Masternode Server, open a command prompt (cmd.exe) and run the
following command. Attach to the ticket “stats.txt” which can be found on the desktop.
C:\RCS\DB\bin\rcs-db-stats.bat > %userprofile%\Desktop\stats.txt
2.3 Anonymizers
You are required to provide two new VPS to be used as Anonymizers. Hacking Team will provide you
with a new license with 2 additional Anonymizers, free of charge.
WARNING: Starting from RCS 8.3, it is mandatory to have at least 2 Anonymizers in
synchronization chain. If there are already Anonymizers in your synchronization chain, 2
new Anonymizers are to be added after the upgrade to RCS 8.3. After the upgrade,
existing agents can only synchronize to existing Anonymizers and new agents
generated can only synchronize to newly added Anonymizers.
New agents are not able to synchronize directly to the Collector Server. Domain Names are no
longer supported when setting up Anonymizers. Only IP address is allowed.
5
2.4 Firewall
We strongly suggest you to restrict reachability of collector to only Anonymizers/VPS IP addresses
only. After installing the new Anonymizers, you will be required to add the VPS IP addresses to the
Firewall ruleset.
6
3 Upgrading Core Components
3.1 Backend
-
Copy rcs-setup-8.3.0.exe on Masternode Server
-
Stop Collector Service on Collector Server
-
Execute rcs-setup-8.3.0.exe on Masternode Server, choose Upgrade and follow through the
installation process until it is completed.
-
Login to Console, upgrade the Console if prompted. Ensure that you are able to login to the
console after the upgrade.
3.2 Collector
-
Copy rcs-setup-8.3.0.exe on Collector Server
-
Execute rcs-setup-8.3.0.exe on Collector Server, choose Upgrade and follow through the
installation process until it is completed.
-
Login to Console, upgrade the Console if prompted. Go to Monitor pane and verify that the
following components are up (Green Tick):
-
o
RCS::DB
o
RCS::Worker
o
RCS::Collector
o
RCS::NetworkController
With any text editor edit the file c:\RCS\DB\config\certs\rcs-network.pem and check that it does
not contain any reference to “HT SRL” or “RCS” or “DA VINCI”. In case you find such references,
please contact us immediately.
3.3 Latest minor release
After upgrading the system to 8.3.0, add the 2 new Anonymizers and ensure that you are able to
generate new agent.. After that, you can upgrade your system to the latest minor release (8.3.2 at the
time of writing), following the normal upgrade procedure.
7
4 CNI Anonymizers
4.1 Current Configuration
The current configuration is composed of the collector protected by the custom CNI anonymizer
network, as depicted in Figure 1.
Figure 1 - Current architecture
Since the upgrade to 8.3 introduces the mandatory use of RCS anonymizers and the current
architecture does not satisfy this requirement, CNI needs to upgrade your architecture.
4.2 Introduction to first Anonymizer
The first anonymizer to be added is for version 8.2, to allow the current target to synchronize. Once
done, the new architecture should be as depicted in Figure 2.
Intro
Figure 2 - First anonymizer added
With the anonymizer 8.2 in place, all the agents shall be reconfigured to migrate against it, instead of
using the CNI custom network.
8
4.3 Upgrading to 8.3 and adding the additional anonymizers
Once the 8.2 anonymizer is in place, it’s possible to add the anonymizers for 8.3, aligning the
architecture to the current requirements and obligations for version 8.3.
Figure 3 - Final architecture
4.4 What is changed
After the system is up to date, the Masternode will consider the Anonimizer 8.2 “blacklisted” for all the
deployed 8.3 agents. Collector node will refuse any connection coming from agents that have been
deployed before upgrading the system to 8.3.x as well as coming from “old” anonymizers (8.2).
Dynamic DNS or using domain names as synch address is discouraged from 8.3 on and it’s not
possible to add any domain name as synch endpoint (collector or anonymizer) in system->fronte
WARNING: When setting the synch address in the agent configuration, you can select any synch
endpoint previously configured in system->frontend. You can also manually insert a
domain name or an IP address to be contacted by the agent; however, HT strongly
discourage the manual modification of synch address.
9