Vault7: CIA Hacking Tools Revealed

Last updated: 6 March 2015
How to get the AngerManagement project
Using Quaffle's Hammer (NEW):
- In Stash, go to the angermanagement_manifest project and copy the Clone HTTPS URL on the right hand side.
- i.e.
- In your desired directory, repo init -u
- repo sync
Using Mission Control (OLD):
- In Stash, go to the remoterage_manifest project and copy the Clone HTTPS URL on the right hand side.
- i.e.
- In your desired directory, repo init -u
- repo sync
All my Bowtie changes are on the note4 branch of remoterage_manifest. To check out the note4 branch, go to .repo/manifests and run "git checkout -b note4 origin/note4".
Caution: Multiple files/directories with the same name
When looking through the AngerManagement project, do not be confused by multiple directories that share the same name. The tree still needs refactoring.
Here is a list of files/directories that share a name and how they differ:
- remoterage
- In the past, the AngerManagement directory was called remoterage because it is a repo project that uses remoterage_manifest.git. Within this directory there may be another directory called remoterage; that one is the remoterage.git project. Do not confuse it with the AngerManagement directory.
- bowtie
- angerquake vs angerquaker vs output angerquaker
Components of AngerManagement
The AngerManagement repo project contains multiple git projects -> outputs the angermanagement (NEW) / angerquaker (OLD) executable -> creates plugins in the form of a zip, i.e.
The AngerManagement repo project contains multiple git projects; the goal is to output an executable that builds the plugins Mission Control needs to target a particular Android mobile device. This executable is a python zip file called angerquake, but in the future it will be renamed angermanagement to match the naming convention of the other plugins. It is called angerquake because the first plugin incorporated was Dugtrio, and as a Pokemon, Dugtrio's ability is to quake.
To build the output of AngerManagement, angerquake, see the "Build" section under "Angerquake (aq)."
To build a Mission Control Server based on AngerManagement, please see the section "How to Build Mission Control Server using AngerManagement."
Angerquake (aq)
Angerquake build project outputs angerquaker/angermanagement
The Angerquake git project builds and outputs the executable python zip file called angerquaker (in the future it will be called angermanagement). The Angerquake project relies on the BodyBuilder project for building the rooters.
Angerquake (or angermanagement in the future) contains
The executable contains the necessary components (i.e. remote exploit, privilege escalation, implant/survey tool, etc.) to create a plugin that remotely exploits a mobile device. AngerManagement is currently output as an executable python zip file called
Included plugins: common, android_ua, droidid, the necessary exploit plugin, and the necessary exploit plugin for each target device
Build
- make clean
- make dist
- The output is placed in the build and dist directories.
Output in "build" directory
Output in "dist" directory
Dugtrio (da)
Salamander (sm)
Skor (sk)
Spearow (sp)
Starmie (sp)
Mission Control
* timeout
If the first connection to Mission Control fails (due to a slow internet
connection, etc.), the device has to wait until the timeout elapses before
it can reconnect to Mission Control. The default timeout is 180 seconds,
approximately 3 minutes.
* target id
If multiple devices have the same target id, whichever device connects to
Mission Control first wins; the other devices are not allowed to connect
to Mission Control until the timeout occurs.
* session id
If a device has already established a connection with Mission Control and
then talks to Mission Control without a session id, the communication is
terminated. The reverse also holds: if a message carries a session id but
no target id, the communication is terminated as well.
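The three rules above describe a small connection state machine. The following is an added example written for this page, not Mission Control's own code: it simulates the timeout, the one-live-session-per-target-id rule, and the session id / target id consistency checks so the interactions can be exercised offline. It assumes a message is a dict with optional "target_id" and "session_id" keys and a "device" key standing in for the transport-level peer identity the real server would take from the socket; timestamps are plain seconds. These names and the message shape are assumptions.

```python
"""Simulation of the Mission Control connection rules described above.

Added example for this page, not Mission Control's own code.  Assumptions:
a device message is a dict with optional "target_id" and "session_id" keys
plus a "device" key standing in for the transport-level peer identity;
timestamps are plain seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_TIMEOUT_S = 180.0  # page: default timeout is 180 seconds (~3 minutes)


@dataclass
class Slot:
    """Bookkeeping for one target id."""
    session_id: Optional[str] = None  # live session, or None while cooling down
    device: Optional[str] = None      # peer that owns the live session
    last_seen: float = 0.0            # last accepted message from the owner
    busy_until: float = 0.0           # no new connection for this target id before this time


@dataclass
class MissionControl:
    timeout_s: float = DEFAULT_TIMEOUT_S
    slots: Dict[str, Slot] = field(default_factory=dict)
    counter: int = 0

    def _terminate(self, target_id: str, now: float) -> Tuple[str, None]:
        """Cut the live session and hold the target id until the timeout passes."""
        slot = self.slots.setdefault(target_id, Slot())
        slot.session_id = None
        slot.device = None
        slot.busy_until = now + self.timeout_s
        return ("terminated", None)

    def _slot(self, target_id: str, now: float) -> Optional[Slot]:
        """Look up a slot, expiring a live session idle for a full timeout."""
        slot = self.slots.get(target_id)
        if slot and slot.session_id and now - slot.last_seen >= self.timeout_s:
            slot.session_id = None
            slot.device = None
            slot.busy_until = now  # idle timeout already elapsed: free immediately
        return slot

    def connection_failed(self, target_id: str, now: float) -> None:
        """A device's first connect attempt failed (slow link etc.): it waits out the timeout."""
        self._terminate(target_id, now)

    def handle(self, msg: dict, now: float) -> Tuple[str, Optional[str]]:
        """Process one device message and return (verdict, session_id).

        verdict: "ok" (accepted), "wait" (target id in use until the timeout)
        or "terminated" (communication with this device is cut).
        """
        target_id = msg.get("target_id")
        session_id = msg.get("session_id")
        device = msg.get("device")

        if target_id is None:
            # Session id without a target id (or neither): terminate, including
            # any live session this peer holds.
            for tid, slot in self.slots.items():
                if slot.session_id is not None and slot.device == device:
                    return self._terminate(tid, now)
            return ("terminated", None)

        slot = self._slot(target_id, now)

        if session_id is None:
            # Connection attempt.
            if slot is not None and slot.session_id is not None:
                if slot.device == device:
                    # Already connected but talking without a session id.
                    return self._terminate(target_id, now)
                # Another device with the same target id: blocked until timeout.
                return ("wait", None)
            if slot is not None and now < slot.busy_until:
                return ("wait", None)  # still cooling down after a failure/termination
            self.counter += 1
            new_id = f"s{self.counter}"
            self.slots[target_id] = Slot(session_id=new_id, device=device,
                                         last_seen=now, busy_until=now)
            return ("ok", new_id)

        # Message carrying a session id: must match this peer's live session.
        if slot is not None and slot.session_id == session_id and slot.device == device:
            slot.last_seen = now
            return ("ok", session_id)
        if slot is not None and slot.session_id is not None and slot.device == device:
            return self._terminate(target_id, now)  # owner sent a wrong session id
        return ("terminated", None)
```

One design point worth noticing: a terminated or failed connection does not free the target id immediately but holds it for the full timeout, which is what makes the "wait until the timeout" behaviour in all three rules fall out of a single busy_until field. An idle live session is also released after one timeout, so a second device with the same target id eventually gets in, as the target id rule states.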
Bowtie + Dugtrio
status 2 = the beachhead lands, but it does not call back to grab the implant
For Dugtrio and Bowtie (because Bowtie uses Dugtrio),
if the user performs any of the following actions before status 2, subsequent
actions will NOT continue, and you need to restart the server:
* close the tab
* go to another webpage
* turn off Wi-Fi
* turn off the device
* leave the (browser) application using the center button
If the user performs the following action before status 2, subsequent
actions will continue:
* device goes to the lockscreen
For Bowtie,
if one of the files to collect does not exist, Bowtie continues
until it finishes.
Bodybuilder git project
Bodybuilder git project outputs
Sepol (SE Policy fixes)
How to Add New Plugins
How to Build Mission Control Server using AngerManagement