Vault7: CIA Hacking Tools Revealed
AngerManagement
Last updated: 6 March 2015
How to get the AngerManagement project
Using Quaffle's Hammer (NEW):
- In Stash, go to the angermanagement_manifest project and copy the Clone HTTPS URL on the right-hand side.
- i.e. https://username@stash.devlan.net/scm/droid/angermanagement_manifest.git
- In your desired directory, repo init -u https://username@stash.devlan.net/scm/droid/angermanagement_manifest.git
- repo sync
Using Mission Control (OLD):
- In Stash, go to the remoterage_manifest project and copy the Clone HTTPS URL on the right-hand side.
- i.e. https://username@stash.devlan.net/scm/droid/remoterage_manifest.git
- In your desired directory, repo init -u https://username@stash.devlan.net/scm/droid/remoterage_manifest.git
- repo sync
All my bowtie changes are in remoterage_manifest's branch note4. You can check out the note4 branch by going to .repo/manifests and "git checkout -b note4 origin/note4."
Caution: Multiple files/directories with the same name
When looking through the AngerManagement project, please do not be confused by multiple directories with the same name. Refactoring is still needed to clean this up.
Here is a list of files/directories that share a name, and how they differ:
- remoterage
- In the past, the AngerManagement directory was called remoterage because it is a repo project that uses remoterage_manifest.git. Within this directory there may be another directory called remoterage; that one is the remoterage.git project. Do not confuse it with the AngerManagement directory.
- bowtie
- TODO
- packager.py
- TODO
- angerquake vs angerquaker vs output angerquaker
- TODO
Components of AngerManagement
AngerManagement repo project contains multiple git projects -> outputs the angermanagement (NEW) / angerquaker (OLD) executable -> modifies Mission Control's configuration.plist and creates Mission Control plugins in the form of a zip, i.e. da_mc.zip.
The AngerManagement repo project contains multiple git projects whose goal is to output an executable that builds the plugins Mission Control (MC) needs to target a particular Android mobile device. This executable is a python zip file called angerquake; in the future it will be renamed to angermanagement to fit the naming convention of all the plugins. It is called angerquake because the first plugin incorporated was Dugtrio, and as a Pokemon, Dugtrio's ability is to quake.
To build the output of AngerManagement, angerquake, please see the "How to Build Angerquake" section under "Angerquake."
To build a Mission Control Server based on the output of AngerManagement, please see the section "How to Build Mission Control Server using AngerManagement."
Angerquake
Angerquake git project -> outputs angermanagement(NEW)/angerquaker(OLD) executable
The Angerquake git project builds and outputs the executable python zip file called angerquaker (in the future it will be called angermanagement). The Angerquake project relies on the BodyBuilder project for building the rooters and for providing the command-line interface (docopt), the encryption library (packer.py), and the packaging library (packager.py). Remember that the angermanagement (NEW) / angerquaker (OLD) executable, when executed, not only creates the Mission Control plugins for a particular remote exploit but also modifies the Mission Control configuration plist, the file needed to configure the Mission Control server for the specified remote exploit.
How to Build Angerquake
To create the angermanagement (NEW) / angerquaker (OLD) executable, run "make dist" at the root directory of the Angerquaker git repository. If you want to clean first and then build, run "make clean dist".
You should see two directories being created: build and dist.
In the build/Release directory, each remote exploit has its own directory containing everything copied over from its original directory. However, the resource folder, res, has its contents renamed by the Makefile so that the names are not obvious once they are packaged into the angerquaker executable and used on the target device. Each exploit directory also receives packer.py from the BodyBuilder project. The build/Release directory should also contain the packager directory from the BodyBuilder project and the mc_creator executable copied over from the MissionControl project's creator. The aq directory contains the packager directory from the BodyBuilder project as well as the logic to take input from the user and package up a Mission Control plugin based on that input. The aq/res directory holds all the rooters built by the BodyBuilder project, all
For the moment, please ignore the rrhandler directory, as we are planning to separate the logic for handling the RRRoidRage (Malware) implant into its own plugin.
In the dist directory, TODO
This is roughly what it should look like when you unzip angerquaker:
Archive: angerquaker
warning angerquaker: 18 extra bytes at beginning or within zipfile
(attempting to process anyway)
  Length     Date   Time    Name
 --------    ----   ----    ----
     6860  03-04-15 11:32   __main__.py
     7342  03-04-15 11:32   angerquaker.py
    19780  03-04-15 14:51   docopt.py
    10154  03-04-15 14:51   packager.py
     7498  03-04-15 14:51   packer.py
        0  03-04-15 14:51   res/
        0  03-04-15 14:51   res/__init__.py
     1499  03-04-15 14:51   res/android_ua.zip
     6293  03-04-15 14:51   res/bowtie.jar
     1401  03-04-15 14:51   res/bowtie_ua.zip
     4699  03-04-15 14:51   res/common.zip
     8023  03-04-15 14:51   res/da.zip
     4469  03-04-15 14:51   res/download.jar
     1017  03-04-15 14:51   res/droidid.zip
     7449  03-04-15 14:51   res/dugtrio_bowtie.zip
     9440  03-04-15 14:51   res/ei                  -- EerieIndiana binary ("make" in EerieIndiana dir)
    36644  03-04-15 14:51   res/eis                 -- EerieIndiana shellcode binary ("make shellcode" in EerieIndiana dir)
    26916  03-04-15 14:51   res/fdsm                -- Freedroid shellcode manual binary ("make shellcode manual" in Freedroid dir)
    22586  03-04-15 14:51   res/helios_bowtie.zip
   190600  03-04-15 14:51   res/hghsb               -- HGH shellcode binary ("make shellcode" in HGH dir)
    18800  03-04-15 14:51   res/remote              -- Remr ("make" in remoterage dir)
    32488  03-04-15 14:51   res/sa.zip
    11669  03-04-15 14:51   res/sk.zip
    29089  03-04-15 14:51   res/sm.zip
     5554  03-04-15 14:51   res/sp.zip
     7904  03-04-15 14:51   res/st.zip
    26692  03-04-15 14:51   res/t2                  -- T2 binary ("make" in T2 dir)
    57940  03-04-15 14:51   res/t2s
 --------                   -------
   562806                   28 files
Plugins to include: common, android_ua, droidid, the necessary exploit plugin, and the exploit plugin required for each target device.
These go into both the build and dist directories.
Output in "build" directory
- TODO
Output in "dist" directory
- Angerquaker (aq)
- docopt
- Plugins
  - Bowtie
    - bowtie_ua
    - dugtrio_bowtie
    - helios_bowtie
  - Dugtrio (da)
  - Helios
  - Salazar (sa)
  - Salamander (sm)
  - Skor (sk)
  - Spearow (sp)
  - Starmie (sp)
-------------------------------------------------------------------------------
Mission Control
-------------------------------------------------------------------------------
* timeout
If the first connection to Mission Control fails (e.g. because of a slow
internet connection), the device has to wait until the timeout expires
before it can reconnect to Mission Control. The default timeout is
180 seconds, approximately 3 minutes.
* target id
If multiple devices have the same target id, whichever device connects to
Mission Control first keeps the connection; the other devices are not allowed
to connect to Mission Control until the timeout occurs.
* session id
If a device has already established a connection with Mission Control and then
talks to Mission Control without a session id, the communication with
Mission Control is terminated. The reverse also applies: if it has a session id
but no target id, communication is likewise terminated.
-------------------------------------------------------------------------------
Bowtie + Dugtrio
-------------------------------------------------------------------------------
status 2 = beachhead lands, but it does not call back to grab the implant
For Dugtrio and Bowtie (because Bowtie uses Dugtrio),
if the user performs any of the following actions before status 2, subsequent
actions will NOT continue, and you need to restart the server.
* close the tab
* go to another webpage
* turn off Wi-Fi
* turn off device
* get out of the (browser) application using the center button
If the user performs the following action before status 2, subsequent
actions will continue.
* device goes to lockscreen
For Bowtie,
if one of the files to collect does not exist, Bowtie continues
until it finishes.
Bodybuilder
Bodybuilder git project
Bodybuilder git project outputs
- Bowtie
- Deps
- DroidMake
- Webutils
- Downloader
- Makedeps
- MCPlugins
- MissionControl
- RRCommon
- Rooters
  - EerieIndiana
  - Freedroid
  - HGH
  - T2
- Sporker
- Sepol (SE Policy fixes)
How to Add New Plugins
How to Build Mission Control Server using AngerManagement