Vault7: CIA Hacking Tools Revealed
Owner: User #14587667
DUT 1 - RB493G - Notes
Perseus 1.1.0
MikroTik RB493G
General Info
WAN (from TR-Core) 172.20.100.4/30
TR-CoreSwx: 172.20.100.5 Perseus: 172.20.100.6
TR-Core Switch Route: 192.168.88.0/27 -> 172.20.100.6 (This gives the Perseus LAN 30 host IPs)
ICON-CR: 172.20.12.23/24
LAN Hosts:
192.168.88.2 Perseus Test1 - 1.1.0b1 - Ubuntu Desktop 14.10 x64
192.168.88.3 Windows 7 VM
VLAN 10 IP: 192.168.0.1
Cisco 2960: 192.168.0.2
Test Notes
7/7/2015
- Threw CR, Tsh, and Perseus onto DUT1.
7/8/2015
- Observed Tsh showing up in firewall connections list.
- Reported bug PS-8, but it proved to be a Flux user error.
- Found bug PS-9.
7/10/2015
- Turned on console logging (/system logging add action=echo topics=!ntp,!dhcp,!rip,!snmp)
Observations
- Tsh connection shows up in Firewall Connections list (/ip firewall connection print)
- Flux connections show up in Firewall Connections list
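The two observations above are a detection point: the implant's Tsh and Flux sessions are tracked by the router's own connection table, so a defender (or a tester checking the implant's footprint) can diff that table against the addresses the box is supposed to talk to. The following is an added example, not code from the original notes or from Perseus; the connection-table text is a constructed sample in the shape of RouterOS 6.x `/ip firewall connection print` output, the planted 198.51.100.7 peer stands in for an unexpected endpoint, and the allowlist is taken from the General Info section.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of RouterOS 6.x `/ip firewall connection print`
# output (index, S/A flags, protocol, src/dst endpoint, TCP state, timeout).
# It is not a capture from the DUT; the 198.51.100.7 entry is planted as the
# "unexpected" peer.
SAMPLE_CONNECTIONS = """\
Flags: S - seen reply, A - assured
 #    PROTOCOL SRC-ADDRESS          DST-ADDRESS          TCP-STATE    TIMEOUT
 0 SA tcp      192.168.88.2:49321   172.20.12.23:22      established  23h59m59s
 1 SA tcp      172.20.100.6:38122   172.20.12.23:443     established  23h59m40s
 2 SA tcp      192.168.88.3:51000   192.168.88.2:445     established  23h58m10s
 3 SA tcp      172.20.100.6:44010   198.51.100.7:443     established  23h59m12s
 4  A udp      192.168.88.2:53240   172.20.100.5:53                   9s
 5    icmp     192.168.88.3         172.20.100.6                      9s
"""

# Every address the test bed is documented to use (General Info above): the
# Perseus LAN, the WAN /30 to TR-Core, ICON-CR, and the VLAN 10 pair.
EXPECTED_NETS = [
    ip_network("192.168.88.0/27"),
    ip_network("172.20.100.4/30"),
    ip_network("172.20.12.23/32"),
    ip_network("192.168.0.1/32"),
    ip_network("192.168.0.2/32"),
]

# index, optional flag letters, protocol, source endpoint, destination endpoint.
# The flag column is matched lazily so lines with no flags set still parse.
LINE_RE = re.compile(r"^\s*(\d+)\s+([A-Z\s]*?)(tcp|udp|icmp)\s+(\S+)\s+(\S+)")


def split_endpoint(endpoint):
    """'10.0.0.1:443' -> ('10.0.0.1', 443); a bare address (icmp) -> (addr, None)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_connections(text):
    """Parse connection-table output into a list of dicts, skipping header lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx, flags, proto, src, dst = m.groups()
        sip, sport = split_endpoint(src)
        dip, dport = split_endpoint(dst)
        conns.append({
            "index": int(idx),
            "flags": flags.strip(),
            "proto": proto,
            "src": sip, "sport": sport,
            "dst": dip, "dport": dport,
        })
    return conns


def unexpected_connections(text, expected=EXPECTED_NETS):
    """Return tracked connections whose destination is outside the documented test bed."""
    return [
        c for c in parse_connections(text)
        if not any(ip_address(c["dst"]) in net for net in expected)
    ]


if __name__ == "__main__":
    for c in unexpected_connections(SAMPLE_CONNECTIONS):
        print(f"unexpected {c['proto']} {c['src']}:{c['sport']} -> {c['dst']}:{c['dport']}")
```

Run against a real `/ip firewall connection print` dump, the script prints only the entries whose destination is not in the allowlist; on the sample that is the single planted 198.51.100.7 flow. Connections the implant raised to a documented host (ICON-CR here) are not flagged, which is exactly why the tester's note that Tsh and Flux appear in the table matters: on a box with an honest allowlist of peers, an implant's outbound session is the anomaly.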
Access List Configuration
Create ACL
ip access-list ext Perseus-WAN
permit ip host 172.20.100.6 host 172.20.12.23
deny ip any any log
show access-list
Apply ACL to VLAN
int vlan 601
ip access-group Perseus-WAN in
show access-list Perseus-WAN
Add statement to ACL and resequence
ip access-list ext Perseus-WAN
15 permit ip host 172.20.100.6 host 172.20.100.5
ip access-list resequence Perseus-WAN 10 10
Show Access List hits
show log | inc list Perseus-WAN
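With `deny ip any any log` as the last entry, every packet the Perseus WAN address sends somewhere other than the permitted hosts ends up in the switch log, so `show log | inc list Perseus-WAN` is effectively a beacon detector for the DUT. The following is an added example, not part of the original notes or the Cisco configuration; it aggregates those log lines per flow. The log lines are constructed in the format IOS uses for `%SEC-6-IPACCESSLOGP` (TCP/UDP) and `%SEC-6-IPACCESSLOGDP` (ICMP) messages, not a capture from the 2960.

```python
import re

# Constructed lines in the format IOS logs for an ACL entry carrying `log`
# (%SEC-6-IPACCESSLOGP for TCP/UDP, %SEC-6-IPACCESSLOGDP for ICMP). They are
# not a capture from the 2960. IOS logs the first matching packet, then a
# per-flow count on a timer, so a flow can appear more than once.
SAMPLE_ACL_LOG = """\
*Jul 10 14:02:40.551: %SEC-6-IPACCESSLOGP: list Perseus-WAN denied tcp 172.20.100.6(44010) -> 198.51.100.7(443), 1 packet
*Jul 10 14:03:02.007: %SEC-6-IPACCESSLOGP: list Perseus-WAN denied udp 172.20.100.6(53240) -> 172.20.100.5(53), 1 packet
*Jul 10 14:07:40.600: %SEC-6-IPACCESSLOGP: list Perseus-WAN denied tcp 172.20.100.6(44010) -> 198.51.100.7(443), 12 packets
*Jul 10 14:08:15.010: %SEC-6-IPACCESSLOGDP: list Perseus-WAN denied icmp 172.20.100.6 -> 198.51.100.7 (8/0), 1 packet
*Jul 10 14:09:00.000: %SEC-6-IPACCESSLOGP: list Other-ACL denied tcp 10.0.0.5(1234) -> 10.0.0.9(80), 1 packet
"""

# ACL name, action, protocol, src(port) -> dst(port), trailing packet count.
# Ports are optional so the ICMP (type/code) variant parses too.
HIT_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)


def parse_hits(text):
    """Parse every ACL log message into a dict; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        hits.append({
            "acl": d["acl"], "action": d["action"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
            "packets": int(d["count"]),
        })
    return hits


def denied_flows(text, acl="Perseus-WAN"):
    """Sum packets per (proto, src, dst, dport) for denied hits on one ACL,
    busiest flow first. Source ports are dropped so repeated beacons collapse."""
    totals = {}
    for h in parse_hits(text):
        if h["acl"] != acl or h["action"] != "denied":
            continue
        key = (h["proto"], h["src"], h["dst"], h["dport"])
        totals[key] = totals.get(key, 0) + h["packets"]
    return sorted(
        ((*key, n) for key, n in totals.items()),
        key=lambda r: (-r[4], r[0], r[1], r[2], str(r[3])),
    )


if __name__ == "__main__":
    for proto, src, dst, dport, n in denied_flows(SAMPLE_ACL_LOG):
        print(f"{n:5d} {proto:4s} {src} -> {dst}" + (f":{dport}" if dport else ""))
```

On the sample this yields 13 packets to 198.51.100.7:443, one ICMP echo to the same host, and one UDP/53 packet to 172.20.100.5. The last one is the kind of hit that the sequence-15 `permit ip host 172.20.100.6 host 172.20.100.5` entry above then stops logging; anything else left in the output is traffic the DUT should not be originating.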
Areas to test
ID | Status | Task |
---|---|---|
8 | incomplete | Perseus 1.1.0b1 was installed. I performed a Netinstall from 6.27 to 6.28 and selected to keep the configuration, but the config was deleted after the netinstall finished. I then manually loaded the config and performed a netinstall again (from 6.27 to 6.28) and the config did persist. Bug or Coincidence? |
32 | incomplete | stapmer.py |
    def parse_args(self, args):
        # XXX TODO Bounds checks
        # XXX Add checking for os version file, mcc, hide_files
ID | Status | Task |
---|---|---|
9 | incomplete | Network latency |
Decrease network latency <40%
ID | Status | Task |
---|---|---|
10 | incomplete | File remnants after Perseus removal |
11 | complete | Running processes ("ps ax") |
12 | incomplete | bouncing VM / restarting networking service |
17 | incomplete | change MTU |
18 | incomplete | change latency |
30 | incomplete | Use MT Torch tool while implanting and see if anything is detected. |
19 | complete | Check available disk space (does it change after implanted?) |