Vault7: CIA Hacking Tools Revealed

Owner: User #14587667
Bumble - Test Notes
- Installed HP MSR 4080 chassis in Rack 2/Pod 4.
- Installed MPU-100 (x2), and SPU-100 cards into MSR 4080 chassis.
- Racked and set up console access for Cisco 2911 and 3845 in Rack 2 to use for Bumble testing.
- Configure E1 cards in 2911:
HWIC0 (2E1): card type e1 0 0
HWIC1 (1E1): card type e1 0 1
- Created RANCID project for Bumble network devices. Added 2911, 3845.
- Added static route to
- Set up MSR
- Configure static IP, static route to, NTP (Network Time Protocol) client
- Requested POS card and E1 cables (MSR (DB15) <-> Cisco (RJ48C)) from User #73737.
- Installed 4-port E1 card in MSR
- Racked Cisco 3825 (from old cabinet) and 2811 (from NDB (Network Devices Branch) lab). Configured console server and connected Ethernet cables to TOR2 gi1/0/5-6.
- Backed up original 2811 config and connected to network (IP =
- Configured MSR to Cisco E1 links
- Configured MSR to Cisco Multilink PPP lines (3E1).
- Installed 1E1 HWIC into 2811. Upon reboot, the 2811 gives a memory error and will not boot.
- Installed 2E1 HWIC in 3845. Removed old 1E1 HWIC.
- Configured 4E1 on 3845 (IP = and MSR.
- Determine OSPF (Open Shortest Path First) configuration in target config.
ospf 1
import-route direct # Redistribute networks of local active interfaces
import-route static # Redistribute static routes
network # Enable OSPF on the interface attached to this network
- Configured SNMP (Simple Network Management Protocol) on MSR and SolarWinds.
- Configured 3825 (NE40 surrogate).
- Configured netstream on MSR. Confirmed int gi2/0/0 is being monitored by SolarWinds.
- Completed SNMP configuration on MSR.
- Configured lo0, 1, and 2 on 3825.
- Configured OSPF on 3825 and MSR.
- Configured loopback interfaces on 3845, 2911, 3825.
- Configured ACLs on MSR.
- Add NM ESW card to 3825 and configure host switchports. Advertised XXX.XXX.XXX.X (DNIC-RNET-192-100-100[US])/24 and XXX.X.XXX.X (JUMPSTART-5[US])/24 on OSPF.
- Created host VMs for Attack side of network.
- Spoke with GYSON regarding current test network setup.
- Installed PoS card in ASR1002.
- Configured Mgt int on ASR and added to RANCID. Configured NTP client.
- Configured loopbacks on ASR.
- Backup and replace 2811. Replaced CF card. Install and configure E1 card on new 2811.
- Configured DelaySim using tc
### Since the following parameters are applied on both interfaces, the effective properties are as follows:
# Delay: 5s +/- 1s with a normal distribution (default)
# Packet Loss: 50% of packets will be randomly dropped and each successive probability depends by 25% on the last one
# Packet Duplication: 3%
# Packet Corruption: 1% of all traffic
# Packet Reordering: first 25% of packets (with a correlation of 50%) will get sent immediately
sudo tc qdisc add dev eth0 root netem delay 2.5s 0.5s loss 25% 25% duplicate 1.5% corrupt 0.5% reorder 12.5% 50%
sudo tc qdisc add dev eth1 root netem delay 2.5s 0.5s loss 25% 25% duplicate 1.5% corrupt 0.5% reorder 12.5% 50%
- Created Seeds VMs for 2911, 2811, 3845, and ASR.
- Configured and tested POS interfaces on ASR (had to create 2 VRFs)
- Configured TOR2 switch and vCenter with VLANs for IXIA connection
- Added FastEthernet HWIC to 2851 to use for Seeds/IXIA network.
- Upgraded 2851 IOS to 15.0 in order to support Fa HWIC
- Created/configured VMs for Bumble testing
- Updated MSR with target changes (specifically ACLs)
- Configure QoS policy on MSR.
- Upgraded Cisco 3825 IOS to 15.1. Installed Fa HWIC in 3825 (.111 and .112).
- Configured 3825
- Added 2 web servers behind 3825.
- Unpack/rack H3C
- Ran patch cables from Core Rack (R3) to Rack 2 for Ixia testing.
- Configure Windows Server 2003 VM IP settings. Set up FTP server.
- Backup MSR config
- Copy off MSR f/w
- Upload MSR f/w
ID | Status | Task |
14 | incomplete | User #14587667 Delete default route on all routers (except MSR) after testbed complete. |
15 | complete | User #14587667 Get 2800 router from NDB Lab (R6/U27) |
6 | complete | User #14587667 Put 1E1 HWIC in 2800 router |
7 | complete | User #14587667 Set up SNMP on SolarWinds and configure MSR. |
8 | complete | User #14587667 Set up loopbacks on MSR neighbor routes. Use downstream IPs from MSR static routes. |
5 | complete | User #14587667 Configure syslog server |
3 | complete | User #14587667 Configure OSPF on MSR |
10 | complete | User #14587667 Configure OSPF on Cisco (Grab new router and use Gig int for OSPF - per target config). Use IP on MSR and on Cisco. |
2 | complete | User #14587667 Configure E1 links |
11 | incomplete | User #14587667 Configure netstream on MSR interface to TRCore (in-/out-bound). |
12 | incomplete | User #14587667 Configure netstream on MSR interface to 2911 (inbound). |
13 | complete | User #14587667 Confirm netflow is being collected by SolarWinds |