Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Configuration Gyrfalcon v1.0 User Manual
2.2.3 Target Executable
This is where you specify the path to an executable on your configuration machine that you would like to run on the matched target during the traced SSH session. It can be a bash script or any other executable file. The executable is copied into gyrfalcon's configuration file and held in RAM while gyrfalcon runs, so it should be kept small.

IMPORTANT: The executable should not be a long-running one. Ideally it daemonizes itself to run in the background and exits immediately. The SSH session remains active for as long as the executable runs, so if the legitimate user tries to exit the session, he will notice that ssh does not quit when he tells it to.
2.3 Saving the Configuration
The eyrie tool exports a gyrfalcon executable and config file, together with some other log information, to a single tar file. The 's' command saves the data to a user-specified file. The output file is in tar.gz format, so the .tgz or .tar.gz file extension is recommended.
2.3.1 Example Configuration Archive Contents
Here is the output of a tar -tvf command run on an eyrie config package.
$ tar -tvf test.tgz
drwx------ 0 user staff 0 Dec 13 18:41 test/
drwxr-xr-x 0 user staff 0 Dec 13 18:41 test/keys/
-rw-r--r-- 0 user staff 16 Dec 13 18:41 test/keys/aes_iv.bin
-rw-r--r-- 0 user staff 32 Dec 13 18:41 test/keys/aes_key.bin
-rw-r--r-- 0 user staff 1675 Dec 13 18:41 test/keys/private.pem
-rw-r--r-- 0 user staff 294 Dec 13 18:41 test/keys/public.der
drwxr-xr-x 0 user staff 0 Dec 13 18:41 test/log/
-rw-r--r-- 0 user staff 391 Dec 13 18:41 test/log/config.bin
-rw-r--r-- 0 user staff 227 Dec 13 18:41 test/log/config.ini
drwxr-xr-x 0 user staff 0 Dec 13 18:41 test/upload/
-rw-r--r-- 0 user staff 400 Dec 13 18:41 test/upload/.gfconf
-rw-r--r-- 0 user staff 93848 Dec 13 18:41 test/upload/gyr64-linux
The log directory contains a plaintext representation of the gyrfalcon config file (config.ini) which can be used as a build receipt. Incidentally, the config.ini file can be used to seed new gyrfalcon configurations.

The upload directory contains the files to be placed on target. In this case gyr64-linux is the gyrfalcon executable, and .gfconf is the config file.

The keys directory contains the crypto keys which can be used to decrypt the data that gyrfalcon collects.
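For an analyst who recovers such a package, the listing above is enough to triage it automatically. The following is an added example, not part of the manual or of the eyrie tool: it maps each archive member to its role (keys, plaintext/binary config, implant config, upload payload), checks the key and IV sizes against the 32 and 16 bytes shown in the listing, and reports anything that does not fit. It assumes a single top-level package directory as in the listing; the sample archive is constructed in memory with zero filler, so only the names and sizes mirror the page.

```python
import io
import tarfile
# Roles from the manual's listing; the top-level package dir ("test/") is stripped first.
ROLE_BY_PATH = {
    "keys/aes_key.bin": "aes_key",
    "keys/aes_iv.bin": "aes_iv",
    "keys/private.pem": "rsa_private",
    "keys/public.der": "rsa_public",
    "log/config.ini": "plaintext_config",
    "log/config.bin": "binary_config",
    "upload/.gfconf": "implant_config",
}
REQUIRED = ("aes_key", "aes_iv", "implant_config", "upload_payload", "plaintext_config")
def triage_package(data: bytes) -> dict:
    """Map each file in a .tgz to its role, flag the upload payload, and note
    anything that does not fit the eyrie layout or the listed key sizes."""
    roles, findings = {}, []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
            role = ROLE_BY_PATH.get(rel)
            if role is None and rel.startswith("upload/"):
                role = "upload_payload"  # the executable to be placed on target
            if role is None:
                findings.append(f"unexpected member: {m.name}")
                continue
            roles[role] = {"name": m.name, "size": m.size}
    # Sizes taken from the listing: 32-byte key and 16-byte IV (assumed AES-256).
    for role, size in (("aes_key", 32), ("aes_iv", 16)):
        if role in roles and roles[role]["size"] != size:
            findings.append(f"{role} is {roles[role]['size']} bytes, expected {size}")
    missing = [r for r in REQUIRED if r not in roles]
    return {"roles": roles, "missing": missing, "findings": findings,
            "matches_layout": not missing and not findings}

def build_sample_package() -> bytes:
    """Constructed stand-in mirroring the manual's listing; contents are zero filler."""
    sizes = {"test/keys/aes_iv.bin": 16, "test/keys/aes_key.bin": 32,
             "test/keys/private.pem": 1675, "test/keys/public.der": 294,
             "test/log/config.bin": 391, "test/log/config.ini": 227,
             "test/upload/.gfconf": 400, "test/upload/gyr64-linux": 93848}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, size in sizes.items():
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(b"\0" * size))
    return buf.getvalue()
```

Run `triage_package(open("capture.tgz", "rb").read())` on a real archive; a non-empty `findings` or `missing` list means the package deviates from the layout documented here and deserves a manual look.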
2.4 Reconfiguration
Once a gyrfalcon instance has been deployed, the operator may wish to change the configuration of the running instance on target. This is also accomplished using the eyrie tool to generate a new config tarball from the previous one. Use the '-f' command line option to create an updated configuration.
4 SECRET//NOFORN January 2013