Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN Gyrfalcon 2.0
4 (U) Install and Uninstall Procedures
4.1 (U) Install onto Target Platform
(S//NF) The operator is free to install and configure Gyrfalcon as they please within the limits of the
COG/NOD standard operating procedures. The operator is also bound by the install and configure
constraints of the JQC/KitV root kit. However, the following is a list of conditions the operator should
consider before installing Gyrfalcon on the target platform. Note also that the Gyrfalcon library must be
installed in a directory accessible to the OpenSSH client, which makes the library visible to any
user and system administrator on the target platform.
1. (U) Determine the target platform's processor architecture and Linux distribution.
1.1 uname -m
1.2 cat /etc/redhat-release
2. (U) Based on the processor architecture and Linux distribution, copy the correct library and
application to a working directory on the local operator computer.
2.1 (U) Rename the application, “client”, to the file name provided in step 4.3.6 below.
3. (U) Copy genconfig.py and postproc.py to the same working directory on the local operator
computer.
3.1 (U) At this point, the local working directory should contain the following files.
3.1.1 libgssapi.so.2.0.1 (library)
3.1.2 client (renamed in step 2 and named in step 4.3.6)
3.1.3 genconfig.py (Python script)
3.1.4 postproc.py (Python script)
4. (S//NF) Within the working directory on the local operator computer, execute genconfig.py to
generate a new encrypted configuration file, archive file, receipt file, and RSA public and private
keys.
4.1 ./genconfig.py -g archive_file
4.2 (U) Where archive_file can be any file name you want it to be. The script will create this
file with “_YYYY-MM-DD_HH:MM:SS.MS.tar.bz2” appended to the file name.
4.3 (U) The script will ask you a series of questions whose answers should be determined
before executing the genconfig.py script.
4.3.1 (U) “What version is the target running?”
4.3.1.1 (U) At this time, the only answer to this question is “2.0”.
4.3.2 (U) “What will be the collection file size?”
4.3.2.1 (U) Any size is allowed between 4096 and 4194304 bytes.
4.3.2.2 (U) Suggestion: sizes equivalent to a power of 2 are best.
4.3.3 (U) “What will be the implant's working directory?”
4.3.3.1 (S//NF) The directory where the collection file will be kept.
4.3.3.2 (S//NF) Preferably the JQC/KitV hidden directory.
4.3.3.3 (U) Directory name can be anything between 1 and 63 characters long.
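The manual itself notes that the library has to live somewhere the OpenSSH client can load it, which makes it visible to any administrator of the host. The following is an added defender-side example, not part of the Gyrfalcon manual or its tooling: it inventories shared objects in the dynamic loader's search directories and flags any whose file name matches the name listed in step 3.1.1, or that no installed package claims. Package ownership is resolved with `rpm -qf` (the manual targets Red Hat-style hosts); the directory list, the helper names and the sample inventory are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Flag shared libraries in loader-searched directories that either carry the
library name listed in the manual or are not owned by any installed package.
Added defender-side example; not part of the Gyrfalcon manual."""
import os
import subprocess
from typing import Iterable, List, Optional, Tuple

# Directories the dynamic loader searches on common Linux layouts.
# (Assumption: typical RHEL/Debian paths; LD_LIBRARY_PATH is appended at runtime.)
DEFAULT_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# File name from step 3.1.1 of the manual.  The stock Kerberos GSSAPI library
# on RHEL-family hosts is libgssapi_krb5.so.2, so this exact name stands out.
KNOWN_NAME = "libgssapi.so.2.0.1"


def package_owner(path: str) -> Optional[str]:
    """Return the RPM package owning `path`, or None if no package owns it.
    `rpm -qf` exits non-zero for files that are not owned by any package."""
    try:
        out = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    except FileNotFoundError:  # rpm not present (e.g. a Debian host)
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def classify(path: str, owner: Optional[str]) -> Optional[str]:
    """Return a finding for `path`, or None if nothing is notable."""
    name = os.path.basename(path)
    if name == KNOWN_NAME:
        return f"{path}: file name matches the Gyrfalcon library name from the manual"
    if ".so" in name and owner is None:
        return f"{path}: shared object not owned by any installed package"
    return None


def scan_inventory(entries: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """Classify a pre-collected inventory of (path, owning_package) pairs.
    Kept separate from the filesystem walk so it can be exercised offline."""
    findings = []
    for path, owner in entries:
        finding = classify(path, owner)
        if finding:
            findings.append(finding)
    return findings


def scan_dirs(dirs=DEFAULT_LIB_DIRS, env_var="LD_LIBRARY_PATH") -> List[str]:
    """Walk the loader search path on a live host and return findings."""
    search = list(dirs) + [d for d in os.environ.get(env_var, "").split(":") if d]
    inventory = []
    for d in search:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for fn in files:
                p = os.path.join(root, fn)
                # Symlinks (libfoo.so -> libfoo.so.1.2) are skipped; the target is checked.
                if ".so" in fn and not os.path.islink(p):
                    inventory.append((p, package_owner(p)))
    return scan_inventory(inventory)


# Constructed sample inventory (not real host data) for an offline dry run.
SAMPLE_INVENTORY = [
    ("/usr/lib64/libgssapi_krb5.so.2.2", "krb5-libs (constructed owner)"),
    ("/usr/lib64/libgssapi.so.2.0.1", None),
    ("/usr/lib64/libexample.so.1", None),
    ("/usr/lib64/libz.so.1", "zlib (constructed owner)"),
]

if __name__ == "__main__":
    for line in scan_inventory(SAMPLE_INVENTORY):
        print(line)
```

Run with no arguments to see the two findings from the constructed inventory; call `scan_dirs()` on a real host to walk the loader paths. An unowned `.so` is not proof of anything on its own (locally built software produces them too), so treat the output as a review list rather than an alert.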
6 SECRET//NOFORN//20381126 November 2013
