Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
3.6 (U) Usage
(S//NF) The following instructions assume the directions in 3.5 were followed.
Specifically, it is assumed that the BothanSpy Shellterm script was installed correctly,
and BothanSpy.dll, BothanSpy.dll.META.xml, and (optionally) ice_handler.py were all
correctly placed on the attack machine.
3.6.1 (S//NF) Fire and Collect usage
(S//NF) You should have ice_handler.py up and running before using BothanSpy in Fire and
Collect (F&C) mode. Attach to a valid Shellterm session on a target of interest and run the
following command to steal credentials from all running Xshell processes that have active
SSH sessions:
>BothanSpy <path to local copy of BothanSpy.dll>
(S//NF) The BothanSpy Shellterm script looks for all running Xshell processes belonging to
the 'officially' supported versions, which are known to hold credential information. For
each discovered process, it injects BothanSpy.dll into that process to actually steal the
credentials available. There is no need to run BothanSpy more than once on a target unless
you suspect a new session has been established using credentials you have not already
stolen.
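The injection step described above (a foreign process opening Xshell.exe, creating a thread in it, and the Xshell process loading a module it normally would not) is what a defender can watch for. The following is an added example and is not part of the BothanSpy manual or of the WikiLeaks page: a small Python detector run over constructed Sysmon-style events (EventID 10 ProcessAccess, EventID 8 CreateRemoteThread, EventID 7 ImageLoad). Field names follow Sysmon's schema, but every path, process name and access value below is made up for the example; the trusted-directory list and the access-right mask are assumptions rather than anything the manual states.

```python
import json

# Windows process access rights an injector needs on the target process.
# Sysmon reports GrantedAccess as a hex string, e.g. "0x1F0FFF".
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Assumption: directories from which Xshell legitimately loads modules.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\netsarang\\")

# Constructed Sysmon-style events as JSON lines. Field names follow Sysmon's
# EventID 7 / 8 / 10 schema; all values are invented for this example.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe", "ImageLoaded": "C:\\Windows\\System32\\ws2_32.dll", "Signed": "true"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe", "GrantedAccess": "0x1F0FFF"}
{"EventID": 7, "Image": "C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe", "ImageLoaded": "C:\\Users\\Public\\BothanSpy.dll", "Signed": "false"}
{"EventID": 8, "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe", "StartFunction": "LoadLibraryW"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartFunction": ""}
"""


def is_xshell(path: str) -> bool:
    """True when the image path names an Xshell.exe binary (case-insensitive)."""
    return path.lower().endswith("\\xshell.exe")


def parse_log(text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_xshell_injection(events: list) -> list:
    """Return (finding_kind, subject) tuples for events consistent with
    DLL injection into Xshell, in the order they appear in the log."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 10 and is_xshell(e["TargetImage"]) and not is_xshell(e["SourceImage"]):
            # A non-Xshell process opened Xshell with write + thread-creation rights.
            granted = int(e["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK:
                findings.append(("process_access", e["SourceImage"]))
        elif eid == 8 and is_xshell(e["TargetImage"]) and not is_xshell(e["SourceImage"]):
            # A thread was started in Xshell from another process (classic LoadLibrary injection).
            findings.append(("remote_thread", e["SourceImage"]))
        elif eid == 7 and is_xshell(e["Image"]):
            # Xshell loaded an unsigned module from outside its expected directories.
            loaded = e["ImageLoaded"].lower()
            if e.get("Signed") != "true" and not loaded.startswith(TRUSTED_DLL_DIRS):
                findings.append(("unsigned_module", e["ImageLoaded"]))
    return findings


def suspicious_sources(findings: list) -> list:
    """Processes that touched Xshell in a way an injector would."""
    return sorted({who for kind, who in findings if kind in ("process_access", "remote_thread")})


if __name__ == "__main__":
    results = detect_xshell_injection(parse_log(SAMPLE_LOG))
    for kind, subject in results:
        print(f"{kind}: {subject}")
    print("sources to triage:", suspicious_sources(results))
```

The ImageLoad check is the weakest of the three: a DLL that is mapped reflectively instead of through LoadLibrary never produces an EventID 7 record, so the ProcessAccess and CreateRemoteThread checks carry the weight. This also does not identify BothanSpy specifically; it flags any process that obtains write and thread-creation access to Xshell or starts a thread in it, which is the behaviour the manual describes and which legitimate software rarely needs.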
(S//NF) The output file given to ice_handler.py will contain the user name and password
for password authenticated sessions. For private key authenticated sessions, the user
name, key file name (with some exceptions, see section 3.6) and key file password will
be available. The order of credentials for each connection will be:
Password authentication
User name
Password
Public key authentication
User name
Private key file name (if available)
Private key password
3.6.2 (S//NF) Fire and Forget usage
(S//NF) Attach to a valid Shellterm session on a target of interest and run the following
command to steal credentials from all running Xshell processes that have active SSH
sessions:
>BothanSpy <path to local copy of BothanSpy.dll> Forget <path to writeable folder on target>\<base file name> <passphrase>