Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Gyrfalcon 2.0 SECRET//NOFORN
1.4.4.2 (U) Any valid IPv4 or IPv6 address is allowed – or –
1.4.4.3 (U) Any valid IPv4 CIDR address (e.g., 10.0.0.0/24) is allowed – or –
1.4.4.4 (U) Any valid alphanumeric hostname is allowed – or –
1.4.4.5 (U) Any valid FQDN (e.g., www.google.com) is allowed.
1.4.4.6 (U) The address can be any of the above, between 1 and 31 characters long.
1.4.5 (U) “[ ignore | partial | full | execute ] – ”
1.4.5.1 (S//NF) Partial collects enough of the OpenSSH session to capture the user name and password for each connection.
1.4.5.2 (S//NF) Full collects the entire OpenSSH session from beginning to end.
1.4.5.3 (S//NF) Execute is not complete at this time. The script allows the operator to configure the white list with execute, but the Gyrfalcon library then behaves the same as it does for ignore.
1.4.5.4 (S//NF) Ignore is the default behavior: if the remote host of the OpenSSH session is not in the white list, the Gyrfalcon library ignores the session.
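The address rules of 1.4.4.2 through 1.4.4.6 and the mode keywords of 1.4.5, checked in code. This is an added Python example, not part of the Gyrfalcon manual or tool; the label syntax used for hostnames and FQDNs (RFC 1123 style) and the requirement that CIDR host bits be zero are assumptions, since the manual only says "alphanumeric" and "valid".

```python
import ipaddress
import re
from typing import Optional

# Whitelist modes of 1.4.5; per 1.4.5.3 "execute" currently behaves like "ignore".
MODES = ("ignore", "partial", "full", "execute")

# Assumed label syntax (RFC 1123 style): the manual only says "alphanumeric" / "valid FQDN".
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]+$")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+\.?$")


def classify_address(addr: str) -> Optional[str]:
    """Return which rule of 1.4.4.2-1.4.4.5 an address satisfies, or None.

    1.4.4.6 caps the field at 1-31 characters, so an uncompressed IPv6
    address (39 characters) can never be a valid entry.
    """
    if not 1 <= len(addr) <= 31:
        return None
    try:                                   # 1.4.4.2: bare IPv4 or IPv6 address
        return f"ipv{ipaddress.ip_address(addr).version}"
    except ValueError:
        pass
    if "/" in addr:                        # 1.4.4.3: IPv4 CIDR only
        try:
            net = ipaddress.ip_network(addr)   # strict (assumed): host bits must be zero
        except ValueError:
            return None
        return "ipv4-cidr" if net.version == 4 else None
    if _HOSTNAME_RE.match(addr):           # 1.4.4.4: single alphanumeric label
        return "hostname"
    if _FQDN_RE.match(addr):               # 1.4.4.5: dotted name such as www.google.com
        return "fqdn"
    return None


def check_entry(addr: str, mode: str) -> dict:
    """Validate one address/mode pair; raise ValueError on the first rule violated."""
    kind = classify_address(addr)
    if kind is None:
        raise ValueError(f"address {addr!r} violates 1.4.4.2-1.4.4.6")
    if mode not in MODES:
        raise ValueError(f"mode {mode!r} is not one of {MODES}")
    return {"address": addr, "kind": kind, "mode": mode}
```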
1.4.6 (U) After executing genconfig.py, the local working directory should consist of the following files.
1.4.6.1 genconfig.py
1.4.6.2 archive_file
1.4.6.3 archive_file_YYYY-MM-DD_HH:MM:SS.MS.tar.bz2
1.4.6.4 Where archive_file is a symbolic link to archive_file_YYYY-MM-DD_HH:MM:SS.MS.tar.bz2.
1.4.7 (U) At this time, the archive file will contain the following files.
1.4.7.1 public.pem
1.4.7.2 private.pem
1.4.7.3 receipt.xml
1.4.7.4 config_file
1.4.7.5 (U) To confirm the archive file contents:
1.4.7.5.1 tar jtvf archive_file
2. (S//NF) Upload the new encrypted configuration file to the target platform.
2.1 (U) The new encrypted configuration file must be extracted from the archive file before uploading.
2.1.1 tar jxvf archive_file config_file
2.2 (S//NF) Gyrfalcon does not provide any communication services between the local operator computer and the target platform. The operator must use another application to upload the new encrypted configuration file to the target platform.
3. (S//NF) If not already in the proper location after upload, copy the new encrypted configuration file to the correct directory.
3.1 (S//NF) The application and the encrypted configuration file must be kept in the same directory of the operator's choosing, preferably the JQC/KitV hidden directory.
4. (U) Determine the PID of the running Gyrfalcon application on the target platform.
November 2013 SECRET//NOFORN//20381126 13