Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
3.5 (U) Installation
(S//NF) The usage here assumes Shellterm 3.x is being used. If you are using another loader, some of the instructions below may not apply. Contact the developer if you have questions regarding other loaders.
(S//NF) BothanSpy.dll requires no configuration before it can be used. Before use with Shellterm, install the BothanSpy.py file into the Shellterm configured scripts folder (usually 'scripts' in the Shellterm installation folder; if the folder does not exist, create one named 'scripts'). This will add a new command to Shellterm called 'BothanSpy'. Also, ensure you have BothanSpy.dll and BothanSpy.dll.META.xml on the attack machine, in the same folder.
3.5.1 (S//NF) Fire and Collect (v3) Mode
(S//NF) The recommended, and default, mode that BothanSpy uses is Fire and Collect (v3) mode. Using Fire and Collect (F&C) will allow BothanSpy to collect credentials without writing a single byte to disk. All collected credentials are sent back to the attack box using a loader-provided pipe, on which data is encrypted. To set up the attack box to use F&C, copy the ice_handler.py script to the attack machine, and open a shell at this location (yes, it's that easy!).
(S//NF) Before running BothanSpy on target, you have to start the (F&C) handler on the attack machine. Using the shell you've opened in the folder containing ice_handler.py, run the following command:
>./ice_handler.py <path to output file>
(S//NF) The <path to output file> should be a valid path, along with a file name. If the file exists already, data will be appended to it. If the file does not exist already, a new file is created. All credentials that BothanSpy steals will be stored here. If run successfully, you should see something like:
14:00:59: @@@ Settings up UDS [/tmp/bothan]
14:00:49: @@@ Waiting for connection from ICE host/loader
(S//NF) There will be timestamps on each output line. The script will inform you when it gets a connection from Shellterm (or another F&C loader) and when it is processing exfiltrated data. The data will be written to the output file. When data is collected from the target, you'll see the following output for each Xshell process on target:
<time stamp> ### ICE loader connected! Reading data on pipe
<time stamp> ### Output received
<time stamp> @@@ Waiting for connection from ICE host/loader
(S//NF) Once the ice_handler.py script is running, you are ready to throw BothanSpy on target machines.