Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Gyrfalcon v1.0 User Manual Introduction
1 Introduction
Gyrfalcon is an SSH session “sharing” tool that operates on outbound OpenSSH sessions from the target
host on which it is run. It can log SSH sessions (including login credentials), as well as execute
commands on behalf of the legitimate user on the remote host.
1.1 General Workflow
The tool runs in an automated fashion. It is configured in advance, executed on the remote host and left
running. Some time later, the operator returns and commands gyrfalcon to flush all of its collection to
disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data.
1.2 Dependencies
1.2.1 Configuration Tool
The configuration tool is a zipped Python executable. It requires Python 2.5-2.7 and the openssl
command line tool (included in most *nix distributions by default) for key generation.
1.2.2 Gyrfalcon Executable
The executable that runs on target comes in two flavors: 32-bit and 64-bit Linux ELF. They are
dynamically linked, meaning they depend on several libraries to be present on the target system:
libz.so.1
libpthread.so.0
libc.so.6
Without the required libraries, the tool will simply fail to run.
The tool must be executed on systems running Linux kernel 2.6.14 or greater, and glibc 2.5 or greater.
To get the kernel version of the target system, run the following at a command prompt:
$ uname -r
2.6.18-194.el5
To get the glibc version of the target system, run the following at a command prompt:
$ getconf GNU_LIBC_VERSION
glibc 2.5
Also, SELinux can prevent gyrfalcon from attaching to targeted processes by enabling the deny_ptrace
boolean. Fortunately, this boolean is disabled by default so far, but future distros may enable it. To
disable deny_ptrace do:
$ setsebool deny_ptrace 0
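A host audit for the prerequisites listed in this section, written here as an added example (it is not part of the manual or the tool): it compares the kernel and glibc versions against the stated floors and reports whether the SELinux deny_ptrace boolean that blocks the tool's process attachment is actually enforced. The selinuxfs path /sys/fs/selinux/booleans/deny_ptrace is assumed (older systems mount selinuxfs at /selinux).

```shell
#!/bin/sh
# Added example, not from the Gyrfalcon manual: audit a Linux host against the
# conditions the manual lists (kernel >= 2.6.14, glibc >= 2.5) and report whether
# the SELinux deny_ptrace boolean, which blocks attaching to another process,
# is actually enforced. Functions take inputs as arguments so they can be
# exercised offline; empty arguments fall back to the live system.

# version_ge A B: succeeds when dotted version A >= B. Leading text ("glibc ")
# and suffixes ("-194.el5") are ignored, so "2.6.18-194.el5" compares as 2.6.18.
version_ge() {
    a=$(printf '%s' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*//')
    i=1
    while :; do
        fa=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n }')
        fb=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n }')
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # every field compared equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# deny_ptrace_state FILE: reads the boolean from selinuxfs (assumed default
# /sys/fs/selinux/booleans/deny_ptrace, whose first field is the active value)
# and prints enforced, disabled or unavailable (no SELinux, or unreadable).
deny_ptrace_state() {
    f=${1:-/sys/fs/selinux/booleans/deny_ptrace}
    [ -r "$f" ] || { echo unavailable; return 0; }
    case $(cut -d' ' -f1 "$f") in
        1) echo enforced ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# audit_host KERNEL GLIBC DENY_FILE: prints one summary line per check.
audit_host() {
    k=${1:-$(uname -r)}
    g=${2:-$(getconf GNU_LIBC_VERSION 2>/dev/null || true)}
    if version_ge "$k" 2.6.14 && version_ge "$g" 2.5; then
        echo "runtime: $k / $g meet the tool's stated floor"
    else
        echo "runtime: $k / $g are below the tool's stated floor"
    fi
    echo "selinux deny_ptrace: $(deny_ptrace_state "$3")"
}
audit_host "$@"
```

Run with no arguments to audit the current host; a result of "disabled" or "unavailable" for deny_ptrace means the restriction this section describes is not in effect.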
January 2013 SECRET//NOFORN 1
