Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Gyrfalcon v1.0 User Manual Postprocessing
4.3 Analysis
The output file (in the example above, output.txt) contains the collected data organized as a Python
dictionary. This makes analysis of the data straightforward: the Python interpreter can be used to selectively
view the data of interest. Here is an example raw output file:
{ '15154': { 'command_line': 'ssh test@10.5.1.10',
             'dest_addr': '10.5.1.10',
             'executed': [],
             'packets': [ { 'data': 'Password:10sne1\n\nLast login: Wed Dec 12 13:53:36 2012 from 10.5.1.11\r\r\n\x1b[?1034hrafes-mac-pro:~ test$ ls / \nls /\r\nApplications\t\tcores\t\t\topt\r\nLibrary\t\t\tdev\t\t\tprivate\r\nNetwork\t\t\tetc\t\t\tprivate_key.pem\r\nSystem\t\t\texport\t\t\tpublic_key.der\r\nUsers\t\t\thome\t\t\tsbin\r\nVolumes\t\t\thome (from old Mac)\ttmp\r\nXcode3.1.3\t\tlost+found\t\tusr\r\nbin\t\t\tmach_kernel\t\tvar\r\nbundle.h\t\tnet\r\nrafes-mac-pro:~ test$ logout\n\nlogout\r\n',
                            'timestamp': '2012-12-12T12:25:43'}],
             'session_id': '15154',
             'timestamp': '2012-12-12T12:25:42',
             'username': 'root'},
  '15156': { 'command_line': 'ssh test@localhost',
             'dest_addr': '127.0.0.1',
             'executed': [],
             'packets': [ { 'data': "test@localhost's password: 10sne1\n\nLast login: Wed Dec 12 12:25:36 2012 from 127.0.0.1\r\r\n\x1b]0;test@localhost:~\x07[test@localhost ~]$ ls / \nls /\r\n\x1b[00m\x1b[00;34mbin\x1b[00m \x1b[00;34mdev\x1b[00m \x1b[00;34mhome\x1b[00m \x1b[00;34mlib64\x1b[00m \x1b[00;34mmedia\x1b[00m \x1b[00;34mmnt\x1b[00m \x1b[00;34mopt\x1b[00m \x1b[00;34mroot\x1b[00m \x1b[00;34mselinux\x1b[00m \x1b[00;34msys\x1b[00m \x1b[00;34musr\x1b[00m\r\n\x1b[00;34mboot\x1b[00m \x1b[00;34metc\x1b[00m \x1b[00;34mlib\x1b[00m \x1b[00;34mlost+found\x1b[00m \x1b[00;34mmisc\x1b[00m \x1b[00;34mnet\x1b[00m \x1b[00;34mproc\x1b[00m \x1b[00;34msbin\x1b[00m \x1b[00;34msrv\x1b[00m \x1b[00;34mtmp\x1b[00m \x1b[00;34mvar\x1b[00m\r\n\x1b[m\x1b]0;test@localhost:~\x07[test@localhost ~]$ logout\n\nlogout\r\n\x1b[H\x1b[2J",
                            'timestamp': '2012-12-12T12:25:45'}],
             'session_id': '15156',
             'timestamp': '2012-12-12T12:25:43',
             'username': 'root'}}
Ugly right? The dictionary consists of a nested set of key/value pairs. At the first level, the keys are
numbers (in the example 15154 and 15156). These are the process IDs of the SSH instances that were
traced. The value for each process ID key is itself a dictionary of key/value pairs. Each value contains
the following keys:
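As an added example, not from the manual or the tool it describes, the script below shows how an incident responder who recovers a file in this format can inventory it without eval(): it parses the dict literal with ast.literal_eval, strips the terminal escape sequences that clutter the packets data, and reports per traced process which host was reached, which commands were typed and whether a password prompt was captured, so the exposed accounts can be rotated. The embedded sample file, the "$ " prompt regex and the function names are my own assumptions.

```python
import ast
import re

# Constructed sample in the manual's output format (not real captured data).
SAMPLE_OUTPUT = r"""{'15154': {'command_line': 'ssh test@10.5.1.10',
 'dest_addr': '10.5.1.10',
 'executed': [],
 'packets': [{'data': 'Password:hunter2\n\nLast login: Wed Dec 12 13:53:36 2012\r\n\x1b[?1034hhost:~ test$ ls /\nls /\r\nbin\tetc\r\nhost:~ test$ logout\n',
              'timestamp': '2012-12-12T12:25:43'}],
 'session_id': '15154',
 'timestamp': '2012-12-12T12:25:42',
 'username': 'root'}}"""

# CSI sequences (colours, cursor moves, ESC[?1034h) and OSC title sequences (ESC]0;...BEL).
ANSI_RE = re.compile(r'\x1b(?:\[[0-9;?]*[A-Za-z]|\][^\x07]*\x07)')
PASSWORD_PROMPT_RE = re.compile(r'password:', re.IGNORECASE)
PROMPT_CMD_RE = re.compile(r'\$ ([^\n]+)')  # assumes a "$ " shell prompt


def load_output(text):
    """Parse the dict literal safely; never eval() a recovered file."""
    data = ast.literal_eval(text)
    if not isinstance(data, dict):
        raise ValueError("expected a dict keyed by process id")
    return data


def clean_terminal(raw):
    """Strip terminal escapes and normalise line endings in captured data."""
    return ANSI_RE.sub('', raw).replace('\r\n', '\n').replace('\r', '')


def summarize(sessions):
    """One triage row per traced ssh process, sorted by pid. The row records
    whether a password prompt was captured but never the password itself."""
    rows = []
    for pid, s in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        text = ''.join(clean_terminal(p['data']) for p in s.get('packets', []))
        rows.append({
            'pid': int(pid),
            'dest_addr': s.get('dest_addr'),
            'command_line': s.get('command_line'),
            'started': s.get('timestamp'),
            'packets': len(s.get('packets', [])),
            'credential_exposed': bool(PASSWORD_PROMPT_RE.search(text)),
            'commands': PROMPT_CMD_RE.findall(text),
        })
    return rows
```

Run summarize(load_output(open('output.txt').read())) over a real recovered file; every row whose credential_exposed flag is set names an account (the target of command_line) that should be treated as compromised.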
January 2013 SECRET//NOFORN 9