Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN Gyrfalcon 2.0
5.1 (U) Update Encrypted Configuration File
(S//NF) Gyrfalcon is capable of updating the encrypted configuration file on the target platform without
stopping the Gyrfalcon application. You will need genconfig.py and the current archive file for the
target platform. Copy these files to a working directory on your local operator computer. The
following list is what can be or will be updated on the target platform.
1. (S//NF) The RSA-2048 public and private keys. (always updated)
2. (S//NF) The AES-256 initialization vector (IV). (always updated)
3. (S//NF) The compressed, encrypted collection file size. (user dependent)
4. (S//NF) The compressed, encrypted collection file working directory. (user dependent)
5. (S//NF) The compressed, encrypted collection file name. (user dependent)
6. (S//NF) The IP, hostname, or FQDN white list. (user dependent)
(U) Items 3 through 6 depend on user input to genconfig.py. Below are the steps you need to follow to
update the configuration file on the target platform.
1. (S//NF) Within the working directory on the local operator computer, execute genconfig.py to
generate a new encrypted configuration file, archive file, receipt file, and RSA public and private
keys.
1.1 ./genconfig.py -u archive_file
1.2 NOTE: use -u instead of -g to update the configuration file.
1.3 Where archive_file is the current target platform archive file.
1.4 (U) The script will ask you a series of questions where the answers should be determined
before executing this script.
1.4.1 (U) “What will be the collection file size?”
1.4.1.1 (U) If there is no change in size then repeat the previous value.
1.4.1.2 (U) Any size is allowed between 4096 and 4194304 bytes.
1.4.1.3 (U) Suggestion: sizes equivalent to a power of 2 are best.
1.4.2 (U) “What will be the implant's working directory?”
1.4.2.1 (U) If there is no change in directory then repeat the previous value.
1.4.2.2 (S//NF) The directory where the collection file will be kept.
1.4.2.3 (U) Directory name can be anything between 1 and 63 characters long.
1.4.2.4 (U) Directory must exist on the target platform.
1.4.2.5 (U) Relative directories are allowed relative to the application directory.
1.4.2.6 (U) Absolute directories are also allowed.
1.4.3 (U) “What do you want to name the collection file?”
1.4.3.1 (U) If there is no change in file name then repeat the previous value.
1.4.3.2 (U) File name can be anything between 1 and 15 characters long.
1.4.4 (U) “[ IPv4/IPv6 | IPv4 CIDR | hostname | FQDN ] – ”
1.4.4.1 (U) If there is no change in the white list, then repeat the previous values.
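A defender-side triage heuristic built from the collection file constraints stated above (a fixed size between 4096 and 4194304 bytes, preferably a power of two, holding compressed and encrypted data). This is an added example and is not part of the Gyrfalcon documentation or its tooling; the entropy threshold, the function names and the constructed test data are assumptions made for the example.

```python
"""Triage heuristic (added example, not from the Gyrfalcon manual):
walk a directory and flag files whose size is a power of two in the
4096..4194304 byte range and whose byte entropy is close to 8 bits per
byte, which is what compressed-then-encrypted data looks like."""
import math
import os
from collections import Counter

MIN_SIZE = 4096        # lower bound given in the manual
MAX_SIZE = 4194304     # upper bound given in the manual
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte; encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def size_matches(size: int) -> bool:
    """Size filter derived from the manual's stated collection file bounds."""
    return MIN_SIZE <= size <= MAX_SIZE and is_power_of_two(size)


def is_candidate(size: int, entropy: float) -> bool:
    """True when both the size pattern and the high-entropy content match."""
    return size_matches(size) and entropy >= ENTROPY_THRESHOLD


def scan_directory(root: str) -> list[tuple[str, int, float]]:
    """Return (path, size, entropy) for every file that matches the heuristic.
    The size check runs first so only the small set of size matches is read."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if not size_matches(size):
                    continue
                with open(path, "rb") as fh:
                    entropy = shannon_entropy(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            if is_candidate(size, entropy):
                hits.append((path, size, entropy))
    return hits


if __name__ == "__main__":
    import sys
    for path, size, entropy in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{size}\t{entropy:.2f}")
```

Run it against a suspect working directory and review the hits by hand: power-of-two sizes are common for legitimate files (block-aligned databases, key material, padded archives), so the output is a short list for an analyst, not a verdict.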
12 SECRET//NOFORN//20381126 November 2013
