Vault 7: Projects

SECRET//20350112
the Target’s approximate login time at the terminal. Note that if there is a Target Alert, and then there is no activity from that Target for Session Timeout, and then there is activity again, a Derived MAC Alert is sent. Similarly, if a Target email/chat has not been detected in traffic for “Session Timeout”, and then is detected again, another email/chat Alert will be sent. In this use case, it is probably not desirable to send Derived MAC Alerts, but it is desirable to send another instance of email/chat Alerts periodically. The operator should consider both of these items when determining the Session Timeout parameter.

(S) Copy Actions probably do make sense in this case, but only with an appropriate timeout. Note that if it is known that a Target visits the terminal periodically, and it is desired to Copy this Target’s traffic for a timeout, then a new Mission should be created and assigned between Target visits – recall that once a Copy has timed out for a particular Target, data from that Target’s client MAC address will not be copied from that Flytrap until a new Mission is assigned and retrieved by the Flytrap (see 7.7).
11.4 (S) Suspected Target with Unknown Email/Chat Address
(S) The Harvest (see 5.2.3.12) and Copy All (see 5.2.3.10) features probably make the most sense in this case. Note that the Harvest Data is sent with each Beacon, and that the Flytrap can only store up to 3 kilobytes of Harvest data. So, Beacon Interval should be set appropriately.

(S) If Copy All is used with a timeout, once the Copy All has timed out, a new Mission must be created/assigned to perform another Copy All. Also note that the Flytrap begins Copy All on the first packet passing through the Flytrap after retrieving a new Mission.
11.5 (S) Wireless Network Access
(S) Flytrap beacons include security settings (see 15.1.3). The security settings can be used to gain wireless network access to a device secured with WEP or WPA/WPA2.
11.6 (S) Target Computer Exploitation (with Windex)
(S) A Target computer connected to a Flytrap (either wired or wirelessly) can be exploited using the Windex option (see 5.2.3.9.1). If a Target email/chat/MAC is detected, and a Windex action has been configured, the Windex action will occur when the Target surfs to a root web page (e.g., www.slashdot.org).
11.7 (S) Network Discovery/Intrusion/Exploitation (with VPN Link)
(S) The VPN Link Action (see 5.2.3.9.3) provides a network path to clients sitting on a Flytrap’s LAN/WLAN (normally these clients would not be routable from the WAN side of the Flytrap). For example, nmap or netcat can be used to run a port scan on a client through the VPN Link tunnel. Vulnerable services found from the port scan could then be exploited through the VPN Link Tunnel. Perhaps the easiest way to perform such a task is to plan a Mission with a VPN Link Global Action (see 5.2.3.10) with an indefinite timeout (see 9.11.9) and assign this Mission to the Flytrap. Once the Flytrap successfully