Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
(S) As of svn revision 8222 (CB v4.0), Flytraps send a “Windex Alert” to the CT when a
Target’s browser has been redirected. Windex Alert information is viewable on CW and
includes the date/time of the redirect and the original URL request of the Target browser.
(S) See Windex documentation and 9.11.3 for how to create a Browser Redirect
(Windex) Action.
5.2.3.9.2 (U) Copy
(S) The Flytrap can copy a Target’s network traffic to the CT. The copied data is in
standard pcap format. The Copy Action copies all data, regardless of port or protocol.
Copy timeouts can be specified on a per-Target basis in a Mission.
(S) Roundhouse version 2 devices (svn revision > 7500) support the “Copy VoIP” Target
Action which copies only Target VoIP traffic (RTP, RTCP, and SIP) for calls established
after the Target detection. A “Copy VoIP” timeout can be specified in the Mission.
(S) Roundhouse version 2 devices (svn revision > 7500) support the “Copy Call” Target
Action for VoIP Target types. The VoIP call traffic (RTP, RTCP, and SIP) as a result of
the VoIP Target detection is copied. A “Copy Call” timeout can be specified in the
Mission.
(S) The distinction between “Copy VoIP” and “Copy Call” is that “Copy Call” is related
to VoIP Targets only, whereas “Copy VoIP” is related to any Target type. So, for
example, if an email Target with a “Copy VoIP” action were detected, any VoIP traffic
(of calls established after the start of the “Copy VoIP” action) to/from that Target’s client
computer would be copied until the Copy timeout.
(S) See 5.2.3.11 for more info on VoIP Copy Actions.
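The selection rule implied by the Copy, "Copy VoIP" and "Copy Call" descriptions above can be stated precisely as a filter over the copied pcap. The following Python is an added example, not CherryBlossom, Flytrap or CherryWeb code: the pcap layout (classic little-endian pcap, DLT_IPV4 records), the way VoIP traffic is recognised (SIP on UDP/5060, RTP endpoints learned from the SDP `c=`/`m=audio` lines, RTCP assumed on the RTP port + 1) and every sample packet are assumptions constructed here. It shows the two behaviours side by side: Copy keeps every Target packet from detection until the timeout regardless of port or protocol, whereas Copy VoIP keeps only SIP plus the RTP/RTCP of calls whose signalling is seen after detection, so media of a call that was already up at detection time is not copied.

```python
# Added example (not CherryBlossom code): "Copy" vs "Copy VoIP" selection over a pcap.
# Assumptions: SIP on UDP/5060, media endpoints taken from SDP, RTCP on RTP port + 1;
# all packets below are constructed sample data.
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IPV4 = 228      # DLT_IPV4: each record starts at the IPv4 header
SIP_PORT = 5060

def ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP packet; checksums are left zero in this constructed sample."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def write_pcap(records):
    """records: iterable of (timestamp_seconds, raw_packet) -> bytes of a classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)]
    for ts, raw in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out)

@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes

def read_pcap(data):
    """Yield Pkt objects from a little-endian DLT_IPV4 pcap (the format write_pcap emits)."""
    magic, = struct.unpack_from("<I", data)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic/byte order")
    off = 24
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        raw = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        ihl, proto = (raw[0] & 0x0F) * 4, raw[9]
        src, dst = ".".join(map(str, raw[12:16])), ".".join(map(str, raw[16:20]))
        sport = dport = 0
        payload = raw[ihl:]
        if proto == 17:                                  # UDP: pull the ports
            sport, dport = struct.unpack_from("!HH", raw, ihl)
            payload = raw[ihl + 8:]
        yield Pkt(sec + usec / 1e6, src, dst, proto, sport, dport, payload)

def in_window(p, target_ip, detect_ts, timeout):
    """Both actions copy only Target traffic, from detection until the Mission timeout."""
    return detect_ts <= p.ts < detect_ts + timeout and target_ip in (p.src, p.dst)

def copy_all(pcap, target_ip, detect_ts, timeout):
    """Copy Action: everything to/from the Target, regardless of port or protocol."""
    return [p for p in read_pcap(pcap) if in_window(p, target_ip, detect_ts, timeout)]

def sdp_media(payload, default_ip):
    """Media endpoint (ip, port) advertised by an SDP body, or None if there is none."""
    ip, port = default_ip, None
    for line in payload.split(b"\r\n"):
        if line.startswith(b"c=IN IP4 "):
            ip = line[9:].decode()
        elif line.startswith(b"m=audio "):
            port = int(line.split()[1])
    return (ip, port) if port is not None else None

def copy_voip(pcap, target_ip, detect_ts, timeout):
    """Copy VoIP: SIP plus RTP/RTCP, but only for calls whose signalling is seen after
    detection; media of a call set up earlier has no learned endpoints and is skipped."""
    media, selected = set(), []
    for p in read_pcap(pcap):
        if not in_window(p, target_ip, detect_ts, timeout) or p.proto != 17:
            continue
        if SIP_PORT in (p.sport, p.dport):               # signalling: keep, learn media
            selected.append(p)
            ep = sdp_media(p.payload, p.src)
            if ep:
                media.add(ep)
                media.add((ep[0], ep[1] + 1))            # RTP port and its RTCP port
        elif (p.src, p.sport) in media or (p.dst, p.dport) in media:
            selected.append(p)                           # RTP/RTCP of a learned call
    return selected

# ---- constructed sample: Target detected at t=100, Copy timeout 20 s ----
TARGET, PEER = "10.0.0.5", "203.0.113.9"

def rtp(seq):
    return b"\x80\x00" + struct.pack("!HII", seq, seq * 160, 0xDEADBEEF)

def sip(first_line, ip, port):
    return (first_line + b"\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
            + b"c=IN IP4 " + ip.encode() + b"\r\nm=audio %d RTP/AVP 0\r\n" % port)

SAMPLE = write_pcap([
    (99.0, ipv4_udp(TARGET, PEER, SIP_PORT, SIP_PORT, sip(b"INVITE sip:old@peer SIP/2.0", TARGET, 20000))),
    (100.5, ipv4_udp(TARGET, "10.0.0.1", 50001, 53, b"\x12\x34\x01\x00")),           # DNS
    (101.0, ipv4_udp(PEER, TARGET, 21000, 20000, rtp(7))),          # media of the pre-detection call
    (102.0, ipv4_udp(TARGET, PEER, SIP_PORT, SIP_PORT, sip(b"INVITE sip:bob@peer SIP/2.0", TARGET, 30000))),
    (102.5, ipv4_udp(PEER, TARGET, SIP_PORT, SIP_PORT, sip(b"SIP/2.0 200 OK", PEER, 40000))),
    (103.0, ipv4_udp(TARGET, PEER, 30000, 40000, rtp(1))),          # RTP of the new call
    (103.1, ipv4_udp(PEER, TARGET, 40001, 30001, b"\x81\xc8\x00\x06")),  # RTCP of the new call
    (104.0, ipv4_udp("192.0.2.1", "192.0.2.2", 1234, 80, b"x")),    # not the Target
    (105.0, ipv4_udp(TARGET, "10.0.0.1", 50002, 53, b"\x12\x35\x01\x00")),           # DNS
    (130.0, ipv4_udp(TARGET, PEER, 30000, 40000, rtp(2))),          # after the timeout
])
```

Run against `SAMPLE`, `copy_all` returns seven packets (all Target traffic inside the window, DNS and the old call's RTP included) while `copy_voip` returns four (the INVITE, the 200 OK, and the RTP and RTCP of that call); the RTP at t=101 is dropped because its call was established before detection, and the packet at t=130 is dropped by both because the timeout has passed.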
5.2.3.9.3 (U) VPN Proxy/Link
(S) The Flytrap can, upon Target detection, proxy the Target’s network traffic through a
CB VPN Proxy Server (CB-VPN). All TCP and UDP traffic is proxied via an encrypted
VPN tunnel that is established between the Flytrap and the CB-VPN (note that the CB-
VPN does not respond to traceroute requests). VPN Proxy is useful for running
processor-intensive man-in-the-middle attacks and for packet capture (similar to Copy
Action in this respect). By default, the CB-VPN will dump all proxied traffic to a
standard pcap file which is accessible via CherryWeb. VPN Proxy timeouts can be
specified on a per-Target basis in a Mission.
(S) The Flytrap, upon Target detection, can also establish an encrypted VPN Link with
the CB-VPN. Typically, Flytraps have non-routable WANs, making remote access
to/attack of clients connected to the Flytrap’s LAN/WLAN difficult. VPN Link provides
a routable network path from the CB-VPN to the Flytrap’s WAN. In this respect, VPN
Link accomplishes pinholing-like capabilities without the complication of pinholing port
specification, etc. Once the VPN Link is established, an operator can run nmap-scans and
other network discovery/intrusion/exploitation tools against clients on the LAN/WLAN