Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Proxy (i.e. outbound NAT dest IP translation)
Firewall Manipulation:
We will have to open up the firewall to allow for an inbound or outbound pinhole (a packet with
the original IP destination must be allowed, regardless of the user-configured firewall).
This is as simple as adding an accept rule to every IP table, either programmatically (preferred)
or via an exec on the command line. This estimate is for support on one device FT; FTs with a
similar kernel would also likely be supported with little or no effort.
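Seen from the defending side, an accept rule added to every table shows up as a difference between a known-good `iptables-save` snapshot and the current one. The following is an added example, not part of the original document; the two snapshots, the documentation addresses and the function names are constructed for illustration.

```python
# Added example; both snapshots are constructed (documentation addresses only).
BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
"""
CURRENT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -d 192.0.2.10/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -j DROP
-A FORWARD -d 192.0.2.10/32 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -j ACCEPT
COMMIT
"""

def parse(snapshot):
    """Return {(table, rule)} for every -A rule in an iptables-save dump."""
    rules, table = set(), None
    for line in snapshot.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("["):   # "[pkts:bytes]" from -c
            tokens = tokens[1:]
        if tokens and tokens[0].startswith("*"):   # table header, e.g. *filter
            table = tokens[0][1:]
        elif tokens and tokens[0] == "-A":         # one rule per line
            rules.add((table, " ".join(tokens)))
    return rules

def new_accept_rules(baseline, current):
    """Rules only in `current` whose -j target is ACCEPT, sorted by table."""
    hits = []
    for table, rule in parse(current) - parse(baseline):
        t = rule.split()
        if "-j" in t[:-1] and t[t.index("-j") + 1] == "ACCEPT":
            hits.append((table, rule))
    return sorted(hits)

print(new_accept_rules(BASELINE, CURRENT))
```

The comparison ignores rule order and covers only rules visible through `iptables-save`; packet handling done by kernel code outside the rule tables does not appear in that output.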
netfilter firewall configuration:
1-2 weeks
static/hardwired pinhole test for forward and reverse pinhole assuming options A-1, B-1, C-1:
2-5 days
UDP support (depends on previous TCP test working):
1 day
mission protocol configuration/support:
1-2 days
CW support:
target action/activated pinhole: + 5-10 days
static mission FW pinhole: 2-4 days if added to generic MissionProperties page
Note: sponsor has not requested Reverse Pinhole (RP)
domain -> IP pinholing / redirection (option RP-3): + 3-5 days
global/mission (option RP-1,2): + 2 days
Testing:
1 week minimum
Windex Connection Negotiation over HTTPS
Main Requirement: application layer proxy app (hereafter referred to as 'wxpx') that serves as an
HTTP connection proxy and can hand off a connection to windex. See white board for pseudo code
implementation stages.
Significant Development tasks:
1. HTTP request and response inspection and domain lookup (already have kernel level functions
for HTTP request and response inspection)
or
Including destination IP (port optional) in packet before sending over local interface or over
NETLINK. If forwarding multiple connections from gf, local interface is preferred.
2. SSL support (many libs are available; we need to choose a small-footprint one that is portable
to most FTs)