Vault 7: Projects

SECRET//20350112
Master and Slave server. As of writing, a solution to this problem has not been definitively documented, but is likely a managed switch firewall issue – contact a sponsor network engineer. Note that this problem will likely result in a Flytrap not being able to beacon through a PoP to the CB Master server (because PoPs have one network interface connected to the same managed switch).
8.3 (U) Troubleshooting CB Flytrap Beacon Issues
(S) Operational Flytraps Beacon through one of the PoPs assigned to the CB system (see the network diagram in section 5.1). This section describes how to troubleshoot problems related to Flytraps beaconing through PoPs to the CB Master server. Problems typically resolve to one of four cases:

1. The Flytrap is configured with an errant PoP IP address or URL. Double check the IP address/URL of the PoP to which the Flytrap has been configured to beacon – e.g., connect a (true) hub to the WAN of the Flytrap, and connect a network sniffing client to the hub. Analyze the sniffed traffic for the beacon and verify the IP is correct.

2. The CB Master server and related sponsor network infrastructure are down/misconfigured – see sections 8.2.4 and 8.1.

3. The PoP or sponsor network is misconfigured and is not properly forwarding beacon traffic to the CB Master server. Consult with a sponsor network engineer.

4. The Beacon is being rejected/altered by a firewall/IDS/proxy/etc. somewhere in the network path, and as such doesn’t authenticate properly at the CB Master server, or doesn’t decrypt properly at the Flytrap. This is a complex problem. As of svn revision 6200, Flytrap software successfully beacons through squid proxy servers that have been configured in a fairly default/standard manner. Cherry Web will log the situation where a Flytrap can Beacon to the CB Master server, but does not fully receive its tasking (Mission) as a response to the beacon (i.e., the socket closes before the Mission is fully received). To show this, go to the Cherry Web View -> Flytraps page, and click on the link for the Flytrap of interest. Then click on the “Diagnostics” View link. If there is a relevant error message, then the Flytrap can Beacon, but the CB Master server cannot fully send the Mission – e.g., some process in the middle is mucking with the network traffic in a way that the Flytrap does not like or understand; or, the process in the middle does not like something in the (encrypted) Mission data, and is simply closing the connection on both ends. At this point, gather as much tcpdump/ethereal/wireshark pcap data as possible at both the Flytrap (i.e., connect a (true) hub to the WAN of the Flytrap, and connect a network sniffing client to the hub) and on the CB Master server (run tcpdump) and send to the appropriate CB staff. It is likely software modifications will be needed to fix the problem.