Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
Cherry Bomb Program Cherry Blossom Internal Test Procedures
Run: generate Alerts (and trigger Actions) for a random sampling of the Targets.
Pass/Fail: the test passes if all expected Alerts are received/displayed on
CherryWeb in a timely fashion, and all Actions occur as expected.
4.2.19 Encrypted Comm Test
Description: Tests that the Flytrap’s communications (Beacons and Alerts) are
indeed encrypted.
Setup: connect the Flytrap’s WAN to a true hub, connect the hub to the internet,
and connect the Second Client Computer to the hub. Start Wireshark on the
Second Client Computer. Plan/Assign a Mission with Target abc@def.com. Set
other parameters as in 4.2.1.
Run: while Wireshark on the Second Client Computer is capturing data, have the
Flytrap beacon and generate an Alert for abc@def.com. Stop/examine the
Wireshark capture.
Pass/Fail: the test passes if the packets related to the Beacon and Alert events
are encrypted (unintelligible).
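Added example (not part of the original document): one way to turn the "unintelligible" pass/fail judgement above into a measurable check on payload bytes already exported from the capture. The thresholds, function names and sample payloads are assumptions constructed for illustration; only the marker abc@def.com comes from the test description.

```python
import hashlib
import math
from collections import Counter

MARKER = b"abc@def.com"  # Target string named in the test description

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def assess_payload(payload: bytes, marker: bytes = MARKER,
                   min_len: int = 512, min_entropy: float = 7.0,
                   max_printable: float = 0.6) -> str:
    """Classify one captured payload (thresholds are assumed, not from the page)."""
    # A visible marker is a failure regardless of payload size or entropy.
    utf16 = marker.decode("ascii").encode("utf-16-le")
    if marker.lower() in payload.lower() or utf16 in payload:
        return "plaintext-marker"
    # Entropy estimates on short samples are unreliable; do not guess.
    if len(payload) < min_len:
        return "too-short"
    if shannon_entropy(payload) < min_entropy or printable_ratio(payload) > max_printable:
        return "low-entropy"
    return "unintelligible"

# Constructed samples: deterministic pseudo-random bytes standing in for
# ciphertext, and two cleartext payloads (with and without the marker).
CIPHER_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
CLEAR_WITH_MARKER = b"POST /alert HTTP/1.1\r\n\r\nto=abc@def.com&event=seen"
CLEAR_NO_MARKER = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 20

if __name__ == "__main__":
    for name, data in [("cipher-like", CIPHER_LIKE),
                       ("clear+marker", CLEAR_WITH_MARKER),
                       ("clear", CLEAR_NO_MARKER)]:
        print(f"{name:13s} {assess_payload(data)}")
```

High entropy alone also matches compressed data, so the marker search is the stronger of the two signals.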
4.2.20 Port/Protocol Scanning Tests
Description: Tests the Port/Protocol Scanning feature of the Flytrap.
Setup: connect the Flytrap’s WAN to a true hub, connect the hub to the internet,
and connect the Proxy Server to the hub. Connect the Client Computer to the
Flytrap.
Run: assign a Mission with “Port Scanning” set to “80 and Chat Ports”, “Protocol
Scanning” set to “Only Scan TCP”, Target abc@def.com, and other parameters
as in 4.2.1. Have the Flytrap beacon and receive this Mission.
Configure Apache on the Proxy Server to bind to port 12121 (edit the Listen field
in <APACHE_HOME>/conf/httpd.conf), add a webpage that has abc@def.com
(e.g., add <CB>/Test/GenericFilter/WebServer/GenericFilterTest1A.html to
Apache’s web content path), and start Apache. From the Client Computer, open
the webpage with abc@def.com on the web server (remember to append :12121
to the URL). Verify (using CherryWeb) that no Alert is sent (this tests that port
scanning is working properly).
If the Proxy Server is not available, any locally installed Tomcat instance running
on port 8080 can be used.