Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
for device-specific information on administrator password exploits. See section 16
for firmware upgrade procedures (both wired and wireless) for all devices that
have passed FAT (see 6.2), as well as default IP addresses and default web
interface passwords.
(S) NOTE: if physical access can be obtained to the device, it is safer and more reliable
to do a firmware upgrade over a wired connection (most device manufacturers warn
against upgrading firmware over a wireless link). If a wireless link is used, it is
recommended to establish a high signal strength link to the device before upgrading.
Note that some wireless devices may be WEP or WPA/WPA2 protected, so in order to
connect to these devices wirelessly, you will need knowledge of the WEP or WPA/WPA2
key. Specific upgrade procedures for devices having passed FAT are in section 16. In
general, however, to implant the device, log on to the device’s web interface (i.e., open a
web browser and point it to http://<device LAN IP address>), which will require
knowledge of the device’s LAN IP address and the device’s web interface password. A
common default device LAN IP address is 192.168.1.1 (also 192.168.0.1, 192.168.2.1,
and 192.168.10.1). If you have already connected to the device, however, it is most likely
running a DHCP server and the device’s LAN IP address will be your client’s default
gateway. Obtaining the device’s password is trickier. In some cases the password may
not have been set (i.e., the password is the device’s default password). Additionally, a
number of tools have been developed for retrieving device passwords (Tomato for
example) – see section 6.3. Note that section 16 lists the default device IP addresses and
default web interface passwords. Once you have successfully logged on to the device’s
web interface, go to the device’s “firmware upgrade” web page, select the appropriate
CB firmware image file, and click upgrade. Most devices will reset themselves after a
firmware upgrade, although a few may require a manual restart. Most device web
interfaces include a “reset” or “reboot” device option.
(S) If the firmware upgrade is successful, the device (now a Flytrap) will send its Initial
Beacon after meeting the Initial Beacon criteria that have been built into the firmware
image (see 15.2 and 15.5).
(S) It is important to determine and record the WLAN and LAN MAC addresses of the
device you are implanting, as CherryWeb uses these as the Flytrap’s unique identifiers.
The user can then use these MAC addresses to configure the Flytrap: assign it a more
meaningful name, group, and location, and potentially pre-assign it a particular Mission
(see 9.7 and 9.9). The user can view a list of the WLAN MAC addresses of surveyed
devices via the Claymore GUI or in the report log file. Wireless sniffers (e.g., Airopeek)
will typically show the WLAN MAC as the ESSID. Most devices have this information
labeled somewhere on the device. In some cases, the MAC address printed on the device
is the LAN or WAN MAC, and it is usually similar (only the last octet differs) or
identical to the WLAN MAC. Section 16 documents which MAC address(es) are
labeled/printed on the supported devices that have passed FAT. When the Flytrap
beacons, it sends WLAN, LAN, and WAN MAC addresses, and CherryWeb displays
these three MAC addresses on the “Flytrap Details” page (see Figure 9), so that the user
can disambiguate if necessary.
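The paragraph above notes that a device exposes up to three MAC addresses (WLAN, LAN, WAN) that are usually identical or differ only in the last octet, and that an analyst must tie them back to one physical device. The following is an added example, not code from the original document or from any tool it names: a small inventory helper that normalizes MACs from mixed formats (sniffer exports, labels, log files) and clusters them per device using that last-octet heuristic, so a network owner auditing their own equipment can match observed MACs to the one printed on the hardware. The sample addresses and the heuristic's limits (vendors that do not follow the last-octet convention will not cluster) are assumptions of this example.

```python
"""Correlate WLAN/LAN/WAN MAC addresses that belong to one device.

Added example (not from the original document). Uses the observation that
a device's interface MACs are usually identical or differ only in the last
octet to merge MACs from an inventory into per-device records.
"""
import re

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'
    into lowercase colon-separated form; rejects anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def same_device(a: str, b: str) -> bool:
    """True if the two MACs are identical or differ only in the last octet
    (the first five octets, 15 characters in canonical form, are equal)."""
    return normalize_mac(a)[:15] == normalize_mac(b)[:15]


def group_by_device(macs):
    """Cluster observed MACs; each cluster shares its first five octets.
    Returns a sorted list of sorted clusters for stable comparison."""
    groups = {}
    for mac in macs:
        norm = normalize_mac(mac)
        groups.setdefault(norm[:15], set()).add(norm)
    return sorted(sorted(g) for g in groups.values())


def find_label_match(labeled_mac: str, observed):
    """Given the MAC printed on a device label, return the observed MACs that
    could be that device's other interfaces (identical or last-octet variants)."""
    return sorted(m for m in (normalize_mac(x) for x in observed)
                  if same_device(m, labeled_mac))


# Constructed sample: MACs seen on a test network, in the mixed formats
# that labels, sniffer exports and switch logs tend to use.
SAMPLE_OBSERVED = [
    "00-11-22-33-44-55",   # MAC printed on a router label (LAN side)
    "00:11:22:33:44:56",   # the same router's WLAN interface
    "0011.2233.4457",      # the same router's WAN interface
    "AA:BB:CC:00:00:01",   # an unrelated client
]
```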