Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

iptables -A input_rule -i $WAN -p tcp --dport 1723 -j
ACCEPT
### Allow GRE protocol (used by PPTP data stream)
iptables -A output_rule -p 47 -j
ACCEPT
iptables -A input_rule -p 47 -j
ACCEPT
Note: we need to do IP src bassed routing, i.e. Iptables support for the ROUTE target in order to
direct traffic to the pptpd localip. Note: any firewall between the FT and the proxy server must allow
GRE packets (protocol 47).
General Problem:
1) any protocol that embeds the client's IP or negotiates subsequent connections on a new port will
require a special proxy server impl. (and firewall reconfiguration on the FT) or it will fail.
2) True IP Transparency can only be achieved when the proxy server is a MITM between the
client and the destination server (the FT is, but the remote proxy server likely isn't).
Protocols that would break under a simple proxy:
FTP, SIP (most VOIP) requires a specialized proxy
Best solution: allow for configurable ports to proxy out and in (inbound ports require altering firewall)
allow for ability to save port configs and name: e.g. FTP proxy, VOIP proxy, etc. One way of looking
at this is as a control message sent from the proxy server to the FT that registers pinouts on the fly.
Therefore, the best temporary solution might be to only proxy specific types of traffic or ports in a
static mission configuration (pinouts).
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.129.66.1 * 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
10.1.1.0 * 255.255.255.0 U 0 0 0 vlan1
192.12.16.0 10.1.1.1 255.255.255.0 UG 0 0 0 vlan1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.129.66.1 0.0.0.0 UG 0 0 0 tun0

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh