Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Hole punching:
Technique of establishing and outbound TCP connection or UDP packet (or UDP handshake) in order
to open up a hole in Firewalls between a non public addressable FT and an outside destination IP. This
is useful in order to
Pinhole Estimate of Work
This estimate is for kernel/netfilter based impl (Option D-1) on FT's that already support HTTP
Proxy (i.e. outbound NAT dest IP translation )
Firewall Manipulation:
We will have to open up the firewall to allow for inbound or outbound pinhole (packet with
original IP destination must be allowed, regardless of user configured firewall).
As simple as programatically (preferred) or via an exec on the cmd line, adding an accept rule to
every IP table. This estimate is for support on one device FT, FT's with a similar kernel would
also likely be supported with little or no effort.
netfilter firewall configuration:
1-2 weeks
static/hardwired pinhole test for forward and reverse pinhole assuming options A-1, B-1, C-1:
2-5 days
UDP support (depends on previous TCP test working)
1 day
mission protocol configuration/support:
1-2 days
CW support:
target action/activated pinhole: + 5-10 days
static mission FW pinhole: 2-4 days if added to generic MissionProperties page
Note: sponsor has not requested Reverse Pinhole (RP)
domain-> IP pinholing / redirection (option RP-3): + 3-5 days
global/mission (option RP-1,2) : +2 days
Testing:
1 week minimum
Windex Connection Negotiation over HTTPS
Main Requirement: application layer proxy app (hereto referred as 'wxpx') that servers as a HTTP
connection proxy and can hand off a connection to windex. See white board for pseudo code impl.
stages.
Significant Development tasks:

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh