Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
Cherry Bomb Program Cherry Blossom Internal Test Procedures
4.3.3 S/E 3xxx Default Gateway Discovery (DGD) Test
Description: Tests the Default Gateway Discovery (DGD) capability of the
device.
Context: Flytraps can be built with Default Gateway Discovery (DGD) included.
This is typically done for true Access Points (i.e., not routers), because on many
APs there is no need to set the default gateway (i.e., there’s no routing to
another subnet, just bridging of clients on the same LAN subnet). The device
is built with DGD enabled.
DGD is a little complex, and so requires a number of manual steps to test all of
the functionality. These steps explain the procedure specifically for the S/E 3xxx
device (other future APs should be fairly similar). In all tests, typically any default
gateways configured and/or cached on the device are unset, then mm is started,
and after generating certain traffic types, the device should successfully beacon.
You can also examine the routing table (with “route”) to see if a default gateway
has been properly set by DGD.
Setup: configure the device in AP mode. Wirelessly connect the Client Computer
to the device.
Run:
ARP Test – one technique that DGD uses is ARP MAC/IP address
discovery. The Flytrap filters ARP packets and keeps a MAC/IP address
mapping of local clients. It also filters TCP/IP packets destined for a
different subnet, and pulls the MAC address of the router from this packet. It
can then look up the IP address from the MAC/IP mapping, or if there is no
mapping yet, it polls periodically until the mapping is found. When found, the
Flytrap sets its default gateway to this value and stores it persistently over
future power-cycles in NVRAM.
First configure the AP without a default gateway using the web interface.
Then, telnet to the AP, killall mm, and unset any default gateways cached in
NVRAM (this is done with “flash set DEF_WLAN1_ACCOUNT_RS_IP
0.0.0.0”). You may also need to manually remove the default gateway from
the routing table (with “route del default”). Next, start mm. Connect the
wireless Client Computer to the Flytrap, and then connect to an internet
website (it is assumed that the AP is connected to the internet, most likely
through a router). In most cases, this should generate all the packets necessary
for the ARP technique. If the technique is successful, the Flytrap should
beacon successfully. If not, try clearing the ARP table on the wireless client
(typically with arp -d *). Then try connecting to the internet again. mm debug
output should indicate “Found ARP gw=a.b.c.d” or something similar.
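The inference the ARP technique relies on, as an added example that is not code from the original document: a Python sketch that replays raw Ethernet frames (for instance from a capture of the test traffic) and reports which gateway address that logic would arrive at. The function names, the frame bytes, all addresses and the /24 subnet are constructed for illustration, and treating the destination MAC of a client's off-subnet packet as the router's MAC is an assumption about what "pulls the MAC address of the router from this packet" means.

```python
import ipaddress
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def infer_gateway(frames, local_net):
    """Return the gateway IP (str) implied by the frames seen so far, else None."""
    net = ipaddress.ip_network(local_net)
    mac_to_ip = {}     # MAC -> IP, learned from ARP sender fields
    router_mac = None  # destination MAC of a frame routed off the local subnet
    for f in frames:
        if len(f) < 14:
            continue
        dst_mac, ethertype = f[0:6], struct.unpack("!H", f[12:14])[0]
        if ethertype == ETH_ARP and len(f) >= 42:
            sha, spa = f[22:28], ipaddress.ip_address(f[28:32])
            if spa in net:
                mac_to_ip[sha] = spa
        elif ethertype == ETH_IPV4 and len(f) >= 34:
            src, dst = ipaddress.ip_address(f[26:30]), ipaddress.ip_address(f[30:34])
            # Unicast frame from a local client to an off-subnet IP: its destination
            # MAC is the next hop. Broadcast/multicast frames are skipped.
            if src in net and dst not in net and not dst_mac[0] & 1:
                router_mac = dst_mac
        # The router MAC may be seen before its ARP entry, so re-check on every frame.
        if router_mac in mac_to_ip:
            return str(mac_to_ip[router_mac])
    return None

# --- Constructed sample frames (all addresses are made up) ---
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))
def _ip(s):
    return ipaddress.ip_address(s).packed
def arp_frame(sender_mac, sender_ip, target_ip):
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)  # Ethernet/IPv4 ARP request
    return (b"\xff" * 6 + _mac(sender_mac) + struct.pack("!H", ETH_ARP) + arp
            + _mac(sender_mac) + _ip(sender_ip) + b"\x00" * 6 + _ip(target_ip))
def ip_frame(src_mac, dst_mac, src_ip, dst_ip):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 6, 0)  # checksum left 0
    return (_mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4)
            + hdr + _ip(src_ip) + _ip(dst_ip))

CLIENT, ROUTER = "02:00:00:00:00:10", "02:00:00:00:00:01"
SAMPLE = [
    ip_frame(CLIENT, ROUTER, "192.168.1.50", "198.51.100.7"),  # off-subnet traffic first
    arp_frame(CLIENT, "192.168.1.50", "192.168.1.1"),          # client ARPs for the router
    arp_frame(ROUTER, "192.168.1.1", "192.168.1.50"),          # router's own ARP
]
print(infer_gateway(SAMPLE, "192.168.1.0/24"))
```

With only the first two sample frames the function returns None, which corresponds to the state in which the procedure above says the Flytrap keeps polling for the mapping.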
DHCP Test – another technique that DGD uses is DHCP “Options, Router”
discovery. Most DHCP servers will serve clients a DHCP packet that includes