Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
data (including “Power-Cycle Wait” and “Traffic Requirement”) and make the –b and –t
options relevant.
15.7 (S) Default Gateway Discover (DGD) Details
(S) Section 5.2.3.17 briefly describes DGD. DGD is a series of passive techniques to
discover the default gateway of a LAN if one has not been configured on the Flytrap
device. Certain Flytrap make/models running later firmware versions (Mission Manager
version >= 4) support Default Gateway Discovery – in particular the Senao/Engenius
3220 devices support DGD.
(S) Typically, DGD is only needed on true Access Points (i.e., not wireless routers),
because true APs do not typically need a default gateway in order to operate – they
merely bridge same subnet clients and do not route traffic to other subnets. There is
therefore no real need for an AP to “know” the default gateway.
(S) In many cases, APs can be configured as a DHCP server to serve IP addresses on the
wireless LAN between a certain subnet range (e.g., 192.168.1.100 to 192.168.1.200).
Usually, the DHCP server is configured to also serve a default gateway IP address (and
DNS server IP addresses) – in this case DGD is not needed.
(S) Most APs also allow a default gateway to be set through the web interface, even
though it is not technically necessary in some modes – in this case DGD is not needed.
(S) In other cases, however, a Flytrap AP can be configured without a default gateway,
which means there is no default gateway route in the routing table, and hence the Flytrap
can never open a connection over the internet, for example, to send a Beacon. DGD
alleviates this problem by passively listening for network traffic that indicates the IP
address of the local default gateway. DGD uses two main techniques, both of which are
passive (i.e., no network packets are emitted by the Flytrap):
1. ARP discovery – DGD listens for ARP packets, and builds a mapping table of
client MAC/IP address pairs. DGD also listens for a TCP/IP packet destined for a
different subnet – this packet reveals the MAC address of the default gateway.
The default gateway MAC address can then be mapped to the default gateway IP
address using the MAC/IP mapping table.
2. DHCP discovery – DGD searches DHCP packets for the “Router” field in the
“DHCP Options” section. This field lists default gateway IP addresses in the order
of preference. Note that DGD only uses the first default gateway in the list.
DGD will cache a discovered default gateway IP address in a special key in nvram so it
can be retrieved quickly on future power-cycles.
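The two passive inferences listed above, written out as an added example (not code from the manual or from the tool it describes): a walk over DHCP options that returns the first Router entry, and a pass over raw Ethernet frames that maps the destination MAC of an off-subnet packet back to an IP through the ARP-derived table. The function names, the assumption that the local subnet is already known, and the sample frames are constructed for illustration.

```python
import ipaddress

def dhcp_first_router(options: bytes):
    """Walk DHCP options (the bytes after the magic cookie); return the first Router address."""
    i = 0
    while i < len(options) and options[i] != 255:       # 255 = End
        if options[i] == 0:                             # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            return None                                 # truncated option header
        code, length = options[i], options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:
            return None                                 # truncated option body
        if code == 3 and length >= 4:                   # 3 = Router, IPv4 list in preference order
            return str(ipaddress.IPv4Address(value[:4]))
        i += 2 + length
    return None

def gateway_from_frames(frames, subnet):
    """Infer the gateway IP from raw Ethernet frames: ARP pairs plus one off-subnet packet."""
    net, mac_to_ip, gw_mac = ipaddress.ip_network(subnet), {}, None
    for f in frames:
        ethertype = f[12:14]
        if ethertype == b"\x08\x06" and len(f) >= 42:    # ARP: sender MAC at 22, sender IP at 28
            sender_ip = ipaddress.IPv4Address(f[28:32])
            if sender_ip in net:                         # ignores 0.0.0.0 probes and stray subnets
                mac_to_ip[f[22:28]] = sender_ip
        elif ethertype == b"\x08\x00" and len(f) >= 34:  # IPv4: destination IP at 30
            dst_ip = ipaddress.IPv4Address(f[30:34])
            if not f[0] & 1 and dst_ip not in net:       # unicast frame bound for another subnet
                gw_mac = f[0:6]                          # so its destination MAC is the gateway's
    gw_ip = mac_to_ip.get(gw_mac)                        # works whichever was observed first
    return str(gw_ip) if gw_ip is not None else None

# Constructed sample traffic (not from the page): 192.168.1.0/24, gateway 192.168.1.1.
def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip4(s): return ipaddress.IPv4Address(s).packed
def arp_frame(src_mac, src_ip):                          # broadcast ARP request from src_mac
    hdr = b"\xff" * 6 + src_mac + b"\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01"
    return hdr + src_mac + ip4(src_ip) + bytes(6) + ip4("192.168.1.254")
def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip):        # bare 20-byte IPv4 header, no payload
    hdr = b"\x45\x00\x00\x14" + bytes(4) + b"\x40\x06\x00\x00"
    return dst_mac + src_mac + b"\x08\x00" + hdr + ip4(src_ip) + ip4(dst_ip)
GW, PC = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:10")
SAMPLE_FRAMES = [ipv4_frame(GW, PC, "192.168.1.16", "203.0.113.7"),  # seen before any ARP
                 arp_frame(PC, "192.168.1.16"), arp_frame(GW, "192.168.1.1")]
SAMPLE_DHCP_OPTIONS = bytes([53, 1, 5, 1, 4, 255, 255, 255, 0, 3, 8]) + ip4("192.168.1.1") + ip4("192.168.1.2") + b"\xff"
```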
The DGD logic flow is as follows: