Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//LES
FULCRUM ENCRYPTER is a helper utility used on the Deployment Preparation Machine to manipulate Fulcrum's configuration and log files.
Four high level objectives were identified and prioritized for this project. In order of highest to lowest priority, they are:
1. Correctness – Correct Target, Correct Network, Successful Injection
2. Stability – Don't crash the system, the application, or the process.
3. Stealth – Remain imperceptible to the user, avoid Personal Security Product (PSP) Detection, avoid Intrusion Detection System (IDS) detection, and don't get caught.
4. Usability – Avoid human errors (easy to configure, easy to deploy), Manage Application Size (large binaries present a problem), Manage Resource Usage
2.5 ANATOMY OF THE PIVOT
There are two basic components to this pivoting technique: the ARP based man in the middle (MITM) and TCP session hijack for HTTP traffic injection. Specially crafted HTTP responses are sent to the target in response to HTTP requests made by the target by hijacking the TCP session. These responses deliver the originally requested content as well as the wax.
2.5.1 ARP SPOOFING TO GET IN THE MIDDLE
The Address Resolution Protocol (ARP) is the network protocol used to resolve OSI Layer 3 Network Addresses (e.g. IPv4 addresses) into OSI Layer 2 Link Addresses (e.g. MAC address). Although ARP has been implemented for a number of combinations of Layer 3 and Layer 2 implementations, Fulcrum is focused only on the Internet Protocol Version 4 (IPv4) and IEEE 802.3 (Ethernet) environment. The combination of IPv4 and Ethernet represents the overwhelming majority of Local Area Networks (LAN).

When a computer wants to send data to another computer on an Ethernet network, it must first translate the IP address of the remote machine into its corresponding MAC address. This information is then used to form an Ethernet Frame containing, among other things, the IP packet and the data payload. In a switched Ethernet environment (which is the most common), the MAC address information in the Ethernet Frame is then used to route the frame from the requesting machine to the remote machine. As a result, peer machines on a LAN do not see the vast majority of traffic that is generated by each other.
ARP Spoofing is a technique used on a LAN to allow an attacker's machine to intercept data frames from peer machines that were intended for other destinations. This places the attacker's machine in the middle of any traffic from the target's machine to any other destination and is known more commonly as the man in the middle. ARP Spoofing compromises the target machine's translation of IPv4 addresses into MAC addresses by sending spoofed ARP packets which associate the attacker's MAC address with the IP address of another host (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead.[1] Refer to Figure 1 ARP Spoof to visualize the technique.

[1] http://en.wikipedia.org/wiki/ARP_spoofing
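The symptom described above, one IP address (typically the default gateway) being claimed by a second MAC address, is what a LAN monitor looks for. The following is an added defender's example, not code from the Fulcrum document; the ARP reply records and the trusted gateway mapping are constructed, and the field names are assumptions.

```python
# Added example (not from the Fulcrum document): flag the two signs of ARP
# spoofing the text describes, an IP whose MAC binding changes and one MAC
# that answers for several IPs. Input is a constructed list of ARP replies.
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample capture: the gateway 192.168.1.1 is really at ...:01,
# then a host at ...:99 starts answering for the gateway and for a peer.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ArpReply(2.0, "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ArpReply(3.0, "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ArpReply(4.0, "192.168.1.1", "AA:BB:CC:DD:EE:99"),   # conflicting claim
    ArpReply(5.0, "192.168.1.20", "aa:bb:cc:dd:ee:99"),  # same MAC, second IP
]

def detect_arp_conflicts(replies, trusted=None):
    """Return [(ts, ip, expected_mac, observed_mac)] for every reply whose
    sender MAC disagrees with the binding already known for that IP.

    `trusted` seeds the table with known-good bindings (e.g. the gateway) so
    that a poisoned first reply is caught too; otherwise first-seen wins and
    is never overwritten by a later conflicting reply.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()          # normalise case before comparing
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = mac        # learn the binding on first sight
        elif known != mac:
            alerts.append((r.ts, r.sender_ip, known, mac))
    return alerts

def macs_claiming_multiple_ips(replies):
    """Return {mac: sorted list of IPs} for MACs that answered for >1 IP."""
    claims = {}
    for r in replies:
        claims.setdefault(r.sender_mac.lower(), set()).add(r.sender_ip)
    return {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}

if __name__ == "__main__":
    gw = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}
    for ts, ip, old, new in detect_arp_conflicts(SAMPLE_REPLIES, trusted=gw):
        print(f"t={ts}: {ip} expected {old}, saw {new}")
    print(macs_claiming_multiple_ips(SAMPLE_REPLIES))
```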