Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
should be no spaces between URLs. The following is an example of specifying the HOST_WHITELIST in the configuration file:

HW=www.badguys.com,target.com,www.target.com

(S//NF) In the example above, the user has specified three targets that can be injected against: “www.badguys.com”, “target.com”, and “www.target.com”. Whitelist matches are case insensitive, but exact. In this example, note that Archimedes will not identify the following hosts as matches: “badguys.com”, “web.target.com”, “site.www.target.com”. At this time, there is no support for wildcard or regular expression matching in the whitelist processing.
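The whitelist rule described above (comma separated, no spaces, case insensitive but exact, no wildcards), modelled as an added example that is not part of the Archimedes document; the function names are hypothetical and the HW= line is the one quoted above.

```python
# Added example (not from the Archimedes document): a model of the HOST_WHITELIST
# matching rule as the text describes it. Function names are hypothetical.

def parse_host_whitelist(config_line: str) -> list[str]:
    """Parse an 'HW=host1,host2,...' line into a list of lower-cased hosts.

    The document states entries are comma separated with no spaces between
    URLs, so an empty entry or one containing whitespace is rejected as a
    configuration error rather than silently accepted.
    """
    key, sep, value = config_line.partition("=")
    if sep != "=" or key.strip() != "HW":
        raise ValueError("expected a line of the form HW=host1,host2,...")
    hosts = []
    for entry in value.split(","):
        if entry == "" or any(ch.isspace() for ch in entry):
            raise ValueError(f"malformed whitelist entry: {entry!r}")
        hosts.append(entry.lower())
    return hosts


def host_is_whitelisted(host: str, whitelist: list[str]) -> bool:
    """Exact, case-insensitive comparison only: no wildcard, regex or
    parent/sub-domain logic, matching the limitation the document notes."""
    return host.lower() in whitelist


# The example line quoted in the document.
CONFIG_LINE = "HW=www.badguys.com,target.com,www.target.com"

if __name__ == "__main__":
    wl = parse_host_whitelist(CONFIG_LINE)
    for h in ["www.badguys.com", "WWW.TARGET.COM", "badguys.com",
              "web.target.com", "site.www.target.com"]:
        print(f"{h:24} -> {host_is_whitelisted(h, wl)}")
```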
(C) FIRE AND FORGET SUPPORT

(S//NF) Fire and Forget (v.2) support has been updated to require the new command line switches as described previously.

(U) CHANGES TO APPLICATION DEFAULTS

(S//NF) The default value for INJECTION_METHOD (IM) is changed to SO (SURVEY_ONLY).

(S//NF) The default value for VERIFY_ROUTE (VR) has been changed to FALSE.

(S//NF) The maximum number of injections that will be attempted before quitting has been reduced from 10 to 5.

(S//NF) The AES key that Archimedes uses to encrypt/decrypt the configuration file and the survey results (and the debug log, for the debug version) has been changed and there is no backwards/forwards compatibility between versions.

(U) TROUBLESHOOTING

(S//NF) Version 1.2 requires that the new names (as described in the “Renamed Configuration Items” section) are used in the configuration file and for the INJECTION_METHOD as specified on the command line. For example, one must use “mDF” for the DOUBLE_FRAME method. Using the old style name will cause Archimedes to fail.

(S//NF) Archimedes verifies a successful injection against a target by monitoring the HTTP traffic for the target’s request that contains the injected URL. Unfortunately, if the injected URL uses an SSL connection or uses a port other than the monitored port, then the injected URL will never be seen. After waiting a few seconds, Archimedes will reset itself and perform the injection attack again. This will occur 5 times before the tool gives up and quits. It is highly recommended that the operator stops Archimedes (using the appropriate stop EXE/DLL) once a successful attack has been performed (as determined by observing the call in to the attack server).

(S//NF) Certain HTML tags designed to protect users against cross site scripting attacks are incompatible with the HTML injected by some of the injection methods. These tags, which prevent the use of FRAMEs or IFRAMEs, will cause a blank page to load on the target or a warning to appear in the browser. It has been observed that several popular web sites (e.g. www.google.com) employ these tags, so the purpose of the survey mode and whitelist is to allow an operator to specify a (small) set of exploitable sites based on observed traffic.