Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED//LES
9 KNOWN ISSUES

If the pivot machine is moved to another network while Fulcrum is running, the pivot machine will not be able to connect to the internet or generally use networking services. This is because Fulcrum places a static ARP entry for the default gateway in the pivot machine's ARP table/neighbor cache when the application starts up. This will be addressed in future versions. For now, the recommended workaround is not to deploy Fulcrum on machines that are likely to change networks, such as laptops and netbooks.

MAC addresses must be specified in the form XX:XX:XX:XX:XX:XX using colons, not dashes. In a future version we will likely accept either.

FulcrumShutdown only works if it is run as the same user with the same privileges that Fulcrum was started with. If Fulcrum is running as NT AUTHORITY\SYSTEM, for example, a normal user or even an administrator cannot shut down Fulcrum using FulcrumShutdown. In the case of Fulcrum running as the system account, you can run FulcrumShutdown as the system account using Sysinternals' psexec tool with the -s flag. For example: psexec -s fs32.exe

WinPcap leaks two handles each time Fulcrum is run: one for a registry HKEY and one for the packet[nt|2k|vista].dll. Even if Fulcrum is run thousands of times in the same process, this won't exhaust the handle address space.

If Fulcrum is run on a pivot machine which is actually a virtual machine and the host machine is running Linux and VMware, then a notification is displayed on the host system. The notification is a message box that states: The virtual machine's operating system has attempted to enable promiscuous mode on adapter Ethernet0. This is not allowed for security reasons.

Fulcrum does not measure its success or failure based on Wax success. Fulcrum bases its success or failure on whether the target machine requests the injected URL.

If the target machine goes offline and the pivot machine doesn't notice for an extended period of time, OR if the target machine is online but not generating any traffic for an extended period of time, then the switch that the target and pivot are both connected to may begin sending the ARP spoof packets out to all ports on the switch. This is known as "failing open" and is a result of the target machine's MAC address expiring out of the CAM table on the switch. All other machines on the switch will discard this traffic unless their interface is in promiscuous mode. Even if the interface is in promiscuous mode, some operating system versions will not update their ARP cache from these packets and thus will not be ARP spoofed. Finally, for those machines that do have their interfaces in promiscuous mode and do update their ARP table from these broadcasted unicast ARP spoof packets, Fulcrum will still not fire on any of them and will simply route their traffic on to the real gateway.
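The two ARP symptoms described above (the default gateway's IP being claimed by a second MAC, and unicast ARP replies reaching a port they were not addressed to once the switch fails open) are exactly what a host-side ARP monitor can alert on. The following is an added Python example, not code from the Fulcrum documentation; all MAC and IP addresses and the sample frames are constructed.

```python
import struct

# Constructed example; frame layout is Ethernet II (14 bytes) + ARP (28 bytes).
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ETHERTYPE_ARP, ARP_REPLY, BROADCAST = 0x0806, 2, b"\xff" * 6

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    # Accept either colon or dash separators (the guide above only accepts colons).
    return bytes.fromhex(s.replace(":", "").replace("-", ""))

def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(dst, src, sha, spa, tha, tpa) -> bytes:
    """Construct an ARP reply frame for the sample traffic (not captured data)."""
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def analyze(frames, own_mac, gateway_ip, gateway_mac):
    """Flag ARP replies that rebind the gateway IP, and unicast replies that were
    not addressed to this host (what a receiver sees when a switch fails open)."""
    bindings = {gateway_ip: gateway_mac.lower()}  # trusted IP -> MAC, seeded with the gateway
    alerts = []
    for frame in frames:
        dst, _src, etype = ETH_HDR.unpack_from(frame)
        if etype != ETHERTYPE_ARP:
            continue
        op, sha, spa = ARP_PKT.unpack_from(frame, ETH_HDR.size)[4:7]
        if op != ARP_REPLY:
            continue
        spa_s, sha_s = ".".join(map(str, spa)), mac_str(sha)
        known = bindings.setdefault(spa_s, sha_s)  # first sighting of an IP is trusted
        if known != sha_s:
            alerts.append(f"rebind: {spa_s} claimed by {sha_s}, expected {known}")
        if dst != BROADCAST and mac_str(dst) != own_mac.lower():
            alerts.append(f"flooded: unicast reply for {mac_str(dst)} reached this port")
    return alerts

def run_demo():
    own, gw, rogue, other = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:99", "00:11:22:33:44:66"
    frames = [
        build_arp_reply(own, gw, gw, "192.0.2.1", own, "192.0.2.10"),            # legitimate gateway reply
        build_arp_reply(own, rogue, rogue, "192.0.2.1", own, "192.0.2.10"),      # gateway IP claimed by another MAC
        build_arp_reply(other, rogue, rogue, "192.0.2.1", other, "192.0.2.11"),  # unicast to another host, flooded to us
    ]
    return analyze(frames, own, "192.0.2.1", gw)

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The third sample frame raises both alerts: it rebinds the gateway and arrives on a port it was never addressed to, which is the "broadcasted unicast" signature of a switch failing open.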
