Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//LES
address would be mistakenly sent to the attacker instead.[1] Refer to Figure 1 - ARP Spoof to visualize the technique.

FIGURE 1 - ARP SPOOF
Fulcrum uses ARP spoofing to get in the middle of the target machine and the default gateway on the LAN so that it can monitor all traffic leaving the target machine. It is important to note that Fulcrum only establishes itself in the middle on one side of the two-way communication channel between the target machine and the default gateway. Once Fulcrum is in the middle, it forwards all requests from the target machine to the real gateway.
2.5.2 HTTP TRAFFIC INJECTION
Once all network traffic from the target machine is routed to the pivot machine, Fulcrum monitors for specific Hyper Text Transport Protocol (HTTP) messages. Fulcrum waits for an opportunity to arise to direct the target's HTTP client to retrieve and render content controlled by the pivot machine. When the condition occurs (such as an HTTP GET request), Fulcrum responds by sending a specially formed HTTP packet to the target machine. It is important to note again that Fulcrum is forwarding all traffic from the target machine to the real gateway and is only in the middle of one side of the conversation. As a result, Fulcrum's specially crafted packet must beat the response packet from the real destination (e.g. www.somedomain.com). If the injected packet arrives after the real response, the target machine will simply discard it and the HTTP client will not receive or render it.
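
Added example, not part of the original document: the race described above leaves a trace for a sensor that sees traffic reaching the target machine, because two TCP segments of one flow claim the same sequence range with different bytes. The check below flags that condition; the record layout, addresses and sample payloads are constructed, and sequence-number wraparound is assumed not to occur.

```python
from collections import defaultdict

# Constructed sample: server-to-client TCP segments as (flow, seq, payload).
# flow = (src_ip, src_port, dst_ip, dst_port); addresses are documentation ranges.
FLOW_A = ("203.0.113.10", 80, "192.0.2.25", 49152)
FLOW_B = ("203.0.113.10", 80, "192.0.2.25", 49153)
SAMPLE_SEGMENTS = [
    (FLOW_A, 1000, b"HTTP/1.1 200 OK\r\n\r\nconstructed-A"),  # arrives first
    (FLOW_A, 1000, b"HTTP/1.1 200 OK\r\n\r\nconstructed-B"),  # same seq, other bytes
    (FLOW_B, 5000, b"HTTP/1.1 200 OK\r\n\r\nsame"),
    (FLOW_B, 5000, b"HTTP/1.1 200 OK\r\n\r\nsame"),           # benign retransmission
]


def find_conflicting_segments(segments):
    """Return (flow, start, end) for each overlapping sequence range whose
    bytes differ between two segments of the same flow.

    Assumption: sequence numbers do not wrap within the observed window.
    """
    seen = defaultdict(list)  # flow -> [(seq, payload), ...] already observed
    conflicts = []
    for flow, seq, payload in segments:
        for old_seq, old_payload in seen[flow]:
            start = max(seq, old_seq)
            end = min(seq + len(payload), old_seq + len(old_payload))
            if start >= end:
                continue  # no shared sequence range
            new_part = payload[start - seq:end - seq]
            old_part = old_payload[start - old_seq:end - old_seq]
            if new_part != old_part:
                conflicts.append((flow, start, end))
        seen[flow].append((seq, payload))
    return conflicts


if __name__ == "__main__":
    for flow, start, end in find_conflicting_segments(SAMPLE_SEGMENTS):
        print(f"conflicting payload on {flow}: seq {start}-{end}")
```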
[1] http://en.wikipedia.org/wiki/ARP_spoofing