Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
________________________________________________________________________
5.2 (U) Configuration
(S//NF) The Listening Post instance can be configured with a local JSON-encoded text file called
“config.json”. The setup script writes out the configuration file, config.json, and copies the
corresponding required Server python files to /var/www/html. The config.json file contains the
information generated by the setup script and is read by the Server python script on start-up. The
config.json can be edited manually to add/modify/delete any user updates; if edits are made, the
Apache server should be restarted to ensure everything is refreshed. The config.json contains:
{
"DATA_URLS": ["/blog/comm", "/php/id", "/"],
"ROOT_DIR": "/srv/athena",
"WEB_URLS": ["/html", "/", "/web"],
"OUT_FOLDER": "OUT",
"IN_FOLDER": "IN",
"HOST" : "0.0.0.0",
"PORT" : "",
"LOG_SIZE" : "65536",
"HTTP_ERROR_CODE" : 200
}
Figure 8 - (S//NF) Listening Post Configuration File
Warning
(S//NF) The values in DATA_URLS must contain the value configured in the Implant Builder field,
Beacon URL Path for LP. The values in WEB_URLS must contain the value configured in the LP Builder
field, URL Path for Web Resources.
1) DATA_URLS – This is the virtual URL path sent from the target to inform Apache to forward requests to
the Athena Listening Post.
2) ROOT_DIR - This is the root directory location where the parent folder must be created with the 4
character identifier configured for the target.
3) WEB_URLS – This value defines the URL path of web resources. This can be any URL path on which you
plan to deliver normal web content (must not be the same as the tasking URL path).
4) DATA_URLS - Tasking directory - this is the root directory location where the parent folder must be
created with the 4 character identifier configured for the target.
5) OUT_FOLDER - This folder contains the tasking files generated by the Tasker that will be sent to the
target for processing.
6) IN_FOLDER - This folder contains the files that the target will upload back to the LP for post-processing
by the Parser.
7) HOST – This is the NIC binding address. (default 0.0.0.0)
8) PORT – This value defines the web port. (default 443)
9) LOG_SIZE – This value defines the size of a single log file. (default 64K) By setting this value to zero, no
logging information will be stored. The server will store at most 5 backup logs in the current instance.
10) HTTP_ERROR_CODE – This value defines the error code returned to the target when an error occurs. It
is the responsibility of the system administrator to validate alternate return codes to support forwarding or
other capabilities.
HTTP Status codes for failure:
a) 407 - proxy authentication failed
b) 502, 504 - proxy or gateway failure
c) 600, 601, 602, 603 - squid error codes
d) All other status codes indicate a successful beacon.
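For incident responders, the key set in Figure 8 works as a file-content indicator when triaging a suspect web server. The following is an added example, not code from the guide or from the tool it describes: it flags any config.json whose keys match Figure 8 and reports the listener and URL paths to pivot on in proxy logs. The function names, the `min_keys` threshold and the size limit are assumptions.

```python
import json
import os

# Key names as they appear in Figure 8 of the guide excerpt.
LP_KEYS = {"DATA_URLS", "ROOT_DIR", "WEB_URLS", "OUT_FOLDER", "IN_FOLDER",
           "HOST", "PORT", "LOG_SIZE", "HTTP_ERROR_CODE"}
DEFAULT_HOST, DEFAULT_PORT = "0.0.0.0", 443  # defaults stated in the guide
MAX_BYTES = 64 * 1024                        # assumption: real configs are small

# Sample input: the Figure 8 listing, reproduced as a fixture.
FIGURE_8 = """{"DATA_URLS": ["/blog/comm", "/php/id", "/"], "ROOT_DIR": "/srv/athena",
"WEB_URLS": ["/html", "/", "/web"], "OUT_FOLDER": "OUT", "IN_FOLDER": "IN",
"HOST": "0.0.0.0", "PORT": "", "LOG_SIZE": "65536", "HTTP_ERROR_CODE": 200}"""

def triage_config(text, min_keys=7):
    """Return a finding dict if text resembles the LP config.json, else None.
    min_keys is an assumed threshold that tolerates a hand-edited file."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    present = LP_KEYS & set(doc)
    if len(present) < min_keys:
        return None
    port = str(doc.get("PORT", "")).strip()
    urls = doc.get("DATA_URLS", [])
    return {
        "missing_keys": sorted(LP_KEYS - present),
        "listener": (doc.get("HOST") or DEFAULT_HOST,
                     int(port) if port.isdigit() else DEFAULT_PORT),
        "beacon_paths": [urls] if isinstance(urls, str)
                        else (urls if isinstance(urls, list) else []),
        "root_dir": doc.get("ROOT_DIR"),  # staging tree to preserve as evidence
    }

def scan_tree(root):
    """Walk root and return {path: finding} for every matching config.json."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        path = os.path.join(dirpath, "config.json")
        if "config.json" not in files or os.path.getsize(path) > MAX_BYTES:
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            finding = triage_config(fh.read())
        if finding:
            hits[path] = finding
    return hits
```

Run `scan_tree` against a mounted disk image or a read-only copy of the web root rather than the live host, so file access times on the evidence are not altered.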