Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
(S//NF) The following injection methods have been renamed:

OLD NAME        NEW NAME   DESCRIPTION
DOUBLE_FRAME    DF         Double frame injection method
HIDDEN_IFRAME   HI         Hidden IFRAME injection method
META_REFRESH    MR         Meta refresh injection method
SURVEY_ONLY     SO         Survey only injection method
(S) SURVEY_ONLY (SO) MODE

(S//NF) The INJECTION_METHOD configuration option can be used to run the tool in a mode that collects information about a target's HTTP requests but does not attempt to perform any injection attacks. The results are stored to an AES 128-bit encrypted file with the name "msipv4.dll" (this file contains encrypted data, and is not a DLL). The file will be located in either the current directory (in the case of the Archimedes EXEs) or the user's temporary folder (%TEMP%, in the case of a fire-and-forget DLL).
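The artifact described above (a file named msipv4.dll that holds encrypted survey data and is not a real DLL) is something an incident responder can look for directly. The following is an added defensive check, not code from the original document or from the tool: it inspects the two locations the text names and flags any msipv4.dll that lacks the "MZ" signature every genuine PE/DLL begins with. The function names are my own.

```python
import os
from pathlib import Path

# Artifact from the document: "msipv4.dll" holding AES-encrypted survey data.
# A real DLL is a PE file and starts with the DOS "MZ" magic; an msipv4.dll
# without it is worth pulling for analysis.
ARTIFACT_NAME = "msipv4.dll"
PE_MAGIC = b"MZ"


def is_pe_file(path: Path) -> bool:
    """Return True if the file starts with the DOS/PE 'MZ' header."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        # Missing or unreadable file: cannot be confirmed as a PE image.
        return False


def find_suspect_survey_files(directories):
    """Check each directory (non-recursively) for a file named msipv4.dll
    that does not carry a PE header. Returns the matching paths as strings."""
    hits = []
    for directory in directories:
        candidate = Path(directory) / ARTIFACT_NAME
        if candidate.is_file() and not is_pe_file(candidate):
            hits.append(str(candidate))
    return hits


def default_locations():
    """The two drop locations the document names: the current directory
    (EXE variants) and the user's %TEMP% folder (DLL variant)."""
    locations = [os.getcwd()]
    temp = os.environ.get("TEMP") or os.environ.get("TMP")
    if temp:
        locations.append(temp)
    return locations


if __name__ == "__main__":
    for hit in find_suspect_survey_files(default_locations()):
        print(f"possible encrypted survey artifact: {hit}")
```

Run it from the working directory of a suspected Archimedes EXE, or point find_suspect_survey_files at any other directories you want covered.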
(S//NF) The file should be brought back to the operator's workstation before being decrypted using the provided Encrypter32.EXE application. For example:

Encrypter32.exe -d msipv4.dll survey.txt
(S//NF) Encrypter32.exe should be considered sensitive and should be kept in a controlled environment.

(S//NF) Produces the following SURVEY.TXT file after collecting a few requests in the lab:
USER AGENT: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)
HOST: Host: mytest.com
REQUEST: GET / HTTP/1.1
USER AGENT: User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
HOST: Host: 10.0.0.11
REQUEST: GET / HTTP/1.1
USER AGENT: User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:23.0)
Gecko/20100101 Firefox/23.0
HOST: Host: www.mytest.com
REQUEST: GET / HTTP/1.1
(S//NF) The survey results can be used to build a target host whitelist as described in the following section.

(S) HOST_WHITELIST (HW) CONFIGURATION

(S//NF) The INJECTION_METHOD (IM) configuration option can be used to run the tool in a mode that collects information about a target's HTTP requests but does not attempt to perform any injection attacks. The whitelist is specified in the configuration file as "HW=VALUES" and on the command line as "-w VALUES", where "VALUES" is a comma (",") separated list of URLs to match against. Note that quotation marks should not be used and that there