Linux-based Infrastructure
[Slide 1 diagram. Labelled nodes: Implanted Host (three instances), Proxy / Cover Server, VPN Server, DNS Server, OSN. Labelled links: SSL Session, Implanted Host VPN Network Connections.]
SECRET//NOFORN
[Slide 2 diagram: Bridge: br0.]
[Slide 3 diagram. Labelled nodes: Implanted Host 2 (eth0; target domain vhost2.edb.devlan.net), Blot / Beastbox (eth1, eth2; tap2, tap21, tap3, tap31) reached over VPN tunnels, Honeycomb Tool Handler. Legend "Blot In-bound Ports": 8001: vhost1, 44301: vhost1, 8002: vhost2, 44302: vhost2. Host addresses omitted.]
TOP SECRET//SI//NOFORN
[Slide 5 diagram. Labelled nodes: Implanted Host (eth0, eth1, each with a Gateway and a /29 address; target domain viva-rio-engracado.com), Honeycomb Tool Handler. Other labels: CentOS-5.8, 64-bit. Public and internal addresses omitted.]
Hive Operation
[Slide 8 sequence diagram between hived on the Implanted Host and hclient / cutthroat on the ICON Workstation, over an SSL Session (GENESIS). Labels in order of appearance: Listening port; TriggerListen; $ ./cutthroat ./hive; Trigger; > ilm connect <target IP>; fork_process (P, C); start_triggered_connect; TriggerCallbackSession / Call-back; StartClientSession; shell open (P, C); > shell open <client IP> <client port> <pw>; launchShell; shell.]
Raw TCP/UDP Trigger
[Slide 9 packet-layout diagram: 400 bytes, with offsets 0, 8 and 92 marked. Field labels as extracted: 8-bytes CRC; Random Data of length CRC % 200; Random PAD; 1-byte XOR value; Encoded 12-byte Trigger; 12-byte Integer; 25-byte Random Data; Random CRC; "2-"; N x 127 PAD byte; PAD. The exact field order is not recoverable from the extracted text.]
The twelve-byte trigger is encoded by XORing the 1-byte XOR value with the first five bytes of the trigger; the remaining trigger bytes are XORed with 0xB6.
The twelve-byte trigger is encoded by computing an offset of CRC % 72 into the CRC random data field and XORing each of the twelve bytes following that offset with the corresponding byte of the twelve-byte trigger payload.
Scrap slides follow
SECRET//SI//NOFORN
[Slide 11 diagram. Labelled nodes: four Implanted Hosts (architectures PowerPC, MIPSBE, x86 and sparc; interfaces eth0 or eri0), Cover Server (eth0, eth1, tun0), Blot / Beastbox (eth0, eth1, eth2, tun0; VPN tunnels), Honeycomb Tool Handler (eth0, eth1). Other labels: VLAN 65, target domains domainA.com and domainB.com, CentOS-5.9, CentOS-6.2 64-bit, CentOS-6.3 32-bit. IP and MAC addresses omitted.]
[Slide 12 diagram. Labelled nodes: five Implanted Hosts (architectures PowerPC, MIPSBE, x86 and sparc; interfaces eth0 or eri0), Cover Server (eth0, eth1 with aliases eth1:1 .11 and eth1:2 .12, tun0; CentOS-5.9), Blot / Beastbox (eth0, eth1 with alias eth1:1, eth2, tun0; VPN tunnels), Honeycomb Tool Handler (eth0, eth1). Other labels: VLAN 65, target domains domainA.com and domainB.com, CentOS-6.2 64-bit, CentOS-6.3 32-bit. IP and MAC addresses omitted.]
[Slide 13 diagram. Labelled nodes: Implanted Hosts (architectures PowerPC, MIPSBE, sparc and x86; interfaces eth0 or eri0; two labelled implant1 and implant2), Cover Server (eth0, eth1 with aliases eth1:1 .11 for domainA.com and eth1:2 .12 for domainB.com; CentOS-6.4), Nginx Proxy / SSL (eth0, eth1 with alias eth1:1), Honeycomb Tool Handler (eth0, eth1 with aliases eth1:1 .101 for domainA.com and eth1:2 .102 for domainB.com). Other labels: VLAN 65, CentOS-6.2 64-bit, CentOS-6.3 64-bit. IP and MAC addresses omitted.]
[Slide 16 diagram. Labelled nodes: Implanted Host (eth0, eth1; target domain vhost2.edb.devlan.net), Cover Server, Blot Proxy with VPN Server and Apache Server (tap2, tap21, tap3, tap31, tap32, tap4, tap41), Honeycomb Tool Handler. IP addresses omitted.]