VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN
Mar. 12, 2014
APEX VPN Phases
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123
VPN Phase 1: IKE Metadata Only (Spin 15)
- IKE packets are exfiled to TURMOIL APEX.
- APEX reconstructs/reinjects IKE packets to the TURMOIL VPN components.
- TURMOIL VPN extracts metadata from each key exchange and sends to the CES metadata database. This database is used by SIGDEV to identify potential targets for further exploitation.
VPN Phase 2: Targeted IKE Forwarding (Spin 15)
- TURMOIL VPN looks up IKE packet IP addresses in KEYCARD.
- If either IP address is targeted, the key exchange packets are forwarded to the CES Attack Orchestrator (POISON NUT) for VPN key recovery.
VPN Phase 3: Static Tasking of ESP
- HAMMERSTEIN receives static tasking to exfil targeted ESP packets.
- APEX reconstructs/reinjects ESP packets to the TURMOIL VPN components.
- TURMOIL VPN requests VPN key from CES and attempts
VPN Phase 4: Dynamic Targeting of ESP
- Based on the value returned by KEYCARD, the ESP for a particular VPN may be targeted as well.
- TURMOIL sends to HAMMERSTEIN (via TURBINE) the parameters for capturing the ESP for the targeted VPN.
APEX VoIP Phases
Phase 1: Static Tasking of VoIP (Spin 16)
- HAMMERCHANT monitors signaling and exfiltrates only targeted RTP sessions to TURMOIL.
- APEX reconstructs and bundles the voice packets into a file, attaches appropriate metadata, and delivers to PRESSUREWAVE.
- This triggers a modified analytic to prepare the for corporate delivery.
Phase 2: Call Survey
- HAMMERCHANT monitors signaling and exfiltrates all call signaling metadata to TURMOIL.
- APEX inserts call signaling metadata into an ASDF record and publishes it to the AsdfReporter component for target SIGDEV.
Phase 3: Dynamic Targeting of
- HAMMERSTEIN captures/exfils all signaling
- APEX reconstructs/reinjects the signaling to the TURMOIL components.
- extracts call metadata and sends to checks KEYCARD for hits.
- If called/calling party is targeted for active exfil, then TURMOIL sends to HAMMERSTEIN (via TU the parameters to capture the targeted session.
Implementation of Phase 2 and 3 will be driven by mission need.
- Phase 3 leverages all TURMOIL signaling protocol processors to expand beyond SIP and H.323 (e.g. Skype) without additional development on the implant.
[Diagram: VPN exploitation data flow. Recoverable labels: Key exchange; FASHIONCLEFT Wrapped Exfil; Look Up IP Address For Content Targeting; Socket Connection, IKE Exchanges; Socket Connection, Key Requests/Responses; IKE Full take Metadata (Files); Selected; Full take; metadata repository; Management.]
[Diagram: APEX VoIP Exploitation. Recoverable labels: VoIP Signaling; FASHIONCLEFT Wrapped Exfil; Targeted VoIP Content; NSA Net; VINCE Voice Repository.]