
VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN

Mar. 12 2014 — 1:00p.m.


TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

APEX VPN Phases

VPN Phase 1: IKE Metadata Only (Spin 15)
- IKE packets are exfiled to TURMOIL APEX.
- APEX reconstructs/reinjects IKE packets to the TURMOIL VPN components.
- TURMOIL VPN extracts metadata from each key exchange and sends to the CES metadata database. This database is used by SIGDEV to identify potential targets for further exploitation.

VPN Phase 2: Targeted IKE Forwarding (Spin 15)
- TURMOIL VPN looks up IKE packet IP addresses in KEYCARD.
- If either IP address is targeted the key exchange packets are forwarded to the CES Attack Orchestrator (POISON NUT) for VPN key recovery.

VPN Phase 3: Static Tasking of ESP
- HAMMERSTEIN receives static tasking to exfil targeted ESP packets.
- APEX reconstructs/reinjects ESP packets to the TURMOIL VPN components.
- TURMOIL VPN requests VPN key from CES and attempts

VPN Phase 4: Dynamic Targeting of ESP
- Based on the value returned by KEYCARD, the ESP for a particular VPN may be targeted as well.
- TURMOIL sends to HAMMERSTEIN (via TURBINE) the parameters for capturing the ESP for the targeted VPN.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR,

APEX VoIP Phases

Phase 1: Static Tasking of VoIP (Spin 16)
- HAMMERCHANT monitors signaling and exfiltrates only targeted RTP sessions to TURMOIL.
- APEX reconstructs and bundles the voice packets into a file, attaches appropriate metadata, and delivers to PRESSUREWAVE.
- This triggers a modified analytic to prepare the for corporate delivery.

Phase 2: Call Survey
- HAMMERCHANT monitors signaling and exfiltrates all call signaling metadata to TURMOIL.
- APEX inserts call signaling metadata into an ASDF record and publishes it to the AsdfReporter component for target SIGDEV.

Phase 3: Dynamic Targeting of
- HAMMERSTEIN captures/exfils all signaling
- APEX reconstructs/reinjects the signaling to the TURMOIL components.
- extracts call metadata and sends to checks KEYCARD for hits.
- If called/calling party is targeted for active exfil, then TURMOIL sends to HAMMERSTEIN (via TU the parameters to capture the targeted session.

Implementation of Phase 2 and 3 will be driven by mission need.
- Phase 3 leverages all TURMOIL signaling protocol processors to expand beyond SIP and H.323 (e.g. Skype) without additional development on the implant.

[Diagram: VPN exploitation data flow. Recoverable labels: Key exchange; FASHIONCLEFT Wrapped Exfil; Look Up IP Address For Content Targeting; Socket Connection; IKE Exchanges; Key Requests/Responses; IKE Full take Metadata (Files); Selected Full take metadata repository; Management.]

[Diagram: APEX VoIP Exploitation. Recoverable labels: VoIP Signaling; FASHIONCLEFT; Targeted VOIP Content; Wrapped Exfil; NSA Net; VINCE Voice Repository.]
