
JTRIG Tools and Techniques

Jul. 14 2014 — 4:21p.m.


TOP SECRET COMINT. The maximum classification allowed on GCWiki is TOP SECRET COMINT.

This page was last modified on 5 July 2012, at 13:05. This page has been accessed 19,579 times.

JTRIG tools and techniques
(Redirected from JTRIG CITD - Covert Internet Technical Development)

JTRIG tools

Contents
1 JTRIG tools
1.1 Understanding this page
1.2 Current Priorities
1.2.1 Engineering
1.2.2 Collection
1.2.3 Effects Capability
1.2.4 Work Flow Management
1.2.5 Analysis Tools
1.2.6 Databases
1.2.7 Forensic Exploitation
1.2.8 Techniques
1.2.9 Shaping and Honeypots

We don't update this page anymore, it became somewhat of a Chinese menu for effects operations. Information is now available for JTRIG staff at

Understanding this page

Tools and techniques are developed by various teams within JTRIG. We like to let people know when we have something that we think we can use, but we also don't want to oversell our capability. For this reason, each tool indicates its current status. We may put up experimental tools or ones that are still in development so you know what we are working on, and can approach JTRIG with any new ideas. But experimental tools by their nature will be unreliable; if you raise expectations or make external commitments before speaking to us you will probably end up looking stupid. Most of our tools are fully operational, tested and reliable. We will indicate when this is the case; however, there can be reasons why our tools won't work for some operational requirements (e.g. if a tool exploits a provider-specific vulnerability). There may also be legal restrictions. So please come and speak to JTRIG operational staff early in your operational planning process.

Current Priorities

Capability Development Priorities can be found by following the link below: CapDev Priorities (Discover)

Engineering

Tool: Description
Cerberus Statistics Collection: Collects on-going usage information about how many users utilise UIA capability, what sites are the most frequently visited etc. This is in order to provide JTRIG infrastructure and IT Services management information statistics.
JTRIG RADIANT SPLENDOUR: is a 'Data Diode' connecting the CERBERUS network with GCNET.
ALLIUM ARCH: JTRIG UIA via the Tor network.
ASTRAL PROJECTION: Remote GSM secure covert internet proxy using TOR hidden services.
TWILIGHT ARROW: Remote GSM secure covert internet proxy using VPN services.
SPICE ISLAND: new Infrastructure. FOREST WARRIOR, FRUIT BOWL, JAZZ FUSION and other JTRIG systems will form part of the SPICE ISLAND infrastructure.
POISON ARROW: Safe Malware download capability.
FRUIT BOWL: CERBERUS UIA Replacement and new tools infrastructure. Primary Domain for Generic User/Tools Access and TOR, split into 3 sub-systems.
NUT ALLERGY: JTRIG Torweb browser - Sandbox IE replacement and FRUIT BOWL sub-system.
BERRY TWISTER: A sub-system of FRUIT BOWL.
BERRY BRANDY SNAP: A sub-system of FRUIT BOWL.
WIND FARM: JTRIG UIA contingency at Scarborough offsite facility.
CERBERUS: legacy UIA desktop, soon to be replaced with FOREST WARRIOR.
BOMBAY ROLL: legacy UIA standalone capability.
JAZZ FUSION: BOMBAY ROLL Replacement which will also incorporate new collectors - Primary Domain for Dedicated Connections, split into 3 sub-systems.
COUNTRY FILE: A sub-system of JAZZ FUSION.
TECHNO VIKING: A sub-system of JAZZ FUSION.
JAZZ BUMBLEBEE DANCE: A sub-system of JAZZ FUSION.
AIR BAG: JTRIG Operational architecture.
EXPOW: JTRIG Laptop capability for field operations.
AXLE GREASE: GCHQ's UIA capability provided by JTRIG.
POD RACE: The covert banking link for CPG.
WATCHTOWER: MS update farm.
GCNET CERBERUS Export Gateway Interface System
CERBERUS GCNET Import Gateway Interface System
External Internet Redial and Monitor Daemon
REAPER
FOREST WARRIOR: Desktop replacement for CERBERUS.
DOG HANDLER: development network.
DIRTY DEVIL: research network.
Status column, in row order as extracted (alignment with the tool rows is not recoverable): OPERATIONAL, OPERATIONAL, OPERATIONAL, OPERATIONAL, OPERATIONAL, DEV, DESIGN, DESIGN, IMPLEMENTATION, DESIGN, OPERATIONAL, OPERATIONAL, IMPLEMENTATION, OPERATIONAL, DESIGN, DESIGN, OPERATIONAL, OPERATIONAL, OPERATIONAL, OPERATIONAL, DESIGN, OPERATIONAL, OPERATIONAL, OPERATIONAL, DESIGN, DESIGN, DESIGN.
Contacts: JTRIG Software Developers; JTRIG Infrastructure Team.

Collection

Tool: Description
AIRWOLF: YouTube profile, comment and video collection.
ANCESTRY: Tool for discovering the creation date of Yahoo selectors.
BEARTRAP: Bulk retrieval of public BEBO profiles from member or group ID.
BIRDSONG: Automated posting of Twitter updates.
(tool name not legible): Twitter monitoring and profile collection. Click here for the User Guide.
BUGSY: Google+ collection (circles, profiles etc.)
DANCING BEAR: obtains the locations of WiFi access points.
DEVILS HANDSHAKE: ECI Data Technique.
SNOUT: Paltalk group chat collection.
EXCALIBUR: acquires a Paltalk UID and/or email address from a Screen Name.
FAT YAK: Public data collection from LinkedIn.
FUSEWIRE: Provides 24/7 monitoring of vBulletin forums for target postings/online activity. Also allows staggered postings to be made.
GLASSBACK: Technique of getting a target's IP address by pretending to be a spammer and ringing them. Target does not need to answer.
GODFATHER: Public data collection from Facebook.
GOODFELLA: Generic framework for public data collection from Online Social Networks.
HACIENDA: is a port scanning tool designed to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to ONE and is available through GLOBAL SURGE and Fleximart.
ICE: is an advanced IP harvesting technique.
INSPECTOR: Tool for monitoring domain information and site availability.
LANDING PARTY: Tool for auditing dissemination of VIKING PILLAGE data.
Status column, in row order as extracted (alignment with the tool rows is partly lost): Beta release. Fully Operational. Fully Operational. Decommissioned, replaced by SYLVESTER. Fully Operational. In early development. Fully Operational. Fully Operational. Beta release. Fully operational (against current Paltalk version). In development. Fully operational. Fully operational. In Development (Supports RenRen and Xing). Fully operational. Fully Operational. Fully Operational.
Contacts: JTRIG Software Developers (Tech Lead and Expert User names not legible).

MINIATURE HERO: Active Skype capability. Provision of real time call records (SkypeOut and Skype-to-Skype) and bidirectional instant messaging. Also contact lists.
MOUTH: Tool for collection for downloading a user's files from Archive.org.
MUSTANG: provides covert access to the locations of GSM cell towers.
PHOTON TORPEDO: A technique to actively grab the IP address of an (illegible) messenger user.
RESERVOIR: Facebook application allowing collection of various information.
SEBACIUM: An ICTR developed system to identify P2P file sharing activity of intelligence value. Logs are accessible via DIRTY RAT.
SILVER SPECTER: Allows batch Nmap scanning over TOR.
SODAWATER: A tool for regularly downloading Gmail messages and forwarding them onto mailboxes.
SPRING BISHOP: Find private photographs of target on Facebook.
SYLVESTER: Framework for automated interaction alias management on online social networks.
TANNER: A technical programme allowing operators to log on to a JTRIG website to grab IP addresses of Internet Cafes.
TRACER FIRE: An Office Document that grabs the target's Machine info, files, logs, etc and posts it back to GCHQ.
VIEWER: A programme that (hopefully) provides advance tip off of the kidnappers' IP address for HMG personnel.
VIKING PILLAGE: Distributed network for the automatic collection of data from remotely hosted JTRIG projects.
TOP HAT: A version of the MUSTANG and DANCING BEAR techniques that allows us to pull back Cell Tower and WiFi locations targeted against particular areas.
Status column, in row order as extracted (alignment with the tool rows is partly lost): Fully operational, but note usage restrictions. Fully Operational. Fully Operational. Operational, but usage restrictions. Fully operational, but note operational restrictions. In Development. Fully Operational. In Development. Replaced by HAVOK. In Development. Operational, but awaiting field (illegible). Operational. In development.
Contacts: JTRIG Software Developers (Tech Lead and Expert User names not legible).

Effects Capability

JTRIG develop the majority of effects capability in GCHQ. A lot of this capability is developed on demand for specific operations and then further developed to provide weaponised capability. Don't treat this like a catalogue. If you don't see it here, it doesn't mean we can't build it. If you involve the JTRIG operational teams at the start of your operation, you have more of a chance that we will build something for you. For each of our tools we have indicated the state of the tool. We only advertise tools here that are either ready to fire or very close to being ready (operational requirements would re-prioritise our development). Once again, involve the JTRIG operational teams early.

Tool: Description
ANGRY PIRATE: is a tool that will permanently disable a target's account on their computer.
ARSON SAM: is a tool to test the effect of certain types of PDU SMS messages on phones network. It also includes PDU SMS Dumb Fuzz testing.
(tool name not legible): is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other material. The technique employs the services provided by upload providers to report offensive materials.
BOMB BAY: is the capability to increase website hits/rankings.
BADGER: mass delivery of email messaging to support an Information Operations campaign.
BURLESQUE: is the capability to send spoofed SMS text messages.
CANNONBALL: is the capability to send repeated text messages to a single target.
CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.
CLUMSY BEEKEEPER: Some work in progress to investigate IRC effects.
CHINESE FIRECRACKER: Overt brute login attempts against online forums.
CONCRETE DONKEY: is the capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.
DEER STALKER: Ability to aid geolocation of Sat Phones / GSM Phones via a silent calling to the phone.
GATEWAY: Ability to artificially increase traffic to a website.
GAMBIT: Deployable pocket-sized proxy server.
GESTATOR: amplification of a given message, normally video, on popular multimedia websites (YouTube).
GLITTERBALL: Online Gaming Capabilities for Sensitive Operations. Currently Second Life.
IMPERIAL BARGE: For connecting two target phones together in a call.
PITBULL: Capability, under development, enabling large scale delivery of a tailored message to users of Instant Messaging services.
POISONED DAGGER: Effects against Gigatribe. Built by ICTR, deployed by JTRIG.
Status column, in row order as extracted (alignment with the tool rows is partly lost): Ready to fire (but see target restrictions). Ready to fire (Not against live targets, this is a Test Tool). Ready to fire. In Development. Ready to fire. Ready to fire. Ready to fire. Ready to fire (SIGINT sources required). NOT READY TO FIRE. Ready to fire. In development. Ready to fire. Ready to fire. In development. In development. Tested. In development.
Contacts: JTRIG Software Developers (Tech Lead and Expert User names not legible).

PREDATORS FACE: Targeted Denial Of Service against Web Servers.
ROLLING THUNDER: Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG.
SCARLET EMPEROR: Targeted denial of service against targets phones via call bombing. Ready to fire.
SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets. Ready to fire (see constraints).
SERPENTS TONGUE: Fax message broadcasting to multiple numbers. In development.
SILENT MOVIE: Targeted denial of service against SSH services. Ready to fire.
SILVERBLADE: Reporting of extremist material on DAILYMOTION. Ready to fire.
SILVERFOX: List provided to industry of live extremist material files hosted on FFUs. Ready to fire.
SILVERLORD: Disruption of video-based websites hosting extremist content through concerted target discovery and content removal. Ready to fire.
(tool name not legible): Production and dissemination of multimedia via the web in the course of information operations. Ready to fire. Contacts: Section Expert Users, Language Team.
SLIPSTREAM: Ability to inflate page views on websites. Ready to fire.
STEALTH MOOSE: is a tool that will Disrupt target's Windows machine. Logs of how long and when the effect is active. Ready to fire (but see target restrictions).
SUNBLOCK: Ability to deny functionality to send/receive email or view material online. Tested, but operational limitations.
SWAMP DONKEY: is a tool that will silently locate all predefined types of file and (verb illegible) them on a target's machine. Ready to fire (but see target restrictions).
TORNADO ALLEY: is a delivery method (Excel Spreadsheet) that can silently extract and run an executable on a target's machine. Ready to fire (but see target restrictions).
UNDERPASS: Change outcome of online polls (previously known as NUBILO). In development.
VIPERS TONGUE: is a tool that will silently Denial of Service calls on a Satellite Phone or a GSM Phone. Ready to fire (but see target restrictions).
WARPATH: Mass delivery of SMS messages to support an Information Operations campaign. Ready to fire.
Contacts: Tech Lead and Expert User (names not legible); JTRIG Software Developers.

Work Flow Management

Tool: Description
HOME PORTAL: A central hub for all JTRIG Cerberus tools.
CYBER COMMAND CONSOLE: A centralised suite of tools, statistics and viewers for tracking current operations across the Cyber community.
NAMEJACKER: A web service and admin console for the translation of usernames between networks. For use with gateways and other such technologies.
Contacts: JTRIG Software Developers.

Analysis Tools

Tool: Description
BABYLON: is a tool that bulk queries web mail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. Verification can currently be done for Hotmail and Yahoo.
CRYOSTAT: is a JTRIG tool that runs against data held in NEWPIN. It then displays this data in a chart to show links between targets.
ELATE: is a suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk). These tools are hosted on an Internet server, and results are retrieved by email.
PRIMATE: is a JTRIG tool that aims to provide the capability to identify trends in seized computer media data and metadata.
JEDI: JTRIG will shortly be rolling out a JEDI pod to every desk of every member of an Intelligence Production Team. The challenge is to scale up to over 1,200 users whilst remaining agile, efficient and responsive to customer needs.
JILES: is a bespoke web browser.
MIDDLEMAN: is a distributed real time event aggregation, tip off and tasking platform utilised by JTRIG as a middleware layer.
OUTWARD: is a collection of DNS lookup, WHOIS lookup and other network tools.
TANGLEFOOT: is a bulk search tool which queries a set of online resources. This allows one to quickly check the online presence of a target.
SLAMMER: is a data index and repository that provides the ability to query data collected from the Internet from various JTRIG sources, such as EARTHLING, HACIENDA, web pages saved by (tool name not legible), etc.
Contacts: JTRIG Software Developers (Tech Lead and Expert User names not legible).

Databases

Tool: Description
BYSTANDER: is a categorisation database accessed via web service.
CONDUIT: is a database of C2C identifiers for Intelligence Community assets acting online either under alias or in real name.
NEWPIN: is a database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data.
QUINCY: is an enterprise level suite of tools for the exploitation of seized media.
Contacts: JTRIG Software Developers (Tech Lead and Expert User names not legible).

Forensic Exploitation

Tool: Description
BEARSCRAPE: can extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box.
SFL: The Sigint Forensics Laboratory was developed within NSA. It has been adapted by JTRIG as its email extraction and first-pass analysis of seized media solution.
Snoopy: is a tool to extract mobile phone data from a copy of the phone's memory (usually supplied as an image file extracted through FTK).
MobileHoover: is a tool to extract data from field forensics' reports created by Celldek, Cellebrite, XRY, Snoopy and USIM detective. These reports are transposed into a Newpin XML format to upload to Newpin.
News: is a tool developed by NTAC to search disk images for signs of possible (illegible) products. CMA have further developed this tool to look for signs of Steganography.
Contacts: Tech Lead and Expert User (names not legible).

Techniques

Tool: Description
CHANGELING: Ability to spoof any email address and send email under that identity.
HAVOK: Real-time website cloning technique allowing on-the-fly alterations.
MIRAGE
SHADOWCAT: End-to-End access to a VPS over SSH using the TOR network.
SPACE ROCKET: is a programme covering insertion of media into target networks.
CRINKLE CUT: is a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACE ROCKET.
RAMA: is a system developed by ICTR (text illegible) CAPTCHA via a web service on CERBERUS. This is intended for use by (illegible) and possibly in future by SHORTFALL, but anyone is welcome to use it.
LUMP: A system that finds the avatar name from a SecondLife AgentID.
GURKHAS SWORD: Beaconed Microsoft Office Documents to elicit a target's IP address.
Contacts: JTRIG (team name not legible); JTRIG Software Developers (Tech Lead and Expert User names not legible).

Shaping and Honeypots

Tool: Description
DEADPOOL: URL shortening service.
HUSK: Secure one-to-one web based dead-drop messaging platform.
LONGSHOT: File-upload and sharing website.
MOLTEN-MAGMA: CGI HTTP Proxy with ability to log all traffic and perform Man in the Middle.
(tool name not legible): Public online group against dodgy websites.
PISTRIX: Image hosting and sharing website.
WURLITZER: Distribute a file to multiple file hosting websites.
Contacts: JTRIG (team name not legible); JTRIG Software Developers.

Category: JTRIG

Crown Copyright 2008 or is held under licence from third parties. This information is exempt under the Freedom of Information Act and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on
