S3285/InternProjects - Wikilnfo The accredited security level of this system is: TOP SECRET//SI-GAMMA/TALENT KEYHOLE//ORCON/PROPIN/RELIDO/REL TO USA, FVEY * TOP SECRET//SI//REL T0 USA, FVEY (U) S3285/InternProjects TOP SECRET//SI//REL TO USA, FVEY From Wikilnfo < S3285 Jump to: navigation. search (TS//SI//REL) This page contains ideas about possible future projects for the Persistence Division. Contents 0 1 (TS//SI//REL) CNA Team POLITERAIN o 1.1 (U) PASSIONATEPOLKA 1.2 ) AR YLEALIEN o 1.3 (U) BARNFIRE 0 2 (U) Hard Drive Recoverv 0 3 (U) IRATEMONK o 3.1 (TS//SI//REL) SSD SuDDort O 3.2 (TS//SI//REL) Covert Storaae Product 0 3.3 (U/(FOUO) SADDLEBACK o 3.4 (U//FOUO) ALTEREDCARBON Sumaort o 3.5 (U//FOUO) FAKEDOUBT Support 0 3.6 U/ FOUO PLUCKHAGEN Su ort o 3.7 (U//FOUO) EASYKRAKEN Support 0 3.8 (TS /SI/ REL) USB Hard Drive Persistence 0 3.9 (TS /SI/ REL) IRATEMONK on Server RAID S stems o 3.10 (U//FOUO) Enhancrnent of testinq capabilities o 3.11 (TS//SI//REL) Self—Encrv tino—Drive SED) Persistence 0 4 (TS//SI//REL) OS Execution o 4.1 (U//FOUO) CASTLECRASHER 0 4.2 (TS//SI//REL) Alternate Windows Execution Technique 0 4.3 (TS /SI/ REL) Mac OSX Execution Techni ue 0 5 (U) SIERRAMIST/IUMPDOLLAR o 5.1 (U) Extensibilitv Annlication 0 5.2 U) MOPNGO A lication 0 5.3 (TS//SI//REL) NTFSD DOS Driver 0 5.4 (U) Full Featured Shell 0 5.5 (TS[[SI[[REL) Windows Registry Readzwrite Capability o .6 (T ‘// ‘I//REL) EFI M dule 1of13 S3285/InternProjects - Wikilnfo o 5.7 (TSZZSIZZREL) Linux Ap_p 0 5.8 (TS//SI//REL) File Svstem Support I 5.8.1 (TS//SI//REL) BTRFS I 5.8.2 (TS//SIZ/REL) LVM I 5.8.3 (TS//SI//REL) EXT4 I 5.8.4 (TS//SI//REL) UFS/ZFS 0 6 (U//FOUO) BERSERKR 0 7 (U//FOUO) GOPHERRAGE 0 8 (U//FOUO) Windows Tools 0 8.1 (_U/ FOUO) WISTFULTOLL o 8.2 (U//FOUO) CENTRICDUD 0 8.3 (U FOUO) STYLISHCHAMP 0 9 (U[[EOU0) Network Infrastructure [edit] (TS//SI//REL) CNA Team POLITERAIN (TS//SI//REL FVEY) TAO/ATO Persistence POLITERAIN(CNA) team is looking for interns who want to break things. We are tasked to remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware using low—level programming. It would be expected that our interns would learn to: 0 (U//FOUO) Write drivers for LINUX, Windows, Solaris, or Apple OS. 0 (U//FOUO) Use SVN in a group environment. o (TS//SI//REL) Reverse engineer embedded systems 0 (TS//SI//REL) Deliver code that conforms to Op—sec and deniability reguirements. 0 (TS//SI//REL) Recover eguipment that has been attacked. 0 (U//FOUO) Work with multiple SME’s to build something unigue. I (TS//SI//REL) Developing an attacker's mind set. (TS//SI//REL FVEY) POLITERAIN always has a backlog of smaller attacks than those listed below that need to be productized. We are also always open for ideas but our focus is on firmware, BIOS, BUS or driver level attacks. The projects below an intern could be expected to produce results in 4-6 months. Most of the projects are unique enough to allow for results to be briefed or published in a classified venue. [edit] (U) PASSIONATEPOLKA (TS//SI//REL FVEY)We have discovered a way that may be able to remotely brick network cards. We need someone to perform research and develop a deployable tool. Intern would have access to driver level developers, mentors 2of13 S3285/InternProjects - Wikilnfo Sc SMES but would own the project and be responsible for it. [edit] (U) ARGYLEALIEN (TS//SI//REL FVEY)There is a security feature built into many modern hard-drives that allows for zeroization. We want to use this feature to cause the loss of data. Intern would be working closely with a POLITERAIN engineer to develop a solution that would work on multiple vendors leveraging Persistence divisions SIVIES, investigating via experimentation. Intern would learn about hard—drive recovery, reverse engineering, hard—drive architecture and much more. [Q] (U) BARNFIRE (TS//SI//REL FVEY)This attack effort will erase the BIOS on a brand of servers that act as a backbone to many rival governments. An intern working on this project would need to be a *nix expert with experience with low—level development experience of multiple types and reverse engineering experience. Intern would be working and learning from SMEs during this development. First tour interns would not be considered for this project. [edit] (U) Hard Drive Recovery (TS//SI//REL FVEY) When someone really needs the information off of a damaged hard drive, they call Persistence. This would be a unique tour learning from a world—class expert how to fix hardware and firmware problems. You would be working on targets, extracting data, troubleshooting hardware, rebuilding SCSI arrays, and using analytical engineering skill to produce real collection. Position requires good hearing for some of the troubleshooting. Intern should know how to solder. [edit] (U) IRATEMONK [edit] (TS//SI//REL) SSD Support (TS//SI//REL) Integrate SSD research into IRATEMONK products. This will involve 4 different parts: I (TS//SI//REL) Leveraging research to create ARM—based SSD implant. This works involves reverse engineering SSD firmware and creating C and ARM assembly code to place inside of a firmware image to implement the IRATEMONK algorithm. 0 (TS//SI//REL) Create version of the IMBIOS code that supports the SSD implant. This code runs on the x86 host and involves writing both C and 30f13 S3285/InternProjects - Wikilnfo x86 assembly. This work will involve interacting with the firmware implant as well as the code that IMBIOS bootstraps (SIERRAMIST). 0 (TS//SI//REL) Add support for the SSD to WICKEDVICAR. WICKEDVICAR is the remote tool used to perform remote survey and installation. This code is C++ and will involve interacting with the firmware implant from a Windows OS. 0 (TS//SI//REL) Add the SSD vendor support to the IRATEMONK firmware and implant database tool. This code is mostly python code that interacts with a drive via a Linux driver. (TS//SI//REL) The SSD support for IRATEMONK project currently offers the greatest variety of new work that an intern might be able to do. [edit] (TS//SI//REL) Covert Storage Product (TS//SI//REL) Create a covert storage product that is enabled from a hard drive firmware modification. The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes say half of its available space. It would report this size back to the operating system and not provide any way to access the additional space. The firmware would have a special hook inside of it that on receipt of some custom ATA command, it would "unlock" the rest of the drive on the next boot of the drive. When covert storage is locked, only 1 partition would be present on the drive. When unlocked, the firmware would fix up the partition table to account for the second hidden partition whose space is now available on the drive. When finished with covert storage, a special command can be sent back to the drive that will lock the drive again. On the next boot, the firmware will hide the extra space and fix up the partition table so only 1 partition exists. [edit] (U//FOUO) SADDLEBACK (TS//SI//REL) Utilizing a hard drive's serial port, create a firmware implant that has the ability to pass to and from an implant running in the operating system. In practice, the serial port will be connected to a short hop radio that can communicate with another radio in a system. Doing a firmware modification eliminates the need to tap the SATA bus as was done on other versions of SADDLEBACK. Performing firmware modification will allow for a smaller SADDLEBACK in the form of a laptop drive as opposed to the current version which only comes in a a 3.5 inch version. [edit] (U//FOUO) ALTEREDCARBON Support (TS//SI//REL) Develop IRATEMONK implants for the newest Seagate drives including their hybrid drive products. This work will primarily be a reverse engineering effort, but if successful will require updates to both IMBIOS (x86 code, C and assembly), WICKEDVICAR (x86, C++), and SPITEFULANGEL 4of13 S3285/InternProjects - Wikilnfo (python). [edit] (U//FOUO) FAKEDOUBT Support (TS//SI//REL) Create an IRATEMONK implementation for ARM—based Hitachi drives. This includes a firmware implant, IMBIOS code, and WICKEDVICAR and SPITEFULANGEL support. [edit] (U//FOUO) PLUCKHAGEN Support (TS//SI//REL) Create an IRATEMONK implementation for ARM—based Fujitsu drives. This includes a firmware implant, IMBIOS code, and WICKEDVICAR and SPITEFULANGEL support. [edit] (U//FOUO) EASYKRAKEN Support (TS//SI//REL) Add more drive support for ARM—based Samsung drives. [edit] (TS//SI//REL) USB Hard Drive Persistence (TS//SI//REL) Develop a capability to install a hard drive implant on a USB hard drive. Since external hard drives are not normally boot from, the new implant will need to be an improved version of MADBISHOP so the hard drive implant will have the ability to manipulate the file system of the drive inside of the firmware itself. Development would consist of 3) main development areas: I (TS//SI//REL) Reliable, robust, and portable NTFS C code. Other file systems could also be looked into such as FAT, EXT2, etc. I (TS//SI//REL) Hard drive implant I (TS//SI//REL) Remote installation over USB [emit] (TS//SI//REL) IRATEMONK on Server/RAID Systems (TS//SI//REL) Investigate the feasibility of developing a hard drive persistence implant for Server/RAID systems. This will primarily involve investigating what ATA commands are allowed through various RAID controllers. Also, coming up with a scheme to handle different RAID configurations will be needed since the data on the drives will differ depending on the the RAID setup. It will be important to examine how RAID controllers interact the drives and where data (especially the MBR) is stored. If feasible, this investigation could lead to the extension of IRATEMONK—type 5of13 S3285/InternProjects - Wikilnfo hard drive implants into server spaces which provide increased covert storage and the capability to keep persistence logs which currently aren't available on BIOS only techniques. [edit] (U//FOUO) Enhancment of testing capabilities (TS//SI//REL) IRATEMONK makes use of ROGUE SAMURAI and actual hardware to perform its testing. The downside of testing with actual hardware is that testing takes many hours/days to complete. Someone with the right level of test development experience can help to improve the current IRATEMONK testing strategy. [edit] (TS//SI//REL) Self-Encrypting-Drive (SED) Persistence (TS//SI//REL) SED drives provide additional security measures which often thwart IRATE MONK developer efforts to modify the firmware on these drives. I highly skilled intern with reverse engineering skills and understanding of security in computing systems would be invaluable in tackling one of the persistence divisions more difficult problems. [edit] (TS//SI//REL) OS Execution (TS//SI//REL) While a lot of work in the Persistence Division involves modifying firmware, there is still a large need for OS kernel and user-mode expertise. The firmware modification done at the lowest levels of hardware needs a way to obtain execution inside of a running OS so that a DNT payload can be either given execution or installed. [edit] (U//FOUO) CASTLECRASHER (TS//SI//REL) CASTLE CRASHER is the primary technique used in executing DNT Windows payloads from all payload persistence techniques (i.e. IRATEMONK and SIERRAMISTFREE). It is all Windows native mode code built using Visual Studio. CASTLECRASHER has many advanced techniques in it including thread injection and anti—stack backtracing. In many cases, CASTLECRASHER is closer to the DNT style kernel work than it is to traditional Persistence work. While the current version is quite robust, there are several features that need to be added: I (TS//SI//REL) Currently CASTLECRASHER doesn't work against systems with .360 Safe installed. We need to find a way around this even if it involves using the older Windows service method of execution. This 6of13 S3285/InternProjects - Wikilnfo will more than likely require a refactoring of how the configuration data of CASTLECRASHER is stored. I (TS//SI//REL) Develop an automated test suite using the Persistence Division's ROGUESAMURAI test framework to provide more robust testing for this important project. [edit] ("ES//SI//REL) Alternate Windows Execution Technique (TS//SI//REL) Currently, CASTLECRASHER is the only production quality Windows execution technigue that Payload Persistence technigues have. Another mechanism to execute DNT payloads is needed. Most pre—boot Persistence techniques only have the ability to influence an OS through modifications to the target file system. Work needs to be done to investigate other ways to get execution inside of Windows. This work will start looking at other techniques that have been provided to the Persistence Division from other partners. The feasibility of these techniques should be assessed. If feasible, the technique should be productized into a deployable solution. [edit] (TS//SI//REL) Mac OSX Execution Technique (TS//SI//REL) Research needs to be done to investigate different ways that a pre—boot Persistence technique that can modify the target file system can get execution inside of OSX. Maybe start—up scripts can be modified or special files can be added that will get executed. In order for Payload Persistence to work against OSX, a execution technique is needed. [e_clitl (U) SIERRAMIST/JUMPDOLLAR [edit] (U) Extensibility Application (TS//SI//REL) Create a new extensibility application that checks for a file on the file system that it will run to update the SIERRAMIST partition. This application would replace the current one and would have list of configurable file paths to check. This could be written for both SIERRAMIST and JUMPDOLLAR. Create a ROGUE SAMURAI test suite to test all aspects of this app. [edit] (U) MOPNGO Application 7of13 S3285/InternProjects - Wikilnfo (TS//SI//REL) Update the MOPNGO application to remove the buffer overflow issue it has when more than 512 characters are configured. Also, port this application to JUMPDOLLAR. Create a ROGUESAMURAI test suite to test the application. Look into creating unit tests as well. [edit] (TS//SI//REL) NTFSD DOS Driver (TS//SI//REL) The MX team has requested an upgrade of their NTF SD DOS driver for their DOS—based thumb drives used in interdiction deployments. The newest FSM should be compiled into a DOS driver for their use. This problem will be solved with the creation of a MKUSB utility for JUMPDOLLAR. [edit] (U) Full Featured Shell (TS//SI//REL) A full featured shell should be written (particularly for JUMPDOLLAR). The ability to run scripts and have some sort of flow control logic would be desirable. This could eventually be used by the MX team as a means to deploy implants. They have expressed a desire to have one environment that can work on a Mac, Linux, or a Windows machine. Provided we have the file system support, this could eventually provide them what they want. [edit] (TS//SI//REL) Windows Registry Read/Write Capability (TS//SI//REL) Create the ability from SIERRAMIST/JUMPDOLLAR to be able to read and write the Windows registry. This will provide new capability to apps to do a whole host of new things. It may be possible to install VALIDATOR manually instead of relying on its installers. This work may also allow some IT Geo applications as well if we can tweak some keys. [edit] (TS//SI//REL) EFI Module (TS//SI//REL) Build an EFI module out of SIERRAMIST/JUMPDOLLAR apps that can be loaded via normal EFI mechanisms including an EFI shell. This is similar to what Sandia can do with their MOUSETRAP implant. This work could provide a new mechanism to achieve persistence and might prove to be easier than current patching techniques. [flit] (TS//SI//REL) Linux App (TS//SI//REL) Rewrite the Linux App to be configurable and add logging into it for use with IRATEMONK. Integrate build into BORGERKING. Investigate 8of13 S3285/InternProjects - Wikilnfo whether or not ROGUESAMURAI can be used to test. [edit] (TS//SI//REL) File System Support (TS//SI//REL) The following file systems need support by SIERRAMIST/JUMPDOLLAR: [edit] (TS//SI//REL) BTRFS (TS//SI//REL) This file system is slated to become the default in Fedora Core 17 or 18. Work can begin on supporting this now, however. This is applicable primarily for JUMPDOLLAR, but maybe SIERRAMIST as well. leditl (TS//SI//REL) LVM (TS//SI//REL) Back port changes of the LVM code in _]UMPDOLLAR's EXT4 FSM to SIERRAMIST's EXT3. [edit] (TS//SI//REL) EXT4 (TS//SI//REL) Back port JUMPDOLLAR's EXT4 FSM to SIERRAMIST. [edit] (TS//SI//REL) UFS/ZFS (TS//SI//REL) Create UFS and ZFS FSMS for_]UMPDOLLAR. [edit] (U//FOUO) BERSERKR (TS//SI//REL) BERSERKR is a persistent backdoor that is implanted into the BIOS and runs from SMM. Although the core of the code is stable, there are always new requirements against which to develop. This includes new network interface card parasitic drivers as well as applications. (TS//SI//REL) Some notable applications that need development: I (TS//SI//REL) KIRKBOMB ~- Windows kernel examination to detect loaded drivers, running processes as well. There is a prototype which works on Windows 7, this needs to work on XP and 2008 including 64-bit systems. I (TS//SI//REL) SODAPRESSED — Linux application persistence. Given a running installation of Linux, install some application or inject something into memory which will. This currently works on certain versions of Linux without SELinux enabled. (TS//SI//REL) There may also be requirements in the near future for: 9of13 S3285/InternProjects - Wikilnfo I (TS//SI//REL) BENTWHISTLE — A collection tool that runs from BERSERKR. (TS//SI//REL) BERSERKR is often looking to expand its target support. A big way this is done is via adding network card support. Currently, BERSERKR does not support any wireless network cards. [edit] (U//FOUO) GOPHERRAGE (TS//SI//REL) GOPHERRAGE is a project that seeks to develop a hypervisor implant that would leverage both AMD and Intel's virtualization technology in order to provide both DNT implant persistence capabilities and a persistent back door. (TS//SI//REL) Develop a hypervisor implant that would leverage both Intel's and AMDs virtualization technology in order to provide both DNT implant persistence capabilities and a persistent back door access. The idea would be similar to what BERSERKR can do from SMM in that it should be able to use "the machine's network interface card (NIC) to communicate independently of the host operating system (OS)". Also, this hypervisor implant should have full read/write access of host memory so it will be possible to change Host OS behavior in ways that could allow code execution, OS injection, system survye, VM break-in, etc. (TS//SI//REL) GOPHERRAGE is the Persistence Division's pilot program to apply industry best practices and agile development processes to internal projects. To this end, the project is managed via the Scrum process. Test Driven Development (TDD) practices are used as well in an effort to reduce code defects. The project also is looking to incorporate ideas from DNT such as their SCube build environment. [edit] (U//FOUO) Windows Tools [mi (U//FOUO) WISTFULTOLL (TS//SI//REL) WISTFULTOLL is the premiere target survey tool for Windows that runs on almost all targets automatically. It brings back information about the target system's machine and operating system that is invaluable for both the Persistence Division and analysts enterprise wide. New features need to be added to WISTFULTOLL as well as it being refactored. [edit] (U//FOUO) CENTRICDUD (TS//SI//REL) CENTRICDUD is a tool to read and writes bytes in the CMOS. 10 of 13 S3285/InternProjects - Wikilnfo It needs to be rewritten and productized so that it can be incorporated into a proper UR plug—in. The driver associated with this tool also needs to be redone as it is being flagged by PSPs for unknown reasons. This tool is used both by the BIOS team as well as the IT Geo team. [edit] (U//FOUO) STYLISHCHAMP (TS//SI//REL) STYLISHCHAMP is a tool that can create a HPA on a hard drive and then provide raw reads and writes to this area. This tool should incorporate latest TWISTEDKILT code so that it can support SATA drives. This will allow SWAP to be used on newer systems. Currently, only IDE drives are used. [edit] (U//FOUO) Network Infrastructure (TS//SI//REL) TORNSTEAK is a persistence solution for two firewall devices from a particular vendor. We need to port TORNSTEAK from the existing two firewalls to several more from the same vendor. This persistence effort would use one's reverse engineering, computer architecture, "C" programming and assembly language coding skills. Retrieved from TOP SECRET//SI//REL TO USA, FVEY Derived From: SI Classification Guide, 02-01, Dated: 20060711 and NSA/CSSM 1-52, Dated: 20070108 Declassify On: 20320108 11 0f13 S3285/InternProjects - Wikilnfo I Read I Edit I View historv Actions I Move I Watch I Tag this page Search Go Navigation I Main Page I Community portal I Recent chan es I Random pa e I H_e1D Toolbox I What links here I Related chan es I Trackback I U load file I S ecial ages I Printable version I Permanent link social software tools I lournalNSA I Ihnigga I Connexions o LINKUP I S VS ace I Round Table I WikiInfo—NF partner wikis I Intellipedia I CSEC wiki Search 12 of 13 S3285/InternProjects - Wikilnfo I GCHO wiki I DSD wiki I GCSB wiki Derived From: SI Classification Guide, 02-01, Dated: 20060711 and NSA/CSSM 1-52, Dated: 20070108 Declassify On: 20320108 TOP SECRET//SI//REL TO USA, FVEY The accredited security level of this system is: TOP SECRET//SI-GAMMA/TALENT KEYHOLE//ORCON/PROPIN/RELIDO/REL TO USA, FVEY * 13 of 13