This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is a [National Security Agency] ([NSA]) [SIGINT] program.
! VPN Phase 1: [IKE] [Metadata] Only (Spin 15)
* [IKE] packets are exfiled to [TURMOIL] [{$pagename}].
* APEX reconstructs/reinjects [IKE] packets to the [TURMOIL] [VPN] components.
* [TURMOIL] [VPN] extracts [metadata] from each [Key-Exchange] and sends it to the [CES] [TOYGRIPPE] [metadata] [database]. This database is used by [SIGDEV] analysts to identify potential targets for further exploitation.
! VPN Phase 2: Targeted IKE Forwarding (Spin 15)
* [TURMOIL] [VPN] looks up [IKE] packet [IP Address] in [KEYCARD].
* If either [IP Address] is targeted, the [Key-Exchange] packets are forwarded to the CES Attack Orchestrator (POISON NUT) for [VPN] key recovery.
! [VPN] Phase 3: Static Tasking of [ESP]
* [HAMMERSTEIN] receives static tasking to exfil targeted [ESP] packets.
* APEX reconstructs/reinjects [ESP] packets to the [TURMOIL] VPN components.
* TURMOIL VPN requests [VPN] key from [CES] and attempts [decryption].
! VPN Phase 4: Dynamic Targeting of [ESP]
* Based on the value returned by [KEYCARD], the [ESP] for a particular [VPN] may be targeted as well.
* TURMOIL sends to [HAMMERSTEIN] (via [TURBINE]) the parameters for capturing the [ESP] for the targeted [VPN].
!! [{$pagename}] [Voice over IP] Phases
! VoIP Phase 1: Static Tasking of VoIP (Spin 16)
* [HAMMERCHANT] monitors VoIP [SIP]/[H.323] signaling and exfiltrates only targeted [VoIP] [RTP] sessions to [TURMOIL]
* [{$pagename}] reconstructs and bundles the voice packets into a file, attaches appropriate [metadata] and delivers to [PRESSUREWAVE]
* This triggers a modified [VoIP] analytic to prepare the [VoIP] for corporate delivery.
! VoIP Phase 2: VoIP Call Survey
* HAMMERCHANT monitors [VoIP] [SIP]/[H.323] signaling and exfiltrates all call signaling [metadata] to [TURMOIL]
* [{$pagename}] inserts call signaling [metadata] into an [ASDF] record and publishes it to the [TURMOIL] [AsdfReporter] component for target [SIGDEV]
! VoIP Phase 3: Dynamic Targeting of [VoIP]
* [HAMMERSTEIN] captures/exfils all VoIP signaling
* APEX reconstructs/reinjects the signaling to the TURMOIL VoIP components.
* [TURMOIL] [VoIP] extracts call [metadata] and sends to [FASCIA]; checks [KEYCARD] for hits.
* If the called/calling party is targeted for active exfil, then [TURMOIL] sends to [HAMMERSTEIN] (via TURBINE) the parameters to capture the targeted RTP session.
! [Implementation] of [Voice over IP] Phase 2 and 3 will be driven by mission need.
* Phase 3 leverages all [TURMOIL] [VoIP] signalling protocol processors to expand [SIP] and [H.323] (e.g. Skype) without additional development on the implant.
!! Category
%%category [Government Surveillance]%%
----
* [#1] - [VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN|https://theintercept.com/document/2014/03/12/vpn-voip-exploitation-hammerchant-hammerstein/|target='_blank'] - based on information obtained 2018-08-03
* [#2] - [https://www.aclu.org/sites/default/files/assets/vpn-and-voip-exploitation-with-hammerchant-and.pdf|https://www.aclu.org/sites/default/files/assets/vpn-and-voip-exploitation-with-hammerchant-and.pdf|target='_blank'] - based on information obtained 2019-05-18