<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] is an [National Security Agency] ([NSA]) [SIGINT] program.

! VPN Phase 1: [IKE] [Metadata] Only (Spin 15)
* [IKE] packets are exfiled to [TURMOIL] [{$pagename}].
* APEX reconstructs/reinjects [IKE] packets to the [TURMOIL] [VPN] components.
* [TURMOIL] [VPN] extracts [metadata] from each [Key-Exchange] and sends to the [CES] [TOYGRIPPE] [metadata] [database] This database is used by [SIGDEV] analysts to identify potential targets for further exploitation 

! VPN Phase 2: 
Targeted IKE Forwarding (Spin 15)- 
* [TURMOIL] [VPN] looks up [IKE] packet [IP Address] in [KEYCARD].
* If either [IP Address] is targeted, the [Key-Exchange] packets are forwarded to the CES Attack Orchestrator (POISON NUT) for [VPN] key recovery.

! [VPN] Phase 3: Static Tasking of [ESP]
* [HAMMERSTEIN] receives static tasking to exfil targeted [ESP] packets.
* APEX reconstructs/reinjects [ESP] packets to the [TURMOIL] VPN components.
* TURMOIL VPN requests [VPN] key from [CES] and attempts [decryption].

!! VPN Phase 4: Dynamic Targeting of [ESP]
* Based on the value returned by [KEYCARD], the [ESP] for a particular [VPN] may be targeted as well
* TURMOIL sends to [HAMMERSTEIN] (via [TURBINE]) the parameters for capturing the [ESP] for the targeted [VPN]


!! [{$pagename}] [Voice over IP] Phases

! VoIP Phase 1: Static Tasking of VoIP (Spin 16)
* [HAMMERCHANT] monitors VoIP [SIP]/[H.323] signaling and exfiltrates only targeted [VoIP] [RTP] sessions to [TURMOIL]
* [{$pagename}] reconstructs and bundles the voice packets into a file, attaches appropriate [metadata] and delivers to [PRESSUREWAVE]
* This triggers a modified [VoIP] analytic to prepare the [VoIP] for corporate delivery.

! VoIP Phase 2. VoIP Call Survey
* HAMMERCHANT monitors [VoIP] [SIP]/[H.323] signaling and exfiltrates all call signaling [metadata] to [TURMOIL]
* [{$pagename}] inserts call signaling [metadata] into an [ASDF] record and publishes it to the [TURMOIL] [AsdfReporter] component for target [SIGDEV] 

! VoIP Phase 3. Dynamic Targeting of [VoIP]
* [HAMMERSTEIN] captures/exfils all VoIP signaling
* APEX reconstructs/reinjects the signaling to the TURMOIL VoIP components.
* [TURMOIL] [VoIP] extracts call [metadata] and sends to [FASCIA]; checks [KEYCARD] for hits.
* If called/calling party is targeted for active exfil, then [TURMOIL] sends to [HAMMERSTEIN] (via TURBINE) the parameters to capture the targeted RTPT session

! [Implementation] of [Voice over IP] Phase 2 and 3 will be driven by mission need. 
* Phase 3 leverages all [TURMOIL] [VoIP] signalling protocol processorsa to expand [SIP] and [H.323] (e.g. Skype) without additional development on the implant.

!! Category
%%category [Government Surveillance]%%


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN|https://theintercept.com/document/2014/03/12/vpn-voip-exploitation-hammerchant-hammerstein/|target='_blank'] - based on information obtained 2018-08-03- 
* [#2] - [https://www.aclu.org/sites/default/files/assets/vpn-and-voip-exploitation-with-hammerchant-and.pdf|https://www.aclu.org/sites/default/files/assets/vpn-and-voip-exploitation-with-hammerchant-and.pdf|target='_blank'] - based on information obtained 2019-05-18 


























































































































































































































</pre>