This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components.
Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks' earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.
Crypto Notes:
==========================================================================
To set up a Certificate Authority, there is a good HOWTO in this file:
  ./libs/polarssl-0.14.0/programs/ssl/CA-HOWTO.txt
==========================================================================
There are a number of helpful programs within the PolarSSL release:

(1) ../programs/x509/cert_app - can be run against a .crt file or a live
    SSL server to enumerate information about the Certificate. For example,
    running against Swindle provides the following output:

      . SSL connection to tcp/10.3.2.169/443 ... ok
      . Peer certificate information ...
      cert. version : 1
      serial number : 00:E2:59:E0:40:27:4A:9C:EF
      issuer name   : C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=domain.com
      subject name  : C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=domain.com
      issued on     : 2008-12-10 15:25:10
      expires on    : 2010-12-10 15:25:10
      signed using  : RSA+SHA1
      RSA key size  : 1024 bits

(2) the openssl equivalent is:
      openssl x509 -in server.crt -text -noout
==========================================================================
Procedure for Changing/Embedding certs and keys within Hive/PolarSSL:

* application must include polarssl/certs.h (libs/crypto.c does this)

for only one time, or as needed:
* create a Certificate Authority (at this time, the mygen.sh script will
  generate a new CA each time it is run, in addition to creating
  client/server keys and certs)
* the Certificate Authority's certificate is built into the hive-client
  and implants (TBD)

for each new release of hive-client:
* use the pkey/dh_genprime application to generate a new my_dhm_P variable.
  note, this will take a long time, possibly 10 minutes or more
* import that new DHM_P value into libs/crypto.c (used by SSL server)
* currently, this import is done by-hand
* not sure if this value is used because dhm_calc_secret() is never called
  by hive. see dh_client.c and dh_server.c for examples

for each new release of hive implant:
* use the mygen.sh script to generate new client.key, server.key,
  client.crt, server.crt, ca.key, ca.crt, and the CA's password, as needed,
  and replace the embedded values in crypto.c. See library/certs.c for an
  example.

for each hive implant generated by patcher:
* TBD
==========================================================================
==========================================================================
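As an added example (not code from the Hive sources or from PolarSSL), the Python script below reads the same certificate fields that cert_app and "openssl x509 -text" print (version, serial, issuer, subject, validity, signature algorithm, RSA key size) directly from DER, and then flags what a defender would notice in the cert_app output quoted above: an X.509 v1 certificate with no extensions, an RSA+SHA1 signature, a 1024-bit key, and a validity window that ended in 2010. The certificate it parses is constructed inside the script with a throwaway modulus and a placeholder signature (it is not a Hive certificate and would not verify); the distinguished name, serial and dates are copied from the cert_app output so the parsed fields can be compared line by line. The parser goes slightly beyond the v1 case on the page: it also handles the explicit version field of v3 certificates and GeneralizedTime dates.

```python
# Added example, not code from the Hive sources or PolarSSL: a small DER/X.509 reader that extracts the
# fields cert_app prints, plus a defender-side audit of the weak parameters in the page's sample (X.509 v1,
# RSA+SHA1, 1024-bit key, expired 2010). Certificate constructed in-code with a throwaway modulus and a
# placeholder signature. Python 3 standard library only.
import datetime

def der(tag, payload):           # DER encoder (only used to build the constructed sample)
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload
def der_int(value):              # INTEGER; DER pads with 0x00 when the top bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))
def der_oid(dotted):             # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += reversed(chunk)
    return der(0x06, bytes(body))
def der_name(pairs):             # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }
    return der(0x30, b"".join(der(0x31, der(0x30, der_oid(o) + der(0x0C, v.encode()))) for o, v in pairs))
def der_utctime(dt):             # UTCTime "YYMMDDHHMMSSZ"
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

ATTR = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.3": "CN"}
SHA1_RSA, SHA256_RSA, RSA_ENC = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1"
SIG_NAMES = {SHA1_RSA: "RSA+SHA1", SHA256_RSA: "RSA+SHA256"}
NAME = [("2.5.4.6", "GB"), ("2.5.4.8", "Berkshire"), ("2.5.4.7", "Newbury"),      # the DN from the
        ("2.5.4.10", "My Company Ltd"), ("2.5.4.3", "domain.com")]                  # page's cert_app output

def build_sample_cert(modulus, sig_oid=SHA1_RSA):
    """Constructed self-signed X.509 v1 certificate (no version field, no extensions)."""
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    validity = der(0x30, der_utctime(datetime.datetime(2008, 12, 10, 15, 25, 10))
                   + der_utctime(datetime.datetime(2010, 12, 10, 15, 25, 10)))
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))                 # RSAPublicKey { n, e }
    spki = der(0x30, der(0x30, der_oid(RSA_ENC) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der_int(0xE259E040274A9CEF) + alg + der_name(NAME) + validity + der_name(NAME) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 128))      # placeholder signature

def tlv(buf, pos=0):             # DER decoder: one tag-length-value -> (tag, body, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(payload):           # all (tag, body) pairs inside a constructed value
    items, pos = [], 0
    while pos < len(payload):
        tag, body, pos = tlv(payload, pos)
        items.append((tag, body))
    return items
def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))
def decode_name(body):
    atvs = [children(atv) for _, rdn in children(body) for _, atv in children(rdn)]
    return ", ".join(f"{ATTR.get(decode_oid(o), decode_oid(o))}={v.decode()}" for (_, o), (_, v) in atvs)
def decode_time(tag, body):      # 0x17 UTCTime, 0x18 GeneralizedTime
    return datetime.datetime.strptime(body.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def parse_certificate(cert):
    """Return the fields cert_app prints, as a dict."""
    (_, tbs), _, _ = children(tlv(cert)[1])
    fields, version = children(tbs), 1
    if fields[0][0] == 0xA0:                       # [0] EXPLICIT version; absent means v1
        version, fields = children(fields[0][1])[0][1][0] + 1, fields[1:]
    (_, serial), (_, alg), (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    (nb_tag, nb), (na_tag, na) = children(validity)
    (_, key_alg), (_, key_bits_str) = children(spki)
    is_rsa = decode_oid(children(key_alg)[0][1]) == RSA_ENC   # bit string: unused-bits byte, then RSAPublicKey
    key_bits = int.from_bytes(children(children(key_bits_str[1:])[0][1])[0][1], "big").bit_length() if is_rsa else None
    sig_oid = decode_oid(children(alg)[0][1])
    return {"version": version, "serial": ":".join(f"{b:02X}" for b in serial),
            "issuer": decode_name(issuer), "subject": decode_name(subject),
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "signed_using": SIG_NAMES.get(sig_oid, sig_oid), "rsa_key_bits": key_bits}

def audit(info, now=None):
    """Defender-side checks on the parsed fields; returns the list of findings."""
    now = now or datetime.datetime.now()
    checks = [(info["version"] < 3, "X.509 v1: no extensions, so no key usage or basic constraints"),
              ("SHA1" in info["signed_using"], "signed with SHA-1, deprecated for certificate signatures"),
              (info["rsa_key_bits"] is not None and info["rsa_key_bits"] < 2048,
               f"RSA key is {info['rsa_key_bits']} bits, below the 2048-bit minimum"),
              (now > info["not_after"], f"expired on {info['not_after']:%Y-%m-%d %H:%M:%S}")]
    return [msg for hit, msg in checks if hit]

if __name__ == "__main__":
    info = parse_certificate(build_sample_cert((1 << 1023) + 12345))    # throwaway 1024-bit modulus
    print(*(f"{k:>13} : {v}" for k, v in info.items()), sep="\n")
    print(*("      finding : " + f for f in audit(info)), sep="\n")
```

Run it with python3 and compare the printed fields against the cert_app listing above. To inspect a real DER file, pass its bytes to parse_certificate(); a PEM file first needs the base64 between the BEGIN/END CERTIFICATE markers decoded. The audit only reads the certificate's own fields, so it is a cheap first pass over embedded certificates before any chain validation.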