TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(TS//SI//REL) VPN SigDev Basics
S31244 - OTTERCREEK
Derived From: NSA/CSSM 1-52 Dated: 20070108
Declassify On: 20341101
UNCLASSIFIED
(U) What is a VPN?
• (U) A Virtual Private Network or VPN is a computer network that uses encryption to securely connect remote users/networks over an otherwise insecure network, usually the public internet.
• (U) Common Types:
  ° PPTP, IPSec, SSL
• (U) Public Key Encryption
  ° Diffie-Hellman, RSA
(U) PPTP
• (U) Microsoft Point-to-Point Tunneling Protocol
• (U) Control Channel
  ° TCP port 1723
• (U) Data Channel
  ° GRE - IP Next Protocol 47
• (U) RFC 2637, RFC 3078
(U) IPSec
• (U) Authentication
  ° Pre-shared key (PSK) or Public key certificates
• (U) ISAKMP/IKE packets are used for key exchange and to establish the secure connection
  ° UDP port 500, 4500; TCP port 500
• (U) ESP packets contain the encrypted data
  ° IP Next Protocol 50; UDP port 500
• (U) RFC2402, RFC2406, RFC2409, RFC4306, RFC2408
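The PPTP and IPSec slides identify each tunnel protocol by IP next-protocol number and port. The following Python dissector is an added example, not part of the original deck and not an NSA or vendor tool: it applies those rules to raw IPv4 packets (GRE carrying PPP for the PPTP data channel, TCP 1723 for PPTP control, IP protocol 50 for ESP, UDP 500/4500 for ISAKMP/IKE, with the 4-byte non-ESP marker that NAT-T puts in front of ISAKMP on 4500) and decodes the fixed ISAKMP header so the exchange type is visible. On a network you administer this is the shape of an inventory of tunnel traffic, the starting point for spotting tunnels nobody sanctioned. The exchange-type table and the 0x880B GRE protocol type are taken from RFC 2408/2409/4306 and RFC 2637; every packet below is constructed inline with RFC 5737 documentation addresses, none is captured traffic.

```python
import socket
import struct
from dataclasses import dataclass, field
# Protocol numbers and ports from the PPTP and IPSec slides.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT = 1723       # PPTP control channel (TCP)
GRE_PPP_PROTOCOL = 0x880B      # GRE protocol type for PPP: the PPTP data channel (RFC 2637)
ISAKMP_PORTS = (500, 4500)     # ISAKMP/IKE; on 4500 (NAT-T) ISAKMP sits behind a 4-byte zero marker
NAT_T_NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP/IKE exchange types (RFC 2408 sec. 3.1, RFC 2409, RFC 4306 sec. 3.1)
EXCHANGE_TYPES = {2: "identity protection (IKEv1 main mode)", 4: "aggressive (IKEv1)",
                  5: "informational", 32: "quick mode (IKEv1)",
                  34: "IKE_SA_INIT (IKEv2)", 35: "IKE_AUTH (IKEv2)"}
@dataclass
class Observation:
    kind: str                  # pptp-control, pptp-data, esp, isakmp or not-vpn
    src: str
    dst: str
    detail: dict = field(default_factory=dict)

def parse_isakmp_header(data: bytes):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408 sec. 3.1); None if malformed."""
    if len(data) < 28:
        return None
    _ic, rcookie, _np, version, exch, _flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length < 28:
        return None
    return {"version": f"{version >> 4}.{version & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"), "message_id": msg_id,
            # an all-zero responder cookie marks the first message of a new negotiation
            "responder_cookie_set": rcookie != b"\x00" * 8}

def classify(packet: bytes) -> Observation:
    """Dissect one raw IPv4 packet and report which VPN protocol, if any, it carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return Observation("not-vpn", "?", "?", {"reason": "not IPv4"})
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    payload = packet[ihl:]
    if proto == IPPROTO_ESP and len(payload) >= 8:        # ESP: SPI + sequence, rest is ciphertext
        spi, seq = struct.unpack("!II", payload[:8])
        return Observation("esp", src, dst, {"spi": spi, "seq": seq})
    if proto == IPPROTO_GRE and len(payload) >= 4:        # GRE carrying PPP = PPTP data channel
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        if ptype == GRE_PPP_PROTOCOL:
            return Observation("pptp-data", src, dst, {"gre_version": flags_ver & 0x7})
    if proto == IPPROTO_TCP and len(payload) >= 4:        # PPTP control channel on TCP 1723
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return Observation("pptp-control", src, dst, {"sport": sport, "dport": dport})
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        body = payload[8:]
        if sport in ISAKMP_PORTS or dport in ISAKMP_PORTS:
            if 4500 in (sport, dport):
                if body.startswith(NAT_T_NON_ESP_MARKER):
                    body = body[4:]                      # ISAKMP behind the NAT-T marker
                elif len(body) >= 8:                      # otherwise UDP-encapsulated ESP
                    spi, seq = struct.unpack("!II", body[:8])
                    return Observation("esp", src, dst, {"spi": spi, "seq": seq, "udp_encap": True})
            hdr = parse_isakmp_header(body)
            if hdr:
                return Observation("isakmp", src, dst, hdr)
    return Observation("not-vpn", src, dst, {})

def summarize(packets):
    """Count packets by kind: the shape of a tunnel-traffic inventory for one link."""
    counts = {}
    for pkt in packets:
        kind = classify(pkt).kind
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# --- constructed sample packets (not captured traffic); RFC 5737 documentation addresses ---
def ipv4(proto, src, dst, payload):   # minimal 20-byte header, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

def isakmp_message(exchange, rcookie=b"\x00" * 8):   # IKEv1 (version 1.0) header, no payloads
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, rcookie, 1, 0x10, exchange, 0, 0, 28)

A, B = "198.51.100.10", "203.0.113.5"
SAMPLES = {
    "ike_main_mode": ipv4(IPPROTO_UDP, A, B, udp(500, 500, isakmp_message(2))),
    "ike_nat_t": ipv4(IPPROTO_UDP, A, B, udp(4500, 4500, NAT_T_NON_ESP_MARKER + isakmp_message(32, b"\x22" * 8))),
    "esp": ipv4(IPPROTO_ESP, A, B, struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 16),
    "esp_udp_encap": ipv4(IPPROTO_UDP, A, B, udp(4500, 4500, struct.pack("!II", 0x0A0B0C0D, 3) + b"\x00" * 16)),
    "pptp_control": ipv4(IPPROTO_TCP, A, B, struct.pack("!HH", 40000, 1723) + b"\x00" * 16),
    "pptp_data": ipv4(IPPROTO_GRE, A, B, struct.pack("!HH", 0x3001, GRE_PPP_PROTOCOL) + b"\x00" * 8),
    "dns": ipv4(IPPROTO_UDP, A, B, udp(53000, 53, b"\x00" * 12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify(pkt)}")
    print(summarize(SAMPLES.values()))
```

Feed `classify()` the IP layer of each frame from a capture library of your choice; the port checks alone would mislabel anything that happens to use 500 or 4500, which is why the ISAKMP header is parsed and an unparseable body falls back to `not-vpn`.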
(U) IPSec in a nutshell
(U) SSL/TLS
• (U) Secure Sockets Layer/Transport Layer Security
• (U) WARNING! e-commerce = tons of uninteresting SSL traffic
• (U) Common ports: TCP ports 443, 995
• (U) RFC2246, RFC4346, RFC5246
(U) SSL in a nutshell
[Figure: a certificate with the fields Subject, Validity, Public Key, Issuer, Etc...]
(U) SSL Exchange
1. Client connects to server
2. Server sends cert to client
3. Client validates cert
4. Key exchange
5. Pass encrypted material
(TS//SI//REL) Who works VPNs?
• (TS//SI//REL) VPN Working Group (go vpn)
  ° S2, SSG, CES (OTTERCREEK, NSP, S31322, S3117, S3112), TAO, etc.
  ° alias: (not legible in source)
• (TS//SI//REL) Meets every other Thursday at 1300
(TS//SI//REL) Who works VPNs?
[Figure: workflow - Know your target → Gain Access → Decrypt → Determine Intel Value → ... and Report]
• S3117 + S3142
• OTTERCREEK
• NSP
• S313
(TS//SI//REL) So you think your target is using a VPN...
(TS//SI//REL) SigDev Tools
• BLEAKINQUIRY, DISCOROUTE, TOYGRIPPE, MARINA, MASTERSHAKE, NKB, PINWALE, RENOIR, TREASUREMAP, TUNINGFORK, XKEYSCORE
(TS//SI//REL) TOYGRIPPE
• (TS//SI//REL) Database of VPN metadata
  ° IPSec, PPTP, ViPNet
[Screenshot: TOYGRIPPE Standard Form query page (Query: Standard / Free Form; Results: All Results / View / Excel / Text Delimited; Preferences; Help).]
(TS//REL) TOYGRIPPE Tips:
° Populate "Display Fields"
° For both directions between 2 IPs, use AND
° For either direction connecting to a single IP, put IP in both "Source" and "Destination" boxes, and use OR
[Screenshot: TOYGRIPPE Query Results listing, per record, a timestamp, a case notation, a country code and the authentication method (e.g. pre-shared key).]
° (U) Export results to Excel or text doc for easier sorting.
(TS//SI//REL) XKEYSCORE
• (TS//REL) Fingerprints
  ° IPSec: vpn/esp, vpn/isakmp
  ° PPTP: vpn/pptp*
  ° SSL: network_encryption/ssl
  ° Start with FULL DNI: vpn/*, network_encryption/*
• (TS//REL) Search Forms
  ° IPSec: IKE Parser
  ° SSL: SSL Parser
[Screenshot: XKEYSCORE "Search: Full Log" form. The navigation filter lists the available search forms, including IKE Parser, SSL Parser, SSH Parser, Full Log DNI, Network Logs and Radius Logs; the form takes a query name, justification, Miranda number, a date/time range and Client IP / WLAN fields. Example justification shown: "(TS//SI//REL) Looking for ... traffic to perform vulnerability assessment."]
[Screenshot: the same Full Log form scrolled to the From/To fields: Country, City (IP), Latitude (IP), Longitude (IP), Outer Tunnel IP Address, Outer Tunnel Port, Application Type, Application Info and AppID (+Fingerprints). The country fields carry "!US AND !GB AND !CA AND !NZ AND !AU" with the options "One side is not 5-eyes" / "Both sides are not 5-eyes".]
° (TS//REL) For initial searches, you may want to leave this blank to see all of the different kinds of traffic that are found on the IP pair.
[Screenshot: XK Metaviewer results for the Full Log query (1171 records): nearly every row is vpn/esp (To Port 0) with fingerprint nac/vpn/protocol/esp; the rows on port 500 are vpn/isakmp with fingerprints vpn/ipsec/isakmp/main mode/key exchange message, vpn/ike and vpn/isakmp content.]
[Screenshot: XK Metaviewer results for the query CREAKSTILE_HW_PK (298 records), all on port 500 with AppID vpn/isakmp and fingerprints such as vpn/isakmp content, vpn/isakmp phase and vpn/device/ipsec.]
(TS//SI//REL) PINWALE
• (TS//SI//REL) Both VPN traffic and Sys Admins passing information about VPN setup
• (TS//SI//REL) IP addresses and port numbers (ex. AP 00500) ***Document Zone = C2C
• (TS//SI//REL) Display 'DZ Protocol SRC Port'/'DZ Protocol DEST Port', 'Next Protocol Name'
(TS//SI//REL) DISCOROUTE
• (TS//SI//REL) Router configuration data
  ° From passive and active collection
  ° Key terms to search for within configs: 'crypto map', 'isakmp', 'ipsec', 'pre-shared-key'
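The key terms listed for DISCOROUTE are the same ones a configuration audit of your own devices should search for, since whatever such a search finds is exactly what a collected or leaked config gives away. The following Python auditor is an added example, not from the deck and not an NSA or Cisco tool: it walks a Cisco-IOS-style configuration, reports every IKE pre-shared key with its location and storage type (cleartext versus type-6 encrypted under the router master key) and the key's length only, never the value, and counts which ISAKMP policies authenticate with pre-share versus certificates. The command syntax matched by the regexes is assumed from common IOS usage rather than a full grammar, and the configuration is constructed for the example with RFC 5737 addresses.

```python
import re
from dataclasses import dataclass

# Assumed Cisco IOS-style syntax (constructed regexes, not a full IOS grammar).
ISAKMP_KEY = re.compile(r"^crypto isakmp key(?: (\d))? (\S+) (?:address|hostname) (\S+)")
KEYRING_V1 = re.compile(r"^\s*pre-shared-key (?:address|hostname) (\S+)(?: \S+)? key(?: (\d))? (\S+)")
KEYRING_V2 = re.compile(r"^\s*pre-shared-key(?: (?:local|remote))?(?: (\d))? (\S+)$")
CONTEXT = re.compile(r"^crypto (?:ikev2 )?keyring (\S+)|^\s+peer (\S+)")
AUTH = re.compile(r"^\s+authentication (pre-share|rsa-sig|rsa-encr)\s*$")
# IOS key storage types: absent or 0 = cleartext in the config, 6 = AES-encrypted under the router's master key
STORAGE = {None: "cleartext", "0": "cleartext", "6": "type-6 (AES, needs the router master key)"}

@dataclass
class Finding:
    line: int
    location: str      # keyring / peer the key belongs to, or "global key for <peer>"
    storage: str
    key_len: int       # length only: the key value itself is never kept or printed

def storage_label(t):
    return STORAGE.get(t, f"type-{t}")

def audit(config: str):
    """List every IKE pre-shared key in an IOS-style config, with the key value redacted."""
    findings, keyring, peer = [], None, None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line.startswith(" "):          # any top-level command ends the current keyring block
            keyring = peer = None
        ctx = CONTEXT.match(line)
        if ctx:
            if ctx.group(1):
                keyring = ctx.group(1)
            elif keyring:
                peer = ctx.group(2)
            continue
        m = ISAKMP_KEY.match(line)
        if m:
            findings.append(Finding(no, f"global key for {m.group(3)}", storage_label(m.group(1)), len(m.group(2))))
            continue
        m = KEYRING_V1.match(line)
        if m and keyring:
            findings.append(Finding(no, f"keyring {keyring} / {m.group(1)}", storage_label(m.group(2)), len(m.group(3))))
            continue
        m = KEYRING_V2.match(line)
        if m and keyring:
            where = f"keyring {keyring}" + (f" / peer {peer}" if peer else "")
            findings.append(Finding(no, where, storage_label(m.group(1)), len(m.group(2))))
    return findings

def auth_methods(config: str):
    """Count ISAKMP policy authentication methods (pre-share vs certificate based)."""
    counts = {}
    for line in config.splitlines():
        m = AUTH.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def report(config: str):
    """Human-readable audit lines; cleartext keys are the ones a leaked config hands over directly."""
    lines = []
    for f in audit(config):
        flag = "CLEARTEXT" if f.storage == "cleartext" else "ok"
        lines.append(f"line {f.line:3d}: {f.location:40s} {f.storage:40s} len={f.key_len:2d} [{flag}]")
    return lines

# Constructed sample config (not a real device), RFC 5737 addresses.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 authentication rsa-sig
!
crypto isakmp key SuperSecret123 address 203.0.113.5
crypto isakmp key 6 X3k9_ENCRYPTED_BLOB_ address 203.0.113.6
!
crypto keyring branch-keys
 pre-shared-key address 198.51.100.20 key 0 branch20
!
crypto ikev2 keyring ikev2-keys
 peer hq
  address 192.0.2.1
  pre-shared-key local hqlocal
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.5
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
    print("policy authentication:", auth_methods(SAMPLE_CONFIG))
```

Type-6 storage only protects the key at rest in the saved configuration; the peers, crypto maps and policy parameters remain readable, so the finding list is also the list of what to rotate after a configuration has been exposed.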
[Screenshot: NKB DiscoRoute Combined Query form. Fields: Text Query; Date (Start/End Date, scoped to DOI, Load Date or Entire Database); vendor checkboxes (Cisco, Huawei, Infinet, Juniper, Mikrotik, Tenorswitch); IP Address with IP Range Search (Interfaces - Subnet, Static Route IP, Access Lists, Routing Protocol IP) and Exact IP Search (IP Header FROM/TO, Interfaces - Exact, Anywhere else in the XML), "Limit Search to CIDR Ranges Smaller Than (or equal to)" and "Any checked items can be found (OR condition) in config"; Hostname, SIGAD, Case, Country, TAO Project Name, AS Number (Seen in Config / Derived); Manifest (Cisco Only) flags A EQUANT, B BGP, D Show CDP, G GPRS, H TAO Pop, K Crypto Keys, M Multihop, N Tgt Net Service, O OSPF, P VoIP, R Show Run, T Tacacs, V Show Version and Show Interfaces, with "All checked items must be found (AND condition) in config"; SNMP Community, IOS Image Name, Device Type. Tip: if TAO has a point-of-presence, you will see the H manifest tag in results.]
[Screenshot: DiscoRoute Detailed Combined Command Results (Version 2.14). Columns: Hostname, Model, DOI, Vendor, Sigad, Case, Manifest, IOS Image, Source IP, S Country, S City, Session, Quality, SPort, DPort. The rows are Huawei and Cisco devices collected in 2009 (hostnames such as GW_SMS and A6-VPN), most with DPort 23. Actions: Save as CSV, Save Files to Disk, Compare Results, Summary, Mailorder Out, Map in Renoir, Find Related. Footer: Powered by the SIGDEV Lab, Version Number 2.14, Last Modified Date March 14, 2011.]
[Screenshot: the DiscoRoute Combined Query form again, now on the new DISCOROUTE webserver ("Update any bookmarks to bring you here"), with the same query fields as the earlier Combined Query screenshot.]
[Screenshot: DiscoRoute Detailed Combined Command Results (Version 2.14) for the query "UNAMI": Cisco devices collected 2009-2010 (hostnames such as VPN02-UNAMI-K, kuw-hub and bdr01-unami-...), Manifest flags including K (Crypto Keys) and R (Show Run), S Country RESERVED or DUBAI, DPort 23. The Payload tab (alongside XML, Summary, Map and Query Parameters) shows the selected router's login banner.]
(U) Others
• (TS//REL) NKB
• (TS//REL) TUNINGFORK
• (TS//REL) TREASUREMAP
• (TS//REL) RENOIR
• (TS//REL) MASTERSHAKE
• (TS//REL) ROADBED
• (TS//REL) BLEAKINQUIRY
(TS//SI//REL) Basic VPN rules of ...
• (TS//REL) If you have an IP address...
  ° Check TOYGRIPPE and XKS
    - Look for paired traffic
  ° For IPSec, check sys admin chatter for PSK (DISCOROUTE; PINWALE; MARINA)
  ° Share your data with OTTERCREEK for vulnerability assessment (XKEYSCORE or DROPBOX)
• If you don't...
  ° Submit tasking
  ° Look in DISCOROUTE
  ° Query Sys Admins in PINWALE and MARINA
  ° Check your target's TAO projects
• EITHER WAY, JOIN THE VPN WORKING GROUP FOR ALL OF YOUR VPN SIGDEV NEEDS
(U//FOUO) Useful Links
• (TS//SI//REL) VPN Working Group (go vpn)
• (TS//SI//REL) OTTERCREEK (go VPN XFT)
  ° VPNXFT DROPBOX
• (TS//SI//REL) Network Security Products (go NSP)
(U) Questions?
OTTERCREEK