TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(TS//SI//REL) VPN SigDev Basics

S31244 - OTTERCREEK

Derived From: NSA/CSSM 1-52 Dated: 20070108

Declassify On: 20341101


UNCLASSIFIED

(U) What is a VPN?

• (U) A Virtual Private Network or VPN is a computer network that uses encryption to securely connect remote users/networks over an otherwise insecure network, usually the public internet.
• (U) Common Types:
  ° PPTP, IPSec, SSL
• (U) Public Key Encryption
  ° Diffie-Hellman, RSA


(U) PPTP

• (U) Microsoft Point-to-Point Tunneling Protocol
• (U) Control Channel
  ° TCP port 1723
• (U) Data Channel
  ° GRE - Next Protocol 47
• (U) RFC 2637, RFC 3078


(U) IPSec

• (U) Authentication
  ° Pre-shared key (PSK) or Public key certificates
• (U) ISAKMP/IKE packets are used for key exchange and to establish the secure connection
  ° UDP port 500, 4500; TCP port 500
• (U) ESP packets contain the encrypted data
  ° IP Next Protocol 50; UDP port 500
• (U) RFC2402, RFC2406, RFC2409, RFC4306, RFC2408


(U) IPSec in a nutshell


(U) SSL/TLS

• (U) Secure Sockets Layer/Transport Layer Security
• (U) WARNING! e-commerce = tons of uninteresting SSL traffic
• (U) Common ports: TCP ports 443, 995
• (U) RFC2246, RFC4346, RFC5246


(U) SSL in a nutshell

Certificate
• Subject
• Validity
• Public Key
• Issuer
• Etc...

(U) SSL Exchange
1. Client connects to server
2. Server sends cert to client
3. Client validates cert
4. Key exchange
5. Pass encrypted material


(TS//SI/REL) Who works VPNs?

(TS//SI//REL) VPN Workin o vpn)

• S2, SSG, CES (OTTERCREEK, NSP, S31322, S3117, S3112), TAO, etc.
• (TS//SI//REL) Meets every other Thursday at 1300


(TS//SI/REL) Who works VPNs?

• Know your target
• Gain Access
• Decrypt
• Determine Intel Value and Report

• S3117 + S3142 • OTTERCREEK • NSP • S313


(TS//SI//REL) So you think your target is using a VPN...


(TS//SI//REL) SigDev Tools

• BLEAKINQUIRY
• DISCOROUTE
• TOYGRIPPE
• MARINA
• MASTERSHAKE
• NKB
• PINWALE
• RENOIR
• TREASUREMAP
• TUNINGFORK
• XKEYSCORE


(TS//SI//REL) TOYGRIPPE

• (TS//SI//REL) Database of VPN metadata
  ° IPSec, PPTP, ViPNet

[Screenshot: query form in a web browser. Menu: Query (Standard, FreeForm), Results (All Results, View, Excel, Text Delimited), Preferences (General), Help (FAQ, Contact Us). The Standard Form has Execute and Clear All buttons.]


(TS//REL) TYG Tips:

• Populate "Display Fields"
• For both directions between 2 IPs, use AND
• For either direction connecting to a single IP, put IP in both "Source" and "Destination" boxes, and use OR

[Screenshot: "Query Results" browser window showing a results table. Rows carry a classification marking, a timestamp, a case notation, a two-letter code (DE or IR) and, for many rows, "pre-shared key".]

• (U) Export results to Excel or text doc for easier sorting.


(TS//SI//REL) XKEYSCORE

(TS//REL) Fingerprints
• IPSec
  ° vpn/esp
  ° vpn/isakmp
• PPTP
  ° vpn/pptp*
• SSL
  ° network_encyption/ssl

(TS//REL) Search Forms
• Start with FULL DNI
  ° vpn/*
  ° networkencrytion/*
• IPSec
  ° IKE Parser
• SSL
  ° SSL Parser

[Screenshot: XKEYSCORE "Search: Full Log" form in a web browser. Visible fields: Query Name, Justification, Additional Justification, Miranda Number, Datetime (Start: 2011-04-03, Stop: 2011-04-05), Client IP (X-Forwarded-For), WLAN Channel, WLAN SSID, WLAN BSSID, WLAN DMAC, WLAN SMAC. The example justification reads: "(TS//SI//REL) Looking for [illegible] traffic to perform vulnerability assessment."]

[Screenshot: XKEYSCORE "Search: Full Log" form, further fields: Country, City (IP), Latitude (IP), Longitude (IP), Regions (IP), Outer Tunnel IP Address, Outer Tunnel Port, Application Type, AppID (+Fingerprints). The Country selector shows "!US AND !GB AND !CA AND !NZ AND !AU" with the options "One side is not 5-eyes" and "Both sides are not 5-eyes".]

• (TS//REL) For initial searches, you may want to leave this blank to see all of the different kinds of traffic that are found on the IP pair.

[Screenshot: XKEYSCORE Metaviewer results table. Columns: Sigad, Case notation, Datetime, Fm Port, Fm City (IP), Fm Country, Fm IP, To IP, To Country, To City (IP), To Port, Application, AppID (+Fingerprints). Most rows show port 0 with Application vpn/esp; two rows show port 500 with Application vpn/isakmp (main mode key exchange message). Displaying 1 - 50 of 1171.]

[Screenshot: XKEYSCORE Metaviewer results table titled "CREAKSTILE_HW_PK". Columns: Classification, Sigad, Case notation, Datetime, Fm Port, Fm City (IP), Fm Country, Fm IP, To Country, To City (IP), To Port, Application, AppID (+Fingerprints). The visible rows show port 500 with Application vpn/isakmp. Displaying 1 - 50 of 298.]


(TS//SI//REL) PINWALE

• (TS//SI/REL) Both VPN traffic and Sys Admins passing information about VPN setup
• (TS//SI/REL) IP addresses and port numbers (ex. AP 00500) ***Document Zone = C2C
• (TS//SI/REL) Display 'DZ Protocol SRC Port'/'DZ Protocol DEST Port', 'Next Protocol Name'


(TS//SI//REL) DISCOROUTE

• (TS//SI/REL) Router configuration data
  ° From passive and active collection
  ° Key terms to search for within configs:
  ° 'crypto map', 'isakmp', 'ipsec', 'pre-shared-key'

[Screenshot: "DiscoRoute Combined Query" form in a web browser. Visible fields: Text Query, Date (Start Date, End Date; DOI, Load Date, Entire Database), vendor checkboxes (Cisco, Huawei, Infinet, Juniper, Mikrotik, Tenorswitch), IP Address, IP Range Search (Interfaces - Subnet, Static Route IP, Access Lists, Routing Protocol IP), Exact IP Search (IP Header FROM/TO, Interfaces - Exact, Anywhere else in the XML), Hostname, SIGAD, Case, Country, TAO Project Name, AS Number, Manifest (Cisco Only), Snmp Community, IOS Image Name, Device Type. On-screen tip: "If TAO has a Point-of-presence, you will see H manifest tag in results."]

[Screenshot: DiscoRoute "Detailed Combined Command Results" table. Columns: Hostname, Model, DOI, Vendor, Sigad, Case, Manifest, IOS Image, Source IP, Country, City, Session, Quality, SPort, DPort. Page footer: Last Modified Date: March 14, 2011; Last Reviewed Date: March 14, 2011.]

[Screenshot: "DiscoRoute Combined Query" form, same layout as the earlier query form. On-screen tip: "[illegible] is the new DISCOROUTE webserver. Update any bookmarks to bring you here."]

Page 27:

[Screenshot: "NKB Disco Route - Mozilla Firefox", showing a DiscoRoute results table; row data not legible]

Combined Query | Network Mgmt Query (Coming Soon) | Help | Feedback

DiscoRoute Detailed Combined Command Results (Version 2.14)

Dynamic Page -- Highest Possible Classification is TOP SECRET//COMINT//ORCON//NOFORN//20320108

Table columns: hostname, DOI, Vendor, Sigad, Manifest, IOS Image, Source IP, S Country, S City, Session Quality, SPort, DPort

Page 1 of 42 | Save as CSV | Save Files to Disk | Compare Results | Summary | Mailorder Out | Map in Renoir

Payload | XML | Summary | Map | Query Parameters [Open in New Window]

Find Related Results 1 - 200

UNAMI

Authorized Personnel Only

If you do not have explicit authorization issued by UNAMI NMU to access this H C device, leave now!

DESCRIPTION: THIS ROUTER IS THE VOICE GATEWAY INTENDED FOR USE WITH THE

Powered by the SIGDEV Lab | Version Number: 2.14 New! | Last Modified Date: March 14, 2011 | Last Reviewed Date: March 14, 2011 | Content Steward: | Page Publisher:

Dynamic Page -- Highest Possible Classification is TOP SECRET//COMINT//ORCON//NOFORN//20320108

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Page 28:

TOP SECRET//REL TO USA,

(U) Others
• (TS//REL) NKB
• (TS//REL) TUNINGFORK
• (TS//REL) TREASUREMAP
• (TS//REL) RENOIR
• (TS//REL) MASTERSHAKE
• (TS//REL) ROADBED
• (TS//REL) BLEAKINQUIRY

Page 29:


Page 30:

(TS//SI//REL) Basic VPN rules of

(TS//REL) If you have an IP address...
• Check TOYGRIPPE and XKS
  ° Look for paired traffic
• For IPSec, check sys admin chatter for PSK (DISCOROUTE; PINWALE; MARINA)
• Share your data with OTTERCREEK for vulnerability assessment (XKEYSCORE or DROPBOX)

If you don't...
• Submit tasking
• Look in DISCOROUTE
• Query Sys Admins in PINWALE and MARINA
• Check your targets TAO projects

EITHER WAY, JOIN THE VPN WORKING GROUP FOR ALL OF YOUR VPN SIGDEV NEEDS

Page 31:

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(U//FOUO) Useful Links

(TS//SI//REL) VPN Working Group (go vpn)

(TS//SI//REL) OTTERCREEK (go VPN XFT)

VPNXFT DROPBOX

(TS//SI//REL) Network Security Products (go NSP)

Page 32:

UNCLASSIFIED

(U) Questions?

OTTERCREEK

UNCLASSIFIED