Title: VPN SigDev Basics

Release Date: 2014-12-28

Description: This undated NSA presentation describes how to perform attacks against VPNs: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(TS//SI//REL) VPN SigDev Basics

S31244 - OTTERCREEK

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20341101

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL


UNCLASSIFIED

(U) What is a VPN?

• (U) A Virtual Private Network or VPN is a computer network that uses encryption to securely connect remote users/networks over an otherwise insecure network, usually the public internet.

• (U) Common Types:
  ° PPTP, IPSec, SSL

• (U) Public Key Encryption
  ° Diffie-Hellman, RSA


(U) PPTP

• (U) Microsoft Point-to-Point Tunneling Protocol

• (U) Control Channel
  ° TCP port 1723

• (U) Data Channel
  ° GRE, IP Next Protocol 47

• (U) RFC 2637, RFC 3078


(U) IPSec

• (U) Authentication
  ° Pre-shared key (PSK) or public key certificates

• (U) ISAKMP/IKE packets are used for key exchange and to establish the secure connection
  ° UDP port 500, 4500; TCP port 500

• (U) ESP packets contain the encrypted data
  ° IP Next Protocol 50; UDP port 500

• (U) RFC 2402, RFC 2406, RFC 2409, RFC 4306, RFC 2408


(U) IPSec in a nutshell


(U) SSL/TLS

• (U) Secure Sockets Layer/Transport Layer Security

• (U) WARNING! e-commerce = tons of uninteresting SSL traffic

• (U) Common ports: TCP ports 443, 995

• (U) RFC 2246, RFC 4346, RFC 5246
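The three protocol slides above (PPTP, IPSec, SSL/TLS) boil down to a handful of ports and IP protocol numbers. The Python below is an added example, not part of the presentation or of any tool it names: it shows how a network owner's own monitor can sort packets into those same families from the slides' facts and, for IKE, parse the 28-byte ISAKMP fixed header so the IKE version and exchange type get logged (the header layout is RFC 2408/RFC 4306, and the four-zero-byte "non-ESP marker" that tells IKE from ESP on UDP 4500 is RFC 3948; neither is on the slides). The sample packets are constructed and the function names are mine.

```python
"""Classify packets into the VPN families on the slides and parse the IKE header.

Added example (not from the presentation). The port/protocol facts are the slides';
the ISAKMP fixed-header layout is RFC 2408 / RFC 4306 and the UDP 4500 "non-ESP
marker" is RFC 3948. Sample packets below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# ISAKMP fixed header, 28 bytes, network byte order:
# initiator SPI(8) responder SPI(8) next payload(1) version(1) exchange type(1) flags(1) message ID(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE carried on UDP 4500 starts with four zero bytes

IKEV1_EXCHANGES = {2: "identity-protection (main mode)", 4: "aggressive", 5: "informational", 32: "quick mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass(frozen=True)
class IkeHeader:
    initiator_spi: bytes
    responder_spi: bytes
    version: str   # "IKEv1" or "IKEv2"
    exchange: str
    length: int


def parse_isakmp(payload: bytes) -> Optional[IkeHeader]:
    """Parse the fixed header; return None if the bytes are not a plausible ISAKMP message."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    ispi, rspi, _next, version, exch, _flags, _msg_id, length = ISAKMP_HDR.unpack_from(payload)
    major = version >> 4
    names = {1: IKEV1_EXCHANGES, 2: IKEV2_EXCHANGES}.get(major)
    if names is None or exch not in names:
        return None
    # the length field must cover at least the header and cannot exceed what was captured
    if length < ISAKMP_HDR.size or length > len(payload):
        return None
    return IkeHeader(ispi, rspi, f"IKEv{major}", names[exch], length)


def build_isakmp(ispi: bytes, rspi: bytes, version: int, exchange: int, body: bytes = b"") -> bytes:
    """Assemble a header-plus-body ISAKMP message (constructed test input, not a real handshake)."""
    return ISAKMP_HDR.pack(ispi, rspi, 0, version, exchange, 0, 0, ISAKMP_HDR.size + len(body)) + body


def classify_flow(ip_proto: int, src_port: int, dst_port: int, payload: bytes = b"") -> str:
    """Map one packet to the VPN family the slides describe, using their ports and protocol numbers."""
    ports = {src_port, dst_port}
    if ip_proto == 47:                       # GRE carries the PPTP data channel
        return "pptp-data (GRE, RFC 2637)"
    if ip_proto == 50:                       # ESP directly over IP
        return "esp (RFC 2406)"
    if ip_proto == 6:
        if 1723 in ports:
            return "pptp-control (TCP 1723, RFC 2637)"
        if ports & {443, 995}:
            return "ssl/tls (TCP 443/995)"
        if 500 in ports:
            return "isakmp-over-tcp (TCP 500)"
    if ip_proto == 17:
        if 500 in ports:
            hdr = parse_isakmp(payload)
            return f"isakmp {hdr.version} {hdr.exchange}" if hdr else "isakmp (UDP 500, header not parsed)"
        if 4500 in ports:                    # NAT traversal: IKE or ESP, told apart by the marker
            if payload.startswith(NON_ESP_MARKER):
                hdr = parse_isakmp(payload[len(NON_ESP_MARKER):])
                return (f"isakmp {hdr.version} {hdr.exchange} (NAT-T, UDP 4500)"
                        if hdr else "isakmp (NAT-T, header not parsed)")
            return "esp-in-udp (NAT-T, UDP 4500)"
    return "unclassified"


if __name__ == "__main__":
    # constructed packets: IKEv1 main mode on UDP 500, IKEv2 IKE_SA_INIT behind NAT, ESP-in-UDP
    main_mode = build_isakmp(b"\x11" * 8, b"\x00" * 8, 0x10, 2)
    sa_init = NON_ESP_MARKER + build_isakmp(b"\x22" * 8, b"\x00" * 8, 0x20, 34)
    for args in [(47, 0, 0, b""), (6, 51000, 1723, b""), (17, 500, 500, main_mode),
                 (17, 4500, 4500, sa_init), (17, 4500, 4500, b"\x00\x00\x12\x34\x00\x00\x00\x01"),
                 (6, 40000, 443, b"")]:
        print(args[:3], "->", classify_flow(*args))
```

Recording version and exchange type, not just "isakmp", is the useful part for a defender: it turns passive capture into an inventory of which gateways still negotiate IKEv1 and in which mode, which is what a hardening review of the IPSec authentication settings on the slide starts from.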


(U) SSL in a nutshell

[Diagram: a certificate with the fields Subject, Validity, Public Key, Issuer, etc.]

(U) SSL Exchange

1. Client connects to server
2. Server sends cert to client
3. Client validates cert
4. Key exchange
5. Pass encrypted material

(TS//SI//REL) Who works VPNs?

(TS//SI//REL) VPN Working Group (go vpn)

S2, SSG, CES (OTTERCREEK, NSP, S31322, S3117, S3112), TAO, etc.

(TS//SI//REL) Alias: (Board alias: )

(TS//SI//REL) Meets every other Thursday at 1300

(TS//SI//REL) So you think your target is using a VPN...

(TS//SI//REL) SigDev Tools

(TS//REL) VPN Specific

• BLEAKINQUIRY
• DISCOROUTE
• TOYGRIPPE

(TS//REL) Also useful

• MARINA
• MASTERSHAKE
• NKB
• PINWALE
• RENOIR
• TREASUREMAP
• TUNINGFORK
• XKEYSCORE

(TS//SI//REL) TOYGRIPPE

• (TS//SI//REL) Database of VPN metadata
  ° IPSec, PPTP, ViPNet

[Screenshot: TOYGRIPPE "Standard Form" query page in Firefox. Navigation: XK Results; Query (Standard, FreeForm); Results (All Results, View, Excel, Text Delimited); Preferences (General); Help (FAQ, Contact Us). Form: Date Range (required; start and end date/time); Data Fields (Timestamp, Site, Type, Geo Source Country, Source IP Address, Destination IP Address, Geo Destination Country, IPSEC Authentication Name); Field Information, with checkboxes to exclude the indicated value: Sites, Sources (e.g. ACTIVE_SURVEY), Case Notation, Vendor Name, Source CIDR, Destination CIDR, Source Company, Dest. Company, Source Country, Dest. Country, Source Domain, Dest. Domain, Info Name; data fields are queried with AND/OR constraints; Save Standard Query (Query Name, Description, Store); IP Addresses (ranges and wildcards accepted): Source IP Addresses, Source IP Ports, Destination IP Addresses, Destination IP Ports, with an option to constrain results to source AND/OR destination IP address matches; Execute / Clear All.]

(TS//REL) TYG Tips:

• Populate "Display Fields"
• For both directions between 2 IPs, use AND
• For either direction connecting to a single IP, put the IP in both "Source" and "Destination" boxes, and use OR

[Screenshot: TOYGRIPPE "Query Results" page in Firefox. Each row carries a classification (TS//SI//REL TO USA, FVEY), a timestamp (2011-04-01 to 2011-04-03), a case notation (mostly KLDAB00001M1100, also IRS1037 and IR1S035), a SIGAD (UKJ-260D, DS-300, DS-200B, US-966E), the protocol (IKEv1 or ESP), source and destination country (IR, DE) and, where known, the IPSec authentication method ("pre-shared key").]
• (U) Export results to Excel or a text doc for easier sorting.

(TS//SI//REL) XKEYSCORE

(TS//REL) Fingerprints

• IPSec
  ° vpn/esp
  ° vpn/isakmp

• PPTP
  ° vpn/pptp*

• SSL
  ° network_encryption/ssl

(TS//REL) Search Forms

• Start with FULL DNI
  ° vpn/*
  ° network_encryption/*

• IPSec
  ° IKE Parser

• SSL
  ° SSL Parser

[Screenshot: XKEYSCORE "Search: Full Log" form in Firefox. The left navigation lists the Classic search forms, among them Cisco Passwords, DNS, Document Metadata, Email Addresses, Extracted Files, Full Log DNI, Geo Info, HTTP Activity, IKE Parser, Keylogger, Logins and Passwords, Machine Info, Network Logs, Radius Logs, Registry, SIP, SSH Parser, SSL Parser, Shellcode, TIPOFF Collection, User Activity. Form fields: Query Name; Justification, filled in as "(TS//SI//REL) Looking for traffic to perform vulnerability assessment"; Additional justification; Miranda Number; Client IP (X-Forwarded-For); WLAN Channel, SSID, BSSID, DMAC, SMAC; date range (1 day; start 2011-04-03 00:00, stop 2011-04-05 00:00; current time 2011-04-04 14:04:04 GMT); IP Address Field Builder. A footer notes that the query is audited for USSID18 and Human Rights Act compliance.]

[Screenshot: lower part of the same XKEYSCORE "Search: Full Log" form. Paired From/To fields: Country, City (IP), Latitude (IP), Longitude (IP), Regions (IP) (Map Field Builder), Outer Tunnel IP Address, Outer Tunnel Port (IP Address Field Builder), AppID (+Fingerprints) (fulltext; Populate with Field Builder / Populate with Tree Field Builder). The Country fields show the filter "!US AND !GB AND !CA AND !NZ AND !AU", with the options "One side is not 5-eyes" and "Both sides are not 5-eyes".]

• (TS//REL) For initial searches, you may want to leave this blank to see all of the different kinds of traffic that are found on the IP pair.

[Screenshot: XKEYSCORE Metaviewer results page for an IP pair in Firefox. Columns: Sigad (all UKJ-260D), Case notation (all KLDAB00001M1100), Datetime (2011-04-03, one record roughly every three minutes from 00:00:52 to 01:45:53), From Port (0, or 500 for the ISAKMP records), To Country, To City (IP), To Port, Application (vpn/esp, with vpn/isakmp on two rows), AppID (+Fingerprints) (vpn/esp rows carry nac/vpn/protocol/esp; vpn/isakmp rows carry vpn/ipsec/isakmp main mode key exchange message and vpn/isakmp content). Page 1 of 24, page size 50 (max 100 rows per page), displaying 1-50 of 1171.]

[Screenshot: XKEYSCORE Metaviewer results for CREAKSTILE_HW_PK in Firefox (Histogram/Grid and Map views; Clear Selection, Export). Columns: State, ID, Classification, Sigad (UKG-302A), Case notation, Datetime (2011-04-01), From Port (500), From City (IP), From Country, To Port (500), Application (vpn/isakmp), AppID (+Fingerprints) (vpn/isakmp content, vpn/isakmp phase 1 policy, vpn/device/ipsec). Page 1 of 6, page size 50 (max 100 rows per page), displaying 1-50 of 298.]

(TS//SI//REL) PINWALE

• (TS//SI//REL) Both VPN traffic and sys admins passing information about VPN setup

• (TS//SI//REL) IP addresses and port numbers (ex. AP 00500); Document Zone = C2C

• (TS//SI//REL) Display 'DZ Protocol SRC Port', 'DZ Protocol DEST Port', 'Next Protocol Name'

(TS//SI//REL) DISCOROUTE

• (TS//SI//REL) Router configuration data
  ° From passive and active collection
  ° Key terms to search for within configs: 'crypto map', 'isakmp', 'ipsec', 'pre-shared-key'
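The same key terms are what a network owner should be searching their own configs for before a copy leaves the router (backups, tickets, mailing lists), since the deck's whole approach rests on configs and "sys admin chatter" that carry the pre-shared key in the clear. The Python below is an added example, not code from the presentation or from DISCOROUTE: a small audit that flags plaintext pre-shared keys and SNMP community strings (redacting the secret in its own report), weak IKE/IPsec algorithm choices, and the lines that give context (pre-shared authentication, crypto maps). The rules are constructed for this example and cover Cisco IOS and Huawei VRP spellings; the Huawei ones match the "encryption-algorithm 3des-cbc" / "dh group2" / "sha1" lines visible in the deck's DiscoRoute results screenshot. The sample configuration is made up (RFC 5737 addresses) and the rule names and severities are my choice.

```python
"""Audit a router configuration for VPN secrets and weak IKE/IPsec settings.

Added example, not code from the presentation or from any of the tools it names.
Rules are constructed for this example and cover Cisco IOS and Huawei VRP
spellings; the sample configuration below is made up (RFC 5737 addresses).
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str   # "high", "medium" or "info"
    rule: str
    text: str       # the offending line with any secret already redacted


# (rule name, severity, pattern); several rules may fire on one line
RULES = [
    # a pre-shared key stored in the clear (IOS "key 0 ..." or bare key; Huawei "simple ...")
    ("plaintext-psk", "high", re.compile(r"^\s*crypto isakmp key\s+(?:0\s+)?\S+\s+address\b", re.I)),
    ("plaintext-psk", "high", re.compile(r"^\s*pre-shared-key\s+(?:address\s+\S+\s+)?(?:key|simple)\s+\S+", re.I)),
    ("snmp-community", "high", re.compile(r"^\s*snmp-server community\s+\S+", re.I)),
    # algorithm choices: single/triple DES, MD5/SHA-1, 768/1024-bit DH groups
    ("weak-cipher", "medium", re.compile(r"\bencr(?:yption)?(?:-algorithm)?\s+(?:3des|des)(?:-cbc)?\b|\besp-(?:3des|des)\b", re.I)),
    ("weak-hash", "medium", re.compile(r"\bhash\s+(?:md5|sha)\b|\bauthentication-algorithm\s+(?:md5|sha1)\b|\besp-(?:md5|sha)-hmac\b", re.I)),
    ("weak-dh-group", "medium", re.compile(r"(?:^|\s)(?:dh\s+)?group\s*[125]\b", re.I)),
    # context worth listing even when not wrong by itself
    ("psk-auth", "info", re.compile(r"^\s*authentication(?:-method)?\s+pre-share(?:d-key)?\b", re.I)),
    ("crypto-map", "info", re.compile(r"^\s*crypto map\b", re.I)),
]

# the token that follows these prefixes is the secret; never echo it into a report
SECRET_RE = re.compile(
    r"(crypto isakmp key\s+(?:0\s+)?|pre-shared-key\s+(?:address\s+\S+\s+)?(?:key|simple)\s+|snmp-server community\s+)\S+",
    re.I)


def redact(line: str) -> str:
    return SECRET_RE.sub(r"\1<redacted>", line)


def audit_config(config_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(raw):
                findings.append(Finding(line_no, severity, rule, redact(raw.strip())))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# constructed IOS-style configuration: one weak policy, one plaintext PSK, one encrypted (type 6) PSK
SAMPLE_CONFIG = """\
hostname lab-vpn-gw
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 hunter2psk address 198.51.100.7
crypto isakmp key 6 dGhpcy1pcy1lbmNyeXB0ZWQ address 198.51.100.8
!
crypto ipsec transform-set TS-WEAK esp-3des esp-sha-hmac
crypto ipsec transform-set TS-OK esp-aes 256 esp-sha256-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set TS-WEAK
!
snmp-server community public RO
"""

if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.line_no:>2} [{f.severity:<6}] {f.rule:<15} {f.text}")
    print(severity_counts(results))
```

The encrypted "key 6" line deliberately produces no finding, and the report never contains the secret itself, so the output can be pasted into a ticket without recreating the leak the audit is looking for.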

[Screenshot: NKB DiscoRoute (version 2.14) "Combined Query" page in Firefox. Query fields: Text Query; Date (Start Date, End Date; DOI / Load Date / Entire Database); IP Address (1.2.3.4, 1.2.3.4/[CIDR] or 1.2.3.4 - 3.4.5.6), with IP Range Search over Interfaces - Subnet, Static Route IP, Access Lists and Routing Protocol IP, Exact IP Search over IP Header FROM/TO, Interfaces - Exact and Anywhere else in the XML, and a limit on CIDR range size; vendor checkboxes Cisco, Huawei, Infinet, Juniper, Mikrotik, Tenorswitch (any checked item found: OR condition); Hostname, SIGAD, Case, Country, TAO Project Name, AS Number; Manifest (Cisco only; Seen in Config / Derived): A EQUANT, B BGP, D Show CDP, G GPRS, H TAO Pop, I Show Interfaces, K Crypto Keys, M Multihop, N Tgt Net Service, O OSPF, P VoIP, R Show Run, T Tacacs, V Show Version (all checked items must be found: AND condition); SNMP Community; IOS Image Name; Device Type; an option to collapse results by hostname/SIGAD; Query History.]

[Screenshot: DiscoRoute "Detailed Combined Command Results". Columns: Hostname (e.g. GW_SMS, A6-VPN), Model, DOI (2009 dates), Vendor (huawei, cisco), Sigad, Case, Manifest, IOS Image, SPort (23), DPort. Actions: Save as CSV, Save Files to Disk, Compare Results, Summary, Mailorder Out, Map in Renoir, Map Multiple Configs in Renoir, Find Related; tabs Payload XML, Summary, Map, Query Parameters, Open in New Window. The payload pane shows a Huawei configuration excerpt whose legible lines are:

    password cipher [value not legible]
    service-type telnet terminal
    ike proposal 10
    encryption-algorithm 3des-cbc
    dh group2
    esp authentication-algorithm sha1

Footer: Powered by the SIGDEV Lab; Version Number 2.14; Last Modified Date March 14, 2011; Last Reviewed Date March 14, 2011.]

[Screenshot: DiscoRoute (version 2.14) "Detailed Combined Command Results" for Cisco routers; the page is marked "Dynamic Page -- Highest Possible Classification is TOP SECRET//COMINT//ORCON/NOFORN//20320108". Rows show hostnames such as VPN01-UNAMI-…, VPN02-UNAMI-…, kuw-hub, r-unami-kuw-isp, ISP02-UNAMI-…, bdr01-unami-…; models c2600 and c2800nm; DOI 2009-2010; vendor cisco; Sigad UKC-125W or US-967J; Case; Manifest flags (K, PR, D K R, etc.); IOS Image (c2600-advs…, c2800nm-ad…); S Country (RESERVED, DUBAI); S City; SPort (23); DPort. Page 1 of 2, results 1-200. The payload pane shows the device login banner ("Authorized Personnel Only. If you do not have explicit authorization issued by UNAMI NHU to access this device, leave now!") and a description line beginning "THIS ROUTER IS THE VOICE GATEWAY INTENDED FOR USE WITH THE …". Footer: Powered by the SIGDEV Lab; Version Number 2.14; Last Modified Date March 14, 2011; Last Reviewed Date March 14, 2011.]

(U) Others

• (TS//REL) NKB
• (TS//REL) TUNINGFORK
• (TS//REL) TREASUREMAP
• (TS//REL) RENOIR
• (TS//REL) MASTERSHAKE
• (TS//REL) ROADBED
• (TS//REL) BLEAKINQUIRY

(TS//SI//REL) Basic VPN rules of

(TS//REL) If you have an IP address...

• Check TOYGRIPPE and XKS
  ° Look for paired traffic
• For IPSec, check sys admin chatter for PSK (DISCOROUTE; PINWALE; MARINA)

(TS//REL) If you don't...

• Look in DISCOROUTE
• Query sys admins in PINWALE and MARINA
• Check your target's TAO projects

• Share your data with OTTERCREEK for vulnerability assessment (XKEYSCORE or DROPBOX)
• Submit tasking

EITHER WAY, JOIN THE VPN WORKING GROUP FOR ALL OF YOUR VPN SIGDEV NEEDS

(U//FOUO) Useful Links

■ (ts//si//rel) VPN Working Group (go vpn)

■ (ts//si//rel) OTTERCREEK (go VPN XFT)

□ VPNXFT DROPBOX


(U) Questions?

OTTERCREEK
