Title: VPN SigDev Basics
Release Date: 2014-12-28
Description: This undated NSA presentation describes how to perform attacks against VPNs: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.
Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
(TS//SI//REL) VPN SigDev Basics
S31244 - OTTERCREEK
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20341101
UNCLASSIFIED
(U) What is a VPN?
• (U) A Virtual Private Network or VPN is a computer network that uses encryption to securely connect remote users/networks over an otherwise insecure network, usually the public internet.
• (U) Common Types:
° PPTP, IPSec, SSL
• (U) Public Key Encryption
° Diffie-Hellman, RSA
(U) PPTP
• (U) Microsoft Point-to-Point Tunneling Protocol
• (U) Control Channel
° TCP port 1723
• (U) Data Channel
° GRE, IP Next Protocol 47
• (U) RFC 2637, RFC 3078
(U) IPSec
• (U) Authentication
° Pre-shared key (PSK) or public key certificates
• (U) ISAKMP/IKE packets are used for key exchange and to establish the secure connection
° UDP port 500, 4500; TCP port 500
• (U) ESP packets contain the encrypted data
° IP Next Protocol 50; UDP port 500
• (U) RFC 2402, RFC 2406, RFC 2409, RFC 4306, RFC 2408
(U) IPSec in a nutshell
(Diagram slide; no recoverable text.)
(U) SSL/TLS
• (U) Secure Sockets Layer/Transport Layer Security
• (U) WARNING! e-commerce = tons of uninteresting SSL traffic
• (U) Common ports: TCP ports 443, 995
• (U) RFC 2246, RFC 4346, RFC 5246
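The port and next-protocol rules on the PPTP, IPSec and SSL slides, as an added example that is not part of the presentation: it labels flow records the way a network monitor would, using the fingerprint names the deck's XKEYSCORE slide lists (vpn/esp, vpn/isakmp, vpn/pptp, network_encryption/ssl). The sample flows are constructed; a defender would feed in NetFlow or Zeek conn logs to find tunnels on segments that should not carry them.

```python
"""Flow classifier for the VPN protocol rules described in the deck.

Added example (not from the original presentation). Rules taken from the
slides: PPTP = TCP 1723 control + GRE (IP protocol 47) data; IPSec = UDP
500/4500 (or TCP 500) ISAKMP/IKE + ESP (IP protocol 50); SSL = TCP 443/995.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP "next protocol" numbers; TCP/UDP added so port rules can be applied
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP next-protocol number
    sport: int = 0  # 0 when the protocol has no ports (GRE, ESP)
    dport: int = 0


def classify(flow: Flow) -> Optional[str]:
    """Return the fingerprint label for a flow, or None if it is not VPN-like."""
    ports = {flow.sport, flow.dport}
    if flow.proto == PROTO_ESP:
        return "vpn/esp"                     # ESP carries the encrypted data
    if flow.proto == PROTO_GRE:
        return "vpn/pptp"                    # PPTP data channel is GRE
    if flow.proto == PROTO_UDP and ports & {500, 4500}:
        return "vpn/isakmp"                  # ISAKMP/IKE key exchange
    if flow.proto == PROTO_TCP:
        if 1723 in ports:
            return "vpn/pptp"                # PPTP control channel
        if 500 in ports:
            return "vpn/isakmp"              # IKE over TCP, as the deck lists
        if ports & {443, 995}:
            return "network_encryption/ssl"  # SSL/TLS (HTTPS, POP3S)
    return None


Pair = Tuple[str, str]


def pair_summary(flows: List[Flow]) -> Tuple[Dict[Pair, Counter], List[Tuple[Pair, str]]]:
    """Count labels per unordered IP pair (the 'paired traffic' view the deck
    recommends) and flag ESP on a pair with no ISAKMP exchange: a data channel
    whose key exchange happened elsewhere or before monitoring began."""
    pairs: Dict[Pair, Counter] = {}
    for f in flows:
        label = classify(f)
        if label is None:
            continue
        key = tuple(sorted((f.src, f.dst)))
        pairs.setdefault(key, Counter())[label] += 1
    findings = [(key, "esp-without-ike") for key, c in pairs.items()
                if c["vpn/esp"] and not c["vpn/isakmp"]]
    return pairs, findings


# Constructed sample flows (RFC 5737 documentation addresses)
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", PROTO_UDP, 500, 500),
    Flow("192.0.2.10", "198.51.100.5", PROTO_ESP),
    Flow("198.51.100.5", "192.0.2.10", PROTO_ESP),
    Flow("192.0.2.11", "198.51.100.7", PROTO_ESP),              # ESP, no IKE seen
    Flow("192.0.2.12", "203.0.113.9", PROTO_TCP, 40000, 1723),
    Flow("192.0.2.12", "203.0.113.9", PROTO_GRE),
    Flow("192.0.2.13", "203.0.113.80", PROTO_TCP, 40001, 443),
    Flow("192.0.2.13", "203.0.113.80", PROTO_TCP, 40002, 80),  # plain HTTP, ignored
]

if __name__ == "__main__":
    pairs, findings = pair_summary(SAMPLE_FLOWS)
    for key, counts in pairs.items():
        print(key, dict(counts))
    print("findings:", findings)
```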
(U) SSL in a nutshell
(Diagram: a certificate with Subject, Validity, Public Key, Issuer, etc., presented by the server to the client.)
(U) SSL Exchange
1 Client connects to server
2 Server sends cert to client
3 Client validates cert
4 Key exchange
5 Pass encrypted material
(TS//SI//REL) Who works VPNs?
• (TS//SI//REL) VPN Working Group (go vpn)
° S2, SSG, CES (OTTERCREEK, NSP, S31322, S3117, S3112), TAO, etc.
• (TS//SI//REL) Alias: (Board alias: )
• (TS//SI//REL) Meets every other Thursday at 1300
(TS//SI//REL) So you think your target is using a VPN...
(TS//SI//REL) SigDev Tools
(TS//REL) VPN Specific
• BLEAKINQUIRY
• DISCOROUTE
• TOYGRIPPE
(TS//REL) Also useful
• MARINA
• MASTERSHAKE
• NKB
• PINWALE
• RENOIR
• TREASUREMAP
• TUNINGFORK
• XKEYSCORE
(TS//SI//REL) TOYGRIPPE
• (TS//SI//REL) Database of VPN metadata
° IPSec, PPTP, ViPNet
(Screenshot: TOYGRIPPE Standard Form query page. A date range is required; display data fields include Site, Type, Geo Source Country, Source IP Address, Destination IP Address, Geo Destination Country and IPSEC Authentication Name; filters cover Sites, Sources, Case Notation, Vendor Name, Source/Destination CIDR, Company, Country and Domain; separate boxes take source and destination IP addresses and ports, with results constrained to source AND/OR destination matches.)
(TS//REL) TYG Tips:
° Populate "Display Fields"
° For both directions between 2 IPs, use AND
° For either direction connecting to a single IP, put the IP in both "Source" and "Destination" boxes, and use OR
(Screenshot: TOYGRIPPE Query Results page listing records dated 2011-04-01 to 2011-04-03, each with a timestamp, SIGAD, case notation, protocol (IKEv1 or ESP), source and destination country, and an authentication column that mostly reads "pre-shared key".)
• (U) Export results to Excel or a text doc for easier sorting.
(TS//SI//REL) XKEYSCORE
(TS//REL) Fingerprints
• IPSec
° vpn/esp
° vpn/isakmp
• PPTP
° vpn/pptp*
• SSL
° network_encryption/ssl
(TS//REL) Search Forms
• Start with FULL DNI
° vpn/*
° network_encryption/*
• IPSec
° IKE Parser
• SSL
° SSL Parser
(Screenshot: XKEYSCORE "Search: Full Log" form. The navigation tree lists the search forms, including IKE Parser and SSL Parser; the form takes a query name, justification, Miranda number, client IP, WLAN fields and a one-day date range. The Justification field reads "(TS//SI//REL) Looking for traffic to perform vulnerability assessment".)
(Screenshot: the same Full Log search form scrolled to the geographic and tunnel fields: Country, City (IP), Latitude/Longitude (IP), Outer Tunnel IP Address and Port, and AppID (+Fingerprints) full text. The From and To Country fields are filled with "!US AND !GB AND !CA AND !NZ AND !AU", annotated "One side is not 5-eyes" and "Both sides are not 5-eyes".)
° (TS//REL) For initial searches, you may want to leave this blank to see all of the different kinds of traffic that are found on the IP pair.
(Screenshot: XK Metaviewer results for a single IP address, displaying 1-50 of 1171 rows. Columns: Sigad, Case notation, Datetime, From Port, To Country, To City (IP), To Port, Application and AppID (+Fingerprints). Every row carries the same SIGAD and case notation; records recur about every three minutes on 2011-04-03 with ports 0/0 and Application vpn/esp (fingerprint nac/vpn/protocol/esp), with occasional port 500 rows showing Application vpn/isakmp and fingerprints for an ISAKMP main-mode key exchange message and vpn/isakmp content.)
(Screenshot: XK Metaviewer results for the saved query CREAKSTILE_HW_PK, displaying 1-50 of 298 rows. All rows are port 500 to port 500 with Application vpn/isakmp; the AppID (+Fingerprints) column shows values such as vpn/isakmp content, vpn/isakmp phase 1 policy and vpn/device/ipsec.)
(TS//SI//REL) PINWALE
• (TS//SI//REL) Both VPN traffic and sys admins passing information about VPN setup
• (TS//SI//REL) IP addresses and port numbers (ex. AP 00500) ***Document Zone = C2C
• (TS//SI//REL) Display 'DZ Protocol SRC Port', 'DZ Protocol DEST Port', 'Next Protocol Name'
(TS//SI//REL) DISCOROUTE
• (TS//SI//REL) Router configuration data
° From passive and active collection
° Key terms to search for within configs: 'crypto map', 'isakmp', 'ipsec', 'pre-shared-key'
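An added example, not from the presentation: the same key-term search run by a config's own administrator, so that what a collected copy would reveal (clear-text pre-shared keys, dated IKE proposals such as the 3DES and DH group 2 seen in the Huawei payload later in the deck) is caught in review and redacted before the config is backed up or mailed around. The Cisco IOS-style config is constructed, and the weak-setting list is this example's own assumption.

```python
"""Audit a router config for the IPSec key terms the DISCOROUTE slide lists.

Added example, not from the original presentation. Search terms come from
the slide; the weak-setting patterns and the 'key 0' clear-text convention
are this example's assumptions about IOS-style configs.
"""
import re
from typing import Dict, List

SEARCH_TERMS = ("crypto map", "isakmp", "ipsec", "pre-shared-key")

# Settings a reviewer would flag (assumption of this example, not the deck)
WEAK_PATTERNS = {
    "3des": re.compile(r"\b3des(-cbc)?\b"),
    "des": re.compile(r"\bdes\b"),
    "md5": re.compile(r"\bmd5\b"),
    "dh-group-1-or-2": re.compile(r"\bgroup\s?[12]\b"),
}
# IOS writes an unencrypted key as 'key 0 <secret>' ('6' marks an encrypted one)
CLEARTEXT_KEY = re.compile(r"\bkey\s+0\s+\S+")


def audit_config(config: str) -> Dict[str, List[str]]:
    """Return matching lines per search term, plus weak settings and clear-text keys."""
    report: Dict[str, List[str]] = {term: [] for term in SEARCH_TERMS}
    report["weak"] = []
    report["psk_cleartext"] = []
    for raw in config.splitlines():
        line = raw.strip()
        low = line.lower()
        for term in SEARCH_TERMS:
            if term in low:
                report[term].append(line)
        for name, pattern in WEAK_PATTERNS.items():
            if pattern.search(low):
                report["weak"].append(f"{name}: {line}")
        if CLEARTEXT_KEY.search(low):
            report["psk_cleartext"].append(line)
    return report


def redact_keys(config: str) -> str:
    """Replace clear-text key material so a config can be shared for review."""
    return re.sub(r"(\bkey\s+0\s+)\S+", r"\1<REDACTED>", config)


# Constructed sample config (RFC 5737 documentation addresses)
SAMPLE_CONFIG = """\
hostname edge-rtr
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 S3cretPSK address 198.51.100.5
crypto keyring PEERS
 pre-shared-key address 203.0.113.9 key 0 AnotherPSK
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set TS
interface GigabitEthernet0/0
 crypto map VPNMAP
"""

if __name__ == "__main__":
    for section, lines in audit_config(SAMPLE_CONFIG).items():
        print(f"[{section}] {len(lines)} hit(s)")
        for hit in lines:
            print("   ", hit)
    print(redact_keys(SAMPLE_CONFIG))
```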
(Screenshot: NKB DiscoRoute Combined Query form. It offers a text query; a date range by DOI, load date or entire database; vendor filters (Cisco, Huawei, Infinet, Juniper, Mikrotik, Tenorswitch); IP range or exact IP search across interfaces, static routes, access lists, routing protocol IPs, IP header FROM/TO, or anywhere in the XML; filters by hostname, SIGAD, case, country, TAO project name and AS number; and Manifest (Cisco only) flags such as B - BGP, K - Crypto Keys, R - Show Run and V - Show Version. Checked items are OR-ed in one group and AND-ed in the other.)
(Screenshot: DiscoRoute Detailed Combined Command Results, listing Huawei and Cisco devices by hostname, DOI, vendor, SIGAD and case, with telnet (port 23) source ports. The Payload XML pane shows a Huawei config excerpt including "ike proposal 10", "encryption-algorithm 3des-cbc", "dh group2" and "esp authentication-algorithm sha1".)
(Screenshot: a second DiscoRoute result set of Cisco routers with manifest flags, IOS image names, source country and ports. The payload pane shows a login banner reading "Authorized Personnel Only ... If you do not have explicit authorization ... to access this device, leave now!" followed by a description line identifying the router as a gateway.)
(U) Others
• (TS//REL) NKB
• (TS//REL) TUNINGFORK
• (TS//REL) TREASUREMAP
• (TS//REL) RENOIR
• (TS//REL) MASTERSHAKE
• (TS//REL) ROADBED
• (TS//REL) BLEAKINQUIRY
(TS//SI//REL) Basic VPN rules of thumb
(TS//REL) If you have an IP address...
• Check TOYGRIPPE and XKS
° Look for paired traffic
• For IPSec, check sys admin chatter for PSK (DISCOROUTE; PINWALE; MARINA)
• Share your data with OTTERCREEK for vulnerability assessment (XKEYSCORE or DROPBOX)
• Submit tasking
(TS//REL) If you don't...
• Look in DISCOROUTE
• Query Sys Admins in PINWALE and MARINA
• Check your target's TAO projects
EITHER WAY, JOIN THE VPN WORKING GROUP FOR ALL OF YOUR VPN SIGDEV NEEDS
(U//FOUO) Useful Links
■ (TS//SI//REL) VPN Working Group (go vpn)
■ (TS//SI//REL) OTTERCREEK (go VPN XFT)
□ VPNXFT DROPBOX
(U) Questions?
OTTERCREEK