EXETOOLS FORUM  
  #1  
Old 03-08-2017, 14:45
chants
Trove of CIA hacking tools

https://wikileaks.org/ciav7p1/

Perhaps we can maintain a thread that highlights the key articles with reverse engineering related exploits and zero-day vulnerabilities. There is a huge amount of documents and unfortunately the key code snippets are redacted. Nonetheless, I think a lot that is relevant to RE can be gleaned.
  #2  
Old 03-08-2017, 17:32
abhi93696
WARNING- DOWNLOAD AT YOUR OWN RISK!!

I was searching regarding this and found this torrent:
Quote:
pass: SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds
PS: I have not seen what's inside it!! So use it at your own risk!!

Regards
  #3  
Old 03-08-2017, 18:46
Kerlingen
The published "leak" doesn't really contain anything interesting, just a bunch of text messages and a few PDFs. No libraries, binaries or sources are included.

I looked into a few of these messages and some of them made me really believe they were written by some business economist since no "spy" or "coder" could be that stupid.

A few examples:
  • The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run was classified as "secret" and "don't share with foreign nationals" in the year 2014. It's not like that was public information worldwide for 20 years...
  • SHA384 must be used without truncating. I have no idea how SHA384 is supposed to do that since it is truncated per definition.
  • AES must be used with at least 256 bit. AES is only specified with a maximum of 256 bit. And what should we use as a key? A non-truncated SHA384?
  • Coders should use secure random number generators. If that is not possible, coders should use SHA256 on that weak random number in order to make it a secure random number. Did they get that information from the tabloids?
  • If some covert US spy enters a country and customs asks him what he's doing there, he should answer "I'm an engineer, I'm here for engineering stuff". No comment on that...
  • The CIA has a 3-user WinHex 16.1 license. If somebody gets access to a newer license they should share it in the CIA wiki. Seriously... ? (no WinHex license in the leak, don't ask)
  • Don't compile malware binaries in US business hours since the timestamp would allow tracing them back to the US. I'm wondering if paying for all that overtime is cheaper than telling the coders about SetFileTime.
  • In order to update their iPhone/iPad operating systems the employees must fill out a form so an admin can activate internet access for that device from the secret CIA network which isn't connected to the internet. And they're really wondering how things "leak" to the public?

Last edited by Kerlingen; 03-08-2017 at 18:55.
  #4  
Old 03-08-2017, 19:20
klvgen
I agree with Kerlingen, same with UAC bypass code or code injection. Most if not all techniques have been known for x years.
  #5  
Old 03-08-2017, 19:52
mcp
Without citing sources for your claims, your "collection" of statements is practically worthless, sorry.

Just a few less hyperbolic comments:
  • The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run certainly wasn't classified as "secret" as you claim. The page talking about a *module* which exposes functionality to create a key in that path was. It even says that on the page: "Technique Origin: Internet/open-source (Well-known)".
  • wrt SHA384 it's pretty clear that advice is to not truncate the result any further. Not that truncation may never happen in any form.
  • Same for AES. It says minimum bit length is 256 - entirely correct from a mathematical perspective.
  • It's not only about the timestamp of the executable file itself; it's also about timestamps in included files, resources or other lesser known compiler/linker artifacts that might carry timestamps with them. In general, these folks of course do care a lot about making it harder for 3rd parties to attribute anything to them. See their internal discussion about the Equation Group Kaspersky reports.
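The timestamp point in the last bullet above (and Kerlingen's SetFileTime remark in post #3), worked as an added example that is not code from the thread or from the leak: it reads the COFF TimeDateStamp out of a PE header and reports in which UTC offsets that build time was a weekday working hour, which is the kind of check an analyst runs when weighing timestamp-based attribution. The minimal PE header, the 9-17 window and the sample date are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_timedatestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def in_business_hours(ts: int, utc_offset_hours: int, start_hour: int = 9, end_hour: int = 17) -> bool:
    """True if ts falls Monday-Friday inside [start_hour, end_hour) at the given UTC offset."""
    local = datetime.fromtimestamp(ts, timezone(timedelta(hours=utc_offset_hours)))
    return local.weekday() < 5 and start_hour <= local.hour < end_hour


def working_hour_offsets(ts: int) -> list:
    """UTC offsets (-12..+14) in which the build time is a weekday working hour."""
    return [off for off in range(-12, 15) if in_business_hours(ts, off)]


def build_sample_pe(ts: int) -> bytes:
    """Construct a minimal PE header for the demo (assumption: not a real or loadable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, ts, 0, 0, 0, 0)  # IMAGE_FILE_HEADER, i386, 1 section
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed sample: a build stamped Tuesday 2014-06-10 14:30 in UTC-4 (18:30 UTC).
SAMPLE_TS = int(datetime(2014, 6, 10, 14, 30, tzinfo=timezone(timedelta(hours=-4))).timestamp())

if __name__ == "__main__":
    stamp = pe_timedatestamp(build_sample_pe(SAMPLE_TS))
    print("TimeDateStamp:", datetime.fromtimestamp(stamp, timezone.utc).isoformat())
    print("UTC offsets where this was a weekday working hour:", working_hour_offsets(stamp))
```

A stamp that lands in working hours only for a narrow band of offsets is weak evidence on its own; a sample whose stamps are all zero or all identical across resources is more likely to have been rewritten than built at that time.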
  #6  
Old 03-08-2017, 21:35
gabri3l
One interesting find is that the CIA use an internal debugging environment developed by the NSA called Ghidra. Obviously no binary included, but interesting nonetheless.
  #7  
Old 03-08-2017, 23:05
abhi93696
Yeah, it doesn't contain binaries but has many interesting things!!
For example: CIA hackers were able to bypass the encryption implemented by most popular secure messaging apps such as Signal, WhatsApp, and Telegram. And much more....
  #8  
Old 03-09-2017, 03:47
mudlord
Quote:
Originally Posted by Kerlingen View Post
The CIA has a 3-user WinHex 16.1 license. If somebody gets access to a newer license they should share it in the CIA wiki. Seriously... ? (no WinHex license in the leak, don't ask)
So the CIA is allowed to violate license agreements at will because it's the CIA. Fun. What truly pisses me off is they can claim it's for some bullshit "national security" reason....

Last edited by mudlord; 03-09-2017 at 03:56.
  #9  
Old 03-09-2017, 04:11
ionioni
--not needed anymore--

Last edited by ionioni; 03-12-2017 at 01:24.
  #10  
Old 03-09-2017, 12:56
abhi93696
Quote:
Originally Posted by mudlord View Post
So the CIA is allowed to violate license agreements at will because it's the CIA. Fun. What truly pisses me off is they can claim it's for some bullshit "national security" reason....
Yup! All rules are for us, and no rules for them!!
Hope they will not read this thread!
  #11  
Old 03-09-2017, 18:17
niculaita
More links contain fake leaks!
  #12  
Old 03-12-2017, 16:33
deepzero
I so hope we'll see some binaries once they've got the zero-days fixed.
  #13  
Old 03-13-2017, 00:21
bolo2002
Quote:
Originally Posted by deepzero View Post
I so hope we'll see some binaries once they've got the zero-days fixed.
It wouldn't be a leak anymore; a lot of noise for nothing as usual. The recent leaks created articles but nothing usable.
  #14  
Old 03-13-2017, 12:55
cybercoder
It's giving the alphabet agencies enough time to cover their tracks and update their stuff. These tools will be useless once they are released.
  #15  
Old 03-13-2017, 15:16
mudlord
Yep, and considering the billions in government funding these agencies have...