SECRET//NOFORN

(U) Hive
Infrastructure Installation
and
Configuration Guide

November 11, 2012

Classified By: 0706993

Reason: 1.4(c)
Declassify On: 20371105
Derived From: COL S-06

SECRET//NOFORN
 SECRET//NOFORN
Hive Infrastructure Configuration Guide

ii SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide

(U) Table of Changes

Date Change Description Authority

Initial Release EDG/AED/EDB

November 2012 SECRET//NOFORN//20371105 iii

 SECRET//NOFORN
Hive Infrastructure Configuration Guide

iv SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide

(U) Table of Contents

1 (U) Overview...........................................................................................................................................1
2 (S//NF) Cover Server...............................................................................................................................2
2.1 (U//FOUO) Install and Configure Apache web server.....................................................................2
2.2 (U) Secure Apache Web Server........................................................................................................2
3 (S//NF) Honeycomb Tool Handler..........................................................................................................3
4 (S//NF) Blot Proxy...................................................................................................................................4
4.1 (U) Network Interfaces.....................................................................................................................4
4.2 (S//NF) Blot Proxy............................................................................................................................4
4.2.1 (U) Software Installation............................................................................................................4
4.2.2 (U) Configuration.......................................................................................................................4
4.3 (S//NF) OpenVPN.............................................................................................................................6
4.3.1 (U) Software Installation............................................................................................................6
4.3.2 (S//NF) Key Generation.............................................................................................................7
4.3.3 (S//NF) Blot-Side Configuration................................................................................................7
5 (S//NF) VPS Redirector...........................................................................................................................9
5.1 (S/NF) IPv6 Security.........................................................................................................................9
5.2 (S//NF) Install and Configure Redirection Script.............................................................................9
5.3 (S//NF) OpenVPN Configuration...................................................................................................10
5.4 (S//NF) Add Redirection and Logging (Optional)..........................................................................10
5.5 (U) Configure Routing....................................................................................................................10
6 (U) Test and Troubleshooting................................................................................................................11
6.1 Unresponsive Cover Server............................................................................................................11
6.2 Lost Beacons...................................................................................................................................11

November 2012 SECRET//NOFORN//20371105 v

 SECRET//NOFORN
Hive Infrastructure Configuration Guide

vi SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide (U) Overview

1 (U) Overview
(S//NF) Pictured below is an example of the Hive operating environment.

(S//NF) Beacons from an implanted host enter a commercial VPS server that has been configured as a
redirector for the given domain (domainA.com or domainB.com). Traffic for these domains is redirected
into a VPN tunnel to a Blot proxy. Each VPS redirector modifies the destination port number to one that
corresponds to the domain that it is servicing. So, for example, beacons and other web traffic entering
the VPS redirector servicing domain A would have port 80 traffic changed to port 8001 before being sent
on to the Blot proxy. The Blot proxy looks at the redirected traffic and, if it finds a valid beacon,
forwards it to the tool handler (Honeycomb in this case); all other traffic is forwarded to the cover
server. The cover server uses the destination port number to determine what web pages it will display,
domain A or domain B.

(S//NF) Each section below covers the installation and configuration of the key components making up
this infrastructure, starting with the cover server and working out to the VPS redirectors. All servers are
assumed to be running a CentOS distribution of Linux.

November 2012 SECRET//NOFORN//20371105 1

 SECRET//NOFORN
(S//NF) Cover Server Hive Infrastructure Configuration Guide
2 (S//NF) Cover Server

2.1 (U//FOUO) Install and Configure Apache web server

• Install the Apache web server using:
yum install httpd
• Go to the directory /etc/httpd/conf
• Edit /etc/httpd/conf/httpd.conf
Add the following line to the bottom of the file.
include /etc/httpd/vhosts.d/*.conf

• Create the directory /etc/httpd/vhosts.d

• Create a file for each domain that is to be served using the name vhost<n>.conf using the
format shown below in an example configuration for /etc/httpd/vhosts.d/vhost1.conf
#NameVirtualHost *:80

Listen 172.16.64.10:8001
<VirtualHost 172.16.64.10:8001>
DocumentRoot /var/www/html/vhosts/vhost1/docroot
ServerName vhost1.edb.devlan.net
ServerAlias 10.6.5.191
ErrorLog /var/log/www/vhosts/vhost1/error.log
TransferLog /var/log/www/vhosts/vhost1/access.log
<Directory /var/www/html/vhosts/vhost1/docroot>
Options Indexes FollowSymLinks Multiviews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

Virtual host address – the real (internal address) used for internal routing
ServerAlias – is the address that is seen in the public address space

• /etc/httpd/vhosts.d/vhost2.conf
•

2.2 (U) Secure Apache Web Server

(U) [The configuration files need to be scrutinized carefully to assure that the server has adequate
security.]

2 SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide (S//NF) Honeycomb Tool Handler

3 (S//NF) Honeycomb Tool Handler

(S//NF) Refer to documentation on the Honycomb Tool Handler for this task.

November 2012 SECRET//NOFORN//20371105 3

 SECRET//NOFORN
(S//NF) Blot Proxy Hive Infrastructure Configuration Guide
4 (S//NF) Blot Proxy
(S//NF) Three components must be configured: 1) Network interfaces, 2) the Beastbox proxy, and 3) the
VPN connections.

4.1 (U) Network Interfaces

(S//NF) Two network interfaces are required: one for the back-end and one for the front-side that faces
the public Internet.

4.2 (S//NF) Blot Proxy

Beastbox is the proxy router used in the Blot system. Beastbox receives packets from the outside
network and presents them to an Implant Traffic Detector (ITD) that is associated with the
corresponding transport protocol. The transport protocol and the name of the corresponding ITD are as
follows:
Transport Blot Tool Handler
Protocol Protocol (bthp) ITD
HTTPS 1 Swindle
HTTP 12 Vortex
DNS 3 Brawl

4.2.1 (U) Software Installation

(S//NF) Install Blot-4.3 sinnertwin-blot-beastbox-1.3-1.

4 SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide (S//NF) Blot Proxy
4.2.2 (U) Configuration
(S//NF) Configuring Blot requires the configuration of Beastbox and the associated ITDs. At the time of
this writing, Hive uses only the HTTPS transport. Consequently two files need to be modified:
/etc/blot/beastbox.cfg and /etc/blot/itds/swindle/swindle.cfg. Use the following sample configuration to
configure the Beastbox.
<beastbox>
<version>4.3</version>
<server-pending-timer>5000</server-pending-timer>
<th-pending-timer>120000</th-pending-timer>
<external-ip>10.177.77.1</external-ip>

<th name="honeycomb">
<ip>10.2.4.119</ip>
<port>4098</port>
</th>

November 2012 SECRET//NOFORN//20371105 5

 SECRET//NOFORN
(S//NF) Blot Proxy Hive Infrastructure Configuration Guide
<server name="vhost1-https" in_port="44301">
<ip>172.16.64.11</ip>
<port>443</port>
<protocol>tcp</protocol>
</server>

<server name="vhost1-https" in_port="44302">

<ip>172.16.64.11</ip>
<port>443</port>
<protocol>tcp</protocol>
</server>

<server name="vhost1" in_port="8001">

<ip>172.16.64.11</ip>
<port>8001</port>
<protocol>tcp</protocol>
</server>

<server name="vhost2" in_port="8002">

<ip>172.16.64.10</ip>
<port>8002</port>
<protocol>tcp</protocol>
</server>

<server name="Bind" in_port="5301">

<ip>172.16.64.10</ip>
<port>5301</port>
<protocol>udp</protocol>
</server>

<itd path="/etc/blot/itds/swindle/swindle_itd.so" name="Swindle ITD"

config="/etc/blot/itds/swindle/swindle.cfg" enabled="true">
<tid num="0x65ae82c7" th="honeycomb" />
<bthp>1</bthp>
</itd>

<itd path="/etc/blot/itds/brawl/brawl_itd.so" name="Brawl ITD"

config="/etc/blot/itds/brawl/brawl.cfg" enabled="false">
<bthp>3</bthp>
</itd>

<itd path="/etc/blot/itds/vortex/VortexITD.so" name="Vortex ITD"

config="/etc/blot/itds/vortex/vortex.cfg" enabled="false">
<bthp>12</bthp>
</itd>

<log>
<path>/var/log/blot</path>
<encryption>
<session-algorithm>NONE</session-algorithm>
<entry-algorithm>NONE</entry-algorithm>

<key>xV8JjUEooa0H9RxdSki8CcYcIywFbU3C3BHyx0rnCwaVs8H8/hnSjlwseloF+eHJUfZJ9Wrqieebi9Br/
pIpNAXq39MrreH1RJ4onxn+2d1VOtF8TZrWHhUg8A0jEEucCIi4zqEqoLLX0uKPjAYQFcimsJsYfHd2klt4R3i
pdQJ70Kv72j7WILT2fcynwEqbBGT5iqhWhSAOq+BIKqQRMNuN9D1Es8eQmPBjh0qzjMPSDH9xRkS3EDszNVbn9
h40mYPiWj9gtRbnbJE8ED85Gb5uFWkVbD6Lh6hdgJam+r8F3lLqsQBBbcilQdnDWfQkCyNOmllRTBv+45uoKrN
4kQ==</key>
</encryption>
</log>

</beastbox>

6 SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide (S//NF) Blot Proxy
• External IP: There can be only one external IP address on which the proxy will listen.
• Tool handler name (th): There must be a tool handler configured for each ITD defined below
and the tool-handler names must match.
• Server names – must be unique
• ITD number: The ITD number used in the itd declaration must match the code that is baked-
into the implant.
The following shows the ITD configuration file for Swindle (HTTPS). Here the port numbers must
reflect the ports that the ITD will listen to for an implant beacon. The Vortex (HTTP) and Brawl (DNS)
ITD configurations will be similar.
<itd version="1.2">
<ports>
<port protocol="tcp">44301</port>
<port protocol="tcp">44302</port>
</ports>
<certFilePath>/etc/blot/itds/swindle/swindle.crt</certFilePath>
</itd>

(S//NF) NOTE: Beastbox is very sensitive to the configuration file. A syntax error, the use of the wrong
version number and other such anomalies will cause the Beastbox proxy to die silently without any
output to the console or log file. Here are key items to note.

4.3 (S//NF) OpenVPN

(S//NF) OpenVPN is used to tunnel the connections between the VPS redirectors and the Blot proxy.

4.3.1 (U) Software Installation

(S//NF) The following software packages are required:
• openvpn version 2.2.2 or later
(S//NF) To install these, install epel-release-5-4.noarch.rpm. If this is not available in the Yum
repository, get it by using:
wget http://download.fedoraproject.org/pub/epel/5/i386/epel­release­5­4.noarch.rpm

and then install it using:

rpm ­ivh epel­release­5­4.noarch.rpm

(S//NF) Then install OpenVPN using:

yum install openvpn

(S//NF) This should install the lzo compression software as a dependency.

(S//NF) Setup OpenVPN so that it will start after booting by using chkconfig.
chkconfig --add openvpn

November 2012 SECRET//NOFORN//20371105 7

 SECRET//NOFORN
(S//NF) Blot Proxy Hive Infrastructure Configuration Guide
chkconfig --levels 2345 openvpn on
(S//NF) Then verify that it will be on in runlevels 2, 3, 4, and 5.
chkconfig --list openvpn

4.3.2 (S//NF) Key Generation

(S//NF) Generate the master Certificate Authority (CA) certificate and key on a secure host apart from
the Blot and VPS proxies. This is done using the source code directory tree. After installing the source
code, go to the easy-rsa/2.0 directory and edit the vars file. This file contains a number of variables that
will need to be changed before generating the CA certificates and keys. After editing this file, execute
the following commands:

$ . ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client1
$ ./build-key client2
.
.
$ ./build-dh

(S//NF) The following files are generated:

Filename Needed By Purpose Secret?
ca.crt Blot + all VPS clients Root CA certificate No
ca.key Key signing host only Root CA key Yes
dh{n}.pem Blot only Diffie Hellman parameters No
Server.crt Blot only Server Certificate No
Server.key Blot only Server Key Yes
Client1.crt VPS1 only Client1 Certificate No
Client1.key VPS1 only Client 1 Key Yes
. . . .
Clientn.crt VPSn only Clientn Certificate No
Clientn.key VPSn only Clientn Key Yes

(S//NF) Distribute the keys to the /etc/openvpn directory on the appropriate hosts.

4.3.3 (S//NF) Blot-Side Configuration

(S//NF) Edit the server.conf file in /etc/openvpn. Keep the defaults, but check the following parameters
and make changes if necessary.
port 1194
proto tcp
/dev/tun

8 SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide (S//NF) Blot Proxy
dh /etc/openvpn/dh2048.pem (for 2048-bit keys)
server <IP address> <bitmask>
keep-alive 10 120
comp-lzo
log-append /var/log/openvpn.log
(S//NF) The server's IP address should be a non-routable address such as 10.177.77.1. When
configuration is complete, start openvpn.
service openvpn start

November 2012 SECRET//NOFORN//20371105 9

 SECRET//NOFORN
(S//NF) VPS Redirector Hive Infrastructure Configuration Guide
5 (S//NF) VPS Redirector

5.1 (S/NF) IPv6 Security

(S//NF) If IPv6 is functional (verified by noting the presence of inet6 addresses on the network interface
configurations after using ifconfig), then add the following IPv6 firewall rules using ip6tables:
ip6tables ­F INPUT
ip6tables ­F OUTPUT
ip6tables ­F FORWARDING
ip6tables ­P INPUT DROP
ip6tables ­P OUTPUT DROP
ip6tables ­P FORWARD DROP

(S//NF) Use ip6tables-save to save these into /etc/sysconfig/ip6tables and then review the settings in the
ip6tables-config file.

5.2 (S//NF) Install and Configure Redirection Script

(S//NF) Copy the redirection script to /etc/init.d/redirection.

(S//NF) Copy the redirection configuration file, redirect.conf to the /etc/openvpn directory and edit it to
conform to the desired configuration. It looks similar to this:
outside_interface=eth0
inside_interface=eth1
tunnel_interface=tun0

VPN_PORT=1194 # VPN tunnel port

ADMIN_PORT=3600 # SSH port used by administrator

PUBLIC_IP=10.6.5.191 # Public-facing IP
PRIVATE_IP=10.177.77.1 # IP of next hop

VDNS_PORT=5301 # Virtual DNS port

VHTTP_PORT=8001 # Virtual HTTP port
VHTTPS_PORT=44301 # Virtual HTTPS port

(S//NF) Use chkconfig to set redirection to start and stop on system startup and shutdown.

chkconfig   ­­add redirection

(S//NF) Set the system configuration to perform IP forwarding by editing /etc/sysctl.conf as follows.
net.ipv4.ip_forward = 1
(S//NF) To start redirection after first installing the script use:

service redirection start

(S//NF) To stop redirection, but maintain the tunnel and administrative access through ssh, use:

service redirection stop

10 SECRET//NOFORN//20371105 November 2012

 SECRET//NOFORN
Hive Infrastructure Configuration Guide (S//NF) VPS Redirector
(S//NF) To view the iptables rules currently in effect use:

service redirection status

5.3 (S//NF) OpenVPN Configuration

(S//NF) Edit the client.conf file in /etc/openvpn. Keep the defaults, but check the following parameters
and make changes if necessary.
/dev/tun
proto tcp
remote <IP address> <port>
user nobody
group nobody
comp-lzo
cipher BF-CBC
log-append /var/log/openvpn.log
(S//NF) Use the IP address of the server from section 4.3.3 above as the remote IP address.

5.4 (S//NF) Add Redirection and Logging (Optional)

(S//NF) To facilitate monitoring and troubleshooting of redirection, the log entries can be sent to a
separate log file by modifying /etc/rsyslog.conf. Add the following line

kern.warn /var/log/iptables

(S//NF) To control the size and number of these log files, add a logrotate configuration for iptables under
/etc/logrotate.d with the following contents:
/var/log/iptables {
missingok
notifempty
size 5M
compress
rotate 5
create 0600 root root
}

5.5 (U) Configure Routing

(S//NF) Add a line to /etc/rc.local that will create a route for OpenVPN to connect with the Blot proxy.
ip route add <Blot Proxy Address> via <gateway on interface facing Blot proxy>

example:
ip route add 172.16.63.101 via 172.16.60.1

November 2012 SECRET//NOFORN//20371105 11

 SECRET//NOFORN
(U) Test and Troubleshooting Hive Infrastructure Configuration Guide
6 (U) Test and Troubleshooting
(S//NF) After completing the previous sections, redirection should be established through the Blot proxy
to the cover server and tool handler. Attempting to access the public IP website with a web browser
should produce a valid web page from the cover server. Verifying this implies that any HTTP-based
beacon should reach the tool handler, barring any misconfiguration of the Blot proxy.

6.1 Unresponsive Cover Server

(S//NF) If a cover web page does not appear in this testing, here are some things to check.

• (S//NF) Use ifconfig on the VPS redirector and the Blot proxy to verify that a tunnel interface
(e.g. tun0) is present. If not, then openvpn is not operational. Recheck the configuration and
restart openvpn using the command: service  openvpn restart. Look for problems in
the openvpn log file /var/log/openvpn.log.

• (S//NF) On the VPS redirector, verify that the iptables redirection script was executed by issuing
the command:
service redirection status
or
watch service redirection status
(S//NF) This will display the current firewall rules. By reissuing this command and comparing
the packet/byte counts displayed (or using the watch command to see it updated continually), it is
possible to get an idea of the packet flows when a web page is requested. The PREROUTING
chain in the nat table should increase for each web page requested, along with the related rules in
the FORWARD chain of the filter table.

• (S//NF) If there seems to be problems in establishing the tunnel between the VPS redirector and
the Blot proxy, verify the communications between them. Check the routing. While the default
route will likely be to the public-facing gateway, there must also be a route to get to the Blot
proxy.

6.2 Lost Beacons

(S//NF) If an implant beacon fails to arrive at the tool-handler, first follow the steps above in
section 6.1 to verify that the path to the Blot proxy is functional. If it is, then the problem is most
likely the Blot proxy configuration. Verify the parameters in /etc/blot/beastbox.cfg and the ITD
configuration file(s) in /etc/blot/itds. The port number(s) in the itd file files must match those
configured in the beastbox.cfg file.

12 SECRET//NOFORN//20371105 November 2012