Hive
9th of November wikileaks published git repository with source code of Hive. It’s a client/server solution uses SSL to encrypt data and split VPN communication into two paths – one for known users (CIA) and second for not known which see cover server. I’m not going to describe here in details how it works, if you are interested just follow to mentioned page. Also, you can find there documents which are part of git repository – mostly user guides without a code for non technical persons.
Because I’m a programmer and I’m just curious how do they do it? I will try find out more about that repo. First, I decided split this article into two parts:
- metadata – find out as much as possible about authors, environment and used tools,
- source code – shape of it, order of work, code style, etc.
This post focuses only on metadata, in the next week will be second part.
Basic information from git
To start just grab the zipped git repo. After extract
we enter into it and … we see nothing, OK there is a hidden .git folder:
dirdival@pld:/tmp/hive$ ls -a
. .. .git
Let’s check what git say:
dirdival@pld:/tmp/hive$ git status | head -n 10
On branch master
Changes not staged for commit:
(use "git add/rm <file>..." to update what will be committed)
(use "git checkout -- <file>..." to discard changes in working directory)
deleted: .cproject
deleted: .project
deleted: Doxyfile
deleted: Makefile
deleted: README
dirdival@pld:/tmp/hive$ git status | wc -l
921
So, somebody decided to remove all files and just leaved hidden repository .git.
Interesting idea, I’m not sure is it a clever solution but for non technical
people it might be a challenge.
First, we have to clean up a mess:
dirdival@pld:/tmp/hive$ git reset --hard
HEAD is now at b6ac4fd User's Guide date corrections.
dirdival@pld:/tmp/hive$ git status
On branch master
nothing to commit, working directory clean
Done. The time has come find out what we have here. We start from branches and tags:
dirdival@pld:/tmp/hive$ git branch
armv5
autotools
debug
dhm
makemods
* master
mt6
polar-0.14.3
polar-1.1.8
polar-1.2.11
polar-1.3.4
solarisbug
ubiquiti
dirdival@pld:/tmp/hive$ git log --tags --simplify-by-decoration --pretty="format:%ai %d"
2015-10-30 09:58:22 -0400 (HEAD, tag: 2.9.1, master)
2015-09-11 13:18:54 -0400 (tag: 2.9.1-RC1)
2015-07-01 15:04:40 -0400 (tag: Hive-2.9, tag: 2.9-RC7)
2015-06-23 08:04:26 -0400 (tag: 2.9-RC5)
2015-06-03 10:49:11 -0400 (tag: 2.9-RC4)
2015-05-20 16:03:11 -0400 (tag: 2.9-RC3)
2015-03-11 15:41:13 -0400 (tag: 2.8.1)
2015-03-02 14:38:09 -0500 (tag: 2.8.1-RC1)
2015-01-30 11:12:58 -0500 (tag: 2.8)
2015-01-14 15:18:17 -0500 (tag: 2.8RC4)
2014-12-17 13:01:07 -0500 (tag: 2.8-RC2)
2014-10-17 15:22:07 -0400
2014-10-17 15:20:39 -0400 (dhm)
2014-10-17 11:38:52 -0400 (tag: 2.8-RC1)
2014-08-28 16:06:50 -0400 (polar-1.1.8)
2014-04-09 13:34:13 -0400
2014-04-08 13:56:14 -0400 (makemods)
2014-04-03 10:37:03 -0400 (tag: 2.7.1)
2014-04-02 16:00:49 -0400 (tag: 2.7.1-RC1)
2014-04-02 11:52:25 -0400
2014-03-12 10:23:51 -0400 (debug)
2014-03-13 15:33:32 -0400 (tag: 2.7)
2014-02-21 10:20:16 -0500 (tag: 2.7-RC1)
2014-01-10 15:20:53 -0500 (tag: hive-2.6.2)
2013-08-08 15:33:44 -0400 (tag: hive-2.6.1)
First observation – a repository is quite old. Last commit comes from 2015:
commit b6ac4fd7cdeac91bb8425b9f9df49bda4411186b
Author: User #142 <Account.156@devlan.net>
Date: Fri Oct 30 09:58:22 2015 -0400
User's Guide date corrections.
and the first one:
commit cd32369f329cef1a4f185e42024b9d58a2a31792
Author: User #226 <Account.234@devlan.net>
Date: Thu Aug 8 15:33:44 2013 -0400
Hive version 2.6.1 as of 8 August 2013 as pulled from old repository https://teamforge.devlan.net/svn/repos/hive/tags/hive-2.6.1. A lot of the old directories have been removed to simplify future builds using git. All subversion directories have been removed.
We have more than 2 years of development here. Finally, address of repository:
ssh://stash.devlan.net:7999/hive/hive
mentioned many times in merge commits.
Users and working hours
How many developers work on Hive?
dirdival@pld:/tmp/hive$ git log | grep '^Author' | sort | uniq
Author: User #140 <Account.155@devlan.net>
Author: User #142 <Account.156@devlan.net>
Author: User #217 <Account.227@devlan.net>
Author: User #226 <Account.233@devlan.net>
Author: User #226 <Account.234@devlan.net>
Author: User #226 <Account.235@devlan.net>
We have 6 accounts, but user IDs repeats. What does it mean? I suppose that
they made copy/paste of git configuration and they changed only account
numbers. Can we assume that in that department works at least 235 developers?
Can we assume that a higher number means junior employees? Let it be: so, we
have 2 veterans and 4 newbies.
When do they work and how often make a new commit?
...
Date: Fri Jan 10 15:20:53 2014 -0500
Date: Fri Nov 22 14:34:03 2013 -0500
Date: Wed Oct 30 14:37:35 2013 -0400
Date: Wed Oct 30 14:17:35 2013 -0400
Date: Wed Oct 30 14:17:35 2013 -0400
Date: Tue Oct 1 10:53:12 2013 -0400
Date: Tue Oct 1 09:39:45 2013 -0400
Date: Tue Sep 24 14:04:09 2013 -0400
Date: Mon Sep 23 15:28:10 2013 -0400
Date: Tue Aug 20 10:31:52 2013 -0400
Date: Thu Aug 8 17:10:47 2013 -0400
Date: Thu Aug 8 15:33:44 2013 -0400
dirdival@pld:/tmp/hive$ git log | grep '^Date:' | wc -l
345
It gives use more or less one commit per 2 days in main branch. I check with grep all hours and the earliest commit comes from:
commit 471078b8d7522f19792e29e74140de6f32f9e49d
Author: User #142 <Account.156@devlan.net>
Date: Thu Jun 5 07:22:10 2014 -0400
Changes to fix build issues with debugging.
and the latest is:
commit 0265ca26c2c7f1765ab7c87b60a06a8a5587d2bd
Author: User #226 <Account.234@devlan.net>
Date: Thu Aug 8 17:10:47 2013 -0400
Trunk as pulled from the old repository https://teamforge.devlan.net/svn/repos/hive/trunk cleaned up on 8 August 2013 with the infrastructure branch added. All future development should occur here using git.
Small observation: this commit is a second commit in the repo (just after the init version) and was made in the same day.
I didn’t found commits from Saturday nor Sunday, so it looks like a ordinary work in the office. Moreover, we have information about timezone in each commit, for example:
Date: Fri Jan 10 15:20:53 2014 -0500
Date: Fri Nov 22 14:34:03 2013 -0500
The -0500 means UTC time minus 5 hours. I check that and it might
be (surprise) – Washington DC, Miami, New York – east USA.
Data, environment, programs … and more data
Data
List all the files that ever existed in a Git repository:
dirdival@pld:/tmp/hive$ git log --pretty=format: --name-status | cut -f2- | sort -u > /tmp/all_files.txt
dirdival@pld:/tmp/hive$ cat /tmp/all_files.txt | wc -l
2798
and their extensions:
.1 .3des .a .aes128 .aes192 .aes256 .arch .arm .attr .bak .blurb .bsh .bz2 .c .C
.cc .cfg .com .conf .cpp .crt .csr .css .data .def .des .dll .dsp .dsw .exe
.filters .fmt .gch .gz .h .hive .html .jpg .key .lib .log .mak .md5 .mipsel
.msc .o .odp .odt .out .pdf .pem .pfx .pl .prefs .prj .project .ps .pub
.py .pyc .ref .sh .sln .STUFF .tar .tcl .tgz .txt .user .vcproj .vcxproj .vpj
.vpw .xml .xs
Most of files come from OpenSource projects. But what they really did we find out in next week.
Sometimes developers are sloppy and they just commit things which should not be part of repository: object files, compiled binary data, configuration of programs, etc. Let’s find them to determine used programs end environment.
Programs
commit 54bb023b7b95908455dddbc1b4ca984cd484e095
Author: User #140 <Account.155@devlan.net>
Date: Tue Aug 20 10:31:52 2013 -0400
Added files and directories related to Eclipse IDE.
They don’t hides. If you are interested more see file:
.cproject
in main repo directory.
Also we have server/.settings/org.eclipse.cdt.codan.core.prefs:
eclipse.preferences.version=1
org.eclipse.cdt.codan.checkers.errnoreturn=Warning
org.eclipse.cdt.codan.checkers.errnoreturn.params={launchModes\=>{RUN_ON_FULL_BUILD\=>true,RUN_ON_INC_BUILD\=>true,RUN_ON_FILE_OPEN\=>false,RUN_ON_FILE_SAVE\=>false,RUN_AS_YOU_TYPE\=>true,RUN_ON_DEMAND\=>true},implicit\=>false}
org.eclipse.cdt.codan.checkers.errreturnvalue=Error
org.eclipse.cdt.codan.checkers.errreturnvalue.params={launchModes\=>{RUN_ON_FULL_BUILD\=>true,RUN_ON_INC_BUILD\=>true,RUN_ON_FILE_OPEN\=>false,RUN_ON_FILE_SAVE\=>false,RUN_AS_YOU_TYPE\=>true,RUN_ON_DEMAND\=>true}}
...
Part of file client/ssl/polarssl-0.14.0-pre-patches/README:
-- COMPILING
There are currently three active build systems within the PolarSSL releases:
- Make
- CMake
- Microsoft Visual Studio
...
--- Microsoft Visual Studio
The build files for Microsoft Visual Studio are generated for Visual Studio 6.0 all future Visual Studio's should be able to open and use this older version of the build files.
and small prove. We can find many dsp files
$ find -name '*.dsp' | wc -l
22
They start from
Microsoft Developer Studio Project File - Name="sha1sum" - Package Owner=<4>
# Microsoft Developer Studio Generated Build File, Format Version 6.00
# ** DO NOT EDIT **
and more
dirdival@pld:/tmp/hive$ cat server/cryptcat/cryptcat.sln
Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cryptcat", "cryptcat.vcxproj", "{766CE45E-FC38-40B3-910A-34E72DEBBD7E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
and much more: server/polarssl-0.14.0/visualc/aescrypt2.vcproj
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="8.00"
Name="aescrypt2"
ProjectGUID="{484F1631-1185-47AA-887E-65BC19355E8E}"
RootNamespace="aescrypt2"
>
I also found a strange for me .mak extension and that file contains configuration
for SlickEdit:
# SlickEdit generated file. Do not edit this file except in designated areas.
and .vpj files with project configuration:
<!DOCTYPE Project SYSTEM "http://www.slickedit.com/dtd/vse/10.0/vpj.dtd">
<Project
Version="10.0"
VendorName="SlickEdit"
WorkingDir="."
BuildSystem="automakefile"
BuildMakeFile="%rp%rn.mak"
VCSProject='SCC:Surround SCM SCCI:"SurroundSCMScci"'
VCSLocalPath="SCC:Surround SCM SCCI:C:\Dev\JY008C637-ILM_SDK\1_1"
VCSAuxPath="SurroundSCMScci">
...
And the last one tool which is worth mentioning.
Script for indentation server/cryptcat-c-port/indent.sh uses indent:
#!/bin/sh
indent --blank-lines-after-declarations \
--blank-lines-after-procedures \
--swallow-optional-blank-lines \
--blank-lines-before-block-comments \
...
Environment
Can we determine used system? Yes we can.
There are few files .o from client/ssl/polarssl-0.14.0
(changeset 9e92609a43890ee6ec0a72d5f0b85a8cd85c5856)
and they were generated by:
dirdival@pld:/tmp/hive$ strings client/ssl/polarssl-0.14.0/library/arc4.o
GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-51)
A pyc files help recognize python version:
dirdival@pld:/tmp/hive$ file ./server/mod_hexify.pyc
./server/mod_hexify.pyc: python 2.4 byte-compiled
dirdival@pld:/tmp/hive$ file ./client/mod_hexify.pyc
./client/mod_hexify.pyc: python 2.4 byte-compiled
Also, we have very interesing document which gives us info about LibreOffice:
Title: Hive Engineering Development Guide
Creator: Writer
Producer: LibreOffice 3.5
It describes problems with getting time after boot on different machines – it’s
crutial to get valid date because Hive deletes self after 60 days.
I searched any linux home directories and I found hundreds hits.
git grep '\<home\>' $(git rev-list --all) > /tmp/home.txt
Most of them uses account miker, small probe:
INPUT = /home/miker/codeDevelopment/projects/gitolite/hive/trunk/ilm-client/resetTimer_v1.0
/home/miker/tempPayload
/home/miker/tempInstall
touch -r /export/home/tempPayload /export/home/hived-solaris-sparc-PATCHED 2>/dev/null
There are more one hits but I suppose they are not strict connected with Hive,
like this one from the first commit:
ilm-client/xterm-notes.txt:pushd /home/jeremy/sourceforge/hive/trunk/ilm-client/ && gnome-terminal --geometry=75x25 -t "Hive Shell" -e "./cutthroat hive"; popd
I also found windows paths but most of them are useless:
hinstLib = LoadLibrary(TEXT("C:\\work\\dlltest\\HiveServerDLL.dll"))
from server/DllTestLoader/dlltestloadermain.c
… More data
I went through few readme files. In this section you can find small sumary of
used data.
Part of client/ssl/CA/README:
Procedure for Changing/Embedding certs and keys within Hive/PolarSSL:
* application must include polarssl/certs.h (libs/crypto.c does this)
for only one time, or as needed:
* create a Certificate Authority (at this time, the mygen.sh script will generate
a new CA each time it is run, in addition to creating client/server keys and certs
* the Certificate Authority's certificate are built into the hive-client
and implants (TBD)
I checked mentioned certificate and others. Just take a look on
cient/ssl/CA/client.crt:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawt
.com
Validity
Not Before: Sep 30 20:27:29 2010 GMT
Not After : Sep 24 20:27:29 2035 GMT
Subject: C=RU, O=Kaspersky Laboratory, CN=www.kaspersky.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
...
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
B0:56:99:81:7C:87:D0:3F:10:CF:99:0E:6E:9E:39:B4:1E:C5:53:B0
X509v3 Authority Key Identifier:
DirName:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Some guys have obsession with Kaspersky. More evidence:
dirdival@pld:/tmp/hive$ cat /tmp/all_files.txt | grep -i kaspersky
client/ssl/CA/examples/activation.kaspersky.com
client/ssl/CA/examples/my.kaspersky.com
client/ssl/CA/examples/support.kaspersky.com
client/ssl/CA/examples/www.kaspersky.com
client/ssl/CA/kaspersky.conf
I checked all XML files but first they are obscured with base64 and second
they are not interesting. Small example of content, it looks like GUI part
– What did you expect from CSS.xml?:
dirdival@pld:/tmp/hive$ cat snapshot_20140506-1200/ctDirectory/CCS.xml | base64 -d | head -n 10
<?xml version="1.0"?>
<commoncommandset version="2.2">
<cmdgrp title="module">
<cmdgrp title="persist">
<cmd title="enable">
<helptext>Moves the module into persistent non-volatile storage on the target. Add invisible attribute.</helptext>
<primitives>
<required_primitives>
<primitive>0x07000003</primitive>
</required_primitives>
...
I also went through all conf, cfg files and I think that this one is the
most interesting. Whole infrastructure/scripts/redirect.conf:
DEBUG=1
outside_interface=eth0
inside_interface=eth1
tunnel_interface=tun0
VPN_PORT=43653
ADMIN_PORT=29610
PUBLIC_IP=78.47.131.68
PRIVATE_IP=91.93.104.178
TUNNEL_IP=10.177.77.1
#VDNS_PORT=5302
VHTTP_PORT=8002
VHTTPS_PORT=44302
I checked history of that file and PUBLIC_IP were never changed. Let’s check it:
dirdival@pld:/tmp/hive$ whois 78.47.131.68
...
inetnum: 78.46.0.0 - 78.47.255.255
netname: DE-HETZNER-20070416
country: DE
org: ORG-HOA1-RIPE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ALLOCATED PA
...
created: 2007-04-16T11:23:45Z
last-modified: 2016-08-25T13:25:27Z
source: RIPE # Filtered
organisation: ORG-HOA1-RIPE
org-name: Hetzner Online GmbH
org-type: LIR
address: Industriestrasse 25
address: D-91710
address: Gunzenhausen
address: GERMANY
...
Finaly we end with IP adresses. I greped all files searching for IPv4 and
again we have hundreds of hits.
We have some clues about internal network from honeycomb/owt/swift_upload.py:
#default_feeder_ip = '10.249.91.60' #O
default_feeder_ip = '172.20.17.51' #Icon
#default_feeder_ip = '172.24.2.41' #TDN
#default_feeder_ip = '172.28.5.51' #Admin
#default_feeder_ip = '192.168.230.11' #BigMac
#default_feeder_ip = '192.168.254.9' #BAR
I also selected some interesting IP and localizations according to the file honeycomb/processRSI.py:
dirdival@pld:~$ whois 201.218.252.110
...
% 2017-11-18 15:19:08 (BRST -02:00)
inetnum: 201.218.252/24
status: reallocated
owner: ENCRYPT FORTRESS CORP.
ownerid: PA-ENFO-LACNIC
responsible: Encrypt Fortress IT Dept
address: Pullen Street Building, 216,
address: - Panama -
country: PA
person: Encrypt Fortress IT Dept
dirdival@pld:~$ whois 31.210.100.208
...
inetnum: 31.210.100.0 - 31.210.100.255
netname: SAYFA-NET
descr: INTER NET BILGISAYAR LTD STI
country: TR
person: Sayfa Net ISTANBULDC VERI MERKEZI
address: bu ip adresleri diger yer saglayicilarina kiralanmistir.
address: adli makamlarca gereken musteri bilgisi icin telefonumuz 0212 920 00 00
address: Istanbul
address: Turkey, TR
dirdival@pld:~$ whois 78.138.97.145
...
inetnum: 78.138.96.0 - 78.138.99.255
netname: VELIANET-DE-Customer
descr: velia.net Internetdienste GmbH
country: DE
organisation: ORG-VIG2-RIPE
org-name: velia.net Internetdienste GmbH
org-type: LIR
address: Hessen-Homburg-Platz 1
address: 63452
address: Hanau
address: GERMANY
dirdival@pld:~$ whois 82.221.131.100
inetnum: 82.221.131.0 - 82.221.131.255
netname: IS-ICENETWORKS
country: IS
org: ORG-IL351-RIPE
org-name: Icenetworks Ltd.
org-type: OTHER
address: 60 Market Square
address: Belize City, Belize
role: OrangeWebsite.com Technical Department
address: OrangeWebsite.com
address: Klapparstigur 7
address: 101 Reykjavik
address: Iceland
On the end small announcement of future post. Section from
documentation/DevelopersGuide/DevelopersGuide.pdf:
Discrepancy report DR-00134-2012 was issued after Operations determined that Hive version 2.5 was
self-deleting prematurely. Analysis showed that a calculation involving the current time and the file
modification time used to determine the time since last contact could result in a negative number that
was then cast from an integer to an unsigned long integer. This resulted in a large positive number that
exceeded the delete delay and subsequently caused Hive to self-delete.