Open Problems

The following is an annotated list of ANT projects pulled from :



COTTONMOUTH-I: COTTONMOUTH-I is a USB plug that uses TRINITY as its digital core and HOWLERMONKEY as its RF transceiver. Cost in 2008 was slightly above $1M for 50 units.

COTTONMOUTH: A family of modified USB and Ethernet connectors that can be used to install Trojan horse software and work as wireless bridges, providing covert remote access to the target machine.

COTTONMOUTH-II is deployed in a USB socket (rather than plug), and costs only $200K per 50 units, but requires further integration in the target machine to turn into a deployed system.

COTTONMOUTH-III is a stacked Ethernet and USB plug costing approximately $1.25M for 50 units.

The USB components are covered by ADAPTERNOODLE. SLOTSCREAMER is intended to act as a generic DMA device over PCI, reachable via PCI jumpers, ExpressCard, and Thunderbolt.

Network Recon:

BANANAGLEE: high-level Cisco/Juniper trojan
ZESTYLEAK: high-level Juniper trojan
JETPLOW(6): firmware rootkit for Cisco routers
FEEDTROUGH(3): BIOS rootkit for Juniper NetScreen firewalls
GOURMETTROUGH(4): BIOS rootkit for other Juniper firewalls
SOUFFLETROUGH(7): BIOS rootkit for Juniper SSG 500 and 300
HALLUXWATER(5): boot ROM rootkit for Huawei routers
HEADWATER(8): trojan for Huawei routers

SCHOOLMONTANA(9): rootkit for Juniper J-series routers/firewalls

SIERRAMONTANA(10): rootkit for Juniper M-series routers/firewalls

STUCCOMONTANA(11): rootkit for Juniper T-series routers/firewalls

While we don't need to recreate tools for these specific use cases, it would be interesting to recreate some of the high-level / low-level functionality in other commercial routers.

GSM Stuff:

CANDYGRAM(35): A $40,000 tripwire device that emulates a GSM cellphone tower.

CYCLONE-HX9: EGSM base station router

EBSR(38): 1 watt (pico class) GSM base station

NEBULA(41): (macro class) base station router for GSM/UMTS/CDMA2000/LTE (LTE marked "coming soon")

TYPHON HX(42): GSM base station router

HOLLOWPOINT: GSM/UMTS/CDMA2000/FRS signal platform. Operates in the 10 MHz to 4 GHz range. Includes receiver and antenna. Can both transmit and receive.

WATERWITCH(43): A portable "finishing tool" that allows the operator to find the precise location of nearby mobile phones.

GENESIS(40): Modified GSM handset (Motorola SLVR L9) to sniff and monitor traffic (covered by TWILIGHTVEGETABLE)

PICASSO(32): Modified GSM handset for jamming, sniffing, recording from microphone

ENTOURAGE(39): locates wireless devices (phones etc)

SIM stuff:

GOPHERSET: SIM implant to exfiltrate Phonebook, SMS/Call logs

MONKEYCALENDAR: SIM implant to exfiltrate location data

Phone rootkits:

TOTECHASER(33): Windows CE trojan

TOTEGHOSTLY(34): Windows Mobile trojan

DROPOUTJEEP(29): iPhone trojan

Clearly Windows CE and Mobile aren't super interesting, but it would be nice to be able to provide baseline rootkit functionality for iOS and Android.

Radar retro-reflectors:

RAGEMASTER(48): bugged video cable

LOUDAUTO: $30 audio-based RF retro-reflector listening device.

CTX4000: Radar source used to illuminate ("light up") TAWDRYYARD and the other retro-reflectors.

PHOTOANGLO(16): upgrade of CTX4000

NIGHTWATCH(15): Portable computer used to reconstruct and display video data from VAGRANT signals; used in conjunction with a radar source like the CTX4000 to illuminate the target in order to receive data from it.

TAWDRYYARD: locator beacon; when it is illuminated by a specific signal, it reflects one back.

SURLYSPAWN(28): Keystroke monitor technology that can be used on remote computers that are not internet-connected.

Firmware Implants:

IRATEMONK(21): Technology that can infiltrate the firmware of hard drives manufactured by Maxtor, Samsung, Seagate, and Western Digital.

IRONCHEF: Technology that can "infect" networks by installing itself in a computer I/O BIOS.

DEITYBOUNCE: Technology that installs a backdoor software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s).

SWAP: Technology that can reflash the BIOS of multiprocessor systems that run FreeBSD, Linux, Solaris, or Windows.

Hardware Implants:

WAGONBED: I2C module for remote

CROSSBEAM: GSM module that mates a modified commercial cellular product with a WAGONBED controller board.

BULLDOZER: Technology that creates a hidden wireless bridge allowing NSA personnel to remotely control a system wirelessly.

FIREWALK: A device that looks identical to a standard RJ45 socket and allows data to be monitored/injected.

Software Implants:

WISTFULTOLL: Collects "forensic information" from Windows machines.

SOMBERKNAVE: Software that can be implanted on a Windows XP system allowing it to be remotely controlled from NSA headquarters.

Can we just call this good with Meterpreter, dumpcreds, etc.?

Generic hardware:

JUNIORMINT(22): tiny board for hidden implants

TRINITY(26): tiny microcontroller for hidden implants

MAESTRO-II(23): a multi-chip module approximately the size of a dime that serves as the hardware core of several other products. The module contains a 66 MHz ARM7 processor, 4 MB of flash, 8 MB of RAM, and an FPGA with 500,000 gates. Unit cost: $3–4K (in 2008). It replaces the previous generation of modules, which were based on the HC12 microcontroller.

HOWLERMONKEY: tiny, generic RF transceiver

All of these tools are essentially trimmed-down versions of existing hardware which, even if we were to recreate them, wouldn't do much good except as components in other playset projects.

Wifi Tools:

NIGHTSTAND(14): Portable system that wirelessly installs Microsoft Windows exploits from a distance of up to eight miles.

SPARROW II(17): WLAN monitoring from a UAV

NIGHTSTAND is essentially a pineapple (or even a netbook) with a powerful directional antenna. Should be easy enough to throw together.

Several WiFi UAV projects have been demoed at hacker cons. If someone could throw a kit together, it would make a great replica of the SPARROW system.