Public Documents in Vault 7: CIA Hacking Tools Revealed
As I reported in Fact Checking Wikileaks' Vault 7: CIA Hacking Tools Revealed (Part 1), the Vault 7: CIA Hacking Tools Revealed leak from Wikileaks contains a minority of CIA documents.
I originally said there were 114 arguably CIA documents but upon further review, the correct number is 125. Subject to your corrections of course.
For ease of use, I split the files into three listings: CIA (this file), Public and Wikileaks placeholders separately.
Perhaps my very brief notes will assist you in not searching cruft such as 3261 pages of one line of non-printing characters (ifx_tapi.run.pdf) or 3310 pages of an ls on an unknown machine (full_ls.txt.pdf). I probably have core dumps lying about but I would be very surprised if anyone "leaked" them as being of general interest.
The initial hyperlink in each entry points to a local copy of the file. Drop this file into a directory with these files and it should "just work."
- ~02.2.dat.pdf, CIA (maybe), 1 page. Binary dump of unknown origin.
- ~02.3.dat.pdf, CIA (maybe), 1 page. Binary dump of unknown origin.
- 2013.12.09_DART_user_manual, Modified by BK.docx.pdf, CIA (maybe), DART (software testing), unclassified manual by Lockheed Martin Advanced Technology Labs, 47 pages.
- 2014.02.19_DART_user_manual.docx.pdf, CIA (maybe), DART (software testing), unclassified manual by Lockheed Martin Advanced Technology Labs, 102 pages.
- 2014 10 23 -- EDG Testing White Paper -- Rev Draft B.docx.pdf, CIA (maybe), 32 pages.
- 2015-04-16_063833-Perseus-Install_Log.log.pdf, CIA (maybe), 4 pages. Install log.
- 2015.05.18_DART_administrator_manual.docx.pdf, CIA (maybe), DART Administration Manual, 94 pages.
- 2015.05.18_DART_user_manual.docx.pdf, CIA (maybe), Another DART users manual, 170 pages.
- 2015-07-15_DUT3-CPU_Graph.pdf, CIA (maybe), RouterOS -> MikroTik -> CPU Usage Graphing, uncertain source/value, 2 pages.
- 2015-07-15_DUT3-Disk_Usage_Graph.pdf, CIA (maybe), RouterOS -> MikroTik -> Disk Usage Graphing, uncertain source/value, 2 pages.
- 2015-07-15_DUT3-Memory_Graph.pdf, CIA (maybe), RouterOS -> MikroTik -> Memory Usage Graphing, uncertain source/value, 2 pages.
- accounts.json.pdf, CIA (maybe), 1 page. Login to Atlassian?
- airport-admin-login.pcap.pdf, CIA (maybe), a dump, 27 pages.
- aquaman-5h.txt.pdf, CIA (maybe), settings?, 1 page.
- aquaman-5h.txt.txt.pdf, CIA (maybe), settings?, 1 page. BTW, just eyeballing it, aquaman-5h.txt.pdf and aquaman-5h.txt.txt.pdf are duplicates. Not the only ones you will find.
- bghj.key.pdf, CIA (maybe), a private key, 1 page.
- bghj.net.crt.pdf, CIA (maybe), a certificate, 1 page.
- cadmium.pdf, CIA (maybe), Android exploit. 28 pages.
- captive.html.pdf, CIA (maybe), 1 page.
- CaterpillarDataFlow.pptx.pdf, CIA (maybe), data flow graphic for Caterpillar, 1 page.
- CCDF - TDIW_Schema_Guide_for_Version_2_3_v1_0_3.pdf, CIA (maybe), TAO Data Item Wrapper (TDIW) Schema Documentation Guide For TDIW version 2.3, 31 pages.
- ccdf_xml_traffic_v2.5.1_final.dtd.dtd.pdf, CIA (maybe), an XML DTD, 28 pages.
- CodeReview.pdf, CIA (maybe), Code Reviews, 16 pages.
- Codex-Spec-v1-SECRET.pdf, CIA (maybe), (S//OC/NF) Network Operations Division CNE Operational Data Exchange Format (Codex) Specification, 27 pages.
- colloquy-long_time.patch.pdf, CIA (maybe), xsl fragment, 1 page.
- com.apple.ifdreader_2015-09-17-123848_users-MacBook-Pro.crash.pdf, CIA (maybe), MacBook crash, 11 pages.
- CompoundBinaryTemplate.bt.pdf, CIA (maybe), 010 Editor v3.1.3 Binary Template. 10 pages.
- config_wireshark-ubuntu_user.txt.pdf, CIA (maybe), 1 page.
- Cryptographic Requirements v1.1 UNCLASSIFIED.pdf, CIA (maybe), Cryptographic Requirements, 17 pages.
- DevelopersGuide.pdf, CIA (maybe), Hive Engineering Development Guide, 14 pages.
- devlan_ca.cer.pdf, CIA (maybe), a certificate, 1 page.
- dhcpd.conf.pdf, CIA (maybe), one line call to JS?, 1 page.
- Dockerfile.pdf, CIA (maybe), apache/ssh startup script, 1 page.
- DRBOOM_V1.0_User_Guide.pdf, CIA (maybe), DRBOOM v1.0 User's Guide, iPad, 14 pages.
- enterprise_certs.pdf, CIA (maybe), a page of zeros, 1 page.
- etc-bind-db.loki.lab.txt.pdf, CIA (maybe), BIND data file for local loopback interface, 1 page.
- etc-bind-named.conf.local.txt.pdf, CIA (maybe), bind local configuration, 2 pages.
- etc-bind-named.conf.options.txt.pdf, CIA (maybe), directory "/var/cache/bind", 1 page.
- fff.py.pdf, CIA (maybe), dcode/ncode python, 19 lines, 1 page.
- Fire & Forget Spec.pdf, CIA (maybe), MRC Module Format for Userspace Injection by Archangel, interesting there are no classification markings, yes?, 2 pages.
- flashLeds.bsh.pdf, CIA (maybe), led bash script, 1 page.
- floppyScript.bsh.pdf, CIA (maybe), led/floppy bash script, 1 page.
- full_ls.txt.pdf, CIA (maybe), an ls of an unknown machine, 3310 pages.
- Galleon-Design_v1_rFinal.pdf, CIA (maybe), 7 pages.
- Galleon-Interface-Log_v1_rFinal.pdf, CIA (maybe), 5 pages.
- Galleon-Interface-Publish_v1_rFinal.pdf, CIA (maybe), 7 pages.
- Galleon-Interface-Transport_v1_rFinal.pdf, CIA (maybe), 8 pages.
- gd_bundle.crt.pdf, CIA (maybe), one certificate, 1 page.
- geteltorito.pl.pdf, CIA (maybe), a GPL Perl bootimage extractor, 4 pages.
- Hive Operating Environment - Test Infrastructure.pdf, CIA (maybe), Hive Beacon Lab Test Infrastructure, SECRET//SI//NOFORN, page 11 out of ? pages, 1 page.
- hotspot-detect.html.pdf, CIA (maybe), pdf of HTML source on need to authenticate to local network, I'm marking as CIA (maybe) b/c that may be its source. May have another source, 1 page.
- ICE-Spec-v3-final-SECRET.pdf, CIA (maybe), this and ICE-Spec-v3-final-UNCLASSIFIED.pdf are good examples of why I say "CIA (maybe)": the documents have identical page breaks, despite radically different security markings, up until page 20. Notice that the number 20 is mis-aligned and creeps into the block of markup on the page. I can't say when these documents were altered but clearly they are copies of the same document, made into two documents. Who performed that act and why is unknown. 23 pages.
- ICE-Spec-v3-final-UNCLASSIFIED.pdf, CIA (maybe), see: ICE-Spec-v3-final-SECRET.pdf comments, 23 pages.
- ifx_tapi.run.pdf, CIA (maybe), almost 8 pages of a script, followed by 3261 pages of a few lines of unprintable characters per page, 3269 pages.
- install.reg.pdf, CIA (maybe), not sure what this is, 31 pages.
- iOS Exploits - iOS - EDG Confluence.pdf, CIA (maybe), iOS exploit chart, 3 pages.
- JetsamEvent-iPad2,1 2005L247.ips.pdf, CIA (maybe), iPhone crash report?, 5 pages.
- Kernel-Execution-Spec-v1-SECRET.pdf, CIA (maybe), (S//NF) Network Operations Division Kernel-mode Execution Specification, 5 pages.
- Link.bt.pdf, CIA (maybe), 010 Editor v3.1.3 Binary Template, 1 page.
- manifest.xml.pdf, CIA (maybe), gerrit.zoo.lan, 2 pages.
- Marble Framework.pptx.pdf, CIA (maybe), Marble Framework, no classification markings but not visible on the net, 24 pages.
- MCNUGGET_V4.0_User_Guide.pdf, CIA (maybe), MCNUGGET v4.0 User’s Guide, SECRET//NOFORN, note the cover page does not follow classification requirements, 12 pages.
- NetApp Build Document1.docx.pdf, CIA (maybe), Test Range NetApp Build Document, 6 pages.
- NewDevelopmentWorkflow.pptx.pdf, CIA (maybe), EDG’s Development Lifecycle, UNCLASSIFIED//FOUO, 24 pages.
- nightskies.txt.pdf, CIA (maybe), SHA1-SUM, 4 lines, 1 page.
- NOD Cryptographic Requirements v1.1 SECRET.pdf, CIA (maybe), (C//NF) Network Operations Division Cryptographic Requirements, SECRET//NOFORN, appears to be identical to NOD Cryptographic Requirements v1.1 TOP SECRET.pdf, same classification officer, two different classifications, 17 pages.
- NOD Cryptographic Requirements v1.1 TOP SECRET.pdf, CIA (maybe), (C//NF) Network Operations Division Cryptographic Requirements, TOP SECRET//SI//NOFORN, appears to be identical to NOD Cryptographic Requirements v1.1 SECRET.pdf, same classification officer, two different classifications, 17 pages.
- ns2-named.conf.options.pdf, CIA (maybe), one page of a DNS config?, 1 page.
- nspkg design.graffle.pdf, CIA (maybe), Apple DTD, has the same reference for the DTD as ios8_launchd__bs_plist.plist.pdf, but different element structure?, DTD appears to be followed by data, 55 pages.
- nspkg design.pdf, CIA (maybe), a flow chart, 1 page.
- ns-Release-v3.0-b19.pdf, CIA (maybe), zeroes identical to enterprise_certs.pdf, 1 page.
- offline.html.pdf, CIA (maybe), Android Developer, HTML source as PDF?, 11 pages.
- OXF Data Standard, Version 1-2, 29 April 2013.docx.pdf, CIA (maybe), OXF Data Standardization Requirements for Interactive Tools for Microsoft Windows-Based Personal Computers and Servers, 6 pages.
- Persisted-DLL-Spec-v2-SECRET.pdf, CIA (maybe), Network Operations Division Persisted DLL Specification, (S//OC/NF), 5 pages.
- Persistence-Spec-v1-SECRET.pdf, CIA (maybe), Network Operations Division Persistence Specification, (S//NF), identical to (except for classification markings) Persistence-Spec-v1-UNCLASSIFIED.pdf, 5 pages.
- Persistence-Spec-v1-UNCLASSIFIED.pdf, CIA (maybe), Network Operations Division Persistence Specification, (U//FOUO), identical to (except for classification markings) Persistence-Spec-v1-SECRET.pdf, 5 pages.
- precise-sources.list.txt.pdf, CIA (maybe), Ubuntu repositories on devlan.net?, 1 page.
- ProxyIn.py.pdf, CIA (maybe), toy Python code, 2 pages.
- ProxyOut.py.pdf, CIA (maybe), toy Python code, 2 pages.
- publicKey.pem.pdf, CIA (maybe), an RSA Public Key, 1 page.
- Rain Maker Design.pptx.pdf, CIA (maybe), Design flow for Rain Maker, 1 page.
- Rain Maker v1.0 User Guide.doc.pdf, CIA (maybe), (U) Rain Maker 1.0 User's Guide, but has SECRET//20350629 markings, 10 pages.
- RANCID-Configuration Changes.doc.pdf, CIA (maybe), How To Add a Device to RANCID, local instructions?, includes the default password, 2 pages.
- RANCID-Installation.doc.pdf, CIA (maybe), RANCID Server 3.1 Installation and Operation Overview, more passwords, 4 pages.
- release_notes-2015-05-18.docx.pdf, CIA (maybe), Tyrant Release Notes, Lockheed Martin, no classification markings, 3 pages.
- repo.pdf, CIA (maybe), Repository script, two PGP keys, 14 pages.
- role_permissions.txt.pdf, CIA (maybe), two lines, 17 characters total, your guess is as good as mine, 1 page.
- rootless_whitelist_10.11.2.txt.pdf, CIA (maybe), appears to be a partial directory listing, 3 pages.
- SHELLCODE_51.html.pdf, CIA (maybe), HTML source for shellcode documentation?, 2 pages.
- slice2.py.pdf, CIA (maybe), template for a command line python script, 7 pages.
- slice.py.pdf, CIA (maybe), template for a command line python script, surprise!, these really are different, starting on page 5, 7 pages.
- (S-NF) Independent_Review_EDG_Test_Programs_7NOV14.docx.pdf, CIA (maybe), (S-NF) Independent_Review_EDG_Test_Programs_7NOV14.docx.pdf, Independent Review of EDG Test Programs(?), I constructed the title, document lacks a cover page and proper classification markings, 41 pages.
- sourcetree.license.pdf, CIA (maybe), Apple license string?, 1 page.
- syslog.c.pdf, CIA (maybe), Structure for passing sockets between the threads, this looks like sample code, 5 pages.
- target-aliases.txt.pdf, CIA (maybe), two export commands, 1 page.
- TDIW_Schema_Guide_for_Version_2_3_v1_0_3.pdf.pdf, CIA (maybe), TAO Data Item Wrapper (TDIW) Schema Documentation Guide For TDIW version 2.3, 31 pages.
- test.dat.pdf, CIA (maybe), code dump, 1 page.
- TestNetwork.pdf, CIA (maybe), test network diagrams, 3 pages.
- ToolTemplate vX.X.X User Guide Rev A.doc.pdf, CIA (maybe), (U) Tool Template vX.X User’s Guide, 5 pages.
- Tremor+Weekly+Report.doc.pdf, CIA (maybe), appears to be a stylesheet for Confluence export, 5 pages.
- Triclops 2015 - BillOfMaterial.pdf, CIA (maybe), 2 pages.
- Triclops 2015 - ECHOMOON.pdf, CIA (maybe), 1 page.
- Triclops 2015 - Entitlements Dump.pdf, CIA (maybe), 248 pages.
- Triclops 2015 - Home.pdf, CIA (maybe), 1 page.
- Triclops 2015 - KAMIKAZE.pdf, CIA (maybe), 1 page.
- Triclops 2015 - _Library_MusicUISupport_js_index.pdf, CIA (maybe), 1 page.
- Triclops 2015 - nsurlsessiond.pdf, CIA (maybe), 1 page.
- Triclops 2015 - Other.pdf, CIA (maybe), 2 pages.
- Triclops 2015 - Patch Guard.pdf, CIA (maybe), 2 pages.
- Triclops 2015 - PREDUX.pdf, CIA (maybe), 3 pages.
- Triclops 2015 - Saline.pdf, CIA (maybe), 1 page.
- Triclops 2015 - Securing Our Equity.pdf, CIA (maybe), 1 page.
- Triclops 2015 - Status.pdf, CIA (maybe), 2 pages.
- Triclops 2015 - The Syslog and how to forward it.pdf, CIA (maybe), 1 page.
- Triclops 2015 - TinyScheme.pdf, CIA (maybe), 4 pages.
- trusty-sources.list.txt.pdf, CIA (maybe), repository script, 1 page.
- turnAllLedsOff.bsh.pdf, CIA (maybe), another Bash LED script, 1 page.
- turnAllLedsOff.pdf, CIA (maybe), another Bash LED script, 1 page.
- usb_utils.diff.pdf, CIA (maybe), USB erasure script?, 6 pages.
- UsersGuide.pdf, CIA (maybe), (U) Hive 2.6.2 User's Guide, 27 pages.
- Utility.pdf, CIA (maybe), 3rd page of zeroes, identical to enterprise_certs.pdf and ns-Release-v3.0-b19.pdf, 1 page.
- utopic-sources.list.txt.pdf, CIA (maybe), Ubuntu 14.10 repository script, 1 page.
- WindowsUpdate_DevLAN_settings.reg.pdf, CIA (maybe), Two Windows HKEYS, 1 page.
- xsdf.key.pdf, CIA (maybe), a private key, 1 page.
- xsdf.net.crt.pdf, CIA (maybe), a certificate, 1 page.