Playing around with NSA’s hacking tools

Playing around with NSA’s hacking tools

DearBytesBlogKwetsbaarheidPlaying around with NSA’s hacking tools

zaterdag 15 april 2017

On Friday April 14th 2017 ShadowBrokers leaked a new bunch of hacking tools, supposedly obtained from equation group (suspectedly tied to the NSA). Like many I decided to have a look at what’s in the package, and play around with it a little. Here are my initial findings.

Several exploits

The package contains quite a few exploits, targeting Microsoft Windows, Lotus Notes, MDaemon Webadmin, IIS and Microsoft Exchange. The relation between most of the found exploits is that they are used to infiltrate a Windows Endpoint. As opposed to the earlier leaks by ShadowBrokers targeting Network and Linux infrastructure. Most of the exploits are zerodays: bugs that have never been seen before. 

It seems Microsoft had early access to the dump or it’s an extremely lucky break for Microsoft. All SMB (Server Message Block) exploits seem to have been patched: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/. The fact that Microsoft published patches a month earlier means users are able to protect themselves. My experience as a penetration tester is that a lot of internal networks and/or systems will not receive patches for a long time. Therefore, this development could have major impact on business environments, without anyone consciously noticing.

SMB exploits

Especially the exploits targeting SMB (Server Message Block) and NetBios protocol stand out. SMB is a network file sharing protocol that allows applications on a computer to read and write (in)to files and request services from server programs in a computer network. It is basically the default way computers are remotely managed in any environment, so a vulnerability in has huge impact.

Comparable to MS08-067 (Conficker vulnerability)

I would say that the SMB exploit in this package falls in the same category as MS08-067, the infamous vulnerability in Netapi emerging toward the surface after being used by Conficker, a well-known type of malware. Back in 2008-2009 this malware led to chaos and even years after MS08-067 remained a popular attack vector for hackers. The difference is that a patch is available this time…

With the help of  Shodan I quickly found that 15.000 systems (Windows XP, 7 and 8) are currently publishing SMB on the public internet and therefore are wide open for exploitation right now. Someone else claims the amount of public SMB is much higher: 2 Million.

FuzzBunch

One of the elements in the ShadowBrokers data dump, is Fuzzbunch. Fuzzbunch can be compared to MetaSploit but is written in Python instead of Ruby. It’s an easy to use framework for the operator in order to launch exploits and interact with the implants. The FuzzBunch framework contains several ready to use exploits are available, each for specific types of targets:

  • Easybee-1.0.1.exe
  • Easypi-3.1.0.exe
  • Eclipsedwing-1.5.2.exe 
  • Educatedscholar-1.0.0.exe
  • Emeraldthread-3.0.0.exe
  • Emphasismine-3.4.0.exe 
  • Englishmansdentist-1.2.0.exe
  • Erraticgopher-1.0.1.exe
  • Eskimoroll-1.1.1.exe
  • Esteemaudit-2.1.0.exe
  • Eternalromance-1.3.0.exe
  • Eternalromance-1.4.0.exe
  • Eternalsynergy-1.0.1.exe
  • Ewokfrenzy-2.0.0.exe 
  • Explodingcan-2.0.2.exe
  • Eternalblue-2.2.0.exe
  • Eternalchampion-2.0.0.exe

Trying out EternalBlue

So I decided to testrun EternalBlue, the exploit targeting SMB. (Note: EternalBlue seems to be patched with MS17-010, it’s an SMB bug that impacts Windows XP up to Windows 10 and Windows Server 2016).

Step 1: DELIVERY – FuzzBunch as launching platform

I setup a system and installed FuzzBunch on it. It’s a python based command-line toolkit, looking something like this:

Step 2: EXPLOITATION – Win7 SP1 using EternalBlue

The EternalBlue exploit targets Windows XP through 2008 R2. A successful exploitation installs a backdoor called DoublePulsar. I was able to successfully exploit a Windows 7 SP1 system, which gave me access to the system via the DoublePulsar implant/backdoor.

Step 3: INSTALLATION – Using DoublePulsar to launch an additional Backdoor

The DoublePulsar backdoor allows to inject and run any DLL (Dynamic Link Library), that way compromising the computer and using it for whatever purpose. I was able to load a DLL into LSASS.EXE spawning calc.exe as a POC. But this off course could just as well have been something malicious. (Meterpreter, Empire, Beacon).

Step 4: COMMAND & CONTROL – DanderSpritz

Earlier I loaded my own DLL into the machine using DoublePulsar, DanderSpritz could be used to manage other implants such as PeddleCheap and ExpandingPulley. DanderSpritz is a Java-Based management console from which compromised computers can be managed (a Remote Access Tool / RAT, also part of the ShadowBrokers dump). It also offers some more exploits which I haven’t looked into yet. For now I have concluded that it can be used to control the PeddleCheap/ExpandingPulley implant. It also looks pretty cool!

Persistence

Also it appeared that WMI ActiveScriptConsumers is used for persistence. This is a popular technique to automatically run a script following a certain criterium (e.g. user logs on, computer starts, time passes, etc.). I’ve written about this technique earlier https://d.uijn.nl/2016/05/09/wmi-some-persistence-ideas/, later I received feedback from @x0rz that this technique was also used in Stuxnet.

Fuzzbunch can be used to implement a MOF using the MofConfig, the default settings can be used as an IOC.

Starting the payload is interesting, they use “control.exe” to load and start a DLL. I’ve never seen this before and feel it’s an unkown Windows feature. It’s as easy as: control.exe <filename>.<randomextension>.  At this time it’s still not clear how the trigger mechanism works, starting the backdoor seems to rely on an “InstanceCreationEvent” referencing a “MSClassConsumer” need to figure out how that works.

It seems the persistence also has a  built in safety mechanism with the ability to remove the DLL, EventFilter and ActiveScriptConsumer the moment the  “control.exe” process closes.

The EventFilter and ActiveScript filter names seem to be random however the EventFilters seem to start with “IE”, the ActiveScriptConsumers seem to start with “ACE” and “AVE” respectively.

Conclusion

This was a brief look at the leak, expect more details the coming days and weeks. It’s early to to conclude anything and I feel the we’ll all learn allot the coming days/weeks. There’s a good chance there are some more cool things in this dump. Especially the implants/payloads seem promising, information about those could allow organisation to detect breaches. It could also be used to implicate the NSA in breaches that have been investigated earlier but where investigators were unable to determine the actor.

Seeing the NSA tools makes me envious those are some well funded, skilled attackers. The exploits are very cool especially Eternalblue(MS17-010) which will be a popular way in for pentesters for a long time to come. I feel external systems will be either patched or pwned. The internal networks will remain, as often happens unpatched.

The fact that Microsoft patched most of the SMB related vulnerabilities feels strange to me. It’s almost too much of a coincidence. I’ve seen the following options pass me by on Twitter:

  • Shadowbrokers warned Microsoft
  • NSA warned Microsoft
  • Microsoft bruteforced an earlier dump

Don’t know about that last option as these files came in a new package, im unsure if there is one file containing all equation group data. Option one would not seem beneficial to an external entity as this dump would cause more havoc (and gain attention) if nothing was patched. So i feel the NSA may have tipped off Microsoft.

This third dump shows allot of Windows endpoint based exploits, at this moment its important that organizations keep the security patches up-to-date (intall MS17-010!). Next to this organizations must ask themselves whether they can be seen as a target of a nation state. Seeing the tools released in these dumps I can only conclude that if they want to they will get in. Preventing the initial breach is incredibly hard. By employing monitoring and extensive segmenation you could be able to detect any lateral movement. Invest in compartmentalizing your network and monitoring for suspicious behaviour (maybe use a honeypot :).