NSA Firewall Hacking Toolkit.
Contains some nice Python scripts, as well as tutorials for the installation and operation of the exploits contained therein, as used by our friends at the NSA.
File contents:
“Without a doubt, they’re the keys to the kingdom,” one former NSA employee told The Washington Post. http://www.foxnews.com/politics/2016/08/17/nsas-website-goes-down-amid-hacking-fears.html *tee-hee*
I'm sure they have a lot of documented zero-day attacks for a lot of vendors (Cisco, Fortinet, Juniper, etc.), especially the most popular commercial IOSes. That's why I like open source IOSes: you can implement or patch anything you find yourself, recompile the image and flash it to the system's memory; you have more control over what you have and a better chance of having an exploit they have already patched.
There are exploits in there for installing new NSA versions of your IOS, so they can take back that control.
It's also interesting that a lot of the exploits target web servers on the remote devices. Many of them, such as EGBL and ELBO, seem to use ETags (which are returned in HTTP responses) to identify or fingerprint the software/firmware versions running on the remote device and to verify whether or not an exploit has been successful.
From ELBO:
The device returns wacky, invalid ETags sometimes. This file just records
the "normal" looking parts (without "" and other characters). E.g.:
device ETag           | this file
----------------------|------------------
"e8-569-46b6b873"     | e8-569-46b6b873
"3991-583-4727f5a3"   | 3991-583-4727f5a3
W/"55b-583-47958bb3"  | 55b-583-47958bb3
W/"55f-583-47e0a4a8"  | 55f-583-47e0a4a8
W/"600-5e7-494fd7a7"  | 600-5e7-494fd7a7
W/"69a-5e7-49c3697f"  | 69a-5e7-49c3697f
There are config files linking ETags to different hardware/firmware versions, and specifying (depending on the exploit) different parameters for the exploit, such as url or stack address.
EGBL.config:
#########################################################
ETags
desired format is five fields:
ETAG = <ETag> : 0x<stack addr> : <hw model> : <gen> : <firmware generation is 3 or 4 or 4nc
four fields legacy format (default firmware generation 3):
ETAG = <ETag> : 0x<stack addr> : <hw model> : <firmware>
two fields legacy format (default firmware generation 3):
ETAG = <ETag> : 0x<stack addr>
if line has # BLATSTING comment, implant is available
#########################################################
which is followed by long lists of ETAGs:
model 80C
ETAG = 4a4a955b : 0xbffff270 : 80C : 3 : 0744 # BLATSTING
ETAG = 4ace863a : 0xbffff270 : 80C : 3 : 0750 # BLATSTING
ETAG = 4b3185d6 : 0xbffff270 : 80C : 3 : 0752 # BLATSTING
These are then presumably used by the scripts to automatically identify the correct version of the exploit to use.
There's enough crap in here to keep me occupied for months; compelling stuff, man.
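To make the ETag-fingerprinting mechanism described above concrete, here is an added example (written for this page, not code from the leaked toolkit) that parses EGBL.config ETAG lines in the three formats the header comment describes, strips HTTP ETag headers down to the "normal looking" core the ELBO note records, and looks a device's ETag up in the resulting table. The three five-field lines in the sample are the ones quoted from EGBL.config; the four- and two-field lines are constructed values that only exercise the legacy formats, and how the real exploit scripts consume the table is an assumption.

```python
"""Added example for this thread (not code from the leaked toolkit): parse the
EGBL.config ETAG table, normalise raw HTTP ETag headers the way the ELBO note
does, and resolve a device's ETag to its table entry.  Only the line grammar
and the three five-field sample lines come from the post; everything else is
an assumption made for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample config.  The 80C five-field lines are quoted from
# EGBL.config in the post; the four-field and two-field lines are made up
# here to exercise the legacy formats described in the header comment.
SAMPLE_CONFIG = """\
#########################################################
ETags
ETAG = <ETag> : 0x<stack addr> : <hw model> : <gen> : <firmware generation is 3 or 4 or 4nc
if line has # BLATSTING comment, implant is available
#########################################################
model 80C
ETAG = 4a4a955b : 0xbffff270 : 80C : 3 : 0744 # BLATSTING
ETAG = 4ace863a : 0xbffff270 : 80C : 3 : 0750 # BLATSTING
ETAG = 4b3185d6 : 0xbffff270 : 80C : 3 : 0752 # BLATSTING
ETAG = 4c0d1234 : 0xbffff260 : 80C : 0760
ETAG = 4d0e5678 : 0xbffff250
"""

VALID_GENERATIONS = ("3", "4", "4nc")
_ETAG_LINE = re.compile(r"^ETAG\s*=\s*(.*)$")


@dataclass(frozen=True)
class EtagEntry:
    etag: str                  # normalised ETag core, e.g. 4a4a955b
    stack_addr: int            # the 0x<stack addr> field
    hw_model: Optional[str]    # absent in the two-field legacy format
    firmware_gen: str          # 3, 4 or 4nc; legacy formats default to 3
    firmware: Optional[str]    # absent in the two-field legacy format
    implant_available: bool    # True when the line carries a # BLATSTING comment


def normalize_etag(header_value: str) -> str:
    """Strip the weak-validator prefix W/ and the surrounding quotes, so that
    W/"55b-583-47958bb3" and "55b-583-47958bb3" both become 55b-583-47958bb3,
    i.e. the 'this file' column of the ELBO note."""
    value = header_value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')


def parse_etag_line(line: str) -> Optional[EtagEntry]:
    """Parse one ETAG line; return None for header, blank and 'model' lines."""
    body, _, comment = line.partition("#")      # trailing comment, if any
    m = _ETAG_LINE.match(body.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(":")]
    if any("<" in f for f in fields):
        return None                             # grammar line from the header block
    if len(fields) == 5:                        # current five-field format
        etag, addr, model, gen, fw = fields
    elif len(fields) == 4:                      # legacy: generation defaults to 3
        etag, addr, model, fw = fields
        gen = "3"
    elif len(fields) == 2:                      # legacy: ETag and stack address only
        etag, addr = fields
        model = fw = None
        gen = "3"
    else:
        raise ValueError(f"ETAG line has {len(fields)} fields: {line!r}")
    if gen not in VALID_GENERATIONS:
        raise ValueError(f"unknown firmware generation {gen!r}: {line!r}")
    if not addr.lower().startswith("0x"):
        raise ValueError(f"stack address must be 0x-prefixed: {line!r}")
    return EtagEntry(normalize_etag(etag), int(addr, 16), model, gen, fw,
                     "BLATSTING" in comment)


def parse_config(text: str) -> Dict[str, EtagEntry]:
    """Build a lookup table keyed by ETag core from a whole EGBL.config."""
    table: Dict[str, EtagEntry] = {}
    for line in text.splitlines():
        entry = parse_etag_line(line)
        if entry is not None:
            table[entry.etag] = entry
    return table


def lookup(table: Dict[str, EtagEntry], header_value: str) -> Optional[EtagEntry]:
    """Resolve the ETag header of an HTTP response to its table entry, or None
    when the build is unknown (not listed, or a firmware the table predates)."""
    return table.get(normalize_etag(header_value))


if __name__ == "__main__":
    table = parse_config(SAMPLE_CONFIG)
    for hdr in ('"4a4a955b"', 'W/"4c0d1234"', '"deadbeef"'):
        print(hdr, "->", lookup(table, hdr))
```

The same normalisation is the defensive check in reverse: if your own device's ETag header, after stripping W/ and quotes, appears in a table like this, the fingerprint alone tells a scanner which stack address and firmware generation to use.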
I have ETags disabled on my server for that reason. Yeah, a lot of their vulnerability searching is just done by scanning for vendor-like tags. It is faster to do it that way, and they would be able to scan the masses through an automated system that would create logs of all server IPs that would be vulnerable.
lol at the IP address in the BookishMute scripts; interestingly, it also has a log-cleaning entry with a date stamp from 2007
perl -n -e 'print if ($_ =~ s/(fw_sys.exe|autoexec.bat|ngfw.dat|fw_lic.dat|kernel|loadlin.exe|\.o$|xxxxx\.[01]|fw_run|fw_init|rootfs|fw_servd|fw_upd|fw_servd|fw_auth|fw_env|fw_log|fwsyslogd|iked|cert)/-get $1/)' /current/down/Firewall.159.226.209.125.find.sorted.timem
http://www.ipgeni.com/all/159.226.209
Some nice rambling broken-English lols from everyone's favourite pretend Russians, the ShadowBrokers, can be read here: https://medium.com/@shadowbrokerss/message-5-trick-or-treat-e43f946f93e6#.rqqs7gxnj
It also contains a link to another data dump which includes 352 distinct IP addresses and 306 domain names compromised by the NSA over the past 10 years.
https://mega.nz/#F!D1Q2EQpD!Lb09shM5XMZsQ_5_E1l4eQ
https://yadi.sk/d/NCEyJQsBxrQxz
Password = payus
And some analysis from researchers can be read here, for people too paranoid to download the files:
https://www.flashpoint-intel.com/shadow-brokers-trick-treat-leak/
https://www.myhackerhouse.com/hacker-halloween-inside-shadow-brokers-leak/
Some of those sites were compromised as far back as 2000, so the chances are the backdoors were long gone before these IPs were made public.
Those servers were probably used as staging posts for the NSA to launch further attacks, probably internally as well as externally, so if those IPs appear anywhere in your old company or university logs, then chances are they were targeting you as well.