
NSA Firewall Hacking Toolkit.


gobzi:

kewl


Scar0ptics:

I'm sure they have a lot of documented zero-day attacks for a lot of vendors (Cisco, Fortinet, Juniper, etc.), especially the most popular commercial IOSes. That's why I like open source IOSes: you can implement or patch anything you find yourself, recompile the image and flash it to the system's memory; you have more control over what you have and a better chance of having an exploit they have already patched.


Huitzilopochtli:

There are exploits in there for installing new NSA versions of your IOS, so they can take back that control.

It's also interesting that a lot of the exploits target web servers on the remote devices. Many of them, such as EGBL and ELBO, seem to use ETags (which are returned in HTTP responses) to identify or fingerprint the software/firmware versions running on the remote device and to verify whether or not an exploit has been successful.

From ELBO:

    The device returns wacky, invalid ETags sometimes. This file just records
    the "normal" looking parts (without "" and other characters). E.g.:

    device ETag            | this file
    -----------------------|------------------
    "e8-569-46b6b873"      | e8-569-46b6b873
    "3991-583-4727f5a3"    | 3991-583-4727f5a3
    W/"55b-583-47958bb3"   | 55b-583-47958bb3
    W/"55f-583-47e0a4a8"   | 55f-583-47e0a4a8
    W/"600-5e7-494fd7a7"   | 600-5e7-494fd7a7
    W/"69a-5e7-49c3697f"   | 69a-5e7-49c3697f

There are config files linking ETags to different hardware/firmware versions and specifying (depending on the exploit) different parameters for the exploit, such as a URL or a stack address.

EGBL.config:

    #########################################################
    # ETags
    #   desired format is five fields:
    #   ETAG = <ETag> : 0x<stack addr> : <hw model> : <gen> : <firmware>
    #   generation is 3 or 4 or 4nc
    #   four fields legacy format (default firmware generation 3):
    #   ETAG = <ETag> : 0x<stack addr> : <hw model> : <firmware>
    #   two fields legacy format (default firmware generation 3):
    #   ETAG = <ETag> : 0x<stack addr>
    #   if line has # BLATSTING comment, implant is available
    #########################################################

which is followed by long lists of ETAGs:

    # model 80C
    ETAG = 4a4a955b : 0xbffff270 : 80C : 3 : 0744 # BLATSTING
    ETAG = 4ace863a : 0xbffff270 : 80C : 3 : 0750 # BLATSTING
    ETAG = 4b3185d6 : 0xbffff270 : 80C : 3 : 0752 # BLATSTING

These are then presumably used by the scripts to automatically identify the correct version of the exploit to use.

There's enough crap in here to keep me occupied for months; compelling stuff, man.
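To make the ETag-keyed version lookup described in the post above concrete, here is an added example of my own (not code from the leaked toolkit or from anyone in this thread). It normalizes a raw ETag header the way the ELBO note does (drop the W/ weak-validator prefix and the quotes), parses ETAG lines in the five-, four- and two-field formats quoted from EGBL.config, honours the "# BLATSTING" comment, and maps an observed ETag to its entry. The sample config text is constructed for the example: the three 80C lines are the ones quoted above, while the "80F", "deadbeef" and "cafef00d" lines are made up to exercise the legacy formats.

```python
# Added example: ETag normalization and EGBL.config-style table lookup.
# Not the toolkit's own code; the sample config below is constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class EtagEntry:
    etag: str                # bare ETag token as stored in the config
    stack_addr: int          # the 0x<stack addr> field, parsed as an integer
    hw_model: Optional[str]  # None for the two-field legacy format
    gen: Optional[str]       # firmware generation: "3", "4" or "4nc"
    firmware: Optional[str]  # None for the two-field legacy format
    implant: bool            # True when the line carries a "# BLATSTING" comment


# Constructed sample in EGBL.config's format. The 80C lines are the quoted
# ones; the 80F / deadbeef / cafef00d lines are hypothetical.
SAMPLE_CONFIG = """\
#########################################################
# ETags (constructed sample)
#########################################################
# model 80C
ETAG = 4a4a955b : 0xbffff270 : 80C : 3 : 0744 # BLATSTING
ETAG = 4ace863a : 0xbffff270 : 80C : 3 : 0750 # BLATSTING
ETAG = 4b3185d6 : 0xbffff270 : 80C : 3 : 0752
# model 80F (hypothetical): four-field legacy line, generation defaults to 3
ETAG = deadbeef : 0xbffff1c0 : 80F : 0801
# two-field legacy line (hypothetical): only ETag and stack address
ETAG = cafef00d : 0xbffff2a0
"""


def normalize_etag(header_value: str) -> str:
    """Reduce a raw ETag header value to the bare token the config stores.

    Drops the weak-validator prefix W/ and the surrounding double quotes,
    exactly as the ELBO table does: W/"55b-583-47958bb3" -> 55b-583-47958bb3.
    """
    value = header_value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')


def parse_config(text: str) -> Dict[str, EtagEntry]:
    """Parse ETAG lines in the five-, four- and two-field formats.

    Comment lines (starting with #) are skipped. A trailing "# BLATSTING"
    comment on an ETAG line marks the implant as available for that version.
    """
    entries: Dict[str, EtagEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("ETAG"):
            continue
        body, _, comment = line.partition("#")
        key, _, value = body.partition("=")
        if key.strip() != "ETAG":
            continue
        fields = [f.strip() for f in value.split(":")]
        if len(fields) not in (2, 4, 5):
            raise ValueError(f"unexpected field count in line: {line!r}")
        etag = fields[0]
        stack_addr = int(fields[1], 16)          # int() accepts the 0x prefix
        hw_model = fields[2] if len(fields) >= 4 else None
        if len(fields) == 5:
            gen, firmware = fields[3], fields[4]
        elif len(fields) == 4:
            gen, firmware = "3", fields[3]       # legacy default: generation 3
        else:
            gen, firmware = "3", None
        entries[etag] = EtagEntry(etag, stack_addr, hw_model, gen, firmware,
                                  "BLATSTING" in comment)
    return entries


def lookup(entries: Dict[str, EtagEntry], header_value: str) -> Optional[EtagEntry]:
    """Map a raw ETag header from a device's HTTP response to a config entry."""
    return entries.get(normalize_etag(header_value))


if __name__ == "__main__":
    table = parse_config(SAMPLE_CONFIG)
    # Constructed responses, one per host, as a scanner would collect them.
    observed = {"10.0.0.1": 'W/"4ace863a"', "10.0.0.2": '"4b3185d6"', "10.0.0.3": '"00000000"'}
    for host, etag in observed.items():
        hit = lookup(table, etag)
        if hit is None:
            print(f"{host}: ETag {etag} not in table")
        else:
            print(f"{host}: model {hit.hw_model} fw {hit.firmware} "
                  f"stack=0x{hit.stack_addr:x} implant={'yes' if hit.implant else 'no'}")
```

The same table is just as useful from the defender's side: run `lookup` over the ETag your own device or web server returns and you can see whether a stock firmware's ETag, which is the same on every box running that image, identifies you to a mass scanner before any exploit is even attempted.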


Scar0ptics:

I have ETags disabled on my server for that reason. Yeah, a lot of their vulnerability searching is just done through scanning vendor-like tags. It is faster to do it that way, and they would be able to scan the masses through an automated system that would create logs of all server IPs that would be vulnerable.
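A concrete form of what Scar0ptics describes, added here as an example and not taken from this thread: on Apache httpd the default `FileETag MTime Size` (Apache 2.2 defaulted to `INode MTime Size`, which also leaks the inode number) produces exactly the kind of mtime/size-derived token the tables above key on, identical on every host serving the same file from the same image. `FileETag None` stops httpd generating it for static files, and `Header unset ETag` (mod_headers) strips any ETag set by another module or backend. The nginx equivalent is `etag off;`.

```apache
# Weak (Apache 2.4 default): ETag derived from the file's mtime and size.
# Same firmware image, same file, same ETag on every box -> fingerprintable.
# FileETag MTime Size

# Hardened: emit no ETag for file responses, and strip any set elsewhere
# (mod_headers must be loaded for the Header directive).
FileETag None
Header unset ETag
```

The caveat is that you lose `If-None-Match` conditional requests, so clients fall back to `If-Modified-Since` against `Last-Modified`; for a management interface on a firewall that is a non-issue, for a busy static site it may cost some cache efficiency.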


rex_mundi:

LOL at the IP address in the BookishMute scripts; interestingly, it also has a log-cleaning entry with a date stamp from 2007.

    # the forum ate the "$_" before "=~"; single quotes keep the shell from expanding it
    perl -n -e 'print if ($_ =~ s/(fw_sys.exe|autoexec.bat|ngfw.dat|fw_lic.dat|kernel|loadlin.exe|\.o$|xxxxx\.[01]|fw_run|fw_init|rootfs|fw_servd|fw_upd|fw_servd|fw_auth|fw_env|fw_log|fwsyslogd|iked|cert)/-get \1/)' /current/down/Firewall.159.226.209.125.find.sorted.timem

http://www.ipgeni.com/all/159.226.209


Huitzilopochtli:

Some nice rambling broken-English lols from everyone's favourite pretend Russians, the ShadowBrokers, can be read here: https://medium.com/@shadowbrokerss/message-5-trick-or-treat-e43f946f93e6#.rqqs7gxnj

It also contains a link to another data dump, which includes 352 distinct IP addresses and 306 domain names compromised by the NSA over the past 10 years. https://mega.nz/#F!D1Q2EQpD!Lb09shM5XMZsQ_5_E1l4eQ https://yadi.sk/d/NCEyJQsBxrQxz Password = payus

And some analysis from researchers can be read here, for people too paranoid to download the files. https://www.flashpoint-intel.com/shadow-brokers-trick-treat-leak/ https://www.myhackerhouse.com/hacker-halloween-inside-shadow-brokers-leak/


SuQuay_FuQuay:

What's the point of making those IPs public? Surely the owners will now remove the 'backdoors', and so buying the tools to take control of them will be pointless.


rex_mundi:

Some of those sites were compromised as far back as 2000, so the chances are the backdoors were long gone before these IPs were made public.

Those servers were probably used as staging posts for the NSA to launch further attacks, probably internally as well as externally, so if those IPs appear anywhere in your old company or university logs, then chances are they were targeting you as well.