Playing with FuzzBunch
and Danderspritz
-By deepanshu
$whoami
• Certified Android developer (Udemy)
• 2nd year UIT RGPV student
• Member of the Juliar foundation
• Can code in Java, Python, Juliar, C
• L33t at cybrary.it
What to expect
• Who are the Shadow Brokers?
• What did they do?
• Brief intro to Lost in Translation (the 5th leak)
• Playing with FuzzBunch and Danderspritz
• Clever ways these tools are being used now
Who are the Shadow Brokers?
• A hacker group that published some of the National
Security Agency (NSA) Equation Group's hacking tools.
• First appeared in mid-August 2016
• However, I have found reasons to believe that
it's just 2 people who used to work for the NSA as
private contractors.
How did they do it?
1. They found the creators of Stuxnet and Flame,
whom Kaspersky called the Equation Group
2. They followed Equation Group traffic
3. They found Equation Group source
4. "We find many many Equation Group cyber
weapons"
They explained the attack in layman's
terms -
They make it look so easy ;)
What do the experts say?
Final leak "Lost in Translation"
• windows: contains Windows exploits,
implants and payloads
• swift: contains operational notes from
banking attacks, docs, Excel files, PPTs of some
attacks
• oddjob: an implant builder that can deliver
exploits for Windows 2000 and later. Its key
feature is that it is fully undetectable (FUD)
These NSA exploits can target Cisco firewalls,
Windows OS, Windows Server, Solaris boxes
running versions 6 to 10, RedHat 7.0,
Infected Solaris boxes
However, we will be focusing on
Windows exploitation
What are FuzzBunch and Danderspritz?
FuzzBunch
• It is like Metasploit, written in Python, XML and
Java.
• It's a framework to launch exploits and interact
with the implants.
FuzzBunch interface (actually a CLI)
Danderspritz
• Java-based console from which compromised
computers can be managed.
• So basically it's a Remote Administration
Tool (RAT).
• I have used it to make malicious DLL files and
control the PeddleCheap / ExpandingPulley
implant.
UI of Danderspritz
Setting up FuzzBunch
DEMO
https://youtu.be/LrI8mjCm_H0
Important directories and files
What are we exploiting?
• The Server Message Block (SMB) protocol
• It is a network file sharing protocol (practically
used for storing the configuration files of virtual
machines)
• CERT/CC released information on a Server
Message Block (SMB) vulnerability affecting
Microsoft Windows
• FuzzBunch uses this vulnerability to install a
backdoor, inject DLLs, inject shellcode, etc.
How are we going to do it?
1. Make a malicious DLL with Danderspritz.
2. Use EternalBlue (special) to make a backdoor.
3. Use DoublePulsar (payload) to inject the DLL.
4. Use Danderspritz to listen for connections
For the demo we have 1 attacker machine and 1
victim
1. Windows 7 attacker
2. Windows 7 victim
Enough theory, let's start with another
DEMO
Clever ways these exploits are used
1. EternalBlue without FuzzBunch
2. Making the DoublePulsar and EternalBlue modules
standalone, like msfvenom
3. A Python script that uses EternalBlue to run
msfvenom output directly without ever installing
DoublePulsar
4. DoublePulsar detection script
5. Using EternalBlue in WannaCry v2.0 ransomware
Using auxiliary smb_ms17_010
Meterpreter shell..!!
WannaCry ransomware
• First appeared in Feb 2017
• Now there is a follow-up version which uses
the SMBv2 remote code execution
vulnerability
• The same vulnerability is used by EternalBlue
• It encrypts with RSA-2048: a private key is
created, then sent to the attacker and then
deleted from the victim machine
Heat map
https://intel.malwaretech.com/botnet/wcrypt
Accidental hero finds a kill switch
• The problem with this is that the attacker can change the domain
and reuse it
• So it's not very effective
• However, there are ways to find out the kill switch domain in
every sample
How to fix this issue
1. Install the MS17-010 security update for Windows
(best way)
2. Disable SMB on your Windows machine (ok way)
3. Block all incoming SMB traffic on port 445
4. Back up all your data on some external device
Microsoft says -
But they haven't given the MS17-010 security
update for some older versions of Windows.
So your best option is to use the other 2 methods
2. Disable SMB on your Windows
machine
• Go to Control Panel > Programs and Features
• Go to Turn Windows features on or off
• Uncheck the box SMB 1.0
• However, disabling the SMB protocol is not
recommended
• But it's safer to do it when patches are not
available
• Blocking SMB can only prevent the
ransomware from spreading, but patching the
machine will make the system resistant to attack
3. Blocking all incoming SMB traffic
on port 445
Different WiFi routers have different interfaces, but they
offer the same functionality
• Go to 192.168.1.1
• Enter username and password
• Find the Application filter
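The same two mitigations (disable SMBv1, block inbound port 445) applied on the Windows host itself, as an added example that is not part of the slides. It assumes an elevated PowerShell prompt and uses a placeholder for the MS17-010 KB number, which differs per Windows build.

```powershell
# Added example (not from the slides): host-side versions of mitigations 2 and 3.
# Run from an elevated PowerShell prompt. The KB number is a placeholder.
#Requires -RunAsAdministrator

$Ms17010Kb = 'KB<number-for-your-build>'   # placeholder: look up the MS17-010 KB for this build

# 1. Patching is the real fix: check whether the MS17-010 update is present.
if (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue) {
    Write-Host "$Ms17010Kb is installed; the host is patched against EternalBlue."
} else {
    Write-Warning "$Ms17010Kb not found; install it, or apply the mitigations below."
}

# 2. Disable the SMBv1 server (the protocol version EternalBlue targets).
#    SMBv2/3 stay enabled, so normal file sharing keeps working.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2 (the demo's target OS): same effect via the
    # LanmanServer registry value; a reboot is needed for it to take effect.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# 3. Block inbound SMB at the host firewall: TCP 445, plus 139 for NetBIOS sessions.
$RuleName = 'Block inbound SMB (MS17-010 mitigation)'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort 445,139 -Action Block
} else {
    # Windows 7 lacks the NetSecurity cmdlets; netsh does the same job.
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=445,139
}

# 4. Verify the rule is in place (works on every supported Windows version).
netsh advfirewall firewall show rule name="$RuleName"
```

Blocking 445 on the host stops the worm from reaching the SMB service from the network; it does not remove the vulnerable code, so the patch check in step 1 is still the one that matters.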
Blocking all incoming SMB traffic on port 445
https://www.youtube.com/watch?v=ANbSctZVneQ&t=47s
Video demo on how to disable the SMB protocol and
block all traffic from port 443 on WiFi
What to do if already infected?
• Wait...
• Eventually someone will find a decryption
key (you get 7 days)
• If one machine is infected, take it offline
or block incoming SMB traffic on port 445 to
stop it from spreading
Should you pay the ransom?
• Well, most users opt to pay
• Every time a victim pays, the malware creator
gets funded
• Some of this money is reinvested, making
ransomware smarter and more effective
• This is a vicious cycle
So what to do?
• Keep in mind that prevention is better than
cure
• Install the latest updates
• Make an offline backup of all your data
• And lastly, use your brain lol, don't just open
every attachment you get
src
• https://technet.microsoft.com/library/security/MS17-010#KBArticle
• https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
• https://medium.com/@shadowbrokerss
• https://github.com/x0rz/EQGRP/issues/16
• https://medium.com/@shadowbrokerss/theshadowbrokers-message-3-af1b181b481
• https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
• https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Questions?
Thank You for your time and attention!