A quick look at the NSA exploits & DanderSpritz trojan, by @MisterCh0c

April 16th 2017
By now you are probably aware that The Shadow Brokers have leaked hacking tools from the NSA. In this post I'm going to play NSA operator and show what an operation with these tools looks like: we'll use the leaked exploits to take over a Windows 7 host and see what the DanderSpritz tool can do from there.

If you want a list of the exploits & tools (to be updated), head over to my GitHub page:

misterch0c/shadowbroker: The Shadow Brokers "Lost In Translation" leak (github.com)

I set up a lab with two Windows 7 machines (32-bit, but it should work on 64-bit too), one for the attacker and one for the victim. I am using the FUZZBUNCH tool from the leak, which is an exploit framework a bit like Metasploit: basically you use it to configure and run the exploits. Let's use the ETERNALBLUE exploit (MS17-010, the SMBv1 bug) to take over the victim machine.


After that we have several options. We can run shellcode on the machine, or any .dll or .exe. In this case I wanted to try out DanderSpritz. It comes with pc_prep, another utility that generates payloads for PEDDLECHEAP, the implant DanderSpritz talks to.

[image: complete pc_prep output]

Now that we have our DLL payload we can start the listener in DanderSpritz:


Upload the payload DLL to the target with DOUBLEPULSAR, the kernel backdoor that ETERNALBLUE leaves behind:

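The flip side of this step is the check a defender wants: DOUBLEPULSAR hooks the SMB Trans2 SESSION_SETUP path, and its reply to a probe can be told from a clean server's by the Multiplex ID (a clean server echoes the 0x41 the scanner sent, the implant answers 0x51). The following is an added example, not code from the original post or from the leak; the SMB packets in it are constructed for the example, and field layout follows the SMB1 header, so only the Multiplex ID check is specific to the implant.

```python
"""Added example (not from the original post or the leak): fingerprint a
DOUBLEPULSAR reply in raw SMB1 bytes by its Multiplex ID.
The packets below are constructed; real ones would come from a socket
or a pcap.
"""
import struct

NBT_HEADER_LEN = 4          # NetBIOS session service header
SMB_HEADER_LEN = 32         # fixed SMB1 header
SMB_COM_TRANSACTION2 = 0x32
MID_CLEAN = 0x41            # a normal SMB server echoes the probe's MID
MID_DOUBLEPULSAR = 0x51     # the implant answers with this MID


def parse_smb_header(packet: bytes) -> dict:
    """Split a raw NetBIOS-session + SMB1 packet into header fields."""
    if len(packet) < NBT_HEADER_LEN + SMB_HEADER_LEN:
        raise ValueError("packet too short for an SMB1 header")
    hdr = packet[NBT_HEADER_LEN:NBT_HEADER_LEN + SMB_HEADER_LEN]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    # Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2) SecurityFeatures(8)
    # Reserved(2) TID(2) PIDLow(2) UID(2) MID(2), all little-endian
    (command, status, flags, flags2, pid_high, signature, _reserved,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", hdr[4:])
    return {
        "command": command, "status": status, "flags": flags,
        "flags2": flags2, "pid": (pid_high << 16) | pid_low,
        "signature": signature, "tid": tid, "uid": uid, "mid": mid,
    }


def classify_trans2_response(packet: bytes) -> str:
    """Return 'doublepulsar', 'clean' or 'unexpected' for a Trans2 reply."""
    hdr = parse_smb_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr["mid"] == MID_DOUBLEPULSAR:
        return "doublepulsar"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unexpected"


def build_trans2_response(mid: int, status: int = 0) -> bytes:
    """Construct a minimal Trans2 reply (sample data for this example only)."""
    smb = b"\xffSMB" + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_TRANSACTION2, status,
        0x98,          # Flags: reply, canonical paths, case-insensitive
        0xC807,        # Flags2: unicode strings, NT status codes, ...
        0, b"\x00" * 8, 0,
        0x0800,        # TID
        0xFEFF,        # PID low
        0x0800,        # UID
        mid,
    )
    body = b"\x00\x00\x00"   # WordCount = 0, ByteCount = 0
    payload = smb + body
    # NetBIOS session header: type 0x00, then 3-byte big-endian length
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed samples: what a clean host and an implanted host answer
# to the same SESSION_SETUP probe sent with Multiplex ID 0x41.
CLEAN_REPLY = build_trans2_response(MID_CLEAN)
IMPLANT_REPLY = build_trans2_response(MID_DOUBLEPULSAR)

if __name__ == "__main__":
    for name, pkt in (("clean host", CLEAN_REPLY), ("implanted host", IMPLANT_REPLY)):
        print(f"{name}: {classify_trans2_response(pkt)}")
```

To use this against a live host you still have to speak enough SMB1 to get to a Trans2 request (negotiate, anonymous session setup, tree connect to IPC$), which is what the public DOUBLEPULSAR scanners do; the classification above is the part that actually decides. Hosts that have been patched for MS17-010 but were implanted before patching still answer 0x51 until reboot, since the implant lives in memory only.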

And now we have a connection:


Right after the connection an automatic "survey" is launched. It collects information about the system, tries to crack passwords, looks for "PSPs" (Personal Security Products, i.e. antivirus and similar) and so on, and saves everything into log files.

[image: PSP found]

Once the connection is made, the DanderSpritz GUI offers options such as taking screenshots, browsing files and managing processes.

But the most interesting part is the plugins in the "Terminal" window.

Here are some of them:

  • logedit: edits Windows event logs
  • YAK: installs a keylogger
  • ripper: steals information from Skype, Firefox & Chrome
  • runassystem: does what it says
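The logedit plugin is the one a defender should worry about most, because editing individual entries does not write the "log cleared" event (ID 1102) that a wholesale wipe does. What it cannot avoid is the record numbering: Windows assigns every entry in a log a monotonically increasing EventRecordID, so an export from which entries were dropped or hidden shows holes in that sequence. The following is an added example, not code from the original post or from DanderSpritz; the event records in it are constructed in the shape of `wevtutil qe Security /f:xml` output and wrapped in a root element so they parse as one document.

```python
"""Added example (not from the original post or DanderSpritz): find holes
in the EventRecordID sequence of an exported Windows event log.
The records below are constructed for this example.
"""
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: five Security events in the shape of
# 'wevtutil qe Security /f:xml' output, wrapped in <Events> for parsing.
# Record IDs 1042 and 1044..1046 are missing, as if four entries had
# been removed from the log without clearing it.
SAMPLE_EXPORT = """<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><EventRecordID>1040</EventRecordID><TimeCreated SystemTime='2017-04-16T10:00:01Z'/></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><EventRecordID>1041</EventRecordID><TimeCreated SystemTime='2017-04-16T10:00:05Z'/></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4688</EventID><EventRecordID>1043</EventRecordID><TimeCreated SystemTime='2017-04-16T10:00:09Z'/></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><EventRecordID>1047</EventRecordID><TimeCreated SystemTime='2017-04-16T10:00:20Z'/></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4634</EventID><EventRecordID>1048</EventRecordID><TimeCreated SystemTime='2017-04-16T10:00:22Z'/></System></Event>
</Events>
"""


def parse_export(xml_text: str) -> list:
    """Return sorted (record_id, event_id, time_created) tuples for each <Event>."""
    root = ET.fromstring(xml_text)
    rows = []
    for ev in root.iter(EVT_NS + "Event"):
        system = ev.find(EVT_NS + "System")
        rid = int(system.findtext(EVT_NS + "EventRecordID"))
        eid = int(system.findtext(EVT_NS + "EventID"))
        when = system.find(EVT_NS + "TimeCreated").get("SystemTime")
        rows.append((rid, eid, when))
    return sorted(rows)


def find_record_gaps(record_ids) -> list:
    """Return (first_missing, last_missing) for every hole in the sequence."""
    gaps = []
    ids = sorted(set(record_ids))
    for prev, nxt in zip(ids, ids[1:]):
        if nxt > prev + 1:
            gaps.append((prev + 1, nxt - 1))
    return gaps


def audit_export(xml_text: str) -> dict:
    """Summarise an export: record count, holes, and whether it was cleared."""
    rows = parse_export(xml_text)
    gaps = find_record_gaps(r[0] for r in rows)
    return {
        "records": len(rows),
        "gaps": gaps,
        "missing": sum(hi - lo + 1 for lo, hi in gaps),
        # Event 1102 is what a full 'clear log' writes; a surgical edit
        # avoids it, which is exactly why the gap check is needed.
        "log_cleared": any(r[1] == 1102 for r in rows),
    }


if __name__ == "__main__":
    result = audit_export(SAMPLE_EXPORT)
    print(f"{result['records']} records, {result['missing']} missing "
          f"in {len(result['gaps'])} gap(s): {result['gaps']}")
```

Run it over an unfiltered export of a single log: a query filtered by Event ID or time range produces holes of its own and will give false positives. A gap only says that records are absent from the export; whether they were deleted, overwritten by normal log rotation, or merely hidden in place is a question for the .evtx file itself, from which hidden records can often still be carved.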

Here’s a

Voilà, that was just a quick overview. There are many more exploits and files to look into, and I'm sure what researchers find in the future will be interesting (:

[image: YAK keylogger in action]

[image: Taking a screenshot of the victim's desktop]
