A quick look at the NSA exploits & Dander Spiritz trojan

Written by MisterCh0c | Published 2017/04/16
Tech Story Tags: programming | hacking | infosec | nsa | shadowbrokers

TLDRvia the TL;DR App

By that time you are probably aware that theshadowbrokers have leaked hacking tools from the NSA. In this blog post I’m going to play NSA agent and show you how a hacking OPS from the NSA would look like. We’re going to use exploits to take over a Windows 7 host and see what we can do with the Dander Spritiz tool from there.

If you want a list of the exploits & tools (to be updated) you can head over my Github page:

misterch0c/shadowbroker_shadowbroker - The Shadow Brokers "Lost In Translation" leak_github.com

I setup a lab with 2 Windows 7 machines (32 Bit but should wokr on 64 too), one for the attacker and one for the victim. I am using the FIZZBUNCH tool from the leak which is some kind of exploit framework kinda like metasploit. Basically you use it to run exploits. Let’s use the ETERNALBLUE (MS07–10) exploits to take over the victim machine

After that we have several option. We can run shellcode on the machine or any .dll or .exe. In this case I wanted to try out the Dander Spiritz tool. It came with “pc_prep” another utility to generate payloads for Dander Spiritz A.K.A. PEDDLECHEAP.

complete output https://gist.github.com/misterch0c/ec4b10cebabd9ba6ec0df8fb21822498

Now that we have our dll payload we can start the listener in Dander Spiritz:

Upload our payload to the target using DOUBLEPULSAR:

And now we have a connection:

https://gist.github.com/misterch0c/d75509a699ec1f518b6978ab0968af54

Just after the connection an automatic “survey” is launched. It basically collects information about the system, tries to crack passwords, look for “PSP” (Personal Security Products) etc and saves everything into log files.

PSP found

After the connection is made you have different options with Dander Spiritz GUI such as taking screenshots, browsing files, managing processes etc.

But the most interesting parts are the plugins in the “Terminal” window.

Here are some of them:

  • logedit : edit Windows event logs
  • YAK: install keylogger
  • ripper: steal information from Skype, Firefox & Chrome
  • runassystem: does what it says

Here’s a full list of all the commands

Voilà, that was just a quick overview. There are a lot more exploits and files to look into and I’m sure what researchers will find in the future will be interesting (:

YAK Keylogger in action

Taking a screenshot of the victim’s desktop

Published by HackerNoon on 2017/04/16
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy