A quick look at the NSA exploits & Dander Spiritz trojan

4,311 reads

By that time you are probably aware that theshadowbrokers have leaked hacking tools from the NSA. In this blog post I’m going to play NSA agent and show you how a hacking OPS from the NSA would look like. We’re going to use exploits to take over a Windows 7 host and see what we can do with the Dander Spritiz tool from there.

If you want a list of the exploits & tools (to be updated) you can head over my Github page:

I setup a lab with 2 Windows 7 machines (32 Bit but should wokr on 64 too), one for the attacker and one for the victim. I am using the FIZZBUNCH tool from the leak which is some kind of exploit framework kinda like metasploit. Basically you use it to run exploits. Let’s use the ETERNALBLUE (MS07–10) exploits to take over the victim machine

After that we have several option. We can run shellcode on the machine or any .dll or .exe. In this case I wanted to try out the Dander Spiritz tool. It came with “pc_prep” another utility to generate payloads for Dander Spiritz A.K.A. PEDDLECHEAP.

complete output https://gist.github.com/misterch0c/ec4b10cebabd9ba6ec0df8fb21822498

Now that we have our dll payload we can start the listener in Dander Spiritz:

Upload our payload to the target using DOUBLEPULSAR:

And now we have a connection:

Just after the connection an automatic “survey” is launched. It basically collects information about the system, tries to crack passwords, look for “PSP” (Personal Security Products) etc and saves everything into log files.

PSP found

After the connection is made you have different options with Dander Spiritz GUI such as taking screenshots, browsing files, managing processes etc.

But the most interesting parts are the plugins in the “Terminal” window.

Here are some of them:

logedit : edit Windows event logs

YAK: install keylogger

ripper: steal information from Skype, Firefox & Chrome

runassystem: does what it says

Here’s a full list of all the commands

Voilà, that was just a quick overview. There are a lot more exploits and files to look into and I’m sure what researchers will find in the future will be interesting (:

YAK Keylogger in action

Taking a screenshot of the victim’s desktop

Tags