Not too long ago the security community was rocked by yet another leak from the #ShadowBrokers, causing worldwide impact with point-and-click Domain Admin vulnerabilities. They affected nearly all dominant Windows operating systems and caused havoc when ransomware adapted this code to propagate worldwide! While some focused on the exploits, we took time to understand the Tactics, Techniques, and Procedures (TTPs) and how the owner of this toolkit operated within a given environment.
In this series we are going to cover the following:
- Environment setup and configuration
- Walk through an exploit scenario and tutorial
- Cover tradecraft and the advanced nature of the DanderSpritz agent
- Additional deep dive into components
This post will only cover portion one (1), as the material and setup are dense. The core purpose of this blog post goes beyond speculating whose tooling this was; it is about understanding how they conducted operations as a nation-state. It may shed light on how Red Teams can improve and how defense can evolve moving forward, as catching the next Zero-Day can be a bit hard 🙂
Windows Dump Lingo
If you have not been hip to the lingo, let's cover what each of these means and its primary role in the toolkit:
Fuzzbunch
Think of an advanced Metasploit framework: written in Python, it allows for module loading, exploit patching and deployment of those modules. We will be using this to launch EternalBlue, an SMBv1 Remote Code Execution (RCE) vulnerability that allows code execution in the Windows kernel.
EternalBlue
A set of exploits that targeted Windows operating systems and seems to be limited to SMB protocol exploitation, hence the name "Eternal", maybe? The tool-naming schema is a science of its own, and only the creators can explain the code name "Banana."
DoublePulsar
Of course, with exploits comes the Command & Control (C2) element of using such code. DoublePulsar provides the capability of actually implanting the target. Detailed analysis is well out of scope for this post, but trust me, it's an elegant implant that allowed for x86/x64 kernel-mode patching. The implant allowed a crafted packet to execute user-mode code from kernel space, making this type of development easy to extend with secondary payloads of choice.
PeddleCheap
While DoublePulsar is an implant, it was a bind-based stager built to allow a more heavyweight implant to be loaded for interactive operations. PeddleCheap (PC) serves that purpose, allowing an operator to go either interactive or into a longer-term sustainment engagement. Many of its features support monitoring and seem to imply long-term persistence within an environment.
DanderSpritz
Like a good whisky done neat, DanderSpritz (DS) is an acquired taste; its 2005 Java GUI feel is rustic yet powerful in the right hands! But there is quite a learning curve, as this thing is loaded with options! DS serves as the Listening Post (LP) and interactive component of the toolkit, extending the operator an easy-to-use CLI.
Properly setting up these toolsets requires a specific environment, and I highly recommend following the setup process to the letter, as I have had to rebuild a few times. Before setup you will need the following:
- VMware, Hyper-V, or any other hypervisor will most likely do
- Two Windows 7 VMs (unpatched)
I highly recommend VMware, as using linked VMs will help reduce disk space and setup time, since both the OP station and target use Windows 7.
Windows 7 Configuration
It's quite simple to set up the Win7 target host: just download an initial-release Win7 ISO from MSDN or another trusted source, of course, and install with the default configuration.
Target VM:
- Windows 7
- Turn off Windows Updates at install
- Windows firewall disabled
OP station VM:
- Windows 7
- Turn off Windows Updates at install
- Windows firewall disabled
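The lab target above is deliberately left in the state EternalBlue needs: SMBv1 server reachable, Windows Firewall off and updates switched off. From the defender's side, the useful companion is a quick audit that reports whether a production Windows 7-era host has drifted into that same state. The following PowerShell script is an added example, not code from the original post or from the leaked toolkit; the registry locations are the documented Windows 7 / Server 2008 R2 ones, netsh is used because the Get-NetFirewallProfile cmdlet does not exist on Windows 7, and the report format is this script's own.

```powershell
# Added example: audit a Windows 7-era host for the conditions the lab target
# above is intentionally left in (SMBv1 enabled, firewall off, updates off).
# Run from an elevated PowerShell prompt. Assumptions are noted inline.

$findings = @()

# 1. SMBv1 server. On Windows 7 the LanmanServer "SMB1" DWORD controls it;
#    a missing value means SMBv1 is enabled (the default on that OS).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    $findings += 'SMBv1 server enabled (LanmanServer\Parameters\SMB1 absent or non-zero)'
}

# 2. Is anything listening on TCP 445 at all? netstat works on every Windows version.
$listening445 = netstat -ano | Select-String -Pattern ':445\s+\S+\s+LISTENING'
if ($listening445) {
    $findings += 'TCP 445 is listening (SMB reachable if the firewall allows it)'
}

# 3. Windows Firewall state per profile, parsed from netsh output. The output has
#    a "<Name> Profile Settings:" header followed by a "State ON|OFF" line.
$fwOutput = netsh advfirewall show allprofiles state
$offProfiles = @()
$currentProfile = $null
foreach ($line in $fwOutput) {
    if ($line -match '^(\S+) Profile Settings:') {
        $currentProfile = $Matches[1]
    } elseif ($line -match '^State\s+OFF') {
        $offProfiles += $currentProfile
    }
}
if ($offProfiles.Count -gt 0) {
    $findings += ('Windows Firewall OFF for profile(s): ' + ($offProfiles -join ', '))
}

# 4. Automatic Updates. AUOptions = 1 means "never check for updates". The value
#    can be absent on a fresh install, which is reported separately so it is not
#    silently treated as "fine".
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auOptions = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).AUOptions
if ($auOptions -eq 1) {
    $findings += 'Automatic Updates disabled (AUOptions = 1)'
} elseif ($null -eq $auOptions) {
    $findings += 'Automatic Updates setting not found (AUOptions absent); verify manually'
}

# The Windows Update service itself. Win32_Service is used instead of Get-Service
# because PowerShell 2.0 (Windows 7) does not expose a StartType property.
$wuauserv = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
if ($wuauserv -and $wuauserv.StartMode -eq 'Disabled') {
    $findings += 'Windows Update service (wuauserv) is disabled'
}

# Report. A clean host prints a single OK line; anything else is a hardening gap.
if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME is not in the lab-target state"
} else {
    Write-Output "FINDINGS for $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Any host that reports the SMBv1 and firewall findings together is exactly the shape of box the rest of this series exploits, so those two lines are the ones worth wiring into whatever inventory or compliance tooling you already run.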
Once this image is configured and networked, you will need to install the following on the OP station:
- Python 2.6.6: https://www.python.org/download/releases/2.6.6/
- Place the Python directory in the PATH environment variable
- Install pywin32 build 221 for Python 2.6: https://sourceforge.net/projects/pywin32/files/pywin32/Build 221/pywin32-221.win32-py2.6.exe/download
- Download the following: https://github.com/fuzzbunch/fuzzbunch
- Create a D:\ drive to host the OPs disk using a simple volume.
- Create the LP folder required:
D:\>mkdir listening posts
- Follow the setup step-by-step as shown below, substituting your own IPs:
D:\>dir
 Volume in drive D is OPSDisk
 Volume Serial Number is 362F-0058

 Directory of D:\

11/05/2017  03:48 PM    <DIR>          Bin
04/26/2017  11:57 PM             1,204 configure_lp.py
< ----- SNIP ----- >
04/26/2017  11:57 PM                53 user.defaults.replay
              15 File(s)         66,803 bytes
              11 Dir(s)  692,101,120 bytes free

D:\>python fb.py
--[ Version 3.5.1
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
< ----- SNIP ----- >
[?] Default Target IP Address : 192.168.251.136
[?] Default Callback IP Address : 192.168.251.131
[?] Use Redirection [yes] : no
[?] Base Log directory [D:\logs] :
[?] Project :
  Index   Project
  -----   -------
  0       Create a New Project
[?] Project : 0
[?] New Project Name : PROJECT
[?] Set target log directory to 'D:\logs\project\z192.168.251.136'? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 192.168.251.136
[+] Set CallbackIp => 192.168.251.131
[!] Redirection OFF
[+] Set LogDir => D:\logs\project\z192.168.251.136
[+] Set Project => project
fb >
- Install Java 1.6: http://www.oldversion.com/windows/java-platform/
- Run the following to test execution of DP:
Please stick around for Part  which will cover usage and exploitation.