1.
Playing with FuzzBunch
and Danderspritz
-By deepanshu

2.
$whoami
• Certified android developer(udemy)
• 2nd year UIT RGPV student
• Member of juliar foundation
• can code in Java, python, juliar, c
• L33t at cybrary.it

3.
What to expect
• Who are shadowbroker?
• What did they do?
• Brief intro to lost in translation(5th leak)
• Playing with fuzzbunch and danderspritz
• Clever ways these tools are being used now

4.
Who are shadowbroker?
• A hacker group they published some National
Security Agency (NSA)'s equation group
hacking tools.
• First appeared in mid of august 2016
• However I have found reasons to believe that
its just 2 people who use to work for nsa as a
private contractor.

5.
How did they do it?
1. They found creators of stuxnet , flame
kaspersky called themselves Equation Group
2. They followed Equation Group traffic
3. They found Equation Group source
4. We find many many Equation Group cyber
weapons
They explained the attack in layman's
terms -

6.
They make it looks so easy ;)

7.
What does the experts say?

8.
Final leak “Lost in Translation”
• windows: contains Windows exploits,
implants and payloads
• swift: contains operational notes from
banking attacks, docs, excel files, ppt of some
attacks
• oddjob: is an implant builder that can deliver
exploits for Windows 2000 and later. Key
feature is that it is fully undetectable (FUD)

9.
These nsa exploits can target cisco Firewalls,
Windows OS, Windows Server, Solaris boxes
running versions 6 to 10, RedHat 7.0,

10.
Infected Solaris boxes

11.
However we will be focusing on
windows exploitation

12.
What is fuzzbuch and danderspritz?

13.
Fuzzbunch
• It is like metasploit written in python, xml and
java.
• It’s framework to launch exploits and interact
with the implants.

14.
Fuzzbunch Interface (Actually a CLI )

15.
Danderspritz
• Java-Based console from which compromised
computers can be managed.
• So Basically it’s a Remote Administration
tool(RAT).
• I have used it to make malicious dll files,
control the PeddleCheap / ExpandingPulley
implant.

16.
UI of danderspritz

17.
Setting up fuzzbunch
DEMO
https://youtu.be/LrI8mjCm_H0

18.
Important Directories and files

19.
What are we exploiting?
• The Server Message Block (SMB) protocol
• It is a network file sharing protocol(practically
used for storing configuration file of virtual
machine)
• CERTCC released information on a Server
Message Block (SMB) vulnerability affecting
Microsoft Windows
• Fuzzbunch uses this vulnerability to install
backdoor, inject dll, inject shellcode, etc

20.
How we are going to do?
1. Make malicious dll with danderspritz.
2. Use eternalblue(special) to make backdoor.
3. Use doublepulsar(payload) to inject dll.
4. Use Danderspritz to listen to connections

21.
For the demo we have 1 attacker machine and 1
victim
1. Windows 7 attacker
2. Windows 7 victim

22.
Enough theory lets start with another
DEMO

23.
Clever ways these exploits are used
1. Eternalblue without fuzzbunch
2. Making DoublePulsar and EternalBlue modules
Standalone like msfvenom
3. python script that uses EternalBlue to run
msfvenom output directly without ever installing
DoublePulsar
4. DoublePulsar detection script
5. Using Eternalblue in WannaCry v 2.0 ransomware

24.
Using auxiliary smb_ms17_010

25.
Meterpreter shell..!!

26.
Wannacry ransomware
• First appeared on feb 2017
• Now there is a follow-up version which uses
the SMBv2 remote code execution
vulnerability
• Same vulnerability is used by eternalblue
• It encrypts with rsa-2048 encryption private
key is created then sent to attacker and then
gets deleted from the victim machine

27.
Heat map
https://intel.malwaretech.com/botnet/wcrypt

28.
Accidental hero finds a kill switch
• Problem with this is that attacker can change the domain
and reuse it
• So its not very effective
• However there are ways to find out the kill switch domain in
every sample

29.
How to fix this issue
1. Installing security update MS17-010 windows
(best way)
2. Disable smb on your windows machine(ok way)
3. Blocking all incoming SMB traffic on port 445
4. Backup all your data in some external device

30.
Microsoft says -

31.
But they haven't given ms17-010 Security
update for some older version of windows.
So your best option is to use other 2 methods

32.
2.Disable smb on your windows
machine
• Go to control panel > Programs and features
• Go to turn ON/OFF windows features
• Uncheck the box SMB 1.0

33.
• However disabling smb protocol in not
recommended
• But its safer to do it when patches are not
available
• Blocking smb can only prevent the
ransomware from speading but patching
machine will make system resistant to attack

34.
3. Blocking all incoming SMB traffic
on port 445
Different wifi routers have interface but they
offer same functionality
• Go to 192.168.1.1
• Enter username password
• And find Application filter

35.
Blocking all incoming SMB traffic on port 445

36.
https://www.youtube.com/watch?v=ANbSctZVn
eQ&t=47s
Video demo on how to disable smb protocol and
block all traffic from port443 on wifi

37.
What to do if already infected?
• Wait...
• Eventually someone will find a decryption
key(you get 7 days)
• If one machine is infected then take it offline
or block incoming SMB traffic on port 445 to
stop it from spreading

38.
Should you pay the ransom?
• Well most users opt to pay
• Everytime a victim pays the malware creator
gets funded
• Some of this money is reinvested making
ramsomware smarter, more effective
• This is a vicious cycle

39.
So what to do?

40.
• Keeping in mind that prevention is better than
cure
• Install latest updates
• Make offline backup of all your data
• And lastly use your brain lol don’t just open
every attachment you get

41.
src
• https://technet.microsoft.com/library/security/MS17-
010#KBArticle
• https://gist.github.com/rain-
1/989428fa5504f378b993ee6efbc0b168
• https://medium.com/@shadowbrokerss
• https://github.com/x0rz/EQGRP/issues/16
• https://medium.com/@shadowbrokerss/theshadowbr
okers-message-3-af1b181b481
• https://blogs.technet.microsoft.com/mmpc/2017/05/1
2/wannacrypt-ransomware-worm-targets-out-of-date-
systems/
• https://blogs.technet.microsoft.com/msrc/2017/05/12
/customer-guidance-for-wannacrypt-attacks/

42.
Questions?

43.
Thank You for your time and attention!