A short presentation on the latest dump of NSA tools by the Shadow Brokers hacker group: how the attack works and how to prevent it. Also covers the new WannaCry 2.0 ransomware.

Playing with FuzzBunch and Danderspritz

  1. Playing with FuzzBunch and Danderspritz - By deepanshu
  2. $whoami • Certified Android developer (Udemy) • 2nd year UIT RGPV student • Member of the Juliar Foundation • Can code in Java, Python, Juliar, C • L33t at
  3. What to expect • Who are the Shadow Brokers? • What did they do? • Brief intro to Lost in Translation (5th leak) • Playing with FuzzBunch and Danderspritz • Clever ways these tools are being used now
  4. Who are the Shadow Brokers? • A hacker group that published hacking tools of the National Security Agency (NSA)'s Equation Group • First appeared in mid-August 2016 • However, I have found reasons to believe that it's just 2 people who used to work for the NSA as private contractors.
  5. How did they do it? 1. They found the creators of Stuxnet and Flame, whom Kaspersky called the Equation Group 2. They followed Equation Group traffic 3. They found Equation Group source 4. They found many, many Equation Group cyber weapons They explained the attack in layman's terms -
  6. They make it look so easy ;)
  7. What do the experts say?
  8. Final leak "Lost in Translation" • windows: contains Windows exploits, implants and payloads • swift: contains operational notes from banking attacks, docs, Excel files and PowerPoints of some attacks • oddjob: an implant builder that can deliver exploits for Windows 2000 and later. Its key feature is that it is fully undetectable (FUD)
  9. These NSA exploits can target Cisco firewalls, Windows OS, Windows Server, Solaris boxes running versions 6 to 10, RedHat 7.0,
  10. Infected Solaris boxes
  11. However, we will be focusing on Windows exploitation
  12. What are FuzzBunch and Danderspritz?
  13. FuzzBunch • It is like Metasploit, written in Python, XML and Java. • It's a framework to launch exploits and interact with the implants.
  14. FuzzBunch interface (actually a CLI)
  15. Danderspritz • Java-based console from which compromised computers can be managed. • So basically it's a Remote Administration Tool (RAT). • I have used it to make malicious DLL files and control the PeddleCheap / ExpandingPulley implant.
  16. UI of Danderspritz
  17. Setting up FuzzBunch DEMO
  18. Important directories and files
  19. What are we exploiting? • The Server Message Block (SMB) protocol • It is a network file sharing protocol (practically used for storing configuration files of virtual machines) • CERT/CC released information on a Server Message Block (SMB) vulnerability affecting Microsoft Windows • FuzzBunch uses this vulnerability to install a backdoor, inject a DLL, inject shellcode, etc.
  20. How are we going to do it? 1. Make a malicious DLL with Danderspritz. 2. Use EternalBlue (special) to make a backdoor. 3. Use DoublePulsar (payload) to inject the DLL. 4. Use Danderspritz to listen for connections
  21. For the demo we have 1 attacker machine and 1 victim 1. Windows 7 attacker 2. Windows 7 victim
  22. Enough theory, let's start with another DEMO
  23. Clever ways these exploits are used 1. EternalBlue without FuzzBunch 2. Making the DoublePulsar and EternalBlue modules standalone, like msfvenom 3. A Python script that uses EternalBlue to run msfvenom output directly without ever installing DoublePulsar 4. DoublePulsar detection script 5. Using EternalBlue in the WannaCry v2.0 ransomware
  24. Using auxiliary smb_ms17_010
  25. Meterpreter shell..!!
  26. WannaCry ransomware • First appeared in Feb 2017 • Now there is a follow-up version which uses the SMBv2 remote code execution vulnerability • The same vulnerability is used by EternalBlue • It encrypts with RSA-2048: a private key is created, sent to the attacker, and then deleted from the victim machine
  27. Heat map
  28. Accidental hero finds a kill switch • The problem with this is that the attacker can change the domain and reuse it • So it's not very effective • However, there are ways to find out the kill switch domain in every sample
  29. How to fix this issue 1. Install the MS17-010 security update for Windows (best way) 2. Disable SMB on your Windows machine (OK way) 3. Block all incoming SMB traffic on port 445 4. Back up all your data on some external device
  30. Microsoft says -
  31. But they have not released the MS17-010 security update for some older versions of Windows. So your best option is to use the other 2 methods
  32. 2. Disable SMB on your Windows machine • Go to Control Panel > Programs and Features • Go to Turn Windows features on or off • Uncheck the SMB 1.0 box
  33. • However, disabling the SMB protocol is not recommended • But it's safer to do it when patches are not available • Blocking SMB can only prevent the ransomware from spreading, but patching the machine will make the system resistant to the attack
  34. 3. Block all incoming SMB traffic on port 445 Different Wi-Fi routers have different interfaces, but they offer the same functionality • Go to • Enter username and password • And find Application filter
  35. Blocking all incoming SMB traffic on port 445
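The three fixes above (patch, disable SMB 1.0, block inbound 445) are shown in the slides as clicks through Control Panel and a router's admin page. The following script is an added example, not part of the presentation, that does the same audit and hardening on the host itself from an elevated PowerShell prompt. It assumes the SMB and NetSecurity cmdlets available on Windows 8 / Server 2012 and later, and falls back to the LanmanServer registry value and netsh on Windows 7. The KB numbers in $Ms17010Kbs are the Windows 7 SP1 / Server 2008 R2 updates from the MS17-010 bulletin and are only a partial check: other Windows versions use different KB numbers and later cumulative updates supersede these, so "not found" does not prove the host is unpatched.

```powershell
# Added example (not from the presentation): audit and harden a Windows host
# against the SMBv1 / port 445 attack path. Run elevated. With $Apply = $false
# the script only reports; set it to $true to apply the changes.
$Apply = $false

# MS17-010 KBs for Windows 7 SP1 / Server 2008 R2 (security-only and monthly
# rollup). Adjust for other OS versions; absence is a hint, not proof.
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # Fix 1: is one of the known MS17-010 updates present?
    $found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$found
}

function Test-Smb1Enabled {
    # Fix 2 (check): Windows 8 / Server 2012+ expose the SMB server settings as cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 fallback: the SMB1 DWORD under LanmanServer\Parameters;
    # when the value is absent, SMB1 is enabled by default.
    $value = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    # Fix 2 (apply): same change the slide makes via "Turn Windows features on or off".
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
        # The registry change on Windows 7 takes effect after a reboot.
    }
}

function Test-Port445Listening {
    # netstat exists on every Windows version; look for a TCP listener on 445.
    $lines = netstat -an | Select-String -Pattern 'TCP\s+\S+:445\s+\S+\s+LISTENING'
    return [bool]$lines
}

function Block-InboundSmb {
    # Fix 3: block inbound TCP 445 at the host firewall. This also blocks
    # legitimate file sharing *to* this host, which is the intended trade-off.
    $ruleName = 'Block inbound SMB 445 (MS17-010 mitigation)'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block | Out-Null
        }
    } else {
        # Windows 7 has no NetSecurity module; netsh advfirewall does the same job.
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

# Report the current exposure, then optionally remediate.
$patched   = Test-Ms17010Installed
$smb1On    = Test-Smb1Enabled
$listening = Test-Port445Listening
Write-Host ("MS17-010 KB found   : {0}" -f $patched)
Write-Host ("SMBv1 enabled       : {0}" -f $smb1On)
Write-Host ("TCP 445 listening   : {0}" -f $listening)

if ($Apply) {
    if ($smb1On) { Disable-Smb1 }
    Block-InboundSmb
    Write-Host 'Mitigations applied. Reboot for the SMB1 change to take full effect.'
} elseif ($smb1On -or $listening) {
    Write-Host 'Host is exposed; set $Apply = $true to disable SMB1 and block inbound 445.'
}
```

The firewall rule mirrors slide 33's caveat: blocking 445 stops the worm from reaching this host but does nothing for a host that is already running the implant, and it breaks inbound file sharing, so the patch remains the real fix and the block is the stop-gap for machines without one.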
  37. What to do if already infected? • Wait... • Eventually someone will find a decryption key (you get 7 days) • If one machine is infected, take it offline or block incoming SMB traffic on port 445 to stop it from spreading
  38. Should you pay the ransom? • Well, most users opt to pay • Every time a victim pays, the malware creator gets funded • Some of this money is reinvested, making ransomware smarter and more effective • This is a vicious cycle
  39. So what to do?
  40. • Keeping in mind that prevention is better than cure • Install the latest updates • Make an offline backup of all your data • And lastly, use your brain lol, don't just open every attachment you get
  42. Questions?
  43. Thank you for your time and attention!