NSA DanderSpritz test guide - Trojan generation and testing - 3gstudent - good in study, attitude and health

Posted by bassolino at 2020-03-04

0x00 Preface

DanderSpritz is the NSA's GUI remote-control tool. It is built on the FuzzBunch framework and is started by running start.jar.

During actual testing, the lack of documentation caused many problems, and some of the details are worth studying in depth.

This article therefore answers those questions, shares testing experience, and analyzes defense ideas based on the characteristics of the Trojans it generates.

0x01 Introduction

This article will introduce the following:

0x02 Actual test

Test environment:

Install the following tools:

1. Download FuzzBunch

Reference link:

https://github.com/3gstudent/fuzzbunch

Note:

I forked the public fuzzbunch project (https://github.com/fuzzbunch/fuzzbunch), added some content and fixed a bug. The details are described later.

2. Run start.jar directly

As shown in the figure.

When setting the startup parameters, the log directory must use a fixed format: C:\logs\XXX (XXX can be any name).

Otherwise an error is reported, as shown in the following figure.

Note:

Some analysis articles on the internet say that you must first use fb.py to generate a log file and then point start.jar at that directory. In fact this is not necessary; the path only has to be in the correct format.

3. Execute pc_prep to configure the Trojan

Entering pc_prep produces the output shown below.

Note:

During testing, many people find that entering pc_prep produces no output, as shown in the following figure.

Reason:

The copy of the tool in the freely downloadable dump at

https://github.com/x0rz/EQGRP_Lost_in_Translation

is missing files, which causes the error.

The correct download location is:

https://github.com/fuzzbunch/fuzzbunch

However, even this copy needs the missing files to be supplemented before it works properly.

I forked the project above and completed the missing files. Downloading from my GitHub solves the problem; the address is:

https://github.com/3gstudent/fuzzbunch

Supplement:

In earlier testing I used the buggy version. Although pc_prep produced no output, pc2.2_prep could still generate Trojans, as shown in the following figure.

But those Trojans could not connect.

Guessed reason:

Pc is a newer version than Pc2.2, and the older version is no longer supported.

\Resources\Pc2.2\Version.xml shows: PeddleCheap 2.2.0.2

This indicates that the PeddleCheap version corresponding to Pc2.2 is 2.2.0.2.

\Resources\Pc\Version.xml shows: PeddleCheap 2.3.0

This indicates that the PeddleCheap version corresponding to Pc is 2.3.0.

Note:

PeddleCheap is the component that handles communication with the Trojan; it is shown on the main DanderSpritz panel.

4. Trojan classification

The types of Trojans that can be selected are as follows:

By platform:

By file format:

By communication protocol:

By function:

By level:

Note:

According to actual testing, the level indicates the connection direction:

Level3 is a reverse connection: the control end listens on a port and waits for the Trojan to connect back.

Level4 is a forward (bind) connection: the target host listens on a port and waits for the control end to connect to it.

5. Trojan test

Representative types were selected for testing.

(1) Level3, option 3) - Standard TCP (i386 WinNT level3 exe)

Operation is the same as for an ordinary reverse-connection Trojan.

Note:

Two files are generated under the log directory: PC_Level3_exe.base and PC_Level3_exe.configured

PC_Level3_exe.base is the template file copied from \Resources\Pc\Level3\i386-winnt\release

PC_Level3_exe.configured is the file with the configuration parameters written in.

The two files are the same size, but differ at specific locations, as shown in the following figure.

(2) Level3, option 6) - HTTP proxy (x64 WinNT level3 sharedlib)

PC_Level3_http_dll.configured is generated according to the configuration (not detailed here; refer to other articles).

Loading methods:

1. Use DoublePulsar to load the DLL

(not covered here; refer to other articles)

2. Load the DLL manually

Use dumpbin to view the DLL's exported functions, as shown below.

The export at ordinal 1 is named rst32.

That is, we can try to load the DLL directly with rundll32.

The command line is as follows:

rundll32 PC_Level3_http_dll.configured,rst32

The Trojan connects back normally.

Note:

For the HTTP-protocol Trojan, remember to select HTTP when setting the listener protocol.

(3) Level4, option 17) - Standard TCP (i386 WinNT level4 exe)

PC_Level4_exe.configured is generated according to the configuration (advanced mode can be used to specify a fixed listening port).

After starting the exe, run netstat -ano to see that the fixed port is open.

On the DanderSpritz control end, select PeddleCheap connect, select the IP, and fill in the port corresponding to the Level4 Trojan.

This is a forward (bind) connection.

(4) Level4, option 9) - Standard TCP generic (i386 WinNT level4 sharedlib)

PC_Level4_dll.configured is generated according to the configuration (advanced mode can be used to specify a fixed listening port).

Its exported functions are shown below.

In other words, loading directly through rundll32 is not supported.

Guess:

Level4 Trojans are meant to keep running in the background, so for stealth this function is not supported.

One test method for loading the DLL: APC injection.

As shown in the figure below, the DLL loads successfully and opens the listening port.

Reference code:

https://github.com/3gstudent/Inject-dll-by-APC/blob/master/test.cpp

Note:

The injecting program needs administrator privileges; otherwise the listening port cannot be opened because of a permission problem.

Another test method for loading the DLL: Application Compatibility Shims.

Please refer to the following link:

https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Compatibility-Shims/

As shown in the figure below, the DLL loads successfully and opens the listening port.

(5) Level4, option 11) - Standard TCP appcompat enabled (i386 WinNT level4 sharedlib)

From the literal meaning, it is speculated that Application Compatibility Shims are supported.

Comparing the generic and appcompat-enabled variants:

The two are the same size; the difference is that appcompat enabled has one additional exported function, gethookapis, as shown in the following figure.
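The export checks above (ordinal 1 = rst32 on the Level3 HTTP DLL, and the extra gethookapis export on the appcompat-enabled Level4 DLL) were done with dumpbin. The following is an added example, written for this page and not part of DanderSpritz or dumpbin, that reads the PE export directory with only the Python standard library, so the same check can be scripted on any host. build_sample_dll() constructs a minimal, non-loadable PE image so the script runs offline; the export names in that sample are assumed for the demo, and a real DLL path can be passed as the first argument instead.

```python
import struct
import sys


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_exports(data):
    """Return [(ordinal, name_or_None, function_rva)] for a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # DataDirectory starts at +96 (PE32) or +112 (PE32+); entry 0 is the export directory.
    exp_rva = struct.unpack_from("<I", data, opt_off + (112 if magic == 0x20B else 96))[0]
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt_off + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return []                                                # nothing for rundll32 to call
    e = _rva_to_offset(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY fields from +16: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
    base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIIII", data, e + 16)
    funcs_off = _rva_to_offset(funcs_rva, sections)
    funcs = [struct.unpack_from("<I", data, funcs_off + 4 * i)[0] for i in range(n_funcs)]
    names = {}
    if n_names:
        names_off = _rva_to_offset(names_rva, sections)
        ords_off = _rva_to_offset(ords_rva, sections)
        for i in range(n_names):
            name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]   # index into the function table
            names[idx] = _cstring(data, _rva_to_offset(name_rva, sections))
    return [(base + i, names.get(i), rva) for i, rva in enumerate(funcs) if rva != 0]


def build_sample_dll(export_names, pe32plus=True):
    """Construct a minimal PE image (headers plus one .edata section) that contains only
    an export directory for export_names. Test input only: no code, not loadable."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs_rva = sec_va + 40                     # tables follow the 40-byte export directory
    names_rva, ords_rva = funcs_rva + 4 * n, funcs_rva + 8 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva + len(strings), 1, n, n,
                       funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body = (body + strings + b"sample.dll\0").ljust(sec_raw, b"\0")
    opt_size = 240 if pe32plus else 224
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(112 if pe32plus else 96, b"\0")
    opt = (opt + struct.pack("<II", sec_va, len(body))).ljust(opt_size, b"\0")
    sec = b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), sec_va, sec_raw,
                                                   sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(sec_raw, b"\0") + body


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:   # constructed sample; export names assumed for the demo
        data = build_sample_dll(["rst32", "gethookapis"])
    for ordinal, name, rva in list_exports(data):
        print(f"{ordinal:>5}  {rva:#010x}  {name or '(by ordinal only)'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python list_exports.py PC_Level3_http_dll.configured`; an empty result is exactly the generic Level4 case above, where rundll32 has no entry point to call, and a diff of the two Level4 listings shows the extra export without opening dumpbin.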

0x03 Trojan functions

After the Trojan connects successfully, information collection starts automatically and returns a variety of detailed information.

A more user-friendly touch is that it automatically asks the user whether to elevate privileges.

After checking that the environment is safe, it asks the user whether to dump hashes.

When information collection is complete, enter help to see the supported operations.

Note:

The help output is incomplete; enter aliases to see more commands.

help <command> gives a description of the specific command.

For example, entering help eventlogedit produces the output shown in the figure.

1. Log operation functions

The commands for log operations are as follows:

The specific functions are as follows:

eventlogquery:

Lists the event logs and queries information about all of them, including time and record count.

You can also query the information of a specified log, including time and record count. The command is as follows:

eventlogquery -log Setup

This operation is equivalent to

wevtutil.exe gli setup

Note:

wevtutil.exe is included in the operating system by default.

eventlogfilter:

Views the content of a specified log.

The command is as follows:

eventlogfilter -log Setup -num 19

This operation is equivalent to

wevtutil qe /f:text setup

eventlogedit:

Deletes a single log record.

The command is as follows:

eventlogedit -log Setup -record 1

Note: the record number can be obtained through eventlogfilter.

At the time of writing there was no public tool that supported this operation. Later public research by Fox-IT (December 2017) showed that a record removed this way is not overwritten in the .evtx file but only hidden by resizing the preceding record, so it can be recovered by forensic tools.

eventlogclear:

Deletes all contents of the specified log.

The command is as follows:

eventlogclear -log Microsoft-Windows-Dhcpv6-Client/Admin

This operation is equivalent to

wevtutil cl Microsoft-Windows-Dhcpv6-Client/Admin
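Because eventlogedit removes records one at a time while eventlogclear empties a whole log (and Windows itself logs that clearing as event 1102 in Security or 104 in System), the simplest defender-side check for single-record deletion is a hole in the otherwise contiguous EventRecordID sequence. The following is an added example, not DanderSpritz code, that reads the XML printed by `wevtutil qe <log> /f:xml` and reports such holes. SAMPLE is a constructed stand-in for that output, not a real capture; pass a saved export as the first argument to run it on real data.

```python
import sys
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _event(record_id, event_id=2, channel="Setup"):
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
        f"<Provider Name='Microsoft-Windows-Servicing'/><EventID>{event_id}</EventID>"
        f"<EventRecordID>{record_id}</EventRecordID><Channel>{channel}</Channel>"
        "</System><EventData/></Event>"
    )


# Constructed sample of `wevtutil qe Setup /f:xml` output: record 19 is missing.
SAMPLE = "".join(_event(r) for r in (17, 18, 20, 21))


def record_ids(wevtutil_xml):
    """Return the EventRecordID of every <Event>, in file order. wevtutil prints a bare
    sequence of <Event> elements with no document root, so one is added before parsing."""
    root = ET.fromstring("<Events>" + wevtutil_xml + "</Events>")
    ids = []
    for ev in root.iter(NS + "Event"):
        rid = ev.find(NS + "System/" + NS + "EventRecordID")
        if rid is not None and rid.text:
            ids.append(int(rid.text))
    return ids


def find_gaps(ids):
    """Return [(first_missing, last_missing)] for every hole in the sorted ID sequence."""
    ordered = sorted(set(ids))
    return [(prev + 1, cur - 1) for prev, cur in zip(ordered, ordered[1:]) if cur - prev > 1]


def main(argv):
    if len(argv) > 1:
        # Assumption: the export was saved as UTF-8; adjust to match how it was redirected.
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE
    ids = record_ids(text)
    print(f"{len(ids)} records, IDs {min(ids)}..{max(ids)}")
    for first, last in find_gaps(ids):
        print(f"record(s) {first}..{last} missing: review this log for individual deletion")


if __name__ == "__main__":
    main(sys.argv)
```

A gap is a lead, not proof: corroborate it against the raw .evtx (the hidden record bytes are still there, per the Fox-IT finding) and against other logs covering the same time window before concluding that eventlogedit was used.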

0x04 Ideas for detecting and removing the Trojans

DanderSpritz generates its Trojans as follows:

Template files are stored in the folders \Resources\Pc\Level3 and \Resources\Pc\Level4, with parameter slots reserved at fixed locations; when a Trojan is generated, the configuration is written into a copy of the template at those locations.

At present antivirus software already identifies and removes these template files. At the same time, the source code of the template files is not public, which also raises the bar for malicious use.
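The generation scheme just described, together with the observation in section 0x02 (1) that PC_Level3_exe.base and PC_Level3_exe.configured have the same size and differ only at specific locations, suggests a concrete check. The following is an added example, written for this page and not DanderSpritz's or any vendor's code: diff_regions() reports where a .base and a .configured file differ, i.e. the configuration slots, and template_fingerprint() hashes a file with those slots zeroed, so every configured variant of one template produces the same hash and can be matched regardless of callback address or port. TEMPLATE and make_configured() are a constructed stand-in with assumed slot offsets, not real implant bytes; pass the two real files as arguments to run it on them.

```python
import hashlib
import sys

# Constructed template: 512 bytes of filler with a 32-byte host slot at offset 64 and a
# 2-byte port slot at offset 120, both zero until a Trojan is "configured".
_t = bytearray(bytes(range(256)) * 2)
_t[64:96] = bytes(32)
_t[120:122] = bytes(2)
TEMPLATE = bytes(_t)


def make_configured(host, port):
    """Stand-in for pc_prep writing parameters into a copy of the template."""
    buf = bytearray(TEMPLATE)
    buf[64:64 + len(host)] = host
    buf[120:122] = port.to_bytes(2, "little")
    return bytes(buf)


def diff_regions(a, b, merge_gap=4):
    """Return [(offset, length)] ranges where a and b differ. Differing runs separated by
    fewer than merge_gap identical bytes are reported as one region, so a slot whose old
    and new values happen to share a byte is not split in two."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    regions, start, last = [], None, None
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if start is None:
            start = i
        elif i - last > merge_gap:
            regions.append((start, last - start + 1))
            start = i
        last = i
    if start is not None:
        regions.append((start, last - start + 1))
    return regions


def template_fingerprint(data, regions):
    """SHA-256 of data with the configurable regions zeroed: stable across variants."""
    buf = bytearray(data)
    for off, length in regions:
        buf[off:off + length] = bytes(length)
    return hashlib.sha256(buf).hexdigest()


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f, open(argv[2], "rb") as g:
            base, configured = f.read(), g.read()
    else:
        base, configured = TEMPLATE, make_configured(b"192.168.1.1", 4444)
    regions = diff_regions(base, configured)
    for off, length in regions:
        print(f"slot at {off:#06x} ({length} bytes): {configured[off:off + length].hex()}")
    print("template fingerprint:", template_fingerprint(configured, regions))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python template_diff.py PC_Level3_exe.base PC_Level3_exe.configured`. The slot list doubles as a parser for the implant's callback configuration, and the fingerprint is the value to store for matching: a sample whose masked hash equals the template's came from that template, whatever parameters it was given.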

Recommendations for ordinary users:

These measures can prevent attacks with this tool.

0x05 Summary

This article shared testing experience with DanderSpritz, hoping to help readers understand it better for technical research. Some specific usage details and sections have been omitted to prevent the tool from being abused.