NSA / CIA

What we know the NSA can do so far:

PRISM, Tempora, Boundless Informant, XKeyscore

  • It can track the numbers of both parties on a phone call, as well as location, time and duration. (More)
  • It can hack Chinese phones and text messages. (More)
  • It can set up fake internet cafes. (More)
  • It can spy on foreign leaders' cell phones. (More)
  • It can tap underwater fiber-optic cables. (Clarification: Shane Harris explains that there were reports the NSA was trying to tap directly into cables using submarines, but is now more likely trying to intercept information once it has reached land.) (More)
  • It can track communication within media organizations like Al Jazeera. (More)
  • It can hack into the UN video conferencing system. (More)
  • It can track bank transactions. (More)
  • It can monitor text messages. (More)
  • It can access your email, chat, and web browsing history. (More)
  • It can map your social networks. (More)
  • It can access your smartphone app data. (More)
  • It is trying to get into secret networks like Tor, diverting users to less secure channels. (More)
  • It can go undercover within embassies to have closer access to foreign networks. (More)
  • It can set up listening posts on the roofs of buildings to monitor communications in a city. (More)
  • It can set up a fake LinkedIn. (More)
  • It can track the reservations at upscale hotels. (More)
  • It can intercept the talking points for Ban Ki-moon’s meeting with Obama. (More)
  • It can crack cellphone encryption codes. (More)
  • It can hack computers that aren’t connected to the internet using radio waves. (Update: Clarification -- the NSA can access offline computers through radio waves on which it has already installed hidden devices.) (More)
  • It can intercept phone calls by setting up fake base stations. (More)
  • It can remotely access a computer by setting up a fake wireless connection. (More)
  • It can install fake SIM cards to then control a cell phone. (More)
  • It can fake a USB thumb drive that's actually a monitoring device. (More)
  • It can crack all types of sophisticated computer encryption. (Update: It is trying to build this capability.) (More)
  • It can go into online games and monitor communication. (More)
  • It can intercept communications between aircraft and airports. (More)
  • (Update 1/18) It can physically intercept deliveries, open packages, and make changes to devices. (More) (h/t)
  • (Update 1/18) It can tap into the links between Google and Yahoo data centers to collect email and other data. (More) (h/t)
  • (Update 4/2) It can monitor, in real time, YouTube views and Facebook "Likes." (More)
  • (Update 4/2) It can monitor online behavior through free Wi-Fi at Canadian airports. (More)
  • (Update 4/2) It can shut down chat rooms used by Anonymous and identify Anonymous members. (More)
  • (Update 4/2) It can use real-time data to help identify and locate targets for US drone strikes. (More)
  • (Update 4/2) It can collect the IP addresses of visitors to the Wikileaks website. (More)
  • (Update 4/2) It can spy on US law firms representing foreign countries in trade negotiations. (More)
  • (Update 4/2) It can post false information on the Internet in order to hurt the reputation of targets. (More)
  • (Update 4/2) It can intercept and store webcam images. (More)
  • (Update 4/2) It can record phone calls and replay them up to a month later. (More)
  • (Update 6/2) It can harvest images from emails, texts, videoconferencing and more and feed them into facial recognition software. (More)

Exploits:

  • EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit
  • EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86.
  • ECHOWRECKER remote Samba 3.0.x Linux exploit.
  • EASYBEE appears to be an MDaemon email server vulnerability
  • EASYFUN EasyFun 2.2.0 Exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6
  • EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
  • EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2
  • EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
  • ETERNALROMANCE is an SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)
  • EDUCATEDSCHOLAR is an SMB exploit (MS09-050)
  • EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 (MS10-061)
  • EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2
  • ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users
  • EPICHERO 0-day exploit (RCE) for Avaya Call Server
  • ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003
  • ETERNALSYNERGY is an SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)
  • ETERNALBLUE is an SMBv2 exploit for Windows 7 SP1 (MS17-010)
  • ETERNALCHAMPION is an SMBv1 exploit
  • ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
  • ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
  • ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)
  • ETRE is an exploit for IMail 8.10 to 8.22
  • ETCETERABLUE is an exploit for IMail 7.04 to 8.05
  • FUZZBUNCH is an exploit framework, similar to Metasploit
  • ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors
  • EXPIREDPAYCHECK IIS6 exploit
  • EAGERLEVER NBT/SMB exploit for Windows NT4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release
  • EASYFUN WorldClient / IIS 6.0 exploit
  • ESSAYKEYNOTE
  • EVADEFRED

Utilities:

  • PASSFREELY is a utility which "Bypasses authentication for Oracle servers"
  • SMBTOUCH checks whether the target is vulnerable to Samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE
  • ERRATICGOPHERTOUCH checks whether the target is running an RPC service
  • IISTOUCH checks whether the running IIS version is vulnerable
  • RPCTOUCH gets info about Windows via RPC
  • DOPU is used to connect to machines exploited by ETERNALCHAMPION
  • NAMEDPIPETOUCH is a utility to test for a predefined list of named pipes, mostly for AV detection. The user can add checks for custom named pipes.

Firewall tools

The “Equation” firewall tools that have been “gathered” aka leaked from the NSA tools box:

  • EGREGIOUSBLUNDER A remote code execution exploit for Fortigate firewalls that exploits an HTTP cookie overflow vulnerability. It affects models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A. The model of the firewall is detected by examining the ETag in the HTTP headers of the firewall. This is not CVE-2006-6493 as detected by Avast.
  • ELIGIBLEBACHELOR An exploit for TOPSEC firewalls running the TOS operating system, affecting versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. The attack vector is unknown but it has an XML-like payload that starts with .
  • ELIGIBLEBOMBSHELL A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability, affecting versions 3.2.100.010.1_pbc_17_iv_3 to 3.3.005.066.1. Version detection by ETag examination.
  • WOBBLYLLAMA A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.002.030.8_003.
  • FLOCKFORWARD A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.005.066.1.
  • HIDDENTEMPLE A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.2.8840.1.
  • CONTAINMENTGRID A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.3.005.066.1.
  • GOTHAMKNIGHT A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.2.100.010.8_pbc_27. Has no BLATSTING support.
  • ELIGIBLECANDIDATE A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1.
  • ELIGIBLECONTESTANT A remote code execution exploit for TOPSEC firewalls that exploits an HTTP POST parameter injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1. This exploit can be tried after ELIGIBLECANDIDATE.
  • EPICBANANA A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices. Exploitation takes advantage of default Cisco credentials (password: cisco). Affects ASA versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 and PIX versions 711, 712, 721, 722, 723, 724, 804.
  • ESCALATEPLOWMAN A privilege escalation exploit against WatchGuard firewalls of unknown versions that injects code via the ifconfig command.
  • EXTRABACON A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices affecting ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844. It exploits an overflow vulnerability using the Simple Network Management Protocol (SNMP) and relies on knowing the target's uptime and software version.
  • BOOKISHMUTE An exploit against an unknown firewall using Red Hat 6.0.
  • FALSEMOREL Allows for the deduction of the "enable" password from data freely offered by an unspecified firewall (likely Cisco) and obtains privileged level access using only the hash of the "enable" password. Requires telnet to be installed on the firewall's inside interface.

Implants

  • BLATSTING A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC).
  • BANANAGLEE A non-persistent firewall software implant for Cisco ASA and PIX devices that is installed by writing the implant directly to memory. Also mentioned in the previously leaked NSA ANT catalogue.
  • BANANABALLOT A BIOS module associated with an implant (likely BANANAGLEE).
  • BEECHPONY A firewall implant that is a predecessor of BANANAGLEE.
  • JETPLOW A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE. Also mentioned in the previously leaked NSA ANT catalogue.
  • SCREAMINGPLOW Similar to JETPLOW.
  • BARGLEE A firewall software implant. Unknown vendor.
  • BUZZDIRECTION A firewall software implant for Fortigate firewalls.
  • FEEDTROUGH A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper NetScreen firewalls. Also mentioned in the previously leaked NSA ANT catalogue.
  • JIFFYRAUL A module loaded into Cisco PIX firewalls with BANANAGLEE.
  • BANNANADAIQUIRI An implant associated with SCREAMINGPLOW. Yes, banana is spelled with three Ns this time.
  • POLARPAWS A firewall implant. Unknown vendor.
  • POLARSNEEZE A firewall implant. Unknown vendor.
  • ZESTYLEAK A firewall software implant for Juniper NetScreen firewalls that is also listed as a module for BANANAGLEE. Also mentioned in the previously leaked NSA ANT catalogue.
  • SECONDDATE A packet injection module for BANANAGLEE and BARGLEE.
  • BARPUNCH A module for BANANAGLEE and BARGLEE implants.
  • BBALL A module for BANANAGLEE implants.
  • BBALLOT A module for BANANAGLEE implants.
  • BBANJO A module for BANANAGLEE implants.
  • BCANDY A module for BANANAGLEE implants.
  • BFLEA A module for BANANAGLEE implants.
  • BMASSACRE A module for BANANAGLEE and BARGLEE implants.
  • BNSLOG A module for BANANAGLEE and BARGLEE implants.
  • BPATROL A module for BANANAGLEE implants.
  • BPICKER A module for BANANAGLEE implants.
  • BPIE A module for BANANAGLEE and BARGLEE implants.
  • BUSURPER A module for BANANAGLEE implants.
  • CLUCKLINE A module for BANANAGLEE implants.

Tools

  • BILLOCEAN Retrieves the serial number of a firewall, to be recorded in operation notes. Used in conjunction with EGREGIOUSBLUNDER for Fortigate firewalls.
  • FOSHO A Python library for creating HTTP exploits.
  • BARICE A tool that provides a shell for installing the BARGLEE implant.
  • DURABLENAPKIN A tool for injecting packets on LANs.
  • BANANALIAR A tool for connecting to an unspecified implant (likely BANANAGLEE).
  • PANDAROCK A tool for connecting to a POLARPAWS implant.
  • TURBOPANDA A tool that can be used to communicate with a HALLUXWATER implant. Also mentioned in the previously leaked NSA ANT catalogue.
  • TEFLONDOOR A self-destructing post-exploitation shell for executing an arbitrary file. The arbitrary file is first encrypted with a key.
  • 1212/DEHEX Converts hexadecimal strings to IP addresses and ports.
  • XTRACTPLEASING Extracts something from a file and produces a PCAP file as output.
  • NOPEN A post-exploitation shell consisting of a client and a server that encrypts data using RC6. The server is installed on the target machine.
  • BENIGNCERTAIN A tool that appears to be for sending certain types of Internet Key Exchange (IKE) packets to a remote host and parsing the response.

Background Information

Original EQGRP Auction post

NSA ANT Catalog - Firewalls


WikiLeaks Vault 7/8

NSA (CIA) = Equation Group ?!

https://securityaffairs.co/wordpress/50375/cyber-warfare-2/analyzing-equation-group-hack.html

Wannacry = Eternalblue = NSA ?

https://en.wikipedia.org/wiki/EternalBlue

NSA scandal “EIKONAL” in Germany

Selectors proving industry espionage of the NSA in Germany

http://www.spiegel.de/politik/deutschland/bnd-affaere-weitere-listen-mit-brisanten-suchbegriffen-a-1035018.html