x0rz / EQGRP

Decrypted content of eqgrp-auction-file.tar.xz

Danger-free? #10

Closed Dawnspire3000 closed 7 years ago

Dawnspire3000 commented 7 years ago

My Antivirus keeps putting certain binaries into quarantine. Does anyone use all the binaries? Are they really safe? I mean, this is legit but would that stop dangerous files from being in there?

ghost commented 7 years ago

Nothing in here is "danger free". If you are going to execute random binaries you downloaded from a random GitHub repository, you are going to be in a world of pain.

Dawnspire3000 commented 7 years ago

Well, that's true, but again, this appears to not just be some random repository. I just wanted to know if anyone had bad experiences with them or if it's working fine.

peterpt commented 7 years ago

Some of the binaries are probably meant to be planted on the victim system and are not exploits. This means that those binaries already have a backdoor implemented.

Otherwise it makes no sense for the antivirus to pop up warnings on these files if they are only exploits.

Some of these tools are data retrieval tools; this means that the victim machine was already prepared beforehand with the backdoor binaries.

A quick look into the shell script code gives you an idea of what the tool does. Some tools target specific directories on victim machines.

Running the binaries is not advised if you do not want your system compromised. Do not trust code that you cannot read.

ghost commented 7 years ago

Oh dear.

Ekultek commented 7 years ago

You should reverse engineer the binaries first before you execute them.

Dawnspire3000 commented 7 years ago

Good idea, I'll work on it

Tbone-grady commented 7 years ago

As @Ekultek said, reverse engineering is a good idea. As peterpt mentioned about executing random binaries on your machine: TAO standard procedure states they use a staging server to assess their tools' integrity and whether or not they need further development. I use an old Linux laptop to access and identify their functions.

I invested in Danderspritz; specific binaries use an LP (Listening Post) to connect to implants. The NSA TAO branch seems to operate like the military and I do suppose it is directly tied to US Cyber Command. I went through the TAO SOP and, to run any operations, they have MIT install most of the prerequisites: a Solaris/Windows Server 2008 standalone OS for FA servers. But I theorize they mainly use either Solaris or Apache, according to the leak during August last year.

Ekultek commented 7 years ago

What you should really do, if you don't want to take the time to reverse engineer, is sandbox a virtual machine and run each one. Make a custom app that will record all the differences made from start to finish, and then figure out what each one does from there.

However, what @Tdog21 said is a brilliant idea. But if you're just looking to get them run, sandbox it, run each one and discover the backtrace of what each one does.
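The "record all the differences made from start to finish" approach described above, as an added example that is not part of the thread or of the repository: a minimal before/after filesystem snapshot in Python, meant to run inside the disposable VM around the untrusted binary. The directory tree and the changes made to it here are constructed inline to stand in for the sandbox guest and for the sample's activity.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root to (size, sha256) so two captures can be diffed."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks and special files; only content changes matter here
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            state[p.relative_to(root).as_posix()] = (p.stat().st_size, h.hexdigest())
    return state


def diff_snapshots(before, after):
    """Return the files a run added, removed or modified, as sorted relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    # Constructed sample: a throwaway tree stands in for the sandbox guest's filesystem.
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (r / "tmp").mkdir()
        (r / "tmp" / "old.log").write_text("stale\n")
        before = snapshot(root)

        # Constructed stand-in for the untrusted binary's activity: it drops a hidden
        # file, edits a config file and deletes a log. In real use, run the sample here.
        (r / "tmp" / ".dropped").write_bytes(b"\x7fELF")
        (r / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.1 updates\n")
        (r / "tmp" / "old.log").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

Hashing rather than comparing timestamps catches in-place edits that preserve mtime; pair it with a process and network capture in the guest for the full picture.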

Tbone-grady commented 7 years ago

@Ekultek The only issue is virtual boxes tend to be harder to work with due to their high memory usage and unreliability, and Advanced Persistent Threats can target the box. But I see your point. Watch the Cisco SIO: Defence in Depth on YouTube. It involves the castle approach and talks about threat evolution.

Ekultek commented 7 years ago

@Tdog21 you are correct, but at the same time, you can always get rid of a VM, and it's easier to do so than to completely reformat your hard drive. And with a sandbox around it, nothing will get out, unless, as you said, it's extremely advanced. Which in this case, most of them don't look too advanced.

Tbone-grady commented 7 years ago

@Ekultek good point, although I never mentioned it's extremely advanced. For me, doing it on a different machine allows me to listen to the machine's ports and see what's going on. Plus I do have a slow internet connection where I live, so deleting a VM with up-to-date drivers and software isn't an option for me.

Ekultek commented 7 years ago

Fair enough, either way most of these scripts don't even work. I think we're missing something from them, to be honest. Either way none of this was made by the NSA lol

Tbone-grady commented 7 years ago

@Ekultek I might be able to provide insight into this question; I'm planning on a summer internship with their cyber division.

Ekultek commented 7 years ago

@Tdog21 which question would that be? And how did you manage to land that internship?

peterpt commented 7 years ago

Most tools make a call to jl.command, which executes the compiled binary connect.so.

So, reversing connect.so to its original source code will give you an idea of how the exploit works, or even whether it is an exploit at all.

If you all look inside this example script: https://github.com/x0rz/EQGRP/blob/master/archive_files/bin/decftp.sh

At the end of the script, jl.command executes that binary against a supposed port 10402. Basically, from what I can see, this tool will retrieve the file pmgrd.Z from a specific server after jl.command is executed. And if you look closely at the script, you will see that you already have to know the base directory where this tool will get that data.

The data will be in a hidden directory inside your base directory, which you must specify when executing the script. Line 26 shows the location of the hidden directory inside your base directory, line 32 starts ftp, and in line 36 the file is picked up from the server.

I have not had much time yet to look into these tools more carefully, but you all should be careful using any tool inside the bin directory, because all of them make an execution call to jl.command, which uses a pre-compiled binary with the extension .so that we know nothing about.

Tbone-grady commented 7 years ago

@Ekultek I didn't "land it" yet. I looked at their career and internship programs and I'm still deciding and

Ekultek commented 7 years ago

@Tdog21 what's there to decide man? That's an awesome opportunity, take it with both hands or someone else will bro! Imagine how much you already know, and then imagine what you could learn.

Tbone-grady commented 7 years ago

@Ekultek Good point I might as well apply

Tbone-grady commented 7 years ago

@peterpt good point, and yes, the NSA have their own file extensions for their CNE/CNA branch.

peterpt commented 7 years ago

My guess for all these tools is that they should be executed inside the victim machine and not from outside.

This way it makes sense why they got them from a compromised system. Otherwise they would have had to hack the NSA directly.

Ekultek commented 7 years ago

@peterpt either that, or we're missing a distro server or something. Executing these inside a machine doesn't really make sense; you would need to know the exact layout of their machine in order to work efficiently. However, if you executed it from a server, then these might just be the tools to exploit the Cisco servers that got patched.

Ekultek commented 7 years ago

So my guess is, these are either bullshit and they threw them together to scare someone, or, we're missing something. However Snowden himself did say something about these and we can't discredit (even though he's very unreliable) Snowden just yet.

peterpt commented 7 years ago

Ekultek, there could be mixed stuff. We will know in the next weeks. When I get some time here I will look more closely; in the meantime I believe that a new batch of files will be uploaded. Maybe some cool stuff comes along in the next batch of files.

Ekultek commented 7 years ago

I say fuck it guys. @peterpt @Tdog21 let's hack the NSA, give them a taste of their own medicine.

peterpt commented 7 years ago

Hacking the NSA exploit repository would be the same thing as winning the lottery. Unless you worked there and you have a backdoor login, it will be a very difficult job to hack them. Most of what can be achieved against the NSA is a DDoS, but that will take you nowhere.

Anyway, if you give a job to 2 persons where each person must do it individually, then you will get different results. This means that many of the released 0day exploits on exploit-db, the NSA did not know about; they probably have a different approach to a specific program which uses a different exploit technique. The difference between both is that 0day exploits on exploit-db are patched by software companies, while the NSA's are not patched because software companies do not yet know about that vulnerability.
This way it gives the NSA a very big leverage. However, if you look into GitHub code you will see that many people create code to violate other people's privacy, while others on GitHub build code to protect those people. Only this way, I believe, can things evolve in programming.

Ekultek commented 7 years ago

@peterpt well, I work for the government, and I can tell you this much: they are really big on keeping things secure and really like to find what's wrong with everyone else, but when they do find it, they don't really fix it for themselves. Example: all those Cisco switches. They may have patched it for everyone else, but did they patch it for their government that didn't tell them about the exploits in the first place? They are under no legal binding contract to not patch them for the NSA. Just because something seems impossible doesn't mean it is. A 12 year old got 400k from Google for finding an exploit once.

peterpt commented 7 years ago

See it this way. Got an open port? If you have an exploit for the service running on that port then you can get in and do whatever you want, otherwise forget it. Usually hacking on the fly is done through SQL injection points on some webserver, but by default the good stuff is not on the same subnet as the webserver. Without even mentioning that you have to route your connection through multiple proxies to not be detected, which these days is not difficult to bypass to get your real public IP address. However, I believe that this subject should not be discussed here on GitHub, but just to finish the comment: a good sysadmin never uses the original firmware of his router, firewall or switch; open source firmwares are the best solution in every perspective. Again, by default governments always use original firmwares on their network hardware, which makes things easier to hack. The most sophisticated attacks on networks are made by multiple people at the same time, where 2 or 3 are doing the job to get in while the other 17 are sending controlled DoS attacks or testing the website just to fill up the firewall log so the work of those 3 cannot be detected easily in real time. After those 3, or 1 of them, get in, the first thing they do is clear the log file from the firewall or server so the sysadmin has no idea how they got inside, and then after their job is done on the victim, they clean the log again. When the sysadmin takes a look into the server or firewall logs, he will not find anything, and at the same time he was hacked. Hackers using this technique will do it the same way next time they did before, because the vulnerability that they found was not patched, because the sysadmin has no idea how they did it.

Tbone-grady commented 7 years ago

@peterpt and your point is...

Far00K commented 7 years ago

But if you want to hack the NSA you must find the vulnerability they found. If that was what you wanted? And if you want to clean the log you need admin; that can take a while, and in the time you are trying to get root access they will already see the log.

You need to get root access very fast... maybe do some reconnaissance/footprinting and see how often they look at their system to see how much time you have.

Or you hack them without doing anything strange, so the sysadmin doesn't react and see it.

Ekultek commented 7 years ago

That's a valid point however, usually when you're in a system you only have a certain amount of time until you'll be caught. And the proxy thing, use a chain proxy with a VPN, and a Tor connection. Problem solved.


Ekultek commented 7 years ago

We should probably stop talking about hacking the NSA on an apparent NSA repo.


Ekultek commented 7 years ago

What I find the strangest is that all these scripts seem to have version numbers.. that indicates a type of VCS..


Far00K commented 7 years ago

That is a good idea

Tbone-grady commented 7 years ago

@Ekultek Let's not talk about hacking the NSA.

Far00K commented 7 years ago

ya... for example eleganteagle-1.0.0.3, eleganteagle-1.0.0.3

Far00K commented 7 years ago

I mean eleganteagle-1.0.0.6 and eleganteagle-1.2.0.1

Far00K commented 7 years ago

This is just a theory, but if they have different versions of a piece of software in the same place, it can mean that this is all the hacking tools, or is it just one pile of tools for one specific type of hacking, or for hacking one type of victim?

marctmiller commented 7 years ago

anyone scouring this code thinking that it's out here cuz muh russian hacker or shadow brokerage duped nsa is delusional

they are years if not decades ahead of github twerps and the rest of the open source community

waste more time learning and being constructive than watever the fuck this shit thread is


Far00K commented 7 years ago

Then... what is this?

marctmiller commented 7 years ago

it's watever the fuck you want it to be

be an autodidact


Far00K commented 7 years ago

You know that the Shadow Brokers used GitHub and other sites to post these files, so I don't think we are as far as decades behind.

Ekultek commented 7 years ago

Decades behind who? I don't understand what you're referring to?


marctmiller commented 7 years ago

there you go!

making your own assumptions!

congrats!

empirical decision making here you come!


Far00K commented 7 years ago

how do you know that is my own assumption?

marctmiller commented 7 years ago

this shoddy code wouldn't be here unless they wanted it to be

think of it, at a minimum, as their (if it's even wat you assume it to be) way of forcing a step-up in their own game


Ekultek commented 7 years ago

@marctmiller was that directed towards me?

Far00K commented 7 years ago

no it was directed to @marctmiller

marctmiller commented 7 years ago

You now that the shadow brokers used github and other sites to post this files so i dont think wee are not so far behinde as a decades

i don't shit and you assumed for me

stop that


Tbone-grady commented 7 years ago

@Far00K and @marctmiller zip this horseshit, it's getting irritating. Go create a new thread and talk about it in there.

marctmiller commented 7 years ago

are we not talking about turning off av?

and danger free?

are we in the danger zone, tdog?
