Want to know how NSA snoops on you? Here are some tools it uses

Here are some of the NSA snooping tools leaked by the Shadow Brokers

In what could be the hack of the decade, a hacking group calling itself the Shadow Brokers claims to have hacked the NSA and to have access to some of the agency's scariest hacking and snooping tools.

The Shadow Brokers are willing to sell these tools to the highest bidder, according to various news reports. So far, the group says it has dumped 60 percent of the stolen files publicly and started an auction, promising the winner access to the remaining 40 percent.

The authenticity of the leaked NSA hacking tools has been confirmed by multiple sources. Security researchers at Kaspersky found that the leaked code shares distinctive implementation details (notably an unusual RC6 variant) with the Equation Group malware they had analysed in the past. The Intercept, drawing on Snowden documents, tied the leaked malware to actual NSA cyber-weapons: an identifier string in the leaked SECONDDATE tool matches one that appears in an internal NSA document.

At the time of writing this article, most of the URLs where the Shadow Brokers dumped details about their operation (GitHub, Tumblr, Pastebin) had been taken down.

NSA snooping tools

Softpedia has compiled a list of the hacking and snooping tools the NSA uses for surveillance and intrusion. Softpedia says that it “used different analysis provided by Risk Based Security, Mustafa Al-Bassam, Matt Suiche, RST Forums, and other researchers”.

Here is the table of NSA snooping tools compiled by Softpedia. Cisco version numbers in the exploit entries are written without dots, as in the leaked files (for example, 804 means ASA 8.0(4)):

Name | Type | Description
1212/DEHEX | Tool | Converts hex strings to IP addresses and ports
BANANABALLOT | Implant | BIOS implant
BANANAGLEE | Implant | Firewall implant that does not persist across reboots. Works on Cisco ASA and PIX.
BANANALIAR | Tool | Connects to a (currently) unknown implant
BANNANADAIQUIRI | Implant | Unknown; has associations with SCREAMINGPLOW.
BARGLEE | Implant | Unconfirmed Juniper NetScreen 5.x firewall implant
BARICE | Tool | Shell for deploying BARGLEE
BARPUNCH | Implant | BANANAGLEE and BARGLEE module
BBALL | Implant | BANANAGLEE module
BBALLOT | Implant | BANANAGLEE module
BBANJO | Implant | BANANAGLEE module
BCANDY | Implant | BANANAGLEE module
BEECHPONY | Implant | Firewall implant (BANANAGLEE predecessor)
BENIGNCERTAIN | Tool | Extracts VPN keys from Cisco PIX firewalls.
BFLEA | Implant | BANANAGLEE module
BILLOCEAN | Tool | Extracts serial numbers from Fortinet FortiGate firewalls (possibly others).
BLATSTING | Implant | Firewall implant for deploying EGREGIOUSBLUNDER and ELIGIBLEBACHELOR
BMASSACRE | Implant | BANANAGLEE and BARGLEE module
BNSLOG | Implant | BANANAGLEE and BARGLEE module
BOOKISHMUTE | Exploit | Exploit against an unknown firewall
BPATROL | Implant | BANANAGLEE module
BPICKER | Implant | BANANAGLEE module
BPIE | Implant | BANANAGLEE and BARGLEE module
BUSURPER | Implant | BANANAGLEE module
BUZZDIRECTION | Implant | Unconfirmed Fortinet FortiGate firewall implant
CLUCKLINE | Implant | BANANAGLEE module
CONTAINMENTGRID | Exploit | Ready-made payload delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.005.066.1.
DURABLENAPKIN | Tool | Packet injection on LAN connections
EGREGIOUSBLUNDER | Exploit | RCE for Fortinet FortiGate firewalls. Affected models: 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A
ELIGIBLEBACHELOR | Exploit | Exploit for TOPSEC firewalls running TOS versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030.
ELIGIBLEBOMBSHELL | Exploit | RCE for TOPSEC firewalls, versions 3.2.100.010.1_pbc_17_iv_3 to 3.3.005.066.1
ELIGIBLECANDIDATE | Exploit | RCE for TOPSEC firewalls, versions 3.3.005.057.1 to 3.3.010.024.1
ELIGIBLECONTESTANT | Exploit | RCE for TOPSEC firewalls, versions 3.3.005.057.1 to 3.3.010.024.1. Must be run only after ELIGIBLECANDIDATE
EPICBANANA | Exploit | Privilege escalation on Cisco ASA (versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832) and Cisco PIX (versions 711, 712, 721, 722, 723, 724, 804). A CLI command-injection bug that needs an authenticated session (CVE-2016-6367).
ESCALATEPLOWMAN | Exploit | Privilege escalation on WatchGuard products. The vendor says this does not work on newer devices.
EXTRABACON | Exploit | RCE on Cisco ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844. An SNMP buffer overflow (CVE-2016-6366); the attacker needs a valid SNMP community string and reachability to the SNMP port.
FALSEMOREL | Exploit | Cisco exploit that extracts the “enable” password if Telnet is active on the device.
FEEDTROUGH | Implant | Persistent implant on Juniper NetScreen firewalls for deploying BANANAGLEE and ZESTYLEAK.
FLOCKFORWARD | Exploit | Ready-made payload delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.005.066.1.
FOSHO | Tool | Python library for crafting the HTTP requests used in exploits
GOTHAMKNIGHT | Exploit | Ready-made payload delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.2.100.010.8_pbc_27.
HIDDENTEMPLE | Exploit | Ready-made payload delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.2.8840.1.
JETPLOW | Implant | Cisco ASA and PIX implant used to insert BANANAGLEE into the device’s firmware
JIFFYRAUL | Implant | BANANAGLEE module for Cisco PIX
NOPEN | Tool | Post-exploitation shell (client used by the attacker, server installed on the targeted device)
PANDAROCK | Tool | Connects to POLARPAWS implants
POLARPAWS | Implant | Firewall implant for an unknown vendor
POLARSNEEZE | Implant | Firewall implant for an unknown vendor
SCREAMINGPLOW | Implant | Cisco ASA and PIX implant used to insert BANANAGLEE into the device’s firmware
SECONDDATE | Tool | Packet injection on WiFi and LAN networks. Used with BANANAGLEE and BARGLEE
TEFLONDOOR | Tool | Self-destructing post-exploitation shell
TURBOPANDA | Tool | Connects to the previously leaked HALLUXWATER implant
WOBBLYLLAMA | Exploit | Ready-made payload delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.002.030.8_003.
XTRACTPLEASING | Tool | Converts data to PCAP files
ZESTYLEAK | Implant | Juniper NetScreen firewall implant
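Two of the listed utilities, 1212/DEHEX (hex strings to IP addresses and ports) and XTRACTPLEASING (arbitrary data to PCAP files), are simple enough that their function can be shown end to end. The Python below is an added example written for this article; it is not code from the leak, from Softpedia, or from any of the researchers cited. It assumes Ethernet II framing carrying IPv4, the classic libpcap file format (magic 0xa1b2c3d4, version 2.4), and a sample frame that is constructed here for the demonstration rather than captured from a real device.

```python
import struct

# Constructed sample frame (not from the leak): Ethernet II + IPv4 + TCP SYN,
# 10.0.0.1:54321 -> 192.168.1.100:443. Both checksums are left as zero.
SAMPLE_FRAME_HEX = (
    "001122334455" "66778899aabb" "0800"                                  # Ethernet
    "4500" "0028" "0001" "4000" "40" "06" "0000" "0a000001" "c0a80164"    # IPv4
    "d431" "01bb" "00000001" "00000000" "50" "02" "ffff" "0000" "0000"    # TCP
)

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _clean_hex(hexstr):
    """Strip whitespace and an optional 0x prefix from a hex string."""
    s = "".join(hexstr.split())
    if s[:2].lower() == "0x":
        s = s[2:]
    return s


def dehex_ipv4(hexstr, little_endian=False):
    """Convert an 8-hex-digit string to a dotted-quad IPv4 address.

    little_endian=True handles the host-order form used by Linux /proc/net/tcp
    (for example '6401A8C0' for 192.168.1.100).
    """
    raw = bytes.fromhex(_clean_hex(hexstr))
    if len(raw) != 4:
        raise ValueError("IPv4 address must be exactly 4 bytes of hex")
    if little_endian:
        raw = raw[::-1]
    return ".".join(str(b) for b in raw)


def dehex_port(hexstr):
    """Convert a hex string such as '01BB' to a port number."""
    port = int(_clean_hex(hexstr), 16)
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return port


def parse_frame(hexstr):
    """Parse an Ethernet II/IPv4 frame given as hex; return endpoints and protocol."""
    frame = bytes.fromhex(_clean_hex(hexstr))
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IP header length in bytes (options included)
    proto = ip[9]
    info = {
        "src": dehex_ipv4(ip[12:16].hex()),
        "dst": dehex_ipv4(ip[16:20].hex()),
        "proto": proto,
        "sport": None,
        "dport": None,
    }
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        l4 = ip[ihl:]
        info["sport"] = dehex_port(l4[0:2].hex())
        info["dport"] = dehex_port(l4[2:4].hex())
    return info


def to_pcap(packets, linktype=LINKTYPE_ETHERNET, ts_sec=0):
    """Serialise raw frames into a classic little-endian libpcap file."""
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", ts_sec, i, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def read_pcap(data):
    """Read a pcap file back into a list of frames, honouring the byte order the magic implies."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"                     # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (nanosecond pcap and pcapng are not handled)")
    packets, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        packets.append(data[off:off + incl])
        off += incl
    return packets


if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME_HEX))
    pcap = to_pcap([bytes.fromhex(SAMPLE_FRAME_HEX)])
    with open("sample.pcap", "wb") as fh:
        fh.write(pcap)
    print(len(read_pcap(pcap)), "frame(s) written to sample.pcap")
```

Running the script writes sample.pcap, which Wireshark or tcpdump will open as a one-packet capture. The endianness handling in read_pcap is the detail that matters when stitching together data pulled from different hosts: the same magic value written by a big-endian and a little-endian machine produces different bytes on disk, and a reader that ignores that will mis-size every record.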

If you want to view the files published by the Shadow Brokers, see the Softpedia article.
