Here are some of the NSA snooping tools leaked by Shadow Broke
In what could be the hack of this decade, a hacking group called Shadow Brokers claims to have hacked NSA and has access to some of the most scariest hacking and snooping tools.
Shadow Brokers are willing to sell this tools to the highest bidder according to various news reports. As of now, Shadow Brokers say they dumped 60 percent of all the stolen files, and started an auction, promising to give the winner access to the other 40 percent.
The veracity and authenticity of the NSA hacking tools has been confirmed by multiple sources. Security researchers from Kaspersky have confirmed the leaked data is similar to what they have seen from past Equation Group malware. Another investigative website, The Intercept, with the help of Snowden documents, has tied the leaked malware with actual NSA cyber-weapons.
At the time of writing this articles, most of the URLs where Shadow Brokers dumped details about their operation (GitHub, Tumblr, PasteBin) have been taken down.
NSA snooping tools
Softpedia has compiled a list of NSA hacking and snooping tools which uses for surveillance and hacking. Softpedia says that they “used different analysis provided by Risk Based Security, Mustafa Al-Bassam, Matt Suiche, RST Forums, and other researchers”
Here is a table of NSA snooping tools compiled by NSA
| Name | Type | Description |
|---|---|---|
| 1212/DEHEX | Tool | Tool for converting hex strings to IP addresses and ports |
| BANANABALLOT | Implant | BIOS implant |
| BANANAGLEE | Implant | Firewall implant that does not persist across reboots. Works on Cisco ASA and PIX. |
| BANANALIAR | Tool | Connects to an (currently) unknown implant |
| BANNANADAIQUIRI | Implant | Uknown, has associations with SCREAMINGPILLOW. |
| BARGLEE | Implant | Unconfirmed Juniper NetScreen 5.x firewall implant |
| BARICE | Tool | Shell for deploying BARGLEE |
| BARPUNCH | Implant | BANANAGLEE and BARGLEE module |
| BBALL | Implant | BANANAGLEE module |
| BBALLOT | Implant | BANANAGLEE module |
| BBANJO | Implant | BANANAGLEE module |
| BCANDY | Implant | BANANAGLEE module |
| BEECHPONY | Implant | Firewall implant (BANANAGLEE predecessor) |
| BENIGNCERTAIN | Tool | Tool for extracking VPN keys from Cisco PIX firewalls. |
| BFLEA | Implant | BANANAGLEE module |
| BILLOCEAN | Tool | Extracts seral numbers from Fortinet Fortigate firewalls (possible others). |
| BLATSTING | Implant | Firewall implant for deploying EGREGIOUSBLUNDER and ELIGIBLEBACHELOR |
| BMASSACRE | Implant | BANANAGLEE and BARGLEE module |
| BNSLOG | Implant | BANANAGLEE and BARGLEE module |
| BOOKISHMUTE | Exploit | Exploit against unknown firewall |
| BPATROL | Implant | BANANAGLEE module |
| BPICKER | Implant | BANANAGLEE module |
| BPIE | Implant | BANANAGLEE and BARGLEE module |
| BUSURPER | Implant | BANANAGLEE module |
| BUZZDIRECTION | Implant | Unconfirmed Fortinet Fortigate firewall implant |
| CLUCKLINE | Implant | BANANAGLEE module |
| CONTAINMENTGRID | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.005.066.1. |
| DURABLENAPKIN | Tool | Tool for packet injection on LAN connections |
| EGREGIOUSBLUNDER | Exploit | RCE for Fortinet FortiGate firewalls. Affected models: 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A |
| ELIGIBLEBACHELOR | Exploit | Exploit on TOPSEC firewalls running TOS operating system versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. |
| ELIGIBLEBOMBSHELL | Exploit | RCE for TOPSEC firewalls affecting versions 3.2.100.010.1_pbc_17_iv_3 to 3.3.005.066.1 |
| ELIGIBLECANDIDATE | Exploit | RCE for TOPSEC fierewalls affecting versions 3.3.005.057.1 to 3.3.010.024.1 |
| ELIGIBLECONTESTANT | Exploit | RCE for TOPSEC fierewalls affecting versions 3.3.005.057.1 to 3.3.010.024.1. Must be run only after ELIGIBLECANDIDATE |
| EPICBANANA | Exploit | Privilege escalation on Cisco ASA (versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832) and Cisco PIX (versions 711, 712, 721, 722, 723, 724, 804) |
| ESCALATEPLOWMAN | Exploit | Privilege escalation on WatchGuard products. Company says this won’t work on newer devices. |
| EXTRABACON | Exploit | RCE on Cisco ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844Â (CVE-2016-6366) |
| FALSEMOREL | Exploit | Cisco exploit that extracts the “enable” password if Telnet is active on the device. |
| FEEDTROUGH | Implant | Persistent implant on Juniper NetScreen firewalls for deploying BANANAGLEE and ZESTYLEAK. |
| FLOCKFORWARD | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.005.066.1. |
| FOSHO | Tool | Python library for crafting HTTP requests used in exploits |
| GOTHAMKNIGHT | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.2.100.010.8_pbc_27. |
| HIDDENTEMPLE | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.2.8840.1. |
| JETPLOW | Implant | Cisco ASA and PIX implant used to insert BANANAGLEE in the device’s firmware |
| JIFFYRAUL | Implant | BANANAGLEE module for Cisco PIX |
| NOPEN | Tool | Post-exploitation shell (client used by the attacker, server installed on targeted device) |
| PANDAROCK | Tool | For connecting to POLARPAWS implants |
| POLARPAWS | Implant | Firewall implant for unknown vendor |
| POLARSNEEZE | Implant | Firewall implant for unknown vendor |
| SCREAMINGPLOW | Implant | Cisco ASA and PIX implant used to insert BANANAGLEE in the device’s firmware |
| SECONDDATE | Tool | Packet injection on WiFi and LAN networks. Used with BANANAGLEE and BARGLEE |
| TEFLONDOOR | Tool | Self-destructing post-exploitation shell |
| TURBOPANDA | Tool | Tool for connecting to previosuly-leaked HALLUXWATER implant. |
| WOBBLYLLAMA | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.002.030.8_003. |
| XTRACTPLEASING | Tool | Converts data to PCAP files |
| ZESTYLEAK | Implant | Juniper NetScreen firewall implant |
If you want to view the files published by Shadow Brokers, please visit Softpedia article here.
