├── EquationSmasher.py
└── README.md

/EquationSmasher.py:
--------------------------------------------------------------------------------
#!/usr/bin/python2
# coding: utf-8
from __future__ import print_function
import shodan

# Raw string so the backslashes in the banner are not read as escape sequences
print(r"""
________ __ __
/ | / | / |
$$$$$$$$/ ______ __ __ ______ _$$ |_ $$/ ______ _______
$$ |__ / \ / | / | / \ / $$ | / | / \ / \
$$ | /$$$$$$ |$$ | $$ | $$$$$$ |$$$$$$/ $$ |/$$$$$$ |$$$$$$$ |
$$$$$/ $$ | $$ |$$ | $$ | / $$ | $$ | __ $$ |$$ | $$ |$$ | $$ |
$$ |_____ $$ \__$$ |$$ \__$$ |/$$$$$$$ | $$ |/ |$$ |$$ \__$$ |$$ | $$ |
$$ |$$ $$ |$$ $$/ $$ $$ | $$ $$/ $$ |$$ $$/ $$ | $$ |
$$$$$$$$/ $$$$$$$ | $$$$$$/ $$$$$$$/ $$$$/ $$/ $$$$$$/ $$/ $$/
$$ |
$$ |
$$/
______ __
/ \ / |
/$$$$$$ | _____ ____ ______ _______ $$ |____ ______ ______
$$ \__$$/ / \/ \ / \ / |$$ \ / \ / \
$$ \ $$$$$$ $$$$ | $$$$$$ |/$$$$$$$/ $$$$$$$ |/$$$$$$ |/$$$$$$ |
$$$$$$ |$$ | $$ | $$ | / $$ |$$ \ $$ | $$ |$$ $$ |$$ | $$/
/ \__$$ |$$ | $$ | $$ |/$$$$$$$ | $$$$$$ |$$ | $$ |$$$$$$$$/ $$ |
$$ $$/ $$ | $$ | $$ |$$ $$ |/ $$/ $$ | $$ |$$ |$$ |
$$$$$$/ $$/ $$/ $$/ $$$$$$$/ $$$$$$$/ $$/ $$/ $$$$$$$/ $$/

Using the SHODAN API to identify NSA/Equation APT C&C Servers.""")


SHODAN_API_KEY = ""  # your key here
api = shodan.Shodan(SHODAN_API_KEY)
try:
    # Search Shodan. Bare terms must appear in the banner; a leading '-' excludes a term.
    results = api.search('Microsoft-IIS/7.5 401 Content-Length: 1293 -X-Powered-By -NTLM -WWW-Authenticate Cache-Control: no-cache -private -public')

    # Show the results
    print('{+} NSA C&C FOUND: %s' % results['total'])
    for result in results['matches']:
        print('{!} NSA C&C DISCOVERED: %s' % result['ip_str'])
        # you could add a function to own them here ;)
except shodan.APIError as e:
    print('Error: %s' % e)  # we shouldn't ever get here. but then again... Shodan's API does tend to flake out every so often.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# EquationSmasher
NSA EquationGroup C&C Hunter using the Shodan API

À la [The Italian Job](https://github.com/0x27/TheItalianJob) with regards to HackingTeam, this one hunts down NSA "Equation Group" C&C servers. All of them are dead now, NSA pulled them down after getting 0wn3d 4nd 3xp0z3d and all that, but they *were* valid on 2015-02-23. Below is a paste of some C&C servers identified. I am uploading it now for historical reasons, and also because, well, the "Italian Job" is now public after Phineas rekt HT.

This work would not be possible without the inputs of various security researchers, especially [that magnificent bastard March (the rootkit wizard)](https://twitter.com/_ta0)

Dump of DDoS numbers enumerated back in February.

Again, you will need a [Shodan](https://shodan.io) API key and the Shodan python module.
```
$ pip install shodan # this installs the shodan module :)
```

Basically how all this works is, these scumbags' C&C servers behave "weirdly" and send strange headers, which are easy to identify. No matter how "legit looking" they try to be, we will always be able to locate them :)

Remember, those who would spy on us, try to fuck with us, and generally be scumbags: Mess with the best, die like the rest.
There are more of us than you, and we will not take your fuckery lightly <3

Licence: WTFPL
--------------------------------------------------------------------------------
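The README's "strange headers" explanation and the script's Shodan query, as an added example that is not part of the EquationSmasher repo: the same traits checked locally against a captured HTTP response, so a responder can triage a banner they already hold without a Shodan call. `parse_response`, `matches_equation_fingerprint`, `triage` and the two sample responses are assumptions constructed for this example.

```python
# Added example, not code from the EquationSmasher repo: the traits encoded in
# the script's Shodan query, checked locally against a captured HTTP response.
import re

# The "-term" exclusions from the script's query, matched anywhere in the headers.
NEGATIVE_TERMS = ("x-powered-by", "ntlm", "www-authenticate", "private", "public")

def parse_response(raw):
    """Return (status_code, {lower-case header name: value}) for a raw HTTP
    response; repeated headers are comma-joined as RFC 7230 allows."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", head[0])
    status = int(m.group(1)) if m else 0
    headers = {}
    for line in head[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status, headers

def matches_equation_fingerprint(raw):
    """True when every trait of the query is present: a 401 from IIS 7.5 with
    Content-Length 1293 and Cache-Control: no-cache, and none of the excluded
    terms in the headers. A 401 without WWW-Authenticate violates RFC 7235,
    which is what makes this banner look odd in the first place."""
    status, h = parse_response(raw)
    if status != 401 or h.get("server") != "Microsoft-IIS/7.5":
        return False
    cache = h.get("cache-control", "").lower()
    if h.get("content-length") != "1293" or "no-cache" not in cache:
        return False
    blob = "\n".join(f"{k}: {v}" for k, v in h.items()).lower()
    return not any(term in blob for term in NEGATIVE_TERMS)

def triage(responses):
    """Map each captured response (label -> raw text) to a match verdict."""
    return {label: matches_equation_fingerprint(raw) for label, raw in responses.items()}

# Constructed samples, not real captures: one shaped like the query, one a normal NTLM challenge.
SAMPLES = {
    "odd-401": ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/7.5\r\n"
                "Content-Length: 1293\r\nCache-Control: no-cache\r\n"
                "Content-Type: text/html\r\n\r\n<html>Unauthorized</html>"),
    "ntlm-401": ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/7.5\r\n"
                 "WWW-Authenticate: NTLM\r\nWWW-Authenticate: Negotiate\r\n"
                 "X-Powered-By: ASP.NET\r\nContent-Length: 1293\r\nCache-Control: private\r\n\r\n"),
}
```

Running `triage(SAMPLES)` flags only `odd-401`; the ordinary IIS challenge fails on its WWW-Authenticate, X-Powered-By and Cache-Control: private headers alone.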