12.15.2017

Bad information

I recently found some blogs about various anonymous functions online which appear to be seeding bad information. Either by being wrong, misleading, or inadequate. To start with, here's one I saw that people were sharing in a forensics group.

https://vallejo.cc/2017/11/11/using-gathering-information-tools-through-tor-network/

Yes, you can totally do an nmap scan over tor with proxychains, and yes, these particular copypasta scans can work. However, let's discuss why a bit further. Yes, there are limitations on which scans can/will go through socks, and there are also limitations on which scan types can perform which functions. As a test, I ran tcpdump on the server being scanned, filtering on my own ip address. If there was even a single packet to or from my scanning ip, it was a complete failure.


nmap attempt => Result (did it hide our ip?)
proxychains nmap -Pn -sT -sV -O -p80 {MY HOST} => Failed once os detection (-O) was added
proxychains nmap -Pn -sT -sV -T5 -p80 {MY HOST} => Success, despite -T5 being known to have issues hiding
proxychains nmap -Pn -sV -p80 {MY HOST} => Failed when -sT was removed
proxychains nmap -Pn -sS -sV -p80 {MY HOST} => -sS fails
proxychains nmap -Pn -sA -sV -p80 {MY HOST} => -sA fails
proxychains nmap -Pn -sW -sV -p80 {MY HOST} => -sW fails
proxychains nmap -Pn -sM -sV -p80 {MY HOST} => -sM succeeds
proxychains nmap -Pn -sM -T5 -sV -p80 {MY HOST} => Still succeeds despite issues with -T5
proxychains nmap -Pn -sM -O -sV -p80 {MY HOST} => os detection fails again
proxychains nmap -Pn -sM -T5 -f -sV -p80 {MY HOST} => Success despite issues with -f
proxychains nmap -Pn -sM -T5 -f -D 127.0.0.1 -sV -p80 {MY HOST} => Success despite issues with decoys
proxychains nmap -Pn -sT -T5 -D 127.0.0.1 -sV -p80 {MY HOST} => Success
proxychains nmap -P0 -T5 -D 127.0.0.1 -sV -p80 {MY HOST} => Failed, despite claims of functional equivalence of -Pn and -P0
proxychains nmap -P0 -T5 -D 127.0.0.1 -sV -p443 --script ssl-enum-ciphers {MY HOST} => Failed. Whatever the options, common nmap scripts will fail because they are not geared to work in a socks environment.
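The leak check behind that table, as an added example that is not the author's script: it parses tcpdump text output captured on the scanned host and fails the run if the scanner's own address shows up at all, the same pass/fail rule used above. The capture is constructed; 198.51.100.10 (scanned host), 203.0.113.77 (the proxy exit) and 192.0.2.5 (the scanner's real address) are placeholder addresses.

```python
"""Leak check for a proxied scan: parse tcpdump text output captured on the
scanned host and flag any packet whose source or destination is the scanner's
own address. One such packet means the proxy was bypassed."""
import re
import sys
from typing import Dict, List, Optional

# tcpdump -n prints IPv4 endpoints as "addr.port"; ICMP lines carry no port,
# so the port suffix is optional on both sides.
_PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)

# Constructed capture, as `tcpdump -n -i eth0` on the scanned host (198.51.100.10)
# might print it. 203.0.113.77 stands for the proxy's exit address (expected
# traffic); 192.0.2.5 stands for the scanner's own address (must never appear).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.77.52344 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 198.51.100.10.80 > 203.0.113.77.52344: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000400 IP 203.0.113.77.52344 > 198.51.100.10.80: Flags [.], ack 1, win 502, length 0
12:00:02.000001 ARP, Request who-has 198.51.100.1 tell 198.51.100.10, length 28
12:00:03.000001 IP 192.0.2.5 > 198.51.100.10: ICMP echo request, id 7, seq 1, length 64
12:00:03.000050 IP 198.51.100.10 > 192.0.2.5: ICMP echo reply, id 7, seq 1, length 64
12:00:03.000100 IP 192.0.2.5.44100 > 198.51.100.10.80: Flags [S], seq 3, win 1024, length 0
12:00:03.000200 IP 198.51.100.10.80 > 192.0.2.5.44100: Flags [S.], seq 4, ack 4, win 65160, length 0
"""


def parse_packet(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one IPv4 tcpdump line, or None for lines we do
    not parse (ARP, IPv6, truncated output)."""
    m = _PKT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_leaks(capture: str, my_ip: str) -> List[Dict[str, Optional[str]]]:
    """Every parsed packet that names my_ip as source or destination."""
    leaks = []
    for line in capture.splitlines():
        pkt = parse_packet(line)
        if pkt is not None and my_ip in (pkt["src"], pkt["dst"]):
            leaks.append(pkt)
    return leaks


def leak_report(capture: str, my_ip: str) -> Dict[str, object]:
    """Summarise a capture with the pass/fail rule from the table: any packet
    to or from my_ip is a failure. Also lists which target ports the
    unproxied probes reached (ICMP probes have no port and are skipped)."""
    leaks = find_leaks(capture, my_ip)
    ports = set()
    for pkt in leaks:
        # The port on the scanned host's side of the packet.
        port = pkt["dport"] if pkt["dst"] != my_ip else pkt["sport"]
        if port is not None:
            ports.add(int(port))
    return {
        "leaked": bool(leaks),
        "packets": len(leaks),
        "target_ports": sorted(ports),
        "first_seen": leaks[0]["ts"] if leaks else None,
    }


if __name__ == "__main__":
    # Usage: python leakcheck.py <my ip> [capture.txt]; defaults to the sample.
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.5"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CAPTURE
    report = leak_report(text, ip)
    print("FAIL: proxy bypassed" if report["leaked"] else "PASS: no direct packets")
    print(report)
```

Feed it `tcpdump -n -l host <your ip>` output from the scanned host; the ICMP lines in the sample are what a -P0 / ping-probe run looks like when the probe never touched the socks chain.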


The setup for a tor proxy as a wireless ap: from what I've tested, the reason it didn't work seems to be that the tutorial they used says to create the prerouting setup but nothing else... like.. idk... forwarding? You can also see in the tutorial they used that their output of iptables -L doesn't actually match their saved file.

Edit: a worthy mention about segfaults:
- Scanning more than one or two ports seems to end in segfaults for various reasons; under gdb or strace it looks like it's getting hung up waiting. I think there is an option for that in nmap because of the delay times. Haven't tested on my end to see if it's useful. This also coincides with refresh times for tor, so it may be that, because nmap doesn't deal with tor directly, the connections are timing out and dying along with it.
- Example of segfaults during a run scanning all ports on a single host; similar happens with too many hosts for my scan:


Other ways to do what they were attempting:
- Scapy: using torsocks or proxychains with a scapy scanning script works even for os detection, syn, and ack scans. I'm sure there are some ways that escape it, such as atm traffic and protocols of that sort maybe; I haven't enumerated all possibilities of scapy by any means. As best I can figure from looking into this, it works while other tools don't because the way scapy handles packet creation isn't the same way a standard C program (library requirements?) would, generating the entire packet in a form that can be loaded into the socks5 chain (can we do a test development of a socks proxy exploit using scapy maybe? maybe?).
- Script your own scanners? masscan? etc... you get my point.
- USING A FUCKING VM: People seem to have no idea how important vms can be for this type of work. I'll explain more in my next rant.
- Modding/compiling your own copy of torsocks: torsocks actually does have a known public correction that isn't part of its standard source code, which will properly bind interfaces instead of crashing and also uses proper dns queries. (For the record, my host was a sub host of my domain, and the ns server is on the same system, which makes it evident that using proxychains didn't leak ip info when doing dns lookups.)


Now, that's not to harass that person for their post or to bug out about them in any way; this is more just something I noticed, because it seems there was a chain of bad/lacking information that they got their info from in order to have created that post. Because of this, there is a distinct lack of information for those who want to do it in the future.

I leave information out of my own posts too, and sometimes it seems it's not worth it; other times it seems legality may step in somewhere. Either way, this is a catastrophic problem in our world. It's good people share, but we should all make an effort to test information first as well as explore other options.

Example 2:

So, there was another example on a forum (leaving out which, due to having posted in the forum's thread), where a self-proclaimed hacker was boasting about their setup and their tool sets. Needless to say this is a bad idea for anyone who wants to claim to be a hacker, but let's dive into why.
  1. They detailed that people should use one vm and route the traffic through their tor socket on their host machine. 
    1. Pushing into a socket on a different kernel isn't necessary.
    2. The entire purpose is supposed to be anonymity; they're saying everyone should do this for attacking via c2 infrastructure.
    3. They clearly don't understand what their own infrastructure is.
    4. They don't understand anonymity. 
  2. They detailed that using metasploit was more of a "real hacker" thing than using paid malware was. 
    1. Metasploit has a paid version.
    2. Metasploit is a toolkit; it's not really hacker versus non-hacker, more research tools versus real attacker automation tools, which most will create themselves, leveraging everything from paid malware to metasploit.
    3. Again, this shows a lack of information or understanding about the attacker landscape.
    4. Again, they don't seem to understand anonymity, or for that matter, disassociative properties. 
So, my founding principle for this is an argument of let's have attacker versus attacker. Let's act like rules don't mean anything, since they don't anyway, and have one-on-one attacks. The attacks would be based on information about our c2 found in a launched sample. This would make us attacker v. attacker on the battlegrounds of infrastructure versus infrastructure. I've been making allusions to this in many comments online, but it's pretty easy to note this isn't a new thing for hackers to do, and yet so few of them are willing to do this. It's almost sad actually that it's avoided so much. But then researchers are all like "blah blah blah white hat blah blah we can't be using hack back infrastructures blah blah." So, let's bring this to light a little in a scenario designed specifically to mock their own infrastructure. 
  1. Using two vms, one with ubuntu and tor, the other with windows and comodo (you'll see why). With docker also on the ubuntu box and the docker cli on the windows one. 
    1. Setup the ubuntu one as the default route (via host only adapter) of the windows one. 
    2. Setup tor and appropriated routing (google it) for ebtables and iptables (yes, it's important). Hell setup i2p too for shits and giggles and helping out the cause. 
    3. On windows, load any generic, free, easily detected piece of shit malware using comodo's sandbox feature and generate a few thousand samples. (docker for this task? why not. ;), keep the c2 panel up on that system ) 
    4. Setup your network as (ubuntu box <- ssh tunnel with remote side listening (you can use tor to proxy this too)-> public host you spin up {no no, no need to pay just grab a valid card number anywhere and move along}, this creates your public connection) <-> php script to proxy ports on various servers to the domain and port you're listening on for your public host. Now your public infrastructure is running, you just need to setup that domain. So rush on over to hijack someone's domain creds (brute? free leak? whatever it doesn't matter)  and use their ns to spin up several hundred subdomains you change to various ips at random remotely based on a remote connection saying (see my rant about domain ip rotations), or alternatively use ddns services (theres plenty of them). 
      1. This is a lot so basically it's from the c2 side: c2 panel::windows <-> ubuntu <-> tor || reverse proxy (i mention this as || (or) because if the proxy were to fail or something along the chain does fail (including panel itself accidentally having exploitable features), we want any secondary traffic or altered traffic to not leak our ip so we can just revert state and move forward again) <-> the public ip we do actually control (we want to be able to ditch this too at a moments notice, so we can all agree to use cloud providers, they're good for this) <-> php proxies scattered around the net <-> payload/stub/malware::infected host. 
    5. Now that we have our structure setup, go spin up some more malware with the correct hosts in place, and go ahead and start your sending scripts wherever you have those hosted, clearly not on your vm host you dumb piece of shit.  #justsayin. 
    6. Since there is very little protections in this structure yet, you could spend the time to make antiforensics tools, drive and system wipes, remote databases for exfiltrated information, really whatever you'd want. 
  2. Spin up another windows box with no connections and your favorite decompiler to identify and attack their scripts. 
    1. You will need to be able to identify anything they launch and the pattern of encoding/decoding over the net. 
    2. You will need to be able to find common abuse traits, such as when you see the host request information but the request data may not be validated, check it. test it from somewhere, like maybe your ubuntu box? scapy/tcpreplay/etc... is your friend. 
  3. make sure they know which ones are yours and how they can get a copy, and get theirs for your own. 
  4. Laugh uncontrollably when you find their real ip by trashing their socks connection. 
    1. WHAT?
      1. Well, you see, why do you think some scans work and some don't? Different packet data responds differently. 
      2. Sometimes, this means you will adjust the windowing on your side and watch their responses from a public host magically correlate with where they're from. 
    2. What if they used a vpn?
      1. looooooooooool
        1. People rely on vpns a lot but when push comes to shove, you can smash a vpn provider's connections and have them time out, so if they try to attack yours or respond to yours, it's going to come from the right place. ;) 
  5. be sure to leave a friendly reminder about how stupid their structure is on the way out. 
This is attacker versus attacker architecture planning, or as many may call it, attack back architecture. Now, I might like this plan of action and have referenced portions of it in several ways before, but these are just playthings. This is a toy architecture in this scenario. 

My purpose in bitching about this is pretty simple: this person was given really bad information and reflected it as boasting their own knowledge of the way things work. Because of this, when it comes to them posting their malware anywhere or someone stumbling across it, they're prone to attacks from various entities, including governments and other attackers. On both sides, from whitehat nonsense to self-proclaimed blackhat kiddies, information spreads under the guise of "don't bother looking for the correct way," and I just wanted to throw it out there that we should say it under the guidance of "I tried to study this, this is what I found," or alternatively "I've been recently finding..."

Now some error codes to make this page have a picture on it. People say the picture makes people want to look at your page. hehe.



-Ferasdour
https://keybase.io/ferasdour

12.11.2017

Training

You must train for the worst; prepare for the worst, and hope for the best. Training for what you have going right now is not apt training. You must do what you need right now /and/ train for the future.

That's my belief anyhow.

12.06.2017

Data Data Data


Data data data. Data data data data, data data. Data data data data data data data.

Developers developers de... oh whoops, wrong one. Data data data.

I wanted to talk a bit on data, its perceptions, and how it is used or misused. So, to uphold this conversation, I would like people to look at the first two lines of this post. To a computer, specifically an ai, this may appear as a sequence representing some choice in lexical ambiguity, or it may see it as simply some ascii strings which we could map to known words, which we could map to known usage and habitual usage to find the most likely meaning. Either way we think about this, a computer may see the first sentence by itself and assume one situation, then the second and assume it is another, or both together and assume it's a third. This is a fundamental issue with data, even to a computer: perception changes how we investigate, diagnose, or define it.

Now let's say that I wanted to run this data myself; how would I figure out the meaning? I find the first one, and it seems stupid, so I pass it over because it becomes illogical for known trends of thought. Then I see the second one and see this could be referencing something, so I attempt to remember or look up what that reference could be, eventually finding the rant turned into a fancy musical meme. But I'm still left to deduce its relevance to a topic about data. So I look back real quick, I see it's using the term data in place of developers, the rant before was about the importance of developers, so in a split second of deduction I found that this was going to be a topic about the importance of data.

"Is this how you see the world too my friend?"

Data can be represented in many ways, come from many sources, be stored in various ways, and be analyzed in various ways. In the infosec side of the world I too often see people unwilling, or unable, to take data and expand it into an understanding of the world around us. Maybe it's because infosec people stake claims of whitehats and defenders, further criminalizing those who aren't with them. But maybe there are other reasons too. I've grown up in a weird timeframe, and I was told what you do online and who hurts you online and how much information you put online is up to you; now I'm told to tell my children to be worried about bullies saying mean words online. I was told the internet was the future and it was all about techies and businesses, while today I'm told to tell my children that the internet is a highly regulated, highly managed, multiple provider network where we should be scared to assert data.

"Ding ding ding, we have a wiener!"

Social constructs appear to be a huge damage to the ways we've grown up. We were told information was free and should be free, because to criminalize data was against humanity. Now we have freedom fighters telling others to stop posting everything from political banter and hate speech all the way to personal feelings or technical manuals they didn't purchase. Freedom my ass. Freedom of information was such a big win: we told the government to politely tell us things they did once it becomes irrelevant, but only what can't be redacted. But damn it, we slapped the title freedom on that bill and it's sure to make everyone reference that as soon as you say information isn't free in America. In fact, information is criminal. A friend links a post showing data containing someone's social security number, then the cops raid your computer for any reason they choose to give, bam, felony charge. You then have to defend yourself and hope for time served plus an ankle monitor for 9 months. Hope you can keep your job. Worse yet, you find that it's a frequent thing to look at pastebin pages where people got doxxed, and save them because you want to help solve issues with doxing. Oh snap, cops saw it, they don't like you, they decide to press charges of 20-life per social security number saved willingly. Oh, but you made a script to do it, so it was functionally just cache? Well, good luck defending that with the assistance of the careless state of Americans being your jury.

 "To live, is to commit a crime."

So, we've seen social corruption and governmental corruption; let's take this back a step or two. Data can be any perceivable idea. I dream of demons ripping the flesh off everyone I know and dropping them from 200ft to let them splatter and try to struggle breathing. This is data. Every single word. It's what we do with data that counts, right? Well, sort of. But no. We need every bit of data, we need to be able to parse and analyze it, and we need to understand how this is done. While people sit here with their $20,000 platform that underperforms to expectations, they think it takes a large development team to do this work and have it be effective enough for analysis, and if they can't do it then we have no hope and blah blah blah blah blah. To all of this, I would like to mention the life lesson that rings true many many ways for me: "With all of our technology, we operate everything at a rudimentary level." I say this because I find this true in everything. We use 120+ year old capacitor concepts to power industrial machines and wartime weaponry. We use signals of true or false to identify traits, which are other patterns of true or false, to use massive computing architectures. We use linux cron jobs to power many "industry standard" tools that keep everyone safe. But really they just parse data like they're told, the way they're told. Without an understanding of how that data is used, we have no idea what it's reporting. But we can totally read the manual! That'll tell us! RIGHT!? fuckers. NO! We are at a stage where our "professionals" either hacked their way in or went to school and learned very little. Sometimes, we do find some who went to school and hacked their way in. But the essential problem remains that data is being parsed under our noses. We don't even spend the time to look anymore.

Storage gets bigger, data gets smaller, learning becomes less.

Data, in the eyes of humans, can be many many things and used many many ways. But we have to revert back to arbitrary notions before we understand what it really is. Someone says they're going to the store, but you realize they can't go to the store because the store is out of their way and their habits define a pattern directly against going to that particular store. So, to enumerate better possibilities and to enrich the data that you already have (they don't seem likely to go there), you go to the store, and you find their car is not there. You ask the cashier if they've seen them, and that person says no. You message them, to which the response is that they are still at the store and will be back shortly. You go back, and find them there before you. This little bit of data can judge a range of drive time and distance, assuming regulations such as speed laws are in place. You proceed to call them out for it and they show you a receipt from the atm at that particular location. However, since that atm is only accessible if the cashier sees you, there is a functional flaw here. Further, the atm receipt was dated 2 hours before. Their excuse is that this was due to dst. By this point you don't believe it, you know they're lying, but how do you prove it without just telling them to gtfo? Well, for one you should tell them to gtfo. But also, the amount of enrichment you do on your daily life's data can aid in identifying problems like this. You simply say, "I went there, I proved you weren't there, you made it here before me, from within a range of (blah), which correlates to x number of friends you have." Cheating people hate being told who they're cheating with and how. It's almost funny. You can watch them struggle to find a new excuse or to change the lies they already told. It's great actually. But back from the data viewpoint, this is all very minor data points enriched to solve a problem that many people have.

How can we do the same with our everyday data as analysts for any form of infosec studies, though? Can we turn enrichment into an actually useful tool? Well, several tools are made to enrich data, mostly doing the same basic functions, like resolving domains, caching domain resolutions, storing large lists of data believed to be linked one way or another, etc... But none of these things need some multi-million dollar tool; any hacker with any system can pull this off.

"Review of time and place"

We need to teach people how to use data. Data is the key, not the toolset. Understanding how an mbr can be changed by changing the 16-bit asm, versus understanding that a tool shows deviance between known good versions, makes a world of difference when trying to identify bad actors, habits, or otherwise, activities.




x'hI5)cfx>uc4a}96w":*$u75tAZ~?pcy$+87$&>*w_=y>qhy$+87$&?~t5g4>8Ay$+87$&>*w_=y>qhy$+87$&>*w_=y=hD

12.04.2017

PlasmaRat: why use shitty malware?

I wanted to discuss some issues I find in the realm of choosing malware and why it's perfectly fine to use bad software once in a while. In this, I will detail a plan of action to leverage multiple sets of well known/easily detected malware for various purposes. So let's begin with a soft story. You people love story time, right? In this story a threat actor, before they became a studied attack profile by major organizations, was just a young nooblet looking to see what they could do. While developing their plans and their chess game, they found tools. Now, immediately you're probably thinking script kiddie, and fundamentally you'd be right. These people used what was available to them rather than learning what it took to do it themselves. Eventually, the habits and traits learned by doing this turned into an actionable plan and money was made. When money was made, people stop trying to perfect an art and start looking to more free answers. Instead, our protagonist decides he will learn to do more. This, a crucial turning point, is what makes the difference. He stops doing shit jobs that pay 100% with shitty risks and using other people's code, and turns to developing his own attack strategy. This is where our story of WHY comes into play.

The point in our story where we stopped to explain is the same situation where many people may have an issue with others using other people's code. But let's think about this, both as a business and as an art. Let's try to define why people would want to do this.

First, for the business side. If your business relies on stealing data for profit, setting up a botnet to leverage when stealing money, or if your business relies on disassociation from you as a person versus you as an actor; for all of these traits one thing is true: if you go to jail or have anything happen, you have to rebuild to come back. So, as a plan of action, you need your business capable of withstanding the tests and trials of time and courts. To be frank, you need your operations to continue without you present. Now, many people do this by spinning bot after bot to control subsections of bots; other people do this by assigning people to various places and having each of them act as a burnable resource. But if you're using your own code every time, especially if your business is more than just yourself (orgs/syndication/mobs/militia/whatever), you can't really afford that sort of downtime. So you're going to want to hide your code for post infection, lessen the chance of detection of your group, and increase the detection of popular malware. Why? The more they detect it, the more you can see who has the money to stop you. Some big businesses detecting some cheap rat you pulled out of your ass for $20 is a significant win for them according to them, but it's also a win for you. Because you know their detection capabilities. You know it either launched, failed, or got stopped before calling back. You know this because you pay attention. So your next move could be to slowly try other rats to see what doesn't get detected, try other droppers, see what happens. Slow moves at no cost are only an expense of time. If you can spend the time to do things right, your business will profit from it. Furthermore, accepting an 80% gain or 80% loss should be defined in your business. You spent $20 to get a rat, and get $40 in return from an expected $400. You need to accept it and move forward. 
Yes, that's a loss you may not have been wanting, but it wasn't a complete loss, so pick up your shit and move along. You have 20 people working for you, and 10 of them are each tasked with getting $300/month from this. You get 7 of them getting $150 each. They keep less of the money because they performed worse, but the company still has funds so it works out. Well, if it's only 20 people, and 10 of them spent a full month failing to get $300, then you still need a way to feed them and the other 10. Businesses, like families, have to be run with care. The more people you have, the more mouths need to be fed. For them, for their families. So instead of putting half your staff on getting less than expected, or pushing them to make more, you can split it up. Have your highest performing 3 of that 7 that actually got anything set to make as much as they can doing this. Then you send another 2 to find new resources to back up those 3. Then you send another 5, split into two groups, to hunt new targets and pick off the easy fruit before handing it over to those higher performing folks. Now you have 3 people making $4k/m a piece. Now this leaves the entire group with about $600, assuming performance stays up to par. That's not good enough for min wage. You need to raise this up a bit more. If you split your entire staff into two sections of 10 doing the same thing, you will get everyone about $1200/m, but is that really enough? What if someone fails or gets sick? Instead, set up a single trainer, and a manager/lead. Then, you may have 5 people making 4k/m, 2 business function positions, 5 people looking for new venues, and 2 looking for resources for the 5 making money. Total utilization of the work force, what? 14 of 20 people. Gets everyone about 1k/m, but the benefit there is that there is continuity. You don't need the higher pay if you have functional continuity. If you have even two people not utilized for daily counts, everything they do is profit. 
These are your adhd kids, your scientists, your researchers. These leftovers should be the ones able to do the other jobs but have fun doing all sorts of shit. Because that's how businesses work. 20 people, set job schedules, steady life, and everyone earns their part. If they need more, there are two ways to get it: from the boss or from working for everyone. This idea, almost communistic, works for smaller companies. If you expand too much, you need to have a commune/tribe of leaders that handle this, then inside their ranks have them handle whatever way is best for their people. But at a large functional position, you need your company to work like this. Which is why you need the resources to be minimal. Every free rat that comes out, make those guys looking for helpful resources go and try them out, write a manual about them, then ship the generator and the manual upstream. In some environments, just ship them a new vm snapshot that includes a running version of it with listening ports defined. Let the users of those handle how they get the network to those vms, and hopefully your people are smart enough to handle this task.

Now, from an art side. As an artist, you may look into finding new ways to do the same things, or to leverage someone else's ideas to make them your own. This does go well with common hacking philosophy, so it's not really that much of a variance that artists indulge in hacking. But it's usually those ones who make it their primary art that are so fun and full of joy. Still, with so much deviance, it's harder to define a sub-classification for the art. Their art may be in managing a large complex structure of loosely integrated systems. Their art may be in defining code that uses other code to build code from. These are things you need to ask yourself when asking if they are artists or script kiddies. They use another tool, or 1,000 other tools, and then you fail to see the artistry in what they do because you think they're useless because they used other tools. See a problem there?

Now, additional/honorable mentions that are worth noting. On the business side, you should probably dedicate at least two people to monitoring/maintenance of botnets/structures/services/etc... A botnet admin is essential if you want each botnet to live. Further, don't rely on just one network structure. Make multiple, build them, maintain them as you build more, segregate and either drop or rebuild the old ones. You may have a large amount of cash flowing, or be desperate for cash, but on either side of that, criminal activities need to be kept separated from your desires and left to the business. If your business is around artists, then you need the business to support their own activities, which then also aids in disassociating yourself from the easily recognized habitual patterns of your workers. Same too, on the art side: when you work with others you must understand it's not about you. You are being allowed to work with a group to provide for the group. You are not special here; you are one of everyone here. Instead, to maintain your character and your artisanship, remember that it's not about you when you're working, but the things you do for you will help everyone in your work. Like custom designs, pushing the limits or perceptions of common protocols and behaviors. That is your place as an artist in a group setting, specifically when it's involved in criminal hacking. As well, many businesses use rats that are easy to detect (like plasmarat, which holds its own name in every proper generation); if you want to lower detection you simply pop those sorts of data with new/generated data and magically you go from 30 second detection to 30 day detection. Or, on the other side, you spread it thin enough so the detection rate versus collection rate is along the lines of 80:20, and you've still got 20% of a proposed attempt at a botnet. 
For the ease of finding emails and chats and everything else as methods of launching, if 20% isn't good enough for you, then you're in the wrong damn business.

So, as we dive back into our storytelling, this young man knows how to find common rats and common tools to get the money to keep everyone running together. He also knows how to identify traits and behaviors of other people in the game because he's had to separate himself from the game. So, where do we put him in a business? Do we leave him as an artist? Can we profit from him?

So you ask yourself why people want to use shitty malware; the answer is simple: as leverage. Not as something fancy, not as something to take pride in. No, instead it's something to move forward with. A tool, or capability.

12.01.2017

Let's play a game.

http://0daz.io/index.boogiepop


Rules:

  • I give you a private and public key pair when you access the page. It's up to you to understand how to use them. 
  • This is a programming game. 
  • You are given my public key (same one for keybase) for when you find answers. Send your answers on keybase (chat: answers are pgp encrypted or won't be accepted), or as a GET request to the server (preferred). Answers should be in the notion of http://0daz.io/boogiepop.phantom?answer={username:code}. You will get a 404, and winners will be updated to the original page along with timestamps of when they sent winning data. (Future updates: I intend to make it show the date since you got your username used for the challenge, calculable in milliseconds, as well as time since the challenge was posted. This is not yet a feature.)
  • This is not a ctf, but if you hack my shit, the worst you can do is get it flagged or shut down; the best you can do is fix my code. I won't be hurt either way in these regards. PS: if someone does shut me down, sorry but lulzkillerbot ruined mah fun. 
  • Data used for making this game is taken from textual references and allusions made in public documents. Alternatively, it may be understanding based. The key point here is to challenge you to script against things you have no possible way of knowing where the source will be from. Good luck. 
  • No further hints will be given. I've given you too much as it is. (Eventually it's intended that every challenge will be generated. This too, is not yet functional.)

11.30.2017

scopin'

Unrelated ranting

So, I wrote this earlier elsewhere, but I feel I need to expand on it more so let me tell you a story:

Once upon a time people could say that things would never happen, it's all just some people's wild imagination. People who thought things would never happen are the same ones who built paths towards the rejection of belief in Orwellian or similar dystopian existences. Can you believe it? A day existed where people could challenge this with arbitrary means and be considered right?

I guess some examples are in order. We would never burn books en masse, we would never absorb ourselves so much that we don't understand functional principles of life, we would never be stuck with governance over our minds and thoughts and it would never be illegal to think about things that don't fit in with the masses. Governments wouldn't poison their own people, that would make them look bad and hence they wouldn't do it. Governments wouldn't spy on their own people or fraudulently report data to cause panic, there's too much time and effort involved and governments wouldn't waste their time. Governments wouldn't add pathogens to a lake that uses it for water supply. Governments wouldn't bomb other nations under the guise of their mutual enemy. That's all beyond the capabilities of governments so therefore you would be insane to believe it. Our governments control the air itself blocking transmissions that they don't like and regulating who can decrypt what data.

Governments manipulating what information is taught to the children to gear the next generation of belief structures? That's crazy talk. Evil Russians must be the only ones capable of that. Our government is pure and true, so clearly only Russians do that. Clearly. Clearly. Clearly.

"That would never happen," said those people who fell into the trap. The belief that governments that act out on people's whims are trustworthy with any of this is absolutely disgusting. What's worse, now that we know our government has done every bit of this, people sit back and trust them going into the future because a different figurehead distracts them every couple years. A new stooge for a foolish system. Computers attacking computers to take down nuclear silos while people sit back and bitch about the latest tool in office. We are at war, iconic and ironic, a war of the worlds between those people who pay any attention at all, and everyone else. Those people who declare themselves woke because they read some philosophy once versus the people who collect bits to stay alive. I'm not talking about a futuristic dystopia any more guys, I'm talking about 10 years ago. We've passed it and we're letting this shit continue.

It's hard to imagine if 1920s or earlier writers knew it was happening then and therefore had to explain it so people now could try to stop it instead of explaining it to the masses who ignored it originally; or if they just wanted to make a work of art with vivid imagination. It's quite hard to tell. What's worse, trying to imagine knowing that information at the time and everyone thinking you're making things up all the while 50 years later the government releases documents saying it's true it's true. They wait so long to build trust by releasing it, but this is all just a test to see how complacent we are as a society. It's a test to see how long it takes before someone puts pen to paper and calls them out for it again. This test would be conclusive only if people cared. We're going on 40+ years of no one caring that bad things happened to them or their families 50 years ago. Do you see the association here? Well you don't need to because associations aside, our government has blocked knowledge sharing, has attacked its citizens and military, drugged citizens and military, coerced publishing companies into putting manipulated data into print for children's school books and learning materials, they even poisoned the well (quite literally) by releasing uncontrollable pathogens into the lake water.

Well anyway, now we're here.

Whatever will we do?

We'll keep living, like we always did I suppose.

Slowly feeding away at our resources until something comes down and rids us of our silly existence.

11.29.2017

Dear self

do you think that people understand when you make allusions to anything? Pop culture to dark humor, sometimes it seems like no one will ever get it. But, allusions are so fun sometimes because of the things you can say with them. Like building a story that shortens sentences or paragraphs as it progresses so that you can identify a rushing or crumbling ideology. Or like references of situations that are built of the situations, one after another/in sequence to each other, in the idea of showing a common pattern of events without ever stating a single event only references to them. These are the joys of communication but sometimes people just never bother to pay attention. In a world full of those who refuse to pay attention, I guess it could be assumed this will never have a place in people's hearts or minds.

Oh well, let's go back to drinking. That's one way to waste time.

Apathetically.

Ferasdour
https://keybase.io/ferasdour

away from the tech

You know, I find myself often curious about the world. I find myself wondering what topology is used to inform the state about car specifics so they can print a little tag for you. I find myself curious how to poll cell towers for gps locations of people at another tower. I find myself curious about the atm protocol and how atms (machines/systems) work. I find myself picking apart nfc devices to find what their data is and wanting to write these to something else. If these activities seem criminal to you, then I guess I am a criminal. Oh, you want me to get licensed to be able to do these things with a magnifying glass waiting for me to fuck up? Why allow myself to be beaten out of existence?

At a young age, I found myself interested in taking things apart and studying them. As a kid it seems like innocent curiosity and no one cares when a kid makes a new method for absorption and storage of ambient/static energy. Well, some people cared, but only because people pushed it under their face. If an adult did such experiments they would be jailed. This is the sad reality of the world we live in. The modern era.

As a young child I read the words of people like mentor and all the blackgate archives. I wasn't quite versed enough in modem commands for my family's win3.11 to be able to connect before it was shut down. I didn't have access to the technology or the books or the resources to do it myself. I needed to hunt and I would always wind up short.

Modern ages, I spend more time on telnet bbs than on facebook, several implementations have dumped ssl over telnet for a sense of privacy and that’s a pretty sexy setup. Some use ssh and jail tf out of it. Others use php,js,etc... for web forums and bulletin boards. I don’t have nearly the same trouble finding information now as I once did, my issues now are how to search for it and banging my head on the desk to reword my query until it works.

Modern ages, I am treated as blackballed from multiple groups not for political affiliation but because my desire to learn is not bound by local laws. Everyone wants to boast about white hats vs black hats but they don't realize that to be a blackhat means to be blackballed from their petty groups. Their thugs are law abiding enough to stay paid while ours just look to survive. Grey hat was invented so it made the distinction that everyone assumed true in that blackhat meant definitively criminal and grey hat was a white hat willing to bend the rules. Make no mistake, if you aren't a thug for the white hats, you are cast aside. Your information pool is sparse. Innovate or die.

Modern ages, I find myself thinking differently than other people in my field. I'd rather have the information than the credentials, I'd rather have the data than the money or the fancy blog. But here we are. I am clearly weaponized with a blog, as you read this. To take someone out of the blackballed masses and give them a job, there is a certain level of problems you must understand.

I am loyal to those who hired me, as they pay for my family.

I am unwavering on the idea that money may be nice but the work is better. Sorry for all you who say never work for free, sometimes people enjoy their work.

Employers of mine are informed that I am not some pre-scripted bot and that my methods functionally evolve with every investigation into anything. Like every human. This is the power that we hold. Not some heavily regulated unarticulated nonsense script for the braindead to follow.

Oh, your infosec groups need more people? You can't keep up with attacks? Ever once think that is because your kind blackballed us for so long we simply don’t care?

For the future of mankind, we will continue to provide free information until all information is up to the person who chooses to parse or absorb it.

For the future of the internet: $25/sdr, $40/pi3, $20(ish)/sd card. The future of the internet is distributed control back to operators and away from isps. If you don't want to be left behind, go earn $100 and get these supplies and some booze.

The future of cryptonets/darknets: we will prevail.

That is all.

- Ferasdour
https://keybase.io/ferasdour

Now let's dump some images, why not? I mean, the internet is not a big truck right? It's not something you just dump stuff on. It's a series of tubes.

11.27.2017

Passive Intelligence

Now, I'm not some fancy big shot who wanted to define things my way and tell everyone else to piss off. However, I don't entirely understand how other people claim passive intelligence the way they do. So, as an example, I continue on my dive into finding various notions from data by comparing unique malware domain resolutions. In this case, over on http://0daz.io/useful.log I found several domains were being built on a common provider (000webhostapp). The domains shown there were found to be malicious and put on the malwaredomains list of domains (http://malwaredomains.lehigh.edu/files/domains.txt). So, first thoughts would be that there is some unique design on how malwaredomains finds those specifically while very few, if any, no-ip and similar sites are on there. Regardless, I took the approach of how much I can find about 000webhostapp based on these.

curl http://0daz.io/useful.log 2>/dev/null|grep -i 000webhostapp.com|awk '{print $2}'|sort|uniq|wc -l
221

I found 221 unique ips from this list, after it has been building for only 2 days. Meaning several of these have changed their default ipv4 address at least. Whether this is anything malicious or just the way that hosting provider acts isn't really the discussion. The discussion right now is how many /28s I can make out of these ips; maybe I can map their publicly available/usable network space? Well,

$ curl http://0daz.io/useful.log 2>/dev/null|grep -i 000webhostapp.com|awk '{print $2}'|sort|uniq >> 000webhostappips.log
$ cat 000webhostappips.log |whois `head -n 1`|grep -i route|ipcalc `awk '{print $2}'`
Address:   145.14.144.0         10010001.00001110.1001000 0.00000000
Netmask:   255.255.254.0 = 23   11111111.11111111.1111111 0.00000000
Wildcard:  0.0.1.255            00000000.00000000.0000000 1.11111111
=>
Network:   145.14.144.0/23      10010001.00001110.1001000 0.00000000
HostMin:   145.14.144.1         10010001.00001110.1001000 0.00000001
HostMax:   145.14.145.254       10010001.00001110.1001000 1.11111110
Broadcast: 145.14.145.255       10010001.00001110.1001000 1.11111111
Hosts/Net: 510                   Class B

 Now, all we really have is just some lame ass data we can't really do much with right? So we would generally go back and dig into the next thing passing it up right here. But this is a blog post on passive intelligence so we need to be extremely passive right? lmao.

First, let's do some routing fun!

mtr 145.14.144.1 -r -c 100 |grep -iv "???"|tail -n 1|awk '{print $2}'
74.112.174.249
I'll leave it to you to understand why this is useful for the most part, but I'll tell you after a chain of commands, I did add "route add -net 145.14.144.0 netmask 255.255.254.0 gw 74.112.174.249" for shits and giggles. Not that anyone needs a static route when dynamic routing is in place... or do they? People may even say that you "can't just do that with public routes" but you can. "What happens when your static route disagrees with their automatic route" well now you're gettin' somewhere. lol. Anyway, enough play time with that.

Next, let's play with searching shodan, I hear people like doing that:
cat 000webhostappips.log |whois `head -n 1`|grep -i route|prips `awk '{print $2}'` > /tmp/iplist; for i in `strings /tmp/iplist`; do curl -A "" -X GET  "https://api.shodan.io/shodan/host/"$i"?key=L9VKwKTdXH1cP35YnIPMUW658XEC2eFe";echo ""; sleep 30; done >> shodansearch.log; rm /tmp/iplist
While we wait for that result, let's also run virustotal scans.

cat 000webhostappips.log |whois `head -n 1`|grep -i route|prips `awk '{print $2}'` > /tmp/iplistvt; for i in `strings /tmp/iplistvt`; do ./ipscan-vt.py $i;echo ""; sleep 15; done >> virustotalsearch.log; rm /tmp/iplistvt
(I just made the ip field of the example python script into sys.argv[1]  so I could run it like this)

So now I have a new set of domains, urls, ips, etc... I also have a list of ips that are not used, telling me that they possibly do subnet this structure further than their /23, into more like /28 groups.

Now we can dump all our results to a database and start again!
curl http://0daz.io/useful.log 2>/dev/null|awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp
This time around we're digging through the same compiled list to see what does not have unique entities in this list. Since the list is originally a unique domain and ip mixture, pulling just the domains and only displaying duplicate ones would give us domains that have had more than one ip resolution. 
curl http://0daz.io/useful.log > useful.log 2>/dev/null; cat useful.log |awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp|grep -i `head -n 1` useful.log
029999.com 112.90.252.102
029999.com 23.225.139.82 
curl http://0daz.io/useful.log > useful.log 2>/dev/null; cat useful.log |awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp|grep -i `tail -n 1` useful.log > /tmp/lol; for i in `cat /tmp/lol`; do echo $i; whois $i|grep -i "cidr\|netname\|route\|OriginAS"; done
zebrezebre.com
50.63.202.61
CIDR:           50.62.0.0/15
NetName:        GO-DADDY-COM-LLC
OriginAS:       AS26496
zebrezebre.com
50.63.202.63
CIDR:           50.62.0.0/15
NetName:        GO-DADDY-COM-LLC
OriginAS:       AS26496
A smart person, or someone who cares, might want to start dumping this sort of data into a database somewhere instead of flat files. This is easily done and I'll leave you to it. This is just for example purposes to dive into processes that are entirely scriptable but people don't bother doing so, even for an easy one-person dive into one set of actors. All whois and domain lookup functions are available as easily grabbed python modules, and parsing examples in bash are much harder than properly parsing with python. So deal with it guise.
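Doing the same pass in Python instead of the bash chains above, as an added example (not the blog's own script): it parses the two-column "domain ip" layout of useful.log, lists the domains seen at more than one address (the `uniq -d` step), collects the ips behind one shared host, and counts which /28 blocks of a whois route actually carry observed hosts, so the empty blocks are the "unused" space mentioned above. The sample lines are constructed (a few copied from the output above), and the 145.14.144.0/23 route is the one ipcalc printed.

```python
"""Enrich the "domain ip" log written by the tracking cron job.

Added example for this post, not the blog's own script. The log lines
below are constructed sample data in the useful.log layout.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one "<domain> <ip>" pair per line, plus a stray
# header line of the kind the cron job's grep is meant to drop.
SAMPLE_LOG = """\
Domain ip loggedtime
029999.com 112.90.252.102
029999.com 23.225.139.82
static-site.example 203.0.113.10
one.000webhostapp.com 145.14.144.33
two.000webhostapp.com 145.14.144.40
three.000webhostapp.com 145.14.145.7
four.000webhostapp.com 145.14.145.200
zebrezebre.com 50.63.202.61
zebrezebre.com 50.63.202.63
"""


def parse_log(text):
    """Return {domain: set(ip)} from 'domain ip' lines, skipping junk lines."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        domain, ip = parts[0].lower(), parts[1]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # header or garbage such as "Domain ip loggedtime"
        seen[domain].add(ip)
    return dict(seen)


def multi_ip_domains(resolutions):
    """Domains that resolved to more than one address over the log's lifetime."""
    return {d: sorted(ips) for d, ips in resolutions.items() if len(ips) > 1}


def ips_for_provider(resolutions, needle):
    """Unique ips behind every domain whose name contains `needle`."""
    ips = set()
    for domain, addrs in resolutions.items():
        if needle.lower() in domain:
            ips |= addrs
    return sorted(ips, key=ipaddress.ip_address)


def subnet_occupancy(ips, route_cidr, prefixlen=28):
    """Split the whois route into /prefixlen blocks and count observed ips in each.

    Blocks that stay at zero are the address space we never saw a host in;
    ips outside the route are ignored rather than counted.
    """
    route = ipaddress.ip_network(route_cidr, strict=False)
    counts = {str(sub): 0 for sub in route.subnets(new_prefix=prefixlen)}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr in route:
            block = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
            counts[str(block)] += 1
    return counts


if __name__ == "__main__":
    res = parse_log(SAMPLE_LOG)
    print("domains with >1 resolution:", multi_ip_domains(res))
    host_ips = ips_for_provider(res, "000webhostapp.com")
    occ = subnet_occupancy(host_ips, "145.14.144.0/23")
    used = {k: v for k, v in occ.items() if v}
    print(f"{len(used)} of {len(occ)} /28 blocks seen:", used)
```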

Why this is important:
  • People consider passive intelligence information that's provided to them without any alteration or deviance. 
  • Passive intelligence is and should include refining information provided. While you probably shouldn't abuse antiquated router issues for fun and profit, you can and should begin archiving these issues and refining data that comes to you. 
  • Intelligence isn't provided to you. You must do something. Even if your platform is something like virustotal (lul, who pays for this anyway?), all the data you consume still should be processed for leverage points and parse-able information. Data enrichment is essential to functional intelligence. 
Yes yes, not all data is useful to every person, but it needs to be there. I can't tell you how many ways people evade detection based on connections people throw away. 7 layers deep and still nothing to be seen, you're probably throwing away too much. The biggest argument threat intelligence people give seems to be that too much data is cumbersome so it slows people down. There is nothing that should slow you down. Parse out every way you can proceed the first time. The data represented here is data that anyone with any computer could do, they could parse this better and use the information with their own threat platforms (maltego, as well as several threat intel providers, allow functional use of csvs, which can be parsed directly from what I've given without any rewrite, so stfu and do it). Now I need everyone to quit saying passive intelligence is functionally just data given to you.

Maybe then you'd understand what active intelligence is.

K thnx.
Ferasdour
https://keybase.io/ferasdour

11.24.2017

Malware Domains and Botnet Jacking

Okay, now some of you white hat "the rules make ethics" types may not like anyone discussing it, but let's do this. Domain and botnet jacking, as it pertains to not only threat actors but for blueteamers as well. In this thread, we discuss how a simple script can find domains to take over, how to monitor changes in botnets, and identify how people build their domain resolution pools. Protip: a lot of people just fake it. That 200 bot domain is actually more like 4 and a vpn, at best. But we're not actually messing with that yet.


We start today with this little bit of nonsense. It's a simple Python script designed to create a webpage based on domain resolution tracking. The page shows numerous domains and how they change.

import time
import dns.resolver  # dnspython

# domains to track; the list is left empty here, fill in your own
lists = [
]
filetowrite = "/var/www/html/index.html"
failedtowrite = "./faileddomains.log"
initialinfo = "<html><head><title>DomainTracking</title></head><body>Begin Run<br>Domain ip loggedtime<br>"
# text mode ("w"), not "wb": we write str, not bytes
with open(filetowrite, "w") as f:
    f.write(initialinfo)
with open(failedtowrite, "w") as f:
    f.write("")
while True:
    for i in lists:
        try:
            # first A record only; the cron job below splits the page on <br>
            ip = str(dns.resolver.query(i, "A")[0])
            with open(filetowrite, "a") as f:
                f.write(i + " " + ip + " " + time.strftime("%T-%x") + "<br>")
        except Exception:
            # unresolvable domain: log it and keep going
            with open(failedtowrite, "a") as f:
                f.write(str(i) + "\n")
        time.sleep(5)
    time.sleep(30)


Then, we have a cronjob (every 15 minutes) for the following. This grabs the information (left as curl instead of just grabbing from the file to express that this can be pulled from a remote repository as well, hint hint). The data is separated into lines, then only the domain and resolution are collected (leaving time out of it).
 */15 *  * * *   root    curl http://localhost/|sed s/"<br>"/"\n"/g|awk '{print $1, $2}'|grep -iv "<html\|Domain ip"|sort |uniq > /var/www/html/useful.log
Image of that page:


Being able to see the variance in different domains between multiple ips is important. As it helps us identify the range of use for each domain or group of domains. It's a tool not just for researchers, but for bad actors as well. Having some form of automated visibility into everyone else's actions is key for most people and you can do it with a super easy setup. Now for the next piece, seeing which of those domains is available. There are a number of ways to do this so you're on your own to find those, but I did catch an easy way to determine their prior usage, which may lead to changes in how the domain is able to be leveraged by you, for good or evil.


In this situation, I compared this versus the malwaredomains blacklist, as it specifies why the domain was blacklisted.

You can also check virustotal, hybridanalysis, etc... etc... for these domains. You'd be surprised how many people are still infected years later from some domains (such as free-inet-help, or abandoned no-ip domains).

When I say that only malware authors, criminals, or attacking governments are comfortable hijacking domains out from malware usage.

You can also generate your list of domains once a week or so from hybridanalysis or malwr, or any repo really that shows c2s, if you want c2 takeovers. Phishing campaigns pre-configured and ready to launch at a moment's notice, those are there too. This is actually a common thing between criminal world and for some white hats. We're just catching up to par quickly by automating the dumb stuff.



Final word:

If you're going to randomize ips between domains for fun and profit, use other malware domains and help out those actors too.

-Ferasdour
https://keybase.io/ferasdour

11.21.2017

Fancy toys

Now that I finally got me some fancy toys and a fancy blog, I guess all that's left to do is brag about my fancy toys.

The wifi pineapple sucks.

There, I fucking said it.

But it's not like its hardware sucks, it's just the people who put it together (hak5?) shouldn't do this anymore. Needs more space, needs better control, needs package management that works, needs to alert on conflicts instead of silently failing, don't need to log it as much as it needs any details of what happened, though logging would be nice too.

The modules and setup for web interface is almost not worth having, might as well skip that for just an interactive shell. Pineap? This is like if a pi had better wifi hardware and someone didn't know how to setup a malicious ap. "Push the configure button" "no wait, not that one, the other one hidden behind a drop down you can't see and don't really know what it's there anyway." If this is years of design please just stop guys. Make people use kali on a pi like everyone else.

On that note, I'm fairly upset that kali is still using outdated tools that don't actually work with fully up-to-date software in regard to functionality. Such as the wifi including some of its standard wifi tools. Latest version -> 10+yr old software that had to be compiled then moved in place to even pretend to work and even then only partially. Kali, former backtrack, has become the bastard offspring of the infosec world and people don't go a day without relying heavily on it.

How does that reflect on the linux community?

Can we even still do cdma/gsm decryption with these outdated ass scripts that people have? Do we need to rebuild? Can we even?

Maybe someone else can answer these questions, I'm just here to start trouble.

- Ferasdour
https://keybase.io/ferasdour

Easy Start

Let's start this off easy by saying, hi my name is irrelevant and everything should stay disassociative, however if you spent 30 seconds on google, especially because of using a google service, you can find me and I encourage it. I have no ill-will towards those who want to spend the effort to learn something, even the trivial things. That is what we do, as a species and as the infosec/hacking community. We live to peer into things you would rather hide, we see things others would rather lie about. No reason to sugar coat it, laws are irrelevant and only the truth exists. It's the "white hat" community that gave the title of blackhats and whitehats and this (ugh) claim of grey hats. By blackballing people who were willing to commit crimes you segregated the world into black and white instead of accepting that they do the same things you do but use it for other purposes. With that said, if anyone is still paying attention, today I've been playing with a few rats and wanted to discuss some usage and features.

Before we get into the usage I would like to discuss a trait I find common and have long since seen in the "neophytes" learning section. For real, I can't believe so many infosec people don't understand this shit, but I'll get into that momentarily. When you, as a person/criminal/actor/perpetrator, decide you want access to something you usually have a motivation. When psychologists tell you that you have to have desire, they expect this to be true in all things and that all people have a motivating force for every interaction they do. If your motivation is greed, or gluttony or lust, your purpose is easy to define. Hence everyone in the general ecrime world is considered to have greed as their purpose. It's never a "they're literally just trying to survive" it's "they want moar because moar." The issue here is that many times, as a person of the hacking mentality, you will be asked to help someone right away with technologies you may not actually know very well. You may be asked to do things that you don't see a reason to do. You may also see reason why information needs to be available. These are realistic motivations in the eye of the actors that the infosec community misses. They don't believe digital anarchy artists exist, they're extremists whose views go against their governing bodies. Art over war. When you are asked to do things, you need information fast: don't be a buffoon and go asking for data on "how does I hax" in an open forum where police might stay. This isn't for the protection of those around you, it's for your own protection. If they help you, they could be liable in some countries. But for you, you could be targeted by feds yourself. Not going to do you any good to get arrested before you accomplish your goal. It's just not. If you do work with a tight-knit group or a loosely relevant but tightly controlled group, you can reasonably ask questions like this freely. 
If you are wanting to learn for educational purposes, or wanting to learn to do things you couldn't before in a non-criminal stance, you can ask for these things under these guises but sadly people are too worried about getting arrested themselves to help. There are plenty of bulletin boards available to ask questions but the same situation happens in most. If you're willing to shell out some money up-front you can get prepared a little quicker. You can also do things like buying and reading the fucking manual. That IS a thing you can do (plox share, we can't get all the manuals online unless everyone shares. Some people can't shell out the money or are too young to work for the money for this. K thnx). When you get involved in this world, you need to remember two things: judging your chances should be an instant response more than 4 moves ahead of the present activities, and anonymity is not security. Some other basic lessons that are literally on every neophyte guide:
  • Yes sometimes it means busting your ass at a dead end job to have the money to get the information and learn the system in order to break it. 
  • Yes, sometimes you will get arrested and you need to be able to cover your assets. 
  • Yes, backup of backup plans is a must, and a wee bit of complete paranoia is essential. Those kids beating you up as a child came in handy now didn't it? You learn to respond in a functionally more adaptable way. This has helped you seek information, helped you seek truth. But truth is a crime. Might as well learn that now. 
One setup I've been playing with lately for my virtual machines (VMs) is to spend the cash to spin up a few services/servers/port-controllable php space and burn through rotations of dns resolutions. For the dns part, I made a quick script to setup multiple sets of no-ip domains. After I got many of those running, I went back and made a flat file list for the usernames/passwords/domainnames. Then, to resolve those domains, I have a script that rotates (python random.randrange) repeatedly between each of the domains then each of the ips. It changes a domain to a different ip every (again python randrange) 3-300 seconds. From that, I have functionally 30 or so no-ip domains to play with (script can also change other domains, but notably leaving this as no-ip for the purpose of this discussion). The ip list can have servers I control, servers other attackers control, servers that are fair game or federal government servers. It's just a dns resolution. Why would anyone but me be playing with it anyway? Can we track people who track no-ip domains? Can we track when it's sent across facebook to an "encrypted" chat and redacted (changing : to [:] for example) then suddenly it's hit not just by facebook when you control both accounts? Is our communication at risk? Let's not actually get into that right now. Would be a dangerous slope to go down, don't want to start a fight here. Anyway, so multiple domains each at semirandom intervals changing ips, and only maybe 5 of those are connecting back to anything I control the ports for. Which is where the malware would need to point back to right? So let's point it to those, and move forward.

Speaking on forwarding, public server :9001 -> ssh to other public server via tor forwarding 9001 to 9001 of the next system <-> over ssh reverse proxy from your vm over tor and a vpn as well (yolo?) -<-> port forward to the other vm over host only adapter. All of these series of ssh-ing can be automated as well (honestly python, clusterssh, bash, if y'all can't figure out ssh key auth, i'm not going to be the one to help you folks today).

This effectively makes the premise of the vm that's used as a c2 being behind multiple proxies, multiple rotations, multiple systems, and is in a host only network. Of course, if you have a laptop you can drop in a public place, power, and remotely access with network access and vms spooled up, that would be nice, but let's be real nobody's got time to go do drop offs at their local hotels or whataburgers. hehe. Instead, there is the risk that in that chain your tor usage would have a fairly unique signature and be trackable. So at least use the neighbor's wifi or something right? Whatever, anyway I've been playing with this architecture design lately because it lets me do 30 second drops and runs without losing investment into most services. With the infosec reliance on gathering iocs the WRONG WAY, you can pretty much bet that after 3 minutes if you're in and out, you're pretty much golden. So it's worth it to also prepare yourself with a file or two that destroys everything (python can 0fill files, delete file, then burn diskspace and delete that, making an effective tool for a burner virtual server). People don't like antiforensics but it's easy to forge and destroy with just a little scripting. I'll do another blog post about forensic forging at some point I'm sure, but for now, easy mode is just 0, trash, overwrite allocation. Let's use a cloud hosting company, we'll call it supercloudB. It's a subpar cloud hosting company, which means their time to detection is way too high and their time to analysis is even worse. Then let's remember that if someone tries to shut us down, they need to be able to prove to that company's abuse team why it's shutting down.

Now, we still haven't gotten to the rats yet, this is on purpose. We need to analyze our field of vision before an attack is used. We still haven't even discussed possible delivery methods. We can spam everyone in the world on a massive spam list, but you'll only catch a few of them and it's easily detectable. Spam scripts need to automate various methods of attempts, like hosting publicly and directing them to it via link, creating malicious document then using googledocs to load it on the email's open, do the same with some images and run them through bit.ly (because tracking opens versus infections allows analysis for next round). You may need a driveby download and hit people on forums or social media otherwise, maybe you need it to be driveby you expect them to load on their email loading (do they really allow js in their emails? maybe if they're a webhosted email?). I won't speak on best methods for this idea, but with the automation in place, a single python script can scrape together methods for all of these and templates can be built and set in place. If you haven't figured it out by now, I'm giving you the keys to a platform that can be weaponized if some asshole wants to make it. Without giving you the code, I'm just an influencing factor maybe? Regardless, this isn't something of a malicious code, more of a platform for running testing environments over open internet space.

Now, you have an infrastructure, you have a delivery method, you have some extra tools; let's go ahead and say all of this was placed into a single folder, with scripts capable of referencing each other and made interactive. So you look and see your 30 domains constantly changing, 5 actual servers, 40 email templates with optional spaces set for randomized or semi-randomized data to be added, and 2 vms. You could even preselect places to upload to, such as slack (public files), dropbox, box, etc., etc., or even some hijacked cms sites (if you're the kind who plays games with cms and makes plugins purposely supporting rfi, this entire process may seem pretty straightforward to you). It's almost like you could dockerize this entire thing and add cleanup scripts into it as well? Maybe. Anyway, all that's left is the malware. I, like many people, would use rats, because peering into things. Right? Well, sometimes people do it for control, but honestly I don't want control or power or money. I just want what's true. That's my weakness. Truth. It's a crime these days. So, with a quick in and out, we could actually easily make our own or run with someone else's. The reason to run with someone else's is really longevity. Use a paid or free generator and hit 10,000 people, and after 2 weeks 30 of them are still alive; on those 30 you can dump your own, knowing you have a backdoor available for you if yours gets killed or found. So just spin up some free malware that can do what you want. The good part is, by stealing creds you can then sell them for money for better rats and continue your campaign (if you were a criminal type who wanted to do this all the time), or you could start a database somewhere for further leverage purposes.

Oh, that's another thing we should talk about: leverage. Hacking is an art of leveraging. You have a fork, you take that fork and use the butt end to stir your chocolate milk because you weren't given a spoon or straw or something better suited to stir with. Hacking is functionally accepting what you're given and applying a series of leverages. Every technique a hacker has is designed not as a one-shot, but as a leverageable chain. It's when people mass-produce these one-shots (here's lookin' at you, metasploit) that people begin to think it's all about using the software or making your own, or limited to just computer-related hacking. For my examples today, I will be using malware collected from rekings.com or github, or wherever I found the rest. Rekings is a site known for selling malware, tons of free shit, most of which people will argue is infected; then they'll say prove it, and no one will. Let's be real folks, if it's not infected, you're doing something wrong. haha. You must accept what you're given and adapt. If you can't burn your pieces when you're done, you shouldn't have been playing chess. That's why I suggest a vm as the proxy out, via proxy network, being separate from the vm with the host-only adapter that can communicate with the proxy one. Your proxy can stay back while you load and reload your c2 vm. Easy enough, right?

So, after long enough torture:

  • Winderps Malware
    • Notes:
      • Almost all of them have a builder function on the panel.
      • If it can spy and do administrative functions, face it, it's a rat.
      • There are plenty of them.
      • Many of them come under the guidance (via eula) that the liability is on you if you choose to use it for malicious purposes. Yay software licensing.
    • XtremeRat 3.7:
      • Uses a connection password (large field, use a large key, because you can). On most things this isn't really useful and could be replaced with a per-file generated pgp key pair. But, hey, it's free.
      • Modular (add your own dlls; this version came with bromasc.dll to add to it). These functions are highly marketable and when written right can be sold for more than the fully functioning malware itself.
      • Adjustable mutex, dns/ip:port setup, adds additional malware payloads (might as well dump a meterpreter shell here, or dump a real executable already bound with meterpreter. Hell, for our purposes, let's dump ccleaner or whatever the latest version of adobe reader is. Why? Because these are common tools that have a set path on where they're going to be downloaded from: find it, script it, always provide the latest. ;)
    • Babylon RAT
      • Has traffic key, dns and port setup when building.
      • Several features for installation of the builder, but mostly normal shit.
      • Cache of all recovered passwords, cache of all socks proxies able to be set up through clients (huge benefit for further leveraging).
      • Functions available are geared towards real control, like cmd or remote webcam, versus arbitrary command-like functions and small screen captures as some of these rats do.
    • Hakops
      • Pretty normal shit, nice interface, wish it had more languages.
      • Nothing really else to say about this.
    • Plasma Rat
      • One of my favorites; works REALLY well for this type of setup where I need to be killing off my services after only a few minutes.
      • Designed to have command-by-command waiting for the bots to check in.
      • Many infosec monitoring tools work the same way this does, but this gives you control over it.
      • Pre-define a set of commands for every bot to do and log results, including mining tasks, keylogging, downloading, etc.
      • Good replacement for pony if people would start automating this, or dump this to a web interface so people on that side of the market can use it.
    • Pandora Rat:
      • My favorite for several reasons, most of which we probably won't discuss.
      • Pre-define commands, multiple ports, etc., etc., usual crap.
      • Has a downloader as part of its generation scheme.
      • You can build your own bot functions.
      • You can build your own plugin functions (again, back to modular sales).
      • Detected by just about everything, so may need crypting.
      • Expected almost 95% detection rates, so out of 10,000 successfully downloaded, you're looking at maybe 500 of those staying on for a few days, which will drop to about 80 after a week. Those 80 may stay for 6 months or so and dwindle down to (assuming numbers here, btw) around 15 for long-term infections. But that's okay, because 0.15% or less is still leverageable for a timeline that's longer than the amount of jail time people would get. Meaning, as a contingency plan, pandora rat works wonders that many people don't think exist.
    • Dozens of others:
      • I've covered with these ones the gist of my thoughts about these rats, and most rats function the same or similarly. It's worth investing the time in testing or studying them where possible to understand what works for what leverage and when.
  • Android Malware
    • AhMyth
      • I don't like anything that insists it needs to be installed on the c2 to be used. No one likes this.
      • Effectiveness depends greatly on the permissions it gets.
      • Worth it to bind a meterpreter shell with this so you can add custom functions such as priv escalations.
      • Good enough to spy on a few dozen people at a time, not much more (memory whore).
      • OSX-style look; works well for the c2 being able to be on mac, lin, or win. So the ui doesn't exactly suck, but it's pretty white for the average user. They should go back to their day job as frontend web and app developers.
    • Androrat
      • Compile yourself.
      • Still sucks.
      • Oh gawd, why does this suck.
    • BetterAndroRat (github):
      • Web based (rfi and load load load).
      • Easy setup.
      • Functions still pretty much suck, but if you can script a permission escalation that works for the latest android, you could take over dozens for a brief period of time, or set one out to get minimal permissions until you want to use cooler toys.
      • Target almost has to have root to use this anyway, which sucks, but at least almost everyone roots android phones.
    • Droidjack
      • Easy to use java interface.
      • Building, binding, running work comparably to winderps rats.
      • Relies heavily on apktool, which doesn't compensate for the latest updates, so unless this continues to be updated, this has a shelf life.
      • Permission issues happen, and it's easily detectable by everything under the sun.
    • Spynote
      • My favorite of the general android stuff.
      • Functions similar to windows rats.
      • Can be bound with other tools to get permissions elevated easily.
      • Functions actually work. Geebuz christ, this is a thing I must stress. It works, so long as permissions are given. Try it out on a vm, load up call, sms, file, or account manager and run with it.
    • TheFatRat
      • Works to bind any of these to each other or just about anything else (try with ccleaner latest, it works better than you'd expect).
      • Uses metasploit scripts.
      • Apparently doesn't understand what the fuck a space is (if you have a space in your directory tree, you know what I'm bitching about).
      • May have to run it on different systems to get all functions working; I've run it on several and dear lord it's trash.
  • Linux/unix Malware
    • Honestly you don't really need super specialized malware to hit a linux box so long as you can pop a shell.
      • Via browser -> works.
      • Via email -> works if you know what you're targeting.
      • Random servers: just exploit remotely if plausible.
      • Your best reverse shell will always be abusing /dev/tcp/, vnc, or ssh. Since these are always used by admins, the defining difference would only be whether they could tell you apart from them. And a connect-back ssh session, such as from an apache module location instead of the actual file (just have it open in its new location when you move it, it'll be fine), is usually apt. Such as, idk, just throwing one out there, libphp5.so.
      • Every ctf in the world tests hackers' ability to leverage linux, so this shouldn't be hard at this point, guys.
    • jrat
      • Works pretty well, has limits; to me it seems like a good way to hop from web browser to disk, then get something else to give more permanent connect-back functionality.
    • Any available scripting language (lol)
  • Mac/ios Malware
    • While there are a few, here's a particularly cute notion I found:
      • https://github.com/neoneggplant/EggShell
      • and https://github.com/mosca1337/OSX-Peristant-BackDoor
      • OR https://github.com/checkyfuntime/iMessagesBackdoor

Let's just stockpile these and randomize what we send to whom and when; like everything else, targeted but randomized allows multiple targeting attempts. So, let's take a step back here. We want to see multiple aspects of our playing field, and we have enumerated, so let's dive in from a different view. Targets get email, or sms, or hit an infected site, or join a chat site and click a link because people in tech like games (lul discord/slack/twitch) -> user, via one means or another, all of which can be automated or randomized between them, gets infected -> infected hosts all query for various dns entries at various intervals -> when the correct ip lines up, the communication path will be (infected host -> server -> tor -> other server -> tor -> vm -> c2 vm (if you're thinking this could cause timeouts, yes, yes it can, but that's okay)). Now let's think about it again from our attacker standpoint. We need somewhere to launch all this that can control the vms, control the various hosts, control the dns, control the email sending, etc. Well, I'd pick the proxy vm for the coordination efforts. But that's just me. I say that because it would allow the full thing to be automated in a bastardized attempt at a spying (rat) botnet structure standup and monitoring. If you did everything right, your vm, or vms really, that you want to use for the c2 structure could even be over tor or i2p and not at the same host as your other machine, but then your connection would be so slow nothing would touch it ever. So on our (attacker) side, we need to manually spin up a few servers on an hourly basis, update and run this part (generate ssh keys, set up ssh key authentication, remotely chain ssh sessions), load our additional scripts such as file destruction scripts wherever we need them (scp, again automatable, probably through just a bash script), spin up our already scripted (remember I said this earlier) command panel so we can see everything running and connections and all that, then select the files, templates, domains, and ips to choose from and let it churn. If you keep your actual ips out of the mix long enough, you can check back on it in a few weeks and see what you have left or what you can leverage. It sends that out, you get responses back, you interact as you wish, because your wishes are probably different than mine.
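The check-in pattern described above (infected hosts cycling through a rotating set of throwaway domains on a timer until one resolves to the live relay) is exactly what a defender can key on instead of the static iocs the post dismisses. As an added example that is not part of the original post, here is a small python detector run over constructed resolver log lines; the log format, the sample traffic and the thresholds are all assumptions.

```python
# Added example, not from the original post: flag clients whose DNS activity
# looks like a rotating-domain C2 check-in. Log format below is constructed
# (epoch seconds, client IP, queried name, rcode); thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 walks throwaway names about every 60 s and
# mostly gets NXDOMAIN; 10.0.0.9 is an ordinary user.
SAMPLE_LOG = """\
1700000000 10.0.0.5 a1-xk.example NXDOMAIN
1700000060 10.0.0.5 b7-qe.example NXDOMAIN
1700000120 10.0.0.5 c3-zp.example NXDOMAIN
1700000181 10.0.0.5 d9-mw.example NOERROR
1700000240 10.0.0.5 e2-rt.example NXDOMAIN
1700000300 10.0.0.5 f5-vy.example NXDOMAIN
1700000010 10.0.0.9 www.example NOERROR
1700000017 10.0.0.9 cdn.example NOERROR
1700000400 10.0.0.9 www.example NOERROR
1700000900 10.0.0.9 mail.example NOERROR
"""

def parse(log):
    """Group (timestamp, qname, rcode) tuples by client IP."""
    per_client = defaultdict(list)
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        per_client[client].append((int(ts), qname, rcode))
    return per_client

def score(events):
    """Return (distinct_names, nxdomain_ratio, interval_cv) for one client."""
    events = sorted(events)
    names = {q for _, q, _ in events}
    nx = sum(1 for _, _, r in events if r == "NXDOMAIN") / len(events)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    # Coefficient of variation of inter-query gaps: near 0 means a timer,
    # large means a human. Guard against too few events or a zero mean.
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else float("inf")
    return len(names), nx, cv

def suspicious_clients(log, min_names=5, min_nx=0.5, max_cv=0.2):
    """Clients that hit many unique names, mostly fail, and do so on a timer."""
    flagged = []
    for client, events in parse(log).items():
        names, nx, cv = score(events)
        if names >= min_names and nx >= min_nx and cv <= max_cv:
            flagged.append(client)
    return sorted(flagged)
```

The three signals are deliberately combined: a busy user also hits many names, and a monitoring agent also queries on a timer, but only a rotating check-in does both while mostly failing to resolve.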

So, what is the purpose of this post?
A. I wanted to introduce myself and my way of thinking as a simple example of bitching at the general hacking culture, including the infosec world. I wanted to rant a bit about how shitty generic software is and the way people think about hacking. To be frank, I wanted an introduction to who I am. My name is meaningless, my title is classless, and my function is visionless. But I can make countless literary and cultural references while typing that people may have overlooked. Let's be real, I speak in allusions.

With love,
- Ferasdour.
https://keybase.io/ferasdour
