11.30.2017

scopin'

Unrelated ranting

So, I wrote this earlier elsewhere, but I feel I need to expand on it more so let me tell you a story:

Once upon a time people could say that things would never happen, that it's all just some people's wild imagination. The people who thought things would never happen are the same ones who built paths towards the rejection of belief in Orwellian or similar dystopian existences. Can you believe it? A day existed where people could challenge this with arbitrary means and be considered right?

I guess some examples are in order. We would never burn books en masse, we would never absorb ourselves so much that we don't understand functional principles of life, we would never be stuck with governance over our minds and thoughts and it would never be illegal to think about things that don't fit in with the masses. Governments wouldn't poison their own people, that would make them look bad and hence they wouldn't do it. Governments wouldn't spy on their own people or fraudulently report data to cause panic, there's too much time and effort involved and governments wouldn't waste their time. Governments wouldn't add pathogens to a lake that is used for water supply. Governments wouldn't bomb other nations under the guise of their mutual enemy. That's all beyond the capabilities of governments, so therefore you would be insane to believe it. Our governments control the air itself, blocking transmissions that they don't like and regulating who can decrypt what data.

Governments manipulating what information is taught to the children to gear the next generation of belief structures? That's crazy talk. Evil Russians must be the only ones capable of that. Our government is pure and true, so clearly only Russians do that. Clearly. Clearly. Clearly.

"That would never happen," said those people who fell into the trap. The belief that governments that act out on people's whims are trustworthy with any of this is absolutely disgusting. What's worse, now that we know our government has done every bit of this, people sit back and trust them going into the future because a different figurehead distracts them every couple of years. A new stooge for a foolish system. Computers attacking computers to take down nuclear silos while people sit back and bitch about the latest tool in office. We are at war, iconic and ironic, a war of the worlds between those people who pay any attention at all, and everyone else. Those people who declare themselves woke because they read some philosophy once versus the people who collect bits to stay alive. I'm not talking about a futuristic dystopia any more guys, I'm talking about 10 years ago. We've passed it and we're letting this shit continue.

It's hard to imagine if 1920s or earlier writers knew it was happening then and therefore had to explain it so people now could try to stop it instead of explaining it to the masses who ignored it originally; or if they just wanted to make a work of art with vivid imagination. It's quite hard to tell. What's worse, trying to imagine knowing that information at the time and everyone thinking you're making things up, all the while 50 years later the government releases documents saying it's true, it's true. They wait so long to build trust by releasing it, but this is all just a test to see how complacent we are as a society. It's a test to see how long it takes before someone puts pen to paper and calls them out for it again. This test would be conclusive only if people cared. We're going on 40+ years of no one caring that bad things happened to them or their families 50 years ago. Do you see the association here? Well you don't need to, because associations aside, our government has blocked knowledge sharing, has attacked its citizens and military, drugged citizens and military, coerced publishing companies into putting manipulated data into print for children's school books and learning materials, they even poisoned the well (quite literally) by releasing uncontrollable pathogens into the lake water.

Well anyway, now we're here.

Whatever will we do?

We'll keep living, like we always did I suppose.

Slowly feeding away at our resources until something comes down and rids us of our silly existence.

11.29.2017

Dear self

Do you think that people understand when you make allusions to anything? Pop culture to dark humor, sometimes it seems like no one will ever get it. But allusions are so fun sometimes because of the things you can say with them. Like building a story that shortens sentences or paragraphs as it progresses so that you can identify a rushing or crumbling ideology. Or like references to situations that are built of other situations, one after another/in sequence with each other, with the idea of showing a common pattern of events without ever stating a single event, only references to them. These are the joys of communication, but sometimes people just never bother to pay attention. In a world full of those who refuse to pay attention, I guess it could be assumed this will never have a place in people's hearts or minds.

Oh well, let's go back to drinking. That's one way to waste time.

Apathetically.

Ferasdour
https://keybase.io/ferasdour

away from the tech

You know, I find myself often curious about the world. I find myself wondering what topology is used to inform the state about car specifics so they can print a little tag for you. I find myself curious how to poll cell towers for gps locations of people at another tower. I find myself curious about the atm protocol and how atms (machines/systems) work. I find myself picking apart nfc devices to find what their data is and wanting to write these to something else. If these activities seem criminal to you, then I guess I am a criminal. Oh, you want me to get licensed to be able to do these things with a magnifying glass waiting for me to fuck up? Why allow myself to be beaten out of existence?

At a young age, I found myself interested in taking things apart and studying them. As a kid it seems like innocent curiosity and no one cares when a kid makes a new method for absorption and storage of ambient/static energy. Well, some people cared, but only because people pushed it under their face. If an adult did such experiments they would be jailed. This is the sad reality of the world we live in. The modern era.

As a young child I read the words of people like The Mentor and all the blackgate archives. I wasn't quite versed enough in modem commands for my family's Win3.11 to be able to connect before it was shut down. I didn't have access to the technology or the books or the resources to do it myself. I needed to hunt and I would always wind up short.

Modern ages, I spend more time on telnet bbs than on facebook, several implementations have dumped ssl over telnet for a sense of privacy and that’s a pretty sexy setup. Some use ssh and jail tf out of it. Others use php,js,etc... for web forums and bulletin boards. I don’t have nearly the same trouble finding information now as I once did, my issues now are how to search for it and banging my head on the desk to reword my query until it works.

Modern ages, I am treated as blackballed from multiple groups, not for political affiliation but because my desire to learn is not bound by local laws. Everyone wants to boast about white hats vs black hats but they don't realize that to be a blackhat means to be blackballed from their petty groups. Their thugs are law abiding enough to stay paid while ours just look to survive. Grey hat was invented so it made the distinction that everyone assumed true: that blackhat meant definitively criminal and grey hat was a white hat willing to bend the rules. Make no mistake, if you aren't a thug for the white hats, you are cast aside. Your information pool is sparse. Innovate or die.

Modern ages, I find myself thinking differently than other people in my field. I'd rather have the information than the credentials, I'd rather have the data than the money or the fancy blog. But here we are. I am clearly weaponized with a blog, as you read this. To take someone out of the blackballed masses and give them a job, there is a certain level of problems you must understand.

I am loyal to those who hired me, as they pay for my family.

I am unwavering on the idea that money may be nice but the work is better. Sorry for all you who say never work for free, sometimes people enjoy their work.

Employers of mine are informed that I am not some pre-scripted bot and that my methods functionally evolve with every investigation into anything. Like every human. This is the power that we hold. Not some heavily regulated unarticulated nonsense script for the braindead to follow.

Oh, your infosec groups need more people? You can't keep up with attacks? Ever once think that is because your kind blackballed us for so long we simply don’t care?

For the future of mankind, we will continue to provide free information until all information is up to the person who chooses to parse or absorb it.

For the future of the internet: $25/sdr, $40/pi3, $20(ish)/sd card. The future of the internet is distributed control back to operators and away from isps. If you don't want to be left behind, go earn $100 and get these supplies and some booze.

The future of cryptonets/darknets: we will prevail.

That is all.

- Ferasdour
https://keybase.io/ferasdour

Now let's dump some images, why not? I mean, the internet is not a big truck right? It's not something you just dump stuff on. It's a series of tubes.

11.27.2017

Passive Intelligence

Now, I'm not some fancy big shot who wanted to define things my way and tell everyone else to piss off. However, I don't entirely understand how other people claim passive intelligence the way they do. So, as an example, I continue my dive into finding various notions in the data from comparing unique malware domain resolutions. In this case, over on http://0daz.io/useful.log I found several domains were being built on a common provider (000webhostapp). The domains that were shown on that were found to be malicious and put on the malwaredomains list of domains (http://malwaredomains.lehigh.edu/files/domains.txt). So, first thoughts would be that there is some unique design in how malwaredomains finds those specifically while very few, if any, no-ip and similar sites are on there. Regardless, I took the approach of seeing how much I can find about 000webhostapp based on these.

curl http://0daz.io/useful.log 2>/dev/null|grep -i 000webhostapp.com|awk '{print $2}'|sort|uniq|wc -l
221

I found 221 unique IPs from this list, after this has been building for only 2 days. Meaning several of these have changed their default IPv4 address at least once. Whether this is anything malicious or just the way that hosting provider acts isn't really the discussion. The discussion right now is how many /28s I can make out of these IPs; maybe I can map their publicly available/usable network space? Well,

$ curl http://0daz.io/useful.log 2>/dev/null|grep -i 000webhostapp.com|awk '{print $2}'|sort|uniq >> 000webhostappips.log
$ cat 000webhostappips.log |whois `head -n 1`|grep -i route|ipcalc `awk '{print $2}'`
Address:   145.14.144.0         10010001.00001110.1001000 0.00000000
Netmask:   255.255.254.0 = 23   11111111.11111111.1111111 0.00000000
Wildcard:  0.0.1.255            00000000.00000000.0000000 1.11111111
=>
Network:   145.14.144.0/23      10010001.00001110.1001000 0.00000000
HostMin:   145.14.144.1         10010001.00001110.1001000 0.00000001
HostMax:   145.14.145.254       10010001.00001110.1001000 1.11111110
Broadcast: 145.14.145.255       10010001.00001110.1001000 1.11111111
Hosts/Net: 510                   Class B

Now, all we really have is just some lame ass data we can't really do much with, right? So we would generally go back and dig into the next thing, passing it up right here. But this is a blog post on passive intelligence so we need to be extremely passive, right? lmao.

First, let's do some routing fun!

mtr 145.14.144.1 -r -c 100 |grep -iv "???"|tail -n 1|awk '{print $2}'
74.112.174.249
I'll leave it to you to understand why this is useful for the most part, but I'll tell you after a chain of commands, I did add "route add -net 145.14.144.0 netmask 255.255.254.0 gw 74.112.174.249" for shits and giggles. Not that anyone needs a static route when dynamic routing is in place... or do they? People may even say that you "can't just do that with public routes" but you can. "What happens when your static route disagrees with their automatic route?" Well now you're gettin' somewhere. lol. Anyway, enough play time with that.

Next, let's play with searching Shodan, I hear people like doing that (the API key is read from the SHODAN_API_KEY environment variable instead of being pasted into the command line):
cat 000webhostappips.log |whois `head -n 1`|grep -i route|prips `awk '{print $2}'` > /tmp/iplist; for i in `strings /tmp/iplist`; do curl -A "" -X GET "https://api.shodan.io/shodan/host/$i?key=$SHODAN_API_KEY";echo ""; sleep 30; done >> shodansearch.log; rm /tmp/iplist
While we wait for that result, let's also run VirusTotal scans.

cat 000webhostappips.log |whois `head -n 1`|grep -i route|prips `awk '{print $2}'` > /tmp/iplistvt; for i in `strings /tmp/iplistvt`; do ./ipscan-vt.py $i;echo ""; sleep 15; done >> virustotalsearch.log; rm /tmp/iplistvt
(I just made the IP field of the example Python script into sys.argv[1] so I could run it like this)

So now I have a new set of domains, urls, ips, etc... I also have a list of ips that are not used, telling me that they possibly do subnet this structure further than their /23, into more like /28 groups.

Now we can dump all our results to a database and start again!
curl http://0daz.io/useful.log 2>/dev/null|awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp
This time around we're digging through the same compiled list to see what does not have unique entities in this list. Since the list is originally unique domains and ip mixture, pulling just the domains and only displaying duplicate ones, would give us domains that have had more than one ip resolution for it. 
curl http://0daz.io/useful.log > useful.log 2>/dev/null; cat useful.log |awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp|grep -i `head -n 1` useful.log
029999.com 112.90.252.102
029999.com 23.225.139.82 
curl http://0daz.io/useful.log > useful.log 2>/dev/null; cat useful.log |awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp|grep -i `tail -n 1` useful.log > /tmp/lol; for i in `cat /tmp/lol`; do echo $i; whois $i|grep -i "cidr\|netname\|route\|OriginAS"; done
zebrezebre.com
50.63.202.61
CIDR:           50.62.0.0/15
NetName:        GO-DADDY-COM-LLC
OriginAS:       AS26496
zebrezebre.com
50.63.202.63
CIDR:           50.62.0.0/15
NetName:        GO-DADDY-COM-LLC
OriginAS:       AS26496
A smart person, or someone who cares, might want to start dumping this sort of data into a database somewhere instead of flat files. This is easily done and I'll leave you to it. This is just for example purposes, to dive into processes that are entirely scriptable but that people don't bother scripting, even for one person diving into one set of actors. All whois and domain lookup functions are available as easily grabbed Python modules, and parsing examples in bash are much harder than properly parsing with Python. So deal with it guise.
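The two things this post leans on, the /28 mapping from the ipcalc step above (how many /28s the 000webhostapp IPs fall into, and which blocks inside the whois route have nothing in them) and the duplicate-domain pivot from the uniq -d commands, are both short in Python, as the paragraph says. The following is an added example written for this post, not the author's own script: it parses a constructed snippet in the useful.log layout (the 029999.com and zebrezebre.com rows are the ones printed above; the 000webhostapp hostnames and their IPs are made up), counts the unique IPs behind a hosting suffix, buckets them into /28s inside the 145.14.144.0/23 route from the whois output, and lists domains with more than one resolution as well as IPs shared by several domains.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "domain ip" layout of useful.log. The 029999.com
# and zebrezebre.com rows are the ones printed above; the 000webhostapp rows
# and their IPs are made up for this example.
SAMPLE_LOG = """\
029999.com 112.90.252.102
029999.com 23.225.139.82
zebrezebre.com 50.63.202.61
zebrezebre.com 50.63.202.63
site-a.000webhostapp.com 145.14.144.17
site-b.000webhostapp.com 145.14.144.20
site-c.000webhostapp.com 145.14.144.17
site-d.000webhostapp.com 145.14.145.130
site-e.000webhostapp.com 145.14.145.140
this line is junk
"""

# Route the whois lookup above reported for the first 000webhostapp IP.
HOSTER_ROUTE = "145.14.144.0/23"


def parse_log(text):
    """Return the set of (domain, ip) pairs; malformed rows are dropped."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        domain, ip = fields[0].lower(), fields[1]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # second column was not an address
        pairs.add((domain, ip))
    return pairs


def ips_for_suffix(pairs, suffix):
    """Unique IPs behind domains ending in suffix (the grep|awk|sort|uniq step)."""
    suffix = suffix.lower()
    return {ip for domain, ip in pairs if domain.endswith(suffix)}


def group_by_prefix(ips, prefixlen=28):
    """Bucket IPs into /prefixlen blocks: how many /28s the observed IPs span."""
    blocks = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)].add(ip)
    return dict(blocks)


def unused_blocks(ips, route, prefixlen=28):
    """/prefixlen blocks inside the whois route with no observed IP at all."""
    seen = set(group_by_prefix(ips, prefixlen))
    return [str(sub) for sub in ipaddress.ip_network(route).subnets(new_prefix=prefixlen)
            if str(sub) not in seen]


def multi_resolution_domains(pairs):
    """Domains that resolved to more than one IP (the sort|uniq -d pivot)."""
    by_domain = defaultdict(set)
    for domain, ip in pairs:
        by_domain[domain].add(ip)
    return {d: sorted(v, key=ipaddress.ip_address)
            for d, v in by_domain.items() if len(v) > 1}


def shared_ips(pairs):
    """IPs that more than one domain resolved to: the reverse pivot for grouping actors."""
    by_ip = defaultdict(set)
    for domain, ip in pairs:
        by_ip[ip].add(domain)
    return {ip: sorted(v) for ip, v in by_ip.items() if len(v) > 1}


if __name__ == "__main__":
    pairs = parse_log(SAMPLE_LOG)
    hoster_ips = ips_for_suffix(pairs, "000webhostapp.com")
    print(len(hoster_ips), "unique hoster IPs in", len(group_by_prefix(hoster_ips)), "/28 blocks")
    print(len(unused_blocks(hoster_ips, HOSTER_ROUTE)), "/28 blocks in", HOSTER_ROUTE, "with nothing seen")
    for domain, ips in multi_resolution_domains(pairs).items():
        print(domain, "->", ", ".join(ips))
    for ip, domains in shared_ips(pairs).items():
        print(ip, "<-", ", ".join(domains))
```

Feed it the real useful.log instead of SAMPLE_LOG and the same functions give you the 221-IP count, the /28 coverage of the /23, and the pivots the bash one-liners produced, with every row kept as a (domain, ip) pair that can be written straight to CSV or a database.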

Why this is important:
  • People consider passive intelligence to be information that's provided to them without any alteration or deviance. 
  • Passive intelligence is, and should include, refining the information provided. While you probably shouldn't abuse antiquated router issues for fun and profit, you can and should begin archiving these issues and refining the data that comes to you. 
  • Intelligence isn't provided to you. You must do something. Even if your platform is something like VirusTotal (lul, who pays for this anyway?), all the data you consume still should be processed for leverage points and parse-able information. Data enrichment is essential to functional intelligence. 
Yes yes, not all data is useful to every person, but it needs to be there. I can't tell you how many ways people evade detection based on connections people throw away. 7 layers deep and still nothing to be seen? You're probably throwing away too much. The biggest argument threat intelligence people give seems to be that too much data is cumbersome, so it slows people down. There is nothing that should slow you down. Parse out every way you can proceed the first time. The data represented here is data that anyone with any computer could produce; they could parse this better and use the information with their own threat platforms (Maltego, as well as several threat intel providers, allow functional use of CSVs, which can be parsed directly from what I've given without any rewrite, so stfu and do it). Now I need everyone to quit saying passive intelligence is functionally just data given to you.

Maybe then you'd understand what active intelligence is.

K thnx.
Ferasdour
https://keybase.io/ferasdour



11.24.2017

Malware Domains and Botnet Jacking

Okay, now some of you white hat "the rules make ethics" types may not like anyone discussing it, but let's do this. Domain and botnet jacking, as it pertains not only to threat actors but to blueteamers as well. In this thread, we discuss how a simple script can find domains to take over, how to monitor changes in botnets, and how to identify how people build their domain resolution pools. Protip: a lot of people just fake it. That 200 bot domain is actually more like 4 and a VPN, at best. But we're not actually messing with that yet.


We start today with this little bit of nonsense. It's a simple Python script designed to create a webpage based on domain resolution tracking. The page shows numerous domains and how they change.

import time
import dns.resolver  # dnspython

lists = [
    # domains to track go here, one string per line
]
filetowrite = "/var/www/html/index.html"
failedtowrite = "./faileddomains.log"
initialinfo = "<html><head><title>DomainTracking</title></head><body>Begin Run<br>Domain ip loggedtime<br>"

# start both files fresh on every run (text mode, so this also works on Python 3)
with open(filetowrite, "w") as f:
    f.write(initialinfo)
open(failedtowrite, "w").close()

while True:
    for i in lists:
        try:
            ip = str(dns.resolver.query(i, "A")[0])
            with open(filetowrite, "a") as f:
                f.write(i + " " + ip + " " + time.strftime("%T-%x") + "<br>")
        except Exception:
            # anything that failed to resolve goes to the failure log; keep going
            with open(failedtowrite, "a") as f:
                f.write(str(i) + "\n")
        time.sleep(5)
    time.sleep(30)


Then, we have a cronjob (every 15 minutes) for the following. This grabs the information (left as curl instead of just grabbing from the file, to express that this can be pulled from a remote repository as well, hint hint). The data is separated into lines, then only the domain and resolution are collected (leaving time out of it).
*/15 *  * * *   root    curl http://localhost/|sed s/"<br>"/"\n"/g|awk '{print $1, $2}'|grep -iv "<html\|Domain ip"|sort |uniq > /var/www/html/useful.log
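The script above appends every resolution and the cron job boils the page down to unique domain/IP pairs, so spotting the moment a domain moved still means diffing two runs of useful.log by hand. As an added example (not the script or cron job above, though it records the same rows), here is a tracker that remembers the last IP seen per domain and reports only the polls where it changed, which is what watching a resolution pool for changes actually needs. The resolver is passed in as a function so the tracker runs offline against constructed, scripted answers; resolve_live assumes dnspython is installed and is what you would pass for real use.

```python
import time
from collections import defaultdict


def resolve_live(domain):
    """Live resolver using dnspython, the same call the script above makes.
    Imported inside the function so the rest of the file runs without the module."""
    import dns.resolver
    return str(dns.resolver.query(domain, "A")[0])


def scripted_resolver(script):
    """Fake resolver built from {domain: [answer1, answer2, ...]}; each poll of a
    domain returns the next answer and the last one repeats. Constructed so the
    tracker can be exercised offline; an empty list means the domain never resolves."""
    calls = defaultdict(int)

    def resolve(domain):
        answers = script.get(domain, [])
        if not answers:
            raise LookupError("no answer for " + domain)
        answer = answers[min(calls[domain], len(answers) - 1)]
        calls[domain] += 1
        return answer

    return resolve


class ResolutionTracker:
    """Polls a domain list and reports only the polls where an IP changed."""

    def __init__(self, domains, resolver, clock=time.time):
        self.domains = list(domains)
        self.resolver = resolver
        self.clock = clock
        self.last_ip = {}                 # domain -> IP from the most recent successful poll
        self.history = defaultdict(set)   # domain -> every IP it has ever returned
        self.failures = []                # (domain, reason) for polls that did not resolve

    def poll(self):
        """Resolve every domain once; return one change event per domain whose IP moved."""
        events = []
        for domain in self.domains:
            try:
                ip = self.resolver(domain)
            except Exception as exc:  # NXDOMAIN, timeout, SERVFAIL: record and keep going
                self.failures.append((domain, str(exc)))
                continue
            self.history[domain].add(ip)
            previous = self.last_ip.get(domain)
            if previous != ip:
                events.append({"domain": domain, "old": previous, "new": ip,
                               "time": self.clock()})
                self.last_ip[domain] = ip
        return events

    def unique_pairs(self):
        """Every distinct (domain, ip) pair seen: the rows the cron job's sort|uniq produces."""
        return sorted((d, ip) for d, ips in self.history.items() for ip in ips)


# Constructed answers: one domain flips IP on its third poll, one is stable, one is dead.
SAMPLE_ANSWERS = {
    "rotating.example": ["198.51.100.10", "198.51.100.10", "203.0.113.5"],
    "stable.example": ["192.0.2.44"],
    "dead.example": [],
}


def run_sample(polls=3):
    """Run the tracker over SAMPLE_ANSWERS; returns (events per poll, tracker)."""
    tracker = ResolutionTracker(SAMPLE_ANSWERS, scripted_resolver(SAMPLE_ANSWERS),
                                clock=lambda: 0)
    return [tracker.poll() for _ in range(polls)], tracker


if __name__ == "__main__":
    per_poll, tracker = run_sample()
    for n, events in enumerate(per_poll, 1):
        for e in events:
            print(f"poll {n}: {e['domain']} {e['old']} -> {e['new']}")
    print("unique pairs:", tracker.unique_pairs())
    print("failed polls:", len(tracker.failures))
```

For live use, build the tracker with resolve_live and your domain list, call poll() on the same 5/30 second cadence as the script, and write the returned events wherever you keep alerts; unique_pairs() gives the same rows the cron job extracts from the HTML page, without the sed/awk pass.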
Image of that page:


Being able to see the variance in different domains between multiple IPs is important, as it helps us identify the range of use for each domain or group of domains. It's a tool not just for researchers, but for bad actors as well. Having some form of automated visibility into everyone else's actions is key for most people and you can do it with a super easy setup. Now for the next piece, seeing which of those domains is available. There are a number of ways to do this so you're on your own to find those, but I did catch an easy way to determine their prior usage, which may lead to changes in how the domain is able to be leveraged by you, for good or evil.


In this situation, I compared this versus the malwaredomains blacklist, as it specifies why the domain was blacklisted.

You can also check VirusTotal, Hybrid Analysis, etc... etc... for these domains. You'd be surprised how many people are still infected years later from some domains (such as free-inet-help, or abandoned no-ip domains).

When I say that only malware authors, criminals, or attacking governments are comfortable hijacking domains out from malware usage.

You can also generate your list of domains once a week or so from Hybrid Analysis or malwr, or any repo really that shows C2s, if you want C2 takeovers. Phishing campaigns pre-configured and ready to launch at a moment's notice, those are there too. This is actually a common thing between the criminal world and some white hats. We're just catching up to par quickly by automating the dumb stuff.



Final word:

If you're going to randomize ips between domains for fun and profit, use other malware domains and help out those actors too.

-Ferasdour
https://keybase.io/ferasdour

11.21.2017

Fancy toys

Now that I finally got me some fancy toys and a fancy blog, I guess all that's left to do is brag about my fancy toys.

The WiFi Pineapple sucks.

There, I fucking said it.

But it's not like its hardware sucks, it's just that the people who put it together (hak5?) shouldn't do this anymore. Needs more space, needs better control, needs package management that works, needs to alert on conflicts instead of silently failing, doesn't need to log as much as it needs any details of what happened, though logging would be nice too.

The modules and setup for the web interface are almost not worth having; might as well skip that for just an interactive shell. PineAP? This is like if a Pi had better WiFi hardware and someone didn't know how to set up a malicious AP. "Push the configure button" "no wait, not that one, the other one hidden behind a drop down you can't see and don't really know why it's there anyway." If this is years of design please just stop guys. Make people use Kali on a Pi like everyone else.

On that note, I'm fairly upset that Kali is still using outdated tools that don't actually work with fully up-to-date software in regard to functionality. Such as some of its standard WiFi tools. Latest version -> 10+ year old software that had to be compiled then moved in place to even pretend to work, and even then only partially. Kali, formerly BackTrack, has become the bastard offspring of the infosec world and people don't go a day without relying heavily on it.

How does that reflect on the linux community?

Can we even still do CDMA/GSM decryption with these outdated ass scripts that people have? Do we need to rebuild? Can we even?

Maybe someone else can answer these questions, I'm just here to start trouble.

- Ferasdour
https://keybase.io/ferasdour

Easy Start

Let's start this off easy by saying, hi, my name is irrelevant and everything should stay disassociative; however, if you spent 30 seconds on Google, especially because of using a Google service, you can find me and I encourage it. I have no ill-will towards those who want to spend the effort to learn something, even the trivial things. That is what we do, as a species and as the infosec/hacking community. We live to peer into things you would rather hide, we see things others would rather lie about. No reason to sugar coat it, laws are irrelevant and only the truth exists. It's the "white hat" community that gave the title of blackhats and whitehats and this (ugh) claim of grey hats. By blackballing people who were willing to commit crimes you segregated the world into black and white instead of accepting that they do the same things you do but use it for other purposes. With that said, if anyone is still paying attention, today I've been playing with a few rats and wanted to discuss some usage and features.

Before we get into the usage I would like to discuss a trait I find common and have long since seen in the "neophytes" learning section. For real, I can't believe so many infosec people don't understand this shit, but I'll get into that momentarily. When you, as a person/criminal/actor/perpetrator, decide you want access to something you usually have a motivation. When psychologists tell you that you have to have desire, they expect this to be true in all things and that all people have a motivating force for every interaction they do. If your motivation is greed, or gluttony or lust, your purpose is easy to define. Hence everyone in the general ecrime world is considered to have greed as their purpose. It's never a "they're literally just trying to survive" it's "they want moar because moar." The issue here is that many times, as a person of the hacking mentality, you will be asked to help someone right away with technologies you may not actually know very well. You may be asked to do things that you don't see a reason to do. You may also see reasons why information needs to be available. These are realistic motivations in the eyes of the actors that the infosec community misses. They don't believe digital anarchy artists exist, they're extremists whose views go against their governing bodies. Art over war. When you are asked to do things, you need information fast: don't be a buffoon and go asking for data on "how does I hax" in an open forum where police might stay. This isn't for the protection of those around you, it's for your own protection. If they help you, they could be liable in some countries. But for you, you could be targeted by feds yourself. Not going to do you any good to get arrested before you accomplish your goal. It's just not. If you do work with a tight-knit group or a loosely relevant but tightly controlled group, you can reasonably ask questions like this freely.
If you are wanting to learn for educational purposes, or wanting to learn to do things you couldn't before in a non-criminal stance, you can ask for these things under these guises but sadly people are too worried about getting arrested themselves to help. There are plenty of bulletin boards available to ask questions but the same situation happens in most. If you're willing to shell out some money up-front you can get prepared a little quicker. You can also do things like buying and reading the fucking manual. That IS a thing you can do (plox share, we can't get all the manuals online unless everyone shares. Some people can't shell out the money or are too young to work for the money for this. K thnx). When you get involved in this world, you need to remember two things: judging your chances should be an instant response more than 4 moves ahead of the present activities, and anonymity is not security. Some other basic lessons that are literally on every neophyte guide:
  • Yes sometimes it means busting your ass at a dead end job to have the money to get the information and learn the system in order to break it. 
  • Yes, sometimes you will get arrested and you need to be able to cover your assets. 
  • Yes, backup of backup plans is a must, and a wee bit of complete paranoia is essential. Those kids beating you up as a child came in handy now, didn't it? You learn to respond in a functionally more adaptable way. This has helped you seek information, helped you seek truth. But truth is a crime. Might as well learn that now. 
One setup I've been playing with lately for my virtual machines (VMs) is to spend the cash to spin up a few services/servers/port-controllable PHP space and burn through rotations of DNS resolutions. For the DNS part, I made a quick script to set up multiple sets of no-ip domains. After I got many of those running, I went back and made a flat file list for the usernames/passwords/domain names. Then, to resolve those domains, I have a script that rotates (python random.randrange) repeatedly between each of the domains then each of the IPs. It changes a domain to a different IP every (again python randrange) 3-300 seconds. From that, I have functionally 30 or so no-ip domains to play with (the script can also change other domains, but notably leaving this as no-ip for the purpose of this discussion). The IP list can have servers I control, servers other attackers control, servers that are fair game or federal government servers. It's just a DNS resolution. Why would anyone but me be playing with it anyway? Can we track people who track no-ip domains? Can we track when it's sent across Facebook to an "encrypted" chat and redacted (changing : to [:] for example) then suddenly it's hit not just by Facebook when you control both accounts? Is our communication at risk? Let's not actually get into that right now. Would be a dangerous slope to go down, don't want to start a fight here. Anyway, so multiple domains each at semirandom intervals changing IPs, and only maybe 5 of those are connecting back to anything I control the ports for. Which is where the malware would need to point back to, right? So let's point it to those, and move forward.

Speaking on forwarding, public server :9001 -> ssh to other public server via tor forwarding 9001 to 9001 of the next system <-> over ssh reverse proxy from your vm over tor and a vpn as well (yolo?) -<-> port forward to the other vm over host only adapter. All of these series of ssh-ing can be automated as well (honestly python, clusterssh, bash, if y'all can't figure out ssh key auth, I'm not going to be the one to help you folks today).

This effectively makes the premise of the vm that's used as a c2 being behind multiple proxies, multiple rotations, multiple systems, and in a host only network. Of course, if you have a laptop you can drop in a public place, power, and remotely access with network access and vms spooled up, that would be nice, but let's be real, nobody's got time to go do drop offs at their local hotels or whataburgers. hehe. Instead, there is the risk that in that chain your tor usage would have a fairly unique signature and be trackable. So at least use the neighbor's wifi or something right? Whatever, anyway I've been playing with this architecture design lately because it lets me do 30 second drops and runs without losing investment into most services. With the infosec reliance on gathering iocs the WRONG WAY, you can pretty much bet that after 3 minutes if you're in and out, you're pretty much golden. So it's worth it to also prepare yourself with a file or two that destroys everything (python can 0fill files, delete file, then burn diskspace and delete that, making an effective tool for a burner virtual server). People don't like antiforensics but it's easy to forge and destroy with just a little scripting. I'll do another blog post about forensic forging at some point I'm sure, but for now, easy mode is just 0, trash, overwrite allocation. Let's use a cloud hosting company, we'll call it supercloudB. It's a subpar cloud hosting company, which means their time to detection is way too high and their time to analysis is even worse. Then let's remember that if someone tries to shut us down, they need to be able to prove to that company's abuse team why it's shutting down.

Now, we still haven't gotten to the rats yet, this is on purpose. We need to analyze our field of vision before an attack is used. We still haven't even discussed possible delivery methods. We can spam everyone in the world on a massive spam list, but you'll only catch a few of them and it's easily detectable. Spam scripts need to automate various methods of attempts, like hosting publicly and directing them to it via link, creating a malicious document then using googledocs to load it on the email's open, do the same with some images and run them through bit.ly (because tracking opens versus infections allows analysis for the next round). You may need a driveby download and hit people on forums or social media otherwise, maybe you need it to be a driveby you expect them to load on their email loading (do they really allow js in their emails? maybe if they're a webhosted email?). I won't speak on best methods for this idea, but with the automation in place, a single python script can scrape together methods for all of these and templates can be built and set in place. If you haven't figured it out by now, I'm giving you the keys to a platform that can be weaponized if some asshole wants to make it. Without giving you the code, I'm just an influencing factor maybe? Regardless, this isn't something of a malicious code, more of a platform for running testing environments over open internet space.

Now, you have an infrastructure, you have a delivery method, you have some extra tools; let's go ahead and say all of this was placed into a single folder, with scripts capable of referencing each other and made interactive. So you look and see your 30 domains constantly changing, 5 actual servers, 40 email templates with optional spaces set for randomized or semi-randomized data to be added, and 2 vms. You could even preselect places to upload to, such as slack (public files), dropbox, box, etc.. etc... or even some hijacked cms sites (if you're the kind who plays games with cms and makes plugins purposely supporting rfi, this entire process may seem pretty straightforward to you). It's almost like you could dockerize this entire thing and add cleanup scripts into it as well? maybe. Anyway, so all that's left is the malware. I, like many people, would use rats because of peering into things. Right? Well, sometimes people do it for control, but honestly I don't want control or power or money. I just want what's true. That's my weakness. Truth. It's a crime these days. So, with a quick in and out, we could actually easily make our own or run with someone else's. The reason to run with someone else's is really longevity. Use a paid or free generator and hit 10,000 people, and after 2 weeks 30 of them are still alive; on those 30 you can dump your own, knowing you have a backdoor available for you if yours gets killed or found. So just spin up some free malware that can do what you want. The good part is, by stealing creds you can then sell them for money for better rats and continue your campaign (if you were a criminal type who wanted to do this all the time), or you could start a database somewhere for further leverage purposes.

Oh, that's another thing we should talk about: leverage. Hacking is an art of leveraging. You have a fork; you take that fork and use the butt end to stir your chocolate milk because you weren't given a spoon or straw or something better suited to stir with. Hacking is functionally accepting what you're given and using a series of leverages. Every technique a hacker has is designed not as a one-shot, but as a leverageable chain. It's when people mass produce these one-shots (here's lookin' at you, metasploit) that people begin to think it's all about using the software or making your own, or that it's limited to just computer-related hacking. For my examples today, I will be using malware collected from rekings.com or github, or wherever I found the rest. Rekings is a site known for selling malware, tons of free shit, most of which people will argue is infected; then they'll say prove it, and no one will. Let's be real folks, if it's not infected, you're doing something wrong. haha. You must accept what you're given and adapt. If you can't burn your pieces when you're done, you shouldn't have been playing chess. That's why I suggest a vm as the proxy out, via the proxy network, being separate from the vm that has the host-only adapter and can communicate with the proxy one. Your proxy can stay back while you load and reload your c2 vm. easy enough right?

So after long enough torture:

  • Winderps Malware
    • Notes: 
      • Almost all of them have a builder function on the panel. 
      • If it can spy and do administrative functions, face it, it's a rat.
      • There are plenty of them
      • Many of them are under the guidance (via eula) that the liability is on you if you choose to use it for malicious purposes. Yay software licensing. 
    • XtremeRat 3.7:
      • Uses a connection password (large field, use a large key, because you can); on most things this isn't really useful and could be replaced with a per-file generated pgp key pair. But, hey, it's free. 
      • Modular (add your own dlls; this version came with bromasc.dll to add to it). These functions are highly marketable and, when written right, can be sold for more than the fully functioning malware itself. 
      • adjustable mutex, dns/ip:port setup, adds additional malware payloads (might as well dump a meterpreter shell here, or dump a real executable already bound with meterpreter. Hell, for our purposes, let's dump ccleaner or whatever the latest version of adobe reader is. Why? because these are common tools that have a set path where they're going to be downloaded from; find it, script it, always provide the latest. ;) 
    • Babylon RAT
      • Has traffic key, dns and port setup when building
      • Several features for installation of builder, but mostly normal shit
      • Cache of all recovered passwords, cache of all socks proxies able to be setup through clients (huge benefit for further leveraging)
      • functions available are geared towards real control, like cmd or remote webcam, versus the arbitrary command-like functions and small screen captures that some of these rats do. 
    • Hakops
      • pretty normal shit, nice interface, wish it had more languages. 
      • nothing really else to say about this.
    • Plasma Rat
      • One of my favorites, works REALLY well for this type of setup where I need to be killing off my services after only a few minutes.
      • designed to have command by command waiting for the bots to check in
      • many infosec monitoring tools work the same way this does, but this gives you control over it
      • pre-define a set of commands for every bot to do and log results, including mining tasks, keylogging, downloading, etc..
      • Good replacement for pony if people would start automating this, or dump this to a web interface so people on that side of the market can use it. 
    • pandora rat:
      • My favorite for several reasons most of which we probably won't discuss. 
      • pre-define commands, multiple ports, etc.. etc.. usual crap
      • has a downloader as part of its generation scheme
      • you can build your own bot functions
      • you can build your own plugin functions (again, back to modular sales)
      • detected by just about everything so may need crypting
      • Expected almost 95% detection rates, so out of 10,000 successfully downloaded, you're looking at maybe 500 of those staying on for a few days, which will drop to about 80 after a week. Those 80 may stay for 6 months or so and dwindle down to (assuming numbers here btw) around 15 for long-term infections. But that's okay because 0.15% or less is still leverageable for a timeline that's longer than the amount of jail time people would get. Meaning as a contingency plan, pandora rat works wonders that many people don't think exist. 
    • Dozens of others:
      • I've covered with these ones the gist of my thoughts about these rats and most rats function the same or similarly. It's worth investing the time in testing or studying them where possible to understand what works for what leverage and when. 
  • Android Malware
    • AhMyth
      • I don't like anything that insists it needs to be installed to the c2 to be used. No one likes this. 
      • Effectiveness depends greatly on the permissions it gets
      • worth it to bind a meterpreter shell with this so you can add custom functions such as priv escalations. 
      • Good enough to spy on a few dozen people at a time, not much more (memory whore)
      • osx-style look, works well for the c2 being able to be on mac, lin, or win. So the ui doesn't exactly suck, but it's pretty white for the average users. They should go back to their day job as frontend web and app developer. 
    • Androrat
      • compile yourself
      • still sucks
      • oh gawd why does this suck
    • BetterAndroRat (github):
      • Web based (rfi and load load load)
      • easy setup
      • functions still pretty much suck, but if you can script a permission escalation that works for the latest android, you could take over dozens for a brief period of time, or set one out to get minimal permissions until you want to use cooler toys. 
      • target almost has to have root to use this anyways, which sucks but at least almost everyone roots android phones. 
    • Droidjack
      • easy to use java interface
      • building, binding, running work comparably to winderps rats
      • relies heavily on apktool, which doesn't compensate for the latest updates, so unless this will continue to be updated, this has a shelflife
      • permissions issues happen, and easily detectable by everything under the sun. 
    • Spynote
      • My favorite of the general android stuff
      • functions similar to windows rats
      • can be bound with other tools to get permissions elevated easily
      • functions actually work. Geebuz christ this is a thing I must stress. It works, so long as permissions are given. Try it out on a vm, load up call, sms, file, or account manager and run with it.
    • TheFatRat
      • works to bind any of these to each other or just about anything else (try with ccleaner latest, it works better than you'd expect)
      • uses metasploit scripts
      • apparently doesn't understand what the fuck a space is (if you have a space in your directory tree, you know what i'm bitching about)
      • may have to run it on different systems to get all functions working; I've run it on several and dear lord it's trash. 
  • Linux/unix Malware
    • Honestly you don't really need super specialized malware to hit a linux box so long as you can pop a shell. 
      • via browser -> works. 
      • via email -> works if you know what you're targeting
      • random servers just exploit remotely if plausible
      • Your best reverse shell will always be abusing /dev/tcp/, vnc, or ssh. Since these are always used by admins, the only distinguishing difference would be whether they could tell you apart from them. And a connect-back ssh session, launched from an apache module location instead of the actual file (just have it open in its new location when you move it, it'll be fine), is usually apt. Such as, idk, just throwing one out there, libphp5.so.
      • Every ctf in the world tests hackers' ability to leverage linux, so this shouldn't be hard at this point guys.
    • jrat
      • Works pretty well, has limits, to me it seems like a good way to hop from web browser to disk, then get something else to give more permanent connect back functionality. 
    • any available scripting language (lol)
  • Mac/ios Malware
    • While there are a few, here's a particularly cute notion I found:
      • https://github.com/neoneggplant/EggShell
      • and https://github.com/mosca1337/OSX-Peristant-BackDoor
      • OR https://github.com/checkyfuntime/iMessagesBackdoor
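
The Linux/unix section above leans on the point that ssh and /dev/tcp traffic from a server "looks like an admin", and that a connect-back hidden in a web server's module directory blends in. The blind spot in that argument is the process that owns the socket: a web server worker normally only holds sockets that clients opened to its service ports plus a few known backends, so a worker that has itself dialled out is worth a look no matter what port it chose. The script below is an added example for this post, not anything from the projects linked here; it runs over constructed `ss -tnp` output (every address and pid is made up) and returns the worker-initiated connections that fall outside an allowlist. The process names, service ports and expected backend are assumptions you would replace with your own.

```python
import re

# Constructed `ss -tnp` output for a web server at 10.0.0.5 (all addresses made up).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:80         198.51.100.7:51234  users:(("apache2",pid=1201,fd=9))
ESTAB  0      0      10.0.0.5:443        198.51.100.8:60111  users:(("apache2",pid=1202,fd=10))
ESTAB  0      0      10.0.0.5:44212      203.0.113.9:22      users:(("apache2",pid=1203,fd=12))
ESTAB  0      0      10.0.0.5:50120      203.0.113.10:443    users:(("apache2",pid=1204,fd=14))
ESTAB  0      0      10.0.0.5:38800      10.0.0.20:5432      users:(("apache2",pid=1205,fd=15))
ESTAB  0      0      10.0.0.5:41100      10.0.0.21:22        users:(("sshd",pid=900,fd=4))
"""

# Assumed site policy: which processes are web workers, which ports they serve,
# and which backend a worker may legitimately connect to on its own.
WEB_PROCS = {"apache2", "httpd", "php-fpm", "nginx"}
SERVICE_PORTS = {80, 443}
EXPECTED_PEERS = {("10.0.0.20", 5432)}

# One data row of `ss -tnp`; the header row has no numeric Recv-Q/Send-Q and is skipped.
_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text):
    """Parse `ss -tnp` rows into dicts with integer ports and pid."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            d = m.groupdict()
            d["lport"], d["rport"], d["pid"] = int(d["lport"]), int(d["rport"]), int(d["pid"])
            rows.append(d)
    return rows


def worker_outbound(text):
    """Return (pid, proc, peer address, peer port) for web-server workers holding
    a socket they initiated themselves rather than one a client opened to a
    service port. A local port that is not a service port means the worker
    was the connecting side."""
    hits = []
    for r in parse_ss(text):
        if r["proc"] not in WEB_PROCS or r["state"] != "ESTAB":
            continue
        if r["lport"] in SERVICE_PORTS:            # inbound client connection
            continue
        if (r["raddr"], r["rport"]) in EXPECTED_PEERS:   # known backend
            continue
        hits.append((r["pid"], r["proc"], r["raddr"], r["rport"]))
    return hits


if __name__ == "__main__":
    for pid, proc, peer, port in worker_outbound(SAMPLE_SS):
        print(f"{proc}[{pid}] -> {peer}:{port}")
```

On the sample it flags the worker talking to port 22 on an outside host and the one talking to 443 on another, and ignores the database connection and the inbound client sockets. Note that the check deliberately does not key on port 22 alone: a connect-back over 443 is just as out of place for a worker, which is why the rule is "worker initiated it and it is not a known backend" rather than "ssh from a web server". Pair the hit with the worker's pid and you can go look at what that process has mapped, which is where an unexpected shared object in the module directory shows up.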

Let's just stockpile these and randomize what we send to whom and when; like everything else, targeted but randomized allows multiple targeting attempts. So, let's take a step back here. We want to see multiple aspects of our playing field, and we have enumerated, so let's dive in from a different view. Targets get email, or sms, or hit an infected site, or join a chat site and click a link because people in tech like games (lul discord/slack/twitch) -> user, via one means or another, all of which can be automated or randomized between them, gets infected -> infected hosts all query for various dns entries at various intervals -> when the correct ip lines up, the communication path will be (infected host -> server -> tor -> other server -> tor -> vm -> c2 vm (if you're thinking this could cause timeouts, yes, yes it can, but that's okay)). Now let's think about it again from our attacker standpoint. We need somewhere to launch all this that can control the vms, control the various hosts, control the dns, control the email sending, etc... well, I'd pick the proxy vm for the coordination efforts. But that's just me. I say that because it would allow the full thing to be automated in a bastardized attempt at a spying (rat) botnet structure standup and monitoring. If you did everything right, your vm, or vms really, that you want to use for the c2 structure could even be over tor or i2p and not at the same host as your other machine, but then your connection would be so slow nothing would touch it ever. So on our (attacker) side we need to manually spin up a few servers on an hourly basis, update and run this part (generate ssh keys, set up ssh key authentication, remotely chain ssh sessions), load our additional scripts such as file destruction scripts wherever we need them (scp, again automatable, probably through just a bash script), spin up our already scripted (remember I said this earlier) command panel so we can see everything running and all the connections, then select the files, templates, domains, and ips to choose from and let it churn. If you keep your actual ips out of the mix long enough, you can check back on it in a few weeks and see what you have left or what you can leverage. It sends that out, you get responses back, and you interact as you wish, because your wishes are probably different than mine.
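
The chain above depends on "infected hosts all query for various dns entries at various intervals" until the right ip lines up, which from the resolver's side is a host asking for the same name on a schedule and getting NXDOMAIN most of the time. That is a cheap thing to look for in resolver logs. The script below is an added example written for this post, not the author's code: it parses a constructed resolver log (made-up client addresses and names), groups queries per client and name, and flags series whose timing is too regular (low coefficient of variation of the gaps) and whose answers mostly fail. Log format, thresholds and the field names are all assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: "<iso timestamp> <client ip> <query name> <rcode>".
# 10.0.0.12 asks for one name every 300 s on the dot; 10.0.0.13 browses normally.
SAMPLE_LOG = """\
2017-11-30T10:00:00 10.0.0.12 upd7.example.test NXDOMAIN
2017-11-30T10:00:01 10.0.0.12 www.example.org NOERROR
2017-11-30T10:05:00 10.0.0.12 upd7.example.test NXDOMAIN
2017-11-30T10:10:00 10.0.0.12 upd7.example.test NXDOMAIN
2017-11-30T10:12:37 10.0.0.12 mail.example.org NOERROR
2017-11-30T10:15:00 10.0.0.12 upd7.example.test NOERROR
2017-11-30T10:20:00 10.0.0.12 upd7.example.test NOERROR
2017-11-30T10:03:11 10.0.0.13 www.example.org NOERROR
2017-11-30T10:41:50 10.0.0.13 www.example.org NOERROR
2017-11-30T11:02:05 10.0.0.13 www.example.org NOERROR
2017-11-30T11:30:10 10.0.0.13 www.example.org NOERROR
2017-11-30T12:00:14 10.0.0.13 www.example.org NOERROR
"""


def parse_log(text):
    """Group queries by (client, qname) -> list of (timestamp, rcode), sorted by time."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        groups[(client, qname.lower())].append((datetime.fromisoformat(ts), rcode))
    for series in groups.values():
        series.sort()
    return groups


def find_beacons(text, min_queries=5, max_cv=0.1, min_nx_ratio=0.5):
    """Flag (client, qname) pairs whose query timing is too regular and that
    mostly fail to resolve: the profile of a host polling for a name that
    only exists when the operator brings it up. Thresholds are assumptions;
    malware that adds jitter needs a looser max_cv."""
    hits = []
    for (client, qname), series in parse_log(text).items():
        if len(series) < min_queries:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(series, series[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0      # coefficient of variation
        nx_ratio = sum(1 for _, rc in series if rc == "NXDOMAIN") / len(series)
        if cv <= max_cv and nx_ratio >= min_nx_ratio:
            hits.append({"client": client, "qname": qname, "queries": len(series),
                         "mean_interval": avg, "cv": cv, "nx_ratio": nx_ratio})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"{h['client']} -> {h['qname']}: {h['queries']} queries, "
              f"every {h['mean_interval']:.0f}s, cv={h['cv']:.2f}, nxdomain={h['nx_ratio']:.0%}")
```

On the sample it flags only 10.0.0.12 polling upd7.example.test (five queries exactly 300 s apart, 60% NXDOMAIN); the ordinary browsing from 10.0.0.13 has a gap variation of roughly 0.22 and no failures, so it passes. The two knobs matter: loosening `max_cv` catches jittered check-ins at the cost of more noise, and dropping `min_nx_ratio` to zero turns this into a plain periodicity detector that will also light up on every legitimate poller (update checks, monitoring agents), so you want an allowlist of known periodic names before running it at scale.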

So, what is the purpose of this post? 
A. I wanted to introduce myself and my way of thinking as a simple example of bitching at the general hacking culture, including the infosec world. I wanted to rant a bit about how shitty generic software is and the way people think about hacking. To be frank, I wanted an introduction to who I am. My name is meaningless, my title is classless, and my function is visionless. But I can make countless literary and cultural references while typing that people may have overlooked. Let's be real, I speak in allusions. 

With love,
- Ferasdour.
https://keybase.io/ferasdour
