Bad information

I recently found some blogs about various anonymous functions online which appear to be seeding bad information. Either by being wrong, misleading, or inadequate. To start with, here's one I saw that people were sharing in a forensics group.


Yes, you can totally do an nmap scan over Tor with proxychains, and yes, these particular copypasta scans can work. However, let's discuss why a bit further. There are limitations on what can/will go through SOCKS, and there are also limitations on which scan types can perform which functions. As a test, I used tcpdump on the server being attacked, watching for my own IP address. If there was even a single packet to or from my attacking IP, it was a complete failure.

nmap attempt                                                                Result (did it hide our IP?)
proxychains nmap -Pn -sT -sV -O -p80 {MY HOST}                              Failed when OS detection (-O) was added
proxychains nmap -Pn -sT -sV -T5 -p80 {MY HOST}                             Success, despite -T5 being known to have issues hiding
proxychains nmap -Pn -sV -p80 {MY HOST}                                     Failed when -sT was removed
proxychains nmap -Pn -sS -sV -p80 {MY HOST}                                 -sS fails
proxychains nmap -Pn -sA -sV -p80 {MY HOST}                                 -sA fails
proxychains nmap -Pn -sW -sV -p80 {MY HOST}                                 -sW fails
proxychains nmap -Pn -sM -sV -p80 {MY HOST}                                 -sM succeeds
proxychains nmap -Pn -sM -T5 -sV -p80 {MY HOST}                             Still succeeds despite issues with -T5
proxychains nmap -Pn -sM -O -sV -p80 {MY HOST}                              OS detection fails again
proxychains nmap -Pn -sM -T5 -f -sV -p80 {MY HOST}                          Success despite issues with -f
proxychains nmap -Pn -sM -T5 -f -D -sV -p80 {MY HOST}                       Success despite issues with decoys
proxychains nmap -Pn -sT -T5 -D -sV -p80 {MY HOST}                          Success
proxychains nmap -P0 -T5 -D -sV -p80 {MY HOST}                              Failed, despite claims of functional equivalence of -Pn and -P0
proxychains nmap -P0 -T5 -D -sV -p443 --script ssl-enum-ciphers {MY HOST}   Failed. Despite the options, common nmap scripts will fail because they are not geared to work in a SOCKS environment.
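The pass/fail rule used for the table above (one packet to or from the real IP on the target's tcpdump means the proxy setup failed) as an added example, not code from the original post. It parses `tcpdump -n` lines and reports every packet involving the real address, including ICMP lines that carry no port. The sample capture and all addresses are constructed (RFC 5737 documentation ranges) and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `tcpdump -n` output, not taken from the page.
# 203.0.113.7 plays the tester's real (attacking) IP, 198.51.100.9 the scanned
# host, 192.0.2.44 a Tor exit. Lines 3-5 model a raw-socket probe (and its
# reset) plus a ping that bypassed SOCKS and reached the target directly.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.0.2.44.51000 > 198.51.100.9.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 198.51.100.9.80 > 192.0.2.44.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000000 IP 203.0.113.7.40001 > 198.51.100.9.80: Flags [S], seq 3, win 1024, length 0
12:00:02.000100 IP 198.51.100.9.80 > 203.0.113.7.40001: Flags [R.], seq 0, ack 4, win 0, length 0
12:00:02.500000 IP 203.0.113.7 > 198.51.100.9: ICMP echo request, id 1, seq 1, length 64
12:00:03.000000 IP 192.0.2.44.51002 > 198.51.100.9.443: Flags [S], seq 5, win 64240, length 0
"""

# One IPv4 packet line: timestamp, "IP", src[.port], ">", dst[.port] followed by ":".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    summary: str  # the rest of the tcpdump line (flags, ICMP type, ...)


def split_endpoint(token: str) -> Tuple[str, Optional[int]]:
    """'192.0.2.44.51000' -> ('192.0.2.44', 51000); '192.0.2.44' -> ('192.0.2.44', None).

    tcpdump glues the port onto the IPv4 address with a dot, so a five-part
    token is address + port and a four-part token is a port-less packet (ICMP).
    """
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    if len(parts) == 4:
        return token, None
    raise ValueError(f"unexpected endpoint token: {token!r}")


def parse_tcpdump(text: str) -> List[Packet]:
    """Turn tcpdump text into Packet records, skipping lines that are not IPv4 packets."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        packets.append(Packet(m.group("ts"), src, sport, dst, dport, line[m.end():].strip()))
    return packets


def find_leaks(packets: List[Packet], real_ip: str) -> List[Packet]:
    """Every packet to or from the real IP is a leak, whatever the protocol or port."""
    return [p for p in packets if real_ip in (p.src, p.dst)]


def scan_hid_source(text: str, real_ip: str) -> bool:
    """The page's rule: a single packet involving the real IP means the scan failed to hide it."""
    return not find_leaks(parse_tcpdump(text), real_ip)


if __name__ == "__main__":
    real = "203.0.113.7"
    for p in find_leaks(parse_tcpdump(SAMPLE_TCPDUMP), real):
        print(f"LEAK {p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {p.summary}")
    print("hidden" if scan_hid_source(SAMPLE_TCPDUMP, real) else "FAILED")
```

On a real run, feed it `tcpdump -n -l` output captured on the scanned host; any hit is exactly the kind of raw-socket probe (-sS, -O, ...) the table shows slipping past proxychains.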

For the setup of a Tor proxy as a wireless AP, the reason it didn't work, from what I've tested, seems to be that the tutorial they used mentions creating the PREROUTING setup but nothing else... like... idk... forwarding? You can also see in that tutorial that their output of iptables -L doesn't actually match their saved file.

Edit: a worthy mention about segfaults:
- Scanning more than one or two ports seems to end in segfaults for various reasons; under gdb or strace it looks like it's getting hung up waiting. I think there is an option in nmap for that because of the delay times; I haven't tested on my end to see if it's useful. This also coincides with refresh times for Tor, so it may be that because nmap doesn't directly deal with Tor, the connections are timing out and dying along with that.
- Example of segfaults during a run scanning all ports on a single host; something similar happens with too many hosts for my scan:

Other ways to do what they were attempting:
- Scapy: using torsocks or proxychains with a Scapy scanning script works even for OS detection, SYN, and ACK scans. I'm sure there are some ways that escape it, such as ATM traffic and protocols of that sort maybe; I haven't enumerated all possibilities of Scapy by any means. As best I can figure from looking into this, it works while other tools don't because the way Scapy handles packet creation isn't the same as a standard C program (library requirements?) would, generating the entire packet in a form that can be loaded into the SOCKS5 chain (can we do a test development of a SOCKS proxy exploit using Scapy maybe? maybe?).
- Script your own scanners? masscan? etc... you get my point.
- USING A FUCKING VM: People seem to have no idea how important VMs can be for this type of work. I'll explain more in my next rant.
- Modding/compiling your own copy of torsocks: torsocks actually does have a publicly known fix that isn't part of its standard source code which will properly bind interfaces instead of crashing, and also uses proper DNS queries. (For the record, my host was a subhost of my domain, and the NS server is on the same system, making it evident that using proxychains didn't leak IP info when doing DNS lookups.)

Now, that's not to harass that person over their post or bug out about them in any way; this is more just something I noticed, because it seems there was a chain of bad/lacking information they got their info from to have created that post. Because of this, there is a distinct lack of information for those who want to do it in the future.

I leave information out of my own posts too, and sometimes it seems it's not worth it; other times it seems legality may step in somewhere. Either way, this is a catastrophic problem in our world. It's good that people share, but we should all make an effort to test information first as well as explore other options.

Example 2:

So, there was another example on a forum (leaving it out since I posted in the forum's thread), where a self-proclaimed hacker was boasting about their setup and their toolsets. Needless to say this is a bad idea for anyone who wants to claim to be a hacker, but let's dive into why.
  1. They detailed that people should use one vm and route the traffic through their tor socket on their host machine. 
    1. pushing into a socket on a different kernel isn't necessary
    2. The entire purpose is supposed to be anonymity, they're saying everyone should do this for attacking via c2 infrastructure
    3. they clearly don't understand what their own infrastructure is
    4. they don't understand anonymity. 
  2. They detailed that using metasploit was a "real hacker" thing more than using paid malware was. 
    1. metasploit has a paid version
    2. metasploit is a toolkit; it's not really hacker versus non-hacker, more research tools versus real attacker automation tools, which most will create themselves, leveraging everything from paid malware to metasploit.
    3. Again shows a lack of information or understanding about attacker landscape
    4. again doesn't seem to understand anonymity, or for that matter, disassociative properties. 
So, my founding principle for this is an argument of let's have attacker versus attacker. Let's act like rules don't mean anything, since they don't anyway, and have one-on-one attacks. The attacks would be based on information about our c2 found in a launched sample. This would make us attacker v. attacker on the battlegrounds of infrastructure versus infrastructure. I've been making allusions to this in many comments online, but it's pretty easy to note this isn't a new thing for hackers to do and yet so few of them are willing to do it. It's almost sad actually that it's avoided so much. But then researchers are all like "blah blah blah white hat blah blah we can't be using hack back infrastructures blah blah." So, let's bring this to light a little in a scenario designed specifically to mock their own infrastructure. 
  1. Using two vms, one with ubuntu and tor, the other with windows and comodo (you'll see why). With docker also on the ubuntu box and the docker cli on the windows one. 
    1. Setup the ubuntu one as the default route (via host only adapter) of the windows one. 
    2. Setup tor and appropriate routing (google it) for ebtables and iptables (yes, it's important). Hell, setup i2p too for shits and giggles and helping out the cause. 
    3. On windows, load any generic, free, easily detected piece of shit malware using comodo's sandbox feature and generate a few thousand samples. (docker for this task? why not. ;), keep the c2 panel up on that system ) 
    4. Setup your network as (ubuntu box <- ssh tunnel with remote side listening (you can use tor to proxy this too)-> public host you spin up {no no, no need to pay just grab a valid card number anywhere and move along}, this creates your public connection) <-> php script to proxy ports on various servers to the domain and port you're listening on for your public host. Now your public infrastructure is running, you just need to setup that domain. So rush on over to hijack someone's domain creds (brute? free leak? whatever it doesn't matter)  and use their ns to spin up several hundred subdomains you change to various ips at random remotely based on a remote connection saying (see my rant about domain ip rotations), or alternatively use ddns services (theres plenty of them). 
      1. This is a lot so basically it's from the c2 side: c2 panel::windows <-> ubuntu <-> tor || reverse proxy (i mention this as || (or) because if the proxy were to fail or something along the chain does fail (including panel itself accidentally having exploitable features), we want any secondary traffic or altered traffic to not leak our ip so we can just revert state and move forward again) <-> the public ip we do actually control (we want to be able to ditch this too at a moments notice, so we can all agree to use cloud providers, they're good for this) <-> php proxies scattered around the net <-> payload/stub/malware::infected host. 
    5. Now that we have our structure setup, go spin up some more malware with the correct hosts in place, and go ahead and start your sending scripts wherever you have those hosted, clearly not on your vm host you dumb piece of shit.  #justsayin. 
    6. Since there are very few protections in this structure yet, you could spend the time to make antiforensics tools, drive and system wipes, remote databases for exfiltrated information, really whatever you'd want. 
  2. Spin up another windows box with no connections and your favorite decompiler to identify and attack their scripts. 
    1. You will need to be able to identify anything they launch and the pattern of encoding/decoding over the net. 
    2. You will need to be able to find common abuse traits, such as when you see the host request information but the request data may not be validated, check it. test it from somewhere, like maybe your ubuntu box? scapy/tcpreplay/etc... is your friend. 
  3. make sure they know which ones are yours and how they can get a copy, and get theirs for your own. 
  4. Laugh uncontrollably when you find their real ip by trashing their socks connection. 
    1. WHAT?
      1. Well, you see, why do you think some scans work and some don't? Different packet data responds differently. 
      2. Sometimes, this means you will adjust the windowing on your side and watch their responses from a public host magically correlate with where they're from. 
    2. What if they used a vpn?
      1. looooooooooool
        1. People rely on vpns a lot but when push comes to shove, you can smash a vpn provider's connections and have them time out, so if they try to attack yours or respond to yours, it's going to come from the right place. ;) 
  5. be sure to leave a friendly reminder about how stupid their structure is on the way out. 
This is attacker-versus-attacker architecture planning, or as many may call it, attack-back architecture. Now, I might like this plan of action and have referenced portions of it in several ways before, but these are just playthings. This is a toy architecture in this scenario. 

My purpose in bitching about this is pretty simple: this person was given really bad information and reflected it as boasting about their own knowledge of the way things work. Because of this, when it comes to them posting their malware anywhere or someone stumbling across it, they're prone to attacks from various entities including governments and other attackers. On both sides, from whitehat nonsense to self-proclaimed blackhat kiddies, information spreads under the guise of "don't bother looking for the correct way," and I just wanted to throw it out there that we should say it under the guidance of "I tried to study this, this is what I found," or alternatively "I've been recently finding..."

Now some error codes to make this page have a picture on it. People say the picture makes people want to look at your page. hehe.
You must train for the worst, prepare for the worst, and hope for the best. Training for what you have going right now is not apt training. You must do what you need right now /and/ train for the future.

That's my belief anyhow.


Data Data Data

Data data data. Data data data data, data data. Data data data data data data data.

Developers developers de... oh whoops, wrong one. Data data data.

I wanted to talk a bit about data, its perceptions, and how it is used or misused. So, to uphold this conversation, I would like people to look at the first two lines of this post. To a computer, specifically an AI, this may appear as a sequence representing some choice in lexical ambiguity, or it may see it as simply some ASCII strings which we could map to known words, which we could map to known usage and habitual usage to find the most likely meaning. Either way we think about this, a computer may see the first sentence by itself and assume one situation, then the second and assume it is another, or both together and assume it's a third. This is a fundamental issue with data, even to a computer: perception changes how we investigate, diagnose, or define it.

Now let's say that I wanted to run this data myself; how would I figure out the meaning? I find the first one, and it seems stupid, so I pass it over because it becomes illogical for known trends of thought. Then I see the second one and see this could be referencing something, so I attempt to remember or look up what that reference could be, eventually finding the rant turned into a fancy musical meme. But I'm still left to deduce its relevance to a topic about data. So I look back real quick, I see it's using the term data in place of developers; the rant before was about the importance of developers, so in a split second of deduction I found that this was going to be a topic about the importance of data.

"Is this how you see the world too my friend?"

Data can be represented in many ways, come from many sources, be stored in various ways, and be analyzed in various ways. In the infosec side of the world I too often see people unwilling, or unable, to take data and expand it into an understanding of the world around us. Maybe it's because infosec people stake claims of whitehats and defenders, further criminalizing those who aren't with them. But maybe there are other reasons too. I've grown up in a weird timeframe: I was told what you do online and who hurts you online and how much information you put online is up to you, and now I'm told to tell my children to be worried about bullies saying mean words online. I was told the internet was the future and it was all about techies and businesses, while today I'm told to tell my children that the internet is a highly regulated, highly managed, multiple-provider network where we should be scared to assert data.

"Ding ding ding, we have a wiener!"

Social constructs appear to be a huge damage to the ways we've grown up. We were told information was free and should be free because to criminalize data was against humanity. Now we have freedom fighters telling others to stop posting everything from political banter and hate speech all the way to personal feelings or technical manuals they didn't purchase. Freedom my ass. Freedom of information was such a big win: we told the government to politely tell us things they did once it becomes irrelevant, but only what can't be redacted. But damn it, we slapped the title freedom on that bill and it's sure to make everyone reference that as soon as you say information isn't free in America. In fact, information is criminal. A friend links a post showing data containing someone's social security number, then the cops raid your computer for any reason they choose to give, bam, felony charge. You then have to defend yourself and hope for time served plus an ankle monitor for 9 months. Hope you can keep your job. Worse yet, you find that it's a frequent thing to look at pastebin pages where people got doxxed, and save them because you want to help solve issues with doxing. Oh snap, cops saw it, they don't like you, they decide to press charges of 20-to-life per social security number saved willingly. Oh, but you made a script to do it, so it was functionally just cache? Well, good luck defending that with the careless state of Americans being your jury.

"To live, is to commit a crime."

So, we've seen social corruption and governmental corruption; let's take this back a step or two. Data can be any perceivable idea. I dream of demons ripping the flesh off everyone I know and dropping them from 200ft to let them splatter and try to struggle breathing. This is data. Every, single word. It's what we do with data that counts, right? Well, sort of. But no. We need every bit of data, we need to be able to parse and analyze it, and we need to understand how this is done. While people sit here with their $20,000 platform that underperforms to expectations, they think it takes a large development team to do this work and have it be effective enough for analysis, and if they can't do it then we have no hope and blah blah blah blah blah. To all of this, I would like to mention the life lesson that rings true many, many ways for me: "With all of our technology, we operate everything at a rudimentary level." I say this because I find this true in everything. We use 120+ year old capacitor concepts to power industrial machines and wartime weaponry. We use signals of true or false to identify traits which are other patterns of true or false to use massive computing architectures. We use linux cron jobs to power many "industry standard" tools that keep everyone safe. But really they just parse data like they're told, the way they're told. Without an understanding of how that data is used, we have no idea what it's reporting. But we can totally read the manual! That'll tell us! RIGHT!? fuckers. NO! We are at a stage where our "professionals" either hacked their way in or went to school and learned very little. Sometimes we do find some who went to school and hacked their way in. But the essential problem remains that data is being parsed under our noses. We don't even spend the time to look anymore.

Storage gets bigger, data gets smaller, learning becomes less.

Data, in the eyes of humans, can be many, many things and used many, many ways. But we have to revert back to arbitrary notions before we understand what it really is. Someone says they're going to the store, but you realize they can't go to the store because the store is out of their way and their habits define a pattern directly against going to that particular store. So, to enumerate better possibilities and to enrich the data that you already have (they don't seem likely to go there), you go to the store, and you find their car is not there. You ask the cashier if they've seen them, and that person says no. You message them, to which the response is that they are still at the store and will be back shortly. You go back and find them there before you. This little bit of data can judge a range of drive time and distance, assuming regulations such as speed laws are in place. You proceed to call them out for it and they show you a receipt from the ATM at that particular location. However, since that ATM is only accessible if the cashier sees you, there is a functional flaw here. Further, the ATM receipt was dated 2 hours before. Their excuse is that this was due to DST. By this point you don't believe it; you know they're lying, but how do you prove it without just telling them to gtfo? Well, for one, you should tell them to gtfo. But also, the amount of enrichment you do on your daily life's data can aid in identifying problems like this. You simply say, "I went there, I proved you weren't there, you made it here before me, from within a range of (blah), which correlates to x number of friends you have." Cheating people hate being told who they're cheating with and how. It's almost funny. You can watch them struggle to find a new excuse or to change the lies they already told. It's great actually. But back from the data viewpoint, these are all very minor data points enriched to solve a problem that many people have.

How can we do the same with our everyday data as analysts for any form of infosec studies, though? Can we turn enrichment into an actually useful tool? Well, several tools are made to enrich data, mostly doing the same basic functions: resolving domains, caching domain resolutions, storing large lists of data believed to be linked one way or another, etc... But none of these things need some multi-million dollar tool; any hacker with any system can pull this off.

"Review of time and place"

We need to teach people how to use data. Data is the key, not the toolset. Understanding how an MBR can be changed by changing the 16-bit asm, versus understanding that a tool shows deviance between known good versions, makes a world of difference when trying to identify bad actors, habits, or otherwise, activities.



PlasmaRat: why use shitty malware?

I wanted to discuss some issues I find in the realm of choosing malware and why it's perfectly fine to use bad software once in a while. In this, I will detail a plan of action to leverage multiple sets of well known/easily detected malware for various purposes. So let's begin with a soft story. You people love story time, right? In this story a threat actor, before they became a studied attack profile by major organizations, was just a young nooblet looking to see what they could do. While developing their plans and their chess game, they found tools. Now, immediately you're probably thinking script kiddie, and fundamentally you'd be right. These people used what was available to them rather than learning what it took to do it themselves. Eventually, the habits and traits learned by doing this turned into an actionable plan and money was made. When money is made, people stop trying to perfect an art and start looking for more free answers. Instead, our protagonist decides he will learn to do more. This, a crucial turning point, is what makes the difference. He stops doing shit jobs that pay 100% with shitty risks using other people's code, and turns to developing his own attack strategy. This is where our story of WHY comes into play.

The point in our story where we stopped to explain is the same situation where many people may have an issue with others using other people's code. But let's think about this, both as a business and as an art. Let's try to define why people would want to do this.

First, the business side. If your business relies on stealing data for profit, on setting up a botnet to leverage when stealing money, or on disassociation from you as a person versus you as an actor, one thing is true for all of these: if you go to jail or have anything happen, you have to rebuild to come back. So, as a plan of action, you need your business capable of withstanding the tests and trials of time and courts. To be frank, you need your operations to continue without you present. Now, many people do this by spinning up bot after bot to control subsections of bots; other people do this by assigning people to various places and having each of them act as a burnable resource. But if you're using your own code every time, especially if your business is more than just yourself (orgs/syndication/mobs/militia/whatever), you can't really afford that sort of downtime. So you're going to want to hide your code for post-infection, lessen the chance of detection of your group, and increase the detection of popular malware. Why? The more they detect it, the more you can see who has the money to stop you. Some big business detecting some cheap rat you pulled out of your ass for $20 is a significant win for them according to them, but it's also a win for you, because you know their detection capabilities. You know it either launched, failed, or got stopped before calling back. You know this because you pay attention. So your next move could be to slowly try other rats to see what doesn't get detected, try other droppers, see what happens. Slow moves at no cost are only an expense of time. If you can spend the time to do things right, your business will profit from it. Furthermore, accepting an 80% gain or 80% loss should be defined in your business. You spent $20 to get a rat and get $40 in return from an expected $400. You need to accept it and move forward. 
Yes, that's a loss you may not have been wanting, but it wasn't a complete loss, so pick up your shit and move along. You have 20 people working for you, and 10 of them are each tasked with getting $300/month from this. You get 7 of them getting $150 each. They keep less of the money because they performed worse, but the company still has funds so it works out. Well, if it's only 20 people, and 10 of them spent a full month failing to get $300, then you still need a way to feed them and the other 10. Businesses, like families, have to be run with care. The more people you have, the more mouths need to be fed. For them, for their families. So instead of putting half your staff on getting less than expected, or pushing them to make more, you can split it up. Have your highest performing 3 of that 7 that actually got anything set to make as much as they can doing this. Then you send another 2 to find new resources to back up those 3. Then you send another 5, split into two groups, to hunt new targets and pick off the easy fruit before handing it over to those higher performing folks. Now you have 3 people making $4k/m apiece. Now this leaves the entire group with about $600 each, assuming performance stays up to par. That's not good enough for min wage. You need to raise this up a bit more. If you split your entire staff into two sections of 10 doing the same thing you will get everyone about $1200/m, but is that really enough? What if someone fails or gets sick? Instead, set up a single trainer and a manager/lead. Then you may have 5 people making $4k/m, 2 business function positions, 5 people looking for new venues, and 2 looking for resources for the 5 making money. Total utilization of the workforce, what, 14 of 20 people? Gets everyone about $1k/m, but the benefit there is continuity. You don't need the higher pay if you have functional continuity. If you have even two people not utilized for daily counts, everything they do is profit. 
These are your ADHD kids, your scientists, your researchers. These leftovers should be the ones able to do the other jobs but have fun doing all sorts of shit. Because that's how businesses work. 20 people, set job schedules, steady life, and everyone earns their part. If they need more, there are two ways to get it: from the boss or from working for everyone. This idea, almost communistic, works for smaller companies. If you expand too much, you need to have a commune/tribe of leaders that handle this, then inside their ranks have them handle things whatever way is best for their people. But at a large functional position, you need your company to work like this, which is why you need the resources to be minimal. Every free rat that comes out, make those guys looking for helpful resources go and try it out, write a manual about it, then ship the generator and the manual upstream. In some environments, just ship them a new VM snapshot that includes a running version of it with listening ports defined. Let the users of those handle how they get the network to those VMs, and hopefully your people are smart enough to handle this task.

Now, from the art side. As an artist, you may look into finding new ways to do the same things, or leverage someone else's ideas to make them your own. This does go well with common hacking philosophy, so it's not really that much of a variance that artists indulge in hacking. But it's usually those ones who make it their primary art that are so fun and full of joy. Still, with so much deviance, it's harder to define a sub-classification for the art. Their art may be in managing a large complex structure of loosely integrated systems. Their art may be in defining code that uses other code to build code from. These are things you need to ask yourself when asking if they are artists or script kiddies. They use another tool, or 1,000 other tools, and then you fail to see the artistry in what they do because you think they're useless because they used other tools. See a problem there?

Now, some additional/honorable mentions that are worth noting. On the business side, you should probably dedicate at least two people to monitoring/maintenance of botnets/structures/services/etc... A botnet admin is essential if you want each botnet to live. Further, don't rely on just one network structure. Make multiple, build them, maintain them as you build more, segregate them, and either drop or rebuild the old ones. You may have a large amount of cash flowing, or be desperate for cash, but on either side of that, criminal activities need to be kept separated from your desires and left to the business. If your business is around artists, then you need the business to support their own activities, which then also aids in disassociating yourself from the easily recognized habitual patterns of your workers. Same too on the art side: when you work with others you must understand it's not about you. You are being allowed to work with a group to provide for the group. You are not special here; you are one of everyone here. Instead, to maintain your character and your artisanship, remember that it's not about you when you're working, but the things you do for you will help everyone in your work. Like custom designs, pushing the limits or perceptions of common protocols and behaviors. That is your place as an artist in a group setting, specifically when it's involved in criminal hacking. As well, many businesses use rats that are easy to detect (like plasmarat, which holds its own name in every proper generation); if you want to lower detection you simply pop those sorts of data with new/generated data and magically you go from 30 second detection to 30 day detection. Or, on the other side, you spread it thin enough so the detection rate versus collection rate is along the lines of 80:20, and you've still got 20% of a proposed attempt at a botnet. 
With how easy it is to find emails and chats and everything else as methods of launching, if 20% isn't good enough for you, then you're in the wrong damn business.

So, as we dive back into our storytelling, this young man knows how to find common rats and common tools to get the money to keep everyone running together. He also knows how to identify traits and behaviors of other people in the game because he's had to separate himself from the game. So, where do we put him in a business? Do we leave him as an artist? Can we profit from him?

So you ask yourself why people want to use shitty malware, and the answer is simple: as leverage. Not as something fancy, not as something to take pride in. No, instead it's something to move forward with. A tool, or capability.


Let's play a game.



  • I give you a private and public key pair when you access the page. It's up to you to understand how to use them. 
  • This is a programming game. 
  • You are given my public key (same one as for keybase) for when you find answers. Send your answers on keybase (chat: answers are pgp encrypted or won't be accepted), or as a GET request to the server (preferred). Answers should be in the form of http://0daz.io/boogiepop.phantom?answer={username:code}. You will get a 404, and winners will be updated on the original page along with timestamps of when they sent winning data. (Future updates: I intend to make it show the time since you got your username used for the challenge, calculable in milliseconds, as well as time since the challenge was posted. This is not yet a feature.)
  • This is not a ctf, but if you hack my shit, the worst you can do is get it flagged or shut down, and the best you can do is fix my code. I won't be hurt either way in these regards. PS: if someone does shut me down, sorry, but lulzkillerbot ruined mah fun. 
  • Data used for making this game is taken from textual references and allusions made in public documents. Alternatively, it may be understanding based. The key point here is to challenge you to script against things you have no possible way of knowing where the source will be from. Good luck. 
  • No further hints will be given. I've given you too much as it is. (Eventually it's intended that every challenge will be generated. This too is not yet functional.)

New wordpress site. yes, seriously

So, I made myself a little wordpress site over at http://hello.0daz.io/see-also/. It's running on docker, with goreplay setup to propaga...