5.22.2018

You say you want syndication, kid? Well whoop-de-do


Okay, so I know I've discussed it before a few times, but it really annoys me when kids are all uppity about wanting to be gangsters, or their idea of gangsters rather. Yes, nowadays thugs come in every flavor, from dweebie little Twitter thugs posting on zone-h thinkin' they're the hottest act around, all the way to hoodlums arrested 6 times for armed robbery of the exact same store. lol. If this is your idea of gangster life, you're in for a rude awakening. For that matter, if everyone over 30, including every other thug who's ever walked your neighborhood, avoids you and your friends like the plague, you're in for a rude awakening. So let's discuss syndication as it applies to the criminal world, and compare those ideals to the "thug life" trivialities.

I would like to start with the obvious errors first: gangsters versus thugs. Gangsters are people who join together for an organized effort, a gang of people if you will, and focus their lives heavily on their group. A thug, on the other hand, as history teaches us, refers to a criminal actor who steals, harms, or otherwise violently enacts their own or their group's will. Yes, thugs can be gangsters, and yes, gangsters are often thugs. But here's where this brings us: at what point does syndication become relevant? What does that even mean to the common people?

I'll take a step back to explain. A carpenter, jack of all trades, etc. is down on his luck, has trouble keeping long-term jobs, has a family to feed, whatever, and his friends, who have recently been in similar situations, decide to help each other out by offering referrals when business is okay so they can pass some assistance to each other. This wouldn't be fair unless of course they still got some compensation for referrals, so they do this at a 90% split with 10 going to the referring person. This is a few people helping each other out, but it is also the essence of the criminal world you kids so admire. It's not about stealing, or cheating, or thugging. Your business is your business, you do what you need to, we do ours. We all just help each other out when we're down on our luck so we can all move forward together. Oh shit, your neighbor just lost his job, how're you going to help him? Well, let's turn this idea over a little: how can you help everyone who may need it, in a way that's helpful to you? You do the same things, or other fully legal activities, that often involve hard work and not being lazy slobs; effectively you bust your ass to help everyone you can. You even make a collection pool when you're doing well enough financially so any funds go back into keeping this running. You even go so far as to build a model based on 80% loss for any agreement. If the expectation is 100% repayment, but you only get 20% of the cost back, it's okay, you planned for it, it won't hurt us any. But for those few people who don't even get the 20% back, man that's fucked up, why not? Okay, well, this guy is cheating the company, trying to use it for personal gain and making off with money any chance he can. Money that could go to little Miss Debbie down the way, who's only 4 and needs surgery. This person stood in the way of your own son or daughter getting food for a night because he decided he was more important by himself than everyone else put together. Would you go after him?
Would you put an end to it? Most people would, and frankly that's the key point where syndicate groups get their violent notions from. They stop this shit from fucking it up for everyone.

So, if we called these people in syndicate groups mobsters, as is more common these days than to call them gangsters (rightfully so I guess, with how petty the word gangster has become), it would be fairly accurate. Well, but why do these mobsters always get represented as some big badass with kingpin status and blah blah blah, right? Well, you can only assume to teach what you know, and you can only assume to learn what you're taught. If mobsters teach mobsters the wrong things, their placement, their goals, they begin to believe this is all that will ever be. In many cases, they don't even know why the organization was started to begin with. Oh look, cops caught this big badass... 4th generation of the org. Oh look, cops were able to catch this guy, 12th generation. Let's be real, fellas, cops have found that the way to combat an issue like this isn't to combat it at all, but to overload it. By inserting more people into groups, by keeping people in where they want to pick off the thugs and the real dangers to society, eventually, when the cops feel they can control it themselves, they overstep and shut down what could have continued helping for many more years. How does this work? Well, let's take our scenario from earlier. 3 guys, one helped the other, 6 months later resources from both of them were used to help the third person. Now each of these 3 people who've agreed to do this for each other also has family. Up to 10 people each. You have 30 people to watch over and protect if needed. If they add more people, you'll eventually have 30 direct people, and 10 each, so 300 people. Through the associations of those 300 people, anyone who decides to get up and seek out this type of help gets help in the group; now you have 40 people and, again assuming 10 each, minus 1, right? Well.... 10 each, minus a cop. That is the slot cops can fill.
By overrunning the org with cops, tweakers, whatever, you become able to deconstruct large organizations with simple commands in a matter of only a few years. So, all they have to do is put more people in place, make them keep their traps shut, and if things don't go their way, snap, it's done. You've strangled the beast.

Nowadays there are several skills, traits and monitors to aid in preventing this, but discussing that isn't really the point. The goal of this rant is to discuss the fact that little thugs want to seem powerful and rich, but the mark of a gangster is someone who does the work to help others.

If you want to be a gangster, get off your ass, help your community, help your neighbors and help your friends. Doesn't seem so glamorous now, does it? You kids play too much GTA.

5.03.2018

More on domain tracking

I decided I'd spend some time today revisiting malicious domain tracking. Because why not, right? So let's start off by appending to what we have:

https://pastebin.com/raw/vRZvsFWD

As you'll note, this pulls from 0daz.io/ddns.txt. If we look back on a few other posts about this (https://nday.0daz.io/2017/11/passive-intelligence.html || https://nday.0daz.io/2017/11/malware-domains-and-botnet-jacking.html), I have previously set up scripts to pull bits of information from various places on a frequent basis. A relevant cron entry:

# system crontab entry (note the user field). Minute field is 0 so it fires once at the top of
# every third hour; with "*" in the minute field it would hit the mirror every minute of those hours.
0 */3 * * *   user    curl -s "http://mirror1.malwaredomains.com/files/dynamic_dns.txt" | grep -iv "##" | awk '{print $1}' > /var/www/html/ddns.txt
Basically, this takes the dynamic DNS list and parses it into my own file. Simple, easy, moving on. I also have several other scripts that pull from other sources, but this is the easiest way to express the idea. Don't use my scripts, obviously; they're there for concept art at best. In this case, though, the script pulls my pre-parsed list and acts on it by attempting a host lookup for each domain (designed to run under proxychains/torsocks/etc.) and saving the results to a database. The database never updates an existing entry; it simply adds a new entry every time the lookup runs. So, for this particular usage, it's only good for searching for one of the domains and seeing the changes to its resolutions over time, etc.

Now, let's change it a bit further, because we want something newer. Something like hybrid-analysis' data set for their public feeds. Well, luckily I'm lazy and have a cron job do the work for me so I don't have to log in and pull it myself! Instead, I pull from my cached copy:

https://pastebin.com/raw/azruh6Vb

In this case, the idea is to proceed by collecting data, then building the domain list to check from that data. Splitting this into multiple functions will allow us to expand later. In the collection part of the script, I collect the feed data and write it to disk so I can search it later, mostly for debugging or expanding. I don't want to append to it when it reruns because I only want the latest data in the raw file. Then it returns the lists of domains, IPs, and file details. I use those to make a single database with all those points, because they're all relevant. Then I use the domain list to do what we did originally: host lookups, into the database.

At this point I'll leave the example scripts and propose an idea to play around with. This could easily be transformed to build databases such as the domains that no longer resolve. If you could add that, and the md5 where relevant, you could theoretically find domains for the taking that already have traffic ready to go. You could also take it another route: using these domain lookups, build your own feed to pull from and host it on a docker instance somewhere, writing the data back to you multiple times per day. Maybe even integrate this into a SIEM for the most up-to-date /and/ historic domain resolutions. For that matter, set size limits for the database, set up logrotate to swap these out frequently to avoid space issues, and track your own threat actors this way.
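As an added example (not one of the pastebin scripts above, and not the author's code), here is a small Python sketch of the append-only lookup database described in the last few paragraphs, plus the "domains that no longer resolve" query proposed here. The ddns list, timestamps and IPs are constructed sample data, and the resolver is a stub passed in as a function; for a live run you would pass a wrapper around socket.gethostbyname_ex (under torsocks if you like) instead.

```python
import sqlite3

# Constructed sample in the dynamic_dns.txt layout the cron job filters ("##" = comment).
SAMPLE_DDNS_TXT = """## dynamic dns providers (constructed sample)
evil.example-ddns.test   some-provider
gone.example-ddns.test   some-provider
## another comment line
moved.example-ddns.test  some-provider
"""

def parse_ddns(text):
    """Same as grep -iv "##" | awk '{print $1}': first column of every non-comment line."""
    return [ln.split()[0].lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("##")]

def init_db(conn):
    # Append-only table: every run inserts new rows, nothing is updated in place.
    conn.execute("CREATE TABLE IF NOT EXISTS resolutions "
                 "(ts INTEGER NOT NULL, domain TEXT NOT NULL, ip TEXT)")

def record_lookups(conn, domains, resolve, ts):
    """resolve(domain) -> list of IPs ([] on failure); for live use pass a wrapper around
    socket.gethostbyname_ex. One row per (domain, ip); a NULL ip row records a failed lookup."""
    for d in domains:
        conn.executemany("INSERT INTO resolutions VALUES (?, ?, ?)",
                         [(ts, d, ip) for ip in (resolve(d) or [None])])
    conn.commit()

def history(conn, domain):
    """Every recorded (ts, ip) for a domain, oldest first: the resolution change log."""
    return conn.execute("SELECT ts, ip FROM resolutions WHERE domain = ? ORDER BY ts, ip",
                        (domain,)).fetchall()

def no_longer_resolving(conn):
    """Domains that resolved in an earlier run but failed in the most recent run."""
    sql = ("SELECT DISTINCT domain FROM resolutions WHERE ip IS NOT NULL AND domain IN "
           "(SELECT domain FROM resolutions WHERE ip IS NULL "
           " AND ts = (SELECT MAX(ts) FROM resolutions))")
    return sorted(r[0] for r in conn.execute(sql))

def run_demo():
    """Two runs against an in-memory DB with stub resolvers (constructed data, no network)."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    domains = parse_ddns(SAMPLE_DDNS_TXT)
    run1 = {"evil.example-ddns.test": ["198.51.100.10"], "gone.example-ddns.test": ["203.0.113.5"],
            "moved.example-ddns.test": ["203.0.113.7"]}
    run2 = {"evil.example-ddns.test": ["198.51.100.10"], "gone.example-ddns.test": [],
            "moved.example-ddns.test": ["192.0.2.44"]}
    record_lookups(conn, domains, lambda d: run1.get(d, []), ts=1000)
    record_lookups(conn, domains, lambda d: run2.get(d, []), ts=2000)
    return {"domains": domains, "moved": history(conn, "moved.example-ddns.test"),
            "dead": no_longer_resolving(conn)}
```

Point the connection at a file instead of ":memory:" and call record_lookups from cron to get the historic table the post describes; the `dead` list is the "no longer resolves" view.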

Now, relevance becomes tracking only a subsection of threat actors, and only through their use of domains. Perhaps you could take the md5s and have a system pull those down for more specialized analysis. Maybe take the IP and do a quick port scan (where applicable). Or use the IP addresses and run some OSINT, such as passive DNS, VirusTotal lookups, etc., to try to get some idea of the range and scope of each part of what we picked out. Or maybe throw it all away because it's garbage. Maybe feed it all into a stats engine (machine learning?) to build whatever analysis pools it finds, such as timelines of when changes happen, which could better associate character traits of the actors and managers of the C2 infrastructure. Regardless, with some degree of care/effort, you can use this as yet another tool to monitor with.

On another side of things:
- nmap and keras: machine learning geared towards resolving the most applicable/inapplicable ports/services/protocols.
- miasm2, z3, and keras: machine learning geared towards identifying traits in programming, using z3 to test the alternative methods; this could get ugly.
- You can expose people's IP when they search for a domain if the index page that Google needs to cache is larger than a specific amount. My 50 MB index page lets me see when people google my domain. Correlating that to a specific user is largely based on the ability to see input, timelines, and repetition of the test. Using MeWe and Twitter and posting some links here and there, I believe I have found the home address of several people based on these factors. Not really relevant to much, just sort of neat to identify based on trivialities of influential factors. Best part is, researchers often fall victim to googling instead of accessing, but their googling is never hidden/proxied because they're too lazy to do the check. Pretty amusing actually.
- Exposing people's calendar schedules can be done based on their walking past you, so long as their phones attempt to connect to Bluetooth or Wi-Fi and openly probe for known Wi-Fi. In some cases, GSM/CDMA/etc. can be used instead. Cell phones are such fun tracking devices, even when not using the phone services themselves to track the cell phones.
- Phishing/marketing tricks can be used to get someone's location information from their phone without needing a GPS lookup. Because allusions, websites, suggestive notions, and simple 0-pixel tracking gifs. Who needs SDR to track someone anyway? :D
- Simple reverse shell logic can be applied to other things. Take the format of classic bash reverse shells: you run the command interactively with the interactive shell's data piped to a TCP connection to a host on a specific port, then pipe the response data back into the interactive shell. You apply that to people, for instance. With some expectation of humans being humans, you can largely still assume they will attempt to deceive or manipulate you, because most people do these days. With that in place, you have your interactive internal dialog into their head. You have your pathway in; now what are you going to pipe into it? If you just pipe your own bullshit directly, it will probably be refused, because they block requests this way. So why not make a connection that you control, whose activity they trust? If you really want control, a trick I learned from a very manipulative woman once upon a time: you don't have to play into people's desires, or their fears or angers; these are all too noticeable. You simply play into their personal activities that they think nothing about. For this, think about people drinking tea. They drink their tea every day. You have a stance to control their activities if you can get to that tea before them. They are willing to put something caffeinated into their bodies every day, so why not exchange it for something decaf? Their reaction will be that same trigger state you wanted them in, but you controlled the occurrence of it. No need to wait or play shitty games. The person who taught me this used her being female as the trait she played into most, because people are desperate for attention from such people. Highly targeted human watering hole attacks are by far the very definition of sociopathic.
- I get bored and post things at this point mostly to appease a slight side of me that wants to see the world burn. I enjoy security but not preventing access. I love granting access to those who fight for it. I am okay with having someone else access my services, my Facebook, my Twitter, my computers. It's amusing sometimes. I just want them to be polite about it. ;)
- I will continue to argue that hacking is more than just breaking in, or breaking out. Forgive my 90s ideals, but knowing about the world around you is much cooler than bragging about breaking into a server no one was paying attention to. Challenges? Maybe 1v1 on the public internet with public services? No? But people want things to be real world, yet they only want to red team? This is the systemic problem with hacking cultures today as I see it. People want to break in, or break out, while learning, altering, negating, controlling, abusing, or monitoring seems to be outside of these "hackers'" mindset. If you really want to learn cyber security, you and your friends can set up servers and hack each other, every way you can learn how. Forward shells, reverse shells, rootkits, whatever. Get it, make it happen, learn how every piece works. Just like you would if you and your friends got an NES in 1984 and couldn't afford another game yet. 2018 and your Switch, your Xbox One, your PS4, all sit there either uncracked, unused, or using the same public exploits someone else released. But that's okay, you hack to learn. It's part of the learning cycle. This is the essence of hacking, not some bullshit legal terminology.
- What? Blackhats? Why the fuck do people still use this term the way they do? I can understand people who abuse moral grounds being blackballed by those who don't. But let's be real, have you seen white hats? "Grey hats?" It's no longer about the morality of their actions, it's about their legal stance. This argument dates back at least as far as BlackGate BBS, if not substantially further. Legality does not make morality. Moral judgement is part of human development and not some legal hammer to be swung around. Yet we see here, if someone goes to jail for breaking into something they wanted to learn about, we nowadays call them blackhats, as well as blacklisting every activity they've ever done. Every site they've been on that doesn't fit in with normal clearnet publicity: blackhat, underground, etc., etc. Why do we call them black hats when they have no need to be blackballed? Or do people not understand the terminology of using black in this context? (Re: I saw a tweet where a guy tried to say blackhat, just like blackball, was a negative connotation towards black people, so I honestly believe many people do not understand the concept.) Even if they do understand, "dem black hat haxxors sellin' card info and blah blah blah"; okay Experian, tell me again about these blackhats selling my stuff when you sold it to them first. Oh, validation and accreditation are really just clichés used to make people think a compliance check means they're trustworthy. Blah. Just please, people, stop using terms of hats. Whitehats are insanely immoral as part of their day to day and they get praised like kings and queens. Everyone else tries to uphold a moral ground and gets arrested, fired, threatened, or physically harmed for doing so. When you tell me a blackhat is immoral, I can honestly say I know more trustworthy and respectful individuals flagged as blackhat than I do who claim a white hat.
- I wonder if there is a repository of machine learning identifications of program characteristics somewhere. Hmm.... That would be pretty sweet.

-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour
