More on domain tracking

I decided I'd spend some time today revisiting malicious domain tracking. Because why not right?  So lets start off with appending to what we have:

https://pastebin.com/raw/vRZvsFWD

As you'll note, this pulls from 0daz.io/ddns.txt. If we look back on a few other posts about this (https://nday.0daz.io/2017/11/passive-intelligence.html || https://nday.0daz.io/2017/11/malware-domains-and-botnet-jacking.html) I have previously setup scripts to pull bits of information from various places on a frequent basis. Some relevant cron entries:

* */3      * * *   user    curl "http://mirror1.malwaredomains.com/files/dynamic_dns.txt"|grep -iv "##"|awk '{print $1}' > /var/www/html/ddns.txt
Basically, taking the dynamic dns list and parsing into my own file. Simple, easy, moving on. I also have several other scripts to pull from other sources, however this will be the easiest way to express the idea. Don't use my scripts obviously, just there for concept art at best. In this case though, I am pulling my pre-parsed list and acting on it by attempting a domain lookup, designed for use with proxychains/torsocks/etc... and saving them to a database. This database will not update the latest copy, it will simply add a new entry for each time this happens. So, for this particular usage, its only good for searching for one of the domains, changes it has to it's resolutions, etc..

Now, to change it a bit further, because we want something newer. Something like hybrid-analysis' data set for their public feeds. Well luckily I'm lazy and have a cron job do the work for me so I don't have to login and pull it myself! Instead, I pull from my cached copy:

https://pastebin.com/raw/azruh6Vb

In this case, the idea is to proceed by collecting data, building the domain list to check from that data. This being in multiple functions will allow us to expand later. In the collection part of the script, I collect the feed data, write it to disk for searching for later, mostly for debugging or expanding. I don't want to append it when it reruns because I just want the last data in the raw file. Then it returns the lists of domains, ips, and file details. I use that to make a single database with all those points, cause those are all relevant. Than I use the domain list to do what we did originally: host lookups, into database.

At this point I'll leave the example scripts and propose an idea to play around with. This could be easily transformed to make databases such as the domains that no longer do resolve. If you could add that, and the md5 if relevant, you could theoretically find domains for the taking that already have traffic ready to go. You could also take it another route, using these domain lookups, build your own feed to pull from and host this on a docker instance somewhere, writing the data back to you multiple times per day. Maybe even integrate this into a siem for the most up-to-date /and/ historic domain resolutions. For that matter, create size limits for the database, setup logrotate to swap out these frequently to avoid spacial issues, track your own threat actors this way.

Now, relevance becomes tracking only a subsection of threat actors and only through their use of domains, perhaps you could take the md5s and make a system pull those down for more specialized analysis. Maybe take the ip and do a quick port scan (where applicable). Or use the ip addresses and run some osint such as passive dns, virustotal lookups, etc... to try to get some idea of range and scope of each part of what we picked out. Or maybe throw it all away because it's garbage. Maybe set it all to a stats engine (machine learning?) to build analysis pools it finds, such as timelines that changes happen which could better associate character traits of actors and managers of the c2 infrastructure? Regardless, with some degree of care/effort, you can use this as yet another tool to monitor with.

On another side of things:
- nmap and keras: because machine learning geared towards resolving most applicable/inapplicable ports/services/protocols
- miasm2, z3, and keras: because machine learning geared towards identifying traits in programming, using z3 to test the alternative methods, this could get ugly.
- you can expose people's ip when they search for a domain if the index page needing to be cached by google is larger than a specific amount. My 50mb index page lets me see when people google my domain. Correlating that to a specific user is largely based on abilities to see input, timelines, and repetition of the test. Using mewe and twitter and posting some links here and there, I believe I have found the home address of several people based on these factors. Not really relevant to much, just sort of neat to identify based on trivialities of influential factors. Best part is, researchers often fall victim to googling instead of accessing, but their googling is never hidden/proxied because they're too lazy to do the check. Pretty amusing actually.
- exposing calendar schedules of people can be done based on their ability to walk past you so long as their phones attempt to connect to bluetooth or wifi and openly probe for known wifi. In some cases, gsm/cdma/etc.. can be used instead. Cell phones are such fun tracking devices, even when not using phone services themselves to track the cell phones.
- phishing/marketing tricks can be used to get someone's location information from their phone without needing a gps lookup. Because allusions, websites, suggestive notions, and simple 0 pixel  tracking gifs. Who needs sdr to track someone anyway? :D
- simple reverse shell logic can be applied to other things. As such, in the format of classic bash reverse shells. You run the command interactive with the data of the interactive shell piped to a tcp connection to a host on a specific port, then pipe response data back into the interactive shell. You apply that to people for instance. with some expectation of humans being humans, you can largely still assume they will attempt to deceive or manipulate you because most people do these days. With that in place, you have your interactive internal dialog into their head. You have your pathway in, now what are you going to pipe into it? If you just pipe your own bullshit directly, it will probably refuse it because they block requests this way. So why not make a connection that you control, that they trust the activity of? If you really want control, a trick I learned from a very manipulative woman once upon a time: you don't have to play into people's desires, or their fears or angers, these are all too noticeable; you simply play into their personal activities that they think nothing about. For this, think about people drinking tea. They drink their tea every day. You have a stance to control their activities if you can get that tea before them. They are willing to put something caffeinated into their bodies every day, why not exchange it for something decaf? their reactions will be that same trigger state you wanted them in, but you controlled the occurrence of it. No need to wait or play shitty games. The person who taught me this used her being female as the trait she played most into because people are desperate for attention from such people. highly targeted human watering hole attacks are by far the very definition of sociopathic.
- I get bored and post things at this point mostly to appease a slight side of me that wants to see the world burn. I enjoy security but not preventing access. I love granting access to those who fight for it. I am okay with having someone else access my services, my facebook, my twitter, my computers. Its amusing sometimes. Just want them to be polite about it. ;)
- I will continue to argue that hacking is more than just breaking in, or breaking out. Forgive my 90s ideals but knowing about the world around you is much cooler than bragging about breaking into a server no one was paying attention to. Challenges? maybe 1v1 on public internet with public services? No? But people want things to be real world yet they only want to red team? This is the systemic problem with hacking cultures today as I see it. People want to break in, or break out, while learning, altering, negating, controlling, abusing, or monitoring seems to be outside of these "hackers'" mindset. If you really want to learn cyber security, you can your friends setup servers and hack eachother, every way you can learn how. forward shells, reverse shells, rootkits, whatever. get it, make it happen, learn how every piece works. Just like you would if you and your friends got an nes in 1984 and you can't afford another game yet. 2018 and your switch, your xbox one, your ps4, all sit there either uncracked, unused, or using the same public exploits someone else released. But that's okay, you hack to learn. It's part of the learning cycle. This is the essence of hacking, not some bullshit legal terminology.
- What? blackhats? why the fuck do people still use this term the way they do. I can understand people who abuse moral grounds to being blackballed by those who don't. But lets be real, have you see white hats? "grey hats?" Its no longer about the morality of their actions, it's about their legal stance. This argument dates back as far back with blackgate bbs at least, if not substantially further. Legality does not make morality. Moral judgement is part of human development and not some legal hammer to be swung around. Yet we see here, if someone goes to jail for breaking into something they wanted to learn about, we now days call them blackhats, as well as blacklist every activity they've ever done. Every site they've been on that doesn't fit in with normal clearnet publicity: blackhat, underground, etc... etc... Why do we call them black hats when they have no need to be blackballed? Or do people not understand the terminology of using black in this context? (re: I saw a twitter where a guy tried to say blackhat just like blackball was a negative connotation to black people, so I honestly believe many people do not understand the concept). Even if they do understand, "dem black hat haxxors sellin' card info and blah blah blah" okay experian, tell me again about these blackhats selling my stuff when you sold it to them first. Oh, validation and accreditation are really just cliches used to make people think a compliance check means they're trust worthy. blah. Just please people, stop using terms of hats. Whitehats are insanely immoral as part of their day to day and they get praised like kings and queens. For everyone else, they try to uphold a moral ground and get arrested, fired, threatened, or physically harmed for doing so. When you tell me a blackhat is immoral I can honestly say I know more trustworthy and respectful individuals flagged as blackhat than I do who claims a white hat.
- I wonder if there is a repository of machine learning identifications of program characteristics somewhere. Hmm.... That would be pretty sweet.

-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour

Comments

Popular posts from this blog

Lessons

You say you want syndication kid? Well whoop-de-do

How I see the world