How I see the world

April 9, 2019

I would like to express a few minor words in the only format I know how. Plain text. If you're here for infosec stuff, I'll get to that towards the bottom. Philosophy before technology.

When talking with people recently, a feat I rarely perform anymore, I found myself questioning why they would consider me smart. I have no college degree, I am not a master in some form or fashion. I'm just another kid who studied the world around him. In retrospect, when you know more than the people around you, in one topic or many, you appear wiser than you are. As for me, I see that the only way to live life is without the mindset to mimic or clone. People say the smarter ones can use fewer words, and in this I am vastly closer to idiotic. But I have a problem with leaving things unexplained. In one example, I was asked to explain an issue. To most this seems like no problem; they just explain what they know. For me, I explain what I know and how I know it, ways to prove and ways to resolve. This isn't what's wanted. I am not a corporate person, I am a real person. I say corporate as a reference to one of the common reasons to explain in the best format: to keep getting the best jobs. But this isn't for me, I am not a reporting type. Being told from childhood to remove or falsify evidence, smile and wave, doesn't sit well with log everything, report in format. While I have no intention of going back to where I once was, corporate things aren't my fancy. I support i2p over tor and clustering over load balancing. If that makes any sense, I don't even know.

I was asked about calendars, the seasons, and how people once tracked seasons if various places have deviant seasonal or even daylight timelines. To answer this, I first went to explain that they need to first stop believing our calendar system is factually accurate. The scientific basis of any part of our clocks, calendar, or even days of the week is more a reference to fact that was set as a standard, instead of maintaining factual records and keeping people up to date on that. In primary schools, we do not teach people these things, and this is largely held as an academia practice to start people learning that everything they've been taught wasn't necessarily true but instead accepted as true. Our calendar system used for most of the world today is not the first, last, or most accurate system. Further, when it was developed, we knew much less about the earth's rotation or its orbital pattern compared to now. Knowing that the arc in which earth orbits the sun, or the fluctuation in speed of its own spinning, wasn't known when developing any part of our measuring of time today, is the first step to knowing how people understood seasons before they became standardized the way this is today. Then I referred back to Greek mythology and common works like the Iliad. When voyaging in Greek times, either by boat or by land, it was common to blame gods for sudden storms, a land that was forever dark, etc... These references we can see today and ask ourselves if that could have been due to the axis change at the time placing the area they found in darkness, or if it was actually some act of a deity that caused the exact same situation as what could be described better today as common. In such places, there must be a change in what crops are planted compared to places that have more sunlight or places that have more heat.
Before standardized calendars, farmers took into account many aspects, changes in trees, waters (tastes, tides, fish population, rain, etc...), in order to choose what would work best to keep the most crops alive. So while some understanding of cycles in the world may have been present back then, to this day the most accurate way to understand seasonal changes is to do farm work. Because the accuracy is based on many more traits than just a day that some people set as the "official start of ____." Now, the biggest reason for that, many of us know, is the equinox, or equator-matching sun comparison; however, go check out the accuracy of that determination. You will find that there are numerous scholars to this day debating this because there are a variety of changes to the earth's spinning, like a crooked top in space. lmao. It's never been only one cycle, it's shifting. This continues to cause people problems and many mathematicians have given corrected calculations based on the latest info. Still, if it's actually March 21st at 8pm on whatever time zone, and it's calculated to be 4pm on the same day, that's a reasonable degree of accuracy because we already have a standardized clock system, and calendar system, we'll just place it wherever it fits best.

Now I'm not trying to mock anyone's profession, but at a core level all things are this basic. My intention in explaining this is to show that I do see things at this basic level even in astrophysics. Explaining a different example, I was having a night time discussion with a close friend and we were discussing how vacuum cleaners aren't as useful anymore. Due to this, we discussed where the motor and blades sit in order to pull air. He mentioned having multiple fans in the hose line that would allow it to work better with the design idea of moving air into the tube to create the suction. At first I believed he was saying to put them all in line with each other and went over how the air from one would need distance or to be power-offset from the other, or the next blade wouldn't really be doing anything to benefit the amount of pressure on the hose in line. So my idea was to apply electric motor theory (see wikipedia I guess) but with the air-gap being instead thin plastic, to place the actual motor in the line and impact air flow that way. We discussed this a bit and made fun of old 70s vacuums as being still better today than newer ones despite the lessened need for belts these days. As you can potentially see, these types of conversations just sort of happen, frequently, by comparison to the amount of conversations I have. Everything from intercepting satellites because we're bored, multiplexing cable lines, or quantum physics. PS: quantum physics is philosophy of physics, fight me.

I've spent a lot of my time in my life on bbs, i2p (freenet before that), or other things typically hidden. I like to learn little things here and there about everything. The most common conclusion for any topic is that it isn't hard to understand, but takes effort to master. My goal was never to be a master of any tradecraft, or a mentor of any knowledge. But knowledge today is damned near illegal. So here's a series of interesting facts.

  • Red oleander can be ground up and used as poison. One specific study estimated around 82mg of the chemical oleandrin, which was for their test about 6 inches worth of root ground up to extract, would be enough to kill an average 200lbs man regardless of dilution. 6 inches of oleander root grows in nearly per month if you don't want to kill the tree, prior to that if it's okay to damage the tree. it's spunky, it will return even if you chop it down. don't worry. 
    • While oleander poisoning is ridiculously obvious, it and most poisonous plants aren't actually tested for unless you mention you have these plants around. Go on, eat a leaf, puke up your guts, go to the hospital and get some pepto. This is america's medical system. 
    • oleandrin decays rapidly, if killed from it, you have to nearly hope mucus bound a sample somewhere to prove it after a week of say, dropping a body and their boat into a lake because of sabotaged boats and not expecting them to make it back to shore. 
    • Using things like aloe (plant), you can make a container for this chemical which will slowly absorb into the body but not rapidly enough to be found a problem. you'll have lots of stomach issues like I did as a kid (not to blame poisoning on the reasons why I had all sorts of issues as a kid, but you know... I don't not suspect it), but you don't die until it builds up enough then have a sudden spike. 
  • Jimsonweed or as I always called them, moon lillies (they open up for the moon, what did you expect?), much like red oleander, can be found all over the united state yet not immediately tested for unless the first round of medications they give didn't work. So, fatal overdosing once is enough to not be questioned. 
  • The perfect spot to kill someone is from the spouse stand point. After all sorts of csi and shit like that everyone sees omg they'll blame the spouse every time. Problem is they would have to want to investigate it. Someone throwing up a lung because various alkanoids were put into their line of breathing is a terrible thing. Sadly, with no children or relatives who care, such as for druggies, it will be assumed blamed on the meth and you collect life insurance. wait about a month after the death certificate to ask the insurance company anything. for good measure. 
  • They say you can immunize yourself from poisons in a manner that's effectively homeopathic. While I don't know the truth of that, I loved the smell of jimsonweed growing up.
  • Muliplexing a cable line to bring cable to you as well, you run the issue of still needing a device that matches an expected device on the network. So go say hi to your neighbor and eyeball their router. 
    • To detect someone cloning and multiplexing a line, they may see double registration times to the network. So cut off your neighbor's network and plug yours in. Then bring them both back up at the same time. same time frame, appears more as a duplicate request because first one failed. They may try to push a router update to you. Luckily you fake that because you don't use their real routers. Right? 
    • They can still tone the lines and find the multiplexer, if they tone from there to find your shit, stealing cable is a federal crime yo. 
  • Satellite! So, take any dish and hook it up to a tv tuner or sdr, because you sure as hell don't want to play with the old card-based boxes right? Maybe the newer ones you can do eeprom flash to? whatever. Get control and point it toward the equator and scan. Many people where I live say approx 4 fingers up from the south horizon. Now that you know where I live because of that lets move on. 
    • cards were always easy to hack, just tell it to approve things. The reader they gave workers are out there but you can use your own almost the same way you can a credit card
    • eeprom is eeprom. Go to any diy site. you'll understand. 
    • decryption >:( 
      • service based decryption is a pain in the dick. luckily, z3 and computer vision has come to our rescue. Using the service setup on any box from (pick your service), you can find whatever service you want and test until you find which possibilities work with input to get a picture that's recognized as potentially something known (where computer vision comes in). 
      • disclosure: pretty sure you can still be tracked by this, ask your local ham radio operator and they will discuss how stupid this idea is.
      • also: fuck it, do it anyway. Except i'm not actually encouraging that because in some places that would be illegal. Take this as a joke. 
  • I probably should have said this first, reverse engineering isn't a single technique but a manner of thinking about or understanding things. Take the satellite example, in order to know how to decrypt we have to identify the decryption scheme. Luckily, it's given to us all we need to do is basically brute it with constraints. How do we know how to use the cable lines to get cable or how to spoof to get them to not notice? How do we clone cell phones or abuse towers to track people's movements between active towers? We learn how it functions. In many cases, this is reflective. We see the results and have to find a way to deduce the origin in order to replicate.
  • Espionage: because reversing is hard yo! hehe. The benefit of spying, stalking, monitoring, etc... other than cheap voyeur thrills or making money, is that you can learn a lot by simply letting things happen and seeing them. With humanity by seeing the way people act when no one is watching, with computers by letting them run, with new technology by watching how it's controlled, or with software by watching it through a debugger. It's all functionally the same in the end. You have access to something and are spying on it. Don't you secretly love it?

Okay, I've sort of gotten off track but you get the point right? Right? Well, let me restate, this is the way I think about life. Everything in life. Even math is easy because 73-28 = (-5)+50 = 45 (3-8 = -5, then 7-2 = 5 with a zero added to match the place value). This is easier for me than 73-28 = (13-8=5),(6-2=4) = 45. Which is still easier than how kids are taught now, which is (70+3)-(20+8), (70-20=50)-(8-3=5). If that last one looks stupid to you, it did to my kid too. Because it is.

Now here's where I fail: there are a lot of math ideas and mechanisms that I don't know. Because it is still a growing field I do hope people can continue learning it. There have been many mechanisms and theorems overwritten several times due to eventually being disproven as completely functional in all situations. The part that bothers me about that, however, is that unless you're monitoring white papers and doing research frequently, you don't know the latest and most up-to-date studies and techniques. This is true of the medical profession, psychology, computer science, chemistry to some extent, whatever. While I have seen people brag about their scholarly time, they forget to keep themselves updated in academia. Others who do keep themselves there occasionally find themselves looking down on those who don't. It is to this point I would like to discuss another topic. Virii.

When I was a wee lad, or well, like 10 lol, I came across some bulletin boards that discussed writing viruses. At the time, the reference they had was a particular bbs server that also had open-to-all irc, including making channels. So of course, irc virii right? Well, my first few attempts were largely batch files that dumped data they found, then loaded it into a series of comments, with my side holding onto the comments. Absolutely 0 encryption or obfuscation, or anything. Then again, I'd never actually heard the term obfuscation until I had a real job. Prior to that, it was all about krypting, which seemed like more effort than it was worth usually. After reading a few more long winded text files, I added in some features, like waiting for a specific user to respond with commands to perform. But I always hated the batch start:/end: nonsense; I basically just caused it to reopen itself and run the same like 6 things, including one attempt at (run whatever the latest command in chat was, from command.com). You can see why this would have been an absolutely trash way of doing things, especially by the time this was still being used in the winderps xp days. I actually made more batch script virii, including ones that propagated in fun manners, than I had anything else. I've tried c, c++, visual foxpro, python (2 and more recently 3), java, etc... never really liked c#/vb/vbs though, and java... I don't do that again. But it was just easy to make a quick one time batch virus and run it then and there. At one point, there was a keylogger that was written for windows 2000 that I found out ran on windows 98 better, but I want to say that was like back in old packetstorm days. Back when milw0rm was important. haha. Anyway, back then people liked using the phrase virii instead of virus being plural or saying viruses, and to this day I'd like to remember that as the important days of virus writing.
When a batch script meant you had access to anything from banks to major businesses to cameras showing corruption at your local schools.

Why is this so important? Because today scholars, businesses, and researchers otherwise are using powershell for viruses and still calling virus writers evil scum of the earth. Welcome to 1998 boys and girls. Today, we will be writing a very basic backdoor in Go, then compiling to wasm. For example purposes that is. Nothing more.

I've actually been meaning to give a good example of the ease of this at some point anyway, so let's do this.

  • To start with, we're going to quickly google because we don't know shit about this language other than it compiles to wasm, so let's google for "go reverse shell"
  • We don't give a shit about being script kiddies (that's why you've made it this far in my babbling isn't it?), so let's go ahead and just straight up clone their script.
    • I'm going to use nano, and open test.go as my file to write this to. 
    • going to change the net.dial part to be my host:7000 because it seems like a fun number.
  • Uh oh, I don't know how to compile to wasm, back to google. 
    • I'm making this super easy for ya: https://www.sitepen.com/blog/compiling-go-to-webassembly/
    • okay so I need to install go via brew. Damn it, brew isn't installed, luckily I get this pretty little warning that says to run "apt install linuxbrew-wrapper"
    • damn it can't run as root, but that's the only user I have!?!?!
      • I checked /etc/passwd, apparently postgres has a shell associated. Fuck it, i'll compile with postgres
        • ps: don't do this, make a new user for fucks sake, or google how to run brew as root.
        • there are other ways to install go as well, google harder.
      • I should say, I just did this the more appropriate way and used the tar file, ran from extracted version
        • root@docker:/test# GOOS=js GOARCH=wasm go/bin/go build -o test.wasm
        • root@docker:/test# ls
        • go  go1.12.3.linux-amd64.tar.gz  test.go  test.wasm
  • Next we're going to load this into a webpage. Luckily for all of us, we already have the reference for that over on the sitepen site, which basically says Go comes with a premade version. There are other (google it) and easier ways to load wasm (again, for the love of god google it), but this is the easy mode example.
    • root@docker:/test# cp go/misc/wasm/wasm_exec.* /var/www/html/
    • root@docker:/test# mv test.wasm /var/www/html/
    • root@docker:/test# nano /var/www/html/wasm_exec.html (in case you need to change the wasm file pointed to; default I believe is test.wasm)
  • Now to test it by going to this with a browser.
    • the default one didn't work for me, run function failed. I edited it to force the run function to always run. 
    • had to wrestle with a series of script blockers I had too so I just went to my phone instead
  • https://www.virustotal.com/#/file/d5491b3122cd22dd64a3c8f2220adec29534d34bf606588f0f5ef6143d92cfa9/detection

There you go everyone, easy, cheap, backdoor everything. (Disclaimer: permissions limit the capability of this working, script blockers that block wasm will keep this from working, script blockers that block js will keep this from working, etc... but let's face it, the importance here is that I can get limited shells on cellphones with nearly 0 effort. haha)


This sort of shitty virus writing is important for a number of reasons when investigating malware.
  • Many malware samples you'll find, including people bragging about their super custom fud blah blah blah, do this exact pattern in order to add on features they feel are needed. Sometimes, playing with python, I add features like sniffing instead of port binding, or import data downloaded from c2 so I can always customize on the fly (also keeps filesize down. python is big). But sometimes I'll see msf or Pupy have features I like in their interface, so needless to say I just grab it. Not even the same language? Who cares, it's all about functionality that I'm jacking for what I'm doing now.
  • scripting languages are able to be bound to other languages, so a 20 line script turns into 20 byte shellcode, or 3mb wasm. (lol)
  • Pretending like virus writing itself is hard is foolish. It's a matter of implementing techniques for your audience, that's the kicker. A file that 0fills itself and drops a completely unique version next time is sweet, but what if you never have to have a file to begin with and either update someone else's file (like registry persistence updates registry files) or maintain a network persistence that lets you rejoin when you want (like hijacking the ram on a printer to do your dirty work every time it sees the computer rejoin the network).

But now here's the fun part. With time, the file I uploaded to virus total will be available to everyone through their sharing services. You can find my c2. You can find lots of other goodies, if you dare. So with that, I'll leave this alone on a final thought. If we know how different services and operating systems set up packets deviantly, such as through nmap or p0f, if someone had a copy of scapy, what are the chances they could just fake everything? Fake os, fake ftp, fake webserver but real content, hmm... What if one file simply ran all of these things as a reason to fuck with you? Can you detect it? You'll normally know best when exploits work, because only the real ones should give you the right responses back, I'd assume. Honeypot methods to play with some other time, but I guess, what if you intentionally provided services to get responses that tested os fingerprint techniques? Almost as fun as testing if nmap is scanning versus masscan.
