Message-ID: <7157921.20050314233512@phreaker.net>
From: mastah at phreaker.net (Egoist)
Subject: Botnets and tracking and busting scriptkiddies

Hello Dominique,

Monday, March 14, 2005, 11:13:33 PM, you wrote:

DD> I think it was a great paper and very informative on the basics. I have
DD> had some experience with tracking down bot-nets and have found some
DD> techniques and methods that are very useful when it comes to shutting
DD> down a bot net and tracking offenders.

DD> On a few occasions I have used the following tracking and stalking
DD> methods to hunt the script kiddie in its natural habitat. Keep in mind
DD> these are very basic but useful.

DD> Detection
DD> The second you notice network traffic that is over IRC ranges of ports
DD> 6000-7000 or suspect a bot, a sniffer is your friend. Ethereal is a good

Smile here.

DD> choice to use to obtain the address of the destination hacked server as
DD> well as channel passes. While normally I would recommend disassembly of
DD> the infected file/bot, more and more bot authors are using things like
DD> Morphine and custom cooked-up encryption schemes/packers to keep their
DD> bots from being taken apart, thus keeping you from the juicy hardcoded
DD> passwords and channel keys within.

DD> So 9 times out of 10 the best way to capture the IP address of the
DD> master server and the channel names and passwords is via sniffer. Now,
DD> once you have the IP address of the master server (the IRC server all
DD> the bots are reporting to), the best thing to do is do an ARIN
DD> http://www.arin.net

DD> lookup and see who owns it. Most of the time you will find it is a third
DD> party who has also been hacked and has no idea why their server is
DD> running so slow. Immediately contacting abuse for their net provider is
DD> a must.

DD> After, and only after, contacting the proper authorities and the company
DD> that actually owns the machine being used as a master controller, if you
DD> have the permission of the second victim company to gain access to their
DD> server to help with tracking the offender, your best bet for gathering
DD> intel is to impersonate one of the bots in question!!!!

DD> To do this you will need the following:
DD> 1. A good IRC client
DD> http://www.mirc.com
DD> Make sure to turn on logging and time stamping for both channels and
DD> private conversations.

DD> 2. The server IP and the nick the bot is using when it logs in,
DD> as well as the channel key and channel name.
DD> These can be obtained by sniffing outgoing traffic.


DD> Now here comes the fun part.

DD> Power off the bot-infected machine and assume its IP address.
DD> Do a /server victim-ip-server
DD> Now pay attention to the message of the day.
DD> Make sure your nick is set to that of the bot.

DD> This will give you the IRC server version,
DD> how many users, how long it's been up (i.e. how long has this machine been
DD> owned), what commands it supports, and most importantly whether or not it
DD> masks IP addresses. In the case of masked IP addresses, i.e. some versions
DD> of Unreal ircd, there are crackers and ways around this.

DD> Now simply do a /join #badguyschan key
DD> The first thing you want here is the topic, which will tell you what the
DD> handle of the attacker is and what date he set up this bot net.
DD> If he is in channel do a /uwho and a /dns to get his IP to hand over to
DD> the victim companies and/or the feds for a quick crucifixion.

DD> If said bad guy is not there do a /list to see other channels
DD> to join. Also, putting him on /notify is a good idea.
DD> Other useful ideas are a /whowas.

DD> However, if you get something like a masked IP, which will look like
DD> badguy@...34tnefgnei4t (garbage string here), you have 3 options:

DD> Leave it to the sys admins to look through their logs for connections to
DD> that port range at that time, or

DD> Look for an exploit that allows you to unmask the IPs
DD> (Unreal ircd has been known to have a few of these), or try a little
DD> legwork:
DD> join several of the larger IRC servers like EFnet, DALnet, Undernet etc. in

DD> separate instances of mIRC with the bad guy's nick on notify and keep
DD> doing /whowas for his and variations of the bot nicks.
DD> With his nick on notify for all of them, from here it's just a matter of
DD> waiting for his login to DALnet or EFnet, which don't have IP masking, to
DD> coincide with his login to the infected system, then do a /dns on the
DD> other network and voila, you got 'em.

DD> However, if there is no IP masking on the victim machine's IRC server,
DD> you just do a /who badguy and then a /who *botnamevariant because
DD> bots usually end up sequentially numbered after their initial name,
DD> i.e. flooder12234, flooder122345 and so on, and not only have you caught
DD> the script kiddies in question but you also now have the IPs of all the
DD> folks who are infected as well to help the proper authorities clean up
DD> the mess.


DD> Dominique Davis aka Mister Mojo 
DD> PivX Solutions, Inc.


DD> Qwik Fix Pro is now available for purchase:
DD> http://www.pivx.com/qwikfixPurchase/

DD> -----Original Message-----
DD> From: full-disclosure-bounces@...ts.grok.org.uk
DD> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of phased
DD> Sent: Monday, March 14, 2005 9:22 AM
DD> To: full-disclosure@...ts.grok.org.uk
DD> Subject: Re: [Full-disclosure] Re: Know Your Enemy: Tracking
DD> Botnets(ThorstenHolz)


DD> no they didn't, shit paper, nothing new, absolute crap just publicity
DD> bollocks

DD> -----Original Message-----
DD> From: David Jungerson <david-jungerson@....de>
DD> To: full-disclosure@...ts.grok.org.uk
DD> Date: Mon, 14 Mar 2005 16:26:39 +0100
DD> Subject: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets
DD> (ThorstenHolz)

>> 
>> You guys did a tremendous job!
>> 
>> (Go away, trolls!)
>> 
>>     David Jungerson
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://www.secunia.com/
>> 

PivX again. Shit, I will never even look at your "solutions" after this
so "professional" article.

-- 
Best regards,
 Egoist                            mailto:mastah@...eaker.net
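An added example, not part of Egoist's reply or Dominique's quoted post: a short Python triage script that applies the detection step described above (flag outbound traffic in the 6000-7000 IRC port range, pull the master server, channel and key out of the captured client-to-server IRC lines, and spot the sequentially numbered bot nicks). All flow records, addresses, nicks, channel and key below are constructed sample data.

```python
import re

# Constructed sample data: (src, dst, dport) flow records from a network
# sensor, and the client->server IRC lines captured on the flagged flows.
FLOWS = [
    ("10.0.0.12", "198.51.100.7", 6667),
    ("10.0.0.15", "198.51.100.7", 6667),
    ("10.0.0.20", "203.0.113.9", 443),
]
IRC_LINES = [
    "NICK flooder12234",
    "USER flooder12234 0 * :flooder12234",
    "JOIN #badguyschan s3cr3tkey",
    "NICK flooder12235",
    "JOIN #badguyschan s3cr3tkey",
]

IRC_PORTS = range(6000, 7001)           # the port range the post watches
NICK_RE = re.compile(r"^NICK\s+(\S+)")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)(?:\s+(\S+))?")   # channel, optional key
SEQ_NICK_RE = re.compile(r"^([A-Za-z_]+)(\d+)$")       # prefix + trailing number

def suspicious_irc_flows(flows):
    """Flow records whose destination port falls in the IRC range."""
    return [f for f in flows if f[2] in IRC_PORTS]

def c2_candidates(flows):
    """Distinct destinations of the flagged flows: the master-server IPs
    to run through an ARIN lookup and hand to the owner's abuse contact."""
    return sorted({dst for _, dst, _ in suspicious_irc_flows(flows)})

def extract_c2(lines):
    """Nicks used at login, and channel -> key pairs, from sniffed IRC lines."""
    nicks, channels = [], {}
    for line in lines:
        m = NICK_RE.match(line)
        if m:
            nicks.append(m.group(1))
        m = JOIN_RE.match(line)
        if m:
            channels[m.group(1)] = m.group(2)
    return nicks, channels

def sequential_nick_families(nicks):
    """Group nicks that share a letter prefix and differ only by a trailing
    number (flooder12234, flooder12235, ...), the bot naming pattern the post
    describes; families with a single member are not reported."""
    families = {}
    for n in nicks:
        m = SEQ_NICK_RE.match(n)
        if m:
            families.setdefault(m.group(1), set()).add(int(m.group(2)))
    return {p: sorted(v) for p, v in families.items() if len(v) > 1}
```

Feed real flow records and captured IRC lines into the same functions; the channel key, not just the channel name, is what the sniffer step in the post is after, so `extract_c2` keeps it alongside the channel.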


