03/10/13

Finding the Bad Guy’s in Tor -triangulated irregular network

gAtO ThInKiNg - a car GPS works very simple, It takes the delay time from one geo-positioned satellite and compares is to another geo-positional satellite and estimates the position of the GPS in my CAR – I think they call it satellite triangulation or something cool, it’s been done with radios to guide pilots navigate ever since they developed radios. We do it with satellite and we can use networks too.

triangulated irregular network  -So now apply this to the Tor bad guy’s websites- a hidden service!math_clouadTag

With a simple command you can get the time it takes to crawl a website, so you have one server in the U.S one is South America, one in Europe and one in Asia and we run the same command getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors told me that in my crawls I was capturing timing information, we all see timing information with a simple ping command in the clear web but in Tor – UDP is unsupported so it does not work -//- we must take into account the Tor network thru-put and utilization bit that’s easy to get from a number of Tor tools.

Reverse triangulation of a network server should be easy to find with a little math, just take a good sample and the longer you wait the more data you collect and the better the chance you can find a geo-location of a website. We do this in the clear web all the time we can see bad areas of the world that are bad spammers, and other like mail from Africa Prince Scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know geo-location and some IP are more prime to bad actors and we can draw a profile, a geo-location of a place and/or  country or an ISP so not having the IP of a Tor server may not be neededto find them we could use network triangulation. “triangulated irregular network  ” So the same thing can be done with networks and timing delays of data back and forth from a // client <–> Tor OR <–>server.

I got a crazy Idea that may or may-not work, but it sounds good—//  so— Now if I can only find a government grant and a good math major to help out and we have a big business model to find the bad guy’s geo-location even in Tor - gAtO oUt…

03/1/13

Currency of the Cyber Economy

gAtO tHiNk- the bad evil hackers are the least of your worries, the real bad guys are the corporate geeks that want every click, every nuance of your digital life and they tell you it’s to give you a better web experience. WoW I didn’t know that selling all my information as I go from site to site is a good thing for me. How about if I’m sick and search for my medical problems will my insurance company want that information to raise my payments. You betcha they do!!!

I’m doing some Tor work now so I’m away from the hump and grind but I been changing my search engines because like google they know what I look for and they give me the same crap and then I switch to yahoo and soon the have me profiled then Bing, whoa!!! what a mistake but I expected very little from them anyway. They were robbing us blind back before Netscape days.

Think about those high tech security geeks they get paid big bucks to guard the hen house and you hear about a new hack every other day why because if you understand the “book” the same one every security geek get’s all those certification all teach the same old done thing and that’s their job to take the masses and control them but the ones that think for themselves are the true pioneers, the ones that dance to a different drum. Look I don’t have any certifications anymore and I know more today about the Tor network than most people around. That’s what interest me and that’s what I like.

The currency of information economy is going swell and the big corporate boys are all for selling everything you do so use Tor and be safe and have a little privacy. Be different and use the tools that work for you and keep your digital breadcrumbs to yourself. I know your not doing anything wrong and you don’t have to prove it to anybody. People say if I use Tor then people will think that I’m a bad guy. Oh Me, Oh My do you really care about other’s control of you. It’s a propaganda war just to keep you afraid of Tor because with it they cannot sell your data. Don’t sell your click for free make them earn them -gATO OuT

11/6/12

Dutch government to give law enforcement authorities the power to hack into computers. This also means hidden servers on tor

gAtO ThInK - It’s time to fight back and tighten the security!

The Dutch government wants to give law enforcement authorities the power to hack into computers, including those located in other countries, for the purpose of discovering and gathering evidence during cybercrime investigations.

The Dutch government wants to give law enforcement authorities the power to hack into computers, including those located in other countries, for the purpose of discovering and gathering evidence during cybercrime investigations.

In a letter that was sent to the lower house of the Dutch parliament on Monday, the Dutch Minister of Security and Justice Ivo Opstelten outlined the government’s plan to draft a bill in upcoming months that would provide law enforcement authorities with new investigative powers on the Internet.

According to the letter, the new legislation would allow cybercrime investigators to remotely infiltrate computers in order to install monitoring software or to search them for evidence. Investigators would also be allowed to destroy illegal content, like child pornography, found during such searches.

These investigative powers would not only cover computers located in the Netherlands, but also computers located in other countries, if the location of those computers cannot be determined.

However, if the investigators can establish that a computer of interest is located in a foreign country, they will have to ask for assistance from the authorities in that country.

In his proposal, Opstelten used a case in which investigators from the Dutch National Police infiltrated “hidden” Tor websites that hosted child pornography, as an example of a situation in which the geographical location of the computers couldn’t be determined.

The Tor network allows its users to set up so-called “hidden services” that are only accessible from within the network using special addresses. When accessing such a service, a user’s connection is routed through several random Tor nodes, which prevents him from determining the real Internet Protocol (IP) address of the server hosting the service.

The Dutch police investigation referenced by Opstelten in his letter took place in August 2011 and two of the infiltrated Tor websites were hosted on servers located in the U.S.

The new legislation will provide strict safeguards for the proposed investigative powers, Opstelten said. Law enforcement authorities will only be able to exercise such powers when investigating offenses that carry a maximum prison sentence of four years or more and only after obtaining authorization from a judge, he said. Furthermore, all such actions will be automatically logged and the logs will be accessible for later review.

Cybercrime is a serious problem that needs to be tackled, but the proposed measures are not the right ones and they pose a serious risk to cybersecurity, Ot van Daalen, the director of Dutch digital rights organization Bits of Freedom, said Friday.

First of all, allowing police investigators to hack computers in other countries might encourage other governments to introduce similar legislation, but not necessarily with the same limitations, van Daalen said. “This could escalate into a digital arms race.”

The proposed legislation would create an incentive for governments to keep software vulnerabilities secret because they would need to exploit those vulnerabilities to attack systems used by cybercriminals, van Daalen said.

There are already security companies and independent researchers that sell zero-day exploits — exploits for unpatched vulnerabilities — to governments instead of reporting the vulnerabilities to vendors. In addition, some governments have openly admitted to developing military cyberoffensive capabilities.

Van Daalen believes that expanding the potential use of such exploits by law enforcement agencies will help the zero-day exploit market grow, which in turn will result in fewer vulnerabilities being reported and patched.

Governments could also pressure vendors to delay fixing vulnerabilities, van Daalen said. An example of this was when the Dutch government convinced Microsoft to delay the blacklisting of the DigiNotar digital certificates on Windows computers in the Netherlands for a few days in order to allow the government to take measures, despite the fact that the issue represented a security risk for all Windows users in the country, he said.

“There’s no doubt that there’s already a growing (and disquieting) market in the for-fee disclosure and exploitation of vulnerabilities, and this proposal could certainly further legitimize it: the possible advantages in terms of action against criminals (leaving aside ethical objections) have to be balanced against the likely, deleterious effects on the community of Internet users as a whole,” said David Harley, a senior research fellow at antivirus vendor ESET, via email on Friday.

Harley agrees with van Daalen that the proposed legislation could have a global impact. “It’s not possible to guarantee that the effects of these measures will be restricted to criminal elements: if the proposal succeeds in its present form, collateral damage in terms of the application of monitoring and attack technologies could be worldwide,” he said.

“Is it really feasible to take this approach effectively without breaching the sovereignty of other states? Even if agreement could be reached with other states on international legislation, does this proposal take into account the quid pro quo of giving foreign agencies such sweeping rights of access to the systems of its own citizens?,” Harley asked. “It seems to me that there’s a parallel here with the fact that many in the U.S. seem quite happy with alleged cyberespionage and sabotage against Iran yet show surprise and discontent that those claims have been used as justification for similar action by other nations.” - gATO OuT

 

09/24/12

Dark Heart botnet ToR-C2 BULLET proof server collector

gAtO fOuNd - this –// it’s crook selling to crooks take it at face value -/ but it does have some interesting ideas on what is out there in criminals hands and what is going on in the dark web. Now these are 10,000 yes 10k botnets can work in the clearWeb as well as Tor and i2p anonymized networks should cause some concern because normally we don’t monitor them.  Tor Domain-flux for both clearWeb and Tor – ( Tor Domain-flux- this is so easy to do but it’s a big feature) – VPN then Tor that will make this harder to find the botMaster. But the coolest feature is the i2p connection. Sorry boy’s and Ladies but Tor is getting old, i2p is beginning to glow and it’s a little different but very safe. It goes after (scanning)  WiFi and GPS tracking – So people sync your phone data to your computers data please…C&C and // one- BULLET proof server collector -

It not very hard to do this but – C&C and // one- BULLET proof server collector – is the sales pitch anyway I have obfuscated some links and names -find it your self – I know gAtO can build this so anyone can with some light reading – that comes out to .80 cents per bot for 10,000 bots -0ne c&c panel for $8,000 bucks – pretty cheap – oh yeah the readme comes in english too.

This modified Dark Heart bots and c&c in Tor ?12p ? 256-EAS encryption- We already have reports of it by different names but this was posted around Aug 7 2012.   Here is the –/ poor mans –Tor Domain-flux is so easy when you generate a hidden service it produces a key for your address in Tor onion land / just move the key to another directory and generate your new net key and so on and so on… Some of this is really well though out —/ but I don’t trust anyone and it’s so easy to build from scratch- gAtO oUt

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———

Dark Heart botnet— NOT – for sale $8000

Run on windows clients – I need 3 C&C server IP addresses to hardcode and obfuscate

bot coded in assembly no dependencies

Each build has maximum of 10k bots to ovoid widespread av detection.

Basic bot uses socks5.

built in ssh client

(fast-flux)

Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into common file using stenography process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly /tor and i2p Plug-ins C++ /Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server Note the Ukraine is best know.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server.  / Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.  / Server uses a simple .onion panel with php5 and apache2 and mysql. You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth. A python Daemon runs and unzip the data and Imports it into a mysql database were it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database database is decrypted on .NET panel (Note must real Bullet Proof hosting is not trust worthy this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt database folder on true crypt. Commands are sent to bots individually rather then corporately like most bot nets. This allows for greater anonymity It will be possible to send commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)

2.Social network cracker. (Beta)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi attenas.

Starts an automatic attack if wep if wpa2 grabes handshake. If open starts basic arp spoofing attack. Common browser exploits. (alpha)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (Extra- Alpha)

Each Panel is hwid

1 unique build per Copy embedded into panel.

Everything is provided in English only manuals for setup: you need 3 servers for C&C and // one- BULLET proof server collector for -/ everything is working and can be setup within hours: Only serious players -  for sale $8000 -bitcoin – (obfuscated )1A9nBLgdhf4NJadXiBppqqU96AhbMBQrgV -

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———

 

08/6/12

Anti Forensic Tales from the gAtO

gAtO iS -a gRaY hAt thinker- so the Forensic investigation world looks different to me than normal people let me explain. On linkedIn I am having a great discussion about offensive security to go after the people that hacked you and it’s overwhelming the white hats play by the rules. gAtO is happy with that for 2 reasons one I am glad that people in this profession have honor, integrity and do the right thing that speaks volume for our field. The flip side is out of the box thinking is not included in security mindset so bad guy’s can get around thing better because they don’t follow the rules. The rules are our guide for civilize interaction in cyberspace but we need to look at the gray area were most bad guy’s operate.

“power is not only what you have but what your enemy thinks you have”

First off in any forensic investigation the first thing that you go for is the firewall logs and/or every log that you can get your hands on to find the attackers to your network. The bad news with new encrypted network protocols such as Tor-.onion network my entry point is useless to an investigator unless you have access to my exit node, you really cannot find my ip let alone a VPN or as the saying goes behind 7 proxies. 

Hackers sometimes leave digital breadcrumbs for the forensic investigator to extract all kinds of information about the attacker, so overwriting metadata on everything I leave behind is a simple deterrent to you finding my were about what version of word I used or user name and a few more details -metadata information leaks so much information about the users unknown to the average Jane/Joe. When we turn this around, we apply metadata scarping to my target corporate website I can get all sorts of information, user names, directory structure, email and all sort of information can be gathered by attackers doing revers forensic on the target. This is why anti-forensic is such an interesting subject and we are only scratching the surface.

If we get into your system we can make sure that we do secure data deletion on any device that stores information that I play with including the logs if I can, I just make sure that I follow protocol like -DoD standard 5220.22-M.- data deletion and you will be hard pressed to find anything I left behind. One thing I may point out today’s hackers use miss-direction and anything left behind could be something to throw your investigation off. I may miss-direct and leave digital breadcrumbs tracks back to were I want you to, to blame my enemies or a friend -mEoW. This is a newer pattern that has surfaced in hacktivist today.  

One of the new defensive posture is to let cyber-criminals steal decoy files. 

Of course if we do write something into your devices I will make sure it’s encrypted (ex: AES 256), today there are so many ways to encrypt data or obfuscate my code to make life really hard for investigators. Of course add Steganography to the mix and it’s a whole new game, it may make it more challenging for you but it will hide my actions very well. The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion.

Another aspect to hackers today is in knowing cyber law. In the forensic market we are sometimes limited to our scope of work due to legalities of the discovery and/or due-diligence, the lawyers set the parameters on what can be seen and what cannot be touched. It’s lawyer stuff, I don’t understand it – but it restrict proper cyber forensic reporting when they tie the cyber forensic investigators hands. One of the new tool for the Judicial sector in crime fighting that is scary is the “forensic cyber psychologist” these guy’s can detect criminal actions and understand criminal minds (wOw were can I get my PhD). So what your trying to say is “you gotta think like a crook to catch a crook” we all know that. But these Forensic Cyber-Psychologist can predict crime thought?? Remember the movie the “Minority Report” were they would arrest you for what you were thinking, that’s scary stuff for the judicial department to bring out. Lot’s of power in one person, I just don’t feel comfortable with that one.

Power is not only what you have but what your enemy thinks you have, and today hacktivist are a new breed of hackers they Make it personal, and make it big.…, and make it loud.??? Misdirection by planting data that the forensic investigator will find can often be a rouse to mis-direct and control your offensive movements in the investigation. Activist groups -:It should come as no surprise that hacktivist motives differ sharply from the mainly money-driven masses of active cyber-criminals. Also unlike other types of threat agents, hacktivists do not typically hail from Eastern Europe and Asia. Those behind most of the breaches are from Western Europe and North America. 

Hacktivist targeted data-dense assets like databases and web applications and often stole much more at one time than other types of threat agents. Also fitting with that goal was their interest in personal information and authentication credentials, which they stole far more often than anything else. This is a new more intelligent hacker credentials can give that trust-to-trust relation that companies need to do business so stealing this object is a new level of sophistication of attackers in the hacktivist world.

A (Verizon 2012 DBIR report) In terms of the vectors through which hacktivist attacks took place, web applications win hands down (65%), while remote admin services like ssh were a distant second (18%). Hacktivist stole more certificate which is a little more sophisticated attacker. Take your local linux administrator at work, guess what he knows??? she/he knows how to protect your system and they know the  basic flaws// we deal with the patches and fixes and work-arounds every day in the life of an administrator – working late into the weekend with no credit… -basic security 101 be nice to admin people they know too much shit…. —// Add a social -cyber Fame-/ element to this administrators life // and these are the real (insider threat) cyber leaders of the hacktivist movements. They are smart, and they have a social heart in the new cyber generation. It is interesting to note that two of the four incidents in the (Verizon only) dataset that met our “High” difficulty criteria were attributed to activist groups. All of these attacks were, unsurprisingly, considered to be targeted rather than opportunistic.

sudo mEoW- mEoW >>| gAtO will now get off the hacktivist hackers soapbox now —

Further obfuscation -old fashion data padding

If I want to make things more interesting? If you want to keep your data from being discovered, or at least make it more difficult to be detected, you could add padding to your hidden secret. In this technique, detection is thwarted by the addition of bogus data, basically muddying the waters and making the detective determine what is the real data and what is not. Of course, it should be noted that padding additional data increases the likelihood that someone will look in the first place for hidden information. access timestamps and other details to watch. One major reason is that anti-malware and anti-virus software updates the last access time on files as it examines them.

Let’s not forget generic data hiding that is invisible like Host Protected Areas (HPA) and DCO (device configuration overlay) yes I do know that this data can be extracted but if we apply some of the anti-forensic policies above this data may become useless.

Disk imaging, Data Recovery, Disk Analysis, metadata extraction and network forensic these are the basic global forensic tools that we use to look at attacks and in most cases they work, and will help you find the information that you need, to find out what cyber criminal did and werethey came from. But beware one method does not apply to all – black hats, elite hackers, script kiddies, noobs, blue hats, hacktivist, state actors and commercial criminals “one size does not fit all”, think critical:

-gAtO oUt

References:

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

steganography image – it has a secret message – I used iSteg program and the password is -password what else from a security gAtO

Firewire reads windows 7 memory leave it to Microsoft.

One thing I found out while doing research for this post was reading memory of a device to get passwords and such information – FireWire has access to physical memory – So I can write a little code (too late found one written already- open source) in linux box and plug into any Windows machine thru the firewire port with a cable and and —>>> read all memory so there are way to get around and grab the admin password too. Plug and play they say. bypass Windows 7 memory users access / firewire memory access..

 

Today with a simple TorProject.org Tails a USB bootable Tor Program –  I can do my work and never leave a trail to follow and that can make life hard for any forensic investigator.