NPTs
DESCRIPTION
BSides Boston and RI 2013 Video (BSides RI: http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-the-booters-stressing-the-stressors-allison-nixon-and-brandon-levene)
TRANSCRIPT
![Page 1: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/1.jpg)
The Noob Persistent Threat
June 15, 2013
![Page 2: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/2.jpg)
Who are we?
Allison Nixon (@nixon.nixoff)
• Security Consultant
• Pentesting, Incident response
• Host on the Pauldotcom podcast
• SANS GCIA Gold certified
Brandon Levene (@seraphimdomain)
• Incident Handler/Incident Response for a Cloud Provider
• Malware + Vuln analysis
• Independent Security Researcher
• SANS Certified Pentester
![Page 3: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/3.jpg)
What is this Noob Persistent Threat?
• Script kiddies
o Sometimes financially motivated
o Sometimes hacking out of curiosity
o The lowest level of the criminal underground
o Low technical skills
o Often poor opsec
o Often frequent hacking forums
o Often American or EU citizens
![Page 4: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/4.jpg)
...but I don't have anything worth stealing...
Do you have any of the following:
• Credit or Debit Card
• Bank Account
• Paypal Account
• Medical Records
• Social Media Profile
• Computer
• Digital Delivery Account(s) (Steam, Origin, Xbox)
http://www.rsa.com/products/consumer/whitepapers/11634_CYBRC12_WP_0112.pdf
![Page 5: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/5.jpg)
The Noob Renaissance
2011 Discussion Topics
• Beginner Hacking/Tutorials - 25%
• Hacking Tools/Programs - 22%
• Website/Forum Hacking - 21%
2012 Discussion Topics
• Beginner Hacking/Tutorials - 28%
• *Hacking Methods - 5% (This is in ADDITION to Beginner content)
• Hacking Tools/Programs - 21%
• Website/Forum Hacking - 21%
Source: http://www.imperva.com/resources/hacker_intelligence.asp
![Page 6: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/6.jpg)
A Smattering of Services
List of Services Offered on the Underground
![Page 7: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/7.jpg)
Recognize
![Page 8: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/8.jpg)
Homework Service
![Page 9: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/9.jpg)
Ewhoring (GIRL = Guy In Real Life)
![Page 10: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/10.jpg)
Cash for Sale
...If you can get it
![Page 11: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/11.jpg)
Want some credit cards?
![Page 12: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/12.jpg)
Mattfeuter.ru Arrests
http://www.scmagazine.com/police-arrest-mattfeuter-site-operators-break-up-200m-carder-racket/article/296609/
![Page 13: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/13.jpg)
Carder Shops
• Just like any other shopping web app
o Shopping cart features
o Ticket system
• Buy credit card details, Paypal accounts
• Proxies are sold to bypass region limitations
![Page 14: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/14.jpg)
Bootershells
![Page 15: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/15.jpg)
Power of the Gods
![Page 16: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/16.jpg)
Fun for all Ages
![Page 17: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/17.jpg)
PedoStresser Rebranding
• Same Staff
• Same Paypal account
• Same font used in logo
• Crosslinked Ads to PedoStresser
![Page 18: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/18.jpg)
Booter source code
![Page 19: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/19.jpg)
Ragebooter Comedy Hour
![Page 20: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/20.jpg)
Going legit?
![Page 21: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/21.jpg)
![Page 22: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/22.jpg)
![Page 23: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/23.jpg)
Technical Analysis of Ragebooter
- Half the functions of the site didn't work
- C&C infrastructure could be discovered
- Username transmitted within attack data for no reason
![Page 24: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/24.jpg)
Sample Flood Packets
POST Flood
ARME
CVE-2011-3192
Username is transmitted for no reason
X-Forwarded-For information leakage
Obvious use of open proxies
Most flood options resulted in no traffic
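The three giveaways the slide lists (an X-Forwarded-For header that open proxies stamp onto relayed requests, the many-range Range header of the CVE-2011-3192 Apache flood, and a username riding along in the POST body) are all visible to the target in its own request capture. The following is an added example, not code from the talk: it parses constructed raw HTTP requests and reports those indicators, and then counts the origins the proxies leaked; the `user=` body field is an assumed format, since the slides only say a username is transmitted.

```python
import re
from collections import Counter

# Constructed sample requests (not captures from the talk): an HTTP flood that
# was relayed through open proxies, in the style the Ragebooter analysis describes.
SAMPLE_REQUESTS = [
    "POST /index.php HTTP/1.1\r\nHost: victim.example\r\n"
    "X-Forwarded-For: 198.51.100.7\r\nContent-Length: 14\r\n\r\nuser=attacker1",
    "GET / HTTP/1.1\r\nHost: victim.example\r\n"
    "Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6\r\nX-Forwarded-For: 198.51.100.7\r\n\r\n",
    "GET /about HTTP/1.1\r\nHost: victim.example\r\nRange: bytes=0-1023\r\n\r\n",
]

MAX_RANGES = 5  # Apache's CVE-2011-3192 advisory suggested rejecting requests with more

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def range_count(headers):
    """Number of byte ranges in a Range header (0 when absent or not bytes=...)."""
    value = headers.get("range", "")
    if not value.startswith("bytes="):
        return 0
    return sum(1 for part in value[len("bytes="):].split(",") if part.strip())

def flag_request(raw):
    """Return the indicators found in one request; an empty list means nothing stood out."""
    req = parse_request(raw)
    headers = req["headers"]
    flags = []
    n = range_count(headers)
    if n > MAX_RANGES:
        flags.append(f"range-dos:{n}")
    if "x-forwarded-for" in headers:
        # The open proxy recorded where it received the request from: that is the
        # flood's real origin, the very thing the proxy was supposed to hide.
        flags.append("origin:" + headers["x-forwarded-for"].split(",")[0].strip())
    m = re.fullmatch(r"user=([\w.-]+)", req["body"])
    if req["method"] == "POST" and m:
        # Assumed field name: the talk only says a username rides along in the attack data.
        flags.append("username:" + m.group(1))
    return flags

def origins_behind_proxies(requests):
    """Count how often each leaked X-Forwarded-For origin appears across a capture."""
    counts = Counter()
    for raw in requests:
        for flag in flag_request(raw):
            if flag.startswith("origin:"):
                counts[flag[len("origin:"):]] += 1
    return counts
```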
![Page 25: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/25.jpg)
Asylumstresser
• Another booter on the market (Deceased)
• Largely nonfunctional
o Only capable of reflected DNS and UDP flooding
• Made thousands of dollars anyways
• Accepts Paypal
• Protected by Cloudflare
• Run by children
![Page 26: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/26.jpg)
Asylumstresser Earnings Report
Earnings by month:
Oct-11 $26.25
Nov-11 $477.28
Dec-11 $884.69
Jan-12 $1,243.02
Feb-12 $1,614.64
Mar-12 $1,349.52
Apr-12 $855.14
May-12 $1,438.89
Jun-12 $1,658.80
Jul-12 $1,403.94
Aug-12 $1,666.36
Sep-12 $1,812.30
Oct-12 $2,662.95
Nov-12 $3,915.85
Dec-12 $3,983.47
Jan-13 $4,109.29
Feb-13 $3,403.34
Mar-13 $2,875.81
Grand total: $35,381.54
• $23,604 earned in 2012 split between the owner and several support staff.
• The database did not record any chargebacks, fraud, fees, or server costs, so the take home pay is much lower
• Conclusion: get a real job
![Page 27: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/27.jpg)
Asylumstresser Earnings Report
• Analysis of customer base
o Many gaming server admins
o Ironically, some of these admins have blogged about getting DDOSed. Are they taking up arms themselves and starting a cyber-war?
o Self-described gamers
o Very elite hackers
o I even found one connected to a police officer in Florida
No e-mails will be published because we have not ruled out stolen paypal accounts
![Page 28: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/28.jpg)
Additional Services
Cloudflare "resolver"
Oh, you mean the nmap dns-brute script?
nmap --script dns-brute www.foo.com
http://nmap.org/nsedoc/scripts/dns-brute.html
![Page 29: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/29.jpg)
Skype Resolver (API)
Searching for Skype resolver "source" will generally result in something akin to the script above.
![Page 30: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/30.jpg)
The "api" consists of a modified Skype binary (cleartext logging enabled) located on an HTTP-accessible server, generally a cheap VPS.
Here's the script that parses the API request and pulls the results from the plaintext logs.
![Page 31: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/31.jpg)
twBooter (aka Bootertw)
• This one made the news several months ago
• Allegedly used by hacker 'Phobia' to ddos krebsonsecurity.com while he swatted its owner
• Database was leaked containing evidence of the launched attack
• Database contained logs of 48,844 attacks launched in two months' time
![Page 32: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/32.jpg)
twBooter (aka Bootertw)
• We were able to correlate different parts of the database to find out:
• Which account was used
• Their IP
• Their user-agent
• When the attacks occurred
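The correlation the slide describes is a join across the dump's tables: the attack log names an account and a time, and the login table is what ties that account to an IP and a user-agent. The following is an added example and not the speakers' own tooling; it builds a constructed stand-in for such a dump in SQLite (the table names and columns are assumptions) and, for each attack on a target, attaches the most recent login that the account made at or before the attack, keeping attacks that have no matching login rather than silently dropping them.

```python
import sqlite3

# Constructed stand-in for a leaked booter database (not the twBooter dump itself):
# accounts, login sessions that recorded IP and User-Agent, and the attack log.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE logins (user_id INTEGER, ip TEXT, user_agent TEXT, ts INTEGER);
CREATE TABLE attacks(user_id INTEGER, target TEXT, method TEXT, ts INTEGER);
"""
ROWS = {
    "users":   [(1, "user_a"), (2, "user_b")],
    "logins":  [(1, "203.0.113.9",  "Mozilla/5.0 (Windows NT 6.1)", 1000),
                (2, "198.51.100.3", "Mozilla/5.0 (X11; Linux)",     1500),
                (1, "203.0.113.42", "Mozilla/5.0 (Windows NT 6.1)", 5000)],
    "attacks": [(1, "victim.example", "syn", 900),    # launched before any recorded login
                (1, "victim.example", "udp", 1200),
                (2, "game.example",   "udp", 1600),
                (1, "victim.example", "syn", 5200)],
}

def load(rows):
    """Build an in-memory SQLite copy of the dump so the correlation runs offline."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, records in rows.items():
        placeholders = ",".join("?" * len(records[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({placeholders})", records)
    return con

# For every attack on the target, take the account that launched it and the latest
# login that account made at or before the attack time. The LEFT JOIN keeps attacks
# with no usable login (ip/user_agent come back NULL) instead of hiding them.
QUERY = """
SELECT u.username, l.ip, l.user_agent, a.method, a.ts
FROM attacks a
JOIN users u ON u.id = a.user_id
LEFT JOIN logins l ON l.user_id = a.user_id
  AND l.ts = (SELECT MAX(ts) FROM logins WHERE user_id = a.user_id AND ts <= a.ts)
WHERE a.target = ?
ORDER BY a.ts
"""

def attacks_on(con, target):
    """Return (username, ip, user_agent, method, timestamp) rows for attacks on target."""
    return con.execute(QUERY, (target,)).fetchall()
```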
![Page 33: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/33.jpg)
Jacking
• Identify gamertag
• Identify owner
• Use sites like spokeo or ssndob.ru to find owner's details
• Call service provider in order to reset password
• ???
• Profit
This technique can be used to social engineer any company and abuse their customers.
Famous case: Mat Honan August 2012. "How Apple and Amazon Security Flaws Led to My Epic Hacking"
![Page 34: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/34.jpg)
The Krebs Cycle
1. You SWAT Brian Krebs.
2. Brian Krebs finds out everything about you, your family, and your friends.
3. SWAT team visits your house. (optional: DDOS his website because he made you mad)
![Page 35: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/35.jpg)
The Krebs Cycle
• We were informed that 'Phobia' was suspected
• Phobia left a lot of information laying around
• Youtube channel full of bragging. "RealTeamHype"
o Full of information leakage
o Allowed us to find some of his friends
o Profile the programs, operating systems they use
o Profile them by voice
o Their VPN providers
• Phobia has been doxed before
• E-mails can be linked to Facebook
• Hackforums.net, Forumkorner profiles
![Page 36: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/36.jpg)
Counter Booters?
![Page 37: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/37.jpg)
OSINT for Bads...
...or why I love poor OPSEC
![Page 38: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/38.jpg)
Maltego is Awesome
![Page 39: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/39.jpg)
![Page 40: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/40.jpg)
Abuse of Legitimate Services
Paypal: “While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”
-Paypal (In response to Brian Krebs' article) http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/
Cloudflare: "I do find it troubling when there are extralegal measures taken to determine what is and is not going on," he said, in an apparent reference to the investigation by Krebs, Nixon and Levene. "How far do you go with that, if someone assumes XYZ shouldn't be on the Internet? Should Google remove them from their search index?" he asked. "We believe in due process," said Prince.
-Cloudflare CEO (Matthew Prince) http://www.itworld.com/it-management/357306/legitimate-online-services-enabling-ddos-attacks-hire-sites
![Page 41: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/41.jpg)
“Extralegal?”
![Page 42: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/42.jpg)
TOP SECRET
It's like PRISM, but lame.
![Page 43: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/43.jpg)
Tying it Together
![Page 44: NPTs](https://reader034.vdocuments.us/reader034/viewer/2022042715/5598999f1a28abfc0d8b457e/html5/thumbnails/44.jpg)
Questions?
Allison's perfect specimen