Reverse hacking "botnet"


Bountyhunter50

Hey all!

So, shenanigans as usual. Have any of you gotten the random instant message "Hey! So I love you, but I want to give you a gift on cam. Here is my url..." and so on and so forth, or some horsecrap similar to such?

I'm wanting to try and "reverse" hack them, and see who the... person is and give them a taste of their own. Not sure if this is a topic-appropriate discussion; figured it was worth seeing if it was.

Any ideas would be great.

Chat program in question or protocol in use? Depending on what is used, you can try Wireshark to see if you get the other person's IP, but in most cases you only get the chat program's server IP that you both connect to or proxy over.

Best bet is to not reply at all though (since it's just straight up spam), or block their nick, since some attacks only require viewing the message or profile for them to be able to attack you over some clients, so just reading the message or viewing their profile to see who they are can trigger an attack. Back in the day, spamming people on AIM was rampant, and for the most part benign unless you clicked links they sent you, but if you thought to go view their profile, there were some tricks like "aol:somelinkstuff" type links you could add to your profile that, when a victim went and viewed it, triggered and executed code on your machine, so just be careful whatever you do. Best to block, or report the username if anything, since these are usually drive-by, random name generator spam bots that don't care what you reply to them and won't really get you anywhere.

When you first mentioned bots, I was thinking like botnets or something, but instant message chat bots that spam are pretty common, and unless it's a real person at the other end intentionally screwing with you, it's like hitting your head against a brick wall. Painful, not too smart to play along. Not a whole lot you can do. Depending on the chat program though, some of them have old school punt programs that can kill a user's connection or knock them off the chat, but most of the time they end up being viruses or backdoors to your own computer, so I wouldn't recommend trying one that claims to punt users off chat clients. You'd be better served researching the chat client's protocol, finding bugs in the chat client itself and seeing if it's possible to fuzz it with data to make it crash, and if so, see if it can be done remotely, like between two virtual machines with the same chat client and having them speak to one another: try sending data to the one VM and see if you can crash the other client with data sent to it using the same chat protocol.

At least if you wanna try something like this, use a VM that you can delete afterwards, and make sure it's on its own IP range and such. Maybe run Wireshark on the traffic of the VM (from another box, not the VM itself). Maybe that way you can try and catch the connection the virus will make towards his C&C, and partly the protocol. The only real way to get inside a botnet is to crack the communication protocol they use, and nowadays it isn't done in 1, 2, 3.

Bummer, yeah I figured there wasn't much I could really do, that would be worth any time that is. I guess if I want to have any fun (like how you said) I could Wireshark them and fuzz like a wild animal and see what happens. Not much, if any. Regardless, thought it was worth a shot :)

AOL was fun... :)

Original Shenanigan days? That's where I started learning about computers! Result of those days: learned how to build firewalls and port scanning B) Many other things... but that's a different story.

Yeah, I'd say set up two VMs, see if you can intercept the traffic, and if you can push any data onto the receiving end and what it does to the receiving VM chat client. Only issue is, if they connect to a central chat server, it might get blocked or filtered if not in the expected protocol, user agent, and format they want, so it requires some digging into it. Most chat clients these days also encrypt most everything except for a few older clients and protocols, although some have addons for secure talk over the same client platforms. For example, AIM used to be sent in the clear; today I think it's encrypted (haven't used it in a while), but I know Pidgin implements the AIM chat protocol and I think lets you also chat with encryption on if the other person is also using Pidgin (don't quote me on that). https://developer.pidgin.im/wiki/ThirdPartyPlugins#SecurityandPrivacy

That's what I'm gonna try to do. I have a Win7 VM, I'll get a BT5 VM going (Backtrack 5, too many abbreviations there) and play around with it. On the brighter side: I did get Wireshark to function on my iMac (OS X Lion) and I was able to snag an IP. The protocol was pretty much encrypted going out, except for a few messages here and there. However, I did a whois on the IP and it came back as a local IP (local being within my city), so either they're spoofing or it's part of a trace route to hide their backs.

By the way, I'm trying to do this via Yahoo IM, but I'm running Adium on my iMac. Should have probably disclosed sooner.

It's possible you saw your own IP.. lol

Check it against ipchicken.com to be sure ;)

5 weeks later...

I read the topic to this and was immediately interested. I am a big fan of hunting botters. Some of them make it really easy too. The number one thing you want to do is honeypot and sandbox anything you can get your hands on from the botnet. Get as much intelligence from them as you can, because they always do thoughtless things like hardcode a password into the bots, or connect to a C&C that isn't public.

This topic also reminded me of a video I put out through Ballast Security a little while back, about exploiting a pBot RCE to destroy a whole botnet. DigiP did the music for this one I'm pretty sure.

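A defender-side way to act on the sandbox advice in this thread (capture the VM's traffic from another box, then pull intelligence from whatever the bot reaches out to): this added script, not code from any poster here, takes a constructed list of the VM's outbound connections and flags destinations outside the expected chat-server list that are contacted at near-regular intervals, the check-in pattern a C&C beacon tends to show. The server address, the flow records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical chat-server address (the IP you usually end up seeing, per the thread).
EXPECTED_SERVERS = {"203.0.113.10"}

def group_by_destination(flows):
    """Map (dst_ip, dst_port) -> sorted connection timestamps."""
    groups = defaultdict(list)
    for ts, ip, port in flows:
        groups[(ip, port)].append(ts)
    return {key: sorted(times) for key, times in groups.items()}

def gaps(timestamps):
    """Seconds between consecutive connections to one destination."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def interval_regularity(timestamps):
    """Coefficient of variation of the gaps (0.0 = perfectly periodic);
    None with fewer than three connections, since that gives under two gaps."""
    if len(timestamps) < 3:
        return None
    g = gaps(timestamps)
    m = mean(g)
    return pstdev(g) / m if m > 0 else None

def beacon_candidates(flows, allowlist=EXPECTED_SERVERS, max_cv=0.2, min_hits=3):
    """Destinations outside the allowlist contacted at near-regular intervals."""
    found = []
    for (ip, port), times in group_by_destination(flows).items():
        if ip in allowlist or len(times) < min_hits:
            continue
        cv = interval_regularity(times)
        if cv is not None and cv <= max_cv:
            found.append({"ip": ip, "port": port, "hits": len(times),
                          "mean_interval": round(mean(gaps(times)), 1)})
    return found

# Constructed sample (seconds, dst_ip, dst_port): chat-server traffic, one web fetch,
# and a check-in to an unknown host roughly every 60 s.
SAMPLE_FLOWS = [
    (0, "203.0.113.10", 5050), (7, "203.0.113.10", 5050), (31, "203.0.113.10", 5050),
    (12, "198.51.100.7", 80),
    (5, "192.0.2.44", 6667), (65, "192.0.2.44", 6667),
    (126, "192.0.2.44", 6667), (185, "192.0.2.44", 6667),
]

if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_FLOWS):
        print(f"candidate C&C {c['ip']}:{c['port']} every ~{c['mean_interval']}s ({c['hits']} hits)")
```

Anything flagged is a lead for the protocol-cracking work the thread mentions, not proof: jittered beacons or long sleep intervals need a longer capture window and a looser threshold.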
Yeah, that's "Menace on the Blue", a song we recorded back in like 1998. It's on our CD - http://www.cdbaby.com/cd/twistedpair

Edited by digip
