Hak5 Forums
No_Body

So I pissed off the feds ...


That is a long story, but now I am in some mindfuck program. These guys are like nothing I could ever even contemplate, but they are funny, by which I mean if they're gonna kill me they might as well be humorous about it. So what they do is watch you a while, then in no uncertain terms let you know they have been watching; some of the stuff they do is actually pretty funny. Like one time I fired up Wireshark, then all this shit started pouring out like I was being hacked, all these names of well-known exploits and then even more obvious shit like in big bold upper case letters "***KERNEL PANIC***", etc. I freaked for a split second and then was like, wait a minute, Wireshark doesn't report exploit names and kernel panic and all this other shit. Then I noticed they had put my Wireshark in random packet mode and were inputting packets from a named pipe. Fuckers. But they do it just to let you know they are right there beside you on your computer to fuck with you. 

So another thing they want me to think is that they put cameras in my place. So I nmap my network and lo and behold 4 unknown devices with port 554 (rtsp) and 7070 (realstreamer) open, must be IP cameras. So I head into monitor mode and fire up airmon-ng, no radio traffic from these devices. Traceroute said 2 of the 4 were directly connected to my router and the other 2 went through a defense contractor who shall remain nameless, I saved a ZenMap scan of it and they edited the nameless defense contractor out, and then stopped any of those servers from responding to ICMP requests. They edited the contractor right out so it looked like all 4 IP cameras were directly connected to my network then shut off my internet, when it came back all of a sudden traceroute wouldn't return anything beyond my router. So I bought a Raspberry Pi and have been using that, but still they own me and enjoy fucking with me, but I think they want me to get the hint that maybe my demise might be accelerated if I share who is watching. 

So onto the question, I nmapped 192.168.*.* and found my devices and the 4 alleged IP cameras. However when I add the -Pn switch and scan 192.168.*.* I get about 37MB of results all looking like this (recently they just added Skype port (1863)).

It seems setting --max-retries 1 gets you a good solid wide scan to get a good sense of the network. I don't know if --min-parallelism helps, might be superstition, but with this I can scan 192.168.*.* in a couple of minutes on a Raspberry Pi.  

nmap -sS -T4 -v -Pn --min-parallelism 500 --max-retries 1 192.168.*.*

I find the above combo doesn't get "stuck" like you see sometimes when you do wide range scan that usually gets hung on a small 64 or 128 address block like this after a while... 

SYN Stealth Scan Timing: About 35.61% done; ETC: 09:35 (0:53:39 remaining)
SYN Stealth Scan Timing: About 36.66% done; ETC: 09:43 (0:57:50 remaining)
SYN Stealth Scan Timing: About 37.91% done; ETC: 09:53 (1:02:26 remaining)
SYN Stealth Scan Timing: About 39.47% done; ETC: 10:04 (1:07:30 remaining)

So the result is just 50 some odd megabytes of ...

Nmap scan report for 192.168.255.157
Host is up (0.0082s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
554/tcp  filtered rtsp
1863/tcp filtered msnp
7070/tcp filtered realserver

Nmap scan report for 192.168.255.158
Host is up (0.0061s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
554/tcp  filtered rtsp
1863/tcp filtered msnp
7070/tcp filtered realserver

Nmap scan report for 192.168.255.159
Host is up (0.013s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
554/tcp  filtered rtsp
1863/tcp filtered msnp
7070/tcp filtered realserver


Yes, thousands and thousands of devices allegedly looking like IP cameras (and now running Skype on 1863 for some reason, they weren't at first). But it's not just these; in the lower ranges I see some normal boxes scattered about, for example:

Nmap scan report for 192.168.53.128
Host is up (0.0060s latency).
Not shown: 973 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
23/tcp   closed telnet
53/tcp   closed domain
80/tcp   closed http
110/tcp  closed pop3
111/tcp  closed rpcbind
113/tcp  closed ident
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
199/tcp  closed smux
256/tcp  closed fw1-secureremote
443/tcp  closed https
445/tcp  closed microsoft-ds
554/tcp  open   rtsp
587/tcp  closed submission
993/tcp  closed imaps
995/tcp  closed pop3s
1025/tcp closed NFS-or-IIS
1720/tcp closed h323q931
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
7070/tcp open   realserver
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook


And now the moment you have been anxiously awaiting: is 192.168.*.* always considered my network? All my devices seem to be on 192.168.1.1-5. 

Consider the alternatives:

1.) They are fucking with me, they have a long storied history of fucking with me.

2.) I'm a retard and think 192.168.*.* is my network. I'm really just scanning random addresses. *But* then why are they all IP cameras with just 554,1863,7070 open? Are really the vast majority of random IP addresses cameras? I don't think so. I don't think. Like 99.9% of these have just 554, 1863, and 7070 open. 

3.) I really am on a network with thousands of IP cameras and some serious shit is going down.

Much fuckery is afoot is all I've managed to ascertain up until this point. So if some other grime sdobber wishes to step in and provide direction I'd be much obliged.

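Added example (not from the original post and not part of nmap): a short Python 3 parser for nmap's normal-output format, the one pasted above, that collapses identical host reports into one line per distinct port-state pattern and checks which scanned addresses are actually on the scanning interface's own subnet. Two points worth keeping in mind when reading a -Pn scan of 192.168.*.*: -Pn skips host discovery, so nmap prints "Host is up" for every address whether or not anything answered, and 192.168.0.0/16 is the entire RFC 1918 block, of which only the prefix configured on your own interface (commonly a /24) is on-link. Everything outside that prefix is forwarded to the default gateway, so thousands of addresses sharing one identical signature is usually one device upstream answering for all of them rather than thousands of distinct hosts. The sample output and the interface address 192.168.1.3/24 are constructed for the example.

```python
#!/usr/bin/env python3
"""Summarise repetitive nmap normal output and check which hosts are on-link.

Added example for this thread; not nmap's own code and not the original
poster's. It assumes nmap's default "normal" output format and uses the
hand-constructed sample below. The interface address 192.168.1.3/24 used in
the on-link check is an assumption for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in nmap normal-output format, mirroring the thread's results.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.2
Host is up (0.0010s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http

Nmap scan report for 192.168.53.128
Host is up (0.0060s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE
554/tcp  open   rtsp
7070/tcp open   realserver

Nmap scan report for 192.168.255.157
Host is up (0.0082s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
554/tcp  filtered rtsp
1863/tcp filtered msnp
7070/tcp filtered realserver

Nmap scan report for 192.168.255.158
Host is up (0.0061s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
554/tcp  filtered rtsp
1863/tcp filtered msnp
7070/tcp filtered realserver
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Older nmap prints "Not shown: 997 closed ports"; newer prints
# "Not shown: 997 closed tcp ports (reset)". Accept both.
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+)(?: \w+)? ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text):
    """Return {ip: {"not_shown": (count, state), "ports": {(port, proto): (state, service)}}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"not_shown": None, "ports": {}}
            hosts[m.group(1)] = current
            continue
        if current is None:
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            current["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"][(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return hosts


def signature(host):
    """Hashable fingerprint of a host's port-state pattern (latency ignored)."""
    default = host["not_shown"][1] if host["not_shown"] else None
    ports = tuple(sorted((p, proto, st) for (p, proto), (st, _svc) in host["ports"].items()))
    return (default, ports)


def group_by_signature(hosts):
    """Collapse thousands of identical reports into one entry per distinct pattern."""
    groups = defaultdict(list)
    for ip, host in hosts.items():
        groups[signature(host)].append(ip)
    return dict(groups)


def split_on_link(hosts, iface_cidr):
    """Partition scanned IPs into those inside the interface's subnet and the rest.

    192.168.0.0/16 is the whole private block; only the prefix configured on
    the interface is on-link. Everything else is routed via the default gateway.
    """
    net = ipaddress.ip_interface(iface_cidr).network
    on_link, off_link = [], []
    for ip in hosts:
        (on_link if ipaddress.ip_address(ip) in net else off_link).append(ip)
    return (sorted(on_link, key=ipaddress.ip_address),
            sorted(off_link, key=ipaddress.ip_address))


if __name__ == "__main__":
    hosts = parse_nmap_normal(SAMPLE_OUTPUT)
    for (default, ports), ips in group_by_signature(hosts).items():
        print(f"{len(ips):>6} host(s): default={default} ports={ports}")
    on, off = split_on_link(hosts, "192.168.1.3/24")
    print("on-link:", on)
    print("off-link (routed via gateway):", off)
```

To use it on a real scan, feed nmap's normal output (nmap -oN scan.txt ...) to parse_nmap_normal and pass the address and prefix shown by ip addr for your interface to split_on_link; a pattern that covers thousands of off-link addresses with identical states is the thing to explain before treating each address as a separate device.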

I'd burn it all down and move house, sounds like they've got you well and truly in their grasp and are unlikely to let go.

With pin hole cameras there could be one in every nail and screw head in your apartment and you'd never know unless the doors fell off the cupboards because they used cameras instead of nails, that might give it away.

I'd also stay off the Raspberry Pi, did you know that if you sum up the ASCII values of all the letters in the name you get 745 which is the year Kulun Beg died and I think we all know what that means.


Starting to think we need a creative writing section on the forums...


Definitely freaky stuff. Mind fu**ery is their middle name. On another note, every week I set a mousetrap I catch a mouse; there still seems to be a new one every week.

Edited by Bigbiz

On 9/14/2018 at 5:26 AM, No_Body said:

That is a long story, but now I am in some mindfuck program

I know I'm going to regret the lost hours of reading.... but I'm a curious soul.... so here goes...

What did you do to receive such treatment?

Edited by Just_a_User


Dismantle everything with circuitry; wrap in foil; put in giant box wrapped in foil, as far away from you as possible; keep an eye under your car; buy new phones with cash, no name attached; never use a USB stick on two different systems or after 7 days; SD cards with physical locking levers are your friend; so are friends with CD burners; Walmart and Office Depot computers/laptops with cash; before setup, remove BLE/WiFi chips; start them up away from home (library, mall, Panera Bread); return within two weeks for refund; make sure to change out vehicle head unit; anything with USB ports; move if possible; cancel internet if possible; all those parts in foil, liquidate it all; start a new hobby like photography; wait 2-6 months; rebuild your life with a smarter perspective. 

..This too shall pass..

Edited by Spoonish


If they aren't cabled you could just constantly spam deauth packets..that is, until they program them to ignore the packets.

On 9/16/2018 at 11:40 AM, Spoonish said:

Dismantle everything with circuitry; wrap in foil; put in giant box wrapped in foil, as far away from you as possible; keep an eye under your car; buy new phones with cash, no name attached; never use a USB stick on two different systems or after 7 days; SD cards with physical locking levers are your friend; so are friends with CD burners; Walmart and Office Depot computers/laptops with cash; before setup, remove BLE/WiFi chips; start them up away from home (library, mall, Panera Bread); return within two weeks for refund; make sure to change out vehicle head unit; anything with USB ports; move if possible; cancel internet if possible; all those parts in foil, liquidate it all; start a new hobby like photography; wait 2-6 months; rebuild your life with a smarter perspective. 

..This too shall pass..

A life of hiding..I do not envy the person who does this daily.

The thing is, the OP suggests he's currently connected to a massive WAN. We all know what we can do when we're on a network, right..

FREE INTERNET! (I knew someone was thinking it - but no).

I think one of the biggest stuff-ups they could make at this point would be making every camera they have get their IP from DHCP. I mean, can you imagine plugging your own DHCP server into their network and sitting back and observing the chaos..

Side-note: What kind of feds would do something this radical? Russian feds? English feds? Chinese feds?

Edited by Dave-ee Jones


Also, just FYI -

If you're concerned about speaking their company name or whatever and they specialise in IP cameras why would you

1. Scan your network with Nmap/ZenMap

2. Pull out an AP to put into monitor mode

3. Pull out a Raspberry Pi

All of the above is telling them "Hey, he suspects something".

It's not quite as dangerous as blurting out to the world who is doing this but it's still up there.

AND ANOTHER QUESTION:

How did you see anything on their network with Wireshark? You have to already be on their network to see traffic on their network, don't you? So how did you see any traffic at all to be suspicious in the first place?


This user is a drive-by poster... 

  • Content count: 1
  • Joined: September 13
  • Last visited: September 13

9 hours ago, i8igmac said:

This user is a drive-by poster... 

  • Content count: 1
  • Joined: September 13
  • Last visited: September 13

Doesn't mean much - it probably makes his post more legit honestly. Think about it, you get hacked you go post on a hacking forum to figure out what's going on.
