Introduction:
As you know, it's been a while since I wrote a tutorial, and the Hackers group rules say that we all need to make a bit more of an effort, so I decided to write a useful tutorial here.
Ok, enough talking, let's get started!
I will show you how to analyse a virus in order to obtain the desired information (in this case the IP address, port, no-ip host and other useful details), which can help you track down the "Hacker" and perform a Counter Attack on him.
Required:
- SandBoxie (Download here!)
- Process Hacker (Download here!)
- RAT or some DDos tool (You'll have to find this on your own.)
- Network Miner (Download here!)
- Brain
ABOUT:
SandBoxie:
Sandboxie is a sandbox-based isolation program developed by Invincea, for 32- and 64-bit Windows NT-based operating systems. It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying the local or mapped drive. An isolated virtual environment allows controlled testing of untrusted programs and web surfing.
Process Hacker:
Process Hacker is a free and open source process viewer. This multi-purpose tool will assist you with debugging, malware detection and system monitoring. It includes powerful process termination, memory viewing/editing and other unique and specialized features.
Network Miner:
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble/rebuild transmitted files, directory structures and certificates from PCAP files.
The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.
Ok, now I assume that you already have a virus (the infected file, i.e. the server). Right-click on it and press "Run Sandboxed".
After that, go to the Sandboxie window, and you will see a dropped file named "vbc.exe".
Next, open Resource Hacker and go to the Network tab. Scroll down a little and you will see a file named vbc.exe (the backdoor). That's exactly what we needed!
Next to it you will see the port number: 642
So we found the port; now we need to find the IP address, and then we can start our counter attack!
To find the IP address, open NetworkMiner and click Start. After a few minutes click Stop, and look at the host list below to find the suspicious host or IP address.
Now we have found the IP address and the no-ip host.
IP: 115.253.111.204
Host: denis01.no-ip.info
Now, with all this information, we can do two things:
- Report his no-ip host to the administrator for abuse, so all the bots on his RAT will be gone!
- Perform a Counter Attack and DDoS him (with some powerful DDoSer, or with RAT slaves).
1. Reporting his no-ip host to the administrator:
No-IP takes abuse on its network seriously. To report a violation of our Terms of Service, please email abuse@no-ip.com.
Give them as much information as you have, like his no-ip host and IP address, and if you can, take a screenshot as proof.
Note: Please only submit one report. Multiple requests may not be responded to.
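To make the analysis and reporting steps above concrete, here is an added example (my own code, not the author's and not part of Sandboxie, Process Hacker or NetworkMiner) that takes the kind of connection list you read off the Network tab and NetworkMiner's host list, flags the dropped process talking to a public IP or to a dynamic-DNS host, and formats the evidence the abuse report needs. The connection records and the list of dynamic-DNS suffixes are constructed assumptions; only vbc.exe, 115.253.111.204:642 and denis01.no-ip.info come from the tutorial.

```python
import ipaddress

# Constructed sample: rows as you would copy them from Process Hacker's Network tab
# and NetworkMiner's host list: (process, remote_ip, remote_port, resolved_host).
SAMPLE_CONNECTIONS = [
    ("chrome.exe",  "142.250.74.46",   443, "www.google.com"),
    ("svchost.exe", "10.0.0.2",         53, ""),
    ("vbc.exe",     "115.253.111.204", 642, "denis01.no-ip.info"),
    ("vbc.exe",     "115.253.111.204", 642, "denis01.no-ip.info"),  # beacon retry
]

# Dynamic-DNS suffixes to treat as suspicious. no-ip.info is the one from the
# tutorial; the others are No-IP suffixes added as an assumption, extend as needed.
DYNDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".no-ip.biz", ".ddns.net")

# Processes the sample dropped in the sandbox (vbc.exe, as seen in Sandboxie).
DROPPED_PROCESSES = {"vbc.exe"}


def is_private(ip):
    """True for RFC 1918 / loopback style addresses, which are not C2 candidates."""
    return ipaddress.ip_address(ip).is_private


def is_dyndns(host):
    """True when the resolved host name ends in one of the dynamic-DNS suffixes."""
    return host.lower().endswith(DYNDNS_SUFFIXES)


def find_c2_candidates(connections):
    """Return unique (process, ip, port, host) tuples that look like RAT C2:
    a dropped process talking to a public IP, or any process whose remote host
    resolves to a dynamic-DNS name. Duplicate rows (beacon retries) collapse."""
    seen, hits = set(), []
    for proc, ip, port, host in connections:
        key = (proc, ip, port, host)
        if key in seen:
            continue
        seen.add(key)
        dropped_to_public = proc.lower() in DROPPED_PROCESSES and not is_private(ip)
        if dropped_to_public or is_dyndns(host):
            hits.append(key)
    return hits


def abuse_report(hits):
    """Format the evidence (host, IP, port, process) for the No-IP abuse email."""
    lines = ["Dynamic DNS abuse report (RAT command-and-control):"]
    for proc, ip, port, host in hits:
        lines.append(f"  host={host or '-'} ip={ip} port={port} process={proc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(find_c2_candidates(SAMPLE_CONNECTIONS)))
```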
2. Performing a Counter Attack:
Note: If you want to perform a successful Counter Attack with RAT slaves, then you must have a lot of slaves. Remember, the more slaves, the more damage will be done!
For example, if you have Dark Comet RAT like I do, right-click on your slaves and go to: Extra Broadcast Commands > DDOS Functions > UDP Flood.
A small window will appear in which you need to enter the IP address and port. And of course, we have all that information! Now type 115.253.111.204:642 and click OK, then type how many seconds you want to DDoS for, and that's it!
Well done, you have performed a Counter (DDoS) Attack!
But if you don't have any RAT or slaves, I suggest you obtain a good DDoSer.
Thank you for reading this tutorial!
-=_ Cyber Warrior _=-