How many requests is too much?
-
2018-11-06 at 12:26 AM UTC
You need a giant bot net. Basically, what you do is portscan IP ranges looking for ports which can be either hacked to gain root, or are already wide open from some previous attack. Once you have several hundred of these boxes under root access control, you can set up hidden services and programs and servers and such on those "mules" and "pipe" the traffic between your own box and all the third-party mules. That way each machine is unique, and there is no way to draw any correlations. It's very easy to do.
-
2018-11-06 at 12:29 AM UTC
I have used an automated program to make thousands of accounts in a short amount of time.
-
2018-11-06 at 12:31 AM UTC
Originally posted by -SpectraL You need a giant bot net. Basically, what you do is portscan IP ranges looking for ports which can be either hacked to gain root, or are already wide open from some previous attack. Once you have several hundred of these boxes under root access control, you can setup hidden services and programs and servers and such on those "mules" and "pipe" the traffic between your own box and all the third-party mules. That way each machine is unique, and there is no way to draw any correlations. It's very easy to do.
Do you keep a stack of flash cards with generic infosec words and phrases on your desk for these occasions?
-
2018-11-06 at 12:34 AM UTC
Things really haven't changed all that much. There are still literally millions of machines out there which are wide open. It's amazing the things you find while scanning.
-
2018-11-06 at 12:46 AM UTC
Originally posted by -SpectraL Things really haven't changed all that much. There's still literally millions of machines out there which are wide open. It's amazing the things you find while scanning.
>current year
>scanning yourself
There are 10 IoT/web scanning services online. In fact, there's an NSE script that takes your Shodan API key as an argument and checks Shodan before even touching anything else when you run an Nmap scan.
You're not wrong. But I doubt you are capable of doing what you describe. It's your lucky day though, I made a thing; it scrapes 3 of those services for IPs related to anything you might like. Have an API key on me bro. You can find the thing where I keep all my cool things.
-
2018-11-06 at 1:30 AM UTC
My method is so much easier. Using a high-speed port scanner with "half-open" capability, you can scan literally thousands of IP addresses on multiple ports and get a very nice results list. Most compromised machines are running under known TCP/UDP port numbers.
-
2018-11-06 at 2:01 AM UTC
Originally posted by -SpectraL My method is so much easier. Using a high-speed port scanner with "half-open" capability, you can scan literally thousands of IP addresses on multiple ports and get a very nice results list. Most compromised machines are running under known TCP/UDP port numbers.
Everyone has Masscan. Using your Shodan/Censys/ZE account is much quicker; it doesn't even have to be your account, I gave you an API key for ZE.
What does "half-open" capability even mean?
-
2018-11-06 at 8:38 AM UTC
Originally posted by Sophie I just realized that if you have a bot create thousands of accounts on some website and have it mirror those accounts in a DB you keep locally you could probably scam some DB traders by selling the "unique" DB to them.
Hah, I wonder if that's how they verify it, like by cross-checking the delivered DB against users you can look up through the UI. It seems like your buyer would catch on real quick when all the email addresses are temp addresses or one of a small number of addresses or something. Or that all the users in the DB dump you're selling have zero activity on the site in question.
-
2018-11-06 at 11:34 AM UTC
Originally posted by esbity If I ran a program that registered accounts on a web application(likely creating SQL entries), at what point and frequency would the admin stop my shit?
Honestly, for most sites, almost never. Computer programs are just dumb pipes, and the tooling generally just isn't in place for admins to monitor that sort of thing even if they wanted to spare the time.
-
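The tooling the post above says most admins lack is not hard to build. As an added example (not code from this thread), the script below parses a constructed access-log format (fields: timestamp, source IP, method, path, status, submitted email; this format and the thresholds are assumptions) and flags sources that create accounts in bursts and email domains that dominate sign-ups, which together cover the throwaway-address pattern Lanny describes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log (not real traffic); fields:
# timestamp source-ip method path status email-submitted
SAMPLE_LOG = """\
2018-11-06T12:26:01Z 203.0.113.7 POST /register 201 u1@tempmail.example
2018-11-06T12:26:02Z 203.0.113.7 POST /register 201 u2@tempmail.example
2018-11-06T12:26:02Z 203.0.113.7 POST /register 201 u3@tempmail.example
2018-11-06T12:26:03Z 203.0.113.7 POST /register 201 u4@tempmail.example
2018-11-06T12:30:10Z 198.51.100.4 POST /register 201 alice@mail.example
2018-11-06T12:31:44Z 198.51.100.9 GET /login 200 -
2018-11-06T12:45:00Z 198.51.100.12 POST /register 201 bob@corp.example
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_registrations(log_text):
    """Return (timestamp, ip, email) for each successful /register POST."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, ip, method, path, status, email = m.groups()
        if method == "POST" and path == "/register" and status == "201":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email))
    return events


def burst_sources(events, max_per_window=3, window_s=60):
    """IPs exceeding max_per_window registrations in any window_s-second window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        left = 0  # two-pointer sweep: window is stamps[left..right]
        for right, ts in enumerate(stamps):
            while (ts - stamps[left]).total_seconds() > window_s:
                left += 1
            if right - left + 1 > max_per_window:
                flagged.add(ip)
                break
    return flagged


def dominant_domains(events, min_share=0.5):
    """Email domains supplying at least min_share of all registrations."""
    counts = Counter(email.rpartition("@")[2] for _, _, email in events)
    total = sum(counts.values())
    return {d for d, n in counts.items() if total and n / total >= min_share}
```

Either signal on its own is noisy (a NAT gateway can legitimately register several users a minute), so in practice the two are combined and tuned against the site's normal sign-up rate.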
2018-11-06 at 2:22 PM UTC
Originally posted by Sophie Everyone has Masscan. Using your Shodan/Censys/ZE account is much quicker; it doesn't even have to be your account, I gave you an API key for ZE.
What does "half-open" capability even mean?
Google is your friend...
https://searchnetworking.techtarget.com/definition/SYN-scanning
SYN scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. This approach, one of the oldest in the repertoire of crackers, is sometimes used to perform denial-of-service (DoS) attacks. SYN scanning is also known as half-open scanning.
-
2018-11-06 at 2:53 PM UTC
Originally posted by -SpectraL Google is your friend…
https://searchnetworking.techtarget.com/definition/SYN-scanning
SYN scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. This approach, one of the oldest in the repertoire of crackers, is sometimes used to perform denial-of-service (DoS) attacks. SYN scanning is also known as half-open scanning.
Yeah, I'm familiar with the textbook definition. Why not just call it a SYN scan? All modern port scanners are able to do this, so saying "half-open" capability just makes the semantics of the process sound unnecessarily convoluted. I know you like to be vague and mysterious, but can we just call things by their technical names.
Also, good luck performing a DoS with SYN packets. If your target has any sort of firewall in place, it's going to drop all requests coming from your IP/s if you flood it with SYN packets at any sort of rate that might potentially cause a disruption to the service.
FYI, you don't keep 'compromised boxes under known TCP/UDP ports'. That's not how this works; I know what you are trying to say, but ports are related to specific services. I know if there is X malware that uses port 1337 for C2 traffic, you can just check to see if there is a service running under that port for any target you might line up for your port scanner.
If you're going to be SYN scanning, you might want to put some rate limiting in place on your end, in case of firewalls. If you wanna go hard and go fast, I'd reckon sending FIN packets and checking for RST responses would be your best bet. But again, there are online services that have done all this work for you. Oftentimes they even do OS and/or service fingerprinting, and all you need to provide is a search term to get exactly what you are looking for. And since you mentioned DoS, UDP reflection is still where it's at.
-
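Both probe types argued over above (SYN/half-open and FIN) leave a recognisable trace on the receiving side, and that is how firewalls and IDS spot them. As an added example that is not part of the thread, the function below classifies sources from a constructed list of client-to-server packet summaries (tuples of source, destination, destination port, TCP flag string; all addresses and thresholds are assumptions): many SYNs fanning across ports with no ACK ever completing a handshake is the half-open signature, and bare FINs on ports that never saw a SYN from that source is the FIN-probe signature.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): (src, dst, dport, tcp_flags)
PACKETS = [
    ("203.0.113.50", "198.51.100.10", 22, "S"),
    ("203.0.113.50", "198.51.100.10", 80, "S"),
    ("203.0.113.50", "198.51.100.10", 443, "S"),
    ("203.0.113.50", "198.51.100.10", 3389, "S"),
    ("203.0.113.50", "198.51.100.10", 8080, "S"),
    ("203.0.113.50", "198.51.100.10", 1337, "S"),
    ("203.0.113.50", "198.51.100.10", 5900, "S"),
    ("203.0.113.50", "198.51.100.10", 8443, "S"),
    ("203.0.113.50", "198.51.100.10", 21, "S"),
    ("203.0.113.50", "198.51.100.10", 25, "S"),
    # Normal client: SYN, then the ACK that completes the handshake, then data
    ("192.0.2.8", "198.51.100.10", 443, "S"),
    ("192.0.2.8", "198.51.100.10", 443, "A"),
    ("192.0.2.8", "198.51.100.10", 443, "PA"),
    # FIN probes: a FIN with no preceding SYN from that source on that port
    ("203.0.113.51", "198.51.100.10", 22, "F"),
    ("203.0.113.51", "198.51.100.10", 80, "F"),
    ("203.0.113.51", "198.51.100.10", 139, "F"),
]


def classify_sources(packets, min_ports=8, min_fin_probes=3):
    """Return {src: label}: 'syn_scan' when SYNs to >= min_ports ports were
    never followed by a client ACK; 'fin_scan' when >= min_fin_probes bare
    FINs hit ports that got no SYN from that source. Normal closes ("FA")
    carry the ACK bit and so are not counted as bare FINs."""
    syn_ports = defaultdict(set)  # src -> ports that received a SYN
    acked = defaultdict(set)      # src -> ports where the client later ACKed
    fin_ports = defaultdict(set)  # src -> ports that received a bare FIN
    for src, _dst, dport, flags in packets:
        if "S" in flags:
            syn_ports[src].add(dport)
        elif "A" in flags:
            acked[src].add(dport)
        elif "F" in flags:
            fin_ports[src].add(dport)
    verdicts = {}
    for src in set(syn_ports) | set(fin_ports):
        half_open = syn_ports[src] - acked[src]
        bare_fins = fin_ports[src] - syn_ports[src]
        if len(half_open) >= min_ports:
            verdicts[src] = "syn_scan"
        elif len(bare_fins) >= min_fin_probes:
            verdicts[src] = "fin_scan"
    return verdicts
```

The rate limiting Sophie mentions is exactly what lowers the per-window port count below a detector's min_ports threshold, which is why production IDS rules also track the count over longer horizons.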
2018-11-06 at 3:09 PM UTC
Originally posted by Lanny Hah, I wonder if that's how they verify it, like by cross checking the delivered DB against users you can look up through the UI. It seems like your buyer would catch on real quick when all the email addresses are temp addressed or one of a small number of addresses or something. Or that all the users in the DB dump you're selling have zero activity on the site in question.
That would seem to me the simplest way of verifying if any accounts you get are legit. Considering the large volume of accounts that are usually present in a given DB, I would imagine the seller just offering a sample of the DB to the prospective buyer so they can verify before the purchase. If you're a serious data-broker you probably have your own scripts where you can plug in a list of credentials to check a bunch of accounts for their legitimacy automatically. I would imagine if they check the sample N accounts with their script and they all come back as verified to work on the site in question they'd probably buy it. If you make your fake DB somewhat cheaper than the going rate for DBs of that size they'll buy it off you because data-brokers really are just looking to turn a profit. As far as I understand it, DBs get pooled to be sold as a big batch for the spammers, or they get sold on with a markup.
-
2018-11-06 at 3:39 PM UTC
You and Lanny are wayyyy too fixated on "how things sound", rather than the practical aspect of anything. It's all ego and looking in the mirror with you two. Try to have some actual substance for once, you know?
You don't flood it, you use the half-open scan to probe for open service ports without being detected.
-
2018-11-06 at 3:49 PM UTC
Nah man, all you need is a captcha auto-filler and they are easy to come by.
Mine still works
-
2018-11-06 at 4:18 PM UTC
Originally posted by -SpectraL You and Lanny are wayyyy too fixated on "how things sound", rather than the practical aspect of anything. It's all ego and looking in the mirror with you two. Try to have some actual substance for once, you know?
For once I'm not trying to 'school you' on anything, I am just having a conversation with you. There's a lot of substance to my post and the things I discussed are related to the overall theme of what we were discussing.
Originally posted by -SpectraL You don't flood it, you use the half-open scan to probe for open service ports without being detected.
I never told you to flood the target with SYN packets when trying to perform a scan; in fact I explicitly said rate-limiting might be a good idea in case there's a firewall on your target that drops SYN packets if they're coming in too fast. You brought up the topic of DoS and I told you sending SYN packets for DoS won't work all too well. Even shitty standard ISP-provided routers drop SYN packets because the generic firewall interprets a bunch of those coming in as a DoS attempt.
I even suggested a better alternative if you're trying to be stealthy. A FIN scan.
An even better alternative is using an online service that scans the whole damn internet, since no matter how intrusive their scans are, you are not the person launching the scans yet you still get to benefit from the data they collected for you.
If you were actually interested in becoming a better and more efficient hacker you'd take my points to heart. But the way in which you're acting tells me that you only care about being perceived as a good hacker. Drop the act for once and you may just learn something dude.
-
2018-11-06 at 4:21 PM UTC
This post has been edited by a bot I made to preserve my privacy.
-
2018-11-06 at 4:42 PM UTC
Originally posted by Sophie For once I'm not trying to 'school you' on anything, I am just having a conversation with you. There's a lot of substance to my post and the things I discussed are related to the overall theme of what we were discussing.
I never told you to flood the target with SYN packets when trying to perform a scan; in fact I explicitly said rate-limiting might be a good idea in case there's a firewall on your target that drops SYN packets if they're coming in too fast. You brought up the topic of DoS and I told you sending SYN packets for DoS won't work all too well. Even shitty standard ISP-provided routers drop SYN packets because the generic firewall interprets a bunch of those coming in as a DoS attempt.
I even suggested a better alternative if you're trying to be stealthy. A FIN scan.
An even better alternative is using an online service that scans the whole damn internet, since no matter how intrusive their scans are, you are not the person launching the scans yet you still get to benefit from the data they collected for you.
If you were actually interested in becoming a better and more efficient hacker you'd take my points to heart. But the way in which you're acting tells me that you only care about being perceived as a good hacker. Drop the act for once and you may just learn something dude.
Actually, you would launch the scans from the mules, not from your own box.
-
2018-11-06 at 4:44 PM UTC
Are the shoe-posters making new accounts manually in order to pass captcha?
-
2018-11-06 at 8:44 PM UTC
Luckily this site has no captcha...yet.
I came across one with a captcha that was deployed incorrectly though.