Bh mirror image-public

Black Hat.

Published in Technology

Transcript

  • 1. Attrition.org MIRROR::IMAGE Black Hat Briefings 2001 – July 12, 2001 Written by Jericho, Founder Assisted by Mcintyre, Staff Member
  • 2. Attrition.org * This is an informal discussion * Feel free to ask questions * These slides are 183% different than the ones in your BH Bible. Take notes accordingly. * Feel free to shower us with money and booze * Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child
  • 3. Attrition.org MIRROR::IMAGE Introduction • Who Are We (Passionate Masochists) • jericho • mcintyre • munge • null • What is Attrition.org (Clusterf...) • Hobby website • Free resource • Raw information, little presentation
  • 4. Attrition.org MIRROR::IMAGE Jericho • Security Curmudgeon • jericho@attrition.org • ...internet villain!
  • 5. Attrition.org MIRROR::IMAGE Mcintyre • Least bitter of us • mcintyre@attrition.org • ...before breast augmentation!
  • 6. Attrition.org MIRROR::IMAGE Munge • Data Munger • munge@attrition.org • ...with dinner and date!
  • 7. Attrition.org MIRROR::IMAGE Introduction • What is the Mirror • What is a Defacement • The How-To of “Taking a Mirror” • Walking the Fine Line of Neutrality • This could be an hour long discussion on ethics alone
  • 8. Attrition.org MIRROR::IMAGE Defacements…priceless!
  • 9. Attrition.org MIRROR::IMAGE Self-Induced Neutrality • Who can run a mirror? • Hackers can’t – self glorification • Security companies can’t – they’ll profit • Hobby site – perfect • Commentary and notification as non-biased news feed
  • 10. Attrition.org MIRROR::IMAGE Notification • “I stumbled across this site..” (18 times) • “I’ll send them 5 mails to make sure they get it..” • “I’ll send it to them before I run my script to deface the site..” • “I’ll hit all the virtual domains on this server and send one email per vhost...” • I could only hack domain.com NOT www.domain.com • I could only hack index.html Not the Root Document (eg: default.htm)
  • 11. Attrition.org MIRROR::IMAGE Notification Complications • IRC – Insipid Relay Chat • Incriminate selves (legally bind us to report them) • Sending to channel when no one was watching • Chatting from home IP • Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)
  • 12. Attrition.org MIRROR::IMAGE What We Received • Free Server Defacements • Hoaxes (go styleproject.com!) • Mail Servers (smtp, mail, etc) • DNS Servers (ns1, ns2, etc) • PC Dialups, DSL boxes, Cable modems • Corporate nodes (e8320.company.com) Despite being posted, this goes toward showing the real extent of computer intrusions.
  • 13. Attrition.org MIRROR::IMAGE Attrition Get (aget) • 1000+ line shell script • 3 Types of an OS Fingerprint • actually mirroring the Site (wget) • Labeling the Site (whois, google cache, etc..) • Categorizing the Site (adult, security, church, youth org, etc..) • 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)
  • 14. Attrition.org MIRROR::IMAGE The Administrators • What We Sent Them • Defaced. Report it. We offer FREE advice. • Thank You (fairly rare) • Fuck You and Legal Threats (plentiful, see “going postal”) • Reporting to FBI and Other LE • Contacting our ISP (chain of command)
  • 15. Attrition.org MIRROR::IMAGE The Monitors & Response • CERT (‘R’ is for REJECTED) • NIPC • FedCIRC • NASIRC • Foreign CERTs (hello Brazil?) • iDefense/TruSecure etc (hi gimps)
  • 16. Attrition.org MIRROR::IMAGE The Media • Inability to Understand (or lack of desire to?) • Misquoting Stats (munge@attrition for kickass commentary/details) • Misquoting Attrition Staff • Asking Us to Call THEM – Long Distance and Global • Fluff, FUD and other undesirables
  • 17. Attrition.org MIRROR::IMAGE The Media • Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”) • Not verifying claims before printing them (deadline matters, facts don’t) • Hyping It Up (Wag the Delio)
  • 18. Attrition.org MIRROR::IMAGE The Ambulance Chasers • One of our biggest Pet Peeves • Pitching products/services to recently defaced • Some used Attrition name and implied it was solicitation on our behalf • Led to modification of warning e-mail sent to admins
  • 19. Attrition.org MIRROR::IMAGE The Thieves • One of our biggest Pet Peeves • Stealing Statistics • not citing us • claiming as their own • Stealing Mirrors Without Credit • Stealing Information • Blacklist -> Errata
  • 20. Attrition.org MIRROR::IMAGE Trends and Incidents • Military and Government trends • Foreign Web site trends • sadmind/iis thingy • US vs. China • Israel vs. Palestine • Pakistan vs. India • Media-made and perpetuated trends/incidents (Wag the Delio)
  • 21. Attrition.org MIRROR::IMAGE From “Hacker Site” to “Security Site” • 2 years ago: Evil Hackers • 1 year ago: Mix of hacker group and security site • Last six months: Respected Security Site • We didn’t change... • Who Quoted Us • Who Wouldn’t (gimps)
  • 22. Attrition.org MIRROR::IMAGE Tracking Hackers • Why We Didn’t (not our job d00d) • Why We Could (moron defacers) • X-Originating IP, legit account, admitting guilt, etc • Web Logs (href-tail and IP tracking) • Only 2 Subpoenas • #1 flipz/fuqrag • #2 pimpshiz
  • 23. Attrition.org MIRROR::IMAGE href-tail.pl
  • 24. Attrition.org MIRROR::IMAGE Automation • No CGI/Webform • No Auto-Retrieval from Email • Lack of Time to Program (concept easy, making it kidiot proof hard) • Issue of Manual Mirrors (wget isn’t foolproof) • Bottom line: Way too easy to abuse automated systems
  • 25. Attrition.org MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Greetz Chart (x defacement greets defacer y) • Controlled Dialogue with defacers • Anonymous surveys/questionnaires w/ defacers • Delusions of grandeur • Any real purpose? • Heavy examination of HTML (meta tags, style, html generator, embedded image comments)
  • 26. Attrition.org MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Exchanging notes with Honeynet (we had dealings with same kids) • Further analysis of statistics and trends • Defacement duration (admin response time) • Compare normal vs when admin notified • Defacement views (via href to attrition image) • Many defacements used images on attrition
  • 27. Attrition.org MIRROR::IMAGE Who follows.. • Two other well known mirrors • Alldas (defaced.alldas.de) • Safemode (www.safemode.org) • Numerous offers to fund us.. • .. From various people • .. For various reasons • .. Why we said no
  • 28. Attrition.org MIRROR::IMAGE FIN • What’s Next? • Commentary and Stats • Lots of Errata • Newbie Security Texts • More articles • Continued Bitterness, Sarcasm, and Sharp Wit
  • 29. Attrition.org MIRROR::IMAGE FIN, part too >=) • What’s Next? • This presentation a precursor to a larger more detailed paper on the mirror. • Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……
  • 30. Attrition.org MIRROR::IMAGE • We PROMISE to get this stuff done soon...
  • 31. Attrition.org MIRROR::IMAGE Questions, comments and all that crap • Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much. • Comments/suggestions. We DO listen. We just pretend to ignore you.
  • 32. Attrition.org MIRROR::IMAGE Other Resources • Mirror Archive (http://attrition.org/mirror/attrition) • Errata (http://attrition.org/errata) • Commentary (http://attrition.org/security/commentary) • News (http://attrition.org/news/) • This Presentation (http://attrition.org/security/blackhat) • Going Postal (http://attrition.org/postal/)
  • 33. Attrition.org MIRROR::IMAGE Go forth, cause havoc...