Bh mirror image-public
Black Hat.

Published in Technology
  • 1. MIRROR::IMAGE Black Hat Briefings 2001 – July 12, 2001 Written by Jericho, Founder Assisted by Mcintyre, Staff Member
  • 2. * This is an informal discussion * Feel free to ask questions * These slides are 183% different than the ones in your BH Bible. Take notes accordingly. * Feel free to shower us with money and booze * Mcintyre has not seen 50% of these slides, harass him like you were harassed as a child
  • 3. MIRROR::IMAGE Introduction • Who Are We (Passionate Masochists) • jericho • mcintyre • munge • null • What is (Clusterf...) • Hobby website • Free resource • Raw information, little presentation
  • 4. MIRROR::IMAGE Jericho • Security Curmudgeon • • ...internet villain!
  • 5. MIRROR::IMAGE Mcintyre • Least bitter of us • • ...before breast augmentation!
  • 6. MIRROR::IMAGE Munge • Data Munger • • ...with dinner and date!
  • 7. MIRROR::IMAGE Introduction • What is the Mirror • What is a Defacement • The How-To of “Taking a Mirror” • Walking the Fine Line of Neutrality • This could be an hour long discussion on ethics alone
  • 8. MIRROR::IMAGE Defacements…priceless!
  • 9. MIRROR::IMAGE Self-Induced Neutrality • Who can run a mirror? • Hackers can’t – self glorification • Security companies can’t – they’ll profit • Hobby site – perfect • Commentary and notification as non-biased news feed
  • 10. MIRROR::IMAGE Notification • “I stumbled across this site..” (18 times) • “I’ll send them 5 mails to make sure they get it..” • “I’ll send it to them before I run my script to deface the site..” • “I’ll hit all the virtual domains on this server and send one email per vhost...” • I could only hack NOT • I could only hack index.html Not the Root Document (eg: default.htm)
  • 11. MIRROR::IMAGE Notification Complications • IRC – Insipid Relay Chat • Incriminate selves (legally bind us to report them) • Sending to channel when no one was watching • Chatting from home IP • Fed Warning – our nicks showed up in channel logs being used in investigations. During China ‘cyberwar’, they sure didn’t have a problem with it. (hypocrites)
  • 12. MIRROR::IMAGE What We Received • Free Server Defacements • Hoaxes (go!) • Mail Servers (smtp, mail, etc) • DNS Servers (ns1, ns2, etc) • PC Dialups, DSL boxes, Cable modems • Corporate nodes ( Despite being posted, this goes toward showing the real extent of computer intrusions.
  • 13. MIRROR::IMAGE Attrition Get (aget) • 1000+ line shell script • 3 Types of an OS Fingerprint • actually mirroring the Site (wget) • Labeling the Site (whois, google cache, etc..) • Categorizing the Site (adult, security, church, youth org, etc..) • 3rd Party Notification (CERTs, NIPC, NIC contact, mail lists)
  • 14. MIRROR::IMAGE The Administrators • What We Sent Them • Defaced. Report it. We offer FREE advice. • Thank You (fairly rare) • Fuck You and Legal Threats (plentiful, see “going postal”) • Reporting to FBI and Other LE • Contacting our ISP (chain of command)
  • 15. MIRROR::IMAGE The Monitors & Response • CERT (‘R’ is for REJECTED) • NIPC • FedCIRC • NASIRC • Foreign CERTs (hello Brazil?) • iDefense/TruSecure etc (hi gimps)
  • 16. MIRROR::IMAGE The Media • Inability to Understand (or lack of desire to?) • Misquoting Stats (munge@attrition for kickass commentary/details) • Misquoting Attrition Staff • Asking Us to Call THEM – Long Distance and Global • Fluff, FUD and other undesirables
  • 17. MIRROR::IMAGE The Media • Requesting Info Hours Before Deadline (“answer these 18 essay questions, provide a breakout of this group and call me before noon”) • Not verifying claims before printing them (deadline matters, facts don’t) • Hyping It Up (Wag the Delio)
  • 18. MIRROR::IMAGE The Ambulance Chasers • One of our biggest Pet Peeves • Pitching products/services to recently defaced • Some used Attrition name and implied it was solicitation on our behalf • Led to modification of warning e-mail sent to admins
  • 19. MIRROR::IMAGE The Thieves • One of our biggest Pet Peeves • Stealing Statistics • not citing us • claiming as their own • Stealing Mirrors Without Credit • Stealing Information • Blacklist -> Errata
  • 20. MIRROR::IMAGE Trends and Incidents • Military and Government trends • Foreign Web site trends • sadmind/iis thingy • US vs. China • Israel vs. Palestine • Pakistan vs. India • Media-made and perpetuated trends/incidents (Wag the Delio)
  • 21. MIRROR::IMAGE From “Hacker Site” to “Security Site” • 2 years ago: Evil Hackers • 1 year ago: Mix of hacker group and security site • Last six months: Respected Security Site • We didn’t change... • Who Quoted Us • Who Wouldn’t (gimps)
  • 22. MIRROR::IMAGE Tracking Hackers • Why We Didn’t (not our job d00d) • Why We Could (moron defacers) • X-Originating IP, legit account, admitting guilt, etc • Web Logs (href-tail and IP tracking) • Only 2 Subpoenas • #1 flipz/fuqrag • #2 pimpshiz
  • 24. MIRROR::IMAGE Automation • No CGI/Webform • No Auto-Retrieval from Email • Lack of Time to Program (concept easy, making it kidiot proof hard) • Issue of Manual Mirrors (wget isn’t foolproof) • Bottom line: Way too easy to abuse automated systems
  • 25. MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Greetz Chart (x defacement greets defacer y) • Controlled Dialogue with defacers • Anonymous surveys/questionnaires w/ defacers • Delusions of grandeur • Any real purpose? • Heavy examination of HTML (meta tags, style, html generator, embedded image comments)
  • 26. MIRROR::IMAGE Where we failed • So many things we could have done given time and resources while running the mirror • Exchanging notes with Honeynet (we had dealings with same kids) • Further analysis of statistics and trends • Defacement duration (admin response time) • Compare normal vs when admin notified • Defacement views (via href to attrition image) • Many defacements used images on attrition
  • 27. MIRROR::IMAGE Who follows.. • Two other well known mirrors • Alldas ( • Safemode ( • Numerous offers to fund us.. • .. From various people • .. For various reasons • .. Why we said no
  • 28. MIRROR::IMAGE FIN • What’s Next? • Commentary and Stats • Lots of Errata • Newbie Security Texts • More articles • Continued Bitterness, Sarcasm, and Sharp Wit
  • 29. MIRROR::IMAGE FIN, part too >=) • What’s Next? • This presentation a precursor to a larger more detailed paper on the mirror. • Don’t ask when! It will be finished when I get off my lazy ass, quit playing Everquest and motivate myself to finish it……
  • 30. MIRROR::IMAGE • We PROMISE to get this stuff done soon...
  • 31. MIRROR::IMAGE Questions, comments and all that crap • Questions about ANYTHING related to Attrition. Really, we aren’t hiding anything. Well, not much. • Comments/suggestions. We DO listen. We just pretend to ignore you.
  • 32. MIRROR::IMAGE Other Resources • Mirror Archive ( • Errata ( • Commentary ( • News ( • This Presentation ( • Going Postal (
  • 33. MIRROR::IMAGE Go forth, cause havoc...