Category Bash Scripting

Part 1: BotNets – What Are They and What Is Their Purpose?

What Are Botnets?

A botnet is a network of compromised computers or devices, known as “bots” or “zombies,” which are controlled remotely by an attacker, often referred to as a “botmaster” or “bot herder.” These botnets can be used to perform a variety of malicious activities, typically without the knowledge of the device owners.

Evolution of Botnets

1. Early Days:
   • IRC-Based Botnets (1990s): The earliest botnets used Internet Relay Chat (IRC) to command infected machines. These bots were often created for fun or minor pranks but set the stage for more serious threats.
   • Example: The “Sub 7” and “Back Orifice” trojans were among the first to create such networks.
2. 2000s – Rise of Complexity:
   • Peer-to-Peer (P2P) Networks: Botnets evolved to use P2P networks to avoid centralized control and improve resilience.
   • Example: The “Storm Worm” utilized a P2P architecture to distribute commands.
3. 2010s – Advanced Botnets:
   • Botnets as a Service: The commercialization of botnets turned them into a service for hire.
   • Example: The “Mirai” botnet, which primarily targeted IoT devices, became infamous for its scale and impact.
4. 2020s – Sophisticated and Distributed Attacks:
   • Targeted Attacks and Cryptojacking: Modern botnets often focus on specific targets or exploit devices for cryptojacking.
   • Example: “Emotet” and “TrickBot” are known for their sophisticated modularity and targeted attacks.

Common Uses of Botnets

1. Distributed Denial of Service (DDoS) Attacks:
   • Overwhelm a target server or network with traffic to make it inaccessible.
2. Spam and Phishing:
   • Distribute large volumes of spam emails or phishing attempts to harvest personal information.
3. Data Theft:
   • Steal sensitive information from compromised systems.
4. Cryptojacking:
   • Utilize infected devices to mine cryptocurrency without the user’s consent.
5. Click Fraud:
   • Automate clicks on online ads to generate fraudulent revenue.

Key Terminology

• Botmaster/Bot Herder: The individual who controls the botnet.
• Command and Control (C2): The server or infrastructure used to send commands to the bots.
• Infection Vector: The method by which the botnet malware is spread (e.g., phishing, exploit kits).
• Zombies/Bots: Infected devices within the botnet.

Popular Variants

1. Mirai:
   • Known for its large-scale attacks using IoT devices.
   • Exploits default passwords on IoT devices.
2. Emotet:
   • Initially a banking trojan, evolved into a modular botnet used for a variety of malicious activities.
   • Known for its resilience and ability to distribute other malware.
3. Zeus/Zbot:
   • A banking trojan that evolved into a powerful botnet for stealing financial credentials.
4. Conficker:
   • One of the largest and most infamous botnets, known for its ability to spread through vulnerabilities in Windows operating systems.

Part 2: A Basic Example of a Botnet

Overview

Let’s look at a simple Python script example to demonstrate the concept of a botnet. This example is for educational purposes only and should not be used for any malicious activities.

Basic Botnet Example in Python

# Example BotNet In Python:

import socket
import threading

# This is the bot (client) code.

def connect_to_server():
    server_ip = "127.0.0.1"  # IP of the command and control server (for demonstration)
    server_port = 12345      # Port of the command and control server

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((server_ip, server_port))
        print("Connected to server")
        
        while True:
            command = s.recv(1024).decode('utf-8')
            if command == "shutdown":
                print("Shutting down...")
                break
            else:
                # Execute command
                print(f"Received command: {command}")
                # For security reasons, this part is left out in this example.
                # You could use os.system(command) to execute commands.
        
    except Exception as e:
        print(f"Error: {e}")
    finally:
        s.close()

def main():
    # Create multiple threads to simulate multiple bots
    for i in range(5):  # Simulating 5 bots
        t = threading.Thread(target=connect_to_server)
        t.start()

if __name__ == "__main__":
    main()

Explanation

1. Socket Setup:
   • The socket library is used to create a network connection. The bot connects to a predefined IP address and port number of the command and control (C2) server.
2. Connection Handling:
   • The connect_to_server() function establishes a connection to the C2 server and listens for commands.
3. Command Execution:
   • The bot waits for commands from the C2 server. If it receives a command (e.g., “shutdown”), it performs the action. In a real-world scenario, commands could be anything, including executing system commands or sending data.
4. Multithreading:
   • Multiple threads are created to simulate multiple bots connecting to the C2 server concurrently. Each thread represents an individual bot.
5. Error Handling:
   • Basic error handling is in place to catch and display any exceptions that occur during the connection or execution process.

Note

This example demonstrates a simplified version of a botnet client. In real-world scenarios, botnets are more complex and include additional features such as encryption, obfuscation, and advanced command structures. This script is provided for educational purposes to understand the basic principles of how botnets operate.

Related Links:
Home Network Router Attacks
BotNet Archive – For Educational Purposes Only!

Senya 1.0 Cross Domain WordPress Data Mining Utility

Сеня 1.0 – K0NxT3D 2024
Back End WordPress Utility

Features:

• Edit WordPress Database.
• Edit WordPress User Tables.
• Edit WordPress User Information.
• Display WordPress Domain and Associated Admin Email Addresses Across Multiple Domains.

A simple and easy to use PHP/HTML Based MySQL Back End Connection Utility with Editing Capabilities and Email Harvesting across Multiple Domains.

Download

SSH-Snake, a self-modifying worm that leverages SSH credentials.

Original Article : The Hacker News

A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.

“SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network,” Sysdig researcher Miguel Hernández said.

“The worm automatically searches through known credential locations and shell history files to determine its next move.”

SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a “powerful tool” to carry out automatic network traversal using SSH private keys discovered on systems.

In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses.

“It’s completely self-replicating and self-propagating – and completely fileless,” according to the project’s description. “In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can.”

BotNet CNC Control Hacker Infiltrates & Exploits Vulnerabilities Vie SSH TCP Both Hardware Software Exploited

Sysdig said the shell script not only facilitates lateral movement, but also provides additional stealth and flexibility than other typical SSH worms.

The cloud security company said it observed threat actors deploying SSH-Snake in real-world attacks to harvest credentials, the IP addresses of the targets, and the bash command history following the discovery of a command-and-control (C2) server hosting the data.

How Does It Work?

These attacks involve active exploitation of known security vulnerabilities in Apache ActiveMQ and Atlassian Confluence instances in order to gain initial access and deploy SSH-Snake.
“The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread,” Hernández said. “It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold.”

When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to “discover the attack paths that exist – and fix them.”

“It seems to be commonly believed that cyber terrorism ‘just happens’ all of a sudden to systems, which solely requires a reactive approach to security,” Rogers said. “Instead, in my experience, systems should be designed and maintained with comprehensive security measures.”

Netcat file transfer chat utility. Easily Send & Receive Files Local & Remote.

“If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can’t be replicated across thousands of others.”

Rogers also called attention to the “negligent operations” by companies that design and implement insecure infrastructure, which can be easily taken over by a simple shell script.

“If systems were designed and maintained in a sane manner and system owners/companies actually cared about security, the fallout from such a script being executed would be minimized – as well as if the actions taken by SSH-Snake were manually performed by an attacker,” Rogers added.

“Instead of reading privacy policies and performing data entry, security teams of companies worried about this type of script taking over their entire infrastructure should be performing total re-architecture of their systems by trained security specialists – not those that created the architecture in the first place.”

The disclosure comes as Aqua uncovered a new botnet campaign named Lucifer that exploits misconfigurations and existing flaws in Apache Hadoop and Apache Druid to corral them into a network for mining cryptocurrency and staging distributed denial-of-service (DDoS) attacks.

The hybrid cryptojacking malware was first documented by Palo Alto Networks Unit 42 in June 2020, calling attention to its ability to exploit known security flaws to compromise Windows endpoints.
As many as 3,000 distinct attacks aimed at the Apache big data stack have been detected over the past month, the cloud security firm said. This also comprises those that single out susceptible Apache Flink instances to deploy miners and rootkits.

“The attacker implements the attack by exploiting existing misconfigurations and vulnerabilities in those services,” security researcher Nitzan Yaakov said.

Apache Vulnerability Update Available!

“Apache open-source solutions are widely used by many users and contributors. Attackers may view this extensive use as an opportunity to have inexhaustible resources for implementing their attacks on them.”

Hacker News:
Russian Hackers Have Infiltrated U.S. Household and Small Business Routers, FBI Warns
Original Article: MSN News

The FBI has recently thwarted a large-scale cyberattack orchestrated by Russian operatives, targeting hundreds of routers in home offices and small businesses, including those in the United States.

These compromised routers were used to form “botnets”, which were then employed in cyber operations worldwide.

The United States Department of Justice has attributed this cyberattack to the Russian GRU Military Unit 26165. Countermeasures undertaken by authorities ensured that the GRU operators were expelled from the routers and denied further access, ABC News reported.

The GRU deployed a specialized malware called “Moobot,” associated with a known criminal group, to seize control of susceptible home and small office routers, converting them into “botnets” — a network of remotely controlled systems.

The Justice Department, in an official statement, explained, “Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”

Utilizing this botnet, Russian hackers engaged in various illicit activities, including extensive “spearphishing” campaigns and credential harvesting campaigns against targets of intelligence interest to the Russian government, such as governmental, military, security and corporate entities in the United States and abroad.

Botnets pose a significant challenge for intelligence agencies, hindering their ability to detect foreign intrusions into their computer networks, Reuters notes.

In January 2024, the FBI executed a court-approved operation dubbed “Operation Dying Ember” to disrupt the hacking campaign. According to the Department of Justice, the FBI employed malware to copy and erase the malicious data from the routers, restoring full access to the owners while preventing further unauthorized access by GRU hackers.

FEDOR was designed as an android able to replace humans in high-risk areas, such as rescue operations,” Andrey Grigoriev, director of Russia’s Advanced Research Fund, said.

Quick Nmap Scanning Utility Framework

This script provides a basic framework for a quick and easy Nmap scanning utility. Designed for rapid security checkups, it leverages the Zenity tool to create a graphical user interface (GUI) that simplifies the process of running common Nmap scans. This script does not require sudo privileges, making it suitable for environments where elevated permissions are restricted. However, it does have a minor bug that affects user interaction with the script descriptions.

• Options Array: Defines a list of common Nmap scan options, each associated with a descriptive label.
• Zenity Dialogs:
  • The zenity --list command presents a GUI list for selecting Nmap options.
  • The zenity --entry command prompts the user to input a URL.
• Command Execution:
  • Constructs the full Nmap command using the selected options and entered URL.
  • Uses eval to execute the constructed Nmap command.
  • Displays the command being executed using another Zenity dialog.

The Code:

#!/bin/bash
# Quick Nmap - K0NxT3D
# Here's The Framework For A Project I Put
# Together For Quick Response Security Checkups.
# BUGS: Clicking The Description Will Process As Command.
# Click The Actual Command In This Example & Then The URL.

# Function to display error message and exit
    show_error() {
    zenity --error --text="$1" --title="Error"
    exit 1
}

# Function to display Nmap options list and prompt for URL
    get_nmap_options() {
# List of Nmap options
    options=(
    "[Ping Remote Host]" " -p 22,113,139" \
    "[Quick scan]" " -F" \
    "[Intense scan, all TCP ports]" " -p 1-65535 -T4 -A -v" \
    "[Scan all TCP ports (SYN scan)]" " -p- -sS -T4 -A -v" \
    "[Scan UDP ports]" " -sU -p 1-65535" \
    "[Full Scan, OS Detection, Version]" " -A" \
    "[Scan All Ports On Host]" " -sT -n -p-" \
    "[Scan with default NSE Scripts]:" " -sC" \
    "[TCP SYN port scan]" " -sS" \
    "[UDP Port Scan]" " -sU" \
    "[Scan For HTTP Vulnerabilities]" " -Pn -sV -p80 --script=vulners" \
    "[Nmap Help]" " -h")

# Display list of options and prompt for selection
    selected_option=$(zenity --list --title="Quick Nmap - K0NxT3D" --column="Options" "${options[@]}" --height 500 --width 500 --text="Select Options:")
        [ -z "$selected_option" ] && show_error "No Option Selected."

# Prompt for URL
    url=$(zenity --entry --title="Enter URL" --text="Enter URL To Scan:")
        [ -z "$url" ] && show_error "URL Not Provided."

# Execute Nmap command
    nmap_command="nmap $selected_option $url"
    echo "Executing Command: $nmap_command"
    zenity --info --text="Executing Nmap command:\n$nmap_command"
    eval "$nmap_command"
}

# Display GUI for Nmap options and URL input
get_nmap_options

Bug Description

• Description Bug: The script’s current implementation has a bug where clicking on a description in the Zenity list triggers an attempt to run the description as a command first. This results in an error message being displayed before the actual Nmap command is executed. While this does not significantly affect the performance or functionality of the script, it is noted as a minor inconvenience.

Advanced Usage

• Enhanced Functionality: Users who are familiar with Nmap can modify and extend this framework to include additional scanning options or integrate more advanced features.
• Proxy and Anonymity: The script is compatible with tools like torsocks and proxychains for executing Nmap scans through proxies, enhancing privacy and bypassing geographical restrictions.

This script serves as a convenient starting point for running common Nmap scans with a user-friendly interface, while also allowing for customization and enhancement based on individual needs.

Apache Security Update Jammy Apache2 Php Linux Ubuntu/Raspberry Pi x64 | x32 RPI 3 – 4

I certainly get a lot of attacks and nothing is ever really “Secure”.
That being said, there are some serious vulnerabilities running around, you might want to do some updating to your Apache Servers and Php.
After a recent batch of installs, I was able to exploit both Apache2 and Php pretty easily, so this will be common.

To test for the recent list of vulnerabilities and open exploits on Your Own Machines, you can run:

nmap -Pn -sV -p80 --script=vulners -oN output.txt 127.0.0.1

If you’re running several hosts:
nmap -Pn -sV -p80 –script=vulners -oN output.txt 192.168.1.0/24
This will scan your local network for any vulnerable hosts and sure enough, the new upgrades had some issues.

The Fix:

Linux Ubuntu (x64):

sudo add-apt-repository ppa:ondrej/apache2
sudo add-apt-repository ppa:ondrej/php

sudo apt update -y
sudo apt upgrade -y

This will work in just about every case – Except with the RPI3 Series.
This one’s a little longer, but it works and you can thank me later.

RPI 3B+ (x32/Jammy)

sudo apt-get install software-properties-common

Just In Case..

Apply Fix:

curl https://packages.sury.org/php/apt.gpg | sudo tee /usr/share/keyrings/suryphp-archive-keyring.gpg >/dev/null

echo "deb [signed-by=/usr/share/keyrings/suryphp-archive-keyring.gpg] https://packages.sury.org/php/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sury-php.list

curl https://packages.sury.org/apache2/apt.gpg | sudo tee /usr/share/keyrings/suryapache2-archive-keyring.gpg >/dev/null

echo "deb [signed-by=/usr/share/keyrings/suryapache2-archive-keyring.gpg] https://packages.sury.org/apache2/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/sury-apache2.list

sudo apt update -y
sudo apt upgrade -y

sudo systemctl restart apache2

Resources:
Sury.ORG (Highly Recommended)
https://sury.org/

NMap: (Do You Even Web?)
https://nmap.org/

Knowledge For Life Volume I

The Omniverse Library:
A diverse reading list from several topics.
The Omniverse Library boasts an extensive collection of resources covering a wide range of subjects, including science, history, philosophy, and the occult. Users can access a plethora of articles, books, research papers, manuscripts, and multimedia content curated from reputable sources worldwide.

Continuous Enrichment: The Omniverse Library is a dynamic platform continually enriched with new additions and updates. With regular contributions from experts, scholars, and content creators, the library remains a vital source of knowledge, fostering intellectual growth and exploration in an ever-evolving world.

Join the Quest for Knowledge: Embark on a journey of discovery and enlightenment with The Omniverse Library—an unparalleled digital repository where the boundaries of human understanding are transcended, and the pursuit of truth knows no bounds.

American & World History – Science – Philosophy – The Occult – Survival & Of Course.. some Miscreant Materials.
Carl Sagan – Isaac Newton – Nikola Tesla – Sun Tzu – Aleister Crowley – Karl Marx – Anarchist Cookbook – Bushcraft

Main Menu

Bionic Backdrop

Bionic Backdrop Digital Video Screen Media – Events, Rock Shows, DJ, Performances of Any Kind.
New Features Include A Hidden Drop Down Menu
(Mouse Over or Tap In The Top Black Header)
With Casting Support from Desktop or Mobile.
Tested on Chromium (Solid) and Firefox(Not Recommended)
Lyrics Library is active and still Beta (Opens in new window).
Binary Output is Currently Disabled (Beta Only)

Bionic Home Page

DSX Version 7-1.2.5 (DS7) “Pure SEO” Content Management System. (Release Update V7-1.2.5)

While this CMS is considered “Black Hat”, it is what it is and it works.
Search Engines have priorities in what ranks and what doesn’t rank and
the single most important things anyone who wants the Top Ten knows are,
that your pages have to load fast, your content has to be abundant, thick and most
of all Hypertext Links.

DSX Delivers on all aspects of Fast Ranking “Pure SEO” tactics that I’ve developed
over the last 20+ years as a Professional SEO Expert and I stand behind my work.
I’m offering DSX 7-1.2.5 at a Very affordable price because it’s very small at this
point and that makes it relatively easy for you to make more of it or if you’re patient,
wait for the next version with far more features.

Installation & Troubleshooting.

View Demo