
Hunting Cyber Criminals

A Hacker's Guide to Online Intelligence Gathering Tools and Techniques

Vinny Troia

$65.95

Paperback


English
John Wiley & Sons Inc
24 January 2020
The skills and tools for collecting, verifying and correlating information from different types of systems are essential when tracking down hackers. This book explores Open Source Intelligence Gathering (OSINT) inside out from multiple perspectives, including those of hackers and seasoned intelligence experts. OSINT refers to the techniques and tools required to harvest publicly available data concerning a person or an organization. With several years of experience tracking hackers with OSINT, the author whips up a classical plot-line involving a hunt for a threat actor. While taking the audience through the thrilling investigative drama, the author immerses them in in-depth knowledge of state-of-the-art OSINT tools and techniques. Technical users will want a basic understanding of the Linux command line in order to follow the examples, but a person with no Linux or programming experience can still gain a lot from this book through the commentaries.

This book’s unique digital investigation proposition is a combination of story-telling, tutorials, and case studies. The book explores digital investigation from multiple angles:

Through the eyes of the author, who has several years of experience in the subject.

Through the mind of the hacker, who collects massive amounts of data from multiple online sources to identify targets as well as ways to hit the targets.

Through the eyes of industry leaders.

This book is ideal for:

Investigation professionals, forensic analysts, and CISO/CIO and other executives wanting to understand the mindset of a hacker and how seemingly harmless information can be used to target their organization.

Security analysts, forensic investigators, and SOC teams looking for new approaches on digital investigations from the perspective of collecting and parsing publicly available information.

CISOs and defense teams will find this book useful because it takes the perspective of infiltrating an organization from the mindset of a hacker. The commentary provided by outside experts will also provide them with ideas to further protect their organization’s data.

By:   Vinny Troia
Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 234mm,  Width: 188mm,  Spine: 31mm
Weight:   771g
ISBN:   9781119540922
ISBN 10:   1119540925
Pages:   544
Publication Date:   24 January 2020
Audience:   Professional and scholarly ,  Undergraduate
Format:   Paperback
Publisher's Status:   Active
TABLE OF CONTENTS

Prologue xxv

Chapter 1 Getting Started 1
  Why This Book is Different 2
  What You Will and Won’t Find in This Book 2
  Getting to Know Your Fellow Experts 3
  A Note on Cryptocurrencies 4
  What You Need to Know 4
  Paid Tools and Historical Data 5
  What about Maltego? 5
  Prerequisites 5
  Know How to Use and Configure Linux 5
  Get Your API Keys in Order 6
  Important Resources 6
  OSINT Framework 6
  OSINT.link 6
  IntelTechniques 7
  Termbin 8
  Hunchly 9
  Wordlists and Generators 9
  SecLists 9
  Cewl 10
  Crunch 10
  Proxies 10
  Storm Proxies (Auto-Rotating) 10
  Cryptocurrencies 101 11
  How Do Cryptocurrencies Work? 12
  Blockchain Explorers 13
  Following the Money 15
  Identifying Exchanges and Traders 17
  Summary 18

Chapter 2 Investigations and Threat Actors 19
  The Path of an Investigator 19
  Go Big or Go Home 20
  The Breach That Never Happened 21
  What Would You Do? 22
  Moral Gray Areas 24
  Different Investigative Paths 25
  Investigating Cyber Criminals 26
  The Beginning of the Hunt (for TDO) 27
  The Dark Overlord 27
  List of Victims 28
  A Brief Overview 29
  Communication Style 30
  Group Structure and Members 30
  Cyper 31
  Arnie 32
  Cr00k (Ping) 35
  NSA (Peace of Mind) 36
  The Dark Overlord 38
  Summary 41

Part I Network Exploration 43

Chapter 3 Manual Network Exploration 45
  Chapter Targets: Pepsi.com and Cyper.org 46
  Asset Discovery 46
  ARIN Search 47
  Search Engine Dorks 48
  DNSDumpster 49
  Hacker Target 52
  Shodan 53
  Censys (Subdomain Finder) 56
  Censys Subdomain Finder 56
  Fierce 57
  Sublist3r 58
  Enumall 59
  Results 60
  Phishing Domains and Typosquatting 61
  Summary 64

Chapter 4 Looking for Network Activity (Advanced NMAP Techniques) 67
  Getting Started 67
  Preparing a List of Active Hosts 68
  Full Port Scans Using Different Scan Types 68
  TCP Window Scan 70
  Working against Firewalls and IDS 70
  Using Reason Response 71
  Identifying Live Servers 71
  Firewall Evasion 73
  Distributed Scanning with Proxies and TOR 73
  Fragmented Packets/MTU 74
  Service Detection Trick 74
  Low and Slow 76
  Bad Checksums, Decoy, and Random Data 76
  Firewalking 79
  Comparing Results 79
  Styling NMAP Reports 81
  Summary 82

Chapter 5 Automated Tools for Network Discovery 83
  SpiderFoot 84
  SpiderFoot HX (Premium) 91
  Intrigue.io 95
  Entities Tab 96
  Analyzing uberpeople.net 99
  Analyzing the Results 104
  Exporting Your Results 105
  Recon-NG 107
  Searching for Modules 111
  Using Modules 111
  Looking for Ports with Shodan 115
  Summary 116

Part II Web Exploration 119

Chapter 6 Website Information Gathering 121
  BuiltWith 121
  Finding Common Sites Using Google Analytics Tracker 123
  IP History and Related Sites 124
  Webapp Information Gatherer (WIG) 124
  CMSMap 129
  Running a Single Site Scan 130
  Scanning Multiple Sites in Batch Mode 130
  Detecting Vulnerabilities 131
  WPScan 132
  Dealing with WAFs/WordPress Not Detected 136
  Summary 141

Chapter 7 Directory Hunting 143
  Dirhunt 143
  Wfuzz 146
  Photon 149
  Crawling a Website 151
  Intrigue.io 152
  Summary 157

Chapter 8 Search Engine Dorks 159
  Essential Search Dorks 160
  The Minus Sign 160
  Using Quotes 160
  The site: Operator 161
  The intitle: Operator 161
  The allintitle: Operator 162
  The filetype: Operator 162
  The inurl: Operator 163
  The cache: Operator 165
  The allinurl: Operator 165
  The filename: Operator 165
  The intext: Operator 165
  The Power of the Dork 166
  Don’t Forget about Bing and Yahoo! 169
  Automated Dorking Tools 169
  Inurlbr 169
  Using Inurlbr 171
  Summary 173

Chapter 9 WHOIS 175
  WHOIS 175
  Uses for WHOIS Data 176
  Historical WHOIS 177
  Searching for Similar Domains 177
  Namedroppers.com 177
  Searching for Multiple Keywords 179
  Advanced Searches 181
  Looking for Threat Actors 182
  Whoisology 183
  Advanced Domain Searching 187
  Worth the Money? Absolutely 188
  DomainTools 188
  Domain Search 188
  Bulk WHOIS 189
  Reverse IP Lookup 189
  WHOIS Records on Steroids 190
  WHOIS History 192
  The Power of Screenshots 193
  Digging into WHOIS History 193
  Looking for Changes in Ownership 194
  Reverse WHOIS 196
  Cross-Checking All Information 197
  Summary 199

Chapter 10 Certificate Transparency and Internet Archives 201
  Certificate Transparency 201
  What Does Any of This Have to Do with Digital Investigations? 202
  Scouting with CTFR 202
  Crt.sh 204
  CT in Action: Side-stepping Cloudflare 204
  Testing More Targets 208
  CloudFlair (Script) and Censys 209
  How Does It Work? 210
  Wayback Machine and Search Engine Archives 211
  Search Engine Caches 212
  CachedView.com 214
  Wayback Machine Scraper 214
  Enum Wayback 215
  Scraping Wayback with Photon 216
  Archive.org Site Search URLs 217
  Wayback Site Digest: A List of Every Site URL Cached by Wayback 219
  Summary 220

Chapter 11 Iris by DomainTools 221
  The Basics of Iris 221
  Guided Pivots 223
  Configuring Your Settings 223
  Historical Search Setting 224
  Pivootttt!!! 225
  Pivoting on SSL Certificate Hashes 227
  Keeping Notes 228
  WHOIS History 230
  Screenshot History 232
  Hosting History 232
  Bringing It All Together 234
  A Major Find 240
  Summary 241

Part III Digging for Gold 243

Chapter 12 Document Metadata 245
  Exiftool 246
  Metagoofil 248
  Recon-NG Metadata Modules 250
  Metacrawler 250
  Interesting_Files Module 252
  Pushpin Geolocation Modules 254
  Intrigue.io 257
  FOCA 261
  Starting a Project 262
  Extracting Metadata 263
  Summary 266

Chapter 13 Interesting Places to Look 267
  TheHarvester 268
  Running a Scan 269
  Paste Sites 273
  Psbdmp.ws 273
  Forums 274
  Investigating Forum History (and TDO) 275
  Following Breadcrumbs 276
  Tracing Cyper’s Identity 278
  Code Repositories 280
  SearchCode.com 281
  Searching for Code 282
  False Negatives 283
  Gitrob 284
  Git Commit Logs 287
  Wiki Sites 288
  Wikipedia 289
  Summary 292

Chapter 14 Publicly Accessible Data Storage 293
  The Exactis Leak and Shodan 294
  Data Attribution 295
  Shodan’s Command-Line Options 296
  Querying Historical Data 296
  CloudStorageFinder 298
  Amazon S3 299
  Digital Ocean Spaces 300
  NoSQL Databases 301
  MongoDB 302
  Robot 3T 302
  Mongo Command-Line Tools 305
  Elasticsearch 308
  Querying Elasticsearch 308
  Dumping Elasticsearch Data 311
  NoScrape 311
  MongoDB 313
  Elasticsearch 314
  Scan 314
  Search 315
  Dump 317
  MatchDump 317
  Cassandra 318
  Amazon S3 320
  Using Your Own S3 Credentials 320
  Summary 321

Part IV People Hunting 323

Chapter 15 Researching People, Images, and Locations 325
  PIPL 326
  Searching for People 327
  Public Records and Background Checks 330
  Ancestry.com 331
  Threat Actors Have Dads, Too 332
  Criminal Record Searches 332
  Image Searching 333
  Google Images 334
  Searching for Gold 335
  Following the Trail 335
  TinEye 336
  EagleEye 340
  Searching for Images 340
  Cree.py and Geolocation 343
  Getting Started 343
  IP Address Tracking 346
  Summary 347

Chapter 16 Searching Social Media 349
  OSINT.rest 350
  Another Test Subject 355
  Twitter 357
  SocialLinks: For Maltego Users 358
  Skiptracer 361
  Running a Search 361
  Searching for an Email Address 361
  Searching for a Phone Number 364
  Searching Usernames 366
  One More Username Search 368
  Userrecon 370
  Reddit Investigator 372
  A Critical “Peace” of the TDO Investigation 374
  Summary 375

Chapter 17 Profile Tracking and Password Reset Clues 377
  Where to Start (with TDO)? 377
  Building a Profile Matrix 378
  Starting a Search with Forums 379
  Ban Lists 381
  Social Engineering 381
  SE’ing Threat Actors: The “Argon” Story 383
  Everyone Gets SE’d—a Lesson Learned 387
  The End of TDO and the KickAss Forum 388
  Using Password Reset Clues 390
  Starting Your Verification Sheet 391
  Gmail 391
  Facebook 393
  PayPal 394
  Twitter 397
  Microsoft 399
  Instagram 400
  Using jQuery Website Responses 400
  ICQ 403
  Summary 405

Chapter 18 Passwords, Dumps, and Data Viper 407
  Using Passwords 408
  Completing F3ttywap’s Profile Matrix 409
  An Important Wrong Turn 412
  Acquiring Your Data 413
  Data Quality and Collections 1–5 413
  Always Manually Verify the Data 415
  Where to Find Quality Data 420
  Data Viper 420
  Forums: The Missing Link 421
  Identifying the Real “Cr00k” 422
  Tracking Cr00k’s Forum Movements 423
  Timeline Analysis 423
  The Eureka Moment 427
  Vanity over OPSEC, Every Time 429
  Why This Connection is Significant 429
  Starting Small: Data Viper 1.0 430
  Summary 431

Chapter 19 Interacting with Threat Actors 433
  Drawing Them Out of the Shadows 433
  Who is WhitePacket? 434
  The Bev Robb Connection 435
  Stradinatras 436
  Obfuscation and TDO 437
  Who is Bill? 439
  So Who Exactly is Bill? 440
  YoungBugsThug 440
  How Did I Know It Was Chris? 441
  A Connection to Mirai Botnet? 442
  Why Was This Discovery So Earth-Shattering? 444
  Question Everything! 445
  Establishing a Flow of Information 446
  Leveraging Hacker Drama 447
  Was Any of That Real? 448
  Looking for Other Clues 449
  Bringing It Back to TDO 450
  Resolving One Final Question 451
  Withdrawing Bitcoin 451
  Summary 452

Chapter 20 Cutting through the Disinformation of a 10-Million-Dollar Hack 453
  GnosticPlayers 454
  Sites Hacked by GnosticPlayers 456
  Gnostic’s Hacking Techniques 457
  GnosticPlayers’ Posts 459
  GnosticPlayers2 Emerges 461
  A Mysterious Third Member 462
  NSFW/Photon 463
  The Gloves Come Off 464
  Making Contact 465
  Gabriel/Bildstein aka Kuroi’sh 465
  Contacting His Friends 467
  Weeding through Disinformation 468
  Verifying with Wayback 468
  Bringing It All Together 469
  Data Viper 469
  Trust but Verify 472
  Domain Tools’ Iris 474
  Verifying with a Second Data Source 475
  The End of the Line 476
  What Really Happened? 476
  Outofreach 476
  Kuroi’sh Magically Appears 477
  What I Learned from Watching Lost 477
  Who Hacked GateHub? 478
  Unraveling the Lie 479
  Was Gabriel Involved? My Theory 479
  Gabriel is Nclay: An Alternate Theory 479
  All Roads Lead Back to NSFW 480
  Summary 481

Epilogue 483

Index 487

ABOUT THE AUTHOR

VINNY TROIA is a cybersecurity evangelist and hacker with Night Lion Security. He is an acknowledged expert in digital forensics investigations, security strategies, and security breach remediation. Vinny possesses deep knowledge of industry-standard security and compliance controls, is frequently seen providing security expertise on major TV and radio networks, and recently introduced Data Viper, his own threat intelligence and cyber-criminal hunting platform.
