Uses Shodan to locate HackingTeam C&C Servers.

Posted in Hacker News, Hacking Team, Tutorial's

TheItalianJob

Only releasing the fingerprints because they are burned to the fucking ground now. Fuck those HackingTeam Scumlords. It now returns no valid results due to C&C server shutdown, but releasing for historical reasons.

screenshot

Examples of past C&C servers…

124.217.245.26
65.111.181.108

Licence: WTFPL.

More fingerprints to add now that their sekret sauce is public thanks to our lord and saviour. If you go looking at other state surveillance malware, you can fingerprint their C&C servers just as easily. Most of them use either a weirdly configured web server or a fake web server that presents a particular banner as the C&C service, so they are easy to locate via Shodan or by zmapping the internet.

Requirements: the Shodan Python module and a Shodan API key (from Shodan, obviously).

pip install shodan

#!/usr/bin/python2
# coding: utf-8
# hackingteam_hunter: query Shodan for the Server banner the HackingTeam C&C
# hosts presented and print every host that returned it.
from __future__ import print_function
import shodan

# Raw string so the backslashes in the banner art are not treated as escapes.
print(r"""
 /$$$$$$$$ /$$                       /$$$$$$ /$$               /$$ /$$                              /$$$$$           /$$      
|__  $$__/| $$                      |_  $$_/| $$              | $$|__/                             |__  $$          | $$      
   | $$   | $$$$$$$   /$$$$$$         | $$ /$$$$$$    /$$$$$$ | $$ /$$  /$$$$$$  /$$$$$$$             | $$  /$$$$$$ | $$$$$$$ 
   | $$   | $$__  $$ /$$__  $$        | $$|_  $$_/   |____  $$| $$| $$ |____  $$| $$__  $$            | $$ /$$__  $$| $$__  $$
   | $$   | $$  \ $$| $$$$$$$$        | $$  | $$      /$$$$$$$| $$| $$  /$$$$$$$| $$  \ $$       /$$  | $$| $$  \ $$| $$  \ $$
   | $$   | $$  | $$| $$_____/        | $$  | $$ /$$ /$$__  $$| $$| $$ /$$__  $$| $$  | $$      | $$  | $$| $$  | $$| $$  | $$
   | $$   | $$  | $$|  $$$$$$$       /$$$$$$|  $$$$/|  $$$$$$$| $$| $$|  $$$$$$$| $$  | $$      |  $$$$$$/|  $$$$$$/| $$$$$$$/
   |__/   |__/  |__/ \_______/      |______/ \___/   \_______/|__/|__/ \_______/|__/  |__/       \______/  \______/ |_______/
                                     Using the SHODAN API to identify HackingTeam C&C Servers.
""")

SHODAN_API_KEY = ""  # API key here
api = shodan.Shodan(SHODAN_API_KEY)
try:
    # Search Shodan for the odd Apache/OpenSSL banner the C&C servers returned
    results = api.search('Apache/2.4.4 (Unix) OpenSSL/1.0.0g 290')

    # Show the results: total hit count, then one line per matching host
    print('{+} ITALIANS FOUND: %s' % results['total'])
    for result in results['matches']:
        print('{!} ITALIAN DISCOVERED: %s' % result['ip_str'])
        # hack(result['ip_str'].strip()) # h4v3 j00 th3 0bay w4r3z?!
except shodan.APIError as e:
    print('Error: %s' % e)
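The banner check the script relies on, done locally, as an added example that is not part of hackingteam_hunter or the original post. It covers both the fingerprinting idea from the paragraph above (an odd Server banner identifies the C&C) and the Shodan result handling in the script: the `total`, `matches[].ip_str` and `matches[].data` fields are Shodan's, the fingerprint string is the one from the post, and the sample banners and 192.0.2.x addresses are constructed. Because Shodan search is free-text rather than an exact header comparison, the example re-checks the exact Server header on each returned banner; the same check runs offline over banners captured by your own proxy or IDS.

```python
"""Local banner check for the HackingTeam C&C fingerprint (added example).

Works on raw HTTP banners, e.g. the `data` field of a Shodan result or a
response recorded by your own proxy/IDS, so the check also runs offline.
"""

# Fingerprint exactly as the post gives it: the Server header the C&C hosts
# returned ("290" is part of the banner, not an HTTP status code).
HT_SERVER_BANNER = "Apache/2.4.4 (Unix) OpenSSL/1.0.0g 290"


def server_header(raw_http):
    """Return the value of the Server header in a raw HTTP response, or None."""
    head = raw_http.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def matches_fingerprint(raw_http, fingerprint=HT_SERVER_BANNER):
    """True only when the Server header equals the fingerprint exactly."""
    return server_header(raw_http) == fingerprint


def ips_from_shodan_results(results, fingerprint=HT_SERVER_BANNER):
    """Filter a Shodan search() result dict down to hosts whose raw banner
    really carries the fingerprint. Shodan search is free-text, so the query
    alone can return near misses; ip_str and data are Shodan's field names."""
    return sorted(
        m["ip_str"]
        for m in results.get("matches", [])
        if matches_fingerprint(m.get("data", ""), fingerprint)
    )


# Constructed sample: the shape api.search() returns, trimmed to the fields
# used here. 192.0.2.0/24 is the RFC 5737 documentation range, not real hosts.
SAMPLE_RESULTS = {
    "total": 3,
    "matches": [
        {"ip_str": "192.0.2.10", "port": 443,
         "data": "HTTP/1.1 200 OK\r\nServer: " + HT_SERVER_BANNER
                 + "\r\nContent-Type: text/html\r\n\r\n"},
        # Near miss: same Apache/OpenSSL build without the "290" suffix.
        {"ip_str": "192.0.2.20", "port": 443,
         "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.4 (Unix) OpenSSL/1.0.0g\r\n\r\n"},
        # Header name casing differs (lower-case "server:") but value is exact.
        {"ip_str": "192.0.2.30", "port": 8443,
         "data": "HTTP/1.1 403 Forbidden\r\nserver: " + HT_SERVER_BANNER + "\r\n\r\n"},
    ],
}


if __name__ == "__main__":
    for ip in ips_from_shodan_results(SAMPLE_RESULTS):
        print("{!} fingerprint confirmed on %s" % ip)
```

Run on the sample it reports 192.0.2.10 and 192.0.2.30 and drops 192.0.2.20, which a plain Shodan query on the same string may well have returned. Feeding `ips_from_shodan_results` the dict from `api.search(...)` in the script above gives the same exact-match filtering on live results.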

Link: hackingteam_hunter GitHub

Source: hackingteam_hunter