Hexboy
Member
- Jul 16, 2015
So I noticed that this was bare and decided to do something about it and started to do some hunting.
This is what I did and I think I have found a few.
What you will need:
Linux
Masscan (https://github.com/robertdavidgraham/masscan)
My attached scripts (Python for Windows)
An IRC client (mIRC)
Sterilizer:
Code:
import re

fname = "botnets.txt"
outputfile = "clean_botnets.txt"

def Main():
    # Sterilize the raw masscan XML log into a single IP per line
    with open(fname) as f, open(outputfile, 'a') as cleanfile:
        for line in f:
            if "address addr=" not in line:
                continue
            # Pull the value of the addr="..." attribute
            ip = re.findall(r'address addr="([^"]*)" add', line)
            if ip:
                cleanfile.write(ip[0] + "\n")
    print("Done.")

Main()
Banner Grabber:
Code:
import socket
from threading import Thread

filename = "clean_botnets.txt"
resultFile = "results_botnets.txt"
port = 6667

def main(x):
    # Each thread re-reads the list and handles the host on line x
    with open(filename) as f:
        lines = f.readlines()
    newline = lines[x].rstrip("\r\n")
    grab_banner(newline)

def file_len():
    # Count the lines (hosts) in the input file
    i = -1
    with open(filename) as f:
        for i, l in enumerate(f):
            pass
    return i + 1

def grab_banner(currentIp):
    try:
        s = socket.socket()
        s.settimeout(1)
        s.connect((currentIp, port))
        banner = s.recv(1024).decode("latin-1")
        s.close()
        #print(currentIp + ':' + banner)
        with open(resultFile, 'a') as results:
            results.write(currentIp + ':' + banner + "\n")
    except Exception:
        # Hosts that refuse the connection or time out are skipped
        pass

countOfLines = file_len()
for x in range(0, countOfLines):
    thread = Thread(target=main, args=[x])
    thread.start()
What to do:
1. Run masscan (check out the git for more info on the commands).
Code:
masscan 103.42.224.42/16 -p6665-6667 --banners -oX botnets.txt
2. Once complete, run your file through the sterilizer; be sure to set the input and output files in the script.
3. Then set the port, inputfile and outputfile in bannergrab and launch.
I have been opening the result file in Notepad++, as it alerts when the file changes, so you can monitor it for updates, aka BOTNETS (maybe).
Here is an example of what I got when I ran 1/4 of the hosts from the above results:
203.28.168.228::whitecore-sim.org NOTICE AUTH :*** Looking up your hostname...
:whitecore-sim.org NOTICE AUTH :*** Checking Ident
203.28.168.228:ERROR :Trying to reconnect too fast.
203.198.75.129::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
203.144.4.132:
203.183.217.153::irc.prime100.com NOTICE * :*** Looking up your hostname...
203.198.75.129::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
:irc.foonet.com NOTICE AUTH :*** Found your hostname (cached)
203.183.217.153::irc.prime100.com NOTICE * :*** Looking up your hostname...
203.198.160.233::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
203.45.199.110:
203.126.147.121:
203.47.6.6:SSH-2.0-OpenSSH_3.9p1
203.144.4.132:
203.144.4.132:
203.198.185.118::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
203.180.170.190:SSH-1.5-Server
203.58.93.40:NOTICE AUTH :*** Processing connection to irc1.riverwillow.net.au
203.183.46.41::irc.prime100.com NOTICE * :*** Looking up your hostname...
203.80.251.70::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
It's pretty dirty; I did all this in maybe 30 minutes. I'll get around to doing it in C# maybe tonight or tomorrow and make a video.
When you find one, it's mostly a matter of connecting with your IRC client and attempting to sniff out the commands. You could also make/use a bot to do this and attempt to steal the zombies at some point.
Anyway, hope this wasn't too scrappy and makes some sense.
Peace!
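Added example, not part of the original post: a parser for the `ip:banner` result format shown above that labels what actually answered on each host, as one would when auditing address space one is responsible for. An open port 6667 can be SSH or silent, and a `NOTICE AUTH` line is just a standard ircd registration notice. The sample data, the label names and the function names are constructed for illustration, and IPv4-only input is assumed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the post's "ip:banner" layout (documentation address
# ranges and example hostnames, not real scan output).
SAMPLE = """\
192.0.2.10::irc.example.net NOTICE AUTH :*** Looking up your hostname...
:irc.example.net NOTICE AUTH :*** Checking Ident
192.0.2.10:ERROR :Trying to reconnect too fast.
198.51.100.7:
203.0.113.5:SSH-2.0-OpenSSH_3.9p1
203.0.113.9:NOTICE AUTH :*** Processing connection to irc.example.org
198.51.100.7:
"""

# IRC message: optional ":prefix ", then a command word or 3-digit numeric.
IRC_RE = re.compile(r"^(?::\S+ )?(?:NOTICE|ERROR|PING|\d{3}) ")

def classify(banner):
    if not banner.strip():
        return "silent"   # port accepted the connection but sent nothing
    if banner.startswith("SSH-"):
        return "ssh"      # SSH identification string, not IRC at all
    return "irc" if IRC_RE.match(banner) else "other"

def parse_results(text):
    """Map each IPv4 host to the set of labels seen for it."""
    seen, current = defaultdict(set), None
    for line in text.splitlines():
        head, _, rest = line.partition(":")
        try:
            ipaddress.IPv4Address(head)
        except ValueError:
            # No leading address: a further line of the previous banner.
            if current is not None and line.strip():
                seen[current].add(classify(line))
            continue
        current = head
        seen[current].add(classify(rest))
    return dict(seen)

def summarize(results):
    """Count hosts per label (a host with mixed answers counts in each)."""
    return dict(Counter(label for labels in results.values() for label in labels))

if __name__ == "__main__":
    for ip, labels in sorted(parse_results(SAMPLE).items()):
        print(ip, sorted(labels))
```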