Hacking John Doe:
A fictional tutorial about social engineering, recon, exploitation, and a complete lack of ethics. By @Ninja243
It’s a cold, dark night in your room. You know you shouldn’t be up this late, but you are, yet again. To pass time, and to wait for the erratic buzz of caffeine to wear off, you unlock your phone and open Kik (or some unofficial client) to see what’s new:
The messages start flowing in.
Of the three hundred lag messages from groups owned by the self-titled Kik God and his henchmen, one stood out: it was a message from an old friend, with whom you lost contact ages ago.
“I wonder what he wants,” you silently muse.
You read the message and his motives become clearer. One of your mutual friends seems to have been harassed yet again by one of the “Gods”, but – this time – one user went overboard and started issuing death threats.
After assuring your friend that all will be okay, you text your mutual friend to advise her to block the assailant. Next, you take a look at the information given to you. Although your friend is no specialist, he tried his best to dox the target. All he got was a list
of usernames the assailant used.
-- Dox --
Names: ?
Usernames: @Sm9obiBEb2U=
@akRhd2c=
@Sm9obm55RA==
Static IP: ?
Location: ?
The second you read the usernames, you see a pattern. The equal signs at the end of each username look extremely suspicious. After doing some research, you try deciphering them (base64).
You copy and paste the usernames into your search engine. Gibberish is returned. Next, you decide to separate the usernames from the ‘at’ signs.
@Sm9obiBEb2U= --> Sm9obiBEb2U=
@akRhd2c= --> akRhd2c=
@Sm9obm55RA== --> Sm9obm55RA==
Bingo.
Sm9obiBEb2U= --> John Doe
akRhd2c= --> jDawg
Sm9obm55RA== --> JohnnyD
Knowing his alias, you decide to say hi and try to get some more info out of him. You don’t want to scare him off or let him
know who you are, so you make another account (by getting an email address from another provider like Iway or Gmail) for messaging him.
Once logged in, your profile rich with misinformation, you send the message, “Hey x.”
Within mere seconds, he replies and you two start chatting. You boot up your laptop and go to an IP logging service. After following the onscreen prompts, you get a link. To avoid arousing suspicion, you head onto the Google URL Shortener.
To avoid false-positives, you look at the clicks on your logging URL and notice that two Google services have clicked on it.
You write down those IP addresses to avoid messing with the wrong servers. Finally, you send the link to John Doe.
“Lmao, a logger? Really?” is the reply.
You block John Doe and decide to retry the social engineering approach.
You make another account with a new email and alias. This time, you pick another logging service with a less conspicuous name and almost no trace on Google. You do this by getting an old device running Apache (computer or phone (in chrooted Kali), depending on if you know what you’re doing or not) and by buying an inconspicuous domain like ‘UrbanDicktionary.com’. Your homepage (index.php) looks like this:
<!-- This runs the Python3 script -->
<?php
$ip = $_SERVER['REMOTE_ADDR'];
echo exec("SuperCoolPythonScript ".$ip);
?>
<!-- This redirects the assailant to the real site -->
<script type="text/javascript">window.location="http://urbandictionary.com"</script>
The homepage first takes the visitor’s IP, then runs a Python script (called SuperCoolPythonScript) with the visitor’s IP as an argument.
The Python Script looks like this:
#! /usr/bin/python3
import sys, socket, os, urllib.request, requests
#global skid_ip, Location, x, URLDERP, locale
def Grab_IP():
try:
os.system('cls' if os.name == 'nt' else 'clear')
print("-----------------------------------------------------------------------------------")
print(" Mweya's Doxing Service")
print("-----------------------------------------------------------------------------------\r\n")
if sys.argv[1] == "":
print("[!] No arguments given!\r\n Usage: ./Derpify {SkidDNS}")
else:
skid = sys.argv[1]
skid_ip = socket.gethostbyname(skid)
print("[Grabber:] The skid's IP is: "+skid_ip+"\r\n")
URLDERP = "http://ipinfo.io/"+skid_ip
global skid_ip, URLDERP
except Exception as e:
print("\r\n[!] "+str(e)+"\r\n")
def PortScan(port):
try:
con = s.connect((skid_ip, port))
return True
except:
return False
def GeoLocate():
try:
Location = requests.get(URLDERP)
SimpleLocation = Location.json()
locale = SimpleLocation['loc']
org = SimpleLocation['org']
city = SimpleLocation['city']
region = SimpleLocation['region']
country = SimpleLocation['country']
print("\r\n[Tracker:] Skid's GPS coordinates are "+locale)
print("[Tracker:] Skid's ADSL lane is owned by "+org)
print("[Tracker:] Skid seems to live in "+city+", "+region+", "+country+"\r\n")
global locale, city, region, country, org
except Exception as e:
#print("\r\n[Tracker:] Couldn't track skid")
print("\r\n[Tracker:] "+str(e))
def Log():
try:
AppendFile = open("/var/www/html/PrivTemp/Skids.txt", 'a')
AppendFile.write("\r\n[Skid:] IP: "+skid_ip)
AppendFile.write(" GPS: "+locale)
AppendFile.write(" City: "+city)
AppendFile.write(" Region: "+region)
AppendFile.write("\r\n")
AppendFile.close()
except Exception as e:
# print("\r\n[!] Error writing to file!")
print("\r\n[!] "+str(e))
def Log2():
try:
with open("/var/www/html/PrivTemp/Skids.txt", "a") as skids:
skids.write("[Skid:] IP: "+skid_ip)
skids.write(" GPS: "+locale)
skids.write(" City: "+city)
skids.write(" Region: "+region+"\r")
# skids.close()
except Exception as e:
print("\r\n[!] "+str(e))
def main():
Grab_IP()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
for x in range(1, 65500):
if PortScan(x):
print("[PortScan:] Port ",x," is open")
# else:
# print("[PortScan:] Port ",x," is closed")
GeoLocate()
try:
Format()
except:
pass
Log2()
def Format():
if len(skid_ip)<14:
skid_ip+=" "*(14-len(skid_ip))
if len(locale)<16:
locale+=" "*(16-len(locale))
if len(city)<32:
city+=" "*(32-len(city))
if len(region)<32:
region+=" "*(32-len(region))
The Python script takes the IP passed to it as an argument and then proceeds to use a free JSON service (ipinfo.io) to look it up before performing a primitive port scan. The results are logged in a file called “Skids.txt”.
After setting everything up, you decide to shift your conversation to weird redirects like loser.com and UrbanDicktionary.com
He is reluctant at first, but eventually clicks the link. The IP address and his GPS coordinates are saved.
“That’s weird,” you think as you paste his GPS coordinates into Google Maps.
While making sure that your info is accurate, using Shodan, and making sure you didn’t pick up the wrong IP by means of a “whois”, you realize that you got very lucky. John Doe is using mobile data, and the location of the IP is not his ISP’s server.
John Doe seems to be in a house a few blocks away from you. Therefore, you decide to pay him a visit.
You grab your car keys, laptop and an AirCrack-ng-compatible WiFi card. You drive past his house before parking a block away.
To avoid being detected, you turn off your car’s lights. Then, you turn your head and stare into the inky night at what might be John’s house. The house looks like a typical, two-story suburban house with white walls, a large fence-less yard and an American flag flying from the second floor.
You press the power button and wait for your laptop to boot into WeakerThan 7. Once it boots, you plug in your network card, make sure it’s detected by running ip link, and then start WarCarrier. You follow the on-screen prompts to start scanning, wait for the onboard GPS to connect and start the slow drive around the block. You pass the expected house, but knowing how inaccurate GeoIP is, you keep circling the block. You pass every house you can see before looking
at the time – it’s 1 AM; you go home.
The next day you look at the data collected by WarCarrier. It picked up multiple SSIDs and a couple of Bluetooth phones, one which was called “J0hn Ph0ne”. The phone’s icon on the map was very close to one access point, one which seemed isolated from the rest. The house of the SSID seemed to be as expected, with it’s white walls and fence-less garden.
The network’s security is WPA2, so you decide to pay John another visit. You park the car two blocks away and then wait for nightfall. Then, you disembark and lock the car before walking towards his house, stopping just before. You find a secluded spot and pull out your rooted Android cellphone with Debian and AirCrack-ng installed.
You find your wordlist, get comfortable and wait until you find the hash. (Although it could be easier if you get this working…)
Once you see the "WPA Handshake: " prompt, you revert the changes made to your network card and SSH into the server you used previously. After installing Aircrack-ng with a quick apt-get install aircrack-ng, you upload your hash using
an SFTP program, and you start cracking the hash. You leave your spot and drive home for the meantime.
As you arrive, you get a notification that the hash has finished cracking; The password is, “hackme”. Now, you set up a Raspberry Pi with a network card and power supply. You await sundown before visiting John once more.
This time, you connect your Pi and phone to the WiFi using the freshly-cracked credentials. You spoof your MAC addresses and look for a login page to the router. Finding it, you log in using the password from the access point. From the web menu, you
forward port 22 to your Raspberry Pi. You then set up an SSH Server, make sure your PI won’t run out of power, and then leave it there.
You decide to make an SSH tunnel and use the router’s settings to mess with his internet connection, delete his ADSL login details, and then change the router’s password.
After all this strenuous work, you send a single text to your old friend:
“I got him. He won’t be a problem anymore.”
The End
Referring to the story, in this case you could still get his location through an browser exploit or social engineering (e.g. sending him a link to a website which has a valid reason to retrieve his location 