Hacking John Doe


(Mweya Ruider) #1

Hacking John Doe:

A fictional tutorial about social engineering, recon, exploitation, and a complete lack of ethics. By @Ninja243

It’s a cold, dark night in your room. You know you shouldn’t be up this late, but you are, yet again. To pass time, and to wait for the erratic buzz of caffeine to wear off, you unlock your phone and open Kik (or some unofficial client) to see what’s new:

The messages start flowing in.

Of the three hundred lag messages from groups owned by the self-titled Kik God and his henchmen, one stood out: it was a message from an old friend, with whom you lost contact ages ago.

“I wonder what he wants,” you silently muse.

You read the message and his motives become clearer. One of your mutual friends seems to have been harassed yet again by one of the “Gods”, but – this time – one user went overboard and started issuing death threats.

After assuring your friend that all will be okay, you text your mutual friend to advise her to block the assailant. Next, you take a look at the information given to you. Although your friend is no specialist, he tried his best to dox the target. All he got was a list
of usernames the assailant used.

	-- Dox --

Names:		?
Usernames:	@Sm9obiBEb2U=
Static IP:	?
Location:	?

The second you read the usernames, you see a pattern. The equal signs at the end of each username look extremely suspicious. After doing some research, you try deciphering them (base64).

You copy and paste the usernames into your search engine. Gibberish is returned. Next, you decide to separate the usernames from the ‘at’ signs.

	@Sm9obiBEb2U=       -->     Sm9obiBEb2U=
	@akRhd2c=	    -->     akRhd2c=
	@Sm9obm55RA==       -->	    Sm9obm55RA==


Sm9obiBEb2U=       -->     John Doe
akRhd2c=	   -->     jDawg
Sm9obm55RA==       -->	   JohnnyD

Knowing his alias, you decide to say hi and try to get some more info out of him. You don’t want to scare him off or let him
know who you are, so you make another account (by getting an email address from another provider like Iway or Gmail) for messaging him.

Once logged in, your profile rich with misinformation, you send the message, “Hey x.”

Within mere seconds, he replies and you two start chatting. You boot up your laptop and go to an IP logging service. After following the onscreen prompts, you get a link. To avoid arousing suspicion, you head onto the Google URL Shortener.

To avoid false-positives, you look at the clicks on your logging URL and notice that two Google services have clicked on it.
You write down those IP addresses to avoid messing with the wrong servers. Finally, you send the link to John Doe.

“Lmao, a logger? Really?” is the reply.

You block John Doe and decide to retry the social engineering approach.

You make another account with a new email and alias. This time, you pick another logging service with a less conspicuous name and almost no trace on Google. You do this by getting an old device running Apache (computer or phone (in chrooted Kali), depending on if you know what you’re doing or not) and by buying an inconspicuous domain like ‘UrbanDicktionary.com’. Your homepage (index.php) looks like this:

<!-- This runs the Python3 script -->


echo exec("SuperCoolPythonScript ".$ip);


<!-- This redirects the assailant to the real site -->
<script type="text/javascript">window.location="http://urbandictionary.com"</script> 

The homepage first takes the visitor’s IP, then runs a Python script (called SuperCoolPythonScript) with the visitor’s IP as an argument.
The Python Script looks like this:

#! /usr/bin/python3

import sys, socket, os, urllib.request, requests

#global skid_ip, Location, x, URLDERP, locale

def Grab_IP():
                os.system('cls' if os.name == 'nt' else 'clear')
                print("                               Mweya's Doxing Service")
                if sys.argv[1] == "":
                        print("[!] No arguments given!\r\n    Usage: ./Derpify {SkidDNS}")
                        skid = sys.argv[1]
                        skid_ip = socket.gethostbyname(skid)
                        print("[Grabber:] The skid's IP is: "+skid_ip+"\r\n")
                        URLDERP = "http://ipinfo.io/"+skid_ip
                        global skid_ip, URLDERP
        except Exception as e:
                print("\r\n[!] "+str(e)+"\r\n")

def PortScan(port):
                con = s.connect((skid_ip, port))
                return True
                return False

def GeoLocate():
                Location = requests.get(URLDERP)
                SimpleLocation = Location.json()
                locale = SimpleLocation['loc']
                org = SimpleLocation['org']
                city = SimpleLocation['city']
                region = SimpleLocation['region']
                country = SimpleLocation['country']
                print("\r\n[Tracker:] Skid's GPS coordinates are "+locale)
                print("[Tracker:] Skid's ADSL lane is owned by "+org)
                print("[Tracker:] Skid seems to live in "+city+", "+region+", "+country+"\r\n")
                global locale, city, region, country, org

        except Exception as e:
                #print("\r\n[Tracker:] Couldn't track skid")
                print("\r\n[Tracker:] "+str(e))

def Log():
                AppendFile = open("/var/www/html/PrivTemp/Skids.txt", 'a')
                AppendFile.write("\r\n[Skid:]      IP: "+skid_ip)
                AppendFile.write("            GPS: "+locale)
                AppendFile.write("           City: "+city)
                AppendFile.write("         Region: "+region)
        except Exception as e:
        #       print("\r\n[!] Error writing to file!")
                print("\r\n[!] "+str(e))

def Log2():
                with open("/var/www/html/PrivTemp/Skids.txt", "a") as skids:
                        skids.write("[Skid:]      IP: "+skid_ip)
                        skids.write("            GPS: "+locale)
                        skids.write("           City: "+city)
                        skids.write("         Region: "+region+"\r")
                #       skids.close()
        except Exception as e:
                print("\r\n[!] "+str(e))

def main():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        for x in range(1, 65500):
                if PortScan(x):
                        print("[PortScan:] Port ",x," is open")
        #       else:
        #               print("[PortScan:] Port ",x," is closed")

def Format():
        if len(skid_ip)<14:
                skid_ip+=" "*(14-len(skid_ip))
        if len(locale)<16:
                locale+=" "*(16-len(locale))
        if len(city)<32:
                city+=" "*(32-len(city))
        if len(region)<32:
                region+=" "*(32-len(region))

The Python script takes the IP passed to it as an argument and then proceeds to use a free JSON service (ipinfo.io) to look it up before performing a primitive port scan. The results are logged in a file called “Skids.txt”.

After setting everything up, you decide to shift your conversation to weird redirects like loser.com and UrbanDicktionary.com
He is reluctant at first, but eventually clicks the link. The IP address and his GPS coordinates are saved.

“That’s weird,” you think as you paste his GPS coordinates into Google Maps.

While making sure that your info is accurate, using Shodan, and making sure you didn’t pick up the wrong IP by means of a “whois”, you realize that you got very lucky. John Doe is using mobile data, and the location of the IP is not his ISP’s server.

John Doe seems to be in a house a few blocks away from you. Therefore, you decide to pay him a visit.

You grab your car keys, laptop and an AirCrack-ng-compatible WiFi card. You drive past his house before parking a block away.
To avoid being detected, you turn off your car’s lights. Then, you turn your head and stare into the inky night at what might be John’s house. The house looks like a typical, two-story suburban house with white walls, a large fence-less yard and an American flag flying from the second floor.

You press the power button and wait for your laptop to boot into WeakerThan 7. Once it boots, you plug in your network card, make sure it’s detected by running ip link, and then start WarCarrier. You follow the on-screen prompts to start scanning, wait for the onboard GPS to connect and start the slow drive around the block. You pass the expected house, but knowing how inaccurate GeoIP is, you keep circling the block. You pass every house you can see before looking
at the time – it’s 1 AM; you go home.

The next day you look at the data collected by WarCarrier. It picked up multiple SSIDs and a couple of Bluetooth phones, one which was called “J0hn Ph0ne”. The phone’s icon on the map was very close to one access point, one which seemed isolated from the rest. The house of the SSID seemed to be as expected, with it’s white walls and fence-less garden.

The network’s security is WPA2, so you decide to pay John another visit. You park the car two blocks away and then wait for nightfall. Then, you disembark and lock the car before walking towards his house, stopping just before. You find a secluded spot and pull out your rooted Android cellphone with Debian and AirCrack-ng installed.

You find your wordlist, get comfortable and wait until you find the hash. (Although it could be easier if you get this working…)

Once you see the "WPA Handshake: " prompt, you revert the changes made to your network card and SSH into the server you used previously. After installing Aircrack-ng with a quick apt-get install aircrack-ng, you upload your hash using
an SFTP program, and you start cracking the hash. You leave your spot and drive home for the meantime.

As you arrive, you get a notification that the hash has finished cracking; The password is, “hackme”. Now, you set up a Raspberry Pi with a network card and power supply. You await sundown before visiting John once more.

This time, you connect your Pi and phone to the WiFi using the freshly-cracked credentials. You spoof your MAC addresses and look for a login page to the router. Finding it, you log in using the password from the access point. From the web menu, you
forward port 22 to your Raspberry Pi. You then set up an SSH Server, make sure your PI won’t run out of power, and then leave it there.

You decide to make an SSH tunnel and use the router’s settings to mess with his internet connection, delete his ADSL login details, and then change the router’s password.

After all this strenuous work, you send a single text to your old friend:

“I got him. He won’t be a problem anymore.”

The End

Cracking WPA - exploiting poor design techniques
IP Grabbing: Best Domain Names?
(Mweya Ruider) #2

Big thanks to @oaktree, @Abriaco and James Reed for reading through this and correcting the many errors it had :slight_smile:

(Not a N00b, but still learning) #3

One question: If you run a geolocation on a cell phone IP, would you ever be able to get the location of it? That would be a very serious privacy issue! And, though I know it’s only a story and you maybe wanted to keep your post short, only a skiddy would mess up the routers settings, when you could do so much more when you have access to the victims network! Altogether, nice and well written story! :slight_smile:

(Mweya Ruider) #4


About the phone, it happens every once in a while. I tried tracking my own phone using GeoIP on Mobile data, and I can confidently say that you do get the location of it if the phone is in Namibia. As soon as you go to South Africa though, GeoIP returns the carrier’s location, so the short answer is, it depends :slight_smile:

(Not a N00b, but still learning) #5

Hope this won’t happen in europe! :grin: Referring to the story, in this case you could still get his location through an browser exploit or social engineering (e.g. sending him a link to a website which has a valid reason to retrieve his location through the HTML5 geolocation API)

(Mweya Ruider) #6

Aah, I didn’t think about that, thanks

(Command-Line Ninja) #7

Ohhh mannn! This is so good. I literally love this so much. I would pay to read something like this. Once I picked it up I couldn’t put it down.

Nice work!


Man oh man! I’m really glad you’ve decided to take this project forward! Very well written, like @pry0cc said, when you start reading, you can’t put it down!


Just what I’ve been looking for! Keep it up!

(pico) #10

REMOTE_ADDR is the main variable to check for a client IP, but when connecting through a proxy server it will contain the proxy IP. Depending on the proxy server, another variables may be set. As far as I know, you should check in order:


(Mweya Ruider) #11

Thanks, I’ll look into that


@0x00pf You are right however, those variables can be easily spoofed so, their relevance can be questionable.


(pico) #13

Sure, it just increase your chances to get the IP…


Perhaps you could create something like this where you go after Jane Doe, John Doe’s sister except she’s smart and happens to use Tor with a VPN while having her MAC spoofed. Although it’s truly easier said than done.

(Command-Line Ninja) #15

I don’t mean to be impatient, but can we expect another one of these soon? They’re so badass and I’m itching xD

(Mweya Ruider) #16

Unfortunately not due to the fact that I’m extremely busy with school and after school tutors, so I simply don’t have the time.

But if you (or anyone else) would like to add to this, make a second installment or use this elsewhere, then please do!

(Left) #17

Whenever you get free time, add on to this. It is so goooood and well written!


Rather then urbandiktionary, a name like www.mircosoft.com is way harder to notice the error.
Check the following sentence

i wnet sohpping whit smoe freinds at the mall wihle tehre are spleling mistkaes its qutie easy to raed.

This is because all the letters are in the words and the first and last letters are correct.

(Mweya Ruider) #19

That’s pretty good!

I stared at the link for longer than I’m proud of (trying to figure out what was wrong), so, I’m pretty confident your approach would work. Thanks for the share!

(Command-Line Ninja) #20

You know. Spelling Matters.