# I bought a PHISHING website from the DARKWEB. Here's what I found...

## Metadata

- **Channel:** cybercdh
- **YouTube:** https://www.youtube.com/watch?v=SMKHIPEcKx8
- **Source:** https://ekstraktznaniy.ru/video/38674

## Transcript

### Segment 1 (00:00 - 05:00) [0:00]

So it's no secret that the dark web is a hotbed of criminal activity. More than half of the websites on the dark web relate to illicit content: you can buy drugs, credit card details, hacked accounts; you can also buy malware which will help you break into the computers of major organizations. But there are, of course, legitimate uses for the dark web. Legit content is served on it; you can even access stuff like Facebook through their very own dedicated online dark web onion site. But today I'm going to share with you the experience I had when I bought some code to host a phishing website from a dark web marketplace known as WHM, White House Market. It's a pretty interesting experience. What I got for my money wasn't really what I expected, so let's dive in and take a look.

Okay, let's just get some terminology out of the way. Firstly, the regular internet that we all know and love is also referred to as the surface web, and being on the surface means that everyone can see the content. This is stuff which is indexed by search engines such as Google, so you can just see the results without having to go through any kind of authentication. Next we've got the deep web, and the deep web is where stuff behind authentication sits, so you might have to log in to view the information, you might have to pay; stuff like your online banking, which is not searchable, not indexed by a Google search engine, for example. And then you have the dark web. This area of the internet is part of the deep web. It also requires some special software to make the connection to this part of the internet, and that software will use techniques to hide the true origin of your web traffic. Also, the websites that operate on the dark web will operate under the TLD, the top-level domain, of .onion. But you can still browse the clearweb, or the surface web, whatever you want to call it, using the dark web. So all the terminology gets a bit messy, but just know that there are these three portions of the internet.

So you can see what I bought here. This is a NatWest phishing page, and NatWest is a popular UK bank. You can also see the details of the vendor: this vendor is Gold Apple, they have 93 percent positive ratings and over a thousand sales. You can also see the price as well, which is in Monero: 0.02 Monero, which equates to about five US dollars. Okay, so once I order the phishing page I'm instructed to send a very specific amount of Monero to a particular wallet. The wallet in question is encrypted with PGP, and I need to use the seller's key to decrypt it first before I know where to send it. Once I've done that, I then use my Binance account to trade some Bitcoin for some Monero, and then use my Binance account again to send the specific amount to that particular wallet of the sender. When I do, I get some automated messages back from White House Market to tell me that the transaction is complete, and what I end up with is a message from the seller which just decrypts to a download link, which is meant to be the phishing kit and also a tutorial.

Okay, so let's take a look at what the phishing page should look like. This is the genuine NatWest online banking services login page; hopefully the phishing kit that I've bought looks a little bit similar to this. And so what I've got here is my virtual machine. I've got the PHP code which I've downloaded from the adversary, and what I'm going to do is run a PHP web server, navigate to my localhost and, lo and behold, I don't see anything but some errors. So we need to zoom in and pick this apart.

Okay, so here we are in my virtual machine, and we can see the errors that are being thrown. You can see that I've got an error on line two of my PHP page for index.php, and the problem is an undefined constant t. So something is not loading. So let's take a look here: I've got the code in my text editor here, in Sublime Text, and we can see index.php. We also can see the rest of the files; we've got some images, some gif, some CSS, etc., which we'll cover shortly. Let's focus on index for now. We can see that there's this variable echo which looks like it's just a string that's being concatenated with the time and date, but this is the variable t that the PHP interpreter doesn't like. But it looks like the intention is just to redirect the user to default.php, so maybe PHP has moved on a little bit in how it requires these variables to be declared. I'm no PHP expert, but it doesn't look quite right to me. So what we'll do is we'll just try and go to default.php ourselves and see what happens, and we can see again we don't get anything. So I'm a little bit disappointed as a customer. If I'd bought this as a genuine product on a genuine marketplace I might be a little bit annoyed right now, because I've got something which is not what it seems to be, I didn't get this tutorial that they promised me, and I'm just getting some blank screens and some errors. Okay, so here's

### Segment 2 (05:00 - 10:00) [5:00]

what the phishing page should actually look like. You can see that the look and the feel is pretty dated; it looks pretty lame, if I'm honest. It doesn't look really sophisticated, but maybe it'll trick some victims, who knows. But if I'm honest this seems like a really old website, from like the 90s or something like that. It doesn't feel like a sophisticated phishing kit, which is what I kind of expected from buying from the dark web. But let's take a browse through the PHP code to begin with.

Right, so we've got quite a few files here: default, details, index, login, etc., and the one that sticks out at me is hitman.php. I want to kind of know what's in this particular file just by its actual name, and you can see, if we have a look at this, there's a place in here for me to enter my own email address, and that will generate an email to me with the stolen credentials using this message here. But you can also see as well there are a couple of other mail commands here. So my email address is going to get stored in the variable $send, but there are a couple of other email addresses here that are going to get stored in the $apache variable and also the $vps variable. So we need to see who else is going to get a copy of this information that I'm meant to be stealing, and nobody else, so that's a bit weird.

So let's have a look for the variable $apache, and if we go back into details.php we can see that the $apache variable is written from parsing content within another file, which is this natwest logo.gif file. This looks a little bit convoluted, but it's relatively easy to understand. We have a call to pack, and so pack is going to pack the given argument into a binary string according to the format that you specify. In this particular case the format is a capital H, which means it's going to be treated as a hexadecimal string with the highest nibble first. And so what we need to do is have a look in natwest logo.gif. You can see that there's a substring of that particular file being taken: the substring is going to start at the position where it finds the string "id_", and then it's going to read the next 36 characters. So let's flip over into our terminal window here, and what we can do is cat the file out. We can then see the text here in the middle of that file output; we can just copy that out and we can use something like CyberChef to decode the content as hexadecimal, and in fact in this particular case we can see that it is in fact an email address. That's what we kind of expected, given it's being fed to the mail command. So now we've got the email address, at least one of them, where the bad guy is going to receive a copy of my stolen credentials.

Let's have a look for the other variable, which was $vps, and so if we have a look in default.php we can't actually find $vps where it's actually located; it's hidden away a little bit. So in this particular case we can see, if we have a little poke around the code, there is a call to a base64 decoding routine which is disguised as a user-defined function called check data. So check data just returns the base64-decoded content of whatever you feed it, and so we can see here that we've got a call to check data with some input which looks like it's base64. And so we can use CyberChef again to see what that decoded content equates to, and in this particular case that is the variable $vps, which is yet another email address, as expected. And if we have a look again where that code is being used, that's actually going to get written to the top of hitman.php, so the file is going to be overwritten with this variable atop the code.

So next I also noticed at the top of default.php we can see that these PHP pages or files are being set to variables at the top of the code, and also I noticed that there's a gif in amongst this group as well. And if we have a look and see where that gif is used or referenced, we can see that it's actually included, i.e. imported, as if it's another PHP file. So that's a bit weird. So let's flip over to our terminal window again; we'll navigate to the images folder. We can see, if we run file against that particular gif, that it is in fact a PHP file and not a gif file after all. So let's cat that file out and we can see again that this is hexadecimal-encoded content which is packed again, and what we can then do is extract that content. We can see that it is passed to eval, which will then run the content. So we can use trusty CyberChef again to decode the content, and yet again this is another email address of another bad guy who's going to receive a copy of my stolen credentials.

This next backdoor is a little bit more tricky to find, and to be honest I felt like I needed to split myself in two in order to understand the necessary moving parts of this one, but thanks

### Segment 3 (10:00 - 15:00) [10:00]

Okay, so back in default.php we're going to see here on line 107 that we've got a function call to get errors, and get errors, if we scroll up a little bit to see where it's actually referenced, we can see that in turn calls multiple other user-defined functions. So the first one being clean, and we'll see what that is in just a second, and then also end of line, which is fed into clean as an argument. So we need to work out what both of those do. We can see, if we have a look at clean, which is defined just a few function calls up here, that it takes a string and creates a function using that string, and the return value of the function is the output of this call to get s. And we need to know what get s is all about, because we see a couple of steps down here that is another user-defined function, and what that looks like is it takes three parameters and it works with a global variable $d. If you have a quick look and see what global $d equates to, that is in fact details.php. So it's going to take details.php and it's going to get a substring of that particular file itself. We can see there's a quick call to get c; get c itself is just going to return the contents of that particular file that you feed it, so it's going to take in details.php and return the actual contents of it. And then it's going to take a substring, in get s, of details.php; it's going to start the substring at the string position where it finds $a, and $a is the first argument that you give to the call to get s. So this is convoluted; I told you I needed to kind of split my brain in half to work out what's going on here. But you can see, if we have a look in clean, the first argument that's passed to get s is in fact this "(1,", and so what we need to do is go into details.php and search for that string ourselves. We can do that and we can actually see that the next four characters after that string are in fact the string eval. And so what that means is the function clean itself is going to actually equate to the function eval, and it's quite a nifty way, that, of hiding away the actual purpose of that particular function. I quite like it.

We now know what clean does; let's look at what end of line does, because that's obviously going to be what's going to be fed into clean, eval itself. So, end of line: we can see that we've got another call to get s here, which is stored in the variable end, and we've just worked out what get s is all about. It's just going to search for the first argument and then take the next however many characters you feed it in $c. So we can see here it's going to search for the string "(2," and it's going to read three characters past it and then read for the next four characters, and so end in this particular case, we can see if we look in details.php, equates to the string pack. And we've already seen an example of what pack does: it's going to return a binary string in whatever format that you specify, so we'll see what format is going to be specified. We can have a look here at $endline; we can see that endline equals end, which is pack, so he's starting to use end now as the variable for the function called pack, and that is fed the input to end. So what's being packed here? The first argument is going to be the format, and you can see here that is the output of get s, where it's going to search for "(3," in details.php. If we have a look for that we can see that is in fact lowercase h asterisk, and so the lowercase h means that it's going to treat the input as hexadecimal but the lowest nibble is going to be first. So the lowest nibble first means the endianness of the bytes are actually going to be swapped, so that's one for us to be aware of. And then you can see the second parameter to pack is going to be the content that's going to be packed. Obviously for that content, it's going to search in details.php for the "((", and we can see that in fact is the name of images/nwb_style.css, and that's going to be first passed to get c, which is going to return the contents of that file. So it's just a convoluted mess here. This is a very clever backdoor which took me a little bit to notice first off, and you can kind of see why, because there's nothing obvious here without having to analyze every single command and every single function here. But let me just break it down and hopefully simplify it a little bit. What's happening here is these particular functions are going to get the contents of nwb_style.css and then it's going to parse that as hexadecimal, but with the endianness of that hexadecimal flipped, and then it's going to send that to eval. So we're probably looking here at a CSS file which has got some interesting content, and in fact what we can do, if we have a quick look at this

### Segment 4 (15:00 - 18:00) [15:00]

nwb_style.css in our text editor window, we can see the majority of this looks like CSS; it just looks all like valid CSS code. But if we keep scrolling, and scroll, scroll, eventually what we'll find is that here on line 1800 we can see some weird and wonderful characters, definitely not CSS code to me. And so what we need to do is flip back to our terminal window; we can use sed to dump out just that particular line itself, so we'll feed it line 1800 and we'll dump that out, and we can see we've got this hex-encoded content. Let's highlight all of this, and then what we can do is go back into our trusty CyberChef command window here. Remember we need to swap the endianness though, and we can see, if we copy that output and put that back into our text editor, we have yet another backdoor here, where another bad guy, in fact several email addresses here, we have an array of them in $brain, are actually going to receive a copy of my stolen credentials again. So this one was a really well written backdoor, and you know, it might be the case that if you've spotted the other ones you think you've got rid of them all, and unless you analyze every single line of code here it's quite tricky to pick up on this particular one. It's well hidden, but actually a really powerful backdoor that's going to steal the data from me.

Okay, so what have we learned through this whole process? Well, firstly, buying from the dark web was actually a pretty slick process, but ultimately we're dealing with criminals here, and there was no honor amongst thieves. What I got was an 11-year-old phishing kit; it ultimately didn't work, and even if it did work it was completely backdoored. It was designed to rip me off and steal the credentials that I was ultimately meant to have been stealing in the first place. So not a great experience overall. Phishing, though, is obviously an enormous issue; it's a challenge for individuals and also large organizations alike. I think it's inevitable that in some shape or form our usernames and our passwords will end up in the wild for all to see. Therefore, if you're serious about protecting yourself and your organizations against phishing, you should consider a hardware token. Personally I use the FIDO2 security key from Feitian. This one is compatible with an iPhone; I've been using it for some time now and I absolutely love the experience. Also you can use the BioPass FIDO2 key as well; this gives you an added layer of protection with a fingerprint sensor built into it as well. The technology in these devices is amazing, it's super secure, and ultimately it's going to help us all move away from passwords and weak two-factor authentication methods going forward. So I definitely encourage you to check them out. As an added bonus you can also get 20 off either of these products if you use the code colin-20 at the Feitian checkout process, and I'll put a link in the description of this video, so please go and check that out because it will help support this channel.

So thank you for watching this video. I look forward to your comments; please smash like if you enjoyed the content and also please subscribe as well. I look forward to carrying on the conversation. You can check me out on Twitter as well, @cybercdh. Until next time, peace out.
