Shifty Lander V1

Here is a small side project that I had wanted to do for a while, but hadn’t made the effort until I got some downtime in a hotel.

Problem:
Creating a unique URL/address/lander/etc. that you can find easily, but that is hard for an outside party to locate even if they have access to full packet capture (albeit not likely analyzing it in real time).

Solution:
Not reinventing the wheel here, but I hadn’t made it myself, so why not learn. This same sort of tactic is used by people who hard-code malware to beacon out to a generated list of domains which shifts according to time. My personal idea for this one is that you have a command and control login page you don’t want people brute forcing, or maybe you are just storing data scraped from cookies on a server and you don’t want it to be static. This allows you to very easily have a resource changing its name in a way which you can figure out from any computer that has access to sha1sum. Because you can go to http://www.sha1-online.com/, that is every device with a NIC….

Problems:
Obviously, if you use this on blahblah.com/crazyuniqueid.php, anyone on the defense side worth a darn will write a rule to block or trigger on any callouts to blahblah.com.

If you use this generator to make subdomains like 2341321#@@E@E.blahblah.com, the same tactics apply. That being said, what if you use this code with an SMTP library to send an email out to randombunchofcrap@gmail.com and this changes every 24 hours? A bit more difficult to detect.

This is V1, I hope it will grow in capabilities.

Rundown:
On the server with your landing page, run this script:
python nameofscript.py "secret code" path/to/file filename.php
Set it and forget it.

Then, wherever you are, when you want to log in, or check hash dumps that are being posted, etc., type into your *nix command prompt:
echo -n "YEAR-MONTH-DAY:secret code" | sha1sum
Take that sha1sum output, slap a .php on there and go to your URL. Log in and rejoice that Google isn’t indexing it.
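
Seen from the monitoring side, the daily rename leaves a recognizable shape in stored web or proxy logs: one 40-hex-character .php name per host per day, never reused. The Python 3 code below is an added example, not part of the original post; the "DATE HOST PATH" log format, the host names and the sample code are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import date, timedelta

# Path shape left by the scheme: 40 lowercase hex characters plus ".php".
SHA1_PHP = re.compile(r"/([0-9a-f]{40})\.php$")

def lander_name(day, code):
    """Same value as: echo -n "YEAR-MONTH-DAY:code" | sha1sum, plus ".php"."""
    return hashlib.sha1(f"{day.isoformat()}:{code}".encode()).hexdigest() + ".php"

def hits_for_code(log_lines, code):
    """With a recovered code, return log lines that requested that day's name."""
    hits = []
    for line in log_lines:
        day, host, path = line.split()[:3]
        if path.endswith("/" + lander_name(date.fromisoformat(day), code)):
            hits.append(line)
    return hits

def rotating_hosts(log_lines, min_days=3):
    """Without the code, flag hosts with exactly one new hash-shaped name per day."""
    seen = defaultdict(lambda: defaultdict(set))  # host -> day -> names
    for line in log_lines:
        day, host, path = line.split()[:3]
        match = SHA1_PHP.search(path)
        if match:
            seen[host][day].add(match.group(1))
    flagged = []
    for host, per_day in seen.items():
        distinct = set().union(*per_day.values())
        one_per_day = all(len(names) == 1 for names in per_day.values())
        if len(per_day) >= min_days and one_per_day and len(distinct) == len(per_day):
            flagged.append(host)
    return sorted(flagged)

# Constructed sample data: hypothetical hosts and code, not taken from the post.
SAMPLE_CODE = "constructed example code"
DAYS = [date(2015, 2, 24) + timedelta(days=n) for n in range(4)]
SAMPLE_LOG = [f"{d} shifty.example /{lander_name(d, SAMPLE_CODE)}" for d in DAYS]
SAMPLE_LOG += [f"{d} cdn.example /{'ab' * 20}.php" for d in DAYS]  # static hash-like name
SAMPLE_LOG += [f"{d} plain.example /index.php" for d in DAYS]

if __name__ == "__main__":
    print(rotating_hosts(SAMPLE_LOG))
    print(len(hits_for_code(SAMPLE_LOG, SAMPLE_CODE)))
```

The log dates must be in the same time zone as the server that performs the rename, for the reason the script itself gives about server time.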

This is what it looks like when you run it initially on the server:
[Screenshot from 2015-02-24 19:10:57]

This is how you find your landing page wherever you are, or through an online sha1sum creator:
[Screenshot from 2015-02-24 19:09:45]

NOTE: I used system calls for hashing, etc. This will not run on a non-*nix server. So if you are running this on windowz it is most likely going to have to use Python libs and be compiled by the likes of pyexec. If you’ve gone that far you might as well duplicate this functionality in PowerShell and then post it here 🙂

#!/usr/bin/env python

from datetime import date
import datetime
import time
import sys
import os

print '''
 __ _     _  __ _           __                 _                    _ 
/ _\ |__ (_)/ _| |_ _   _  / /  __ _ _ __   __| | ___ _ __  /\   /\/ |
\ \| '_ \| | |_| __| | | |/ /  / _` | '_ \ / _` |/ _ \ '__| \ \ / /| |
_\ \ | | | |  _| |_| |_| / /__| (_| | | | | (_| |  __/ |     \ V / | |
\__/_| |_|_|_|  \__|\__, \____/\__,_|_| |_|\__,_|\___|_|      \_/  |_|
                    |___/                                             


'''

if len(sys.argv) == 4:
	code = sys.argv[1]
	path = sys.argv[2]
	page = sys.argv[3]
	
	print "------------------------------------------------keyzer[at]penetrate.io---------------------------------------------"
	print "This version changes the landing page every day. You can edit it as you see fit, I wouldn't go under hourly for sure"
	print "The point of this method is that packet monitoring won't give up the landing page unless the analysis is near realtime"
	print "This same method can be used to create subdomains, or exfill to a unique rotating email account (HINT HINT: yopmail.com)"
	print "---------------------------------------------------use legally -----------------------------------------------------"
	print "Your secret code is: %s" %(code)
	print "The page that will act shifty is: %s/%s" %(path,page)
	print "To find your lander from a remote computer type: echo -n \"YEAR-MONTH-DATE:CODE\" | sha1sum"
	print "Remember to use the timestamp of the server hosting your website..... Or edit this to be GMT"
else:
	print "Oops!  Proper format (3 args) is as follows...."
	print "python shifty_lander.py \"secret code\" /absolute/path/ filename.php"
	sys.exit()


def codecruncher():
	#current format is YEAR-MONTH-DATE  ...... remember this is according to the server time
	currentdatewithcode = str(date.today())
	#current format is YEAR-MONTH-DATE:CODE
	currentdatewithcode += ":"+code
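	#quote the string so the shell hashes exactly what the remote command (echo -n "YEAR-MONTH-DATE:CODE") hashes
	formatstring = "echo -n \"%s\" | sha1sum" %(currentdatewithcode)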
	hashcode = os.popen(formatstring).read()
	#strips out spaces and "-" at the end of hash output... may vary ?
	hashcode = hashcode[:-4]
	hashcode =hashcode+".php"
	return hashcode

#get the ball rollin before the loop
hashcodeold = codecruncher()
mvstring = "mv %s/%s %s/%s" %(path,page,path,hashcodeold)
print "%s is now: %s" %(page,hashcodeold)
os.popen(mvstring).read()


hashcodenew = hashcodeold

while True:
	if hashcodeold == hashcodenew:
		hashcodenew = codecruncher()
		#tests to see if the date has changed every minute
		time.sleep(60)
	else: 
		hashcodenew = codecruncher()
		mvstring = "mv %s/%s %s/%s" %(path,hashcodeold,path,hashcodenew)
		print "filename is: %s" %(hashcodenew)
		os.popen(mvstring).read()
		hashcodeold = hashcodenew