‘There’s a large mustard-mine near here. And the moral of that is — The more there is of mine, the less there is of yours.’ – The Duchess (Alice in Wonderland)
As many of you will have noticed, there haven’t been a lot of ‘TANGO DOWNS’ over the last few months. There is a reason for this. I decided that I should concentrate a little more on targeted intelligence gathering and a little less on the violent internet smackdown that is XerXeS and others.
I needed a way to get undisputable evidence as to the real world identity of ‘the mark’ – whatever the ‘mark’ or target was, be it Anons, Jihadist bomb plotters or forum admins, or whoever. Over the last few months I have been running ‘Project Looking Glass’.
So what is it?
The Looking Glass is based upon the open source Browser Exploitation Framework – I used this as its truly modular framework lends itself well to me modifiying and hacking it to pieces in order to get it to do what I want it to, without losing direction or straying from the confines of the original mission spec or waste time re-inventing the wheel. One of the bonuses of open-source code right?
The entire project comprises of the ‘looking glass’ server, which I will be talking about here, and numerous other ‘bait’ servers which have the the ‘hook code’ embedded in certain pages that they serve up. Once a target hits the page they immediatley pop up on the looking glass HUD and information starts getting logged and a profile of the ‘mark’ starts to form. I am not going into much more detail on this for obvious reasons. But I will say the highly targeted nature of how the hook code is served up to the ‘mark’ leaves very little room for error, mistaken identity or false positives.
Here’s a screenshot of the moment @joshthegod of #UGNazi stumbled through the looking glass after being on the target list for only two days prior. (Click for fullsize) and here’s the tweet I posted that same day (June 14) – https://twitter.com/th3j35t3r/status/213281821704732672
Those of you familiar with BeEF will notice some differences in the screenshot above, yes Looking Glass Logs a whole bunch of stuff right from the get go and it’s searchable.
So what else is different?
Well after making a few changes to the core I was in a position to start creating some funky new intelligence gathering modules, that would live in the modules tree within it’s own separate section called – ‘Project Looking Glass’. These modules would seriously boost the effectiveness of this hybrid beast turning it into a formidable force for good (in this case).
So currently there are 12 new modules in Project Looking Glass and they are pretty nasty if you get caught on the end of one or more of them. The names are fairly self explanatory and you will notice they are all good to go with a green traffic light in this case against Firefox/Linux. (click for fullsize):
So why would I let this out of my bag?
I haven’t actually given away any operational details, they key to this is in the delivery of the hook code, location of ‘bait servers’ etc. The hook code, by the way, can also be injected using XSS into any vulnerable 3rd party website, so the target doen’t even have to hit one of my ‘bait boxes’.
Project Looking Glass is not available or downloadable to the public, although I am sure within a few hours there will be claims you can download it here there and everywhere, as was the case with XerXeS. Please be advised I never released XerXeS and I won’t be releasing Project Looking Glass. If some one says they have it, they are lying to you and most likely try to infect you with malware.
So there it is, and make no mistake bad guys, it is out there, and you won’t see it coming. Today you have seen what I can see, I tell you this as a warning. Again bad guys, Project Looking Glass has been running for months now, and not without success as we have seen. There’s nothing you can do about it, as you have no idea how many hook code snippets are out there, where they are…….
…….or indeed whether or not you have already accidentally stumbled through the looking glass.
Happy 4th July.
There’s an unequal amount of good and bad in most things. The trick is to figure out the ratio and act accordingly.
PS: #IamNotTomRyan #SoDropItAlready
UPDATE JULY 5 2012
As usual the usual suspects have attempted to pass my screenshots (scroll back up) above off as photoshop mockups. Well I decided this would never do. So decided, without equivocation, to ask a respected third party to log into Project Looking Glass (via a domain name now defunct for opsec reasons) to see what they could see. Before the usuals start on the predictable troll-fest, be advised Mr Jeff Bardin is a highly respected member of the infosec community (google him). Here’s what he said via his website:
PS – the trolls that troll him, go on the list. How far up or down on the list is up to you. But it never ends pretty.