Beware of scammers on the dark web and in Telegram groups (I)

Details of scammed transactions

As the saying goes, "swindlers swindle and cheats cheat": the Internet today is full of liars. China has rolled out round after round of strict regulation against telecom and network fraud, yet the bait keeps coming. Here "ODN(" shares a scam warning concerning the Telegram group @anwangxia, in the hope that less alert netizens who spend time on the dark web and in Telegram groups will take note!

It is reported that a netizen, "Xiao Xia", met a "master" in the Telegram group who called himself "Zhao Zilong" (using two usernames: @smartpulss and @sinian10000). This person styles himself a "technical bull" and a "retired hacker". Let's look at some of the boastful technical posts he made:

1. The professional "DDoS advertising" he posted:
Data lookup and record pulling, DDoS and attack-for-sale, packet flooding, scanning and intrusion, and first-hand data from gambling, chess/card and web-game server apps taken on the day of the attack.
In addition, for a limited time, paid apprentices are taught penetration, database dumping, DDoS extortion and AV-evading malware.
Looking for retired veteran members of the China Red Guest Alliance.
[Pay first, then work; do not disturb]
Also: DIY customized Telegram advertising group sender.
For more details, add channel:
Paid dedicated machines or channels: both evening-peak and uplink have 300 MB/s, off-peak uplink can reach 500 MB/s, and the traffic stacked on top by reflection amplification is beyond imagination.
By the way, paid DDoS teaching with complete techniques, from entry to mastery, from attacking all kinds of websites to extortion weapons, with the strength to go global.

2. The so-called "free DDoS tips":
Reflection amplification DDoS
A reflection amplification DDoS uses devices or servers on the network with vulnerable configurations. The attacker sends specially constructed request packets to them with the source IP replaced by the victim's IP, so the servers return their response packets to the victim host and exhaust the victim's network resources. The principle is shown in the figure. Because the requests look normal and the response packets reach the victim through intermediate devices or servers, tracing the source is more difficult. Combining reflection DDoS with a botnet can generate a huge number of response packets at once while hiding the attacker, which greatly improves both the efficiency and the concealment of the attack.
Reflection amplification DDoS has two parts, [reflection] and [amplification]:
① Reflection means the attacker forges the IP address of the target and sends constructed request messages to servers on the Internet running certain open services; the servers reply, and the reply goes to the target.
② Amplification means the server's response is several times larger than the request message the attacker sent, which indirectly forms a DDoS attack on the victim.
Selling Telegram 0day and customized remote control trojans.
Work after payment.
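The reflection-and-amplification mechanism described above is generic, and what a practitioner actually needs is the defensive side of it: recognising the traffic when it hits a host you are responsible for. The following Python is an added example, not from the original post or the scammer's material. It scores flow records for the two signatures the explanation implies: answers arriving from many reflector service ports that the victim never solicited (the reflection half), and answers that are far larger per packet than normal (the amplification half). The NetFlow-style record layout, the reflector port list, the thresholds and the sample flows are all constructed assumptions.

```python
"""Flag likely UDP reflection/amplification traffic in flow records.

Added example for the reflection-amplification explanation; not from the
original post. Flow layout (NetFlow-style 5-tuple plus counters), the
reflector port list and the thresholds are assumptions; the sample flows
are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


# Services commonly abused as reflectors. A reflector answers from its
# service port, so it is the *source* port of the suspicious inbound flow.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
                   1900: "SSDP", 11211: "memcached"}

# Constructed sample: one legitimate DNS exchange, then a victim
# (203.0.113.7) receiving large NTP and memcached answers it never asked for.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", 51023, "10.0.0.53", 53, "udp", 1, 72),
    Flow("10.0.0.53", 53, "10.0.0.5", 51023, "udp", 1, 136),
    Flow("198.51.100.10", 123, "203.0.113.7", 4000, "udp", 40, 17600),
    Flow("198.51.100.11", 123, "203.0.113.7", 4000, "udp", 38, 16720),
    Flow("198.51.100.12", 123, "203.0.113.7", 4000, "udp", 42, 18480),
    Flow("192.0.2.33", 11211, "203.0.113.7", 4000, "udp", 5, 7000),
    Flow("192.0.2.34", 11211, "203.0.113.7", 4000, "udp", 6, 8400),
    Flow("203.0.113.7", 4000, "10.0.0.9", 8080, "tcp", 10, 1500),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes the reflector sends to the victim
    per byte the attacker had to send (with the spoofed source) to trigger it."""
    return response_bytes / request_bytes


def find_reflection_victims(flows: List[Flow], min_reflectors: int = 3,
                            min_bytes_per_packet: int = 300) -> Dict[str, dict]:
    """Return {victim_ip: summary} for hosts that look like reflection targets.

    Three conditions together: answers come from several distinct reflector
    IPs, the answers are unusually large per packet (the amplification half),
    and the victim sent no matching request (the reflection half: the real
    request carried the victim's spoofed address, so it is absent here)."""
    # Every observed UDP 5-tuple, used to check whether an answer was solicited.
    seen = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port)
            for f in flows if f.proto == "udp"}

    per_victim: Dict[str, dict] = defaultdict(
        lambda: {"reflectors": set(), "services": set(),
                 "packets": 0, "bytes": 0, "unsolicited_flows": 0})

    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        v = per_victim[f.dst_ip]
        v["reflectors"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])
        v["packets"] += f.packets
        v["bytes"] += f.bytes
        # The reverse tuple is the request the victim would have had to send.
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) not in seen:
            v["unsolicited_flows"] += 1

    results: Dict[str, dict] = {}
    for victim, v in per_victim.items():
        bytes_per_packet = v["bytes"] / v["packets"]
        if (len(v["reflectors"]) >= min_reflectors
                and bytes_per_packet >= min_bytes_per_packet
                and v["unsolicited_flows"] > 0):
            results[victim] = {
                "reflectors": len(v["reflectors"]),
                "services": sorted(v["services"]),
                "bytes": v["bytes"],
                "bytes_per_packet": round(bytes_per_packet, 1),
                "unsolicited_flows": v["unsolicited_flows"],
            }
    return results


if __name__ == "__main__":
    for victim, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

On the sample, the legitimate DNS exchange is not flagged because the client's own request is present in the records, while 203.0.113.7 is flagged with five reflectors, two services and roughly 520 bytes per packet. The unsolicited-flow check is the one that matters most in practice: a busy resolver or NTP client will also see large answers from many servers, but it will have sent the requests.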

3. The "free little knowledge about hackers" he posted:
I have always believed that opportunities are reserved for those who are prepared; work hard and you will have more of them. Here are a few ideas and tricks for penetration. The free version mainly talks about ideas, so it won't be very detailed.
If you want more advanced, systematic study, contact @h4cker3; I can teach you real-world practice and even take you to dig 0days.
(1) Regarding the website program (the server is not considered here):
1. Look for injection; note the database user's privileges and whether the site and the database are on the same server.
2. Look for XSS. Blind XSS is very popular recently; in any case, our goal is to get into the admin backend.
3. Look for uploads: pages that allow uploads, such as applying for a friend link, member avatars and other sensitive pages. Check whether the validation can be bypassed, and combine that with the parsing characteristics of the server, such as the typical IIS 6.0, Apache and so on.
4. Look for editors, typically ewebeditor, fckeditor and the like.
5. Look for management programs such as phpMyAdmin; try weak passwords or look for vulnerabilities.
6. Search Baidu and Google for publicly disclosed vulnerabilities in the program.
7. Guess files. If we know a file is admin_login.php, we can try whether admin_add.php and admin_upload.php exist, or Google search inurl:edit and so on. Many times we can find sensitive files, then see whether they check permissions or whether the check can be bypassed; this is the "advanced syntax" Bingfeng talked about.
8. Member registration, modification, deletion, comments and other places that operate on the database: remember to add a single quote and the like to check for insert, update and other types of injection.
9. After logging in as a member or low-privileged administrator, capture and analyze packets, try to modify the super administrator's password, and escalate privileges.
10. For sites with download functions, we can try modifying the file name in the URL to see whether sensitive files on the site, such as database configuration files, can be downloaded. If the database cannot be connected to externally, try logging in to the backend with the database password, or download the upload, login and verification code and do a code audit.
11. Backup files and backdoors. Some sub-directories of the main site hold sub-sites, such as . We can try to see whether compressed files such as exist; they may be the source code of the sub-site. There are also older sites like this, which are usually easier to get into: database backups, backdoors left by predecessors and so on. What you find in these directories depends on your dictionary.
12. 0day vulnerabilities, whether given to you by others or dug by yourself; just use them well.
13. ...
(2) For the server:
1. Generally, first scan the server's open ports, then consider the countermeasures.
2. The more common parsing vulnerabilities, such as the IIS 6.0, Apache and nginx/IIS 7.0 (php-fpm) parsing vulnerabilities, plus the parsing of cer, asa and .htaccess configuration files.
3. Weak passwords and everyone-permissions. First scan the open ports, for example 21 for FTP, 1433 for MSSQL, 3306 for MySQL, 3389 for Remote Desktop, 1521 for Oracle and so on. Usually you can collect more dictionaries; sometimes the effect is good (when sniffing with Cain you can often pick up other people's passwords).
4. Overflows. This depends on the system patches and the software the server runs, such as FTP and other tools; not detailed here.
5. Some server management programs, such as Tomcat and JBoss; these are more common on large and medium-sized site servers.
6. IIS, Apache and other vulnerabilities; pay more attention to these.
7. Directory browsing: the server is misconfigured and you can browse directories directly.
8. Shares...
9. ...
(3) For people: social engineering usually has amazing effects in penetration. The main thing is to exploit people's weaknesses. It is broad and deep, so I won't discuss it in detail here; read more social engineering articles and learn some ideas and skills.
(4) Roundabout tactics: side sites and the C-segment.
1. Side sites (other sites hosted on the same server): apply the methods mentioned above; not much to say here.
2. The C-segment (the same /24 subnet). When you think of the C-segment you basically think of Cain. For the sites and servers in the C-segment, combine the ideas above for the target site, servers, people and side sites; it is all the same reasoning. Of course, if your only goal is to hack the site, you might as well try NetFuke.
3. ...
(5) Common privilege escalation methods:
1. System overflow exploits (EXP). This is the most commonly used method of privilege escalation and the usage is largely the same, for example the common Churrasco ("Brazilian barbecue"), pr and so on. Overflow exploits are also used a lot on Linux; collect more EXPs.
2. Third-party software: mainly third-party software installed on the server that runs with relatively high privileges, or overflow vulnerabilities in that software, typically MSSQL, MySQL, Serv-U and so on, as well as various remote control software such as pcAnywhere, Radmin and so on.
3. Hijacking. Speaking of this, one has to think of tools like lpk.dll. Sometimes when you cannot add an account, try hijacking shift (sticky keys), adding a startup item, and similar ideas.
4. Weak password tricks. We can look at what other hackers or hidden accounts are on the box; generally the passwords of such users are relatively simple, so try weak passwords, as well as the weak passwords of the various databases, remote control software and FTP software mentioned before. When nothing else works, try your luck.
5. Information collection. Remember to dig through the various documents on the hard disk; all sorts of passwords may be inside. When penetrating the intranet, information collection is very important. Remember, after taking the server, to GET the plaintext passwords; the German mimikatz is good. Then there are domains, ARP... this seems to be a digression.
6. Social engineering... not much to say.
Summarizing here for the time being: penetration is broad and deep and cannot be explained in a few paragraphs. The specifics depend on the situation and on adapting to circumstances. We must develop the good habit of collecting information during penetration, especially on large and medium-sized sites.
Pay attention to collecting sensitive information such as sub-site domain names, directories, passwords and so on; this is very useful for subsequent penetration. Intranets often have weak passwords, and many hosts share the same password. In many cases a main site dies from a small hole in a sub-site.
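Point 3 of the website checklist above (check whether upload validation can be bypassed, combined with the server's parsing behaviour) is the one item that reduces to concrete, checkable code. The Python below is an added example and not part of the scammer's post: it puts the weak substring-style filename check beside simplified models of the two parsing quirks the checklist names (IIS 6.0 truncating at ';' and executing anything under a *.asp folder, Apache with AddHandler matching any dotted extension rather than only the last), shows which constructed payload names slip through, and then gives a strict whitelist check plus a server-chosen storage name. The server models, the payload names and the function names are assumptions; the nginx/IIS 7.0 php-fpm path-info case from the server checklist concerns the request URL rather than the stored filename and is not modelled here.

```python
"""Upload-name validation: the weak check the checklist says to probe, the
server parsing quirks that turn it into code execution, and a strict check.

Added example for point 3 of the website checklist; not part of the original
post. The server-behaviour models (IIS 6.0 ';' truncation and *.asp
directories, Apache AddHandler matching any dotted extension) are simplified,
and the payload names are constructed.
"""
import re

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
EXEC_EXT = {"php", "php3", "php5", "phtml", "asp", "aspx", "asa", "cer",
            "cdx", "jsp", "jspx"}

# Constructed payload names a tester would try against an avatar upload.
PAYLOADS = [
    "shell.asp;.jpg",      # IIS 6.0 stops parsing at ';' -> runs as ASP
    "shell.php.jpg",       # Apache AddHandler: .php anywhere in the name
    "jpg_loader.php",      # substring check sees "jpg" and lets .php through
    "x.asp/avatar.jpg",    # IIS 6.0 executes anything under a *.asp folder
    "avatar.png",          # the only legitimate name
]


def weak_allows(filename: str) -> bool:
    """The kind of check the checklist tells you to look for: an allowed
    extension string anywhere in the (case-folded) name passes."""
    lower = filename.lower()
    return any(ext in lower for ext in ALLOWED_IMAGE_EXT)


def server_parses_as_script(filename: str, server: str) -> bool:
    """Simplified model of how the named server decides to execute the file."""
    name = filename.lower()
    if server == "iis6":
        truncated = name.split(";")[0]           # everything after ';' is ignored
        segments = truncated.split("/")
        for folder in segments[:-1]:             # *.asp directory rule
            if "." in folder and folder.rsplit(".", 1)[1] in EXEC_EXT:
                return True
        last = segments[-1]
        return "." in last and last.rsplit(".", 1)[1] in EXEC_EXT
    if server == "apache_addhandler":
        # AddHandler application/x-httpd-php .php matches any dotted extension,
        # not only the final one, so a.php.jpg is handed to PHP.
        return any(ext in EXEC_EXT
                   for ext in name.split("/")[-1].split(".")[1:])
    raise ValueError(f"unknown server model: {server}")


def find_bypasses(server: str) -> list:
    """Payloads the weak check accepts but the server would execute."""
    return [p for p in PAYLOADS
            if weak_allows(p) and server_parses_as_script(p, server)]


# Exactly one extension, a conservative character set, no separators at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def strict_allows(filename: str) -> bool:
    """Whitelist by shape, then by extension; ';', '/', NUL and a second
    extension all fail the pattern before the extension is even looked at."""
    m = SAFE_NAME.fullmatch(filename)
    return bool(m) and m.group(1).lower() in ALLOWED_IMAGE_EXT


def safe_store_name(filename: str, token: str) -> str:
    """Server-chosen on-disk name: discard the client's stem entirely and keep
    only the vetted extension; 'token' is the server's random identifier."""
    if not strict_allows(filename):
        raise ValueError("rejected upload name")
    return f"{token}.{filename.rsplit('.', 1)[1].lower()}"


if __name__ == "__main__":
    for server in ("iis6", "apache_addhandler"):
        print(server, "bypasses the weak check with:", find_bypasses(server))
    print("strict check keeps:", [p for p in PAYLOADS if strict_allows(p)])
```

Even the strict check only vets the name; a real upload handler should additionally verify the file's magic bytes, store it outside the web root under the server-generated name, and serve it with a fixed content type, so that no parsing quirk of any web server is reachable at all.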

4. The so-called "network security" he posted:
Recently the keyboard warrior and half-baked hacker "Programming Random Thinking" was caught. I would like to take this opportunity to talk about information security from a technical perspective:
If you use a domestic website, chat software or server, even if you delete something right away, the database still has log/mirror backups. Can it be recovered? The answer: it can be completely recovered, which is an obvious point everyone knows.
If you were more savage and broke into the main computer room and smashed all the servers to pieces with a hammer, the data can in fact still be recovered. That is military technology.
Unless you burn the hard drives; but before they turn to slag, the fire is put out by the sprinkler system, and then you are pinned to the ground as well.
What about abroad? Leaving aside the small and medium-sized hosting companies that have capital cooperation and support relationships with China, take the famous independent free Telegram platform as an example: most information can still be saved. How come? The answer: [crawlers] and [operators].
Crawler means: using a program to load content on the Internet the way a human would, then fetching it and saving it locally. As shown in the figure, there are far too many tutorials and the threshold has dropped. At the low end a script kiddie can copy the code; at the high end enterprises/organizations/public departments/national security agencies run it as project work. It is easy to leave a program running in the background scanning and archiving messages 24 hours a day, not to mention Telegram's web page; a web crawler is far too simple.
Why is Telegram so weak here? Because groups and channels are not end-to-end encrypted, and neither are [ordinary private chats] with individual users! For details, see the two explanations in the FAQ on Telegram's official website: "What is the difference between encrypted chats?" and "Why can't all chats be encrypted?"
Therefore, it is easy to crawl and archive public group and channel messages, and private-link groups can also leak through the clipboard.
Then there is the matter of users' ordinary chats passing through the broadband operator. This is a bit sensitive and not appropriate to discuss publicly, because it could be misleading or even wrong.
As shown on the right side of the figure, I finally researched and customized end-to-end asymmetric encryption software and a server setup that are ten times more secure. The principle is the same as the one the NSA, terrorists and national intelligence organizations use for their online and offline intelligence exchange: end-to-end, asymmetric double ratchet; the principle is the same, and no phone number or e-mail registration is required.
If you want it [paid], contact @h4cker3 to teach/customize/register/build, because it is not a one-click script; every function and variable has to be precisely calibrated like a craftsman's work.

5. The seemingly righteous "sneer at the black industry" he posted:
As I said, this kind of black-industry person and idiot gets shown the door directly.
I am busy with Red Team offensive and development projects during the day and have to take students at night. Even if you don't understand Chinese social rules, you at least offer a cigarette when you go out to ask someone for help. Now people want to use hackers for free, and damn it, for illegal cybercrime jobs.
Sorry, please look up the definition of "hacker" on Wikipedia first.
If you don't have the strength, don't get into the black industry.
From now on [black industry] personnel will be blocked. Don't disturb 🖐🏻
Penetration of online gambling and lottery sites, orders accepted. Pay first, then work. Silly dogs, don't disturb. Business is plentiful and time is precious. ==================================
During the epidemic everyone was shut up at home, and that is exactly when online gambling platforms exploded. Helping a customer penetrate an online gambling platform and change the balance also saved the family of another gambler from loan sharks.
[Reminder again] Online gambling ruins people; please stay away from it, because the water is too deep. Old gamblers know that pig-butchering scams, frozen accounts and rigged losses are all too common on these damn gambling sites.

Insiders summed it up in one sentence: it looks impressive, but it is actually garbage! "ODN(" learned that this person most likely pieced together content found on the Internet and then posted it to the group to cheat people. Nevertheless, someone believed him and paid 0.087 ETH (about 200 USDT at the time). The address is , and the screenshot is as follows:

screenshot of coinbase

Looking at the chat records from the time, the scammer's cunning, eagerness and shamelessness are plain to see:

Eagerly urging the transfer
After the money arrived, denying it, then giving a new address for another transfer

Let's take another look at this person's faces, and be careful:

The username used by the scammer: @smartpulss
The username used by the scammer: @sinian10000

The usernames used by the scammer: @h4cker3, @smartpulss, @sinian10000
The Telegram channel promoted by the scammer:
The ETH address of the scammer: 0x7a6a2a3680cd140afbab0d2528c32c01790731c2
Please identify carefully and take precautions!

Finally, "ODN(" needs to sum up: if one or two out of ten people in ordinary Internet communities, WeChat, QQ and so on are scammers, then in dark web and Telegram communities it is more like five or six out of ten. But whether on the clear web or the dark web, anyone who demands "payment first, goods later" or "payment first, service later" is certainly a scammer! If you want to avoid being scammed, please stay away from the dark web and Telegram!

From:On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.
