The Revolution Will Not Be Televised - It'll Be Printed
If you have the tools and the patience to look, you can find all sorts of crazy stuff going on out there on the Internet. Seriously… it rarely fails to disappoint.
Here’s an example:
It starts with a little recon…
PacketTime:2021-12-19 04:13:06.179491 Len:60 IPv4/TCP 168.100.10.91:49260 -> 9100 ID:53613 TOS:0x0, TTL:238 IpLen:20 DgLen:40 ****S* Seq:0xb7a61da1 Ack:0x0 Win:0x400 TcpLen:20 Resp:SA
PacketTime:2021-12-19 04:13:06.389039 Len:60 IPv4/TCP 168.100.10.91:49260 -> 9100 ID:0 TOS:0x0, TTL:47 IpLen:20 DgLen:40 ***R** Seq:0xb7a61da2 Ack:0x0 Win:0x0 TcpLen:20 Resp:
The attacker, having established that there is likely a willing target printer listening (‘cause it’s talking to port 9100/TCP), slips on their faded Che Guevara t-shirt (despite the fact that they probably can’t even name three of his hit songs…) and does their best to stoke the flames of revolution:
PacketTime:2021-12-19 04:13:07.528188 Len:74 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10905 TOS:0x0, TTL:47 IpLen:20 DgLen:60 ****S* Seq:0x812f4896 Ack:0x0 Win:0xfaf0 TcpLen:40 Resp:SA
PacketTime:2021-12-19 04:13:07.653741 Len:60 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10906 TOS:0x0, TTL:47 IpLen:20 DgLen:40 *A**** Seq:0x812f4897 Ack:0x93d71e15 Win:0xfaf0 TcpLen:20 Resp:
PacketTime:2021-12-19 04:13:07.653893 Len:293 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10907 TOS:0x0, TTL:47 IpLen:20 DgLen:279 *AP*** Seq:0x812f4897 Ack:0x93d71e15 Win:0xfaf0 TcpLen:20 Resp:A
00000000 0d 0a 0d 0a 3d 3d 3d 3d - 3d 3d 3d 3d 3d 3d 3d 3d |....============|
00000010 3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 0d 0a 4e 45 57 20 |==========..NEW |
00000020 59 45 41 52 27 53 20 52 - 45 53 4f 4c 55 54 49 4f |YEAR'S RESOLUTIO|
00000030 4e 53 0d 0a 3d 3d 3d 3d - 3d 3d 3d 3d 3d 3d 3d 3d |NS..============|
00000040 3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 0d 0a 0d 0a 31 2e |==========....1.|
00000050 20 48 69 74 20 74 68 65 - 20 47 79 6d 0d 0a 32 2e | Hit the Gym..2.|
00000060 20 44 65 6c 65 74 65 20 - 46 61 63 65 62 6f 6f 6b | Delete Facebook|
00000070 0d 0a 33 2e 20 4f 52 47 - 41 4e 49 5a 45 20 41 20 |..3. ORGANIZE A |
00000080 55 4e 49 4f 4e 0d 0a 0d - 0a 0d 0a 4c 65 61 72 6e |UNION......Learn|
00000090 20 4d 6f 72 65 3a 0d 0a - 3d 3d 3d 3d 3d 3d 3d 3d | More:..========|
000000a0 3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 3d 3d 3d 0d 0a 72 |=============..r|
000000b0 65 64 64 69 74 2e 63 6f - 6d 2f 72 2f 61 6e 74 69 |eddit.com/r/anti|
000000c0 77 6f 72 6b 0d 0a 3d 3d - 3d 3d 3d 3d 3d 3d 3d 3d |work..==========|
000000d0 3d 3d 3d 3d 3d 3d 3d 3d - 3d 3d 3d 0d 0a 0d 0a 0d |===========.....|
000000e0 0a 0d 0a 0d 0a 0d 0a 0d - 0a 0d 0a 0d 0a 0d 0a |............... |
PacketTime:2021-12-19 04:13:07.654029 Len:60 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10908 TOS:0x0, TTL:47 IpLen:20 DgLen:40 *A***F Seq:0x812f4986 Ack:0x93d71e15 Win:0xfaf0 TcpLen:20 Resp:FA
PacketTime:2021-12-19 04:13:07.771993 Len:60 IPv4/TCP 168.100.10.91:33324 -> 9100 ID:10909 TOS:0x0, TTL:47 IpLen:20 DgLen:40 *A**** Seq:0x812f4987 Ack:0x93d71e16 Win:0xfaef TcpLen:20 Resp:
Ok.
So maybe “stokes the flames of revolution” is a bit of an overstatement.
A wannabe revolutionary lazily slings TCP packets into the aether in hopes of… getting someone to read Reddit
Nah.
A basement-dwelling socialist poser sticks it to the capitalist oligarchy and exploits the tools of production to… well… print something.
Oh, nevermind.
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter: @tliston
December 19, 2021
Addendum: So apparently, masscan and netcat are the tools of the revolution (who knew?). A little recon uncovered that the following script was running the show:
#!/bin/bash
while true
do
masscan --conf masscan.conf 2>/dev/null | \
while read line
do
cat "$(ls payload/*.txt | shuf -n 1)" | ncat -v -C -i 10 -w 10 $(echo "$line" | awk '{ print $6 }') 9100 &
done
done
The payload directory contained an assortment of messages like the one above.