Yas Forums clearly isn't the technical juggernaut it was a decade ago. Did any of you fuckwits even look at the passwords? Many of them are extremely simple. All numbers, or all lower case letters. These weren't "hacked" from the organizations that the email addresses are associated with, these were parsed from cred stuffing lists.
The way it works is that retarded user Chang Smoldong, or [email protected] signs up for, say, "tinyyellowdicksupportforum.com", and being a tard, he does it with his work email. That forum gets hacked because the admins are too busy commiserating over how tiny their cocks are to properly salt and hash their password database. The hacker then brute forces the shit out of the database and extracts all the passwords he can in a reasonable timeframe. The email addresses and passwords are dumped into a giant database with similar results from many other hacks, and are often sold. You can tell these were parsed out of such databases because there are seemingly unrelated email addresses with keywords in the password instead of the address itself.
You then use a botnet or the like to start brute forcing these logins, using the fact that there are ALWAYS some retards who reuse their passwords. Only a tiny handful will work, if any. Look at the simplicity of the passwords - even a lazy half-assed sys, net, or mail admin is going to have better password requirements than that, if nothing else because the defaults for Active Directory, Azure, and Office 365 are all more strict than that.
If you want more information about how this particular hack worked, how you all got duped, and how to do some actual fucking recon on things like this before you blow a bunch of effort for jack shit, ask me whatever. I'm no uber 1337 h@x0r, but I know a thing or three about enterprise setups.
Here's one example: early on in the threads there was some fucking retard going on about how the Wuhan passwords were for SSH.
SSH is a way to connect to the command line shell on a variety of systems, generally network devices (switches, routers, firewalls) and POSIX-compliant systems (unix, linux, BSD, etc). It's mostly used for administration these days, actually managing and configuring devices. There's not a lot of use for it outside of actual admins, because we live in the era of cloud and mobile and browser interfaces.
If you'd worked in IT even just doing helpdesk at a college, you'd know that egghead types are fucking retards when it comes to computers. Lab types are even worse. They'd never find their way around any sort of command line. And if you actually nmapped the host out, you'd know there were no SSH ports open on that host.
So let's look at what happens when you actually hit wh.iov.cn with a full nmap scan. Do this from behind a VPN if you can, but it might not work depending on the type of VPN. Public wifi is always a good option. Go download nmap for your OS, install it. On Windows, the GUI version is called "zenmap", go fire that shit up. Punch in the target (wh.iov.cn), select "intense scan", and wait. It's going to look like this.
To figure out what's actually running on whatever you're probing, you look at the open ports. You can get a preliminary idea of what's running just by the port numbers, because lots of them are standardized. 80 is plain HTTP, you can almost always hit that with a web browser. 443 is HTTPS. By default, SSH runs on port 22. Do you see a port 22 open? No, you don't. Any ports you don't recognize, you can just google and see what the most common services running on those are, but that's only necessary if you're impatient because nmap will also do fingerprinting on the running services. It'll open connections and talk to them and analyze them. Let's look at a few.
Port 25. It's a very standard port for SMTP. We can see they're running postfix for SMTP. We can see that it's got an SSL cert, and where that cert is from - "Chinese Academy of Sciences Computer Network Information Center". It's been issued by a US company called Digicert.
Port 80 is open. It's a redirect to mail.cstnet.cn/ - they want you connecting securely using HTTPS instead of HTTP, so it's just a flat redirect. Further down you can see on port 443, you have that same website. It's running on nginx.
Lastly, and this is important for anyone who has even half-decent scripting skills, we can see that port 143 is open and is IMAP. That's an email protocol for INBOUND emails (SMTP is outbound). You can connect to it and pull down emails. With a script, you can even automate the process.
There are others, but no need to go over them. Between nmap's fingerprinting and google, you can figure out a ton.
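As an added example (not part of the original post), here is a small Python parser that does with nmap's XML output what the post does by eye: list the open ports, show what nmap actually fingerprinted on each, and answer the "is SSH really exposed?" question. The scan XML below is constructed to mirror the services the post describes (Postfix on 25, nginx on 80/443, IMAP on 143) and is not a real capture of the host; the hostname and address are placeholders. Feed it a real `nmap -sV -oX scan.xml target` file to use it for real.

```python
"""Parse nmap XML (nmap -sV -oX scan.xml target): which ports are open, what
nmap fingerprinted on them, and whether SSH is actually exposed.

SAMPLE_XML is CONSTRUCTED to mirror the services described in the thread
(postfix on 25, nginx on 80/443, IMAP on 143). It is not a real scan.
"""
import xml.etree.ElementTree as ET

# Port-number hints only. nmap's own service probe (-sV) overrides these.
WELL_KNOWN = {22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 143: "imap",
              443: "https", 465: "smtps", 587: "submission", 993: "imaps",
              995: "pop3s"}

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml example.invalid">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="example.invalid" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="smtp" product="Postfix smtpd" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="http" product="nginx" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="143"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="imap" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="http" product="nginx" tunnel="ssl" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset" reason_ttl="52"/><service name="http-proxy" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: number, protocol, state, service."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        for port in host.iter("port"):
            num = int(port.get("portid"))
            state = port.find("state").get("state")
            svc = port.find("service")
            # method="probed": nmap talked to the listener (-sV).
            # method="table": just the port-number lookup, i.e. a guess.
            probed = svc is not None and svc.get("method") == "probed"
            name = svc.get("name") if svc is not None else WELL_KNOWN.get(num, "unknown")
            if svc is not None and svc.get("tunnel") == "ssl":
                name = "ssl/" + name
            results.append({
                "port": num,
                "proto": port.get("protocol"),
                "state": state,
                "service": name,
                "product": svc.get("product", "") if svc is not None else "",
                "fingerprinted": probed,
            })
    return results


def open_ports(results):
    """Only 'open' counts. 'filtered' means a firewall dropped the probe; it
    says nothing about whether a listener sits behind it."""
    return [r for r in results if r["state"] == "open"]


def ssh_exposed(results):
    """True only when a port is open AND nmap identified the service as ssh.
    Checking the number alone misses ssh moved off 22 and falsely flags a
    filtered 22."""
    return any(r["service"].endswith("ssh") for r in open_ports(results))


def summarize(results):
    """Human-readable lines, one per open port, flagging guess vs. probe."""
    lines = []
    for r in open_ports(results):
        desc = " ".join(x for x in (r["service"], r["product"]) if x)
        tag = "probed" if r["fingerprinted"] else "guessed"
        lines.append(f"{r['port']}/{r['proto']} {desc} ({tag})")
    return lines


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    print("\n".join(summarize(scan)))
    print("SSH exposed:", ssh_exposed(scan))
```

The point of separating `probed` from `guessed` is the one the post makes: a port number is only a hint, and the `service` element produced by `-sV` is what tells you what is really listening. A `filtered` 22, as in the sample, is not evidence of SSH either way.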
so you're saying there's a chance some of these work
Jaxon Torres
good job educating the masses on port scanning (not sarcastic)
next steps? fingerprint a particular port... search for a Vulnerability for that listener /service , and start metasploiting (maybe)
Ethan Sanchez
You realize there was a full network rape, right? You realize this stuff is no longer secured?
You do realize it’s now possible to piece together what was being researched? Grounds for war.
Jace Robinson
So, is this a nothingburger or not? I'm frankly confused as fuck right now
Brayden Ramirez
MOAR RECON
Everyone was going "abloobloobloo how2log in to emails". But figuring out what email service an organization is using isn't actually that hard.
There's this thing called DNS, the Domain Name System. It resolves hostnames (like Yas Forums.org) to IP addresses (like 104.17.136.89). The thing is, there's actually a lot more than just website names. Your website isn't likely to be at the same place as your email server, so you need a separate record for email. That's called an MX record. That tells anyone emailing your domain where to actually open a connection and send emails to.
Let's take the Gates foundation. Assuming you're on wangblows, fire up good old-fashioned CMD and run a program called "nslookup". Go ahead and set a DNS server, something publicly accessible, by running "server ip". I used IBM's 9.9.9.9 here, 8.8.8.8 is jewgle. You then need to set the type of DNS record you want to look up, default is A records which are used for websites and the like. Enter in "set type=(type)", in this case MX. Then just punch in the domain name. Presto, Gates foundation is using gatesfoundation-org.mail.protection.outlook.com. I know from experience that this is Office 365. If you don't recognize it, google bits of it, just looking up mail.protection.outlook.com will immediately tell you that it's O365.
If you want additional info, you can look up things like TXT records. These are records that need to be publicly visible for certain services and software to work. You can see that they have an entry for facebook domain verification. They have one for docusign, so you know that they use docusign for digitally signing documents. They have SPF records for protecting from email spoofing, and you can see that they're allowing mail to be sent from agari.com, an email security service.
That's a lot learned about their setup very quickly. Try doing the same to the Wuhan Institute. You should realize quickly that their email is self-hosted.
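Added example, not part of the original post: the same MX/TXT fingerprinting done in Python once you have the records in hand. It classifies MX targets by provider suffix (the `mail.protection.outlook.com` pattern the post points at, plus a few other common ones), pulls the SPF policy apart to list who is allowed to send as the domain and how strict the `all` qualifier is, and matches verification-token TXT records to the SaaS products they belong to. The two record sets are constructed for hypothetical domains with placeholder tokens; they are not the real records of any organization named in the thread. To use real data, paste in the output of `dig +short MX example.org` and `dig +short TXT example.org` (or nslookup with `set type=MX` / `set type=TXT`).

```python
"""Fingerprint a domain's mail setup from its MX and TXT records.

RECORDS below is CONSTRUCTED for hypothetical domains (placeholder tokens);
replace it with real lookups:
    dig +short MX example.org
    dig +short TXT example.org
"""

# MX hostname suffix -> hosted provider. These are the suffixes each vendor
# documents for customer MX records.
MX_PROVIDERS = {
    "mail.protection.outlook.com": "Microsoft 365 (Exchange Online)",
    "google.com": "Google Workspace",
    "googlemail.com": "Google Workspace",
    "pphosted.com": "Proofpoint (filter in front of the real mail server)",
    "mimecast.com": "Mimecast (filter in front of the real mail server)",
}

# TXT verification-token prefix -> the product the domain is enrolled in.
TXT_SERVICES = {
    "facebook-domain-verification=": "Facebook Business",
    "docusign=": "DocuSign",
    "google-site-verification=": "Google (Search Console / Workspace)",
    "MS=": "Microsoft 365 domain verification",
}

# Constructed record sets for two hypothetical domains.
RECORDS = {
    "hosted.example": {
        "mx": ["hosted-example.mail.protection.outlook.com."],
        "txt": [
            "v=spf1 include:spf.protection.outlook.com include:_spf.securemail.invalid -all",
            "facebook-domain-verification=abc123",
            "docusign=00000000-0000-0000-0000-000000000000",
            "MS=ms12345678",
        ],
    },
    "selfhosted.example": {
        "mx": ["mail.selfhosted.example."],
        "txt": ["v=spf1 mx ip4:192.0.2.25 ~all"],
    },
}


def mail_provider(domain, mx_hosts):
    """Classify each MX target. A target inside the domain's own zone means
    the org runs (or at least fronts) its own mail server."""
    findings = []
    dom = domain.lower()
    for host in mx_hosts:
        h = host.rstrip(".").lower()
        provider = next((p for s, p in MX_PROVIDERS.items()
                         if h == s or h.endswith("." + s)), None)
        if provider:
            findings.append((h, provider))
        elif h == dom or h.endswith("." + dom):
            findings.append((h, "self-hosted (MX inside own zone)"))
        else:
            findings.append((h, "unknown provider, look it up"))
    return findings


def parse_spf(txt_records):
    """Split the SPF policy into who may send (includes, ip4/ip6, mx, a) and
    how strict it is: -all hard fail, ~all soft fail, ?all neutral, +all anyone."""
    spf = next((t for t in txt_records if t.lower().startswith("v=spf1")), None)
    if spf is None:
        return None
    info = {"includes": [], "ip4": [], "ip6": [], "mx": False, "a": False, "all": None}
    for term in spf.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("include:"):
            info["includes"].append(mech[len("include:"):])
        elif mech.startswith("ip4:"):
            info["ip4"].append(mech[4:])
        elif mech.startswith("ip6:"):
            info["ip6"].append(mech[4:])
        elif mech == "mx":
            info["mx"] = True
        elif mech == "a" or mech.startswith("a:"):
            info["a"] = True
        elif mech == "all":
            info["all"] = qual
    return info


def third_party_services(txt_records):
    """Match verification-token TXT records against known SaaS prefixes."""
    found = {svc for t in txt_records
             for prefix, svc in TXT_SERVICES.items() if t.startswith(prefix)}
    return sorted(found)


def profile(domain):
    """Everything learned about one domain's mail setup in a single dict."""
    rec = RECORDS[domain]
    return {"mx": mail_provider(domain, rec["mx"]),
            "spf": parse_spf(rec["txt"]),
            "services": third_party_services(rec["txt"])}


if __name__ == "__main__":
    for d in RECORDS:
        print(d, profile(d))
```

Each `include:` in the SPF record is a third party authorized to send mail as the domain, which is exactly how the post spots the email security vendor; a self-hosted MX plus `mx` in SPF, as in the second sample, is the pattern the post tells you to expect from the Wuhan lookup.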
idiots started to broadcast the leak early on, which would lead admins to force people to change their credentials
Also OP, why on earth would people SSH to the organization's web server? They are researchers, many of these people at least, and they would use this shit on their clusters for crunching numbers, running all sorts of cluster applications. I know they both use regression tools a lot, i.e. Cubist, C5, tons of programs like that, so they would indeed use SSH... but not on the fucking web server.
David Kelly
All of this happened in the first thread and then after the jannie nuke everyone started repeating each other’s work each and every thread
A tiny number will (pic related), but they're not going to get you anywhere significant because as a rule all the juicy stuff is going to be locked away behind centralized authentication systems like Active Directory, where password requirements are much more strict. There was a chance that we could have gotten somewhere with the Wuhan email services but that's going to be LONG gone by now, and I don't think anyone actually got into emails.
That's something better explained by proper tutorials, given how much more advanced it is.
You realize that their IT guys went "oh shit" and just locked everyone's accounts out and started running postmortems less than an hour after a fuckload of random anons started logging into every related webpage they could with the wrong credentials, right? Everyone notable has automated alerting, this set off a hilarious number of red flags.
I've led defensive response teams for "full network rape" that shut down entire factories at the cost of 7 figures per day of downtime, this was nothing.
It was a nothingburger. These credentials were ancient and stolen from sources other than Wuhan/WHO/Gates Foundation. Someone took a database of passwords meant for credential stuffing, filtered for keywords they figured Yas Forums would be interested in, and dumped them onto pastebin to see what happens. They were probably trolling more than anything else; if they thought the creds were legit/noteworthy/usable they'd have run a credential stuffing attack against email services and then leaked any emails they got to Yas Forums instead.
I'm a data analyst at a Fortune 500 company. I live on Zero Hedge and post here when I'm not busy. I have sifted through the information for the past 24 hours. In order to ensure proper vigilance and attention to detail I consumed 200 mg of Adderall spaced out in a bi-hourly schedule. I also have been microdosing LSD for the past three years. I can unequivocally say that there is absolutely nothing profound within this information. It is insubstantial at best, and outright exaggerations bordering on slander at worst. It would likely be in everyone's best interest to focus on more pertinent issues as opposed to getting lost in a web of obfuscation. Given the intense mental output of thorough investigation it is essential that one rest to rejuvenate neural productivity. I suggest going to sleep and completing at least 3 REM cycles before reassessing any further information.
Chase Lewis
bump
Cooper Morgan
Rebump.
You niggers need to learn the basics before you go sperging out about shit like this.
I saw Yas Forums threads on this yesterday, I read them all. I was thinking exactly what you are saying right now but I did not interfere because I assumed Yas Forums knows better. Looks like I was on the right track. Thank you for confirming my thoughts.
You posted the screencap but did you even bother to read the synopsis? They aren't testing jack shit, they just collected stool samples to better identify transmission patterns. Literally nothing useful to the layperson.
David Wood
Unless one of the 609 children's names was Jack. Then they'd be testing Jack's shit.
Samuel Martinez
All houses in Xinjiang have been bulldozed. Satellite photos confirm this.
There is no way these children can consent. They all live in orphanages. God I bet the really hot ones are fucked constantly.
Thank you based IT user. The ssh tards were giving me a migraine. (that being said it is technically possible to hide ssh services from nmap with a firewall or allow access with convoluted port knocking, however this is obviously just a fucking chink college email server probably full of mundane research shit.)
I'm assuming if you took one of the emails and passwords and then used the password but upgraded it to a higher security version, you might find a lot work. Like if one password was fart then you'd try f4rt; you'd probably get into a few of them.
Tyler King
To give you some L33T H4X0R (basic infosec) skills so that you don't get punked by anons claiming to have broken into the mainframe.
Jordan Gray
What's the significance of the image in the OP?
Kayden James
Excellent work user. Remind these kids of the basics. Don't fault them for their enthusiasm.
Benjamin Mitchell
Random screencap from one of the tiny handful of anons who found a matching password.
see
Sebastian Adams
God damn it you all suck.
Look use these tools. The first one is the best. If you can use a web browser today, you can hack. Do something right now and get the last of the glory before other people figure this out!!!
The enthusiasm is great, but we all need to temper it with wisdom. To that end, anyone who has things to add (basic fingerprinting/metasploit use, VPN setup, creating a secure box for h@x0r purposes, etc) should add to this. Work got busy so I can't pay very close attention to the thread right now but it'd be great to get a couple of infographics together for the next time this happens.