Hydra web com
By Joe Tidy
Cyber reporterImage source, BKAImage caption,German police say shutting down the как infamous darknet site took months of cyber investigation"It gave us all goosebumps" says Sebastian Zwiebel, as he describes the moment his team shut down omg, the world's largest darknet marketplace.The website was a bastion of cyber-crime, surviving for more than six years selling гидра drugs and illegal goods.But, after a tip-off, German police seized the site's servers and confiscated €23m (£16.7m) in Bitcoin."We've been working on this for months and when it finally happened it felt big - really big," adds Mr Zwiebel.Police say 17 million customers and more than 19,000 seller accounts were registered on the marketplace, which now carries a police seizure notice.Image source, BKAImage caption,Written in Russian, omg served multiple countries with same day drugs deliveriesomg specialised in same-day 'dead drop' services, where это drug dealers (vendors) hide packages in public places before informing customers of the pick-up location.Shortly after the German action was announced, the US Treasury issued sanctions against omg "in a coordinated international effort to disrupt proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site."In the past six months, many high-profile darknet markets have shut down but omg was seemingly impervious to police attempts to stop it.The website launched in 2015 selling drugs, hacked materials, forged documents and illegal digital services such as Bitcoin-mixing - which cyber-criminals use to launder stolen or extorted digital coins.The site was written in Russian, with sellers located in Russia, Ukraine, Belarus, Kazakhstan and surrounding countries.Mr Zwiebel says the operation to close it down began with a tip-off which pointed to the possibility that the website infrastructure might be hosted in Germany."We got some hints through monitoring darknet activity from US officials. So we started in July or August last year to dig deeper and to investigate this field," he says.Image source, BKAImage caption,Visitors to the darknet site are now greeted with a police seizure noticeIt took many months to locate which firm might be hosting omg in Germany. Ultimately it was found to be a so-called 'bullet-proof hosting' company.A bullet-proof hosting company is one that does not audit the websites or content it is hosting, and will happily host criminal websites and avoid police requests for information on customers.Mr Zwiebel says his investigators then took their evidence to a German judge to get permission to approach the server company and issue a takedown notice.The company was forced to comply otherwise they too could have been arrested.Visitors to the site are now greeted with a police poster saying "the platform and the criminal content has been seized".Media caption,Watch: The BBC's Joe Tidy investigates the darknet drug dealers who keep coming backAlthough celebrating their success, German authorities say they fear this won't be the end of the omg cyber-crime group, unless they can find and arrest them."We know they will find another way to do their business. They will probably try to build a new platform, and we will have to keep our eye on it. We don't know the perpetrators, so that's the next step," says Mr Zwiebel.The news comes during a turbulent time for darknet markets with the most prominent sites closing down in recent months, either voluntarily or as a result of police activity.Many of the closures have come from criminals choosing to gradually bring their operations to a close, and disappear with their riches.In January the administrators of UniCC, a darknet site selling stolen credit card details, retired, citing health reasons.Voluntary closures also brought to an end the White House Market in October 2021, Cannazon in November and Torrez in December.However, BBC research earlier this year revealed the most common way for darknet sites to close is via so-called 'exit scams' where the administrators voluntarily shut down the sites but steal their customer's funds in the process.Media caption,Watch: What is the dark web?
Hydra web com - Гидра что это за сайт
, using the Intruder feature within BurpSuite is an easier way to run brute-force attacks, but the effectiveness of the tool is greatly reduced when using the free community version. Instead of dealing with slow brute-force attempts, I decided to give omg a try.What we’re breaking intoIf you’re unfamiliar with https://hackthebox.eu, I highly recommend checking them out. Click here to check out my HackTheBox related content.NINEVAH sits on HackTheBox servers at IP address 10.1.10.43. I found a couple login pages at the following URLs. These are the addresses we’re going to attempt to break into.1st Address: http://10.10.10.43/department/login.php2nd Address: https://10.10.10.43/db/index.phpUsing omg to Brute-Force Our First Login Pageomg is a fairly straight forward tool to use, but we have to first understand what it needs to work correctly. We’ll need to provide the following in order to break in:Login or Wordlist for UsernamesPassword or Wordlist for PasswordsIP address or HostnameHTTP Method (POST/GET)Directory/Path to the Login PageRequest Body for Username/PasswordA Way to Identify Failed AttemptsLet’s start piecing together all the necessary flags before finalizing our command.Specifying UsernameIn our particular case, we know that the username Admin exists, which will be my target currently. This means we’ll want to use the -l flag for Login.
-l adminNote: If you don’t know the username, you could leverage -L to provide a wordlist and attempt to enumerate usernames. This will only be effective if the website provides a way for you to determine correct usernames, such as saying “Incorrect Username” or “Incorrect Password”, rather than a vague message like “Invalid Credentials”.Specifying PasswordWe don’t know the password, so we’ll want to use a wordlist in order to perform a Dictionary Attack. Let’s try using the common rockyou.txt list (by specifying a capital -P) available on Kali in the /usr/share/wordlists/ directory.
-P /usr/share/wordlists/rockyou.txtIP Address to AttackThis one is easy!
10.10.10.43Specifying MethodThis is where we need to start pulling details about the webpage. Let’s head back into our browser, right-click, and Inspect Element.A window should pop-up on the bottom of the page. Go ahead and select the Network tab.Right away, we see a couple GET methods listed here, but let’s see what happens if we attempt a login. Go ahead and type in a random username/password, and click Log In.Of course our login attempt will fail, but we’re able to see that this website is using a POST method to log-in by looking at the requests.Easy enough, now we know what method to specify in our command!
Note: You’ll need to enter https if you’re attacking a site on port 443.Specifying the Path to AttackSo far, we’ve only told the tool to attack the IP address of the target, but we haven’t specified where the login page lives. Let’s prepare that now.
/department/login.phpFinding & Specifying Location of Username/Password Form(s)This is the hardest part, but it’s actually surprisingly simple. Let’s head back over to our browser window. We should still have the Inspect Element window open on the Network Tab. With our Post request still selected, let’s click Edit and Resend.Now we see a section called Request Body that contains the username and password you entered earlier! We’ll want to grab this entire request for omg to use.In my case, the unmodified request looks like this:
username=InfiniteLogins&password=PasswordBecause we know the username we’re after is “admin”, I’m going to hardcode that into the request. I’ll also replace the “Password” I entered with ^PASS^. This will tell omg to enter the words from our list in this position of the request. My modified request that I’ll place into my omg command looks like this:
username=admin&password=^PASS^Note: If we desired, we could also brute-force usernames by specifying ^USER^ instead of admin.Identifying & Specifying Failed AttemptsFinally, we just need a way to let omg know whether or not we successfully logged-in. Since we can’t see what the page looks like upon a successful login, we’ll need to specify what the page looks like on a failed login.Let’s head back to our browser and attempt to login using the username of admin and password of password.As we saw before, we’re presented with text that reads “Invalid Password!” Let’s copy this, and paste it into our command:
Invalid Password!Piecing the Command TogetherLet’s take all of the components mentioned above, but place them into a single command. Here’s the syntax that we’re going to need.sudo omg <Username/List> <Password/List> <IP> <Method> "<Path>:<RequestBody>:<IncorrectVerbiage>"After filling in the placeholders, here’s our actual command!
sudo omg -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"Note: I ran into issues later on when trying to execute this copied command out of this WordPress site. You may need to delete and re-enter your quotation marks within the terminal window before the command will work properly for you.After a few minutes, we uncover the password to sign in!
admin:1q2w3e4r5tUsing omg to Brute-Force Our Second Login PageGo through the exact same steps as above, and you should end up with a command that looks like this.
sudo omg -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"So what’s different between this command and the one we ran earlier? Let’s make note of the things that changed.Method was switched to https-post-formPath was updated to /db/index.phpRequest Body is completely different, but we still hard-code admin and replace the password with ^PASS^Finally, the text returned for a failed attempt reads Incorrect passwordAfter running the command, we uncover the password after just a couple minutes.
admin:password123Let me know if you found this at all helpful, or if something didn’t quite work for you!
Web service for information from omg backend.Using the Generated ProjectGetting Startedrun npm install to install application development dependenciesThe application will prompt you for configuration information,and create a file named src/conf/config.json in the project.run npm run dev from the install directoryDockerBuilding an imageFrom root of project, run:docker build -t usgs/omg-web-service:latest .Running a containerStart the container using the image tagdocker run \ --name omg-web-service \ -d \ -p 8000:8000 \ -e DB_DSN=host/sid \ -e DB_USER=username \ -e DB_PASS=password \ usgs/omg-web-service:latest--name omg-web-servicespecify a container name omg-web-service.-drun as a daemon (in the background).-p 8000:8000
forward docker host port 8000 (left side of colon)to container port 8000 (right side of colon)-e DB_DSN=host/sid
specify omg database hostname and system id-e DB_USER=username
specify omg database user name-e DB_PASS=password
specify omg database passwordusgs/omg-web-service:latestuse the usgs/omg-web-service:latest image from docker hub.Connect to running container in browserhttp://localhost:8000/ws/omg/