Netstalking: Difference between revisions

From ICO wiki
Revision as of 03:32, 5 May 2021


Nesca

Older interface of Nesca

Nesca is a Network Scanning tool, used to scan IP addresses and the ports associated with said addresses, as well as to do minimal bruteforcing on the protocols found. It was created by the group “Iskopazi” (Russian “Ископази”). The group itself was founded around the year 2010, and the sources claim that the key to the original version of Nesca was available on the /b/ board of the imageboard d3w.org, which, by 4chan standards, is probably a random board. That link is now dead, and unlike 4chan, no archives of the site can be found.[1] This unfortunately means that we don’t have a clear date for Nesca’s publication, but the repository with the earliest commits can be dated to 8 August 2012.[2]

One detrimental feature it had in the past was that it used to send all the scanned ports and usage data to d3w.org[1], but since the source code is widely available now, that feature seems to be optional. It was also suspected that Nesca was a possible trojan vector[1], but according to the most recent GitHub README, a partial audit was done on Nesca, and it can be considered as safe as anyone considers any application on which a partial audit was done by some Russian guy.[3] From this information we can infer that the date we have above, 08/08/2012, is probably a later publication than the original release, because otherwise suspicions about the source code wouldn’t have been so rampant. At any rate, hackers shouldn’t be worried about the application’s security when the source code is right in front of them.

Features

For its time, Nesca has a very “hackery” design, and comes with several features, most of which we already mentioned: scanning IP address and port combinations, and bruteforcing them. One more function is scanning DNS names and port combinations and bruteforcing those, which is essentially the same but can save time on lookups; plus, a lot of sites have API or other endpoints associated with the same IP as their website, due to the old-school monolithic design of sites and general hosting costs. It also needs to be stated that during the earliest versions of Nesca, microservices architecture wasn’t nearly as ubiquitous as it is today.

As already mentioned, Nesca does the bruteforcing on our behalf. This functionality can be adjusted in several ways: IP addresses can be read from a file or input directly, the number of threads used to bruteforce the logins can be adjusted, and we can provide the login/password lists. How do we do this? The number of threads is pretty self-evident, it’s right there on the interface. The IP address range is quite an easy parameter to give: just give the start and end addresses of the range, or input IP address ranges separated by commas. As mentioned, a list can also be imported through Import->Import&Scan, which lets us choose a .txt file in which the IPs are listed. The password lists can’t be edited from the application, but looking at the contents of the repository, after some head scratching and inspecting the code, it can be safely said that the files in the “pwd_lists” directory, such as ftplogin.txt and its complement ftppass.txt, can be edited to include relevant usernames and passwords.
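Seen from the target’s side, the wordlist-driven FTP bruteforcing just described leaves a burst of failed logins with many distinct usernames coming from one client. The detector below is an added example written for this article, not Nesca’s code or anything from the handbook; the vsftpd-style log lines are constructed, and the 60-second window and 5-failure threshold are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample vsftpd log lines (not real traffic). 198.51.100.7 walks a
# login list the way a pwd_lists-style brute force does; 203.0.113.9 is one
# user mistyping a password twice before logging in.
SAMPLE_LOG = """\
Tue May  4 03:10:01 2021 [pid 2101] [admin] FAIL LOGIN: Client "198.51.100.7"
Tue May  4 03:10:01 2021 [pid 2102] [root] FAIL LOGIN: Client "198.51.100.7"
Tue May  4 03:10:02 2021 [pid 2103] [ftp] FAIL LOGIN: Client "198.51.100.7"
Tue May  4 03:10:02 2021 [pid 2104] [user] FAIL LOGIN: Client "198.51.100.7"
Tue May  4 03:10:03 2021 [pid 2105] [test] FAIL LOGIN: Client "198.51.100.7"
Tue May  4 03:10:03 2021 [pid 2106] [guest] FAIL LOGIN: Client "198.51.100.7"
Tue May  4 03:15:40 2021 [pid 2110] [alice] FAIL LOGIN: Client "203.0.113.9"
Tue May  4 03:15:55 2021 [pid 2111] [alice] FAIL LOGIN: Client "203.0.113.9"
Tue May  4 03:16:10 2021 [pid 2112] [alice] OK LOGIN: Client "203.0.113.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_failures(text):
    """Yield (timestamp, client_ip, username) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip"), m.group("user")


def find_bruteforce(text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: {"failures": n, "users": [...]}} for every client with at
    least `threshold` failures inside some `window`-long span. Many distinct
    usernames from one source is the wordlist signature worth alerting on."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"failures": len(events),
                            "users": sorted({u for _, u in events})}
                break
    return hits
```

With the defaults only the list-walking client is reported; lowering the threshold to 2 also catches the legitimate user’s two typos, which is the false-positive trade-off any such rule has to tune.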

The interface of the tool also has several nifty features for discovery analysis: ME2 mode shows the frequency of several types of addresses discovered: Cameras, Basic Auth, Other, Overloads and Alive connections. This seems a bit lackluster; however, the QoS and Pie Statistics modes also provide information on the number of SSH hosts. While this might seem interesting, SSH is often secured by public keys, which cannot simply be bruteforced by some tool, hence it makes sense that the SSH part was ignored and only cameras and FTPs, which are understandably insecure, are actually considered as targets, at least judging by most of the search results for “как использовать Nesca” (“How to use Nesca”; Russian, because the tool is not as popular outside of post-Soviet lands).

One more interesting and probably more important feature: Nesca also generates a hefty HTML report file in the folder it is run in, complete with the same style of interface as Nesca itself. This saves us from scanning the whole IP address range again every time we want to dig for information. The final use-case of Nesca, which is probably the most common one, considering what segment of the Russian population does hacking for fun with third-party tools, is leaving it overnight to do its job and coming back the following morning to collect the spoils.

What Nesca lacks to be more than just a hacking-as-a-hobby tool is a CLI, through which it could be deployed to several devices so that more sophisticated and evenly spread scans could be executed, as well as an updated UI; it also has an ungodly degree of incompatibility with Linux: it completely ignores the maximum height of the screen and refuses to be resized.

Nesca looks like a very old tool. Even though the audit was done two years ago and some Russian GitHub dweller decided to pick the tool up and “optimize” it (godspeed to him), the youngest significant contribution to the tool is already four years old. Other than that, the design and intent of the tool give its age away. As already pointed out, it really is a hacking-as-a-hobby tool, because judging first by functionality and subsequently by the traffic that the Russian internet has generated around it, its main use-case is scanning for cameras or FTPs and then “lurking” there, with the intent of collecting information.

For all intents and purposes, Nesca should not be taken seriously by any serious security researcher, but for Netstalking it is perfect. Netstalking isn’t just about collecting mass data and analyzing it the Facebook way, to then sell it. No, Netstalking is about collecting data just for the sake of collecting it, and this vividly reflects the activity the post-Soviet working class engages in most in their free time: looking out of their windows, silently observing the world, but in a slightly more digitalized way.

  1. "The Netstalking Handbook", https://codernet.ru/books/hacking/oznakomitelnoe_rukovodstvo_po_netstalkingu/. Retrieved 12.03.2021
  2. "Oldest repository of Nesca", https://bitbucket.org/emopidor/nesca/src/master/. Retrieved 05.05.2021
  3. "The Nesca audit", https://github.com/enemy-submarine/nesca_audit