functionality_overview [2023/01/28 13:07]
kaduuwikiadmin
functionality_overview [2023/05/22 20:40] (current)
Line 1: Line 1:
====== KADUU MAIN FEATURES OVERVIEW ======

In most areas, passive monitoring takes place. Thus, we do not actively scan for vulnerabilities or open ports. We use Kaduu to show what a hacker can learn about an organization. This includes leaked data, shadow IT, any sensitive information on hacker forums or the deep web, etc. Thus, most searches are past-oriented and show the consequences of security incidents. However, there are also functions that serve to prevent security incidents. For example, domain monitoring helps to detect phishing and malware attacks in preparation.

----

===== DOMAIN MONITORING =====
Line 74: Line 80:
  
===== Hacker Forum Monitoring =====

**What is the threat?**
Line 104: Line 111:
  
===== Telegram Monitoring =====

**Introduction**
Line 133: Line 141:
----

===== Bucket and Cloud Storage Monitoring =====

**Introduction**
Line 161: Line 170:
----

===== Github Monitoring =====

**Introduction**
Line 187: Line 197:
----

===== Google Dork Monitoring =====

**Introduction**
Line 216: Line 227:
  
===== Certificate Transparency Log Monitoring =====

Many certificate services automatically issue domain-validated (DV) certificates to websites after checking the URL's phishing status against the Google Safe Browsing API. Once issued, the issuer does not monitor the certificates or take any action afterward. Even if Google later flags the domain as malicious, the issuer will not revoke the certificate. As a result, many phishing websites are secured with SSL certificates that spoof the legitimate client's name. By monitoring the certificate logs, you can detect if your organization's name gets spoofed on SSL certificates. This is possible because the issuer submits all of its certificates to a certificate transparency log, a mechanism designed to increase public transparency into the activities of CAs. These logs can be accessed by Kaduu.
Line 257: Line 269:
  * Sectigo RSA Domain Validation Secure Server CA

**More information**

Please click [[certificate_monitoring|here]] for more information on the search syntax.
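The check described above, as an added example that is not Kaduu's code: it reads certificate-transparency rows in the shape a crt.sh keyword query returns (issuer name plus a newline-separated list of subject names), and reports every name that mentions the organization keyword but is not one of its own domains. The rows, the keyword ''examplebank'' and the domain list are constructed placeholders for this example.

```python
"""Flag certificate-transparency entries whose names spoof an organization.

Added example (not Kaduu's code). Input format mimics the JSON rows that
crt.sh returns for a keyword query: one entry per certificate with the
issuer name and a newline-separated list of subject names (SANs). The
entries below are constructed for this example; the keyword and domain
list are placeholders for your own organization.
"""
import json

# Constructed sample: four certificates as a CT-log search would report them.
SAMPLE_CT_ROWS = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "examplebank.com\nwww.examplebank.com",
     "not_before": "2023-05-01T10:00:00"},
    {"issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA",
     "name_value": "examplebank-login.com\nwww.examplebank-login.com",
     "not_before": "2023-05-10T08:30:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.examplebank.com",
     "not_before": "2023-05-12T12:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "secure.example-bank.net",
     "not_before": "2023-05-15T09:15:00"},
])


def normalize(name: str) -> str:
    """Lower-case a SAN, drop a leading wildcard label and a trailing dot."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def is_legitimate(host: str, legit_domains) -> bool:
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def mentions_org(host: str, keyword: str) -> bool:
    """Keyword match that ignores hyphens and dots so 'example-bank' still hits."""
    squashed = host.replace("-", "").replace(".", "")
    return keyword.replace("-", "") in squashed


def find_spoofed_names(ct_rows_json: str, keyword: str, legit_domains):
    """Return (host, issuer, not_before) for every SAN that names the
    organization but does not belong to one of its legitimate domains."""
    findings = []
    for row in json.loads(ct_rows_json):
        for san in row["name_value"].split("\n"):
            host = normalize(san)
            if mentions_org(host, keyword) and not is_legitimate(host, legit_domains):
                findings.append((host, row["issuer_name"], row["not_before"]))
    # newest first, then by name, with duplicate SANs collapsed
    return sorted(set(findings), key=lambda f: (f[2], f[0]), reverse=True)


if __name__ == "__main__":
    for host, issuer, seen in find_spoofed_names(SAMPLE_CT_ROWS, "examplebank", {"examplebank.com"}):
        print(f"{seen}  {host:<35}  issued by: {issuer}")
```

The legitimate-domain check is a suffix match on a dot boundary, so a look-alike such as ''examplebank.com.evil.net'' is reported rather than whitelisted; the hyphen-insensitive keyword match is what catches ''example-bank.net''.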
  
----
  
===== Paste Site Monitoring =====

Pastebin allows users to share text in the form of public posts called "pastes". Since the launch of Pastebin, many similar web applications called "paste sites" have appeared. Paste sites are usually used for sharing code; however, any data in text form can be uploaded and shared. The Pastebin search tool allows users to find relevant content based on keywords. Pastebin also relies on users to report abuse, which means non-compliant pastes are rarely removed. This allows hackers to easily and anonymously publish data in an accessible location. Pastebin and similar websites are hosted on the Deep Web: they can be viewed in a normal Internet browser, but their content is not indexed by Google and other traditional search engines. Users have to use the internal keyword search function to find specific content, or get paste links directly from other users. There are also paste sites on the dark web that offer increased anonymity via the Tor browser and are focused exclusively on illegal activities. For example, DeepPaste on the Dark Web is mainly used for advertising illegal goods or services. Hackers thus use paste sites to prepare attacks or even to anonymously publish data from successful attacks. Therefore, it is important to monitor them.
Line 293: Line 309:
  
  
**More information**

Please click [[paste_git_monitoring|here]] for more information on the search syntax.


----
 +
===== Credit Card Monitoring =====

**How are credit cards leaked to the darknet?**

Credit card information can be leaked to the darknet in a variety of ways. Some of the common methods include:

  * Data breaches: Hackers can gain unauthorized access to a company's databases and steal sensitive information, including credit card numbers. This information can then be sold on the darknet.
  * Phishing scams: Hackers may use phishing scams to trick individuals into providing their credit card information. This information can then be sold on the darknet.
  * Skimming: Hackers may use small devices called skimmers to steal credit card information from point-of-sale terminals. This information can then be sold on the darknet.
  * Malware: Hackers may use malware to infect a computer or a mobile device and steal credit card information that is stored on it. This information can then be sold on the darknet.
  * Insider threats: Employees or contractors with access to sensitive information may steal credit card information and sell it on the darknet.
  * Physical card theft: Credit card information can be stolen by physically stealing a credit card and using it or selling the information to a third party.

Once the credit card information is obtained, it can be sold on darknet marketplaces, as well as on other forums, chat groups, and hidden services. Darknet marketplaces are platforms where illegal goods and services are traded, and credit card information is one of the most common types of items sold there.

**How do we obtain credit card info?**

We mainly collect freely available credit card log dumps. Those dumps might not contain the very latest card data, which is usually sold for a high price, but they can still help owners identify whether their card was affected by a leak in the past. Occasionally we also buy dumps and make them available in Kaduu's Elasticsearch database.

**How much does it cost if you had to buy stolen credit card data on the darknet?**

The cost of buying stolen credit card information on the darknet varies depending on a number of factors, including the type of card, the card's issuing country, and the amount of information that is included with the card.

Typically, a single credit card number, known as a "dump", can be sold for a few dollars. A "dump" is the information on the magnetic strip of a credit card, which can be used to make fraudulent purchases in-store.

On the other hand, a full package of information for a credit card, known as "fullz", which includes the cardholder's name, address, date of birth, social security number and other personal information, can be sold for $10-$50. Fullz are used to make fraudulent purchases online, open bank accounts, apply for loans, and for other financial fraud.

It is important to note that these prices are only an estimate and the cost may vary depending on the source and the quantity of data available. Prices also change over time and differ by location and vendor.

**How can you find credit cards in Kaduu?**

The credit card data published comes from leaks that have already been published on the darknet. New cards are added continuously; the database is updated weekly, or daily for major leaks. You find the Credit Card Search in the expert mode only. On this page you can search a database of indexed credit card leaks. Credit cards are displayed in masked form. When searching the database, you may enter the first 6 and last 4 digits and replace all middle digits with "X", so that you do not expose your full credit card number to the system. Otherwise, the number is hashed with the SHA-256 algorithm before being sent to our server.

**More information**

Please click [[credit_card_search|here]] for more information on the search syntax.
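The two query forms described above (first 6 and last 4 digits with the middle replaced by "X", or a SHA-256 hash of the full number), as an added example that is not Kaduu's client code. It also runs a Luhn check first so a mistyped number is rejected before anything is sent. The card number used is a constructed test value that passes Luhn, not an issued card.

```python
"""Prepare a card number for a leak lookup without exposing the full PAN.

Added example (not Kaduu's code). The page states two ways to query the
credit card index: submit the first 6 and last 4 digits with the middle
digits replaced by "X", or let the full number be hashed with SHA-256
before it leaves the client. This script shows both transformations plus
a Luhn check that catches typos before anything is sent. The card number
used at the bottom is a constructed test value, not a real card.
"""
import hashlib
import re


def digits_only(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("card number must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check; False means a typo, not a leak."""
    total = 0
    for i, ch in enumerate(reversed(digits_only(pan))):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """BIN (first 6) + X for each middle digit + last 4: the masked search form."""
    digits = digits_only(pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str) -> str:
    """SHA-256 hex digest of the normalized PAN: the form sent for an exact lookup."""
    return hashlib.sha256(digits_only(pan).encode("ascii")).hexdigest()


def prepare_query(pan: str, masked: bool = True) -> str:
    """Return the string that would be sent: masked pattern or SHA-256 hash."""
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed; re-check the number before searching")
    return mask_pan(pan) if masked else hash_pan(pan)


if __name__ == "__main__":
    # Constructed test number (passes Luhn; not an issued card).
    test_pan = "4111 1111 1111 1111"
    print("masked :", prepare_query(test_pan))
    print("hashed :", prepare_query(test_pan, masked=False))
```

Normalizing (spaces and dashes removed) before hashing matters: the same card typed with or without separators must produce the same digest, or the lookup silently misses.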


----
 +
===== Ransomware Site Monitoring =====

**Introduction**

Ransomware hackers have escalated their extortion strategies by stealing files from victims before encrypting their data. These stolen files are then used as further leverage to force victims to pay. Many ransomware groups have created data leak sites to publicly shame their victims and publish the files they stole. These are called "hall of shame" websites: websites that publicly list the organizations and companies that have been victims of ransomware attacks. They typically include the names of the organizations, the date of the attack, and the amount of ransom demanded by the attackers. Some sites may also include information about the type of ransomware used in the attack, and whether or not the victim paid the ransom.

The main goal of these websites is to raise awareness about the growing threat of ransomware and to encourage organizations to take steps to protect themselves from these types of attacks. These sites also serve as a warning to other organizations and individuals about the dangers of not having proper cyber security measures in place.

It's important to note that the inclusion of a company or an organization on a ransomware hall of shame website doesn't mean that the victim didn't have any cyber security measures in place; it could be that the attackers found a way to bypass them. Also, some organizations may choose not to publicize the attack, in which case the attack may not be listed on these websites.

**Why is it useful to monitor this?**

One would expect that the company affected by a ransomware attack would be the first to know about it. However, there are several scenarios in which this should be monitored:

  * Some companies are decentralized with different subsidiaries. The flow of information to a central location does not always work. In such cases, monitoring helps to keep track of the situation, even if a remote office abroad is affected by an attack.
  * It makes sense to also include suppliers and partners in the monitoring. For example, if a partner is hit by a ransomware attack, the company itself may also be affected: the attacked company's data (price lists, email communication, contracts, etc.) may also mention your own company.
  * It can also make sense for organizations to monitor ransomware hall of shame websites as a way to stay informed about the latest ransomware attacks and trends. By monitoring these websites, organizations can gain insight into the types of attacks that are being carried out, the industries and types of organizations that are being targeted, and the ransom demands that are being made. This information can help organizations to better understand the threat landscape and to take steps to protect themselves from similar attacks.
  * Additionally, monitoring these websites can help organizations to identify potential indicators of compromise, such as specific ransomware variants or attack methods that are being used. This information can be used to improve the organization's incident response and incident management capabilities.

**More information**

Please click [[ransomware_site_monitoring|here]] for more information on the search syntax.
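The watchlist idea from the bullets above (own company, subsidiaries, suppliers and partners matched against leak-site listings), as an added example that is not Kaduu's code. The listings, the group names and the watchlist are all constructed; the point it adds is the name normalization, since leak sites rarely spell a victim exactly the way it appears in your supplier register.

```python
"""Match a watchlist (own company, subsidiaries, suppliers) against
ransomware leak-site listings.

Added example, not Kaduu's code. The listings below are constructed;
real leak-site posts vary in format, so the matcher only relies on a
victim name, the group, and a post date. Company names are normalized
(case, punctuation, legal suffixes) so "ACME Logistics GmbH" still
matches a post titled "acme-logistics".
"""
import re

LEGAL_SUFFIXES = {"gmbh", "ag", "inc", "ltd", "llc", "corp", "co", "sa", "plc", "bv"}

# Constructed sample listings as a leak-site monitor might store them.
SAMPLE_LISTINGS = [
    {"group": "groupA", "victim": "ACME Logistics GmbH", "posted": "2023-05-18"},
    {"group": "groupB", "victim": "Northwind Traders Inc.", "posted": "2023-05-19"},
    {"group": "groupA", "victim": "acme-logistics-asia", "posted": "2023-05-20"},
    {"group": "groupC", "victim": "Contoso Pharma", "posted": "2023-05-21"},
]

# Constructed watchlist: who we are, plus partners whose data may mention us.
WATCHLIST = [
    {"name": "Contoso Pharma AG", "role": "own company"},
    {"name": "ACME Logistics", "role": "supplier"},
    {"name": "Fabrikam", "role": "partner"},
]


def normalize(name: str) -> list:
    """Lower-case, split on non-alphanumerics, drop legal-form suffixes."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    return [t for t in tokens if t and t not in LEGAL_SUFFIXES]


def contains_sequence(haystack: list, needle: list) -> bool:
    """True if needle tokens appear contiguously, in order, inside haystack."""
    n = len(needle)
    return n > 0 and any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def match_listings(listings, watchlist):
    """Return (watch name, role, group, victim, posted) for every hit, oldest first."""
    hits = []
    for entry in watchlist:
        needle = normalize(entry["name"])
        for post in listings:
            if contains_sequence(normalize(post["victim"]), needle):
                hits.append((entry["name"], entry["role"], post["group"], post["victim"], post["posted"]))
    return sorted(hits, key=lambda h: h[4])


if __name__ == "__main__":
    for name, role, group, victim, posted in match_listings(SAMPLE_LISTINGS, WATCHLIST):
        print(f"{posted}  [{role:<11}] {name!r} matched leak post {victim!r} by {group}")
```

Token-sequence matching rather than plain substring matching keeps short names from firing on unrelated victims (''co'' inside ''Contoso'' would be a false positive under a substring test), while still catching the regional subsidiary ''acme-logistics-asia''.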

----

===== Bot Monitoring =====

**What is a bot or a botnet?**

Malware bots and Internet bots are a type of malware that can be programmed to hack into user accounts, search the Internet for contact information, send spam, or carry out other malicious activities. To disguise the origin of such attacks, attackers can also distribute malicious bots through a botnet, that is, a bot network. A botnet consists of a number of devices connected to the Internet and running one or more bots without the knowledge of the respective device owner. Because each device has its own IP address, botnet traffic originates from a variety of IP addresses, making it harder to spot and block its point of origin. Botnets also self-propagate to more devices, which can then send out spam and in turn infect more machines.

If an IP, host name or username pops up in the Kaduu logs, it means it has been infected with a malicious bot.

**Where can you obtain botnet logs in the darknet?**

Botnet logs can be obtained in various darknet marketplaces, forums, and websites. These marketplaces and forums are typically used by cybercriminals to buy and sell stolen data, malware, and other illegal goods and services. Some examples include:

  * Tor-based marketplaces: Tor is an anonymity network that allows access to hidden services on the darknet. Some marketplaces, like the now-defunct Dream Market, have offered botnet logs for sale.
  * Hacking forums: Some hacking forums, like the now-defunct Hackforum or Exploit, have a section dedicated to the sale of botnet logs.
  * Darknet chat rooms: Some hackers use chat rooms or chat apps like Telegram to sell botnet logs.

It's important to note that access to these sites and marketplaces can be challenging: they are often hidden and may require specific software or knowledge to access. Additionally, these sites and marketplaces are often taken down by law enforcement, or go offline for other reasons, so the availability of botnet logs on the darknet varies over time.

It's also important to note that accessing these sites and attempting to purchase botnet logs is illegal in most countries, and could lead to serious consequences such as civil or criminal charges. Additionally, these sites may host malware, so accessing them could also put your device at risk.

**What type of devices are more likely to be infected with bots?**

Malicious bots, also known as malware bots or botnets, can infect a wide range of devices, including personal computers, servers, and mobile devices. However, certain types of devices and users are more likely to be targeted than others. Public servers are much less likely to be infected with bots than private computers. Here are the most exposed device types:

  * Personal computers: Home users are often targeted by botnets because they may have weaker security protections in place than organizations. Additionally, botnets can spread through infected email attachments, infected software downloads and infected webpages, which are all common for home users.
  * Servers: Businesses and organizations that operate servers are also at risk of botnet infections, particularly those that have a significant online presence, such as e-commerce websites or web hosting companies.
  * Internet of Things (IoT) devices: The increasing popularity of IoT devices, such as smart cameras, routers, and home automation systems, has led to a rise in botnet infections targeting these devices. IoT devices often have weaker security protections and are easily compromised, making them a prime target for botnet operators.
  * Mobile devices: Mobile devices can also be infected with botnets, particularly those that run on older or unpatched versions of the operating system. This can happen through infected apps downloaded from non-official stores, or through infected webpages visited using the mobile browser.

**How are bot logs accessible in Kaduu?**

There are two search pages:

  - **Bot Record Search:** On the bot record search page you can search a database of indexed stealer bot records. The information is collected from stealer (trojan) logs distributed on hacker forums and marketplaces. This index is different from bot search, as it indexes separate records.
  - **Bot Search:** On this page you can search a database of indexed stealer bots. The information is collected from stealer (trojan) logs distributed on hacker forums and marketplaces. This index is different from bot record search, as it indexes bots and not separate records.

**Bot Record Details**

If you want to see the details of a bot record, please click on the IP address. You will then see the path of the file that led to the malware infection. More details about the user, the internet history and web calls will also be visible.

**More information**

Please click [[bot_search|here]] for more information on the search syntax.
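The two views described above (per record and per bot), as an added example that is not Kaduu's code. The stealer records are constructed in a simple pipe-separated format that stands in for a parsed log (real stealer families each have their own layout); IPs, paths and accounts are placeholders. The output is what an incident responder needs from a bot record: which corporate accounts to reset and, per infected machine, the file path that led to the infection.

```python
"""Triage stealer-bot records for a corporate domain.

Added example, not Kaduu's code. The records are constructed in a simple
line format (bot_ip|infection_path|url|username|password) that stands in
for a parsed stealer log; real logs differ per malware family. It shows
the two views the page describes: per record (which accounts leaked) and
per bot (which infected machine leaked them). Passwords are never kept or
printed; only their length is retained so the owner can judge exposure.
"""
from collections import defaultdict

# Constructed sample records; IPs, paths and accounts are placeholders.
SAMPLE_RECORDS = """\
203.0.113.10|C:\\Users\\alice\\Downloads\\invoice_viewer.exe|https://mail.example.com/owa|alice@example.com|Sup3rSecret!
203.0.113.10|C:\\Users\\alice\\Downloads\\invoice_viewer.exe|https://vpn.example.com/login|alice@example.com|Sup3rSecret!
203.0.113.10|C:\\Users\\alice\\Downloads\\invoice_viewer.exe|https://shop.example.net/|alice.private@gmail.com|hunter2
198.51.100.7|C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|https://portal.example.com/|bob@example.com|bobpass
198.51.100.7|C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|https://forum.example.org/|bobby99|bobpass
"""


def parse_records(text: str):
    """Split the pipe-separated lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        bot_ip, path, url, user, pw = parts
        records.append({"bot_ip": bot_ip, "path": path, "url": url,
                        "user": user, "pw_len": len(pw)})  # password itself dropped
    return records


def corporate_records(records, domain: str):
    """Bot Record view: every record whose username is an account on our domain."""
    suffix = "@" + domain.lower()
    return [r for r in records if r["user"].lower().endswith(suffix)]


def bots_by_exposure(records, domain: str):
    """Bot view: one row per infected machine, with the corporate accounts
    and the infection path, so an IR team can locate and clean the host."""
    bots = defaultdict(lambda: {"path": None, "accounts": set(), "sites": set()})
    for r in corporate_records(records, domain):
        bot = bots[r["bot_ip"]]
        bot["path"] = r["path"]
        bot["accounts"].add(r["user"])
        bot["sites"].add(r["url"])
    return {ip: {"path": b["path"], "accounts": sorted(b["accounts"]),
                 "sites": sorted(b["sites"])} for ip, b in bots.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for ip, bot in bots_by_exposure(recs, "example.com").items():
        print(f"bot {ip}: infected via {bot['path']}")
        print(f"  accounts to reset: {', '.join(bot['accounts'])}")
        print(f"  leaked logins for: {', '.join(bot['sites'])}")
```

The domain filter is a suffix match on ''@domain'', so private accounts saved in the same browser (''alice.private@gmail.com'') and bare usernames (''bobby99'') are excluded from the corporate reset list, while every corporate login on a machine is grouped under that machine's IP.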


----
 +
===== Darknet .Onion & I2P Live Search =====

**What can you discover on .onion websites in the darknet?**

Onion websites are websites that are hosted on the Tor network, a network that is designed to provide anonymity and privacy for its users. These websites are not accessible through regular web browsers and can only be accessed using the Tor Browser or another tool that is capable of connecting to the Tor network.

On .onion websites, you can find a wide range of illegal and illicit goods and services, including:

  * Stolen credit card and personal information
  * Illegal drugs and weapons
  * Hacking tools and services
  * Counterfeit goods
  * Fraudulent services such as phishing and scams
  * Child pornography
  * Ransomware-as-a-service

Additionally, some .onion websites may also host forums or chat rooms where cybercriminals can share information and exchange tips on hacking, malware, and other illegal activities.

**How reliable is a darknet search on onion websites and how much data can you actually find?**

Searching the darknet, specifically the Tor network, can be challenging, and the reliability of the information found on .onion websites varies greatly. Because the darknet is not indexed by traditional search engines, finding specific information or sites can be difficult without knowing the exact web address or a specific link to follow.

Additionally, many .onion websites are scams, or set up by law enforcement to catch criminals, so it's important to be cautious when interacting with these sites. Even if you find a site that appears to be legitimate, the information or goods being offered may not be what they seem.

As for the amount of data you can find, it depends on what you are looking for. Some .onion websites may have a lot of information available, while others may be more limited. Additionally, as with any underground marketplace, the availability of certain goods or services changes over time.

**How to use Live Search in Kaduu?**

On the Kaduu dashboard live search page you can search multiple (10+) darknet and clearnet search engines in live mode. Words you enter in the query field are forwarded directly to multiple external search engines, so we suggest using only simple phrases: a company, person or domain name.

Set the "Validate Results" option in order to verify each found result and check whether it contains the exact search phrase. This option is useful only when searching 1-word queries; otherwise search results may be inaccurate.

It may take up to a few minutes to get all results, as we request multiple external resources over proxy servers and the TOR and I2P networks, which may be very slow.

**Where do we search?**

We use a number of proxies and darknet search engines to search for the term. The respective search engine is displayed after entering the search term.

**What does it mean if my company or keyword shows up in the search?**

The fact that your organization is mentioned on a darknet site does not necessarily mean that you are at risk. Some legitimate news sites and websites are mirrored on the darknet. However, the mention of your organization may indicate the preparation of an attack or even a successful attack. We therefore ask you to investigate the results and, if necessary, take the necessary steps.

**More information**

Please click [[live_search|here]] for more information on the search syntax.


----
 +
===== E-Mail Monitoring =====

**Introduction**

A phishing attack against your employees is usually preceded by a short phase of reconnaissance of the targets. In targeted spear phishing attacks, fraudsters often take data from employees’ social media profiles. There are also email lists offered in hacker forums, and lastly, there are a number of hacking tools that search the Internet and Dark Web for information on the targets.

Higher-ranking CEOs & C-suite executives are usually more exposed to the public (their profile can often be found on the organization’s website), making them easier targets. For all other departments and employee types, it is difficult to assess the steps an attacker has to take to gather the information they need to reach their target. Only if you venture to perform the same information gathering as the hacker can you assess the risk of your employees being exposed to phishing attacks. The greater an employee’s exposure on the Internet or Dark Web, the higher the likelihood of them becoming a victim of a social engineering attack like phishing. Employees who register with their names and business email accounts on private websites put the whole organization at risk, as this gives the hacker a bigger attack surface.

**What is monitored?**

In Kaduu, we measure each employee’s exposure on the Internet and note where indications of activities related to the specific email account can be found. We try to find the employee’s email address on the Internet, Deep Web or Dark Net and list the corresponding email references from the websites where we found the account. We then investigate how often the email is referenced in different unique sources. The more sources, the bigger the exposure.

**What is the benefit?**

Everything that helps you reduce your attack surface can also limit future breaches. If you find an employee’s business email account on private websites, you will be able to create targeted user awareness training that helps them understand the consequences of such an exposure.

**How does it work?**

We have two types of searches:

  * (1) Database search: Kaduu runs a crawler in the background collecting any email address it finds. This crawler is not looking for any specific email domain, but collects everything. Therefore the data set might be very limited for a specific account.
  * (2) External search: The external search connects to an external authenticated API that queries specifically the domain you entered. You will find more results using the external search.

In both cases you need to enter the company domain with the syntax "domain.com". Please use the TLD used for your email accounts.

----
 +
 +
===== Discord Monitoring =====

Discord is a popular communication platform designed for online communities and gamers. It offers a variety of features including text, voice and video chat, file sharing, and gaming integrations. Discord is available as a browser-based web app, as a desktop app for Windows, MacOS and Linux, and as mobile apps for iOS and Android. The platform allows users to create and join virtual servers (also called "Discord servers") to connect with others based on common interests.

**How is Discord used by hackers?**

Discord can be used by hackers in various ways, including:

  * Sharing hacking tools and tutorials: Discord servers can be used as platforms to share hacking tools and tutorials with other individuals.
  * Coordinating attacks: Hackers can use Discord channels to coordinate and execute attacks on websites, networks, or other targets.
  * Phishing and scamming: Hackers may use Discord to phish personal information or scam users through fake giveaways or other deceitful means.
  * Spreading malware: Hackers can spread malware through links or files shared on Discord servers, infecting other users' devices.

**How many channels exist?**

It's not possible to determine the exact number of Discord channels that exist, as the platform allows an unlimited number of servers and channels to be created. The number of Discord channels continues to grow as new servers are created and existing servers add new channels. Discord has over 150 million monthly active users, so there are likely a large number of channels across all the servers on the platform.

**What channels do we monitor?**

  * "Blackhats underground": https://discord.gg/k8Jxuu66gX - dumps
  * "PirateShips CCs Shop": https://discord.gg/kVv58B63g2 - credit cards
  * "DarkSec": https://discord.com/invite/wTQa64JhJY - hacking group
  * "A9 Market": https://discord.gg/a9market - credit cards
  * "Rent 8 hacker": https://discord.gg/cUTadTRNh9 - rent a hacker
  * "sPlug": https://discord.gg/pzYzqcJtzz - PII data
  * "DarkCat.exe": https://discord.gg/2aW8KBEKxt
  * "Anonymity": https://discord.gg/2trMf94kPB
  * "Evil Empire": https://discord.gg/QVQA4duZ9M - phishing, stealer logs
  * "Alka Tim": https://discord.gg/PrnUNDgRAN - Turkish hacking team
  * "Dark Matter Market": https://discord.gg/VTWxZhDEvG
  * "Trisoft vlan": https://discord.gg/ErDj63yY - malware talks
  * "Anon Cyber Team": https://discord.gg/jac3w4sGXq
  * "Netcat hacking": https://discord.gg/2rU7t5bEY5
  * "Backward Development": https://discord.gg/8gRcfgvtVK
  * "Oversec": https://discord.gg/cwxvPWtdsj - another Turkish hacking group
  * "Christian Hacking club": https://discord.gg/qJyzCTEAkC - mostly news from the cybersec world
  * and many more


----
 +
===== Passive Vulnerability Detection =====

In Kaduu we use a passive vulnerability detection approach. Passive vulnerability detection and active vulnerability detection are two methods used to identify security vulnerabilities in a network or system.

  * Passive vulnerability detection is a method of identifying vulnerabilities without actively interacting with the system or network being tested. This is typically done by analyzing system logs, network traffic, or other passively generated data. In the case of Kaduu, we query databases in the deep web that may contain data on the target. The advantage of passive vulnerability detection is that it doesn't disrupt the normal operation of the system and can be done without the target's knowledge. However, passive detection may miss some vulnerabilities that can only be detected through active interaction with the system.
  * Active vulnerability detection, on the other hand, involves actively interacting with the system or network being tested to identify vulnerabilities. This typically involves running scans, probes, or penetration tests to identify potential security weaknesses. The advantage of active vulnerability detection is that it can provide a more comprehensive view of the system's vulnerabilities and can help confirm the findings from passive detection. However, active vulnerability detection can be disruptive to the system's normal operation and may require prior permission from the target.

**How to use this feature?**

For the infrastructure search we need the domain (example.com and not www.example.com) as input. You can't search for IPs or other elements, because based on the domain we first find out, via databases, which subdomains belong to the main domain. We get data from Dnsdumpster and Shodan, but also from certificate transparency logs. We thus recreate the infrastructure as a hacker would see it, without performing active scans. For all elements found, we then search the deep web again to see if any information about open ports or vulnerabilities can be found. Again, no scans take place.

**How do we present the data?**

For every host we find we do a reverse DNS lookup and query databases like Shodan in order to find information about open ports, used applications or vulnerabilities (CVE).
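The two passive steps above (subdomains from certificate transparency, then a port and CVE lookup per host), as an added example that is not Kaduu's code. Both data sources are constructed inline: CT rows in the shape crt.sh returns, and a small dictionary standing in for what a passive database such as Shodan would hold. The domain, IPs, ports and the ''CVE-0000-PLACEHOLDER'' identifiers are placeholders; nothing is sent to the target.

```python
"""Rebuild an organization's external footprint from passive sources only.

Added example, not Kaduu's code. Step 1 collects host names for a domain
from certificate-transparency entries (crt.sh-style rows, constructed
here). Step 2 joins each host with records in the style a passive
port/CVE database such as Shodan would return (also constructed; the
ports and CVE identifiers below are placeholders for this example). No
packet is sent to the target; everything is a lookup in data that
already exists.
"""
import json

DOMAIN = "example.com"  # placeholder target domain

# Constructed CT rows: SANs as a CT search for "%.example.com" might return them.
CT_ROWS = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "old-mail.example.com"},
    {"name_value": "example.com.evil-lookalike.net"},   # must not be attributed to us
])

# Constructed passive-database records keyed by host: open ports and CVE ids.
PASSIVE_DB = {
    "www.example.com": {"ip": "192.0.2.10", "ports": [80, 443], "cves": []},
    "vpn.example.com": {"ip": "192.0.2.20", "ports": [443], "cves": ["CVE-0000-PLACEHOLDER"]},
    "old-mail.example.com": {"ip": "192.0.2.30", "ports": [25, 110, 143, 443], "cves": ["CVE-0000-PLACEHOLDER"]},
}


def belongs_to(host: str, domain: str) -> bool:
    """Exact domain or a subdomain of it; rejects look-alike names."""
    return host == domain or host.endswith("." + domain)


def hosts_from_ct(ct_rows_json: str, domain: str) -> list:
    """Collect unique hosts from SANs, dropping wildcard labels and foreign names."""
    found = set()
    for row in json.loads(ct_rows_json):
        for san in row["name_value"].split("\n"):
            host = san.strip().lower().lstrip("*.")  # drop a leading wildcard label
            if belongs_to(host, domain):
                found.add(host)
    return sorted(found)


def enrich(hosts: list, passive_db: dict) -> list:
    """Join each host with passive port/CVE data; unknown hosts get an empty record."""
    report = []
    for host in hosts:
        rec = passive_db.get(host, {"ip": None, "ports": [], "cves": []})
        report.append({"host": host, "ip": rec["ip"], "ports": rec["ports"], "cves": rec["cves"]})
    return report


def hosts_with_cves(report: list) -> list:
    """The hosts a defender should look at first: anything with a known CVE."""
    return [r["host"] for r in report if r["cves"]]


if __name__ == "__main__":
    footprint = enrich(hosts_from_ct(CT_ROWS, DOMAIN), PASSIVE_DB)
    for r in footprint:
        print(f"{r['host']:<25} ip={r['ip']}  ports={r['ports']}  cves={r['cves']}")
    print("review first:", hosts_with_cves(footprint))
```

Hosts that appear in CT but have no passive record (''dev.example.com'' here) are still listed: a certificate was issued for them, so they are part of the footprint even when no port data is on file, and they are often the forgotten systems worth a closer look.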
  
  
functionality_overview.1674907675.txt.gz · Last modified: 2023/05/22 20:40 (external edit)