Cyber Security: Hacker Web and Shodan

MIS 510, Ali Hassan Alenizi, Farah J Jafar, Nikhar Shah, Yirong Zhu
Introduction / Background
• Hacker Web:
  o Database of hacking forums
  o Russian, Chinese, Arabic, English, Persian
  o Tracks the forums and the types of hacking their communities are interested in
• Shodan:
  o APIs for extracting data regarding cyber vulnerability
  o A huge amount of information on network devices can be accessed through Python methods
• Research:
  o Research questions formulated to extract data and analyze it, giving meaning to the data from the two databases
Research Questions
1. Do cultural differences trickle down to hacking, hacking topics, and hacking techniques? What are the cultural implications found through the research? What is the probability that an Arabic hackers' forum and an English hackers' forum will discuss the same topics?
2. Given the increasing threat of social media attacks, attackers such as the Syrian Electronic Army are increasingly using phishing and spamming attacks on different websites that are against the Syrian Government in the Syrian Civil War. My hypothesis question involves looking at the trend related to phishing attacks compared to other traditional types of security threats such as SQL injection.
3. The recent research posted on GitHub reflects the backdoor of routers on Port 32764. From this port, hackers would more likely be able to intrude because of the natural vulnerability on this port. So, from the global view, which countries or areas are facing this same issue? Which areas suffer the most or have more potential risks, and what does the distribution look like?
4. In this question, we dig deeper into the 3rd question. Which of the devices at these IP addresses are really accessible for attacking and able to be intruded into right now? What are the locations distributed out there, and how many devices for each country could be intruded through
Question 1: Excel - Vctool
Top 30 ranked threads for Vctool with weighted %.
Question 1: Excel - Arhack
Top 30 ranked threads for Arhack with weighted %.
Question 1: Probabilities
(% of views = the thread's views as a weighted share of the forum's total views)

VcTool threads in common
threadID | title                                                            | numOfView | numOfPosts | % of views
1170     | How to view Private Facebook Pics                                | 6723      | 22         | 5.68440277
10290    | Live Jasmin Credit Added, Account Maker, #Free Password List     | 3905      | 12         | 3.30173923
1141     | [Source] Rainerstoff Crypter 3.2b                                | 3367      | 17         | 2.84685172
10102    | [Get] Face Dominator (Cracked)                                   | 3280      | 10         | 2.77329185
107      | MSN Password Hacker (NEW 2009)                                   | 2382      | 26         | 2.01401865
11355    | Monster Crypter - Private Crypter , 0/37 + Full soruce - OUT !!! | 2271      | 13         | 1.9201664
1045     | MW2 Aimbot and ESP Source Code for Compiling                     | 2173      | 9          | 1.83730585
10353    | 7-13-12 Crypter                                                  | 2088      | 2          | 1.765437
tot in common: 22.1432135

Arhack threads in common (titles translated from Arabic)
threadID | title                                                                                                  | numOfView | numOfPosts | % of views
10016    | Today I will explain to you how to hack Facebook poker, from my own tutorial                           | 7020      | 30         | 2.94316176
10286    | Program to crack ***** passwords, with explanation                                                     | 4663      | 72         | 1.95498053
10591    | Lesson one: introduction to the world of encryption                                                    | 4453      | 0          | 1.86693723
1125     | More than 300 Google hacking codes                                                                     | 4199      | 6          | 1.76044676
11409    | [Reverse engineering course] Cracking programs and making serials for them, making program cracks (enter) | 3886   | 59         | 1.62922031
1121     | Lesson one: an overview of email hacking                                                               | 9145      | 208        | 3.83407611
1148     | Lesson three of the email hacking course                                                               | 7725      | 89         | 3.2387357
tot in common: 17.2275584

Probability of both occurring: 3.81473503
Question 1: Analysis
• Arhack:
  o Focus on social hacking with few organizational hacking threads
  o Emails, social networks, SQL injections, password hacking, etc.
• Vctool:
  o Focus on organizational hacking with few social hacking threads
  o DDoS, botnets/bots, crypting, software cracks, coding, etc.
• 3.8% chance that Arhack members and Vctool members will talk about the same hacking concepts. Most of these are crypting and social hacking.
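The overlap probability on the previous slides, carried through in code as an added example (this is not the project's own code). The thread view counts are the ones on the slides; the per-forum total view counts are not on the slides and are an assumption here, back-derived from the first row of each table (views divided by its stated % of views). The shares of the threads the two forums have in common are summed per forum, and the two sums are multiplied, which treats the forums' topic choices as independent, exactly as the slides do.

```python
"""Question 1 worked example (added; not from the slides): weighted view
shares of the threads in common and the product of the two sums."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thread:
    thread_id: int
    views: int
    posts: int


# Thread view counts copied from the Question 1 "Probabilities" slide.
VCTOOL_COMMON = [
    Thread(1170, 6723, 22), Thread(10290, 3905, 12), Thread(1141, 3367, 17),
    Thread(10102, 3280, 10), Thread(107, 2382, 26), Thread(11355, 2271, 13),
    Thread(1045, 2173, 9), Thread(10353, 2088, 2),
]
ARHACK_COMMON = [
    Thread(10016, 7020, 30), Thread(10286, 4663, 72), Thread(10591, 4453, 0),
    Thread(1125, 4199, 6), Thread(11409, 3886, 59), Thread(1121, 9145, 208),
    Thread(1148, 7725, 89),
]

# ASSUMPTION: the slides never state each forum's total view count. These
# totals are back-derived from the first row of each table (views divided
# by its stated % of views) and rounded to whole views.
VCTOOL_TOTAL_VIEWS = 118_271
ARHACK_TOTAL_VIEWS = 238_519


def view_shares(threads, total_views):
    """Return {thread_id: share in percent}: the '% of views' column."""
    if total_views <= 0:
        raise ValueError("total_views must be positive")
    return {t.thread_id: 100.0 * t.views / total_views for t in threads}


def common_share(threads, total_views):
    """Sum of the shares of the threads in common: 'tot in common', in percent."""
    return sum(view_shares(threads, total_views).values())


def joint_probability(share_a_pct, share_b_pct):
    """Probability (percent) that both forums discuss a shared topic, under
    the slides' independence assumption: P(A and B) = P(A) * P(B)."""
    return share_a_pct * share_b_pct / 100.0


def overlap_report():
    """Reproduce the three headline numbers of the slide."""
    vc = common_share(VCTOOL_COMMON, VCTOOL_TOTAL_VIEWS)
    ar = common_share(ARHACK_COMMON, ARHACK_TOTAL_VIEWS)
    return {"vctool_pct": vc, "arhack_pct": ar, "joint_pct": joint_probability(vc, ar)}


if __name__ == "__main__":
    r = overlap_report()
    print(f"VcTool share of views on common threads : {r['vctool_pct']:.4f} %")
    print(f"Arhack share of views on common threads : {r['arhack_pct']:.4f} %")
    print(f"Probability of both occurring           : {r['joint_pct']:.4f} %")
```

The independence assumption is the weak point of the method: if the two communities share members or copy each other's tutorials, the joint probability is higher than the product of the two shares, so the 3.8% figure is a lower bound rather than a measurement.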
Question 2: Extracted Dataset
Some of the data extracted using the MySQL query.
Question 2: Word Schema
Word schema used to find related thread topics.
Question 2: Mined Dataset
Some of the data mined from the extracted dataset.
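The extraction and mining step described on the Question 2 slides, as an added example that is not the project's own code: a word schema maps each topic (phishing, SQL injection) to the terms that mark a thread as related, each extracted thread row is tagged by the schema, and the tagged rows are aggregated per month into number of posts and views per post, which are the two series the later charts plot. The thread rows are constructed sample data shaped like the Hacker Web columns (title, date, numOfPosts, numOfView); they are not records from the real dataset, and the schema terms are illustrative.

```python
"""Question 2 worked example (added; not the project's code): tag thread
titles with a word schema and aggregate posts and views per post by month."""
from collections import defaultdict
from datetime import date
import re

# Word schema: topic -> terms whose presence marks a thread as related.
# ASSUMPTION: these terms are illustrative, not the schema used in the project.
WORD_SCHEMA = {
    "phishing": ["phish", "fake login", "spoof", "scam page"],
    "sql_injection": ["sql injection", "sqli", "union select", "blind sql"],
}

# CONSTRUCTED sample rows: (title, thread date, numOfPosts, numOfView)
SAMPLE_THREADS = [
    ("Best phishing kit for facebook?", date(2009, 10, 30), 12, 640),
    ("SQL injection tutorial part 1", date(2009, 10, 30), 20, 4200),
    ("Need help with blind sql attack", date(2009, 11, 29), 8, 1300),
    ("Phish page hosting question", date(2009, 11, 29), 5, 210),
    ("MSN password hacker 2009", date(2009, 12, 31), 26, 2382),  # matches no topic
    ("Spoof email template question", date(2012, 10, 29), 40, 3100),
    ("Mass phishing campaign results", date(2012, 11, 30), 55, 6900),
    ("SQLi on old cms still works", date(2012, 11, 30), 9, 700),
    ("Phishing vs spam what works better", date(2012, 12, 31), 61, 5400),
]


def topics_for(title):
    """Return the set of schema topics found in a title. A term matches at a
    word start, so the stem 'phish' also catches 'phishing'; stems must be
    specific enough not to fire on unrelated words (e.g. 'sqli' vs 'sqlite')."""
    text = title.lower()
    found = set()
    for topic, terms in WORD_SCHEMA.items():
        if any(re.search(r"\b" + re.escape(term), text) for term in terms):
            found.add(topic)
    return found


def monthly_trend(threads):
    """Aggregate per topic and year-month: thread count, total posts, total
    views and views per post. Returns {topic: {"YYYY-MM": {...}}}."""
    agg = defaultdict(lambda: defaultdict(lambda: {"threads": 0, "posts": 0, "views": 0}))
    for title, when, posts, views in threads:
        for topic in topics_for(title):
            bucket = agg[topic][when.strftime("%Y-%m")]
            bucket["threads"] += 1
            bucket["posts"] += posts
            bucket["views"] += views
    result = {}
    for topic, months in agg.items():
        result[topic] = {}
        for month, b in sorted(months.items()):
            vpp = b["views"] / b["posts"] if b["posts"] else 0.0  # avoid /0 on view-only threads
            result[topic][month] = {**b, "views_per_post": round(vpp, 2)}
    return result


def posts_per_year(trend, topic):
    """Collapse the monthly trend of one topic to posts per year, the
    comparison behind the 'increasing phishing threads' conclusion."""
    out = defaultdict(int)
    for month, b in trend.get(topic, {}).items():
        out[month[:4]] += b["posts"]
    return dict(out)


if __name__ == "__main__":
    trend = monthly_trend(SAMPLE_THREADS)
    for topic in WORD_SCHEMA:
        print(topic, posts_per_year(trend, topic))
        for month, b in trend.get(topic, {}).items():
            print(f"  {month}: posts={b['posts']:4d} views/post={b['views_per_post']:8.2f}")
```

Threads whose titles match no term (the MSN row above) drop out of both series, so the schema's recall sets a floor on every count; when the real schema is revised, the monthly numbers have to be regenerated rather than patched.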
Question 2: Analysis
[Chart: "Number of Views Per Post"; y-axis POST/VIEWS from 0 to 800; x-axis DATES: 31-12-2009, 29-11-2009, 30-10-2009, 31-12-2012, 30-11-2012, 29-10-2012; series: Number of Posts Phishing, Number of Posts SQL Injections]
[Chart: "Moving Trend Based On # of Posts"; y-axis POSTS from 0 to 100; x-axis DATE: 31-12-2009, 29-11-2009, 30-10-2009, 31-12-2012, 30-11-2012, 29-10-2012; series: Phishing Threads: Views Per Post, SQL Injection Threads: Views Per Post]
Final Analysis:
• Increasing phishing-related threads
• Increased discussion of phishing-related activities
• Arab Spring also changing hackers' ideologies
Question 3: Data Extraction
Question 3: Country Details
Question 3: 100 Vul_IPs
100 vulnerable IP addresses due to Port 32764 all over the world.
Question 3: Compared to What Shodan Map API Does
Shodan Map API analyzes Port 32764 based on thousands of IPs and charges $19! Distributions are similar!!! Prove accuracy of our analysis!
Question 4: Deeper Analysis
• 55 out of the 100 vulnerable IP addresses of Port 32764 could be truly attacked
• Within the 55 IP addresses, 31 devices are available for locating visual positions
Question 4: Core Code
1. Get the host record of each of the 100 vulnerable IP addresses
2. Test if port 80 is open to the public
3. Then get the host IP
4. At last, if able to locate, get the latitude and longitude
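The four steps above, run over host records as an added example that is not the project's own code, framed as an exposure inventory: of the addresses flagged on port 32764, which also expose a web interface on port 80, and which of those can be placed on a map and counted per country (the numbers behind the "55 of 100" and "31 of 55" slides). The records are constructed and use RFC 5737 documentation addresses; they only mimic the fields a Shodan host lookup returns (ip_str, ports, country_name, latitude, longitude). With the shodan Python library a real record comes from shodan.Shodan(API_KEY).host(ip); no network call is made here.

```python
"""Question 4 worked example (added; not the project's code): filter Shodan-style
host records by the backdoor port, check port 80 exposure, geolocate, count."""
from collections import Counter

BACKDOOR_PORT = 32764  # router backdoor port studied on the slides
WEB_PORT = 80          # the "open to the public" test used in step 2

# CONSTRUCTED records on RFC 5737 documentation addresses, shaped like the
# fields returned by a Shodan host lookup. Not real scan results.
SAMPLE_HOSTS = [
    {"ip_str": "192.0.2.10", "ports": [80, 32764], "country_name": "United States",
     "latitude": 37.75, "longitude": -97.82},
    {"ip_str": "192.0.2.11", "ports": [32764], "country_name": "United States",
     "latitude": 40.71, "longitude": -74.01},
    {"ip_str": "192.0.2.12", "ports": [80, 32764], "country_name": "China",
     "latitude": None, "longitude": None},          # no coordinates available
    {"ip_str": "192.0.2.13", "ports": [22, 80, 32764], "country_name": "Germany",
     "latitude": 51.30, "longitude": 9.49},
    {"ip_str": "192.0.2.14", "ports": [443, 32764], "country_name": "China",
     "latitude": 34.77, "longitude": 113.72},
    {"ip_str": "192.0.2.15", "ports": [80], "country_name": "France",
     "latitude": 48.86, "longitude": 2.35},         # no backdoor port: out of scope
]


def has_port(record, port):
    """Step 2/3: does the host record list this port as open?"""
    return port in record.get("ports", [])


def geolocation(record):
    """Step 4: (lat, lon) if the record carries coordinates, else None."""
    lat, lon = record.get("latitude"), record.get("longitude")
    if lat is None or lon is None:
        return None
    return (float(lat), float(lon))


def inventory(records):
    """Run the four steps over a batch of host records and summarise them."""
    flagged = [r for r in records if has_port(r, BACKDOOR_PORT)]       # step 1
    web_exposed = [r for r in flagged if has_port(r, WEB_PORT)]        # step 2
    points = [(r["ip_str"], r["country_name"], geolocation(r))         # steps 3-4
              for r in web_exposed if geolocation(r) is not None]
    return {
        "flagged": len(flagged),
        "web_exposed": len(web_exposed),
        "located": len(points),
        "by_country": dict(Counter(r["country_name"] for r in flagged)),
        "web_exposed_by_country": dict(Counter(r["country_name"] for r in web_exposed)),
        "points": points,
    }


if __name__ == "__main__":
    summary = inventory(SAMPLE_HOSTS)
    print(f"flagged on {BACKDOOR_PORT}: {summary['flagged']}, "
          f"also exposing {WEB_PORT}: {summary['web_exposed']}, "
          f"locatable: {summary['located']}")
    for country, n in sorted(summary["by_country"].items()):
        print(f"  {country}: {n} flagged, {summary['web_exposed_by_country'].get(country, 0)} web-exposed")
```

Records without coordinates (the second China host) are kept in the per-country counts but dropped from the map points, which is why the slides' "visually located" figure is smaller than the "could be intruded" figure. Port listings in a host record reflect Shodan's last crawl, not the device's current state, so a count like this is a point-in-time estimate.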
Question 4: 31 Target Devices
31 visual devices that could be targeted at in 100 vulnerable IP addresses.
Question 3 & 4: Summary
• Among all of the vulnerable IP addresses with Port 32764, about half could be intruded
• ⅓ of the host ports could be visually located on the map
• The top three areas exposed to the vulnerability are the United States, China, and European areas