(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for November 2015

isdratetp4donyfy.onion The Da’esh Darknet Propaganda Site: Down But Still Telling Tales


Screenshot from 2015-11-15 16:46:15

The Isdarat Onion and the MoD Address:

After posting my second piece on the da’esh propaganda site in the darknet (under the hood) it wasn’t long before the darknet site was down for the count. Interestingly though, before it went down some information could be gleaned as to perhaps its IP address as well as what it was running. I had already mentioned that it was running a WordPress frontend, but behind everything was a bit more interesting. When a whatweb was carried out on the URL it came back with an IP address that on the face of it was just another IP. However, when Googled, the IP had a nice little hit that shed some light on perhaps what may have been going on before I got there.

Whatweb -v

http://isdratetp4donyfy.onion/ [200]
http://isdratetp4donyfy.onion [200] Country[RESERVED][ZZ], HTTPServer[nginx/1.8.0], IP[], UncommonHeaders[link], nginx[1.8.0], x-pingback[http://isdratetp4donyfy.onion/ar/xmlrpc.php]
URL    : http://isdratetp4donyfy.onion
Status : 200
Country ——————————————————————–
Description: Shows the country the IPv4 address belongs to. This uses
the GeoIP IP2Country database from Instructions on updating the
database are in the plugin comments.
String     : RESERVED
Module     : ZZ

HTTPServer —————————————————————–
Description: HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String     : nginx/1.8.0 (from server string)

IP ————————————————————————-
Description: IP address of the target, if available.
String     :

UncommonHeaders ————————————————————
Description: Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at
String     : link (from headers)

nginx ———————————————————————-
Description: Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server. – Homepage:
Version    : 1.8.0

x-pingback —————————————————————–
Description: A pingback is one of three types of linkbacks, methods for
Web authors to request notification when somebody links to
one of their documents. This enables authors to keep track
of who is linking to, or referring to their articles. Some
weblog software, such as Movable Type, Serendipity,
WordPress and Telligent Community, support automatic
String     : http://isdratetp4donyfy.onion/ar/xmlrpc.php

Once you Googled the IP address alone you got some usual stuff, but one thing stood out: an index of logs for that IP and another. What was this? Well, it was a site holding the logs for a keylogger by DarkZhyk, a Russian keylogger RAT. So, it seems that this IP address as of February 28th 2015 had a RAT/keylogger on the box that had the IP at the time. Now, the question is: was this IP a static box that held the onion, or was this somehow the box that the webserver sat on? I really would have to do some more digging, but let’s just leave that for now because it is the second address that is the interesting bit. It seems that one belongs to the Ministry of Defence in the U.K.

Screenshot from 2015-11-24 14:42:06

Screenshot from 2015-11-24 14:42:58

Screenshot from 2015-11-24 14:44:25

That’s right kids, in February of this year that IP address cited from that whatweb was logged into by the MoD. Quite the interesting tidbit huh? I did not poke around the MoD at all but I have told some peeps to keep their eyes open and maybe wink wink nudge nudge some folks about this. Could this be a sign that the site was already compromised? The box itself compromised? That the MoD knew about this box and already had been inside it? One wonders. I do know though that the clearnet RSS feed was a Windows box as well and in all it took no time whatsoever for the kiddies to take this site down. It’s pretty much as I intoned in the last piece that this site was pretty poorly secured.

So let the games begin!

But wait, there’s more!

Screenshot from 2015-11-25 13_54_33

In the interim as the site was down I decided to do all the OSINT work on the players involved. See, unlike Anonymous or goatsec I actually do research on targets before I do any kind of reporting. In looking at these guys it became clear that not only were their sites all over the place but also that they are in fact Indonesian in origin. It seems that these guys spend quite a bit of time buying domains anonymously to RSS feed this shit to the world under the “Isdarat” moniker. Isdarat by the way is “to spread” in Arabic, so basically to spread the word so to speak. While Anonymous has been trying to swat all these sites down they have just gone back to backup sites as usual with no real effect on their ability to stream videos and push the propaganda levers for da’esh.

Screenshot from 2015-11-29 12_30_43

Isdarat Admin: —————–>

Screenshot from 2015-11-29 12_33_40

Screenshot from 2015-11-29 12_31_58

Screenshot from 2015-11-29 12_31_21

Screenshot from 2015-11-29 12_27_28

Screenshot from 2015-11-29 11_56_07

Screenshot from 2015-11-29 11_21_42

Screenshot from 2015-11-29 11_19_14

Yep, these guys are all over the place. So far I have yet to get a lock on any real names. So far all the pseudonyms come back to either nonsense or in one case the name of a famous Indo jihadi who died back in 2009. The upshot here is that not too many people talk about the Malay or Indo areas where Jihad and da’esh are concerned. These players have been around for a long time and I used to see a lot of activity by them for AQ. Piradius, the hosting/internet company was the Mos Eisley of the internet back in the day and it may be time to circle back to that neck of the woods again and take a look around.

Oh well, I am sure the KDI/daulahislamiyyah guys will be back with main sites again to go along with all the other ones they have hidden around.

Anonymous/goatsec 0

daulahislamiyyah 1



Written by Krypt3ia

2015/11/29 at 21:42

Posted in Da'esh, DARKNET

Daesh Darknet: Under The Hood


Screenshot from 2015-11-15 16:46:15

After having mirrored the new “unofficial” official da’esh darknet site I have some more insight into who may have done this as well as where the data is coming from. First off, a mea culpa of sorts: this site claims to be the “unofficial” source for the darknet, but they are using feeds from official sources. So really I guess unless you really don’t understand da’esh you could say it is unofficial, but the reality is they will claim just about anything as a win and at their behest, so make of that what you will. In either case this site exists, it is using approved da’esh propaganda from Al-Hayat, and thus to me it’s still pretty official.

So back to the under the hood look at this new darknet propaganda tool…

Screenshot from 2015-11-17 08-50-02

Once I started looking at the site code the following became apparent:

  • It’s a WordPress site
  • It’s got a backend feed in the clear
  • It’s a re-hash of a site out on the clearnet called
  • It’s an amateur job at darknet security

Since this story hit all the news sites many people called into question whether or not this was a ‘real’ site because… Well I have no idea why people would call it into question really. Anyway, the fact of the matter is that this was put up by an acolyte of da’esh who at least has enough wherewithal to get a host in the darknet and forward a clearnet feed to it. The fact that they are using WordPress 4.3 is another interesting tidbit. Perhaps they are not the mental geniuses that some people (maybe the ones calling this site into question in the first place) might have been thinking. You see kids, these guys are not all mental geniuses ok? They make mistakes all the time and most of the time they are rookie stupid ones at that.
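The fingerprints called out in the whatweb output above (a versioned Server header, an X-Pingback header pointing at xmlrpc.php, a WordPress REST Link header) and the clearnet feed noted in the list here are exactly what an operator of a hidden service should be checking for. The following audit is an added example, not code from the post or a tool the author used; the HTTP response, the hostname exampleonion2345.onion and the IP 203.0.113.10 are all constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from any real host), modelled on what
# whatweb reported in the post: an nginx Server header with a version, an X-Pingback
# header pointing at xmlrpc.php, a WordPress REST "Link" header, and a feed fragment
# whose <guid> carries an absolute clearnet URL (203.0.113.10 is a documentation IP).
# exampleonion2345.onion is a made-up hostname.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.8.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Pingback: http://exampleonion2345.onion/ar/xmlrpc.php\r\n"
    'Link: <http://exampleonion2345.onion/wp-json/>; rel="https://api.w.org/"\r\n'
    "X-Powered-By: PHP/5.6.14\r\n"
    "\r\n"
    "<rss><channel><item>"
    '<guid isPermaLink="false">http://203.0.113.10/?p=42</guid>'
    "<link>http://exampleonion2345.onion/ar/post/</link>"
    "</item></channel></rss>"
)

# Matches the host part of any absolute http(s) URL.
ABS_URL = re.compile(r"https?://([^/\s\"'<>]+)")


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_hidden_service(raw: str) -> List[str]:
    """Return the leaks a hidden-service operator would want removed: software
    fingerprints in headers and absolute URLs that point at non-.onion hosts."""
    headers, body = parse_response(raw)
    findings: List[str] = []

    server = headers.get("server", "")
    if re.search(r"/\d", server):  # "nginx/1.8.0" discloses a version, "nginx" alone does not
        findings.append(f"server version disclosed: {server}")
    if "x-powered-by" in headers:
        findings.append(f"x-powered-by disclosed: {headers['x-powered-by']}")
    if "x-pingback" in headers:
        findings.append("x-pingback header reveals WordPress and an exposed xmlrpc.php")
    if "api.w.org" in headers.get("link", ""):
        findings.append("link header advertises the WordPress REST API")

    # The pingback URL and the body (page or RSS feed) are where clearnet origins show up;
    # an onion must never reference the clearnet box its content is mirrored from.
    seen = set()
    for host in ABS_URL.findall(headers.get("x-pingback", "") + " " + body):
        host = host.split("@")[-1].split(":")[0].lower()
        if not host.endswith(".onion") and host not in seen:
            seen.add(host)
            findings.append(f"absolute URL references non-.onion host: {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_hidden_service(SAMPLE_RESPONSE):
        print(finding)
```

In nginx, `server_tokens off;` removes the version from the Server header; the X-Pingback and REST Link headers are emitted by WordPress itself and have to be turned off in the application.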

That said, here is the data I pulled from the site:

<guid isPermaLink="false"></guid>

inetnum: –
netname:        US-CHOOPA-20150320
descr:          Choopa, LLC
country:        FR
org:            ORG-CL301-RIPE
admin-c:        CN3183-RIPE
tech-c:         CN3183-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MAINT-AS20473
mnt-routes:     MAINT-AS20473
mnt-domains:    MNT-CHOOPA
created:        2015-03-20T07:30:59Z
last-modified:  2015-03-30T17:31:46Z
source:         RIPE # Filtered

organisation:   ORG-CL301-RIPE
org-name:       Choopa, LLC
org-type:       LIR
address:        100 Matawan Rd. Suite 420
address:        NJ 07747
address:        Matawan
address:        UNITED STATES
phone:          +19738490500
fax-no:         +17325661268
mnt-ref:        MAINT-AS20473
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
created:        2015-03-19T08:30:22Z
last-modified:  2015-03-23T12:14:27Z
source:         RIPE # Filtered

person:         Choopa Network
address:        100 Matawan Rd. Suite 420 Matawan, NJ 07747
phone:          +1-973-849-0500
nic-hdl:        CN3183-RIPE
mnt-by:         MAINT-AS20473
created:        2015-03-11T16:38:19Z
last-modified:  2015-03-11T16:38:20Z
source:         RIPE # Filtered

As you can see the site in the clearnet is hosted out of Choopa LLC, which has its HQ in New Jersey. However, when you start to dig on this you also get information that the server actually resides in Amsterdam.

Screenshot from 2015-11-18 08:06:16

Screenshot from 2015-11-18 07:52:23

Either way, the system behind this data feed is in fact a Windows box and could be vulnerable to some attacks as you can see from this Nmap:

Nmap scan report for ( ———-> is a virtual hosting connected to choopa
Host is up (0.11s latency).
Not shown: 995 closed ports
22/tcp   open     ssh
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
1720/tcp filtered H.323/Q.931

All this data leads me to believe that the end user can be tracked down easily enough by authorities but I also think that without that, I can still track down who set this up without having to attack an onion site like the FBI. Besides, I don’t have a million dollars to give to a university to deanonymize anything. So let’s look at it from another angle. When you look at the onion site, if you look carefully, at the bottom right corner of the pages you see the following address: Let’s have a closer look at that and see what we find shall we?


EsdaratReturn is a re-spelling of “Isdarat”, which was a site put together by da’eshbags in the past to be the alternative to YouTube as you can see below. This site is presently offline it seems and my guess is that this person(s) wanted to re-kindle that flame in the darknet because their site went boom boom. Isdarat started in May it seems and I am not fully up to speed on its history. That will be for my next blog post. I plan on continuing the backtrace to accounts on Twitter that mentioned not only Isdarat, but also Esdarat. Once I backtrack I believe I will be able to come up with the who and more of the why this site came to be in the darknet.

Screenshot from 2015-11-18 08:24:58

In the meantime though, I suspect that this post will cause a stir in the jimmies not only to the creator of the onion site but also all those keen watchers out there who wanna take things down like esdarat or isdarat or whatever shingle the daeshbags hang to serve their propaganda from. Since the rss box is in the clearnet and the content seems to be coming from Google, I expect to see a site in the darknet soon without any real content on it if you know what I mean… Have fun kids!

Make it so.


UPDATE: Seems the daeshbag onion has fallen down and gone boom already!

Screenshot from 2015-11-18 09:49:24

UPDATE 2 11/23/2015

Now both of the sites are down. The onion site and the backend RSS in the clearnet.

Fall down… Go boom.

Written by Krypt3ia

2015/11/18 at 13:57

Posted in Da'esh, DARKNET

The First Official Da’esh DARKNET Bulletin Board Has Arrived


Screenshot from 2015-11-15 16:46:15

The Al-Hayat media group (daesh) has posted a link and explanation on how to get to their new darknet site today on the Shamikh forum (jihadi bulletin board in the clearnet) and linked it to Twitter as well to search for how to’s and links.

 In the name of God, the Most Gracious, the Most Merciful. Given the severe restrictions on the #Isdarat_al-Khilafah site, whereby any new domain is deleted after it is published, we announce the launch of the site on the “Dark web”. It will work for Tor users and for ordinary users. Link for Tor users: XXXXXXXXXX. Link for ordinary users: XXXXXXX. We promise you that we are continuing to try to obtain a new ordinary domain, and we will publish it, God willing, once we obtain it, alongside the Tor domain. {And to God belongs honour, and to His Messenger, and to the believers}

I have redacted the site from the post but the right people are in the know now as to the location. The site mirrors many of the other standard bulletin boards that the jihadis have had over the years, replete with videos and sections in all languages. Given that this site has popped up today in the darknet just post the attacks in Paris, one has to assume that an all out media blitz is spinning up by Al-Hayat to capitalize on the situation.

Screenshot from 2015-11-15 17:44:23

As you can see from the picture here they have also included their (semi) new encrypted chat/messaging program of choice (Telegram) which they used in their claim on the Paris attacks. There are several accounts as well as other new ones I have seen popping up on jihadi Twitter accounts as well as Facebook. The rub in this Telegram service is that it is run by ex-pat Russians.

(correction: The Russian government has no control it seems over the owners and the physical location of the company is Germany. Also within the time since the original post here they have started to drop accts that daesh were using for propaganda)

Oddly enough today POTUS met with Vladimir Putin for about thirty minutes to have a serious discussion about Syria and the Paris attacks. I would like to see Putin and the FSB do a little work on the Telegram company to get some intel but yeah, then it strays into that whole privacy thing that we are all upset about. It’s a hard game to play and unfortunately with da’esh using this it will be hard to break.

Another problematic thing about da’esh now having a real site in the darknet is that all the videos and files that they want to upload and have users access will also be in some backend on the darknet. This means that trying to intercept them or tamper with the supply chain is going to be that much harder. Of course given the recent turn of events with the exploit against the darknet by UM and the FBI this all may be moot enough if they employ their new attack against this site. I would expect that soon this site will be attacked anyway by various players and in the end may be exposed for backend IP addresses and raids thereafter.

The site is still being explored and mirrored so once I have more on it I will post.


Written by Krypt3ia

2015/11/15 at 23:56

Posted in Da'esh, DARKNET

Lights Out: A Modern Tragicomedy



I had heard that Ted Koppel was making the rounds on TV trying to pimp his book on the end of the world as we know it through cyber. Of course I instantly knew it would be utter trash, a tissue of assertions and half ass reporting relying on government and beltway bandit quotes that likely would enrage me. How little did I know about the true scope of fuckery and rage that would ensue from reading its breathlessly penned pages about our coming Armageddon. Once again we have a reporter who does not really do his homework and takes the word of people with interests over the realities of those who work in the industry at the scene of the crime.

From the first pages we are being told that the grid is vulnerable to attack. Not just physical attack, no, worse, more scary, the dreaded CYBER attack. Of course as you delve deeper in to the book you do not get any kind of technical interviews with white hat hackers or security experts other than those bottom feeders such as former NSA directors and Richard Clarke. All of these players who worked (past tense) in the government that failed to secure all the things and who now offer services as board members and pitch men. You see, no one interviewed in this book actually has hacked anything.

But trust us.. The grid will go down if attacked by the CYBER.

I will not bore you with recalling the rest of this awful book. Truly, do not buy it and certainly do not read it if you want to know anything about the potential for the power going out more permanently. Instead, I would like to give you a primer on how hard it would be to actually take the whole grid down. I would also like to show you just how hard it would be to take great sections of it out as well. Neither of these scenarios is easy and neither of them is something we will not recover from. All of the bullshit around the bugaboo that the grid could be taken out by Da’esh is fantasy for the most part and a tool to scare the public by halfwits looking for clicks or book sales.

Are there issues with the grid? Yes, there are. Could damage be done that could cause a lot of consternation and perhaps even deaths? Yes this could happen in pockets of our society. These things are true but a systemic outage across the whole of the country that would cause severe, unrecoverable damage to the grid as a whole is not probable. In fact, it may not even be possible and I plan on telling you here why. By going through the internet and seeking out data from experts, governmental files, and papers by doctoral candidates as well as those who own and operate the power systems I can give you the data you need to see what the truth of the matter is.

However, let me break this down into small consumable bullet points for you.

  • Even a nation state with capable hackers could not own every system effectively enough to take them all down simultaneously
  • Even if systems are hacked and malware like stuxnet implanted, it still takes a kinetic attack to damage many of the systems out there that transmit the power as well as generate it. Malware alone will not kill the grid.
  • Current activities in gridsec and grid technologies are making these scenarios even harder to implement due to the nature of the diaspora that is power generation and transmission
  • Certainly sections of the grid could be taken down and have in the past. All you need do is Google Squirrel+blackout and you will see how their kinetic attacks caused systemic failures that caused outages.
  • Frankly, an X-Flare has a higher probability of taking out the grid as a whole should one hit the US. This should be a real concern and the companies and government should be looking to shield against EMP but they aren’t.

So all the bleak punditry about how the grid could be taken down by hackers using Shodan is really just sensationalistic bunkum. Of course there have been a couple of interesting theories; one that made some news back in 2008 I believe was a paper by a student on a cascade effect that could black out the grid. This possible attack might be the only one that would work, but the control over the disparate systems involved to make it happen is almost impossible really. Another theory was one put forth by the government itself when they performed the AURORA experiment. This particularly relies on attacking nine points on the grid (power gen and transfer) that could be the genesis of a cascade attack.

Screenshot from 2015-11-06 14:27:18

It is the cascade attack that should trouble people, but this is not really explained by most of the purveyors of FUD like Koppel. The real scary point about the cascade effect though is that the attack, if successful, would take out the LPTs (large power transformers) and those by their nature are costly and take years to build. They are also on backorder so there is that too. If you take these out, and there are no replacements, then you are pretty much stuck in the 19th century in certain areas until you get one replaced. Now once again I will tell you that to take them all out at one time is damn near impossible unless you have an X-Flare that covers the whole grid with an EMP.

Screenshot from 2015-11-02 11:15:47

So where does that leave us? Well, that leaves us with scary scary ideas but little follow through on actual means to that end. Of course now the big scary scary is over the CYBER right? And when they say CYBER they really mean SCADA, ICS, and HMI technologies that monitor and control the big hardware that generates and transfers the power from the generation plant to you. Now consider that there were, as of 1996, 3,195 electric companies in the US that handle generation and transmission of power. That is a lot of targets to get into and control effectively, in tandem, to create a super grid blackout. All of this is going to be done by attacking their SCADA? Are there really that many of these things that are internet routable anyway? This means that the adversary would have to really hack the majority of them and have major footholds in all of them to reach the control systems, which may not even be connected to the networks that are reachable from outside.

Think this through people.

Screenshot from 2015-11-02 11:08:50

Screenshot from 2015-11-02 11:08:26

This is just not a real tenable plan to start with and then you have to consider just who would try to pull this off and why. If you take out the grid in the US sure you cause mayhem, but we have military bases all over the globe. We have ships and subs at sea. We have the capacity to bomb the shit out of anyone we think carried off such an attack. So really, unless you attempt this a la some scenario like “Red Dawn” with planes in the air and boots on the ground, you pretty much don’t win. Many of these scare pieces don’t go into the semantics of attack and counter attack, they only cry havoc about how we are CYBER doomed and the grid is a scary scary thing. It makes my ass tired even thinking about all these idiots out there talking to the likes of Richard “Dr. Cyberlove” Clarke and believing them.

Stop the madness.

In the end yes, sections of the grid could go down and yes, they could be down for a while because of the nature of the hardware and its replacement. It would be inconvenient but it would not be the end of the world. It also would likely be more the action of squirrels or tree limbs rather than a clandestine hacker attack on our SCADA systems. So everyone needs to just calm the fuck down and breathe. What you really should worry about is some form of EMP that melts everything and puts the whole of the country down, and really once again, that is the only scenario I buy into on this matter. If we have another Carrington Event, we are well and truly fucked.

Anyway, don’t give Koppel any money…



UPDATE: I left a review of this book on Amazon and the one response back was this:

Screenshot from 2015-11-09 11:07:53

I guess I am no Dick Clarke so meh, nevermind.

Written by Krypt3ia

2015/11/06 at 19:51



Written by Krypt3ia

2015/11/03 at 11:41