Here are the rules:
Setting up irssi to connect via tor:
$ tmux $ doas pkg_add tor torsocks irssi $ doas rcctl enable tor $ doas rcctl start $ torsocks irssi /set real_name <realname> /set user_name <username> /set nick <nick> /set ctcp_userinfo_reply mIRC 7.61 /set ctcp_version_reply mIRC 7.61 /set autolog on /save
You can use something besides mIRC 7.61 for the ctcp reply. Just pick something realistic looking besides irssi.
In order to infiltrate a criminal network, you will need to do some research. Figure out what they are interested in (ddos attacks, phishing, credit card fraud, spamming). Try to understand what language they speak, what they are passionate about, and see if you can strike up a conversation with them. This helps build trust so they will be willing to share more information.
Use a little creativity. Don't commit any illegal crime, don't suggest they commit any crimes. However, feel free to chat with them, ask them how they are doing, what hobbies they enjoy etc. Try to ask them for information to learn more about them, but…be subtle, be subtle! I recommend you avoid lying. However, you are welcome to change your persona. Use a new dialect. If you normally chat using formal English, use lots of slang. Talk like someone their age. Spell things wrong on purpose if it helps you fit in. Go ahead and use bad grammar if it helps. Feel free to use Google translate for the conversation. Have fun!
First, make sure you have proof they have committed a real crime. If there is no evidence, then stop collecting logs. If there is proof, then collect as much data as you can. Make sure you have logging turned on. Figure out what networks they join, what software they use, what servers are their hubs. Data you want to collect:
Document everything.
Your biggest tool is your brain. Look for clues. For example, use /list to figure out what are the channels inside the network. Join some of them and see who is around. Are there any bots? What are their IP addresses? Who hosts them? Type /who #channel to list all the users within a channel. Type /names to see all the users in a channel. Type /whois username to get more info about a user. However, be careful, as some ircds may notify the admin when a user runs the /whois command. It helps to hang around in a channel for a few weeks.
For example, suppose you found the IP 70.39.99.207 is hosting an IRC command and control botnet for crime. You can run:
$ whois 70.39.99.207 Sharktech SHARKTECH-INC (NET-70-39-64-0-1) 70.39.64.0 - 70.39.127.255 Sharktech ST-DEN (NET-70-39-64-0-2) 70.39.64.0 - 70.39.127.255
This tells you that the server is hosted with Sharktech. So, you head over to Sharktech's website and go to their abuse page and contact them. Send them an email to support@ or abuse@sharktech.net, call their phone, chat with them on live chat, fill out a support ticket. Do whatever it takes to let them know that their customer is using the VPS for illegal purposes and needs to be shut down.
Suppose you realize that the domain merantau.org is being used for the illegal botnet:
$ whois merantau.org Domain Name: MERANTAU.ORG Registry Domain ID: D402200000005816262-LROR Registrar WHOIS Server: Registrar URL: http://www.planetdomain.com.au Updated Date: 2020-05-06T00:41:36Z Creation Date: 2018-04-15T05:08:12Z Registry Expiry Date: 2021-04-15T05:08:12Z Registrar Registration Expiration Date: Registrar: PlanetDomain Pty Ltd Registrar IANA ID: 240 Registrar Abuse Contact Email: feedback@netregistry.com.au Registrar Abuse Contact Phone: +61.299340501 Reseller: Domain Status: ok https://icann.org/epp#ok Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod Registrant Organization: sem Registrant State/Province: samarinda Registrant Country: ID Name Server: NS1.NETREGISTRY.NET Name Server: NS2.NETREGISTRY.NET DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/) >>> Last update of WHOIS database: 2020-05-07T13:23:58Z <<<
This tells us that the domain merantau.org was registered by sem with the registrar http://www.planetdomain.com.au, and that abuse should be reported to feedback@netregistry.com.au. So, go to that website, file an abuse report, send them an email, go on live chat with them, make a phone call – do whatever it takes to get their attention to take the server offline. In this particular case, I had to email the registrar 6 times, filed 6 tickets, made 3 phone calls, and went on live chat twice. It took me over two weeks. But finally the domain got suspended.
Suppose you see one of the criminals joining like this:
14:25 -!- jasad [jasad@gprs1.telecom.ronsor.pw] has joined #meRANTAU
Based on his vhost mask, you can tell that he's connecting from gprs1.telecom.ronsor.pw . Use a browser with Javascript turned off (perhaps using noscript or umatrix) and visit the site on your web browser. You find out that this is a free shell hosting provider. So contact that shell provider's email, phone, and IRC until he closes the account. Make sure you notify him of the ident (in this case jasad) and not just the nick. The ident is the word that comes right before the @ sign. If the shell provider doesn't respond, then you can do this:
$ dig gprs1.telecom.ronsor.pw ; <<>> DiG 9.4.2-P2 <<>> gprs1.telecom.ronsor.pw ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39025 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;gprs1.telecom.ronsor.pw. IN A ;; ANSWER SECTION: gprs1.telecom.ronsor.pw. 300 IN A 45.79.78.155 ;; Query time: 295 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu May 7 22:01:41 2020 ;; MSG SIZE rcvd: 57
This tells you that the IP address for the server is 45.79.78.155. So you then run:
$ whois 45.79.78.155 OrgName: Linode OrgId: LINOD Address: 249 Arch St City: Philadelphia StateProv: PA PostalCode: 19106 Country: US RegDate: 2008-04-24 Updated: 2019-06-28 Comment: http://www.linode.com Ref: https://rdap.arin.net/registry/entity/LINOD OrgNOCHandle: LNO21-ARIN OrgNOCName: Linode Network Operations OrgNOCPhone: +1-609-380-7304 OrgNOCEmail: support@linode.com OrgNOCRef: https://rdap.arin.net/registry/entity/LNO21-ARIN OrgAbuseHandle: LAS12-ARIN OrgAbuseName: Linode Abuse Support OrgAbusePhone: +1-609-380-7100 OrgAbuseEmail: abuse@linode.com OrgAbuseRef: https://rdap.arin.net/registry/entity/LAS12-ARIN OrgTechHandle: LNO21-ARIN OrgTechName: Linode Network Operations OrgTechPhone: +1-609-380-7304 OrgTechEmail: support@linode.com OrgTechRef: https://rdap.arin.net/registry/entity/LNO21-ARIN
This shell provider uses a Linode VPS. So, contact Linode's abuse and support email, phone number, and go to their IRC channel. I spent about two hours chatting over IRC and sent around 4 emails. Do what it takes to make sure Linode and the shell provider close the guilty accounts.
Sometimes you have an IP but you don't know who owns it. You can run this:
$ dig -x 45.79.78.155 ; <<>> DiG 9.4.2-P2 <<>> -x 45.79.78.155 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6039 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;155.78.79.45.in-addr.arpa. IN PTR ;; ANSWER SECTION: 155.78.79.45.in-addr.arpa. 86400 IN PTR gprs1.telecom.ronsor.pw. ;; Query time: 4943 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu May 7 22:05:55 2020 ;; MSG SIZE rcvd: 80
This tells you that the domain name is gprs1.telecom.ronsor.pw.
Once you get this basic information, use a search engine to gather more. Search their name, their network, their websites – look for any software they might have written, anything about them that might be useful. Their nicknames might show up on old logs, they might have malware associated. This research is very important for proving someone is guilty of a crime.
In your email, make sure to document the crime clearly and provide clear evidence. Use screenshots, videos, chat logs, whatever is most effective.
Make sure that any screenshots or videos you send do not contain any of your personal information! Double check for your own safety. If you want, you can first email to rahab@ircnow.org so our team can take a look.
When you start filing reports, make sure you go in this order:
There are reasons why we must follow this order. Many times, when you report abuse, the providers won't trust your logs and will want to verify the crime in person. If you take down the bots and irc servers before the admin can log in, he will be unable to see any evidence and he may think you are lying. Therefore, you want to preserve as much evidence as possible until the last moment.
The reason we take down domains first is because it causes the most disruption while still allowing you to connect to the ircd for further spying. Afterwards, we can cause netsplits by taking down the irc servers, and then take down his shell accounts / bouncers to cause confusion. We save bots and stolen servers for last because this is your evidence. Once you take these down, you will be unable to do anything else.