Project Greenwave: Difference between revisions

This raid received Media Coverage It may contain anti-semitics, racists, hackers, steroids, and Fox 11

• For breaking news, and to access details on the rest of the project, see Portal:Project Greenwave.
• To discuss the project use the talk page. More subpages can be found here

Voter fraud in Iran. Ahmadinejad is the purported winner who probably rigged the thing in the first place. The opposition candidate Mousavi has been placed under house arrest, political leaders in the Ahmadinejad's crew have called the election a sham, massive riots broke out in Tehran despite police brutality. Reports have been coming in through Twatter on what's been going on, and the Iranian government is working overtime to do something about it including cutting internet access to the whole country and v&ing rogue twatters.

Details[edit]

There are some seriously epic fucking lulz to be had here. I think we know a thing or two about internet security, no?

See http://888chan.org/iran/res/94674.html http://888chan.org/iran/

Raid[edit]

Primary Target: gerdab.ir hosting protestor images[edit]

Iran's government is putting pictures of targeted protestors on the web for the Basij to identify and harass, arrest, or worse. These individuals could be jailed, or worse, dead by tomorrow. This website needs to die.

Note that if gerdab.ir goes down, all other sites (shahabnews and others) which link to their images won't function properly either.

Slowloris[edit]

1. Load up SlowLoris on a Shell http://ha.ckers.org/slowloris/
2. Point your loris at 81.12.13.144 a.k.a. gerdab.ir (use -httpready and -timeout 500 for maximum effect)
3. SLOWLORIS IS SLOW and MAXICUTE
4. ????
5. PROFIT!

If you don't have linux, get the Backtrack LiveCD, faggots! It won't work under wintendo.
There is a windows version of Slowloris, but windows is limited to open 130 sockets. It has yet to be confirmed if it's really effective, so I guess I should not have even put it here lawl.

Here's another version of Slowloris: http://sourceforge.net/projects/pyloris/
Usage:

python pyloris-1.7.py -l -r POST -s 500000 -g "/fa/pages/?cid=407" www.gerdab.ir

If you want to prevent the server from noticing you're using pyloris, you can pretend to be using, say, uh, Chrome on Windows, by adding:

-u "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.31 Safari/530.5"

gerdab.ir is currently up and responding a bit slow - need moar loris! KEEP FIRING!
Do not try to bandwidth-DoS the gerdab.ir site, as it is physically in Iran and you might overload the country. Slowloris or a syn-flood on port 25 is an option.

For sites within Iran like gerdab.ir and shahabnews.com (links to protestor pics hosted on gerdab), use a tool like slowloris that consumes server threads, not bandwidth. For gerdab.ir, use -httpready and -timeout 500. For shahabnews.com, just -timeout 500.

Related threads with moar Slowloris/Pyloris targets and infos:
http://iran.whyweprotest.net/help-iran-online/2247-site-showing-pictures-protesters-11.html
http://iran.whyweprotest.net/help-iran-online/2310-task-force-i-ran-electronic-attack-guidelines-tools-links.html

Mail Aids[edit]

They appear to have taken down the form and are now requesting email to info@gerdab.ir. Drowning them in noise is still a good tactic.

• If nothing else, sign up for every sketchy sweepstakes, porn site and diet plan with that email, and trust the spammers to pass it around.
• Do not try to bandwidth-DoS the site, as it is physically in Iran and you might overload the country. A syn-flood on port 25 is an option.

PHP Script to automatically fill out forms to report immoral websites to gerdib.ir:

• http://trancy.net/iran/inf/pack.tgz (source - also includes some wordlists which other scripters might find useful)
• http://www.yergez.com/foto/2008/08/08/index.php (use this if you don't want to install the script)
• Use this Firefox Addon to hide your referrer: https://addons.mozilla.org/en-US/firefox/addon/1999

Ruby Script to spam/DOS gerdib.ir SMTP Server:

• http://anonymous.pastebay.com/24007 (source)
• http://github.com/sporkmonger/smtpwn/tree/master (better way of doing this)

NOTE: Don't bother WOT-ing the site. Iranians all fuck their camels anyway, so it's likely they don't give a shit about safe internets.

LOL MAILAIDS
Probably the best option for lazy fags is to use an automatic mailbomber.

• http://sidecode.net/?php=MailBomb such a mailbomber that wins eats cocks hard. -tested on mailinator and no mails were sent! Needs to be confirmed this is a working script!
  • The password is "pvpguise" witout the quotes.
  • The limmit is 200 sends at one time, so send 200 emails over9000 times. Also, change up the field information so that the spam filteres don't catch on.
• To further deceive the mail filters, use this random wordlist generator in order to fill out the body, sender, and subject fields with differing data: http://www.wordlistgenerator.net/

Site Information[edit]

Sensitive Info/Login Pages[edit]

http://english.khamenei.ir/index.php?option=com_login&Itemid=76 - Joomla - no obviously vulnerable modules on that site
https://mail.iran.ir/wm/src/login.php - Squirrelmail login?
http://english.iribnews.ir/NewsBody.aspx?ID=3246%27 - Error for possible SQL Injection
https://81.12.13.133:2381/cpqlogin.htm?RedirectUrl=/&RedirectQueryString= HP System Management Homepage v2.1.7.168
http://webmail.basij.ir/horde/imp/
http://81.12.13.151/mokhatab/ - interesting information
http://www.iribnews.ir/FRONT_vmk.ASP?Day='%20or%201=(SELECT%20TOP%201%20COLUMN_NAME%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME='front_ar_sp'%20%20and%20COLUMN_NAME%20NOT%20IN%20(%20'ID'%20,%20'Style'%20))-- someone from Iran gave this to me. apparently this request gets blocked by a firewall. maybe it would help to use Iranian proxies.
https://81.12.13.155/squirrelmail/contrib/decrypt_headers.php - Squirrelmail weird page
https://81.12.13.155/squirrelmail/src/login.php - Squirrelmail login
https://81.12.13.155:2233/ - DirectAdmin Login
http://91.99.97.162/ - Control Panel Login page on same server than obash.info (shows faces of protesters too and is hosted in Iran by parsonline)

• Websites which are hosted on the same IP as gerdab.ir: (hack that shit)

Iranxiran.com avizoon.com gerdab.ir gholi.com iranxiran.com www.avizoon.com www.firekos.com xpersia.com

• Nessus scan of gerdab.ir and related IPs:http://rs667.rapidshare.com/files/248005071/gerdab.html

(quite a few high severity problems found)

• moar scans of the Iranian cyberspace: http://drop.io/LongOwl
• Valid addresses on the same range as gerdab.ir. Prefereablly r00t, not ddos or anything. The Nessus scan for the ip range shows a metric fuckton of exploits for all these sites.

81.12.13.133
81.12.13.143
81.12.13.150
81.12.13.151
81.12.13.189
81.12.13.187 has BOF vuln. its already been raped. connect to it on port 4444. heres the exploit used. http://milw0rm.com/exploits/5248 nessus scan is good.. almost all are vuln for BOFs. they work. have fun.

• A deeper look at the Iranian firewall (interesting information, maybe useful for people who setup proxies) http://asert.arbornetworks.com/2009/06/a-deeper-look-at-the-iranian-firewall/
• Iranian Telecommunications Corporation internal documents, Jun 2009: http://secure.wikileaks.org/wiki/Iranian_Telecommunications_Corporation_internal_documents%2C_Jun_2009

Secondary Targets[edit]

• TARGET: http://www.information.is-the-coolest.com and http://www.r.ieves.com (59.167.214.254)

Someone is spamming those links on Twitter (http://twitter.com/rst325), pretending that it's anonymizers or breaking news. They're probably collecting IP's.
PHP script to spam twitter (use from commandline) : http://anonymous.pastebay.com/26292

• TARGET: http://khodkar.ir - Very laggy but still up, need more lasers on this one.

This gov-friendly news website is hosted in the Netherlands.

• TARGET: https://smsmonitoring.itrc.ac.ir

This is one of the SMS monitoring computers for the IRTC. Find a way to take it down. Reported as open ports on 22/ssh and 443/https. There is a generic SSL certificate being used. Its running RHEL 5 on kernal 2.6.x.

• TARGET: http://www.bultannews.com/pages/?cid=14164 got raepd.

A website located in Dallas, TX had pictures of supposed protesters/leaders and was asking for information leading to the arrests of said individuals. Since the website was not located within Iranian borders, a resulting DDoS attack did nothing to lessen the information escaping Iran.
May bultannews.com RIP.

• TARGET: http://shahabnews.com/vdccxoqs.2bq0o8laa2.html#iranelections

Another website which links to the images from gerdab.ir

• AHMADS FAILBOOK: http://www.facebook.com/pages/Mahmud-Ahmedinejad/8613283977?ref=nf

This fanclub is run by some Abbas A. Bhatti, likely this fag -> http://www.youtube.com/user/mukhtargi mukhtargi@hotmail.com

• TARGET: filter@dci.ir - that's the email where Iranians can complain about blocked websites

• If you're frustrated because you can't DOS gerdab.ir with one single Slowloris, you can DOS these websites for teh lulz:

http://www.president.ir
http://www.leader.ir
http://www.irib.ir (propaganda news)
http://www.mod.ir (Ministry Of Defence)

• This site: http://tom4235236.posterous.com/ lists the hosts of various and sundry pro-regime/propaganda news sites. theplanet.com hosts the majority of them.

theplanet.com easy-dox: Address: 315 Capitol, Suite 205 - Houston, TX 7702 Phone numbers: Abuse - 281-714-3560 NOC - 281-714-3555 Tech Support - 214-782-7800

Management team: CEO - Douglas J Irwin Direct work phone: (281) 714-3000

VP, Network Operations - Stan O. Barber

The rest of the management team is here, look them up if you want moar lulz: http://www.theplanet.com/management/ (lol their accountant worked for Arthur Anderson)

They all need to hear your opinion on their hosting of Iranian pro-regime websites, other measures may be taken too.

Break into Web Servers[edit]

• Sites like this are a cancer and blight of the internet: gerdab.ir

• It's advised and completely acceptable to break into these sites and post pictures of the Ayatollah fucking a pig, Mahmoud Amadinnerjacket being his queer self:[1][2].

• Post pictures of women in the act of triple or quadruple penetration if you don't feel like shopping those old pedophiles with barnyard animals.

• Shop faces of the Basijj onto protector faces or just replace the pictures with fakes.

http://www.gerdab.ir/fa/pages/?cid=407 (images hosted here)

Tools[edit]

• Dangerous Kitten (contains EFC): http://rapidshare.com/files/223465979/Britchan_Dangerous_Kitten.rar
• PROXY HOWTO: [3]
• Free Tampons: [4]
• Free Bibles:[5]
• Send Mormon Missionaries - HOLY FUCKING SHIT THEY'LL DO IT INTERNATIONAL. :[6]
• Free Condoms:[7]
• Slowloris - low-bandwidth, http-only DoS:[8]

To Do[edit]

• Digg up videos like that

http://digg.com/world_news/7_year_old_beaten_by_Basiji_in_Iran

• Somefag make a macro to Digg videos, make Iranian twitter accounts to distract censors

• SETUP AND DISTRIBUTE PROXIES TO IRANIAN CITIZENS. This is paramount. Make sure that the sandfags can get their crap to Facebook and Twitter.

• Hack Iranian Government websites ([9][10]) and replace all images with Muhammad Epic Fail Guy [11] and hardcore porn.

• Assert our Dominance on the internetz and over the inferior camel-fucker Iranian SysAdmins.

• DO THE WORKS ON IRANIAN EMBASSIES. Pizza, email bombs, white canes, the works, sign them up for IRL junk mail, black fax.

• Massive influx of trolling; Mailbombs, comment spamming on all Iranian Government sites, demanding total un-fuckage of Iranian internet.

• Accuse Ahmenijad of being a faggoty buttfukker. Shewp to prove.

• Get some DOX on Mahmoud Ahmadinejad's private life and exploit him like we did the Olsen twins

• Lulzy reaction from Iran's leadership including bitching and crying.

• Complete destabilization of Iranian government information systems.

• Reduce or destroy the reputability, validity and all over credibility of Iranian Gov't public records

• Make global news. Aim for Reuters.

• Have Epic Lulz—This is SRS BSNSS But no SRS BSNSS is to be had without Lulz.

• ???

• The Profit Muhammed. Profit.

• GOAL: Show Iranfags who really rules the tubes. We are Anonymous.

Victories[edit]

Butthurt mullahs: http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&u=http://74.125.155.132/search?q=cache:X_Nz4wnaHFkJ:www.gerdab.ir/fa/pages/%3Fcid%3D399+http://gerdab.ir/fa/pages/%3Fcid%3D399&cd=1&hl=en&ct=clnk&gl=us
Moar butthurt mullahs: tinyurl dot com/kteuct

Irib got hacked: http://img184.imagevenue.com/img.php?image=27109_iribhacked_123_1109lo.jpg

Blowback -> moar lazorz: http://tinyurl dot com /lzyubl

Butthurt gerdab.ir admins (translation):
After the publication of photos identifying a number of operators who seem the main causes of this movement, there was chaos on whirlpool site. They are afraid of this and hire a number of American and Canadian hackers to prevent publication of pictures with disturbance attacks to the web site and email to whirlpool.

Media Coverage[edit]

• http://cyberinsecure.com/iranian-opposition-launches-organized-cyber-attack-against-government-sites/
• http://www.businesspundit.com/anonymous-joins-fight-against-tyranny-in-iran
• http://www.nowpublic.com/culture/anonymous-iran-pirate-bay-and-anonymous-back-iran-activists
• http://www.reddit.com/r/reddit.com/comments/8upvk/help_reddit_this_website_takes_pictures_of/
• http://isc.sans.org/diary.html?storyid=6583 Iranian hacktivism
• http://isc.sans.org/diary.html?storyid=6622 Slowloris and Iranian DDoS attacks

Project Greenwave is part of a series on Projects.

Constructive: The Book of Anon • History • Le /i/nsurgency • Lulz: A Corruption of LOL (soundtrack) • The Well-Cultured Anonymous Destructive: Baylout • Savior • Skynet Software: Longcat Death Star • Meshnet • F/i/rekipz • L/i/nux • W/i/ndows