
TEAM

Editor-in-Chief: Joanna Kretowicz
Editors: Marta Sienicka, Marta Strzelec
Proofreader: Lee McKenzie
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz
Marketing Director: Joanna Kretowicz
DTP: Marta Sienicka
Cover Design: Hiep Nguyen Duc

Publisher: Hakin9 Media Sp. z o.o.
02-676 Warszawa
ul. Postępu 17D
Phone: 1 917 338 3631
www.hakin9.org

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers!

We would like to present you with something special today. This ebook is like nothing we published before, and we do hope that you enjoy its content. What’s it about? In short, it’s a penetration report written by our instructor Chrissa Constantine, where she presented her findings in great detail.

Enjoy the issue,

Hakin9 Team
Acknowledgements

I want to gratefully acknowledge the following people who supported me on this journey:

Thanks to Chandra Majumdar who first approached me to research this data and to ElevatedPrompt for providing me access to DET3CT.

Thanks to Aries Security, who hosted the Packet Capture Village.

Thanks to Hakin9 for publishing this ebook and for supporting this project.

Thanks to all of the others who provided support and encouragement for this project!

3
Chrissa Constantine
Chrissa is a web application pentester at Micro Focus
and has a Master of Science in Information Security,
CISSP and CE|H certifications. She held positions as a
consultant at Apple and for a Silicon Valley start-up as a
penetration tester. Chrissa enjoys hacking competitions,
meeting new people, and learning new things.
Space Y Dump: Penetration Testing Report By Chrissa Constantine

In September 2018, Chandra Majumdar, co-founder and CTO of ElevatedPrompt Cybersecurity Solutions, approached
me to investigate network traffic from DEF CON 26, which took place August 8–12, 2018. ElevatedPrompt, in
partnership with Aries Security, LLC, had captured and performed a preliminary analysis of close to one Terabyte of
data over three (3) days of Internet-bound traffic from the convention, and I was asked to examine the packets.

DEF CON is considered the world’s largest hacker convention and has a hostile wireless network. The attendees
include hackers, security professionals, journalists, students, various governments’ employees, and newcomers (a.k.a.
noobs). The event has various tracks of speakers along with challenges and competitions. The contests are varied and
include lockpicking, tamper challenges, robotics-related contests, scavenger hunts, and Capture the Flag (CTF).

I started my investigation by reviewing DEF CON 26’s network traffic. My biggest challenge was to not get
overwhelmed by such a vast quantity of data. There is no experience like seeing DEF CON traffic, where so many
participants are on one network.

The DEF CON 26 Transparency Report estimated the number of participants at 28,000+ people. According to Aries
Security, the Packet Hacking Village had over 10,000 participants during the four-day convention. Imagine how much
traffic is flowing over the network and you can get an idea of how daunting a task it is to review this quantity of data. 

Parsing the Data

To parse DEF CON data, I used a variety of tools, but the primary tool I used was DET3CT, a Kibana dashboard custom-built by ElevatedPrompt. DET3CT enabled me to get an overview of unfiltered data, including datatypes, software, IDS signatures, unique MAC addresses, IPs, or alerts, and by files downloaded or HTTP traffic. In short, I discovered so much traffic that I did not know where to begin. And with this much data, I began to wonder what the participants could possibly have endeavored to do during the convention.

I used DET3CT to search for areas of interest such as malware indicators, hits against government agencies, and data
dumps. One search revealed internal conference IP addresses that seemed to be targeting external hosts with unusual
domain names, such as 0hd4y53c[.]tk — a good starting point for this journey. 

In DET3CT, I initially filtered HTTP traffic (port 80), which was a goldmine of information. I examined user-agents and looked at keywords like login or admin, or anything that looked suspicious. This approach helped me discover what appeared to be an automated attack tool such as DirBuster being used against the following domain: 0hdaysec[.]cf.
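The triage described above (filter HTTP, look at user-agents, watch for paths like login or admin) can be turned into a small script. The following is an added example written for this edition, not code from the report or from DET3CT; it runs over a constructed pipe-delimited export of HTTP records (invented lines, not DEF CON data) and generalizes the author's keyword approach with a second heuristic, a burst of requests where most answers are 404, which is the usual footprint of a directory-guessing tool regardless of the user-agent it presents.

```python
import re
from collections import defaultdict

# Constructed sample export (timestamp|src_ip|dst_host|method|uri|status|user_agent).
# These lines are invented for this example; they are not records from the DEF CON capture.
SAMPLE_LOG = """\
2018-08-11T13:23:01|10.0.0.5|target.example|GET|/admin/|404|DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
2018-08-11T13:23:01|10.0.0.5|target.example|GET|/backup/|404|DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
2018-08-11T13:23:02|10.0.0.5|target.example|GET|/login/|404|DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
2018-08-11T13:23:02|10.0.0.5|target.example|GET|/dump/employees.xlsx|200|DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
2018-08-11T13:24:10|10.0.0.7|target.example|GET|/|200|curl/7.58.0
2018-08-11T13:25:00|10.0.0.9|news.example|GET|/article/1|200|Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
2018-08-11T13:25:30|10.0.0.9|news.example|GET|/login|200|Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
"""

# User-agent substrings of common scanning/fetching tools (detection signature, not exhaustive).
TOOL_UA = re.compile(r"dirbuster|gobuster|\bdirb\b|wfuzz|ffuf|nikto|sqlmap|curl/|python-requests", re.I)
# Paths worth a second look, following the keyword idea in the text.
INTERESTING_PATH = re.compile(r"login|admin|backup|dump|\.xlsx$", re.I)


def parse_line(line):
    """Split one pipe-delimited record into a dict; status becomes an int."""
    ts, src, host, method, uri, status, ua = line.split("|", 6)
    return {"ts": ts, "src": src, "host": host, "method": method,
            "uri": uri, "status": int(status), "ua": ua}


def triage(log_text, burst_threshold=3, not_found_ratio=0.5):
    """Group requests by (source IP, destination host) and flag pairs that look like
    automated directory guessing: a known tool User-Agent, or a burst of requests
    where at least not_found_ratio of the answers are 404."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                 "tool_ua": set(), "paths": set(), "hits": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        s = stats[(rec["src"], rec["host"])]
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        m = TOOL_UA.search(rec["ua"])
        if m:
            s["tool_ua"].add(m.group(0).lower().rstrip("/"))
        if INTERESTING_PATH.search(rec["uri"]):
            s["paths"].add(rec["uri"])
            if rec["status"] == 200:
                s["hits"].append(rec["uri"])  # a guess that actually found something

    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["tool_ua"]:
            reasons.append("tool user-agent: " + ", ".join(sorted(s["tool_ua"])))
        if s["requests"] >= burst_threshold and s["not_found"] / s["requests"] >= not_found_ratio:
            reasons.append(f"{s['not_found']}/{s['requests']} responses were 404")
        if reasons:
            findings[key] = {"reasons": reasons,
                             "interesting_paths": sorted(s["paths"]),
                             "successful_hits": s["hits"]}
    return findings


if __name__ == "__main__":
    for (src, host), f in triage(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {'; '.join(f['reasons'])}")
        if f["successful_hits"]:
            print("   successful hits:", ", ".join(f["successful_hits"]))
```

Note that a single visit to a /login page by an ordinary browser (the 10.0.0.9 lines) is not reported: interesting paths are recorded as context, but a pair is only flagged on a tool user-agent or on the 404 burst. The successful_hits list is the part an analyst cares about most, because it separates noisy guessing from a download that actually worked.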

There are two prominent issues at play when looking at the traffic. One is the challenge of watching a large quantity of live traffic and then methodically extracting meaning from so much data. The other issue is that at DEF CON many attendees are trying out tools and working on various non-malicious challenges, such as “Capture the Flag” (CTF). As such, network traffic for DEF CON is quite unlike the network traffic one would expect at a regular, non-hacking conference.

The key, therefore, was to figure out what traffic constituted the conference-initiated challenges and what constituted live attacks against outside hosts not affiliated with the conference.

My investigative research to find meaning in the data began when I saw an unusual domain, 0hdaysec[.]cf, in the HTTP traffic in DET3CT, where it looked like a small number of IP addresses from the 10 NET at the conference were using DirBuster on August 11, 2018, to attack what appeared to be an external host. Was this an attack or was it a CTF? My first thought was that the traffic was an attack, but the analysis would require much more digging to understand what was happening. Google and other search-engine searches did not match any documents for DEF CON 26 “spacey_dump” or other variants on this theme. It is important to note that I only used freely available resources and never attempted to scan or otherwise attack these hosts from the data dump to obtain other information.

I did not know much about the domain I had found in the DET3CT data, so I searched to discover more about .cf, which is the internet country code top-level domain (ccTLD) for the Central African Republic. As of December 28, 2018, the .cf domain was listed by SpamHaus as one of the “10 most abused top-level domains” (DomainGang, 2018) with a relatively high “badness index,” as shown in Figure 1.

Figure 1. Screenshot of .cf’s ranking among top-level domains being abused, according to SpamHaus (2018).

I started searching VirusTotal (VT) to find information for the host 0hdaysec[.]cf, which resolved to the IP 167.99.25[.]119 and had a nameserver (Figure 2). The preliminary search on VT showed a list of passive DNS entries and other entries like meetn[.]com. I had no idea what I was looking at from the initial review of DET3CT traffic and VT, so I used other tools and online services to try to find out more about these IP addresses and domain names.

Following are two VT links to one of the external targets of the 10 NET DEF CON IP addresses (Figure 2):

• https://www.virustotal.com/en/domain/0hdaysec.cf/information/

• https://www.virustotal.com/en/ip-address/167.99.25.119/information/

Figure 2. VirusTotal IP address details for the domain 0hdaysec[.]cf

My next step was to go to urlscan.io, a site that analyzes websites and resources and shows requests, details about protocol, server status, IP address, and location. Urlscan.io also shows the domains that interact with the scanned site and can detect various website technologies, along with various other useful information. It turns out that urlscan.io had information on the name server for 0hdaysec (Figure 3):

Figure 3. urlscan.io information about the nameserver


A scan on August 11, 2018 at 10:29 pm, showed additional details about the nameserver in the submission entry on the
live scan for 167.99.25[.]119. When I was reviewing the traffic from DEF CON, this site was already down, so having
the content on urlscan.io was helpful for my research.

Refer to the following links to review some scans for the host at 167.99.25[.]119:

• https://urlscan.io/result/842a9b56-15fd-4cf0-81fb-e37542868846/content/

• https://urlscan.io/result/6a4bbbd8-aeb8-40c1-9498-969d8deed0a3/

Additional links to scan data are found in the Appendix of this report.

Further research using urlscan.io found that whoever launched the scans was seeking something within the /SpaceY_Dump/ directory on the target site; they were seeking what appeared to be an Excel spreadsheet called “apps.xlsx” (Figure 4 and Figure 5). This information was useful because it helped me expand my searches for attempts against this host in DET3CT, specifically for .xlsx files. This did raise questions about how the internal 10 NET IP addresses knew to look for these Excel files named “apps” and “employees.xlsx.”

Figure 4. urlscan.io showing scan for an Excel spreadsheet.

Figure 5. Screenshot from urlscan.io of an attempt to access the /SpaceY_Dump/ directory.

I looked at all of the launched scans on urlscan.io and reviewed the screenshots, which were useful to try to
understand more about this host. With this in mind, I also decided to go to archive.org, a.k.a. the Wayback Machine,
for more details about the 0hdaysec[.]cf host. I did not go directly to the URL 0hdaysec[.]cf, because I had no idea
what was happening nor did I know why the IPs in question were attempting what appeared to be automated attacks
against both the IP address and domain name.

Searches on the Internet Archive (archive.org) did not provide much; however, the date August 11, 2018, showed
0hdaysec[.]cf had one snapshot. There is a summary on archive.org for the .cf site.


The summary shows a snapshot on August 11, 2018, at 19:41:10 GMT, which is a one-page view of a black page with
what appears to be green text at the bottom. The image was so hard to identify that I opened the developer tools in my
browser and selected the element to try to see if there was anything of relevance in the code. The snapshot from
August was my first look at the ASCII art of the skull (Figure 6).

Figure 6. The Internet Archive a.k.a. Wayback Machine capture of the site 0hdaysec[.]cf.

The title of the page indicated Microsoft IIS, but this is not a default Microsoft page. Searches of all of the text for this
skull led to a paste on Pastebin from November 15, 2018 (Figure 7). This ASCII art skull had German text at the
bottom that may translate (using Google Translate) to “Death to Reza, Freedom for Freimann,” which has no
relationship that I could find in the DEF CON dataset. There were only a few examples online of the same ASCII art
skull, and Epic Browser was able to take a copy of the entire ASCII skull for a search. (Google searches using Chrome
truncated the data.)


Figure 7. Epic Browser search on ASCII from .119 site.

Other searches in the Epic Browser found the skull on GitHub ASCII art collections. As well, it can be found in relation
to a SQLi exploit for Web Wiz Forum on Packet Storm.

However, unlike the other links of this ASCII art, the one of interest had the domain name explicitly created to go with
the image.

Figure 8 shows the skull ASCII art and a title for Microsoft IIS 6 Default Landing Page for 0hdaysec[.]cf, obtained by
researching the .cf domain at archive.org. Other 404 File Not Found, and 403 Forbidden pages were also fingerprinted
and showed up as Apache Ubuntu server pages. IIS 6 was on Windows Server 2003 and default server pages have no
relationship to this skull placed on the .cf host.


Figure 8. Page from 0hdaysec[.]cf on August 11, 2018.

After completing these searches, I went back to DET3CT to try to find the files that were being scanned on urlscan.io
and to try to find out more from the people who were trying to attack 0hdaysec[.]cf.

DET3CT showed a few conference 10 NET IP addresses scanning and fuzzing for directories and files named
SpaceY_Dump, so I queried for that term, which turned up alternate IPs and domains. Note that any query I ran had
to exclude data for the film actor Kevin Spacey, which turned up extraneous information in the searches, especially in
Google or other search engines.

Table 1 shows several IP addresses when searching packets for the directory SpaceY. All of the searches yielded some
interesting variants on the original .cf domain.

Table 1. List of IP Addresses When Searching All Traffic for SpaceY

IP Address          Descending Count
167.99.25[.]119     30
65.61.198[.]201     4
159.89.196[.]13     3
216.139.36[.]4      2

I used VirusTotal to look for files that may have come from the domain spacey[.]agency. Also, the PCAP files were examined using NetworkMiner to determine if anything came from the internal IP addresses trying to capture SpaceY data.

When the person(s) searching for this information were looking for Excel spreadsheets, they obtained one download from going directly to the IP address, not from the domain. Based on the packet data and in DET3CT, these individuals ran various automated tools to target the .tk domain and fuzzed file names to try to get spreadsheets.

Some of the internal 10 NET IPs were targeting .tk, which is the ccTLD for Tokelau, a territory of New Zealand, and happens to be displayed as the linked website on the tweet for the SpaceY data dump. Now, since .tk domains are free, they are attractive to anyone who wants to stand up web infrastructure for malicious behavior. Not surprisingly, then, according to an article in 2011, the .tk domain was “rated one of the worst in the world for sheltering a high percentage of criminal domains” (Pauli, 2011). If this is the case, it is possible that the linked website on @0hd4y53c’s profile is also malicious.

When looking at the data in DET3CT, all of the queries for uppercase-named files failed. Only one internal 10 NET IP
downloaded the file employees.xlsx (Figure 9). Although a few others did try simultaneously during one day, August
11, of the conference, they failed to obtain the “employees” file. It is also possible that these scans and download
attempts against the targets had stemmed from one or two people using multiple devices, such as a phone and a
laptop.

Figure 9. Screenshot showing successful download of SpaceY data.


I ran several queries in DET3CT to aggregate hosts and IPs. The query results from DET3CT are compiled in Tables 2
to 5, showing IP addresses and domains that a few internal 10 NET IPs searched during DEF CON. The DNS queries
included domain names with both the letter “O” and the numeral zero (0).

Table 2. Query in DET3CT for SpaceY

query: *SpaceY* NOT *kevin*                                          Count
spacey[.]agency                                                        148
0hdaysec[.]cf/spacey_dump                                                8
0hdaysec[.]cf/spacey_dump.owifi65.onsite.DEF CON.org                     8
http://ns1.0hdaysec[.]cf./spacey_dump                                    8
http://ns1.0hdaysec[.]cf./spacey_dump.owifi65.onsite.DEF CON.org         8
Ohdaysec[.]cf/spacey_dump                                                8
Ohdaysec[.]cf/spacey_dump.owifi65.onsite.DEF CON.org                     8
http://0hdaysec[.]cf/spacey_dump/employees.xlsx                          4

Table 3. Query in DET3CT for 0hday

query: *0hday*                                                       Count
0hdaysec[.]cf                                                          352
ns1.0hdaysec[.]cf                                                       84
0hdaysec[.]cf/spacey_dump                                                8
0hdaysec[.]cf/spacey_dump.owifi65.onsite.DEF CON.org                     8
http://ns1.0hdaysec[.]cf./spacey_dump                                    8
http://ns1.0hdaysec[.]cf./spacey_dump.owifi65.onsite.DEF CON.org         8
http://0hdaysec[.]cf/spacey_dump/employees.xlsx                          4

Table 4. Query in DET3CT for 0hd4y

query: *0hd4y*                                                       Count
0hd4y53c[.]tk                                                          264
www.0hd4y53c[.]com                                                     224
www.0hd4y53c[.]com.owifi65.onsite.DEF CON.org                          224
www.0hd4y53c[.]cf                                                       52
www.0hd4y53c[.]cf.owifi65.onsite.DEF CON.org                            48
0hd4y53c                                                                32
0hd4y53c[.]cf                                                           32
0hd4y53c[.]cf.owifi65.onsite.DEF CON.org                                32
0hd4y53c[.]owifi65.onsite.DEF CON.org                                   32
0hd4yz[.]com                                                            32
0hd4yz[.]com.owifi65.onsite.DEF CON.org                                 32
www.0hd4yz[.]com                                                        32
www.0hd4yz[.]com.owifi65.onsite.DEF CON.org                             32

Table 5. List of Domains From the SpaceY Query in DET3CT

host: *SpaceY* NOT *kevin*                                           Count
0hdaysec[.]cf                                                           26
0hd4y53c[.]tk                                                            2
167.99.25[.]119                                                          2
president[.]com                                                          2
website[.]com                                                            2
www.website[.]com                                                        2
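Tables 2 to 5 show the same host counted several times over: with and without a scheme or path, with a trailing dot, with the letter O in place of the digit 0, and with the conference resolver's search suffix appended to unqualified lookups. The script below is an added example, not part of the report or of DET3CT; it collapses such variants into one row per host so the per-target totals are visible at a glance. The rows are constructed to mirror the tables (counts are illustrative), and SEARCH_SUFFIX is a made-up stand-in for the search domain the tables show, not the real one.

```python
import re
from collections import defaultdict

# Constructed stand-in for the DHCP-supplied search domain the conference resolver
# appended to unqualified lookups; the real suffix is not reproduced here.
SEARCH_SUFFIX = ".owifi65.onsite.example.org"

# Constructed rows modelled on Tables 2 to 5: (name as it appeared in the query
# result, hit count). Counts are illustrative, not the report's figures.
ROWS = [
    ("0hdaysec[.]cf/spacey_dump", 8),
    ("0hdaysec[.]cf/spacey_dump" + SEARCH_SUFFIX, 8),
    ("http://ns1.0hdaysec[.]cf./spacey_dump", 8),
    ("Ohdaysec[.]cf/spacey_dump", 8),
    ("http://0hdaysec[.]cf/spacey_dump/employees.xlsx", 4),
    ("spacey[.]agency", 148),
    ("www.0hd4y53c[.]com", 224),
    ("www.0hd4y53c[.]com" + SEARCH_SUFFIX, 224),
    ("0hd4y53c[.]cf", 32),
]


def canonicalize(name):
    """Reduce one query string to a bare host name: undo defanging brackets, drop
    the scheme, the path, any trailing dot, the resolver search suffix and www."""
    host = name.strip().lower().replace("[.]", ".")
    host = re.sub(r"^https?://", "", host)
    host = host.split("/", 1)[0]
    host = host.rstrip(".")
    if host.endswith(SEARCH_SUFFIX):
        host = host[:-len(SEARCH_SUFFIX)]
    if host.startswith("www."):
        host = host[4:]
    return host


def skeleton(host):
    """Grouping key that treats the letter o and the digit 0 as the same symbol,
    so 0hdaysec.cf and Ohdaysec.cf land in one bucket (used only as a key)."""
    return host.replace("o", "0")


def aggregate(rows):
    """Sum counts per host skeleton; report each group under its most frequent
    spelling and list every spelling that was seen."""
    groups = defaultdict(lambda: {"total": 0, "variants": defaultdict(int)})
    for name, count in rows:
        host = canonicalize(name)
        g = groups[skeleton(host)]
        g["total"] += count
        g["variants"][host] += count
    result = {}
    for g in groups.values():
        display = max(g["variants"], key=g["variants"].get)
        result[display] = {"total": g["total"], "variants": sorted(g["variants"])}
    return result


if __name__ == "__main__":
    for host, info in sorted(aggregate(ROWS).items(), key=lambda kv: -kv[1]["total"]):
        print(f"{host:22} {info['total']:5}  variants: {', '.join(info['variants'])}")
```

The skeleton is deliberately only a grouping key: the displayed name is whichever spelling was seen most often, so a legitimate name such as president.com is never rewritten. ns1.0hdaysec.cf stays a separate row from the apex, which matches the tables; fold it in by keying on the registrable domain if that is the view you want.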

I alternated searching DET3CT for various domains and targets by the primary IP addresses on the 10 NET and using online searches. My goal was to find more archived information in hopes of seeing images from the site when it was live. When I attempted to look for online domains in February 2019, these sites were down. Searches were at urlscan.io and the Internet Archive; in Figure 10, the 0hd4y53c[.]tk domain shows default material from Digital Ocean taken from one capture at the Internet Archive.

Figure 10. 0hd4y53c[.]tk showing default Digital Ocean sammy.png with Animatrix quote.

The Internet Archive had four captures from October 14, 2018, for the 0hd4y53c[.]tk site, including a robots page and
a contact_us.php page. The site appeared to be live from August 11, 2018, through October 14, 2018, and then there
were no more captures. On August 11, 2018, the robots.txt file came up as a 404 File Not Found (Figure 11), but on
October 14, 2018, the file displayed (Figure 12).

Figure 11. Robots.txt for 0hd4y53c[.]tk gives 404 File Not Found.

Figure 12. Robots.txt for 0hd4y53c[.]tk gives 200 OK.


Twitter

Concurrently, I performed a general search on the internet for anything related to 0hdaysec or 0hd4y53c. During this general search, I discovered a Twitter user with the alias 0hd4y53c (Figure 13).

Figure 13. Epic Browser search on 0hd4y53c.

After a look at the Twitter account with the username 0hd4y53c (synonymous with the alias @0hd4y53c), the most
eye-opening item was the image for the SpaceY_Dump, which appeared to match what a couple of DEF CON internal
10 NET IPs were trying to target. The 0hd4y53c[.]tk domain in DET3CT and the Twitter link on the left of Figure 14
match.

Figure 14. Screenshot of 0hd4y53c’s Twitter profile.

The next phases included trying to figure out more about the data dump, the user who had posted to Twitter, and the
people who were at DEF CON searching for the data.


A screenshot (Figure 15) shows the directory /SpaceY_Dump/ and HTTP, which looks as if the site data was just over
port 80. All of the file names are obfuscated in the original, as are the domain names. The file names all appear to end
in .xlsx, namely an Excel spreadsheet extension.

Figure 15. Image from the August 4, 2018, tweet about the data dump.

In Twitter, the next step involved looking at the tweet that contained details about SpaceY_Dump to determine if there
were comments or anything notable. It turned out there were two likes and two comments for the SpaceY_Dump
tweet. One comment was from @m_sabraoui, who goes by Polojojo on Twitter, and the other from @Bl4ckTurb4n,
who goes by F.A (Figure 16). Further review of Twitter profiles showed a tweet from @m_sabraoui (Polojojo) about
attending DEF CON 26.


Figure 16. Screenshot displaying the replies to the original tweet by @0hd4y53c.

The user @0hd4y53c had an IP for location (1.3.3[.]7) in his Twitter profile. Polojojo’s (@m_sabraoui) August 11
comment was “Somebody inform the president.” Someone at DEF CON looked for president[.]com (which is likely
linked to the “inform the president” comment by @m_sabraoui) and for the 1.3.3[.]7 IP address as well. The IP
10.65.255.180 went to look at the website www.president[.]com several times, possibly in response to the tweet from
@m_sabraoui.

Some of the research I conducted was to understand the relationships between the original poster of the tweet
(@0hd4y53c) and the people who liked it. I used Maltego to map the relationships (Figure 18), which can be
summarized as follows:


• F.A tweeted in response to @0hd4y53c’s original data dump tweet and asked to be followed for a private DM.

• One follower was @b1902361, who is now no longer on Twitter. @b1902361 had followed the other users from
the original dump tweet.

• Before the account @b1902361 disappeared from Twitter, it had followed both F.A (@Bl4ckTurb4n) and
Polojojo (@m_sabraoui). Both F.A and Polojojo had liked the original dump tweet from @0hd4y53c and
commented.

Figure 17. A Maltego-generated map showing relationship between Twitter users associated with the original SpaceY_Dump tweet.


Figure 18. A Maltego-generated map of b1902361’s Twitter relationship to users relevant to 0hd4y53c’s dump tweet.

A review of @m_sabraoui’s (Polojojo) tweets in April 2019 showed gaps. Also, a user who liked the dump tweet was @konukoii (Pedro M. Sosa), and this user attended DEF CON 26 (Figure 20).


Figure 19. @konukoii, the user who liked the @0hd4y53c tweet about the SpaceY_Dump

In March 2019, a new user with a Russian user name on Twitter liked the tweet (Figure 20). I performed minor recon on the URL affiliated with the tweet, but it does not seem to relate to the original people who liked the tweet from @0hd4y53c. Refer to the VT link for details: https://www.virustotal.com/en/domain/www.20sexy.pw/information/

Figure 20. The new user following on the dump tweet.


Following online leads, I arrived at several other names for @0hd4y53c, such as ChaosxSilencer, Jimmy, and Bob Arctor (Figure 21). None of these aliases are the user’s real name, but these names are related or connected on social media accounts. I discovered that several online accounts are affiliated with the Twitter user @0hd4y53c, including GitHub (https://github.com/0hdaysec) (Figure 22) and Keybase.io accounts (Figure 23), both of which mention Bob Arctor and the slogan “The scanner sees only darkly.”

The “scanner . . . darkly” statement is a reference to a 1977 novel by Philip K. Dick titled A Scanner Darkly, which was
also portrayed as a film in 2006. The story is about an undercover cop who is addicted to drugs and is attempting to
track an addictive substance. The protagonist, Bob Arctor, when not undercover, is an agent who reports his findings
and reviews surveillance footage used to gather evidence on his friends and associates (Bell, 2006). This slogan in
0hd4ysec’s GitHub and Keybase.io accounts is a short quotation of a more extensive statement by the fictional
character Bob Arctor: “Because, he thought, if the scanner sees only darkly, the way I myself do, then we are cursed,
cursed again and like we have been continually, and we’ll wind up dead this way, knowing very little and getting that
little fragment wrong too” (Dick, 2015).

User 0hdaysec’s GitHub profile features the same profile image as on the Keybase.io account. Note, as well, the
similarities between Keybase and GitHub taglines. Also, intriguingly, the IP is the reverse of the one in the Twitter
account. On Twitter it shows as 1.3.3[.]7, and on these other two pages it’s reversed to 7.3.3[.]1.

Figure 21. Mutually connected names gathered from online searches, shown in Maltego.


Figure 22. GitHub account for 0hdaysec.

Figure 23. @0hd4y53c’s Twitter feed has a link to keybase.io (https://t.co/aExqSaCiyf) that validates the user as both 0hd4y53c and 0hdaysec.

As I looked further into Twitter user @0hd4y53c, I found that he had posted two prior tweets, one on July 22 and the
other on July 28, 2018 (Figure 24), communicating some level of personal concern and paranoia. The latter post
containing the statement “I feel scared”—which was posted six days after asking, “Do you ever get that feeling like
you’re being watched”—made me curious. Why did he state he was feeling scared? Did he get caught or almost get
caught doing something?


Figure 24. @0hd4y53c tweets prior to the SpaceY_Dump tweet.

Further, when we look at the GitHub profile for 0hdaysec (https://github.com/0hdaysec), the six tools and repositories displayed are from May and July 2018. There is PowerSploit (a pentesting tool), DARKSURGEON (Windows packer for incident response, forensics, and network defense), ARPPD (a script to protect against ARP attacks on Linux), nmap (network mapper), and dezalgonator. The last one, dezalgonator, has a test Python script containing a string “I don’t know how long they have been watching but I suspect my day is coming soon” (Figure 25). The script was committed by 0hdaysec on GitHub.

Figure 25. Dezalgonator string from Python script on July 23, 2018.

One post of note is when @0hd4y53c mentions seeding information. The implication could be that there are numerous fake accounts created by this user to throw others off his track. There are various tweets and retweets from @0hd4y53c about zero day exploits on his timeline, including one on June 24, where he posts a personal note regarding Microsoft exploits: “If you only knew…” He then tweeted the following month about setting up a fuzzing farm, which could potentially be used to attack various hosts. This is all followed by the mildly paranoid commentary about being watched.

To summarize the activity for @0hd4y53c, a timeline may be helpful:

• May 15, 2018: Verification on Keybase.io — tweet displays on the @0hd4y53c timeline

• May 21, 2018: Tweet — “…Seeding information is so hard”

• June 24, 2018: Tweet — Microsoft Office zero day: “If you only knew . . .”

• July 12, 2018: Tweet — “Just finished setting up my #FuzzingFarm . . .”

• July 22, 2018: Tweet — “. . . that feeling like you’re being watched”

• July 23, 2018: Created files on GitHub account

• July 28, 2018: Tweet — “. . . I feel scared . . .”

• August 4, 2018: Tweet — SpaceY Dump

• August 11, 2018: F.A replies to tweet from 0hd4y53c to follow and DM

• August 11, 2018: Polojojo tweet about informing the “president”

• August 11, 2018: DEF CON is in session, and much of the hacking activity in question went on during this time.

Let’s now return to the attempts that were made to retrieve the employees.xlsx file.

DEF CON IPs and the “Employees” File

Out of all of the DEF CON IPs that made attempts to get data, only 10.65.255.180 was able to obtain the
employees.xlsx file (Figure 27) by directly accessing the IP address 167.99.25[.]119, whose domain is 0hdaysec[.]cf.
Let’s look at some of what happened.

I obtained a copy of the downloaded employees.xlsx from a PCAP file named capture-08-11-18-07-18.pcap (the file name conveys date and time). The employees.xlsx spreadsheet had 468 entries and contained job titles, names, email addresses, phone numbers, locations, and employment status.


When I wanted to find copies of the files from the SpaceY dump in the DEF CON data, it was challenging because the
spreadsheet names from the Twitter user @0hd4y53c were obfuscated. It was only after finding urlscan.io data that I
could see what file names were searched for by conference participants.

The curious part of the searches in DEF CON data is how the three primary 10 NET IP addresses found the
employees.xlsx spreadsheet. Was it just good guesswork, or was one of the participants told a file name? Perhaps the
Twitter user F.A who requested a “follow for DM” from @0hd4y53c was at DEF CON and was told a file name. Or
perhaps the user who liked the SpaceY dump tweet and tweeted that he was going to DEF CON found the file. To be
clear, I do not know who took the file or who downloaded the file while at DEF CON.

Metadata analysis on the employees.xlsx showed that it was created on May 30, 2018, and modified on June 1 by
Heather Combs (Figure 26). Combs is listed in the spreadsheet as a senior software engineer, but why would a
software engineer have an employee spreadsheet containing details such as employment status?
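The creator and last-modified-by values the author read from the spreadsheet live in the docProps/core.xml part of the .xlsx package, which is an ordinary zip archive. The script below is an added example for this edition, not code from the report; it pulls those fields with only the Python standard library, and builds a minimal in-memory package with made-up author names and dates so it runs without the real file (the names and timestamps are constructed; they are not the spreadsheet's actual metadata).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Fields an analyst usually wants first, mapped to their element paths.
FIELDS = {
    "title": "dc:title",
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}


def read_core_properties(xlsx_bytes):
    """Return the core document properties of an .xlsx (or any OOXML package)
    as a dict; missing elements become "" and a package without the part
    yields {}. The archive is never extracted to disk."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {key: (root.findtext(path, namespaces=NS) or "") for key, path in FIELDS.items()}


def build_sample_xlsx(include_core=True):
    """Construct a minimal OOXML package in memory for the demonstration.
    Author names and dates below are made up for this example."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>employees</dc:title>"
        "<dc:creator>Sample Author</dc:creator>"
        "<cp:lastModifiedBy>Sample Editor</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2018-05-30T15:02:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2018-06-01T09:14:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        if include_core:
            z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a real .xlsx path to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsx()
    for key, value in read_core_properties(data).items():
        print(f"{key:17} {value}")
```

Reading the XML directly rather than opening the workbook in Excel avoids updating any of these timestamps and keeps the artifact's hashes stable. docProps/app.xml in the same package carries Application and Company values and can be read the same way.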

Figure 26. Spreadsheet metadata showing creator/modifier of document.


Figure 27. DET3CT showing download of the employees.xlsx file by 10.65.255.180 on August 11, 2018.

Below is an overview of types of traffic found in the packets. Let’s look at this from the perspective of each IP in the 10
NET from DEF CON.

IP Address 10.65.248.120

The individual who had the IP 10.65.248.120 had a small amount of traffic on August 10, 2018. And once I filtered out
DNS queries and captive portal, there were about 320 hits in DET3CT. However, the bulk of the traffic fell on the next
day, August 11, 2018.

On August 10, this IP address had non-relevant traffic, going to Verizon, showing some Google queries, NPR, a brewery, and Protonmail. This IP also went to pages like http://www.googleguide.com/advanced_operators_reference.html.

This is interesting because it suggests the person doing these searches needed help figuring out how to construct
better queries for data.

Despite all of the effort from 10.65.248.120, this IP did not manage to download the file.

August 11, 2018, Traffic Breakdown

● 10.65.248.120 used a cURL User-Agent for an attempt to target 167.99.25[.]199 (0hdaysec[.]cf).

● 10.65.248.120 attempted to target the following URLs:

o 0hd4y53c[.]tk,

o www.0hd4y53c[.]cf, and

o 0hd4y53c[.]cf

o 10.65.248.120 also made 14,386 attempts on 0hd4y53c[.]tk on 8/11/18, starting at 13:23

● 10.65.248.120 used www.domaincrawler.com to examine 0hdaysec[.]cf and also started looking for
ns1.0hdaysec[.]cf. In addition, this IP also went to 53c[.]tk, and www.53c[.]tk.

● 10.65.248.120 DNS traffic shows many attempts to brute force directories on 0hd4y53c[.]tk with no success
(Figure 28).


Figure 28. 10.64.248.120 brute-force attack on 0hd4y53c[.]tk.

● 10.65.248.120 went to 0hday on two dates, August 10 and 11, 2018.

● Other traffic of note includes Tor IP address 209.141.60[.]238 at 21:25:33.008 for *justaguy* on August 10.

● 10.65.248.120 went to mail.protonmail.com at 22:13:04.

● 10.65.248.120 went to icanhazip[.]com (69.162.69[.]149) at 22:13:06 using the user agent curl/7.58.0. This
means the user was trying to find his/her public IP address.

● 10.65.248.120 went to Protonmail, an end-to-end encrypted email service that also has self-destruct timers
for email. This service was initially founded in 2013 and was by invitation only, but by 2016 it opened to public
use. The servers are in Switzerland, outside of both EU and US jurisdiction.

● 10.65.248.120 went to the IP from the profile of Twitter user @0hd4y53c (1.3.3[.]7)

Figure 29. IP 10.65.248.120 going to 1.3.3.7 and to additional internal IP addresses.

To see fuzzing login attempts from 10.65.248.120 against the .tk domain, refer to Figure 35.

IP Address 10.65.255.180

For all of the efforts between these two IP addresses, it appears only one obtained the file employees.xlsx, and it was
10.65.255.180. Note that after getting the file, there was traffic to Google documents by this IP address possibly to
upload the file.

August 11, 2018, Traffic Breakdown

● IP 10.65.255.180 searched on president[.]com, which gave 404 File Not Found for the directory
/SpaceY_Dump/ (Figure 30).

Figure 30. IP 10.65.255.180 on August 11, 2018, at president[.]com.

● 10.65.255.180 tried to target website[.]com to find the same /SpaceY_Dump directory, but a 301 Moved
Permanently response was returned.

o Also tried president[.]com

● 10.65.255.180 made attempts to identify hosts with variants on the theme of the alias @0hd4y53c, such as

o www.0hd4y53c[.]com,

o 0hd4yz[.]com,

o 0hd4y53c,

o www.0hd4yz[.]com and 0hd4y53c[.]tk, a.k.a. 159.89.196[.]13, and

o 0hdaysec[.]cf.

Figure 31. 10.65.255.180 DET3CT showing traffic to Gmail, upload.docs.google.com, and anti-hacker-alliance.com.

Figure 32. IP 10.65.255.180 activity with respect to anti-hacker-alliance.com.

The internal 10.65.255.180 IP went to anti-hacker-alliance.com (Figure 35), possibly to gain intel on sites related
to Space Y. This IP also did random searches on a theme of the name from the original tweet (Figure 33). There was a
lot of traffic from this internal IP to various sites.

Figure 33. IP 10.65.255.180 grasping for anything with .tk domains, as seen in the right-hand column.

Various 10 NET IP Addresses Searching

Three other 10 NET IP addresses, excluding .120 or .180, attempted to go to the .tk and .cf domains (Figure 34):

● 10.65.249.31 (user agent iPhone OS 11_4_1) hit 0hd4y53c[.]tk (159.89.196[.]13) and 0hdaysec[.]cf.

o Went to sendspace.com, which is a large file upload service

o Went to keybase.io

● 10.65.248.139 had 20 DNS queries in DET3CT for 0hdaysec[.]cf on August 11, 2018, 12:45:09.518

● 10.65.247.28 had 12 DNS queries in DET3CT for 0hdaysec[.]cf on August 11, 2018, 13:50:51.178

Figure 34. DET3CT table showing various IP addresses looking at 0hdaysec[.]cf (167.99.25[.]119) on August 11, 2018, at 16:35.

Darksite26 Slack Channel

The IPs from Figure 35 went to a darksite26.slack.com Slack channel on August 11, 2018. It is around the time of the
Slack channel activity in DET3CT that there was more coordinated searching activity against space.agency and SpaceY.

The IP addresses from this Slack Channel are:

src_ip          Count (descending)
10.65.250.187   496
10.65.255.180   42
10.65.248.120   40
10.65.247.136   38
10.65.252.32    10
10.65.249.31    8
10.65.254.84    4

Figure 35. 10 NET IPs at Slack Channel darksite26.slack.com.

● 10.65.250.187 – had 148 hits in DET3CT for spacey.agency on August 11, 2018, at 12:00.

o Went to other internal IPs – 10.65.252.192, 10.65.247.174

o join.slack.com

o files.slack.com

o chat in slack

● 10.65.255.180 — searches for SpaceY

● 10.65.248.120 — searches for SpaceY

● 10.65.247.136 — on August 11 had DNS queries for the domains www.website[.]com and website[.]com and
the IP for www.website[.]com — 65.61.198[.]201

o 10 NET internal IPs 10.65.252.192 and 10.65.247.174 went to website[.]com over port 80 (HTTP) at the
same time .180 was searching this site and going to the sub-directory /SpaceY_Dump

● 10.65.249.31 — searches for 0hd4y53c[.]tk on 8/11/18 at 15:23

o Apple/iTunes

o Outlook 365

● 10.65.252.32 — internal port 80 – 10.65.247.174

● 10.65.254.84 — internal port 80 – 10.65.247.174

o Side note on what 10.65.247.174 is doing: it looks like it is running scans against all 10.65.x.x IP
addresses over port 80.

Various IPs Not in Slack — Searching on .cf

Some of the internal DEF CON IP addresses did not show up in the Slack traffic, but did perform minor searches on
the same domains as the others looking for the dump files.

● 10.65.248.139 — DNS queries for .cf domain 0hdaysec[.]cf on 8/11/18 around 12:45

● 10.65.247.28 went to 0hdaysec[.]cf (four (4) DNS queries) on August 11th 2018, 13:49:14.251

o Slack

o Login.live

o MS downloads

Figure 36. Omnipeek dashboard of 10.65.248.120 attacking 0hd4y53c[.]tk

I tried to determine if any of these internal 10 NET IPs were working together. I located traffic via the same named
Slack channel (darksite26) and identical general searches by external IP and domain on the same day (August 11,
2018) at the same time. I discovered that both 10.65.248.120 and 10.65.255.180 went to 1.3.3[.]7 on that
day at 14:00. The IP 1.3.3[.]7 is the IP from the tweet of the user who had the SpaceY_Dump image. Note that
.180 did not use Tor for these attempts.

The internal 10 NET IP addresses made many failed attempts using various spellings of the domain to try and
download or obtain SpaceY Dump data, presumably as a result of finding the tweet about the dump. Table 6 shows
various domains that the 10 NET IP addresses tried to target.

Table 6. The domains and internal 10 NET IP addresses that targeted them

Who? | When? | Domain Name | IP Address | Query

.TK Domain

It appears that McAfee blacklisted 0hd4y53c[.]tk. This domain is in threatminer.org with malware hashes from
2015/2016 and then nothing until 8/11/2018 with .120, .180 and .31. The DNS info for 159.89.193[.]13 /
0hd4y53c[.]tk: NS1.0HDAYSEC[.]CF and NS2.0HDAYSEC[.]CF
(https://www.virustotal.com/en/domain/0hd4y53c.tk/information/). Same person running multiple domains
from a single hosting account.

10.65.248.120 | 8/11/18 13:23 – 15:09 | 0hd4y53c[.]tk | 159.89.196[.]13 | 14,121 hits to fuzz directories by IP and domain name.
10.65.255.180 | 8/11/18 13:21 – 15:09 | 0hd4y53c[.]tk | 159.89.196[.]13 | 40 total hits
10.65.249.31 | 8/11/18 13:24 | 0hd4y53c[.]tk | 159.89.196[.]13 | 7 total hits

.CF Domain

10.65.248.120 | 8/11/18 13:40 – 14:58 | ns1.0hdaysec[.]cf and 0hdaysec[.]cf | 167.99.25[.]119 | 3,517 hits to DNS and IP; 14,121 hits by domain name. File transfer attempt, but failed to get file via IP @ 14:42:39.473 - /SpaceY_Dump/employees.xlsx
10.65.248.120 | 8/11/18 14:47 | ohdaysec[.]cf/spacey_dump and ns1.ohdaysec[.]cf | (none) | Spelled with letter "O" not zero. DNS queries – returned NXDOMAIN – invalid domain
10.65.248.120 | 8/11/18 15:08:16 – 15:08:31 | 0hd4y53c[.]cf and www.0hd4y53c[.]cf | (none) | DNS queries – returned NXDOMAIN – invalid domain
10.65.255.180 | 8/11/18 13:40 – 18:09 | ns1.0hdaysec[.]cf and 0hdaysec[.]cf | 167.99.25[.]119 | 197 hits - domain names and /SpaceY_Dump/Employees.xlsx, /SpaceY_Dump, /SpaceY_Dump/*, /SpaceY_Dump/ - 403 Forbidden. File xfer via IP @ 18:07:52 - /SpaceY_Dump/employees.xlsx
10.65.247.28 | 8/11/18 13:49 – 13:56 | 0hdaysec[.]cf | 167.99.25[.]119 | 44 hits to DNS and domain (port 80)
10.65.248.139 | 8/11/18 12:45 | 0hdaysec[.]cf | 167.99.25[.]119 | 10 hits to DNS and domain (port 80)
10.65.249.31 | 8/11/18 14:42 | 0hdaysec[.]cf | 167.99.25[.]119 | 7 hits

.COM Domain

10.65.255.180 | 8/11/18 13:33:00 | 0hd4yz[.]com and www.0hd4yz[.]com | (none) | DNS queries – returned NXDOMAIN – invalid domain
10.65.248.120 and 10.65.255.180 | 8/11/18 15:38 – 15:40 | 1.3.3[.]7 | (none) | 3 hits – tried to ping the host

DNS or other Queries

10.65.250.187 | 8/11/18 12:00 – 20:00 | Darksite26 and spacey.agency | 169.99.108.101 | DNS queries for spacey.agency. Why?
10.65.250.180 | 8/11/18 12:00 – 20:00 | Darksite26 | (none) | 91 hits to this Slack URL
10.65.248.120 | 8/11/18 12:00 – 20:00 | Darksite26 | (none) | 83 hits to this Slack URL
10.65.247.136 | 8/11/18 12:00 – 20:00 | Darksite26 and www.website[.]com (65.51.198[.]201) | (none) | 77 hits to this Slack URL
10.65.252.32 | 8/11/18 12:00 – 20:00 | Darksite26 | (none) | 21 hits to this Slack URL
10.65.252.31 | 8/11/18 12:00 – 20:00 | Darksite26 | (none) | 21 hits to this Slack URL
10.65.254.84 | 8/11/18 12:00 – 20:00 | Darksite26 | (none) | Telnet to 10.65.242.192. Not able to see much. VPN traffic.
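The rows of Table 6 were compiled by hand from DET3CT. As an added example, not part of the report, the same per-source summary can be produced from raw DNS/HTTP records; the constructed records below mimic the DET3CT fields, and undoing common leetspeak substitutions (0 to o, 4 to a, 5 to s, 3 to e) shows that the 0hd4y53c and 0hdaysec names are one label, so the .tk, .cf and letter-O misspellings group under a single cluster per source IP.

```python
"""Table 6-style summary of look-alike domain activity per source IP.

Added example, not from the report: the DET3CT/Kibana views the report
summarises by hand are reduced here to an offline aggregation over a few
constructed records. Undoing common leetspeak substitutions shows that
0hd4y53c and 0hdaysec are the same label, so the .tk, .cf and misspelled
variants fall into one cluster per source.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records modelled on the DET3CT fields used in the report:
# (timestamp, src_ip, kind, name, result). For "dns" the result is the rcode,
# for "http" it is the response status; the name may carry a request path.
SAMPLE = [
    ("2018-08-11 13:40:02", "10.65.248.120", "dns", "ns1.0hdaysec.cf", "NOERROR"),
    ("2018-08-11 14:42:39", "10.65.248.120", "http", "0hdaysec.cf/SpaceY_Dump/employees.xlsx", "403"),
    ("2018-08-11 14:47:10", "10.65.248.120", "dns", "ohdaysec.cf", "NXDOMAIN"),
    ("2018-08-11 14:47:11", "10.65.248.120", "dns", "ns1.ohdaysec.cf", "NXDOMAIN"),
    ("2018-08-11 15:08:16", "10.65.248.120", "dns", "0hd4y53c.cf", "NXDOMAIN"),
    ("2018-08-11 13:23:05", "10.65.248.120", "http", "0hd4y53c.tk/SpaceY_Dump/", "404"),
    ("2018-08-11 13:33:00", "10.65.255.180", "dns", "0hd4yz.com", "NXDOMAIN"),
    ("2018-08-11 13:40:30", "10.65.255.180", "dns", "0hdaysec.cf", "NOERROR"),
    ("2018-08-11 18:07:52", "10.65.255.180", "http", "0hdaysec.cf/SpaceY_Dump/employees.xlsx", "200"),
]

LEET = str.maketrans("013457", "oleast")  # 0->o 1->l 3->e 4->a 5->s 7->t


def cluster_label(name):
    """Registrable label of a host or URL with leetspeak undone.
    ns1.0hdaysec.cf, 0hd4y53c.tk and ohdaysec.cf all map to "ohdaysec";
    bare IP addresses are returned unchanged."""
    host = name.split("/", 1)[0].lower()
    labels = host.split(".")
    if all(lab.isdigit() for lab in labels):
        return host
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return sld.translate(LEET)


def summarise(records):
    """{(src_ip, cluster): {hits, first, last, nxdomain, downloads}}"""
    rows = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                "nxdomain": 0, "downloads": []})
    for ts, src, kind, name, result in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        row = rows[(src, cluster_label(name))]
        row["hits"] += 1
        row["first"] = when if row["first"] is None else min(row["first"], when)
        row["last"] = when if row["last"] is None else max(row["last"], when)
        if kind == "dns" and result == "NXDOMAIN":
            row["nxdomain"] += 1  # misspelled or never-registered variant
        if kind == "http" and result == "200" and name.lower().endswith(".xlsx"):
            row["downloads"].append(name)  # a spreadsheet actually left the host
    return dict(rows)


def render(rows):
    """Plain-text lines in the Who / When / cluster layout of Table 6."""
    lines = ["Who? | When? | Cluster | Hits | NXDOMAIN | Downloads"]
    for (src, label), r in sorted(rows.items()):
        when = "%s - %s" % (r["first"].strftime("%m/%d/%y %H:%M"), r["last"].strftime("%H:%M"))
        lines.append("%s | %s | %s | %d | %d | %s" % (
            src, when, label, r["hits"], r["nxdomain"], ", ".join(r["downloads"]) or "none"))
    return lines
```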


Table 7 shows the external hosts by domain name and includes information from online services such as Shodan.io or
archival sites.

It is noteworthy that @0hd4y53c lists the IP 1.3.3[.]7. Beyond appearing to be a play on the word “leet”, this IP
hosted numerous ghostsecurityteam[.]com domains, which may be linked to a group of hackers. There is even a
Twitter account from October 2018 that appears to show botnets for hire and Mirai botnet activity:
https://twitter.com/ghostsecurteam?lang=en (this activity may or may not be related to our hacker @0hd4y53c).

Figure 37. Many ghostsecurityteam[.]com domains are hosted by 1.3.3[.]7

Table 7. Details about each domain that was attacked or searched

Domain Name | IP Address | Host | Details | Ports | Misc

0hd4y53c[.]tk | 159.89.196[.]13 | Richmond, Canada | First seen 7/22/18; last seen 8/11/18. Either IP or domain name gave 200 OK | 80 | admin@0hd4y53[.]tk first seen 7/22/18 and last seen 9/3/18
0hdaysec[.]cf | 167.99.25[.]119 | Fort Worth, TX (Digital Ocean) | First seen: 5/27/18; last seen: 9/26/18 | 22, 8080, 80 | (none)
ns1 and ns2.0hdaysec[.]cf | 167.99.25[.]119 | Fort Worth, TX (Digital Ocean) | First seen: 8/11/18; last seen: 9/26/18 | 22, 8080, 80 | "server": "Apache/2.4.18 (Ubuntu)"
0hd4y53c[.]cf and www.0hd4y53c[.]cf | (none) | (none) | No online presence | (none) | (none)
www.0hd4y53c[.]com | (none) | (none) | NXDOMAIN | (none) | (none)
Numerous – including ghostsecurityteam[.]com domains | 1.3.3[.]7 | China | Ping attempted | (none) | (none)

SpaceY Agency

Since one of the DEF CON attendees had downloaded the /SpaceY_Dump/employees.xlsx file, I used Network Miner
to obtain a copy of the file. Because the traffic from the download attempt was over an unencrypted connection on port
80 (HTTP), everything for that download was visible in the PCAP files.
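The carving step the report performed with Network Miner can be reproduced from the capture alone, because a port 80 download puts the whole response on the wire in the clear. The following is an added example, not code from the report or its tools: it builds a small constructed PCAP in memory (placeholder addresses 10.0.0.5 and 192.0.2.10, a fake response body, and the report's file path as the request target), reassembles the server's TCP segments even when they arrive out of order or retransmitted, and carves the HTTP body, refusing a body shorter than its Content-Length so a truncated capture is not mistaken for the full file.

```python
"""Carve a file fetched over plain HTTP (port 80) out of a PCAP.
Added example (not from the report, which used NetworkMiner): builds a
constructed capture, reassembles the server's TCP stream, carves the body."""
import hashlib
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap


def _frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (the parser ignores them)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1533999600 + i, 0, len(f), len(f)) + f
    return out


def tcp_segments(pcap):
    """Group TCP payloads by (src, sport, dst, dport) as [(seq, payload), ...]."""
    streams, off = defaultdict(list), 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue  # not TCP
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            streams[(src, sport, dst, dport)].append((seq, payload))
    return streams


def reassemble(segments):
    """Order by sequence number and drop exact retransmissions."""
    data, seen = b"", set()
    for seq, payload in sorted(segments):
        if seq not in seen:
            seen.add(seq)
            data += payload
    return data


def carve_http_downloads(pcap):
    """[(server_ip, body)] for complete HTTP 200 responses served from port 80.
    A body shorter than its Content-Length (truncated capture) is not reported."""
    found = []
    for (src, sport, _, _), segs in tcp_segments(pcap).items():
        if sport != 80:
            continue
        head, sep, rest = reassemble(segs).partition(b"\r\n\r\n")
        if not sep or not head.startswith(b"HTTP/1.1 200"):
            continue
        length = None
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value)
        body = rest if length is None else rest[:length]
        if length is None or len(body) == length:
            found.append((src, body))
    return found


# Constructed capture: placeholder client 10.0.0.5 fetches the spreadsheet path from
# placeholder server 192.0.2.10; segments arrive out of order plus one retransmission.
FAKE_XLSX = b"PK\x03\x04" + b"constructed-not-a-real-xlsx" * 8  # fake body, not a workbook
_req = b"GET /SpaceY_Dump/employees.xlsx HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
_resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
         b"Content-Length: %d\r\n\r\n" % len(FAKE_XLSX)) + FAKE_XLSX
_segs, _seq = [], 1000
for _chunk in (_resp[i:i + 60] for i in range(0, len(_resp), 60)):
    _segs.append((_seq, _chunk))
    _seq += len(_chunk)
FRAMES = [_frame("10.0.0.5", "192.0.2.10", 50000, 80, 1, _req)]
FRAMES += [_frame("192.0.2.10", "10.0.0.5", 80, 50000, s, p)
           for s, p in list(reversed(_segs)) + [_segs[0]]]
SAMPLE_PCAP = build_pcap(FRAMES)


def recover(pcap=SAMPLE_PCAP):
    """(server_ip, sha256 of the carved body) for the first download found."""
    server, body = carve_http_downloads(pcap)[0]
    return server, hashlib.sha256(body).hexdigest()
```

Hashing the carved body is what lets a recovered file be matched against the copy later handed over for analysis.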

Discovery of the “employees” file came after reviewing online information, which showed the resolved domain name
hosted via Digital Ocean and also showed a meetn domain. I initially thought that domain might have something to do
with the data dump mentioned in the tweets, but this did not appear to be the case. However, reviewing the PCAP
for a meetn invite file led to the detection of the employees.xlsx file.

After obtaining a copy of the SpaceY Agency Employees Excel spreadsheet, I searched for the domain listed in the
employee emails. I was able to find a website at spacey[.]agency and a second one at
spacey[.]agency.s3-website-us-west-1[.]amazonaws.com. These are both hosted over port 80 and have some
characteristics that required further examination.

Figure 39 shows the spacey[.]agency website, with limited details about Space Y revealed on an About Us page.

Searching for SpaceY_Dump using Google led to images discovered on urlscan.io, which are included in this
report.

Figure 38. Google searches on SpaceY_Dump led to discovery of numerous scans. https://www.google.com/search?q=SpaceY_Dump –
“kevin spacey”.

Figure 39. Home page for spacey[.]agency

The spacey[.]agency site’s About Us page describes a founder and CEO named Helon Frusk, who purportedly worked
for NASA. However, my numerous searches for Helon Frusk or variants on this name did not yield any information. If
Frusk held any administrative position for NASA, it probably would be publicly available in various searches and on
NASA pages for officials, so the utter absence of any mention whatsoever of Helon Frusk is odd, to say the least. It led
me to wonder whether Helon Frusk is a play on Elon Musk’s name or a misspelling of an actual prior employee of
NASA.

The spacey.agency site states that Space Y Industries received Series E funding. Series E funding exists, but it is rare
for a company to reach that level, as it can take up to six (6) years to attain. Furthermore, reaching this level of
funding would imply a high profile. It would yield internet chatter, and yet nothing emerges when doing free online
searches. I examined who funded the well-known SpaceX aerospace company and began digging through records to
determine if there was a Series E round of funding for a presumably new company called Space Y, but nothing came up
in my searches. SpaceX partnered with the venture capital firms Draper Fisher Jurvetson, Founders Fund, Valor
Equity Partners, and Capricorn. However, none of these firms listed any funding rounds for Space Y.

Space Y’s About Us page mentions a brokered deal with NASA. However, the nasa.gov website, which has a
Commercial Partners page, https://www.nasa.gov/offices/c3po/partners/ccdev_partners.html, has no mention of
partnership with Space Y but does show partnership with Blue Origin and with SpaceX:
https://www.nasa.gov/content/cots-commercial-partners. Other NASA pages show partnerships with commercial
companies for Lunar Payload Services (CLPS), but nothing turned up for Space Y Industries.

The spacey[.]agency page has links to the real pages for Blue Origin, Virgin Galactic, and NASA, which prompted me
to perform more searches on Twitter, yielding a tweet linking Jeff Bezos to Blue Origin:
https://twitter.com/JeffBezos/status/1050136574090825728

Blue Origin has a Launch Services Agreement (LSA) with the US Air Force:
https://www.blueorigin.com/news/air-force-selects-blue-origin-for-launch-services-agreement. The agreement
describes launches from Vandenberg Air Force Base. It appears that Blue Origin wants to use the New Glenn rocket for
this work, which is different from the rockets mentioned in the “employees” spreadsheet.

Another link on Space Y’s About Us is to Virgin Galactic, which has connections to The Spaceship Company (TSC),
manufacturer of advanced space vehicles. All of these searches were an attempt to find out how these related to the
About Us claims of partnering with the US government and various agencies and corporations in the space industry.
However, no amount of probing and digging turned up any company by the name of Space Y in a partnership or alone
for these claims of partnership.

The final paragraph of the text on the spacey[.]agency website is about a rocket named the Malcon Y series. I was
unable to find any information on a Malcon Y series rocket, but there are Falcon series rockets and Dragon series
spacecraft. Maybe this is another play on words? The Dragon series was in the Blue Origin launches. Also, the
spreadsheet has Falcon 9 (also abbreviated as F9) rockets listed in job titles. Merlin 1D engines are also on the
spreadsheet.

The other interesting thing about the spacey[.]agency domain is that there is a secondary domain. This URL is:
http://spacey[.]agency.s3-website-us-west-1[.]amazonaws.com. Note that these are on two different IP addresses, and
have minor differences, mostly in the source code of the pages. The IP address for spacey[.]agency is 52.219.28.35
and the IP for the AWS URL is 162.255.119.126. The AWS URL has the following Meta Tags: <meta
name="author" content="SpaceY Dev Team"> and a Title: <title>SpaceY Industries</title>.
The other URL for spacey[.]agency does not have this information in the source code.

Namecheap is the registrar for spacey.agency as of May 13, 2018, and the site is using a redirect service via
Namecheap. Note that SpaceX is on AWS with the registrar Network Solutions and is using Drupal CMS. This Space Y
site is remarkably different in that it has no certificates (not on 443) and has no links to or references for the SpaceX
program.

Other research on the employees spreadsheet included looking at names and phone numbers. The phone numbers
listed on the spreadsheet all use the 822 area code, which is a future toll-free code not in use at the time of this
report (2019). There does not appear to be accessible information online for most of the C-suite executives. If these
were real people running a space industry program with ties to the US government, I would expect to find some link
between this company and their social media profiles.

More in-depth searches on social media do seem to align with two or three names on the spreadsheet, but it was
difficult to find anything useful, and it is possible the links to these people are false positives.

Figure 40. 10.65.250.187 searching for spacey.agency.

I did not validate that the data dumped was data from any specific organization mentioned on the Space Y About Us
page, as this project was not about determining the validity of the files downloaded.

Additionally, I saw traffic going over port 53 (DNS) for spacey.agency from 10.65.250.187. Looking into that URL led
to information about the dump and to my next question: who is part of Space Y Agency?

Looking at more online searches and going directly to the domain spacey.agency gave important information. It turns
out that Jeff Bezos and Elon Musk along with various US government agencies are involved in partnerships and
collaborations for various space programs. Let’s look closer at the IP addresses and data.

Both 10.65.250.187 and 10.65.255.180 went to look for Space Y data. The DNS queries were for items like:

• http://0hdaysec[.]cf/spacey_dump/employees.xlsx,

• spacey[.]agency and,

• http://ns1.0hdaysec[.]cf./spacey_dump.

Figure 41. More searches for .TK domains by 10.65.255.180

The IP 10.65.255.180 started to query for various domains including www[.]53c[.]tk and hiyh[.]tk. When looking
at the IP mentioned on Twitter (1.3.3[.]7), a look at VirusTotal shows that this was scanned on 9/24/18 and has a
detection of 1/67:

https://www.virustotal.com/en/url/bcece26d94a45c425b7389a8591d602ee0d87da0406791a3ccf1d837aa7bccfb/analysis/

Other searches by this small handful of DEF CON attendees were performed to try to determine how long the domains
were up; 0hdaysec[.]cf, according to Figure 42, was only up from 8/11/18 to 8/24/18.

Figure 42. Robtex search on the IP for the employee file

All of the traffic looks like a specific attempt to gain files from a data dump and is all very targeted during DEF CON
for one day of the event. The internal IP addresses all work at approximately the same times and make attempts to
attack or scan these hosts primarily on August 11, 2018. Refer to Figure 43 to see an overview of the main DEF CON
IPs: 10.65.255.180, 10.65.248.120 and 10.65.249.31 all working at about the same times on the same day of
the conference.

To understand the relationship of the three primary IP addresses from the 10 NET at DEF CON, I pulled up all traffic
in DET3CT for the entire conference from 8/8/18 through 8/12/18 for 10.65.255.180, 10.65.248.120 and the
10.65.249.31 address. They all appear in the dataset starting on August 10 through August 11, 2018. Moreover, all
three seem only to be actively searching for the SpaceY dump during August 11, 2018 around the same time.

Figure 43. The three primary IPs working at the same date/similar times.

Figure 44 shows all three IP addresses working together at targeting 167.99.25[.]119, with 10.65.248.120
generating the most traffic in DET3CT.

Figure 44. The three primary 10 NET IPs (.120, .180 and .31) targeting 167.99.25[.]119 - same day/times

Mismatches

There are things about the “hack” that do not add up. The site for spacey[.]agency lists Helon Frusk from NASA, but it
is the only place I found that name, even after searching for it in NASA site pages.

Other random traffic includes the 10.65.249.10 and 10.65.250.180 IP addresses going to the following URL:
https://eyes.jpl.nasa.gov/.

Figure 45. Traffic in DET3CT showing 10.65.255.180 going to a NASA site

Further research on “employees” identified in the spreadsheet leads to many dead ends. It was difficult to find
anything online about these employees, which could be a factor when working on secretive or government projects. In
cases such as sensitive projects, it would be reasonable for employees to limit online exposure to avoid being targeted.
The secrecy would make sense for a group working on space-related industrial design or a “SpaceY” group involved in
government projects.

I did attempt to identify whether employees, such as a Material Engineer from the spreadsheet, were real people. I
searched and found a person located in CA who works for a company specializing in Geotechnical Engineering,
Environmental Engineering, and Materials Testing and Inspection Services. It’s possible that the individual who works
at this firm is also engaged on a project for Space Y Industries. Another person on the spreadsheet worked for Avionics
and other related firms for Mechanical/Industrial Engineering.

Spreadsheet job titles and locations match up, but names are hard to find online with free searches. For example, the
job title PRODUCTION MANAGER _ MERLIN _ PROPULSION ASSEMBLIES comes up in job searches and
openings at SpaceX (https://en.wikipedia.org/wiki/Merlin_(rocket_engine_family)), and jobs on the spreadsheet
such as INTEGRATION TECHNICIAN - ADVANCED SUBASSEMBLIES (F9 ROCKET) also show up as SpaceX openings:

https://lensa.com/integration-technician-advanced-subassemblies-f9-rocket-jobs/hawthorne/jd/b6b76fb2ed3c2f82ad16a5abcaacfba4

Many spreadsheet entries use precise locations like the Cape Canaveral Air Force Station Space Launch Complex
(SLC-40), which appears to be a legitimate location. Cape Canaveral Air Force Station Space Launch Complex 41 and
Kennedy Space Center Launch Pad SLC-40 are also listed and appear to be legitimate places. Other general locations
include McGregor TX or Hawthorne CA. Space Exploration Technologies (aka SpaceX) is located at 1 Rocket Road in
McGregor TX, which matches spreadsheet data.

Other things don’t add up in the external data. However, enough pieces came together to conclude that the file
exfiltrated from an external host appears to contain legitimate data linked to a company possibly affiliated with
space-related companies, such as SpaceX.

Conclusion

After investigating the 1TB of DEF CON 26 data in DET3CT, a Kibana dashboard custom built by ElevatedPrompt, I
discovered various scanning and hacking activity against .cf and .tk domains that seemed suspicious. The DEF CON
data led me to discover a tweet about a data dump (Space Y Dump) that led me back to DET3CT to determine if
internal IPs at the conference obtained a file.

One 10 NET IP address at the conference downloaded an Excel spreadsheet from an external host over port 80, which
meant that I had access to the file by reviewing the PCAP. The employees.xlsx spreadsheet had 468 entries and
contained job titles, names, email addresses, phone numbers, locations, and employment status.

Metadata analysis on the employees.xlsx file showed that it was created on May 30, 2018, and modified on June 1 by
Heather Combs, identified as a software engineer in the spreadsheet.

Further analysis showed a Twitter user with the alias @0hd4y53c who identified the dump and had obfuscated the
domain and file names in a photo posted online. What did display in the tweet was the file extension. Further
research revealed a public website obtained from employee email addresses. The data from the spreadsheet and the
website are from space-related industries.

Some things do not add up for this research, such as identifying Helon Frusk from the spacey[.]agency website or
finding evidence of any company called Space Y or Space Y Industries. However, the traffic coming from DEF CON
internal 10 NET IP addresses does appear to be a legitimate attack against external hosts. This belief stems from the
fact that only three (3) IP addresses made multiple targeted attempts to the domains that presumably had Space Y
data. If this were a DEF CON contest, CTF or challenge, some information on the official DEF CON website or
writeups would have been found published online, and more than three (3) primary 10 NET IP addresses would have
targeted the external sites.

The DEF CON attendees who did the most work to try and obtain documents from the original tweet were IPs
10.65.248.120 and 10.65.255.180. There was traffic showing everything from automated attacks against the
host to whois lookups and urlscan.io scanning. The private IP addresses for these attendees even showed searches on
variants of the 0hdaysec name, such as www.53c[.]tk, as shown in Figure 41.

Only one IP obtained the spreadsheet and succeeded at downloading it, which is how I obtained a copy via PCAP files
showing traffic over port 80. The employees.xlsx spreadsheet had 468 entries and contained job titles, names, email
addresses, phone numbers, locations and employment status.

How did the three primary 10 NET IP addresses search for the employees.xlsx spreadsheet? Was it just good
guesswork, or was one of the participants told a file name? Perhaps the Twitter user F.A who requested a DM from
@0hd4y53c was at DEF CON and was told a file name. Perhaps the user who liked the tweet and tweeted that he was
going to DEF CON found the file.

I do not know who the people were that took the file or who downloaded the file while at DEF CON. Also, how did they
know to search for other .xlsx files such as apps.xlsx? Was it due to a DM, as indicated in a tweet between F.A and
@0hd4y53c, or a good guess? Perhaps the Twitter user F.A who requested a “follow for DM” from @0hd4y53c was at
DEF CON and was told a file name. Or perhaps the user who liked the SpaceY dump tweet and tweeted that he was
going to DEF CON found the file. To be clear, I do not know who took the file or who downloaded the file while at DEF
CON.

There are many mysteries about the data, but one thing is sure. There is a Space Y spreadsheet that contains enough
data to be believable, and that pertains to SpaceX-related rockets and engines, such as Falcon 9.

Appendix

This appendix has various outputs from DET3CT, OmniPeek, and online tools as supplemental information.

Participants at DEF CON went to URLscan.io and scanned the .cf site repeatedly. The following links are for the scans
in question:

• https://urlscan.io/result/d9957a07-d60e-473a-8621-cb430c085154
• URL: http://0hdaysec[.]cf/SpaceY_Dump/ Submission: On August 11 via manual August 11th 2018, 7:38:41 pm.
Summary HTTP 1 Behaviour IoCs. Similar DOM…

• https://urlscan.io/result/fd860c70-2151-49be-859d-d0eabfa19bbe
• URL: http://0hdaysec[.]cf/SpaceY_Dump/ Submission: On August 11 via manual August 11th 2018, 8:21:27 pm.
Summary HTTP 1 Behaviour IoCs. Similar DOM…

• https://urlscan.io/result/c166d19b-4892-4faf-82ad-f984f555e01b
• URL: http://0hdaysec[.]cf/SpaceY_Dump/ Submission: On August 11 via manual August 11th 2018, 7:18:51 pm.
Summary HTTP 1 Behaviour IoCs. Similar DOM…

• https://urlscan.io/result/6a4bbbd8-aeb8-40c1-9498-969d8deed0a3

• URL: http://0hdaysec[.]cf/SpaceY_Dump/apps.xlxs. Submission: On August 11 via manual August 11th 2018,
10:18:53 pm. Summary HTTP 1 Behaviour IoCs.

• https://urlscan.io/result/68aebb59-7ee4-4fa2-95e7-b8d416f06d40
• This website contacted 1 IPs in 1 countries across 1 domains to perform 1 HTTP transactions. The main IP is
167.99.25.119, located in Fort Worth, United States…

• The other domain was scanned four (4) times: https://urlscan.io/search/#0hd4y53c.tk

• https://urlscan.io/ip/167.99.25.119
• 11 Aug 2018 ... 167.99.25.119, 5 months ago, 2 KB, 1, 1, 1. ns1.0hdaysec.cf, 5 months ago, 2 KB, 1, 1, 1.
0hdaysec.cf/SpaceY_Dump/apps.xlxs, 5 months ago…

• https://urlscan.io/search/#page.ip:%22167.99.25.119%22 – there were 16 scans for the primary URL on urlscan.io.
All were launched manually.

Figure 46. 13 Queries from urlscan.io for 0hdaysec[.]cf – note the number of scans launched at the same time

Figure 47. Query by IP on urlscan.io for 167.99.25[.]119

• It appears that the .cf domain was only up for a brief period of time that overlaps part of DEF CON 26 conference
dates: August 11–24, 2018. https://www.robtex.com/private/html?revh=167.99.25.119

Figure 48. 167.99.25[.]119 – the employees.xlsx file was downloaded from this IP

The DEF CON participants did a variety of searches for data. It appears that they also used a Slack channel for private
communications at darksite26.slack.com. Some internal IPs did 40 minutes of port scanning against external hosts.
Others did searches using the Wayback Machine (archive.org). The internal traffic was noisy and, since a lot of it was
over port 80, exposed, which led to my access to one of the dump files (Figure 48).


Figure 49. The other attack vector was against 0hd4753c[.]tk. Note the email – admin@.

There were also hits against the .tk domain for files (Figure 49). Note that in the Maltego screenshot many of the IPs are simply parked and have nothing to do with the real site I was looking for.

Figure 50. Maltego data of the Tweet from @0hd4y53c

Tracing the original site started with a Google search, which led to the tweet about popping something big, which in turn led to these other domains in the DEF CON data. I never found the apps.xlxs file or any other .xlsx files; the only one was employees.xlsx, which I obtained by extracting it from the PCAP file (Figure 50).


I examined the metadata of employees.xlsx with exiftool. For an OOXML workbook these are the document properties stored inside the zip container (docProps/core.xml and docProps/app.xml) rather than true EXIF, but exiftool reports them the same way: creation and modification dates and times, the authoring application and operating system, and Creator and Last Modified By fields that correspond to a name in the employees.xlsx file itself (Figure 51).

$ exiftool employees.xlsx
ExifTool Version Number : 10.80
File Name : employees.xlsx
Directory : .
File Size : 45 kB
File Modification Date/Time : 2018:12:30 16:32:15-05:00
File Access Date/Time : 2019:01:13 21:39:12-05:00
File Inode Change Date/Time : 2019:01:17 08:06:52-05:00
File Permissions : rw-rw-r--
File Type : XLSX
File Type Extension : xlsx
MIME Type : application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x689dee62
Zip Compressed Size : 350
Zip Uncompressed Size : 1168
Zip File Name : [Content_Types].xml
Title :
Subject :
Creator : Heather Combs
Keywords :
Description :
Last Modified By : Heather Combs
Create Date : 2018:05:30 23:55:26Z
Modify Date : 2018:06:01 16:24:09Z
Category :
Application : Microsoft Macintosh Excel
Doc Security : None
Scale Crop : No
Heading Pairs : Worksheets, 1
Titles Of Parts : employees
Manager :
Company :
Links Up To Date : No
Shared Doc : No
Hyperlink Base :
Hyperlinks Changed : No
App Version : 16.0300

Figure 51. EXIF data from the dumped employees.xlsx File
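The properties exiftool printed above can be pulled straight out of the workbook's zip container. The following script is an added example and is not part of the original report or of exiftool; it opens an OOXML file, reads docProps/core.xml and docProps/app.xml, and returns the author-identifying fields. The sample workbook it builds is constructed in memory, and the author name in it ("Sample Author") is made up for the example; only the dates and application string are copied from the exiftool output above.

```python
"""Read the document properties exiftool reports for an .xlsx workbook.

Added example, not part of the original report. An OOXML workbook is a zip
archive: the Creator, Last Modified By, Create Date, Modify Date and
Application fields come from docProps/core.xml and docProps/app.xml inside
that zip, not from a real EXIF segment. The sample workbook is built in
memory; its author name is made up for the example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML property parts (fixed by ECMA-376).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "title": "dc:title",
}
APP_FIELDS = {
    "application": "ep:Application",
    "app_version": "ep:AppVersion",
    "company": "ep:Company",
}


def _text(root, path):
    """Text of the first matching element, or None when absent/empty."""
    el = root.find(path, NS)
    return el.text if el is not None and el.text else None


def read_ooxml_properties(data: bytes) -> dict:
    """Return author-identifying properties from an OOXML (.xlsx/.docx/.pptx) blob."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip container, so not an OOXML document")
    props = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            props.update({k: _text(core, p) for k, p in CORE_FIELDS.items()})
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            props.update({k: _text(app, p) for k, p in APP_FIELDS.items()})
    return props


def build_sample_xlsx(author: str = "Sample Author") -> bytes:
    """Constructed minimal workbook: only the two property parts matter here."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title/><dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2018-05-30T23:55:26Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2018-06-01T16:24:09Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], author, author)
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Macintosh Excel</Application>'
        "<AppVersion>16.0300</AppVersion><Company/></Properties>"
    ) % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in read_ooxml_properties(build_sample_xlsx()).items():
        print(f"{key:>17}: {value}")
```

Run it against a real file with `read_ooxml_properties(open("employees.xlsx", "rb").read())`. Empty elements such as `<dc:title/>` come back as None, which matches the blank fields in the exiftool listing; a file whose first bytes are not the zip signature is rejected before any parsing.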

The next several figures show additional proof of the internal IP addresses targeting the external hosts in an attempt to
download or obtain SpaceY dump data.


In Figure 52, the dashed line from 10.65.248.120 shows various types of traffic directed at the external host 167.99.25[.]119, where the dumped employees.xlsx file was hosted.

Figure 52. Peer Map of 10.65.248.120 attacking 167.99.25[.]119 with breakout of type of traffic

The peer map from the packet capture (PCAP file) shows the DEF CON IP addresses attacking 167.99.25[.]119, the location of the data dump file employees.xlsx. Numerous packets come from both 10.65.255.180 and 10.65.248.120; the dashed line depicts a large quantity of mixed traffic (HTTP, SSH, etc.) from the single internal IP 10.65.248.120 to the external host.

Figure 53. Protocols for 167.99.25[.]119 on 8/11/18


The PCAP view in Figure 53 displays the variety of protocols aimed at the external host on one date, August 11, 2018. Note the duration in the top right of the image: 3 hours and 26 minutes of traffic aimed at 167.99.25[.]119.

Figure 54. The nodes (aka internal IPs) that hit 167.99.25[.]119

As seen in Figure 54, 167.99.25[.]119 was targeted by several internal IP addresses, with the bulk of the traffic
coming from 10.65.248.120 and 10.65.255.180.

Figure 55. The downloaded file - employees.xlsx – only one IP got this file (.180)

Even though other examples show a great deal of traffic going to the external host from 10.65.248.120, only one
internal IP address was able to download a file – 10.65.255.180.


Figure 56. The traffic from 10.65.255.180 to 167.99.25[.]119 with 200 OK for file download

The internal IP 10.65.255.180 sent 167.99.25[.]119 a variety of requests and eventually downloaded a file. Other external IP addresses were hit by the same couple of internal IPs on 8/11/18. In the screenshot for Figure 57, 159.89.196[.]13 was targeted with a lot of HTTP traffic on 8/11/18 between 15:21 and 17:08.
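The 200 OK in Figure 56 is what makes the file recoverable from the capture: once the TCP stream is reassembled, the response body is the file. The script below is an added example, not code from the report, Wireshark or NetworkMiner. It parses one raw HTTP/1.x response, honours Content-Length or chunked encoding, and hands back the body only when the status is 200 and the body starts with the expected file signature (the zip magic `PK\x03\x04` for an .xlsx). Both responses in it are constructed for the example; the "xlsx" payload is a fake zip header, not the real employees.xlsx.

```python
"""Carve a downloaded file out of a reassembled HTTP exchange.

Added example, not code from the report or from Wireshark/NetworkMiner. It
takes the raw bytes of one HTTP response (what "Follow TCP Stream" gives
you), honours Content-Length or chunked encoding, and returns the body only
when the server answered 200 OK and the body starts with the expected file
magic. The two responses below are constructed; the "xlsx" body is a fake
zip header, not the real employees.xlsx.
"""
import hashlib
import re
from typing import Optional, Tuple

STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})")


def _dechunk(data: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows each chunk
    return bytes(out)


def parse_http_response(raw: bytes) -> Tuple[int, dict, bytes]:
    """Split one HTTP/1.x response into (status, lower-cased headers, body)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: headers never terminated")
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(rest)
    elif "content-length" in headers:
        n = int(headers["content-length"])
        if len(rest) < n:
            raise ValueError(f"truncated body: have {len(rest)} of {n} bytes")
        body = rest[:n]
    else:
        body = rest  # connection-close delimited
    return int(m.group(1)), headers, body


def carve_download(raw: bytes, magic: bytes = b"PK\x03\x04") -> Optional[dict]:
    """Return the carved file (with size and SHA-256) or None if nothing was served."""
    status, headers, body = parse_http_response(raw)
    if status != 200 or not body.startswith(magic):
        return None
    return {
        "content_type": headers.get("content-type"),
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "data": body,
    }


# Constructed sample traffic. FAKE_XLSX is only a zip local-file-header prefix.
FAKE_XLSX = b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 20 + b"[Content_Types].xml"
RESPONSE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\r\n"
    b"Content-Length: " + str(len(FAKE_XLSX)).encode() + b"\r\n\r\n" + FAKE_XLSX
)
RESPONSE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"9\r\nNot Found\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    hit = carve_download(RESPONSE_200)
    print("carved", hit["size"], "bytes, sha256", hit["sha256"])
    print("404 response carved:", carve_download(RESPONSE_404))
```

The SHA-256 is what you would submit to VirusTotal or pivot on elsewhere. Two caveats a practitioner should keep in mind: a `Content-Encoding: gzip` body must be decompressed before the magic check, and on a real capture the stream should be reassembled by Wireshark or tshark first (`tshark -r capture.pcap --export-objects http,outdir` does the whole job for plain HTTP), since this parser expects one complete response.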

Figure 57. PCAP files showing 159.89.196[.]13 getting hit by HTTP traffic from three internal IPs - .180, .31 and .120

The PCAP shows 10.65.248.120 heavily targeting 159.89.196[.]13 for 1 hour and 46 minutes, which is why its line is drawn thicker than the lines from the other two internal 10.0.0.0/8 addresses hitting the same external target.


Figure 58. View of PCAP data for .31, .120 and .180 hitting 159.89.196[.]13

In Figure 58, the per-IP dropdown in the middle pane shows HTTP requests to 159.89.196[.]13 for the SpaceY_Dump directory. These attempts against the external host only yielded HTTP 404 Not Found.

Figure 59. Fingerprint the DEF CON IPs

One theory I had was that the individuals hitting these external IP addresses to obtain the dump files were using multiple devices, such as mobile phones and laptops. Figure 59 shows NetworkMiner's host view for the PCAP, which attempts to identify the operating system of each device passively from its TCP/IP characteristics.
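To make the "multiple devices behind one address" theory testable, the following added example (not NetworkMiner's or p0f's code) applies the coarse heuristics passive fingerprinters start from: recover the initial TTL by rounding the observed TTL up to the nearest common default, pair it with the advertised TCP window from the SYN, and count the distinct pairs per source address. An internal IP that presents two different profiles is either two devices or a NAT, which is the distinction the report is after. The SYN records are constructed for the example; only the address ranges are taken from the report.

```python
"""Passive OS fingerprint hints from captured TCP SYN packets.

Added example, not NetworkMiner's or p0f's code. Initial TTL is recovered by
rounding the observed TTL up to the nearest common default (64/128/255) and
combined with the advertised TCP window; distinct fingerprints are then
counted per source address. The SYN records below are constructed, not
taken from the DEF CON capture.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Syn(NamedTuple):
    src: str
    ttl: int
    window: int


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common OS default."""
    for default in (32, 64, 128, 255):
        if observed <= default:
            return default
    raise ValueError(f"invalid TTL {observed}")


def guess_os(ttl: int, window: int) -> str:
    """Very coarse OS family guess; treat it as a hint, not an identification."""
    init = initial_ttl(ttl)
    if init == 128:
        return "Windows"
    if init == 64:
        if window == 65535:
            return "macOS/iOS/BSD"
        if window in (5840, 14600, 29200, 64240):
            return "Linux/Android"
        return "Unix-like"
    if init == 255:
        return "Solaris/network gear"
    return "unknown"


def fingerprints_by_source(syns: List[Syn]) -> Dict[str, Set[Tuple[int, int]]]:
    """Distinct (initial TTL, window) pairs seen per source IP."""
    seen = defaultdict(set)
    for s in syns:
        seen[s.src].add((initial_ttl(s.ttl), s.window))
    return dict(seen)


def likely_multi_device(syns: List[Syn]) -> List[str]:
    """Source IPs that presented more than one fingerprint."""
    return sorted(ip for ip, fps in fingerprints_by_source(syns).items() if len(fps) > 1)


# Constructed SYNs on the 10.65.0.0/16 ranges named in the report.
SAMPLE_SYNS = [
    Syn("10.65.248.120", 63, 65535),   # one hop away, macOS-like window
    Syn("10.65.248.120", 127, 8192),   # same address, Windows-like profile
    Syn("10.65.248.120", 63, 65535),
    Syn("10.65.255.180", 63, 29200),   # Linux-like
    Syn("10.65.255.180", 63, 29200),
]

if __name__ == "__main__":
    for ip, fps in fingerprints_by_source(SAMPLE_SYNS).items():
        print(ip, [(t, w, guess_os(t, w)) for t, w in fps])
    print("multiple fingerprints:", likely_multi_device(SAMPLE_SYNS))
```

Real tools add the SYN option layout (MSS, window scale, SACK, timestamps) to the fingerprint, which separates OS versions far better than TTL and window alone; the two-field version here is enough to show why a single address with two stable profiles is worth a closer look. Feed it with `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e ip.ttl -e tcp.window_size_value`.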


Figure 60. View of .120 hitting 1.3.3[.]7

The internal IP 10.65.248.120 also went to 1.3.3[.]7 with both ICMP echo requests and HTTP traffic, probably because 1.3.3[.]7 appears on the profile page of the Twitter user @0hd4y53c.

Figure 61. Twitter user profile - 1.3.3[.]7

The PCAP shows 10.65.248.120 spending time at 1.3.3[.]7, an address with numerous domain names including ghostsecurityteam[.]com, which may be a cover for the hacker who posted the original dump tweet, @0hd4y53c.


Figure 62. 0hd4753c[.]tk and ns1.0hdaysec[.]cf

The server view of 0hd4753c[.]tk and ns1.0hdaysec[.]cf shows 10.65.255.180, 10.65.248.120 and 10.65.249.31 targeting directories such as /SpaceY_Dump/ and other pages that might contain dump data.

Figure 63. ns1.0hdaysec[.]cf getting hit with traffic from .180 and .120


The internal addresses 10.65.248.120 and 10.65.255.180 hit the nameserver for 0hdaysec[.]cf for 2 hours and 23 minutes on 8/11/18. Note that the PCAP shows more traffic from the .180 IP (Figure 63).

Figure 64. Coordinated hits on 0hd4753c[.]tk, president[.]com, website[.]com and searching archive.org

0hd4753c[.]tk was targeted by 10.65.249.31, 10.65.248.120, and 10.65.255.180. The 10.65.255.180 internal IP also went to president[.]com and website[.]com and searched archive.org.

Other traffic from two of our primary internal IPs includes a lot of traffic to 52.33.17[.]213 (Figure 65).

Figure 65. The IP 52.33.17[.]213 has a login panel – DET3CT table showing traffic to it.


Figure 66. Internal IPs hit this site at AWS – 52.33.17[.]213, but the purpose is unclear.

During the hour in which all of this traffic was happening, some of the same internal IPs also scanned the AWS-hosted host, but it is unclear why. The requests went to the IP address directly; it resolved to the EC2 hostname below, which presented a certificate for TRX. Perhaps this login page was not live at the time of DEF CON.

Of the internal IPs that went to the admin login page on 52.33.17[.]213, 10.65.250.187 was also scanning this IP:
https://ec2-52-33-17-213[.]us-west-2.compute.amazonaws[.]com/login?path=/admin

All of these IP addresses were shown in the DET3CT dashboard at darkspace26.slack.com. They hit 167.99.108[.]101 and the URL above. Note how many ports the IP 10.65.250.187 scanned on the 167.99.108[.]101 host. There was a connection to Slack just before this traffic.

Figure 67. 10.65.250.187 going to AWS and then to .101

10.65.246.31 also went to the slack channel.


Figure 68. darksite26.slack.com used by .31, .187, etc.

Tools

I cannot emphasize enough how many awesome tools are available for free. Below is a list of the tools that were
invaluable in the search and aggregation of information about what was happening on one day (8/11/18) during the
DEF CON 26 conference.

• NetworkMiner (https://www.netresec.com/?page=networkminer)

• Wireshark (https://www.wireshark.org)

• Kali Linux (https://www.kali.org/downloads/)

• Maltego (https://www.paterva.com/web7/downloads.php)

• Urlscan.io (https://urlscan.io/)

• Twitter (https://twitter.com)

• Epic Search (https://www.epicbrowser.com)

• Tor (https://2019.www.torproject.org/projects/torbrowser.html.en)

• Talos Intelligence Feed (https://www.talosintelligence.com)

• VirusTotal (https://www.virustotal.com/#/home/upload)

• The Wayback Machine a.k.a. the Internet Archive (https://archive.org)

• Shodan.io (https://www.shodan.io/)

• AlienVault (https://otx.alienvault.com)

• Threatminer (https://www.threatminer.org/)

• ThreatCrowd (https://www.threatcrowd.org/)

• Intel Techniques by Michael Bazzell (https://inteltechniques.com/menu.html)

