On th3j35t3r's Project Looking Glass

Thursday, July 05, 2012

ʞɔopuooq ʇuıɐs


"There’s a large mustard-mine near here. And the moral of that is — The more there is of mine, the less there is of yours." – The Duchess (Alice in Wonderland)

As many of you will have noticed, there haven’t been a lot of ‘TANGO DOWNS’ over the last few months. There is a reason for this. I decided that I should concentrate a little more on targeted intelligence gathering and a little less on the violent internet smackdown that is XerXeS and others.

I needed a way to get undisputable evidence as to the real world identity of ‘the mark’ – whatever the ‘mark’ or target was, be it Anons, Jihadist bomb plotters or forum admins, or whoever.

Over the last few months I have been running ‘Project Looking Glass’.

So what is it?

The Looking Glass is based upon the open source Browser Exploitation Framework – I used this as its truly modular framework lends itself well to me modifying and hacking it to pieces in order to get it to do what I want it to, without losing direction or straying from the confines of the original mission spec or waste time re-inventing the wheel. One of the bonuses of open-source code right?

The entire project comprises of the ‘looking glass’ server, which I will be talking about here, and numerous other ‘bait’ servers which have the the ‘hook code’ embedded in certain pages that they serve up. Once a target hits the page they immediately pop up on the looking glass HUD and information starts getting logged and a profile of the ‘mark’ starts to form.

I am not going into much more detail on this for obvious reasons. But I will say the highly targeted nature of how the hook code is served up to the ‘mark’ leaves very little room for error, mistaken identity or false positives.

Here’s a screenshot of the moment @joshthegod of #UGNazi stumbled through the looking glass after being on the target list for only two days prior, and here’s the tweet I posted that same day (June 14) – https://twitter.com/th3j35t3r/status/213281821704732672

(click image to enlarge)

Those of you familiar with BeEF will notice some differences in the screenshot above, yes Looking Glass Logs a whole bunch of stuff right from the get go and it’s searchable.

So what else is different?

Well after making a few changes to the core I was in a position to start creating some funky new intelligence gathering modules, that would live in the modules tree within it’s own separate section called – ‘Project Looking Glass’. These modules would seriously boost the effectiveness of this hybrid beast turning it into a formidable force for good (in this case).

So currently there are 12 new modules in Project Looking Glass and they are pretty nasty if you get caught on the end of one or more of them. The names are fairly self explanatory and you will notice they are all good to go with a green traffic light in this case against Firefox/Linux:

(click image to enlarge)


So why would I let this out of my bag?

I haven’t actually given away any operational details, they key to this is in the delivery of the hook code, location of ‘bait servers’ etc. The hook code, by the way, can also be injected using XSS into any vulnerable 3rd party website, so the target doesn't even have to hit one of my ‘bait boxes’.

Project Looking Glass is not available or downloadable to the public, although I am sure within a few hours there will be claims you can download it here there and everywhere, as was the case with XerXeS. Please be advised I never released XerXeS and I won’t be releasing Project Looking Glass. If some one says they have it, they are lying to you and most likely try to infect you with malware.

So there it is, and make no mistake bad guys, it is out there, and you won’t see it coming. Today you have seen what I can see, I tell you this as a warning. Again bad guys, Project Looking Glass has been running for months now, and not without success as we have seen.

There’s nothing you can do about it, as you have no idea how many hook code snippets are out there, where they are…….

…….or indeed whether or not you have already accidentally stumbled through the looking glass.


There’s an unequal amount of good and bad in most things. The trick is to figure out the ratio and act accordingly.

Cross-posted from Jester's Court

Possibly Related Articles:
Information Security
Jester Attacks Exploits Cross Site Scripting th3j35t3r Anonymous jihadist Cyber Intelligence Project Looking Glass
Post Rating I Like this!
Anthony M. Freed For those who doubt: Treadstone71's Jeff Bardin has independently confirmed Project Looking Glass's validity it seems... https://www.treadstone71.com/index.php/news-info-whitepapers/news/110-plg-th3j35t3r-t71
Marc Quibell I need a looking glass to even look at those screen shots....
Ben Keeley What happens to the data or session if a non-target triggers the plg/beef hook?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.