
...talk on Discord OSINT using the power of empty banana. So, a little bit about myself: my name is Zach, I go by UberZachAttack online. Any PSU alums in here? One, okay. For my day job I work as a pentester; I specialize mainly in phishing engagements and campaigns.

So, a quick overview of the talk: I'll give a preface, how OSINT can be applied in Discord, an overview of the OSINT methods, some case studies, how it can be scaled, real-world examples of this, lessons learned, my approach (hypothetically) with that, some protections that you can use, and some random things that I found while going through this.

So for the preface, my opinion: Discord OSINT is currently underutilized and has potential. However, there's a lot of investment needed to do it effectively in Discord, and there's also a lot of risk and consequences involved. The last two points won't really be clear until halfway through the presentation. Also, side note: I'm presenting in a way where I'm assuming most of you have some basic understanding of OSINT and, most importantly, Discord. If you don't really understand Discord, that's a little awkward, but move on.

So, OSINT and Discord. This presentation is mainly on how to track people of interest, and I'm here to tell you that you can search for personally identifiable information: someone's interests and occupation, accounts tied to their real name, the location that they live in, and information that could be used against the person of interest.

So, current methods. There's a really great article from osintcurio.us, or OSINT Curious for short. Through that article, the main points brought up were searching for Discord servers through Google, using the built-in Explore feature in Discord to search for various servers like Call of Duty Discords, and going through third parties like Disboard or Discord.me. Another big key of the article was finding users of importance, so these would be identifying the owners, administrators, and moderators of those servers. The methods that I'll focus on are chat history and the search function within Discord, linked accounts, server nicknames, and mutual servers.

So, with the Discord search function: this is very similar to Google dorking, for anyone familiar with that. It has search operators that can easily narrow down your search. For example, you can search for someone's username in a specific channel, such as general chat. So here's a full list of the operators. The main ones I want to focus on are from, has, and in. From, like it says, is for specific users, so for a person of interest you can use that to narrow down their username and search through any chat history or messages that they sent. Has is also a very powerful one that's of importance: instead of going through tons of chat messages, you can use has to narrow down whether someone sent a link, an embed, a file, video, images, stuff like that. And in is also a very important one, since it can narrow down specific channels, so instead of going across 20 or 50 channels that the person chatted in, you can just focus on one.

And for those that don't really know, empty banana is an Easter egg built into Discord. So if you search for someone and there's no results, empty banana is one of the Easter eggs that you can find. And with operators, the example that you could use is to search for someone's username and then "password" to see if password comes up as a keyword.

So, notable examples that I found during my time doing this. First one: someone posted a full picture of themselves, exposed their face, the university that they graduated from, and it's all tied to their username. The second one here that I wanted to point out was, for a single user within a server, they sent over 10,000 messages, hence why operators would be very important for narrowing down search results. And then the last bit there, it might be hard to read, but essentially that was in response to someone posting a picture of their company badge in the channel, so they had to remind them that you shouldn't do that within a hacking Discord.

So the next one I want to cover is linked accounts. This is probably the easiest way to find someone's real name through Discord. Essentially, what you can do is link your account, like it says in the name, to your Discord account, so it shows where you might also be on social media. Like I said, this is extremely useful. So within this example, as you can see, we have the Discord user, their original username for Discord, and throughout their linked accounts we get a total of three different usernames tied to this account. So we have their Discord username, their second username that they use for League of Legends and stuff like that, a third username that they use for PlayStation and Epic Games, and then their real name, which was tied to their GitHub account and Spotify account. So through this we have a total of three online aliases that we can search for, including a real name that we can tie to all this.

The next one is server nicknames. Very similar to the linked accounts but somewhat different. Essentially, within each server that you're in, you can set a specific nickname for that server. So the common use case is for gaming servers: let's say you have your Discord username, you join a gaming server for Xbox, you would set your server nickname to your Xbox handle to make it easier. And then in these two examples you can see we have the original username for the first person, and they have a server nickname for both TCM Security and TryHackMe. And the reason why this is also useful is that sometimes people set their server nickname to their real name, so on the right you can see this person set their real name for two servers specifically.

So, a quick lesson on Student Hubs. Basically, it allows university students to connect with each other through servers. The initial rollout was in fall 2021. I personally added my cyber security club to this, so I was a part of the Penn State Student Hub. Here's an example of what it looks like: you're dropped into this kind of search area, so you basically have the home screen, you can search through the clubs, classes and subjects, social hangout places, and random ones. So at the top, with newest, these are mainly location based or niche communities, such as branch campuses, and then at the bottom it just lists the top servers by population. The one note here is that the top three have no related PSU affiliation; they're not a part of Penn State. So in theory, either a server moderator or admin had a valid PSU email and had enough admin rights to add these servers to the Penn State Student Hub. Another note here too: on the far right, most of the Discord users have set their real names as their server nickname for the Student Hub. So like I was saying before, we can easily tie the real name to their Discord username.

So this Student Hub essentially allowed for a linked view through mutual servers. Essentially I could join the Student Hub, join certain servers through the Student Hub, and then see people that were a part of those as well. So like what I was saying before, there were people that had their real name set from the Student Hub, so essentially I got their real name and Discord username and was able to see that they're within that hub, and since it's all Penn State related, it's all focused on one community, which made it really easy to sort of combine everything. Sorry for skipping ahead.

So this essentially spawned an idea: what if I replace Student Hubs with cyber security at large? If you think about it, for Student Hubs the main three things are classes, majors and subjects; clubs; and social hangouts and gaming servers. For cyber security it's specific field subjects, specific platforms, and servers owned by celebs or companies. What stays the same between these two is that there are the personalities, such as mods and key people, the ethos and goals of the server, and then the target audience and community.

So if you're just starting out with trying to get initial visibility through or for cyber security, then start off small. So for example, you'd probably go after something really big like DEF CON, then after a while your visibility improves by joining more and more cyber security related Discord servers. With this, it's important to analyze which ones you're in, so keep it simple; it's like the five Ws: what is the server, who owns it, what's the point of it, is there anything specific to it like a certain field or job occupation?

So this is what it would look like with two case studies. For the first one, the main Discord servers of interest that I saw through this profile were Cyberwox Academy, Security Blue Team and Blue Team Labs Online, and then Hack The Box. So if we go through each server and analyze it: Cyberwox Academy is owned by Day Cyberwox, also known as Day Johnson. It's mainly focused towards students and people; they have courses relating to entry-level cyber security stuff like SOC, cloud engineering, threat detection, and it's assumed to be beginners and intermediates, based on a specific target audience that is interested in defensive security and cloud. And then Security Blue Team and Blue Team Labs Online are pretty much the same but slightly different: it's essentially training on defensive security and SOC processes, assumed to be beginners and intermediates interested in defensive security. For those that don't know, Security Blue Team and Blue Team Labs Online is essentially the blue team Hack The Box, but more blue team stuff. And then we've got Hack The Box, with the main platform of their labs and machines that spun off their Academy platform with courses and certs, and their own CTF platform. This is also assumed to be beginners all the way to advanced professionals. So through that analysis, looking at it all together: heavy emphasis on training that's aimed towards beginners and intermediates, heavy bias towards defensive security, and for the specific person of interest, they're most likely at a beginner to intermediate level within their career and most likely interested in defensive security and certifications.

So for case study number two, is there anyone interested in trying to guess this one at all, based on the servers that are part of it? It's a little more specific. This might be hard since some of the platforms are smaller scale than TCM or Hack The Box. So with this one, the main three that popped out were the Jason Haddix Discord, PentesterLab, and Caido. So for Jason Haddix, he's very big online; he has a course on bug bounty hunting, and with this it's assumed to be intermediates and professionals within web app security. And then PentesterLab, they're mainly a web app pentesting training platform; they focus on the OWASP Top 10 all the way to code review, so with this it's beginners all the way to professionals within web app security. Like I said, not as well known, but essentially Hack The Box but more web stuff, and I'll try my best not to relate everything to Hack The Box. Then with Caido, this is a very niche web security tool; essentially it's Burp Suite built in Rust. So looking at it all together: heavy emphasis on web applications, training aimed towards intermediates and professionals. So for the person of interest, this is most likely someone at the professional level with a heavy interest in web app security.

With all this, it's important to confirm the assumptions and inferences that you make through mutual servers. So this is where you go back through chat history looking for keywords, looking through their linked accounts, any online presence that can confirm the inferences that you make. So for example, this guy, a web app pentester, had a decade of QA before that. And this could be applied to other things. So this is where location ties in: you can join Discord servers tied to a location, look through mutual servers of people of interest, and if there's a common theme, then you can kind of assume the general area that they live in. Though conferences like BSides might not be the best example, since people travel to them; generally this is just an example, but still fairly useful.

So some other notable examples that I wanted to bring up with mutual servers: it's important that you're looking for something that's niche specific and might have requirements. So the first two, BREAKDEV RED and Evilginx Mastery, these servers are owned by Kuba Gretzky; he made a tool known as Evilginx. BREAKDEV RED is application and invite based only, for offsec professionals that work within the red teaming space. Another thing with that is that since it's invite only, it's more private, though once you join, your real name is set as your server nickname, so it makes it very easy for OSINT opportunities. And then for Evilginx Mastery, the only way to gain access to the server is by purchasing the course. Caido, going back to what I was saying, is a very niche web app tool for security purposes; I'm not assuming a lot of people know about Caido, so if someone's within the Caido server, then that's where the assumption would come in that this person is most likely someone that works in the web app pentesting space. The next one is MalDev Academy; similar to Evilginx Mastery, the only way to gain access to the server is by purchasing the training. And then to cap it off, we have Student Hubs. So this one fills a server that's niche specific and has requirements, since it's specific to each university and you need a valid school email, and then it can become niche based on branch campuses, classes, and subjects.

So there's one problem with all this, though: all these methods were done through one account, and if we want to scale this, we'll have to deal with the Discord server cap. So the server cap is 100 Discord servers for free users, and then you can join up to 200 for Nitro users. You cannot use Discord bots like MEE6, since they have to be manually added by admins and given permissions, so we actually have to use real accounts, which are also known as self-bots, which is essentially a game of visibility. But with this there are other issues that we have to consider, such as: self-bots are against the Discord ToS, there's a lot of math involved to understand why this would be an issue, and all the methods and techniques that I've shown are manually intensive.

However, Spy.pet came into the picture around April 17th, 2024. Within one of these articles, the owner specifically brought up how it could be used for open source intelligence, which piqued my interest, so of course I gained access to the platform just to see what it could do. So at its peak I had about 14,000 servers being tracked, about 600 million users being tracked, as well as four billion messages logged. So one of the main functions of Spy.pet was looking at server info. For example, for Hack The Box it would bring up the bio for the server and stickers and emojis; it also showed the stats of the server, so how many members are in the server as well as how many would be online. It'll also show server bans, and you can also look at specific users and see where they're banned. Somewhat useful, but not really for our purposes until you get to the user info section. So essentially this was all the methods that I just showed, on one page. So going through the process of looking at each user, going through the mutual servers tab, chat history, it was all here. Fortunately I don't have any connected accounts, so mine was pretty bare.

But part of the suite was that it would also have specific info on a specific user. So it would show when the user was first seen, so when the bot for Spy.pet joined the server and first saw the user. It would also show the nicknames for various servers. A really interesting part about Spy.pet was that it also showed which servers users left, highlighted in red. So if someone joined a server and left, and the bot was within that server during that time frame, then it would track it. And then the main selling point was that it would track chat history and even capture messages before they were deleted. So I went through the Hack The Box Discord chat history; there was the export function through the website, it was a simple Excel thing, and I matched it up just to make sure it worked fine. So for me personally, the messages highlighted in green I'll bring up later on since they're very interesting, but for the one in red, I actually posted this message in the wrong channel and deleted it within under a minute, so it definitely proved that it could capture deleted messages instantly. However, the fun came to a stop, since Discord got notified and shut down everything. So then the story: Spy.pet got shut down, site owner unknown, and then Discord had the last laugh.

So what lessons could we learn from this? The main lesson, number one, is OPSEC. I'll spare you the details, but essentially an online community was able to track this person's GitHub account, their Mastodon account, and their Discord user profile. It also didn't help that the person was also in the same Discord server that was investigating him. Publicity is the second lesson. So Spy.pet was actually set up on October 30th, 2023, and it didn't get attention until April. Some people theorized that the admin wanted to make more money, so he started advertising it through various news sites, and it was up for about five months until it got publicized, and then it was taken down within nine days. Another lesson: the GDPR violations. So not only did Spy.pet violate Discord's ToS but also GDPR. An added bonus was that the owner potentially stored minors' chat history through the platform, and it was mainly advertised for people working on AI models and federal agents if they wanted sources of intel. So the last thing, through the Wayback Machine: the owner's intentions were actually more nefarious. Essentially the whole point of Spy.pet was that it would track people, and with the main selling point of capturing deleted messages, it was actually being used to bully people such as trans people as well as people with varying political beliefs. And I would have to double check, but apparently it's very common for political servers to delete chat history, but through Spy.pet it was being abused so that it would attack people of interest. So later the site owner tried to save face by changing the purposes of what the site was for, as well as the panel where you could request servers to be tracked. So what did it do technically right? Well, it was able to track what servers people were in, even when users had left; the infrastructure seemed to work well until it didn't; and it was able to view Discord user information.

So, my approach, hypothetically of course. There has to be a plan of what servers to join and how many accounts to use, which involves math, probably the biggest headache here; build better infrastructure that won't be detected; as well as OPSEC. So with the math, after doing some research and analysis, there are about 1.9 million servers of interest, and realistically you join servers of around 250 to 300 people, following Dunbar's number, which is essentially a fancy term for the amount of people a person can remember. So within the figure, the example is that a single person can only really remember up to 150 people; after that it gets a lot harder for people to remember specific people and such. On top of that, there would be a few Discord servers that we'd be interested in. So for the finale: if we cut 50% of that total to about 1 million that we'd be interested in, trying to cut out the noise, it would take about 9,000 or 10,000 Discord accounts, and if you wanted to use Nitro to boost the server cap then it would be about 5,000, but this would cost a lot, close to 50 grand a month. Then if you want to be OPSEC safe, you would have to practice good sock puppet rules, set up cloud instances, and also use multiple network interfaces and IPs for the sock puppets. So for perspective, Spy.pet had at least 143 accounts for the platform. And then build out a fully functional tool. A lot of this is buzzwords, but the main three things I want to focus on are: a tagging system to categorize the servers that you want to join; some type of check system that checks invite links that have been collected and checks to see if accounts were removed from the servers; and a query system to send queries for information utilizing the search function within Discord. To spare you the time, it's pretty much a botnet, and it's just Spy.pet but better.

So OPSEC tip number one. The green messages were actually times that I joined a server twice. So with this, it's important not to join servers through an authenticated session, so use a private window and don't have Discord open. Like I was just saying, use a private window, and then with this we can reference Dunbar's number, since invites all show the server population. Where the number like 250 to 300 people comes into play is that we're trying not to get recognized by the server admins and moderators. So the second tip: to avoid someone using the methods that I just showed against the bots that we would use, instead of having one bot join every cyber security server, we'd split it between the bots, so each bot would have one or two cyber security servers. So instead of looking at our bot and seeing that it has six or seven mutual servers shared between us, it'd be about one to three, depending, so this wouldn't raise suspicions that someone's being tracked. For the third tip, to avoid Discord finding out that we set up a botnet to collect data, focus on the sock puppets, especially on the IPs, since it'd probably raise a lot of eyebrows if they saw 9,000 accounts coming from one public IP.

So for those that are paranoid now and want to take action at the user level: take note of what accounts you link to your profile through "display on profile"; be mindful of what you post in Discord; and under Privacy & Safety, "allow direct messages from server members" and "enable message requests from server members you may not know" should be disabled. And then at the server level, for any Discord admins or moderators: ensure that the verification level is at the highest, so each user account has a verified phone number tied to their account, and then disable showing the members in the channel list, which is essentially the members on the right side whenever you're in a channel.

So for the random stuff that I came across while going through all this. One of the things that you might be confused about is why you should not accept messages or message requests, and this is mainly for the cases where someone has your Discord username but they can't find any chat history. What they could do is get your Discord username, hope that you're a part of one server that they're in, start a conversation with you by typing in your Discord username and have it open, but you won't get notified since they haven't sent a message yet. So they can then, through that open message, click through to your profile and look through the mutual servers that you're in. Number two, this is way out of scope for the presentation, but you could also consider social engineering, so using server boosts, which would also cost a lot of money, or playing the long game and befriending the admins in the hope that you join private admin channels and get more access to the private channels within the server. And random thing number three, for OPSEC: be wary of leaving a server as well. In this example, this person left the server multiple times and the admins took note of it, since this is a very common occurrence.

So wrapping it up: overall, Discord OSINT is feasible if you focus on the chat history, linked accounts, server nicknames, and mutual servers. However, to scale it requires a lot of preparation and involvement, you might get caught, and it's definitely illegal. The most important note is that Spy.pet was not the first; the first one was actually one called Dis.cool, and it was discovered in 2020. It was a similar story to Spy.pet: it was publicly released in 2020 and within a week Discord shut it down. And then to end it all off, I need to give a couple of shout-outs to Brandon, No Text To Speech, and Anthony G; this presentation wouldn't be what it is without them. So thanks, and here's where you can find me: I have my main website, ubber arch. XYZ, all my socials are on there, and yes, you can trust the QR code. And that's everything.