Recommendations for the Hacktivist Community

________________________________________________________________________________
________________________________________________________________________________

                         R E C O M M E N D A T I O N S

                                 F O R   T H E

                    H A C K T I V I S T   C O M M U N I T Y

                                     - - -

                Released on this day of November the 5th, 2014

                         Penned by The Humble Observer

________________________________________________________________________________
________________________________________________________________________________


Statement of Purpose

I have been observing the hacker and hacktivist communities, at times very
closely, for many years. The exact definition of “hacker” and “hacktivist”
varies from author to author, so I shall make my interpretation of these words
very clear. Let us define a “hacker” as someone who utilizes their knowledge of
computers and of computer networks to make money via illegitimate means. Let us
define a “hacktivist” as someone who utilizes their knowledge of computers and
of computer networks to do justice when justice is not done by the state. I
have found that these two communities are inextricably linked, yet remain
completely separate entities. Many hackers double as hacktivists in their spare
time, although most hacktivists do not fancy themselves hackers.

Although hackers turned hacktivists have the very best of intentions, and their
input and expertise are of great value to the hacktivist community, they have
inadvertently suppressed the potential of the very community they are trying to
aid. The get-in-get-the-goods-get-out methodology of the stolen credit card
driven hacker community, transferred to the hacktivist community via
ideological osmosis, has tragically affixed blinders to it. It has caused the
hacktivist community to think linearly and strive to do nothing more than to
blindly infiltrate target organizations and immediately leak whatever data they
happen to stumble across. This must change. Stealing and leaking data makes a
point, but it is sometimes necessary to do more than just make a point: to
inflict real, measurable damage. In certain, extreme cases an organization's
disregard for human rights warrants its immediate and complete obliteration.

In this essay, I will discuss a multitude of ideological, operational, and
technical changes that ought to be made to the hacktivist community. These
proposed changes have been derived from my personal observations. Some will
find the ideas contained within this document to be the product of common
sense. I have found these people to be few in number. If the community accepts
my suggestions it will not only become more effective, but the risks associated
with participating in it will be drastically lowered. My intent in writing this
is not to aid criminals, but rather to aid people who wish to do battle with
governments and corporations that have become criminals. If freedom is to
remain on this earth, its people must be willing and able to take up arms to
defend it, both physical and digital.


Personal Security

Sound operational security is the foundation from which all effective
cyber-offensives are launched. You should, at all times, put your own personal
security above the success of your operations and interests. The security
precautions taken by most hacktivists I have met are mediocre at best, and
needlessly so. Maintaining sound personal security is by no means difficult. It
requires much caution but very little skill. I have devised a series of
security precautions that hacktivists should take and divided them up into six
main categories: environmental, hardware, software, mental, pattern related,
and archaeological. We shall examine each individually.

(1) Environmental:

There are but two places you can work: at home or in public. Some people insist
that working at home is best and others insist that working in public is best.
The proper working environment debate has been raging in the hacker community
for quite some time now, and has great relevance to the hacktivist community,
as most governments view hackers and hacktivists as one and the same.
Proponents of the “work in public” argument claim that by always working at a
different public location, you significantly lower your chances of being
apprehended. They argue that even if the authorities are able to trace many of
the cyber-attacks you took part in back to the public places you took part in
them from, that does not bring them any closer to finding you. Most retail
stores and coffee shops keep surveillance footage for only a limited time, and
even if the authorities are able to get a photo of you from some security
camera, that does not necessarily lead them directly to your front door,
especially if you wore a hoodie the entire time you were working and the camera
never got a clear shot of your face. On the other hand, proponents of the “work
at home” argument argue that the risk of being seen and reported, or merely
recorded, while working in a public place far outweighs the benefit of the
significant increase in anonymity that working in public provides. Both sides
have legitimate points, and I urge you to consider both of them.

If you decide to work in public, the number one threat you face is other
people. Numerous large criminal investigations have been solved using the
observations of average everyday citizens who just happened to remember seeing
something suspicious. If people sense that you are trying to hide something,
they will watch you more closely than they would otherwise. It is important to
always “keep your cool”, as the old saying goes. Always try to sit in such a way
that your screen faces away from the majority of the people in the room.
Corners are your friend. Try to blend in with the crowd. Dress in plain
clothes. Draw no attention. If you are in a coffee shop, sip some coffee while
you work. If you are in a burger joint, buy a burger. If you are in a library
or book store, set a few books beside your laptop. Also, be very aware of
security cameras, both inside the establishment you are working in as well as
on the street near it. Being captured on camera is alright as long as the
camera cannot see what is on your screen. Some store cameras are watched by
actual people who will undoubtedly report you if they find out what you are
doing. More and more governments are placing very high quality CCTV cameras on
their streets to monitor their citizens, and these devices can be a problem if
they are peering over your shoulder through a window you are sitting beside.
When working in public, it is possible that you may have to confront a law
enforcement officer face to face. Law enforcement officers can smell uneasiness
from a mile away, and if you look like you are up to no good it is possible
that a cop will come and talk to you. Always have some sort of cover story made
up before you leave home to explain why you are where you are. If you are
forced to confront a law enforcement officer you should be able to talk your
way out of the situation.

If you decide to work at home, the number one threat you face is your own ego.
Just because you are at home does not mean that your working environment is
secure. Be aware of windows in close proximity to your computer as well as your
security-illiterate or gossipy family members. Security issues relating to
network configuration come into play when you work at home. If your computer
were somehow compromised while you are working at home, perhaps by your
government, it should be difficult for the person or group of people rummaging
around inside of your system to learn your public IP address, since all of your
traffic leaves through Tor (provided that you adhere to the software security
guidelines that we will discuss later). However, if your wi-fi password (or the
name of your printer, or the name of another computer on the network) contains
your actual last name and part of your address, tracking you down becomes very
easy. A lot of people name their network devices and structure their network
passwords in this way.

It is also possible that if an attacker who has infiltrated your computer
notices other machines on your network, they can pivot to them (infect them
with malware using your computer as a springboard of sorts) and use them to get
your IP address. A lot of Internet-enabled household devices have cameras on
them (your smart TV, your Xbox, and your high tech baby monitor, to name a few)
and said cameras can potentially be leveraged against you. It is in your best
interest to not have any other machines running on your home network while you
are working. Also, change your wi-fi password every once in a while and make
sure that the password on the administrative interface of your router is
something other than the out-of-the-box default. If your computer gets
compromised, logging into your router using username “admin” and password
“admin” is elementary for a moderately skilled attacker, and most modern
routers list their WAN IP address on their control panels.

Regardless of where you decide to work, be aware of mirrors and glass picture
frames near your workplace. In the right light, both of these items can reflect
crystal clear images of your screen to onlookers across the room. In addition
to this, understand that modern cell phones are your worst enemy. Not only are
they always going to be the weakest link in your security setup, but if they
are somehow compromised they come equipped with a camera and microphone.
Published research (the acoustic cryptanalysis work of Genkin, Shamir and
Tromer, 2013) has shown that a phone's microphone placed near a laptop can
recover a GnuPG RSA private key from the high-pitched noise the computer's
electronics emit while it decrypts attacker-chosen ciphertexts. Furthermore,
the metadata collected by your phone, coupled with pattern analysis techniques,
could allow your government to link your real life and online personas
together after some time. We will discuss this in depth later. Leave your
phones at home and if possible keep all phones, yours or otherwise, far away
from your computer. Other portable devices such as iPods and tablets pose the
same risk that phones do and should be treated the same.

(2) Hardware:

Modern computers come equipped with microphones, speakers (which can be used as
microphones under the right circumstances), and cameras. All of these features
can potentially be leveraged to identify you if your computer is compromised.
To mitigate these risks, these features should be physically removed. Your
computer's microphone and speakers should be ripped out of it, but you should
not rip out your web cam, as doing so will alter the outward appearance of your
computer and potentially draw attention to you. Instead, open your computer's
screen bezel and snip the wires that connect to your web cam. Wrap the bare
ends of the wires in electrical tape so they cannot short against each other or
the chassis. If you must listen to an audio file while working, use headphones.
Only keep your headphones plugged into your computer when you are using them.
The computer you use for your hacktivist activities also should not contain a
hard drive, as one is unnecessary for our purposes.

(3) Software:

Always use a Tor-enabled Linux live system when working. At the present moment,
Tails (The Amnesic Incognito Live System) is by far the best live distribution
for your purposes. You can read more about Tor at and you can read more about
acquiring, setting up, and using Tails at
The Tails operating system lives on a USB flash drive. Every time you start up
your computer, you must first insert your Tails flash drive into it. The Tails
website will guide you through making said flash drive. Tails automatically
directs all of your outgoing traffic into the Tor network in an effort to hide
your IP address. Tails gives you a strong, though not unconditional, degree of
anonymity, provided that:

        * You keep your Tails USB up to date. New versions of the Tails
          operating system are released every few months.

        * You do not log into your “real world” accounts while using Tails.
          Do not check your Twitter feed while you are working.

        * You do not use Tails to create an account with an alias that you have
          used before. If you have been “0pwn” for the past seven years, now
          is a good time to stop being 0pwn.

        * You do not alter Tails' default security settings. They are the way
          they are for a reason.

        * You do not use Tails to create an online account with a password that
          you have used before. Doing this only makes deanonymizing you easier.

        * You do not install and use random packages that “look cool”; they
          could be malicious. Only use packages and scripts that you trust.
          Tails is not bullet proof.

        * If you decide to set an administration (sudo) password when starting
          up Tails, make sure that it is very strong.

        * You stay conscious of metadata analysis techniques. We will discuss
          these later.

        * You switch circuits every ten to fifteen minutes. This can be done
          by double clicking the little green onion in the upper right hand
          corner of your Tails desktop and hitting the “Use a New Identity”
          button.

        * You follow the communication guidelines laid out later in this
          document.

More information can be found on the Tails warning page:
doc/about/warning/index.en.html. Be aware that it is very easy for your ISP
(which is probably working closely with your government) to tell that you are
using both Tor and Tails. It is probably in your best interest to use Tails'
“bridge mode”. You can read more about how to configure Tails to use Tor
bridges here:
bridge_mode/index.en.html.

Tails has a feature that wipes your computer's memory before it shuts down.
This is done in order to mitigate risks associated with the dreaded “cold boot
attack” (a forensic method in which a suspect's RAM is chilled, with canned air
or liquid nitrogen, so that its contents decay slowly, then removed from the
computer and read out for later analysis). This wipe is also triggered if you
pull your Tails flash drive out of your computer while you are working. If,
while you are working, you ever feel that the authorities are about to move in
on you, even if you have a seemingly irrational gut feeling, yank your Tails
flash drive out of your computer. Tails also has a feature that allows it to
disguise itself as a Windows desktop. Using this feature in public will
significantly reduce your risk of being noticed.

(4) Mental:

A skilled attacker is well disciplined and knows that he must keep his actions
and skills a secret in order to remain safe from harm. Do not flaunt the fact
that you are dissatisfied with your government, a foreign government, or a
particular corporation. Do not attend protests. Do not publicly advertise the
fact that you have an above average aptitude for computer security, offensive
or otherwise. And whatever you do, do not tell anyone, even someone you think
you can trust, that you are planning to launch an organized cyber-attack on any
organization, big or small. If you draw attention to yourself no amount of
security precautions will keep you safe. Keep your “real” life mentally
isolated from your “hacktivist” life. One lapse in operational security could
end you.

Be alert and focused. Remain mentally strong. Come to terms with the illegality
of your actions and what will happen to you if you are apprehended. As a wise
man once said, “A warrior considers himself already dead, so there is nothing
to lose. The worst has already happened to him, therefore he's clear and calm;
judging him by his acts or by his words, one would never suspect that he has
witnessed everything.” It is perfectly acceptable to be paranoid, but do not
let that paranoia consume you and slow your work. Even if you are extremely
cautious and follow this document's advice to the letter, you still may be
hunted down and incarcerated, tortured, or killed. Some countries do not take
kindly to hacktivists. It is best that you be honest with yourself from the
beginning. In order to operate effectively you must be able to think clearly
and see the world as it actually is.

(5) Pattern Related:

When your online persona is active your real life persona ceases to exist, and
an observant adversary can use this to their advantage. If your ISP, bank, and
mobile phone provider are “cooperating” with your government and allowing them
to browse through all of their records (a fair assumption in this day and age)
then, eventually, they will be able to deduce your real identity by comparing
everyone's data to information about your online persona. If the government
looks back on all of the records they have collected in the past year and
notices that you never make a credit card purchase, watch Netflix, go on your
Facebook, Google, or Twitter account, or change your physical location while
1337Hax0r64 is online on some anti-government forum on the deep web, they will
assume that you are 1337Hax0r64. Even information about your home network's
bandwidth usage can give away your real identity.

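The analysis described above can be reduced to a small piece of arithmetic, and
seeing it written out makes clear why months of records are needed and why a
merely silent subscriber does not trip it. The following is an added example,
not part of the original essay and not any agency's actual method: the persona's
forum sessions and the three subscribers' activity records are constructed for
the demonstration, and the scoring rule (events a subscriber's own baseline
rate predicts during persona sessions, minus events actually seen) is an
assumption chosen to illustrate the idea.

```python
# Added example (not from the original essay): "who goes quiet exactly when
# the persona is online?"  Persona sessions, subscriber records and the
# scoring rule below are all constructed for this demonstration.
from datetime import datetime, timedelta

WINDOW_START = datetime(2014, 10, 1)            # observation window (constructed)
WINDOW_END = WINDOW_START + timedelta(days=28)

# Constructed: the persona "1337Hax0r64" is seen on a forum 20:00-23:00
# every other evening.  Each session is a (start, end) pair.
PERSONA_SESSIONS = [
    (WINDOW_START + timedelta(days=d, hours=20),
     WINDOW_START + timedelta(days=d, hours=23))
    for d in range(0, 28, 2)
]


def _daily(hour, days):
    """Constructed 'real life' events (card swipes, logins, cell hand-offs)
    at the given hour on each of the given day offsets."""
    return [WINDOW_START + timedelta(days=d, hours=hour) for d in days]


# Constructed subscriber records from "cooperating" providers:
#   A: active every day at noon, and at 21:00 only on nights the persona is
#      offline -- the pattern of someone who *is* the persona.
#   B: active every day at noon and 21:00 regardless -- an ordinary user.
#   C: no records at all -- a dormant account that must not rank high
#      merely because it is silent.
SUBSCRIBER_EVENTS = {
    "subscriber_A": _daily(12, range(28)) + _daily(21, range(1, 28, 2)),
    "subscriber_B": _daily(12, range(28)) + _daily(21, range(28)),
    "subscriber_C": [],
}


def in_any_session(ts, sessions):
    """True if timestamp ts falls inside any (start, end) session."""
    return any(start <= ts < end for start, end in sessions)


def hours(delta):
    return delta.total_seconds() / 3600.0


def missing_activity_score(events, sessions, window_start, window_end):
    """How many real-life events 'went missing' during persona sessions.

    The baseline rate is measured outside the sessions; the score is the
    number of events that rate predicts inside the sessions minus the number
    actually observed.  Positive: unusually quiet exactly when the persona is
    active.  Negative: active during sessions, so unlikely to be the persona.
    Zero: no baseline activity at all, so nothing can be concluded.
    """
    session_hours = sum(hours(end - start) for start, end in sessions)
    outside_hours = hours(window_end - window_start) - session_hours
    if outside_hours <= 0:
        raise ValueError("sessions cover the whole window; no baseline")
    inside = sum(1 for ts in events if in_any_session(ts, sessions))
    outside = len(events) - inside
    baseline_rate = outside / outside_hours            # events per hour
    expected_inside = baseline_rate * session_hours
    return expected_inside - inside


def rank_subscribers(subscriber_events, sessions, window_start, window_end):
    """Return [(subscriber, score), ...] from most to least suspicious."""
    scored = [
        (name, missing_activity_score(evts, sessions, window_start, window_end))
        for name, evts in subscriber_events.items()
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_subscribers(SUBSCRIBER_EVENTS, PERSONA_SESSIONS,
                                        WINDOW_START, WINDOW_END):
        print(f"{name}: {score:+.2f} missing events during persona sessions")
```

With four weeks of constructed data, subscriber A accumulates a positive score
(about 2.8 "missing" events), B a strongly negative one, and the dormant C sits
at zero. The signal grows linearly with the number of sessions observed, which
is the quantitative reason behind the advice that follows to change aliases
before the correlation has had months to build up.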
Luckily, performing the type of metadata analysis attack described above takes
time, usually many months. It is very important that you change aliases often,
preferably every three or four months. Shed your old names like a snake sheds
its skin. When you do change your online name, make sure your new identity
cannot be tied back to your old one.

Do NOT launch cyber-attacks from your own computer. Launch attacks only from
hacked servers, servers purchased with washed bitcoins, or free shell accounts.
Certain types of cyber-attacks produce a large amount of traffic over a short
amount of time. If the bandwidth usage of your home network spikes at the same
instant that a government or corporate server is attacked, the time it takes to
deanonymize you is reduced significantly. This is especially true if you launch
multiple attacks on multiple occasions. Launching attacks in this way can be
mentally exhausting. Configuring a new attack server with your tool set every
time your old attack server is banned (an inevitable occurrence) can be a
tedious task indeed. I personally recommend creating a bash script to
automatically install your favorite tools to make this transition process
easier. Most hackers and offensive security professionals use under thirty
non-standard tools to do their job, so configuring a new server with everything
you need should not take very long if you know what you are doing. Consider
equipping your server with Tor and a VNC server (for tools that require GUIs,
such as most popular intercepting proxies) as well.

(6) Archaeological:

You must ensure that there is no forensic evidence of your actions, digital or
otherwise. If the government breaks into your house and rummages through your
things, they should find nothing interesting. Make sure that you never make any
physical notes pertaining to your hacktivist activities. Never keep any
computer files pertaining to your hacktivist activities in your home. Keep all
of your compromising files, notes, scripts, unusual attack tools (the ones
that cannot be installed with apt-get or the like), and stolen information in
the cloud. It is recommended that you keep all of your files backed up on
multiple free cloud storage providers so that in the event that one of the
providers bans your account you still have all of your data. Do not name your
cloud accounts in such a way that they can be connected back to your online
persona. Never, under any circumstances, mention the names or locations of your
cloud accounts to the people you work with. Always hit the “Use New Identity”
button on your Tor control panel after accessing your cloud storage solutions.
Every time you shed your old alias, shed your old cloud accounts.


Security of Communications

The majority of hacktivists I have met communicate via public IRC. Using IRC is
fine for meeting other hacktivists, but as soon as you muster a team of other
hacktivists who wish to attack the same target as you, move to another, more
secure form of communication. Some means of communication are more secure than
others, but completely secure communication does not exist. The following
guidelines are meant to work in conjunction with the personal security
guidelines that were discussed in the previous section. If proper personal
security measures are implemented effectively, compromised communication will
result in operational failure at worst and not complete deanonymization. Since
operational failure may very well set you and your cause back several months,
it is in your best interest to attempt to communicate securely:

        * Remember that any of the people you meet on the clearnet, deep web,
          or public IRC channels who claim to be on your side could actually
          be government agents trying to sabotage your operations.

        * If possible, communicate mainly via privacy-friendly email accounts
          (not Gmail, Yahoo, AT&T, etc.) and encrypt all of your messages with
          PGP. When a cyber-attack is being carried out it is often necessary
          to be able to communicate with your accomplices instantaneously.
          Since encrypting, sending, receiving, and decrypting messages by hand
          takes time, using PGP in time sensitive situations like this is not
          feasible. If you have to confer in an IM environment, use a program
          like TorChat, which passes messages directly between Tor hidden
          services rather than through a central server, so that they are
          encrypted inside Tor end to end and still arrive instantly.

        * Use strong passwords for all of your online accounts. The best way to
          make a strong password is to pick eight or nine words at random from
          a large word list (with dice or a cryptographic random number
          generator, never words you think of yourself) and string them
          together. Passphrases like this are easy to remember but hard to
          guess.

        * Never give away any personal information (such as country, interests,
          hobbies, health, etc.) or give insight into your feelings or
          emotions. Your fellow hacktivists are not your friends and should
          never be talked to as such. Giving away this sort of information will
          make tracking you easier.

        * When you receive messages, do not retain them, even if they are
          encrypted. Read them, make note of any hard to remember details
          (like long server passwords, for example), and then delete them.
          Having a mile long digital paper trail cannot lead to anything good.
          In some cases deleted messages on email servers can be recovered via
          computer forensics, but deleting messages quickly may reduce the odds
          that they can be.

        * When typing messages, do so in a text editor on your computer.
          Never write your message inside of a communication program (such as
          an online email client, forum PM box, etc.). People have been known
          to accidentally send unencrypted messages before. The effects of such
          an error can be devastating.

        * If you find yourself writing large swaths of text intended for public
          release (like essays or manifestos) use a tool like Anonymouth to
          obscure your writing style. Your writing style is as unique as a
          fingerprint and can be used to identify you.

        * Never, under any circumstances, execute a file on your computer or on
          your server that has been given to you by a fellow hacktivist. You
          should never run into a situation where doing this is necessary.

        * Do not disclose information about your involvement in previous
          hacktivist operations to people who were not also part of the same
          operation.

        * If one of the people that you are working with gets captured, assume
          that the people who have captured them know everything that they do.

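The "eight or nine random words" advice in the list above only holds if the
words are drawn uniformly by a proper random source from a large list; the
strength is a function of the list size, not of how odd the words look. The
following is an added example, not from the original essay: a generator in the
diceware style using Python's secrets module, with the entropy arithmetic
alongside it. The 64-word list is constructed for the demonstration; a real
list such as the EFF long list has 7,776 entries.

```python
# Added example (not from the original essay): random-word passphrases and
# the entropy they actually carry.  The word list below is a constructed
# 64-entry sample; real lists are far larger.
import math
import secrets

# Constructed sample list: 64 unique words, so 6 bits per pick.
SAMPLE_WORDS = (
    "apple banana cactus dragon eagle falcon garden harbor island jacket "
    "kettle lantern meadow needle orange pepper quartz rabbit saddle tunnel "
    "umbrella velvet walnut yellow zebra anchor bridge candle desert engine "
    "forest glacier hammer iron jungle kernel ladder marble north ocean "
    "planet quiver river shadow timber unicorn valley window xenon yarn "
    "zipper arrow basket copper dawn ember flame grove honey ivory jewel "
    "kite lemon moon"
).split()


def entropy_bits(num_words, list_size):
    """Entropy of num_words picked uniformly and independently from a list
    of list_size entries: num_words * log2(list_size)."""
    if list_size < 2 or num_words < 1:
        raise ValueError("need at least two words to pick from and one pick")
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of words that reaches target_bits with this list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words=8, words=SAMPLE_WORDS, sep=" "):
    """Pick num_words with secrets.choice (a CSPRNG), never random.choice.
    Duplicate entries are rejected because they bias the selection."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate entries make some words more likely")
    return sep.join(secrets.choice(words) for _ in range(num_words))


def is_from_list(passphrase, words=SAMPLE_WORDS, sep=" "):
    """True if every token of passphrase is an entry of the word list."""
    allowed = set(words)
    return all(tok in allowed for tok in passphrase.split(sep))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{entropy_bits(8, len(SAMPLE_WORDS)):.1f} bits from this 64-word list")
    print(f"{entropy_bits(8, 7776):.1f} bits from a 7,776-word list")
    print(f"{words_needed(80, len(SAMPLE_WORDS))} words needed for 80 bits here,")
    print(f"versus {words_needed(80, 7776)} with the larger list")
```

Eight words from the 64-entry sample give only 48 bits, while eight words from
a 7,776-entry list give about 103 bits; to reach 80 bits you need 14 words from
the small list but 7 from the large one. A phrase you compose yourself has no
such guarantee, because the adversary can model how people choose words.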

Philosophy of Attacking

The hacktivist community, like every community, has its own unique set of
philosophical musings, taboos, and dogmas. While I do not advocate the severe
alteration of the principles and philosophies on which the community was built,
I do wish to point out a number of flaws in certain aspects of their
composition. These flaws serve only to hold back the community and should be
openly discussed.

(1) When hacktivists target an organization, their goal is more often than not
to force said organization to stop functioning permanently, or at least for the
longest time possible, in an effort to stall unjust actions from being carried
out or to seek retribution for unjust actions done in the past. Leaking
databases, doxing influential individuals, defacing websites, and launching
massive DDoS campaigns, four of the modern hacktivist community's favorite
activities, accomplish this goal, to an extent. Infiltrating a target
organization and sowing discord within its ranks is orders of magnitude more
effective than leaking credit card numbers or putting a CEO's social security
number on Pastebin, yet it is rarely, if ever, considered to be a viable course
of action. Subtly and silently fostering suspicion and distrust inside of your
target will have a longer lasting impact than simply pointing out that its
security policy has some weak points.

(2) Hacktivists crave publicity, yet they are the most effective when they
operate undetected. Stay hidden. Although it may seem tempting at times, do not
destroy large amounts of information on your target's computers or servers.
Doing so will announce your arrival inside of your target's network rather
loudly. Flashy, public displays of power have no place in the hacktivist
community. Just because you are hiding behind Tor does not mean that you should
not make an effort to cover your tracks. Conceal your attack not to mask your
identity, but to convince your target that no attack was carried out in the
first place.

(3) Once your hacktivist collective has decided to attack an organization,
strike fast and strike hard. Overwhelm your target. A well disciplined and well
organized team of attackers can penetrate most networks within a few hours.
Far too often I have seen hacktivist collectives declare all out war on someone
and then attack them slowly and gain entry into their network days, sometimes
even weeks, later. By attacking slowly, you give your target time to react and
strengthen their defenses. Detecting an attack from a large hacktivist
collective is a trivial task, but as history has shown, detecting the presence
of one inside of a network, especially a large network, can be tricky.

(4) Cyber-attacks seldom go as planned. If you are attempting to do anything
that involves the coordination of more than two people, keep this in mind. It
is not uncommon for tools to stop working in the middle of an attack. It is not
uncommon for reverse shells to die unexpectedly. It is not uncommon for
seemingly simple actions to take hours to perform. You must be ready to think
on your feet and quickly adjust your attack plan to accommodate the ever
changing conditions within the network you are attacking. Predefined
contingency plans are mostly useless.

(5) Remember that no system is impenetrable. On more than one occasion I have
seen hacktivists give up on trying to infiltrate a target network because their
Nessus scan did not yield any useful results. As a hacktivist, you are not
bound by the typical constraints of a pentester. If you cannot successfully
attack a website, try attacking its hosting provider. Try attacking the
administrator's email account. Try going after random social accounts belonging
to the administrator's family. Try planting iframes in websites you suspect the
administrator frequents in an effort to infect him. If you cause extensive
collateral damage, who cares? It is not your problem. Sometimes the ends
justify the means. Be creative.

(6) Many hacktivists possess unrealistic, self-constructed mental images of the
ideal cyber-attack. In the majority of these movie-induced delusions, the ideal
attack utilizes numerous 0days, an arsenal of home made tools, and highly
advanced, unimaginably complex network intrusion techniques. In reality, this
type of thinking is incredibly dangerous and causes some hacktivists to attempt
to perform convoluted, elaborate attacks to gain the respect of their peers.
When breaking into highly secured networks, such attacks only draw unnecessary
attention. The best attacks are the ones that work. They are usually simple and
take little time to execute. Using sqlmap to spawn a shell on your target's
server by exploiting a flaw in their website's search feature is a viable, if
not ideal, attack. It allows you to access the inside of your target's network.
Exploiting a vulnerable FTP daemon on one of your target's servers using public
exploit code is a viable, if not ideal, attack. It allows you to access the
inside of your target's network. Using Metasploit in conjunction with a fresh
Gmail account to launch a phishing campaign against your target's employees is
a viable, if not ideal, attack. It allows you to access the inside of your
target's network. The media hates it when hacktivists use open source software
to do their work. Whenever a hacker or hacktivist is arrested for doing
something that involved using “someone else's” tools, they are publicly
shamed. “Anyone could have done that,” they say. “He's just an unskilled script
kiddie,” they say. Claiming that someone is less of a hacker solely because they
partially depend on someone else's code borders on absurd. It amounts to
claiming that Picasso is a bad artist because he did not carve his own brushes,
synthesize his own paints, and weave his own canvas. Do not shy away from using
open source tools and publicly available information to accomplish your goals.
Hacking is an art, and nmap is your brush.

Organization and Formation

Most of the hacker and hacktivist groups I have observed are unorganized and
undisciplined. They claim to perform actions as a collective, yet when it comes
time to actually launch an attack they attempt to infiltrate their targets as
individuals, each member launching attacks of their own without making the
faintest attempt to coordinate their actions with others. Here I shall describe
a schema that could be easily adopted by any hacktivist collective to allow it
to facilitate highly coordinated attacks involving large numbers of attackers
with great ease. It will be presented as a series of steps.

Step One: Organize yourselves into multiple small groups. These groups shall be
referred to as strike teams. The ideal strike team is composed of three parts
attack specialists, two parts social engineering specialists. Attack
specialists should at least be able to identify and competently exploit
potential vulnerabilities in websites and be able to exploit vulnerable or
misconfigured services. Social engineering specialists should have at least
some real world experience before participating in a strike team. Attack
specialists should only concern themselves with launching attacks and social
engineering specialists should only concern themselves with social engineering.
Well-defined roles are the key to a strike team's success. This configuration
will often create an abundance of social engineering specialists, and that is
perfectly acceptable. Having the capability to immediately launch multiple well
planned social engineering campaigns is crucial. The size of a strike team
will be determined by the skill of its members. Highly skilled individuals
should work in very small strike teams (five member teams are acceptable)
whereas unskilled individuals should work in larger strike teams (up to a few
dozen). The organization of strike teams should be coordinated as a collective.
No one person should be given the authority to sort people themselves. Strike
teams should function as “sub collectives” and be autonomous. Hacktivist
collectives are composed of people around the world, most of whom cannot be
online all the time. This means that all strike teams should set themselves up
knowing that their members will come online and go offline and that it is
possible new members will have to be annexed at a later time.

Step Two: Within each strike team, agree upon a stratagem: a broad, realistic,
nonspecific plan of action that aims to accomplish one, very specific goal.
Strike teams should only execute one stratagem at a time. Multiple strike teams
within the same hacktivist collective can execute different stratagems at the
same time in an effort to accomplish some sort of final goal (perhaps to
destabilize an organization or to acquire trade secrets). The next section of
this essay is devoted solely to exploring the concept of stratagems and how to
best form and use them. Strike teams should be allowed to do what they want,
but their initial stratagem should be approved by the collective so that no two
strike teams attempt to do the same thing at the same time.

Step Three: As a strike team, map your target's attack surface. If multiple
strike teams are all attacking the same network, they should share information
very closely in this step. It is very possible that multiple strike teams
working together to accomplish the same goal could actually be attacking
different networks, in which case mapping should be done within individual
strike teams. Each member of a given strike team should attempt to map the
target network themselves, and then members should compare information. It is
very unlikely that anything will be overlooked by every single member of the
team.

Step Four: Divide your target network up into manageable chunks and assign
certain individuals within your team to each one of those chunks. Efficient
division of labor is key to launching speedy attacks. Here is an example
involving a network composed of four servers (two SQL servers, a DNS server,
and a web server hosting a feature rich corporate site) and a strike team
composed of six attack specialists and four social engineering specialists:

        * Have one attack specialist attack the SQL and DNS servers.

        * Have one attack specialist attack the website's multistage user
          registration mechanism and login mechanism.

        * Have one attack specialist attack the contact and session management
          mechanism.

        * Have one attack specialist attack any forms not assigned to other
          attack specialists as well as any other potentially exploitable
          scripts, pages, or mechanisms.

        * Have one attack specialist and two social engineering specialists
          attempt to launch some sort of phishing campaign against the
          company's employees.

        * Have one attack specialist and two social engineering specialists
          attempt to convince the company's hosting provider that they are the
          rightful owners of the company's four servers and have been locked
          out of their email account.

Step Five: Drill yourselves. This step is optional but highly recommended.
Procure a server with a large amount of RAM and multiple processors. Have one
member of your strike team set up a virtual network on it that, to the best of
your knowledge, mimics the network you are planning to attack. This one team
member should not participate in the drills themselves, and they should not
give other team members details pertaining to the virtual network. If you are
planning on attacking a large corporation, set up the virtual network like a
large corporate network with a labyrinth of firewalls, routers, switches, and
domain controllers. If you are planning on attacking a small corporation or
home business, set up your network accordingly. You should never have to
virtualize more than 12 workstations, even if your team is doing a complex
pivoting exercise. As a group, attempt to break into your virtual network and
execute your stratagem. The virtual network should be deliberately
misconfigured so that there is a way for your team to infiltrate it and
accomplish their simulated goal, but the misconfigurations should be extremely
subtle. The team should have to work very hard to find them. Run multiple
drills. After each drill, the misconfigurations in the network, and potentially
the layout of the network itself, should be altered to force your team to
attack it in a different way or to exercise a different skill. The purpose of
these drills is twofold. Firstly, they allow your team members to get
accustomed to working together. Secondly, they will prepare your team for the
day when they actually go up against your real target network.

Step Six: Execute your stratagem on your target network. Your strike team
should attack methodically and silently. Every member should know what they
need to do and how they need to do it. No mistakes should be made. Every tool
you use should be well honed and function flawlessly. Not a second should be
wasted. Use time to your advantage. Your target organization will be the most
unprepared for an attack in the middle of the night when all of its IT staff
are at home sound asleep. If your stratagem calls for being embedded in your
target network for a long period of time, tread very lightly once you
infiltrate it.

Interlocking Stratagems in Theory

In this section I will give multiple examples of stratagems that an actual
strike team could make use of. You should combine multiple stratagems to
accomplish your ultimate goal. Individual stratagems are like pieces of a
jigsaw puzzle, and are intended to be pieced together. A strike team should
execute multiple stratagems in succession, possibly in cooperation with other
strike teams in an effort to accomplish a common goal. This section is not
intended to be a playbook. I encourage you to build off of my stratagems or,
better yet, devise your own. Some stratagems are:

(1) Collect information on individuals within the target organization. Mount a
phishing campaign against the organization and gain access to as many
workstations as possible. Once you have breached its network, do not pivot.
Attempt to locate any useful information on the workstations you have
compromised, and then remain in the network for as long as possible doing
nothing more than idly gathering intelligence.

(2) Take complete or partial control over the target organization's main means
of communication (usually email). Review a few of their messages and learn how
they are structured and formatted. Then, send a number of blatantly false
messages to one or more members of the organization using the credentials of
another member of the organization. Multiple false messages should be sent over
some period of time. When members of the organization begin to receive false
messages from their colleagues, distrust will begin to take root.

(3) Take complete or partial control over the target organization's main means
of communication (usually email). Review a few of their messages and learn how
they are structured and formatted. Then, devise some way to intercept and
inspect or modify messages in transit within the target organization
(essentially, perform a man in the middle attack). Every once in a while, alter
a message in a subtle but disruptive way. Perhaps change a date or a time so
certain individuals do not arrive at their meetings on time or do not arrive at
all. Once you have reason to believe that your modifications have taken their
toll (i.e. the person you targeted missed their meeting), undo the changes you
made to the message you intercepted so upon audit it appears as though the
message was never tampered with. Doing this is usually hard to detect and will
slowly cause the target organization to destabilize itself as tensions between
individuals within it begin to rise and their employees begin to question their
own sanity.

(4) Take complete or partial control over the target organization's main means
of communication (usually email). Review a few of their messages and learn how
they are structured and formatted. Use the credentials of a high ranking
individual within the target organization to distribute a message that appears
to be from them that claims a terrible tragedy has occurred that warrants an
immediate, brash, resource intensive response from the rest of the
organization. You will most likely not be able to pull this off more than once.
This stratagem works especially well against militant groups with poorly
defined command structures but has other applications as well.

(5) Once inside of the target organization's network, acquire a small amount of
classified data intended for the eyes of high ranking personnel only.
Strategically plant the data on the computer of one or more lower ranking
individuals. Make it look like an espionage attempt. If many key individuals
within the target organization are accused of trying to siphon out its secrets,
it will be forced to suspend a large portion of its operations while an
investigation is done.

(6) Use a DDoS attack to disrupt the target organization's communications for a
short period of time when they are most in need of it. For a corporation, this
could be during an important international Skype call. For a government, this
could be immediately following a devastating attack from an insurgency group.
Doing this will cause panic, which will make the target organization
temporarily more susceptible to other kinds of attacks.

(7) Pose as a legitimate company selling legitimate software and befriend the
target organization. Create a piece of software with a very hard to detect
security flaw in it and sell it to them. The flaw could be as simple as a
poorly implemented encryption library or as complex as an insecure multistage
parsing algorithm. It must be incredibly subtle. So subtle that if it is
detected you will be able to write it off as unintentional. It should be
plausibly deniable. Once the target organization installs the vulnerable
software on their machines, leverage it to perform targeted attacks on key
individuals within it. Do not use it to infect entire subnets, as that will
draw too much attention.

(8) Locate a small software provider your target organization already does
business with and infiltrate their network by using other stratagems. Modify
their source code slightly so that their software becomes vulnerable to remote
attack. Do not modify just any code you come across; study the software
provider's development process and target code that has already been checked
for bugs and is days away from being released to customers. When the target
organization installs the latest version of software from the company that you
have infiltrated, they will become vulnerable. Leverage this vulnerability to
perform targeted attacks on key individuals within the target organization. Do
not use it to infect entire subnets, as that will draw too much attention.

(9) Locate a small software provider your target organization already does
business with and infiltrate their network by using other stratagems. Most
software companies offer rewards to security researchers who find
vulnerabilities in their products. Determine how reported vulnerabilities are
managed by the company you have infiltrated and devise a way to monitor them
in real time. As soon as a security researcher reports a major vulnerability
in a product your target organization uses, use it to perform targeted attacks
on key individuals within it. Do not use it to infect entire subnets, as that
will draw too much attention.

(10) Using other stratagems, infiltrate the computers of a number of influential
individuals within the target organization. Monitor their activity constantly
and closely. If possible, listen to them through their computer's microphone.
When you believe that one of them has left their computer, undo things they
have just done. Delete the last sentence they wrote. Hit the back button on
their web browser. Close the program they just opened. Over time, this will
lead them to question their sanity.

(11) Using other stratagems, infiltrate the computers of a number of influential
individuals within the target organization. Most modern governments and
corporations are at least partially corrupt. Find evidence of this corruption
and use it to compel one or more of these influential individuals to aid your
cause. If you are unable to find any evidence of corruption, do not be afraid
to bluff. If you make a mysterious window pop up on, say, a CFO's computer that
alludes to some sort of dirty secret, it is very possible that the CFO will
assume that the hacker who caused the window to appear knows something about
them that they actually do not. A lot of powerful people have skeletons in the
closet. The media has instilled a fear of hackers into the general populace,
and this fear can be used to your advantage. Most normal people, upon being
confronted by a hacker that has gained complete control of their computer, will
be inclined to believe plausible sounding white lies. Having an “inside man”
within your target organization can be extremely useful.

Interlocking Stratagems in Practice

In this section I shall present an example of a plausible situation that could
warrant the involvement of hacktivists and a corresponding attack loosely built
upon the stratagems from the last section. I have tried to make the situation
realistic, but it is very likely that if you use my writing to plan and execute
your own attack it will play out nothing like the attack depicted below. Most
actual attacks are far more complex than the one presented here. The purpose
of this example is to demonstrate the way in which multiple strike teams should
work together. Notice how at all times each team has one or more specific
goals.

Situation: A hacktivist collective has decided to attack the terrorist
organization Bina Al-ar-mal after they captured and executed a tourist in
Syria. Bina Al-ar-mal is believed to consist of over 40,000 people, has
hundreds of public Twitter feeds and Facebook accounts, and runs a small
terrorist news site hosted on a Russian server. It has three known leaders,
whom we shall refer to as Head Terrorist 1, Head Terrorist 2, and Head
Terrorist 3. Twenty-seven hacktivists have joined the effort. They have been
split into three teams: team 1 consists of five of the most highly skilled
hacktivists, team 2 consists of seven moderately skilled hacktivists, and team
3 consists of fifteen amateur hacktivists.

Timeline:

(Day 1, Hour 1) Team 1 is initially tasked by the collective with infiltrating
as many terrorist Twitter and Facebook accounts as possible. The team starts
enumerating the accounts immediately. They decide that no drill will be
executed, as breaking into Facebook and Twitter accounts is a trivial task.

(Day 1, Hour 1) Team 2 is initially tasked by the collective with infiltrating
the web hosting provider hosting the terrorist group's website. They begin
reconnaissance.

(Day 1, Hour 1) Team 3 is initially tasked by the collective with attacking
Bina Al-ar-mal's website directly. They begin to map the website.

(Day 1, Hour 2) Team 1 finishes enumerating the terrorist Facebook and Twitter
accounts. They begin attempting to break into them.

(Day 1, Hour 2) Team 3 finishes mapping Bina Al-ar-mal's website and begins to
attack.

(Day 1, Hour 3) Team 1 has breached a few terrorist Facebook and Twitter
accounts. After examining their contents they determine that the terrorists
are using the SpookyMail email service to communicate off of social media. A
few terrorist email accounts are identified and the team begins to try to break
into those as well.

(Day 1, Hour 3) Team 3 gains read/write access to a limited portion of the
server Bina Al-ar-mal's website is hosted on. The other teams are alerted.
They set up a simple PHP-based IP logger script to capture the IP addresses of
Bina Al-ar-mal members attempting to check their organization's news feed.

(Day 1, Hour 6) Team 2's reconnaissance ends. They have located the web hosting
provider and gathered information on said provider's website and servers. They
begin attacking them.

(Day 1, Hour 7) Team 1 breaches their first few terrorist email accounts.

(Day 1, Hour 9) Team 2 locates a vulnerability in the terrorists' web
hosting provider's website. They are not able to fully compromise any of their
servers, but they are able to get a list of customer names, domain names, and
billing addresses by exploiting a flaw in the website's shopping cart feature.
Upon inspecting the list, they discover that the person paying Bina Al-ar-mal's
hosting bill has a British billing address. The other teams are alerted and
Scotland Yard is notified of the terrorist threat immediately.

(Day 1, Hour 23) Team 1 is able to get Head Terrorist 1's email address off of
the “contact” pane of one of the hacked terrorist email accounts. They make
ready for a spear phishing attack against him, but decide to wait some time to
launch it, as it is currently the middle of the night where Head Terrorist 1 is
believed to be.

(Day 2, Hour 3) Team 3 has gathered over seven thousand IP addresses of people
viewing Bina Al-ar-mal's news feed and tries to attack them all using known
router vulnerabilities. When all is said and done they have infected
thirty-seven routers and forty-six workstations. They determine that
thirty-four of these workstations belong to active members of Bina Al-ar-mal.
They observe these workstations passively, hoping to gather information. The
other two teams are briefed on their success.

(Day 2, Hour 8) Team 1 launches a spear phishing attack against Head Terrorist
1 using the hacked email account of another terrorist.

(Day 2, Hour 9) Team 1's spear phishing attack against Head Terrorist 1 is a
success. They now have full control over his Windows XP laptop and inform the
other two teams of their success. After searching the laptop's hard drive and
downloading a half gigabyte of confidential documents and IM logs, the team
decides to plant a PDF of the Christian Bible on it along with some
real-looking fake papers from the CIA. After gleaning Head Terrorist 2's and
Head Terrorist 3's email addresses from the stolen IM logs, the team sends them
both emails from the hacked email account of a lower level terrorist claiming
that Head Terrorist 1 is dirty.

(Day 2, Hour 9) Team 3 decides to take the sensitive information stolen from
Head Terrorist 1's computer by Team 1 along with other fake CIA documents and
place it on all thirty-four of the terrorist workstations they control. They
use a hacked email account belonging to an uninvolved terrorist to inform Head
Terrorist 2 and Head Terrorist 3 that Head Terrorist 1 is a traitor and he has
at least thirty-four moles inside of their organization, all of whom they
mention by name.

(Day 2, Hour 10) Head Terrorist 1's laptop is searched by security forces under
the control of Head Terrorist 2. Head Terrorist 1 is determined to be part of
the CIA and is placed into a cell to be used as leverage against the United
States.

(Day 2, Hour 17) Head Terrorist 2 and Head Terrorist 3 raid all thirty-four of
the suspected moles and find the planted documents. They begin to interrogate
all thirty-four of them in order to find out how deep the CIA has penetrated
their organization. None of them know anything but most of them make up
real-sounding false information to make the interrogations end.

(Day 3, Hour 3) Team 1 determines that most remaining Facebook and Twitter
accounts cannot be breached. Several team members leave and a few stick around
to try and finish off the remaining accounts.

(Day 6, Hour 17) Scotland Yard arrests the person allegedly paying for Bina
Al-ar-mal's web hosting. It is later determined that the person is actually
part of a London-based Bina Al-ar-mal cell.

(Day 6, Hour 20) Team 2 destroys Bina Al-ar-mal's website after catching word
of the Scotland Yard raid.

End Result: One of three head terrorists is being held by their own
organization as a traitor and thirty-four unrelated terrorists are being held
by their own organization and brutally interrogated about actions they did not
commit. One terrorist is in the custody of Scotland Yard, and a British
terror cell has been exposed. Bina Al-ar-mal's entire communication network is
compromised (but they do not know that yet), and their website has been taken
offline permanently. All members of Bina Al-ar-mal are now becoming
increasingly suspicious of their fellow members and the hacktivist collective
is now in a position to launch further attacks on Bina Al-ar-mal (using the
compromised email and social media accounts) at a later time. This has all been
accomplished in under a week.

________________________________________________________________________________

                        My public key is available here:

                 SHA1: cb36db996bb684e569663ca7b0d93177ecc561be

                          Grab it while you still can.

________________________________________________________________________________

Disclaimer: All information provided in this document is for educational
purposes only. The ideas presented here are solely academic and should never be
acted upon or put into practice. The author of this document will not be held
responsible in the event any criminal or civil charges be brought against any
individuals misusing the information in this document to break the law.
