Where did you learn to hack

Hack Back! A do-it-yourself guide for those who don't have the patience to wait for whistleblowers

This guest post was first published on Pastebin by @GammaGroupPR, the Gamma FinFisher hacker. Many thanks to Kilian for the translation.

1. Introduction

I'm not writing this to show what a cool hacker I am and what formidable skills I used to expose Gamma. I'm writing this to demystify hacking and to show how simple it is, and hopefully to educate and inspire you to get out there and hack. If you have no programming or hacking experience, some of this text will seem like a foreign language to you. Check out the resources and materials section at the end to help you get started. And believe me, once you've learned the basics, you'll realize that it's really easier than filing a Freedom of Information request.

2. Stay safe

This is illegal, so you need to take a few basic precautions:

  1. Create a hidden, encrypted partition with Truecrypt 7.1a.
  2. Install Whonix on the encrypted partition.
  3. (Optional) It should probably be sufficient to run everything through Tor with Whonix. However, it is better not to use an internet connection that is linked to your name and address. An antenna, aircrack and reaver can come in handy here.

As long as you use your common sense - that is, never do anything hacking-related outside of Whonix, never do your normal computer use within Whonix, never mention information about your real life when talking to other hackers, and never brag about your illegal hacking to friends in real life - then you can do pretty much anything you want without fear.

NOTE: I recommend NOT hacking directly through Tor. Tor is useful for things like surfing the Internet, but hacking tools like nmap, sqlmap and nikto make thousands of requests, which run very slowly through Tor. You will also want a public IP address to receive "connect back" shells. I recommend hacking through servers that you have hacked or through a virtual private server (VPS) that you paid for with Bitcoin. Only the text interface, which needs little bandwidth, runs between you and the server via Tor; all the commands you carry out go over a nice, fast connection to your target.

3. Explore the target

Basically I just keep running fierce, whois queries on IP addresses and domain names, and reverse whois queries until I have found all the IP ranges and domain names associated with an organization.

Take Blackwater as an example: we start out knowing that their homepage is at academi.com. If we run "fierce.pl -dns academi.com", we find these subdomains:

  67.238.84.228 email.academi.com
  67.238.84.242 extranet.academi.com
  67.238.84.240 mail.academi.com
  67.238.84.230 secure.academi.com
  67.238.84.227 vault.academi.com
  54.243.51.249 www.academi.com

Now we do whois queries and find that www.academi.com is hosted on Amazon Web Services, while the other IPs are in the following range:

  NetRange: 67.238.84.224 - 67.238.84.255
  CIDR: 67.238.84.224/27
  CustName: Blackwater USA
  Address: 850 Puddin Ridge Rd

A whois query on academi.com also reveals that it is registered at the same address, so we use that as the search string for the reverse whois lookup. As far as I know, all real reverse whois services cost money, so I just cheat with Google:

  "850 Puddin Ridge Rd" inurl:ip-address-lookup
  "850 Puddin Ridge Rd" inurl:domaintools

Now run "fierce.pl -range" over the IP ranges to look up DNS names and "fierce.pl -dns" over the domain names to find subdomains and IP addresses. Do more whois queries and repeat the process until you have found everything.

Also, just google the organization and browse their website. For example, on academi.com we find links to a career portal, an online shop, and an employee information page, so we now have a few more:

  54.236.143.203 careers.academi.com
  67.132.195.12 academiproshop.com
  67.238.84.236 te.academi.com
  67.238.84.238 property.academi.com
  67.238.84.241 teams.academi.com

Repeating the whois and other queries shows that academiproshop.com does not appear to be hosted or maintained by Blackwater, so you can cross it off the list of IPs/domains of interest.

In the case of FinFisher, it was simply a whois query on finfisher.com that led me to the unprotected site finsupport.finfisher.com, because it was registered under the same name, "FinFisher GmbH". If you google for "FinFisher GmbH" inurl:domaintools you will find gamma-international.de, which in turn redirects to finsupport.finfisher.com.

... Now you have a rough idea of how I scout a target.

This is actually one of the most important parts, because the larger the attack surface you uncover, the easier it will be to find a hole somewhere in it.

4. Scanning & Exploiting

Scan all the IP ranges you found with nmap to find all running services. In addition to a standard port scan, scanning for SNMP is underrated.

Now, for every running service you find:

  1. Is it revealing something that it shouldn't? Sometimes companies run services that do not require authentication and assume they are secure because the URL or IP to reach them is not public. Maybe fierce found a git subdomain and you can go to git.companyname.com/gitweb/ and look at the source code.
  2. Is it horribly misconfigured? Maybe there is an FTP server that allows anonymous read or write access to an important directory. Maybe they have a database server with a blank admin password (lol Stratfor). Perhaps their embedded devices (VoIP boxes, IP cameras, routers, etc.) still use the manufacturer's default password.
  3. Is it running an old version of software that is vulnerable to a public exploit?

Web servers deserve a category of their own. For all web servers, including those that nmap often finds on non-standard ports, I usually do the following:

1) Click through in the browser. Especially on subdomains that Fierce finds that are not intended for the public, such as test.company.com or dev.company.com, you can often find interesting things just while surfing.

2) Use nikto. It checks for things like webserver/.svn/, webserver/backup/, webserver/phpinfo.php, and a few thousand other common bugs and misconfigurations.

3) Find out what software is used on the website. WhatWeb is useful.

4) Depending on which software the website is running, use more specific tools such as wpscan, CMS-Explorer and Joomscan.

First try this on all services to see if there is any misconfiguration, publicly known security vulnerability or other easy access. If not, it's time to find a new vulnerability:

5) Custom web apps are more fertile ground for bugs than large, widespread projects, so try there first. I use ZAP, a combination of its automated tests along with manual poking with the help of the intercepting proxy.

6) Obtain a copy of the non-custom software they are using. If it's free software, you can just download it. If it's proprietary, you can usually pirate it. If it's proprietary and so obscure that it can't be pirated, you can buy it (lame) or go to Google and find another website that uses the same software and is easier to hack, and get a copy from there.

For finsupport.finfisher.com the process was as follows:

  • Let nikto run in the background.
  • Go to the website. Look for a login page. Quickly check the login form for SQLi.
  • See if WhatWeb knows what software the website is running.
  • WhatWeb doesn't know it, so the next question I want to answer is whether it's a Gamma in-house website or whether there are other websites running the same software.
  • I look in the source code of the page and find a URL to search for (index.php is not really unique to this software). I take Scripts/scripts.js.php and google: allinurl:"Scripts/scripts.js.php"
  • I find a handful of other sites using the same software, all written by the same little web design company. It looks like each website is individually programmed, but they share a lot of source code. So I hack a few to get a collection of the web design company's code.

At this point I can see the reports of the journalists in front of me, who write exaggeratedly: "In a sophisticated, multi-stage attack, the hackers first compromised a web design company in order to obtain confidential data, which then helped them to attack the Gamma Group ..."

But it's actually pretty easy to perform almost on autopilot once you get the hang of it. It only took a few minutes to:

  • Google allinurl:"Scripts/scripts.js.php" and find the other websites.
  • Find that they are all vulnerable to SQL injection in the first URL parameter I try.
  • Realize that they all run Apache ModSecurity, so I have to use sqlmap with the option --tamper='tamper/modsecurityversioned.py'.
  • Obtain the admin login data, log in, upload a PHP shell (the check for allowed file name extensions was done in JavaScript on the client side) and download the source code of the website.

Looking at the source code, I realize that you could have called it Damn Vulnerable Web App v2. It has SQL injection, local file inclusion, the file upload check is done by the client in JavaScript, and if you are not authenticated the admin page simply sends you back to the login page with a Location header, which you can simply strip out with an intercepting proxy, and access works perfectly.

Back on the finsupport page, the admin page /BackOffice/ replies with "403 Forbidden" and I have some problems with local file inclusion, so I switch to SQL injection (it's nice to have a dozen options to choose from). The other websites by the web designer all had a print.php that you could inject your own database commands into, so I make a couple of quick queries:

  https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
  https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

They show that finsupport also has this print.php and that it is vulnerable. And it has admin rights in the database! For MySQL that means you can read and write files. It turns out the page has magic_quotes enabled, so I can't use INTO OUTFILE to write files. But I can write a short script that:

  • uses sqlmap --file-read to get the PHP source code of a URL
  • makes a normal web request to get the HTML
  • finds files that are included or required in the PHP source code
  • finds PHP files that are linked in the HTML

... to recursively download the source code of the entire website.
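The two print.php requests above are the classic boolean pair: the true comparison returns the normal page, the false one returns something different, and that difference is exactly what stands out in a web server's access log. As an added example that is not part of the original post, this Python script looks for that pattern in Apache combined-log lines; the log lines are constructed sample data, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2014:10:12:01 +0000] "GET /GGI/Home/print.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2014:10:12:03 +0000] "GET /GGI/Home/print.php?id=1%20and%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2014:10:12:05 +0000] "GET /GGI/Home/print.php?id=1%20and%202%3D1 HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Aug/2014:10:13:00 +0000] "GET /GGI/Home/print.php?id=42 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Aug/2014:10:14:00 +0000] "GET /GGI/Home/print.php?id=1'%20or%20'1'%3D'1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# A boolean comparison glued onto a parameter value: "and 1=1", "or '1'='1".
VALUE = r"(\d+|'[^']*'?)"
TAUTOLOGY = re.compile(r"\b(and|or)\b\s*\(?\s*" + VALUE + r"\s*=\s*" + VALUE, re.I)

def parse_line(line):
    """Split a combined-log line into client, path, decoded query parameters,
    status and response size; None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status, size = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "path": url.path, "status": int(status),
            "size": 0 if size == "-" else int(size),
            "params": parse_qsl(url.query, keep_blank_values=True)}  # percent-decodes

def scan_log(text):
    """One 'tautology' finding per request whose parameter carries a boolean
    comparison, plus one 'pair' finding when the same client sends a true and a
    false comparison to the same path/parameter and gets different-sized replies."""
    findings, sizes_by_key, paired = [], {}, set()
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for name, value in req["params"]:
            m = TAUTOLOGY.search(value)
            if m is None:
                continue
            truth = m.group(2).strip("'") == m.group(3).strip("'")
            findings.append({"type": "tautology", "ip": req["ip"], "path": req["path"],
                             "param": name, "value": value, "true": truth})
            key = (req["ip"], req["path"], name)
            sizes = sizes_by_key.setdefault(key, {})
            sizes[truth] = req["size"]
            if key not in paired and len(sizes) == 2 and sizes[True] != sizes[False]:
                paired.add(key)
                findings.append({"type": "pair", "ip": req["ip"],
                                 "path": req["path"], "param": name})
    return findings
```

The pair finding is the one worth alerting on: a single tautology can be a false positive, but a true/false pair with differing response sizes from one client is a probe of a parameter that is actually being evaluated by the database.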

Looking through the source code, I see that customers can attach a file to their support tickets and there is no checking of the file extension. So I look for a username and password from the customer database, create a support request with an attached PHP shell and I'm in!
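The two upload bugs in this story (an extension check that only lived in client-side JavaScript, then a ticket attachment with no check at all) are what server-side validation exists to stop. The following Python function is an added example, not code from the original post or from the site in question; the allowlist, the magic-byte table and the random storage name are assumptions made for illustration.

```python
import os
import re
import secrets

# Extensions the ticket system actually needs: an allowlist, never a denylist.
# (This particular list is an assumption made for the example.)
ALLOWED = {"jpg", "jpeg", "png", "pdf", "txt"}

# Leading bytes the content must have for each binary type; the browser's
# filename and Content-Type are user input and prove nothing.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

class UploadRejected(ValueError):
    pass

def validate_upload(filename, data):
    """Return a server-chosen storage name for an accepted upload, or raise
    UploadRejected. Every decision here is made on the server."""
    base = os.path.basename(filename.replace("\\", "/"))
    # Exactly one dot and a short extension: this rejects "shell.php.jpg"
    # style double extensions, which Apache's AddHandler may still run as PHP,
    # as well as names with no extension or with path characters.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise UploadRejected("bad filename: %r" % filename)
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: " + ext)
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match ." + ext)
    if ext == "txt" and b"<?" in data:
        raise UploadRejected("script open tag inside text upload")
    # The client-supplied name is kept only as metadata; the file itself is
    # stored under a random name (and should live outside the web root or in
    # a directory with script execution disabled).
    return secrets.token_hex(16) + "." + ext

def is_accepted(filename, data):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False
```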

5. Escalate privileges (or fail to)


On over 50% of the Linux servers out there, two simple scripts - Linux_Exploit_Suggester, and unix-privesc-check - can get “root”, that is, admin rights.

finsupport was running the latest version of Debian with no local root exploits, but unix-privesc-check turned up:

  WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
  WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

So in /etc/cron.hourly/webalizer I add:

  chown root:root /path/to/my_setuid_shell
  chmod 04755 /path/to/my_setuid_shell

Wait an hour and ... nothing. It turns out that even though the cron process is running, no actual cron jobs seem to run. The Webalizer directory shows that the statistics have not been updated since last month. Apparently cron sometimes runs at the wrong time, or not at all, after a time zone change and needs to be restarted. ls -l /etc/localtime shows the time zone was updated on June 6th, the same time Webalizer stopped recording statistics, so that's probably the problem. Anyway, the only thing this server does is serve the website, so I already have access to everything interesting on it. Root wouldn't bring much new, so I check out the rest of the network.
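The two warnings above describe scripts that cron runs as root but that the web server user can write to; it is the kind of thing an administrator's own audit should catch before anyone else does. The following Python check is an added example, not code from the original post or from unix-privesc-check; the directory list assumes Debian's cron layout, and the baseline it enforces (root-owned, writable only by root, no symlinks) is the usual hardening rule.

```python
import os
import stat

# Directories whose contents cron (via run-parts) executes as root on Debian.
CRON_DIRS = ["/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
             "/etc/cron.weekly", "/etc/cron.monthly"]

def audit_entry(path, mode, uid, gid):
    """Return the problems with one root-run cron script or directory, given
    its lstat fields. An empty list means root owns it and only root can write."""
    problems = []
    if uid != 0:
        problems.append(f"{path}: owned by uid {uid}, not root")
    if mode & stat.S_IWGRP and gid != 0:
        problems.append(f"{path}: writable by gid {gid}")
    if mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable")
    if stat.S_ISLNK(mode):
        problems.append(f"{path}: is a symlink")  # target may live somewhere writable
    return problems

def audit_cron_dirs(dirs=CRON_DIRS):
    """Check each cron directory itself (a writable directory lets anyone drop a
    new job) and every entry in it; lstat is used so symlinks are reported as such."""
    problems = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        st = os.lstat(d)
        problems.extend(audit_entry(d, st.st_mode, st.st_uid, st.st_gid))
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            st = os.lstat(path)
            problems.extend(audit_entry(path, st.st_mode, st.st_uid, st.st_gid))
    return problems

if __name__ == "__main__":
    for problem in audit_cron_dirs():
        print("WARNING:", problem)
```

The fix for anything reported is the mirror image of the finding: give the file back to root (chown root:root) and strip the group/other write bits (chmod 755), then restart cron if it has been misbehaving as described above.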

6. Keep looking around

The next step is to look around the hacked box's local network. This is pretty much the same as the first "scan & exploit" step, except that there are many more interesting services open behind the firewall. A tarball with a statically linked copy of nmap and all of its scripts that you can upload and run on any box is very useful for this. The various nfs-* and especially smb-* scripts that nmap has will be extremely helpful.

The only interesting thing I was able to pull from finsupport's local network was another web server with a folder called “qateam” that contained their mobile malware.

7. Have fun

Once you're on the network, the real fun begins. Just use your imagination. While I've called this article a guide for would-be whistleblowers, there is no reason to limit yourself to leaking documents. My original plan was as follows:

  • Hack Gamma and get a copy of FinSpy server software.
  • Find vulnerabilities in FinSpy servers.
  • Search for and hack all FinSpy command-and-control (C&C) servers on the internet.
  • Identify the groups that run them.
  • Use the C&C servers to upload and run a program on all targets that tells them who is spying on them.
  • Use the C&C servers to uninstall FinFisher on all targets.
  • Join the former C&C servers into a botnet to DDoS Gamma Group.

It wasn't until I failed to completely hack Gamma and ended up with some interesting documents but no copy of the FinSpy server software that I settled for the far less fun backup plan of leaking their stuff and making fun of them on Twitter.

Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and finally crack the password so that I can get on with step 2!

8. Other methods

The general method I described above - recon, find vulnerabilities, exploit them - is just one way to hack, and probably more suited to people with programming skills. There is no one right way, and every method that works is as good as any other. I want to mention these other ways without going into detail:

1) Send exploits for web browsers, Java, Flash or Microsoft Office in convincing emails to employees, persuading them to open the link or attachment. Or hack a website that employees visit frequently and embed the browser/Java/Flash exploit there.

This method is used by most government hacking groups, but you don't have to be a government with a million dollar budget for 0-day research and FinSploit or VUPEN subscriptions to pull this off. You can get a high quality exploit kit from Russia for a few thousand, and you can rent one for much less. There is also Metasploit browser autopwn, but you are likely to have better luck with no exploits and a fake Flash update message.

2) Take advantage of the fact that people are 95% nice, trusting and helpful.

The information security industry has invented a term to make it sound like science: "social engineering". This is probably the best way if you don't know much about computers, and it really is all it takes to be a successful hacker.

9. Material

Links:

Books:

Aside from hacking-specific things, almost anything that is useful for a system administrator to set up and manage a network will also help in exploring it. This includes familiarity with the Windows command line and the UNIX shell, basic scripting skills, knowledge of LDAP, Kerberos, Active Directory, networks, etc.

10. Outro

You will find that some of this sounds exactly like what Gamma does. Hacking is a tool. It's not the selling of hacking tools that makes Gamma evil. It is who Gamma's customers target, and for what purpose, that makes them evil. That doesn't mean that tools are automatically neutral. Hacking is an offensive tool. Just as guerrilla warfare makes it harder to occupy a country: whenever attack is cheaper than defense, it is harder to uphold illegitimate authority and inequality. That's why I wrote this article: to make hacking a bit easier and more accessible. And I wanted to show that the Gamma Group hack really wasn't anything special, just ordinary SQL injection, and that you could go out and do similar things.

Solidarity with everyone in Gaza, Israeli conscientious objectors, Chelsea Manning, Jeremy Hammond, Peter Sunde, anakata and all other imprisoned hackers, dissidents and criminals!


About the author

Guest Post

Guest contributions are contributions from people who do not belong to the netzpolitik.org editorial team. Sometimes we approach authors and publishers to ask them about guest contributions, sometimes the authors approach us. Guest contributions do not necessarily reflect the opinion of the editors.
Published 08/14/2014 at 1:20 PM