hackingteamwriteup-fisher2016


Hacking Team Writeup

by Phineas Fisher (2016)

https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Rants%26Writeups/Hacking%20Team%20Writeup.md

Remark
#antisec
Phineas is disgusted by “sellouts”
Hacking Team
Tor isn’t a panacea
OPSEC considerations
Whonix, Tails, Qubes TorVM
wifislax - wifi cracking distro
VPN
Jeremy Hammond busted by correlating home address w/ VPN
don't hack directly through Tor: exit nodes are on blacklists
DNS tunneling
command and control
connect-back shells
stable servers
hacked servers
pay for VPS with Bitcoin
attribution
APT
code and TTP reuse as attribution
public tools as plausible deniability
changing tactics to avoid being profiled
“Google Hacking for Penetration Testers”
subdomain enumeration
fierce
theHarvester
recon-ng
whois + reverse whois
site:domaintools.com
site:www.find-ip-address.com
port scanning
service fingerprinting
IDS
“the whole internet is being scanned constantly”
nmap
zmap
masscan
WhatWeb
BlindElephant
social engineering
LinkedIn
data.com (formerly Jigsaw)
file metadata
metagoofil
FOCA (metadata)
foothold
try easy, common techniques first
spear phishing
targeted attacks
buying access
Joomla
Joomscan
VPN appliances
0-day
postfix
reverse engineering
leveraging bugs in embedded devices
backdoored firmware
post exploitation
backdoor
busybox
Responder.py
Python
tcpdump
dsniff
socat
GNU screen
SOCKS proxy
tgcd
testing tools and attack kits prior to use
Responder.py -A (analyze mode: listen and log without poisoning)
NoSQL
MySQL authentication bypass
mongodb
RCS
GridFS
torrent
Shodan
insecure backups
iSCSI
Synology
NAS
port forwarding
iscsiadm
iptables
vmfs-fuse
losetup
fdisk
mount
VHD
pwdump
cachedump
lsadump
registry hives
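Added example for the backup-mounting chain above (not code from the writeup): the step that trips people up is the losetup offset, which is the partition's start sector times the sector size as reported by fdisk. The fdisk output is constructed, the portal/IQN/image/mount paths are placeholders, and everything is planned read-only so the backup image is never modified.

```python
"""Added example (not from the writeup): planning the read-only mount of one
partition inside a disk image recovered from an exposed backup, so the
registry hives can be dumped offline.

The writeup's chain is iscsiadm -> vmfs-fuse -> fdisk -> losetup -> mount;
losetup needs a byte offset, which is the partition's start sector times the
sector size.  SAMPLE_FDISK is constructed `fdisk -l` output and the portal,
IQN, image and mount paths are placeholders.
"""
import re
import subprocess

# Constructed `fdisk -l fs01-flat.vmdk` output (not real data).
SAMPLE_FDISK = """\
Disk fs01-flat.vmdk: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device          Boot    Start      End  Sectors  Size Id Type
fs01-flat.vmdk1 *        2048   206847   204800  100M  7 HPFS/NTFS/exFAT
fs01-flat.vmdk2        206848 83884031 83677184 39.9G  7 HPFS/NTFS/exFAT
"""

# pwdump wants SAM+SYSTEM; cachedump and lsadump want SECURITY+SYSTEM.
HIVES = ("SAM", "SYSTEM", "SECURITY")


def parse_fdisk(text):
    """Return (sector_size, {partno: (start_sector, sector_count)})."""
    m = re.search(r"^Units:.*?=\s*(\d+)\s+bytes", text, re.M)
    sector_size = int(m.group(1)) if m else 512
    parts, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Device"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if fields[1] == "*":          # boot flag shifts the columns right
            fields.pop(1)
        partno = int(re.search(r"(\d+)$", fields[0]).group(1))
        parts[partno] = (int(fields[1]), int(fields[3]))
    return sector_size, parts


def losetup_offset(fdisk_text, partno):
    """Byte offset for `losetup -o`: start sector times sector size."""
    sector_size, parts = parse_fdisk(fdisk_text)
    return parts[partno][0] * sector_size


def attach_plan(portal, iqn, block_dev, vmfs_mount):
    """Log in to the iSCSI target and expose its VMFS datastore as files."""
    return [
        ["iscsiadm", "-m", "discovery", "-t", "sendtargets", "-p", portal],
        ["iscsiadm", "-m", "node", "-T", iqn, "-p", portal, "--login"],
        ["vmfs-fuse", block_dev, vmfs_mount],  # block_dev: the new /dev/sdX after login
    ]


def mount_plan(image, partno, mountpoint, fdisk_text):
    """Expose one partition read-only: -r on losetup and ro on mount keep
    the image unmodified.  "$LOOP" is replaced by run() with the device
    that `losetup --show` prints."""
    offset = str(losetup_offset(fdisk_text, partno))
    return [
        ["losetup", "-r", "-f", "--show", "-o", offset, image],
        ["mount", "-o", "ro", "$LOOP", mountpoint],
    ]


def hive_paths(mountpoint):
    """Where the registry hives live on a mounted Windows system volume."""
    base = f"{mountpoint}/Windows/System32/config"
    return {h: f"{base}/{h}" for h in HIVES}


def run(plan, dry_run=True):
    """Execute a plan as root; by default only show what would run."""
    loop = "$LOOP"
    for argv in plan:
        argv = [loop if a == "$LOOP" else a for a in argv]
        print(" ".join(argv))
        if dry_run:
            continue
        out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
        if argv[0] == "losetup":
            loop = out.strip()            # --show prints the loop device


if __name__ == "__main__":
    run(attach_plan("10.0.0.5:3260", "iqn.2000-01.com.synology:nas.target-1",
                    "/dev/sdb", "/mnt/vmfs"))
    run(mount_plan("/mnt/vmfs/fs01/fs01-flat.vmdk", 2, "/mnt/win", SAMPLE_FDISK))
    for hive, path in hive_paths("/mnt/win").items():
        print(hive, path)
```

Run as-is it only prints the plan; pass `dry_run=False` as root on a box with open-iscsi and vmfs-tools installed to execute it.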
proxychains
smbclient
Metasploit
psexec.ps1
meterpreter
process migration
“load kiwi”
“creds_wdigest”
Domain Admin
PowerShell
New-MailboxExportRequest
Microsoft Exchange
lateral movement
mimikatz
sekurlsa::logonpasswords
sekurlsa::msv
runas
PowerUp
bypassuac
privilege escalation
psexec
WMI
winexe
PowerShell Empire invoke-psexec
sc.exe
pth-win.exe
Event ID 7045 (System log, source “Service Control Manager”: a service was installed) left behind by service-based lateral movement (psexec, sc.exe)
Event Logs
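Added example for the 7045 artefact above (not from the writeup): the detection side, run over constructed 7045 records. The EventData field names (ServiceName, ImagePath, ServiceType, StartType, AccountName) are the real ones; the records and the heuristics (random 8-letter name dropped in %SYSTEMROOT%, cmd.exe one-liner writing to ADMIN$, PSEXESVC, winexesvc) are this example's own.

```python
"""Added example (not from the writeup): flagging psexec-style lateral
movement in Windows System log Event ID 7045 (source Service Control Manager:
a service was installed), the artefact the writeup points to for sc.exe and
psexec-type tools.

EventData fields of a real 7045 record are ServiceName, ImagePath,
ServiceType, StartType and AccountName.  The XML record and the dict records
below are constructed, and the detection heuristics are this example's own.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# One constructed record as `wevtutil qe System /f:xml` would emit it.
SAMPLE_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <Channel>System</Channel><Computer>FS01.corp.example</Computer></System>
  <EventData>
    <Data Name="ServiceName">MsVfYqWk</Data>
    <Data Name="ImagePath">%SYSTEMROOT%\\MsVfYqWk.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
"""

# More constructed records, already reduced to their EventData fields.
SAMPLE_EVENTS = [
    {"ServiceName": "Nagios NCPA", "StartType": "auto start",
     "ImagePath": r'"C:\Program Files (x86)\Nagios\NCPA\ncpa.exe"'},
    {"ServiceName": "BTOBTO", "StartType": "demand start",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\ADMIN$\__out 2^>^&1 > %TEMP%\x.bat & %COMSPEC% /Q /c %TEMP%\x.bat"},
    {"ServiceName": "PSEXESVC", "StartType": "demand start",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ServiceName": "winexesvc", "StartType": "demand start",
     "ImagePath": r"%SYSTEMROOT%\winexesvc.exe"},
]

# A binary directly under the Windows directory (not System32).
WIN_ROOT = re.compile(r"^(?:%SYSTEMROOT%|%windir%|[A-Za-z]:\\Windows)\\([^\\]+\.exe)$", re.I)
KNOWN_TOOL_SERVICES = {"PSEXESVC", "WINEXESVC"}


def parse_7045_xml(xml_text):
    """EventData of one 7045 record as a dict; rejects other event IDs."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "7045":
        raise ValueError(f"not a 7045 record: {event_id}")
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def classify(event):
    """Reasons a service install looks like lateral movement; an empty
    list means nothing tripped under these heuristics."""
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").strip().strip('"')
    reasons = []
    m = WIN_ROOT.match(path)
    if m:
        reasons.append("binary dropped directly in the Windows directory")
        if (name.upper() not in KNOWN_TOOL_SERVICES and re.fullmatch(r"[A-Za-z]{8}", name)
                and m.group(1).lower() == f"{name}.exe".lower()):
            reasons.append("8-letter service name equal to its binary (Metasploit psexec default)")
    if re.search(r"%COMSPEC%|cmd\.exe", path, re.I) and re.search(r"ADMIN\$|\\\\127\.0\.0\.1\\", path, re.I):
        reasons.append("service is a cmd.exe one-liner writing to an admin share (smbexec style)")
    if name.upper() == "PSEXESVC" or "PSEXESVC" in path.upper():
        reasons.append("Sysinternals PsExec service (PSEXESVC)")
    if name.lower() == "winexesvc":
        reasons.append("winexe / pth-winexe service (winexesvc)")
    return reasons


def scan(events):
    """(ServiceName, reasons) for every record that trips a heuristic."""
    flagged = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            flagged.append((ev.get("ServiceName", ""), reasons))
    return flagged


if __name__ == "__main__":
    for svc, why in scan([parse_7045_xml(SAMPLE_XML)] + SAMPLE_EVENTS):
        print(f"{svc}: {'; '.join(why)}")
```

The heuristics are deliberately narrow: a legitimate installer writing under Program Files produces no hit, while anything that drops a freshly named binary into the Windows directory or runs a cmd.exe one-liner against an admin share does.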
wmiexec.py
pth-wmis
pass the hash
wmic
PSRemoting
don't recommend enabling new remote protocols that weren't already in use
Windows 10
Scheduled Task
schtasks.exe
GPO
GPO logon script
GPO install msi
GPO scheduled task
token stealing - mimikatz token::xxx
MS14-068
Kerberos
Domain Admin Tickets
sekurlsa::pth
process injection
RAT
pupy migrate command
pupy
meterpreter-migrate
Empire psinject
persistence
Duqu 2-style persistence
high uptime servers as targets
golden ticket
backup access
PowerView
Windows 2000, 2003 lacking PowerShell
netview.exe
net view
Invoke-ShareFinderThreaded
Select-String
Out-File
reading email
reading SharePoint
Active Directory
Nagios
Get-Keystrokes
Get-TimedScreenshot
PowerSploit
Do-Exfiltration
nishang
hunting sysadmins
CredMan.ps1
searching for interesting files
TrueCrypt volumes
weak passwords
passwords.txt
git repos
sudo
password reuse
GitLab
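Added example for the loot-hunting items above (not from the writeup): a scanner for password files, key material, git repositories and candidate TrueCrypt volumes. A TrueCrypt container has no magic bytes, so it is found by elimination (no recognised header, sector-aligned size, near-maximal entropy). The sample tree built by demo() is constructed data; the name patterns and thresholds are this example's own.

```python
"""Added example (not from the writeup): hunting a file tree for the loot the
writeup lists: plaintext password files, key material, git repositories
(whose history often carries credentials) and candidate TrueCrypt volumes.
A TrueCrypt container has no magic bytes, so it is found by elimination: no
recognised header, a size that is a multiple of 512 and near-maximal byte
entropy.  The tree built by demo() is constructed sample data; the name
patterns and thresholds are this example's own.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter

NAME_HITS = re.compile(
    r"pass(word|wd)?s?\.(txt|xlsx?|docx?)$|\.kdbx?$|^id_(rsa|dsa|ecdsa|ed25519)$"
    r"|\.pem$|\.ppk$|^\.htpasswd$|^credentials$", re.I)
# Headers of common formats that are dense but are not encrypted containers.
MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b", b"%PDF",
         b"7z\xbc\xaf", b"MZ", b"\x7fELF", b"\xd0\xcf\x11\xe0", b"BM")


def shannon_entropy(data):
    """Bits per byte; 8.0 is uniformly random, English text is about 4.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_container(path, min_size=1 << 20, sample=1 << 16):
    """No header, sector-aligned size, random-looking content."""
    size = os.path.getsize(path)
    if size < min_size or size % 512:
        return False
    with open(path, "rb") as f:
        head = f.read(sample)
    return not head.startswith(MAGIC) and shannon_entropy(head) > 7.9


def git_remote(repo_dir):
    """origin URL from .git/config (tells you where else to look), or None."""
    try:
        with open(os.path.join(repo_dir, ".git", "config"), encoding="utf-8", errors="replace") as f:
            m = re.search(r"^\s*url\s*=\s*(\S+)", f.read(), re.M)
    except OSError:
        return None
    return m.group(1) if m else None


def hunt(root, min_size=1 << 20):
    """Walk root and bucket hits into files, repos and containers."""
    hits = {"files": [], "repos": [], "containers": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            hits["repos"].append((dirpath, git_remote(dirpath)))
            dirnames.remove(".git")          # don't descend into the object store
        for name in filenames:
            full = os.path.join(dirpath, name)
            if NAME_HITS.search(name):
                hits["files"].append(full)
            elif looks_like_container(full, min_size):
                hits["containers"].append(full)
    return hits


def demo():
    """Build a constructed tree in a temp dir and return hunt() results with
    paths relative to it (min_size lowered to fit the small sample)."""
    rng = random.Random(1337)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    root = tempfile.mkdtemp(prefix="hunt-")
    files = {
        "it/scripts/.git/config": b'[remote "origin"]\n\turl = https://gitlab.corp.example/it/scripts.git\n',
        "it/Passwords.xlsx": b"not really a spreadsheet",
        "home/sysadmin/notes.txt": b"remember to rotate the nagios password\n",
        "home/sysadmin/backup.tc": noise(8192),                    # container candidate
        "home/sysadmin/photo.jpg": b"\xff\xd8\xff" + noise(8189),  # dense, but has a JPEG header
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    hits = hunt(root, min_size=4096)

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    return {"files": sorted(map(rel, hits["files"])),
            "repos": sorted((rel(d), u) for d, u in hits["repos"]),
            "containers": sorted(map(rel, hits["containers"]))}


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

For a real sweep keep the default 1 MiB minimum; the entropy test on its own would also flag compressed archives and media, which is why the header list exists.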
“forgot my password” + mailserver access
ethical hacking
encrypted email - GPG/PGP
Enigmail