Hacking Back: A DIY Guide

Hacking Back: Introduction

This edition of Hacking Back has now been translated into the English language (original edition can be found here). The author is aware that the English-speaking world already has many books, guides, talks, and other info covering the topic of hacking.

Nevertheless, in those parts of the world where “hackers” are much better than the author, they have chosen to use their talents to assist “defense” contractors, intelligence agencies, and the corporate sector.

Believe it or not, the so-called “hacker culture” was born in the United States as a part of a counterculture. All that remains of that history can only be seen in movies, read in thrillers, and spoken of in stories that sound like folklore.

Those hackers who once stood against the establishment have since been assimilated; they wear “Anonymous” t-shirts, dye their hair funky colors, use cool “hacker” names, and pretend to be rebels while all the time they are only tools of the corrupt system.

Before the hacking era, leaking secrets entailed sneaking around, breaking into secure locations, stealing information, and releasing that information to the public; robbing a bank or other institution entailed violence.

Today, people with the knowledge and know-how can do both things from the comfort of a hotel room using a laptop.

As the CNT said after the Gamma Group attack: “Let’s take a step forward with new forms of struggle.”

We’re living in a time when hackers have become the modern-day Robin Hoods; they’re stealing from the filthy rich corporate giants and giving back to those who deserve it: the people!

Hacking Back

Hacking Back 1.0: Hacking Team

Hacking Team was a company involved in assisting governments in hacking and spying on journalists, social activists, political opposition groups, and others these governments viewed as threats to their power. Occasionally, Hacking Team went after actual criminals and terrorist groups.

Vincenzetti, the company’s CEO, was known to end his emails with the fascist slogan “Boia chi molla,” which roughly translates to “[He] who abandons the struggle is a hangman/executioner.”

But it would be more correct to say “boia chi vende RCS.” Hacking Team even made the audacious claim to possess the technology to “solve” the Tor and Darknet “problem.” Nevertheless, the author and many others are still free, so the effectiveness is in doubt.

Boia Chi Molla
Boia chi molla (“who abandons the struggle is a hangman/executioner”): leaving the fight is seen as killing your own comrades. “Boia” was commonly used as an insult in Italy for centuries.

Hacking Back 2.0: Stay Safe Out There

Unfortunately, the world is an unfair place: bad people get rich destroying other people’s lives, while good people go to prison or are killed for trying to do something righteous.

On the bright side, there are a few good people out there, such as those who work on the Tor Project, who continue to fight against the evil of our governments and the corrupt corporations.

There are a few precautions you can take to protect yourself from imprisonment, harm, and possibly death.

1. Encrypt Your Hard Disk

If the police have made it as far as your front door with a search warrant to seize your computer, it’s safe to say you’ve made enough mistakes already. Don’t let it be any easier than it already has been: encrypting your computer’s hard drive will make it nearly impossible to retrieve anything useful.

2. Use a Virtual Machine, Routing Traffic Through Tor

Running a virtual machine with its traffic routed through Tor accomplishes two important things: a) it keeps you anonymous, and b) it helps you keep your personal life and your hacking life separate. The last thing you want is for the two to mix. Once they do, it’s game over.

3. Do Not Connect Directly To Tor

Tor isn’t fully protective of its users. A savvy investigator can correlate the times you’re connected to Tor with the times your hacker handle is active. There have been successful attacks against Tor in the recent past, so be forewarned. The best thing to do is use WiFi connections other than your own, along with Socks5.

In addition to that, Wifislax is a Linux distro featuring numerous tools for cracking WiFi.

The other option is to connect to a VPN or a bridge node before connecting to Tor.

Nevertheless, that alone is less secure than using another WiFi connection on top of that, because the hacker’s location can still be correlated and lead investigators directly to their front door. Jeremy Hammond is one such example.

Hacking Back 3.0: Infrastructure

Never hack directly from Tor exit nodes. They’re blacklisted, slow, and aren’t capable of receiving connect-backs. Tor is used to maintain anonymity while you connect to the infrastructure.

1. Domain names. For command and control addresses, as well as DNS tunnels for guaranteed egress.

2. Stable servers. To be used as command and control addresses, receive connect-back shells, to launch your attacks, and to store the loot.

3. Hacked servers. For pivots to hide the IP addresses of the stable servers; they have fast connections without pivoting.

This is good for when you’re scanning ports, scanning the entire internet, or downloading a database with SQLi (SQL injection is a code injection technique used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution, e.g. to dump the database contents to the attacker), among other things.

Hacking Back 3.1: Attribution

The media often reveals stories where attacks have been traced back to government-backed hacking groups (APTs). This is because these groups use the same tools, leave behind the same footprints, and use the same infrastructures (domains, emails, etc.).

This is due to pure negligence since they are able to hack without the legal consequences faced by others. There is no reason to make the job of law enforcement easier by following these people’s footsteps. You must get into a habitual routine of using new servers, domain names, and email addresses, and of paying for things using new cryptocurrency addresses.

Furthermore, only use tools that are available to the public or code that was written by you for a specific attack. This also includes using different techniques than last time so as not to leave a footprint. A lot of serial killers have gotten arrested – not because of witnesses, DNA, or fingerprints – simply because they created a pattern for law enforcement to follow.
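The linking of attacks through reused infrastructure described in this section, seen from the analyst's side, as an added example that is not part of the original guide. The incident records, indicator names and the choice to treat public tooling as non-linking are constructed assumptions.

```python
from collections import defaultdict

# Constructed incident records: indicators recovered from each intrusion.
INCIDENTS = {
    "case-A": {"domain:cdn-update.example", "email:reg1@example.org", "tool:loader-v1"},
    "case-B": {"domain:mail-sync.example", "email:reg1@example.org"},
    "case-C": {"domain:mail-sync.example", "tool:loader-v2"},
    "case-D": {"domain:static-files.example", "tool:public-scanner"},
    "case-E": {"domain:img-host.example", "tool:public-scanner"},
}
# Assumption: publicly available tooling is too widespread to link two cases.
COMMON = {"tool:public-scanner"}

def shared_indicators(incidents, common=()):
    """Map each reused indicator to the sorted list of cases it appears in."""
    seen = defaultdict(set)
    for case, indicators in incidents.items():
        for ind in indicators - set(common):
            seen[ind].add(case)
    return {ind: sorted(cases) for ind, cases in seen.items() if len(cases) > 1}

def cluster_incidents(incidents, common=()):
    """Union-find over cases: any shared non-common indicator merges two cases."""
    parent = {case: case for case in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for cases in shared_indicators(incidents, common).values():
        for other in cases[1:]:
            parent[find(other)] = find(cases[0])
    groups = defaultdict(list)
    for case in sorted(incidents):
        groups[find(case)].append(case)
    return sorted(groups.values())
```

Cases A and C share nothing directly; they end up in one cluster because each overlaps with case B.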

Hacking Back 4.0: Information Gathering

Information gathering can be a very tedious part of hacking. Nonetheless, learning as much as you can about a target can make or break an attack. This especially becomes a reality when you are studying a larger attack surface; there is much more of a chance you will find a vulnerability in this case.

Hacking Back 4.1: Technical Information

Below are some good examples.

1. Google. A lot of interesting things can be found with a few well-chosen search queries. For example, the identity of DPR or the bible of Google hacking, “Google Hacking for Penetration Testers”.

2. Subdomain Enumeration. Often, a company’s main website is hosted by a third party, and you’ll find the company’s actual IP range, thanks to subdomains like mx.company.com or ns1.company.com. Additionally, there are things that shouldn’t be exposed in “hidden” subdomains. Useful tools for discovering domains and subdomains are Fierce, theHarvester, and Recon-ng.

3. Whois Lookups and Reverse Lookups. With a reverse lookup using the whois information from a domain or IP range of a company, you can find other domains and IP ranges. There are not any free ways to do reverse lookups aside from a Google “hack.”

4. Port Scanning and Fingerprinting. Unlike the other techniques, this talks to the company’s servers. I include it in this section because it’s not an attack, it’s just information gathering.

The company’s IDS might generate an alert, but you don’t have to worry since the whole internet is being scanned constantly. For scanning, nmap is precise and can fingerprint the majority of services discovered.

For companies with very large IP ranges, zmap or masscan are fast. WhatWeb or BlindElephant can fingerprint websites.
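From the defender's side of the IDS remark above, an added example (not part of the original guide) that separates internet-wide background sweeps from a single source enumerating many ports on one host. The log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

LINE = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)")

def sample_log():
    """Constructed firewall-deny lines; the log format itself is an assumption."""
    lines = [f"DENY src=198.51.100.7 dst=203.0.113.{h} dport=23" for h in range(10, 30)]
    lines += [f"DENY src=192.0.2.44 dst=203.0.113.10 dport={p}"
              for p in (21, 22, 25, 80, 110, 143, 443, 445, 3306, 3389, 5432, 8080)]
    lines.append("DENY src=192.0.2.99 dst=203.0.113.12 dport=443")
    lines.append("ALLOW src=192.0.2.99 dst=203.0.113.12 dport=443")  # not a probe
    return lines

def classify_sources(lines, min_ports=10, min_hosts=10):
    """Label each source by the shape of its probing, not by raw volume."""
    ports_by_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {ports}
    for line in lines:
        m = LINE.match(line)
        if m:
            src, dst, port = m.group(1), m.group(2), int(m.group(3))
            ports_by_host[src][dst].add(port)
    labels = {}
    for src, hosts in ports_by_host.items():
        deepest = max(len(ports) for ports in hosts.values())
        all_ports = set().union(*hosts.values())
        if deepest >= min_ports:
            labels[src] = "service-enumeration"  # many ports on one of our hosts
        elif len(hosts) >= min_hosts and len(all_ports) <= 2:
            labels[src] = "background-sweep"     # one or two ports across the range
        else:
            labels[src] = "low-volume"
    return labels

def alerts(lines):
    """Sources worth an analyst's time: only the per-host enumeration."""
    labels = classify_sources(lines)
    return sorted(src for src, label in labels.items() if label == "service-enumeration")
```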

Hacking Back 4.2: Social Information

For social engineering, it’s useful to have information about the employees, their roles, contact information, operating system, browser, plugins, software, among other things.

Some resources are:

1. Google. Here as well, it’s the most useful tool.

2. theHarvester and recon-ng. Though these items have already been mentioned, they’re worth mentioning again. They can find a lot of information quickly and automatically. It’s best to read all of their documentation.

3. LinkedIn. A lot of information about a company’s employees can be found here. The company’s recruiters are the most likely to accept your connection requests.

4. Data.com. Previously known as jigsaw.com, it has contact information for many employees.

5. File Metadata. A lot of information about employees and their systems can be found in the metadata of files the company has published. Useful tools for finding files on the company’s website and extracting the metadata are metagoofil and FOCA.
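A pre-publication check for the file metadata exposure described in item 5, as an added example that is not part of the original guide. It reads the author and software fields of an Office Open XML package and can empty them; the sample document, its user names and the field selection are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():  # keep prefixes stable when re-serialising
    ET.register_namespace(_prefix, _uri)
FIELDS = {  # package parts and the fields in them that name users and software
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company"],
}

def make_sample_docx():
    """Constructed minimal OOXML package; the names and versions are made up."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:creator>j.doe</dc:creator>"
            "<cp:lastModifiedBy>CORP\\asmith</cp:lastModifiedBy></cp:coreProperties>")
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word'
           "</Application><AppVersion>16.0000</AppVersion></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

def process(data, scrub=False):
    """Return (findings, package bytes); scrub=True empties the listed fields."""
    findings, out = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for item in zin.infolist():
            body = zin.read(item.filename)
            if item.filename in FIELDS:
                root = ET.fromstring(body)
                for path in FIELDS[item.filename]:
                    for el in root.findall(path, NS):
                        if el.text:
                            findings[path] = el.text
                        el.text = "" if scrub else el.text
                body = ET.tostring(root) if scrub else body
            zout.writestr(item.filename, body)
    return findings, out.getvalue()
```

Running `process` over the scrubbed bytes again should return no findings, which makes it usable as a gate before a file is published.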

Part two of this tutorial can be found here.