
Phineas Fisher's account of how he took down HackingTeam - adamnemecek
https://ghostbin.com/paste/6kho7
======
sklivvz1971
> I want to dedicate this guide to the victims of the assault on the Armando
> Diaz school, and to all those whose blood has been spilled at the hands of
> Italian fascism.

For those who don't know, they are referring to the 2001 Armando Diaz school
attack [1] (warning: graphic), where hundreds of peaceful G8 protesters were
brutalized and tortured by Italian police. Whilst the police have been found
guilty of this, none of the policemen are serving any jail time.

[1]:
[https://en.wikipedia.org/wiki/2001_Raid_on_Armando_Diaz](https://en.wikipedia.org/wiki/2001_Raid_on_Armando_Diaz)

~~~
nxzero
> "hundreds of G8 pacific protesters were brutalized and tortured by Italian
> police. Whilst the police has been found guilty of this, none of the policemen
> is serving any jail time."

If police commit crimes, they must be held accountable.

~~~
pteredactyl
Or America

~~~
nickpsecurity
Plenty of police in jail in America. They're just harder to convict. Easier to
get them fired. Italy is exponentially worse than America on this issue.

And I say that as an activist against police corruption here who also lives in
a murder capital. Police pulling shit that bad here is rare outside the
"hoods" where it's thugs and low income people nobody cares about. Still
usually just a ticket, thrown on a car, or a brief taser. The worst plant shit
on people but they're very rare.

------
mmaunder
For anyone who doesn't follow infosec: This guy is responsible for two of the
most impressive hacks recently and still hasn't been doxed or arrested. And so
the linked doc is awesome if only for the opsec tips it provides. And it
provides much more than that. It really gives you some perspective on how much
work an attacker will put into breaking into your network and the kind of
structured approach they're taking. Plus it's very hands on and is educational
and current whether you're black or white hat. If you read nothing else in
infosec this month, read this.

~~~
nerdy
He's likely to be identified as he gets more brazen. Even authoring this
volume of text is risky, and there are other notes from the same author linked
within. Spelling can be used to approximate region and phrases or errors such
as "the hard of the business" ("heart of") and "passtime" ("pastime") are even
stronger markers. Of course there's no way to tell if these are unintentional
or planted errata.

I'm grateful for the information. It's incredibly interesting, but it might
come at great expense to the author.

~~~
espadrine
This text is a translation. The original is in Spanish. It might have its own
mistakes and traces, although I am not knowledgeable enough to detect
country-specific patterns.
[http://pastebin.com/raw/GPSHF04A](http://pastebin.com/raw/GPSHF04A)

Presumably, given that they talk about EU culture^W^W^W^W (see comment below)
have a [https://securityinabox.org/es/…](https://securityinabox.org/es/…)
link, the author is from Spain, which would make it easier to pinpoint an
origin, as Spain has a wider spectrum of language differences than in most
other Spanish-speaking countries.

Since there is a link to [http://madrid.cnt.es/](http://madrid.cnt.es/), they
maybe live in the capital, which has 3 million inhabitants.

~~~
josemrb
After reading the original doc, by the style used and some slang (although it
could be on purpose), I would say the author is from Chile.

I'm glad to find people that still fight the system on this side of the world.

~~~
peeb
I would be willing to bet they are from Italy. I am Italian and they wrote
about some stuff that you would know only if you followed Italian news.

They could be dropping some contradictory clues, BTW. I could definitely see
that.

~~~
21
Did you verify that the stuff you referred to as only being known if you
follow Italian news is not on the net? Don't those Italian news outlets have
websites?

This guy seems to be pretty good at googling around for stuff.

------
e12e
Wow, this is great. Feels like reading phrack in the 90s. Anyone know of
similar, contemporary resources on hacking?

This stuff is gold:

> NoSQL, or rather NoAuthentication, has been a great gift to the hacker
> community [1]. Just when I was worrying that all MySQL's sins of omission
> had finally been patched [2][3][4][5], these new databases appear, lacking
> authentication by design. Nmap found a few in Hacking Team's internal
> network:

Not to mention:

> As fun as it was to listen to captures and watch webcam images of Hacking
> Team developing its malware, it wasn't very useful. Their insecure security
> backups were the vulnerability that threw the doors open. According to the
> documentation [1], their iSCSI systems should have been on a separate
> network, but nmap count a few of them in their 192.168.1.200/24 subnet:

I can just hear some one saying to themselves, four years ago, "This backup
stuff should be on a separate subnet, but for now this appears to be working.
Make a note-to-self to secure it later." ....

~~~
celticninja
There was another one on the FinFisher attack, also on pastebin, that is worth
a read.

~~~
Kristine1975
Namely this one:
[http://pastebin.com/raw/cRYvK4jb](http://pastebin.com/raw/cRYvK4jb) (also
linked in the OP's link).

------
andretti1977
The border between what is "right" and what is "wrong" is very thin. What he
did is illegal but it was right.

I think people should be grateful to the ones that as he did, fight against
what is legal but definitely wrong.

~~~
wzy
Did you get a chance to vote on the law that made what he did illegal?

Better yet, when was the last time you got to vote on a law that was passed in
your country?

~~~
andretti1977
I can't understand what you really meant with your questions, but no, usually
you don't get the chance to vote on laws. As a citizen (at least an Italian
one) you are allowed to vote for parties which in the end vote for the laws. So
I don't have the right to directly vote for a law. I can only delegate someone
to decide laws for me, and this is a broken system, at least in 2016, when I
think we have all the technology to allow individual votes or at least a
better delegation mechanism.

------
mintplant
> As far as I know, there's no free way of making inverse whois queries

Whoisology [1] is good for this, though they've been more aggressively pushing
their paid options as of late. Also WhoisMind [2], to some extent.

[1] [https://whoisology.com/](https://whoisology.com/)

[2] [http://www.whoismind.com/](http://www.whoismind.com/)

~~~
nikcub
A free alternative for anonymous requests is to hit the Google caches, e.g.

    site:whois.domaintools.com "Y Combinator"

[https://encrypted.google.com/search?q=site%3Awhois.domaintoo...](https://encrypted.google.com/search?q=site%3Awhois.domaintools.com+"Y+Combinator")

------
moyix
Oh wow, he used some tools I wrote (and that someone later updated to work
with Vista & above):

[https://github.com/Neohapsis/creddump7](https://github.com/Neohapsis/creddump7)

------
enjoy-your-stay
Wow, this was a real eye-opener.

>Thanks to the hardworking Russians and their exploit kits... many businesses
already have compromised machines in their network. Almost all of the Fortune
500, with their enormous networks, have a few bots on the inside

I could definitely believe that, having worked at a few, they have massive
infrastructure and many users that are extremely relaxed about security in
general.

What then struck me was the way he casually decided to hack a VPN (!) is it
really so straightforward? And the way he seemed confident about testing his
exploit on other compromised machines without detection.

I'm always paranoid every time I type 'last' on my Linux box, wondering if the
thing is really compromised and totally lying to me - now I'm even more so!

~~~
klapinat0r
> _What then struck me was the way he casually decided to hack a VPN_

He's intentionally vague, but given he mentions two routers and two vpn
systems, it's highly probable that he's referring to one of the two routers
(which is embedded, and has firmware). Furthermore, he refers to a website[1]
which predominantly deals with routers.

> _is it really so straightforward?_

Routers, yes[2], VPN daemons, not as much.

[1]: [http://www.devttys0.com/training/](http://www.devttys0.com/training/) -
which can also contain a vpn daemon of course.

[2]:
[https://github.com/darkarnium/secpub/tree/master/Multivendor...](https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2)

------
nexar
He is active on reddit answering questions -
[https://www.reddit.com/user/PhineasFisher](https://www.reddit.com/user/PhineasFisher)

------
mercurial
> Hacking Team was a company that [...]

AFAIK, they are still operating and still doing exactly the same thing.

~~~
chinathrow
They just lost their export license.

~~~
mintplant
More information:

[http://motherboard.vice.com/read/hacking-team-has-lost-its-l...](http://motherboard.vice.com/read/hacking-team-has-lost-its-license-to-export-spyware)

Quote:

"We can sell everywhere in Europe without a license. We can sell everywhere in
the world but we have to ask for a license every time we sell."

~~~
mercurial
My heart bleeds. The question is, how hard is it for a company like that to
get an individual license if they have a cozy relationship with law
enforcement, which wouldn't be very surprising in their case?

------
MatthiasP
Original text in Spanish:
[http://pastebin.com/raw/GPSHF04A](http://pastebin.com/raw/GPSHF04A)

------
0xdeba5e12
I'm really happy to see the translation getting around this far. It's an
amazing text, & I'm glad my quick & dirty translation job got it out there
mostly intact. I never really gave it a proper proofread, so thanks for
catching those mistakes. More importantly, though, Phineas Fisher himself has
just released his own translation. And, having just discovered that ghostbins
are editable, I added a URL to his version at the top of the text. Here it is
again: [http://pastebin.com/raw/0SNSvyjJ](http://pastebin.com/raw/0SNSvyjJ)

------
noobie
I was curious why he was using domain names instead of tor hidden service or
other p2p networks. Turns out that using domain names provides a backup
communications channel (DNS) that gets through pretty much any firewall.

~~~
acdha
The other thing to remember is that Tor traffic is generally rare and few
places have a business case for it so it's more likely to be monitored, just
as in the past many places used to watch for IRC connections since it was
infinitely more likely to be a botnet control channel than Fred in accounting
seeing whether #quickbooks existed.

DNS, HTTPS to some random AWS/Azure/etc. endpoint, etc. are common as dirt and
enough harder to monitor that many places either don't try or struggle to do
it effectively.
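
The point above about DNS being "common as dirt" is exactly why defenders who do try tend to look for anomalies inside DNS rather than at its mere presence. The following is an added example, not part of this thread or of the original write-up: a small heuristic that walks a resolver query log and flags a client that asks for many distinct, high-entropy subdomains of one registrable domain, the usual shape of DNS-based command channels. The log format (`client qname` per line), the sample lines, the thresholds, and the two-label rule for the registrable domain are all constructed assumptions; a real deployment would parse its resolver's own log format and use the public suffix list.

```python
"""Heuristic detector for DNS-tunnelling-style traffic in resolver query logs.

Added example (not from the thread or the original write-up). The log layout
below, "<client_ip> <qname>" per line, is a constructed simplification; real
resolver logs (BIND, dnsmasq, Windows DNS) need their own parser.
"""
import math
from collections import defaultdict

# Constructed sample log: one query per line, "<client_ip> <qname>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 update.vendor.example
10.0.0.9 a8f3k2q9x1.lookup.example.net
10.0.0.9 zz91kq03pl.lookup.example.net
10.0.0.9 0q3kx8a1lm.lookup.example.net
10.0.0.9 mn3j8dk2ll.lookup.example.net
10.0.0.9 q7x0al9k3p.lookup.example.net
10.0.0.9 pp19zkq2ab.lookup.example.net
10.0.0.5 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, zone_labels: int = 2):
    """Return (registrable_domain, leftmost_labels) for a query name.

    Assumption: the registrable domain is the last `zone_labels` labels.
    A real deployment would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    domain = ".".join(labels[-zone_labels:])
    return domain, labels[:-zone_labels]


def parse_log(text: str):
    """Yield (client, qname) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        yield parts[0], parts[1]


def score_domains(text: str, min_unique: int = 5, min_entropy: float = 3.0):
    """Return {(client, domain): stats} for pairs that look like tunnelling.

    A pair is flagged when the client asked for at least `min_unique`
    distinct leftmost labels under the same registrable domain and the mean
    entropy of those labels is at least `min_entropy` bits per character.
    """
    subs = defaultdict(set)
    for client, qname in parse_log(text):
        domain, sub = split_qname(qname)
        if sub:
            subs[(client, domain)].add(sub[0])
    flagged = {}
    for key, labels in subs.items():
        if len(labels) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_ent >= min_entropy:
            flagged[key] = {"unique_subdomains": len(labels),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in score_domains(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

On the constructed log only `10.0.0.9` against `example.net` is flagged; the ordinary `www`/`mail` lookups from `10.0.0.5` fall well under both thresholds. The thresholds are deliberately crude: content delivery networks and some anti-spam services also generate many random-looking labels, so in practice the output is a candidate list for a per-domain allowlist and an analyst, not an alert by itself.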

------
csmajorfive
How did he record these step-by-step instructions with such high detail? Is
this common practice?

~~~
voltagex_
This is pretty normal for a paid penetration test - but it's got far more
technical detail than you'd normally see. I don't think the person behind this
has revealed anything particularly new, they just know their tools _really_
well.

~~~
amjo324
Agreed. However, in a formal penetration testing engagement, the tester will
usually only record and document their exact steps because they have to
provide a detailed report to their client. This hacker didn't have that same
obligation. I'm speculating that he is probably a habitual note taker. In this
way, if he ever comes across similar challenges when attacking a new target,
he has his notes to refer to.

I was curious to read this piece to see how closely the approach, techniques
and tools he uses compare to how penetration testers are formally trained in
the info sec industry. For what it's worth, the methodology in terms of
reconnaissance, privilege escalation and lateral movement within the network
are typical. Also, most of the tool set he uses (e.g. mimikatz, responder,
meterpreter, powersploit, psexec) are part of any good penetration tester's
arsenal.

I'm not trying to downplay the achievement though. He is clearly very skilled
and knowledgeable. Of particular note, it seems that the initial intrusion was
only possible because 'after about two weeks of reverse engineering, I
discovered a remote root exploit' in an embedded system. He doesn't provide
technical details of the exploit but finding a 0-day in an embedded system is
usually far from child's play.

------
kumarski
I am non-technical and I love this post for its exhaustive documentation and
citations.

------
nxzero
Is there any reason to believe this doc was (or was not) produced by a state-
level actor?

~~~
Mendenhall
That is my thought as well, for a few reasons.

~~~
kenshaw
Well, the author's day job might be as a "whitehat" for a state sponsored
entity -- it's even possible/plausible the author could be one of the
HackingTeam -- perhaps motivated by company politics to expose them.

------
djvdorp
Previously:
[https://news.ycombinator.com/item?id=11509950](https://news.ycombinator.com/item?id=11509950)

------
kombucha2
can anyone suggest good infosec reads or periodicals?

~~~
timothyschmidt
[https://archive.org/details/International_Journal_of_PoC_201...](https://archive.org/details/International_Journal_of_PoC_2013_08_05)

------
bluesilver07
The link doesn't work anymore - getting a 404. Are there any other links?

~~~
bluesilver07
Found this -
[http://pastebin.com/raw/0SNSvyjJ](http://pastebin.com/raw/0SNSvyjJ)

------
SCHiM
Wow this person is impressive, the details of the attack and the preparation
almost make it read like a Hollywood hacker movie script (if they made good
movies about hacking that is...).

------
DyslexicAtheist
the English article now returns a 404. any alternative places it is still
visible at?

~~~
millzlane
[http://pastebin.com/raw/0SNSvyjJ](http://pastebin.com/raw/0SNSvyjJ)

------
m00dy
One of the most sophisticated stories I have read so far.

------
simula67
> with just one hundred hours of work

Yeah, right. Most of the tools and knowledge he used would have taken much
longer than that to acquire.

~~~
tomlong
I think they're saying that's how much time it took them from the position
they started from. Obviously if you have to learn it all and study it's going
to take an order of magnitude or two longer.

------
cinquemb
So, who's next? :P

------
uberweb
got mirror?

------
steckerbrett
> Obviously you have pay anonymously, with bitcoin, for exaple (if youuse it
> carefully)

Bitcoin is anonymous? Time to go to jail.

~~~
TACIXAT
Could you expand on your comment? My understanding is that if a party can't
tie a wallet to an identity then it is anonymous. So if you can acquire
bitcoins (eg. mining) and purchase something (eg. VPS) without giving up your
identity then you are solid.

~~~
Karunamon
I've heard conflicting information as far as this goes.

Thinking this through: an adversary who's watching the block chain probably
knows some inputs and some outputs. As in, these addresses belong to an
exchange, these addresses belong to a hosting company.

Okay, fine. Now remember that any user can literally create wallets out of
thin air, and in fact doing so is considered basic security hygiene. Let's say
Joe User transfers one coin from one wallet to another wallet under their
control. Let's say they do this 20 times, sometimes with the full amount,
sometimes less.

How does the adversary attach an identity to those transactions?

~~~
reqctomaniac
You have to use your bitcoins someday. Either to buy real currency or real
goods. Then you know where the money went TO. Tracing the transactions back
(where the money came FROM) is then not a big deal - full history is in the
blockchain.

So as long as you don't do a transaction that connects your identity to any
bitcoin address, you are fine. But to use bitcoins you are almost always
required to do it (it's an electronic financial transaction; they are governed
by law to have an identity, but of course you can find entities who do not
follow these laws).
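
To make concrete what the two comments above are arguing about (whether hopping coins through twenty self-controlled wallets hides anything, and why "the full history is in the blockchain" makes backward tracing cheap), here is an added example that is not from this thread: a backward breadth-first walk over a toy ledger. The ledger, the address names, and the investigator's labels are all constructed; it models each transaction only as "spends from these addresses, pays these addresses", while real Bitcoin tracing works on individual UTXOs and needs full chain data and clustering heuristics.

```python
"""Backward tracing of funds over a public transaction ledger.

Added example, not from the thread. The ledger below is a constructed toy:
each transaction lists the addresses it spends from and the addresses it
pays to. Real Bitcoin tracing works on UTXOs and needs the full chain data.
"""
from collections import deque

# Constructed toy ledger: txid -> {"in": [addresses spent], "out": [addresses paid]}
LEDGER = {
    "tx1": {"in": ["exch_A1"], "out": ["joe_w1"]},            # withdrawal from an exchange
    "tx2": {"in": ["joe_w1"], "out": ["joe_w2", "joe_w1b"]},  # self-transfer with change
    "tx3": {"in": ["joe_w2"], "out": ["joe_w3"]},             # another self-transfer
    "tx4": {"in": ["joe_w3"], "out": ["vps_pay"]},            # pays the hosting company
    "tx5": {"in": ["mine_cb"], "out": ["alice_w1"]},          # coinbase-like: no payer
    "tx6": {"in": ["alice_w1"], "out": ["vps_pay2"]},         # mined coins pay hosting
}

# Addresses the investigator already attributes (constructed labels).
KNOWN = {
    "exch_A1": "exchange withdrawal",
    "vps_pay": "hosting provider",
    "vps_pay2": "hosting provider",
}


def build_index(ledger):
    """Map each output address to the txids that paid it."""
    by_output = {}
    for txid, tx in ledger.items():
        for addr in tx["out"]:
            by_output.setdefault(addr, []).append(txid)
    return by_output


def trace_back(ledger, start, known, max_hops=50):
    """Walk backwards from `start` through every transaction that paid it.

    Returns a list of (address, label, hops) for each attributed address
    reached. Chains of self-transfers are simply walked through; only
    addresses that were never paid by any transaction (mined coins in this
    toy) end a branch.
    """
    by_output = build_index(ledger)
    seen = {start}
    queue = deque([(start, 0)])
    hits = []
    while queue:
        addr, hops = queue.popleft()
        if addr in known and addr != start:
            hits.append((addr, known[addr], hops))
        if hops >= max_hops:
            continue
        for txid in by_output.get(addr, []):
            for src in ledger[txid]["in"]:
                if src not in seen:
                    seen.add(src)
                    queue.append((src, hops + 1))
    return hits


if __name__ == "__main__":
    # Constructed scenario: start from the hosting provider's payout address.
    print(trace_back(LEDGER, "vps_pay", KNOWN))   # reaches the exchange in 4 hops
    print(trace_back(LEDGER, "vps_pay2", KNOWN))  # mined coins: nothing to attribute
```

Starting from `vps_pay`, the walk passes straight through Joe's three self-transfers and lands on the exchange withdrawal four hops back; the extra wallets cost the investigator nothing but a slightly longer loop. Starting from `vps_pay2`, the coins trace back to a coinbase-like input with no prior owner, which is the case the next reply describes: when there is no labelled address anywhere in the ancestry, the ledger alone attributes nothing.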

~~~
aaronbasssett
Only, as you say, if you convert them into a "real" currency. If they only used
their Bitcoin to purchase goods (such as a VPS) which were not tied to a
physical address, then they could still remain anonymous.

As for where the Bitcoins came from, I'm sure the author of this document
would have some digital assets they could sell on the darknet to acquire some
Bitcoin. Where those Bitcoin originated then would not be their problem.

