Hacker News new | past | comments | ask | show | jobs | submit login
Phineas Fisher's account of how he took down HackingTeam (ghostbin.com)
429 points by adamnemecek on Apr 16, 2016 | hide | past | web | favorite | 97 comments

> I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and to all those whose blood has been spilled at the hands of Italian fascism.

For those who don't know, they are referring to the 2001 Armando Diaz school attack [1] (warning: graphic), where hundreds of G8 pacific protesters were brutalized and tortured by Italian police. Whilst the police has been found guilty of this, none of the policemen is serving any jail time.

[1]: https://en.wikipedia.org/wiki/2001_Raid_on_Armando_Diaz

That was the one sentence that stood out to me as well. I can imagine this was an incident that had a high impact on "Fisher". I remember watching a live-stream of the incident broadcasted from the building on the other side of the road (which was thankfully the building where my friends stayed).

My friends went inside the school after the raid and took pictures that I can't get out of my head to this day. The whole building looked like a slaughterhouse with blood everywhere. Blood-stains on radiators indicating that peoples heads were repeatedly smashed against them. I also remember the screams you could hear on the live-stream. First it was people yelling "pacifisti" and then just screams for 20min until the screaming stopped and ambulances arrived.

That shit really paves the way for young activists continuous fight against facism of any kind.

Very possible that the reference is sunblock, that is a counter-measure to waste the time of anyone trying to track them down and burn them.

Fisher is experienced enough to know any information they leak will be used against them. My guess is that the event is either symbolic or meant build on a persona used to find people like them; post provides a means of contact.

Regardless of their intent, as made clear by my other comment, this was a tragic event, and the police should be held accountable.

Yes, this is what I thought, too. Also I have the distinct impression that the references to the Spanish language are a red herring as well.

Thanks. I'm shocked, I had no idea this had happened.

An interesting movie about what happened at the Diaz school: https://en.wikipedia.org/wiki/Diaz_%E2%80%93_Don't_Clean_Up_...

Where to find it though? I'm having a hard time finding it through legal or illegal means.

If you can deal with arabic subtitles on top of the english ones, it's at https://vimeo.com/150492784 and https://vimeo.com/150597736

Oh, man... I think I'd rather just Buy a dvd and play it with 3rd-party subtitles. Subtitle gore really bothers me.

>> "hundreds of G8 pacific protesters were brutalized and tortured by Italian police. Whilst the police has been found guilty of this, none of the policemen is serving any jail time."

If police commit crimes, they must be held accountable.

Not in Italy.

Or America

Plenty of police in jail in America. They're just harder to convict. Easier to get them fired. Italy is exponentially worse than America on this issue.

And I say that as an activist against police corruption here who also lives in a murder capital. Police pulling shit that bad here is rare outside the "hoods" where it's thugs and low income people nobody cares about. Still usually just a ticket, thrown on a car, or a brief taser. The worst plant shit on people but they're very rare.

Thanks for the link. Im shocked that I never saw this on US media. Idk if it was censored or I just missed it. This is so brutal it puts Abu Grhaib to shame esp given the targets. Makes me want to get a team together and take a plane to Italy to clean house.

Doubt it would help much at this point. Damage is done. Still pisses me off though.

So, it got some coverage but maybe not enough or not in what news I was reading. Still strange given magnitude of event and anti-fascist demographic here. Figured they'd do it gor ratings at tge least.

How many of these attacks are you aware of?


Terrorism is not quite the same thing, but many are similarly notable.

(I'm probably only aware of a couple of them; I'm not grandstanding about awareness here)

Attacks by police in non-dictatorships against covilians at this level? I dont hear of many and dont think of it same as terrorist incidents.


Please don't do this here.

For anyone who doesn't follow infosec: This guy is responsible for two of the most impressive hacks recently and still hasn't been doxed or arrested. And so the linked doc is awesome if only for the opsec tips it provides. And it provides much more than that. It really gives you some perspective on how much work an attacker will put into breaking into your network and the kind of structured approach they're taking. Plus it's very hands on and is educational and current whether you're black or white hat. If you read nothing else in infosec this month, read this.

He's likely to be identified as he gets more brazen. Even authoring this volume of text is risky, and there are other notes from the same author linked within. Spelling can be used to approximate region and phrases or errors such as "the hard of the business" ("heart of") and "passtime" ("pastime") are even stronger markers. Of course there's no way to tell if these are unintentional or planted errata.

I'm grateful for the information. It's incredibly interesting, but it might come at great expense to the author.

This text is a translation. The original is in Spanish. It might have its own mistakes and traces, although I am not knowledgeable to detect country-specific patterns. http://pastebin.com/raw/GPSHF04A

Presumably, given that they talk about EU culture^W^W^W^W (see comment below) have a https://securityinabox.org/es/… link, the author is from Spain, which would make it easier to pinpoint an origin, as Spain has a wider spectrum of language differences than in most other Spanish-speaking countries.

Since there is a link to http://madrid.cnt.es/, they maybe live in the capital, which weighs 3 million inhabitants.

That's an error on the translation, "EEUU" is the Spanish acronym for "Estados Unidos", referring to the United States of America, not the EU (in Spanish, "UE" for "Unión Europea")

After reading the original doc, by the style used and some slang (although it could be on purpose), I would say the author is from Chile.

I'm glad to find people that still fight the system in this side of the world.

"weones culiaos" sounds pretty Chilean indeed!

I would be willing to bet they are from Italy. I am Italian and they wrote about some stuff that you would know only if you followed Italian news.

They could be dropping some contradictory clues, BTW. I could definitely see that.

Did you verify that the stuff you refereed to as only being known if you follows Italian news is not on the net? Don't those Italian news outlets have websites?

This guy seems to be pretty good at googling around for stuff.

You comment about spelling and phrases reminds me of the NYT's Dialect Quiz Map. I tried it and it was accurately able to guess where I was originally from. While not useful by itself, I could see it being handy as part of an overall investigation.

Hadn't seen it before and so looked it up -- pretty neat. Unfortunately the "results page" was broken, but the individual questions & associated heatmaps were still very interesting. Thanks!


Who exactly would be trying to track him down?

Is there some global force that would be active on him?

HT, Gamma, victims we aren't aware of, or any government who could believably threaten to prosecute then offer a deal for cooperation?

Some people even do it out of curiosity: https://news.ycombinator.com/item?id=11304752

Thats the thing, HT or Gamma without the co-operation of international law enforcement presumably would have a very hard time finding these people in a legal manner. So whats going on up there.

HT Gamma can file a complaint with the relevant authority, just like any other hacked company, and this could trigger an international LE operation.

So I'm not sure what your trying to say.

The Unabomber was turned in by his brother and sister in law who recognized his writing.

Yep. There's even automated techniques for spotting it with decent accuracy.

Or even evaluating the frequencies of words, as well as the frequencies of juxtaposition of words.

What was the other hack?

Gamma International.

He's (or she ;) has skill although I can't say how special. What I'll give Fisher are two things:

1. Great choice of targets where the leaks are less questionable in terms of ethics.

2. A great write-up with references that could benefit attackers, defenders, and students alike.

Phineas Fisher has already publicly outed himself as an Italian security researcher. He openly shares his first and last name on his website.

Wow, this is great. Feels like reading phrack in the 90s. Anyone know of similar, contemporary resources on hacking?

This stuff is gold:

> NoSQL, or rather NoAuthentication, has been a great gift to the hacker community [1]. Just when I was worrying that all MySQL's sins of omission had finally been patched [2][3][4][5], these new databases appear, lacking authentication by design. Nmap found a few in Hacking Team's internal network:

Not to mention: > As fun as it was to listen to captures and watch webcam images of Hacking Team developing its malware, it wasn't very useful. Their insecure security backups were the vulnerability that threw the doors open. According to the documentation [1], their iSCSI systems should have been on a separate network, but nmap count a few of them in their subnet:

I can just hear some one saying to themselves, four years ago, "This backup stuff should be on a separate subnet, but for now this appears to be working. Make a note-to-self to secure it later." ....

There was another one on the finisher attack, also on paste bin that is Worth a read.

Namely this one: http://pastebin.com/raw/cRYvK4jb (also linked in the OP's link).

The border between what is "right" and what is "wrong" is very thin. What he did is illegal but it was right.

I think people should be grateful to the ones that as he did, fight against what is legal but definitely wrong.

Did you get a chance to vote on the law that made what he did illegal?

Better yet, when was the lat time you got to vote on a law that was passed in your country?

I can't understand what you really meant with your questions, but no, usually you don't get the chance to vote law. As a citizen (at least an italian one) you are allowed to vote for parties which in the end vote for the laws. So i don't have the right to directly vote for a law. I can only delegate someone to decide laws for me and this is a broken system at least in 2016 when i think we have all the technology to allow individual votes or at least a better delegation mechanism.

> As far as I know, there's no free way of making inverse whois queries

Whoisology [1] is good for this, though they've been more aggressively pushing their paid options as of late. Also WhoisMind [2], to some extent.

[1] https://whoisology.com/

[2] http://www.whoismind.com/

Free alternative for anonymous requests is to hit the google caches, ex.

    site:whois.domaintools.com "Y Combinator"


Oh wow, he used some tools I wrote (and that someone later updated to work with Vista & above):


Wow, this was a real eye-opener.

>Thanks to the hardworking Russians and their exploit kits... many businesses already have compromised machines in their network. Almost all of the Fortune 500, with their enormous networks, have a few bots on the inside

I could definitely believe that, having worked at a few, they have massive infrastructure and many users that are extremely relaxed about security in general.

What then struck me was the way he casually decided to hack a VPN (!) is it really so straightforward? And the way he seemed confident about testing his exploit on other compromised machines without detection.

I'm always paranoid every time I type 'last' on my Linux box, wondering if the thing is really compromised and totally lying to me - now I'm even more so!

> What then struck me was the way he casually decided to hack a VPN

He's intentionally vague, but given he mentions two routers and two vpn systems, it's highly probable that he's referring to one of the two routers (which is embedded, and has firmware). Furthermore, he refers to a website[1] which predominately deals with routers.

> is it really so straightforward?

Routers, yes[2], VPN daemons, not as much.

[1]: http://www.devttys0.com/training/ - which can also contain a vpn daemon of course.

[2]: https://github.com/darkarnium/secpub/tree/master/Multivendor...

He is active on reddit answering questions - https://www.reddit.com/user/PhineasFisher

> Hacking Team was a company that [...]

AFAIK, they are still operating and still doing exactly the same thing.

Here's a rather technical article on what they are apparently up to: https://reverse.put.as/2016/02/29/the-italian-morons-are-bac...

HackingTeam latest sample is a very fresh sample compared with what we got in the past, it is a sample created post July 2015 hack, and it’s using the same code base as before. HackingTeam is still alive and kicking but they are still the same crap morons as the email leaks have shown us.

They just lost their export license.

More information:



"We can sell everywhere in Europe without a license. We can sell everywhere in the world but we have to ask for a license every time we sell."

My heart bleeds. The question is, how hard is it for a company like that to get an individual license if they have a cozy relationship with law enforcement, which wouldn't be very surprising in their case?

They can sell to Europeans only.

This means they sell black market now to outside EU.

Original text in spanish: http://pastebin.com/raw/GPSHF04A

i'm really happy to see the translation getting around this far. it's an amazing text, & i'm glad my quick & dirty translation job got it out there mostly intact. i never really gave it a proper proofread, so thanks for catching those mistakes. more importantly, though, Phineas Fisher himself has just released his own translation. and, having just discovered that ghostbins are editable, i added a url to his version at the top of the text. here it is again: http://pastebin.com/raw/0SNSvyjJ

I was curious why he was using domain names instead of tor hidden service or other p2p networks. Turns out that using domain names provides a backup communications channel (DNS) that gets through pretty much any firewall.

The other thing to remember is that Tor traffic is generally rare and few places have a business case for it so it's more likely to be monitored, just as in the past many places used to watch for IRC connections since it was infinitely more likely to be a botnet control channel than Fred in accounting seeing whether #quickbooks existed.

DNS, HTTPS to some random AWS/Azure/etc. endpoint, etc. are common as dirt and enough harder to monitor that many places either don't try or struggle to do do effectively.

How did he record these step-by-step instructions with such high detail? Is this common practice?

This is pretty normal for a paid penetration test - but it's got far more technical detail than you'd normally see. I don't think the person behind this has revealed anything particularly new, they just know their tools really well.

Agreed. However, in a formal penetration testing engagement, the tester will usually only record and document their exact steps because they have to provide a detailed report to their client. This hacker didn't have that same obligation. I'm speculating that he is probably a habitual note taker. In this way, if he ever comes across similar challenges when attacking a new target, he has his notes to refer to.

I was curious to read this piece to see how closely the approach, techniques and tools he uses compare to how penetration testers are formally trained in the info sec industry. For what it's worth, the methodology in terms of reconnaissance, privilege escalation and lateral movement within the network are typical. Also, most of the tool set he uses (e.g. mimikatz, responder, meterpreter, powersploit, psexec) are part of any good penetration tester's arsenal.

I'm not trying to down play the achievement though. He is clearly very skilled and knowledgeable. Of particular note, it seems that the initial intrusion was only possible because 'after about two weeks of reverse engineering, I discovered a remote root exploit' in an embedded system. He doesn't provide technical details of the exploit but finding a 0-day in an embedded system is usually far from child's play.

I am non-technical and I love this post for its exhaustive documentation and citations.

Is there any reason to believe this doc was (or was not) produced by a state-level actor?

That is my thought as well, for a few reasons.

Well, the author's day job might be as a "whitehat" for a state sponsored entity -- its even possible/plausible the author could be one of the HackingTeam -- perhaps motivated by company politics to expose them.

can anyone suggest good infosec reads or periodicals?

Security Week[0]?

[0]: http://securityweek.com/

The link doesn't work anymore - getting a 404. Are there any other links?

Wow this person is impressive, the details of the attack and the preparation almost make it read like a Hollywood hacker movie script (if they made good movies about hacking that is...).

the English article now returns a 404. any alternative places it is still visible at?

One of the most sophisticated story i have read so far.

> with just one hundred hours of work

Yeah, right. Most of the tools and knowledge he used would have taken much longer than that to acquire.

I think they're saying that's how much time it took them from the position they started from. Obviously if you have to learn it all and study its going to take an order of magnitude or two longer.

I would have thought that the two-week 0day exploit alone was 100 hours.

So, who's next? :P

got mirror?

> Obviously you have pay anonymously, with bitcoin, for exaple (if youuse it carefully)

Bitcoin is anonymous? Time to go to jail.

Bitcoin can be used in a way that defeats anonymity - as per the parentheses in the quote.

Being pedantic, but I think you mean helps ensure anonymity?

Could you expand on your comment? My understanding is that if a party can't tie a wallet to an identity then it is anonymous. So if you can acquire bitcoins (eg. mining) and purchase something (eg. VPS) without giving up your identity then you are solid.

I've heard conflicting information as far as this goes.

Thinking this through- an adversary who's watching the block chain probably knows some inputs and some outputs. As in, these addresses belong to an exchange, these addresses belong to a hosting company.

Okay, fine. Now remember than any user can literally create wallets out of thin air, and in fact doing so is considered basic security hygiene. Let's say Joe User transfers one coin from one wallet to another wallet under their control. Let's say they do this 20 times, sometimes with the full amount, sometimes less.

How does the adversary attach an identity to those transactions?

You have to use your bitcoins someday. Either to buy real currency or real goods. Then you know where the money went TO. Tracing the transactions back (where the money came FROM) is then not a big deal - full history is in the blockchain.

So as long as you don't do a transaction that connects your identity to any bitcoin address, you are fine. but to use bitcoins you are almost always required to do it (its an electronic financial transaction, they are governed by law to have an identity, but of course you can find entities who do not follow these laws).

Only as you say if you convert them into a "real" currency. If they only used their Bitcoin to purchase goods (such as VPS) which was not tied to a physical address, then they could still remain anonymous.

As for where the Bitcoins came from, I'm sure the author of this document would have some digital assets they could sell on the darknet to acquire some Bitcoin. Where those Bitcoin originated then would not be their problem.

Nobody that I can remember has been able to identify the large bitcoin thefts over the years by tracking the coins, those people cashed out somehow. However the SEC filing on Pirateat40's ponzi scheme was remarkably detailed, they were able to track every single coin he received and prove he spent it on himself.

I would imagine others use JoinMarket to mix up the coins[1], use coin control[2] to exchange for other cryptocurrency p2p, or other obfuscation methods like buying up high demand items with bitcoin then selling them remotely for other bitcoins.

[1]https://github.com/JoinMarket-Org/joinmarket/wiki http://joinmarket.io/


Just by following the flow of the money between wallets? Assuming that at least one of the wallets can be connected to an identity, guessing that the others belong to the same person shouldn't be too difficult, just by observing transaction patterns.

Graph analysis.

The[insert relevant law enforcement] could subpoena the VPN company for your IP address. So that wouldn't be 'anonymous'.

Telling the blockchain about your bitcoins and their transactions would also leak your IP.

To be anonymous you need to do all transactions from anonymous internet and get all your stuff anonymously.

Perhaps a purchased ebook downloaded from TOR.

You can wash your coins of course, I think it currently requires trust in the company doing it and if not done correctly might still leave a trace.

Of course the real world is different, would the FBI do enormous op sec to catch a small time crook. It's more about risk management.

Not if you understand how it works.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact