Debian -- The Universal Operating System

0x00.txt - the write-up/guide from the FinFisher hack

Here is the write-up/guide from the FinFisher hack, which is excellent reading - it is also mirrored here. Hopefully we will get the Hacking Team one soon.
 _ _ _ ____ _ _ | | | | __ _ ___| | __ | __ ) __ _ ___| | _| | | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / | | _ | (_| | (__| < | |_) | (_| | (__| <|_| |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_) A DIY Guide for those without the patience to wait for whistleblowers 
--1-- Introduction
I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple it is, and to hopefully inform and inspire you to go out and hack shit. If you have no experience with programming or hacking, some of the text below might look like a foreign language. Check the resources section at the end to help you get started. And trust me, once you've learned the basics you'll realize this really is easier than filing a FOIA request.
-- 2 -- Staying Safe
This is illegal, so you'll need to take same basic precautions:
  1. Make a hidden encrypted volume with Truecrypt 7.1a
  2. Inside the encrypted volume install Whonix
  3. (Optional) While just having everything go over Tor thanks to Whonix is probably sufficient, it's better to not use an internet connection connected to your name or address. A cantenna, aircrack, and reaver can come in handy here.
As long as you follow common sense like never do anything hacking related outside of Whonix, never do any of your normal computer usage inside Whonix, never mention any information about your real life when talking with other hackers, and never brag about your illegal hacking exploits to friends in real life, then you can pretty much do whatever you want with no fear of being v&.
NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable for some things like web browsing, when it comes to using hacking tools like nmap, sqlmap, and nikto that are making thousands of requests, they will run very slowly over Tor. Not to mention that you'll want a public IP address to receive connect back shells. I recommend using servers you've hacked or a VPS paid with bitcoin to hack from. That way only the low bandwidth text interface between you and the server is over Tor. All the commands you're running will have a nice fast connection to your target.
-- 3 -- Mapping out the target
Basically I just repeatedly use fierce.pl, whois lookups on IP addresses and domain names, and reverse whois lookups to find all IP address space and domain names associated with an organization.
For an example let's take Blackwater. We start out knowing their homepage is at academi.com. Running fierce.pl -dns academi.com we find the subdomains:
67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
Now we do whois lookups and find the homepage of www.academi.com is hosted on Amazon Web Service, while the other IPs are in the range:
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
Doing a whois lookup on academi.com reveals it's also registered to the same address, so we'll use that as a string to search with for the reverse whois lookups. As far as I know all the actual reverse whois lookup services cost money, so I just cheat with google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more whois lookups and repeat the process until you've found everything.
Also just google the organization and browse around its websites. For example on academi.com we find links to a careers portal, an online store, and an employee resources page, so now we have some more:
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
If you repeat the whois lookups and such you'll find academiproshop.com seems to not be hosted or maintained by Blackwater, so scratch that off the list of interesting IPs/domains.
In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com was simply a whois lookup of finfisher.com which found it registered to the name "FinFisher GmbH". Googling for:
"FinFisher GmbH" inurl:domaintools 
finds gamma-international.de, which redirects to finsupport.finfisher.com
...so now you've got some idea how I map out a target.
This is actually one of the most important parts, as the larger the attack surface that you are able to map out, the easier it will be to find a hole somewhere in it.
-- 4 -- Scanning & Exploiting
Scan all the IP ranges you found with nmap to find all services running. Aside from a standard port scan, scanning for SNMP is underrated.
Now for each service you find running:
  1. Is it exposing something it shouldn't? Sometimes companies will have services running that require no authentication and just assume it's safe because the url or IP to access it isn't public. Maybe fierce found a git subdomain and you can go to git.companyname.come/gitweb/ and browse their source code.
  2. Is it horribly misconfigured? Maybe they have an ftp server that allows anonymous read or write access to an important directory. Maybe they have a database server with a blank admin password (lol stratfor). Maybe their embedded devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's default password.
  3. Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap will often find running on nonstandard ports, I usually:
  1. Browse them. Especially on subdomains that fierce finds which aren't intended for public viewing like test.company.com or dev.company.com you'll often find interesting stuff just by looking at them.
  2. Run nikto. This will check for things like webserve.svn/, webservebackup/, webservephpinfo.php, and a few thousand other common mistakes and misconfigurations.
  3. Identify what software is being used on the website. WhatWeb is useful
  4. Depending on what software the website is running, use more specific tools like wpscan, CMS-Explorer, and Joomscan.
First try that against all services to see if any have a misconfiguration, publicly known vulnerability, or other easy way in. If not, it's time to move on to finding a new vulnerability:
5) Custom coded web apps are more fertile ground for bugs than large widely used projects, so try those first. I use ZAP, and some combination of its automated tests along with manually poking around with the help of its intercepting proxy.
6) For the non-custom software they're running, get a copy to look at. If it's free software you can just download it. If it's proprietary you can usually pirate it. If it's proprietary and obscure enough that you can't pirate it you can buy it (lame) or find other sites running the same software using google, find one that's easier to hack, and get a copy from them.
For finsupport.finfisher.com the process was:
At this point I can see the news stories that journalists will write to drum up views: "In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group..."
But it's really quite easy, done almost on autopilot once you get the hang of it. It took all of a couple minutes to:
Looking through the source code they might as well have named it Damn Vulnerable Web App v2. It's got sqli, LFI, file upload checks done client side in javascript, and if you're unauthenticated the admin page just sends you back to the login page with a Location header, but you can have your intercepting proxy filter the Location header out and access it just fine.
Heading back over to the finsupport site, the admin /BackOffice/ page returns 403 Forbidden, and I'm having some issues with the LFI, so I switch to using the sqli (it's nice to have a dozen options to choose from). The other sites by the web designer all had an injectable print.php, so some quick requests to:
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
reveal that finsupport also has print.php and it is injectable. And it's database admin! For MySQL this means you can read and write files. It turns out the site has magicquotes enabled, so I can't use INTO OUTFILE to write files. But I can use a short script that uses sqlmap --file-read to get the php source for a URL, and a normal web request to get the HTML, and then finds files included or required in the php source, and finds php files linked in the HTML, to recursively download the source to the whole site.
Looking through the source, I see customers can attach a file to their support tickets, and there's no check on the file extension. So I pick a username and password out of the customer database, create a support request with a php shell attached, and I'm in!
-- 5 -- (fail at) Escalating
< got r00t? >
 \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
Root over 50% of linux servers you encounter in the wild with two easy scripts, Linux_Exploit_Suggester, and unix-privesc-check.
finsupport was running the latest version of Debian with no local root exploits, but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data 
can write to /etc/cron.hourly/webalizer
so I add to /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
wait an hour, and ....nothing. Turns out that while the cron process is running it doesn't seem to be actually running cron jobs. Looking in the webalizer directory shows it didn't update stats the previous month. Apparently after updating the timezone cron will sometimes run at the wrong time or sometimes not run at all and you need to restart cron after changing the timezone.
ls -l /etc/localtime shows the timezone got updated June 6, the same time webalizer stopped recording stats, so that's probably the issue. At any rate, the only thing this server does is host the website, so I already have access to everything interesting on it. Root wouldn't get much of anything new, so I move on to the rest of the network.
-- 6 -- Pivoting
The next step is to look around the local network of the box you hacked. This is pretty much the same as the first Scanning & Exploiting step, except that from behind the firewall many more interesting services will be exposed. A tarball containing a statically linked copy of nmap and all its scripts that you can upload and run on any box is very useful for this. The various nfs-* and especially smb-* scripts nmap has will be extremely useful.
The only interesting thing I could get on finsupport's local network was another webserver serving up a folder called 'qateam' containing their mobile malware.
-- 7 -- Have Fun
Once you're in their networks, the real fun starts. Just use your imagination. While I titled this a guide for wannabe whistleblowers, there's no reason to limit yourself to leaking documents. My original plan was to:
  1. Hack Gamma and obtain a copy of the FinSpy server software
  2. Find vulnerabilities in FinSpy server.
  3. Scan the internet for, and hack, all FinSpy C&C servers.
  4. Identify the groups running them.
  5. Use the C&C server to upload and run a program on all targets telling them who was spying on them.
  6. Use the C&C server to uninstall FinFisher on all targets.
  7. Join the former C&C servers into a botnet to DDoS Gamma Group.
It was only after failing to fully hack Gamma and ending up with some interesting documents but no copy of the FinSpy server software that I had to make due with the far less lulzy backup plan of leaking their stuff while mocking them on twitter.
Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password already so I can move on to step 2!
-- 8 -- Other Methods
The general method I outlined above of scan, find vulnerabilities, and exploit is just one way to hack, probably better suited to those with a background in programming. There's no one right way, and any method that works is as good as any other. The other main ways that I'll state without going into detail are:
1) Exploits in web browers, java, flash, or microsoft office, combined with emailing employees with a convincing message to get them to open the link or attachment, or hacking a web site frequented by the employees and adding the browsejava/flash exploit to that.
This is the method used by most of the government hacking groups, but you don't need to be a government with millions to spend on 0day research or subscriptions to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit for a couple thousand, and rent access to one for much less. There's also metasploit browser autopwn, but you'll probably have better luck with no exploits and a fake flash updater prompt.
2) Taking advantage of the fact that people are nice, trusting, and helpful 95% of the time.
The infosec industry invented a term to make this sound like some sort of science: "Social Engineering". This is probably the way to go if you don't know too much about computers, and it really is all it takes to be a successful hacker.
-- 9 -- Resources
Links:
Books:
  • The Web Application Hacker's Handbook
  • Hacking: The Art of Exploitation
  • The Database Hacker's Handbook
  • The Art of Software Security Assessment
  • A Bug Hunter's Diary
  • Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
  • TCP/IP Illustrated
Aside from the hacking specific stuff almost anything useful to a system administrator for setting up and administering networks will also be useful for exploring them. This includes familiarity with the windows command prompt and unix shell, basic scripting skills, knowledge of ldap, kerberos, active directory, networking, etc.
-- 10 -- Outro
You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a tool. It's not selling hacking tools that makes Gamma evil. It's who their customers are targeting and with what purpose that makes them evil. That's not to say that tools are inherently neutral. Hacking is an offensive tool. In the same way that guerrilla warfare makes it harder to occupy a country, whenever it's cheaper to attack than to defend it's harder to maintain illegitimate authority and inequality. So I wrote this to try to make hacking easier and more accessible. And I wanted to show that the Gamma Group hack really was nothing fancy, just standard sqli, and that you do have the ability to go out and take similar action.
Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned hackers, dissidents, and criminals!
submitted by m1croc0d3 to HowToHack [link] [comments]

Full tutorial for setting up a hidden service store

Hello everybody! There are a lot of vendors which reputation is very high and may be trusted for direct orders. If they do not want to rely only on third parties markets and be dependant to their downtime, death, exit scam etc. with this tutorial they will be able to easily setup a private store (and harden it a bit).
Advantages:
Disadvantages:
This tutorial will guide you with the entire procedure, from buying a server to setting up Anonymart. This tutorial assumes that you will start with a freshly installed Debian 7. Other setup and software may interfere with my setup script, so if you are unsure read the source code.

Buying the server

This is probably the hardest part. You should look for a provider who accept Bitcoin and that has not strict practices on verifying customers identities.
One of the best resources for finding out such providers is:
https://www.exoticvps.com/
While there are some providers like vultr.com which will not ask for personal details and will not complain about tor, I'd suggest to avoid such large scale companies (especially if based in the US). For example, if we assume the scenario where everybody choose Vultr because it's the easier place to obtain a server, LE may force Vultr to monitor all instances which generate tor traffic without being a a tor node. After that they may cause some seconds of downtime each and compare the result to the availability of the store. The whole point of this tutorial is to decentralize, and you really should think always about that.
On most providers you can't order via Tor with obviously fake credentials because all of them use MaxMind fraud prevention which will blacklist all orders done via Tor, VPN or anonymous proxies.
First of all install proxychains on your torified system. You can install it in Tails and debian based distributions with
sudo apt-get install proxychains
(on Whonix this step is not required)
Now, in order to place an order which seems legit to fraud prevention we need a clean ip from a residential connection. This is what Socks Proxies exist for so you should buy some at Vip72 (or obviously any other provider). The demo cost 3$ and you can pay with Bitcoin via Tor.
After your payment has been verified you should be able to browse Socks Proxies by their Country/Region.
Select one and test it via proxychains. Proxychains is useful because, as the name says, it can chain proxy, so you can connect to the specified set of proxy you want via tor.
Here's the default configuration:
[ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks4 127.0.0.1 9050 
Now add the selected proxy to the conf:
sudo nano /etc/proxychains.conf
[ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks4 127.0.0.1 9050 socks5   
Now open a browser using proxychains:
proxychains chromium
or
proxychains firefox
Keep in mind that this should not be done with tor-browser because it's iser agents and other specifics are detected by the anti fraud system.
If the socks proxy is working you should be able to browse the internet. If nothing loads, just get another socks and change the proxychains configuration.
Now go to http://www.fakenamegenerator.com/ and get something which will match your proxy and seems to be believable.
Choose your provider and try to order depending on which location you prefer and how much money you wish to spend. Keep in mind that this tutorial is aimed to full system, so if you are not ordering a dedicated server but a VPS you should select a full virtualized one (KVM, vmware, XEN-HVM). Unless you're expecting a huge load, 512MB of RAM and 10GB oh storage should be enough.
Your provider will send you an email with information to access to you control panel from where you will be able to install the operating system. This tutorial is specifically for Debian 7 x64 (x86 is ok too), but if you know what you are doing you can obviously

Basic server setup

First of all you have to generate a ssh key if you already don't have one.
ssh-keygen -t ecdsa
With that command we are generating a 256 bits ECDSA key.
If you left the dafult options you should be able to get the public key using:
cat .ssh/id_ecdsa.pub
Now login to your newly installed server. The panel should have generally asked you to provide a root password or sent via email a random generated one. Since here we're assuming that you are on Tails, Whonix or any othe system which force all connections trough tor. In particular, if you are on Tails, you should enable SSH keys persistence. If you continue on the tutorial skipping this part, you will loose your keys and the access to the server as soon as you shutdown your computer.
ssh [email protected]
Answer yes to the first question.
Now the last step:
git clone https://github.com/anonymart/anonymart.git /vawww/anonymart
sh /vawww/anonymart/bin/full_setup.sh
The installation script will update the system, remove useless packages, install the required ones, configure a nginx+php-fpm+mysql stack, configure tor, configure iptables and much more. If everything goes smoothly at the end it should tell you an onion address which will be the the url of your store and an onion address which you will use to connect via ssh to the server instead of the original ip.

Configure anonymart

Now go to your new url. You will be redirected to /settings/create where you will create the basic settings for yout store. Choose a very strong password. Bitcoin address for payments will be generated using your Electrum master key (which can't be used to spend the coins) using BIP32.

Final

I've already coded a small script where vendors may enter their onion url signed with their GPG key. The script will look up on Grams for that GPG key and match the vendor to the url and add it to a public database. If some stores start to popup, i will make it available as a hidden service.
Donations: 12xjgV2sUSMrPAeFHj3r2sgV6wSjt2QMBP

Some notes on anonymart

The original developer of anonymart has decided to abandon the project because interested in something else. I was already collaborating with him before that decision so he decided to pass to me the lead of it. I've reviewed part of the code and i haven't seen security issues, but this doesn't mean it's 100% secure. I'll do my best to review it all and add some missing features like:
  • Two factor authentication
  • Switch from blockchain.info api to lookup on Electrum stratum servers
  • Add the possibility to add more than one image per product
  • Change the order id from incremental to a random one
  • Add JSON api to list store products to facilitate third parties search engines
Unfortunately I'm not very familiar with laravel yet, so before messing with the code I'd need some times, so don't expect huge updates soon.
submitted by spike25 to DeepDotWeb [link] [comments]

Infrastructure security tips for Bitcoin Websites

I'm not amused by the latest Bitcoin hacks, I therefore made a checklist for anybody that hosts a site.
PHP
Apache/lighttpd/nginx
OS
Database
Intrusion Detection
Infrastructure
Mail
Firewall
Web Applications Firwalls/DDoS Protection
Backup
Source Code
Some info about me:
I'm 26 years old, have experience in webhosting for 10 years, also some coding experience. I have a degree in computer science. I work as system engineer doing managed hosting and application management of mostly websites for well known companies. I'm mostly involved in infra architecture, initial setup during service transitions, performance tuning. I'm not a security guy but I work with them every day.
I'm available for review/setup of your infrastructure in my spare time, payment in BTC only. Since a lot of trust is required I will provide my full personal details including proof of my work and education. I do NOT use any tools to check your system but rather look at it by hand.
submitted by aeyes to Bitcoin [link] [comments]

Debian 10: Installing MySQL (not MariaDB) Installing the Electrum Bitcoin in Debian 9 (Stretch) install bitcoin full node on debian Debian 8 Installing MySQL Database Server and phpMyAdmin Unix & Linux: Debian 8 - Install lastest version of MySQL ...

Install php (the language wordpress is written in), the php-fpm plugin (which lets php run in the background), the php-mysql plugin (which lets php work with some database software that you will probably install later if you decide to build a wordpress site), and nginx, which we will use as our webserver. apt install php php-fpm php-mysql nginx -y Step 2: Install MySQL 8.0 on Debian 10/ Debian 9. Once the repository has been added, install MySQL 8.0 on Debian 10 / Debian 9 by running the following commands: sudo apt update sudo apt -y install mysql-server. When asked for the rootpassword, provide the password. Re-enter root database user password. Select the Authentication plugin and ... Debian Buster (Debian 10) is the latest release with MariaDB as default fork of MySQL in their repositories. We will install MySQL 8 in this guide. Debian 10 buster includes 40% updated software packages, such as Apache 2.4, BIND DNS Server 9.11, PHP 7.3, Python 3 3, Ruby 2.5, MariaDB 10.3 and so on. Ubuntu is based on a snapshot of Debian and naturally, they are similar in many ways. Ubuntu ... Debian is a free operating system (OS) for your computer. An operating system is the set of basic programs and utilities that make your computer run. Debian provides more than a pure OS: it comes with over 59000 packages, precompiled software bundled up in a nice format for easy installation on your machine. Read more... This guide shows how to install and run Bitcoin Core on a clean Ubuntu 18.04 system. Prerequisites. Although Ubuntu carries Bitcoin Core in the Software Center, the release tends to be out-of-date. For this reason, this tutorial won’t use the Software Center. Compilation from source offers one alternative, but involves many steps. A more direct route is to install a precompiled binary from ...

[index] [37621] [46998] [42530] [13982] [19549] [25897] [16826] [18934] [32712] [38988]

Debian 10: Installing MySQL (not MariaDB)

Beginners MYSQL Database Tutorial # How to install MySQL on Ubuntu/Debian Linux - Duration: 5:19. ProgrammingKnowledge 275,799 views. 5:19. Install & Configure PHP7, MySQL/MariaDB, ... The Crypto Dad shows you how to set up the Electrum Bitcoin wallet in the Debian 9 (Stretch) Linux distribution. We go through downloading (with verification) and installing the Electrum bitcoin ... install bitcoin full node on debian blocksize. Loading... Unsubscribe from blocksize? ... Make Login and Register Form Step by Step Using NetBeans And MySQL Database - Duration: 3:43:32 ... Installing MySQL database and phpMyAdmin Melakukan instalasi MySQL database dan phpMyAdmin. Unix & Linux: Debian 8 - Install lastest version of MySQL Helpful? Please support me on Patreon: https://www.patreon.com/roelvandepaar With thanks & praise t...

#