brmlab

User Tools

Site Tools

You are here: Hackerspace Prague » Events » Data processing
event:hackedteam

Table of Contents

Hackedteam
hacking-team.jpg
organizer: niekt0
date/time: 9.7.2015 19:00
place: brmlab
stream: jen ten neoficiální

Drazi supi, internetove more nam vyplavilo obzvlaste velkou a smrdutou zdechlinu. Nuze hodujme.

K dispozici by meli byt kompletni leaknute data (400G), mozna i zaindexovane jestli se to stihne. Cilem je najit co nejvic informaci relevantnich pro nasi malou cz-sk gubernii.

http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html https://www.reddit.com/r/HackedTeam

Data processing

  • get it
  • remove warez? there is a lot of software (cracked Windows, IDA…), it eats capacity and may cause legal problems with sharing
    • also, linux ISOs - just a waste of space
  • extract all archives
    • also, some FS images, like raspberry card…
  • extract Outlook folders with readpst -S -D
  • run recoll (xapian index machine), this takes some time if you don't have SSD
  • result → http://nat.brmlab.cz:9066/
  • /support.hackingteam.com.tar.gz contained SQL database, you should be able to drop it to /var/lib/mysql and read it
    • Mrkva provided nice extraction script, see below

Support database

It seems that most exploits are created semi-automatically as one-time droppers to prevent misuse. This means that every exploit has been processed as a support ticket.

Extraction script: http://nat.brmlab.cz/ht-cherrypick/getcz.sh

Extracted tickets by Czech police: http://nat.brmlab.cz/ht-cherrypick/supcz.tar.gz and http://nat.brmlab.cz/ht-cherrypick/supczold.tar.gz

Currently the following techniques were identified as being used by the Czech police:

  • browser exploits (they send you a link to HT servers that exploit your browser and then redirect to a specified page. We have seen WTFs like http://www.levnethuje.cz/prodej/brno)
  • MS Word exploits
  • browser and Office exploits are usually just wrappers for Flash exploit (see vector-exploit repo for builders and source)
  • Recording ambient audio with infected Android device
  • Flash exploits injected using a MITM device (think connected at the target's ISP, evil WIFI AP etc.). This works for flash on both Win, OSX and Linux.
  • Computer tracking based on sorrounding SSID
  • Infecting Windows PC by Evil Maid attack
  • Czech police had license for Windows version of the spyware and was evaluating Linux and iOS version. The evaluation license was issued 26 Jun 2015, so they presumably did not have too much time to enjoy it.

General spyware info

It looks like the Hackingteam spyware won't install inside virtual machine or when one of the following processes is running:

  • Explorer Suite$
  • IDA Pro v
  • Wireshark
  • API Monitor
  • VMWare Tools
  • WinPcap
  • ^Syser
  • \\.NET Reflector
  • ^PE Explorer
  • ^SysAnalyzer
  • Python .* volatility
  • VirtualBox Guest Additions
  • Process Hacker
  • Mandiant Red Curtain
  • ^OSForensics
event/hackedteam.txt · Last modified: 2016/12/07 22:08 by 127.0.0.1