OpRussia

From Enlace Hacktivista

A lot of Russian-based companies have been having their servers blown wide open and their emails flying out all over the place for the world to read. Leaks are nearing a MILLION plus and continue! When Russia made the decision to illegally enter another country, hackers all around the world realised that Russia was fair game and that the chance of prosecution for non-Russian hackers is next to none, because who really cares if you hack a country widely known for hacking other countries, holding them for ransom in the sum of millions, and killing untold numbers of innocents in the country of Ukraine?

Explanation of the Hack

For Russia we realised that a lot of companies and organisations haven't yet fully patched their Exchange servers and many are still vulnerable to ProxyShell! We then went out and tried to find as many vulnerable high-profile targets as possible and then leaked their emails to DDoSecrets [1].

For a lot (not all) of the Russian email leaks the recon process was:

  1. Shodan dorks: country:"RU", http.title:"outlook", http.title:"OWA", http.title:"Autodiscovery", http.title:"Microsoft Exchange", then download the results (you may also search for the CVE).
  2. Parse the IPs out of the list: grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file1 > file2
  3. Then separate vulnerable from non-vulnerable, exploitable from non-exploitable: nmap --script http-vuln-exchange-proxyshell.nse -iL file2 -oA file3 -p 443 [2]

From here we then used [3] to exploit the vulnerable servers and proceeded to download as many of the emails as possible, if not all of them. The leaks will continue to be published until Russia has completely pulled out of Ukraine!
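For an Exchange administrator who wants to know whether their own front end was hit by the kind of ProxyShell requests this page describes, the following is an added detection example written for this page; it is not code from the page's authors or from any of the tools referenced above. It walks IIS W3C log lines from the Exchange front end and flags the two widely published indicators of ProxyShell path-confusion attempts: requests to /autodiscover/autodiscover.json whose query carries Email=autodiscover/autodiscover.json, and autodiscover.json requests with an '@' segment in the path or query. The log lines, host names and client addresses are constructed for the example, and the field order assumed is the common IIS default (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status).

```python
"""Scan IIS W3C logs from an Exchange front end for ProxyShell-style request patterns.

Constructed example for this page (not the original authors' code). Assumes the IIS
field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
c-ip cs(User-Agent) sc-status. IIS writes '+' for spaces in the User-Agent, so a
plain whitespace split is enough here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: two benign requests, a probe that was rejected (401), a probe
# that reached the back end (200), and a plain '@' path-confusion probe (403).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-03-01 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.21 Microsoft+Office/16.0 200
2022-03-01 10:00:02 10.0.0.5 GET /owa/ - 443 - 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) 200
2022-03-01 10:00:03 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/owa/&Email=autodiscover/autodiscover.json%3F@example.test 443 - 203.0.113.7 python-requests/2.25 401
2022-03-01 10:00:04 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/&Email=autodiscover/autodiscover.json%3F@example.test 443 - 203.0.113.7 python-requests/2.25 200
2022-03-01 10:00:05 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/owa/ 443 - 198.51.100.9 curl/7.79 403
"""

AUTODISCOVER_JSON = re.compile(r"/autodiscover/autodiscover\.json", re.IGNORECASE)
EMAIL_PARAM = re.compile(r"email=autodiscover/autodiscover\.json", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    client_ip: str
    uri: str
    status: int
    reason: str
    reached_backend: bool  # a 2xx answer means the front end proxied the request


def parse_line(line: str) -> Optional[dict]:
    """Split one IIS W3C line into the fields we need; skip comments and short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 11:
        return None
    return {
        "time": f"{parts[0]} {parts[1]}",
        "method": parts[3],
        "stem": parts[4],
        "query": parts[5],
        "client_ip": parts[8],
        "status": int(parts[10]),
    }


def classify(rec: dict) -> Optional[str]:
    """Return a human-readable reason if the record matches a ProxyShell indicator."""
    stem, query = rec["stem"], rec["query"]
    if not AUTODISCOVER_JSON.search(stem):
        return None  # ordinary Autodiscover (.xml) and OWA traffic never hits this path
    if EMAIL_PARAM.search(query):
        return "autodiscover.json request with Email=autodiscover/autodiscover.json"
    if "@" in stem or "@" in query:
        return "autodiscover.json request carrying an '@' path segment"
    return None


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason is None:
            continue
        uri = rec["stem"] if rec["query"] == "-" else f'{rec["stem"]}?{rec["query"]}'
        findings.append(Finding(
            time=rec["time"], client_ip=rec["client_ip"], uri=uri,
            status=rec["status"], reason=reason,
            reached_backend=200 <= rec["status"] < 300,
        ))
    return findings


def sources_reaching_backend(log_text: str) -> Set[str]:
    """Client addresses whose suspicious requests were answered 2xx; triage these first."""
    return {f.client_ip for f in scan(log_text) if f.reached_backend}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "REACHED BACKEND" if f.reached_backend else "rejected"
        print(f"{f.time} {f.client_ip} {f.status} {flag}: {f.reason}")
    print("sources to triage first:", sorted(sources_reaching_backend(SAMPLE_LOG)))
```

The split between "rejected" and "reached backend" matters for triage: a patched or properly fronted server still logs the probes, but a 2xx on an autodiscover.json request with these markers is the line that warrants pulling the server into incident response rather than just blocking the source.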

Media Coverage

Partners