Swag reminder https://teespring.com/stores/illmob-swag-shop
Simple tool to create HTA files that evade AV
CORS Misconfiguration Scanner.
Metasploit Shellcode Grows Up: Encrypted and Authenticated C Shells
SkelSec/pypykatz 0.3.0 released
rogerorr/DllSurrogate – DLL to call 32-bit COM from x64 binaries
phackt/stager.dll – Metasploit shellcode detection evasion
ANDRAX v4 DragonFly – Penetration Testing on Android
facebookincubator/WEASEL – DNS covert channel implant
Cobalt Strike 4.0 Released
macOS Red Team: Calling Apple APIs Without Building Binaries
antonioCoco/RogueWinRM – Windows Local Privilege Esc
xFreed0m/Disruption – Terraform script to deploy AD-based environment on Azure
b4rtik/ATPMiniDump – Evading WinDefender ATP credential-theft
sachinkamath/ntlmrecon – fast NTLM reconnaissance
Pwnagotchi 1.4.0 Released
FSecureLABS/awspx – Graph tool for access and resource relationships in AWS
leo-lb/wpbrute-rs – WordPress login bruteforcer
CVE-2019-2890 – PoC
harleo/asnip – ASN / IP range attack surface mapping
Mimikatz 2.2.0 20191125 – released
sailay1996/UAC_Bypass_In_The_Wild – Windows 10 UAC bypass for all executable files which are autoelevate true
0vercl0k/CVE-2019-11708 – Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.
AMSI as a Service — Automating AV Evasion
Bad Binder: Android In-The-Wild Exploit
Getting Malicious Office Documents to Fire with Protected View
Weak encryption cipher and hardcoded cryptographic keys in Fortinet products
Reflected XSS in graph.facebook.com leads to account takeover
Cracking Mifare Classic cards with Proxmark3 RDV4
Red Team Diary, Entry #3: Custom Malware Development
Evading WinDefender ATP credential-theft
Dumping LSASS without Mimikatz with MiniDumpWriteDump
[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.
HackerOne breach lets outside hacker read customers’ private bug reports
CVE-2019-12750: Symantec Endpoint Protection Local Privilege Escalation
BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets
We thought they were potatoes but they were beans (from Service Accounts
Spilling Local Files via XXE When HTTP OOB Fails
+20 new dumps added to our database
HRShell – Flask HTTP/HTTPS Reverse Shell/C2
Evil WinRM + Donut-Loader
USB Armory MKII
PyPyKatz-WASM – Parse lsass dumps in the cloud
SMB2 snapshots with Impacket SMBClient
Python API wrapper for spyse.com tools
SharpDoor – termsrv.dll multiRDP patcher
Just in time for summer camp, I finally got around to adding designs to the new illmob store on ::teespring::; tried to keep the prices at cost. We will also be handing out some stickers, and prizes will be given out randomly if you find us. See you there!
TL;DR: The infosec ‘community’ is a dumpster fire. (with lots of screenshots that everyone loves to post.)
So since a shitty reporter wrote a hit piece giving a one-sided view of the illmob Facebook group, I figured we’d get all the info on the table so you can draw your own conclusions instead of following the narrative. This was never about illmob being misogynists. They wanted to twist it to make it seem like posts about the few women who caused drama and faked the funk in the scene were us lumping in all women, even though there were other females in the group.
On illmob it was mostly a lot of posts related to infosec: we dropped security-related news, 0days, tools, breaches, and yes, talked shit about people we felt caused drama or called out for being frauds. If this had happened in 2010-2011 we would have been called racists for calling out Gregory Evans for calling himself the World’s #1 Hacker.
This changed in September 2017 when tweets started popping up on Twitter about conferences adopting Codes of Conduct etc., trying to push the GamerGate narrative into the infosec community. Tweets from Roxanna ‘@theroxyd’ Dehart, who had never attended a single DerbyCon, started to push the agenda of asking why the conference doesn’t have a CoC. There was some back and forth between a few of us, including me, Martin Bos, Roxy, Brian ‘@DeviantOllam’ Rea, and Wesley McGrew. During that time I was making stickers and ended up making this sticker.
And I got into a back-and-forth fight with Wesley McGrew over the sticker, for which I made a photoshop of him.
I was calling him out because usually the loudest backers of bullshit are the ones who want to pretend to be for the cause.
Example: this tweet about Georgia Weidman, after she had posted on Twitter asking for opinions on her new website design and I said her logo was shitty.
The resulting tweet a few months later was her tweeting at BSidesCT to try to get me removed from the conference for being mean about artwork. But it did make her improve the logo…
This started a whole pile-up on Twitter of people questioning her abilities, during which Georgia’s mom made an account on Twitter to fight with everyone. I got this message from Wesley:
So does this make Wesley a misogynist because he was going against someone he felt didn’t belong, or was it worse that he did it in private?
Was he complacent for being in the group with a ‘burner account’?
^ nuff said.
We’ll get back to Georgia further down the post…
One good thing to come out of the DerbyCoC stickers was that I sold all of them for donations and then donated all the funds received to two different non-profits that support women in technology (Girls Who Code & CyberJutsu Girl’s Academy).
Some of the leftover funds from money coming in after DerbyCon went to the Puerto Rico hurricane fund, which happened right around the same time.
But yeah, we’re a misogynist hate group…
Now let’s address this tweet. This is the tweet that set it all off. I understand relationships go bad and can have bad actors on both sides. People can also be vindictive as fuck after breaking up. That’s not to say nothing happened that was tweeted, or to downplay the seriousness of the accusations, but it’s up to the police and courts to decide once all the evidence is presented by both parties, not Twitter or a conference.
Being that I was working security for the conference, upon seeing this tweet I had a duty to let the rest of security know about it. Because it was in a sea of other people who were already talking shit on Twitter, I may not have worded it in a way that was understood by some.
Immediately I was PM’d and this conversation happened.
Hopping on our security team Slack, I immediately informed the team to make sure they were aware there might be an issue and that we should look into it. She had stated there was paperwork submitted, but this had not trickled down to the rest of the team. I was only trying to help; I wasn’t trying to be offensive to someone who may have experienced something like what was tweeted.
Upon coming out of that PM, I was greeted with a tweet from Brian ‘DeviantOllam’ Rea, whom I had already been arguing with in previous weeks. Twitter isn’t the greatest medium to get points across because no one knows your tone or intention. Hence this response.
I’m not one to take shit, especially from some no-talent assclown who does lockpicking party tricks that my locksmith down the street does daily. I responded and said I was on staff and told him to go back to being a cuck. Brian immediately called Dave at his wife’s birthday dinner to cry about being called a cuck.
This was from Dave’s own Facebook page. Dave was at dinner and didn’t want drama, so he had the head of security call me to say that I couldn’t come to DerbyCon, which of course was changed to: I was able to come, just not volunteer my time to do security. I wasn’t getting paid to work; I drove 12 hours each way for 7 years to help with a conference that I believed was one of the best conferences around, with awesome people. I didn’t want anything in return. I vented in the illmob group, which a lot of people were a part of at the time, including people who helped run DerbyCon.
The accuser’s ex-bf also hit me up during this time.
Making light of the situation during the weekend, I made some photoshops of Brian ‘DeviantOllam’ Rea and his wife Tarah Wheeler to fuck with him, which got circulated from the group. There were people in the group who knew Brian and sent him screenshots, such as the ones seen below. It’s the fucking internet; if shit like this offends you then you aren’t built for the internet.
We knew there was a leak because someone took a photo of them trying to laugh it off while they were at DerbyCon, pointing at the pictures. I photoshopped those out and made it them laughing at ‘her’ book, which was also posted in the group.
During this time Shannon ‘@snubs’ Morse, along with Roxy, started to chime in more about Codes of Conduct and even went as far as writing a Tumblr blog post naming me, a DerbyCon videographer (IronGeek), the accused/unnamed rapist, and YTCracker as ‘women haters’. It also told the story of how YT grabbed snubs’ ass during a drunken Defcon party a few years earlier. YT admitted he was wrong and apologized profusely. I tweeted at her asking about her grabbing Bill Gardner’s ass at DerbyCon to jump the beer line, for which I was blocked. The post was discussed in the group, along with another photoshop. At some point it was discussed that she had sent some nude photos to her boyfriend that had been leaked; these files were easily found if you just googled her name. There was no threat to release her pictures because they had already been floating around the internet for more than 10 years now; we weren’t the ones disseminating them. Does that make it right to talk about it? No. But neither do false claims.
That pretty much brings us to the present. There were two posts unrelated to the previous drama, but they got intertwined with the whole DerbyCon drama in 2018. I was there this year but stayed in my room to watch most of the talks because the vibe was off and I was only there to hang out with friends.
There was a Mental Health Village to help people in the community deal with their various issues. There was a whiteboard outside the village asking “what makes you happy?” Someone wrote ‘boobies’, then someone else wrote ‘#metoo’ underneath, pointing to the writing. This caused issues with one female attendee, @deborahlindseyl. She tweeted at @derbycon about the issue and was unsatisfied with the timeliness of their response. She also criticized Amanda Berlin for covering the offending text with a sticker (which happened to be for a podcast Amanda was a part of), so she accused them of trying to cover it up and promote the podcast.
She also went on to criticize Walmart Security for having mustache combs at their booth and not anything for women. People went on to assume she was just another shit-stirrer and didn’t take seriously her opinion that a poor attempt at a joke should be something the conference as a whole should be responsible for. AFAIK the conference organizers tried to resolve the issue as quickly as possible, but I wasn’t a part of any of it so I can’t confirm what went down. Other people who were there did comment in the group on what went down, along with reports of other people complaining that there were nazis at DerbyCon because someone was photographed doing the ‘circle game’ symbol. After this died down, someone thought it would be funny to post a picture of her face on a battleship, calling her ‘BattleCunt’.
Around the same time someone posted a tweet from Georgia Weidman claiming that DerbyCon 2013 was worse than an attempted rape that happened when she and Brian ‘DeviantOllam’ Rea were attending a conference in Poland (during which Brian didn’t believe her narration of events, for which he apologized 4 years later on his blog and deleted previous tweets saying she was a liar).
People in the thread were questioning her state during DerbyCon, where she admits to drinking before and during her talk, which wasn’t well received. Not because she was female; it was just that the content was filled with drunken ramblings. There were other items from people who had in-person accounts of her doing/saying other things, mentioned in the screenshots. Shit got rowdy in the posts, with both men and women responding with their opinions and experiences. Also there was talk that she did a training while drugged up; it was so bad that conference organizers offered attendees another free class to make up for it.
Besides, no one wants to take you seriously if you dress like this during a technical conference.
Georgia herself recognizes the CoC narrative.
The reporter for Motherboard was also in the group, and had been in the group for over 18 months. He was brought into the group by Runa Sandvik, who was an original illmob member. He was a tech writer, so everyone figured he was there to get the latest tech scoop before other reporters did. He must have had a deadline to meet to deviate from the normal writing he did. Do I blame him for the article? Yep. It was a one-sided piece; he messaged a few people involved in the article, including me. He didn’t even take time to research anything; he went from messaging to article within the afternoon. Here’s my conversation.
As you can see, the shitting-on-males narrative doesn’t make for a good hit piece. It was poorly researched considering the length of time he was in the group (18 months to 2 years). Does that make him complacent, like everyone who feels the need to apologize for being in the group so that nobody calls their place of work trying to get them fired? We were a group of guys AND girls; we didn’t hate women.
If you want to fit your own narrative: one of the players in this drama, who promotes ‘women in tech’ and even wrote a book on it, is now being sued in court along with her employer for allegedly trying to force people she was in charge of to do illegal things (see ::HERE:: and ::HERE::); the trial is scheduled for next year if it is not settled out of court beforehand. When someone complained to HR, Tarah responded by wiping evidence from one of the plaintiffs under the guise of a ‘laptop upgrade’. Shit like this in the workplace does worse for women than some memes and name calling.
I’ll leave you with me being my ‘meanest’ on Facebook.
her ability as a WordPress ‘dev’ to leave a .bak backup in the root directory
her ability to write a ‘book’ that she relied on other women to write
Female attendee, DerbyCon 2017.
P.S. The Facebook group never closed; people were removed and the group was trimmed down to fewer than 50 members who continue to discuss infosec and learn. Fuck the bullshit.
P.P.S. For those thinking I’m only photoshopping women: https://imgur.com/a/28mndq2
Seems like our little journalist, Lorenzo Franceschi-Bicchierai, is no stranger to being a misogynist homophobe himself. He tried the age-old “sorry, I’m ashamed of these tweets and I’ve changed” when confronted with them, and then deleted the tweets. The internet is forever, cupcake; nice try though.
So I have a bit of history with the old trojan scene from 20 years ago. I got my first computer in 1999; around that time I had also read articles in USA Today about BO2k being released at Defcon etc. I had dialup CompuServe at the time; most of my friends who were online had AOL, so I used to try to get free access on there, and it’s where I learned to jack accounts from. At the time one of my friends suggested a program called Sub7. I used it regularly; it’s where I learned how networking and Windows 98 worked. I learned how file extensions worked: by changing the .exe to .com I could name the file something less conspicuous to trick the target into opening something called www.mypics.com. I learned programming because I needed to make small 2kb web downloaders in Microsoft Macro Assembler (MASM), because targets wouldn’t like to download a 300kb+ file over dialup.
So I was pretty well versed at the time in all the features and nuances of Sub7. I hung around IRC at the time with a bunch of smart people who to this day I am still very good friends with. I tried to keep track of a lot of people at that time and still have some people pop into the illmob IRC from time to time to say hi. My last remembrance of Sub7 back then was in 2003ish when the final version came out. The real mobman had released versions few and far between at that time, and people wanted a version that worked with XP (there was a hard call to a DLL that made Sub7 fail and pop up a message box if you tried to get RAS passwords etc.) and other details I will get to later in this post. There was an attempt around 2009 to reboot it with the ‘blessing’ of mobman by someone named read101. It was a shitshow; I wrote an article about it on here :::HERE:::. It was basically a failed attempt to make it look like Sub7 that then used Nirsoft password recovery tools bound to the server.exe to do password recovery. A real shitshow. After that failed release it got quiet for a while.
I had gotten in trouble a while back and was on probation; around 2010 the FBI paid me a visit asking a bunch of questions etc. They didn’t give me a reason for their visit but claimed they wanted help and that “it would benefit me, i.e. money, equipment etc., done with probation…”, but they never gave me reasons why they showed up or what they wanted to know. I had thought that it was because I filed a motion to be released from my probation early (which I had also written with some help over IRC from Jeremy Hammond).
Eventually I blew them off. But curiosity got the best of me and I wanted to see if there was a Jeremy connection to the visit when he got busted for hacking Stratfor with LulzSec, so I filed a Freedom Of Information Act (F.O.I.A.) request on myself. After a number of years I got the results back (the fucking F.B.I. and government are slow as fuck). So I got my results back eventually and found out that at some point in 2009 there was an informant in Tennessee claiming that *I* was mobman and I had started coding newer versions of Sub7. I will provide a screenshot if need be; the results I got back from the feds were heavily redacted. That’s why they paid me a visit. They asked about botnets etc.; I figured out later that they were working on taking down the Coreflood botnet, which the agent who paid me a visit had taken down with help from Microsoft, by seeing this article a few months later ::Article Here::
Flash forward to 2013: there was an article in ::Rolling Stone magazine::. It featured some ‘geek’ hackers; one that stuck out was someone calling themselves ‘mobman’. So I’m like, oh fuck, he’s back, so I started to dox this new person, “Greg Hanis”. Firing up Evernote I just started pasting odds and ends about him, found his Skype and started messaging him. The whole point of this article is not to shit on him as a person, but to shed light on this grift he has of being mobman. So as I was talking to him, I would ask him particulars of that era, nicks and handles of people in the IRC that I still recall; he kind of shrugged them off when I was chatting, saying he didn’t recall. I chalked it up to a decade of memory loss and also shrugged it off. I kept digging too, though. I found arrests in Florida from online mugshot sites, found his social media profiles. I started digging but kind of lost interest because there were people I knew who knew him personally from the scene. Eventually, I think it was Defcon 2015, I met him in person. I brought him to the room I was staying at with a friend, who had also known the real mobman from IRC; he even fired off some questions that Greg shrugged off. This went on a few times at Defcon when I hung out with him. I didn’t question that he knew John McAfee, working with the failed venture DemonSaw, or the time I snuck into the private party section of Hustler’s Club and drank all John’s liquor while I chatted up his wife Janice, getting drunker and drunker (which Greg had said he could get us into as VIPs, but I ended up sneaking by the bouncers myself).
I started gathering more doxx over the years too, when I started getting into breached password database dumps. Now Greg had always used the handle GregTampa for his online persona; why would someone go from a mysterious handle like mobman to a handle that exposes his name and where he was from? A lot of his cross-referenced emails and passwords popped up in the databases, none leading to anything Sub7 related. The Wikipedia article on Sub7 didn’t start mentioning Greg until after 2014.
Recently I had a pentest in Philadelphia this summer, close to where an old IRC friend lived. During the course of reminiscing we talked about Sub7 and our memories of it. We also talked about Greg as mobman. I mentioned he was weird and was always evasive when answering questions; we said we should confront him about it sometime. Then there was a podcast that came out called Darknet Diaries in August of this year. Whenever Greg was asked about Sub7 he would use the same tactics of jumping around the questions; he sounded more like a user of Sub7 than someone who actually coded it. I talked with my friend about it and he came to the same conclusion. We talked more about confronting him but never got around to it. Then The Many Hats Club did a podcast on him this past week. Same fucking shit; I’ll break down some highlights. He claims he was a teenager when he wrote it, to “hack people on Ultima Online”; now going by his slideshare info seen here,
he says he was 15. Greg was born 10/27/1980, so that would have been 1995. First off, trojans weren’t really a thing yet; secondly, Ultima Online wasn’t released until September 1997; and third, Sub7 1.0 wasn’t released until 1999.
The Romanian Angle
OK, this is where we start to get into the juicy proof. My memory of mobman was always of some Euro guy, because not only did he speak like English wasn’t his first language, I had other friends who talked to him in Romanian on IRC. Secondly, mobman gives shoutouts and a dedication to B.U.G. Mafia in a release of Sub7 (they were an underground Romanian rap group). Another version of Sub7 was called M.U.I.E., about which on the Sub7 site he said this:
Greg is of Greek heritage, which he admitted in chatlogs in which me and some friends started interrogating him in a Facebook group chat. In these same chatlogs we inquired why he would give shoutouts to a Romanian rap group; his only explanation was this:
In these same chatlogs, which I will link to, I start pressing him with some hardcore questions about people in the scene back then and particulars of the program itself. One of the first items is Hard Drive Killer Pro, which was an old batch file from someone named Munga Bunga; its intent was to recursively erase files on Win98 and 95, rendering the machine useless if rebooted. mobman had bound this bat file to the server because of “one particularly lucky son-of-a-bitch named Sean Hamilton, ICQ #7889118. If Sean or someone with his ICQ account information stored on his/her computer managed to get the virus on their computer, the virus would proceed to erase the computer’s entire hard drive using Hard Drive Killer Pro. This also means that if you are running a computer infected with SubSeven and happen to add information to the registry that lists possession of ICQ UIN #7789118, it will instantly bomb your hard drive”, which was found out and used by people to wreck their victims. Greg’s explanation was in this chatlog: mobman1.pdf, in which he claims a woman was his target.
Another issue was the master password. At some point it was either leaked or someone reversed the code of the server to find that there was a backdoor password to control servers. Anyone could connect to it with the client and type the password “14438136782715101980” and gain access to the victim. Greg was asked his explanation of the master password:
which might seem like a plausible answer had he not taken almost 2 hours to come up with it. With that jumbled amount of numbers anyone could have lucked out, but he also gets it wrong: his ICQ number for gregtampa is 14204407, as can be seen in this old Angelfire account, not 144 as he claims.
and the fact that the real mobman’s ICQ was 14438136, as seen ::here::, which makes up the first part of the master password…
Also there was a time mobman posted that his leave of absence was due to moving to Mtl (Montreal), as seen here http://archive.li/KugEw
“[ guess who’s back… back again ] it’s been a while… i just recently moved to mtl, and as a result i’ve got more free time on my hands. sub7 is back. [ 10/27/03 5:25 am by mobman ]”
Besides living in Florida, either with his mom or homeless, and more recently Alabama, he’s probably never been out of the country, much less lived in Canada. Also on The Many Hats podcast @ minute 1:59:44 he says he has a passport and has never been out of the country.
If you look at his GitHub, it has nothing coded in Delphi, just PHP. Granted, Greg may know some things; after all, he graduated from ITT Tech. I found the proof he sent to The Many Hats Club. It’s password protected https://www.dropbox.com/s/mwerljtvfkh6vox/sub7-master-suite.zip?dl=0 and I cracked it, the password being: mobman
I still haven’t cracked some of the other password-protected files in it yet.
It’s a fucking collection of just the Sub7 binaries, no source code, no proofs. I even think I saw this posted on an old hack forum a while back.
I’ll probably have more to add as I’m just starting, but if he has any proof at all that he is the indisputable author of Sub7 I’ll eat my hat. If anyone has any more information to add, email me: illwill at illmob.org
Also he claims in The Many Hats podcast that he was made rich from selling his software to John McAfee and working under MGT; I don’t see any land owned in Alabama by him.
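How a password-protected zip like the one above gets cracked with a wordlist, as an added example written for this page (it is not code from the post, from Sub7, or from the archive itself). The archive contents, entry name and wordlist below are constructed stand-ins; only the password “mobman” is taken from the post. The block implements the traditional PKWARE (“ZipCrypto”) cipher so it can hand-build a small encrypted zip offline, then runs a dictionary attack through Python’s stdlib zipfile reader, which is exactly how a wrong guess gets rejected in practice:

```python
import io
import struct
import zipfile
import zlib


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC = _crc_table()


def _crc_step(crc, byte):
    return _CRC[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKWARE ('ZipCrypto') stream cipher. The three 32-bit keys are
    seeded from the password alone and then advanced by every plaintext byte."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain):
        self.k0 = _crc_step(self.k0, plain)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def _keystream(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for c in plaintext:
            out.append(c ^ self._keystream())
            self._update(c)  # key schedule runs on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, content, password, salt=b"\x00" * 11):
    """Hand-assemble a one-entry ZIP (stored, flag bit 0 = encrypted). Real
    writers use 11 random salt bytes; a fixed salt keeps this reproducible."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    # 12-byte encryption header: salt + high byte of the CRC. That single byte is
    # all a reader can check before decrypting the whole entry, so 1 wrong
    # password in 256 passes the check and is only caught by the CRC afterwards.
    body = ZipCrypto(password).encrypt(salt + bytes([crc >> 24]) + content)
    fname = name.encode()
    dostime, dosdate = 0, ((2019 - 1980) << 9) | (12 << 5) | 1  # 2019-12-01
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, dostime, dosdate,
                        crc, len(body), len(content), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0,
                          dostime, dosdate, crc, len(body), len(content),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip(zip_bytes, wordlist):
    """Try each candidate against the first entry using the stdlib reader.
    A wrong check byte raises RuntimeError; a 1-in-256 false positive on the
    check byte still fails the CRC and raises BadZipFile, so both are skipped."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for candidate in wordlist:
            try:
                plaintext = zf.read(name, pwd=candidate.encode())
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return candidate, plaintext
    return None, None


# Constructed stand-in for the archive discussed above (not the real file).
SAMPLE_ZIP = build_encrypted_zip("README.txt", b"Sub7 binaries only, no source.", b"mobman")
WORDLIST = ["password", "sub7", "subseven", "12345678", "mobman"]

if __name__ == "__main__":
    print(crack_zip(SAMPLE_ZIP, WORDLIST))
```

The dictionary attack is the lazy route and it is enough when the password is a handle you already know. Because the cipher is ZipCrypto rather than AES, there is also a known-plaintext attack (Biham and Kocher, 1994) that recovers the three internal keys from a dozen bytes of known plaintext without ever learning the password, which is what tools like bkcrack implement; an AES-encrypted zip (WinZip AE-2) closes that route and leaves only guessing.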
Our new open source Python OSINT framework, skiptracer, was released yesterday @ HushCon. Initial attack vectors for recon usually involve utilizing pay-for-data APIs (Recon-NG) or paying to use transforms (Maltego) to get data mining results. skiptracer uses some basic Python web scraping of PII paywall sites to compile passive information on a target on a ramen noodle budget. The modules allow queries for phone numbers, emails, screen names, real names, addresses, IPs, hostnames, breach credentials, etc. It will help you collect relevant information about a target to help expand your attack surface. Everyone is encouraged to submit new ideas/modules. You can get the code here: https://github.com/xillwillx/skiptracer
Seems our pal Mario Dinatale, or ‘Mario Di Natale’ as he now uses for SEO reasons (see post: Hacks Lies Nation States), has bullshitted his way into another job. I wonder how much bullshit he fed to his new employer, Kyber Secure. ‘Why do you care?’ you might ask. Because charlatans like him lying their way into jobs and bragging about ransomware ‘takedowns’ they had no part in are some of the reasons why this industry and security are such a shitshow. I feel bad for the clients.