Stakkato Principal - method of hacking


Dear Readers,
We would like to introduce you "Stakkato" hacking method.
Take a look!
"Stakkato Principal"
Author: Mardian Gunawan

Stakkato, or stakkato intrusion are known for its simplicity to take over thousand of high profile website. Basically its just leveraging using known (kiddies) methods yet the impact is devastating. knowledge one will gain and what one will learn after reading this article is to explore, making use of , technology, and circumvent it of course. All I do is just to prove my theory that stakkato attack can be done in any level, that's it.


1. From sqli attack on one site, some os command executions, gets data of email and password of approx. 41.754 accounts in hand(and a full ownage of the server).

#Technical# Sqli, nmap, backdoor, os command execution(ftp-s:filename, etc) blabla, do your homework kids

The sqli is not important, yet we focus on what to do with it.

2. More digging on the loot. Gmail user: approx. 10.000 user.

Using checker we gets 427 valid username and password of approx. 3.000 creds of 10.000. Creds could be collected: more than 1.400 creds.

Yahoo user give appprox 8/10 by using manual checking, which is the rest majority account of 41.754.

Creds could be collected:

30.000 yahoo user * 8/10 = 24.000 yahoo users.

Twitter account?, interesting, really. if enough time & resources


The main data are on csv file, using bash/terminal we sort it out(using cut, grep, sed etc), really having a hard time re-constructing the data.

The checker used are from gunslinger


Valid gmail password

3. From gmail users we harvest:

· Passwords for other site, skype, etc.

· Bank owner transaction info (very useful if you are targeting some bank/bank owner)

· Company database and reports

· Internal company software (distributed limitedly for company employee only)

· Photos (some "nice" photos ;'))


Do *.jpg, *.xls, *.exe after successful mail login

Passwords for other site

Passwords for other site

Passwords for other site

Transaction info

Company database

Company report

Internal company software

4. Some gmail accounts compromised, 120 are used to follow "some" blogsite, to increase follower. And some 100 are given to friend, to look for facebook poker chip(if the passwd is matched).

5. The stakkato continue / dreadful scenario

1. Some other site that deals with deposits, which is vulnerable to sqli too, we got the user cred from gmail account we compromised earlier, w00t!, we got ourself account with over 200.000.000 rupiah, just mail the site owner and ask to withdraw to your account, done!.

PS: Well maybe its not that easy, but you get the idea.

2. Feed the username+pass to facebook checker, make facebook API script for auto posting, likes, add friends, block person, etc. some cool stuff using compromised fb accounts.

Voila, You got yourself Social BotNet!


Its an sql injection, do ‘ or ‘1’=’1’ – ‘ to get admin, and USERNAME’ – ‘ for specific user. And sometimes, well most of the time i guess, sqli on login will gets you admin that DOES NOTHING, so enumerating users is usually what I do next.


Making use of significant data is neat. Years of skills and practice can't match tools, ever. If this isn't devastating enough, wait untill i log in to your account.

About author:
Mardian Gunawan- IT Security, betatester x86 platform for Pentoo, a Gento-based Pentesting Linux Live CD. Translating TOR project into my native language, Shodan evangelist, betatester for hakin9 magazine and author of Internet Search Engine Exploitation Dengan Shodan and creator of The Shpy project ("shpy"), POC for DC6221 Defcon Hacker Groups - International Jakarta Area, Indonesia and currently betatesting Givon Zirkind's Transcendental Encryption (TEC).

Other materials:
Fedora Security LiveCD Linux
Functional brain

Do you want to join Hakin9? Don't waste your time. Many interesting, technical articles.

Click here: Hakin9

September 2, 2014
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023