
Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/
Encoding errors --> https://ftfy.now.sh/
File Signatures List --> Click here
PCAP Analysis: --> https://www.packettotal.com/

Online Cipher Decryptors:

CyberChef - Cipher Decoder
CrackStation - Hash Cracker
Decrypt Any Kind of Hash

1) Cipher Statistics
2) Index of Coincidence Calculator - Online IC Cryptanalysis Tool
3) Tools List (Awesome and Fantastic Tools) Available on dCode
4) Solve an Aristocrat or Patristocrat
5) RSA attack tool (mainly for CTF) - retrieve the private key from a weak public key and/or uncipher data
5-1) RSA - Find p and q from N
6) BertNase's Own Hide content in an image made of blocks - npiet fun!
7) Vigenere Solver - www.guballa.de
8) Fernet (Decode)
9) Unicode Text Steganography Encoders/Decoders
10) All in ONE Encoders and Decoders Tool
11) Cryptii - Decoder

Image Forensics:

1) Forensically, free online photo forensics tools - 29a.ch
2) StegSolve to analyse bit planes and colour channels and pull hidden data out of image files

Online Steganographic tools

1) https://osric.com/chris/steganography/decode.html
2) http://stylesuxx.github.io/steganography/
3) https://futureboy.us/stegano/decinput.html
4) https://www.pdf-online.com/osa/extract.aspx --> For PDF


Audio Forensics:

1) Decode old Atari 8-bit cassette tapes (software download required)

strings filename | awk 'length($0)>15' | sort -u
# Setting a minimum length for a string cleans a lot of the garbage out of the output:
# the awk filter keeps only strings longer than 15 chars. strings has a built-in option for this:
strings -a -n 15 filename    # -n 15: only strings of 15 or more chars; -a: scan the whole file, not just the data sections
grep -rnw / -ie 'password' --color=always 2>/dev/null

    --> recursive (-r), case-insensitive (-i), whole-word (-w) search; prints each file and line number where the string is found
# Grep for words starting with "co" (egrep is the deprecated spelling of grep -E)

grep -E "^co" common.txt > /cp.txt

#Hex decode a file (turn a plain hex dump back into binary)

xxd -r -p key > key.bin
fcrackzip -D -p rockyou.txt -u file.zip   --> dictionary attack (-D) on a zip using a wordlist; -u verifies each candidate with unzip to drop false positives


Download John the Ripper Community (jumbo) Version (ships the *2john helpers and lots of format plugins)

zip2john filename.zip > filehash.txt    --> turns the archive into a crackable hash

john filehash.txt    --> cracks with john's default modes in turn (single, its built-in wordlist, then incremental)

john --wordlist=/usr/share/wordlists/rockyou.txt filehash.txt    --> wordlist mode; on Kali gunzip rockyou.txt.gz first




pdfcrack -f file.pdf -w ../stego/rockyou.txt  --> crack PDF files using a wordlist
Analyzing Microsoft Office Docs

sudo -H pip install -U oletools[full] --break-system-packages

#Summarise what the file contains (VBA macros, encryption, embedded objects ...)
oleid filename.doc

#Extract and analyse the VBA macros
olevba filename.doc

#Extract embedded objects from OLE files
oleobj filename.doc

#Extract embedded objects from RTF files (rtfobj wants the RTF itself, not a .doc)
rtfobj filename.rtf
Analyzing USB event history for violations (devices not on the whitelist)

sudo usbrip events violations auth.json -f syslog    --> auth.json is the whitelist; -f syslog for syslog-formatted logs

Brute Force 7z Zip files -- 7z Zip Brute Force Github

python latex.py --files file.7z --wordlist rockyou.txt

strings -a filename.png   --> scan the whole file instead of only the data sections.
binwalk -e filename.png   --> carve and extract any embedded files it recognises. For this specific file this did not do us any good.
steghide info filename.png          --> report data embedded with steghide; it prompts for the passphrase (try an empty one first)
steghide extract -sf filename.png   --> extract the embedded data into a file; same passphrase needed
xxd filename    --> hex viewer

xxd -p -c 10000 FILENAME --> plain hex dump of all the data in a single line
xxd -p -r hex.txt > meow --> reverse a hex dump back into a binary file; then `file meow` to find out what it is
Decrypt the ciphertext when n, e and c are given (RSA):

python RsaCtfTool.py -n 2227212908056272288661402263220544270835000977233668976511 -e 3 --uncipher 56274920108122478990888092521371739605513959053
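Two of the weak-key recoveries a tool like RsaCtfTool automates, written out as an added example (not RsaCtfTool's code): Fermat factoring when p and q are close, and the plain e-th root when e is small and the unpadded message satisfies m^e < n. The key pair and messages below are constructed for the demo (a toy 60-bit modulus), not the values from the command above.

```python
# Added example: two weak-RSA recoveries that tools like RsaCtfTool automate.
# Not RsaCtfTool's code; the key material and messages below are constructed
# for the demo, not taken from the command above.
from math import isqrt


def fermat_factor(n, max_steps=1_000_000):
    """Fermat's method: if p and q are close, n = a^2 - b^2 with a small b.
    Returns (p, q) or None if nothing is found within max_steps."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def iroot(k, n):
    """Exact integer k-th root floor(n ** (1/k)) by binary search (no float rounding)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_e_root(c, e):
    """Small-e attack: with no padding and m**e < n, c == m**e over the integers,
    so m is simply the e-th root of c. Returns m, or None if c is not a perfect power."""
    m = iroot(e, c)
    return m if m ** e == c else None


def private_exponent(p, q, e):
    """d = e^-1 mod phi(n); the three-argument pow with -1 needs Python 3.8+."""
    return pow(e, -1, (p - 1) * (q - 1))


def uncipher(n, e, c):
    """Recover m from (n, e, c): try the cheap root attack for small e, then Fermat."""
    m = small_e_root(c, e) if e < 20 else None
    if m is not None:
        return m
    pq = fermat_factor(n)
    if pq is None:
        return None
    p, q = pq
    return pow(c, private_exponent(p, q, e), n)


def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed demo key: p and q are the nearby primes 10**9+7 and 10**9+9, so
# Fermat finds them on the first step. Never use keys like this outside a CTF.
P, Q, E = 1000000007, 1000000009, 65537
N = P * Q
MESSAGE = b"flag{x}"   # 7 bytes, so m < N
SHORT = 28523          # small message for the e=3 demo: 28523**3 < N

if __name__ == "__main__":
    m = int.from_bytes(MESSAGE, "big")
    c = pow(m, E, N)
    print("factored:", fermat_factor(N))
    print("recovered:", int_to_bytes(uncipher(N, E, c)))
    # e = 3 with a short unpadded message: no factoring needed at all
    print("e=3 root:", small_e_root(pow(SHORT, 3, N), 3))
```

The root attack is tried first because it costs nothing; when m^e wraps past n it simply returns None and the code falls through to factoring. On a real CTF modulus Fermat only succeeds when |p - q| is small, which is exactly the weakness the "Find p and q from N" tools look for.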
Read CSV files properly in Linux (the sed turns empty fields ",," into ", ," so column keeps the columns aligned):

cat file.csv | sed -e 's/,,/, ,/g' | column -s, -t | less -#5 -N -S

Add a space after every 5 characters:

echo "whateverthehellTheTextIsAddSpacesToYourText" | sed 's/\(.\{5\}\)/\1 /g'

#steganography detector for PNG/BMP files (LSB, zlib streams, trailing data)
gem install zsteg

Imaging and Recovery:
sudo dcfldd if=/dev/sdb of=/home/recovery.dd    --> if= input device, of= output image file

scp user@10.10.10.48:/home/recovery.dd /location/filename.dd    --> works like ssh; copies the image over to our machine
xxd filename    --> or open with a hex editor to view the contents
Imaging for Forensics (Windows, chrysocome dd build)

dd if=\\.\d: of=c:\test.dd bs=1G --size --progress    --> image the D: volume; --size stops at the device size, --progress reports progress
Volatility 2

wget https://github.com/volatilityfoundation/volatility/releases/download/2.6.1/volatility_2.6_lin64_standalone.zip 
unzip volatility_2.6_lin64_standalone.zip 

mv volatility_2.6_lin64_standalone vol 

#Identify the image profile (OS / service pack)
./vol -f Image.raw imageinfo 

#Use one of the suggested profiles in the commands that follow

#List the file objects in memory
./vol -f Image.raw --profile=Win7SP1x86_23418 filescan

#Dump a file using the physical offset reported by filescan
./vol -f Image.raw --profile=Win7SP1x86_23418 dumpfiles --physoffset=0x000000000aab12345 -u -n -D .

#Recover TrueCrypt passphrases cached in memory
./vol -f Image.raw --profile=Win7SP1x86_23418 truecryptpassphrase
pngcheck -v filename.png --> list the chunks: PNGs can carry optional (ancillary, non-critical) data chunks that have no effect on rendering, a handy place to hide data.
exiftool filename.png --> metadata viewer; check the fields for hash values or other hidden strings.
file filename.gif --> identifies the real file type from its magic bytes, whatever the extension says
strings ./filename  --> find the interesting strings in any file
ltrace ./filename   --> trace the library functions a binary calls while it runs.
Unzipping a chain of nested zip files (each archive holds one file "<N>.zip" and N is also the password for the archive)

#!/bin/bash
ZIPFILE="$1"
RESULT=0
while [ "$RESULT" -eq 0 ]
do
    # the inner file name is a number: pull it out of the listing and use it as the password
    PASSWORD=$( unzip -l "$ZIPFILE" | grep -E "^\s+[0-9]+" | grep -Eo "[0-9]+\.zip" | grep -Eo "[0-9]+" )
    [ -n "$PASSWORD" ] || break   # no numbered zip inside: end of the chain
    unzip -P "$PASSWORD" "$ZIPFILE"
    RESULT=$?
    echo "Unzipped $ZIPFILE using password $PASSWORD ($RESULT)"
    ZIPFILE="$PASSWORD.zip"
done
find / -size 33c -user bandit7 -group bandit6 2>/dev/null    --> find a file of exactly 33 bytes with the given owner and group; permission errors go to /dev/null
Image Signature: 

JPG: a regular JPEG begins with 0xFFD8 (SOI marker) and ends with 0xFFD9 (EOI marker)
PNG: begins with the 8-byte signature 0x89504E470D0A1A0A and ends with 0xAE426082, which is the CRC of the IEND chunk
BMP: begins with 0x424D ("BM"); the next 4 bytes are the little-endian file size, so a fixed third byte such as 0x36 is not part of the signature, and there is no fixed end marker
GIF: begins with 0x47494638 ("GIF8", followed by "7a" or "9a") and ends with the trailer byte 0x3B
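The pngcheck note and the signature list above, as an added example that is not pngcheck's code or the page's own: a magic-byte identifier for those signatures plus a PNG chunk walker that verifies each chunk CRC, flags ancillary chunks (the usual place for a hidden tEXt comment) and reports bytes appended after IEND. The sample PNG and the archive bytes glued after it are constructed inline; the ZIP signature (PK\x03\x04) is an addition to the table.

```python
# Added example, not pngcheck's code: magic-byte identification plus a PNG
# chunk walker. The sample image and the bytes appended after IEND are
# constructed here for the demo.
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Start-of-file signatures; trailers noted in comments where the format has one.
SIGNATURES = [
    (PNG_MAGIC, "PNG"),          # ends with the IEND chunk, CRC AE 42 60 82
    (b"\xff\xd8", "JPEG"),       # ends with FF D9 (EOI)
    (b"GIF87a", "GIF"),          # ends with the 3B trailer
    (b"GIF89a", "GIF"),
    (b"BM", "BMP"),              # next 4 bytes are the file size, not part of the signature
    (b"PK\x03\x04", "ZIP"),      # added to the table for the appended-data demo
]


def identify(data):
    """Return the format name whose magic bytes open `data`, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def png_chunks(data):
    """Walk the chunk list and return (chunks, trailing_bytes_after_IEND).
    Ancillary (non-critical) chunks have a lowercase first type letter, i.e.
    bit 5 of the first type byte set; tEXt/zTXt/iTXt are the usual flag spots."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError(f"truncated chunk at offset {pos}")
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append({
            "type": ctype.decode("latin-1"),
            "offset": pos,
            "length": length,
            "critical": not (ctype[0] & 0x20),
            "crc_ok": stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF),
            "body": body,
        })
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def report(data):
    """pngcheck-style triage summary: chunk types, ancillary ones, bad CRCs, trailing data."""
    chunks, trailing = png_chunks(data)
    return {
        "types": [c["type"] for c in chunks],
        "ancillary": [c["type"] for c in chunks if not c["critical"]],
        "bad_crc": [c["type"] for c in chunks if not c["crc_ok"]],
        "trailing_bytes": len(trailing),
        "trailing_format": identify(trailing),
    }


def _chunk(ctype, body):
    """Serialise one chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 RGB PNG with a tEXt comment, then junk appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte 0 + one red pixel
    png = (PNG_MAGIC + _chunk(b"IHDR", ihdr)
           + _chunk(b"tEXt", b"Comment\x00flag{in_a_text_chunk}")
           + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
    return png + b"PK\x03\x04appended-archive-bytes"      # what binwalk -e would carve out


if __name__ == "__main__":
    sample = build_sample_png()
    print(identify(sample), report(sample))
```

A chunk with a bad CRC is either corruption or someone editing chunk bytes by hand without recomputing the checksum; viewers ignore ancillary chunks either way, which is why both the CRC check and the ancillary list are worth a look before reaching for steghide or zsteg.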

Data Recovery when you accidentally Delete a Partition

https://dmde.com/ 
