
Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/
Encoding errors --> https://ftfy.now.sh/
File Signatures List --> Click here
PCAP Analysis: --> https://www.packettotal.com/

Online Cipher Decryptors:

CyberChef - Cipher Decoder
CrackStation - Hash Cracker
Decrypt Any Kind of Hash

1) Cipher Statistics
2) Index of Coincidence Calculator - Online IC Cryptanalysis Tool
3) Tools List (Awesome and Fantastic Tools) Available on dCode
4) Solve an Aristocrat or Patristocrat
5) RSA attack tool (mainly for CTF) - retrieve the private key from a weak public key and/or uncipher data
5-1) RSA - Find PQ using N
6) BertNase's Own Hide content in an Image made of blocks - npiet fun!
7) Vigenere Solver - www.guballa.de
8) Fernet (Decode)
9) Unicode Text Steganography Encoders/Decoders
10) All in ONE encoders and Decoders Tool
11) Cryptii - Decoder

Image Forensics:

1) Forensically, free online photo forensics tools - 29a.ch
2) StegSolve to analyse hidden data in image files (bit-plane, LSB and colour-channel views)

Online Steganographic tools

1) https://osric.com/chris/steganography/decode.html
2) http://stylesuxx.github.io/steganography/
3) https://futureboy.us/stegano/decinput.html
4) https://www.pdf-online.com/osa/extract.aspx --> For PDF


Audio Forensics:

1) Decode old tapes with software for Atari 8-bit computers (Software - Download Required)
strings filename | awk 'length($0)>=15' | sort -u   --> setting a minimum length for a string cleans out a lot of the garbage; this only prints unique strings of 15 or more chars
strings -a -n 15 filename                            --> same result using strings' own -n (minimum length) flag; -a scans the whole file instead of just the data sections
grep -rnw / -ie 'password' --color=always   --> recurse from / and print file names with line numbers where the whole word "password" (case-insensitive) is found
# Grep for words starting with "co"

egrep "^co" common.txt > /cp.txt

#Hex Decode a file 

cat key| xxd -r -p > key.bin
fcrackzip -D -p rockyou.txt -u file.zip   --> crack a zip file using a wordlist (-D dictionary mode, -u verifies each candidate with unzip to avoid false positives)


Download John the Ripper Community Version (Lot of Plugins are Available)

zip2john filename.zip > filehash.txt    --> extracts the archive's password hash into a file john can read

john filehash.txt                       --> cracks the password with john's default modes (single crack, then its default wordlist, then incremental)

john --wordlist=/usr/share/wordlists/rockyou.txt filehash.txt   --> crack with a specific wordlist; on Kali rockyou ships gzipped, so gunzip /usr/share/wordlists/rockyou.txt.gz first, john does not read .gz wordlists




pdfcrack -f file.pdf -w ../stego/rockyou.txt  --> crack PDF Files using wordlist 
Analyzing Microsoft Office Docs

sudo -H pip install -U "oletools[full]" --break-system-packages

#get embedded items in the doc 
oleid filename.doc 

#List the macros 
olevba filename.doc 

#Extract embedded objects from OLE files.
oleobj filename.doc

#Extract embedded objects from RTF files.
rtfobj filename.rtf
Analyzing event logs for finding USB violations

sudo usbrip events violations auth.json -f syslog   --> compare the USB events in the system log against the authorised-device list in auth.json
Brute Force 7z Zip files -- 7z Zip Brute Force Github

python latex.py --files file.7z --wordlist rockyou.txt

strings -a 'filename.png'   --> scans the whole file instead of just the data sections.
binwalk -e 'filename.png'   --> automatically extracts any embedded files it recognises by signature. For this specific file this did not do us any good.
steghide info filename.jpg  --> check for embedded data inside an image; steghide only supports JPEG, BMP, WAV and AU carriers (not PNG), and you need the passphrase to see the embedded data's details
steghide extract -sf filename.jpg --> extract the embedded data into a file; again you need the passphrase
xxd filename                 --> hex viewer

xxd -p -c 10000 FILENAME     --> dump all the data as a plain hex string on a single line
xxd -p -r hex.txt > meow     --> reverse a plain hex dump back into binary; then run file meow to identify what the binary is
Decrypt the cipher text when n, e and c are given in RSA

python RsaCtfTool.py -n 2227212908056272288661402263220544270835000977233668976511 -e 3 --uncipher 56274920108122478990888092521371739605513959053
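What RsaCtfTool is doing in cases like the one above, as an added example that is not part of the original post or of RsaCtfTool itself: with a tiny exponent such as e=3 and a short message, m^e never (or barely) wraps past n, so m is just the integer e-th root of c (plus a few multiples of n). When that fails, Fermat factoring recovers p and q if they are close together, which is also the "Find PQ using N" case from the dCode list. The key and messages below are constructed for the demo; the post's own n/e/c are not asserted on.

```python
"""Recover an RSA plaintext from (n, e, c) using two weaknesses common in CTF keys.

Added example, not from the original post. Attack 1: small-exponent (cube-root)
attack. Attack 2: Fermat factoring for p, q that are close together.
"""
from __future__ import annotations

from math import isqrt


def iroot(x: int, k: int) -> int:
    """Largest integer r with r**k <= x (binary search, exact for big ints)."""
    if x < 2:
        return x
    lo, hi = 1, 1 << (x.bit_length() // k + 1)   # hi**k is guaranteed > x
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_e_attack(n: int, e: int, c: int, max_wraps: int = 10_000) -> int | None:
    """Try m = e-th root of (c + k*n) for small k: works when m**e did not wrap
    past n at all (k = 0) or only a few times."""
    for k in range(max_wraps):
        target = c + k * n
        m = iroot(target, e)
        if m ** e == target:
            return m
    return None


def fermat_factor(n: int, max_iter: int = 1_000_000) -> tuple[int, int] | None:
    """Write n = a**2 - b**2 = (a-b)(a+b); converges quickly when |p-q| is small."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def rsa_recover(n: int, e: int, c: int) -> int | None:
    """Return the plaintext integer m, or None if neither weakness applies."""
    if e < 100:                      # the root attack only makes sense for tiny e
        m = small_e_attack(n, e, c)
        if m is not None:
            return m
    factors = fermat_factor(n)
    if factors is None:
        return None
    p, q = factors
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return pow(c, d, n)


def int_to_text(m: int) -> str:
    """CTF plaintexts are usually ASCII packed big-endian into the integer."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("latin-1")


if __name__ == "__main__":
    # Constructed demo key: p and q are adjacent primes, so Fermat finds them at once.
    p, q = 10007, 10009
    n = p * q
    m_small = 65                                   # 65**3 = 274625 < n, so no modular wrap
    print(rsa_recover(n, 3, pow(m_small, 3, n)))   # small-e path
    m_text = int.from_bytes(b"hi", "big")          # 26729
    print(int_to_text(rsa_recover(n, 65537, pow(m_text, 65537, n))))   # Fermat path
```

Against a real key, replace the demo values with the n, e and c from the challenge; if both attacks return None the key is not weak in either of these two ways and the other RsaCtfTool attacks (Wiener, common modulus, factordb lookup) are the next stop.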
Read CSV files in Linux properly

cat file.csv | sed -e 's/,,/, ,/g' | column -s, -t | less -#5 -N -S
Add a space after every 5 characters

echo "whateverthehellTheTextIsAddSpacesToYourText" | sed 's/\(.\{5\}\)/\1 /g'
#steganography detector for PNG/BMP files (LSB planes, trailing data, zlib streams)
gem install zsteg

Imaging and Recovery:
sudo dcfldd if=/dev/sdb of=/home/recovery.dd   --> if=input device; of=output image file

scp user@10.10.10.48:/home/recovery.dd /location/filename.dd   --> works like ssh; copies the image to our machine
xxd filename.dd                                                 --> or open the image with a hex editor to view the contents
Imaging for Forensics

dd if=\\.\d: of=c:\test.dd bs=1G --size --progress   --> Windows build of dd: image the D: volume, --size stops at the volume's end, --progress shows progress
Volatility

wget https://github.com/volatilityfoundation/volatility/releases/download/2.6.1/volatility_2.6_lin64_standalone.zip 
unzip volatility_2.6_lin64_standalone.zip 

mv volatility_2.6_lin64_standalone vol 

#Get Image Profile - OS 
./vol -f Image.raw imageinfo 

#Use the Profile from previous command 

#Get Files
./vol -f Image.raw --profile=Win7SP1x86_23418 filescan

#Get the offset of the file; from previous command to download 
./vol -f Image.raw --profile=Win7SP1x86_23418 dumpfiles --physoffset=0x000000000aab12345 -u -n -D .

#Get TrueCrypt Passwords in memory
./vol -f Image.raw --profile=Win7SP1x86_23418 truecryptpassphrase
pngcheck -v filename.png --> PNGs can contain a variety of data 'chunks' that are optional (non-critical) as far as rendering is concerned; -v lists every chunk.
exiftool filename.png --> metadata viewer; check whether there are any hash values or comments in it.
file filename.gif --> identifies the actual file type from its magic bytes, whatever the extension says
strings ./filename --> find the interesting strings in any file
ltrace ./filename --> intercept the library functions the binary calls
Unzipping a loop of nested zip files

#!/usr/bin/env bash
# Usage: ./unzip_chain.sh first.zip
# Each archive holds one file named "<number>.zip"; that number is the password
# for it and it holds the next archive. Loop until unzip fails (wrong password
# or no further archive).
ZIPFILE="$1"
RESULT=0
while [ "$RESULT" -eq 0 ]
do
    # pull the numeric name of the inner archive out of the listing
    PASSWORD=$( unzip -l "$ZIPFILE" | grep -E "^\s+[0-9]+" | grep -Eo "[0-9]+\.zip" | grep -Eo "[0-9]+" )
    unzip -P "$PASSWORD" "$ZIPFILE"
    RESULT=$?
    echo "Unzipped $ZIPFILE using password $PASSWORD ($RESULT)"
    ZIPFILE="$PASSWORD.zip"
done
find / -size 33c -user bandit7 -group bandit6 2>/dev/null   --> find a file by exact size (33 bytes), owner and group, discarding permission errors (OverTheWire Bandit)
Image Signature:

JPG: a regular JPG begins with 0xFFD8 (the SOI marker, in practice 0xFFD8FF) and ends with 0xFFD9 (the EOI marker)
PNG: PNG images begin with 0x89504E47 (the full 8-byte signature is 89 50 4E 47 0D 0A 1A 0A) and end with 0xAE426082 (the CRC of the IEND chunk)
BMP: bitmaps have no consistent end value, and their beginning is only 0x424D ("BM"); the bytes after that are the file size, so 0x424D36 matches just some files
GIF: as with bitmaps the end values vary in practice (the spec's trailer is a single 0x3B), but GIFs begin with 0x47494638 ("GIF8", followed by "7a" or "9a")
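The signature table above, turned into a small checker as an added example (not code from the original post): it identifies a file the way file does, flags an extension that disagrees with the magic bytes, and does a binwalk-style scan for a second file appended after an image's trailer, which is the usual reason a PNG or JPG "does not end correctly". The sample bytes are constructed here and are not renderable images.

```python
"""Identify a file by its magic bytes and carve embedded files out of it.

Added example, not from the original post. Covers the four formats in the
signature list (JPG, PNG, BMP, GIF); the samples at the bottom are constructed.
"""
from __future__ import annotations

# format -> (header at offset 0, trailer at end of file or None when the format has none)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "bmp": (b"BM", None),            # 'BM' then a file-size field, so no reliable trailer
    "gif": (b"GIF8", b"\x3b"),       # GIF87a / GIF89a; trailer is a single 0x3B
}


def identify(data: bytes) -> str | None:
    """Format whose header sits at offset 0, regardless of the file's extension."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def trailer_ok(data: bytes, kind: str) -> bool:
    """True when the file ends with the format's trailer (or the format has none).
    A False result on a jpg/png is the classic hint that something was appended."""
    trailer = SIGNATURES[kind][1]
    return trailer is None or data.endswith(trailer)


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one type but the magic bytes say another."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    actual = identify(data)
    return actual is not None and actual != ext


def carve(data: bytes) -> list[tuple[str, int, int | None]]:
    """binwalk-style scan: every known header in the blob with its offset and,
    for formats that have a trailer, the offset just past the first trailer after it."""
    hits: list[tuple[str, int, int | None]] = []
    for kind, (header, trailer) in SIGNATURES.items():
        if len(header) < 3:          # 'BM' alone is too short to scan for without false positives
            continue
        start = data.find(header)
        while start != -1:
            end = None
            if trailer is not None:
                t = data.find(trailer, start + len(header))
                if t != -1:
                    end = t + len(trailer)
            hits.append((kind, start, end))
            start = data.find(header, start + 1)
    return sorted(hits, key=lambda h: h[1])


# Constructed samples: structurally minimal, not real images.
PNG_SAMPLE = (SIGNATURES["png"][0]
              + b"\x00\x00\x00\x0dIHDR" + bytes(17)          # IHDR chunk with zeroed fields and CRC
              + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")     # zero-length IEND plus its CRC
JPG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(8) + b"\xff\xd9"
STACKED = PNG_SAMPLE + JPG_SAMPLE    # a PNG with a JPEG hidden after IEND


if __name__ == "__main__":
    print(identify(STACKED), trailer_ok(STACKED, "png"))   # png False -> data after IEND
    print(extension_mismatch("photo.png", JPG_SAMPLE))     # True
    for kind, start, end in carve(STACKED):
        print(f"{kind} at offset {start}, ends at {end}")
```

To use it on a real file, read it with open(path, "rb").read() and slice data[start:end] for each carve() hit into its own file; a hit whose end is None (a BMP, or a trailer that never turns up) has to be cut by hand from the next header or the end of the file.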

Data Recovery when you accidentally Delete a Partition

https://dmde.com/ 
