
NTFSTool - Forensics Tool For NTFS (Parser, MTF, Bitlocker, Deleted Files)

21 October 2021 at 11:30
By: Zion3R


NTFSTool is a forensic tool focused on NTFS volumes. It supports reading partition information (MBR, partition table, VBR) as well as information on BitLocker-encrypted volumes, EFS-encrypted files and more.

See below for some examples of the features!


Features

Forensics

NTFSTool displays the complete structure of the master boot record, volume boot record, partition table and MFT file records. It can also dump any file (even $MFT or SAM) and parse the USN journal and $LogFile, including streams stored as Alternate Data Streams (ADS). The undelete command searches for every file record marked "not in use" and lets you retrieve the file (or the part of it that has not yet been overwritten). Input can be an image file or a live disk, but you can also use tools such as OSFMount to mount your disk image. Sparse and compressed files are also supported.


Bitlocker support

For BitLocker-encrypted partitions, it can display FVE records, check a password or key (BEK, password, recovery key) and extract the VMK and FVEK. There is no brute-force feature because GPU-based cracking is better suited to that (see BitCracker and Hashcat), but you can obtain the hash to feed those tools.


EFS support

In the current version, master keys, private keys and certificates can be listed, displayed and decrypted given the required inputs (SID, password). Certificates with their private keys can be exported using the backup command. Reimport the backup on another machine to be able to read your encrypted files again!

More information on Mimikatz Wiki

Decryption of EFS encrypted files is coming!


Shell

There is a limited shell with a few commands (exit, cd, ls, cat, pwd, cp).


Help & Examples

The help command displays a description and examples for each command. Numeric options can be entered as a decimal number or as a hex number with the "0x" prefix (e.g. inode).

ntfstool help [command]
Command Description
info Display information for all disks and volumes
mbr Display MBR structure, code and partitions for a disk
gpt Display GPT structure, code and partitions for a disk
vbr Display VBR structure and code for a specified volume (ntfs, fat32, fat1x, bitlocker supported)
extract Extract a file from a volume.
image Create an image file of a disk or volume.
mft Display FILE record details for a specified MFT inode. Almost all attribute types are supported.
btree Display VCN content and Btree index for an inode
bitlocker Display detailed information and hash ($bitlocker$) for all VMKs. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK are displayed.
bitdecrypt Decrypt a volume to a file using password, recovery key or bek.
efs.backup Export EFS keys in PKCS12 (pfx) format.
efs.certificate List, display and export system certificates (SystemCertificates/My/Certificates).
efs.key List, display, decrypt and export private keys (Crypto/RSA).
efs.masterkey List, display and decrypt masterkeys (Protect).
fve Display information for the specified FVE block (0, 1, 2)
reparse Parse and display reparse points from $Extend$Reparse.
logfile Dump $LogFile file in specified format: csv, json, raw.
usn Dump $UsnJrnl file in specified format: csv, json, raw.
shadow List volume shadow snapshots from selected disk and volume.
streams Display Alternate Data Streams
undelete Search and extract deleted files for a volume.
shell Start a mini Unix-like shell
smart Display S.M.A.R.T data

Limitations
  • Some unsupported cases. WIP.
  • No documentation

Feel free to open an issue or ask for a new feature!


Build

Vcpkg is the best way to install the required third-party libs.

Install vcpkg as described here: vcpkg#getting-started

git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat

Integrate it into your Visual Studio environment:

vcpkg integrate install

At build time, Visual Studio will detect the vcpkg.json file and install the required packages automatically.

Current third-party libs:

  • openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
  • nlohmann-json: JSON for Modern C++
  • distorm: Powerful Disassembler Library For x86/AMD64
  • cppcoro: A library of C++ coroutine abstractions for the coroutines TS.

Examples

Info
info
+-------------------------------------------------------------------------------------+
| Id | Model | Type | Partition | Size |
+-------------------------------------------------------------------------------------+
| 0 | Samsung SSD 850 EVO 500GB | Fixed SSD | GPT | 500107862016 (465.76 GiBs) |
| 1 | ST2000DM001-1ER164 | Fixed HDD | GPT | 2000398934016 (1.82 TiB) |
| 2 | 15EADS External | Fixed HDD | MBR | 1500301910016 (1.36 TiB) |
| 3 | osfdisk | Fixed HDD | MBR | 536870912 (512.00 MiBs) |
+-------------------------------------------------------------------------------------+
info disk=3
Model       : osfdisk
Version : 1
Serial :
Media Type : Fixed HDD
Size : 536870912 (512.00 MiBs)
Geometry : 512 bytes * 63 sectors * 255 tracks * 65 cylinders
Volume : MBR

+--------------------------------------------------------------------------------------------------+
| Id | Boot | Label | Mounted | Filesystem | Offset | Size |
+--------------------------------------------------------------------------------------------------+
| 1 | No | NTFSDRIVE | F:\ | Bitlocker | 0000000000000200 | 000000001ffffe00 (512.00 MiBs) |
+--------------------------------------------------------------------------------------------------+
info disk=3 volume=1
Serial Number  : 0000aa60-00002eae
Filesystem : Bitlocker
Bootable : False
Type : Fixed
Label : NTFSDRIVE
Offset : 512 (512.00 bytes)
Size : 536870400 (512.00 MiBs)
Free : 519442432 (495.38 MiBs)
Mounted : True (F:\)
Bitlocker : True (Unlocked)

MBR
mbr disk=2
MBR from \\.\PhysicalDrive2
---------------------------

Disk signature : e4589462
Reserved bytes : 0000

Partition table :
+---------------------------------------------------------------------------------------------------+
| Id | Boot | Flags | Filesystem | First sector | Last sector | Offset | Sectors | Size |
+---------------------------------------------------------------------------------------------------+
| 1 | No | Principal | NTFS / exFAT | 0 2 3 | 255 254 255 | 128 | 16771072 | 8.00 GiBs |
+---------------------------------------------------------------------------------------------------+

MBR signature : 55aa

Strings:
[63] : Invalid partition table
[7b] : Error loading operating system
[9a] : Missing operating system

Disassemble Bootstrap Code [y/N] ? y

0000 : 33c0 : xor ax, ax
0002 : 8ed0 : mov ss, ax
0004 : bc007c : mov sp, 0x7c00
0007 : 8ec0 : mov es, ax
0009 : 8ed8 : mov ds, ax
000b : be007c : mov si, 0x7c00
000e : bf0006 : mov di, 0x600
0011 : b90002 : mov cx, 0x200
...

GPT
gpt disk=1
Signature        : EFI PART
Revision : 1.0
Header Size : 92
Header CRC32 : cc72e4d3
Reserved : 00000000
Current LBA : 1
Backup LBA : 3907029167
First Usable LBA : 34
Last Usable LBA : 3907029134
GUID : {a21d6495-cd58-4b8d-b968-dc337adcf6ac}
Entry LBA : 2
Entries Num : 128
Entries Size : 128
Partitions CRC32 : 0c9a0a25

Partition table : 2 entries
+------------------------------------------------------------------------------------------------------------------------+
| Id | Name | GUID | First sector | Last sector | Flags |
+------------------------------------------------------------------------------------------------------------------------+
| 1 | Microsoft reserved partition | {da0ac4a1-a78c-4053-bab5-36c70a71fe63} | 34 | 262177 | 000000000000 |
| 2 | Basic data partition | {4b4ea4b3-64a1-4c6d-bd4b-1c2b0e4e706f} | 264192 | 3907028991 | 000000000000 |
+------------------------------------------------------------------------------------------------------------------------+

VBR
vbr disk=3 volume=1
Structure :
Jump : eb5890 (jmp 0x7c5a)
OEM id : -FVE-FS-
BytePerSector : 512
SectorPerCluster : 8
Reserved Sectors : 0
Number of FATs : 0
Root Max Entries : 0
Total Sectors : 0
Media Type : f8
SectorPerFat : 8160
SectorPerTrack : 63
Head Count : 255
FS Offset : 1
Total Sectors : 0
FAT Flags : 0000
FAT Version : 0000
Root Cluster : 0
FS Info Sector : 1
Backup BootSector: 6
Reserved : 00000000
Reserved : 00000000
Reserved : 00000000
Drive Number : 80
Reserved : 00
Ext. Boot Sign : 29
Serial Nuumber : 00000000
Volume Name : NO NAME
FileSystem Type : FAT32
Volume GUID : {4967d63b-2e29-4ad8-8399-f6a339e3d001}
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
End marker : 55aa

Strings:
[00] : Remove disks or other media.
[1f] : Disk error
[2c] : Press any key to restart

Disassemble Bootstrap Code [y/N] ? y

7c5a : eb58 : jmp 0x7cb4
7c5c : 90 : nop
7c5d : 2d4656 : sub ax, 0x5646
7c60 : 45 : inc bp
7c61 : 2d4653 : sub ax, 0x5346
7c64 : 2d0002 : sub ax, 0x200
[...]

Extract
extract disk=3 volume=1 from=\bob.txt output=d:\bob.txt
Extract file from \\.\PhysicalDrive3 > Volume:1
-----------------------------------------------

[+] Opening \\?\Volume{00023d5d-0000-0000-0002-000000000000}\
[-] Source : \bob.txt
[-] Destination : d:\bob.txt
[-] Record Num : 47 (0000002fh)
[+] File extracted (42 bytes written)
extract disk=0 volume=4 --system output=d:\system
Extract file from \\.\PhysicalDrive0 > Volume:4
-----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\windows\system32\config\system
[-] Destination : d:\system
[-] Record Num : 623636 (00098414h)
[+] File extracted (19398656 bytes written)

Image
image disk=2 volume=2 output=d:\imagevol.raw
Image from \\.\PhysicalDrive2 > Volume:2
----------------------------------------

[+] Opening \\?\Volume{f095dd1d-f302-4d17-bf68-7cc8c1de3965}\
[-] Size : 33520128 (31.97 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Done
image disk=2 output=d:\image.raw
Image from \\.\PhysicalDrive2
-----------------------------

[+] Opening \\.\PhysicalDrive2
[-] Size : 67108864 (64.00 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Done

MFT
mft disk=2 volume=1 inode=5 (root folder)
Signature         : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 274035114
Sequence Number : 5
Hardlink Count : 1
Attribute Offset : 56
Flags : In_use | Directory
Real Size : 704
Allocated Size : 1024
Base File Record : 0
Next Attribute ID : 56
MFT Record Index : 5
Update Seq Number : 4461
Update Seq Array : 00000000

Attributes:
-----------

+------------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+------------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2020-02-24 19:42:23 |
| | | | | FileRecord Changed Time : 2020-02-24 19:42:23 |
| | | | | Last Access Time : 2020-02-24 19:42:23 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 1 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 |
| | | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2011-12-24 03:13:12 |
| | | | | FileRecord Changed Time : 2011-12-24 03:13:12 |
| | | | | Last Access Time : 1970-01-01 00:59:59 |
| | | | | Allocated Size : 0 |
| | | | | Real Size : 0 |
| | | | | ------ |
| | | | | Name : . |
+------------------------------------------------------------------------------------------------------------------+
| 3 | $OBJECT_ID | False | 16 | Object Unique ID : {cce8fec5-9a29-11df-be68-0017f29 |
| | | | | 8268d} |
+------------------------------------------------------------------------------------------------------------------+
| 4 | $INDEX_ROOT | False | 152 | Attribute Type : 00000030h |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 136 |
| | | | | Index Entries Allocated : 136 |
| | | | | Flags : Large Index |
+------------------------------------------------------------------------------------------------------------------+
| 5 | $INDEX_ALLOCATION | True | 12288 | Index |
| | | | | 0000000000000004 : $AttrDef |
| | | | | 0000000000000008 : $BadClus |
| | | | | 0000000000000006 : $Bitmap |
| | | | | 0000000000000007 : $Boot |
| | | | | 000000000000000b : $Extend |
| | | | | 0000000000000002 : $LogFile |
| | | | | 0000000000000000 : $MFT |
| | | | | 0000000000000001 : $MFTMirr |
| | | | | 000000000000002d : $RECYCLE.BIN |
| | | | | 0000000000000009 : $Secure |
| | | | | 000000000000000a : $UpCase |
| | | | | 0000000000000003 : $Volume |
| | | | | 0000000000000005 : . |
| | | | | 000000000000240c : Dir1 |
| | | | | 0000000000000218 : Dir2 |
| | | | | 000000000000212a : Dir3 |
| | | | | 0000000000000024 : Dir4 |
| | | | | 0000000000000def : RECYCLER |
| | | | | 000000000000001b : System Volume Information |
| | | | | 000000000000001b : SYSTEM~1 |
+------------------------------------------------------------------------------------------------------------------+
| 6 | $BITMAP | False | 8 | Index Node Used : 2 |
+------------------------------------------------------------------------------------------------------------------+
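The header fields at the top of this listing (signature, update sequence, sequence number, flags, attribute offset) are what a parser must recover before any attribute can be read, and the undelete command's "not in use" test is one bit in that same header. The following Python is an added example, not NTFSTool code: it constructs a 1024-byte root-directory record whose header values mirror the inode 5 output above (with only two attributes, for brevity), then parses it, including the update-sequence fixups that a naive parser skips.

```python
"""Parse an NTFS FILE record the way a forensic MFT parser must: check the
'FILE' signature, undo the update-sequence fixups, decode the header, walk the
attribute headers and flag records whose in-use bit is clear (the undelete
criterion). The 1024-byte record below is constructed here; its header values
mirror the inode 5 listing above, with only two attributes for brevity."""
import struct

SECTOR = 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x40: "$OBJECT_ID",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02


def apply_fixups(rec: bytes) -> bytearray:
    """NTFS stamps the update sequence number over the last two bytes of every
    sector and keeps the real bytes in the array after it; put them back, and
    refuse records whose stamps disagree (torn write or bogus record)."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return out


def parse_file_record(rec: bytes) -> dict:
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    data = apply_fixups(rec)
    (_off, _cnt, lsn, seq, links, attr_off, flags, real, alloc, base_ref,
     next_id, _pad, index) = struct.unpack_from("<HHQHHHHIIQHHI", data, 4)
    info = {"lsn": lsn, "sequence": seq, "hardlinks": links, "attr_offset": attr_off,
            "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
            "real_size": real, "allocated_size": alloc, "base_record": base_ref,
            "next_attr_id": next_id, "record_index": index, "attributes": []}
    pos = attr_off
    while pos + 8 <= len(data):
        atype, alen = struct.unpack_from("<II", data, pos)
        if atype == 0xFFFFFFFF:          # end-of-attributes marker
            break
        if alen < 24 or alen % 8 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)), "non_resident": bool(data[pos + 8])}
        if not attr["non_resident"]:
            clen, coff = struct.unpack_from("<IH", data, pos + 16)
            attr["length"] = clen
            if atype == 0x30:            # $FILE_NAME: parent reference, then name at 0x42
                body = data[pos + coff:pos + coff + clen]
                ref = struct.unpack_from("<Q", body, 0)[0]
                attr["parent_index"], attr["parent_seq"] = ref & 0xFFFFFFFFFFFF, ref >> 48
                attr["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        info["attributes"].append(attr)
        pos += alen
    return info


def is_undelete_candidate(rec: bytes) -> bool:
    """What an undelete scan looks for: a valid FILE record with in-use clear."""
    return not parse_file_record(rec)["in_use"]


def resident_attr(atype: int, content: bytes) -> bytes:
    """Build a resident attribute: 24-byte header + content, padded to 8 bytes."""
    rlen = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, rlen, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(rlen, b"\0")


def build_sample_record() -> bytes:
    """Constructed root-directory record: LSN, sequence 5, 1 link, attribute
    offset 56, In_use|Directory, record index 5 and USN 4461 as on the page."""
    usn = 4461
    fname = bytearray(66)
    struct.pack_into("<Q", fname, 0, (5 << 48) | 5)   # parent is inode 5, sequence 5
    fname[0x40] = 1                                   # name length in UTF-16 units
    attrs = (resident_attr(0x10, bytes(72)) +
             resident_attr(0x30, bytes(fname) + ".".encode("utf-16-le")) +
             b"\xff\xff\xff\xff")
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 48, 3, 274035114, 5, 1, 56,
                                FLAG_IN_USE | FLAG_DIRECTORY, 56 + len(attrs), 1024, 0, 56, 0, 5)
    rec = bytearray(hdr.ljust(56, b"\0") + attrs.ljust(1024 - 56, b"\0"))
    struct.pack_into("<H", rec, 48, usn)              # update sequence number
    for i in (1, 2):                                  # save each sector tail, stamp the USN
        end = i * SECTOR
        rec[48 + 2 * i:48 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)


if __name__ == "__main__":
    info = parse_file_record(build_sample_record())
    print({k: v for k, v in info.items() if k != "attributes"})
    for a in info["attributes"]:
        print(a)
```

A record whose sector stamps do not match its USN is rejected rather than parsed, which is how a tool avoids reporting garbage from a torn or fabricated record.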

Btree
btree disk=0 volume=1 inode=5 (root folder)
B-tree index (inode:5) from \\.\PhysicalDrive3 > Volume:1
---------------------------------------------------------

Attributes:
-----------

+-------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+-------------------------------------------------------------------------------------------+
| 1 | $INDEX_ROOT | False | 56 | Attribute Type : Filename |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 40 |
| | | | | Index Entries Allocated : 40 |
| | | | | Flags : Large Index |
+-------------------------------------------------------------------------------------------+
| 2 | $INDEX_ALLOCATION | True | 20480 | First VCN : 0x000000000000 |
| | | | | Last VCN : 0x000000000004 |
+-------------------------------------------------------------------------------------------+

$INDEX_ALLOCATION entries:
--------------------------

+--------------------------------------------------------------------------------------------+
| VCN | Raw address | Size | Entries |
+--------------------------------------------------------------------------------------------+
| 000000000000h | 000000024000h | 000000001000h | 000000000004: $AttrDef |
| | | | 000000000008: $BadClus |
| | | | 000000000006: $Bitmap |
....
| | | | 000000000009: $Secure |
| | | | 00000000000a: $UpCase |
| | | | 000000000003: $Volume |
+--------------------------------------------------------------------------------------------+
| 000000000001h | 000000025000h | 000000001000h | 000000000098: randomfile - Copie (5).accdb |
| | | | 000000000097: randomfile - Copie (5).bat |
| | | | 000000000095: randomfile - Copie (5).psd |
| | | | 000000000096: randomfile - Copie (5).txt |
| | | | 00000000009b: randomfile - Copie (6).accdb |
....
| | | | 000000000083: randomfile.accdb |
| | | | 000000000082: randomfile.bat |
| | | | 000000000084: randomfile.psd |
| | | | 000000000081: randomfile.txt |
| | | | 000000000024: System Volume Information |
+--------------------------------------------------------------------------------------------+
| 000000000002h | 0000007d6000h | 000000001000h | |
+--------------------------------------------------------------------------------------------+
| 000000000003h | 0000007d7000h | 000000001000h | 000000000005: . |
| | | | 000000000092: randomfile - Copie (4).txt |
+--------------------------------------------------------------------------------------------+
| 000000000004h | 0000007d8000h | 000000001000h | 000000000027: random folder |
| | | | 00000000008c: randomfile - Copie (2).accdb |
| | | | 00000000008b: randomfile - Copie (2).bat |
| | | | 000000000089: randomfile - Copie (2).psd |
....
| | | | 00000000008e: randomfile - Copie (3).txt |
| | | | 000000000094: randomfile - Copie (4).accdb |
| | | | 000000000093: randomfile - Copie (4).bat |
| | | | 000000000091: randomfile - Copie (4).psd |
+--------------------------------------------------------------------------------------------+

B-tree index:
-------------

Root
|- 000000000000:
|---- VCN: 3
|- 000000000005: .
|---- VCN: 0
|- 000000000004: $AttrDef
|- 000000000008: $BadClus
|- 000000000006: $Bitmap
....
|- 000000000009: $Secure
|- 00000000000a: $UpCase
|- 000000000003: $Volume
|- 000000000092: randomfile - Copie (4).txt
|---- VCN: 4
|- 000000000027: random folder
|- 00000000008c: randomfile - Copie (2).accdb
|- 00000000008b: randomfile - Copie (2).bat
|- 000000000089: randomfile - Copie (2).psd
....
|- 000000000094: randomfile - Copie (4).accdb
|- 000000000093: randomfile - Copie (4).bat
|- 000000000091: randomfile - Copie (4).psd
|- 000000000000 (*)
|---- VCN: 1
|- 000000000098: randomfile - Copie (5).accdb
|- 000000000097: randomfile - Copie (5).bat
|- 000000000095: randomfile - Copie (5).psd
....
|- 000000000084: randomfile.psd
|- 000000000081: randomfile.txt
|- 000000000024: System Volume Information

Bitlocker
bitlocker disk=3 volume=1
FVE Version    : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Volume Master Keys:
-------------------

+--------------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Details |
+--------------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | Nonce : 01d5ecbb00f7155000000003 |
| | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | Encrypted Key : b76281568419ec3bee89d1eddccf3169 |
| | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | 0788bd366bec117b11a9fd6e |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$daea96439babc5d1 |
| | | | e7f20c8860ff1ee9$1048576$12$5015 |
| | | | f700bbecd50103000000$60$175ec23c |
| | | | d799e2bde9d24bf3697919feb7628156 |
| | | | 8419ec3bee89d1eddccf316959c466b6 |
| | | | b392f40f0875e58168d868d70788bd36 |
| | | | 6bec117b11a9fd6e |
+--------------------------------------------------------------------------------------------------------------------+
| 2 | Recovery Password | {19b4a3e2-94b3-452f-a614-6212faeb1b9d} | Nonce : 01d5ecbb00f7155000000006 |
| | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | Encrypted Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | 6124ff46865e805367f7bef1 |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$b9963d29e1bad1f4 |
| | | | 2e60c3bfb6e3bef5$1048576$12$5015 |
| | | | f700bbecd50106000000$60$3a06a06f |
| | | | db044d850ecd6faf5cf2aec997a43d40 |
| | | | c695c6d190eba3956ac7c7b1f5fdbbc7 |
| | | | f9a61a77c914fa347479c7ac6124ff46 |
| | | | 865e805367f7bef1 |
+--------------------------------------------------------------------------------------------------------------------+
bitlocker disk=3 volume=1 password=badpassword
FVE Version    : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Tested Password:
----------------

+--------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | badpassword | Invalid |
+--------------------------------------------------------------------------------+
bitlocker disk=3 volume=1 password=123456789
FVE Version    : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Tested Password:
----------------

+--------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | 123456789 | Valid |
| | | | | |
| | | | | VMK : 751bf363db63ba6f1b36fb2ecd5ff1d8 |
| | | | | f5eab77e8754a848f2743978c7615f9f |
| | | | | FVEK : 35b8197e6d74d8521f49698d5f556589 |
| | | | | 2cf286ae5323c65631965c905a9d7da4 |
+--------------------------------------------------------------------------------------------------------------+
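The JtR hash and the Nonce / MAC / Encrypted Key columns above are two views of the same VMK protector. The following Python is an added example, not NTFSTool code: it parses the $bitlocker$ line into its fields, validates every declared length against its hex payload, decodes the 12-byte AES-CCM nonce as the little-endian FILETIME plus counter that BitLocker's FVE metadata uses (assumed here, and consistent with the volume timestamp shown), and cross-checks it against the table values for protector 1.

```python
"""Cross-check the two representations NTFSTool prints for one VMK protector:
the Nonce / MAC / Encrypted Key fields and the one-line $bitlocker$ hash.
The hash is split into its '$'-delimited fields, each length field is checked
against its hex payload, and the nonce is decoded as FILETIME + counter.
Values are those shown on the page for VMK 1 (Password); the decoding is added here."""
import struct
from datetime import datetime, timedelta, timezone

# Values from the 'bitlocker disk=3 volume=1' listing above (VMK 1, Password).
TABLE_NONCE = "01d5ecbb00f7155000000003"
TABLE_MAC = "daea96439babc5d1e7f20c8860ff1ee9"
TABLE_ENCRYPTED_KEY = ("b76281568419ec3bee89d1eddccf3169"
                       "59c466b6b392f40f0875e58168d868d7"
                       "0788bd366bec117b11a9fd6e")
JTR_HASH = ("$bitlocker$1$16$daea96439babc5d1e7f20c8860ff1ee9$1048576$12$"
            "5015f700bbecd50103000000$60$175ec23cd799e2bde9d24bf3697919fe"
            "b76281568419ec3bee89d1eddccf316959c466b6b392f40f0875e58168d868d7"
            "0788bd366bec117b11a9fd6e")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_bitlocker_hash(h: str) -> dict:
    """Split '$bitlocker$<type>$<len>$<salt>$<iter>$<len>$<nonce>$<len>$<data>'
    and verify that each declared byte length matches the hex field after it."""
    parts = h.split("$")
    if len(parts) != 10 or parts[0] != "" or parts[1] != "bitlocker":
        raise ValueError("not a $bitlocker$ hash line")
    _, _, ptype, salt_len, salt, iters, nonce_len, nonce, data_len, data = parts
    fields = {"type": int(ptype), "iterations": int(iters)}
    for name, declared, hexval in (("salt", salt_len, salt),
                                   ("nonce", nonce_len, nonce),
                                   ("data", data_len, data)):
        raw = bytes.fromhex(hexval)
        if len(raw) != int(declared):
            raise ValueError(f"{name}: declared {declared} bytes, got {len(raw)}")
        fields[name] = raw
    return fields


def decode_nonce(nonce: bytes):
    """Assumed layout: 8-byte little-endian FILETIME followed by a 4-byte counter."""
    ft, counter = struct.unpack("<QI", nonce)
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10), counter


def table_nonce_to_hash_order(table_nonce_hex: str) -> bytes:
    """The table prints the nonce as two big-endian integers; the hash line
    carries the raw little-endian bytes, so reverse each integer's bytes."""
    raw = bytes.fromhex(table_nonce_hex)
    return raw[:8][::-1] + raw[8:][::-1]


def cross_check(h: str, table_nonce: str, table_mac: str, table_enc_key: str) -> dict:
    f = parse_bitlocker_hash(h)
    when, counter = decode_nonce(f["nonce"])
    enc_key = bytes.fromhex(table_enc_key)
    return {
        "nonce_matches": f["nonce"] == table_nonce_to_hash_order(table_nonce),
        # the 16-byte field the table labels MAC sits in the hash's salt position
        "salt_field_is_table_mac": f["salt"] == bytes.fromhex(table_mac),
        "data_ends_with_encrypted_key": f["data"].endswith(enc_key),
        "data_prefix_len": len(f["data"]) - len(enc_key),
        "nonce_time": when, "nonce_counter": counter,
        "iterations": f["iterations"],
    }


if __name__ == "__main__":
    for k, v in cross_check(JTR_HASH, TABLE_NONCE, TABLE_MAC, TABLE_ENCRYPTED_KEY).items():
        print(f"{k:30}: {v}")
```

The decoded nonce time lands on 2020-02-26, the day of the volume's Timestamp field, which is a quick way to confirm the hash line was taken from the expected FVE metadata block.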

Bitdecrypt
bitdecrypt disk=3 volume=1 output=decrypted.img fvek=35b8197e6d74d8521f49698d5f5565892cf286ae5323c65631965c905a9d7da4
[+] Opening \\?\Volume{09a02598-0000-0000-0002-000000000000}\
[+] Reading Bitlocker VBR
[-] Volume State : ENCRYPTED
[-] Size : 536870400 (512.00 MiBs)
[-] Encrypted Size : 536870400 (512.00 MiBs)
[-] Algorithm : AES-XTS-128
[+] Decrypting sectors
[-] Processed data size : 512.00 MiBs (100%)
[+] Duration : 7535ms
[+] Closing Volume

EFS-backup
efs.backup disk=0 volume=4 password=123456
Backup certificates and keys from \\.\PhysicalDrive0 > Volume:4
---------------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for certificates
- 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B
[+] Finding corresponding private keys
- 5f2870d8a6f1ef6487be2e1aee746fb5_bbc401c6-854a-4d12-9b65-8d52ca66cb6a
[+] Finding corresponding masterkeys
- 9ac19509-54d3-48bc-8c67-4cfb01d73498
[+] Exporting 1 certificates and keys (pass: backup)
- ef456e5b-43e4-4eda-a80b-e234611306d4 : Ok
Exported to 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B.pfx

EFS-certificate
efs.certificate disk=0 volume=4
List certificates from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for certificates
8 certificate(s) found
[+] Certificates
+-----------------------------------------------------------------------------------------------------------------------------------+
| Id | User | File | Certificate |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 0 | Bobby | Name : 02728B6DF5573C5955A4DFF22319441C889C367B | Friendly Name : APNS certificate Direct |
| | | Record : 00000001d2d5h | |
| | | Size : 850.00 bytes | |
| | | | |
| | | Creation : 2019-05-11 15:59:29 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 1 | Bobby | Name : 14BB7663C51C77FF5CAD89B4DC34495864338C67 | Friendly Name : APNS certificate |
| | | Record : 00000000b5a4h | |
| | | Size : 824.00 bytes | |
| | | | |
| | | Creation : 2021-03-03 18:02:33 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bobby | Name : 564481148D4DBDD09AA1FF467ED71F0F28ACF61B | Container : ef456e5b-36e4-4eda-a80b-e234611306d4 |
| | | Record : 00000000ab23h | Provider : Microsoft Enhanced Cryptographic Provider v1.0 |
| | | Size : 1.15 KiB | Type : PROV_RSA_FULL |
| | | | KeySpec : AT_KEYEXCHANGE |
| | | Creation : 2020-08-17 13:20:03 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
..........
efs.certificate disk=0 volume=4 inode=0xb5a4
Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate
+----------------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------------------------------------------------------------------------+
| 0 | File | Creation : 2021-03-03 18:02:33 |
| | | Size : 824.00 bytes |
+----------------------------------------------------------------------------------------------------------------------------+
| 1 | CERT_SHA1_HASH_PROP_ID | 14A67663C51C66FF5CAD89B4DC34495864338C67 |
+----------------------------------------------------------------------------------------------------------------------------+
| 2 | CERT_FRIENDLY_NAME_PROP_ID | APNS certificate |
+----------------------------------------------------------------------------------------------------------------------------+
| 3 | CERT_KEY_IDENTIFIER_PROP_ID | 82B87AE4F2251242252A2644D98169F34F909CA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 4 | CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID | DB532C4794A15E5D0392C7C605FCBCA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 5 | CERT_CERTIFICATE_FILE | Data: |
| | | Version: 3 (0x2) |
| | | Serial Number: |
| | | 01:20:cb:ab:28:8a:97:ee:99:cc |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | Issuer: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA |
| | | Validity |
| | | Not Before: Mar 3 15:57:33 2021 GMT |
| | | Not After : Mar 3 16:02:33 2022 GMT |
| | | Subject: CN=1A6032AA-91A2-4B1D-B6AF-5509FC173686 |
| | | Subject Public Key Info: |
| | | Public Key Algorithm: rsaEncryption |
| | | RSA Public-Key: (1024 bit) |
| | | Modulus: |
| | | 00:a2:75:db:69:8d:c9:b3:fd:96:4d:28:b9:43:94: |
| | | db:7d:73:53:88:c9:79:e9:fa:de:e4:12:14:2c:de: |
...
| | | a7:6b:d0:01:9e:dc:66:27:ef:2e:20:7e:e5:2a:42: |
| | | 9e:6f:85:9c:b6:8f:be:d3:05 |
| | | Exponent: 65537 (0x10001) |
| | | X509v3 extensions: |
| | | X509v3 Authority Key Identifier: |
| | | keyid:B2:FE:21:23:44:86:95:6A:79:D5:81:26:8E:73:10:D |
| | | 8:A7:4C:8E:74 |
| | | X509v3 Subject Key Identifier: |
| | | 82:B8:7A:E4:F2:25:12:42:25:2A:26:44:D9:81:69:F3:4F:9 |
| | | 0:9C:A8 |
| | | X509v3 Basic Constraints: critical |
| | | CA:FALSE |
| | | X509v3 Key Usage: critical |
| | | Digital Signature, Key Encipherment |
| | | X509v3 Extended Key Usage: critical |
| | | TLS Web Server Authentication, TLS Web Client Authen |
| | | tication |
| | | 1.2.840.113635.100.6.10.6: |
| | | .. |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | 28:54:6c:d9:4e:97:f5:dd:1f:79:4a:6a:74:42:ad:6e:a1:11: |
...
| | | 27:58:3b:d5:1e:c3:71:af:6b:bd:fe:5d:ad:4d:bd:82:fa:53: |
| | | ff:0c |
+----------------------------------------------------------------------------------------------------------------------------+
efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert format=pem
Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate exported to mycert.pem

EFS-key
efs.key disk=0 volume=4
List keys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories:
8 directories found
[+] Searching for keys
9713 key(s) found
[+] Keys
+------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Name | Creation Date |
+------------------------------------------------------------------------------------------------------------------+
| 0 | User1 | Name : 0004f7ed30db...017ee8d52ca6 | {15676EB3-D258-410F-85CB-9AB29E642CB3} | 2021-05-19 14:10:15 |
| | | Record : 0000000246c5h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 1 | User1 | Name : 0016875547ba...f7a9606b4177 | {BA4B66DC-8C1D-4FDF-A1EF-78B64411D1AD} | 2020-02-03 19:37:39 |
| | | Record : 000000019f19h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 2 | User1 | Name : 002a02ec680e...9a0a8d52ca67 | {3A3E1CF2-5AC2-4717-8006-D7C0F2936435} | 2019-06-26 15:50:50 |
..........
efs.key disk=0 volume=4 inode=742107
Display key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[+] Key
+------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+------------------------------------------------------------------------------------------------------------------+
| 0 | File | Creation : 2021-09-23 22:16:43 |
| | | Size : 4.00 KiBs |
+------------------------------------------------------------------------------------------------------------------+
| 1 | Version | 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | Name | ef456e5b-43e4-4eda-a80b-e234611306d4 |
+------------------------------------------------------------------------------------------------------------------+
| 3 | Flags | 00000000h |
+------------------------------------------------------------------------------------------------------------------+
| 4 | PublicKey | Magic : 31415352h (RSA1) |
| | | Size : 2048 |
| | | Exponent : 65537 |
| | | |
| | | Permissions : CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
...
| | | |
| | | Modulus : 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+------------------------------------------------------------------------------------------------------------------+
| 5 | Encrypted PrivateKey | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : ClΓ© privΓ©e CryptoAPI |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A |
| | | |
| | | HMAC : - |
| | | HMAC2 : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6 |
| | | |
| | | Encrypted Data : D7DAD9229C91DBC9608852A4411527D7 |
| | | 58DB27E19596DD118F2D70F68CC7913C |
...
| | | 7870F6C68DA1B9139BF6E39725F4E72E |
| | | 4EC435C947F127CA3E333CB5E2F43978 |
| | | |
| | | Signature Data : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F |
| | | 5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED |
+------------------------------------------------------------------------------------------------------------------+
| 6 | Hash | 0000000000000000000000000000000000000000 |
+------------------------------------------------------------------------------------------------------------------+
| 7 | ExportFlag | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Export Flag |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06 |
| | | |
| | | HMAC : - |
| | | HMAC2 : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2 |
| | | |
| | | Encrypted Data : 875A6429226F11DFD3690D43BE633287 |
| | | |
| | | Signature Data : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6 |
| | | 9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178 |
+------------------------------------------------------------------------------------------------------------------+
efs.key disk=0 volume=4 inode=742107 masterkey=34fac126105ce30...178c5bff4979eb
Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Clear key (2048bits):
+----------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------+
| 0 | Magic | RSA2 |
+----------------------------------------------------------+
| 1 | Bitsize | 2048 |
+----------------------------------------------------------+
| 2 | Permissions | CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
| | | CRYPT_WRITE |
| | | CRYPT_MAC |
| | | CRYPT_EXPORT_KEY |
| | | CRYPT_IMPORT_KEY |
+----------------------------------------------------------+
| 3 | Exponent | 65537 |
+----------------------------------------------------------+
| 4 | Modulus | 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+----------------------------------------------------------+
| 5 | Prime1 | C02F585644ED6326FF82368B0AD9ECD4 |
...
| | | 65F7DE6D173FEBEF95BE491FB222E07B |
+----------------------------------------------------------+
| 6 | Prime2 | C884376BBC50C2A14C495894FBF980DE |
...
| | | 6759E812B6385B9151EBED8DCD65238F |
+----------------------------------------------------------+
| 7 | Exponent1 | 0E33B17876918051427271EB667AE238 |
...
| | | 69349EF83ACE9B75D20004D155CDA3FF |
+----------------------------------------------------------+
| 8 | Exponent2 | 5BF265077E1EFA60C47E8DA423B751A4 |
...
| | | E7008F2EA5684A74E4BFEEFAAB48C979 |
+----------------------------------------------------------+
| 9 | Coefficient | 7D68AA3844F096959C23BD59E4BE3147 |
...
| | | 592ABC1BEDEBA6F5B4BDE3D0F9BEF7C5 |
+----------------------------------------------------------+
| 10 | Private Exponent | 2462A061AD85A7C3B0DF7764CC5DDDFA |
| | | 40D83B3FBF0D9D016C419E6B6744AD73 |
...
| | | 47685BDEB0FABDC21AF5CABBA13D138D |
| | | F39FC063F1F20323E3220229E29FA42D |
+----------------------------------------------------------+
efs.key disk=0 volume=4 inode=742107 masterkey=34...eb output=mykey format=pem
Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Public key exported to mykey.pub.pem.
[+] Private key exported to mykey.priv.pem.

EFS-masterkey
efs.masterkey disk=0 volume=4
List masterkeys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for keys
19 key(s), 2 preferred file(s) found
[+] MasterKeys
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Key(s) | Creation Date |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 0 | DefaultAppPool | Name : e4ed144f-6522-4471-8893-a6e29e175ba6 | MasterKey | 2021-08-17 14:54:41 |
| | | Record : 000000031848h | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : FA737C82899CC3F61A3B332B15FDC241 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
| | | | Version : 2 | |
| | | | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : DF0651C903763132BC3043BF144A7DDD | |
| | | | Rounds : 8000 | |
| | | | CredHist | |
| | | | Version : 3 | |
| | | | GUID : {00000000-0000-0000-0000-000000000000} | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | DefaultAppPool | Name : Preferred | Preferred | 2021-08-17 14:54:41 |
| | | Record : 00000003184ah | GUID : {e4ed144f-6522-4471-8893-a6e29e175ba6} | |
| | | Size : 24.00 bytes | Renew : 2021-11-15 12:54:41 | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bob | Name : 26bd8b3d-e87f-4df3-a1af-18f434788090 | MasterKey | 2021-03-05 01:16:42 |
| | | Record : 000000004f4ah | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : 39B575D1816DE8224B9E11C38E35EB34 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
..........
efs.masterkey disk=0 volume=4 inode=0x80544
Display masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[+] MasterKey
+--------------------------------------------------------------------+
| Id | Property | Value |
+--------------------------------------------------------------------+
| 0 | File | Creation : 2020-07-06 05:56:06 |
| | | Size : 468.00 bytes |
+--------------------------------------------------------------------+
| 1 | Version | 2 |
+--------------------------------------------------------------------+
| 2 | GUID | 9ac19509-54d3-48bc-8c67-4cfb01d73498 |
+--------------------------------------------------------------------+
| 3 | Policy | 00000005h |
+--------------------------------------------------------------------+
| 4 | MasterKey | Version : 2 |
| | | Salt : 3ED4CDBCC4073D6724A512061D0597E1 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : 3610946FE1A7B9099D0AFA7658325014 |
| | | 296D1F0E5BA93249858BE3ACCC8FD7A8 |
| | | F62DB6808833FC303095C6588BDE3826 |
| | | 80ABF391222CD77661BCCB637DDAC490 |
| | | B5FC02C854EF45490EE10851EF524DE2 |
| | | 85DD508F905216D528D3DC3336830FF9 |
| | | 690472730A03D64CF892E06B9AA35692 |
| | | AB7679E908D487119030B73CB87E6F9F |
| | | 731F65609CB8ACA972BCC9042B27B9B4 |
+--------------------------------------------------------------------+
| 5 | BackupKey | Version : 2 |
| | | Salt : B60E21F9578D02A97964D7B10151BE69 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : CD5D3684873D6A1D66520FB1642779E1 |
| | | D78A649F02DDFE7C069F9B5F8FF9F005 |
| | | 7DC01E0A6AA9A815C8887BC1BF5B88E6 |
| | | E797DC5F4A3A0535B3217BADC7FAD38E |
| | | 798C1846423C8631DE472D790B308B2D |
| | | F15340B87FCD55A98DAEE92196235CF9 |
| | | B328FAF475C05A911DF19C99D54D5A3C |
+--------------------------------------------------------------------+
| 6 | CredHist | Version : 3 |
| | | GUID : {20e0b482-797f-429e-b4a0-30020731ef0a} |
+--------------------------------------------------------------------+
efs.masterkey disk=0 volume=4 inode=0x80544 sid="S-1-5-21-1521398...3175218-1001" password="ntfst00l"
Decrypt masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[-] Masterkey
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Rounds : 8000
Salt : 3ED4CDBCC4073D6724A512061D0597E1
[+] Decrypting masterkey
[+] Clear masterkey (256bits):
34FAC126105CE302421A0FC7E3933FEC5639AA6BFF95000E6DA83AE67522EAB6
0AF58A27D834883B65611878B258AAAECD8983E3718E00F276178C5BFF4979EB
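
The derivation behind the `efs.masterkey ... sid=... password=...` command above (CALG_SHA_512, CALG_AES_256, 8000 rounds, the printed salt), reimplemented in Python as an added example. This is not NTFSTool's code. The chain is: pre-key from password and SID, a DPAPI-specific PBKDF2 that yields the AES-256 key and IV, AES-256-CBC decryption of the 144-byte "Enc Key" blob, and an HMAC check on the result. The AES step itself needs an AES library and is not shown; everything up to the key/IV and the HMAC verification is. The pre-key step assumes a local account (SHA1 of the UTF-16LE password); the SID and the blob in `demo()` are constructed for the self-check, not taken from a real machine.

```python
import hashlib
import hmac
import struct

# Parameters as printed by the masterkey commands on this page.
HASH_ALG = "sha512"      # CALG_SHA_512
AES_KEY_LEN = 32         # CALG_AES_256
AES_IV_LEN = 16
ROUNDS = 8000
MASTERKEY_LEN = 64


def dpapi_pbkdf2(prekey: bytes, salt: bytes, dklen: int, rounds: int, hash_name: str = HASH_ALG) -> bytes:
    """PBKDF2 the way DPAPI computes it for master key files.

    It is not RFC 2898: every round feeds the running XOR accumulator back into the
    PRF instead of the previous PRF output (the variant mimikatz and dpapick implement).
    Results match the standard for rounds <= 2 and diverge from the third round on,
    so a plain stdlib pbkdf2_hmac() does not reproduce the key.
    """
    out = b""
    block = 1
    while len(out) < dklen:
        acc = hmac.new(prekey, salt + struct.pack(">I", block), hash_name).digest()
        for _ in range(rounds - 1):
            u = hmac.new(prekey, acc, hash_name).digest()   # RFC 2898 would hash the previous u here
            acc = bytes(x ^ y for x, y in zip(acc, u))
        out += acc
        block += 1
    return out[:dklen]


def rfc2898_pbkdf2(prekey: bytes, salt: bytes, dklen: int, rounds: int, hash_name: str = HASH_ALG) -> bytes:
    """Standard PBKDF2 from the stdlib, kept only to show where the two diverge."""
    return hashlib.pbkdf2_hmac(hash_name, prekey, salt, rounds, dklen)


def prekey_from_password(password: str, sid: str) -> bytes:
    """Password + user SID -> 20-byte pre-key.

    Local accounts start from SHA1(UTF-16LE(password)); for domain accounts the
    NT hash (MD4) takes that place. The SID is UTF-16LE with its NUL terminator.
    """
    pw_hash = hashlib.sha1(password.encode("utf-16-le")).digest()
    return hmac.new(pw_hash, (sid + "\0").encode("utf-16-le"), hashlib.sha1).digest()


def derive_masterkey_cipher(prekey: bytes, salt: bytes, rounds: int = ROUNDS):
    """(AES-256 key, IV) that decrypts the 'Enc Key' blob in CBC mode."""
    derived = dpapi_pbkdf2(prekey, salt, AES_KEY_LEN + AES_IV_LEN, rounds)
    return derived[:AES_KEY_LEN], derived[AES_KEY_LEN:]


def split_decrypted_masterkey(cleartext: bytes):
    """Decrypted layout: 16-byte HMAC salt | HMAC (64 bytes for SHA-512) | 64-byte master key.
    16 + 64 + 64 = 144 bytes, the size of the MasterKey 'Enc Key' shown above."""
    digest_len = hashlib.new(HASH_ALG).digest_size
    return cleartext[:16], cleartext[16:16 + digest_len], cleartext[-MASTERKEY_LEN:]


def masterkey_hmac(prekey: bytes, hmac_salt: bytes, key: bytes) -> bytes:
    """HMAC(HMAC(prekey, hmac_salt), key): the check that tells a right password from a wrong one."""
    inner = hmac.new(prekey, hmac_salt, HASH_ALG).digest()
    return hmac.new(inner, key, HASH_ALG).digest()


def verify_masterkey(prekey: bytes, cleartext: bytes) -> bool:
    hmac_salt, stored, key = split_decrypted_masterkey(cleartext)
    return hmac.compare_digest(masterkey_hmac(prekey, hmac_salt, key), stored)


def demo():
    """Self-check on a constructed blob (no real DPAPI data): the decrypted layout is
    rebuilt for a placeholder key, then verified with the right and a wrong password.
    Returns (accepted_with_right_password, accepted_with_wrong_password)."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"    # made-up SID
    salt = bytes.fromhex("3ED4CDBCC4073D6724A512061D0597E1")   # the salt printed above
    master_key = bytes(range(MASTERKEY_LEN))                   # placeholder, not a real key
    hmac_salt = b"\x11" * 16
    right = prekey_from_password("ntfst00l", sid)
    wrong = prekey_from_password("not-the-password", sid)
    aes_key, iv = derive_masterkey_cipher(right, salt)         # feed these to AES-256-CBC on a real blob
    assert len(aes_key) == AES_KEY_LEN and len(iv) == AES_IV_LEN
    cleartext = hmac_salt + masterkey_hmac(right, hmac_salt, master_key) + master_key
    return verify_masterkey(right, cleartext), verify_masterkey(wrong, cleartext)


if __name__ == "__main__":
    print(demo())
```

On a real master key file you AES-256-CBC-decrypt the "Enc Key" bytes with the key and IV from `derive_masterkey_cipher`, then run `verify_masterkey` on the result: a wrong password or SID produces garbage whose HMAC does not match, which is how a tool knows to report failure rather than print 64 random bytes.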

FVE
fve disk=3 volume=1 fve_block=2
Signature             : -FVE-FS-
Size : 57
Version : 2
Current State : ENCRYPTED (4)
Next State : ENCRYPTED (4)
Encrypted Size : 536870400 (512.00 MiBs)
Convert Size : 0
Backup Sectors : 16
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
Backup Sectors Offset : 0000000002110000

FVE Metadata Header
-------------------

Size : 840
Version : 1
Header Size : 48
Copy Size : 840
Volume GUID : {70a57ea3-9b98-4034-8b6a-645f731e2d1e}
Next Counter : 10
Algorithm : AES-XTS-128 (8004)
Timestamp : 2020-02-26 16:39:17

FVE Metadata Entries (5)
------------------------

+----------------------------------------------------------------------------------------------------------------+
| Id | Version | Size | Entry Type | Value Type | Value |
+----------------------------------------------------------------------------------------------------------------+
| 1 | 1 | 72 | Drive Label | Unicode | String : TWN NTFSDRIVE 26/02/2020 |
+----------------------------------------------------------------------------------------------------------------+
| 2 | 1 | 224 | VMK | VMK | Key ID : {2dd368f3-37d7-414f-94e6-3c5b86f |
| | | | | | add50} |
| | | | | | Last Change : 2020-02-26 16:40:00 |
| | | | | | Protection : Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 108 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000002 |
| | | | | | MAC : 1dfebdc79a966e72ca806d6a83d8c7ba |
| | | | | | Key : eb51a188df981b54f51698c76d76a8bb |
| | | | | | d22afbbe27603ea6afc34c077726262e |
| | | | | | 5ba07482053d3c36fdecf80f |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000003 |
| | | | | | MAC : 175ec23cd799e2bde9d24bf3697919fe |
| | | | | | Key : b76281568419ec3bee89d1eddccf3169 |
| | | | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | | | 0788bd366bec117b11a9fd6e |
+----------------------------------------------------------------------------------------------------------------+
| 3 | 1 | 316 | VMK | VMK | Key ID : {19b4a3e2-94b3-452f-a614-6212fae |
| | | | | | b1b9d} |
| | | | | | Last Change : 2020-02-26 16:40:07 |
| | | | | | Protection : Recovery Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 172 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 64 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000004 |
| | | | | | MAC : 8064d679c7d8d1fa8ae548b0844882c7 |
| | | | | | Key : 18d21021d40e3dc99d38c8dd84faed10 |
| | | | | | 370c32095f4f63261ad8ec40 |
| | | | | | |
| | | | | | Property #1.2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000005 |
| | | | | | MAC : 3d40f2b5fc0091b894b438763fcdf4cd |
| | | | | | Key : a0af0aeda32d977d26ac76f9fc429668 |
| | | | | | 955d2a6a49fe4e2323751924e47e6c39 |
| | | | | | 8c22f7fcd2d4272003cb7a4e |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000006 |
| | | | | | MAC : 3a06a06fdb044d850ecd6faf5cf2aec9 |
| | | | | | Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | | | 6124ff46865e805367f7bef1 |
| | | | | | |
| | | | | | Property #3 - Unknown (00000015) |
| | | | | | - 28 |
| | | | | | -------- |
| | | | | | Unknown Value Type (21) |
+----------------------------------------------------------------------------------------------------------------+
| 4 | 1 | 80 | FKEV | AES-CCM | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000008 |
| | | | | | MAC : 2ff7d7f79920e3509fb8d20cb15b62c8 |
| | | | | | Key : 097169b9a5c41420ed2353a4a4210763 |
| | | | | | a8833d1a4a88c6f7c0c45ec7c0959f25 |
| | | | | | 2c8eac3f306e9fd1e693784a |
+----------------------------------------------------------------------------------------------------------------+
| 5 | 1 | 100 | Volume Header Block | Offset and Size | Offset : 0000000002110000 |
| | | | | | Size : 0000000000002000 |
+----------------------------------------------------------------------------------------------------------------+

reparse
reparse disk=0 volume=4
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading $Extend\$Reparse
[+] 104 entries found
+----------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Filename | Type | Target/Data |
+----------------------------------------------------------------------------------------------------------------+
| 0 | 00000eb3 | debian.exe | AppExecLink | TheDebianProject.DebianGNULinux_ |
| | | | | 76v4gfsz19hv4 |
| | | | | |
| | | | | TheDebianProject.DebianGNULinux_ |
| | | | | 76v4gfsz19hv4!debian |
| | | | | |
| | | | | C:\Program Files\WindowsApps\The |
| | | | | DebianProject.DebianGNULinux_1.2 |
| | | | | .0.0_x64__76v4gfsz19hv4\debian.e |
| | | | | xe |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 13 | 000007f9 | BaseLayer | Mount Point | \??\Volume{629458e4-0000-0000-00 |
| | | | | 00-010000000000}\ |
+----------------------------------------------------------------------------------------------------------------+
| 14 | 00013e24 | Watchdog | Mount Point | \??\C:\Program Files\NVIDIA Corp |
| | | | | oration\NvContainer\Watchdog |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 102 | 00035861 | C2R64.dll | Symbolic Link | \??\C:\Program Files\Common File |
| | | | | s\Microsoft Shared\ClickToRun\C2 |
| | | | | R64.dll |
+----------------------------------------------------------------------------------------------------------------+
| 103 | 000986b0 | All Users | Symbolic Link | \??\C:\ProgramData |
+----------------------------------------------------------------------------------------------------------------+

logfile
logfile disk=4 volume=1 output=logfile.csv format=csv
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading $LogFile record
[-] $LogFile size : 4.14 MiBs
[+] Parsing $LogFile Restart Pages
[-] Newest Restart Page LSN : 5274485
[-] Volume marked as cleanly unmounted
[-] Client found : [1] NTFS
[+] Parsing $LogFile Record Pages
[-] $LogFile Record Page Count: 86
[+] Parsing $LogFile Records: 601
[+] Closing volume
Sample of logfile.csv
    LSN,ClientPreviousLSN,UndoNextLSN,ClientID,RecordType,TransactionID,RedoOperation,UndoOperation,MFTClusterIndex,TargetVCN,TargetLCN
5269000,5268967,5268967,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269019,5269000,5269000,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269044,5269019,5269019,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269063,5269044,5269044,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269082,5269063,5269063,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269103,5269082,5269082,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269122,5269103,0,0,1,24,ForgetTransaction,CompensationLogRecord,0,0,18446744073709551615
5269133,0,0,0,1,24,UpdateResidentValue,UpdateResidentValue,2,13,43703

usn
usn disk=4 volume=1 output=usn.csv format=csv
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Finding $Extend\$UsnJrnl record
[+] Found in file record : 41
[+] Data stream $J size : 2.66 KiBs
[+] Reading $J
[+] Processing entry : 32
[+] Closing volume
Sample of usn.csv
MajorVersion,MinorVersion,FileReferenceNumber,FileReferenceSequenceNumber,ParentFileReferenceNumber,ParentFileReferenceSequenceNumber,Usn,Timestamp,Reason,SourceInfo,SecurityId,FileAttributes,Filename
2,0,53,4,5,5,0,2020-02-26 21:43:36,FILE_CREATE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,96,2020-02-26 21:43:36,FILE_CREATE+CLOSE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,192,2020-02-26 21:43:38,RENAME_OLD_NAME,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,288,2020-02-26 21:43:38,RENAME_NEW_NAME,0,0,DIRECTORY,test
2,0,53,4,5,5,360,2020-02-26 21:43:38,RENAME_NEW_NAME+CLOSE,0,0,DIRECTORY,test
2,0,53,4,5,5,432,2020-02-26 21:43:39,OBJECT_ID_CHANGE,0,0,DIRECTORY,test
2,0,53,4,5,5,504,2020-02-26 21:43:39,OBJECT_ID_CHANGE+CLOSE,0,0,DIRECTORY,test
2,0,54,2,53,4,576,2020-02-26 21:43:41,FILE_CREATE,0,0,ARCHIVE,Nouveau document texte.txt
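
A parser for the `$J` records that the `usn` command turns into the CSV above, added here as an example; it is not NTFSTool's code. It reads USN_RECORD_V2 structures from a raw `$J` slice, splits the 64-bit file reference into the MFT index and sequence number the CSV columns show, decodes the reason mask into the same `FILE_CREATE+CLOSE` style, and converts the FILETIME timestamp. The same FILETIME conversion explains the "Nonce as Time" lines in the `fve` output further up: a BitLocker AES-CCM nonce starts with an 8-byte FILETIME. The journal fed to the parser is constructed in `demo_journal()` to mirror the first lines of usn.csv; it is not data from the page's disk image.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits from winioctl.h
USN_REASON = {
    0x00000001: "DATA_OVERWRITE",       0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",      0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",          0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",            0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",      0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",     0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",     0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",    0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
FILE_ATTRIBUTE_DIRECTORY = 0x10

# USN_RECORD_V2 fixed part, 60 bytes little-endian: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows.
_HDR = struct.Struct("<IHHQQQQIIIIHH")
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01) -> UTC datetime. Also decodes the 8-byte
    FILETIME at the start of a BitLocker AES-CCM nonce ('Nonce as Time' in the fve output)."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def split_file_reference(ref: int):
    """64-bit NTFS file reference: low 48 bits = MFT record index, high 16 = sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def make_file_reference(index: int, sequence: int) -> int:
    return (sequence << 48) | index


def reason_to_string(mask: int) -> str:
    names = [name for bit, name in sorted(USN_REASON.items()) if mask & bit]
    return "+".join(names) or f"0x{mask:08x}"


@dataclass
class UsnRecord:
    usn: int
    mft_index: int
    sequence: int
    parent_mft_index: int
    parent_sequence: int
    timestamp: datetime
    reason: str
    attributes: int
    filename: str


def parse_usn_journal(data: bytes):
    """Yield records from a raw $J slice. $J is sparse, so zero-filled ranges (RecordLength 0)
    are skipped in 8-byte steps instead of being reported as corruption."""
    off = 0
    while off + 4 <= len(data):
        (rec_len,) = struct.unpack_from("<I", data, off)
        if rec_len == 0:
            off += 8
            continue
        if rec_len < _HDR.size or off + rec_len > len(data):
            raise ValueError(f"bad record length {rec_len} at offset {off}")
        (_, major, _minor, fref, pref, usn, ts, reason, _src, _secid, attrs,
         name_len, name_off) = _HDR.unpack_from(data, off)
        if major != 2:
            raise ValueError(f"USN_RECORD_V{major} at offset {off} not handled (V3 uses 128-bit references)")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        idx, seq = split_file_reference(fref)
        pidx, pseq = split_file_reference(pref)
        yield UsnRecord(usn, idx, seq, pidx, pseq, filetime_to_datetime(ts),
                        reason_to_string(reason), attrs, name)
        off += rec_len


def build_usn_record_v2(usn, fref, pref, when, reason, attrs, filename) -> bytes:
    """Serialise one record (8-byte aligned); used here only to construct sample input."""
    name = filename.encode("utf-16-le")
    rec_len = (_HDR.size + len(name) + 7) & ~7
    hdr = _HDR.pack(rec_len, 2, 0, fref, pref, usn, datetime_to_filetime(when),
                    reason, 0, 0, attrs, len(name), _HDR.size)
    return (hdr + name).ljust(rec_len, b"\0")


def demo_journal() -> bytes:
    """Constructed $J slice mirroring the first lines of usn.csv above: a folder is
    created, closed and renamed. The Usn of each record is its offset in the stream."""
    t0 = datetime(2020, 2, 26, 21, 43, 36, tzinfo=timezone.utc)
    folder, root = make_file_reference(53, 4), make_file_reference(5, 5)
    events = [
        (t0, 0x100, "Nouveau dossier"),                          # FILE_CREATE
        (t0, 0x100 | 0x80000000, "Nouveau dossier"),             # FILE_CREATE+CLOSE
        (t0 + timedelta(seconds=2), 0x1000, "Nouveau dossier"),  # RENAME_OLD_NAME
        (t0 + timedelta(seconds=2), 0x2000, "test"),             # RENAME_NEW_NAME
    ]
    out = b""
    for when, reason, name in events:
        out += build_usn_record_v2(len(out), folder, root, when, reason, FILE_ATTRIBUTE_DIRECTORY, name)
    return out + b"\0" * 64          # unallocated tail, as read back from a sparse stream
```

Running `list(parse_usn_journal(demo_journal()))` gives Usn values 0, 96, 192 and 288 for the four records, the same spacing as usn.csv, because a 60-byte header plus the 30-byte UTF-16LE name "Nouveau dossier" rounds up to 96. `filetime_to_datetime` returns UTC; for the nonce `01d5ecbb00f71550` from the `fve` output it yields 2020-02-26 15:39:59 UTC, an hour earlier than the page's display, which is consistent with the tool printing local time.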

shadow
shadow disk=0 volume=4
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] VSS header found at 0x1e00

+---------------------------------------------------------------------------------------------------------------+
| SetID/ID | Count | Date | Details |
+---------------------------------------------------------------------------------------------------------------+
| {857c9ac4-ee4f-4bc6-b822-59e935a7120f} | 1 | 2020-09-21 00:15:38 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {3d102db1-8de2-4e7d-8ba5-e0dd4f67740d} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+
| {83bc8af4-8802-4466-ae38-717f6474616a} | 1 | 2020-09-22 06:10:00 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {e668c329-66a2-4ebd-beef-3c6bca81cbf7} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+

streams
streams disk=0 volume=4 from=c:\test.pdf
Listing streams from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\test.pdf
[-] Record Num : 13525 (000034d5h)
[+] Alternate data stream(s):
+-----------------------------+
| Id | Name | Size |
+-----------------------------+
| 0 | Zone.Identifier | 27 |
+-----------------------------+

undelete
undelete disk=4 volume=1
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading $MFT record
[+] $MFT size : 256.00 KiBs (~256 records)
[+] Reading $BITMAP record
[+] $BITMAP size : 16.00 KiBs
[+] Searching deleted files
[+] Processed data size : 262144 (100%)
[+] Duration : 7ms

Deleted Files Found
-------------------

+---------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Flag | Filename | Size | Deletion Date | % Recoverable |
+---------------------------------------------------------------------------------------------------------------+
| 0 | 00000029 | | .\$RECYCLE.BIN\[...]\$RAV85W4.jpg | 5.10 KiBs | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+
| 1 | 00000035 | | .\$RECYCLE.BIN\[...]\$IAV85W4.jpg | 58.00 bytes | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+
undelete disk=4 volume=1 inode=41 output=restored_kitten.jpg
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading file record : 41
[+] Extracting $RAV85W4.jpg to restored_kitten.jpg
[+] 5219 bytes written

shell
shell disk=4 volume=1
disk4:volume1:> ls

Inode | Type | Name | Size | Creation Date | Attributes
---------------------------------------------------------------------------------------
4 | | $AttrDef | 2560 | 2020-02-26 16:35:29 | Hi Sy
8 | | $BadClus | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Bad | 536866816 | |
6 | | $Bitmap | 16384 | 2020-02-26 16:35:29 | Hi Sy
7 | | $Boot | 8192 | 2020-02-26 16:35:29 | Hi Sy
11 | DIR | $Extend | | 2020-02-26 16:35:29 | Hi Sy
2 | | $LogFile | 4341760 | 2020-02-26 16:35:29 | Hi Sy
0 | | $MFT | 262144 | 2020-02-26 16:35:29 | Hi Sy
1 | | $MFTMirr | 4096 | 2020-02-26 16:35:29 | Hi Sy
50 | DIR | $RECYCLE.BIN | | 2020-02-26 16:40:34 | Hi Sy
9 | | $Secure | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $SDS | 264200 | |
10 | | $UpCase | 131072 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Info | 32 | |
3 | | $Volume | 0 | 2020-02-26 16:35:29 | Hi Sy
5 | DIR | . | | 2020-02-26 16:35:29 | Hi Sy
85010 | | 7z1900-x64.exe | 1447178 | 2020-07-29 17:19:49 | Ar
| ADS | Zone.Identifier | 123 | |
42 | | hello.txt | 5 | 2020-02-26 21:27:33 | Ar
39 | | kitten1.jpg | 23486 | 2020-02-26 16:37:23 | Ar
| ADS | Zone.Identifier | 154 | |
40 | | kitten2.jpg | 79678 | 2020-02-26 16:37:55 | Ar
| ADS | Zone.Identifier | 303 | |
41 | | kitten3.jpg | 5219 | 2020-02-26 16:38:16 | Ar
| ADS | Zone.Identifier | 262 | |
36 | DIR | System Volume Information | | 2020-02-26 16:35:29 | Hi Sy

disk4:volume1:> pwd
\
disk4:volume1:> cat hello.txt
Hey !
disk4:volume1:> cat 7z1900-x64.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.7-zip.org/download.html
HostUrl=https://www.7-zip.org/a/7z1900-x64.exe

disk4:volume1:> exit

smart
smart disk=1
Version          : 1 revision 1
Type : SATA/IDE Master on primary channel
Capabilities : ATA, ATAPI, S.M.A.R.T

Status : Passed

-- Device ID
+---------------------------------------------------------------------------------------------------+
| Property | Value |
+---------------------------------------------------------------------------------------------------+
| General Configuration | 0040h |
| Number of Cylinders | 16383 |
| Reserved | c837h |
| Number Of Heads | 16 |
| Bytes Per Track | 0 |
| Bytes Per Sector | 0 |
| Sectors Per Track | 63 |
| Vendor Unique | |
| Seria Number | S2RBNX0H606448W |
| Buffer Type | 0 |
| Buffer Size | 0 |
| ECC Size | 0 |
| Firmware Revision | EMT02B6Q |
| Model Number | Samsung SSD 850 EVO 500GB |
| Maximum Number of Sectors On R/W | 32769 |
| Double Word IO | 16385 |
| Capabilities | Reserved : 0000h |
| | DMA Support : True |
| | LBA Support : True |
| | DisIORDY : True |
| | IORDY : True |
| | Requires ATA soft start : False |
| | Overlap Operation support: True |
| | Command Queue Support : False |
| | Interleaved DMA Support : False |
| Reserved1 | 4000h |
| PIO Timing | 512 |
| DMA Timing | 512 |
| Field Validity | CHS Number : True |
| | Cycle Number : True |
| | Ultra DMA : True |
| Current numbers of cylinders | 16383 |
| Current numbers of heads | 16 |
| Current numbers of sectors per track | 63 |
| Multiple Sector Setting | 16514064 |
| Total Number of Sectors Addressable (LBA) | 268435455 |
| Singleword DMA Transfer Support | 0 |
| Multiword DMA Transfer Support | Mode 0 (4.17Mb/s) |
| | Mode 1 (13.3Mb/s) |
| | Mode 2 (16.7Mb/s) |
| Advanced PIO Modes | 0003h |
| Minimum Multiword DMA Transfer Cycle Time per Word | 120 |
| Recommended Multiword DMA Transfer Cycle Time per Word | 120 |
| Minimum PIO Transfer Cycle Time (No Flow Control) | 120 |
| Minimum PIO Transfer Cycle Time (Flow Control) | 120 |
| ATA Support | ATA-2 |
| | ATA-3 |
| | ATA-4 |
| | ATA/ATAPI-5 |
| | ATA/ATAPI-6 |
| | ATA/ATAPI-7 |
| | ATA/ATAPI-8 |
| | ATA/ATAPI-9 |
| Ultra DMA Transfer Support | Mode 0 (16.7MB/s) |
| | Mode 1 (25.0MB/s) |
| | Mode 2 (33.3MB/s) |
| | Mode 3 (44.4MB/s) |
| | Mode 4 (66.7MB/s) |
| | Mode 5 (100.0MB/s) (selected) |
| | Mode 6 (133.0MB/s) |
+---------------------------------------------------------------------------------------------------+

-- Attributes
+-------------------------------------------------------------------------------------------------------------------+
| Index | Name | Flags | Raw | Value | Worst | Threshold | Status |
+-------------------------------------------------------------------------------------------------------------------+
| 05h | Reallocated Sector Count | 0033h | 000000000000h | 100 | 100 | 10 | Ok |
| 09h | Power-On Hours Count | 0032h | 000000008d54h | 92 | 92 | 0 | Ok |
| 0ch | Power Cycle Count | 0032h | 0000000000f5h | 99 | 99 | 0 | Ok |
| b1h | Wear Range Delta | 0013h | 00000000005eh | 95 | 95 | 0 | Ok |
| b3h | Used Reserved Block Count (Total) | 0013h | 000000000000h | 100 | 100 | 10 | Ok |
| b5h | Program Fail Count Total | 0032h | 000000000000h | 100 | 100 | 10 | Ok |
| b6h | Erase Fail Count | 0032h | 000000000000h | 100 | 100 | 10 | Ok |
| b7h | Sata Down Shift Error Count | 0013h | 000000000000h | 100 | 100 | 10 | Ok |
| bbh | Reported Uncorrectable Errors | 0032h | 000000000000h | 100 | 100 | 0 | Ok |
| beh | Temperature Difference From 100 | 0032h | 000000000020h | 68 | 50 | 0 | Ok |
| c3h | Hardware Ecc Recovered | 001ah | 000000000000h | 200 | 200 | 0 | Ok |
| c7h | Udma Crc Error Rate | 003eh | 000000000000h | 100 | 100 | 0 | Ok |
| ebh | Good Block Count And System Free Block Count | 0012h | 000000000071h | 99 | 99 | 0 | Ok |
| f1h | Lifetime Writes From Host Gib | 0032h | 00154bf298c9h | 99 | 99 | 0 | Ok |
+-------------------------------------------------------------------------------------------------------------------+



Metabadger - Prevent SSRF Attacks On AWS EC2 Via Automated Upgrades To The More Secure Instance Metadata Service V2 (IMDSv2)

20 October 2021 at 20:30
By: Zion3R


Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).


Metabadger

Purpose and functionality

  • Diagnose and evaluate your current usage of the AWS Instance Metadata Service along with understanding how the service works
  • Prepare you to upgrade to v2 of the Instance Metadata service to safeguard against v1 attack vectors
  • Give you the ability to specifically update your instances to only use IMDSv2
  • Give you the ability to disable the Instance Metadata service where you do not need it as a way to reduce attack surface

What is the AWS Instance Metadata Service?
  • The AWS metadata service gives code running on an instance access to instance details, including the instance role credentials and session token
  • Known SSRF vulnerabilities have been used to reach this service and pivot into the surrounding environment
  • Several well-publicised breaches involved this method: a vulnerable web app with access to the instance metadata service
  • An attacker who obtains credentials from the metadata service can use them outside of that particular instance

IMDSv2 and why it should be used
  • Ensure that instances use v2 of the metadata service at all times by making it a requirement in the instance's metadata configuration
  • IMDSv2 requires a session token, obtained with a PUT request carrying a mandatory request header, on every call to the metadata API; IMDSv1 performs no such check, which makes the service easier to exploit
  • The X-Forwarded-For header is not allowed in IMDSv2, so traffic relayed through a proxy cannot talk to the metadata service
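The checks above, as an added toy model (not Metabadger code) of an IMDSv1 endpoint next to an IMDSv2-only one: paths and header names are the documented IMDS ones, the status codes for a rejected token request (403 for a proxied request, 400 for a missing TTL header) are assumptions of this model, and the credential document is a constructed placeholder.

```python
"""Toy model of the IMDSv1 and IMDSv2 request checks (added example)."""
import secrets
import time

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TTL_SECONDS = 21600  # documented IMDSv2 maximum (six hours)

# Constructed sample: the path an instance role's credentials are served from,
# with placeholder values instead of real key material.
CREDS_PATH = "/latest/meta-data/iam/security-credentials/app-role"
SAMPLE_CREDS = {"AccessKeyId": "<placeholder>", "SecretAccessKey": "<placeholder>",
                "Token": "<placeholder>"}


def _lower(headers):
    return {k.lower(): v for k, v in (headers or {}).items()}


class ImdsV1:
    """IMDSv1 answers any plain GET: a component that can be pointed at an
    arbitrary URL is enough to read the role credentials."""

    def handle(self, method, path, headers=None):
        if method == "GET" and path == CREDS_PATH:
            return 200, SAMPLE_CREDS
        return 404, None


class ImdsV2:
    """IMDSv2 with HttpTokens=required: a session token must first be obtained
    with a PUT carrying the TTL header, then presented on every GET."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tokens = {}  # token -> expiry time

    def handle(self, method, path, headers=None):
        h = _lower(headers)
        if path == TOKEN_PATH:
            if method != "PUT":
                return 405, None
            # Token requests relayed through a proxy are refused outright.
            if "x-forwarded-for" in h:
                return 403, None  # assumed status; the rejection itself is documented
            ttl = h.get(TTL_HEADER, "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL_SECONDS:
                return 400, None  # assumed status for a missing or invalid TTL header
            token = secrets.token_urlsafe(32)
            self._tokens[token] = self._clock() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, None
        token = h.get(TOKEN_HEADER)
        if token is None or self._tokens.get(token, 0) <= self._clock():
            return 401, None  # documented: missing or invalid token
        if path == CREDS_PATH:
            return 200, SAMPLE_CREDS
        return 404, None


def url_only_fetch(imds, path):
    """A request where the caller controls only the URL (no method, no headers),
    which is all that most SSRF-prone components let an outsider influence."""
    return imds.handle("GET", path)[0]


def sdk_session_fetch(imds, path, ttl=300):
    """The two-step flow an AWS SDK performs on the instance itself."""
    status, token = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        return status
    return imds.handle("GET", path, {TOKEN_HEADER: token})[0]


def compare():
    """Status code each scenario produces against v1 and a v2-only endpoint."""
    v1, v2 = ImdsV1(), ImdsV2()
    return {
        "v1_url_only_get": url_only_fetch(v1, CREDS_PATH),
        "v2_url_only_get": url_only_fetch(v2, CREDS_PATH),
        "v2_token_via_proxy": v2.handle(
            "PUT", TOKEN_PATH, {TTL_HEADER: "60", "X-Forwarded-For": "203.0.113.5"})[0],
        "v2_token_without_ttl": v2.handle("PUT", TOKEN_PATH, {})[0],
        "v2_sdk_flow": sdk_session_fetch(v2, CREDS_PATH),
    }


if __name__ == "__main__":
    for scenario, status in compare().items():
        print(f"{scenario:22s} -> {status}")
```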

Problem Statement

Engineering teams may have a vast variety of compute infrastructure in AWS that they need to protect from certain vulnerabilities that leverage the metadata service. The metadata service is required to run on instances if any IAM is used or if there is any user data information the instance might need when it boots. Limiting the attack surface of your instances is crucial in preventing the ability to pivot in your environment by stealing information provided by the service itself. Numerous famous attacks in the past have leveraged this particular service to exploit a role that is attached to the instance or dump sensitive data that is accessible via the metadata service. Metabadger can help to identify where and how you are using the instance metadata service while also giving you the ability to reduce any unwanted attack leverage to lower your overall risk posture while operating in EC2.


Disclaimer and Rollback

Using this tool may impact your AWS compute infrastructure, as not all services and applications will work either without the metadata service or on version 2. Take caution when deploying this in your production environment and have a rollback plan in place in case something seems out of the ordinary. Metabadger comes with the built-in ability to roll back to the default version 1 of the service using the -v1 flag; you can use this to quickly roll your instances back to the default. Ideally, you should run this tool and update your metadata version in non-production environments as a proving ground before applying it.


Guided Steps for Hardening

Step 1

Initially, we want to discover our overall usage of the metadata service in a particular AWS region. Metabadger evaluates the current status of your usage in the region that your credentials in /.aws/credentials or the currently assumed role point to. You may also pass the --region flag to the discover-metadata command to target a different region than the one currently configured. Once you know which version your instances are running and whether the service is enabled or disabled, you can make a much more defined action plan for hardening the service. Note that AWS documents the specific meaning of every metadata option that can be set.

Step 2

One of the areas that should be evaluated when making the switch to v2 of the service is the use of IAM roles. Metabadger lets you identify instances in a region that may already be using an IAM role. The discover-role-usage command will output a list of instances that have roles attached to them. If you have a lot of instances using roles, you should take precaution when updating the service to v2 to ensure the overall functionality of your workloads does not become impacted.

Step 3

Upon completion of your initial discovery and evaluation, you can create a staged approach to hardening your compute infrastructure to use either v2 of the metadata service or to disable it where it is not used. The harden-metadata command updates all instances in a particular region by default. You can also pass instance tags using the --tags flag, or an input file containing a CSV of instances that you would like to apply a configuration to. Once you have made the appropriate updates to v2 and disabled the service where it is not used, re-evaluate using the items in Step 1 to confirm your environment is locked down. If you have certain instances that you don't want to update, you can exclude them via the --exclusion flag by tag or instance ID.


Requirements

Metabadger requires an IAM role or credentials with the following permissions:

ec2:ModifyInstanceAttribute
ec2:DescribeInstances

When making changes to the Instance Metadata service, you should be cautious and follow additional guidance from AWS on how to safely upgrade to version 2. Metabadger was designed to assist you with this process to further secure your compute infrastructure in AWS.

AWS Best Practice Guide on Updating to IMDSv2


Usage & Installation

Install via pip

pip3 install --user metabadger

Install via Github

$ git clone https://github.com/salesforce/metabadger
$ cd metabadger
$ pip install -e .

$ metabadger
Usage: metabadger [OPTIONS] COMMAND [ARGS]...

Metabadger is an AWS Security Tool used for discovering and hardening the
Instance Metadata service.

Options:
--version Show the version and exit.
--help Show this message and exit.

Commands:
disable-metadata Disable the IMDS service on EC2 instances
discover-metadata Discover summary of IMDS service usage within EC2
discover-role-usage Discover summary of IAM role usage for EC2
harden-metadata Harden the AWS instance metadata service from v1 to v2

Commands

discover-metadata

A summary of your overall instance metadata service usage including which version and an overall enforcement percentage. Using these numbers will help you understand the overall posture of how hardened your metadata usage is and where you're enforcing v2 vs v1.

Options:
-a, --all-region Provide a metadata summary for all available regions in the AWS account
-j, --json Get metadata summary in JSON format
-r, --region TEXT Specify which AWS region you will perform this command in
-p, --profile TEXT Specify the AWS IAM profile.

discover-role-usage

A summary of instances and the roles that they are using, this will give you a good idea of the caution you must take when making updates to the metadata service itself.

Options:
-p, --profile TEXT Specify the AWS IAM profile.
-r, --region TEXT Specify which AWS region you will perform this command in

harden-metadata

The ability to modify the instances to use either metadata v1 or v2 and to get an understanding of how many instances would be modified by running a dry run mode.

Options:
-e, --exclusion The exclusion flag will apply to everything besides what is specified, tags or instances
-d, --dry-run Dry run of hardening metadata changes
-v1, --v1 Enforces v1 of the metadata service
-i, --input-file PATH Path of csv file of instances to harden IMDS for
-t, --tags TEXT A comma separated list of tags to apply the hardening setting to
-r, --region TEXT Specify which AWS region you will perform this command in
-p, --profile TEXT Specify the AWS IAM profile.

disable-metadata

Use this command to completely disable the metadata service on instances.

Options:
-e, --exclusion The exclusion flag will apply to everything besides what is specified, tags or instances
-d, --dry-run Dry run of disabling the metadata service
-i, --input-file PATH Path of csv file of instances to disable IMDS for
-t, --tags TEXT A comma separated list of tags to apply the hardening setting to
-r, --region TEXT Specify which AWS region you will perform this command in
-p, --profile TEXT Specify the AWS IAM profile.

Logging

All changes made by Metabadger will be logged to a file saved in the working directory called metabadger.log. The file will include the following for every action that the tool takes when it changes the metadata service:

  • The time and date stamp for when a change was made
  • Change that occurred (disabled, hardened, or updated)
  • The instance ID where the change was made
  • Dry run information
  • A status on if the change was successful or not


Limelighter - A Tool For Generating Fake Code Signing Certificates Or Signing Real Ones

20 October 2021 at 11:30
By: Zion3R


A tool which creates spoof code signing certificates and signs binaries and DLL files to help evade EDR products and avoid MSS and SOC scrutiny. LimeLighter can also use valid code signing certificates to sign files. Limelighter can use a fully qualified domain name such as acme.com.


Contributing

LimeLighter was developed in Go.

Make sure that the following are installed on your OS

openssl
osslsigncode

The first step as always is to clone the repo. Before you compile LimeLighter you'll need to install the dependencies. To install them, run following commands:

go get github.com/fatih/color

Then build it

go build Limelighter.go

Usage
./LimeLighter -h       

.____ .__ .____ .__ .__ __
| | |__| _____ ____ | | |__| ____ | |___/ |_ ___________
| | | |/ \_/ __ \| | | |/ ___\| | \ __\/ __ \_ __ \
| |___| | Y Y \ ___/| |___| / /_/ > Y \ | \ ___/| | \/
|_______ \__|__|_| /\___ >_______ \__\___ /|___| /__| \___ >__|
\/ \/ \/ \/ /_____/ \/ \/
@Tyl0us


[*] A Tool for Code Signing... Real and fake
Usage of ./LimeLighter:
-Domain string
Domain you want to create a fake code sign for
-I string
Unsiged file name to be signed
-O string
Signed file name
-Password string
Password for real certificate
-Real string
Path to a valid .pfx certificate file
-Verify string
Verifies a file's code sign certificate
-debug
Print debug statements

To sign a file you can use the command option Domain to generate a fake code signing certificate.



To sign a file with a valid code signing certificate, use the Real and Password options.

To verify a signed file, use the Verify option.






LazyCSRF - A More Useful CSRF PoC Generator

19 October 2021 at 20:30
By: Zion3R


LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite.


Motivation

Burp Suite is an intercepting HTTP proxy, and it is the de facto tool for performing web application security testing. The feature of Burp Suite that I like the most is Generate CSRF PoC. However, this does not support JSON parameters. It also uses a <form>, so it cannot send PUT/DELETE requests. In addition, multibyte characters that display correctly in Burp itself are often garbled in the generated CSRF PoC. Those were the motivations for creating this extension.


Features
  • Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)
  • Support JSON parameter (like GraphQL Request)
  • Support PUT/DELETE (only work with CORS enabled with an unrestrictive policy)
  • Support displaying multibyte characters (like Japanese)
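Why the form-based PoC and the JSON/PUT PoC behave differently, and the server-side check that stops both, as an added model (not LazyCSRF code): the request and CORS-policy dicts are constructed for this example, and "reflect" stands for the unrestrictive policy that echoes whatever Origin it receives.

```python
"""Model of CORS 'simple' requests, preflight verdicts and a server-side CSRF guard
(added example; requests and policies are constructed dicts)."""

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def is_simple_request(method, content_type):
    """CORS 'simple' requests are sent cross-site with cookies and without a preflight.
    A <form> can only ever produce these, which is why a form-based PoC cannot send
    PUT/DELETE or an application/json body."""
    mime = content_type.split(";")[0].strip().lower()
    return method.upper() in SIMPLE_METHODS and mime in SIMPLE_CONTENT_TYPES


def preflight_allows(origin, method, cors_policy):
    """Browser verdict on the preflight for a credentialed (cookie-bearing) request.
    cors_policy models the server's answer: allow_origin is an exact origin, None,
    or 'reflect'; allow_credentials and allow_methods mirror the CORS headers."""
    allowed = cors_policy["allow_origin"]
    granted = origin if allowed == "reflect" else allowed
    return (granted == origin
            and cors_policy.get("allow_credentials", False)
            and method.upper() in cors_policy.get("allow_methods", set()))


def reaches_handler(req, cors_policy):
    """Does a cross-site request carrying the victim's cookies reach the endpoint?"""
    if is_simple_request(req["method"], req["content_type"]):
        return True  # no preflight: the server sees it regardless of its CORS policy
    return preflight_allows(req["origin"], req["method"], cors_policy)


def csrf_guard(req, site_origin):
    """Server-side check to run before any state-changing handler: require the
    browser-set Origin header and reject anything not from our own origin.
    Returns (allowed, reason)."""
    if req["method"].upper() in {"GET", "HEAD", "OPTIONS"}:
        return True, "safe method"
    origin = req.get("origin")
    if origin is None:
        return False, "Origin header missing"
    if origin != site_origin:
        return False, f"cross-site request from {origin}"
    return True, "same-origin"


# Constructed scenarios.
SITE = "https://app.example"
OTHER_SITE = "https://other-site.example"
FORM_POST = {"method": "POST", "origin": OTHER_SITE,
             "content_type": "application/x-www-form-urlencoded"}
JSON_PUT = {"method": "PUT", "origin": OTHER_SITE, "content_type": "application/json"}
STRICT_CORS = {"allow_origin": None, "allow_credentials": False, "allow_methods": set()}
LAX_CORS = {"allow_origin": "reflect", "allow_credentials": True,
            "allow_methods": {"GET", "POST", "PUT", "DELETE"}}


def scenarios():
    """Outcome of each PoC style against a strict and a lax server, plus the guard."""
    return {
        "form_post_reaches_strict_server": reaches_handler(FORM_POST, STRICT_CORS),
        "json_put_reaches_strict_server": reaches_handler(JSON_PUT, STRICT_CORS),
        "json_put_reaches_lax_server": reaches_handler(JSON_PUT, LAX_CORS),
        "form_post_passes_guard": csrf_guard(FORM_POST, SITE)[0],
        "json_put_passes_guard": csrf_guard(JSON_PUT, SITE)[0],
        "same_origin_put_passes_guard": csrf_guard({**JSON_PUT, "origin": SITE}, SITE)[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:34s} {outcome}")
```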

Difference in display of multibyte characters

The following image shows the difference in the display of multibyte characters between Burp's CSRF PoC generator and LazyCSRF. LazyCSRF generates the CSRF PoC without garbling multibyte characters that Burp itself displays correctly.



Installation

Download the jar from GitHub Releases. In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension. Select the extension type Java, and specify the location of the jar.


How to Build

intellij

If you use IntelliJ IDEA, you can build it by following Build -> Build Artifacts -> LazyCSRF:jar -> Build.


Command line

You can build it with maven.

$ mvn install

Usage

You can generate a CSRF PoC by selecting Extensions->Generate JSON CSRF PoC with Ajax or Generate POST PoC with Form from the menu that opens by right-clicking on Burp Suite.



LICENSE

MIT License

Copyright (C) 2021 tkmru



Karma_V2 - A Passive Open Source Intelligence (OSINT) Automated Reconnaissance (Framework)

19 October 2021 at 11:30
By: Zion3R

πš”πšŠπš›πš–πšŠ 𝚟𝟸 is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework)


πš”πšŠπš›πš–πšŠ 𝚟𝟸 can be used by Infosec Researchers, Penetration Testers, Bug Hunters to find deep information, more assets, WAF/CDN bypassed IPs, Internal/External Infra, Publicly exposed leaks and many more about their target. Shodan Premium API key is required to use this automation. Output from the πš”πšŠπš›πš–πšŠ 𝚟𝟸 is displayed to the screen and saved to files/directories.

Regarding Premium Shodan API, Please see the Shodan site for more information.

Shodan website: Shodan Website; API: Developer API


Features
  • Powerful and flexible results via Shodan Dorks
  • SSL SHA1 checksum/fingerprint Search
  • Only hit In-Scope IPs
  • Verify each IP with SSL/TLS certificate issuer match RegEx
  • Provide Out-Of-Scope IPs
  • Find out all ports including well known/uncommon/dynamic
  • Grab all targets vulnerabilities related to CVEs
  • Banner grab for each IP, Product, OS, Services & Org etc.
  • Grab favicon Icons
  • Generate Favicon Hash using python3 mmh3 Module
  • Favicon Technology Detection using nuclei custom template
  • ASN Scan
  • BGP Neighbour
  • IPv4 & IPv6 Prefixes for ASN
  • Interesting Leaks like Indexing, NDMP, SMB, Login, SignUp, OAuth, SSO, Status 401/403/500, VPN, Citrix, Jfrog, Dashboards, OpenFire, Control Panels, Wordpress, Laravel, Jetty, S3 Buckets, Cloudfront, Jenkins, Kubernetes, Node Exports, Grafana, RabbitMQ, Containers, GitLab, MongoDB, Elastic, FTP anonymous, Memcached, DNS Recursion, Kibana, Prometheus, Default Passwords, Protected Objects, Moodle, Spring Boot, Django, Jira, Ruby, Secret Key and many more...
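The favicon hash behind the http.favicon.hash dorks listed below, as an added example (not karma_v2 code): a dependency-free MurmurHash3 (x86, 32-bit) and the hash computed the way the widely published recipe does it, mmh3.hash(base64.encodebytes(favicon_bytes)), so you can fingerprint your own favicon and look for forgotten instances of it. The favicon bytes are constructed, not a real icon.

```python
"""MurmurHash3_x86_32 and the Shodan-style favicon hash (added example)."""
import base64

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def _mix_k(k):
    k = (k * 0xCC9E2D51) & MASK32
    k = _rotl32(k, 15)
    return (k * 0x1B873593) & MASK32


def murmurhash3_32(data: bytes, seed: int = 0, signed: bool = True) -> int:
    """MurmurHash3_x86_32. signed=True returns the same value as mmh3.hash()."""
    h = seed & MASK32
    n = len(data)
    for i in range(0, n - n % 4, 4):          # four-byte blocks, little-endian
        h ^= _mix_k(int.from_bytes(data[i:i + 4], "little"))
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[n - n % 4:]
    k = 0
    for j in range(len(tail) - 1, -1, -1):    # remaining 1-3 bytes
        k ^= tail[j] << (8 * j)
    if tail:
        h ^= _mix_k(k)
    h ^= n                                     # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h - (1 << 32) if signed and h & 0x80000000 else h


def shodan_favicon_hash(favicon: bytes) -> int:
    # encodebytes() wraps the base64 at 76 characters and appends a newline; the hash
    # is taken over that exact text, so a different encoder gives a different value.
    return murmurhash3_32(base64.encodebytes(favicon))


def favicon_dork(favicon: bytes) -> str:
    """Shodan query matching every host that serves this exact favicon, e.g. to
    inventory your own exposed admin panels or forgotten test instances."""
    return f"http.favicon.hash:{shodan_favicon_hash(favicon)}"


# Constructed stand-in for a favicon file (not a real icon).
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(256)) * 2

if __name__ == "__main__":
    print(favicon_dork(SAMPLE_FAVICON))
```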

Installation

1. Clone the repo
# git clone https://github.com/Dheerajmadhukar/karma_v2.git

2. Install shodan & mmh3 python module
# python3 -m pip install shodan mmh3

3. Install JSON Parser [JQ]
# apt install jq -y

4. Install httprobe @tomnomnom to probe the requests
# GO111MODULE=on go get -v github.com/tomnomnom/httprobe

5. Install Interlace @codingo to multithread [Follow the codingo interlace repo instructions]
# git clone https://github.com/codingo/Interlace.git
Then install it as described in the Interlace repo.

6. Install nuclei @projectdiscovery
# GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei

7. Install lolcat
# apt install lolcat -y

8. Install anew
# GO111MODULE=on go get -u github.com/tomnomnom/anew

Ok, how do I use it?
# cat > .token
SHODAN_PREMIUM_API_HERE

Usage

You can use this command to check help:

$ bash karma_v2 -h



MODEs
MODE Examples
-ip bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -ip
-asn bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -asn
-cve bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -cve
-favicon bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -favicon
-leaks bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -leaks
-deep bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -deep
-count bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -count

Demo
  • karma_v2 [mode -ip]
  • karma_v2 [mode -asn]
  • karma_v2 [mode -cve]
  • karma_v2 [mode -favicon]
  • karma_v2 [mode -leaks]


  • karma_v2 [mode -deep]

-deep support all the above modes e.g. -count,-ip,-asn,-favicon,-cve,-leaks !


Output
output/bugcrowd.com-YYYY-MM-DD/

.
├── ASNs_Detailed_bugcrowd.com.txt
├── Collect
│   ├── host_domain_domain.tld.json.gz
│   ├── ssl_SHA1_12289a814...83029f8944b6088d60204a92e_domain.tld.json.gz
│   ├── ssl_SHA1_17537bf84...73cb1d684a495db7ea5aa611b_domain.tld.json.gz
│   ├── ssl_SHA1_198d6d4ec...681b77585190078b07b37c5e1_domain.tld.json.gz
│   ├── ssl_SHA1_26a9c5618...d60eae2947b42263e154d203f_domain.tld.json.gz
│   ├── ssl_SHA1_3da3825a2...3b852a42470410183adc3b9ee_domain.tld.json.gz
│   ├── ssl_SHA1_4d0eab730...68cf11d2db94cc2454c906532_domain.tld.json.gz
│   ├── ssl_SHA1_8907dab4c...12fdbdd6c445a4a8152f6b7b7_domain.tld.json.gz
│   ├── ssl_SHA1_9a9b99eba...5dc5106cea745a591bf96b044_domain.tld.json.gz
│   ├── ssl_SHA1_a7c14d201...b6fd4bc4e95ab2897e6a0bsfd_domain.tld.json.gz
│   ├── ssl_SHA1_a90f4ddb0...85780bdb06de83fefdc8a612d_domain.tld.json.gz
│   ├── ssl_domain_domain.tld.json.gz
│   ├── ssl_subjectCN_domain.tld.json.gz
│   └── ssl_subject_domain.tld.json.gz
│   └── . . .
├── IP_VULNS
│   ├── 104.x.x.x.json.gz
│   ├── 107.x.x.x.json.gz
│   ├── 107.x.x.x.json.gz
│   └── 99.x.x.x.json.gz
│   └── . . .
├── favicons_domain.tld.txt
├── host_enum_domain.tld.txt
├── ips_inscope_domain.tld.txt
├── main_domain.tld.data
├── . . .

karma_v2 Newly Added Shodan Dorks
  • SonarQube
  • Apache hadoop node
  • Directory Listing
  • Oracle Business intelligence
  • Oracle Web Login
  • Docker Exec
  • Apache Status
  • Apache-Coyote/1.1 Tomcat-5.5
  • Swagger UI
  • H-SPHERE
  • Splunk
  • JBoss
  • phpinfo
  • ID_VC
  • Confluence
  • TIBCO_Jaspersoft
  • Shipyard_Docker_management
  • Symfony PHP info AWS creds
  • Ignored-by_CDNs
  • Django_Exposed
  • Cluster_Node_etcd
  • SAP_NetWeaver_Application

πš”πšŠπš›πš–πšŠ 𝚟𝟸 Supported Shodan Dorks
DORKs DORKs DORKs
ssl.cert.fingerprint http.status:"302" oauth "Server: Jetty"
ssl http.status:"302" sso X-Amz-Bucket-Region
org title:"401 Authorization Required" "development" org:"Amazon.com"
hostname http.html:"403 Forbidden" "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Jenkins [Jenkins]"
ssl.cert.issuer.cn http.html:"500 Internal Server Error" http.favicon.hash:81586312 200
ssl.cert.subject.cn ssl.cert.subject.cn:*vpn* product:"Kubernetes" port:"10250, 2379"
ssl.cert.expired:true title:"citrix gateway" port:"9100" http.title:"Node Exporter"
ssl.cert.subject.commonName http.html:"JFrog" http.title:"Grafana"
http.title:"Index of /" "X-Jfrog" http.title:"RabbitMQ"
ftp port:"10000" http.title:"dashboard" HTTP/1.1 307 Temporary Redirect "Location: /containers"
"Authentication: disabled" port:445 product:"Samba" http.title:"Openfire Admin Console" http.favicon.hash:1278323681
title:"Login - Adminer" http.title:"control panel" "MongoDB Server Information" port:27017 -authentication
http.title:"sign up" http.html:"* The wp-config.php creation script uses this file" port:"9200" all:"elastic indices"
http.title:"LogIn" clockwork "220" "230 Login successful." port:21
port:"11211" product:"Memcached" "port: 53" Recursion: Enabled title:"kibana"
port:9090 http.title:"Prometheus Time Series Collection and Processing Server" "default password" title:protected
http.component:Moodle http.favicon.hash:116323821 html:"/login/?next=" title:"Django"
html:"/admin/login/?next=" title:"Django" title:"system dashboard" html:jira http.component:ruby port:3000
html:"secret_key_base" I will add more soon . . .

πš”πšŠπš›πš–πšŠ 𝚟𝟸 Newly Added Shodan Dorks
DORKs DORKs DORKs
"netweaver" port:"2379" product:"etcd" http.title:"DisallowedHost"
ssl:"${target}" "-AkamaiGHost" "-GHost" ssl:"${target}" "-Cloudflare" ssl:"${target}" "-Cloudfront"
"X-Debug-Token-Link" port:443 http.title:"shipyard" HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 5664 http.title:"TIBCO Jaspersoft:" port:"443" "1970"
"Confluence" http.title:"SonarQube" html:"jmx?qry=Hadoop:*"
http.title:"Directory Listing" http.title:"H-SPHERE" http.title:"Swagger UI - "
Server: Apache-Coyote/1.1 Tomcat-5.5" port:2375 product:"Docker" http.title:"phpinfo()"
http.title:"ID_VC_Welcome" "x-powered-by" "jboss" jboss http.favicon.hash:-656811182
http.title:"Welcome to JBoss" port:"8089, 8000" "splunkd" http.favicon.hash:-316785925
title:"splunkd" org:"Amazon.com" http.title:"oracle business intelligence sign in" http.title:"Oracle WebLogic Server Administration Console"
http.title:"Apache Status" I will add more soon . . .



Inceptor - Template-Driven AV/EDR Evasion Framework

18 October 2021 at 20:30
By: Zion3R


Modern penetration testing and red teaming often require bypassing common AV/EDR appliances in order to execute code on a target. Over time, defenses are becoming more complex and inherently more difficult to bypass consistently.

Inceptor is a tool which can help to automate great part of this process, hopefully requiring no further effort.


Features

Inceptor is a template-based PE packer for Windows, designed to help penetration testers and red teamers to bypass common AV and EDR solutions. Inceptor has been designed with a focus on usability, and to allow extensive user customisation.

For a good overview of what was implemented and why, it might be useful to take a look at the following resources:


Shellcode Transformation/Loading

Inceptor is able to convert existing EXE/DLL into shellcode using various open-source converters:

  • Donut: Donut is "The Converter". This tool is more like a piece of art by TheWover, and can be used to transform Native binaries, DLL, and .Net binaries into position independent code shellcode.
  • sRDI: By Monoxgas, this tool can convert an existing native DLL into PIC, which can then be injected as regular shellcode.
  • Pe2Sh: By Hasherazade, this tool can convert an existing native EXE into PIC shellcode, which can also be run as a normal EXE.

LI Encoders vs LD Encoders

Inceptor can encode, compress, or encrypt shellcode using different means. While developing the tool, I started differentiating between what I call loader-independent (LI) encoding, and loader-dependent (LD) encoding.

Loader-independent encoding is a type of encoding not managed by the template chosen by the user (loader). This usually means that the decoding stub is not part of the template, but embedded in the shellcode itself. Inceptor offers this kind of feature using the open-source tool sgn, which is used to make the payload polymorphic and undetectable using common signature detection.

Strong as it is, Shikata-Ga-Nai is not really suitable for certain templates. For this reason, Inceptor also implements loader-dependent encoders, which are designed to let the loader take care of the decoding. As such, LD encoders install the decoding stub directly in the template. These encoders, as implemented within Inceptor, are also "chainable", meaning they can be chained together to encode a payload.

While using a chain of encoders can sometimes improve the obfuscation of a given payload, this technique can also expose multiple decoding routines, which can help Defenders to design signatures against them. For this reason, Inceptor offers multiple ways to obfuscate the final artifacts, hardening the RE process.

At the time of writing, the public version of Inceptor has been provided with the following encoders/compressors/encryptors:

  • Native
    • Xor
    • Nop (Insertion)
  • .NET
    • Hex
    • Base64
    • Xor
    • Nop (Insertion)
    • AES
    • Zlib
    • RLE
  • PowerShell
    • Hex
    • Base64
    • Xor
    • Nop (Insertion)
    • AES

Inceptor can validate an encoding chain both statically and dynamically, statically checking the decoders' input/output types, and also dynamically verifying the implementation with an independent implementation.

At any time, a user can easily validate a chain using the chain-validate.py utility.


AV Evasion Mechanisms

Inceptor also natively implements AV Evasion mechanisms, and as such, it offers the possibility to include AV evasion features to the payload in the form of "modules" (plugins).

The plugins which can be embedded are:

  • AMSI bypass
  • WLDP bypass
  • ETW bypass
  • Sandbox (Behavioural) Deception

EDR Evasion Mechanisms

Inceptor also implements EDR Evasion mechanisms, such as full unhooking, direct syscall invocation and manual DLL mapping. Direct Syscalls are implemented in C# using the outstanding "DInvoke" project, again by TheWover. In C/C++, Syscalls are implemented using SysWhispers and SysWhispers2 projects, by Jackson_T. In addition, Inceptor has built-in support for x86 Syscalls as well.

As the AV bypass features, these features can be enabled as modules, with the only difference that they require operating on a template which supports them. The techniques implemented so far are:

  • Full Unhooking
  • Manual DLL Mapping
  • Direct Syscalls

Obfuscation

Inceptor supports payload obfuscation using external utilities such as ConfuserEx and Chameleon, and provides support for C/C++ obfuscation using LLVM-Obfuscator, an IR-based obfuscator built on the LLVM compilation platform.

  • PowerShell
  • C#
  • C/C++

Code Signing

Another feature of Inceptor is that it can code sign the resulting binary/DLL using the tool CarbonCopy. Usually, files signed with code signing certificates are less strictly analysed, and many anti-malware products don't validate/verify these certificates.


Workflow

The full workflow can be summarized in the following high-level, and simplified scheme:



Installation

Inceptor has been designed to work on Windows. The update-config.py utility can locate the required Microsoft binaries and update the configuration accordingly. It might be necessary to install Microsoft Build Tools, the Windows SDK and Visual Studio; update-config.py will guide the user through installing the required dependencies.

git clone --recursive https://github.com/klezVirus/inceptor.git
cd inceptor
virtualenv venv
venv\Scripts\activate.bat
pip install -r requirements.txt
cd inceptor
python update-config.py

Useful Notes

Default Loaders

The current version of Inceptor locates a specific template using a simple naming convention (don't change template names) and the set of arguments given by the user. Among the arguments there is also the loader (-t). If not specified, the loader is picked as a function of the file to pack, following this simple scheme:

$ python inceptor.py -hh

[*] Default Loaders
+---+----------------------+-------------------+-------------------+----------------+------------------+
|   | Input File Extension | Special Condition | Guessed Filetype  | Default Loader | Default Template |
+---+----------------------+-------------------+-------------------+----------------+------------------+
| 0 | .raw                 | NaN               | Shellcode         | Simple Loader  | Classic          |
| 1 | .exe                 | .NET              | Dotnet Executable | Donut          | Classic          |
| 2 | .exe                 | NaN               | Native Executable | Pe2Shellcode   | PE Load          |
| 3 | .dll                 | NaN               | Native Library    | sRDI           | Classic          |
+---+----------------------+-------------------+-------------------+----------------+------------------+

Template name convention

It is also very important to understand the template name convention, to avoid misinterpreting an artifact's behaviour.

  • Classic: a classic template usually means it uses the VirtualAlloc/VirtualAllocEx and CreateThread/CreateRemoteThread API to allocate and execute arbitrary code
  • Dinvoke: if a template contains only dinvoke (e.g. classic-dinvoke.cs), it means it uses the dynamic function resolution feature of dinvoke
  • dinvoke-subtechnique: a template containing dinvoke followed by another keyword is using a particular feature of dinvoke, like manual_mapping, overload_mapping, or syscalls
  • Syscalls: as the name suggests, this template is using syscalls
  • PE Load: this template tries to map a full PE into memory, without transforming it
  • Assembly Load: this template tries to execute a .NET assembly using reflection

Usage
$ usage: inceptor.py [-h] [-hh] [-Z] {native,dotnet,powershell} ...

inceptor: A Windows-based PE Packing framework designed to help
Red Team Operators to bypass common AV and EDR solutions

positional arguments:
{native,dotnet,powershell}
native Native Binaries Generator
dotnet .NET Binaries Generator
powershell PowerShell Wrapper Scripts Generator

optional arguments:
-h, --help show this help message and exit
-hh Show functional table
-Z, --check Check file against ThreatCheck

Next Developments
  • New Template Engine
  • New Templates
  • New Encoders
  • C# Code-Based obfuscation

Resources


ImpulsiveDLLHijack - C# Based Tool Which Automates The Process Of Discovering And Exploiting DLL Hijacks In Target Binaries

18 October 2021 at 11:30
By: Zion3R


C# based tool which automates the process of discovering and exploiting DLL hijacks in target binaries. The hijacked paths discovered can later be weaponized during red team operations to evade EDRs.


1. Methodological Approach :

The tool basically acts on automating following stages performed for DLL Hijacking:

  • Discovery - Finding Potentially Vulnerable DLL Hijack paths
  • Exploitation - Confirming whether the Confirmatory DLL was loaded from the hijacked path, which confirms a 100% exploitable DLL hijack!

Discovery Methodology :

  • Provide Target binary path to ImpulsiveDLLHijack.exe
  • Automation of ProcMon along with execution of the Target binary to find potentially vulnerable DLL hijackable paths.

Exploitation Methodology :

  • Parse Potentially Vulnerable DLL Hijack paths from CSV generated automatically via ProcMon.

  • Copy the Confirmatory DLL (as per the PE architecture) to the hijack paths one by one and execute the Target Binary for predefined time period simultaneously.

  • As the DLL hijacking process is in progress following are the outputs which can be gathered from the Hijack Scenario:

    • If the Confirmatory DLL placed on the potentially vulnerable hijackable path is loaded by the Target Binary, the console reports that the DLL hijack was successful - DLL Hijack Successful -> DLLName: | <Target_binary_name>
    • If the Confirmatory DLL placed on the potentially vulnerable hijackable path is not loaded by the Target Binary, the console reports that the DLL hijack was unsuccessful - DLL Hijack Unsuccessful -> <DLL_Path>

    Entry Point Not Found Scenarios:

    • If the Confirmatory DLL placed on the potentially vulnerable hijackable path is not loaded by the Target Binary because the entry point it expects differs from our default entry point "DllMain" (an "Entry Point Not Found" error is thrown), the console reports that the path would be hijackable with the correct entry point -> DLL Hijack Successful -> [Entry Point Not Found - Manual Analysis Required!]: <Hijack_path>
    • If the Confirmatory DLL placed on the potentially vulnerable hijackable path is executed by the Target Binary even though the entry point differs from our default "DllMain" (an "Entry Point Not Found" error is still thrown), the console reports that the hijack succeeded despite the incorrect entry point -> DLL Hijack Successful -> [Entry Point Not Found]: <Hijack_path>

Note: The "Entry Point Not Found" error is handled programmatically by the code, so there is no need to close the MsgBox manually :) Otherwise it would crash the code further on.

  • Once the DLL Hijacking process is completed for every Potentially Vulnerable DLL Hijack path we get the final output on the console as well as in a text file (C:\DLLLogs\output_logs.txt) in the following format:

    • <DLLHijack_path> --> DLL Hijack Successful (if the Hijack was successful)
    • <DLLHijack_path> --> DLL Hijack Unuccessful (if the Hijack was unsuccessful)
    • <DLLHijack_path> --> DLL Hijack Successful [Entry Point Not Found - Manual Analysis Required] (if the Entry point was not found but can be successful after manual analysis)
    • <DLLHijack_path> --> DLL Hijack Successful [Entry Point Not Found] (if the hijack was successful even after the entry point was not found)
    • <DLLHijack_path> --> Copy: Access to Path is Denied (Access denied)

These confirmed DLL hijackable paths can later be weaponized during a Red Team engagement to load a malicious DLL implant via a legitimate executable (such as OneDrive, Firefox, MSEdge, "Bring your own LOLBINs", etc.) and bypass state-of-the-art EDRs, most of which fail to detect DLL hijacking, as assessed by George Karantzas and Constantinos Patsakis in their research paper: https://arxiv.org/abs/2108.10422
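The potentially vulnerable hijack paths that the steps above copy the Confirmatory DLL into come from the discovery stage: every path the Target Binary probed for a DLL and got NAME NOT FOUND, up to the point where the DLL was finally found. The Python script below pulls those candidates out of a Procmon CSV export (File > Save, CSV format). It is an added example, not part of ImpulsiveDLLHijack; the trace rows are constructed for this example, the column names are Procmon's default export columns, and the writable-directory prefixes are an assumption that must be verified on the real host before a DLL is copied there.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample of a Procmon CSV export. The column names are Procmon's
# default export columns; the events are made up for this example and do not
# come from a real OneDrive trace.
ONEDRIVE_DIR = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive"
SYSTEM32 = "C:\\Windows\\System32"


def _row(process, operation, path, result, detail="Desired Access: Read Attributes"):
    return f'"10:00:01","{process}","4242","{operation}","{path}","{result}","{detail}"'


SAMPLE_PROCMON_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    # VERSION.dll: missed in the application directory, then found in System32
    _row("OneDrive.exe", "CreateFile", ONEDRIVE_DIR + "\\VERSION.dll", "NAME NOT FOUND"),
    _row("OneDrive.exe", "CreateFile", SYSTEM32 + "\\VERSION.dll", "SUCCESS"),
    _row("OneDrive.exe", "Load Image", SYSTEM32 + "\\VERSION.dll", "SUCCESS", "Image Base: 0x7ff8a0000000"),
    # cscapi.dll: never found anywhere, so every probed path is a candidate
    _row("OneDrive.exe", "CreateFile", ONEDRIVE_DIR + "\\cscapi.dll", "NAME NOT FOUND"),
    _row("OneDrive.exe", "CreateFile", SYSTEM32 + "\\cscapi.dll", "NAME NOT FOUND"),
    # noise: a non-DLL miss, another process, and a DLL found on the first probe
    _row("OneDrive.exe", "CreateFile", ONEDRIVE_DIR + "\\settings.json", "NAME NOT FOUND"),
    _row("explorer.exe", "CreateFile", "C:\\Users\\alice\\AppData\\Local\\Temp\\foo.dll", "NAME NOT FOUND"),
    _row("OneDrive.exe", "CreateFile", SYSTEM32 + "\\kernel32.dll", "SUCCESS"),
]) + "\n"


def candidate_hijack_paths(csv_text, target_exe):
    """Map each DLL the target probed to the NAME NOT FOUND paths that come
    before the first SUCCESS in its search order. A DLL that is never found
    (cscapi.dll above) is the strongest candidate: the binary keeps looking.
    """
    probes = OrderedDict()  # dll name -> [(path, result)] in event order
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != target_exe.lower():
            continue
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        path = row["Path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll"):
            continue
        probes.setdefault(name, []).append((path, row["Result"]))

    candidates = OrderedDict()
    for name, events in probes.items():
        misses = []
        for path, result in events:
            if result == "SUCCESS":
                break  # resolved here; later probes are not part of the search
            if result == "NAME NOT FOUND" and path not in misses:
                misses.append(path)
        if misses:
            candidates[name] = misses
    return candidates


def writable_candidates(candidates, writable_prefixes):
    """Keep only paths under directories the current user can write to.
    The prefixes are an assumption of this example; confirm them with icacls
    on the real box before copying a confirmatory DLL there.
    """
    prefixes = tuple(p.lower() for p in writable_prefixes)
    out = OrderedDict()
    for name, paths in candidates.items():
        hits = [p for p in paths if p.lower().startswith(prefixes)]
        if hits:
            out[name] = hits
    return out


if __name__ == "__main__":
    found = candidate_hijack_paths(SAMPLE_PROCMON_CSV, "OneDrive.exe")
    for dll, paths in writable_candidates(found, ["C:\\Users\\alice\\"]).items():
        print(dll, "->", paths)
```

For a real export, read the file with encoding="utf-8-sig" if it starts with a byte-order mark and pass the text to candidate_hijack_paths; the paths it returns are the ones worth copying the confirmatory DLL into, and kernel32.dll-style hits that resolve on the first probe are dropped because there is nothing earlier in the search order to plant a file in.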


2. Prerequisites:
  • Procmon.exe -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
  • Custom Confirmatory DLLs:
    • These are DLL files which let the tool confirm whether a DLL is successfully loaded from the identified hijack path
    • Compiled from the MalDLL project provided above (or use the precompiled binaries if you trust me!)
    • The 32-bit DLL must be named maldll32.dll
    • The 64-bit DLL must be named maldll64.dll
  • Install the NuGet package PeNet -> https://www.nuget.org/packages/PeNet/ (prerequisite for compiling the ImpulsiveDLLHijack project)

Note: The first two prerequisites (Procmon.exe and the Confirmatory DLLs) must be placed in the same directory as ImpulsiveDLLHijack.exe.

  • Build and Setup Information:

    • ImpulsiveDLLHijack

      • Clone the repository in Visual Studio
      • Once the project is loaded in Visual Studio go to "Project" --> "Manage NuGet packages" --> browse for packages and install "PeNet" -> https://www.nuget.org/packages/PeNet/
      • Build the project!
      • ImpulsiveDLLHijack.exe will be in the bin directory.
    • And for the Confirmatory DLLs:

      • Clone the repository in Visual Studio
      • Build the project for both x86 and x64
      • Rename the x86 release as maldll32.dll and the x64 release as maldll64.dll
    • Setup: Copy the Confirmatory DLLs (maldll32 & maldll64) into the ImpulsiveDLLHijack.exe directory & then execute ImpulsiveDLLHijack.exe :))


3. Usage:



4. Examples:
  • Target Executable: OneDrive.exe

  • Stage: Discovery

  • Stage: Exploitation

    • Successful DLL Hijacks:



    • Unsuccessful DLL Hijacks:



    • DLL is not loaded as the entry point is not identical! Manual Analysis might make it a successful DLL Hijack :)



    • DLL Hijack successful even after unidentical entry point!



  • Stage: Final Results and Logs

    • C:\DLLLogs\output_logs.txt:



Thank you, feedback would be greatly appreciated! - knight!



Fapro - Free, Cross-platform, Single-file mass network protocol server simulator

17 October 2021 at 20:30
By: Zion3R


FaPro is a Fake Protocol Server tool that can easily start or stop multiple network services.

The goal is to support as many protocols as possible, and support as many deep interactions as possible for each protocol.


Features
  • Supported Running Modes:
    • Local Machine
    • Virtual Network
  • Supported Protocols:
    • DNS
    • DCE/RPC
    • EIP
    • Elasticsearch
    • FTP
    • HTTP
    • IEC 104
    • Memcached
    • Modbus
    • MQTT
    • MySQL
    • RDP
    • Redis
    • S7
    • SMB
    • SMTP
    • SNMP
    • SSH
    • Telnet
    • VNC
    • IMAP
    • POP3
  • Use TcpForward to forward network traffic
  • Support tcp syn logging

Protocol simulation demos

RDP

Support CredSSP NTLMv2 NLA authentication.

Support configuring the image displayed when a user logs in.


SSH

Support user login.

Support fake terminal commands, such as id, uid, whoami, etc.

Account format: username:password:home:uid


IMAP & SMTP

Support user login and interaction.



MySQL

Support SQL statement query interaction.



HTTP

Support website cloning. You need to install the Chrome browser and chromedriver for it to work.


Quick Start

Generate Config

The configuration for all protocols and parameters is generated by the genConfig subcommand.

Use 172.16.0.0/16 subnet to generate the configuration file:

fapro genConfig -n 172.16.0.0/16 > fapro.json

Or use local address instead of the virtual network:

fapro genConfig > fapro.json

Run the protocol simulator

Run FaPro in verbose mode and start the web service on port 8080:

fapro run -v -l :8080

Tcp syn logging

For Windows users, please install WinPcap or Npcap.


Log analysis

Use ELK to analyze protocol logs:



Configuration

This section contains the sample configuration used by FaPro.

{
    "version": "0.38",
    "network": "127.0.0.1/32",
    "network_build": "localhost",
    "storage": null,
    "geo_db": "/tmp/geoip_city.mmdb",
    "hostname": "fapro1",
    "use_logq": true,
    "cert_name": "unknown",
    "syn_dev": "any",
    "exclusions": [],
    "hosts": [
        {
            "ip": "127.0.0.1",
            "handlers": [
                {
                    "handler": "dcerpc",
                    "port": 135,
                    "params": {
                        "accounts": [
                            "administrator:123456"
                        ],
                        "domain_name": "DESKTOP-Q1Test"
                    }
                }
            ]
        }
    ]
}
  • version: Configuration version.
  • network: The subnet used by the virtual network, or the address bound on the local machine (Local mode).
  • network_build: Network mode (supported values: localhost, all, userdef)
    • localhost: Local mode, all services listen on the local machine
    • all: Create all hosts in the subnet (i.e., every host in the subnet can be pinged)
    • userdef: Create only the hosts specified in the hosts configuration.
  • storage: Specify the storage used for log collection; sqlite, mysql and elasticsearch are supported (the example below uses an Elasticsearch URL of the form es://<url>).
  • geo_db: Path to a MaxMind GeoIP2 database file, used to add IP geolocation information to the logs. If you use Elasticsearch storage this field is not needed: the location is generated automatically by Elasticsearch's geoip processor.
  • hostname: Specify the host field in the log.
  • use_logq: Use a local on-disk message queue to buffer logs before sending them to remote MySQL or Elasticsearch, so that logs are not lost when the remote is unavailable.
  • cert_name: Common name of the generated certificate.
  • syn_dev: Specify the network interface used to capture TCP SYN packets. If empty, SYN packets are not recorded. On Windows the device name looks like "\Device\NPF_{xxxx-xxxx}".
  • exclusions: Remote IPs to exclude from the logs.
  • hosts: Each item is a host configuration.
  • handlers: Service configuration for the host; each item is one service.
  • handler: Service name (i.e., protocol name)
  • params: Set the parameters supported by the service.

Example

Create a virtual network with subnet 172.16.0.0/24 containing 2 hosts: 172.16.0.3 runs the dns and ssh services, 172.16.0.5 runs the rpc and rdp services, protocol access logs are saved to Elasticsearch, and access from 127.0.0.1 is excluded from the logs.

{
    "version": "0.38",
    "network": "172.16.0.0/24",
    "network_build": "userdef",
    "storage": "es://http://127.0.0.1:9200",
    "use_logq": true,
    "cert_name": "unknown",
    "syn_dev": "any",
    "geo_db": "",
    "exclusions": ["127.0.0.1"],
    "hosts": [
        {
            "ip": "172.16.0.3",
            "handlers": [
                {
                    "handler": "dns",
                    "port": 53,
                    "params": {
                        "accounts": [
                            "admin:123456"
                        ],
                        "appname": "domain"
                    }
                },
                {
                    "handler": "ssh",
                    "port": 22,
                    "params": {
                        "accounts": [
                            "root:5555555:/root:0"
                        ],
                        "prompt": "$ ",
                        "server_version": "SSH-2.0-OpenSSH_7.4"
                    }
                }
            ]
        },
        {
            "ip": "172.16.0.5",
            "handlers": [
                {
                    "handler": "dcerpc",
                    "port": 135,
                    "params": {
                        "accounts": [
                            "administrator:123456"
                        ],
                        "domain_name": "DESKTOP-Q1Test"
                    }
                },
                {
                    "handler": "rdp",
                    "port": 3389,
                    "params": {
                        "accounts": [
                            "administrator:123456"
                        ],
                        "auth": false,
                        "domain_name": "DESKTOP-Q1Test",
                        "image": "rdp.jpg",
                        "sec_layer": "auto"
                    }
                }
            ]
        }
    ]
}
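Configs like the two above are usually hand-edited, and a stray trailing comma left behind in an accounts list is rejected by a strict JSON parser. The Python below is an added example, not FaPro code: it parses a config strictly and runs a few sanity checks before the file is handed to fapro run. The checks are this example's own rules (every host IP sits inside "network", no two handlers on a host claim the same port, ssh accounts follow the username:password:home:uid format documented above), and the constructed config, its hosts, ports, accounts and storage URL are assumptions made up for the example.

```python
import copy
import ipaddress
import json

NETWORK_BUILD_MODES = ("localhost", "all", "userdef")

# Constructed FaPro-style config for a two-host virtual network. The field
# names are the ones documented on this page; the hosts, ports, accounts and
# storage URL are made up for this example.
SAMPLE_CONFIG = {
    "version": "0.38",
    "network": "172.16.0.0/24",
    "network_build": "userdef",
    "storage": "es://http://127.0.0.1:9200",
    "use_logq": True,
    "cert_name": "unknown",
    "syn_dev": "any",
    "geo_db": "",
    "exclusions": ["127.0.0.1"],
    "hosts": [
        {"ip": "172.16.0.3", "handlers": [
            {"handler": "ssh", "port": 22,
             "params": {"accounts": ["root:5555555:/root:0"], "prompt": "$ "}},
            {"handler": "dns", "port": 53, "params": {}},
        ]},
        {"ip": "172.16.0.5", "handlers": [
            {"handler": "rdp", "port": 3389,
             "params": {"accounts": ["administrator:123456"], "auth": False}},
        ]},
    ],
}


def parse_config(text):
    """Parse config text strictly; returns (config, None) or (None, error).

    JSON has no trailing commas, so a hand-edited accounts list such as
    ["administrator:123456",] is rejected here instead of at startup.
    """
    try:
        return json.loads(text), None
    except json.JSONDecodeError as e:
        return None, f"line {e.lineno} col {e.colno}: {e.msg}"


def validate_config(cfg):
    """Return a list of problems; an empty list means every check passed.

    These are this example's own sanity rules, not checks FaPro performs.
    """
    problems = []
    try:
        net = ipaddress.ip_network(cfg["network"], strict=False)
    except (KeyError, ValueError) as e:
        return [f"network: {e}"]

    mode = cfg.get("network_build")
    if mode not in NETWORK_BUILD_MODES:
        problems.append(f"network_build {mode!r} is not one of {NETWORK_BUILD_MODES}")
    if mode == "userdef" and not cfg.get("hosts"):
        problems.append("network_build is userdef but no hosts are listed")

    for ex in cfg.get("exclusions", []):
        try:
            ipaddress.ip_address(ex)
        except ValueError:
            problems.append(f"exclusions: {ex!r} is not an IP address")

    bound = set()  # (host ip, port) pairs already claimed by a handler
    for host in cfg.get("hosts", []):
        ip = host.get("ip")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"host ip {ip!r} is not an IP address")
            continue
        if addr not in net:
            problems.append(f"host {ip} is outside network {net}")
        for h in host.get("handlers", []):
            name, port = h.get("handler"), h.get("port")
            if not isinstance(port, int) or not 1 <= port <= 65535:
                problems.append(f"host {ip}: handler {name!r} has bad port {port!r}")
            elif (ip, port) in bound:
                problems.append(f"host {ip}: port {port} is bound by more than one handler")
            bound.add((ip, port))
            # the page documents ssh accounts as username:password:home:uid
            if name == "ssh":
                for acct in h.get("params", {}).get("accounts", []):
                    if len(acct.split(":")) != 4:
                        problems.append(
                            f"host {ip}: ssh account {acct!r} must be username:password:home:uid")
    return problems


def broken_config_problems():
    """Break a copy of SAMPLE_CONFIG three ways and return what the validator reports."""
    bad = copy.deepcopy(SAMPLE_CONFIG)
    bad["hosts"][0]["ip"] = "10.0.0.9"                                    # outside 172.16.0.0/24
    bad["hosts"][0]["handlers"][1]["port"] = 22                            # dns collides with ssh
    bad["hosts"][0]["handlers"][0]["params"]["accounts"] = ["root:toor"]  # missing home and uid
    return validate_config(bad)


if __name__ == "__main__":
    print("sample config problems:", validate_config(SAMPLE_CONFIG))
    for problem in broken_config_problems():
        print("problem:", problem)
```

Run it against fapro.json by reading the file, passing the text to parse_config and then the resulting dict to validate_config; a host listed outside the subnet is the mistake most worth catching early, since in userdef mode that host will simply never answer.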

FAQ

We have collected some frequently asked questions. Before reporting an issue, please search if the FAQ has the answer to your problem.


Contributing
  • Issues are welcome.


DorkScout - Golang Tool To Automate Google Dork Scan Against The Entiere Internet Or Specific Targets

17 October 2021 at 11:30
By: Zion3R


dorkscout is a tool to automate the discovery of vulnerable applications or secret files around the internet through Google searches. dorkscout first fetches the dork lists from https://www.exploit-db.com/google-hacking-database and then scans a given target, or everything it finds.


Installation

dorkscout can be installed in different ways:


Go Packages

through Go packages (the Go package manager)

go get github.com/R4yGM/dorkscout

this works on every platform


Docker

if you don't have Docker installed you can follow their guide

first of all you have to pull the Docker image (only 17.21 MB) from the Docker registry; you can see it here

docker pull r4yan/dorkscout:latest

if you don't want to pull the image you can also download or copy the dorkscout Dockerfile, which can be found here, and build the image from it

then, to launch the container, you first have to create a volume to share your files with the container

docker volume create --name dorkscout_data

when you launch the container with Docker it will automatically install the dork lists inside a directory called "dorkscout":

-rw-r--r-- 1 r4yan r4yan   110 Jul 31 14:56  .dorkscout
-rw-r--r-- 1 r4yan r4yan 79312 Aug 10 20:30 'Advisories and Vulnerabilities.dorkscout'
-rw-r--r-- 1 r4yan r4yan 6352 Jul 31 14:56 'Error Messages.dorkscout'
-rw-r--r-- 1 r4yan r4yan 38448 Jul 31 14:56 'Files Containing Juicy Info.dorkscout'
-rw-r--r-- 1 r4yan r4yan 17110 Jul 31 14:56 'Files Containing Passwords.dorkscout'
-rw-r--r-- 1 r4yan r4yan 1879 Jul 31 14:56 'Files Containing Usernames.dorkscout'
-rw-r--r-- 1 r4yan r4yan 5398 Jul 31 14:56 Footholds.dorkscout
-rw-r--r-- 1 r4yan r4yan 5568 Jul 31 14:56 'Network or Vulnerability Data.dorkscout'
-rw-r--r-- 1 r4yan r4yan 49048 Jul 31 14:56 'Pages Containing Login Portals.dorkscout'
-rw-r--r-- 1 r4yan r4yan 16112 Jul 31 14:56 'Sensitive Directories.dorkscout'
-rw-r--r-- 1 r4yan r4yan 451 Jul 31 14:56 'Sensitive Online Shopping Info.dorkscout'
-rw-r--r-- 1 r4yan r4yan 29938 Jul 31 14:56 'Various Online Devices.dorkscout'
-rw-r--r-- 1 r4yan r4yan 2802 Jul 31 14:56 'Vulnerable Files.dorkscout'
-rw-r--r-- 1 r4yan r4yan 4925 Jul 31 14:56 'Vulnerable Servers.dorkscout'
-rw-r--r-- 1 r4yan r4yan 8145 Jul 31 14:56 'Web Server Detection.dorkscout'

so that you don't have to install them; then you can start scanning by running:

docker run -v dorkscout_data:/dorkscout r4yan/dorkscout scan <options>

replace <options> with the options/arguments you want to give to dorkscout, for example:

docker run -v dorkscout_data:/dorkscout r4yan/dorkscout scan -d="/dorkscout/Sensitive Online Shopping Info.dorkscout" -H="/dorkscout/a.html"

If you want to scan through a proxy using a Docker container you have to add the --net host option, for example:

docker run --net host -v dorkscout_data:/dorkscout r4yan/dorkscout scan -d="/dorkscout/Sensitive Online Shopping Info.dorkscout" -H="/dorkscout/a.html" -x socks5://127.0.0.1:9050

Always save your results inside the volume and not in the container, otherwise the results are deleted when the container exits! You can save them by writing to the same volume path as the directory you are saving the results to

if you added this and did everything correctly, at the end of every scan you'll find the results inside the folder /var/lib/docker/volumes/dorkscout_data/_data

this works on every platform


Executable

you can also download the already compiled binaries here and then execute them


Usage
dorkscout -h
Usage:
  dorkscout [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  delete      deletes all the .dorkscout files inside a given directory
  help        Help about any command
  install     installs a list of dorks from exploit-db.com
  scan        scans a specific website or all the websites it founds for a list of dorks

Flags:
  -h, --help   help for dorkscout

Use "dorkscout [command] --help" for more information about a command.

to start scanning with a wordlist and a proxy, returning the results in HTML format:

dorkscout scan -d="/dorkscout/Sensitive Online Shopping Info.dorkscout" -H="/dorkscout/a.html" -x socks5://127.0.0.1:9050

results :



Install wordlists

to start scanning you'll need some dork lists; you can install them through the install command

dorkscout install --output-dir /dorks

this will fetch all the available dorks from exploit-db

[+] ./Advisories and Vulnerabilities.dorkscout
[+] ./Vulnerable Files.dorkscout
[+] ./Files Containing Juicy Info.dorkscout
[+] ./Sensitive Online Shopping Info.dorkscout
[+] ./Files Containing Passwords.dorkscout
[+] ./Vulnerable Servers.dorkscout
[+] ./Various Online Devices.dorkscout
[+] ./Pages Containing Login Portals.dorkscout
[+] ./Footholds.dorkscout
[+] ./Error Messages.dorkscout
[+] ./Files Containing Usernames.dorkscout
[+] ./Network or Vulnerability Data.dorkscout
[+] ./.dorkscout
[+] ./Sensitive Directories.dorkscout
[+] ./Web Server Detection.dorkscout
2021/08/11 19:02:45 Installation finished in 2.007928 seconds on /dorks

