Thursday, March 30, 2017

Cuckoo Sandbox

What is it? 

In three words, Cuckoo Sandbox is a malware analysis system.

In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will give you back detailed results outlining what that file did when executed inside an isolated environment.

Malware is the Swiss-army knife of cybercriminals and of any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it is vitally important to understand how they operate in order to understand the context, the motivations and the goals of a breach, so that you can protect yourself better in the future.

Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, OS X, Linux, and Android.
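A Cuckoo run ends in a report.json; the first thing an analyst wants from it is the high-severity signatures, persistence keys, dropped files and contacted hosts. The triage helper below is an added example, not Cuckoo's own code; the key names it reads (info.score, signatures[].severity, behavior.summary.file_created and regkey_written, network.hosts) are assumed from the Cuckoo 2.x layout and the sample report is constructed.

```python
"""Triage summary from a Cuckoo Sandbox report.json (added example).

Not Cuckoo's own code. Key names (info.score, signatures[].severity,
behavior.summary.file_created / regkey_written, network.hosts) follow
the Cuckoo 2.x layout as assumed here; verify them against your version.
"""
import json
from collections import Counter

# Constructed sample: a heavily trimmed imitation of a real report.json.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 42, "score": 7.2},
    "target": {"file": {"name": "invoice.exe", "sha256": "0" * 64}},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3},
        {"name": "network_http", "severity": 2},
        {"name": "antivm_generic_disk", "severity": 2},
    ],
    "behavior": {"summary": {
        "file_created": ["C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"],
        "regkey_written": ["HKEY_CURRENT_USER\\Software\\Microsoft\\"
                           "Windows\\CurrentVersion\\Run\\svc"],
    }},
    "network": {"hosts": [{"ip": "198.51.100.7"}, {"ip": "198.51.100.8"}]},
})


def triage(report_json, min_severity=2):
    """Reduce a report to the fields an analyst looks at first."""
    r = json.loads(report_json)
    sigs = sorted((s for s in r.get("signatures", [])
                   if s.get("severity", 0) >= min_severity),
                  key=lambda s: -s["severity"])
    summary = r.get("behavior", {}).get("summary", {})
    # network.hosts holds dicts in Cuckoo 2.x and bare strings in 1.x
    ips = [h["ip"] if isinstance(h, dict) else h
           for h in r.get("network", {}).get("hosts", [])]
    run_keys = [k for k in summary.get("regkey_written", [])
                if "\\CurrentVersion\\Run" in k]
    return {
        "sample": r.get("target", {}).get("file", {}).get("name"),
        "score": r.get("info", {}).get("score"),
        "max_severity": max((s["severity"] for s in sigs), default=0),
        "signatures": [s["name"] for s in sigs],
        "persistence_keys": run_keys,
        "dropped_files": summary.get("file_created", []),
        "contacted_ips": ips,
        # signature names are prefixed by family: persistence_, network_, ...
        "families": dict(Counter(s["name"].split("_")[0] for s in sigs)),
    }
```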

Volatility Framework - Volatile memory extraction utility framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.
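A standard use of Volatility is to cross-check two of its plugins: pslist walks the kernel's linked process list, while psscan carves _EPROCESS objects out of the whole image, so a running process that only psscan reports has been unlinked or hidden. The script below is an added example, not part of the Volatility Framework; it parses constructed Volatility 2.x text output and assumes that column layout.

```python
"""Cross-check Volatility 2 pslist against psscan (added example).

Not part of the Volatility Framework. pslist walks the kernel's linked
process list; psscan carves _EPROCESS objects from the whole image. A
PID that psscan finds, that has no exit time, and that pslist never
shows is unlinked (DKOM) or otherwise hidden. Column layout follows the
Volatility 2.x text output; the sample output below is constructed.
"""
import re

PSLIST = """Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c2e040 System                    4      0     86      560 ------      0 2017-03-30 10:00:01 UTC+0000
0xfffffa8001b3d060 explorer.exe           1284   1240     31      890      1      0 2017-03-30 10:01:12 UTC+0000
"""

PSSCAN = """Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0cb040 System                4      0 0x0000000000187000 2017-03-30 10:00:01 UTC+0000
0x000000003f1a2060 explorer.exe       1284   1240 0x000000001f3c5000 2017-03-30 10:01:12 UTC+0000
0x000000003f3e4910 cmd.exe            2408   1284 0x0000000023b61000 2017-03-30 10:06:02 UTC+0000 2017-03-30 10:06:30 UTC+0000
0x000000003f4f57a0 svchost.exe        3120    620 0x0000000025c72000 2017-03-30 10:07:15 UTC+0000
"""

ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$", re.I)
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_processes(text):
    """Map PID -> (name, ppid, exited) from one plugin's text output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header and separator lines
        name, pid, ppid, rest = m.groups()
        # a second timestamp in the row means the process has exited
        exited = len(TIMESTAMP.findall(rest)) >= 2
        procs[int(pid)] = (name, int(ppid), exited)
    return procs


def hidden_processes(pslist_text, psscan_text):
    """PIDs carved by psscan, still running, but absent from pslist."""
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return sorted(pid for pid, (_, _, exited) in scanned.items()
                  if pid not in listed and not exited)
```

The exited cmd.exe is not reported: a terminated process whose _EPROCESS has not yet been overwritten is the normal reason for a psscan-only entry and should not be confused with a hidden one.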

Capture Live RAM



Belkasoft Live RAM Capturer is a tiny free forensic tool that allows you to reliably extract the entire contents of a computer's volatile memory, even if it is protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool's footprint as much as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis in Belkasoft Evidence Center. Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows, including XP, Vista, Windows 7, 8 and 10, and Server 2003 and 2008.


Why Memory Dump Is the First Thing To Do During the Acquisition

Memory dumps are a valuable source of ephemeral evidence and volatile information. Memory dumps may contain passwords to encrypted volumes (TrueCrypt, BitLocker, PGP Disk), account login credentials for many webmail and social network services such as Gmail, Yahoo Mail, Hotmail; Facebook, Twitter, Google Plus; file sharing services such as Dropbox, Flickr, SkyDrive, etc.

Thursday, March 16, 2017

Find ORACLE_HOME



In SQL*Plus (dbms_system is owned by SYS and is not granted to PUBLIC, so run this as SYSDBA or after EXECUTE on it has been granted to your user):

SQL> VARIABLE OH VARCHAR2(200)
SQL> EXEC dbms_system.get_env('ORACLE_HOME', :OH);
SQL> PRINT OH

Wednesday, February 22, 2017

ifconfig.me: connection test

curl ifconfig.me

Get your external IP address

curl ifconfig.me/ip    -> IP address

curl ifconfig.me/host  -> remote host

curl ifconfig.me/ua    -> user agent

curl ifconfig.me/port  -> port

TheFatRat v1.8 - Easy Tool For Generate Backdoor with Msfvenom

What is TheFatRat ?

An easy tool to generate a backdoor with msfvenom (part of the Metasploit Framework) and an easy tool for post-exploitation attacks such as browser attacks and DLLs. This tool compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android and Mac. The malware created with this tool also claims the ability to bypass most AV software protection.


https://github.com/Screetsec/TheFatRat 

trojan-dropper: Dr0p1t-Framework

Features

Works with Windows and Linux
Adding malware after downloading it to startup
Adding malware after downloading it to task scheduler
Finding and killing the antivirus before running the malware
Running a custom (batch|powershell|vbs) file you have chosen before running the malware
When running PowerShell scripts it can bypass the execution policy
Using UPX to compress the dropper after creating it
Choose an icon for the dropper after creating it


https://blog.malwarebytes.com/threats/trojan-dropper/

https://github.com/D4Vinci/Dr0p1t-Framework


dirsearch.py

dirsearch is a simple command line tool designed to brute force directories and files in websites.
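From the defender's side, a directory brute-force is easy to spot in the access log: one client requests many distinct paths in a few seconds and most of them come back 404. The detector below is an added example unrelated to dirsearch's own code; it runs over constructed Apache combined-format log lines and flags any client whose distinct 404 paths inside a sliding window reach a threshold.

```python
"""Detect directory brute-forcing in access logs (added example).

Unrelated to dirsearch's own code: a scanner of this kind produces a
burst of requests for many distinct paths from one client, most of them
answered 404. The detector counts distinct 404 paths per client IP in a
sliding time window. The log lines are constructed, Apache combined format.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
203.0.113.5 - - [22/Feb/2017:10:15:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2017:10:15:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2017:10:15:02 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2017:10:15:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2017:10:15:03 +0000] "GET /config.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2017:10:15:04 +0000] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2017:10:15:09 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_log(text):
    """Yield (ip, timestamp, path, status) for every well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # skip malformed lines rather than abort the whole run
            ip, ts, _method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def detect_bruteforce(text, window_s=10, min_misses=5):
    """Return {ip: peak distinct 404 paths} for clients over the threshold."""
    misses = defaultdict(list)
    for ip, ts, path, status in parse_log(text):
        if status == 404:
            misses[ip].append((ts, path))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # advance the window start until the window spans <= window_s
            while (ts - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= min_misses:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged
```

Counting distinct paths rather than raw 404s keeps a browser repeatedly reloading one broken image from tripping the rule.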

hashID | hash-identifier

Identify the different types of hashes used to encrypt data and especially passwords.
This replaces hash-identifier, which is outdated!
hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions.
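hashID works by matching the hash string against a table of regular expressions, so it returns candidates rather than a verdict. The miniature identifier below is an added example, not hashID's code; it covers a handful of the formats in the list that follows, with constructed sample inputs, and shows why a bare 32-hex-digit digest can only be reported as MD5 or MD4 or NTLM, while the prefix of a modular-crypt hash makes it unambiguous.

```python
"""A hashID-style identifier in miniature (added example, not hashID's code).

It covers a handful of the formats listed below: a bare 32-hex-digit
string is equally MD5, MD4, NTLM or a cached domain credential, so only
candidates are returned, whereas the $1$, $5$, $6$, $2a$ prefixes of
modular-crypt hashes make those unambiguous. Sample hashes are constructed.
"""
import re

# (regex, candidate type names); every matching pattern is reported
PATTERNS = [
    (r"^[a-f0-9]{32}$", ["MD5", "MD4", "NTLM", "LM", "Domain Cached Credentials"]),
    (r"^[a-f0-9]{32}:[a-f0-9]{32}$", ["SAM(LM_Hash:NT_Hash)"]),
    (r"^[a-f0-9]{40}$", ["SHA-1", "RIPEMD-160", "Double SHA1"]),
    (r"^\*[a-f0-9]{40}$", ["MySQL5.x"]),
    (r"^[a-f0-9]{64}$", ["SHA-256", "SHA3-256", "GOST R 34.11-94"]),
    (r"^[a-f0-9]{128}$", ["SHA-512", "SHA3-512", "Whirlpool"]),
    (r"^\$1\$[./a-z0-9]{0,8}\$[./a-z0-9]{22}$", ["MD5 Crypt"]),
    (r"^\$apr1\$[./a-z0-9]{0,8}\$[./a-z0-9]{22}$", ["Apache MD5", "MD5(APR)"]),
    (r"^\$5\$(rounds=\d+\$)?[./a-z0-9]{0,16}\$[./a-z0-9]{43}$", ["SHA-256 Crypt"]),
    (r"^\$6\$(rounds=\d+\$)?[./a-z0-9]{0,16}\$[./a-z0-9]{86}$", ["SHA-512 Crypt"]),
    (r"^\$2[aby]?\$\d{2}\$[./a-z0-9]{53}$", ["bcrypt", "Blowfish(OpenBSD)"]),
    (r"^\$P\$[./a-z0-9]{31}$", ["PHPass' Portable Hash", "Wordpress ≥ v2.6.2"]),
]
COMPILED = [(re.compile(p, re.IGNORECASE), names) for p, names in PATTERNS]

# Constructed inputs: md5/sha1 of "password", a bcrypt string of the right
# shape, and a synthetic SHA-512 Crypt value with an explicit rounds field.
SAMPLES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "$6$rounds=5000$saltsalt$" + "x" * 86,
]


def identify(candidate):
    """Return every hash type whose pattern matches, in PATTERNS order."""
    candidate = candidate.strip()
    found = []
    for rx, names in COMPILED:
        if rx.match(candidate):
            found.extend(n for n in names if n not in found)
    return found


def identify_all(candidates):
    """Identify a batch; unknown formats map to an empty list."""
    return {c: identify(c) for c in candidates}
```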

Supported hash list
--
1Password(Agile Keychain)
1Password(Cloud Keychain)
Adler-32
AIX(smd5)
AIX(ssha1)
AIX(ssha256)
AIX(ssha512)
Android FDE ≤ 4.3
Android PIN
Apache MD5
bcrypt(SHA-256)
BigCrypt
Blowfish(OpenBSD)
BSDi Crypt
Cisco Type 4
Cisco Type 8
Cisco Type 9
Cisco VPN Client(PCF-File)
Cisco-ASA(MD5)
Cisco-IOS(MD5)
Cisco-IOS(SHA-256)
Cisco-PIX(MD5)
Citrix Netscaler
Clavister Secure Gateway
CRAM-MD5
CRC-16
CRC-16-CCITT
CRC-24
CRC-32
CRC-32B
CRC-64
CRC-96(ZIP)
Crypt16
CryptoCurrency(Adress)
CryptoCurrency(PrivateKey)
Dahua
DES(Oracle)
DES(Unix)
Django(bcrypt-SHA256)
Django(bcrypt)
Django(DES Crypt Wrapper)
Django(MD5)
Django(PBKDF2-HMAC-SHA1)
Django(PBKDF2-HMAC-SHA256)
Django(SHA-1)
Django(SHA-256)
Django(SHA-384)
DNSSEC(NSEC3)
Domain Cached Credentials
Domain Cached Credentials v2
Double MD5
Double SHA1
Drupal > v7.x
Eggdrop IRC Bot
ELF-32
EPi
EPiServer 6.x < v4
EPiServer 6.x ≥ v4
Fairly Secure Hashed Password
FCS-16
FCS-32
Fletcher-32
FNV-132
FNV-164
Fortigate(FortiOS)
FreeBSD MD5
GHash-32-3
GHash-32-5
GOST CryptoPro S-Box
GOST R 34.11-94
GRUB 2
Half MD5
HAS-160
Haval-128
Haval-160
Haval-192
Haval-224
Haval-256
hMailServer
IKE-PSK MD5
IKE-PSK SHA1
IP.Board ≥ v2
IPMI2 RAKP HMAC-SHA1
iSCSI CHAP Authentication
Joaat
Joomla < v2.5.18
Joomla ≥ v2.5.18
Juniper Netscreen/SSG(ScreenOS)
Kerberos 5 AS-REQ Pre-Auth
Lastpass
LDAP(SSHA-512)
Lineage II C4
LinkedIn
LM
Lotus Notes/Domino 5
Lotus Notes/Domino 6
Lotus Notes/Domino 8
MangosWeb Enhanced CMS
MD2
MD4
MD5
MD5 Crypt
MD5(APR)
MD5(Chap)
MediaWiki
Microsoft MSTSC(RDP-File)
Microsoft Office ≤ 2003 (MD5+RC4)
Microsoft Office ≤ 2003 (SHA1+RC4)
Microsoft Office 2007
Microsoft Office 2010
Microsoft Office 2013
Microsoft Outlook PST
Minecraft(AuthMe Reloaded)
Minecraft(xAuth)
MSSQL(2000)
MSSQL(2005)
MSSQL(2008)
MSSQL(2012)
MSSQL(2014)
MyBB ≥ v1.2+
MySQL Challenge-Response Auth (SHA1)
MySQL323
MySQL4.1
MySQL5.x
NetNTLMv1-VANILLA / NetNTLMv1+ESS
NetNTLMv2
Netscape LDAP SHA
Netscape LDAP SSHA
NTHash(FreeBSD Variant)
NTLM
Oracle 11g/12c
Oracle 7-10g
osCommerce
OSX v10.4-10.6
OSX v10.7
OSX v10.8-10.9
Palshop CMS
PBKDF2-HMAC-SHA256(PHP)
PBKDF2-SHA1(Generic)
PBKDF2-SHA256(Generic)
PBKDF2-SHA512(Generic)
PBKDF2(Atlassian)
PBKDF2(Cryptacular)
PBKDF2(Dwayne Litzenberger)
PDF 1.4 - 1.6 (Acrobat 5 - 8)
PeopleSoft
PHPass' Portable Hash
phpBB 3.x
PHPS
PostgreSQL Challenge-Response Auth (MD5)
PostgreSQL MD5
RACF
RAdmin v2.x
Redmine Project Management Web App
RIPEMD-128
RIPEMD-160
RIPEMD-256
RIPEMD-320
Salsa10
Salsa20
SAM(LM_Hash:NT_Hash)
SAP CODVN B (BCODE)
SAP CODVN F/G (PASSCODE)
SAP CODVN H (PWDSALTEDHASH) iSSHA-1
SCRAM Hash
scrypt
SHA-1
SHA-1 Crypt
SHA-1(Base64)
SHA-1(Oracle)
SHA-224
SHA-256
SHA-256 Crypt
SHA-384
SHA-512
SHA-512 Crypt
SHA3-224
SHA3-256
SHA3-384
SHA3-512
Siemens-S7
SipHash
Skein-1024
Skein-1024(384)
Skein-1024(512)
Skein-256
Skein-256(128)
Skein-256(160)
Skein-256(224)
Skein-512
Skein-512(128)
Skein-512(160)
Skein-512(224)
Skein-512(256)
Skein-512(384)
Skype
SMF ≥ v1.1
Snefru-128
Snefru-256
SSHA-1(Base64)
SSHA-512(Base64)
Sun MD5 Crypt
Sybase ASE
Tiger-128
Tiger-160
Tiger-192
Traditional DES
vBulletin < v3.8.5
vBulletin ≥ v3.8.5
Ventrilo
VNC
WebEdition CMS
Whirlpool
Woltlab Burning Board 3.x
Woltlab Burning Board 4.x
Wordpress ≥ v2.6.2
Wordpress v2.6.0/2.6.1
XOR-32
xt:Commerce
ZipMonster