GetUserSPNs.py

Description

Part of the Impacket network tool suite – queries target domain for SPNs that are running under a user account (requires valid domain credentials).

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
 
usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN]
                      [-usersfile USERSFILE] [-request]
                      [-request-user username] [-save]
                      [-outputfile OUTPUTFILE] [-debug]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-dc-ip ip address]
                      target
 
Queries target domain for SPNs that are running under a user account
 
positional arguments:
  target                domain/username[:password]
 
optional arguments:
  -h, --help            show this help message and exit
  -target-domain TARGET_DOMAIN
                        Domain to query/request if different than the domain
                        of the user. Allows for Kerberoasting across trusts.
  -usersfile USERSFILE  File with user per line to test
  -request              Requests TGS for users and output them in JtR/hashcat
                        format (default False)
  -request-user username
                        Requests TGS for the SPN associated to the user
                        specified (just the username, no domain needed)
  -save                 Saves TGS requested to disk. Format is
                        <username>.ccache. Auto selects -request
  -outputfile OUTPUTFILE
                        Output filename to write ciphers in JtR/hashcat format
  -debug                Turn DEBUG output ON
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter. Ignoredif -target-domain is specified.

Examples

GetUserSPNs.py hiboxy.com/bgreen:Password1 -request -dc-ip 10.130.10.4 | tee /tmp/spns.output

With -request, this returns the SPNs of user accounts (service accounts that often hold elevated privileges) together with their TGS tickets in JtR/hashcat format. Grep the hashes out into a separate file and crack them with hashcat.

Blog Posts

netcat

Description

The swiss army knife of pen testing.

Platform: All
Author:
License: Free
URL:

Usage

[v1.10-46]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -C                      Send CRLF as line-ending
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

Examples

nc -nzv -w 3 <ip> <port>

This command scans a port to see if it’s open without establishing a full 3-way handshake. It waits for 3 seconds before disconnecting.

┌──(root💀kali)-[/home/kali/proving_grounds/Bratarina]
└─# nc -zv -w 3 192.168.145.71 443
bratarina [192.168.145.71] 443 (https) : Connection timed out

┌──(root💀kali)-[/home/kali/proving_grounds/Bratarina]
└─# nc -zv -w 3 192.168.145.71 25
bratarina [192.168.145.71] 25 (smtp) open

nc -nlvp 1337 -e /bin/bash

Starts a back door listener on port 1337 and presents the user with a bash shell when the user connects.

nc -nlvp 1337 < /tmp/file.txt

Sends file.txt over the socket when the user connects. The other side of the connection would look like “nc <ip> 1337 > file.txt”

Blog Posts

nmap

Description

A free and open source utility for network discovery and security auditing.

Platform: All
Author:
License: Free
URL: nmap.org

Usage

Nmap 7.91 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Examples

nmap x.x.x.x

The default nmap scan checks whether the most common TCP ports are open.

└─# nmap 192.168.145.71
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 14:09 EDT
Nmap scan report for bratarina (192.168.145.71)
Host is up (0.038s latency).
Not shown: 995 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
53/tcp  closed domain
80/tcp  open   http
445/tcp open   microsoft-ds

nmap -A x.x.x.x -p 22,25,53,80,445

The -A option enables OS detection, version detection, script scanning, and traceroute output.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 14:12 EDT
Nmap scan report for bratarina (192.168.145.71)
Host is up (0.038s latency).
 
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
|_  256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
25/tcp  open   smtp        OpenSMTPD
| smtp-commands: bratarina Hello bratarina [192.168.49.145], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
53/tcp  closed domain
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB       
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Aggressive OS guesses: Linux 2.6.32 (88%), Linux 2.6.32 or 3.10 (88%), Linux 2.6.39 (88%), Linux 3.10 - 3.12 (88%), Linux 4.4 (88%), WatchGuard Fireware 11.8 (88%), Synology DiskStation Manager 5.1 (87%), Linux 2.6.35 (87%), Linux 4.9 (87%), Linux 3.4 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m35s, median: 0s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2021-04-11T14:12:39-04:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-04-11T18:12:38
|_  start_date: N/A
 
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   38.83 ms 192.168.49.1
2   38.83 ms bratarina (192.168.145.71)
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.03 seconds

nmap -sT -p 1-65535 x.x.x.x

This command will do a full TCP connect scan on every port.

sudo nmap -n -sT x.x.x.x/24 -oA /tmp/scan

The -n will not resolve host names, the -sT will do a TCP connect scan on the subnet specified, and the -oA will save normal, grepable, and XML output to /tmp/scan.

sec@slingshot:~$ sudo nmap -n -sT 10.130.10.0/24 -oA /tmp/scan
 
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 14:25 UTC
Nmap scan report for 10.130.10.4
Host is up (0.030s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.5
Host is up (0.030s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.6
Host is up (0.030s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.10
Host is up (0.029s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
9100/tcp open  jetdirect
 
Nmap scan report for 10.130.10.11
Host is up (0.028s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9100/tcp open  jetdirect
 
Nmap scan report for 10.130.10.21
Host is up (0.029s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.22
Host is up (0.026s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
9100/tcp open  jetdirect
 
Nmap scan report for 10.130.10.25
Host is up (0.030s latency).
Not shown: 978 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
81/tcp   open  hosts2-ns
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
444/tcp  open  snpp
445/tcp  open  microsoft-ds
465/tcp  open  smtps
587/tcp  open  submission
593/tcp  open  http-rpc-epmap
808/tcp  open  ccproxy-http
1801/tcp open  msmq
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  msmq-mgmt
2525/tcp open  ms-v-worlds
3389/tcp open  ms-wbt-server
6001/tcp open  X11:1
6502/tcp open  netop-rc
6565/tcp open  unknown
6646/tcp open  unknown
 
Nmap scan report for 10.130.10.33
Host is up (0.029s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.44
Host is up (0.031s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.45
Host is up (0.030s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap done: 256 IP addresses (11 hosts up) scanned in 26.57 seconds

sudo nmap -n -O -sT --open x.x.x.x-x

This scan skips name resolution (-n), performs OS fingerprinting (-O) and a full TCP connect scan (-sT), and displays only open ports (--open).

sec@slingshot:~$ ping -c2 10.130.10.10
PING 10.130.10.10 (10.130.10.10) 56(84) bytes of data.
64 bytes from 10.130.10.10: icmp_seq=1 ttl=63 time=26.8 ms
64 bytes from 10.130.10.10: icmp_seq=2 ttl=63 time=26.9 ms
 
--- 10.130.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 26.868/26.889/26.910/0.021 ms
sec560@slingshot:~$ sudo nmap -n -O -sT --open 10.130.10.21-22
 
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 16:19 UTC
Nmap scan report for 10.130.10.21
Host is up (0.030s latency).
Not shown: 998 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
 
Nmap scan report for 10.130.10.22
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
9100/tcp open  jetdirect
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=3/15%OT=22%CT=1%CU=38811%PV=Y%DS=2%DC=I%G=Y%TM=6230BC9
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)SEQ(SP=FD
OS:%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=
OS:M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=F4B3%W2=F4
OS:B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M54DNNSNW7
OS:%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
 
Network Distance: 2 hops
 
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.22 seconds

sudo nmap -n -sT -sV --open x.x.x.x-x

This scan will not resolve host names, perform a TCP full-connect, connect to services and perform version scanning (using /usr/share/nmap/nmap-service-probes), and only show open ports.

sec@slingshot:~$ sudo nmap -n -sT -sV --open 10.130.10.21-22
 
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 16:44 UTC
Nmap scan report for 10.130.10.21
Host is up (0.032s latency).
Not shown: 998 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Nmap scan report for 10.130.10.22
Host is up (0.032s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
9100/tcp open  jetdirect?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 16.19 seconds

nmap --proxies socks4://127.0.0.1:4444 x.x.x.x

This routes nmap traffic through a dynamic proxy, such as one created with ssh -D. Proxy support is implemented in nmap's nsock library, so only version detection (-sV) and NSE script traffic is relayed; the host discovery, port scan and OS detection phases are not.

nmap -Pn <ip>

The -Pn option will skip the host discovery portion of the scan. This is useful if a firewall is filtering ICMP packets like the Windows firewall does by default.

Additional Details

  • When not running as root, nmap does a full TCP connect.
  • /usr/share/nmap/nmap-service-probes
    • where nmap stores service version identification checks
  • /usr/share/nmap/scripts/script.db
    • index of all the local NSE scripts
    • can grep for specific scripts
  • /usr/share/nmap/nmap-services
    • nmap’s personal /etc/services
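The three files that -oA writes can be post-processed. As an added example (not part of this page or of nmap itself), here is a small parser for the grepable (.gnmap) file that turns scan results into a host-to-open-ports inventory and lists the hosts exposing a given service. The sample file is constructed to mirror three hosts from the scan above.

```python
import re
from collections import defaultdict

# Constructed sample of the grepable file that "-oA /tmp/scan" writes as /tmp/scan.gnmap.
# Hosts and ports mirror the scan shown above; timestamps are made up. Fields are tab-separated.
SAMPLE_GNMAP = """\
# Nmap 7.60 scan initiated Tue Mar 15 14:25:01 2022 as: nmap -n -sT 10.130.10.0/24 -oA /tmp/scan
Host: 10.130.10.4 ()\tStatus: Up
Host: 10.130.10.4 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (995)
Host: 10.130.10.10 ()\tStatus: Up
Host: 10.130.10.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (996)
Host: 10.130.10.33 ()\tStatus: Up
Host: 10.130.10.33 ()\tPorts: 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
# Nmap done at Tue Mar 15 14:25:27 2022 -- 256 IP addresses (11 hosts up) scanned in 26.57 seconds
"""

# "Host: <ip> (<hostname>)<TAB><rest>"; comment lines ("# Nmap ...") do not match.
HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, state, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # "Status: Up" and "Ignored State: ..." carry no port data
            for item in field[len("Ports: "):].split(", "):
                # Each item is port/state/protocol/owner/service/rpc-info/version/ (trailing slash)
                port, state, proto, _owner, service, _rpc, _version, _ = item.split("/")
                entry["ports"].append((int(port), proto, state, service))
    return hosts


def hosts_exposing(hosts, port, proto="tcp"):
    """IPs with the given port open, e.g. every host reachable on RDP (3389/tcp)."""
    return sorted(
        ip for ip, h in hosts.items()
        if any(p == port and pr == proto and st == "open" for p, pr, st, _ in h["ports"])
    )


def service_summary(hosts):
    """How many hosts expose each service name, for a quick attack-surface overview."""
    counts = defaultdict(int)
    for h in hosts.values():
        for _, _, state, service in h["ports"]:
            if state == "open":
                counts[service] += 1
    return dict(counts)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, h in inventory.items():
        print(ip, [f"{p}/{pr} {svc}" for p, pr, _, svc in h["ports"]])
    print("RDP exposed on:", hosts_exposing(inventory, 3389))
    print("telnet exposed on:", hosts_exposing(inventory, 23))
    print(service_summary(inventory))
```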

Blog Posts

reg_export

Description

This program exports the raw content of a registry value to a file.

Platform: Windows
Author: Adam Kramer
License: GPLv3
URL: https://github.com/adamkramer/reg_export

Usage

Usage: reg_export.exe <registry key> <value name> <file> [/32node]
E.g. reg_export.exe HKEY_CURRENT_USER\Console CursorSize C:\output.raw /32node
 
Additional information:
#1. If you want the default value for a subkey, enter the value name (default)
#2 Appending /32node can be used to request values from 32 bit registry node

Examples

reg_export HKCU\software\key value script.js

Extracts the raw data stored in the value "value" under the key HKCU\software\key and writes it to a file named script.js.

Blog Posts

translate.py

Description

Translate bytes according to a Python expression.

Platform: N/A (Python)
Author: Didier Stevens
License: Free / Public Domain
URL: https://blog.didierstevens.com/

Usage

Usage: translate.py [options] [file-in] [file-out] command [script]
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -o OUTPUT, --output=OUTPUT
                        Output file (default is stdout)
  -s SCRIPT, --script=SCRIPT
                        Script with definitions to include
  -f, --fullread        Full read of the file
  -r REGEX, --regex=REGEX
                        Regex to search input file for and apply function to
  -R FILTERREGEX, --filterregex=FILTERREGEX
                        Regex to filter input file for and apply function to
  -m, --man             print manual

Examples

translate.py encoded.raw decoded.txt 'byte ^ 0x5b'

XORs every byte of encoded.raw with the key 0x5b and writes the result to decoded.txt. If the input is hex ASCII, convert it to raw bytes first with "xxd -r -p encoded.hex > encoded.raw".

translate.py -o svchost.exe.dec svchost.exe 'byte ^ 0x10'

"byte" is the current byte of the input file, so 'byte ^ 0x10' XORs each byte with 0x10 and writes the result to svchost.exe.dec.
Extra functions:
rol(byte, count)
ror(byte, count)
IFF(expression, valueTrue, valueFalse)
The variable "position" is the index of the current byte in the input file, starting at 0.
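As an added example (not translate.py's own code), the per-byte expression model described above is reimplemented in a few lines so that rol/ror/IFF and the position variable can be seen working. The obfuscated sample is constructed here by XORing with 0x5b and then rotating left by 3 bits; the decode command undoes those steps in reverse order.

```python
# Added example: a minimal re-implementation of translate.py's per-byte expression model.
# Not the tool's code; the sample data below is constructed for the demonstration.


def rol(byte, count):
    """Rotate an 8-bit value left by count bits."""
    count %= 8
    return ((byte << count) | (byte >> (8 - count))) & 0xFF


def ror(byte, count):
    """Rotate an 8-bit value right by count bits."""
    count %= 8
    return ((byte >> count) | (byte << (8 - count))) & 0xFF


def IFF(expression, valueTrue, valueFalse):
    """Inline if: pick a value per byte, e.g. a key that depends on position."""
    return valueTrue if expression else valueFalse


def translate(data, command):
    """Evaluate the Python expression `command` once per input byte, as translate.py does.

    `byte` is the current byte, `position` its 0-based offset in the input; the result of the
    expression is masked to 8 bits. Only the helper functions above are visible to the expression.
    """
    code = compile(command, "<command>", "eval")
    env = {"__builtins__": {}, "rol": rol, "ror": ror, "IFF": IFF}
    out = bytearray()
    for position, byte in enumerate(data):
        env["byte"], env["position"] = byte, position
        out.append(eval(code, env) & 0xFF)
    return bytes(out)


def obfuscate(plain, key=0x5b, count=3):
    """Constructed obfuscation for the sample: XOR with key, then rotate left by count bits."""
    return bytes(rol(b ^ key, count) for b in plain)


PLAIN = b"\\system32\\rundll32.exe user32.dll"   # constructed plaintext
SAMPLE = obfuscate(PLAIN)                         # what the "encoded.raw" file would contain

if __name__ == "__main__":
    # Undo the rotate first, then the XOR: the reverse of how the sample was built.
    print(translate(SAMPLE, "ror(byte, 3) ^ 0x5b"))
    # Plain XOR, with the input given as hex ASCII (the xxd -r -p case above).
    print(translate(bytes.fromhex("1b2e"), "byte ^ 0x5b"))
    # Position-dependent key: 0x10 on even offsets, 0x5b on odd ones.
    print(translate(b"\x10\x5b\x10\x5b", "byte ^ IFF(position % 2 == 0, 0x10, 0x5b)"))
```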

Blog Posts

FLOSS

Description

The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like `strings.exe` to enhance basic static analysis of unknown binaries.

Platform: Windows, Mac, Linux
Author: FireEye Labs
License: Apache License 2.0
URL: https://github.com/fireeye/flare-floss/releases

Usage

Usage: floss [options] FILEPATH
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -n MIN_LENGTH, --minimum-length=MIN_LENGTH
                        minimum string length (default is 4)
  -f FUNCTIONS, --functions=FUNCTIONS
                        only analyze the specified functions (comma-separated)
  --save-workspace      save vivisect .viv workspace file in current directory
 
  Extraction options:
    Specify which string types FLOSS shows from a file, by default all
    types are shown
 
    --no-static-strings
                        do not show static ASCII and UTF-16 strings
    --no-decoded-strings
                        do not show decoded strings
    --no-stack-strings  do not show stackstrings
 
  Format Options:
    -g, --group         group output by virtual address of decoding functions
    -q, --quiet         suppress headers and formatting to print only
                        extracted strings
 
  Logging Options:
    -v, --verbose       show verbose messages and warnings
    -d, --debug         show all trace messages
 
  Script output options:
    -i IDA_PYTHON_FILE, --ida=IDA_PYTHON_FILE
                        create an IDAPython script to annotate the decoded
                        strings in an IDB file
    -r RADARE2_SCRIPT_FILE, --radare=RADARE2_SCRIPT_FILE
                        create a radare2 script to annotate the decoded
                        strings in an .r2 file
 
  Identification Options:
    -p PLUGINS, --plugins=PLUGINS
                        apply the specified identification plugins only
                        (comma-separated)
    -l, --list-plugins  list all available identification plugins and exit
 
  FLOSS Profiles:
    -x, --expert        show duplicate offset/string combinations, save
                        workspace, group function output

Examples

floss --no-static-strings file.exe

The following example shows the decoded and stack strings found in 9.exe. Although floss can show regular static strings as well, by the time you run floss you are typically only interested in the encoded strings.

remnux@remnux:~$ floss --no-static-strings file.exe
 
FLOSS decoded 16 strings
\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program 
Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Fil
\system32\
.ocx
whh27018
WinSta0\Default
WinSta0\Default
WinSta0\Default
user32.dll
syst<
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user32.dll
systH
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
syst
\system32\AA
\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
FLOSS extracted 4 stackstrings
WinSta0\Default
user32.dll
\Program Files\Common Files\
rundll32.exe
 
Finished execution after 3.978650 seconds

Blog Posts

base64dump.py

Description

Extracts and decodes base64 strings (or other encodings) found inside the provided file. base64dump looks for sequences of base64 characters (or other encodings) in the provided file and tries to decode them.

Platform: N/A (Python)
Author: Didier Stevens
License: Free / Public Domain
URL: https://blog.didierstevens.com/

Usage

Usage: base64dump.py [options] [file]
Extract base64 strings from file
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -e ENCODING, --encoding=ENCODING
                        select encoding to use (default base64)
  -s SELECT, --select=SELECT
                        select item nr for dumping (a for all)
  -d, --dump            perform dump
  -x, --hexdump         perform hex dump
  -a, --asciidump       perform ascii dump
  -S, --strings         perform strings dump
  -n NUMBER, --number=NUMBER
                        minimum number of bytes in decoded data
  -c CUT, --cut=CUT     cut data
  -w, --ignorewhitespace
                        ignore whitespace

Examples

base64dump.py file.txt

The following output lists every run of base64 characters that base64dump.py found and tried to decode. The candidates are short words such as function and unescape that merely happen to be valid base64, and the decoded data is random-looking binary, which tells you this file isn’t using the default base64 encoding; see the next example.

remnux@remnux:~$ base64dump.py file.txt
ID  Size    Encoded          Decoded          MD5 decoded                    
--  ----    -------          -------          -----------                    
 1:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
 2:       8 wstwaxap         ��pk.�           b5d83e3988cda1f8e903e138131cba91
 3:       8 yaoduhc=         ɪ.�.            c2b2fd4a95ff2e8d6ed65268e8e0a7f7
 4:       8 DDpNVDfX         .:MT7�           9a6466eb801a8374f53d7102a7066290
 5:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
 6:       8 kzV0IivL         �5t"+�           a8c4a29cd68eb8da8e0bbe87b3a916c4
 7:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
 8:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
 9:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
10:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
11:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
12:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
13:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
14:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
15:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
16:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
17:       8 S3GBCRNU         Kq�..T           d04eae77c1362316d251db3a3af7a8d5
18:       8 ecBcfdoM         y�\}�.           b185fd8b77394b6c5902b8291c1aa2b6
19:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
20:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
21:       8 VWAbzxUP         U`.�..           e603829f07f2b06cbe2b53af4d94b716
22:       8 0x400000         �.4�M4           084838d4f4261ed700f3d5ca57681d9f
23:       8 WCoEYFdo         X*.`Wh           9e71afc328eab02982d2cd44d58697bc
24:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
25:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
26:       8 VWAbzxUP         U`.�..           e603829f07f2b06cbe2b53af4d94b716
27:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
28:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
29:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
30:       8 kzV0IivL         �5t"+�           a8c4a29cd68eb8da8e0bbe87b3a916c4
31:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
32:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
33:       8 jpwZA7Ef         ..�.           cd49f8f2c65a543daf4dca9899ebf1ea
34:       8 ecBcfdoM         y�\}�.           b185fd8b77394b6c5902b8291c1aa2b6
35:       8 0x400000         �.4�M4           084838d4f4261ed700f3d5ca57681d9f
36:       8 xEzYibKs         �L؉��           40ea154032b38b073adc25c546dba81d
37:       8 jpwZA7Ef         ..�.           cd49f8f2c65a543daf4dca9899ebf1ea
38:       8 DDpNVDfX         .:MT7�           9a6466eb801a8374f53d7102a7066290
39:       8 xEzYibKs         �L؉��           40ea154032b38b073adc25c546dba81d
40:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
41:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
42:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
43:       8 Qy9QDRgu         C/P...           16adea19ef8d17f9a2b3368f9e381e08
44:       8 S3GBCRNU         Kq�..T           d04eae77c1362316d251db3a3af7a8d5
45:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
46:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
47:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
48:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
49:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
50:       4 this             �.�              8e5a04323b343a97433a353a663678b3
51:      16 collectEmailInfo r�ey�D���"w�     128fa58edb7890e176d063411c06b917
52:       4 subj             ���              6214419727646d38fa39dc0c6bc72ee4
53:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
54:       8 Qy9QDRgu         C/P...           16adea19ef8d17f9a2b3368f9e381e08
55:      16 collectEmailInfo r�ey�D���"w�     128fa58edb7890e176d063411c06b917
56:       4 subj             ���              6214419727646d38fa39dc0c6bc72ee4
base64dump.py -e pu file.txt

With -e pu, base64dump.py looks for “percent u” (%uXXXX) encoded data instead of base64; this is the form shellcode takes when a script passes it through unescape(). You’re normally interested in the item with the largest size, here item 1 (the %u9090 and %u0c0c items are the NOP sled and heap-spray filler).

remnux@remnux:~$ base64dump.py -e pu file.txt
ID  Size    Encoded          Decoded                MD5 decoded                    
--  ----    -------          -------                -----------                    
 1:    1260 %u00e8%u0000%u5d �....]��.��...�=  889060967c0b481fa97ba2fb3447963c
 2:      12 %u9090%u9090     ����                a5cc288c0d8fad7eda458b7241548977
 3:      12 %u0c0c%u0c0c     ....                   d5aba5b36cbaf9dcb46a48418c3d6241
base64dump.py -e pu file.txt -s 1 -d > file.bin

In this example, base64dump.py decodes item 1 from the previous example (-s 1) and dumps the raw decoded bytes (-d) to a file named file.bin. The Size column is the length of the encoded text: 1260 characters of %uXXXX is 210 units of two bytes each, so the dump is 420 bytes. file does not recognise it, as expected for raw shellcode.

remnux@remnux:~$ base64dump.py -e pu file.txt -s 1 -d > file.bin
remnux@remnux:~$ ls -l file.bin
-rw-rw-r-- 1 remnux remnux 420 Aug 17 18:58 file.bin
remnux@remnux:~$ file file.bin
file.bin: data
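The two runs above (plain base64, then -e pu) come down to one loop: find runs of the encoding’s alphabet, decode each run, and list the candidates with size and MD5 so the largest can be picked and dumped. The following script is an added illustration of that loop, not base64dump.py itself nor any code by Didier Stevens; the SAMPLE input is constructed for the example, and the base64 candidate pattern and the little-endian handling of %uXXXX units are the assumptions it is built on.

```python
import base64
import binascii
import hashlib
import re
import struct

# Constructed sample input (not from the page or from base64dump itself): a
# script fragment carrying a %u-encoded shellcode-style blob and one base64
# string.
SAMPLE = (
    b"var sc = unescape('%u00e8%u0000%u5d5d%u9090%u9090');\n"
    b"var fn = 'ZnVuY3Rpb24gY29sbGVjdEVtYWlsSW5mbygp';\n"
)

# candidate patterns per encoding, mirroring the -e base64 / -e pu choice
PATTERNS = {
    "base64": re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}"),
    "pu": re.compile(rb"(?:%u[0-9A-Fa-f]{4})+"),
}


def decode_pu(chunk):
    """Each %uXXXX is a 16-bit unit; JavaScript unescape() lays it out
    little-endian in memory, so %u00e8 becomes the bytes e8 00."""
    units = re.findall(rb"%u([0-9A-Fa-f]{4})", chunk)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


def decode_base64(chunk):
    """Strict decode; trailing characters that do not complete a
    4-character group are dropped rather than guessed at."""
    usable = len(chunk) - len(chunk) % 4
    try:
        return base64.b64decode(chunk[:usable], validate=True)
    except binascii.Error:
        return None


DECODERS = {"base64": decode_base64, "pu": decode_pu}


def scan(data, encoding="base64", min_size=1):
    """List candidates the way base64dump's table does: id, decoded size,
    encoded text, decoded bytes and MD5 of the decoded bytes. min_size
    plays the role of -n and cuts the short noise items seen above."""
    items = []
    for match in PATTERNS[encoding].finditer(data):
        encoded = match.group(0)
        decoded = DECODERS[encoding](encoded)
        if not decoded or len(decoded) < min_size:
            continue
        items.append({
            "id": len(items) + 1,
            "size": len(decoded),
            "encoded": encoded,
            "decoded": decoded,
            "md5": hashlib.md5(decoded).hexdigest(),
        })
    return items


def largest(items):
    """The biggest decoded payload is normally the one worth dumping (-s N -d)."""
    return max(items, key=lambda i: i["size"]) if items else None


def print_table(items):
    print("ID   Size  Encoded           MD5 decoded")
    for i in items:
        enc = i["encoded"][:16].decode("ascii", "replace")
        print(f"{i['id']:>2}: {i['size']:>5}  {enc:<16}  {i['md5']}")


if __name__ == "__main__":
    for enc in ("base64", "pu"):
        print(f"== -e {enc} ==")
        print_table(scan(SAMPLE, enc))
    best = largest(scan(SAMPLE, "pu"))
    print("largest %u item decodes to:", best["decoded"].hex())
```

Running it with -e base64 reproduces the noise seen in the first run above (words like unescape are valid base64 and decode to junk), while -e pu yields a single ten-byte item starting e8 00 00 00, the call-pop idiom shellcode uses to find its own address; the same size-based selection then tells you which item to dump.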

procDOT

Description

ProcDOT takes output from Process Monitor (procmon) and a packet capture, and graphs the activity based on the selected process. It shows every file and registry key the process touched, every child process or thread spawned, and every file and registry key touched by the children. It also allows the activity to be played back sequentially.

Platform: Windows and Linux
Author: Christian Wojner
License: ISC
URL: https://www.procdot.com/

Usage

In Procmon

  1. Configure the displayed columns in procmon to show TID and Sequence number.
  2. Under Filter, make sure “Enable Advanced Output” is disabled.
  3. Save the output as a CSV and make sure to save all events, not just filtered ones.

In ProcDOT

  1. Load the procmon CSV into procdot (and optionally the packet capture).
  2. Click the “…” next to Launcher and select the starting process you want to analyze.
  3. Click Refresh to update the graph.

Examples

In the following example, PowerShell was used to launch an executable while Procmon was recording. The output was then fed into ProcDOT so the file and registry interactions of that executable and its child processes could be displayed visually.
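What ProcDOT does with that CSV, in outline, is walk the Process Create events from the chosen launcher to find its children, then collect the file and registry paths those processes touched. The script below is an added illustration of exactly that (it is not ProcDOT code and not from the page): it first checks that the export carries the TID and Sequence columns the procedure above asks for, then builds the process tree from a constructed Procmon CSV in which a PowerShell session launches a sample that drops a DLL, sets a Run key and starts rundll32.exe. All PIDs, paths and timestamps are made up for the example.

```python
import csv
import io
import re

# Constructed Procmon CSV export (not a real capture and not ProcDOT code).
# An unrelated explorer.exe event is included to show that it is left out
# of the launcher's tree.
PROCMON_CSV = """\
"Sequence","Time of Day","Process Name","PID","TID","Operation","Path","Result","Detail"
"0","12:00:00.0000001","powershell.exe","4100","4104","Process Create","C:\\Users\\lab\\sample.exe","SUCCESS","PID: 5200, Command line: C:\\Users\\lab\\sample.exe"
"1","12:00:00.0000002","sample.exe","5200","5204","Process Start","","SUCCESS","Parent PID: 4100"
"2","12:00:00.0000003","sample.exe","5200","5204","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\x.dll","SUCCESS","Desired Access: Generic Write"
"3","12:00:00.0000004","sample.exe","5200","5204","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x","SUCCESS","Type: REG_SZ, Length: 60"
"4","12:00:00.0000005","sample.exe","5200","5204","Process Create","C:\\Windows\\System32\\rundll32.exe","SUCCESS","PID: 5300, Command line: rundll32.exe x.dll,Start"
"5","12:00:00.0000006","rundll32.exe","5300","5304","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\x.dll","SUCCESS","Desired Access: Generic Read"
"6","12:00:00.0000007","explorer.exe","1200","1204","CreateFile","C:\\Users\\lab\\Desktop\\notes.txt","SUCCESS","Desired Access: Generic Read"
"""

# the thread and sequence columns are what the Procmon steps above enable;
# without them events cannot be ordered and correlated per thread
REQUIRED_COLUMNS = {"Sequence", "TID", "PID", "Process Name",
                    "Operation", "Path", "Detail"}


def load_events(text):
    """Parse the CSV and refuse it if the required columns are absent,
    the check worth running before handing a long capture to ProcDOT."""
    rows = list(csv.DictReader(io.StringIO(text)))
    present = set(rows[0].keys()) if rows else set()
    missing = REQUIRED_COLUMNS - present
    if missing:
        raise ValueError(f"Procmon CSV lacks columns: {sorted(missing)}")
    return sorted(rows, key=lambda r: int(r["Sequence"]))


def process_tree(events, root_pid):
    """PIDs of the launcher and all its descendants, in creation order.
    Procmon records the child's PID in the Detail field of the parent's
    'Process Create' event ('PID: 5200, Command line: ...')."""
    children = {}
    for e in events:
        if e["Operation"] == "Process Create":
            m = re.match(r"PID:\s*(\d+)", e["Detail"])
            if m:
                children.setdefault(e["PID"], []).append(m.group(1))
    tree, queue = [], [str(root_pid)]
    while queue:
        pid = queue.pop(0)
        if pid in tree:
            continue
        tree.append(pid)
        queue.extend(children.get(pid, []))
    return tree


def touched_paths(events, pids):
    """File and registry paths touched by the given PIDs, the edges ProcDOT
    draws from each process node. Reg* operations are registry; anything
    else carrying a path is treated as file-system activity."""
    out = {"file": set(), "registry": set()}
    for e in events:
        if e["PID"] not in pids or not e["Path"]:
            continue
        kind = "registry" if e["Operation"].startswith("Reg") else "file"
        out[kind].add((e["Process Name"], e["Operation"], e["Path"]))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    events = load_events(PROCMON_CSV)
    tree = process_tree(events, 4100)          # powershell.exe is the launcher
    print("process tree:", " -> ".join(tree))
    for kind, entries in touched_paths(events, set(tree)).items():
        for name, op, path in entries:
            print(f"{kind:8} {name:15} {op:15} {path}")
```

Choosing the launcher PID is the same decision as clicking “…” next to Launcher in ProcDOT: starting from 4100 shows PowerShell, the sample and rundll32.exe with the dropped DLL and the Run key, while starting from 5200 shows only the sample and its child; the explorer.exe activity never appears in either.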

Blog Posts