
Leaderboard

Popular Content

Showing content with the highest reputation on 03/10/23 in all areas

  1. Crack legacy zip encryption with Biham and Kocher's known plaintext attack.

Overview

A ZIP archive may contain many entries whose content can be compressed and/or encrypted. In particular, entries can be encrypted with a password-based symmetric encryption algorithm referred to as traditional PKWARE encryption, legacy encryption or ZipCrypto. This algorithm generates a pseudo-random stream of bytes (keystream) which is XORed to the entry's content (plaintext) to produce encrypted data (ciphertext). The generator's state, made of three 32-bit integers, is initialized using the password and then continuously updated with plaintext as encryption goes on.

This encryption algorithm is vulnerable to known plaintext attacks as shown by Eli Biham and Paul C. Kocher in the research paper "A known plaintext attack on the PKZIP stream cipher". Given ciphertext and 12 or more bytes of the corresponding plaintext, the internal state of the keystream generator can be recovered. This internal state is enough to decipher ciphertext entirely as well as other entries which were encrypted with the same password. It can also be used to bruteforce the password with a complexity of n^(l-6) where n is the size of the character set and l is the length of the password.

bkcrack is a command-line tool which implements this known plaintext attack. The main features are:
- Recover internal state from ciphertext and plaintext.
- Change a ZIP archive's password using the internal state.
- Recover the original password from the internal state.

Install

Precompiled packages
You can get the latest official release on GitHub. Precompiled packages for Ubuntu, MacOS and Windows are available for download. Extract the downloaded archive wherever you like. On Windows, Microsoft runtime libraries are needed for bkcrack to run. If they are not already installed on your system, download and install the latest Microsoft Visual C++ Redistributable package.

Compile from source
Alternatively, you can compile the project with CMake. First, download the source files or clone the git repository. Then, running the following commands in the source tree will create an installation in the install folder.
    cmake -S . -B build -DCMAKE_INSTALL_PREFIX=install
    cmake --build build --config Release
    cmake --build build --config Release --target install

Third-party packages
bkcrack is available in the package repositories listed on the right. Those packages are provided by external maintainers.

Usage

List entries
You can see a list of entry names and metadata in an archive named archive.zip like this:
    bkcrack -L archive.zip
Entries using ZipCrypto encryption are vulnerable to a known-plaintext attack.

Recover internal keys
The attack requires at least 12 bytes of known plaintext. At least 8 of them must be contiguous. The larger the contiguous known plaintext, the faster the attack.

Load data from zip archives
Having a zip archive encrypted.zip with the entry cipher being the ciphertext and plain.zip with the entry plain as the known plaintext, bkcrack can be run like this:
    bkcrack -C encrypted.zip -c cipher -P plain.zip -p plain

Load data from files
Having a file cipherfile with the ciphertext (starting with the 12 bytes corresponding to the encryption header) and plainfile with the known plaintext, bkcrack can be run like this:
    bkcrack -c cipherfile -p plainfile

Offset
If the plaintext corresponds to a part other than the beginning of the ciphertext, you can specify an offset. It can be negative if the plaintext includes a part of the encryption header.
    bkcrack -c cipherfile -p plainfile -o offset

Sparse plaintext
If you know little contiguous plaintext (between 8 and 11 bytes), but know some bytes at some other known offsets, you can provide this information to reach the requirement of a total of 12 known bytes. To do so, use the -x flag followed by an offset and bytes in hexadecimal.
    bkcrack -c cipherfile -p plainfile -x 25 4b4f -x 30 21

Number of threads
If bkcrack was built with parallel mode enabled, the number of threads used can be set through the environment variable OMP_NUM_THREADS.

Decipher
If the attack is successful, the deciphered data associated to the ciphertext used for the attack can be saved:
    bkcrack -c cipherfile -p plainfile -d decipheredfile
If the keys are known from a previous attack, it is possible to use bkcrack to decipher data:
    bkcrack -c cipherfile -k 12345678 23456789 34567890 -d decipheredfile

Decompress
The deciphered data might be compressed depending on whether compression was used or not when the zip file was created. If deflate compression was used, a Python 3 script provided in the tools folder may be used to decompress data.
    python3 tools/inflate.py < decipheredfile > decompressedfile

Unlock encrypted archive
It is also possible to generate a new encrypted archive with the password of your choice:
    bkcrack -C encrypted.zip -k 12345678 23456789 34567890 -U unlocked.zip password
The archive generated this way can be extracted using any zip file utility with the new password. It assumes that every entry was originally encrypted with the same password.

Recover password
Given the internal keys, bkcrack can try to find the original password. You can look for a password up to a given length using a given character set:
    bkcrack -k 1ded830c 24454157 7213b8c5 -r 10 ?p
You can be more specific by specifying a minimal password length:
    bkcrack -k 18f285c6 881f2169 b35d661d -r 11..13 ?p

Learn
A tutorial is provided in the example folder. For more information, have a look at the documentation and read the source.

Contribute
Do not hesitate to suggest improvements or submit pull requests on GitHub.

License
This project is provided under the terms of the zlib/png license.

Download: bkcrack-master.zip or git clone https://github.com/kimci86/bkcrack.git
Source
    1 point
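The keystream generator the overview describes, written out as an added example (this is not bkcrack's code): the traditional PKWARE cipher as specified in the PKWARE APPNOTE, with three 32-bit keys seeded from the password and updated by every plaintext byte. It shows why the three internal keys that bkcrack reports (and that its -k option takes) decrypt any entry sharing the password without the password itself; the password, header and entry contents used in the checks are constructed.

```python
# ZipCrypto (traditional PKWARE encryption) per the PKWARE APPNOTE; example code, not bkcrack's.
MASK32 = 0xFFFFFFFF
INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)  # APPNOTE initial state, before any password byte
CRC_TABLE = []
for n in range(256):  # standard reflected CRC-32 table (polynomial 0xEDB88320)
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
def crc32_step(crc: int, byte: int) -> int:  # one raw CRC-32 step, no pre/post inversion
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """Keystream generator: three 32-bit keys, updated with every plaintext byte."""
    def __init__(self, password: bytes = b"", keys=INITIAL_KEYS):
        self.keys = list(keys)
        for b in password:  # the password only chooses the starting state
            self.update(b)

    def update(self, plain_byte: int) -> None:
        k0, k1, k2 = self.keys
        k0 = crc32_step(k0, plain_byte)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & MASK32
        k2 = crc32_step(k2, k1 >> 24)
        self.keys = [k0, k1, k2]

    def keystream_byte(self) -> int:
        t = (self.keys[2] & 0xFFFF) | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            out.append(p ^ self.keystream_byte())
            self.update(p)  # state absorbs the plaintext byte just encrypted
        return bytes(out)

    def decrypt(self, ciphertext: bytes) -> bytes:
        out = bytearray()
        for c in ciphertext:
            p = c ^ self.keystream_byte()
            self.update(p)
            out.append(p)
        return bytes(out)

def encrypt_entry(keys, header12: bytes, content: bytes) -> bytes:
    """Each entry restarts from the password-derived keys; a 12-byte header precedes the data."""
    return ZipCrypto(keys=keys).encrypt(header12 + content)
def decrypt_entry(keys, ciphertext: bytes) -> bytes:
    """Decrypt with the three internal keys alone (what bkcrack's -k takes); no password needed."""
    return ZipCrypto(keys=keys).decrypt(ciphertext)[12:]
```

Because the state only ever absorbs plaintext bytes, any party who learns the three keys at the start of an entry, by whatever means, is in exactly the position of a party who knows the password; that is why recovering the state from 12 known bytes is enough to open the whole archive.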
  2. Trackgram

Use Instagram location features to track an account

Usage
At this moment the usage of Trackgram is extremely simple:
1. Download this repository
2. Go through the installation steps
3. Change the parameters in the tracgram main method directly:
   + Mandatory:
     - NICKNAME: your username on Instagram
     - PASSWORD: your Instagram password
     - OBJECTIVE: your objective username
   + Optional:
     - path_to_csv: the path where the csv file will be stored, including the name
4. Execute it with python3 tracgram.py

Installation steps
Download with
    $ git clone https://github.com/initzerCreations/Tracgram
Install dependencies using
    pip install -r requirements.txt
Congrats! By now you should be able to run it:
    python3 tracgram.py

Screenshots

Features
1. Provides a heatmap based on the location frequency
2. Markers displayed on the heatmap indicating:
   - Exact location name
   - Time when the related post was made
   - Link to Google Maps address
3. Graph relating the posts count for a specific location
4. Generate an easy-to-process .CSV file

Download: Tracgram-main.zip or git clone https://github.com/initzerCreations/Tracgram.git
Source
    1 point
  3. Description

Bash tool used for proactive detection of malicious activity on macOS systems. I was inspired by Venator-Swift and decided to create a bash version of the tool.

OneLiner command
    curl https://raw.githubusercontent.com/ab2pentest/MacOSThreatTrack/main/MacOSThreatTrack.sh | bash

Gathered information
[+] System info
[+] Users list
[+] Environment variables
[+] Process list
[+] Active network connections
[+] SIP status
[+] GateKeeper status
[+] Zsh history
[+] Bash history
[+] Shell startup scripts
[+] PF rules
[+] Periodic scripts
[+] CronJobs list
[+] LaunchDaemons data
[+] Kernel extensions
[+] Installed applications
[+] Installation history
[+] Chrome extensions

Todo
Saving output as JSON instead of printing out the result.

Download: MacOSThreatTrack-main.zip or git clone https://github.com/ab2pentest/MacOSThreatTrack.git
Source
    1 point
  4. Detecting Linux kernel process masquerading with command line forensics
By Craig Rowland on 27 Apr 2020

Linux kernel process masquerading is sometimes used by malware to hide when it is running. Let’s go over how you can unmask a piece of Linux malware using this tactic.

What is Linux kernel process masquerading?
On Linux, the kernel has many threads created to help with system tasks. These threads can be for scheduling, disk I/O, and so forth. When you use a standard process listing command, such as ps, these threads will show up as having [brackets] around them to denote that they are threads of some kind. Ordinary processes will not normally show up with [brackets] around them in the ps listing. The brackets denote that the process has no command-line arguments, which usually means it was spawned as a thread. For example, the below listing shows kernel threads vs. normal processes:
    ps -auxww
Figure 1 — Linux kernel threads vs. normal processes.

What does it look like?
Linux malware uses a variety of techniques to hide from detection. One method they will use is to try to impersonate a kernel thread by making the process show [brackets] around its name in the ps listing. Administrators can easily overlook a malicious process this way. If you look at the listing below, we have started a process to hide itself by trying to look like a kernel thread. Can you see it?
Figure 2 — An example of Linux kernel thread masquerading hiding.

How to impersonate a Linux kernel thread
Now that you know what Linux kernel thread masquerading looks like, let’s set up a test so you can play with how to find it using command line forensics. We’ll use the sleep command for our simulation as you can do it on any system without fear of causing trouble:
    export PATH=.:$PATH
    cp /bin/sleep /tmp/[kworkerd]
    cd /tmp
    "[kworkerd]" 3600 &
The export path sets things so we can execute the file in the local directory without needing to put a “./” in front of it. This makes it look more legit. We next copy the sleep command over to /tmp and then run it under the bogus name [kworkerd]. We put on a value of 3,600 seconds to the sleep command so it will quietly exit after an hour once testing is over. Let’s look at our handiwork and we should see [kworkerd] running when we do our ps command.
    ps -auxww
Figure 3 — Real vs. imposter Linux kernel thread.

De-cloaking Linux kernel thread masquerading with process maps
The first method we’ll use to de-cloak a masquerading process is to see if it has any contents under /proc/<PID>/maps. This location is normally where processes show libraries they are linking to and where they mapped to in memory. For real kernel threads, it should be empty. If you look at this location for a process that is named in [brackets] but it shows any data, then it is not a real kernel thread. The basic command we’ll use is cat /proc/<PID>/maps where <PID> is the process ID we are investigating. In the above example, we think that [kworkerd] looks suspicious with PID 2121 so we’ll check it out:
    cat /proc/2121/maps
Figure 4 — Using Linux /proc maps to detect kernel masquerading.
If you see anything listed under this area and the process has [brackets] around it, then it’s likely malicious and trying to hide. If you want, you can run this command to quickly go over all the system PIDs and see which ones are named with brackets but have maps files. Normally you should see nothing here. Anything that shows data should be investigated further.
    ps auxww | grep \\[ | awk '{print $2}' | xargs -I % sh -c 'echo PID: %; cat /proc/%/maps' 2> /dev/null
This command outputs the image below if it finds something.
Figure 5 — Finding Linux kernel masquerading with a script.
In the /proc/<PID>/maps listing you’ll see some paths to investigate where the binary has links to itself or libraries it is using. In the above, we see the path /tmp/[kworkerd] which would be a high priority location to investigate. You may also see libraries that are suspicious, references to hidden directories, and so forth. Take a close look at it and be sure you don’t miss anything!

De-cloaking Linux kernel thread masquerading with cryptographic hashing
Another way to de-cloak a masquerading Linux kernel thread is to see if it shows a binary attached to the running process. Basically, you just use the technique we discussed on recovering malicious binaries that are deleted, but see if you can get a SHA1 hash. If you get a hash back, then it’s a normal process trying to hide and is not a kernel thread. Real kernel threads won’t have a link to the binary that started them. This technique was suggested by @r00tkillah on Twitter when this subject was first posted.
A process binary on Linux can be quickly copied if you simply look at /proc/<PID>/exe. You can copy this file to a new location and have an instant snapshot of the binary that started the process. You can also use this link to get an instant hash to check against databases of known malware. Real kernel threads won’t have this data available, only imposters will. In our case, we’ll use this knowledge to investigate our suspicious PID 2121 like this:
    sha1sum /proc/2121/exe
Figure 6 — Obtaining SHA1 hash of Linux kernel masquerading attack.
Now we see the hash, let’s recover the binary and copy it somewhere so it can be analyzed offline. Using the command below we’ll make a copy to /tmp/suspicious_bin. Now, we have our own copy in case the malware tries to delete itself in self-defence:
    cp /proc/2121/exe /tmp/suspicious_bin
Figure 7 — Recovering suspicious Linux malware binary.
If you want to automatically crawl through the PIDs and get SHA1 hashes of imposters, you can run this command:
    ps auxww | grep \\[ | awk '{print $2}' | xargs -I % sh -c 'echo PID: %; sha1sum /proc/%/exe' 2> /dev/null
The above command will try to get a SHA1 hash of all processes with [brackets] around them. Any that return a hash are likely imposters:
Figure 8 — Script output of SHA1 hash from masquerading Linux kernel thread.

Now you have two solid ways to use the Linux command line to investigate suspicious processes trying to masquerade as kernel threads.

Adapted from original post which appeared on Sandfly Security. Craig Rowland is Founder and CEO of Sandfly Security.
Source: https://blog.apnic.net/2020/04/27/detecting-linux-kernel-process-masquerading-with-command-line-forensics/
    1 point
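The two checks from the post (a bracketed name whose /proc/<PID>/maps is non-empty or whose /proc/<PID>/exe link resolves) combined into one scan, as an added example that is not the post's own code. It assumes a Linux procfs at /proc, and it goes one step beyond the ps | grep one-liners: a process that blanked its own command line is printed by ps as [comm] exactly like a kernel thread, so the scan rebuilds the ps-style name itself before applying the rule.

```python
import os
PROC = "/proc"  # Linux procfs, assumed to be mounted

def ps_style_name(pid: int) -> str:
    """Name as ps shows it: argv[0], or [comm] when the command line is empty."""
    try:
        with open(f"{PROC}/{pid}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0]
        if argv0:
            return argv0.decode(errors="replace")
        with open(f"{PROC}/{pid}/comm") as f:  # empty cmdline: ps prints [comm]
            return "[" + f.read().strip() + "]"
    except OSError:
        return ""  # no such PID, or not readable

def looks_like_kthread(name: str) -> bool:
    """Bracketed names such as [kworker/0:1] are how ps prints kernel threads."""
    return len(name) > 2 and name.startswith("[") and name.endswith("]")

def userland_traces(pid: int) -> tuple:
    """(maps non-empty, exe link resolves): both are absent for real kernel threads."""
    try:
        with open(f"{PROC}/{pid}/maps") as f:
            maps = bool(f.read(1))
    except OSError:
        maps = False
    try:
        os.readlink(f"{PROC}/{pid}/exe")
        exe = True
    except OSError:
        exe = False
    return maps, exe

def classify(name: str, maps: bool, exe: bool) -> str:
    """Decision rule from the post: bracketed name plus any userland trace = imposter."""
    if not name:
        return "unknown"
    if not looks_like_kthread(name):
        return "user-process"
    return "imposter" if (maps or exe) else "kernel-thread"

def scan() -> list:
    """Walk /proc and return (pid, name) for every bracketed process with userland traces."""
    pids = [int(e) for e in os.listdir(PROC) if e.isdigit()] if os.path.isdir(PROC) else []
    return [(p, ps_style_name(p)) for p in pids if classify(ps_style_name(p), *userland_traces(p)) == "imposter"]

if __name__ == "__main__":
    for pid, name in scan():  # follow up as the post does: cat maps, sha1sum and copy the exe
        print(f"PID {pid}: {name} has a memory map or exe link; not a kernel thread")
```

A zombie also has an empty maps file and no exe link, so it classifies as a kernel thread here just as it slips past the one-liners; ps marks those <defunct>, which is the cue to treat them separately.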