Showing results for tags 'hashes'.
Motivation

During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.
Prefetch Hash Cracker

During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.

How does it work?

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there is a possible full path for which the result matches the provided hash, that path is output.
DDWPasteRecon

Paste sites are websites that allow users to share plain text through public posts called "pastes". Once attackers compromise the external perimeter and gain access to the internal resources, they release part of the data on paste sites like Pastebin or Hastebin. As these hackers or malicious groups publish dumps on such sites, other users can see sensitive information through the paste sites. With various malicious groups now using these services as communication channels, for temporary storage or sharing, and various other sources being used to trade PoC code, I thought it would be a good idea to have an easy tool to help organisations' Blue and Red Teams gain visibility into these sites via Google dorks.

The DDWPasteRecon tool will help you identify code leaks, sensitive files, plaintext passwords, and password hashes. It also allows members of the SOC and Blue Team to gain situational awareness of the organisation's web exposure on the paste sites. It utilises Google's indexing of paste sites to gain targeted intelligence about the organisation. Blue and SOC teams can collect and analyse data from these indexed paste sites to better protect against unknown threats.
Lnkbomb

Lnkbomb is used for uploading malicious shortcut files to insecure file shares. The vulnerability exists because Windows looks for an icon file to associate with the shortcut file. This icon file can be directed to a penetration tester's machine running Responder or smbserver to gather NTLMv1 or NTLMv2 hashes (depending on the configuration of the victim host machine). The tester can then attempt to crack those collected hashes offline with a tool like Hashcat. The payload file is uploaded directly to the insecure file share specified by the tester on the command line. The tester includes their IP address as well, which is written into the payload.