My National Cyber League Personal Notes so I can remember what weird commands I used and how they work
- Always double check the answer, being the only one bringing down team accuracy kinda sucks
- There are more and more online webapps that have these tools built in (just google it)
- If you are really stuck, it helps to dumb it down and/or try going at it from another angle
- Organize your time, the challenges get surprisingly easier when you have food in your belly and a good night's rest
- "Try harder"
- They sometimes have hints to which tool to use
- view metadata:
exif # or exiv2
exiftool
- check file:
file
strings
#-n N :only print strings at least N characters long (default 4)
#-t x :print each string's offset, x=hex d=decimal o=octal
- pull things out of files:
binwalk
# checks for embedded files
#-Me :recursively extracts any files
steghide extract -sf picture.jpg
# usually used with passwords but can work without
#-sf :specify filename
pngcheck -vtpf picture.png
#-v :verbose
#-t :display text
#-p :displays contents of optional chunks
#-f :continue after major errors
foremost file.sus
# Carves out embedded and appended files and dumps them to output
outguess -k "key string" -r path/to/file.jpg output.txt
zsteg file.png
# needs to be installed with $ gem install zsteg
stegsnow -C -p password path/to/file.txt # whitespace steganography in text files; -C (un)compress data, -p password
stegcracker steg.jpg wordlist.txt
# brute forces passwords using wordlists (takes a while)
- Gross GUI programs:
- Stegosuite
- DIIT (Digital Invisible Ink Toolkit)
- OpenStego
- Another tool they sometimes use is DIIT (Digital Invisible Ink Toolkit) - DIIT
- An online port of StegSolve which includes 32 bit planes, RGB values, and color palettes - StegOnline
- Extra helpful collection of tools in docker image - Stego-Toolkit
- This is really just googling and going off hunches till you make it
- How to google dork - Wiki
- This tool is useful to convert GPS coordinates / get location - GPS-coordinates
- Online exif viewer (one of many) - Exif
- Sherlock is a cool tool that I sadly haven't had to use for NCL...yet - Sherlock
- Reverse image search:
- Go talk to Jacob M
- Try running strings or file on it
- Free programs for reverse engineering:
- Online reverse engineering tool - odaweb
- Online decompiler for multiple languages - decompiler
- GDB is also really cool if you learn how to use it - GDB
- Bash's pipe | is your friend! e.g.: cat log | grep "ip:" | awk '{print $1}' | wc -l
- I also like using Atom with ctrl+f, regex, and then cutting/replacing all
- Pull out column(s) based on designated filter(s)
awk -F "separator" '{commands $value}'
awk -F ";" # -F allows you to specify the column splitter
awk -F " |:" # filters based on both spaces and :'s
awk '{print $1 " and " $(NF)}' # command prints "first column and last column"
awk '{n += $1}; END{print n}' # sums up all $1 values and returns that value at the end
- Filter based on strings or regex
grep
grep -i -v -c -o -r # --ignore-case, -v --invert-match, --count, --only-matching, --recursive
grep -A NUM -B NUM # --after-context, --before-context, prints NUM lines before or after grepped lines
grep -F "string" # -F treats the pattern as a fixed string; without it grep reads the pattern as a (basic) regex either way, quotes only change what the shell expands
grep -E 'regex' # -E for extended regex (+, ?, |, grouping); single quotes stop the shell from touching $, * and backslashes
grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file # Real IP regex (unanchored: with -o it also pulls 99.1.1.1 out of 999.1.1.1, so anchor it with -x on a single field or \b)
- Extra commands:
wc # word count, -l to count lines, -w to count words, -m to count characters, -c to count bytes
tr # translate, e.g. -d 'char' to delete a character
sort # -n to sort by numeric values
uniq # -c to count occurrences (needs to be sorted first)
split -l x input.txt outputPrefix # split file into smaller files after x lines
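Added example (mine, not from these notes) that runs the awk/grep/sort/uniq commands above over a constructed log; the log lines, the field positions and the malformed 999.1.1.1 entry are assumptions made up to show the IP-regex caveat:

```shell
# Added example (not from the original notes): the awk/grep/sort/uniq pipes
# above, run over a small constructed web-server log so results can be checked.
# Constructed sample lines, format: time ip:ADDR bytes:N METHOD PATH
# (the 999.1.1.1 line is deliberately malformed to show the regex caveat).
LOG='10:00:01 ip:10.0.0.5 bytes:512 GET /index.html
10:00:02 ip:10.0.0.7 bytes:2048 GET /admin
10:00:03 ip:10.0.0.5 bytes:128 POST /login
10:00:04 ip:999.1.1.1 bytes:64 GET /bogus
10:00:05 ip:10.0.0.9 bytes:4096 GET /index.html
10:00:06 ip:10.0.0.5 bytes:256 GET /login'

# The "real IP regex" from the notes, unanchored.
IP_RE='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'

sample_log() { printf '%s\n' "$LOG"; }

# Naive: grep -o with the unanchored regex also pulls "99.1.1.1" out of the
# bogus 999.1.1.1, so the unique count comes out one too high.
naive_unique_ips() { sample_log | grep -E -o "$IP_RE" | sort -u | wc -l; }   # 4

# Safer: split on spaces AND colons (awk -F ' |:'), take the field after "ip"
# ($5, because the timestamp also contains colons), then validate the whole
# field with grep -x so a malformed address is dropped instead of trimmed.
valid_ips() { sample_log | awk -F ' |:' '{print $5}' | grep -E -x "$IP_RE"; }

unique_valid_ips() { valid_ips | sort -u | wc -l; }   # 3

# uniq -c needs sorted input; sort -rn then orders by the count column.
top_talker() { valid_ips | sort | uniq -c | sort -rn | awk 'NR==1{print $2}'; }   # 10.0.0.5

# awk running sum, as in the notes: total bytes across all lines ($7 = bytes value).
total_bytes() { sample_log | awk -F ' |:' '{n += $7} END{print n}'; }   # 7104

# Stand-alone run
echo "naive unique IPs: $(naive_unique_ips)  valid unique IPs: $(unique_valid_ips)"
echo "top talker: $(top_talker)  total bytes: $(total_bytes)"
```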
- Grep regex
- Stole the awk sum idea from here
- AWK is cool
- Git gud at regex - Regex Practice
- Great crypto solving website - Cryptii
- A crypto identifier w/ solvers - boxentriq
- Good for advanced algos - CyberChef
- Lots of solvers - dcode
- Cryptogram solver tool - quipqiup
- Another tool site - rumkin
- nmap
nmap <scan type> <options> <target(s)>
nmap -sS 192.168.0.0/24 # example TCP SYN scan (needs root) that targets 192.168.0.1-254
#-Pn: include this if the host isn't responding to pings
#-sU: udp scan
#--script: to use premade or downloaded (github) scripts
#-sV: probe open ports to guess version/service info
#-A: aggressive scan, turns on OS detection, version detection, default scripts and traceroute
- identify hashes:
hashid path/to/file
hash-identifier
# prompts for hash, w/ cool ascii art
- creating a dictionary:
- rockyou.txt is a good start to figure out if there's a pattern
- search google/github for premade lists eg: txt of all pokemon
- wikipedia also has a lot of lists but they probably require cleaning
- crack hashes using hashcat (the cool way):
hashcat -m <hash mode> -a <attack type> hashes.hash dictionary [-r /usr/share/hashcat/rules/ruleset.rule] # use "--stdout" to print out guesses
hashcat -m 0 -a 6 hash dict "?d?l?u?s?a" # -a 6 appends the mask to each dictionary word; built-in charsets are ?l ?u ?d ?s ?a (digits are ?d, there is no ?n)
hashcat -m 0 -a 7 hash "?a?a" dict # -a 7 prepends the mask to each dictionary word (mask first, then dict)
- make your own ruleset, or you can search for others on github
./mp64 -o output.rule "pass?a"
# maskprocessor expands the mask: pass0, pass1, ... passA, pass!, ... (one candidate per character in ?a); as written this is a wordlist, not a rule file
- The 'easier' CPU intensive hash cracking tool, John The Ripper:
john hash.hash --wordlist=dict --rules=All # Hail Mary: every rule section, slow but thorough
zip2john archive.zip > zip.hash # pulls the hash out of an encrypted zip; for hashcat keep only the $zip2$...$/zip2$ part (drop the filename prefix and the trailing fields)
- Identify hashes - identifier1
- Use this for ez password cracking - CrackStation
- When making a dictionary and you're too lazy to use a rule to switch characters - ConvertCase
- Hashcat instructions, or just read the man page - Hashcat
- Hashcat ruleset creation help - Rule Based Attack
- An article discussing rulelists - One rule to rule them all
- Practice w/ Defcon's hashlist - Defcon 2020