🦑 Reverse engineering:
### 🖥️ Static Analysis Tools
1. IDA Pro
- Industry-standard disassembler and debugger for analyzing binaries.
- Includes a powerful scripting engine.
- Website: [Hex-Rays](https://hex-rays.com/)
2. Ghidra
- Open-source reverse engineering suite developed by the NSA.
- Features include decompilation and support for various architectures.
- GitHub: [Ghidra](https://github.com/NationalSecurityAgency/ghidra)
3. Radare2
- Advanced open-source framework for analyzing binaries, debugging, and patching.
- Command-line focused but has GUI support via Cutter.
- GitHub: [Radare2](https://github.com/radareorg/radare2)
4. Binary Ninja
- Lightweight reverse engineering platform with an emphasis on automation.
- Features include powerful APIs for custom analysis.
- Website: [Binary Ninja](https://binary.ninja/)
5. Capstone
- A lightweight disassembly framework supporting multiple architectures.
- Often used as a backend for other tools.
- GitHub: [Capstone](https://github.com/capstone-engine/capstone)
---
### 🔍 Dynamic Analysis Tools
1. OllyDbg
- Classic debugger for Windows binaries.
- Focused on malware and exploit analysis.
2. WinDbg
- A powerful Windows debugger.
- Commonly used for debugging Windows kernel and drivers.
3. x64dbg
- Open-source debugger for Windows applications.
- Provides a user-friendly GUI and scripting capabilities.
- GitHub: [x64dbg](https://github.com/x64dbg/x64dbg)
4. Frida
- Dynamic instrumentation toolkit.
- Ideal for analyzing mobile apps and binaries during runtime.
- GitHub: [Frida](https://github.com/frida/frida)
5. Qiling Framework
- Advanced binary emulation framework for testing and debugging.
- Supports multiple architectures.
- GitHub: [Qiling Framework](https://github.com/qilingframework/qiling)
---
### 📱 Mobile App Reverse Engineering Tools
1. APKTool
- Decompiles Android APK files to view the source code and resources.
- Ideal for analyzing Android malware or app vulnerabilities.
- GitHub: [APKTool](https://github.com/iBotPeaches/Apktool)
2. Jadx
- Decompiler for Android DEX and APK files.
- Converts binary code into readable Java code.
- GitHub: [Jadx](https://github.com/skylot/jadx)
3. Hopper Disassembler
- User-friendly disassembler and debugger for macOS and iOS binaries.
- Website: [Hopper](https://www.hopperapp.com/)
---
### ⚙️ Firmware Reverse Engineering Tools
1. Binwalk
- Tool for extracting and analyzing firmware images.
- Frequently used in IoT and embedded system analysis.
- GitHub: [Binwalk](https://github.com/ReFirmLabs/binwalk)
2. GHIDRA Firmware Analyzer
- Part of Ghidra; supports firmware disassembly and analysis.
3. Firmadyne
- Emulation and analysis of Linux-based firmware.
- GitHub: [Firmadyne](https://github.com/firmadyne/firmadyne)
---
### 🔐 Encryption and Obfuscation Tools
1. Uncompyle6
- Decompiler for Python bytecode back into readable Python source code.
- GitHub: [Uncompyle6](https://github.com/rocky/python-uncompyle6)
2. Procyon
- Java decompiler that supports modern Java features.
- GitHub: [Procyon](https://github.com/mstrobel/procyon)
3. Snowman Decompiler
- Lightweight decompiler for C/C++ binaries.
- GitHub: [Snowman](https://github.com/yegord/snowman)
---
### 💡 Other Useful Tools
1. YARA
- Helps identify and classify malware through pattern matching.
- GitHub: [YARA](https://github.com/VirusTotal/yara)
2. RETool
- Web-based reverse engineering toolkit.
- Ideal for quick analysis without heavy installations.
- Website: [RETool](https://reverseengineeringtool.com/)
3. DiE (Detect It Easy)
- Identifies obfuscation, packers, and encryption in binaries.
- GitHub: [Detect It Easy](https://github.com/horsicq/Detect-It-Easy)
Forwarded from Exploiting Crew (Pr1vAt3)
🦑 New Working list of Google Dorks :
### Files Containing Passwords
1. site:github.com "BEGIN OPENSSH PRIVATE KEY"
2. ext:nix "BEGIN OPENSSH PRIVATE KEY"
3. intext:"aws_access_key_id" | intext:"aws_secret_access_key" filetype:json | filetype:yaml
4. intitle:index of /etc/ssh
### Various Online Devices
5. inurl:home.htm intitle:1766
### Vulnerable Servers
6. intitle:"SSL Network Extender Login" -checkpoint.com
7. intext:"siemens" & inurl:"/portal/portal.mwsl"
8. Google Dork Submission For GlobalProtect Portal
9. inurl:"cgi-bin/koha"
### Files Containing Juicy Info
10. intext:"proftpd.conf" "index of"
11. site:.edu filetype:xls "root" database
12. intext:"dhcpd.conf" "index of"
13. site:uat.* * inurl:login
### Files Containing Usernames
14. "START test_database" ext:log
15. "Header for logs at time" ext:log
Forwarded from Exploiting Crew (Pr1vAt3)
🦑 Top AI Image Generators:
### General AI Art Tools
1. DALL·E
[https://openai.com/dall-e](https://openai.com/dall-e)
2. MidJourney
[https://www.midjourney.com](https://www.midjourney.com)
3. Stable Diffusion (DreamStudio)
[https://dreamstudio.ai](https://dreamstudio.ai)
4. DeepAI Image Generator
[https://deepai.org/machine-learning-model/text2img](https://deepai.org/machine-learning-model/text2img)
5. Runway ML
[https://runwayml.com](https://runwayml.com)
### Free and Easy-to-Use Generators
6. Craiyon (formerly DALL·E Mini)
[https://craiyon.com](https://craiyon.com)
7. Artbreeder
[https://www.artbreeder.com](https://www.artbreeder.com)
8. Fotor AI Art Generator
[https://www.fotor.com/features/ai-image-generator](https://www.fotor.com/features/ai-image-generator)
9. Picsart AI Generator
[https://picsart.com/ai-image-generator](https://picsart.com/ai-image-generator)
10. NightCafe Studio
[https://creator.nightcafe.studio](https://creator.nightcafe.studio)
### Specialized AI Tools
11. Avatarify AI (For Portraits)
[https://www.avatarify.ai](https://www.avatarify.ai)
12. Deep Dream Generator (Surreal Images)
[https://deepdreamgenerator.com](https://deepdreamgenerator.com)
13. Deep Nostalgia (Photo Animation)
[https://www.myheritage.com/deep-nostalgia](https://www.myheritage.com/deep-nostalgia)
14. ArtSmart.ai
[https://artsmart.ai](https://artsmart.ai)
15. RunDiffusion (Customizable)
[https://www.rundiffusion.com](https://www.rundiffusion.com)
Forwarded from Exploiting Crew (Pr1vAt3)
🦑Exploitation of the Microsoft Exchange Vulnerability:
During the IR investigation, the Nocturnus Team was able to identify the initial compromise vector, in which the attackers exploited the recently discovered vulnerabilities in Microsoft Exchange server, which allowed them to perform remote code execution by exploiting the following CVEs: CVE-2021-27065 and CVE-2021-26858.
The attackers used this vulnerability to install and execute the China Chopper webshell via the following commands:
Forwarded from Exploiting Crew (Pr1vAt3)
Once the attackers gained access to the network, they deleted the .aspx webshell file to cover their tracks:
cmd.exe /c del "C:\Program Files\Microsoft\Exchange Server\V15\\frontend\httpproxy\owa\auth\<file_name>.aspx"
Forwarded from Exploiting Crew (Pr1vAt3)
Using the webshell, the attackers launched a PowerShell that was then used to download a payload from the following URL:
http://178.21.164[.]68/dwn.php?b64=1&d=nethost64C.exe&B=_AMD64,<machine_name>
The payload is then saved as C:\windows\zsvc.exe and executed. This is the start of the Prometei botnet execution:
Forwarded from Exploiting Crew (Pr1vAt3)
The Prometei Botnet :
When the first module of the botnet, zsvc.exe, is executed, it starts to “prepare the ground” for the other modules:
- It copies itself into C:\Windows with the name “sqhost.exe”
- It uses Netsh commands to add a firewall rule that will allow sqhost.exe to create connections over HTTP
- It checks if there is a registry key named “UPlugPlay”, and if present it deletes it
- It sets a registry key for persistence as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay with the image path and command line c:\windows\sqhost.exe Dcomsvc
- It creates several registry keys under SOFTWARE\Microsoft\Fax\ and SOFTWARE\Intel\support\ with the names MachineKeyId, EncryptedMachineKeyId and CommId, for later use by the different components for C2 communication.
Sqhost.exe:
Sqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands. Sqhost.exe is able to parse the prometei.cgi file from 4 different hardcoded command and control servers. The file contains the command to be executed on the machine. The commands can be used as “stand-alone” native OS commands (cmd commands, WMI, etc.) or can be used to interact with the other modules of the malware located under C:\Windows\dell.
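As an added defender-side example (not code from the report or from the channel), the following Python script parses a constructed `reg export`-style dump and flags the two registry artifacts described above: the UPlugPlay service whose image path runs `sqhost.exe Dcomsvc`, and the MachineKeyId / EncryptedMachineKeyId / CommId values under SOFTWARE\Microsoft\Fax and SOFTWARE\Intel\support. The sample dump and the parser are assumptions for illustration; the netsh firewall rule is not checked because the page does not give its exact form.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export`-style dump (made up for this example); the key
# and value names are the artifacts the report above attributes to zsvc.exe.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay]
"ImagePath"="c:\\windows\\sqhost.exe Dcomsvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax]
"MachineKeyId"="0123456789abcdef"
"CommId"="42"

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\support]
"EncryptedMachineKeyId"="deadbeef"
"""

C2_VALUE_NAMES = {"machinekeyid", "encryptedmachinekeyid", "commid"}
C2_KEY_PATHS = (r"\software\microsoft\fax", r"\software\intel\support")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg-style export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        val_match = re.match(r'^"([^"]+)"=(.+)$', line)
        if val_match and current is not None:
            name, raw = val_match.groups()
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace("\\\\", "\\")  # undo .reg string escaping
            keys[current][name] = raw
    return keys


def find_prometei_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (indicator_type, location) pairs for the registry artifacts above."""
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        lowered = key.lower()
        # Persistence: the UPlugPlay service whose ImagePath runs "sqhost.exe Dcomsvc".
        if lowered.endswith(r"\services\uplugplay"):
            image = values.get("ImagePath", "").lower()
            if "sqhost.exe" in image and "dcomsvc" in image:
                hits.append(("persistence-service", key))
        # C2 config: Fax and Intel\support exist on clean hosts, so match on value names.
        if any(lowered.endswith(p) or p + "\\" in lowered for p in C2_KEY_PATHS):
            for name in values:
                if name.lower() in C2_VALUE_NAMES:
                    hits.append(("c2-config-value", key + "\\" + name))
    return hits
```

On a live host the same logic can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\UPlugPlay` and the two SOFTWARE keys, one file per key.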
Forwarded from Exploiting Crew (Pr1vAt3)
Sqhost supports the following commands:
- Call - execute a program or a file
- Start_mining - launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
- Start_mining1 - request C:\windows\dell\Desktop.dat from the C2, and then launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
- Stop_mining - runs cmd.exe with the command “/c taskkill -f -im SearchIndexer.exe”
- Wget - download a file
- Xwget - download a file, save it, and use XOR to decrypt it
- Quit - terminate the bot execution using TerminateProcess
- Quit2 - terminate the bot execution without using TerminateProcess
- Sysinfo - collect information about the machine (using native APIs and WMIC)
- Exec - execute a command
- Ver - return the bot version
- Enc - get/set the RC4 encryption key
- Extip - return the bot's external IP address
- Chkport - check if a specific port is open
- Search - search for files by name (potentially cryptocurrency wallets)
- Set_timeout - set a period of time for connecting to the C2 server
- Touch - open a file
- Touch_internal - edit a file with a single byte to change access times
- Touch_stop - close a file
- Update - update the bot version
- Set_Autoexec2 - set an automatic execution
- Set_Autoexec1 - set an automatic execution
- Set_cc1 - set a C2 server
- Set_cc0 - set a C2 server