https://unix.stackexchange.com/questions/236920/1-what-does-this-sed-action-mean
\([^"]*\) defines a group; the group is the text actually matched between the two parentheses (), and the parentheses need to be escaped, hence \( and \).
\1 is the contents of the first group.
There can be several groups, defined with multiple pairs of parentheses; they are numbered incrementally and each one can be referenced as \n (e.g. \1, \2, \3, etc.), hence the name: backreference.
@diyinfosec
diyinfosec / csv_dictreader_json.py
Created June 5, 2020 16:10
Simple CSV to JSON conversion in Python. Useful for CSV log files that have a header.
import csv
import json

# newline='' lets the csv module handle quoted fields that contain line breaks
with open('splunk.csv', mode='r', newline='') as infile:
    reader = csv.DictReader(infile)  # the header row becomes the dict keys
    # Emit one JSON object per CSV row (one object per line of output)
    for row in reader:
        print(json.dumps(row))
Simple macro with vim:
Use case: join every other line in a file to the previous one.
We can do this easily using macros:
1. Start recording a macro into 'q': qqJjq
2. Replay the macro 'q' 500 times: 500@q
(Actually it is not a macro called 'q', it is a named register called 'q'. Instead of interactively filling that register as in (1), you could also do :let @q = "Jj" and then do step 2.)
Source: https://superuser.com/questions/168942/how-to-join-every-second-line-in-vim
https://docs.microsoft.com/en-us/previous-versions/ms867086(v=msdn.10)?redirectedfrom=MSDN
The Cryptography API, or How to Keep a Secret
01/12/2010
Robert Coleridge
Microsoft Developer Network Technology Group
@diyinfosec
diyinfosec / 01-aes-bruteforce.py
Created January 25, 2022 19:36
Brute-force AES-256 keys from memory dump.
from timeit import default_timer as timer
from binascii import b2a_hex, hexlify

#- Config variables
filename = "memory.dmp"
aes_key_size = 32

#- Variables related to file processing
file_offset = 0
total_keys_found = 0

#- Goto "Memory dump processing" second section
#- AES key schedule calculation taken from: https://www.alexrhodes.io/blog/post/30/
class AesKeySchedule:
    # AES S-box
    s_box = [
@diyinfosec
diyinfosec / 02-aes-bruteforce-with-randomness-check.py
Created January 27, 2022 18:28
Brute-force AES-256 keys from memory dump with randomness checks (using count of distinct bytes)
from timeit import default_timer as timer
from binascii import b2a_hex
#- Config variables
filename = "memory.dmp"
aes_key_size = 32
min_distinct_bytes = 10

#- Variables related to file processing
file_offset = 0
@diyinfosec
diyinfosec / 03-aes-key-find-using-schedule.py
Created January 27, 2022 19:57
Find AES-256 keys in memory dump based on key schedule calculation across a sliding window.
from timeit import default_timer as timer
from binascii import b2a_hex, hexlify

#- First half of the code covers AES schedule calculation. Memory dump processing, line 150 onwards.
#- AES key schedule calculation taken from: https://www.alexrhodes.io/blog/post/30/
class AesKeySchedule:
    # AES S-box
    s_box = [
@diyinfosec
diyinfosec / 04-aes-find-ntfs-efs-keys.py
Created January 28, 2022 18:11
Scan memory and find AES-256 keys used by Encrypting File System (NTFS)
import re
#- Name of the file/drive letter to scan
#input_file_name = "C:\\memory.dmp"
input_file_name = "memory.dmp"
key_len = 32

#- Open the input file
with open(input_file_name, "rb") as f:
@diyinfosec
diyinfosec / ntfs_hardlink_limit_test.ps1
Created January 30, 2022 17:46
PowerShell script to test how many hard links are supported for a single file in NTFS.