My Tools

All of the tools below are available now on GitHub:

https://github.com/theevilbit

Extract MD5

This small Python script will extract all MD5 strings from a given file.

Use:
extractmd5.py filename

Released under MIT licence.

Download: extractmd5.py
Also available from: https://code.google.com/p/extractmd5/

Cisco Type 7 Password Decrypter

Small tool to decrypt Cisco IOS type 7 passwords; it can also encrypt clear-text passwords if required.

Usage:

c:\>ciscot7.py --help
Usage: ciscot7.py [options]

Options:
  -h, --help            show this help message and exit
  -e, --encrypt         Encrypt password
  -d, --descrypt        Decrypt password. This is the default
  -p PASSWORD, --password=PASSWORD
                        Password to encrypt / decrypt
  -f FILE, --file=FILE  Cisco config file, only for decryption

If a config file is specified, the tool looks for all type 7 passwords in it.
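To show what the tool is working with, here is an added example (my own code, not theevilbit's ciscot7.py) that decodes and encodes type 7 strings with the publicly documented XOR key stream and pulls every `password 7` / `key 7` line out of a config, the kind of audit you run before replacing type 7 entries with real secrets. The sample config is constructed; `094F471A1A0A` is the well-known encoding of "cisco".

```python
import re

# Fixed, publicly documented XOR key stream used by IOS type 7 obfuscation
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decrypt(encoded):
    """Reverse a type 7 string: a 2-digit decimal seed followed by hex byte pairs."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    pairs = [encoded[i:i + 2] for i in range(2, len(encoded), 2)]
    return "".join(chr(int(h, 16) ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, h in enumerate(pairs))

def type7_encrypt(plaintext, seed=9):
    """Produce a type 7 string; IOS itself picks seeds in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join("%02X" % (ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, c in enumerate(plaintext))
    return "%02d%s" % (seed, body)

# Matches "password 7 <hex>" and "key 7 <hex>" lines; type 5/8/9 secrets are left alone
TYPE7_LINE = re.compile(
    r"^(?P<prefix>.*?\b(?:password|key)\s+7)\s+(?P<blob>\d{2}(?:[0-9A-Fa-f]{2})+)\s*$", re.M)

def find_type7(config):
    """Return (config line prefix, encoded, decoded) for every type 7 string in a config."""
    return [(m.group("prefix").strip(), m.group("blob"), type7_decrypt(m.group("blob")))
            for m in TYPE7_LINE.finditer(config)]

# Constructed sample config; 094F471A1A0A is the well-known type 7 encoding of "cisco"
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$PLACEHOLDER$notatype7string
username admin password 7 094F471A1A0A
line vty 0 4
 password 7 094F471A1A0A
"""
```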

License: MIT

Download: ciscot7.py

PickAx Password Finder

A PAX file is an encrypted image format that uses Blowfish as its encryption algorithm. The tool, called Pick Ax, was developed by Smaller Animals. It is no longer available from the original website (http://www.smalleranimals.com/pickaxe.htm), but you can still find it here:
http://windows.softwareweb.com/download-file/100581616/freeware/pick-ax-1.0/

The image header signature is:
"PAX" (0x50 0x41 0x58) in the first 3 bytes.

I made a script that simply tries passwords from a wordlist (or a single password you specify) against a given image. It requires _ISource50.dll, which contains the function that checks the password; the DLL is downloadable from Smaller Animals' website:
http://www.smalleranimals.com/isource.htm
http://www.smalleranimals.com/zips/ImgSource5/isource50.zip

Using the tool is really simple:

Usage:

pickaxpwfinder.py [options]

Options:
  -h, --help            show this help message and exit
  -p PASSWORD, --password=PASSWORD
                        Password to try
  -d DICTIONARY, --dictionary=DICTIONARY
                        Specify dictionary (wordlist)
  -f FILE, --file=FILE  Chose PAX file to crack

I also made an encrypted image to play with, the password is "password".

License: MIT (only the script, not the DLL)

Download:
google-logo.pax
pickaxpwfinder.py

Total Commander FTP Password Recovery Tool

A simple Python script that recovers FTP passwords stored by Total Commander.

Usage:

tcpwrecovery.py [options]

Options:
  -h, --help            show this help message and exit
  -c, --common          Search wcx_ftp.ini in common places
  -f FILE, --file=FILE  File to decrypt
  -p PASSWORD, --password=PASSWORD
                        Password to decrypt

It can search some common places for the INI file; alternatively, you can specify the file location explicitly or simply supply the encrypted password. Sample output:

c:\tcpwrecovery>tcpwrecovery.py -c
-> Trying: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini
-> Found: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini
-> Decrypting: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini

[connections]
1=example.com
default=example.com
[example.com]
host=example.com
username=fakeusername
password=fakepassword
pasvmode=0
MLSD=-1
[default]
pasvmode=0

-> Trying: C:\Windows\wcx_ftp.ini
-> Not found: C:\Windows\wcx_ftp.ini

-> Trying: wcx_ftp.ini
-> Not found: wcx_ftp.ini

License: MIT

Download: tcpwrecovery.py

TrueCrypt Search and Decrypt

I developed this Python script / tool for the 2013 DC3 Forensic Challenge. It searches for TrueCrypt (TC) encrypted files in a folder or on a drive and then tries to decrypt them.

I used some of the source code from the following resources:


The code from those sources was rewritten to support TrueCrypt version 7, and keyfile support was added.

The tool is very fast at searching for TC volumes. The search logic is the following:
a. The suspect file size modulo 512 must equal zero.
b. The suspect file size is at least 256kB (this is the size of the headers + backup headers).
c. The suspect file must not contain a common file header.
d. The suspect file has an entropy of more than 7.6.

The search is actually looking for encrypted files in general, as it's impossible to tell whether a file is a TC volume until the correct password is supplied; thus it can also be used to look for other encrypted containers such as FreeOTFE volumes.
Based on these rules, the search will find any possible encrypted file, not only TC volumes. Proving that a file really is a TC volume is impossible without decrypting it. When run on an entire file system it finds about 300 files that are not real TC volumes at all, which is a very good false positive rate considering that a normal computer holds more than 200,000 files (this holds only if the provided Foremost configuration file is used to filter out known headers). An example Foremost header configuration file is provided with the source code.
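The four search rules above, implemented as an added example (my own code, not the tcsandd tool): a per-file check that applies rules a to d in order and reports which one rejected the file, a directory walker, and a constructed fixture tree with one plausible volume and one decoy per rule. The short `KNOWN_HEADERS` list is an assumed stand-in for the Foremost configuration the tool ships with, and entropy is measured on at most the first MiB of each file.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

KNOWN_HEADERS = [b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"PK\x03\x04", b"%PDF",
                 b"\x7fELF", b"MZ", b"\x1f\x8b", b"Rar!"]  # stand-in for the Foremost list (rule c)
MIN_SIZE = 256 * 1024        # headers + backup headers (rule b)
ENTROPY_THRESHOLD = 7.6      # rule d; measured on at most the first MiB

def shannon_entropy(data):
    """Bits per byte of a byte string; 8.0 means uniformly random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_candidate(path):
    """Apply rules a-d in order; return (is_candidate, reason)."""
    size = os.path.getsize(path)
    if size % 512:
        return False, "size not a multiple of 512"
    if size < MIN_SIZE:
        return False, "smaller than 256 KiB"
    with open(path, "rb") as f:
        head = f.read(1024 * 1024)
    if any(head.startswith(sig) for sig in KNOWN_HEADERS):
        return False, "known file header"
    ent = shannon_entropy(head)
    return ent > ENTROPY_THRESHOLD, "entropy %.2f" % ent

def scan_tree(root):
    """Walk a directory and return every file that passes all four rules."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                if check_candidate(full)[0]:
                    hits.append(full)
            except OSError:
                continue     # unreadable file: skip it rather than abort the scan
    return sorted(hits)

def make_sample_tree():
    """Constructed fixtures: one plausible volume plus one decoy each for rules a, c and d."""
    d = tempfile.mkdtemp()
    fixtures = {"vol.dat": os.urandom(512 * 1024),                        # passes all rules
                "img.png": KNOWN_HEADERS[0] + os.urandom(512 * 1024 - 8), # rule c
                "zeros.bin": b"\x00" * (512 * 1024),                      # rule d
                "odd.bin": os.urandom(300000)}                            # rule a
    for name, data in fixtures.items():
        Path(d, name).write_bytes(data)
    return d, {name: os.path.join(d, name) for name in fixtures}
```

Because rule d only measures randomness, compressed archives without a recognised header pass too, which is exactly the false positive behaviour described above.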

Password attempts are very slow compared to other tools such as OTFBrutus (http://www.tateu.net/software/dl.php?f=OTFBrutusGUI), because the hash and encryption routines implemented in Python are not very efficient. If there are only a couple of passwords to try the tool is fine, but otherwise it will run for a long time. Once the password is found, the tool can decrypt an entire TC volume (hidden volumes as well).

Licence: MIT, except for the parts taken from other sources (see above).

Download:
tcsandd_1.0.zip
tcsandd_1.0_User_Guide.docx


1 comment:

Anonymous said...

Hello there, I am a computer science student. I got an assignment to make a formal report and presentation based on several choices of topic, and I have chosen Kioptrix. I found your blog, and your website is a big help to me. I would like to use some of the information and software applications that you have in your blog. Your website brings me attraction to choose this topic. Thanks :)