├── CheatSheet ├── .holder └── volshell.pdf ├── Cybertalents └── DFIR-scholarship-CTF │ └── jam │ ├── holder │ ├── solver.py │ └── sound.wav ├── DFIRSeries ├── .holder ├── EventLogs.pptx ├── Intro to data acquisition.pptx ├── Registry.pptx └── Windows Acquisition.pptx ├── Previous-work.md ├── Talks └── INSEC │ ├── INSEC.pptx │ └── readme.md ├── Writeup Template.md ├── artifast_json_2_splunk.py ├── asset_discovery.sh ├── config.xml ├── dummy.md ├── elk.ps1 ├── elk.sh ├── if_ena.ko └── test.py /CheatSheet/.holder: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /CheatSheet/volshell.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/CheatSheet/volshell.pdf -------------------------------------------------------------------------------- /Cybertalents/DFIR-scholarship-CTF/jam/holder: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Cybertalents/DFIR-scholarship-CTF/jam/solver.py: -------------------------------------------------------------------------------- 1 | import wave, struct 2 | def read_frame(): 3 | wavefile = wave.open('sound.wav', 'r') 4 | length = wavefile.getnframes() 5 | frames = [] 6 | for i in range(0, length): 7 | wavedata = wavefile.readframes(1) 8 | data = struct.unpack(" 0: 18 | pos += 1 19 | output += "1"*(pos//47) 20 | else: 21 | neg += 1 22 | output += "0"*(neg//47) 23 | else: 24 | if frames[n] < 0: 25 | neg += 1 26 | if frames[n+1] > 0: 27 | output += "0"*(neg//47) 28 | neg = 0 29 | else: 30 | pos += 1 31 | if frames[n+1] < 0: 32 | output += "1"*(pos//47) 33 | pos = 0 34 | return output 35 | def binary_2_ascii(output): 36 | binary_int = int(output, 2); 37 | byte_number = 
binary_int.bit_length() + 7 // 8 38 | binary_array = binary_int.to_bytes(byte_number, "big") 39 | return binary_array.decode() 40 | if __name__ == "__main__": 41 | print(binary_2_ascii(frame_to_wave(read_frame()))) -------------------------------------------------------------------------------- /Cybertalents/DFIR-scholarship-CTF/jam/sound.wav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/Cybertalents/DFIR-scholarship-CTF/jam/sound.wav -------------------------------------------------------------------------------- /DFIRSeries/.holder: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /DFIRSeries/EventLogs.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/DFIRSeries/EventLogs.pptx -------------------------------------------------------------------------------- /DFIRSeries/Intro to data acquisition.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/DFIRSeries/Intro to data acquisition.pptx -------------------------------------------------------------------------------- /DFIRSeries/Registry.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/DFIRSeries/Registry.pptx -------------------------------------------------------------------------------- /DFIRSeries/Windows Acquisition.pptx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/DFIRSeries/Windows Acquisition.pptx -------------------------------------------------------------------------------- /Previous-work.md: -------------------------------------------------------------------------------- 1 | ### Created Scenarios 2 | * https://www.netscylla.com/blog/2022/01/01/CyberDefenders-DetectLog4j-CTF.html 3 | * https://beginninghacking.net/2021/12/17/cyberdefenders-bsidesjeddah-part2-memory-image-forensics/ 4 | * https://www.it-sec.fail/bsides-jeddah-ctf-2021-category-pcap-writeup/ 5 | * https://sutharnisarg.medium.com/cyberdefenders-ctf01-b61752ed512b 6 | * https://0xsh3rl0ck.github.io/ctf-writeup/Cyber-Defenders-Pwned-DC/ 7 | -------------------------------------------------------------------------------- /Talks/INSEC/INSEC.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/Talks/INSEC/INSEC.pptx -------------------------------------------------------------------------------- /Talks/INSEC/readme.md: -------------------------------------------------------------------------------- 1 | # Practicing 2 | * https://training.dfirdiva.com/listing-category/dfir-blue-team-ctfs 3 | # Books & Courses 4 | 5 | * SANS roadmap: www.sans.org/cyber-security-skills-roadmap/ 6 | * [Incident response and digital forensics book](https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684) 7 | * [Introductory computer forensics: a hands on practical approach book](https://link.springer.com/book/10.1007/978-3-030-00581-8) 8 | * [Art of memory forensics](https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098) 9 | * [Windows Internals part 1,2](https://www.amazon.com/Windows-Internals-Part-architecture-management/dp/0735684189) 10 | 11 | # Skills 12 | 13 | * [The Analyst Mindset - A Cognitive Skills Assessment of 
Digital Forensic Analysts](https://chrissanders.org/dissertation/Sanders,%20Chris%20-%20The%20Analyst%20Mindset%20-%20A%20Cognitive%20Skills%20Assessment%20of%20Digital%20Forensic%20Analysts.pdf) 14 | * [What are Cognitive Skills?](https://www.mindmattersjo.com/what-are-cognitive-skills.html) 15 | 16 | # Tools 17 | 18 | * [FTK Imager](https://accessdata.com/product-download) 19 | * [Arsenal Image Mounter](https://arsenalrecon.com/downloads/) 20 | * [Volatility](https://www.volatilityfoundation.org/) 21 | * [Belkasoft live ram capturer](https://belkasoft.com/get) 22 | * [wireshark](https://www.wireshark.org/) 23 | * [brimsecurity](https://www.brimdata.io/) 24 | * [pdfstreamdumper](https://github.com/dzzie/pdfstreamdumper) 25 | * [oletools](https://github.com/decalage2/oletools) 26 | 27 | # Experts to follow 28 | * https://twitter.com/champdfa 29 | * https://twitter.com/ali_alwashali 30 | * https://twitter.com/binaryz0ne 31 | * https://twitter.com/petermstewart 32 | * https://twitter.com/jstrosch 33 | * https://twitter.com/DFIRmadness 34 | * https://twitter.com/DidierStevens 35 | * https://twitter.com/DFIRScience 36 | * https://twitter.com/attrc 37 | * https://twitter.com/fatmafouad_y 38 | * https://twitter.com/phillmoore 39 | * https://twitter.com/4n6lady 40 | * https://twitter.com/WyattRoersma 41 | * https://twitter.com/DfirDiva 42 | * https://twitter.com/champdfa 43 | * https://twitter.com/TheDFIRReport 44 | * https://twitter.com/sansforensics 45 | * https://twitter.com/B1N2H3X 46 | * https://twitter.com/andreafortunatw 47 | * https://twitter.com/lawwait 48 | * https://twitter.com/blueteamsec1 49 | * https://twitter.com/bunsofwrath12 50 | * https://twitter.com/CyberRaiju 51 | * https://twitter.com/davisrichardg 52 | -------------------------------------------------------------------------------- /Writeup Template.md: -------------------------------------------------------------------------------- 1 |
2 | 3 |
4 | 5 |
6 |
7 | Logo 8 |
9 |

Exercise Documentation

10 |

CTF Challenge Writeup

11 |
12 |
13 |
Name: Example Name
14 |
Category: Example Category
15 |
Difficulty: Example Difficulty
16 |
Target Audience: Beginner / Community / Pro
17 |
Last Update: Example Date
18 |
19 |
Prepared for: CTF.ae
20 |
21 | 22 |
23 | Disclaimer: This document is classified as Internal and is intended solely for authorized personnel. Unauthorized distribution, publication, or misuse of this document, in any form, is strictly prohibited and may result in legal action, including civil or criminal liability, as applicable by law. By accessing this document, you acknowledge and agree to adhere to its confidential nature and accept the responsibility to maintain its integrity and confidentiality. 24 |
25 |
26 |
27 | 28 | ## Learning Outcomes 29 | 30 | * Out-of-bounds write 31 | * SQL Injection 32 | * Bypassing WAF with URL encoding 33 | * Etc, etc, etc. Include here what the player is going to learn. 34 | 35 | ## Mapping 36 | 37 | * This section is about mapping the challenge to a global benchmark 38 | * MITRE TTPs for Forensics challenges 39 | * OWASP CWEs for web challenges 40 | * Example: CWE-23 Relative Path Traversal 41 | 42 | ## Challenge Idea 43 | 44 | Write a short description of the challenge idea, what the player is supposed to do, and how the challenge is meant to be solved. Keep it to a single paragraph: short, but long enough to give a good overview of the challenge idea and its complexity. 45 | 46 | ## Writeup Content 47 | 48 | Here is where you will write your writeup. Feel free to include screenshots (upload them to imgur) and code snippets. Make sure to explain clearly the steps the player should take to solve the challenge. It is important that you explain as clearly as possible, as this is what CTF.ae will use to validate your challenges, and it may be used in future workshops. 49 | 50 | Images must follow exactly this format. 51 |
52 | 53 |

(Put here a short description of the image)

54 |
55 | 56 | Code snippets must use the markdown format with proper syntax highlighting, as shown below. 57 | 58 | ```python 59 | def hello_world(): 60 | print("Hello, World!") 61 | ``` 62 | 63 | If your challenge has a static flag, include the flag here. If the flag is dynamic, you can ignore this part. 64 | 65 | ## Challenge Flag 66 |
68 | FLAG{FLAG_HERE} 69 |
70 | -------------------------------------------------------------------------------- /artifast_json_2_splunk.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import glob 3 | import re 4 | 5 | def process_file(filename): 6 | # Open the file without converting newlines. 7 | with open(filename, 'r', encoding='utf-8', newline='') as f: 8 | content = f.read() 9 | 10 | # Apply substitutions 11 | content = re.sub(r'\[', '', content) # remove '[' 12 | content = re.sub(r'\]', '', content) # remove ']' 13 | content = re.sub(r' {', '{', content) # replace " {" with "{" 14 | content = re.sub(r'},\{', '}\r\n{', content) # replace "},{" with "}\r\n{" 15 | content = re.sub(r'\{\r\n\s+', '{', content) # remove newline and spaces after '{' 16 | content = re.sub(r',\r\n\s+', ',', content) # remove newline and spaces after comma 17 | content = re.sub(r'\r\n\s+\}', '}', content) # remove newline and spaces before '}' 18 | content = re.sub(r'\r\n\}', '}', content) # remove newline before '}' 19 | 20 | # Write back, preserving the newline sequences 21 | with open(filename, 'w', encoding='utf-8', newline='') as f: 22 | f.write(content) 23 | 24 | def main(): 25 | files = glob.glob('*.json') 26 | total = len(files) 27 | for idx, filename in enumerate(files, start=1): 28 | print(f"Processing file {idx}/{total}: (unknown)") 29 | process_file(filename) 30 | 31 | if __name__ == '__main__': 32 | main() 33 | -------------------------------------------------------------------------------- /asset_discovery.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ------------------------------------------------------------------- 4 | # Script Name: asset_discovery.sh 5 | # Description: Performs a ping sweep on a /16 CIDR network range 6 | # based on the machine's primary IP address. 
It identifies 7 | # active hosts, attempts to determine their operating systems, 8 | # and retrieves their hostnames. 9 | # Author: mhasan 10 | # Date: 20/0/2024 11 | # ------------------------------------------------------------------- 12 | 13 | # Maximum number of concurrent processes to control parallelism 14 | MAX_CONCURRENT=50 15 | 16 | # ------------------------------------------------------------------- 17 | # Function: get_primary_ip 18 | # Description: Retrieves the machine's primary IPv4 address by checking 19 | # available network commands ('ip' or 'ifconfig'). 20 | # Exits the script if neither command is available. 21 | # ------------------------------------------------------------------- 22 | get_primary_ip() { 23 | # Check if the 'ip' command is available 24 | if command -v ip &>/dev/null; then 25 | # Use the 'ip' command to list IPv4 addresses, exclude the 'lo' interface 26 | ip -o -4 addr list scope global up | awk '$2 != "lo" {print $4}' | cut -d/ -f1 | head -n1 27 | elif command -v ifconfig &>/dev/null; then 28 | # Fallback to 'ifconfig' if 'ip' is not available 29 | # Extract lines containing 'inet', exclude the loopback address, and select the first IP 30 | ifconfig | awk '/inet / && !/127.0.0.1/ {print $2}' | head -n1 31 | else 32 | # Output an error message to stderr and exit if neither command is found 33 | echo "Neither 'ip' nor 'ifconfig' command is available." >&2 34 | exit 1 35 | fi 36 | } 37 | 38 | # ------------------------------------------------------------------- 39 | # Function: get_ttl 40 | # Description: Extracts the TTL (Time To Live) value from the ping output. 41 | # Parameters: 42 | # $1 - The output string from the ping command. 43 | # Returns: 44 | # The TTL value as an integer, or an empty string if not found. 
45 | # ------------------------------------------------------------------- 46 | get_ttl() { 47 | local ping_output="$1" 48 | # Use 'sed' with extended regex to capture the TTL value 49 | echo "$ping_output" | sed -nE 's/.*ttl=([0-9]+).*/\1/p' 50 | } 51 | 52 | # ------------------------------------------------------------------- 53 | # Function: determine_os 54 | # Description: Infers the operating system of a host based on its TTL value 55 | # and the presence of specific open ports. 56 | # Parameters: 57 | # $1 - The IP address of the host. 58 | # $2 - The TTL value extracted from the ping output (can be empty). 59 | # $@ - The list of open ports. 60 | # Returns: 61 | # A string representing the inferred operating system. 62 | # ------------------------------------------------------------------- 63 | determine_os() { 64 | local ip="$1" 65 | local ttl="$2" 66 | shift 2 67 | local open_ports=("$@") 68 | local os="Unknown" 69 | 70 | # Infer OS based on TTL value if TTL is available 71 | if [ -n "$ttl" ]; then 72 | if [ "$ttl" -le 64 ]; then 73 | os="Linux/Unix" 74 | elif [ "$ttl" -le 128 ]; then 75 | os="Windows" 76 | elif [ "$ttl" -le 255 ]; then 77 | os="Network Device" 78 | fi 79 | fi 80 | 81 | # Define port-to-OS mappings 82 | declare -A port_os_mapping=( 83 | [22]="Linux/Unix" 84 | [135]="Windows" 85 | [139]="Windows" 86 | [445]="Windows" 87 | [3389]="Windows" 88 | ) 89 | 90 | # Refine OS detection based on open ports 91 | for port in "${open_ports[@]}"; do 92 | if [ -n "${port_os_mapping[$port]}" ]; then 93 | os="${port_os_mapping[$port]}" 94 | break 95 | fi 96 | done 97 | 98 | echo "$os" 99 | } 100 | 101 | # ------------------------------------------------------------------- 102 | # Function: get_hostname 103 | # Description: Retrieves the hostname associated with a given IP address 104 | # using DNS reverse lookup via 'nslookup'. 105 | # Parameters: 106 | # $1 - The IP address to lookup. 107 | # Returns: 108 | # The hostname if found, otherwise "N/A". 
109 | # ------------------------------------------------------------------- 110 | get_hostname() { 111 | local ip="$1" 112 | local hostname 113 | 114 | # Perform nslookup and extract the hostname from the output 115 | hostname=$(nslookup "$ip" 2>/dev/null | awk -F " " '/name =/ {print $NF}' | sed 's/\.$//' | cut -d "." -f1) 116 | 117 | # If no hostname is found, set it to "N/A" 118 | if [ -z "$hostname" ]; then 119 | hostname="N/A" 120 | fi 121 | 122 | echo "$hostname" 123 | } 124 | 125 | # ------------------------------------------------------------------- 126 | # Function: process_ip 127 | # Description: Processes a single IP address by performing a ping, 128 | # scanning ports, extracting the TTL, determining the OS, 129 | # and retrieving the hostname. Outputs the result in CSV format. 130 | # Parameters: 131 | # $1 - The IP address to process. 132 | # Outputs: 133 | # A comma-separated string: IP,Hostname,OS 134 | # ------------------------------------------------------------------- 135 | process_ip() { 136 | local ip="$1" 137 | 138 | # Perform a single ICMP ping with a 1-second timeout and capture the output 139 | local ping_output 140 | ping_output=$(ping -c1 -W1 "$ip" 2>/dev/null) 141 | 142 | local ttl="" 143 | local machine_up=false 144 | 145 | # Check if the ping was successful by searching for "bytes from" in the output 146 | if echo "$ping_output" | grep -q "bytes from"; then 147 | # Extract the TTL value from the ping output 148 | ttl=$(get_ttl "$ping_output") 149 | machine_up=true 150 | fi 151 | 152 | # Ports to scan 153 | local ports_to_scan=(22 135 139 445 3389) 154 | local open_ports=() 155 | 156 | # Scan ports 157 | for port in "${ports_to_scan[@]}"; do 158 | if timeout 0.1 bash -c "echo > /dev/tcp/$ip/$port" 2>/dev/null; then 159 | open_ports+=("$port") 160 | fi 161 | done 162 | 163 | # If ping failed but any ports are open, consider the machine up 164 | if [ "$machine_up" = false ] && [ "${#open_ports[@]}" -gt 0 ]; then 165 | machine_up=true 166 
| fi 167 | 168 | if [ "$machine_up" = true ]; then 169 | # Determine the operating system based on TTL and open ports 170 | local os 171 | os=$(determine_os "$ip" "$ttl" "${open_ports[@]}") 172 | 173 | # Retrieve the hostname associated with the IP 174 | local hostname 175 | hostname=$(get_hostname "$ip") 176 | 177 | # Output the results in CSV format: IP,Hostname,OS 178 | echo "$ip,$hostname,$os" 179 | fi 180 | } 181 | 182 | # ------------------------------------------------------------------- 183 | # Function: ping_sweep 184 | # Description: Performs a parallelized ping sweep across a /16 network range. 185 | # Limits the number of concurrent background jobs to prevent 186 | # system overload. 187 | # Parameters: 188 | # $1 - The first octet of the IP range. 189 | # $2 - The second octet of the IP range. 190 | # ------------------------------------------------------------------- 191 | ping_sweep() { 192 | local octet1="$1" 193 | local octet2="$2" 194 | local max_jobs="$MAX_CONCURRENT" # Maximum concurrent processes 195 | local job_count=0 # Current number of active jobs 196 | 197 | # Iterate through the third octet (0 to 255) 198 | for octet3 in {0..255}; do 199 | # Iterate through the fourth octet (1 to 254) to avoid network and broadcast addresses 200 | for octet4 in {1..254}; do 201 | # Construct the full IP address 202 | ip="$octet1.$octet2.$octet3.$octet4" 203 | ( 204 | # Process the IP address in a subshell to enable parallel execution 205 | process_ip "$ip" 206 | ) & # Run the subshell in the background 207 | 208 | # Increment the job counter 209 | ((job_count++)) 210 | 211 | # If the maximum number of concurrent jobs is reached, wait for any to finish 212 | if [ "$job_count" -ge "$max_jobs" ]; then 213 | # 'wait -n' waits for the next background job to finish 214 | wait -n 2>/dev/null 215 | # Decrement the job counter as one job has completed 216 | ((job_count--)) 217 | fi 218 | done 219 | done 220 | 221 | # Wait for all remaining background jobs to 
complete before exiting the function 222 | wait 223 | } 224 | 225 | # ------------------------------------------------------------------- 226 | # Main Execution Block 227 | # ------------------------------------------------------------------- 228 | 229 | # Retrieve the primary IP address of the machine 230 | primary_ip=$(get_primary_ip) 231 | 232 | # Check if the primary IP was successfully obtained 233 | if [ -z "$primary_ip" ]; then 234 | echo "Unable to determine the machine's IP address." >&2 235 | exit 1 236 | fi 237 | 238 | # Extract the first two octets of the IP address to define the /16 network range 239 | # The 'IFS=.' sets the Internal Field Separator to a dot for splitting 240 | IFS=. read -r octet1 octet2 _ _ <<< "$primary_ip" 241 | 242 | # Initiate the ping sweep on the determined /16 network range 243 | ping_sweep "$octet1" "$octet2" 244 | -------------------------------------------------------------------------------- /config.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 23.3 4 | 5 | 6 | normal 7 | pfSense 8 | home.arpa 9 | 10 | 11 | all 12 | 13 | system 14 | 1998 15 | 16 | 17 | admins 18 | 19 | system 20 | 1999 21 | 0 22 | 2000 23 | page-all 24 | 25 | 26 | admin 27 | 28 | system 29 | admins 30 | 0 31 | user-shell-access 32 | user-ipsec-xauth-dialin 33 | $2y$10$ZeMQJD2LUOEtoSMU7Y3viuL7B5CHIJIDwB//fOt7F9l.JymQQt1JO 34 | 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 35 | 36 | 37 | user 38 | 39 | ec2-user 40 | 2000 41 | 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 42 | $2y$10$76HssREl6OYPmQKnyLJIGOWuatWFN.MhnlByLq0n2glS0GjBysrWu 43 | user-shell-access 44 | 45 | 2001 46 | 2000 47 | 2.pfsense.pool.ntp.org 48 | 49 | https 50 | 51 | 52 | 2 53 | 54 | 55 | 65f8636004955 56 | 57 | yes 58 | 59 | 60 | 61 | 400000 62 | hadp 63 | hadp 64 | hadp 65 | 66 | monthly 67 | 68 | 69 | 115200 70 | 71 | 72 | 73 | enabled 74 | 22 75 | 76 | 77 | 78 | service wireguardd start 79 | 80 | 81 | 82 | 83 | ena0 84 
| 85 | dhcp 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 0 94 | 95 | 96 | 97 | 98 | 99 | 100 | public 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 1 109 | 110 | 111 | 112 | automatic 113 | 114 | 115 | 116 | 117 | pass 118 | wan 119 | inet 120 | 121 | icmp 122 | 123 | 124 | 125 | 126 | wanip 127 | 128 | 129 | 1710777165 130 | 131 | 132 | pass 133 | wan 134 | inet 135 | 136 | tcp 137 | 138 | 139 | 140 | 141 | wanip 142 | 22 143 | 144 | 145 | 1710777165 146 | 147 | 148 | pass 149 | wan 150 | inet 151 | 152 | tcp 153 | 154 | 155 | 156 | 157 | wanip 158 | 443 159 | 160 | 161 | 1710777165 162 | 163 | 164 | pass 165 | wan 166 | inet 167 | 168 | tcp 169 | 170 | 171 | 172 | 173 | wanip 174 | 80 175 | 176 | 177 | 1710777165 178 | 179 | 180 | pass 181 | wan 182 | inet 183 | 184 | udp 185 | 186 | 187 | 188 | 189 | wanip 190 | 1194 191 | 192 | 193 | 1710777165 194 | 195 | 196 | 197 | pass 198 | openvpn 199 | inet 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 1710777165 209 | 210 | 211 | 212 | pass 213 | enc0 214 | inet46 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 1710777165 223 | 224 | 225 | pass 226 | lan 227 | inet 228 | 229 | lan 230 | 231 | 232 | 233 | 234 | 235 | 0100000101 236 | 237 | 238 | 239 | 240 | 241 | 242 | Local Database 243 | none 244 | 172.25.53.0 245 | 24 246 | 247 | 172.19.0.1 248 | 249 | 250 | 251 | 1 252 | wan 253 | 254 | 255 | aggressive 256 | inet 257 | myaddress 258 | 259 | user_fqdn 260 | admin@pfsense 261 | 262 | aes 263 | 128 264 | 265 | sha1 266 | 2 267 | 86400 268 | netgate-aws-ipsec 269 | 270 | 271 | 272 | xauth_psk_server 273 | 274 | force 275 | 10 276 | 5 277 | ikev1 278 | 279 | 280 | 1 281 | tunnel 282 | 283 | network 284 |
0.0.0.0
285 | 0 286 |
287 | 288 | mobile 289 | 290 | esp 291 | 292 | aes 293 | 128 294 | 295 | hmac_sha1 296 | 0 297 | 28800 298 | 299 | 300 | 65f8634d78f57 301 | 1 302 | 303 |
304 |
305 | 306 | 307 | Networks_to_NAT 308 |
127.0.0.0/8 172.24.42.0/24 172.25.53.0/24
309 | 310 | network 311 | 312 |
313 |
314 | 315 | 316 | 317 | */1 318 | * 319 | * 320 | * 321 | * 322 | root 323 | /usr/sbin/newsyslog 324 | 325 | 326 | 1 327 | 3 328 | * 329 | * 330 | * 331 | root 332 | /etc/rc.periodic daily 333 | 334 | 335 | 15 336 | 4 337 | * 338 | * 339 | 6 340 | root 341 | /etc/rc.periodic weekly 342 | 343 | 344 | 30 345 | 5 346 | 1 347 | * 348 | * 349 | root 350 | /etc/rc.periodic monthly 351 | 352 | 353 | 1,31 354 | 0-5 355 | * 356 | * 357 | * 358 | root 359 | /usr/bin/nice -n20 adjkerntz -a 360 | 361 | 362 | 1 363 | 3 364 | 1 365 | * 366 | * 367 | root 368 | /usr/bin/nice -n20 /etc/rc.update_bogons.sh 369 | 370 | 371 | 1 372 | 1 373 | * 374 | * 375 | * 376 | root 377 | /usr/bin/nice -n20 /etc/rc.dyndns.update 378 | 379 | 380 | */60 381 | * 382 | * 383 | * 384 | * 385 | root 386 | /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot 387 | 388 | 389 | 30 390 | 12 391 | * 392 | * 393 | * 394 | root 395 | /usr/bin/nice -n20 /etc/rc.update_urltables 396 | 397 | 398 | 1 399 | 0 400 | * 401 | * 402 | * 403 | root 404 | /usr/bin/nice -n20 /etc/rc.update_pkg_metadata 405 | 406 | 407 | 408 | 409 | 410 | left=system-processor&right=&resolution=300&timePeriod=-1d&startDate=&endDate=&startTime=0&endTime=0&graphtype=line&invert=true&refresh-interval=0 411 | 412 | 413 | system_information:col1:show,disks:col1:show,netgate_services_and_support:col2:show,interfaces:col2:show 414 | 10 415 | 416 | 417 | 418 | 0 419 | 420 | server_user 421 | Local Database 422 | UDP 423 | tun 424 | wan 425 | 1194 426 | 427 | no 428 | no 429 | 65f863682cf05 430 | 65f863689db9e 431 | 1024 432 | AES-128-CBC 433 | none 434 | 1 435 | 172.24.42.0/24 436 | yes 437 | yes 438 | 439 | yes 440 | push "route-ipv6 0::0/1 vpn_gateway";push "route-ipv6 8000::0/1 vpn_gateway"; 441 | fd6f:826b:ed1e::0/64 442 | 443 | 172.24.42.1 444 | 445 | 446 | 447 | 448 | 449 | 450 | 451 | 452 | 453 | 454 | 455 | 456 | 457 | 458 | 459 | 460 | 461 | 462 | debug.trace_on_panic 463 | 1 464 | 465 | 466 | 467 | debug.debugger_on_panic 
468 | 0 469 | 470 | 471 | 472 | 473 | 474 | wan 475 | dynamic 476 | WAN_DHCP 477 | 1 478 | inet 479 | 480 | 481 | 482 | 483 | 484 | 485 | 486 | 487 | ipalias 488 | lo0 489 | 490 | single 491 | 24 492 | 172.19.0.1 493 | 494 | 495 | 496 | 497 | 498 | 499 | 500 | 501 | 502 | 503 | 504 | 505 | 506 | 65f8636004955 507 | 508 | server 509 | 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 510 | 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 511 | 512 | 513 | 65f863689db9e 514 | 515 | server 516 | 65f863682cf05 517 | LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzVENDQTVtZ0F3SUJBZ0lCQWpBTkJna3Foa2lHOXcwQkFRc0ZBREJ3TVFzd0NRWURWUVFHRXdKVlV6RUwKTUFrR0ExVUVDQk1DVkZneER6QU5CZ05WQkFjVEJrRjFjM1JwYmpFVU1CSUdBMVVFQ2hNTFRtVjBaMkYwWlNCVwpVRTR4RkRBU0Jna3Foa2lHOXcwQkNRRVdCV1Z0WVdsc01SY3dGUVlEVlFRREV3NU9aWFJuWVhSbElGWlFUaUJEClFUQWVGdzB5TkRBek1UZ3hOVFV6TVROYUZ3MHpOREF6TVRZeE5UVXpNVE5hTUhReEN6QUpCZ05WQkFZVEFsVlQKTVFzd0NRWURWUVFJRXdKVVdERVBNQTBHQTFVRUJ4TUdRWFZ6ZEdsdU1SUXdFZ1lEVlFRS0V3dE9aWFJuWVhSbApJRlpRVGpFVU1CSUdDU3FHU0liM0RRRUpBUllGWlcxaGFXd3hHekFaQmdOVkJBTVRFazVsZEdkaGRHVWdWbEJPCklGTmxjblpsY2pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTURpVWxnT2lMWjgKd1pUd3dUL0RBTzJwSnlZQ2dsNFR4UWtrZFM4VytTc2FRTXljVENSZzd2T3VRZndYZDRDL2NuRzJVTkVKUHZTTApXU1djNVRPa3JFNWNGVWNzWXNjTW1wTUgzOW11K1MraHNaQmpYZnRnNDNwSllkYy85Y3Q1Q2FnS0pDd2VIQjl0ClArTFJnTCtFc1BLaGord1VmazhJa0ZZSVFjZ2dpcFZsaEZEenBHWjJEVUxiakt3cGpXZUJ6VUVxcXUvNE1RRzEKRWFNT2I2OGwzQ3JaWm01M0xvek93YmM1Q2lpME1GQ0duajlIQlJDWkhyTlR0QnhEdjNyYUpsZUl2dXRyVUdhNwpVTGNuT0NpbHR4YVhpMHBIalo3cTRreFV2OGhTS1E5STQyVzNwa1dpajJtNklOaXJRdTFzSkNkSEFXMVhpRk00CmkrSGltU0lkSUMwQ0F3RUFBYU9DQVZBd2dnRk1NQWtHQTFVZEV3UUNNQUF3RVFZSllJWklBWWI0UWdFQkJBUUQKQWdaQU1Bc0dBMVVkRHdRRUF3SUZvREF6QmdsZ2hrZ0JodmhDQVEwRUpoWWtUM0JsYmxOVFRDQkhaVzVsY21GMApaV1FnVTJWeWRtVnlJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJUTXc0bWNmcFpISldMMU14VEhMaUdrClluYW1jVENCb1FZRFZSMGpCSUdaTUlHV2dCVE81TjNza3IvSG5ndHI5TDFVanFsQ0NkdzBXYUYwcEhJd2NERUwKTUFrR0ExVUVCaE1DVlZNeEN6QUpCZ05WQkFnVEFsUllNUTh3R
FFZRFZRUUhFd1pCZFhOMGFXNHhGREFTQmdOVgpCQW9UQzA1bGRHZGhkR1VnVmxCT01SUXdFZ1lKS29aSWh2Y05BUWtCRmdWbGJXRnBiREVYTUJVR0ExVUVBeE1PClRtVjBaMkYwWlNCV1VFNGdRMEdDQ0Y0anZ3Z0srdG4zTUNjR0ExVWRKUVFnTUI0R0NDc0dBUVVGQndNQkJnZ3IKQmdFRkJRY0RBZ1lJS3dZQkJRVUlBZ0l3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUFjeG9GaXlSTE41M1VsaAp3RXVTQzErN1BBK0IvUXFuTEFOcjdEallTRzZZa2RVWTl6TmdoZitTVzVXSGVaSGY0bXpQNi8xb3VVTzB5Zmt1CnRPZDh4V1F5TzZLVCtxVVdmS2QvK0NLU0VsQkFPVG96YU9acDBqSHBKWVJwbzFHYkN2a3R2U3VPRUFncW1NdUQKRUtKSU9jVTU1WW9ZQWg2cU5GVC95SFMrNk5wc0VIR1lzSzJWaUh5SnM4ZTRDRXFDQkNwU290SFBNQTdkMjcxcgpMWFk0WDY0YUo4UUtFRyt6QS9jd3JyanorR1dqSWJReFZrMWIyNFZFTDU2U2xxeTl6RXZFT2VNZFlPM2hyNkFKCjNwRDFqSm1iK1FSYnBBNzdzQUUyS3BFdTBGTHFKeDZwcDlDc1F5NUpReVpRb21UT0dJN2M1MDJIUEdwSXdwbncKOGNxdTRpRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= 518 | 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 519 | 520 | 521 | 522 | 523 | 524 | 525 | AWS VPC Wizard 526 | aws-wizard 527 | https://docs.netgate.com/pfsense/en/latest/packages/aws-vpc-wizard/index.html 528 | 530 | 0.10 531 | aws_wizard.xml 532 | 533 | 534 | IPsec Profile Wizard 535 | ipsec-profile-wizard 536 | 538 | 1.2 539 | ipsec-profile.xml 540 | 541 | 542 | Netgate Firmware Upgrade 543 | Netgate_Firmware_Upgrade 544 | 545 | 23.05.00 546 | netgate_firmware_upgrade.xml 547 | /usr/local/pkg/netgate_firmware_upgrade.inc 548 | 549 | 550 | sudo 551 | https://docs.netgate.com/pfsense/en/latest/packages/sudo.html 552 | 553 | http://www.sudo.ws/ 554 | 0.3_8 555 | sudo.xml 556 | /usr/local/pkg/sudo.inc 557 | 558 | 559 | WireGuard 560 | 572 | https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-WireGuard 573 | 0.2.1 574 | wireguard.xml 575 | /usr/local/pkg/wireguard/includes/wg.inc 576 | 577 | 578 | AWS VPC VPN Wizard 579 | AWS VPC Connection Wizard 580 |
VPN
581 | /wizard.php?xml=vpc_vpn_wizard.xml 582 |
583 | 584 | IPsec Export: Apple Profile 585 | IPsec Profile Export 586 |
VPN
587 | vpn_ipsec_profile.php 588 |
589 | 590 | IPsec Export: Windows 591 | IPsec Profile Export 592 |
VPN
593 | vpn_ipsec_export_win.php 594 |
595 | 596 | Netgate Firmware Upgrade 597 | Upgrade Firmware of Netgate hardware models. 598 |
System
599 | /netgate_firmware_upgrade.php 600 |
601 | 602 | sudo 603 |
System
604 | /pkg_edit.php?xml=sudo.xml 605 |
606 | 607 | WireGuard 608 |
VPN
609 | /wg/vpn_wg_tunnels.php 610 |
611 | 612 | WireGuard 613 |
Status
614 | /wg/status_wireguard.php 615 |
616 | 617 | 618 | 619 | 620 | user:root 621 | ALL 622 | 623 | 624 | 625 | user:root 626 | ALL 627 | 628 | 629 | 630 | user:root 631 | ALL 632 | 633 | 634 | 635 | user:root 636 | ON 637 | ALL 638 | 639 | 640 | 641 | 642 | 643 | 644 | 645 | off 646 | yes 647 | 300 648 | no 649 | all 650 | yes 651 | yes 652 | 653 | 654 | 655 | 656 | service wireguardd start 657 | earlyshellcmd 658 | 659 | 660 | 661 | 662 | wireguard 663 | wireguardd 664 | php_wg 665 | 666 | 667 |
668 | 669 | 670 | 671 | WireGuard 672 | 673 | 674 | 675 | 676 | 677 | 65f863682cf05 678 | 679 | LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVSRENDQXl5Z0F3SUJBZ0lJWGlPL0NBcjYyZmN3RFFZSktvWklodmNOQVFFTEJRQXdjREVMTUFrR0ExVUUKQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBbFJZTVE4d0RRWURWUVFIRXdaQmRYTjBhVzR4RkRBU0JnTlZCQW9UQzA1bApkR2RoZEdVZ1ZsQk9NUlF3RWdZSktvWklodmNOQVFrQkZnVmxiV0ZwYkRFWE1CVUdBMVVFQXhNT1RtVjBaMkYwClpTQldVRTRnUTBFd0hoY05NalF3TXpFNE1UVTFNekV5V2hjTk16UXdNekUyTVRVMU16RXlXakJ3TVFzd0NRWUQKVlFRR0V3SlZVekVMTUFrR0ExVUVDQk1DVkZneER6QU5CZ05WQkFjVEJrRjFjM1JwYmpFVU1CSUdBMVVFQ2hNTApUbVYwWjJGMFpTQldVRTR4RkRBU0Jna3Foa2lHOXcwQkNRRVdCV1Z0WVdsc01SY3dGUVlEVlFRREV3NU9aWFJuCllYUmxJRlpRVGlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUx2bkxSeEEKVFFOb2RpS2V0ZGdMYlhmWFQzZkZpeE5vZ0p3REJ2MXY1aVdvc1VQZGx6K01oNGtXUVJiRFh4c3paOUFVQVZHcApIR2dNYk9jQVJIQTdjaTZZbWRBUTQzN1gxZUMwMWYyRUZuZFZPSFBHT1h6RnV2ZFNSTkhESlhkRnc3YWdseXpxCkIyL2M1akg5ZjlsdXZTT2xwMFJuNStBTnNlVmpkNlV0NUQySzV6Z1N5bm1Seno1UlFPZWVuTjUzelorcW53eXEKRVg0cUt3UjJYaFJkQ3FhT0JtektOeGtWQWpGdXpwUWx6R3lkdDE3VFd4ZERrSzVqM3pMVGt4TDVlR05kanNSawplQ3lVM3djWUw5ajRhRENFTXhDTUVCWEp1MDFKdUpzNW1QaGNxMXVjT3pqOTNzUkpBbmRNRkY1ajZBY2laT1pUCkFHVlhWaG9GdzVvRDIvMENBd0VBQWFPQjRUQ0IzakFkQmdOVkhRNEVGZ1FVenVUZDdKSy94NTRMYS9TOVZJNnAKUWduY05Ga3dnYUVHQTFVZEl3U0JtVENCbG9BVXp1VGQ3SksveDU0TGEvUzlWSTZwUWduY05GbWhkS1J5TUhBeApDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJRXdKVVdERVBNQTBHQTFVRUJ4TUdRWFZ6ZEdsdU1SUXdFZ1lEClZRUUtFd3RPWlhSbllYUmxJRlpRVGpFVU1CSUdDU3FHU0liM0RRRUpBUllGWlcxaGFXd3hGekFWQmdOVkJBTVQKRGs1bGRHZGhkR1VnVmxCT0lFTkJnZ2hlSTc4SUN2clo5ekFNQmdOVkhSTUVCVEFEQVFIL01Bc0dBMVVkRHdRRQpBd0lCQmpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQVRwMlEwWWJCbWduQmZkOGNGTEV4cHhJd0hsaDJQcGcxCmU1SktMMW9SUTUvc3dMeVE0a0tuWVpSYkR0MkoxK2MzVVNpakgraGl4NXlscDdNVUdHaEV3ZDlYZXJITnVTSTkKUjEra0RUY2lNWDQxckpWb2ZRTHd4Uk51dDNud3RoT0t2T2lId1dpVU4rMGtoUTRYTHNiMlRaYXNxeCszU0F4SgpDK0ZLTVZoK2xES042ZG9UeEpWZ0xBR0UzSWhTZzRQb1NEWGV0Y01paEZQaXl1U0ttRVZXVnVXQWF5L3VseTBRCmh5RHpVV2ZmWHZZQ1phdUdwN09xWGI2ZGltTHdRR0UzT3V3
NjY4bDEzRDErdGpid3o0N08wVkNGN2VBSnZDYW8KWktJbUpaMjNXcVVFenlHWVZJZ205QW9nT2JhNmRKMVpuVU1Wb0t1eXE0OVVWa1FsQ1RjdXd3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= 680 | 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 681 | 2 682 | 683 |
684 | -------------------------------------------------------------------------------- /dummy.md: -------------------------------------------------------------------------------- 1 | # Important artifacts 2 | | Live | offline | Tool | 3 | | ------------- | ------------- | ------------- | 4 | | HKEY_LOCAL_MACHINE/SYSTEM | C:\Windows\System32\config\SYSTEM | Registry Explorer/regrip | 5 | | HKEY_LOCAL_MACHINE/SOFTWARE | C:\Windows\System32\config\SOFTWARE | Registry Explorer/regrip | 6 | | HKEY_USERS | C:\Windows\System32\config\SAM | Registry Explorer/regrip | 7 | | HKEY_CURRENT_USER | C:\Users\\NTUSER.dat
C:\Users\\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Registry Explorer/regrip | 8 | | Amcache.hve | C:\Windows\appcompat\Programs\Amcache.hve | RegistryExplorer/regrip | 9 | | Event viewer -> Windows Logs -> SECURITY | C:\Windows\winevt\Logs\Security.evtx | Event logs Explorer | 10 | | Event viewer -> Windows Logs -> SYSTEM | C:\Windows\winevt\Logs\SYSTEM.evtx | Event logs Explorer | 11 | | Event viewer -> Windows Logs -> Application | C:\Windows\winevt\Logs\Application.evtx | Event logs Explorer | 12 | | Event viewer -> Applications & service logs -> Microsoft -> Windows -> TaskScheduler -> Operational | Microsoft-Windows-TaskScheduler%4Operational.evtx | Event Log Explorer 13 | | Event viewer -> Applications & service logs -> Microsoft -> Windows -> TaskScheduler -> Operational | Microsoft-Windows-TaskScheduler%4Operational.evtx | Event Log Explorer 14 | # System Information 15 | | What | Where | Tool | 16 | | ------------- | ------------- | ------------- | 17 | | Windows version and installation date |
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion |
    • RegistryExplorer
    • regrip | 18 | | Computer name |
      • SYSTEM\ControlSet001\Control\ComputerName\ComputerName |
        • RegistryExplorer
        • regrip | 19 | | Timezone |
          • SYSTEM\ControlSet001\Control\TimeZoneInformation |
            • RegistryExplorer
            • regrip | 20 | | Startup and shutdown time |
              • SYSTEM\ControlSet001\Control\Windows
               • SYSTEM.evtx 1074 (shutdown type) & 6005/6006 (Event Log service start/stop)
              |
              • TurnedTimesView | 21 | # Network Information 22 | | What | Where | Tool | 23 | | ------------- | ------------- | ------------- | 24 | | Identify physical cards |
                • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards |
                  • RegistryExplorer
                  • regrip 25 | | Identify interface configuration |
                    • SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces |
                      • RegistryExplorer
                      • regrip 26 | | Connections History |
                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
                        • Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx |
                          • WifiHistoryView 27 | | Network shares |
                            • SYSTEM\ControlSet001\Services\LanmanServer\Shares |
                              • Registry Explorer/regrip | 28 | # Users Information 29 | | What | Where | Tool | 30 | | ------------- | ------------- | ------------- | 31 | | Username, creation date ,login date, SID |
                                • SAM |
                                  • RegistryExplorer
                                  • regrip | 32 | | Login, logout, deletion, creation |
                                    • Security.evtx
                                      • 4624 -> Successful logon event
                                      • 4625 -> failed logon event
                                      • 4634 -> Session terminated
                                      • 4647 -> User initiated logoff
                                      • 4672 -> Special privilege logon
                                      • 4648 -> User ran a program as another user (Run as administrator)
                                      • 4720/4726 -> Account creation/deletion |
                                        • EventLog Explorer | 33 | # File activities - what happened? 34 | | What | Where | Tool | 35 | | ------------- | ------------- | ------------- | 36 | | File name, path, timestamps, actions (i.e rename) |
                                          • $MFT, $LogFile, $UsnJrnl:$J |
                                            • NTFS Log Tracker 37 | | Information about deleted files |
                                              • $I30 |
                                                 • INDXRipper 38 | # File activities - Who did it? 39 | | What | Where | Tool | 40 | | ------------- | ------------- | ------------- | 41 | | Failed/Successful object access |
                                                   • Security.evtx
                                                    • 4656 -> User tried to access an object
                                                    • 4660 -> object was deleted
                                                     • 4663 -> User accessed the object successfully
                                                    • 4658 -> the user closed the opened object (file) |
                                                      • EventLog Explorer | 42 | | Recently used files/folders |
                                                        • NTUSER.dat
                                                          • Software\Microsoft\Office\15.0\\File MRU
                                                          • Software\Microsoft\Office\15.0\\Place MRU
                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths |
                                                            • RegistryExplorer
                                                            • regrip | 43 | | Accessed folders |
                                                              • ShellBags
                                                                • NTUSER.dat
                                                                • USRCLASS.dat |
                                                                  • Shellbags Explorer 44 | | Accessed files, its path, metadata, timestamps, drive letter |
                                                                    • LNK files
                                                                      • C:\Users\\Appdata\Roaming\Microsoft\Windows\Recent
                                                                      • C:\Users\\Desktop
                                                                      • C:\Users\\AppData\Roaming\Microsoft\Office\Recent\ |
                                                                        • LECmd | 45 | | Frequently accessed files |
                                                                          • JumpLists
                                                                             • C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
                                                                             • C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations |
                                                                              • JumpLists Explorer | 46 | # Connected devices 47 | | What | Where | Tool | 48 | | ------------- | ------------- | ------------- | 49 | | Vendor ID, Product ID, Serial Number, Device name |
                                                                                • SYSTEM\ControlSet001\Enum\USB |
                                                                                  • RegistryExplorer
                                                                                  • regrip | 50 | | Serial Number, First connection time, last connection time, last removal time |
                                                                                    • SYSTEM\ControlSet001\USBSTOR |
                                                                                      • RegistryExplorer
                                                                                      • regrip | 51 | | USB Label |
                                                                                        • SYSTEM\ControlSet001\Enum\SWD\WPDBUSENUM |
                                                                                          • RegistryExplorer
                                                                                          • regrip | 52 | | GUID, TYPE, serial number |
                                                                                            • SYSTEM\ControlSet001\Control\DeviceClasses |
                                                                                              • RegistryExplorer
                                                                                              • Regrip 53 | | VolumeGUID, Volume letter, serial number |
                                                                                                • SYSTEM\MountedDevices
                                                                                                • SOFTWARE\Microsoft\Windows Portable Devices\Devices
                                                                                                • SOFTWARE\Microsoft\Windows Search\VolumeInfoCache |
                                                                                                  • RegistryExplorer
                                                                                                  • regrip | 54 | | Serial number, first connection time |
                                                                                                    • setupapi.dev.log |
                                                                                                      • notepad++ | 55 | | Serial number, connections times, drive letter |
                                                                                                        • SYSTEM.evtx
                                                                                                          • 20001 -> a new device is installed
                                                                                                        • Security.evtx
                                                                                                           • 6416 -> new external device recognized
                                                                                                        • Microsoft-Windows-Ntfs%4Operational.evtx |
                                                                                                          • EventLog Explorer | 56 | | Automation |
                                                                                                            • Registry
                                                                                                            • EventLogs
                                                                                                            • setupapi.dev.log |
                                                                                                              • USBDeviceForensics
                                                                                                               • USBDetective | 57 | # Execution activities 58 | | What | Where | Tool | 59 | | ------------- | ------------- | ------------- | 60 | | Windows Services executable, date added |
                                                                                                                • SYSTEM\CurrentControlSet\Services |
                                                                                                                  • RegistryExplorer
                                                                                                                  • regrip | 61 | | Service installation time, Service crashed, stop/start service event |
                                                                                                                    • Security.evtx
                                                                                                                       • 4697 -> a service was installed
                                                                                                                    • SYSTEM.evtx
                                                                                                                      • 7034 -> Service crashed
                                                                                                                      • 7035 -> start/stop requests
                                                                                                                       • 7036 -> service stopped/started
                                                                                                                      |
                                                                                                                      • Eventlog Explorer | 62 | | Autorun applications |
                                                                                                                        • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                                                                                                                        • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                                                                                                                        • SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
                                                                                                                        • SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
                                                                                                                        • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                        • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce |
                                                                                                                          • RegistryExplorer
                                                                                                                          • regrip | 63 | | Frequently run programs, last time, number of execution |
                                                                                                                            • UserAssist
                                                                                                                              • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist |
                                                                                                                                 • UserAssist by Didier Stevens | 64 | | Run of older applications on newer system |
                                                                                                                                  • SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache |
                                                                                                                                    • ShimCache parser | 65 | | files path, md5 & sha1 hash |
                                                                                                                                      • Amcache.hve |
                                                                                                                                        • Amcache parser | 66 | | Background applications |
                                                                                                                                          • BAM & DAM
                                                                                                                                            • SYSTEM\ControlSet001\Services\bam\State\UserSettings |
                                                                                                                                              • RegistryExplorer
                                                                                                                                              • regrip | 67 | | Filename, size, run count, each run timestamp, path |
                                                                                                                                                • Prefetch
                                                                                                                                                • C:\Windows\Prefetch |
                                                                                                                                                  • WinPrefetchView | 68 | | Program network usage, memory usage |
                                                                                                                                                    • SRUM
                                                                                                                                                    • C:\Windows\System32\sru\SRUDB.dat |
                                                                                                                                                      • SrumECmd | 69 | | Scheduled task |
                                                                                                                                                        • C:\Windows\Tasks
                                                                                                                                                        • Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks
                                                                                                                                                        • Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree
                                                                                                                                                        • Microsoft-Windows-TaskScheduler%4Operational.evtx |
                                                                                                                                                          • Task Scheduler Viewer | 70 | # Memory analysis 71 | | What | plugin | 72 | | ------------- | ------------- | 73 | | List processes | windows.pslist | 74 | | Scan image for hidden processes | windows.psxview | 75 | | List network connections | windows.netscan | 76 | | List files loaded in memory | windows.filescan | 77 | | Look for malicious codes in memory | windows.malfind | 78 | # Wireshark filters cheatsheet 79 | | What | filter | 80 | | ------------- | ------------- | 81 | | Source IP | ip.src == "127.0.0.1" | 82 | | Destination IP | ip.dst == "127.0.0.1" | 83 | | Protocol | http - ftp - dns - etc. | 84 | | Source port | tcp.srcport == "80" - udp.srcport == "80" | 85 | | Destination port | tcp.dstport == "80" - udp.dstport == "80" | 86 | -------------------------------------------------------------------------------- /elk.ps1: -------------------------------------------------------------------------------- 1 | $ProgressPreference = 'SilentlyContinue' 2 | Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.16.0-windows-x86_64.zip -OutFile elastic-agent-8.16.0-windows-x86_64.zip 3 | Expand-Archive .\elastic-agent-8.16.0-windows-x86_64.zip -DestinationPath . 
4 | cd elastic-agent-8.16.0-windows-x86_64 5 | .\elastic-agent.exe install --url=https://172.168.40.123:8220 --enrollment-token=QkdVNUo1TUJrbUdRVG9VQUVDUG86cVlMQlFyZDVRY09SdHRCbW1LREZjQQ== 6 | -------------------------------------------------------------------------------- /elk.sh: -------------------------------------------------------------------------------- 1 | curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.16.0-linux-x86_64.tar.gz 2 | tar xzvf elastic-agent-8.16.0-linux-x86_64.tar.gz 3 | cd elastic-agent-8.16.0-linux-x86_64 4 | sudo ./elastic-agent install --url=https://172.168.40.123:8220 --enrollment-token=QkdVNUo1TUJrbUdRVG9VQUVDUG86cVlMQlFyZDVRY09SdHRCbW1LREZjQQ== 5 | -------------------------------------------------------------------------------- /if_ena.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xHasanM/MISC/76982c95bf301007223bed626bbc6ce514b674fd/if_ena.ko -------------------------------------------------------------------------------- /test.py: -------------------------------------------------------------------------------- 1 | python 2 | from pwn import * 3 | import hashlib 4 | 5 | conn = remote("blackhat4-ac66ee1bbf6d6edd64a68636b170b110-0.chals.bh.ctf.sa", 443, ssl=True, sni="blackhat4-ac66ee1bbf6d6edd64a68636b170b110-0.chals.bh.ctf.sa") 6 | #conn = process(["python3", "task1.py"]) 7 | conn.recvuntil("...") 8 | conn.recvuntil("|") 9 | conn.sendline(" ") 10 | conn.recvuntil("public key ::") 11 | conn.recvline() 12 | idd = str(conn.recvline().strip().decode().split(' = ')[-1]) 13 | conn.recvuntil("enjoy ::") 14 | conn.recvline() 15 | enc_flag = int(conn.recvline().strip().decode().split(' ')[-1]) 16 | 17 | while True: 18 | conn.recvuntil("> ") 19 | conn.sendline("e") 20 | conn.recvuntil("> (int) ") 21 | conn.sendline(str(2**512)) 22 | conn.recvuntil("Encryption ::") 23 | conn.recvline() 24 | m1 = 
int(conn.recvline().strip().decode().split(' ')[-1]) 25 | m2 = int(conn.recvline().strip().decode().split(' ')[-1]) 26 | conn.recvuntil("> ") 27 | conn.sendline("d") 28 | conn.recvuntil("> (int) ") 29 | conn.sendline(str(m1)) 30 | conn.recvuntil("Decryption ::") 31 | conn.recvline() 32 | r = int(conn.recvline().strip().decode().split(' ')[-1]) 33 | conn.recvuntil("> ") 34 | conn.sendline("d") 35 | conn.recvuntil("> (int) ") 36 | conn.sendline(str(m2)) 37 | conn.recvuntil("Decryption ::") 38 | conn.recvline() 39 | q = int(conn.recvline().strip().decode().split(' ')[-1]) 40 | n = (2**512 - r) // q 41 | if str(hashlib.sha256(str(n).encode()).hexdigest()) == str(idd): 42 | break 43 | 44 | print("Modulus : ",n) 45 | 46 | while True: 47 | conn.recvuntil("Key updated succesfully ::") 48 | conn.recvline() 49 | conn.recvline() 50 | #print(conn.recvline().strip().decode().split(' = ')[-1]) 51 | #e=55 52 | e = int(conn.recvline().strip().decode().split(' = ')[-1]) 53 | print(e % 0x10001) 54 | if e % 0x10001 == 0: 55 | print("SOLVED") 56 | _e = e//0x10001 57 | new_c = pow(enc_flag, _e, n) 58 | conn.recvuntil("> ") 59 | conn.sendline("d") 60 | conn.recvuntil("> (int) ") 61 | conn.sendline(str(new_c)) 62 | conn.recvuntil("Decryption ::") 63 | conn.recvline() 64 | FLAG = bytes.fromhex(hex(int(conn.recvline().strip().decode().split(' ')[-1]))[2:]) 65 | print(FLAG) 66 | exit() 67 | conn.sendline("u") 68 | --------------------------------------------------------------------------------