├── LICENSE
├── README.md
└── juicy_files.txt


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 DiabloHorn
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # yara4pentesters
 2 | rules to identify files containing juicy information like usernames, passwords etc
 3 | 
 4 | ## requirements
 5 | 
 6 | * YARA
 7 |   * https://virustotal.github.io/yara/
 8 | 
 9 | ## searching for files
10 | Remember that depending on the YARA version or operating system that you use, the syntax might vary slightly.
11 | 
12 | ### recursive search
13 | 
14 | ```
15 | yara -r juicy_files.txt <location>
16 | ```
17 | 
18 | ### recursive search by tag
19 | 
20 | ```
21 | yara -t <tag> -r juicy_files.txt <location>
22 | ```
23 | 
24 | ### recursive search single rule
25 | ```
26 | yara -i <rule identifier/name> -r juicy_files.txt <location>
27 | ```
28 | 
29 | ## examples
30 | 
31 | ```
32 | ~/Desktop/yara4pentesters$ yara -r juicy_files.txt ../y4p_files
33 | shadow_file ../y4p_files/shadow
34 | hive_file ../y4p_files/mysecurity
35 | hive_file ../y4p_files/mysam
36 | hive_file ../y4p_files/system
37 | hive_file ../y4p_files/mysystem
38 | ntds_file ../y4p_files/ntds.dit
39 | 
40 | 
41 | ~/Desktop/yara4pentesters$ yara -t linux -r juicy_files.txt ../y4p_files
42 | shadow_file ../y4p_files/shadow
43 | 
44 | ~/Desktop/yara4pentesters$ yara -i ntds_file -r juicy_files.txt ../y4p_files
45 | ntds_file ../y4p_files/ntds.dit
46 | ```
47 | 
48 | ## References
49 | 
50 | * https://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec
51 | 


--------------------------------------------------------------------------------
/juicy_files.txt:
--------------------------------------------------------------------------------
  1 | rule ntds_file : usernames hashed_passwords active_directory windows passwords
  2 | {
  3 |     meta:
  4 |         author = "DiabloHorn https://diablohorn.com"
  5 |         description = "find the ntds.dit file"
  6 |     strings:
  7 |         $filemagic = {ef cd ab 89}
  8 |         $content_string = "Admin-Display-Name" nocase wide
  9 |         $content_string2 = "Address-Entry-Display-Table-MSDOS" nocase wide
 10 |         $content_string3 = "nTDSDSA-Display" nocase wide
 11 |         $content_string4 = "MSysObjects" nocase ascii
 12 |         $content_string5 = "ObjidTable" nocase ascii
 13 |     condition:
 14 |         ($filemagic at 4) and (int32(12) == 0 or int32(12) == 1) and all of ($content_*)
 15 | }
 16 | 
 17 | rule hive_file : usernames hashed_passwords registry windows passwords
 18 | {
 19 |     meta:
 20 |         author = "DiabloHorn https://diablohorn.com"
 21 |         description = "find registry hive files like system/security/sam"
 22 |     strings:
 23 |         $filemagic = "regf"
 24 |         $filemagicbin = "hbin"
 25 |         $content_string = "ROOT"
 26 |     condition:
 27 |         $filemagic at 0 and $filemagicbin at 4096 and $content_string
 28 |         
 29 | }
 30 | 
 31 | rule shadow_file : usernames hashed_passwords linux passwords
 32 | {
 33 |     meta:
 34 |         author = "DiabloHorn https://diablohorn.com"
 35 |         description = "find shadow files"
 36 |     strings:
 37 |         $rootline = /root:.:\d+?:\d+?:\d+?:\d+?:/ nocase
 38 |         $hashline = /:\$\d\$/
 39 |         $hashtype_md5 = ":$1$"
 40 |         $hashtype_blowfish = ":$2a$"
 41 |         $hashtype_blowfish2 = ":$2y$"
 42 |         $hashtype_sha256 = ":$5$"
 43 |         $hashtype_sha512 = ":$6$"
 44 |     condition:
 45 |         $rootline and $hashline and (1 of ($hashtype_*))
 46 | }
 47 | 
 48 | rule tomcat_file : usernames plain_passwords passwords
 49 | {
 50 |     meta:
 51 |         author = "DiabloHorn https://diablohorn.com"
 52 |         description = "find tomcat config file with plaintext passwords"
 53 |     strings:
 54 |         $xml_ident = "<tomcat-users>" nocase
 55 |         $xml_ident2 = "</tomcat-users>" nocase
 56 |         $roles = "<role rolename=" nocase
 57 |         $password_string = "username=" nocase
 58 |         $password_string2 = "password=" nocase
 59 |         $password_string3 = "roles=" nocase
 60 |     condition:
 61 |         all of them
 62 | }
 63 | 
 64 | rule mysql_file : usernames plain_passwords passwords
 65 | {
 66 |     meta:
 67 |         author = "DiabloHorn https://diablohorn.com"
 68 |         description = "find mysql config file with plaintext passwords"
 69 |     strings:
 70 |         $section_header = "[client]\n" nocase
 71 |         $section_header2 = "[mysqld]\n" nocase
 72 |         $content_data = /port.{,10}?=/ nocase
 73 |         $content_data2 = /socket.{,10}?=/ nocase
 74 |         $content_data3 = /max_connections.{,10}?=/ nocase 
 75 |         $creds_user = /user.{,10}?=/ nocase
 76 |         $creds_password = /password.{,10}?=/ nocase
 77 |     condition:
 78 |         all of them
 79 | }
 80 | 
 81 | rule unencrypted_private_key : plain_privatekey privatekey
 82 | {
 83 |     meta:
 84 |         author = "DiabloHorn https://diablohorn.com"
 85 |         description = "find unencrypted private keys"
 86 |     strings:
 87 |         $content = "-----BEGIN RSA PRIVATE KEY-----" nocase
 88 |         $content2 = "encrypted" nocase
 89 |     condition:
 90 |         $content at 0 and not $content2
 91 | }
 92 | 
 93 | rule encrypted_private_key : encrypted_privatekey privatekey keycontainer
 94 | {
 95 |     meta:
 96 |         author = "DiabloHorn https://diablohorn.com"
 97 |         description = "find encrypted private keys"
 98 |     strings:
 99 |         $content = "-----BEGIN RSA PRIVATE KEY-----" nocase
100 |         $content2 = "encrypted" nocase
101 |     condition:
102 |         $content at 0 and $content2
103 | }
104 | 
105 | rule keepass_file : keycontainer keepass
106 | {
107 |     meta:
108 |         author = "DiabloHorn https://diablohorn.com"
109 |         description = "find keepass containers"
110 |     strings:
111 |         $filemagic_primary = {03 D9 A2 9A}
112 |         $filemagic_secondary = {(67 | 65 | 66 | 55) FB 4B B5}
113 |     condition:
114 |         $filemagic_primary at 0 and $filemagic_secondary at 4
115 | }
116 | 
117 | rule jks_file : keycontainer java_keystore
118 | {
119 |     meta:
120 |         author = "DiabloHorn https://diablohorn.com"
121 |         description = "find java keystore containers"
122 |     strings:
123 |         $filemagic = {fe ed fe ed 00 00 00 02}
124 |     condition:
125 |         $filemagic at 0
126 | }
127 | 
128 | rule encrypted_ppk_file : keycontainer putty encrypted_privatekey privatekey
129 | {
130 |     meta:
131 |         author = "DiabloHorn https://diablohorn.com"
132 |         description = "find encrypted putty ppk files"
133 |     strings:
134 |         $content = "PuTTY-User-Key-File-2" nocase
135 |         $content2 = "Encryption" nocase
136 |         $content3 = "Private-Lines" nocase
137 |         $content4 = "none" nocase
138 |     condition:
139 |         $content at 0 and $content2 and $content3 and not $content4
140 | }
141 | 
142 | rule ppk_file : keycontainer putty plain_privatekey privatekey
143 | {
144 |     meta:
145 |         author = "DiabloHorn https://diablohorn.com"
146 |         description = "find putty ppk files"
147 |     strings:
148 |         $content = "PuTTY-User-Key-File-2" nocase
149 |         $content2 = "Encryption" nocase
150 |         $content3 = "Private-Lines" nocase
151 |         $content4 = "none" nocase
152 |     condition:
153 |         $content at 0 and $content2 and $content3 and $content4
154 | }
155 | 
156 | rule minidump_file : memory windows
157 | {
158 |     meta:
159 |         author = "DiabloHorn https://diablohorn.com"
160 |         description = "find memory dump files"
161 |     strings:
162 |         $header = "MDMP"
163 |         $formatversion = {93 a7}
164 |     condition:
165 |         $header at 0 and $formatversion at 4
166 | }
167 | 
168 | rule crashdump_file : memory windows
169 | {
170 |     meta:
171 |         author = "DiabloHorn https://diablohorn.com"
172 |         description = "find memory dump files"
173 |     strings:
174 |         $header = "PAGE"
175 |         $header2 = "DUMP"
176 |     condition: //might not work due to int32() on filesize, should be int64, but not available
177 |         $header at 0 and $header2 at 4 and (uint32(0xf88) == 1 or uint32(0xf88) == 2) and int32(0xfa0) >= filesize
178 | }
179 | 
180 | rule crashdump64_file : memory windows
181 | {
182 |     meta:
183 |         author = "DiabloHorn https://diablohorn.com"
184 |         description = "find memory dump files"
185 |     strings:
186 |         $header = "PAGE"
187 |         $header2 = "DU64"
188 |     condition: //might not work due to int32() on filesize, should be int64, but not available
189 |         $header at 0 and $header2 at 4 and (uint32(0xf98) == 1 or uint32(0xf98) == 2) and int32(0xfa0) >= filesize
190 | }
191 | 
192 | rule vmdk_file : virtualdisk
193 | {
194 |     meta:
195 |         author = "DiabloHorn https://diablohorn.com"
196 |         description = "find vmdk files"
197 |     strings:
198 |         $filemagic = {4b 44 4d} //KDM
199 |         $header = "# Disk DescriptorFile"
200 |         $header2 = "version="
201 |         $header3 = "CID="
202 |         $header4 = "parentCID="
203 |         $header5 = "createType="
204 |         $header6 = "# Extent description"
205 |     condition:
206 |         $filemagic at 0 and (all of ($header*))
207 | }
208 | 
209 | rule gpp_file : passwords plain_password
210 | {
211 |     meta:
212 |         author = "DiabloHorn https://diablohorn.com"
213 |         description = "find gpp files"
214 |     strings:
215 |         $content1 = "<?xml" nocase
216 |         $content2 = "<user" nocase
217 |         $content3 = "cpassword=" nocase
218 |         $content4 = "username=" nocase
219 |         $content5 = "clsid=" nocase
220 |         $content6 = "</user>" nocase
221 |     condition:
222 |         all of them
223 | }
224 | 
225 | rule sql_dump : passwords dbdump {
226 |     meta:
227 |         author = "ydklijnsma https://blog.0x3a.com"
228 |         description = "Looks at sql dump file pattern"
229 | 
230 |     strings:
231 |         $dump_header_regex = /-- [a-zA-Z0-9]+\s?SQL\s?[Dd]ump\s?/i
232 | 
233 |         $dump_string_createtableifexists = "CREATE TABLE IF NOT EXISTS"
234 |         $dump_string_droptableifexists = "DROP TABLE IF EXISTS "
235 |         $dump_string_createtable = "CREATE TABLE "
236 | 
237 |         $insert_into = "INSERT INTO "
238 | 
239 |     condition:
240 |         $dump_header_regex at 0 and
241 |             (2 of ($dump_string_*)) and
242 |                 #insert_into >= 1
243 | }
244 | 
245 | rule idapro_database {
246 | 	meta:
247 | 		author = "ydklijnsma https://blog.0x3a.com/"
248 | 		description = "Finds IDA pro IDB databases"
249 | 	
250 | 	strings:
251 | 		$magic = { 49 44 41 ?? }
252 | 		$btree_str = "B-tree"
253 | 
254 | 	condition:
255 | 		$magic at 0 and $btree_str
256 | 
257 | }
258 | 


--------------------------------------------------------------------------------